.: December 2011 Archives
Watching the Illinois water pump hacking situation has been fun. Wired pretty much summed up the end story: no hack here, just a series of fun incidents.
While it makes for a great movie plot, and gets people excited, I've found that most "strange" things at work involving computers end up being completely innocent, and not the effects of some nefarious digital attackers. For as paranoid and ear-to-the-security-ground as I might be, I'm still one of the last people to think an actual attack is under way when something weird happens on my networks. And 98%+ of the time I'm correct. Jumping the gun and throwing cries of, "hackers, hackers, hackers!" without anything solid to go on does no one any good.
It's one thing to muse about the possibility of an attack or to wildly (or jokingly) suggest it, but doing so outside of very controlled groups of people leads to a misunderstanding as someone walks away from that conversation and tells someone else that it *is* a hacker. And then it gets to someone important, and now you're spending days, weeks (or more) trying to dig out of that hole and pass the hot potato.
When in doubt, stick with non-extravagant gut feelings. As they say in law enforcement, there may be the possibility of a complex, movie-like conspiracy, but the truth is almost always rooted in the simplest answer. Not some complex plot.
I will say, kudos to finding that Russian (but not the German?) IP address accessing the remote systems. Not so impressed that those IPs can even log in (no idea on the auth mechanism). And just a sigh about not finding those IPs very soon after the fact (i.e. log review, but it's hard to fault someone for not reviewing logs when it's a time/money sink 99% of the time and even then it might be missed, besides which maybe they get 240 logins a day, which would suck to browse through, and I don't know many SIEMs that would be smart enough and easy enough to just tune out anything from your normal systems...seriously, the ideas on how to monitor are easy, but not so much with the tools at hand...yikes, this is a whole discussion in and of itself.)
by michael 12.02.11 at 8:50 AM in /general
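The post says the monitoring idea is easy (tune out your normal systems, look at what's left) but the tooling is the hard part. Here is that idea as an added example, not code from the post or from any SIEM: a small allowlist-based triage over constructed remote-access login records in a hypothetical syslog-like format, flagging logins from sources outside the known internal ranges and the one contracted vendor address.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample records in a hypothetical "key=value" login format.
# These are not from the Illinois incident or any real device.
SAMPLE_LOG = """\
2011-11-08 02:14:07 vpn01 login user=operator src=10.20.30.41 result=success
2011-11-08 02:31:55 vpn01 login user=operator src=192.168.5.12 result=success
2011-11-08 03:02:19 vpn01 login user=vendor1 src=203.0.113.77 result=success
2011-11-08 03:02:40 vpn01 login user=vendor1 src=203.0.113.77 result=success
2011-11-08 09:15:02 vpn01 login user=operator src=198.51.100.9 result=failure
2011-11-08 09:15:30 vpn01 login user=operator src=198.51.100.9 result=success
2011-11-08 11:44:11 vpn01 login user=admin src=10.20.30.7 result=success
"""

# "Normal systems": internal ranges plus the one vendor address we expect.
# This is the "tune out anything from your normal systems" step as an
# allowlist; anything outside it gets a human look. Values are constructed.
KNOWN_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("203.0.113.77/32"),  # contracted vendor (constructed)
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<host>\S+) login user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Return a dict for one login record, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["src"] = ipaddress.ip_address(rec["src"])
    except ValueError:
        return None  # malformed address: skip rather than crash the review
    return rec


def is_known_source(addr):
    """True if the address falls inside any allowlisted network."""
    return any(addr in net for net in KNOWN_SOURCES)


def triage(log_text):
    """Split login records into expected and unexpected sources.

    Returns (unexpected, summary): unexpected is the list of records from
    addresses outside KNOWN_SOURCES, and summary counts logins per source so
    a reviewer sees volume at a glance instead of reading 240 raw lines.
    """
    unexpected = []
    summary = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        summary[str(rec["src"])] += 1
        if not is_known_source(rec["src"]):
            unexpected.append(rec)
    return unexpected, summary


if __name__ == "__main__":
    flagged, counts = triage(SAMPLE_LOG)
    for src, n in counts.most_common():
        known = is_known_source(ipaddress.ip_address(src))
        print(f"{src:>16}  logins={n}  known={known}")
    for rec in flagged:
        print("REVIEW:", rec["ts"], rec["user"], rec["src"], rec["result"])
```

Note that the failed-then-successful pair from the unknown source surfaces on its own once the known sources are filtered out; that is the whole trick, and the hard part in practice is keeping the allowlist honest.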
Skype still beats on the enterprise door with regularity. Brandon Knight talks about Skype in the enterprise over at infosecisland. I've talked about it before.
I like Brandon's take on the potential eavesdropability risk with Skype (which is almost certainly real, since China allows its use and they certainly never would if it were truly private):
For example, how are you communicating today in your organization? If you are making calls which route across a PSTN (Public Switched Telephone Network) then you are already putting your conversations into the hands of service providers, governments, and whoever else may have physical access to the lines.
Fair enough argument. But this only applies to people who understand that Skype isn't a private network. I've had plenty of discussions where users argue that Skype *is* private. You can't make that assumption; you're using someone else's app, over someone else's lines, and through someone else's proxy/login/servers.
This also applies only to the instances given. If I want to eavesdrop on John's Skype conversations, I can do some network tomfoolery to reroute traffic. Doing that on a PSTN or something else is a whole different game. The name of the game in the digital world is efficiency, which blows away any comparable example in the analog world (just ask the MPAA or RIAA...).
Brandon's article is an excellent companion to any discussion about Skype in the enterprise, and he brings up decent points about public information disclosure, desktop maintenance, network security visibility (data exfiltration), and even side-channel delivery of content such as the ads accompanying the app.
There are even other considerations, such as how you handle people's personal accounts upon termination (and contact lists and client/customer contact habits), automatic updates, logging, etc.
by michael 12.02.11 at 9:53 AM in /general
(Disclaimer: Putting this out there, but my time at work this afternoon is forcing me to do less re-reading than I'd like. Hopefully I'm not sounding like an unreasonable ass!)
Carrier IQ is a hot topic right now, which itself sort of pisses me off. In the same spirit of what pisses me off, I read the ComputerWorld article, "Carrier IQ is BYOD kiss of death -- urgent action required" (via Dan Morrill). Yes, read the article because it at least doesn't whine about data gathered by carriers, rather that this data is logged and stored on vulnerable devices.
1. If the confirmed presence of Carrier IQ on your phone prompts new (ensconced) action, you're doing it wrong. Whether this is a business-purchased device or a personal one, it's not entirely YOUR device. The carrier is going to and is already doing whatever it wants. While it's nice that people are getting mad now, you shouldn't be surprised by this state of affairs. Maybe this will spur usage of unlocked phones not supplied by carriers, or custom ROMs, but still...
2. If you're pissed about carrier-implemented apps, are you pissed about all the crappy apps your users can install on their phones? Again, if not, you're doing it wrong. And there will be apps with even worse transgressions (if not outright malware apps). In users' defense, at least they don't have a chance to know about carrier apps.
3. Are you worried about corporate espionage targeting your phones but not your carriers? You're somewhat doing it wrong. I like that the article mentions the risk of phone-based attacks harvesting extremely juicy data that is brilliantly stored on the end device, but one should also keep in mind that these carriers and anyone else logging anything at all (the carriers absolutely will be, it's their network) are also risks (that includes Google or Apple, the makers of your OS). Those entities are making your risk decisions for you.
4. Why are you kneejerk reacting to get rid of Carrier IQ software in the "urgent action required" section? This is the same backwards approach to security that says you only react to bad things actually happening right now, instead of doing any prevention. It's fine to react, but please don't be surprised or crazed with action after the revelation of something that was predictable and probably expected at some point. And just because you get rid of Carrier IQ, does that mean you also fully understand every other part of your phone's OS, included software, carrier presence, and installed apps? Shit no.
Is there a difference between malware keyloggers vs carrier-embedded software logging vs OS-enabled logging? In my books, not really, until users are fully made aware of what is going on. Which itself is an entirely new topic because if you're doing something that will piss people off if it were made known, why the crap are you doing it?
I think Dan is on the money when he says this really doesn't change anything on the BYOD front and poses the question of whether these phones really are yours or not.
Another discussion topic would be what makes these phones so different in this regard from our Microsoft-clad personal computers running on our ISP of choice? It's interesting that I do actually trust Microsoft as my OS more than Google or Apple, and I trust my interaction with my ISP a bit better than with my phone carrier, and I also trust the software process a bit more (i.e. I have the ability to watch an install at a deep technical level and monitor/alert on behavior). You make everything convenient, which hides the details, which, to me, fosters less trust...
by michael 12.05.11 at 3:30 PM in /general
SecTools.org has long been a nice repository of must-learn tools for security enthusiasts. In the last month, the tools list has been updated with a new top 125. I see you can now also submit reviews for the tools as well.
by michael 12.06.11 at 10:15 AM in /general
I love having Twitter up next to me while I do other things like play Skyrim. I get to see things fly by like the article "Why I Hire People Who Fail," by Jeff Stibel, passed on by @chrisclymer:
We don't just encourage risk taking at our offices: we demand failure. If you're not failing every now and then, you're probably not advancing. Mistakes are the predecessors to both innovation and success, so it is important to celebrate mistakes as a central component of any culture. This kind of culture can only be created by example — it won't work if it's forced or contrived.
About a year ago, the company I work for made an effort to spark innovation. And while I'm sure a few good ideas percolated up to the top, the problem is all the ideas generated are placed into a review group to pick and choose ones to follow, which ultimately leads to only accepting the safe and obvious stuff. That's really not innovative, and really does nothing to promote risk taking or enable failure, and thus learning.
Take some risks. Fail at things. Be better for it. It's just like taking the effort to practice so that you get better for the future.
by michael 12.10.11 at 12:03 PM in /general
Look at that, another breach discovered by someone else that is not part of the victim company, this time affecting Dutch telecomm KPN.
...a hacker broke into a Gemnet [KPN subsidiary] database after exploiting poor password policies set up on its PHPMyAdmin server... The article said the hacker came forward to prevent the kind of debacle DigiNotar created, but "he has also found evidence that he is not the first person who have gained access to the systems."
We hear a lot of these reports of third party notices of breaches. I wish we could correlate that better with how many get detected internally, though I imagine a good chunk of those are never discussed beyond the immediate team involved...
by michael 12.13.11 at 8:30 AM in /general
When someone in the "echo chamber" of security says something about getting the defenders to think more offensively, and then gets a response similar to, "Rather than complaining, maybe you should give us real ideas on how to do that," it really irritates the crap out of me. That sort of response is antagonistic and even insulting, plus it's always going to result in a defensive or even offensive response. There are better ways to make the same point without the passive aggression. Especially when you're not actually disagreeing with the point!
Besides, even when talking in the echo chamber, making these clear statements isn't a *bad* thing, and it may even need to be heard by one or two audience members.
It really comes down to education, teaching, awareness, and experience if we want to make security more inherent in IT (coding, infrastructure, networking, systems...).
If you want a stable high-availability network, you need someone who can actually do it in the way you want, otherwise your admins will end up learning the mistakes and correct answers on the fly. And it might take years to build that experience. Therefore, you ask experts and get other ideas.
As a systems/network admin on a team of systems/network admins, we do this every single month where we may look at new things but not inherently know the pros and cons and gotchas of the solutions without experience or assistance.
We frustratingly bitch a lot in security, but we need to support each other during our bitch modes, not lash back and kick each other when we're down. That's really my point.
by michael 12.18.11 at 1:13 PM in /general
Rafal Los threw out a nice article this weekend, "Steps to Avoid Mental Stagnation - Or how to re-awake your inner hacker:"
What worries me is when you've been working in corporate IT for 10+ years in a single organization or a single organizational profile (education, finance, whatever) and you can't seem to break free of a specific train of thought.
I have worked in my current position 5.5 years, and I can sympathize with the broad points. In fact, I'm a bit sensitive to it this year in knowing I'm getting behind on the things I don't have exposure to in my business, or even things that are under the purview of another team member and not myself.
One idea I'd add along with the ideas Rafal adds is to work to carve out some free time. This can either be at work or in your personal life, where you just tinker with some of those things you want to do that are on the topic of security, whether it means participating in PTES, the social network of security, coding some new things, or standing up a better lab to test tools you've long put off. At work, I strongly believe that good admins need a significant amount of free time to poke at strange things, learn new things, try stuff out, and stay happy (I've seen this talked about with *any* IT discipline and have often heard the number 30% free time thrown out).
by michael 12.19.11 at 10:23 AM in /general
Speaking of conferences and speakers, it really torques me when I see someone wants to talk at a con (or better yet is already accepted) but then laments that they've not yet figured out what to talk about. Chances are, I don't want to go to your talk if that's the approach. (There are exceptions, such as friendships, entertainment, etc... Ok, fine, there are *very* few exceptions where I'll see someone regardless of their message, like Adam Savage, but those people are rare and most of us are not them.)
At a con or talk where I want to learn something, I really appreciate people who have a passion to get something specific out there, whether it be something new, some insight into an industry or process I don't normally get, or what have you. I'll even sit through people who don't have strong speaking skills if they have a compelling expertise on the subject. I'll leave only if their level of expertise is lower than mine and I'm clearly not getting any value (though others may be).
I'm not the most keen on people who are part of the speaking circuit and speak for the sake of speaking, rather than the sake of the topic. And it eats up a slot for someone who may have neat things to say.
(This isn't about anyone in particular in recent weeks; it's a general feeling I've had for truly many years.)
by michael 12.19.11 at 10:24 AM in /general
Brian Krebs has two excellent articles that made my morning. (Ok, one of them is several weeks old and I just hadn't read it yet.)
First, "Busy Signal Service Targets Cyberheist Victim," talks about a new service in the cyber criminal underground that will call a victim over and over to tie up their phone line so that bank calls to verify large money transactions can't get through adequately.
This illustrates the give and take that security plays with attackers. You want to complete a call to the customer but have been blocked. Essentially, while a nice feature, this isn't going to be foolproof. Basically, spin again.
Second, "Loopholes in Verified by Visa & [MasterCard] SecureCode."
The hole is essentially a piss-poor method to reset forgotten passwords.
I hate things like this because it illustrates how much lip-service is put into security until you get concerned consumers or other entity asking public questions or slapping proverbial wrists. This is why I so heavily value disclosure, transparency, and public assistance. It might also illustrate the lack of critical thinking in those who contract, design, and implement these solutions.
Then again, attending to forgotten password issues is a bit of an art. This weekend I saw that my usual screenname was taken over at SWTOR.com (Star Wars!). The forgot password function requires that I at least know the email address under the account, and if this was indeed me, I don't recall what email address I used to sign up. So comes a call in to support. On release weekend. Needless to say, I'm still waiting to see how this goes. :)
(Side note: SWTOR.com accounts have the "option" of using 3-5 security questions. These questions are typical questions you see everywhere. Unlike Network Solutions who allows me to answer these questions all identically [but then tell me I can't do that when on the phone with a rep, despite their system letting me], the SWTOR.com site actually forces them to be different. I don't understand this. I don't use these questions as truthful answers but rather as a second password. I don't want to have to remember 3 more passwords. I don't have solutions that I like, but I can surmise this current situation of security questions and passwords is more often done wrong than done right.)
by michael 12.20.11 at 8:58 AM in /general
This stuff is fascinating: a trade fair for (lawful) trojans and (lawful) keyloggers.
We hate these things.* We fight against such malware constantly. We prosecute those who break laws in such a way. Yet there is a deep need, and clearly "legitimate" money involved in both private and public sectors.
I guess it can at least be one way a kid who finds herself on the wrong side of the black/white hat world and gains skills in malware creation/evasion can eventually grow into a career doing the same thing for "legitimate" reasons. Certainly beats the untrusting world of unlawful crime.
* As a thought exercise, think about how many things happen on a network at home where a parent watches/controls a child's experience and compare that to how adults fight against such unwanted spying. Also compare against how similar things happen in a corporate environment to maintain security. I'm not saying these are bad, but it is interesting trying to draw philosophical positions to stand upon when looking at the appropriateness or global utility of various security efforts and practices. Ya know?
by michael 12.20.11 at 9:38 AM in /general
I was scanning Chris John Riley's post, "The more things change, the more they stay the same!," and noticed a Jeremiah Grossman talk mention: "WebApp Security: The Land that Information Security Forgot (Jeremiah Grossman)," which incidentally has some older slides available for a taste of the content.
Yeah, we've come a long way and haven't really gotten very far. But I think every era in security will likely echo the same sentiments.
Nonetheless, glancing at that talk title just rehashed thoughts in my head that not enough security people are technical enough. It's one thing to throw an Infosec guy into a room of developers and have him spout generalities and vague security concepts (which is just going to turn off the developers and further drive a wedge of passive disrespect), but it's another one entirely for the Infosec guy to talk and operate on the level of a developer, even to the point of sample code and pointing out real world issues. I think that's the part that is difficult these days, and it's not just limited to the web apps. I also think this is why QSAs are poorly positioned, misunderstood, and way too often abused as consultants when they're really not.
If you know a young person who has technical interest such as building web sites, and also has a budding interest in security, please do what you can to stoke those fires early, before their coding workload and life responsibilities overshadow their other enthusiasms.
by michael 12.20.11 at 9:59 AM in /general
Merry Christmas, Siemens, Billy Rios is calling you out.
by michael 12.21.11 at 6:44 PM in /general
It's been a tough week (think: windows domain DNS corruption), so I wanted to poke at something and not spend too much energy. Happily, I came across two nice entries by Ben Tomhave. The first is "3 Common Ways Security Fails People."
Sounds like fun, and I'll go over each of the 3 points with my Devil's Advocate robes on. I could rename these as the Neutrality Robes, or Robes That Keep Overzealous Ideas Checked Into Reality.
1) It [security] gets in the way.
Well, duh. And that's just going to be the way it is. A firewall gets in the way of traffic. A castle wall-n-moat gets in the way of open wandering. I do actually like the points Ben makes here, but ultimately we are dooming ourselves if we let ourselves (and others) think that security needs to not be in the way. But yes, people who want to do things will find ways to do them. And that's not the fault of security as much as the fault of the people finding ways around security. Just this week I had a developer using a writable file location set up for purpose X, and he decided he wanted to start writing application logs somewhere. So he picked that spot that he knew he could write to, which added an undocumented use to a location otherwise used for just one thing. Thankfully we talked about it and his need was only temporary so I allowed it, but that's the kind of thing security runs into, and always will.
2) It makes life more difficult.
Well, yeah. If you want a more secure house, you make the rounds to ensure the windows are locked, garage door is down, and alarm set. God forbid that is annoying. This wouldn't be the case at all if a) shit worked, and b) people weren't human. I made the comment on the blog post example that perhaps Ben was in the wrong for accessing OWASP Google Apps with a non-standard account, rather than blaming security for making his life difficult. Security is a compromise and a give-and-take [risk]. That goes both ways.
3) It doesn't understand what's important.
I hear this enough that I'm kinda sick of it, but it's a good point. Again, though, this goes both ways. If what you're doing isn't in the best interest of what's important in the business, and security calls you on it, don't blame security. And don't yell at security for everything that doesn't go your way. Yes, people do that.
The second article is similar in tone: "3 Uncommon Solutions for the 3 Common Problems."
I also like this article, but I haven't taken off my robes yet...
1) De-Operationalize "Security"
I understand the spirit of this point: get security inherent in the way operations works. But I'm not sure this ever really properly works without oversight of some degree. First, when push comes to shove and I have to do task A to satisfy a customer or do task A with a dab of security B on top, when I already have an overflow of things I need to do to satisfy business/customers, I'll do A and attend to B later when I have time. Operations will *always* get in trouble for not doing A, but will rarely get in trouble for pushing off security B. This is the same concept for coding. You can assign a variable a value quite easily, but to assign that variable in a secure, scalable, documented way takes more effort and knowledge. This is why I will agree that operations needs to do security, but the pressures are never really there to make sure security is as important as accomplishing the goal. If a customer pressures an admin to open the firewall in an insecure way, what do you think that admin will do when part of his job appraisal is based on customer service and peer feedback?
I could even tackle the idea that security is everyone's problem. While certainly a requirement in a blended approach, I'll take technological controls over human decision-making any day. At least from a strictly security perspective.
2) Elevate "Security" to "GRC Program"
I'm not going to tackle this because I've never worked in a situation like this. It's a bit of a sideways step to my experiences. In the brief mention in this article, it just seems like another silo and something for people to point fingers at. It also feels like it will still depend on all the operational people and technical managers to filter up enough accurate knowledge for potentially non-technical GRC managers to make decision upon. I'd rather just have one layer of experts (security team), but again, this isn't my reality.
3) Understand the Business
I'm losing mental momentum after my long week by now, so I don't have much to say that is useful. I agree with the concept, but I don't necessarily like the idea that regulations are distracting. Difficult and annoying, sure, but I'm not sure how any of them go against what a business wants, other than being a cost center. This may just be an illustration of the break between auditors (and external security) and their rigid interpretations of regulations and very un-agile recommendations to meet them for every business.
by michael 12.23.11 at 2:02 PM in /general
I appear to have found my snarky drawers tonight! What do these statements have in common?
"I didn't want that last chocolate anyway."
"I meant to do that."
"I'm happy with second place."
"Security shouldn't inhibit everyday ops."
Ok, I'm using hyperbole to make a point, but a point nonetheless. It is up to business to decide what risk they would like to take, but us security professionals should always strive for, be ready for, and work towards as much security as we can achieve, rather than make silly mantras so we can feel better when we don't get our way. Ok, so maybe it's not about getting our way, but it is a strange copout that can be used whether you win 99 security battles and concede one that impedes business too much, or you lose all 100 and use that statement as your excuse.
by michael 12.23.11 at 7:29 PM in /general
I was reading a Branden Williams blog post and came across a line that I agree with. It's one of those lines that I think needs time to sink in and be pondered, as it applies to not just traditional crime, but cyber crimes as well.
When I was first interested in computer forensics, I took an optional course at a security conference, given by the head of fraud at Lucent. It was a great class, where he walked through real scenarios that he had to deal with. After the session we were talking for a bit and I asked him, “If I did *** and *** and of course ***, how would you have to change your investigation?” He responded by saying, “We’d never find you. You see, we catch the dumb ones.” [author's italics, my bold emphasis]
It somewhat resonates to understand that law enforcement does not try to prevent all crimes. Can you imagine how ridiculous the controls and cost would be to prevent all crime of a particular type?
Really, just keep things like this in mind.
Oh, and also, definitely be scared of intelligent attackers (one [of many] reason the criminal arena of the digital world is scary). And be scared of those who operate absolutely on their own or in small circles or with the cover of diplomatic immunity of some sort. One of the biggest problems for criminals is the lack of trust in their own circles, which means lone rogues are powerful. And the less they need to rely on anyone else, like someone to sell their stolen goods to, or identity providers, the better off they are.
Thankfully, our underlying societal, governmental, and religious ideals (believe it, you're influenced by religious morals even if you don't specifically align with a religion) help keep the general intelligent public from being too criminal. Unfortunately, it is far easier to cross moral lines when you're masked by the anonymity of the internet and physical meatspace from your targets/victims/work.
And so on...
by michael 12.27.11 at 12:46 PM in /general
You receive the following email:
You have received a secure message
Read your secure message by opening the attachment, securedoc_2011228T1023948.html. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser. For access from a mobile device, forward this message to firstname.lastname@example.org to receive a mobile login URL.
If you have concerns about the validity of this message, contact the sender directly.
First time users - need to register after opening the attachment. For more information, click the following Help link.
Help - https://res.cisco.com/websafe/help?topic=ReqEnvelope
About Cisco Registered Envelope Service - https://res.cisco.com/websafe.about
Attack or legitimate email?
There are certain behaviors that we teach users to look for as sure signs of something fishy. For instance, an attached file with instructions on how to open it in a more vulnerable application like a web browser, which then brings you to some strange site to log in. The problem is the business desire to encrypt email contents. There really isn't a realistic solution to that problem that I'll personally ever be happy with. So this is a bit of a half-hearted bitching session by me.
Oh, and of course this is a legitimate email in support of delivering encrypted email. Which is to say it's not encrypting email at all, just forcing the recipient to go to a third party web site and download it over an HTTPS connection.
by michael 12.28.11 at 1:23 PM in /general
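The warning signs the post lists (HTML attachment, "open it in a Web browser", then register or log in, links to a domain other than the sender's) can be written down as mail-gateway heuristics. As an added example, not code from the post or from Cisco, here they are run over a constructed copy of the quoted notice (placeholder sender, dummy attachment body) and over a plain message for contrast; the point is that the legitimate envelope notice trips every one of them.

```python
import re
from email import policy
from email.message import EmailMessage

# Phrases user-awareness training tells people to treat as warning signs.
OPEN_ATTACHMENT_RE = re.compile(r"open(ing)? the attachment", re.I)
BROWSER_RE = re.compile(r"web browser", re.I)
CREDENTIAL_RE = re.compile(r"\b(register|log ?in|login|password)\b", re.I)
URL_RE = re.compile(r"https?://([^/\s]+)")


def build_sample_message():
    """Constructed copy of the notice quoted in the post.

    The sender is a placeholder and the attachment body is a dummy; the real
    .html envelope is not on the page.
    """
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "sender@example.org"  # placeholder, not the real sender
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "You have received a secure message"
    msg.set_content(
        "Read your secure message by opening the attachment, "
        "securedoc_2011228T1023948.html. You will be prompted to open (view) "
        "the file or save (download) it to your computer. For best results, "
        "save the file first, then open it in a Web browser.\n"
        "First time users - need to register after opening the attachment.\n"
        "Help - https://res.cisco.com/websafe/help?topic=ReqEnvelope\n"
        "About Cisco Registered Envelope Service - "
        "https://res.cisco.com/websafe.about\n"
    )
    msg.add_attachment(
        "<html><body>placeholder envelope</body></html>",
        subtype="html",
        filename="securedoc_2011228T1023948.html",
    )
    return msg


def build_plain_message():
    """Constructed ordinary message with none of the warning signs."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "colleague@example.org"
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "Meeting moved"
    msg.set_content("The 2pm meeting is now at 3pm, same room.\n")
    return msg


def attachment_names(msg):
    return [part.get_filename() or "" for part in msg.iter_attachments()]


def suspicious_signs(msg):
    """Return the labels of the warning signs present in a message."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    signs = []
    if any(n.lower().endswith((".html", ".htm")) for n in attachment_names(msg)):
        signs.append("html_attachment")
    if OPEN_ATTACHMENT_RE.search(text) and BROWSER_RE.search(text):
        signs.append("open_attachment_in_browser")
    if CREDENTIAL_RE.search(text):
        signs.append("asks_for_credentials")
    sender_domain = str(msg["From"]).split("@")[-1].rstrip(">")
    if any(host != sender_domain for host in set(URL_RE.findall(text))):
        signs.append("links_to_other_domain")
    return signs


if __name__ == "__main__":
    print("envelope notice:", suspicious_signs(build_sample_message()))
    print("plain message:  ", suspicious_signs(build_plain_message()))
```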
In light of recent penny-arcade-and-customer vs oceanmarketting [sic] drama, I was catching up on Penny-Arcade entries and came across one for Star Wars: The Old Republic (SWTOR) which sums it all up:
While playing last night with Scott he explained that his bounty hunter was all about completing her contracts and getting credits. She didn’t let her feelings get in the way of the job. He was thinking about this before his character was even level 10. I’d be very surprised if he had any idea what sort of “person” his Troll Shaman was in WOW.
I went from 6ish years of WoW (wow!) over to Skyrim a month or two ago, which is a single-player story-driven game that is excellence. And then over to SWTOR. So the change was a slightly phased one for me, but I absolutely felt this same presence in SWTOR that Gabe/Mike mentioned above: you feel your character. And this is entirely because of the choices you make. And unlike other games where there is one "correct" answer and one "lesser" answer so you always want to make the "correct" answer, or even other games that waffle on the idea of irrecoverable choices, SWTOR gives players roughly equal, permanent choices, and they do so in a way that eventually becomes less agonizing and more beautiful. Thankfully I came into SWTOR from Skyrim, so it was Skyrim that started conditioning me to play the character because none of my choices are ever "wrong" (ok, so I still abuse the Quicksaves...).
Anyway, for those curious, I'm only a level 15 Sith Sorcerer (heal/dps), but only because I enjoy the game so much and still agonize over some of the choices such that I've played 4 classes up to level 11 so far, just to experience the characters, storyline beginnings, and playstyles of the classes. That game may not be "better" than WoW, but it is a very, very welcome change from the same old MO in "that other MMO."
by michael 12.28.11 at 3:17 PM in /general
If you're like me and you support Windows web servers running ASP.NET code, you'll want to at least read through today's Microsoft security advisory, which talks about an anonymous, remote DoS vulnerability in said targets.
by michael 12.28.11 at 4:36 PM in /general