Archive for the ‘Current Affairs’ Category

Sourcefire IPO – Like Rain in the Desert…

October 26th, 2006 No comments

Congratulations to Wayne, Marty and Team @ Sourcefire as they filed their S-1 to go public.

Sourcefire is one of Crossbeam’s top ISV partners, so it’s great to see them do well in reaching both profitability and leading a security IPO.  God knows we need it in this drought.

Mike Rothman did a nice job of extracting the S-1 particulars:

They hope to raise $75M or so and released the following data:

* Total revenue in 2005: $32.9 million
* 2005 loss of $8.1 million
* Current cash of about $25 million
* Existing shareholders have put about $56 million into the
* Revenue ramp starting in 2002: $1.9MM, $9.4MM, $16.6MM,
* Services currently running about 36% of total revenues
* Last 4 quarters have been: $11.6MM, $8.5MM, $9.5MM,
* Profitable and cash flow positive for Q3 2006
* Over 80% of revenue from the US
* Marty Roesch owns about 9% of the company
* Sierra Ventures is the biggest venture investor with a 28.8% position

As Mike said, this puts SF in a very interesting place; they can either go out or set themselves up to be taken out before they finalize the deal.   Watch the sharks start to circle once again!

Interesting also that the BT/Counterpane deal surfaced.  Makes sense given IBM/ISS.   I give HP odds of buying Verisign’s MSSP division next… 😉

It’s about time we had a security IPO — it’ll set the stage for ’07.

A chronology of privacy breaches…

July 7th, 2006 2 comments

What a staggering number of individuals who have had the privacy of their personally-identifiable information compromised:


This information comes from the Privacy Rights Clearinghouse and presents a chronology of breaches since the Choicepoint incident in February, 2005. 

I don’t remember seeing or hearing anything about most of these incidents…imagine the many more that none of us do!



[O]ffice of [M]isguided [B]ureaucrats – Going through the Privacy Motions

July 4th, 2006 No comments

Like most folks, I’ve been preoccupied with doing nothing over the last few days, so please excuse the tardiness of this entry.  Looks like Alan Shimel and I are suffering from the same infection of laziness 😉

So, now that the 4 racks of ribs are in the smoker pending today’s festivities celebrating my country’s birth, I find it appropriate to write about this debacle now that my head’s sorted.

When I read this article several days ago regarding the standards that the OMB was "requiring" of federal civilian agencies, I was dismayed (but not surprised) to discover that once again this was another set of toothless "guidelines" meant to dampen the public outrage surrounding the recent string of privacy breaches/disclosures.

For those folks whose opinion it is that we can rest easily and put faith in our government’s ability to federalize legislation and enforcement regarding privacy and security, I respectfully suggest that this recent OMB PR Campaign announcement is one of the most profound illustrations of why that suggestion is about the most stupid thing in the universe. 

Look, I realize that these are "civilian" agencies of our government, but the last time I checked, the "civilian" and "military/intelligence" arms were at least governed by the same set of folks whose responsibility it is to ensure that we, as citizens, are taken care of.  This means that at certain levels, what’s good for the goose is good for the foie gras…kick down some crumbs!

We don’t necessarily need Type 1 encryption for the Dept. of Agriculture, but how about a little knowledge transfer, information sharing and reasonable due care, fellas?  Help a brother out!


The article started off well enough…45 days to implement what should have been implemented years ago:

To comply with the new policy, agencies will have to encrypt all data on laptop or handheld computers unless the data are classified as "non-sensitive" by an agency’s deputy director. Agency employees also would need two-factor authentication — a password plus a physical device such as a key card — to reach a work database through a remote connection, which must be automatically severed after 30 minutes of

Buahahaha!  That’s great.  Is the agency’s deputy director going to personally inspect every file, database transaction and email on every laptop/handheld in his agency?  No, of course not.  Is this going to prevent disclosure and data loss from occurring?  Nope.  It may make it more difficult, but there is no silver bullet.

Again, this is why data classification doesn’t work.  If they knew where the data was and where it was going in the first place, it wouldn’t go missing, now would it?  I posted about this very problem here.

Gee, for $1.50 and a tour of the White House I could have drafted this.  In fact, I did in a blog post a couple of weeks ago 😉

But here’s the rub in the next paragraph:

OMB said agencies are expected to have the measures in place within 45 days, and that it would work with agency inspectors general to ensure compliance. It stopped short of calling the changes "requirements," choosing instead to label them "recommendations" that were intended "to compensate for the protections offered by the physical security controls when information is removed from, or accessed from outside of the agency location."

Compensate for the protections offered by the physical security controls!?  You mean like the ones that allowed for the removal of data lost in these breaches in the first place!?  Jesus.

I just love this excerpt from the OMB’s document:

Most departments and agencies have these measures already in place.  We intend to work with the Inspectors General community to review these items as well as the checklist to ensure we are properly safeguarding the information the American taxpayer has entrusted to us.  Please ensure these safeguards have been reviewed and are in place within the next 45 days.

Oh really!?  Are the Dept. of the Navy, the Dept. of Agriculture, the IRS among those departments who have these measures in place?  And I love how polite they can be now that tens of millions of taxpayers’ personal information has been displaced…"Please ensure these safeguards…"  Thanks!

Look, grow a pair, stop spending $600 on toilet seats, give these joes some funding to make it stick, make the damned "recommendations" actual "requirements," audit them like you audit the private sector for SOX, and perhaps the idiots running these organizations will take their newfound budgetary allotments and actually improve upon ridiculous information security scorecards such as these:


I don’t mean to come off like I’m whining about all of this, but perhaps we should just outsource government agency security to the private sector.  It would be good for the economy and although it would become a vendor love-fest, I reckon we’d have better than a D+…


Ode to a suppressant. Or, “Why a colocation facility parked in the ocean still needs fire extinguishers…”

June 26th, 2006 3 comments

It just goes to show you that even on an old anti-aircraft gunnery tower cum colocation facility squatting squarely in the middle of the ocean, you still need to master the basics of risk management — or at least buy insurance…I swear this was on the CISSP exam.

I remember reading about HavenCo a couple of years ago when the debates were raging about the offshore hosting and colocation of, er, interesting commercial interests.

HavenCo is was an Internet-connected hosting and colocation facility located on (in) the principality of Sealand which prides itself as being known as the world’s smallest sovereign territory.  I thought that claim actually belonged to Cleveland, Ohio.  Oh well.

As it plays out, HavenCo is perched atop a structure which amasses said principality and is located 6 miles off the coast of Britain.  It was previously known as "Roughs Tower," an island fortress (anti-aircraft battery tower, actually) created in World War II by the British and ultimately "…surrendered/abandoned to the jurisdiction of the High Seas."  You can read about Sealand.  It’s a really trippy concept.  Read the history and fast forward to the tenants who are the featured element of this story…

If you’re interested in the guts of the place, check this out.  At least you know they have a toilet.

From HavenCo’s FAQ, you can clearly see that they pride themselves on providing the utmost service for their customers:

What makes HavenCo the best secure colocation facility?

  • Unsurpassed physical security from the world, including government subpoenas and search and seizures of equipment and data.
  • Redundancy and Reliability
  • Quality – 3 milliseconds from The City of London.
  • Tamper resistance – Our standard machines come with encrypted disk for user data partitions. We will deploy FIPS 140-1 Level 4 coprocessors, the highest security anyone has ever achieved, and offsite unlock codes.

It seems that the only thing missing was a fire extinguisher as HavenCo apparently burst into flame yesterday when a generator caught fire.  From EADT:

A FORMER wartime fortress which is now a self-proclaimed independent state has been left devastated after a fierce blaze tore through the structure.

The so-called Principality of Sealand, seven miles off the coast of Felixstowe and Harwich, was evacuated at lunchtime yesterday after a generator caught fire.

Thames Coastguard, Harwich RNLI lifeboat, Felixstowe Coastguard rescue teams, firefighting tug Brightwell, the RAF rescue helicopter from Wattisham and 15 Suffolk based firefighters from the National Maritime Incident Response Group (MIRG) were all called into action to tackle the blaze.

One man, believed to be a security guard, was airlifted from the scene and taken to Ipswich Hospital with smoke inhalation but no one else was on the Second World War gun emplacement.

“There have been a number of explosions on board as the fire has engulfed gas bottles and batteries. Only one person was on Sealand at the time, whom we understand to be a watchman whose job was to maintain the generators and equipment.

Horrible, really.  Especially when you realize that the royal family don’t appear to think that fire insurance is a necessary risk management utility.

I seem to recall reading stories of a nitrogen-filled data center to provide either anti-aging capabilities for the inhabitants (Sealand’s "rulers" are royals, after all…and we know how strange they can be) or suppress fire due to the absence of oxygen.

Oh well, dashed are my hopes of starting my own off-shore casino.  Perhaps I should consider speculative real estate.  Seems Sealand’s having a fire sale.



If news of more data breach floats your boat…

June 26th, 2006 No comments

U.S. Navy: Data Breach Affects 28,000

It looks like we’re going to get one of these a day at this point.  Here’s the latest breach-du-jour.  I guess someone thought that our military veterans were hogging the limelight so active-duty personnel (and their families, no less) get their turn now.  From eWeek:

Five spreadsheet files with personal data on approximately 28,000 sailors and family members were found on an open Web site, the U.S. Navy announced June 23. 

The personal data included the name, birth date and social security number on several Navy members and dependents. The Navy said it was notified on June 22 of the breach and is working to identify and notify the individuals affected.

"There is no evidence that any of the data has been used illegally. However, individuals are encouraged to carefully monitor their bank accounts, credit card accounts and other financial transactions," the Navy said in a statement.


Why are people so shocked re: privacy breaches?

June 25th, 2006 4 comments

This is getting more and more laughable by the minute.  From Dark Reading:

JUNE 22, 2006 | Another day, another security breach: In the last 48 hours, Visa, Wachovia, Equifax, and the U.S. Department of Agriculture have joined a growing list of major companies and government agencies to disclose they’ve been hit by sensitive — and embarrassing — security breaches.

The organizations now are scrambling to assist customers and employees whose personal information was either stolen or compromised in recent weeks. They join AIG, ING, and the Department of Veterans Affairs, all of which have disclosed major losses of sensitive data in the last few weeks.

Each of the incidents came to light well after the fact.

Disclaimer: I am *not* suggesting that anyone should make light of or otherwise shrug off these sorts of events.  I am disgusted and concerned just like anyone else with the alarming rate of breach and data loss notifications in the last month, but you’re not really surprised, are you?  There, I’ve said it.

If anyone has any real expectation of privacy or security (two different things) when your data is in the hands of *any* third party, you are guaranteed to be sorely disappointed one day.  I fully expect that no matter what I do, some amount of my personal information will be obtained, misappropriated and potentially misused in my lifetime.   I fully expect that any company I work for will ultimately have this problem, also.  I do what I can to take some amount of personal responsibility for this admission (and its consequences) but to me, it’s a done deal.  Get over it.

The Shimster (my bud, Alan Shimel) also wrote about some of this here and here.

Am I giving up and rolling over dead?  No.  At the same time, I am facing the realities of the overly-connected world in which we live and more so the position in which I choose to live it.  It isn’t with my head in the sand or in some other dark cavity, but rather scanning the horizon for the next opportunity to do something about the problem.

Anyone who has been on the inside of protecting the critical assets of an Enterprise knows that it isn’t "if" you’re going to have a problem with data or assets showing up somewhere they shouldn’t (or that you did not anticipate) but rather "when" … and hope to (insert deity here) it isn’t on your watch.

Sad but true.  We’ve seen corporations with every capability at their disposal show up on the front page because they didn’t/couldn’t/wouldn’t put in place the necessary controls to prevent these sorts of things from occurring…and here’s the dirty little secret: there is nothing they can do to completely prevent these sorts of things from occurring.

Today we focus on "network security" or "information security" instead of "information defensibility" or "information survivability" and this is a tragic mistake because we’re focusing on threats and vulnerabilities instead of RISK and this is a losing proposition because of these little annoyances called human beings and those other little annoyances they (we) use called computers.

Change control doesn’t work.  Data classification doesn’t work(* see below.)  Policies don’t work.  In the "real world" of IM, encrypted back channels, USB drives, telecommuting, web-based storage, VPN’s, mobile phones, etc., all it takes is one monkey to do the wrong thing even in the right context and it all comes tumbling down.

I was recently told that security is absolute.  Relatively speaking, of course, and that back in the day, we had secure networks.  That said nothing, of course, about the monkeys using them.

Now, I agree that we could go back to the centralized computing model with MAC/RBAC, dumb networks, draconian security measures and no iPods, but we all know that the global economy depends upon people being able to break/bend the rules in order to "innovate" and move business along the continuum and causing me not to put that confidential customer data on my laptop so I can work on it at home over the weekend would impact the business…

The reality is that no amount of compliance initiatives, technology, policies or procedures is going to prevent this sort of thing from happening completely, so the best we can do is try as hard as we can as security professionals to put a stake in the ground, start managing risk knowing we’re going to have our asses handed to us on a platter one day, and do our best to minimize the impact it will have.  But PLEASE don’t act surprised when it happens.

Outraged, annoyed, concerned, angered and vengeful, yes.  Surprised?  Not so much.

Until common sense comes packaged in an appliance, prepare for the worst!


P.S. Unofficially, only 3 out of the 50 security professionals I contacted who *do* have some form of confidential information on their laptops (device configs, sample code, internal communications, etc.) actually utilize any form of whole disk encryption.  None use two factor authentication to provide the keys in conjunction with a strong password.  See here for the skinny as to why this is relevant.

*Data Classification doesn’t work because there’s no way to enforce its classification uniformly in the first place.  For example, how many people have seen documents stamped "confidential" or "Top Secret" somewhere other than where these sorts of data should reside?  Does MS Word or Outlook force you to "classify" your documents/emails before you store/print/send them?  Does the network have an innate capability to prevent the "routing" of data across segments/hosts?  What happens when you cut/paste data from one form to another?

I am very well aware of many types of solutions that provide some of these capabilities, but it needs to be said that they fail (short of being deployed at arterial junctions such as the perimeter) because:

  1. They usually expect to be able to see all data.  Unlikely because anyone that has a large network that has computers connected to it knows this is impossible (OK, improbable)
  2. They want to be pointed at the data and classify it so it can be recognized.  Unlikely because if you knew where all the data was, you’d probably be able to control/limit its distribution.
  3. They expect that data will be in some form that triggers an event based upon the discovery of its existence or movement.  Unlikely because of encryption (which is supposed to save us all, remember 😉) and the fact that people are devious little shits.
  4. What happens when I take a picture of it on my screen with my cameraphone, send it out-of-band and it shows up on a blog?
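To make points 1 through 4 concrete, here is an added example (my own, not from the original post; the memo, the chat snippet and the scanner rules are all constructed) of a minimal content-classification scanner of the kind deployed at an arterial junction: it flags the labelled memo, still catches the SSN once the same facts are re-typed into a chat message, but the "CONFIDENTIAL" label never travelled with the paste, and the same memo pushed through a compressed-and-encoded channel (zlib plus base64 standing in for any encryption) passes untouched.

```python
import base64
import re
import zlib

# Constructed samples: a labelled memo, the same facts re-typed into a chat
# message (label gone, separators changed), and the memo after compression and
# base64 encoding, standing in for an encrypted or encoded back channel.
CONFIDENTIAL_MEMO = (
    "CONFIDENTIAL\n"
    "Customer: J. Doe   SSN: 123-45-6789\n"
    "Account under review for refund.\n"
)
PASTED_SNIPPET = "fyi, the account for 123 45 6789 needs a refund review"
ENCODED_COPY = base64.b64encode(zlib.compress(CONFIDENTIAL_MEMO.encode())).decode()

# Rules a content scanner would apply: a handling label, and a pattern for
# US Social Security Numbers that tolerates dashes, spaces or no separator.
LABELS = ("CONFIDENTIAL", "TOP SECRET")
SSN_RE = re.compile(r"\b\d{3}[- ]?\d{2}[- ]?\d{4}\b")


def classify(text):
    """Return the set of reasons the scanner would flag this text."""
    reasons = set()
    upper = text.upper()
    if any(label in upper for label in LABELS):
        reasons.add("label")
    if SSN_RE.search(text):
        reasons.add("ssn")
    return reasons


def scan_samples():
    """Run the scanner over the three constructed samples."""
    return {
        "memo": classify(CONFIDENTIAL_MEMO),
        "pasted": classify(PASTED_SNIPPET),
        "encoded": classify(ENCODED_COPY),
    }


if __name__ == "__main__":
    for name, reasons in scan_samples().items():
        verdict = "flagged: " + ", ".join(sorted(reasons)) if reasons else "passed"
        print(f"{name:8s} {verdict}")
```

The "encoded" sample is why the author’s point 3 bites: once the bytes are no longer in a recognizable form, a scanner that keys on content has nothing left to match, whatever the original label said.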

Rather, we should exercise some prudent risk management strategies, hope to whomever that those boring security awareness trainings inflict some amount of guilt and hope for the best.

But seriously, authenticating access *to* any data (no matter where it exists) and then being able to provide some form of access control, monitoring and non-repudiation is a much more worthwhile endeavor, IMHO.

Otherwise, this exercise is like herding cats.  It’s a general waste of time because it doesn’t make you any more "secure."

I’m getting more cynical by the (breach) minute…BTW, Michael Farnum just wrote about this very topic…