I just want to post and save a link to a discussion/essay that RSnake has written. In it, he talks about increasing the penalties for digital crime, maybe to an exaggerated level. It is worth a good read along with the comments.

Like security, I’m of a mind that there is no “solving” of digital crime in general. It is a fact of life and we have to find a moral equalibrium, just like any law enforcement category.

Sadly, I think the only way RSnake’s approach will work is if we remove one of the fundamental drivers of what makes many of us even use the Internet: the privacy. To achieve better punishments for more criminals, we absolutely must remove the anonymity, privacy, and transparent digital borders between nations.

This all goes back to what your “security religion” is. Are you a glass half empty kind of guy? Are you a “It’s not secure unless it is absolutely secure? sort of guy?” Or are you a glass half full person who sees value in partial security or incremental steps towards a goal that doesn’t need to be absolutely attainable? This is not just fundamental to a consistent approach to security solutions, but also fundamental for our attitude in our career.

I see Krebs (via Mogull) has posted about an astoundingly large payment processor data breach at Heartland Payment Systems and may affect 100 million credit and debit card accounts. By the way, do as I do: use your credit cards only when you need to! I don’t even use a debit card.

Heartland called U.S. Secret Service and hired two breach forensics teams to investigate. But Baldwin said it wasn’t until last week that investigators uncovered the source of the breach: A piece of malicious software planted on the company’s payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company’s retail clients.

Baldwin said Heartland does not know how long the malicious software was in place, how it got there or how many accounts may have been compromised. The stolen data includes names, credit and debit card numbers and expiration dates.

Some questions I have:

So, how did malicious code get installed and run unfettered for as long as it did?

What led to the suspicions that a breach had occured? It sounds like the malicious code was found only *after* experts were called in. Why were they called in?

What breakdown led to all of this? I hate asking this question, since too often we get zero details on how these things truly happen, as companies, people, and legalese cover it all up leaving the rest of us unable to truly learn from their mistakes.

Was the firm PCI compliant? This is mostly a trivia question, but it will get asked so I might as well join in. PCI compliant or not, there *will* be incidents, even large ones. But it is useful to see if PCI or compliance in general is just not working as the means and end. PCI and any compliance should be an “oh yeah, we got this on the road towards being more secure,” as opposed to being the driver or the goal.

What could have prevented or, better yet, detected this issue? This is part of the “let’s learn from their mistake” that never gets truly answered. I imagine some egress monitoring should have helped…100 million transactions a month all going back out to one or a couple locations should have been spotted, right? And if you do *that* much business, you should have damned good monitoring on systems for processes and digital integrity, right?

I sometimes skip posting about major events for a few reasons, two of which being I hate sounding like I’m just repeating what everyone else says, and any one who reads my blog should be involved enough to not use my blog for breaking news.

Anyway, the Downadup/Conficker worm has arrived and made its way into the mainstream media. I posted some info to my team and boss about it this weekend. Here are some links to more information (the more the better, especially for the analysis since no one source seems to get it all).

CNN article
F-Secure details
SANS info

Really, this whole worm occurence begs the age old question, “Did you update when you were told? Did you even know this was brewing?”

For us, this is still a somewhat non-event, although the widespread reality of this worm raises my concern over incoming laptops and VPN connections from home users, but not enough to keep me up at night, yet.

A SANS Diarist (Daniel Wesemann) details going from a packet capture to binary recovery to malware investigation. I’m particularly keeping this for the packet cap to binary conversion. One of many ways to skin the cat (skin the cap?).

Joel Spolsky recently posted his latest inc magazine article dealing with the topic of performance rewards. While I think he dropped the ball on the actual reward he offered, I feel he has good food for thought on the subject. Questions like:

How do you measure performance and contribution?
If you measure, how do you know you’re measuring enough pieces to get a proper view of the employee?
How do you reward contribution without stepping all over your other employees?
How do you reward such that a competitor can’t just match it and steal away the employee?
How do performance rewards influence the attitudes of the other employees?
Should you reward based on how their updated resume would look to someone else?
Do you want to run a socialist or capitalist company? (Ok, I’m stretching it there!)
I think Joel has a good approach when he talks about the intrinsic and extrinsic motivations. Money and peer recognition are cool, but ultimately geeks like me derive their motivation internally because we love what we do and want to do it well. Obviously, that is not for everyone or every company.

