Security's Everyman

Tuesday, September 30, 2008

Playing catchup

I think this may be the longest stretch that I've had with no blogging. My last post was on Sept 14th. Since then I've gone on vacation and been preparing for vacation and catching up after vacation. Needless to say it's been busy. Hopefully I'll be back to regular posting now.

I'm going to do a "catch-all" post to try and comment on a couple of things.

I'm going to start off by going back just over two months to a post that Rebecca Herold made regarding awareness training, and a part 2 here. I starred this in Google Reader and then forgot all about it. I'm bad about that. I need things screaming at me so I will remember to go back and read them. Anyway, she talks about the fact that we often fail to give adequate awareness training to those who need it most: specifically, those who deal with customers on a daily basis. Our receptionists, call center reps, etc. These folks are on the front lines but are often ignored as we focus our awareness training on those who are in "check box" positions. What I mean by that is those who work with PCI data, financial info, etc. Somewhere there is a regulation that says "train these people or else". We train them so we can claim compliance and then give the crumbs to the rest.

The next item is actually recent; both of these stories were posted within the last 24 hours. Two different stories with the same theme. I saw this one first and then a few minutes later this one. It seems that we still haven't learned basic security in many cases. What's really sad is that in both of these cases there is really no excuse for this happening. It seems that we are still disposing of devices that have not been sanitized. One case involves a British MI6 agent selling a digital camera on eBay that had all sorts of Top Secret data on it. There were pictures, fingerprints, names of terror suspects and other information. I can see this happening to a "regular" person (obviously not the top secret data, but selling a camera with pictures still on it), but an MI6 agent? I'm sure they are trained in basic security such as this. The next article talks about a Cisco VPN Concentrator that Andrew Mason bought on eBay and that was still configured to automatically connect to the central VPN concentrator at the company it originally belonged to. It's a good thing that Andrew is one of the good guys. According to him he had full access to the network by simply plugging it in and connecting to the Internet.

A story that is close to home involves patient data for 45 people who were patients at Atlanta's Grady Hospital. It seems that their data was inadvertently put on an unsecured web site instead of on a secured web site. There are lots of interesting facts and issues involved in this that you can read about here. First of all, companies often give too many people access to their web sites to add content. Just as we don't give everyone access to our financial data, we shouldn't give everyone, or even several people, rights to add content to web sites. There is way too much risk of insecure or unauthorized code/data getting put up. We have a hard enough time getting our web developers to write secure code, much less allowing marketing or any other department to add content at will. The second problem that I see is that Grady outsourced the work to one company, which outsourced it to another company, which outsourced it to a third company. I'm not totally opposed to outsourcing but this is ridiculous. Either legal didn't do their job in contract negotiations or they need to do a better job of ensuring that outsourcers are staying within the bounds of the contract.

One last thing that I want to comment on. Kudos to Jeremiah Grossman and Robert "RSnake" Hansen for the way that they handled themselves when vendors requested that they not release information regarding their OWASP talk on clickjacking. It shows maturity on their part to be patient and not try to rush something out just to get name recognition. Not that either of them is hurting for name recognition.

There are lots of other things that have been going on over the last 2 weeks but many other bloggers have done a great job of covering them so hopefully you already know all you need to know about them.

Sunday, September 14, 2008

CSI Video Interview

Last week I was interviewed by Robert Richardson, the Director of the Computer Security Institute, about the FOI concept that I've written about a few times. The interview is now up and you can find it here.

Friday, September 12, 2008

I want my Cingular back!

Until AT&T bought Bell South a while back I had not had many dealings with them outside of a T1 circuit or two that I had to manage. Honestly I wasn't happy with them then and I'm even more unhappy with them now.

I've been a Bell South/Cingular customer for a long time. My first personal cell phone was with a company (I can't remember their name for the life of me) that merged with another company and became Cingular. I had always been pretty happy with them. Service and coverage were both good and dropped calls were rare. Then along came AT&T. Now coverage stinks and dropped calls are a common occurrence. I'm not sure what exactly changed to cause this. Did they knock down some towers to make coverage worse? Are they randomly pulling the plug on some calls just to irritate customers? It seems to me that since they inherited a good network, things would only get better as they added their infrastructure to what already existed. Obviously I'm wrong there.

I also have an AT&T air card that I use (or try to use) when I'm working remotely. Actually, I was pretty happy with it at first. I'd go to my favorite local coffee shop to work and had good coverage and no real problems. Then when that shop closed I had to move to other coffee shops to work, and I can't find one that has decent coverage. I get 2 bars on a good day but mostly one. Try to run VPN with one bar. Not gonna happen. Then when I do get going I lose the connection and have to reinitiate it. There are 3 coffee shops within a short distance of my house that I've tried working from and all of them are in bad coverage areas. They are not all side by side either. They are spread out so that I should be able to find decent coverage. So now instead of driving 2 to 4 miles away to work I'm having to expand my reach. Last week I tried a coffee shop about 9 miles away and had poor coverage. Today I'm at another one about 7 miles away that sits right in between 2 interstates and still coverage is poor and it continues to drop. Even in downtown Atlanta I have problems.

