links for further reflection

Some topics in the security field are important enough to always be visited, even if a solution or consensus is not met. Such topics can lead to formulating entire paradigms on how we approach our daily security decisions personally and professionally. In fact, these discussions are important to me whether I agree with them or they run fully counter to my own views and I certainly do love bookmarking excellent essays.

Kurt Wismer has recently posted a couple such topics that I think are especially important to keep in mind. First, Kurt talks about why vulnerabilities are just never going to go away, and what that means to our approaches. Second, he probes the question on what average users need to know about their computer security.

policy compliance walkthroughs

Andy ITGuy posted a picture of a login and password taped to a keyboard. Awesome! So, how does one combat this besides just waving the policy around (since I’m not gonna bet my salary that that will work)?

First, I love the idea of walkarounds. I know it sounds juvenile, but some night do a walkaround inspection of the premises, especially cubicles/workplaces. THis can be done in phases of small random samples, as well.

Second, document and fix any mistakes. That login information on the keyboard? Photograph it and remove it and destroy it. That way the next time someone needs to get on there, they have to ask someone or make a cognizant effort to recall the information. That might be all the goading they need!

Third, maybe write up people who break the rules, but that is difficult at times to get managers and HR to get behind and put some teeth into. Instead, dock teams of people (or departments) points for policy breaks and reward the teams who break the least rules. Give em an extra day off, a pizza lunch, or whathaveyou. And no, a luncheon with the CEO is NOT a reward (yes, I’ve seen that!). Make it something people want just enough to add a little social pressure to comply. And try to keep it on the positive side of conditioning.

parallel thought of the day: rfid vs internet search

You use Google as your search engine, and you do searches for all sorts of stuff from your home connection with a predictable IP address. The resultant data kept by Google will likely eventually be sanitized with a unique identifier that won’t be tied to you. But as we’ve seen in the past, we can analyze all the searches I’ve done with that unique identifier and create a very real profile of me. Most likely you’ll find my habits, purchasing trends, most likely where I live thereabouts, and so on.

With RFID still being talked about, can you still have a problem with encrypted RFID tags or passports and such? Sure. While I might walk around with my RFID-enabled passport, various stores I shop at won’t be able to decrypt my passport information, but what if they could detect and copy it? They can track me without really knowing me. Get a wide enough subset of data by someone/something that can get long-range detection, and you can easily see where I work (I spend 8 daytime hours there), where I live (I spent 14 evening hours there), where I can to lunch, and my favored shops…

I wonder when cell phone tracking will become a marketing data set? It’s on me all the time and it is on. You can see every place I go by tracking it…again, even if you don’t know me.

Without knowing me, you can still know me…and given the ease of reading RFID devices and/or cloning of them… Hrmm…I bet in ten years I could get a Harry Potter-esque clock that lets me know when my kids are within proximity of my house and pop their portrait out when they’re home.

searching for people info online

Want to look someone up? Well, this blog post doles out some links to some fun people searching sites. As much as I’d like to say it found me out, there are quite a lot of people who share my name, and the only information I found on me was dated at least 4 years ago. Almost tempted to add this as a “people search” menu item on the right…but not really sure I’d use it unless I was a hiring manager or something….

corporate espionage tricks and tools

For Christmas, Andrew Hay linked over to a SANS paper by Shane W. Robinson, Corporate Espionage 201. Excellent little paper, and I thought I’d pull some info out and post it.

The idea of using Netgear XE102 devices to deliver ethernet over electrical lines is interesting, but I didn’t know it had gotten this far. For under $100, one can get a pair of these and start experimenting. Pretty soon we’re going to need some electrical outlet monitoring devices to listen for these signals being passed…

Silex has a SecurePrint device which will hold print jobs until the requestor walks over to the shared printer and is authenticated via their fingerprint. This seems to run around $500, which is a bit expensive for me to buy as a simple home toy, but might be justifiable if you can get dedicated printers out from HR/execs/managers/account managers and get them to securely use a workgroup printer. Still, if there is any issue with workground printers holding possibly confidential information in their print tills for too long, or grubby fingers picking up other people’s pages, this could be pretty useful.

