NOT another Heartbleed Post

no-heartbleed-218x218But rather a heartfelt thank you and cry for your support! In exchange for not writing yet another piece on Heartbleed (enough coverage by me here  from last week) I thought I would take this opportunity to talk about the European Security Blogger Awards.

In it’s second year only, the competition has certainly heated up with a large number of high quality blogs, blogs and podcasts on offer to vote for. There is a good commentary from IT Security Guru and Brian Honan on what it is all about here.  I am thrilled, excited and pleasantly surprised to have been nominated in five categories this year:

  • Best Corporate Security Blog
  • Best Personal Security Blog
  • Most Entertaining Blog
  • Most Educational Blog
  • Grand Prix best Overall Security Blog

(I’m not sure how I got into the corporate blog category, but it’s all good!)

Thank you to all of those who nominated this blog in all of those categories, but with the quality amount of the competition I shall have to start practicing my Hollywood Oscars “really upset but can’t show it that I lost to that charlatan” face when the winners are announced.

One of my other internet tenancies has also been nominated three time, Host Unknown:

  • Best Security Video Blog
  • Most Educational Blog
  • Best New Security Blog

With less than a year in “business” it is great to be nominated here as well, and we have a number of very exciting activities coming up over the next few months.

I said this last year, and it is worth repeating again; this list of nominations represents the very best of what the information security blogging community has to offer. Some of it serious, some of it humorous and some of it acerbic, but all of it providing a viewpoint of one kind of another that is worth listening to, reading or watching. Use this as a shopping list for your RSS reader.

Voting closes on Wednesday 23rd April, and the awards will be announced on Wednesday April 30th at the Prince of Teck Pub, Earls Court.

Thank you again to those of you who nominated me, time for the voting campaign to begin!


Top Five From RSA USA 2014

rsac2014-program-guide-cover-320x407pxI attended the RSA Conference USA last week and was able to witness the chaos, FUD, genuine insight, original thoughts and 25,000 people queueing for a coffee and bagel at 10 o’clock in the morning.

Rather than even attempt to do an end of show round up that other have been able to do far more successfully than me, here are the five things that I remembered the most from the week:

3M Visual Privacy

I still think 3M produce the best privacy filters for monitors, but I have been waiting a long time for technology to catch up and remove the unsightly and easily-left-behind at home piece of plastic in favour of a solution built into the screen itself. Whilst I didn’t unfortunately see that, one of the product managers assured me that this is exactly what the boffins at 3M are currently working on. This is going to be a huge step towards universal and transparent (forgive me) visual security for people using laptops in public places.

MISD_PrivacyFilters_Apple_IMG_ENWW3M also surprised me by demonstrating a pice of software they have designed as well; the known problem with privacy filters is that they only protect you from people looking at your screen from your left or right. From directly behind you they can easily see your screen. The software uses the built in webcam to recognise the users face, and if another face appears in the background looking at the screen, pops up a warning to the user and blurs the screen. To be honest it was a little clunky when I saw it, and it is currently only being developed for Windows, but this is exactly the sort of environment that people working with sensitive information need to “watch their backs” almost literally. I hope they continue to refine the software and expound it to all other major platforms.

Security Bloggers Meetup

sbnRSAC USA sees the annual meet up of the Security Bloggers Network, so i was very excited to be able to attend this year and witness the awards show and a great deal of silliness and nonsense (to whit, the “bald men of InfoSec” picture for one). I managed to meet for the first time a whole bunch of people that I have either conversed with or followed myself, and some of whom I have very much admired. No name dropping I am afraid as there is too much of that later on in this post, but one thing I did take away was that there is a very valid desire to harmonise the North American and European Security Blogger Awards moving forwards which can only be a good thing and build the international blogger network further. In fact, you can now nominate for the EU Security Bloggers awards here.

The "infamous" bald men of security.

The “infamous” bald men of security.

