The Employment Vulnerability, part 2

We all know TJX was irresponsible with customer data, but what can we determine through the Employment Vulnerability?  I got a call from a headhunter in mid-2006, the call was the beginning of an interesting story.

In mid-2006 a recruiter called and asked if I would be interested in a position as a Security Analyst; intrigued, I asked for details. After an exchange of emails, the recruiter told me that the position was with TJX, they were forming an information security team. That's right, over a year and a half ago TJX was starting to think about forming a team dedicated to information security. Then, as is often the case with recruiters, nothing- no more emails or phone calls. I shrugged and went on with life. 

I was a bit surprised when the same recruiter called me early this year and asked if I was still be interested in the position we had discussed last year. The recruiter said TJX had dropped the search last summer, but were suddenly renewing the Security Operations Center project in earnest and wanted to place people quickly. More out of curiosity than a desire to join TJX, I agreed to a phone interview a few days later.  Just minutes before the scheduled interview, I received a call from the recruiter who apologetically asked if we could reschedule the phone interview for later in the week because something was going on at TJX and they couldn't do the interview that afternoon.  Moments later, my newsgroups and email newsletters were telling the tale of the TJX data breach.

We did reschedule the phone interview, it went well- but nothing came of it.  The manager who conducted the interview was understandably reluctant to provide details about the internal situation, but it sure sounded like he had spent the week screaming "I told you so".  Maybe that was just my imagination, but I did sense more than a little frustration with senior management in his comments during the interview.  TJX outsourced all of their incident response and did not assemble an in-house security team.  Still curious about TJX's handling of the fiasco, I went to the TJX careers site and found several positions listed.  Their "job codes" consist of the two-digit year and a sequential listing number, and there were a handful of 06-low number listings for IT and Information Security positions- confirmation that the positions had been unfilled for almost a year. 

This fall TJX finally resumed the quest, they are seeking an IT Security Architecture Manager.  Bill Brenner wrote about this in the Security Bytes blog back in October and the position is still open.  Part of the job description includes:

"Responsible for developing and documenting a comprehensive information security architecture"

Developing a security architecture?  What a great idea!  It seems a bit late to roll out that idea, but maybe they don't want to rush into things.  I can't imagine why this position remains unfilled.  I wonder if TJX is still dragging their feet, or if they can't get any qualified takers.  Either one seems likely.

Back to the "employment vulnerability", I learned that TJX knew they needed to do something about security, but weren't concerned enough to do anything until it was too late- and even then they didn't build a team.  I also learned that upper management wasn't listening to their own employees about the problem.  We also know that they are advertising for a key position, but haven't found anyone in months.  And that some of the tasks which will fall on the shoulders of the new manager should have been done years ago.  While this doesn't compare to the data breach that got (and keeps) TJX in the news, it is another form of data leakage which doesn't look good for the company.

 

Jack

The Employment Vulnerability

Here's a dirty little secret: There are few areas where security and privacy are intentionally compromised more than in the recruiting and hiring process.

You've probably seen it yourself, job seekers give up personal information they wouldn't imagine sharing publicly- but no one really knows what safeguards a prospective employer has in place. Will those resumes and applications (and maybe background and credit checks) end up unshredded in a dumpster someday? Job seekers don't dare call employers on issues, because they want a job. A "security" company uses ChoicePoint for background screening; candidates submit to this because they want the position, but it taints their opinion of the company forever- and may compromise their confidential information.

The employers are not any better, they lower their shields and leak information profusely during the process.

Think about what you might see when you go for an interview:

• The type and installation of physical locks and barriers.
• Hmm, the card readers are screwed to the door with standard screws, not tamper proof ones.
• The presence of guards, greeters and cameras- and their blind spots.
• Does everyone have ID? Do guests (applicants)? Does anyone check them?
• Are there public spaces?
• Brands and models of computer and network hardware in use, probably some of the software, too.
• Presence of wireless networks.
  • Are those "enterprise" Linksys WRT54Gs!?
  • Did I leave Kismet running on my PDA?
• Doors propped open for the "smoker's lounge" (back door).
• Did the recruiter really just hit enter to wake up his machine?
  • No passwords on a machine accessing candidate data?
• And much more...

Then the interview starts and you are grilled on specific knowledge and general attitudes. Those aren't just random questions, they are specific answers, too. Those questions are answers about their systems, infrastructure, and policies. They won't ask about your knowledge of NT 4.0 unless they are still using it.

From the employer's perspective, when you interview someone you know that you have to expose at least a few details about:

• Internal systems and network architecture.
• Products, versions and systems in use.
• Staffing levels, workloads and distribution of duties.
• Hours of operation and coverage

Even advertisements give away information; "experience with Oracle mandatory" or "CCNP or CCIE preferred" could give someone a pretty good idea what plugins to load in their arsenal of attack (er, testing) tools.

Don't look down here for any real answers to the issues mentioned above, they are largely unavoidable. Improved awareness is probably the best way to address the Employment Vulnerability. Employers can be a little more careful vetting candidates before revealing too many sensitive details, and candidates can limit the amount of information they post publicly on job boards and other public forums- but to get the right person in the right position, information has to flow candidly.

Jack

Transitions

OK, so I've been more lax than usual in my blogging- I've been a bit preoccupied. I am leaving my employer of 22 years, 4 months and 4 days (not that I'm counting) and starting in a new position shortly. I will be joining Astaro Corporation later this month as an Support Engineer.

As much as I will miss my friends at my current job, I am really looking forward to joining the team at Astaro.

Jack

XKCD Network Malware "Terrarium"

ISC2 Board of Directors Election

This one is just for CISSPs-

The election for the ISC² Board of Directors is open through Friday, November 30. Although there are over 48,000 CISSPs globally, it is expected that only about 2500 of us will vote. Given the amount of grumbling heard about ISC², I find that appalling.

So, if you are eligible to vote in the election- please vote.

Information on the candidates and voting procedures are on the ISC² website at http://isc2.org

If you are interested in driving change at ISC², I encourage you to check out the positions of Rolf Moulton and Bill Murray at their website- and then vote for the candidates who best represent your views.

Thanks
Jack

Available vs Too Available, or how to simplify DLP

One thing that is largely missing from discussions of Data Loss/Leak Prevention is the idea that taking some data offline is a simple and effective means of preventing data loss. Information needs to be accessible in our "Information Age", but how accessible is too accessible?

