The talk of the blogsphere and IT Security news sites lately has been about the comments that Bruce Schneier made at InfoSecurity Europe 2007.
Most of the talk has been people expressing their disbelief that he would make such a comment. They are saying things like "computers and the code that runs them are designed and developed by humans and therefore they will contain errors, flaws and mistakes. So how could he expect them to not be insecure?" Some are upset and they actually seem afraid that his comments will signal the demise of the security profession in a vein similar to Alan Greenspan making a comment that causes the stock market to rise or fall.
My first take on it is that of course it's an absurd comment. There is no way that systems and the code that runs them can be secure. If we had started with a security mindset from the early days of computers it would be a much more secure environment now but there would still be a need for security professionals because of the human factor. People make mistakes. Designers, developers, testers, implementers, and users all make mistakes that make it necessary to have security professionals.
My second take on his comment is that he is partly right. There is no real excuse for systems and code being released that is insecure out of the box. We have known the issues for years but vendors have chosen to ignore them so they can get products to market faster. They would rather send out faulty products and fix them later because it gets money in their pocket faster. Then they look like heroes when they patch something quickly. This is what is absurd. How would we feel if others did this. Imagine buying a car and having to have it patched regularly because the manufacture didn't check things like making sure the hood latch keeps your hood in place. How about buying a house that was build w/ half the nails because the builder wasn't sure if it needed all the recommended nails. How about buying a gas stove that has a newly designed gas regulator that was quickly sent to market. Finding that bug could be deadly.
I've commented before on the fact that vendors need to take more time in ensuring that their code is secure and that they need to do away with insecure practices. Things like default passwords in hardware that don't have to be changed, java upgrades that leave the old insecure code in place, and on and on.....
I make a pretty good living as a Security Professional and many of my friends and colleagues in the industry make lots more than I do. This is what is unnecessary. If vendors did their jobs then there would not be a need to pay security professionals the salaries that they often command. There also would not be a need for tech support staffs that are bloated and often inexperienced. There would not be a need for security conferences such as Infosecurity Europe 2007 and others.
There is no incentive for vendors to take extra time to ensure that their code is safe and secure. They know that when it hits the shelf it will be bought quickly. They know that once they release a service pack sales will again pick up. They know that there are hoards of Security Professionals out there working to ensure that vendor mistakes won't affect users. They also know that there are conferences that draw lots of people and they can attempt to sell more and more and more.
It's all about the money. Bruce is right. We shouldn't need many security professionals and we shouldn't have to go to security conferences. Software and systems should be secure, or close to it, out of the box. But we all know that it won't happen until there is no financial incentive for them to ship insecure products.
Monday, April 30, 2007
The talk of the blogsphere and IT Security news sites lately has been about the comments that Bruce Schneier made at InfoSecurity Europe 2007.
Thursday, April 26, 2007
I don't even know what to call this post. I'm still shaking my head in amazement. Last week I posted about the Google Calendar Leak and just told everyone to be careful. I didn't think much more about it then yesterday I was listening to Pauldotcom Security Weekly and they were talking about it. Larry was giving examples of searches that he had done and talking about the information that was found. So this morning I logged into my Google Calendar account and started searching for key words and looking at the information that was divulged. At first I just laughed at the little things that I saw. Conference call numbers, names, agendas, etc... A potential hackers paradise or Social Engineers dream.
As I looked more and refined my search a little more I found LOTS of other interesting things. Full names and addresses of companies and employees, Network addressing schemes, dates for upgrades and changes to security and network devices, etc... and these were posted by the supposed network and security teams!!!!!!!!!!!!! I think my head is going to explode!!!!!!!!!!!!!
As I was looking at some of the calendar entries I noticed links to wiki's and other sites that were tauted to have more details and information that the participants needed to review to get ready for the meetings. Then it hit me. What if someone decided to post a fake entry that had links to sites that hosted malware. Then someone, maybe a malcontent or maybe a security professional, is checking this out and they decide to see what other info is out there. Next thing you know you are compromised.
