Archive for March, 2010

Google versus China: Round Four

Last week I flew around the world—literally. Starting in San Francisco, I flew to Singapore, then on to Brussels, and finally back to San Francisco. The fact that I did not achieve the same frequent flyer status with United Airlines in 2010 that I did the previous five years made the trip much more uncomfortable. I was upgraded on only one relatively short flight segment. Still, I got enough sleep to stay sufficiently awake to keep up with the unfolding drama involving Google and the government of China.
You may remember that the government of China pressed Google to hand over information about dissidents in that country. Google refused. Then the Aurora incidents, almost without a doubt originating in China, involved massive break-ins into Google’s (as well as others’) computing systems. In the case of Google, speculation says that China was seeking information about dissidents in that country. After considerable deliberation (and also indignation—after all, China ostensibly rifled through Google systems at will), Google decided to move its China operations to Hong Kong, something that I believe was a move that the Chinese government had not at all anticipated.
Round four of this drama is currently underway. The Chinese government blasted Google in a communist party newspaper. Some of Google’s partners and advertising customers in China have suddenly turned against Google. For instance, China’s second-largest mobile phone company recently announced that it will no longer use Google’s search function on two of its new phones. All this threatens to drastically slash Google’s China-based revenues. Consequently, Google’s stock price has dropped six percent since January, presumably in part due to Google’s struggles in China.


The Case for Fast and Agile Information Security

I interact with information security managers all the time. I have built a healthy respect for almost all of them in the course of my interactions with them. Information security managers generally have a sound strategy that includes all the “classic” components such as information valuation and labeling, controls evaluation, vulnerability management, and more. At the same time, however, I have developed a deep concern over a too commonly observed weakness in information security practices—a lack of speed and agility. Advanced persistent threats (APTs) are a constant threat to our data and information processing resources. The threat climate is constantly changing, but I fear that many information security practices (including the one I used to manage!) are not quickly and flexibly adapting their security defenses accordingly.
Information security policy is an area in which I am confident that better speed and agility is generally needed. In many information security practices the information security policy becomes a legacy document in the matter of months. In everyone’s defense, the information security manager typically has so many fires to fight that revisiting issues such as whether an information security policy in which so much effort has been invested might need to be updated is the last thing on this person’s mind. But this document needs to be viewed as a living and breathing document that sets the tone for an organization’s security posture and that addresses the organization’s threat profile. If either changes, the policy should change accordingly and it should change sooner, not later.


Propriety Issues Concerning Vendors and Information Security Professional Organizations

Before I go any further, I want to assure everyone that I have a lot of respect for every information security professional organization out there and I really have no gripes with any of them. But sometimes I wonder whether the relationship between vendors and these organizations has sometimes crossed the proverbial line of propriety. My musings are the result of attending meetings for which some vendor has picked up the cost of the meal or something else. I have no problem with the vendor doing this—after all, money does not grow on trees, especially with non-profit, volunteer organizations. And I also have no problem with the vendor being recognized and thanked for having picked up the cost. My problem instead comes from someone from the vendor’s organization getting up in front of attendees and hawking the vendor’s wares. In this case, the vendor has crossed the line of propriety. I consider this practice to be unethical as well as insulting to those of us who attend professional meetings.


Top Ten Most Critical Web Application Security Vulnerabilities

March 22nd, 2010

Web application security is often viewed incorrectly as a set of server and host-based security issues, rather than code-level and configuration-based security vulnerabilities. Although servers and hosts may still be the cause of exploitation, it is critical that security professionals recognize the major impact of poorly written web applications as well as how their applications and servers are configured, separately and in combination. The Internet is increasingly responsible for handling and storing information and files of a sensitive nature requiring security and protection. Keeping hackers at bay and assuring the privacy of private and proprietary documents is paramount. Below are the top ten security vulnerabilities and how security programmers mitigate these to prevent exploitation.

Security web programmers are often given neither the clout nor the attention they deserve. Security programmers apply a much higher degree of attention, detail, and time to programming. Secure software may require more time and money than insecure software. A comparison must be made between the cost of securing web applications and the cost of an insecure web application bringing the business down or releasing sensitive information to potentially nefarious hackers.

Don’t be misled by security misnomers or be mistaken about your security requirements. Security factors can be well-defined and explained at any level of your corporate structure. Emagined Security employs security programmers who are trained and experienced to develop secure software, including web and database applications. Our proven security programming techniques and multi-layered security development protocols ensure your web applications are protected and your sensitive information secured.


