But there's one glaringly obvious reason why they won't succeed for recreational book readers... which is the absurd pricing of eBooks.
The most recent evidence of this is the launch of the Sony reader in the UK. I had a look round their site and all looks well. The price is reasonable (£199) and the product looks nice. To get a feel for the books available I went to Waterstones UK website, who are Sonys eBook partner for the launch..
What I found really does surprise me, it's like the book publishers want this to fail.
First book on the page, The Private Patient by P.D James. Waterstones eBook price £12.92... Amazon.co.uk's price for the Hardback version..... £9.49 !
So they're seriously expecting people to pay 36% more for an eBook which is a digital file, easily produced, with no shipping or production costs and with DRM on it, as against a hard back book that could be resold once you've read it.
Looking through some of the other prices, this doesn't appear to be a limited aberration either, the differential is higher for hard back books (a concept which makes zero sense in an eBook world) but the prices seem uniformly higher for eBooks than physical ones.
Now I do see that for some applications where physical books are impractical eBooks , whatever the cost, could make sense.
But for recreational reading, the chances that large numbers of book lovers (many of whom are attached to the experience of physical books anyway) will change for a more expensive, more restrictive, electronic implementation are pretty slim!
]]>I'm not going to get into the politics of whether that's a good thing/bad thing or how urgent patching is as it's been done to death elsewhere...
I was thinking though about how it may be possible to mitigate this in other ways than patching...
Having heard the detailed explanation from matasano on the vulnerability, wouldn't it be possible to mitigate this by changing the behaviour of the authoritative name server..?
If I'm understandning things correctly as the authoritative name server for a domain you'd see a whole load of requests for invalid subdomains to your domain (eg, AAAA.MYDOMAIN.COM AAAB.MYDOMAIN.COM) and usually you just respond with NXDOMAIN. Now the attacker is relying on you responding NXDOMAIN so he can respond with the additional RR of your real website, say, WWW.MYDOMAIN.COM.
Would it be possible to change your behaviour to respond as the attacker would do with the RR for your valid hosts, so causing the caching DNS server to cache them on the first attempt and preventing the attacker from getting the incorrect entries in first..? The attacker is relying on guessing port and transaction ID so won't get there in the first attempt, so it would seem that this would potentially mitigate the problem..
That said I'm no DNS expert so this may well be off base...
]]>As Hoff mentions you need to understand the wider context in any risk assessment, but I actually think that in the scenarios that VMware have painted out, I'd agree with Alessandro, that the fully collapsed DMZs talked about in the paper are a no-no.
And there's a nice risk assessment reasoning here, it's not just a "ooh hypervisors scary" kind of reaction, honest :) ..
So here's how it works. In the diagrams they've used they've laid out a picture of a number of security controls. The main one being separate firewalls segregating the Internet from each of the DMZs in turn. This would indicate to me that the risk assessment dictated that no one device should be a point of failure for the security being provided by the environment (a more cost effective, but traditionally seen as more risky design would be a single firewall with multiple interfaces, one for each network.)
So if we then introduce virtualization to this scenario then it seems that the option of a "partially collapsed" DMZ meets the security requirements as each DMZ has it's own VMware ESX instance and a compromise of the hypervisor won't result in a breach of DMZ segregation.
I think that in a lot of cases it's easy to look at virtualization as something new but it should be possible to look at the current risk appetite in an environment (are you using separate devices to segregate things, are you relying on VLAN tagging for separation) and then apply that to come up with the appropriate virtualization design.
But here's the thing, security professionals actually indoctrinate users not to follow policies!
How do they do this? Well people like following patterns, and so when the pattern "It's okay not to actually follow this" is established in relation to security , people will apply that pattern the next time they run into a security policy that's potentially difficult or hard to follow.
I'm sure there's a lot of security people saying "No idea what he's talking about, all my policies were made to be followed!"....
O'Rly..
Here's an example that I'll bet is familiar to a lot of people. Password policy. Does anyone actually follow their companies password policy? I'll bet it looks something like
We're setting ourselves up for failure, and study after study shows that users will write down their passwords, or use sequences or many other tricks to make them more memorable.
This example (which may be a users main interaction with "security") sets the expectation that security policies can be ignored, because they're unrealistic.
So what's the answer..
Well when designing controls, I think that it's not enough to just look at the technical security properties in abstract. We've got to consider the psychological/sociological elements of the people we're expecting to execute the controls, and maybe take a path that isn't the best abstract solution but may well be the one that will work best in real life...
After all once users are set on the path of ignoring security it becomes pretty difficult to get them back on the one true way!
Only thing is, what if you don't have access to the shell to do exactly that....? What if you don't even know you run debian Linux...?
Over the last several years there has been a proliferation of computing "appliances" which almost inevitably run a cut-down Linux underneath the main software stack and in many cases, that's going to be debian Linux.
The thing is, in some cases the vendor won't even explicitly mention what the underlying software is, so the end customer may be blissfully unaware that they have vulnerable machines...
]]>You can be torn between the urge to explain in detail why that question can't be easily answered and the details of the controls in place and residual risks (and sending them to sleep) or a flippant "yes" which may well come back to haunt you...
One of the reasons why the answer could be so long is the obvious question "Secure from what". A set of controls which may be reasonable tight when faced with a non-targeted threat from malware may be totally inadequate against a motivated knowledgeable insider threat.
So, perhaps one way to help is to break down the "secure" question a bit in to categories of threat.
For example: -
This way you can classify your controls as to how well they target each threat category, giving a better picture as to what level of risk your organisation is actually running.
