Sharon Besser: August 2008 Archives

I'm reading the news and it's like watching Mythbusters. On one hand, NASA managed to find "life" in space. On the other hand, my myth of NASA's security is busted. For the sake of discussion, it does not matter how the virus got there and whether or not it is dangerous or just annoying. The simple fact is that there are no more sanctuaries.

I hate to sound like I'm FUD-ing - and I hope that no one will Defudder me - however, there are some questions that should be asked.
In the world of media, ratings are everything. It is the industry's lifeblood. Check the US TV buzz pulse here. Success and failure are determined by the ratings value: daily and weekly statistics, all based on statistical sampling.

When it comes to security and auditing, sampling is simply not good enough. The leaders at Fuji Television Network, Japan's leading television broadcasting company (they also broadcast Dragon Ball Z, ask your kids...), know that. According to Mr. Satoshi Morimoto, Manager of Information Security for Fuji Television Network, one of the key reasons for selecting SecureSphere was that "SecureSphere provides us with full details on database queries and responses".

August 26, 2008

You Create The Caption


[Image: no coffee.png]

Image source: http://www.oliverdunne.com/alldone/comics/4%20-%20No%20Coffee.png

August 24, 2008

Error: No Errors Found

My all time Donald Rumsfeld favorite:

There are known knowns. There are things we know that we know. There are known unknowns. That is to say, there are things that we now know we don't know. But there are also unknown unknowns. There are things we do not know we don't know.

Ask anyone who has used a piece of software for long enough and he'll tell you that error messages should provide helpful information and advice, not only for the user, but also for tech support and maintenance programmers. The web is full of examples of useless and stupid error messages, like those in this classic article from 1998.

No doubt error messages should be useful, but in most cases even a poor message is far better than no message at all. I've seen individual developers and even companies take the shortest path to "solving" the problem by taking the totally wrong DTTC approach (Don't Tell The Customer), thinking that they can sweep a temporary or minor event under the rug, but thereby creating a bigger problem of unknown unknowns.

In a rather unusual email, Google's Android security team approached the security community earlier this week via the full disclosure mailing list, introducing themselves and asking for moral support and responsible disclosure. Amichai and I talked recently about responsible disclosure (here, here and here). The Android security team at Google took no chances, promising credit only to those who will play by their rules:

Our vulnerability bulletins will credit responsible reporters of any  flaws.

If you did not have a chance to read Google's mail, you should. It's fun reading; here are my comments...
August 22, 2008

Hack With New People

Do you have the next great web idea but lack technical staff? Do you have technical skills and are looking for the next big thing to drive your excitement and enthusiasm? There are several sites that will try to connect entrepreneurs with highly skilled professionals but JustHackIt is the first site that is dedicated to web applications.

So the idea is to connect people who want to build something RIGHT NOW. Ideas can be simple 1 page websites or complex Google competitors. The main point is to just get started hacking with new people! Hopefully you'll meet your next co-founder or your 1 page website will be successful by itself. If you find out you don't work well with someone, try someone else. No pressure.
 
Simple idea, nicely executed. Some of the ideas are good. From an ROI perspective, it looks like a good $7 investment. According to Centernetworks, the site is now for sale. The use of the hack-words, with all possible diversions and inflections, makes sense as a buzz generation tool as well. If nothing else works, it can always continue to be used as the hackers' dating site.


August 21, 2008

New Discovery

Discovering new servers and application data is a routine task. Security officers are scanning SQL databases to determine whether they contain Non Public Information (NPI) or Personally Identifiable Information (PII), a necessary step in the battle towards compliance. A routine task.

Apparently, discovering new parts of the universe is also a routine task, but new objects are only seldom discovered. Universe Today brings the story of 2006 SQ372 (yes, that's its name). 2006 SQ372 is a "minor planet" with an unusual orbit that has been found just two billion miles from Earth (closer than Neptune).
August 20, 2008

SSL Insecurity, Old News

When everybody is watching the 2008 Summer Olympics, old news is being recycled. I could not avoid commenting on the usually excellent Threat Level that tells us about Gmail's insecurity. Very similar to the same story that was told in the past, also at Threat Level (here) in January 2008 and RealTechNews last year. To be fair, Threat Level mentions previous disclosures but I am probably missing the point.

Web sites will not use SSL by default.
SSL does not always provide security.

Unfortunately, many sites will not use SSL by default. This is not unique to Gmail; many applications behave in a similar way. So what can one do? Use SSL (visit https://www.gmail.com instead of the default http://www.gmail.com), set proper preferences, and minimize the use of insecure applications at unsafe locations.
August 20, 2008

Basic Chemistry

It's a miracle. That's how I feel each time after finding the answers I was looking for.

Here's the latest answer from last weekend's question.

Question: How to chill beer very fast
Answer: http://zerocold.wordpress.com/2007/07/09/how-to-chill-beer-fast/
August 15, 2008

Cyber Mercenary

Many words were written about the cyberwar between Russia and Georgia. Georgia is accusing the Kremlin, and there were reports that the Georgians experienced cyber-attacks even before the invasion began. If you Google around, you'll get hundreds of related news stories.

Evgeny Morozov decided to report from a different angle. Probably intrigued by quotes stating that cyberattacks are inexpensive and easy to mount, he decided to join the war, protected behind the shield of his laptop and far from the dangers of the fighting. Slate brings his story.


August 15, 2008

MOTD

"Cybercrime was probably here to stay". Kypros Chrysostomides, Justice Minister, Cyprus

This quote is taken from an article in the CyprusMail, delivering the story of an IT consultant breaking into a former client, an international investment and finance services company, which the island's industry is based upon, and stealing customer data.

Looks like Cybercrime is everywhere, including the peaceful Mediterranean island. Only several years ago the paper quoted another official stating that "no one in Cyprus has ever been arrested or charged with any sort of cyber crime". But now, it's there to stay.
August 14, 2008

Which Iceberg's Bigger?

When I was writing the tip of the iceberg post I was excited by the thought that the overall damage of the data loss problem is much higher than reported. According to the Wall Street Journal, the Federal Trade Commission estimates nearly $50 billion is lost annually as a result of identity theft and credit-card fraud, with part of it absorbed by banks. In other words, not only are the numbers probably much higher than reported (and therefore than estimated by the FTC), it also seems that the bigger data loss events are a direct result of one of the following causes:

  1. An application and / or database hack.
  2. Some sort of separation of duties violation.
  3. All of the above.

SecureSphere covers all those use cases. In other words, the portion of the problem that can be addressed by SecureSphere is very big. Huge.

August 13, 2008

Unfair Advantage

Everyone (read: me) is looking for an unfair advantage: the cloak of invisibility that allows you to see and not be seen, or makes your product sell like there's nothing else.

If you were watching the Summer Olympics swimming contest, you could have understood how technology can be translated into an unfair advantage, in its positive meaning. The number of new world records is skyrocketing. In fact, it looks like we have a new world record for the number of world records....

Taste some of the debate at the Sport Scientists, and here the other experts are claiming that it's harmful. The unfair advantage is not just a result of the new suit technology (priced at $550 versus the regular $25 swimsuit). It's also the result of a differently designed swimming pool (deeper, wider), more lanes, better springboards, etc. Assuming that everything's legal (no drugs, the stopwatches are working perfectly, etc.), the Chinese have managed to create the technology advantage that changes the rules of the game for everyone, while Speedo provides the unfair advantage to anyone who wears their suit.
August 11, 2008

The Tip of The Iceberg?

Last week, the US Justice Department charged 11 people with stealing more than 40 million credit- and debit-card numbers from nine retailers, calling it the largest U.S. identity theft prosecution. Kudos to all who were involved in this operation. The Chronicles of Dissent blog (one of the best privacy-related sources) identified that some of the retailers mentioned did not disclose the breach earlier.
August 10, 2008

Sunday Nights

[Image: sunday night.png]
Most people I know are looking forward to Sunday nights to watch the football games or another favorite show. Others use this day to steal corporate data. The LA Times brings us yet another story of information theft from a corporate database. Unfortunately, this story is not different from others that have been popping up recently. However, two topics caught my attention in this story.

The first one is somehow amusing: the alleged thief was paid pennies (literally) for the theft...  
August 7, 2008

Elements of Style

I am a non-native English speaker. Usually I can get along just fine with small talk and casual chats, but when it comes to grammar I have to sweat before a decent paragraph can be posted or sent.

My biggest challenge is the comma. This small punctuation mark makes my life difficult as I have a tendency to use it very often and probably more than I should. As a service to all the others that might be facing a similar challenge, I would like to recommend a book that was given to me not too long ago and helped me to overcome my comma challenges. 

The book "The Elements of Style" (an online version is available) was written almost 100 years ago, yet it provides invaluable guidance on how to use English properly. The elementary rules of usage section includes the most common comma usage rules, including:

  1. In a series of three or more terms with a single conjunction, use a comma after each term except the last.
  2. Enclose parenthetic expressions between commas. 
  3. Place a comma before a conjunction introducing an independent clause. 
  4. Do not join independent clauses by a comma.


[Image: elements of style.png] (click to see a larger image)



If you felt the winds of change last week, it wasn't only SoCal's earthquake aftershock. McAfee announced that it is "redefining the entire data protection market." In a press release last week, they announced the acquisition of Reconnex, a network-based DLP vendor, following an earlier acquisition (2006) of the host-based DLP vendor Onigma. Since I was part of another team that was "redefining the market" earlier, I feel that, given the time perspective (almost two years), there are a few DLP lessons that can be learned from McAfee's acquisitions that apply to the DAM space, especially related to the network vs. host debate.

Ask anyone who has attempted to deploy a DLP solution and he'll tell you that the main obstacles are deployment-related issues: identifying the starting point, the number of endpoint systems, data discovery, classification and host protection. Database Activity Monitoring and Security solutions are less affected by those factors due to the inherent nature of the DBMS model and the business applications they are protecting (note to self: a good idea for another post).

Choosing a host-based solution for activity monitoring and security, when the bulk of operations are performed over the network, will increase complexity, add burden on the host (increased CPU % and memory footprint) and require a very complicated policy management model, as McAfee probably found out. Unlike laptops, which can be stolen, left behind or simply lost, database servers have a tendency to stay in a known location. Sure, there are some use cases, such as separation of duties (SOD) and privileged user monitoring (PUM), that require the monitoring to take place on the database server itself.

Database activity monitoring (especially for auditing purposes and compliance with regulations like PCI) requires inspection of all database activity. Network-based solutions (like SecureSphere) use a network appliance to examine the transactions related to the database, either inline or in sniffing mode (usually off a TAP or a SPAN port). However, this method presupposes that the activity is occurring between the database server and a remote (i.e., non-local) application or user over a database connection.

When the database activity is not available for inspection by the network appliance (e.g., some database activity is performed locally on the database server, or via one of the few unsupported encryption methods), something else is needed. In this case SecureSphere uses a lightweight database agent that is installed on the audited database and can examine all relevant communications, eliminating blind spots.

This lightweight database agent captures only relevant database activity and sends the traffic to a gateway appliance for analysis and audit, using different transport methods. It has negligible performance impact on the mission-critical database server and makes it possible to maintain a unified policy model with network activities, which reduces the overall administrative burden.

Looking at the past and learning from experience tells us that heavy agents and agent-only approaches are indeed limited in DAM, as they are in the DLP market. Solutions that rely on the host alone will never scale. Sure, there might be a scenario in which one buys into this concept and even tries to implement it, but looking at large-scale production deployments, it will only be possible with a combination of a fast, reliable network-based solution and lightweight, hassle-free host agents.

Will McAfee redefine the market (again)? Only time will tell.
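To make the network-vs-agent split concrete, here is an added example (not SecureSphere code, and not from the original post) that models the coverage decision described above: sessions that cross the wire in a form the appliance can decode go to the appliance, while local sessions (loopback, Unix sockets, shared memory), sessions using an encryption the appliance cannot decode, and privileged-user sessions (the SOD/PUM case) need the host agent. The session records, the set of decodable encryption methods and the privileged roles are all constructed assumptions for illustration.

```python
"""Toy coverage planner for database activity monitoring (DAM).

Added example, not vendor code. A TAP/SPAN-fed appliance only sees traffic
that actually leaves the database host and that it can decode; everything
else is a blind spot that a host agent has to cover. All values below are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Encryption methods the hypothetical appliance can inspect (assumption).
APPLIANCE_DECODABLE = {"none", "tls-known-key"}
# Roles treated as privileged users, monitored host-side (assumption).
PRIVILEGED_ROLES = {"dba", "sysadmin"}


@dataclass(frozen=True)
class Session:
    session_id: str
    client_host: str
    server_host: str
    transport: str      # "tcp", "unix-socket" or "shared-memory"
    encryption: str     # e.g. "none", "tls-known-key", "tls-unknown-key"
    user_role: str


def visible_on_network(s: Session) -> bool:
    """True if a TAP/SPAN-fed appliance can both see and decode the session."""
    if s.transport != "tcp":
        return False                      # local IPC never crosses the wire
    if s.client_host in ("127.0.0.1", "::1", s.server_host):
        return False                      # loopback traffic stays on the host
    return s.encryption in APPLIANCE_DECODABLE


def monitoring_source(s: Session) -> str:
    """Decide which sensor must record this session: 'appliance' or 'agent'."""
    if s.user_role in PRIVILEGED_ROLES:
        return "agent"                    # SOD / PUM: record on the server itself
    return "appliance" if visible_on_network(s) else "agent"


def coverage_report(sessions: List[Session]) -> Dict[str, List[str]]:
    """Group session ids by the sensor that has to cover them."""
    report: Dict[str, List[str]] = {"appliance": [], "agent": []}
    for s in sessions:
        report[monitoring_source(s)].append(s.session_id)
    return report


def blind_spots(sessions: List[Session]) -> List[str]:
    """Sessions an appliance-only deployment would miss entirely."""
    return [s.session_id for s in sessions if not visible_on_network(s)]


# Constructed sample sessions against one database server (10.0.2.5).
SAMPLE_SESSIONS = [
    Session("s1", "10.0.1.20", "10.0.2.5", "tcp", "none", "app"),
    Session("s2", "10.0.1.21", "10.0.2.5", "tcp", "tls-known-key", "app"),
    Session("s3", "127.0.0.1", "10.0.2.5", "tcp", "none", "app"),
    Session("s4", "10.0.2.5", "10.0.2.5", "unix-socket", "none", "batch"),
    Session("s5", "10.0.1.30", "10.0.2.5", "tcp", "tls-unknown-key", "app"),
    Session("s6", "10.0.1.40", "10.0.2.5", "tcp", "none", "dba"),
]

if __name__ == "__main__":
    rep = coverage_report(SAMPLE_SESSIONS)
    print("appliance covers:", rep["appliance"])
    print("agent covers:    ", rep["agent"])
    print("appliance-only blind spots:", blind_spots(SAMPLE_SESSIONS))
```

Note that s6 is visible on the wire yet still routed to the agent: the policy, not visibility, decides that privileged-user activity is recorded on the server, which is why a unified policy model across both sensors matters.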


Every now and then, a company takes credit for being able to deliver some solution or develops a unique marketing term (yes, usually it has some 'life cycle' in it). Having said that, I believe that companies should be measured by overall strategy and vision and their ability to execute on that vision.

Today, we announced another piece of a unique solution that is part of an overall, larger vision and solution strategy to combine security and activity monitoring for web, databases and enterprise applications.

In June, we announced that we extended the Application Security Life Cycle to production systems and delivered the broadest PCI compliance. Today, we are announcing Web Activity Monitoring capability to close the loop between security operations and developers. The two announcements are related and are just two parts of our overall vision to protect Application Data.

The first announcement was the industry's first closed loop solution for managing the Web application security life cycle on production systems. It includes not only the ability to take vuln data from scanners, but feeds changes back to them...this is what closed the loop.

Today, we announced that SecureSphere Web Application Firewall adds Web Activity Monitoring (WAM) to automate the discovery and accelerate the remediation of application vulnerabilities in production systems. Not only can SecureSphere block attacks (including one-packet attacks), it can record malicious inputs and application responses to provide development teams with the information they need to pinpoint and fix coding flaws. As an application security company, we were focused on blocking the attacks, but in order to give developers a better understanding of their code, we had to provide the ability to capture and keep all the relevant data as well as block the attack. Those two tasks might conflict, and we had to spend a great amount of time finding the right way.
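The tension between blocking and recording can be shown with a small inspector. The following is an added example (not SecureSphere's WAF/WAM code, and not from the original post): it checks request parameters against constructed detection rules and, on a hit, writes an incident record holding the offending input, the matched rule and, when the request is allowed through, the application's response, so a developer can see the input and the resulting behaviour side by side. The two modes are this example's own way of resolving the conflict: in "block" mode the request never reaches the application, so only the input is recorded; in "monitor" mode the request is forwarded and the response is recorded too. Rules, requests and the stub application are all constructed for illustration.

```python
"""Toy 'block or record' inspector illustrating web activity monitoring.

Added example, not vendor code. Everything here (rules, the stub
application and the sample requests) is constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Response = Tuple[int, str]          # (HTTP status, body)


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    params: Dict[str, str]


@dataclass(frozen=True)
class Incident:
    rule_id: str
    path: str
    param: str
    value: str
    app_status: Optional[int]       # None when the request was blocked
    app_body: Optional[str]


# Constructed detection rules applied to every parameter value.
RULES = [
    ("R1-sqli-tautology", re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I)),
    ("R2-script-tag", re.compile(r"<\s*script\b", re.I)),
]


def match_rules(req: Request) -> Optional[Tuple[str, str]]:
    """Return (rule_id, parameter name) for the first matching rule, else None."""
    for rule_id, pattern in RULES:
        for name, value in req.params.items():
            if pattern.search(value):
                return rule_id, name
    return None


@dataclass
class Monitor:
    app: Callable[[Request], Response]
    mode: str = "block"             # "block" or "monitor"
    incidents: List[Incident] = field(default_factory=list)

    def handle(self, req: Request) -> Response:
        """Inspect the request; record an incident on a hit and either block
        the client or forward to the app and capture its response."""
        hit = match_rules(req)
        if hit is None:
            return self.app(req)
        rule_id, param = hit
        if self.mode == "block":
            self.incidents.append(Incident(rule_id, req.path, param,
                                           req.params[param], None, None))
            return 403, "blocked"
        status, body = self.app(req)            # forward and capture the answer
        self.incidents.append(Incident(rule_id, req.path, param,
                                       req.params[param], status, body))
        return status, body


def stub_app(req: Request) -> Response:
    """Constructed stand-in for the protected application: it echoes a
    database error on unexpected input, which is exactly the response a
    developer wants to see next to the input that triggered it."""
    q = req.params.get("q", "")
    if "'" in q:
        return 500, "database error while searching for: " + q
    return 200, "results for " + q


# Constructed sample traffic.
CLEAN = Request("GET", "/search", {"q": "beer"})
SUSPECT = Request("GET", "/search", {"q": "x' or 1=1"})

if __name__ == "__main__":
    for mode in ("block", "monitor"):
        m = Monitor(stub_app, mode)
        print(mode, m.handle(CLEAN), m.handle(SUSPECT), m.incidents)
```

In a real deployment the response is captured from the protected application's actual answer; the stub here stands in for that application so the example runs offline.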

The diagram below illustrates how SecureSphere bridges the development and production realms for web applications. Note that the timeline is not displayed: one can argue that code can be fixed manually; however, the WAF integration with scanners and the new WAM component would accelerate the protection process.

[Image: wam-waf.png]

(Click on the image to see a bigger picture)

Andrew Jaquith, from Yankee Group provides an e