the zombie apocalypse is coming!

Michael Gorsuch posted this article of a Texas road sign that was changed to display warnings of “ZOMBIES AHEAD!” I really can’t stop giggling about this, so I had to look up some more pics and info here and here.

I think this is hilarious! Although, yes the signs are there for a reason, but if someone sees orange construction equipment ahead and flashing signs, they really should be exercising caution, even if the sign is working, broken, or tampered with. If I saw this on the way to or from work, that would totally make my day.

It annoys me that people think someone “hacked” into this. Almost certainly the control box was not locked and was still using the default password. A bad move, but I’m not surprised considering the people who use these and deploy them state-wide. The last thing you want is to have your technician out on the road and unable to log into or unlock a construction sign. Fine, maybe someone did break a lock and maybe guess a password, but any non-hacker could do that. Next thing I know someone will break a window and rob a house and hackers will be blamed!

making choices in new technologies

Over the years, one lesson I am learning is being able to spot which trends in IT and security are things to do sooner than later (disk encryption) and which things are too new, too infant, too complicated, or simply have too few threats to do now (virtualization security). Certainly allows time to focus on the important things and simply be aware of the future things…

simplify

Warning: This isn’t a normal geek/tech post. There must be something in the digital air that is promoting personal posts this week…

I don’t typically read more than a few skimmed words in Rothman’s first section on his regular posts (they’re always more personal), but today I read a bit more. “I can only hope at least some of us have gotten past the greed of the past 20 years. I know that’s being way too idealistic, but we can hope, no?”

Yeah, sadly, I’m not even that optimistic to even think that. 🙂 Sometimes economic woes can be caused by natural issues (both nature and just natural economic cycles) or global influences. But, in my non-expert opinion, our current climate was caused by the confluence of just two* things: greed and affluence-addiction.

Greed. There’s no real need to expound on this topic. Corporations are greedy, individuals in corporations are greedy, and individuals themselves are greedy. It just gets back to one of the insinuated tenets of capitalism: always increase profits. There is no plateau, no arrival at happiness or some financial equilibrium of bliss. Unless policy or corp culture/leadership provide hard stops, the risky decisions continue.

Affluence-addiction. Sure, this is my own term I made up today, but it’s what I feel drives too-high mortgages/household budgets, gas-guzzling but “impresses the coworkers” SUV tanks and v8 cars, and exponential credit debt. Some odd need to always have better, perfect, impressive, and increasingly costly affluent luxuries. The drive that tells someone to go wash their car every 3 days so it looks pretty (especially on Saturday so it looks good in the Sunday church parking lot). I feel this every time I see a report on how some family is having budget issues as they send their kids to private school, drive two cars, and want their 250 channels of cable (or whatever it is people watch today, tivo?). Or drives the decision for a automotive exec to fly in a private jet to beg for money, but then continue to avoid the dirty commercial airlines to drive themselves on their second try.

I like my affluence as much as anyone, and I have my costly hobbies and interests, but I don’t like it being taken to non-practical excess.** I do have a little Emerson or Thoreau in me, and that’s the part writing today. There has got to be something said about the slave-driver weight of debt being indirectly related to happiness…

* Yes, I’m sure there are more, especially the long-term issues like maybe a governmental administration or long-term 9/11 fallout or whathaveyou, but I consider those, ultimately, to be minor influences.

** If you want a popular movie that explores a very similar topic, watch American Beauty. And try to compare every character in the movie on a scale of superficial down towards “underlying value.” A hint: stalker boy is one extreme, real estate wife is the other.

comparing web app scanners

Anantasec has posted a review/comparison of three major web app security scanners: AppScan, WebInspect, and Acunetix. This is an excellent-looking report! Just to save time for anyone curious about the results, AppScan lagged behind the other two in detecting vulns. Acunetix certainly scores well when you get a chance to use the AcuSensor piece. I personally have only briefly used/seen WebInspect. Basically I’ve never had a budget to get real hands-on with them.

chasing the ghost that is file integrity checking

When I read these two lines from Andrew Storms over at the nCircle blog, I got a little pissed off. Then I read them again and said, “Oh, yeah!” The post subject is the Heartland Payment Systems data breach and how there is little excuse for the lack of detection:

Many well performing products are available on the market today to perform system integrity monitoring. A basic email alert to an IT systems administrator could have done much to dam the flow.

Of course, quickly reading I missed that he is talking about a small slice of a security posture, but one that is exceedingly important when it comes to malicious software installs on server: system integrity monitoring (aka file integrity, digital integrity, etc).

