Laptop Bag Review (Spire Torq)

I needed a pack that can carry a Dell M4500, a few hard drives, some wireless gear, and standard office-type junk. This pack is perfect, it's construction appears much sturdier than anything else I looked at. After 8 months of abuse, I travel a lot, it looks brand new. The laptop sleeve, and the hanging design, are perfect.

The interior has enough pockets and zippers for me to adequately separate my gear by function. I can get to what I want easily even when it is stuffed under an airplane seat. It seems to fit there fine and I can still rest my size 12 shoes comfortably next to it.

The exterior has the "must-have" features I couldn't find in other packs like compression straps, stowable waist belt, molle-type loops in the front, and rings for attaching things to the outside of the pack. For the outside rings, I attach a ball cap and a rain shell since I am allergic to umbrellas;-). The shoulder straps are very wide and padded as is the waist belt. This is critical for load distribution and a place where many other bags fall short.

I f I HAD to knock anything, the pack is so roomy and sturdy you might overpack it and it would be super heavy. I would also like to see the laptop sleeve modified to tote around your laptop brick somehow as well. For the exterior, I could see home some might want more molle but the four on the front are enough for me.

Cyber Security Sucks

Warning, rant ahead:

For several years as I have learned more and more about how computers, networks, and policy are interrelated. I have felt security in these areas is actually getting weaker. I listen to people just blame security issues on Bill Gates and think they are immune because they can bash a vendor.  This seems to be happening by over governing some aspects, under funding, and hiring of absolutely the wrong people. Today I saw a couple of blog posts that should let you know exactly how bad it is out there.

First, consider this from Taosecurity. If you don't believe that is our stolen technology staring you in the face, it is. APT is a really hip buzzword, but it's real and you better figure out what it is and where it is on your networks. I know a couple of govie orgs suffering from this right now but they are too arrogant to think it could happen to them so it will remain on their networks until.. well probably awhile.

Saving the best for last, I read about the carders.cc job. No, I didn't read the 900 cut-and-paste opinions on it, I read it from the d00dz who did it. Are you still confident about your security, wanting to trust your users, wanting to trust some 1337 guy you hired? Read this e-zine from the 0wned and Exp0sed crew. If that doesn't make you realize we all suck at security, I don't know what will.

I am not at all saying we, or anyone mentioned, is stupid. I am stating that the enforcement of the status quo must stop. We all need to learn more, do more, and weed out the lameness. Note in the zine that if you have used (installed) ettercap in the last five years, you might want to check your "shit." Do you know how many of us use that? ALL OF US!! That sucks!. These people went after several high-profile well-respected security pros, and their websites and 0wned them at will. If you think you're immune please share your awesomeness with the rest of us because this should make you realize how bad the state of security is. What this group did is wrong but things like this need to happen in order to get things moving in the right direction.

There are no internal applications

I read this post by Rafal Los (Wh1teRabbit) and wanted to agree completely. If you still believe you can have a firewall and an IDS and "trust" your users, you are inviting a problem. If you have a team that is convinced that nothing bad could ever happen to their infrastructure because they are 1337, you have a bigger problem. The blog post and comments focus on the fact that data is what needs protected, not just the location of the data. As mentioned in an earlier post, mobile computing and new threat and attack vectors are removing your borders for you.
Your people are your greatest asset and your biggest risk. Somebody in your organization clicks links, brings in infected USB drives, plays of Facebook all day, or actually wants to steal your data. I have been inside some supposedly very secure networks before where nothing but everyone's good intentions, and some veiled threats, stopped them from doing whatever they wanted. I don't just mean a penetration tester with network access, I mean anyone that knows how to open network neighborhood or send email. Talking with the management in these organizations resulted in some head nodding and furrowed brows but no change or desire to change. Every now and then a technical person would get frustrated and leave only to be replaced by a project manager or an "architect." At one place, a mid/senior-level analyst left and the management decided to replace him with someone  that had no security experience. One of the quotes overheard from that management group was "We don't need anymore smarty pants around here, we need someone who can get along with everyone." I agree that your team should function well together, just not at the expense of your data's security.
So, think of it this way:

1. Can a malicious insider, no matter how unlikely, steal your data?

2. Can a non-malicious insider bring a threat inside that compromises your data?

3. In either case would you even know if this had happened?

4. Why can it happen?

5. What can be done to lower the risk or impact?

Good luck planning for future security projects, don't forget to use the wiki leaks trend to increase your budget for next year.

Is your information security crushed by the org chart?

Funny cartoon. It's understandable that some organizations definitely wouldn't want their shortcomings broadcast for all the world to see. I am more focused on the first sentence, "Information security is a major priority at this company." That statement is heard a lot when you are a penetration tester and even when you are a "blue teamer" for a company. There are times when the best cyber security team can be stopped cold by an organizational chart. If the team is not properly positioned inside the organization and given the authority to implement policies and controls then nothing happens. Let's look at some examples I have witnessed in the past.

At many places there is no CSO or CISO to this day. At times this put the infosec nerds reporting to the CIO. The CIO is most often concerned with things working or availability. In addition he/she will develop a technological vision for future services and offerings within a company and how to make things better and/or faster. While this person may consider security as a component of their job, it is not their sole purpose and balance may be difficult to achieve. In one organization I saw a CIO who had been moved from either accounting or HR and made the CIO. They had no relevant technology experience yet had been placed in charge of all technology. At that point in time IT within the organization was stagnant and falling behind the technological curve. They had a security group, but no CISO so security suffered the same fate as IT in general. In a different institution I have seen the CIO report to a department head and not to the leadership of the company. Any c-level personnel should have the eyes and ears of the top two individuals or governing board of an organization. Without that, this CIO was effectively just a middle manager with a fantastic salary and title yet no actual authority. I know some folks hold to the idea that people can effectively wear multiple"hats" and have even seen that work in smaller businesses. My experience with larger companies has shown that trying that simply enforces the status quo, which may be their goal and that's fine, and does not foster effective internal communications and relationships. In the simple diagram below I have shown the c-level folks as equal peers reporting to the number 2, as a minimum, within this organization. I have seen other examples where security reported to the CFO or was incorporated into internal audit but those models were short-lived examples. I would love to get some examples from the real world with success stories.

