Security's Everyman

Security's Everyman

Wednesday, July 30, 2008

A little public transportation snooping

I started riding the bus from where I live into town a little over a year ago. When I first started there were 3 departures each morning and maybe 60 people total used the bus. Now that gas is $4 a gallon there are 4 departures each morning and about 200 people are riding. Of course when you ride with the same people daily you get to know them a little and conversation flows a little easier. This can be a paradise for a social engineer. Just today 2 events occurred on the ride home that caught my attention.

The first involved a man who was looking for a ride to the town where I live. He does not live there and was going to meet someone. He started asking questions of some of the riders about where the bus stopped and when it usually arrives, etc.. Then he made a phone call presumably to the person he is going to meet. The talked about the specifics of meeting and at some point the person wanted to give him a different phone number to call when he got closer to town. He said that he didn't have anything to write it down with but he would try to remember it. After he hung up the phone a nice lady sitting in front of him handed him a slip of paper with the number on it.

My first thought was "boy, she sure is nosey" but then again she probably was just being helpful and couldn't help but overhear the conversation. You could even say I was being nosey since I'm telling you the details. :) Then I thought of how easy it would have been for a similar scenario to have taken place regarding company information. As I write this I remember a couple of conversations that a network engineer that works for a big telephone company in the area had. He was talking to another engineer trying to help him solve a problem and router names and IP's were given over the phone. Other details regarding routes and ACL's were also freely given on a crowded bus.

The next issue that occurred today involves the guy sitting next to me. The first issue is that he woke me up to ask if he could sit next to me. Now that I look around I see that there are no other empty seats so I'll let it slide this time. :) Next he pulled out his laptop and started writing code, reading and writing emails and opened a database. All right there for me to see. All of it is company related (yes, I looked and I wish I had the nerve of Johnny Long to take a picture). I've got a perfect view of his screen and can tell that he is working on the database that he opened. His emails are being sent to work detailing what he is changing in the database. The one good piece of news is that he at least has his wireless radio turned off. I first pulled out NetStumbler to see if I could see him.

This just all goes to show you that you never know who is listening or looking over your shoulder. You really need to be careful when in a crowd.

For everything else there's karma

Thursday, July 24, 2008

DNS 'sploit - Irresponsible?

This whole DNS issue has become a "circus" to put it in the words of Chris Hoff. First there was the ruckus around the fact the Dan Kaminsky was only releasing some details of the vulnerability. People called him names and said unkind things about him. Then he met with a group of people and gave them details. They agreed with him that it was a bad thing and that we needed to patch now. Those who said things about him apologized. Then people started publically speculating about what the problem could be. Those that knew were sworn to secrecy. The rest of us were left to make our own guesses or talk about what we heard others say it might be. Then Havlar Flake put his cards on the table and the guys at Matasano confirmed his speculation. That opened up a whole new series of discussions. Why did Matasano have a post read to go? Why did they post it and then retract it? Was it an accidental posting or done purposefully? Some got mad at them and others praised them for giving us the details.

Now HD Moore has released an exploit for Metasploit. This makes it much easier for script kiddies and others to now use this against unpatched DNS servers. It also makes it much easier for the bad guys who don't already have a exploit to get one to use against the rest of us. All of this has led to lots of discussion on the internet and twitter. Should HD Moore have released an exploit? But the bad guys probably already have one so what does it matter. If he didn't do it someone else would. Etc... Some of the comments are valid and some are just stupid. Some are speculating that HD, the Matasano team and others are trying to steal Dan's BlackHat spotlight. Then there is the whole arguement as to wether or not Dan should even have a BlackHat talk planned on this.

I am a proponent of tools such as Metasploit and Core Impact. I think that they serve a good purpose for those of us in information security. I use Metasploit myself to test my systems. Even if they can be used for bad that doesn't mean that they don't have their place in the world of technology. If we didn't have them to test our systems with then we wouldn't really know how vulnerable we are. But I think that HD stepped over the line with releasing this exploit at this time. There is NO valid reason for it to be released. There are LOTS of other ways to test if your system is vulnerable. You can go to Dan Kaminsky's site and test it there. If it's a windows machine you can run windows update. If it's a *nix system you can check to see when the last patch was applied. Lots of ways besides using Metasploit. Not to mention that it hasn't been that long since the patches were released. Lots of companies haven't patched yet due to testing, apathy, ignorance of the issue, etc.. From all I can tell AT&T still hase lots of unpatched servers used by the IPhones and DSL service. @Techdulla on Twitter commented that he called his ISP to ask them why they hadn't patched and one of their engineers said "What Patch are you refeering to?" I'm afraid that is the response of lots of DNS admins.

