Ten years ago, it was still common to refer to hacking groups by their creative and rather dark names like Cult of the Dead Cow, and handles like Master of Disaster. These days, hacker criminals (note the use of the adjective “criminals” to quality an otherwise non-negative “hacker” noun) have matured their practices from just being curious and annoying and destructive to being profitable. But so have the security pros. While there are still people like Major Malfunction and Phenoelit around (and many, many others), just look at my list of links to the right, especially the blogs. I now have more real life names than I would ever have had 10 years ago.

That’s not to say hackers do not have witty handles anymore, but there is that maturing going on in all facets of this industry. Curious, if nothing else. Me? I like the ability to use a handle to protect my identity online just a little bit more. Games, forums, IRC, IM…everything still asks for a unique username, so may as well blend that in with my industry handle. Better than being Avengerr26078 or Neo643389x!

UCLA just announced the disclosure of private data on 800,000 persons. I find it disturbing that the “attacks occurred between October 2005 and November 2006.” I almost suspect that that is only as far back as backup tapes and/or logs go. And there were multiple attacks? I would be willing to put money down on the detection being accidental on the part of the network admins. Maybe someone just looking at something they normally don’t, or seeing something odd when troubleshooting an extraneous error as opposed to an IDS barking alerts or alarms going off or the attacker(s) being noisy.

Information security and insecurity isn’t going away, and it is very hard to ultimately protect juicy targets. IT is understaffed and underbudgeted. We complained about this 8 years ago and we still complain about it because technology and information have grown along with staffs.

We also have an inability to share information. We work in an industry that cannot disclose details without the very real fear of lawsuits. But we desparately need to share this. We need to share what broke down in UCLAs detection strategies. We need to share how they learned of the incident and investigated it. We need to share the goods and the bads, what works and what doesn’t work, the internal political barriers and the champions who push through them. Otherwise this issue just cannot go away and we’ll only have analysts and journalists telling us (and our management) what “should” be done with absolutely no regard to the feasiibility of those measures. (Of note, I love analysts/journalists telling companies how easy it is to encrypt full hard drives just because they were able to encrypt their own hard drive once, two weeks ago, and then didn’t like it and removed it…)

If we are to start making headway, we need the details. Otherwise the details, in their silence, will kill prevention.

Open source software is considered by many to be the untainted version of freeware available on the web. Far too often, “freeware” packages in other smaller programs, from announced installs like Google or Yahoo toolbars to unannounced installs like spyware and adware. Open source is a much, much more trusted “standard” for web surfers to download and install programs while sleeping easier at night.

But I wonder how long such trust will last. I download and install open source apps regularly, and in fact, unless I know the application well I don’t install a closed source app when open source has alternatives. But do I look at the source code to check and make sure some spyware app isn’t packaged inside it? How many other people compile the source themselves, let alone truly understand the code enough to feel safe? And if someone with programming knowledge does this, will he be able to let the rest of us know and “out” the application?

Right now we (I) have blind trust in something deemed open source, and maybe a little more trust in something open source available on SourceForge or through a package manager, but there will someday come a time when even open source is not safe from the little things installed by determined marketers. What if an application is only really “safe” if manually compiled from source, but the compiled binary version has small print in the EULA hiting at additional software…?

There is more and more talk of people (typically people that just talk about things, i.e. analysts, as opposed to people who really *do* anything) wanting the ISPs to take up the battle against botnets and zombies. Personally, I feel that if ISPs are going to be forced into taking care of things closer to the end-user or that affect the end-user (either through detection and/or shunning after a threshhold), they’re going to go balls-out and go farther than I, as a consumer, want them to go.

