For Information Security Newcomers, It’s More Good than Bad.
Posted by Dennis Kuntz on November 12, 2009 · 1 Comment
Most people like attention. Just like we did when we were kids, to get that attention we sometimes engage in good behavior and sometimes in bad behavior. As a parent I know that a sound approach is to focus on and reward the good behavior, while not giving the attention sought via the bad behavior.
A perspective among some information security practitioners seems to have emerged: This industry is mean to newcomers. People I respect – though admittedly only through my exposure to them via Twitter and some subsequent blog reading – have recently lamented the current state of the information security community vis-a-vis its collective attitude toward newcomers and those who legitimately want to learn.
One, from Rafal Los, goes so far as to say that “Infosec is Rotten”, and elaborates from there. The other, from Dave Shackleford, is less strident but offers a similar stance (and offers a lot of practical advice for those new to information security practice, by the way). Their main points are:
- There are cliques within the established information security community
- Members of those cliques seek to humiliate those asking certain questions – especially when those asking identify themselves as “new” to information security
- As a whole, the information security field is not “welcoming, or mentoring, or open-minded about new people coming in.”
Based on my own experience, I’ve seen what they’re talking about when reading responses to blog comments, on social media outlets, and in forums, etc. I have wondered about it myself: What motivates it? How pervasive is it? How much of an impact does it have on those trying to enter the industry?
It has intrigued (but not surprised) me that a group whose genesis (it could be argued) stems from being socially outcast would naturally create socially-oriented subgroups that outcast others: Narcissistic exclusivity happens.
However, I don’t think it’s as widespread as some make it out to be. There may even be a more powerful trend of good people reaching out to assist others. Either that, or at least the positive influences in information security deserve an equal – or greater – due as do any negative cliques.
When I have had questions or needed a boost, there have been positive voices willing to reach out and lend a hand. And they have never asked me whether I am seasoned, green, or somewhere in-between.
From Michael Santarcangelo (@catalyst on Twitter) who has had nothing but guidance and help to offer, to Jamie Levy (@gleeda) who has helped me – pleasantly – with questions ranging from general forensics to troubled PyFlag installations; from Rob Fuller (@mubix) who has offered assistance with Offensive Security training, to H.D. Moore (@hdmoore) offering his thoughts on VM’s “endian-ness”.
The resumes of the names I have listed are impressive – these are not information security lightweights. And the exciting part is that these are only some of the people who routinely help others – I couldn’t begin to name all of the ones from whom I’ve had helpful, generous contact.
The good elements of information security are there, and they are active. Maybe we need to do a better job of seeking them out, engaging them, listening to and amplifying their efforts. Certainly their knowledge should be absorbed, and their l33tness bowed down to, but just as importantly, their generosity should be acknowledged and they should be thanked. Giving more public props to and highlighting the efforts of those who are doing The Right Thing will help to steer those impressionable newcomers in the right direction. We should also individually strive to emulate these people. This will put the attention and focus on what – and who – is more productive and better represents what we think our industry should be like. Ultimately this will be better for all of us.
(A note: yes, everyone I mentioned is on Twitter; that’s where I’ve “met” more information security people than anywhere else. I’ve met some in person and even become friends with some. And it’s a good place to interact with and learn from them).
Filed under Blog, Security Catalyst Contributors · Tagged with catalyst, change, leadership, security, social media, twitter
Firefox Patch Tuesday
Posted by carl.anctil on November 10, 2009 · Leave a Comment
Background:
A few months ago, Microsoft released (and silently installed through Windows Update) a .NET Framework Assistant add-on for the Firefox web browser. It was installed as part of .NET Framework 3.5 Service Pack 1, without warning the user that a browser add-on was being added. Security professionals, bloggers and users in general all over the Internet were in an uproar over Microsoft’s activities. Fast forward a few months, and Mozilla proactively disabled two Microsoft-installed add-ons; one of them was the infamous .NET Framework Assistant (.NET FA). Following some discussions with Microsoft, Mozilla later chose to unblock the .NET FA, but continued to block the .NET Windows Presentation Foundation add-on.
Situation:
The browser is rapidly becoming the “new” OS, and add-ons are the “new” applications. This is the new computing model. The momentum is moving toward SaaS, IaaS, PaaS and the other cloud computing acronyms, and the effect is that our browsers behave more and more like operating systems.
If we look back at how networking has evolved over the years, we notice a pattern. Many years ago we started with thin clients, then advanced to thick clients, and now we are going back to thin clients. The browser is the new thin client; it is essentially the new OS. It isn’t a coincidence that Google’s new OS is called Chrome OS. Or is it? Can anyone say “Firefox Patch Tuesday”? I think we may have witnessed the first Firefox patch push.
When Mozilla proactively blocked two Microsoft add-ons, the effect was the same as patching a vulnerability through automatic updates: both prevent, fix or block a vulnerability from being exploited. The block imposed by Mozilla reached every instance of Firefox automatically, without user interaction. Note the implication: a third party (Mozilla) can change the attack surface of every browser on your network, on its own schedule, without going through your patch process.
What is even more disturbing about this model is how completely it bypasses many perimeter defences. Add-on and browser traffic looks like ordinary outbound HTTP, and this cloaking behaviour is a huge blow to the security of our networks. It hands our adversaries a transporter straight through the firewall. Once inside our browsers, the enemy is effectively a virtual insider on our networks. It turns our users into unwitting allies, using tactics that are very effective and easy to deploy: social engineering, spear phishing, spam, and e-mails with various kinds of specially-crafted attachments.