Why do I think Joel dropped the ball with his example? Because that intern walked away with absolutely zero reward from Joel; instead walking away with what amounts to a coupon for a store you may or may not want to shop at again. Granted, his real reward (especially as an intern) are the line items on his resume and knowing Joel was impressed. I’m also not a big fan of ‘stock’ in its various forms. I’m not a huge fan of only doing peer recognition (unless it winds up as a resume line item) because it really has little monetary value (the fundamental reason almost everyone works) and can become so unvalued in other ways over time and if mismanaged. And I can go both ways when it comes to performance-based rewards.

Obviously Joel does other little things beyond direct monetary compensation to make work enticing and fun for his programmers; making it a place they *want* to work. So maybe he doesn’t truly need to think too hard about monetary performance-based reward schemes and instead keep doing what he does. Maybe give Noah an extra gift of some sort, but don’t otherwise break the cooperative culture that he obviously values. Maybe the reward or lack of one should not be a reason his workforce remains present and motivated.

At the bottom of the article, click the link to go to the base page if you want to read other comments posted directly to the article.

If you want to get my feathers ruffled up a bit, bring up the topic of SSL and browsers. The whole situation is a mess, and I blame the browser makers (and partially our extended use of the web outpacing SSL updates) for muddying up the waters. Did we *really* need EV SSL and browsers throwing error messages on *everything* that wasn’t EV SSL? It’s just silly… Half the problems (sure, that’s my scientific measure) with SSL arise because of the browsers and the “market” for PKI. Sure, for consumers, they should be on the lookout for self-signed certs. For geeks that manage network devices and internal sites, self-signed certs are a daily reality.

I need to stop on that rant before I look more foolish than normal!

A new site, SSLFail.com, by Marcin and Tyler illustrate the issues SSL and web browsers (and admin teams that try to manage them) have. Not only does the site present images of failures in SSL usage, but they also have informational posts if you want to learn more about SSL and the nuances involved with it. To be honest, if you manage any device that uses SSL (web, network, VPN…), I’d suggest checking the site out. Hell, even if you just like to sit back and laugh at the security failures (or admin issues) other people have, check it out, too!

To circle back around to an earlier link to a packetlife challenge/contest notice, the answers are now up. What did I learn? Well, I didn’t know Wireshark could decode SNMPv3 data if I had the proper info. In fact, I couldn’t even do it with my installed version of Wireshark. I had to update to get the features. Cool challenge. Simple, but not necessarily elementary.

Articles like this one on the IRS in NetworkWorld (channeling a GAO report) often leave me shaking my head in disgust. And no, it’s not because the IRS has security issues (we all do!).

“The GAO said the IRS had mitigated 49 of the 115 information security weaknesses that the GAO reported in early 2008.”

Fine, I agree we need to keep nipping at the heels of the people who should be securing digital assets.

But I disagree with the general tone of this article that implies three unhealthy things to me:

1. “Let’s hire contractors to knock away these final 49 items, and that will be when we release them.” – I don’t like this because it implies what much of business thinks: Put in the time, and then it’s done, game over, let the contractors all go. Yes, some things in security require time and then you’re done for that technology cycle, but too much has to be ongoing. It is dangerous to put too much emphasis on a milestone like this. People and oversight and maintenance are probably more important than the initial implementation. There’s really less breathing easy after you check those last 49 things.

2. “Man, just do those final 49 things. All it takes is to just flip that switch and turn those things on.” – Security often takes time, especially in a large, critical entity that likely cannot absorb long downtimes or huge sweeping changes. Even in small companies, relatively “simple” things like permissions can result in dramatic business changes. They may be necessary, but they are not often quick.

3. “There are only 49 weaknesses left, and then we don’t have to worry anymore.” – This gets back to point 1, but is a slightly subtle difference. Rather than saying the checkmarks are a milestone, but rather assuming the checkmarks are all you ever need to do.

The article may mean well, but I find it implies a dangerous, unhealthy tone and attitude. It really is not just the article, but all checklist-driven security eventually reaches that tone when overemphasized.

