Posts

Showing posts from September, 2012

Netanyahu Channels Tufte at United Nations

This is not a political blog, and I don't intend for this to be a political post. I recently watched Israeli Prime Minister Benjamin Netanyahu's speech to the United Nations on Thursday. I watched it because I am worried about Iran's nuclear weapons program and the Iranian security situation, to be sure. However, what really intrigued me was the red line he actually drew on a diagram, in front of the United Nations. In the video I linked, it takes place at approximately the 26 minute mark. The screen capture at left shows this event. The reason this caught my attention was that it reminded me of the Best Single Day Class Ever, taught by Edward Tufte. I attended his class in 2008 and continue to recommend it. I've since blogged about Tufte on several occasions. Netanyahu's action, to me, seems like pure Tufte. The primary goal of his speech was to tell Iran, and the world, that Israel is setting a "red line" involving Iran's nuclear weapons pr

Celebrate Packt Publishing's 1000th Title

I'm pleased to announce a special event involving Packt Publishing. The company told me, as a way to celebrate their 1000th title, that those who have registered at https://www.packtpub.com/login by 30 September will receive one free e-book. To help you make your choice, Packt is also opening its online library for a week for free to members. I'm interested in two recent titles:

Metasploit Penetration Testing Cookbook by Abhinav Singh
Advanced Penetration Testing for Highly-Secured Environments by Lee Allen

In a few months a third book will arrive: BackTrack 5 Cookbook

At this point I don't have personal experience with any of these titles, but I plan to take a look. Thank you Packt for sharing part of your library with us!

Top Ten Ways to Stir the Cyber Pot

I spent a few minutes just now thinking about the digital security issues that people periodically raise on their blogs, or on Twitter, or at conferences. We constantly argue about some of these topics. I don't think we'll ever resolve any of them. If you want to start a debate/argument/flamewar in security, pick any of the following.

"Full disclosure" vs "responsible disclosure" vs whatever else
Threat intelligence sharing
Value of security certifications
Exploit sales
Advanced-ness, Persistence-ness, Threat-ness, Chinese-ness of APT
Reality of "cyberwar"
"Builders vs Breakers"
"Security is an engineering problem," i.e., "building a new Internet is the answer."
"Return on security investment"
Security by mandate or legislation or regulation

Did I miss any subjects people raise to "stir the cyber pot?"

Unrealistic "Security Advice"

I just read a blog post (no need to direct traffic there with a link) that included the following content:

This week, I had the opportunity to interview the hacking teams that used zero-day vulnerabilities and clever exploitation techniques to compromise fully patched iPhone 4S and Android 4.0.4 (Samsung S3) and the big message from these hackers was simple: Do not use your mobile device for *anything* of value, especially for work e-mail or the transfer of sensitive business documents. For many, this is not practical advice. After all, your mobile device is seen as an extension of the computer and there is a legitimate need to access work e-mail on iPhone/iPad, Android and BlackBerry smart phones. However, whether you are a businessman, a celebrity or the average consumer, it's important to start wrapping your mind around the idea of separating work from play on mobile devices.

This author is well-meaning, but he completely misses the bigger picture. Against a sufficiently

To Be Hacked or Not To Be Hacked?

People often ask me how to tell if they might be victims of state-serving adversaries. As I've written before, I don't advocate the position that "everyone is hacked." How then can an organization make informed decisions about their risk profile? A unique aspect of Chinese targeted threat operations is their tendency to telegraph their intentions. They frequently publish the industry types they intend to target, so it pays to read these announcements. Adam Segal Tweeted a link to a Xinhua story titled China aims to become world technological power by 2049. The following excerpts caught my attention:

China aims to become a world technological power by 2049 and strives to be a leading nation in innovation and scientific development, according to a government document released on Sunday. The document, released by the Communist Party of China Central Committee and the State Council, or the Cabinet, namely opinions on "deepening technological system reform

