Tuesday, July 23, 2013

Hacker Summer Camp and @HackerRoad

Next week is “Hacker Summer Camp”, also known as BSides Las Vegas, Black Hat, and DEF CON week.  As you might expect, I’ll be at BSides most of next week, then heading over to DEF CON when we finish hiding all the bodies, er, cleaning up and packing out.  We have a killer lineup for BSidesLV as always, and Irongeek will be recording the sessions so you can catch up if you won’t be joining us or miss one you want to see.

I’ll be giving a talk in the Common Ground track, a decidedly non-InfoSec talk:

The Erudite Inebriate’s Guide to Life, Liberty, and the Purſuit of Happineſs

An exploration of bitters, classic cocktails and other stuff

That will be on Wednesday at 16:30 in the Tuscany room.  I’ll also be joining the all-star lineup of Davi Ottenheimer, Raymond Umerley, Steve Werby, David Mortman and George V. Hulme on Thursday at 12:30 in Florence G for a panel discussion on breach notifications, ethics, and law.

I’ll once again be participating in DEF CON Hacker Pyramid and beard competitions, and of course providing logistical support for the FAIL Panel.  But no pink camisoles this year.  Well, probably not.  Possibly something worse, though.

And finally, for a little entertainment, follow the adventures of video guy Steve and me as we drive from Cape Cod to Las Vegas and back.  Face it, you’ll just be pretending to work until next week, either in prep for the trip, or out of bitterness because you can’t go.  So follow the adventures on Twitter at @HackerRoad as we wander the countryside cursing the latest update to Google Maps for Android, stop at distilleries, and spread cheer wherever we go.  Or something like that.  Maps, photos, video, etc. will be posted to or linked from that Twitter feed.  (Yes, that’s the old Shmoobus account, rebranded for a more wide-ranging set of adventures.)  The road trip is made possible by my awesome employers at Tenable Network Security, who are too smart to directly sponsor something this silly, but are kind enough to indulge me taking time for such madness.



Thursday, July 18, 2013

Missing the lessons

Listen up people, I enjoy a pointless socio-political sequential rant on Twitter as much as most folks (I say sequential rant instead of debate, because real debate rarely happens on Twitter)- but seriously, almost the entire InfoSec world is missing the lessons of Manning, Snowden, et al. which are relevant to our goals of securing info.  Also, I see way too many people who should know better falling into the media, troll, and pundit (hard to tell the difference sometimes, probably because there isn’t always a difference) trap of narrowing choices.

Let’s start with the choice flaw: if you are given an “either/or” choice and fall for it, you’ve let the punditroll define the terms of the conversation, and you’ve lost (or at least truth has lost, but what the hell, The Truth is sadly accustomed to losing).  Is [Snowden/Manning/U.S. Grant/George Washington] a hero, traitor, or demon? Yes and no to all of the above- it depends on your position and too many other factors.  Reject the either/or fallacy, and don’t participate in it.

Now, about the lessons- politics, justice, and all that stuff best decided on Twitter or Reddit (or 4Chan) needs to be set aside for a minute so we can look at the security challenge.  My first InfoSec reaction to both the Manning and Snowden breaches was WHY THE HELL DID HE HAVE ACCESS TO ALL OF THAT?!?!?  A few hundred thousand diplomatic cables and other sensitive info freely available at a forward military base- all of which could be accessed and copied by enlisted personnel without supervision- and without setting off any detections?  Treasure troves of Top Secret documents available to a junior contract employee of an intelligence contractor?   Epic failures of fundamental information protection.

The US Department of Defense knows better, but they failed miserably.  To their credit, they’re trying to fix those access problems, but that is not an easy task, and I fear that those beating the Drums of Cyberwar will distract the DoD from getting the basics under control.  And what about Boozed-Allen-give-us-the-Hamiltons?  We (literally we, US taxpayers) pay them a lot of money to screw up.  As I have said many times before, never outsource your core competencies, especially failure.