 

Let's make this more tangible. Suppose you are headed out for a night in "the Big City", are you going to carry all of your financial records, safe deposit box keys and stock certificates with you as you navigate the subway?  Or will you carry just enough cash for the evening, only one or two credit/debit cards (maybe just one "firewall account" card), and tone down the jewelry?  Good choice- you NEED to have access to all of those high-value things, but you don't need immediate access at all times.  In fact, immediate access at all times is a pretty bad idea- that's why you have stuff locked away in the safe deposit box, right?

 

Maybe you don't need all of your data immediately available, either.  Maybe a virtual file or database server can host some of your data- and only be brought online as needed.  I know it isn't always that simple and that individual databases often house both mundane and confidential data, or house both frequently and infrequently accessed data (there's another issue, eh?), but think about taking data offline to protect it instead of just adding more layers of defense and complexity.

 

If you want a thorough introduction to DLP check out Rich Mogull's DLP primers at Securosis.  As Hoff pointed out, though, if it takes seven posts and 10,000 words to provide an introduction to something, it may not be ready for prime-time.

 

Jack

Announcing NYC chapter of NAISG

I chair the New England Chapter of NAISG and am happy to relay the news of a new chapter:

The National Information Security Group (NAISG) is pleased to announce the opening of the New York City chapter of NAISG. The chapter will be led by Tony Costa, who also frequents the New England chapter meetings.

Meetings will occur monthly in Manhattan. We anticipate a formal kickoff in January, but the membership list is already open. Please feel free to check out the chapter site at http://nyc.naisg.org/. (Some site updates still in the works.)

I find NAISG to be a great resource, and a great group of people. If you are in the NYC area please check out NAISG-NY.

Jack

DC401

There's a fairly new group in Rhode Island, DC401, the local Defcon group. According to their website, "DC401 is a gathering for folks interested in the alternate applications of modern technology, referred to properly as 'hacking'."

Meetings are held on the second Monday of each month in Providence at AS220. This month's presentation was by legendary security podcaster Paul Asadoorian (pauldotcom), on one of his favorite topics, hacking embedded devices. (Paul and co-host/cohort Larry Pesce co-authored "Linksys WRT54G Ultimate Hacking").

I'll be attending DC401 meetings as my schedule allows, if you are in the RI area I encourage you to check them out, too.

Jack

More security-related comics

The Day the Routers Died

I missed the first round of Shmoocon tix.

I was too busy yesterday and forgot about Shmoocon, so no tickets for Jack this month.  Join me in virtual line on December 1 at noon:

ShmooCon: Less Moose than ever!

Dogbert, Security Consultant

If only...

Jack

A Day of VMWare Seminars

I recently spent a day at VMWare seminars on server and desktop virtualization.  I knew going in that it would be mostly a sales pitch, but I hoped to learn a few things from the events.

It turned out that there were a couple of hours of good content.  Unfortunately, it took all day to get it out.

A few highlights-

One thing I am really tired of hearing is that you can "deploy servers in minutes instead of days or weeks".  Although that gem was trotted out repeatedly during the day, it was effectively rebutted by their own "customer success story" presenter.  An IT manager from LL Bean shared his experience with their multi-year VMWare migration and deployment.  He stated clearly that deploying servers takes  a minimum of a few hours, even if an appropriate VM is available for the task.  It turns out that he actually patches, updates, and optimizes the VMs for the specific task before deployment- and also considers network configuration and other related issues.  At least some of VMWare's customers have a clue.

One of the desktop deployment scenarios mentioned was letting developers and QAs deploy their own systems, which will be safe because of some sort of "fencing".  That might be true if the virtual machine library is always up to date and developers never need to add weird software you've never heard of or vetted.  And Unicorns will prance around the development lab, too.

At one point, while touting the new, lightweight 3i devices, it was mentioned that reducing the footprint between the guest and the hardware would contribute to a more secure virtual environment because [truth alert] the Service Console exposes over half of the known vulnerabilities in VMWare deployments and a lighter virtual environment would expose a smaller attack target.  That was refreshing.

A couple of cool things are on the horizon-

VMWare is going to integrate a patch management system into Virtual Center, initially it will only patch the host and hypervisor, but eventually it will also be able to patch Windows guest OSes, maybe even others.

Also, distributed power management is being developed which will allow servers to be redistributed and put into and out of standby to minimize power consumption.  I don't think I'll be seeing the benefits of this feature in small business, but it is still pretty slick.

As always, I think virtualization can be a great asset- if deployed properly.

Jack

A different kind of Zombie Server lurks ahead.

I'm not sure how I missed this, but I have finally realized that server virtualization
is going to be a security nightmare, creating a class of zombie servers that will be hard to kill. Now that it is fairly easy to get old software off of old hardware and onto modern, reliable hardware we may (will) end up with vast fleets of obsolete software living well beyond its normal life. The pain of hardware upgrades is often a driving factor in forcing software upgrades; "do it once, and do it right" may be out the window with simplified hardware upgrades. We can keep the old (obsolete, unpatched, and insecure) software running indefinitely, occasionally providing it with a fresh body to inhabit. Virtualization will become a form of life-support, creating vast armies of undead servers.

As insecure as they will be, thanks to the wonders of virtualization-enhanced Disaster Recovery, these zombies will be hard to kill, too- they'll just keep coming back to life.

Far-fetched? Wait 'till the bean counters figure out that they can force software to live longer (and perform better) by simply doing sporadic hardware refreshes.


Jack

Concern for Customers- gone wrong

I signed up for email updates from a small craft brewer and vintner a couple of years ago. The messages are infrequent and unobtrusive (as they should be), just updates on latest releases and special events- until this week. The list received a message from the vintner explaining that their webhost's servers had been hacked and that we should not visit their site until the system was cleaned up. Unfortunately, they included a live link to their website in the message.

I'm sure it wasn't intentional, their email client probably just converts anything that looks like a URL into a link, but the result was sending their entire list a link to a compromised site.

Of course I fired up VMWare, launched a Windows guest OS and headed over to the site to see what I could find- but they had already restored the webserver- no sign of malware. It is good that the webhost did the cleanup so quickly, but I was a little disappointed that I couldn't infect a machine to poke at later.

We still haven't received a "sorry folks, everything's back to normal" message from the vintner, either. I think there might have been better ways to handle the situation...

Jack

Only XKCD...

