Here are soundbites from an interview I did with Microsoft about End to End Trust in preparation for RSA.  Yes, I do look uncomfortable in suits.

Jim.Reavis


Now Fox News has gotten into the act, interviewing IOActive regarding vulnerabilities in AMI (advanced metering infrastructure), a key part of our quote-unquote Smart Grid.

Jim.Reavis


Malicious Bots was written by long-time colleague Ken Dunham and Jim Melnick.  At only 129 pages, it is a quick read, but it provides a concise history of botnets, breaks down the different technologies they use, explores the various resultant criminal activities and shows how difficult they are to stop.  The botnet is a criminal platform, not merely a piece of malware any more, and it is the future of cybercrime.

Jim.Reavis


Jim Reavis will be presenting about the business drivers for application security at this online (ISC)2 conference December 9 at 1:30pm EST.

Jim.Reavis


If you are in Atlanta, Philadelphia or L.A., you will want to come to these breakfast seminars where we are talking about how Cloud Computing is impacting security, with the first seminar focusing on data governance and eDiscovery.  You can register here.

Jim.Reavis


August 11, 2009

At a recent Cloud Security Alliance event, George Reese moderated a panel about Public/Private cloud interoperability and application portability.  It was a great discussion, and I hope to be able to publish the proceedings soon.

One of the common points that comes up when discussing this topic is the subject of cloud provider viability, which is one of the many reasons why we care about portability.  Obviously, you want your application (and data) to be portable if you have concerns about where it is hosted.  A question I asked, and one that has been bothering me, was: how do you know if your cloud provider is making money?  Financial stability is a good indicator of viability.

If the cloud provider in question is a publicly-traded company and is a “pure play” cloud company, its financial performance should be a matter of public record.  A privately held company may be more difficult to pin down, but will often provide this information to the right customer.  But what about a company that has a significant portfolio of products and services, of which only a few may be cloud-based?  Is it easy to decipher the financial reality of a cloud product line?  In these heady “cloud rush” days, it is to be expected that many companies will seek market share, and they may do so by offering loss-leading products that are not intended to make money.  Is it possible that the least expensive IaaS option you seek is a Trojan horse to sell additional services, and if so, do you want them?

Personally, I am very interested in understanding the true profit margin (or lack thereof) of the emerging cloud services.  Profit is an indicator of corporate strategy, and the cloud provider’s corporate strategy is of the utmost importance to the cloud customer - sometimes that strategy backfires.  If you were to pick your 5 favorite cloud services, how much do you know about the profitability of those services?

By Jim.Reavis • Articles • No Comments

May 15, 2009

A term I use a lot nowadays is Post-Click Fraud.  It’s a term that I had to coin because no existing term meant what it means.  eSignet TrueLinks™ and TrueForms™ hypertext enhancements aim at the heart of it.

Post-click fraud is theft that occurs as a direct result of clicking on a deceptive link or submitting a deceptive form.  Post-click fraud is traceable to a single unfortunate click.  Today, that means theft precipitated by drive-by malware and phishing.  Tomorrow, for all I know that means twenty other things we haven’t imagined yet.  On any given day there are millions of deceptive links and forms in circulation that claim thousands of victims.

Post-Click Fraud is perpetrated by criminals. It causes individuals to lose sensitive personal information, cash from bank accounts and brokerage accounts and credit lines, credit ratings, and control over their computers. It causes businesses to lose brand integrity, proprietary data and control over computing infrastructure.

The lawyerly-minded could argue that any victim of online fraud is also a victim of post-click fraud — after all, clicking is how one navigates the Web!  However, the single unfortunate click I’m referring to is the deceptive one that got you into trouble, if it got you into trouble.  So if you clicked on a deceptive link and nothing bad happened, then mistyped a domain name and got phished there, you’re a victim of your sixth-grade typing teacher, not of post-click fraud.

