Archive for the ‘Rants’ Category

Infosec Mysteries, vol. 1

August 10th, 2010

For those of us who have been in the infosec field for a while, we see a never-ending stream of weird behaviors and situations over the years that just don’t make any sense. Despite our best efforts to be optimistic, understanding, and “business-oriented”, there are a number of “infosec mysteries” that boggle the mind and assault the senses. Forthwith, I give you…Infosec Mysteries Volume 1.

1. Why are users still clicking on random attachments? Especially if the email is from someone they do not know, have never heard of, or purports to be one of their long-lost friends on Facebook?! This is undoubtedly one of the world’s greatest mysteries – how do we cure stupid? Many cars of convicted drunk drivers are equipped with alcohol sensors that detect blood alcohol level before they will properly start. Can we implement something similar for chronic offenders that hack, slash, and click their way to digital Armageddon? Is there a class of people out there that just cannot be trusted to use computers responsibly? This is similar to smoking in public for me – your exhaled smoke can have a negative effect on my health. Well, when these kinds of folks’ systems join the ranks of a bot army, it affects us, as well.

2. For all the intrusion detection systems I encounter in organizations, I estimate that 65% are used so little that I’d go so far as to call them “shelfware”. In addition, most staff using IDS today, that I encounter, are not properly customizing rule sets or even venturing to create their own rules, trusting the default rule sets and updates later provided by the vendor. So here’s the mystery – why the $%&! would you spend 5-6 figures (or more) on equipment that can act as a cornerstone of your network monitoring capabilities and a) not get trained properly on how to use the stuff to its potential, and b) just ignore it after a period of time? I’ve seen this same phenomenon occur with other gear, but never so often as IDS.

3. So you’ve made an “investment” in antivirus. Who gives a shit? The stuff is CRAP, and it is BROKEN. The mystery – why are you not clamoring for, nay, DEMANDING, a whitelist solution? NOW!!?? With the proliferation of malware today, you are dealing with a new variant added to a “blacklist” every few seconds. Sounds really sustainable. Yep.

4. Here’s another doozie – the gradual desensitization of the public. In fact, this could be the greatest mystery on this list – how can TJ Maxx lose millions of credit card numbers, go through a scandalous public debacle, and actually see its share price go UP? The media has helped desensitize the public, unfortunately – “ho hum, another big data breach”. And we as security professionals have now come to realize that outrage is ephemeral. Ouch.

Information Security, Rants

Random Thought: We Should Not Tolerate Zero Tolerance

October 14th, 2009

So I was, as usual, inspired by everyday events and news to relate to the infosec community. In its own way, so many of the things we encounter day-to-day have parallels in our security community…but I digress. The topic of the day is “zero tolerance” policies. I recently read an article about a nice young man named Zachary Christie. He’s a good student, learning karate, and a Cub Scout. He’s also a criminal. Well, at least in the eyes of his school system. Why? He had the AUDACITY to bring a fork/spoon/knife camping utensil to school to use at lunch and show his classmates. Zachary, incidentally, is 6 years old. SIX.

I could understand a gentle reprimand. The ol’ “We have a policy here” talk. But Zachary didn’t get that. Nope, this hardcore 6-year old got suspended for 45 days! With the last week in solitary confinement for shanking a fellow inma…errrr, student! OK, I’m kidding about the last part. But the point should be clear – 45 days for this offense is actually punishing the student (very excessively), the parents (who will have to accommodate him with work schedules), and any rational, thinking person in the USA. That’s right, we’re all being punished because this makes us realize just how stupid we can be. And that hurts.

So. What about infosec? Well, we infosec people are policy creators and enforcers. Influencers, too, in many cases, but that’s less relevant here. I’ve had some really interesting conversations in the past with SANS students and Advisory Board members on this same topic. Some are all for draconian policies. Yaaar, matey, walk the plank! Others take a less heavy-handed approach. Which is right? Well, in my opinion (and we all know what THAT means), there are a few policy areas where we must be 100% black and white:

  • Theft or intentional mishandling of sensitive data (PII, Trade Secrets, etc).
  • Possession of child pornography.
  • Intentional hacking or circumvention of access controls to do…anything.
  • Espionage.

That’s it. Yep, really. Supporting evidence plays a big role in most (if not all) of these, so even these may not be completely cut and dry. Generally, though, it’s a safe bet to have clear violation rules in place for any of these. What about others, though? What about all those myriad policies that we have painstakingly written that everyone in the organization hates? Some make sense, sure, but there’s probably some that should be visited on a per-case basis. Many people in many organizations hate security people. Some of you will say “so what?”. I say – you’re losing the game. People WILL get around you one way or another, and if they hate you they will try 10 times as hard. I’m not advocating being wishy-washy, and there are plenty of reasons (governance, compliance, industry standards, etc) why certain policies should have less “wiggle room” than others. But if we always approach policy with a “my way or the highway” attitude, we are going to isolate ourselves even more in infosec, and that’s a tragedy. Just something to think about. </rant>

Information Security, Rants

No more free bugs? Is bullshit.

May 14th, 2009

So this will be hard to swallow for some. Particularly those who idolize folks like Charlie Miller, Dino Dai Zovi, and Alex Sotirov. Or whoever you know that found some amazing hack and paraded it around to win themselves a few minutes of supergeek fame.

Business 101: You can’t forcibly create a market where there isn’t one. It doesn’t work, it never has, it never will. So for those “vulnerability researchers” who are complaining how they are getting the shaft from software vendors who won’t pay them for their software, I hate to break it to you, but you’re shit out of luck, methinks. I think you inevitably have one of three options:

  1. Keep finding bugs because you love finding bugs. Get your little minute of fame, and maybe your new MacBook or whatever, and STFU.
  2. Sell your bugs to WabiSabiLabi or iDefense or some other marketplace. Maybe even an underground marketplace if your ethics are questionable.
  3. Stop doing it. Get out. Find a new hobby. Get some sun, maybe – slowly, though, that pasty skin will burn if you’re not careful!

In a recent article in SC Magazine, Dino Dai Zovi states the following:

“Vendors have been getting a freebie for a while,” Dai Zovi said. “[But] why would I want to sit down and volunteer to find a bug in someone’s browser when it’s a nice, sunny day outside?”

Well, great question! Just DON’T! Seriously, are we all supposed to have some sympathy for folks who volunteer their time to find software bugs? Another dose of reality: all software has flaws. I can live with this. It’s just a part of business. So stop trying to make it seem like it’s these terrible, sloppy vendors who code so badly that SuperSecurityCoderMan has to come in behind them to show them all how bad things really are! Geez. Just SO SICK of this. I respect your skills, bro, but either help the community, take your 15 minutes and move on, or just stop with it already.

The other argument I hear is that “if I didn’t find this bug, some evil h@X0r would”. OK, let it happen. Seriously. If it happens, it happens, we can’t avoid the inevitable forever. But lose the martyr act. I, for one, am over it.

Information Security, Rants

Perception is Reality?

February 9th, 2009

A guy I used to work for in the infosec field (of course) was always telling me that “perception is reality”. In his eyes, you could win the political game within our company by simply putting up a good front. Even if we were totally screwed up within the infosec group, or didn’t know what was going on with a project, or didn’t have a plan, we could create the illusion of competence by proactively bombarding people with information, acting a little smug and pompous, and berating other people for not caring about security (dammit!).

Was this a sound strategy? No, this guy was generally a boob and I worked for him only a short time. However, it really did get me thinking about a few ways to interpret this in the infosec space.

  1. Just because someone talks a good game does not mean they know what the f*** they are talking about. Frankly, I personally believe that a number of the people floating around in the “blogosphere” who are billing themselves as “security experts” should STFU. However, many people seem to feel that “they blog, therefore they have kung fu”. Perception, at least for the unwashed masses, is reality. Because you’ll never KNOW whether that cool blog guy actually has kung fu or not. And he knows it.
  2. A more global one this time. Do you think that most consumers inherently believe that their data is safe with companies who have it? Or the opposite? I think most people just sort of trust that their data is safe. And then when there’s a data breach, the company apologizes, and we all think “oh, well, they’ll just get BACK to being secure and all will be well.” Hmmmm.

Let’s focus on #2 (#1 was pure rant). I had the pleasure of meeting and speaking with Michael Santarcangelo of Security Catalyst about two weeks ago. He and I had lots in common, and hit it off well. One major point we agree upon was the total lack of outrage (in other words, the general complacency) of the populace WRT data breaches and data security overall. TJX loses 90 million people’s data, and people are still shopping there with no issues at all. Did they actually lose any customers? What about all the other breaches? Does anyone really care? Who really feels the pain? Who assumes the liability here?

OK, OK, I know this is sounding like a rant here, too, but really it’s just a question of whether people’s skewed perception of data security (it’s not that big a deal) in essence leads to the reality that it ISN’T that big a deal. This runs counter to all the ranting we do as security people, and of course no one will ADMIT that losing data might not really have long-term impacts at the moment. I’m certainly not saying we should give up the fight. And this doesn’t apply to data like sensitive intellectual property, health data, etc. Mostly payment card data, which can almost be considered ephemeral in some senses. But I ask – does perception equal reality in this case? Why or why not?

Information Security, Rants

Weekend Round-up: Google Issues and a Sad-but-True Comic

February 2nd, 2009

Well, the weekend was not without PANIC (!!) and CONSTERNATION (!!). Saturday morning found me sitting at my desk, getting a little work done, and needing some information from the Oracle of the Internet. Looking for some info on Cisco switch commands, I was presented with a list of search results that were <GASP> all infected!!!

Imagine my sheer horror. The Internet was surely coming to a complete halt. Some evil mastermind had taken over all sites on the Web. Game over. To console myself, I went to Twitter to see who I could complain to at this early hour, and found that others were experiencing the same problem, albeit with a slightly lowered panic quotient. Hmmmm….the problem ACTUALLY could be Google, not a widespread evil plan to overthrow the Internet. Fast forward an hour, Google was operating just fine again. Thank Goodness!

The moral of this blurb: I am a pathetic little man. Losing Google for one hour actually caused me some frustration. You may not cook it in a spoon and inject it, or smoke it in a little glass pipe, but Google has successfully accomplished the Internet equivalent of addicting people to drugs. Ouch.

The next comment from the weekend is about a great old comic I saved from 2006 in Computerworld. I couldn’t find it anywhere online, so I scanned it in (apologies if it’s a little grainy, I tried to keep it small). Given that my name is, well…Dave, I absolutely love this one. Just remember, folks, every time you connect to a WiFi hotspot you don’t recognize, God kills a kitten.

Enjoy.

Humor, Information Security, Rants

Data Breach Madness!!!

January 22nd, 2009

OMFG, here we go again. Every security and compliance dork in the universe has their blood pressure up a bit since the announcement by Heartland Payments that 100 million+ payment card numbers may have been exposed. Am I in this same state of craziness? Of course, I’m a full-fledged security and compliance dork.

But I’m thinking about this more than ever. Knee-jerk reactions aside, what should we think about this? I am of the opinion that the current mode of thinking around audit and compliance DOES NOT WORK. There, I said it. This notion of auditing an organization once, checking off the boxes, and then coming back later to find that the shit has hit the fan is SILLY, people! When are we going to get around to figuring out that auditing should be a constant thing!?

I’m biased. No two ways about it, I work for a company (Configuresoft) that makes software that will literally solve this problem, so I know it can be done. A “point in time” audit is really of very little use these days. In this latest breach, the biggest issue (based on info we have so far) seems to be that changes were made to a system (malicious software was installed to monitor transactions) and NO ONE NOTICED. So when did the problem start? I dunno. How long have you been compromised? Uh, I dunno. Why don’t you know? Gosh, I dunno! This should be a “career limiting move” for someone.

Now the real question – will Heartland Payments see any loss of business? Despite all the hoopla, does anyone even care? We’ll make a big deal out of this, apologies will happen, security geeks will squawk day and night for a few months about how “important” this is, blah blah blah. Anyone looked at how TJX is doing? Just fine, thanks, they’ve had absolutely ZERO permanent effects from losing lots of our data. Until someone finally imposes crippling penalties on these companies, we’ll continue to see the cycle of
breach –> freak out –> “we’re so sorry” –> time lapse –> forgetfulness

And last time I checked, we have absolutely no cure for apathy. Damn, I feel about as optimistic as Bruce Schneier right now. Yuck.

Information Security, Rants

The EFF’s SSD Project

January 13th, 2009

I was alerted to the EFF’s Surveillance Self-Defense (SSD) Project yesterday by Dr. Infosec’s blog and felt compelled to post my own thoughts on this. In a nutshell, the project (still in “beta” BTW) is intended to educate people about government inspection of their data and communications, what the law says about it, and what you can do about it.

I’d love to think I have some “non-security” people reading this blog. If that’s you, and you’re reading this, please know that this is NOT the paranoid ranting of a security geek, this applies to all American citizens, and at some point you’ll need to understand this just like everyone else, if not for your personal data then most definitely for business data that you’re a custodian for (on a work laptop, for instance).

For my fellow security crazies, welcome. Pull up a chair. Let’s chat. I’m going to provide a brief synopsis of the program’s major categories with my thoughts on each.

Risk Management: In this section, the project breaks down concepts that all security folks know and understand well. The first is your assets – what are you trying to protect? Once you know that, you’ll need to understand the threats to your assets, in a few dimensions – the confidentiality, integrity, and availability of your assets should be obvious. The other categories that threats could impact include consistency (are the assets always behaving the same way?), control (is management of the assets controlled?), and audit (can I assess the security of the assets?). Then you need to assess the risk to your assets based on the threats – how likely is it that the threats will manifest, and what damage would ensue? For example, if you are a regular international traveler, it’s highly likely that at some point your laptop will be inspected by border agents somewhere. Finally, know your adversaries. US customs agents? Industrial spies? Wily h@x0rz? The voices in your head? You get the drift. All of these components will paint the risk picture you need to understand how to better defend yourself.
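To make that section concrete, here is a small risk register in Python that follows the same shape: assets, threats against them in the six dimensions the guide names, likelihood times damage, and the adversary behind each threat. This is an added example of mine, not code from the EFF project; the threat entries are a constructed register for the frequent-traveler case the text uses, and the 1–5 scales and the `unassessed_dimensions` check are my own choices.

```python
"""Minimal risk register: assets, threats in six dimensions, likelihood x damage,
adversaries.  Added example; not from the EFF SSD project."""
from dataclasses import dataclass

# The six dimensions a threat can impact, as listed in the SSD risk-management section.
DIMENSIONS = ("confidentiality", "integrity", "availability",
              "consistency", "control", "audit")


@dataclass(frozen=True)
class Threat:
    asset: str
    dimension: str
    adversary: str
    description: str
    likelihood: int   # 1 (rare) .. 5 (near certain)  -- scale is an assumption
    damage: int       # 1 (nuisance) .. 5 (catastrophic)

    def __post_init__(self):
        if self.dimension not in DIMENSIONS:
            raise ValueError(f"unknown dimension: {self.dimension}")
        for name in ("likelihood", "damage"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1..5, got {value}")

    @property
    def score(self) -> int:
        """Risk = how likely it is to happen x how bad it would be."""
        return self.likelihood * self.damage


def rank(register):
    """Threats ordered from highest to lowest risk; ties broken by asset/dimension."""
    return sorted(register, key=lambda t: (-t.score, t.asset, t.dimension))


def unassessed_dimensions(register):
    """For each asset, the dimensions nobody has written a threat for.
    A non-empty list means the 'risk picture' for that asset is still incomplete."""
    assessed = {}
    for t in register:
        assessed.setdefault(t.asset, set()).add(t.dimension)
    return {asset: [d for d in DIMENSIONS if d not in dims]
            for asset, dims in assessed.items()}


def by_adversary(register, adversary):
    """Total risk score attributable to one adversary: who to plan against first."""
    return sum(t.score for t in register if t.adversary == adversary)


# Constructed sample register for a regular international traveler.
REGISTER = [
    Threat("work laptop", "confidentiality", "border agents",
           "device inspected at a border crossing", likelihood=5, damage=4),
    Threat("work laptop", "availability", "border agents",
           "device seized for further investigation", likelihood=2, damage=4),
    Threat("work laptop", "integrity", "industrial spies",
           "tampering while the device is out of sight", likelihood=2, damage=5),
    Threat("phone", "confidentiality", "border agents",
           "SMS and contacts read during inspection", likelihood=4, damage=3),
]

if __name__ == "__main__":
    for t in rank(REGISTER):
        print(f"{t.score:2d}  {t.asset:<12} {t.dimension:<16} {t.adversary:<17} {t.description}")
    print("dimensions not yet assessed:", unassessed_dimensions(REGISTER))
    print("border agents total:", by_adversary(REGISTER, "border agents"))
```

The `unassessed_dimensions` output is the part worth keeping an eye on: most people fill in confidentiality and stop, and the guide’s point is that consistency, control and audit deserve a line each as well.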

Data Stored on your Computer: This section first lays out what the government can do (here in the US). First things first – the Fourth Amendment stands strong! You should demand a lawyer if anyone tries to search you or anything in your possession. This right has not been suspended by the Patriot Act or any other government mandate, and it applies to any person in the US, citizen or not. There’s a discussion of the Reasonable Expectation of Privacy covered in this Amendment, as well. A great point about laptops – they are considered opaque containers, and thus are protected:

“Laptops, pagers, cell phones and other electronic devices are also protected. Courts have generally treated electronic devices that hold data as if they were opaque containers.”

More about the different types of search and seizure is listed, and the information about warrantless searches is really important for us all to understand. Bottom line – when traveling, searching your laptop is considered “routine” and can be performed without a warrant!

One solution to this problem is to bring a blank “traveling” laptop and leave your personal information at home. You could then access the information that you left at home over the internet by using a VPN or other secure method to connect to a server where you’ve stored the information.

However, bringing a clean laptop means more than simply dragging files into the trash. Deleting files will not remove them from your hard drive.
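As an added illustration of that point (my own code, not the EFF guide’s), here is an overwrite-before-unlink helper in Python. It assumes a device that writes in place, such as a spinning disk; the comments note where that assumption breaks down, which is exactly why the guide’s other suggestion, disk encryption, is the more reliable answer. The `demo()` function builds a throwaway file of constructed data to show the effect.

```python
"""Overwrite-then-unlink: why dragging a file to the trash is not deletion.
Added example, not code from the EFF SSD project."""
import os
import tempfile


def overwrite_file(path: str, passes: int = 1, chunk: int = 1 << 16) -> int:
    """Overwrite every byte of the file in place with random data and push it
    to the device.  Returns the file size (bytes overwritten per pass).

    Caveats (why this is best-effort):
      * SSDs remap writes (wear levelling), so the old cells may survive.
      * Journaling / copy-on-write filesystems and snapshots may keep old blocks.
      * Editors, backups and caches often hold their own copies of the content.
    Full-disk encryption makes leftover blocks unreadable regardless of the above.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(os.urandom(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())   # make sure the overwrite reaches the device
    return size


def shred(path: str, passes: int = 1) -> int:
    """Overwrite, truncate (so the length is not leaked by metadata) and unlink."""
    written = overwrite_file(path, passes)
    with open(path, "r+b") as f:
        f.truncate(0)
    os.remove(path)
    return written


def demo() -> dict:
    """Self-contained run on a constructed temp file; returns what happened."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "itinerary.txt")
    with open(path, "wb") as f:
        f.write(b"SECRET " * 1000)          # constructed sample content
    size = overwrite_file(path)
    with open(path, "rb") as f:
        survived = b"SECRET" in f.read()    # should be False after overwrite
    shred(path)
    os.rmdir(workdir)
    return {"size": size,
            "plaintext_survived_overwrite": survived,
            "file_exists": os.path.exists(path)}


if __name__ == "__main__":
    print(demo())
```

A plain `os.remove` only drops the directory entry and marks the blocks free; the bytes stay on the platter until something else happens to reuse them, which is what the guide means by “deleting files will not remove them from your hard drive”.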

Another solution is to use password-based disk encryption to prevent border agents from being able to read your files. However, if an agent asks you for your password, and threatens to detain you or seize your machine for further investigation, most travelers will just give in and offer the password. The consequences of refusing to disclose a password under those circumstances are difficult to predict with certainty, but non-citizens would face a significant risk of being refused entry to the country. Citizens cannot be refused entry, but could be detained until the border agents decide what to do.

The other major “chunk” of this section talks about what you can do to protect yourself. Here’s a quick and dirty list:

  • Develop a data destruction and disposal policy – includes items like clearing your browser and IM cache, shredding CDs, and actually deleting data permanently on hard drives.
  • Master the basics of data protection: Use authentication and access controls
  • Learn how to use passwords: All sorts of password tips – including a controversial one from Chuck Norris, I mean Bruce Schneier, to keep passwords written down in your wallet.
  • Encrypt data: ‘Nuff said.
  • Protect against malware: Again, ’nuff said.

Data on the Wire: As in the previous section, this one is broken into two sub-categories titled “What can the government do?” and “What can I do to protect myself?” In a nutshell this section drills into wiretaps, pen register and “trap and trace” devices, etc. The section on how to protect yourself was really good. A few things I learned:

  • Any “wire” communications (voice, VoIP like Skype, and cell) are more protected than email or SMS. No wiretap == no bueno for the govt in a court.
  • SMS is risky – easy to intercept, possible for the govt to use without a probable cause warrant, etc. Now I’m going to have to educate all my crazy anti-govt friends to use Skype. Dammit.
  • The Triggerfish mobile tracking technology can pinpoint your cell phone’s location when you’re not using it, and often even if it’s turned off. To be safe, you should remove the battery altogether.

The remaining sections deal with storage of information by 3rd parties, foreign intelligence and terrorism investigations (where you get tortured with pictures of Dick Cheney naked) and defensive technology. This last section is perhaps the most valuable to n00bs – it covers lots of fundamentals on browsers, encryption, anti-malware, email and IM, wireless, etc.

Highly recommended. If you are new to the EFF overall, consider donating – I do annually, and it’s a good cause.

Information Security, Rants

The Shackleford Life Philosophy

April 30th, 2008

I have a fiercely independent streak. I like raising hell, I don’t want to be quite like the other doubles-tennis yuppies of the world, and foremost, I firmly believe that I am in control of every single aspect of my life.

I can be as good at something as I want to be.

I can learn anything I want to.

I will never tolerate a shitty, micromanaging job or boss. Ever.

There’s plenty of money out there – go get it.

If you are out of shape, that’s your fault, and you WILL suffer from it, most likely. Change this. Now.

Sounds simple, more or less, right? This is a much-abbreviated version of the true life philosophy I adhere to, but it’s a few of the key points. I am never satisfied with things either – and that’s OK. You can always improve, and there’s almost always someone better at something than you are.

Where the hell am I going with this? Well – here:

http://www.ganas.com/declaration_mov_flash6.swf

This lady captured a lot of the Shackleford mojo in a presentation that is worth seeing. You’ll enjoy it, promise.

Musings, Rants