So I want my Cingular back. I want to go back to good coverage and to times when dropped calls and connections are rare. I want to go back to the good ole days!

Slow to criticize, quick to applaud

I usually try not to criticize too quickly, but occasionally I do. I don't think that my criticism of Apple yesterday was quick considering their past record that I mentioned in that post. However, I did have my doubts as to how they would handle the bad driver issue and how quickly they would correct it. Today I see that they have already fixed the problem and are sending out updates to iTunes.

According to my secret source (OK, so it's not a secret source, but I've always wanted to have one) Ed Bott has a new post up talking about the fix and his experiences with installing iTunes now that the fix has been released.

Good job Apple. I had my doubts but you proved me wrong.

Thursday, September 11, 2008

FOI in depth

OK, so what started out as a funny comment on Twitter has started to turn into something. The FOI (Failure of Investment) concept has been picked up on by a few others who have added to it, questioned it, and some think it has a future. I read one post in particular that I wanted to comment on and expand my thoughts a bit. So instead of doing it via a comment on the blog I decided to do it here. Before I go any further I recommend that you hop over to Jack Daniel's blog at Uncommon Sense Security and read his thoughts on this. After all, he was kind of the brainchild behind this. I'll wait patiently for you to read it and then I'll continue.

Oh good, you're back.

Today, Sara Peters, who blogs at Security Provoked, the blog of CSI (Computer Security Institute), picked up on the FOI concept and said that she liked it but wasn't sure she bought it yet. One of her concerns was that FOI focused too much on straight security and not enough on risk management. I would say to her that FOI is all about risk management. After all, security is managing risk. If we don't support the business, by understanding it and its goals, then we have failed. If we don't look at what we are doing in light of the business objectives then we are not securing the business; we are securing the technology, which misses the mark. Security for the sake of security is no security at all.

Can we continue to trust Apple?

If you've read my blog for very long you probably know that I'm not a big fan of Apple, Inc. I think that they have some very cool technology and in many ways I'd love to actually have some of it. A MacBook Pro would be nice to have because I think it's a really good laptop. I'd love to have an iPod Touch because it gives me the flexibility of using it as an mp3 and video player as well as allowing me to surf the Internet via wireless networks. Yet I just can't bring myself to buy any of them because I just don't trust them.

Apple has shown itself time and again to only care about themselves and not their customers. They appear to be willing to do whatever it takes to further their agenda even if it means being dishonest and underhanded. They will even try to ruin the careers of security researchers if it will keep their public image intact. They are willing to try and increase market share for their Safari browser by sneaking it in an update.

I've heard and read horror stories about support when you have to send things off for repair. I've heard them deny that a vulnerability exists and then quietly fix it a month or two later. Then they have the gall to say that the fix wasn't for the earlier announced vulnerability but for something that was not publicly known. They don't seem to care that they release patches that don't fix what they say the patch fixes.

To me this all says that Apple, Inc. has an ethics problem, and when it is this blatant I have a hard time doing business with them. It definitely affects the level of trust that I have in them. The question is: will you and other customers continue to trust them?

Why do I ask this? It seems that once again Apple is sneaking things into their updates that they don't feel the need to inform us about. Ed Bott does a good job of chronicling issues with the latest release of iTunes 8 and some things that happen when you think that all you are updating is iTunes and QuickTime. If what he and others are saying is true, then not only is Apple sneaking things into the update process but they are also causing all sorts of problems on Windows systems. How will Apple deal with these problems? That is the big question here. Not so much the fact that they are installing things beyond iTunes, although that is an issue that they need to deal with.

I've not installed iTunes 8 yet and won't until I know that the problems are fixed. Why do I use iTunes at all since I'm not an Apple fan? Because I bought an iPod Nano from my brother-in-law a few years back and I use iTunes because it came with the iPod. At that time I actually still had some respect for Apple. When my iPod dies I imagine I will get a different mp3 player and ditch iTunes altogether.

Monday, September 08, 2008

Voting Security

The other day I was looking on iTunes for a new information security podcast. I ran across a couple that I thought I'd download and see if they were worth subscribing to. One of them is called the Data Security Podcast and I listened to it this morning on the way to work. The podcast was pretty good, at least good enough that I'll listen to a couple more episodes before deciding if it will stay on my list of regulars.

One thing that they talked about was how Ohio has come up with some new regulations on electronic voting security. Things like not allowing poll workers to transport machines and related items (cards, etc.) in their personal cars and not allowing them to store them at home overnight. Then they went on to talk about the potential badness that could occur from this happening. What really intrigued me was a suggestion that they made. They thought that it would be a good idea for information security professionals to volunteer to work the polls on election day. Their premise is that many information security professionals have a good understanding of the risks associated with electronic voting and may be able to keep an eye on things and help to keep the polls more secure. Of course, the potential for bad things to happen could also increase if hackers volunteered to "help" at the polls. I think all in all that it is a good thing for us to get more involved in the democratic process in any way that we can.