Sadly, this is a slice that I don’t think is present enough, especially in the Windows space. I believe Tripwire Linux is still free, as are possibly others, but pretty much anything for Windows beyond homegrown scripts is yet another budget cost. My last two companies have not had any digital integrity software in place beyond your normal AV/AM pieces. Of course, anything that already has an agent on the server should be putting this in as a feature, eh? Well, as long as they aren’t one of the Big Boys who get disabled or thwarted as a first step in an attack…

This is yet again all part of a layered defense. Yes, people should not be doing much on servers such as browsing anything or installing much beyond what is needed. Yes, the network should have controls to limit access whether that be direct or pivoted (like Skoudis’ latest hacking challenge answer from McGrew). Yes, there should be network monitoring to find anomalies in egress and ingress, let alone some sort of IDS presence (come on, all that pilfered data had to either be sent out or stored in some constantly growing file!). Yes, server roles should be limited as much as possible, if only to allow regular deletion and rebuilding nodes in a cluster when they become inconsistent or “weird” as we call it. Blah, blah, system monitoring, blah, change management, blah, blah…

Why is it difficult to get this integrity monitoring? I can only guess. Money for yet another tool? Someone to install it on all the servers and tune it to ignore all the normal things like Windows patches? Lack of trust that ninja-like malware will get in underneath and root down lower than these checks?* Someone to watch all the alerts that come in and check them out? Maybe a lack of technical knowledge in someone who is “just watching alerts?” Or lack of knowledge to look far enough to explain an alert rather than write it off as yet another “Windows just being Windows?” Who knows, but all of these reasons don’t surprise me.

* Really, how often have we seen or heard of cutting edge techniques truly being used by people in the Crazy-Fu level of black hat criminal demigods? Maybe they don’t get caught, but my guess is that everything else is still so easy that there is no need to bother!

but it’s possible, right?

This is one of the fundamental differences between IT security and IT operations (or a difference between haphazard IP operations and properly managed IT operations):

web dude: “I need you to give a development service account access to a staging environment system for me to get a project done.”

sec dude: “Umm, no, you need to use a staging account in the staging environment.”

web dude: “Are you saying no because you don’t want to, or because you can’t do it?”

sec dude: “I’m saying no because that’s not how we manage and operate our environment.”

web dude: “But it’s possible, right?”

sec dude: *sigh*

It’s one of those “always painful” parts of what we do… Yes, it’s possible. It’s also possible for me to clone my HID card and leave them scattered in the parking lot just in case someone gets stranded and needs a warm place to wait while help arrives. It’s possible for me to open up the firewall to allow everything in and out. It’s possible for me to give everyone admins rights to their machine, go home, unplug my phone, and ignore frantic calls for help when things break. Yes, it’s possible, but it’s illegal/prohibited/stupid.

Further conversation can go down the topics like the difference between the right and wrong of most crime versus the right and wrong of digital practices/security; or how layered protections that go beyond the level of knowledge by the web dude in the above example will succinctly quell his protests (he doesn’t know I limit accounts to certain servers); or how policy is enforced, etc.

i don’t get the big deal of cloud computing

I don’t get it, but I admit I’ve not tried all that hard.

I actually don’t get “cloud computing.” No, I know the basics principles, but I don’t get why I need it, would ever want it, or ever care. Like “distributed computing” in an enterprise, it sounds economical in theory, but it seems otherwise impractical in the real world.

I understand that standard services can be outsourced/offloaded/clouded (depending on what era your marketing terms come from), like DNS or web acceleration or proxying. Or an Amazon storefront. Or CMS software. Or backup services from your data center. Whether I am Joe Blow or Susie Q, my needs will be pretty much the same thing and both of us can be serviced easily by the provider/outsourcer/clouder/offloader.

But I feel this only works when what you need is predictable by the vendor providing it, i.e. the more customized your needs are, the less you will ever be happy with what someone else builds. I see this quarterly in the pain levels of implementing third-party software and applications versus having in-house developers roll their own.

Fine, high-end number crunching may work, but I think those organizations with that need already invest a lot in the people designing such number crunching, and can probably fit into clouds better just by sheer numbers and mass. The people who still use mainframes, I guess. Maybe that’s the problem, maybe I’m just not in the mainframe space…

Update: I use my ISPs DNS services. Is that cloud computing? I also use GoDaddy as my registrar, and I may someday move to shared hosting. Is that also cloud computing? See, I don’t get it. 🙂

So it gets back to, why should I ever care about the cloud? I feel it sounds nice on paper, and for the few people who jump in with proper expectations it will be “just fine,” but for everyone else I think it will be more difficult to wrap heads around than keeping the computing in-house.

cutting corners with security*

There’s a comment over on Mogull’s blog post for the Heartland Payment Systems incident that was announced the other day. I wanted to link to it quick and highlight it. I won’t post the name or even copy the comment itself, but rather paraphrase (I’m just avoiding searches, especially if the comment gets removed later):

I have worked for the company for many years. They cut corners. They have big problems internally.

