the attitude of entitlement

I don’t typically go for inspirational/motivational speaking. I also don’t usually get into the same old marketing/business-speak of annual corporate meetings. But a month ago our annual meeting had a nice, minor message that our CEO mentioned. That of entitlement. The attitude that someone is owed something. This attitude breaks down teams, organizations, even cultures. It is a waste of karma. I found the quick message meaningful enough to tuck away with just this quick mention to reinforce it. Always earn your way. If you deserve it, you’ll get it. (I’m sure this was in reference to this year’s talk of exec bonuses and frivolities in Wall Street, but I take it on a far different and more personal level.)

casually tracking the terry childs case

Just wanted to link to some (months old) updates on the Terry Childs case, the SF Net Admin who locked the city out of the network. ComputerWorld has two updates, one from July and another in August where 3 of the 4 charges against Childs were dropped.

Why am I bothering? Because this is a big deal, even if many people fall quite easily into the black or white sides on this topic and even if the conclusion of this case will slide into history quietly with no fanfare.

Have you ever been in charge of a privileged account? Or built a system or network that your job is to secure and protect? And then ever have someone ask you for that password, or to bastardize that account setup, or allow someone inferior to access, modify, or change the requirements of your setup in a way that decreases the stability and/or security? It’s not a fun position to be in, especially in the constantly-on worlds of stability and security. I’ve never been and likely never will be in a position as huge as Terry, but on much smaller scales I have felt the pangs of frustration when other business units diminish my work because they make their own decisions, and so on.

Just today I was asked to give over an account password to a SQL DBA. This account is intended to be used in only one place and considered sensitive to the point that only admins on my level have access to it, and even then we forget the password after setting it. But now I’m put into a position where another set of eyes gets to see the password and store it to his leisure (and have it transmitted to him probably via internal email). And to have that account and password stored in a second system beyond the intended use. My initial reaction is that of concern, and it is frustrating to build up security only to have it dropped back down for whatever reasons.

Yes, an admin probably should defer to the actual owners of the system (business or political), or look out for the better good of the whole (usually a business and the customers). But sociologically it is a deep topic, and in terms of security a very weighty one. Do you set a precedent that access is shared out? That you never divulge the secrets? That you divulge the secrets when compelled? That you deny there are certain admins and rock stars in a business that truly do have godlike abilities and the value would be diminished if you limit that? And so on…

It really winds up being a series of problems with no real solution once you look at the various extremes. This is one aspect of why I think “risk management” is the rising star these days. Which extreme is the least risky and least costly/likely?

yet another wsj article on consumerlike freedom at work

The Wall Street Journal has another article discussing the fact that consumers are often ahead of corporate IT practices and policies that tend to err on the strict side rather than the liberating side. These topics get beaten to death and it really just comes down to economics (often in IT support costs for all the disparate things employees end up doing), but it is always a good topic to be aware of and exercised up on. From both sides of the fence.

Found this on 1Raindrop.

looking out for lifestyle hackers in the workplace

Jim Routh and Gary McGraw discuss “why twenty-somethings skateboard right past security controls, and what it means for employers.” Basically this gets back to how Gen-Y (and some Gen-X) grew up with the Internet and can multitask and expect such access at work as part of their social culture. The subtle twist is that these multitaskers will often non-maliciously finagle access to the very things that are blocked, i.e. they’re “lifestyle hackers.” This puts pressure on policies, and on security teams that look for this behavior and consider it suspicious by default (kinda like why Skype sucks from a security perspective; ever try to analyze strange traffic endpoints when your business uses Skype? It blows!).

I can argue the topic either way, but what I don’t like is a company that uses only the excuse of productivity for such blockages, and makes it feel like the decision is an IT one. Really, productivity is an HR and managerial thing. Making it an IT or even painting productivity as a security issue reflects weak management. Sure, such restriction can be made a security reason, but productivity angles should not be argued in IT.

Oh, and I tend to fall into this lifestyle hacker group somewhat. I won’t go so far as to access FaceBook through a proxy/tunnel or be blatant about it, but I won’t shy away from updating my blog, Twitter, or other not-blocked things given I do actually get my work done. I do prefer to multitask, but I also do remember life before the Internet. I’m, age-wise, on the cusp of all these generational changes (I’m 32 this year).

