August 2008 Archives

I'm reading the news and it's like watching Mythbusters. On one hand, NASA managed to find "life" in space. On the other hand, my myth of NASA's security is busted. For the sake of discussion, it does not matter how the virus got there or whether it is dangerous or just annoying. The simple fact is that there are no more sanctuaries.

I hate to sound like I'm FUD-ing - and I hope that no one will Defudder me - however, there are some questions that should be asked.
August 28, 2008

PCI version 1.2 is coming

PCI version 1.2 is starting to make its rounds. Having been through 1.0, then 1.1, this new version continues to give me the warm and fuzzies about this regulation. Why? Because it's just so reasonable. I know people will take issue with that, but if you've been around regulations for a while you know what I mean (does anyone remember HIPAA and all the cycles we went around on that? Or the SOX COBIT meat grinder?).

Amichai and I held a webinar last week. Recalling the rush around 1.1 as organizations tried to get their heads around the regulations, we decided to help folks get a head start. Our net takeaway is the old Hitchhiker's Guide to the Galaxy adage, "Don't Panic."

  dpanic.JPG 


There's a New Talk in the Block (figure of speech)

After watching Chicago Hope, ER and Grey's Anatomy I can now follow some of the medical lingo thrown here and there. With NYPD Blue, the various CSIs and Law & Orders, I got to know some police slang. From LA Law, The Practice, and Law & Order (2 for the price of 1!) I learned some lawyer talk. Even Buffy the Vampire Slayer enriched my gothic vocab.


And now it's the security industry's time to put a list together before we find ourselves ashamedly bewildered couch potatoes. While not as comprehensive as Douglas Adams' (and John Lloyd's) "Meaning of Liff", here are some terms I gathered for those very common infosec concepts that we all need names for:

  • Malvertisements: malicious ads that, once clicked, route the user to some malware site. Drive-by-downloads thrive on malvertisements.
  • Freetards: mainly used to describe those that click on malvertisements promoting free proprietary software, free movies, and free songs. Remember, you get what you pay for (or perhaps, you pay for what you get for free).
  • Hacktivism: Hacking with a political / social agenda. Hacktivists usually target popular websites in order to deface them with their message. A popular defacement method is SQL Injection.
  • Great Firewall of China: China's strict policy of IP and content filtering. Hacktivists usually try and find a way to bypass the Great Firewall of China.
  • Hacker-ogler: one that hacks into a webcam.

And may I add one of my own:

  • Defudder: The act of bloggers and forum members to refute the FUD (Fear, Uncertainty, Doubt) vendors try to feed the non-technical user.

Let's practice some geek talk now: "Don't be a freetard and click that link! It's probably a malvertisement planted there by a hacktivist who couldn't get past the Great Firewall of China."


Feel free to post your dictionary additions in the comments section!

So, in an attempt to overcome coffee deprivation, I am trying to read some trade rags. Here's what I dug up, similar to what my colleague, Sharon, posted recently: "This Year's Data Breaches Surpass 2007 Totals". We are now "ahead" of the 2007 numbers. So, sort of like the opposite of "tax freedom day," we are moving back the date at which we hit last year's numbers. Despite that, I take it as a good sign: I expect that while the number of breaches is increasing, people are becoming more aware and are starting to report them as well (voluntarily or involuntarily). There is definitely light at the end of the tunnel, and, no, it is not that of an oncoming train :-)
In the world of media, ratings are everything. They are the industry's lifeblood. Check the US TV buzz pulse here. Success and failure are determined by the ratings value: daily and weekly statistics, all based on statistical sampling.

When it comes to security and auditing, sampling is simply not good enough. The leaders at Fuji Television Network, Japan's leading television broadcasting company (they also broadcast Dragon Ball Z, ask your kids...), know that. One of the key reasons for selecting SecureSphere, according to Mr. Satoshi Morimoto, Manager of Information Security for Fuji Television Network, was that "SecureSphere provides us with full details on database queries and responses".

August 26, 2008

You Create The Caption


no coffee.png

Image source: http://www.oliverdunne.com/alldone/comics/4%20-%20No%20Coffee.png

August 24, 2008

Error: No Errors Found

My all time Donald Rumsfeld favorite:

There are known knowns. There are things we know that we know. There are known unknowns. That is to say, there are things that we now know we don't know. But there are also unknown unknowns. There are things we do not know we don't know.

Ask anyone who has used software for long enough and he'll tell you that error messages should provide helpful information and advice, not only for the user, but also for tech support and maintenance programmers. The web is full of examples of useless and stupid error messages like those in this classic article from 1998.

No doubt error messages should be useful, but in most cases even a poor message is far better than no message at all. I've seen individual developers and even companies taking the shortest path to "solve" the problem by taking the totally wrong DTTC approach (Don't Tell The Customer), thinking that they can sweep a temporary or minor event's problem under the rug, but thereby creating a bigger problem of unknown unknowns.

In a rather unusual email, Google's Android security team approached the security community earlier this week via the Full Disclosure mailing list, introducing themselves and asking for moral support and responsible disclosure. Amichai and I talked recently about responsible disclosure (here, here and here). The Android security team at Google took no chances, promising credit only to those that will play by their rules.

Our vulnerability bulletins will credit responsible reporters of any flaws.

If you did not have a chance to read Google's mail, you should. It's fun reading. Here are my comments...
August 22, 2008

Hack With New People

Do you have the next great web idea but lack technical staff? Do you have technical skills and are looking for the next big thing to drive your excitement and enthusiasm? There are several sites that will try to connect entrepreneurs with highly skilled professionals but JustHackIt is the first site that is dedicated to web applications.

So the idea is to connect people who want to build something RIGHT NOW. Ideas can be simple 1 page websites or complex Google competitors. The main point is to just get started hacking with new people! Hopefully you'll meet your next co-founder or your 1 page website will be successful by itself. If you find out you don't work well with someone, try someone else. No pressure.
 
Simple idea, nicely executed. Some of the ideas are good. From an ROI perspective, it looks like a good $7 investment. According to Centernetworks, the site is now for sale. The use of the hack-words, with all possible diversions and inflections, makes sense as a buzz generation tool as well. If nothing works, it can always continue to be used as the hackers' dating site.



As a follow up to our ADC webinar on SQL Injection led by our CTO - Amichai Shulman, I had an opportunity to meet with some of our customers and discuss the latest SQL attack trends.

Our partner, AppSec Consulting, chose the location, which I admit was not to my liking. They chose an indoor gun range, and while for some people shooting stuff is the ultimate stress reliever, I'm not one of them. As a veteran Lieutenant of the Israeli Defense Force, shooting brings up some stressful memories. If you have never experienced shooting in an indoor range, let me tell you - it's scary. The sound produced by gunfire is deafening outdoors, but when the acoustical energy it produces is confined to a small indoor space such as a firing range, it gets even louder. Add to that the fact that some shooters are new to the experience, and some (not our customers) may be doing stupid, crazy things... oh, well. I stayed outside while the guys were having fun.

But as I mentioned, we spent some time talking about SQL Injection attacks as well. Often when we talk about SQL Injection attacks, we think about protecting the application with a web application firewall. Less often, we talk about the impact on the database behind the website. In the past, most SQL Injection attacks tried to get valuable information out of the database, and in that case nothing on the RDBMS itself was compromised or changed. But lately we see more attacks that try to manipulate the content of the RDBMS. The example I used in my demo showed how SQL Injection can be used to insert into the database content that runs JavaScript. The compromised database then holds a piece of JavaScript (JS) embedded in its data, which in turn points to another JS file on a separate domain. Any web page that is now built from the compromised database may end up running these scripts, downloading malicious code and silently distributing malware through the connected systems.

A compromised database entry:

compromised_DB.JPG      

The bottom line is that databases are a critical component of any web application, and when protecting the application you cannot ignore the database itself. Databases should be scanned and monitored continuously to detect and prevent compromised content.
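As an added illustration of the "scan the database for compromised content" point (this is example code written for this post, not Imperva's or SecureSphere's), the scanner below walks every string cell of a table and flags stored script includes that point at a host outside a site allowlist, plus inline scripts, event handlers and iframes. The table, rows, hostnames and allowlist are all constructed for the example.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Constructed sample data standing in for a site's content table. Row 3 carries the
# kind of injected <script src=...> payload the post describes (hypothetical domain).
SAMPLE_ROWS = [
    (1, "Welcome", "All prices include tax."),
    (2, "Sale", 'See <a href="/sale">this week\'s offers</a>.'),
    (3, "Contact", 'Call us today.<script src="http://malware.example/x.js"></script>'),
    (4, "FAQ", "Why <b>SSL</b>? Read on."),
    (5, "Terms", 'Legal text.<script src="http://www.example.com/legal.js"></script>'),
]

# Hosts the site's own pages legitimately load scripts from (constructed allowlist).
ALLOWED_HOSTS = {"www.example.com"}

SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
# Content a CMS author would not normally store: inline scripts, handlers, iframes.
GENERIC = [
    ("inline script", re.compile(r"<script(?![^>]*\bsrc\s*=)[^>]*>", re.I)),
    ("event handler", re.compile(r"\bon[a-z]+\s*=\s*[\"']", re.I)),
    ("iframe", re.compile(r"<iframe\b", re.I)),
]

def build_sample_db():
    """In-memory SQLite table populated with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn

def inspect_cell(value):
    """Return a list of (finding, detail) for one stored string."""
    hits = []
    for m in SCRIPT_SRC.finditer(value):
        host = urlparse(m.group(1)).hostname or ""
        if host not in ALLOWED_HOSTS:          # script pulled from a foreign domain
            hits.append(("external script", host))
    for label, pat in GENERIC:
        m = pat.search(value)
        if m:
            hits.append((label, m.group(0)[:40]))
    return hits

def scan_table(conn, table):
    """Scan every string cell of `table` (a trusted, configured name, not user input).
    Returns (first column value, column name, finding, detail) per suspicious cell."""
    cur = conn.execute(f"SELECT * FROM {table}")
    names = [d[0] for d in cur.description]
    findings = []
    for row in cur:
        for name, value in zip(names, row):
            if isinstance(value, str):
                for label, detail in inspect_cell(value):
                    findings.append((row[0], name, label, detail))
    return findings

if __name__ == "__main__":
    for f in scan_table(build_sample_db(), "pages"):
        print("row %s, column %s: %s (%s)" % f)
```

Row 5 loads a script from an allowlisted host and is left alone, while row 3 is reported; in practice the scan would run on a schedule against each content table and its findings feed an alert.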

I hope our next event takes place at a less stressful location - perhaps even an outdoor gun range. How about paintball? I heard that's a lot of fun.

Imperva goes to the firing range.jpg

August 21, 2008

New Discovery

Discovering new servers and application data is a routine task. Security officers are scanning SQL databases to determine if they contain Non Public Information (NPI) or Personally Identifiable Information (PII), a necessary step in the battle towards compliance. A routine task.

Apparently, discovering new parts of the universe is also a routine task, but new objects are only seldom discovered. Universe Today brings the story of 2006 SQ372 (yes, that's its name). 2006 SQ372 is a "minor planet" with an unusual orbit that has been found just two billion miles from Earth (closer than Neptune).
August 20, 2008

SSL Insecurity, Old News

When everybody is watching the 2008 Summer Olympics, old news is being recycled. I could not avoid commenting on the usually excellent Threat Level, which tells us about Gmail's insecurity. It is very similar to the story that was told in the past, also at Threat Level (here) in January 2008, and at RealTechNews last year. To be fair, Threat Level mentions previous disclosures, but I am probably missing the point.

Web sites will not use SSL by default.
SSL does not always provide security.

Unfortunately, many sites will not use SSL by default. This is not unique to Gmail; many applications behave in a similar way. So what can one do? Use SSL (visit https://www.gmail.com instead of the default http://www.gmail.com), set proper preferences and minimize the use of insecure applications at unsafe locations.
August 20, 2008

Basic Chemistry

It's a miracle. That's how I feel each time after finding the answers I was looking for.

Here's the latest answer from last weekend's question.

Question: How to chill beer very fast
Answer: http://zerocold.wordpress.com/2007/07/09/how-to-chill-beer-fast/
August 15, 2008

Cyber Mercenary

Many words were written about the cyberwar between Russia and Georgia. Georgia is accusing the Kremlin, and there were reports that the Georgians experienced cyber-attacks even before the invasion began. If you Google around, you'll get hundreds of related news stories.

Evgeny Morozov decided to report from a different angle. Probably intrigued by quotes stating that cyberattacks are inexpensive and easy to mount, he decided to join the war, protected behind the shield of his laptop and far from the dangers of the fighting. Slate brings his story.


August 15, 2008

MOTD

"Cybercrime was probably here to stay". Kypros Chrysostomides, Justice Minister, Cyprus

This quote is taken from an article in the CyprusMail, delivering the story of an IT consultant breaking into a former client, an international investment and financial services company (the kind of business the island's industry is based upon), and stealing customer data.

Looks like cybercrime is everywhere, including the peaceful Mediterranean island. Only a few years ago the paper quoted another official stating that "no one in Cyprus has ever been arrested or charged with any sort of cyber crime". But now, it's there to stay.
August 14, 2008

Which Iceberg's Bigger?

When I was writing the tip of the iceberg post I was excited by the thought that the overall damage of the data loss problem is much higher than reported. According to the Wall Street Journal, the Federal Trade Commission estimates nearly $50 billion is lost annually as a result of identity theft and credit-card fraud, with part of it absorbed by banks. In other words, not only are the numbers probably much higher than reported (and therefore than the FTC's estimate), it also seems that the bigger data loss events are a direct result of one of the following causes:

  1. An application and / or database hack.
  2. Some sort of a separation of duties violation.
  3. All of the above.

SecureSphere covers all those use cases. In other words, the portion of the problem that can be addressed by SecureSphere is very big. Huge.

August 13, 2008

Unfair Advantage

Everyone (read: me) is looking for an unfair advantage: the cloak of invisibility that allows you to see and not be seen, or makes your product sell like there's nothing else.

If you were watching the Summer Olympics swimming contest, you could have understood how technology can be translated into an unfair advantage, in its positive meaning. The number of new world records is skyrocketing. In fact, it looks like we have a new world record for the number of world records.

Taste some of the debate at the Sport Scientists, and here the other experts are claiming that it's harmful. The unfair advantage is not just a result of the new suit technology (priced at $550 versus the regular $25 swimsuit). It's also the result of differently designed swimming pools (deeper, wider), more lanes, better springboards etc. Assuming that everything's legal (no drugs, the stopwatches are working perfectly etc.), the Chinese have managed to create the technology advantage that changes the rules of the game for everyone, while Speedo provides the unfair advantage to anyone that wears their suit.

Imperva launched its technology partner ecosystem, called OpenSphere, almost a year ago, and one of the founding members is Crossbeam Systems. What follows is a blog posting from Sanjay Raja, Sr. Product Line Manager at Crossbeam. This is the first such posting from our partners and I hope to follow up with many more on the value additions that are being developed as part of OpenSphere.

-Rohit Gupta, VP Business Development, Imperva.

--------------

The reality of most large enterprises is that they need to support specialized classes of security applications on their networks to comply with regulations and protect against evolving threats. Often these security apps must be integrated within a layered security architecture. Imperva's SecureSphere application data security products are a perfect complement to existing Firewall and IPS technologies, as they protect enterprise business data from the database through the application.

The problem today is that companies are challenged to manage this growing sprawl of mission-critical security apps and associated security infrastructure without sacrificing the performance to ensure non-st