From Security Weekly Wiki

Announcements & Shameless Plugs

PaulDotCom Security Weekly - Episode 277 for Thursday February 9th, 2012

  • John Strand will be teaching Offensive Countermeasures at SANS Orlando March 23-24th: Check it out here
  • Subscribe to our only non-computer security related show dedicated to Cigar Enthusiasts, Stogie Geeks with Paul Asadoorian and Tim "BugBear" Mugherini. Whether you smoke an occasional cigar or daily, this show is for you! Tune in as we review the latest cigars being released and talk "Stogie Tech".

Interview: Adam Shostack

Adam is a principal program manager on the Usable Security team in Trustworthy Computing, which performs ongoing research into classifying and quantifying how Windows machines get compromised. Before joining Microsoft, Adam helped found the CVE, the Privacy Enhancing Technologies Symposium and the International Financial Cryptography Association. He is co-author of the book, The New School of Information Security.

Adam writes at the Emergent Chaos blog and The New School of Information Security blog.


  1. Can you briefly describe the idea of the New School?
  2. The New School of Information Security has been out for almost four years, what are the most encouraging changes you have seen in that time? And the least encouraging?
    1. The title of chapter five is an Alan Schiffman quote, "Amateurs study cryptography, professionals study economics", a great quote, but I assume some people took exception to that.
    2. The book challenges some sacred cattle, such as user education. Do you still struggle to make people understand the importance of understanding the human element of Information Security?
    3. An interesting human element covered in the book was that visible security measures appear to make people less cautious. I have certainly seen people who believed the firewall and anti-virus meant that they didn't have to take any personal responsibility for their actions online. This "dealing with people" thing is tricky.
    4. The book also promotes what some now call the operationalization of security. While some are picking up the idea, others seem entrenched and are content with the status quo. Have you seen any successes in this area in large enterprises?
  3. Reports such as those from Verizon, Mandiant, Veracode, Trustwave and others are giving us more information, but the formats vary and the raw data isn't always available. How can we make the most of these reports?
  4. You have done some creative things to educate people about security. Can you tell us how you came up with the idea for the Elevation of Privilege card game, what it was like promoting it internally at Microsoft, and how it has been received?
  5. Tell us about Saltzer and Schroeder, their 8 principles, and why a paper that was written in 1974 still makes a whole lot of freaking sense to the computer security industry.
  6. I was going to post this as a story, but I'd like to hear your thoughts on why breach disclosure is expensive, and will this discourage companies from reporting breaches, even at the expense of fines, etc.?


Paul's Stories

Darren's Stories

Larry's Stories

  1. Backing Convergence - [Larry] - Moxie is asking browser devs to back Convergence, an open source tool to provide a notary for SSL certs. This is a really neat concept, but browser devs are concerned that it will not scale and it is too experimental. I say that they should include it, as a toggle on/off option.
  2. Remotely Wipeable USB Thumbdrive - [Larry] - Lost your drive with sensitive data on it? No problem. This drive connects to cell networks and can be disabled or wiped remotely. Now, I think this is really cool, but I think there are a few small issues: 1. It is freaking huge. 2. It will only work when powered up/plugged in, so not instantaneous. 3. It requires a separate monthly service, and what happens when an attacker removes the SIM card? Does it fail closed? 4. How resistant to attack is the protocol? Can we DoS or exploit?
  3. FotoForensics - [Larry] - While I don't pretend to understand the math here this stuff really fascinates me. Upload a photo jpg or png (or reference a URL) and it will perform realtime Error Level Analysis (ELA), indicating likely places where modifications have been made. I tested it with some pictures of…um, yeah, folks who are often airbrushed, and surprisingly this person was not.
  4. Trustwave bad certs - [Larry] - Oh oh. So, why is TrustWave getting such a bad rap on this one for admitting what they think is a mistake? (No, seriously, what am I missing?) They did appropriate audits, and secured the secondary CA chain appropriately. The issue is that the SSL cert allows for sniffing SSL traffic, common on many products for data exfiltration, etc. on corporate networks. It has even been claimed that MANY CAs do this for their customers. Ok, I get it that it will be for ANY site on the internet….
  5. Satellite Phone Encryption cracked - [Larry] - With $2000 in gear German researchers were able to extract the encryption keys from firmware and were able to re-implement them to decrypt transmissions. They extracted the keys from two separate phones that utilize two separate encryption methods, GMR-1 and GMR-2. Oh, did I mention that it only took 30 minutes to accomplish the task? It does not appear to be an issue for military uses of sat phones, as they often use additional encryption on top of the base handsets.

Jack's Stories