[SecurityRatty] tag: roger

Security Maxims

Fri, 26 Sep 2008 08:42:29 +0000

From Roger Johnston, funny -- and all too true -- stuff.

Texas National Guard Website Remains Unavailable After Malware Infection

Fri, 19 Sep 2008 20:08:16 +0000

The website for the Texas National Guard remained unreachable on Friday, two days after security researchers said it had been hacked by miscreants who were using it to install malware on visitors PCs. Some pages on the website were probably SQL injected. On Wednesday, Roger Thompson, chief research officer of anti-virus provider AVG, reported that selected [...]

Links List 8.1.08

Fri, 01 Aug 2008 17:37:08 +0000

The Yankee Group had this not-so-urgent advice for IPv6 visibility. “It may be time to ask your network monitoring and management software vendors about their plans for IPv6 visibility.” Although we’re still a few years away from broad adoption of IPv6 in the US, experts have been urging enterprises to pave the way for a smooth migration now by having IPv6-ready infrastructure in place…

I’ll take your 6 centers of excellence and uh, raise you 2 data centers. Following up on the HP announcement that they’ve partnered with Yahoo and Intel to create cloud computing Centers of Excellence this week, IBM said they were building out 2 data centers to accommodate the coming cloud computing resources need. I should say that IBM had already announced their “partnership” with Google to provide services for the cloud back in May. Who’s left to partner with on cloud computing? Microsoft and Amazon?

Packet Trap Networks recently conducted a survey of network engineers and IT professionals who perform network management duties inside companies with more than 100 employees. Out of the 800 engineers surveyed, 49 percent stated that they did not have a comprehensive network management system in place – showing a need for solutions focused on the mid-market – i.e., the right features at reasonable prices. If you remember, Sevcik and Wetzel (not a vendor!) conducted their own survey on application performance management and had similar findings but a rather different answer… (hint – starts with “E” and ends in “7”)

Is open-source software more secure? After all thousands of eyes are better than a handful, right? Well, according to a report sponsored by Fortify Software, that’s just not the case. Roger Thornton, founder and CTO of Fortify Software, adds that the underlying problem is “a lack of understanding and collaboration between developers and security experts – today each are talking past each other when it comes to security.”

For all you aspiring CIOs out there, WSJ has provided a must-read list. Uh oh– the first on the list is “How to Read a Book”. Please, any negative comments directly on the Journal site…and any “good” ones here!

ShareThis

World War II Deception Story

Tue, 29 Jul 2008 09:50:05 +0000

Great security story from an obituary of former OSS agent Roger Hall:

One of his favorite OSS stories involved a colleague sent to occupied France to destroy a seemingly impenetrable German tank at a key crossroads. The French resistance found that grenades were no use.
The OSS man, fluent in German and dressed like a French peasant, walked up to the tank and yelled, "Mail!"

The lid opened, and in went two grenades.

Hall's book about his OSS days, You're Stepping on My Cloak and Dagger, is a must read.

Loving customers frustrate security firms too

Fri, 13 Jun 2008 15:45:37 +0000

Roger Grimes has a good article up on his InfoWorld, Security Advisory blog entitled "Security firms frustrate loving customers". Roger details some specific examples of how security vendors just don't "show the love" to customers and prospective customers, with the result being lost business. Roger highlights three examples:

1. Making renewals a manual process with those annoying phone trees. I agree, when I hear the press 1 for this and press 2 for this, my blood starts to boil. There is no reason that this just can't be built into the product to renew over the web. Security or no, any software vendor not doing it this is just plain crazy.

2. Calling into a company with a sales inquiry and the sales guy never calls back. This one just kills me. When doing due diligence on potential acquisitions at a prior company I would call in or email with a sales inquiry and wait to see how long it would take for them to get back to me. It was a good indication of how well the sales organization and company functioned.

3. Killing the deal with one sided, overly legal and burdensome terms. Another one that I battle all the time. The CFO has to be able to recognize revenue so needs specific T&Cs. The lawyers want to protect the vendor against all eventualities and is doing his job. You want to make as few warranties and representations as possible to limit your liability. The result, the customer gets one sided, unfair document with fine print on maintenance pricing, renewals, SLAs, etc. Most customers don't even read the EULA. Take a lot at some of the ones with software you have bought. It may surprise you.

