Herein lies the story of a botnet herder. I find these sorts of stories far more interesting than vague reports on data disclosures, akin to the difference between cheesecake and rice cakes.
We thankfully have a few trends available to us that help keep these threats in check. Greed, arrogance, stupidity. While some criminals make stupid mistakes out of their pursuit of money, there are many others who are more savvy than to be obvious and brazen with their tradecraft. I guess in another lifetime if I wanted to be a cyber criminal, I would follow a few non-technical steps:
tell no one, don't brag
always respect your adversaries, don't be sloppy or cocky
make enough money to be comfortable, don't be greedy
wake up
by michael 05.09.08 at 1:51 PM in /general - comments(0)
I was pondering the point of Twitter again today. It is so much like IRC. If you step away and don't read updates for a few days (or you have a really busy list you're following!), there is no way to really catch back up on what was said or jump back into a conversation. In fact, you likely will miss responses even directed to you! Just like stepping away from IRC and it continuing to scroll on by.
So, I wonder when a botnet will use Twitter for command-and-control?
by michael 05.09.08 at 10:13 AM in /general - comments(1)
The SecurityWannabe has posted one of the better lists I've seen in some time: 10 Myths About Life As An IT Security Professional. Some I wanted to pull out:
4. You won’t learn as much as someone doing a “normal” IT job. Depending on your role in security, I find that we need to have some level of aptitude in everything IT, from scripting, to programming, to low level memory analysis, desktop troubleshooting, networking, packet analysis, web app coding and architecture, cc surveillance, wireless cracking, optimized scanning, manual scanning, and on and on. Even a jack-of-all-trades in an SMB may not know quite this much. And if we don't know one of these topics, we know places and people to ask to get answers and self-teach.
5. Your friends will disown you - IT security is geek - but not “cool” geek. One of the best parts is being able to relate to non-geeks. For instance, my parents and I can talk to each other on their level about data theft and credit card fraud risk, or the concerns about adopting wireless in their home or at work. I can't talk to them about coding kickass C# apps, the newest developments in virtualization, how sexy the latest big iron is, or the most recent Ubuntu release. I once even had a roommate who thought her boyfriend was looking at too much porn. And let's just say he couldn't do anything to stop me from keeping her well informed indeed.
An excellent list that I consider a must-read highlight so far this year.
by michael 05.09.08 at 9:15 AM in /general - comments(0)
Continuing my wiki cleanup is this list of LiveCDs with a security twist. Some of these are evolved (Auditor) while some are simply gone (Phlack). I even missed adding a few from earlier this year (Russix, Deft...)
KnoppixSTDM is a Knoppix Security distribution. Sadly, it came out as version 0.1 and remains at that level. Knoppix has tons of documentation and tutorials, including this little bit on mounting a Windows disk and doing some forensics (http://blogs.ittoolbox.com/security/investigator/archives/quick-inspection-technique-for-windows-laptops-10094).
BackTrack is probably the most solid and most-maintained security-based live cd around right now. Extensive support for wireless and a very solid, matured distribution. This distro really has pretty much moved into the lead of security livecds, if there is such a thing.
DamnVulnerableLinux (DVL) is a very vulnerable live cd and local installation distro that is designed to teach about security and insecurity through tutorials and providing an insecure Linux installation. Really sounds like a cool idea and on par with something like WebGoat or the Foundstone Hackme series of exercises.
Helix is a currently maintained livecd with a forensics focus to it.
Trinity Rescue Kit is also a forensics-based livecd.
Pentoo is a Gentoo-based livecd for penetration testing and security.
nUbuntu is an Ubuntu-based livecd. While not necessarily of a security focus, it is still a solid distro. The live-cd version can also be installed locally.
Auditor has been succeeded by BackTrack, but is still a highly documented auditing and security livecd.
Nullbound looks like an in-line Snort/IDS implementation in a livecd.
OWASP Live CD Project has not really kicked off yet, but I'm hoping they are able to put something out.
Ultimate Windows Boot CD is not really a livecd in the strictest sense, but it is as close as it gets for Windows.
Phlack is another of the "original" few security livecds from a number of years back. Development has stalled, but may still get going on version 0.4.
SecureDVD is a full DVD loaded with 10 security livecd distros. This hasn't really been maintained, but is an excellent source and reference for some other livecd distros.
Slax is a Slackware-based livecd.
by michael 05.08.08 at 2:00 PM in /general - comments(0)
I am cannibalizing some sections of my wiki to place as entries on this site simply to reorganize some stuff. Here are some links to information about network printer hacking.
Irongeek has a very thorough and well-written series of walk-throughs on playing with networked printers.
Phenoelit [old link] has done some impressive work in the past, which includes their excellent HiJetter tool.
Coincidentally, this same topic just came up on the pen-test mailing list on SecurityFocus. Perhaps some links there will someday be useful.
by michael 05.08.08 at 1:39 PM in /general - comments(0)
Matasano has updated their link to their Blackbag tool. Yes, their link has been down for quite a while... hehe. More details on what it actually does can be found on an older post at Matasano.
by michael 05.08.08 at 10:49 AM in /general - comments(0)
Anton Chuvakin throws down a doozy in discussing "Reverse Compliance or 'Logs as Proof of Incompetence?'" Granted, he was inspired elsewhere, but he's the first I read on this.
What if you keep so few logs that no one can prove you've been negligent beyond just not keeping logs? What if so few logs are kept, you don't even need to know you've been hacked 2 years ago? We don't know where these White House emails have gone, it must be our incompetence. Slap our wrists and let's please move on...
by michael 05.07.08 at 2:00 PM in /general - comments(0)
PCI is a beast, and continues to blot out the sun with its harpy wings, wheeling in the desert sky, slowly waiting to pounce on the weak. Between concerns over requirement 6.6, code reviews, WAFs, and so on...where will this lead us? Let me play annoying Devil's Advocate a bit.
Well, if you're a web development shop, why go through all the friggin trouble? Rather than process and store any payment information, hire out to someone like PayPal. When you're ready to check out, click the PayPal button which transfers you over to the PayPal site along with whatever transaction information you need. User logs in there, performs transaction there, and completes it there. Let the PayPal-type sites deal with PCI.
This way, every web dev shop won't need a WAF or layers of security or code reviews. Not that I think they should all ditch such efforts, I just feel such efforts are too idealistic for our economic world. I know I've yet to hear a developer or developer manager who has any interest in spending effort, time, or money on an SDLC beyond what it takes to roll out product faster and with higher quality (quality not being defined in terms of security other than the most basic stuff like SSL support).
Of course, this means that while web shops won't process your credit information or store it, they can and likely will store everything else about you. But, hey, that doesn't fall under PCI!
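The hosted-checkout pattern described above, as an added example that is not part of the original post and does not use any real PayPal API: the merchant records an order, redirects the shopper to a hypothetical payment provider with a signed request, and later accepts only a provider callback whose signature and amount check out. The provider URL, shared secret and the simulated callback are constructed assumptions. The point to notice is that the merchant's order record has no field for a card number, so the card data the author wants to keep out of scope never reaches the shop.

```python
import hmac
import hashlib
import uuid
from urllib.parse import urlencode, parse_qsl, urlsplit

# Hypothetical hosted-payment provider and merchant shared secret; constructed for this example.
PROVIDER_CHECKOUT_URL = "https://pay.example-provider.invalid/checkout"
SHARED_SECRET = b"merchant-shared-secret-constructed-for-example"

# The merchant's order store. Deliberately, there is no place to put a card number,
# expiry or CVV, so none can be stored by accident and the shop stays out of scope.
ORDERS = {}

def _sign(params):
    """HMAC-SHA256 over the canonical (sorted) query string, hex-encoded."""
    canonical = urlencode(sorted(params.items()))
    return hmac.new(SHARED_SECRET, canonical.encode(), hashlib.sha256).hexdigest()

def create_checkout_redirect(amount_cents, currency, return_url):
    """Record the order locally and build the URL that hands the shopper to the provider."""
    order_id = uuid.uuid4().hex
    ORDERS[order_id] = {"amount_cents": amount_cents, "currency": currency, "status": "pending"}
    params = {"merchant_order": order_id, "amount": str(amount_cents),
              "currency": currency, "return_url": return_url}
    params["sig"] = _sign(params)
    return order_id, PROVIDER_CHECKOUT_URL + "?" + urlencode(params)

def handle_provider_callback(callback_url):
    """Verify the provider's signed notification and update the order; returns the outcome."""
    params = dict(parse_qsl(urlsplit(callback_url).query))
    sig = params.pop("sig", "")
    # Constant-time comparison so a forged callback cannot be tuned byte by byte.
    if not hmac.compare_digest(sig, _sign(params)):
        return "rejected:bad-signature"
    order = ORDERS.get(params.get("merchant_order"))
    if order is None:
        return "rejected:unknown-order"
    # The provider must have settled what we asked for, not a shopper-edited amount.
    if params.get("amount") != str(order["amount_cents"]) or params.get("currency") != order["currency"]:
        return "rejected:amount-mismatch"
    order["status"] = "paid" if params.get("result") == "paid" else "failed"
    return order["status"]

def simulate_provider_callback(order_id, amount_cents, currency, result):
    """Stand-in for the provider so the example runs offline: builds the signed return URL
    it would send the shopper back with. A real provider has its own signing scheme."""
    params = {"merchant_order": order_id, "amount": str(amount_cents),
              "currency": currency, "result": result}
    params["sig"] = _sign(params)
    return "https://shop.example.invalid/return?" + urlencode(params)
```

Whatever the real provider's scheme, the two checks in handle_provider_callback are the ones that matter on the merchant side: that the callback is authentic, and that the settled amount matches the order rather than whatever came back in the query string.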
by michael 05.07.08 at 1:52 PM in /general - comments(1)
It might seem like there is an epidemic of information disclosures in recent years. I maintain there is a companion epidemic: one of silence about the reason for these intrusions and disclosures. This prevents anyone from really learning how to improve by any other means beyond having a finger waggled at us/them or a painful ruler smacked across our cheek. (I sometimes wonder if we're going to be stuck in a silo no matter what our efforts...)
The Daily Camera has a story about the disclosure of data on 9,500 persons from the University of Colorado (dig the off-beat green-tinted site).
Hilliard said three computers [one laptop, two desktops] in the Division of Continuing Education and Professional Studies were compromised by a "very complicated hack" that was discovered Thursday afternoon.
One man's "complicated hack" is another man's obviously gaping hole. Useless information.
"We think they were compromised by digital intrusion with some sort of hack," Hilliard said, noting there is "no direct evidence the data has been taken and used for nefarious purposes."
I'm done being nice about these things. No shit you don't have any direct evidence of wrong-doing. If someone breaks into my house and steals my gun, I can cover my eyes and say "I have no proof a crime is being committed with it!" By the way, no kidding, "some sort of hack..." amazing.
According to Hilliard, none of the computers was [sic] supposed to have personal information stored on it, following a policy change CU implemented last fall after someone hacked into a computer issued to the College of Arts and Sciences' Academic Advising Center.
Policies don't actually stop anything, just like education. Both are necessary, but neither will guarantee anything. Kinda like that 35 mph sign on the road that I always drive past at 42 mph.
by michael 05.07.08 at 9:26 AM in /general - comments(0)
Last week I finished putting everything together for my 2008 gaming machine. It's been about 6 years since my last gaming machine, so I was due for an upgrade. The parts list is saved on my wiki. Special props to NewEgg, my hardware supplier for many, many years. And I added PetrasTechShop.com as my water cooling parts supplier. Excellent service at both, and absolutely no bad parts this go-around! My source of most information comes from the HardForum.
Total cost is probably somewhere around $1100-1300 (not including monitors), with probably the largest chunk being all the water cooling parts. Six years ago, I saved a lot by putting the system together myself, but these days gaming boutiques and other computer outlets have pretty damn good pricing, and I likely didn't save all that much off a comparably performing pre-built system. But few of them do water cooling at all without a premium cost. So to get silence with water, I did save a bundle.
The system is running on WinXP 32-bit right now. I know, I lose some performance, but I didn't want to spend any huge time (getting everything to work and run) or money (a real, honest license [damn Microsoft]), until I hear more details on when Windows 7 will be out and how long Windows XP will be extended. If they start to overlap, I'm just going to skip Vista like I skipped ME. (DirectX 10 support/availability may make a difference when Starcraft II comes out.)
Everything works great. Wow sits at 60 fps no matter what I do (including fraps recording), and isn't taxing the system at all. Temperatures stay barely above room temp, even after hours of gaming, so I'm very happy with the water cooling.
I ended up water cooling my GPU as well. When powering up system components the first time, I was terribly disappointed with the noise from my HD-3870 fan. With that gone, the system hums away unnoticed.
What would I do differently with my setup if I knew what I know now:
Bigger case. It took a lot of experimenting to get everything in a good position in the midtower case I got. I lucked out with the top fan (didn't have to drill more holes to mount the top radiator), but I got screwed with the hard drive cage and other crap in the lower right corner of the case. I moved what I could, but the pump still is at a non-optimal angle. Also, I wouldn't mind making a bigger hole on the top and mounting the radiator on the inside of the top of the case rather than the outside. Alas, not a huge deal.
Bought all the water cooling parts at once. Since this was my first time parting water cooling out, I did it in very small orders. I think 6 total! I would have planned a bit better too: gotten a flow indicator somewhere in the line, better fill setup (currently the only thing still in progress) so I don't even have to open the case to add liquid (not that I will need to very often), and maybe a drain port if I ever upgrade stuff and need to remove parts. As it is, I'll need to turn the case upside down and around to fully drain it.
by michael 05.02.08 at 9:07 AM in /terminal23 - comments(0)
Every other post Hoff makes is packed with information that is way over my head, oftentimes making me lightheaded. But he continues to have great posts in between the bleeding-edge ones. I took two points from a recent post of his on the conflict between virtualization and PCI compliance (2.2.1 which wants single roles for a server may fail all host servers that "serve" multiple guests of various purposes, although I *might* argue the host serves the single purpose of hosting virtual servers).
1. Auditors and checklists will always be behind new technology.
2. Auditors need to know what the crap they're talking about.
If they make certain observations on their audits, they know they need to field questions that may be as obvious as "how do we secure or satisfy this virtualization piece you dinged us on?" If auditors can't answer questions like that, I wouldn't be surprised if they decide to fluff through and try not to touch it, further miring checklists behind technology, and further not providing much real security. It all comes down to training and hands-on exposure to technology.
This is a chicken-egg scenario. Can you implement and mature new technology or do you have to wait until compliance, which may mean needing to implement and mature it to learn it...
This is made further painful because this contradicts what I consider a rule of IT and security: Technology moves forward. There is no holding it back, putting on the brakes, or waving the yellow flag of security. It inevitably moves forward. (Fine, we can hold some things back a bit, but eventually it simply will happen.) This is especially true if new technology is economically beneficial. Companies don't need to think bleeding-edge, but they can't afford to be lagging badly behind the curve.
by michael 05.01.08 at 1:01 PM in /general - comments(0)
Microsoft Windows and IIS have long been a whipping boy for security issues. If you hadn't noticed, they're back in the spotlight, only not quite as loudly because of the technical nature of recent issues. But this year is different. Instead of Microsoft standing alone, web developers are strapped to the stocks as well.
Microsoft has a new security advisory up (April 23rd) giving vague details of a vulnerability that matches details provided by Cesar Cerrudo at HITBSecConf2008. It sounds like this is less an issue with external hackers and more an issue with trusting your developers, the ones who provide code that could possibly exploit this issue. The workarounds are a bit annoying as posted currently. I think every Windows admin has experienced angst when changing accounts that services or pools run under, and we all do so only if necessary (and cross our fingers that nothing breaks too badly). And disabling MSDTC (COM+) when your apps that run your business use COM+ is not an option. (Microsoft may as well tell us to turn off the web server and unplug the machine!) I think I would be more concerned if I were a larger hosting provider running on Windows...
The above issue does not affect Vista or Windows Server 2008, it appears.
This is paired up with a recent large-scale wave of SQL injection attacks. Microsoft (and many others) rightly points the blame at developers and coding practices. The OS and even the coding environment can only go so far to protect against incompetent, ignorant, or rushed developers. The rest is up to the developers and those leading the developers.
Attackers continue to move up the layers.
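The coding practice the post lays at developers' feet, shown side by side with the fix, as an added example that is not from the original post or from any Microsoft material. It uses an in-memory SQLite table with constructed rows, so it runs offline; the vulnerable function splices user input into the SQL text, the hardened one binds it as a parameter, and the same crafted username reaches both.

```python
import sqlite3

def make_db():
    """Constructed sample table; the password column is a stand-in, not real hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn

def find_user_concat(conn, username):
    """VULNERABLE: the input becomes part of the SQL text, so the database
    cannot tell the developer's query apart from whatever the user typed."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]

def find_user_param(conn, username):
    """SAFE: the placeholder is bound by the driver; the input is only ever a value,
    however many quotes or keywords it contains."""
    return [row[0] for row in conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,))]

def compare(username):
    """Run both lookups on the same input; returns (rows_from_concat, rows_from_param)."""
    conn = make_db()
    try:
        return find_user_concat(conn, username), find_user_param(conn, username)
    finally:
        conn.close()
```

No operating-system or server-level setting changes the outcome here, which is the author's point: the query text is built inside the application, so the application is where the fix lives.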
by michael 04.29.08 at 8:32 AM in /general - comments(0)
How do you know your laptop users aren't using their cell phone connection to access the Internet around your firewall while at work?
by michael 04.25.08 at 2:40 PM in /general - comments(1)
Thomas Ptacek continues some talk about the merits of (or lack thereof) "defense in depth" (DiD). He is not sold on DiD as a core principle for security design. Which I think is perfectly fine! Even though I believe in the value of DiD, it might not always apply in every situation.
Three things to start any DiD discussion:
1) Thomas quotes Eric about my first point: "But Eric also associates ‘depth’ with network security, not application security..." I think Eric is somewhat correct. Any discussion on DiD should start with where we're framing the discussion, application, network, other...
2) I've mentioned before about security religions. There is a group who does not accept anything but truly secure "stuff." Incremental or DiD principles need not apply. There is no use in arguing about DiD to someone who believes heavily in the absoluteness of security measures. These would be black and white people: either it is secure or not. Don't argue DiD with someone who fanatically believes in absolute security; DiD is absolutely worthless to them.
3) How do you define DiD? I know of two different definitions. First, DiD refers to layers of defense overlapping to cover deficiencies in other layers; complementary DiD. One blanket can cover half your car when it is raining, but a second, different blanket overlapping the first one can cover the rest of your car. Second, DiD refers to layers that sit like concentric rings. If you break through one, you still have to break through several more; additive DiD. Without defining our view of DiD, none of our analogies will be appropriate to compare.
I sympathize with the points raised about causing an attacker to take more time/effort to achieve an asset (attrition) and also cause them to trip more alarms in trying to evade everything you've thrown in their way (delay). Notice these don't *stop* an attacker, but they give defenders a chance to react better or avoid a compromise. Does an ad hoc military base erect walls such as to withstand missiles, tanks, and planes? No, they rely on detection of incoming threats and react to them. Kudos on the point of reaction, though, since many of these attacks are so quick to execute in the cyberverse. But in counter, I'd rather know after the fact than not at all.
Some comments paint what I think is a realistic vision of DiD.
One comment mentions that DiD is all about economics. This is increasingly being called risk management. If you have layered defense where an attacker uses his known parlor tricks to get into the outer crust, but has to spend a lot of time and energy to get any farther because he's not as knowledgeable about other techniques, the risk of him bullishly continuing to try may be small.
Another comment mentions DiD should not be "an alternative to rooting out and fixing vulnerabilities." Very true, but again this comes down to economics. It also seems to be the driving point behind WAFs. Rather than fix the code (which can be costly), just throw up a WAF and not bother fixing something that can be bandaged.
Complexity vs Security vs Economics...
by michael 04.23.08 at 3:01 PM in /general - comments(0)
(IN)SECURE Magazine Issue 16 is now available. Reminded about this by the ServerGuys!
by michael 04.23.08 at 2:13 PM in /general - comments(0)
So I've spent several days on Twitter, alternating between not watching to being interested in the goings-on.
My impression of Twitter is: IRC+IM+Web.
It is like IRC in meeting new people and hearing new voices, and having your voice heard by others you normally don't interface with directly; like sitting in an IRC channel with 50 others, you can just pipe up with something and get involved. I could have used forums instead of IRC, but forums are threaded and usually slower, while IRC feedback is far quicker and linear.
It is like IM in tracking the people you like to talk to, direct messages, and so on. Unlike IRC where people come and go as they wish (minus your friend lists), IM is far more dependent on you having added them as a friend and vice versa.
And combine that with web accessibility. Companies have long fought against the time-wasters of IM and even chat (ok, fine, IRC is largely blocked because of its prevalence in bot control mechanisms), but people still want IM and chat. Hence, they now use a port 80 web interface to do essentially the same thing. If that is blocked, there are numerous other portals, site plugins, and clients to use to get the access. We're destined to lose battles against cultural trends unless we're an organization that absolutely requires high security.
Also, Twitter is easy to use and enjoy. There aren't a ton of features, which I think is a key to anything "2.0" these days. I know, all sec pros should know how to use IRC and various chat clients (you're old/middle school, right?), but the reality is not everyone has ever fired up non-web-based IRC before. So, this makes the IRC chat part of the equation much more accessible.
It is definitely not bad, and I do enjoy it, especially since I don't get to use IM or IRC at work. Now, I can only join one public group of people in my Twitter club, but I can register other names for my other circles of buddies if I had any. :) I could even have a work name and a group with just coworkers about what we're doing or where we are.
by michael 04.23.08 at 1:22 PM in /general - comments(0)
Questions/tickets posted to me today remind me how much of a stressor it is to support developers. Typically speaking, developers have very few boundaries in which to solve their problems. Their lack of boundaries turns into my headache when they start finding creative (special ed) solutions to problems. Kinda like kids who want to do something but can't, and they find some unexpected, completely terrible way to do it that causes a hole in the wall.
And sometimes, it's not their solutions that suck, it's the bad initial requirements that suck and really aren't possible in a given architecture without a lot of unnecessary pain, cost, and compromise of security posture. And of course it's my team that gets to be the mean parent...
by michael 04.23.08 at 11:00 AM in /general - comments(1)
An article on CNET about a LendingTree data leak made me pause for a moment.
Several former employees of LendingTree are believed to have taken company passwords and given them to a handful of lenders who then accessed LendingTree customer data files, the company said.
LendingTree could also face lawsuits from its customers, as well as sanctions from the U.S. Federal Trade Commission, particularly given the potential for identity theft...
I hope that those employees were already "former" when these incidents occurred. That makes life a lot easier. But what if they were still valid employees who gave away their valid passwords to a presumably remotely accessible system (web portal, most likely)? That just sucks. We go from corporate negligence to malicious insider, and that's a world of difference.
This should bring up questions of how to make authentication non-transferable. Or about the need and scope of remote access. Or that we simply can't be perfect and sometimes, especially with malicious insiders, ultimately our only recourse is rigid auditing and alerting.
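The "rigid auditing and alerting" the post ends on, as an added example that is not part of the original post and has nothing to do with LendingTree's actual systems: two detections run over constructed portal login lines. The first flags an account that authenticates from more distinct source addresses inside a rolling window than one person plausibly would (a shared password), the second flags any successful login by an account on an assumed HR list of terminated users. The log format, the users, the addresses and the terminated list are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of remote-portal authentication log lines (not from any real system).
LOG_LINES = [
    "2008-04-22T09:01:12 login user=jdoe src=203.0.113.5 result=ok",
    "2008-04-22T09:04:40 login user=jdoe src=198.51.100.77 result=ok",
    "2008-04-22T09:12:03 login user=jdoe src=192.0.2.200 result=ok",
    "2008-04-22T08:30:00 login user=asmith src=203.0.113.9 result=ok",
    "2008-04-23T08:31:00 login user=asmith src=198.51.100.3 result=ok",
    "2008-04-22T10:15:27 login user=bformer src=192.0.2.44 result=ok",
    "2008-04-22T10:16:00 login user=cjones src=203.0.113.5 result=fail",
]

# Assumed HR feed of accounts that should already be disabled; constructed for the example.
TERMINATED_ACCOUNTS = {"bformer"}

LINE_RE = re.compile(r"^(\S+) login user=(\S+) src=(\S+) result=(\S+)$")

def parse_events(lines):
    """Turn raw lines into (timestamp, user, source, result) tuples; skip malformed lines."""
    events = []
    for line in lines:
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        ts, user, src, result = match.groups()
        events.append((datetime.fromisoformat(ts), user, src, result))
    return events

def shared_credential_alerts(events, max_sources=2, window=timedelta(hours=1)):
    """Flag accounts that log in successfully from more than max_sources distinct
    addresses inside any rolling window. Returns {user: peak distinct-source count}."""
    by_user = defaultdict(list)
    for ts, user, src, result in events:
        if result == "ok":
            by_user[user].append((ts, src))
    alerts = {}
    for user, logins in by_user.items():
        logins.sort()
        peak = 0
        # Anchor the window at each login and count distinct sources seen within it.
        for ts_end, _ in logins:
            in_window = {src for ts, src in logins if ts_end - window <= ts <= ts_end}
            peak = max(peak, len(in_window))
        if peak > max_sources:
            alerts[user] = peak
    return alerts

def terminated_account_alerts(events, terminated):
    """Any successful login by an account on the terminated list is an alert on its own."""
    return sorted({user for _, user, _, result in events if result == "ok" and user in terminated})
```

The window and threshold are the tuning knobs: a sales force on hotel Wi-Fi will need a looser setting than a back-office team, and the terminated-account check only works if the HR feed actually arrives, which is the non-transferable-authentication problem in another form.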
by michael 04.23.08 at 9:56 AM in /general - comments(0)
Slashdot ran an email from a senior security engineer lamenting his company's ethics in security auditing. Dan Morrill posted about it, which was my first exposure to it. I posted a comment on his blog, and he sort of lightly guilted me into posting it on my own blog here. Honestly, I had some points in it that I kinda didn't want to just lose to the ether, and instead save them here for myself.
So read Slashdot first, then Dan, then my post will make more sense. I will concede points that say audits really are a bit about negotiating your security value, but I think it needs to be documented. Risk A, mitigating factors B, accepting C...
I know it's a cop out, but I would look for work elsewhere. It's not only a cop out, but also a bit of a cynical approach. But once you drop down this road of fudging the risks/numbers, where do you stop? Where do you re-find that enthusiasm for an industry you're helping to game? What if your name gets attached to the next big incident? What if the exec that got you to bend throws your name out to others looking for the same leeway? Integrity is maybe our most important attribute in security.
I know strong-arming (or outright lying!) happens, it always happens. I think the only way this won't happen is to have a very mature, regulated industry much like insurance or the SEC/accounting/financial space.
Of course, this also means we need to remove or greatly reduce subjective measures and focus on objective ones. Those are the ones we hate: checkboxes and linear values. Those suck to figure out, especially when every single org's IT systems are different. I just don't think that will happen for decades, if that. Unlike the car industry or even the accounting disciplines, "IT" is just too big and broad and has too many solutions to control it.
This leads to one of my biggest fears with PCI. Eventually it will be something negotiated, and the ASVs will be the ones taking the gambles. Lowest price on a rubber stamp PCI compliancy. Roll the dice that while we roll in the money, our clients don't get pwned in the goat...good old economics and greed at work.
This also penalizes the many people who are honest, up front, and deal with the risk ratings in a positive fashion. Sure they may get bad scores, but that means there is room for measurable improvement. There are honest officers and people in this space. But there are also those who readily lie and deceive and roll the dice on security, and those are the ones who will drive deeper regulation and scrutiny.
--
I'm confused by the post itself. I'm not sure if his company is being strong-armed or if his company is doing the strong-arming.
If his company is being strong-armed, then any risk negotiation should be documented. "We rated item #45 as highly important. Client (name here) documented that other circumstances (listed here) mitigate this rating down to a Medium."
If his company is doing the strong-arming, you might want to just let the senior mgmt do their thing. Ideally, if shit hits the fan, it is the seniors that should be taking the accountability, not others, especially if they've been involved in the decision making processes.
With this line of thinking, there is another thing: the geek factor. As a geek, I tend to know about and inflate the value of very geeky issues. It is often up to senior mgmt or the business side to make decisions on the risks. Sometimes, the decision is made to accept the risk. This means possibly not fixing a hole because the cost is too great, even if there is a movie-plot potential for a big issue. It might be an approach to sit back, take some time and reflect on the big picture a little more. Are these strong-arm tactics covering up truly important things? Or are they simply offending our geek ethic?
One could also weigh in on what would be your proper measure of security? It is always a scale between usability and security, and in the words of the poster, there will always be some scale that involves accepting some risk in order to keep one's job. The alternative is to be so strict about security that you could only get away with that in a three letter agency or contractor thereof!
--
Ok, after all of that, if the guy wants to keep his job (or not I guess) but yet blow the whistle on such bad practices, I'll have to put on my less white hat and give some tips.
It sucks to do, but sometimes you do have to skip the chain of command and disclose information to someone up above the problem source. I'd only do this after carefully considering the situation and making sure I have an out. Even an anonymous report to a board of directors is better than silently drowning with the rest of the ship.
If there is a bug or vulnerability in an app or web app, get it reported through your reporting mechanisms internally, like a bug system or ticket system. Get it documented. The worst they can do is delete it, at which point you might want to weigh disclosing it publicly somehow... (of course, by that time, they'll likely know it was you no matter how anonymous you make it).
If the company is big enough and the issues simple enough, you might get away with publishing anonymously in something like 2600, The Consumerist, or a general blog from a third party. Sadly, when trying to get people to understand technical risk, it can be difficult to be precise, understandable, and concise. If the guy belongs to some industry organizations (Infragard, ISACA, etc) perhaps leaning on some trusted (or NDA-backed) peers can be helpful.
by michael 04.18.08 at 7:43 PM in /general - comments(0)
I just signed up for Twitter. I also embedded a tracker for just my posts over on my right menu bar up near the top.
I've been online a relatively long time now, nearing 15 years, which has included a lot of social stuff (IM, IRC, forums...). Because of this, I'm not terribly quick on utilizing various newfangled social networks. It's a lot of work to maintain a presence, and most of my old stuff still works just fine for me. But Twitter looks interesting and mildly useful, basically a web-based IM system when used with others and a more streamlined, eye-blink, stream-of-consciousness blog/journal type of thing when used alone.
I don't really have ambitions for Twitter beyond logging my own goings-on that aren't quite blog-worthy, so feel free to invite/abuse/include me in whatever. Never know, I may instead decide half my posts to Twitter are useless to even me, and the rest I could just roll into blog posts... I certainly have that freedom since I have no ambitions with my blog itself (hence no ads or viewer tallies!).
by michael 04.17.08 at 1:44 PM in /general - comments(2)