
Archive for the ‘general’ Category

email attachments

Wednesday, July 28th, 2010

I just got a spam email from a company trying to sell me something-or-other for email that included the following quote:

“Most organizations are struggling with the rising tide of email attachments, which can rapidly consume all available email storage when left unchecked.”

They attributed this quote to Matthew Cain, which I can’t verify, but my only response is: Really? I mean really? In this day and age? Are you sure this quote isn’t from… 1999?

no such thing as cyber-terrorism

Friday, April 2nd, 2010

Since the terrorist attacks of September 11 2001, a lot of money has been spent on fighting terrorism. People who want money, whether for their department budgets, federal grants, or to fund startups, have been casting themselves as terrorist fighters. It has simply become the word du jour. In the information security field, one of the outgrowths of this is the complete and utter overuse of the phrase cyber-terrorism. Admittedly I saw a lot more of this when I was in government circles than I do now in the private sector, so I suppose this is a “leftover rant”, but it is also intermittently popular in the media. Let me say loud and clear: cyber-terrorism does not exist – now, or ever. (Cyber-warfare is a more complex issue which I’ll deal with in another post).

I remember one government-run conference I was at where almost half the talks focused on cyber-terrorism in some way. About halfway through the conference I cornered an academic friend of mine and asked him if he had ever, in his entire life, heard of even a single case of cyber-terrorism. After a few moments of thought the best he could come up with was that if a terrorist was very good, they would have infiltrated something and would be biding their time and waiting. Although this is a popular story amongst fear-mongers, it is not how terrorists work. The goal of terrorism is to wage a campaign of terror. To do so you take credit for everything you do in order to make your targets feel like you control the situation and not them. In fact, terrorists frequently try to take credit for things they didn’t do, just to assert themselves as being in control. Their goal is to gain attention – not avoid it. A terrorist wants to get on the front page of every newspaper in the world – they don’t even care if they killed anyone or blew anything up. (See for example the fact that Umar Abdulmutallab, better known as the Christmas day bomber, is being hailed as a hero even though his plan failed!) For the terrorists the Abdulmutallab attempt was a success not because it killed people or caused damage, but simply because it got us Americans to panic – they inflicted terror. Computer hacking simply doesn’t elicit the same response. The Chinese-Google hacking case arguably caused more damage, but it did not elicit the same fearful response from the American population. It was also almost certainly a much larger expenditure of resources. Why would any terrorist group expend ten times the resources for one-tenth the result? (Again, using their definition of the word result.) Cyber-terrorists may make good movies, but they simply don’t exist in real life.

Nigerian scammers go up a notch

Tuesday, October 20th, 2009

It always amazes me that:

1 – people assume that because something is written down it must be true.

2 – disreputable people will always find new and creative ways to take advantage of the above.

Courtesy of Emails from crazy people (and further variants on snopes) comes the newest evolution of the Nigerian 419 scam. Absolutely astounding.

I want you to read this message very carefully, and keep its content secret till further notice, you have no need of knowing who I am, where am from, till I make out a space for us to see, I have been paid $50,000.00 in advance to terminate your existence with some reasons not listed in my contract by my employer, this employer is one you may call family, I have been in close surveillance for one week and three days now and have seen that you may be innocent, which really is not for me to decide.

Note that for your safety do not think of contacting the police or F.B.I or try to send a copy of the message to them, because seeing an alert on this massage will force me to do what I do not intend doing (Believe me it will seem like an accident to even the F.B.I forensics) As this is the first time am betraying a client.I will be needing a retirement fee from you to return to my country ASAP as I can not stay any longer in your country after this.

Now, listen very carefully I will arrange a location for you to pick up tapes and pics of me and my employer for court evidence, and also meet with you face to face if you promise you won’t involve the police or F.B.I. Contact this email within 48hrs as I do not have much time. *****@yahoo.

Be careful of who you think you are showing this massage to, we are watching and listening to every move you make.

You don’t need my phone contact for now till am assured you are ready to comply good.

no more free bugs

Thursday, April 2nd, 2009

A very interesting development in the disclosure debate.

A few weeks ago, Charlie Miller, Alex Sotirov, and I [Dai Zovi] arrived on a new meme: No More Free Bugs.

Therefore, reporting vulnerabilities for free without any legal agreements in place is risky volunteer work.  There are a number of legitimate alternatives to the risky proposition of volunteering free vulnerabilities and I have already mentioned a few (I don’t want to turn this into an advertisement or discussion on the best/proper way to monetize security research).   There just need to be more legal and transparent options for monetizing security research.  This would provide a fair market value for a researcher’s findings and incentivize more researchers to find and report vulnerabilities to these organizations.

