My Security Planet » Items by michael

Items by michael

will this make someone feel good?

Posted: May 8th, 2012, 9:46am CDT by michael

Tags: [edit]

Jeff Snyder has a post up about (Handwritten) Thank You Notes. (note: security recruiter page, in case you're worried about web filters).

I think part of this is not about sending deserved thanks,* but the sort of human contact that really makes our day. Similar to a random (non-creepy) smile from a stranger to someone who goes just slightly out of their way to hold a door or learn your name if you're a regular in a store or location. Or better yet, give us a conscious, sincere compliment about something. I think I remember every time someone has complimented me on my car, or whatnot. We're all people, and it's natural to react positively and memorably to those who poke us the right way.

The article Jeff links to has 5 business etiquette tips, and I can't help but notice that they're of a similar human (humane!) vein. In fact, now that I read to the end of the article, here's the crux: "Will this make someone feel good?" You know, I actually like that as much as the common geek theme, "Don't be a dick." It's a bit of a positive note rather than the absence of negativity, but also doesn't use a word I tend not to use (if you know my full name, you know why!).

* And please don't just send Thank You's like firing off a form letter. Make them personal and try to actually *feel* it. It's sort of like never saying "thanks" or "excuse me" as a rote reflex, but always with conscious sincerity. (You can observe this failure in other people when they say thanks when *they* did something for you...)

facebook privacy issues still only slowly being realized

Posted: May 7th, 2012, 11:54am CDT by michael

Tags: [edit]

Via Emergent Chaos, I got linked over to a nice article on Consumer Reports about FaceBook privacy. Now, being a CR subscriber, I tend to really skip their tech/security/privacy articles because, well, their treatment always makes me nervous or leaves me with more questions than answers (similar to skipping their reviews on laptops/computers, because I build and evaluate my own based on criteria far higher than their focus). But this article about Facebook actually *taught* me a few things that I probably could suspect, but never actually fully appreciated:

Facebook collects more data than you may imagine. For example, did you know that Facebook gets a report every time you visit a site with a Facebook “Like” button, even if you never click the button, are not a Facebook user, or are not logged in?

And I like this quote from Zuckerberg, which sort of illustrates that we're often not talking about the same things when we talk about privacy:

...a blog posted last year by founder and CEO Mark Zuckerberg, who wrote, “We do privacy access checks literally tens of billions of times each day to ensure we’re enforcing that only the people you want see your content.”

That's great to hear about users accessing other users information, but what about the data you use for your purposes and keep for however long?

lessons from others: a chumby engineer

Posted: May 6th, 2012, 12:55pm CDT by michael

Tags: [edit]

As kids, we don't listen to the advice of other people. We're too busy being independent thinkers, individuals, rebellious, and caught up in our own autonomous futures. We're also unconsciously sick of being constantly told what to do and molded by parents, institutions, and school.

Part of the process of getting older is appreciating the (value of, which itself is an 'adult' phrase, yeah?) experiences shared by other people, and our learning from mistakes and successes of others. This is probably why adults keep trying to "advise" kids, and we adults just don't get why kids don't listen. I also believe this sharing of experience is one of the best things about the Internet (and maybe one of the worst if you get idiots sharing poor experiences that make no sense or are rife with, well, idiocy).

Anyway, in comes an experience-sharing interview: "MAKE’s Exclusive Interview with Andrew (bunnie) Huang – The End of Chumby, New Adventures." I have a Chumby. While I'd known about the Chumby for years, I didn't actually pull the trigger on purchasing one until last year. Sadly, I jumped on just in time for the wagon to reach the end of the trail: the chumby is on the way out. While it still works, the Chumby is basically dead-thing-uhh-sitting, since its apps rely on the central server for updates and actual function. I see today the forum's aren't working, and my never work again for all I know... (also sadly, I do not have one of the cute, awesome, little bean-bag type plushy ones that I fell for years ago; mine is a hard upright piece of plastic...)

But Huang has plenty of advice to give in this long interview, where he talks about entrepreneurship, design, kickstarter, funding, pricing...

The hardware model is radically different from the software model. Software is innately scalable; you can acquire a hundred thousand users overnight. Monetizing the user base in software is trickier, but most software plays start with scale and then worry about money.

This sort of discussion is worth having in really any part of IT. Are you making infrastructure decisions based on what the business wants, or creating a space for the business to find uses for what you do? I'm no expert in this area, but sometimes you need to worry about how your infrastructre or solutions scale and are agile and fill multiple needs quickly, and let the business worry about the monetization, ya know?

In the face of ‘ship or die’, one should not be looking to ship the perfect product. It is more important to ship a product that’s good enough, than a great product that’s late.

I think we in security can relate to shipping unfinished products. But hey, that's the name of the game.

But that does show one of the flaws of fact-based reasoning. Engineers love to make decisions based upon available data and high-confidence models of the future. But I think the real visionaries either don’t know enough, or they have the sheer conviction and courage to see past the facts, and cast a long-shot. It’s probably a bit of both. Taking risks also means there’s a bit of luck involved.

the discussion of firewalls and antivirus

Posted: May 4th, 2012, 1:57pm CDT by michael

Tags: [edit]

Often, a 140-char Twitter post isn't enough to convey a message. In fact, sometimes accessible blog posts don't give enough meat to a discussion that deserves it. This can probably be said about the current discussions on firewall or AV (or more broadly: "old") security technology effectiveness. The bullet points usually aren't good enough to do a topic justice (which sometimes means we're arguing two different nuances of the same position...).

(Aside: I really hate how Google Reader links tack on extra crap behind a URL; which means I have to get rid of it when linking to stuff found via it.)

Anyway, Beau is back to blogging and threw out a post, "Firewalls and Anti-Virus Aren't Dead - Should They Be?" which itself is a response to one from Wendy Nather, "Why We Still Need Firewalls and AV."

(Aside: It might not be proper to call them antivirus tools anymore, but I also still use the term "video" when I mean DVD/Bluray, or to "tape something" as in record it. That's not meant as a dig, though it certainly makes me grin to think of this analogy.)

This is a necessary and healthy discussion to have, even if I am not terribly open to the direction (wet blanket comes to mine). I totally encourage any other bloggers out there to also chime in, because Wendy's closing question is really still unanswered, and it's the Big One, ya know? "So if you don't agree with me, and you've really stopped using these products, I'd love to hear about how you're addressing those classic threats, and what controls you replaced them with."

(Aside: This same feeling exists in the whole Down With Patching movement...)

I really require hard proof that techX isn't working anymore (I already agree it's not as effective, but that's different.). And I also require an alternative (something business/management learns you pretty quick) that matches the technology one-to-one and/or improves upon it. Many vendors think this means making Super Boxes that do so many things with covers on top of covers to shield me from the guts of the surgical tools, and I tend to disagree with that approach.

(Aside: I left a comment on Beau's post, and I'm thrilled to say I only needed one attempt at the captcha to post "anonymously" [or at all]. This is rare, and actually reduces my commenting in outside areas, like the HP evangelist blog which pisses me off to no end each time I try... Of course, InfoSecIsland gets no comments from me because of the login req...)

I do want to bring out just one part of Wendy's post at the end that I liked, "They [users] need to know what each security product will and won't protect, and they need to understand this in a non-technical way..." This is partly why it sucks to talk to security vendors today. Their products are too big and bloated for an elevator pitch that doesn't dive deep into hyperbole. And too complex to understand them well enough to sell them this way. They conflate their protection (DLP is notorious. Also I had a large endpoint security provider today use the words "100% secure" after rolling out their endpoint solution remotely...). And they latch onto compliance and media scares for attention (ok, I do the same thing, since compliance has given me more tools than I'd have without...). The vendors that do this leave a bad taste when dealing with anyone in the whole industry space, which is a shame. (Aside: Oh, and I think Beau actually agrees with both Wendy and myself [RE: paragraph 8 from his post], it just kinda kneejerk sounds like he doesn't.)

reactions to palo alto live-broadcast on byod

Posted: April 26th, 2012, 2:33pm CDT by michael

Tags: [edit]

I have a post about BYOD incubating (for weeks), but did want to post my thoughts on this.

Just checked out a Palo Alto Networks sit-down talk today with Nir Zuk (Palo Alto), Rich Mogull (Securosis), and Mark Bouchard (thank you for not making this over my lunch hour!) doing a live-video discussion titled, "Coming to Grips with Consumerization." Of course, I took some notes.

- users want to tailor their damn devices; the perception of mobile devices supports this where users may expect customization with mobile devices where traditional computers have less of this perception. I agree with this for the most part, especially if people are expecting to carry this *and* their own personal devices at the same time. People will want less devices, thus just one that covers both work and personal.

- this mobile issue isn't new. I don't have much to say about this, but once you really sit down, the fundamental issues here really aren't new. Protect data. Manage devices. That was true 10 years ago and is still true today. It's just more difficult today because of how BYOD/consumerization has evolved. This is a good thing to bring up early, since many (even me) get hung up on this being a brand new issue.

is the problem truly just lack of device management? This was a great discussion, and I think this is a huge, huge problem. If not the biggest one: we can't manage these damn devices people want to use for business purposes. Keeping in mind installed apps, blacklisted apps, bad uses/configurations, inappropriate use, etc, as part of this topic.

data assurance is a new key (somewhat). Again, no difference to traditional computers, only now we have less tools to assure this on these new mobile devices. Remote wiping is just not assurance enough.

"make sure bad things don't get into the device," quote from Nir. Kinda sounds like the same problem with any computer for a long time, yeah? Sadly, corporation protections have *less* tools to do this, even as Android/Apple give users better tools to manage their apps and stuff (with arguable oversight). Traditionally, we have device lockdowns, least privs, and endpoint protections. With these new devices, we don't have these tools really at all, or when we do, they're usurped.

some talk about network-based protection/inspection. While I love this idea because it sits squarely in the technical side of things, especially on the network/sec teams, I think it is dangerous to rely on inspection visibility for security in the future. There will continue to be pressure to encrypt and hide traffic in motion. And it's a whole new discussion about how we want privacy but also want visibility; we can quickly talk out both sides of our mouth.

doing infosec right from shmoocon

Posted: April 24th, 2012, 11:38pm CDT by michael

Tags: [edit]

"The reality is that there's a lot of fame in doing one little tiny thing [as a security offense researcher] and somehow being a hero for it. There's not a lot of fame in slogging through the shit, day in, day out, and *not* making the news. And when you're a defender, the goal is to not make the news."Myrcurial, Shmoocon 2012.