SnoopWall and Miss Teen USA

snoopwall-website-logoIt wouldn’t be a security conference without some kind of booth babe furore and this one was no different. Although the presence of booth babes has dramatically reduced over the last few years there were still a few vendors insisting on using them. And then we thought we had hit a new time low with the presence of Miss teen USA, Cassidy Wolf, at the SnoopWall booth in the South Hall. Condemnation was rapid and harsh. BUT WAIT… THERE’S MORE TO THIS STORY THAN MEETS THE EYE! After I retweeted my feelings about a teens presence at a conference that could best be described as a recovering alcoholic when it come misogyny, I was contacted by Patrick Rafter, the owner VP of Marketing of SnoopWall.

They have partnered with Cassidy to promote privacy amongst teens in complement to their product that detects the misuse of, for instance, the webcam on your computer or your phone. For those that may not know, Cassidy was the victim of blackmail from an ex classmate who hacked into her webcam in her bedroom, took photos and then demanded more pictures. It goes without saying she stood up to the blackmailer, and has since made privacy one of her “causes” during her tenure as Miss Teen USA. Was having her at their booth at RSA a little misjudged? Yes. Is their cause and campaign (and software for that matter) actually have very good intentions? Absolutely. I chatted with Patrick a day later and while he acknowledged how Cassidy’s presence could have been misinterpreted, he strongly defended her presence and her intentions. I honestly found it laudable. Hopefully over the next few years as the industry finally sorts out its booth babe problem, people like me won’t be jumping to the wrong conclusions as we assume the worst.

The Thomas Scoring System

Thomas Scoring System LogoA few months ago I posted about Russell Thomas’ approach to risk management. I had the good fortune to meet with Russell at the Security Bloggers Meet Up and chatted in depth about his approach to measuring risk consistently. He has turned this idea into a very practical approach via an Excel spreadsheet, a point I made in my earlier review. This is important because without a way to implement at a very practical level it remains a theory. The following day Russell was kind enough to walk me through how to use the system in practical terms, and I am going to be trying it out in my day job as soon as possible. I would urge you to take a look at the Thomas Scoring System as I strongly believe it is a great way of bringing metrics together in a meaningful way.

Gene Kim & The Phoenix Project

I was fortunate enough to have been introduced to Gene Kim, the founder of Tripwire, author, DevOps enthusiast and all round genius/nice guy a few months ago, and we had chatted a couple of times over Skype. (Gene is very generously offering me his guidance around writing a book and his experiences publishing it; yes you heard it here first folks, I intend to write a book!) Knowing he was at RSA I was able to seek him out, and I can now say I have met one of my InfoSec heroes. He is a genuinely charming, funny and generous guy, and he was good enough to sign a copy of his book, The Phoenix project, as well as allow me to get a selfie with him. I would strongly encourage everyone in this field, as well as many of those not in it to read The Phoenix Project, as it quite literally changed the way I looked at the role of InfoSec in a business, and that wasn’t even the main thrust of the book.

Gene very graciously allowing me to take a selfie with him

Gene very graciously allowing me to take a selfie with him

It has taken me nearly a week to recover from RSA, but despite the scandal and boycotts and minor demonstrations it was an excellent conference, as much for the presentations as the “hallway track”. As always, my thanks to Javvad for being my conference wing man again.

Is that Javvad, or a waxwork I am posing with?

Is that Javvad, or a waxwork I am posing with?

Now it is back to real life.


Really Silly Attitude? Ropey Sales Approach?

cashRSA has had a tough few years; the subject of a high profile phishing attack in March 2011 resulting in the loss of information related to their SecureID product. They denied it was an issue until three months later when information gained from that attack was used against other companies, including Lockheed Martin, and had to subsequently replace a large number of the tokens.

