six worst security mistakes

NetworkWorld posted a rather good series of articles on the six worst security mistakes.
1. Not having a security architecture – I like this overview, but I would add the need for logging and reviews of logging, from syslog/snmp stuff to web logs, OS logs, etc. Sadly, none of the companies I have worked for have been big enough to trouble themselves with spending money on formal security architectures beyond what is done when the environments are built or enhanced. Policy and protections have been second place, at best, to functionality and getting the needs taken care of.
2. Not investing in training – This discussion was awesome and a lot of poignant stuff was mentioned. I liked the contrast of the benefit of employee training and what happens when untrained people make decisions.
3. Neglecting identity management – Since I’ve not worked in environments with over 500 employees, I’ve not had to worry much about identity management. Sadly, gaining any type of knowledge here is difficult, as so many sources pretty much say, “you need identity management, here’s kinda what it is” but never discuss what products work, what don’t, pros and cons of each, or even how to properly implement it from user acceptance to technical specs. This is one of my biggest issues with a lot of trade mags, especially vendor/ad supported mags that otherwise get sent free. They talk in general terms without actually giving me, an IT doer, much substance. Someday I’d like to examine identity management systems, but so far I’ve not seen a need for it in current environments. If I could make my own home-brew setup with little cost (maybe a USB fob and open source software), I would love to add that to my projects list.
4. Ignoring the insider threat – Most articles talk about how the insider threat needs attention, but never explain what to do, even in the most elementary terms. This piece goes one step further than most by saying one should monitor employee network use, harden the internal network, use internal network IPS to filter at the switch level, review and test internal access controls, and limit explicit trust in pretty much everyone. This is a good start, but spending money on this can be difficult as not many people really want to think about insider attacks. HR and management like to trust their employees while IT security tends to distrust pretty much everyone. This is just a matter of having different viewpoints, and can be a hard topic to effectively discuss. I think I would add in that not just employee use should be monitored, but all internal system logs as well, especially for odd connections, failed authentications, IPS/IDS alerts, and mysterious local account creation. Internal routers and firewalls can help segment things quite nicely and put off the bear of hardening all systems, at least for a while.
5. Not protecting web appliances – This was a shaky article, but I like the identification of three levels to protect when it comes to web servers: the host (OS), the server infrastructure (IIS/Apache I believe he meant), and the web application. The host and the infrastructure are no-brainers, really. The web app is the dicey part. In my experience, infrastructure (network and sysadmin roles) is not married with application development; in fact, these teams tend to work in opposition to each other. Likewise, security tends to fall in the middle somewhere. Infrastructure may bring it up and even test it, but typically we are hands-off when it actually comes to code changes. Whenever talking about web site security strategies from an infrastructure viewpoint, defense in depth must always be used. Assume there will be vulnerabilities in the web app, and plan to mitigate them. If development and infrastructure work well together, it will be a cold day in hell… 🙁
6. Buying products with the most bells and whistles – This is an interesting item, and I think it is a product of poor training, lack of time to make accurate assessments and decisions in the face of sales propaganda, and lack of a security architecture or plan. Sadly, I often hear about how appliances are purchased and forced into an environment because some senior manager read about it in a magazine and demanded it, all without truly evaluating the needs, the best solutions, or determining if there is a need for more staff to properly manage it. A spiffy buzzword logging device is useless if no one is looking at the log reports or investigating the reported issues.
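One way to act on the point in item 4 about reviewing internal system logs, as an added example that is not from the NetworkWorld articles or this blog: a small Python script run over constructed, syslog-style lines that flags a burst of failed logins from one source, a successful login right after such a burst, and any local account creation. The hostname, addresses and user names in the sample are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a syslog-like layout (not real logs).
SAMPLE_LOGS = """\
2006-09-01T02:10:01 fileserver sshd[311]: Failed password for root from 10.0.5.23 port 40122 ssh2
2006-09-01T02:10:03 fileserver sshd[311]: Failed password for root from 10.0.5.23 port 40123 ssh2
2006-09-01T02:10:04 fileserver sshd[311]: Failed password for admin from 10.0.5.23 port 40124 ssh2
2006-09-01T02:10:06 fileserver sshd[311]: Failed password for backup from 10.0.5.23 port 40125 ssh2
2006-09-01T02:10:09 fileserver sshd[311]: Accepted password for backup from 10.0.5.23 port 40126 ssh2
2006-09-01T02:11:40 fileserver useradd[402]: new user: name=svc_tmp, UID=1007, GID=1007, home=/home/svc_tmp, shell=/bin/bash
2006-09-01T09:15:12 fileserver sshd[555]: Failed password for jdoe from 10.0.2.14 port 51000 ssh2
2006-09-01T09:15:20 fileserver sshd[555]: Accepted password for jdoe from 10.0.2.14 port 51001 ssh2
"""

# "<timestamp> <host> <program>[<pid>]: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[a-z_]+)\[\d+\]: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")
USERADD_RE = re.compile(r"new user: name=(?P<user>[^,]+)")


def parse(text):
    """Turn the raw lines into (timestamp, host, program, message) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected layout
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append((ts, m["host"], m["prog"], m["msg"]))
    return events


def _prune(bucket, now, window):
    """Drop failure timestamps older than the sliding window."""
    while bucket and now - bucket[0] > window:
        bucket.pop(0)


def find_suspicious(text, threshold=3, window=timedelta(minutes=5)):
    """Return (kind, host, detail) findings for the three things item 4 calls out.

    auth_burst            : `threshold` failed logins from one source inside `window`
    success_after_burst   : a successful login from a source that just had such a burst
    local_account_created : any new local account, regardless of who created it
    """
    findings = []
    failures = defaultdict(list)  # source ip -> timestamps of failed logins
    for ts, host, prog, msg in parse(text):
        fm = FAILED_RE.search(msg)
        if fm:
            bucket = failures[fm["ip"]]
            bucket.append(ts)
            _prune(bucket, ts, window)
            if len(bucket) == threshold:  # fire once, when the threshold is crossed
                findings.append(("auth_burst", host, fm["ip"]))
            continue
        am = ACCEPTED_RE.search(msg)
        if am:
            bucket = failures[am["ip"]]
            _prune(bucket, ts, window)
            if len(bucket) >= threshold:
                findings.append(("success_after_burst", host, f"{am['user']}@{am['ip']}"))
            continue
        um = USERADD_RE.search(msg)
        if um and prog == "useradd":
            findings.append(("local_account_created", host, um["user"]))
    return findings


if __name__ == "__main__":
    for kind, host, detail in find_suspicious(SAMPLE_LOGS):
        print(f"{host}: {kind} -> {detail}")
```

The threshold and window are the knobs to tune against your own baseline; on a box where a couple of typos per login are normal, three failures in five minutes is noise, while a success following a burst from one address is worth a look almost anywhere.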

free is not always free even in cyberspace

An article posted on SecurityFocus quoted:

Building on a Wall Street Journal analysis of the 20 million search queries leaked by America Online that found “free” to be the most popular search term, SiteAdvisor warned that the results produced by such searches frequently lead to malicious Web sites.
“Often, so-called ‘free’ items are anything but free,” the company, recently bought by security firm McAfee, stated in its advisory. “Free screensaver and games sites are notorious for bundling spyware and adware with downloads… Free e-card sites often share users’ e-mail addresses with third parties and can lead to a never-ending influx of spam… Ringtone sites frequently lure consumers with misleading offers of free tones that ultimately lead to automatic enrollment in paid subscriptions.”

I admit, back in the day free stuff used to be cool to download. These days, however, they are packed with spyware and other not-so-nice things. Always have to wonder, “why is this free, what are they hoping to get?” More often than not, to get something installed on your computer or get your “clicks” on their sites.
I honestly have more trust in downloading cracked commercial apps through my regular channels as opposed to free sites. However, when looking for legit free things, I put a lot of faith in SourceForge-hosted apps and anything from a website that looks like a real developer just offering out to the world some little tool he/she created to do something cool. Anything else like free screensavers and the like are just not really worth the time and effort and risk.

linux

I am really toying with the idea of plunging fully into Linux…while also just testing with my toes again. Hrmm…
I’ve run Linux in the past, from Red Hat version 7 up to SuSE 9.x and various Livecd incarnations. But I’ve never been able to stick with an install for long enough to really immerse myself into it. Red Hat 7 was interrupted due to a need to do some resume/website work back after college when I was unemployed. SuSE was interrupted by my need for gaming…multiple times.
But the gap between Linux and Windows, especially the apps in Windows that I rely on a day-to-day or weekly basis, is greatly diminished now, if not gone altogether. The only real gaps would be ease of use of all the years of acquiring apps and programs to do certain tasks, the support for gaming, and the support for wireless.
The years of acquiring apps may be interrupted soon by Windows itself…who knows what Vista will be changing when it finally releases, but it will be a whole new world to learn anyway (although not entirely). The support for gaming has been getting better, but only slowly. Thankfully, having a gaming-only machine is not a bad idea, especially since any Linux that I run will not need beefy specs or expensive machines. And support for wireless has been getting better in leaps and bounds, to the point that some of my Livecds recognize my wireless laptop right from the install, and get online with absolutely no work on my part.
But, I do still game, and I do still have a lot of things on my XP laptop that I just can’t part with quite yet, especially since it’s the only machine that seems to accept any of my old Windows XP keys and licenses (damn Genuine Advantage, in the end, it will end up driving me away from Windows…).
So, one thing I really want to do is make sure I have Linux on a laptop, which does greatly limit my choices on my systems. I think I might give another shot to dual-booting or even just running VMWare Workstation on my laptop and carving out some space for a Linux install. I know my system isn’t all that robust (512MB RAM), but I think if I go ahead and wipe it off and reinstall Windows XP, it should be cleaned up enough to allow me to run a VM Linux (Ubuntu or SuSE again).
This post started out with me wondering to myself where I should put Linux and work it into my daily life, up to listing my systems and the pros and cons…but I think I already just talked myself through my plan.
This will leave me my gaming system, a possibility for less intensive games on my laptop, and leave me other lesser-speed Windows 2000 laptops for other uses. My other desktop-class systems can then still be whatever, as they are just used in my lab.
First order of business though: clean off the XP laptop, back everything up that I need or want, take inventory of what I need to replace, and start to organize up my tools and tempfolder (a dropbox for all sorts of incoming things that I’ve not played with, tried out, or used enough to file them away to keep or delete).

site upgrade planning

Now that I should have some more time on my hands, I am looking at possibly upgrading my site a bit. I seem to alternate between back-end updates and front-end design updates, and I’m overdue for both. However, I still like the site design, so I think it is time to jump into a back-end upgrade.
I am looking at blog systems that I can install. Currently I run on Apache with PHP4 (it might be 3!) with Movable Type 1.4 using flat files instead of a database backend on a very stable Windows 2000 Pro box. Movable Type fit my bill exactly, back in the day, but then quickly went commercial and I’m not really willing to pay for something like this. I also have Perl installed, and am willing to update all of these components (I would prefer to keep Windows 2000 though, simply because it is stable, I can get it free, and I’m intimately familiar with it).
My requirements/wishlist, for my own edification:
– easy posting from anywhere (u/p login)
– optional comments…bonus: toggle comments per entry as opposed to per site
– MSDE/SQL 2000 (preferably MSDE) backend with little administration needed
– php-based, but something that requires very little tinkering and coding other than templates/layouts
– the ability to make everything very minimized/minimalistic, from archives, comments, to posts, and the whole blog itself
One thing that was a bit flexible about this version of Movable Type was not just having multiple blogs, but being able to use them creatively. For instance, my movie list on the right is actually another blog embedded into this page.
I also have a private page where I host all my geekier things. This is almost like a knowledgebase for myself. I am currently running Blosxom which I really love for its simplicity, but I think I am ready to move to a wiki or knowledgebase system.
– easy posting and updating of posts/topics
– good support for wiki-style knowledgebase stuff
– comments system or possible collaboration
– MSDE / SQL 2000 (preferably MSDE) back-end
This upgrade may not happen for a long time simply due to other things going on, and I plan on evaluating some solutions over time, so that I can get the most out of a wiki or blog system. I also now have spare systems to test things on, which will be ideal.

maynor&cache vs apple: the winner…full disclosure

So for the past month the IT world has been abuzz about how David Maynor and Johnny Cache demonstrated undisclosed attacks to root wireless laptops where they may or may not have used Apple’s built-in wireless card or third-party wireless drivers for a possible third-party wireless card.
And look at where Maynor and Cache are now. In the middle of this summer’s biggest IT feud, which is spreading a feeling amongst the “blogosphere” that is worse than a smarmy, humid, hot, and never-ending day in the mosquito-infested bayou. Ugh.
All of this uncertainty has resulted in mudslinging, amateur journalists (bloggers) having panic attacks, Mac fans up in knee-jerk reactionary arms, large corporations side-stepping issues, and quite a lot of upset and pissed off people all yelling at each other and only half-reading everyone else’s posts before adding to the panic. And the only way to clear all of this up is for Maynor/Cache to admit they faked the whole thing (I don’t think so), for Apple to admit they have been skirting the issue and finally take responsibility for it (I don’t think so), or for the details to finally be released (after a fix, of course).
Until such time, we’re all still left with uncertainty. But what I am certain about is our approach to “responsible disclosure” is going to be coming to a head, and I don’t think corporations will be happy with the imminent conclusion.
Security practitioners are paranoid people. They tend to not trust much, let alone large corporations. Hackers and the underground are far less inclined to trust corporations. This distrust promotes the use of full disclosure, whether or not you notify the corporations beforehand, although I suspect a majority of people will notify the target companies prior to full detail release.
Wireless issues aside, there was no real way for these two to publish their findings without incurring wrath from someone. I think they took the lesser of three evils, while they at least got their names out there and known in the industry.
Last year was Michael Lynn vs Cisco where Lynn finally came clean (or attempted to) with a big Cisco vulnerability which Cisco did not fix in a “proper” amount of time. This year we have Maynor and Cache with wireless driver attacks.
In the end, every security researcher is going to think three times about releasing code. I think this will lead to one extreme or another. Either vulnerabilities will be released to the highest bidder or to the parent corporation and not released until a fix is released. Or exploits will be publicly released right away, giving the information to everyone at the same time. Considering security/hacking circles that are paranoid, a little untrusting of corporations, and very passionate about security/insecurity, I see the latter being the more likely.

security pet peeve #4: the obvious need

There are a number of news publications and sites and posts that say things like, “organizations now need encrypted backups,” or “spam is out of control,” or “building a comprehensive disaster recovery plan.”
I get a little happy when I see something like that, and I read into the article only to realize it is just one of those “obvious need” articles. These articles are great for new topics, but far too often they are already old news topics and offer me nothing on how to actually perform lots of these functions. Too often, I get the feeling these are written by people who can complain about the problem, but really have no idea how to fix it, nor have had any experience in what the challenges may be in encrypting all backups or trying to implement a company’s first disaster recovery initiative.

lifting the veil

So, I’ve been asking myself some questions and kind of dealing with how to present myself on the net while at the same time categorizing my own information overload by spilling things out into this log. I’ve decided that I don’t know why I maintain my cute redirection code in place to thwart trackbacks and referral readers. On a bigger note, I’m not really sure why I keep this site secret, other than just because I don’t have a desire to really share this with people.

However, I think I have decided to remove the clunky code that at least veils the referrals. I may not entirely open this site up to the world, but I guess I won’t bother trying to actively obfuscate it.

slicing and dicing information loads

There are way too many news sites and blogs out there that I want to read. I’m at a phase in my career where I’m just sponging up everything I can. I have a growing list of sites that I use for resources and news and new stuff.
The problem is trying to manage it all. As I have gotten older, I have realized the grim reality of managing one’s time. In my youth and even in college, I had a lot of free time to just while away doing nothing much. Now, I find I have to sacrifice a lot of that “nothing much.” Thankfully, I shed the whole “tv watching” thing back in college, and unless it is a movie, my TV gets zero use.
Likewise, unless I’m relaxing for a few many hours on a weekend with my computer, a hot drink, and some calm music, I don’t get a chance to check all the blogs I want to check or network with the people I want to network with or try all the new things people have posted about or created. Ugh!
I’ve tried keeping my own private blog with a list of all the interesting links and then posting about the tidbits I wanted to keep available or braindump about. The posting part has been working amazingly well and I love it. But the links part, which ends up being just a web page of bookmarks, in essence, is something that I have a bit of a problem with.
Reading the news requires clicking on each one. Being that I want this page to remain private, reading at a hotspot or at work can reveal its presence, and I have to take extra coding measures to obfuscate the redirect trackback. This is just a little bit annoying. And if I ever did want to share its existence with someone else, that would mean also sharing my home web site, since they share the same IP (and box). Moving it to hosting is a bit of a chore as well, since I use a smaller, lesser-known perl publishing tool for the site content. Ideally, I would have a second IP just for this site…maybe in the future.
But reading the news there is still less than ideal.
I’ve tried out standalone RSS readers, and I settled on using RSSReader for a while. Unfortunately, I find that I’m not always on my home laptop in such a fashion as to pull up the app and read the news. Sometimes I’m at work, sometimes I’m in a live cd doing something else, and sometimes I just want one big long page with all the news right there so I can just scroll on down effortlessly. The one good thing I like about RSSReader? If I have populated it beforehand, I don’t have to have an Internet connection to read the content later. That’s really a big plus as sometimes I want to go some places that don’t have open wireless and sometimes I just don’t want to fuss with locking myself down a bit more at a hotspot.
I just started a Bloglines site yesterday and have begun populating it with news and blogs and vulnerability advisory sites. While I like the idea of a one-stop website I can go to for news, this still does tie me down to an Internet connection. I also have not been happy with the presentation of the feeds either. I like to have full content (unless fully overridden by the feed itself), I like to have posts parsed chronologically (not by site only), and I like to have them all displayed for at least a week back for blogs and less for others. With Bloglines, I’ve found I have to click a few times to get the Week view, and they never arrange in full chrono order. Hrmm…but I do like it for one-stop news while at work and at a hotspot. I can also maintain some anonymity there.
Maybe I should recheck RSSReader for some more view options. Other than at work, it really is a good option, as I really love the freedom to unplug somewhere like a park, and just browse news there.
The big downsides to RSS feeds? Easily, I dislike the oddball blogs or sites that have no RSS or non-compliant RSS. Some, I understand, are a functionality choice that was consciously made by the author, and that is fine. It is just hard on someone like me to remember that that site is an oddball. A new downside that is growing in popularity is the trust that apps and sites and people put into parsing RSS feeds that can possibly allow malicious code in feeds.
Someday, I also need to find a good way (on Windows and preferably without iTunes) to automatically download podcasts and load them to a folder that I can sync with my iPod. Yeah, I know, I might still be behind the times, but iTunes originally was not something I trusted on my box, so I always stuck with winamp to manage my iPod. For now though, I’m content with my site of links to pod/vidcasts and downloading them manually.
Forums I truly love. I like the usually informal and discussion-like format of a forum. Maybe it just reminds me of IRC days, but forums have a special place in my heart. Sadly, finding a well-populated one with useful information is definitely not easy to find. My list of forums is woefully small, and half of even them are filtered at work.
My last major source of information has been mailing lists. I started out getting on a number of busy mailing lists a few years ago with a gmail account, but found the web mail interface and my own lack of time very disappointing and as such I stopped reading them. I have only recently renewed my reading by pulling that gmail data down to Thunderbird and abusing filters to sort out the mailing lists. This has worked pretty well for me, but I still have yet to really work mailing list reading into my daily or weekly routine. I need to read them for a while, cull the useless ones, and settle down there. Having mailing lists post directly to a forum or blog (with thread REs being placed into comments) would be awesome, even if just for my own private viewing.
Anyway, these are just some ways I’m attempting to usher myself through this sponge phase of my career, and I can already feel it coming to a climax and settling down for me, which is very good.

security pet peeve #3: ethics and the color of your hat

Today I happened to get called a “black hat” on a blog comment simply because of some off-the-cuff comment I made that, admittedly, is not necessarily a straight-laced, stick-in-the-mud, ne’er-do-wrong practice. However, me being called “black hat” is about as laughable, as, well, anything else I’ve experienced this week so far…
But it illustrates to me one of my other big pet peeves in security: hat color.
Fashionistas aside, some people are pretty obviously Black Hat. The rest of us are pretty much stuck in a quagmire of uncertainty and greyness that really has no definition. What seems like grey hat to some may be very black hat to others; what may be white hat to some may be grey hat to others, and so on.
All of this is just so much drawing lines in the sand, only to have someone else wipe it away and draw their own line in the sand, and another person wiping it away and drawing their own line in the sand. It is all about ethics and morals and how you conduct yourself. And if anyone has taken any academic coursework or even any casual discussion on the subject of ethics, one will quickly realize there are no hard and fast lines. It is all very relative and all very undefined to such a degree that arguing about it is a complete waste of time.
As it is, I have no problem with most “black hats” or “white hats” or anyone in between. Each can live their own life and that is fine with me. But what really incites my pet peeve is when people get so ensconced with rage and prejudice and blind ignorance about the whole issue of ethics that it manifests into nearly fanatical knee-jerk reactions to any hint that there might be an ethics or hat color discussion arising… That is just shallow.
White hats have to live up to a certain level of ethics and morals, right? Well, how do they feel about speeding when driving? If it is a 30mph zone and they drive 32mph, do they feel guilty? Does that guilt adjust their behavior back down to an apologetic 30mph? Do they regularly bump 10mph over the limit, whether in residential or on the freeway in the throes of a 10 hour road trip?
This is the dilemma. This is the grey area.

obvious but new

A career in information technology is a career in lifelong learning.
A career in security is a career in lifelong learning.
Sometimes the obvious things are just not consciously obvious, and once they become obvious, things just “click.” That was a click there for me this morning, for some really odd reason. And I’m just glad I love learning both academically and on my own.

data, data everywhere…

The old adage can ring true for online habits: “Don’t do anything you wouldn’t want your grandmother learning about.” Long hailed as a place to conduct oneself with a wide measure of anonymity (read how bold kids can be in chat rooms or online games when they don’t have to face people in person), we’re all starting to feel the creeping implications of data retention policies, particularly illustrated recently by AOL’s search data release.
It is a bit sobering. I have been online in some form or other since the early-mid 90’s when I was barely into high school. Granted, Google was not around, but AOL sure was. And I used it, and searched using a number of search engines available at the time. How could someone like me know that 10 years later, data retention and search engine query analysis could reveal some dirty little secrets?
Not that I have much to hide, but it is still offending to have that sort of privacy illusion (?) yanked away. Have I searched for porn online? Yeah, I’ll admit it. Have I searched for some not-so-legal things such as hacking or bomb-making just to see if I could find it? Probably. Have I done an ego-search looking for my own name? You bet. And have I done all of those, in some combination or other, from the same IP? Considering I’ve had only a handful of IPs in my online life (not counting AOL dial-up in high school), the chances are really darned good.
Scary. Just think the dirt that may be dug from such databases on politicians 20 years from now. Our president in 40 years may have an old MySpace site still lingering there, waiting to explode with traffic from mudslingers.
Step back and take that one place further. What about spyware/adware apps which remain dormant and diligently report user surfing habits to central servers, maybe for years while users just silently huff and deal with their slowly ailing computer speeds. Or ISP traffic records that might be kept some day. Just think of all the places visited from just the one location. This now includes work-related websites, sites for stores in the area (ever look for the most local Mitsubishi dealership or the working hours for the local Papa Murphy’s Pizza?), and even the things you’d not want your grandma to know you were viewing online. Even people like me who maintain a more or less anonymous presence in security/hacking venues would be outed.
Then again, some may argue this can be good for the morality of the Internet. I remember a long time ago a study was done where people were put into a room to socialize. Later other people were also put in the same situation, only this time the lights were turned off. You can imagine the remaining senses were used, but they were used to a degree that almost all of the people in the room wouldn’t have used them in broad daylight. Use your imagination. 🙂 Maybe with the veil of anonymity removed, people will behave better? Naa…I just think they’ll try all the more passionately for anonymous services, onion routing, VPNs, and privacy standards.

innocence, playfulness, maliciousness

At first there was innocence, ignorance of the needs of security in networks during the days of the open networks, where network downtime and intrusions were borne more by discovery and accidents. Then there came playfulness, where security was beginning and attackers made more curious, playful attacks, toying with users or just crashing systems to see the effect.
Then came adulthood, maturity. Now, attackers are not necessarily interested in downtime or playing around. They have an agenda and they have profitable goals. Suddenly, we have maliciousness…

rambling: blogs, news, everywhere

I have a more private site that I keep as my own private little portal to security news, virus information, resources, tools, links, papers, and on and on. Every now and then I add a few sites to my links and remove a few defunct sites.
But every now and then while browsing news, I read on some site that “so and so” has more information, or “from the site of such and such.” And I end up following 5 links deep to 5 different sites all reporting on the same news tidbit. Then I realize what has happened and I say to myself, “wow, there’s a ton of blogs and news sites for tech news and opinions” (as I type one out here myself!). I wonder how cut-throat some of these link-relationships get? I’ve seen blog wars where someone feels they didn’t get credited or where people of differing views post in their blogs their reactions and then wield their viewers and commenters like some botnet to swoop on the other and comment-spam them, escalating the all-out blogosphere war. Ugh.
It is sobering the effect of the web as a way to express oneself, to self-publish, to create, to share, and share with. Even the most stubborn hermit still has that need to share his or her thoughts with at least one other receptive person, and the web is such an easy outlet to masses. There are times when I feel like heading out to the mountains, just me, nature, spirituality…and an Internet connection. 🙂
I used to run online gaming league/tournament/community sites, and I know the amount of effort and dedication it takes to keep something popular on the web. It was tough 5 years ago when I finally “retired” from that, and I can’t imagine how much tougher it is now, especially when you’re not just offering up something unique and fun like digg.com. Then try to find all the digg copiers or slashdot wannabes or every other blog out there that tries to act very self-important and get fans and followers. People like me who add that blog to their short (but growing) list of weekly visits. I can’t imagine how tough it might be to always put up meaningful content, opinions, and original substance on a technical blog or tech site…especially for me, someone who does not yet have something unique or original to share (someday, I think so).
But then I look back and see why I post here or even on my personal site. It is much the same way I might keep a journal (girls call it a diary, journal is more manly) next to my nightstand or in my backpack. It is a way to document my thoughts, and also comment on and document news stories. When 9/11 occurred and every blog in existence posted comments, it was not all because they wanted to be part of the news megasphere or get readers or even self-publish. That was an important event in their lives, more than worthy of being in the journal…only today’s journals are more able to be public and commented on. I definitely need to lighten up on my lashback of the blog effect on the web.
At any rate, there are blogs and tech news sites all over. There are weekends where I grab something warm to drink, and spend the morning or evening following the blog links. It is much like roaming down an unknown state park path, taking in the sites. Click a link, check that person out, look at his or her link list, pick another that looks interesting, and just roam randomly. Sometimes I pick people from Iowa, sometimes security/hackers (I love wandering into the sites of people whose names I might recognize from the scene, but who have grown up or moved on and their site remains as it was 5 years prior…), sometimes just random people with cool site designs or ways of writing. Sometimes I am looking for new people to add to my bookmarks, sometimes just checking out site designs for inspiration, sometimes just bored.
I wish I could keep up with such a huge community, but there are not many jobs that pay for that kind of a hobby, and in all honesty, I wore out my “online life-living” back in high school and college with IRC, IM, forums, gaming, and other things not worth mentioning, and it really never got me all that far anyway. As it is, I am one of those people who just looks for useful and meaningful blogs and sites to bookmark on my private page, to visit again over the months and perhaps even pipe in and comment to the author, perhaps making a friend or colleague in the process. It is always a sad event when one of my links gets removed, either from lack of updates or lack of updates that are useful to me as either I or they have moved on to other topics or phases of life.
For those that know what it means, I’m feeling just a bit QQ today. 🙂