[SecurityRatty] tag: wall-e

Manage and test firewall changes

Mon, 01 Dec 2008 10:10:00 +0000

Regardless of how you approach firewall management, manage. Configuration changes which appear to work properly can easily produce unwanted results. Only a formalized change and testing process based on clear strategic objectives can prevent growing cracks in the wall.

Mayhem in Mumbai

Thu, 27 Nov 2008 02:48:00 +0000

The total number of casualties rise in the financial capital of India after terrorists attack multiple locations.

The latest figures suggest that at least 100 people have been killed and as many as 900 injured. Radio and television reporters are saying that it has all the hallmarks of an Al-Qaeda attack. Locations included a railway station, a cinema, the Taj Hotel, and another very popular restaurant.

It appears as if the terrorists singled out Westerners as they are reported to have taken British and American tourists hostages and brought them up to the 18th floor of the hotel. This evening the hotel is on fire and the fate of the hostages is still unknown.

The good news for some, is that they were able to escape form the hotel in the confusion. It appears that the terrorists could have numbered dozens of heavily armed men. This is definitely not a random attack but a well planned and executed operation aimed at causing mass casualties amnd hitting India's financial markets in much the same way as Wall Street was attacked on 9/11.

We do not hear that much about India's terrorist problems in the West but I was made aware of it when I was invited to India to speak on Security matters this time last year. I have since that time made clients and potenital clients aware of the security situation.

There has been much outsourcing to India and many U.S. businesses are sending personnel over there as a result. Those who can afford to have their own professional security protectors should consider that option very carefully. It could very well turn out being more of a necessity than a luxury in these dangerous times.

New DHS Head Understands Security

Wed, 26 Nov 2008 09:43:33 +0000

This quote impresses me:

Gov. Janet Napolitano, D-Ariz., is smashing the idea of a border wall, stating it would be too expensive, take too long to construct, and be ineffective once completed.
"You show me a 50-foot wall and I'll show you a 51-foot ladder at the border. That's the way the border works," Napolitano told the Associated Press.

Instead of a wall, she said funds would be better utilized on beefing up Border Patrol manpower, technology sensors and unmanned aerial vehicles.

I am cautiously optimistic.

Show 032 - An Interview with Jeremiah Grossman

Thu, 13 Nov 2008 23:17:49 +0000

The 32nd episode of The Silver Bullet Security Podcast features founder and Chief Technology Officer of WhiteHat Security, Jeremiah Grossman. Gary and Jeremiah discuss clickjacking, cross-site request forgery, why 50% of web problems can’t be discovered reliably automatically, and which conferences Jeremiah most enjoyed on his 2008 world tour.

Jeremiah Grossman
Clickjacking
Adobe 0-day Browser Exploit
Cross-Site Request Forgeries: Exploitation and Prevention [PDF]
Web Spoofing: An Internet Con Game by Edward W. Felten, Dirk Balfanz, Drew Dean, and Dan S. Wallach.
Web application scan-o-meter
The “Wall of Fame”

Stop Me if This Sounds Familiar

Sun, 02 Nov 2008 19:30:30 +0000

My favorite book from last year was Charlie Munger's "Poor Charlie's Almanack", there are so many fascinating parts in the book I can't go into them all here. Charlie Munger is Warren Buffett's partner at Berkshire Hathaway, the book is a collection of a number of his speeches, and serves as a great backdrop for today's events, an investing education, and a way to think through complex problems ("invert! always invert!"). It goes without saying that I think you should buy this book.

Chapter Three is a collection of Munger's unscripted remarks at Berkshire Hathaway and Wesco annual meetings. The below sections were transcribed by Whitney Tilson, from annual meetings around the 2003-4 time period, and are pretty interesting given our current financial predicament.