Smartphones: Destroying your perimeter one device at a time

Sounds like an overstatement, I know. Smartphones are incredibly powerful devices that open up a world of possibilities for communications versatility on a tiny platform. Consider this statistic: "...48% of employees are allowed to use their personal smartphones to connect to corporate systems – on the flip side, 70% of employees are permitted to use their company-provided smartphones for personal business."   - http://ridethelightning.senseient.com/2010/11/cios-see-smartphones-as-data-breach-time-bombs.html

That's not a security-minded practice. I have been listening to C-level decision makers this year in conferences using phrases like "If you can't beat them, join them." "We must learn to work with social networks because this upcoming generation expects it." These are interesting perspectives and quite a shift from the website blocking and strict rules we all experienced just a few years ago. Perhaps they decided breaches were still happening then so why keep fighting the tide. Whatever the decision, the smartphone is the most significant piece of your enterprise that is walking around in someone's pocket, getting lost on the subway, or stolen. If you allow these devices to connect to your enterprise, are you fully aware of the device's capabilities? I don;t mean what the manufacturer said it can do, although that's a great place to start, I mean what is it actually capable of? Do you know if the security features touted by the vendor can be bypassed? Over the past several weeks there have been vulnerability reports issued for iPhone and Android Platforms. The last time I tested an iPhone the encryption was purposely defeated by the operating system kernel. If you allow Android phones they were designed to be flexible and open platforms, security was not the primary consideration. What kind of threats can this pose to your organization? My phone is the Google Nexus One running the latest, 2.2, OS. In addition to the phone's native capabilities, I have rooted it and installed a custom ROM. Performing these actions has given me complete control of the phone's hardware and allowed me to install Ubuntu 9.10. Once I had the Linux distro stable I installed nmap, OpenVas, and metasploit. I also installed etterrcap, wireshark, and a few other tools before running out of space but you get the idea. My phone was now as weaponized as a pen testing laptop. The only downside being storage and the typing was terribly painful.

I know your users will bug you until you must allow whatever platform they think is the coolest, I mean the one that makes them the most productive when not at their desks. As you implement these devices the risk they pose should be considered carefully and the platform should be thoroughly tested. If your organization is not capable of hacking on the devices, it may be worth the investment to contract an outsider so you know exactly what you are getting.

TSA's "signature-based " security

Infosec analysts have long been lamenting the shortcomings in signature-based security items like traditional antivirus. It would seem that the TSA has somehow managed to latch onto this philosophy even though it isn't working well in IT. Let's take a look at how the TSA is mirroring this with their decisions.
I recently went through security at FLL in Ft. Lauderdale security. As usual I was singled out and moved through secondary, or extra, screening. I would say this happens to me 90% of the time and always has. I don't complain and understand the gate agents are just doing their jobs and I would hope that most folks don't vent on them, they are not the problem. So I get taken out of the metal detector (md) line and moved to the "nekkid machine" (backscatter xray). I am not shy so the backscatter doesn't offend or bother me, while I am in there, I asked the agent if I could see the picture since it was such a hot topic. She stated that the pictures were displayed somewhere remotely and that I had to go stand on the footprints and await instruction. While I was standing there a very professional male agent began to recite the standard pat down procedure that might be necessary if the xray revealed that necessity. HE then got the call in his secret service earpiece that I needed to be physically inspected. He performed the pat down just like a cop would and off I went. Altogether it was 10 minutes to get through the line and the TSA folks were great. The problem is that most of this still seems like the illusion of security.
I say this based on a couple of different thoughts or observations. First, I know that I have zero desire to take over a plane. This skews my perception of the procedure but I understand they can't know that about me. I have noticed that there is some discrimination taking place as they cannot preform this same procedure on a Muslim woman. In order to be ethnically sensitive the agents have been told only to check their head and neck areas. We have now arrived at the root of the problem. When you give preferential, or discriminatory, treatment to any group you are doing it wrong. If the plane is in danger then we must put our foot down and say search people regardless of their ethnicity. If you want to do some research and pick the culture(s) that would attempt this type of attack you might become much more efficient. Or don't, I don't really care but you are wasting your time giving me a leg massage.
The TSA signatures are as follows:

Someone once hijacked a plane with a gun = no guns allowed on a plane and everyone has to walk through a metal detector

Someone had a device in their shoe = I have to see everyone's feet at security and put my shoes in a bin ( or not in a bin depending on the airport)

Someone had a few ounces of "bad" stuff = I can only have enough shampoo in my bag for three days AND I have to have everything in a ziploc as if the stuff can be verified visually.

Someone uses a printer cartridge to form an IED = no more printer cartridges

What will happen when someone has a bomb surgically implanted or hidden in an orifice? I don't want an answer really. The point is that these actions and reactions don't quite seem to add up, and over time the reactions seem to escalate. Currently you are allowed to carry enough stuff onto a plane (electronics, liquids, shrapnel) that none of the above measures would stop. I don't want to post any combinations but I can certainly have 7 3oz bottles of almost anything under the sun, a significant amount of batteries, a number of other "toiletries", and keys or other small pieces of metal.

These reactions seem similar to how IT security has decided to work. We wait for a threat to surface then ban a symptom and wonder about how to kill the root cause. Alternatively if there is a compliance or regulatory mechanism we check off the boxes for the least amount of money possible and call it a day. This is tough since most of our companies are trying to make money and security can be very expensive. For the IT security world, I would like to see more technical people getting promoted into management positions with budgetary authority. For the TSA, I have no idea what the right answer might be but good luck and don't follow the signature-based model.

Cyber Security Forum Initiative - Stuxnet Project

I recently had the privilege of collaborating with about 30 other InfoSec professionals to learn more about the Stuxnet worm. The results of our work can be viewed here:

 http://www.csfi.us/?page=stuxnet

One of the more exciting pieces of work is a video created by Joel Langill from EnGlobal. In the video Joel infects an actual Siemens WinCC PCS7.