DriveLock does what it sounds like it would do, especially when paired with the context of mobile laptops: locks down ports and drives. No idea how much this runs or even how truly effective it might be in a corporate setting, but I know we and many others are still wrestling with how to tackle device security on this level.

TrackStick is a GPS logger which can be attached to a car, left to log the driver’s travels, and then loaded into GoogleEarth or other programs. Just a small hop below real-time GPS locating technology. Can be found on Amazon for roughly $200, and others can be found by searching for “vehicle tracking.” I guess parents can use this to track their kids, eh? Jealous adults can track their significant others, and corporate spies can use this to profile assets. I wonder if the old concept of a surveillance society included the idea that everyone can surveil everyone else!

The LogiCube Sonix or Forensic Talon will provide fast media/drive duplication for well over $1000. Until encryption becomes widely used, it can be very exciting (or sobering) to think about what can all happen to a media device in an unintended party’s hands..

And to drive home the need for device port security, you can get a wristband that looks a heckuva lot like the “Be Strong” wristbands, but packs a USB port inside it. Load up your favorite USB-capable distro…

security’s top five priorities

DarkReading recently posted Security’s Top Five Priorities. I wasn’t going to post on this, but my manager made this a homework assignment as we’re going to discuss it at our team meeting today, so here’s some notes.

1. The Portable Problem – We can encrypt everything: PCs, thumb drives, portable devices, backup tapes. This should also deal with things (data) leaving our control and things (data, devices) coming into our control. Data Leakage Prevention may be a good logging mechanism on what is leaving, and device port control may help control things coming in. I’m not personally sold on NAC/NAP, although…

2. Web Two Point Zero-Day – Nice title! I think the authors missed making the distrinction about two very important veins in talking about Web 2.0 attacks: serverside concerns and userland concerns. Serverside concerns deal with fixing up the issues in web applications and making sure they are not opening holes to internal footholds or data that external users should not have; SQL injections, XSS, file executions, and so on. Userland deals with better assurance that users wielding a browser as they surf a website are not going to get pwned or catalyze a site-wide pwnage. Proper SDLC, developer education, regular audits will help serverside issues. Userland issues are much more difficult: endpoint security, browser and OS hardening and possibly even tools like NoScript, web filtering, gateway malware detection; user education about best practices as well as education on data leakage by posting confidential stuff to the Internet.

3. Attacker Inside! – Monitoring and logging, i.e. an audit trail, is paramount when it comes to detecting/preventing insider attacks. Database access monitoring, least privilege when it comes to network and data access (as opposed to OS access), and separation/rotation of duties could help. Likewise, making sure “small” security breaches that go against policy are truly dealt with, as opposed to ignored such that it creates a bad slippery slope.

4. Endpoint End Game – This is the big one these days. From encryption of the device to OS hardening, HIPs/firewall, device restrictions (USB…). This is also where user education comes into play, teaching users about the risks of using wireless, laptops, what data is important, social engineering issues, software policies (P2P), and what to do on laptops when not away from our more secure network where web filtering and gateway controls won’t block malware from malicious sites.

5. Botnet Bugaboo – There’s far less we can do about botnets than the other five issues, but as I’ve long predicted, they are a very real spector looming over the Internet. A lot of power that has thankfully not yet been wielded in a way that impacts me too much. We do have two things we can do. First, prevent PCs from becoming part of a botnet. This should include detection of C&C communications through IDS/IPS. Second, perhaps think about a strategy for responding to a DDoS attack, either directly to us or affecting us as collateral damage (we’re amplifying it or part of the same ISP block). The former doesn’t seem to require anything beyond endpoint and network security in general, and the latter is still pretty “out there” to be a huge priority beyond just thinking about it. I think ISPs, public networks, and security reearchers/products have more to worry about here.

seven fundamental info tech career questions

Saw this posted by Ben Rothke, Lee Kushner, founder and CEO of the information security recruitment firm LJ Kushner and Associates, about fundamental IT career questions. It’s nice to see that I’ve asked myself this same battery of questions the past few years, albeit in different ways and words. It seems a very common sense and effective approach.

