Another argument that the full disclosure fans like to make is that the bad guys probably already know about it and are using it. That may be so but in a vast majority of the cases IF they have exploit code it is probably not being used except in limited cases. If it was then there would be noise on the internet that would point to it. It’s better that it be used in limited cases than it to be used on a large scale against anyone who happens to be unlucky enough to go to the wrong web site or click on the wrong link. Not to mention the fact that now instead of being in the hands of a very few it’s now in the hands of anyone who wants it and worse available to every script kiddie who wants to make a name for himself.

Also the argument that many in IT use saying that by knowing the details prior to a patch allows them to be able to test their systems and put controls in place doesn’t hold much water either. Why? Because many if not most companies don’t do this. They don’t even know that the details are available and they don’t have the resources to use the information to protect themselves. So while a select few may be a little better protected the vast majority (including almost 100% of consumers) are left wide open to attack. Is this the best way to secure the internet? I don’t think so.

Peoples finances, reputations and ability to use the internet for legitimate purposes are at stake. When exploit code, PoC code and full details about vulnerabilities are released in an irresponsible manner  then you are increasing the threat landscape and not helping it like you claim to be doing. You are putting them in danger that most likely they would not face if you had acted in a responsible manner. Are you willing to reimburse them for the money that is taken out of their account? Are you willing to go to jail for them b/c their infected system (thanks to you) is not housing child porn? Are you willing to explain to their wife why all of a sudden porn is being shown to the kids when they try to go to pbskids.com? Are you willing to pay them the salary they lost because their compromised computer caused them to lose their job? I didn’t think so. And don’t give me the argument about good forensics being able to clear them b/c in most cases that is not going to happen. Most individuals are not going to hire and forensic expert to prove to their wife that they weren’t looking at porn. Most won’t even know it’s an option. I’d venture to say that most companies, especially small ones, aren’t going to hire a forensics expert to see if what you were doing was you or malware.

In today’s world where much of what happens happens in electronic format and happens on computers that are connected to most every other computer in the world you are messing with peoples lives when you release this kind of information in an irresponsible manner. So what is irresponsible? I can’t define that completely but I can say that when you don’t give a vendor an opportunity to get a patch out you are practicing irresponsible disclosure.

Paragon Software is giving away their Virtualization Manager 9.5 Personal for free from Friday May 21, at 9:00 AM (EST) until Monday May 24 at 9:00 AM (EST)  . It usually cost $29.95 but today it’s free if you go to http://www.paragon-software.com/free.  I’ve never used it before but have heard good things about it so I thought since they were giving it away I’d pass it on. Now it does require registration so be prepared to have the waitress put a menu in front on you.

Those of us in infosec circles know these dangers haven’t changed but management keeps on chugging along as if it doesn’t really matter in the grand scheme of things.

Maybe it doesn’t…?

Well, I don’t think that Kevin believes that it doesn’t matter. He just seems to be at a point where he just doesn’t understand why this continues to happen.

I have a few theories that I want to share with you.

1. Those who do understand still are not doing a good job translating the danger into a language that the business understands.
2. We don’t understand the business enough to realize that the cost/benefit trade-off is not enough for management to buy. They would rather accept the risk, take the chance and deal with the consequences.
3. There is no guarantee that Security X will prevent a breach but you can be sure that it will quiet possibly break something and/or cause lots of user issues.
4. Compliance still makes the Auditor happy and we all know that when  Audit isn’t happy nobody is happy.

There are other theories and reasons for this phenomenon and I invite you to share yours in the comments. To answer the question as to whether or not it matters I think that it does. It matters because just doing enough to get by is wrong in lots of ways.

1. It’s putting short term benefits over long term ones.
2. It’s telling the world that our standards aren’t really that high and that we only care about what looks good.
3. It’s creating issues that go way beyond us and the here and now.
4. It affects  lots of “innocent” people.

This is the kind of attitude that has gotten us into the mess that we are in with the economy, housing and even the BP Oil spill in the Gulf. It’s this type of attitude that has brought down companies such as Enron, Aurthur Anderson, MCI, and is going to bring down many more.  I’ll stop here before I get on a soap box.

