
Fri, 19 Aug 2011

SensePost @ 44Con - Join us!

Until recently, there was a distinct lack of decent, high-quality technical security conferences held in the United Kingdom. London, home to a global financial centre, has no shortage of industries that require secure applications and rely on secure infrastructure to operate.

With this in mind, 44Con is the first combined information security conference and training event held in Central London. The con will provide business and technical tracks, aimed at government, public sector, financial, security professionals and Chief Security Officers.

SensePost will be attending the conference, with Ian de Villiers giving a ground-breaking talk on intercepting and modifying the protocol used by SAP GUI, including the release of a tool that facilitates assessments of said protocol. In addition, Ian and Daniel Cuthbert will be delivering a training course aimed at educating developers, and those involved in the deployments and life-cycle of applications, on the correct approaches required to protect applications from common threats.

Unlike other developer-centric courses, developers will actively be involved in breaking into their fellow students' applications, whilst those students try to prevent the attacks from taking place.

44Con will be held at the Grange City Hotel in London from the 30th of August until the 2nd of September.

Register to train with SensePost at 44Con.

Sun, 23 Aug 2009

John Viega's "the myths of security".. Really??

I go through a ton of books. Over the past 10 years, this has been dominated by books on computer security, computer science, programming (and some sprinklings of management classics).

I generally stay away from writing reviews, but was genuinely surprised at the number of 5 star reviews Viega's new book had received and felt I had to chime in.

I picked up "the myths of security" (what the computer industry doesn't want you to know) with hope, because O'Reilly books in general are well done and I really liked some of John's previous books. Alas! I tried hard to think of a good thing to say about the book, and the best I can come up with right now is that "at least, it won't take up space on my bookshelf".

The book is tiny (48 chapters, where each chapter is between a paragraph and 2-3 pages), which isn't a bad thing, but it reads mostly as a collection of blog posts or hurriedly written notes-to-self.

Advertising++ The Foreword alone uses the word McAfee 14 times, and over the 48 chapters, the word McAfee goes on to appear about 65 times. This is acceptable on a blog; in a book I just paid for, it's slightly annoying.

Target Audience I agree with Bejtlich, who can't figure out the book's target audience. One chapter might give explanations in crayon (presumably for the less sophisticated user) while the next chapter might give advice on how to label the security technology you plan to sell.

Consistency There are a number of times in the book where the author takes opposite sides of an argument (in different chapters). This is useful if coherently positioned as 2 sides of an argument, but if this is used on different arguments on different pages, it seems more like the author is merely choosing the position that's convenient to support his view at the time...

It's slightly odd when compared with his take on security spend to hear the author say this about the TSA and their "Security Theater": "But there's some hidden value here—it makes people feel safer. Whether it works well or poorly, it is better than nothing and it makes people feel better."

General whining (by me). The author dedicates a chapter to Mobile Phones titled "OK, Your Mobile Phone Is Insecure; Should You Care?". He concludes with: "Sure, there will always be the occasional virus for smartphones, but I don't see an epidemic emerging. At the end of the day, there is still lower-hanging fruit for the bad guys. It is still far easier for them to make money attacking traditional PCs and laptops than going after mobile phones. That may eventually change, but I'm not going to hold my breath."

I think the view that you only need to be worried about the ability of your device to withstand an attack "epidemic" is wrong on so many levels. I'm far less worried about my iPhone becoming part of a botnet than I am of the fact that these days huge parts of my life are on it, and can be grabbed by Charlie Miller if he is willing to pay the $0.20 to send me a few SMSes.

In his Epilogue, he writes: "But instead of preaching that the customer is hosed, I'm preaching that the security industry is hosed—I don't think customers are hosed at all." which is an interesting contrast to his chapter on PKI that ends with "That leaves the Internet fundamentally broken."..

Of course the lines that most bothered me were in the chapters on Privacy and Anonymity. Privacy gets just under 200 words but includes the classic line: "privacy is nice in theory, but if you don't have anything to hide, what's the big deal?"

Hmm.. OK.. let's see the take on anonymity before responding.

Anonymity gets 166 words (wow - 100 words more than the word McAfee!) and once more ends with the classic: "Oh, and I've got nothing to hide anyway…."

