Security's Everyman

Security's Everyman

Friday, December 28, 2007

How do I log in again?


My AV guy went to a remote site yesterday to work on a system that had a virus that needed special attention to remove. When he got there he was shown the infected PC and the keyboard had a note taped to it. I think I need to republish the password policy and that segment of the User Awareness Program.

Thursday, December 27, 2007

Where's the Breech?!

I was driving back home yesterday from my in-laws with my wife and kids. As usual the girls didn't sleep and they were tired from the long Christmas weekend and they were fussy and grumpy. One would do something just to irritate the other and I was the one getting really irritated.

Shortly after we got on the road my cell phone rang. I answered it to be greeted by a recorded message saying "This is Visa calling to verify some activity on your card. Please call back as soon as possible at 800-br-549". Immediately a red flag went off in my brain. I had only used this card once and that had been several months earlier. In fact I got the card because I had a gift certificate for this online shopping site and they were giving you a "bonus" if you signed up for the card and used it to purchase your items. So I did. I was able to get what I wanted and still have about a $5 credit on the card. So I never even had to enter the card number into the system. The card came in the mail a few days later and I locked it away in a safe place and never even called to activate it.

I called the number that they gave me and it was promptly answered by a IVR asking for the card number of the card I was calling about. Being the ever alert security professional that I am I was not about to actually enter the number into a unknown system (that and the fact that I didn't have the card number with me). I decided that the best and safest way to handle this was to wait until I got home and find the card and get the number off of the documentation that they had provided.

I arrived home late last night and after unloading the car I found the "official" number to call for customer service and gave them a call. Once again I was greeted by an IVR asking for the card number that I was calling about. I entered the number and answered a few security questions before I was asked to verify recent activity. I patiently listened as the recorded voice read off one transaction. A $1 fuel purchase earlier that day. Now the red lights were flashing and bells were ringing. My card had been compromised. If you know anything about stolen credit card numbers then you know that one of the things that they bad guys do when they buy a fresh bunch of numbers is to test them with small transactions usually at gas stations because it is a low visibility place where they can test several cards with small chance of being caught.

I was then transferred to the fraud department where I answered more security questions and promptly had my card canceled. I was assured that I would not be responsible for this or any other charges on the card that may have occurred since the "test". I was told that a new card would be issued and that the credit bureaus would be notified of my misfortune so that they too can be on the look out for my credit well being. All is well.

Now, I've not been notified by any company of a compromise of credit card data since receiving this card so my question is "Where's the breech?". Where along the line did my card info get compromised? Was the online shopping site compromised? Was it the issuing bank? What about the bank that is used by them to process transactions? Maybe it was the clearing house or was it my computer? Since I never entered the number on my computer I don't think that is the problem so where is the problem? Maybe someone stole a copy of the bill that they send me every month (even though I have no transactions) out of the mail. Does this place also have more credit card numbers of mine? Will I be getting more calls on this nature?

I guess I'll have to pay "extra special" attention to my credit reports and my transactions for a while. You gotta love having one more thing to add to the list of things to pay more attention to. Oh well, I guess I should be happy that it was caught and caught early. It could have been a real nightmare.

Monday, December 17, 2007

The passing of a Music Legend

It's not often that I post something that is not Security or IT related but today I decided that this one was worth it. Yesterday morning (Sunday 12/16/07) Dan Fogelberg died of Advanced Prostate Cancer.

I grew up listening to his music and he was one of my favorite singer/songwriters. He wrote incredible lyrics and had a great way of making the music touch you and come alive. I don't think I have ever heard a song of his that I didn't like.

I remember when he released "High Country Snows" back in 1985. A friend lent me his cassette recording of it and I heard a song that has impacted me and been part of my life statement ever since then. The song is "The Higher You Climb". I'm going to post part of the lyrics here and hope that I don't get in trouble.

The higher you climb, the more that you see
The more that you see, the less that you know
The less that you know, the more that you yearn
The more that you yearn, the higher you climb

The farther you reach, the more that you touch
The more that you touch, the fuller you feel
The fuller you feel, the less that you need
The less that you need, the farther you reach
Those words have been in the back (and sometimes the front) of my mind for over 22 years and they have helped to push me to grow in whatever I do.

A couple of things to take from this are: 1) Listen to music that moves you and 2) if you are a male follow Dan's advice and get your Prostate checked regularly.

Dan you and your music will be missed.