Friday, September 05, 2008

How NOT to work securely from a coffee shop

Many of you are aware that my favorite independent coffee shop closed about a month ago. Since then I'm having a hard time finding a good place to work from when I don't go into the office. I've tried another local coffee shop that is just too small and uncomfortable to work from. I've tried 2 different Starbucks that have very poor reception for my AT&T air card, so VPN is out of the question. Today I decided to drive a little farther to another Starbucks to try it out. Air card reception is good, coffee is good, atmosphere (music, tables, light, etc.) is good. So I'm pretty happy.

When I got here there were several people sitting around, so I found a table next to a wall with an outlet and set up shop. The table is one of three along a long booth seat. The middle table was empty and the other end table was occupied by a lady who also was set up to work. Papers were out, cell phone on the table, laptop up and running. Shortly after I got here a friend of hers walked in and spoke to her. After getting his coffee he came back and asked her if she had a minute to talk. She said sure and he said lock your laptop and come with me. She looked at him like he was a little off in the head and said "What do you mean?" He told her to password protect her laptop so that this guy (looking at me) won't steal all of your personal info. I looked at him and said "Good advice, I am a hacker". Then, of course, I told him that I was one of the good guys. So she locks her laptop and they go to the parking lot.

While she is in the parking lot with this guy all of her stuff is right here. Laptop, cell phone, papers (insurance settlement related, I gathered from her phone conversations), purse (which I'm sure had her wallet with license, credit cards, etc.). They were gone for several minutes, plenty of time for someone with less morals and ethics to do lots of damage. After a while she comes back and unlocks her laptop and goes back to work. After a few minutes she places a call and starts talking about work stuff. I heard her mention a claim settlement and then she seemed to realize that she was in public, so she gets up and walks to the back of the store. Again, everything is left right there, but this time her laptop is not locked. She can't see the table she was at and I can't see her. Another perfect opportunity to take something, read something, load a keystroke logger, get CC #'s, etc. It's a good thing I'm a good guy.

After about 15 minutes she comes back and goes back to work. Again after just a short time she's talking on the phone and tells the person that she can go to her car and print something out. I guess she has a 12V converter in her car. So she unplugs her laptop, picks up her purse and leaves the building. She's getting better, but she left her phone and papers sitting there. In a few minutes her phone rings and it's all I can do not to answer it. I resist and a few minutes later she returns with her purse and laptop. Plugs back up and gets to work. She stayed with her stuff for the rest of the time she is in the store, that is, right up to the time she is ready to leave. She shuts down, unplugs and stacks everything up in a nice and neat stack. Then she goes to the bathroom with her stuff nicely stacked up and ready to be walked out the door. The shop was empty by now except for myself, the lady and a couple of employees who were not in sight.

This is a perfect example of what not to do. She made so many mistakes that I started to wonder if maybe this was some sort of a sting operation. I envision agents in the parking lot waiting with hands on guns for someone to do something illegal. Maybe someone with a high power lens across the street snapping pictures. If so then they failed to make a bust today. Maybe next time they will have more luck. :)

Security ROI - The debate continues

It seems that blog topics are cyclical and raise their heads every few months. A couple of the hot ones are full disclosure and ROI, both of which have reared their ugly heads lately. ROI has been on the front pages again in the last few days and it seems that as usual we can't agree on whether or not there is such a thing as security ROI. The purists say that it doesn't exist because it doesn't meet the "true" definition of ROI. The "revisionists" say that there is ROI on security but you have to measure it differently. Yada, yada, yada, the debate goes on and on..............zzzzzzzzzzzzzzz.

Yesterday it hit Twitter and several people jumped in and commented, but one that really struck me came from my friend Jack Daniel. He said that the true measure of security is failure or, as the new buzzword says, "Security Fail". That struck a chord with me and I have to agree 100%. That is the true measure of security, whether it be a device, application, or program. If you fail you lose. So Jack and I coined the new term FOI, Failure of Investment. When it comes to buying, implementing, or doing anything in regards to security, the value of the investment is determined by success or failure. Not how much it cost vs. saved. Not how easy it is to deploy or manage. Not how much time it saves, etc. The real measure is made when it protects or fails to protect.

It may be that it does a great job of protecting most of the time, but the one failure may be its (or your) demise. Now we have to define failure though. In my mind failure doesn't come because a new flaw was discovered in your AV, firewall, IDS/IPS, or other security device or app. It comes when that flaw isn't managed properly by either the vendor or your team. If the vendor fails to respond properly and the vulnerability is exploited, then they fail. If they do respond properly and you fail to implement the fix, or if you fail to look for and implement other measures to protect yourself during the vulnerability window, then you fail.

As we all know failure can be fatal to your job. So it's in our best interest to quit debating and trying to define Security ROI and to focus on preventing FOI.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.