Wednesday, April 25, 2007
DarkNet has an article about a diamond heist that took place in Belgium. It was successful due to social engineering. The thief spent several weeks getting to know the bank staff and earned their trust. By doing so he was able to walk off with about 14.5 million US dollars worth of diamonds. My favorite quote from the post is this,
My dear friend, education is the key..not more locks and bolts.The same holds true for Information Security. If our users don't know how to spot and handle phishers then we might as well just put up an open WI-FI to our network and post it in the paper.
We all know that the defenses we put in place are only as good as the way they were configured and the last patch that was released. All of it is for naught if our users are giving away the keys to the back door.
If you need some good User Awareness materials there are lots of places to look. Some are free and others range in cost low budget to big budget. A couple that I can recommend looking into are the Notice Board Awareness Newsletter, Microsoft has some pretty good free stuff, or you can talk to Michael Santarcangello about what his company offers. There are also lots of other options that you can find with a simple Google Search.
Tuesday, April 24, 2007
One of my favorite topics to read about is leadership. I like to think of myself as a leader and hope that what I do is looked on by others as leading. I try to apply the principles of leadership in all that I do. Whether or not my official position is a leadership position or not doesn't matter I still strive to be a leader.
In my opinion the security industry is in need of leadership. It is a industry that is widely varied in scope and objective. You have many different disciplines that often doesn't communicate with each other and often even openly criticizes or looks down on each other. If we are all fighting against a common enemy then why can't and don't we work together. Why should we each fight our own battles also fight each other?
Obviously leadership in an industry that is so varied and that is populated by people from all over the world, many of who aren't even "officially" in the industry, and many of who are rebels by nature is not an easy task. There won't be any one person who rises up and claims the title of "Security Leader of the World". What we need is for those of us in Security to step up to the plate and lead where we are.
Leadership isn't a position it's a life style. It's doing what you can, when you can, as you can. It doesn't require that you be the Team Leader, Manger, or VP. You can lead from where you are by simply doing what needs to be done. By being an example of how a security professional does his job we lead others. I'm not talking about all of the day to day tasks that we do so much as the way that we do what we do. It's the attitude that we have as we do our day to day duties. It's how we react when a situation arises that requires us to step up a notch from our daily responsibilities.
We need to remember that leading takes place where we are if we will remember some basic ideas. Leaders have the following characteristics and they use them in their everyday life both at work and elsewhere.
The following is used by permission from Dr. John C. Maxwell's free monthly e-newsletter 'Leadership Wired' available at www.injoy.com.
- Adaptability – Quickly adjusts to change.
Leaders in the middle may not be the first to know, but they are often the ones in charge of implementation. Adaptable managers in the middle are willing to embrace a change operationally even if they are not yet ready to do so emotionally.
- Discernment – Understands the real issues.
Good leaders cut through the clutter to see the real issues. A smart person believes only half of what he hears, but a truly smart person knows which half to believe.
- Security – Finds identity in self, not position.
Effective 360° leaders are secure enough in who they are to not worry about where they are. Instead of focusing on reaching a position, they focus on reaching their potential.
- Service – Gains fulfillment in serving everyone.
A servant leader serves the mission and leads by serving those on mission with him or her. The true measure of leaders is not the number of people who serve them but the number of people they serve.
- Resourcefulness – Finds creative ways to make things happen.
Creativity is the joy of not knowing it all. We seldom, if ever, have all the answers, but we always have the imagination to create solutions to our problems.
- Maturity – Puts the team before self. Nobody who possesses an unrelenting me-first attitude is able to develop much influence with others. A mature leader sees beyond his or her personal vantage point and has the courage to make sacrifices which advance the team.
- Communication – Links to all levels of the organization. We often think of communication in organizations as being primarily top-down. Leaders at the top cast vision, set direction, reward progress, etc. However, good communication is a 360-degree proposition. In fact, oftentimes the most critical communication comes from leaders identifying problems or solutions at the ground level and sending them up the chain of command.
Friday, April 20, 2007
The guys at Pauldotocm Security Weekly mentioned a paper about how the SiteKey service used by Bank Of America can be fairly easily bypassed and used to Phish your login credentials. The paper was done by Stop-Phishing Research Group at Indiana University. You can find the paper on Slight Paranoia. This is really good reading. I haven't read all the comments yet, but am hoping to get around to it later this weekend.