By Larry J. Hughes, Jr. • Articles • No Comments

May 2, 2009

Glitch as in where’s the meat? For context, I’m trying to find out where Chrome’s security features are discussed by their engineers.


Google [ security OR secure OR safe site:chrome.blogspot.com ]
Google Chrome Blog: Google Chrome’s Universal Terms, explained …
Apr 5, 2009 … options like blocking non-secure items on a secure webpage. … Google provides features such as Safe Browsing that warn you if you are …
chrome.blogspot.com/2009/04/google-chromes-universal-terms.html

Ok… so their engineers spend their time writing secure code instead of blogging about it.  I’m good with that.  So maybe I can fall back to the party line.


Google [ security OR secure OR safe site:google.com/chrome/intl/en ]
Google Chrome
A searchable index of most pages you visit (except for secure pages with “https” web addresses … Google adheres to the US Safe Harbour privacy principles. …
www.google.com/chrome/intl/en-GB/privacy.html
Google Chrome Terms of Service
… settings (see http://www.google.com/help/customize.html#safe). … grant a security interest in or over your rights to use the Software, … (B) YOUR USE OF THE SERVICES WILL BE UNINTERRUPTED, TIMELY, SECURE OR FREE FROM ERROR … (V) YOUR FAILURE TO KEEP YOUR PASSWORD OR ACCOUNT DETAILS SECURE AND CONFIDENTIAL …
www.google.com/chrome/intl/en/eula_text.html
Google Chrome
Read about why we built a browser. One box for everything. New Tab page. Application shortcuts. Dynamic tabs. Crash control. Incognito mode. Safe browsing …
www.google.com/chrome/intl/en/features.html

I suppose it’s out there somewhere.  C’mon Googlers, as if security weren’t hard enough already…

By Larry J. Hughes, Jr. • Articles, Industry Moves, Technical • No Comments

April 30, 2009

One of the best journalists in the industry, George Hulme, wrote an article about the Cloud Security Alliance, which I think was very good in describing the enormity of the problem, but also questioned whether or not the CSA has the vision necessary to bring security to cloud computing. We do think we have the vision, perhaps inelegantly stated, or maybe in our Twitter Nation that expects 140 character vision, it needs to find the right medium.

Our vision is that Cloud Computing is a seismic shift in computing, and the security industry rarely participates in these shifts. In our introduction, we state, “Phase one of the Internet was connectivity, with Cloud Computing we are leveraging that connectivity to optimize the utility of computing.”

Our call to action is that security practitioners take charge and work with the cloud providers to build security in, as Dave Cullinane said in our foreword, “… do it right the first time.”  The reality is that this is a shared responsibility, and it is not realistic to think that there is a Braveheart who can charge onto the scene and mobilize the masses. Befitting our broad guidance, we need providers, CIOs, CISOs, legal, audit, technologists, standards bodies and world governments to collaborate. Even that is not enough, for it is not Google or IBM or anyone else currently on the scene that will ultimately define the cloud as much as the innovators no one has heard of yet – and they are only playing by the rules of innovation. However, by getting the stakeholders involved in current information security assurance and governance, we think we can make significant steps in the right direction. As Dave also said, “It is imperative that information security leaders are engaged at this early stage to help assure that the rapid adoption of cloud computing builds in information security best practices without impeding the business.”

I have been involved in several initiatives in this industry, such as those to promote secure software development. As laudable as those have been, they have had to fight the huge inertia – legacy apps, etc. We have a clean slate here, let’s do it right!

By Jim.Reavis • Articles • No Comments

March 30, 2009

If there is one scenario of history repeating itself in our industry that I would like to stamp out, it is the unhappy case of new applications of technology being broadly adopted prior to proper security vetting.  It is in that spirit that a few of my colleagues and I are announcing the Cloud Security Alliance.  You can read the press release or go to the website to get the official story, and we hope to see you at RSA in San Francisco when we release our first guidance whitepaper.