It is already difficult enough to shop around for an ISP that gives me a static IP (or at least very low turnover dynamic), allows me unfettered incoming and outgoing ports, and allows me to use my own mail and DNS servers as I see fit. I don’t want that crap done for me. And I don’t want to pay for business-class service. But if I were an ISP forced to go this route, forced to tackle a layer in the communications that I wasn’t really supposed to tackle (this is like asking the physical layer to protect the sessions), I would make damn sure I log everything I can and get as far as I can and as thorough as I can before consumers start decying privacy issues and freedom of service. This is a ball I do not want to have started rolling.

Besides, I don’t really think ISPs are going to dent that particular problem right now. I’d rather they were left to focus on what they do best, and provide me with uptime, reliability, and faster circuits. I don’t want to have my system shunned (loss of reliability) because one of my neighbors can’t stop visiting infested porn pages or out of the blue if it is my system affected.

But yes, I do think security will still head towards the switch, only the switch will be inside corporations and inside the user home.

I am often amazed at some of the solutions to security problems that some organizations and people implement. A mailing list situation recently came through that had a web-based system developed to “hide” the URL bar from users so they couldn’t see and/or manipulate the URL. This is almost certainly to obfuscate sensitive data in the URL and possibly avoid risk from manipulating that data (the classic www.domain.com?price=199 variable which can be changed to change the actual price). Now IE7 is out which forces the URL to be displayed. Kind of defeats some of that purpose, no?

Other times there can be some very creative ways to deal with security issues. SMTP “security” can be achieved by capturing emails with “SSN” in the body and saving them on the mail server for pickup by the recipient party. This really does not fix anything in SMTP or email, but rather just changes the path of the missive. Sadly, this is usually pretty annoying from the recipient’s point of view.

These are sometimes just patches and workarounds to the real, deep issues of security. In the first example, the app should have been rewritten to display a sanitized URL. In the second, figure out a better way to utilize email or try to re-invent SMTP (hard sell, that).

I’ve found that there is an endless supply of creative and work-around ideas in the field of security, and I think a large part of that is a function of the skill in the field. As more and more auditors (people who check lists…), non-geeks, and barely competent IT support persons move into this field, the talent and skill gets a little bit more and more watered down. Instead of understanding the nuances and/or realities of a tool, too often shallow knowledge gives way to sometimes ill-conceived workarounds and obfuscations of issues.

It truly does take a technical and deeper knowledge to effectively and quickly determine security responses and measures (or how to beat them). Someone cannot take a position to secure DNS without understanding how DNS works. Likewise, how do you secure applications that depend on DNS when you don’t even know DNS itself?

Web applications are teeming with this issue. If a developer knows how to program security into the product on the fly and codes with security in mind, that is a huge benefit to the developer who only knows how to make the functionality work (sometimes in equally ill-conceived ways), but then has to spend tons of time trying to boly on security down the road. Knowledge would save time and money.

I think this is where a lot of bad security comes from, just a simple lack of expert level knowledge. This itself is tough to achieve anyway, as a security guru tends to be seen as a cost, not a value-add. They add value by also doing network/systems administration, which tends to trump security when push comes to shove.

And while budgets, poor management, poor decisions, and other things influence one’s ability to be educated and/or implement solid security endeavors, I still think being an expert in the basics goes a long ways. Why implement an expensive NAC solution when you can drop in an old box running arpalert (free) and check for rogue machines that way? Why spend hundreds of manhours on limiting exposure of an application on the network when you can ensure your code can withstand fuzzing attacks?

This isn’t the only reason we have insecurity, obviously. There are time issues and often pressures from outside the competent developer’s control. And there is much to be said about defense in depth by doing everything one can to make a more secure product, but I still believe the basics are what comes first. The obfuscation needs to come after. The creative workarounds that could be obsolete next year need to be second.

The future is still going to remain with open source tools and creative ways of being an expert with the basics. Not on spendy and fancy workarounds that too often miss the real points of insecurity or create insecurity itself. Besides, even something as epidemic as XSS is not a difficult issue to either exploit (usually) or prevent. This is basic stuff that we’re still struggling with.

