Monday, July 12, 2010

This will be interesting.

The week of Las Vegas madness that encompasses Security BSides, BlackHat and DefCon is approaching.  I am fortunate enough to be speaking twice that week:

I will be leading Security Speed Debates at 10am on Thursday, 7/29 at Security BSides.  It is an idea I have blatantly stolen from AusCert, but ours will be better, at least partly because we don’t talk funny.  I will be joined by the lovely and talented Josh Corman and Dennis Fisher (you decide which one is which) plus a “player to be named later”.  We will each have one minute to make our cases for or against a variety of incendiary topics, then we’ll give a couple of folks watching the spectacle a chance to add their opinions.  To make it more interesting, the panelists will be assigned pro or con positions, on the spot, by coin toss.  The goals are to 1: have fun, and 2: encourage conversation.

I will also be moderating a panel discussion on PCI at DefCon at noon on Sunday.  Yes, PCI at DefCon.  We have a killer team lined up for the panel; see the lineup and summary here.  I’ll be joined by James Arlen (aka Myrcurial), Anton Chuvakin, Joshua Corman, Alex Hutton, Martin McKeay, and Dave Shackleford.  How’s that for a team?

I think our synopsis sums it up very well:

“PCI at DefCon? Are you on drugs? Sadly, no- compliance is changing the way companies "do security", and that has an effect on everyone, defender, attacker, or innocent bystander. If you think all that 0-day you've heard about this week is scary, ask yourself this: if a company accepts credit cards for payment, which is a more immediate threat- failing an audit or the possibility of being compromised by an attacker? That is one of the reasons "they" do not listen to "us" when we try to improve security in our environments- as real as they are, our threats are theoretical compared to failing a PCI assessment. Systems are hardened against audit, not attack. Sadly, this is often an improvement, but this can also reduce security and provide a template for attackers. This panel will discuss and debate strengths and weaknesses of PCI, expose systemic problems in PCI-DSS, and propose improvements.”

If you’ll be in Vegas that week, consider checking these out; they should be fun.


Friday, July 9, 2010

Wildly successful social engineering

Someone has done some wildly successful social engineering.  Amazing, actually.  I am not talking about the “Robin Sage” social media/social engineering case where a lot of people who should know better gave up a lot of information in a lot of different ways.  That may be interesting (we’ll see when it is presented), but even though some of the results were sensitive, that is building on a lot of prior work.

I am talking about the coverage of that story, where the reporting has largely been horrible, gullible, naive crap.  Sorry folks, but yes, that includes coverage from people I like.  If you believe a lot of what you read, you would think that a lot of people were “duped” into following/friending/linking/whatevering Ms. Sage.  This shows a gross lack of understanding of both social networking and the security community- both on the part of the journalists, and to a lesser extent, the researcher.

The people who “over-shared” really are a problem, and it may be interesting to see what Thomas Ryan (the person behind Robin Sage) presents at DefCon.  It looks like s/he got a lot of sensitive information from people who should know better- three letter agencies, military, and more.  Interesting, but “people are stupid and gullible” is not really ground-breaking, nor is mining/abusing social networking to prove this point a new idea either.  It does sound like the scope and scale may be noteworthy.  But not new, and being a skeptic, I’m not sure it is newsworthy.

Where things fall apart is the nonsense over stories which pretty much proclaim that MILLIONS OF SECURITY PROS DUPED, and point to the number of friends/links/etc. the virtually perky Ms. Sage gathered.  I would like to point out four things:
  1. Different people use social networks in different ways.  Just because someone accepts your connection request does not mean they are fooled by you.  They may not even care if you are real or fake.
    • Maybe they think (and this is sadly common) that having more connections makes them more important.
    • Maybe they are public figures of some kind, and accept most requests as a matter of policy.  If people are careful with what information they share, there is nothing wrong with this. Nothing. It is voluntary, get over it.  It is how Social Media and Social Networking work for many people.  If you don’t like this approach- don’t use it.
    • The decision to accept may be based on connections offered (via friend-of-a-friend linking) instead of being based on the person making the request.  Again, if you are cautious about what you share, there isn’t a risk here- even if it is a pretty shallow move.  Robin certainly had some interesting friends/links to entice people.  Put another way: Some days, the wingman scores.
  2. Once Robin Sage became fairly visible, the drama got interesting and a lot of people began following/linking to the myriad of Robin Sages (yes, there were clones and evil twins, too) just to watch the train wreck.  I was one of these, and like many others I had my suspicions- but didn’t care if she was real, fake, or just another troll, there was entertainment.  People were not duped, they grabbed a beer and some popcorn and watched the show.
  3. Robin Sage was called out.  Spotted.  Thoroughly outed.  Many thought “something was fishy”.  Some people did actual research and provided real details.  People had to connect/accept to do the research and confirm their suspicions.  The press almost completely missed this critical point.  They also missed the fact that once this was widely known, even more people connected to and followed Robin to watch the evolving train wreck mentioned in point 2.
  4. Mr. Ryan apparently convinced (socially engineered) much of the media into thinking this was something it wasn’t, and the result was not journalism, it was an embarrassment.
And this is just the worst of it this week.  Half-baked ideas, giant (and flawed) leaps of logic, obvious vendor spin, and more were all on parade.  Maybe it was the heat and no one could think clearly.  Maybe it was Vacation from Healthy Skepticism Week and no one told me.  I don’t know, but I’m not happy about it.


[Note: since posting, the question of linking to specific examples has come up. I debated it while writing this post, but in the end I decided that the issue was so pervasive that calling out specific writers or articles would not have been productive.]