This quote comes from a great presentation called Doing InfoSec Right from Shmooncon 2012, which itself is chock full of truths. Call me a fanboy, but in my catching up on videos/presos this past month, I've caught several talks including James Arlen, and I gotta say the man rocks. (I was already a Potter fan, so I don't need to declare that.)

Doing InfoSec Right Pt 1 and Doing InfoSec Right Pt 2

Here are some bullet points that are whole-evening discussions in themselves:

- It's hard to get experience in defense, and the tools lag behind. This topic is important, but it should be prefaced with some role definitions. There is a place for offensive-minded security defenders, but also you should have admins and developers and QA who are admins first but are baking security in (or the service desk guys). These two general roles can easily be separate lives. This came up later as red team guys and blue team guys.

- Lack of innovation in defense. While I broadly agree with this, it's hard to agree too much when there are no ideas on what constitutes innovation. *What* should we be innovating? I might even buy that we *don't* need innovation, we just need more emphasis on security and better efficiencies (which modern mega-suite tools fail with).

- Lack of sharing in defense / lack of cons and presentations with defense.

- We have all these awesome tools, but no one knows how to use them right, nor has the time.

- knowledge of analysts vs the knowledge of the tools. This should be a bigger discussion because I could argue either way. We do need bigger tools, but I also believe we need the talent to fill in the cracks and be able to play with the packets when they need to.

- The people with heavy experience are the ones who are "above" the roles that are in the trenches. This also feeds into the smarter tools/dumber analysts discussion.

- The burning pain behind you.

- Offensive side is very good at sharing; defensive is not.

- Junkyard Wars analogy for defensive guys: time boundaries and limited things. I think this is an interesting analogy to inject into the above bullet about better tools and using them better and stuff. Or better yet, about having smart tools so we can have dumber analysts.

- Forensics vs defense. I just wanted to plop this down, since this is an interesting discussion point that was brought up twice quite briefly.

- No evidence of what works or doesn't work.

I think there is distance that can be had by injecting the idea that business, IT, and thus security is infinitely varied across all the orgs, businesses, and people out there. This might help explain why our solutions aren't as sexy as attacks against system A, etc. Things like patching may or may not work, but it certainly doesn't work for those who got pwned due to a lack of a patch. It's too late to make that point more succinctly and understandably...

managing security is like... (quick thoughts)

Posted: April 23rd, 2012, 3:35pm CDT by michael

Tags: [edit]

Back in high school I spent some extracurricular time to build a river model as a Biology project. Basically a huge sandbox that could be elevated and have a water pump circulate/recycle water through it to simulate the effects of a river. To me, security is like building that sandbox and planning it all out, but once you turn that water on, it goes damn well wherever it wants to go, taking paths of least resistance using decisions you didn't even know were possible. (Hence the usefulness of the model!)

People do the same thing in business and technology. Security puts down security measures (roadblocks, direction signs, suggestions, speed bumps, rules...), but people that want to do things a certain way will do them that way. The classic example is our current situation of using port 80/443 as universal tunneling ports. Security is blocking ports? Use the one they do open. Ops limits email attachments? Security filters out CC/PII in emailed attachments? Well, use your personal email account. Security/HR has web filtering? Use your smart phone and the guest wireless network to do your personal stuff.

And on, and on. It's not so much a security problem as it is just a path of least resistance problem. Like driving through a parking lot outside the lines and risking not seeing the car to your side, rather than driving within the 'rules.'

Which is funny, since we should also value creativity, outside-the-box thinking, innovation, and doing things new ways. Which is easily at odds with such rules.

This is why I've come to like Hoff's blog name: Rational Survivability. If you/your business continue to survive, that's really the goal, isn't it? Every now and then, I think he knows what he's talking about.

some dangers in logging and mssp adoption

Posted: April 23rd, 2012, 3:14pm CDT by michael

Tags: [edit]

Jack Daniel has a blog post about logging and MSSPs, "Wait, what? Someone has to look at those logs? ". He essentially makes one point that I (and others) have made for years about Managed Security Service Providers:

...in spite of some MSSP’s theoretical threat intelligence and perspective advantages, they simply do not understand the businesses they serve well enough to provide enough value to justify their expense.

Looking at an MSSP to do something you don't already do is one thing, but to replace an internal process (or something you *can* do internally) with an MSSP needs to have the risks weighed out. Too often an MSSP is looked at just to save money or just because the internal team isn't perfect (an expectation that is bad to have).

An MSSP will have dedicated people with a certain level of expertise and efficiency in monitoring your (and many other client) logs. But...

- you're just one of many clients (probably)
- they won't know what's really important to you or a throwaway system
- they will either require elevated rights into your systems to troubleshoot/assess
- or they will be so far removed that they burden your team more than normal with all sorts of pings/tickets on things to look at
- the only valid events will be the absolutely most painfully obvious issues; like an IDS or AV screaming about something. But anything subtle or normal-but-bad like a terminated employee VPNing in the day after they were terminated or a local system account in the DMZ suddenly trying to connect internally, is going to be missed in the noise.
- they're not going to act on your custom/strange logs

And I can pretty much guarantee that the MSSP will raise false positives and will miss true positives. Just like an internal team. But at least an internal team can learn, but business will probably just scream at the MSSP and either leverage SLA/credit or just sever the relationship and start the whole bloody thing over with someone else. One last thing: Having looked at SIEMs/logs for a while now (sort of a part-time duty in my current job), I'm pretty convinced they're best used to improve knowledge of the environment and for supporting operations. But for eventing on security issues? They're only as good as the logs you gather, and the only real benefit is sucking in IDS/AV/mail gateway logs and raising events on those (things that can already raise their own events anyway); a sort of meta-security tool. Or super-custom things you put in, like special filters on your web server logs, or whathaveyou. Still, good luck getting that all to gel properly without full time staff. That said, watching your logs is still one of the best things you can do, but it also must be combined with other things such as regular inventory and various vulnerability/change detection (like new local admin accounts or new AD accounts)....the list is endless on what can be useful.

the briefest of glances into large corp sec teams

Posted: April 23rd, 2012, 12:02pm CDT by michael

Tags: [edit]

Got passed this excellent quick article from the Seattle Times, "Buddies have 'awesome' job trying to crack Boeing security". The article talks about 2 of Boeing's security staff (would knowing who they even are be a security problem?) and a bit more broadly about security staff hiring practices in today's digital landscape.

...said last year at a conference that her company's most impressive cybersecurity hires have come from outside of traditional recruiting outlets.

tutorials on how to use metasploit

Posted: April 21st, 2012, 2:56pm CDT by michael

Tags: [edit]

Documentation, videos, and more on how to use Metasploit. And a link to the Metasploit Unleashed tutorial.

shape your own packets with scapy

Posted: April 21st, 2012, 2:54pm CDT by michael

Tags: [edit]

An introduction to scapy on the PacketLife.net blog.

from local admin to domain admin techniques

Posted: April 21st, 2012, 2:48pm CDT by michael

Tags: [edit]

Really quick and nice article from pentestmonkey: "Post-Exploitation in Windows: From Local Admin To Domain Admin (efficiently)".

why security pros fail - seven problems

Posted: April 21st, 2012, 2:00pm CDT by michael

Tags: [edit]

Another old CSOOnline article link I've had sitting around is, "Why security pros fail (and what to do about it)." Per usual, here are bullets points and my reactions. Yes, this starts out juicy and hot.

Problem #1: Security Is Thought of as a Disabler - Yes, a touchy subject. When you talk to your local law enforcement, do you think they give a shit whether they're an enabler or getting in the way of criminals? I'll give a hint: they don't get evaluated on their customer service report cards. Basically, I hate the lie we tell ourselves about being enablers. We *do* get in the way. Deal with it.

That's not to say we should say no and say it proudly and fiercely, and I think the author would ultimately agree with me. We should be involved in business decisions and give guidance as necessary. This is as much an operations or leadership issue as security, though.

This is one place compliance is a good thing: We can point to requirements and use them to say no to things. You want to go to the cloud and that provider doesn't use SSL or other controls to protect data-in-motion? Our requirements say no.

Yes, talking about enabler vs getting in the way is a touchy subject with me. We ultimately need to deal with the fact that security gets in the way by definition. And move on.

Problem #2: Security Offers Only One Solution - I like this bullet point, and it's a great approach. As security people, we need to give the low-down on what a perfect situation may require, including the risks. But we should also give a dose or practicality and realism into our discussion. Yes, we could segment the shit out of the network, but we know that's costly in many ways, but here's what we'd realistically like to see...

Problem #3: Not Enough Humble Pie - Ok, another touchy subject is that of railing against FUD. In a way, railing against FUD *is* FUD, when you really sit down and get philosophical about it. This is another topic we have to accept and move the fuck on about. Yes, some people/vendors do take this to extremes, but please feel free to let them; sometimes we're expecting them to since maybe we didn't know about a particular threat until now. This does underline the need to inject practicality into discussions, though. Sadly, this good bullet point forgot its place and shouldn't have injected the FUD distration.

Problem #4: Believing the Customer Is Clueless - I don't actually get this bullet point at all and it probably requires context on his sources and their experiences and what they're specifically talking about. There are many times where a customer *is* clueless; why else would they bring in outside help? And just because they opt to not listen to certain suggestions, doesn't mean everyone is failing and dumb; just because you told me not to bet on RED for this spin, doesn't mean I am stupid if I do anyway. That's part of the Big Gamble in security.

Problem 5: Personal Cyber Ethics: Are You An Insider Threat? - Not sure I get this bullet point either, and sounds like a source had a personal situation with it. Every insider has ethics temptations. We also should define what security pro is before getting too far into this discussion. Does this include professional consultants or full-disclosure anonymous security "researchers?" I do believe there is a certain level of being above certain restrictions at work, that "normal" users are subjected to. But that is true about any technical or administrative or leadership position. I'm not saying they should be expempt from everything, but this bullet point discussion itself is a bad slippery slope. (A CSO shouldn't have much more access than any other C-level anyway...)