Cyber Security vs. IT Police/Harassment where's the balance?

This is an interesting and sensitive topic and I will readily admit there probably isn't a "one size fits all" answer. With that in mind, I wanted to relate my thoughts based on experiences with both balanced and unbalanced cyber security programs with respect to playing big brother instead of defending their enterprise.

A good cyber security program must be able to respond in a timely fashion when personnel incidents occur. The logging and tracking of data is essential in order to prevent scenarios where verbal opinions are pitted against each other (he said/she said). These situation are quite unreliable since emotion can be injected into the scene. As an example let say you have two employees, employee1 and employee 2. If employee 2 approaches the designated representative with allegations of wrongdoing by employee 1, the designated representative should be able to use a clearly defined process to obtain the evidence required to investigate the incident. This process should have adequate separation of duties, accountability checks, and safeguards that prevent any one individual ( or single group within an organization) from misusing or abusing this ability. This speaks to "who is watching the watchers" within your organization. I once sat in a meeting where a group member stated "Once a month I run a script on instant message chat logs looking for dirty words." While I agree that I am not to use company resources for things like that, my response to that statement was "why?" Unless someone is complaining about productivity or harassment, that evolution seems like a waste of time and the attempt to impose your moral stance on others. I later learned that many others had nicknamed this person "the hall monitor" and the comment made much more sense.
In a perfect world, this monitoring would not be possible without initiating an investigation into alleged behavior and no one individual should have access to "police" the IM logs. So, how does this work with social media? Your employer absolutely reserves the right to observe what you post in a public forum in order to assess how your thoughts and actions can potentially impact their business. Additionally, a clear policy (from HR not IT) should be in place defining what is acceptable and what is not. Now we get in to the HR side of things. Your HR department exists to make your organization better by finding the right personnel for your organization. Additionally, they may define certain policies concerning the interaction of personnel within your organization. In some cases, HR departments have become an overarching group responsible for any type of internal governance or policy. I believe this is a mistake and that the governance of a resource should be under the purview of the resource owner. For example, IT resources should be governed by the CIO, financial resources should be the CFO, etc.. This governance is compromised and ineffective if the c-level personnel are not reporting to the heads of the enterprise or the governing body of the enterprise. I point this out having observed a few instances of IT security personnel handing over volumes of data to HR personnel in the past. Handing over web proxy data, when there is NOT an active investigation, would fall under my big brother/waste of money category. I categorize it this way for two reasons; one if the supervisor or other employee has not complained then this is not necessary and you are simply satisfying your curiosities about whether some individuals are on FaceBook as much as you are at work (they are). Two, HR personnel are unlikely to be aware that the HTTP protocol is stateless and those statistics are somewhat meaningless. I know the company that sold you that proxy software or device told you differently, but that was probably the sales dude while the technical guy sat silent. Without completely observing netflows, keystrokes, clicks, and the registry key "TYPEDURLS" you are doing a bit of guessing. An HR person is possibly doing a lot of guessing if the proxy stats alone are handed over. The job of IT/Cyber security should exist to defend an enterprise against threats (internal/external) in cooperation with other groups (IT, HR, ???). This defense can include the analysis of evidence collected from various sources some of which are not under the purview of your security personnel. This separation of duties allows for a balance of power within your organization. The security team should NOT be responsible for "spying" or observing behavior on an individual basis when there is not an active investigation. While this is a delicate balance I believe you can sum up your role with the following statement: "How does make safer from internal and external threats?"  followed by "Are there loopholes negating causing to actually be less secure?" I will follow with my tried and true removable media example observed in multiple environments:

" does not allow external (privately owned) removable media to be used in conjunction with company-owned assets." This is a good policy yet is just an exercise in writing if there is not some technical control to enforce it. Now this becomes further moot if you have the following:
" users may connect personal assets via the virtual private network (VPN) when working remotely." You have just allowed that removable media to the assets needed by the user. I can already hear "but we have via the VPN to prevent the badness." Outstanding, did you test that, does the user need that capability, why isn't that same mechanism used with your equipment so that the whole policy isn't needed?

How do you restore the balance if your organization is not functioning correctly? Start at the top, someone allowed this to happen and possibly encouraged it. Draw out what the program should look like and the processes that should accompany it. Demonstrate how the technical controls will enforce your policies and make your program better internally and less of a target externally. Ensure your personnel are up to date in their training and skillset. If YOU are not up to date and cannot recommend the correct technical control, GET TRAINING. This stuff isn't rocket science and you are not benefiting anyone by not understanding the full scope and impact of your position. Cyber security is a constant learning process; that's why the best conferences are training where the individuals give and take from each other in open forums trying to understand the gaps in what they have tried. Best of luck finding the right balance for your organization.

Electric Vehicle vs Gas

I keep hearing that it takes "a lot" of power to charge one of these things. With that said, I have also heard that no matter what and electric vehicle is cheaper to operate than a gas-powered vehicle. Can someone explain how much it will cost to charge one of these dudes? I currently spend about $250 in gas every month for 2 non-efficient vehicles. Based on ten cents per kilowatt hour, what would this vehicle cost me assuming I only charged it at home?

