a look into the world of web tracking

Privacy is as big an issue today as it's ever been in the online world, with Google and Google+ (the behemoth of data mining), real-name usage online, and even bills in the US government to require ISPs to track web usage. If you've ever wondered how web sites track you online, even when you think you're being private, check out the Wired article, "Researchers Expose Cunning Online Tracking Service That Can't Be Dodged." Especially check out the embedded link to KISSmetrics' details. This sort of detail is sobering and annoying at the same time.

On a side note, I dislike seeing discoveries like this made by academic researchers, in a way. I really wish more corporate security staffs would uncover things like this, or even leisure/hobby groups. It sort of suggests that corporate security staffs just don't have the time to do much more than get by, while academic researchers (who are often on the fringe of practical reality) have plenty of free time to...well...research. And that sucks, since you'd certainly see the KISSmetrics scripts i.js and t.js passing through your proxies regularly, and you could likely even block them at your corporate "borders" with zero issues.

Maybe staffs do find these things, but we certainly don’t have a place to air such discoveries and likely the rest of us have way too many other things to think about or look at on any given week…

I guess that’s part of what makes security exciting. 🙂

reason #4 why infosec and journalism don’t usually mix

What gets more eyeballs to a popularity-driven "normal" news site? Is it talking about positive leaders and ideas in digital security, or is it piling onto infosec train wrecks like Greg Evans? It's one thing to out charlatans in our industry and make sure their profile and the truth get out (many examples of this, including podcast spots), but it's entirely another to post useless articles with no value just because the guy's name gets you 12 retweet mentions.

It’s this sort of train wreck journalism that turns me off to most mainstream services (and masses of people in general), where it’s more popular to talk about useless drama than it is positive leaders and examples of things that go right.

big brother watches, and even talks to you

The pressure on companies like Google to comply and assist law enforcement and government “investigations” must certainly be immense. Think about this article on Krebs’ site, “Google: Your Computer Appears to Be Infected,” particularly this:

…Google is placing a prominent notification at the top of victims’ Google search results; it includes links to resources to help remove the infection.

I wonder when the first subpoena will be issued via a Google- or Facebook-delivered popup to a logged-in user?

Scary or helpful?

incomplete: 2011: the year of the return of hacktivism?

(This is unfinished, and I'm not sure I ever will finish it. It's simply a set of discussion points. While I take the tone that this year's hacktivism surge isn't much of a "real" surge at all, it's still hard to argue that we haven't had a larger-than-usual number of high-profile and large targets successfully attacked in a relatively short amount of time.)

Has this year heralded a new trend in rising hacktivism (i.e. the actions of Anonymous, LulzSec, WikiLeaks informers, and various offshoots surrounding those groups)? Maybe. Let's look at a few things that we pretty much know for sure. I'll lump most of this year's activities under the term "hack attacks." (I'm not including things like RSA, which are almost certainly of a more nation-state-like nature.)

1. Code hasn’t suddenly gotten more insecure. It’s not like we had a period of time where code was secure and the ball has since been dropped. I’d argue that all of these issues have always been present. Granted, the landscape is changing, and web security hasn’t kept pace at all, from both the server-side (code, OS, practices) as well as the client-side (browser), but it’s not like things have gotten worse; they’re just not getting any better.

2. These hack attacks are not demonstrating some newfound body of knowledge that attackers have gained. In fact, most (if not all) of these attacks are relatively simple and not new at all. These attacks aren’t dropping 0days; they’re poking at very poorly secured web sites.

Wait, this sort of sounds like I’m about to say nothing has changed. Alas, clearly something has changed…

3. Breach disclosure laws. Sure, I still believe the whole “breach disclosure” issue is like the proverbial iceberg: you get a certain number of visible, announced breaches, but I imagine there is a much larger mass of them hidden under the surface either not detected or simply buried in corporate bureaucracy and dishonesty. Still, you have to admit there are far more announcements today than 10 years ago that are prompted by law. I still don’t believe this means there are more breaches; we just hear about more of them.

4. The media is ready for geek news (and the never-ending ‘reality show’ drama of security that has been thwarted, or conversely someone who has failed). Ten years ago, the media couldn’t give two rips about digital security and the breaches suffered by it. Today, it seems like the media is more comfortable being a bit more technology-focused. And hacktivists seem quite happy to feed this new trend in media coverage, while at the same time feeding off the attention. (Incidentally, I’d say many “older” hackers don’t give a rip about attention, at least not from the secular world. One might consider more mainstream attention desires to be somewhat immature.)

5. More financial transactions are done online. I don't have numbers, but I'd expect there are more mainstream consumers and many more businesses today who perform financial transactions online than there were even 5 years ago. This means more opportunity for attackers to usurp the process (banking trojans) as well as much more data stored in databases behind public and poorly secured web sites.

My opinion really comes from the above. I don’t think there is a huge difference this year from the past 10 years, except in media coverage and the risk footprint of more financial information online. I think there have always been hacker groups and hacktivist activities; we just normally didn’t hear too much about them in the past.

Here are some things that may be red herrings in this discussion:

– The rise of social media is not significant for the geek crowd. Sure, there may be new faces in the newest generation who are growing up with "social networking," but for the actual hacker/security geek, the social network has been around for decades, from BBS's, to IRC, to web forums. The problem with social networks is their desire to data mine and their lack of trustworthiness, which will erode any malicious hacker's efforts to remain hidden. I might entertain an argument that current "hacker" entrepreneurs are encouraging, by their success, younger coding-friendly geeks to be more bold, since it clearly paid off for them, but that's more of a socio-cultural thing...

I might also entertain the idea that more mainstream people are online due to social networks, which then acts as their gateway to more “hacker-appropriate” networking online. I’d maybe even argue that much of today’s hacktivism is done by these newer members wielding non-novel attacks. This sort of rise and fall in the pursuit of notoriety has gone on for decades in the hacker underground. It usually wanes as these “newbies” grow up and actually start having bills they need to pay (and either turn into for-profit criminals or move on to real jobs) or have a law enforcement scare.

– Anything to do with the criminal world, or even “APT,” i.e. nation-state-sponsored digital espionage. There is little argument that recent coverage of these hacktivist attacks and plunders has driven at least some interest in security, and if nothing else is exposing the risk and/or insecure state of things. No criminal or espionage threat agent will like that attention. It hurts their chances of success, of being undetected, and increases the chance of “make an example of” penalties if caught. The for-profit crime and APT trends have been around for several years now, and are not new this year.

– I hate to go here, but I’d almost certainly leave discussions of PCI and compliance at the door. I believe compliance (read this as “PCI” even if I just generalize the term) does improve certain things, but I also believe it erodes other things. This is a discussion tangent big enough for its own treatment, but I think the net gain compliance has on a discussion about this year’s hacktivism is zero.

the bad news of no unemployment

Via Twitter from GovInfoSecurity came a link to an article titled, “The Bad News of No Unemployment.” This certainly is a problem that I’ve seen personally, where someone in a “security” position (whether it be contract, consulting, advisory, or full employee) really doesn’t know what the fuck they’re talking about. Either they can’t walk the walk (whether that be security testing or walking in the shoes of ops/devs) or they absolutely fail the talk (when their advice sucks and they clearly don’t have much real knowledge beyond a few boilerplate topic responses).

Do the industry some favors. Hire only people who have real talent; filling a position with an assclown is a disservice to your business and the industry. Expose those who do not. Don’t support those who are doing us all a disservice, or do help them to get out of that doghouse by imparting real wisdom, advice, and assistance. I really believe this also includes informal, non-paid assistance to non-sec managers who just need 30 minutes of lunch talk to get a better idea on how to evaluate security vendors/candidates/services.

work in a way that matches your personal values

I am by no means well-read on books about business and leadership and entrepreneurship and biographies of successful people. But I do quietly collect casual information from news articles and other sources online. To me, one of the "work" rules in recent decades has been to essentially be yourself. Wear what you want to wear (within respectful, credible reason), work in a way that aligns with your personal values, be human; essentially, don't have a work persona separate from your home persona. Work in a way that matches your personal values, your character.

I'd agree with this. I think that sort of feeling aligns with why I really respect people who "geek out" about their chosen field, even if they come across as strange or even obsessive. Give me a security geek who lives and breathes the industry during work and play over a 9-to-5-only sort of mentality. I understand work-life balance issues, but I also understand happiness and enthusiasm as well.

the futility of chasing cheating

Saw a link pass through Twitter to a blog post, “Why I will never pursue cheating again”. This is a quick read that hits the following points:

  • catching policy violators (the human problem)
  • “us against them” environment
  • reflection on customer evaluations (managerial conditioning)
  • rechanneling activities and interaction

Unless your job is specifically about finding corporate security policy violators, no one ever truly does it, until such a violation has a tangible negative effect on the business (or *not* reporting it has consequences, like a mantrap that locks up if two people go through at once). And it doesn't take a genius to see how this makes digital security difficult, regardless of whether you believe in tackling the human or the technological problems in security.

simple isn’t simple

(That's the best title for this; after spending a few minutes staring slack-jawed for a better idea, I figured I'd just steal the title.) Rich Mogull wrote a DarkReading piece, "Simple Isn't Simple," (and a companion Securosis mention) that I think everyone should read. This part stood out to me:

We security pundits, researchers, and vendors tend to forget how hard real-world operational IT is. …I am saying we need to recognize that it’s hard at all levels. That even the easy parts are nearly universally difficult in practice.

This is one reason I often sarcastically wonder aloud whether some people who talk security only do security in their one-room office with 2 computers and an all-in-one fax/printer and ActionTec DSL/wireless router. Likewise, I appreciate anyone who understands which "easy" best practices are, in *real* practice, really difficult for various reasons. (Dare I say that a little empathy goes a *long* way to helping embattled security managers/analysts? And please don't tell our execs what we should be doing in a tone that makes it sound easy!)

This is also one place where it probably sucks to be a QSA. You have one-liner PCI requirements and practices on one side, and a real world operation on the other. And then you tell them they need to rearchitect their network/systems…at what cost again? And it needs to be done before the next audit? Does the QSA know all the little things operations does to hide or cover issues when backs are against a wall? Maybe we should talk incremental improvements? (If Josh Corman needs more ammunition in his PCI debates, talk about going from no security to full security in one audit cycle and how healthy that will turn out to be! Hey, it might work…)

The only really easy part is when you get to buy a piece of technology, slap it in, and it just works, say a card-activated magnetic door lock. But so much in security requires process (maintaining access, following up on logs, checking out anomalies, verifying proper working order, maintenance, safety...), which isn't going to be very easy any time soon and is excruciatingly hard to measure.

bcp and dr planning; don’t forget to do it

Deb Hale has a nice BCP/DR story to tell over at the ISC Diary page in regards to this summer’s Missouri River flooding. This hits a little closer to home (pun intended) since I’m from Sioux City and my parents currently reside in the Dakota Dunes (they’ve been lucky).

While at first glance a natural disaster isn't always a foremost thought in the minds of information security, it certainly is part of a holistic security view. And it is one of the few scopes that pretty much any manager or executive can relate to and have ideas about, especially since managing people in the face of a disaster is a key problem. While light on details of what you can do to enhance your business continuity plans, it does illustrate the impact such events have on the community and may have on your business, both short term and long term.

I'd just like to add 2 things to the discussion. Keep abreast of area disaster possibilities. You don't want to find out too late that a flood is going to happen in your area. Some events are quick (tornado), but others are not. And when you do hear about an incident, don't drag your feet when making preparatory or reactive actions. The sooner you act, the better off you are. This is also one place where community, in-person networking will always trump your digital network and internet social ties.

gosh, 90% of us companies are breached?

90% of US companies have been breached!
90% of US companies hacked!
90% of US companies have been victims of cyber attacks!

These are the sorts of headlines coming out from a survey by Ponemon sponsored by Juniper, named (for reasons that are unclear) "Perceptions About Network Security." [pdf] These are also the sorts of headlines that I immediately question, namely: "What is your definition of a cyber attack/breach?" Sadly, the report doesn't answer this question, but does hint that any sort of security incident counts, even if it happened to someone else who held some information from your company (i.e. the Epsilon email 'marketing' breach) or some workstation issue which is never defined. Normally, I wouldn't even bother posting about the survey, but I keep seeing those stupid headlines mentioned at the top...

Ok, fine, page 6 does start to hint at the sorts of incidents we’re talking about in Bar Chart 8 where “malware” is featured in 5 of the 8 breach causes. I’m sorry, but largely incidental malware attacks don’t necessarily count as “cyber attacks” or “breaches” to me. (Yes, I understand that is arguable, in fact, that’s my point.) The same goes for lost or stolen laptops. Far too many of those incidents are going to be non-targeted crimes of opportunity.

I do buy that 90% of companies probably do suffer computer insecurity incidents. I just dislike the sensational tone so many headlines are taking. Like 90% of them are pwned and attacked and being stolen from by attackers in targeted incidents. Hell, the number should be 100%.

I had more to post, but it’s just all me complaining about the report being misleading, laughably funny in other places, supportive in the obvious places (no shit, complexity and resources are challenges?), and having a few concluding recommendations based on weak supporting evidence (e.g. 2 leading questions). None of that helps anyone, so I excised it. 🙂

even the simplest of questions isn’t simple in security

Sometimes the simplest security questions are the worst. Today, I got an email forwarded to me: “Am I ok opening this?”

That question is properly responded to with another question, "Do you know the sender and did you expect a file from that sender?"

The easiest answer is when it is obviously a spam or phishing attempt. Beyond that, however, all bets are off on this ever being a fun question. Will I ever be able to say, “Yes, this is absolutely safe?”

And how is a user ever going to truly know the risks and make a proper acceptance or denial of them on their own? Even I had to take a few dozen minutes out of my day to poke around, since that email isn’t very clearly business-related, includes a link to a different site, includes a file format I can’t ever vouch for entirely, and the site used for the file transfer has an invalid SSL certificate.

And do I know that site is legit and itself is secure?

Little questions like these carry some of the worst weight with them. It also illustrates how, at some point, security just has to draw some line and say, “Looks clear.”

(Way too obscure allusion to Pitch Black’s Riddick character, who says, “Looks clear,” just before someone steps out and gets snatched by some creature. “You said it was clear!” “I said it *looks* clear.”)
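To make the "poking around" above a little less ad hoc, here is an added example (my own code for this post, not anything from the original email or any vendor) that encodes the same indicators as a first-pass triage: is the sender on the list of people we expect files from, does the download link point at a host outside the sender's domain, and is the offered file a type the help desk would not wave through unopened. The sample email and the list of risky extensions are constructed for the example. The invalid-certificate check is deliberately left out, since it needs a live TLS connection and cannot run offline.

```python
"""First-pass triage for a forwarded "Am I ok opening this?" email.

Added example, not code from the original post. It flags the indicators
the post walks through; it does not decide anything on its own, because
(as the post says) the best we ever get to is "looks clear".
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: a local policy list of extensions we never vouch for blind.
RISKY_EXTENSIONS = {
    ".exe", ".scr", ".js", ".vbs", ".jar", ".hta",
    ".zip", ".rar", ".docm", ".xlsm",
}

URL_RE = re.compile(r'https?://[^\s<>"]+', re.IGNORECASE)


def registrable_domain(host):
    """Crude last-two-labels domain: files.example.com -> example.com."""
    parts = (host or "").lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else (host or "").lower()


def risky_extension(name):
    """True if the file name ends in an extension from RISKY_EXTENSIONS."""
    name = (name or "").lower()
    return any(name.endswith(ext) for ext in RISKY_EXTENSIONS)


def triage(raw_message, known_senders):
    """Return a list of human-readable findings for the raw RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. Do we know the sender (and therefore expect files from them)?
    _, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    sender_domain = sender.split("@")[-1] if "@" in sender else ""
    if sender not in {s.lower() for s in known_senders}:
        findings.append("sender not in the expected-senders list: %s" % sender)

    # 2. Collect the text body (works for single-part and multipart messages).
    body = ""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            body += payload.decode("utf-8", errors="replace")

    # 3. Links: off-domain hosts and risky file types in the URL path.
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if registrable_domain(host) != registrable_domain(sender_domain):
            findings.append("link points off the sender's domain: %s" % host)
        if risky_extension(parsed.path):
            findings.append("link offers a risky file type: %s" % parsed.path)

    # 4. Attachments with risky extensions.
    for part in msg.walk():
        filename = part.get_filename()
        if filename and risky_extension(filename):
            findings.append("attachment has a risky file type: %s" % filename)

    return findings


def verdict(raw_message, known_senders):
    """'Looks clear' if nothing tripped, otherwise send it to a human."""
    return "Looks clear" if not triage(raw_message, known_senders) else "needs a human look"


# Constructed sample messages (not real mail).
SUSPECT = """\
From: Pat Vendor <pat@vendor-example.com>
To: me@corp-example.com
Subject: Updated contract
Content-Type: text/plain

Hi, the updated contract is here: https://files.transfer-example.net/dl/contract.zip
Thanks
"""

CLEAN = """\
From: Pat Vendor <pat@vendor-example.com>
To: me@corp-example.com
Subject: Updated contract
Content-Type: text/plain

Hi, the updated contract is here: https://docs.vendor-example.com/contract.pdf
Thanks
"""

if __name__ == "__main__":
    expected = {"pat@vendor-example.com"}
    for label, sample in (("suspect", SUSPECT), ("clean", CLEAN)):
        print(label, "->", verdict(sample, expected))
        for finding in triage(sample, expected):
            print("   ", finding)
```

Note that a known sender and a clean file type still only get you to "looks clear": the script cannot tell you the transfer site itself is legit, which is exactly the question the post ends on.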

cwe/sans top 25 software errors report is released

The 2011 CWE/SANS Top 25 Most Dangerous Software Errors report has been released to the public. [PDF version here]

This may be a carry-over from previous years, but I like the actual advice given for each item, even if I feel the description is lacking. Part of this is because of the modular design of the doc, where even if you grab and take offline the PDF version, you can’t click the links in the PDF file to get to the online definitions of the items. I understand, but dislike that choice.

I also really like the “Monster Mitigations” on page 35, which give the general high-level advice for framing your security posture.

infosec career advice blog

It sometimes amazes me when I find I haven’t included a link in my sidebar to a site I greatly respect and enjoy. So goes when I just realized I love the advice Lee Kushner and Mike Murray give on their blog, but noticed I don’t actually link to the InfoSecLeaders site at all! Travesty! Lee & Mike answer questions and give advice about careers in information security.

the perimeter is still here, it’s just different today

If the old perimeter were the firewalls and network borders…

…and the current perimeter is your web presence(s)…

…the next “border” is your remote connectivity and mobile devices? (I’ll ignore for the moment how “the cloud” explodes the current perimeter.)

With the first two "perimeters" in the above example, you can hire a security geek to come in and immediately direct their effort at something somewhat finite. "Go look at the firewall rules and network segmentation!" "Go scan our websites and vomit out a vulnerability report of your findings!" "Go make sure our client-app-database pipeline is appropriate!" But none of that expands to what offers real endemic security in an organization. Those are necessary security tasks, but they certainly are not holistic.

Maybe this is why data-centric security is scary. You can’t just target the data in some data warehouse (the visual of that is far more interesting to me than the definition!). Rather than treat the skin of the organization, you’re basically needing to cover the same area that the entire vascular system covers (heart, arteries, veins, capillaries…).

It might also be why mobile device security is scary: it's not easily scoped and bounded to narrow segments of an entity. And, god forbid, it means dealing with users and consumer devices. I mean that not only in the backroom security geek being scared to interact with people, but in the thought that, holy shit, *users* need to be part of security, too, whether they (the users) like it or not. I know we often talk about education and policies, but most every user I know in an organization who doesn't have a direct interest in security as part of their job will almost always prefer someone else deal with it. And this is absolute if that security even remotely negatively impacts their own job or convenience.

I’m actually wrestling with buying back into Apple (been out since ipod 4th gen) and actually getting an iPad device, but not because I want to use it. It’ll be because I need to get back to the user perspective and have some sort of experience with it.

You certainly cannot say that security is a cheap career (in money, time, and effort)!