Warnings About Financial Institutions and Derivatives
Risks of Financial Institutions
The nature of a financial institution is that there are a lot of ways to go to hell in a bucket. You can push credit too far, do a dumb acquisition, leverage yourself excessively---its not just derivatives [that can bring about your downfall].
Maybe it's unique to us, but we're quite sensitive to financial risks. Financial institutions make us nervous when they're trying to do well.
We're exceptionally goosey of leveraged financial institutions. If they start talking about how good their risk management is, it makes us nervous.
We fret way earlier than other people. We've left a lot of money on the table through early fretting. It's the way we are -- you'll just have to live with it.
Derivatives
The system is almost insanely irresponsible. and what people think are fixes aren't realy fixes. It's so complicated I can't do it justice here - but you can't believe the trillions of dollars involved. You can't believe the complexity. You can't believe how difficult it is to do the accounting. You can't believe how big the incentives are to have wishful thinking about values and wishful thinking about ability to clear.
People don't think about the consequences of the consequences. People start by trying to hedge against interest rate changes, which is very difficult and complicated. Then, the hedges make the [reported profits] lumpy. So they use the new derivatives to smooth this. Well, now you've morphed into lying. This turns into a Mad Hatter's Tea Party. This happens to vast, sophisticated corporations.
Somebody has to step in and say, "We're not going to do it - it's just too hard."
I think a good litmus test of the mental and moral quality at any large institutions [with significant derivative exposure] would be to ask them, "Do you really understand your derivatives book?" Anyone who says yes is either crazy or lying.
It's easy to see [the dangers] when you talk about [what happened with] the energy derivatives - they went kerflooey. When [the companies] reached for the assets that were on their books, the money wasn't there. When it comes to financial assets, we haven't had any such denouement and the accountings hasn't changed so the denouement is ahead of us.
Derivatives are full of clauses that say if one party's credit gets downgraded then it has to put up collateral. It's like margin - you can go broke [just putting up more margin]. In an attempt to protect themselves, they've introduced instability. Nobody seems to recognize what a disaster of a system they've created. It's a demented system.
In engineering people have a big margin of safety. But in the financial world, people don't give a damn about safety. They let it balloon and balloon and balloon. It's aided by false accounting. I'm more pessimistic about this than Warren is.
Accounting for Derivatives
I hate with a passion GAAP [Generally Accepted Accounting Principles] as applied to derivatives and swaps. JP Morgan sold out to this type of accounting to front-end revenues. I think it's a disgrace.
It's bonkers, and the accountants sold out. Everyone caved, adopted loose [accounting] standards, and created exotic derivatives linked to theoretical models. As a result, all kinds of earnings, blessed by accountants, are not really being earned. When you reach for the money, it melts away. It was never there.
It [accounting for derivatives] is just disgusting. It is a sewer, and if I'm right, there will be hell to pay in due course. All of you will have to prepare to deal with a blowup of derivative books.
Likelihood of a Derivatives Blowup
We tried to sell Gen Re's derivatives operations and couldn't, so we started liquidating it. We had to take big markdowns. I would confidently predict that most of the derivatives books of [this country's] major banks cannot be liquidated for anything like what they're carried on the books at. When the denouement will happen and how severe it will be, I don't know. But I fear the consequences could be fearsome. I think there are major problems, worse than in the energy field, and look at the destruction there.
I'll be amazed if we don't have some kind of significant [derivatives-related] blowup in the next five to ten years.
I think we're he only big corporation in America to be running off its derivative book.
It's a crazy idea for people who are already rich - like Berkshire - to be in this business. It's a crazy business for big banks to be in.
Yo would be disgusted if you had a fair mind and spent a month really delving into a big derivative operation. You would think it was Lewis Carroll. You would think it was the Mad Hatter's Tea Party. And the false precision of these people is just unbelievable. They make the worst economics professors look like gods. Moreover, there is depravity augmenting the folly. Read the book F.I.A.S.C.O., by law professor and former derivative trader Frank Partnoy, an insider account of the depravity of derivative trading at one of the biggest and best-regarded Wall Street firms. This book will turn your stomach.

These are very blunt warnings from a legendary investor over many years, yet no one listened. It does explain why it is so hard for Infosec to make its case for building margins of safety into the system.

Google deals, Microsoft's Azure, IT money woes

Thu, 30 Oct 2008 21:00:00 +0000

Google proposed settling lawsuits related to its book-scanning and indexing project, and word also seeped out through The Wall Street Journal that the company's search advertising deal with Yahoo could be scrapped because of regulatory issues. Meanwhile, Microsoft unveiled its Azure cloud-computing services strategy.

Given the Current Economic Turmoil, What Should IT Managers Do?

Fri, 17 Oct 2008 07:38:02 +0000

Gartner's Compliance & Risk Management Research Community met recently and considered what IT managers should do given the economic turmoil spreading around the world.

What started as a problem with risky mortgages in hot real estate markets in the United States has spread to Wall Street with a devastating impact on the financial health and well being of a number of banks and an insurance company. Each day, the turmoil spreads, first to the equity and commodity markets where investors and speculators attempt to preserve what capital remains. Next, the central banks and governments rush in with an infusion of liquidity in an attempt to keep the money flowing through the world's financial market.

The media commentary on the current financial crisis sounds the tone that all the laws of economics and free markets no longer apply. The reporters sound as if the next developments will be Mother Nature suspending the laws of physics and gravity. Against this backdrop, CIOs and IT managers wonder, "What do we do?"

There is no denying that business as usual is not currently happening. To speculate or attempt to deal with the regulatory fallout that will follow this financial crisis is currently a waste of time. The central focus that CIOs must address now is what impact will this financial crisis have on IT in the next budget cycle. Also, how can IT help the enterprise demonstrate trustworthiness to key stakeholders, maintain critical functions that drive revenue and cash flow, and focus on the needs of the people who work for your organization.