East Tennessee Cyber Security Summit Review

This week I attended ETCSS 2010 on October 19 - 20 here in Knoxville. This was my first visit to this conference and differs significantly from the "training" conferences I usually attend. I heard a lot of different people talk about Info/Cyber Security with some conflicting points of view. Overall I would say the conference is well worth attending but don't expect a lot of technical information or demonstrations. Two of the elements that were quite exceptional were the mock court exercise where a real world case was on display with the defense attorney luring the prosecution into stating how much they relied on MD5 hashing and then demonstrating an MD5 collision. That was quite a cool moment and Craig Ball, the mock defense attorney, really did a great job.
I also really enjoyed hearing Dr. Ron Ross from NIST discuss Enterprise Architecture and "Defense in Breadth."  Dr. Ross spoke well of the problems that some companies view as small "chinks in the armor" which are really more like "hey you forgot to put your pants on." As an example of this I will interject a personal recollection. I observed the following security posture sometime in the past. The organization fanatically wanted to protect their intellectual property and spared no, almost anyway, expense to do it. Some of their protective measures included Whitelisiting the Internet, reviewing EVERY email that left their domain, knowing EVERY document that was printed, and doing a great job of preventing unauthorized USB drives from being present on their systems. In contrast the same place used WEP for their wireless infrastructure, not the guest network either, one of the whitelisted sites was Facebook, and had the wireless had virtually no separation from their wired network. There was also zero separation of the network internally, once you had an IP address on the inside you could roam anywhere and no one would really know. They viewed the WEP problem as too expensive to overcome in the near future and an acceptable risk. As an attacker I would view this organization as having zero obstacles for me to overcome in order to get inside their network. Defense in Breadth would seek to teach organizations like this that cyber security is almost becoming an all or nothing. You either do it all and do it well or just don't try. I know this sounds like gloom and doom but with the proliferation of attack vectors and the automation of many exploits it's becoming really easy to circumvent protections that may have slowed down an attacker in the past. Kudos to Dr. Ross and NIST for pointing this out.
At the end of each day there was an expert panel that would field questions from the audience. The knowledge and skills of the panel members led to great advice on procedure and policy for your enterprise but they were unable to field a couple of technical questions from the audience. I thought that was funny since it appears that more and more the people in charge of cyber security were not ever in the trenches. A friend of mine in the industry, who was not at the conference, told me a couple of weeks ago that infosec has been overrun with parrots and talking heads that "retweet" what they hear or read sometimes without understanding what things mean. I certainly don't mean to imply that there is zero value for administrative/policy oriented folks, just there there needs to be a better balance in some cases. For example I once obseerved an organization where there were approximately 15 infosec people and 70% of them had zero technical background or ability. The technical people often had 2-3 different project managers trying to get info from them so the non-technical group could turn out status reports and updates that were relevant. It may have been more efficient to allow the technical folks to manage their own projects and time in addition to increasing the number of technical people. Perhaps there was some cost benefit in the model that was present however the security posture of the organization had suffered in the past because of it.
There were two talks on insider threats that were good. This is a serious problem that is not getting enough attention. I am definitely becoming a fan of the zero trust model where every node is a suspect. Unfortunately, some folks are viewing this as offensive and think the users of your network will have their feelings hurt but we need to get over that. First, it's not that you think they are all evil just that mistakes happen. Second, they are all evil or at least susceptible to coercion for a large some of money or perhaps extortion to protect their own interests. Either way you are just taking that responsibility away from the endpoint or user and providing the right environment which will reduce the insider threat. 
Lastly, I saw a presentation that was a teaser for taking the SANS SEC 542 web application testing class that was more along the lines of demonstration and "how-to." That looks like a good course and, if I can, is definitely the next certification I would like to get. this talk talked about what web app vulnerabilities are common, what tools can identify them, and what can be done to mitigate or remediate these issues. For a one hour talk it gave quite a bit of insight and demonstration. Good job Jim Purcell!
Like I said earlier, overall the conference is good, well attended, and well organized. None of the talks were "bad", just stuff that wasn't new or that we have all heard a few times in the past. As always, a conference is a great place to meet people that are in your industry and build your social network to learn what may be working and not working in certain areas. I think I would like to a see a conference were people talk about what didn't work for them. Probably no one would be willing to talk about their organization like that but it would be cool to hear the honest side. It would be extra cool if people would say "we tried (insert product name) or (some architecture) scheme and it totally sucked, hackers ate our lunch for two weeks while we tried to fix it." Then they could detail how it was fixed.

Don't be a "bait ball"

When small schooling fish are attacked they swarm together into a bait ball. As they get picked off by tuna, sharks, and seals from below they are also getting eaten by birds from above.

I bring this up because I recently heard some decision makers saying "Well there are a lot more vulnerable targets than us, maybe the hackers will just leave us alone." This is typically in response to an audit finding or a vulnerability that was successfully exploited during a penetration test that isn't cheaply and easily fixed. I have also heard from cyber security "professionals" in the past but that is typically a response from a non-technical person.

Don't let your business be part of the bait ball.

Forensic images by private investigators

I sent the following email awhile back:

Ms. Vest,

Does the state of Tennessee currently require a private investigator's

license to conduct computer forensics work as a contracted third party

where the evidence will be used in court. Additionally, if the forensic

analyst is called on to testify as a subject matter expert must the analyst then

meet the PI requirement? Thank you for your time and attention.

Best Regards,

Slade Griffin

I didn't expect to get this answer:

Mr. Griffin:

Ms. Vest forwarded your email to my attention for response.  Licensing

is required for any individual who performs any of the services outlined

in TCA 62-26-202((6)  “Investigations company” means any person who

engages in the business or accepts employment to obtain or furnish

information with reference to:

(A)  Crime or wrongs done or threatened against the United States or any

state or territory of the United States;

(B)  The identity, habits, conduct, business, occupation, honesty,

integrity, credibility, knowledge, trustworthiness, efficiency, loyalty,

activity, movement, whereabouts, affiliations, associations,

transactions, acts, reputations or character of any person;

(C)  The location, disposition or recovery of lost or stolen property;

(D)  The cause or responsibility for fires, libels, losses, accidents,

damages or injuries to persons or to property; or

(E)  The securing of evidence to be used before any court, board,

commission, officer or investigating committee.

The Private Investigators Licensing and Regulatory Act does not have an

exclusion or exemption for computer forensic specialists, or digital

forensic investigations.  The ony exclusions available are specified

under TCA 62-26-223.

Thank you for contacting this office.  Please advise if additional

information is required.

Beth

Beth Smith Bell, Administrative Assistant

Private Investigation and Polygraph Commission

If you are not a licensed private investigator, this doesn't look good. On the plus side, I am going to get my license and a Ferrari. 

