locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Wed, 26 Mar 2008 00:00:00 00, 681
More than a matter of multiplying by Pi

My friend and colleague David Strom's Web Informant (26 March 2008) is entitled Multiply by Pi. David talks about meeting an IT manager who uses a Rule of π for estimating project durations, i.e., "anytime a consultant or an employee gives you an estimate of what something costs or how long it will take to complete, multiply the estimate by π" which David identifies as "a geometric constant of 3.14159".

My first reaction was to reply to David and tease him about his definition of Pi. My geometry teacher insisted that Pi is always an infinite decimal but only a constant in Euclidean geometry. (Look it up)

I'm amused by this definition. I can easily imagine most IT projects taking three times as long as predicted. And I began thinking of other analogues that apply to IT project estimation.

Many factors play into IT project planning. Another analogue that applies to IT project estimation is A Perfect Storm which I'll describe as an occurrence of three events which occur together and prove to be extraordinarily more powerful, dangerous and possibly destructive by their coincident occurrence than the obvious factor of three if they occurred independently. In many IT projects, the three events are:

  1. Infrastructure change. Here, the introduction of new technology and software introduces a Perfect Storm of its own:

    • IT and others assess and revise security and other policies as issues associated with this introduction are revealed
    • IT experiences a learning curve while it becomes familiar with new management tools, and
    • IT wrestles with problems that arise from topology changes as well as problems that interoperability and compatibility testing reveal.

  2. Configuration change. Here, another Perfect Storm gathers, as IT configures new and old systems and network equipment in a new topology to

    • take maximum advantage of the new technology and software,
    • mitigate or reduce threats exposed during the vulnerability assessments once the new topology is operational, and
    • fine-tune the network to meet performance criteria.

  3. User change. Yes, a third storm within the storm gathers: users must be informed of the change, the effects the changes have on user interfaces and the effects the changes have on user behavior (interactions with users, systems and the network).

IT is constantly called upon to manage projects that have complex problem sets. Some problems in the set are revealed early on, while others are revealed later, and as security practitioners are too well aware, some don't become evident until they are exploited. Is it any wonder why estimating IT project lifetimes is more than a simple matter of multiplying by Pi?

Archived at http://www.securityskeptic.com/arc20080301.htm#BlogID681 by Dave Piscitello  


Sat, 22 Mar 2008 00:00:00 00, 680
Antivirus checking and *aggressive* positives

Antivirus programs vary in effectiveness, and "how good is my AV protection" has less to do with whether you are using free or commercial ware and more about how frequently you update virus signatures and how aggressively you set the virus inspection. Certain antivirus software offer an advanced feature that allows you to specify the level of detection and at higher levels, you should expect some false positives, i.e., that some files that are not viruses may appear enough like a virus to be flagged as one, even if the file is perfectly benign.

Let's consider an example. I set my AntiVir scanner to high detection level. During the next daily full scan, four files were reported as viruses: Serv-U.Gen, zpf.exe, RockXP.exe and Pwdump2.exe. Serv-U is an FTP server. ZPF.exe is a zip password finder. The others are password recovery utilities I've tested and written about in past blogs. If you search to learn more about the password recovery files, you'll learn that antivirus vendors do not uniformly treat these files as badware/malware. You'll also read reviews at download portals like Download3K that say, "Download3K.com has downloaded and tested RockXP on 2 Apr 2007 with 4 of the best antivirus engines available today. We have found it to be clean of any form of badware" and "Some antispyware, antivirus or antitrojan programs can detect RockXP as being infected or possibly infected with a form of badware (virus, spyware), although the application runs perfectly safe and does not pose a threat to your system. This type of reading is called a 'false positive' and it occurs when antivirus software wrongly classifies an inoffensive (safe) file as a virus. The incorrect report may be caused by heuristics or by an incorrect virus signature in a database."

I find the phrase "inoffensive (safe) file" unsatisfying and inaccurate. Download3K.com and others use this phrase to indicate that nothing malicious is hidden in the file. Inoffensive is not necessarily safe. Perhaps it's an *unauthorized* download. Perhaps it's a program the owner evaluated long ago and forgot to remove. Isn't a password recovery or file transfer program useful to someone who's owned a PC? Isn't it possible that it's present on my hard drive because someone other than the rightful owner/operator put it there?

Rather than calling these false positives, let's call them aggressive positives. An aggressive positive is a scan result that causes you to pause, reflect, and do some research. OK, the file is benign: do I need this file on my system any longer? Does keeping it put my PC, the data that reside on it, and other systems on my network at risk?

Unsophisticated users may gain the most benefit from aggressive positives. What do they know about files? They expect one thing from AV programs, "to keep nasty stuff off my PC". Yeah, aggressive positives, I like that...

Archived at http://www.securityskeptic.com/arc20080301.htm#BlogID680 by Dave Piscitello  


Fri, 21 Mar 2008 00:00:00 00, 679
The Privacy Toolbox

The Privacy Toolbox offers a list of 100 resources and guides to help users protect consumer and business identities and sensitive information. Toolbox is something of a misnomer. This is really a resources page - a good one, mind you - with links to guides that discuss all matters related to privacy, including how to protect your US Social Security number, how to freeze your credit rating should you suspect your identity has been stolen, how to remain anonymous when surfing, and how to complete obligatory web forms without disclosing your personal information (see 5 Disposable Web Accounts to Keep Your Identity Safe, brilliant!). Toolbox lists privacy-related blogs, applications that cater to anonymity, confidentiality, and the protection of sensitive, personal information, and sites where you can opt out of unsolicited credit card offers (visit OptOutPrescreen.com). Find the Privacy Toolbox here.

