.: December 2007 Archives
Over on Chris Shiflett's blog
is a guest post from Elizabeth Naramore, php/web developer, in which she talks about commenting and documenting code
, using a dishwasher as a common analogy. The post is well-written and can apply not just to code documentation, but security process documentation as well. Many of my colleagues hate doing documentation and as such we have painfully little of it, but I'll always do my best with it because I think it is especially valuable. I think some people think it is so simple, they never get around to it, and as such, this "simple" thing never gets done.
by michael 12.03.07 at 11:27 AM in /general
Does information really just want to be free? Or systems that is?
In the beginning we had ports on systems running their own services. Port 80 had HTTP. We blocked ports we wanted to stop.
Then services started tunneling themselves through port 80. We started inspecting traffic over port 80 and denying what was obviously an improper request, usually HTTP. We even added software installation denials.br>
Applications started going to the web, because then they look like the normal HTTP traffic we didn't want to block, and used an application on the desktop they knew we couldn't fully deny. We need more application-aware blocking (deeper inspection, HIPS, and even DLP types of technology).
Soon, I suppose Google will offer up the OS on the web, and we'll connect to a portal that will offer us everything we need, a veritable AOL "walled garden" on the web. What then? Vista is portending the death of the OS as we know it...right? A return to dummy terminals, only this time enabled on the Internet through the browser?
Is security to blame for part of this?
(Let's say we do get back to client-server types of architecture, does that mean we're done with endpoint security because the endpoints will become expendable plastic? Will the Web OS go the way of AOL? Sure, it may eventually offer a ton, but do users really want the freedom to do what they want, even if those choices and risks are bad? Do you want to decorate your house one way, and just adhere to slim building and fire codes or rather have a cookie-cutter home with small cosmetic differences? Ahh...)
by michael 12.03.07 at 2:23 PM in /general
Just a quick link to a 2-page pocket reference card [pdf]
from Joshua Wwright for 802.11 headers, wireshark filters, and kismet keys.
by michael 12.05.07 at 8:37 AM in /general
As this year has gone by, one thing has become pretty solidified in my mind: training for security and IT/developers is necessary. I'd rather have training for them than for users in general. Not all security measures can be adopted in every organization, so not just technical training, but training to be aware of the risks and how they affect the business needs. For instance I can see some organizations thriving while users run as local admins. Why? Because the risks are known and dealt with in other, often-times more creative ways. And yes, this may incorporate user awareness training. I'm not against user awareness, I just put it lower on the priority list.
If you can't build things securely, or secure them accurately and quickly, then business needs will almost always win over security. From tasks to projects to software.
One might think training should be for manager levels as well. But I would counter that managers can learn a hell of a lot from their employees, with good, trusting communication.
by michael 12.05.07 at 9:16 AM in /general
An interesting look at the Ron Paul spam event a month ago
, including the web interface for the Ron Paul spam job.
by michael 12.06.07 at 10:22 AM in /general
April Fool's Day idea for sites bigger than mine: Replace the site front page with a fake Websense/SurfControl blocked message and get everyone to ask their admins what's up. "I swear, we're not blocking it! I don't know what's going on!"
by michael 12.06.07 at 1:19 PM in /general
I started out the week pointing towards people doing some thinking. I figure I'll end the week the same way.
Bruce Schneier posted an article about home user security knowledge
I really like, since I've been saying the same thing, roughly.
At work, I have an entire IT department I can call on if I have a problem. They filter my net connection so that I don't see spam, and most attacks are blocked before they even get to my computer. They tell me which updates to install on my system and when. And they're available to help me recover if something untoward does happen to my system. Home users have none of this support. They're on their own.
Absolutely true. When I purchase a car, do I have a manual on how to tune and maintain it or troubleshoot it when things go wrong? Do I even get to see the standard specs for safety and security? Hell, do I get a lesson in changing my oil? Nope. And we expect people to "get" the much more ephemeral workings of a computer when not everyone has nearly the logical mind that most techies have? Yikes!
If we want home users to be secure, we need to design computers and networks that are secure out of the box, without any work by the end users. There simply isn't any other way.