Twitter gets JACKED

Ed Skoudis gave a talk at Hack in the Box last year where he lamented how sad it was that SQL injection was still going on. I would like to add Cross Site Scripting to that lamentation today. I was logged into Twitter this morning and suddenly started seeing a similar "re-tweet." I jumped on the Google and saw several early write ups saying Twitter was getting pwned. Here is the tweet I got:

www.t.co/@"onmouseover="document.getElementById('status').value='RT MiguelTarga';$('.status-update-form').submit();"class="modal-overlay"/

"onmouseover", you have got to be kidding me. I booted into a system I didn't care about and ran the cursor over the code; bang I was retweeting. That's slick, no clicking invovled. A successful stored XSS attack on a major site in 2010, awesome. Here's a quick write-up on XSS if you don't know how it works: http://en.wikipedia.org/wiki/Cross-site_scripting
 I switched over to m.twitter.com to watch the rest of the action since javascript isn't enabled on that site. The Twitter team responded quickly and cleared everything up within a reasonable amount of time. This should help prove that social media does not belong inside your network.

Strange Job Offer Timing

To be clear I am not currently job searching, that I know of, and this is just an observation. Over the past two or three weeks I have gotten about 10 job-related phone calls. These seem to come and go and I often wonder why so many happen at one time from different companies and different "recruiters." Two of the phone messages I got were barely intelligible as the caller was not proficient with English. Two were to work for the Department of Energy and I told the recruiters no thank you. The last was to head to Wilmington Delaware, which I also declined. I realized I didn't know much about Wilmington so I read their web page: http://www.wilmingtonde.gov/ and also looked at the wikipedia entry: http://en.wikipedia.org/wiki/Wilmington,_Delaware . The section on crime was a bit scary and the picture of the library was awesome.

Insider Threats, Policies and more.

USB HID Attacks

So, all the hackers are running around saying "hardware is the new software." Better than that, they are proving it to be true. I saw a post this summer about the "Rubber Ducky" attack the folks over at HAK5 are working on. If you aren't familiar with the rubber ducky stuff, check out episode 709. The potential for these attacks is amazing. Let's pause and think about HID.

HID stands for Human Interface Device, this is a fancy way of saying PC input devices. For the purposes of this discussion we are specifically referring to keyboards and mice. These days when you plug in a USB mouse or keyboard, what happens? It works! No authentication, no authorization, maybe minimal auditing in some environments. So what if that device you plugged in wasn't a keyboard or mouse but was simply reporting itself as one of those. For the 1337 folks reading this I get that you understand the potential, for the non-nerds that are reading I just inserted a device that is mimicking your keyboard. Now I am hearing the naysayers already: "We have autorun turned off." "We have least-user privileges.." etc.. Let me respond to that with: it doesn't matter. This is direct memory access, your user object is not relevant. Irongeek, Adrian Crenshaw, gave a great talk this year at Defcon. Check out his website, and this page specifically. He named his attack Programmable HID USB Keystroke Dongle: PHUKD. I apologize for the language but that name sums it up quite well. Here's an excerpt from Irongeek:

So, why would a pen-tester want one?

1. Likely types faster than you can, without errors. This is important when physical access time to the target system is limited. 

2. Works even if U3 autorun is turned off. 

3. Draws less attention than sitting down in front of the terminal would. The person turns their head for a minute, the pen-tester plugs in their programmable USB key stroke dongle, and the box is popped as Dave Kennedy likes to say.

5. The HID can also be set to go off on a timer when you know a target will be logged in, or by sensor when certain conditions are met. 

6. You could embed a hub and a flash drive in your package so that you have storage and the programmable USB HID all in one nice neat package.

7. Embed your device in a USB toy or peripheral (lots of spare room in a printer or dancing USB penguin) and give it to your target as a 'gift'. Packaging that looks like a normal thumb drive is also an option.

8. After your Trojan USB device is in place, program it to "wake up", mount onboard storage, run a program that fakes an error to cover what it is doing (fake BSOD for example), do its thing, then stop (leaving the target to think "it's just one of those things").

Awesome dude! Now you are asking, "how do I defend against this?" There are some ways to stop unrecognized devices from being activated but that's only devices that weren't previously installed. Lots of these offerings are also commercial tools which only work on Windows and are also not cheap. Speaking of Windows, don't go thinking you are safe if you use some other operating system. This style of attack will work on any platform that recognizes USB HID. This means every modern operating system is a potential victim.

I expect to see some defenses start popping up soon. Until then, you better start deciding how to defend against this and keep in mind that telling your employees "Don't use USB devices on your work computer" doesn't actually prevent them from doing it. You need that policy in place, but you must have a technical control backing it up and enforcing it. You also can't just go enforcing without the policy, so make sure you have both of them ready to deploy at the same time. If you are a Windows environment and you want some control, check these out:
Checkpoint Poinstec
Lumension Device Control

New Operating System

I am now running Backtrack 4 R1 and enjoying the improvements that have been made to the base functionality. I still don't think I would recommend it as a primary OS for just playing with a computer, but I do like having it readily available without using a VM or a separate partition. It still isn't easy to get OpenOffice.org or a screensaver working but it can be done. The underlying OS is Ubuntu 8.10 and it's running the 2.6.34 kernel. It definitely isn't as slick as Ubuntu 10.4 but it's not supposed to be. Once I get some other things working I will post some "how-to" videos for those of you who might want them.

"Why Vulnerability Research Matters"

Please read this article. I cannot believe, that's a lie, we are still having this discussion. Do people really think that if there was no sponsored or white hat vulnerability research that there would be no black hat hacking? Without getting too political this seems like gun control all over again.

Smartphones and their cameras.