...can make database security funny.

I want one!

I discovered a cool little toy today. Well, it looks cool, but we can't play with them yet.

I'm talking about the Bug Labs' BUG platform.

"BUG is a collection of easy-to-use, open source hardware modules, each capable of producing one or more Web services. These modules snap together physically and the services connect together logically to enable users to easily build, program and share innovative devices and applications."

"BUGbase is the foundation of your BUG device. It's a fully programmable and "hackable" Linux computer, equipped with a fast CPU, 128MB RAM, built-in WiFi, rechargeable battery, USB, Ethernet, and a small LCD with button controls. It also has a tripod mount because, well, why not? Each BUGbase houses four connectors for users to combine any assortment of BUGmodules to create their ultimate gadget."

Promised extension modules include GPS, a camera/videocam, touch screens, a mini qwerty keyboard and a teleporter. I'm not holding my breath for the last one, though.

What kind of monitoring, scanning, sniffing, attacking, whatever- device could you build with this rig?

I wonder if I can get my hands on one before Shmoocon?

Jack

Virtually impossible

I'm trying to virtualize some old legacy app servers for a client- NT4 boxes. I have used VMWare's Converter for Physical-to-Virtual migrations with great success on Windows 2000 and up, but it just doesn't like the NT machine's network settings- so I decided to try Microsoft's own physical to virtual migration tools and see if the outcome was better.

Short version:
Do not try this; not at home, not at work, not anywhere, not ever.

A few details of the Microsoft P2V "solution"-
First, start with a Windows 2003 Enterprise Server
Install and configure ADS (Automated Deployment Services)
(ADS requires either MS SQL Server or the MS SQL Desktop Engine- MSDE)
(ADS also requires IIS, the web server, to be installed!)
Install MS Virtual Server 2005
Install MS VSMT (Virtual Server Migration Toolkit)
Now you can start to think about configurations...
As an added bonus- MS VSMT only converts "server" OSes, not desktops.
And, VSMT only does live migration- the source server is shut down at the end of the migration and the VM is booted. That is a great testing scenario...
What is wrong with these people?

By comparison, VMWare's free Converter installs on -and converts- NT4 and up server and desktop OSes, can be "pointed at" a machine to convert or run locally on the machine (or even converted cold with a boot CD if you buy the management suite). Tweaking the networks doesn't look so bad anymore.

The security angle, you ask? There are a few obvious ones- such as building a complex system to convert the machines and then hosting them on the same complicated (and bloated) box, going live and dropping the old machine without testing the VM, and configuration fatigue. Configuration fatigue is when you are so tired of wrestling a system that you give up as soon as it works, telling yourself "I'll secure it later"- of course this thing is already live by that time, and "later" is too late for production system security.

Sorry to sound like an ad for VMWare, but the Microsoft answer is just plain wrong. Besides, you can use Vmware's Player, Server, and Converter for free.

Jack

SharkFest!

The good folks at Wireshark have announced SharkFest '08, the first annual (I know, I know- "first annual" irks me, too) Wireshark event.

"CACE Technologies hosts the 1st Annual SharkFest Event March 31 – April 2, 2008 at beautiful Foothill College in Los Altos Hills, California USA. Join us for 3 days of training and discussions on network analysis, troubleshooting, security, Wireshark development, communications dissection and more!"

I hope I can make it, but it is only six weeks after Shmoocon, and it is a long way from Cape Cod.

Of course, getting my wife interested in a trip to the SF Bay area in April will be a lot easier than DC in February.

See you there?

Jack

Pointless Security "Conversations"

There are many great sources of security information, but lately it seems that more and more of the commentary deteriorates to something equivalent to this:

It's a dog!
No it's not!
Is too!
I like kittens.
You just don't understand how dogs work.
Maybe if we feed it dog food...
And so on.

Meanwhile, dog or not, we're here looking for the paper towels, because we have to clean up after "it".



I don't want to discourage anyone from following blogs, forums, or any other source of information- but if you don't add your own BS filter, you will get frustrated and miss some great information.

My approach to dealing with this is twofold:
First, whenever commenting, I try to add to the conversation in a meaningful way and include relevant information where appropriate.
Second, I tend to skim over the pointless posts and avoid "feeding the trolls".

I will admit that sometimes I fall short and add incite instead of insight, but I'm working on it.

Jack

Microsoft Live Writer, Ultimate Blog Editor?

Microsoft has rolled out a beta of their Live Writer application- and it is great!  True WYSIWYG, including the themes, simple insertion of:

• bulleted lists
• numbered lists
• links (with several options)
• video
• images
• maps
• tables
• tags

Add offline caching and editing plus compatibility with Typepad, Blogger, Moveable Type, WordPress, LiveJournal and more- now you have a really good utility.

Not Open Source, but free (as in beer).

Jack

(Un)Common Sense

After grossly oversimplifying security issues with virtualization by saying that a little common sense could go a long way towards solving problems, it was suggested that I had

"fallen prey to some slick-willie marketing somewhere that suggests that "...a little common sense" is out of beta and ready for production. ;)."

At first I thought that my accuser was nuts, common sense is hardly rare and is certainly in wide scale production. Then I thought about the split between my "hobby" friends and the corporate world, it started to come together. Everyone has their moments of brilliance and stupidity, but join me at the next NE Blacksmiths Fall meet and you will see people who exemplify creativity, problem solving and yes, common sense. And they are really nice folks, too. What is it about the business environment that seems to drive common sense out of so many people? I certainly don't have the answer, but I think there is often a lack of "big picture" vision as we all focus on our own tasks.

Alone at the anvil, you are responsible for your work. Maybe that's it, bigger organizations blur the responsibility. I don't know for sure, but I do know that common sense is out there, just not always as much as we would like.

Jack

Another look at the IT community

As promised, here are a few of the local IT groups that I rely on for insight and incitement. They all have maillists, so you can participate even if you aren't really "local".

National Information Security Group, at naisg.org
NAISG is a great group with a diverse membership- from students and teachers to law enforcement personnel, systems and network administrators, consultants and security entrepreneurs. The mail list is a good resource for technical information, but the real value of the list is often the insight into the "why" rather than just the "how". Join the maillist here.
[Full Disclosure- I have been an active member since shortly after NAISG's founding, I serve on the Board of Directors and I am Chairman of the New England Chapter]

The following are not security-centric, but are very good groups:
Southern New England Network Users Group, at snenug.org
A fantastic resource for small to mid-sized business admins. Often MS focused, but a wide variety of topics come up. One of the best remaining resources for small business Novell gurus.

