[SecurityRatty] tag: east

Sniffers class for the ISSA Kentuckiana

Mon, 27 Oct 2008 20:20:21 +0000

I'm teaching another free class for the ISSA, hope some of my readers can make it. Here are the details:
Who: Presented by Adrian Crenshaw of IronGeek.com
What: "Using Sniffers Effectively" - hands-on workshop with network analyzers such as Wireshark and Cain.
When: Sat, November 8, 2008 9:00 AM - 12:30 PM
Where: Louisville Technical Institute - Room 364, 3901 Atkinson Square Drive, Louisville KY 402018 (502) 456-6509
Directions: From 264 East get off on 1st Newburg Rd exit, Turn RIGHT at Bishop Lane, Turn RIGHT at Atkinson Dr./Atkinson Square Dr., Go .2 miles, Turn right at LOUISVILLE TECHNICAL/INTERIOR DESIGN INSTITUTE. Park in front parking lot. Go in Main Lobby to sign in.
Why: ISSA Kentuckiana's mission is to be the Louisville Leader in Information Security and Awareness. We want to provide relevant educational opportunities to members that enable learning, career growth, and should enable certification and technical advancement.
Cost: FREE! - Bring your own laptop or use one of the classroom PC's
How to sign up: send email to education (at) issa-kentuckiana (dot) org

Barak Obama Discusses Security Trade-Offs

Mon, 27 Oct 2008 03:31:12 +0000

I generally avoid commenting on election politics -- that's not what this blog is about -- but this comment by Barak Obama is worth discussing:

[Q] I have been collecting accounts of your meeting with David Petraeus in Baghdad. And you had [inaudible] after he had made a really strong pitch [inaudible] for maximum flexibility. A lot of politicians at that moment would have said [inaudible] but from what I hear, you pushed back.
[BO] I did. I remember the conversation, pretty precisely. He made the case for maximum flexibility and I said you know what if I were in your shoes I would be making the exact same argument because your job right now is to succeed in Iraq on as favorable terms as we can get. My job as a potential commander in chief is to view your counsel and your interests through the prism of our overall national security which includes what is happening in Afghanistan, which includes the costs to our image in the middle east, to the continued occupation, which includes the financial costs of our occupation, which includes what it is doing to our military. So I said look, I described in my mind at list an analogous situation where I am sure he has to deal with situations where the commanding officer in [inaudible] says I need more troops here now because I really think I can make progress doing x y and z. That commanding officer is doing his job in Ramadi, but Petraeus's job is to step back and see how does it impact Iraq as a whole. My argument was I have got to do the same thing here. And based on my strong assessment particularly having just come from Afghanistan were going to have to make a different decision. But the point is that hopefully I communicated to the press my complete respect and gratitude to him and Proder who was in the meeting for their outstanding work. Our differences don't necessarily derive from differences in sort of, or my differences with him don't derive from tactical objections to his approach. But rather from a strategic framework that is trying to take into account the challenges to our national security and the fact that we've got finite resources.

I have made this general point again and again -- about airline security, about terrorism, about a lot of things -- that the person in charge of the security system can't be the person who decides what resources to devote to that security system. The analogy I like to use is a company: the VP of marketing wants all the money for marketing, the VP of engineering wants all the money for engineering, and so on; and the CEO has to balance all of those needs and do what's right for the company. So of course the TSA wants to spend all this money on new airplane security systems; that's their job. Someone above the TSA has to balance the risks to airlines with the other risks our country faces and allocate budget accordingly. Security is a trade-off, and that trade-off has to be made by someone with responsibility over all aspects of that trade-off.

I don't think I've ever heard a politician make this point so explicitly.

U.S. Consulate in Northern Mexico attacked with guns and grenade

Sun, 19 Oct 2008 14:53:00 +0000

The motive for last week's attack on the U.S. consulate in Mexico is being investigated but there is still no clear cut reason for the unprovoked attack.

The attack had more in common with what we have come to expect in Iraq than from just below the Southern States of the U.S. News of the attack is making me think more about the article I read in one of the Gulf papers here in the Middle East a couple of days ago.

The article read; "Mexican workers leave the U.S. disllusioned with the American Dream". The story, like so many others these days, focused on the worsening U.S. economy. That made me think; could a returning mexican worker have launched the attack on the embassy due to his frustration at not being able to do as well as he had expected North of the border?

I hope for Mexcio's sake this is not the case. Mexico's dangerous crime rate is already a concern for many people deciding where to go to spend their holiday dollars.

In this current economic climate, visitors need to be encouraged and given a reason to spend their hard earned money in your country, not made to feel like targets.

Blackwater Says It Will Fight Somalia's Pirates

Thu, 16 Oct 2008 16:14:00 +0000

Security analysts and the Somali government publicly flirt with the idea of hiring mercenaries to stop the pirates that are terrorizing east Africa. Now, the notorious guns-for-fire at Blackwater respond to the call, with a resounding arrrr!!!!!