As security professionals we have to be responsible in how we practice our profession. If not then we are putting ourselves and our users at risk. We are even putting others at risk with our actions when we are irresponsible. Just as the guys at Matasano were irresponsible for having a ready to go post with details on the DNS vulnerability HD acted irresponsibly by releasing a exploit for this. We can't just do something to be the first on to do it. We have to act in a responsible manner or we risk losing the credibility that we have built within the community of other information security professionals.

Now I'm going to ask your opinion. I'll put up a poll shortly that I'd like you to participate in. Here is the question and the answer choices.

Should HD Moore have released an exploit for the DNS Vulnerability?
A. Yes, we deserve to have it
B. Yes, if he didn't someone else would
C. Yes, the bad guys already have their own
D. No, it was irresponsible of him to do so
E. No, it's too early and several people haven't patched their servers yet.
F. No, we don't need WhiteHat exploits.

Wednesday, July 23, 2008

Good stuff in the SCC

I just wanted to take a minute and point you to a couple of good conversations going on in the Security Catalysts Community.

Stop by and check these and the other posts out. This is a great place to get information, interact with other security professionals and stay on top of your game.

Tuesday, July 22, 2008

DNS Problem

OK, so the news is out. Someone has figured out what it is that Dan Kaminsky discovered in DNS that has so many people concerned. Now that we know what the problem is that means that the bad guys know. If the bad guys know it's only a matter of hours (quiet possibly by now) before a exploit is released into the wild. That is bad news.

Even if you have patched your servers it could be bad news for you. Why? Because your DNS server relies on other DNS servers to tell it where web sites are. If your DNS server get bad information from a compromised DNS server it's game over. What are the chances that your DNS server will communicate with a unpatched, vulnerable DNS server? My guess is that the chances are pretty good. If you look at my little poll (which is a very small sampling of my readers and extremely small sampling of those who manage DNS servers worldwide) 42% have not patched their servers yet because they are still testing the patch. This number hopefully is smaller by now since they have had time to complete testing.

What has me worried is all of those who manage DNS servers and don't follow blogs, tech news sites and other forms of communication that would get the word to them. How are they going to know to patch their servers? I've not seen anything in the main stream media talking about this. Vendors don't have a good way of communicating with customers when problems such as this arise, especially those who download free software that doesn't require registration.

There is a lot of speculation around the release of the details of the issue. Should Halvar Flake have posted his speculations on his blog? Should the blogger at Matasano have posted his reply (which was promptly removed from the site)? People are arguing about whether or not Halvar was right or wrong in what he did. Others are complaining because Dan didn't release more details to the public. There is a place for all of this bickering and speculation but now is not the time. Now is the time to ensure that everyone patches their DNS servers and that we get the work out so that everyone knows that this needs to be done.

So get on the phone, compose emails, use Twitter or any way you can to make sure that all of your friends and contacts who manage DNS servers know about this. Call you ISP and ask them if they have patched yet and if they haven't then consider using a DNS server that you know has been patched. You can use Open DNS or another ISPs DNS servers that you know have been patched. Those of you who manage DNS servers may want to consider clamping down on who you allow your DNS servers to communicate with. This is a standard good practice any way but now you may want to be even more careful.

I'm not crying "the sky is falling" and I'm not trying to spread FUD (fear, uncertainity and doubt) but this has potential to be bad. It is something that needs to be taken seriously and dealt with. When you get this many people who are respected in the industry all saying the same thing then it needs to be heeded. When you get this many vendors working together to release a patch simultanously then we need to apply the patch.

Tuesday, July 15, 2008

Viacom takes the high road

According to this article on ComputerWorld.com Viacom has agreed to allow Google and YouTube to obfuscate the user names and IP addresses of those who view videos on YouTube. That is good news for all of us whether or not you feel that you have something to hide. It is still not a good thing that the Judge felt that our privacy had no place in this but hats off to Viacom and Google for working out this agreement.

One thing that we have to keep in mind is that when we allow our rights to be eroded little by little we will wake up one day and realize that we no longer have any rights. This is how we end up in places we don't want to be. Every time we give something up or compromise a core value, belief or right we open up the way for a little more to be taken away at another time. A good example from life is telling a "little white lie". We think that it won't hurt but then we have to remember what we said, who we said it to, who knows the truth, etc... Then if we are called on to defend it we have to either fess up or continue to lie and slip further down the slippery slope.

