Archive for January, 2009

A lesson learned from Cirque du Soleil

January 27th, 2009 Comments off

Really limber people

The family and I went to see Cirque du Soleil’s Kooza show on Sunday in Atlanta, and it was nothing short of amazing. I’ve seen one of their shows before, it was also amazing, and so I wasn’t surprised that the experience was phenomenal. I had a thought though (danger, Will Robinson, he’s thinking again!) while driving home. Just a musing, perhaps, but I always try to find parallels between everyday life activities and the information security realm that I dwell in so much.

The big epiphany I had is this – it’s all practice.

What do you mean, Dave? Well, in a nutshell, these people are just awesome at what they do. They perform under pressure, with thousands of people watching them, and their routines are complex. The tiniest slip can spell disaster for whole groups of performers, and so they have their acts down to a science. Of course they have talent, as well – perhaps just raw athleticism. But the fact of the matter is that they have gotten as good as they are by simply practicing fanatically.

What wisdom does this hold for us security folks? Well, here’s a challenge for you – what have you committed to being the best at? How much work do you really put into being the absolute best IDS analyst, malware reverse engineer, firewall administrator, log analyst, compliance guru, etc? Well, you won’t get there by just showing up for work every day. You need to practice. A LOT. What kind of home lab do you have? How much time have you spent on network platforms, just relentlessly hammering the CLI? Scripts? Got script fu? Why not?

The economic climate sucks. Jobs are getting hacked all over the place. Yet those who know they’re the best don’t worry about that. They’ll always have someone wanting to hire them. Why? Because they practice. That’s what gets you to the top, not just brains, not your incredible wit, and certainly not all those letters you plaster after your name. You can do it. If you don’t have “become the best at my profession” somewhere on your 2009 Resolutions, add it in. You can do it. </peptalk>


Categories: Musings

New Peer-to-Peer Anomaly Detection Tools: Hmmmm…..

January 23rd, 2009 2 comments

So once in a RARE while, I actually get something useful from the massive numbers of trade mags that show up at my house. You know, the ones you can get for free by saying that you’re an executive with a $100 million budget? 🙂

Network World tipped me off in the “GoodBadUgly” section to a new research project at the University of California at Davis. It uses peer-to-peer technology to detect anomalous behavior on systems, correlate it with behavior on other systems in the peer-to-peer network, and make decisions for active response with existing firewalls and IDS engines. Sounds kinda cool, right? Sure! My inner geek was curious, so I looked online and found an article with a little more detail at ComputerWorld.

On the surface, it sounds like a more interconnected version of the Internet Storm Center (which grew out of DShield). Plus, the ability to interact with FW and IDS software based on some sort of behavior threshold reminds me of the Active Response functionality in Snort and other tools. Sounds cool. But I’m bothered for a few reasons. Let me explain:

  1. In the article, it explains that “[t]he software would interact with existing personal firewalls and intrusion detection systems to gather data about anomalous behaviour…The software would share this data with randomly selected peer machines to determine how prevalent the suspicious activity was…”. I don’t know about anyone else, but I don’t want peer-to-peer software sharing IDS or FW details with other systems, especially random ones. This just sounds ripe for abuse.
  2. End users are not intended to modify the detection parameters. OK, I can go for that. But what about security geeks like me? A quote from one of the researchers just didn’t sit right with me: “We don’t want to have humans in the loop.” Huh?

So let me get this straight. I am trusting a distributed system that interacts with my known and trusted security tools (IDS, FW), sends data to random systems, and doesn’t let me interact or tune the detection engine. Anyone else having visions of HAL and SkyNet? Or am I just a paranoid dork?

Wait, don’t answer that. Happy Friday.

Categories: Information Security, Musings

Data Breach Madness!!!

January 22nd, 2009 2 comments

OMFG, here we go again. Every security and compliance dork in the universe has their blood pressure up a bit since the announcement by Heartland Payments that 100 million+ payment card numbers may have been exposed. Am I in this same state of craziness? Of course, I’m a full-fledged security and compliance dork.

But I’m thinking about this more than ever. Knee-jerk reactions aside, what should we think about this? I am of the opinion that the current mode of thinking around audit and compliance DOES NOT WORK. There, I said it. This notion of auditing an organization once, checking off the boxes, and then coming back later to find that the shit has hit the fan is SILLY, people! When are we going to get around to figuring out that auditing should be a constant thing!?

I’m biased. No two ways about it, I work for a company (Configuresoft) that makes software that will literally solve this problem, so I know it can be done. A “point in time” audit is really of very little use these days. In this latest breach, the biggest issue (based on info we have so far) seems to be that changes were made to a system (malicious software was installed to monitor transactions) and NO ONE NOTICED. So when did the problem start? I dunno. How long have you been compromised? Uh, I dunno. Why don’t you know? Gosh, I dunno! This should be a “career limiting move” for someone.
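As an added illustration (not from the original post, and not Configuresoft’s product), here is the minimal form of the “constant” audit being argued for: hash every file in a tree once, keep that manifest somewhere the host cannot rewrite, then re-snapshot on a schedule and diff. The paths, file contents and the “tampered” binary in the demo are constructed; the on-disk variant uses a temporary directory so it runs anywhere.

```python
"""Baseline-versus-current file integrity check: the minimal form of
continuous auditing. Added example for this post; not Configuresoft's code."""
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass
class Drift:
    """What changed between the audited baseline and the current snapshot."""
    added: dict       # path -> sha256, present now but not in the baseline
    removed: dict     # path -> sha256, in the baseline but gone now
    modified: dict    # path -> (baseline_sha256, current_sha256)

    def is_clean(self) -> bool:
        return not (self.added or self.removed or self.modified)


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot_dir(root: str) -> dict:
    """Walk a directory tree and return {relative_path: sha256 of contents}."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                manifest[os.path.relpath(full, root)] = sha256_bytes(fh.read())
    return manifest


def diff_manifests(baseline: dict, current: dict) -> Drift:
    """Pure comparison; the baseline should come from storage the host cannot write."""
    added = {p: h for p, h in current.items() if p not in baseline}
    removed = {p: h for p, h in baseline.items() if p not in current}
    modified = {
        p: (baseline[p], current[p])
        for p in baseline
        if p in current and baseline[p] != current[p]
    }
    return Drift(added, removed, modified)


def demo() -> Drift:
    """Constructed scenario: file names and contents are made up.
    Between the audit and 'now', one binary was replaced in place and an
    unexpected library appeared, which is the pattern the post describes."""
    baseline_files = {
        "bin/txproc": b"transaction processor v1.4",
        "etc/txproc.conf": b"log_level=info\nlisten=0.0.0.0:8443\n",
        "lib/libcrypto_wrap.so": b"legitimate shared object",
    }
    current_files = dict(baseline_files)
    current_files["bin/txproc"] = b"transaction processor v1.4 + injected sniffer"
    current_files["lib/libhlp.so"] = b"nobody installed this on purpose"
    baseline = {p: sha256_bytes(c) for p, c in baseline_files.items()}
    current = {p: sha256_bytes(c) for p, c in current_files.items()}
    return diff_manifests(baseline, current)


def demo_on_disk() -> Drift:
    """Same check against a real (temporary) directory using snapshot_dir()."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        target = os.path.join(bindir, "txproc")
        with open(target, "wb") as fh:
            fh.write(b"v1")
        baseline = snapshot_dir(root)          # taken at audit time
        with open(target, "wb") as fh:
            fh.write(b"v1 + extra")            # tampered afterwards
        with open(os.path.join(bindir, "dropper"), "wb") as fh:
            fh.write(b"new file")
        current = snapshot_dir(root)           # taken on the next cycle
    return diff_manifests(baseline, current)


if __name__ == "__main__":
    d = demo()
    for path, (old, new) in d.modified.items():
        print(f"MODIFIED {path}: {old[:12]}.. -> {new[:12]}..")
    for path in d.added:
        print(f"ADDED    {path}")
    for path in d.removed:
        print(f"REMOVED  {path}")
```

The diff only tells you that bin/txproc changed and lib/libhlp.so appeared, not why; matching those against the change tickets is the audit. Two caveats a practitioner would want: the baseline has to live somewhere the compromised host cannot rewrite, and an attacker with kernel privileges can lie to the agent doing the hashing, so hashes taken from inside a box are evidence, not proof.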

Now the real question – will Heartland Payments see any loss of business? Despite all the hoopla, does anyone even care? We’ll make a big deal out of this, apologies will happen, security geeks will squawk day and night for a few months about how “important” this is, blah blah blah. Anyone looked at how TJX is doing? Just fine, thanks, they’ve had absolutely ZERO permanent effects from losing lots of our data. Until someone finally imposes crippling penalties on these companies, we’ll continue to see the cycle of breach -> freak out -> “we’re so sorry” -> time lapse -> forgetfulness.

And last time I checked, we have absolutely no cure for apathy. Damn, I feel about as optimistic as Bruce Schneier right now. Yuck.

Categories: Information Security, Rants

The Most Inspiring Thing You’ll See This Week

January 15th, 2009 Comments off

Love him or hate him, Tim Ferriss posts some really great content to his blog. Check it out; you may enjoy reading some of his insights if you haven’t checked him out yet.

This post is short. Bottom line – Nick Vujicic is one of the most inspirational people I have ever seen. Want to put things in perspective? Check out the post and the video at Tim’s site.

Categories: Musings

The EFF’s SSD Project

January 13th, 2009 Comments off

I was alerted to the EFF’s Surveillance Self-Defense (SSD) Project yesterday by Dr. Infosec’s blog and felt compelled to post my own thoughts on this. In a nutshell, the project (still in “beta” BTW) is intended to educate people about government inspection of their data and communications, what the law says about it, and what you can do about it.

I’d love to think I have some “non-security” people reading this blog. If that’s you, and you’re reading this, please know that this is NOT the paranoid ranting of a security geek, this applies to all American citizens, and at some point you’ll need to understand this just like everyone else, if not for your personal data then most definitely for business data that you’re a custodian for (on a work laptop, for instance).

For my fellow security crazies, welcome. Pull up a chair. Let’s chat. I’m going to provide a brief synopsis of the program’s major categories with my thoughts on each.

Risk Management: In this section, the project breaks down concepts that all security folks know and understand well. The first is your assets – what are you trying to protect? Once you know that, you’ll need to understand the threats to your assets, in a few dimensions – the confidentiality, integrity, and availability of your assets should be obvious. The other categories that threats could impact include consistency (are the assets always behaving the same way?), control (is management of the assets controlled?), and audit (can I assess the security of the assets?). Then you need to assess the risk to your assets based on the threats – how likely is it that the threats will manifest, and what damage would ensue? For example, if you are a regular international traveler, it’s highly likely that at some point your laptop will be inspected by border agents somewhere. Finally, know your adversaries. US customs agents? Industrial spies? Wily h@x0rz? The voices in your head? You get the drift. All of these components will paint the risk picture you need to understand how to better defend yourself.

Data Stored on your Computer: This section first lays out what the government can do (here in the US). First things first – the Fourth Amendment stands strong! You should demand a lawyer if anyone tries to search you or anything in your possession. This right has not been suspended by the Patriot Act or any other government mandate, and it applies to any person in the US, citizen or not. There’s a discussion of the Reasonable Expectation of Privacy covered in this Amendment, as well. A great point about laptops – they are considered opaque containers, and thus are protected:

“Laptops, pagers, cell phones and other electronic devices are also protected. Courts have generally treated electronic devices that hold data as if they were opaque containers.”

More on the different types of search and seizure is covered, and the information about warrantless searches is really important for us all to understand. Bottom line – at the border, searching your laptop is considered a “routine” search and can be performed without a warrant!

One solution to this problem is to bring a blank “traveling” laptop and leave your personal information at home. You could then access the information that you left at home over the internet by using a VPN or other secure method to connect to a server where you’ve stored the information.

However, bringing a clean laptop means more than simply dragging files into the trash. Deleting files will not remove them from your hard drive.
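To make the “deleting is not erasing” point concrete, the following toy block device (an added example, not the EFF’s material) models what a typical filesystem does on delete: it drops the directory entry and marks the blocks free, and the bytes stay on the media until something happens to reuse them. The file name and the “secret” contents are made up; carve() stands in for a forensic tool reading the raw disk rather than asking the filesystem.

```python
"""Toy block device showing why a deleted file is still on the disk.
Added example for this post; not the EFF's material."""
import os

BLOCK = 16  # bytes per block; tiny so the demo fits in a few blocks


class ToyDisk:
    def __init__(self, blocks: int = 32):
        self.media = bytearray(BLOCK * blocks)   # raw platter / flash contents
        self.free = [True] * blocks              # allocation bitmap
        self.directory = {}                      # name -> list of block numbers

    def _alloc(self, n: int) -> list:
        picked = [i for i, is_free in enumerate(self.free) if is_free][:n]
        if len(picked) < n:
            raise OSError("disk full")
        for i in picked:
            self.free[i] = False
        return picked

    def write(self, name: str, data: bytes) -> None:
        nblocks = max(1, -(-len(data) // BLOCK))          # ceiling division
        blocks = self._alloc(nblocks)
        for k, b in enumerate(blocks):
            chunk = data[k * BLOCK:(k + 1) * BLOCK].ljust(BLOCK, b"\0")
            self.media[b * BLOCK:(b + 1) * BLOCK] = chunk
        self.directory[name] = blocks

    def delete(self, name: str) -> None:
        """What 'empty trash' really does: drop the directory entry and mark the
        blocks reusable. Not one byte of the media is touched."""
        for b in self.directory.pop(name):
            self.free[b] = True

    def shred(self, name: str, passes: int = 1) -> None:
        """Overwrite the file's blocks with random bytes, then unlink."""
        for b in self.directory[name]:
            for _ in range(passes):
                self.media[b * BLOCK:(b + 1) * BLOCK] = os.urandom(BLOCK)
        self.delete(name)

    def carve(self, needle: bytes) -> bool:
        """Forensic-style search of the raw media, ignoring the directory.
        (Blocks are allocated contiguously on a fresh disk, so a plain
        substring search is enough for this toy.)"""
        return needle in self.media


def demo() -> dict:
    """Constructed data: the 'secret' is a made-up test card number."""
    secret = b"card 4111-1111-1111-1111 exp 12/11"

    plain = ToyDisk()
    plain.write("notes.txt", secret)
    plain.delete("notes.txt")          # the file is gone from the listing...

    wiped = ToyDisk()
    wiped.write("notes.txt", secret)
    wiped.shred("notes.txt")           # ...here the bytes are gone too

    return {
        "listed_after_delete": "notes.txt" in plain.directory,
        "recoverable_after_delete": plain.carve(secret),   # True
        "recoverable_after_shred": wiped.carve(secret),    # False
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The overwrite-then-unlink approach in shred() is what tools like GNU shred rely on, and it is increasingly unreliable on real hardware: journaling filesystems, snapshots, swap, application temp copies and the wear leveling inside SSDs can all keep copies that an in-place overwrite never touches. The robust version of the “traveling laptop” is a freshly imaged machine, or full-disk encryption switched on before any data ever hits the drive.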

Another solution is to use password-based disk encryption to prevent border agents from being able to read your files. However, if an agent asks you for your password, and threatens to detain you or seize your machine for further investigation, most travelers will just give in and offer the password. The consequences of refusing to disclose a password under those circumstances are difficult to predict with certainty, but non-citizens would face a significant risk of being refused entry to the country. Citizens cannot be refused entry, but could be detained until the border agents decide what to do.

The other major “chunk” of this section talks about what you can do to protect yourself. Here’s a quick and dirty list:

  • Develop a data destruction and disposal policy – includes items like clearing your browser and IM cache, shredding CDs, and actually deleting data permanently on hard drives.
  • Master the basics of data protection: Use authentication and access controls
  • Learn how to use passwords: All sorts of password tips – including a controversial one from Chuck Norris, I mean Bruce Schneier, to keep passwords written down in your wallet.
  • Encrypt data: ‘Nuff said.
  • Protect against malware: Again, ’nuff said.

Data on the Wire: As in the previous section, this one is broken into two sub-categories titled “What can the government do?” and “What can I do to protect myself?” In a nutshell this section drills into wiretaps, pen register and “trap and trace” devices, etc. The section on how to protect yourself was really good. A few things I learned:

  • Any “wire” communications (voice, VoIP like Skype, and cell) are more protected than email or SMS. No wiretap == no bueno for the govt in a court.
  • SMS is risky – easy to intercept, possible for the govt to use without a probable cause warrant, etc. Now I’m going to have to educate all my crazy anti-govt friends to use Skype. Dammit.
  • The Triggerfish mobile tracking technology can pinpoint your cell phone’s location when you’re not using it, and often even if it’s turned off. To be safe, you should remove the battery altogether.

The remaining sections deal with storage of information by 3rd parties, foreign intelligence and terrorism investigations (where you get tortured with pictures of Dick Cheney naked) and defensive technology. This last section is perhaps the most valuable to n00bs – it covers lots of fundamentals on browsers, encryption, anti-malware, email and IM, wireless, etc.

Highly recommended. If you are new to the EFF overall, consider donating – I do annually, and it’s a good cause.

Categories: Information Security, Rants

Bruce Schneier FTW!

January 8th, 2009 Comments off

Short post: I just HAD to share this with everyone, has to be the funniest list of crypto-geek humor I have ever read, all at Bruce Schneier’s expense. Thanks to Anton Chuvakin for pointing this out to me. Enjoy!

Categories: Humor, Information Security, Musings

A Shout Out to The Academy

January 7th, 2009 1 comment

I think most of us will agree that Heath Ledger’s portrayal of The Joker in “The Dark Knight” was nothing short of amazing. He had a lot of great lines in there, but one stood out (to me). When talking about his mastery of the criminal mindset and general villainy, he said “When you’re good at something, you should never do it for free.” In many ways, I agree with him.

However, my friend Peter Giannoulis up in the Great White North (aka Canada) is doing just that. He’s creating something for the entire security community in the form of his product and tool configuration videos at TheAcademy. If you haven’t checked them out, I highly recommend you do so. In fact, as we discovered at the SANS Toronto 2008 conference, TheAcademy is pretty much the nexus of the universe. Don’t get that joke? You just had to be there. 🙂

Well, he’s actually gone a step further, looking to help the community that really needs security help most of all – the REST of the world. That’s right, Peter is looking out for Grandma, who’s like a little defenseless bunny out there in the shark-infested waters of the Internet. His new site aims to educate home users on common security checkups and simple things they can do to prevent and detect malware on home systems.

Kudos to him, I say – he’s one of the best security geeks I know, and yet he IS doing something for the general good. We should all follow in his footsteps for 2009.


Categories: Information Security

‘How to Win Friends & Influence People’ for Security Professionals

January 4th, 2009 3 comments

Yep, that’s right – I got all serious with the whole “security professionals” thing. Here in SecurityLand, we’re all trying REAL hard to take ourselves seriously these days, and that’s not wholly bad. But what I’m about to tell you is not for the faint of heart – and definitely not for those of you who take yourselves SO seriously that you walk a little funny and I’m missing my broom handle.

The key to being successful in security is to work WITH people. Thinking you have some “power” to say NO to business unit folks (you know, the ones that actually make your company money?) is a completely wrong mentality these days. No, I’d go so far as to say that the REAL risk management professionals of the world, some of whom are more technical, others more on the analytical and processing side of things, are good at understanding that you are solely around to provide INPUT and OPINIONS. Let me ‘splain.

No one really likes the concept of security people controlling things. Not the business unit people, the operations people, the programmers, nobody. So it’s easy to get a bad rap in the security biz when you take that approach. I used to laugh with one of my colleagues named Tom at a Company-That-Shall-Not-Be-Named about the horrible nepotism that went on – the CIO’s brother-in-law knew someone who had a software company, and that guy knew some good consultants, and the next thing you knew, a critical enterprise application was being coded and implemented by Joe Bob’s Bait, Tackle, and Software.

The funny thing? We couldn’t change a thing about it. The CIO wanted it to happen, she had the influence, and we just had to figure out how to implement the damn thing. What does all this lead to?

It’s the concept of working WITH people instead of against them. We security folken tend to think we’re smarter than the average bear, and hey – maybe we are in lots of cases. But a bunch of smart people endlessly poo-pooing stuff gets you exactly NOWHERE in business. Business is risky. Companies take chances. They deploy stupid apps to lure in new customers. They try ridiculous marketing campaigns to get leads. You will not change that, so here’s my goal for all of us – work on helping these people do what they’re going to do anyway…SECURELY.

This means a bit of a paradigm shift for the average security person. You have to go into a project planning meeting, or a tollgate in an existing project, with the intent to say YES, with perhaps a caveat or three. Not NO. Nope, nobody likes a NO person. How about “Yes, but with X”. Compromise. Point out the ways things could be done with lower risk, and find the happy middle ground where you get a little more security, they get a little more development work and an extra week of project time or the cost of a pen test, whatever, but work on being a help instead of a hindrance, and you’ll go far.

Over time, people will loosen up a bit. They’ll actually listen to you. You’re there to help, remember? Think of yourself like an internal consultant to the business units and operations teams, and make customer satisfaction your primary goal. Eventually, security will actually get better with this approach, I have seen it with my own eyes.

Categories: Information Security, Musings