Tuesday, September 30, 2008

Cooperative Pirates

In an attempt to prove me right, Somali pirates have made headlines around the world again, this time by capturing a freighter full of tanks and other weapons.  The New York Times' original article has the details, and several follow up articles are on their Piracy at Sea page including the pirates' motives and the current standoff with US warships.

As I said in an earlier post, I've seen our modern destroyers and cruisers up close, and I know what comes out of the "box on the bow"; this could end with a bang. A big bang.

Why haven't we solved this problem?  I still don't know, but maybe this will give the needed impetus to the global community to do something.



Monday, September 29, 2008

CSO Podcast

I was Bill Brenner's guest on this week's CSO Security Insights Podcast; we talked about a few of my favorite topics, such as the dangers of simple misconfiguration as opposed to "sexy new hacks", and we briefly talked about FOI.  It was a good conversation, a distillation of a few years' worth of conversations Bill and I have had about balancing the value of hard-core security research with stepping back and simply covering the basics.

I did have a failure of my own: I meant to return to FOI but didn't, so I didn't credit Andy Willingham for coining the term, nor did I give Michael Santarcangelo credit for fueling the FOI discussion.  Sorry guys.



Compliance for Hackers

Some people spend their professional lives working with compliance issues and the minutiae of complicated regulations- but in small business, compliance is usually an occasional tormentor to be dealt with and then ignored as quickly as possible.  What a terrible waste of an opportunity.

Personally, I haven't had to deal directly with compliance issues since changing jobs last year, but I do still occasionally work with customers and clients as they battle the dark forces of the demon checkboxes.  But that is the wrong attitude; compliance is a pain, but we need to look at the issue in a different light- how to exploit it for our own purposes.  Besides simply checking off boxes, you can spin this to push through real improvements.  I've used compliance audits to initiate improved password policies, beef up backup systems (except I had to call it "disaster recovery"), improve physical security for HR files, and more.  Of course, you still have to do the work required for whatever compliance project you are facing, and you can't get too crazy with the tangential projects.  And, as a bonus, the smug satisfaction you get from subverting the process for your own goals can really make the rest of the project much more palatable.



Friday, September 26, 2008

Lies, Damn Lies, and Vendor Lies

Most of us need to work for a living, and no matter what we do, everyone is in sales.  Selling your product, selling your ideas, selling yourself, you are selling something.  And, there's nothing wrong with that.  Marketing and PR are a part of sales, getting the right message out to the right audience.  The right message highlights the strengths of your product, service, idea, or yourself.  That's OK, too- as long as you are honest about it.

Today I had the misfortune of enduring a webinar by some people who were either ignorant or dishonest.  Probably a bit of both.  [It is sad when giving someone the benefit of the doubt means you assume they are ignorant].  This vendor sells network security hardware and software, so you might expect them to have some understanding of layer 2.  Imagine my amazement when I heard them say that ARP cache poisoning could only be used to sniff traffic, not to reroute traffic or for man-in-the-middle attacks.  Please don't tell the people who wrote Dsniff, Cain and Abel, or many other ARP spoofing tools; they would be disappointed to hear that.  That statement shows either an alarming ignorance of ARP spoofing and layer 2 networking or it is a blatant lie.

They also made other "inaccurate" statements in the presentation, like calling their product something it isn't and ignoring the lack of key components- and they have some really hare-brained ideas about virtualizing network security devices in a small business environment, but other than that...

Now here's the real problem: people were listening to them and believing this nonsense.  And the folks who believe this vendor are less secure because of it.

Sure, we are all responsible for validating what we hear, especially from folks trying to sell us something- but the fact that you are selling something does not make it OK to spread misinformation.

Buyer beware, indeed.



Wednesday, September 24, 2008

Grasping for Humor

It isn't funny. Really, it isn't, this whole political-economic crisis and bailout fiasco.  But these are bitterly amusing:




Tuesday, September 23, 2008

OOOOOhhh! Pretty pictures!

It is alive!  You no longer need to get a pre-release version of Nmap to get the topology mapping utility.  That's right, Zenmap (the graphical Nmap interface) can now literally draw you a picture of your network.  There are also multiple performance enhancements in the latest version, many based on developments made during Fyodor's "Scan the Internet" project.


Zenmap will not replace the command-line version of Nmap for daily use, but I will occasionally have a real reason to use the GUI now.



Saturday, September 20, 2008

Treasury Secretary Paulson, immune from prosecution

Good thing it is a chilly evening; my blood just started to boil.  Background: if you are on Twitter and have any interest in the US economy, you need to follow Christopher Penn, @cspenn (there are plenty of other reasons to follow Chris, but his economic insights are the focus tonight).  A snippet of the bailout bill reads:

"Decisions by the Secretary pursuant to the authority of this Act are non-reviewable and committed to agency discretion, and may not be reviewed by any court of law or any administrative agency."

Go read Chris' blog post at http://www.christopherspenn.com/2008/09/21/game-over/.  It contains the full text of the bailout proposal and some commentary.  Short version: the Treasury Secretary gets to make the law, and is therefore above the law.

Sleep well.



Wednesday, September 17, 2008


Yes, pirates.

But not Talk Like a Pirate Day kind of pirates, that's all good clean (well, maybe not always so clean) fun.


And certainly not pretty-boy Johnny Depp in "Pirates of the Caribbean" kind of pirates, either.

And what's with the beard? He doesn't even have enough of a beard to braid, anyway. (I assure you, I have expertise in this area).


No, I mean real pirates. Modern pirates, like these nice gentlemen who hijack, steal, kidnap, ransom, rape and kill.

Yes, piracy is a very real threat to modern mariners, private and commercial.

You may remember this story about the idiot pirates who opened fire on two US Navy vessels, a guided missile destroyer and a guided missile cruiser. (Having sailed past some of those ships in Norfolk, I cannot imagine how drugged or stupid you must be to screw with one of them- to take on a pair is beyond comprehension). Maybe you saw this recent story about the rescue of a couple of French sailors by French commandos. Those are the good stories, the rare ones with happy endings and criminals brought to justice. A quick Google search for "modern piracy" yields several enlightening results- as you might expect, Wikipedia has a decent primer, but I think the "Daily Vessel Casualty and Piracy Report" and this presentation on modern high-seas piracy from the law offices of Countryman & McDaniel are some of the best references. Although the presentation is now a bit dated, it still holds some very good information, and scanning the casualty reports for acts of piracy is chilling, especially factoring in that only about 10% of piracy is reported.

What amazes me is that piracy is still allowed to exist on a large scale. A unified, global effort could make a real difference, and quickly. When China chose to crack down on piracy several years ago (starting with a large and widely-publicized group execution of convicted pirates), it had an immediate impact in and around Chinese waters. One bit of hope comes from the above story of the French rescue, France has been a world leader in battling piracy and French President Nicolas Sarkozy has called for EU and UN action to curb piracy, especially in the waters around Somalia.

Piracy has always been a violent and dangerous vocation, and it has been suppressed when the pirates were put in more danger than their victims. Given the nature of the maritime environment, "hunt them down and kill them" has been a common (and effective) approach to piracy. I think with modern resources our goal should be to track and capture pirates, but the inherent danger of dealing with violent criminals at sea does mean that little quarter can be shown for those unwilling to surrender quickly.

Of course, there is no relevance to information security in this post- as we clearly have no serious or under-reported problems which we simply refuse to address in our industry. Arrr.


Monday, September 15, 2008

FOI follow-up

My original FOI (Failure of Investment) post was picked up in a private forum and sparked a little conversation. I let the thread take its course and then posted my thoughts. Since it was a reasonable follow up, I have excerpted it below:

It is interesting to see where this idea has gone in the past week or so. It started out with my frustration over the use of ROI and TCO as accurate *predictive* measurements. I think today's activity on Wall Street (and beyond) underscores the old adage that "Past Performance is Not Necessarily Indicative of Future Results". I am not arguing against looking back to try to analyze and learn from the past, but I have little faith in predictive technologies in a relatively new and continuously evolving industry- especially those necessarily based on guesses. You simply cannot account for all tangential and unexpected impacts. Centralizing management of your desktop anti-virus is obviously a good idea and a good investment- until your vendor issues a bad pattern and your IT team gets to repair or re-image all of your workstations. How did you predictively figure that cost into your ROI/TCO/OAA? (OAA = Other Abused Acronym)

To put this in context (I read somewhere that was important), my background is in small business IT- where it is unlikely that the people in the trenches have the time or knowledge to perform thorough generation and analysis of data- and the decision makers are unlikely to have the time or expertise to act on such data if it were presented to them. In this environment it usually takes a failure to get focus on a problem, and if budget is allocated to solve the problem, it had better stay solved. If the same issue returns after the investment, that is much worse than a new problem because you have failed on multiple levels. Thus introducing the metric "Failure of Investment".

As I said in my post, in IT we are judged primarily by the overly-simple question "does it work?" (Really, we are- and if you do not believe that, it may explain why you are currently unemployed- the "A" in CIA is a trump letter). FOI adds "did you keep *that* from happening again?" to the measurement. Like it or not, that's a real improvement in security metrics for most people.

I never believed this situation was limited to small business, and feedback and commentary seem to confirm my suspicions.

Also, since his original post, Andy Willingham did a video interview with CSI (the Computer Security Institute).


Tuesday, September 9, 2008

FOI, Failure of Investment

Last week, right before heading into the Catskills for the blacksmith conference, I started an interesting conversation with some friends by tossing out the following acronym-laden opinion:

"Not that you asked, but IMHO: ROI and TCO are SWAG at best. And, they are rarely at their best"

Michael Santarcangelo (you know, the Security Catalyst) responded first, then a few others joined in- it was better than the normal "is there ROI on Security?" conversation- and since the smart kids were indulging me by considering my opinions I threw out this idea:

"The only viable measurement in security is failure."

Andy Willingham (you know him as Andy, IT Guy) took the idea and proposed the acronym FOI, Failure of Investment. And that's it, FOI, a real-world metric we can all understand.  In this post, Andy did a great job of explaining FOI.

In most of my IT career (small-mid business, auto dealers a specialty) I worked where margins are razor-thin and you really have to justify every expense.  Things aren't broken until proven broken, usually by a failure.  Firewalls, anti-virus, backup systems- these are just a few of the things I could only spend money on after an incident.  I call this the "I told you so" budget method.  Oh, yeah- and once you get that money, the problem had better not happen again.  Note that in this context, a new type of failure doesn't count as FOI unless you have invested in preventing that specific class of failure.

I've said many times that in IT we are judged primarily by the overly-simple question "does it work?".  FOI adds "did you keep *that* from happening again?" to the measurement.  Like it or not, that's a real improvement in security metrics for most people.



Monday, September 8, 2008

A quick tip for IP name resolution

Ever have an IP address in your logs that you can't identify? No reverse DNS, ARIN/WHOIS come up useless, just can't figure it out?

Try opening a web browser and entering HTTPS://<IP address> into the address window.  With a little luck you will get a certificate error (a name mismatch: the URL is an IP address, but the certificate was issued to a host or domain name)- look at the certificate and you have a domain and company name.  A little tedious, but very handy.
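The same trick without the browser, as an added example that is not part of the original post: connect to the bare IP, skip only the hostname check (which is the mismatch the browser complains about), and read the subject, issuer and SAN names from whatever certificate comes back. TARGET_IP and SAMPLE_CERT below are constructed placeholders, not values from the post.

```python
import socket
import ssl

# Constructed placeholder (RFC 5737 documentation range); use the address
# from your own logs instead.
TARGET_IP = "192.0.2.10"

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns, so the
# parsing can be exercised offline. Not a real certificate.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Corp"),),
                (("commonName", "www.example.test"),)),
    "issuer": ((("organizationName", "Example Root CA"),),),
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "example.test"),
                       ("IP Address", "192.0.2.10")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def _name_to_dict(name):
    """Flatten the nested ((('key', 'value'),), ...) tuples into a dict."""
    return {key: value for rdn in name for key, value in rdn}


def summarize_peercert(cert):
    """Pull the identifying fields out of a getpeercert() dictionary."""
    subject = _name_to_dict(cert.get("subject", ()))
    issuer = _name_to_dict(cert.get("issuer", ()))
    return {
        "common_name": subject.get("commonName"),
        "organization": subject.get("organizationName"),
        "san_dns": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "issuer": issuer.get("organizationName") or issuer.get("commonName"),
        "not_after": cert.get("notAfter"),
    }


def probe_ip(ip, port=443, timeout=5.0):
    """Return (summary, chain_trusted) for the certificate served at ip:port.

    Chain validation stays on; only the hostname check is disabled, since an
    IP literal can never match the certificate's names. If the chain does not
    validate (self-signed, private CA) the server's PEM is returned instead,
    which `openssl x509 -noout -text` can decode by hand."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock) as tls:
                return summarize_peercert(tls.getpeercert()), True
    except ssl.SSLCertVerificationError:
        return {"pem": ssl.get_server_certificate((ip, port))}, False
```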



Thursday, September 4, 2008

Playing with Animoto

I'm on my way to the Atlantic Coast Blacksmith Conference this morning, so I thought I would leave you with this Animoto video of the New England Blacksmiths' Spring Meet.

Tuesday, September 2, 2008

If you aren't using the door, close it!

No, that's not latent fatherly advice (and turn off that light!)- it is a reminder that a lot of systems have SSH ports open to the Internet, and the Internet is a dangerous place.

Yeah, we all know that- but did you remember to lock the door last time you used it?  I ask now because I have heard *anecdotally* (wink, wink, nudge, nudge) that lots of folks are getting SSH scanned heavily, including many login attempts.  This lines up well with this US-CERT advisory.  So take a minute to review what you have facing the tubes, and close what you can.

If you do need to leave SSH wide open, this might be a good time for reviewing keys and passphrases- and keeping an eye on logs.
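For the "keeping an eye on logs" part, here is an added example (not from the original post) that reads sshd lines in the default syslog format, groups failed logins by source address, and flags any password login that followed a guessing run from the same address. The log lines are constructed samples, and the host name, addresses and threshold are assumptions.

```python
import re
from collections import defaultdict

# sshd's two interesting auth messages (OpenSSH wording, syslog prefix ignored).
FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2"
)
ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>password|publickey) for (?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2"
)

# Constructed sample log (documentation-range addresses), not real data.
SAMPLE_LOG = """\
Sep  2 03:14:01 bastion sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Sep  2 03:14:03 bastion sshd[4021]: Failed password for invalid user oracle from 203.0.113.7 port 51023 ssh2
Sep  2 03:14:05 bastion sshd[4022]: Failed password for root from 203.0.113.7 port 51024 ssh2
Sep  2 03:14:09 bastion sshd[4023]: Failed password for invalid user test from 203.0.113.7 port 51025 ssh2
Sep  2 03:15:10 bastion sshd[4030]: Failed password for root from 203.0.113.7 port 51030 ssh2
Sep  2 03:20:44 bastion sshd[4101]: Accepted password for root from 203.0.113.7 port 51188 ssh2
Sep  2 08:02:17 bastion sshd[5210]: Failed password for alice from 198.51.100.22 port 40001 ssh2
Sep  2 08:02:25 bastion sshd[5210]: Accepted publickey for alice from 198.51.100.22 port 40001 ssh2
"""


def analyze_sshd(log_text, threshold=3):
    """Return (offenders, suspicious_logins).

    offenders: {ip: {"failed": n, "users": set, "invalid_users": set}} for
    every source at or above `threshold` failures. suspicious_logins: list of
    (ip, user) password logins accepted after such a run; key-based logins
    are not flagged, since they are the recommended replacement."""
    per_ip = defaultdict(lambda: {"failed": 0, "users": set(), "invalid_users": set()})
    suspicious_logins = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            rec = per_ip[m["ip"]]
            rec["failed"] += 1
            rec["users"].add(m["user"])
            if m["invalid"]:
                rec["invalid_users"].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m and m["method"] == "password":
            rec = per_ip.get(m["ip"])
            if rec and rec["failed"] >= threshold:
                suspicious_logins.append((m["ip"], m["user"]))
    offenders = {ip: r for ip, r in per_ip.items() if r["failed"] >= threshold}
    return offenders, suspicious_logins
```

A single valid user mistyping a password (198.51.100.22 above) stays below the threshold, while the run of guesses against non-existent accounts and then root is reported, together with the password login that followed it.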