I understand that this is not a simple challenge, but if you can’t answer

“Who has access to what, under what conditions, and with what monitoring and safeguards?”

you have a problem.  Probably more than one.  And no, I do not expect you to be able to answer that about everything you need to protect.  But maybe, just maybe, the stuff that can embroil multiple nations in political and diplomatic turmoil if leaked- that stuff, you should put a little thought into protecting it.  Maybe you don’t protect (or fail to protect) anything that sensitive, but you probably help protect things which if lost would cause people (including you) to have A Really Bad Day.  Skip the next round of pundit listening or troll feeding and think about that.


Monday, July 1, 2013

Please, let it go.

I thought it would calm down after RSA earlier this year, all the hype and nonsense about “active defense” and “hacking back”.  But it hasn’t.  Sure, there have been ebbs and flows, but the nonsense continues.  I guess it’s my turn to add to it.

If you have had your first serious discussions about “active defense” and/or “hacking back” in the past year or so, you are either new to the business, or are negligent.  Period.

If you make the claim that “active defense” is only a euphemism for “hacking back”, you are either hyping an agenda, or selling a (probably outdated) security model.  Or perhaps you’ve just been misled by the previously mentioned shysters.  By my count that’s three flavors of wrong, although one may be slightly less bitter.

Let’s start with “active defense”.  It is not a new idea, and it doesn’t necessarily mean hacking back.  It may encompass counterattacks, but there are a lot of active defenses far short of attack.  Call it what you want, active defense, or offensive countermeasures (as John Strand and Paul Asadoorian have called it), or devious defense, or maybe just “not lying there and taking it passively”.  If an action causes you or a system to take a corrective or defensive action- that is “active”.  Try too many bad passwords- we’ll lock the account.  That’s active (if somewhat lethargic) and very old.  IPS?  IDS triggering scripts to block traffic?  Those are not new, and are not passive.  (Although, as Chris Hoff posits in a recent post, most inline defenses are deployed in passive mode).  In Ye Olden Days we could even take the “active” defense of contacting an ISP and asking them to block someone (yes, kiddies, once upon a time this actually worked, albeit sporadically).  How about tools like Ben Jackson’s cool WebLabyrinth- that’s certainly active.  Sure, you can cross over to things like setting traps which report back to you when files are taken, or hiding malware in tempting-looking docs- but those are one end of a long scale, and still fall short of directly attacking your attackers.

And about that “attacking your attackers” thing- if you have ever defended a network under attack and not done a little “thought exercise” about buying some temporary relief via counterstrike… well, your heart is more pure than mine and many others I know.  Also, if you believe that digital counterstrikes haven’t been an “off-menu” offering for some boutique (and probably not-so-boutique) consultancies for quite a while… let’s just say you can stop waiting for the Easter Bunny.

Oh, and the “but, but, attribution”, “blaming victims”, and “attacking innocent bystanders” stuff?  Yeah, no.  I’m so sick of this nonsense I’m going into dangerous territory and using an inappropriate and incendiary metaphor. You’ve been warned.

If you fail to secure your firearms and someone steals them, then uses them in the commission of a crime…

(I told you it was going to be bad).  Backing away from extreme hyperbole now- my point is that if you can identify a source or relay point in an attack, you have likely identified a negligent party who is probably also a victim, but I’m not giving them a blanket grant of innocence.  This does not necessarily mean I support attacking them, but let’s be honest about their unwitting complicity in Crimes Against the Internet.  To me, this changes the nature of what *might* be an acceptable counterattack from “rm -rf” to “shutdown -h now”.  Yes, yes- it isn’t illegal to be negligent on the Internet, but the laws are so far behind the technology that they are largely irrelevant until YOU get caught up in them.

A few months ago Dan Geer took a pro-“offensive defense” position on the Risky Business podcast episode 273.  It is worth a listen, and I largely agree.  I’m not suggesting you start attacking things unless and until the laws change and your organization has serious and candid conversations on the ramifications of your actions- it is not a course of action for the unskilled or faint of heart.  For most, I think effort would be better spent improving defense and response instead of engaging in digital combat, but for some I believe it could be a viable option.  For some, it has been and will remain a viable option (debate ethics, legality, and liability all you want, that doesn’t change the fact that it has happened and will continue to happen).

Now can we please have some adult conversations about these topics, and stop the faux-naivety and real hype?  Oh, wait, InfoSec.  Right, never mind.