
Archive for August, 2006

Why the magazines keep getting it wrong - the answer to data breaches is not technology and legislation

After wrapping up another training class, a designed experience on Effective Assurance, I came across these two related articles, one in eWeek and the other in Information Week - and both set me off, since they continue to show we are helpless without technology and legislation!

IT Pros Say They Can’t Stop Data Breaches
(http://www.eweek.com/article2/0,1759,2010325,00.asp?kc=EWRSS03129TX1K0000614)

Research: Privacy, Security Problems Alarming But Fixable
(http://www.informationweek.com/story/showArticle.jhtml?articleID=192500245&cid=RSSfeed_IWK_Security)

We already know there are simply too many data breaches being reported - and what scares me is the number that are going unreported, or worse - unnoticed!

So in the wake of these breaches, more research was announced today, and the way it's being reported, IT professionals are (or feel) helpless to do anything to prevent these breaches. Whether it's the researchers or the writers, the conclusion being drawn is that our current solutions are too complex and that we lack the technology to defend and prevent.

I am sick and tired of seeing that excuse - we don’t have the technology! Sorry. I’m not buying it. It’s time to call BULLSH*T. Time to make a stand!

You want to know why we cannot seem to prevent data breaches? It's because people continue to do stupid things! People take irresponsible actions and WE LET THEM. Employees fail to take responsibility and no one calls them on it. It was refreshing to me to watch the alums of Ohio rail against the school for their gaffes - but they never should have happened in the first place.

Seems to me that we are in an age where we want, no, DEMAND instant gratification. At the same time, we seem to have gotten ourselves comfortable with finger-pointing and passing the buck. While the Staples "easy button"™ is funny and a great marketing idea, we simply don't have one for security. Security/Assurance is a process, not a product.

I look forward to the return of personal accountability. Bring back responsibility! I don't think the answer is as simple as: we failed, now give us legislation and force people to act differently.

I think this is a challenging time when we require bold leadership to foster that return. As I have written about before, it's a three step process:

1. We have to give people permission to care, to take responsibility, to make a difference.
2. We have to enter into a dialogue of empowerment. Empowerment is not a one-way communication.
3. We have to enable people to succeed, based on the effectiveness of our empowerment dialogue.

I'll keep distilling the above points and will spend more time exploring them through this blog in the future. If you want to listen to me discuss this, I talked about it on Security Catalyst Episode 32. As I announced just this week, I am investing time and energy working on developing Security 2.0 - which is how I believe we have to focus on these issues to move forward. If we continue to believe security is complex and tied to technology, we doom ourselves to failure. We have to realize the role people play in the solution and work diligently to design and enact solutions that start to actually make security part of the fabric.

This is not about balance. This is about integration. Security is and should be a mindset, a way of acting and thinking to make a difference. In my experience, many of our problems, and therefore our solutions, reside in people, the way we act, the way we think, and the way we communicate.

Posted in Information Protection | Comments (1)

Security Catalyst - 35 - Introducing Security 2.0

Recorded! From a hotel room in Phoenix (sure, it’s hot, but it’s a dry heat - try taking a tumble in your clothes dryer)… it’s another Security Catalyst Podcast (I know, about time!).

I’m actually excited to share something I’ve been quietly working on now for over a year - the evolution of security I have been calling Security 2.0. Wait! Look past the name and check out what I think the future for information security holds. I have started to collaborate with Ron Woerner on what this would entail, and we have submitted a proposal to speak at RSA 2007 in February - if selected, we hope that will be where the concepts really get grounded and introduced.

Until then, you can count on Ron and me to start to advance the concepts and the ideas covered in Security 2.0. Basically, Security 2.0 comes down to three elements:

  • leveraging web 2.0 to improve the way we practice information security
  • taking the knowledge we have and securing web 2.0 offerings
  • the tools, skills, attitudes and experiences of a Security 2.0 professional

Basically, I believe it's time to completely shift the way we practice information security. We have to change the focus, make it more convenient, simpler and more, well, secure. It's not that simple - but in this podcast, I introduce the concepts in a condensed fashion. More details will emerge and evolve in the coming weeks and months.

I look forward to your ideas, insights, passions and excitement as we work together to celebrate the positives and truly blaze a new trail in the future of information security. By learning our history and studying other fields, we will advance!

If you’re new to Web 2.0, here are some links to get you started:

Start Here:

What Is Web 2.0: http://www.oreillynet.com/pub/a/oreilly/tim/news/2005/09/30/what-is-web-20.html

This is a good summary: http://www.squidoo.com/introtoweb20/

I found this useful, too: http://en.wikipedia.org/wiki/Web_2

As we prepare to relaunch the Security Catalyst Community, we’ll incorporate a section for Security 2.0 so we can work collaboratively, leveraging Web 2.0 tools (!) to evolve this concept.

Help spread the word by linking to the Security Catalyst and share these ideas and concepts with others!

Security Catalyst 35 [18:06m]

Posted in Information Protection | Comments (8)

PSA: Please Look Before _SLAMMING_ Your Seat Back! (Laptop Security, Physically)

As a coach, consultant and speaker, you can imagine I’m not a stranger to airplanes. And to be honest, aside from the time away from family, traveling with the right attitude is really not so bad. But if you also find yourself traveling, I have a small favor to ask, whether you are on a bus, train or plane –

PLEASE PLEASE PLEASE… LOOK BEFORE SLAMMING YOUR SEAT BACK!

Chances are that if you're reading this, you own a laptop, and if you've flown, you've dealt with someone literally SLAMMING their seat back - and then it catches the top of your laptop, creates a nifty "crunch" sound and then you adjust, typing with little space. Generally there is no harm, but man does it cause a short term rise in blood pressure. And if you've not yet experienced this, sadly, you probably will. When you fly (or take Amtrak), please be wary of the person sitting in front of you.

And before you caution me on how to position myself - I have learned to position my laptop more carefully - but whether flying in coach or first class (hey, status sometimes has benefits), I'm continually amazed at the way people don't pay attention to what is around them… and simply "slam back."

I’m all for resting back - and have at it. But PLEASE - look before you leap (or slam back) and consider going slowly. I think everyone would be better suited if we all practiced a bit more “situational awareness.” And we’d probably have a few less hostile moments and injured laptops.

Thanks.

PS: I guess we could consider this the “Physical Security of your laptop?”

**Updated** When I wrote this, I didn’t mean for it to sound negative. I actually had a wonderful travel experience heading to PHX and am looking forward to an exciting week. I just wanted to comment on something that happened to me (again) and that I witness all the time. Have a great week!

Posted in Information Protection | Comments

Securing Postfix - two questions lead the way to Trusted Catalysts

Adam and I (mostly Adam) are working to get Postfix configured to run virtual domains in a secure configuration. Along the way, we have come across two challenges and would appreciate some ideas, feedback or insights (links, experience, whatever):

1. Is there any way to set up Postfix + SASL to use both CRAM-MD5 and MySQL encrypted passwords for secure SMTP authentication over TLS? Or is this type of security redundant and unnecessary?

2. Is there a way to set up Postfix + MySQL running virtual mail domains and users so that the users may change their own passwords?

Ideas? Suggestions? Leave a comment or send a note to michael.postfix@securitycatalyst.com
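An added example on the two questions above (my code, not the Security Catalyst server configuration and not Postfix or Cyrus SASL code). CRAM-MD5 (RFC 2195) answers a server challenge with an HMAC keyed by the user's password, so the server can only recompute and verify that HMAC if its database holds the password itself; a one-way, salted hash cannot be turned back into the HMAC key. That is why "CRAM-MD5 plus encrypted passwords in MySQL" cannot be combined. Inside TLS the client can send the password itself (SASL PLAIN or LOGIN; Postfix's `smtpd_tls_auth_only = yes` refuses AUTH outside TLS), and the server verifies it against the stored hash, which makes challenge-response redundant once TLS is mandatory. The in-memory sqlite table, its column names, the addresses and the passwords below are constructed stand-ins for the MySQL users table; `set_password` is the self-service change path from the second question, requiring the current password before overwriting the record.

```python
import hashlib
import hmac
import secrets
import sqlite3
from typing import Optional


def make_user_db() -> sqlite3.Connection:
    """In-memory sqlite standing in for the MySQL users table (constructed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, scheme TEXT, salt BLOB, secret BLOB)")
    return db


def _pbkdf2(password: str, salt: bytes) -> bytes:
    # Salted, iterated one-way hash: the database never holds the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _verify_stored(password: str, scheme: str, salt: bytes, secret: bytes) -> bool:
    # Constant-time comparison for both storage schemes.
    if scheme == "PBKDF2":
        return hmac.compare_digest(_pbkdf2(password, salt), secret)
    if scheme == "PLAIN":
        return hmac.compare_digest(password.encode(), secret)
    return False


def set_password(db: sqlite3.Connection, email: str, new_password: str,
                 scheme: str = "PBKDF2", current_password: Optional[str] = None) -> bool:
    """Self-service password change: an existing user must prove the current password
    first; an unknown address is created outright. Returns True on success."""
    row = db.execute("SELECT scheme, salt, secret FROM users WHERE email = ?", (email,)).fetchone()
    if row is not None:
        if current_password is None or not _verify_stored(current_password, *row):
            return False
    salt = secrets.token_bytes(16)
    secret = _pbkdf2(new_password, salt) if scheme == "PBKDF2" else new_password.encode()
    db.execute("INSERT OR REPLACE INTO users VALUES (?, ?, ?, ?)", (email, scheme, salt, secret))
    db.commit()
    return True


def verify_plain(db: sqlite3.Connection, email: str, password: str) -> bool:
    """SASL PLAIN/LOGIN: the client sends the password (acceptable only inside TLS),
    so the server can check it against either storage scheme."""
    row = db.execute("SELECT scheme, salt, secret FROM users WHERE email = ?", (email,)).fetchone()
    return row is not None and _verify_stored(password, *row)


def new_challenge(hostname: str = "mail.example.com") -> bytes:
    # RFC 2195 challenge shape: <unique-string@hostname>; hostname is a placeholder.
    return f"<{secrets.token_hex(8)}@{hostname}>".encode()


def cram_md5_response(challenge: bytes, password: str) -> str:
    """Client side of CRAM-MD5: HMAC-MD5 over the challenge, keyed with the password."""
    return hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()


def verify_cram_md5(db: sqlite3.Connection, email: str, challenge: bytes, response: str) -> bool:
    """Server side of CRAM-MD5: recomputing the HMAC needs the password as the key, so
    this only works when the database stores the plaintext. With a hashed secret there
    is nothing to key the HMAC with, and verification is impossible."""
    row = db.execute("SELECT scheme, secret FROM users WHERE email = ?", (email,)).fetchone()
    if row is None or row[0] != "PLAIN":
        return False
    expected = hmac.new(row[1], challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Constructed walk-through: one hashed account, one plaintext account."""
    db = make_user_db()
    set_password(db, "alice@example.com", "correct horse")                  # hashed storage
    set_password(db, "bob@example.com", "battery staple", scheme="PLAIN")   # plaintext storage
    chal = new_challenge()
    return {
        "alice_plain": verify_plain(db, "alice@example.com", "correct horse"),
        "alice_cram": verify_cram_md5(db, "alice@example.com", chal,
                                      cram_md5_response(chal, "correct horse")),
        "bob_cram": verify_cram_md5(db, "bob@example.com", chal,
                                    cram_md5_response(chal, "battery staple")),
        "bob_cram_wrong": verify_cram_md5(db, "bob@example.com", chal,
                                          cram_md5_response(chal, "wrong")),
        "change_without_old": set_password(db, "alice@example.com", "new pw"),
        "change_with_old": set_password(db, "alice@example.com", "new pw",
                                        current_password="correct horse"),
        "alice_new": verify_plain(db, "alice@example.com", "new pw"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The hashed account authenticates over PLAIN but can never satisfy CRAM-MD5, while the plaintext account satisfies both; the trade-off is the whole point of the first question, and the usual resolution is hashed storage with AUTH allowed only inside TLS.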

Posted in Information Protection | Comments (2)

The Catalyst Team Grows! - Welcome Adam Dodge

Please join me in welcoming Adam Dodge to the catalyst community and to the catalyst team. You will have an opportunity to learn more about Adam in the coming weeks and months; he is studying to get his Master’s degree in Information Assurance — and what I really enjoy about Adam is his passion for security and his belief/understanding that it’s bigger than technology.

Adam is going to be working with me and the team of Catalyst Advisors to help move the mail server to Postfix. Once this is completed, we will be re-launching (or perhaps formally launching) the Trusted Catalysts program. Adam is also helping me to rebuild the Catalyst Community (which will be powered by Drupal) and preparing the new opportunity to "practice" security that I have briefly alluded to in the past.

This represents an exciting step forward and demonstrates the growth of our effort. Stay tuned for an exciting fall!

Posted in Information Protection | Comments (2)

Your chance to help! Which AV Vendor do you use, and why?

From a fellow catalyst, Eric:

“I make the technology decisions at a small CPA firm, and our Symantec subscriptions are up in a week. I have been researching antivirus software for too long and just keep going in circles. I cannot distinguish between different antivirus software vendors because of either their marketing hype, inconsistent reviews, FUD, etc. I have reviewed them all myself, and have used a handful of them in the past years. Is there really a quantifiable difference or is it just opinions?

I feel there is too much subjective information out there to base a good decision out of. Since I do not have a robust antivirus testing lab myself, it makes this decision very tough. With firewalls, I can test them with an arsenal of tools freely available, but antivirus is different. I have been researching network and internet security extensively this summer and played with Linux some. In doing so, the knowledge I have gained makes me suspicious of antivirus companies. For example, Symantec Internet Security Suite requires you to run as admin. I have tried various workarounds, talked to support, but was not successful. You must run as admin. They want you to not practice computer security basics that would decrease the attack vector in the first place, and rely on their security software blindly and pay them a fee.

What are your thoughts on this, and, if you could, your antivirus suggestions.

I see a lot of products relying heavily on signature based defense, which has its strengths and weaknesses. The more I research into host based intrusion detection, I like the idea of behavior and knowledge based intrusion detection more and more. While signature based detection is always going to be a need, over reliance on that I think is a weakness. The problem I have come across is that any products that get into the host based type intrusion detection are weaker in the signature based area. For example, Zone Labs security suite has a good OS firewall (behavior based), but a watered down antivirus scanner.

At the moment I am leaning more towards either Zone Alarm Security Suite, or Kerio and NOD32."

I'm certain some of you are dealing with a comparable issue - and if you'd like, we can even do a podcast episode dedicated to questions to ask your AV vendor to make sure you are making the right choice.

That said - share your ideas, comments and questions either in the comments below (user name registration required) or send me an email to michael.catalyst@securitycatalyst.com with your ideas and insights!

Thanks for helping a fellow catalyst out.

Posted in Information Protection | Comments (1)

Is Your Website under Denial of Service while it’s still running?

What would the impact be to your business or organization if your web server were running and serving pages, but the very people you needed to see them couldn’t access them?

Recently, I’ve come across a new form of Denial of Service (DOS) against Internet sites. Your customers are blocked from your web site without your knowledge. This technique doesn’t use bots, takes little to no effort, and requires no network bandwidth. It prevents users from accessing your web sites; reducing your web presence and potentially reducing your revenue.

Why is it happening? Who is behind this evil plot? Through something as innocuous as Internet Filters (aka Content-control software).

Many organizations and homes use Internet Filters to protect their users from the seven deadly sins of the Internet (i.e., adult content, gambling, sexuality, malicious sites, etc.) Companies use it to enforce employee policies on the use of the Internet. They help keep honest people honest, which is often my main goal in security.

They can also be used to keep honest people from honest sites. It’s happened to Security Catalyst. A few months ago I tried to access this site from work, but was blocked by our Internet Filter. It was labeled an MP3 site, which my company disallows as part of its policy. (We won’t debate that here.) You and I know that this isn’t an MP3 site, but because Michael uses MP3 for his podcasts, our vendor mislabeled it. I notified the vendor and they corrected it. However, we don’t know how long it was blocked and who may have been impacted.

This isn’t an isolated occurrence. I’ve seen this happen time and time again: DOS by Internet Filter.

It occurs one of two ways: either through the automated software that evaluates and categorizes sites or by someone requesting a particular site be placed in a certain category. Either way, we are seeing innocent websites placed in categories that many homes and organizations can't reach. It's also possible that it could be used maliciously to block a competitor's web site.

I’ve spoken with Internet Filter companies and they don’t see this as a problem. They are in denial that their software can cause a DOS against websites. It seems they don’t want to take the time and energy to find a better solution.

Granted, there is no easy answer to this problem. It’s impossible to have a human look at every new or changed Internet site across the globe. Automation is necessary. However, it must be intelligent enough to properly assess the true nature of the web site and categorize it appropriately. (Does one game on a site make it a Gaming site?) Also, the vendor must have a process that allows an unbiased review of web sites and be able to quickly re-categorize the site.

Other ideas I have are: (1) Have a voting process for each website allowing users to categorize them. It's along the same idea as Wiki. (2) Have an independent review board to either categorize sites or to mediate disputes when there are disputes on the category for a web site.

What do you think? Am I alone in thinking this is a problem? What are other ways to improve Internet site categorization?

Posted in Information Protection | Comments (1)

Listen to the experts, um, discuss “NAC” (An SRT special edition!)

Network Access Control, or NAC, is a hot and important topic these days. Recently, some of the experts in the industry started a discussion via their blogs… Martin McKeay then suggested they take it to the Security Roundtable and talk it through.

Thanks to the efforts of the team, we can all be smarter when it comes to NAC. You can listen to the result on the SRT website, here: http://www.securityroundtable.com/ or I included the link in the feed. Martin claims he was an innocent bystander. I don’t understand the claim of innocence ;) We’re scheduled to record another SRT this week, this time looking at the actions and impact/fallout of the AOL blunder. We’ve also got several more topics sure to impact our thinking in the trenches lined up for the coming weeks…

SRT Special on NAC

Posted in Information Protection | Comments

Worried about the Bump Keys - Medeco has the answer!

After the "bump key" information hit the web, Medeco made it known that they are resistant to the bump key attack. From the press release:

Medeco, the industry's leading high security lock manufacturer, has expanded its acclaimed educational training module to explain the vulnerability that many locks face to a bumping attack. This training is offered to Crime Prevention associations and security dealers.

Medeco is commonly known as a ‘bump proof lock’ by those who view picking as a sport. Standard locks utilize a single locking point, while high security locks such as Medeco utilize multiple locking technologies. To see why Medeco is not vulnerable to this type of attack, a short video is available at www.medeco.com in the Interactive Security Solutions link.

Read the entire press release here: http://www.medeco.com/about/whats_new/pr/bump.html (hat tip to Brett Lewis for pointing this out to me).

I’m impressed that they are offering training, but not sure how many of us will benefit from it. Regardless of whether you’ll be able to attend the training or not - this is valuable information. Now we all know that when conducting a site survey or assessing new space, we have a question to ask. And then we have a potential solution to suggest, or more information to include.

The website, while admittedly commercial in nature, provides some interesting information and might be worth the look, depending on your needs.

Posted in Information Protection | Comments (1)

Security Catalyst 34 - Interview with Greg and Terry from Always Known As (AKA)

Welcome to Security Catalyst 34! I am excited to bring you an interview with a Web 2.0 company that has incorporated security and privacy into their solution from the very beginning… Always Known As (AKA). Join me as I discuss their efforts and talk security and the future of digital ID management with Greg and Terry.

I recorded this from a hotel room in Phoenix, Arizona - which is why it’s a bit later than expected. I have more podcasts recorded, lined up and ready to be edited and released and will work to get back on track.

I've also been busy planning the new Security Catalyst community, the Trusted Catalyst designation and a new way for us to learn and practice security that I hope to roll out this fall - we have a lot going on!

After you listen this week, let me know what you think of AKA and what questions you would like me to ask. If there is enough interest, I’ll work to resume our teleconferences/skypecasts (probably for the Trusted Catalysts) in September where we will all have the opportunity to speak with Terry and Greg about AKA directly!

My AKA: Michael

I look forward to your comments and your continued efforts. I have some exciting programs planned that I’ll be releasing in the coming months. Keep making a difference!!

SC34 [22:46m]

Posted in Information Protection | Comments (2)