I agree, although that doesn't mean we should dump user awareness totally. But really, corporations (and us geeks!) need to buck up and help their own employees at least a little. Training at work about security and computer usage will carry over into their home life. If nothing else, perhaps they can bounce home computer questions off the cyber talent present in the organization. I know us techs hate troubleshooting home PCs, but giving free advice is not nearly as painful.
What digs at this approach, however, is while advice is free, most people just want someone else to do it and do the thinking, the dirty work. Not everyone is into computers as much as us geeks, and they simply don't want to be. Just like I don't change my own oil, and really don't want to be troubled with it, despite how necessary it is to protect my investment. Anything beyond "don't install random things," and "don't click links in email," is still too much to trust most end users to understand.
Sadly, we have a huge computer security industry now, and they simply will not let someone like Microsoft put out a solid, more secure OS. Which puts us in a real bind... In the end, insecurity may just be a permanent reality, just like crime in general is a permanent reality, or home insecurity is a permanent reality (when assuming cost is realistic).
by michael 12.07.07 at 2:12 PM in /general
Jeremiah Grossman has written about how Full Disclosure is dead
. Good article, and some interesting comments on his blog.
Is FD dead? Well, not really, but even as attackers have criminalized to realize profit, so too have "researchers" grown up and realized they can get jobs doing this fun hacking stuff. With jobs comes some professional integrity, maybe not just with proper disclosure, but with not getting into legal trouble and becoming the next rogue IT admin plastered around the presses. Heck, some of these guys get jobs for their silent disclosures, or money for reporting them and shutting up (a sort of legalized form of extortion or ridiculously cheap labor, take your pick).
We can also see this with far less people hiding behind aliases, and likewise the number of hobbyist security persons.
Is FD dead? I don't think so, but the pool of people who *can* provide FD has greatly diminished. Should FD die? No, because in many cases I prefer FD to staying hidden in the darkness of naievity. We certainly need it, and if FD does ever appear to die, I'll be willing to bet yet another cyclical counter-counter...counter-culture will emerge fighting against The System and not playing as complacently as the rest of us aging geeks are doing.
by michael 12.07.07 at 2:44 PM in /general
An article on ComputerWorld
illustrates why I don't care for media rags and prefer news straight from security professionals (blogs, email, etc).
State officials announced late last week that they have agreed to purchase about 60,000 licenses of McAfee Inc.'s SafeBoot encryption software.
Ohio officials moved to launch a hefty security policy makeover after a backup tape containing Social Security and other personal information of residents was taken from the car of a government intern in June.
What's wrong with this picture? Well, even the article lists the features of SafeBoot, and they don't include encrypting backup tapes. So this is a misleading article that any knowledgable IT staffer in Ohio has to be a bit annoyed about. That's also a hell of a lot of licenses. I wonder how long and how painful that roll-out process is going to be...
It also goes to show that while Ohio may have some policy, process, and people problems when it comes to digital security (and have maybe addressed them!), the measures that seem easiest to do and report on are technological controls like the purchase of yet more software to patch the problems. Reminds me of conversations about internal security. "Upper management would rather not think about internal employees being malicious; they want to trust and empower them, not treat them as potential criminals." Hence, technology is a far easier pill to swallow for such paradigms...
by michael 12.12.07 at 9:42 AM in /general
Saw posted on NoticeBored
a link to an August 2006 Microsoft paper describing measures to combat social engineering
. It's a 30+ page paper that goes over quite a lot of different classes of social engineering tactics like phishing, web page exploits, service desk calls, and even in-person conversation which reminds me a lot about secret Tradecrafts... Linked for my own future reference.
by michael 12.12.07 at 10:24 AM in /general
is a free (hopefully it stays free!) streaming music service that sends out music based on your preferences, kinda like a Netflix queue that adjusts as you rate music. You start out by picking some artist or band whose style you want to listen to, and the system provides the rest.
You can listen to a few songs before being nagged about registering. You can then register for free and supply whatever information you want; there was no email validation or anything.