A Kudo for NSS Labs

It is likely that you already know about NSS Labs. If you don’t, you can find out about them by visiting their website. This organization was created nearly five years ago to perform independent evaluation and certification of information security products. Products that meet NSS Labs’ standard criteria are approved, and ones that meet even higher criteria are awarded NSS Labs Gold status. NSS Labs is not the only entity that does testing of this nature. What is different about this organization is that the testing is truly independent; it does not cost anything to participate in the testing. The vast majority of NSS Labs’ revenue is instead from vendor certification, although because group testing started just last year, their revenue related to testing (e.g., having vendors pay for the rights to distribute the NSS group test Executive Summaries) is likely to grow substantially. NSS Labs also makes revenue from evaluation reports that it produces after testing for a particular type of product is complete. NSS Labs then sells these reports.

I admit that I am biased in that I know and very much like the NSS Labs CEO and President, Rick Moy. I got to know him when I consulted for High Tower Software (before I was hired as the CTO there). Rick was the product manager, and I thought he did a very fine job in this role. He not only wrote a product requirements document that clearly stated the functionality that the High Tower SIEM tool needed, but along with Antonio Bianco also had a major hand in designing the user interface. Over the years, this product’s user interface was one of the best in any security product, and Rick had a lot to do with this accomplishment.


Defense in Depth: It’s Just Not the Same Any More

Just a few days ago I read an extremely interesting article titled “Update: Security industry faces attacks it cannot stop.” Written by Robert McMillan, it appeared in the March 10 issue of Computerworld. It in effect said that although we have all kinds of security technology available to us, attackers need only exploit one vulnerability (often one of which we are not aware) to breach security. Success for the black hat community is thus inevitable if attackers try one exploitation vector, then another, then another, and so on—one will eventually work. Try as we may, we are losing the war against computer criminals very badly right now.


Liability Issues when Banking Transaction Fraud Occurs

Just yesterday I had a very interesting telephone conversation with someone concerning liability issues when banking transaction-related fraud occurs. If a bank customer’s savings account is drained by a fraudster, who is liable, the customer or the bank?

This issue is by no means new. You might recall the incident that occurred in 2005 in which an owner of a small business, Joe Lopez, found that funds had been transferred from his company’s Bank of America account without his authorization. He reported what had occurred to the bank, which launched an investigation that showed that a keystroke logging program had been installed on Lopez’s PC. The perpetrators gained remote access to this PC, copied the stolen information, and used it to make money transfers to a bank in Latvia that ultimately ended up in their hands. Informing Lopez that the fraud was due to Lopez’s failure to secure his computing system rather than the bank’s failure to provide suitable security, the bank initially refused to replenish the stolen funds. Lopez disagreed. The press picked up the story, making it look as if Lopez had been victimized by a gigantic, customer-indifferent bank. Fearing public relations damage, the Bank of America reversed its position and compensated Lopez for the money he had lost.


Could the U.S. Lose a Cyberwar?

Nearly two weeks ago Admiral Mike McConnell, the former U.S. Director of National Intelligence (DNI), testified about the preparedness of the U.S. in the event of a cyberwar at a meeting of the U.S. Senate Commerce, Transportation and Technology Committee. He said that if the U.S. were to be attacked in a cyber war, the U.S. would lose. Admiral McConnell’s testimony created shock waves among members of this committee, who reportedly did not have a clue that the U.S. was so dismally prepared for cyberwarfare. Jim Lewis, who heads the government’s Commission on Cybersecurity, followed Admiral McConnell by saying that most of the U.S.’s critical computing infrastructure is within the commercial sector, but this sector is not doing enough to safeguard computing assets. According to Lewis, no improvements in cybersecurity practices within private industry are likely to occur unless regulations require these improvements.


RSA 2010

Earlier this week I once again went to the RSA Conference in San Francisco. I could have gone to some of the presentations and panels, but once again I chose not to do so. Why? I have found that many times one can learn more from meeting and talking to people at this conference than from attending sessions, and once again I found this to be mostly true.

I went to the RSA Conference last year and noted in a blog entry shortly afterwards that attendance had dropped considerably from 2008. An unfortunate outcome was my having to deal with the conference’s PR firm, which objected to my mentioning the then downward turn in attendance. Good news—this firm should have no objection whatsoever to my saying without any reservation that the attendance for RSA 2010 was dramatically higher than last year. My main metric, good or bad as it might be, is how easy it is to get from point A to point B within the Moscone Convention Center. This year I had to constantly dodge people in the main upstairs areas and down below in the exposition hall. Seating areas were crowded. There is no doubt that attendance was at least back to its 2008 levels, or very possibly even higher.


Guest Editorial on Code Liability

In a SANS NewsBites editorial a little over a week ago I lamented the fact that to date software companies have for the most part not been held responsible in legal cases for damages resulting from bugs in their code. I described this situation as “the single greatest enabler of bug-infested coding on the part of vendors.” A mentor and also friend of mine, the legendary Bill Murray, sent me a message with a plethora of excellent comments concerning the issue of liability related to software bugs. His commentary on this issue is so outstanding that I decided to (with his advance consent) publish it as a blog posting.