Problem 6: Career Burnout - This is a great problem to bring up, but the handling of it in this bullet is trash. Security is a high stress IT job, to be honest, for a variety of reasons (you'll never win, you always have to educate, you'll never get exactly what you want, you need to be an expert in many things...). No discussion about this should exclude the idea that maybe the career is not for you, if you're feeling excessively burnt out. And figure out and pursue what makes you happy.

Problem 7: Career Perspective Stuck in a Box - I like this item, but part of it doesn't sit well with me. I think we again have to define security pro: are we talking a middle-manager-like policymaker or someone in the trenches? That will dictate a huge difference in making efforts in the 5 preferred skills areas (attitude, relationsip, equipping, leadership, technical). I suppose this is in CSOOnline and thus more about CSOs...in which case, I agree.

It might sound like I have an issue with this article, but I really don't. I like the discussion and bullets, and am just being extra contrarian today.

10 tips for success pen testing programs

Posted: April 21st, 2012, 1:44pm CDT by michael

Tags: [edit]

A 2010 article on CSOOnline goes over, "Penetration tests: 10 tips for a successful program." I've had this in my "to-read" hopper for way too long. The author goes over 10 tips on getting started with penetration testing in your organization.

Penetration Test Tip 1: Define Your Goals - Unlike the author, I think the reality *is* that some goals are just to tick a compliance check box. Nonetheless, this bullet point should also include discussion on managing the expectations of a pentest. Are you looking for a 2-day blitz, a vuln scan, or deep dive into custom application/software testing?

Penetration Test Tip 2: Follow the data - I do agree with this, but sometimes a pentest is more than just focusing on the data, and rather focusing on access. For instance, if I can attack a system and get admin rights, and then domain admin rights, it really doesn't matter where your secret data is. I have access to it. But otherwise, yes, this bullet is valid.

Penetration Test Tip 3: Talk to the Business Owners - Can't really argue with this. Take inventory, get an understanding of software, and align with business, pretty much sums up this bullet with popular buzzphrases. Ok, 2 best practices and a buzzphrase.

Penetration Test Tip 4: Test Against the Risk - When it comes to pentesting, I'm a bit more annoyed when people limit scope based on various factors; in this case data/application value. A development server with no real data is still a risk if I can get into it, drop a keylogger/priv escalation on it, fuck it up enough to get an admin's attention enough to log in, and then scrape their creds/hash. In this bullet, I like how the author basically illustrates my point in bullet #1: you *can* start out with compliance checklist matching, and then expand from there as you truly value the security.

The rest of the bullet points pretty much stand on their own, and are good. I would add somewhere that pen-testing is an iterative process where you go through rounds of testing, adjust as needed, expand scopes, and dig further. Basically your normal OODA loop.

2012 verizon dbir cover challenge solution

Posted: April 10th, 2012, 9:40am CDT by michael

Tags: [edit]

2012 Verizon DBIR cover puzzle challenge? Detailed solution is available.

recent discussion points about security aligning to business

Posted: April 9th, 2012, 1:47pm CDT by michael

Tags: [edit]

Someone knew what they were doing when they put Nickerson, Ranum, and Hutton on a panel together; strong statements without punches pulled are common from those three (things that need to be said). And I'm not surprised subsequent coverage is getting some mileage.

Rafal Los posted about the talk, and pretty much makes statements one can't easily argue with (at least *I* can't since I agree). Also, Alan Shimmel jumped in with, Until You Walk A Mile In Those Shoes. (Note, all of the above links are excellent reads, and I can't wait to see some video from that panel as I'm sure it's chock full of points I can agree with.)

First, there is a bit of care that should be taken to give blanket statements that person X sucks and should be fired, based on one brief interaction or point example. You can even take a person who is doing well but has some self-image issues, and suddenly he'll give up because he was just told he sucks, when in fact he wasn't. I agree with this sentiment if one takes at *least* a cursory look at their body of work and business security posture and value to the business. But then we also need to look and see if maybe the *business* is just wanting a puppet security guy/team/initiative in the first place... I think Phil makes that point in the commants to Rafal's post. For all I know, we might collectively be doing a bang-up job of security, all things considered. Sure that 1 server didn't get patched, but maybe 6 months ago none of them were being patched...

The hot example of Nickerson asking an attendee's company mission statement is a pretty slick bit of trickery. How many people in any given audience will be able to, out of the blue, recite or otherwise explain their company mission statement? Not many. And how many of those mission statements are going to be shit? Enough of them. My company's mission statement is posted next to me. I could probably fit a daily hour of Doom/Quake-playing into the goals of the mission statement. Anyway, as Phil somewhat mentioned in respond to Rafal, I think a CxO should keep mission statements in mind, but other lower peons probably don't need it quite so close at hand; they should trust that their management is giving good enough direction in their own requests and projects handed down. But if that was a CSO who is normally unperturbed about being put on the spot, one could certainly slap his hand for not knowing the mission statement.

The question came out of railing against security by compliance or security by securing "everything" and such topics. The problem there is probably twofold:

1) Corporate networks are slowly built, and only "recently" has compliance been a driver. Sadly, most networks are probably way too flat. This means if compliance mandate A wants server 23 and all its peers secured to a certain level, then everything in that network has to be as well. Segregation for security purposes is well behind the curve, which compliance exposes by way of the economics of sastifying its needs. Scope, scope, scope...and big scope costs big money by way of resources and time.

2) Business-to-business (B2B) relationships are most easily answered by simple questions such as, "Are you in compliance with A?" That's far better than a vague and silly 23-page security questionnaire filled in by someone the security and IT teams don't even know. The businesses are pressured for these easy answers from the top down and sideways. Or each organization trying to explain their security approach. Think of it this way. If someone asks you if you have use perimeter firewalls, and you don't, you're going to have to spend a good amount of time talking about border router ACLs and various other technologies (and maybe even defend their value over and over) rather than spending 2 seconds to answer, "Yes."

I like what Alan Shimmel had to say in, Until You Walk A Mile In Those Shoes. We have a lot of security breakers who rail against security defenders, but don't really *get* the experience of being a long-term defender. (disclaimer: I'm not directly referring to anyone mentioned above, at all.) Security is already a losing proposition where it *will* fail someday and it *will* fail to be comprehensive. That's just how it is. And that's even before economics and business questions and human questions are brought up which prevent certain things from being accomplished or introduce new issues. At least I am enthused that many breakers these days are admitting their job is easy compared to the defenders.

wired's 5 things to work at home securely

Posted: March 29th, 2012, 8:40pm CDT by michael

Tags: [edit]

Wired has a quick list of 5 things you can do to work at home securely. Not only are the tips quick and good and worth passing to your telecommuters, but this article (through what must be a new partnership between CNN and Wired) was on the front page of CNN.com this evening, meaning it may have already gotten the eyeballs of some of your users.

stand in the gap

Posted: March 29th, 2012, 9:38am CDT by michael

Tags: [edit]

Gunnar Peterson has a great post: "Who Manages App Gateways? Who Indeed? Yo La Tengo - Call in Security DevOps". I'm going to dive into the 2 basic problems Gunnar has touched on, and also move a bit further overall. (Warning: I use slightly different terms than Gunnar, so App Gateway is analogous to WAF to me.)

1. The basic question is: Who manages the app gateways? Or, who manages the Web-App Firewall? Netops plugs the hardware in and makes sure it talks on the right networks in the right directions. Sysops makes sure it talks in a way that it can interoperate with the systems it need to and gets monitored for health. Then what? In my opinion, this is as far as most organizations who check the box for, "We have a WAF!" go. They set it up, get it successfully in the middle, and then no one has the chops to actually tune and configure the thing beyond crossing their fingers, turning on the defaults, and breathing easy when it doesn't break anything (all the while, it's not really doing anything except the barest, most ridiculous attacks like a 1000-character URL request).

I do think Gunnar trivializes this just a bit by comparing these middle-of-the-ground tasks to Texas leaguers; this assumes that either side alone could solve the easy problem/catch the ball. I'd suggest that neither side *can* usually easily solve the problem, and actually requires someone in the middle, or someone on one side with many skills. It might be more like two outfielders playing so far away from each other, than a ball hit fast right between them requires a huge burst of inhuman speed for either of them to actually get under.

The point is, there are these gaps that security cares about, but traditional IT in anything but the smallest (and largest?) shops is not staffed to fill.

2. Security need to be cross-functional experts in a lot of shit. Gunnar totally covered this, so I really don't need to, but it's pretty much truth, despite my bias. I tend to illustrate this with the idea that coders are first taught how to copy one string to another. Then they're taught more modern tricks on how to copy one string to another; the same simple concept, but with a few more tricks added on. Later on, they add the next layer of how to *securely* copy one string to another (if they're lucky). Getting that far requires extensive knowledge and even experience. And that's not even getting into being able to understand technologies outside the main one, such as DNS, server configurations, in-transit encryption, firewalls+in-transit communication needs.

Security is expected to understand code and the network and the server in such a way that they can configure very advanced technologies such as a WAF. And it's not just understanding general code, but understanding the *specific apps* being protected.

I personally measure my opinion of developers based on how they understand those last few things. If they repeatedly just don't get it, they're just coders to me. (They might be really good, but they're one-trick ponies.) But if they understand DNS, server configuration, and firewalls, at least to a general extend of knowing what matters to them, I deeply appreciate it. Those are your potential rock stars. Likewise, I adore sysadmins who understand code and can do cross-functional things like deep-dive into code traces on the servers and tackle memory leaks.

Or either of the above who have security skills and knowledge!

3. I think this lack of cross-functional understanding is another pressure on why the "cloud" (when it is just external hosting rebranded), has gained momentum. Developers have long made overtures to get administrative access to the servers that run their code, and hopefully sysadmins have rebuffed those overtures to do the server work on behalf of the developers. Have you ever walked up to a server that for the last 2 years has been adminned by a developer? Chances are pretty damn good that it looks about as good as a server adminned by a 14-year-old. That's not a dig, really. If I tried to add code to your app, I'd fuck shit up pretty awful as well, and my code would be heinous. (This could be twisted around to say neither side will get better without being allowed to get experience with the tasks, but that sort of cross-functional short-term inefficiency does not fit anything beyond small business.)