It worked great at home on Ubuntu + Firefox. I was in an electric mood so I chose Underworld as my initial seed and got a nice 3 hours' worth of decent music with one exception of some Nickelback-sounding pop rock song that came in. No idea how it got in my list, but you can click a "thumbs down" for any song. It'll log your preference and skip right to the next one.
I really dig SomaFM.com's Groove Salad
, but Pandora will definitely vie with them for my web radio pleasures as long as they stay free and have as varied a mix as they seem to have at first blush. If they do, this truly is the future of "radio" and music exposure. Much like the past decade and more where I've expanded my tastes and horizons through mp3 sharing (and thus spent money on those I liked!), this is serving me up that same benefit without the hassle of finding, downloading, and sorting it all myself.
by michael 12.14.07 at 8:25 AM in /general
Josh Wright earlier this year posted a couple wireless security papers which are quite valuable. First he talks about wireless framing; basically a blitz through how wireless 802.11 works
. There is also a paper about 5 wireless threats we may not know about
. In the list, Wright mentions 802.11n (Greenfield mode) and Bluetooth rogue APs. I think scanning for rogue APs using kismet is becoming fairly common in concerned organizations (or by concerned geeks anyway). But how does one begin to scan to find these other wireless technologies?
can be used, plus there are other papers on pentest.co.uk
should also work, although I'm not sure if this is the same tool that was absorbed into Aruba Labs
I'm sure there's more, I'm just not coming up with them at the moment.
AirMagnet's Laptop Analyzer
will detect 802.11n signals. I'm not sure what else is available out there for this new tech.
I'm sure pretty soon there will be scanners
for detecting vulnerable wireless keyboard/mice devices
(pdf)) as well...
by michael 12.14.07 at 1:00 PM in /general
Not sure where I found this, but this blog reviews the upgrade from Windows Vista to Windows XP
(yes, that's worded properly). Nice read! I'm still eyeballing parts for my 2008 gaming machine that I plan to build early next year, and I've really not been sold on getting a Vista license with it. I may as well stick to XP since I know everything will work just fine with it, and I don't have any need for the graphics or security enhancements since this machine only does one thing: play games. The only real reason I would want to use Vista is to be familiar with the OS and support it if users have questions. But maybe I'll not sweat that until my company decides to migrate to it...
For the system itself about the only thing I've not decided upon is the case and cooling, and the little bells and whistles that come with them.
by michael 12.17.07 at 1:16 PM in /general
This post talks about various Linux services in Fedora and Ubuntu (Debian) systems
, along with a recommendation on turning them off or not. I really like knowing more about some of the mysterious services running. Normally with Linux, I wouldn't do the whole "Windows thing" about disabling services because they start on their own, but with Ubuntu I think there is plenty of extra stuff that can be turned off with no ill effect. This might help guide me a bit.
by michael 12.17.07 at 3:07 PM in /general
Every now and then I'll see a post about interview questions for geeks...I mean, IT employees. One question that just came to mind involves a security position, or one that requires a person who has security in mind.
You have the following services known in your organization. Where/How do you look to keep current on the security issues in these services? Cisco, Microsoft Windows Servers, XYZ ticket system with ABC modules, Skype for IM/VOIP, HP laptops (chosen for a reason), Fedora/BIND DNS servers, IE6 as only desktop browser, and so on...
The obvious first answer all IT persons should give is the manufacturer's website for patch releases and advisories. But the real security-minded people will know how to go beyond that. For Windows, there are any number of ways to view security released either by WSUS, MBSA, or many dozens of sites that post about them every month. Securiteam, Bugtraq, Full-Disclosure, Secunia, and various other vulnerability disclosure sites have RSS feeds and/or mailing lists that discuss or announce various issues, sometimes in advance of the manufacturers having fixes out. Further knowledge of services like McAfee's internal threat announcement system can be a bonus as well, especially if it pertains to what you have already deployed in your environment. "Omigosh, they already know about Snort and how to properly update and read new signatures! They're relevant to me already!" And yes, the ability to subscribe to Bugtraq is one thing, but can they pick out the necessary information from the non-interesting stuff? Do they know the Linux teams regularly post out their advisories there? And so on...
by michael 12.19.07 at 1:43 PM in /general
In case you don't see these, Accuvant has a regular security news posting called Five Minute Security Digest
that has some info and links to various articles posted online. You can subscribe from the top of the page if you like these emails.