I’m finally getting around to reading the NetworkWorld article that cited Fortify Software Inc. co-founder Brian Chess as essentially saying that penetration testing as we know it today is dying/dead. The article further states, “Customers are clamoring more for preventative tools than tools that simply find the weaknesses that already exist, he said. They want to prevent holes from opening in the first place.”

Talk about confusing!

I think the assertion is correct that customers want preventative tools. I want preventative tools wherever possible. But I think there are three incorrect assumptions here. First, that preventative tools can possibly prevent or even anticipate every potential hole (or even most of them!). Second, that preventative tools are something more than just a band-aid on other issues. Third, that companies know all their weaknesses already.

The article (and Mr. Chess) make it sound like the security buck stops at “preventative tools.”

There is value in preventing issues, but there is no way penetration testing is going away or even beginning to die or dwindle for many years. Too many corporations still thirst for knowledge on their security stances and weaknesses, or for more leverage to higher-ups for budgets or project direction.

Prevention, detection, testing…these and more are all parts of a solid security posture. No one trumps the others, nor does one lag behind as dying or even changing.

Here are a couple statements on my view of pen-testing.

If you have little existing security, pen-testing helps give direction and information on where to make improvements.

If you have a security plan in place, pen-testing helps give third-party validation to the results, while also potentially exposing weaknesses that were overlooked (the more eyes that read this post, the more we can say all the typos were caught!).

Linkage to The 2009 CWE/SANS Top 25 Most Dangerous Programming Errors (pdf). I clicked through thinking, “Wow, 25, did you leave enough out to make a ‘Bottom 25’?” But as I skimmed through it, it seemed like a pretty logical listing and a decent read as well. If I had a suggestion, it would be to dump the cute analogies in the Discussion sections of each entry and replace it with a technical example or two.

And include, “economics” and “shortcuts” and “cheap coders” as dangerous errors too. 🙂

A couple points I want to throw out for a Monday:

1. Security takes knowledge.
2. Security takes time.
3. Insecurity arises when shortcuts are taken. (Yes, you fall into this area, web developers!)
4. It is no surprise security permissions (in general) are lax, because they suck to manage.
5. We all started in a place where we didn’t have expert knowledge.
6. Don’t overinflate your abilities. This is where ‘paper CISSPs’ harm our field, not because they aren’t experts yet, but because they profess to know more than they do.

In recent weeks, Snosoft’s (Adriel Desautels) blog has delved into the topic of fraudulent security experts and how corporations can tell if they have a quality security expert (or vendor). I applaud the effort, even if he is preaching to the choir and may be tackling issues that are universal and have no absolute “oh-my-god-epiphany-that-will-change-the-world” answers. Those posts and a headache-inducing security permissions issue I tackled today prompted this post.

I had a longer essay presenting those 5 topics above, but I think I’ll just let them sit alone. Anyone reading my blog can either outright agree, or think for themselves on how those points apply. Just one hint: “knowledge” can refer to both technical as well as business knowledge.

When posting a quick series on a blog, which number do you start with? Do you use “1” for anyone who gets updates and reads them immediately, or reads them from oldest to newest? Do you start with the last one, so it reads properly in a reader or on the blog itself? Do you make it all one post, which diminishes the stand-alone value of all points? (Kinda like mashing 4 ideas into one paragraph, the first and maybe last get special value and the rest are mushy potatoes in the middle.) Ultimately, blogs fail…but hey, we all have things to say, even if no one is listening.

What is it about the Internet that has most changed our lives and society? Well, I would surmise that it is our ability to self-serve information-finding. In 1990, what did we depend upon for information? Today, I can self-serve by looking it up.

What is the next “Web?” Well, probably immersive virtual environments, even though it seems a bit counter-intuitive on some levels. For instance, Sony’s Home will be interesting to watch develop. On some levels virtuali environments work, like online training experiences or meetings. On some levels I imagine it doesn’t work, go to an arcade in Home just to play a game…why the extra lobby/step?

For future reference, SourceMap: “SourceMap is designed to scan to a port from multiple different source ports, to aid in finding weaknesses in firewall rule sets. It is possible to scan ports on a host from all 65535 source ports, somthing that nmap could not do. SourceMap is a mutil threaded perl wrapper arround nmap.”