To tie this into information security this is also how a hacker works his way into our network. He starts out looking for a small flaw or vulnerability and then over time he increases his level of rights and authority. We have to be diligent to keep our systems, applications and infrastructure in good order to prevent him from finding and exploiting flaws. If we compromise little things then later the big things will come back to bite us.

Saturday, July 12, 2008

Information Security Poll on the DNS Patch

I haven't done a poll in a while and decided that the DNS issue was a good time to bring back the poll. I have a simple question "Have You Patched Your DNS Server?"

The reason that I'm asking is because I want to know just how quickly everyone has reacted and whether or not some of you think that it's not a big deal. Also, if you have internal DNS servers that don't get updates from the internet I'm curious as to whether you still patched due to potential insider threat issues.

Wednesday, July 09, 2008

Don't bring a gun to a knife fight

This story on Foxnews.com was just too good to pass up. I had to find some way to tie it into information security. It seems that this woman had seen one too many mice and decided that the best way to deal with them is Clint Eastwood style. Bring out the 44 Magnum and see what damage can be done. Fortunately for the mice the only real damage was done to the woman and her friend. My favorite quote from the story is this "The mice escaped the shooting unharmed".

Companies often approach security issues in a similar fashion. They have incidents (virus, web site defacement, lost tape, etc) and they let it go for a while without doing much about it and then all of a sudden they react or more likely overreact. They start doing things like full disk encryption or deploying a new $80,000 device without doing a risk analysis or determining what else could be done to mitigate the problem in a way that better serves the company.

For example, the company that I work for has lots of laptop users. They take their laptops home, on vacation, leave them on their desk, go to the coffee shop, etc. There is a good chance that someone will lose or have their laptop stolen. Is full disk encryption something that I need to deploy to all laptop users? Maybe. Maybe not. When you look at the fact that very little data that we have is not freely accessible through open records requests then that reduces the chance that a lost or stolen laptop will have sensitive data. So do I spend 10's of thousands of dollars on FDE or do I ensure that the data is protected using what we already have? Do I put things in place that makes it very difficult for users to get data that they are not supposed to have? Then I reduce the footprint of laptops needing FDE and make it more manageable and affordable.

This is just one example of how a "obvious" answer to a problem may not really be the best answer. Just as using a 44 Magnum isn't the best way to get rid of mice.

The information security industry is stuck in a rut and needs to stop and reconsider what and why it is doing things. It needs to step back and get a fresh view of things before making a decision or a recommendation. Those of us who are in the industry need to think instead of react and we need to lead the charge within our companies when other departments or management starts of bring a gun to a knife fight. Don't be afraid to challenge the status quo and to be to one who challenges conventional thinking.

Thursday, July 03, 2008

No silver lining behind these clouds

Although I'm not a official "Web Worker" I subscribe to the Web Worker Daily RSS feed. They often have good tips and hints that make online life a little easier. Today they have a post about Online document services such as Google Docs. As cloud computing becomes more and more popular there are more and more services coming online and there are more and more documents being stored in the cloud. I have a Google Docs account and have a few things out there but not much and nothing that I would consider personal or sensitive. I doubt that I ever will put anything of that nature out there. I just don't trust the model.

The WWD article focuses on the privacy policy of 3 of the most popular services, Google Docs, Zoho, and Acrobat.com. They are curious what each has to say about privacy, document ownership and such. Actually it's pretty scary when you read the "highlights" that the article mentions. Once again Google scares the bejesus out of me with their policy. When I read something like this it makes me like Google less and less even though I still use their services for things such as this blog and my RSS reader. As I mentioned I also have a Google Docs account, a Gmail account and a  Google calendar. I rarely use the last 3 any more. I just can't quiet bring myself to use them regularly. Oh yeah, I also have a YouTube account and probably another thing or two that Google now owns. I think that if I were to look into really using a free online document service I'd have to give serious consideration to Zoho over Google or Acrobat.com. I don't like what I see in the privacy policy of those two. Of course I haven't read all of the policies for any of them so I may not like any of them.

These things scare me for other reasons also. Lack of control over what happens to them. The fact that they are in the cloud means that there is more opportunity for others to get to them and either steal them or alter them. Not to mention that even though I'm very cautious I'm still human and still make mistakes from time to time. I'd hate to put something sensitive or personal out there and forget to mark it private. Do a Google search (there's another one I use all the time) for public calendar events or docs and see what you find. It will make you shake your head in wonder of what you will find. I guarantee most of those were never meant to be seen by the general public. They are there because of a mistake made by a person.