Sunday, December 16, 2007

So Long to "In The Trenches" Podcast

Back in 2005 I got my first IPod and discovered podcasts. I did a search for technology podcasts and one of the first, if not the first, one I found was In The Trenches with Kevin Devin and George Starcher. At the time I was truly "in the trenches" and found the content to be relevant and enjoyable to listen to. Even since moving out of the trenches I've continued to listen just because I felt that it was a quality show plus it helped to keep me grounded.

Well Kevin and George have decided to hang up the mic and have recorded and released the last episode of "In The Trenches". I know that I'm gonna miss hearing it every week and want to wish both Kevin and George all the best in their lives and careers.

Thanks Guys for all the hard work and good content.

Friday, December 14, 2007

New Blog Tagline

Last week I went to a luncheon put on by StillSecure and Force10 Networks. I was hoping that Shimel would be there but he had other commitments. I got to meet some great people with both companies, get a good, free meal and some swag. One of the things that they gave out was T-Shrits that had a quote on the front that I loved.

I like you. I just don't trust you.
I checked with Alan to make sure that it wasn't a company slogan and see if I could use it as the new tag line on my blog. It's not part of StillSecure's official slogan or anything and Alan said that they didn't have a problem with me using it. So it's now on my blog as the tag line.

Possibly the BIGGEST Security Story of 2007

When you are dealing with Rich and Chris you never really know what is real and what may be a giant Christmas Hoax. If this story is true then this is the biggest security story of the year. It also goes to prove that your have to be VERY careful, even when dealing with friends, when it comes to opening attachments and clicking on links. So Mom don't get offended that I didn't click on the link to the cute Christmas site that you sent me this morning.

Thursday, December 13, 2007

The UTM Argument

There's a (discussion, debate, argument) going on regarding UTM's and multi-purpose firewalls. Actually it's probably cleared up by now, but I'm going to put my 2 cents worth in anyway since Cutaway did ask me to (I was just too busy to do so at the time). This all started when Cutaway made a post the had some misunderstanding in it. Then he asked for some clarification from several other bloggers, He said:

I wanted to cover this because UTM is actually a different animal then what I was originally addressing. Although I do not have any experience with Unified Threat Management, as a blogger I don’t feel ashamed jumping into it. I am sure that Chris Hoff, Rich Mogull, Lori MacVittie, Andy Willingham, or Alan Shimel will correct me if I am misguided.
Then Hoff and Rothman both responded in somewhat harsh ways and it just kept going from there with Farnum jumping in and dragging me in with him.

Now that I have a few minutes I want to give my take on it. I agree with Cutaway that there is the potential for devices that are labeled UTM to be problematic. Now, whether or not they are truly a UTM device is to be debated. Is Astaro a UTM? What about some of the other smaller vendors who have all in one devices? Do only the "big boys" such as CheckPoint, Juniper, and Cisco have real UTM's?

This is what I think caused the misunderstanding. Lots of vendors call their products UTM's and lots of them are just hardened Linux boxes with various features added to them. Cutaway tried to find out what is it that defines a true UTM instead of a firewall w/ additional features but that got lost in the shuffle. The comment that I made on Cutaway's blog was in regards to the boxes that are multipurpose in practice but not specifically designed that way. I would much more readily trust a CheckPoint box over an Astaro box to protect my enterprise. Why? Because as Farnum says it's a proprietary OS that has been designed to handle different functions in a secure and efficient manner.

So, when is a UTM not a UTM? I guess that all depends on your point of view. I consider a UTM to be a box that has several security features built in (firewall, IPS, VPN, NAC, ACL) to be a UTM. I don't consider them all to be on equal ground when it comes to reliability or secure functionality. You do get what you pay for in most cases. I doubt that most of the smaller vendors have true separation of duties between each function of their device. So if one is compromised then getting to the others is not a big deal.

To answer Cutaway's question, yes there is a difference in a UTM device that has been built from the ground up for that purpose and one that has been "retro fitted" to handle multiple functions. There is a difference in the security of them and the complexity of them. Just as there is a difference in a OS that is built for home use and one that is designed to handle classified government documents. If you are looking to deploy a UTM to protect the enterprise then you need to get a enterprise class UTM and not settle for something that sounds good.

