Infosec Island Latest Articles
https://infosecisland.infosecisland.com

Identity & Access Management: Give Me a REST
https://www.infosecisland.com/blogview/23223-Identity-amp-Access-Management-Give-Me-a-REST.html
Wed, 19 Jun 2013 07:18:19 -0500

Give me a REST (or two weeks' stay in a villa in Portugal if you're asking...). RESTful architectures have been the general buzz of websites for the last few years. The simplicity, scalability and statelessness of this approach to client-server communication have been adopted by many of the top social sites, such as Twitter and Facebook. Why? Well, in their specific cases, developer adoption is a huge priority. Getting as many Twitter clients or Facebook apps released as possible increases the overall attractiveness of those services, and in a world where website and service competition is as high as ever, that is a key position to sustain.

Why REST?

The evolution and move to REST is quite a clear one from a benefits and adoption perspective. REST re-uses the standard HTTP verbs such as GET, POST, PUT and DELETE to act on resources, each of which is identified by a URI, rather than inventing a new protocol. These verbs are well understood and well used, so there's no new syntactic sugar to swallow. Each component of the service owner's database is abstracted into neatly described resources that can be accessed using the appropriate URI. Requests can then be made to return, say, a JSON or XML representation of the underlying database object.

The client, permission granted, can then in turn update or create a new object in the same way, by sending a JSON object via a PUT or POST request. Because the exchange is stateless, that permission has to be presented and checked on every request (typically as a bearer token in the Authorization header) rather than remembered from an earlier call.

What's This Got To Do With IAM?

Identity management has often been thought of as an enterprise or organizational problem, focusing on the creation and management of company email, mainframe and ERP system accounts. This process then brought all the complexity of business workflow definition, compliance, audit, system integration and so on. Access management, on the other hand, has often been focused on single sign-on, basic authorization and web protection. IAM today is a much more complex and far-reaching beast.

Organizations are reaching out into the cloud for services, APIs and applications. Service providers and applications are becoming identity providers in their own right, reaching back out to consumers and businesses alike. For once, identity management is on the tip of the tongue of the most tech-avoiding consumers, concerned with privacy, their online identities and how they can be managed and consumed.

A RESTful Future

These new approaches to identity and access management require rapid integration, developer adoption and engine-like APIs that can perform in an agile, scalable and secure fashion. Identity and access management services for consumers, such as being able to log in with their Facebook or Twitter account using OAuth or OAuth2 without having to create and manage multiple passwords for the other sites they interact with, not only increase user convenience. They also put pressure on business security strategies, which can struggle to cope with employees bringing their own identity to many of the now popular business services such as Webex, Dropbox, Salesforce and the like.

As identity management is no longer solely concerned with siloed, business unit or organisational boundaries and is looking more to being fully connected, integrated and focused on consumerization, developer adoption has never been more important. Security in general has never been a high priority for application builders, who are more centred on features and end usability.

Identity and access management is making a big change to that area with many access management systems being easy to externalize from application logic using RESTful integration.
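To make the closing point concrete, here is an added example (not code from the original article or from any product it mentions) of a small RESTful resource handler whose authorization decision is externalized from the application logic. The verb-to-action mapping is the one described above; the token store, the role-to-permission policy, the resource data and the sample requests are all constructed for this example, and the in-process authorize() function stands in for the call a real application would make over HTTPS to an access management service.

```python
"""Added example: a RESTful handler with authorization kept out of the
application code.  TOKENS, POLICY and USERS are constructed test data."""
import json

# Constructed token -> subject/role mapping (stands in for an access
# management service's token introspection endpoint).
TOKENS = {
    "tok-alice": {"sub": "alice", "role": "editor"},
    "tok-bob": {"sub": "bob", "role": "viewer"},
}

# Constructed policy: which HTTP verbs each role may use on /users/*.
POLICY = {
    "viewer": {"GET"},
    "editor": {"GET", "POST", "PUT", "DELETE"},
}

# The application's own data, keyed by resource id.
USERS = {"1": {"name": "Alice"}, "2": {"name": "Bob"}}


def authorize(auth_header, method, path):
    """Externalized decision point: returns (allowed, subject).

    Stateless: every request carries its credential and nothing is cached
    between calls, so a token removed from TOKENS stops working at once."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return False, None
    ident = TOKENS.get(auth_header[len("Bearer "):])
    if ident is None:
        return False, None
    allowed = path.startswith("/users") and method in POLICY.get(ident["role"], set())
    return allowed, ident["sub"]


def handle_request(method, path, headers, body=None):
    """Map HTTP verbs onto the users collection; return (status, json_text).

    The handler never decides permissions itself; it asks authorize()."""
    allowed, subject = authorize(headers.get("Authorization"), method, path)
    if subject is None:
        return 401, json.dumps({"error": "unauthenticated"})
    if not allowed:
        return 403, json.dumps({"error": "forbidden"})

    parts = [p for p in path.split("/") if p]  # "/users/2" -> ["users", "2"]
    user_id = parts[1] if len(parts) > 1 else None

    if method == "GET":
        if user_id is None:
            return 200, json.dumps(USERS)
        if user_id in USERS:
            return 200, json.dumps(USERS[user_id])
        return 404, json.dumps({"error": "not found"})
    if method == "POST" and user_id is None:
        new_id = str(max((int(k) for k in USERS), default=0) + 1)
        USERS[new_id] = json.loads(body)
        return 201, json.dumps({"id": new_id})
    if method in ("PUT", "DELETE") and user_id is not None:
        if user_id not in USERS:
            return 404, json.dumps({"error": "not found"})
        if method == "PUT":
            USERS[user_id] = json.loads(body)
            return 200, json.dumps(USERS[user_id])
        del USERS[user_id]
        return 204, ""
    return 405, json.dumps({"error": "method not allowed"})


if __name__ == "__main__":
    print(handle_request("GET", "/users/1", {"Authorization": "Bearer tok-bob"}))
    print(handle_request("DELETE", "/users/1", {"Authorization": "Bearer tok-bob"}))
```

The design choice worth noticing is that swapping the policy (say, from role-based to OAuth2 scopes) touches only authorize() and the data it consults; the resource handler itself never changes, which is the "easy to externalize" property the article is after.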

Originally posted at Infosec Professional

Copyright 2010 Respective Author at Infosec Island
Over-Sharing Riskier than Government Snooping
https://www.infosecisland.com/blogview/23221-Over-Sharing-Riskier-than-Government-Snooping.html
Tue, 18 Jun 2013 06:39:43 -0500

There has been an uproar over disclosures regarding the rather ambitious program known as PRISM and the harvesting of metadata from mobile phone calls, both programs administered by the NSA and designed to gain access to what we would like to think is private information.

While the widespread rage over the government engaging in the systematic collection and analysis of data about law abiding citizens is more than understandable, the fact is that people in this age of the Internet freely share huge amounts of personal information on a daily basis, and doing so puts them at risk.

We freely share details of our lives, our travels, information about our children, our extended family, about our business, our employers, our Web browsing and shopping habits, our medical condition – all data that falls under the definition of Personally Identifiable Information (PII).

This information, when aggregated in Big Data systems, can reveal very personal details about nearly every aspect of our lives. And it’s not just the government we should be worried about in the application of this information, it’s also big business marketing machines and even worse – attackers who seek to exploit these open sources of intelligence for their own gain.

NIST Special Publication 800-122 defines PII as “any information about an individual… that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name…” but it encompasses far more.

“The definition of PII that most people understand is really far too narrow. PII is really any piece of information that can be used to confidently link data back to a human,” said Andrew Storms (@st0rmz), director of security operations for Tripwire.

His colleague Lamar Bailey (@btle310), director of security research and development, agrees. “PII is not just credit card, Social Security numbers, and bank accounts. It’s literally any information that can used to impersonate you or gain your trust online and offline.”

PII is routinely collected every single day of our digital lives – through tracking cookies when we visit websites, keywords in emails we send, through purchases made with credit or debit cards, when we scan parking or public transportation passes, and more – all of it together producing a portrait of our very selves.

“Here’s an example that involves department store and grocery store rewards cards,” Storms points out. “Last year, Target got in trouble for using consumer purchase data to identify a pregnant teen before her parents knew.”

This type of data is quite valuable to the businesses we patronize, and it is also often sold to other commercial interests. While we might expect the businesses we frequent to use this data in an attempt to tailor our shopping experience, there are much more nefarious elements who find this data valuable as well, which is why it is so often the target of criminal cyber attacks.

Aside from the vast amounts of data stored by organizations that can be exfiltrated by hackers, there are even greater amounts of personal information readily available that we ourselves produce and distribute through social media platforms – information that can be used against us.

“Many people don’t think like attackers, and trustingly add their information to online sites like high school yearbooks, birthday reminders, and genealogy or family tree sites that are prevalent on social media,” said Tripwire’s CTO Dwayne Melancon (@ThatDwayne).

“For an attacker that is targeting you or attempting to steal your identity, these sources are a gold mine.”

And it’s not just personal details we are broadcasting through social media, we may also be providing clues to attackers that can be utilized in brute force and dictionary attacks designed to gain access to our accounts.

“Attackers can also mine a wide range of social sources to find out the answers to your ‘secret questions’ for identity validation – where you went to school, mother’s maiden name, previous addresses, and things like that,” Melancon pointed out.

Storms agrees, pointing out that “one of the most significant attacker innovations recently has been the ability to tie multiple smaller bits of information together as part of a cohesive attack strategy. Social media and networking sites are treasure troves of data that users unknowingly give away every day.”

It is not only our personal assets and accounts that are being targeted through data mining of social networks, it is also our businesses or our employers who may be the real target of such operations.

“Attackers are not just  looking for PII, they also look for ways to get data from others that can be used against you,” Melancon said. “For example, people who want to gain information about company executives may mine Facebook looking for informative posts from the executives’ family and friends.”

So this is the age we live in. No, there is not a lot we can do about big business and big government utilizing Big Data stores – that issue lands squarely with our elected officials who need to enact strong data collection and use laws.

But, there are some precautions we can take in an effort to not over-share personal information. Just how much damage we have already done to our own privacy and security remains to be seen.

“The bottom line is that every piece of electronic data about you is being captured and analyzed,” Storms said. “With enough data and compute cycles, just about anyone can be identified and ‘hacked’ without the traditional PII data points.”

Cross Posted from Tripwire's State of Security

20 Critical Security Controls: Control 13 – Boundary Defense
https://www.infosecisland.com/blogview/23219--20-Critical-Security-Controls-Control-13--Boundary-Defense.html
Tue, 18 Jun 2013 06:36:52 -0500

Today’s post is all about Control 13 of the CSIS 20 Critical Security Controls – Boundary Defense (the last post pertained to Control 12). Here I’ll explore the (29) requirements I’ve parsed out of the control (I used the PDF version, but the online version is here) and offer my thoughts on what I’ve found [*].

KEY TAKE AWAYS

  1. Use Proxies and Monitor. This Control isn’t bad (though see Improvement Area number one) and it provides what I think is some really great advice. Use proxies when you can, and when you do, detect any traffic that bypasses the proxy. The idea is to allow traffic only through known locations and to monitor at those “choke points.” Some of those who don’t want to be monitored will try to get around the choke point, which should then be detected by appropriate monitoring. Others will simply tunnel out through the choke point – but you should be able to monitor for that as well (the long-session and flow-analysis requirements later in the control are aimed at exactly that).

POTENTIAL AREAS OF IMPROVEMENT

  1. Focus. To me, this Control could easily be merged with Control 19 (Secure Network Engineering) and it should be – appropriate boundary defense is part of engineering a secure network.  If what this control is really seeking to convey is how to secure the services you provide through your boundary (i.e. VPN, SMTP, and so on), then the control could be renamed.
  2. Key Management Requirements.  Don’t forget that when you recommend that things can be encrypted or signed that you’re also recommending the key management that comes with it.  Key management is not easy, and you won’t be able to rely on your users to do it well – we can’t rely on users to manage their passwords well, right?

REQUESTING FEEDBACK ON

  • Requirement 6
  • Requirement 10
  • Requirement 14
  • Requirement 15

REQUIREMENT LISTING

  1. Description: Deny communications with (or limit data flow to) known malicious IP addresses (black lists), or limit access only to trusted sites (white lists).
    • Notes: See my notes for requirement three below – essentially, find a service that updates black lists and use it.  If you actually know the communication patterns required throughout your organization well enough, then white lists are the way to go.  But, ensure that you control IP address changes otherwise using a white list could just be another way in.
  2. Description: Tests can be periodically carried out by sending packets from bogon source IP addresses (unroutable or otherwise unused IP addresses) into the network to verify that they are not transmitted through network perimeters.
    • Notes: I have to be honest with you, I thought bogon was a typo for logon. It turns out that it’s not (http://en.wikipedia.org/wiki/Bogon_(address)). If you have many devices, you’re going to want to manage this blacklist in one location and propagate that list throughout your infrastructure.
  3. Description: Lists of bogon addresses are publicly available on the Internet from various sources, and indicate a series of IP addresses that should not be used for legitimate traffic traversing the Internet.
    • Notes: Find a couple of sources and merge them. Or, find an authoritative source of these and subscribe to the list (here’s one: http://www.team-cymru.org/Services/Bogons/)
  4. Description: On DMZ networks, monitoring systems (which may be built in to the IDS sensors or deployed as a separate technology) should be configured to record at least packet header information, and preferably full packet header and payloads of the traffic destined for or passing through the network border.
    • Notes: Notice the two requirement levels. At a minimum, grab header information. For those who are more advanced, or perhaps under attack by more capable adversaries, then grab entire packets. To determine which is right for you, you’ll need to perform a risk assessment.
  5. Description: This traffic should be sent to a properly configured Security Event Information Management (SEIM) or log analytics system so that events can be correlated from all devices on the network.
    • Notes: I know this makes sense from an industry momentum perspective, but SIEMs have really come under scrutiny lately for being dustware (they’re purchased, then sit on the shelf collecting dust because they’re unusable). If you’re going to get into this, then do so with the knowledge that you need to have competent personnel to manage the SIEM.
  6. Description: To lower the chance of spoofed e-mail messages, implement the Sender Policy Framework (SPF) by deploying SPF records in DNS and enabling receiver-side verification in mail servers.
    • Notes: I don’t know enough about the details of SPF (maybe one of our readers does and can comment), but I know this is worth doing. The work it takes to set this up will be far less than the time and energy it takes to deal with spam and its associated issues (spending too much time tuning filtering rules, receiving questions from users, cleaning up after users click on things – and they will).
  7. Description: Deploy network-based IDS sensors on Internet and extranet DMZ systems and networks that look for unusual attack mechanisms and detect compromise of these systems. These network-based IDS sensors may detect attacks through the use of signatures, network behavior analysis, or other mechanisms to analyze traffic.
    • Notes: A simpler way of stating this: Use network IDS especially in externally facing networks such as the DMZ. Everything else seems to make this overly prescriptive.
  8. Description: Design and implement network perimeters so that all outgoing web, file transfer protocol (FTP), and secure shell traffic to the Internet must pass through at least one proxy on a DMZ network.
    • Notes: Good advice and a clear requirement.
  9. Description: The proxy should support logging individual TCP sessions; blocking specific URLs, domain names, and IP addresses to implement a black list; and applying white lists of allowed sites that can be accessed through the proxy while blocking all other sites.
    • Notes: Specific requirements for the proxy mentioned in the previous requirement. Nice. Notice the blacklist integration – remember the service I shared with you above? Take some time to ensure that your proxy is being updated appropriately with that information when it changes (I’d check daily).
  10. Description: Organizations should force outbound traffic to the Internet through an authenticated proxy server on the enterprise perimeter.
    • Notes: This seems pretty clear. Does anyone out there have experiences they can share? How has use of an authenticated proxy helped your organization’s security posture?
  11. Description: Proxies can also be used to encrypt all traffic leaving an organization.
    • Notes: Sure, but only to known locations, right? It’s probably a good idea, though, especially if you’re connected to different geographic locations.
  12. Description: Require all remote login access (including VPN, dial-up, and other forms of access that allow login to internal systems) to use two-factor authentication.
    • Notes: We’ve seen two-factor authentication before, and at that time I claimed that two-factor authentication should be used everywhere. This is no exception. It’s really not that expensive to implement when compared to the safety of what could be compromised. Yes, that’s a blanket statement, so be sure to perform a risk assessment.
  13. Description: All devices remotely logging into the internal network should be managed by the enterprise, with remote control of their configuration, installed software, and patch levels.
    • Notes: The question I have here is this: How is the internal network defined? Does this imply a VPN type of situation, or does it include configuring your iPhone to use the corporate Exchange server? In both cases you have a BYOD problem to consider. I don’t think organizations realize just how much productivity they lose with requirements such as this. I, for example, do not use a corporate-issued machine (sorry IT) to get my real work done. Instead, I use my personal machine with my own software, because I get more done that way (and I’m a geek). There must be a way to allow BYOD and protect the enterprise at the same time. I don’t know what that really looks like, but one solution could use a mix of VMs and services like SpiderOak.
  14. Description: Periodically scan for back-channel connections to the Internet that bypass the DMZ, including unauthorized VPN connections and dual-homed hosts connected to the enterprise network and to other networks via wireless, dial-up modems, or other mechanisms.
    • Notes: If you’re looking for unauthorized VPN connections, you’re going to need a tight list of access rules to check against. Another interpretation of this requirement might be that you need to check for VPN traffic outbound from your internal network to some non-organizationally provided VPN (like one to Amsterdam). If you’re logging all your packets at the boundary (like previous requirements say), then you shouldn’t have a problem looking for common VPN protocols – until you get to an SSL VPN, in which case you’re going to need a list of VPN services and their IP addresses to check the traffic. It seems like host configuration is a better way to go about this – are there any good configuration mechanisms you use to meet this requirement?
  15. Description: To limit access by an insider or malware spreading on an internal network, organizations should devise internal network segmentation schemes to limit traffic to only those services needed for business use across the internal network.
    • Notes: OK. Who out there has guidance for meeting this requirement? I can segment my networks without any meaning and meet this requirement. Some guidance is needed. I believe there was, once upon a time, a PCI Scoping SIG that may have done some public work in this area. Does anyone have advice?
  16. Description: Develop plans to rapidly deploy filters on internal networks to help stop the spread of malware or an intruder.
    • Notes: I don’t know if you need to develop plans here – get your incident detection and response planning down pat and ensure automated configuration deployment. That should be enough. What you want is the ability to update your filtering on demand, and that demand will be driven from incident detection and response.
  17. Description: To minimize the impact of an attacker pivoting between compromised systems, only allow DMZ systems to communicate with private network systems via application proxies or application-aware firewalls over approved channels
    • Notes: It’s all about detection and response at this point. We know that attackers will, when they want, find a way in. Our job is to minimize the time they have to do damage, which is to minimize the time to detect, contain, and expunge. That’s what this requirement is about.
  18. Description: To help identify covert channels exfiltrating data through a firewall, built-in firewall session tracking mechanisms included in many commercial firewalls should be configured to identify TCP sessions that last an unusually long time for the given organization and firewall device, alerting personnel about the source and destination addresses associated with these long sessions.
    • Notes: I’m happy that this is an advanced requirement, because it requires some notion of what normal is before it can work. The catch here, as usual, is that you should do what you can to ensure you’re capturing normal in the first place. Of course, now attackers know that longer sessions are bad, so they’ll turn to slow and low to subvert.
  19. Description: Deploy NetFlow collection and analysis to DMZ network flows to detect anomalous activity.
    • Notes: I’ll be honest with you. I’m not a network security guru. But, I’m educated and well-read enough on flows to know that they can be invaluable when detecting anomalies. In fact, they shouldn’t be relegated to the DMZ (see http://link.springer.com/chapter/10.1007%2F978-0-387-68768-1_1 for more information).
  20. Description: Packet sniffers should be deployed on DMZs to look for Hypertext Transfer Protocol (HTTP) traffic that bypasses HTTP proxies.
    • Notes: This can be applied for anything that should traverse a proxy by policy. HTTP, SMTP, FTP, SSH, and so on. By enforcing a proxy, you can detect odd behaviors more easily.
  21. Description: The system must be capable of identifying any unauthorized packets sent into or out of a trusted zone and ensure that the packets are properly blocked and/or trigger alerts.
    • Notes: This is a pretty big metric, but it’s binary. I’d like to see percentages and things of that nature in metrics rather than binary. I’m not sure why.
  22. Description: Any unauthorized packets must be detected within 24 hours, with the system generating an alert or e-mail for enterprise administrative personnel.
    • Notes: Again, 24 hours, as stated in the document, is an upper bound. If there are unauthorized packets traversing your network, notify as quickly as you can, and not just administrative personnel, but your incident response team as well.
  23. Description: Alerts must be sent every hour thereafter until the boundary device is reconfigured.
    • Notes: The obligatory nag.
  24. Description: To evaluate the implementation of Control 13 on a periodic basis, an evaluation team must test boundary devices by sending packets from outside any trusted network to ensure that only authorized packets are allowed through the boundary. All other packets must be dropped.
    • Notes: None.
  25. Description: In addition, unauthorized packets must be sent from a trusted network to an untrusted network to make sure egress filtering is functioning properly. The evaluation team must then verify that the systems generate an alert or e-mail notice regarding the unauthorized packets within 24 hours.
    • Notes: None.
  26. Description: It is important that the evaluation team verify that all unauthorized packets have been detected.
    • Notes: None.
  27. Description: The evaluation team must also verify that the alert or e-mail indicating that the unauthorized traffic is now being blocked is received within one hour.
    • Notes: None.
  28. Description: The evaluation team must verify that the system provides details of the location of each machine with this new test software, including information about the asset owner.
    • Notes: None.
  29. Description: It is also important that the evaluation team test to ensure that the device fails in a state where it does not forward traffic when it crashes or becomes flooded.
    • Notes: None.
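Several of the requirements above (1–3 on bogon filtering, 8 and 20 on forcing web traffic through a proxy, 18 on unusually long sessions, 19 on flow analysis) come down to running checks over flow or session records from the border. The following is an added example, not part of the original post or of the CSC document, that runs three such checks over a handful of constructed flow records. The bogon prefixes are the well-known reserved and unallocated IPv4 ranges (RFC 1918, RFC 5737 documentation nets, loopback, link-local, shared address space, multicast, class E); in production you would subscribe to an authoritative feed such as the Team Cymru list mentioned under requirement 3 and refresh it on a schedule. The internal range, the proxy address and the flow records are assumptions made for this example.

```python
"""Added example: three Control 13 checks over constructed flow records.
Assumed: 10.0.0.0/8 is the enterprise, 10.1.1.5 is the DMZ web proxy."""
import ipaddress
import statistics

# Traditional bogon prefixes (reserved / not routable on the public Internet).
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
)]
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed enterprise range
PROXY = ipaddress.ip_address("10.1.1.5")         # assumed DMZ web proxy
WEB_PORTS = {80, 443}


def parse_flow(line):
    """'src,dst,dport,proto,duration_s' -> dict (constructed CSV layout)."""
    src, dst, dport, proto, dur = line.split(",")
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "dport": int(dport), "proto": proto, "duration": float(dur)}


def is_bogon(addr):
    addr = ipaddress.ip_address(addr)
    return any(addr in net for net in BOGONS)


def check_bogon_ingress(flows):
    """Req. 1-3: a flow from a bogon source that reached an internal host
    means the border filter let it through, which is the failure to alert on.
    Internal sources are excluded because 10/8 is itself on the bogon list."""
    return [f for f in flows
            if f["dst"] in INTERNAL and f["src"] not in INTERNAL and is_bogon(f["src"])]


def check_proxy_bypass(flows):
    """Req. 8/20: internal hosts may reach the web only via PROXY."""
    return [f for f in flows
            if f["src"] in INTERNAL and f["dst"] not in INTERNAL
            and f["dport"] in WEB_PORTS and f["src"] != PROXY]


def check_long_sessions(flows, k=3.0):
    """Req. 18: flag TCP sessions far longer than this network's norm.

    'Normal' is taken from the data: median plus k times the median absolute
    deviation, which one huge outlier cannot drag upward the way a mean can."""
    tcp = [f for f in flows if f["proto"] == "tcp"]
    durations = [f["duration"] for f in tcp]
    med = statistics.median(durations)
    mad = statistics.median([abs(d - med) for d in durations]) or 1.0
    return [f for f in tcp if f["duration"] > med + k * mad]


# Constructed flow records; the bogon source, the direct-to-Internet HTTPS
# session and the 12-hour session are the planted findings.
SAMPLE_FLOWS = """\
10.2.3.4,10.1.1.5,3128,tcp,12
10.2.3.4,10.1.1.5,3128,tcp,8
10.1.1.5,93.184.216.34,443,tcp,15
10.2.3.9,10.1.1.5,3128,tcp,10
10.2.3.4,10.1.1.5,3128,tcp,9
203.0.113.7,10.2.3.4,445,tcp,5
10.2.3.9,93.184.216.34,443,tcp,11
10.2.3.4,93.184.216.50,8443,tcp,43000
""".splitlines()


def run_all(lines):
    flows = [parse_flow(line) for line in lines]
    return {"bogon_ingress": check_bogon_ingress(flows),
            "proxy_bypass": check_proxy_bypass(flows),
            "long_sessions": check_long_sessions(flows)}


if __name__ == "__main__":
    for name, hits in run_all(SAMPLE_FLOWS).items():
        print(name, [(str(f["src"]), str(f["dst"]), f["dport"]) for f in hits])
```

The long-session threshold is deliberately derived from the observed traffic rather than hard-coded, which is the "know what normal is" prerequisite the note on requirement 18 points out; the same structure works on real NetFlow exports once parse_flow is adapted to the exporter's field layout.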
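Since the note on requirement 6 asks what SPF actually involves, here is an added example (not from the original post) of the receiver-side half: evaluating the connecting client's IP against the sending domain's published policy. It is reduced to the mechanisms that can be evaluated without DNS (ip4, ip6, all) so it runs offline; the example.com record, the connecting addresses and the reject/quarantine mapping are constructed for this example. A production checker would fetch the TXT record for the envelope-from domain and also handle include, a, mx and redirect, as specified in RFC 7208.

```python
"""Added example: minimal receiver-side SPF evaluation (ip4/ip6/all only).
Qualifier semantics per RFC 7208: '+' pass (default), '-' fail,
'~' softfail, '?' neutral.  RECORDS is constructed test data."""
import ipaddress

# Constructed record for example.com; a real receiver fetches this from DNS.
RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Return [(qualifier, mechanism, argument)]; raise on malformed input."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qual, mech.lower(), arg))
    return parsed


def check_host(client_ip, mailfrom_domain, records=RECORDS):
    """Evaluate the connecting client IP against the domain's policy.

    Returns pass/fail/softfail/neutral, or 'none' when no record exists.
    Mechanisms are tried in order and the first match decides."""
    record = records.get(mailfrom_domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for qual, mech, arg in parse_spf(record):
        if mech == "all":
            return QUALIFIERS[qual]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
        # include/a/mx/exists/redirect need DNS lookups; treated as no match
        # in this offline example.
    return "neutral"


def receiver_decision(result):
    """Assumed local policy for the mail server: reject hard fails, hand
    soft fails to the spam filter, accept everything else."""
    return {"fail": "reject", "softfail": "quarantine"}.get(result, "accept")


if __name__ == "__main__":
    for ip in ("192.0.2.25", "2001:db8::1", "203.0.113.9"):
        res = check_host(ip, "example.com")
        print(ip, res, receiver_decision(res))
```

The publishing half of requirement 6 is just the TXT record itself; the choice between "~all" and "-all" at the end of it is the part to think about, because "-all" turns every forgotten outbound mail relay into rejected mail.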

This article was written by a former contributor to The State of Security who now resides with a non-profit group with an excellent reputation.

Cross Posted from Tripwire's State of Security

Redefining Social Networking
https://www.infosecisland.com/blogview/23217-Redefining-Social-Networking.html
Tue, 18 Jun 2013 06:17:29 -0500

Just as the words “computer” and “email” have become part of our everyday speech, the term “social networking” is simply part of our culture. And it’s obvious why – social networks are not new – humans are fundamentally gregarious and have always organized themselves into groups, forming strong and weak links. It’s the same behavior, just with new tools. Social media sites such as Facebook, LinkedIn and Twitter are by now so ingrained in our personal lives that it is only a matter of time before they become part of our work lives. This revolution is already happening and is known as “social business” or “enterprise social networking.” The question for businesses is no longer whether to implement it, but how.

Have you ever been swimming in the ocean only to find yourself being pulled in one direction by a strong current? No matter how hard you try, you can’t make any progress swimming against the tide. Similarly, while social networking may have its issues in the workplace, in particular security concerns, the key to success is not in fighting against it but, rather, in figuring out how to harness its potential while staying in control. Just like swimming in the ocean, the best approach is to stop fighting and swim with the tide until you reach the shore.

Redefining Social Networking

When it comes to adoption, the initial resistance in the enterprise seems to be that social networking isn’t typically associated with working. To put it bluntly, there are laggards who think that if it’s “social,” it can’t be business. Changing the way we talk about it by using the terms “social business” and “enterprise social networking” will re-align the way we think about social tools in the workplace. In turn, the minds of those aforementioned laggards will begin to open and see that social can have a place in business.

Simplicity and Ease of Use is Key

Introducing a social business environment should make life easier, not more complicated. At the heart of social business is simplicity and ease of use, which is why there’s a huge problem with some of the really complex tools available. The ideas behind them are nice, and they certainly seem comprehensive enough to fulfill the needs of the enterprise, but if a tool is too difficult to figure out and actually use, adoption will be low. The iPhone is a great example of simplicity done right. All of the basic functions that people want are readily available and incredibly intuitive, like making calls, checking email, downloading a new app, searching or texting. Because of that, it’s very popular. The same is true for rolling out a social business environment: it must be intuitive and secure or it will not thrive.

Social is Enhancing, Not Fixing

Generally the enterprise is looking to solve a problem when adopting new technologies. This mindset works against social business adoption since it’s really not solving anything, per se. However, it is enhancing the way things already work, which is just as valuable. Think about the car – when Henry Ford put the motor car into mass production, we already had a means of transportation in the horse and buggy. But with the car, we can travel faster and cover longer distances in less time. Similarly, there’s always room to improve processes in the enterprise. We can already communicate and collaborate, but there’s a way to do it more efficiently with enterprise social business. Research from McKinsey shows that social business offers companies the potential to improve the productivity of highly skilled workers by 20 to 25 percent. It is simply taking a process that is already in place, and making it better.

Understanding Business Value

While social networking tools may be about enhancing rather than fixing, users will be slow to adopt these tools if they don’t understand the value. Organizations must first recognize the business value and communicate to users exactly how social business will advance current processes and activities. If a user knows they can save time or improve an existing process with the help of social tools, they will be much more inclined to get on board.

Serious Consideration

In light of these barriers, I believe that the enterprise is only now beginning to seriously consider integrating social business into its normal everyday operations. Historically, the enterprise is very slow to adopt, often lagging four to five years behind the consumer. Think about the Bring Your Own Device (BYOD) trend, for instance. Employees started working on their own devices remotely without authorization, and once adoption got really deep within the organization, the IT department or CIO in charge realized it was not under control and lacked proper security controls. This is how BYOD evolved to have more standard practices, and social business is following suit.

Already the enterprise is beginning to see how social business benefits such as structured conversation and simpler communication have value. These realizations are backed by research, too.  For instance, McKinsey reported that companies that use social media internally can reduce, by as much as 35 percent, the time employees spend searching for company information. They state that additional value can be realized through faster, more efficient, more effective collaboration, both within and between enterprises.

While this is undoubtedly compelling, we’re in the early stages of ROI and more quantitative results will likely be needed before enterprise social networking becomes the new norm. As businesses come to fully understand how social networks will propel their organizations forward, I predict adoption rates will surge. I look forward to the day when business and social meet and, until then, am certainly enjoying the ride.

Cross-posted from WIRED Innovation Insights

Creating Your Own Privacy & ROI
https://www.infosecisland.com/blogview/23218-Creating-Your-Own-Privacy-amp-ROI.html
Mon, 17 Jun 2013 15:01:00 -0500

Preamble

With all the alleged revelations about the dragnet surveillance happening to us all at the hands of the government, I and others have been pondering the processes needed to protect one's communications online and over the phone. Wired and other venues have put out reasonably OK articles on this, but generally I think they have lacked on the ROI factor for the varying degrees of surveillance that have been carried out for some time now, not just the NSA with PRISM. The immensity of it all can put one off the idea of being able to keep one's privacy, especially given the pains that one must take to keep it against a nation state. However, there is much that could be done to have a modicum of privacy, but one has to understand the idea of OPSEC and have some technical base to work from in order to use technologies such as Tor or cryptography in the first place. It is another thing altogether to keep that mindset every day and to understand the importance of their use and the cause and effect that comes from failing to use them.

PRISM and NATION STATE SURVEILLANCE

As Ali (@packetknife) alluded to on the "Loopcast" recently with me, the idea that someone can completely deny the nation state program of surveillance is a tough one to swallow today. We are all connected to the net in some way, whether it be your smartphone or some other connected device that we carry with us 24/7. In the case of the smartphone, the utter and total pwn that goes on there is spectacular to think about. There is no need for tinfoil hat conspiracies about barcode tattoos on one's neck here; all you really need is an iPhone and connectivity to know quite a bit about a person. This is why the metadata issue is a big one, and people are seemingly unable to comprehend it. Let me clarify this for you all by also saying that not only are the calls to and from being easily monitored and mined (stored for later perusal when needed) by the NSA, it seems, but also the GPS data as well. Remember the hubbub over Apple's collection of GPS data on the phones a couple of years back? Remember the outrage in some parts over this? Well, now look at that in relation to how much of that data is accessible by the government too in this program. More to the point, and this has not really been talked about, are they correlating that data as well in the phone surveillance being carried out? My assumption is yes, but like I said, that seems to have been dwarfed and drowned out by the PRISM revelations.

Ok, so now we are being data mined and correlated on the phone calls we make (metadata): who we are calling, how long we are talking, and when, as well as the GPS location. All of that data is very informative about the habits of a person alone, but start to analyze it from a personal and psychological perspective and you can build quite the dossier on someone without even having to listen to their conversations. I hasten to add that there are rumors of the caching of conversations generally, not just under warrant from FISA. At this level, the nation state level of surveillance, one cannot hope to really be secure in their communications using technologies as they are, because of the access the government has built for themselves post 9/11 with the Patriot Act as its fulcrum. Access, mind you, that we are giving them by proxy of the devices we buy and the services that provide the connection, because without them we have no way to communicate other than in person or pen to paper with the post office's help, right?
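
To make the metadata point concrete, here is an added example (not part of the original post) that builds exactly such a dossier from nothing but call records. The records are constructed to resemble carrier call-detail records (caller, callee, start time, duration, and the caller's GPS fix at call start); the numbers, coordinates, the ~1 km grid, and the time bands used to guess "home" and "work" are assumptions for the illustration. Nothing in the input is call content; everything the script infers comes from the envelope alone.

```python
"""Build a subscriber dossier from call metadata alone (added example; constructed data).

Record layout (assumed, modelled on a carrier call-detail record):
    (caller, callee, start_iso, duration_s, caller_lat, caller_lon)
There is deliberately no call content anywhere in the input.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample records, not real data. 555-0100 is the subscriber we profile.
HOME = (40.7128, -74.0060)   # assumed coordinates, used only to build the sample
WORK = (40.7484, -73.9857)
RECORDS = [
    ("555-0100", "555-0199", "2013-06-10T07:55:00", 310, *HOME),
    ("555-0100", "555-0142", "2013-06-10T12:30:00", 120, *WORK),
    ("555-0100", "555-0199", "2013-06-10T22:10:00", 900, *HOME),
    ("555-0100", "555-0199", "2013-06-11T08:02:00", 200, *HOME),
    ("555-0100", "555-0177", "2013-06-11T10:15:00", 420, *WORK),
    ("555-0100", "555-0142", "2013-06-11T13:05:00", 95, *WORK),
    ("555-0100", "555-0177", "2013-06-12T10:40:00", 60, *WORK),
    ("555-0100", "555-0199", "2013-06-12T22:30:00", 1500, *HOME),
    ("555-0142", "555-0100", "2013-06-13T14:20:00", 80, 40.7306, -73.9352),  # inbound; fix is the caller's
    ("555-0100", "555-0177", "2013-06-13T10:05:00", 300, *WORK),
    ("555-0100", "555-0199", "2013-06-13T22:15:00", 700, *HOME),
    ("555-0300", "555-0301", "2013-06-10T09:00:00", 45, 41.0000, -73.0000),  # unrelated traffic
]

def rows_for(records, subscriber):
    """Every record in which the subscriber is either party."""
    return [r for r in records if subscriber in (r[0], r[1])]

def contacts(records, subscriber):
    """Who they talk to: {number: (call_count, total_seconds)}."""
    calls, seconds = Counter(), Counter()
    for caller, callee, _, dur, _, _ in rows_for(records, subscriber):
        other = callee if caller == subscriber else caller
        calls[other] += 1
        seconds[other] += dur
    return {n: (calls[n], seconds[n]) for n in calls}

def busiest_hours(records, subscriber, n=3):
    """Hours of the day with the most calls (when they are awake and active)."""
    hours = Counter(datetime.fromisoformat(r[2]).hour for r in rows_for(records, subscriber))
    return [h for h, _ in hours.most_common(n)]

def grid_cell(lat, lon):
    # Snap to a ~1 km square so GPS jitter collapses into one "place".
    return (round(lat, 2), round(lon, 2))

def habitual_places(records, subscriber):
    """Most frequent location by time band: night fixes suggest home, office hours suggest work.
    Only records where the subscriber is the caller carry the subscriber's own position (assumed)."""
    night, day = Counter(), Counter()
    for caller, _, start, _, lat, lon in rows_for(records, subscriber):
        if caller != subscriber:
            continue
        hour = datetime.fromisoformat(start).hour
        cell = grid_cell(lat, lon)
        if hour >= 21 or hour < 7:
            night[cell] += 1
        elif 9 <= hour < 18:
            day[cell] += 1
    return {"home": night.most_common(1)[0][0] if night else None,
            "work": day.most_common(1)[0][0] if day else None}

def routines(records, subscriber, min_days=3):
    """(number, hour) pairs seen on at least min_days distinct days: habit, not chance."""
    days = defaultdict(set)
    for caller, callee, start, _, _, _ in rows_for(records, subscriber):
        other = callee if caller == subscriber else caller
        t = datetime.fromisoformat(start)
        days[(other, t.hour)].add(t.date())
    return sorted(k for k, d in days.items() if len(d) >= min_days)

def dossier(records, subscriber):
    return {
        "contacts": contacts(records, subscriber),
        "busiest_hours": busiest_hours(records, subscriber),
        "places": habitual_places(records, subscriber),
        "routines": routines(records, subscriber),
    }

if __name__ == "__main__":
    for key, value in dossier(RECORDS, "555-0100").items():
        print(f"{key}: {value}")
```

Run as a script it prints the dossier for one subscriber: the number reached every night, the number dialled every weekday mid-morning, and the two grid squares that recur at night and during office hours. Encrypting the calls would change none of this output, which is the point: crypto protects content, and the envelope still has to be thought about separately.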

All of this though does not mean that the government is spying on you now. What it means is that the legalities have been created or bent to the will of the government to create the illusion that the wholesale collection of all kinds of data, for later use, on anyone using these systems is legal. It also means that no matter the protestation of the government and the law enforcement bodies that they take all due care not to collect/use/surveil you vis a vis your data, there is a chance that someone within the system "could" and "might" do so outside of the rules, and that is the problem here... well, other than the Constitutional, moral, and ethical issues, that is. Just because it is against the rules does not mean someone won't do it if they have the access. You know, like EJ Snowden having access to highly classified data that perhaps he shouldn't have? Or, furthermore, Mr. Snowden being able to insert a USB drive into systems and siphon off said data to give to the press or anyone who'd listen, right?

PRIVATE SECTOR or THE LITTLE SISTERS

Another issue that seems to be taking a back seat here is the notion of the Little Sisters to Big Brother. This idea springs from something I alluded to above: the corporations that offer you the services (Gmail/AT&T/Facebook etc.) all collect data on you every minute of every day. They use this data for advertising, data mining, selling that data to other companies to form synergies on how to sell you on things, etc. It is this practice of collecting all this data on us, and our complicity in it, that has given rise to the drift net approach that the government has taken with surveillance programs like PRISM. The government is simply leveraging the capacities that are already there in the first place! You want to blame someone for this mess? Look in the mirror, as you have allowed your data to be collected in the first place. YOU have placed your minute details out there on the internet to start with, in email or posts to Twitter and Facebook for example. YOU are the culprit, because you fail to understand OPSEC (Operational Security) and just scattered it on the net for anyone to see.

Of course other bits are more arcane. Cookies, tracking data within browsers and the like also give away much data on who you are and what you like, and allow the marketers to tailor ads for you when you go to sites that pay for the services. The aggregate of all of this data makes a digital portrait of you that, unless you take pains to disallow the collection, will be sold and used by the corporations to package YOU as the commodity. I mean, how do you think Facebook works? It's a social contract to connect to others and allow Facebook to make money off of your habits. Zucky is not in this to win a Nobel Peace Prize here, ya know.

So when you think about all this surveillance going on, please remember that you are complicit in it every time you surf the web, make a Facebook post, a tweet, or send an email unencrypted (Google Analytics, kids), because they are all sifting that data to "get to know you better" *cough*. It's just a friends with benefits thing as the government sees it, being able to just hit them with an NSL and plant a server in the infrastructure to cull the data they want. As long as it doesn't affect the bottom line (money) for them, I suspect their worries about privacy are, well, pretty low on average. I mean, after all, you have already signed away your rights, have you not? The little sisters are insidious and subtle, and I am afraid they have already metastasized within the body of society.

The Only Privacy You Can Have Is That Which You Make Yourselves

"The only privacy that you have today is that which you make for yourself" is something I said a while back on a blog post or podcast, and I still stand by it. It seems all the more relevant in the post-Snowden world today. By creating privacy I mean leveraging technologies like encryption to keep your communications private, and OPSEC to consider how you transmit information over the internet and telco. There are inherent problems with all of these things, though, as you can always make a mistake and end up leaking information either technically (for instance, logging on to something with your own IP address) or process-wise, like putting your current location on Facebook and saying you're on vacation for two weeks. It is all a matter of degree, though, and even if you are practicing OPSEC there are things outside of your control when the nation state is looking to spy on you. There are just no two ways about it: you can only fight the nation state so much with technology, as they have more resources and will eventually defeat your measures by end run or by brute force.

On the level of defeating the little sisters, well, the same applies, but with limitations. You can in fact surf the net on Tor with NoScript, cookies disallowed, and on an inherently anonymized OS on a USB stick, right? The little sisters can only do so much, and they only interact when they see a profit in it. They, after all, are not looking to be voyeurs just for the fun of it. They want to sell you something or sell you as metadata, right? However, if you start to anonymize yourself as much as you can and you are diligent about it, you can stop the Little Sisters, which in turn may minimize what Big Brother can use too. The caveat is that you have to take pains to do this and you have to know what you are doing. There are no magic easy button offerings on the shelf that will hide you from them all, and if you care then you will take the time to learn how to perform these measures.

ROI On Privacy

Finally, I would like to take stock of the fight here that you need to take on, and what the ROI is for each adversary involved. In reality, unless you go off the grid, change your identity, and never touch another piece of technology ever again, there is a high likelihood that your information will be tracked. One may in fact create a separate identity to pay bills with and use that one to surf online as well as for other things, but that is an extreme, just like the idea of becoming a Luddite. There must be a middle road where you can feel that you are protecting a certain portion of your lives from the unblinking eye of the companies and governments that own or access the technologies that we use every day. You have to, though, understand all of this and accept that in the end you may fail at keeping your privacy yours and yours alone. Come to grips with this and be smart, and you can have a modicum of success if you are diligent.

An instance of this ROI would be on the phones. If you TRULY want to be private, then you have to lose the smartphone that is billed to you and buy a burn phone. Cash is king, and there is no information taken if you do it right. The unfortunate thing is that you then have to call only others who have the same burn phones, without any metadata that ties them back to their real identities. You just try getting mom and dad to buy burn phones to talk to them on... It's not that easy. So really, some of the ROI is minimized by the nuisance factor. The same can be said for the lay individual who is not going to go buy encryption products, nor is capable of installing a Linux system and running something like GPG. This is not going to work for everyone, and not everyone is going to care about their privacy, as the recent Pew poll showed, where 56% of those polled were OK with the NSA surveillance program.

In the end it all comes back to the idea that you create your own privacy by your own actions. Do not trust that the government is going to protect your privacy, and certainly don't believe that the corporations will either. I mean, just look at how many spectacular fails there were on passwords that weren't hashed or encrypted in any way by companies hacked by LulzSec. As well, you should not trust that the government, no matter how well intended, will be ABLE to protect your privacy, as we have seen with recent events like Brad Manning's theft of (S) data as well as now Snowden's (TS/SCI). The actions of one person can be the downfall of every carefully crafted system.

So what is the ROI here? Well....

NATION STATE:

Crypto and anonymized traffic online will minimize your footprint, but eventually they will break you if they want to. You have to be exceptional to fight the nation state level of surveillance. As for the driftnet out there, well, unless you go Luddite they have a lot of data to sift and commingle. They have a pretty good picture of who you are, and much of that comes from the little sisters. Your ROI here is minimal because they have the power, and the thing you MUST remember is that CRYPTO IS YOUR FRIEND!! Encrypt sessions for chat and email and you will leave them with the task of either having to break that crypto or hack your endpoint to see the plain text. Make them work for it. Otherwise you may as well just BCC NSA.GOV on each and every email, it seems.

LITTLE SISTERS:

The little sisters though are another thing. You can in fact obscure a lot of what you do online and through telco, but you have to be diligent. It means time and sometimes money (burn phones or laptops in some cases) to obfuscate as much as you can. The ROI here is that IF you take these pains, you are then able to deny them easy access to your habits and patterns. If you start using crypto in sessions and in communications like email, then you will also be geometrically heightening your privacy status. But you have to do it... AND that seems to be the hard part for many, whether it is laziness or apathy I am not sure.

Privacy is what you make of it... He says as he hits enter on a public blog post!

Security Intelligence for the Enterprise - Part 1
https://www.infosecisland.com/blogview/23216-Security-Intelligence-for-the-Enterprise-Part-1.html
Mon, 17 Jun 2013 09:04:37 -0500

Security Intelligence. This topic seems to come up over and over in discussions with enterprise security leaders, security professionals, writers, and pundits. There are many different facets to the topic, but ultimately what are we talking about?

Princeton’s WordNet defines it more broadly (not specific to the cyber world) as such:

“Intelligence on the identity and capability and intentions of hostile individuals or organizations that may be engaged in espionage or sabotage or subversion or terrorism”

John Burnham of Q1 Labs brings a little flair by adding in the notion of “actionable,” as such:

Security Intelligence is the real-time collection, normalization, and analysis of the data generated by users, applications and infrastructure that impacts the IT security and risk posture of an enterprise. The goal of Security Intelligence is to provide actionable and comprehensive insight that reduces risk and operational effort for any size organization.

So what you have, really, is actionable and comprehensive insight on the identity, capability and intentions of parties that are hostile to your organization.

Today’s enterprise is under constant attack; there’s simply no denying that. And there has never been a more important time to have timely and actionable insight into what’s going on. There is, however, a caveat here which we’ll discuss in a bit.

Know thine enemy, before thou striketh

Let’s talk about why identity, capability and intentions are important. Take an article like this one hot off the presses, “U.S. urged to permit self-defense retaliation on hackers” from ZDNet. Let’s pretend for a minute that we live in a world where “retaliation on hackers” is a capability your enterprise possesses. (This would put you in the top .05 percent of all organizations out there, from my humble experience, but let’s ignore that for a moment and just pretend.) The decision to strike back is difficult — there are no two ways to go about it. An organization does not simply make a decision to “strike back” at any random attacker. There is a difficult decision to be made. The insight that security intelligence provides you on the identity, capability and intentions is critical to your decision-making process.

Attribution is perhaps one of the most critical components of such a decision, and having a clear identity (whether it be a group, a nation-state, or an individual) is paramount to your decision-making process. You wouldn’t go wasting resources striking back at someone port-scanning your web servers, would you? That simply wouldn’t make sense, partially because this happens every few seconds on the Internet. Identifying an attacker is a difficult process, and while the art and science of profiling and target attribution is developing … it’s still largely something best left to the specialists.

While you’re putting together the identity of your attacker it’s important to know the capabilities of that entity. You don’t want to end up in a situation where a lone attacker, being part of a larger group, probes your organization and you strike back at them, stirring the ire of the entire group and thereby incurring a greater attack than you’ve aimed to stop. Capability is important because you need to know whether your attacker has more resources and knowledge than your anti-hacker-hackers™ which you employ.

You don’t want to end up bringing a knife to a gun fight.

Last — but certainly not least — is intent. As part of your decision-making process you’re going to want to bring in the intentions (or at least perceived intentions) of the attacker you’re thinking of striking back against. Ask yourself: Is this a targeted attack by a determined individual?  Or is this your grandparents’ computer being compromised and used as a point of origin for an attack against your company to simply cause a distraction or take your attention away from something more important?

Identity, capability and intention are all critical in the way that an enterprise defends itself. Back to the real world — where your enterprise security organization is trying to do intelligent defense — having this information is absolutely critical to how you position your defenses, build your strategy, and operationalize your defensive capabilities.

So what exactly does actionable mean?

There is a lot of talk about having the right data, and being able to turn it into knowledge in a timely manner to make decisions or take meaningful action. At the center of that discussion is the idea of “actionable intelligence,” and what it really means. In my opinion, and after watching several organizations attempt to operationalize intelligence reports/feeds, for anything to be actionable your organization must be able to convert it quickly from bits to meaningful action. Actionable intelligence can be as broad as a memorandum that alerts the banking industry that there has been chatter by “cyber terrorists” about creating a large botnet in order to DDoS banking websites. Even if this doesn’t provide immediate detail, it can provide a sense of direction and urgency from which your organization can then derive action.

On the other end of that spectrum is an automated feed that takes data generated from human interaction and packages it for consumption by an automated mechanism. More concretely, a feed from a security research organization that produces IP reputation data, which is then fed into your firewalls and IPSes to make more intelligent alerting and blocking decisions, is a great example.
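
As an added illustration of that automated end of the spectrum (example code, not from the original post or any particular vendor), the script below takes a reputation feed and a batch of firewall log lines, both constructed here, and turns each match into one of three decisions: block when the indicator is fresh and high-confidence, alert when it is fresh but weaker, ignore when it has gone stale. The feed columns, the confidence scale, the 30-day freshness window and the 80-point block threshold are assumptions; tune them to the feed you actually subscribe to. The stale case is the one worth keeping: a feed entry from six weeks ago that is still driving blocks is how reputation feeds end up blocking a reassigned address.

```python
"""Turn an IP-reputation feed into alert/block decisions against firewall logs.

Added example with constructed data; feed layout, log layout, thresholds and
every address below are assumptions for the illustration.
"""
import ipaddress
from datetime import datetime, timedelta

FEED = """\
# indicator,confidence,category,last_seen   (constructed sample feed)
198.51.100.7,95,c2,2013-06-16T20:00:00
203.0.113.0/24,60,scanner,2013-06-15T08:30:00
192.0.2.50,40,spam,2013-05-01T00:00:00
198.51.100.7,20,spam,2013-04-01T00:00:00
"""

LOGS = """\
2013-06-17T09:01:12 src=10.1.4.22 dst=198.51.100.7 dport=443 action=allow
2013-06-17T09:01:40 src=203.0.113.99 dst=10.1.4.10 dport=22 action=deny
2013-06-17T09:02:03 src=10.1.4.23 dst=192.0.2.50 dport=25 action=allow
2013-06-17T09:02:10 src=10.1.4.24 dst=93.184.216.34 dport=80 action=allow
"""

def parse_feed(text):
    """One entry per indicator; if the feed lists it twice, keep the strongest, most recent claim."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        indicator, confidence, category, last_seen = line.split(",")
        entry = {"net": ipaddress.ip_network(indicator), "confidence": int(confidence),
                 "category": category, "last_seen": datetime.fromisoformat(last_seen)}
        current = entries.get(entry["net"])
        if current is None or (entry["confidence"], entry["last_seen"]) > (current["confidence"], current["last_seen"]):
            entries[entry["net"]] = entry
    return list(entries.values())

def parse_log(line):
    """'ts key=value ...' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def lookup(ip, feed):
    """Best matching entry for an address: highest confidence, then most specific prefix."""
    addr = ipaddress.ip_address(ip)
    hits = [e for e in feed if addr in e["net"]]
    return max(hits, key=lambda e: (e["confidence"], e["net"].prefixlen)) if hits else None

def decide(entry, now, max_age=timedelta(days=30), block_at=80):
    """Stale indicators are ignored outright; fresh ones block or alert by confidence."""
    if now - entry["last_seen"] > max_age:
        return "ignore"
    return "block" if entry["confidence"] >= block_at else "alert"

def evaluate(log_text, feed_text, now):
    """Match both ends of every logged flow against the feed and attach a decision."""
    feed = parse_feed(feed_text)
    results = []
    for line in log_text.splitlines():
        rec = parse_log(line)
        for side in ("src", "dst"):
            hit = lookup(rec[side], feed)
            if hit:
                results.append({"ts": rec["ts"], "side": side, "ip": rec[side],
                                "indicator": str(hit["net"]), "category": hit["category"],
                                "confidence": hit["confidence"], "action": decide(hit, now)})
    return results

def block_rules(results):
    """iptables-style rules for the 'block' decisions: inbound hits on src, outbound hits on dst.
    The whole indicator is blocked, since that is what the feed actually asserts."""
    rules = []
    for r in results:
        if r["action"] != "block":
            continue
        if r["side"] == "src":
            rules.append(f"-A INPUT -s {r['indicator']} -j DROP")
        else:
            rules.append(f"-A OUTPUT -d {r['indicator']} -j DROP")
    return rules

if __name__ == "__main__":
    found = evaluate(LOGS, FEED, now=datetime(2013, 6, 17, 9, 5))
    for r in found:
        print(f"{r['ts']} {r['side']}={r['ip']} matched {r['indicator']} "
              f"({r['category']}, confidence {r['confidence']}): {r['action']}")
    print("\n".join(block_rules(found)))
```

On the sample data the outbound connection to the C2 address becomes a block rule, the scanner in the /24 becomes an alert, and the six-week-old spam entry is reported but not acted on. Whatever the feed format, the two decisions a practitioner has to make are in `decide`: how old an indicator may be before you stop trusting it, and how confident the source must be before you let it change a firewall without a human in the loop.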

Putting it together

Now that we have a relatively more clear definition, and have discussed what security intelligence is and should provide for your enterprise, let’s talk about putting it all together. You see, having the information and being able to do something with it are entirely different. Having knowledge that it will rain tomorrow does not necessarily mean I won’t get wet during the day — it simply means I’ll likely be more prepared if I heed the information.

This is where things get difficult. Where the rubber meets the road. In the next post, I’ll discuss why even if you’ve got good, actionable intelligence you’re probably not going to do much with it.

Cross Posted from Following the Wh1t3 Rabbit

Why are Cybercrimes NOT Always White-collar Crimes?
https://www.infosecisland.com/blogview/23212-Why-are-Cybercrimes-NOT-Always-White-collar-Crimes.html
Mon, 17 Jun 2013 07:31:00 -0500

A generic definition of a crime would be an act that is in violation of the applicable laws. A crime or criminal offense may essentially hurt an individual or the community (a city or a nation) at large. This concept has now been taken to the next level with the rising popularity of cybercrimes. In recent years, there have been several analyst reports on the increasing trends of cybercrimes. Of late, several interchangeable terms for cyber crimes, such as computer crime, cyber fraud, internet crime, cyber exploitation, electronic rackets and many others, have emerged. Interestingly, there is no such term as “cybercrime” in any Indian law.

‘The State of Information Security Survey - India, 2013’, a report by PwC, reported that the size of the information security market in India in 2012 was Rs 1,200 crore, and its estimate for 2013 is Rs 1,415 crore, a growth of 18 per cent. According to the survey, medium businesses with revenues ranging from Rs 500 crore to Rs 5,000 crore saw an estimated 17 per cent increase in security spending in 2011-12, followed by small businesses with revenues less than Rs 500 crore, where spending increased by 14 per cent. This shows that organizations are not only aware of the menace of cyber threats and attacks but are also focusing on addressing these issues.

There are local laws in almost all countries pertinent to cybercrimes and their admission in the legal system for trials. However, until an actual “terrorist intent” is detected, these perpetrators are never addressed as criminals, but instead as white collar criminals or simply as ‘hackers’. White collar crimes are generally perceived as victimless and do not get the attention in society that crimes of theft, hate, violence, narcotics and terrorism do. However, in terms of actual state or national revenue lost, white collar crimes amount to just as much. A hack or a cyberattack can lead to organizations losing data worth millions and having their revenues compromised. It is also because these criminals are often educated and have jobs in reputed organizations that they are given leeway. They don’t get the same amount of negative publicity or social interest compared to other criminals. The damage that these crimes do is often worse and has far-reaching effects.

To illustrate this, let us look at an average cybercrime caused by a DoS (Denial of Service) or a DDoS (Distributed Denial of Service, which is often an organized cybercrime). Web applications belonging to financial institutions like banks, stock exchanges, government bodies and universities remain hot targets for such attacks. A simple DDoS on a banking site affects all the bank’s customers and parties associated with the bank. Very simply put, it is two-way damage, affecting both the payer and the recipient of funds. In many cases this can mean the difference between life and death. Clearly this is NOT a victimless crime; it only appears to be one because the victims are not around to lodge a complaint, or in most cases do not even know that they have been exploited.

The sheer penetration of the internet, dependence on it, and the consumer convenience of internet banking, e-commerce, trading and online management systems is what often provokes cyber criminals to commit crime. Services like internet banking and airline bookings / check-ins are no longer a luxury but life-essential amenities. The outage of such services often causes a lot of media hype and gets the attackers exactly the attention they are looking for. Hacktivist groups and cyber vandals are constantly on the lookout for such easy consumer-based targets.

Just imagine: you are stuck in a blizzard and cannot check into a hotel because your credit card limit has abruptly maxed out, or you are unable to transfer funds back home for an emergency, or you are not able to charge against your health insurance policy because the networks are down. These are scenarios that are often not taken into account while defining a punishment for the act of a cybercrime. It has also been my personal experience that during such attacks the target banks and application / internet / telecom service providers often do not disclose the occurrence of such attacks, to avoid public embarrassment. It is this substantial lack of transparency in the reporting of such incidents by the affected parties that makes it increasingly difficult to catch the culprits. It takes the average victim more than a week to determine whether they have actually been exploited. The combination of the two factors mentioned above, along with the time delay, helps the criminals get away.

Law enforcement agencies and legal bodies need to realize a simple truth: “Cyber crimes are actually capable of taking lives”. While the statement may sound a little exaggerated, the actual ripple effects of cyber crimes are felt very late. The impact of a cyber crime is far more than what can be seen at the outset. It is not simply about the unavailability of services or some sites being defaced. This is somewhat like the “Butterfly Effect” theory.

Cyber crimes are becoming costlier by the day. They are costing the global industrial landscape billions of dollars. Such crimes also have severe fallout effects such as permanent loss of reputation, loss of jobs and an overall negative hit on the economy. Not too long ago, Microsoft officially put up a bounty of USD 250,000 for apprehending the creators of the MSBlast malware.

The Indian IT Act has come a long way from where it began. However, it needs to become stringent in two ways: by placing the onus on authorities like the police and empowering them with the right tools and knowledge to apprehend such criminals, and by increasing the severity of the applicable punishments. While harsher sentences are not the complete solution, they are a very strong deterrent. Frost & Sullivan reveals that nearly 80 percent of Indian business enterprises have reported data theft through online hacking and that the cost of computer crimes has reached a whopping USD 10 billion; India is ranked fifth in terms of e-commerce security breaches. These criminals should be tried and prosecuted to the full extent of the law. There also needs to be inter-agency synergy between the local cybercrime authorities and bodies such as Interpol, the NSA, and the CERT.

Cross Posted from The EC-Council News Blog.

From the SMB to Security Guru: Five Ways IT Pros Can Manage Security on a Budget
https://www.infosecisland.com/blogview/23210-From-the-SMB-to-Security-Guru-Five-Ways-IT-Pros-Can-Manage-Security-on-a-Budget.html
Fri, 14 Jun 2013 14:16:00 -0500

The rising demand for affordable IT security tools and the concept of security commoditization make it difficult to choose the right security solution for organizational networks of any size. Especially for SMBs, whose budgets are a key determining factor, it becomes all the more difficult to accommodate a variety of tools for different purposes such as IT security, operations and compliance. And while IT professionals from SMBs may find it easy to ignore screaming headlines announcing the latest enterprise security breach, it doesn’t mean they have the luxury of ignoring security altogether.

In fact, the same security threats enterprise organizations face should also be taken seriously by SMBs, especially: targeted espionage, unintentional or accidental loss of data, Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks, understaffed IT teams, phishing attempts and malware exploiting common vulnerabilities in Java and Flash runtimes.

Given the expanding threat landscape for the SMB and the increased demand for affordable IT security tools, here are five valuable tips for IT pros that help shed light on managing enterprise security on a budget:

1. Demonstrate Value: Show how powerful analytics, incident awareness, change modeling, automated audits and built-in reporting convert to operational efficiencies, and in turn, major cost savings for the company.

  • Analytics and Incident Awareness: The combination of real-time analytics and incident awareness of operational and policy-driven events happening on the network ensures continuous monitoring and the ability to identify potential security threats. Real-time event log correlation provides granular analytics to detect and alert on threats sooner, and results in quicker and more efficient remediation measures.
  • Change Modeling: There’s a great deal of time and effort invested in implementing firewall rule changes, and if a change fails, networks may be exposed to security risks and firewall irregularities. Predictive change modeling evaluates the impact of proposed changes to ACL, NAT, and route rules on network operations before they go live in the production environment, which augments the operational efficiency of managing firewalls.
  • Built-in and Automated Reporting: Security tools with these features save manual hours spent generating detailed and customized compliance and management-level reports, and they also keep pace with network and security audits.

2. Combine Visibility and Control: Visibility from monitoring tools combined with the ability to take control and manage rules, roll back device settings, identify rogue devices, and quarantine systems to pre-empt security disasters, will ultimately help avert security risks.

  • Roll Back Network Device Settings: Many times there’s a security mishap due to unwarranted configuration changes. Having visibility over these changes, comparing configurations over time, and being able to roll back to an earlier, good configuration is a powerful security remedy.
  • Identify Rogue Devices: With the BYOD explosion, it’s become more complex to manage and maintain visibility on all user devices on the network. When a rogue device connects or an error is caused by an offending device, it’s important to be able to identify it and shut down the port to mitigate security risks and prevent network problems.
  • Quarantine Infected Systems: It is possible that when security is breached and any system is infected by malware, phishing, spyware, etc., the infection could spread to other machines on the network. This has to be detected in real time and the infected machine has to be shut down and disconnected from the network.

3. Bang for Your Buck: Use best-of-breed security tools that also render functionality to address and simplify IT operational challenges alongside securing IT assets from vulnerability exploits. Establish integration between security and network management tools to simplify management and centralize security and operations control.

  • Patch management is a strong security measure that prevents vulnerability exploits by patching applications with security updates. Besides the security viewpoint, centralized and automated patch management reduces manual patching efforts and simplifies IT operations.
  • Firewall change management is another key security frontier that provides tremendous functionality to simplify rule and object management and thereby enhance security.
  • User device tracking tools integrated with IP address management solutions allow IT pros to gain extended visibility into the organization’s IP space and help manage BYOD.
  • Network performance monitoring solutions integrated with SIEM systems provide correlation of network events with other events across the enterprise, perform root-cause analysis of problems across systems, and triage or respond to issues.

There are various combinations to put the network and security pieces together, and they need to be tailored to the organization’s specific requirements. For what it’s worth, this is definitely more affordable than larger and more complex enterprise security solutions.

4. Prepare Failover, DR and Backup Plans: Should there be a security mishap, avoid data loss and service downtime. Here are some tips:

  • Have a secondary network line as backup to ensure high availability in the event the network goes down.
  • Back up as often as possible – at least important data. Avoid backing up to a partition on the same disk; use a different storage device instead.
  • Consider affordable cloud storage options to back up corporate data.
  • Have failover servers to switch over should the primary server fail or crash.
  • Prepare failover options for network monitoring tools in order to monitor network performance.
  • Have the capability to monitor logs and identify anomalies in order to understand if security systems function as expected or are breached.
  • Put remote connectivity options in place should employees need to work from home.

These are a few cost-effective tips for keeping the network and services up and running without interruption. Many SMBs do not have a proper DR and backup plan in place and thus fall victim to crashes and downtime, as well as the inability to recover lost data and service.

5. Education and Training: Educate and train employees and IT teams on corporate IT security policies, violations, and security risks.

  • Make employees personally feel they are also responsible for corporate IT security.
  • Spread awareness via emails and short group sessions on the impact of not being alert and prudent about actions that could create security risks.
  • Have security FAQs in the help desk knowledge base.
  • Conduct internal IT security policy quizzes or tests for employees and encourage them to learn policy violations and their impact on business.
  • Consider registering employees for free daily online security tips, like those from the SANS Institute.
  • Leverage peer-to-peer online communities for security mindshare.

Security education is part of smart security preparation. Better awareness and preparedness will help avoid many commonplace security lapses.

When selecting security tools, keep in mind that budgetary restrictions don’t have to entirely compromise IT functionality. Based on the information outlined above, SMBs do not have to invest in costly and sophisticated enterprise solutions for IT security. The trick is to find the optimum tools that are affordable and efficiently serve multiple network and security requirements while accounting for cost savings.

About the Author: Vinod Mohan is a senior product marketing specialist for SolarWinds, a provider of products and tools that help solve a broad range of IT management challenges.

Copyright 2010 Respective Author at Infosec Island
Balancing Act Between Privacy and Security
https://www.infosecisland.com/blogview/23209-Balancing-Act-Between-Privacy-and-Security.html
Thu, 13 Jun 2013 08:36:00 -0500

Detailed news about the global data acquisition methods used by the United States brings up one of the key sources of tension in today’s modern democratic societies: the need to balance privacy against security. Both are mandatory and necessary. Privacy is inherent in our contemporary understanding of democracy, whereas security requires intelligence. The challenge lies in finding the right balance while avoiding excesses.

The newly published information should not be ignored. The court order requiring Verizon to hand over customer data, PRISM and Obama’s Presidential Policy Directive 20 all reflect the same difficulties in finding a balance. Citizens’ private information and correspondence are being scrutinized in the name of collective security. At the same time, the legitimacy of intelligence depends on democratic consent/consensus and calls for the protection of individual rights. The risk brought by excess is that the state uses security as an excuse to ignore cyber issues from the public discussion and, in the worst case, turns authoritarian. On the other hand, lack of sufficient information makes one prone to surprises.

The challenge of finding the right balance is centuries old. In the cyber world, it has simply acquired a new form and scale. It is natural that intelligence and security players operate in the common space also shared by people and information. The changing world opens new opportunities to those players, and society itself demands their continuous presence in the cyber world. Most commonly, these demands are presented in the name of collective security, as it would be denounced as irresponsible if the intelligence and security actors did not screen the cyber world. PRISM is likely only the tip of the iceberg; there are many actions in the networks that we are not even aware of.

Making a distinction between public and private is not an easy task. In addition, where the line falls on the public-private axis depends on historical grounds. The war against terrorism moved the line clearly towards stronger state secrecy and weakened privacy. At the same time, the world became aware of both the vulnerabilities and the opportunities inherent in the cyber world. Over the past few years, nation-states have allocated more and more resources to the development of cyber collection and of both offensive and defensive cyber warfare capabilities. We only hear about the results of these development programs when they are used in public, as was the case with Stuxnet, or leaked to the media. Most often we do not hear of them at all.

Only the whistleblowers themselves know their motives for handing over information to Wikileaks or newspapers. Nevertheless, it is fair to interpret these actions as some kind of reaction against tightening cyber surveillance and the securitization of the cyber world. The fear of deteriorating privacy protection has strengthened the demands for transparency in state administration and in its agreements with third parties.

It is important and desirable that potential excesses of state intrusion into citizens’ private data are brought into daylight. A different question, however, is which channels are acceptable for that information to find its way into public discussion, and how detailed it should be. Nonetheless, the right balance between surveillance and privacy or freedom of speech can only be set in public discussion. Today’s definition of democracy already requires this. In addition, the rules of the cyber game are to be established and confirmed in the same arena.

The United States is not an exception amongst modern democratic societies. On the contrary, all of these societies struggle with a similar kind of tension between privacy protection and societal security. Therefore, it is only desirable that active discussion on the topic takes place in many arenas everywhere.

The NSA’s Word Games Explained: How the Government Deceived Congress in the Debate over Surveillance Powers
https://www.infosecisland.com/blogview/23208-The-NSAs-Word-Games-Explained-How-the-Government-Deceived-Congress-in-the-Debate-over-Surveillance-Powers.html
Wed, 12 Jun 2013 19:45:44 -0500

Article by Kurt Opsahl

ANDREA MITCHELL: “Why do you need every telephone number? Why is it such a broad vacuum cleaner approach?”

JAMES CLAPPER: “Well, you have to start someplace.”—NBC Meet the Press, this past Sunday

Concerned about the surveillance of millions of ordinary Americans, last year Senator Ron Wyden asked Director of National Intelligence James Clapper, Jr. a simple question: "Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?"

Wyden had good reason to worry. As a member of the intelligence committee he had access to classified information and had been warning from the Senate floor that the American people would be “shocked” to find out how the government was interpreting the FISA Amendments Act and the PATRIOT Act in secret.

DNI Clapper’s answer was simple: "No, sir ... not wittingly."

This just is not true. We’ve known for years that the government has been conducting surveillance on millions of ordinary Americans, and now we know that the Foreign Intelligence Surveillance Court issued an order in April requiring Verizon to hand over *all* call records, foreign or domestic, of every call of every customer to the NSA. Simply put, DNI Clapper’s statement was not the truth. 

On Sunday’s Meet the Press, Clapper was grilled about his statement to Congress.  He claimed it was the “least untruthful manner by saying no.”

How does he defend that?  This may sound strange, but the Administration actually uses very particular definitions of words that are vastly different from how ordinary people interpret them and how they're normally defined. As we explained in this dedicated page to the NSA’s word games, “collect” has a very different meaning to them than it does the rest of us.

Under Department of Defense regulations, information is considered to be “collected” only after it has been “received for use by an employee of a DoD intelligence component,” and “data acquired by electronic means is ‘collected’ only when it has been processed into intelligible form.”

In other words, the NSA can intercept and store communications in its database, then have an algorithm search them for key words and analyze the metadata without ever considering the communications “collected.”

Here's how Clapper explained it:

JAMES CLAPPER: And this has to do with of course somewhat of a semantic, perhaps some would say too-- too cute by half. But it is-- there are honest differences on the semantics of what-- when someone says "collection" to me, that has a specific meaning, which may have a different meaning to him.

“Too cute by half”? Clapper’s answer certainly was not a slip of the tongue. Today, Wyden said in a statement that he had given Clapper a day’s notice that he was going to ask the question, so as not to catch Clapper off guard. Wyden also gave Clapper a chance to amend his answer after his testimony, but Clapper declined.

In a bizarre analogy, Clapper compared the NSA’s vast database to a library:

A metaphor I think might be helpful for people to understand this is to think of a huge library with literally millions of volumes of books in it, an electronic library. Seventy percent of those books are on bookcases in the United States, meaning that the bulk of the of the world's infrastructure, communications infrastructure is in the United States.

So in the DNI’s world, “collection of U.S. persons' data would mean taking the book off the shelf and opening it up and reading.” 

Of course, in the real world, when you add books to a library, that’s when they become part of the collection, even if the librarian hasn't read all, or even most, of them. Imagine Clapper has built a home library, and a friend comes over. "That's quite a collection of books," the friend says. "No, no, that's not a collection of books – I haven't read them all."

Ironically, the one check on Section 215 of the PATRIOT Act that was added by Congress is restrictions on how the FBI can target libraries.

All of this would be amusing if the Administration’s main argument in defense of the NSA’s massive spying program were not that Congress has been informed of all their activities. Democracy can’t function when Congress is “informed” by the “least untruthful” statements of the Administration, using unusual definitions that are designed to give an impression that is the polar opposite of the truth.

Lots of words can have multiple definitions – “to fire” can mean to discharge a firearm or to glaze pottery in a kiln. But if you’re asked if you fired a gun, they’re not asking if you put it in a kiln. Senator Wyden was clearly asking if the NSA obtained the records, not whether they looked at each and every one, and DNI Clapper is too smart to have misunderstood him.

It’s clear Congress has been deceived and DNI Clapper and the Administration should come clean on how, when, and why they scoop up the phone and Internet records of millions of Americans. Join EFF in calling for a full investigation by emailing Congress today.

Cross Posted from the EFF's Deep Links Blog

NSA Surveillance Is Legal And Not Targeting Average Americans, Says Texas A&M Professor
https://www.infosecisland.com/blogview/23207-NSA-Surveillance-Is-Legal-And-Not-Targeting-Average-Americans-Says-Texas-AampM-Professor.html
Wed, 12 Jun 2013 16:42:00 -0500

Supposed "bombshell revelations" about NSA surveillance programs are, at this point, much ado about nothing, says a professor at Texas A&M University who contends that the government's monitoring of phone and Internet communications has been going on for years, is completely legal and is not targeting the average U.S. citizen.

Ron Sievert, a law professor and director of the Advanced International Affairs Program at Texas A&M's Bush School of Government and Public Service, says the so-called "whistleblower" Edward Snowden, a former CIA employee, did leak classified information about NSA surveillance programs, but the information was about operations that follow the law.

"Everything that has been disclosed as of this date is not illegal or unconstitutional," he notes.  "Anyone who is saying that what the government is doing is illegal doesn't understand the law."

Sievert, a former Department of Justice litigator and author of the books "Cases And Materials On U.S. Law And National Security" and "Defense, Liberty and the Constitution," has long studied issues related to the law and national security, and says despite media reports to the contrary, "if you are a U.S. citizen and not the subject of an investigation, then no one is reading your emails or listening to your phone calls."

Claims that President Obama has granted sweeping new powers to intercept U.S. communications are simply not true, Sievert says.

"And this 'whistleblower' probably didn't understand that these programs are not illegal," he adds.

One of the programs in question, known as PRISM, involved the monitoring of emails of foreign citizens outside the country, Sievert says, not American citizens.

Since only the emails of foreign citizens were intercepted, Sievert says the program was not unconstitutional. "The Supreme Court held in the Verdugo case (1990) that foreign citizens do not have our 4th Amendment Constitutional right [against unreasonable search and seizure], and so there is no constitutional violation," he insists. "Moreover, it appears these were monitored pursuant to a court order."

The other surveillance program under suspicion, the collection of phone call data, does involve U.S. citizens, but Sievert says, "they're only looking at the numbers that are being called, not listening to the content of the calls."

Sievert says this type of phone data collection has been legal for decades.


"The Supreme Court held in the 1970s that you do not have a constitutionally protected expectation of privacy in what you share with a third party and, of course, you share the numbers you call with the phone company and your Internet contacts with Internet service providers," he explains. "The ISP shares those contacts with advertisers, and that's how you get targeted pop-ups."

He says that later, the Electronic Communications Privacy Act of 1986, amended in 1994, gave the federal government the right to collect data on phone numbers being called. Then in 2001, the Patriot Act expanded that to include email addresses.

Collecting data on the numbers, times and duration of phone calls can aid an investigation, says Sievert, because "investigators may be able to make assumptions as to content by looking at patterns of calls. This may require collecting an enormous amount of data, but this type of data collection is legal as long as they have a court order and it's relevant to a federal investigation or for intelligence purposes."

So why are people so up in arms about legal programs that have been going on for years?

"The 'whistleblower' disclosed the nature and extent of the programs," the professor explains. "No one knew that the government was accumulating a vast amount of phone call data for the purpose of determining patterns that might be characteristic of terrorist activity.

"He also disclosed that with foreign communications, the government is looking at content, but again, foreigners do not have our constitutional rights. These are things we've been doing for a long time, it's just the extent and the specifics of the programs had not been disclosed until now."

And as for widespread media chatter about NSA surveillance on the average U.S. citizen, Sievert dismisses it. "They're trying to prevent terrorism; the NSA doesn't care if you're calling your bookie."

Of course there are instances when the federal government might listen to the phone calls or read the emails of an American citizen. "It's a much higher standard for a U.S. citizen," Sievert notes. "They must have probable cause to believe that you are an agent of a foreign power or that you're committing a crime, and they must have a court order that says the surveillance is relevant to a proper purpose. It's common that the affidavit submitted to the judge to establish that probable cause is greater than 60 pages in length."

Sievert points out that erroneous reports of "illegal" or "unconstitutional" government surveillance programs are confusing people. "These programs are legal, so if people don't like them, they need to change the law."

SOURCE: Texas A&M University

Enterprise Software Security - The Fake Choice Between Fast and Secure
https://www.infosecisland.com/blogview/23206-Enterprise-Software-Security-The-Fake-Choice-Between-Fast-and-Secure.html
Wed, 12 Jun 2013 12:55:20 -0500

A question crossed my desk recently that read something like this:

"What do you say to organizations considering software security, but struggling with adoption due to the inevitable, additional drag on release cycles?"

First, let me say I think this is a false choice — deciding between security and speed. If adding security to your enterprise software development methodology and lifecycle creates a significant amount of drag on the actual release deadlines — for an extended period of time — you’re doing it wrong.

You’ll notice I highlighted a part of that last sentence. There’s a reason for this. There is no denying it: if you’re dropping security into an existing software release strategy, it’s going to be hell on wheels initially. Whether you’re dropping it into a waterfall methodology, Agile, or continuous release, it’s going to put a fairly heavy drag on the release process at first. This pain shouldn’t last very long.

The reason why isn’t obvious, and it is worth explaining from my perspective.

In the last six years I’ve probably been responsible, either directly or indirectly, for about two dozen implementations of security into an existing enterprise SDLC (I’ve had success to varying degrees). Each engagement started with a reasonable period of data gathering, then a pilot, then lessons learned, and then phased/staggered enterprise-wide implementation. At the start of each phase there was the inevitable learning curve, adaptation, and then rapid assimilation of the security processes. That was for the times we got it right. When we got it wrong, that inevitable learning curve collapsed into a plateau and never really got anywhere. That was our indicator to try, try again.

This is where I get my argument that speed and security should absolutely not be mutually exclusive. Let’s be realistic though: security processes aren’t going to disappear entirely into the woodwork and become zero-effort (believe me, no one wants that more than those of us pushing software security). The best-case scenario you can hope for is an appropriately designed injection of security, such that the drag balances the benefit of reduced technical risk. In that game, everyone’s happy and no one cries foul.

You’ve probably heard that the purpose of brakes on a car isn’t to slow the car down, but to enable it to drive faster, right? The same applies to injecting an aspect of security into your software development and release processes.

If you think about it carefully, injecting security components into your software development and release methodology early on — and throughout — actually helps you go faster.

Follow my logic:

Let’s assume that no organization actually wants to release software that forces it to take on unknown amounts of technical risk. If that’s the case, then you want to have better security, but strategically, and in the right places, so you’re not stuck finding out the day before you have to go live that you’ve got major security problems. At that point you’re stuck with more than just having to push a release date; oftentimes enterprises are hit with financial penalties. Even if the code goes out vulnerable, you’re still likely going to have to make the fix at some point. And unless your math is different from mine, you’re still adding to the overall release cycle and wasting a lot of energy needlessly. Of course, I’m not telling you that just because you include security in your requirements cycle you won’t end up with 100 SQL Injection vulnerabilities in your web application, but I am telling you the likelihood is significantly lower, and your overall release velocity is better.

So, back to that original question. What do I say to those organizations considering software security, but struggling with adoption due to the inevitable, additional drag on release cycles?

First, it’s 2013 and if you don’t have a software security strategy by now, odds are your adversaries have beaten you multiple times, and you haven’t realized it yet. Second, someone is making cheap excuses. Software security is as much about speeding up the release cycle as it is about releasing safer and less risky software.

Cross Posted from Following the Wh1t3 Rabbit

BSidesLV Preview: Vulnerabilities in Application Whitelisting
https://www.infosecisland.com/blogview/23205-BSidesLV-Preview-Vulnerabilities-in-Application-Whitelisting.html
Wed, 12 Jun 2013 12:38:07 -0500

Security BSides Las Vegas will be held on July 31st & August 1st, and so we continue our series highlighting some of the many interesting sessions that are scheduled for the conference.

We first covered a session about a free Windows web server tool called OMENS, followed by a review of Fun with WebSockets Using Socket Puppet and a session titled Matriux Leandros – An Open Source Penetration Testing and Forensic Distribution, which examines the first Debian-based security distribution for pentesting and forensic investigations.

This week we look at a session titled Vulnerabilities in Application Whitelisting: Malware Case Studies by co-presenters Jared Sperli (@JaredSperli) and Joe Kovacic (@itSoSafe), which seeks to demonstrate how malware can accomplish negative outcomes by manipulating application certificates and using file system filter drivers to defeat application whitelisting efforts.

Whitelisting, one of the newer breeds of anti-malware strategy, is already falling prey to malware with features developed to impede the technology’s adoption, using techniques that range from “causing unwanted behavior in the solution to directly altering the execution of the security solution to avoid detection while making it appear as though it is operating correctly,” according to Sperli and Kovacic, who will also discuss how to factor these kinds of vulnerabilities into your security decision-making process.

Kovacic is the CEO and principal engineer for itSoftware, which specializes in Windows security solutions, and Sperli acts as COO and “principal chauffeur” for the company, which the two co-founded.

Kovacic started his career as an IT Helpdesk Software Engineer and later applied his Windows expertise to software development at VMware, while Sperli is an Army military intelligence veteran with training in computer network operations.

Sperli said he and Kovacic chose the topic of whitelisting vulnerabilities because they were already interested in embedded security options for Windows devices, and malware had been winding up on more Windows embedded devices recently.

“While the market for enterprise computer protection is very crowded, the embedded device security market is bare,” Sperli said.

“What we saw were a few different application whitelisting products since blacklisting products would not work with most of the designed devices.  We figured that there was malware already in existence that defeats these types of security as well since whitelisting has been around for a few years.”

Sperli and Kovacic designed the presentation to be of interest to a rather wide-ranging audience, namely anyone who is responsible for securing Windows devices or computers.

“There are a few different technologies that try to stop malware on the Windows operating system,” Sperli explained. “Most people are familiar with antivirus and its shortcomings.  The lesser known technologies include application whitelisting, behavioral based detection, and automatic execution detection.”

Sperli said about one-fourth of their talk will focus on advice for security professionals to help them secure their Windows machines, and they plan on providing more than a few lessons for the attendees to walk away with.

“One key lesson is to engage with your security vendors about the known weaknesses of their solution,” Sperli said.  “Vendors need to be honest and should offer mitigation tips when discussing their solutions.”

Sperli emphasized that it is really important to dedicate a significant amount of time customizing your security environment to make it unique, and thus that much harder for an attacker to defeat.

“It is also important to understand the weaknesses of every security solution an enterprise purchases, because if you don’t have that information you won’t know where to focus your security review efforts,” Sperli said.

It is a given that malware writers will continue to try and defeat the latest security solutions, Sperli asserts, and there is just too much money and information at stake.

The question remains as to whether enterprises will continue making it easy for malware writers by simply maintaining the status quo, or if they will become more dynamic and adopt new technologies while working to close remaining vulnerabilities.

“I predict the organizations that experience a catastrophic event will embrace change,” Sperli said.

“But most will wait and hope a catastrophic event doesn’t occur.”

Cross Posted from Tripwire's State of Security

Scangate Re-visited: Vulnerability Scanners Uncovered
https://www.infosecisland.com/blogview/23204-Scangate-Re-visited-Vulnerability-Scanners-Uncovered.html
Wed, 12 Jun 2013 12:19:00 -0500

I have covered VA tools before, but I feel that one year later the same misconceptions prevail. The notion that VA tools really can be used to give a decent picture of vulnerability is still heavily embedded, and that notion in itself presents a serious vulnerability for businesses.

A more concise rundown of the functionality of VA warez may be worth a try. At least let's give it one last shot. On second thoughts, no, don't shoot anything.

Actually forget "positive" or "negative" views on VAs before reading this. I am just going to present the facts based on what I know myself and of course I'm open to logical, objective discussion. I may have missed something.

Why the focus on VA? Well, the tools are still so commonplace and heavily used and I don't believe that's in our best interests.

What I discovered many years ago (it was actually 2002 at first) was that discussions around these tools can evoke some quite emotional responses. "Emotional" you quiz? Yes. I mean, when you think about it, whole empires have been built using these tools. The tools are so widespread in security and used as the basis of corporate VM programs. VM market revenues run at around 1 billion USD annually. Songs and poems have been written about VAs - OK, I can't back that up, but careers have been built and whole enterprise-level security software suites built using a nasty open source VA engine.

I presented on the subject of automation in VA all those years ago, and put forward a notion that running VA tools doesn't carry much more value as compared to something like this: nmap -v -sS -sV . Any Security Analyst worth their weight in spam would see open ports and service banners, and quickly deduce vulnerability from this limited perspective. "Limited", maybe, but is a typical VA tool in a better position to interrogate a target autotragically?

One pre-qualifier I need to throw out is that the type of scanners I will discuss here are Nessus-like scanners, the modus operandi of which is to use unauthenticated means to scan a target. Nessus itself isn't the main focus but it's the tool that's most well known and widely used. The others do not present any major advantages over Nessus. In fact Nessus is really as good as it gets. There's a highly limited potential with these tools and Nessus reaches that limit.

Over the course of my infosec career I have had the privilege to be in a position where I have been coerced into using VAs extensively, and spent many long hours investigating false positives. In many cases I set up a dummy Linux target and used a packet sniffer to deduce what the tool was doing. As a summary, the findings were approximately:

  • Out of the 1000s of tests, or "patterns", configured in the tools, only a few have the potential to result in accurate/useful findings. Some examples of these are SNMP community string tests, and tests for plain text services (e.g. telnet, FTP).
  • The vast majority of the other tests merely grab a service "banner". For example, the tool port scans, finds an open port 80 TCP, then runs a test to grab a service banner (e.g. Apache 2.2.22, mickey mouse plug-in, bla bla). I was sort of expecting the tool to do some more probing having found a specific service and version, but in most cases it does not.
  • The tool, having found what it thinks is a certain application layer service and version, then correlates its finding with its database of public disclosed vulnerabilities for the detected service.

Even for some of the plain text services, some of the tests that have the potential to reveal useful findings have been botched by the developers. For example, tests for anonymous FTP only work with a very specific flavour of FTP daemon. Other FTP daemons return different messages for successful anonymous logins, and the tool does not accommodate this.

Also, what happens if a service is moved from its default port? I had some spectacular failures running Nessus against an FTP service on port 1980 TCP (usually it listens on port 21). Different timing options were tested. Nessus uses an nmap engine for port scanning, but nmap by itself is usually able to find non-default port services using default settings.
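As an added illustration (not code from the original post), here is a toy Python model of the three scanner behaviours discussed above: banner-only correlation against an advisory table, an anonymous-FTP test that matches one daemon's wording instead of the reply code, and FTP checks keyed to the default port. Every banner, reply and advisory id below is a constructed placeholder; each naive check is paired with a variant that looks at the right thing.

```python
"""Toy model of unauthenticated VA-scanner checks and why they misfire.

Added example, not part of the original article. Runs fully offline on
constructed strings: nothing here opens a socket.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed observations, as a port scan plus banner grab would report them.
# Keys are TCP ports, values the greeting/header the "service" sent back.
OBSERVED_BANNERS: Dict[int, str] = {
    21: "220 ProFTPD 1.3.3 Server ready.",
    80: "HTTP/1.1 200 OK\r\nServer: Apache/2.2.22 (Debian)\r\n",
    1980: "220 (vsFTPd 2.3.4)",  # an FTP daemon moved off its default port
}

# Constructed advisory table with placeholder ids (NOT real CVE numbers):
# product/version pairs a banner-matching scanner would flag.
VULN_DB: Dict[Tuple[str, str], List[str]] = {
    ("Apache", "2.2.22"): ["ADVISORY-PLACEHOLDER-A"],
    ("vsFTPd", "2.3.4"): ["ADVISORY-PLACEHOLDER-B"],
}

# "Product<sep>version" where the version has at least one dot, e.g. Apache/2.2.22
BANNER_RE = re.compile(r"(?P<product>[A-Za-z]+)[/ ](?P<version>\d+(?:\.\d+)+)")


def parse_banner(banner: str) -> Optional[Tuple[str, str]]:
    """Extract (product, version) from a banner, or None if nothing recognisable."""
    text = banner
    if banner.startswith("HTTP/"):
        # For HTTP the interesting string is the Server header, not the status line.
        m = re.search(r"^Server:\s*(.+)$", banner, re.MULTILINE)
        text = m.group(1) if m else ""
    m = BANNER_RE.search(text)
    return (m.group("product"), m.group("version")) if m else None


def banner_correlate(observed: Dict[int, str]) -> Dict[int, List[str]]:
    """Failure mode 1: report whatever the version string matches in the table.

    The banner cannot say whether a fix was applied while the version string
    was kept (distributions commonly backport patches), so a match is only a
    hint, not a confirmed vulnerability; a banner the regex does not
    understand silently produces no finding at all.
    """
    findings: Dict[int, List[str]] = {}
    for port, banner in observed.items():
        parsed = parse_banner(banner)
        if parsed and parsed in VULN_DB:
            findings[port] = VULN_DB[parsed]
    return findings


# Constructed 230 replies modelled on the wording of different FTP daemons
# after an anonymous login; the exact texts are illustrative, not captured.
ANON_REPLIES: Dict[str, str] = {
    "daemon-a": "230 Anonymous access granted, restrictions apply",
    "daemon-b": "230 Login successful.",
    "daemon-c": "230-User anonymous has group access to: guests\r\n"
                "230 OK. Current restricted directory is /",
}


def anon_login_naive(reply: str) -> bool:
    """Failure mode 2: recognise one daemon's phrasing only."""
    return reply.startswith("230 Anonymous access granted")


def anon_login_by_code(reply: str) -> bool:
    """Decide on the RFC 959 reply code: 230 means 'user logged in' regardless
    of the text. Multi-line replies use '230-' continuation lines and finish
    with a '230 ' line, so only the last line is inspected."""
    last = reply.strip().splitlines()[-1]
    return last[:3] == "230" and (len(last) == 3 or last[3] == " ")


def ftp_ports_by_default_port(observed: Dict[int, str]) -> List[int]:
    """Failure mode 3: run FTP tests only where FTP 'should' live."""
    return sorted(p for p in observed if p == 21)


def ftp_ports_by_service(observed: Dict[int, str]) -> List[int]:
    """Pick FTP candidates from the observed greeting instead of the port.
    Heuristic: a 220 greeting that names an FTP product (SMTP also greets
    with 220, so the product name is needed to disambiguate)."""
    return sorted(p for p, b in observed.items()
                  if b.startswith("220") and "ftp" in b.lower())


if __name__ == "__main__":
    print("banner correlation:", banner_correlate(OBSERVED_BANNERS))
    for name, reply in ANON_REPLIES.items():
        print(f"{name}: naive={anon_login_naive(reply)} by_code={anon_login_by_code(reply)}")
    print("FTP by default port:", ftp_ports_by_default_port(OBSERVED_BANNERS))
    print("FTP by service:     ", ftp_ports_by_service(OBSERVED_BANNERS))
```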

So in summary, what the VA tools do is mostly just report that you are running ridiculous unencrypted blast-from-the-past services or old, down-level services - maybe. Really I would hope security teams wouldn't need to spend 25K USD on an enterprise solution to tell them this.

False positives are one thing, but false negatives are quite another. Popular magazines always report something like a 50% success rate in finding vulnerabilities in staged tests. Why is it always 50%? Remember also that the product under test is usually one from a vendor who pays for a full-spread ad in that magazine.

Putting numbers to false negatives makes little sense with huge, complex software packages of millions of lines of source code. However, it occurred to me not so long ago whilst doing some white box testing on a client's critical infrastructure: how many of the vulnerabilities under testing could possibly be discovered by use of a VA tool? In the case of Oracle Database the answer was less than 5%. And when we're talking Oracle, we're usually talking critical, as in crown jewels critical.

If nothing else, the main thing I hope the reader takes from this discussion is about expectation. The expectation set by VA tool marketing is that the tools really can accurately detect a wide range of vulnerabilities, and that you can bet your business on them by using them to test critical infrastructure. Ladies and gentlemen: please don't be deceived by this!

Can you safely replace manual testing with use of these tools? Yes, but only if the target has zero value to the business.

Cross posted from Security Macromorphosis

Copyright 2010 Respective Author at Infosec Island
PHP and Application Security https://www.infosecisland.com/blogview/23200-PHP-and-Application-Security.html Mon, 10 Jun 2013 09:42:03 -0500

It may seem odd to see PHP and AppSec mentioned in the same sentence. Unfortunately, PHP has had a lot of bad press over the years, for both its security and its syntax. Despite that, PHP still asserts itself in pretty much every industry that uses web technologies.

I've been a fan of PHP since the Personal Home Page days because of its familiar syntax, decent performance and easy integration with the best web servers out there. It has its issues, but what doesn't?

Unfortunately, that same low barrier to entry allows inexperienced developers to act like engineers and publish insecure code. These developers may be building useful stuff, but they simply don't understand security.

So, how do you continue to use PHP? Even more concerning, how do you continue to allow your customers to use PHP?

Over the past several months, I've been working with a combination of Suhosin, mod_security and other security tools (see my Top 5 Apache and PHP Security Modules post). While a lot has been written about mod_security, Suhosin is pretty interesting and not praised nearly enough. Suhosin is a hardening extension loaded into PHP (historically shipped as a core patch plus a loadable extension), and it is packaged by most Linux distributions.

Suhosin essentially enforces many PHP best practices. For example, you can stop silly things like calling include or curl from inside an eval(). You can even make PHP run a script on every uploaded file (think: virus scanner). Be warned, though: like any other security module, you'll need to fine-tune the configuration or your customers will scream.
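As an added example (not a configuration from the article or from the Suhosin project), here is the kind of php.ini fragment that implements the controls just described, with the permissive default noted beside each hardened setting. Directive names follow the Suhosin documentation; the file path, the blacklist contents and the upload-check script path are assumptions for this example, and the first step on any host is to confirm the module is actually loaded rather than merely installed.

```ini
; Suhosin hardening profile for a shared PHP host.
; Added example, not the article's own config. The path of this file and the
; blacklist contents are assumptions; directive names follow the Suhosin docs.
; Check the module is really active before trusting anything below:
;     php -m | grep -i suhosin
;     php -i | grep -i '^suhosin'
extension = suhosin.so

; Phase 1: log, do not block. Violations go to syslog while the site keeps
; working. Flip simulation to Off only once the log has stayed quiet across a
; full release cycle; this is the tuning step that stops customers screaming.
suhosin.simulation = On
suhosin.log.syslog = 511                     ; every violation class

; eval(): the article's example. The default blacklist is empty, i.e. any
; function may be called from eval'd code. Refuse file inclusion and network
; fetches from inside eval(); or disable eval() entirely if the code base
; has no legitimate use for it.
suhosin.executor.eval.blacklist = include,include_once,require,require_once,curl_exec,curl_multi_exec,fopen,file_get_contents
; suhosin.executor.disable_eval = On

; include/require: refuse remote-include URL schemes and files the web
; server itself can write to (an uploaded file is never a valid include).
suhosin.executor.include.blacklist = http://,https://,ftp://,ftps://,data:
suhosin.executor.include.allow_writable_files = Off

; Process-execution helpers a typical web application never needs.
suhosin.executor.func.blacklist = system,exec,shell_exec,passthru,popen,proc_open,pcntl_exec

; Uploads: the "think: virus scanner" hook. Suhosin runs the script once per
; uploaded file with the temporary file path as its argument; per the Suhosin
; documentation the script accepts the file by printing 1 on its first output
; line, anything else rejects it. Script path is an assumption.
suhosin.upload.verification_script = /usr/local/sbin/suhosin-upload-check
suhosin.upload.disallow_elf = On            ; no ELF binaries via upload
suhosin.upload.max_uploads = 10

; Session and cookie payloads encrypted under server-side keys, so a client
; cannot read or tamper with serialized state. Keys stay out of version control.
suhosin.session.encrypt = On
suhosin.cookie.encrypt = On
suhosin.session.cryptkey = <long random key generated on this host>
suhosin.cookie.cryptkey = <long random key generated on this host>
```

The order matters more than any single directive: simulation mode first, read the syslog for a while, then whitelist the legitimate hits (a legacy plugin that really does `include` inside `eval`, a PDF generator that calls `exec`) before enforcing. Enforcing first and tuning from the complaints is the failure mode the article warns about.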

Suhosin, mod_security and other such tools mask problems; they don't replace careful software development. Static source-code analysis, penetration testing and vulnerability assessment tools will always have their place, but it doesn't hurt to buy some really effective (and free) insurance.

Lee V. Mangold is an information security researcher, author, student, entrepreneur and self-professed INFOSEC evangelist. He is currently a senior researcher and network operations manager for a US Department of Defense contractor.

Hammer Time https://www.infosecisland.com/blogview/23199-Hammer-Time.html Mon, 10 Jun 2013 09:39:50 -0500

There are times for finesse and then there are times for blunt force. Determining which is which is often the defining characteristic of success in any endeavor. The ongoing efforts to address the cybersecurity risks and threats to industrial systems have for many years been a period where finesse and patience rule while we slowly accreted the requisite components from which a solution can be constructed. The time has come, however, to swing some hammers.

The Situational Awareness Reference Architecture (SARA) is what the ICS ISAC was created to foster, and to itself be a part of. It has been clear to us since 2006 that there is a critical need for a basic agreement on how facilities can determine the three questions of situational awareness - Identity, Inventory and Activity - and how they can appropriately share knowledge of those with external parties to create broader situational awareness. Until this year, when evolutions in many areas have come together to provide the necessary foundations there has not been any value in trying to drive to a final specific definition of SARA. Today however, evidence that the stage is set for the final act is everywhere.

Years of legislative, technical, organizational and sociological evolution have produced the environment in which an operable solution can be created. From STIX 1.0 to PPD-21 "Implementation" section 4, from NERC CIP 5.0 to Qatar's National ICS Security Standards, and from advances in security products to growth in the motivations of asset owners and integrators, the major building blocks of the shared solution have been placed together in the Assembly Area.

While enjoying Erich Gunther's Brandy Barrel Porter on the Enernex veranda this Monday I related a story that sums up the times we are in. Back in 1990 at GE Power Generation we were assembling the first 9000F turbine prototype. After years of development and billions of dollars the 100-ton rotor of what would become the world's most powerful fueled motor hung inches above the casing. A tense crowd of executives and luminaries watched anxiously as it crept downward. With less than an inch left before the finned marvel of science and engineering nestled onto its mirror-smooth bearing journals the harness supporting it went unexpectedly slack.

It didn't fit.

With corporate masters fainting into the waiting arms of acolytes, a group of four engineers and operators gathered and talked for a few minutes. With a mutual nod the largest of them - a Paul Bunyan of a man - strode over to this pinnacle of engineering and proceeded to beat the living tar out of it with a massive wooden mallet, with an enthusiasm that would have made Wile E. Coyote blush with envy. Finally satisfied, he gave a gesture to the crane operator and stepped back to watch the rotor snuggle perfectly into place.

We fired the 300,000 horsepower monster a few months later and went on to beat Mitsubishi for a billion-dollar installation at Tokyo Electric Power Company. That 9000F's descendants went on to become the dominant fuel turbines in power generation worldwide to this day.

To solve the challenge we face in our community today we must establish a Global Knowledge Network. We must create an environment where industrial facilities are able to have and maintain knowledge of their systems; where they can appropriately share some of that knowledge with the rest of us; and where they are capable of effectively using knowledge shared with them. The architecting, engineering, machining and component assembly of the Global Knowledge Network has been done. After it has been bolted together we will be tuning and tweaking it for many years to come, but now we need to seal the casing, install the support equipment, roll the bloody thing out to the test stand and fire it up.

It's Hammer Time.

Crossposted from the ICS-ISAC Blog