Boston Linux Unix Users Group, blu.org
From beginners to experts; Unix, BSDs and Linux; this is the place for *nix information and insight.

Boston Area Windows Server Users Group, windowsboston.com
One of the largest Microsoft user groups, Windows Boston is also an affiliate of the Boston Exchange Server UG. All things Microsoft, and more.
[Full Disclosure- I'm an advisor to the Steering Committee]

Not that you asked...

But here are some random thoughts and mini-rants which may or may not have anything to do with Information security-

Making something more complex...
makes it more complex. More complex means more potential avenues of attack and makes it harder to understand and secure. More attack surface likely means LESS secure. If I add anti-virus, anti-spyware, host-based firewalls and IPS, NAC agents and more to my systems they have thousands (millions?) of additional lines of code that provide potential attack vectors (and real performance issues).

Often-violated business rule #1:
Make it easy for people to give you money.
(This mini-rant brought to you by the Cisco Service Contract Center).

Old InfoSec people are curmudgeons because they are tired of fighting the same battles over and over and over again. And because they aren't happy unless they aren't happy.

Often-violated business rule #2:
If you take someone's money, deliver what you promised them.
(This mini-rant brought to you by Symantec).

Breaking stuff is still fun. As is fixing stuff. And breaking it again.

Blatantly Obvious Business "Secret": Underpromise and Overdeliver.

Ubuntu is a great Linux distribution and the Ubuntu community is great, but they are in danger of becoming a religion. This would be a setback to Ubuntu, Linux and religion.

Vista both disappoints and scares me.

One of life's little mysteries: How can companies full of good people consistently deliver mediocre goods and poor service? (Insert your own sponsor, you know plenty of them, too).

Attention all engineers:
1) Please consider "It has to work" an implied specification for everything you do.
2) Building crap because you were told to does not relieve you of responsibility for the outcome.

If you "sell security", expect to be challenged.
If you fail the challenge, it is not the challenger's fault; thank them and learn from the experience.

Enough for now-

Jack

Security Anecdote Theater, episode 3

Some years ago my wife and I took the kids to an amusement park and we decided to ride the Ferris Wheel. Curious as to how the thing worked, I started looking at the mechanicals as we waited in line- lots of big parts, but a pretty simple design. The drive system was a few large electric motors driving the steel outer rings of the wheel via automotive tires and wheels.

It looked like a good setup, well thought out and obviously designed with safety in mind- then the Ferris wheel stopped. The tires driving the wheel were retreads. An enormous and expensive machine, and they cut corners on the drive system to save maybe $100 on the tires. I immediately began to wonder where else they had cut corners. We rode anyway, but the ride was a lot more thrilling than a Ferris Wheel should be as we discussed the possible scenarios for a stunning and catastrophic failure.

You probably won't find retreads in your shiny new network and security devices- but when you look around you may find that some corners have been cut. Even if you can't perform code review yourself, you can and should look at the hardware for obvious weaknesses and poke at the system with tools like Nmap and Nessus.
Better to find and address issues before you put the systems in production.

Jack

Real Threats to Virtual Systems

As the Virtualization Craze begins to resemble a runaway train, it is really time to stop and think about the security implications of virtualization.

The most important thing to remember is that:

• running software on OSes
• which are running in software
• on another OS
• or maybe on a hypervisor- software- between the hardware and OSes
• that is on hardware

ADDS complexity and attack surfaces, it cannot reduce exposures.

We are still susceptible to all of the vulnerabilities that already exist in physical installations- plus a new array of emerging vulnerabilities for the virtualization systems themselves.

The world of virtualization security is well beyond the scope of my blog, so I will refer you to the following resources to get started:

• Christofer Hoff's Rational Security Blog
• Pauldotcom's podcast interview with Intelguardians

Now is the time to consider the security impact of virtualization and plan virtual deployments accordingly. That's right, we have the opportunity to plan and deploy an emerging technology wisely.

Jack

Shmoocon IV announced

Shmoocon IV has been announced- it will be February 15-17 at the Marriott Wardman Park.

Hmmm, Valentine's day is February 14, my 28th anniversary is February 16.

Honey, wanna go to DC for a romantic getaway?

Jack

Blog Etiquette and target="_blank

Housekeeping, not security, this time. I like to read articles online and follow links without losing the original page. If I'm at a desktop machine with Firefox, that is easy. It gets annoying on PDAs and other portables- so I wish more people would use target="_blank" in their HTML anchor tags so that clicked links open in a new tab or browser window. That's what I generally do on this blog, write the tag so that my blog stays open when you click a link.

It turns out that some people are annoyed by the target="blank" function. I don't really get the objection, but that's life. And this is my blog, so I hope you'll understand that I'm doing what I want with it.

Jack

CISSP, Magic Incantation or Nonsense?

Certifications...

Blood pressure is already rising at the mere mention of the word, but stick with me. I have held a few certifications through the years: from ASE Master Auto Technician and Master Heavy Truck Technician many years ago; to MCSE+I on NT 4.0 and CCNA later (one obsolete and the other lapsed); and for the past few years CISSP. I had different reasons for getting each cert, and each served its purpose- but I think the CISSP has been the most valuable.

Some people see the CISSP as a farce, held by people who make a career out of the tedium of security, not "real" security; others think having a CISSP makes you a genius and a security guru. Both are wrong.

The CISSP exam is long and tedious, and it covers a bewildering array of topics. That's the point, a wide-ranging view of information security, not a nuts-and-bolts technical view, not a C-level executive view- but a general grasp of numerous facets of information security.

So, where's the value? It is threefold

• First and most importantly, you have to get outside of your comfort zone and think about ALL of information security to pass the exam. This can only be good.
  
• Second, you "join the club" and get access to resources not readily available to others.
• Third, it is a high-profile certification that many people recognize.

The resources of ISC² (seminars, conferences, career resources etc.) may be of value to you and the CISSP-only maillist can be a great source of information. What I find most valuable on a day-to-day basis is simply being able to append the "magic letters" to my name when dealing with corporate drones. Some know what it means, some only think they do- but they certainly do not expect to see them behind the name of the average small-business IT administrator. It is sad, but the CISSP has been a handy stick to use when trying to whack intransigent vendors. I don't always get the answers I want, but the BS factor drops dramatically when big business IT and security people think they have a worthy adversary. (I would rather be a valuable customer than a worthy adversary, but that's a rant for another day).