Isn't it handy to have that Palm/Blackberry/iPhone/Android or whatever device that allows you to automatically upload pictures to FaceBook, Twitter, or anywhere public? I think these devices are pretty awesome and definitely help keep us all connected. Did you also know that your device is probably telling everyone exactly where you took your pictures? These phones are using a metadata structure called Exchangeable image file format or Exif. If you want to get particularly nerdy, you can read this link to understand more about that format. For those of you who just want a non-technical description, this is information about your image file that is stored "within" the picture file. Some of that information can be that location the picture was taken. For example, here's a picture of my brother and I at my sister's wedding:

This picture was taken with my Android-powered Nexus One. Examining the Exif data reveals the following:

 [Make                                ] = "google"
 [Model                               ] = "Nexus One"

 [GPSLatitudeRef                ] = "N"
 [GPSLatitude                     ] = 39 deg 37' 0.000"
 [GPSLongitudeRef             ] = "W"
 [GPSLongitude                  ] = 106 deg 5' 0.000"
 [GPSAltitudeRef                ] = Above Sea Level

 [GPSDateStamp                ] = "2010:02:20"

This shows the type of device, location and date. To disable this "feature" check your phone's camera settings and if you don't see a setting there, you may have to disable GPS functionality completely when taking pictures. If you need more information, look up your device, write to the manufacturer, and/or read this. 

Cool Product Updates

Guidance software has partnered with Lofty Perch and released an updated version of EnCase designed to help folks in the critical infrastructure world. I am interested in checking this out since modifying the software is only part of the battle. The SCADA, PLC, and other embedded devices still have to track, audit and store the data accurately for the forensics to be worth anything.

Metasploit and Rapid7 have been churning out massive functionality with VxWorks exploits, PHP meterpreter functionality, and many more. Metasploit is growing by leaps and bounds since the Rapid7 acquisition. I would love to get a hold of Nexpose and try some of this stuff out. If anyone has some experience with these software packages I would love to hear about it.

Wikileaks and Cyber Security

I'm back and catching up

I had an interesting time in Detroit. I heard some great presentations, some interesting perspectives, and gave two very brief talks. The insider threat talk went well; I like watching the operational security guys nodding their heads in agreement. The managerial guys also nod their heads but it's more of a "the would be nice if it didn't cost money" type of nodding. Regardless, I met some cool folks who definitely want the smart grid to be built securely. A few of them were vendors which is always cool, I love it when a vendor looks past the bucks and purposes to do things the right way. The second, unrehearsed, talk was to start up a new task force within OpenSG for network security. The group I am currently part of has been re-writing several of the DHS Catalog of Control Systems Security recommendations in an attempt to make them more actionable. In some cases this involves combining, in others controls are expanded. Either way, the group is coming up with some great verbiage that should definitely help folks in the future when they know "what" they are supposed to do and need the "how" to do it portion. Our new document should produce the "how", and the network security TF should be able to continue that work and pass it on as other groups continue to develop standards and requirements. This should provide a good foundation for the collaborative efforts that have been on going for quite some time and help to provide a common language and framework with respect to security.It's a privilege to be included in this effort, and I am getting to work with a number of exceptionally brilliant people that are teaching me a lot.

For the InfoSec people fighting the good fight

For those of you out there who "get it", "know what matters" and are fighting for adequate funding I humbly give you this Internet high five:

Insider Threats

I am heading to Detroit next week and will be presenting on "Insider Threats." There's a lot of cool research out there about this topic:
http://www.thetechherald.com/article.php/200831/1629/Analysis-of-Internal-Data-Theft
http://www.cylab.cmu.edu/research/chronicles/2008/cappelli.html
http://www.govinfosecurity.com/webinarsDetails.php?webinarID=67

What's funny, or sad, is that with all of that research I still haven't seen a lot of movement to mitigate this issue.  I once submitted a memo to my management regarding a vulnerability I exploited internally and was told to ignore it. The vulnerability gave anyone with physical access to a Windows Vista or Windows 7 PC SYSTEM-level access in about 60 seconds. In fact my immediate supervisor made some statement about "...Windows sucks" and " we trust our users." I will demonstrate this vulnerability, and the associated exploit, during my talk.
As I read though all of the talk on "Insider Threats" I see quite a focus on identifying the bad guy or girl. While I don't think that should ever be ignored, I feel there is an over emphasis here. Just prevent the data from being stolen or accidentally leaked. The truth is that we, yeah me included, have far too many privileges on our work computers and networks. We have all whined loud and long enough that people think we NEED twitter to perform our jobs. I have even been asked as a web-proxy admin to give someone access to Second Life at work. My supervisor replied with " {name removed} is a good kid, give him what he needs." After an hour of explaining what Second Life was, my boss didn't even know, he half-heartedly decided against it. Don't get me wrong, there is a place for trusting employees and it isn't easy to draw the line but always trusting all users to make the right decision {or never make a mistake} isn't how an infosec d00d should view the world. I think the best cure for that would be to let that person swap places with a helpdesk-type person for a day.

Anyway, here's the exploit running on Vista prior to any authentication:

Here it is on Windows 7:

I had already logged into this machine, but you get the idea. The way GIMP takes screenshots wasn't allowing me to take this shot the way I wanted so I got 0ld Sk00l, and took a pic. The reall problem these days isn't your OS though, it's the human element. You can almost equate it with social engineering but instead of trying to get your mark to provide you with access, credentials or what have you, You are trying to convince them to care about the dangers of losing data. For many years it was believed that gaining "root", "SYSTEM", or "Administrator" access was the key. This went away several years ago because data became the target. Unfortunately the defensive mindset hasn't yet shifted in some environments. I recently asked John Strand and Paul Asadorian a question during their "For the Last Time, The Internet is Evil" presentation. The question went like this:
" d00ds, what is the key to getting the organizations and personnel who review penetration testing results to understand the dangers and take action to implement the recommended changes?"
John replied:
"We have to create failure scenarios to show what happens if that one computer or one piece of data gets compromised."
Paul Chimed in with:
"It's will take a paradigm shift at the management level to understand these risks beyond the dollar signs."

