I missed this discussionary topic from Rich at Securosis the other week. I’m likely a bit late to join the convo, but I wanted to post a link here and throw some reactions. Rich basically proffered the idea of allowing a regulated agency to isolate or clean compromised systems (i.e. from threatening the safety/security of others).
Read his post and the comments for starters. Below, I’ll try to be brief and bulleted.

1. Safety and security. There is a big difference between those two terms. The firefighters in Rich’s opening analogy deal with safety. I have no argument that a firefighter can break into my burning house and further trash it in the interest of public or personal safety. But when it comes to security, we have a different topic, especially when security is ephemeral and fights with privacy. It is usually very clear when safety is impacted and far less clear when security is impacted and to what degree.

2. Is cybersecurity that dire an issue? We security geeks often act like an unpatched system spewing spam is the worst thing in the world, but is it? Sure, we don’t like it, but how does that weigh with other issues I bring up below, or with our privacy? We are really nothing as a free country without being able to protect our privacy to a degree.

3. Mistakes or corporate vs individual. Let’s say we have compromised systems and an agency is mandated to go in and burn the books at 451 deg…err…clean the system or shun that network node from the rest of the internet (isolation). What if that was a Google data center? Or Mom’s Crab Shack? or my home system? It won’t take but a handful of mistakes before this breaks down. And what if that were a false positive?

4. Agendas. I hate to be a pessimist sometimes, but we can’t even go to war without half the general public speaking up about agendas (right or wrong). And things don’t get better with smaller incidents (pork barrels?), they just get less exposed. “Gosh, I don’t know how my opponent’s campaign office got raided like that!” “Gosh, just go easy on that large company that employs a huge number of my constituents…” “Gosh, my district has an *epidemic* of compromised systems; we need to declare a cyber emergency and get more funding!”

5. IPS. One argument that still surfaces about IPS is their ability to suddenly shun false positives. In practice, it is difficult to do, but in theory, an attacker (or mistaken configuration!) can trigger an IPS to fire blocking protections and shun legit servers or networks. Remember SWATing? Eve calls 911 and gives Vince’s address so SWAT raids Vince’s house. Oops! This is very similar to the “mistakes” bullet above.

6. Potentiality. What if a system is potentially vulnerable to an attack? The debate on being proactive once “active” is allowed becomes muddier, and dangerous. ThoughtCrime, FutureCrime?

6. The Slope. We move very big steps closer to questioning the integrity of our Operating Systems. Should we proactively shun every Windows box not behing a network/firewall device? Why not just shun every non-perfect OS? We do like to batter and bash groups like Microsoft for their system’s insecurities, but let’s face it, such a product will never be perfect. Especially as a consumer product. I don’t like the road such actions move us towards.

7. Nothing to hide. Want to instantly drive a privacy advocate or even most hackers crazy? Utter the phrase, “Well, innocent people have nothing to hide.” If you still hold that argument aloft, I’m sorry in advance for your ignorance or tragic upbringing. I’d rather be surrounded by Mac zealots proclaiming their OS 100% secure…

8. Get off my systems. As an individual or a corporate entity, I would not be happy about someone being able to arbitrarily control my systems, even to “fix” them or “save” others. More on this on a follow-up post…

At the end of the comments, “Rob” posted what I think sums up my feelings, “I don’t like disagreeing with Rich, but I’d rather have a million botnets active on the internet than sacrifice the tiny remaining legal barriers to police invading my computers.”

I think we all know the news of another data breach, this time most likely at an online payment processor. My contribution to any thoughts on this is how quickly the information network in regards to breach rumors (and hopefully later actual details!) has become. It has been at least 4 days since I first heard these rumblings and only today is there some real information being presented by affected parties or VISA/Mastercard. And still no indication of who exactly is at the victim.