But in my best Fox News voice, lets be fair and balanced. So in that vein, let me give you 3 specific examples of how loving customers frustrate security firms:

1. The guys who picked the product leave and the new guy comes in and doesn't have a clue. This happens all the time, especially in the government. One guy or team buys the product for a specific reason and has all of the expertise. The new folks come in and even if they know your product is there, they don't know why or how to use it. They may feel they inherited this product and have their own favorite product in this category. They can't wait to replace you and either don't use the product at all or blame the problems of the world on it.

2. Buying the product and than "other priorities" delay implementation. A surefire recipe for shelfware. When I see this happening I tell our folks better to be a pain in the butt and force them to use the product they bought than to sit around watching the license expire on the shelf. The longer the product sits, the more it becomes a nice to have, rather than a must have, that drove the sale. Now sure, one can say that what does the vendor care, the customer paid. If he doesn't use it, less support costs. But you don't get renewals, you don't get upsells or referrals without customers using product.

3. Using the product in unintended ways. Another favorite heartburn of mine. Customers figure just because the application runs Linux underneath, why can"t I run (You Name It). We recently had a customer that was chewing up support hours like the dial at a gas pump today. It turns out the problems we all due to the all of the other software that he had put on the box, not to mention editing .conf files, database tables, etc. It is hard enough supporting the software we developed. It is a whole another story supporting software that you have written.

So Roger, yes the customer is always right and security vendors have to get their act together if they want to survive, let alone compete in these tough economic times. But customers certainly don't make the job any easier with some of the shenanigans they pull.

Can Azulstar Make WiMax Work without Buying Spectrum?

Fri, 09 May 2008 06:58:59 +0000

Azulstar once pinned its fortunes on city-wide Wi-Fi, but now looks to a special licensed spectrum band to make WiMax work where Wi-Fi failed: Azulstar has been the also-ran in Wi-Fi for some years, I'll just state bluntly and upfront. They built a network in Grand Haven, Mich., in 2003 that's one of--if not the--longest running metro-scale Wi-Fi networks in the world designed for public access. The mayor of Grand Haven since 2003, Roger Bergman, told me, "I got on board personally right away, and I am still on."

Azulstar soon answered several RFPs and partnered up with major firms to bring Wi-Fi to Rio Rancho, N.M., Winston-Salem, N.C., Sacramento, Calif., and most notably Silicon Valley--a set of dozens of cities along with county government and private enterprise all wanting some kind of tiered Wi-Fi across 1,500 sq mi.

While EarthLink, MetroFi, and even Kite Networks (with their extensive Arizona buildout in Tempe launched a bit before any other large competiting network) seized the headlines, and later made news about their stalls, failures, and exits, Azulstar seemed quietly to sink into the sand. The Wireless Silicon Valley deal fell apart, as did Sacramento after efforts to get stakeholder and outside investment seemed to fail to materialize, and the marquee partners--Cisco, IBM, and Intel--just wouldn't step up to the plate to make the project move forward. Azulstar was the lead techology firm, but the money just didn't come. (Both California projects are moving forward with a different set of partners and expectations now.)

Rio Rancho was perhaps one of the biggest letdowns. City manager Jim Payne explained in an interview a few weeks ago, "They had a number of things that were going against them from the start, and they did make an attempt to meet the requirements of the contract." But Rio Rancho voted to not just terminate the contract after years of attempts to make the network work, but rejected a proposal from Azulstar a few weeks ago to switch over equipment on the poles. Azulstar now has to remove all its devices.

All of this might make the typical company head a bit depressed about his firm's future, and less than sanguine about the potential for wireless broadband to work at all. Not so for Tyler van Houwelingen, Azulstar's chief, and I have to admit that he convinced me that the wireless provider has a fighting chance, due to a good combination of timing, spectrum policy, and a large dollop of can-do spirit.

Interop Keynote Panel on Current Software Trends

Fri, 02 May 2008 17:43:41 +0000

The software trends panel preceded Jayshree Ullal’s keynote presentation at Interop 2008.

Software Trends Panelists:

Roger Burkhardt, –President and CEO, Ingress Corporation
Stephen J. Mellar, –Freeter, Integranova
Phillip Winslow, — Vice President – Software Analyst, Credit Suisse

(more…)

ShareThis

Are you clean? Let Google decide for you.