Then everyone goes on their merry way and no one outside the group that wrote the policy knows what it says. Sure they have an idea because of the summary given in the announcement but that is about it for most people. Then something happens and someone is allowed to ignore the policy or maybe just to “alter”  or “reinterpret” it. Like the situation that occurred when police officers were allowed to get around a policy that said that they were not to use their department issued communication devices for personal use. Instead of enforcing the policy their supervisor (or someone) said that they could use them for personal use as long as they paid for any overages occurred. This happened for a while until someone reviewed some messages that was sent and an officer was disciplined for what was in the message. This is where another part of the policy comes into play. You see officers were also told that policy stated that there should be no expectation of privacy when using department supplied equipment. Yet the officer felt that since he was paying for his personal messages that they should be private.

You may think that this is pretty clear cut. The officer is wrong, policy was clear and his discipline should stand. The problem is that the enforcement of the policy was not consistent with the intent of the policy and officers were allowed to ignore policy. In other words the message was not the message. What was intended and what was enforced were not the same and therefore the policy is weakened and possibly useless. There was no consistency in the intent and the implementation of the policy.

The team at Information Nation have a quick write up on this that is worth the read if for no other reason than it reminds us of the importance of consistency in how we apply policy. I think the bigger message is that there has to be a more concerted effort on part of the company to ensure that policies are understood, applied and enforced. The cycle of creating, announcing and forgetting has to end or we might as well quit creating them. We can use or time deploying firewalls and AV. All we really need.

So I’m going to get my blogging back up to speed. I’m going to start blogging more and hopefully other bloggers will head the call and get back to it. Let’s get the conversations going again.

First they lie and deny that the cars were even collecting the data and then they come clean when they realize that they have been caught. That makes this even worse. Now they are getting on the same level in my eye as Apple and that is pretty low. I’ve been openly critical of Google for their lack of concern for privacy and even went so far as to try and “degoogleize” my life (although I have sense started using more of their services). Now I’m starting to get more and more disenchanted with them b/c of this type of stuff. The quote by Eric Schmidt a few months ago about privacy not mattering was bad enough and now they are stooping to openly lying until they have to “fess up”.

Look, there are no perfect people or companies but come on act like an adult. Wait, act like a mature adult. If you are doing something that others may not agree with and it gets exposed (as it most always will) then just be grown up about it and admit it. I assure you that people will respect you more for it. That is one of the problems that I have with Apple. They have a history of dishonesty when dealing with vulnerabilities and such. If they would just admit it and move on then I probably would not have “de-appled” my life.

So here is my advice to Google and everyone else. If you get caught in something just fess up and admit it. Don’t try to hide it, spin it, deny it or hope if will go away. It won’t. People will remember how you act and respond. Remember Character does count and it does impact your business.

It wasn’t exactly a debate but we did have a good discussion on the subject as well as on airline security and a few other things. We really enjoyed  joining them and appreciate them having us on the show. It should hit the download site in a couple of days so please download it and check it out.

Wednesday, May 12, 7:00 – 8:30 PM

Gordon Biersch Brewery Buckhead

“A Brief History of Hacking,”
by Dave Shackleford

Question: What do Phreaking, Captain Crunch, Blue boxes, LoD and MoD have in common?

Answer: They were all milestones in the evolution of hacking and information security.

In this session, you’ll learn about:
The early days of phone phreaks and bulletin boards
The growth of hacker gangs and 2600: The Hacker Quarterly
The 75-cent accounting error that led to an international crime investigation
Bill Cheswick’s evening with “Berferd”
The first malware and Trojan horse programs
And much more!

As an added bonus, Dave will discuss a number of the most popular hacking and hacker movies, giving his opinions on which are most realistic (if any)! It’s an evening you absolutely won’t want to miss! RSVP today, and please invite your security colleagues and friends.

Speaker: Dave Shackleford is currently Director of Risk, Compliance and Security Assessments at Sword and Shield Enterprise Security. He was formerly CSO at Configuresoft and CTO at the Center for Internet Security. Dave, a certified SANS instructor, also has worked as a security architect, analyst and manager for several Fortune 500 companies. In addition to these roles, Dave has consulted with hundreds of organizations for regulatory compliance, as well as security and network architecture and engineering.

Today I saw something that got my blogging juices flowing. This article on NetworkWorld.com talks about how the city of Los Angeles has decided to transition to Google Docs for much of their business. They are transitioning everyone from an internal email system (They used Groupwise for email and collaboration so it’s understandable that they would want something else) and they are going to use Google docs for much of their office suite duties as well. There were several things that got my ire up about this so I thought it would be a good subject for me to “rant” on for my first blog in a while.