Information on the CISSP certification is available at the ISC² website.

Also, while not directly related, there was a recent bit of confusion about the nature of the CISSP- Daniel Miessler recently wrote a negative post on CISSP; I don't think he really understands the cert. Martin McKeay later responded with a good commentary on Daniel's post.

Jack

Your password is too short.

Forget complex passwords, you can't remember them- so you write them down (and lose the note). Besides, they are not that hard to break anyway. I won't bore you with all of the math* , but a really long passphrase will be more secure and easier to remember than a short, complex password. (Unless you use something lame like "p@ssw0rd", which is easy to remember and will be cracked by any viable dictionary attack).

This isn't just a hairbrained idea of mine, check out Mark Burnett's comments in this "Contrary Wisdom from Syngress Authors" video:
The whole clip is good, but did they have to leave Bruce looking like that?

Another thing, it is OK to write down your passwords. Just not on yellow stickies on your monitor- treat them like money, keep them in a safe place and destroy the old note when you change passwords.


Jack

* Alright, here's the basic math-
number of possible characters^{(length of password)}.

Assuming 62 possible characters for a simple set (a-z, A-Z, 0-9), and 94 for a full set with punctuation and other special characters- your eight digit "complex" password has 94⁸ or 6.09568939 × 10¹⁵ possible passwords. A "simple" alphanumeric twelve digit password is significantly stronger with 62¹² or 3.22626676 × 10²¹ possible combinations. Simply using a long nonsense phrase (no quoting Shakespeare or Darth Vader here, please) with all lower case letters and a space (to make it readable) results in a 27 character set; at sixteen digits we get 27¹⁶ or 7.97664431 × 10²² possible passwords, stronger than either of the above.

"Real" security people just don't get it.

Black Hat, DefCon, CCC and yet another pile of news about the largely theoretical from really smart people, bah! Virtual this, hyper that, advanced counter-rotating BS.

Out here in the real world of small business, things are different. We struggle with security battles that most "experts" think were won years ago- and the problem is not that we are behind as much as the "experts" and vendors (and a big chunk of the IT press) are out of touch. They might as well be academics. (My view of smart people is summarized in my first post).

Look kids, remote code execution in user space, followed by privilege escalation and eventual total compromise with an "undetectable" rootkit isn't that impressive in a world where you can guess half of the passwords (if they even have passwords). Sure, I can sniff your car's keyless locking and ignition system's RFID and steal your car- but if the keys are in the ignition of every other car in the parking lot, I'm just showing off. And wasting time.

Don't think this is a big deal? According to the US Small Business Administration [PDF], a little over half of all private sector jobs are in small business and small businesses have generated between 60 and 80 percent of all net new jobs created annually in the past decade. That is a bunch of people(58.6 million in '04) in a bunch (26.7 million plus) of little companies- which means a really big (and growing) bunch of computers. Unfortunately, the pressures on small business are great- about a third are gone in the first two years and over half don't make four years. That means IT budgets are very tight, and security is considered a luxury by many. These systems are often no better protected or maintained than home systems, yet have valuable business data on them. And yet, we still need simple, reliable and secure systems- and we still won't have them. But we do have theoretical arguments about theoretical vulnerabilities and exploits.

At least I'm not bitter about it.

Jack

Partners and Security, Part 3B

In the words of Homer Simpson, "DOH!"

I overlooked one of the best and easiest sanity checks for web apps-
if there are forms on the site, especially ones with menu selections, see if your inputs are passed to the address bar when you advance through the site. If they are, you may be able to check for simple input validation problems.

NOTE- Passing info to the URL is not necessarily a bad thing, it just depends on what is passed and if it needs to be validated. For example, it is great that Google Maps lets you throw addresses into a URL to get the maps you want, but a bank that lets you see more information than you should is a problem.

I once found a website where I could select the number of records to display when retrieving a report- I had the choice of five, ten, or twenty records per page in a drop-down menu. When I chose the number and submitted the form, the choice appeared in a string in the resulting URL. Unfortunately, I could simply go to the address bar and change the number to anything I wanted and get the appropriate results- in other words, they didn't validate input. Without going any deeper, I knew that this app was questionable. I reported it to my employer and the company with the problem site. My employer understood immediately, the other company took some effort.

We are severely limited in what we can do to check other's web sites and applications, this is a simple test that can expose fundamental problems without "hacking" the application.

Jack

Yet another reason to take security seriously

One of the more compelling, yet less obvious, reasons for taking security seriously is to prevent it being forced down our throats, complete with flawed requirements. GLBA, HIPAA and Sarbanes-Oxley are examples of what happens when our lawmakers feel there is a problem and they try to legislate an answer. Don't get me wrong, these laws were designed to address real problems- but their execution is far from perfect.

Let's pick on Enron for an example: If there had been some accountability in the boardroom and at the accounting firm, maybe Enron would not have become, well, Enron. And, maybe Arthur Anderson would still exist, and maybe corporations throughout the US would not have to spend buckets of cash complying with this law. But, Enron was Enron, and Anderson did what they did (and didn't do), and SarbOx is the law- for better AND worse.

If we don't accept our responsibility to secure our systems we could end up with more legislation mandating how we run our businesses. Well-intentioned, but poorly crafted, regulations or personal responsibility- that should be an easy choice.

Jack

Security Excuse Bingo

Friday evening humor-

Security Excuse Bingo

Jack

SCO loses, Novell (and almost everyone else) wins!

An article at Groklaw has the good news:

"Hot off the presses: Judge Dale Kimball has issued a 102-page ruling [PDF] on the numerous summary judgment motions in SCO v. Novell. Here is what matters most:

[T]he court concludes that Novell is the owner of the UNIX and UnixWare Copyrights."

I'm sure there will be appeals, but this should be the beginning of the end of this chapter in the FUD wars.

Yes, there is a security angle here. One less bogus legal threat hanging over our heads for using Open Source software. Don't forget, just about everyone uses some Linux somewhere- on cell phones, media devices, network appliances and of course computers.

Jack

Captain Privacy Strikes Again!

Captain Privacy, aka Martin McKeay, has blogged about the latest changes to the law on NSA surveillance. He has summed it up better than I could, so just go over to mckeay.net and read his post on the topic.