I love both of those answers. I do understand information security can't be a bottomless pit that you throw money into, but experience has shown me that few organizations adequately fund initiatives in that realm. As I have stated previously, a lot of places out there are committed to maintaining the status quo. To them I say "Thanks for keeping my job as a pen tester fun and exciting." My next entry will be on the FAIL mode auditing and certification are stuck in. As always, this is not the fault of the auditor but at the funding and upper-management level.

Nexus One Awesomeness

Several months ago I purchased my Nexus One and started goofing with it and installing all manner of applications. Once I finished messing with things like wallpaper and ringtones I decided to go a step further. Last weekend I rooted the phone and installed Ubuntu. The phone now runs a full Ubuntu 9.10 install without the GUI. So far, I have installed NMAP, OpenVAS, and I am working on Metasploit. I also managed to get a packet sniffer installed, but I am quickly running out of space on my Sandisk 4GB MicroSd card. I am ordering a 16GB card and will then perform a reinstall and see what kind of platform I have available. The Android OS is truly amazing and powerful. I have also learned that the Broadcom chip is 802.11 b/g/n compatible and has FM RX and TX. Additionally, the camera is capable of shooting in 720p. I am still working on enabling the functionality in those last two sentences but I am pretty pumped about the phone's capability.

Local Conference

I don't yet know what the speakers will be presenting but there's a good lineup. I also really like the "..is the sky really falling?" theme they have going on. If you are wondering how "bad" the state of InfoSEc is, here are some links to keep you up at night:

http://inguardians.com/pubs/FriendlyTraitor.pdf

http://travisgoodspeed.blogspot.com/2010/07/reversing-rf-clicker.html

http://inguardians.com/pubs/AMI_Attack_Methodology.pdf

http://inguardians.com/pubs/toorcon11-wright.pdf

http://www.willhackforsushi.com/

Attacks are becoming very focused with less of a "shotgun-style" as technologies advance. The things Travis Goodspeed is doing with some of his hardware hacks reinforce the idea that security remains an afterthought in several areas. As long as security remains an afterthought, it will be difficult to provide reliable security. Fortunately, there are people dedicated to ongoing security research and the responsible disclosure of the vulnerabilities they find. If you haven't already, subscribe to some of the authors above, they are doing some amazing research that should open a few eyes.

Know your smartphone

So many people are buying smartphones, I thought it might be wise to throw in a cautionary note about just how powerful these devices are. The smartphone of today is more powerful than the laptop of a few years ago. Along with the widespread adoption of these devices come the increasing of their risk profile. That is to say that the more popular something is, the better a target it becomes for those who have less than good intentions. Currently there haven't been any really nasty attacks seen in the wild yet. The devices are definitely prime targets, and you can be sure that the bad guys are working hard at trying to figure out how to leverage this technology in order to get at your information. This article discusses some potential nastiness on the Android platform. Security vulnerabilities have been well advertised on the iPhone which have, or should have, prevented their widespread adoption for corporate use. Currently the Blackberry remains the most "secure" platform for business use by employing active encryption of the contents at the expense of the "cool" factor that Android and iPhone show off. the iPhone 3GS offered encryption but the operating system kernel automatically decrypted the contents of the phone when you extract the data for analysis. Effectively, this means the iPhone is NOT compliant with the standard corporate policy requiring encryption at the device level; but don't take my word for it. To be fair, I don't believe Android even makes the veiled attempt that Apple makes and makes their sdk freely available to the world. Device-level encryption for both of these platforms needs to be off-loaded to a third party to adequately secure your data.

So, beyond your data NOT being secure, take a minute and think about how inter-woven this device is into your life. How much data, personal and professional, is on there. If I had complete access to your phone what could I learn about you, your family, or your work. I don't know you, but I bet it's a lot ;-). This week, Google removed two applications from all Android-based phones to protect their users. There is some debate on whether this is Google's business or not but that's not an interesting argument to me. I will follow this up with a video that demonstrates application installation on the Android platform and how we should be aware of what we install and the access that application should or should not need to the different functionalities on your phone. As a good rule of thumb try to remember that no one is as interested in protecting your data as you are. That means that if you're not interested, then no one is going to do that for you.

Current Projects in Smart Grid Security

I have been immersed in smart grid projects and have been learning a lot about this industry. here are few of the many projects I have been fortunate enough to be a part of.

I am currently a security engineer for the Smart Grid Engineering team at EnerNex. I am supporting cyber security and systems architecture for the Advanced Security Acceleration Project for the Smart Grid (ASAP-SG), Open Home Area Network (OpenHAN), and Smart Grid Networking (SG-Network) groups. I have been contributing to the UCAIug Home Area Network System Requirements Specification, SG Network System Requirements Specification, Distribution Management (DM) Security Profile, and other blueprint documents for the Smart Grid Security (SG Security) group. I also recently joined the Smart Grid Interoperability Panel (SGIP) as a member of the Cyber Security Working Group (CSWG) which is developing a comprehensive set of cyber security requirements for the smart grid. Mostly this means I listen to incredibly brilliant people prepare and engineer the smart grid while trying to learn as much as I can about how electric power works. Occasionally, I have some input based on past experiences concerning cyber security best practices or security architecture. It's truly an honor to be working on these projects with such a diverse group.

Vulnerabilities

I have been listening and watching some really good talks online about discovered vulnerabilities and new threat and attack vectors. While you must take hacker and pen tester claims with a grain of salt, there is something to be said for some of the tools and demonstrations I have seen over the past year. In particular, I am impressed with the social engineering efforts I have seen. I am really looking forward to trying out some of the tools I saw last week which really demonstrate what lack of user education and awareness can do when coupled with a little bit of technological ingenuity. These methods would likely have a 75% or higher success rate and, when successful, will completely compromise your target. Now I guess the question some will have is "How do I prevent it?" I love to hear that question, it's much more refreshing than hearing "that can't happen here" or "we're the best.." and yeah I have heard people boldly state that.