The thing that really caught my attention is that (as in all phishing attacks) this is possible because users don't pay attention. If you are on your own computer and aren't presented with the SiteKey image most people make the assumption that something happened and it is OK. So they nonchalantly reenter their information and suddenly they have been caught. Once again if we can just teach people the importance of paying attention when they are online we will eliminate most successful phishing attempts.
Jeremiah Grossman of White Hat Security has a good post about the rise in popularity of web based services and the dangers associated with putting so much information on other peoples servers. You can check it out here.
What strikes me about this is that we are so willing to put information in places that we have no control over. We assume that because the site has an SSL certificate and a name that sounds good we will give them more than enough information to become us. We also willingly give them enough information to rob us blind and put us into serious debt. Now I'm not suggesting that most of these sites are malicious or that your data is really in danger, but we really need to be more cautious who we give our information to and where we put it. All servers, all sites and all companies are vulnerable to attack. Even the big names that we all trust have problems and issues that are beyond our control.
Thursday, April 19, 2007
Researchers have found a new way to open others up to unsuspecting avenues of attack. I just have a hard time believing that this is a good idea. How long do you think it will be until someone has hacked this and now they have unfettered access to these laptops to do with as they please. I'm not sure that these guys have even given thought to the security implications of this or how to make sure that it is secure. There is no mention of security on their web site. They need to add to their FAQ under "What other applications exist for WiPeer?" Trojans, bot node and other assorted malware.
Wednesday, April 18, 2007
This article on ComputerWorld.com is just more proof that we need to continue to push forward with User Education. People need to be aware that ANYTHING that they post on the internet is subject to being found by other people. I know that they trusted Google to not share what they didn't want shared, but software has bugs that often aren't found until it is too late. People make configuration mistakes that accidentally expose info that wasn't intended to be exposed.
I realize that there are many people who will ignore all UE attempts and will do what they want. Even so I still believe that LOTS of people do things like this out of a lack of understanding of the possible dangers. In one example in the article the conference call number and PIN were posted by an employee of the companies IT department. Again, another example of how UE is needed by ALL employees. There are just too many from the CEO down to the person who spends all day pulling staples out of documents that just don't understand and need to be educated.
I woke up at my normal time this morning and made a cup of coffee. I started to read some before checking my RSS feeds. While the coffee was brewing I picked up my Blackberry to check my emails from overnight.
Nothing. This is not a good sign. I have several status messages that are automatically sent that shoud be waiting for me.
I sent myself a test message.
Got a big red X.
So I booted my laptop and logged in to check things. Both BES and email servers were running. Lots of weird messages on BES server. Nothing I had ever seen before. Tried a few things and was able to clear up some of the messages, but still not messages coming or going. Checked my email server and no problems there. Checked my email and all of my automated messages from overnight were there.
I know that I should have gone to Blackberry support but held off. Normally I would have been more receptive to going directly to the Blackberry support but this week has been full of things going wrong and I just figured that this was just another one. After about an hour of troubleshooting I remembered that a PIN message bypasses the server. So I sent my Boss a PIN. Again, big red X.
Now I put 2 and 2 together and decided that it was a RIM issue. So now I pulled up my RSS feeds and one of the first things I saw was this article from Network World. If I had checked my feeds first thing like I usually do I would have had a much more productive hour.
Tuesday, April 17, 2007
Michael "Santa" Santarcangelo is coming to Atlanta. He is going to be passing through Atlanta and we thought it would be a good idea for him to spend a few days in town and try to put together some training events.
He is has 3 different offerings that we are looking to plan.
- Speaking about Security - a 2 day course that teaches you how to refine your presentation and security speaking skills. He is offering this this at a 40% discount and also giving away a free coaching session for those who sign up. We are looking to have between 10 and 15 people for this class.
- Making a Life - How to do more with less (and have less stress) - This is a half day session that helps you learn how to find balance between work and life.