Found this while catching up on my HiR feed.

imagine you need to drop off the grid. today.

In August and September, Evan Ratliff, a writer for Wired issued a challenge. He would attempt to disappear, both online and offline, from his normal life. And readers were encouraged to find him, with financial reward promised. The project has now concluded and his story has been posted.

Many of us think about anonymity on the Internet. But have you ever thought about dropping off the online or even the Real World grid? Changing identities entirely? Well, ok, so maybe black hat hackers do. 🙂 Or perhaps you’ve wanted to know how private investigators work. Or maybe what would happen if a massively public manhunt for some notorious criminal may proceed. Maybe wonder how those FBI Most Wanted lists and television criminal profile specials could possibly be useful.

Or maybe you’ve wondered just what “average” people can dig up about someone. Some of the posts pulled out for the article are downright…creepy. How the heck did they get that information legally?

Maybe this is the future for government and private tracking/investigations or even espionage (although more than likely the present)? Sticking to what people know (interests, locations) but also leveraging the draw of our online social lives to reveal small, but dramatically important bits of information, even subterfuge in online interactions. Combining IP addresses with social network information with old-fashioned stakeouts and interviews; the trails we leave in logs and lives touched.

The article is written pretty quickly and, well, it doesn’t flow very well. But it touches on many amazing topics, from identity to social engineering to the loneliness (even desire to be caught!) and psychology of a mind on the run.

If there is any weakness in this whole adventure, it was that Ratliff didn’t need to pick up a job or want for money…yet. I imagine new challenges appear once you run out of cash and need to make up some money quick, yet stay off the grid or further legitimize an identity. Likewise, I’m sure the stakes change once real law enforcement starts tracking your existing assets and moving quicker and with more experience on tips and information. I’m sure some aspects of his run are easier for real efforts (ditching gf/family/boss, the silly challenges), and others less so (money, life).

Still, this is a great glimpse into a person on the run, and the grassroots efforts regular people can undertake to track someone of interest in our cyber-real lives.

interrogations, interviews, social engineering

Currently listening to the excellent podcast. They’re talking about police interrogations (probably more properly called ‘interviews’) and it reminds me of what I’ve read in a book a while back that I browsed over a few lunches in the bookstore (I hope I’m recalling the book content properly, it’s hard to verify without the book nearby). I’d still recommend it, because it does go into some good detail on police/FBI interviews: Arrest-Proof Yourself: An Ex-Cop Reveals How Easy It Is for Anyone to Get Arrested, How Even a Single Arrest Could Ruin Your Life, and What to Do If the Police Get in Your Face. Yeah it’s a long, cheesy title with a cheesy cover, but the insight is pretty nice for the price.

Television interviews are often rife with drama and tension and lots of build-up and subterfuge, but often it just comes down to the on-the-spot ability for an interviewer to get someone to tell them something they probably shouldn’t or wouldn’t want to tell you. From my observations, this just ends up being a small set of subtle reflexive skills. Skills that you can learn and, for a while, consciously employ, until they become normal. But really, it’s less specific situational subterfuge and elaborate planning and just about general human interaction like mirroring.

millions of customer records sold

I’m not sure what is the worst part of reading an article like this that describes an ongoing investigation into the selling of millions of customer records from a “major mobile phone company.” The employee who had access to, ability to exfiltrate, and sell the records to competitors? The company that had no idea what happened until a third party had to break the news to them? The vague details that we’re yet again subjected to? That a company would buy such records (believe it!)? There are other issues I have, but I’ll stay quiet on them and only say that if there is a monetary value on data like this to someone in the world, then it will be realized, whether unauthorized or “authorized.”

security consultants have sweet gigs

My stance on security consultants vs dedicated security staff is pretty much across the board. Probably because it boils down to, “It depends.” I think security consultants have a sweet gig, to be honest, despite the issues.