Fuzzy Promises

Nothing is ever as you want it to be and never as good as it seems. I should know better, but I guess I got a little giddy and naive. I trusted Ask.com to help protect my privacy when I do Internet searches. I don't have anything to hide in my searches. I'm not looking for bomb making tips. I'm not trying to find out where the next terrorist training camp will be held. I'm not looking for porn or anything else that I wouldn't want my friends or family to know about (except when I'm looking for a gift for my wife, then she can't know until after the fact).

I decided back in July to change my primary search engine to ask.com because they announced that they would be introducing a new feature that erases your search information and other normally gathered information. I trusted them to do that and to do it completely. I trusted them to do the right thing. I should have known better. Thanks to the guys at the Emergent Chaos blog I now know more about the truth. I should have done as they did and read the privacy policy but I didn't. They are boring and too long, but it would have been a good idea in this case. It seems that they are erasing your info but only from their database. They are still sending it to Google via Google ads. They say that Google is contractually limited in what they can do w/ the data, but they still have it. Why not just give it to them right up front? Google is a better search engine and if they are getting the data anyway why use Ask?

Does this mean that I'll change my primary search engine back to Google? Probably. I haven't made up my mind yet. I'm still irritated and try not to make decisions when my mind isn't clear. I guess I need to also do that when giddiness and excitement fog my thinking also.

Christmas List, End of Year Wrap-up, Predictions for 2008

My Christmas List
I've noticed that the older I get the more content I am with what I have. My Christmas list isn't very long and most of the items are things that I don't need and they are too expensive to ask friends or extended family to get for me. Here it is in order of preference:

  1. 2009 Dodge Challenger (I can't wait until these things hit the street)
  2. 1967 Chevy Camaro SS Convertible (call for specifics)
  3. 2008 Harley Davidson Fat Bob Motorcycle (Not the Fat Boy the Fat Bob)
  4. 17" Apple Mac Book Pro with 4 gig of Ram and 250 gig Hard drive (just because)
  5. 160 Gig Apple IPOD (my 4 gig nano still has space on it)
  6. Magellan Maestro 4210 Portable GPS (not sure what I'll do w/ it but I want it)

Now for my thoughts on 2007 and what happened in IT and Security.
It was a big year for me in terms of my career. Early in January I was notified by ISC2 that I passed the CISSP exam and was now officially certified. Also, I had been wanting to move my career from a "in the trenches" roll to more of a strategic planning roll and it kind of snuck up on me. I was laid off in May and found a Network Security job that quickly became one where I was asked to create an official security plan and lay the ground work for the overall program. So I've touched very little technology in the last 7 months and have become good friends with policy, procedures and compliance. It's been fun although I'm itching to get some 1's and 0's under my fingernails again. :)

There were lots and lots of big stories mostly dealing with data loss, theft or breaches. It seems that every week there was something new happening that gave us reason to hold tighter to our wallets to ensure that our bank accounts weren't emptied or our Identity wasn't stolen.

In my humble opinion one of the best things to happen in 2007 is the Security Catalyst Community. Why? Because there is a quiet storm brewing there. Most people who are in the community only see the surface of what is happening. There are people in the community who are serious and passionate about security and they are actively working to make some changes. There are some people in there who stop and think and make others think. I think that in the near future this group of people are going to make significant strides towards making a difference.

What will next year bring?
I really don't know. I'm not an analyst who looks at trends and acquisitions and such and comes up with predictions. I know that there will be good bad things with regards to security. I know that companies will introduce new products and technologies that will make great strides towards making us more secure and then the bad guys will figure out ways to get around them. People will continue to make bad choices in regards to their online habits and cause problems for themselves and others.

What does this mean? It means that we have to continue to be on our toes, we have to work together to protect the internet, we have to continue to think about what we do, why we do it that way and is there a better way. I think 2008 will bring lots of new ideas on how to do things better. They may not (probably won't be) technology focused. They will be people focused and conceptually focused. More people will question why instead of just following the crowd. This may not be good news for vendors because we will discover that we don't need new products to do things that we really don't need done.

Privacy is a goner!

When I wrote my post on the SSN fiasco earlier this week I started to title the post
"Is Privacy Dead?", but I decided against it for lots of reasons. It's an over used
statement, it's been used before on other blogs, etc. Then today I listened to the
latest episode of Secuirty! Now and what was the title? "Is Privacy Dead?" It was an interesting episode that was very light on "true" security content (many would say that all episodes are light on true security) but had some interesting information.