In September this year they recommended that customers of their BSafe product should stop using the built in, default, encryption algorithm because it contained a weakness that the NSA could exploit using a backdoor and therefore would be vulnerable to interception and reading. How very open and forthright of RSA I thought at the time. Despite the potential damage they may be doing to their brand by giving this information freely out, they are doing so in their customers interests and at the same time offering secure alternatives. It reminded me of the early nineties and the pushback against the Clipper chip, with RSA at the forefront protecting client interests and pushing back against the spooks of the three letter agencies of the USA. Here is what D. James Bidzos said at the time:

“We have the system that they’re most afraid of,” Bidzos says. “If the U.S. adopted RSA as a standard, you would have a truly international, interoperable, unbreakable, easy-to-use encryption technology. And all those things together are so synergistically theatening to the N.S.A.’s interests that it’s driving them into a frenzy.

Powerful stuff. The newly formed Electronic Frontiers Foundation would have been proud.

 Now this is where it gets interesting and has raised the shackles of many in the Twittersphere and internet echo chambers. A few days ago it was revealed that the real reason for RSA to have used a flawed products for so many years was because the NSA paid them to. It wasn’t a huge amount of money although it possibly helped save the division that runs BSafe in RSA that was struggling at the time.

Businesses change. Leadership changes. Market forces steer a company in different direction to one a degree or another. To my mind though, to deliberately weaken your own product for financial gain is extraordinarily unwise. By taking the money, RSA have declared that profit is above patriotism, whatever your view of patriotism is. If they took no money at all, there would be a good defence that the decision was taken in the national interest and to work harmoniously with the governmental agencies that protect the USA from danger. Unfortunately organisations that have relied on RSA’s products to secure their data have been let down simply to make a fast buck,

In October this year Art Coviello spoke about “Anonymity being the enemy of Security” at his Keynote at RSA Europe. That statement takes on a very different viewpoint now.

The response has been fairly unanimous, but here is one that got me thinking about my relationship with RSA:

Mikko RSA

I personally wouldn’t go this far as I go to network with friends, peers and colleagues, as well as listen to folks from the industry talk and present; I don’t necessarily go to listen to RSA as such. However this kind of reaction is going to have an impact on RSA that is likely to be felt for a number of years to come. Most security people I know are somewhat distrusting in the first place (hence why they are in security very often!). To have these revelations is going to have an impact both in their mainstream business as well as their conference business, so often seen as the gold standard of conferences globally.

If the last few years were tough for RSA, what is the next few years going to be like for a giant in our industry?


Do as I say, not as I do (and other things our parents told us)

clip-image0026This may be quite a challenging post as I potentially expose myself as a willing victim of an Orwellian world, if not a supporter of it. Nothing could be further from the truth, but I do think certain aspects of the forthcoming argument need to be aired.

I am amazed that people are surprised and angered to hear that the US and UK governments are “spying” on their citizens. I recall as a schoolboy in Dover in the eighties seeing a large installation on the cliffs of Dover, and it was common knowledge that it was used to intercept telephone and radio signals for the government. The thought was, and still is, a comforting one that various powers-that-be are intercepting communications in a morally correct albeit secretive manner.

While the scale of the interceptions highlighted through the Snowden leaks did somewhat surprise me, the fact that it was happening did not, in fact I expected it. My surprise was  perhaps a factor of the rapid growth of the internet and the related technologies, but I was able to rationalise that with the many different methods of communications available to so many people on the planet.

I don’t agree with government back doors inside industry systems, and I don’t agree with the wholesale handing over of encryption keys to them either, but I do agree with the discrete and specific targeting of certain communications of “interest” and the decryption and handing over of those communications by the relevant company to the government in response to a valid and legal request. But it has to start with the interception, analysis, trending and prediction of traffic in the first place.

There, I said it.

We then move to the current advice being given to parents about monitoring and controlling their internet access and social media use. This type of advice is warmly embraced by most people, as one would expect, because children cannot possible be expected to know and understand the types of threats they might be exposed to on the internet, and too naïve to be able to deal with them. They do not have the experience or understanding of what could happen if they use the internet without some kind of supervision and monitoring, and as responsible parents we are there to protect, educate and support.

