If you’re like me and you support Windows web servers running ASP.NET code, you’ll want to at least read through today’s Microsoft security advisory which talks about an anonymous, remote DoS vulnerability in said targets.

In light of recent penny-arcade-and-customer vs oceanmarketting [sic] drama, I was catching up on Penny-Arcade entries and came across one for >Star Wars: The Old Republic (SWTOR) which sums it all up [emphasis mine]:

While playing last night with Scott he explained that his bounty hunter was all about completing her contracts and getting credits. She didn’t let her feelings get in the way of the job. He was thinking about this before his character was even level 10. I’d be very surprised if he had any idea what sort of “person” his Troll Shaman was in WOW.

I went from 6ish years of WoW (wow!) over to Skyrim a month or two ago, which is a single-player story-driven game that is excellence. And then over to SWTOR. So the change was a slightly phased one for me, but I absolutely felt this same presence in SWTOR that Gabe/Mike mentioned above: you feel your character. And this is entirely because of the choices you make. And unlike other games where there is one “correct” answer and one “lesser” answer so you always want to make the “correct” answer, or even other games that waffle on the idea of irrecoverable choices, SWTOR gives players roughly equal, permanent choices, and they do so in a way that eventually becomes less agonizing and more beautiful. Thankfully I came into SWTOR from Skyrim, so it was Skyrim that started conditioning me to play the character because none of my choices are ever “wrong” (ok, so I still abuse the Quicksaves…).

Anyway, for those curious, I’m only a level 15 Sith Sorceror (heal/dps), but only because I enjoy the game so much and still agonize over some of the choices such that I’ve played 4 classes up to level 11 so far, just to experience the characters, storyline beginnings, and playstyles of the classes. That game may not be “better” than WoW, but it is a very, very welcome change from the same old MO in “that other MMO.”

You receive the following email:

You have received a secure message

Read your secure message by opening the attachment, securedoc_2011228T1023948.html. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser. For access from a mobile device, forward this message to mobile@res.cisco.com to receive a mobile login URL.

If you have concerns about the validity of this message, contact the sender directly.

First time users – need to register after opening the attachment. For more information, click the following Help link.
Help – https://res.cisco.com/websafe/help?topic=ReqEnvelope
About Cisco Registered Envelope Service – https://res.cisco.com/websafe.about

Attack or legitimate email?

There is certain behavior that we teach users to look for that are certain signs of something fishy. For instance, an attached file with instructions on how to open it in a more vulnerable application like a web browser. Which then brings you to some strange site to log in. The problem is the business desire to encrypt email contents. There really isn’t a realistic solution to that problem that I’ll personally ever be happy with. So this is a bit of a half-hearted bitching session by me.

Oh, and of course this is a legitimate email in support of delivering encrypted email. Which is to say it’s not encrypting email at all, just forcing the recipient to go to a third party web site and download it over an HTTPS connection.

I was reading a Branden Williams blog post and came across a line that I agree with. It’s one of those lines that I think needs time to sink in and be pondered, as it applies to not just traditional crime, but cyber crimes as well.

When I was first interested in computer forensics, I took an optional course at a security conference, given by the head of fraud at Lucent. It was a great class, where he walked through real scenarios that he had to deal with. After the session we were talking for a bit and I asked him, “If I did *** and *** and of course ***, how would you have to change your investigation?” He responded by saying, “We’d never find you. You see, we catch the dumb ones.” [author’s italics, my bold emphasis]

It somewhat resonates to understand that law enforcement does not try to prevent all crimes. Can you imagine how ridiculous the controls and cost would be to prevent all crime in a particular type?

Really, just keep things like this in mind.

Oh, and also, definitely be scared of intelligent attackers (one [of many] reason the criminal arena of the digital world is scary). And be scared of those who operate absolutely on their own or in small circles or with the cover of diplomatic immunity of some sort. One of the biggest problems for criminals is the lack of trust in their own circles, which means lone rogues are powerful. And the less they need to rely on anyone else, like someone to sell their stolen goods to, or identity providers, the better off they are.

Thankfully, our underlying societal, governmental, and religious ideals (believe it, you’re influenced by religious morals even if you don’t specifically align with a religion) help keeps the general intelligent public from being too criminal. Unfortunately, it is far easier to cross moral lines when you’re masked by the anonymity of the internet and physical meatspace from your targets/victims/work.