Jack

Verisign laptop theft

This one is over the line. A former Verisign employee had a laptop stolen from their car and the laptop may have contained employee data. An article at SearchSecurity.com has the details, including tidbits like "The laptop may have contained such personal information as names, Social Security numbers, dates of birth, salary information, telephone numbers and home addresses".

But don't worry, "The laptop was fully shut down and requires a username and password to log on to the Windows application. To our knowledge, the thieves do not have the password". Besides, "there's no indication of fraudulent activity thus far".

This is a respected security company, not some naive retailer. There are too many questions to fathom here.

• Whose laptop was this?
• If it was Verisign's, why did the ex-employee still have it?
• If it was the ex-employee's, why was company data on it?
  
• Why does a former employee still have this info?
• Why does anyone need this kind info on a laptop?
• Why wasn't the data encrypted if there was a reason to have it on a laptop?
• Why was the laptop left in the car overnight?
• Who believes that a Windows username and password will protect anything when an attacker has unlimited physical access?
• When will people learn?

Verisign has quite a few job openings listed on their careers site, I wonder how much this will hurt their recruiting efforts? I'm glad I'm not in HR or PR at Verisign this week.

Jack

Exploring the IT Community

How's your training budget? How about the budget for consultants and analysts? Yeah, I don't get to spend much either.

It is ok, though, there are plenty of great resources available for little or no money through user groups and similar organizations. I have the luxury of being in the Greater Boston area where we have an abundance of great user groups, but they are everywhere.

A couple of ways to find them-
On the (mostly) Windows front, Culminis Alliance has a good User Group Locator.
Linux user groups are everywhere, take a look at Linux.org for a good starting point.
Also, there are a growing number of Ubuntu LoCo (Local Community) teams.
If you happen to be in the Greater Boston area, check out Boston User Groups for a list of regional groups (full disclosure, I am the Vice President of Boston User Groups).
Don't be put off if your particular interest doesn't have a group of its own in your area, check it out and see if there might be some overlap.
Also, on the security front, there are groups like ISSA and the FBI's InfraGard.

Next time, some of my favorite local groups. Even if you aren't in the area, check out their online offerings and maybe join the maillists.

Jack

Educational Commuting (Podcasts)

I spend a couple of hours a day in my car commuting and traveling between locations. Podcasts are a great way turn "car time" into productive time. I listen to many, here are a few that I can't do without, give them a listen and I think you'll agree.

Pauldotcom Security Weekly.
Informative and Entertaining (always both, not always in that order). Sometimes not "work-safe" listening, but always worth listening to. A group of security pros offer up technical tips, how-to segments, discussions of current security news, the occasional interview and even "storytime" hacker stories.
http://pauldotcom.com/

Cyberspeak.
"Two Former Federal Agents Talk About Computer Forensics, Network Security and Computer Crime." Another informative and entertaining podcast, mostly focused on computer forensics but covering a mix of topical and technical security news. Brett and Ovie also frequently feature interviews, again usually forensics focused, but not always. Always worth the listen, even if you don't handle incident response and forensics.
http://cyberspeak.libsyn.com/

The Network Security Podcast.
The blogs and podcasts from Martin McKeay- Martin is a prolific blogger, podcaster and video podcaster. Although he has an information security focus, with PCI a frequent topic, Martin also ventures into other areas- I especially enjoy his coverage of electronic voting systems and his exploits in the guise of his alter-ego, Captain Privacy. Martin's "creative output" has recently been re-invigorated, and I'm glad about that.
http://www.mckeay.net/

Security Now.
"Steve Gibson, the man who coined the term spyware and created the first anti-spyware program, creator of Spinrite and ShieldsUP, discusses the hot topics in security today with Leo Laporte."
Security Now has some great great information, especially some of the earlier shows on encryption and the foundations of TCP/IP. This show targets the "power user", not the security pro- keep that in mind as you listen, otherwise you may find yourself screaming at your MP3 player occasionally.
http://www.twit.tv/SN

Happy Listening-
Jack

But Jack, isn't that hypocritical?

Maybe you are thinking "Why are you poking at business partners before looking at your own network?" Maybe that seems unfair or hypocritical.

Here's my logic- first, there are plenty of resources for helping to secure your systems (and I hope to add to them later), but not many that look outside- and almost none that apply to the small guy checking up on the big guys. Also, we pay some of the partners- franchisors, vendors and others- and that gives us the right to hold them accountable. We're the little guy, we are often required to use their systems, we can't opt out and still do business. These are their systems and it is their responsibility to secure them.

It is our responsibility to protect our systems and our interests. To me, that includes holding our partners accountable.

Jack

Partners and Security, Part 3

Continuing with our cursory look at our partners...

Navigate through the site, look for clues. Hover over links, note if the pages are scripted (file names and URLs ending in .asp/.aspx, .cgi, etc.) or basic html.

Look for help pages, do they give away anything? Is there help available before you log in? Are password recovery procedures listed? Anything questionable there?

Look for forms- fill out a few poorly and see if they handle mistakes gracefully. NOTE, I am not suggesting you try to break the application, do not enter "or one equals one" type entries in an attempt to hack the system. You don't have (are are highly unlikely to ever get) permission, so be nice. We are looking for common mistakes and simple oversights on the part of the developer(s).

If you do find errors, look at the error messages, they can tell you quite a bit. Google the errors, you may find some well known problems have been ignored.

Next time, we start using some tools to dig a little deeper into the website or application.

Jack

A Convert!

My wife is an intelligent woman (her fondness for me notwithstanding), but she has a "low-tech" job and is not particularly fond of computers. She does grudgingly admit that computers are good for some things, like email, searches and maps (but not much else). One of her work-related activities involves helping resolve personnel and contractual disputes- and that requires wading through a bewildering mass of contractual, policy and labor law documentation. She recently learned of an initiative to move most of the relevant documentation online and provide online management of active issues. Upon hearing of this wonderful new system, her first words were "How secure will it be?". A convert! In spite of the potential relief this would bring, her first thought was about the security of employment records.

She elaborated on her concerns- not only was she worried about the security of the website, she pointed out that the website in question currently required a username and password. Unfortunately, since the site doesn't currently have anything of value, she doesn't use a good password and doubts anyone else does- and doubts that will change.

She gets it. Maybe not the nuts and bolts, but the ideas. I don't know how much impact her concerns will have on the overall project, but in the big picture, every voice counts.

