Robert J. Brown is the Director of Information Security for WesCorp, the nation's largest Corporate Credit Union with $24B in assets and over 1000 Credit Union members. He has over 10 years of experience in the industry as an entrepreneur and founder of an INC500 security firm as well as senior consulting roles for PricewaterhouseCoopers and Trusted Information Systems. He also holds the CISSP and CISA certifications.

August 30, 2007

LinkedIn PwC Alumni - Revised Instructions

Here are the updated instructions for joining the PwC Alumni group on LinkedIn as of early 2008.

1. *** IMPORTANT *** If you did not previously work for PwC, PW, or C&L, you are not eligible for the group. This includes all of the recruiters who regularly request group access and are denied. Please don't click the link if you didn't work for the firm.

Assuming you worked at the company, click on this link. You will now be listed in the system as having a pending membership to the group.

2. Make sure your PwC work experience is on your LinkedIn profile and is visible. Some people have elected to keep it private, which is fine, but you definitely need to send me an email if I can't see PwC somewhere on your profile.

3. Send me an e-mail to rjb .a.t. robertjbrown .d0t. com. You will have to manually insert the @ and the . in my address - otherwise spammers will find me. Mention that you wish to join the group and also provide the name of the partner you worked with most frequently.

It will take anywhere from a day to a few weeks to approve membership to the group. The volume of requests has grown from a few per week to close to 20 per day. There are over 600 group members as of this post and it is becoming a very valuable resource for reaching out to former colleagues.

August 30, 2006

ConsumerReports Virus Test

If you haven't seen the news reports, Consumer Reports has been catching quite a bit of flak for their recent test of antivirus products. The methodology they used was to take existing viruses, modify them in some way, and then test to see which virus scanning products picked up their "new" viruses. Apparently many people in the security community think this is a Bad Idea because it involves the creation of "new" viruses. This was irresponsible in their eyes.

I'd like to outline why I think what Consumer Reports did was a good thing and why I am in support of their efforts.

The major virus software developers, including McAfee and Symantec, have an enormously profitable business selling software and virus definition updates. It's a great business idea - people keep paying for the software over and over because it is licensed and not sold outright. The challenge from a security perspective is that antivirus software is more reactive than proactive - it has similarities to the traditional issues with a pattern-based intrusion detection system. They are both great for stopping specific known threats, but do not work as well against unknown threats.

To understand why this is an issue, let's think about how an attacker works. Look no further than 9/11, Richard Reid, or the recent case in London of the liquid bomb plot. The attackers analyzed the security controls in place at the airports and attempted to exploit vulnerabilities in those defenses. They did not try to pack a suitcase with a bomb and check it in because they knew that this was not as likely to work and may be caught in the security scanners. In the same manner, an attacker wishing to distribute a virus can test their new code against the top products in the market just by downloading them. The bad guys are analyzing the defenses to find a hole. It's an endless arms race and the only way to get better is by improving the products to better defend against new attacks.

Focusing on this specific class of product - antivirus - how do you defend from a situation where the bad guys can see your controls and create tactics to evade them? One way is to improve the products in such a way that they are self-defending. McAfee even claims to have done this on their web site: "<VirusScan's> advanced heuristics and generic detection even finds new, unknown viruses."

I'm glad the product is able to do that. As an informed consumer, I'd like to know how well the product stacks up to those claims. As a CISO, it's my business to identify and mitigate risks to my company. I want to know what product can best protect me from both known and unknown threats.

Moving back to Consumer Reports, they figured (rightly so) that the only way to validate the product claims was to modify existing viruses and test them against the software. So they created new variants of known viruses and reported the results. Did their new viruses "escape" and infect anything other than their testbed? To date, nothing has been reported. No damage was done because they appear to have employed care in how they conducted the test. I would expect this from an industry leading product evaluation company that brought in competent security consultants such as Dr. Avi Rubin.

What's the bottom line? Consumer Reports obtained an independent test result that I am very interested in - which products were best able to cope with new and evolving threats. This information is valuable to me because it was created by a credible not-for-profit institution and provides details to help me choose the best product for defending against both existing and new threats.

August 20, 2006

WPAD: Windows Proxy Auto Detect Vulnerability

I was installing my own Squid cache this weekend for my home network and wanted to set it up such that when my devices are home, they automatically use the proxy. I looked into it a bit, and Windows Proxy Auto Detect, or WPAD, seemed like a good solution. Basically, you turn on "automatic proxy detection" in your browser - be it Internet Explorer, Firefox, Flock, Safari, or anything else - and it automatically finds the proxy server.

How does it find the server? It uses a DHCP configuration setting or DNS to search for the entry "wpad.yourdomain.com", where yourdomain.com is your local domain as served up by your DHCP server. If that host resolves, it looks on that server for a wpad.dat file - a small bit of JavaScript that tells the browser what the proxies are. If that file is there, the browser blindly trusts it and executes the JavaScript to obtain the proxy settings right from that file - even if you have completely disabled JavaScript in the browser. The next logical question for me was "where is the authentication for this?" and the answer is: there is no authentication.

This is scary for a number of reasons. If you can set a proxy for someone, that means you can force them to connect to a proxy YOU control. This is a man-in-the-middle attack and you can now obtain login credentials or anything else - including for SSL sites. Now, this gets even better if you combine it with a DNS cache poisoning attack or a second/fake DHCP server. How about you go to the local wireless hotspot and redirect WPAD to a server you control (even prior to asking for the credit card input)? You can now intercept their browsing sessions. How about you check into a local hotel? Do you suspect that a number of executives will be staying there with browsers preconfigured to look for a local proxy? I do. Oh, and the best part of this is that this is 100% transparent to the user - no pop-up box or other warnings are provided.

Allowing an unauthenticated network device/file to modify your behavior without your knowledge or consent is bad security. Although there have been published exploits for this in the past (and Microsoft fixes such as MS99-054), this remains a vulnerability - especially combined with DNS cache poisoning or a second DHCP server controlled by an attacker. In today's world, the assumption must be made that computers are not stationary. They move around, and hence their security environment changes with them. Long-standing "features" like WPAD should be either secured or eliminated based on risk. The world has changed since this was introduced and our products should also change based on the updated risk profile.
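An added example (not code from the original post) that evaluates a wpad.dat PAC script offline and audits which proxies it would route traffic through, so a fetched file can be inspected before a browser is allowed to obey it. The two PAC scripts, the hostnames and the allow-list are constructed, and only two of the browser's PAC helper functions are emulated.

```javascript
// Added example: evaluate a wpad.dat (PAC) script offline and audit where it
// would send traffic. All hostnames and both PAC scripts are constructed.

// Minimal subset of the helper functions a browser exposes to PAC scripts.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) { return host.endsWith(domain); }

// Run a PAC script in a function scope and return its FindProxyForURL result
// for one URL. The script is untrusted text fetched over plain HTTP, which is
// exactly why it deserves inspection before a browser acts on it.
function evaluatePac(pacSource, url) {
  const host = new URL(url).hostname;
  const loader = new Function(
    "isPlainHostName", "dnsDomainIs",
    pacSource + "\nreturn FindProxyForURL;"
  );
  return loader(isPlainHostName, dnsDomainIs)(url, host);
}

// Parse a PAC decision string such as "PROXY a:3128; DIRECT" into proxy hosts.
function proxiesIn(decision) {
  return decision.split(";")
    .map((s) => s.trim())
    .filter((s) => s.toUpperCase().startsWith("PROXY "))
    .map((s) => s.slice(6).trim());
}

// Audit: for each URL, list proxies not on the allow-list. A PAC that routes
// traffic (HTTPS included) through an unexpected host is a man-in-the-middle.
function auditPac(pacSource, urls, trustedProxies) {
  const findings = [];
  for (const url of urls) {
    for (const proxy of proxiesIn(evaluatePac(pacSource, url))) {
      if (!trustedProxies.includes(proxy)) findings.push({ url, proxy });
    }
  }
  return findings;
}

// Constructed wpad.dat for a home Squid cache, like the setup in the post.
const HOME_PAC = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, ".home.lan")) return "DIRECT";
  return "PROXY squid.home.lan:3128; DIRECT";
}`;

// Constructed PAC of the kind a rogue wpad host could serve: everything goes
// through a proxy the network owner never configured (placeholder hostname).
const ROGUE_PAC = `
function FindProxyForURL(url, host) { return "PROXY proxy.example.invalid:8080"; }`;
```

Running auditPac over a sample of internal and external URLs with the known Squid host as the only trusted proxy yields no findings for HOME_PAC and one finding per URL for ROGUE_PAC.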
2006 WesCorp CFO Forum Presentation

Enclosed is my presentation "The Executive Guide to Information Security" given at the 2006 WesCorp CFO Forum event. The presentation is an enhanced podcast meant for viewing in Apple iTunes, Quicktime, or via an iPod. Click on this link to download the presentation or view it in Quicktime. The podcast is an overview of information security and risk management aimed at an executive management audience.

You can subscribe to the Podcast via the orange icon at the right side of the page. Drag that icon to your iTunes Podcast menu and it should automatically subscribe you.