If I were a typical business owner today, I would probably act much like a typical homeowner when it comes to security: wait until it is convenient, in terms of time, effort, finances, and emotional situations (i.e. did someone you know just get broken into? [is that transitive risk? risk-by-proxy?]). That probably means asking two questions and needing possibly one thing that consultants or a third-party provide:

1. How secure or insecure am I? This is answered by the function of audits or pen-tests. No folks, they’re not going away as long as this question is asked. Stop making it so damn complicated for the business owners when they ask a simple question like this. Compliance falls into this question, because owners will wrongly ask, “Am I compliant with XYZ?” rather than the correct question, “Am I secure?” A subtle, but important difference.*

2. What suggestions do you have that would improve my security? A sub-question usually not spoken but definitely just as important would differentiate between ideal suggestions versus high value/low resources suggestions (not the same as ROI if you ask me!). There’s that big difference between “patch Windows boxes” versus “patch all your software you use.” Or “log management” versus “out-of-band log management with your admins locked out, backed up to encrypted, secure tape and offloaded…” It is when business owners hear the extravagant solutions that they decide to just forget the whole thing and not bother. There is still a huge thirst for security knowledge, not just from enterprises, but even from individual consumers. It just needs to be doled out in digestible, actionable chunks. Often this ends up looking like, “Give me the top 10 things to do, in order of value/effort. I’ll only do the first 4, but I want to know what roadmap would be possible for the next 6.” This is healthy, and I think should be encouraged.

3. And consultants or a third-party can provide some managed services and regular tuning of an environment somewhat above and beyond advice and audits and pentests. I can argue that situation back and forth, but I concede there is realistic value. If you can share a security expert between 4 or 5 companies and they can tune your firewalls and give regular advice, that might provide a good value without the overhead of dedicated staff. Why try to figure out what PCI means on your own, or how best to maintain router config integrity or what to monitor with Tripwire, when some shared consultant already knows how? And if you get someone dedicated to you and a few others, you’ll probably get better service than some cog in the huge wheel of a large enterprise professional services department.

This third point that consultants provide is one thing that I often rag on because I don’t believe a third-party service will top quality internal, dedicated staff, and some consultants get to happily throw down their suggestions and walk away without ever actually implementing them or experiencing the day-to-day realities of them. But relatively few firms have the ability to have dedicated security staff. Many barely get away with dedicated IT staff let alone specialized security staff!**

And it is a nice step up from just buying point products with the intention of not maintaining them, but rather plopping them in and spending as little time with them as possible. This often ends up meaning unqualified persons put it in and call it good, when in fact no one knows if it is working properly or being used properly. This is why SIEM is in such a weird boat. They’re a bastard child between your typical “turn-key” solution and your high maintenance “gotta watch it!” process. Other recent complex solutions also fall into this trap, like WAFs and DLP and even identity management. They’re complex, they sound like low-maintenance efforts, but anyone who truly gets security knows they’re still going to be time vampires quite often, especially when used wrong.

* Compliance is a great driver, but it really should be placed under the auspice of having “security” as the goal. Sure, it may be a thin, cheap veneer, but it’s better than building a culture of just meeting compliance XYZ.

** Adding a bullet item to your IT staff job descriptions that says “maintain security” is not the same as having security staff. Yes, baking in security is necessary. But operations and even IT projects will always, always, always trump any security-related tasks that *should* be done to maintain a quality security posture. The only way to do this is to have dedicated time carved out of your staff hours for security, and that’s just never adhered to without a real SOC they can retreat to.

sec links for 2009-11-17

Offensive Security has opened their exploit database. This is a response to the halt of milw0rm due to whatever circumstances. In fact, they improve on it a bit by sometimes adding a link to the vulnerable application, which is pretty slick. If there’s anything missing, it’s that I haven’t seen an equivalent section for the milw0rm videos. (Bonus: this site isn’t blocked by Cisco like milw0rm is!) has a new podcast out about, wait for it….social engineering! Hopefully this becomes the de facto place for SE information and education.

Mike Smith’s (rybolov) DojoSec talk on compliance is a good listen. The panel is good as well, although be forewarned that it gets deeper into government-types of compliance and standards. One theme: collaboration in creating and defining regulatory controls. I had to pull out one quote from Mike from the panel in regards to a question about granularity in compliance controls: “If you make [regulatory controls] very, very broad, you’re relying more on [in-the-trenches practitioners] with varying levels of skillsets to interpret it, but if you make it more and more specific, then you rule out a lot of other solutions. So you lose a lot of that flexibility. And in the places where you have really smart people who know what they’re doing that actually limits what they can do.” Other DojoSec videos can be found in their archives.

