incomplete: shmoocon podcaster’s meetup interesting topics

I wrote this months ago but I guess I forgot to publish it. Maybe I wanted to proof it more? Who knows, but here it is. Any non-bullet points that are bolded were added by me just now.

The mess that was the 2010 Shmoocon podcaster’s meet-up audio is available. I totally could use not hearing Paul “shhh” on a mic ever again! The talking was pretty crazy and all over the place, even disrespectful (hey beer was involved so it’s forgivable), but I feel like they did touch on some extremely important questions. Questions I’d love to hear them discuss again in a more refined situation (arguably, a podcaster’s meetup is more party than panel, however!)

There are no correct answers to these topics! That is probably why opinions in these discussions can be very passionate and even violent! Sometimes in certain properly bounded contexts, there are correct answers, but mostly not.

(Late update: Personally, the more I listen to Chris Nickerson, the more I appreciate his frank opinions and where he has his head. It’s in the right place, and while I know he can have an acerbic sense of humor to some people, he’s increasingly one of those voices worth listening to if he tells you something.)

1. exploit vs not exploit – I’m not sure this topic was given its fair due, but I’m not sure everyone was on the same page in the discussion anyway. Andy Willingham gave this the once-over already in a blog post. The topic brings up good questions on what you do on a test and what is actually meaningful. I notice I didn’t really weigh in on this topic, and honestly the view from the fence is fine for me and probably reflects both my security and operations sides.

2. SMB vs large enterprise – There is a big gap that is hopefully becoming less the elephant in the corner and more one of the usual voices in the conversation. The world of the SMB in security is dramatically different from that of an enterprise or a city-state-nation. Approaches that work for large enterprises can be ridiculous for SMBs, and vice-versa. I think it matters that this came up multiple times. This still needs to come up, and the topic deserves a month of posts in itself.

3. properly presenting findings/recommends to a business – I’m finding it hard to word this topic, but it really runs the gamut of how you present security to an organization. And this digs at a very sensitive topic: security aligning to the business. I sympathize with all sides to this discussion. You could give the security teams and CSO their highly technical reports and let them distill it down to what is relevant. Or you could align yourself with the business and report your findings directly to someone like the CEO, in the CEO’s terms. Honestly, maybe pen-test teams need to have both capabilities and have that project manager/lead who is the one that acts as a temporary CSO in the absence of one. This is a great topic, by the way, and I think really demonstrates the art and the versatility today’s security experts need to have; both the technical chops and the strategic chops and the ability to know when to use each.

4. “good enough security” – I think it was Mick from Pauldotcom that brought this up, and it didn’t get enough treatment, although I think this is also just as passionately divisive a topic as any. When you accept that there is no ultimately “secure” state, or there is no “win” in security, then you really do subscribe to some form of “good enough security.” Where that proper line is drawn is really the art of risk management, and that line is probably far lower for SMBs than large enterprises. Security pros these days have to be able to get into the mode where it’s not just about violently defending every little insecurity, but about recognizing each issue as part of the whole. Bad password policy? Fix it!! Outdated SSLv2 still enabled on an internal app that is 5 years old and used by one team? Consider letting it slide. (Side note: This is where lack of real security chops can bite many people in the ass. It is inevitable that non-tech people will look at issues presented and demand fixes for each one, even the “low” priority ones. This creates wasted effort and inefficiency…and so on.)

5. privacy differences between europe and the us – I thought this was an excellent question by Nickerson to spark some conversation on a topic I hadn’t really dwelled on before. Because Europe has a different emphasis on privacy for people, they have an entirely different mindset in regards to security in organizations. Not saying it’s all good, but the difference can be useful.

6. listening to internal security experts vs paying someone outside the company to say the same damn thing – Good point on this topic, and I think every penetration tester or consultant or third party needs to not just work to align with the business and talk in a way the CxO understands, but also empower and support those internal persons who make security happen. Recognize and empower (and not undermine!) the talented security folks out there. Build networks, exchange advice, encourage; don’t have an antagonistic relationship with them, plop down some mysterious report on a CxO’s desk, then walk away briskly. Try to change the way the CxO views her internal support staff so that we can Get Shit Done. But yes, it really, really sucks when a CxO pays top dollar to get a report that says the exact same thing I may have been saying for years.

If there’s any topic I’d love to have brought up because it fits with this motley crew of passionate voices, I’d have asked opinions on MSSPs vs internal staff, both for large enterprises but also SMBs.

incomplete: fundamental cultural changes caused by the internet

I’m sure there are plenty, PLENTY, of other essays by far smarter people than me in this topic, so rather than let this languish in the “polish this up” bucket, I’ll throw it out as is because I know I’ll never truly ever finish this. Still, this actually reads fairly decently for a 30-minute stream-of-consciousness bit. Oh, and I know it’s not ten!

Ten Ways Internet/Computers have changed our culture deeply.

– I barely know what a phone book is anymore. If I want to find a location or phone number for a business or category of business that I need to visit, I’ll search for it on the web. This is a culmination of easy, extensive searching and ubiquitous web presence. Phone book? Ok, I’ve used it to find a mechanic on a Sunday…

– Dispelling irrational answers to questions – Back when I was a kid, you had four places to glean information, in general: media, teachers, parents, public library. Media would have included newspapers, magazines, radio, and television. All of these meant effort and a certain expectation of trust. The web still requires trust, but I can much more quickly find corroborating stories and information and weed out the misinformation. While the web may not give accurate information all the time, it at least gives me a better chance of self-serving accurate information.

– I’m more in control of my time. While the Internet seems to suck time away with an infinite number of things to do and see, it does let me bring back time control into my life. Rather than wait for 30 minutes in the evening news to see the sports scores or tomorrow’s weather, I can get it immediately online. I can skip the things I don’t care about, and read more of what I do care about. I can shop and order products online, research and compare.

– I’m more in control of my tastes and interests. In my youth, I was only exposed to whatever was near at hand, for the most part. Musically, I only experienced what was available on the radio, television, or through friends, all of which precluded most anything that was not pop-oriented. With such portable media and access to anything I want, I can expand my boundaries and listen to musical media that I never, ever will hear on the radio in the central United States. As a kid, if I wanted to figure out the solutions to a particular video game, I had to wait for it to be released in book form, in a magazine, or advice from friends in my neighborhood. My neighborhood for interests is now limitless, and I don’t have to leave a game unsolved.

– My social network has grown. As a child, I had a finite number of people I knew and could spend time with, all of which had to be in close proximity to me, unless I picked up a pen pal. Today, I can get first hand information about life in China through knowing people either in chats or other social networks, or through their blogs and stories.

– My idea of a job has dramatically changed. I can’t actually imagine what I would do for work without the computerization revolution. I have not experienced office work without automation or computers or digital information. I’m not that removed from such an archaic workplace, but it certainly seems a world away.

– I am a much more informed and well-supplied consumer. Rather than rely on a magazine, friends, or in-store help, I can self-serve online research on what products are good and which ones to avoid. Hell, I can also buy things online without getting up off my ass, either from storefronts or auction sites. In fact, not only can I research online, but if I want specific item ABCD, I don’t have to hunt my city for it and maybe walk away empty-handed. I pretty much *will* find it online, somewhere.

incomplete: leveling up your security career wow-style

This is an incomplete thought I first jotted down a while back, but never fleshed out into something more coherent. I liked the thought though, and wanted to just release it as is and get it off my “unpublished” list! I was reminded of this post by Rothman’s recent Securosis blurb about practice (way at the bottom). Thoughts added just now are in bold. Keep in mind this is incomplete, unedited, and unpolished. I ramble and mix things and even repeat things with wild abandon! Oh, and even now as I play some Starcraft 2 and get my ass repeatedly stomped in Platinum 1v1, I know that I can read and practice against the AI and read some more, but nothing will replace actual experience in going into another game and getting stomped and learning the hard way.

I’ve not made it a secret that I’ve been an avid World of Warcraft (WoW) gamer for years. I definitely don’t play as obsessively as I used to (for those in the know, I ‘hardcore’ raided MC, BWL, AQ40, and even some of Naxx40, then skipped ahead after a break to ‘softcore’ raid Hyjal and BT pre-nerfs; since then I’ve done a couple naxx25 clears and that’s it beyond 5m heroics and casual leveling), but even my casual playing sparks some interesting thoughts now and then, especially when it comes to “leveling up.”

In WoW, and really any other RPG game, there are a few key tenets to making the most of your effort. Surprisingly, these tenets can match exactly across to real life endeavors. And every time I put forth some effort to improve one of these tenets in WoW (leveling up a toon, making some gold…), I’m reminded of the opportunity cost of putting that effort into something more tangible like my security career. (Don’t get me wrong; I’m a lifelong video game hobbyist, and I’m not saying video games are useless, but it shouldn’t dominate one’s time, just like any other hobby pursued in leisure time!)

So if you find yourself stuck in an MMORPG gaming rut, start looking to translate that effort over to something useful in security. This may start with asking yourself what it is about gaming that is relaxing, and why security does not bring that same relaxation. If it relaxes, stimulates, and makes you happy, then your free time will be spent in it just as casually as a 4-hour trip into WoW.

1. Knowing your class. From here I was going to go into knowing your skills, strengths, and weaknesses. In WoW, a warrior class doesn’t try to heal, and translate that into security skills and roles…somehow.

2. Grinding (aka leveling up). This is pretty basic to any role-playing game: your character gets stronger the more experience he gets, aka “leveling up.” In gaming, “experience” is usually a value, even if it is hidden behind the scenes, which accrues as you fight and kill monsters. As your experience increases, you gain more power, and can tackle more powerful monsters, which will gain you experience…and so the hamster wheel begins to turn. A more physical version of this is lifting weights and slowly increasing your limits as your muscles and supporting structure build and grow.

Sometimes this is a “grind.” “Grinding” in WoW means the slow cycle of killing monsters and doing the same ol’ quests to gain your experience; basically it becomes a long, boring grind…kinda like work!

Growth in a security career comes much the same way; the more experience you have, the better you are able to handle the challenges in front of you. Often, this is gained by simply doing security-related things. The more nmap port scans you run, the better you are able to tackle complex scans. The more you use Metasploit to expand your empire, the more you can dig into the lesser-known components of the tool and not get bogged down on strange gotchas. The more PCI audits you do and reports you make, the better and quicker you get with them, and the more value you can provide efficiently to your client.

We often don’t have an end goal in sight, but rather know that we simply want to level up.

3. Leveling up tradeskills. WoW has what are called “tradeskills.” These are skills you build up by doing that activity. For instance, Fishing and Blacksmithing are two tradeskills. You can fish better and do blacksmithing activities better by, well, doing them in the first place. For something like blacksmithing, the higher your skill, the better your opportunity to make really cool and valuable things.

In other words, if you want to be good and useful at something specific, you have to practice it and get better, especially when it comes to various skills you want to acquire. Unlike leveling up, most often this begins with an end goal in mind, for instance, being able to use a particular skill to create/do XYZ which will gain you money or notoriety.

You want to be good at public speaking? You have to do some public speaking. You want to be good at coding exploits? You have to code some exploits. You want to be good at picking locks? Obviously, you have to pick some locks. (Nicely, WoW has a lockpicking skill you can build!)

And just like starting out your skills at a puny level in WoW, you usually start small. You do some low-key public speaking. You walk-through an exploit tutorial. You pick training locks.

So if you want to be known as being good at some tools or aspect of security, you gotta practice it and build up your skill. This isn’t so much a part of your character and confidence like leveling up your character, but more like being good with the tools you have and want.

In WoW, you can leverage these grown “tradeskills” to make in-game money so you can buy cooler gear and weapons. In real life, well, these skills will get you nice REAL things.

4. Gearing up. In WoW, your character’s success relies on more than just his level (aka amount of experience earned). Success, especially as you get further into the game, resides very much in the gear and equipment you’ve acquired for your character. You won’t be very successful with a low level sword, but if you find a badass high level sword which you can use, you’ll be nicely ready to do some damage to the next red slime that oozes your way. Gearing up means a few things. First, giving yourself a chance to get/buy/find the gear. Second, knowing what gear is useful to you.

Security careers have the same dilemma. Some tools are going to be useful to you, but some will not.

Strangely, WoW doesn’t have unlimited inventory space for you to keep 1000 pieces of gear. In life, you really don’t have the aptitude and time to likewise hold onto and learn 1000 tools. Figure out what you need to improve, and pursue the tools that will help you succeed in your goals.

WoW players can put a ton of time into picking out, pursuing, and testing out their gear.

Oh, and don’t forget that you can get a bit literal with “gearing up.” A nice pair of slacks and a tie can increase your chances of getting what you need out of management, at times.

5. Socialization. The “MMO” part of the MMORPG genre means “massively multiplayer online,” meaning you’re playing with lots of other actual people around you. You can spend your time in a game like WoW and never bother with anyone else, but you’ll only be able to learn on your own so far, and you certainly cannot see most of the end-game content and challenges unless you socialize to some degree. Most often to experience end-game content, you have to join a guild (a group of players, much like a team) and start participating in group runs through tougher dungeons.

Obviously, careers are the same way. You can probably get by on your own for quite some time, but there will be many doors you simply can’t open or even get near without socializing with others in the career. Whether that is simply networking to find new opportunities, gaining contacts you can turn to when you need assistance, or finding smart people from whom you can learn new skills and knowledge. Better yet, this also means socializing with people more “newb” than you are; which gives you a chance to reinforce your own knowledge by regurgitating it to others to help them.

incomplete thoughts: really changing the game?

This is an incomplete post that I never published and don’t see myself truly completing. And rather than keep it in my list of nagging unpublished things, I thought I’d release it to the wild that is the blogs.

First, go read Rocky’s piece over at fudsec on changing the game. Then read Mortman’s response over at Securosis. Those two links started whatever thoughts I had below…I think some are points the authors were making, and others are my own responses…but I don’t recall. Any current thoughts I’ll bold.

This quick, dirty synopsis is for my own benefit to better dissect the point of the article, and also demonstrate what I took away, in chunks.

1. The Information Domain is manmade, and it is a domain where we can change the landscape, not be bound to changing for it.

2. We’re short-sighted, rather than long-sighted. We tackle immediate hurdles rather than perform city-planning.

3. Need to change from short-term fixes to long-term strategy.

4. 3 ways: leadership, research, information sharing.

5. Leadership: No one is jumping to save us. We need to lead the way.

6. “[Businesses] need to care much less about being compliant and more about being fundamentally secure – or if you prefer having better visibility into real risk [to the business, not necessarily to an asset].”

7. Too much of what we measure is point-in-time.

8. As infosec pros we have let compliance initiatives drive spending and have ridden along for the ride.

9. We lack the knowledge of the business and how to apply what we do in a meaningful way to the business. I still find this an arguable point. In some cases, the business needs to understand IT (and security) more to better understand business continuity… Nonetheless, this is usually the weakest point in topics like this, not because it is not true, but because it is arguable and situational. Can we always convince business to treat security more aligned with the business or part of the core business line? No. How often are we satisfied that security is good and top notch? Not often, if ever.

10. Vendors fall into the hole of non-innovative solutions that are just meeting our needs, without pushing forward. Vendors need to be thought-leaders. In turn, vendors need to listen to their customers and deduce their actual needs. Consultants need to listen better. Vendors are in the same boat as internal security experts: trying to sell the idea. It would be far easier to be thought-leaders if security weren’t already perceived as dragging on the heels of innovation and itself being dragged into the boardrooms by breaches/regulations. Huge point about consultants!!! Need to listen better and the industry needs to ditch or teach the charlatans.

11. Get past the “way it’s been done.”

12. Research. We need to support research. Research should be revolutionary, not evolutionary.

13. Information Sharing. Collaborate with industry competitors.

At this point my notes ended.

thoughts on the 2010 verizon dbir

Over a month ago, the 2010 Verizon DBIR was released. I’m still reading through it, but wanted to point out a low and a high point on the report. The low point (and by low, I’m not saying a horrible point, but rather just the lowest point in an already excellent and needed report!) of the report is including a significant amount of US Secret Service data. While this may prove over the years to be a very good inclusion, for now the USSS data obviously influences the percentages and totals. Of course, Verizon’s data set itself may have influences…so maybe the answer is to get more and more contributors and USSS is just the first.

Now, the USSS dataset influence is addressed many times in the DBIR itself. Which actually brings up the high point: the presentation. I love the way this report is worded, almost conversationally. They are candid with the data, point out conclusions, and even fuzzy places where you should maybe take the resultant data with a grain of salt due to whatever reasons. I totally appreciate that! In past years, I could make some inferences from the data that were not covered in the text, but I feel like this year the authors did a great job of analyzing and conversing about the data. I don’t actually feel like I can or need to infer my own conclusions. (Granted, you have to read the text to get that point, as the figures/graphs themselves can be misconstrued when out of context, in some cases.)

Also, the cover has a hidden message again, this year. This continues to lend “geek cred” to this report, along with the conversationally honest writing.

housekeeping – decompression

I apologize if you’ve submitted any recent comments. I’ve been swamped the past few months with work, and my free time has been spent decompressing with things like beer, podcasts, hookers, StarCraft 2, and so on. I just dumped about 10k comments which I quickly skimmed through, so I’m sure I dumped some legitimate ones by accident.

Keeping up on the latest security happenings, comments being submitted, and my own postings has been spotty at best. Things are looking to settle down just a little bit here, so hopefully I can get my own news-reading caught up as well. My RSS feeds are utterly out of control!

kidney punches from the windows dll hijacking vuln

There’s been a surprising amount of discussion about the recent Windows DLL hijacking vulnerability, often focusing on whether this is a Big Deal or something stupid. I won’t bother linking to anything or even joining in any further except to expound on my post earlier.

The DLL hijacking is interesting because, well…it’s like walking up to someone you have no reason to mistrust. You shake his hand, but while you do so, someone (maybe his evil twin who was following him) wings a hook beyond your peripheral vision and WHAM! kidney punch. Now, good twin had no idea evil twin was around, and was sincere in his greeting and handshake. But you left yourself open by shaking that hand, and evil twin dropped you to a knee for it.

We can often curse ourselves for shaking hands with the app/guy/file that throws the hook. You run an exe and that’s your problem. You run a streamed media file with malicious code, and that’s still mostly your problem (and partly the fault of the vulnerable app you used to open it). But in this case, you could open a completely innocent file, and get kidney punched.

That’s the important gist of the hijacking vuln, to me. That and the importance this places on patching 3rd-party Windows apps that are vulnerable to this method.

moaub has begun

The Month of Abysssec Undisclosed Bugs (MOAUB) has begun. Since this includes (or maybe fully encompasses) the people behind exploit-db and offensive security, we can probably expect plenty of explanation on the bugs, especially the planned binary analyses.

Seeing things like this and the people behind it, it makes me a little annoyed to be in operations for an SMB. Ops means knowing a bit about a lot of things, but rarely having the time to go into the deep dives often necessary for real security knowledge. I envy and support anyone who has that ability and time! /whine

unprotecting excel sheets

Ever solve a problem, then 6 months later need to solve it again but don’t recall how you solved it previously? That is the sort of housekeeping I’m doing with this post. I make no guarantee that the site or tool mentioned below is safe/secure for your use. Always take necessary precautions.

Have an Excel file that has password protected sheets or workbooks? I found a handy set of macros to facilitate unprotecting such files over at straxx.com. To be safe, I’d suggest unlocking the files, copying the contents out to a new file, and make sure no strange macros get carried over. I didn’t witness any, but better to be safe. And do this all on an expendable system. [excel password crack unprotect]
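For anyone wondering why a handful of macros can pop a “protected” sheet in seconds: legacy sheet and workbook protection does not store the password at all, only a 16-bit verifier of it, and Excel accepts any password that produces the same verifier. The following is an added illustration written for this post (not the straxx.com macros and not Microsoft’s code) that implements that verifier, the documented BIFF8 password hash (rotate each character left by its position within 15 bits, XOR everything together, XOR in the length and the constant 0xCE4B), and then searches the classic eleven-A/B-plus-one-printable-character space for a colliding password. The sample password is constructed; the algorithm assumes ASCII characters.

```python
"""Legacy Excel sheet/workbook protection verifier and collision search.

Added example for this post, not code from straxx.com or Microsoft. The
hash is the documented BIFF8 password verifier; the sample password below
is constructed and only ASCII passwords are handled.
"""
from itertools import product


def _rol15(value, n):
    """Rotate a 15-bit value left by n bits (the loader works in 15 bits)."""
    n %= 15
    return ((value << n) | (value >> (15 - n))) & 0x7FFF


def sheet_password_hash(password):
    """Return the 16-bit verifier Excel stores for a sheet/workbook password.

    Character at 1-based position idx contributes ord(ch) rotated left by idx;
    the length and the constant 0xCE4B are XORed in afterwards. Because the
    rotation stays inside 15 bits, only 2**15 distinct verifiers exist.
    """
    h = 0
    for idx, ch in enumerate(password, 1):
        h ^= _rol15(ord(ch) & 0xFF, idx)
    h ^= len(password)
    return h ^ 0xCE4B


def find_equivalent_password(target_hash):
    """Return some password whose verifier equals target_hash.

    Excel compares verifiers, not passwords, so any collision unprotects the
    sheet. Eleven 'A'/'B' characters followed by one printable character is
    the classic search space: the A/B toggles reach every even-weight pattern
    on bits 1..12 and the last character fixes the remaining bits, so every
    possible verifier is reachable in at most 2048 * 95 attempts.
    """
    for prefix in product("AB", repeat=11):
        body = "".join(prefix)
        for last in range(32, 127):
            candidate = body + chr(last)
            if sheet_password_hash(candidate) == target_hash:
                return candidate
    return None  # unreachable for a real verifier, kept for clarity


if __name__ == "__main__":
    original = "Sup3rS3cret!"  # constructed sample password
    target = sheet_password_hash(original)
    alternative = find_equivalent_password(target)
    print(f"stored verifier: {target:#06x}")
    print(f"'{original}' and '{alternative}' both unprotect the sheet")
```

Two caveats worth keeping straight: this is sheet/workbook *protection*, a convenience lock against accidental edits, not the “password to open” file encryption, which is real cryptography and is not affected by any of this; and newer Excel versions can store a salted SHA-512 for sheet protection instead, so the collision trick applies to files that carry the legacy 16-bit verifier. Either way, the advice above stands: open the file on an expendable system and copy the data out to a fresh workbook afterwards.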

the wide impact of windows dll hijacking issue

How can the recent Windows DLL hijacking issue affect me? Or rather, can it be used to specifically target vulnerable applications?

A disclosure this afternoon involving KeePass certainly does show you can target specific applications. For instance, if you can get someone with KeePass to attempt to open a KeePass file and load your malicious DLL, you can execute code…such as installing a keylogger/filemon to track what your victim uses to open that super-secret KeePass database.

Note an important issue here: While this vulnerability was announced by Microsoft, Microsoft may not be able to fix this underlying issue. Which really breaks many vulnerability management practices in enterprises that don’t do a good job keeping inventory of installed applications and their own updates/patches/vuln announcements.
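To make the “innocent file, kidney punch” point from the earlier post and the KeePass case above concrete, here is an added model (written for this post, not KeePass’s or Microsoft’s code) of the Windows DLL search order the loader follows when an application calls LoadLibrary with a bare file name. When a document is opened by double-clicking it, the current directory becomes the document’s directory, so an attacker who controls a share with a .kdbx on it also controls one of the directories the loader consults. The directory and DLL names are constructed for the example; only the order of the search (application directory, then the system directories, then the current directory, then PATH, with SafeDllSearchMode moving the current directory up to second place when it is off) and the two mitigations modeled, SetDllDirectory("") and the CWDIllegalInDllSearch registry setting Microsoft shipped for this issue, come from documented loader behaviour.

```python
"""Model of the Windows DLL search order behind the hijacking issue.

Added example for this post, not KeePass's or Microsoft's code. The
directory names and the DLL name "pluginlib.dll" are constructed; the
ordering rules are the documented loader behaviour.
"""

# Constructed file system: directory -> names it contains (lowercase).
FAKE_FS = {
    r"c:\program files\keepass": {"keepass.exe"},
    r"c:\windows\system32": {"kernel32.dll", "dwmapi.dll"},
    r"c:\windows\system": set(),
    r"c:\windows": set(),
    # Attacker-controlled share the victim double-clicks a database on.
    r"\\evil\share": {"passwords.kdbx", "dwmapi.dll", "pluginlib.dll"},
}

# A few names the loader always takes from System32 (the real KnownDLLs
# list is longer); these cannot be hijacked through the search path.
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "ntdll.dll"}

SYSTEM_DIRS = [r"c:\windows\system32", r"c:\windows\system", r"c:\windows"]


def search_order(app_dir, cwd, path_dirs=(), safe_mode=True, cwd_in_search=True):
    """Return the directories the loader consults for a bare DLL name, in order.

    safe_mode models SafeDllSearchMode (on by default since XP SP2); with it
    off the current directory is consulted right after the application dir.
    cwd_in_search=False models SetDllDirectory("") in the application or the
    CWDIllegalInDllSearch hotfix setting, both of which drop the current
    directory from the search entirely.
    """
    order = [app_dir]
    if cwd_in_search and not safe_mode:
        order.append(cwd)
    order += SYSTEM_DIRS
    if cwd_in_search and safe_mode:
        order.append(cwd)
    order += list(path_dirs)
    return order


def resolve(dll, app_dir, cwd, fs=FAKE_FS, **opts):
    """Return the directory LoadLibrary(dll) would load from, or None if absent."""
    dll = dll.lower()
    if dll in KNOWN_DLLS:
        return r"c:\windows\system32"
    for directory in search_order(app_dir.lower(), cwd.lower(), **opts):
        if dll in fs.get(directory, set()):
            return directory
    return None


def hijacked(dll, app_dir, cwd, attacker_dir, **opts):
    """True when the bare name resolves into the attacker-controlled directory."""
    return resolve(dll, app_dir, cwd, **opts) == attacker_dir.lower()


if __name__ == "__main__":
    app, share = r"c:\program files\keepass", r"\\evil\share"
    for dll in ("kernel32.dll", "dwmapi.dll", "pluginlib.dll"):
        for opts in ({}, {"safe_mode": False}, {"cwd_in_search": False}):
            print(f"{dll:14} {opts or 'defaults'!s:28} -> {resolve(dll, app, share, **opts)}")
```

Running it shows the shape of the problem: a DLL that is present in System32 is safe under the default search order but falls to the share when SafeDllSearchMode is off, while a DLL the application asks for that is not installed anywhere on the system (an optional component, a plugin, a library that only exists on a newer Windows) is taken from the share even with the defaults. With the current directory removed from the search, that last load simply fails instead, which is why the hotfix is opt-in: the loader is doing exactly what each application asked of it, so the durable fix has to come from the application (full paths, or SetDllDirectory("")) and from the third-party patching the post calls out.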

reading up on malware-serving widgets

As if there isn’t already enough uncertainty about browsing the web in general, take a read on recent posts from Armorize about some (to put it lightly) malware being served via widgets…with a large exposure base on Network Solutions’ parked domains. Part 1: the infection delivery; part 2: more on the malware; part 3: follow-up.

As the years go by, I have become less interested in the workings of malware on the desktop (call me jaded, but I consider it a total loss once it starts) and more interested in the delivery mechanisms and how malware gets injected into servers; or how servers get popped either directly or as unwitting facilitators (I work more with servers than desktops, so maybe this interest is natural). These reports by Armorize are a bit confusing to read in this regard, but from the sounds of it, either a widget server is being subverted or Network Solutions still has problems with someone owning (to some degree) their systems (or both). NetSol has been beleaguered this year with attacks.

Hosting someone else’s code. Including widgets from other people that consume content from other sites. Reduced budgets and increased cost-cutting. These are the sorts of things that demonstrate our unintended expansion of the trust we need to have in others and other code for our own security. Complexity doesn’t make things easier!

sort of a security identity crisis?

It’s impossible to ignore shrdlu’s posts; they’re entertaining and truthful. For instance:

They assume that security staff actually have CONTROL over their systems.

Most products are predicated on this assumption—here, just install this agent and you’re done. Put this on the single choke point in your network and you’re done. Just whitelist what users can install and you’re done.

I’ve always been unable to explain how larger organizations can implement some of these things (I’ve worked in SMBs). You have one choke point? Hell, even I have at least 4, let alone other networks I have to eat up span ports for. That’s either costly or a gigantic mess. You have the ability to install and/or configure things? I do, but I know if one mistake digs into Availability then I get reamed. When you work in both operations and security roles, you learn quickly which one is more important! My guess is enterprises don’t do it very well at all like I expect; they just have the budgets to throw money at the issues and enough mgmt layers to spread the pain and BS.

As shrdlu mentions, it’s not at all surprising that the more “successful” security products are the ones that watch the network or require the least pain (read: involvement by anyone else) overall. This is why I’m a very, very, very strong believer in Network Security Monitoring and perimeter control as always being a very important thing for security.

Oh, the title of this post alludes to the thought of what role should security have. Should it just be a SOC where they have no control or administration rights? Or should they be veritable corporate gods? In my opinion, it should be far towards the latter. They may not always get their way, but they should be able to be empowered to straighten crooked paths.

is pci compliance in demand? or just a gun to our heads?

(Look out, the cynical bus is driving by!)

The big elephant in the PCI room is simply how fucking expensive truly meeting the requirements is (for SMBs and others). Between capital costs and process changes and slowing down business and staff knowledge/training and man-hours…it’s not nearly as small a pill to swallow as ya might think. And even if you get it done, the people behind it have a few more grey hairs, have burned plenty of political credit, and have new drinking problems! (Or you work in a large enterprise so it’s slightly easier to swallow.) More than likely they also now have dire staffing issues.

Mike Richardson has a great blog post about implementing PCI DSS standards in a web hosting environment. The end result? It’s dishearteningly expensive and not in demand.

What really sucks about admitting PCI is expensive? I’m also saying *security* is expensive. And it is! Then again, pressing 150lbs is tough, too, but you’ll get there if you start at 75lbs and work at it. (Don’t mock me in regards to my analogy!)

Compliance is still just part of what I call the big gamble in security (and enterprises). You know you should do more, you know you should look at that log today, you know your staff should be properly checking their controls, you know you’re not allowing your QSA to see the whole picture…but you gamble that things will be fine and continue on as you otherwise do, following the path of least resistance that you can get away with. Entire organizations operate that way, let alone executives, managers, and employees.