And so on…

I appear to have found my snarky drawers tonight! What do these statements have in common?

“I didn’t want that last chocolate anyway.”

“I meant to do that.”

“I’m happy with second place.”

“Security shouldn’t inhibit everyday ops.”

Ok, I’m using hyperbole to make a point, but a point nonetheless. It is up to business to decide what risk they would like to take, but us security professionals should always strive for, be ready for, and work towards as much security as we can achieve, rather than make silly mantras so we can feel better when we don’t get our way. Ok, so maybe it’s not about getting our way, but it is a strange copout that can be used whether you win 99 security battles and concede one that impedes business too much, or you lose all 100 and use that statement as your excuse.

It’s been a tough week (think: windows domain DNS corruption), so I wanted to poke at something and not spend too much energy. Happily, I came across two nice entries by Ben Tomhave. The first is “3 Common Ways Security Fails People.” Sounds like fun, and I’ll go over each of the 3 points with my Devil’s Advocate robes on. I could rename these as the Neutrality Robes, or Robes That Keep Overzealous Ideas Checked Into Reality.

1) It [security] gets in the way. Well, duh. And that’s just going to be the way it is. A firewall gets in the way of traffic. A castle wall-n-moat get in the way of open wandering. I do actually like the points Ben makes here, but ultimately we are dooming ourselves if we let ourselves (and others) think that security needs to not be in the way. But yes, people who want to do things will find ways to do them. And that’s not the fault of security as much as the fault of the people finding ways around security. Just this week I had a developer using a writable file location set up for purpose X, and he decided he wanted to start writing application logs somewhere. So he picked that spot that he knew he could write to, which added an undocumented use to a location otherwise used for just one thing. Thankfully we talked about it and his need was only temporary so I allowed it, but that’s the kind of thing security runs into, and always will.

2) It makes life more difficult. Well, yeah. If you want a more secure house, you make the rounds to ensure the windows are locked, garage door is down, and alarm set. God forbid that is annoying. This wouldn’t be the case at all if a) shit worked, and b) people weren’t human. I made the comment on the blog post example that perhaps Ben was in the wrong for accessing OWASP Google Apps with a non-standard account, rather than blaming security for making his life difficult. Security is a compromise and a give-and-take [risk]. That goes both ways.

3) It doesn’t understand what’s important. I hear this enough that I’m kinda sick of it, but it’s a good point. Again, though, this goes both ways. If what you’re doing isn’t in the best interest of what’s important in the business, and security calls you on it, don’t blame security. And don’t yell at security for everything that doesn’t go your way. Yes, people do that.

The second article is similar in tone: “3 Uncommon Solutions for the 3 Common Problems.” I also like this article, but I haven’t taken off my robes yet…

1) De-Operationalize “Security” – I understand the spirit of this point: get security inherent in the way operations works. But I’m not sure this ever really properly works without oversight of some degree. First, when push comes to shove and I have to do task A to satisfy a customer or do task A with a dab of security B on top, when I already have an overflow of things I need to do to satisfy business/customers, I’ll do A and attend to B later when I have time. Operations will *always* get in trouble for not doing A, but will rarely get in trouble for pushing off security B. This is the same concept for coding. You can assign a variable a value quite easily, but to assign that variable in a secure, scalable, documented way takes more effort and knowledge. This is why I will agree that operations needs to do security, but the pressures are never really there to make sure security is as important as accomplishing the goal. If customer pressures Admin to open the firewall in an insecure way, what do you think that admin will do when part of his job appraisal is based on customer service and peer feedback?

I could even tackle the idea that security is everyone’s problem. While certainly a requirement in a blended approach, I’ll take technological controls over human decision-making any day. At least from a strictly security perspective.

2) Elevate “Security” to “GRC Program” I’m not going to tackle this because I’ve never worked in a situation like this. It’s a bit of a sideways step to my experiences. In the brief mention in this article, it just seems like another silo and something for people to point fingers at. It also feels like it will still depend on all the operational people and technical managers to filter up enough accurate knowledge for potentially non-technical GRC managers to make decision upon. I’d rather just have one layer of experts (security team), but again, this isn’t my reality.

3) Understand the Business – I’m losing mental momentum after my long week by now, so I don’t have much to say that is useful. I agree with the concept, but I don’t necessarily like the idea that regulations are distracting. Difficult and annoying, sure, but I’m not sure how any of them go against what a business wants, other than being a cost center. This may just be an illustration of the break between auditors (and external security) and their rigid interpretations of regulations and very un-agile recommendations to meet them for every business.