Anything online has it's inherent security weaknesses. It's still the Internet and no matter how secure you try to make it there are those who will prove you wrong. In my opinion personal, sensitive and business related data does not belong in the cloud.

Privacy, We don't need no stinkin' privacy

At least that is apparently what Judge Louis Stanton of the U.S. District Court for the Southern District of New York thinks. He has ordered Google to turn over 12 terabytes of data to Viacom. This data contains PERSONAL information on all YouTube users who have created an account and viewed videos. This data contains user ID's, IP addresses and viewing/uploading history. Obviously this does present a teeny bit of a privacy concern. The good Judge Stanton dismissed Google's privacy concerns as "speculative". That's like saying if you put a unpatched Windows XP machine on the internet w/ a public IP address you MIGHT get pwned. Give me a break.

Viacom has NO need for all of this information. If they want to know who uploaded what that is a different story. To say that they need to know who watched what is a violation of our privacy rights. This article from ComputerWorld reporter Heather Havenstein has a good write up on the ruling along with this quote from Michael Arrington

"Handing over user names and a list of videos they've watched to a highly litigious copyright holder is extremely likely to result in lawsuits against those users that have watched copyrighted content on YouTube," he wrote. "[The judge] clearly doesn't understand that far more data is being transferred than is necessary to comply with Viacom's core stated concern, which is to understand the popularity of copyright-infringing v. non-infringing material.

"Viacom has asked for far more data than that, and there's only one use for that data: to sue individual users (or shake them down via the threat of lawsuit, which has been perfected by the RIAA) who have watched a few music videos or television shows on YouTube,"

That's right, he said coming after you and me for watching these videos. Some would say that is far fetched but when you look at what the RIAA has done to some who share music then you kinda begin to think that there is some credence to this.

This is also just more proof that those in the legal profession need to have a better understanding of technology and the implications of what may happen when they order things such as this. Fear that this data may be used beyond the scope of the order are not speculative. Even if Viacom doesn't use the data to come after viewers it could be compromised and then users could be blackmailed or publicly embarrassed for their viewing habits.

I don't think like that

One of the things that I've said for years is that people who write code think differently than the rest of the world, especially those of us who come from a networking background. The thinking differential within information technology gets even fuzzier. Network guys think differently than server guys who think differently than database guys who think differently than developers, who think differently than the security guys etc... In recent years it also expanded to include those of us who focus on policy and process and program development. Actually it seems that no one understands those of us who do this.

Years ago I realized that I am NOT a programmer. My mind just does not work like that. As time went on I came to the realization that more and more I think less technically and more strategically. So now more than ever I really don't think like a programmer. I'm still able to look at code and and make out (basically) what is going on. Just don't ask me to write the code. I promise you it won't get your desired results. Unless your desired result is to make me look very foolish.

I just read this from Errata Security where fellow Atlantan, Robert Graham, talks to us about how hackers think differently than your average coder. He makes so good points and reinforces the theory that when you have a Pen Test done or have a code review done you are often better off hiring a hacker. Maybe not a real black hat hacker but someone who thinks in the same way. Someone who thinks concretely instead of abstractly. If you talk to the guys who work for Errata, Secure Works, and lots of other security companies you will discover that the people that they hire are not your average Joe. (I hope I don't offend anyone reading this) :). These guys just think differently and that is their advantage.

When a coder writes code he writes it to accomplish a specific goal. When a hacker attacks code his goal is to make it do something that it wasn't intended to do. Robert does a good job of explaining the differences between those with a hacking mindset and those who are coders. I like this statement that Robert made,

The consequence of this is that coders rarely understand how their code actually works. This is why Java is so often unbearably slow - the coders don't understand what the software is really doing.

They understand how to make it do what they want but they don't understand how what they did can also be used against them later. They think about what they want it to do and don't go beyond that to think about what else it could do. The same problem exist in other areas of IT. Most network guys think about how to make a switch or router route and segment traffic in the most effective way. They don't think about how setting up this VLAN with a connection to that VLAN can reduce the security of each VLAN. They don't think about how putting a command in a router can allow a hacker to gain access to the router or to the network that it is sitting in front of. Firewalls are another area where someone who understands networking but doesn't think "security" can easily misconfigure. One wrong port opened can spell 'pwned' for your network.

So what's the answer? If you lead teams then encourage them to learn to think like a security pro or a hacker. Get them quality training, encourage them to read blogs and other writings by hackers. If you have the resources and time set up a "play" lab for them to hack on and learn on. You won't be able to teach everyone how to think like a hacker or even a good security pro, but if you can change the way they think even a little bit it can go along way in helping you to secure your environment.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.