(On a flip side, I find it equally as bad to be both complex and an expert in it, as that means only you have the knowledge to make things work…complexity begets complexity begets less security…)

I made a few discoveries this weekend. First, a wireless access point has popped up in my neighborhood recently that is not encrypted, as a quick test of Netstumbler showed me. Second, my newest used laptop appears to be equipped with an Atheros card. Oh joy! I might just have to dual-boot that guy into Linux!

I hopped on the wireless network to poke around, but the Netgear AD password had been changed, and the one other system on the network was sending very few packets across. In fact, all the packets I picked up, with few exceptions, were not being decoded by Wireshark properly. They keep coming up as a Belkin MAC and something about broken packets. I’m wondering if this is something like a Netgear/Belkin combination using proprietary “speed-boosting” which is mucking up the packets. I fired up the newest Cain as well, just in case something interesting flew by.

I’m not really sure since I’ve not seen it before, but I’ve left the laptop on the network and will check it out over the next week or two. I do have an Internet connection through it. Windows Network Neighborhood gave me the computer name which happens to be a girl’s name, and the AP SSID was a last name. Tonight I need to check what IP I have so I can get the service provider and IP to do some external testing, although I suspect I won’t find anything useful. Given some Google searches and any possible traffic that I can decrypt, that is quite a bit of information to leak already.

At any rate, it is fun to have a spare system that I can just dedicate to wireless stuff. I’ve been wondering what to do with the system, as it is a little too big to properly carry anywhere (about 10 lbs and only fits in my backpack) for real portability, especially since I have far lighter systems. But now I think I have at least one use for it as a wireless workhorse.

I’ve seen a few “wide scope” posts lately about the state of security, but this one has some of the best points in it, and presents them very well. Mostly I just want to save this for my own use in the future.
Just one comment on it. Items 14 and 15 talk about how we cannot seem to agree, as a field, on best practices. Those posts are illustrated in item 2 on disclosure practices. Many of us understand both sides of the equation and even the grey area in between, but yet we still fall on all sides of the debate. Sometimes there is really no universally correct answer…especially in such a complex field as IT and security.

The first Syadmin of the Year awards have just been announced. While half the stuff said is likely embellished and it is just a little pat-on-the-back kind of site, I just thought it was interesting to see what these guys did that made their peers and co-workers nominate them.
I also would like to note that not one of them (with the Air Force exception) is wearing a tie to make them work better. Nor do any of them work for recognizable large-type corporations. These guys just plain “get things done” as opposed to running the gamut of business politics. And I would be willing to bet that every single one of these guys actually truly loves their job and company. Happiness == productive == successful.

Saturday saw me working most of the day on some productive stuff. On my test server I was finally able to install compatible and updated versions of Apache, MySQL, PHP, and Perl along with a new version of Movable Type. And I got it all to play nicely and properly render my website in full. Finally PHP and Apache2 ironed their issues out and I can proceed with my upgrades.
But this reminds me of the futility of trying to maintain a server and network in terms of security, and I don’t even have all that much stuff installed.
My old server is a Windows 2000 Pro system that would have a 100% uptime if not for power outages and apartment moves (and update reboots). It runs MovableType1.2 I think, with 4 year old versions of PHP and Perl, a year old version of Blosxom, and Apache 1.3. I’ve not really updated the system itself in about 4+ years. That’s heavy! And I’m a paranoid security guy who truly does know better!
Now, I will have updated versions of all of that, including a Wiki program. This means I need to keep up on:
– keeping my installs updated by applying any patches or security upgrades
– keeping my code secure by knowing how to program in a secure fashion
– remain an expert with all those technologies so that I know how to properly secure them
– for every update, be able to test it before putting into full production, or be able to spend time to recover when something royally screws up
– maintain resources for backing up the important stuff
My environment has two systems and a half dozen apps and a single OS version. And yet that’s already a very big list of tasks up there. Just think how tough it is to be secure on a corporate level where every department has their own desires, software and web developers use their own systems to host things when they don’t get their way on servers, and so on. It is no wonder that there are thousands of vulnerable forum sites out there running unupdated software. You can just wince when coming across an old forum site whose last 6000 posts are spam ads for Viagra.
Now, imagine turnover in the IT space. A 5-year vet of a company leaves and takes a heck of a lot of institutional knowledge with her. That might mean some systems have unknown software installed that no one else knows about, and no one else can manage. Imagine those things being used by someone for something critical, and by the time some issue arises, the company that created it (or internal developers) are no longer in business and support is not possible. Legacy is a very apt word for what we will go through as the years go by…legacy apps, systems, serers. It’s not just hardware we need to worry about anymore, or bulky mainframes in basements.
Unless a corporation is very diligent and very controlling (which everyone resists vehemently), the application layer is becoming a lost battle. It is enough for IT divisions to attend to downtimes, connectivity, and failed hardware, let alone to stay abreast of the latest news on package Y or application X. And we can rest assured that we’re also losing the battle of getting security packaged into software from the start.
As a side note, just think how much knowledge a tru security pro needs. Not only do I need to know how to install and secure Apache, but I need to know how to break it too. I also need to know what is bad in php (i.e. I need to know how to code it). I need to keep up with all those areas and updates. I need to have intimate knowledge not just of the OS, the apps, and the code, but the countless interactions between those two… Very, very heavy…

