a negative illustration allows the rest of us to learn

Sometimes a blog post comment can be just as good as the blog post that inspired it. A comment on a post by Richard Bejtlich is an excellent real-world example of changes that occur in an environment and what can happen if everything is managed separately. I’ve seen something similar to this before, where a pix static NAT rule was put into place (by accident, I hope; we never did answer this question because the tech who made the mistake had left a few months before the discovery) that basically left the balls of 2 servers out on the Internet for the wind to tickle. Eventually they fell victim to worm activity, but thankfully the damage was limited to just those two old dev servers. NSM did not lead me to the answer (we didn’t practice that); rather, a lucky port scan from the outside, conducted on a gut feeling, revealed the issue.

I enjoy reading what breaks or didn’t work in environments. Too often such stories are so cloaked in corporate secrecy that we don’t get the opportunity to learn. How often are firewalls managed in a way that if a system is taken down and another put in its place, the firewall mappings will be reviewed and updated as well? How much chaos in a network can an IT team handle before problems like this arise? How much should policy mandate what happens and what does not happen? Or should it be enforced policies or, better yet, an inventory of systems and configs?
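The stale-NAT story above is exactly the kind of thing a periodic reconciliation catches before a port scan does. The script below is an added example, not code from the post or its commenter: it parses a constructed fragment of PIX 6.x-style static NAT lines, compares each inside address against a made-up host inventory, and flags mappings whose inside host is unknown, retired, or never meant to be reachable from outside. The hostnames, addresses, roles and the inventory format are all assumptions made for the example.

```python
"""
Added example: cross-check firewall static NAT entries against a host
inventory so that a stale one-to-one mapping (a decommissioned server still
published on a public address) surfaces during review rather than in an
external scan. The config lines imitate PIX 6.x 'static' syntax; every host,
address and inventory record here is constructed for the example.
"""
import re
from dataclasses import dataclass

# Constructed firewall fragment: one-to-one statics, PIX 6.x style.
FIREWALL_CONFIG = """
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255
static (inside,outside) 203.0.113.11 10.0.0.11 netmask 255.255.255.255
static (inside,outside) 203.0.113.12 10.0.0.12 netmask 255.255.255.255
static (inside,outside) 203.0.113.13 10.0.0.13 netmask 255.255.255.255
"""

# Constructed inventory: inside address -> (hostname, role, status).
# 10.0.0.13 is deliberately absent: nobody recorded what sits behind it.
INVENTORY = {
    "10.0.0.10": ("www1", "public web", "production"),
    "10.0.0.11": ("dev1", "dev server", "decommissioned"),
    "10.0.0.12": ("dev2", "dev server", "production"),
}

# Matches 'static (inside,outside) <global_ip> <local_ip> ...'
STATIC_RE = re.compile(
    r"^static\s+\((?P<inside_if>\w+),(?P<outside_if>\w+)\)\s+"
    r"(?P<global_ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<local_ip>\d{1,3}(?:\.\d{1,3}){3})"
)


@dataclass(frozen=True)
class Finding:
    global_ip: str
    local_ip: str
    reason: str


def parse_statics(config: str) -> list:
    """Return (global_ip, local_ip) pairs for every static NAT line in config."""
    pairs = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            pairs.append((m.group("global_ip"), m.group("local_ip")))
    return pairs


def review_statics(config: str, inventory: dict) -> list:
    """Flag statics whose inside host is unknown, retired, or has no public role."""
    findings = []
    for global_ip, local_ip in parse_statics(config):
        entry = inventory.get(local_ip)
        if entry is None:
            # The firewall publishes a host the inventory has never heard of.
            findings.append(Finding(global_ip, local_ip, "no inventory record for inside host"))
            continue
        hostname, role, status = entry
        if status != "production":
            # The classic case from the post: the box is gone but the mapping lives on.
            findings.append(Finding(global_ip, local_ip, f"{hostname} is {status} but still exposed"))
        elif not role.startswith("public"):
            # Live host, but its role never justified an outside-facing address.
            findings.append(Finding(global_ip, local_ip, f"{hostname} ({role}) has no public role"))
    return findings


if __name__ == "__main__":
    for f in review_statics(FIREWALL_CONFIG, INVENTORY):
        print(f"{f.global_ip} -> {f.local_ip}: {f.reason}")
```

Run it against a real exported config and an exported CMDB or spreadsheet and the interesting output is the third category: a mapping for an address nobody owns. That is the one that only a port scan would otherwise find.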

ramble on predictions just a bit: outsource vs complexity

A post by Adam Dodge about a couple of University of Arizona departmental web servers being defaced reminded me of a sort of 5-year-ish prediction I have in my head now and then. These webservers were running Twiki, and a vulnerability in that program, which the admins apparently knew about, led to the defacement.

In my last job we were an ASP (application service provider, i.e. we hosted a web-delivered service) and about 150 employees. About 1/3 of the company was comprised of IT and development staff. The number of applications we, the infrastructure (network, security, sysadmin, etc) team, supported was not terribly high, maybe about 2-3 dozen different types of systems we needed to stay abreast of or at least keep secure. That’s still a lot of work to be on top of patching and securing and managing those applications properly. And it really sucked to have surprise applications (one was a wiki hosted on a developer laptop that suddenly became a burden to his system performance [gee, ya think?] and a critical piece of their own processes [ugh, thanks]) pop up in the environment.

My prediction is corporate applications will do one of three things:

1) Security will move to the network and we won’t necessarily give a crap about what goes on a system. Thin-client computing is being talked about again… If people want to run an application for their department that is buggy and 7 years old and barely supported anymore, go ahead in your own little secured network area.

2) Security and IT management will win out and corporate applications will consolidate and diminish. Rather than trying out everything under the sun and small pockets of people relying on a disparate number of applications, corporations will get rid of a lot of them and just use the really important ones. Providers that can provide a full solution will benefit. For instance, Salesforce.com provides sales with almost everything they need except corporate email and phones. That’s awesome and leaves sales really not wanting for much else other than mobile devices and access to information when they need it, anywhere.

3) We’re just plain screwed and the security function of managing all those disparate applications will be a regular task for IT/security.

This flies in the face of what I really think is coming: outsourced security. You can audit, evaluate, test, assess, monitor, and manage alerts from an outsourced entity, but how can an outside entity ever truly understand all those little apps that pop up in every corporate environment? How much clout would such an outsourced team have when saying an HR tool is outdated and should be removed as a liability and administrative drain on resources? How intimate can they REALLY get? (Answer: only as intimate as the tools let them…and they don’t get that intimate…)

I guess I can mix this all around and say a prediction will be the grinding of these two gears that don’t quite fit with each other: outsourcing security and day-to-day IT tasks vs. the disparate and complex and ever-changing digital landscape of the corporate campus.

some more random words on porn, doing things, and laptop encryption

“If you hide your form, conceal your tracks, and always remain strictly prepared, then you can be invulnerable yourself.” The Art of War, Chapter 4: Formation

There are a lot of analysts and journalists who write and talk a lot, but it’s just all blah blah blah blah, with little substance or anything that matters. And they tend to talk in circles and argue a lot about much of nothing. Brian Krebs is not such a writer. He’s one of those rare journalist gems in the security world who gets it, and has respect. He tells it like it is, and I gotta admit, I’ve enjoyed his writing, accuracy, and tenacity in sticking to his guns despite the unwashed ignorant commenting masses on his more popular topics. He wades into the whole substitute teacher porn exposure case quite deeply, and rightly, ready to get the facts out as this whole incident is one out of proportion debacle. Sic balls, chopper!

Another analyst that I have grown to like, mostly because of his style of posting bullet points and getting all his stuff in one post as much as his incites (sic), is Mike Rothman. I may not always agree and I may find his stuff not relevant to my roles, but he has gems. He had one today where he said, “Everyone needs a plan, but those that spend all day planning, spend very little time doing. So plan quick, do stuff, adapt and repeat.” We can sit and talk about how to get the perfect security plan and plan, plan, plan so that we’re not the next headline in the paper. But we could end up doing that for ten years…and get nowhere. Just do it. Get an idea or something to do and do it. It might be only part of the solution, it might even be wrong, but just do it. Evaluate it. Fix it. Adapt. Improve. But bottom line, do something! A company that really wants to support its IT and security personnel will be willing to allow some levity in getting things done and making mistakes here and there. If the company is not, they either won’t ever have security, have scared admins who end up doing nothing but the barest bottom line, or they have a team of perfect Jesus Admins working for them.

Laptop encryption is a big deal these days. But one must always keep in mind that the best way to keep sensitive information safe is to not have it on insecure devices and to physically destroy media when no longer used. Encryption, if you want to get really technical, is just obfuscation. It cannot realistically be broken today…but the key word there is “today.” If that drive is important enough, an attacker can keep hold of it for years and continuously work against it. Encryption is a huge step up from bare data, but it is still not a complete substitute for sound information storage and usage practices. Either way, full-disk encryption will soon become standard on every hard drive, and users can turn it off if they want on the hardware. Kinda like providing a lock and key on a computer case. If you want to take the trouble to supply the key each time you want in, go for it, otherwise just don’t lock it.

godaddy, myspace, seclists, and the blog masses

I’m sure everyone is going to be posting and abuzz about how MySpace got GoDaddy to drop Seclists.org. But what really makes me frustrated and angry is how often people make assumptions and how ignorant so many people can be (and apparently illiterate). Reading the comments here and here is just an exercise in working up a large frustration level with people who think Fyodor was the one who phished those accounts and then posted them on the site for everyone to grab. And so on. That frustration is what prompted this post, not the news item itself.

Big kudos to Fyodor for digging quickly to the heart of the matter in saying MySpace should have taken action to protect its users whose accounts were compromised, not trying to patch up an unpatchable leak.

Personally, despite my knowledge that security sucks still and botnets and phishing are out of control, I am not convinced that ISPs and registrars should be the police of the Internet. There is still a lot of vigilantism out there with non-official sources tracking down and raising Cain about phishing sites and botnets and spambots and illegal or copyrighted material, which can end up with a lot of collateral damage as legitimate persons and innocent victims are infringed upon, especially with amateur cowboys on their missions. I will say, however, that some of that is necessary and legitimate. F-Secure notifying an ISP or registrar about a known phishing site that is doing nothing but phishing is one thing, but non-experts doing it? I’m not sold on that idea.

Shame on MySpace for even pursuing this without at least a little bit of thought or investigation. They could have contacted Fyodor themselves, they could have checked into the mailing list, they could have asked around or browsed the archives themselves to see what the whole story was. They could have (and should have!) notified their own users about the accounts and forced a password change. Wiping out a site when the accounts are already leaked and public domain does absolutely nothing to the integrity and security of MySpace and its users.

Shame on GoDaddy for their impatient reactions and also their own lack of follow-through and investigation. GoDaddy should have experience and relations with known experts and groups who report phishing sites and other TOS violations. I doubt MySpace would or should be amongst those groups. Due process. As a customer of GoDaddy, I would expect due process and not a knee-jerk reaction based on which way the winds are blowing.

wardriving experience

Can’t believe I originally missed an article on wardriving! And not a bad one either, considering the ComputerWorld source. The first page is interesting with the setting up of a rather cheap van office. I kinda like that idea, especially considering my car has zero room as it is. I was also enthused about someday getting together some cheap mobile rig (if I got more into wardriving/wireless assessments that is) after watching an episode where the packetsniffers mounted a laptop in their truck. While a front-seat-mounted laptop is borderline illegal (something about a tv or computer screen being visible to the driver), the idea of a mobile wardriving pad is pretty cool. Shag… At any rate, I like a good article with some good technical tips and hardware suggestions. Unlike many ____World articles, it really sounds like this author is definitely speaking from experience. I might have to hunt this guy down when I make it out to Seattle soon.

familiar territory

“Someone unfamiliar with the mountains and forests, gorges and defiles, the shape of marshes and wetlands cannot advance the army. One who does not employ local guides cannot gain advantages of terrain.” The Art of War, Chapter 7: Armed Contest

Amen to that.

I read Shark Tales off and on, and saw this one today. While amusing, it also comes with a pang of sadness at how often no one ever knows what IT does to keep the ball rolling. IT (all of it, including security) is too often seen as a utility. No one cares until it isn’t working. I mean, when was the last time you called up your electricity/internet provider and thanked them for providing the utility that day?

mail servers

Reading some stuff on spam and email today got me all inspired to keep a mail project in mind as the year progresses. I’d like to stand up a linux mail server on my home network someday. It’s not like I dislike my windows mail server application, but it’s done. It’s there, and implemented. And, of course, there is still spam getting through. Unless I go with Exchange (overkill, although valuable experience) and some commercial apps to help support it, my best bet is to go with Linux, a mail server (likely sendmail), and spamassassin. The problem is those latter two are very daunting and quite bearlike in their configurations. I would need some good time to pore over the settings and how to get things working. Thankfully, I do understand SMTP and have done what would amount to first level support on a sendmail server before (bigger issues I would escalate to someone more experienced). Maybe someday I will move towards that route. I could always just leave my current Windows mail server up as backup.

linux as main box part 8: good enough

So it has been a while since my last post on Linux as my main box; I’ve really basically just been using Linux every day. After getting past some of the usability issues with DVDs, movies, mp3s, and other media, I’ve definitely settled into a nice rhythm with Ubuntu.

My biggest issue lately has been my external firewire drive which is NTFS. Since I run Ubuntu on my laptop, and laptops shouldn’t be tethered to anything except a mouse and power, I decided it was in my best interest to stop wrestling every 4 days with Ubuntu vs NTFS (which typically I did get to work…until unplugging and replugging the drive back in and trying to remount; Nautilus is very picky and whiny), and just plug the drive into something on my network that is on all the time and likes NTFS much more (Windows). I now quite easily just smbmount over the network when I want. The added benefit is my other systems can get on it now as well.

Other than that, I’ve become very happy with my Ubuntu installation, which is kinda illustrated by the fact that I’ve not booted into Windows on this laptop since the last update a few months ago. I do cheat, however, since I have other boxes including a slightly less-powerful laptop running XP, but I definitely give Ubuntu my daily tasks. The XP box is just there for misc things and other Windows programs. Heck, I’ve even taken much more to cygwin on all my Windows boxes.

Will I stick with Linux? Yeah, I will. The reasons remain the same, though:

1) Tired of paying for an OS license at home.

2) I want much more practice with foundational Linux tools.

3) I really like being familiar with a Linux box day-to-day in addition to just knowing how to use the apps. I feel much more flexible this way. (And it adds to my skillsets.)

Will I fully ditch Windows? Never. I have older machines that love my Windows 2000 installs. My other good laptop and gaming rig both have Windows XP. And as long as my job involves any semblance of Windows, I’ll do my best to keep up with it. And Windows will always remain my backup boot option.

My goals moving forward this year in regards to Linux:

1) Become intimately familiar with BackTrack. Also adopt a couple other Livecd distros for flexibility’s sake. Likely Auditor, Helix, Trinity, or something related… Livecds are just too cool when it comes to laptop use.

2) Become more practised with a wider range of tools for Linux. The only difficulty here will be delving outside Debian/Ubuntu-ready packages and tracking down my own dependencies with things not in Synaptic. I might just use an older laptop as a test bed so I don’t screw up my main box too badly. 🙂 I might even look into FreeBSD.

3) Start getting familiar with running a Linux server and replacing Windows as my main server. I might look to something beyond Ubuntu for that, and might just run it from the command-line as well. This is definitely more of a “maybe by the end of the year” sort of goal.

baretail

Tail is an excellent tool for watching a log file. Tail in cygwin on Windows is ok, but the display really does kinda suck. Baretail is a similar program for Windows that can tail a log file quite nicely. The program doesn’t even use an installer and is just a bare standalone executable and works quite nicely to watch logs on Windows. Excellent little tool.
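Since the post is about following a log file, here is what a follower has to get right that a naive "read to EOF and keep reading" loop does not: a line that has only been half-written yet, a file truncated in place, and a file rotated away (renamed, with a fresh file created under the same name). The class below is an added example written for this page; it is not Baretail or cygwin tail, and the file paths and log lines in the simulation are constructed. It polls rather than blocks so that each call returns what arrived since the last one.

```python
"""
Added example: a minimal polling 'tail -f' that copes with partial lines,
in-place truncation, and logrotate-style rename. Not the tool the post
describes; the paths and lines in simulate() are constructed for the demo.
"""
import os
import tempfile


class LogFollower:
    def __init__(self, path: str, start_at_end: bool = True):
        self.path = path
        self._fh = None
        self._inode = None
        self._open(seek_end=start_at_end)

    def _open(self, seek_end: bool) -> None:
        """(Re)open the file unbuffered so tell()/seek() are plain byte offsets."""
        if self._fh:
            self._fh.close()
        self._fh = open(self.path, "rb", buffering=0)
        self._inode = os.fstat(self._fh.fileno()).st_ino
        if seek_end:
            self._fh.seek(0, os.SEEK_END)  # like tail -f: only show new lines

    def _rotated_or_truncated(self) -> bool:
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            # Renamed away and no replacement yet: keep draining the old file.
            return False
        if st.st_ino != self._inode:
            return True  # a different file now lives at this path (rotation)
        # Smaller than our read offset means it was truncated in place. A file
        # truncated and then refilled past our offset before a poll is missed;
        # that is the known limit of size-based detection.
        return st.st_size < self._fh.tell()

    def _read_lines(self) -> list:
        out = []
        while True:
            pos = self._fh.tell()
            raw = self._fh.readline()
            if not raw:
                break
            if not raw.endswith(b"\n"):
                self._fh.seek(pos)  # half-written line: wait for the rest
                break
            out.append(raw.rstrip(b"\r\n").decode("utf-8", errors="replace"))
        return out

    def poll(self) -> list:
        """Return every complete new line since the previous poll."""
        lines = self._read_lines()
        if self._rotated_or_truncated():
            self._open(seek_end=False)  # new content: read it from the start
            lines.extend(self._read_lines())
        return lines


def simulate(workdir: str) -> dict:
    """Drive the follower through append, truncate and rotate; return what each poll saw."""
    path = os.path.join(workdir, "app.log")
    with open(path, "w") as fh:
        fh.write("old line 1\nold line 2\n")
    follower = LogFollower(path)
    seen = {"initial": follower.poll()}               # nothing new yet
    with open(path, "a") as fh:
        fh.write("new line 3\npartial")
    seen["append"] = follower.poll()                   # 'partial' is held back
    with open(path, "a") as fh:
        fh.write(" done\n")
    seen["complete"] = follower.poll()
    with open(path, "w") as fh:                        # truncate in place (e.g. '> app.log')
        fh.write("after truncate\n")
    seen["truncate"] = follower.poll()
    os.rename(path, path + ".1")                       # logrotate-style rename
    with open(path, "w") as fh:
        fh.write("after rotate\n")
    seen["rotate"] = follower.poll()
    return seen


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        return simulate(d)


if __name__ == "__main__":
    for stage, lines in run_demo().items():
        print(f"{stage:>9}: {lines}")
```

The inode comparison is what makes rotation visible; a follower that only compares sizes will happily keep reading the renamed file forever and never notice the new one, which is the same silent failure mode as a detection pipeline pointed at a log that quietly rotated out from under it.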

stupid email disclaimers

I honestly think email disclaimers are stupid. This is an entertaining list of some bad and worse email disclaimers. Honestly, we all know better than this anyway, and props to any company that just dispenses with this nonsense. I already know that Boeing (a large company that must be security-conscious) does not enforce email disclaimers. If they don’t, no one really needs to. Such wasted space and so unnecessary.

20 things the average person doesn’t know about windows xp

Here is a list of 20 things most people don’t know about Windows XP. Honestly, I didn’t know a lot of these either! A lot of them won’t mean as much to me right now since I don’t do much desktop support, but XP is gonna be around for a lot longer. (Do some soul-searching on whether your company really has a reason to move to Vista? Seriously, do you? Other than MS dropping support someday, I doubt it.)

biggest problem in security

Andy posted what is maybe the biggest question (and toughest) we should consistently ask ourselves in this field: What is the biggest problem facing security professionals today? Andy answered user awareness.

I’m not so sure I could so quickly answer just one thing as our biggest problem. If I were to tell a VP where to best spend his money, I think I would answer either technology to protect the users and data, or spend money on educating management, not all users. Managers need to lead, and unless managers are aware of the problems, users aren’t really going to give much more of a shit. Companies are economic entities, and users are entities that answer to their managers. Pressure can be applied by educating stakeholders such that they hold management accountable for security. But we all know that devolves into checklists, grades, certifications, and basically the representation (right or made up) of security…which may or may not be the real state of security.

An example of technology mitigating the user problem is in laptop encryption. Users can continue to be stupid and lose laptops because they leave them in plain sight in their cars and put data they shouldn’t on them, but if they are encrypted (technology), that user mistake is dramatically mitigated. Of course, this may perpetuate the cycle of relying on technology and ignoring user education…but that’s at least where I’d perhaps put my money first. Teach people to ignore spam and phishing and detect it and report it, or implement spam filtering good enough to minimize their exposure to those decisions, along with HIPS/detection to stop those fewer instances where they do slip through? Relying on users would keep me up at night, personally.

Complexity of our environments and technology advancements are also a huge problem right now. Environments keep growing outward and more varied. They’re also just plain growing. Trying to create an infrastructure today that can be properly and securely grown for the next 10, 5, or even 3 years is highly difficult. Our work environments creep and grow, and we don’t typically have the luxury to start over and build the house correctly to today’s threats.

For all that rambling above, I don’t mean to diss on users as being stupid and a lost cause. I do realize there are benefits to user education and I by no means would prevent user education or speak up against it. User education is truly part of a blended approach to security, and users are just another required layer to be protected and educated, just like in the spam example above. I’m somewhat playing devil’s advocate, but I honestly don’t know if I would say user education is our biggest challenge. I think it is just far more complicated than that.

Update: After some more thought this evening and some time playing LEGO Star Wars (awesome!), I think one of the biggest problems we face is making sure our peers (and ourselves) give management the best bang for the buck they can get, and give accurate and honest and truthful assessments and advice. Management needs our help to understand the reality of their state of security and how to properly tackle it. They also need us to keep hounding them so they don’t become complacent or think the task is done. So yes, in a way, education is necessary, just not necessarily user-centric as much as tackling the user base from the top. This might include heavy training for IT folks as well; those of us who are laying the blocks and doing the securing and growing and actual work. Even if management is on board, they can only spin their wheels if their people are not getting it.

social engineer

RSnake posted about social engineering. For as much work as I do with networking and computers, I still maintain that the highest success rate attacks on a target are physical and social engineering attacks. The only thing stopping most people from doing more of those things is social mores and the stigma of getting caught and not being able to maintain the anonymity like we have on the Internet.