So here are my thoughts and issues with this. First, this quote that shows that those who are responsible for ensuring that the data is secure and private don’t seem to understand the meaning of the word “responsible”.

L.A. officials were convinced by Google’s security credentials, which includes SAS 70 certification,

EXCUSE ME!!!! REALLY! They honestly think that a SAS 70 is ANY measure of security? Come on are we sure that this isn’t April Fools day again? Have they ever read up on exactly what a SAS 70 is?  Saying that a SAS 70 is even remotely proof of a secure environment is like saying that using Gmail is similar to having your own private email server.  Now don’t get me wrong I’m sure that Google has some pretty impressive security in place, at least on parts of their network, but it’s still gmail. That’s email that is available to any and everyone.

Then there is the whole “cloud” issue. All of their email and documents will be stored on public servers. Let me be clear, these are the same servers that some of your Gmail and Google docs are on. These are servers that every hacker in the world has poked around looking for issues. These are servers that could easily be misconfigured and expose these emails and docs to the world. Just look at how many times we hear of data stored on Google infrastructure being “accidentally” exposed in Google searches. I’d bet that everyone reading this has done some Google Hacking and found all sorts of things that the owner of the data didn’t want to be seen by others.

That brings up the point of configuring the settings on the documents. Will Google handle this or will the City of LA, maybe even the end user will have control of these settings. What about someone who decides that they also want access to their own Gmail so they configure forwarding from their city account to their personal account and log into their personal account. Now they have access to both accounts and now the cities data is no longer under their Google infrastructure (even though it may be on the exact same server). What about sharing of docs that are stored in the Google infrastructure. If the control over that is not closely controlled then users personal accounts may get access to these documents and that would seriously hinder any additional security that may be applied to the city account.

This whole thing just reeks of potential problems. Then when you think about the math behind this you really have to wonder.  The article says that the City of LA has 30,000 users. Google Apps charges $50 per user per year. That’s $1,500,000 but the city is paying $7,500,000 to get transitioned from their internal systems to Google Apps. That means they are spending $6,000,000 dollars for transition and that’s if Google actually charged them $50 per user which would mean that they didn’t get any discount off of “retail”.  Sounds like a consulting firm saw the city coming.

They next math equation seems equally as questionable. They expect to save $5,000,000 over the 5 year contract. That’s only a million dollar savings per year for a 8 million dollar initial investment. Not exactly stellar but every penny counts. They they say that they expect to get another $15,000,000 dollars in increased productivity. ARE YOU KIDDING ME! Do they honestly think that the ability to work on documents at the same time will provide that kind of added value. If you do the math that equals out to $100 per year per employee in increased productivity which is doable and reasonable. Again we have to be realistic about this. All 30,000 employees won’t see that kind of increased productivity. Most of them will see no increase because the way that they work will not change for the most part. Next they will still continue to use Excel and other MS Office products for a fair amount of their work because Google docs doesn’t have some of the required features. So let’s be realistic and generous and say that out of those 30,000 accounts in actually 5,000 of them will see increased productivity. Now we are looking at 5,000 employees having an increased productivity of $600 per year. Still possible but not probable. If we are honest about it maybe 500 employees will see increased productivity so now we are looking at $6,000 per employee in increased productivity and that WON’T happen.

So I think that as with many things government the people are getting a raw deal financially and now government documents are are increased risk of being breached. Sounds like a great deal for the people of LA doesn’t it.

It’s been a month since episode 9 was recorded due to time and technical issues but we have a great show for episode 10. Once again Martin and I were recording live after the April NAISG meeting (this time Martin didn’t wear his wife-beater and Speedo, WHEW! The Princess Leia costume was still disturbing though). We were joined by our News Yankee, Steve Regan, via Skype and had a special guest live with Martin and I. We were privileged to have Carlos “Dark Operator” Perez from Pauldotcom Security Weekly join us. He was in town for work and decided to attend the Atlanta NAISG meeting and when we found out we invited him to join us. We had a great conversation, discussion and Interview with Carlos.

Please download it, listen to it and let us know what you think. We’ve hit 10 episodes and plan on going for a long, long time. We want to know what you like, don’t like and would like to hear.