- Setting Your Career Compass - This is also a half day session that helps you evaluate your skills and understand the situations in which you thrive. Designed to help you get a clear handle on your career goals.
Both of these are being offered at deep discounts. This is the first time Santa has taken these "public" and he is working out the kinks to prepare for his "Security Revival Tour" that is planned for this fall.
If you are interested in attending either of these or both of them drop me a quick email at email@example.com or email Santa at firstname.lastname@example.org
If for some reason you aren't familiar with Santa you can check out some of his stuff here.
Monday, April 16, 2007
OK, so it probably wasn't really since he is in Texas and I'm in Georgia. It sure did look like him though.
I was driving down the road and just as I started to turn right from the right hand turn lane the SUV next to me decided that he also wanted to turn right. The problem was that he wasn't in a turn lane. I ended up in front of him and I looked in the rear view mirror and this guy looked just like Farnum. I know my blog is gaining on his, but this is a drastic measure. If he had been wearing the Grinch outfit that Shimel gave him I think I would have wrecked.
An advisory group that I'm a part of has a discussion going on now regarding Identity management. This is a consumer advisory group so we're not talking enterprise ID management but consumer level. Helping mom and pop manage their various online identities. We all know the need for keeping separate identities for different types of web sites. It would not be advisable for me to use andyitguy for my ebay, banking and other financial sites. Having multiple online identities for different types of web sites is a good idea. I'm afraid that it's not a common practice among mom and pop though.
In my experience mom and pop are using mom and pop for their online identities no matter where they go. Banking, ebay, MySpace and everywhere else they go. Not only are they using the same ID they are using the same password. This is bad. Once the bad guys figure out their user ID and password for one site it isn't hard to figure out where else they go and easily get in there. Even if some sites require a "hard" password it's common practice to use a slight variation of their "normal" password. IE if your normal password is abc123 you may change it to Abc123#.
So where am I going? Back to stressing the need for user education. We have to continue to work on getting the word out to everyone that will listen to us. Those who won't listen have to be "tricked" by getting the word in front of them in other ways. The key is that we can't be quiet. We can't give up. We can't quit. We can work as hard as we are able to secure web sites, protect DNS servers, write secure code and everything else we can think of. That will help, but until we teach users how to surf securely our fight will be more difficult than need be.
Thursday, April 12, 2007
I haven't posted much lately. Partly because of being busy and partly because I just haven't seen much out there that really caught my attention. Some of the bigger news items I've let slip by because everyone else has commented on them and I didn't have anything else to add or the stories were just repeats of the same ole thing from the past. Things like Microsoft having to reissue defective patches, being too slow on releasing a patch, blah, blah, blah.
Anyway, that changed this morning when I ran across this post from fellow Trusted Catalyst member Perry Carpenter. I wrote last week about the CIA triad and Perry has found a different take or an expansion of the CIA triad and tells us about it. Very good and interesting reading. Shoot over and take a few minutes to read about the Parkerian Hexad. It's worth the time.
Friday, April 06, 2007
I was talking to someone briefly the other day about the CIA triad and it got me to thinking. Most security books teach it and many security professionals will agree that it is foundational to Information Security. As you all know the 3 legs are Confidentiality, Integrity and Availability. We all work hard to ensure that our data stays confidential, that it's integrity is maintained and that it is available to authorized users when it is needed.
What I want to talk about is Availability. What does it involve and what are we doing to ensure that data truly is available. Availability can be affected by the following (and more that I'm sure I will miss).
- Denial of Service Attacks
- Hardware failure
- Improper device configuration
- Man-in-the-middle attacks
- Corruption of data
- Removal/deletion of data (intentional and unintentional)
- Route poisoning (ARP,DNS, etc)
- Software bugs
The best way to assure the availability of information is to have a plan and to test it.
- What is your plan to prevent MitM attacks, Route poisoning, DoS attacks? Do you test your systems to ensure that these types of attacks can be fended off? Do you have a plan to mitigate them? What about an incident response plan? Has it been tested and carefully thought through?
- What about data corruption or deletion? You have backups but are they any good? When was the last time you did a test restore? What happens if your tape drive goes bad? Can you restore on a different model if necessary?