In steps hosting and the cloud, where developers can drive those projects because it involves code, which netadmins/sysadmins don't quite understand, and it might result in devs having administrative duties on these new servers. Which sounds great short term...

mubix reveals secrets on beating the red team

Posted: March 20th, 2012, 12:33am CDT by michael

Tags: [edit]

Mubix has posted up a great set of slides on how to win the CCDC, from the perspective of a red teamer. All of it makes sense, and it's great to get it down in a nice, concise preso, especially tips on team composition and duties. From a non-competition side, this makes a great exercise in quick response or a security strategy-on-steroids for someone heading into a new org or responds to attacks-in-progress.

As usual, a few items to highlight:

1. You're not important enough to drop an 0-day on. Most likely your company isn't either, but at least at a competition like this, there's no upside to revealing otherwise unknown exploits. Sure, red teamers are going to be ninjas in some tools and definitely have some of their own scripts and pre-packaged payloads, backdoors, and obfuscation tools, but none of that is so super secret that you don't have a chance to anticipate or prepare for it. As Mubix says later on, know the red team tools.

2. Monitor firewall outbound connections. It's one (wasteful) thing to look at the noise being bounced off the outside interface on your firewalls, but seeing bad things outbound is a huge giveaway. You're not doing detection if you're not somehow monitoring outbound (allows and denies).

3. You still gotta know your own tools and systems. As Mubix repeatedly mentions, you need to know your baselines on the systems (normal operational users, processes, files) and be familiar with the systems and how to work quickly on them, configure them, troubleshoot, interpret the logs, and automate little pieces here and there with your own scripting skills.

lessons from another wordpress breach

Posted: March 8th, 2012, 10:00am CST by michael

Tags: [edit]

Hoff also has two posts about a recent incident his blog suffered: Why Steeling Your Security Is Less Stainless and More Irony…, A Funny Thing Happened On My Way To Malware Removal….

This is that perfect example where sharing information helps people. You get an idea of what failed, what mistakes are made, what human behaviors help or don't help, how an attack actually worked, etc.

Normally I would bullet through some of the points, but there's nothing terribly new here, and Hoff's posts are worth the time to read.

the winning losing security debate

Posted: March 8th, 2012, 9:17am CST by michael

Tags: [edit]

I saw the opening salvo on Twitter that caused the blog post, "You Know What’s Dead? Security…" from Chris Hoff, and he ended up penning a really good read.

I don't think it is worth much to talk about "winning" or "losing," ultimately. Security and insecurity are eternally linked to each other. This is maybe the first time where I like Hoff's blog name: Rational Survivability. It's really about surviving in an acceptable state, or rather, simply not losing. But there's no real win going on, and it might be too much to expect a win at any time.

I do think Hoff got a little sidetracked on the commentary on the security industry. I'll agree, in part, that the security industry isn't making solutions that are aligned properly. But I'll go on to say I'm not sure how a "product" of any type will ever truly be aligned enough to feel good about. These are just tools, and none will magically make someone think we're winning, in whatever context of the word or feeling. If anything, the security industry has a problem in trying to make their tools sound like they solve the world... There's also just a certain bit of irony stuck in there somewhere that Hoff typically pens about "cloud" stuff... :)

If I may dig further, I also dislike the thought of "innovation" in security. Security is a reactionary concept. It reacts to other innovations with attackers, or innovations in the things security is securing, for instance new technology or assets. That may not always happen in practice, but then again some activity just doesn't end up being rational.

the secrecy game

Posted: March 8th, 2012, 9:06am CST by michael

Tags: [edit]

Adam over at the New School of Information Security posted a good read: "How’s that secrecy working out?". We have a lot of people all happily about how the government is talking about information sharing. The elephant back in the corner is: When you involve the government, they want you to share with them, but they won't share with others and you can't share with others either. Essentially, it doesn't do any of us in the private area any good; in fact it makes things worse since it ties even more hands and causes people to pussy-foot around issues and details.

...because we (writ broadly) prevent ourselves from learning. We intentionally block feedback loops from developing.

One of the better posts I've read this year.

learning from irresponsible disclosure

Posted: March 6th, 2012, 11:10am CST by michael

Tags: [edit]

Gotta link to Robert Graham again over at ErrataSec for the piece: "The Ruby/GitHub hack: translated". There's too many good points to pass it up.

1. This is a great example of irresponsible disclosure in action. By attacking GitHub, not only is GitHub now less vulnerable, but more people (hopefully developers and security auditors) are aware of this problem. Sure, more awareness of the problem may mean more people use it against vulnerable sites, but the flaw was still in those sites. Vuln is present, but risk has gone up a bit...

2. The problem is inherent in the feature set that makes Ruby of Rails a boon to developers. Pretty much a great example of a design flaw that has benefits, but also has risk. Usability vs security.

3. It also means a flaw in one tool affects everything/everyone that uses that tool. GitHub was hacked as a reaction to Ruby on Rails rejecting the bug, GitHub's choice to use that platform, and their lack of securing (understanding?) a hole.

4. Putting the onus on site owners to blacklist and even understand the issues is probably not the right way to do things. I guess it's a way to go, but it certainly makes me make a disgust facial expression.

staying anonymous online is still hard

Posted: March 6th, 2012, 10:57am CST by michael

Tags: [edit]

Robert Graham has a nice addition to the discussion about Sabu/Lulzsec: "Notes on Sabu arrest". Maintaining anonymity online is hard. In the (increasingly distant) past I ruminated about staying anonymous online (1, 2, 3, 4). It's hard, takes a lot of work, and you need to maintain absolute vigilance so you don't screw up even once. I should really update and add to that series, especially in light of smartphones, GPS, web tracking giants...

self-preservation in the criminal underworld

Posted: March 6th, 2012, 10:04am CST by michael

Tags: [edit]

Via the LiquidMatrix article, "Sabu Rats Out Lulzsec ", I got over to the article on FOX, "EXCLUSIVE: Infamous international hacking group LulzSec brought down by own leader".

This succinctly illustrates one of the biggest tools that anyone has against criminals: the lack of trust amongst criminals, and their fear of justice system punishments. Clearly this requires there to be laws, and the pursuit of them, but ultimately a criminal always needs to be looking over their shoulder and being distrustful of their peers.

Even the increased level of anonymity the Internet provides is not always enough to keep social* criminals safe.

* Or those that can't stand on their own. In other words, if you have stolen goods, you still need to sell it to someone/somewhere, or have contacts to do SpecializedTaskB or whathaveyou.

this is why they don't make you read privacy terms

Posted: March 1st, 2012, 8:57pm CST by michael

Tags: [edit]

It's nice to see useful articles about digital security and privacy starting to grace major media these days. I especially liked this one found around the front page of CNN.com this evening: How to prepare for Google's privacy changes. I like the steps it shares at the bottom. And I really like this statement:

Google points out that the products won't be collecting any more data about users than they were before. And, in fairness, the company has gone out of its way to prominently announce the product across all of its platforms for weeks.

In other words: "You mindless sheep, finally you're going to get pissed about privacy issues that were already flippin' there!"

As I like to say, if your business model suffers when you have to reveal it to your customers, because of how they react, you need to sit back and do some soul-searching. Be up front about it and let consumers decide if its worth it. Don't just try to see what you can get away with, whether intentional or by feigned naivety.

interview with rsa's art coviello

Posted: March 1st, 2012, 11:37am CST by michael

Tags: [edit]

It's been a year, but you can read some more about RSA's woes last year from an article/interview with Art Coviello, Executive Chairman, RSA who is giving a keynote sometime around now over at the RSA conference.

I'm personally not sure I'm buying the part of the attacker not getting entirely what they wanted, or the parts about replacing tokens just because of the perception of lost faith from customers, and not because some secret sauce was stolen, putting customers at risk. I think this is continued smoke and capitalizes on the continued lack of actual detail on what was taken, which RSA has done since day 1. And covered up misdirected a bit by saying that people still buy their solution and they still sell them. In my guess, they changed the wrong things they were doing (keeping a seed list), which makes this true, but not relevant to the breach/response.

Misdirection...clearly I've been watching too many magic-related stuff online these days (I have!). Something involving Reddit questions with Penn & Teller on YouTube and reading an article some months ago about Teller and a little red ball trick... (Side note: I love how the Internet can stoke these almost childlike moments of learning and interest so efficiently.)

online whoring and the beauty of the internet

Posted: February 28th, 2012, 1:05pm CST by michael

Tags: [edit]

...Silicon Valley once was home to scientists and engineers — people who wanted to build things. Then it became a casino. Now it is being turned into a silicon cesspool, an upside-down world filled with spammers, liars, flippers, privacy invaders, information stealers — and their grubby cadre of paid apologists and pygmy hangers-on.

Pieces like this* (Hit men, click whores, and paid apologists: Welcome to the Silicon Cesspool) remind me why I always have this inexplicable bad taste in my mouth when thinking about tech journalists, "online influencers," and other people who don't seem to *create* or *do* anything other than chase page views, which itself doesn't seem like a viable long-term business strategy to me. (Evidenced by the utter lack of ads on my own site.) In a sort of subtle (maybe too subtle for the people in mind) switch, I much prefer those people who chase content, and the page-views just become incidental, and never eclipses the content.

(To pile onto things, I also hate articles like this: Apple PR’s dirty little secret. The situation pisses me off, but I also get pissed at the tech author who thinks way too highly of himself and whines in the article itself. Get over yourself and shut up.)

This is the sort of thing that really rocked Digg, or maybe didn't rock it directly, but it does contribute to various levels of lack of trust: transparency and conflict of interest. I don't like having to piece together for myself a conflict of interest, since that will absolutely destroy credibility in my eyes. At the very least, be up front about it, about your processes, and if you do sell spots on the front page or otherwise artificially adjust whatever, at least say so. I know Google's first few hits are paid placements, but they don't hide it either (well, not ENTIRELY anyway...they certainly do try to camoflage it...)

When I read a magazine and I can't tell if a page is an ad or not, I feel upset and distrustful of both the magazine but mostly the product on that page. I really hate having to see the word, "paid advertisement" on the top in order to tell, but at least they mags do that much!

Don't get me wrong, mags plug shit in their normal articles as favors or whatever all the time. Yeah, information security and tech magazines know this very well! Just like Congressmen introduce bills for lobbyists, just like I may gloss over a few negative traits to get a casual friend a job interview in my company, etc. This happens, but that doesn't mean I really like it. I just tend to try not to internalize and agonize over fights that can't be won, ya know?

