Security Pie

The ramblings of three security curmudgeons

Archive for the ‘Security Business’ Category

101 Uses for Data Leak Prevention

with one comment

Ok – So I have a vested interest in DLP. Sue me.

But here is a really cool use of DLP to detect plagiarism in dissertations:
http://ondlp.com/?p=9#respond

Notes:
1. Really cool use of the fingerprinting technology
2. I did not know that Dave’s wife was a professor :)

/al

Written by assafl

October 21st, 2008 at 2:45 pm

Cisco’s Greatest Hit

without comments

Cisco is promoting Diego Rivas

Dave, a developer from Melbourne, Australia, brings an interesting story. He was installing a newly purchased VPN product. When he loaded the VPN client software, he discovered that in place of the usual boring software was an audio disc with 12 tracks of Spanish music (see Cisco’s Hit). A lively discussion on Dave’s blog tried, and successfully managed, to identify the musician. You can watch the video below.

Beyond the anecdotal story there are a few things that we can learn from this incident. I’m not picking on Cisco specifically: in the past, one of the products that I was managing was built by a very large OEM partner that was responsible for building the appliance, packaging, forwarding, etc. Though it was very rare, we had a few incidents when customer X received parts of a printer with his order (inside the appliance package), while another customer received the wrong CDs, etc. Errors do occur, and I believe that Cisco will do everything it can to learn from this manufacturing snafu and improve its quality assurance process. However, from a security risk management point of view, this incident is a reminder to trust no one:

Every CD should be considered suspicious, even if it arrived inside a box that has the Cisco logo. Due to the popularity of Cisco’s gear there is a second-hand market and also some fake devices. Softpedia reports that even the United States government is reportedly using some 3,500 fake Cisco-branded network devices, including routers, network switches and hubs. “According to the investigation results, the fake devices are worth up to $3.5 million.”

Trust no one is the moral of this story. On a side note, this story also explains why the DOD is investing so much money looking for the kill switch.

Enjoy the music!

(Arik, what’s going on down there in Australia? We’re getting a steady stream of weird reports recently :-)

Written by sharon

October 17th, 2008 at 9:40 am

Workers More Prone to Lie In Email, So What?

with one comment

in the internet nobody knows you are a dog

New research finds workers more prone to lie in email. I have not read the entire research yet, but it does look like an interesting topic with a lot of potential. Over the years email (security) evolved from server protection (do you remember swatch?) to content protection. From a security research standpoint, content detection methods were mostly static, focusing on whitelisting, blacklisting or even behavior. Data fingerprinting changed our (mine, for sure) approach to content protection: it became possible to identify and classify even small chunks of information. New profiling technologies will also allow us to understand normal behavior and, in a way, create a way to distinguish between good and bad.

According to the research, people feel justified when lying using email. Liuba Belkin, co-author of the studies and an assistant professor of management at Lehigh University, said that “There is a growing concern in the workplace over email communications, and it comes down to trust … in an organizational context, that leaves a lot of room for misinterpretation and, as we saw in our study, intentional deception.”

Read the rest of this entry »

Written by sharon

October 7th, 2008 at 9:12 pm

My expert opinion on the nature of experts

with 4 comments

I have recently completed a book called “The Billionaire’s Vinegar: … “. In this book Benjamin Wallace spins a fascinating tale of how a group of very rich Americans spent hundreds of thousands of dollars on a select cache of wine bottles that were allegedly linked to Thomas Jefferson and were found in an undisclosed location in Paris. Very soon questions of provenance started to emerge, culminating in a very expensive lawsuit waged by Bill Koch against the purveyor of the wines, a German collector named Hardy Rodenstock. The book is well written and is a highly recommended read.

Thomas Jefferson’s bottle or a really expensive counterfeit?

If we can’t ask Mr. Jefferson, perhaps we can hire an expert?

Read the rest of this entry »

Written by assafl

October 3rd, 2008 at 12:45 pm

Balancing Security’s Opposite Pairs

with one comment

HWY 101 is jammed again, which gives me a lot of time to stare at the billboards. Symantec (big yellow) caught my attention with a “you need the speed” sign promoting their latest anti-virus release. Apparently, they started a huge campaign around the speed of their anti-virus, how lightweight it is, etc. Not too many words about security.

You Need The Speed

I am not trying to pick on Symantec’s Norton Anti Virus. In today’s commercialized and commoditized environment, the messages should be catchy, fast and appeal to the common denominators. But this ad allows me to rant on some of the non-negotiable variable couples, or opposite pairs, that make data security such an interesting field.