For the moment, let’s assume this comment is truthful and legit. A couple points I will use this for:

1. You get the real story on security the farther down into the trenches you get. Yes, you get far less actual risk management and ability to accept risk, but you get the real deal down with the techs who have their fingers on the pulse of the network and systems and processes. Any respectable security posture should include information-gathering from them.

2. Look behind the curtains of any company, and I would estimate that 99% cut corners, even up to making very huge mistakes or oversights. This is why pen-testing is not going away or beginning to die. This is economics, really, and part of the superficial facade that a business can throw up to anyone looking too closely. A role-play exercise for a security posture should be to pretend your systems and processes are suddenly transparent. What would the experts point out? What would Mike Rothman do? (Along the lines of ‘What would Brian Boitano do?”) This might throw eggs at “some security through obscurity,” but assume that still gives value and can be only looked at lightly. Really, the role-play should expose the real problems.

3. Is it possible for PCI to improve a poor security posture that has been an active choice for that entity? If a company is cutting corners, choosing to accept risk poorly, or simply incompetent, I would bet they will actively make sure PCI doesn’t catch it, or outright lie, fudge, or (hah) cut corners with the Assessor.

*”Cutting Corners With Security” reminds me too much of the book series that might read, “How to Cheat at Securing Your Shit.”

ev ssl fail or how to rebrand ssl and charge a premium price

The site SSLFail has rekindled my disdain for the “Extended Validation SSL” farce. It sounds lofty to have a CA validate that you are who you say you are, but all they really do is make sure you are a corporation or entity of some sort. After which (at least for the CA I use, which is one of the major 3), I can order as many EV SSL certs as I want and apply them to any domain that I can register. That includes domains that look like they might belong to someone else, i.e. their brand. I do this on a weekly basis for our clients. I’m not affiliated with company XYZ, but I sure can register a domain and purchase an EV SSL for it!

The first time my company acquired an EV SSL, it required some extra jumps through vague hoops. All I know is that it required a call to our main phone line (someone who claimed to be a receptionist) to then talk to one of the persons on our company charter (?) over the phone (someone who claimed to be the CFO). In our case, of course, these people were legit, but phone verification is ridiculous. I’m sure the CA looked up other things, but really the only information given was our incorporation date and entity type (corporation).

I imagine if I were a sole proprietor or LLC I’d still get approved, or at least an agent of mine would get it approved if they ran my web presence and I wanted EV SSL. Besides, like Blizzard not having real incentive to blacklist accounts or credit cards used to purchase exploitative accounts (read this book), what incentive is there for a CA to turn away my desire to purchase an EV SSL? Hah. Integrity and trust? Only if the process were totally transparent!

The point is, I’m less than impressed by the money-making scheme that EV SSLs are. And even less impressed by browsers forcing this adoption. It really is maybe the first time I think Firefox has failed me.

digital crime and punishment from rsnake

I just want to post and save a link to a discussion/essay that RSnake has written. In it, he talks about increasing the penalties for digital crime, maybe to an exaggerated level. It is worth a good read along with the comments.

Like security, I’m of a mind that there is no “solving” of digital crime in general. It is a fact of life and we have to find a moral equalibrium, just like any law enforcement category.

Sadly, I think the only way RSnake’s approach will work is if we remove one of the fundamental drivers of what makes many of us even use the Internet: the privacy. To achieve better punishments for more criminals, we absolutely must remove the anonymity, privacy, and transparent digital borders between nations.

This all goes back to what your “security religion” is. Are you a glass half empty kind of guy? Are you a “It’s not secure unless it is absolutely secure? sort of guy?” Or are you a glass half full person who sees value in partial security or incremental steps towards a goal that doesn’t need to be absolutely attainable? This is not just fundamental to a consistent approach to security solutions, but also fundamental for our attitude in our career.

heartland payment systems announces massive data breach

I see Krebs (via Mogull) has posted about an astoundingly large payment processor data breach at Heartland Payment Systems and may affect 100 million credit and debit card accounts. By the way, do as I do: use your credit cards only when you need to! I don’t even use a debit card.

Heartland called U.S. Secret Service and hired two breach forensics teams to investigate. But Baldwin said it wasn’t until last week that investigators uncovered the source of the breach: A piece of malicious software planted on the company’s payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company’s retail clients.

Baldwin said Heartland does not know how long the malicious software was in place, how it got there or how many accounts may have been compromised. The stolen data includes names, credit and debit card numbers and expiration dates.

Some questions I have:

So, how did malicious code get installed and run unfettered for as long as it did?