The last story is a link to a Google search
for Belarc Advisor reports posted on the public nets. Whee, I could always use extra Win XP keys for my old test systems!
by michael 12.19.07 at 4:20 PM in /general
I can't imagine anyone that may read my site doesn't read Bejtlich's blog, so this post is just a reference for me. Bejtlich has posted a thoughtful blurb
dealing with several very poignant issues that I firmly agree with. I know digital security has several absolute Laws (no silver bullet, you will be intruded, etc), but some of the included topics of the post are what I would call Demi-Laws or sub-Laws; things typically true and should be kept in mind in any digital security situation.
- management by belief (I think a Bejtlich term) increases up the organizational ladder; i.e. as one gets away from operations and hands-on day-to-day. The real pulse of an organization's security rests with the incident responders and operations guys.
- somewhat related, the bar of acceptable security likely rises as one decreases down the organizational ladder to the operations guys. The techs typically can't accept risk, whereas managers can; thus operations tend to be far more difficult to satisfy.
- management does not like hearing "yes, we spent $xxx on a security technology but it is still not ensuring our complete security in even that field. Security requires a different definition of success which we need to explain at every opportunity.
- digital risk is much less obvious to see; compare "network is slow" vs a SQL injection error leading to database leakage through your website.
Everyone should be asked the point blank question Bejtlich asks: Do you believe all of your defensive measures are 100% effective?
One of my top Laws is security will fail. We have to accept that, and then the answer becomes apparent and we can move forward without living in some warped rose-colored reality.
Do you know how often people know better about some topic, but feign ignorance? Sometimes it's when they find out, sometimes it's to themselves. It's an interesting psychological issue... I think our culture tends to have this pull towards living in some state of ignorance about most things...
by michael 12.20.07 at 9:15 AM in /general
Saw this posted by Ben Rothke
, Lee Kushner, founder and CEO of the information security recruitment firm LJ Kushner and Associates, about fundamental IT career questions. It's nice to see that I've asked myself this same battery of questions the past few years, albeit in different ways and words. It seems a very common sense and effective approach.
1. What are my long and short term plans?
2. What are my strengths and weaknesses?
Both soft and technical strengths and weaknesses.
3. What skills do I need to develop?
It seems more appropriate to say "want" instead of need. If I want to develop the skills I also need, I'm in an appropriate career for my happiness goals.
4. Have I acquired a new skill during the past year?
This is great for revising a resume or evaluating a current job. I like to separate this between new skills learned on the job and new skills learned on my own.
5. What are my most significant career accomplishments and will I soon achieve another one?
6. Have I been promoted over the past three years?
Promoted or given raises would be my take on this.
7. What investments have I made in my own career?
by michael 12.20.07 at 10:06 AM in /general
I'm not afraid of storms, for I'm learning how to sail my ship. -Louisa May Alcott
by michael 12.20.07 at 10:41 AM in /general
DarkReading recently posted Security's Top Five Priorities
. I wasn't going to post on this, but my manager made this a homework assignment as we're going to discuss it at our team meeting today, so here's some notes.
1. The Portable Problem
- We can encrypt everything: PCs, thumb drives, portable devices, backup tapes. This should also deal with things (data) leaving our control and things (data, devices) coming into our control. Data Leakage Prevention may be a good logging mechanism on what is leaving, and device port control may help control things coming in. I'm not personally sold on NAC/NAP, although...
2. Web Two Point Zero-Day
- Nice title! I think the authors missed making the distrinction about two very important veins in talking about Web 2.0 attacks: serverside concerns and userland concerns. Serverside concerns deal with fixing up the issues in web applications and making sure they are not opening holes to internal footholds or data that external users should not have; SQL injections, XSS, file executions, and so on. Userland deals with better assurance that users wielding a browser as they surf a website are not going to get pwned or catalyze a site-wide pwnage. Proper SDLC, developer education, regular audits will help serverside issues. Userland issues are much more difficult: endpoint security, browser and OS hardening and possibly even tools like NoScript, web filtering, gateway malware detection; user education about best practices as well as education on data leakage by posting confidential stuff to the Internet.
