March 2008 Archives
I've finished up my part in the 2008 Winter Scripting Games. I pretty much stuck to PowerShell Advanced and also some of the Sudden Death events due to time constraints. I skipped anything not specifically code-related. I'm happy with the events, and very happy that I was able to complete all the Advanced events in only about 3 days of effort. Other than last year where I actually didn't finish one event, I expect a perfect
My submissions are compiled on the wiki page
by michael 03.03.08 at 1:51 PM in /general
over to James McGovern, who posted a list of 10 mistakes that CIOs consistently make that weaken enterprise security. I want to highlight a couple things. Take your time reading McGovern's post, since it does seem a little muddled and sometimes packs two distinct points into one bullet item (see: ostrich principle). In fact, I don't necessarily agree with a few of these, as worded.
Use process as a substitute for competence
- I see this in IT as well as security, and sadly, it is a natural business reaction to any little thing that goes wrong that costs the company more than $5. Someone put a can in the paper recycle bin by accident! We must investigate, formulate a new process, and ensure that this never happens again! Right... I am fine with improvement, but business too often gets ridiculous about this, covering up incompetence with processes. Carry this on for a few years, and you have lots of fluff and frustration and few real answers. Some would call this a "bigness mentality."
A trend I see in McGovern's post covers the superficiality of many security endeavors.
Rather than actually making a difference or tackling root problems, many points he brings up deal with avoiding the problems, or implementing shallow fixes which aren't fixes at all. Some people purposely do these things, but I feel that most of these are a symptom of a lack of empowerment and competence. Business must empower security professionals, but they must also get and train up competent professionals. Taking either leg away can result in the things McGovern is pointing out.
And some things I think could be better worded.
Putting network engineers in charge of security
- This is pretty general, as I'm sure there are plenty of network engineers who could excel when managing more security than just the network. An inference from what McGovern has said is that security practitioners need to know everything. I think what McGovern is really trying to say is to make sure the people most qualified to secure XYZ are the people who know the most about XYZ. Network engineers can secure the network; application developers can secure applications. But finding someone to do them all is like trying to find that silver bullet box that will provide everything. Ok, so there are some all-stars out there who can get their hands in it all, but waiting to find them is not a practical expectation. Here's a question, though: Let's say you have a kickass, security-aware network engineer. If you put him in charge of security, what risk are you still leaving open? If your application gets pwned, can he still detect it, monitor it, maybe even limit the exposure? Perhaps. Will he be able to fix the application? Most likely not, but he can certainly be a huge part of the security team.
Hoff throws a few nuggets in as well.
Security is top secret, we can't talk about what we do
- This is natural to us security guys. We don't like to tell people about our measures because then people can avoid them. If we use hidden cameras but talk about them, then an insider can just hide their face at the appropriate times to thwart identification. Likewise, we tend to think like attackers, which means we talk about our security measures from the negative side: in terms of the ways to get around them. It's like defining brightness as the absence of dark; we describe the strength of our security by how easily someone could cover the camera. But that's not how we should answer when asked about security. We should make our jobs as transparent as security allows. A lot of our need to "align with business" is simply being transparent with our controls.
by michael 03.04.08 at 3:50 PM in /general
It has been known for a while that a FireWire port can own memory: an IEEE 1394 controller does DMA, so a device plugged into the bus can read and write physical RAM without the operating system being involved. The idea is getting new traction now alongside the "cold boot"/"memory remanence" attack on laptop FDE. Adam "Metlstorm" Boileau has released his python script that can unlock a Windows box through the FireWire port. Keep in mind this accesses memory (RAM!) to do its dirty work. I've seen announcements of this here and many more places.

I can't confirm this, but I think this attack requires connecting a Linux box to a Windows PC via FireWire (you can just do this directly), running a tool (tar.gz) to gain DMA access (Direct Memory Access), and running the python script on the Linux box. The script can cause all passwords to succeed on a locked system, can just unlock a system, or pop up a shell at the winlogon prompt (basically get into the system without logging in). I've not tried this, but I think this is as simple as it gets.

The mitigation to date is to turn off your FireWire ports when they are not in use, or not allow anyone else physical access to them. In practice "turn off" means disabling the 1394 controller itself (in Device Manager on Windows, or by blacklisting the firewire/ieee1394 kernel modules on Linux), not just leaving the port empty: as long as the driver is loaded, an unused port on a locked laptop is still a live DMA path. Note what this means for FDE too: on a machine that is booted but locked, the disk keys are sitting in RAM, and a screen lock is irrelevant to a device that reads RAM directly.
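As an added check (not code from the original post, and not part of Boileau's tool), this script audits a Linux host for the two things the attack needs on the target side: an IEEE 1394 controller present on the PCI bus, and a kernel driver that has brought it up. Controllers are identified by PCI class code (base class 0x0c, subclass 0x00, which is how the bus reports a 1394 controller regardless of vendor) and drivers by name in /proc/modules. The sample sysfs and /proc/modules contents embedded below are constructed; the module name list, the "exposed" heuristic and the blacklist file name are assumptions.

```python
"""Audit a Linux host for IEEE 1394 (FireWire) controllers and drivers.

Added example; it is not code from the original post or from Boileau's
tool. It checks the two things the attack needs on the target side: a 1394
host controller on the PCI bus, and a kernel driver that has brought it up.
sysfs and /proc/modules contents are passed in as text so the logic runs
offline against the constructed samples below; read_host() collects the
real ones on a live Linux machine.
"""
import glob
import os
from typing import Dict, List, Tuple

# PCI class code layout (24 bits): base class 0x0c = serial bus controller,
# subclass 0x00 = IEEE 1394, low byte = programming interface (0x10 = OHCI).
FIREWIRE_CLASS = 0x0C00

# Old ieee1394 stack and newer firewire stack; the sbp2 modules expose
# SBP-2 (storage over 1394) on top of them.  Assumed list; extend as needed.
FIREWIRE_MODULES = {"ohci1394", "ieee1394", "sbp2",
                    "firewire_ohci", "firewire_core", "firewire_sbp2"}

# Constructed sample input (not from a real host).
SAMPLE_PCI = {
    "0000:00:1d.0": "0x0c0300\n",  # USB UHCI: same base class, other subclass
    "0000:00:1f.0": "0x060100\n",  # PCI-to-ISA bridge
    "0000:02:00.0": "0x0c0010\n",  # OHCI IEEE 1394 host controller
    "0000:03:00.0": "0x020000\n",  # Ethernet controller
}
SAMPLE_MODULES = (
    "firewire_ohci 40960 0 - Live 0xffffffffc0000000\n"
    "firewire_core 65536 1 firewire_ohci, Live 0xffffffffc0010000\n"
    "e1000e 245760 0 - Live 0xffffffffc0020000\n"
)


def is_firewire_class(class_code: int) -> bool:
    """True when a 24-bit PCI class code denotes an IEEE 1394 controller."""
    return (class_code >> 8) == FIREWIRE_CLASS


def find_firewire_controllers(pci_classes: Dict[str, str]) -> List[str]:
    """PCI addresses whose sysfs 'class' file marks a 1394 controller.

    pci_classes maps an address such as 0000:02:00.0 to the text of
    /sys/bus/pci/devices/<addr>/class (e.g. 0x0c0010 plus a newline).
    """
    found = []
    for addr, raw in sorted(pci_classes.items()):
        try:
            code = int(raw.strip(), 16)
        except ValueError:
            continue  # malformed entry: skip rather than guess
        if is_firewire_class(code):
            found.append(addr)
    return found


def loaded_firewire_modules(proc_modules: str) -> List[str]:
    """1394-related module names found in /proc/modules text."""
    names = (line.split(" ", 1)[0] for line in proc_modules.splitlines())
    return sorted(n for n in names if n in FIREWIRE_MODULES)


def blacklist_lines(modules: List[str]) -> List[str]:
    """modprobe.d directives that stop the given modules from autoloading."""
    return ["blacklist %s" % m for m in modules]


def audit(pci_classes: Dict[str, str],
          proc_modules: str) -> Tuple[List[str], List[str], bool]:
    """Return (controllers, loaded 1394 modules, exposed).

    exposed is True when a controller is present and a driver for it is
    loaded.  A controller whose driver never loaded is left uninitialised
    and gives a peer on the cable nothing to talk to (assumption used
    here; disabling the controller outright is the stronger fix).
    """
    controllers = find_firewire_controllers(pci_classes)
    modules = loaded_firewire_modules(proc_modules)
    return controllers, modules, bool(controllers) and bool(modules)


def read_host() -> Tuple[Dict[str, str], str]:
    """Gather the same inputs from the running Linux host."""
    classes = {}
    for path in glob.glob("/sys/bus/pci/devices/*/class"):
        with open(path) as fh:
            classes[os.path.basename(os.path.dirname(path))] = fh.read()
    with open("/proc/modules") as fh:
        return classes, fh.read()


if __name__ == "__main__":
    ctl, mods, exposed = audit(SAMPLE_PCI, SAMPLE_MODULES)
    print("1394 controllers:", ctl or "none")
    print("loaded 1394 modules:", mods or "none")
    if exposed:
        print("exposed; add to /etc/modprobe.d/no-firewire.conf:")
        for line in blacklist_lines(mods):
            print("  " + line)
```

Blacklisting only stops the modules from autoloading on the next boot; an already-loaded driver still has to be unloaded (rmmod), and a modprobe by hand will still succeed unless the directive is `install <module> /bin/false`. Swap `audit(SAMPLE_PCI, SAMPLE_MODULES)` for `audit(*read_host())` to run it against the real machine.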
Boileau has released it on his own site (scroll to the bottom) and there is also a mirror up. His presentation (pdf) is still available on the topic as well.

More information about dumping memory via firewire (pdf). Some likely outdated info on connecting 2 PCs (Windows) together using only Firewire
I would expect the gentlemen at Hak5.org to demonstrate this on a future episode. :) Hell, if someone is looking to get some hits, whip up a video of this in action, demonstrating in a how-to format.
by michael 03.05.08 at 8:13 AM in /general
This is an amusing story. Supposedly a hacker has broken into a news site and has been posting plagiarized news posts to discredit the company...for the past 2 years?? No one noticed until last month. What an amusing, devious hacker! I'm surprised more people don't blame the nebulous, mysterious, all-powerful hacker for lots of things going wrong. Global warming? Hackers! Hell, it was hackers that made Doom and all these demon-devil killer games popular! Hackers play D&D, create bombs out of computers, and torture squirrels!
by michael 03.05.08 at 11:25 AM in /general
Ask.com has been an also-ran search engine for some time, and is going through some changes. I think part of their problem is their name: Ask.com. Ever try talking to someone about Ask.com? Say it out loud a few times conversationally. Yup, it sounds like you're talking about Ass.com. That just can't be good.
Then again I thought HD-DVD would beat Blu-ray because my mom knows what HD-DVD means, but has no clue about Blu-ray. HD + DVD? Must be better DVD! I guess I didn't take into account the pockets Sony had...
by michael 03.05.08 at 6:33 PM in /general
Ever read a security article that makes you hurt with every sentence written? Yeah, not too often, but this article in The Register about a data breach nine months ago at the Pentagon that had "an amazing amount of data" stolen, offers up a lot of hurt. I can't even quote the bad parts since the whole thing is an escalation (or downward spiral!) into needing a few stiff drinks before lunch.
And sometimes, just sometimes, sentences offer up Hurt Combos, like this one:
It took three weeks and $4m to clean up the mess.
Ok, that shows off how bad this issue was, but it also hurts to remind us just what it takes to spend money to get shit done. We (the US) spent $4m in 3 weeks...can't we do that to prevent the amazing number of issues packed into this little article/incident? This article absolutely begs disclosure on what the hell happened.
by michael 03.07.08 at 10:42 AM in /general
Holy crap! Chinese [coughmay becough] able to backdoor routers created over there and shipped to the US!
While I understand contemplating such an attack has some minor value, this is not a slippery slope anyone in security should spend too much time sliding down. You can literally grind your company to a halt by going down this road too loudly. Besides, it's one of the fundamental limitations of security: you have to trust a lot of things transitively in the world. We like to think of our networks as castles with a nice perimeter, and logically that can still hold up, but when you get deep enough, the materials to build those castles still come from elsewhere.
Do you know where:
...your napkins are created? What if they're laced with anthrax!?
...your keyboards are created? What if they have hardware keyloggers?!
...your cell phones are created? What if they have GPS trackers and can record/transmit your calls?!
...your software is created? What if it has backdoors?!
...your cigars are created? What if they have calf blood in them?!
...your contractors come from? What if they are ninjas bent on haxing your systems and stealing your company?!
...your air comes from? What if they pump toxins into the air as it prevails over the Pacific to us?!
...your cars come from? What if they are set to explode on Oct 23, 2009?!
...the rocks in your garden come from? What if they are alien invaders disguised as rocks?!
...your best friend is right now? What if he is a shape-shifting self-preserving freak from Antarctica posing as your friend?!
Someone needs to make a security lolcat. "Im in ur paranoya, makin' u crazee!"
by michael 03.10.08 at 11:04 AM in /general
I normally don't follow Bruce Schneier because I figure the good posts he makes will get linked by the sites I do read. Yet again I'm right, as I got pointed over to Bruce's latest by a post from Rothman. Bruce is talking about buying security suites vs best-of-breed and tons of other little pokes and prods. I know not everyone gets what the big deal about Bruce is, but you have to admit he has a lot of good thoughts.
...and we continually fool ourselves into believing whatever we don't have is better than what we have at the time.
I'm a firm believer in this cyclical pattern coming up quite often in human experience. In IT, it is like having centralized mainframes, then decentralized microcomputers, and now pushing back to centralized iron. By the time we get entrenched in web services, we'll be wanting the next thing (or going back to fat apps).
Honestly, no one wants to buy IT security. People want to buy whatever they want -- connectivity, a Web presence, email, networked applications, whatever -- and they want it to be secure. That they're forced to spend money on IT security is an artifact of the youth of the computer industry. And sooner or later the need to buy security will disappear.
I think I do agree with what Bruce is saying here. The problem is we, as an IT industry, cannot keep up with the pace of technological change right now. By the time we get people experienced and trained to make secure decisions about a technology, we either get new software versions, new hardware with a new OS, new needs from our stakeholders, new solutions from our developers, or entirely new technologies. An analogy to the car world would be driving a new car every week. Sometimes the lights stay on when you shut it off, sometimes the stereo buttons are on the left, sometimes you don't get telescopic tilt, and that's not even getting into how you learn the feel of the shifting on manuals and how it handles on the road in varying conditions. The questions come down to: Can you drive it safely? Can you drive it well? Two very different approaches.
It will disappear because IT vendors are starting to realize they have to provide security as part of whatever they're selling.
The problem? Security is not something you can achieve completely. This means your vendor *will* fail. What happens then? Do you sue them? Do they recover your losses? The problem with moving security anywhere but outside the company is the difficulty in also moving the responsibility and blame for insecurity. Risk management is the way to go, but it still seems business doesn't handle that very well as a whole. Either it works always, or it doesn't work and we're moving on.
this another way which I fully agree with.
It's true that customers don't really care about security, but I can tell you they absolutely HATE their carrier or cable company. The idea that they would trust them to provide security in the cloud is a joke.
You're damned right. Carriers are large beasts, and they completely suck at delivering services. They can deliver a product (pipe of size X or solution B) but once you get away from their small portfolio of slightly specialized products, they suck. I'd never trust my home provider or any of the providers we use at work for my security. And I'm positive they won't help me anyway once things get inside my walls, just like they don't troubleshoot network issues past the demarc. But they deliver my Internet pretty damned well most of the time!
(Aside: What is security, a product or a service? Bring that up as a discussion starter at the pub next time!)
But let's move from ISPs and go further. I understand that companies like Boeing contract pretty much all of their IT out (I believe mostly Dell right now) to solutions providers (btw, ask anyone at Boeing just how not-awesome their IT support is!). In this case, security better damn well fall into Dell's lap as well, or some other outsourcer. But that leaves a hell of a lot of SMB business still fending for themselves. Sure, security and IT should be one and the same and both outsourced as infrastructure, but I feel we have a VERY long way to go before this can trickle down past the Fortune 500 or into consumerland. Siemens, IBM, and other players can only go so far before they become so diluted the whole landscape remains at a minimum security level. Images of Jerry Maguire...less clients, better attention, better quality...or the opposite.
So what else is an answer besides just outsourcing it all since that will take forever? Marrying IT and security in house with your current IT techs. If they can do their job while keeping security in mind, you can do some pretty acceptable things, with some oversight.
Of course, if anything even partially mentioned above or in the above links were the right answer, it'd be very obvious and the idea would take our industry by storm. But none do, which means none are really the answer for everyone.
by michael 03.11.08 at 10:20 AM in /general
last night linked me this image of "an activity diagram to describe the resolution of HTTP response status codes, given various headers." I wanted to save this flowchart, so this post is me saving it!
by michael 03.12.08 at 9:44 AM in /general
A quick InfoWorld article on the traits of a good CISO. The tagline says some of these traits are surprising (or that maybe deep technical knowledge being lower is surprising), but I'm personally not surprised by this at all. I think the technical knowledge is related to making informed decisions, knowing what information is needed to make informed decisions, and in being a good mentor. Other traits are a good moral compass and the ability to take the blame. I really like the mention of taking blame, since it is so hard to admit being wrong or just taking the blame for someone else. We're not trained that way as kids with school and report cards and everything else. We're questioned by adults (parents) until we make up some excuse or blame someone else.
Oops, that turned into a ramble.
by michael 03.12.08 at 1:57 PM in /general
More than a couple hospital workers have been fired or punished for accessing private information on singer Britney Spears at the UCLA Medical Center. This brings up two quick points.
First, considering how many people checked out the information, I'd have to say access controls are pretty lenient. I think I'd be safe in saying that if this many people accessed her records even though they had no need to know, it indicates this has been done before...maybe up to a point where some didn't think this was a bad thing. That hot girl in bed 312? Let's check her records out! Lenient controls may help everyone do their jobs, granted. But at least it sounds like they had good auditing to track the accessing.
Second, give your management a new test, something that can be called the "Celebrity" test. Assume you have some huge profile celebrity using your services. How many of your own authorized employees would let curiosity pull them to access information about the celebrity? Or perhaps a hot new movie you have access to. Or hot new game. Or important information that could lead to recommendations to trade or not trade for your parent's stock portfolio. And so on. Assume that instead of the normal run-of-the-mill corporate data you have, replace it with something very enticing to normal employees. Do your controls rely on people beating the curiosity beast? Or at least being able to audit those breakdowns? Good employees who've resisted accessing data 34,212 times previously may think differently in the Celebrity test, "Just this one time..." Guess which makes the presses?
Sure, that may over-value the data you really do have, but it is a good exercise to mentally test your own controls and security posture. Besides...do you know for sure that tomorrow won't see Britney Spears as a new customer of yours?
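As an added example (not from the original post, and not anything UCLA runs), here is the kind of audit the two points above are asking for, run over a few constructed access-log lines: a need-to-know check that flags chart reads by staff with no documented treatment relationship to the patient, and a "Celebrity test" that flags records read by more distinct people than a site baseline, even when every individual read was technically authorized. The log format, roster, role names, exempt-role list and threshold are all assumptions.

```python
"""Need-to-know audit over constructed EHR access-log lines.

Added example, not from the original post or from UCLA's systems. It runs
the two checks the post argues for: flag reads of a record by staff with no
treatment relationship to the patient, and flag patients whose record was
read by an unusually large number of distinct people (the "Celebrity test").
The log format, roster, role names and sample lines are all assumptions.
"""
import csv
from collections import defaultdict
from io import StringIO
from typing import Dict, List, Set, Tuple

# Constructed sample log: timestamp,user,role,patient_id,action
SAMPLE_LOG = """\
2008-03-10T08:01:00,dr_lee,physician,P1001,read
2008-03-10T08:05:00,rn_patel,nurse,P1001,read
2008-03-10T09:12:00,clerk_jones,billing,P1001,read
2008-03-10T09:14:00,dr_chen,physician,P1001,read
2008-03-10T09:20:00,tech_ortiz,radiology,P1001,read
2008-03-10T09:25:00,dr_chen,physician,P1001,read
2008-03-10T10:00:00,dr_lee,physician,P2002,read
2008-03-10T10:30:00,rn_patel,nurse,P2002,read
"""

# Constructed roster: patient -> users with a documented treatment relationship.
SAMPLE_CARE_TEAM: Dict[str, Set[str]] = {
    "P1001": {"dr_lee", "rn_patel"},
    "P2002": {"dr_lee", "rn_patel"},
}

# Roles whose job requires touching any chart (assumed; tune to the site).
EXEMPT_ROLES = {"billing"}

FIELDS = ["timestamp", "user", "role", "patient", "action"]


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse header-less CSV access-log text into one dict per line."""
    return list(csv.DictReader(StringIO(text), fieldnames=FIELDS))


def accesses_without_relationship(rows: List[Dict[str, str]],
                                  care_team: Dict[str, Set[str]],
                                  exempt_roles: Set[str] = EXEMPT_ROLES
                                  ) -> List[Tuple[str, str, str]]:
    """(timestamp, user, patient) for reads by users with no need to know.

    A user needs to know if they are on the patient's care team or hold an
    exempt role.  Every offending line is reported, so repeated peeks by
    the same person show up as repeats rather than being collapsed.
    """
    flagged = []
    for r in rows:
        if r["action"] != "read":
            continue
        on_team = r["user"] in care_team.get(r["patient"], set())
        if not on_team and r["role"] not in exempt_roles:
            flagged.append((r["timestamp"], r["user"], r["patient"]))
    return flagged


def distinct_readers(rows: List[Dict[str, str]]) -> Dict[str, int]:
    """Number of distinct users who read each patient's record."""
    readers = defaultdict(set)
    for r in rows:
        if r["action"] == "read":
            readers[r["patient"]].add(r["user"])
    return {p: len(users) for p, users in readers.items()}


def celebrity_outliers(rows: List[Dict[str, str]], max_readers: int) -> List[str]:
    """Patients read by more than max_readers distinct users.

    max_readers is a site baseline (typical care-team size plus slack).
    A record far above it deserves a human look even when each access
    passed the need-to-know check.
    """
    return sorted(p for p, n in distinct_readers(rows).items() if n > max_readers)


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for ts, user, patient in accesses_without_relationship(rows, SAMPLE_CARE_TEAM):
        print("no need to know: %s read %s at %s" % (user, patient, ts))
    for patient in celebrity_outliers(rows, max_readers=3):
        print("celebrity test: %s read by %d distinct users"
              % (patient, distinct_readers(rows)[patient]))
```

The first check is the control the post says UCLA evidently did not enforce up front; the second is the audit that caught it after the fact. Run in that order against a real log, the second check is also how you find the departments where the first check has quietly never been applied.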
by michael 03.16.08 at 8:50 AM in /general
"Reality is that which, when you stop believing in it, doesn't go away." -Philip K. Dick
by michael 03.16.08 at 9:01 AM in /general
Wired has a Bruce Schneier essay posted that dives "Inside the Twisted Mind of the Security Professional." Mostly, he talks about having a security mindset.
The lack of a security mindset explains a lot of bad security out there: voting machines, electronic payment cards, medical devices, ID cards, internet protocols. The designers are so busy making these systems work that they don't stop to notice how they might fail or be made to fail, and then how those failures might be exploited. Teaching designers a security mindset will go a long way toward making future technological systems more secure.
by michael 03.20.08 at 9:14 AM in /general
A link was recently posted to the DailyDave mail list with the simple subject, "the typical security guy I interview." The link went to a Craigslist resume post which I found quite amusing. I'll repost it below, in case the original ever goes down. This is not my work!
I chat all day long on the underground hacker chats including _SILC_ AND _IRCS_ ones, not just public IRC servers. Therefore I KNOW ALL THE HACKERS. When it comes 2 the streets of the internet underground I have my ear 2 the ground.
i never use a spell checker, and i send terribly formatted work emails often with numbers used for letters and words.
I'm basically extremely lazy and I scope projects that take 4 hours of real work time for about 1-2 weeks since thats how long it takes to bring myself to work on whatever stupid project I'm assigned. I've been mudding against recently, I have to get the good eq. drops.
I work marginally well on teams. I dont have a problem with authority, I just dont view them as being authoritative. I am late to work constantly, but not _THAT_ late. I need at least $105k a year. I consistently order the most expensive drinks I possibly can get away with when the company card is down. I will even order drinks to then just pour out into the toilet or onto the carpet just to make the company tab higher.
I can program a variety of languages including but not limited to C, C++, a number of assembly languages, PERL, BASH, TCL and SPIN.
I cannot currently program ERLANG, SCHEME, PYTHON or RUBY but if required (which is highly likely if you think your company is a cool, hip and intelligent one), I can learn any of these languages in 2 days with fluent programmign ability with 2 weeks, as any real programmer can do with any language.
I'm an excellent programmer but many aspies (people with aspergers) can out-program me.
I have microcontroller and embeded systems programming and hardware experience including fabrication and circuit design, although I am by no means an expert in this.
I have a very useful formal college education in mathematics from a top tier university I dropped out of, and therefore I can solve many problems very logically with many extra mental tools. I am by no means a mathematics genius.
I have 10+ years in professional (PAID) computer security experience but the security industry is completely retarded now. So I don't want to secure your web apps, _AT ALL_.
by michael 03.26.08 at 10:15 AM in /general
Need a tap on the cheap? I found a blog post detailing making a cheap passive tap using some wiring plugs. Makes sense! The post didn't mention it, but, while there are 8 wires in an Ethernet cable, 4 of them are not used by 10BASE-T and 100BASE-TX. If the cable is built to the T568B standard, the orange pair (pins 1 and 2) carries traffic in one direction, the green pair (pins 3 and 6) carries traffic in the other direction, and the blue and brown pairs sit idle; the tap works by splitting each active pair out to its own monitoring jack. Two caveats: gigabit (1000BASE-T) drives all four pairs in both directions at once, so a split-pair tap like this only works on 10/100 links, and since each monitoring jack sees only one direction of traffic you need two capture interfaces (and a merge step) to reassemble a full conversation.

This is easy enough that it really should be added to the list of tasks all security neophytes should complete
by michael 03.27.08 at 10:02 AM in /general
is over and that also means the Pwn 2 Own contest is over. I did a quick faux-prediction a few weeks ago thinking the kill order would be Ubuntu, OSX, Vista. I'm a little surprised that Ubuntu survived unscathed even through the last day. I'm not surprised OSX or Vista were owned, particularly through applications (Safari in OSX and Flash in Vista). I think this means Ubuntu just isn't important enough to pwn yet, though I'm surprised by that since I figured many researchers to be Linux-friendly. Perhaps more are on Macs and Windows than the security clubs would like to admit. :)

A fun contest, although I'd hesitate entirely to trumpet the results to back any sort of "xxx OS is more secure" arguments. The real benefit is increasing interest in doing these sorts of things on the good side of the fence before the bad side of the fence does them. It also appears to get Apple to patch their crap... Besides, this is fun for our community, and we really need more fun and back-patting in the field.
Speaking of predictions, I'm kicking myself a bit for not getting into any NCAA Tournament pools this year, having picked 5 of the elite 8, all final fours, and am still confident in UNC over UCLA in the final. Of course, not a ton of broken brackets this year, so I expect lots of people would have been up there with me. I've been very busy lately and didn't research much before the games, so opted not to ante up to anything this year.
by michael 03.31.08 at 8:18 AM in /general
It has gotten to be a very busy couple months and only promises to get busier (coworker just resigned, death in the family, etc). Nonetheless, I've decided to move forward with getting hooked up with the Offensive Security 101 training offered by the good people behind the BackTrack project. Either that or I wait until it's convenient for me, but I doubt that will ever happen; never does! My start date may be April 6th, or later if I'm slow on the payment.
If anyone has any experience with the course, feel free to drop me a line. I don't expect a huge sweeping ton of things, but I do expect to learn more about BackTrack and security assessing using it (I off and on use BT both from livecd and a laptop I've installed it to). I fully approve of videos and self-paced training, and look forward to that practical at the end. If this goes well, I'll likely go ahead with the next course in this series as well, BackTrack to the Max.
by michael 03.31.08 at 12:54 PM in /general
Amrit posted a really nice piece about what drives spending on security. I agree with his three reasons: an incident, a requirement/law, and insecurity impacting availability. I think I've known and accepted this for some time, with caveats. One thing to notice about these three reasons: they are rather objective, firm reasons that you can measure; binary, black or white, on or off. I think many organizations drive security spending in exactly that fashion, even some that won't admit it to themselves.

However, if Amrit is correct, then there should be many companies that do not even follow best practices like using passwords, at least not until they suffer an incident. I can't quite buy that.

I don't buy this because the reasons he gives that are not reasons that drive IT security spending do in fact drive security spending in some places. Some people do believe in security ROI and enablement, some companies do try to be proactive, others do afford their security curmudgeons enough credibility to drive spending based on their risk assessments.
For instance, some people do buy alarms for their house, not because they've had an incident, are required to, or because it helps availability. It's because of their personal, subjective risk assessment to prevent something bad from happening. They understand the potential incidents that may occur, and make a value judgement based on their comfort level, their environment, their assets, and their available funds.
But, if I were to make expectations on security spending, Amrit's reasons are the ones I would book on. There are plenty of organizations whose security spending is entirely based on those three reasons.
by michael 03.31.08 at 1:17 PM in /general