Merry Christmas, Siemens, Billy Rios is calling you out. Boom.

I was scanning Chris John Riley’s post, The more things change, the more they stay the same!,” and noticed a Jeremiah Grossman talk mention: “WebApp Security: The Land that Information Security Forgot (Jeremiah Grossman)” which incidentally has some older slides available for a taste of the content.

Yeah, we’ve come a long way and haven’t really gotten very far. But I think every era in security will likely echo the same sentiments.

Nonetheless, glancing at that talk title just rehashed thoughts in my head that not enough security people are technical enough. It’s one thing to throw an Infosec guy into a room of developers and have him spout generalities and vague security concepts (which is just going to turn off the developers and further drive a wedge of passive disrespect), but it’s another one entirely for the Infosec guy to talk and operate on the level of a developer, even to the point of sample code and pointing out real world issues. I think that’s the part that is difficult these days, and it’s not just limited to the web apps. I also think this is why QSAs are poorly positioned, misunderstood, and way too often abused as consultants when they’re really not.

If you know a young person who has technical interest such as building web sites, and also has a budding interest in security, please do what you can to stoke those fires early, before their coding workload and life responsibilities overshadow their other enthusiasms.

This stuff is fascinating: a trade fair for (lawful) trojans and (lawful) keyloggers. We hate these things.* We fight against such malware constantly. We prosecute those that breaks laws in such a way. Yet there is a deep need, and clearly “legitimate” money involved in both private and public sectors.

I guess it can at least be one way a kid who finds herself on the wrong side of the black/white hat world and gains skills in malware creation/evasion, can eventually grow into a career doing the same thing for “legitimate” reasons. Certainly beats the untrustful world of unlawful crime.

* As a thought exercise, think about how many things happen on a network at home where a parent watches/controls a child’s experience and compare that to how adults fight against such unwanted spying. Also compare against how similar things happen in a corporate environment to maintain security. I’m not saying these are bad, but it is interesting trying to draw philosophical positions to stand upon when looking at the appropriateness or global utility of various security efforts and practices. Ya know?

Brian Krebs has two excellent articles that made my morning. (Ok, one of them is several weeks old and I just hadn’t read it yet.)

First, “Busy Signal Service Targets Cyberheist Victim,” talks about a new service in the cyber criminal underground that will call a victim over and over to tie up their phone line so that bank calls to verify large money transactions can’t get through adequately.

This illustrates the give and take the security plays with attackers. You want to complete a call to the customer but have been blocked. Essentially, while a nice feature, this isn’t going to be foolproof. Basically, spin again.

Second, “Loopholes in Verified by Visa & [MasterCard] SecureCode.” The hole is essentially a piss-poor method to reset forgotten passwords.

I hate things like this because it illustrates how much lip-service is put into security until you get concerned consumers or other entity asking public questions or slapping proverbial wrists. This is why I so heavily value disclosure, transparency, and public assistance. It might also illustrate the lack of critical thinking in those who contract, design, and implement these solutions.

Then again, attending to forgotten password issues is a bit of an art. This weekend I saw that my usual screenname was taken over at SWTOR.com (Star Wars!). The forgot password function requires that I at least know the email address under the account, and if this was indeed me, I don’t recall what email address I used to sign up. So comes a call in to support. On release weekend. Needless to say, I’m still waiting to see how this goes. 🙂

(Side note: SWTOR.com accounts have the “option” of using 3-5 security questions. These questions are typical questions you see everywhere. Unlike Network Solutions who allows me to answer these questions all identically [but then tell me I can’t do that when on the phone with a rep, despite their system letting me], the SWTOR.com site actually forces them to be different. I don’t understand this. I don’t use these questions as truthful answers but rather as a second password. I don’t want to have to remember 3 more passwords. I don’t have solutions that I like, but I can surmise this current situation of security questions and passwords is more often done wrong than done right.)

Speaking of conferences and speakers, it really torques me when I see someone wants to talk at a con (or better yet is already accepted) but then laments that they’ve not yet figured out what to talk about. Chances are, I don’t want to go to your talk if that’s the approach. (There are exceptions, such as friendships, entertainment, etc… Ok, fine, there are *very* few exceptions where I’ll see someone regardless of their message, like Adam Savage, but those people are rare and most of us are not them.)