Anyway, the point is I have never liked the whole "online influencers" problem. It's a greed play for money via pageviews, rather than driven by the love of the content (or ego play to compensate for poor self-image that drove them online in the first place). And because I don't like this sort of stuff, it's sort of why I don't think things like these are viable business models (or personal mental health models) in the long run, even though they are lucrative in the short run and are threatening to destroy things in their wake (traditional journalism, content-driven but under-funded 'little guys,' etc).

Hell, you can even chase non-monetary popularity if you want. Just don't be a whore.

One of the absolutely beautiful underlying concepts of the Internet is the playing field where someone can share something of quality, and you and I can find it. Where we're not just bound by physical limitations or horizon limitations where I can just look up more on it and verify information and such. It's not just information served to my eyeballs, but interactive and, at its best, a give and take situation that enriches lives in a wholesome way.

(Oh, and I believe ripping away anonymity won't help.)

This is strange. I'm being pessimistic and ranty about having an idealist slant on something? Anyway, End Rant! :)

* I already don't recall where I got linked to this article...

a bunch of great sec lessons from tripwire

Posted: February 25th, 2012, 7:35pm CST by michael

Tags: [edit]

I love me lists, and Tripwire dug deep to drop out a list of 25 things:* "25 Infosec Gurus Admit to their Mistakes…and What They Learned from Them".

(* I say things because that title sucks. It's too long for Twitter use, so it gets shortened and passed around as various other juicier-sounding things, but is still a fun read. Likewise, you'll get halfway through the list and forget what the point was; are these myths? truths? just anecdotes? did this just get too long?)

This is a huge list and not everything is worth reconsidering, but I wanted to highlight a few things more things than I anticipated, probably because there are good lessons through the whole list. Some of these lessons could be a whole book chapter in themselves.

1: I got no errors so I’m sure the backup is valid - Test and verify. You're taking backups? Are you sure? And do you know for sure you can restore them when you need to? Having backups is probably the most important security *and* operations function, and verifying the process works shouldn't be done when the emergency hits. (I really, really hate when "outages" are excuses to call them half-assed [and usually woefully incomplete] disaster recovery/business continuity tests just because someone is averse to talking to the business about the interruption/work that occurs during the real test.)

2: Do you really need everyone to wish you “Happy Birthday?” - I actually think I uttered an audible, "wow" when I read this. It just bears highlighting in itself.

4: Yes, a UFO is an unidentified flying object, but it’s probably an alien - Great point, yet strange enough for someone with an ear to security, I'm usually the last to assume some form of strangeness is a hack attack. I guess I've seen way too many "strange" things turn out to be explained via completely innocent means (or unexplained, non-security events). As I like to say about law enforcement approaches: the simplest answer is usually the correct one.

5: I don’t care. I work in information security, not physical security - I simply like the reminder that, well, fucked up shit happens in the physical world, and you really can't predict it.

7: Let’s get the bad guys…all the bad guys - I'm not sure I liked this item; I had to read it several times and still am not sure I follow it or agree with it. I think maybe the bullet title is just awful since it doesn't match the anecdote. Still, even small things can be a problem, as I think a few other bullet points make mention of, but yes we should prioritze and we can't get to everything all at once.

10: We only offer secure access to our system, unless you want to use our test machine - I have to quote Wysopal because he's right. Read another way: least-fricken-privilege. This is one of the more common issues, imo, in business: people do and get away with whatever they *can* do or get away with.

“The lesson here is not to give your users a less secure way to get something done or they will pick it and be compromised,” said Wysopal.

11: This system was secure when I bought it - As I move further into my career, I realize the hardest long-term problem I'll face is likely just keeping up with changing technology. I'm just one job and a few years away from being grossly behind, ya know? I'm thankful I work in a progressive organization right now where we have many advanced tools and a mature IT budget and culture, but getting behind always scares me. Hell, I'm already behind on the desktop side, as I'm nowhere near as proficient at Windows Vista/7/2008 as I am everything older.

13: We’ll make it a security policy and everyone will follow it - I love both his points in this bullet: monitor (verify) and even educate your clients. For the latter, right now I'm actually having to defend an SSL certificate on a website that passes internal credentials and sensitive data to a client who doesn't want to spend the money to purchase one. If a client asks, the account managers and salespeople aren't going to say no! Normally I just do this, but more and more, larger corps are keeping tighter control of domain ownership...

14: Hurry up, we need to fix this problem right now! - Slow down and do it right. In the past 6 months we've had it pretty rough on my team, with lots of strange outages both self-inflicted or completely out of our control. I really dislike how, during an outage, a huge rush and pressure is put on to find creative ways to get things half up again. This often brings with it new challenges, issues, orphaned changes, and risk, and sometimes causes more problems than it fixes. If you have a plan, stick to it. Don't create new plans during an issue unless you absolutely have to. And if you do, relax, think about it, and work smarter rather than faster. (Really, this cuts both ways and gets back to value/business needs, but my more recent experiences are reflected in this opinion.)

15: Yeah sure, the USB key is secure - Just a great anecdote to drive home that bad things happen and people are ultimately a constant problem.

18: I’ll just dictate security and it’ll work - I think dictating security *does* work, but not when you're just dictating policy or procedures; only when you're backing it up with technological controls to enforce it.

19: People are usually very thorough when filling out survey forms - I cringe. I know Bob fills out security questionnaires from prospective clients. Bob barely knows what he's filling out. Bob also knows prospective clients barely look at the results anyway. Ultimately, what someone claims is somewhat meaningless without verifying it. I think that rings true in several of these bullets.

20: All vulnerabilities take priority over the business - Ahh, this rings of both truth I agree with, but also some of the more intense frustrating feelings that I disagree with. I think this is where you're on the bar of a seesaw that can't fully dip down on one side or the other. It's hard to read this without feeling that hot/cold duality, to both agree with Gene and disagree. Honestly, I think that's a healthy reaction to this...

21: Eventually, when I have time, I’ll encrypt that hard drive - Just another great anecdote, especially to higher-ups, that shit sometimes just happens. And when it does, it doesn't smell like roses like ya think...

22: No one is going to screw with my unattended computer in the office - We do this in my team, and it drives home the point quite nicely. I prefer to email their immediate manager, "I'd like a pay decrease. Thanks!"

24: Wow, a cool new untested security product! - The real point in this, to me, is that you can't just throw something out there in the name of security and expect it to just be unattended. I agree you should test, but you could spend a year testing something like an IPS, put it in, and still have a strange problem. You need to accept that security is an ever-moving balance between blocking things and allowing things, on an ever-moving landscape. It's like balancing on a pylon from a broken dock in the beating surf.

interviews and hiring and social interaction with strangers

Posted: February 24th, 2012, 4:46pm CST by michael

Tags: [edit]

Enjoyed this quick and entertaining article from Techdulla: "Hiring is hard." I've (obviously) been the interviewed in the past, and I've done some of my own interviews as well (usually with my manager, sort of as the technical evaluator). It's my opinion that interviewing for a job is an extremely stressful moment for most people, right up there with public speaking. I think we internalize way too much and stress way too much about how the other person (or audience) is thinking about us, and not enough on just presenting the content. While the content is admittedly ourselves, the judgement will come later on with a yea or nay on the job interview. Warning: This might be the introvert talking!

Interviewers can help with this process, and I think some care can be given to help ease the person being interviewed, at least just a little bit. Maybe try some informal ice-breakers or some directed conversation to get things flowing, ya know? Like talk about the company and position and yourself for a bit, rather than immediately putting the interviewed on the spot. It's not like the employee-manager relationship is always going to be this tense, stressful, rigidly formal situation. Some might think this is a good idea because it may reveal personality traits (good or bad) that can be subdued when talking to a stranger and/or an authority figure.

It's a whole other topic about dealing with the self-conscious issues when dealing with strangers or interviews. While I am quite an introvert and really suck with the small talk that extroverts excel at, I have gotten far better than I used to be; I think partly I'm comfortable with myself, but also realize deeper things like how such worry just doesn't matter, and whether someone likes me or not is not a big deal in the whole scheme of things that entail my own life; some people I'm compatible with, others not really. Basically, carry a conversation, be knowledgeable about the topic at hand, listen respectfully, don't put up false fronts, and try to be interested about the other person. Or at least learn to suppress those expressions and mannerisms that consciously or unconsciously signal to the other party that you don't want to talk to them at all; encourage just enough to get more information and evaluate whether that cute blonde is still worth chatting with at length.

These are not just thoughts about interviewing, but rather interaction in general, from dating to meeting strangers, to small talk in the bar.

I thought about making one of my New Year's Resolutions this year to make an effort at saying something to a stranger every day (beyond a general greeting) or some other nicety designed to challenge my introvertedness (practice, practice, practice) and improve my social skills, but decided I had enough stuff already lined up, and thought I could use some more planning on that one.

divulging encryption passwd could be protected testimony

Posted: February 24th, 2012, 2:43pm CST by michael

Tags: [edit]

The issue of forcing accused to provide hard disk encryption passwords is a pretty interesting topic these years. I just read today over on the H about how, in certain situations, password divulgence could be protected by our Fifth Amendment (protection against self-incriminating testimony). Definitely interesting.

I'm no lawyer, but there are plenty of fun issues. For instance, what if I don't know the password but is kept on a keyfob? Does this fall into key-and-safe issues? What about a combination safe where the combination is in your head? (Though, granted, I bet *someone* can get into that safe...) Or coded documents? Law is a greatly interesting field, but I'm also glad I didn't go down that road of study back in the day!

slightly challenging my distant view of rsa

Posted: February 24th, 2012, 2:26pm CST by michael

Tags: [edit]

RSA has never really been on even my long list of cons to attend. Too corporate; too marketing; not deep enough; too superficial; too many analysts... But Securosis has a post with advice on RSA, and I am glad for the honesty (e.g. avoid the parties, hallway track: they're not the same beast as geekier cons) and detail. The post even mentions that there are plenty of geek things to do, such as engineers to talk to and product demos and such, which is a great point, and one that may make a trip to the RSA conference worthwhile. Someday. It's still not in my plans!