Jack

Mental Health, InfoSec and Playing with Fire

Someone said that all work and no play makes Jack a dull boy. That is a bit trite, but I do find that a break from work is a healthy thing. One of the hobbies that I don't really have the time to indulge is blacksmithing- but every summer the Cape Cod crew of the New England Blacksmiths demonstrates the craft at the Barnstable County Fair and I have been participating for the past few years. Even if I don't yet have the skill to turn out master works of art, there is something very satisfying about heating a chunk of metal in a forge and then whacking it with a hammer.

There is even a direct InfoSec link- I don't do it at the fair, but dropping the platters from a hard drive into the forge is a pretty good method of secure data destruction.

Jack

Partners and Security, Part 2

Digging a little deeper into the security of business partners...

After reviewing the information you received, it is time to start looking a little deeper. Most of my experience is with web sites and web applications used for communications with vendors and franchisors, so that is where we will start.

Start with the basics. How do credentials get assigned? Are you sent a username and password in an email? (this is both very common and very bad). Do you have to reset your password at initial login? Do they even let you reset your own password? Does every user get their own credentials, or are you expected to share? Are logins encrypted? Are all transactions encrypted? Is the certificate valid?

Sadly, a large number of sites, even among financial institutions, will fail some of these checks. Companies that spend significant resources securing their "public" websites will frequently cut corners on their partner/affiliate websites, as if we aren't coming in from the same Internet. The whole Insider Threat concept is lost on them. Random attackers may not know what they can access once they are "inside", employees of partners already know what they are looking for.

Although some of the information you want is not as obvious in a web app as it is in a web site, you can still get what you need. Sometimes you can "break out" of Internet Explorer based web apps by simply pressing Ctrl-N; a new browser window will open with headers, footers and toolbars- revealing full URLs, certificates, etc. If that doesn't help with your applications, don't worry, you will need to fire up a sniffer and a proxy sooner or later anyway and they will give you what you need.

Next time, a little looking around before we break out the tools.

Jack

BeanSec!

I finally made it to a BeanSec!
BeanSec! is not to be confused with any other security group, meeting or conference- it is more of a social event, held on the third Wednesday of each month at the Enormous Room in Cambridge. But- it is a social event for security geeks. Want to know more? Then go!
Your genial host (for most evenings) is Christofer Hoff.

I had a great time and met some cool people. Sadly, I doubt that I'll make it to very many BeanSecs- they happen the same evening as two of my favorite user groups, SNENUG and BLU. I was already conflicted enough having to choose between the Southern New England Network Users Group and Boston Linux & Unix. Of course, they don't meet in a bar...

Thanks Chris!

Jack

iEnough iAlready with the iPhone!

The final word on the iPhone is at Will it Blend?



Yes, they do.

Jack

The good things about small business IT

Sure, it is fun complaining about trying to implement security in small business IT, but there are some real advantages that help offset many of the problems we face.

People are a great example- we get to know them. You don't have to like all of them, but knowing a bit about the personalities in your company can bring some valuable insights. New exploit in the wild? You already know who your "high risk" end users are- you can focus on the people and machines that are the most likely to be exploited because of the nature of their work or their habits. You also know which users will actually listen when you tell them that no one is sending them anonymous eCards, so don't open them- and focus your efforts on the, let's just say "harder to train" end-users.

In small business, we have to do it all. On the other hand, in small business we get to do it all. We handle most projects from end to end and have a better understanding of complete systems because of the added perspective. We also get to know our networks and systems very well. We learn what to expect when lightning strikes or the power goes out. We have a pretty good idea which applications might break on Patch Tuesday and can plan accordingly. If we stop, think and apply this knowledge before we start new projects, we can prevent problems and create a more secure environment.

Small businesses often offer a better quality of work life than big corporations. It is still possible to find loyalty in smaller companies. Small companies are more likely to be flexible with schedules and other intangibles. At my "real job", we have just over one hundred employees; about a quarter have been with the company over eight years and four of us have been here over twenty. That doesn't count the owners or their family. And that's in an industry with an average annual turnover above fifty percent. I don't think you will find many corporations that can put up numbers like that.

Yes, sometimes we have to battle to simply get a password policy, forget having a good one. Sometimes we simply have to cut corners (so do the big guys). But there are real opportunities in small business IT, so use them to your advantage.

Jack

Time for an introduction

How rude, I haven't really introduced myself yet.

I am Jack Daniel. Really. It was dad's name, too. Long story for another day, but it has nothing to do with the black label/square bottle guy.

I am "the computer guy" for a family of small businesses south of Boston, Massachusetts. I have performed many different jobs throughout the years. IT has been part of my work since the late 80's and has been full-time since the late 90's. Like most small business IT people, I handle a wide variety of things, from changing toner cartridges for those "special" end-users to desktop support to network, server and security design, deployment and maintenance. I have been interested in information security for a while and have spent the past several years trying to absorb as much security information as I can.

I was not a hacker or even a computer enthusiast in school. In those days and for several years beyond, I was a car guy. But, it turns out that an interest in "how stuff works" and how to "build, break and fix stuff" translates well from one field to another- so I was well served by my years as a mechanic. There were several years of various management positions between twisting wrenches and twisted pairs, but please don't hold that against me.

I am also a technology "community activist". Since discovering user groups many years ago I have been active in several groups and have assumed some leadership roles in the local user group community. Community participation in general, and user groups in particular, will be a recurring theme in this blog.

When not working on or playing with computers I have a few non-tech hobbies that I wish I could spend more time with- wood carving, boat building and blacksmithing. Another group of things around the recurring themes of "how stuff works" and "build/break/fix stuff".

That's enough for now-
Jack

Are the vendors clueless, or are we?

One of the companies I support recently leased several new multifunction fax machines. From a security perspective, the experience was astounding. The vendor seemed to have no clue about the insecurity of the devices or the implications to our network that such machines could have. The vendor also had no respect for the network. They were annoyed that they couldn't just plug into any open jack and get on the network- and their "network guy" didn't understand why anyone would want to control network access. When I clawed my way up the support ladder to someone with a bit of security awareness, I was assured that I could contract with their consulting division and they would secure the devices for a "reasonable" fee. Call me crazy, but I think it would be "reasonable" to ship the things secure in the first place.