Mon, 03 Mar 2008 12:38:00 +0000

Interesting post on Roger Thompson's blog here about Google (in their infinite wisdom) deciding to block organic search links to sites they deem "bad." 90% of the time this works and is a good thing. If there is malware hosted on a site, you want Google to be blocking access from the search engine.

But what if there isn't malware there? What if it's a case of mistaken identity? The idea that it could take 12 months to get this fixed would do significant damage to the web sites that are mistakenly accused.

The answer? Actually there isn't one. You should be using a tool like Roger's LinkScanner or McAfee's SiteAdvisor as a matter of practice (yes, it's one of Security Mike's suggestions). But there isn't much you as a user can do besides cutting and pasting the URL into your own browser, which is a pain the backside.

Although hope is not a strategy, we can only hope that Google is right a lot more often then they are wrong...

Image credit: onedigitallife.com

Terrible animal abuse caught on video at Westland/Hallmark meat company

Tue, 19 Feb 2008 14:01:00 +0000

It would have been difficult for anyone to have watched the CNN video yesterday morning regarding animal abuse at the Westland/Hallmark meat processing plant and to not have felt outraged.

The video, which was covertly recorded by a factory employee, showed cows being pushed, dragged and prodded in order to get them into the slaughter house. As was obvious from the video, some of these animals were so sick that they could not stand up on their own and were "scooped" up by fork lifts and dropped into the killing area.

The reporter commented how these animals' symptoms were similar to that of the fatal "mad cow" disease. However, that did not stop the meat company from including them with the others that were being butchered and sold to fast food restaurants and to schools to feed the nation's children.

Yesterday, two fast food chains: "Jack in the box' and "In-out burgers", stated that they were no longer purchasing beef products from Westalnd/Hallmark. Today, 150 school districts dropped the meat company as their vendor.

What is difficult to understand is how the company President, Steve Mendell, could come out with a statement assuring the public that they "have met the highest standards for harvesting and processing meat". Either he is of the belief that the general public are about as sharp as bowling balls or the industry must have some really low standards overall.

Another difficult thing to understand is the fact that Westland/Hallmark claimed to have a full time USDA veterinary medical officer on site IN ADDITION to a full time officer from USDA's Grading Service. "Full time" should mean that they are always there durng work hours, should it not? It seems that the USDA has a lot of questions to answer.

It is ironic that last week we saw so much in the press about the Congressional hearing into Roger Clemens and the allegations that he took steroids. If he did, he shouldn't have, but is it right to devote so much attention and resources to an athelete when hundreds of thousands - possibly millions, of peoples lives and health are jeopardized by unscrupulous business practices that should have been detected by the very Govt. Agency assigned to over see such abuse?

I for one, will be reading labels in the supermarket more closely in the future. I would suggest that all of you do the same.

Relay attacks on card payment: vulnerabilities and defences

Tue, 08 Jan 2008 21:01:52 +0000

At this year’s Chaos Communication Congress (24C3), I presented some work I’ve been doing with Saar Drimer: implementing a smart card relay attack and demonstrating that it can be prevented by distance bounding protocols. My talk (abstract) was filmed and the video can be found below. For more information, we produced a webpage and the details can be found in our paper.

[ slides (PDF 9.6M) | video (BitTorrent — MPEG4, 106M) ]

The CCC is a great conference to attend and a good source of ideas for papers. There were many excellent talks, but here are a few I can particularly recommend (I’m still working though the videos of talks I couldn’t attend in person):

Current events in Tor development: Roger Dingledine gives Tor-related news, including anti-censorship features and interaction with law enforcement
Design Noir: ladyada talks about controversial electronics projects, including the TV-B-Gone and her own cellphone jammer
DNS Rebinding And More Packet Tricks: Dan Kaminsky describes the DNS Rebinding attack and demonstrates tunneling arbitrary TCP streams over a browser
Mifare: Karsten Nohl and Henryk Plötz describe how they reverse-engineered the Mifare encryption algorithm, Crypto1, and the weaknesses they discovered
Steam-Powered Telegraphy: Jens Ohlig et al. demonstrate their Internet connected (but not quite steam-powered) Telex machine
What can we do to counter the spies?: Annie Machon describes her work with MI5, why she left and her life on the run
Why Silicon-Based Security is still that hard: Deconstructing Xbox 360 Security: Michael Steil and Felix Domke demonstrate the clever techniques they developed to install Linux on the XBox360