Mauritius moves on smart card ID

Tue, 14 Oct 2008 20:00:00 +0000

Mauritius, a small island off the east coast of Madagascar, is working hard on its smart card identification system. The Ministry of ICT is looking forward to phasing in the introduction of electronic identity cards by mid 2009.

Does Risk Management Make Sense?

Tue, 14 Oct 2008 09:25:09 +0000

We engage in risk management all the time, but it only makes sense if we do it right.

"Risk management" is just a fancy term for the cost-benefit tradeoff associated with any security decision. It's what we do when we react to fear, or try to make ourselves feel secure. It's the fight-or-flight reflex that evolved in primitive fish and remains in all vertebrates. It's instinctual, intuitive and fundamental to life, and one of the brain's primary functions.

Some have hypothesized that humans have a "risk thermostat" that tries to maintain some optimal risk level. It explains why we drive our motorcycles faster when we wear a helmet, or are more likely to take up smoking during wartime. It's our natural risk management in action.

The problem is our brains are intuitively suited to the sorts of risk management decisions endemic to living in small family groups in the East African highlands in 100,000 BC, and not to living in the New York City of 2008. We make

systematic risk management mistakes -- miscalculating the probability of rare events, reacting more to stories than data, responding to the feeling of security rather than reality, and making decisions based on irrelevant context. And that risk cockpit of ours? It's not nearly as finely tuned as we might like it to be.

Like a rabbit that responds to an oncoming car with its default predator avoidance behavior -- dart left, dart right, dart left, and at the last moment jump -- instead of just getting out of the way, our Stone Age intuition doesn't serve us well in a modern technological society. So when we in the security industry use the term "risk management," we don't want you to do it by trusting your gut. We want you to do risk management consciously and intelligently, to analyze the tradeoff and make the best decision.

This means balancing the costs and benefits of any security decision -- buying and installing a new technology, implementing a new procedure or forgoing a common precaution. It means allocating a security budget to mitigate different risks by different amounts. It means buying insurance to transfer some risks to others. It's what businesses do, all the time, about everything. IT security has its own risk management decisions, based on the threats and the technologies.

There's never just one risk, of course, and bad risk management decisions often carry an underlying tradeoff. Terrorism policy in the U.S. is based more on politics than actual security risk, but the politicians who make these decisions are concerned about the risks of not being re-elected.

Many corporate security decisions are made to mitigate the risk of lawsuits rather than address the risk of any actual security breach. And individuals make risk management decisions that consider not only the risks to the corporation, but the risks to their departments' budgets, and to their careers.

You can't completely remove emotion from risk management decisions, but the best way to keep risk management focused on the data is to formalize the methodology. That's what companies that manage risk for a living -- insurance companies, financial trading firms and arbitrageurs -- try to do. They try to replace intuition with models, and hunches with mathematics.

The problem in the security world is we often lack the data to do risk management well. Technological risks are complicated and subtle. We don't know how well our network security will keep the bad guys out, and we don't know the cost to the company if we don't keep them out. And the risks change all the time, making the calculations even harder. But this doesn't mean we shouldn't try.

You can't avoid risk management; it's fundamental to business just as to life. The question is whether you're going to try to use data or whether you're going to just react based on emotions, hunches and anecdotes.

This essay appeared as the first half of a point-counterpoint with Marcus Ranum in Information Security magazine.

Female Bodyguards Get the Job Done.

Sun, 28 Sep 2008 17:45:00 +0000

Those who think that Bodyguarding is a job best left to men - think again.

The Dublin City Herald recently ran a story about Lisa Baldwin, from Dublin, who is a female Personal Protection/Close Protection Specialist based in the U.K. Ms. Baldwin is in high demand by Middle Eastern clients who wish to have their women and children protected by female agents.

That is exactly why SEXTON EXECUTIVE SECURITY(www.sextonsecurity.com)designed a Middle East E.P./C.P. course that will be held in the U.A.E. from the 11th of October through the 18th. The President, John Sexton summed it up as follows; "We saw the need for agents from all over the world to be able to train in the Middle East and to experience the culture,tradition and religion first hand". "Middle Eastern clients are extremely important to our industry", he added "and it behooves all agents involved in providing safety for these families to become conversant with every aspect of their lives in order to be able to offer the best protection possible".

SEXTON will also have a group of female trainees attending their Executive Protection course in San Diego, California in December. Lisa Baldwin is described in the Herald as being "one of the world's few female bodyguards". Many women around the world now recognize that by undergoing professional training like Ms. Baldwin, they can be assigned to prestigious contracts and make a very lucrative living.

Ms. Baldwin's petite stature does not prevent her from succeeding in a mostly male-dominated industry. "You realise you're not in Iraq, you're in London", she advises. Very true. Smart protectors understand that the Art of Personal Protection is about using your mind and not your brawn. The differences between working in Iraq and London/New York/Dubai are like night and day.