They also have a post up with some eats recommends, which I know I always personally appreciate when I can quickly get a thumbs up or thumbs down quickly. It sucks to experience that craptastic fake chinese place first hand. (I need to be careful with my wording, lest I start making it sound as if "liking" something on a "social network" is a good thing that I should be participating in all the time. I love me first-hand opinions, but the author and content and context [e.g. poor Amazon reviews because shipping sucked] still need to be considered as opposed to a raw score...)

checking out 8 lessons from the nortal hack

Posted: February 21st, 2012, 4:40pm CST by michael

Tags: [edit]

Via Infosecnews mailing list, I read 8 Lessons From Nortel's 10-Year Security Breach. Let's visit these items!
,br> 1. Don't Treat Nortel As The Exception - This is a good item itself, but it gets smeared with the stain of having to talk about APT. As item #8 implies, don't limit yourself to just talking about APT.

2. Keep Proving You're Not Nortel - This follows the need to have permanent, ongoing security.

3. Create A Robust Information Security Program - A good point, but please at least mention the need for staff in addition to tools.

4. Expect Defenses To Fail - Can't say this enough, since it never really sinks in to unwashed managerial levels.

5. Don't Fail To Investigate Data Breaches - Fair enough, but this is also a really big cultural and political problem, not to mention an empowerment one. One thing to learn from Nortel is that even the CEO levels need to capitulate to the security team. Honestly, the IT team knows a lot about a company (and has great access), but a robust security team probably knows or could potentially know even more. Accept it and embrace it for maximum value from your staff. This is hard, though, since analysts may see lots of little things that make no sense and they have to choose which to investigate, or may spend too much time tunning things to create black holes in an effort to be more efficient, or quite simply don't want to create more work for themselves (unethical, but that's human nature).

6. Conduct A Thorough Forensic Analysis - The next line is better: "Likewise, don't expect breach investigations to be cheap. But short-term savings--skimping on conducting a thorough forensic analysis after a breach, for example--can have long-term repercussions, as Nortel discovered." Tell a CEO you'll need his laptop for a week to do forensics on a suspected issue. His reaction will tell you everything you need to know about a company's security culture.

7. Expect Greater Accountability - Not sure if this will create accountability or simply just be more noise that desensitizes people to insecurity. Still, look forward to more economic pressures accountability...

8. Defend Against More Than China - Good point, but I really wish they had mentioned US, domestic, or even hackers in your own backyard.

my bigger concerns when I hear a company has been hacked

Posted: February 18th, 2012, 6:58pm CST by michael

Tags: [edit]

A British student has been jailed for hacking Facebook:

Scotland Yard said in a statement that the breach had occurred "over a short period of time" in April of last year. The court was told that Mangham had obtained the information after hacking into the account of a Facebook employee while the staff member was on vacation...

"This was not just a bit of harmless experimentation," [Judge] McCreath told Mangham. "You accessed the very heart of the system of an international business of massive size, so this was not just fiddling about in the business records of some tiny business of no great importance."

And what exactly happens to a large, tech-friendly corporation that allowed a single hacker to access the "very heart of the system" in what sounds like a live-or-die breach to that company? Internal reviews, probably an employee with a slapped wrist (perhaps), and nothing else that I can tell. Well...at least they found the attack (presumably).

the discussion on continuous patching

Posted: February 18th, 2012, 2:16pm CST by michael

Tags: [edit]

First, go read Rafal Los' post over at the HP blogs: Continuous patching - is it viable in the enterprise?, along with the comments. I really deeply dislike the commenting system on their platform (even moreso on my Linux desktop, let alone the damn captcha and moderation rules...), so I'll make reactive comments here, largely because it's a great discussion.

(Disclaimer: I'm super sensitive to downtime discussions right now, since my company is suddenly super sensitive to it, resulting in more work by my team, more after-hours work by my team, and lots of confusion on how to satisfy "no downtime" mandates with "make progress" expectations. It's painful in the SMB world where expectations between biz and technology [and even security!] are still in a world of upheaval this decade.)

1. Hindsight is always valuable, but in too many cases with technology risk in business, we're just going to keep bouncing between contradictory "hindsight lessons," which result in analysis paralysis. At some point, you just need to buck up and do it and stop playing business politics about it.

2. Patching is "simple" (even though it can be easily over-thought and subjected to analysis paralysis) and everyone can put in their 2 cents, from IT geeks to the lowest users to the highest execs. Yet we can't even begin to agree on it. Just like so many things in security, we need to stop looking for the "right" answer to the problem. It will always be different. If there was one correct answer, it would hit us all like a truck to the face and discussion would be over. That said, this discussion is still useful.

3. "Patching" in an organization isn't just about approving patches in WSUS, or even testing them. It might also mean getting them configured in a central management tool like Altiris, or image files and the like. For my SMB, smaller more frequent patching (presumably at on-demand intervals) really sucks and would probably result in only bothering with major upgrade releases.

4. When we're talking the web world, sure downtime may be minimized as systems are updated, but that doesn't mean users feel all honky-dory when a "patch" changes their app layout (thanks Google Reader/Gmail, Twitter, etc...). That may not be "downtime" to managers, but may as well be downtime for users. And we may not even be talking yet about developers making constant little changes to web site code, or at least more frequent changes. It's always fun when frequent changes are made and a problem isn't found right away to correlate to that last update. It's also fun when users update their own shit on their systems, leaving a business in an unpredictable desktop state.

5. What is the goal of patching? To fix bugs that my users don't see and fix security holes that aren't currently letting in attackers, or roll our new features that my users would like? One of those gets traction, the other does not, when management becomes sensitive to downtime.

6. I like that last comment from Chris Abramson. I dislike the part about bringing up AV signature updates (not a patch process, more of a data update), but I do like the part about baking in stability and separation so that one update doesn't bring the host part down. And while noble, I echo the sentiments that it takes many years and many resources to even begin to do. Not something that today's fast-moving business and technology and developers can do, or are willing to do.

why we can't have good things

Posted: February 14th, 2012, 10:06am CST by michael

Tags: [edit]

Two scenarios.

Dev: "I can either do this the more secure way which will take me 3 hours to set up and test, or I can just do it this less secure way that is already in place which will take me 5 minutes. Which would you like to pay me to do?"

And...

Dev: "Here's a quick mock-up of what your website will look like. This is functional, but not all the protections and back-end work is done yet."

Stakeholder: "This looks great! Perfect! Don't touch anything, this is how it should be."

Dev: "Wait, this isn't done, this is just the really quick-and-dirty version."

Stakeholder: "Nope, don't change anything else. This looks perfect!"

Dev: "But it's not done."

Stakeholder: "That's ok, I already have your time earmarked for other tasks that don't look done yet. If we can blast through this, we'll impress the client and they'll be happier."

Dev: "But..."

Stakeholder: "If the client isn't asking for it, stop putting time into it!"

using reaver to attack wps

Posted: February 14th, 2012, 8:49am CST by michael

Tags: [edit]

Ian Hayes has a blog post up in which he details using Reaver to attack WPS.

being a pest about insurance and security

Posted: February 13th, 2012, 1:36pm CST by michael

Tags: [edit]

I am sympathetic to those who compare info security to insurance, but there are gaping holes in such an analogy which sometimes lead people down the wrong paths. Ultimately, the real point of the comparison is to attack the idea the security enables or generates revenue or something. Unless security is something you do as a business, it's going to be a cost.

I'm going to drastically oversimplify some things here, and I don't have experience in the underlying nuts and bolts of insurance, but humor me for a few minutes.

1. Being covered by insurance implies means you'll be compensated if something goes bad (the "risk of contingent, uncertain loss" [wikipedia]). This would lead someone to think if they invest in security, then when an incident happens, they will get money back somewhere. While this might (arguably) work when specifically talking about actual 'cyberinsurance,' this doesn't seem like a healthy way to look at your own internal security expense/duties. This then has nothing to do with prevention or detection or mitigation. Sure, those may be qualifying factors, but that's security, not insurance. If I, as a CEO, spend money on security and I still get hacked, I better not be expecting compensation anywhere.

2. Nothing's standard in IT. One of the biggest challenges to, well, anything in IT at all is the fact that every shop does things just a little bit differently, with lots of magic customized glue holding things together. Perhaps today's SaaS/IaaS/Cloud will level the playing field a bit, but we're a long, long ways away from being able to value anything properly. We have a hard enough time in specific industries. You can go to 10 companies in the same industry space and of similar sizing, and a deep dive into their security postures will probably yield 10 incompatible reports. (Note I mention a deep dive, not some piddly 2-day pen test and PCI-worthy interview process and vuln scan that harps on the same 12 things, but an actual analysis and hand-holding look beneath the covers.)

3. You don't even need to be hacked to have your bottom line affected. Take last week's Google Wallet disclosures. I'm not sure if anyone has actually attacked anyone with it (let alone Google), but just the presence and media attention has caused Google to take notice and even halt a line of their business while they attend to it. Try valuing that.

Anyway, I've exhausted my brain already on this, must be low on fuel or something, so I'll just leave this as is.

good articles to read on a monday morning

Posted: February 13th, 2012, 9:17am CST by michael

Tags: [edit]

Wendy is awesome. Her posts are awesome. I wanted to link to two must-reads. I'll quote soundbytes, but really every paragraph drips of awesome.

First, let's skip ahead to, "In 50 gigabytes, turn left: data-driven security."

"Yes, automation is getting better, but it's not there yet. There are still too many alerts taking up too much time to sort through (particularly in the tuning phase). IT staff get hundreds of emails a day; they can't handle more than two or three alerts that require real investigation. (By the way, this is why operations often can't respond to something until it's down -- it's the most severe and least frequent kind of alert that they receive all day, and they don't have time to chase down anything lower-level, like a warning message that hasn't resulted in badness yet.)"

There's a parallel here to another piece I just read today via the PCIGuru blog: People in the Loop: Are They a Failsafe or a Liability?, by Dan Geer.

And also check out Wendy's Insecure at any speed:

"What this indicates to me is that our IT infrastructure -- from the networks to mobile -- is inherently, badly insecure. And we're so far down the road in its widespread implementation that it will be decades before the problem is substantially fixed, even assuming we started today with all software developers and manufacturers. Nobody is going to pay to replace what's running just fine today -- until someone loses a figurative eye."

I love her explanation of telling security pros vs operations staff about business insecurity, and how their reactions are so different. You can pretty much tell someone's background by their resigned or indignant reactions to the same ol' news.

In the latter post, Wendy essentially talks about baking security into technology from the start. While I do agree with this, I'm not holding my breath on it. In fact, I just am not sure this will actually ever happen, even on a small scale.