What led to the suspicions that a breach had occured? It sounds like the malicious code was found only *after* experts were called in. Why were they called in?

What breakdown led to all of this? I hate asking this question, since too often we get zero details on how these things truly happen, as companies, people, and legalese cover it all up leaving the rest of us unable to truly learn from their mistakes.

Was the firm PCI compliant? This is mostly a trivia question, but it will get asked so I might as well join in. PCI compliant or not, there *will* be incidents, even large ones. But it is useful to see if PCI or compliance in general is just not working as the means and end. PCI and any compliance should be an “oh yeah, we got this on the road towards being more secure,” as opposed to being the driver or the goal.

What could have prevented or, better yet, detected this issue? This is part of the “let’s learn from their mistake” that never gets truly answered. I imagine some egress monitoring should have helped…100 million transactions a month all going back out to one or a couple locations should have been spotted, right? And if you do *that* much business, you should have damned good monitoring on systems for processes and digital integrity, right?

downadup/conficker worm details

I sometimes skip posting about major events for a few reasons, two of which being I hate sounding like I’m just repeating what everyone else says, and any one who reads my blog should be involved enough to not use my blog for breaking news.

Anyway, the Downadup/Conficker worm has arrived and made its way into the mainstream media. I posted some info to my team and boss about it this weekend. Here are some links to more information (the more the better, especially for the analysis since no one source seems to get it all).

CNN article
F-Secure details
SANS info

Really, this whole worm occurence begs the age old question, “Did you update when you were told? Did you even know this was brewing?”

For us, this is still a somewhat non-event, although the widespread reality of this worm raises my concern over incoming laptops and VPN connections from home users, but not enough to keep me up at night, yet.

geek at work performance rewards

Joel Spolsky recently posted his latest inc magazine article dealing with the topic of performance rewards. While I think he dropped the ball on the actual reward he offered, I feel he has good food for thought on the subject. Questions like:

How do you measure performance and contribution?
If you measure, how do you know you’re measuring enough pieces to get a proper view of the employee?
How do you reward contribution without stepping all over your other employees?
How do you reward such that a competitor can’t just match it and steal away the employee?
How do performance rewards influence the attitudes of the other employees?
Should you reward based on how their updated resume would look to someone else?
Do you want to run a socialist or capitalist company? (Ok, I’m stretching it there!)
I think Joel has a good approach when he talks about the intrinsic and extrinsic motivations. Money and peer recognition are cool, but ultimately geeks like me derive their motivation internally because we love what we do and want to do it well. Obviously, that is not for everyone or every company.

Why do I think Joel dropped the ball with his example? Because that intern walked away with absolutely zero reward from Joel; instead walking away with what amounts to a coupon for a store you may or may not want to shop at again. Granted, his real reward (especially as an intern) are the line items on his resume and knowing Joel was impressed. I’m also not a big fan of ‘stock’ in its various forms. I’m not a huge fan of only doing peer recognition (unless it winds up as a resume line item) because it really has little monetary value (the fundamental reason almost everyone works) and can become so unvalued in other ways over time and if mismanaged. And I can go both ways when it comes to performance-based rewards.

Obviously Joel does other little things beyond direct monetary compensation to make work enticing and fun for his programmers; making it a place they *want* to work. So maybe he doesn’t truly need to think too hard about monetary performance-based reward schemes and instead keep doing what he does. Maybe give Noah an extra gift of some sort, but don’t otherwise break the cooperative culture that he obviously values. Maybe the reward or lack of one should not be a reason his workforce remains present and motivated.

At the bottom of the article, click the link to go to the base page if you want to read other comments posted directly to the article.

a taste of ssl failures at sslfail.com

If you want to get my feathers ruffled up a bit, bring up the topic of SSL and browsers. The whole situation is a mess, and I blame the browser makers (and partially our extended use of the web outpacing SSL updates) for muddying up the waters. Did we *really* need EV SSL and browsers throwing error messages on *everything* that wasn’t EV SSL? It’s just silly… Half the problems (sure, that’s my scientific measure) with SSL arise because of the browsers and the “market” for PKI. Sure, for consumers, they should be on the lookout for self-signed certs. For geeks that manage network devices and internal sites, self-signed certs are a daily reality.

I need to stop on that rant before I look more foolish than normal!

A new site, SSLFail.com, by Marcin and Tyler illustrate the issues SSL and web browsers (and admin teams that try to manage them) have. Not only does the site present images of failures in SSL usage, but they also have informational posts if you want to learn more about SSL and the nuances involved with it. To be honest, if you manage any device that uses SSL (web, network, VPN…), I’d suggest checking the site out. Hell, even if you just like to sit back and laugh at the security failures (or admin issues) other people have, check it out, too!