Security Bytes - A SearchSecurity.com blog



The information security blog for the latest buzz on data security, privacy and regulatory compliance issues, information security threats, software security updates, flaws and more.

Fire laws trump a full-conference fee at RSA

So you travel thousands of miles, shelling out a cool $2,125 for the full-conference fee, and you get to your first session of the day–one of the best on the RSA docket: Joanna Rutkowska’s presentation on security challenges in virtual environments–and you’re asked to leave because all the chairs in the room are taken 15 minutes before the start, and you’re not allowed to stand in the back.

Score it: San Francisco fire marshal 1, full-fare paying RSA attendee 0.

More than 50 attendees, told that fire laws prohibit standing along the perimeter of the room, grumbled their way out of the session, which was held in one of the smaller conference rooms at the Moscone Center.

Two security staffers came into the room and made it clear that anyone not seated–Information Security magazine included–had to leave. One attendee remarked that pre-registration for sessions was not an option, and nowhere in the registration process was this particular issue raised. “You can take that upstairs,” security told him.

To her credit, Rutkowska stuck up for her audience, asking why they couldn’t stay and sit on the floor. But not even a renowned hacker has any pull at RSA.

Lesson learned: Put Rutkowska in a bigger room next year. Her sessions are always well attended at industry events such as RSA and Black Hat. And hers was the only virtualization research session scheduled Tuesday, an issue not lost on those who crammed the hallway straining their hearing for some insight–before, of course, the doors were shut.

Social networking or social engineering?

Do you MySpace? You know your kids do–and chances are that a good percentage of the twenty-somethings at your company do too. And that’s a potential problem that not enough security managers are paying attention to.

Steve Patton, security architect with a financial services organization, spends a good amount of time investigating social networking sites and cautions enterprises that while your intellectual property might not be leaked to MySpace, Facebook or Friendster, your company’s reputation could be at stake.

“Most of the corporate work being done in this area is in the area of policy and prohibition,” Patton told me this week at Black Hat. “ ‘You should not use these things at work; you should not talk about work on these sites.’ It’s not very effective. It’s helpful for the person who wants to do the right thing, not so for the person who doesn’t.”

Social networking numbers are staggering–it’s been reported MySpace has anywhere between 90 million and 180 million registered profiles. Patton likens the exercise of data mining social networking sites to social engineering. Profiles are rich with personal information: school history, work experience, blogs, photos, comments and more. It’s terrain you likely cannot ignore much longer, especially if your employees are ranting on their blog about work issues, linking to unsavory sites or posting illicit or damning photos.

And with the emergence of targeted attacks against companies, even down to the departmental or individual level, any reconnaissance is valuable to an attacker. The problem for security managers, Patton said, is balancing the demand for access to social networking with security and corporate well-being.

“It’s definitely becoming an issue where younger workers are expecting access while at work,” Patton said. “Corporate managers are finding they have to get firmer with corporate policy.”


Granick on the move

Noted cyberlaw attorney Jennifer Granick announced today at Black Hat that she’s leaving her post at Stanford University and is headed for a position with the Electronic Frontier Foundation (EFF).

“At this point in my career, my mission is not necessarily just about making better lawyers, but better law,” Granick said. “I’ll have that opportunity with the EFF.”

Granick is currently the executive director of the Center for Internet and Society. She begins her new position Sept. 1.


Mobility forces Sun to open Windows

Had an interesting conversation with new Sun Microsystems CISO Leslie Lambert this week. Lambert is a Sun veteran, having held a litany of IT roles including several line-of-business CIO titles. Lambert shared a little bit about her short- and long-term goals, which include different aspects of identity management, such as role-based access controls, and change management. The most interesting, however, reflects concerns any enterprise with intellectual property would have: data protection and mobility.

Sun is a global enterprise and its development and sales forces operate on campuses around the world. Sun Ray virtual desktop Java thin clients will remain standard issue, she says, but the need for mobility means a prevalence of Macintosh and Windows-based notebooks and devices. This is unavoidable and necessitates some flexibility and admittedly some security tradeoffs, says Lambert, who carries a Sony P910 mobile phone.

“Sun is an environment where we have not permitted a lot of Windows desktops. We’re shifting there,” Lambert says. “With our [employees] working from home or various campuses, the need to put more mobile devices for productivity is a reality. We’ll have to now focus on higher levels of data protection.”