There is SSLFail. I’ve talked about SSL before. Jay Beale has been presenting on similar issues. And now Moxie Marlinspike has given another eyebrow-raising talk at Black Hat about SSL and HTTPS attacks (pdf). It’s like SSL implementations aren’t being asked if they want a gut punch or a face punch, but rather just getting both. Some of his material is similar to what Beale does, and while I don’t care who was first, the fact that multiple people are pointing these out is noteworthy itself. Mubix tweeted (twitted? twatted? oh my) a link to the video preso.

SSLStrip is the tool he announced, but I don’t see it public yet. Moxie has other SSL tools, too. And I’m curious who still doesn’t set (CAs) or check (browsers) basicConstraints.

Bottomline: If you’re still not scared of SSL MITM attacks at your local hotspots, you need to be. In fact, any time you’re on a network you can’t trust, you need to exercise reservation in your actions.

I didn’t realize the Information Security magazine was available online (pdf). Some highlights:

Schneier and Ranum go point/counterpoint on the topic of social networking and the workplace. Schneier has an excellently polished point, and I think Ranum has some good points, too, and properly attacked Schneier’s weak point on CEP transparency.

The 2009 Priorities Survey section wasn’t too interesting other than 75% reporting the Data Leak Prevention was a must-have. To me, this is like saying you need a complex man-trap…when there are plenty of open side doors and windows with nary a lock on them. DLP is definitely a conversation-starter whether you like it or not! The article continues on into access control, an equally twisted term. Are you talking issuing playful tokens or are you talking actually getting into who has access to what and how to limit that? Two very different ballgames..

I like the spirit of David Storms’ 10 tips to protect your company in a down economy (if you get the eEye newsletter, this is the story that didn’t get linked!). With the economy stagnating (or going down), I think many companies have put new projects on indefinite hold. At least in the tech area, I’ve not heard of huge swaths of layoffs unless the company is already bloated. So this might mean staff levels are frozen, but staff still need to get things done. With possibly less projects, it might be worthwhile to take on some free/open tools and leverage them instead of some bloated, expensive big-box that doesn’t really confer much true security knowledge. #8 about properly terminating employee accounts should really be #1 this year. With remote access and layoffs, many people will have knee-jerk thoughts of revenge or fear and may act on those ideas before access is properly terminated. Just this week we had 11 layoffs and those of us who hold those access keys learned about them all at the time of or after the fact. Gambling with fire!

We can’t talk about much in security without the silly thought that we might be “spreading FUD.” That is largely because shit just isn’t as secure as people think it is or expect it should be! Of course, there are two types of FUD: True FUD and False FUD. ..A discussion for another time perhaps!

More FU…errr…insecurity talk will be had at a presentation I wish I could see: Adam Laurie’s Satellite TV Hacking at Black Hate DC. An article about it is over at The Register.

An exploit against MS09-002 (IE7) is in the wild. This is a vuln that may lead to code execution in the context of the user. Thanks for the heads up on Twitter!

Today I needed to adjust the script that maintains my web environment. A developer needed a folder inside a website to be redirected to a different URL. This is easily done in an IIS MMC with just a few clicks. Since the dev needed any call to or inside that folder to go to a specific destination (and not carry over the trailing path), the box is checked for “the exact URL entered above.”

But my web install script deletes all sites and rebuilds them nightly. So, I need it to also rebuild this redirect.

In IIS6, it is easy to list out all of the children objects in a site, such as Virtual Directories. But if something has not specifically been given an object ID in the metabase, you can’t edit it like an existing object. In IIS6, regular old subfolders inside a site are not objects by default. You have to make them objects, in this case an IIsWebDirectory, before you can manipulate them.

This script snippet connects to an existing website, creates the IIsWebDirectory object, and sets the httpredirect property. Note that the folder may or may not actually exist in the site hierarchy yet. That’s ok! Also, the “, EXACT_DESTINATION” is the piece that makes the necessary check mark.