Non-Targeted Threats
First off is probably the easiest one, "Non-Targeted Threats". This category includes a lot of the "traditional" threats to your security and is also probably the easiest one to mitigate, as the attacker isn't intelligently looking for a way to attack you they're just randomly interested in getting access to assets.
Examples of this category of threat are
Looking at these sample threats, we can see that it's likely that more automated controls will be effective against them. We don't need to be absolutely flawless in our execution of security to defeat them but we need to be "good enough" that the attack moves on to someone else.
So controls which are likely to be effective in this space could be :-
So far, so good. Next up we'll look at the trickier area of Internal Targeted Threats.
]]>It's amazing to see how many sources on the Internet took the original article here from the Seattle times and came to the conclusion that this was some magical box of tricks that would instantly bypass windows security, as opposed to just being a useful collection of forensics tools, examples of this response are here, here, here and here
Luckily someone at the Seattle Times did some follow-up with Microsoft to confirm that it's actually just a collection of forensics tools and doesn't bypass windows security here
]]>This update has created some comment and articles but none of the ones I've read has focused on the main point, as far as I can see...
Previously there were two options for satisfying Section 6.6
Now (unless I'm reading this incorrectly) there's an additional one
Completion of a manual or assisted web application vulnerability review...
The confusing part is that this third option isn't split out but is listed under the "application code review" section.
My feeling is that this'll affect a lot of merchants (and vendors) if they were planning on either spending money on WAFs or Code reviews and will now use a standard web application review (which they may already be undertaking as part of other security work....)
Another interesting point which I don't know the answer to is whether a single review which covered both penetration testing techniques and web application assessment techniques could be used to satisfy 6.6 and 11.3...
]]>There's a lot of discussion about Internet banking users potentially being liable for fraud if their PCs aren't "secure", as a result of this update.
The code says "Keep your PC secure. Use up-to-date anti-virus and spyware software and a personal firewall."
This leads to comments of "I use Mac|Linux I don't use A-V does that mean I'll be liable"
So what we have here is, failure to communicate...
The BBA appear to be correlating having basic software security packages installed with being secure. What I expect happened is that they needed to give some kind of shorthand guidance and that was the best they could come up with.
The problem is that without more detailed guidance fraud teams in banks may use this as the definition of secure and treat anyone who falls outside it as being at fault, which would put a lot of the more Internet security savvy people in the "not secure" bucket.
Personally I run Linux at home and I don't use A-V as there's no credible threat that it would mitigate for me....
]]>This time HSBC have lost 370,000 sets of personal details from insurance customers. One thing that puzzles me in the reporting of this story is the statement that
although the data on the disc was protected by a password it had not been encrypted
How do you password protect something without encrypting it ?! Any software I'm aware of that does password protection will at very least use some form of rudimentary encryption (eg, old versions of winzip or office) or in most cases (pgp, modern office/winzip versions) perfectly acceptable levels of encryption for most scenarios...
]]>Interesting to see someone have a shot a putting numbers on how far Oracle are behind Microsoft in the database security arena (well secure features as opposed to security features anyway). The number that they come up with is 5 years...
Assuming that nothing turns up soon it actually looks like SQL Server 2005 will go through it's whole product lifecycle without a published vulnerability. Secunia are currently showing it affected by 0 vulnerabilities.
]]>If you've got any events you'd like to get added to the calendar, just send an email over to Events@Infosec-Scotland.com
]]>We had Steve Moyle doing a presentation on Database security (slides can be found here )
I picked up some interesting ideas from his presentation. Firstly the idea that relational databases have a fundamental flaw when it comes to security, which is that the channel used to control them and the channel used to access the information they contain, are the same. This allows for someone who should only have access to information in the system to easily attack it as well.
The other thought which occurred to me when I was listening to the presentation was that any IDS/IPS style device which wants to block "malicious" traffic going to a system needs to parse the information it's seeing in the same way as the protected system otherwise there's a risk that quirks of rendering will introduce false positives or negatives.
It's something I was talking to a WAF vendor about recently, as I was asking them whether their product rendered JavaScript when looking for malicious traffic, as there's a specific problem with the idea of self-modifying JavaScript, looking innocuous in transit but then being malicious when executed
]]>On the 28th of February, there's an OWASP Scotland meeting with Dr Steven Moyle of Secerno doing a talk on Database Security. There's more information and the address to RSVP to on the OWASP Scotland Mailing list
Next up on the 27th of March is the latest Securetest Edinburgh RANT with Graeme Marsh from Deloittes doing a talk on "Plugging the Gap - Information Leakage in Organisations". For more information and to RSVP for this one go to this page on SecureTests site.
]]>When I saw this I thought I'd go over to the site and take a look around, as Microsoft have released some great information about developer security in the past and it's an area of interest for me at the moment..
But then I ran into a complete roadblock getting to the site! To view it you have to have the latest version of Silverlight installed! Unfortunately I think that won't work for a lot of users, either due to corporate builds not having deployed silverlight yet (and hopefully decent security policies in place to stop users self-deploying software) or due to platforms issues (admittedly a small proportion of linux fans like myself), although that said it's likely to be an increasing problem for some content, as a lot of mobile devices run Opera which isn't supported by silverlight from what I can see...
I understand that Microsoft are keen to get people looking at some of their new technology, but it's a shame that this kind of resource is limited in such a way that a decent proportion of their target audience won't be able to use it.... Perhaps a limited HTML version could be made available so people without access to silverlight
]]>