Security Musings

Information Security Travel Guide

Stephen Northcutt, an Information Security Researcher, United Airlines 1k, Writer and Instructor, documents the struggles of the travel and hospitality industries as we all face continually increasing energy costs. He and his peers share their travel experiences and give you quick tips and short reviews of the companies they do business with as they travel. If you came across this article because of a Google search, what you want is probably here, just use find with your browser (CTRL - F), it is easier than reading from top to bottom; however, you may get some useful tips if you stick around and read. Each major cluster of trips is documented in a separate file.

Information Security Travel Guide: November - December 2008, Kauai to Italy, Washington DC and Richmond VA


By Stephen Northcutt
Version 1.4

[December 19, 2008] Return home to Kauai. Well, this has been a long trip if there ever was one, but Kathy and I have had fun. We made it home just fine even though this is a crowded time of year to fly. United did not have enough staff at Richmond airport to give out tickets, but Kathy had printed our boarding passes in advance so we were OK. I think I will add that one to our travel tips file. We also checked our bags curbside. United also did not have enough staff to load the airplane, so we left Richmond 40 minutes late. We raced through Dulles and made our connection to LAX, but our bags did not. The service on the cross country flight was fine though. We were further delayed due to weather and had to fly south to get around the storm; this was not a good day to fly. Our flight from Los Angeles to Lihue, Kauai was delayed and LAX was very crowded, but it meant we had enough time to visit the California Pizza Kitchen; Kathy had the Pea Soup and I had the Mushroom, Sausage, Pepperoni Pizza. I think that is their best pizza, though I know they are famous for their Barbeque Chicken Pizza. Even after we boarded, we had to wait; over twenty people were running late coming in from Chicago. We took a taxi home. My brother Jack, his wife Tamara and their son Sean Grant were already here. We enjoyed a shrimp and veggie stir fry over rice and then headed to bed. Long day.

Read an interesting DR/BCP note this morning: France Telecom reported that 3 major underwater cables were cut: “Sea Me We 4” at 7:28am, “Sea Me We 3” at 7:33am and FLAG at 8:06am. The causes of the cut, which is located in the Mediterranean between Sicily and Tunisia, on sections linking Sicily to Egypt, remain unclear. One suspicion is a ship anchor. But what is amazing is the amount of damage; check out the loss of service:

* Saudi Arabia: 55% out of service
* Djibouti: 71% out of service
* Egypt: 52% out of service
* United Arab Emirates: 68% out of service
* India: 82% out of service
* Lebanon: 16% out of service
* Malaysia: 42% out of service
* Maldives: 100% out of service
* Pakistan: 51% out of service
* Qatar: 73% out of service
* Syria: 36% out of service
* Taiwan: 39% out of service
* Yemen: 38% out of service
* Zambia: 62% out of service

France Telecom deployed a maintenance boat, the “Raymond Croze”, to investigate and do repairs. Part of disaster recovery is triage, and France Telecom's priority will be given to the recovery of the Sea Me We 4 cable, then the Sea Me We 3. By December 25th, Sea Me We 4 could be operating. By December 31st, the situation should be back to normal. This is certainly going to cause me to look at my business impact analysis.

I am also pleased to announce the Commonwealth of Virginia has a new Deputy CISO effective January 12, 2009! John Green will fill the position of Deputy Chief Information Security Officer. John brings to the Commonwealth of Virginia a wealth of information security experience at Fortune 500 companies, the federal government and start-ups. His background is extensive and varied. John possesses both hands-on information technology architecture experience and extensive practice implementing security and risk management programs. During John's time with SANS he created 35+ hours of GIAC certification courseware and trained thousands of persons globally. He also consulted with staff from the White House, National Security Council, FBI and other defense and intelligence agencies during the 2000-2001 internet attacks, helping to create national response procedures. John has a Bachelor of Science degree in Computer Science from the University of Mary Washington and is GIAC certified with honors as both a System and Network Auditor as well as a Forensic Analyst. I am certain you will join me in welcoming John to the Commonwealth Information Security Community!

[December 18, 2008] Richmond VA. Trying to balance the struggle of family and business that happens during the holidays. As a family we are spread out all over the globe. But Kathy's brother and his wife, and also her mother, are in Richmond. Hunter, our son, is also here. So, we are doing the holiday bit early. We have both traditions of Christmas and Hanukkah to honor. And, we are trying to retrofit an apartment so we have a landing place here with the help of Harry Williams from Kauai. So yesterday, I switched roles and cooked for everyone. We served spinach dip, turkey with chestnut dressing, cranberry sauce, roast beef with a layer of turkey bacon on top, two salads, roasted asparagus with sharp cheddar sprinkles and twice baked potatoes. We also had two pies for dessert. Today, I am trying to catch up on work. A number of instructors are starting to pick up on the importance of focusing on Google hits, I got three notes just today. I have been amazed in my life how people think Google can be gamed by tags and the like. I also hope they understand that a few files of content generally are not enough as well. There is a lot of misinformation about search engine optimization.

I received a note from Mark Weatherford, Director, California Office of Information Security and Privacy Protection, pointing to an interesting security blog. It is titled, What’s Missing in the way the Government does Security? The blog opens with, "I love transition time. We get all sorts of strange people who come in, issue their letters on how they think the Government can solve the major cybersecurity issues for both the Government’s IT systems and for the rest of the US as a whole. And then, they all leave. Nobody actually implements the suggestions because it takes time, effort, and money to get them done, and all that anybody ever wants to give is talk. Talk is cheap, security is not." There is a bit of redundancy, but the blog is a must read.

One of the goals of our Security Travel Blog is to better understand the world we live in. I read an interesting blog about "the Dec. 14 incident, in which Bush skillfully dodged – twice – size 10s that Muntazer al-Zaidi of Al-Baghdadia TV had hurled at him during a joint news conference with Iraqi Prime Minister Nouri al-Maliki, jokes have been bombarding Internet sites, blogs and forums, spreading like wildfire on cyberspace and through text messages." They go on to say, "For many Iraqis and Arabs, however, the war was an illegal move against a sovereign nation, it had dismantled the state's institutions, brought disorder and violence, provided fertile ground for more terrorism, killed hundreds of thousands of Iraqi civilians, made more than 4 million homeless, and fragmented an Arab country along sectarian lines. In other words, the war is widely seen as having destroyed Iraq. So when Zaidi threw his shoes at the U.S. president as a "farewell gift" just a few weeks before Bush leaves the White House, the Iraqi journalist was seen as a hero; Dec. 14 was declared the "start of a shoe revolution," and wealthy Arab businessmen offered to pay millions to buy the famous footwear that had narrowly missed Bush's face, but hit the American flag behind him." I certainly do not believe that any civilized person should support al-Zaidi's action, throwing things at heads of state is not going to move our world forward, but the article is worth reading as it is a poignant reminder there are always two sides to every story, or should I say, be careful of judging until you have walked a mile in the other party's shoes.

[December 16, 2008] Amtrak to Richmond (again). Life has been a blur; we spent two days in Richmond and zipped back up on the train to Washington DC. I taught the one day leadership course, SANS Leadership Competencies, and then my primary course, SANS Security Leadership Essentials For Managers. Our stay in the Marriott Wardman Park was excellent, the staff was friendly and the conference went well. We ate on property most nights; the roasted pumpkin soup at Stone's Throw is excellent and we can also recommend the mushroom ravioli. The halibut was also cooked to perfection. Stone's Throw is primarily a steakhouse and they have signature sauces, though I pretty much just put salt on a high quality cut. Harry's Pub seems to need a tune up in the kitchen; both the Reuben and the quesadillas were soggy. The chili used to be excellent and it was a challenge to finish it. The shrimp and sausage creole is still quite nice. There is also a snack and coffee offering in the lobby, The Woodley Market, that has a cup of oatmeal for breakfast that starts the day off right. The concierge lounge has a nice continental breakfast and veggies and cheese at night. One evening we did a floor picnic in the room from the Manhattan Market across the street; they have a lovely selection with plenty of Mediterranean choices. Checkout from the hotel was a breeze and our train, the Carolinian, was on time. Lovely, peaceful ride on a rainy day.

My sister gave me a book, Leadership Secrets of Attila the Hun. It is a small book and I was able to finish it during scraps of time at the conference. I cannot recommend it. I enjoyed learning a few facts about Attila. From Wikipedia: "Attila (406 – 453), also known as Attila the Hun or The Scourge of God, was leader of the Huns from 434 until his death in 453. He was leader of the Hunnic Empire which stretched from Germany to the Ural River and from the River Danube to the Baltic Sea (see map below). During his rule he was one of the most fearsome of the Western and Eastern Roman Empires' enemies: he invaded the Balkans twice and marched through Gaul (modern France) as far as Orleans before being defeated at the Battle of Chalons." Apparently the defeat was a big deal and the book has a chapter on what Attila learned from it. Anyway, everything is made up; we don't have much information about Attila that is provably true. Supposedly he died on his wedding night and the possibilities range from hemorrhage, to being murdered by his wife, to assassination. The book also does not portray him as a really mean guy, but most of history does. I think you can afford to skip the book.

[December 07, 2008] Amtrak to Richmond. We left most of our bags in the Marriott and took the Red Line. If you are staying in the Wardman tower, take the elevator to LL and there is another elevator to the Metro right there; you hardly have to pop outside. On the Metro nowadays, everyone has to have their own fare card. If I remember correctly, you used to be able to share a fare card; you just had to run it twice. I used a credit card to pay and the machine defaulted to two fare cards, which was handy. Kathy and I took the Red Line to Union Station and picked up our tickets to Richmond. It looks like people are already traveling for the holidays, but Kathy spent the four extra dollars to get business class. We like to use the train, because they have power outlets and I can keep working. I have to reconnect to Verizon every fifteen minutes or so, but I do not mind and it is great to be able to get online. Train 79, the Carolinian, was 15 minutes late, but trains are not for people in a hurry. I love this route. When I was working at the Pentagon, I commuted by train. In fact, I wrote most of my first two books on the train, one hour up from Fredericksburg VA and one hour back. I particularly love some of the scenes of the Potomac just north and south of Quantico.

I was supposed to be on a plane to San Jose today to give a speech at an internal Cisco management conference, but they canceled as a cost savings move. I am somewhat thankful: instead of flying across the country to speak for an hour and then flying straight back, I am on a leisurely train with Kathy and we are headed to see our son Hunter and also Kathy's mother, brother and his wife and child. Sometimes life works out pretty well. We are thinking about making Richmond (Western Richmond, Glen Allen) a second home. It is a lovely southern city that has all the amenities, but isn't too, too urban. With family already there, it just makes sense. And I have been traveling so much, having a place to hunker down for a few days instead of flying all the way back to Kauai would be nice.

Went ahead and signed up for updates from President-elect Obama's website, and I found the Obama-Biden Transition Project to be worth some viewing time. They have a new program called Your Seat at The Table where they are publishing the documents currently under review. I read the one on Asian and Pacific Islander health initiatives today and sent in some comments.

[December 06, 2008] Flight to DC. We got to the airport in plenty of time and settled into the Star Alliance lounge. The Internet did not work, which is fine, I was kind of burnt out anyway. The flight to Dulles was uneventful. We scored business class on the 777 using my systemwide upgrades. The crew was somewhat attentive, certainly not the best I have had; they didn't bring water for about an hour and a half after the meal, but I had enough of my own. After that though, they started coming by every 45 minutes or so. I watched three movies on the flight, just did not feel like working. The Sisterhood of the Traveling Pants was fun, a romantic comedy, bit of a chick flick, but fine for a guy on an eight hour flight. The Mummy: Tomb of the Dragon Emperor, on a scale of one to stupid, this is stupid. I sure would not want to own it, but while stuck on a plane it helps pass the time. Finally, I watched Mamma Mia; this is the eighth time to watch this movie and I still love it. On the eighth pass it is getting just a touch familiar, of course, but I still noticed a couple of things I had missed before. Keep in mind that seven of the times I have watched the movie, it has been on the little 5" Boeing 777 screens, so it is easy to miss stuff; would love to see this movie on my home entertainment system with a proper screen and sound system. Ran into the silliest of problems clearing customs at Dulles. One of my checked bags is a mountain climbing style backpack from Australia. It has served me well and I have a Pacsafe wire protection system. Well, my wires got caught in the zipper of a gentleman's Travelpro bag. Part of his zipper had broken off and my wire somehow got into his zipper pull. This is not ideal, in customs, grouped around the bags for a long time, easily 20 minutes. The drug sniffing dogs came by twice. I cannot recommend Travelpro and not just because of this; all of our Travelpro bags are broken and their so-called warranty is a crock. Anyway, I asked the United baggage claim, lost bags department folks for help and they came by with some tools including the largest bolt cutter I have ever seen, but the gentleman who owned the Travelpro bag managed to get the bags separated using an automobile key. Then, we got a car to the Marriott Wardman Park. It is so nice to be "home". I say home because I have stayed at the Marriott for, say, seventy to eighty days over the years. They are always friendly, but they seemed to be in high gear, even gave us a bottle of water in a gift bag as we checked in. Our room was clean. We will be there ten days, so I will do a full report.

[December 05, 2008] Working in London. They never did get the Internet working in our hotel room so they moved us to the 2nd floor, which turned out to be a blessing since the elevators then failed. Also, I ordered a pizza in the bar, the Upper Deck lounge, and it was fourteen British pounds (about 20 dollars) and it was still frozen. You have to be pretty cheeky to sell a frozen pizza for 20 dollars and then not fully heat it up. However, they really are trying at the hotel, I need to say this. The room is thoughtfully done. The staff are trying, they are just a mess. We had a bit of rain, as in coming down like buckets, so having a hotel close to the conference location was really nice. All in all, I think the ExCeL centre does a good job; there were a few temperature problems, but, in the main, they did a good job. We had one really strange event. One attendee from Saudi Arabia kept running around with a video camera systematically taping every entrance. I don't want to be a prejudiced non-tolerant person, but to film all the entrances and exits only a few days after the Hotel Taj Mahal killings in India is just plain subhuman. I didn't understand it; it was at night and hardly anyone was around, and I was sorely tempted to sidekick him straight into the river. However, the police picked up on him, he was that obvious. I will make a political statement: if peaceful Muslims wish to practice their religion unhampered, it would be best to self police. Don't turn a blind eye when one of your own is doing something reprehensible.

[November 29, 2008] Rome to London, Hotel. We had an easy set of flights on Lufthansa, Rome to Frankfurt then on to London. We were able to make use of the Senator club in Frankfurt because of my gold status in the Star Alliance and that was very nice. I had a draft beer, potato and fennel soup, one sausage, and a cabbage salad and felt very German for a few minutes. The flights were on time, the flight attendants very professional, and they even give you a little sandwich on the plane. After clearing customs, we caught a cab to the Novotel Hotel ExCeL, 7 Western Gateway, Royal Victoria Dock, London E16 1AA Tel. (+44) 207/5409700. The cab was 100 pounds, which is about $177, so the sticker shock is just beginning. I just need to remind myself this is part of the price of doing business. They gave us a wonderful room; SANS upgraded us to a suite, which was nice. They have some thoughtful touches, including having the toilets separate from the bath/shower part of the bathroom. The room was mostly clean; there were about ten hairs in the tub that I could see and some debris on the carpet, but, boy, have I seen worse. The Internet in the room does not work, which is a big problem since I cannot update my schedule; but tomorrow is setup day for our conference at ExCeL exhibition centre, so maybe I can get some connectivity there. I feel really stupid that my cell phone does not work in Italy or London. I know they sell iPhones in both countries; we talked about it with the AT&T people before we left and they told me it would be $1.50 a minute, but there it is, big as day, no service. It was rainy so we ate in at the hotel; Kathy had a salad and two sides of vegetables; I know just how she feels, after ten days of pasta, vegetables are quite attractive. I had the halibut, which was cooked almost to perfection, maybe one shade overcooked, but still a moist center, and the fungi was excellent.

[November 28, 2008] Quiet day at Anne's Place. We are out of get up and go spirit. This blog cannot exist if I don't take time to write, and I also started a new book while on this trip, so we took some time to write. We did go to the street market. This is an Italian tradition and a place where you can pick up fancy label clothes on the cheap. Of course, most of my clothes are SANS branded, so I'm not sure what I would do with fancy labels. We had a good time at Anne's Place. The way they organize tours is a big plus and the price is very fair. Yes, you need to factor the time to take the train into Rome into a decision to stay here, but I found we could only do so much Rome each day, so it worked out well for us. Anne and David were very caring and competent and they have their system down, even a special train timetable so you always know how to get back to the Zagarolo train station. The restaurants in Palestrina are a bit cheaper than the ones in Rome, and I dare say the food is better. All of the restaurants Anne and David recommended were fantastic. The one caution: they are dog people, so if you do not like dogs, you might want to factor that in. They keep the dogs largely under control, except the puppy Joey seems to be a master at jailbreak. However, Joey will not be a puppy much longer and they are working hard to train him. All in all, a lovely trip. We pack tonight and fly for London tomorrow; it has been really nice taking a vacation, but I am excited to be working again as well.

[November 27, 2008] Ostia Antica and St. Paul's. Ostia is a set of ruins. It is at least as well preserved as Pompeii. If you are in the Rome area, you might want to consider it an alternative so you don't have to make the drive to Naples. It is reachable by train so you do not have to hire a tour or driver. A 6 Euro per day ticket covers trains, metro and buses. There is a cafeteria onsite, but the food was forgettable; try one of the restaurants outside the ancient city, or wait till you get back to Rome. On the way back, we stopped at St. Paul's Outside the Walls and had a lovely walkthrough. We even fed some coins to increase the lighting; that was fun. Anne from Anne's Place met us at the train station. We didn't want a full three-course dinner, and we were tired of pizza, so she drove us to Non Solo Pizza (not just Pizza); their lemon chicken was great, and so were the artichokes and spinach. Felt good to actually eat a vegetable after so many days. Anne loaned us Mamma Mia, the movie. If you have not seen that movie, make a point of it. The casting is simply fantastic.

[November 26, 2008] Central Rome on our 25th wedding anniversary.
We took the late train into Rome, the 11 AM. Grabbed the metro and got off at the Barberini stop. Walked around the block; our Roma PIU passes got us into the Barberini museum, which features, among other things, a well known semi-nude by Raphael. Next, we wandered down to the Trevi fountain and bought some roasted chestnuts, and then we continued down to the Leonardo Da Vinci Invention museum. This may not be worth the price for everyone; they do give you a discount if you have a PIU pass, but I loved playing with the devices and you are allowed to play with the majority of them. Next, the Pantheon, and that truly is an impressive building. Outside in the Piazza, we hired a horse-drawn carriage to see the back streets of central Rome. It was nice to be off our feet for an hour. Then we grabbed lunch to go and worked down to the Forum. Along the way we saw this huge white marble building which had to be interesting, so we climbed the 242 steps to see what was up. It turned out to be the Victor Emmanuel monument and they have a free museum which is mostly military. I think the purpose is to honor how Italy became a state; it was a bunch of townships for almost forever. Anyway, we blew through that; out on the roof are some awesome, awesome views of the city. There is also a museum cafeteria where you can get a glass of wine and occasionally step outside for another view. The light changes quickly in Rome and this is a super place to shoot pictures from. At one point, we saw a banner below for a Picasso exhibit. Our PIU pass got us a discount and that was really fun. Now, Picasso is not really one of my favorite painters, but they have a large set of sketches of him playing around with ancient Roman themes. There is some really great work there; I thoroughly enjoyed it, we went through the sketches twice. Then across the street, past some more ancient ruins and the Forum, which honored our PIU pass. Once again, it is incredible how much of ancient Rome is still standing. It is also incredible how the Catholic church built a church on so very many ruins. Great fun. Then we picked up a bus to go back to the Termini train station and rest a bit before dinner. We had supper at Piscarello; I have been on the road a lot, but this was simply one of the finest meals of my life. They have meats, but specialize in seafood and black truffle. If you find yourself in Palestrina, their phone is +39-06 9574326, awesome.

[November 25, 2008] Colosseum, Arch of Constantine, Palatine Hill and St. Peter's Basilica. Same metro stop as yesterday; since we had the Roma PIU pass, we were able to duck the ticket lines for the Colosseum and get straight in. My favorite part was actually the exhibit of artifacts that had been stolen or otherwise removed from Rome and then been recovered. Next, the Arch of Constantine is still in really good shape and makes for a perfectly enjoyable walk in the Palatine Hill. This is an incredible set of ruins where the ancient Caesars made their homes. You get away from the bustle of Rome. It was a nice day, though a bit damp, so we did not make a picnic of it, but this is the perfect picnic spot; it is huge so you can certainly find an empty bench or fallen column to sit on. Now Saint Peter's Basilica: it is impossible to describe how big that is. They have moved the Pieta even further back, but you can still be very impressed with this Michelangelo sculpture. We took some time to visit the prayer chapel; don't you just wonder how many prayers have been offered from St. Peter's. That was enough for the day; our minds were on sensory overload, so we headed back to Palestrina.

[November 24, 2008] The Vatican Museum. The plan was to slow down today. Breakfast scheduled for 9:00 AM instead of 8:00, leaving for Rome on the 11 AM train. After days of blur-like speed, this seems good to me. The train ride was easy enough. Most of these trains have bathrooms; you might want to take advantage of that. The train station in Rome is Termini and they charge for the toilets. I don't mind that so much, but they do not take the one Euro coin and that is the most common coin. We took the Metro; it was an easy walk. The three day Roma PIU pass covered the train, the metro, buses, and many exhibits, but not the Vatican museum; no matter, it is very worth it. The museum is huge and so many people are in a hurry to see the Sistine chapel that they miss a lot of the exhibits. We spent some time in the Sistine chapel and then outside; people were flying out after the chapel, which means they miss a few Chagalls, including one from my undergrad art history book, and a Matisse statue. We ate in the museum cafeteria; that was a recommendation, but not a good one. Then the rain was pouring and we waited for it to slow down. There is a sign right outside the museum "Metro 50 meters", so we went for it. They lie, they lie, they lie, so we got soaked. We raced through the rain and at 50 meters there was another sign, and then another. Somehow you expect a bit more integrity from the Vatican. We decided to call it done, and took the train back to Palestrina.

[November 23, 2008] Umbria. In a sense, the trip to date is exactly what I have been hoping to avoid: awake, showered, shaved, and dressed by 8 AM; breakfast, hit the tour bus, here one day, there the next. However, one makes the most of opportunity. Anne's Place cannot afford to take us on long distance tours unless there are at least four people, and we are fairly compatible with another couple, Pat and Paul, and everyone wanted to go to Umbria, so who am I to complain. And we have seen many a lovely sight, memories for a lifetime. This time both David and Anne came, so there would be a relief driver, and we headed north, past Rome to Umbria. Our first stop was Spoleto; since it was Sunday, we were not the only ones touring and we had to cruise for a few minutes to get a parking place, but we were able to find one quickly. We must have looked like tourists since an Italian gentleman, small but perky, came alongside and directed us to the city square or Piazza. He showed us all the sites on the way, including their working amphitheater. Like so much of Italy, it is a blend of the old, the older and the new. It was a cold day, bouncing between 1 and 6 centigrade, but we were all well dressed with jackets, hats and gloves, so it was not an issue. Spoleto was neat and we got a few shots for Kathy's photo project, but we wanted to move on. Next stop was Spello. It was the highlight of the day. At least for us, it was the perfect northern Italy hill town. We poked around the alleys, talked to people, took lots of pictures and met at a wine bar for lunch. The proprietor recommended a wine from nearby Assisi and the six of us shared a glass apiece and ate off of their finger food menu of antipasto and cheese, as well as bread and the new olive oil. After being porky pig for so many days, a light lunch hit the spot with everyone. Then, on to Assisi, just fifteen minutes away. This is most known, of course, for Saint Francis of Assisi. It was interesting, but I preferred Spello. There are lots of great big churches, all richly decorated. Monks, priests and nuns are not the majority of the people on the street, but they certainly are well represented. It is a bit commercial; you can buy any sort of religious relic, especially if it relates to Saint Francis or his sister. There are also wine shops and arts and crafts aplenty. About 5 PM, we headed back to Anne's Place, one more stop at Santa Maria degli Angeli to see the little chapel St. Francis built, encased in a monster cathedral, and then dinner back in Palestrina. On the drive back, several of us had the sniffles from exposure to the near freezing temperatures all day. I told Anne about astragalus and promised to give her a few pieces and asked if we could put one piece in the morning tea. Kathy and I also made an evening tea and added a piece; sometimes it just takes a little bit to help the immune system get past a shock. For Sunday night dinner, we went to a fixed price place, Amedeos, with Pat and Paul. Lovely dinner; we chose the medium serving over the grande and that was wise. A great antipasto selection; the pasta was a mushroom fettuccine where the noodles were done in truffle oil, just a fraction too much salt, but really good. The meat was a ham steak that wasn't popular with the rest of my dining party, but I liked it, and it came with salad. They ended with some lovely home baked desserts and, of course, coffee. A good meal, good and lively conversation; this is our last night with Pat and Paul, they are headed for a cruise ship. In terms of sights and sounds, if this was the end of my trip, it would have been plenty, but I really want to poke around in Rome some more and to do some thinking. I am reading president-elect Obama's book, The Audacity of Hope, and I am almost finished; while he does not draw parallels between our nation, and its condition, with the pre- and post-Roman civilization, I keep sensing that there are some and would like to make these thoughts more complete.

[November 22, 2008] Rome. Today we got up and David drove us to the train station and we went to Rome. For six Euros you can get a rail pass that is also good all day on the metro and bus system. The train ride is about a half hour. Then we got on a bus. Anne had arranged reservations for a tour of the Galleria Borghese. This is a truly awesome museum. One of the highlights is the statue of David by Bernini. Everyone always hears of Michelangelo's version, but this one looks the part of fighting Goliath a bit better. Titian's Sacred and Profane Love is there, as is Pauline Bonaparte. Napoleon's sister, Pauline Borghese, was the model and, from what I can tell, she was a bit of an exhibitionist; it isn't the only time she posed nude. Bottom line, great museum; the senses can barely take it all in. Then Kathy and I made our way through the park to the Spanish Steps with a Bernini fountain at the bottom. Next we navigated to Trevi fountain, stopping for lunch at Mia Casa Restaurant and Pizzeria; we both liked our pasta dish, Kathy had the lasagna, I had the fettuccine with wild boar, but our meat dishes were both poorly done. That night everybody at Anne's Place felt like a return visit to Schirbizzo. We still ordered too much food, but it was great.

[November 21, 2008] Road trip to Pompeii. Another couple at the B&B wanted to visit Pompeii and it is a minimum of four people for the tour. Anne's Place currently charges 55 Euro per head on these tours, and our room was only 85 Euro per night, so tour and room is less than most hotels in Rome and you get breakfast, too. It is a long drive from Palestrina to Pompeii, but what fun romping around the ruins. I had been before, so we ditched the guide and audio aids and Kathy focused on taking photos and we talked about the different architectural features. One thing I observed about Pompeii is that they did not have one way of doing things. Many of the columns are actually built of brick and plastered to look like hewn stone. Others are stone. We saw both vertical and horizontal stabilization features, but, amazingly, they are rare. It shows, too - some of the walls are held up by steel braces and will have to be reconstructed. We saw a number of different arch styles and also approaches to lintels. They have continued to excavate since I was last there so the city is much larger than before. After Pompeii we got a quick bite to eat and headed for Cassino and Monte Cassino. We dropped in on the Allied grave site (this was the scene of a fierce battle in WWII). Then, up to the Monastery at Monte Cassino founded by, you guessed it, Saint Benedict. So, of course, it is at the very top of the mountain; we had to drive through the clouds to get there. This is one unlucky building, it has been wiped out either four or five times, the last time in WWII. Anne arranged a private tour. What a lovely set of sites. The last time they rebuilt this they really did it up, the underground chapel done in golden mosaic is one of the most incredible things I have ever seen, but the highlight for me was the underground tour. This monastery, like several others in Italy, is built over a former pagan temple. So, the basement is an ancient and well preserved set of Roman arches and stairs. 
When we got back, we took a nap until the restaurants opened. All of the guests at Anne's Place went to dinner at IL PISCARELLO. It was quite nice, I had a thin steak dish served with rocket greens, Kathy had an all fish experience which she enjoyed.

[November 20, 2008] Touring the hill country in Italy. What an amazing day, I will probably get some of the names wrong. Anne took us and we had a great time. The first stop was Capranica. These are all hill towns, ancient stone villages built on the tops of ridges and mountains. The communities are close and there are lovely walks through the cities. Everything is ancient. In fact, sometimes the houses are built on foundations and walls from ancient Rome. So, we had a lovely time walking throughout the town which is preparing for a festival of some sort. Next, the Sanctuary of Mentorella. As I understand it, this was founded by Saint Benedict, as in the Benedictine order of the Catholic Church. There is a cave in the rock where he spent a couple of years meditating and praying. This is in the middle of nowhere, and then some, and it stands all alone on a giant rock outcrop. They still have three monks keeping the place going. They have an interesting tradition: when you die, they take your bones and put them near where Saint Benedict stayed in the cave. There is a window on the outside, and you can see skulls and such. I imagine this gets very cold in the winter. Now this Benedictine order has a catch; you never get a transfer, you stay where you are first sent until you die, so if you draw Mentorella, you will certainly get to talk to God, because there are no people up here. But it is beautiful! Amazing views, very thankful I got to see it. Next, we went to Castel San Pietro, another lovely hill town. We marched around the alleys and such, and we had a great time. Their claim to fame is a statue at the very top of the redeemer. The original one had to be taken down (too many lightning strikes). This one is very well grounded and serves to protect the amazing antenna farm below it; they have dozens of microwave repeaters and the like. This is a high point and is line of sight with a lot of Italy, so you can just guess there is a lot of RF around the statue. 
I wonder about the health of the residents of the town near the antenna farm. Then back to Palestrina, also a hill town. We had lunch at a local lunch-only site, very nice Italian comfort food. I had the Saltim Bocca, Kathy had a ravioli and then we hiked up to the temple and museum. That is an amazing ancient temple site - huge, and a lot to see. Then, as the sun set, we wandered back down through the hill city. When we were ready, we called Anne with one of the B&B's loaner cell phones and she came to get us. Great day, my head was spinning. We couldn't deal with a restaurant experience, so we each grabbed a piece of pizza and called it a night.

[November 19, 2008] Anne's Place, Palestrina Italy. We are staying at Anne's Place, a Bed and Breakfast outside of Rome. When we first got in, we asked if we could close our eyes since we had been in a travel status for over 24 hours, not a problem. We are staying in the terrace room. They agreed to wake us at 7:30 PM, the restaurants in Palestrina open at 8:00 PM. That is the tradition in Italy, things close down between noon and 2 PM. Sure enough, we both went down. That night we went to LO SCHIRIBIZZO DI STELLA DANIELA and had an awesome meal; I ordered a pasta dish with shrimp and smoked salmon that was as good as any I have had, and Kathy ordered a pasta dish with bacon and a red sauce (it was also good). I ordered a trout cooked in a bag with tomatoes, onions, and olives for my second course; Kathy got a beef filet with mushroom sauce that left something to be desired. The sauce was really good, the meat was a must to avoid. David had warned us about getting the beef, and we should have listened.

[November 17, 2008] Lihue to Rome, Italy. We took the redeye from Lihue to LAX, then Dulles IAD, Munich MUC switched to Lufthansa and hopped to Rome FCO. Everything worked. The details of the flight will be posted in the United Airlines News segment of this blog. Because I am a Star Alliance Gold member, I was able to visit the Lufthansa senate club lounge. Boy, that is nice: sandwiches, fruit, cheese, and every kind of alcohol you can imagine. With the timezones and duration of the flight, we landed November 19, 2008 in the early afternoon in Rome and were met at the airport by David, from Anne's Place.

[November 17, 2008] Flyday. The winter winds are howling here on Kauai, I would guess with peaks to 50 MPH. We will certainly drop the hurricane shutters when we leave for Italy and beyond. Since I am a captain of a blue water sailing canoe, I cannot stop thinking about ancient Polynesian voyaging; a night like tonight is a very big deal in a wood, bamboo, and coconut fiber sailing canoe. The kite surfers are loving it, but you know a couple of them are going to have equipment failures; you run too big a kite in high gusty winds and you end up swimming in if you don't get hurt. I am very glad to be typing inside of a modern house built to code, and a bit more.

In the email, I got something incredible today, "We have an early holiday present for everyone. Today, we at NetWitness announced the immediate availability of a freeware version of our core product, NetWitness Investigator. With today’s announcement, we are working to begin a philosophical change in the security industry – providing users at all levels in security, I/T audit, anti-fraud and law enforcement with comprehensive analytical insight into technical, complex threats faced by the smallest to the very largest organizations. Effective immediately you may obtain this fully functional and licensed free version of NetWitness Investigator at: http://download.netwitness.com.

The free version of NetWitness Investigator contains all major features of the Enterprise edition and the NextGen infrastructure. Version 8.6 of NetWitness Investigator provides users with significantly enhanced protection to analyze network sessions and deliver increased insight into all traffic and context. New features include SSL decryption and analysis of encrypted network traffic; interactive charts for instantaneous analysis; and enhanced content views for numerous protocols and applications. We all know that there are gaps in addressing today’s advanced threats because current security solutions are highly dependent upon signatures, operate at the network layer, or are based upon incomplete statistical information. NetWitness Investigator is deployed at some of the largest government and financial institutions in the world to detect and help stop nation-sponsored and organized criminal techniques. It is also used to monitor insider threats such as rogue users and to verify operational regulatory compliance. This free version of Investigator, now available to all organizations, will permit users of all levels (novice to expert) to easily analyze and mine large amounts of information – the actual full content of captured traffic. This approach allows users to rapidly identify and resolve many of their most complex security problems -- achieving faster and better informed security responses. Once you download Investigator, you can visit our YouTube channel where you will find information on getting started with the software. You also can join the NetWitness Community, where you can share use cases and applications of the software with your peers in the industry. We are sure that once you install the software and capture some of your organization’s data, you will see your network in ways you never imagined – and begin to understand why so many people are excited about this free release of Investigator."

As you already know, one of my deep concerns is that we are not detecting attacks, and this could be the start of a change in that. Run TCPdump or Windump, collect a lot of data, and then start analyzing that data; who knows what you may find.
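To make the "collect a lot of data, then start analyzing it" step concrete, here is an added example (not NetWitness, tcpdump or WinDump code, and not from the original post) that reads a pcap file the way those tools write it, rolls the packets up into bidirectional TCP sessions, and then asks a simple detection question of the sessions: which source sent SYNs that never got an answer. The capture itself is constructed inside the block from RFC 5737 documentation addresses, so it runs offline; a real run would read the bytes of a tcpdump -w file instead.

```python
"""Reads a pcap capture and rolls the packets up into TCP sessions.
Added example for this post; it is not NetWitness or tcpdump code."""
import struct
from collections import defaultdict

SYN, PSH, ACK = 0x02, 0x08, 0x10          # TCP flag bits used below
PCAP_MAGIC_LE = 0xA1B2C3D4


def _frame(src, dst, sport, dport, flags, payload=b""):
    """Ethernet/IPv4/TCP frame for the constructed sample; checksums are left zero."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # two dummy MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + tcp


def build_sample_pcap():
    """Constructed capture: one normal web session plus a SYN sweep from one host
    (RFC 5737 documentation addresses, nothing real)."""
    frames = [
        _frame("192.0.2.10", "203.0.113.80", 40000, 80, SYN),
        _frame("203.0.113.80", "192.0.2.10", 80, 40000, SYN | ACK),
        _frame("192.0.2.10", "203.0.113.80", 40000, 80, PSH | ACK, b"GET / HTTP/1.0\r\n\r\n"),
    ]
    for port in (21, 22, 23, 25, 80, 443, 3389):
        frames.append(_frame("198.51.100.7", "192.0.2.10", 55555, port, SYN))
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)  # global header, linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1226000000 + i, 0, len(f), len(f)) + f  # per-record header
    return out


def iter_tcp_packets(pcap):
    """Yield (src, dst, sport, dport, flags, payload_len) for each IPv4/TCP record."""
    magic, = struct.unpack_from("<I", pcap, 0)
    end = "<" if magic == PCAP_MAGIC_LE else ">"          # byte order of the writer
    linktype, = struct.unpack_from(end + "I", pcap, 20)
    if linktype != 1:
        raise ValueError("this example reads Ethernet captures only")
    off = 24
    while off + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack_from(end + "IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":                   # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:                                    # not TCP
            continue
        total_len = struct.unpack_from("!H", ip, 2)[0]
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        data_off = (tcp[12] >> 4) * 4
        yield (".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])),
               sport, dport, tcp[13], len(tcp) - data_off)


def summarize_sessions(pcap):
    """Group packets into bidirectional sessions keyed by the sorted endpoint pair."""
    sessions = defaultdict(lambda: {"client": None, "packets": 0, "bytes": 0, "flags": set()})
    for src, dst, sport, dport, flags, plen in iter_tcp_packets(pcap):
        a, b = (src, sport), (dst, dport)
        s = sessions[(a, b) if a <= b else (b, a)]
        if s["client"] is None:
            s["client"] = src                             # first packet seen is the initiator
        s["packets"] += 1
        s["bytes"] += plen
        s["flags"].add(flags)
    return dict(sessions)


def unanswered_syns(sessions):
    """{client_ip: [ports]} for sessions that never got past a single SYN: a
    cheap first cut at spotting a port sweep in your own capture."""
    hits = defaultdict(set)
    for (a, b), s in sessions.items():
        if s["packets"] == 1 and s["flags"] == {SYN}:
            target = b if a[0] == s["client"] else a
            hits[s["client"]].add(target[1])
    return {ip: sorted(ports) for ip, ports in hits.items()}


if __name__ == "__main__":
    capture = build_sample_pcap()
    sessions = summarize_sessions(capture)
    for key, s in sessions.items():
        print(key, s["client"], s["packets"], s["bytes"])
    print(unanswered_syns(sessions))
```

The session table is the part that matters: once packets are grouped by endpoint pair, the questions a full-content tool answers (who talked to whom, how much, did the conversation ever complete) fall out of simple counts, and the unanswered-SYN list is one of the first things to look at when you pull a day of tcpdump off a sensor.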

USA Today ran a well researched piece today about data theft and who buys the data that is stolen. Great read.

Rob Lee, who oversees the forensics program and blog at SANS, tossed me a YouTube link that was a real eye-opener. There is a southern gentleman, Scott Moulton, doing a talk with flash video explaining how you can extract data from a dead hard drive. Here is his YouTube site. Turns out that there are people that are certified data recovery specialists. This is a whole new world for me, I figured when a drive is broken, it is all over. But no, they have classes for this stuff, here is a description of one. The idea is that you take the drive into a clean room, if you are lucky you have a working drive just like it and you swap platters, or swap heads, or if it is just the chips that control the drive you may be able to image in reverse (starting at the end of the drive) so you do not load anything into cache. They also go into imaging solid state memory.

[November 15, 2008] Starting to pack for Lihue/Italy/London/DC/San Jose/DC/Lihue. Have to be a bit careful when packing for five weeks on the road as well as vacation and teaching. I will wear my SANS trade shirts some of the time while on vacation and get them pressed to be ready for teaching. Also, in London they expect a higher standard of dress than most US venues, so I need to factor that in as well.

I got a note from Doug Rehman of ElectronicDiscovery.com. He presented on the difference between digital forensics professionals and private investigators (as I shared earlier, some states are starting to pass legislation that you have to be a private investigator in order to conduct forensics). Here is his summation of the event, "The questions afterwards indicated where at least a few of those present are at on the topic. One lady, I'm not sure from where, seemed intent on trying to figure out how to regulate DF (as DF, not PI). I tried to point out the interstate nature of DF; this was met with a statement of something to the effect of "that's the same excuse we hear about regulating PI's". I countered that there are not a lot of forensic examiners so a specialist in some obscure OS or other matter may not exist in a particular state; since PI reciprocity hasn't worked out so well (this got a lot of head nods from the audience), citizens/businesses of that state would be ill served by preventing the out of state expert from doing the work. Likewise, I pointed out that a single civil case may involve collecting data from multiple locations, litigants would be forced to hire multiple examiners, making the process more difficult and expensive, as well as potentially resulting in a far poorer result due to the multiple examiners. It was stressed to the audience that DF practitioners are well regulated by the attorneys that routinely hire them and the Courts that allow their testimony. Mark Pollitt pointed out that an examiner only has one reputation and if that gets tarnished by one Court, it is the end of that person's DF career. Overall, I didn't sense an overwhelming interest in taking on the regulation of DF."

Very perceptive article on InformationWeek about rethinking PC security, "I've always wondered if corporate PCs would be better off by switching from a blacklist to a whitelist. That is, rather than trying to define and recognize all the viruses and malware that exist in the world, simply list all the legitimate software that the IT department allows to run on the system. That can be extended somewhat by also allowing software to run that is crypto-signed by any whitelisted company. With a whitelist approach, it's nearly impossible for user mistakes to turn into company-wide infections." That is so correct. If you are not familiar with products like CoreTrace and SavantProtection, you should be.
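The difference between the two models is easiest to see side by side, so here is an added example (not from the article, and not CoreTrace or SavantProtection code) that runs the same four files through a blocklist decision and an allowlist decision. The allowlist permits a file either because its hash was approved or because it carries a valid signature from a trusted publisher; since the Python standard library has no Authenticode verifier, the publisher signature is an HMAC under a per-publisher key, a stand-in I am assuming for the real code-signing check. The file contents, hashes and publisher are all constructed.

```python
"""Allowlist ("whitelist") versus blocklist ("blacklist") execution control.
Added example for this post, not CoreTrace or SavantProtection code; the publisher
signature is an HMAC stand-in for a real code-signing check (assumption)."""
import hashlib
import hmac

# Constructed stand-ins for executables; a real agent would hash the file on disk.
SAMPLES = {
    "excel.exe":   b"MZ... approved office binary (constructed)",
    "vpn.exe":     b"MZ... fresh build from a trusted vendor (constructed)",
    "invoice.exe": b"MZ... never-before-seen dropper (constructed)",
    "oldworm.exe": b"MZ... sample already in the AV signature set (constructed)",
}

PUBLISHER_KEYS = {"TrustedVendor Inc": b"demo-publisher-key"}   # constructed


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def publisher_sign(publisher, data):
    """Stand-in for Authenticode: a MAC under the publisher's key over the file bytes."""
    return hmac.new(PUBLISHER_KEYS[publisher], data, "sha256").hexdigest()


# Policy state. The blocklist only knows what has already been seen and analysed;
# the allowlist knows what IT approved plus which publishers it trusts.
BLOCKLIST_HASHES = {sha256(SAMPLES["oldworm.exe"])}
ALLOWLIST_HASHES = {sha256(SAMPLES["excel.exe"])}
ALLOWLIST_PUBLISHERS = {"TrustedVendor Inc"}


def blocklist_decision(data):
    """Signature model: run anything that is not known bad."""
    return "deny" if sha256(data) in BLOCKLIST_HASHES else "allow"


def allowlist_decision(data, signature=None):
    """Allowlist model: run only approved hashes or files validly signed by a trusted publisher."""
    if sha256(data) in ALLOWLIST_HASHES:
        return "allow"
    if signature:
        publisher, mac = signature
        if publisher in ALLOWLIST_PUBLISHERS and hmac.compare_digest(mac, publisher_sign(publisher, data)):
            return "allow"
    return "deny"


def compare_policies():
    """name -> (blocklist verdict, allowlist verdict) for every constructed sample."""
    vpn_sig = ("TrustedVendor Inc", publisher_sign("TrustedVendor Inc", SAMPLES["vpn.exe"]))
    return {
        name: (blocklist_decision(data),
               allowlist_decision(data, vpn_sig if name == "vpn.exe" else None))
        for name, data in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, verdicts in compare_policies().items():
        print(f"{name:12} blocklist={verdicts[0]:5} allowlist={verdicts[1]}")
```

The row to look at is invoice.exe: the blocklist has never seen it, so it runs; the allowlist has never approved it, so it does not. The tampered-binary check in the signature path is the other thing worth noticing, since a publisher entry on the allowlist is only as good as the verification behind it.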

[November 14, 2008] Situation in Italy is not good, there is a strike. Got a note from Emilio Valente, "It has been a week of strikes in Italy for transportation. I am listening to Italian news on TV (I have the RAI with the satellite). Especially “Alitalia” the Italian airline is in a very bad period because it is going to be bought by Italian financial entrepreneurs (to avoid bankruptcy) and therefore there is chaos in the Italian airports for these strikes (today hundreds of Alitalia flights were cancelled across the country). People are angry and they have been for long hours (even 10-15 hours) waiting and sometimes they went back home.

Here below is a link where you can check for updated info (Meridiana is part of Alitalia)
http://www.summerinitaly.com/planning/strike.asp

Special Security Travel Guide reorganization news. As of today, we are no longer going to post United Airlines 1K news, news that is focused on United, the company as well as its customers, inline in our travel logs. I guess I should have seen it coming, but just like with the travel tips, I have received email from people asking me to keep the United news all in one place. So, if you want United Airlines 1K news, please visit: http://www.sans.edu/resources/musings/united_1k_travelnews.php Thank you!

Off topic, but I found an amazing web site, it is a rollup of all of the explosions reported around the world. They include a "bug bomb for a cigarette," a missionary from Langley, yet another bomb in a mailbox in Indiana, 125 bombs found in India, there are hundreds more. I had no idea explosions were that common, including in the United States. I have been teaching in my class that Improvised Explosive Devices were not going to stay in Iraq and Afghanistan, but didn't realize how far along we are in the process.

Just found out the Federal Reserve meeting on January 22, 2009 has been postponed to April 30, 2009. I was supposed to give a keynote speech on Enterprise Security Architecture; have no idea if I will be on the later meeting, but continue to work on my keynote.

An absolutely incredible paper has been posted to the reading room: .NET Framework Rootkits: Backdoors inside your Framework. Here is the abstract, "This paper introduces a new method that enables an attacker to change the .NET language. The paper covers various ways to develop rootkits for the .NET framework, so that every EXE/DLL that runs on a modified Framework will behave differently than what it's supposed to do. Code reviews will not detect backdoors installed inside the Framework since the payload is not in the code itself, but rather it is inside the Framework implementation. Writing Framework rootkits will enable the attacker to install a reverse shell inside the framework, to steal valuable information, to fixate encryption keys, disable security checks and to perform other nasty things as described in this paper. This paper also introduces ".Net-Sploit" - a new tool for building MSIL rootkits that will enable the user to inject preloaded/custom payload to the Framework core DLL." http://www.sans.org/reading_room/whitepapers/windowsnet/32954.php

This story broke in NewsBites Nov 14, but I want to add some additional information: More than a dozen Internet service subscribers have filed a lawsuit against NebuAd and six Internet service providers (ISPs) claiming that NebuAd's web surfing habit tracking technology and the companies that used it without customers' knowledge violated anti-wiretapping statutes. NebuAd has paid the ISPs to allow it to install monitoring equipment on their networks, which examined user habits and delivered targeted advertising based on their perceived interests.
http://blog.wired.com/27bstroke6/2008/11/net-spying-firm.html
http://arstechnica.com/news.ars/post/20081111-nebuad-isps-sued-over-dpi-snooping-ad-targeting-program.html
A copy of the suit is linked below; I would say this looks bad for NebuAd:
http://www.docstoc.com/docs/document-preview.aspx?doc_id=2497992

There are several of these companies including Phorm and FrontPorch:
http://www.phorm.com/
http://www.frontporch.com/html/index.html
You may recall there was a hullabaloo in the UK in 2006 when it was announced that Phorm and BT were secretly tracking BT customers:
http://www.theregister.co.uk/2008/04/01/bt_phorm_2006_trial/
In addition, the Consumerist reports an earlier NebuAd test, "Charter Communications is sending letters to its customers informing them of an "enhanced online experience" that involves Charter monitoring its users' searches and the websites they visit, and inserting targeted third-party ads based on their web activity. Charter, which serves nearly six million customers, is requiring users who want to keep their activity private to submit their personal information to Charter via an unencrypted form and download a privacy cookie that must be downloaded again each time a user clears his web cache or uses a different browser."
http://consumerist.com/5008801/charter-to-begin-tracking-users-searches-and-inserting-targeted-ads
There is an interesting paper referenced in the suit by Professor Paul Ohm where he asserts, "Nothing in society poses as grave a threat to privacy as the Internet Service Provider (ISP)." He goes on to say ISPs have the means and the motive to snoop on their customers:
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1261344#
Professor Ohm's blog on the topic can be found here and we can give the NYTIMES the last word on the topic for now.

Off topic, but very interesting: money.cnn.com ran an article saying the financial crisis may cause companies to seek a new type of leader. The article claims four types of industry leader through history: "The first was defined by Builders, company founders like John D. Rockefeller and Benjamin F. Goodrich. They were followed, beginning in the 1920s and lasting through the 1970s" ... by the "Organization Man." "In the early 1980s, leadership became defined by a focus on the individual, a celebrity worshiped by business magazines like ours. The Visionary CEO - think Lee Iacocca or Jack Welch - personified a corporation." Next came leaders who were more apt to ask questions and form alliances; the article calls these lifeguard leaders. "The CEO of the future is going to have to be someone who deals well with government," he says. The truth is, these days a CEO cannot fully control his destiny in a world of competing entities, ranging from regulatory agencies to angry shareholders, from consumers to foreign powers.

One more off topic, here is a web site that uses flash to give you a virtual sheet of bubblewrap so you can pop the pockets.

[November 13, 2008] Four days to Italy, flu shot and haircut today. Siliconrepublic reports that I am on the board of directors for a start-up, Beyond Encryption: "Beyond Encryption has a dual use in both the business and military worlds. It creates a virtual computer on the network that users can access remotely via their laptops, but won’t allow information to leave that area. Nothing can happen to that data; it can’t be printed, emailed or put on a USB key. The virtual machine could exist for just a short period of time before shutting down. The result is no more firms get hit with embarrassing revelations around data leakage,” says Fitzgerald. He says that pivotal to Beyond Encryption’s growth is its ability to put in place C-level management, and its team includes US businessman David O’Reilly and SANS Institute CEO and president Stephen Northcutt, and a technical board that includes Dublin City University’s Professor Michael Ryan and globally respected security experts Eric Cole and Mike Poor." Not sure how I ended up with such a distinguished group, but will try to keep up!

Googling Security. My friend Ben Rothke just wrote this excellent book review: "In a fascinating and eye-opening new book Googling Security: How Much Does Google Know About You?, author Greg Conti explores the many security risks around Google and other search engines. Part of the problem is that in the rush to get content onto the web, organizations often give short shrift to the security and privacy of their data. At the individual level, those who make use of the innumerable and ever expanding amount of Google free services can end up paying for those services with their personal information being compromised, or shared in ways they would not truly approve of; but implicitly do so via their acceptance of the Google Terms of Service."

Twitter's access control sucks! It cannot remember my password. Very frustrating! A number of my friends are using it and it gives me a chance to learn about the personal side of them. I really can't quit using Firefox and NoScript, surfing the internet is just too dangerous otherwise, and I suspect that is where the problem is. But, I do not know how many times I can take reading "Hey there. Can't remember your password, huh? It happens to the best of us." Well no, Twitter, I do remember my password, thank you very much. In fact, I think I could safely post it on my blog because you cannot use it to log in to Twitter, that is for sure. OK, enough ranting. Time to go see what Jim Clausing is up to.

Are you patched? Tuesday, November 11 was Microsoft's monthly 'Patch Tuesday'. A number of important patches were released affecting both Windows XP and Windows Vista. There are also patches for Microsoft Office 2003 and Office 2007. If you are interested in more information about what the specific updates are for, you can go to the following web page which is the 'Microsoft Security Bulletin Summary for November, 2008'. It contains links to the specific Microsoft security bulletins for each issue that is being addressed. http://www.microsoft.com/technet/security/bulletin/ms08-nov.mspx Also, be sure and check out PSI for your third party applications.

New paper in the reading room, by John Brozycki, on detecting anonymous proxies, "Many organizations filter the Internet sites that their users may view. They do this for legitimate reasons that include preventing hostile work environments for their users, protecting network assets and data from malicious code or theft, and complying with regulations and company policies. Anonymous proxy services allow users to bypass most filtering systems. This paper explores methods organizations may use to detect and prevent anonymous proxy usage."
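As an added illustration of what "detect anonymous proxy usage" can look like in practice (this is my own example, not the method from John Brozycki's paper, and not code from the post), the block below runs a handful of constructed web-proxy log lines through three heuristics a filtering team could apply on its own gateway logs: the destination host is on a known-anonymizer list, the request carries a second absolute URL inside its path or query the way CGI- and form-style proxies do, or a CONNECT tunnel goes to a bare IP address on a port other than 443. The hostnames, addresses, the log layout and the anonymizer list are all constructed; a real deployment would feed a maintained category list into KNOWN_ANONYMIZERS.

```python
"""Flags likely anonymous-proxy use in web proxy logs. Added example for this post;
it is not the method from the paper quoted above. Hostnames, addresses and the
log format are constructed, and the heuristics are this example's own."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# A real deployment would feed a maintained category list here; these are constructed.
KNOWN_ANONYMIZERS = {"proxy.example", "hidemyweb.example"}
EMBEDDED_URL = re.compile(r"https?://", re.IGNORECASE)
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

# Constructed log: epoch, client, method, target, status.
SAMPLE_LOG = """\
1226000001 192.0.2.10 GET http://news.example.com/story/42 200
1226000002 192.0.2.11 GET http://proxy.example/index.php?q=aHR0cDovL2Jsb2NrZWQuZXhhbXBsZQ== 200
1226000003 192.0.2.12 GET http://freeweb.example.net/proxy/http://blocked.example/ 200
1226000004 192.0.2.12 GET http://freeweb.example.net/browse.php?u=http%3A%2F%2Fblocked.example%2F 200
1226000005 192.0.2.13 CONNECT 203.0.113.9:8080 200
1226000006 192.0.2.10 CONNECT mail.example.com:443 200
"""


def reasons_for(method, target):
    """Why a single request looks like proxy use; an empty list means nothing noticed."""
    reasons = []
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        if host in KNOWN_ANONYMIZERS:
            reasons.append("known-anonymizer")
        if IPV4.fullmatch(host) and port != "443":
            reasons.append("connect-to-bare-ip")     # tunnels to raw IPs rarely come from browsers
        return reasons
    u = urlsplit(target)
    if u.hostname in KNOWN_ANONYMIZERS:
        reasons.append("known-anonymizer")
    if EMBEDDED_URL.search(unquote(u.path)):
        reasons.append("url-in-path")                # CGI-style proxies carry the real URL in the path
    if any(EMBEDDED_URL.match(v) for _, v in parse_qsl(u.query, keep_blank_values=True)):
        reasons.append("url-in-query")               # form-style proxies pass it as a parameter
    return reasons


def analyze(log_text):
    """Return [(client, target, reasons)] for every request that tripped a heuristic."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        _, client, method, target, _ = fields[:5]
        reasons = reasons_for(method, target)
        if reasons:
            hits.append((client, target, reasons))
    return hits


def flagged_clients(log_text):
    """client -> sorted reasons, the view you would hand to the desktop team."""
    out = {}
    for client, _, reasons in analyze(log_text):
        out.setdefault(client, set()).update(reasons)
    return {c: sorted(r) for c, r in out.items()}


if __name__ == "__main__":
    for client, target, reasons in analyze(SAMPLE_LOG):
        print(client, ",".join(reasons), target)
```

The second log line is the caveat: the target URL is base64-encoded in the query, so the embedded-URL check misses it and only the host list catches it. Neither signal is sufficient alone, which is why the output keeps every reason that fired rather than a single verdict.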

Federal computer week reports, "The U.S. military’s dependence on sophisticated network-centric information technology has become its “Achilles heel,” according to a new report from the Defense Science Board. Although cyber threats have grown, there has been limited progress on cybersecurity for national defense and the incoming Obama administration should place the “highest priority” on accelerating and strengthening cybersecurity efforts, said the report, titled “Defense Imperatives for the New Administration,” which was published on the Web on Nov. 4." Has anyone seen this report, can you send a copy to stephen@sans.edu?

I got a note from Stephen Sims, "Just checking in with you... I'm finalizing my expansion from two-days to four-days on SEC709... This thing is fun to write and I hope it gets the justification to go to six days sometime next year! Interestingly, I think London is over 20 people signed up for the two-day version of 709. I had to put a cap at 25 as it's probably not a good course to have large numbers. At least not at this point until it runs a few more times. SPAWAR is having it as a four-day OnSite in February I believe. The problem is that no one is signed up in Vegas yet for Security West. I know that one is having trouble all around, but it is odd to me that the Europeans just seem to be ahead of the curve on this stuff. Four of my students at NS2008 for 709 were from Sweden and London. They actually generated some of the students in London for me as they liked it so much. Wondering what we can do to get the US people on board? I really think this course is going to grow and I am excited about that. I just need to work on some clever marketing ideas. I'm also thinking the government and other similar sectors will likely be more apt to taking the course than the private sectors..." Ouch, no one is signed up for Vegas. Developing Exploits for Penetration Testers and Security Researchers is a great course, but it is advanced level. It is designed for:
  • Incident handlers looking to take the next step in understanding exploitation in its most technical form
  • Network and system security professionals looking to understand the methods used to write exploit code and discover vulnerabilities
  • Programmers and code review engineers looking to understand the threat of exploitation and how to write Proof of Concept (POC) code to demonstrate exploitation techniques
  • Certification-holders looking to improve and put their practical knowledge to the test
  • Anyone looking to build credibility and take a technical course on advanced hacking techniques
So, if you know someone that will benefit, please let them know about the course. But again, it is not for everyone. Keep the following in mind: "Pre-requisites/ This is a fast-paced, advanced course that requires a strong desire to learn custom exploitation techniques and advanced penetration testing. Courses such as SEC504 :: Hacker Techniques, Exploits & Incident Handling, SEC560 :: Network Penetration Testing and Ethical Hacking, and SEC610 :: Reverse-Engineering Malware are recommended prior to or as a companion to taking this course. Experience with programming in any language is recommended but not required. The basics of programming will not be covered in this course. Most of the vulnerable programs and exploits are written in C, C++, Perl, or Python. Familiarity with Linux and Windows is highly recommended. Additionally, this course requires familiarity with the Intel x86 processor, machine code, and the C language."

[November 12, 2008] Still in a holding pattern to get ready for our trip to Italy, London and more. On the security news front, the most advanced Information Security Certification is the GSE, but so many people are afraid of it. So it is refreshing to see a blog post like this from Craig Wright. "Next for me... The GIAC Secure Software Programmer - Java (GSSP-JAVA) certification and then the final GSE to complete the trio later in 2009. What better way to show that you know your stuff in secure coding! The GSE requires the GCIH, GCIA and GSEC certifications, all of which I have. One REAL benefit is that I will get the material for the GSEC before I take the GSE exam next year. I have the GCIA and GCIH material already (though I am looking forward to seeing all the updates for they change regularly). I challenged the GSEC and thus do not have these books or MP3's. I guess this is something to look forward to."

Peter, who has an interesting and eclectic blog just passed his GSNA, "Needless to say, I’m psyched. I learned a lot at the SANS training, and also while reviewing the materials on my own. In hindsight, I probably studied more than I really needed to, but I lost all momentum back in August during the initial phase of my separation/divorce. Fortunately, I was able to recover and make up the lost ground. I got just over a 95 on the test, which I completed in under two hours (despite having the test server freeze on me and not accept any input for 5 minutes - annoying, but again, I recovered)."

[November 11, 2008] Continuing countdown to Europe and England. Kathy is going through her clothes, trying to decide what to bring; for myself, I am racing to finish a painting, not sure why I am in a hurry though, so may prioritize other tasks. Found a couple interesting tidbits in my mailbox.

An article by Marcia Savage picked up by Search Security states, "According to the study, which surveyed 199 security experts and industry representatives, most industries that make up the critical infrastructure are not prepared for cyberattacks. More than half of the respondents said that utilities, oil and gas, transportation, telecommunications, chemical, emergency services and postal/shipping sectors were not prepared." That is so true. The problem is that the focus on compliance has taken away focus from security. Compliance does not equal security. Let me give you a few examples:
  • Processor Magazine, "In his “Information Security Scenario” presentation at Gartner’s Fall Symposium, analyst John Pescatore stressed the importance of “protecting customer and business data first and then implementing automated processes and integrated compliance efforts to demonstrate how those security controls satisfy compliance requirements.”
  • Search Security, "The fact is you can be PCI-compliant and still be insecure. Look at online application vulnerabilities. They're arguably the fastest growing area of security, and for good reason — exposures in customer-facing applications pose a real danger of a security breach."
The situation is grave, we each need to start dialogs between the audit folks and the security folks, determine the priority and I agree with Mr. Pescatore, protect customer and business data first, and get on the right track.

Our own John Strand was just published in Search Security on Predictable Blacklists, "The highly predictive blacklist (HPB) approach is unique; it allows for custom blacklisting based on the importance to a given company. An HPB gives an organization's firewalls individualized attack data and integrates an inventive relevance-based ranking setup based on Google's PageRank system, which analyzes hypertext links. For example, let's say that you are a Department of Defense contractor that contributes attack logs to DShield. Because you are not the only defense contractor contributing to DShield, the data center can develop a list of IP addresses that have been known to attack other defense contractors and develop a list for your organization based on historical attack data from similar organizations."
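To show what "relevance-based ranking" buys you over a plain most-reported list, here is an added example that is my own, not DShield's or the HPB authors' code, and not from John's article. It builds a contributor-overlap graph from constructed attack logs (five fictional contributors, RFC 5737 addresses), runs a simplified personalized PageRank from the contributor being protected to weight the others, and then ranks attacker IPs that contributor has not yet seen by the weight of who reported them. The naive global ranking is computed alongside so the two orderings can be compared.

```python
"""Relevance-ranked blocklist in the spirit of the highly predictive blacklist
(HPB) described above. Added example for this post, not DShield's or the
HPB authors' code; the contributor names and attacker addresses are constructed
and the ranking is a simplified personalized PageRank over contributor overlap."""

# Constructed attack logs: contributor -> set of source IPs that hit its firewall.
LOGS = {
    "defense-A": {"198.51.100.1", "198.51.100.2", "198.51.100.3", "203.0.113.50"},
    "defense-B": {"198.51.100.1", "198.51.100.2", "198.51.100.3", "198.51.100.4", "203.0.113.51"},
    "defense-C": {"198.51.100.2", "198.51.100.3", "198.51.100.5"},
    "retail-D":  {"203.0.113.60", "203.0.113.61", "198.51.100.9"},
    "retail-E":  {"203.0.113.60", "203.0.113.62", "198.51.100.9"},
}


def overlap_graph(logs):
    """Edge weight between two contributors = number of attacker IPs both have logged."""
    names = list(logs)
    return {a: {b: len(logs[a] & logs[b]) for b in names if b != a} for a in names}


def relevance(logs, target, damping=0.85, rounds=50):
    """Personalized PageRank restarting at `target`: how much each other contributor's
    experience should count for it. Contributors sharing no attackers stay at 0."""
    w = overlap_graph(logs)
    r = {n: float(n == target) for n in logs}
    for _ in range(rounds):
        nxt = {}
        for n in logs:
            inflow = 0.0
            for m in logs:
                total = sum(w[m].values())
                if m != n and total:
                    inflow += r[m] * w[m][n] / total
            nxt[n] = (1 - damping) * float(n == target) + damping * inflow
        r = nxt
    return r


def hpb_rank(logs, target):
    """Rank attacker IPs `target` has not yet seen by the relevance of who reported them."""
    r = relevance(logs, target)
    scores = {}
    for contributor, ips in logs.items():
        if contributor == target:
            continue
        for ip in ips - logs[target]:
            scores[ip] = scores.get(ip, 0.0) + r[contributor]
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def global_rank(logs, target):
    """The naive alternative: rank unseen IPs by how many contributors reported them."""
    counts = {}
    for contributor, ips in logs.items():
        if contributor == target:
            continue
        for ip in ips - logs[target]:
            counts[ip] = counts.get(ip, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print("HPB    :", hpb_rank(LOGS, "defense-A")[:3])
    print("global :", global_rank(LOGS, "defense-A")[:3])
```

For defense-A the global list leads with the two addresses every retailer saw, while the relevance list leads with the addresses that hit the other defense contractors, which is exactly the "who attacks organizations like mine" list the article describes. The retail contributors share no attackers with defense-A, so their reports contribute nothing to its list.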

Three great opportunities to take Security Training without travel just popped up; I found a technical auditing course, the leading hands-on computer forensics course, and also a penetration testing course. And yes, even though you can take the course from home or work, it is still fully hands-on; they have a remarkable technology that makes this possible.
  • SANS Auditing Networks, Perimeters and Systems will be taught by SANS senior instructor Tanya Baccam. The weekly course webcasts begin Monday, January 12. See full course details, class session dates, and register for SANS Auditing Networks, Perimeters and Systems by clicking on http://www.sans.org/info/33224. If you want to learn from someone who can teach both real security and how to remain compliant with the regulations, Tanya has the kind of deep experience to help you with that.
  • Computer Forensics, Investigation and Response delivered via SANS @Home. SANS Certified instructor Michael Murr will teach the course for the 5th consecutive time. For complete details, read below or click on http://www.sans.org/info/33223. Professionalism is becoming crucial to the computer forensics profession. Many of you are aware of the legislation in Texas under which only Private Investigators can conduct forensics. This course prepares one for the leading forensics certification, the GIAC GCFA. By the way, if you are not familiar with the new http://forensics.sans.org/ site, you should be. I particularly like the breaking news section on the home page and their blog.
And, from the mailbox: "On November 19th and 20th, the Institute for Information Infrastructure Protection (I3P), in cooperation with Carnegie Mellon's Software Engineering Institute and the University of Virginia, is sponsoring a workshop, "What Businesses Need to Know about Harmonizing Resilience and Cyber Security", at Virginia's Darden School of Business. Touching on the ability of businesses to withstand and recover from cyber attacks, the workshop will examine the link between cyber security and operational resilience, a topic that has received little coverage but is of increasing importance to the nation's economic infrastructure. Overall, we anticipate a diverse audience of thought leaders from industry, government and academia. To register or obtain more information about the workshop, please go to: http://www.thei3p.org/events/workshop_uva08.html" If you go, drop me a line (stephen@sans.edu) and let me know if you found it useful.

Also, want to make sure you caught this from NewsBites (if you don't get NewsBites, you really should):
--Researchers Publish Paper on Breaking WPA TKIP (November 6 & 10, 2008). Two German university researchers have discovered a combination of techniques that could allow an attacker to compromise Wi-Fi Protected Access (WPA) encryption in less than 15 minutes. The attack does not result in the encryption key being discovered. Rather, the technique allows attackers "to decrypt packets and inject packets with custom content." Martin Beck and Eric Tews present their findings at the PacSec 2008 conference in Tokyo this week. The attack targets the WPA's Temporal Key Integrity Protocol (TKIP).
http://www.securityfocus.com/news/11537
http://www.heise-online.co.uk/security/Security-experts-reveal-details-of-WPA-hack--/news/111922
http://dl.aircrack-ng.org/breakingwepandwpa.pdf
Johannes Ullrich comments: "Although the attack is rather limited, it highlights the fact that WPA and TKIP were meant to serve as a transitional fix for older hardware. WPA2 is the 'real fix'." And, from Raul Siles at the Internet Storm Center: "This new research opens the door to new WPA/TKIP attacks and future attack enhancements, so it is time to start applying and planning the appropriate security countermeasures to remove or mitigate this and similar future threats. Update to WPA2/AES as soon as you can! Because the vulnerability is in TKIP, both WPA and WPA2 can be affected. The attack affects WPA2 if configured with TKIP because WPA2 allows both AES and TKIP (while WPA only allows TKIP)." http://isc.sans.org/diary.html?storyid=5315
[Stephen Northcutt] I completely agree; we need to be running WPA2.
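
The practical catch in the ISC comment is that "running WPA2" is not enough if the access point still offers TKIP to WPA2 stations. Here is an added example of mine (not from NewsBites, the ISC diary, or this blog) that audits a hostapd.conf for exactly that. The two configuration fragments are constructed; the keys it reads (wpa, wpa_pairwise, rsn_pairwise) and the rule that rsn_pairwise falls back to wpa_pairwise when unset are hostapd's documented behaviour. It also flags a mixed TKIP/CCMP cipher list, since hostapd then uses TKIP as the group cipher, so even CCMP clients' broadcast and multicast frames are TKIP-protected.

```python
# Constructed hostapd.conf fragments (not from any real deployment). The first
# still offers TKIP to both WPA and WPA2 stations; the second is the corrected form.
WEAK_CONF = """\
interface=wlan0
ssid=corp-wifi
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_passphrase=not-the-real-one
wpa_pairwise=TKIP CCMP
rsn_pairwise=TKIP CCMP
"""

FIXED_CONF = """\
interface=wlan0
ssid=corp-wifi
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=not-the-real-one
rsn_pairwise=CCMP
"""


def parse_hostapd(text):
    """Parse hostapd's key=value format, ignoring blank lines and # comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def audit_hostapd(text):
    """Return a list of findings about TKIP exposure; an empty list means the AP
    offers WPA2 with CCMP (AES) only."""
    cfg = parse_hostapd(text)
    try:
        wpa = int(cfg.get("wpa", "0"))  # bit 1 = WPA, bit 2 = WPA2/RSN; 3 = both
    except ValueError:
        return [f"wpa={cfg.get('wpa')!r} is not a number"]
    if wpa == 0:
        return ["wpa=0: neither WPA nor WPA2 is enabled"]

    wpa_pairwise = cfg.get("wpa_pairwise", "").split()
    # hostapd applies wpa_pairwise to RSN/WPA2 as well when rsn_pairwise is unset,
    # so a WPA2-only AP with wpa_pairwise=TKIP still serves TKIP.
    rsn_pairwise = cfg.get("rsn_pairwise", "").split() or wpa_pairwise

    findings = []
    if wpa & 1 and "TKIP" in wpa_pairwise:
        findings.append("legacy WPA is enabled with TKIP (wpa_pairwise)")
    if wpa & 2 and "TKIP" in rsn_pairwise:
        findings.append("WPA2 stations may still negotiate TKIP (rsn_pairwise)")

    offered = set()
    if wpa & 1:
        offered |= set(wpa_pairwise)
    if wpa & 2:
        offered |= set(rsn_pairwise)
    if "TKIP" in offered and "CCMP" in offered:
        # hostapd derives the group cipher from the pairwise list: CCMP only when
        # CCMP is the sole pairwise cipher, otherwise TKIP. A mixed list therefore
        # carries every client's broadcast/multicast traffic over TKIP.
        findings.append("mixed TKIP/CCMP list forces a TKIP group cipher for all clients")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label, audit_hostapd(conf) or ["ok: WPA2/CCMP only"])
```

The same check is worth running from the client side: a scan that shows an RSN element listing TKIP as a pairwise cipher is the same exposure, whatever the vendor's GUI calls the mode.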

[November 10, 2008] Countdown to Europe. Kathy and I will be traveling to Italy and London, and a number of other places as well. Somehow, all the traveling I have been doing lately has not really prepared me for this trip, because I will need to factor in both vacation time (Yayyy) and business travel. However, I will start thinking about wardrobe and the like shortly.