OK, Jack , how bad were these things? These machines have 466MHz CPUs, 384MB of RAM, and 40GB hard drives. How's that for a potential attack platform distributed throughout your network? A simple Nessus scan not only reveals numerous significant vulnerabilities, it locks up the management interface on the devices and they need an extended power-off to recover full functionality. At first I was only frustrated with the vendor. We are paying them to compromise the security of our environment, and they will fix their own shortcomings if we pay them even more. How can they get away with this?

Then it dawned on me, they get away with it because we let them.

Jack

Happy Birthday USA

Wednesday, July 4
It is ten in the morning and I'm drinking sangria and listening to classical guitar on Internet radio. A great start to the holiday.

Internet radio wasn't among the driving forces behind the American revolution, and certainly isn't the most pressing problem facing the republic today- but the threats to Internet radio are real and some may have far-reaching implications for anyone who creates content and wants retain control over their material, whether it is music, text or code. No political diatribe here, but if you are interested, look into the issue and act as you see fit. If you are not sure where to start, I would suggest savenetradio.org.

Happy July 4
Jack

Security and Business Partners

We all have to trust our business partners to take security seriously, but how can we be sure they live up to our expectations? We might not have the leverage that some big companies do, but we do have some tools available to help us. In the next few posts I will discuss some tips to help address security issues with your vendors and other business partners.

First, the easy ones- ask them for copies of their privacy and security policies. Next, ask for direct security and compliance contacts (not just their regular support information). While it is important to have this information, it is also important to make them realize that you are concerned and checking up on them. We all tend to behave better when we know we are being watched.

Look over the information you receive, and note the things you don't receive. Ask questions and raise concerns. If anything is especially troubling, bring it to your employer and explain why (without hysterics) you think it is a problem.

To be continued...

Jack

Security Anecdote Theater, episode 2

Peter Ross, a master blacksmith at Colonial Williamsburg tells a story that I enjoy retelling-

Early in his career at Williamsburg, Peter was asked to make a reproduction of a lock from the Williamsburg collection. He carefully disassembled the original lock, inspected and measured every piece, and then made faithful reproductions of each component. When he tried to assemble the lock nothing fit. He filed, bent and reworked each piece until it finally went together and worked. Once the lock was complete, Peter was understandably impressed with his work and showed it off proudly. After the initial glow wore off, however, Peter noticed that the original lock was much nicer than his- it didn't show all of the signs of reworking and correction that his did. He reconciled himself to the obvious fact that the colonial era blacksmiths were simply better at the craft than he was.

As his skill and knowledge of the craft evolved Peter began to realize that his shortcoming was not in skill, but in perspective. Peter approached the task with the knowledge that careful measurement and replication will yield an exact duplicate- the modern view of manufacturing applied to an ancient craft. The original blacksmith made the first part of the lock from available material with little worry for exact measurements- because the second piece would be made to fit the first, and so on. The next lock made would probably look similar, but the parts wouldn't be interchangeable- but as long as both locks worked it didn't matter.

The colonial blacksmith had limited supplies of material and often had to reuse scrap due to the expense and scarcity of new stock. He also didn't have ready access to all of the tools that were available to smiths in England and the rest of Europe. The craft may be different, but in small business IT we face a similar situation- we often have very limited resources and must make do with what is available.

So, the next time you find something you would like to copy- whether its a network topology, directory services infrastructure, VPN deployment or even a hand-forged lock- start with your current situation in mind and work towards a functionally similar system. Make sure all the pieces fit together with each other and your environment, just don't get hung up on trying to make an exact duplicate.

Jack

Worrying is productive

You are overwhelmed and so am I. This is the state of IT, especially in one-person shops. So, how do we begin to address the dozens of things we know we should?

And as far as security, making progress often seems impossible. One of the key problems is that in small businesses we don't have dedicated security personnel, we do it all- but we are judged almost exclusively by the overly simply question "does it work?". Not "is it secure?", nor "is it compliant?", just "does it work?". This makes spending the time to plug holes and getting the resources to address security issues difficult (at best).

So, what can we do about security? Worry about it. Do not obsess about it, just worry a little, it is a great first step. Go to seminars; read books, papers and blogs; listen to podcasts or whatever you can fit into your schedule- and learn what to worry about. This will not magically make the Spare Time Fairy appear in your life and grant your wishes, but it should start to make you think before you act. And that is the point, to start factoring security into your decisions before you make them so there is less cleaning up to do later.

If a little worrying helps you get there, so be it.

Jack

The Ghost in the Browser

This one is not new, but it is worth repeating. A team of researchers from Google (Google researchers? Doesn't Google already know everything?) released a paper on their study of web-based malware. Read it. It is OK if it takes a few passes to digest bits of it, it appears to be written by smart people. (See my first post if you wonder what that means).

Link here to the nine page (440KB) PDF

Out of the billions of URLs scanned, Google found 4.5 million of interest. 10% of those were demonstrably bad, pushing code to client machines- and another 16% were questionable. That is 450,000 "evil" URLs and 700,000 questionable ones. How many have your users visited this week?

This is why web filtering is important, keeping malware off your network. Keeping employees away from bad things is just a bonus.

Jack

Security Anecdote Theater, episode 1

I frequently travel from Cape Cod to Rhode Island, which means I drive Interstate 195 regularly. On I-195, shortly after you enter RI from Massachusetts, there is a nondescript, single-story block building on the right, near an overpass. It was pretty small, but they added on a couple of times- building out each time, not up. After decades in the same location, the company recently moved to a larger facility. Odd that they gave up a convenient and high-visibility location instead of just building a second floor. Especially considering that they are an elevator company.

Actually, it isn't odd at all. Elevator parts tend to be large and heavy, carting them around on a single level makes much more sense than moving them up and down- even if you happen to be in the elevator business.

So maybe the answer that appears obvious, the answer that you are familiar with- is not the best answer.

Jack

Non Sequitur

This one-panel comic does a better job of summarizing the nature of security than anything I have seen. The distilled essence of real-world security.



It has been suggested that the cat door is a metaphor for port 80...

Jack

Getting Started

Well, you're here, so I guess I should write something profound and/or witty.

Instead, I'll write this- If you want to move forward, be wary of smart people. Don't ignore them, but don't try to follow them, either. Gather what you can from them and move on.

Me? I want to see and learn from clever people, the people who get things done, often in less than ideal circumstances. These are the people I want to learn from and emulate.

Jack