.: November 2010 Archives
Wanted to link really quickly to a recent example of the problems we face in security, even amongst ourselves. EvilGrade 2.0 was recently released, and the full-disclosure announcement sparked some...discussion. As background, EvilGrade is software that assists an attacker in hijacking the upgrade process of a piece of software and sending its own executable in place of a real upgrade executable, thus having it automatically executed by the software.
The subsequent discussion brings up the points of (I'm just informally summarizing here):
- Hijacking upgrade mechanisms is a vulnerability (or weakness).
- This vuln is not necessarily easy to leverage by an attacker. Has limited (but useful!) applicability. (local network access; targeted; etc)
- There is an opportunity cost to addressing this issue. (Time spent fixing small issue = time not spent elsewhere.)
- The issue may be easily fixed with certificate signing. (Everything is always 'easy' to someone...)
- Certificate-signing also has its own weaknesses.
- Cert-signing also means added code which means added complexity and possibly more exposure to other attacks.
- Ultimately the question: is this issue worth fixing in product ABC? Is this huge enough that we stop corporate updates until a fix is proven, audited, and required by regulations? (Ok, I added that last part myself...)
This is a classic example of the belief that every vulnerability must be fixed, no matter the cost vs doing what you can with the resources and costs/risks available to you (which can be very subjective in measure). This sort of argument is pretty much religious. In fact, I've called it such in the past with posts about security religions. There are usually no universally correct answers, and there is usually pretty detrimental and venomous discussion once you start down these threads.
But it illustrates the challenges we face even amongst our own in the security circles. It gets worse when you have one person on each side of this discussion whispering into opposite ears of the non-technical business-owner who makes the ultimate decisions. (Although, cost-savers probably always have an inside track in that argument...and 'doin nothing' is the easier example to explain...)
Full disclosure: I have sympathies on both sides of that discussion.
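To make the "fix it with signing" option from the list above concrete, here is an added example that is not EvilGrade's code and not from the full-disclosure thread: a minimal signed-update check in Go. It uses Ed25519 from the standard library instead of X.509 certificates, and the vendor key, manifest layout, and update package are all constructed for illustration. The client refuses to run anything whose manifest does not verify against the pinned vendor key or whose package hash does not match the manifest, which is exactly the swap an update hijack relies on.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest binds a version string to the SHA-256 of the update package.
// The vendor signs this small blob at release time; the client verifies
// it against a public key shipped (pinned) inside the installed product.
// Layout is a constructed example, not any real updater's format.
type Manifest struct {
	Version string
	SHA256  [32]byte
}

// encode produces the exact bytes that are signed and verified.
func (m Manifest) encode() []byte {
	return append([]byte(m.Version+"\n"), m.SHA256[:]...)
}

// SignManifest is the vendor-side step (hypothetical helper name).
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.encode())
}

var (
	ErrBadSignature = errors.New("update manifest signature invalid")
	ErrHashMismatch = errors.New("update package hash does not match manifest")
)

// VerifyUpdate is the client-side gate that must run before the package
// is executed. Order matters: check the signature first so an unsigned
// manifest can never influence which hash we compare against.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, sig, pkg []byte) error {
	if !ed25519.Verify(pinned, m.encode(), sig) {
		return ErrBadSignature
	}
	if sha256.Sum256(pkg) != m.SHA256 {
		return ErrHashMismatch
	}
	return nil
}

// Demo runs the three cases a defender cares about and returns the
// verification result for each (nil means "install allowed"):
//   genuine  - the real package with the vendor-signed manifest
//   swapped  - the package replaced in transit, manifest left intact
//   forged   - package and manifest both replaced, signed with a key
//              that is not the pinned vendor key
func Demo() (genuine, swapped, forged error) {
	// Constructed vendor key pair; a real product would pin only the public half.
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pkg := []byte("constructed sample update package v2.0")
	m := Manifest{Version: "2.0", SHA256: sha256.Sum256(pkg)}
	sig := SignManifest(vendorPriv, m)

	genuine = VerifyUpdate(vendorPub, m, sig, pkg)

	tampered := []byte("constructed tampered package")
	swapped = VerifyUpdate(vendorPub, m, sig, tampered)

	// A manifest rewritten to match the tampered package cannot be signed
	// with the vendor's key, so it fails at the signature step.
	m2 := Manifest{Version: "2.0", SHA256: sha256.Sum256(tampered)}
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged = VerifyUpdate(vendorPub, m2, SignManifest(otherPriv, m2), tampered)
	return genuine, swapped, forged
}

func main() {
	g, s, f := Demo()
	fmt.Println("genuine update:", g)
	fmt.Println("swapped package:", s)
	fmt.Println("forged manifest:", f)
}
```

The weaknesses the thread raises still apply to this code: the whole check rests on the pinned public key and on the vendor keeping the private key out of an attacker's hands, and the verifier itself is more code in the updater that can contain its own bugs. What it does buy is that a package swapped on the wire is rejected before it is ever executed.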
by michael 11.01.10 at 1:14 PM in /general
Bejtlich posted, "What Do You Investigate First?"
He brings up the question of three different approaches:
- focus on the threats
- focus on the assets
- focus on the vulnerabilities
These are great bullet points for a blog post (or hell, probably a small book) on how these approaches can be tackled, including perspectives from prevention, detection, response. And how these may compare to the "reality" many orgs face in responding to only the things that people will raise fire alarms about if they're not available or what you might get in the most trouble for not responding to...
I was going to flesh this out as a full future post, but decided already that I don't have the time, yet didn't want to lose the beginning of my thoughts...
by michael 11.01.10 at 2:11 PM in /general
Via the infosecnews mailing list I perused a cyber security article in the New Yorker. I wanted to draw attention to two and a half points.
First, I liked the discussion on the difference between "cyber espionage" and "cyber war." That's basically been my view of things, and how so many of the threats and "attacks" we're seeing today are not new...it's just traditional espionage moving further into the cyber plane. That's it.
Second, it takes a few pages to sink into the topic of the desire of the NSA to peek into encrypted communication and how that compares to those groups and the public who strive to encrypt everything. This is a complicated picture. For instance, a private company is a smaller-scale version of the same government/citizen issue. If the security teams can't see into the traffic generated in the company, they also will lose quite a bit of intelligence in their operations. If an employee can set up an encrypted tunnel out port 80, this is still not something easily found and/or blocked by many enterprises. And it certainly is a problem to see what is being sent over that tunnel.
Lastly, I made note of the mention about how the NSA also wants to know the identity of people in these communications. A wholly new topic, really. At least this is far more trackable in an organization, than in a public nation.
By the way, read to the end for the payoff on the EP-3A recon aircraft that helps open the story.
by michael 11.03.10 at 10:28 AM in /general
Kevin Lister has a fun post over on the SANS diary where he presents tables on common web attacks and countermeasures. (Warning: I'm feeling contrarian today...)
[Aside: Some of my trivial annoyances with this article echo my similar annoyances surrounding yesterday's announced IE CSS 0day (advisory link, krebs link, eeye link). There is a huge difference between initial attack (the 0day) and the payload...even when they're tied together into one package or chained exploit.]
The unfortunate part of any discussion like this is defining the context/scope. In this case, I would break down context into 4 distinct options:
- non-technical home user / micro network
- technically-sound home user / micro network
- small business (~10 to a few hundred people)
- medium to large enterprise
Why the difference? Because how one approaches web security should differ depending on your context. Articles like this probably should define a scope first.
In addition, one should define the scope of the defense. Are you trying to protect against the initial attack itself, the resultant payload, or both?
While Kevin has a lot of "Free" items, none of these approaches are "free" in small and larger businesses. Even a "Low" in the tinker field means man-hours in research and support.
I have a few misc points to make as well. For home users they can also take "alternative browser" one step further by using an alternative OS. There is no mention of host firewalls, sandboxing, or virtualization (i.e. sacrificial host). I personally think the alternative OS option should have something more significant than a "-" effect. An attack against IE will fail against Firefox, and vice-versa. So we're back into a, "it depends" mode. I also feel that the "noscript" category, based on these tables, is woefully under-valued if someone just glances at this data. I think it's worth more than what is reflected.
I'd also note that there are three fuzzy classes of protections that probably should be treated separately.
- Those that require someone to make an update (signatures, opendns, ips, whitelists...)
- Those that stop a certain behavior from occurring (lower admin rights, noscript, dep...)
- Those that avoid the issues entirely (alternative whatevers...)
(I'd post comments, but posting on sans has been problematic at best for me...when I even remember my password there.)
by michael 11.04.10 at 9:13 AM in /general
Call of Duty: Black Ops (COD:BO) has been released and I spent pretty much my entire evening playing multiplayer on the x-box version. I'm exceedingly pleased with the end results, and it is far superior to the recent unfinished Medal of Honor (which I complained about) and better than most aspects of the last COD game, Modern Warfare 2.
I already liked Treyarch's previous COD entry, World at War, better than either of the Modern Warfare games, both in single and multiplayer. I liked the guns, pacing, and the polish of things like the menu and lobby systems. The menu system quality Infinity Ward never even came close to as far as ease of use and usefulness of information. Treyarch's map designs have also been far superior to most of the ones from Infinity Ward. In single player (infinite respawn difficulty aside) WAW was a far better experience than the cobbled-together story and uninspired gameplay of MW2 (and unsatisfying final vehicle and QTE endings). WAW was also a far better experience to complete in veteran. Frustrating, yes, but it felt way better when completed. (I did not bother with Mile-High Club in MW2.)
Similar to what I did for MOH, here are some Day 1 impressions on multiplayer. I stuck to Team Deathmatch for the duration. I wasn't a high enough level yet (need to be 19) to play Hardcore modes, which is where I spend most of my time. I'm also not going to mention everything I liked; just the things that I really liked above and beyond the norm for COD games. If you read my complaints about MOH, pretty much every one is a positive in COD:BO.
Note: Any mention of money or buying items refers to in-game money that you earn by playing. This is not purchased with real money.
- Top-notch FPS maps. I absolutely love Treyarch's map design team. They make interesting maps, large maps, with a great, great eye to competitive play and game flow and versatility. There are spots to camp and ways to attack every camper. This is even more pronounced after having played the horrible MOH maps and the not-nearly-perfect MW2 maps.
- There are 14 maps out of the box. In MOH, it only took about 60 minutes to already be sick of the small map rotation, and map packs in MW2 have given rise to not even seeing every map in a given 6 hour play session. I love the variety.
- Killstreak rewards no longer contribute to earning more of them. So if you call in an airstrike that kills 3 people and you only needed 3 more kills for the next reward, you still have to earn your 3 kills on your own. This is an excellent change, and a subtle shift in making killstreak rewards not contribute nearly as much to the OPness of some players. Chaining killstreaks was common in MW2, and really felt pretty cheap.
- You get upgrades when you want them (mostly). In-game money buys your upgrades. This is cool since you don't have to wait until like level 28 for the Ghost (camouflage) perk. If you know what you want to get, you don't have to necessarily wait for the right level to unlock them. Guns and some other items still have a level requirement, but for most things you can open them when you want them. This is really cool and will help streamline class buildouts for experienced players who know what they want to use.
- Menu system is excellent. I hated certain nuances in the MW2 menu system, and MOH was downright awful. WAW had the best one in recent memory, and somehow Treyarch has even one-upped that. It's beautiful and easy. How hard is it to make one-click voting?! Thank you Treyarch.
- Combat stats. In a word, I fucking love the stats provided by BO. I sorely missed even the small amount of stats provided in WAW that MW2 just didn't bother with. Happy to see little things as well, like the Nemesis card is back. Little things like that help make a 4-hour session in the same lobby kind of fun.
- kill-death ratio displayed on all score screens. This is the golden stat in team deathmatch (and maybe in any FPS game mode): kills over deaths. If you're above 1, you've been a service to your team, whether you made only 3 kills while dying 2 times, or made 30 kills while dying 20 times, you're still a benefit to your team. It's great to actually see this number finally represented.
- Party-only chat is back! One of the most annoying parts of x-box MW2 multiplayer was being forced to hear all the racist kids talking, and stealing away any buddy-buddy privacy for talking to your friends. Treyarch brought the WAW style back where your party can stick to party chat for some privacy...and sanity.
- The playercard design-making is interesting, and I can't wait to see some really cool examples that people make in game, especially the emblem.
- Grenade Launcher/Bazookas (so far) aren't as low-rent as in MW2. MW2 multiplayer, especially in hardcore, sometimes devolved into who can toss out the most grenade launcher and bazooka shots and score lucky kills. So far, it seems like these weapons aren't quite as OP as previous games, which is a nice change. It's possible people just aren't using them yet...
- Theater mode. I certainly won't use it much, but the ease of use and power in watching game replays and editing them is amazing. I spent some time in just one of my own games, and was amazed at what you can see and do, from watching anyone in game (even enemies) to snapping out of FPS view into free-floating camera. (caveat: I didn't find a way to move the camera elevation straight up or down yet.)
- Tomahawk looks fun! Actually, I can't believe how often I died to one last night. Also, I swear someone threw some sort of homing knife at me once. At least, that's how it looked in the killcam! I wonder if the crossbow does that... In MW2, I enjoyed working on the throwing knives to unlock that title/emblem (still hard to be effective with them), so knives/tomahawks may be more viable this time around?
- Small resolution on menu text. If you're like me and haven't upgraded your television in 3+ years (I was early on the plasma kick), then there is some annoyance in all the information presented on menu screens. Not a huge deal, but noticeable.
- Initial feeling of being overwhelmed by all the things you can buy, especially upon realization that if you want to unlock Red Dot sights on every gun, you don't just buy it once or even once per weapon type, but actually buy it on every single weapon. This is offset by the quick earning of money to spend. There's also added tracking of contracts, challenges, your money, what you can and want to buy, and so on. It's a pretty detailed game that will be overwhelming at first.
- Playercard design is different from MW2. In MW2, you tended to earn your way through titles and emblems, but in COD you pretty much get to the level you need to be and then buy the designs. I'll likely just miss the challenges, but not miss the difficulty in getting some of them.
- No preview ability for playercard purchases. Need to spend in-game money to test things out.
- Dogs are back as a killstreak reward, and they're still a pain in the ass to kill on xbox (stupid controller).
- Melee attacks lack "thunk!" I still miss the WAW melee attacks where there was a very visceral "thunk" of the knife slamming in, as well as a physical jerk of the body that felt exceedingly satisfying. MW2 didn't come close, and MOH was awful. BO does ok, but it still feels a little weak. By default, it seems you can score knife kills from a half-step farther away than previous games.
- Knifer/Runner build? Speaking of knife distance killing, I don't think there is a perk anymore to lengthen the distance you can score knife kills. These were very fun in WAW or even MW2 to run around quickly and get knife and other obscenely CQB kills. I'll try a runner build again at some point. Hmm, no riot shield either, not that that was terribly efficient in any but the smallest maps (Rust)...
In short, it is glorious to not only be playing a COD game again, but to be playing a Treyarch COD game.
by michael 11.10.10 at 8:44 AM in /general
I've lived with Call of Duty: Black Ops (COD:BO) for a week now, and have even prestiged once (yesterday). So I thought I'd tie off my impressions on the multiplayer game. Notes: I play the x-box version, liked World at War slightly more than Modern Warfare 2, beat both games on veteran mode, and really do like COD:BO quite a lot, despite the cons down below. See my previous post for a huge list of pros, which still all apply. My notes here get pretty nit-picky...
- Map flow is broken, probably due to spawn code. I'm still not sure what the exact problem is, but it certainly is not the maps. I believe strongly it is involving the code that decides where to spawn players. I think this is still based on putting you close to your team but also with a weighting towards the player who just killed you. In WaW/MW2, you could track the flow of a game when one team is dominating the other, as a sort of slow circling of the map as you chase the team slowly around. In BO, there is no such flow at all, and I can't begin to count the number of times I've been killed or surprised by an enemy that should not have been present in the location he was present in. I blame poor spawn code for lack of better candidates. Runspeed may be a tad too high, but not really sure on that. Spawning is just not right.
- Throwing grenades upon respawn. WaW and MW2 seemed to get this right, but in COD:BO, if I am cycling through players in spectator mode while I wait to respawn, I'm hitting the right/left bumpers to do so. But if I'm not watching the timer and it hits 0 and respawns me, when I hit that bumper (which I do sometimes to see where my buddies are and who is under fire) it immediately tosses a grenade. Lame. At least in the previous games I swear you couldn't toss something like that for a split-second or two after spawning. Perhaps this is needed because of the strange spawning issues described above...
- Lots of awards, medals, and challenges pop up during games. This is really cool, but sadly there is just no time to glance up and check out what you just did. The messages are too quick and way too often. Likewise, you don't get any list of them after matches, one of the only oversights in all the stats and information you get post-game and ongoing. In WaW and MW2, I always knew which challenges I just finished, but in COD:BO, I don't think I've been cognizant of any except the Perk Pro things I need to get (because I'm looking for them and doing them specifically). This may also be a product of just overwhelming players with so many things to do and track and pay attention to, that challenges get left out for me. I'm busy with classes, contracts, equipment, working on perk unlocks, leveling, etc.
- Points in Hardcore Team Deathmatch (HTDM) seem low. I really like HTDM, but unfortunately the rewards are small compared to the points gained from even crappy Headquarters matches. You want to level up quick, stick to Headquarters. It is not uncommon to score 10,000 points in a round, and far more in a good round. Unfortunately, the game is quick and fast, which is not for all people.
- Voiceover status messages can be late. If you get a lot of care packages and killstreak rewards, and game status changes (someone is planting the bomb), you can get a really weird long list of voiceover updates, some of which occur significantly late. "Yeah, I got that care package like 30 seconds ago, thanks!" I'd have liked quicker ones, or even just overlap the damn things...
- The one issue with buying upgrades: timing. When you hit the max level in WaW or MW2, you've unlocked everything and can do whatever you want. In COD:BO, I made level 50 and while I had all the perks unlocked (not all pro, of course) and most of the weapons I wanted to try out, I didn't have anywhere close to all the attachments and enhancements I would have played with. When you prestige, these all get reset along with your "money" in game. Not sure what I think about that...I like that I can open what I want to open, but I'd like to have had a chance to try everything once hitting the top, ya know?
- Playercard interface could be enhanced. Yeah, this is pretty low to pick on a really cool new feature, but this section could see some enhancements with previews and such. Also, it's really annoying to see the...creative...things some kids come up with.
- No payback dollars. I thought the payback kill dollar bills flying out of those kills was fun. I kinda miss it now that it's gone.
Pros: I really have nothing new to add here. The game is pretty darned fun and a good successor for the series.
by michael 11.16.10 at 12:00 PM in /general
SecTor 2010 videos are available. Consume and learn! Honestly, pages like this are like walking into a candy and comic book store or video arcade when I was 10 (take away the candy, and I guess this still happens!).
by michael 11.18.10 at 10:49 AM in /general
Quick article over at InformationWeek where there are two points that caught my eye (that part where my pet peeves lounge).
The study queried more than 200 security professionals about their organization's ability to detect and deal with advanced, persistent threats.
I'd like to hear why Random Corp ABC needs to worry about APT. I can tell you why Boeing or Google or PayPal may care about APT, but some nebulous, possibly SMB-sized, company shouldn't by default be caring about APT. That makes this question useless.
Interestingly, when it comes to responding to security incidents, what respondents fear most of all isn't intellectual property theft, corporate brand implosion, or recovery costs, but downtime. Indeed, 93% of respondents said that network or system outages were their primary post-incident concern, and 92% said they feared excessively long cleanup times.
It'll make a smart security geek wince, but it's true. That A in CIA (Availability) may mean the least to security, but it means the most to organizations. Down systems are very obviously and clearly resulting in lost productivity or customer frustration and loss. Disclosure of C or I (or other security incidents) are not usually so obvious and in-your-face.
Should we fear downtime the most? I guess it doesn't matter, since the business is going to force us to fear downtime the most, in many cases. Which is doubly fun because not only should you avoid downtime caused by attackers (read: sec incidents), but also downtime caused by implementing security controls or security tools disrupting things. It's often like threading a tiny needle with fluffy yarn!
by michael 11.18.10 at 1:37 PM in /general
Catching up on some new feeds, I see Marcus Sachs threw down a quick SANS diary post question about the future of security, framed with recent Stuxnet analysis from Symantec. I have two pieces to pull out.
While the demo is for Stuxnet, it brings home many of the techniques that have been perfected over the past two years to bypass firewalls, intrusion detection systems, and other classic defense mechanisms.
It helps (from a certain perspective) that organizations and people are bypassing these controls during daily business. For instance, the big stink in recent years about SCADA has been the degradation of the traditional "air gap" between those controlling systems and the greater network (even Internet) of the organization. The classic defense mechanism of an "air gap" doesn't even need to be bypassed by attackers, because it's already done! Same with challenges in endpoint controls and basically any other traditional, rigid, layer.
Well, we need to start rethinking how we are going to defend our networks in the coming years and decades. Layers of defense are, of course, important - but what should those layers be?
This is a strange question, especially as these layers of defense are deteriorated by users and organizations themselves. I'd probably point to several directions as discussion-starters. I think the real point is there are no longer discrete "layers" so much as a creative blending of existing and new pseudo-layers to create some security value.
Disclaimer: I have no answers at the moment; just contributions to ongoing discussions!
- diligent staff - It might sound stupid and all 1950s, but when all else fails, you really simply have to have skilled staff keeping their fingers on the pulse of the network. Technological layers aren't going to fix what is increasingly becoming a soft problem; not without defining and truly enforcing rigid limitations/controls. This is fallible, yes, but if one wants to say all these layers of defenses today are failing, you need to move into layer 8...
- get security correct from the start - Obviously software, systems, hardware, and the various ways they're put together need to be created/implemented in a secure fashion from the start. Unknown attacks will still pop up (0days), but at least start as secure as we possibly know how to be.
- encryption - Basically, encrypt everything. Of course, this cuts both ways, and will impact security visibility as well.
- identity - If you need to blindly trust encrypted communication, you must implement a trusted identity mechanism to control who can dump information into those encrypted communication channels. This includes people as well as devices and even app identity.
I'd say none of these options are realistically possible to fully achieve. Some of all of these can be used. Besides, the whole concept of a layered approach to security *should* imply that no single layer (or even couple of layers) provides full security. Likewise, none of these additional pieces above will do it alone, but rather each should be implemented as much as resources allow, for even more blended approaches.
Of course, we're back to looking at security less from a technological standpoint and more from a pragmatic or risk standpoint, yeah?
by michael 11.18.10 at 3:47 PM in /general
Training and policy are necessary, but don't bank your security on them. This story on a couple security breaches at the VA illustrates this. When business says employees must get XYZ done, and employees *can* technically do something to help themselves get XYZ done, they will do that (based minorly on their own internal risk analysis of job vs getting caught+fine...). The only thing policy/training does, ultimately, is give the business grounds to fire offenders and CYA against negligence. But it doesn't specifically *prevent* anything any more than a sign that says No Loitering.
Just like this car I see daily in the visitor slot of the parking lot. Unless someone gives that person a warning and/or tows them, no soft measures are going to stop them. (Yeah, not a life-threatening heinous offense, but it illustrates a point.)
As a counter-point, one might mention stoplights. Nothing is really technically stopping people from ignoring a red light...
I better stop before I hurt my brain on a Friday.
by michael 11.19.10 at 8:57 AM in /general
Amrit Williams has an awesome post about the state of security, and I thought I'd dive into it. Just to state up front, I agree with some things and disagree with others, but in no way think discussion like this is wrong.
...What underlies all of these positions is a belief that the status quo is woefully ineffective and the industry is slated for self-destruction or, as a whole, we will succumb to a digital catastrophe...
Well, I can confidently say nothing will self-destruct nor any killing catastrophe will happen. People in general are resilient bastards, as is business and technology. In short, life and technology and progress will move on. Sure there may be stumbles and maybe even paradigm-changing events, but that is all still progress, in my book. In short, I don't believe that sort of belief should exist.
... trapped in an OODA loop that will forever deny us victory against malicious actors because we will never become faster, or more agile than our opponents...
One could argue that we're not meant to be faster or more agile than our opponents. I'm sure there are military comparisons here somewhere, as well as comparisons to security ever since the first caveman wanted to protect his territory. While the battlefield changes, I really think the core concepts of security really don't. Why implement more security than you need to meet known and maybe unknown threats? I won't belabor the point, largely because I won't go terribly far to defend it. This is just an avenue of discussion that is useful to dive down and dirty into because it helps to figure out people's religions/beliefs/approaches. I truly believe we need to both react *and* anticipate as much as possible; there is no win, but we don't have to be drug behind the cart.
Organizations tended to react driven by a security incident or compromise, an audit or compliance event, or due to perceived changes in the threat landscape. For the most part security has been and still is an afterthought.
Truth! There is also the need for someone to think like a paranoid nut (trust no one), the need for expert-level knowledge to properly anticipate and bake in security while also meeting requirements, and so on. But as a corollary to my above paragraph, the question may be whether security will *always* have a major "afterthought" component to it?
For example the concept and delivery of cloud-computing was introduced and then it was realized that the lack of security...was a huge inhibitor to adoption.
I think the cloud is a poor example. This isn't a technology that consumerland is clamoring for as the obvious answer. I would say the inability to understand how to integrate the "cloud" into one's own processes is a bigger inhibitor. (Obviously, I'm not counting gmail or CDN services or hosting services as "cloud" providers.) I think security is a convenient bed-buddy for the fact that these cloud services just aren't to-die-for-and-obviously-must-have-right-now, nor are they consumerland toys. If consumerland had been behind them, like iphones or mobile devices, security would have had far less actual or perceived weight.
Most security professionals lack an understanding of the operational environment that they work within and they lack the ability to modify that environment even if they did.
Absolutely correct. The reverse is often true as well. Operations lacks understanding on security risks and countermeasures. Hell, most of the time they have no managerial pressure to be secure and every managerial pressure to just get shit done as quickly as possible (scarily the same pressures developers have; maybe more to the point, managers won't notice if security shortcuts are taken or rules wildly bent; hence our exploding role of auditors). This is why I personally feel (and I'm biased) that someone who can claim the roles of experienced security and experienced sys/netadmin are godly. Mix in some business sense, and you've got a closet (and probably quiet) rockstar in the back room.
Security must be operationalized, it must become part of the lifecycle of everything IT. This is the theme for 2011: Operationalizing Security.
I'd agree for the most part (even if I stray as these next few paragraphs develop). And this is exactly like baking in security during the dev lifecycle. It also shares the same problems. I also believe while this is necessary, it's still not the panacea approach either. "Security as an afterthought" will always be around, but we should be building security in at all stages and making sure that it is part of operations.
However, the real challenge is taking this *out* of just the backroom server operations, and making it a part of the business fabric. But that always adds costs, right? So maybe business will say that this doesn't make sense, why not save money by tacking on security after, and only when needed?
This is the fight that it ultimately boils down to. It's not about the differences in how geeks or even IT's overall approach technology and security. It's a business and cultural decision on the value of security. And I'm not going to hold my breath that this will get very deeply ingrained. Hell, far too many people don't physically secure their own homes, let alone cyber space, let alone in business. This will only be a slow burn over generations as they are born with and live with technology.
Business constantly puts me into this situation:
"We'd like to implement ABC."
"Well, you shouldn't do ABC because it is insecure, goes against policy, and is going to be a risk. This is bad news. In fact, no I won't do ABC for you. You should do it this other way, or maybe another way." (Often, the first two sentences are just my own thoughts or discussion in my team.)
"But *can* you do ABC if we asked you to?"
"Well, yes, technically I can do it. I technically can also make your passwords all be the number '3,' but that's stupid."
"Well, we need you to do ABC."
*facepalm* (What is needed is a security-minded person to champion my viewpoint on their [IT development] side of the fence, and then another on the business side. The art is getting all sides to come to the correct conclusion, and having experts enough everywhere to make those correct conclusions attainable.)
This is where business leaders need to step in and make decisions. It is also the place where expert-level knowledge of business, technology, and security needs to be in place. And that's insanely difficult, no matter how much we pray to the gods of IT/business alignment.
See? Now I've waded down far enough to find myself hip-deep in the quagmire. Go far enough in any direction, and you'll find it. Yes, more security needs to be operationalized, but let's not get too religious about it, since it also is not the ultimate answer.
by michael 11.19.10 at 9:21 AM in /general
Gunnar Peterson channels Hunter S. Thompson with a great little essay on "security."
I'd take this further and replace the person in the essay with "organization." The same will hold true.
There are two points to make if one wants to reduce the possible weight of this essay on "security" as we usually talk about it in the infosec world. Disclaimer: I'm being devil's advocate here, but I really do like the essay and in general agree with it.
First, persons can't avoid all risk, i.e. sit in a rut. Even if you're sitting in your rut, your identity may be stolen, your system trojaned, or your organization experiencing an attack of some measure. Thompson's security in the essay is more akin to an on or off situation, whereas information security today can't really be off. (Unless you have no assets and no data and no systems...). Hunter's position is that of either reaching out and grabbing for improvement (risk), or sitting back and doing nothing (no risk).
Second, and this is really silly and minor, but not every entity needs to strive for more. I may be upsetting economic science or business paradigms by saying it, but I don't believe every entity needs to always be improving. If I run a business that makes $500K a year for myself, I might be happily satisfied with that, no? This tackles Hunter's points in the last paragraph about defining happiness, really. Maybe an organization is just fine achieving a comfortable level of security by not pushing the technological envelope any more than they have already. Some may see this as a rut, but maybe they see that as having reached their goal?
by michael 11.22.10 at 11:20 AM in /general
Two things to take away from the Bejtlich post, "Stop Killing Innovation," plus one thing I'd add.
First, stop separating business and IT. This separation, even when done in the mind or as an understood implication based on culture and decisions and attitude, really has fundamental impact on the fabric of IT, and the people in it.
Second, stop causing IT to be risk averse. This kills innovation. This should be a fundamental management concept...or even psychological.
And my thing to add: this still comes back down to talented staff, just like I say about having good security. You don't get it from just education or tools, but rather good staff doing cool things.
by michael 11.23.10 at 3:58 PM in /general
I was posting a comment elsewhere when I worked myself up to this line:
It’s interesting that the TSA once had this image of security theater, i.e. the show of security just to make people feel better. But what happens when people aren’t feeling better?
[Right now, the TSA is sabotaging even their theater of security.]
I'm still of the opinion that all this ridiculousness comes from our American culture of lawsuits and general "blame someone"/entitlement/self-centered-me-me-me attitude. The TSA, in my guess, is going overboard to cover their own ass, because all it will take is one person to get through and blow up a plane and then everyone will want to sue. They're just trying to prevent everything, and that's just not going to happen.
I'll stop now. :) I'm cynical enough as it is, that I don't need to work myself into more of a lather!
by michael 11.23.10 at 4:24 PM in /general
ChrisJohnRiley presents prn-2-me, a tool to MITM print job submissions (no, not porn-2-me). Legitimate uses? Maybe log what people print out?
by michael 11.24.10 at 3:22 PM in /general
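To make the "log what people print out" idea concrete, here is an added example that is not prn-2-me and not ChrisJohnRiley's code: a small transparent proxy that sits between workstations and a raw-port printer (TCP 9100, JetDirect-style submission is an assumption), relays each job unchanged to the real printer, and logs who printed what by pulling the PJL job header and PostScript DSC comments out of the bytes it saw. The listen port, printer address, and the sample job at the bottom are constructed for the example.

```python
"""Transparent raw-port print proxy that logs job metadata.

Added example: relays client -> printer bytes untouched while keeping a copy,
then extracts PJL (@PJL JOB NAME / SET USERNAME / ENTER LANGUAGE) and
PostScript DSC (%%Title, %%Creator, %%For, %%Pages) fields from the copy.
Printer address and the sample job are assumptions / constructed data.
"""
import re
import socket
import sys
import threading

# PJL header fields: @PJL JOB NAME="...", @PJL SET JOBNAME="...", @PJL SET USERNAME="..."
PJL_FIELD = re.compile(
    rb'@PJL\s+(?:SET\s+)?(?:JOB\s+)?(NAME|JOBNAME|USERNAME)\s*=\s*"?([^"\r\n]*)', re.I)
PJL_LANG = re.compile(rb'@PJL\s+ENTER\s+LANGUAGE\s*=\s*(\w+)', re.I)
# PostScript Document Structuring Convention comments, one per line.
DSC_FIELD = re.compile(rb'^%%(Title|Creator|For|Pages):\s*(.*?)\s*$', re.M)


def extract_job_metadata(job):
    """Return a dict describing a captured print job (bytes in, metadata out)."""
    meta = {"bytes": len(job), "language": None}
    for m in PJL_FIELD.finditer(job):
        key = "username" if m.group(1).upper() == b"USERNAME" else "jobname"
        meta.setdefault(key, m.group(2).decode("latin-1"))  # first occurrence wins
    m = PJL_LANG.search(job)
    if m:
        meta["language"] = m.group(1).decode("ascii").lower()
    for m in DSC_FIELD.finditer(job):
        key = m.group(1).decode("ascii").lower()
        val = m.group(2).decode("latin-1").strip("()")  # PS strings are parenthesised
        meta[key] = int(val) if key == "pages" and val.isdigit() else val
    return meta


def pump(src, dst, sink=None):
    """Copy bytes src -> dst until EOF, optionally retaining a copy in sink."""
    try:
        while True:
            chunk = src.recv(65536)
            if not chunk:
                break
            if sink is not None:
                sink.extend(chunk)
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)  # propagate EOF so the far side finishes
        except OSError:
            pass


def serve(listen_port, printer_host, printer_port=9100, log=print):
    """Accept one job at a time, relay it to the real printer, log its metadata."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", listen_port))
    srv.listen()
    while True:
        client, peer = srv.accept()
        printer = socket.create_connection((printer_host, printer_port))
        job = bytearray()
        # Printer -> client direction (PJL INFO replies etc.) is relayed but not kept.
        threading.Thread(target=pump, args=(printer, client), daemon=True).start()
        pump(client, printer, job)  # returns once the client has sent the whole job
        log({"client": peer[0], **extract_job_metadata(bytes(job))})
        client.close()
        printer.close()


# Constructed sample: PJL wrapper around a PostScript job, as a Windows driver might emit.
SAMPLE_JOB = (
    b'\x1b%-12345X@PJL JOB NAME="Q4 payroll.xlsx"\r\n'
    b'@PJL SET USERNAME="alice"\r\n'
    b'@PJL ENTER LANGUAGE=POSTSCRIPT\r\n'
    b'%!PS-Adobe-3.0\n'
    b'%%Title: (Q4 payroll.xlsx)\n'
    b'%%Creator: (Microsoft Excel)\n'
    b'%%For: (alice)\n'
    b'%%Pages: 3\n'
    b'... page content ...\n'
    b'%%EOF\n'
    b'\x1b%-12345X@PJL EOJ\r\n\x1b%-12345X'
)

if __name__ == "__main__":
    if len(sys.argv) == 3:
        serve(int(sys.argv[1]), sys.argv[2])  # e.g. 9100 192.0.2.10 (assumed printer)
    else:
        print(extract_job_metadata(SAMPLE_JOB))
```

The defensive flip side is the same observation the tool makes: raw 9100 and LPD carry job names, usernames and document titles in the clear, so anyone who can get between a workstation and the printer (or simply answer to the printer's IP) sees them. The logging use is legitimate only if the proxy is the organization's own print path; otherwise this is exactly the MITM the post is talking about.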
(Looking back, I seem to have kind of vomited out a trail of thoughts in this post...pardon the ramble.)
We really have to live with certain things in security. Issues won't go away. And none of us will ever agree on what to do about it (get 10 security consultants in the same room, even some from the same firm, fill out a questionnaire, and you'll get 10 different strategies for security).
Brian Krebs does some great research and coverage (as usual...seriously, why aren't there more badass [real] security journalists like Brian??) of an escrow firm suing a bank because attackers made an "authorized" wire transfer out of the escrow firm's account.
This situation where business-owners have computer systems that get owned and then victimize their bank accounts isn't going to go away. Ignoring what the bank can do to help (multi-factor...), I both like and dislike Brian's suggestion:
The cheapest and probably most formidable approach involves the use of a free Live CD, a version of Linux that boots from a CD-Rom.
This is really good advice, but I would temper such advice with some caveats.
First, I'm a firm believer that, ultimately, an OS is only as secure as the person using it knows how to keep it secure. Way more people have a better chance with Windows than they do with Linux in knowing how to keep it secure.
Second, I wouldn't necessarily expect a Linux OS to always be compatible with (or supported by) whatever your financial institutions implement for their website or authentication scheme. In some cases, I suspect you won't be officially supported, and that could be a problem when push comes to shove.
Third, if you have any system issues (business owners are usually not computer experts), you'll have an easier (and cheaper) time trying to find some support for a Windows box than for your Linux livecd. This might depend on how much you intend to DIY and your aptitude for learning Linux...
Fourth, mention Linux and/or livecd and non-geeks will give a look that is worse than a blank stare: the "yeah-I-won't-ever-understand-that-and-thus-will-trust-it-less-I'll-say-I'll-look-into-it-but-really-do-nothing-because-I-don't-have-the-time" look.
I really, really like the idea of a dedicated netbook or system that is *only* turned on and used for financial operations or updates, but runs on Windows and is not necessarily of the Livecd or USB-operated flavor. Most people understand and take to Windows quite well, banking sites will support it and the popular browsers that run on it, support is usually easy, and so on.
Don't get me wrong, if a business is willing to go the Linux livecd route, that's definitely a worthy suggestion, but the reality gutcheck tells me to more often expect the dedicated Windows box to win out.
Really, smaller and even medium businesses are just screwed as a default bottomline reality. They're almost certainly running Windows with Internet Explorer and don't have any decent sort of web browsing filter. This means that over time, the line that indicates the odds of being infected approach 1 (that's math).
Businesses pretty much need some level of IT these days, as simply a necessary part of having a business, much like a telephone, payroll, accounting, desk/printer services, etc. Unfortunately, while everyone eventually does things like accounting in pretty much the same way (unless you're being dishonest, there are only so many ways you can manipulate numbers, that are acceptable to the government), your computer systems/IT have an infinite number of ways they can be creatively used and built. This is one big reason we get so much angst between business and IT, or the CFO and CTO, or the business and its insecurities. There's no "correct" way to do it, but rather subjective measures on what the effective ways to accomplish things are (to the business, a cable mess and fans in the server closet to keep 10-year-old servers from overheating is just as correct as a polished, professional data center...as long as they have their availability up and cost down).
by michael 11.26.10 at 12:40 PM in /general
Oh look, a user-supplied content vuln in Twitter! It's cute that Twitter attempts to validate the uploading of jpg files into a user profile, but not gif.
by michael 11.30.10 at 8:18 AM in /general
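The page does not say what Twitter's check actually did, so this is an added example rather than Twitter's code: the server-side validation an upload endpoint needs to apply uniformly to every image type it accepts, so that an attacker cannot simply pick the one format that is only checked by extension. The size limits, accepted formats and sample uploads are assumptions constructed for the example.

```python
"""Uniform server-side validation of an uploaded profile image.

Added example, not Twitter's code. Every accepted format goes through the same
checks: extension allow-list, magic bytes, Content-Type agreement, a scan for
markup that would turn the file into an HTML/script polyglot, and a header
dimension sanity check. Limits and sample data below are assumptions.
"""
import struct

# File signatures for the image types the endpoint accepts.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
}
# Extension -> canonical format; anything else is refused before looking at bytes.
EXTENSIONS = {"jpg": "jpeg", "jpeg": "jpeg", "gif": "gif", "png": "png"}
# Markers that can make a browser treat a valid image as active content
# (the classic GIF-with-HTML-in-a-comment polyglot).
ACTIVE_MARKERS = (b"<script", b"<html", b"<svg", b"<?xml", b"<iframe",
                  b"<object", b"javascript:")


def sniff_format(data):
    """Return the format implied by the leading bytes, or None if unrecognised."""
    for fmt, sigs in SIGNATURES.items():
        if data.startswith(sigs):  # bytes.startswith accepts a tuple of prefixes
            return fmt
    return None


def image_dimensions(fmt, data):
    """Parse width/height from the header; None when the format needs a marker walk."""
    if fmt == "gif" and len(data) >= 10:
        return struct.unpack("<HH", data[6:10])      # logical screen width/height
    if fmt == "png" and len(data) >= 24:
        return struct.unpack(">II", data[16:24])     # IHDR width/height
    return None  # JPEG dimensions live in a SOF marker; the byte cap still applies


def validate_upload(filename, content_type, data,
                    max_bytes=2 * 1024 * 1024, max_side=4096):
    """Return (accepted, detail); detail is the canonical format on success."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    declared = EXTENSIONS.get(ext)
    if declared is None:
        return False, "extension not allowed"
    if len(data) > max_bytes:
        return False, "file too large"
    actual = sniff_format(data)
    if actual is None:
        return False, "no recognised image signature"
    if actual != declared:
        return False, f"extension says {declared}, bytes say {actual}"
    if content_type != f"image/{actual}":
        return False, f"content-type {content_type} does not match {actual}"
    lowered = data.lower()
    if any(marker in lowered for marker in ACTIVE_MARKERS):
        return False, "embedded markup"
    dims = image_dimensions(actual, data)
    if dims and (0 in dims or max(dims) > max_side):
        return False, f"bad dimensions {dims}"
    return True, actual


if __name__ == "__main__":
    # Constructed uploads: a minimal GIF header, and the same header with HTML after it.
    tiny_gif = b"GIF89a\x01\x00\x01\x00" + b"\x00" * 10
    polyglot = b"GIF89a\x01\x00\x01\x00" + b"<script>alert(1)</script>"
    print(validate_upload("avatar.gif", "image/gif", tiny_gif))
    print(validate_upload("avatar.gif", "image/gif", polyglot))
```

Two practical notes. First, the markup scan is deliberately crude and will reject the rare binary image that happens to contain one of those byte strings; re-encoding the image server-side (which also strips metadata) is the more robust alternative. Second, validation alone is not enough: store the file under a server-generated name, serve it with the Content-Type you determined here and `X-Content-Type-Options: nosniff`, and preferably from a separate origin so a slipped-through polyglot cannot run in the site's context.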