The author cites the example of Zero-Knowledge, who built a paid service to surf anonymously which "worked pretty well, but nobody cared".

Once more, I think there is so much wrong here that I'm not sure where to start. Having to convince someone that Privacy is important even if you can't sell it seems like a pretty old argument to be having..

In general, I think it's safe to say that the book left me disappointed, and a little bit afraid that somewhere decision makers could be forming an opinion on an entire industry based on ~250 words dedicated to a topic that deserves much more thought..

/mh

Sat, 16 May 2009

How Good Companies Fail..

In early 2002 I recall reading and falling in love with Jim Collins' book "From Good to Great". I recall being so excited by some passages that I typed out whole paragraphs and sent them around to the rest of the office..

For my last birthday Deels got me Collins' other book, "Built to Last: Successful Habits of Visionary Companies".

It seems as if he has done it again, with his new (soon to be released) book called "How The Mighty Fall: And Why Some Companies Never Give In".

Businessweek posted [an excerpt from the book], and I wanted to post an excerpt of that excerpt. He covers the 5 stages of a failure (I'm pasting 3 of them):

  1. HUBRIS BORN OF SUCCESS Great enterprises can become insulated by success; accumulated momentum can carry an enterprise forward for a while, even if its leaders make poor decisions or lose discipline. Stage 1 kicks in when people become arrogant, regarding success virtually as an entitlement, and they lose sight of the true underlying factors that created success in the first place. When the rhetoric of success replaces penetrating understanding and insight, decline will very likely follow.
  2. UNDISCIPLINED PURSUIT OF MORE Hubris from Stage 1 ("We're so great, we can do anything!") leads right to Stage 2, the Undisciplined Pursuit of More—more scale, more growth, more acclaim, more of whatever those in power see as "success." Companies in Stage 2 stray from the disciplined creativity that led them to greatness in the first place, making undisciplined leaps into areas where they cannot be great or growing faster than they can achieve with excellence—or both. When an organization grows beyond its ability to fill its key seats with the right people, it has set itself up for a fall. Although complacency and resistance to change remain dangers to any successful enterprise, overreaching better captures how the mighty fall. Discontinuous leaps into areas in which you have no burning passion is undisciplined. Taking action inconsistent with your core values is undisciplined. Investing heavily in new arenas where you cannot attain distinctive capability, better than your competitors, is undisciplined. Launching headlong into activities that do not fit with your economic or resource engine is undisciplined. Addiction to scale is undisciplined. To neglect your core business while you leap after exciting new adventures is undisciplined. To use the organization primarily as a vehicle to increase your own personal success—more wealth, more fame, more power—at the expense of its long-term success is undisciplined. To compromise your values or lose sight of your core purpose in pursuit of growth and expansion is undisciplined.
  3. DENIAL OF RISK AND PERIL As companies move into Stage 3, internal warning signs begin to mount, yet external results remain strong enough to "explain away" disturbing data or to suggest that the difficulties are "temporary" or "cyclic" or "not that bad," and "nothing is fundamentally wrong." In Stage 3, leaders discount negative data, amplify positive data, and put a positive spin on ambiguous data. Those in power start to blame external factors for setbacks rather than accept responsibility. The vigorous, fact-based dialogue that characterizes high-performance teams dwindles or disappears altogether. When those in power begin to imperil the enterprise by taking outsize risks and acting in a way that denies the consequences of those risks, they are headed straight for Stage 4.

Managing high-performance teams and well-performing companies is a constant battle against the forces of darkness, and like most of his work, all I can say is "Preach brother.. Preach.."

Sun, 22 Feb 2009

HITB08 - Marcus Ranum Keynote on CyberWar..

I just managed to pull the HackintheBox torrents for their [2008 talks]. (SensePosters can grab a local copy [here]).

I watched Marcus Ranum's "Cyberwar is Bullshit" talk. A talk that was truly wince-worthy! While the talk will make you scream at the screen a few times, it is worth watching just to see the Q&A section after the talk.. It's quite clear that Ranum gets owned more thoroughly than his online gallery did.

VS.

Roberto Preatoni of WabiSabiLabi fame confronts Ranum's simplistic views of cyber warfare with some pretty straightforward questions, to which Ranum is forced to concede "You got me there".