Understanding Responsible Disclosure of Threat Intelligence

Imagine you're hiking in the woods one day. While stopping for a break you happen to find a mysterious package off to the side of the trail. You open the package and realize you've discovered a "dead drop," a clandestine method to exchange messages. You notice the contents of the message appear to be encoded in some manner to defy casual inspection. You decide to take pictures of the package and its contents with your phone, then return the items to the place you found them. Returning home you eagerly examine your photographs. Because you're clever you eventually decode the messages captured in your pictures. Apparently a foreign intelligence service (FIS) is using the dead drop to communicate with spies in your area! You're able to determine the identities of several Americans working for the FIS, as well as the identities of their FIS handlers. You can't believe it. What should you do? You decide to take this information to the world via your bl

Over Time, Intruders Improvise, Adapt, Overcome

From TaoSecurity

Today I read a well-meaning question on a mailing list asking for help with the following statement: "Unpatched systems represent the number one method of system compromise." This is a common statement and I'm sure many of you can find various reports that claim to corroborate this sentiment. I'm not going to argue that point. Why am I still aggravated by this statement then? This sentiment reflects static thinking. It ignores activity over time. For both opportunistic and targeted threats, when exploiting unpatched vulnerabilities no longer works, over time they will escalate to attacks that do work. I recognize that if you have to start your security program somewhere, addressing vulnerabilities is a good idea. I get that as a Chief Security Officer. However, the tendency for far too many involved with security, from the CTO or CIO perspective, is to then conclude that "patched = secure." At best, patching reduces a certain a

Does Anything Really "End" In Digital Security?

Adam Shostack wrote an interesting post last week titled Smashing the Future for Fun and Profit. He said in part:

15 years ago Aleph One published “Smashing the Stack for Fun and Profit.” In it, he took a set of bugs and made them into a class, and the co-evolution of that class and defenses against it have in many ways defined Black Hat. Many of the most exciting and cited talks put forth new ways to reliably gain execution by corrupting memory, and others bypassed defenses put in place to make such exploitation harder or less useful. That memory corruption class of bugs isn’t over, but the era ruled by the vulnerability is coming to an end.

Now, I'm not a programmer, and I don't play one at Mandiant. However, Adam's last sentence in the excerpt caught my attention. My observation over the period that Aleph One's historic paper was written is this: we don't seem to "solve" any security problems. Accordingly, no "era" seems to end!

Encryption Is Not the Answer to Security Problems

I just read Cyber Fail: Why can't the government keep hackers out? Because the public is afraid of letting it, an article in the new Foreign Policy National Security channel. I've Tweeted on Mr Arquilla's articles before, but this new one published today offers a solution to security problems that just won't work. Consider these excerpts:

Back in President Bill Clinton's first term, the "clipper chip" concept was all about improving the security of private communications. Americans were to enjoy the routine ability to send strongly encoded messages to each other that criminals and snoops would not be able to hack, making cyberspace a lot safer.

I see two errors in this section. First, having lived through that time, and having read Steven Levy's excellent book Crypto: How the Code Rebels Beat the Government Saving Privacy in the Digital Age, I disagree with Mr Arquilla's statement. The Clipper Chip was the government's last attem

Bejtlich Interviewed on This Week in Defense News

Last week Vago Muradian from This Week in Defense News with Vago Muradian interviewed me for his show. You can see the online version here. The online version is about two minutes longer than the broadcast version. We recorded the extra material separately and the video staff added it in the middle of the session. They were so smooth I didn't originally notice the change! Vago asked questions about how companies can defend themselves from digital threats. He wanted to know more about state-sponsored intrusions and how to differentiate among different types of threat actors. In the extra session Vago and I talked about recent SEC activities and how to tell if your organization has been victimized by a targeted attacker. There's a possibility Vago will invite me back to participate on a panel discussing digital security. I look forward to that if it happens! If you have any questions on the video, please post a comment and I'll answer. Thank you.