3. Attacker Inside!
- Monitoring and logging, i.e. an audit trail, is paramount when it comes to detecting/preventing insider attacks. Database access monitoring, least privilege when it comes to network and data access (as opposed to OS access), and separation/rotation of duties could help. Likewise, making sure "small" security breaches that go against policy are truly dealt with, as opposed to ignored such that it creates a bad slippery slope.
4. Endpoint End Game
- This is the big one these days. From encryption of the device to OS hardening, HIPs/firewall, device restrictions (USB...). This is also where user education comes into play, teaching users about the risks of using wireless, laptops, what data is important, social engineering issues, software policies (P2P), and what to do on laptops when not away from our more secure network where web filtering and gateway controls won't block malware from malicious sites.
5. Botnet Bugaboo
- There's far less we can do about botnets than the other five issues, but as I've long predicted, they are a very real spector looming over the Internet. A lot of power that has thankfully not yet been wielded in a way that impacts me too much. We do have two things we can do. First, prevent PCs from becoming part of a botnet. This should include detection of C&C communications through IDS/IPS. Second, perhaps think about a strategy for responding to a DDoS attack, either directly to us or affecting us as collateral damage (we're amplifying it or part of the same ISP block). The former doesn't seem to require anything beyond endpoint and network security in general, and the latter is still pretty "out there" to be a huge priority beyond just thinking about it. I think ISPs, public networks, and security reearchers/products have more to worry about here.
by michael 12.20.07 at 11:40 AM in /general
I knew US citizens got a free yearly credit report, but I didn't know I could get one from each major bureau. I saw this at Security Operandi, and links to get reports at the bottom of the post
. As he states, the best way to combact identity theft and fraud on a personal level is to monitor your credit report and statements closely.
by michael 12.26.07 at 2:50 PM in /general
For Christmas, Andrew Hay
linked over to a SANS paper by Shane W. Robinson, Corporate Espionage 201
. Excellent little paper, and I thought I'd pull some info out and post it.
The idea of using Netgear XE102 devices
to deliver ethernet over electrical lines is interesting, but I didn't know it had gotten this far. For under $100, one can get a pair of these and start experimenting. Pretty soon we're going to need some electrical outlet monitoring devices to listen for these signals being passed...
Silex has a SecurePrint device
which will hold print jobs until the requestor walks over to the shared printer and is authenticated via their fingerprint. This seems to run around $500, which is a bit expensive for me to buy as a simple home toy, but might be justifiable if you can get dedicated printers out from HR/execs/managers/account managers and get them to securely use a workgroup printer. Still, if there is any issue with workground printers holding possibly confidential information in their print tills for too long, or grubby fingers picking up other people's pages, this could be pretty useful.
does what it sounds like it would do, especially when paired with the context of mobile laptops: locks down ports and drives. No idea how much this runs or even how truly effective it might be in a corporate setting, but I know we and many others are still wrestling with how to tackle device security on this level.
is a GPS logger which can be attached to a car, left to log the driver's travels, and then loaded into GoogleEarth or other programs. Just a small hop below real-time GPS locating technology. Can be found on Amazon for roughly $200, and others can be found by searching for "vehicle tracking." I guess parents can use this to track their kids, eh? Jealous adults can track their significant others, and corporate spies can use this to profile assets. I wonder if the old concept of a surveillance society included the idea that everyone can surveil everyone else!
The LogiCube Sonix
or Forensic Talon will provide fast media/drive duplication for well over $1000. Until encryption becomes widely used, it can be very exciting (or sobering) to think about what can all happen to a media device in an unintended party's hands..
