
Archive for February, 2008

BayouSec II

February 28th, 2008 Michael Farnum

The next BayouSec is going to take place at the new Alert Logic location on March 5 starting at 6pm. They have some conference rooms we can use. 1776 Yorktown, 7th floor. Just south of the Marathon Oil tower on San Felipe.

We are going to start making this a tad more formal as far as having an event to draw people in. There will be food and drinks as usual, but I would like these to be somewhat more educational if possible.

If you live in the Houston area or are just going to be down here then, feel free to come out. 

Vet

Categories: Security

Something weird going on with my polling plugin

February 28th, 2008 Michael Farnum

I have to disable it.  I think it is not compatible with the latest version of Wordpress.  Polls will be back up when I get it fixed.

Vet

Categories: Security

Proofpoint getting some additional funding

February 27th, 2008 Michael Farnum

Proofpoint Closes $28 Million Financing Round

DAG Ventures Joins Email Security and Data Loss Prevention Leader Proofpoint’s List of Blue-chip Investors

Sunnyvale, Calif. – February 27, 2008 – Proofpoint, Inc., the leading provider of unified email security and data loss prevention solutions, today announced that the company has closed a $28 million financing round, led by new investor DAG Ventures. All previous investors — including Benchmark Capital; Bridgescale Partners, Inventures Group; JAFCO Ventures; Meritech Capital Partners; Mohr, Davidow Ventures and RRE Ventures — also participated in this round, bringing Proofpoint’s total raised capital to more than $86 million. The funds will be used to accelerate Proofpoint’s continued global expansion, customer acquisition and product development initiatives.

“Proofpoint’s singular focus on solving enterprise messaging problems, combined with outstanding technology, great customer support and exceptional sales and marketing execution has made it the leading independent vendor in the white-hot email security and data loss prevention market,” said Greg Williams, partner with DAG Ventures. “We’re excited to help fuel the next stage of Proofpoint’s growth.”

“Proofpoint has tripled its customer base since its last financing and is now poised to accelerate growth through rapid worldwide expansion,” said Gary Steele, president and CEO of Proofpoint, Inc. “This latest round of funding will help Proofpoint meet growing global demand for email and data security solutions, strengthen our distribution channels and bring even more innovative products to market.”

“Benchmark continues to be impressed by Proofpoint’s tremendous track record of technology innovation, commitment to customer satisfaction and demonstrated success in a fiercely competitive and dynamic space,” said Kevin Harvey, partner with Benchmark Capital. “Our increased investment in Proofpoint reflects our confidence in the company’s ability to become the dominant player in the multi-billion dollar messaging security market.”

Proofpoint is the email security and DLP solution of choice for a rapidly growing number of enterprises, universities and government organizations worldwide, helping them stop spam, protect against email viruses and prevent leaks of confidential information via email and other network protocols.

The company recently concluded its best year ever, growing revenue by more than 50% annually over 2006, fueled by new product introductions including the Proofpoint on Demand™ service, accelerating competitive displacements and an extraordinary customer renewal rate of more than 98%.

About DAG Ventures

DAG Ventures is a venture capital partnership investing in and helping outstanding entrepreneurs create leading, long-term companies across a range of markets. With roots from the 1980’s in cable TV, infrastructure, media, and wireless industries, the partnership today is privileged to work with world-class entrepreneurs as they build tomorrow’s leaders in the information technology, energy, and life science sectors. DAG Ventures invests in companies with proven technology, from the prototype stage onward.

About Proofpoint, Inc.

Proofpoint provides unified email security and data loss prevention solutions for enterprises, universities, government organizations and ISPs to defend against inbound threats such as spam and viruses, prevent leaks of confidential and private information across all protocols, and encrypt sensitive emails. Proofpoint’s products are controlled by a single management and policy console and are powered by Proofpoint MLX™ technology, an advanced machine learning system developed by Proofpoint scientists and engineers. Proofpoint provides the most scalable and flexible deployment model including: hardware appliance, virtual appliance, hosted services and software. For more information, please visit http://www.proofpoint.com.

# # #

Proofpoint, Proofpoint MLX, Proofpoint Messaging Security Gateway and Proofpoint on Demand are trademarks, registered trademarks of Proofpoint, Inc. All other trademarks contained herein are the property of their respective owners.

Categories: Security

New poll – are you going to RSA Conference?

February 27th, 2008 Michael Farnum

Take a look on the right.  —->

Vet

Categories: Security

What’s the difference between a sinkhole and a honeynet?

February 24th, 2008 Michael Farnum

OK, just a sanity check… this article is talking about sinkholes.  I honestly have never heard the term (at least not that I can remember), so I decided to check out the post.  It is Cisco centric, but it has some good stuff. 

But as I read on, I really could not see the difference in this and a honeynet.  Is this simply another term for honeynet?  This article says they are different, but I don’t see it?  Am I wrong?

Vet

Categories: Security

Gone for the week

February 19th, 2008 Michael Farnum

Just letting everyone know I will be gone for the week, so I won’t be blogging.  Have a good week.

Vet

Categories: Security

Yep… they KNOW I shop at Kohl’s

February 16th, 2008 Michael Farnum


Vet

Categories: Security

I’m an Official RSA 2008 Blogger!! WOO HOO!!

February 16th, 2008 Michael Farnum

Looks like I have been elected as an Official RSA Conference 2008 Blogger!!!  Uhhh, probably along with every other blogger that is getting press credentials to the conference. :)   But they didn’t do that last year, and it comes with a cool graphic.  So I am putting it on my blog, damn it!


Vet

Categories: Security

Attack of the Show Achievement Whore Video

February 15th, 2008 Michael Farnum

This is messed up… and hilarious!

[youtube gk9qKdYtF3U Achievement Whore Video]

Vet

Categories: Cool, Hilarious

New Orleans ISACA Chapter meeting

February 15th, 2008 Michael Farnum

Douglas Haider (Accuvant wireless guru) and I went to the New Orleans ISACA chapter meeting yesterday.  Douglas was doing a talk on wireless auditing and RFID.  Douglas did his usual great job, and we made some great contacts down there.  I am probably going to be going down next month to give them my talk about using blogs for security research.

But my point to this post is the chapter itself.  These are people who had some pretty bad things happen to them not too long ago.  The city itself is still rebuilding a lot, and here is this little ISACA chapter trying to build up and become a source of information security assistance for the area.  The people trying to get it started seemed to be very dedicated to the cause and were trying to get connected to local ISSA and Infragard chapters as well (I believe they said the local ISSA chapter was in Baton Rouge – about an hour to the west of The Big Easy) to get some kind of local conference going (I mentioned TRISC and how we might be able to give them some benefit of our experience).

I was really impressed by this small group of information security and auditing professionals.  They were extremely hospitable and thankful for Doug and I coming out.  They are really interested in getting speakers out to New Orleans so they can start drawing in more members (kinda the chicken and egg thing – get better speakers to draw more people so you can draw better speakers).  If you are interested in speaking at one of their meetings (usually the second Thursday of each month), let me know and I will get your contact info to them.  They are small (there were about 20 people attending) but passionate, and I think it would be worth your while to give them a shout.

Vet

Waking up to an old truth

February 13th, 2008 Michael Farnum

It has been over a year now since I have been in the trenches dealing with all the issues that security and network people have to deal with.  When I was in there, I wrote a series of posts that talked about all the things a security manager has to deal with and how to be a successful security manager (see here and here – and forgive some of the weird characters and formatting since those posts were imported from my old Blogger site).  But just the other day I realized just how separated I am from that world.  Yes, I talk to clients on a daily basis.  I know what they deal with.  I have been there, so I can relate.  But now that it is really not a part of my day-to-day job, I just have forgotten the amount of crap those people have to deal with.

What brought that to the forefront for me was when I was in Fort Worth earlier this week talking to a client.  After our meeting we were shooting the bull, and my sales guy asked what they had planned for Valentine’s Day, where they were taking their wives, etc.  They both said that they would be spending tomorrow, Friday, and through the weekend testing and deploying all the new MSFT patches that came out this month.  When he said that, it really hit me how long it had been since I really had to mess with that kind of stuff.

Now don’t get me wrong.  I work hard.  I have worked on four RFP’s this last month, have put out several SOW’s (statements of work), and have worked on several solution and design documents for clients.  I have worked every weekend for the last month and have worked quite a few late nights (the wife is not all that happy about those).  I have been on many, many meetings, have flown back and forth between Houston and Dallas, Houston and Lubbock, and Houston and New Orleans (actually, the Big Easy trip is tomorrow).  So I don’t think what I do is a cake walk.  In fact, I probably work harder now than I ever have, with a few exceptions.  I guess it just comes down to the fact that everyone has their own crap they have to deal with.

But I also know that the guys in the trenches are the real heroes out there.  Those guys have to navigate the murky waters day after day, they have to worry about management breathing down their necks, they have to keep users happy, they have to deal with me and my sales guy trying to sell them stuff, etc.  So here’s to those people in the trenches.  Keep it up.  We have got your back.

Vet

Categories: Security

I guess Bruce doesn’t have an SPF record

February 8th, 2008 Michael Farnum

I just got this email from Rosanne.Mcrae@schneier.com last week (seen from the MX Logic console).


I actually checked, and I don’t see an SPF record for schneier.com.  Not a big deal.  Not everyone uses them, and some speak out against them.  I just thought it was funny.  And it made me actually see what the email was, so it was effective.  I felt safe doing it since it was in MX Logic. 

If it had appeared in my Outlook Inbox folder, I definitely would have opened it.  You never know.  It might have been Bruce’s assistant asking me if he could interview me.  Yea, you never know…

Vet

Categories: Security

Give yourself a little time with SQL Injection

February 5th, 2008 David Nester

I was recently involved in web application assessment and discovered something that I wanted to pass along. Keep in mind that this has probably been utilized before, but it is something that I just noticed so … I wanted to throw it out for your amusement.

To set the stage, I had been looking at this application for quite some time and had an idea that SQL Injection might exist, but I was having much difficulty determining if the injection was actually present. The application was catching errors, displaying 404’s, (etc) and really not displaying any good data to make a decision. So …. the question was … if the application is catching our errors and really not giving us anything to work with … how could we ask the question to the database to indicate if we were actually getting our requests processed by the database server?

Answer? Time.

Since the application is catching all of our attempts and not providing any good feedback the thought was … let’s come up with a way to have the database provide us an “indirect” response. To do this, I tried “waitfor”. WAITFOR specifies a time, time interval, or event that triggers the execution of a statement block, stored procedure, or transaction.

Syntax: WAITFOR { DELAY 'time' | TIME 'time' }

To implement ‘waitfor’, simply tag it onto the end of the injection test you’re trying to accomplish. For example, if your injection string is:

30000' union select 1,email,password from Customers --

By implementing ‘waitfor’, your string might appear as….

30000' union select 1,email,password from Customers waitfor delay '0:0:30' --

Keep in mind that while the injection results might not appear to your screen, you will experience a delay of the response back to the browser. The point here is to demonstrate that:

  1. Our injection is being accepted by the database server
  2. The injection is executing.

So, while our injection string might not render results to the screen, we can test that the database server is executing our injection strings.

Categories: web hacking
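
The point of the post above, that a response delayed by the requested WAITFOR interval shows the injected statement ran, also gives defenders a log check. The following is an added example, not code from the original post: it scans web access log lines for WAITFOR DELAY in decoded query strings and marks a request "executed" when the server's time-taken is at least the requested delay. The log layout, field order, paths and sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# WAITFOR DELAY 'h:m:s' as it appears in a decoded request parameter.
WAITFOR_RE = re.compile(
    r"waitfor\s+delay\s+'(\d{1,2}):(\d{1,2}):(\d{1,2})(?:\.\d+)?'", re.IGNORECASE)

# Constructed sample log (not from the original post). Space-separated fields:
# time client_ip method path query status time_taken_ms
SAMPLE_LOG = """\
2008-02-05T10:00:01 203.0.113.7 GET /catalog.asp id=30000 200 120
2008-02-05T10:00:09 203.0.113.7 GET /catalog.asp id=30000%27+waitfor+delay+%270%3A0%3A30%27+-- 404 30180
2008-02-05T10:01:02 203.0.113.7 GET /search.asp q=x%27%20WAITFOR%20DELAY%20%270:0:10%27-- 404 95
2008-02-05T10:02:30 198.51.100.4 GET /report.asp year=2007 200 41250
"""


def decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded parameters are inspected too."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(line):
    """Return (client_ip, path, verdict), or None when no WAITFOR DELAY is present."""
    parts = line.split()
    if len(parts) != 7:
        return None  # not a line in the assumed layout
    _ts, ip, _method, path, query, _status, taken_ms = parts
    match = WAITFOR_RE.search(decode(query))
    if not match:
        return None  # a slow response alone is not evidence of injection
    hours, minutes, seconds = (int(g) for g in match.groups())
    delay_ms = ((hours * 60 + minutes) * 60 + seconds) * 1000
    # The response took at least as long as the requested delay: the database
    # ran the injected statement even though the page showed only an error.
    executed = delay_ms > 0 and int(taken_ms) >= delay_ms
    return ip, path, "executed" if executed else "attempted"


def scan(log_text):
    """Classify every line and keep only the WAITFOR probes."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for ip, path, verdict in scan(SAMPLE_LOG):
        print(ip, path, verdict)
```

An "executed" hit means that parameter reaches the database as SQL text, so the query behind that path is the one to convert to a parameterized statement first.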

Google catering for Communist cash

February 4th, 2008 Michael Farnum

I have had a major problem with Google in the past with how they cater to China, just like I have a major problem with anyone else that does business with that pinko regime.  Now Google is getting sued for it by Guo Quan, a Chinese scholar whose name was excised from local search results in China because he is setting up an opposition political party in Communist China.

Read this great quote:

“To make money, Google has become a servile Pekinese dog wagging its tail at the heels of the Chinese Communists.”

That was excellent.

Vet

Categories: Security

I love my Jawbone, but HOLY CRAP…

February 4th, 2008 Michael Farnum

These are just crazy.  MAJOR viewer discretion advised.

Vet

Categories: Security

On Twitter now

February 4th, 2008 Michael Farnum

OK, I finally got on Twitter.  It’s kinda fun.  I’ll see if I stick with it. 

Oh, and thanks to Alan Shimel for posting his “Twit” post that led to me finding Jennifer Leggio’s great “Twit” post.  I was having problems finding people on Twitter that were fellow security bloggers, and that post did the trick.

Vet

Categories: Security

You can take the "A" out of security, but you can’t take…wait… what?

February 2nd, 2008 Michael Farnum

Since I haven’t been doing a lot of serious posting for a while, it has been a while since I had an altercation with The Hoff on anything.  But now it is in full swing, and I have to say that I have missed this a lot!

So here’s the deal for those of you just joining the program.  There was an article posted a couple of days ago that said business people were becoming more concerned with availability than security.  I expressed my incredulity here with a very simple and direct question.  I got a quick verification of my point by Mr. Wismer, and I felt I had done my duty in protecting the CIA Triad once again.  I think the first time I posted about this was back in March of 2007, when OpenBSD people were discounting a buffer overflow vulnerability in their code as NOT a security issue.  This simply befuddled me because availability, in my old world, is an inseparable part of security (And Chris, it does mean what I think it means – “old” doesn’t mean we are old, maybe just conservative).  I wrote this off to some people trying to get away with skewing statistics so they looked better on the security reports at the end of the year.

Of course, I could not have been more wrong in thinking that my day of heroic pursuits was done.  First, I got the scalpel from Dr. Chuvakin (I know, I know… he’s not that kind of doctor – but it sounded cool.  And seriously… PHYSICS??).  Then I got drop-kicked by The Hoff on my blind side (which, incidentally, is the direction from which Chris always hits – not complaining at all, he just seriously has a really cool mind that makes him have wonderfully refreshing lines of thought).

So I saw all of this, weighed responding against how much work I had to do so I could have family night with the wife and kids, and I decided to work.  So by the time I got around to hitting back, I really didn’t feel like arguing too much.  But I did a little bit, and that quick quote can be found here. Chris responded and called me a redneck. :)   Mr. Wismer entered the fray again. Chris posted about it so it would have better visibility.  Anton presumably has better things to do (I don’t blame him at all).  And one more comment by Chris, and here we are… sheesh…

OK, now that you are all caught up and have read all of the comments and posts with serious interest, here’s my response… What were we talking about?  Oh yeah, information security…

So I thought originally that Hoff missed my point on the first comment he made.  He seemed to think that I thought the “C” and the “I” should come before the “A”, just like all us old dogs with allergies.  Of course, that is not what I meant at all.  I was actually arguing that people keep taking the “A” out of information security (search for CIA Triad on your favorite search engine).  So now this article pops up, and I really got a little peeved. 

Now, as to Anton’s point, this article was from more of a business centered IT magazine.  So I get it from that angle.  Chris even argues from that angle as well.  But still, Chris’ first take on my argument was not correct, and I felt that I needed to clarify that.  I think in some weird way, we were actually agreeing.

But my overall point in all of this is that I think the definition of information security has been skewed as security has been more and more commoditized.  And I don’t necessarily disagree with the skewing because I think the definition has actually become almost all-encompassing and has removed a lot of stovepipes that needed to go away.  EVERYONE touches security now.  From the switch guy to the server gal to the router dude to the firewall chick.  Sure, the “security” group may tell those people what buttons to push, but the “on-the-front-lines” people still push the buttons. 

In the same way, there really is no pure security solution out there now.  Too many products serve dual purposes.  Almost every product, whether it be an application or an appliance, has security built in.  It may be nothing but a marketing gimmick so the word “secure” can be placed on the website, but no one disagrees that it is there.  Take for instance the switch.  Not too many years ago, switches did nothing but push packets.  Now they are becoming an integral part of security through 802.1x and other NAC functions.  Take the firewall and router.  Those two products, at least for the SMB, are becoming a single product.

And because of that, many companies consult on IT practices as well as security practices because you really can’t separate the two anymore.  IT frameworks build in security now (ITIL and COBIT).  Chris says risk management encompasses security, and I see his point.  But my take is that security is the whole, and ALL the other areas are pieces.  Yes, people still code and expect the network to protect the code, but that is becoming less common.  I see it every day just as you do, Chris.  I see people getting pwned due to application vulnerability.  Just ask Jeremiah Grossman and my friend David Nester from HP who is now posting on this blog.

Security has to be thought of almost before anything else.  Have an idea that is going to revolutionize the IT world?  My first question is, “How do you secure it?”  And that means, “How do you make sure it is available while at the same time making sure everyone’s data doesn’t get leaked?”

Vet

Availability overtakes security as IT concern

February 1st, 2008 Michael Farnum

I really don’t think I should have to ask this question, but…. WHAT????

Article here

Vet

Categories: Security