September 2009 Archives
The good folks at Offensive Security have posted a video (camtasia) of the Win2k IIS 5.0/6.0 FTPD exploit in action (found via Andrew Hay). The difference between this version and the kingcope exploit is this sets up a bindshell where the original set up a new Windows user account.
What isn't mentioned is the exploit does require a valid connection to the FTP server, either through valid credentials, stolen credentials, or anonymous write access. So the old "best practices" of removing anon access, being careful who you let into your server, and enforcing strong passwords help mitigate this risk. Though that's really not enough assurance and I expect an MS patch for this soon, this at least should let you sleep at night if you have vulnerable servers. And don't just think about remote attacks from China but also internally-accessible FTP servers.
Another "best practice" is to flatly not use the IIS FTP server. I think that suggestion has been around for 10 years now...
by michael 09.02.09 at 9:21 AM in /general -
...because your personal acceptance level (or ignorance) of risk differs from that of the company you work for.
There are always posts about how draconian IT policies are for users, and responses on why it is that way. This well-written article is another example of the justification for IT restrictions.
It is often the job of IT security folks to do and enforce these things, usually as a blessing from upper management. Getting mad at them is rarely going to get you anywhere, just like getting mad at a TSA agent. Sorry, they're just doing their job; take it up with their superiors or the policy-makers. We're not (always) trying to be sadists.
The end of this article is a key point: "As a user, are you ready to accept personal responsibility if something you want affects the security of the network?"
In the end, it is all just a balancing act between corporate culture (which includes productivity and happiness) and managing your risk. If we could forget all the endpoints and properly secure the important data while letting people all run as local admins, we'd probably do it. Logical decisions are usually easy for us...
by michael 09.03.09 at 8:50 AM in /general -
I'm not a fan of password managers in browsers; it makes me feel even worse about how OS-like the browsers are getting (and how far from Firefox's "we're secure because we're simple" roots they've strayed), but I'll have to remember this Firemaster tool (article by Lifehacker) if I ever find a need to break into a Firefox password manager store. (via h-i-r.net)
In-browser password management is something people looking for efficiency and shortcuts want to use. In my opinion, most of those people are probably the same people who re-use passwords and use simple passwords. I would suspect most people choose simpler passwords for their in-browser management tool, making Firemaster a risk. (Of course, you'll never learn what your passwords are if something always puts them in for you!)
Then again, one should always expect some method of cracking or brute-forcing passwords, and thus always choose reasonably complex ones.
by michael 09.03.09 at 10:51 AM in /general - comments(2)
Since Firefox has gone down the same path as IE (bloated, trying to do everything, untrusted, slow-loading, and being so big that it just can't, alone, be the "more secure" option anymore which, along with speed and trust, catapulted it up into contention with IE in the first place!), my loyalty to Firefox is entirely hinged on add-ons like NoScript.* This means I'm open to new tools that may be simple and get back to what I really want: speed, trust, simple, and reasonably secure largely through that simplicity.
I just read about SeaMonkey's new release. While it's a new option, I don't like the idea that it is trying to be an "Internet suite" of tools (really, HTML editor?) with a browser, email client, news client, IRC client, etc. In that regard, I'm not tripping over myself to try it, but thought I'd share the link in case it does become a legit contender as the new upstart (just like Firefox and Google once were...oh how the popular forget what made them popular). Besides, in trying to do all that stuff, can it ever possibly satisfy my security desires enough in any one part to best dedicated individual clients? Yeah, if I get around to trying it out, I'll try it out. If not, I'm probably not missing much.
* Strangely, IE7 loads faster, at least in perception, than any instance of Firefox that I run anymore, Windows or Linux. But, I like that I can really reduce the toolbar footprint of Firefox down to like one bar, and it sucks that IE's bar has gone the way of being a pain in the ass to customize in the same way. Still... really it's NoScript that keeps me locked to Firefox.
by michael 09.04.09 at 8:56 AM in /general - comments(2)
Thank you Bejtlich for posting about this and making me revisit this for what is probably the fifth time in 2 days. I fully blame Microsoft's poor wording for the confusion.
Yesterday, my first reaction (heck I even Tweeted it) to MS09-048 was to call it a Big Deal. Truly, it should be: On affected systems, any listening service exposes the system to at least one of the vulnerabilities.
Microsoft played dumb with Windows XP, however, stating the default configuration for XP SP2 and SP3 has the Windows Firewall turned on and not allowing any listening services.
But I think anyone who has even a smidgen of tech-sense in them knows that once you network the box (or basically even just use it, it seems), listening services are started and maintained or the Windows Firewall is flatly turned off.
So, the question remains: Let's stop playing dumb and just say XP SP2 and SP3 at least potentially should be considered vulnerable. Does that mean XP is vulnerable to just the DOS/reboot vulnerabilities or also the part that allows remote code execution?
A big fail on Microsoft's part for basically omitting this information.
Update 1:00pm: I can also confirm that there are no patches at all for XP systems relating to ms09-048 in WSUS or Windows Update. This could mean a few things. Maybe XP is en total not affected (but why the asterisk?). Maybe no patch was ready (of course, this could mean Microsoft just indirectly released their own 0day once what was released is reversed). Or maybe something screwed up. But the bulletin certainly reads like XP is potentially vulnerable if you, god forbid, expose listening services.
Update 1:37pm: Fabs has released details on one of the dos vulns, CVE-2009-1926
by michael 09.09.09 at 9:42 AM in /general -
Quick pointer over to some nice postings. Rich Mogull pointed to and responded to an article by Bob Russo from the PCI Council. Bob also responded back in the comments. My feelings are also in comment form, there.
Bottom line: PCI is a great value, an excellent value, as long as you don't think it is the only thing you need to do, or lash back at it in some odd hatred of "best practices" because, god forbid, they're not perfect. It is the kind of guideline that so many companies need, and so many of us experts can use to make our cases. It doesn't end with PCI, but for many it does start with PCI.
by michael 09.09.09 at 4:45 PM in /general -
Bejtlich has been far more active on this than I, so I'll defer to his updates here and here.
I've heard from a couple places now that reference a report last year in regards to the TCP/IP dos vuln CVE-2008-4609 that Microsoft, Cisco, and others coordinated patch releases for this week (one of the dos parts to MS09-048). This is probably accurate since Outpost24 (Jack C. Louis who passed away earlier this year) is credited in the Microsoft bulletin.
Here are the key points:
1. Windows XP is vulnerable to the two dos issues in MS09-048 when it has a listening service open.
2. Windows 2000 is vulnerable to the two dos issues in MS09-048, and will not be patched.
3. Windows XP currently has no MS09-048 patch, and may not get one for the same reason Windows 2000 is not getting one: the change is too big/hard/impacting to the underlying TCP/IP (NDIS) implementation.
4. So far this just deals with a vulnerability that leads to a low-cost DOS attack (i.e. you don't need 10,000 distributed systems). There may still be a potential for r00t code to be developed, or malware payload that may be used to storm through a network and just repeatedly down every XP/2000 box. Better yet, if you need a box rebooted as part of your attack, this could be a sure way to do it, or to get an admin's attention to then log into the box and snag some credentials while he investigates.
by michael 09.10.09 at 8:40 AM in /general -
InformationWeek's August 31, 2009 issue included a nice article from the folks at Neohapsis (Greg Shipley, Tyler Allison, Tom Wabiszczewicz) titled Breach Diaries: 5 lessons learned from the front lines of today's major data thefts. I'd link to the article, but InformationWeek wants you to register first. Lame, because the article hits key points very well which I'll very briefly list. Some of the thoughts are my own below, but many are yoinked from the article. I share this because, as the article states in the beginning, the business tendency to shut up about breaches is making it harder for security to improve.
1. Get serious about web security. Web apps are being widely used as attack vectors. WAFs buy time, but the root issue is code. Review apps and incorporate security into dev cycles.
2. Add secondary controls. This includes internal firewalls, network segmentation, encryption, database monitoring. Implementing them is not enough. Implement them with a purpose, audit the settings/policies/configs, and watch the logs. Arguably weighted in the reverse order!
3. Know your limits. Most (hell, all!) security technology has limitations. Know them and lean on those techs only as much as they should be leaned on. Fill in the gaps with other solutions (usually watching events, traffic, anomalies, etc) and diligence. I really think this is where staff will make or break you, not the technology.
4. Trust but verify. Wake up every morning and say this until you live this.
5. Plan for incidents. This is another "duh" item, but a tougher one when you get down to it. For instance, how often does a security breach happen compared to a simple system outage/issue/mistake? A vast majority of the time an admin attends to an issue, the response is to rebuild or do things that destroy data. I'd argue that once an incident is truly suspected, then IR policies come into play, but for day-to-day work, I would usually suspect that systems or evidence may get destroyed or at least tainted. Really, this might come down to being careful to keep logs and audit trails and events separate from day-to-day ops.
by michael 09.10.09 at 9:35 AM in /general - comments(3)
Very quickly, ComputerWorld has an opinion piece on The Unspoken Truth About Managing Geeks. A nice read.
by michael 09.11.09 at 8:58 AM in /general -
This is still begging to be produced. Christopher Hoff recently posted lyrics for Security Rockstar (to the tune of Nickelback's Rock Star). And a portion of it bookended the Network Security Podcast episode 161 (the version at the end does the first verse and chorus).
Strangely, the music is far more painful than Hoff's singing. :) And does contain some nice lines. I especially dig the rhyme of "...ubuntu" and "...can hack into." It really should include something about being the target of kiddie hacks, once you get to be a security rock star (maybe kiddies want to be the rock star but then rage against them in the next breath).
by michael 09.11.09 at 11:00 AM in /general -
Via LiquidMatrix, a demonstration of some vulnerabilities has been disclosed against RBS WorldPay over on the rather sobering unu1234567 blog. This brings up a couple comments:
1. If a breach occurs and no one notices it, is it a real breach? (I mean this sarcastically and rhetorically; of course it is a real breach, but it illustrates something that blows my mind: vulns that linger for weeks, months, *years!* and then get discovered. And how long have we had this hole in the ass of our pants and not known it?)
2. I hope RBS WorldPay is going over their logs to make sure their databases haven't been siphoned off already. And good luck trying to find all the permutations...it would be fun to take such logs and start carving them up, kicking out obviously valid calls, and collating items of interest for manual review. And if they don't have reasonable logs saved, fail.
3. I don't care if RBS WorldPay will say this is a development box. It's externally accessible. It contains valid logins. As Heartland will attest, even satellite, non-critical apps/servers can act as a launching pad for deeper attacks. Unless you purposely hang a box (honeypot) out there to be attacked, there is no such thing as a valueless target for an attacker.
4. Clearly, this system either has never had any security review of the app, or their external assessments are failing to detect that this was externally accessible, or their change control sucks to let this system get configured to be external in the first place. Lots of fail here, really. Lots of head in the sand issues no matter what the story.
5. Congrats on the free security lesson, RBS WorldPay.
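The log carving sketched in point 2, as an added example (not code from the post, and nothing to do with RBS WorldPay's actual systems): parse constructed Apache combined-format lines, kick out calls that are obviously valid, and collate the rest per client address with the reasons they deserve a manual look. The known-good paths, the sensitive prefix, the size threshold and the patterns are assumptions standing in for what you would know about your own app.

```python
import re
from collections import defaultdict

# Apache "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed site knowledge: what "obviously valid" looks like for this app.
KNOWN_GOOD_PATHS = {"/index.html", "/images/logo.png", "/products.php"}
SENSITIVE_PREFIXES = ("/admin/",)
LARGE_RESPONSE_BYTES = 1_000_000          # larger than any page this app serves
SUSPICIOUS_QUERY = re.compile(r"(%27|'|\bunion\b|\bselect\b|\.\./)", re.IGNORECASE)
SCANNER_UA = re.compile(r"(sqlmap|nikto|nessus)", re.IGNORECASE)

# Constructed sample lines (documentation address ranges); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Sep/2009:14:02:11 -0500] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Sep/2009:14:02:12 -0500] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Sep/2009:14:05:40 -0500] "GET /admin/login.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Sep/2009:14:05:41 -0500] "POST /admin/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Sep/2009:14:05:42 -0500] "GET /admin/export.php?table=users HTTP/1.1" 200 4194304 "-" "Mozilla/5.0"
192.0.2.9 - - [11/Sep/2009:14:06:00 -0500] "GET /products.php?id=1%27 HTTP/1.1" 500 0 "-" "sqlmap/0.7"
192.0.2.9 - - [11/Sep/2009:14:06:01 -0500] "GET /products.php?id=1 HTTP/1.1" 200 1200 "-" "sqlmap/0.7"
203.0.113.5 - - [11/Sep/2009:14:07:00 -0500] "GET /products.php?id=2 HTTP/1.1" 200 1300 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    path, _, query = d["target"].partition("?")
    d["path"], d["query"] = path, query
    d["status"] = int(d["status"])
    d["size"] = 0 if d["size"] == "-" else int(d["size"])
    return d


def reasons_for(entry):
    """Tags explaining why an entry is worth a human's time."""
    reasons = []
    if entry["status"] >= 500:
        reasons.append("server-error")
    if SUSPICIOUS_QUERY.search(entry["query"]):
        reasons.append("suspicious-query")
    if SCANNER_UA.search(entry["ua"]):
        reasons.append("scanner-user-agent")
    if entry["path"].startswith(SENSITIVE_PREFIXES):
        reasons.append("sensitive-path")
    if entry["size"] >= LARGE_RESPONSE_BYTES:
        reasons.append("large-response")
    return reasons


def is_obviously_valid(entry):
    """A known path, a success/redirect status, a clean query and a normal client.
    The client check matters: a scanner also fetches ordinary pages."""
    return (entry["path"] in KNOWN_GOOD_PATHS
            and 200 <= entry["status"] < 400
            and not SUSPICIOUS_QUERY.search(entry["query"])
            and not SCANNER_UA.search(entry["ua"]))


def triage(log_text):
    """Return {client_ip: {"reasons": set, "lines": [raw lines]}} for manual review."""
    review = defaultdict(lambda: {"reasons": set(), "lines": []})
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None or is_obviously_valid(entry):
            continue
        reasons = reasons_for(entry)
        if not reasons:
            continue
        bucket = review[entry["ip"]]
        bucket["reasons"].update(reasons)
        bucket["lines"].append(raw)
    return dict(review)


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(sorted(info['reasons']))} ({len(info['lines'])} lines)")
```

Unparseable lines are silently skipped here; in a real review you would count them, since a log that stops parsing is itself a finding.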
by michael 09.11.09 at 2:56 PM in /general -
Daemon is an excellent book (despite a couple minor annoyances on my part, which are very minor!). So I wanted a quick pointer over to Daniel Suarez interviewed on PaulDotCom episode 165. An excellent listen for anyone who enjoyed the book.
I've heard talk about movie rights, and it'd be interesting to see what comes of that. I'll skirt around one issue I have since it is a bit of a spoiler, but I would most hope that this doesn't fall into the PG-13 range and keeps the hard edge to it. There should be a certain adult gravity to this that just is not possible while maintaining that teen-friendly color (besides, who over the age of 13 doesn't eventually see the good R movies anyway?).
by michael 09.11.09 at 3:16 PM in /general -
This article on Wired (via LiquidMatrix) discusses how an intelligence analyst is being charged with unauthorized access even though he was given valid credentials, had access to use those credentials, but was simply told not to. Someone fucked up, but it's not necessarily this guy.
This could be fun. I mean, remind me to put up some signs advertising a garage sale at my place. Allow me to prop open a door and put out a table with cookies and lemonade on it. Oh, don't worry about that sign in the corner that says if you get within 5 feet of my cookies I get to whack you mercilessly with a whiffle bat until you leave. You should have read the sign, silly fool. Oh, and I get to cackle with glee during the flogging.
Or the EULA. Or the TOS.
Or remind me to give you my gmail account and password with a note saying not to use them if you're not me. Yeah, that sounds like a great idea!
by michael 09.15.09 at 10:57 AM in /general -
Quite often someone's first experience with evidence handling/collection and first-responder forensics is, well, during a live incident. It really helps to read (and later role-play either on your own or just pretend small-time incidents are major ones and go through the motions!) what someone *should* do in a real evidence collection situation.
Personally, I probably know enough to first evaluate whether the incident at hand will ever see the inside of a courtroom or will end in my HR or manager's office. If a courtroom is possible, I'll likely try to defer to an experienced professional, if possible. If not, document everything and get uncontaminated copies of everything before diving into the guts of your *copies.* Better yet, it might not hurt to video record the damned thing. It might be the most boring thing in the world, but someone may love you for it a year later.
by michael 09.15.09 at 4:18 PM in /general -
Care about your privacy and take diligent action to clean out your browser cookies? Don't overlook Flash cookies.
The SANS Forensics blog goes into a quick primer on what Flash cookies are and how to find them. This is all in response to research that Wired posted about in August that is pulling the wool back a bit from these little-known buggers. Comments in the SANS article can lead to more research sources.
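As an added example (my own, not from the SANS post or from Adobe), a small inventory script that walks the Flash Player shared-object directories and lists every .sol file by the site that wrote it. The default locations it checks are the documented ones for Windows, OS X and Linux, but treat them as assumptions about your install; the sample tree it builds is constructed for the demo.

```python
import os
import sys
import tempfile


def flash_cookie_roots():
    """Default Flash Player storage roots per platform (assumed defaults, not probed).
    #SharedObjects holds site data; macromedia.com/.../sys holds per-site settings."""
    home = os.path.expanduser("~")
    if sys.platform.startswith("win"):
        appdata = os.environ.get("APPDATA", os.path.join(home, "AppData", "Roaming"))
        base = os.path.join(appdata, "Macromedia", "Flash Player")
    elif sys.platform == "darwin":
        base = os.path.join(home, "Library", "Preferences", "Macromedia", "Flash Player")
    else:
        base = os.path.join(home, ".macromedia", "Flash_Player")
    return [os.path.join(base, "#SharedObjects"),
            os.path.join(base, "macromedia.com", "support", "flashplayer", "sys")]


def find_flash_cookies(root):
    """Return sorted (domain, relative_path, size_bytes) for each .sol file under root.
    Under #SharedObjects the layout is <random-id>/<domain>/<...>/<name>.sol, so the
    domain is the second relative component; under .../sys it is #<domain>/settings.sol."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".sol"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            parts = rel.split(os.sep)
            if len(parts) >= 3:
                domain = parts[1]
            elif parts[0].startswith("#"):
                domain = parts[0].lstrip("#")
            else:
                domain = "(unknown)"
            found.append((domain, rel, os.path.getsize(full)))
    return sorted(found)


def summarize_by_domain(entries):
    """{domain: (file_count, total_bytes)} so the noisy sites stand out."""
    totals = {}
    for domain, _rel, size in entries:
        count, total = totals.get(domain, (0, 0))
        totals[domain] = (count + 1, total + size)
    return totals


def build_sample_tree(base):
    """Constructed #SharedObjects layout for the demo; contents are dummy bytes."""
    layout = {
        ("ABC123XY", "example.com", "player", "prefs.sol"): b"\x00\xbf" + b"A" * 40,
        ("ABC123XY", "ads.example.net", "uid.sol"): b"\x00\xbf" + b"B" * 200,
        ("ABC123XY", "example.com", "readme.txt"): b"not a cookie",
    }
    for parts, payload in layout.items():
        path = os.path.join(base, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(payload)
    return base


def demo():
    """Run the finder over the constructed tree; returns (entries, per-domain totals)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(os.path.join(tmp, "#SharedObjects"))
        entries = find_flash_cookies(root)
        return entries, summarize_by_domain(entries)


if __name__ == "__main__":
    # Real profile first, then the constructed demo so the output is never empty.
    for root in flash_cookie_roots():
        if os.path.isdir(root):
            for domain, rel, size in find_flash_cookies(root):
                print(f"{domain:30s} {size:8d}  {rel}")
    print("demo:", demo()[1])
```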
by michael 09.16.09 at 8:29 AM in /general -
A year ago I picked up a Cowon A3 portable media player (music and movies). My goal has been simplicity in my electronics; something the iPod/iTunes empire cannot give me. I've been exceedingly satisfied with the A3 in my year of use.
I have stuck with the Cowon brand and just yesterday received my Cowon iAudio 7 ($139). This little guy is basically the equivalent to an iPod Nano; meant to be stuffed in a pocket or worn on the arm. At 16GB, it fits the bill nicely for an on-the-go sort of device. It won't hold all my music, by far, but it will hold most of the music I use for such purposes (hard rock, techno, breaks).
Using it the first time could not be easier. Unpackage. Plug the USB cable into a computer. Drag-n-drop files into the Music folder just like any USB flash stick. Unplug, hit play. Done! I copied 13GB of music (3GB were large files) from a networked system to the iAudio in less than 3 hours, so that's not terrible at all.
The playback is simple as before. Browse to a song to play, and hit play. You can then have the iAudio play back all the songs in that folder, or play all the songs in that folder and subfolders, or all songs on the device. All three of those options can be sequential or shuffled playback. You can loop through your chosen song or loop through the random/sequential setting. My use is to just browse to the folder of music I want (I only have 3 on this), hit play, and hit forward to get the first shuffled song. After that, I just let it go for days without needing to adjust anything other than a pause here and there.
There is rudimentary support for an on-the-fly playlist that you can build, but that's not something I really use.
The controls take about 15 minutes of use to get used to, but after that are amazingly friendly. If you think they're a bit sensitive, you can not only turn that down a bit, but also just set the Hold and all buttons will lock.
A few caveats. The device does not have a built-in loop for an armband (though it does have a small loop for a carrying strap). Armband use will require a special case (cheap). There is no AC power cable (it gets power off USB), but this can be bought cheap as well. The earphones are also normal fare (but decent sounding). If you plan on running or being active with them, you'll probably want something that won't fall out of your ear.
There are additional features on this than I expected. It has surprising sound recording quality with the built-in mic (not that I'll use it). It has FM radio support. It does some bookmarking on music files (basically set a bookmark and you can always start the track on that spot; might be useful for full album rips or break sets). Supposedly it can also do some movie playback, but you'll need to use the Cowon media software to encode the video in a format the iAudio can read. Nice to include, but shouldn't be the point of this device.
by michael 09.16.09 at 10:08 AM in /general -
Is there anyone yet who doesn't understand that Apple is a consumerland company and still fails as an enterprise-friendly company? Oh well, from InfoWorld are details on recent iPhone updates silently fixing problems (again), only this time they were problems Apple was masking in order for users to circumvent policies.
As usual, security can be measured in "WTF's" per arbitrary unit. This one gets several.
by michael 09.16.09 at 10:56 AM in /general -
Joel Snyder over on Opus1 has a couple white papers posted about evaluating IPS solutions. Granted, these are dated 11/2007, but they read well enough to stand valid still. The first paper lists 6 steps to selecting the right IPS (pdf). The second paper lists 7 key requirements for IPS vendors (pdf).
I don't have much to add to the first paper as it is pretty complete. The second paper has a few things I'd mention.
1. I still prefer calling an IDS/IPS just an IDS. Unless specifically configured (and you have the confidence in the device) to actually prevent attacks, they all work as an IDS instead. And this is good so no managers start thinking all attacks are being prevented even though 90% of the IPS device is working as an IDS device. It's an expectations thing.
2. In the performance item (#1), I'd just briefly mention along with failopen capabilities, that the device should do so as seamlessly as possible, especially during an upgrade of the device/software. I don't like patches/upgrades being disincentivized by downtime and off-hours work. That just leads to admins dragging ass. Same with power cycling the device if it isn't very stable...
3. Item 2 in this paper should be read along with item #2 in the first paper; both deal with what sort of detection the IPS will be doing (rate, signature, anomaly, behavior...). Keep in mind that many IPS offerings doing all of them ends up doing all of them sort of watered down. If you already have netflow analysis efforts, you might value that the least.
4. Item #7 asks for some limited firewall capabilities. While noble to include, I don't want to confuse network gurus into thinking they should be mucking heavily in these ACLs and IPS rules just because this is the closest device to the source traffic. An IDS/IPS shouldn't be heavily leaned on for such duties, and thus arguably shouldn't even begin to be leaned on.
5. I'd add item #8 to the mix and say that enterprise IPS should give the operators the ability to be informed and capture enough evidence in an alert to make an informed decision. No data = fail. 1 packet = fail. And so on. This should be part of the evaluation of the IPS and not something you take as truth just because a sales guy says so.
6. Additionally, the alerts an IPS gives should not only be clear and precise on the problem, but signatures should be viewable by analysts to compare why something was triggered. Bonus points if you have capability to craft new signatures, either fully new or using an existing one as a template.
by michael 09.16.09 at 1:29 PM in /general -
Before dissing "best practices" in general, keep in mind that following many "best practices" will save you time and effort discovering for yourself what others already know. Basically, "standing on the shoulders of giants..."
I think many people get mad at "best practices" because they're not universal and absolute. They won't work in all cases (maybe they just won't work in yours!), and they won't result in absolute security (what does?).
As paranoid security geeks, we should question and strive to understand what is going on, but don't just rage against "best practices" because it's chic.
by michael 09.17.09 at 3:22 PM in /general -
Just filing this story away as an example of why policies and computer restrictions are in place. Local admin rights, checking personal email at work,* local malware prevention, etc.
He allegedly sent the spyware to the woman's Yahoo e-mail address, hoping that it would give him a way to monitor what she was doing on her PC. But instead, she opened the spyware on a computer in the hospital's pediatric cardiac surgery department, creating a regulatory nightmare for the hospital.
* This is getting stupidly hard, really. But everyone should still stop the big names, and then manual analysis of logs should pick up on regular use of smaller mail providers which can then be added to a blocklist. Sadly, this means staff-hours in a time when every company wants automated appliances to secure the world with little input.
by michael 09.18.09 at 8:52 AM in /general -
Some good reading to pass a quiet Friday, in case I ever find such a thing this month. Chris Brenton dives into the topic of network mapping through firewalls in part 1, part 2, and part 3.
Moving deeper into networking, Nanog has a presentation posted, " A Practical Guide to (Correctly) Troubleshooting with Traceroute."
by michael 09.18.09 at 9:05 AM in /general -
A new version of wlan2eth has been released.
by michael 09.18.09 at 9:38 AM in /general -
I'm of a mind that some HR folks overthink their job, especially when it comes to hiring and looking at resumes. Maybe this is all just a result of needing to sift through and rule out potentially dozens or hundreds of resumes for a single job (and maybe have backable reasons for whittling them down!). But it still seems like a lot of overthink for something you just can't predict until an interview and you test drive the employee. This tiny mini-rant was inspired by a post over on Jeff Snyder's blog, an excellent blog that combines both security issues and career/hiring issues. I'm not sure I know of another similar blog to his.
Though there is no magic length of time to stay with an employer, this HR executive likes to see longevity of 3-5 years or longer with each employer. Within each 3-5 year stay, Mike looks for growth. Growth could be represented by expanded skills, expanded responsibilities, bigger titles, etc.
I don't really buy into such an approach for tech positions. Managerial or leadership positions, sure. But I think this threatens to shackle technical people with the often superficial trappings of business appearances. With the exception of being let go repeatedly very quickly, I'm not sure I'd read too much into how often someone changes (non-contract) jobs or whether they're seeing progression or not.
Disclaimer: I haven't really done much hiring (I helped look at resumes once...) nor manage people. I also fall into the bucket of 3-5 years per job with progression, so this isn't me bitching about being shorted personally. :)
by michael 09.21.09 at 8:39 AM in /general -
(via infosecramblings) Jennifer over at Security Uncorked has posted up a paper on why NAC is failing. It makes for a good read (pdf).
If you were to ask me before reading this paper what my gut reaction to NAC is, it would read:
- complex to manage in anything beyond a lab or small org with strict system policies, low speed of change, and few exceptions.
- can only exist with other foundational technologies like something to compare against (AV version, etc) and something to control access (managed switches, firewalls, proxy, etc). If you don't have the foundations managed well, you have no business putting NAC in yet.
- can be a nice way to validate inventory and policies, every organization still has to manage the exceptions and guests. If you have inventory and policy-checking already being done, NAC's only purpose is rogue isolation which you can do, to varying degrees of depth, in many other (even homebrew) ways.
- I always hear about messy, issue-prone installation attempts and have never heard of one real success story.
- orgs like McAfee already are trying to put all the pieces together anyway; it's not a big step to take their huge suite of apps and just add in a control piece to their rogue detection/ePO/HIPS/NIPS conglomerate (for better or worse, since all of that rolled into one huge dungpile makes for a beast in administrative costs). But you still need the foundations set even outside such a "complete" (yay marketing!) security suite. This leads into the "it's a feature not a product" argument which I don't usually voice because it sounds way too "analyst-like" for my tastes. Besides, too many features = unwieldy product that is worth far less than the sum of the features!
It makes me a lot more confident in my impressions of NAC that Jennifer hit on these points and more (for instance I totally didn't think about authentication/identity with NAC) in her paper. I'm also not sure I've ever read a more complete and understandable description of NAC in general!
One key quote I want to pull out is this one, which I think succinctly sums up some of my feeling.
A single NAC product will not, in any environment, scale or grow to a level acceptable for widespread adoption. At the moment, the solutions are too difficult to implement and there are other alternatives that give organizations many of the features NAC can offer without the hassle involved with implementing NAC.
Often we do have to implement security technologies and apps that aren't perfect and don't provide 100% coverage no matter how much hacking we do on the side. But NAC is too big of a beast for many managers to swallow and still admit it only protects swaths X, Y, and Z systems/scenarios. Huge suites of varying quality (like McAfee, Symantec, Cisco, etc) that already have roots in what I consider the foundational aspects of an enterprise network already have their work cut out for them. It's natural that NAC will be absorbed into them rather than be yet another boulder to massage into the corporate cyber landscape.
If I had one suggestion, it would be to include a sub-list in the exec summary under the technical challenges item, and quickly list the big technical challenges specifically, or word it in a way that my initial reaction to that item is not the question, "What challenges?"
by michael 09.21.09 at 3:13 PM in /general - comments(1)
Our ID cards are being scanned at an increasingly alarming rate. Marisa over at Errata Security has posted about having her driver's license scanned at a doctor's office (including more links to other reports).
I don't see why this is necessary. Is identity theft at a doctor's office *that* big of a deal? What is the gain, free health care at someone else's expense? Hijacked prescriptions? I can't imagine healthscare theft is widespread as those seem like ballsy, planning-intensive forms of crime. Then again, maybe all it takes is one check-up and that information for someone else is entered into your record (positive for herpes? allergic to penicillin? DNA on file that isn't yours?) which can have disastrous effects on your health later on. But that seems to be more a failure of relying so heavily on what is stored on a computer somewhere. We see movies that make these wild scenarios (The Net, Hackers, and many others) where a computer says you're evil so everyone treats you as evil without a question...
Shit, maybe I'm convincing myself of something here!
Still, what if we go further down the RFID route, or any type of embedded ID system? RFID could be gathered without your being able to stop it once you walk in the door to an office (or god forbid walk *near* it and away!). An embedded ID chip (like pets are getting these days) pretty much has the requirement to be scanned, and let's just hope that's not being saved and is just being validated (yeah right). These kneejerk reactions to having our ID scan may be a joke in 20 years from now.
If you read the "Red Flags" Rule from the FTC, you'll get the distinct impression this is not to protect consumers, but to protect healthcare providers. It also doesn't even make a hint that providers should scan and store ID card information. It sounds very much like being carded at a bar where a visual glance at the card will be enough. (What I "like" about the Red Flags Rule is just how vague they are...and we thought PCI was vague! This basically says you need to spot "red flags" and good luck with that!).
It was just last week that I mused on Twitter that I might have to look into a tight sleeve for my driver's license; a sleeve that keeps the front visible but obscures the back so that I can stop a merchant/receptionist from scanning it while they slip the card out of the sleeve, yet still slip it into the slot in my wallet.
by michael 09.22.09 at 8:14 AM in /general -
Even geeks need to unplug and relax a bit. Security geeks probably more so (although I may be a bit biased there) with our constant battle to maintain acceptable security and the constant threat of our phones, PDAs, and Blackberries chirping for our attention. I read an article by Tom Hodgkinson titled "10 ways to enjoy doing nothing" (CNN) yesterday and wanted to echo a few points.
As a background, I have leanings towards zen buddhism and meditation. Not necessarily your traditional lotus position meditation, but just the ability to find peace and reflection where you are; and just mentally and spiritually relax. I'll add a few other points below from my own experiences.
1. Banish the guilt. We are all told that we should be terribly busy, so we can't laze around without that nagging feeling that we need to be getting stuff done....Guilt for doing nothing is artificially imposed on us by a Calvinistic and Puritanical culture that wants us to work hard. That's true, right? Me, I tend to laze around and play video games. While that is still technically *doing* something, it usually is not something that directly adds to my life, ya know? The point is, don't be guilty about doing things that don't matter or doing nothing at all. Find a hobby, play a guitar, tinker with something, but never let it make you feel anxious or time-constrained or stressed when you do it. Just do it and flow with it like a babbling stream rather than a raging wave.
7. Lie in a field. Doing nothing is profoundly healing... Listen to the birds and smell the grass. Ever do this as a kid? I did. It's beautifully calming and amazing. Ever do this as an adult? Me either, not nearly enough!
8. Gaze at the clouds. Don't have a field nearby? Doing nothing can easily be dignified by calling it "cloud spotting." It gives a purpose to your dawdling. Go outside and look up at the ever-changing skies and spot the cirrus and the cumulonimbus. You can even do this as you sit at Starbucks on the outside chairs if they have them. Or on the steps of your nearby library. Gazing up at the sky no matter what the weather is an amazing, heart-warming, thing that helps put so many things about life and our place and our thoughts into perspective.
And my own additions...
11. Gaze at the stars/sit out in the rain/sit out while it snows. I have an immense appreciation for nature; nothing in the world is or ever will be as perfect as a whole, even with its individual imperfections. Stargazing, sitting out in and watching/feeling/smelling/hearing the rain or snow are the kinds of things that make you know you're alive; your senses assuring you of existence. You can even do this in your regular residential neighborhood (although seeing the stars might be a bit difficult without a good dark park or something) as long as the rest of the world is not too busy. Preferably without distractions, but I wouldn't judge someone less if they mixed in some mood music as well ("new age" music or even minimalistic electronica adds to these moments).
12. Exercise. Many people bemoan exercise as boring or painful or just a waste of time. If you're going to be doing something, whether cardio or weights, you really should enjoy doing it; it's good for the soul to be happy with the things you do. So rather than focus on the pain, focus on the good things. Focus on your breathing, not just the rate, but *how* you breathe (chest vs stomach; mouth vs nose...). Focus on the movements of your body, the contracting and relaxing of the muscles that move our limbs. Focus on the rhythmic beat of your heart. Focus on your posture and form. Focus on those points where you do feel real pain and be aware of your limits. If you need to, include music that you can focus on as well (minimal words, heavy on beat and instrumentation/sound, and longer than 3-minute sound bites; go for real trance/techno).
by michael 09.22.09 at 8:35 AM in /general -
HD Moore posted up his thoughts to a recent NSS Labs report on some "anti-malware" testing. I'm not surprised too much by the results even though it still is a bit disheartening to see freer products score lower (where really they should score below the big boys with money). I just know that surfing the web doesn't actually scare me, but I'm constantly wary and conscious of what I'm doing and what scripts I am allowing to run. I can't imagine doing so on a Windows/IE box day-to-day anymore.
The real problems are user education and layered defenses (or risk mgmt), not some expectation that Anti-malware be perfect.
by michael 09.23.09 at 11:10 AM in /general -
@SimpleNomad threw down a doozy of a link today to a CNet interview with Jon Shalowitz, general manager of Skye, a new hosted DNS "cloud" division for Nominum, who talks about why his proprietary DNS cloud solution is better than what is currently used. This is an example of many things, including how some people will say anything to market their product. And a shining example of irresponsibility in putting crap like this into the ears of other managers who may then bring up these "solutions."
Freeware legacy DNS is the internet's dirty little secret — and it's not even little, it's probably a big secret...Given all the nasty things that have happened this year, freeware is a recipe for problems, and it's just going to get worse.
So, freeware (later he clarifies that he means "open source" when he says freeware) is the root of evil. Moving on...
Freeware is not akin to malware, but is opening up those customers to problems. So we've seen the majority of the world's top ISPs migrating away from freeware to a solution that is carrier-grade, commercial-grade and secure.
So, freeware is not carrier-grade, commercial-grade, nor secure. This is a big jump in logic with nothing backing it up. And there is nothing inherent in a non-freeware solution that makes it carrier-grade, commercial-grade, or secure.
By virtue of something being open source, it has to be open to everybody to look into. I can't keep secrets in there. But if I have a commercial-grade software product, then all of that is closed off, and so things are not visible to the hacker.
So, does this mean code review is bad, or improving security through obscurity is good? I'd ask that as a question as I don't want to strawman the poor fellow, but none of this really demonstrates any understanding of development practices or security common sense. You shouldn't be relying on keeping secrets. At least open source code with holes exposed has the chance to close those holes rather than keep them latently present for years.
Nominum software was written 100 percent from the ground up, and by having software with source code that is not open for everybody to look at, it is inherently more secure.
And how does anyone know your software is "inherently more secure" if no one can look at it? Because you can keep your little secrets hidden, the secrets of shoddy code?
I would respond to them by saying, just look at the facts over the past six months, at the number of vulnerabilities announced and the number of patches that had to be made to Bind and freeware products. And Nominum has not had a single known vulnerability in its software.
Jon has used lame examples of security incidents this year to somehow prove his "statistics," so I'd offer it right back that Microsoft and Apple and Adobe have closed source software but have been inundated with security issues all year and beyond. Oh, and a commentor linked to a disclosed vulnerability for Nominum software. Granted, it's not this Skye "cloud" DNS solution, but I have a strong suspicion Skye is just the same products rebranded by marketing.
By delivering a cloud model that allows essentially any enterprise or any ISP to have the wherewithal to take advantage of a Nominum solution is like putting fluoride in the water.
An argument can be made about a homogenous environment being inherently less secure...I mean, if we're talking about "inherent" assumptions.
You really do need to look under the hood and kick the tyres. Maybe it's a Ferrari on the outside, but it could be an Austin Maxi on the inside. The software being run and the network itself are very critical. And that's one point the customer really needs to be wary of.
Umm, exactly. People need to be able to look under the hood of the code. Oh, and saying something to the effect of, "If you care about security you'll accept we're right," is not an argument. It's typical marketing/sales-speak to confuse the dimwitted.
All in all, poor Jon has given us an example of how NOT to give a technical interview. By the way, if you dig a bit on him, you'll see he is marketing and product management (more marketing), not technical. Especially when the interviewer makes a point of asking point blank if he means open source. That is an obvious giveaway that you're doing something wrong and you need to stop and back up, not truck forward like an idiot.
by michael 09.23.09 at 3:03 PM in /general -
The "free" Metasploit Unleashed course from Offensive Security has been...unleashed! The additional materials you can purchase have been held back a bit until the next stable version of Metasploit (v3.3), but the wiki portion is available to consume now.
I'd strongly suggest donating money or paying for the additional materials if you have the funds and desire. Even if it weren't going to charity, the guys who make BackTrack and this training possible deserve the kickback.
by michael 09.23.09 at 4:04 PM in /general -
...but security is rarely about absolutes.
Bill Brenner has posted 7 Ways Security Pros Don't Practice What They Preach. I'm surprised more of these types of lists don't show up, especially as normal users rage against security measures.
So, my thoughts and how do I rate?
1. Using URL shortening services. Yeah, these suck. I hate clicking them and I hate using them. But sadly, Twitter use has forced us to do something risky in order to fit ghastly URLs into small boxes. Hell, even magazines use them. Just think if browsers could only handle xx characters and had to truncate the rest of the URL in the address bars. Yeah, fucked. This reminds me of 1997 IRC where you'd learn quickly not to click on blind links because you'd see some fucked up shit that you thought was going to be something cute. This is probably why "Rick Rolling" never seemed that big a deal to me. Am I guilty of using these? Sadly, yes, I use (and only use) tinyurl.com, but I should move to one that, by default, previews the URL first.
2. Granting themselves exemptions in the firewall/Web proxy/content filter. Disclaimer: Yes, I'm exempt from some policies at work because I have to investigate such things. Yes, I get to exempt myself from some web site category filters (ever do security research when "hacking" sites are blocked? ever investigate hits on your external services when you have no idea what might be hosted on the other end? ever go to a blocked URL that a user hit only to see just why it was blocked?). But other than legitimate work uses, I don't poke my own holes into security protections just because I want to, such as gaming sites or opening up holes for me to bridge a home network...
But here's the real deal. Business wants you to get XYZ done. If you were a normal employee, you'd do whatever you *can* to skirt the rules if those rules are stopping you from getting XYZ done as requested. When you start doing that same business habit to the people who control the rules, then you put those people into a position where they *can* accomplish XYZ because they *do* have that power. This is a classic example of how security and convenience butt heads, and sadly convenience almost always wins without some help on the security side. This is why I hate the question, "But technically, you *can* open the firewall for me, right?" Yes, duh I *can,* but I won't.
3. Snooping into files/folders that they don't own. Doing this in the course of an investigation or because a manager or HR has specifically requested it (properly I might add) should be quite alright. Again, this is like saying don't jump in the water, and then yelling at the fish because they're inherently in the water.
There are also other reasons, such as disk usage investigations (really, I shouldn't run that 300MB movie file you have on your network drive to determine business need because my fileserver disk is filling up at 10pm?) or when migrating a user from one system to another (yeah, people shove shit in the craziest places on their disk...).
But looking at things you shouldn't look at, should be avoided. If a file says something like, "performance appraisal" or "tax return," you probably want to take extra care not to open it. If you're on an exec system, it's probably best to stick to only the exact task at hand. Basically: common fucking sense.
Then again, this is just me. Even if I have such files in front of me, I won't open them or touch them if I can help it. I think IT and especially security are hinged entirely on the integrity of the employees. Once that goes, there is no getting it back. So I try to vehemently protect that.
4. Using default or easy passwords. This is a red herring point; shame on Brenner. But it does ring of some truth. First, of course I use some easy passwords. Why? Because I dub such uses as low value fruit. For instance, I tend to reuse forum passwords because they're untrusted systems and I maybe post 3 times and that's it. I don't care if the admin boinks the database and publishes my password. But for other things, in recent years I have slowly migrated all those passwords I made before I thought about security, into more complex ones. I'm almost complete, in fact. In defense of admins, I'm positive we tend to have a far higher tendency to use complex passwords vs easy passwords, than your normal population of users.
5. Failure to patch. I patch any time I have a moment at home, especially my Windows boxes. Applications getting patched is a bit different, but I have only limited Windows use these days. At work, this is a whole new ballgame as patch management needs to scale and there needs to be testing and change management. Windows/Microsoft patches are one thing, but I conjecture that very few shops keep applications patched (let alone internal applications). See item #2 for clues on why patches sometimes either don't get done or keep getting pushed off (hint: it has to do with stakeholders/customers).
6. Using open wireless access points. This is an interesting item. First, security pros at least know what to look for and what not to do at wireless access points. Hopefully they're not checking email with clear text auth. Second, the risk of being snarfed at a wireless hotspot can be low. But all it takes is once and you're pwned. Me? I use open wireless, but I'm highly conscious what I do on them, even including sidejacking/injected CSRF attacks. Then again, I tend to be the snooper as opposed to the snooped...
See, when security pros tell "users" to not use open wireless access points, we'd only do so because we know the user isn't technical enough to do it the right way. But what we're really saying is, "don't do sensitive things on open wireless, and be careful and protected from other things already." This limits your risk greatly.
7. Misuse of USB sticks and other removable storage devices. I don't have much to say on this one! But I will say I don't use USB sticks at work or for moving work data. And I don't keep sensitive stuff on my personal USB sticks longer than I need to. My assumption is that I will lose the stick at some point.
8. Seriously, you forgot to include running as least privilege Windows user? I'd be guilty of this, both at work and at home. At least at work I only run as domain admin on servers or using runas. For as much as we preach about least privs, we cheat at our own advice by running more Linux and MacOS. If we were on Windows systems, I'd bet most still run as local admin.
One thing I notice is how so many of these points skew our "advice" a bit. Most of these are, "Don't do this unless..." or "Do this, but..." It's the ability to fill in those second halves that makes us security geeks. When people want advice, they usually want simple advice. "Don't use simple passwords," is far easier and more digestible than explaining how to rate the risk of all the services you use a password for and how they interoperate.
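Item 1 above ends with the sensible habit of previewing where a short link goes before visiting it. The script below is an added example, not code from the original post or from any shortener service: it issues HEAD requests and reads each hop's Location header without ever following the redirect, so the full chain is visible before a browser touches the landing page. The hop limit of 5, the fake shortener routes (/abc, /def, /landing) and the loopback server are all constructed for the demo.

```python
"""Preview a short link's redirect chain without loading the landing page."""
import threading
from http.client import HTTPConnection, HTTPSConnection
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 5  # assumption: a legitimate shortener never needs more than this


def peek_redirect(url, timeout=5):
    """Send one HEAD request and return (status, Location header or None).

    Redirects are deliberately NOT followed: the caller sees every hop
    before deciding whether to open the final page in a browser.
    """
    parts = urlparse(url)
    conn_cls = HTTPSConnection if parts.scheme == "https" else HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    try:
        conn.request("HEAD", path, headers={"User-Agent": "link-preview/0.1"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand_chain(url, max_hops=MAX_HOPS):
    """Return the list of URLs from the short link to the first non-redirect."""
    chain = [url]
    for _ in range(max_hops):
        status, location = peek_redirect(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain
        # Location may be relative; resolve it against the current hop.
        chain.append(urljoin(chain[-1], location))
    raise RuntimeError(f"more than {max_hops} redirects; refusing to continue")


class _FakeShortener(BaseHTTPRequestHandler):
    """Constructed stand-in for a shortener: two hops, then a 200 landing page."""

    routes = {"/abc": (301, "/def"), "/def": (302, "/landing")}

    def do_HEAD(self):
        if self.path in self.routes:
            status, target = self.routes[self.path]
            self.send_response(status)
            self.send_header("Location", target)
        else:
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def demo():
    """Run the expander against the constructed loopback shortener; return the chain."""
    server = HTTPServer(("127.0.0.1", 0), _FakeShortener)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return expand_chain(f"http://127.0.0.1:{port}/abc")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for i, hop in enumerate(demo()):
        print(f"hop {i}: {hop}")
```

Against a real shortener you would call expand_chain() with the short URL and read the printed hops; the point of HEAD plus no auto-follow is that nothing on the final host is fetched, and the hop cap stops a redirect loop from spinning forever.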
by michael 09.24.09 at 10:47 AM in /general -
Last week I had a tiny, tiny rant about some feelings on isolated HR practices. The author who inspired my tiny, tiny rant posted a response to my initial comment on his blog, so it is only fair and right that I mention it here as well. Appreciation and thanks passed on! :)
Of note, I don't have a relationship with any recruiters. I still get a voice mail on my phone now and then from a firm or two, but I admit to not following up or updating my resume with them (god, I still haven't put CISSP on it either!). I really should get my face back on some recruiters' minds...but I'm more than aware that Des Moines is not a very big city by any means, and most IT managers/recruiters are probably only 1 or 2 steps away from any others whom I talk to. I don't like the idea that someone hears I might be looking, just because I updated with a recruiter. (One recruiter 3 years ago scared me away because she made mention she was well-acquainted with my boss, whom I wasn't telling I was looking for a job...). I imagine with my CISSP and easily 5+ (loyal) years of progressive technical experience I'm actually now marketable.
by michael 09.25.09 at 2:08 PM in /general -
Hoff has opined about virtualization over on his blog. He calls it an incomplete thought (a blog post series, really), but it's really quite thorough and deep. I suggest reading the comments as well.
In essence, Hoff says, "There’s a bloated, parasitic resource-gobbling cancer inside every VM." It's true. Virtualization isn't a solution to much of anything. It's a golem of a beast created to fix problems that were symptoms themselves or much larger problems.
Here's a really quick, 30-second mindset I have on this.
- mainframes centralize everything and people get things done with their slices
- personal computers take the world by storm
- suddenly everyone can do something on their own without the centralized wizards and curtains.
- ...and everyone does things on their own, creating apps, languages, etc; decentralized apps and data
- the OS just can't really keep up; same feature bloat hit Windows that hits all software that wants to be popular and fit every niche need (McAfee, Firefox, browsers, etc).
- then shit gets too splintered and the IT world becomes an inefficient money-drain of equipment and maintenance
- attempts to centralize everything are met with cries of "they're stealing our admin rights, but my system is slow when I have admin rights!"
All of this ends up turning into a cycle, and one we're destined to follow over and over. Big iron. Smaller iron. Big iron. Centralized. Decentralized. Centralized. Administrative power over your individual system. Locked down. Empowered. Locked down. It's like a "grass is greener" mentality out of control.
But it's more than that, as well. Part of this cyclic mess of a vortex is the speed at which technology is progressing and our world is changing. It moves so fast that no one (business or individuals) can take the necessary time to do any of this correctly. As you'll hear Ranum and I think even Potter say in recent talks, the problems of today are mistakes from 15 years ago. I think things just move too fast for us to realize it.
At any rate, it's not like we can do much about it today, but at least we can be cognizant of this situation and do what we can in small measures to avoid the eddies and undertows that drown so many in these changes.
by michael 09.29.09 at 12:48 PM in /general - comments(1)