Unfortunately, if the agent does not receive proper training, they may very well fail to realise the difference. There is one type of training needed for a Hostile environment such as Iraq or Afghanistan and a completely different one for the corporate/private sector. A security contractor coming fresh out of a hostile environment will often find it extremely difficult providing protection in a covert, "grey man" style.

Fortunately for them, Sexton Executive Security's focus is on private clients and their E.P./C.P. corporate training program can help those returning form overseas contracts to make the transition smooth and profitable.

In the corporate/private family world, you don't have heavy weaponry to rely upon but as Ms. Baldwin states; "Its all about the mind and prevention". Like the old saying goes; "an ounce of prevention is worth a pound of cure".

"Would you feel safe with this man looking after you?

Sun, 28 Sep 2008 16:44:00 +0000

That was the caption under the picture of Rocker,Ted Nugent, in last Tuesday's Guardian. Nugent had volunteered to be Sir Paul McCartney's "Bodyguard" when he played a concert in Israel.

Unfortunately,this is what our industry has to tolerate. Many people, from broken down celebrity deer hunters to jail guards think that if you know how to shoot a rifle or open a gate for inmates to go to the yard, it automatically follows that you know everything about protecting the life of a executive.

So, Ted Nugent knows how to play guitar and shoot deer. Just what part of that background would equip him to keep the former Beetle safe in the Middle East? It is certainly not like Mr. Nugent is trying to pull the wool over our eyes when it comes to any specialized training he may have received. "I'm Dirty Harry with a ponytail", claims the singer.

First of all Mr. Nugent, "Dirty Harry" was a film produced by Hollywood to entertain people, not a "training aid". Secondly, even if we were to stretch our imaginations and consider Harry Callaghan's actions, we would recall that the character was a Police Detective and as such, would have undergone rigourous training at a professional Police Academy.

Refering to reported Islamic Extremist Death Threats made against McCartney if he insisted on playing the concert, Nugent informed us that he "will not bend or waiver to Voodoo Religions or Whackjobs".

It is unknown whether or not Mr. Nugent thinks that Islamic Extremists come from Haiti, but if he is serious about a future career in Executive Protection, we would advise him to attend our upcoming course in Dubai next month where he will not only learn first hand the Art of Personal Protection, but he will also learn about Middle Eastern Cultures, Tradition and Religion.

Unfortunately, there's no way of predicting how much culture we may be able to pass on to Mr. Nugent, as the course is only a little over a week long. We will also be teaching etiquette and which knife and fork to use when attending a formal event with your Principal. That's right Ted, you don't get to tear the meat from the bone with your hands.

Someone call the U.A.E. and let the Hilton know that we may have to stay longer than planned.

Too Many Events, Too Little Time

Thu, 11 Sep 2008 11:00:42 +0000

ScienceLogicians will be scattering around the nation next week to cover 5 shows. Where we’ll be:

Interop NY

East Coast version of this major networking show. ScienceLogic is the official provider for network monitoring and help desk for InteropNet, the world’s largest temporary network. See us in action in the NOC. Stop by the booth, #1045, to chat, pick up your own deck of EM7 cards, or fill out a survey for a free t-shirt.
When: Conference runs from Mon 9/15 – Friday 9/19. Expo days are Wed 9/17 – Thurs 9/18.
Where: The Javits Center, NYC.

VMworld 2008

The largest virtualization show put on by VMware, the leader in the space. VMworld is only a couple of years old but growing like gangbusters. This year’s show should be an interesting one in light of all the turmoil surrounding VMware and Microsoft’s putsch, oops I meant push, into the space with Hyper-V.
When: Mon 9/15 is Partner Day. Conference runs from Tues 9/16 – Thurs 9/18
Where: The Venetian Hotel, Las Vegas.

Hosting Transformation Summit

Executive-level hosting/service provider show run by The 451 Group (and Tier 1). The analysts at The 451 Group and Tier 1 discuss state of the industry and trends.
When: Mon 9/15 – Wed 9/17
Where: The Mirage, Las Vegas

ICE Summit

Also run by The 451 Group, the ICE (Infrastructure Computing for the Enterprise) Summit will focus on “virtualization in context”. This overlaps the last day of VMworld (personally making my life a little harder).
When: Thurs 9/18
Where: The Mirage, Las Vegas

Inc 500 / Inc 5000 Conference & Awards Ceremony

Since we made it on the list (#350!), we thought we should show the flag at the Inc 500 conference, culminating in an awards gala on Saturday night.
When: Thurs 9/18 – Sat 9/20
Where: Gaylord National Resort & Convention Center at the National Harbor (DC)

Stay tuned for live blogging and video from the various events with always lively commentary from the ScienceLogicians.

Is Rock Phish cybergang set for a comeback?

Fri, 05 Sep 2008 09:00:00 +0000

East European cybercrime gang Rock Phish is linking its Command & Control server to the Asprox botnet in an apparent effort to boost its ability to propogate phishing attacks.