Read the rest of this entry »

Written by sharon

October 3rd, 2008 at 12:12 pm

It’s The Best Time

with one comment

I love this smell as well

It’s this time of the year. One can smell it. If you remember Lieutenant Colonel Bill Kilgore’s statement “I love the smell of napalm in the morning”, you know what I’m talking about. It’s the last uphill battle in the continuous war on business. Assaf calls this EQ, the End of the Quarter. I call this the best time of the quarter. Everyone is on the watch, alerted and ready. This is the time to separate the boys from the men. Get the POs and meet your personal goals as well as the company numbers. All are ready to take a bite of the pie.

It’s all about eve sales. The ability to answer the customer’s needs, create a solution, close a deal and get a PO. All are alerted, focusing on the goal. To be honest, I always thought that sales is an art, but then I learned that it is actually a process.

Old school will use Og Mandino’s sales principles: 

Read the rest of this entry »

Written by sharon

September 29th, 2008 at 1:18 pm

Posted in sales,Security Business


You Don’t Build A Fence This Way

without comments

The following text is taken from a GAO report on SBInet (DHS Needs to Address Significant Risks in Delivering Key Technology Investment) that was published yesterday and caught my attention. The title says it all: risk, technology and investment, everything one needs for a good read. But then, as I went over the text, I was very disappointed to learn that the DHS did not learn from the Israeli mistakes made when the security fence was built. Judge for yourself. Read the executive summary below:

SBInet, DHS Secure Border system

Just replace some of the names and you feel like you’re in the Middle East, where projects are known to be delayed, technology is always ahead of what was originally planned and the overall cost is several times higher than originally planned…

Read the rest of this entry »

Written by sharon

September 24th, 2008 at 5:37 pm

Posted in Security Business,Snafu


Palo Alto Networks’ Security Pie

without comments

Finally, some interesting security pie. Palo Alto Networks’ Application Usage and Risk Report contains lots and lots of pies. One can follow the link and read the document. Two obvious items caught my attention:

  • HTTP has become the universal application protocol
  • Obvious attempts at activity concealment continue

At this time (September 2008 ;-) ), one could think that the different security solutions would solve the various HTTP tunneling and concealment attempts. After all, there are so many diverse methods, including URL filtering (to block the destination), application identification, proxy authentication (to prevent unmanned applications), etc.

I’m curious if and when applications will start to use 53/udp to sneak through the security systems.

Written by sharon

September 18th, 2008 at 8:24 am

Federal Regulations Mandate Protection Of Private Sector Data

without comments

Here’s some very interesting reading material. I must admit that I was not aware of all the Federal policies to govern and protect IT systems and data in private sector companies. Below you can read the summary of the United States Government Accountability Office GAO-08-1075R.

More important, this document lists some of the penalties and enforcement options that the Feds can use.

Summary of Federal Requirements for Securing Privately Owned IT Systems and Data

Federal policy identifies 18 infrastructure sectors–such as banking and finance, energy, public health and healthcare, and telecommunications–that are critical to the nation’s security, economy, public health, and safety. Because these sectors rely extensively on computerized information systems and electronic data, it is crucial that the security of these systems and data is maintained. Further, because most of these infrastructures are owned by the private sector, it is imperative that public and private entities work together to protect these assets. The federal government uses both voluntary partnerships with private industry and requirements in federal laws, regulations, and mandatory standards to assist in the security of privately owned information technology (IT) systems and data within critical infrastructure sectors. As agreed, our objectives were to (1) identify, for each critical infrastructure sector, the federal laws, regulations, and mandatory standards that pertain to securing that sector’s privately owned IT systems and data and (2) identify enforcement mechanisms for each of the above laws, regulations, and mandatory standards.
Read the rest of this entry »

Written by sharon

September 17th, 2008 at 9:38 pm

The Bicycle-Like Instinct

without comments

My bikes

There are things that we just can’t forget, like riding a bicycle or even driving a car. I was accompanying one of our sales engineers the other day at a customer site and felt the urge to configure a layer 4-7 switch. If my memory serves me right, the last time I did something similar was in 2000. Yet one stare at the Access User Verification prompt and my memory was loaded.

I’m sure that somewhere, someone is studying why there are things that we cannot forget. I am more interested in the opposite question: why did I remember how to configure this switch? No, it was not a Cisco switch. However, since Cisco’s IOS style has been widely copied by other networking products (including the one I was configuring), it was very similar. “?”, “show run”, “conf t” and “ena” always work somehow in a networking environment. Like seeing a friendly face at a “networking” cocktail party before the conference is about to begin…

Read the rest of this entry »

Written by sharon

September 9th, 2008 at 8:55 pm

Posted in Security Business,usability