- What steps are in place to ensure that devices are configured properly? Do you have procedures to ensure that they are configured and tested? Is the configuration backed up and documented in case of hardware failure? How quickly can you get the device back up and running or replaced? Say you lose a server with all your user files. You have a spare that you can restore to quickly, but what about ensuring that the users can connect to the new device. It likely has a different IP address and name than the original box. What are you procedures for uninstalling applications and patches that cause problems?
Michael Santarcangello has just released episode 2 of the Family Security Series. This month the topic is "Running as a non-administrator". Santa covers things such as:
- How to determine if you are running as an administrator
- How to create a non-admin account and start using it
- Why running as an administrator is not a good idea
Thursday, April 05, 2007
What is the big deal about WEP being even easier to crack? It has been cracked since 2001 and we've know that it isn't secure. When it first was cracked it was still a very involved process that took lots of time to accomplish. For many it wasn't worth it. The as it got faster and easier it became a bigger problem and most corporations began to move away from it to WPA and WPA2.
Now that some German researchers have found a way to crack it in under a minute the whole world seems to be in a panic. Technology news sites are reporting this like it's a breaking story that is earth shattering news. Bloggers are talking about it like it's something we've never seen. Maybe I'm way off base, but I think we are wasting our time talking about it and even researching it.
What I think we need to focus on in not how to crack what is already broken but how can we protect what is using it. I'd love to see WEP go away but it won't happen anytime soon. There are too many implementations in small companies and by legacy and low processing power devices. It's here for a while and we need to figure out how to make it work in as safe a manner as possible.
Now, I'm not a wireless security expert and I may be off base here, but I like to keep things positive. We have to look at the negative so we can see what is wrong, but then we have to look at how to fix it. Look for the positive and move in that direction. Network World has an example of what I'm talking about. This article about a WEP cloaking technology is what we need to be focusing on. I have no idea if this will really work or not, but it's a step in the right direction.
When you are planning to mobilize your forces and embark upon a campaign, if you do not first think about the calamities of danger and destruction, you will not be bale to reap any advantage.
This is a revised version of a post I did last month. I brought it back up in response to some posts that have been floating around the SCC forums. Santa asked us to tell our story so I decided to retell mine with a little more detail. I won't be offended it you choose to pass on reading it this time.
My earliest experiences with computers (not counting Pong) was on a Apple IIc. We used it to keep basic records and such for a softball league that I helped run when I was in high school. I loved it because it was so much more user friendly than the PC's at school. I hadn't played with them because the DOS environment looked too complex for me. I had very little confidence in my intellectual abilities at that stage of my life. Soon after that I took a class in college. I think it was called "Basic Computing". It scared me to death and I swore computers off from then on. Even though I made a B in the class I just didn't get it.
Fast forward to 1995. I moved back to Atlanta to get my Masters Degree and went to work for a company I had worked for years earlier. It was a manufacturing environment and they put me in the Electronics department. Again, I was scared because I considered that kind of stuff over my head. I quickly learned that I could do the work and did a good job at it. There were several Computer Geeks in the department. They all talked computers and built their own so I learned by listening and talking to them. Then I started helping them build systems and decided that this wasn't such a scary field after all. I got my first computer and started learning. It was a clone 8088 that had two 3 1/4 floppies and a 5 1/2 floppy. No hard drive and a 3 meg memory card that was bigger than some servers I now have. I was behind the times but I was making headway.
It was also around that time that the company decided that they needed to start thinking about having their own network and IT manager. They talked to me about the position because I was the only one in the group that had social skills to work with Management. So I decide to focus my MBA on MIS and go from there. Then reality set in and the fact that the company President didn't like me ruined those plans. It was also around that time that my college roommate called with a job in IT no experience required.
I packed up moved to Dallas and that is where I started my original post.
I first started out working for a company that sold telephone banking systems. They were OS/2 based and used primarily Rexx and VScript for the voice coding. I was an installer at first and then moved into the Tech Support department. One thing I had to do was learn basic programming and this is where I learned that I was NOT a programmer. Programmers think differently than the rest of us. :) While I was there I started learning Novell because at that time most small to medium banks still ran Novell networks.