7 habits of highly effective infosec professionals

Monday, March 9th, 2009

In his book The 7 Habits of Highly Effective People, Stephen Covey presents universal habits which can be applied to any person, organization, profession, corporation, or business. As part of habit 3, “put first things first”, he describes a way to classify activities in terms of importance and urgency. He has a basic four box matrix that looks like this:

                  Urgent          Not urgent
  Important       I (crisis)      II (prevention)
  Not important   III             IV

His point is that too many people spend too much time in box I, which is the crisis box. Crises, in his words, “act on you, rather than you acting on it”. The solution, he says, is to spend more time in box II – things which are important but not urgent. To give a brief example, if you were suffering a heart attack and needed medical attention, that would constitute a box I event – it is both urgent and important. A box II event would be exercise and proper diet, which would ultimately reduce your likelihood of having the heart attack in the first place. By working more in box II, you ultimately shrink the amount of time you spend in box I. Security is, almost by definition, a box II item – it is important, but rarely urgent. However, within our profession this matrix can still be applied, and I think that properly classifying and thinking about these activities can greatly help an infosec individual or group better prioritize its activities.

Box I – urgent and important:
  • Incident detection
  • Incident containment
  • Incident eradication
  • Deploying urgent patches because the newest worm is tearing you apart

Box II – not urgent but important:
  • Security reviews
  • Hardening systems
  • Deploying secure technologies like DNSSec, VPNs, SPF, DKIM, etc.
  • Code review
  • Implementing a good patch management policy
  • User awareness training

Box III – urgent but not important:
  • Regulatory compliance
  • Complying with legal requests/issues

Box IV – neither urgent nor important:
  • Playing solitaire

I’m clearly not saying that you should all start to simply ignore the crises that regularly crop up in your line of work. However, I think that entities which focus on box II items will ultimately see far more benefit than those that ignore those things (as they’re not urgent) and end up spending all their time in box I.

security and outsourcing

Friday, March 6th, 2009

Chris Wysopal has a good article in SecurityFocus about security reviews of outsourced software. I must admit I agree with just about everything he said (that you need to do due diligence on the code that was outsourced, just like you do for internally developed code). However, there is one factor missing from the article. The reason so much development is outsourced these days is because companies don’t want the hassle/cost/overhead associated with doing their own development. Security is included in that. If a company doesn’t want to go through the hassle of hiring their own developers and doing QC on their own code, what makes you think they’re willing to hire security experts to do QC on the code they outsource?

Although there are many solutions, including having a third party review built into the outsourcing contract, one obvious solution that comes to mind is having third party certifications, similar to the common criteria or DITSCAP.

vulnerability disclosure response time

Thursday, March 5th, 2009

A few months ago I found an XSS vulnerability in a product used by many people. I contacted the vendor, which happens to be a very large entity. (No, it’s not Microsoft, but that’s the only hint I’ll give). Here’s the timeline of what’s happened so far:

  • Dec 18 2008 – I send an email informing them of the problem, and showing them what was needed to replicate it.
  • January 8 2009 – They sent me a response saying they were “evaluating and will get back to me”.
  • Feb 12 2009 – I send a followup email asking what’s going on.
  • March 5, 2009 – I get a response saying that they have verified the issue, and are working on a fix.

So, does this seem like a reasonable timeline? Should I be pushing harder? This isn’t the biggest vulnerability in the world, but it still seems like something that should be fixed, and the fix shouldn’t be that hard.

ID theft and credit cards

Monday, August 11th, 2008

Over the last few days there have been a lot of headlines about how the US has cracked the biggest ID theft ring ever. Frankly it’s a load. Biggest? Perhaps. ID theft? Only by the worst definition. The suspects in question are alleged to have stolen 40 million credit card numbers by breaking into retailers’ networks. (Most notably the much maligned TJ Maxx.) The problem is that the US government defines stealing a credit card number as identity theft. This is the most inclusive definition but it’s also the worst. If someone steals your credit card number you simply cancel the card and are not held responsible for the fraudulent charges. No one can wreck your credit score or open a line of credit in your name. (For that they usually need your social security number.) Including credit card numbers in ID theft numbers artificially inflates them and makes for great scare tactics from companies like LifeLock, but doesn’t actually measure the real risk to your credit score. Some organizations have no vested interest in scaring you (like the Privacy Rights Clearinghouse), but most simply use the largest and scariest number possible. It’s time for this tactic to stop. Stealing someone’s credit card number is not the same as stealing their identity, and if reliable crime statistics are important, then we need to stop equating the two.

George Carlin and airplanes

Tuesday, July 15th, 2008

I don’t want to spend a lot of time bashing airport security, if only because it’s a little bit like shooting fish in a barrel. Every security expert, regardless of background, knows it too.  However, should I be worried that George Carlin is making more sense than TSA?

this is what a botnet looks like

Tuesday, May 13th, 2008

For those of us who like to be able to represent everything graphically, this is what a botnet looks like. Researcher David Vorel mapped interconnected, bot-infected IP addresses and created this geometric representation. If you’re at all interested, it’s a very good way to understand the command and control structure of a botnet.