I think there is a parallel here, namely that the general population simply does not understand the kind of threats that are out there, and how monitoring communications and the internet is a fundamental way of ensuring that we don’t find out the hard way. There has to be a certain level of trust in the various government bodies that the monitoring is done for specific purposes, in the same way a child will have a level of trust that a parent monitoring contacts and online activity is doing so not to harm the child but to protect them from needless abuse and worse.

This parallel is not a clear one I understand; there have been abuses of power, and the politics of government is a dirty business at the best of times, but I pay taxes and participate in my community for the benefit of the greater good and therefore expect a certain level of protection from the powers that be. I chose to live in a somewhat paternalistic society because it benefits me and I get to enjoy a largely violence free lifestyle as a result.

Were you surprised by these revelations? Angered or resigned to them? I will continue to encrypt my most personal of data and practise good information security next time i do my banking in a Starbucks; not to protect myself from the government but from the criminals. I will leave the criminals to the government.


Amsterdam has them now: RSA Europe 2013 and playing the Game of Thrones

IMG_2991As usual it was a great week at RSA Europe, as much for the hallways track as all the other tracks on offer. Whilst it may not be as large as it’s bigger brother in San Francisco the move to Amsterdam from London seems to have given the conference a new sense of purpose and scale. The potential to grow in this location is obvious. But I hope it doesn’t grow too much more; there was always a sense of knowing what was going on and when, and where you were in relation to the auditoriums and speakers. I am sure that sense of perspective is more than lost in the scale of RSA San Francisco.

It still had it’s challenges, all minor. For instance, tea and coffee points that seemed perpetually shut throughout the day, a distinct lack of activities on Wednesday even after a 17:00hrs close, and perhaps the location did not lend itself to the kind of out of hours socialising that London had to offer. For me the Novotel bar became the centre of my networking experience, no bad thing, but I would wager there were a few more hotel bars doing the same thing meaning the networking was seriously fragmented.

The usual suspects were there for me to socialise with as well as some new faces, such as Tor and Kjetil from Norway who were both intelligent and hilarious, a combination I always enjoy. I managed to meet a few more of our industry “luminaries” as well which is always interesting (never meet your heroes!), as well as catch up with others I had met previously and enjoyed their company and insights.

IMG_2998For me the whole conference was focused upon 14:40hrs on the Thursday when I presented “Playing the Game of Thrones: Ensuring the CISO’s Role at the King’s Table”. Not only was I presenting in my own right but I was also presenting content and an approach that I had synthesised from a variety of sources and my previous thoughts and theories. The session went extremely well, was watched by a number of people I know and respect, and was fully attended (with even a couple of people having to stand). Questions at the end were thin on the ground although I had noticed that throughout the conference, but the feedback has been phenomenal. I haven’t had the formal feedback from RSA yet, but their newly introduced conference app allows me to see a certain degree of feedback on both me as a speaker as well as the talk itself.

RSAC Europe 2013 GRC-R08 THOM LANGFORD.005

The slides are above in PDF format, and are also available in Keynote format here. My good friend and evil twin brother Kai Roer kindly filmed the talk as well, and as soon as that is available I will be publishing that on YouTube. One of the key reasons for doing so is to invite more comments on the material itself, as I made a few bold statements that I am sure not everyone would agree with. For instance, the less influence a CISO has, the more prescriptive (and lengthy) the policies are, in turn making them less effectives. This is based on my observations only rather than research, so getting feedback on points such as this helps inform everybody more.

All in all it was a great week, making new friends and meeting old ones and always learning new things almost every hour. Here is my honour roll of folks from the week that made it as memorable as always:

Javvad, Brian, Kai, Kjetil, Tor, David, Dave, Bruce, Tor, John, Dwayne, Quentyn, Neira, Josh, Martin, David & Olivier (my apologies to anyone I left out, it is the fault of my memory and not how memorable your were!).