.: April 2011 Archives


.: mobile device encryption article response
Today's article rant comes from ComputerWorld's article titled, "Failure to encrypt portable devices inexcusable, say analysts." The quote from the article is actually, "There really is no excuse for not encrypting laptops..." Portable devices versus laptops: in this world of smartphones and mobile devices, that's a *huge* distinction, especially since you're still being told, "good luck," when it comes to smartphone encryption (Droid Pro being an exception).

Also, it's annoying to see blanket statements about which security measures it is inexcusable to skip. What's actually inexcusable is for orgs not to do a risk analysis of their mobile devices and determine whether device encryption is going to be worth their time and money. It may not be.

But I do wonder if executives and managers are vastly naive about the sorts of data their employees are storing on laptops. Many such leaders have verbal expectations that sensitive data is protected and never placed on laptops, that their employees are smarter than that, and so on, but that's getting back to management by belief, which is a gamble you will eventually lose.

Sometimes it makes me wonder. We trust employees to make proper choices, but then we want employees to be innovative and get their tasks done and be creative. Those values can be just as at odds with each other as security and usability.
.: rsa comes out with more incident information, yay
Since I started the ball rolling, I guess I'll continue logging references to the recent RSA hack. Finally, RSA has started talking about the actual incident progression itself in a blog post. This is a great thing! I tweeted my thoughts, but I'll repost here for posterity.

1. Kudos for posting more information, and being detailed about it! I was a bit surprised, but I appreciate it.

2. Sadly, the blog post rambles. Remove the historical/contextual crap about APT. Remove the historical examples. Describe APT in another blog post, or in a separate section of the blog post. That way I can skip that useless crap and not feel like I need to skim it because what I want to read is interwoven with it.

3. There's no reason, so far, to even include the term "APT" in this post. APT is a reference to the ATTACKER. If you've not identified the attacker, you can't name them an APT. This would have simplified the entire blog post and focused it very nicely if no mention of APT had been made. There is plenty of time to do so if you need to, but later. Use attacker(s), hacker(s), cracker(s), whatever. It was just not useful to use APT right now, except to try and deflect any blame by tying it to some genius attacker(s) whom Google didn't even stop, blah blah blah. Let the mass media do that, not you.

4. I loved the start with mentioning your own internal CIRT and detection. I know it's a dig and sort of jerking yourself off to talk about your own products and response time when so many others don't detect this shit at all, but IT'S FUCKING TRUE! So, props for starting the conversation moving forward, though I'd still love to hear more details on the detection. So far, for all we know, this runs into the category of, "user reported 'weird' system issues, desktop support checked on it and thought things looked weird, found Poison Ivy, cue CIRT." That's not the same as, "CIRT notices FTP data egress, opens incident." One shows luck, the other security maturity. Still, great, great start to that discussion, and I hope to see more!

5. APT is not new. I really bristled in the few moments in the blog post where it was implied or outright stated that "APT" is new. APT is not new, in practice. Again, drop the APT crap for now. These attacks are not new. The existence of 0day is not new. SE is not new. Yes, they may be on the rise and increasing in use and exposure, but that's not new. If you're in security, you hate those moments in blog posts like this. It's awkward, it makes you feel like the author is a newbie (or so far removed that this stuff *is* new to him), and it detracts from the usefulness. You're not a special snowflake, but no one is saying your baby is ugly. Stop being defensive up front. That's for PR drones and legal vultures.

Lots of people are whining and complaining and throwing stones at RSA, and I think justifiably so, but only on the basis that they've been unforthcoming in answering my two basic questions:

1. As a customer, tell me enough about how this impacts me so that I can manage my risk and talk intelligently to my boss. RSA is still failing at this, and the failure is twofold: by not telling me anything useful, they're also allowing rumors to run rampant, which are damaging to them and to me.

2. As a security geek, tell me enough to understand the progression of the attack: how the attackers worked, moved around, egressed data, and how they were found, handled, investigated. Both the good and the bad. Lessons, people!

For lots of other people who complain, I wonder if they're just doing so to complain. Are there any conditions that would appease your complaints that RSA can meet? If not, then shut up and stop wasting your time and energy.
.: biggest lesson from rsa: security really is hard
The RSA breach details will spark discussion and armchair quarterbacking for years, that's a given. But I can at least pile on a little bit more here and there, yeah? The SANS ISC weighed in on some of the RSA details, and I wanted to pull out small bits to tackle briefly. Here's what I consider the prefacing assertion:
There are just too many ways to circumvent the perimeter, spear phishing being just one.
1. "The thing is I don't think this new paradigm is so new. Many have been advocating for years moving the prevention and detection closer to the data." - We wouldn't be *quite* (important word!) as concerned about the circumvention of the perimeter if we didn't have such awfully porous technologies sitting on the desktops. Yes, you, web browsers and attending tech (Flash), Adobe, and Office. You've all become too bloated to be secured anymore, and it's your own damn fault. Just think if these were much better secured by default. We'd have fewer updates, which should make keeping desktops updated more manageable. (Some may argue that others will just take over the role, and perhaps that is the inevitable result...but you can't ignore that this porous software is making things worse. The insecurity of the interior is making the security of the perimeter worse. If you improve the middle, the perimeter is better valued...from a certain perspective.)

2. "There are a lot of approaches that can be used here, but in my mind it begins with segregating servers from the desktop LAN and controlling access to these protected enclaves as thoroughly or better as we do our perimeters today." - This is one area where the "cloud" is actually useful; it moves data away from these workstations...sort of. One could still argue that access is access, whether you have 3 firewalls or 0 between them. But any push to get users better segregated from servers, when so many are in a shared network by default, is a good thing. If nothing else, this can push better documentation of data flow needs. This should also include better egress controls...yeah, I'm looking at you, FTP exfiltration. (Of course, lock that down, and even more people/devs will just use 80/443 more...)

3. "It means classifying your data and installing protection and detection technologies appropriate to the sensitivity of the data." - I imagine the most common way of classifying data in an SMB is saying it's all secret. Classifying data is great and makes a lot of sense, until you get into the reality of *gasp* actually doing it. This is where the CISSP hits the road and suffers the knee and elbow scrapes.

4. "It means installing and tuning Data Loss Prevention (DLP) technologies to detect when your sensitive data is leaving your company." - Just don't fall into these three traps with DLP: First, don't expect to plug it in, do a few hours of tuning, and then forget about it. It'll need ongoing love. You will have false positives and small incidents constantly, or it's not tight enough. Second, don't think you can tackle DLP without first coming to terms with data classification, or at least doing *something* to identify your data and flows. Third, don't think that DLP will block/detect everything. Does it interrogate 443? Should it? And so on...

5. "It means instrumenting company LANs and WANs so a network baseline can be determined and deviations from this baseline be detected and investigated" - This is another idea I find compelling, but the cloud isn't helping, nor are consumerland technologies that just spray garbage into your baselines and everyday traffic patterns. Still, if someone FTPs a large amount of data to an external source you've not seen before, you really want to know that happened. But again, this is just a part of a blended network security posture and not something to even do until you have a maturing security team/process.
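To make the baseline point (and the "CIRT notices FTP data egress" bar from the RSA post above) concrete, here is an added example, not code from this blog or the ISC diary, that learns per-host egress behavior from a training window of flow records and alerts on the review window. The flow records are constructed inline (documentation IP ranges, invented hosts); the field layout, the 7-day/1-day split and the size factor are assumptions, and real input would be NetFlow/sFlow exports or firewall logs. The rule deliberately does not alert on a new destination by itself, because consumer and cloud junk creates new destinations daily; it wants a never-seen destination *plus* a transfer far outside the host's norm, or FTP at all, which also catches the "fine, I'll use 443 instead" case by size.

```python
"""Egress baseline with deviation alerts over constructed flow records.

Added example, not code from the original post or the ISC diary it quotes.
Assumed record layout: (day, src_host, dst_ip, dst_port, bytes_out).
Days 1-7 are the learning window, day 8 is the window under review.
"""
from statistics import median

# Constructed sample flows (documentation IP ranges, not real traffic).
FLOWS = [
    # days 1-7: two workstations doing ordinary web and mail traffic
    *[(d, "ws-042", "192.0.2.10", 443, 25_000 + 100 * d) for d in range(1, 8)],
    *[(d, "ws-042", "198.51.100.25", 25, 8_000) for d in range(1, 8)],
    *[(d, "ws-017", "192.0.2.10", 443, 40_000) for d in range(1, 8)],
    # day 8: the window under review
    (8, "ws-042", "192.0.2.10", 443, 26_000),          # same as always
    (8, "ws-042", "203.0.113.77", 21, 850_000_000),    # never-seen host, FTP, 850 MB
    (8, "ws-017", "198.51.100.25", 25, 9_000),         # new to this host, but tiny
    (8, "ws-017", "203.0.113.77", 443, 120_000_000),   # never-seen host, 120 MB over 443
]

TRAIN_DAYS = set(range(1, 8))
REVIEW_DAYS = {8}


def build_baseline(flows, train_days):
    """Per source host: destinations seen during training and the median
    bytes per outbound flow. Median rather than mean so one big, legitimate
    upload during training does not drag the threshold up."""
    dests, sizes = {}, {}
    for day, src, dst, _port, nbytes in flows:
        if day not in train_days:
            continue
        dests.setdefault(src, set()).add(dst)
        sizes.setdefault(src, []).append(nbytes)
    return {src: {"dests": dests[src], "median_bytes": median(sizes[src])}
            for src in dests}


def find_deviations(flows, baseline, review_days, size_factor=50):
    """Alert on review-window flows that (a) use FTP at all, or (b) go to a
    destination the host has never contacted AND move more than size_factor
    times that host's median flow. A new destination alone is not an alert."""
    alerts = []
    for day, src, dst, port, nbytes in flows:
        if day not in review_days:
            continue
        reasons = []
        if port == 21:
            reasons.append("ftp egress")
        base = baseline.get(src)
        if base is None:
            reasons.append("host has no baseline")
        elif dst not in base["dests"] and nbytes > size_factor * base["median_bytes"]:
            reasons.append("new destination + oversized transfer")
        if reasons:
            alerts.append({"src": src, "dst": dst, "port": port,
                           "bytes": nbytes, "reasons": reasons})
    return alerts


def run():
    """Build the baseline from the training window and review day 8."""
    baseline = build_baseline(FLOWS, TRAIN_DAYS)
    return find_deviations(FLOWS, baseline, REVIEW_DAYS)


if __name__ == "__main__":
    for a in run():
        print(f"{a['src']} -> {a['dst']}:{a['port']} {a['bytes']:,} bytes: "
              f"{', '.join(a['reasons'])}")
```

On the constructed data this raises two alerts: the 850 MB FTP session from ws-042 (both rules) and the 120 MB HTTPS transfer from ws-017 to the same never-seen host (size rule only); the small SMTP flow to a new destination stays quiet. The size factor is the tuning knob the post warns about: too low and consumerland noise buries you, too high and a patient attacker trickling data under the median never trips it.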

The end result of all of this is: SECURITY IS HARD. And it's only getting harder.
.: when disabling terminated accounts is not enough
Last year Gucci had some drama in their networks as a former employee wreaked some havoc in their systems after being terminated. This brief from the New York DA's office goes over the quick details.

What I find interesting is that Yin had enough rights to make himself a fake employee account before the fact, and then used that fake account to remotely connect to the network and do his thing. Being able to track and stop that sort of thing is definitely a step up from the obvious recommendation to disable/audit terminated employee accounts.

You need to track changes and map those changes to valid requests.
You need to regularly audit accounts to make sure they're needed and legit. (ask their boss?)
You need to audit VPN access to make sure the users are allowed.
You need to catch any weird VPN setups, like a regular user mapped to servers or a service account appearing in the list.
You need to audit any users who aren't locked into certain targets for VPN access (i.e. their existing desktop or a virtual system).
You need to educate help desk persons on SE and procedures/challenge-backs.
You need to monitor and audit VPN logs on access/activity.
You need to regularly change service account passwords (those can be usurped too!).
You need to regularly audit any account with elevated privs (domain admins!).
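Most of that list reduces to joining data sources that nobody joins: the directory's account dump, the change tickets, HR's roster and the VPN logs. Here is an added example, not code from this post or anything out of the DA's brief, that runs those joins over constructed sample data. Every account, ticket, host and person in it is invented, and the record layouts (a `ticket` field on each account, a per-user set of permitted VPN targets) are assumptions; in practice you'd pull these from the directory, the ticketing system, HR and the VPN concentrator.

```python
"""Account-lifecycle audit checks over constructed data.

Added example, not from the original post. Assumed inputs: a directory
dump with the change ticket each account was created under, the ticketing
system's view of what each approved ticket asked for, HR's roster, the VPN
log, each user's permitted VPN targets, and the privileged-group members.
"""

# --- constructed sample data (all names invented) ---------------------------
HR_ROSTER = {"alice", "bob", "carol"}  # currently employed, per HR

ACCOUNTS = [  # directory dump
    {"name": "alice",      "type": "user",    "created_by": "it.admin1", "ticket": "CHG-1001"},
    {"name": "bob",        "type": "user",    "created_by": "it.admin1", "ticket": "CHG-1002"},
    {"name": "carol",      "type": "user",    "created_by": "it.admin2", "ticket": "CHG-1003"},
    {"name": "dmiller",    "type": "user",    "created_by": "it.admin1", "ticket": "CHG-1002"},  # borrows bob's ticket
    {"name": "svc_backup", "type": "service", "created_by": "it.admin2", "ticket": "CHG-1004"},
    {"name": "svc_rpt2",   "type": "service", "created_by": "it.admin1", "ticket": None},        # no ticket at all
]

APPROVED_TICKETS = {  # ticket id -> the account that request actually asked for
    "CHG-1001": "alice", "CHG-1002": "bob", "CHG-1003": "carol", "CHG-1004": "svc_backup",
}

VPN_LOG = [  # who logged in over VPN and what they connected to
    {"user": "alice",    "target": "alice-desktop"},
    {"user": "bob",      "target": "bob-desktop"},
    {"user": "dmiller",  "target": "fileserver01"},
    {"user": "svc_rpt2", "target": "fileserver01"},
    {"user": "carol",    "target": "carol-desktop"},
    {"user": "carol",    "target": "dc01"},
]

VPN_ALLOWED_TARGETS = {  # what each user is supposed to reach over VPN
    "alice": {"alice-desktop"}, "bob": {"bob-desktop"}, "carol": {"carol-desktop"},
}

DOMAIN_ADMINS = {"it.admin1", "it.admin2", "dmiller"}
APPROVED_ADMINS = {"it.admin1", "it.admin2"}


def unrequested_accounts(accounts, tickets):
    """Accounts whose creation has no approved request asking for *that*
    account. Catches 'no ticket' and 'ticket borrowed from another request'."""
    return [a["name"] for a in accounts if tickets.get(a["ticket"]) != a["name"]]


def phantom_employees(accounts, roster):
    """User accounts with no HR record: the fake-employee pattern."""
    return [a["name"] for a in accounts
            if a["type"] == "user" and a["name"] not in roster]


def suspicious_vpn_logins(vpn_log, accounts, allowed_targets):
    """Flag VPN logins by service accounts, by users with no target
    assignment at all, or to targets outside the user's permitted set."""
    service = {a["name"] for a in accounts if a["type"] == "service"}
    flagged = []
    for event in vpn_log:
        user, target = event["user"], event["target"]
        if user in service:
            flagged.append((user, target, "service account over VPN"))
        elif user not in allowed_targets:
            flagged.append((user, target, "no VPN target assignment"))
        elif target not in allowed_targets[user]:
            flagged.append((user, target, "target outside assigned set"))
    return flagged


def unapproved_privileged(members, approved):
    """Privileged-group members nobody signed off on."""
    return sorted(members - approved)


def run_audit():
    return {
        "unrequested": unrequested_accounts(ACCOUNTS, APPROVED_TICKETS),
        "phantom": phantom_employees(ACCOUNTS, HR_ROSTER),
        "vpn": suspicious_vpn_logins(VPN_LOG, ACCOUNTS, VPN_ALLOWED_TARGETS),
        "privileged": unapproved_privileged(DOMAIN_ADMINS, APPROVED_ADMINS),
    }


if __name__ == "__main__":
    for check, findings in run_audit().items():
        print(f"{check}: {findings}")
```

Run on the sample data, the phantom "dmiller" account shows up three separate ways (created under somebody else's ticket, unknown to HR, and sitting in Domain Admins), which is the point: one control missing is survivable, all of them missing is how a fired admin walks back in. The VPN check also catches "carol" reaching a domain controller from a user account and a service account logging in interactively, neither of which "disable terminated accounts" would ever see.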

As a privileged person, myself, sitting back and wondering at all the ways I can sneak in a fake account to pose as a fake person in the absence of my normal access is quite intriguing. Definitely don't forget that I have the ability to create service-type accounts in addition to regular users, or have access to service-level passwords!
.: powershell kung fu
I don't keep up with some blogs like I used to. So it has come as a pleasant surprise to me to see the rather busy Command Line Kung Fu blog has (yes, over a year ago!) added a PowerShell section to their little challenges. Well, shit! :) If you work with Windows at all as a server dude or even in security, it would behoove you to be familiar with PowerShell.
.: my free time: eaglets and wow and android
A bit of a personal update, since I'm avoiding work on a beautiful Friday... Much of my free time has been devoted to really three major areas recently.

First, this cam watching the nest of a pair of bald eagles and their 3 newly-hatched eaglets is absolutely fascinating. I am a closet naturalist (my first major in college was Environmental Studies until I realized that has more to do with water dynamics and even engineering than biology and ecology...) and love me things like this. The eaglets are still tiny and awfully adorable, all 3 having hatched over the last week and a half. Oh, and they're in Iowa.

Second, I've recently, FINALLY, bought into the smartphone market (and android market and e-book reader market...) with my HTC Thunderbolt on Verizon as well as my Nook Color which I have rooted to allow the installation of market apps and such. The phone is really cool and fills some gaps in my ability to be connected and use things away from a desk. Laptops are great, but admittedly bulky and so 2002. Netbooks are fine, but for being just a little bit too bulky, they end up having far less power than I hope. Even with proper expectations and usage, netbooks just feel weak (I personally believe it is the bloated and needs-rebuilt-badly OS on top of them). I just found I didn't use the Netbook much. But, the Nook Color is one of the best things I've bought in some time and am completely happy with it; I'm pleasantly happy reading books on it as well.

Third, I still play WoW, and I still don't raid. I just level up my toons, run instances, gear up, and do heroics until I'm satisfied. Basically, for a casual player like me, my characters are done when they can run through all the heroic 5-man content without too much problem.

My healers are an 85 shaman and an 85 aa/disc priest. I really absolutely love the heal role, but since they've both done all the heroics with no issues anymore, I don't play them much. I have done holy and that's fine, but I really like the mechanic of the smite/shield focus for the aa/disc priest. No, I don't get excited about the dps; I rather just like the amount of busy-ness it affords and how it sets up everything else and has good mana-management. The shaman is a busier healer (especially when using lightning bolts to regen mana), but I feel the priest is the easier one.

My tanks are an 85 warrior, 81 death knight, and 39 druid. The warrior was a surprise for me; an old bank toon, I got bored waiting for Cata so leveled him up almost exclusively tanking instances from level 24 up. He's only done 2 heroics, but I've also only ever tried 2 heroics on him. Surprisingly, I found him fun and somewhat easy. Just last weekend I started in on the death knight and am only now getting my head wrapped around blood tanking. Other than having issues getting AoE threat with out-of-control PUG DPSers, it's been an experiment. My Bear tank is my original worgen whom I am leveling up with a friend, and has gotten behind as our schedules haven't matched up lately. Eventually the druid will also dual-spec as a healer, just so I can see what rolling hots is like on a druid.

My sole dps toon is my original toon, an 85 warlock. Even with all the changes in Cata, my affliction warlock still plays roughly the same as he always has, which has caused me to get bored pretty quickly with him once I hit 85. I've not taken him into a heroic yet, since I'm not even geared for one...plus he's still only teasing 7-8k dps, which is my personal cutoff for being able to be successful in a heroic (7k dps or higher).
.: ssl certs: just enough security?
Via Twitter (@jaysonstreet) I opened up an article by Dan Goodin (TheRegister) with the sensational title, "How is SSL hopelessly broken? Let us count the ways ". This just begs comment.

1. It's still a human problem. I'm not sure I would go so far as to call SSL hopelessly broken. Then again, I'm not writing a story aimed to be sensational and gain views. What we have here is the age-old problem of human involvement in a well-meaning system. All of the weaknesses presented in the article center around poor implementations, user convenience (which strangely is not what EV SSL changes did), and a drive for profits in the CA industry. All of these are not a problem for SSL to solve, but rather for groups of people to solve and make better choices. Good luck with that.

We often get wrapped up saying security is a human problem by beating "users" over the head, and maybe even including administrator mistakes. But implementation decisions and poor oversight are just as much a human problem as a user who opens every Adobe email attachment they receive.

2. Silly questions. Should browsers not trust every CA root cert (and probably give errors by default, which will suck)? Should CAs do far more to only issue truly valid certs (and pass that cost to whom exactly)? Should CAs beef up their OCSP infrastructure (and cause my corporate software to make even more strange call-outs to unexpected places) so that it can be made a critical path for trust (even when 99% of the certs probably won't be revoked)?

I don't think there are easy answers and maybe not even any answers for these questions. So maybe this does say that SSL is hopelessly broken. But would *any* alternative ever be better? Money, convenience, and profits will always beat up against security, so I'm not sure. It's still an implementation/human issue. Should CAs be held accountable? I don't like that approach, but I don't really have a good argument off the tip of my fingers for why...

3. Identity. I've been reading some Gunnar Peterson lately, and I've seen him talk about identity-based security being the future (or now). I don't completely follow or understand that yet, but I can see that SSL infrastructure has the same problem.

4. Strange article points. Don't get me wrong, this article is necessary and good, but it does have some absolutely strange moments. The comparison of CAs to CitiGroup and AIG is just bizarre and nonsensical. The implication that browser-makers should play traffic/moral cop with which CA roots to include in their browsers is dumb (especially when the example of Google/China/CNNIC is doubly based on rumors). The article also focused way too much on the recent Comodo affair, for no real benefit to the central hypothesis.

And one missed point about poor certificate issuance: the predictable PRNG in OpenSSL, which I believe some CAs were using. I can't find a reference for the CA angle, though, only for the OpenSSL weakness in general.

But this begs the question of just how much attacking should CAs do to themselves in order to prove their adequacy? I've grown more sympathetic to the realistic approach that you do what you can, but you *have* to set yourself up to detect and respond and fix any issues someone else finds in the future. If you wait until you've achieved perfect security, your product/company will fail.

Yeah, that sounds a lot like, "Just Enough Security."
.: aftermarket notes on the nook color
Just recording some notes on my Nook Color here. For starters, the Nook Color can be easily rooted by heading over to NookDevs.com. The process (I did an AutoNooter rooting, which leaves the original software intact rather than fully replacing it with Android Froyo/2.3/Honeycomb...) is straightforward once you start doing it. In fact, the hardest part is simply getting the microsd card inserted into the awkward slot in the corner of the Nook. Other tricky parts include making sure you have a Google account on hand as well as an open (or easily-connected-to) wireless network for the device setup. You won't have a chance to get the MAC address during setup, so if you use MAC whitelisting, be sure to harvest that item first.

Whenever rooting a device, there is usually that risk of turning it into a brick, but with the Nook Color there is very little risk since you can factory reset the device, including the original software. Basically, why wouldn't you give it a try?! I personally used the AutoNooter tool so that I can still at least have the default software running, but with the extra capabilities of installing apps from the Android Market, and beyond.

Also read this post (or this original location) that goes through the initial process, but also details some great "next steps" to do after rooting the Nook Color. Specifically, follow the suggestions for SoftKeys and Advanced Task Killer so you can refresh the installed apps list (Extras) without a full reboot. Since this post is hosted on a public education site, I'll be quoting portions of it below for my own future reference in case the original goes away. That link also reminded me that I can play movie files on the tablet, and includes some suggested settings in Handbrake to encode files in playable format. Score!

Lastly, I've been trying out some of the games on the android market. While I find app games to be pretty and kinda fun to control with touch, none have really been nearly as solid or exciting as games I've been able to get on various dedicated gaming consoles or handhelds. Yes, Angry Birds is addicting, but it's not a fulfilling game for a hardcore gamer; I'd even prefer to fire up SMB3 or FF1 all over again. So I've gone ahead and installed Nesoid, SNESoid, and Gameboid, to start out. Pair this up with all my ROMs on the microsd card I leave in the Nook, and I've now got a nostalgic and gorgeous handheld gaming system to play 'golden age' games! The touchscreen controls take time to get used to, and just won't ever feel good in some games, but most of the time that is forgivable. Now to just get a controller and stand...

(Aside: The Nook Color comes with an unused Bluetooth radio, so it does have the potential to be enabled and start attaching Bluetooth controllers! That would also enable the use of microphones/headsets...)

Video conversion for Nook Color (to unprotect DVDs or rip them local, I use AnyDVD):
[paragraph formatting has been removed for space] The trick with Handbrake is figuring out what settings are best for a particular device. Lucky for you I've already done this for the Nook Color. Note that Handbrake will not convert any videos that you have purchased on iTunes, as these are copy protected and only work with Apple devices. When using Handbrake to encode video from a DVD or other (un-protected) video file, set Handbrake up as follows: On the main page, set the Video Codec to "MPEG-4", check the "2-pass encoding" box, and set the "Average bitrate" to "1000", as you see below: Next, click on "Audio" and set the first track to a bitrate of "128", then disable any other tracks you see: Finally, click the "Picture" button and set the width to "512" (the height will adjust automatically).
Fixing Extras (because it won't refresh and list newly installed apps until you reboot...or do this!):
If you decide to install Advanced Task Killer, you'll need to change a few settings to get it to do what we want. Once installed, launch Advanced Task Killer, then tap the menu button, followed by Settings. Scroll the page up and tap "Security Level", then set to "Low". I also uncheck "Show Notification" because I don't like having an advanced task killer icon in my notification bar, but that's up to you. Press the back button twice to close Advanced Task Killer, then re-open it. You should now be able to see com.bn.nook.applauncher in the app list. Hold your finger on com.bn.nook.applauncher and select "Kill" from the menu that appears. The next time you open Extras, it will reload the launcher and refresh the list.
.: jim klein on innovation
In my last post I linked to a Nook Color-rooting article on an education site. Intrigued by this (sit back a moment and think how exciting tablets are for educators!), I checked out the author's blog and found this awesome post about innovation. He made several points:

1. Innovators put little stock in criticism from the mainstream (example: iPod)
2. Innovators see opportunities in both the "old" and the "new" (example: Web 2.0 + Javascript)
3. Innovators embrace resource constraints (example: WWII German jet-turbine engines)
4. Innovators jump curves (example: ice farmers vs ice factories vs refrigerators)
5. Innovators don't pretend to know the outcome (example: Friendster vs users)
6. Innovators aren't afraid of failure, and are quick to let go (quote: Walt Disney)
.: nook color to get android 2.2 update
I would be remiss to encourage rooting a Nook Color without making mention that Barnes & Noble has been planning on rolling out updates to the device that actually include Android 2.2. The only thing that may doom this in my mind is if B&N wants to lock people into their app store apps or some captive portal or something, which would be a travesty. This is an awesome tablet and device, and I would hope they embrace the creative ways people are consuming it rather than stifle it.

I even have a second Nook Color just to test out these updates on a non-rooted device. The worst thing about being a tinkerer with systems is that I eventually start to hate rebuilding something I broke. It's one thing to make your main system a strange operating system, but you eventually take less risks with it because you don't want to fuck up your main system, yeah? Well, at least *I* have that hang-up. So I like having a backup plan in place where I have other VMs or spare systems to do my dirty work on.
.: an online comparison: suricata vs snort
Looking for a comparison between Suricata and Snort? I wasn't either, but someone did it and posted the results online. While I'm not surprised by the results, I really wanted to link to this comparison mostly because of the way you can click around in the report and see various tidbits like what specific payloads they sent and other test cases. While this isn't absolutely detailed and recreatable (take for instance all the client side attacks), this still should give anyone some idea on what to do to test your own IPS/IDS implementations, whether you're an admin setting up a sensor or even an auditor who needs to do some deeper verification that an IDS/IPS is performing as expected over a particular traffic segment.

By the way, if you haven't before, feel free to browse around the site topics at the top and drill down to some useful how-to's and sort-of-tutorials on various tools and techniques in security and pen-testing.
.: suricata plus snorby equals smooth-sec
Speaking of Suricata, here is a distribution iso for Smooth-Sec, which is a Suricata + Snorby build on top of Ubuntu 10.04. I have not tried this, so I can't attest to how easy it is to install or get ready, but it sounds like a promising IDS/IPS setup, even though the wiki (documentation?) is behind a sourceforge registration-wall. The wiki is here!
.: clubhack 15 available
ClubHack Issue 15 [pdf] has been released. This publication has several articles:

Mozilla Firefox Internals & Attack Strategies [interesting...could benefit from a video demo!]
FireCAT [good to spark interest]
Being Invisible on the Internet [poorly scoped, not useful]
The Information Technology Rules [interesting at least]
Configuring Apache SSL [decent instructions]
MATRIUX VIBHAG Introduction Part 2 [not sure what this is]

.: moxie on ssl authenticity and trust agility
A couple days ago I posted a reaction to the "SSL is Broken" topic floating around. Via Securosis I was pointed to a much better article directly from the mouth of an expert: SSL And The Future Of Authenticity by Moxie Marlinspike.

Rather than go all sensational and say something like, "SSL is broken," Moxie digs much deeper and smarter by tackling the specific problems with SSL, namely authenticity and "trust agility."

I look forward to Moxie's future posts on proposed solutions. I agree with his sentiments, and I firmly agree with his reservations about tossing away CAs for a kneejerk replacement that may not be better and may in fact be worse!

This illustrates part of my point in my post: it is hard to patch an ultimately human problem. And I still really think that trust in a human-backed entity is inherently going to be a problem unless they have the ethics of the Supreme Court or something. And globally, that will never be possible. This is why I'll sympathize with the idea there are issues with SSL, but it might just be "good enough."

[struck a really offtopic rant about complaining, thinking several plays ahead, and ultimately "just enough security" being ok, i.e. there *are* shades of grey...none of which was ever worth reading and so unformulated...]

To briefly put on my tinfoil hat, it might be worthwhile to say something like, "Let's just get perfect, universal encryption for everything." But never, ever, ever underestimate the desire for governments (and on smaller scales, corporate entities) to have the ability to intercept and inspect. Ever. China and other countries may make the news with their heavy-handedness, but don't think for a moment that govs like the US don't do many of the same things, only in more secrecy.
.: 2011 verizon dbir released
The 2011 Verizon Data Breach Investigation Report (DBIR) has been released. I would say it seems like just a few months ago the last one came out... I always post some comments after consuming the report, so I'm sure I'll do so again in the coming days.
.: we need deeper knowledge, and it ain't easy
I was listening to pauldotcom 236 last night and Bugbear had a great point that I wanted to tackle. I've combined two quotes into one:
...in order to catch up with attackers, we're going to have to understand our information systems better so that we can detect, triage, and deal when we do get compromised, because it's only a matter of time. And that does not include clicking on a management console somewhere.
I wholeheartedly agree with this. As defenders and even as *effective* attackers, the knowledge has to get deeper. I would also add that this understanding also does not include just having good inventory and documentation; we're talking real, expert/working-level knowledge.

Sadly, I wanted to tackle this idea not to preach to the choir, but just to play devil's advocate and not try to make it sound like once you accept this idea, your head is in the clouds where puppies and kitties frolic amongst forests of candy canes and pastures of Skittles. Instead, there's a heck of a lot of pressure that keeps us from being the experts we need to be in order to do security well.

1. Technology moves on - Lifelong learning is a mantra in security; duh. But there does need to be acknowledgement that even if you devote the time to learn something deeply, someday you'll start the whole process over when your knowledge is obsolete and needs updated. Once you understand A, we'll have B, C, and D beating down our doors. Security is one area where you need to have deep knowledge on things past as well as what's coming tomorrow. That's a tough job, and it's ego-sapping. You can't come in with an ego and expect someone to help you. We're constantly wisened adults and learning infants at the same time.

2. Know your security tools as well - Deep knowledge on your own systems? Check. Deep knowledge on your security tools? Wait, what? As full-disclosure recently demonstrated, even security tools have issues. Could *you* have seen that Pangolin reported back to a mothership? The security community is just as interested as any in punking its own, and who better to pwn than the guys with the vuln reports, admin access, risk analyses?

3. Security dashboards don't [always] help us - My one biggest issue with security suites and large management tools is the same interface that allows management of an enterprise-wide array of data/systems/information is the same interface that steals away our ability to be agile, hands-on, and expert with the underlying roles it serves. If you rely on a tool to do your nmap scans, you'll lose the ability to do your own nmap scans without the tool. Layer such management tools on top of other management tools on top of other layers, and pretty soon security analysts can only work on those monolithic management dashboards and can't do crap on the command line, hands-on. That's not to say you should know how to write an AV detector rather than buy an AV suite, but you do need to be functional underneath the tool if need be. Low-level skills are important, like those found in forensics or coding or traffic analysis or reading your own damn logs, etc.

4. Experts at everything - Yeah, as if it didn't suck enough all the technical things to know, we should also be aware of interpersonal social skills, both from an attacker perspective (SE) to inner political workings of a business. And the business processes, risks, and goals. Granted, this is why we make various levels in security, from technical analysts to risk managers, but still we're far too few to rely on that stratification. We need to field questions and give actionable answers on a variety of topics including mobile security, virtualization and cloud, malware, espionage, physical theft, C++ code, .NET code, scripting, encryption cipher strengths, traffic captures, VOIP and VLANs, CCTV/IP cameras... Ever try to BS developers on security practices? :) Ever get asked to prove that something is a risk or that the risk is more costly than the fix?

5. You don't know enough - You know the saying, "There's always someone better than you." That's true with knowledge as well; none of us will know everything about something. There will always be places to learn more, tricks to practice, technical talks to attend that don't just speak obvious unhelpful generalities like, "security sucks."
.: security analogy attempts
You're a firefighter in a burning building, but you're not supposed to put out all the fires; the fires are just part of the environment. Instead, you're just there to make sure it doesn't turn into the Towering Inferno.

You're the chaperone for an outing at the bowling alley for 8-year-olds. Your job is not to teach them how to bowl, but rather to keep things fun, so you have the gutters stuffed with pads so they can successfully toss the ball down the lane for some scores.
.: my one (almost) "told ya so" amazon rant
Way too many people have run around all crazy about the recent Amazon cloud outage that left various companies and persons high and dry for a period of time. I won't belabor the topic further except to point out two links.

First, this wonderful forum thread that claims patient lives are at risk with the outage. Talk about fail; sort of a laughing while facepalming issue. Be thankful your business (probably) doesn't actually have lives depending on it...

At the end of that thread is a link to a blog post that essentially reasons that all of this is Amazon's fault.

I wouldn't presume to say Amazon, in this case, may have overpromised or even misled people; and they may have just flat out fucked up.

But, so what? Does that mean your customers nod and say, "That's ok?" Does that mean you get back the revenue you lost? Maybe a refund? Does that mean your boss isn't going to throw your ass under the bus when shit hits the fan? When he asks for a status, you just point over to the Amazon support number and say, "They're working on it?"

If I give you a promise and I fail to deliver, what the fuck are you going to do? Sure, we may be talking contracts and actual damages and, worst case, tort law, but do you really think that's going to help? What if the court says, "Hey, why didn't you have a backup plan?" Or what if I skip town? What if the event is so catastrophic that your provider collapses and goes bankrupt? You really *can't* rely on something like that to help you out. While you shake it through the courts, your business might be done; or your job.

I dunno. Maybe it's the operations guy in me who knows that outages occur and they occur for an infinite number of reasons. And the less money you spend the more you get.

Lastly, if Amazon fucked up and didn't do something right, do you really think some other provider (not named Akamai, let's say) will be less error-prone? Really? At least Amazon now probably has one less issue to ever deal with, right? They *did* just gain valuable experience.

As the blog post says, choose your provider carefully. Oh, and this issue somehow makes it easier to choose a provider? Or give any further insight that cannot be gotten by common sense? Or insight that goes beyond the magic curtain the provider puts up in exchange for managing your infrastructure for you? No. Saying that is like having a Toyota recall and then glibly telling your Toyota-driving friend he should have picked his car better. The proper feeling in response to that is, "Ass."
.: the tracking has only just started
NCircle has a nifty article up about the dangers of what installed [mobile] apps know and access about you, whether they tell you or not.

This isn't new, apps do what they want when you install them; always. What *is* new is how we now have this device with us everywhere we go; we put in social contacts, search, and use geolocation...constantly. That wealth of knowledge makes even *me* salivate...and I'm not even into advertising!!

Thought I'd repost this blurb I made recently in a HardOCP forum thread on the topic:
Besides, no one with a smartphone with Google/3rd party/provider geolocation services enabled should even begin to be worried about ISP/IP tracking. You're already in far, far deeper with location tracking and delivered ads. Or if you don't remain anonymous while using something like Google search. They're already doing generic ISP location; I can't search for many things without Google appending my city name to the back of it.

And no, people just accept it, and will let their privacy slowly erode. If it's wrapped around an Angry Birds app, you've already lost the battle. If it's a free search engine that you use while logged into your free email account which also houses your RSS feeds and IM/VOIP friend lists as well as a free DNS provider (tracks when you query) and free browser (that won't let you globally disable scripting), all of which is also tied by account to your smartphone with a geolocation service...

...all from the same company*...you've already lost.

* Throw in things like Facebook and Twitter behind-the-scenes information-sharing, and you're even further in the hole. (Oh, and all of this is opt-in by default.)
I don't trust Google, nor do I trust Apple...and it really does suck that if I want a device like this, I'm screwed. If I want these convenience-adding apps that *need* a business model and to make money any way they can, I have to feel dirty when I install them.

By the way, recent news is that Apple requires and uploads location information from their devices. This begs the question: How come Apple doesn't retrieve every single device that is ever stolen? If my device spends a huge chunk of time in my home, and suddenly spends it elsewhere shortly after me reporting it stolen...help a brotha out, ya know?
.: the triforce of power is recovered
Not a big deal, but thought I'd mark the occasion where I now own the terminal23.com version of this site to go with the .net and .org. Ever since I wanted to name my site this, some group has held the .com version (along with many other terminal##.com sites), but it has since been relinquished.

Not that I'm going to actually *use* that domain, but it's a nice full circle sort of thing to have it under my control.

CAs have a nice scam going on with constant cert renewals, but registrars have it even better with all the damn top-level domains, let me tell ya...
.: nook color update adds a market, flash support, and more
I mentioned on Twitter yesterday that Barnes and Noble have released their long-awaited update to the Nook Color which includes Android 2.2 Froyo, Flash support, an apps store, and other updates. Really cool!

While the app store has been down for me all day (not something I'd hold too hard against someone, since I'm sure the load is high and the site brand new), I'd overall give the rollout a "B" grade so far.

Pros: Excellent upgrade and the chance to buy and install apps! Flash support really rounds out the web experience. Things just overall seem faster. Essentially, they're transitioning the $250 e-reader+ device into an actual tablet. Good deal! I know this is a short list, but it's a big update. (A continued pro for the device itself is the better, less proprietary format of media in comparison to the Kindle.)

Cons: The app store is "curated," meaning it's a B&N store and *not* the whole Android market. While this makes me sad, I understand why they would do it, both from a profits perspective but also support. (Why allow users to install apps that won't work? And what about the lack of the traditional Home/Menu/Back/Search/Settings buttons that some apps require?) Bluetooth radio is untouched and still not enabled (Can't blame them, but *I* personally want it so I can hook up a gamepad). Also, still no geolocation, though I don't think that's even possible with the current hardware, and even if it were, the usefulness would be severely limited without 3G connectivity.

Compared to my autonootered Nook Color: Bottom line, my rooted Nook Color can do more apps and play more games (NES/SNES...) than my non-rooted Nook Color, so I don't yet plan to unroot that particular one. Sure, there are some small issues like needing to kill a particular task to get the Extras to update after an install, but I still really value the apps that are not yet available on the B&N storefront. If and when they expand further and cover any apps I'd want, the move would be a no-brainer.

If you have a non-rooted Nook Color, this update is a no-brainer and a huge deal.
.: playstation network pwned; hard questions for sony
In case you missed it, the recent Playstation Network outage has finally been acknowledged in a Sony release. If you were thinking it was a DoS, you're wrong. It was complete pwnage [emphasis mine]:
...we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility.
In short, this is a big deal. Maybe not ultimately to Sony/PSN, but it is a big deal for the industry. And these are the hard questions:

1. How did this one breach disclose so much? Was it one issue or several that were leveraged? (As a learning opportunity, which is better, a single issue that caused your (gigs of) data to be exfiltrated or a series of leveraged weaknesses?)

2. No password hashing? Encrypting? Credit card information segregated/tokenized/hashed/encrypted? If it was, was the key management that poor? I hate to be the one to say it, but let's hear that PCI compliance status... (without the PCI marketing spin)

3. What was Sony's security budget? Or any budget around technology and the protection thereof.

4. If Sony's deep pockets and ability to have a deep budget didn't help, is this further illustration of security futility? If nothing else, it's illustration of the view of digital security in profitable enterprises...

5. What if Sony *has* done risk analysis and determined to accept whatever risk was present? (Even the act of not doing anything is an unspoken acceptance of risk, in my book.) This is my biggest problem with risk and probability: You're still susceptible to that one-in-a-hundred-years hurricane scenario; and heads will roll. It's also my biggest problem with security and the media: We, in security, believe that you *will* fail, and the media will always sensationalize everything it can. This will always shake out against us; even when we do things absolutely correctly (and what organization lets us even come close to doing things absolutely correctly?).

6. Do you blame the attacker or do you blame Sony?

7. What was the time-to-breach after they leveled their attacks against you? I'm hoping it wasn't hours, days, or even weeks... I'm also hoping their breach-to-detection time is small.

One thing I won't harp on is how long or quick it took Sony to announce something to its customers. A 6-day period during which it took the network down to analyze the extent is not entirely something I can get upset about. And you certainly don't want to tell 70 million customers something until you know it for sure; not just because of a loss of customers, but simply because if you're wrong, you've just done fucked up even worse. This is an announcement you take the time to get right; and 6ish days is not unreasonable. Does this mean an attacker may have had free rein on credit card information (etc) for 6+(time of breach-to-detection) days? Yes, but when is that *not* the case?
.: on packetstan: crafting fragmented packets
Reading packet captures is one thing; writing your own packets via Scapy takes it to a whole new level.