Another question from the audience included more lashings - with an added underhanded "USA lost in Vietnam without nuclear weapons" comment thrown in for good measure.

Overall, I think Ranum enjoys being contrarian.. I think over the last few years he has become famous for it.. But I think to completely bull@#$@# cyberwar, while setting such narrow definitions for what constitutes a war, skates dangerously close to the thing that Ranum often complains about - sensationalist topics shrouded in geek mystique that get eaten up by the popular press.. The talk was disappointing.. Ranum is indeed much better than this..

Tue, 23 Dec 2008

Penetration Testing in 2009 - Opposing Viewpoints

The last few weeks have brought some fairly interesting predictions for 2009 to bear in CSO Magazine columns. Two recent articles caught my eye from a penetration testing perspective.

In the first, Brian Chess, CTO of Fortify (they make source code review and software security tools, and he has written a great book on static analysis) predicted that penetration testing as we know it will die in 2009.

The premise of his argument is that penetration testing will die and be reborn in a different form, aiming more at preventing bugs from occurring, rather than identifying them (rolling things into QA / SDLC etc). Granted, it's a fairly valid point *in some respects*, albeit a biased one if you consider what he does for a living.

Ivan Arce (CTO of Core and pretty much as uber as they come) wrote a very well articulated response to this, stating the counter-viewpoint. I liked his response firstly because his points are valid, and secondly, because no bias toward his product is shown in his response.

I won't repeat the articles, but it is interesting to ponder, especially in light of the number of people (customers) that I know that read CSO magazine, and take what is written there as the gospel (for better or worse).

Either way, the argument on the value and validity of penetration testing is still raised often these days (even though governance and compliance with standards is mandating it more and more). I think some of the 12 points that Ivan Arce lists in his response are awesome ammo when addressing this timeless question, so I'll snip them out and include them below.

-snip-

1. A 35-year old practice with steadily increasing adoption rates does not usually disappear or transform itself substantially within just 12 months.

2. Penetration testing is intrinsically operational in nature. While pre-emptive measures such as security QA and testing and other SDLC practices may be useful to reduce the number of security vulnerabilities in custom or newly developed software, existing operational environments will continue to have bugs during 2009 due to the deployment of legacy or un-audited buggy applications.

3. Penetration testing is operational in nature (did I say that?). It deals with multistage and multilayered threats or attacks (not just vulnerabilities!) in real-world environments (not test labs) and then maps them explicitly to actual security risks. This will remain a valid use case scenario during 2009.

4. Penetration testing is tactical. It provides tangible, actionable information on how to incrementally improve an organization's security posture effectively to prevent real and specific attacks from happening and do so efficiently since it makes it easier to measure at least some form of return on security investment considering both the defense and offense technology currently available.

5. Penetration testing is strategic. If performed regularly, consistently and as part of an organization's overall security strategy, it becomes a useful and valuable practice to implement a program of constant improvement of information security.

6. Penetration testing is strategic. Incorporating an attacker's perspective to an organization's overall security strategy provides necessary checks and balances and improves the organization's ability to steer security policy in accordance to current trends in the threat landscape.

7. Penetration testing is not a silver bullet. It is best used in conjunction with other security practices and in doing so it amplifies those results with both positive and negative feedback (about what does and does not work).

8. Penetration testing is -- at least partially -- driven by compliance. It is a recommended or even a mandatory practice in several regulations, industry standards and organization's internal policies that will not go away in 2009.

9. The IT landscape is constantly evolving and will continue to do so in the next year. As new technologies emerge, new attack vectors become prevalent. Monitoring the evolution over time of sophisticated penetration testing techniques is a good leading indicator of threats that may see mass-adoption in the future which makes pen testing almost a necessity to improve SISSP qualifications.

10. There is money to be made selling penetration services and products. The opportunity will not go away in 2009.

11. Financial crisis and economic turmoil means also more and better opportunities for cybercrime. In the context of 2009 testing one's defenses periodically will be more (not less) necessary than if we had a more globally stable scenario.

12. Last but not least, five years ago IDS technology and its respective market was the "in thing" to make predictions about. Although predicted several times, the death of the IDS has been greatly exaggerated in the past years.

-snip-