1. What are my long and short term plans?

2. What are my strengths and weaknesses? Both soft and technical strengths and weaknesses.

3. What skills do I need to develop? It seems more appropriate to say “want” instead of need. If I want to develop the skills I also need, I’m in an appropriate career for my happiness goals.

4. Have I acquired a new skill during the past year? This is great for revising a resume or evaluating a current job. I like to separate this between new skills learned on the job and new skills learned on my own.

5. What are my most significant career accomplishments and will I soon achieve another one?

6. Have I been promoted over the past three years? Promoted or given raises would be my take on this.

7. What investments have I made in my own career?

bejtlich on does failure sell

I can’t imagine anyone that may read my site doesn’t read Bejtlich’s blog, so this post is just a reference for me. Bejtlich has posted a thoughtful blurb dealing with several very poignant issues that I firmly agree with. I know digital security has several absolute Laws (no silver bullet, you will be intruded, etc), but some of the included topics of the post are what I would call Demi-Laws or sub-Laws; things typically true and should be kept in mind in any digital security situation.

– management by belief (I think a Bejtlich term) increases up the organizational ladder; i.e. as one gets away from operations and hands-on day-to-day. The real pulse of an organization’s security rests with the incident responders and operations guys.

– somewhat related, the bar of acceptable security likely rises as one decreases down the organizational ladder to the operations guys. The techs typically can’t accept risk, whereas managers can; thus operations tend to be far more difficult to satisfy.

– management does not like hearing “yes, we spent $xxx on a security technology but it is still not ensuring our complete security in even that field. Security requires a different definition of success which we need to explain at every opportunity.

– digital risk is much less obvious to see; compare “network is slow” vs a SQL injection error leading to database leakage through your website.

Everyone should be asked the point blank question Bejtlich asks: Do you believe all of your defensive measures are 100% effective? One of my top Laws is security will fail. We have to accept that, and then the answer becomes apparent and we can move forward without living in some warped rose-colored reality.

Do you know how often people know better about some topic, but feign ignorance? Sometimes it’s when they find out, sometimes it’s to themselves. It’s an interesting psychological issue… I think our culture tends to have this pull towards living in some state of ignorance about most things…

accuvant security news

In case you don’t see these, Accuvant has a regular security news posting called Five Minute Security Digest that has some info and links to various articles posted online. You can subscribe from the top of the page if you like these emails.

The last story is a link to a Google search for Belarc Advisor reports posted on the public nets. Whee, I could always use extra Win XP keys for my old test systems!

a security interview question

Every now and then I’ll see a post about interview questions for geeks…I mean, IT employees. One question that just came to mind involves a security position, or one that requires a person who has security in mind.

You have the following services known in your organization. Where/How do you look to keep current on the security issues in these services? Cisco, Microsoft Windows Servers, XYZ ticket system with ABC modules, Skype for IM/VOIP, HP laptops (chosen for a reason), Fedora/BIND DNS servers, IE6 as only desktop browser, and so on…

The obvious first answer all IT persons should give is the manufacturer’s website for patch releases and advisories. But the real security-minded people will know how to go beyond that. For Windows, there are any number of ways to view security released either by WSUS, MBSA, or many dozens of sites that post about them every month. Securiteam, Bugtraq, Full-Disclosure, Secunia, and various other vulnerability disclosure sites have RSS feeds and/or mailing lists that discuss or announce various issues, sometimes in advance of the manufacturers having fixes out. Further knowledge of services like McAfee’s internal threat announcement system can be a bonus as well, especially if it pertains to what you have already deployed in your environment. “Omigosh, they already know about Snort and how to properly update and read new signatures! They’re relevant to me already!” And yes, the ability to subscribe to Bugtraq is one thing, but can they pick out the necessary information from the non-interesting stuff? Do they know the Linux teams regularly post out their advisories there? And so on…