The “next year” predictions has begun. McAfee issued their list of top threats for 2007. While they are driving their own market, they also take the easy road and state the obvious. It reminds me of the Top 20 Attack Targets from FBI/SANS which covered just about every broad base in the digital world that you can. Great, talk about useless.
For my part, rather than just rehash the same old, I thought I would just issue out some thoughts I had for the coming year and beyond, by going out on just a little bit more of a limb than saying, “spam will rise.”
convergence of culture on security policy – In the coming year and years we will see more of our digital culture permeating every aspect of our lives, and workplace policies will need to adjust or become obsolete or even barriers to getting good talent. Web filtering, Email filtering, IM controls, device restrictions, and the like will all be challenged as the Internet generation continues to fill more and more roles in the workplace and the digital lifestyle fills up and moves beyond just personal time. Companies need to embrace these changes and technologies now, instead of waiting until the pot boils over. It might be tough to properly handle IM, but it should be started now anyway. And dare I mention continued DRM and copyright troubles? Naa, that’s obvious.
pockets of wireless driver exploits – The wireless world did not see huge gains this year in tech, but it did collectively hold its breath for news on wireless driver vulnerabilities. Granted, we had to wait longer than expected, but they are obviously present. And who updates drivers anyway? (Only three groups in Windows: gamers, people reinstalling their system [albeit usually from a disc], and us geeks…a vast minority of users…) Because of this, and the continued trend for municipalities to roll out widespread wireless access, I expect some pockets of wireless exploits to be had, whether it be a muni, airport, or university or corporate campus. Considering how deep the vulnerabilities get and how often people do not update their drivers, I expect something like this to be wormable, especially from an airport or location where the infected laptops migrate offsite. Issues like this might not be found out for days, when it is too late.
Managed security and IT takes a strong hold – More and more companies will realize that IT and security is expensive. It is difficult to manage, and even more frustrating for the professionals who know what to do but don’t have the time to perform the needed tasks, or for the professionals who don’t know what to do but have to take time to become experts. Ask any pro who has had to juggle their daily tasks while also researching the viability of blades and/or virtual systems. Suddenly you have to be an expert. Why do all this when this can be outsourced or at least managed by a third party. And as this continues, the industry will grow as well, by experiencing scales of economy and being able to best utilize expert knowledge and quality talent properly. Why should one awesome security pro manage only one client, when they might be able to effectively manage 5 with some extra hands to help? This is a classic fully mutual economic growth where companies will fuel this and providers will get better.
More disclosure debate – The disclosure debate will get hotter, especially just today with announcements of the Week of Oracle Bugs being cancelled due to some external pressures and Vista coming out. This debate will get ugly before it gets better, especially if something else comes out that really exposes government, critical infrastructures, or large swaths of people. And if people start exposing exploits, will someone finally sue for having spoken out about it? Should we pretend they don’t exist until someone uses them and gets caught or detected? Hopefully this stays out of the mainstream media otherwise we’re all in trouble.
laptop theft and data disclosure not going away – Ever since we’ve had laptops, we’ve had lost laptops and data on those laptops. The media keeps acting like this is some new amazing trend we’ve never seen before, but it is as old as the concept of possessions. This will not be going away because we continue to make laws to disclose losses, we get better at detecting and tracking these things, and the number of mobile devices and expectations of mobile work is still growing at a huge rate. I just hope the media stops reporting every single one, thus numbing everyone about it.
the rise of the browser – The web browser is already an over-powered computer application. It has become almost bigger than the OS itself, and will keep going until all you need is an OS and a web browser to access all you need. This is dangerous and illustrates how technology is pushed and pulled without regard to security. Web 2.0 has assured this.
the decline of the OS – The OS is slowly going to fall out of vogue. People hate upgrading and the insecurities, people don’t want to pay money to have their known and accepted OS replaced with yet another interface that must be learned. And with the rise of the browser, there is a very real chance that security just gives up on the end system and moves security into the network. Next year will be a dangerous time for the OS and browser, and Vista right now holds the reins.
Mac will have malware – The Mac will finally get hit with some definitive malware, which can finally shut up all the Mac fan boys (my next laptop will be a Mac) who keep dodging around and protecting their precious “no malware on Mac” claims. This will occur next year, and we can all finally move on with life and get some great things done without this marketing zealotry always muddying the waters of the blogs and media.