I then took a position at a Bank as the Network Admin for one division of the company. This was a whole different challenge because it was a Windows shop and I knew very little about networking in the world of Microsoft. While there I also learned why it was important that I learn about the OSI model when working on my Novell CNE cert. I learned about routing and switching and discovered that there was much more to the world than OS/2. While there I also came to realize that having a firewall was not all that was needed to secure a network. I was promoted to Corporate Network Admin and assumed more responsibility for security. We didn't have anyone actually in charge of security so I talked to the CIO and unofficially became the security guy. It was here that I really started reading, studying and learning about security.
The next job I took had the promise of learning and practicing more and more security. Promises often don't come turn and this was one of them. I did do lots of security related jobs with customers but it never really panned out to be what I hoped so I moved on.
That lead into my current position of Network/Security Engineer. That pretty much means that I do it all. At least I'm responsible for it all.
Along the way I discovered that I will never know all there is about security. There are areas that are just not my forte. People often ask me what they need to do to get into security. My advice is to tell them to find their passion and focus on that. If it's not directly related to security find out how security fits in and start doing it. Become the security expert in your area. Don't try to learn it all. Don't try to go where the "hot" jobs are at the moment. You will only be successful if you are doing what you really like and what you are passionate about.
Tuesday, April 03, 2007
ComputerWorld is reporting that RFID enabled vending machines have been installed at the Atlanta Airport. They work with RFID enabled credit and debit cards. They say that the transactions are fast and secure.
What really caught my attention was that the data collected will be used for marketing purposes. Even the possibility of having personalized messages on the vending machine itself. I can see it now.
"I see that you usually eat a candy bar with your drink. May I suggest a Snickers Bar today?"
If that were true my wife would send a personalized message for them to use with me.
"Why are you eating junk? I thought you were going to start exercising!"
Maybe I don't like this idea after all.
Since I've started blogging I've met lots of interesting people. Many of them I've bantered with on the blog, many of them I've traded emails and IM's with and a few of them I have developed a friendship with. Two of those are Mike Rothman and Michanel (Santa) Santarcangello. So I'm proud to pass along the good news that the two of them have teamed up to create the Security Education Network. You can read Rothmans release here.
I've known for a while that they were working on something together, but did not have any details. Now that the details are out and the announcement is official I'd like to say Congratulations to them and also encourage all of you to take a look at what they have to offer. I know that I will be an active participant in the SEN. I'll spend time in the lobby adding my 2 cents in and participate in Salons when I can.
I'm excited about the potential that this offers the security community. I know that as someone who has limited training money and time it is good to have other cost effective options beyond books and sub-par training CD's. I'm also excited about the opportunity to "fine tune" my skills on the "soft" side of security. Things that will help me advance my career outside of the technical field into becoming a Pragmatic CSO.
Darkreading.com has a story that expands on the DOE PC loss. If you haven't heard the DOE has lost at least 20 PC's many of which contained classified data.
In the article they talk about how many large corporations would be glad to be able to account for all but 20 of their PC's. Workers move around in building from desk to desk or often they move from office to office. In some companies when a worker moves, even to a new office, their PC goes with them. When this happens often IT never knows about the move.
There are plenty of things that can be done to mitigate the risk from this. Policies about moving equipment and such have their place. Of course there is technology available that will both prevent a moved PC from connecting to the network and also alert you if a system connects on a different port. Much of the technology is expensive, time consuming to implement and requires the personnel to manage it.
Personnel moves can cause your inventory and asset tracking to go awry, but what other ways can it cause "real" security problems? The first one that comes to mind for me is when the equipment "disappears". It gets taken home or sold. What happens to the data then? What about when the PC does make it to the new location often the data is then exposed to new threats. People in the new office now have the potential to gain access to data on that PC that they are not authorized to view.
Asset tracking is a miserable responsibility that can have direct impact on a companies security posture. Not having adequate policies, procedures, controls and monitoring in place can allow the unauthorized access, loss and transmission of data. So like it or not it is an important part of Information Security that we have to keep an eye on.
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.