Andrew Hay decides to torture himself by reading (and then sharing!!) horrible press releases. Yes, I agree a little bit dies inside whenever I read this drivel where it reads more like marketing (or a company) trying to impress themselves with long sentences filled with vague buzzphrases and 5-cent words. This is why I prefer to talk to the SE and get my hands on products directly to form my own conclusions.

Chuvakin has been busy! First, he throws down about SIEM complexity (for me, SIEM is a nice-to-have only because it ends up being too complex…but that’s what you get in pursuing the futile effort of replacing analysts with a box, rather than marketing SIEM as a tool to *assist* analysts…). Second, he grabs FUD by the throat both for a shake and a hug. (Me, I don’t rail on FUD too often because I agree, it’s necessary and will never go away, but that doesn’t mean we need to wallow deep in it; besides, “FUD” itself is too subjective…). And third he addresses the devil of PCI DSS. (Again, my take is that PCI DSS is just fine, but organizations suck at security in general and they’d suck even worse without PCI DSS. I don’t get how that’s hard to swallow.)

To swerve off on a brief tangent, security is not solvable. To this end, that means media can forever be able to point out flaws. Likewise, analysts can forever be able to point out how measure XYZ doesn’t address MNO. And further, FUD can always be brought up (whether “FUD” is a negative or a positive to you depends on that subjective definition [connotation/context] you place on it). Therefore, when I read tales about how XYZ isn’t addressing MNO, my first question has to be whether I need to care about MNO, not to rail against XYZ. My second question has to be how I would address MNO, regardless whether XYZ exists or not, especially if XYZ is just a product/standard and not a concept. My third question would be whether XYZ *should* address MNO. And so on. If you read the links Anton lists in the devil entry, this paragraph will make more sense. Don’t create XYZ to be a devil when that’s missing the crux of several problems.

yeah, infosec may be the hardest tech career

Mike Murray opines about why information security is the hardest career. He makes true points about how security needs to stay on the forefront of change in technology. (Although you can poke holes in the career examples, it is the point that counts, not the specific details.) And it is true. I could learn how to code something today, and probably live by honing that specific skill for a decade or longer. Security, however, doesn’t have that luxury. You tend to have to be knowledgeable in many things, and sometimes at a workable level with those whose whole years are embroiled in that one technology (advising web app devs on secure coding [json] practices, for example).

I sometimes feel security consultants have a sweet gig. They can drop the hard projects in a few sentences and walk away all smug and feeling helpful, when those projects may in fact simply be impossible in practice for various political or economic reasons (run a vuln scan and address every finding is typically *not* a casual weekend project). But I admit they have the most need to be on top of everything new as they no doubt get the joy of answering questions on technology so new they’ve never even heard of it yet.

And none of this really goes into the dirty work of not just keeping up with new things, but keeping the existing things monitored and updated and in check as time marches on and attackers try everything from new techniques to old goodies from 10 years ago.

No matter where you are in security and how you try to roll it, it’s a difficult task and a stressful, but fun career. Then again, maybe I’m dramatizing it since I’m in it… 🙂

Mike and Lee’s talk at Defcon is one of those few talks I really should have attended, in retrospect. Hell, I still have to find and download it!

sec links for 2009-11-16

0day vulnerability in SMBv1/SMBv2 in Windows OS products (including 7) has been released. While this sounds like other recent similar vulns (MS09-050, MS08-067), there are differences. First, this latest one sounds like a response attack from a malicious server rather than a direct attack (meaning yes, your web browser can be tricked to making an outbound call to a malicious SMB server if your egress filters suck). Second, so far the result is “just a DoS.” Best to keep an eye on this one.

Philosecurity makes a good point about the role of airport security identification checks during inter-state travel. Does showing a “valid” ID while traveling inside the country add any security at all? My opinion is summed up by saying this whole modern concept (post 9/11) of airport security is stupid. The reasonably preventable problem from 9/11 is the taking of the cockpit (or more accurately, the taking over of flight pathing) on large aircraft. That should never have happened. That cockpit needs to be absolutely secured long enough to make emergency landings. Sure, you can still concoct film-script scenarios, but all of them are far more involved than bashing through a door by force.