Lambert says Sun employees can expect a ramp-up of awareness programs and security tools on those devices including antivirus, firewall and network access control that authenticates and audits mobile devices before they connect to the Sun network. In addition, depending on the categorization of data on the device and job responsibilities, hardware encryption may soon be part and parcel of laptops; all will have encryption software installed.

“Sun has been in a position to be able to create so much unique intellectual property to offer to the industry,” Lambert says. “Our collection of IP is who we are; protecting that is important.”


Sourcefire’s growing pains

OK, allow me some journalistic license here when I say that if you squint a little bit while sitting across from Marty Roesch, he could pass for Ray Romano. If you’re not buying that, then you have to at least buy the notion that Everybody Loves Marty.

Marty, for the uninitiated, wrote Snort in his basement back in the day. He open-sourced his homegrown IDS and more than three million downloads later, it’s become a behemoth and largely thought of as the standard for IDSes. Marty also built Sourcefire–with a bit of help–into a thriving pure-play security company that continues to develop Snort commercially and open source.

Talk to security professionals about almost any vendor, and their face will contort into a painful combination of wrinkles and furrowed brows. The derision in their voice is just as uncomfortable. But turn that conversation toward Snort/Sourcefire and it becomes clear that Sourcefire is one of the few exceptions.

For example, when Check Point came a calling last year, checkbook in hand, people were protective of Sourcefire and Snort, wanting assurances that Snort would remain open source and development would continue. Yet at the same time, people felt badly for Roesch and company when the government intervened in the acquisition and it went south.

Sourcefire got its payoff recently when it went public in March and raised more than $70 million. But since then, it missed its first quarter targets, blaming a few deals that didn’t close or were shorter than expected. Not a great start and it probably raised a few eyebrows. But those are the pains of doing business quarter-to-quarter.

In February, I had a sit-down with Marty Roesch at RSA, right in the middle of Sourcefire’s quiet period, so he couldn’t be candid about the IPO, but he was forthcoming about plenty more:

On the fall of the Check Point deal: “There were people [at Sourcefire] who wanted the deal to finish up, get the money and get out. And there were other people who like the company the way it was, and if they were going to make some money, that was nice, but building the thing we’ve built is hard to do, and it’s almost a shame to sell it because you lose the culture and all the other things.”

On going public: “We’re so big now, there’s a small number of companies that could buy us, we might never get bought. Let’s do what we planned to do originally, run this company independently for the foreseeable future. As a credit to our management and operations teams, everyone has executed. It’s crazy, but it’s like the Terminator, you can’t stop it, it has a life of its own. It’s cool.”

On Gartner’s “IDS is Dead” claim: “It hurt initially, because it really slowed down our sales cycles. … It forced us to do something radical like build RNA, or get killed like most startups. I don’t like to lose, so we built RNA. The ‘IDS is dead’ thing was an annoyance, but one of those things that forges the company, gets everyone on the same page and crystallizes our drive to succeed. I still run into it from time to time.”

And finally, on balancing being a commercial company with Sourcefire’s open source interests: “One of the things executives get when they come on board is that we’re not gonna close-source this, you better get used to the idea of developing technology, making it really good and giving it away for free. If you can’t get used to that, don’t take the job. I like to remind people at Sourcefire that any time we mess with the community, they all have my email address and I’m the guy they get on.”

Bot-on-bot crime

Not everyone in the underground is concentrating on targeted attacks. Jose Nazario stopped by today; he’s Arbor Networks’ resident botnet guru and he shared a cool anecdote about some bot-on-bot crime, as he put it. Apparently, the lovelies behind the Storm worm are trying to put rival spammers–the guys behind the Warezov/Stration family of spam worms–out of business with a series of DDoS attacks. So take heart, anti-spam groups like Spamhaus and other blacklisters–you’re not alone.

“There’s competition in this marketplace like any other, and it’s already cutthroat,” Nazario says. “Why not DDoS your competitors’ update sites?”

Spammers have used DDoS attacks in the past against rivals like Blue Security, an antispam outfit which was put out of business last May by a vengeful DDoS attack carried out by a spammer known as PharmaMaster. The Storm creators haven’t succeeded in knocking out the Warezov/Stration camp, but this scrape likely isn’t over.

“These guys mean business; they’re not fooling around. They make a lot of money and they’re willing to defend it,” Nazario says.