At the heart of the current financial crisis is a lack in confidence in the credit markets. Government officials report that interbank lending has ground to a halt, which prompted the U.S. Federal Reserve to step in on 7 October 2008 and offer direct short term lending to U.S. corporations.

First, to combat this lack of confidence permeating the market, enterprises should take extraordinary means to increase their financial transparency and demonstrate that they have the ability to meet their obligations to creditors, customers, and the communities where they are located. Senior management must develop and exercise a voice in the public policy dialog immediately - and voluntarily. Do not wait for Congressional subpoenas, shareholder meetings, or ambush interviews by the media. Tell the world, honestly, about the state of your company and its plans for the near term and the long view.

Second, everyone must develop a laser-like focus on the organization's value proposition, those intangible reasons that define why your enterprise exists. To leverage an old cliché, every oar must be in the water and pulling in the same direction. The goal is not just to make it to the finish line, but to survive. Ancillary or tertiary projects must be postponed for a later time; and tasks that improve customer service, remove friction from processes, and increase cash flow should be top priorities.

Finally, think about the people who work for you. No doubt they are scared by the uncertainty about the future. Management must be honest and open in keeping the rank and file apprised of the organization's situation. They should be encouraged to communicate that information in a timely fashion with friends and neighbors in the community. Management should be extremely sensitive to non-work related issues that may have an impact on employee morale and well being. The most obvious is related to housing, mortgage default and potential foreclosure. However, it can extend beyond the most obvious issues. The problem with short-term lending is also having an impact on some governmental agencies, and some school districts are cutting back to only four days of instruction, forcing many parents to scramble and find new daycare arrangements.

New case study on RSA enVision

Wed, 08 Oct 2008 20:00:00 +0000

The Institute of Applied Network Security released a case study on the implementation of RSA enVision at the Depository Trust Clearing Corporation (DTCC). DTCC is an organization that acts as the back end for Wall Street, processing $1.8 quadrillion in securities transactions in 2007, and thus an essential component in our economy.

Biometric Security for Financial Meltdown Solutions

Mon, 06 Oct 2008 06:43:28 +0000

Wall Street was dominated by 5 major investment banking firms at the beginning of 2008. Nine months later, only 2 of these investment banking firms remain. This is probably the worst financial turmoil...

Links List 10.3.08

Fri, 03 Oct 2008 16:55:16 +0000

Well finally, an upside to the financial crisis – more students in computer science. After the dot-com crash, enrollment went down in computer science, almost 50% since 2003. Many students shifted their interest from the technology field to banking and finance because they thought they’d make more money. And now the financial crisis could scare them into choosing majors and careers that are “safer alternatives”, like IT. And perhaps the trend is reversing for those already on Wall Street as well. Ben Worthen writes about the influx of resumes Kodiak Venture Partners has been getting: from financial-services vets who want to work at tech startups, – not to “strike it rich” this time around, but just to make a living. And it’s not just the tech workers. Seems like the ones that don’t even have any real IT experience are looking too – for jobs as VPs of marketing (harrumph). (img from www.fas.org)

I’m sure you already know about the other “network management” – where ISPs and carriers get their hands publicly slapped for limiting bandwidth to high-traffic offenders. But when is this kind of “network management” a good thing? At a panel sponsored by the FCC in DC, reps from carriers and ISPs discussed what steps they’ve been taking to prepare for a pandemic or other major global crisis – that would force workers to stay at home or work from more remote locations to limit exposure.

Are people paying attention to ICANN? They’re saying that IPv4 will be fully allocated in the next two or three years. Does anyone care? In their bid to make people care, ICANN talks about the state of IPv6 adoption and touts Africa as the most rapid adopter.

SOA soon part of the ‘cloud’? No, please no.

Microsoft – The Silver Lining in Every Cloud. Joe Wilcox over at eWeek’s Microsoft Watch, has been following Steve Ballmer around and collecting some nice quotes on how the company is transitioning. “For many years, we had kind of what I would call the all-encompassing mission, vision and scorecard statement: a computer on every desk and in every home. …Well, our footprint and portfolio is broader than that. “ [In every hand and of course, in every cloud…] “So, as a vision statement we talk about creating seamless experiences that combine the magic of software, the power of the Internet across a world of devices.” The magic of software – something I haven’t thought about for a while. And:

“You need a real platform in the cloud. When we wanted to go after the PC, we built an operating system. When we wanted to go after the phone, we built an operating system. When we wanted to go after the enterprise, we built an operating system. We’ll announce a new operating system, one that runs in the cloud and has a wide variety of capabilities.”