The Cloud Security Alliance is made up of a diverse group of subject matter experts including attorneys, auditors, CIOs, CISOs, technologists, entrepreneurs and experts from several other disciplines who have come together to understand the cloud information security issues and opportunities in the broadest sense and provide measured and pragmatic guidance.  We consider ourselves to be very inclusive; if you are interested in helping out, we would love to hear from you.

By Jim.Reavis • Articles • 2 Comments

March 23, 2009

For all the good we in the security industry stand for and achieve, sometimes we just miss the point.  When that happens, so does the tech industry at large.  (Yeah I know, at least they’re listening.)

I’ll get on with that in coming posts.  For now I’ll skip right to the punchline.  eSignet is a security startup I founded early in 2008.  Our recently announced technology – TrueForms and TrueLinks – endows the Web with an overdue ingredient: Truth.  Our press release is here.

In case you haven’t noticed, nothing on the Web is obligated to tell humans the truth.  Nothing.  SSL certainly tells the truth, but the truth it tells is a cryptographic one, which is not at all meaningful to humans.  EV-SSL adds a pinch of truth for humans, but like SSL it has a built-in defeater:  It speaks only for the occasional HTTPS page.

TrueForms and TrueLinks aim at the heart of post-click fraud, i.e. theft brought about by clicking on deceptive links and submitting deceptive forms.  In other words, theft precipitated by drive-by malware and phishing, both of which are traceable to a single unfortunate click.  We had to coin this term post-click fraud, by the way, since a suitable one did not already exist.  Sorry if you’re not thrilled with it because of its near collision with click fraud, but we didn’t want that misnomer to drive creating yet another by working around it.

Our product does not solve a security problem that happens to involve business. It solves a business problem that happens to involve security.  There’s a big difference between the two, and in my experience it’s a lot bigger than most people think.  But that’s also something I intend to cover later.

As of today, what we say in our press release and on our site begs more questions than it answers.  That’ll be addressed in the near future.  In the meantime we’re all ears for whatever you have to say, and here is as good a place as any to say it.

By Larry J. Hughes, Jr. • Articles • No Comments

March 21, 2009

Anytime an initiative is launched for “smart” anything, the hair on the back of the neck of the security practitioner should stand at attention.  The gurus at IOActive were referenced today in a headline story at CNN.com, ‘Smart Grid’ may be vulnerable to hackers.  According to the story, IOActive told CNN:

“…that an attacker with $500 of equipment and materials and a background in electronics and software engineering could “take command and control of the [advanced meter infrastructure] allowing for the en masse manipulation of service to homes and businesses.”

If you are not quite sure about what that statement means and are not sure if that scenario is possible, consider this article from the current issue of Forbes, about Silver Springs, one of the companies providing technology to upgrade the grid (emphasis mine):

“The data from the meters, as well as the sensors that will be installed on other parts of the grid–each node has its own unique Internet Protocol address, just like a computer–also will help pinpoint outages. Right now most utilities find out the lights are out only when customers call, which leads to costly–and at times unnecessary–trips into the field by linemen.”

You don’t need much of an imagination for it to be going wild.  I like smart things, but to equate it to people, smart technologies are generally akin to teenagers, who think they are the smartest beings on earth.  We need smart smart technologies, the parents of those teenagers, but that is only achieved through the pain of growing up.

By Jim.Reavis • Articles, That Old Problem • 1 Comment

March 4, 2009

In light of the volatility in the current economic landscape, Pacific Crest Securities and MetroSITE Group are conducting a survey to gauge IT and security-related spending and project priorities.  The survey will help us understand the strategies organizations are employing to maintain security programs during 2009 and will only take 10 minutes to complete.  All responses will be confidential and used only for the purposes of this survey, and respondents will be entered into a drawing to receive a $100 iTunes gift card.

Click here to enter

By Jim.Reavis • Articles • No Comments