Rich Mogull has two pieces that are great to read together. First, about getting tired of the “security is failing” chants. Second, about the problem of the anonymization of [cyber] losses. There are no big answers here, and some of his points are arguable, but the end conclusions I feel are sound: we’re not dying, our bank accounts are not empty, and economics plays a huge role in security. I feel a lot of the activity in metrics and risk management of the last couple years is geared towards reducing the stress of the first article, and removing the anonymity of the second article (thus paving the way for more resources for security), as opposed to many of the activities that are trying to play catch-up and stop-all directly against insecurity.

researcher demonstrates attack using ssl/tls reneg bug

Via Twitter I see someone has taken the SSL/TLS renegotiation vulnerability and was able to inject enough to get the target to display unencrypted Twitter username/passwd combinations.

This still has some limitations, I imagine. For instance, you’d have to inject into a stream that could post or somehow redirect the unencrypted data, otherwise you’re really not getting anything or going to be able to see anything. Perhaps you can inject something that will affect the user’s browser, but I see that less as the whole attack, and rather more like a way to get in and start doing Bad Things. It’s still only half a big deal. And I’m not even talking yet that you have to be in the middle of the traffic stream.

The article says critics were somewhat dismissive of the bug initially. While that can be true to some degree, I expected it to be somewhat shunned because it is a highly technical bug and not easy to either explain to a journalist or have a journalist properly regurgitate back out for their pub. This is especially true since no one put into layman’s terms what all the techspeak meant.

sec links for 2009-11-13

UCSniff 3.0 has been released. UCSniff is a VOIP/IP Video sniffer.

Thierry Zoller discusses the recent SSL/TLS authentication gap issue (pdf). Pass this up if you want easy summaries and less technical coverage.

Nickerson mentioned this presentation on ExoticLiability 39. This is how a technical talk should go. A couple slides saying web security is a big deal, WAFs try to prevent it, and then spend the vast majority on deep details on how to bypass WAFs. If I can find the audio/video of this presentation, I think that would be even more effective than just the slides.

OWASP Top 10 RC1 (pdf) has been released. What I like about a list like this is they don’t just present the knowledge-based issues, but they also address the need for actually planning development smarter. Solving things like SQLi and XSS often comes down to being an expert coder (beyond just a functional 2+2=4 coder). There are still plenty of bonehead mistakes made in the planning and architectural stages.

You have to look out for user-supplied content, but you also have to look out for unattended user-supplied administration of things like groups: Facebook Groups can be hijacked.

sec links for 2009-11-10

I missed it, but the 60 Minutes feature on cybersecurity this weekend sparked others talking. Sounds like they prominently used the example of hackers taking down part of the Brazil power grid a couple years ago. Robert Graham at ErrataSec’s blog has posted a far more believable theory.

Via the Twitter account comes a link comparing new media’s (TechCrunch) coverage of FaceBook ad scams versus old media’s (NY Times) coverage of the same topic. Talk about a perfect way to make a great point (not that the reverse couldn’t also be true…).

Skype in the enterprise continues to have hurdles to climb, not the least of which is the ability to easily ensure your employees are not leaking confidential information through it. If you trust the integrity of the Skype IM log files, you can work on understanding the Skype chat log file format.

MoW’s The Powershell Guy site has a nice post on how to use Powershell to convert Unix timestamps to a more readable format. My need the other day was to correlate some log entries in my IPS against my web proxy access logs.

sec link posts format

I’ve long made it a practice to add commentary to many links I give, and not spew out too many, or make lengthy posts filled with, “go elsewhere” bits. Too often I read other blogs with lists of links and I’ll think, “I like #8 and want to check it later.” Then I end up with orphaned browser windows/tabs/bookmarks waiting for attention or RSS reader items unread where I really have read it and only want to revisit 5% of the content.

But over time I get lots of little links stuck around here and there that I really have nothing to add to, but would like to save or point out for future or community reference. I really like Kevin’s format over at InfosecRamblings; not too long, gives some context to what I’m clicking to, and I find that they’re not always the same links as I see everywhere else. I also like to avoid posting the 14th mention or something and making it sound like my link to it is a big deal that no one else has. Those are the ones I tend to mention in one line, or not mention at all since everyone else does. I certainly hope that anyone who reads my blog here also reads many of the other great sec blogs out there that are in my reader as well (or at least people should, since my blog is geared to me more than any audience).

Anyway, long story short, I’m going to try out an irregular format of spitting out a couple links every so often to see if I like it or not. I may find it offers me nothing new…