We must protect and educate our greatest asset, which is coincidentally also our weakest link: the user. Attacks such as XSS, XSF, drive-by downloads, etc. are almost always triggered by trusted, authenticated and authorized users on the network.
Conclusion:
I have only touched on this subject, but I believe a general awareness strategy will have to play an important role in the future. The bad guys will keep winning as long as they are the only ones reaching out to our users. We must reach out to users positively, or they will keep getting tricked into doing things against us (and themselves).
Filed under Blog, Security Catalyst Contributors · Tagged with breach, communication, Data, encryption, Information Protection, privacy, risk, security, social media, trust
FTC Says Bloggers Must Disclose Freebies
Posted by Aaron Titus on November 5, 2009 · 1 Comment
The FTC recently announced new guidelines requiring bloggers to disclose when they get freebies in exchange for reviews. Adopted by a vote of 4-0, this is the first update of the FTC’s Guides Concerning the Use of Endorsements and Testimonials in Advertising in 29 years. The rules go into effect on December 1, 2009.
Filed under Blog, Security Catalyst Contributors · Tagged with Aaron Titus, communication, compliance, disclaimers, policy, risk, social media, twitter
Collaboration versus Privacy
Posted by carl.anctil on April 15, 2009 · Leave a Comment
Our perceptions of, and concerns about, disclosing too much personal information are directly linked to how much we share and how openly we collaborate. When peering is added to the equation, we end up with what we have today, which is often referred to as Web 2.0.
The arrival of dynamic content and open source software such as the LAMP stack provided an affordable platform for people to create and share with others. Without this basic foundation, we would still find it difficult to collaborate with everyday people. It also brought a new requirement: how do we vouch for the work that people are creating and sharing with their peers? The easiest and most affordable way to legitimize work created by a large pool of unknown people is to be open about the content, how it is built and where it comes from. The simplest way to accomplish this is to use your real name and to identify the purpose of your collaboration (blog, wiki, social media, etc.).
Social media websites such as Facebook, MySpace, LinkedIn, etc. are common these days, and they make it easy to collaborate and share with family, friends and, really, anyone else. Through these new means of collaboration, our personal information is far more exposed than it was before. If convenience is counter to security, then exposure must be counter to collaboration. In security, when something is convenient it usually means it is less secure. With collaboration, the more we collaborate, the more exposure (risk) we place on our private information. The social media websites mentioned above are the obvious examples: they hold a lot of private personal information, and people must learn to balance the level of detail they share with others through this new digital medium.
We all know (or should know) that increased exposure normally means more risk, or at least greater risk. How do we mitigate it? By helping people protect their personal information. People have to learn how to collaborate online, and the key is learning to manage which personal information to give out and how to control it.
I believe that using a real name for collaboration doesn’t necessarily increase the risk of exposure, as long as the other personal information included is also common knowledge, otherwise publicly known, or easily obtainable. For example, I can manage the combination of my real name plus my work history: I control what I expose, so I can manage that information about me. Other private personal information such as date of birth, social insurance numbers, addresses, etc. should and must be kept private and tightly controlled. Besides, private personal information is not required for general collaboration, and should not be asked for. So why take the risk?
Filed under Blog, Security Catalyst Contributors · Tagged with collaboration, privacy, social media
Security Roundtable for October 11, 2008 – Social Media Ethics
Posted by Michael Santarcangelo on October 22, 2008 · Leave a Comment
The world of blogging, podcasting and social media is a dynamic – and dominant – force in the way individuals share and consume information. In this fast-paced approach to sharing, we stop to consider the ethics involved.
With the help of Jennifer Leggio – social media expert, former journalist and friend of the Security Roundtable – we tackle the issue of ethics. During this highly informative roundtable discussion, we take on the responsibility (and credibility) of bloggers and podcasters, and especially the individual responsibility of those consuming the information.
This episode is packed with ideas and comments that will get the juices flowing. If you want to continue the conversation with us, join us in the Security Catalyst Community (just pay attention to the naming standard – you must use your real name).
Learn more about the participants:
Jennifer Leggio
http://mediaphyter.wordpress.com/
http://twitter.com/mediaphyter
Martin McKeay
Michael Santarcangelo
http://www.securitycatalyst.com/
http://www.intothebreach.com/ (books now available – eBook or hardcover)
Filed under Blog, News and Events, Podcast, Security Catalyst Community · Tagged with ethics, social media
May 2008 Security Round Table | RSA – Going Beyond the Hype
Posted by Michael Santarcangelo on May 14, 2008 · Leave a Comment
I had a great time at RSA 2008 this year, but didn’t attend any keynotes and only saw snippets of sessions. Yet I took several *quality* briefings during the course of the week, and will be interviewing, profiling and sharing my impressions over the coming months. I started the week a bit sad: after walking the show floor, it felt to me that the industry was, en masse, running in entirely the wrong direction. I ended the week not only with renewed hope, but with new and powerful insights.
RSA carries a lot of hype. Now that the conference is over, Martin and I wanted to go beyond the hype, so we invited a panel with mixed experience to share their impressions, opinions and lessons learned. During this SRT we cover the role of bloggers as media, the *real* value of RSA, and a whole bunch of other interesting issues and perspectives.
I also share, near the end, what I thought the theme should have been. Thinking about it now, it is a good choice for next year, or even for a SCC conference!
This marks the return of the SRT. We already have the June SRT recorded: a great show with the Jericho Forum, dispelling a lot of myths and providing good insight into how they are helping to drive change in the industry. In July we’ll tackle the issue of using botnets to fight botnets, and August will revisit a topic raised during the May SRT: the responsibility of security bloggers and the role of new media.
Happy Listening.