Archived at http://www.securityskeptic.com/arc20080301.htm#BlogID679 by Dave Piscitello  


Wed, 19 Mar 2008 00:00:00 00, 677
Must read on "net neutrality"

Susan Crawford, a visiting associate professor at Yale Law School, was recently asked to give testimony to the U.S. House of Representatives' Committee on the Judiciary, Task Force on Competition Policy and Antitrust Laws. The subject of the hearing was, broadly, net neutrality and free speech on the Internet, or specifically, whether Internet access network providers should be allowed to discriminate based on the origin and content of traffic they transport. In her testimony, Susan speaks to three issues that form the bases of the net neutrality issue: (1) the Internet is rapidly supplanting all former communications infrastructures and will soon become an indispensable delivery mechanism for all forms of personal and business communications, information and entertainment; (2) Internet access providers operate today as "an unregulated duopoly with enormous market power that has every incentive to discriminate against speech (and products and services)", and (3) Congressional action is needed to ensure, in advance, that access to the Internet is provided in a nondiscriminatory fashion.

Susan does a marvelous job of juxtaposing the concept of "common carriage" (serving customers without discrimination) as historically provided in telegraphy, telephony, etc. against the Internet, which is capable of supporting a virtually limitless set of applications *and* providing a global platform for free speech. Susan explains how the Internet disrupts the traditional perception of "one network, one service (application)" more dramatically than any predecessor network and how traditional markets and demarcation points of private operators who are major players in transport are threatened by this shift in paradigms. She offers examples of the measures and business practices private operators propose and use to protect their traditional markets and explains how these actions not only fail to serve the public interest but are characteristically discriminatory and sufficiently arbitrary as to threaten innovation. Susan also calls attention to the even more disconcerting consequences of content and origin discrimination: censorship and information "cleansing".

Crawford's is a remarkably complete and thoroughly insightful account of the net neutrality and free speech issue. I haven't found any discussion on this topic that comes close to being this informative. I strongly encourage you to read it.

You can find Susan Crawford's testimony here.

Archived at http://www.securityskeptic.com/arc20080301.htm#BlogID677 by Dave Piscitello  


Thu, 13 Mar 2008 00:00:00 00, 678
Hype-cycle management

Product life cycle management can be loosely defined as all the activities a vendor engages in to launch, develop, market, mature (or evolve) a product. Some products reach a point at which they can no longer adapt or evolve, and hence vendors end the life of a product. A noteworthy, recent EOL example in the security market is the Cisco PIX.

Users, especially enterprise administrators, contend with product life cycle management in a very meaningful way. They monitor a product's evolution and in many cases, they press vendors to add (or kill) features, improve performance and security, etc. They must stay informed so that they are not caught unprepared should a vendor choose to EOL a product; for example, if an admin ran a Cisco PIX-only shop, he ought to have kept informed regarding the future of this firewall and ought to have considered what he would employ "post PIX".

Today, users have a longer life cycle to manage than vendors, one that includes hype cycle management. The hype cycle begins before a product announcement. Hype that sparks the cycle takes many forms: new standards and regulations, demonstrations of prototypes at trade shows, trade pub and street talk. Soon, *THIS NEW THING* is widely heralded as the most disruptive technology since, well, the last most disruptive technology.

Consider this tale of two C*Os and their experiences with the iPhone. The first C*O shows up at a senior management retreat with an iPhone, announcing that "this is so freaking cool". This begets a must-have attitude that trickles down from management, which begets an organization-wide buying frenzy, which begets a business imperative directed at IT to "integrate iPhones with our enterprise mail system and corporate web apps". To accommodate iPhone adoption, a planned 802.1x/network access controls project is dropped from the budget. There's always next year.

This C*O failed to manage the hype cycle and allowed enthusiasm for a consumer grade product to snowball into a mobility issue that resulted in an unplanned network deployment, funded at the expense of an important security initiative.

I know a second COO whose response to exactly this situation serves as a five-star example of hype cycle management. When iPhone was announced, this COO sent an "all hands" email with the subject line "iPhone". He acknowledged the awesome coolness of iPhone and that he desperately wanted one. However, he tempered his enthusiasm when he realized that interoperability issues would prevent him from accessing intranet services that were essential and that an important network and security upgrade would have to be sacrificed to accommodate iPhone adoption. He asked all hands to temper their enthusiasm, be patient while IT investigated iPhone integration, and promised that the organization would do its best to accommodate new mobile technologies. This COO jumped in front of the bus as it was departing and yelled "stop!" but in doing so, he acknowledged the desirability of the new technology rather than dismissing it. He explained why iPhone adoption was problematic, reminding rather than rebuffing staff that the mission and business of the organization takes priority over having a cool handheld. Lastly, he empowered IT by announcing that iPhone adoption would be studied.

If you study these scenarios carefully, I'm pretty certain you can tease out a set of "best practices" for hype cycle management.

Archived at http://www.securityskeptic.com/arc20080301.htm#BlogID678 by Dave Piscitello  


Tue, 11 Mar 2008 00:00:00 00, 675
Interviewed by darkREADING

Senior editor Kelly Jackson Higgins interviews me, Rod Rasmussen (Internet Identity) and Joe Nazario (Arbor Networks) on the potential impact ICANN SSAC's Advisory, Fast Flux Hosting and DNS, could have in shaping future countermeasures to fast flux attacks (see Battle Against Fast-Flux Botnets Intensifies). It's a quick and IMO interesting piece that may encourage readers to consider reading the Advisory itself.

Archived at http://www.securityskeptic.com/arc20080301.htm#BlogID675 by Dave Piscitello