Defcon videos have been posted. Finally, I’ll get to see Fyodor’s talk on nmap!
another rambling non-technical post (whine, rant, sigh)
I do Get It that IT needs to align with business. But that doesn’t mean I think everything is then rosy in the house and all the puppies are happy. It’s an easy thing to say, but a hard thing to adhere to (or easy, if you like statistics and can twist anything into a business value-add!).
My boss’ boss recently related a story about a VP who was tasked with turning around a company that had the right technology but the wrong business strategy. This included constantly evaluating whether the technology (and projects) is serving the strategy of the business.
That’s great, but to me that reinforces the idea that you only do enough in IT to accomplish the job, and that’s it. You let the rest languish and most likely don’t do any housekeeping. Housekeeping includes the things that make security work: logging, alerts, detections, testing to make sure things you put up 6 months ago still work, audit settings, patches and updates (that don’t add any new features you care about), etc.
Yes, that is a way to go. For example you don’t need absolutely spotless event logs on your Windows servers. But that also is a way to foster a completely reactionary culture in regards to existing technology. I think that approach works more for new technologies and projects.
It just means that someone has to value security and housekeeping. And I’ll always go back to the idea that so few people value personal security, judging by the lack of security measures for their own home, let alone for the business they own, until they suffer for it. It’s like finding your God only when you’re deeply fearing your own mortality (or feeling excessively guilty about something and need an explanation).
the security concept you want your boss to understand fully
Mubix posted an excellent question via Twitter today. Twitter promptly decided to poop out on me…but even so, I thought it a question worthy of blogging about.
mubix: Polling the audience (serious answers please). If you could get your boss to understand one security concept fully, what would it be?
Take a few moments to think about that one. Grab a stress ball, sit back and sip some coffee, whatever it is you do when absorbing something, but just take a moment to think.
Lots of things come to mind. Trust no one! Audit and change management! Patch! Hire, retain, and train competent staff to do the heavy thinking! You can never have too much information (just bad consumption of it). Support the business securely.
I finally posted back the following:
@mubix Hard question, and worthy of a blog post. I’d say “You *will* have a security incident. Plan for it and plan to find it.”
I was hoping for something more profound like, “Wax on, wax off,” that would encapsulate a whole zen-like frame of mind where all security pieces fall into place. Alas, this was my contribution. At least I feel it states one of our fundamental laws of security, and sets the tone to properly detect, monitor, check, audit, and respond to incidents.
a little late to the ie7 horrible interface party
I’ve casually used IE7 on a test work machine and on my gaming machine, i.e. not very much and certainly not enough to play around with the interface. Last evening at work we rolled it out to all desktop users. Holy sweet mother is that top bar a cluster of a mess! I normally wouldn’t mind it if I could fix it, but IE7’s customization is pretty much half-assed.
Optional menu bar? What are they smoking?
Can’t move the menu bar to the top where it belongs without a registry edit?
Can’t remove the Search box without a registry edit?
Can’t drag pieces up into the top bar?
The Home button is now broken away from the Back/Forward/Reload/Stop buttons?
Can’t edit or move the top bar?
Star (Favorites) buttons I can’t remove?
Again, I wouldn’t mind it if I were allowed to reset them all and move and disable what I want, but I don’t see a way to make this look decent at all! 🙁 I tend to be as minimalist as possible with my browser, while still being functional. Small top bars, only 2 rows, and nothing that I don’t otherwise use regularly. I’m a computer user and thus I am fine using hotkeys or Menu bar dropdowns for occasional stuff. For tabbed browsing and a bar of Links that I only use on a work system, I’ll make do with 3 rows of junk on the top. IE7 has me stuck with 4 at the moment.
And while I’m not against registry edits, it is obvious Microsoft did not intend for these options, and I dislike adjusting a corporate browser away from the standard settings.
disabling sslv2 because it is naughty
We now know how to test for SSLv2. How do you fix it?
IIS6: Well, go ask Microsoft. It is a registry edit and not a GUI option.
Apache httpd.conf: “SSLProtocol +All -SSLv2” or even “SSLProtocol -All +SSLv3”. Further cipher tinkering can be done with the SSLCipherSuite directive.
For everything else, you need to consult documentation. In my case, I have Citrix Netscaler load-balancers in front of my web servers. In the port 443/SSL vservers->SSL tab->SSL Parameters, I would uncheck “SSLv2” and uncheck “Enable SSLv2 URL.” That second one is just the redirect for browsers wanting to make SSLv2 connections when SSLv2 is not wanted. Of course, this can also be done via SSH.
testing ssl strength
A common question on security surveys, and often an item auditors love to point out because it’s “easy,” is the question of SSLv2/3 support. SSLv2 is insecure and shouldn’t be used. Various sources can describe (pdf) the issues better than I, but I will say I don’t know if anyone has made SSLv2 attacks very practical, even if browsers still fell back to SSLv2, which they don’t anymore.
So how do you check what SSL version your web site supports?
1. SSLDigger available as a free Foundstone tool
SSLDigger is a GUI tool that accepts a site (or IP) and digs on the supported SSL ciphers. A nice tool, but it actually gives no distinction between what is SSLv2 and what is SSLv3. However, it does rate ciphers on how weak they are, which can be a nice guide if you’re digging down that deeply and enabling or disabling various individual ciphers.
2. THCSSLCheck
THCSSLCheck is a Windows command-line tool. THCSSLCheck takes things a step further and groups ciphers based on their SSL version, which is a nice indicator. Very clean!
3. OpenSSL
Yup, OpenSSL (Windows and Linux) can also check SSL strength, and might be the easiest test to understand. It also gives some content that it receives from the website. This is helpful if you have a proxy, filter, or load-balancer in the way that redirects SSLv2 connection attempts. The above two tools simply determine whether a cipher negotiation was successful, but they do not report any context. In my case, I have load-balancers in front of my web servers that answer SSLv2 connections with a landing page saying we don’t support SSLv2. So, yes, the scan showed a positive, but it’s not a real positive. OpenSSL will catch this if you wait a bit and hit enter a few times.
openssl s_client -connect www.mysite.com:443 -ssl2
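As an added example (not from the original post), here is a small POSIX shell script that runs the s_client probe above with a blank HTTP request instead of hitting enter by hand, then classifies the captured output so that a load-balancer landing page is not counted as a real SSLv2-capable web server. The sample outputs, the host name and the landing-page wording are constructed for illustration; the error text is an abbreviated OpenSSL message.

```shell
#!/bin/sh
# Added example, not the original post's code: probe a site for SSLv2 the
# way the post describes and classify what openssl s_client reported.

# Run the probe, sending a blank GET so the server answers without any
# manual typing. The -ssl2 switch exists in OpenSSL builds of the time;
# newer builds removed SSLv2 entirely and will reject the option.
probe_sslv2() {  # usage: probe_sslv2 HOST [PORT]
  printf 'GET / HTTP/1.0\r\n\r\n' |
    openssl s_client -connect "$1:${2:-443}" -ssl2 2>&1
}

# Classify captured s_client output passed as the first argument.
# Prints one of: no-sslv2, sslv2-landing-page, sslv2-negotiated
classify_sslv2_output() {
  out=$1
  # The SSL-Session block only reports "Protocol : SSLv2" when the SSLv2
  # handshake actually completed; a refusal shows a handshake error instead.
  if ! printf '%s\n' "$out" | grep -q 'Protocol *: SSLv2'; then
    echo no-sslv2
    return 0
  fi
  # Handshake completed. If the page that came back talks about SSLv2 not
  # being supported, it is the load-balancer redirect, not the real site.
  if printf '%s\n' "$out" | grep -qiE 'not support.*SSLv2|SSLv2.*not supported'; then
    echo sslv2-landing-page
  else
    echo sslv2-negotiated
  fi
}

# Constructed (abbreviated) sample outputs for the three cases.
SAMPLE_REFUSED='CONNECTED(00000003)
error:SSL routines:ssl handshake failure'
SAMPLE_LANDING='CONNECTED(00000003)
New, SSLv2, Cipher is DES-CBC3-MD5
SSL-Session:
    Protocol  : SSLv2
    Cipher    : DES-CBC3-MD5
HTTP/1.0 200 OK
Content-Type: text/html

<html><body>This site does not support SSLv2. Please upgrade.</body></html>'
SAMPLE_REAL='CONNECTED(00000003)
New, SSLv2, Cipher is DES-CBC3-MD5
SSL-Session:
    Protocol  : SSLv2
    Cipher    : DES-CBC3-MD5
HTTP/1.0 200 OK
Content-Type: text/html

<html><body>Welcome to the store.</body></html>'

# Usage: sh sslv2check.sh www.mysite.com [443]  (host name is a placeholder)
if [ $# -gt 0 ]; then
  classify_sslv2_output "$(probe_sslv2 "$1" "$2")"
fi
```

A result of sslv2-negotiated is the one to chase down; sslv2-landing-page is the false positive the post describes.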
“aldaraan server is the call of duty place to be!” something missing from x-box live
I recently got into X-Box Live (XBL) multiplayer matches in Left 4 Dead and this weekend Call of Duty: World at War.* I’ve been so far having a good time, but there is something missing in XBL multiplayer that I loved in my previous years of PC gaming.
I used to play Quake 1, Unreal Tournament I, and even the first Call of Duty, all on the PC. When you played multiplayer on those games, you would somehow get a list of servers hosting games and choose one based on various criteria, most likely latency, game settings, player population, and even reputation of the server. When you found a game that played well and was fun, you usually wrote it down or saved it as a favorite. This resulted in a list of frequented servers you played on.
Over time, I became a regular on my preferred servers, and I got to see the other regulars who were around on that server too. In fact, eventually you get to chatting with them and form a sort of gaming friendship (or rivalry). This was excellent, as you could play with and meet several other players over time. This occurred in all three of those games I played the most, and always resulted in clan invites, friendships made, and carry-over into IRC, forums, and IM. Sometimes you could play for weeks before finally actually talking with another regular and chatting it up, having fun, etc. Every now and then you would even learn of other servers your friends liked, and thus expand your exposure.
In XBL, you typically dive into the multiplayer games and get thrown into a random game with a slot open, which is likely just an ad-hoc host in a farm of host servers. There are no server names, no preferences, no continuity to the multiplayer gaming experience; no home “turf.” If you want to make friends, you have to do so in the small window of time that you’re both in that particular game instance. And even then, you may not be playing on the same team on the next 3 maps!
Last night in Call of Duty there were over 200,000 people playing, and maybe 35,000 in my game type (Team Deathmatch since I’m new). The chances of me seeing any repeat action from players I’d seen before are exceedingly slim. Even in Left 4 Dead, I’ve only had a repeat player once (notably we both remembered each other).
The way you play repeat games is to friend people you play with, immediately. This results in a watered-down friends list full of people you barely know, friending everyone you possibly could stand to play with again. And vice-versa (considering I still suck, I doubt this is a 2-way street yet!). Even then, you still usually have to join the games as an XBL party or risk playing against them or not at all because their game is full. Bad choices in friending people can turn into awkward moments where you’d rather avoid them…
I wonder how clan matches work in this setting? Maybe I’m still missing things in my limited exposure…
Still, there is something to be said about the continuity of the gaming experience and community that forms from discrete servers. It would be nice if XBL had named servers, and if capacity was larger than the named ones, then maybe ad-hoc hosts can spring up for peak times to get all those people looking for a random game. Or just have such a huge pool of “server” names that they never run out.
“Aldaraan #10” is the place to be Friday nights!
* It is already annoying enough to hear 8 year old boys talking with impunity in game, let alone a game that now and then says, “Good fucking job, marines!” I find that many of my jokes and game jabber may not be suitable…
you’ve heard all of this before on pci dss
Fun times continue with PCI DSS. Anyone with an idea of security saw all of this coming (and this can be applied to any security checklist…):
1. PCI “compliant” firms suffer breach.
2. Companies/people question PCI.
3. PCI blames firms for not being perfect every moment of every day.*
4. PCI DSS is only guidelines and checklists that don’t actually DO the securing in and of themselves.
We’ve all just been waiting for more inevitable data points on the grid of this argument.
The argument revolves around how PCI markets their DSS and how people accept it. If PCI markets it as a rubber stamp approval of ultimate security, they fail. If people expect PCI to be perfect, they fail. PCI can fix this by simply adding the byline: “…this is where you start with security, but this is not alone a guarantee of security.”
Of course, we all know how that will be taken: “If it’s not perfect, it’s useless!” Which is an immature (or common business) argument in a realm where perfection is not possible. Sadly, this is where the media sucks (and rightly milks it for the hits/attention) and the General Public only has immature thoughts about security. But still, PCI fails for allowing the perception that its DSS will save you, even if that was their intention in the first place.
PCI is no better than any checklist or list of best practices.
* PCI can weasel out of any blame any given day. Just blame the QSA and/or the firm. This is another “law” of security, not just cyber but every sort of security from war efforts to the war on drugs: You can always naysay because there is no ultimate “win” and no ultimate definitions. Another “law” illustrates this, “You *will* suffer a security incident.”
satellite radio cool for a year or two
I recently got back on sat radio with Sirius/XM. Now I see they’re floundering? I can’t say I’m totally surprised. While the idea of “commercial-less” music and radio is brilliant and necessary, as well as the beauty of being able to listen to what I want as opposed to what happens to be in my midwestern farm-state area, that has to balance with the fact that it costs money vs free FM/AM radio, and household budgets are tightening.
I don’t think sat radio has a real market anymore; it was a transitional piece kinda like Blu-ray today. What I think will be the future is all of the web-based podcast and radio stations (like my favorite somafm). All it takes is the ability for my car to get on an internet connection and pump out a stream into my receiver. That’s it! Sat radio is still a closed system, even if they do have 3000 channels. Give me an open system like the Internet to choose my station… With Sirius/XM, I’m paying for 297 channels I typically don’t listen to, and the 3 I do listen to are sometimes playing things that suck and make me go back to my ipod or cowon or a disc. The most expensive channels (Howard Stern, Martha Stewart) I’ve never and never will listen to.
And it doesn’t even have to be a subscription fee system! Just charge for the cables/receiver to handle streams, and then pay for what many of us already have: sat data connections through something like our phones. If our fav stations want donations or fees, then so be it.
I get some “ok” stations on sat radio, but I’ll get exactly what I want at all times when given the freedom of selection from the entire Internet. Seriously, Pandora streamed to my car? Hawt.
Can Sirius/XM save themselves? Sure, but only if the music/radio industry as a whole doesn’t stop them. Sirius/XM already has all the logistics to beam me somafm or Pandora. They just need to license it. And that’s where I think the industry will politically block them. I don’t think the general music industry dare reverse their years-long fights against online broadcasters…bastards.
big brother, little brother
Last night I finished reading Little Brother by Cory Doctorow. The book is centered around security, privacy, and hacking as a survival trait. The technical bits and pieces are excellent, and the entire premise is easily plausible. It is an easy read, engaging, and technically awesome. The book is firmly geared towards teenagers. While there are some underage drinking, drug references, and minor sexual content, this is nothing compared to what goes on in the lives and minds of maturing teens today. Even so, I would recommend it to any teen with a passing interest in technology (even if you just use MySpace for fun), as well as any adult who has such interest in protecting privacy, freedom, and digital security.
On a side note, it makes me smile with enthusiasm at what it must be like to be a teenager or younger, growing up firmly in the midst of all this social networking and technology surrounding every facet of our days. I get a bit giddy at what someone with unlimited time and imagination can do with electronics and our digital world; it’s awesome!
private security efforts vs government security efforts
In my previous post I reacted to Rich Mogull delving into the idea of a government agency being allowed to clean or isolate compromised systems. I wanted to pull out one idea and just bring it up without hopefully beating it to death; a “something to think about” moment.
Compare and contrast the feelings of a government having the ability to control, clean, or isolate your computer system with the ability of a corporate security officer to control, clean, or isolate your computer system at work. I won’t wax on about it, but just sit back and think about it beyond just who owns the assets, and consider also the value of some measure of privacy both at home and at work. It’s a good exercise! We get very passionate about privacy at home, so should we bother with thinking about it a little bit for workers at work?
allowing the government to clean or isolate infected systems
I missed this discussion topic from Rich at Securosis the other week. I’m likely a bit late to join the convo, but I wanted to post a link here and throw out some reactions. Rich basically proffered the idea of allowing a regulated agency to isolate or clean compromised systems (i.e. to stop them threatening the safety/security of others).
Read his post and the comments for starters. Below, I’ll try to be brief and bulleted.
1. Safety and security. There is a big difference between those two terms. The firefighters in Rich’s opening analogy deal with safety. I have no argument that a firefighter can break into my burning house and further trash it in the interest of public or personal safety. But when it comes to security, we have a different topic, especially when security is ephemeral and fights with privacy. It is usually very clear when safety is impacted and far less clear when security is impacted and to what degree.
2. Is cybersecurity that dire an issue? We security geeks often act like an unpatched system spewing spam is the worst thing in the world, but is it? Sure, we don’t like it, but how does that weigh with other issues I bring up below, or with our privacy? We are really nothing as a free country without being able to protect our privacy to a degree.
3. Mistakes or corporate vs individual. Let’s say we have compromised systems and an agency is mandated to go in and burn the books at 451 deg…err…clean the system or shun that network node from the rest of the internet (isolation). What if that was a Google data center? Or Mom’s Crab Shack? or my home system? It won’t take but a handful of mistakes before this breaks down. And what if that were a false positive?
4. Agendas. I hate to be a pessimist sometimes, but we can’t even go to war without half the general public speaking up about agendas (right or wrong). And things don’t get better with smaller incidents (pork barrels?), they just get less exposed. “Gosh, I don’t know how my opponent’s campaign office got raided like that!” “Gosh, just go easy on that large company that employs a huge number of my constituents…” “Gosh, my district has an *epidemic* of compromised systems; we need to declare a cyber emergency and get more funding!”
5. IPS. One argument that still surfaces about IPS is their ability to suddenly shun false positives. In practice, it is difficult to do, but in theory, an attacker (or mistaken configuration!) can trigger an IPS to fire blocking protections and shun legit servers or networks. Remember SWATing? Eve calls 911 and gives Vince’s address so SWAT raids Vince’s house. Oops! This is very similar to the “mistakes” bullet above.
6. Potentiality. What if a system is potentially vulnerable to an attack? The debate on being proactive once “active” is allowed becomes muddier, and dangerous. ThoughtCrime, FutureCrime?
7. The Slope. We move very big steps closer to questioning the integrity of our Operating Systems. Should we proactively shun every Windows box not behind a network/firewall device? Why not just shun every non-perfect OS? We do like to batter and bash groups like Microsoft for their system’s insecurities, but let’s face it, such a product will never be perfect. Especially as a consumer product. I don’t like the road such actions move us towards.
8. Nothing to hide. Want to instantly drive a privacy advocate or even most hackers crazy? Utter the phrase, “Well, innocent people have nothing to hide.” If you still hold that argument aloft, I’m sorry in advance for your ignorance or tragic upbringing. I’d rather be surrounded by Mac zealots proclaiming their OS 100% secure…
9. Get off my systems. As an individual or a corporate entity, I would not be happy about someone being able to arbitrarily control my systems, even to “fix” them or “save” others. More on this in a follow-up post…
At the end of the comments, “Rob” posted what I think sums up my feelings, “I don’t like disagreeing with Rich, but I’d rather have a million botnets active on the internet than sacrifice the tiny remaining legal barriers to police invading my computers.”
the breach rumor grapevine is ripening
I think we all know the news of another data breach, this time most likely at an online payment processor. My contribution to any thoughts on this is how quick the information network around breach rumors (and hopefully, later, actual details!) has become. It has been at least 4 days since I first heard these rumblings and only today is there some real information being presented by affected parties or VISA/Mastercard. And still no indication of who exactly the victim is.
more attacks against ssl
There is SSLFail. I’ve talked about SSL before. Jay Beale has been presenting on similar issues. And now Moxie Marlinspike has given another eyebrow-raising talk at Black Hat about SSL and HTTPS attacks (pdf). It’s like SSL implementations aren’t being asked if they want a gut punch or a face punch, but rather just getting both. Some of his material is similar to what Beale does, and while I don’t care who was first, the fact that multiple people are pointing these out is noteworthy itself. Mubix tweeted (twitted? twatted? oh my) a link to the video preso.
SSLStrip is the tool he announced, but I don’t see it public yet. Moxie has other SSL tools, too. And I’m curious who still doesn’t set (CAs) or check (browsers) basicConstraints.
Bottom line: If you’re still not scared of SSL MITM attacks at your local hotspots, you need to be. In fact, any time you’re on a network you can’t trust, you need to exercise reservation in your actions.
information security mag online
I didn’t realize the Information Security magazine was available online (pdf). Some highlights:
Schneier and Ranum go point/counterpoint on the topic of social networking and the workplace. Schneier has an excellently polished point, and I think Ranum has some good points, too, and properly attacked Schneier’s weak point on CEP transparency.
The 2009 Priorities Survey section wasn’t too interesting other than 75% reporting that Data Leak Prevention was a must-have. To me, this is like saying you need a complex man-trap…when there are plenty of open side doors and windows with nary a lock on them. DLP is definitely a conversation-starter whether you like it or not! The article continues on into access control, an equally twisted term. Are you talking about issuing playful tokens, or are you talking about actually getting into who has access to what and how to limit that? Two very different ballgames.
I like the spirit of David Storms’ 10 tips to protect your company in a down economy (if you get the eEye newsletter, this is the story that didn’t get linked!). With the economy stagnating (or going down), I think many companies have put new projects on indefinite hold. At least in the tech area, I’ve not heard of huge swaths of layoffs unless the company is already bloated. So this might mean staff levels are frozen, but staff still need to get things done. With possibly fewer projects, it might be worthwhile to take on some free/open tools and leverage them instead of some bloated, expensive big-box that doesn’t really confer much true security knowledge. #8 about properly terminating employee accounts should really be #1 this year. With remote access and layoffs, many people will have knee-jerk thoughts of revenge or fear and may act on those ideas before access is properly terminated. Just this week we had 11 layoffs and those of us who hold those access keys learned about them all at the time of or after the fact. Gambling with fire!