$iis = [ADSI]”IIS://localhost/W3SVC”

$findsite = $iis.psbase.children | where { $_.keyType -eq “IIsWebServer” -AND $_.ServerComment -eq “mywebsite” }

$site = [ADSI]($findsite.psbase.path+”/ROOT”)

$targetredirect = “/different/path, EXACT_DESTINATION”

$directory = “MySubFolder”

$newwebdir = $site.psbase.children.Add($directory, “IIsWebDirectory”)

$newwebdir.psbase.commitchanges()

$newwebdir.put(“httpredirect”,$targetredirect)

$newwebdir.psbase.commitchanges()

Part of troubleshooting this is echoing back psbase.properties to see what values I needed. This little piece will help, especially when you make the change manually and refresh this to see what changed. Get $iis, $findsite, and $site before doing this:

$homer = $site.psbase.Children | Where {$_.KeyType -eq “IIsWebDirectory”}
foreach ($donut in $homer) { $donut.httpredirect }
or
$homer.psbase.properties

My Tuesday quick rant. I’m not a big fan of schizophrenic IT departments (not a fan, but sometimems reality has to be tolerated). These are IT departments that one week want things fast and agile (like a cowboy!). Then the next week they realize fast often means mistakes, misconfigurations, and missing pieces that weren’t planned for, so the goal is suddenly to be slower and more deliberate (woot change management!). Then the next week, something needs to be done immediately in a cowboy state…

Not a fan of that…especially when the deliberate state makes the cowboy sprints much more painful and vice versa.

For future reference, some notes on hardening Apache. In case this post ever dies, it references these notes, and also points to some deeper tips.

I’ve long proclaimed email is dead (ok, it’s very slowly dying). It is great, but wasn’t ideal or forward-thinking enough (I can easily say that now that we’re beyond the forward!). IRC had it right early on, but just wasn’t and isn’t accessible enough… IM is excellent, but you often lose the buffering ability when someone is offline.

At lunch the other day I overheard a group of older adults talking and they delved into the topic of communicating with younger kids/adults. “They just don’t check their email like they used to. You have to text or post on their Facebook to get their attention.”

It’s true, right? Email is still dying and giving way to texting, IM, and social networking (aka Twitter, Facebook). Say that to anyone in a corporation and they may argue, but I’ll argue back that corporations (and later government) are the slowest entities to change. We’ll drag email on for another 10 years, most likely.

So last night I checked out my Twitter feeds again. Yeah, pretty hopping especially during and post-Shmoocon! In fact, I notice I still get new people following me very regularly. Seems I should jump back in! Hell, I also noticed I had some LinkedIn requests and Facebook requests (when the crap did I open a Facebook?!)…I may not dive totally into the latter one, but Twitter is just too powerful and cool paired with texting to keep drifting away from it.

Sony releases new piece of shit that doesn’t work. NSFW due to profanity, so put your headphones on.

EthicalHacker.net has a new challenge up. This is may be a first, I get to see it with plenty of time to submit something! Normally I see these after the fact or with 2 days to deadline. Oh, and The Brady Bunch was one of those shows that I watched but never liked; kinda like being forced to eat brussel sprouts as a kid; you sometimes have to, but it leaves a horrid taste in your mouth.

In case someone has strangely missed this story, Chris Padget has made some headlines for a recent video where he reads and clones RFID tags around the San Francisco area. Read the comments for some good discussion (amidst the ignorant noise).

This is a very big issue for three reasons. First, obviously we need to care what may or may not be disclosed from the tags. Is it personal? Is it just a number that is looked up? This is probably the easiest issue to resolve.

Second, even if the item is just a number that is looked up, all it takes is some relatively simple database tracking or data points to start stumbling over the lines of privacy. #3482749 is Michael Dickey. #3482749 is shopping at Wal-Mart at 7:30pm. #3482749 stopped for a shake at McDonald’s at 8:15pm. And so on… And it wouldn’t take much to track this. If all the legit scanners that get issued are dumb but ping back to the master database system, the database just needs to log the location of the scanner that pinged in.