At a con or talk where I want to learn something, I really appreciate people who have a passion to get something specific out there, whether it be something new, some incite into an industry or process I don’t normally get, or whathaveyou. I’ll even sit through people who don’t have strong speaking skills if they have a compelling expertise on the subject. I’ll leave only if their level of expertise is lower than mine and I’m clearly not getting any value (though others may be).

I’m not the most keen on people who are part of the speaking circuit and speak for the sake of speaking, rather than the sake of the topic. And it eats up a slot for someone who may have neat things to say.

(This isn’t about anyone in particular in recent weeks; it’s a general feeling I’ve had for truly many years.)

Rafal Los threw out a nice article this weekend, “Steps to Avoid Mental Stagnation – Or how to re-awake your inner hacker:”

What worries me is when you’ve been working in corporate IT for 10+ years in a single organization or a single organizational profile (education, finance, whatever) and you can’t seem to break free of a specific train of thought.

I have worked in my current position 5.5 years, and I can sympathize with the broad points. In fact, I’m a bit sensitive to it this year in knowing I’m getting behind on the things I don’t have exposure to in my business, or even things that are under the purview of another team member and not myself.

One idea I’d add along with the ideas Rafal adds is to work to carve out some free time. This can either be at work or in your personal life, where you just tinker with some of those things you want to do that are on the topic of security, whether it means participating in PTES, the social network of security, coding some new things, or standing up a better lab to test tools you’ve long put off. At work, I strongly believe that good admins need a significant amount of free time to poke at strange things, learn new things, try stuff out, and stay happy (I’ve seen this talked about with *any* IT discipline and have often heard the number 30% free time thrown out).

When someone in the “echo chamber” of security says something about getting the defenders to think more offensively, and then gets a response similar to, “Rather than complaining, maybe you should give us real ideas on how to do that,” it really irritates the crap out of me. That sort of response is antagonistic and even insulting, plus it’s always going to result in a defensive or even offensive response. There are better ways to make the same point without the passive aggression. Especially when you’re not actually disagreeing with the point!

Besides, even when talking in the echo chamber, making these clear statements isn’t a *bad* thing, and it may even need to be heard by one or two audience members.

It really comes down to education, teaching, awareness, and experience if we want to make security more inherent in IT (coding, infrastructure, networking, systems…).

If you want a stable high-availability network, you need someone who can actually do it in the way you want, otherwise your admins will end up learning the mistakes and correct answers on the fly. And it might take years to build that experience. Therefore, you ask experts and get other ideas.

As a systems/network admin on a team of systems/network admins, we do this every single month where we may look at new things but not inherently know the pros and cons and gotchas of the solutions without experience or assistance.

We frustratingly bitch a lot in security, but we need to support each other during our bitch modes, not lash back and kick each other when we’re down. That’s really my point.

Look at that, another breach discovered by someone else that is not part of the victim company, this time affecting Dutch telecomm KPN.

…a hacker broke into a Gemnet [KPN subsidiary] database after exploiting poor password policies set up on its PHPMyAdmin server… The article said the hacker came forward to prevent the kind of debacle DigiNotar created, but “he has also found evidence that he is not the first person who have gained access to the systems.”

We hear a lot of these reports of third party notices of breaches. I wish we could correlate that better with how many get detected internally, though I imagine a good chunk of those are never discussed beyond the immediate team involved…

I love having Twitter up next to me while I do other things like play Skyrim. I get to see things fly by like the article “Why I Hire People Who Fail,” by Jeff Stibel, passed on by @chrisclymer.

We don’t just encourage risk taking at our offices: we demand failure. If you’re not failing every now and then, you’re probably not advancing. Mistakes are the predecessors to both innovation and success, so it is important to celebrate mistakes as a central component of any culture. This kind of culture can only be created by example — it won’t work if it’s forced or contrived.

About a year ago, the company I work for made an effort to spark innovation. And while I’m sure a few good ideas percolated up to the top, the problem is all the ideas generated are placed into a review group to pick and choose ones to follow, which ultimately leads to only accepting the safe and obvious stuff. That’s really not innovative, and really does nothing to promote risk taking or enable failure, and thus learning.

Take some risks. Fail at things. Be better for it. It’s just like taking the effort to practice so that you get better for the future.