My move to Linux as my main computer system is about 80% done, I think. That figure does not include things that don’t run in Linux, like Ventrilo, some games, and Soulseek (p2p network). But the rest is coming along nicely.
I can now rip new cds using Grip. I have installed XChat for some IRC socializing (I had no idea there was a Windows version of XChat…yeesh). I found that GAIM will support GoogleTalk (Jabber) although it won’t do voice chat. And I’ve shored up some problems with Totem and Mplayer not being able to play some media files like WMV files.
Basically just ironing out lots of little issues and problems this weekend. My external (NTFS) drive still is a bit picky. Sometimes I can write/delete files, but sometimes some files just won’t delete. I’m tempted to just run a backup of the data, format the drive in FAT32, and be done with it. I know I’m not really utilizing the powers of NTFS on it anyway, even in Windows. A thought to toss around…in the meantime, I’m becoming more familiar with mount/umount.

Sometimes even I get some spam mail that makes me blink and think for a moment. I received an email about an order I didn’t make on Newegg.com, a site that I frequent fairly regularly. The email came to my email account registered on the site, and had no links, only an attached .pdf.exe file. I even logged into Newegg.com just to make sure there were no purchases. I then checked the headers on the email that purportedly came from info@newegg.com and it instead came through an email server at bunsen.com, which forwards over to the official web site of The Muppets. In checking records, yup, the originating server appears to be part of the go.com network, which is part of Disney. But in checking my mail server logs, I see this email actually came from a system on a cable connection in Turkey.
While we talk a lot about security and how things can be circumvented and broken, rarely do we get down deep enough to talk about how trust is being affected.
I cannot trust the content of email.
I cannot trust the values in the email fields.
I cannot always trust the headers shown to me when I dig deeper.
I cannot trust the sender.
I possibly cannot trust Newegg.com with my info.
I might have distrusted The Muppets and Go.com and Disney.
I might not trust dns and whois information.
I might distrust foreign servers.
In the end, sometimes you can only wrap yourself in the comfort of the trust implicit in the protocols underneath the Internet, the logs of the devices and services offered…which is typically beyond the reach of your average user…