windows help center 0day details released

If you haven’t yet, I’d suggest reading up on the details of this announcement this morning on the full-disclosure mailing list. By leveraging a flaw in Microsoft Windows’ Help Center, code can be executed by anything (I presume) that can invoke Help Center.

Big deal? Not a worm or anonymous remote attack, but this is as big a deal as any recent IE, media, or document problem that leads to arbitrary code execution. In other words, a big deal, but not a drop-the-coffee-on-your-lap-and-shut-all-communications-down deal. Honestly, I’d hope effective security folks wouldn’t worry too much about this, as there should be other mitigations in place already (like running as non-admin and the like) which lessen the impact of sudden discoveries like this. Yeah…in an ideal world, right? 🙂

and the next wikileaks source will be…?

Liquidmatrix pointed me over to the Wired article on the growing drama between WikiLeaks, Bradley Manning, Adrian Lamo, and the Army. This has stoked a few thoughts…

Part I: Dumb Criminals, Smart Criminals

Manning came to the attention of the FBI and Army investigators after he contacted former hacker Adrian Lamo late last month over instant messenger and e-mail. Lamo had just been the subject of a Wired.com article. Very quickly in his exchange with the ex-hacker, Manning claimed to be the Wikileaks video leaker.

I’ll start out by not even commenting on the morality of what has transpired in the above article. I’ll start elsewhere.

There are dumb criminals and there are smart criminals. Smart criminals are the ones we (people in general, but also law enforcement) fear the most. Especially smart criminals with financial backing doing ‘white collar’ types of premeditated (or even random opportunistic) crimes…those are difficult to pursue! They’re typified by not being dumb enough to get caught. Not all smart criminals get away with what they do, but they tend to be the ones to get away with it if anyone does.

Dumb criminals get caught. Much like your general hacker criminals, they tend to do dumb things, have spotty skills, and are more likely to end up talking about what they’ve done, making dumb decisions, or having dumb associations and misplaced trust.

Manning did a dumb thing: he talked to someone. Not only did he talk to someone, he talked to someone with a level of celebrity status (for better or worse), who has ties to the FBI (for good or bad), and has an interest in not harboring national security secrets for another criminal. Ouch.

A smarter criminal would not have talked, or if he did, he would do exactly as Liquidmatrix mentioned: either nut up or shut up.

Another thing: Just how long and how much could have been disclosed had Manning not been dumb and talked to someone? How many not-dumb Mannings are lurking in your network?

Part II: Challenges in Organizational Security

“If you had unprecedented access to classified networks 14 hours a day 7 days a week for 8+ months, what would you do?” Manning asked.

I knew before reading the article that I wasn’t going to be impressed with how Manning exfiltrated the videos (and thousands of other files) from secure locations.

The sobering thought on this is…Manning had no real beef with what he was doing. He wasn’t getting paid, and he didn’t seem to have any external motivation. He performed what I consider a crime of opportunity. Thankfully, that’s “all” it seemed to be. Sure, it was performed over many months of time and repeatedly, but I still consider all of that to be opportunistic as far as crimes go.

But this is why espionage (both national and corporate) scares me more than even anonymous Internet-borne crime: they physically influence and turn a real, living asset who has access to your secret network and information, and leverage that relationship to siphon information out. Or worse, they actually perform active sabotage or plant access for others. This is why “cyberwar” doesn’t scare me as much as rogue insiders, depending on the organization in question.

What if a nation-state had targeted and turned Manning successfully? Someone like him truly is a goldmine worth the cost to acquire.

And don’t make the mistake of thinking Manning is an outlier. He’s just another face in the crowd, not much different at all from the rest. The sort of guy and white-collar crime that can be really scary to address.

I haven’t even touched on the fact that Manning had the warning signs of being a disgruntled worker. (Though how many people *wouldn’t* have those signs to some degree, who knows, but it should increase the level of organizational paranoia nonetheless!)

Part III: Information Just Wants To Be Free

“He would message me, Are people talking about it?… Are the media saying anything?” Watkins said. “That was one of his major concerns, that once he had done this, was it really going to make a difference?… He didn’t want to do this just to cause a stir…. He wanted people held accountable and wanted to see this didn’t happen again.”

Part of the underlying ‘hacker ethic’ deals with the tendency of information to be free, much in the same way that electrons tend towards chaos or water tends to fill whatever form presents the least resistance.

Perhaps Manning will ultimately be hailed as a moral whistleblower who is exposing secrets that should be made available to the public, for the good of the public.

Perhaps…

But at least think about that when thinking about what should be held secret by a company and what effort may be needed to counter that “tendency toward freedom” with which information tries to flow. (And how powerful it may make a third party who suddenly has possession of such valuable information, like WikiLeaks reportedly may be now.) If your organization truly wants to emulate the “Do no evil” mantra, then there shouldn’t be many terribly damaging pieces of information (other than patents and trade secrets and the like) in your possession, right? Mistakes, sure, but is it better to bury them or be transparent with them?

adding some new links to follow

One thing I don’t do enough is make a mention when I add new (or missed!) sites and blogs to my link menu on the right. Certainly, not even *I* keep up with what is over there, let alone anyone else, despite it being a great place to spend a Saturday morning filling up your own RSS feeds with my links.

So here are a few new additions to my links and feed reader:

www.attackvector.org
securitythoughts.wordpress.com (not to be confused with securethoughts.com)
beechplane.wordpress.com

What are my requirements? Well, for my own personal feeds list, the blog has to add something to me or my knowledge. Honestly, I’m horrible with my feeds right now as I have 1000s of items unread (a few high-traffic feeds boost that up, btw, like the once-amusing “my life is average” feed), so adding more has become a small question-raising thing these days. Kinda like buying a new book. Will I really read it? Will it be worth reading? Will it then be worth keeping around after I have finished? (sectioning off one’s time is one of the two big components to what I call actually growing up!)

For links on the left side, I tend to add anything that pertains to info security, including personal blogs of people who are in security but don’t always talk security. I don’t remove much unless it may be a blog that hasn’t been updated for 5 years or a site that is simply dead and gone. Other, lower links are things I find interesting or may find interesting to reference in the future.

I also don’t make a huge list of all the actual “news” sites out there. I try to get the important ones and the basic ones that end up giving me all the news I really need. Adding tons more just ends up with lots of sites all saying and linking to the same things.

sdl will save you money if you assume the worst

Robert Graham over at ErrataSec has a post in response to Securosis and Microsoft regarding secure development lifecycles. I’d have commented there, but they don’t allow anonymous comments…and I’ve been conscious not to browse around the web while logged into my usual account (something about correlation and tracking nonsense). And I look dumb posting as lvnewsreader. 🙂 So here’s my response:

Disclaimers: I’ve not thoroughly read the links Robert provided, so apologies if I sound dumb. I agree with everything Robert said in his post, so this isn’t really an argument so much as it is a situational “next-step.”

An SDL (or really any preventive security) really plays back into the great gamble of business; gambling with the risk of being breached or not (in whatever form).

But I think there *is* a case where prevention can demonstrate a saving of money: assume the risk of a breach is absolute. For Microsoft, I think we can safely say they will have weaknesses and thus patches to roll out. I’m pretty sure they can play the game of valuing the impact of those incidents, and probably spend on prevention and feel ultimately good about it. With Robert’s “sale” analogy, this would be the situation where your wife *was* going to buy that item today regardless of the sale, but she did actually save money (though possibly by sheer luck).

Assuming an incident is inevitable is easy to say, but hard to act on. Most organizations have years of no apparent critical security issues, and their management will have a hard time accepting that suddenly the sky is falling. In just the same way, many people think their home is secure just because they’ve not witnessed someone rattling the windows.

Side note: I really like Robert’s “sale” analogy. That’s actually a small pet peeve of mine. Sales aren’t meant to save money for someone who is already buying something. They are meant to make a sale right at that moment that would not have been made anyway (or to get someone into a store to make other ancillary sales).

2010: the year you can’t avoid news on facebook and privacy

This post is just a small collection of related thoughts, mostly pulled from Twitter posts. I don’t consider Twitter something to re-reference later on, and a poor choice to save thoughts. Much of this is inspired by recent media-whoring about Facebook and privacy issues. A recent XKCD comic illustrates an aspect of my feelings about the subject.

I have a long-standing distrust of people and corporations in general, especially public companies. This is pretty much wrapped up in one of the more dangerous of the seven deadly sins: Greed. I turned away from Yahoo when they went public and started focusing more on money than on users. The same goes for my feelings on Google. Social networking is pretty much in the same boat.

social networks are the leftovers from the dotcom boom; the ones that got users (the first step). But they’re no more successful, yet.

The dotcom boom came with lots of interesting ideas, but busted when they were exposed as not very viable as businesses, and in many cases simply didn’t get enough eyeballs on their ideas (grocery delivery service? awesome! but not scaled up enough). There is still a latent boom-bust situation going on for the past 10 years in the form of social networking. Social networks and other “social” playgrounds online have garnered enough eyeballs (or clicks, hits, attention, whathaveyou) to survive despite having business models that are as shaky as anything from the actual dotcom boom. Sure, some of them can probably make money, but they certainly have to be careful to do so without killing themselves by driving away their users. How many people think Hulu or YouTube will still be relevant if they charge subscriptions? Or news sites?

(Aside: It’s funny how important these services have become to the Internet masses; how deeply they will defend them, but how detested they become when money is requested. Some may call users fickle. Some may say this is the essence of competition, since someone will always host things for free. But does that mean large centralized social networks are unviable and only smaller, self-sustaining, splintered groups can thrive? I’m sure there are parallels to be drawn with music, movie, and software pirating…)

Z[uckerberg] is doing web startups wrong. You make it free, get popular, get money, then sellout b4 privacy and a biz plan blow [you] up.

This is my opinion. If you can’t be viable in the long term without lots of soul-searching and probably stepping on your own users, you’re probably better off building up your value and getting out while it’s high. Kinda like how Kevin Rose probably should have unloaded Digg.com. Or MySpace unloaded, or YouTube. If you found a company or site, get your user base huge, get your value up…you’re probably better off cashing out before it cashes you out. Zuckerberg should have gotten out by now, before the house of cards started wobbling.

yes, zuckerberg, there is a simpler way to control your info. stop trying to weasel it out of people to support your business model.

This is part of why I distrust public companies, or companies that are looking (maybe desperately) for profit: they will do whatever they can get away with. No Facebook user should be surprised about Facebook privacy issues, or how Facebook tries to weasel around the issues and keep their access into your life while trying to make it look like they’re helping your privacy. They’re not. How else do you think they’re making money? Same goes for Google with searches and everything else they try to do. Invading your privacy is their business model. This has always been a business model, only these days we have very automated, highly technical, and highly hidden ways of being victimized by it (networked appliances reporting back to motherships, what programs you watch, sites that index and analyze your information, search logs, tracking cookies, spyware, and so on…)

I dislike someone who complains about privacy when they dig or have dug themselves deeper into something like Facebook (either it’s important enough for you to do something about it, or it’s not important enough for it to chew up your energy and time to worry about). Or complain about privacy when they’re the damned owner of the damned site. Privacy is not hard. The hard part is maintaining the illusion of privacy while trying to maximize your penetration of it. (Kinda like getting that bar slut drunk…)

a link out to a banking fraud case study

Chief Monkey has linked to an excellent case study in corporate banking fraud. The story takes a few pages to work into the juicier details, but it is worth the burn to get through it.

The network still has a perimeter, but the business and its users have less of a perimeter. If you can check email from any system, then your email password can be snarfed by any of those systems if they’ve been victimized by a drive-by trojan. This can often lead to further attacks, even up to logging into a VPN session from a remote location! People like to think of one-time attacks and siphoning of valuable data, but few think about an attacker looking over your shoulder and reading your emails and data continually.
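The scenario above (a mail password stolen from a compromised home box, then reused to log into webmail and the VPN from somewhere the user never works from) is the kind of thing a plain baseline check over authentication logs can surface. What follows is an added example, not code from the case study or from the original post: the log lines are constructed, the log format is invented for the example, and the choices of a per-user /24 baseline and a 30-minute overlap window are assumptions.

```python
"""Flag authentication events that do not fit a user's established baseline.

Added example. The log format and the sample lines below are constructed for
illustration; they are not from the case study the post links to.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: time, service, user, source IP, result.
# The last three lines model an attacker reusing stolen credentials.
SAMPLE_LOG = """\
2010-05-03T08:02:11 vpn vp.finance 203.0.113.17 success
2010-05-03T08:05:40 owa vp.finance 203.0.113.17 success
2010-05-04T07:58:02 vpn vp.finance 203.0.113.17 success
2010-05-04T19:14:27 owa vp.finance 203.0.113.40 success
2010-05-05T08:01:33 vpn vp.finance 203.0.113.17 success
2010-05-05T08:20:10 vpn vp.finance 192.0.2.77 success
2010-05-06T02:45:05 owa vp.finance 192.0.2.77 success
2010-05-06T02:47:30 vpn vp.finance 192.0.2.77 failure
"""

# Assumption: events before this instant are trusted enough to form the baseline.
BASELINE_UNTIL = datetime(2010, 5, 5)


def parse(log_text):
    """Turn the constructed log into dicts; source IPs are bucketed by /24."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, service, user, ip, result = line.split()
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "service": service,
            "user": user,
            "net": str(net),
            "ok": result == "success",
        })
    return records


def build_baseline(records, baseline_until):
    """Source networks each user successfully authenticated from before the cutoff."""
    baseline = defaultdict(set)
    for r in records:
        if r["ok"] and r["time"] < baseline_until:
            baseline[r["user"]].add(r["net"])
    return baseline


def detect(records, baseline_until, overlap_window=timedelta(minutes=30)):
    """Return (kind, user, service, detail, time) tuples for suspicious logins.

    new_source: a successful login after the cutoff from a /24 the user never
    used during the baseline period (webmail or VPN).
    concurrent_sources: two successful VPN logins for one user from different
    /24s within overlap_window, i.e. someone else is using the credential too.
    """
    baseline = build_baseline(records, baseline_until)
    alerts = []
    last_vpn = {}  # user -> (time, net) of the most recent successful VPN login
    for r in sorted(records, key=lambda rec: rec["time"]):
        if not r["ok"]:
            continue  # failures are noisy on their own; successes are what matter here
        if r["time"] >= baseline_until and r["net"] not in baseline[r["user"]]:
            alerts.append(("new_source", r["user"], r["service"], r["net"], r["time"]))
        if r["service"] == "vpn":
            prev = last_vpn.get(r["user"])
            if prev and prev[1] != r["net"] and r["time"] - prev[0] <= overlap_window:
                detail = f"{prev[1]} then {r['net']}"
                alerts.append(("concurrent_sources", r["user"], "vpn", detail, r["time"]))
            last_vpn[r["user"]] = (r["time"], r["net"])
    return alerts


def run_sample():
    """Run the detector over the constructed log."""
    return detect(parse(SAMPLE_LOG), BASELINE_UNTIL)


if __name__ == "__main__":
    for alert in run_sample():
        print(*alert)
```

On the sample data this yields three alerts: the 2010-05-05 VPN login from 192.0.2.0/24 (new source, and concurrent with the legitimate office login eighteen minutes earlier) and the 2010-05-06 webmail login from the same foreign network. A real deployment would key the baseline on something more stable than a /24 (ASN or geolocation) and would age it, but the shape of the check is the same.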

I wonder if the VP in the story had any personal fraud attacks against her as well, or if the company account was the juicier target. In the end, yes, home users (and their systems and networks) elevate my nervousness considerably.

My only bit of caution would be to anyone who starts crucifying banks too much about their security. There is no measure that will magically protect against fraud. It is entirely a scale between security and usability. Some banks fall low on that scale and get burned (hopefully!) for it. Other banks may slide up the scale too far only to get burned because they’re slowing down, flagging, or outright blocking abnormal but legitimate transactions for important customers. What do you do in those cases? Given different perspectives, I think most people would opt for the least economically costly options from their respective perspectives. Just think about that for a while… People complain about bank security, only up to a point where it inconveniences them too much, then complain more when it still fails, and so on. That’s not a rhetorical game I like to play…(maybe I just like to play a few more moves ahead, I dunno…)

I’m not trying to defend lax, or even negligent, bank security so much as I want to attack overzealous sunday morning security quarterbacking that just perpetuates the problem of a wildly swinging security pendulum that can’t find any peaceful middle ground.

that blogger community experience

Mogull over at Securosis has posted, “Is Twitter Making Us Dumb? Bloggers Please Come Back.” He makes great points on the usefulness of blogging (the great PCI debates are a recent occurrence of “blog debates” spilling into real life), and some of the comments make great points as well, such as how Facebook steals away some of the energy.

Behind on my rss feeds

My own observations are slightly similar, although I admit I’ve had less time these days to keep up with my rss feeds and make interesting posts here. I still troll Twitter and other places, but typically those are not necessarily surrogates for a good blog or even cross-blog discussion, and I typically can participate in Twitter without much actual commitment time- and attention-wise.

Maybe we’re all just reading blogs less often, which in turn reduces the emphasis on blogs and our own opportunities to start cross-blog discussions.

Conferences

One area I’ve seen grow considerably in the last couple of years is discussion and participation in security conferences. Perhaps all those discussions and talks are tiring, but they also serve the same purpose that blog discussions may otherwise have served. Why blog when you’re at a conference having the same discussions every 3 weeks?

Fewer new faces

I’ve also seen a drop-off in new blogs to follow in the security space. This may be a function of my lack of time and energy put into reading my rss feeds, and I agree that I tend to gravitate to the same feeds over and over. This doesn’t mean security is dwindling, especially as I’ve talked to plenty of interesting people on Twitter that I didn’t know previously.

It is possible we ask a lot of new faces in security. Where, in the last 4 years, having any content on a “security” blog was enough to get you followers, today do you need to be dropping news, novel new ideas, or 0days every week? I’d hope not. We really need generic discussion as much as or more than the jaw-dropping stuff. But it’s that generic discussion that may be getting satisfied elsewhere.

Look at podcasts and conference roundtables or Twitter discussions or mailing list questions. We still have a huge capacity and energy for talking about the “generic” stuff; even stuff that has no real correct answer, but impassioned opinions on either side. It just seems to be taken to blogs less and less often.

Inherent broken records

“Cloud” notwithstanding, perhaps we just have less interesting topics to talk about. I myself am guilty of this, as I often have ideas tumbling around in my mind, but I’m well aware they’re ideas that not only have *I* had for a while now, but others have had and voiced as well. Security is not a game to win, and we’re going to have some of the same inherent deficiencies for years, decades, to come. You can really only bring them up so many times before you get sick of the obvious.

One other thing I’m guilty of: commenting vs blogging

Every time something like this comes up, I’ll have a minor discussion with myself. Do I make a long-winded comment on someone’s blog to join or initiate discussion (which maybe only he and I will see), or do I post on my blog here under the haughty assumption that my blog is worth their time to read for my viewpoint, or that they’ll even see it? Or should I engage them more directly rather than wait for them to find my little slice of opinion? How will both of us remember to re-read the comments to see if an update has been made? (This is one reason I tend to have many web browser instances open; some are just open for me to refresh for comment responses!)

This is why I am still partial to being a forum and chat (or, in a sense, Twitter) regular. A forum is essentially a dynamic, central RSS feed of ongoing discussions and blog posts. Unlike blogs, where only new topics percolate to the top, hot topics percolate to the top on a forum. And if you have one central place to go for participation, it becomes rather natural (which is also why I suggest fewer sub-forums).

terry childs found guilty

(Don’t get too upset if you don’t agree with something I say here; I likely won’t get too deeply into the discussion. There is far too high a chance that most discussions consist only of straw man arguments, or of being too general without admitting to exceptions…read the many comments about this case and you’ll see them rife with logical fallacies. Wait, are mainstream comments anything but? heh!)

The case against Terry Childs has come to an initial close as he has, predictably, been found guilty. I expect that, while guilty, there is still the chance of other grievances that Childs can raise against the city of San Francisco and his superiors and how all of this was handled. At least, I kinda hope so because my continued impression is that Childs is as much a victim as he was the problem, i.e. the victim of absolutely horrible management, both from a technical and a non-technical aspect.

Chief Security Monkey has a nice article with some comments reposted on his blog, which I suggest reading through. Update: This is a great ComputerWorld interview with one of the jurors.

I have a pending comment on that site, but wanted to just record some of my own thoughts here.

Management is fully to blame for this situation, both for horrible policies and for probably conditioning Childs in a way that made this escalation inevitable. These are people who should be banned from ever managing other people again. Or even from managing anything technical. They obviously don’t get it. It saddens me that while Childs broke the law, these managers won’t get similarly tried and branded.

Childs is, of course, also to blame. He should have just walked away. Or he should have given up the access and taken the blow from management (which likely would have resulted in firing). But I can’t necessarily blame him for leaning into the wind stubbornly. That’s just how some people are. But yes, strictly speaking, he broke a section of penal code, hence I’m not surprised nor much saddened that he was found guilty of that part.

I expect Childs and this whole situation was the product of a very stubborn-to-a-fault (righteous?) admin, failure management, and psychological conditioning.

Yes, that conditioning part is the one where I take a leap of faith, but I expect my leap is not all that large. If, in the past, Childs was either harmed or even blamed for lapses in his network due to someone else’s changes, then I am not at all surprised that this escalated into him refusing to let anyone else into the network. Did he have anything to hide? Doesn’t look like it. Was he trying to hold the city hostage? I didn’t get that impression. Was he trying to make sure it kept running so he wouldn’t get in trouble when some moron took it down and blamed him? Probably. If I held you ultimately responsible that my coffee cup is not spilled over, you’ll probably try to keep everyone away from it to prevent the spilling, especially so if someone spilled it a few days ago when you weren’t looking and I blamed you for it.

But, in the end, while I see lots of idealistic responses and comments about this situation, I think it is far, far, far easier to talk about escrow and continuity than it is to actually walk that walk, from both an administrative and a managerial perspective. It takes work, knowledge, politicking, and proper people management to even begin to start. And I think far too many people who make comments of that nature don’t follow their own ideas in practice, both for godlike administrative access and for smaller things like inconsequential accounts, processes, systems, programs, scripts, and so on. It is the nature of things that when someone leaves, there is a gap and loss of some information…no amount of planning will truly overcome that with regards to highly skilled or specialized job roles.

But that’s me, and I’m a cynic. 🙂

could you also do this for us?

Adrian (Lane) authored an absolutely awesome article atop the (damn, no more ‘a’ words to use…) latest Securosis friday summary post.

It had started innocently enough…

Yeah, just go read the story! If you’ve worked in IT for 6 months or more, you know how this goes, on various levels. From small requests snowballing into larger requests, to creep in the network, to “temporary” things becoming permanent things, to how, despite how much you strive to do things one way, all it takes is one (even innocent!) person to do it another way and it breaks down consistency…and so on.

southern fried security podcast 10 with darkoperator

Episode 10 of the Southern Fried Security podcast is available and it includes a great discussion with DarkOperator about getting started and getting involved in security. Skip ahead to 13:30 for the start of that discussion. In short, get involved in a positive manner, and if you’re already in security or have some knowledge, contribute and pass it on! Check the podcast out for all the discussion points.

san fran admin terry childs case heading to a decision

The case against Terry Childs, former San Francisco network admin, is hopefully coming to a close soon, and I’m anxious to hear what the jury decides.

I fall on the side of those people who don’t dismiss this case with a hand wave; I think it makes an important statement about management, policies, security, and IT operations.

I’ve been in similar, but far, far smaller, situations where I had to expand access or duties beyond myself to other people. And there are very real times where doing that leads to a degradation in the quality of the work, even up to someone being dumb and bringing down a network or device! I understand his position, even if I wouldn’t have defended it to quite such a degree!

I’ve also seen extremely protective admins whose strangle-hold on their operations starts introducing new avenues of risk, especially in terms of business continuity.

Of course, going too far in the other direction, where things are spread out amongst so many other people, adds in yet different risks: well, too many people with God knowledge… Work long enough in IT, and everyone at some point experiences that non-technical manager doing idiotic things just because he has the access…which only conditions the behavior Childs exhibited!

a security serenity prayer from delchi

A week ago I posted about how if security wasn’t hard, everyone would do it. This is quickly becoming my mind’s theme for this spring.

I’d take this a step further as well: If there was some silver bullet, ultimate truth, or Answer for security, we’d have found it already and when we heard it our brains would crack and we’d drop to our knees in all-praising wonder at The Answer.

Alas, there is no Answer.

That’s not to say all discussion is pointless; quite the opposite. We certainly need discussion, but we also should realize that like a function in calculus, we can only approach and draw near to real Answers, not realize them entirely.

It helps to also see a quote from A. P. Delchi posted by Chris Nickerson (which I can’t believe I didn’t re-post on here already!):

“GOD,

grant me the serenity to accept people that will not secure their networks, the courage to face them when they blame me for their problems, and the wisdom to go out drinkin’ afterwards!”

There is no answer, but we should still work towards it as much as we can, but not so much that we can’t step back, respectfully clap each other on the back and have a drink.

the no-answer passionate argument we can’t avoid

Ugh. You know, sometimes in security there are heavy issues you just don’t want to have in front of your face, but then you walk away and come back and see them again, and it instantly brings the pot back to a boil (not an angry boil, just a boil).

That is how I feel when I write and erase and rewrite about articles about Cormac Herley’s [pdf] paper last year. I walked away to lunch, decided not to post, and started closing my windows until I got back to the originator for today: the Boston Globe with this tagline: “You were right: It’s a waste of your time. A study says much computer security advice is not worth following.”. (via Liquidmatrix) Yeah, I knew the moment I saw this paper, that it would make misguided headlines just like this (to its credit, the headline is the worst part, and likely not even written by the author but rather an editor).

It is not so much the article as it is the 120+ comments attached to it, which lend importance to the topic…most of whom have no idea about the costs involved in building an infrastructure correctly the first time versus how pretty much all of them are built today: grown. Over time. Over years. A one-off app written 4 years ago suddenly gets a few late features added which make it mission critical for 75% of your staff…and so on.

I agree with what Chandler Howell (NewSchoolSecurity) said; actually two things he said. First, the paper seems incomplete, or at least basically tries to monetize the bitching of users, but doesn’t seem to have any idea what to do about it (like so, so, so many other rants and attempts…we get the fact that security has an inverse relationship to convenience…duh!). Second, at the end he mentions making security as transparent to the user as possible. Yes.

Of course, that means tipping the scale between user education vs technological (in this case, what I read as transparent) controls closer to the technological controls side. Larry Pesce also opined (Fudsec) about this in regards to the futility of user education. Perhaps user education does still have a point. The paper makes an attempt to demonstrate that user “stupidity” is a rational behavior. But would user education actually demonstrate why that rational behavior is in fact wrong? (“Rational” is being used in the “justified” sense.) Is it rational for users to open email messages, or should that actually *not* be the rational action when the user knows and accepts that someone from Nigeria probably wouldn’t be emailing them?

Nonetheless, read the comments on the Boston Globe article for the “user” viewpoint. Read the comments on the other articles I posted for security professional opinions. Yes, something is wrong, but I think much of it still has to do with: people making mistakes; economics (which has various influences here!); cost (again, various angles); and how IT does business fundamentally. (Mycurial had a great comment on the Fudsec article.) Really, unless security has true demonstrable value to your organization, it *has* to be lagging behind attackers, technology, implementations, and IT in general. (I know, that’s an arguable point!)

Anyway, this is me sharing my growling. 🙂 …and adding another rant! I can rant about people ranting who don’t have any solutions, but I’m answering back with more ranting with no solutions as well. I guess the most I can hope for is some cathartic release!