I think most of us have known for a while that remaining anonymous and retaining full
privacy is a thing of the past. Just when we think we have found the way to hide our
tracks someone else finds a way to follow us. Just about everything that we do is
monitored. Our TV viewing habits, phone calls (or at least who and when), what we buy, what web sites we visit, when we go through a toll booth w/ a "FastPass" type of
technology, who we IM and text message, what music we download, what movies we rent
and on and on and on. These are just a short list of things that someone is watching.

What is bad about this for the average person is that there is little in the way of
control as to what happens to the data. Rarely, if ever, do you have a say in what the company that has the data will do with it. They may sell it, store it, give it away, use it to "profile" you, make recommendations on ads to push to you, products to sell you, which department of the government to pay you a visit. :) It's just mind boggling.

Why can't we just live our lives and remain somewhat anonymous? Why do all these companies need to know so much about us? I know the answers to these questions. At least the reasons that they give, but I just want to be me. I just want to buy my milk and bread without being told that other people who bought milk and bread also bought beer and chips.

We have to rethink what we decide to try and keep private about ourselves. Do we care
that the grocery store knows that we always buy a certain type and flavor of Ice Cream? Is it worth saving 50 cents a tub? Probably for most of us. The same goes for our browsing and buy habits online. Most of us aren't doing anything that we don't want others to know about so we don't care.

What is the problem then? The problem is that we risk becoming apathetic and then when something that really matters comes along we let it go without asking why or doing something to prevent it. The loss of something usually starts out small and then slowly gets bigger and bigger until it's gone.

So, who has your data? Who knows what you do? It may not matter now but I think that you need to care and take steps to limit it.

  1. Ask why a company needs to know this much about you in order for you to save a few cents.
  2. Ask what other options you have other than giving out PII about you.
  3. Ask then what data they collect, what do they do with it and who do they share it with.
  4. Ask what controls do you have over the data and what they do with it.
Then make a decision.
  • Do you go ahead and give in?
  • Do you not give out what you don't have to?
  • Do you "opt out" of what you can?
  • Do you make up some of the information so they can't track the "real" you?

They aren't going to quit collecting data and the bad guys are getting better at getting to it so you have to decide what to do. Protect what you can and make plans to recover if something bad happens with what you can't protect.

Patch Management Poll Results

Judging from the voter turnout for this weeks poll you would think that it was a local government election. Voter turnout is usually in the 10% arena and this week it was closer to about 3%.

Here are the results:
How does your company handle Patch Management?
A)Research, Test, Deploy w/i 30 days 27%
B)Research, Test, Deploy with no set time frame 18%
C)Deploy all soon after release 0%
D)Deploy all after a month or so if no bad effects made known 27%
E)Use MS Update w/ automatic installation 18%
F)We don't need no stinkin' patches 9%

The good news is that most of you are patching your systems and I imagine the one who
voted for (E) is either lying or works in a one may shop running Linux and needs to
patch it.:) The better news is that most of you actually have a plan beyond using MS
Update with no over site. The really good news is that no one said that they were blindly deploying the patches soon after release. Wait, except for those who chose E. :( The bad news is that since so few of you actually voted that makes me wonder if you aren't patching and just don't want to admit it.

There won't be anymore polls this year. It's getting close to the end of the year and
lots of people are going on vacation and when it comes to reading blogs and such I
imagine that lots of people will just give them a quick glance and only actually
read them if they look really interesting or exciting. Actually taking action and
making a choice on a poll is probably asking too much.

Tuesday, December 11, 2007

Ask.com delivers on promise

Back in July I said that I was changing my primary search engine to ask.com because they were actually going to do something to protect privacy by not storing search information. Today they have delivered on that promise. Dave Lewis of the Liquidmatrix security digest had a write up the the new ask eraser feature at ask.com.

When enabled it completely erases all history of your search from ask.com. Pretty cool. It's good to see a company really doing something. I just hope that in a few weeks or months we don't discover that they were just blowing smoke up our................ well, you know.

Monday, December 10, 2007

Have SSN's outlived their usefulness?

Everywhere you look someone has lost data that contains SSN's. It's on a spreadsheet, on a USB key, in a database, in a text file or email. We treat them like they are just a number that has no real value. Everyone asks for them from your insurance company to the phone company. Why does anyone other than our employer need our SSN? I've blogged about this before and had a poll about their use but I still don't have any clear answers.