Third, just how easy is it to clone a tag and fool scanners? Kinda like me opening up a Facebook page for someone else, I might be able to do quite a bit of damage to someone’s profile or reputation by wandering around with a cloned ID just for the heck of it. Or maybe I’ll just clone my own and give it away on the streets and generate so much noise… In fact, how defensible would that tag information even be, legally, if I can generate doubt like that? Can I overpower my own RFID tag by transmitting a stronger signal and drown out my card?

Besides, let’s face it, as a shop owner I might want to buy some cheap RFID reader and put it near the front door just keep my own tabs on who my repeat visitors are based on their number. And it’s just a hop-step away from keeping a personal record of them so they can pay quicker by keeping their credit card on file and just charging them based on the number on the RFID. Come on, there’s a whole industry of people salivating at the possibilities of such tracking and ID…

And if “do no evil” Google will happily cross the line of privacy in pursuit of the profits, so too will others. It will just take some curious entity that is large enough to connect data points and suddenly that slippery slope is rushing by fast enough to burn our ass.

In short, it’s not just about the data given off by an RFID tag, but also how that data can be correlated. And how much the general public is made aware of the risks of unshielded tags or unquestioned tracking.

I’m a bit surprised to see talk of BackTrack4 since it seemed like BackTrack3 is barely a year old. Alas, a new version can only be a good thing! Shmoocon attendees got to check out a pre-release version and I wouldn’t be surprised if they did an IRC channel pre-release outing as well. Hopefully sometime soon BT4 will be widely released to the public or available to me via some other channels.

I had a few small quibbles about BT3 over BT2. I was unimpressed with the tossing away of the stealthy boot up. BT2 was very quiet on the wire, while my experiences with BT3 involved it starting up and immediately wanting an IP from the first network it saw. The BT3 hard disk installer was still pretty unintuitive, although the forums are invaluable for figuring it out.

BT4 goes back to the stealthy startup (omg newbies, you gotta start network!), and from what I gather will be much friendlier for a more permanent distro-like install (I’m assuming, here). I enjoy the livecd a lot, and someday I’m sure I’ll enjoy a USB install more, but some of us really don’t mind at all loading it on some older laptop for permanent use and tinkering. A vmware image as well? That might be worthy of a little jizz in my pants!

Anton Chuvakin posted over a week ago about some possible reasons why Heartland Payment Systems had their data breached. After his 5 examples, he concludes that none of them specifically follow that PCI failed or is irrelevent. In a way, he is correct, but what we’re doing here is playing with semantics vs perception. (Something we who throw around the term “hacker” often should be very intimate with.)

If PCI didn’t fail in any of those cases, one could argue that PCI will never fail us. That means PCI compliancy doesn’t offer much beyond any other list of Best Practices. Best Practices that are required. We’ve known for some time that PCI is just a general guideline. But there is either a perception problem on those adopting PCI, or a presentation problem by the PCI Gods that are requiring it.

If PCI can’t be blamed for anything, then what value is there? If PCI doesn’t allow a CTO to shift blame onto it (or a QSA) when things go wrong, there are plenty who then see no value in it. In which case it is just a requirement to meet in the least painful/costly fashion possible (which does not preclude simply lying about it). And then there truly is no value in it for those persons.

I don’t agree with that position, but it exists whether I like it or not.

Maybe the underlying concept we need to continue to hammer out is: Security is not easy.* Security is hard work. Security is not always cheap. Security costs money. I’m sure there is a haiku in there somewhere…

* Just think of all those painful experiences trying to align secure practices to people and a business. Years of those experiences, trying to guide the moving waters of a river to where you want them to flow. There are small and large security battles lost every day, and poor individual decisions made constantly and gambles accepted. We’re certainly not in it bcause the job is easy!