Archive for the ‘Uncategorized’ Category

Interesting Nuggets: Quick Tidbits I Find Compelling

April 29th, 2009 1 comment

Here are some interesting nuggets that I find compelling:

Trend Micro is buying Third Brigade – One of my favorite Canadian companies is getting hitched. Third Brigade has always been measured and understated in their approach to Virtualization Security and their entry into Cloud, and their solutions tend to deliver good value.  Their “acquisition” of OSSEC was also smart given the nature of guest-oriented controls for Cloud environments.  This is a good move for Trend as it gets them a solution suite they didn’t have previously.

Panda gets cute and cuddly with AV in the Cloud – Take a thin-client, add “Cloud” based scanning and you get a revised model for AV.  I like this idea for a couple of reasons, the most interesting of which relates to the notion of what the aggregated telemetry from all the client interactions will mean to more real-time threat mitigation.  I wrote about this sort of thing a while ago, with one of my favorites being a post titled “Thinning the Herd and Chlorinating the Malware Gene Pool.”  I’ll be very interested to see how functionally the service compares with traditional AV in terms of efficacy and what sort of performance one might expect.

…and so does McAfee – This appears to be simply a SaaS offering that replaces typical on-premise gateway solutions unlike Panda’s which includes a thin-client endpoint client.  Expect everyone and their mother (and their VC’s mother) to provide this in the short term.

IBM re-enters the networking market via Brocade deal – IBM is extending its existing OEM arrangement with Brocade to include the Ethernet switching and routing products from the Foundry acquisition.   Huh.  I thought they’d already done that with Juniper?  Oh, they’re going to do that, too.  Response to Cisco ya think?  IBM is good at hedging bets.

Forrester Backs Private Clouds – Will Others Follow Suit? – This is both gratifying and personally annoying. Firstly, Forrester is NOT the only analyst company backing Private Clouds.  Gartner is and has (although their definition seems to have morphed) well before Forrester and some of us have been proponents of Private Clouds before they became pop culture. Ugh.

Google Fires Back at VMware about Virtualization for Cloud Computing – Well, of course they do.  Google doesn’t utilize virtualization — they deploy millions of servers instead. It’s a “diabolically-opposed” approach.  Welcome to religious debates 101, please take a seat…or stand.

DMTF announces the Open Cloud Standards Incubator – I don’t know what to think about this.  It sounds like a good idea and has some solid backers.  I noticed that the charter is focused on IaaS/PaaS but not SaaS.  Telling.

Randy Bias says the Open Cloud Is Coming – I reviewed Randy’s original draft and he’s done a good job refining his points although I don’t agree with all of them.  His last statement is a good summary: “Ignore the naysayers.  Customers want choice and they will have it.  Choice is driven by open standards, cheap resources, and easy ‘self-service’ access.”  Yep, customers want choice, but choice isn’t driven by “open standards.” It’s driven by “open-enough standards” that customers feel meet their needs.

More later.


Categories: Uncategorized Tags:

Amazon’s Kindle: Some Interesting Security Thoughts

February 26th, 2009 13 comments

My Kindle2 showed up yesterday. I un-boxed it, turned it on and within 3 minutes had downloaded my first book and was reading away (Thomas Barnett's "Great Powers," if you must know.)

So this morning after I checked my email on my other indispensable tool/toy, my iPhone, I realized something was missing from the Kindle: a password.

So you might think "Hoff, why would you need a password for a device that lets you read books?"

Well, while it's true that the majority of users will simply read "off-the-shelf" books/blogs/magazines they download from Amazon's storefront on their Kindles, there are a couple of other interesting scenarios that ran through my mind:
  1. To purchase a book using the Kindle, the device is linked to Amazon's One-Click purchase capability.  This means that once I choose to purchase a book, I simply click "Buy" and it's delivered to the device, automagically charging my credit card.  If I lost my device, someone who found it could literally download hundreds of books to the Kindle on my nickel until I am able to do something about it.  This would be short-lived, but really annoying.
  2. It is possible using an Amazon web service to convert documents into the Kindle Format and download them over WhisperNet to your device.  Given how convenient this is for reading, imagine what would happen if some crafty person decided to convert and download a sensitive document to the Kindle and then lose the device.  Imagine if that document contained PII or other confidential/sensitive information?  I wager we'll see a breach notification being issued based on someone losing a Kindle.
Yes, I know it's a piece of "consumer" equipment, but look a little further down the line: college students using it for textbooks and all sorts of other communications, business people using it for reading corporate materials, etc…

I am interested in exploring the following elements in the long term:
  1. An option for password-protected access to the device itself.
  2. A content-rating based password-controlled parental rating system for certain materials. My kids already grabbed my Kindle and (see #1 above) downloaded 3 kids books to it.  I may not want them to read certain content.
  3. Remote self-destruct 
  4. Encryption of content (at rest, in motion)
  5. Security of Whispernet itself
  6. WiFi (and its attendant issues)
I'm sure as I dwell on this, there will be other issues that crop up, but the security wonk in me was in full gear this morning.

You have any other security shortcomings or concerns you've thought of re: the Kindle? 


Berkeley RAD Lab Cloud Computing Paper: Above the Clouds or In the Sand?

February 19th, 2009 2 comments

I've waffled on how, or even if, I would write my critique of the Berkeley RAD Lab's paper titled "Above the Clouds: A Berkeley View of Cloud Computing."

I think I've had a hard time deciding where the authors have their heads, hence the title.

Those of you who know me are probably chuckling at the fact that I was a good boy and left off the potential third cranial location option…

Many people have written their respective reviews of the work, including James Urquhart, David Linthicum and Chuck Hollis, who all did a nice job summarizing various perspectives.

I decided to add my $0.02 because it occurred to me that despite several issues I have with the paper, two things really haven't been appropriately discussed:
  1. The audience for the paper
  2. Expectations of the reader 

The goals of the paper were fairly well spelled out and within context of what was written, the authors achieved many of them.

Given that it was described as a "view" of Cloud Computing and not the definitive work on the subject, I think perhaps the baby has been unfairly thrown out with the bath water even when balanced with the "danger" that the general public or press may treat it as gospel.

I think the reason there has been so much frothy reaction to this paper by the "Cloud community" is that because the paper comes from the Electrical Engineering/Computer Science department of UC Berkeley, a certain level of technical depth and a more holistic (dare I say empirical) model for analysis is expected by many readers and their expectations are therefore set a certain way.  

Most of the reviews that might be perceived as negative are coming from folks who are reasonably technical, of which I am one.

To that point and that of item #1 above, I don't feel that "we" are the intended audience for this paper and thus, to point #2 above, our expectations — despite the goals of the paper — were not met.

That being said, I do have issues with the authors' definition of cloud computing as unnecessarily obtuse, their refusal to discuss the differences between the de facto SPI model and its variants is annoying and short-sighted, and their dismissal of private clouds as relevant is quite disturbing.  The notion that Cloud Computing must be "external" to an enterprise and use the Internet as a transport is simply delusional. 

Eschewing de facto models of reference because the authors could not agree amongst themselves on the differences between them — despite consensus in industry outside of academia and even models like the one I've been working on — comes across as myopic and insulated.  

Ultimately I think the biggest miss of the paper was the fact that they did not successfully answer "What is Cloud Computing and how is it different from previous paradigm shifts such as Software as a Service (SaaS)?"  In fact, I came away from the paper with the feeling that Cloud Computing is SaaS…

However, I found the coverage of the business drivers, economic issues and the top 10 obstacles to be very good and that people unfamiliar with Cloud Computing would come away with a better understanding — not necessarily complete — of the topic.

It was an interesting read that is complementary to much of the other work going on right now in the field.  I think we should treat it as such and move on.


Links for 2008-11-17 [No, I don’t use]

November 17th, 2008 3 comments

Pay-It-Forward: I’m collecting donations for my Kiva Micro-loans Security Pro Funding Pool…

July 2nd, 2008 2 comments

“…everyone who wants to make a difference should just go ahead and get
their own foreign policy and stop waiting on change from above.” – Thomas Barnett

Inspired by my friend Gunnar Peterson, I’ve committed to begin funding Kiva Micro-loans in the next 30 days with a goal to fund up to $1,000 by year end.

What does Kiva do and what is a micro-loan?

Kiva is focused on serving the working poor

Kiva’s mission is to connect people through lending for the sake of alleviating poverty.

Kiva is the world’s first person-to-person micro-lending website,
empowering individuals to lend directly to unique entrepreneurs in the
developing world. The people you see on Kiva’s site are real
individuals in need of funding – not marketing material.

When you browse entrepreneurs’ profiles on the site, choose
someone to lend to, and then make a loan, you are helping a real person
make great strides towards economic independence and improve life for
themselves, their family, and their community. Throughout the course of
the loan (usually 6-12 months), you can receive email journal updates
and track repayments. Then, when you get your loan money back, you can
relend to someone else in need.

Here’s a snippet from Gunnar’s posting which describes his experience with Kiva:

About a year ago, we signed up for Kiva, which is a microlender. One of our first loans went to Sith Saron, who lives in Siem Reap Province in Cambodia. She needed $1,000 for a cow, seeds, and a motorcycle for her farm.

Sith Saron is 37 years old and the mother of 7 children. She sells Khmer traditional cakes such as Num Korm, Num Bot, and Num Krouk to the people in her community and usually earns up to $4 each day. Her husband, meanwhile, works in his rice paddy growing crops as well as several kinds of vegetables. Two of her children are employed at a hotel, but the others are students.

The loan had an 18-month payback date, and just a couple of weeks ago (about 10 months after taking out the loan), she paid the loan in full.

If you are interested in helping me — and thus others — with contributing to the micro-loan movement, either sign-up to donate directly yourself, or feel free to donate via gift certificate to my pool and we can make an even bigger difference!

If you want to send a Kiva certificate, you can do so through the PayPal-enabled link above and use my email addy as the target recipient: choff [@]

At my birthday BBQ bash this weekend, in lieu of gifts I’ve asked for folks to donate to my pool for this year to fund multiple loans.

My family of three young girls and my lovely wife are all very excited about being able to participate in this process both domestically and internationally. 

In fact, all three of my kids are invested in giving up material goods and gifts in exchange for donations to Kiva.  How cool is that? 

Thanks to Gunnar again for the motivation and Thomas Barnett for his inspiring words.


Update: Within 3 minutes of posting this, my bud Zach already donated!  Fantastic!


Verizon Business 2008 Data Breach Investigations Report

June 12th, 2008 14 comments

This is an excellent report culled from over four years and 500 forensic investigations performed by the Verizon Business RISK team.

There are some very interesting statistics presented in this report that may be very eye-opening to many (italicized comments added by me):

Who is behind data breaches?
73% resulted from external sources  <– So much for "insider risk trumps all"
18% were caused by insiders
39% implicated business partners
30% involved multiple parties

How do breaches occur?
62% were attributed to a significant error  <– Change control is as important as compensating controls
59% resulted from hacking and intrusions
31% incorporated malicious code
22% exploited a vulnerability
15% were due to physical threats

What commonalities exist?
66%  involved data the victim did not know was on the system <– Know thy data/where it is!
75%  of breaches were not discovered by the victim  <– Manage and monitor!
83%  of attacks were not highly difficult
85%  of breaches were the result of opportunistic attacks
87%  were considered avoidable through reasonable controls <– So why aren’t they used?

Very, very interesting…

You can get the report free of charge here.


Update: I’ve read quite a few bristling reviews of this document.  Some claim it doesn’t go far enough to describe how VzB collected and sampled the data and from whom.  Others suggest it’s FUD and obviously just meant to generate business for VzB.

It’s true we don’t know who the customers were.  We don’t necessarily know which segments of industry they came from or how big/small they were.  It’s not authored by a disinterested party.  Got it.

I guarantee that some of the people who are amongst those being critical of the report will bitch about it and then use this data just like they have the FBI/CERT data over the years…

Take the report on face value and map it against others to see how it lines up.

This is not the definitive work on breaches, for sure, but it’s an interesting and useful data point to consider when exploring trending as well as for use in strategic planning in assessing your security program and preparing for an inevitable breach. 


Announcing the Security Star Chamber…

February 17th, 2008 No comments

I had an idea today; a platform upon which to launch a little security parody mixed with an even dose of introspective navel gazing and the odd spoonful of guffaw. The goal is to provide a healthy whilst humorous appraisal of the state of the security industry.

Think InfoSec Sellout meets Monty Python and The Apprentice.

Did you ever see the movie The Star Chamber?

In one of his earlier features, Michael Douglas plays a young judge who
becomes disillusioned with the law system he used to so admire when he finds
himself continually having to acquit particularly despicable criminals on the
grounds of ridiculous technicalities.

Sensing his frustration, a close friend
(Hal Holbrook) informs him of a secret judicial society that meets and
dishes out the appropriate punishment to those who have escaped the clutches
of the law.

Inspired by some conversations this last week at ShmooCon with friends new and old, I am creating the Rational Survivability version of the "Security Star Chamber."

I’m going to play the disillusioned (young) judge.  I’ve recruited my not-so-secret judicial society who will, on a weekly basis, cast judgment against a specific market of the security industry; we’ll pick on a segment in a no-holds-barred look at the belly of the beast, not to dispense punishment, but rather to provide perspective.

If we can’t take ourselves seriously, we may as well play the fool instead.

We expect to communicate our judgment in the most pompous, self-important and aggrandizing style as we possibly can.  Fair and balanced?  This ain’t Fox News (if you can’t sift through that irony, you’re sure as hell going to hate the SSC…)

Here’s the catch…each of the jury has to summarize his or her argument in one sentence.

This may lend itself to some awkward dialog, but it ought to be mildly interesting for sure.

You’ll meet the other judges shortly 😉




Pushing Reset On the IT vs. SCADA Security Debate….

January 23rd, 2008 7 comments

I think that perhaps I have chosen a poor approach in trying to raise awareness for process control and SCADA (in)security.  You can find recent SCADA posts here, including the "awareness campaign" Mogull and I launched a couple of weeks back that got a ton of eyeballs …

I believe I reacted poorly to the premise that some of those who assert expertise in this area tend to dismiss anyone who has a background only in what they define as "IT Security" as being unable to approach understanding — let alone securing — this technology.

Let me take a step back for a moment.

I’d like to get to the bottom of something regarding the alleged great divide between what is being described as diametrically opposed aptitude and experience required to secure "IT" infrastructure versus process control systems such as SCADA. 

I notice a similar divergence and statements being made between those who specialize in web application security (WebAppSec) versus information or network security (InfoSec/NetSec.)

For example, WebAppSec is a discipline and specialty that some suggest requires a level of experience and expertise that goes beyond that of traditional "information security" or "network security" practitioners.  It is suggested that in order to truly secure web applications, one generally requires programming experience, understanding complex data structures, databases, distributed application architecture, etc., at a very detailed level.

I think these statements are reasonable, but does it preclude an InfoSec/NetSec practitioner from contributing to effectively manage risk in a WebAppSec environment?

A network security practitioner can deploy a web application firewall and generally configure the solution, but the antagonists suggest that in order to provide a level of protection commensurate with the complexity and dynamics of the code which they are attempting to "secure," it cannot be done without an in-depth understanding of the application, its workflow and behavior.

Again, in reflection, I’d say that’s not an unreasonable assessment.  However, WebAppSec and NetSec/InfoSec guys in mature organizations generally should know what they don’t know and work together to implement a holistic solution across layers.  It doesn’t always work out that way, but in order to secure the WebApps, we can’t ignore the underpinnings of the network or information security foundations, either. 

It really should be a discussion, then, on how to unify complementary approaches at various levels with an overall focus on managing risk. However, what I find is a downright civil war on the "IT" vs "SCADA" security front.  I have to ask why?

Here’s an excerpt from a post I found on Dale Peterson’s excellent Digital Bond blog.  It was a review of a SCADA security presentation at a CCC event in Italy regarding an introduction (of sorts) to SCADA security.  The premise isn’t really important, but I think that this does a good job of explaining some of the issues and sentiments that I am referring to:

Now here’s the good news: Asset owners, you don’t need to worry about
hackers. When they talk about “owning critical infrastructure”, they’re
just sharing their wildest dreams. In reality, they have nothing in
their hands. Zero. Nada. Niente. It will take several more years until
the hacker community has learned to master various flavours of PLCs
with their different protocols and vulnerabilities. It will take
further years until they get to things like OPC and furnish advanced
attack methods against it. And by the time they come up with decent
exploits for the various SCADA applications that we use today, most
CxOs will already be retired. We have heard over and over again that
the IT folks aren’t particularly good at securing SCADA environments.
Guess what, they aren’t good at attacking them either. However our
hackers do think nobody will notice because the stuff is all so
complex. That’s what I call “insecurity by obscurity”.

This whole notion of "it’s so complex and so few people know anything about it so we have nothing to fear" seems to be the point of divide.

There’s another really telling post on Dale’s site (authored by him) titled "Firewalls are easy, control systems are hard" wherein the following inaccurate premise is painted, which reduces the scope of the entire infosec/netsec profession down to a five-tuple in a basic packet filtering firewall:

One of the common refrains heard again at ISA Expo is that IT
firewalls are too difficult to configure and deploy. Several
presenters, especially those promoting field security appliances,
mentioned this, and it seemed to be generally accepted. While I’m all
for simplicity and credit the vendors for trying to ease deployment,
firewalls are simple compared to deploying PLCs, defining points
in the SCADA database, developing displays, control loops, and the
myriad of other detailed configuration required to make a control
system work.

A firewall ruleset is as simple as defining rules by source IP,
destination IP and port. Since communication in control systems is
limited as compared to the corporate network, the ruleset is usually
very small.

How simple is that compared to monitoring and controlling a complex
process distributed over a plant or large part of the country with 5000
points or 100,000 points? I was introduced to control systems in 2000
and have worked on a large number of SCADA and DCS in a variety of
industry sectors and I still marvel at the effectiveness and attention
to detail in these systems. There is nothing in firewall or any other
IT security system configuration that comes close to the complexity in
configuring and deploying control systems.

That maybe true in an SME/SMB network, but the reality is now that firewalls in a large enterprise (which is a much more reasonable comparison) are just a small piece of the puzzle.  Endpoints numbering in the thousands (if not tens of thousands) which run hundreds of application combinations aren’t exactly chopped liver to secure.  Add in Web Application Firewalls, Database Monitoring, Encryption (at rest, in motion,) IDS, IPS, Proxies, A/V, URL Filtering, Anti-spam, NBAD, SIEM, etc. and it just gets more complex from there.

If life were as simple as deploying a firewall and firing off a five-tuple ruleset, we wouldn’t be in this pickle.
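To make concrete what a "five-tuple ruleset" actually is, and why even a small one is less trivial than the quote above suggests, here is an added example written for this page (my code, not Digital Bond's and not anything from the blog). It implements a first-match, default-deny packet filter over source, destination, protocol and port; the subnets, rule names and sample packets are constructed, and the `shadowed_rules` check shows how a broad deny placed first silently kills the narrower allow beneath it.

```python
"""First-match, default-deny five-tuple packet filter (added example).

Addresses, rule names and packets below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                              # "allow" or "deny"
    src: str = "0.0.0.0/0"                   # CIDR; default matches any source
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None              # None matches any protocol
    dport: Optional[tuple[int, int]] = None  # inclusive port range; None = any

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and not (self.dport[0] <= pkt.dport <= self.dport[1]):
            return False
        return True

    def covers(self, other: "Rule") -> bool:
        """True when every packet that matches `other` also matches this rule."""
        if not ip_network(other.src).subnet_of(ip_network(self.src)):
            return False
        if not ip_network(other.dst).subnet_of(ip_network(self.dst)):
            return False
        if self.proto is not None and self.proto != other.proto:
            return False
        if self.dport is not None:
            if other.dport is None:
                return False
            if not (self.dport[0] <= other.dport[0] and other.dport[1] <= self.dport[1]):
                return False
        return True


def evaluate(rules: list[Rule], pkt: Packet) -> tuple[str, str]:
    """Walk the ruleset top-down; the first match decides, otherwise default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "default-deny"


def shadowed_rules(rules: list[Rule]) -> list[str]:
    """Names of rules that can never fire because an earlier rule covers them."""
    return [
        later.name
        for j, later in enumerate(rules)
        if any(earlier.covers(later) for earlier in rules[:j])
    ]


# Constructed zone-boundary ruleset: HMI subnet -> PLC subnet on Modbus/TCP,
# one historian host on EtherNet/IP, then everything else from the 10/8
# corporate space explicitly denied ahead of the implicit default deny.
CONTROL_RULES = [
    Rule("hmi-to-plc-modbus", "allow", src="10.10.1.0/24", dst="10.10.2.0/24",
         proto="tcp", dport=(502, 502)),
    Rule("historian-pull", "allow", src="10.10.3.5/32", dst="10.10.2.0/24",
         proto="tcp", dport=(44818, 44818)),
    Rule("block-corp-to-plc", "deny", src="10.0.0.0/8", dst="10.10.2.0/24"),
]

# The same rules with the broad deny moved to the top: both allows are now dead.
MISORDERED_RULES = [CONTROL_RULES[2], CONTROL_RULES[0], CONTROL_RULES[1]]

HMI_TO_PLC = Packet("10.10.1.20", "10.10.2.7", "tcp", 50231, 502)

if __name__ == "__main__":
    print(evaluate(CONTROL_RULES, HMI_TO_PLC))      # ('allow', 'hmi-to-plc-modbus')
    print(evaluate(MISORDERED_RULES, HMI_TO_PLC))   # ('deny', 'block-corp-to-plc')
    print(shadowed_rules(MISORDERED_RULES))         # ['hmi-to-plc-modbus', 'historian-pull']
```

The three rules here are already order-sensitive: the same five-tuples with the deny on top produce a different verdict for identical traffic, and nothing in the packet tells you why. A shadowing check like `shadowed_rules` is the kind of review step that has to accompany even a "very small" ruleset, and it is one of many such steps in an enterprise with thousands of rules spread over dozens of devices.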

Whether a NetSec/InfoSec practitioner knows in-depth details regarding implementing PLCs/RTUs or the inner workings of the IEC61131-3 block programming language is neither here nor there, because it’s only one piece of the puzzle. 

Many InfoSec/NetSec practitioners don’t have expertise in SQL/pSQL, but they work with the DBAs to secure databases, right?

Once these systems are interconnected to an IP-enabled network, it requires cooperation up and down the stack.  InfoSec/NetSec pros need to become SCADA-aware, and SCADA pros need to stop suggesting that this technology is just so complex and overwhelming that it’s beyond our ability to effectively collaborate and that "firewall jockeys" just can’t understand.

The reality is that the bad guys look for the weakest link in the chain.  Will they attack complex protocol stacks and programming languages first?  No, they’ll go after the low-hanging fruit like poorly-configured/secured end-nodes, bad perimeter controls and general user-driven crap like we see in the rest of the world.  They won’t need to even spell PLC.

We need the same level of information sharing and respective skill set cross-pollination in this regard instead of squaring off like it’s a battle between us versus them. 



CIA: Hackers to Blame for Power Outages (’nuff said)

January 18th, 2008 1 comment

I’m sorry, did someone say we have nothing to worry about when it comes to SCADA and control systems security?  I must have missed the memo:

CIA: Hackers to Blame for Power Outages

WASHINGTON (AP) — Hackers literally turned out the lights in
multiple cities after breaking into electrical utilities and demanding
extortion payments before disrupting the power, a senior CIA analyst
told utility engineers at a trade conference.

All the break-ins
occurred outside the United States, said senior CIA analyst Tom
Donahue. The U.S. government believes some of the hackers had inside
knowledge to cause the outages. Donahue did not specify what countries
were affected, when the outages occurred or how long the outages
lasted. He said they happened in "several regions outside the United

"In at least one case, the disruption caused a power
outage affecting multiple cities," Donahue said in a statement. "We do
not know who executed these attacks or why, but all involved intrusions
through the Internet."

A CIA spokesman Friday declined to provide additional details.

information that could be shared in a public setting was shared," said
spokesman George Little. "These comments were simply designed to
highlight to the audience the challenges posed by potential cyber

Donahue spoke earlier this week at the Process
Control Security Summit in New Orleans, a gathering of engineers and
security managers for energy and water utilities.

The Bush
administration is increasingly worried about the little-understood
risks from hackers to the specialized electronic equipment that
operates power, water and chemical plants.

In a test last year,
the Homeland Security Department produced a video showing commands
quietly triggered by simulated hackers having such a violent reaction
that an enormous generator shudders as it flies apart and belches
black-and-white smoke.

The recorded demonstration, called the
"Aurora Generator Test," was conducted in March by government
researchers investigating a dangerous vulnerability in computers at
U.S. utility companies known as supervisory control and data
acquisition systems. The programming flaw was fixed, and equipment
makers urged utilities to take protective measures.

Now, this article says these attacks were outside the U.S. (since it came from the CIA, you can imagine why.)  Also, it does NOT directly say that SCADA systems were attacked.  However, these statements were made at a SCADA "Process Control" Security conference, so I’m going to take the liberty of bridging that assumption.  Either way, it highlights the problem at hand (see the 787 Dreamliner story and the Polish Tram derailment…)

Do you really think it’s that much of a reach to suggest it’s not happening on our shores?

If anyone gives me any more crap about being concerned regarding the possibility/potential for disruption…look at the boldfaced section.  The compromise was conducted over the Internet.  Don’t forget, this sort of thing is supposed to be impossible given some comments from my "awareness campaign":

Oh gosh, where do I begin Chris? 

What do the first letters of SCADA stand for?  Supervisory Control. 

A real SCADA system doesn’t issue direct controls. It issues
Supervisory Controls. There should be no time critical control loops in
SCADA. In other words, we have vulnerabilities. But they won’t destroy
anything right away. We engineers know better than to trust complex

Most good design practice is based upon graceful degradation. In
other words, we don’t send a command to open a valve. We send commands
to change the pressure differential setpoint. A local controller takes
care of the rest. There are sanity checks in the local controller.

You could send commands to the field that would screw things up. But
most people would notice and we’d take action. Keep in mind, that while
our operation is very careful and deliberate, the distribution system
was built for some wild extremes including pipe breaks, extreme
weather, communication outages, and vandalism. A successful attack would
require intimate knowledge of where the real vulnerabilities are.

Are you an expert at water utilities too? 

No, Jake.  I’m not a water utilities expert, just a concerned observer & citizen. 

Hat tip to Stiennon for the source.
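The design the commenter describes above (supervisory commands only request a new setpoint, and a local controller with its own sanity checks does the rest) is worth seeing as code, because it is also where the "most people would notice" claim either holds up or doesn't. The following is an added illustration written for this page, not the commenter's logic and not any vendor's firmware; the pressure units, limits, host names and request sequence are all constructed. It enforces absolute engineering bounds and a maximum step per request, keeps an audit trail, and raises an alarm after repeated bad requests from one source, which is the hook that turns "someone would notice" into an event an operator is actually shown.

```python
"""Local-controller sanity checks on supervisory setpoint requests (added example).

Limits, host names and the request sequence are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class SetpointLimits:
    low: float       # absolute engineering limits for the setpoint
    high: float
    max_step: float  # largest change accepted in a single supervisory request


@dataclass
class LocalController:
    """Owns the actuator. SCADA may only ask for a new setpoint; it never drives the valve."""
    limits: SetpointLimits
    setpoint: float
    alarm_after: int = 3  # rejected requests from one source before an alarm is raised
    audit: list[str] = field(default_factory=list)
    rejects: dict[str, int] = field(default_factory=dict)
    alarms: list[str] = field(default_factory=list)

    def _reject(self, source: str, reason: str) -> bool:
        self.audit.append(f"REJECT {reason} from {source}")
        self.rejects[source] = self.rejects.get(source, 0) + 1
        if self.rejects[source] == self.alarm_after:
            self.alarms.append(f"repeated invalid setpoint requests from {source}")
        return False

    def request_setpoint(self, new_value: float, source: str) -> bool:
        """Validate a supervisory request; apply it only if it passes every check."""
        lim = self.limits
        if not (lim.low <= new_value <= lim.high):
            return self._reject(source, f"out-of-range value {new_value}")
        if abs(new_value - self.setpoint) > lim.max_step:
            return self._reject(source, f"step {self.setpoint}->{new_value} exceeds {lim.max_step}")
        self.audit.append(f"APPLY {self.setpoint}->{new_value} from {source}")
        self.setpoint = new_value
        return True


def run_requests(ctrl: LocalController, requests: list[tuple[str, float]]) -> int:
    """Feed (source, value) requests to the controller; return how many were applied."""
    return sum(1 for source, value in requests if ctrl.request_setpoint(value, source))


# Constructed sequence: a legitimate HMI making small moves, and an unexpected
# host hammering the controller with values that fail the sanity checks.
CONSTRUCTED_REQUESTS = [
    ("hmi-1", 52.0),           # +2 psi, in range            -> applied
    ("hmi-1", 120.0),          # above high limit            -> rejected
    ("unknown-host", 30.0),    # in range, but a 22 psi jump -> rejected
    ("unknown-host", 0.0),     # below low limit             -> rejected
    ("unknown-host", 200.0),   # third reject from this host -> alarm raised
    ("hmi-1", 48.0),           # -4 psi                      -> applied
]


def demo() -> tuple[float, int, LocalController]:
    ctrl = LocalController(SetpointLimits(low=20.0, high=80.0, max_step=5.0), setpoint=50.0)
    applied = run_requests(ctrl, CONSTRUCTED_REQUESTS)
    return ctrl.setpoint, applied, ctrl


if __name__ == "__main__":
    setpoint, applied, ctrl = demo()
    print(setpoint, applied)   # 48.0 2
    print(*ctrl.audit, sep="\n")
    print(ctrl.alarms)
```

Two things follow from the step limit. First, a single bad command cannot swing the process to an extreme, which is the graceful-degradation argument in the comment. Second, anyone who does hold command access and wants to walk the setpoint somewhere dangerous has to do it in many small, individually valid increments, every one of which lands in the audit trail from an identifiable source; that record, and the per-source alarm, is what the monitoring side of the house needs to be watching rather than trusting that complexity alone will hide the process.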



Come to Boston’s Own (New) Security Conference in March 2008 – Source Boston

January 16th, 2008 1 comment

Besides the monthly BeanSec! gatherings, New England really needs a security conference to call its own.  Now we have one.

You can find a ton of detail about the show here, but if you’re impatient because you’re pahking the cah in the yahd and can’t get to your browsa, here’s the skinny:

The security convention is called SOURCE: Boston 2008, and it’s held
from March 12-14th, the W-F before St. Patrick’s Day weekend. The place
it’s being held is the Hyatt Regency Cambridge, right on MIT’s campus.

It’s the big step-shaped hotel with the neon framing right on the water. We have negotiated low room rates and are sporting quite a line-up of speakers and keynotes, including keynotes from Dan Geer of MIT Athena/Kerberos fame, Richard Clarke, and Steven Levy.

We will also have a panel with the members of the L0pht – speaking together for the first time in 10 years. We have some great evening activities such as a VIP reception and a Thirsty Thursday Pub Crawl.

The three tracks are application security, business and security, and new security technologies. It’s a professional conference and we’re having several CEOs speak, as well as other chief officers. However, it’s combining that professionalism and business component with the edginess and fun of some of the hacker conferences.

Rich Mogull and I are appearing on stage together as Click and Clack (or is it Wallace & Gromit?)  That ought to be worth the price of admission right there.

See you there.

