how to work a crowd

I wanted to repost something I saw on LiquidMatrix that I think is easily missed amongst the other security headlines they post: How to Work a Crowd (~6 minute video).

Lord knows I’m not a socialite. I’m a happy introvert which causes me to be a bit quiet. You wouldn’t know that from how I might interact online, but online is vastly different…and I’ve been doing this online thing for 15+ years in various forms and commitments, so it’s pretty old hat for me. This video is actually a nice reminder that very simple things really do work. And knowing is half the battle…

So here are some more tips off the top of my head, not just me throwing them out to anyone reading, but thoughts to remind *myself* of things to continuously work on.

– Smile/eye contact. This is something I’ve particularly been working on recently.
I used to do this naturally as a kid, but having the last name “Dickey” and being a reserved, smarty nerd was a complete invitation for the less pleasant treatments in public schools. That, along with puberty (yay!), and maybe some other personal tidbits in my nurture/nature changed my behavior, and I tended to avoid people and not smile as I grew up. I actually did actively want to stick to myself rather than invite conversation. So, smile, make and hold eye contact, and that is usually an invitation to either smile back or break the ice. Besides, as an introvert, you can’t go wrong with this and you might be rewarded for it.

– Get someone talking about themselves and be truly interested.
Ever go on dates? The best dates come in two flavors (not counting scoring). First, fun dates where you just have a blast and have something to do that you both can enjoy, without being all that deep. Second, dates where you talk together and learn about each other (the ol’ dinner dates). Everyone has stories and loves to talk about themselves. The best dates occur when you talk only enough to keep the other person talking about their past/interests/self, and you listen attentively and take mental notes. There’s always time to share your own opinions and thoughts and stories later on (besides, why blow your mystery early on?!). (Having told my stories and opinions a multitude of times online and offline, you eventually get over that need to vomit them out immediately once a chance arises.) Simple conversation. No encounter or date goes terribly well without conversation, unless you’re a model or movie star.

– Learn to avoid the small talk.
I hate small talk; I really do. It’s useless and impersonal and typically uninteresting. Yes it *is* windy out, thanks for commenting. Sometimes small talk is necessary, and it takes effort to steer from the initial small talk over to something far more interesting and personal. This is a skill I have yet to hone, but it is on the list! Try to talk about something of immediate interest to the other person, like their witty Jinx shirt, the event you’re attending, the sticker on their laptop cover, or someone else nearby you can both share a laugh at. One thing to look out for: small talk is a common opener, so be sure not to scowl when it is offered, but just learn to steer away from it. I might hate it, but that might be other people’s schtick!

– Just let go.
There’s a reason alcohol starts so many parties and loosens lips (yeah, pun..uhh..intended): lowered inhibitions. Try to lower your inhibitions on your own. Who cares if you make an ass of yourself? It’ll make for a funny story later on. Who cares if you fuck up and look dumb? No one will die and life will move on. Who cares if you misjudged someone’s interest and got an eye-roll and cold shoulder? Nothing ventured, nothing gained. Extroverts do this naturally, but we introverts have an amazingly hard time with this, myself included. As said in the above video, most everyone else is just as nervous as you are. Take a deep breath, send the inviting body language signals, and actively dip a toe in the water.

By the way, humans are the only animals that blush; or need to (Twain, I believe). Keep that in mind.

– Embrace public speaking.
This is easier to do in school when such opportunities are often unavoidable, and they come in two flavors: First, just speak up in class when a question is posed. If you’re wrong, so what? The teacher will appreciate that someone took the opportunity. (I had a blast in Philosophy/Literature courses and got prof recommends for it, just because I participated whether I was right or wrong.) This is a form of public speaking and you’ll find your voice quickly. Second, speaking in front of others, front and center! If you’re in a group and need to give a presentation, volunteer to be the speaker. Seriously, you might shake while up there, but that usually is because you don’t care for what you’re speaking about or because you’re just not used to it. It really will go away if you solve both those issues, and you solve the second by simply getting up and doing it a few times. So, if you have a speech to give in college to a small class of people who likely won’t even be listening, embrace it fully and go for it. We all know how rarely such opportunities are forced on us later in life, and we end up just hiding and avoiding them! The end result is knowing how to hold yourself with someone’s eyes on you, and how to speak without sounding like a muttered whisper.

– Be interesting.
This might be hard to always do, but if you can get away with it, go for it. Wear a shirt that gives someone else an opportunity to see an interest of yours (LAN party shirt? You’re a gamer!) or something else that may give clues. If you’re fashionable, be fashionable. Or if you’re like me, wear your interests on your sleeve. (Even my car screams infosec since that’s what my plate says.)

By the way, you’re not a social engineer if you can’t work a room…just sayin.’

re: 8 dirty secrets of the it security industry

Note: this article may have first appeared in ComputerWorld, written by Joshua Corman himself in Jan 2009. I’m not sure why most of it is taken almost word-for-word and reposted (with 1 new dirty secret) these 8 months later…

Bill Brenner has a piece on Joshua Corman’s 8 dirty secrets of the IT security industry. I thought I’d weigh in with some thoughts while sharing the article.

Dirty Secret 1: Vendors don’t need to be ahead of the threat, just the buyer
Individual people may reach levels of financial satisfaction and turn their attention to actually making a difference (see Jerry Maguire), but almost any group of people forming an ephemeral organization will ultimately see that organization driven by dollar signs. The more so if they are a public company. Sadly, that’s how it is. Although I think that is a tangential point to this “dirty secret.”

I’ve rewritten my paragraph about vendor-buyer expectations and relationships about 4 times now, and I keep arguing basically both sides of the coin. So I’m just going to leave it be. 🙂

Dirty Secret 2: AV certification omissions
I truly do understand this criticism. I don’t necessarily have to agree with it, but I do understand that some people think this, and that’s fine with me. To me, this might come down to what you expect your AV-type products to do. Do you expect them to catch everything, or do you expect them to be fallible, but catch most things you’re likely to care about? Or at least add some value to your overall layered security posture. So, yes, I understand we can still push our AV vendors to detect more, but I understand we may take that unrealistically too far.

Dirty Secret 3: There is no perimeter
Ugh. It’s still so freakin’ trendy to say there is no perimeter. What I love are the next two lines, “That’s not to say there is no perimeter. It’s just that companies are foggy on what the perimeter truly is…” At any rate, that’s accurate to say that our perimeter has changed dramatically in 15 years, but there is still a perimeter. Do you have a scope for PCI? There’s a perimeter. Do you have different networks with dissimilar trust levels? There’s a perimeter. Maybe we get tripped up on the connotation of a perimeter being an *outer* boundary rather than an internal boundary as well. I dunno, but the point holds up: define the perimeter, and make sure you’re not just thinking security on the outer boundary is enough.

Dirty Secret 4: Risk management threatens vendors
I think this stems from how amazingly different businesses are and how amazingly different their IT environments are. If a vendor can set your risk levels for you, they will drop their product in and pocket your money. But if you have your own levels set, chances are they can’t perfectly match up to you. They may try, but then you end up buying products with so many goddamned features built to satisfy all the goddamned risk levels of their desired clients… Yeah, you know what I meant.

But, on the flip side, risk management might be a benefit in some cases where a product nicely matches a portion of the risk levels a business wants to address, rather than a “well, it’s good enough for now” attitude.

Dirty Secret 5: There is more to risk than weak software
The secret itself is not really arguable, but the statement that, “the latter two [weak configurations and people] are far more dangerous risks than the big bad software security flaw of the week,” is actually an arguable point. It might be argued that even most software flaws stem from weak configs or people. Or one might say many of the damaging attacks these days are software flaws, or potentially could be if someone isn’t patching diligently (let me point you to Metasploit as an example of the power to r00t via software flaws). The point is good, however, that there is more to risk than just software flaws.

Dirty Secret 6: Compliance threatens security
I think we’ve all gotten on the same page about compliance these days: compliance raises the bottom line (the lowest common denominator), but is not itself necessarily “security.” It raises awareness and starts to set the stage for actual security value.

Dirty Secret 7: Vendor blind spots allowed for Storm
I both like and dislike this item. It’s very specific to Storm as an example and has a tone that beats on AV some more. But is the problem an AV one or an OS one? I’m not sure. What I can probably say is that complexity and people are the big issues here. More complex? More cracks for things like Storm to slip into and hide.

Dirty Secret 8: Security has grown well past “do it yourself”
This is easily the most confusing item in this list. I believe there is still a lot of do-it-yourself involved in security, but I think most of that is about talented staff leading the drive, as opposed to doing something like maintaining your spam blacklist yourself.

where to get microsoft patch information

Every month I get to review Windows patches, assign risk expectations, and start rolling out patches. I want to quickly highlight some of my sources of information on Windows patches.

1. isc.sans.org
The ISC is usually my first stop because they have a nice, compact grid that gives me a very quick overview of how many patches have been released and maybe how big a deal they may be (here’s August’s post). I really dig the mention of any active exploits in the wild.

2. Microsoft Bulletins
Obviously Microsoft’s patches are released with accompanying bulletins like this one from August 11 for MS09-039. Since I want technical information most of the time, I dig right into the Mitigations, Workarounds, and FAQ sections. If a CVE is involved, I’ll often check it out as well, along with other links in those (often vague!) advisories.

3. Microsoft Security Response Center (MSRC)
Microsoft has come a long way in their disclosure of patch and vulnerability detail. It’s like we’ve been out in the cold for years, but now every month we get a mug of hot chocolate with our patches, and it truly warms the soul. Not only is there a wealth of information here now, but I totally missed that they also do webcasts where they describe patches and common questions regarding them.

4. Microsoft’s Security Research & Defense Blog
This blog does not go over every single vulnerability or patch, but often goes into deep dives on some of the more important ones. In between patches, they also drop other information of interest to security geeks. Both this and the MSRC, in my mind, are indispensable right now.

5. The rest of the blogosphere.
I then tend to pick and choose other sources of information from my RSS feeds list. Some blogs post regularly every month, others are far more hit-and-miss, but I have no problem feeding my continued desire to read anything and everything.

20 openssh best practices

Almost everyone getting started in technical security how-to articles goes through their “securing SSH” phase. Hell, everyone has their handful of things to do when securing SSH. Usually these go from 3 suggestions up to maybe 7. This article at CyberCiti goes into 20 ways to run a more secure OpenSSH server.

Fine, some of them are suggestions that you certainly may opt not to deal with, but there is a pretty darn good amount of detail here to get started and feel good about SSH security.
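As an added example (not from the CyberCiti article or this blog), here is a small POSIX shell audit that checks an sshd_config against five of the usual hardening settings. The directive names are real OpenSSH keywords; the expected values and the selection of five are my assumptions about what a typical hardening list wants, not the article’s own list. The parser follows two real sshd rules that hand-written checks often get wrong: the first occurrence of a keyword wins, and anything after the first Match block is conditional, so the audit stops reading there.

```shell
#!/bin/sh
# Added example: audit an sshd_config for a handful of common hardening settings.
# Usage: audit_sshd_config /etc/ssh/sshd_config
# Prints one line per finding and returns the number of findings (0 = clean).

# DIRECTIVE=expected pairs. Real OpenSSH keywords; the expected values are the
# usual hardening choices (an assumption, not a complete list). "<=N" means a
# numeric upper bound. PermitRootLogin prohibit-password is also defensible in
# key-only setups; this list takes the strict "no".
SSHD_CHECKS="PermitRootLogin=no
PasswordAuthentication=no
PermitEmptyPasswords=no
X11Forwarding=no
MaxAuthTries=<=3"

# sshd_config_value FILE DIRECTIVE
# Print the effective global value of DIRECTIVE (empty if unset).
# sshd honours the FIRST occurrence of a keyword, and directives after the
# first "Match" block apply only conditionally, so stop reading there.
sshd_config_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match"     { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE
audit_sshd_config() {
    file=$1
    findings=0
    for check in $SSHD_CHECKS; do
        key=${check%%=*}
        want=${check#*=}
        got=$(sshd_config_value "$file" "$key" | tr '[:upper:]' '[:lower:]')
        case "$want" in
            '<='*)
                limit=${want#<=}
                if [ -z "$got" ]; then
                    # Unset means the compiled-in default applies (6 for MaxAuthTries).
                    echo "MISSING $key (want <= $limit, sshd default applies)"
                    findings=$((findings + 1))
                elif [ "$got" -gt "$limit" ]; then
                    echo "WEAK    $key $got (want <= $limit)"
                    findings=$((findings + 1))
                fi ;;
            *)
                if [ -z "$got" ]; then
                    # e.g. PasswordAuthentication defaults to yes when unset.
                    echo "MISSING $key (want $want, sshd default applies)"
                    findings=$((findings + 1))
                elif [ "$got" != "$want" ]; then
                    echo "WEAK    $key $got (want $want)"
                    findings=$((findings + 1))
                fi ;;
        esac
    done
    return "$findings"
}

# write_sample_sshd_config PATH
# Constructed sample (not from any real host): root login on, password auth
# only in a commented line and a Match block, and a lax MaxAuthTries.
write_sample_sshd_config() {
    cat > "$1" <<'EOF'
# sshd_config -- constructed sample for the audit demo
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 6
Match User backup
    PasswordAuthentication no
EOF
}

# Demo run on the constructed sample; expect three findings.
sample=$(mktemp)
write_sample_sshd_config "$sample"
audit_sshd_config "$sample" || echo "$? finding(s) in $sample"
rm -f "$sample"
```

Run it against your own file with `audit_sshd_config /etc/ssh/sshd_config`; a non-zero exit is the number of findings, which makes it easy to wire into a config-management check. The commented-out PasswordAuthentication line in the sample is the classic false sense of security: the directive inside the Match block only covers that one user, so the global default (yes) still applies to everyone else.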

security and user-friendliness both have to give ground

It is trendy to rage against security impeding people’s habits and convenience. “We need to make security user-friendly and unimpeding!” Well, that’s great, but keep in mind the flip side: some people’s habits and ‘user-friendly practices’ are bad ones.

When a side door is propped open with a bucket, is that a bad habit? Probably. Should security be attentive to this user need? Maybe. Maybe it should be a two-way door guarded by a camera and guard like the front door? Then again, that’s a business decision to make, not necessarily a security or even “pro-convenience” decision.

This is just a knee-jerk reaction to reading an essay espousing the need for security to be more attentive to user convenience. I’m just wanting to make sure we have a balance, not too much either way.

a darknet coming to a browser near you soon?

I hadn’t heard of this until I read a blog post from Jeff Hayes about it (the excerpt is from the eweek article):

HP security researchers are presenting Veiled, a darknet or private file-sharing and communications network, at Black Hat. Veiled can be accessed by any device with a browser, from a PC to an iPhone.

This sounds like a very intriguing idea for personal users. But as a corporate goon, this definitely has me giving a small groan.* Truly, while those of us really plugged in get older and deeper into the workforce and expect to be able to use our computers nearly as freely as we do our home ones, advances like this give more credence to tighter controls at the workplace. Security is not just about us vs Bad Guys, but also stemming the tendency of information to be free and widespread. (A strange duality if you think about it! And even stranger for those thinking in terms of global [macroscopic] security!)

I’ll be looking forward to more details from Hoffman and Wood as their BlackHat presentation date passes. This is certainly an intriguing development.

* Yes, even I know plenty of ways to bypass restrictions we’ve put in place, but it’s the “average user” that I am most worried about. Technically-savvy users are sometimes intentionally malicious, but I feel “average users” are far more often accidentally malicious. (This is backed only by my own intuition.)

security pros unhappy in their jobs

Saw this article over on DarkReading:

Kushner and Murray say they were surprised by security’s high number of unhappy campers — 52 percent of the around 900 security pros who participated in the survey are less than satisfied with their current jobs.

I’m not surprised by low numbers, for a few reasons that I can throw out with no backing research:

  • pros from a technical background that may not like being dedicated to writing policy
  • “we know better” when it comes to the state of security.
  • we’re geeks; and too often we are either happy when we get everything that we want, or unhappy when mgmt can only fund anything less than 100%.
  • as geeks and as security geeks, we’re in a growing research-laden industry where new things are being discovered and developed. I’m sure many of us don’t like the day-to-day drudgery work that may come from watching graphs, monitors, and alert dashboards. Many are driven by the discovery, even if it just means self-learning new things.
  • organizations don’t properly know what to do with security/security pros as much as security pros may not know how to show value. We’re still struggling to sell the idea that security is a process and you don’t gain as much as you think just because you have a one-time project with lots of “security-in-a-box” purchases.
  • we really do have a lot of passion, but that also means we do get affected when we see security fails. And fails so often. And stupidly…

I wonder how many security pros would say they are satisfied with the security efforts/level of the networks and organizations they work with on a regular basis (either their employer or the companies they advise/test/consult for).

I also pulled this quote out:

Kushner says his biggest takeaway from the survey was that security pros are not really mapping out their career paths. “That generally leads to unhappiness, and you wind up in a job you don’t really like,” he says. The key is taking a position that provides the skills and development you need, he says.

I agree and disagree with that sentiment. I agree that one should know what job will make you happy or unhappy, or will move you towards a goal if you happen to have one, and which jobs will not. But I’m not sure “security pro” is something that needs a career path for all people.

There are security pros who probably could use a career path written down so they can move on to CISO/CSO or even lead researcher in the field they want to get into. But there are so many of us that have no desire to manage or, as we often see it, buy into the corporate bullshit and get away from actually *doing* something directly. And plenty that can easily find jobs doing what they enjoy without moving “up” from technical hands-on ranks.

Besides. We deal with security. When was the last time you asked a security geek if they’re happy with the state of their security? I don’t think we ever have “writer’s block” when it comes to ideas to implement or improve things. It’s kinda part of who we are, just as much as being a bit paranoid is.

rock out with your hack out

Pauldotcom has a spot where they use the phrase, “rock out with your sploit out.” A great spin on the phrase “rock out with your cock out” (and goes great with “hack naked” which is one of the best hack/sec slogans out there with “trust your technolust” and “hack the planet”).

One drunken night I wondered if “rock out with your hack out” was used anywhere. A very empty Google search later surprised me: it wasn’t used anywhere notable. Whoa…

when does vuln research turn bad?

This post inspired by reading a story from Rich Mogull (Securosis) about VoIPShield deciding to effectively sell exploits. In case it is unclear, I’m initially in agreement with Rich’s sentiments.

At what point do you cross that strange line? I hesitate to give that line a name, since it might change the connotation a bit, but the line name I had in mind initially is “black hat.” Take these scenarios into consideration:

1. Security research firm (SRF) finds vulnerabilities and fully and freely reports them to the victim vendor and maybe the world at some point as well.

2. SRF finds vulns but only reports them to vendors, fully and freely.

3. SRF finds vulns and fully and freely reports them to the world immediately.

4. SRF finds vulns but only sells them to the victim vendor.

5. SRF finds vulns but decides this adds to their value as an SRF and keeps them secret as part of their stash of “we can own you during an assessment” tricks.

6. SRF purchases other vulns to add to their stash of tricks.

7. SRF finds vulns and adds them to their proprietary exploit tools that they sell to anyone.

8. SRF finds vulns and sells them to interested parties, whether they be the vendor or not.

9. SRF finds vulns and uses them to attack vulnerable sites/apps to steal information, i.e. criminal gain.

Quite often, we demonize criminal black hats because they’re realizing monetary gain at someone’s expense against the law. But where do vulnerability shops fall into the whole realm of things? Especially those who will sell vulns to the public. That’s like full-disclosure with a price tag…so in a way that is a monetary gain while possibly supporting criminal activity. Now, exploit-offering sites probably have indirect gain to their moderators and authors even if there is no charge, simply because of the knowledge and notoriety gains.

Maybe you can draw the line on whether utility is being experienced or not, i.e. is the general public more secure for your actions? Is there a legitimate value to your security efforts? If not, then we should all be working for free, right? Or what about intent? I might be making guns, but my intent is not to kill people even if I close my eyes while selling this gun to an obviously mental lunatic. So should regulation of exploits be a government matter (as it is in some countries, for better or worse)?

It’s an interesting road to think closely about…

my quick comments on milw0rm outage

It’s been a tiring week for news in the infosec world this week.

Between the DirectShow vulnerability and milw0rm faltering (and going down fully)…and it’s not even Thursday…

Here’s hoping milw0rm comes back up and str0ke gets some trustworthy and skilled help to keep it operative at the high level of quality it has had (I’ll third mubix being involved!). Not only has the content been top-notch (the burgeoning videos section comes to mind) but it has been an extreme help for researching vulnerabilities and exploits. I know, kids can get their hands on stuff like this and do mischief, but I truly feel that it does more harm than good to hide information under layers of moral grey lines.

Not only that, but if we keep hiding shit, we can’t allow more truly skilled security professionals to grow. And let’s face it, so many of us are hugely self-taught or community-taught. We need information to be open so we can keep making informed experts and share knowledge. Otherwise we just become elitist and closed-door…and everyone else has to repeatedly re-invent the wheel.

As far as rumors of FBI pressure on the hosting provider for milw0rm, you would really think law enforcement would prefer “the enemy” to remain out in the open in places you can watch too. Milw0rm, at least in my point of view and experience, has been far more a positive to security than it has been a boon for those who spread insecurity. By far. Not even close.

links and info about directshow 0day (msvidctl.dll)

The Windows 0day against DirectShow (msvidctl.dll) has been moving like wildfire the past 24 hours. I’m only going to blitz a few links on this topic:

Metasploit has a module ready for it (can’t link while at work).
POC exploit that pops up calc.exe
another POC

A couple bits of yoinked code. I don’t recommend running these as they are both taken from live sites hosting bad stuff (the links here are just fine though!):
http://en.securitylab.ru/poc/extra/382195.php
http://4lt4l.blogspot.com/2009/07/directshow-0day-in-wild.html