The sad part is I can't read posts like this without hearing my phone ring with 3 vendors proffering their wares as "the turnkey/plug-n-play solution" to any of the above issues before they even know what sort of business they just called.

trustwave 2012 global security report is out

Posted: February 9th, 2012, 3:56pm CST by michael

Tags: [edit]

Check out the TrustWave 2012 Global Security Report, a summary/analysis of breaches investigated by TrustWave and other good information. Feel free to submit bogus registration information.

reviewing my short list of security steps for smbs

Posted: February 6th, 2012, 11:35pm CST by michael

Tags: [edit]

Recent news about law firm attacks/hacks has renewed interest in the surprising unsurprising plight of small business, especially in regard to law firms, in recent articles. For instance, should a law firm employing maybe a dozen people have tight security, "just enough" security, or barely any? I think that's hard to say. Many of these firms are going to be lucky to have a single IT-minded staffer all to themselves or to have software to do their main line of business (e.g. case management software/file storage), let alone to be secure.

So I thought it might be poignant to revisit an old post of mine where I review "5 security steps for small businesses." Hell, even my "10 security steps for home users" is getting old.

You know you've been blogging a while when you can't remember your own posts, and when you do find them, they're way older than you thought they were!

So, how do my steps hold up? I'm not even done with this post, and I really think I need to update my list.

1. Backups. Still has to be the first suggestion. Even if you get hacked, you can still keep going if your data is backed up.

2. Network firewall on the Internet link. Gunnar calls this outdated technology (I can't resist!), but it's still going to be a necessary line of defense. The "pain" of the lack of this is far removed today than it used to be, though, where households had 1 computer or businesses had just a few systems and they had their balls hanging out on the Internet with public IP addresses passed right on through. In addition, so many attacks right now are coming in through the app layer (and straight on into your precious database) or through email-borne vectors. Old, but still going to be necessary.

3. Desktop Antivirus. No one really puts much weight on this, but you still don't tell people it's ok to not use it. If absolutely nothing else, you're going to be considered negligent if you're caught without it.

4. Patch Management. Yes, please. More, please.

Wow, I clearly cheated a bit on the next "one."

5.1. Physical Security. This is usually easy for most people because it's maybe the easiest to understand, and unless you get serious, is not really technical. If you go beyond a lock system, you won't roll your own solution but instead talk to security professionals. Why not do the same with the systems? For a law firm, this should include secure waste disposal.

5.2. Inventory/Baselining. I'm not sure I'd keep this, but it does end up being a foundational task for any intermediate or advanced security projects.

5.3. Get Help. I think this should be a necessity on any list. It appears the dramatic #10 on my suggestions for home users, and I think it should bookend every such list.

5.4. Wireless Security. This is still important, but not as gaudy and interesting as it was when retailers were being siphoned off from parking lots. Likewise, today's "APT" and "organized" online hacktivists aren't typically performing physical proximity attacks. Yet it's hard to drop this down too far, lest an SMB leave their wireless pants around their ankles...

I think I will look into that revised list of steps for SMBs...this feels woefully inadequate today, which itself is strange, since things don't seem to have changed *that* much, have they?. I struck that last part, but wanted to preserve the thought. When you're looking at security right in front of your nose, it's hard to see that things really are changing. I like lists and exercises like this, because it allows one to step back and get a different perspective on things, in more than one way. Get back to the roots and fundamental problems/steps, but also empathize with the position of an SMB and their capabilities (or lack of), limitations, and pain points...

comment fail for a rehashed throught on talent

Posted: February 5th, 2012, 9:12am CST by michael

Tags: [edit]

I've tried for a good 15 minutes to post a comment on the HP site, but I'm being cockblocked pretty hard by captchafail (the sound one literally just made me laugh and give up; also reload and you'll see maybe 1 real word out of 20, and about 1 in 8 that throw in symbols or punctuation, wtf) and a general inability for Linux+Firefox to actually get the comment to work on this site. So...I'll post it here!

This is in response to Blending in with the furniture - responsibility vs capability in the CISO role.

"Great intro, and I think you framed the situation pretty much exactly for many CISO's or even security-minded persons in SMBs that don't have dedicated teams.

If I had to throw out a guess/suggestion on where you'll go to be a catalyst for change, I'd toss out the ability to have truly talented staff. That's not to say you need rockstars in the community, but rather strong IT-minded people who can troubleshoot issues and advise the rest of IT on things. I really think security people are often treated much like consultants, even when they're internal. Things go wrong? Blame security and their tools. But the secret side to that is it gives your team a chance to help out directly. It's not about showing up the other IT teams as being dumb, but rather positioning your team as being the experts and good people to turn to for difficult problems.

I feel that the quality of a CISO's staff, which may be related to how much budget you can spend on decent people (or keeping the gems you unearth), will be a direct relationship to success.

Ancillary: Being able to identify the talent in other IT teams, and not alienating and antagonizing them, but rather getting those key people to be allies with.

some thoughts on happiness and technology today

Posted: February 2nd, 2012, 11:33am CST by michael

Tags: [edit]

Via securosis I read that really good article: "Happiness Takes (A Little) Magic". I won't rehash his points, but I think there is still more to these stories than appears in that one. The biggest ones: to each their own happiness, and actively choose how your spend your time and work towards achieve feel happiness with it.

(Disclaimer: This has nothing to do with information security, or even technology...and reading this is likely a waste of time for everyone, including me.)

1. To each their own, you know? It's one thing to say, "XYZ makes *me* happy," but another problem entirely to write a piece about happiness in a way that smacks of trying to convince the world that your view of happiness is the universal or correct one. Or just the "correcter" one. This is a failing of religion and some people in general, where there is self-doubt until such a time as other people agree with you. And if the whole entire world agrees with you, then you can relax, because clearly you're right. If that article got 5 pagehits and 0 comments, does that make it better or worse than the one that gets 1m hits and 500 comments in a week? Or I just need to let the tone of the piece go, and move on. :)

2. The junk food news/information is definitely a problem. It's why I never spent much time on Fark. It's why I'm loathe to "hang out" on IRC again. It's why I never got into Digg or Reddit or other news sites where the news may be interesting, but just doesn't matter to me or my life. It takes effort to stick to useful news rather than unuseful (useless!) stuff when you're on the Internet. It takes time to cull the useless bits from a newsreader or learn to quickly scan usefulness in a Twitter feed. I'm finding value is consciously and unconsciously spending time on things that matter. And I already feel dirty browsing YouTube videos and realizing I just lost 3 hours for no real gain.

(Then again, there is a real world analog to this. If you spend 3 hours at a bar meeting 60 people, only maybe 5 are worth your time. Or maybe all the time spent driving to get to those beautiful outdoorsy places that make you feel spiritual. Or those dozen other places that you thought would be beautiful, but just gave you a rash. Or the tourist traps akin to 40m-hit YouTube videos. Great, you can say you've seen it, but was it *really* that good for you? Yes, to each their own...)

Honestly, I think this is an age issue for me. Even just a few years ago, I didn't really give a shit what I spent my time doing. These days, I'm more conscious of my shortening time in this world. Hobbies are fine and distractions/entertainment are fine as well, but I'm trying hard to keep them somewhat bounded. My main weakness is really just video gaming.... As long as I'm truly enjoying the moments, I think that's the most we can ask for.

2.5 I'm also finding a place for things that let me consume technology in a smarter or faster way. As a youngin, I used to tailor the shit out of my Windows UI with WindowBlinds or various other tweaks whose names escape me. But I quickly moved away from that because every new system or every rebuild would require all that time input again, and the time spent is just not worth it. Being able to quickly set up hotkeys to do mundane tasks that will get me done with computer work is a blessing, but eye candy is useless. I think this is one of the places the "cloud" wants to be, but is still trying to figure out how to do it and be profitable at the same time. It's not there, but it's a step... That may be a sub-resolution for this year or maybe the next: to more fully adopt hotkey tools and automate even more things that I do at work and play... (But not automate it in a way that saves some time, but just moves the time spent to maintaining that automation, like scripting/coding often get trapped into.)

Simplify, simplify.

3. There's this space of people who make money and expect to make money doing very little, i.e. lounging around online, calling themselves social media experts, pursuing page hits, and writing about themselves like they're more important than most others. I tend to feel like many of these people are one half-step away from a shattered self-image and deep depression and financial disaster. I don't know the numbers, but it seems like so many of these people may have a few good things to say that are worth reading, but most of it is drivel and useless and a waste of my time. And certainly not worth providing some money to. Sure, play a violin beautifully in the tunnel and I'll chip in a 20 spot. Give me good conversation in a bar and I may buy you a beer. Give me a good article, I'll consume and move on. For so many, I think you're better off getting a "real job" than trying to do the laziest thing you can. (Clearly, this does not apply to everyone as there are truly effective, hard-working, and highly profitable people whose sole product is online media or writing. I'm generalizing unfairly.)

4. I think there is merit in saying human beings need a little bit of adventure, but I also believe we need a little bit of ownership and production and creation of something. Basically, a tangible result of our efforts and sense of self-value. Sort of a microscopic mirror of the problem that the US is moving away from being a manufacturing country and more of an-I-don't-know-what country. (Consuming and ueslessness? Thinking? Information?) Creating a blog and other online content and chatting and comments should help support real life interactions or at least fill voids temporarily as needed, but none of that is really tangible enough to provide long-term happiness for many people. "I blog for a living" still, to me, even as technologically in-tune as I may be, seems like an awful way to make a living. Sure, there are some who are very useful on a weekly basis and earn it as a real journalist, but for every 1, there is likely a thousand who need to stop lying to themselves and actually create or do something real, ya know? And in turn, stop contributing to the noise.

Then again, I may just have my panties in a bunch this week (HQ power outage all day due to carrier mistake will do that) and have some unfair opinions. But I think that's increasinfly my right for advancing in age.

another view on how sopa illustrates the process in action

Posted: January 19th, 2012, 9:40am CST by michael

Tags: [edit]

Bare with me for a moment while I make a statement or two that I'm just throwing out there, but not really meaning to defend with any huge force, especially considering this is one of theonly times I can recall where I've defended politicians or Congress... (and before anyone exercises their right to be dumb and not understand what I'm saying, I oppose SOPA as well.)

Yesterday, many sites went black in protest of SOPA. In addition, many people are upset about such legislation even being proposed, citing corporate interests and corrupt Congress and technological idiots in Congress.