There's no new method of prevention, Information Security (or Cyber Security) is not difficult or overly complex. It consists of understanding current threat and attack vectors, knowing where your organization is deprecated or deficient, and mitigating or remediating those deficiencies. The problems pop up when you either hire the wrong people to defend your enterprise or you hire the right people and do not give them the funding and authority they need to accomplish their mission. Having worked in several different environments, it's pretty rare that the absolute wrong folks are hired but it definitely happens and you might be surprised at the types of places that have that issue. More often, I have witnessed the lack of authority and funding for security. Now, we could go into what make people "right" or "wrong" for these positions but if you work in infosec and don't know what I mean when I say that then I can't really help. It's kind of like being able to point out that one annoying relative every family has; if you can't identify who that is in your family, it's probably you. If it's you, no problem there's plenty of training and reading that can bring you right into the loop if you want to be there. I recommend SANS for training, and their certification process. If you really want a deep dive from the community you are doing yourself a disservice if you don't check out DefCon and BlackHat. Other good cons include Shmoocon and CanSecWest. I am sure there are more but these are what came to mind. If you know of some good cons that really educate folks please post them. The more information we can get out there together, the better we can defend our infrastructures.

Awesome!

SANS Training coming up

Check out this link to my upcoming SANS training here in Knoxville. Save some time and money and take a SANS mentor class locally.

Adobe is finally patched

Last week Adobe released a patch for some vulnerabilities that have been plaguing the Internet since June of last year. Adobe has products that make for great attack surfaces because it works on Windows, Linux, and Mac. The latest exploit was cross-platform making the attack pretty scary by allowing an attacker to take complete control of your system.

In order to protect your computer, go to their website (http://www.adobe.com/) and download the flash player update. This update is for Adobe Flash and is considered a complete re-write of their flash player. The flash player vulnerability was quite serious and can be exploited through a web page or a pdf document. If you want to know more about the update/vulnerability, read this page.

Laptop Backpack

About a month ago I began a search for a laptop bag for my 15.6" Dell laptop. I had no idea it would turn into a quest to find just the right features, and how rare some of these features are. Since I plan to be traveling I wanted to make sure the pack was large enough to carry two laptops and an overnight change of clothes. Because I wanted a fairly large pack, it needed to have compression straps also. This eliminated the wildly popular and functional Wenger series that I had been eyeing. Although they had great capacity, and the ability to stand independently, they lacked a few other essentials. That was a big letdown because those are nice bags. I particularly liked the steel cable handle they put on the top. The other essential feature I wanted was the ability to attach a carabiner, d-ring, or s-biner. I carry a rain shell instead of an umbrella and like to attach it to the outside of the bag. I considered a waist belt optional but if it had a waist belt it had to be more than a half-inch strip of fabric AND it had to be stowable.

The ONLY bag I found to satisfy all of this criteria are the bags made by Spire USA. Even the bags made by North Face, Mountain Hardware, and other "real" packs lacked several features. If they had the features, they didn't seem to be well oriented for IT-related use. The Spire Torq seems perfect for me. Initially, it was hard to transition from a messenger bag, but I have persevered.

The stuff from Spire isn't cheap, but it's worth it.

Accessdata Merging with CT Summation

I got this link in an e-mail today:
http://www.accessdata.com/downloads/media/AD_Summation_MERGER.pdf

I am a big fan of AccessData's Ultimate toolkit, and other forensic software, but was shocked to see they were merging with someone else. I hope both companies do well and I will begin researching CT summation soon. My guess is that Accessdata just wanted a bolt on EDiscovery solution. If so, brilliant move.

Smart Grid: How we got here and where we might be headed

This is a great video on why a smarter grid is necessary and what some of the difficulties will be. Additionally, Mr. Gunther discusses many of the possible benefits and answers questions at the end.

Smart Grid Security

Here are some great videos about what the Smart Grid (SG) is and where it is headed. I suggest subscribing to their blog if you are at all interested in this topic:

Network Penetration Testing and Ethical Hacking

I will be leading a SANS Mentor class for 10 weeks starting July 20,2010. Please check out the information here:
http://www.sans.org/mentor/details.php?nid=22013

Excerpts:
Find Security Flaws Before the Bad Guys Do
Security vulnerabilities, such as weak configurations, unpatched systems, and botched architectures, continue to plague organizations. Enterprises need people who can find these flaws in a professional manner to help eradicate them from our infrastructures. Lots of people claim to have penetration testing, ethical hacking, and security assessment skills, but precious few can apply these skills in a methodical regimen of professional testing to help make an organization more secure. This class covers the ingredients for successful network penetration testing to help attendees improve their enterprise's security stance.

Differentiators
This SANS course differs from other penetration testing and ethical hacking courses in several important ways:
We get deep into the tools arsenal with numerous hands-on exercises that show subtle, less-well-known, and undocumented features that are incredibly useful for professional penetration testers and ethical hackers.

Who Should Attend
Penetration testers
Ethical hackers
Auditors who need to build deeper technical skills
Security personnel whose job involves assessing target networks and systems to find security vulnerabilities

Job Offers

I received two separate offers this past week thanks to the grace of God. We are praying about the decision, and anxious to see where God is leading us.

Interestingly enough I have also had some fruitful conversations with several people regarding my last position and how it ended.

Job Hunt

I can totally sympathize with the guy in the cartoon. Aside from that, I have been interviewing for several different types of positions. Some are for penetration testing and consulting which I feel is one of the most fun jobs in the world. Others are for "Security Architect" type positions which give you an overall view of an infosec program and the different layers an organization has in place. Lastly, I have looked at a few security analyst positions where you do a little bit of everything for an organization. These are all critical roles and all opportunities for me to learn new things especially for the individual organizations based on how they do business. A few of the opportunities are contract-based positions which would allow me to start up my own vulnerability assessment, penetration testing, and compliance business. I can definitely say that all of these are quite intriguing and I am looking forward to the opportunity to continue learning and move forward. The toughest part are the moving as we were hoping to stay in Knoxville. Thus far, here are the possible locations:
California - contract
Ohio - contract
North California - perm
Florida - perm
DC - both
Texas - perm