Recently in the news we read about the breach at the Oak Ridge National Laboratory and one of the pieces of data that was stolen was visitors SSN's. Why did they have to give their SSN to visit? If we don't trust them enough to have "normal" identifying methods then why were we allowing them to even visit? Why wasn't this data encrypted? Why was it still in a state where it was easily accessible since the newest data was 3 years old and the oldest was 18 years old? This is just completely unacceptable for any responsible party to continue to have "vulnerable" data after all that has gone on in the last few years. The government should be leading the way in showing us how to secure and actually doing it. Not leading the way in showing us how to lose data.

The other thing that really gets to me is when companies want you to give out your SSN when applying for their service. WHY!!!!!! Why do they need to know my SSN just to hook up my phone or allow me to watch TV! Then when you object they act like they have no choice but if you push hard enough they will give you an alternative. What I want to know is why not offer the alternative as the only (or at least first) choice. Why not remove the choice of giving your SSN. There are other ways to prove a person's identity or their "risk rating".

I know that many have said that SSN's are so compromised that the only real choice is to throw them away and start over with something else. Some say why bother protecting yours because more than likely it is already publicly available. I say I DON'T CARE!!!!!!!!!!!!!! What if it is easy to find my SSN? IT'S STILL MINE!!!! I should be the one that determines who can and can't have access to it and use it. NOT THE PEOPLE WHOSE SERVICE I AM SEEKING TO PAY FOR!

We have to change our perspective on things. We have to quit having such a nonchalant attitude about our personal information and other things that matter to us. We have to quit rolling over and playing dead and acting like we have no other recourse but to give in. I know that SSN's are a US issue but other countries have similar methods of identification that are just as vulnerable and just as abused.

I had a conversation with a lady a few months ago who worked in IT for a school system and she was commenting on how many Latin students in the elementary school had SSN's. I said that they were probably born here by immigrant parents but she insisted that most of them had been here less than a year. Then I said that maybe that it was a ITIN (Individual Taxpayer Identification Number) since they look like SSN's and go in the same field on most forms. Again she insisted that they weren't ITIN's but real SSN's. If that is true then what does that say? Either they are stolen, their parents lied to get them one or SSN's have become completely meaningless and that getting one is no harder than filling out a form.

Maybe they have outlived their usefulness?

Monday, December 03, 2007

Incident Response Poll Results

The Incident Response Poll closed last week and I was out of town over the weekend so I didn't get a chance to write up the summary. Here are the results:

When it comes to Incident Response does Your Company

Have a formal and tested plan
8 (25%)
Have a plan that hasn't been tested
2 (6%)
Has a general idea what they will do
9 (29%)
Not have a plan
12 (38%)
67% of you answered either "Has a general idea what they will do" or "Not have a plan". That's not very encouraging. It shows that we have not done a good job in conveying the need to management. Perhaps you don't think that the need is that great. I live in a world filled with compliance and most regulations out there require an IR plan. That alone should be enough for you to take to management. Not to mention the sheer lack of understanding of what needs to happen to respond to a breach. If you don't have a plan then how will you know what to do? Do you disconnect the system from the network or leave it connected? Do you power it off or leave it on? Do you have to notify the police? The FBI? A financial institution? Your Customers? Your employees? The media? If you don't know now how do you think you will know when the time comes and you are in the heat of the moment?

A IR Plan details all of this. It tells you what to do and what not to do. It tells you who you need to notify and how to do so. It tells you how to stop breach from continuing and how to clean it up. All of these things and much more are included. Things that can make the difference in a successful incident response and one that is a dismal failure. A successful one is one that your company survives and continues on with little impact. A failure may mean that the company has to shut their doors and go out of business. It may mean that the company survives you you don't. It may drastically alter the way your company does business. That may be good or it may be bad.

If you yourself don't understand the need in a IR plan PLEASE, PLEASE, PLEASE!!!!!! do some research and discover the need. If you do understand the need but haven't been able to communicate it effectively to management PLEASE, PLEASE, PLEASE!!!!!! do some research and find someone who will help you be able to do that. The Security Catalyst Community is a great place to start with that. There are people there who will be able to help you understand the need and be able to communicate it effectively.

For the rest of you that have a plan I only have a little to say. First, congrats to you and your companies for seeing the need and doing something about it. Second, please ensure that it is kept up to date. An outdated plan is almost as bad as not having a plan. Third, if it hasn't been tested please talk to management about testing it. Even if it's just having several people review it and ensure that it makes sense that is better than nothing.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.