Personally, I love what happened yesterday, but not because the Internet swelled up and got seen on the front pages of every mainstream news outlet. Rather, I love that this is exactly how the process is supposed to happen.

Congress doesn't jot down new legislation and throw it into the hopper to be perfect and the answer. It's discussed, changed, challenged, sometimes approved, and sometimes stricken down through the checks and balances system as well as peer and public discourse.

Yes, "politics" does influence things, but the idea of throwing SOPA out there, discussing it, reacting to public opinion when it swells, and maybe even rejecting bad ideas, is part of our democratic process.

In other words, be sure to focus your wrath a bit. Don't just assume Congress politicians are idiots (at least not based on this one issue; since I also think many of them are idiots). Even submitting idiotic laws and acts is part of the process which hopefully keeps them from doing more harm than good in the long run.

personal notetaking dilemma and the rise of the cloud

Posted: January 13th, 2012, 9:41am CST by michael

Tags: [edit]

When I look around my desk at work, I can see paper. I'm a notetaker. I have been since grade school. I re-use little calendar pages to take notes on, and they accumulate. While I'd love to reduce this clutter, I'm not ready to try and replace everything, such as my Moleskines. Few things are faster for taking notes than grabbing a piece of paper, a pen, and jotting something down. Few things are faster to re-reference than grabbing a piece of paper and, for example, looking at the checklist of things I have left to do on website build XYZ. Grepping my notes is harder, though. As is trying to remember a shopping wishlist while at the store when the notes are on my desk or at home on a whiteboard.

I have more little electronic devices than I'll admit to you. Few of them get a ton of use. Part of that is the pain of using one device for a while, and then attempting to consume the same things on another device. Notes taken on a tablet are not as easily ported over to my personal laptop or my phone. And so on. Lots of people seem to be satisfied with using email to shuttle things back and forth, but that seems archaic and dirty to me.

I also have a desire to not put myself ino a position of device-dependency such that lack of that device makes me helpless. For instance, I'm already dependent on my cell phone, specifically the contact list. I don't even know my parent's phone number off the top of my head (though yes I have a little piece of paper in an address file). I'd hate to be even worse off if I don't have an Internet connection nearby, or mobile hot-spot, or just an electronic device. (Story: My power recently went out, and I drained the battery on my Nook Tablet, which reminds me that I can always read physical books or magazines if I still possess the ability to create fire...)

[Aside: Magazine consumption on my tablet is a mixed bag. I like this experience, but I'm screwed on the process of ripping out a page for future reference like I can when I own the book, or maybe even taking a screenshot of a page when I'm flipping through it in the store, which I do every work day over lunch.]

All of this puts pressure on digital consumption in my life. And I also believe this is collectively a huge reason why "cloud" is on the rise. More people have more devices, and more devices that are mobile. They're sick of maintaining their PC (though arguably most smartphones are just as challenging and frustrating to maintain). They want data/experience across multiple devices without needing experience in server/network administration.

Unfortunately, it's still cumbersome, and the market has so many solutions that it fragments everyone and adds risk that your chosen solution will just die in a year or two. Likewise, you have lockin (iTunes, B&N store for the Nook...) or differences in experience (phone vs PC web browsers) or inability to install things (iPad-only apps). And lack of trust/privacy/assurance that you're not being sold/used/exposed.

I've had EverNote on my radar for a while now, but I think my work desk situation is going to prompt me into trying it out finally. Of course, this makes me sigh in exasperation as I can probably exfiltrate data from work out to my personal systems at home, but I guess the ability to stop that is becoming more and more of a fairy tale as the months go by... Perhaps this situation is always arguable; I mean, an employee can leave a company and take everything along with him in his head, yeah?

Anyway, I had more to say in this post, but halfway through, work duties interrupted, and getting back to this has sapped my Muse...

illustrating the facepalm of security discussions

Posted: January 12th, 2012, 12:40pm CST by michael

Tags: [edit]

If you'd like a quick dose of why discussion in the security circles goes in, well, circles, check out the "Rate Stratfor's Incident Response" thread taking place on the full-disclosure mailing list. The real headache-inducing pieces take a few responses to get to, but eventually the discussion piles into hiring hackers, security economics, and perfect security. Unfortunately, some of the discussion is driven by one or more people who fail a bit at critical thinking in discussions like this, but it still illustrates some of the pain in security, especially how people coming in from different perspectives are just as correct as others from other perspectives. And this is just discussion and not real action! (I'm ignoring any difficulty in non-english responses, but that is also a troublespot in the small, global community of security).

Granted, there are some non-industry people in the list, and some who don't really sound like they've had a real deep technical job (or have any business sense), but certainly there are plenty of decent participants.

when pci makes you feel dirty

Posted: January 12th, 2012, 10:54am CST by michael

Tags: [edit]

Wired has a really strange story about Cisero’s Ristorante and Nightclub being fined for PCI violations (and alleged breaches?), having money taken from them, then sued by their bank, and thus counter-suing their bank and effectively putting this whole PCI security process under a legal magnifying glass.

PCI sounds fine, it really does. But once you start looking at the various steps on their own, it really makes you feel dirty. It's even dirtier when you start talking about arbitrary costs, rules, changes, and general lack of communication up and down the chain.

This may not be so much a problem of PCI, as opposed to a problem with how PCI is used by the merchants, banks, and Visa/Mastercard. No one wants to eat these costs, and the less-skilled persons (merchants) end up being responsible for highly technical issues.

Definitely a story to keep an eye on.

india gov backdoors into mobile devices

Posted: January 8th, 2012, 12:27pm CST by michael

Tags: [edit]

If you don't think this sort of backdoor stuff happens as a requirement to do business with communications networks (and increasingly technology devices), you're not keeping up with the times.

The memo suggests that, "in exchange for the Indian market presence" mobile device manufacturers, including RIM, Nokia, and Apple (collectively defined in the document as "RINOA") have agreed to provide backdoor access on their devices.

Communications eavesdropping, device backdoors, and external/subpoena access to data should always be on your mind. No site or company is going to risk those recriminations on your behalf when pressed.

overhack on network log monitoring

Posted: January 6th, 2012, 8:27am CST by michael

Tags: [edit]

Network traffic analysis and log analysis post is up over at OverHack. Good stuff, and I completely agree with the intro paragraph.

Doing actual log analysis is trickier than most supervisors think it is. You want to know when someone gains domain admin rights, eh? Ok, you have to watch all created accounts. You have to watch for existing account changes that slide an account into the domain admins group, or into any other group nested inside there. You have to watch for someone sliding a group into the domain admins group. You have to watch for strange account usage and failed logins to any accounts in the domain admins group. And you can't just look for suspicious things, but you should track down every instance, even if it appears to match your account naming schemes.

Oh, and you can't just do this once a week with a delta on accounts present. If an attacker created an account, used it, and then deleted it, will you notice? And we're just talking about one (important) sliver of log data!

seriously, a quote

Posted: January 5th, 2012, 2:08pm CST by michael

Tags: [edit]

"Take your craft seriously, but don't take yourself seriously."

My Security Planet » Items by michael

Feeds

Items by michael

Posted: May 8th, 2012, 9:46am CDT by michael

Tags: [edit]

Posted: May 7th, 2012, 11:54am CDT by michael

Tags: [edit]

Posted: May 6th, 2012, 12:55pm CDT by michael

Tags: [edit]

Posted: May 4th, 2012, 1:57pm CDT by michael

Tags: [edit]

Posted: April 26th, 2012, 2:33pm CDT by michael

Tags: [edit]

Posted: April 24th, 2012, 11:38pm CDT by michael

Tags: [edit]

Posted: April 23rd, 2012, 3:35pm CDT by michael

Tags: [edit]

Posted: April 23rd, 2012, 3:14pm CDT by michael

Tags: [edit]

Posted: April 23rd, 2012, 12:02pm CDT by michael

Tags: [edit]

Posted: April 21st, 2012, 2:56pm CDT by michael

Tags: [edit]

Posted: April 21st, 2012, 2:54pm CDT by michael

Tags: [edit]

Posted: April 21st, 2012, 2:48pm CDT by michael

Tags: [edit]

Posted: April 21st, 2012, 2:00pm CDT by michael

Tags: [edit]

Posted: April 21st, 2012, 1:44pm CDT by michael

Tags: [edit]

Posted: April 10th, 2012, 9:40am CDT by michael

Tags: [edit]

Posted: April 9th, 2012, 1:47pm CDT by michael

Tags: [edit]

Posted: March 29th, 2012, 8:40pm CDT by michael

Tags: [edit]

Posted: March 29th, 2012, 9:38am CDT by michael

Tags: [edit]

Posted: March 20th, 2012, 12:33am CDT by michael

Tags: [edit]

Posted: March 8th, 2012, 10:00am CST by michael

Tags: [edit]

Posted: March 8th, 2012, 9:17am CST by michael

Tags: [edit]

Posted: March 8th, 2012, 9:06am CST by michael

Tags: [edit]

Posted: March 6th, 2012, 11:10am CST by michael

Tags: [edit]

Posted: March 6th, 2012, 10:57am CST by michael

Tags: [edit]

Posted: March 6th, 2012, 10:04am CST by michael

Tags: [edit]

Posted: March 1st, 2012, 8:57pm CST by michael

Tags: [edit]

Posted: March 1st, 2012, 11:37am CST by michael

Tags: [edit]

Posted: February 28th, 2012, 1:05pm CST by michael

Tags: [edit]

Posted: February 25th, 2012, 7:35pm CST by michael

Tags: [edit]

Posted: February 24th, 2012, 4:46pm CST by michael

Tags: [edit]

Posted: February 24th, 2012, 2:43pm CST by michael

Tags: [edit]

Posted: February 24th, 2012, 2:26pm CST by michael

Tags: [edit]

Posted: February 21st, 2012, 4:40pm CST by michael

Tags: [edit]

Posted: February 18th, 2012, 6:58pm CST by michael

Tags: [edit]

Posted: February 18th, 2012, 2:16pm CST by michael

Tags: [edit]

Posted: February 14th, 2012, 10:06am CST by michael

Tags: [edit]

Posted: February 14th, 2012, 8:49am CST by michael

Tags: [edit]

Posted: February 13th, 2012, 1:36pm CST by michael

Tags: [edit]

Posted: February 13th, 2012, 9:17am CST by michael