And to drive home the need for device port security, you can get a wristband
that looks a heckuva lot like the "Be Strong" wristbands, but packs a USB port inside it. Load up your favorite USB-capable distro...
by michael 12.27.07 at 12:43 PM in /general
Want to look someone up? Well, this blog post doles out some links to some fun people searching sites
. As much as I'd like to say it found me out, there are quite a lot of people who share my name, and the only information I found on me was dated at least 4 years ago. Almost tempted to add this as a "people search" menu item on the right...but not really sure I'd use it unless I was a hiring manager or something....
by michael 12.27.07 at 2:27 PM in /general
You use Google as your search engine, and you do searches for all sorts of stuff from your home connection with a predictable IP address. The resultant data kept by Google will likely eventually be sanitized with a unique identifier that won't be tied to you. But as we've seen in the past, we can analyze all the searches I've done with that unique identifier and create a very real profile of me. Most likely you'll find my habits, purchasing trends, most likely where I live thereabouts, and so on.
With RFID still being talked about, can you still have a problem with encrypted RFID tags or passports and such? Sure. While I might walk around with my RFID-enabled passport, various stores I shop at won't be able to decrypt my passport information, but what if they could detect and copy it? They can track me without really knowing me. Get a wide enough subset of data by someone/something that can get long-range detection, and you can easily see where I work (I spend 8 daytime hours there), where I live (I spent 14 evening hours there), where I can to lunch, and my favored shops...
I wonder when cell phone tracking will become a marketing data set? It's on me all the time and it is on. You can see every place I go by tracking it...again, even if you don't know me.
Without knowing me, you can still know me...and given the ease of reading RFID devices and/or cloning of them... Hrmm...I bet in ten years I could get a Harry Potter-esque clock that lets me know when my kids are within proximity of my house and pop their portrait out when they're home.
by michael 12.27.07 at 3:39 PM in /general
In case you've been too busy to keep up with the popular news, a video has been created where several wireless keyboards were recorded and their keystrokes decrypted
. Nice video, and of course I'd love to get my hands on the gear/software.
by michael 12.27.07 at 11:50 PM in /general
WatchGuard has produced a user awareness training video dealing with good password habits
. A good quality video, although I don't think we need to bug users' eyes out with 14+ character passwords. With proper regular rotation (60 days), they don't necessarily need to be insane lengths unless the accounts are especially sensitive.
by michael 12.28.07 at 12:01 AM in /general
Andy ITGuy posted a picture of a login and password taped to a keyboard
. Awesome! So, how does one combat this besides just waving the policy around (since I'm not gonna bet my salary that that will work)?
First, I love the idea of walkarounds. I know it sounds juvenile, but some night do a walkaround inspection of the premises, especially cubicles/workplaces. THis can be done in phases of small random samples, as well.
Second, document and fix any mistakes. That login information on the keyboard? Photograph it and remove it and destroy it. That way the next time someone needs to get on there, they have to ask someone or make a cognizant effort to recall the information. That might be all the goading they need!
Third, maybe write up people who break the rules, but that is difficult at times to get managers and HR to get behind and put some teeth into. Instead, dock teams of people (or departments) points for policy breaks and reward the teams who break the least rules. Give em an extra day off, a pizza lunch, or whathaveyou. And no, a luncheon with the CEO is NOT a reward (yes, I've seen that!). Make it something people want just enough to add a little social pressure to comply. And try to keep it on the positive side of conditioning.
by michael 12.28.07 at 5:28 PM in /general
Some topics in the security field are important enough to always be visited, even if a solution or consensus is not met. Such topics can lead to formulating entire paradigms on how we approach our daily security decisions personally and professionally. In fact, these discussions are important to me whether I agree with them or they run fully counter to my own views and I certainly do love bookmarking excellent essays.
Kurt Wismer has recently posted a couple such topics that I think are especially important to keep in mind. First, Kurt talks about why vulnerabilities are just never going to go away
, and what that means to our approaches. Second, he probes the question on what average users need to know
about their computer security.
by michael 12.31.07 at 1:39 PM in /general
I like this list of threats and risks and whatnot from the CISSPForum
[pdf]. It is a small 8-page document (1 page intro, 2 pages references and closing) which is a nice blitz on the topic. I really dig that each section is a printed page, so can be easily posted and/or digested over time. Totally recommend reading it through once.
by michael 12.31.07 at 4:27 PM in /general