<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-7461961418784993400</id><updated>2011-12-14T12:37:42.211-05:00</updated><title type='text'>Cyb3rs3c</title><subtitle type='html'>A blog dedicated to information warfare, cyber security, information security, or whatever you choose to call it. Ethical hacking, vulnerability assessments, penetration testing, web application testing, and social engineering techniques may also be discussed.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>77</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-1619415665629386105</id><published>2011-06-07T10:05:00.000-04:00</published><updated>2011-06-07T10:05:15.527-04:00</updated><title type='text'>DHS, the government, and "cyber" security</title><content 
type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://img.ehowcdn.com/article-page-main/ehow/images/a06/v6/11/government-supervisor-training-800x800.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://img.ehowcdn.com/article-page-main/ehow/images/a06/v6/11/government-supervisor-training-800x800.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;The White House issued their "CyberDream" last month titled the "International Strategy for CyberSpace." The strategy is chock full of wonderful thoughts and ideas about what cyberspace should look like and even has a few really excellent threats&amp;nbsp;leveled&amp;nbsp;at people who may want to attack the US. The majority of the document seems to be a plea for other nations to share "our" vision. On one hand it would be amazing to have multiple nations sharing information and standing against those who would seek to do harm or gain information illegally via the digital realm. On the other hand, why don't we just defend our own assets better? If I had an extra hand I might suggest a blend of the two.&lt;br /&gt;&lt;br /&gt;Really, I doubt it will matter since the&amp;nbsp;government&amp;nbsp;will want to be in charge of the whole program including some of the highly technical aspects. This is evidenced by DHS being funded with over 40 million dollars and their attempts to continue to hire infosec personnel. What's wrong with that? I am so glad you asked: nothing would be wrong with that IF DHS is hiring new top-level decision makers along with the technical folks. If the same policy makers are in charge, nothing will change. They will hire bright and talented young technical folks, then ignore their recommendations and lose them to the private sector. Also known as "status quo." Reading the DHS, and other government, initiatives on hiring, they appear to believe that the only problem is the pay. 
That may be part of the problem, but the real issue I have seen is the promotion of the wrong personnel over time. The last&amp;nbsp;government&amp;nbsp;place I worked had dug a hole so deep and wide they didn't even know they were in a hole. Several manager-level personnel&amp;nbsp;possessed zero technical skill or knowledge yet were making decisions regarding technologies they didn't understand. They were also responsible for hiring but didn't know how to hire since this field has been overrun with certifications, "policy analysts", and general confusion.&lt;br /&gt;&lt;br /&gt;How bad is it? That used to be difficult to quantify, but take a look at the major breaches that have happened in 2011. HBGary, RSA, and Lockheed are security-centric shops with deep technical talent that were pwned with techniques taught in any pen testing class you might want to take. The Oak Ridge National Lab was taken hostage and had to be disconnected from the Internet for weeks. Many of these intrusions were blamed on "APT" but they were not advanced techniques and they certainly didn't persist for very long. What really happened is the age-old theory of "acceptable risk" is being put to the test. If your entire enterprise can be jacked when one person clicks a link or opens a file, something is not quite right. I have performed enough penetration tests to know that this is common and the excuses for not implementing deep, separate layers of security are many, both valid and otherwise.&lt;br /&gt;&lt;br /&gt;What's the fix? Get red teamed or pen tested using real techniques. Make sure the people performing the tests offer mitigations and remediations for the&amp;nbsp;vulnerabilities&amp;nbsp;they discover and exploit. HIRE THE RIGHT PEOPLE and GET RID OF THE WRONG PEOPLE. I cannot stress that enough and I know hiring is difficult. If you don't know how to hire the right people, then you shouldn't be doing the hiring. 
I don't mean that at all in a rude or arrogant manner; simply ask for help and the infosec community will help you. I would be glad to assist your hiring, resume review, and interview process. I watched a government site two years ago replace a talented mid-level technical cyber ninja with a junior in college who knew nothing about security. Now I am all for bringing up new folks and teaching them, but you must keep good technical people, and hearing the phrase "we just need to hire people who get along, not any more smarty pants" was discouraging. I believe the&amp;nbsp;government&amp;nbsp;CAN do it right if they want to. Challenge the status quo, admit when mistakes are made, and persevere. Hire the right contractors to assist you. For some of us it isn't about money; it's about&amp;nbsp;doing&amp;nbsp;security right to protect assets as a higher calling. You do it right, because it's right.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-1619415665629386105?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/1619415665629386105/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2011/06/dhs-government-and-cyber-security.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/1619415665629386105'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/1619415665629386105'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2011/06/dhs-government-and-cyber-security.html' title='DHS, the government, and &quot;cyber&quot; 
security'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-7789957367029200995</id><published>2011-04-19T11:21:00.001-04:00</published><updated>2011-04-19T11:21:46.138-04:00</updated><title type='text'>APT = inAPTitude please pass the FUD</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-VIlN-VG9M_4/Ta2hl0u3KcI/AAAAAAAAADs/trwPdRf5uPE/s1600/apt.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://1.bp.blogspot.com/-VIlN-VG9M_4/Ta2hl0u3KcI/AAAAAAAAADs/trwPdRf5uPE/s1600/apt.png" /&gt;&lt;/a&gt;&lt;/div&gt;So, the Oak Ridge National Laboratory was absolutely pwned. How do we know it's "that bad" you ask? If they had to unplug from the Internet (read Facebook) for any amount of time, you know it's not good. I feel like we should address the immediate assigning of the breach to a determined nation state. Here's why I don't think you can call this APT now. For the record APT is defined well here:&amp;nbsp;&lt;a href="http://taosecurity.blogspot.com/2010/01/what-is-apt-and-what-does-it-want.html"&gt;&lt;span class="Apple-style-span" style="color: white;"&gt;http://taosecurity.blogspot.com/2010/01/what-is-apt-and-what-does-it-want.html&lt;/span&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;1. The incident analysis is ongoing. There's no way they have had time to give full attribution already. If they could, you wouldn't need to completely disengage from the entire Internet.&lt;/blockquote&gt;&lt;br /&gt;&lt;blockquote&gt;2. 
A phishing attack with an alleged IE 0-day is not that advanced. Anyone with basic skill in Metasploit or the Social Engineering Toolkit could have done this with a 10-year-old payload and&amp;nbsp;completely&amp;nbsp;bypassed whatever A/V they think protects them.&lt;/blockquote&gt;&lt;br /&gt;&lt;blockquote&gt;3. That place is wide open. For the most part it's an academic research facility full of foreign nationals, several of whom are from "sensitive countries", whatever that means. One walk across the lawn and you will see enough to know what I am talking about. This is not to say that anyone from a foreign country means the US harm.&lt;/blockquote&gt;&lt;br /&gt;&lt;blockquote&gt;4. That place gets owned all the time. I mean just use Google and you can read about it happening every few years. Despite this, the same personnel and outdated protection schemes remain instantiated; welcome to the government.&lt;/blockquote&gt;&lt;br /&gt;&lt;blockquote&gt;5. The lab director states there was no large-scale exfiltration detected. If you had an advanced, determined attacker, they could exfiltrate without you knowing. Seriously, what ports are you&amp;nbsp;allowing&amp;nbsp;outbound from your users? When they SSH tunnel out to avoid your proxy, do you know what data is in said tunnel?&lt;/blockquote&gt;&lt;br /&gt;&lt;blockquote&gt;6. Even if you get some IP address in a nation we aren't cozy with, that isn't immediate attribution to said government. That could be someone in this country using one of their IP addresses as a pass-through. Jumping to conclusions during an investigation is unhealthy and may give a false sense of closure.&lt;/blockquote&gt;&lt;br /&gt;I was saddened to learn this happened at ORNL. 
It was worse to have the director of the lab jump on the bandwagon of APT before the post-mortem analysis is complete.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-7789957367029200995?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/7789957367029200995/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2011/04/apt-inaptitude-please-pass-fud.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/7789957367029200995'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/7789957367029200995'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2011/04/apt-inaptitude-please-pass-fud.html' title='APT = inAPTitude please pass the FUD'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-VIlN-VG9M_4/Ta2hl0u3KcI/AAAAAAAAADs/trwPdRf5uPE/s72-c/apt.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-4609569637398754020</id><published>2011-03-22T16:23:00.001-04:00</published><updated>2011-03-22T16:37:16.584-04:00</updated><title type='text'>Smart Grid Standards Groups</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a 
href="https://lh5.googleusercontent.com/-Zf1ei4G8kvU/TYkEhLxPcJI/AAAAAAAAADk/4rwEvpv5MAY/s1600/standards.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="218" src="https://lh5.googleusercontent.com/-Zf1ei4G8kvU/TYkEhLxPcJI/AAAAAAAAADk/4rwEvpv5MAY/s400/standards.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;One of my co-workers estimated there are approximately 46 groups working on standards for the smart grid. Above is a partial list of the folks trying to work this out. I, and others from EnerNex, regularly contribute to these groups within our own areas of expertise. It will be interesting to see how things boil down once you have to migrate from a standard to an actionable solution. So far the cooperative effort is excellent. For all those involved I offer a free Internet high five.&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://lh6.googleusercontent.com/-vn6YwGCEDgU/TYkFt__pviI/AAAAAAAAADo/y2JeE0fJq1s/s1600/95+Internet+High-Five.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="296" src="https://lh6.googleusercontent.com/-vn6YwGCEDgU/TYkFt__pviI/AAAAAAAAADo/y2JeE0fJq1s/s320/95+Internet+High-Five.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-4609569637398754020?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/4609569637398754020/comments/default' 
title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2011/03/smart-grid-standards-groups.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/4609569637398754020'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/4609569637398754020'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2011/03/smart-grid-standards-groups.html' title='Smart Grid Standards Groups'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='https://lh5.googleusercontent.com/-Zf1ei4G8kvU/TYkEhLxPcJI/AAAAAAAAADk/4rwEvpv5MAY/s72-c/standards.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-899143293840066503</id><published>2011-03-14T15:00:00.005-04:00</published><updated>2011-03-14T15:08:16.630-04:00</updated><title type='text'>Mid Atlantic Collegiate Cyber Defense Competition (CCDC)</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://www.midatlanticccdc.org/CCDC/wp-content/themes/project251109/images/img15.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="117" src="http://www.midatlanticccdc.org/CCDC/wp-content/themes/project251109/images/img15.gif" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Wow! Let me say that once more WOW! 
Thanks to all the companies and other entities that&amp;nbsp;sponsor&amp;nbsp;this event as the next generation of "cyber warriors" is being educated. Boeing contacted my company, EnerNex, to see if we would be&amp;nbsp;interested&amp;nbsp;in assisting with certain aspects of this year's competition. This was shipped over to me since I am a penetration tester/security analyst. I was unable to help with the smart-grid scenario that had been planned for the competition and felt really bad about that. I flew up there on my birthday feeling just terrible that I had not been able to assist in any way. When I landed, I sent a message to Casey&amp;nbsp;O'Brien&amp;nbsp;and Tim Rosenberg offering to help however they needed. Big note to self: do that more often. I was moved into the White Cell for the competition; specifically, I played federal law enforcement for incident response in an effort to teach the blue cell how to submit accurate, actionable information to law enforcement. Now on to how the event played.&lt;br /&gt;&lt;br /&gt;The Teams:&lt;br /&gt;&lt;blockquote&gt;Red Cell: Attackers, crackers, hackers. Their goal is to penetrate your systems, gain and keep access, and wreak havoc.&lt;br /&gt;Blue Cell: Defenders; their goal is to respond to current attacks and prevent future attacks. There were blue cells from different colleges and universities.&lt;br /&gt;White Cell: These were the folks judging the business injects and observing the team. Additionally, certain members were designated as federal law enforcement. LE members were allowed to give limited guidance if a team was really struggling.&lt;br /&gt;Gold Cell: Operations. These members were responsible for making the equipment work, scoring the game, and keeping everything running.&amp;nbsp;&lt;/blockquote&gt;&lt;br /&gt;So what did they have to do? I am so glad you asked. 
Blue cells were given several nodes to defend based on a viable business scenario:&lt;br /&gt;&lt;br /&gt;&lt;div class="head" style="font-family: Arial, Verdana, Helvetica, sans-serif; font-size: 12px; line-height: 18px;"&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="color: white;"&gt;Business Scenario: Haven Electric CoOp (HEC)&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="color: white;"&gt;Each year, the&amp;nbsp;&lt;a href="http://www.cyberwatchcenter.org/" style="cursor: pointer; font-size: 12px; text-decoration: none;" target="_blank" title="CyberWatch Center"&gt;CyberWatch&lt;/a&gt;&amp;nbsp;&lt;a href="http://www.midatlanticccdc.org/" style="cursor: pointer; font-size: 12px; text-decoration: none;" target="_blank" title="6th CyberWatch Mid-Atlantic Collegiate Cyber Defense Competition (CCDC)"&gt;Mid-Atlantic CCDC&lt;/a&gt;&amp;nbsp;presents a new exercise scenario and cutting-edge technologies that mimic those in the real world. This year’s scenario involves student teams working for the Haven Electric CoOp (HEC), a national electricity provider. With operations spread throughout the United States, HEC is a leading electric grid manager and reseller of Power Management Units (PMUs).&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="color: white;"&gt;Because of risky investments, HEC has fallen on hard economic times and has been acquired by the U.S. government. Given the unstable future of the company, most of the IT staff has left for other jobs, while those remaining are less than effective. As a result, the government has brought in contractors to replace all the IT staff. The student teams are these contractors.&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="color: white;"&gt;The student teams will be charged with maintaining and securing the network, while providing critical services and responding to the demands of clients, end users, upper management, and others. 
As employees of HEC, the students will also have access to the HEC Credit Union, where they can conduct their day-to-day banking.&lt;/span&gt;&lt;/blockquote&gt;&lt;/div&gt;&lt;div class="entry-content"&gt;&lt;div style="font-family: Arial, Verdana, Helvetica, sans-serif; font-size: 12px; line-height: 18px; margin-bottom: 18px; margin-left: 0px; margin-right: 0px; margin-top: 0px; word-spacing: -1px;"&gt;&lt;span class="Apple-style-span" style="color: white; font-family: 'Times New Roman'; font-size: small; line-height: normal; word-spacing: 0px;"&gt;Now what do they defend:&lt;/span&gt;&lt;/div&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="color: white;"&gt;&lt;span class="Apple-style-span" style="font-family: 'Times New Roman'; font-size: small; line-height: normal; word-spacing: 0px;"&gt;inside the firewall:&lt;/span&gt;&amp;nbsp;&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="color: white;"&gt;&lt;span class="Apple-style-span" style="font-family: 'Times New Roman'; font-size: small; line-height: normal; word-spacing: 0px;"&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-family: 'Times New Roman'; font-size: small; line-height: normal; word-spacing: 0px;"&gt;Ms-Exchange 200&lt;/span&gt;&lt;span class="Apple-style-span" style="font-family: 'Times New Roman'; font-size: small; line-height: normal; word-spacing: 0px;"&gt;3&lt;/span&gt;&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="color: white; font-family: 'Times New Roman'; font-size: small; line-height: normal; word-spacing: 0px;"&gt;MS Win 2008 AD server - 10,000 user accounts&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="color: white; font-family: 'Times New Roman'; font-size: small; line-height: normal; word-spacing: 0px;"&gt;Open PDC manager&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="color: white; 
font-family: 'Times New Roman'; font-size: small; line-height: normal; word-spacing: 0px;"&gt;Hadoop&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="color: white; font-family: 'Times New Roman'; font-size: small; line-height: normal; word-spacing: 0px;"&gt;Splunk - Ubuntu 10.x&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="color: white; font-family: 'Times New Roman'; font-size: small; line-height: normal; word-spacing: 0px;"&gt;MyBanco - Ubuntu 10.x&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="color: white; font-family: 'Times New Roman'; font-size: small; line-height: normal; word-spacing: 0px;"&gt;OpenPDC DB - Ubuntu 10.x&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="color: white;"&gt;&lt;span class="Apple-style-span" style="font-family: 'Times New Roman'; font-size: small; line-height: normal; word-spacing: 0px;"&gt;Libki&lt;/span&gt;&lt;span class="Apple-style-span" style="font-family: 'Times New Roman'; font-size: small; line-height: normal; word-spacing: 0px;"&gt;WikiID - Fedora 14&lt;/span&gt;&amp;nbsp;&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="color: white; font-family: 'Times New Roman'; font-size: small; line-height: normal; word-spacing: 0px;"&gt;outside the firewall:&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="color: white;"&gt;&lt;span class="Apple-style-span" style="font-family: 'Times New Roman'; font-size: small; line-height: normal; word-spacing: 0px;"&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-family: 'Times New Roman'; font-size: small; line-height: normal; word-spacing: 0px;"&gt;Nagios&lt;/span&gt;&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="color: white; font-family: 'Times New Roman'; font-size: small; line-height: 
normal; word-spacing: 0px;"&gt;Kiosks&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="color: white; font-family: 'Times New Roman'; font-size: small; line-height: normal; word-spacing: 0px;"&gt;Splunk&lt;/span&gt;&lt;/blockquote&gt;&lt;div style="margin-bottom: 18px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;Red team had a 30 minute head start so, if you haven't attempted to defend a network before, everything was already compromised by the time blue even "got to work." In addition to the aforementioned devices, each contestant wore a badge with an 802.15.4 ZigBee radio which beaconed every ten minutes with a predefined integer. The integer was power usage data so that, in effect, all players were wearing a smart meter that updated itself regularly. The meters were also in play and at the end of the first day, one blue cell member had somehow managed to use over 1 billion kilowatt hours. Larry Pesce built the badges and wrote the software that was used on them at a final price of $32 per badge, most excellent job by Larry. Some other nodes that weren't readily noticeable were two Cisco 7960 IP phones and a web-enabled surge protector which some red cell members took great delight in attacking.&lt;/div&gt;&lt;div style="margin-bottom: 18px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;At the end of day 1, there was a "corporate meeting" business inject requiring all blue cell to immediately leave the competition floor. For 10 minutes the red cell was allowed physical access to the blue pit where they wreaked havoc by taping&amp;nbsp;Ethernet&amp;nbsp;cables, swapping cables around, and running custom tools to add users and acquire password hashes. In ten minutes, the red cell&amp;nbsp;successfully&amp;nbsp;touched every blue cell node.&lt;/div&gt;&lt;div style="margin-bottom: 18px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;The days were long yet quite rewarding. 
I enjoyed helping the blue cells learn how to submit incident reports. Though I frustrated many of them by continually rejecting them for lack of evidence, they began to learn that I needed who, what, when, how, and maybe why to give attribution to an actor (threat). They also had to learn that it isn't what they think they know; it's what they prove by providing corroborating evidence such as logs, files, and screenshots. Additionally, if a team was really struggling, I could provide hints and suggestions or, in dire cases, I could take the blue cell member aside and have some teaching moments as they struggled with the complexities of being assaulted not only in the cyber world, but in the&amp;nbsp;business&amp;nbsp;world as well.&lt;/div&gt;&lt;div style="margin-bottom: 18px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;Did you say the business world? Yes, I did. The "CEO" flew in to interview the team captains after he learned that some of his assets had been compromised. Each captain was given the "opportunity" to sit and tell the CEO the state of affairs of his network and data. Some young folks responded with poise, others literally shook in their chairs, and still others refused to have their follow-up meeting. This was also excellent training that should help close the gap I have seen where non-technical people are not getting promoted. This also gave me an&amp;nbsp;opportunity&amp;nbsp;to speak with some of the captains outside of "the pit" (competition floor) to explain some of the terms used by their CEO and help prep responses in his language.&lt;/div&gt;&lt;div style="margin-bottom: 18px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;This was the best training a future IT security professional can receive, and I truly appreciate that EnerNex was kind enough to send me. Being able to assist in events like this gives me hope that things can get better in InfoSec. 
It's always a pleasure to share experience and knowledge with those who are seeking a career in this field. Many dedicated educators are&amp;nbsp;attempting&amp;nbsp;to do this but they need practitioners from the real world to assist and fill in the gaps. I look forward to assisting more in this area both at our local schools here and with some of the colleges and universities I interacted with at this competition. I met some great students, faculty, parents, and sponsors. I also had the wonderful privilege of working with Casey O'Brien, Tim Rosenberg, Matt McFadden, Gary Stoneburner, and many others. Please keep in touch everybody.&lt;/div&gt;&lt;div style="margin-bottom: 18px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;For the curious:&lt;/div&gt;&lt;div style="margin-bottom: 18px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;Blue Cells:&lt;span class="Apple-style-span" style="color: lime;"&gt;&amp;nbsp;&lt;a href="http://www.midatlanticccdc.org/CCDC/students/"&gt;&lt;span class="Apple-style-span" style="color: lime;"&gt;http://www.midatlanticccdc.org/CCDC/students/&lt;/span&gt;&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-bottom: 18px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;Sponsors:&amp;nbsp;&lt;a href="http://www.midatlanticccdc.org/CCDC/sponsors/"&gt;&lt;span class="Apple-style-span" style="color: lime;"&gt;http://www.midatlanticccdc.org/CCDC/sponsors/&lt;/span&gt;&lt;/a&gt;&amp;nbsp;- we can't thank you enough&lt;/div&gt;&lt;div style="margin-bottom: 18px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;Pictures I took -&amp;nbsp;&lt;a href="https://picasaweb.google.com/griffse/MidAtlanticCCDC#"&gt;&lt;span class="Apple-style-span" style="color: lime;"&gt;https://picasaweb.google.com/griffse/MidAtlanticCCDC#&lt;/span&gt;&lt;/a&gt;&lt;/div&gt;&lt;div style="margin-bottom: 18px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;div 
class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-899143293840066503?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/899143293840066503/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2011/03/mid-atlantic-collegiate-cyber-defense.html#comment-form' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/899143293840066503'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/899143293840066503'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2011/03/mid-atlantic-collegiate-cyber-defense.html' title='Mid Atlantic Collegiate Cyber Defense Competition (CCDC)'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-3717018590461448576</id><published>2011-03-08T11:03:00.000-05:00</published><updated>2011-03-08T11:03:11.704-05:00</updated><title type='text'>Smart Grid Security East</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://www.smartgridsecurityeast.com/Portals/0/logo-fs8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="113" src="http://www.smartgridsecurityeast.com/Portals/0/logo-fs8.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;I had a great time at this conference and got to meet some great 
folks. I also had the opportunity to be the first speaker on the first day, which really helps the other talks as I set the bar pretty low. My two favorite talks were Travis Goodspeed leaving the crowd in stunned silence with some of his hardware ninjary, and Ido Dubrawsky from Itron during the AMI security workshop. Ido gave a great talk that was grounded in facts, which is sadly lacking sometimes. Stephen Chasko and Ed Beroset also gave good talks from a vendor perspective. For the panel-style talks, I naturally enjoyed the penetration testers over most of the policy and strategy panels. I will have to say my favorite moment was a vendor offering perhaps a tiny bit of marketing hype being asked by an audience member "Are you saying you are guaranteeing absolute security from that point forward?" Of course, the vendor was not offering that and the talk proceeded smoothly. I enjoyed that because it represented the spirit of the conference. People spoke openly and disagreed with each other with facts and perspectives without anything devolving into chaos. There was even a meter vendor panel where they seemed to be working towards common goals regarding smart-meter security. A goal going forward is to get SCADA vendors involved and provide utilities with a way to share security-related information if they are experiencing an incident.&lt;br /&gt;&lt;br /&gt;I was also privileged to connect with several gentlemen and ladies considered by many to be the leading experts in the efforts to make the smart grid secure. I cannot list them all but literally everyone I met was making a contribution to this effort. 
I can't wait to see the next event, it should be even better.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-3717018590461448576?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/3717018590461448576/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2011/03/smart-grid-security-east.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/3717018590461448576'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/3717018590461448576'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2011/03/smart-grid-security-east.html' title='Smart Grid Security East'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-7909864931891547045</id><published>2011-02-17T11:39:00.000-05:00</published><updated>2011-02-17T11:39:13.944-05:00</updated><title type='text'>The Song Remains the Same</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://www.tooconservative.com/wp-content/uploads/2010/06/head-in-the-sand.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="267" src="http://www.tooconservative.com/wp-content/uploads/2010/06/head-in-the-sand.jpg" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" 
style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;So Stuxnet was a "game changer" because we saw a private separated network get JACKED! Let me share some of the responses I have heard:&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;blockquote&gt;"They shouldn't have been using Windows"&lt;br /&gt;"Stuxnet was no big deal if you weren't the target"&lt;br /&gt;"There are enough other people that are vulnerable, they probably won't come after us"&lt;br /&gt;"We have firewalls, IDS, and AV."&lt;/blockquote&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;These comments come from vendors, CISOs, and security architects. Hi, you are missing the point. If you focus on the specifics of the attack these are somewhat accurate statements. If you look at the framework of the attack it should make you aware that you are at risk. Some&amp;nbsp;components&amp;nbsp;of Stuxnet were very generic and can provide a framework for future attacks. 
Check out this page by Ralph Langner:&amp;nbsp;&lt;a href="http://www.controlglobal.com/articles/2011/IndustrialControllers1101.html"&gt;http://www.controlglobal.com/articles/2011/IndustrialControllers1101.html&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;Here are some questions to ask your CISO or security team lead or whoever you have entrusted your security to:&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;blockquote&gt;"How can our firewall (also include AV, IDS, etc.) be defeated?"&lt;br /&gt;"How can an attacker exfiltrate data once they are inside?"&lt;br /&gt;"Can you (security d00d) exfiltrate data without anyone knowing?"&lt;/blockquote&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;If you saw the report on &lt;a href="http://blogs.mcafee.com/corporate/cto/global-energy-industry-hit-in-night-dragon-attacks"&gt;Night Dragon&lt;/a&gt;, you saw another example of energy being targeted. The target was compromised via SQLi and the attack progressed using fairly standard, simplistic techniques. No offense to the target is meant here; I am targeting the mentality mentioned above. These folks had firewalls, AV, proxies, and policies. Their controls were overcome at every step with what the incident responders called "simple" techniques. Simple is a relative term and the timeframe of the attack is not discussed. If this attack took place over a span of weeks it is relatively easy to recreate. 
If this attack was done in a matter of days or less, it was well-planned and executed.&amp;nbsp;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-7909864931891547045?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/7909864931891547045/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2011/02/song-remains-same.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/7909864931891547045'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/7909864931891547045'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2011/02/song-remains-same.html' title='The Song Remains the Same'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-1948804800266040102</id><published>2011-02-07T16:30:00.001-05:00</published><updated>2011-02-08T08:25:58.566-05:00</updated><title type='text'>Critical Infrastructure Hacking FUD</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://www.geek.com/wp-content/uploads/2010/07/USB_Flash_Drives.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="300" src="http://www.geek.com/wp-content/uploads/2010/07/USB_Flash_Drives.jpg" width="400" 
/&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;Let's take a minute and talk about some of the FUD being slammed all around regarding critical systems hacking. We are talking about the electric power system, water, and other utilities or critical infrastructure. This article came out last week:&amp;nbsp;&lt;a href="http://www.wired.com/threatlevel/2011/02/hoover/"&gt;http://www.wired.com/threatlevel/2011/02/hoover/&lt;/a&gt;&amp;nbsp;It states that hackers can't do weird stuff to Hoover Dam. That article is accurate. Twitter exploded the same day with infosec and pen testers screaming "yes we can!" This is also accurate. We have to temper some of the almost outlandish claims we attackers make with the "you can't touch us" claims of infrastructure.&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;Why the Wired article is true:&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;1. Separated networks - The Hoover Dam (and critical infrastructure sites in general) are not web apps that you can just stick in a web browser.&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;2. Infrastructure stuff breaks all the time - These people are trained to respond to outages a lot better than the IT in some organizations.&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;3. 
Hackers aren't breaking news - Infosec incidents get published all the time and, sometimes, utilities take notice and plan for these things.&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;Why what the hackers are saying is true:&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;1. Remember Stuxnet? - Those targets were air-gapped and didn't touch the Internet.&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;2. Resiliency != Security - Infrastructure people will say "when was the last time your lights went out?" when the question really is "When was the last time someone wanted to make your lights go out?"&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;3. Hackers evolve - When people start figuring out patching, web apps and client side attacks shift to the front. When people get leery of those techniques, bring on insider threats and social engineering.&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;You have to get both sides of the story to understand the problem. If you are using computers, networks, and software you have risks. Reducing your attack surface by using air-gapped and private networks is an effective layer of defense. That said, security is never "done." It is an ongoing issue and it must be tested continuously. Insiders cannot be trusted: sometimes this is because of bad intentions, and sometimes it is because people make mistakes. 
We also have instances where you have, say, a SCADA operator granting remote sessions and connections for service or maintenance on the system, or they figure out some way to surf the web from their console. In case you have the world's best workers who never look for a way to goof off, we have the removable media attack vectors. I will leave a nasty USB drive in your parking lot or Starbucks and watch who picks it up etc.&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;Does your blue team tell you they can't be breached? If so, go find a red team and let a real-world scenario play out with them; you might learn that your team is as great as they say they are. You might find that they are unaware of certain vectors into your systems. For example, let's pretend you are performing a test of a "closed system" and everything initially seems to indicate that this is true. Then you notice you can resolve DNS names like Google, but you cannot get to the Internet via a web browser, so the system isn't touching the Internet, right? WRONG! Your assigned DNS servers, initially RFC 1918 addresses, become public IP addresses when you reboot while connected to the "private" network. Out of curiosity, you try to touch those servers from your home ISP and you can. This is news to your client since they had been assured otherwise by the provider. Maybe it even said that in their SLA.&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;If you read the link regarding the Hoover Dam, someone who appears to be from the public affairs office is posting comments about how that cannot happen. You will see other folks asking how employees communicate and are part of the electric smart grid if they are so isolated. You cannot have it both ways. 
There's an example of someone touring a power generation facility and asking about security and the operator saying "We aren't connected to the Internet." The person touring asks how they receive communications and directives from their main facility which is several miles away. The operator points out that they receive e-mail on the control system machine. Now this is where perspectives will really diverge. For me, it's not the same to say you don't touch or use the Internet when you are, hopefully, using some sort of VPN tunnel. I view separate as not touching, tunneling, sharing a switch/router, or even the same network rack. SEPARATE. Don't get me wrong, I understand how extremely cost prohibitive it would be to build out your own personal WAN but it can be done. For the govie "cyber" security architects, there are a lot of good models to look at. Companies who have customers and dollars to lose take security pretty seriously. &amp;nbsp;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;So can hackers open the gates of the Hoover Dam? No one has let me test it so all I can say is "maybe." The attack probably won't be&amp;nbsp;attempted&amp;nbsp;from some kid's basement but that doesn't mean it cannot be done. A lot of people say they aren't connected to Internet when they really are. All systems have vulnerabilities but not all vulnerabilities can be exploited with the same level of ease. 
Be a critical thinker and get both sides of every story.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-1948804800266040102?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/1948804800266040102/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2011/02/critical-infrastructure-hacking-fud.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/1948804800266040102'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/1948804800266040102'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2011/02/critical-infrastructure-hacking-fud.html' title='Critical Infrastructure Hacking FUD'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-2197750269491762677</id><published>2011-02-01T10:33:00.000-05:00</published><updated>2011-02-01T10:33:07.327-05:00</updated><title type='text'>Logging, Monitoring, and Defending (IDS/IPS)</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://pw0nd.com/wp-content/uploads/2009/09/PWNED-500x319.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="255" src="http://pw0nd.com/wp-content/uploads/2009/09/PWNED-500x319.jpg" width="400" 
/&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;Yesterday one of the email lists I monitor was debating the best IDS/IPS for large-scale implementation and the Einstein project managed to surface. I followed the topic for a while but there wasn't much debate; however, it did bring up some of the more interesting points I have noticed over the past decade in infosec. Some places still don't want IPS; they are content with IDS and just want to reduce their response time and have forensic evidence available when attacks occur. The biggest debate I see is how to choose a product to defend with. This used to be a private vs. open-source argument, and sometimes still is. Lots of people decide to implement SNORT so they only have to buy some hardware; others buy SNORT via SourceFire and get some support. Other folks like to get a pure commercial solution which can be capable of much higher detection speed depending on how fast you need to go. The current rulers in IPS for the commercial world are Juniper and Tipping Point. McAfee is coming on strong after purchasing a competitor, re-branding and getting up to speed. What I found most interesting was that someone brought up using a government-made system. Historically, the government doesn't have a great track record for keeping things secure. Not all government entities are created equally since different personnel work at different sites and agencies so we will have to wait and see how this group does. Personally, I like COTS solutions when you are defending large-scale implementations for the speed and support. That isn't to say your people aren't capable of deploying something different and being secure.&lt;br /&gt;&lt;br /&gt;Whatever way you choose to go, don't end up like the diver in the picture. They have on all the necessary gear yet are unaware of the clear and present danger (picture is fake). 
You will NOT implement an IDS/IPS and be secure simply because of its existence. You absolutely must log what happens and figure out a way to monitor your traffic. There are aggregation and correlation products out there that can take your vulnerability scans and/or customized input so that you don't have to be alerted when a Linux exploit is headed towards a Windows platform and vice versa. The goal for your implementation is to help your security posture. The ability to log is critical, but logging doesn't mean monitoring, and monitoring isn't always effective if it isn't actually human readable. Without a significant amount of customization and tweaking (in my experience), an IDS will be spewing way too many alerts for an analyst to track. You may be doing your parsing with custom scripts, vendor filters, or a combination of the two.&lt;br /&gt;&lt;br /&gt;I am anxiously waiting to see which way the smart grid will choose to go. It seems like the current feeling is that nothing would be able to monitor the massive amount of traffic and nodes (millions) that might be generated on some of these networks. 
Hey IPS vendors, we are looking at you.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-2197750269491762677?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/2197750269491762677/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2011/02/logging-monitoring-and-defending-idsips.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/2197750269491762677'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/2197750269491762677'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2011/02/logging-monitoring-and-defending-idsips.html' title='Logging, Monitoring, and Defending (IDS/IPS)'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-6717574632632683297</id><published>2011-01-27T12:20:00.000-05:00</published><updated>2011-01-27T12:20:38.072-05:00</updated><title type='text'>Wiping hard drives to stop wasting money</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://www.vincesplace.com/courses/cst271/cst271res/ComputerForensics.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="320" src="http://www.vincesplace.com/courses/cst271/cst271res/ComputerForensics.jpg" width="271" 
/&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;I saw &lt;a href="http://ridethelightning.senseient.com/2011/01/mythbuster-yes-one-pass-wiping-will-suffice.html"&gt;this post&lt;/a&gt; today and can't believe this myth is still out there. Here's the scoop: go ask an IT person "How many times do I have to wipe a drive to completely erase it?" You will hear many answers and the most popular will likely be 3 times, 7 times, or it can never be erased. Let's clear it up. If you make one pass correctly your mission is accomplished. This is how magnetic media works; feel free to test it yourself with the forensic/data recovery tool of choice. How does wasting money come into play?&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;I was once part of a project testing multiple web proxy vendors. A work policy stated that hard drives could not be returned to vendors and all drives had to be degaussed then shredded. This was for non-classified material that would be tough to even call sensitive. One vendor was set to charge around 16k for the drives in their product. In order to avoid this charge I began asking if there was a waiver process, how it worked, and if the policy was in-house or from a more "legal" entity. Sure enough, there was a waiver process. I filled out the (un)necessary forms and also attempted to explain why this may not be required in the future in order to save my company and the vendor money. No amount of demonstration or discussion seemed to convince people that seven passes, degaussing, and shredding were the only way to maybe prevent our data from falling into the hands of the empire. 
This was a two-week process with regular chastisement received by me for even attempting to return a drive. At the culmination of the project I erased the drives manually using dd and then handed them to our other forensic examiner to ensure he could not retrieve data. The data was gone, the drives were returned, and we managed to save thousands of dollars. As I gave the final status report one of the managers stated "We probably could have saved $16,000 if we had just followed the policy." Feeling offended by that I retorted "If the policy is technically inaccurate or wrong, we should fix the policy because it makes us look stupid." Not my most humble moment.&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;As far as I know that company continues to destroy drives in the name of security that could be recycled, reused, or returned. 
This effort likely costs millions of dollars annually and provides landfills with many tiny shards of metal that will never break down. Policies are good things when they are accurate.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-6717574632632683297?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/6717574632632683297/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2011/01/wiping-hard-drives-to-stop-wasting.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/6717574632632683297'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/6717574632632683297'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2011/01/wiping-hard-drives-to-stop-wasting.html' title='Wiping hard drives to stop wasting money'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-6516315739138010804</id><published>2011-01-24T12:05:00.000-05:00</published><updated>2011-01-24T12:05:53.497-05:00</updated><title type='text'>Acceptable Risk (What's it going to take for security to be important?)</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a 
href="http://www.seobook.com/images/excessive-worry-blog-post-profit.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="240" src="http://www.seobook.com/images/excessive-worry-blog-post-profit.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;It was an interesting weekend in the cyber-security world to say the least. Some guy who goes by "srblche srblchez" began selling .gov, .edu, and .mil websites, or more accurately control of those sites. For attribution I am pulling information from multiple sources such as:&lt;br /&gt;Rafal Los' interview with the dude:&lt;br /&gt;&lt;a href="http://h30501.www3.hp.com/t5/Following-the-White-Rabbit-A/Exclusive-Q-amp-A-with-hacker-quot-srblche-srblchez-quot/ba-p/18361"&gt;http://h30501.www3.hp.com/t5/Following-the-White-Rabbit-A/Exclusive-Q-amp-A-with-hacker-quot-srblche-srblchez-quot/ba-p/18361&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Brian Krebs' blog:&lt;br /&gt;&lt;a href="http://krebsonsecurity.com/2011/01/ready-for-cyberwar/"&gt;http://krebsonsecurity.com/2011/01/ready-for-cyberwar/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Martin Bos (purehate_) found the real site here:&lt;br /&gt;&lt;a href="http://www.srblche.com/"&gt;http://www.srblche.com/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Some of the excellent points from information security pros are the hair-pullingly frustrating "I told you so when I tested your environment." I think every pen tester and blue teamer out there has felt this at one point or another. Several talks I saw online last year focused on the fact that we haven't adequately communicated to the decision makers how security impacts their mission or their bottom line. This is completely true. I have seen pen-testing reports that are purely technical and not readable by management executives. Rafal asked "What will it take?" Based on the way we teach economics, and the gazillions of people getting their MBA, it will take a direct tie to putting dollars into the company's pocket. 
CFO/CEOs want you to be able to answer this question:&lt;br /&gt;"If I invest &amp;lt;n&amp;gt; dollars how much will I earn?" or "If I don't address &amp;lt;x&amp;gt; vulnerability how many dollars will I lose?"&lt;br /&gt;&lt;br /&gt;These are not easy questions to answer and a penetration test only brings part of the answer. The larger answer comes from business case analysis and understanding a failure scenario surrounding the vulnerabilities discovered. Until security equals dollars in a pocket it will be tough. We will continue to fight the "acceptable risk."&lt;br /&gt;&lt;br /&gt;This line of thinking comes from my experiences attempting to align security with business mission. I once wrote a five year strategic plan for an organization aligning the mission of security with the mission of the organization and it was completely disregarded. The point is not that my work was not used; the point is that it didn't even generate discussion. No talk, no action. In fact they put someone in charge of security that clearly stated there were almost no problems with their current mode of operations despite test results to the contrary. Even moving beyond that, the group had little funding despite security being "important" to this organization. Sadly, this was not a unique situation. The companies I have seen do security the best were those that know their reputation is on the line and understand that a breach would lose them customers (dollars). Sadly, this would exclude the types of sites that were compromised.&lt;br /&gt;&lt;br /&gt;Here are the points for people in charge:&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Hire the right people - People who are seeking to learn perpetually and understand that security yesterday is being pwned tomorrow. A project manager or policy maker should not be making technical decisions they do not understand.&lt;/li&gt;&lt;li&gt;Fund these people - Security should be 15-20% of your IT budget every year. 
If you haven't seen an equipment upgrade or product requisition for a few years, something is wrong.&lt;/li&gt;&lt;li&gt;Yesterday's technology (firewalling, IPS, DMZ, A/V) needs help - Anti-virus programs are necessary but don't rely on them. If you think updated definitions protect you, look up Shikata Ga Nai.&lt;/li&gt;&lt;li&gt;The "help" is your people - Talented infosec people are your only defense. No device you buy is a silver bullet and salespeople will say anything to get a sale. If you don't believe me get a DLP solution and winzip and see for yourself.&lt;/li&gt;&lt;li&gt;Test your environment with real scenarios - Don't prescribe the environment to the testing entity. Make it as real as possible or you will never know where you actually stand and be lulled into a false sense of security.&lt;/li&gt;&lt;li&gt;Policy without a technical control is faith - Don't just tell people what not to do, actually prevent it. "We don't allow portable media." is a lot different than "We really hope people aren't using portable media and we will fire them if they do."&lt;/li&gt;&lt;li&gt;Policies and controls must line up - Don't tell your people to have an 8-character password with mixed case and special characters then make them have a password with six characters, single case, and no special characters. 
(yeah, I have seen this)&lt;/li&gt;&lt;li&gt;Security policies should be written by security people, not HR - If you don't understand the policy, more specifically how to break it, you probably shouldn't write it.&lt;/li&gt;&lt;li&gt;There are more, but I'm tired.&lt;/li&gt;&lt;/ol&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/6516315739138010804/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2011/01/acceptable-risk-whats-it-going-to-take.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/6516315739138010804'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/6516315739138010804'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2011/01/acceptable-risk-whats-it-going-to-take.html' title='Acceptable Risk (What&apos;s it going to take for security to be important?)'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-2331466195382416559</id><published>2011-01-18T11:10:00.000-05:00</published><updated>2011-01-18T11:10:45.510-05:00</updated><title type='text'>Stuxnet is a US-Israeli joint operation</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: 
center;"&gt;&lt;a href="http://www.tgdaily.com/sites/default/files/stock/article_images/misc/ahmadinejad.jpg" imageanchor="1" style="margin-left:1em; margin-right:1em"&gt;&lt;img border="0" height="276" width="460" src="http://www.tgdaily.com/sites/default/files/stock/article_images/misc/ahmadinejad.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;The NY Times published an article which does not cite named sources. This is normal and acceptable in journalism; I won't beat that horse. I would like to point out that it is all speculation at this point.&lt;br /&gt;&lt;br /&gt;The buzz about this started over the weekend, and the “confidential sources” part is what’s keeping it interesting. It is worth noting that the source could be Iran itself. The clues in the code, the dates and “Myrtus”, could just as easily be a smokescreen. Some speculate those clues were planted to throw investigators off the actual trail. Here’s Iran saying we did it:&lt;br /&gt;http://www.msnbc.msn.com/id/41121090/ns/world_news-mideastn_africa/&lt;br /&gt;Interesting points I observed about the video:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;No Iranian is shown, scientist or not, in footage with the reactor.&lt;/li&gt;&lt;li&gt;All signs on walls and doors are in English.&lt;/li&gt;&lt;li&gt;Everything in Persian or Farsi or showing Islamic symbols is just paper taped to the walls.&lt;/li&gt;&lt;/ol&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/2331466195382416559/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2011/01/stuxnet-is-us-israeli-joint-operation.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/2331466195382416559'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/2331466195382416559'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2011/01/stuxnet-is-us-israeli-joint-operation.html' title='Stuxnet is a US-Israeli joint operation'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-7006306220211726376</id><published>2011-01-18T10:41:00.001-05:00</published><updated>2011-01-18T10:41:25.469-05:00</updated><title type='text'>"Cyber Warfare"</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://www.darkgovernment.com/news/wp-content/uploads/2010/02/cyber-warrior.jpg" imageanchor="1" style="margin-left:1em; margin-right:1em"&gt;&lt;img border="0" height="259" width="455" 
src="http://www.darkgovernment.com/news/wp-content/uploads/2010/02/cyber-warrior.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;This term has been thrown around a little, and yesterday the Organization for Economic Cooperation and Development (OECD) released a report saying that "true cyberwar is unlikely." Here's an excerpt that was sent to me for comment:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&amp;lt;snip&amp;gt;&lt;br /&gt;“There is nothing new in what the hacktivists are doing,” Mr. Sommer said. “It really should not be exaggerated. It’s really more like the kind of thing Greenpeace does.”&lt;br /&gt;&lt;br /&gt;“We have to get used to the fact that popular protests, as well as skirmishes between nations, are going to have a cyber dimension,” he added. “Some people say cyberespionage is just a few clicks away from cyberwar. It’s not; it’s just another way of spying.”&lt;br /&gt;&lt;br /&gt;Report challenges cyberwar doomsday scenarios&lt;br /&gt;New York Times, January 17, 2011&lt;br /&gt;https://www.nytimes.com/2011/01/17/technology/17cache.html?_r=2&amp;ref=global&lt;br /&gt;&lt;br /&gt;A new study commissioned by the Organization for Economic Cooperation and Development says a true cyberwar is unlikely, and that -- unlike scenarios painted by many recent books and articles on the topic -- advanced countries could recover from such a conflict within days, even hours. "You have this sort of competition between writers to say, 'I have a scarier story than you do,'" said co-author Peter Sommer of the London School of Economics.&lt;/blockquote&gt;&lt;br /&gt;I agree that sometimes infosec folks can get into the habit of telling the scarier story. If that scarier story is true, though, shouldn't we take heed? I responded with the following:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;This is an interesting take and really just seems to be a language issue. I suppose it all depends on how you define "war" and "warfare." Mr. Sommer's quote "... 
skirmishes between nations, are going to have a cyber dimension,” is war in some people's eyes. Also, if it's "...just another way of spying," do wars ever start because of more traditional espionage? I also don't really understand the Greenpeace reference since they don't really attempt government-level espionage. As for the statement that "... advanced countries could recover from such a conflict within days, even hours," that's a great point; a cyber-based attack would only be devastating if followed by a tactical operational attack to take advantage of the service disruption. The ability to disrupt, or intercept, communications to and from your target would give you a significant advantage. This ability has brought about encrypted communications by default for the military, while critical infrastructure has not yet seen the need for this. One of the issues we discuss with our customers when penetration testing is to assess the impact of the operational decisions made based on information received from a field-connected device. Can I get a human, or machine, to initiate an action if I provide false data?&lt;br /&gt;&lt;br /&gt;In 2008 Russia attacked Georgia and used cyber attacks as part of their campaign. I wonder if that would be considered cyber warfare by the authors or just a skirmish? Then, to be fair, I wonder how Georgia would define it.&lt;br /&gt;http://www.zdnet.com/blog/security/coordinated-russia-vs-georgia-cyber-attack-in-progress/1670&lt;/blockquote&gt;&lt;br /&gt;I believe cyber "war" is a reality and will be used as a component of real large-scale attacks in the future. 
What do you think?</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/7006306220211726376/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2011/01/cyber-warfare.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/7006306220211726376'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/7006306220211726376'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2011/01/cyber-warfare.html' title='&quot;Cyber Warfare&quot;'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-28939244733329882</id><published>2011-01-16T08:36:00.002-05:00</published><updated>2011-01-16T08:36:56.019-05:00</updated><title type='text'>We lost a good man yesterday</title><content type='html'>&lt;object width="480" height="385"&gt;&lt;param name="movie" value="http://www.youtube.com/v/zvhrPMJe8LE?fs=1&amp;amp;hl=en_US"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/zvhrPMJe8LE?fs=1&amp;amp;hl=en_US" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480" 
height="385"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;The attached song is one I play when my heart is grieving but my spirit is rejoicing. When I saw MercyMe perform it the first time, they shared the heart-wrenching story of how it had been written, and it seems appropriate today.&lt;br /&gt;Jason Kennard died last night in a car accident. When I was in the praise band at The Church at Sterchi Hills, his wife Lisa would always ask for prayer that the Lord would convict Jason and he would be saved. During this time, we built a new building and had a week-long revival to celebrate the opening. During the revival Jason came to hear one of the messages and received Christ as his savior. It was one of the greatest moments God has allowed me to witness. Shortly after this, Lisa was in Florida and Jason "dropped dead" of a massive stroke while home alone with his young children. I remember clearly sitting in the ER waiting room at St. Mary's hospital waiting for Lisa to return home from Florida so that Jason's life support could be removed. While we waited, and prayed, Jason showed some level of responsiveness, which then prevented life support from being cancelled. Also during that time, one of Jason's friends contacted Lisa and told her that God had told her that Jason would be raised up from this because the Lord had plans for him. She quoted Jeremiah 29:11 "...For I know the plans I have for you,” declares the LORD, “plans to prosper you and not to harm you, plans to give you hope and a future." (NIV) I had the wonderful opportunity to spend every afternoon for the next two weeks watching Jason be healed by the hand of God. Each day he became more responsive and gave everyone a visualization of faith. Jason became a faithful servant of the Lord, leading his family and being the man God had called him to be. 
He was a walking miracle and one of the examples God showed me of walking through the fire of life's trials and emerging as a better man on the other side.&lt;br /&gt;Please keep Lisa, Zack, Whitney, and Seth in your prayers. We know that Jason has been raised up by the Father and healed but our earthly hearts still hurt for the man we will be missing. &lt;br /&gt;Grace and Peace to you.</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/28939244733329882/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2011/01/we-lost-good-man-yesterday.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/28939244733329882'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/28939244733329882'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2011/01/we-lost-good-man-yesterday.html' title='We lost a good man yesterday'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-1539312596043687020</id><published>2011-01-06T11:51:00.000-05:00</published><updated>2011-01-06T11:51:00.680-05:00</updated><title type='text'>Compliance != Security</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: justify;"&gt;&lt;a 
href="http://bluespeed.net/wp-content/uploads/2009/06/lock-ethernet-cables.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="300" src="http://bluespeed.net/wp-content/uploads/2009/06/lock-ethernet-cables.bmp" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;div style="text-align: justify;"&gt;We have so many compliance regulations and auditors now that information security should be getting exponentially better every year. PCI just came out with a new standard, HIPAA received an overhaul recently, and who knows how many other NIST standards are being re-written and re-worked. This is not the case; we see compliant entities hacked all the time. Worse, they are hacked with what seems like the same old techniques. Disclaimer: I know some talented auditors, and they understand where the pitfalls and shortcomings are; do not blame the auditors.&lt;br /&gt;&lt;br /&gt;I understand, and sympathize with, the fact that some of you have to be compliant with some organization's requirements. I also believe that compliance was (is) a good idea and that it means well. What appears to happen is that compliance becomes something you can purchase. We also believe that a compliance-based certification makes our auditor an expert. Business owners want to know "How secure can I be for n dollars?" or "How much will it cost to be secure in area x?" For some reason we (security dudes) have not adequately conveyed (or maybe we have) that this is not a static, black-and-white area. Threat and attack vectors shift and change from day to day, hour to hour, and sometimes from one minute to the next. Is there an effective way to combat this without bankrupting your organization? Can this be done without implementing a police state on your users? Yes, it can. Can you be "hacker proof," ever relax, and do things the same way you always have? No, you cannot. 
Working together with the right information security personnel, policies, procedures, and technical controls, you can bring balance to the force.&lt;br /&gt;&lt;br /&gt;When preparing for an audit, remember that an auditor can be used to enhance your security posture. One organization I have seen in the past viewed an auditor as an enemy and spent weeks planning how to lie and hide things. It would have been less expense and effort simply to be compliant. The auditor you choose, or who is chosen for you, can also determine your security posture. An auditor with experience as a penetration tester is likely to ask better questions when using the unfortunate checklists. An auditor who is only trained to observe a checklist may view things differently. For example, firewalls are typically required by compliance mechanisms. An auditor thinking like a hacker is used to overcoming and bypassing firewalls and may choose to audit your rule set or assist with configuration changes. You may have a best-of-breed monster firewall, but if you have 700 exceptions then you may be leaking data. Web proxies are another good example. You may have every user flowing through a proxy to prevent abuse and drive-by downloads and to enforce policy. An auditor with a penetration testing background may think to ask how many SSH tunnels (users possibly bypassing the proxy) are exiting your network, where a standard auditor may not think of this. Remember, not all CISAs, CISMs, and QSAs are created equal. If you need an auditor, send me an email; I know several excellent folks who are also active pen testers.&lt;br /&gt;&lt;br /&gt;Next, make sure you do prepare for compliance, or certification &amp;amp; accreditation, audits. How you prepare is critical. While you should make sure you are prepared for the auditor's checklist, do not stop there. Do not assume an attacker will be using that checklist or that the creator of that checklist thinks like an attacker. 
As a best practice, have an independent third party red team your environment. Penetration testing from multiple perspectives can provide excellent insight concerning your security posture. Being tested externally and internally from black/white/crystal box perspectives will provide you with a comprehensive understanding of where you stand. When I say third party, I mean completely unaffiliated with your organization. If you are a government agency, I am not referring to your agency's IG or internal audit. Hire people who will think like a bad guy but are not part of your blue team efforts. There are several reasons for not using your own people; I will list a few here:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Your people are familiar with your culture and environment. While this can be a good thing, it can skew results by overlooking points of failure or vulnerability.&lt;/li&gt;&lt;li&gt;Pride may come into play. How forthcoming will your people be in pointing out issues in a program they have spent years "perfecting"?&lt;/li&gt;&lt;li&gt;A third party does not stand to lose (or gain) from your organization's internal culture (performance reviews, bonuses, profit sharing, etc.).&lt;/li&gt;&lt;li&gt;A third party will see if your paper policy is effective. A policy without a control is an exercise in writing and awareness.&lt;/li&gt;&lt;/ul&gt;I am sure there are more but my ADHD has kicked in and I lost interest.&lt;br /&gt;&lt;br /&gt;Most importantly, remember that threat and attack vectors change rapidly. You passed your audit today, you got red teamed and remediated every single finding; good job, but remember that what the attacker could not break yesterday, they can break today. Information security is a never-ending profession and requires constant vigilance and dedication. Make sure you (and/or your team) are constantly learning. Stay on top of new threats and attacks by listening to the security researchers out there. 
If you and your people are behind, get some training and/or hire some consultants to get you up to speed. The only thing that will make you secure is you and your team.&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/1539312596043687020/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2011/01/compliance-security.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/1539312596043687020'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/1539312596043687020'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2011/01/compliance-security.html' title='Compliance != Security'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-4598379497386069059</id><published>2011-01-05T13:47:00.003-05:00</published><updated>2011-01-05T14:07:21.818-05:00</updated><title type='text'>Interesting Acquisition Trends</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a 
href="http://industrypace.com/storage/merger.jpg?__SQUARESPACE_CACHEVERSION=1285941639730" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="240" src="http://industrypace.com/storage/merger.jpg?__SQUARESPACE_CACHEVERSION=1285941639730" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Let's take a look at some of the mergers, acquisitions, and takeovers that have taken place recently. In no particular order, here are the big ones that come to mind.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.eweek.com/c/a/Security/Intel-McAfee-Merger-Plugs-Network-Security-Hole-696433/"&gt;Intel snags McAfee&lt;/a&gt; - Don't forget that McAfee had also been buying up IDS, firewall, and DLP solutions prior to this.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.hp.com/hpinfo/newsroom/press/2010/101022a.html"&gt;HP acquires ArcSight&lt;/a&gt; - ArcSight is a small company but regarded as best of breed in what they do.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.hp.com/hpinfo/newsroom/press/2009/091111xa.html"&gt;HP acquires TippingPoint&lt;/a&gt; - Also known as 3Com, anyone remember them? 
TippingPoint is regarded by some as a best-of-breed IPS.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://content.dell.com/us/en/corp/d/secure/2011-01-04-ir-shld-release.aspx"&gt;Dell grabs SecureWorks&lt;/a&gt; - Very interesting move for Dell.&lt;br /&gt;&lt;br /&gt;I am sure there are more of these, but these all stuck out as companies which want to be able to provide, now or sometime in the future, some sort of complete solution for their customers. This business model will be interesting to watch. Will the people who spend the money prefer one "silver bullet" solution, or will they see this as all their eggs in one basket? What happens to people who want a Dell data center with TippingPoint IPS and/or ArcSight SIEM? This also blurs the lines between competition and interoperability.</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/4598379497386069059/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2011/01/interesting-acquisition-trends.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/4598379497386069059'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/4598379497386069059'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2011/01/interesting-acquisition-trends.html' title='Interesting Acquisition Trends'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' 
width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-8755697670654020689</id><published>2010-12-29T09:10:00.000-05:00</published><updated>2010-12-29T09:10:20.127-05:00</updated><title type='text'>Laptop Bag Review (Spire Torq)</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://www.spireusa.com/images/TQ7/TQ7-BLK-300.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://www.spireusa.com/images/TQ7/TQ7-BLK-300.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;div style="text-align: justify;"&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;I needed a pack that can carry a Dell M4500, a few hard drives, some wireless gear, and standard office-type junk. This pack is perfect; its construction appears much sturdier than anything else I looked at. After 8 months of abuse (I travel a lot), it looks brand new. The laptop sleeve, and the hanging design, are perfect.&lt;/span&gt;&lt;/div&gt;&lt;div style="text-align: justify;"&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px; text-align: justify;"&gt;The interior has enough pockets and zippers for me to adequately separate my gear by function. I can get to what I want easily even when it is stuffed under an airplane seat. 
It seems to fit there fine, and I can still rest my size 12 shoes comfortably next to it.&lt;/div&gt;&lt;div style="text-align: justify;"&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;&lt;div style="text-align: justify;"&gt;The exterior has the "must-have" features I couldn't find in other packs, like compression straps, stowable waist belt, MOLLE-type loops in the front, and rings for attaching things to the outside of the pack. For the outside rings, I attach a ball cap and a rain shell since I am allergic to umbrellas ;-). The shoulder straps are very wide and padded, as is the waist belt. This is critical for load distribution and a place where many other bags fall short.&lt;/div&gt;&lt;/span&gt;&lt;div style="text-align: justify;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;&lt;div style="text-align: justify;"&gt;If I HAD to knock anything, the pack is so roomy and sturdy you might overpack it and it would be super heavy. I would also like to see the laptop sleeve modified to tote around your laptop brick somehow as well. 
For the exterior, I could see how some might want more MOLLE, but the four on the front are enough for me.&lt;/div&gt;&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/8755697670654020689/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/12/laptop-bag-review-spire-torq.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/8755697670654020689'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/8755697670654020689'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/12/laptop-bag-review-spire-torq.html' title='Laptop Bag Review (Spire Torq)'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-1149672298856517220</id><published>2010-12-27T10:54:00.001-05:00</published><updated>2010-12-27T10:56:40.435-05:00</updated><title type='text'>Cyber Security Sucks</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://www.motifake.com/image/demotivational-poster/1007/security-features-microsoft-security-sucks-demotivational-poster-1280447168.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="250" 
src="http://www.motifake.com/image/demotivational-poster/1007/security-features-microsoft-security-sucks-demotivational-poster-1280447168.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;Warning, rant ahead:&lt;br /&gt;&lt;br /&gt;For several years, as I have learned more and more about how computers, networks, and policy are interrelated, I have felt that security in these areas is actually getting weaker. I listen to people just blame security issues on Bill Gates and think they are immune because they can bash a vendor. This seems to be happening through over-governing some aspects, underfunding, and hiring absolutely the wrong people. Today I saw a couple of blog posts that should let you know exactly how bad it is out there.&lt;br /&gt;&lt;br /&gt;First, &lt;a href="http://taosecurity.blogspot.com/2010/12/courtesy-of-apt.html"&gt;consider this from TaoSecurity&lt;/a&gt;. If you don't believe that is our stolen technology staring you in the face, it is. APT is a really hip buzzword, but it's real, and you had better figure out what it is and where it is on your networks. I know a couple of govie orgs suffering from this right now, but they are too arrogant to think it could happen to them, so it will remain on their networks until... well, probably a while.&lt;br /&gt;&lt;br /&gt;Saving the best for last, I read about the carders.cc job. No, I didn't read the 900 cut-and-paste opinions on it; I read it from the d00dz who did it. Are you still confident about your security, wanting to trust your users, wanting to trust some 1337 guy you hired? &lt;a href="http://www.exploit-db.com/papers/15823/"&gt;Read this e-zine from the 0wned and Exp0sed crew&lt;/a&gt;. If that doesn't make you realize we all suck at security, I don't know what will.&lt;br /&gt;&lt;br /&gt;I am not at all saying we, or anyone mentioned, are stupid. I am stating that the enforcement of the status quo must stop. We all need to learn more, do more, and weed out the lameness. 
Note in the zine that if you have used (installed) ettercap in the last five years, you might want to check your "shit." Do you know how many of us use that? ALL OF US!! That sucks! These people went after several high-profile, well-respected security pros and their websites, and 0wned them at will. If you think you're immune, please share your awesomeness with the rest of us, because this should make you realize how bad the state of security is. What this group did is wrong, but things like this need to happen in order to get things&amp;nbsp;moving&amp;nbsp;in the right direction.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-1149672298856517220?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/1149672298856517220/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/12/cyber-security-sucks.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/1149672298856517220'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/1149672298856517220'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/12/cyber-security-sucks.html' title='Cyber Security Sucks'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-1027114165036221468</id><published>2010-12-02T14:42:00.000-05:00</published><updated>2010-12-02T14:42:27.906-05:00</updated><title type='text'>There are no internal applications</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://rlv.zcache.com/network_security_team_polo_tshirt-p235799012049924744l117_400.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="320" src="http://rlv.zcache.com/network_security_team_polo_tshirt-p235799012049924744l117_400.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;I read &lt;a href="http://h30501.www3.hp.com/t5/Following-the-White-Rabbit-A/There-Are-No-More-Internal-Applications/ba-p/14047#feedback-success"&gt;this post&lt;/a&gt; by Rafal Los (Wh1teRabbit) and wanted to agree completely. If you still believe you can have a firewall and an IDS and "trust" your users, you are inviting a problem. If you have a team that is convinced that nothing bad could ever happen to their infrastructure because they are 1337, you have a bigger problem. The blog post and comments focus on the fact that data is what needs to be protected, not just the location of the data. As mentioned in an &lt;a href="http://cyb3rs3c.blogspot.com/2010/11/smartphones-destroying-your-perimeter.html"&gt;earlier post&lt;/a&gt;, mobile computing and new threat and attack vectors are removing your borders for you.&lt;br /&gt;Your people are your greatest asset and your biggest risk. Somebody in your organization clicks links, brings in infected USB drives, plays on Facebook all day, or actually wants to steal your data. 
I have been inside some supposedly very secure networks before where nothing but everyone's good intentions, and some veiled threats, stopped them from doing whatever they wanted. I don't just mean a penetration tester with network access; I mean anyone who knows how to open Network Neighborhood or send email. Talking with the management in these organizations resulted in some head nodding and furrowed brows but no change or desire to change. Every now and then a technical person would get frustrated and leave, only to be replaced by a project manager or an "architect." At one place, a mid/senior-level analyst left and the management decided to replace him with someone who had no security experience. One of the quotes overheard from that management group was "We don't need any more smarty-pants around here, we need someone who can get along with everyone." I agree that your team should function well together, just not at the expense of your data's security.&lt;br /&gt;So, think of it this way:&lt;br /&gt;&lt;blockquote&gt;1. Can a malicious insider, no matter how unlikely, steal your data?&lt;/blockquote&gt;&lt;blockquote&gt;2. Can a non-malicious insider bring a threat inside that compromises your data?&lt;/blockquote&gt;&lt;blockquote&gt;3. In either case would you even know if this had happened?&lt;/blockquote&gt;&lt;blockquote&gt;4. Why can it happen?&lt;/blockquote&gt;&lt;blockquote&gt;5. 
What can be done to lower the risk or impact?&lt;/blockquote&gt;Good luck planning for future security projects; don't forget to use the WikiLeaks trend to increase your budget for next year.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-1027114165036221468?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/1027114165036221468/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/12/there-are-no-internal-applications.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/1027114165036221468'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/1027114165036221468'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/12/there-are-no-internal-applications.html' title='There are no internal applications'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-6209275514734802388</id><published>2010-11-23T12:39:00.000-05:00</published><updated>2010-11-23T12:39:48.107-05:00</updated><title type='text'>Is your information security crushed by the org chart?</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://i124.photobucket.com/albums/p26/Kipsang/My%20Blog%20Photos/InformationSecurity.jpg" imageanchor="1" style="margin-left: 1em; 
margin-right: 1em;"&gt;&lt;img border="0" height="248" src="http://i124.photobucket.com/albums/p26/Kipsang/My%20Blog%20Photos/InformationSecurity.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div style="text-align: justify;"&gt;Funny cartoon. It's understandable that some organizations definitely&amp;nbsp;wouldn't&amp;nbsp;want their shortcomings broadcast for all the world to see. I am more focused on the first sentence, "Information security is a major priority at this company." That statement is heard a lot when you are a penetration tester and even when you are a "blue teamer" for a company. There are times when the best cyber security team can be stopped cold by an organizational chart. If the team is not properly positioned inside the organization and given the authority to implement policies and controls then nothing happens. Let's look at some examples I have witnessed in the past.&lt;/div&gt;&lt;div style="text-align: justify;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: justify;"&gt;At many places there is no CSO or CISO to this day. At times this put the infosec nerds reporting to the CIO. The CIO is most often concerned with things working or availability. In addition he/she will develop a technological vision for future services and offerings within a company and how to make things better and/or faster. While this person may consider security as a&amp;nbsp;component&amp;nbsp;of their job, it is not their sole purpose and balance may be difficult to&amp;nbsp;achieve. In one organization I saw a CIO who had been moved from either accounting or HR and made the CIO. They had no relevant technology experience yet had been placed in charge of all technology. At that point in time IT within the organization was stagnant and&amp;nbsp;falling&amp;nbsp;behind the technological curve. They had a security group, but no CISO so security suffered the same fate as IT in general. 
In a different institution I have seen the CIO report to a department head and not to the leadership of the company. Any c-level personnel should have the eyes and ears of the top two individuals or governing board of an organization. Without that, this CIO was effectively just a middle manager with a fantastic salary and title, yet no actual authority. I know some folks hold to the idea that people can effectively wear multiple "hats" and have even seen that work in smaller businesses. My experience with larger companies has shown that trying that simply enforces the status quo, which may be their goal and that's fine, and does not foster effective internal communications and relationships. In the simple diagram below I have shown the c-level folks as equal peers reporting to the number 2, as a minimum, within this organization. I have seen other examples where security reported to the CFO or was incorporated into internal audit, but those models were short-lived examples. I would love to get some examples from the real world with success stories.&lt;/div&gt;&lt;div style="text-align: justify;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/_C4qpAYdiJdk/TOv7SEefKMI/AAAAAAAAAC0/XuQFvyCHoPk/s1600/sample.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="234" src="http://1.bp.blogspot.com/_C4qpAYdiJdk/TOv7SEefKMI/AAAAAAAAAC0/XuQFvyCHoPk/s320/sample.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-6209275514734802388?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/6209275514734802388/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://cyb3rs3c.blogspot.com/2010/11/is-your-information-security-crushed-by.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/6209275514734802388'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/6209275514734802388'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/11/is-your-information-security-crushed-by.html' title='Is your information security crushed by the org chart?'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://i124.photobucket.com/albums/p26/Kipsang/My%20Blog%20Photos/th_InformationSecurity.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-4296713751729472275</id><published>2010-11-23T11:22:00.000-05:00</published><updated>2010-11-23T11:22:07.927-05:00</updated><title type='text'>Smartphones: Destroying your perimeter one device at a time</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://www.lawyersweekly.ca/images/LockedCell_6119731.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="213" src="http://www.lawyersweekly.ca/images/LockedCell_6119731.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;Sounds like an overstatement, I know. Smartphones are incredibly powerful devices that open up a world of possibilities for communications versatility on a tiny platform. 
Consider this statistic: "...&lt;span class="Apple-style-span" style="color: #000066; font-family: 'Trebuchet MS', Verdana, sans-serif; font-size: x-small; line-height: 19px;"&gt;48% of employees are allowed to use their personal smartphones to connect to corporate systems – on the flip side, 70% of employees are permitted to use their company-provided smartphones&amp;nbsp;for personal business." &amp;nbsp;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-family: 'Trebuchet MS', Verdana, sans-serif; font-size: x-small; line-height: 19px;"&gt;&amp;nbsp;-&amp;nbsp;&lt;/span&gt;&lt;a href="http://ridethelightning.senseient.com/2010/11/cios-see-smartphones-as-data-breach-time-bombs.html"&gt;http://ridethelightning.senseient.com/2010/11/cios-see-smartphones-as-data-breach-time-bombs.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;That's not a security-minded practice. I have been listening to C-level decision makers this year in conferences using phrases like "If you can't beat them, join them." "We must learn to work with social networks because this upcoming generation expects it." These are interesting&amp;nbsp;perspectives&amp;nbsp;and quite a shift from the website blocking and strict rules we all experienced just a few years ago. Perhaps they decided breaches were still happening, so why keep fighting the tide. Whatever the decision, the smartphone is the most significant piece of your enterprise that is walking around in someone's pocket, getting lost on the subway, or stolen. If you allow these devices to connect to your enterprise, are you fully aware of the device's capabilities? I don't mean what the manufacturer said it can do, although that's a great place to start; I mean what is it actually capable of? Do you know if the security features touted by the vendor can be bypassed? Over the past several weeks there have been vulnerability reports issued for iPhone and Android platforms. 
The last time I tested an iPhone, the encryption was purposely defeated by the operating system kernel. Android phones, if you allow them, were designed to be flexible and open platforms; security was not the primary consideration. What kind of threats can this pose to your organization? My phone is the Google Nexus One running the latest OS, 2.2. In addition to the phone's native capabilities, I have rooted it and installed a custom ROM. Performing these actions has given me complete control of the phone's hardware and allowed me to install Ubuntu 9.10. Once I had the Linux distro stable, I installed nmap, OpenVAS, and Metasploit. I also installed ettercap, Wireshark, and a few other tools before running out of space, but you get the idea. My phone was now as weaponized as a pen testing laptop. The only downsides were storage and the terribly painful typing.&lt;br /&gt;&lt;br /&gt;I know your users will bug you until you must allow whatever platform they think is the coolest; I mean the one that makes them the most productive when not at their desks. As you implement these devices, the risk they pose should be considered carefully and the platform should be thoroughly tested. 
If your organization is not capable of hacking on the devices, it may be worth the investment to contract an outsider so you know exactly what you are getting.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-4296713751729472275?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/4296713751729472275/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/11/smartphones-destroying-your-perimeter.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/4296713751729472275'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/4296713751729472275'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/11/smartphones-destroying-your-perimeter.html' title='Smartphones: Destroying your perimeter one device at a time'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-4760891389791897443</id><published>2010-11-15T14:44:00.000-05:00</published><updated>2010-11-15T14:44:29.420-05:00</updated><title type='text'>TSA's "signature-based " security</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://www.crunchgear.com/wp-content/uploads/2008/05/tsa.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="320" 
src="http://www.crunchgear.com/wp-content/uploads/2008/05/tsa.jpg" width="239" /&gt;&lt;/a&gt;&lt;/div&gt;Infosec analysts have long been lamenting the shortcomings in signature-based security items like traditional antivirus. It would seem that the TSA has somehow managed to latch onto this philosophy even though it isn't working well in IT. Let's take a look at how the TSA is mirroring this with their decisions.&lt;br /&gt;I recently went through security at FLL in Ft. Lauderdale. As usual I was singled out and moved through secondary, or extra, screening. I would say this happens to me 90% of the time and always has. I don't complain and understand the gate agents are just doing their jobs, and I would hope that most folks don't vent on them; they are not the problem. So I get taken out of the metal detector (md) line and moved to the "nekkid machine" (backscatter x-ray). I am not shy, so the backscatter doesn't offend or bother me; while I was in there, I asked the agent if I could see the picture since it was such a hot topic. She stated that the pictures were displayed somewhere remotely and that I had to go stand on the footprints and await instruction. While I was standing there a very professional male agent began to recite the standard pat-down procedure that might be necessary if the x-ray revealed that necessity. He then got the call in his Secret Service earpiece that I needed to be physically inspected. He performed the pat-down just like a cop would and off I went. Altogether it was 10 minutes to get through the line and the TSA folks were great. The problem is that most of this still seems like the illusion of security.&lt;br /&gt;I say this based on a couple of different thoughts or observations. First, I know that I have zero desire to take over a plane. This skews my perception of the procedure, but I understand they can't know that about me. 
I have noticed that there is some discrimination taking place as they cannot&amp;nbsp;perform&amp;nbsp;this&amp;nbsp;same procedure on a&amp;nbsp;Muslim&amp;nbsp;woman. In order to be ethnically sensitive the agents have been told only to check their head and neck areas. We have now arrived at the root of the problem. When you give preferential, or discriminatory, treatment to any group you are doing it wrong. If the plane is in danger then we must put our foot down and say search people regardless of their ethnicity. If you want to do some research and pick the culture(s) that would attempt this type of attack you might become much more efficient. Or don't; I don't really care, but you are wasting your time giving me a leg massage.&lt;br /&gt;The TSA signatures are as follows:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Someone once hijacked a plane with a gun = no guns&amp;nbsp;allowed&amp;nbsp;on a plane and everyone has to walk through a metal detector&lt;/blockquote&gt;&lt;blockquote&gt;&lt;br /&gt;&lt;/blockquote&gt;&lt;blockquote&gt;Someone had a device in their shoe = I have to see everyone's feet at security and put my shoes in a bin (or not in a bin depending on the airport)&lt;/blockquote&gt;&lt;blockquote&gt;&lt;br /&gt;&lt;/blockquote&gt;&lt;blockquote&gt;Someone had a few ounces of "bad" stuff = I can only have enough shampoo in my bag for three days AND I have to have everything in a ziploc as if the stuff can be verified visually.&lt;/blockquote&gt;&lt;blockquote&gt;&lt;br /&gt;&lt;/blockquote&gt;&lt;blockquote&gt;Someone uses a printer&amp;nbsp;cartridge&amp;nbsp;to form an IED = no more printer cartridges&lt;/blockquote&gt;&lt;br /&gt;What will happen when someone has a bomb surgically implanted or hidden in an orifice? I don't want an answer really. The point is that these actions and reactions don't quite seem to add up, and over time the reactions seem to escalate. 
Currently you are allowed to carry enough stuff onto a plane (electronics, liquids, shrapnel) that none of the above measures would stop. I don't want to post any combinations, but I can certainly have seven 3 oz bottles of almost anything under the sun, a&amp;nbsp;significant&amp;nbsp;number of batteries, a number of other "toiletries", and keys or other small pieces of metal.&lt;br /&gt;&lt;br /&gt;These reactions seem similar to how IT security has decided to work. We wait for a threat to surface, then ban a symptom and wonder about how to kill the root cause. Alternatively, if there is a compliance or regulatory mechanism, we check off the boxes for the least amount of money possible and call it a day. This is tough since most of our companies are trying to make money and security can be very expensive. For the IT security world, I would like to see more technical&amp;nbsp;people&amp;nbsp;getting promoted into management positions with budgetary authority. For the TSA, I have no idea what the right answer might be, but good luck and don't follow the signature-based model.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-4760891389791897443?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/4760891389791897443/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/11/tsas-signature-based-security.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/4760891389791897443'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/4760891389791897443'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/11/tsas-signature-based-security.html' 
title='TSA&apos;s &quot;signature-based &quot; security'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-1171917113250790892</id><published>2010-11-15T12:02:00.000-05:00</published><updated>2010-11-15T12:02:58.544-05:00</updated><title type='text'>Cyber Security Forum Initiative - Stuxnet Project</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://www.csfi.us/images2/csfi_logo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://www.csfi.us/images2/csfi_logo.png" /&gt;&lt;/a&gt;&lt;/div&gt;I recently had the privilege of collaborating with about 30 other InfoSec professionals to learn more about the Stuxnet worm. The results of our work can be viewed here:&lt;br /&gt;&lt;br /&gt;&amp;nbsp;http://www.csfi.us/?page=stuxnet&lt;br /&gt;&lt;br /&gt;One of the more exciting pieces of work is a video created by Joel Langill from EnGlobal. 
In the video Joel infects an actual Siemens WinCC PCS7.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;object width="320" height="266" class="BLOG_video_class" id="BLOG_video-4963b5c2b010560c" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"&gt;&lt;param name="movie" value="http://www.youtube.com/get_player"&gt;&lt;param name="bgcolor" value="#FFFFFF"&gt;&lt;param name="allowfullscreen" value="true"&gt;&lt;param name="flashvars" value="flvurl=http://v20.nonxt8.googlevideo.com/videoplayback?id%3D4963b5c2b010560c%26itag%3D5%26app%3Dblogger%26ip%3D0.0.0.0%26ipbits%3D0%26expire%3D1331282687%26sparams%3Did,itag,ip,ipbits,expire%26signature%3D62F7FFD21D554A40C9A15A35F40D91A0D6F0A8B2.1C4D43DDC3B51D03A4ADFB5092E7117ADE2B9642%26key%3Dck1&amp;amp;iurl=http://video.google.com/ThumbnailServer2?app%3Dblogger%26contentid%3D4963b5c2b010560c%26offsetms%3D5000%26itag%3Dw160%26sigh%3DcbyltnFgWz1PXQEOUWo-DUzPX2E&amp;amp;autoplay=0&amp;amp;ps=blogger"&gt;&lt;embed src="http://www.youtube.com/get_player" type="application/x-shockwave-flash"width="320" height="266" bgcolor="#FFFFFF"flashvars="flvurl=http://v20.nonxt8.googlevideo.com/videoplayback?id%3D4963b5c2b010560c%26itag%3D5%26app%3Dblogger%26ip%3D0.0.0.0%26ipbits%3D0%26expire%3D1331282687%26sparams%3Did,itag,ip,ipbits,expire%26signature%3D62F7FFD21D554A40C9A15A35F40D91A0D6F0A8B2.1C4D43DDC3B51D03A4ADFB5092E7117ADE2B9642%26key%3Dck1&amp;iurl=http://video.google.com/ThumbnailServer2?app%3Dblogger%26contentid%3D4963b5c2b010560c%26offsetms%3D5000%26itag%3Dw160%26sigh%3DcbyltnFgWz1PXQEOUWo-DUzPX2E&amp;autoplay=0&amp;ps=blogger"allowFullScreen="true" /&gt;&lt;/object&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-1171917113250790892?l=cyb3rs3c.blogspot.com' alt='' 
/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/1171917113250790892/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/11/cyber-security-forum-initiative-stuxnet.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/1171917113250790892'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/1171917113250790892'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/11/cyber-security-forum-initiative-stuxnet.html' title='Cyber Security Forum Initiative - Stuxnet Project'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-123185428822152480</id><published>2010-11-08T10:47:00.000-05:00</published><updated>2010-11-08T10:47:12.370-05:00</updated><title type='text'>Cyber Security vs. IT Police/Harassment where's the balance?</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://visibility911.com/ford/wp-content/uploads/2010/07/big-brother.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="320" src="http://visibility911.com/ford/wp-content/uploads/2010/07/big-brother.jpg" width="218" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;This is an interesting and sensitive topic and I will readily admit there probably isn't a "one size fits all" answer. 
With that in mind, I wanted to relate my thoughts based on experiences with both balanced and unbalanced cyber security programs with respect to playing big brother instead of defending their enterprise.&lt;br /&gt;&lt;br /&gt;A good cyber security program must be able to respond in a timely fashion when personnel incidents occur. The logging and tracking of data is essential in order to prevent scenarios where verbal opinions are pitted against each other (he said/she said). These situations are quite unreliable since emotion can be injected into the scene. As an example, let's say you have two employees, employee 1 and employee 2. If employee 2 approaches the designated representative with allegations of wrongdoing by employee 1, the designated representative should be able to use a clearly defined process to obtain the evidence required to investigate the incident. This process should have adequate separation of duties, accountability checks, and safeguards that prevent any one individual (or a single group within an organization) from misusing or abusing this ability. This speaks to "who is watching the watchers" within your organization. I once sat in a meeting where a group member stated "Once a month I run a script on instant message chat logs looking for dirty words." While I agree that I am not to use company resources for things like that, my response to that statement was "why?" Unless someone is complaining about productivity or harassment, that evolution seems like a waste of time and an attempt to impose your moral stance on others. I later learned that many others had nicknamed this person "the hall monitor" and the comment made much more sense.&lt;br /&gt;In a perfect world, this monitoring would not be possible without initiating an investigation into alleged behavior, and no one individual should have access to "police" the IM logs. So, how does this work with social media? 
Your employer absolutely reserves the right to observe what you post in a public forum in order to assess how your thoughts and actions can potentially impact their business.&amp;nbsp;Additionally, a clear policy (from HR, not IT) should be in place defining what is acceptable and what is not. Now we get into the HR side of things. Your HR department exists to make your organization better by finding the right personnel for your organization. Additionally, they may define certain policies concerning the interaction of personnel within your organization. In some cases, HR departments have become an overarching group responsible for any type of internal governance or policy. I believe this is a mistake and that the governance of a resource should be under the purview of the resource owner. For example, IT resources should be governed by the CIO, financial resources by the CFO, etc. This governance is compromised and ineffective if the c-level personnel are not reporting to the heads of the enterprise or the governing body of the enterprise. I point this out having observed a few instances of IT security personnel handing over volumes of data to HR personnel in the past. Handing over web proxy data, when there is NOT an active investigation, would fall under my big brother/waste of money category. I categorize it this way for two reasons. One, if the supervisor or another employee has not complained, then this is not necessary and you are&amp;nbsp;simply&amp;nbsp;satisfying your curiosities about whether some individuals are on Facebook as much as you are at work (they are). Two, HR personnel are unlikely to be aware that the HTTP protocol is stateless, and those statistics are somewhat meaningless. I know the company that sold you that proxy software or device told you differently, but that&amp;nbsp;was&amp;nbsp;probably the sales dude while the technical guy sat silent. 
Without completely observing netflows, keystrokes, clicks, and the Internet Explorer "TypedURLs" registry key you are doing a bit of guessing. An HR person is possibly doing a lot of guessing if the proxy stats alone are handed over. The job of IT/cyber security should be to defend the enterprise against threats (internal and external) in cooperation with other groups (IT, HR, ???). This defense can include the analysis of evidence collected from various sources, some of which are not under the purview of your security personnel. This separation of duties allows for a balance of power within your organization. The security team should NOT be responsible for "spying" or observing behavior on an individual basis when there is not an active investigation. While this is a delicate balance, I believe you can sum up your role with the following statement: "How does &amp;lt;action&amp;gt; make &amp;lt;enterprise&amp;gt; safer from internal and external threats?" followed by "Are there loopholes negating &amp;lt;action&amp;gt; causing &amp;lt;enterprise&amp;gt; to actually be less secure?" I will follow with my tried and true removable media example, observed in multiple environments:&lt;br /&gt;&lt;br /&gt;"&amp;lt;enterprise&amp;gt; does not allow external (privately owned) removable media to be used in conjunction with company-owned assets." This is a good policy, yet it is just an exercise in writing if there is no technical control to enforce it. It becomes further moot if you also have the following:&lt;br /&gt;"&amp;lt;enterprise&amp;gt; users may connect personal assets via the virtual private network (VPN) when working remotely." You have just given that removable media a path to the assets the user needs, through a machine you do not manage. I can already hear "but we have &amp;lt;protective mechanism&amp;gt; via the VPN to prevent the badness." Outstanding: did you test that, does the user need that capability, and why isn't that same mechanism used with your own equipment so that the whole policy isn't needed?&lt;br /&gt;&lt;br /&gt;How do you restore the balance if your organization is not functioning correctly? Start at the top; someone allowed this to happen and possibly encouraged it. Draw out what the program should look like and the processes that should accompany it. Demonstrate how the technical controls will enforce your policies and make your program better internally and less of a target externally. Ensure your personnel are up to date in their training and skillset. If YOU are not up to date and cannot recommend the correct technical control, GET TRAINING. This stuff isn't rocket science, and you are not benefiting anyone by not understanding the full scope and impact of your position. Cyber security is a constant learning process; that's why the best conferences are training events where individuals give and take from each other in open forums, trying to understand the gaps in what they have tried. 
Best of luck finding the right balance for your organization.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-123185428822152480?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/123185428822152480/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/11/cyber-security-vs-it-policeharassment.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/123185428822152480'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/123185428822152480'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/11/cyber-security-vs-it-policeharassment.html' title='Cyber Security vs. 
IT Police/Harassment where&apos;s the balance?'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-1599059148949989441</id><published>2010-11-08T09:24:00.000-05:00</published><updated>2010-11-08T09:24:50.418-05:00</updated><title type='text'>Electric Vehicle vs Gas</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://www.nissan-carz.com/wp-content/uploads/2010/06/Nissan-leaf-new.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="300" src="http://www.nissan-carz.com/wp-content/uploads/2010/06/Nissan-leaf-new.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;I keep hearing that it takes "a lot" of power to charge one of these things. With that said, I have also heard that, no matter what, an electric vehicle is cheaper to operate than a gas-powered vehicle. Can someone explain how much it will cost to charge one of these dudes? I currently spend about $250 in gas every month for 2 non-efficient vehicles. 
Based on ten cents per kilowatt hour, what would this vehicle cost me assuming I only charged it at home?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-1599059148949989441?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/1599059148949989441/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/11/electric-vehicle-vs-gas.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/1599059148949989441'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/1599059148949989441'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/11/electric-vehicle-vs-gas.html' title='Electric Vehicle vs Gas'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-5703060835712937069</id><published>2010-10-21T11:49:00.000-04:00</published><updated>2010-10-21T11:49:11.516-04:00</updated><title type='text'>East Tennessee Cyber Security Summit Review</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://www.etcss.org/wp-content/themes/atahualpa/images/logo2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="43" src="http://www.etcss.org/wp-content/themes/atahualpa/images/logo2.png" width="320" 
/&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;This week I attended ETCSS 2010 on October 19 - 20 here in Knoxville. This was my first visit to this conference, and it differs significantly from the "training" conferences I usually attend. I heard a lot of different people talk about info/cyber security with some conflicting points of view. Overall I would say the conference is well worth attending, but don't expect a lot of technical information or demonstrations. Two elements were quite exceptional. The first was the mock court exercise, where a real-world case was on display and the defense attorney lured the prosecution into stating how much they relied on MD5 hashing, then demonstrated an MD5 collision (two different files with the same MD5 digest, which is why a matching hash alone does not prove two files are identical). That was quite a cool moment, and &lt;a href="http://www.craigball.com/"&gt;Craig Ball&lt;/a&gt;, the mock defense attorney, really did a great job.&lt;br /&gt;The second was hearing Dr. Ron Ross from NIST discuss Enterprise Architecture and "Defense in Breadth." Dr. Ross spoke well of the problems that some companies view as small "chinks in the armor" which are really more like "hey, you forgot to put your pants on." As an example of this I will interject a personal recollection. I observed the following security posture sometime in the past. The organization fanatically wanted to protect their intellectual property and spared almost no expense to do it. Some of their protective measures included whitelisting the Internet, reviewing EVERY email that left their domain, knowing EVERY document that was printed, and doing a great job of preventing unauthorized USB drives from being present on their systems. In contrast, the same place used WEP for their wireless infrastructure (not the guest network, either), one of the whitelisted sites was Facebook, and the wireless had virtually no separation from their wired network. 
There was also zero separation of the network internally; once you had an IP address on the inside you could roam anywhere and no one would really know. They viewed the WEP problem as too expensive to overcome in the near future and an acceptable risk, even though a WEP key can be recovered from captured traffic in minutes with freely available tools. As an attacker I would view this organization as having zero obstacles for me to overcome in order to get inside their network. Defense in Breadth would seek to teach organizations like this that cyber security is becoming an all-or-nothing proposition. You either do it all and do it well, or just don't try. I know this sounds like gloom and doom, but with the proliferation of attack vectors and the automation of many exploits it's becoming really easy to circumvent protections that may have slowed down an attacker in the past. Kudos to Dr. Ross and NIST for pointing this out.&lt;br /&gt;At the end of each day there was an expert panel that would field questions from the audience. The knowledge and skills of the panel members led to great advice on procedure and policy for your enterprise, but they were unable to field a couple of technical questions from the audience. I thought that was funny, since it appears that more and more of the people in charge of cyber security were never in the trenches. A friend of mine in the industry, who was not at the conference, told me a couple of weeks ago that infosec has been overrun with parrots and talking heads that "retweet" what they hear or read, sometimes without understanding what things mean. I certainly don't mean to imply that there is zero value in administrative/policy oriented folks, just that there needs to be a better balance in some cases. For example, I once observed an organization where there were approximately 15 infosec people and 70% of them had zero technical background or ability. 
The technical people often had 2-3 different project managers trying to get info from them so the non-technical group could turn out status reports and updates that were relevant. It may have been more efficient to allow the technical folks to manage their own projects and time, in addition to increasing the number of technical people. Perhaps there was some cost benefit in the model that was present; however, the security posture of the organization had suffered in the past because of it.&lt;br /&gt;There were two talks on insider threats that were good. This is a serious problem that is not getting enough attention. I am definitely becoming a fan of the zero trust model where every node is a suspect. Unfortunately, some folks view this as offensive and think the users of your network will have their feelings hurt, but we need to get over that. First, it's not that you think they are all evil, just that mistakes happen. Second, they are all evil, or at least susceptible to coercion for a large sum of money or perhaps extortion to protect their own interests. Either way you are just taking that responsibility away from the endpoint or user and providing the right environment, which will reduce the insider threat.&lt;br /&gt;Lastly, I saw a presentation that was a teaser for taking the SANS SEC 542 web application testing class, and it was more along the lines of demonstration and "how-to." That looks like a good course and, if I can manage it, is definitely the next certification I would like to get. The talk covered which web app vulnerabilities are common, what tools can identify them, and what can be done to mitigate or remediate these issues. For a one-hour talk it gave quite a bit of insight and demonstration. Good job, Jim Purcell!&lt;br /&gt;Like I said earlier, overall the conference is good, well attended, and well organized. 
None of the talks were "bad", just stuff that wasn't new or that we have all heard a few times in the past. As always, a conference is a great place to meet people who are in your industry and build your social network, to learn what may be working and not working in certain areas. I think I would like to see a conference where people talk about what didn't work for them. Probably no one would be willing to talk about their organization like that, but it would be cool to hear the honest side. It would be extra cool if people would say "we tried (insert product name) or (some architecture) scheme and it totally sucked, hackers ate our lunch for two weeks while we tried to fix it." Then they could detail how it was fixed.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-5703060835712937069?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/5703060835712937069/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/10/east-tennessee-cyber-security-summit.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/5703060835712937069'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/5703060835712937069'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/10/east-tennessee-cyber-security-summit.html' title='East Tennessee Cyber Security Summit Review'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-5244481258923175853</id><published>2010-10-07T12:19:00.000-04:00</published><updated>2010-10-07T12:19:21.653-04:00</updated><title type='text'>Don't be a "bait ball"</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://www.bluewatersolomons.com/spearfishing_images/baitball_packed.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="240" src="http://www.bluewatersolomons.com/spearfishing_images/baitball_packed.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;When small schooling fish are attacked they swarm together into a bait ball. As they get picked off by tuna, sharks, and seals from below they are also getting eaten by birds from above.&lt;br /&gt;&lt;br /&gt;I bring this up because I recently heard some decision makers saying "Well there are a lot more vulnerable targets than us, maybe the hackers will just leave us alone." 
This is typically in response to an audit finding, or to a vulnerability that was successfully exploited during a penetration test and isn't cheaply and easily fixed. I have also heard this from cyber security "professionals" in the past, but it is typically a response from a non-technical person.&lt;br /&gt;&lt;br /&gt;Don't let your business be part of the bait ball.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-5244481258923175853?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/5244481258923175853/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/10/dont-be-bait-ball.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/5244481258923175853'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/5244481258923175853'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/10/dont-be-bait-ball.html' title='Don&apos;t be a &quot;bait ball&quot;'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-2735560302811466594</id><published>2010-09-27T16:47:00.002-04:00</published><updated>2010-11-05T09:12:52.869-04:00</updated><title type='text'>Forensic images by private investigators</title><content type='html'>&lt;div class="separator" style="clear: both; 
text-align: center;"&gt;&lt;a href="http://www.wolfgnards.com/media/blogs/photos/celebrities/magnum-pi-hawaiian-shirt.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="320" src="http://www.wolfgnards.com/media/blogs/photos/celebrities/magnum-pi-hawaiian-shirt.jpg" width="310" /&gt;&lt;/a&gt;&lt;/div&gt;I sent the following email awhile back:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Ms. Vest,&lt;/blockquote&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;Does the state of Tennessee currently require a private investigator's&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;license to conduct computer forensics work as a contracted third party&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;where&amp;nbsp;the evidence will be used in court. 
Additionally, if the forensic&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;analyst is&amp;nbsp;called on to testify as a subject matter expert must the analyst then&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;meet&amp;nbsp;the PI requirement? Thank you for your time and attention.&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;Best Regards,&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;Slade Griffin&lt;/span&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;I didn't expect to get this answer:&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Mr. 
Griffin:&lt;/blockquote&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;Ms. Vest forwarded your email to my attention for response. &amp;nbsp;Licensing&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;is required for any individual who performs any of the services outlined&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;in TCA 62-26-202((6) &amp;nbsp;“Investigations company” means any person who&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;engages in the business or accepts employment to obtain or furnish&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;information with reference to:&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span 
class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;(A) &amp;nbsp;Crime or wrongs done or threatened against the United States or any&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;state or territory of the United States;&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;(B) &amp;nbsp;The identity, habits, conduct, business, occupation, honesty,&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;integrity, credibility, knowledge, trustworthiness, efficiency, loyalty,&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;activity, movement, whereabouts, affiliations, associations,&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;transactions, acts, reputations or character of any person;&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;(C) &amp;nbsp;The location, disposition or recovery of lost or stolen property;&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;(D) &amp;nbsp;The cause or responsibility for fires, libels, losses, accidents,&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, 
sans-serif; font-size: 13px;"&gt;damages or injuries to persons or to property; or&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;(E) &amp;nbsp;The securing of evidence to be used before any court, board,&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;commission, officer or investigating committee.&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;The Private Investigators Licensing and Regulatory Act &lt;b&gt;does not have an&lt;/b&gt;&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;&lt;b&gt;exclusion or exemption for computer forensic specialists, or digital&lt;/b&gt;&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;&lt;b&gt;forensic investigations. 
&lt;/b&gt;&amp;nbsp;The only exclusions available are specified&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;under TCA 62-26-223.&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;Thank you for contacting this office. &amp;nbsp;Please advise if additional&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;information is required.&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;Beth&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;Beth Smith Bell, Administrative Assistant&lt;/span&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;Private Investigation and Polygraph Commission&lt;/span&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; 
font-size: 13px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;If you are not a licensed private investigator, this doesn't look good. On the plus side, I am going to get my license and a&amp;nbsp;Ferrari.&amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-2735560302811466594?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/2735560302811466594/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/09/forensic-images-by-private.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/2735560302811466594'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/2735560302811466594'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/09/forensic-images-by-private.html' title='Forensic images by private investigators'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-2599282284652162518</id><published>2010-09-21T14:09:00.000-04:00</published><updated>2010-09-21T14:09:39.659-04:00</updated><title 
type='text'>Twitter gets JACKED</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://trollcats.com/wp-content/uploads/2009/09/noob_pwning_trollcat.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="213" src="http://trollcats.com/wp-content/uploads/2009/09/noob_pwning_trollcat.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Ed Skoudis gave a talk at Hack in the Box last year where he lamented how sad it was that SQL injection was still going on. I would like to add cross-site scripting to that lamentation today. I was logged into Twitter this morning and suddenly started seeing a similar "re-tweet." I jumped on the Google and saw several early write-ups saying Twitter was getting pwned. Here is the tweet I got:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;www.t.co/@"onmouseover="document.getElementById('status').value='RT MiguelTarga';$('.status-update-form').submit();"class="modal-overlay"/&lt;/blockquote&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: normal, 'Lucida Grande', sans-serif; font-size: 16px;"&gt;"onmouseover", you have got to be kidding me. The tweet is a bare URL followed by a double quote, which closed the href attribute of the anchor tag Twitter wrapped around the link; everything after it was parsed as additional attributes on that anchor, including the onmouseover handler, so the script ran without a click. I booted into a system I didn't care about and ran the cursor over the code; bang, I was retweeting. That's slick, no clicking involved. A successful stored XSS attack on a major site in 2010, awesome. 
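The following is an added example and is not code from this post or from Twitter. It models only the attribute list of the anchor tag a tweet renderer wraps around a URL: first built by plain string interpolation, the way the tweet above broke out of the href attribute, then with the user text encoded for the HTML attribute context. The payload is constructed to the same shape as the tweet above with a harmless placeholder in place of the retweet code, the attribute tokenizer is a deliberately small stand-in for the browser's, and all function and variable names are this example's own.

```python
import html
import re

# Constructed payload with the same shape as the tweet quoted above: a URL,
# a double quote that ends the href attribute early, then a new event-handler
# attribute. The handler body is a harmless placeholder, not the worm's code.
PAYLOAD = 'www.t.co/@"onmouseover="alert(1)"class="modal-overlay"/'

# Attribute names user input must never be able to introduce.
EVENT_HANDLER_PREFIX = "on"


def attrs_vulnerable(url):
    """Attribute list of the anchor built by plain string interpolation:
    the user text lands inside the quoted href value verbatim, so a double
    quote in it closes the attribute and whatever follows becomes new
    attributes on the same element."""
    return 'href="%s" target="_blank"' % url


def attrs_safe(url):
    """Same attribute list, with the user text encoded for the HTML
    attribute context. quote=True also encodes both quote characters, so
    the value cannot terminate the (double-quoted) attribute early."""
    return 'href="%s" target="_blank"' % html.escape(url, quote=True)


# name="value" pairs; an attribute value runs until the next double quote,
# which is how a browser tokenizes a double-quoted attribute.
ATTR_RE = re.compile(r'([A-Za-z_:][-\w:.]*)="([^"]*)"')


def parse_attrs(attr_text):
    """Tokenize an attribute list the way a browser would and return a dict
    of attribute name to decoded value. Entity references in values are
    decoded, which is why an encoded href round-trips to the original text."""
    return {name.lower(): html.unescape(value)
            for name, value in ATTR_RE.findall(attr_text)}


def injected_handlers(attr_text):
    """Event-handler attributes that reached the element: the list a code
    reviewer or a detection rule would flag. Empty for a safe rendering."""
    return sorted(name for name in parse_attrs(attr_text)
                  if name.startswith(EVENT_HANDLER_PREFIX))


if __name__ == "__main__":
    for label, render in (("vulnerable", attrs_vulnerable), ("safe", attrs_safe)):
        rendered = render(PAYLOAD)
        print(label + ":", rendered)
        print("  parsed attributes:", parse_attrs(rendered))
        print("  injected handlers:", injected_handlers(rendered))
```

Run it and compare the two parses: the vulnerable rendering yields four attributes with onmouseover among them, while the safe rendering yields only href and target, and its href decodes back to exactly what the user typed, where it is inert. Note that html.escape with quote=True only works because the attribute is double-quoted; an unquoted attribute ends at the next space, and a value dropped into a JavaScript handler or a URL scheme needs its own context-specific encoding on top of this.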
Here's a quick write-up on XSS if you don't know how it works:&amp;nbsp;&lt;/span&gt;&lt;a href="http://en.wikipedia.org/wiki/Cross-site_scripting"&gt;http://en.wikipedia.org/wiki/Cross-site_scripting&lt;/a&gt;&lt;br /&gt;&amp;nbsp;I switched over to m.twitter.com to watch the rest of the action since javascript isn't enabled on that site. The Twitter team responded quickly and cleared everything up within a reasonable amount of time. This should help prove that social media does not belong inside your network.&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-2599282284652162518?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/2599282284652162518/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/09/twitter-gets-jacked.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/2599282284652162518'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/2599282284652162518'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/09/twitter-gets-jacked.html' title='Twitter gets JACKED'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-2009493336677376100</id><published>2010-09-17T08:51:00.000-04:00</published><updated>2010-09-17T08:51:40.824-04:00</updated><title type='text'>Strange 
Job Offer Timing</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://www.blackbirdtees.com/blog/wp-content/uploads/2008/03/i-heart-job-offers-pic.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="320" src="http://www.blackbirdtees.com/blog/wp-content/uploads/2008/03/i-heart-job-offers-pic.jpg" width="256" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;To be clear I am not currently job searching, that I know of, and this is just an observation. Over the past two or three weeks I have gotten about 10 job-related phone calls. These seem to come and go and I often wonder why so many happen at one time from different companies and different "recruiters." Two of the phone messages I got were barely intelligible as the caller was not proficient with English. Two were to work for the Department of Energy and I told the recruiters no thank you. The last was to head to Wilmington Delaware, which I also declined. I realized I didn't know much about Wilmington so I read their web page:&amp;nbsp;&lt;a href="http://www.wilmingtonde.gov/"&gt;http://www.wilmingtonde.gov/&lt;/a&gt;&amp;nbsp;and also looked at the wikipedia entry:&amp;nbsp;&lt;a href="http://en.wikipedia.org/wiki/Wilmington,_Delaware"&gt;http://en.wikipedia.org/wiki/Wilmington,_Delaware&lt;/a&gt;&amp;nbsp;. 
The section on crime was a bit scary and the picture of the library was awesome.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-2009493336677376100?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/2009493336677376100/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/09/strange-job-offer-timing.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/2009493336677376100'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/2009493336677376100'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/09/strange-job-offer-timing.html' title='Strange Job Offer Timing'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-6369855908651269713</id><published>2010-09-14T12:08:00.000-04:00</published><updated>2010-09-14T12:08:22.483-04:00</updated><title type='text'>Insider Threats, Policies and more.</title><content type='html'>&lt;object height="385" width="480"&gt;&lt;param name="movie" value="http://www.youtube.com/v/_seMyoe1QuU?fs=1&amp;amp;hl=en_US"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/_seMyoe1QuU?fs=1&amp;amp;hl=en_US" 
type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480" height="385"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-6369855908651269713?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/6369855908651269713/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/09/insider-threats-policies-and-more.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/6369855908651269713'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/6369855908651269713'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/09/insider-threats-policies-and-more.html' title='Insider Threats, Policies and more.'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-4327233978307562461</id><published>2010-08-27T09:16:00.000-04:00</published><updated>2010-08-27T09:16:47.088-04:00</updated><title type='text'>USB HID Attacks</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://www.oreillynet.com/digitalmedia/blog/images/usb-evil.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="266" 
src="http://www.oreillynet.com/digitalmedia/blog/images/usb-evil.gif" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;So, all the hackers are running around saying "hardware is the new software." Better than that, they are proving it to be true. I saw a post this summer about the "Rubber Ducky" attack the folks over at &lt;a href="http://www.hak5.org/"&gt;HAK5&lt;/a&gt; are working on. If you aren't familiar with the rubber ducky stuff, &lt;a href="http://www.hak5.org/episodes/episode-709"&gt;check out episode 709&lt;/a&gt;. The potential for these attacks is amazing. Let's pause and think about HID.&lt;br /&gt;&lt;br /&gt;HID stands for Human Interface Device; this is a fancy way of saying PC input devices. For the purposes of this discussion we are specifically referring to keyboards and mice. These days when you plug in a USB mouse or keyboard, what happens? It works! No authentication, no authorization, maybe minimal auditing in some environments. So what if that device you plugged in wasn't a keyboard or mouse but was simply reporting itself as one of those? For the 1337 folks reading this, I get that you understand the potential; for the non-nerds who are reading, I just inserted a device that is&amp;nbsp;mimicking your keyboard. Now I am hearing the naysayers already: "We have autorun turned off." "We have least-user privileges." etc. Let me respond to that with: it doesn't matter. This is direct memory access; your user object is not relevant. Irongeek, Adrian Crenshaw, gave a great talk this year at Defcon. Check out &lt;a href="http://www.irongeek.com/"&gt;his website&lt;/a&gt;, and &lt;a href="http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle"&gt;this page&lt;/a&gt; specifically. He named his attack Programmable HID USB Keystroke Dongle: PHUKD. I apologize for the language but that name sums it up quite well. 
Here's an excerpt from Irongeek:&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse; font-family: Verdana;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;a href="" name="So,_why_would_a_pen-tester_want_one"&gt;So, why would a pen-tester want one?&lt;/a&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;br /&gt;&lt;blockquote&gt;1. Likely types faster than you can, without errors. This is important when physical access time to the target system is limited.&amp;nbsp;&lt;/blockquote&gt;&lt;blockquote&gt;2. Works even if U3 autorun is turned off.&amp;nbsp;&lt;/blockquote&gt;&lt;blockquote&gt;3. Draws less attention than sitting down in front of the terminal would. The person turns their head for a minute, the pen-tester plugs in their programmable USB key stroke dongle, and the box is popped as Dave Kennedy likes to say.&lt;/blockquote&gt;&lt;blockquote&gt;5. The HID can also be set to go off on a timer when you know a target will be logged in, or by sensor when certain conditions are met.&amp;nbsp;&lt;/blockquote&gt;&lt;blockquote&gt;6. You could embed a hub and a flash drive in your package so that you have storage and the programmable USB HID all in one nice neat package.&lt;/blockquote&gt;&lt;blockquote&gt;7. 
Embed your device in a USB toy or peripheral (lots of spare room in a printer or dancing USB penguin) and give it to your target as a 'gift'. Packaging that looks like a normal thumb drive is also an option.&lt;/blockquote&gt;&lt;blockquote&gt;8. After your Trojan USB device is in place, program it to "wake up", mount onboard storage, run a program that fakes an error to cover what it is doing (fake BSOD for example), do its thing, then stop (leaving the target to think "it's just one of those things").&lt;/blockquote&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Awesome dude! Now you are asking, "how do I defend against this?" There are some ways to stop unrecognized devices from being activated, but that only covers devices that weren't previously installed. Many of these offerings are also commercial tools that only work on Windows and are not cheap. Speaking of Windows, don't go thinking you are safe if you use some other operating system. This style of attack will work on any&amp;nbsp;platform&amp;nbsp;that recognizes USB HID. This means every modern operating system is a potential victim.&lt;br /&gt;&lt;br /&gt;I expect to see some defenses &lt;a href="http://www.hak5.org/forums/index.php?showtopic=16255"&gt;start popping up&lt;/a&gt; soon. Until then, you had better start deciding how to&amp;nbsp;defend&amp;nbsp;against this and keep in mind that telling your employees "Don't use USB devices on your work computer" doesn't actually prevent them from doing it. You need that policy in place, but you must have a technical control backing it up and enforcing it. You also can't just go enforcing without the policy, so make sure you have both of them ready to deploy at the same time. 
If you are in a Windows&amp;nbsp;environment&amp;nbsp;and you want some control, check these out:&lt;br /&gt;&lt;a href="http://www.checkpoint.com/products/datasecurity/protector/"&gt;Check Point Pointsec&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.lumension.com/device-control-software/usb-security-protection.aspx"&gt;Lumension Device Control&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-4327233978307562461?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/4327233978307562461/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/08/usb-hid-attacks.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/4327233978307562461'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/4327233978307562461'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/08/usb-hid-attacks.html' title='USB HID Attacks'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-3884739282170147467</id><published>2010-08-23T16:28:00.000-04:00</published><updated>2010-08-23T16:28:38.788-04:00</updated><title type='text'>New Operating System</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a 
href="http://2.bp.blogspot.com/_C4qpAYdiJdk/THLYYiRPzZI/AAAAAAAAACk/rIGi-t4F0lc/s1600/desktop.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="192" src="http://2.bp.blogspot.com/_C4qpAYdiJdk/THLYYiRPzZI/AAAAAAAAACk/rIGi-t4F0lc/s400/desktop.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;I am now running Backtrack 4 R1 and enjoying the improvements that have been made to the base functionality. I still don't think I would recommend it as a primary OS for just playing with a computer, but I do like having it readily available without using a VM or a separate partition. It still isn't easy to get OpenOffice.org or a screensaver working but it can be done. The underlying OS is Ubuntu 8.10 and it's running the 2.6.34 kernel. It definitely isn't as slick as Ubuntu 10.4 but it's not supposed to be. 
Once I get some other things working I will post some "how-to" videos for those of you who might want them.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-3884739282170147467?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/3884739282170147467/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/08/new-operating-system.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/3884739282170147467'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/3884739282170147467'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/08/new-operating-system.html' title='New Operating System'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_C4qpAYdiJdk/THLYYiRPzZI/AAAAAAAAACk/rIGi-t4F0lc/s72-c/desktop.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-6628648102167658013</id><published>2010-08-23T15:32:00.001-04:00</published><updated>2010-08-23T16:04:43.062-04:00</updated><title type='text'>"Why Vulnerability Research Matters"</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://compoundthinking.com/blog/wp-content/uploads/2007/06/istock_000002694919xsmall.jpg" 
imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="213" src="http://compoundthinking.com/blog/wp-content/uploads/2007/06/istock_000002694919xsmall.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Please read &lt;a href="http://threatpost.com/en_us/blogs/why-vulnerability-research-matters-082210"&gt;this article&lt;/a&gt;. I cannot believe, that's a lie, we are still having this discussion. Do people really think that if there was no sponsored or white hat vulnerability research that there would be no black hat hacking? Without getting too political this seems like gun control all over again.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-6628648102167658013?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/6628648102167658013/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/08/why-vulnerability-research-matters.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/6628648102167658013'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/6628648102167658013'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/08/why-vulnerability-research-matters.html' title='&quot;Why Vulnerability Research Matters&quot;'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-1575500052890763603</id><published>2010-08-16T09:45:00.001-04:00</published><updated>2010-08-23T16:04:08.651-04:00</updated><title type='text'>Smartphones and their cameras.</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://www.letsgomobile.org/images/reviews/0089/smartphone-camera.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="192" src="http://www.letsgomobile.org/images/reviews/0089/smartphone-camera.jpg" width="200" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;Isn't it handy to have that Palm/Blackberry/iPhone/Android or whatever device that allows you to automatically upload&amp;nbsp;pictures&amp;nbsp;to FaceBook, Twitter, or anywhere public? I think these devices are pretty awesome and definitely help keep us all connected. Did you also know that your device is probably telling everyone exactly where you took your pictures? These phones are using a metadata structure called Exchangeable image file format or Exif. If you want to get particularly nerdy, you can read &lt;a href="http://en.wikipedia.org/wiki/Exchangeable_image_file_format"&gt;this link&lt;/a&gt; to understand more about that format. For those of you who just want a non-technical&amp;nbsp;description, this is information about your image file that is stored "within" the picture file. Some of that information can be the location where the picture was taken. 
For example, here's a picture of my brother and me at my sister's wedding:&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/_C4qpAYdiJdk/TGk9SWzJPoI/AAAAAAAAACc/sWnUBfGqkcM/s1600/2010-02-20+18.43.58.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://2.bp.blogspot.com/_C4qpAYdiJdk/TGk9SWzJPoI/AAAAAAAAACc/sWnUBfGqkcM/s320/2010-02-20+18.43.58.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;This picture was taken with my Android-powered Nexus One. Examining the Exif data reveals the following:&lt;br /&gt;&lt;br /&gt;&amp;nbsp;[Make &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;] = "google"&lt;br /&gt;&amp;nbsp;[Model &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; ] = "Nexus One"&lt;br /&gt;&lt;br /&gt;&amp;nbsp;[GPSLatitudeRef &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;] = "N"&lt;br /&gt;&amp;nbsp;[GPSLatitude &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; ] = 39 deg 37' 0.000"&lt;br /&gt;&amp;nbsp;[GPSLongitudeRef &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; ] = "W"&lt;br /&gt;&amp;nbsp;[GPSLongitude &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;] = 106 deg 5' 0.000"&lt;br /&gt;&amp;nbsp;[GPSAltitudeRef &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;] = Above Sea Level&lt;br /&gt;&lt;div&gt;&lt;div&gt;&amp;nbsp;[GPSDateStamp &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;] = "2010:02:20"&lt;/div&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;This shows the 
type of device, location and date. To disable this "feature" check your phone's camera settings and if you don't see a setting there, you may have to disable GPS functionality completely when taking pictures. If you need more information, look up your device, write to the manufacturer, and/or &lt;a href="http://icanstalku.com/how.php#disable"&gt;read this&lt;/a&gt;.&amp;nbsp;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-1575500052890763603?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/1575500052890763603/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/08/smartphones-and-their-cameras.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/1575500052890763603'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/1575500052890763603'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/08/smartphones-and-their-cameras.html' title='Smartphones and their cameras.'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_C4qpAYdiJdk/TGk9SWzJPoI/AAAAAAAAACc/sWnUBfGqkcM/s72-c/2010-02-20+18.43.58.jpg' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-3523277767738497577</id><published>2010-08-11T14:37:00.000-04:00</published><updated>2010-08-11T14:37:06.195-04:00</updated><title type='text'>Cool Product Updates</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/_tNRAa-BYU7M/Ru7zpQTKSYI/AAAAAAAAADw/nz9gMP7T3zU/s1600/ninja_tux.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://4.bp.blogspot.com/_tNRAa-BYU7M/Ru7zpQTKSYI/AAAAAAAAADw/nz9gMP7T3zU/s320/ninja_tux.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;a href="http://investors.guidancesoftware.com/releasedetail.cfm?ReleaseID=498358"&gt;Guidance Software has partnered with Lofty Perch&lt;/a&gt; and released an updated version of EnCase designed to help folks in the critical infrastructure world. I am interested in checking this out since modifying the software is only part of the battle. The SCADA, PLC, and other embedded devices still have to track, audit and store the data&amp;nbsp;accurately&amp;nbsp;for the forensics to be worth anything.&lt;br /&gt;&lt;br /&gt;Metasploit and Rapid7 have been churning out massive functionality with &lt;a href="http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html"&gt;VxWorks exploits&lt;/a&gt;, &lt;a href="http://blog.metasploit.com/2010/06/meterpreter-for-pwned-home-pages.html"&gt;PHP meterpreter functionality&lt;/a&gt;, and many more. Metasploit is growing by leaps and bounds since the Rapid7 acquisition. I would love to get a hold of Nexpose and try some of&amp;nbsp;this&amp;nbsp;stuff out. 
If anyone has some experience with these software packages I would love to hear about it.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-3523277767738497577?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/3523277767738497577/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/08/cool-product-updates.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/3523277767738497577'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/3523277767738497577'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/08/cool-product-updates.html' title='Cool Product Updates'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_tNRAa-BYU7M/Ru7zpQTKSYI/AAAAAAAAADw/nz9gMP7T3zU/s72-c/ninja_tux.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-1105112144964381161</id><published>2010-07-29T08:33:00.000-04:00</published><updated>2010-07-29T08:33:33.422-04:00</updated><title type='text'></title><content type='html'>&lt;object width="480" height="385"&gt;&lt;param name="movie" value="http://www.youtube.com/v/vPi9Cv2G8Wo&amp;amp;hl=en_US&amp;amp;fs=1"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param 
name="allowscriptaccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/vPi9Cv2G8Wo&amp;amp;hl=en_US&amp;amp;fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480" height="385"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-1105112144964381161?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/1105112144964381161/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/07/blog-post_29.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/1105112144964381161'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/1105112144964381161'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/07/blog-post_29.html' title=''/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-6612393368558690821</id><published>2010-07-28T11:32:00.003-04:00</published><updated>2010-07-28T11:32:42.316-04:00</updated><title type='text'>Wikileaks and Cyber Security</title><content type='html'>&lt;object height="385" width="480"&gt;&lt;param name="movie" value="http://www.youtube.com/v/TdTYlVTSB9o&amp;amp;hl=en_US&amp;amp;fs=1"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param 
name="allowscriptaccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/TdTYlVTSB9o&amp;amp;hl=en_US&amp;amp;fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480" height="385"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-6612393368558690821?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/6612393368558690821/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/07/blog-post.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/6612393368558690821'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/6612393368558690821'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/07/blog-post.html' title='Wikileaks and Cyber Security'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-5164879771145129659</id><published>2010-07-26T14:50:00.000-04:00</published><updated>2010-07-26T14:50:06.539-04:00</updated><title type='text'>I'm back and catching up</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://blogs.sfweekly.com/thesnitch/Paperwork.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img 
border="0" height="320" src="http://blogs.sfweekly.com/thesnitch/Paperwork.gif" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;I had an interesting time in Detroit. I heard some great presentations, some interesting perspectives, and gave two very brief talks. The insider threat talk went well; I like watching the operational security guys nodding their heads in agreement. The managerial guys also nod their heads, but it's more of a "that would be nice if it didn't cost money" type of nodding. Regardless, I met some cool folks who definitely want the smart grid to be built securely. A&amp;nbsp;few&amp;nbsp;of them were vendors, which is always cool; I love it when a vendor looks past the bucks and purposes to do things the right way. The second, unrehearsed, talk was to start up a new task force within OpenSG for network security. The group I am currently part of has been re-writing several of the DHS Catalog of Control Systems Security recommendations in an attempt to make them more actionable. In some cases this involves combining controls; in others, controls are expanded. Either way, the group is coming up with some great verbiage that should definitely help folks in the future when they know "what" they are supposed to do and need the "how" to do it portion. Our new document should produce the "how", and the network security TF should be able to continue that work and pass it on as other groups continue to develop standards and requirements. 
This should provide a good foundation for the collaborative efforts that have been ongoing for quite some time and help to provide a common language and framework with respect to security. It's a privilege to be included in this effort, and I am getting to work with a number of exceptionally brilliant people who are teaching me a lot.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-5164879771145129659?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/5164879771145129659/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/07/im-back-and-catching-up.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/5164879771145129659'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/5164879771145129659'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/07/im-back-and-catching-up.html' title='I&apos;m back and catching up'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-6180983578216279392</id><published>2010-07-16T12:20:00.000-04:00</published><updated>2010-07-16T12:20:24.140-04:00</updated><title type='text'>For the InfoSec people fighting the good fight</title><content type='html'>For those of you out there who "get it", "know what matters" and are fighting for adequate funding, I humbly 
give you this Internet high five:&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/_C4qpAYdiJdk/TECGvBLTQWI/AAAAAAAAABw/sh40DI7qh8s/s1600/95+Internet+High-Five.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="370" src="http://2.bp.blogspot.com/_C4qpAYdiJdk/TECGvBLTQWI/AAAAAAAAABw/sh40DI7qh8s/s400/95+Internet+High-Five.jpg" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-6180983578216279392?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/6180983578216279392/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/07/for-infosec-people-fighting-good-fight.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/6180983578216279392'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/6180983578216279392'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/07/for-infosec-people-fighting-good-fight.html' title='For the InfoSec people fighting the good fight'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_C4qpAYdiJdk/TECGvBLTQWI/AAAAAAAAABw/sh40DI7qh8s/s72-c/95+Internet+High-Five.jpg' height='72' 
width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-8258668691097471524</id><published>2010-07-16T12:14:00.000-04:00</published><updated>2010-07-16T12:14:06.938-04:00</updated><title type='text'>Insider Threats</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://www.thetechherald.com/media/images/200831/HumanElement_3.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="213" src="http://www.thetechherald.com/media/images/200831/HumanElement_3.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;I am heading to&amp;nbsp;Detroit&amp;nbsp;next week and will be presenting on "Insider&amp;nbsp;Threats." There's a lot of cool research out there about this topic:&lt;br /&gt;&lt;a href="http://www.thetechherald.com/article.php/200831/1629/Analysis-of-Internal-Data-Theft"&gt;http://www.thetechherald.com/article.php/200831/1629/Analysis-of-Internal-Data-Theft&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.cylab.cmu.edu/research/chronicles/2008/cappelli.html"&gt;http://www.cylab.cmu.edu/research/chronicles/2008/cappelli.html&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.govinfosecurity.com/webinarsDetails.php?webinarID=67"&gt;http://www.govinfosecurity.com/webinarsDetails.php?webinarID=67&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;What's funny, or sad, is that with all of that research I still haven't seen a lot of movement to mitigate this issue. &amp;nbsp;I once submitted a memo to my management regarding a vulnerability I exploited internally and was told to ignore it. The vulnerability gave anyone with physical access to a Windows Vista or Windows 7 PC SYSTEM-level access in about 60 seconds. In fact my immediate supervisor made some&amp;nbsp;statement&amp;nbsp;about "...Windows sucks" and " we trust our users." 
I will demonstrate this vulnerability, and the associated exploit, during my talk.&lt;br /&gt;As I read through all of the talk on "Insider Threats" I see quite a focus on identifying the bad guy or girl. While I don't think that should ever be ignored, I feel there is an overemphasis here. Just prevent the data from being stolen or accidentally leaked. The truth is that we, yeah me included, have far too many privileges on our work computers and networks. We have all whined loud and long enough that people think we NEED Twitter to perform our jobs. I have even been asked as a web-proxy admin to give someone access to Second Life at work. My supervisor replied with "{name removed} is a good kid, give him what he needs." After an hour of explaining what Second Life was (my boss didn't even know), he half-heartedly decided against it. Don't get me wrong, there is a place for trusting employees and it isn't easy to draw the line, but always trusting all users to make the right&amp;nbsp;decision&amp;nbsp;{or never make a mistake} isn't how an infosec d00d should view the world. 
I think the best cure for that would be to let that person swap places with a helpdesk-type person for a day.&lt;br /&gt;Anyway, here's the exploit running on Vista prior to any authentication:&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/_C4qpAYdiJdk/TEB86EzX5pI/AAAAAAAAABg/GgVaRvhSbSQ/s1600/Vista.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://2.bp.blogspot.com/_C4qpAYdiJdk/TEB86EzX5pI/AAAAAAAAABg/GgVaRvhSbSQ/s320/Vista.png" /&gt;&lt;/a&gt;&lt;/div&gt;Here it is on Windows 7:&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/_C4qpAYdiJdk/TEB_xqIuN8I/AAAAAAAAABo/v048GWnvKo0/s1600/7.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://3.bp.blogspot.com/_C4qpAYdiJdk/TEB_xqIuN8I/AAAAAAAAABo/v048GWnvKo0/s320/7.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;I had already logged into this machine, but you get the idea. The way GIMP takes screenshots wasn't allowing me to take this shot the way I wanted, so I got 0ld Sk00l and took a pic. The real problem these days isn't your OS though, it's the human element. You can almost equate it with social engineering, but instead of trying to get your mark to provide you with access, credentials or what have you, you are trying to convince them to care about the dangers of losing data. For many years it was believed that gaining "root", "SYSTEM", or "Administrator" access was the key. This went away several years ago because data became the target. Unfortunately the defensive mindset hasn't yet shifted in some environments. 
I recently asked John Strand and Paul Asadoorian a question during their "&lt;a href="http://pauldotcom.com/wiki/index.php/Episode197"&gt;For the Last Time, The Internet is Evil&lt;/a&gt;" presentation. The question went like this:&lt;br /&gt;"d00ds, what is the key to getting the organizations and personnel who review penetration testing results to understand the dangers and take&amp;nbsp;action to implement the recommended changes?"&lt;br /&gt;John replied:&lt;br /&gt;"We have to create failure scenarios to show what happens if that one computer or one piece of data gets compromised."&lt;br /&gt;Paul chimed in with:&lt;br /&gt;"It will take a paradigm shift at the management level to understand these risks beyond the dollar signs."&lt;br /&gt;&lt;br /&gt;I love both of those answers. I do understand information security can't be a bottomless pit that you throw money into, but experience has&amp;nbsp;shown&amp;nbsp;me that few organizations adequately fund initiatives in that realm. As I have stated previously, a lot of places out there are committed to maintaining the status quo. To them I say "Thanks for keeping my job as a pen tester fun and exciting." My next entry will be on the FAIL mode auditing and certification are stuck in. 
As always, this is not the fault of the auditor but lies at the funding and upper-management level.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-8258668691097471524?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/8258668691097471524/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/07/insider-threats.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/8258668691097471524'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/8258668691097471524'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/07/insider-threats.html' title='Insider Threats'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_C4qpAYdiJdk/TEB86EzX5pI/AAAAAAAAABg/GgVaRvhSbSQ/s72-c/Vista.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-8719053836817244578</id><published>2010-07-14T09:33:00.000-04:00</published><updated>2010-07-14T09:33:02.781-04:00</updated><title type='text'>Nexus One Awesomeness</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://appadvice.com/appnn/wp-content/uploads/2009/02/iphone_pwn.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img 
border="0" height="173" src="http://appadvice.com/appnn/wp-content/uploads/2009/02/iphone_pwn.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Several months ago I purchased my Nexus One and started goofing with it and installing all manner of applications. Once I finished messing with things like wallpaper and ringtones I decided to go a step further. Last weekend I rooted the phone and installed Ubuntu. The phone now runs a full Ubuntu 9.10 install without the GUI. So far, I have installed NMAP, OpenVAS, and I am working on Metasploit. I also managed to get a packet sniffer installed, but I am quickly running out of space on my Sandisk 4GB MicroSd card. I am ordering a 16GB card and will then perform a reinstall and see what kind of platform I have available. The Android OS is truly amazing and powerful. I have also learned that the Broadcom chip is 802.11 b/g/n compatible and has FM RX and TX. Additionally, the camera is capable of shooting in 720p. I am still working on enabling the functionality in those last two sentences but I am pretty pumped about the phone's capability.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-8719053836817244578?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/8719053836817244578/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/07/nexus-one-awesomeness.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/8719053836817244578'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/8719053836817244578'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/07/nexus-one-awesomeness.html' 
title='Nexus One Awesomeness'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-5450576662235427231</id><published>2010-07-07T09:56:00.000-04:00</published><updated>2010-07-07T09:56:27.502-04:00</updated><title type='text'>Local Conference</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://www.etcss.org/wp-content/themes/atahualpa/images/logo2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="43" src="http://www.etcss.org/wp-content/themes/atahualpa/images/logo2.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;I don't yet know what the speakers will be presenting but there's a good lineup. I also really like the "..is the sky really falling?" theme they have going on. 
If you are wondering how "bad" the state of InfoSec is, here are some links to keep you up at night:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://inguardians.com/pubs/FriendlyTraitor.pdf"&gt;http://inguardians.com/pubs/FriendlyTraitor.pdf&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://travisgoodspeed.blogspot.com/2010/07/reversing-rf-clicker.html"&gt;http://travisgoodspeed.blogspot.com/2010/07/reversing-rf-clicker.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://inguardians.com/pubs/AMI_Attack_Methodology.pdf"&gt;http://inguardians.com/pubs/AMI_Attack_Methodology.pdf&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://inguardians.com/pubs/toorcon11-wright.pdf"&gt;http://inguardians.com/pubs/toorcon11-wright.pdf&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.willhackforsushi.com/"&gt;http://www.willhackforsushi.com/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Attacks are becoming very focused, with less of a "shotgun style", as technologies advance. The things Travis Goodspeed is doing with some of his hardware hacks reinforce the idea that security remains an afterthought in several areas. As long as security remains an afterthought, it will be difficult to provide reliable security. Fortunately, there are people dedicated to ongoing security research and the responsible disclosure of the vulnerabilities they find. 
If you haven't already, subscribe to some of the authors above, they are doing some amazing research that should open a few eyes.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-5450576662235427231?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/5450576662235427231/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/07/local-conference.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/5450576662235427231'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/5450576662235427231'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/07/local-conference.html' title='Local Conference'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-1301977866296771914</id><published>2010-06-26T09:01:00.002-04:00</published><updated>2010-06-26T09:06:25.664-04:00</updated><title type='text'>Know your smartphone</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_C4qpAYdiJdk/TCX6N1UxO1I/AAAAAAAAABY/x38gJMjJA8I/s1600/SP.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 29px;" 
src="http://4.bp.blogspot.com/_C4qpAYdiJdk/TCX6N1UxO1I/AAAAAAAAABY/x38gJMjJA8I/s320/SP.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5487066836580252498" /&gt;&lt;/a&gt;&lt;br /&gt;So many people are buying smartphones, I thought it might be wise to throw in a cautionary note about just how powerful these devices are. The smartphone of today is more powerful than the laptop of a few years ago. Along with the widespread adoption of these devices comes an increase in their risk profile. That is to say that the more popular something is, the better a target it becomes for those who have less than good intentions. There haven&amp;#39;t been any really nasty attacks seen in the wild yet. The devices are definitely prime targets, and you can be sure that the bad guys are working hard at trying to figure out how to leverage this technology in order to get at your information. &lt;a href="http://securitywatch.eweek.com/smartphone_security/researchers_show_off_smartphone_attacks.html" target="_blank"&gt;This article&lt;/a&gt; discusses some potential nastiness on the Android platform. Security vulnerabilities have been well advertised on the iPhone, which have, or should have, prevented their widespread adoption for corporate use. Currently the Blackberry remains the most &amp;quot;secure&amp;quot; platform for business use by employing active encryption of the contents at the expense of the &amp;quot;cool&amp;quot; factor that Android and iPhone show off. The iPhone 3GS offered encryption, but the operating system kernel automatically decrypted the contents of the phone when you extracted the data for analysis. Effectively, this means the iPhone is NOT compliant with the standard corporate policy requiring encryption at the device level; but &lt;a href="http://www.iphone-hacks.com/" target="_blank"&gt;don&amp;#39;t take my word for it&lt;/a&gt;. 
To be fair, &lt;a href="http://hackaday.com/category/android-hacks/" target="_blank"&gt;I don&amp;#39;t believe Android even makes the veiled attempt&lt;/a&gt; that Apple makes and makes &lt;a href="http://developer.android.com/sdk/index.html" target="_blank"&gt;their SDK freely available&lt;/a&gt; to the world. Device-level encryption for both of these platforms needs to be off-loaded to a third party to adequately secure your data.&lt;br /&gt;&lt;br /&gt;So, beyond your data NOT being secure, take a minute and think about how inter-woven this device is into your life. How much data, personal and professional, is on there? If I had complete access to your phone, what could I learn about you, your family, or your work? I don't know you, but I bet it's a lot ;-). This week, &lt;a href="http://android-developers.blogspot.com/2010/06/exercising-our-remote-application.html" target="_blank"&gt;Google removed two applications&lt;/a&gt; from all Android-based phones to protect their users. There is some debate on whether this is Google's business or not, but that's not an interesting argument to me. I will follow this up with a video that demonstrates application installation on the Android platform and how we should be aware of what we install and the access that application should or should not need to the different functionalities on your phone. As a good rule of thumb, try to remember that no one is as interested in protecting your data as you are. 
That means that if you're not interested, then no one is going to do that for you.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-1301977866296771914?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/1301977866296771914/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/06/know-your-smartphone.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/1301977866296771914'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/1301977866296771914'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/06/know-your-smartphone.html' title='Know your smartphone'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_C4qpAYdiJdk/TCX6N1UxO1I/AAAAAAAAABY/x38gJMjJA8I/s72-c/SP.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-3979298496787627515</id><published>2010-06-25T10:28:00.002-04:00</published><updated>2010-06-25T10:42:04.382-04:00</updated><title type='text'>Current Projects in Smart Grid Security</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_C4qpAYdiJdk/TCS9aZF_Y3I/AAAAAAAAABQ/RRTB-WXDE38/s1600/cyber-warrior.jpg"&gt;&lt;img 
style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 300px;" src="http://3.bp.blogspot.com/_C4qpAYdiJdk/TCS9aZF_Y3I/AAAAAAAAABQ/RRTB-WXDE38/s400/cyber-warrior.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5486718507154367346" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I have been immersed in smart grid projects and have been learning a lot about this industry. Here are a few of the many projects I have been fortunate enough to be a part of. &lt;br /&gt;&lt;br /&gt;I am currently a security engineer for the Smart Grid Engineering team at EnerNex. I am supporting cyber security and systems architecture for the Advanced Security Acceleration Project for the Smart Grid (ASAP-SG), Open Home Area Network (OpenHAN), and Smart Grid Networking (SG-Network) groups. I have been contributing to the UCAIug Home Area Network System Requirements Specification, SG Network System Requirements Specification, Distribution Management (DM) Security Profile, and other blueprint documents for the Smart Grid Security (SG Security) group. I also recently joined the Smart Grid Interoperability Panel (SGIP) as a member of the Cyber Security Working Group (CSWG), which is developing a comprehensive set of cyber security requirements for the smart grid. Mostly this means I listen to incredibly brilliant people prepare and engineer the smart grid while trying to learn as much as I can about how electric power works. Occasionally, I have some input based on past experiences concerning cyber security best practices or security architecture. 
It's truly an honor to be working on these projects with such a diverse group.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-3979298496787627515?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/3979298496787627515/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/06/current-projects-in-smart-grid-security.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/3979298496787627515'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/3979298496787627515'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/06/current-projects-in-smart-grid-security.html' title='Current Projects in Smart Grid Security'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_C4qpAYdiJdk/TCS9aZF_Y3I/AAAAAAAAABQ/RRTB-WXDE38/s72-c/cyber-warrior.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-5665473894466611006</id><published>2010-06-25T09:29:00.005-04:00</published><updated>2010-06-25T10:10:57.419-04:00</updated><title type='text'>Vulnerabilities</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="http://4.bp.blogspot.com/_C4qpAYdiJdk/TCS4Xen0OJI/AAAAAAAAABI/D-qSimp7Dvo/s1600/sup_bro.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 76px;" src="http://4.bp.blogspot.com/_C4qpAYdiJdk/TCS4Xen0OJI/AAAAAAAAABI/D-qSimp7Dvo/s400/sup_bro.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5486712959540672658" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;I have been listening to and watching some really good talks online about discovered vulnerabilities and new threat and attack vectors. While you must take hacker and pen tester claims with a grain of salt, there is something to be said for some of the tools and demonstrations I have seen over the past year. In particular, I am impressed with the social engineering efforts I have seen. I am really looking forward to trying out some of the tools I saw last week which really demonstrate what lack of user education and awareness can do when coupled with a little bit of technological ingenuity. These methods would likely have a 75% or higher success rate and, when successful, will completely compromise your target. Now I guess the question some will have is "How do I prevent it?" I love to hear that question; it's much more refreshing than hearing "that can't happen here" or "we're the best...", and yeah, I have heard people boldly state that.&lt;br /&gt;&lt;br /&gt;There's no new method of prevention; Information Security (or Cyber Security) is not difficult or overly complex. It consists of understanding current threat and attack vectors, knowing where your organization is deprecated or deficient, and mitigating or remediating those deficiencies. The problems pop up when you either hire the wrong people to defend your enterprise or you hire the right people and do not give them the funding and authority they need to accomplish their mission. 
Having worked in several different environments, I can say it's pretty rare that the absolute wrong folks are hired, but it definitely happens, and you might be surprised at the types of places that have that issue. More often, I have witnessed the lack of authority and funding for security. Now, we could go into what makes people "right" or "wrong" for these positions, but if you work in infosec and don't know what I mean when I say that, then I can't really help. It's kind of like being able to point out that one annoying relative every family has; if you can't identify who that is in your family, it's probably you. If it's you, no problem; there's plenty of training and reading that can bring you right into the loop if you want to be there. I recommend &lt;a href="http://www.sans.org/"&gt;SANS&lt;/a&gt; for training, and their &lt;a href="http://www.giac.org/"&gt;certification process&lt;/a&gt;. If you really want a deep dive from the community, you are doing yourself a disservice if you don't check out &lt;a href="https://www.defcon.org/"&gt;DefCon&lt;/a&gt; and &lt;a href="http://www.blackhat.com/"&gt;BlackHat&lt;/a&gt;. Other good cons include &lt;a href="http://www.shmoocon.org/"&gt;Shmoocon&lt;/a&gt; and &lt;a href="http://cansecwest.com/"&gt;CanSecWest&lt;/a&gt;. I am sure there are more, but these are what came to mind. If you know of some good cons that really educate folks, please post them. 
The more information we can get out there together, the better we can defend our infrastructures.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-5665473894466611006?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/5665473894466611006/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/06/vulnerabilities.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/5665473894466611006'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/5665473894466611006'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/06/vulnerabilities.html' title='Vulnerabilities'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_C4qpAYdiJdk/TCS4Xen0OJI/AAAAAAAAABI/D-qSimp7Dvo/s72-c/sup_bro.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-8306953382899073400</id><published>2010-06-25T09:03:00.003-04:00</published><updated>2010-06-25T09:04:12.904-04:00</updated><title type='text'>Awesome!</title><content type='html'>&lt;object width="440" height="185"&gt;&lt;param name="movie" value="http://www.youtube.com/v/WNZCS-coZjY&amp;hl=en_US&amp;fs=1&amp;"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param 
name="allowscriptaccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/WNZCS-coZjY&amp;hl=en_US&amp;fs=1&amp;" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="440" height="185"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-8306953382899073400?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/8306953382899073400/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/06/awesome.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/8306953382899073400'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/8306953382899073400'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/06/awesome.html' title='Awesome!'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-7806910668400059508</id><published>2010-06-23T17:58:00.002-04:00</published><updated>2010-06-23T18:04:15.964-04:00</updated><title type='text'>SANS Training coming up</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_C4qpAYdiJdk/S-gTesUnCYI/AAAAAAAAAA4/hqXgMkt5OB0/s1600/sans.jpeg"&gt;&lt;img style="display:block; margin:0px auto 10px; 
text-align:center;cursor:pointer; cursor:hand;width: 370px; height: 300px;" src="http://4.bp.blogspot.com/_C4qpAYdiJdk/S-gTesUnCYI/AAAAAAAAAA4/hqXgMkt5OB0/s1600/sans.jpeg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Check out &lt;a href="http://www.sans.org/mentor/details.php?nid=22013"&gt;this link&lt;/a&gt; to my upcoming SANS training here in Knoxville. Save some time and money and take a SANS mentor class locally.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-7806910668400059508?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/7806910668400059508/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/06/sans-training-coming-up.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/7806910668400059508'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/7806910668400059508'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/06/sans-training-coming-up.html' title='SANS Training coming up'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_C4qpAYdiJdk/S-gTesUnCYI/AAAAAAAAAA4/hqXgMkt5OB0/s72-c/sans.jpeg' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-8019442491857927350</id><published>2010-06-23T17:52:00.002-04:00</published><updated>2010-06-23T17:58:04.506-04:00</updated><title type='text'>Adobe is finally patched</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://blog.trendmicro.com/wp-content/uploads/2010/02/adobe_vulnerability-copy.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 237px; height: 309px;" src="http://blog.trendmicro.com/wp-content/uploads/2010/02/adobe_vulnerability-copy.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Last week Adobe released a patch for some vulnerabilities that have been plaguing the Internet since June of last year. Adobe's products make for great attack surfaces because they work on Windows, Linux, and Mac. The latest exploit was cross-platform, making the attack pretty scary: it allowed an attacker to take complete control of your system.&lt;br /&gt;&lt;br /&gt;In order to protect your computer, go to their website (http://www.adobe.com/) and download the Flash Player update. This update is for Adobe Flash and is considered a complete re-write of their Flash Player. The Flash Player vulnerability was quite serious and can be exploited through a web page or a PDF document. 
If you want to know more about the update/vulnerability, read this page.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-8019442491857927350?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/8019442491857927350/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/06/adobe-is-finally-patched.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/8019442491857927350'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/8019442491857927350'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/06/adobe-is-finally-patched.html' title='Adobe is finally patched'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-7380605244488272296</id><published>2010-06-16T11:36:00.002-04:00</published><updated>2010-06-16T11:54:40.042-04:00</updated><title type='text'>Laptop Backpack</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.spireusa.com/images/TQ7/TQ7-BLK-300.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 249px; height: 300px;" src="http://www.spireusa.com/images/TQ7/TQ7-BLK-300.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;About a month ago I began a 
search for a laptop bag for my 15.6" Dell laptop. I had no idea it would turn into a quest to find just the right features, and how rare some of these features are. Since I plan to be traveling, I wanted to make sure the pack was large enough to carry two laptops and an overnight change of clothes. Because I wanted a fairly large pack, it needed to have compression straps also. This eliminated the wildly popular and functional &lt;a href="http://www.wengerna.com/computer-backpacks"&gt;Wenger&lt;/a&gt; series that I had been eyeing. Although they had great capacity, and the ability to stand independently, they lacked a few other essentials. That was a big letdown because those are nice bags. I particularly liked the steel cable handle they put on the top. The other essential feature I wanted was the ability to attach a carabiner, d-ring, or &lt;a href="http://www.amazon.com/s/?ie=UTF8&amp;keywords=nite+ize&amp;tag=googhydr-20&amp;index=aps&amp;hvadid=4306688717&amp;ref=pd_sl_1chq97uci2_b"&gt;s-biner&lt;/a&gt;. I carry a rain shell instead of an umbrella and like to attach it to the outside of the bag. I considered a waist belt optional, but if it had a waist belt, it had to be more than a half-inch strip of fabric AND it had to be stowable. &lt;br /&gt;&lt;br /&gt;The ONLY bags I found that satisfy all of these criteria are the ones made by &lt;a href="http://www.spireusa.com/index.htm"&gt;Spire USA&lt;/a&gt;. Even the bags made by North Face, Mountain Hardware, and other "real" packs lacked several features. If they had the features, they didn't seem to be well oriented for IT-related use. The Spire Torq seems perfect for me. 
Initially, it was hard to transition from a messenger bag, but I have persevered.&lt;br /&gt;&lt;br /&gt;The stuff from Spire isn't cheap, but it's worth it.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-7380605244488272296?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/7380605244488272296/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/06/laptop-backpack.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/7380605244488272296'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/7380605244488272296'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/06/laptop-backpack.html' title='Laptop Backpack'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-4355771254658175582</id><published>2010-06-14T09:23:00.002-04:00</published><updated>2010-06-14T09:28:42.527-04:00</updated><title type='text'>Accessdata Merging with CT Summation</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.cagle.com/news/aol/aolgifs4/Crappy-merger.gif"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 417px; height: 264px;" 
src="http://www.cagle.com/news/aol/aolgifs4/Crappy-merger.gif" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I got this link in an e-mail today:&lt;br /&gt;&lt;a href="http://www.accessdata.com/downloads/media/AD_Summation_MERGER.pdf"&gt;http://www.accessdata.com/downloads/media/AD_Summation_MERGER.pdf&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I am a big fan of AccessData's Ultimate Toolkit, and other forensic software, but was shocked to see they were merging with someone else. I hope both companies do well, and I will begin researching CT Summation soon. My guess is that AccessData just wanted a bolt-on eDiscovery solution. If so, brilliant move.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-4355771254658175582?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/4355771254658175582/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/06/accessdata-merging-with-ct-summation.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/4355771254658175582'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/4355771254658175582'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/06/accessdata-merging-with-ct-summation.html' title='Accessdata Merging with CT Summation'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-1231820994070357183</id><published>2010-05-19T15:34:00.002-04:00</published><updated>2010-05-19T15:37:55.873-04:00</updated><title type='text'>Smart Grid: How we got here and where we might be headed</title><content type='html'>This is a great video on why a smarter grid is necessary and what some of the difficulties will be. Additionally, Mr. Gunther discusses many of the possible benefits and answers questions at the end.&lt;br /&gt;&lt;br /&gt;&lt;object width="480" height="385"&gt;&lt;param name="movie" value="http://www.youtube.com/v/zB4-mBQPd7k&amp;hl=en_US&amp;fs=1&amp;"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/zB4-mBQPd7k&amp;hl=en_US&amp;fs=1&amp;" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480" height="385"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-1231820994070357183?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/1231820994070357183/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/05/smart-grid-how-we-got-here-and-where-we.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/1231820994070357183'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/1231820994070357183'/><link rel='alternate' type='text/html' 
href='http://cyb3rs3c.blogspot.com/2010/05/smart-grid-how-we-got-here-and-where-we.html' title='Smart Grid: How we got here and where we might be headed'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-1042423385443940337</id><published>2010-05-18T13:21:00.002-04:00</published><updated>2010-05-18T13:25:11.661-04:00</updated><title type='text'>Smart Grid Security</title><content type='html'>Here are some great videos about what the Smart Grid (SG) is and where it is headed. I suggest subscribing to &lt;a href="http://smartgridsecurity.blogspot.com/"&gt;their blog&lt;/a&gt; if you are at all interested in this topic:&lt;br /&gt;&lt;object width="640" height="385"&gt;&lt;param name="movie" value="http://www.youtube.com/v/P11D9dsv_kg&amp;hl=en_US&amp;fs=1&amp;"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/P11D9dsv_kg&amp;hl=en_US&amp;fs=1&amp;" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="640" height="385"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;&lt;object width="640" height="385"&gt;&lt;param name="movie" value="http://www.youtube.com/v/66pG1cq28E0&amp;hl=en_US&amp;fs=1&amp;"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/66pG1cq28E0&amp;hl=en_US&amp;fs=1&amp;" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="640" 
height="385"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-1042423385443940337?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/1042423385443940337/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/05/smart-grid-security.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/1042423385443940337'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/1042423385443940337'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/05/smart-grid-security.html' title='Smart Grid Security'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-1692079801895681436</id><published>2010-05-10T10:06:00.002-04:00</published><updated>2010-05-10T10:13:15.256-04:00</updated><title type='text'>Network Penetration Testing and Ethical Hacking</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_C4qpAYdiJdk/S-gTesUnCYI/AAAAAAAAAA4/hqXgMkt5OB0/s1600/sans.jpeg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 259px;" src="http://4.bp.blogspot.com/_C4qpAYdiJdk/S-gTesUnCYI/AAAAAAAAAA4/hqXgMkt5OB0/s320/sans.jpeg" border="0" 
alt="" id="BLOGGER_PHOTO_ID_5469643165456075138" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I will be leading a SANS Mentor class for 10 weeks starting July 20, 2010. Please check out the information here:&lt;br /&gt;&lt;a href="http://www.sans.org/mentor/details.php?nid=22013"&gt;http://www.sans.org/mentor/details.php?nid=22013&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Excerpts:&lt;br /&gt;Find Security Flaws Before the Bad Guys Do&lt;br /&gt;Security vulnerabilities, such as weak configurations, unpatched systems, and botched architectures, continue to plague organizations. Enterprises need people who can find these flaws in a professional manner to help eradicate them from our infrastructures. Lots of people claim to have penetration testing, ethical hacking, and security assessment skills, but precious few can apply these skills in a methodical regimen of professional testing to help make an organization more secure. This class covers the ingredients for successful network penetration testing to help attendees improve their enterprise's security stance.&lt;br /&gt;&lt;br /&gt;Differentiators&lt;br /&gt;This SANS course differs from other penetration testing and ethical hacking courses in several important ways:&lt;br /&gt;We get deep into the tools arsenal with numerous hands-on exercises that show subtle, less-well-known, and undocumented features that are incredibly useful for professional penetration testers and ethical hackers.&lt;br /&gt;&lt;br /&gt;Who Should Attend&lt;br /&gt;Penetration testers&lt;br /&gt;Ethical hackers&lt;br /&gt;Auditors who need to build deeper technical skills&lt;br /&gt;Security personnel whose job involves assessing target networks and systems to find security vulnerabilities&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-1692079801895681436?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' 
type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/1692079801895681436/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/05/network-penetration-testing-and-ethical.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/1692079801895681436'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/1692079801895681436'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/05/network-penetration-testing-and-ethical.html' title='Network Penetration Testing and Ethical Hacking'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_C4qpAYdiJdk/S-gTesUnCYI/AAAAAAAAAA4/hqXgMkt5OB0/s72-c/sans.jpeg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-4965942721960408329</id><published>2010-04-10T08:57:00.002-04:00</published><updated>2010-04-10T08:59:59.905-04:00</updated><title type='text'>Job Offers</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://t1.gstatic.com/images?q=tbn:EJzVAq3trLTFxM:http://www.bizzia.com/files/2009/03/job-offer.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 125px; height: 89px;" src="http://t1.gstatic.com/images?q=tbn:EJzVAq3trLTFxM:http://www.bizzia.com/files/2009/03/job-offer.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I received two 
separate offers this past week thanks to the grace of God. We are praying about the decision and anxious to see where God is leading us. &lt;br /&gt;&lt;br /&gt;Interestingly enough, I have also had some fruitful conversations with several people regarding my last position and how it ended.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-4965942721960408329?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/4965942721960408329/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/04/job-offers.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/4965942721960408329'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/4965942721960408329'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/04/job-offers.html' title='Job Offers'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-7154434528633597289</id><published>2010-04-06T08:24:00.002-04:00</published><updated>2010-04-06T08:36:21.155-04:00</updated><title type='text'>Job Hunt</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.cartoonstock.com/newscartoons/cartoonists/jkn/lowres/jknn7l.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; 
text-align:center;cursor:pointer; cursor:hand;width: 333px; height: 400px;" src="http://www.cartoonstock.com/newscartoons/cartoonists/jkn/lowres/jknn7l.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I can totally sympathize with the guy in the cartoon. Aside from that, I have been interviewing for several different types of positions. Some are for penetration testing and consulting, which I feel is one of the most fun jobs in the world. Others are for "Security Architect" type positions, which give you an overall view of an infosec program and the different layers an organization has in place. Lastly, I have looked at a few security analyst positions where you do a little bit of everything for an organization. These are all critical roles and all opportunities for me to learn new things, especially about the individual organizations and how they do business. A few of the opportunities are contract-based positions which would allow me to start up my own vulnerability assessment, penetration testing, and compliance business. I can definitely say that all of these are quite intriguing and I am looking forward to the opportunity to continue learning and move forward. The toughest part is the moving, as we were hoping to stay in Knoxville. 
Thus far, here are the possible locations:&lt;br /&gt;California - contract&lt;br /&gt;Ohio - contract&lt;br /&gt;North California - perm&lt;br /&gt;Florida - perm&lt;br /&gt;DC - both&lt;br /&gt;Texas - perm&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-7154434528633597289?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/7154434528633597289/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/04/job-hunt.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/7154434528633597289'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/7154434528633597289'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/04/job-hunt.html' title='Job Hunt'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-8913071281770921893</id><published>2010-04-06T08:08:00.003-04:00</published><updated>2010-04-06T08:24:33.362-04:00</updated><title type='text'>Cyber Security Warfare</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://ntrg.cs.tcd.ie/undergrad/4ba2.02/infowar/logo.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 402px; height: 183px;" 
src="http://ntrg.cs.tcd.ie/undergrad/4ba2.02/infowar/logo.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Over the years I have had the opportunity to see many different cyber security or information security programs. It would seem that most folks in the field are now used to preparing for the type of information warfare that is either underway against their enterprise or that they see happening to others. As infosec programs adapt, evolve, and expand, I see a greater emphasis on good layered, or defense in depth, security. It's great to see programs that "get it" and their desire to move towards a proactive approach rather than the traditional "whack-a-mole". Special thanks to one of the dudes who interviewed me for the "whack-a-mole" phrase.&lt;br /&gt;&lt;br /&gt;As an infosec professional, it's very refreshing to see this shift in thought. Many times in the past I have seen or heard the many excuses that plague this field. So often budgets are not allocated for security, or the wrong personnel are placed in the wrong position to effect needed change. As information warfare continues to escalate, it's been comforting to see so many organizations that truly desire excellence in their programs from philosophy to implementation. I have also talked with several government entities or government contractors that are definitely ready to win the war against those people, groups, or nations that would want to use our data for harm against this great country. Better Internet neighborhoods are something I always wanted to see in the past but that I felt couldn't happen based on some of the issues I had run into over the past 7 years. 
I have hope now as I see these teams pushing towards their common goal.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-8913071281770921893?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/8913071281770921893/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/04/cyber-security-warfare.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/8913071281770921893'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/8913071281770921893'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/04/cyber-security-warfare.html' title='Cyber Security Warfare'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-6745379000482773513</id><published>2010-03-23T18:12:00.001-04:00</published><updated>2010-03-23T18:13:57.744-04:00</updated><title type='text'>These are a few of my favorite things</title><content type='html'>&lt;embed id=VideoPlayback src=http://video.google.com/googleplayer.swf?docid=5761565323428346502&amp;hl=en&amp;fs=true style=width:400px;height:326px allowFullScreen=true allowScriptAccess=always type=application/x-shockwave-flash&gt; &lt;/embed&gt;&lt;br /&gt;&lt;br /&gt;&lt;embed id=VideoPlayback 
src=http://video.google.com/googleplayer.swf?docid=-7087074583057171345&amp;hl=en&amp;fs=true style=width:400px;height:326px allowFullScreen=true allowScriptAccess=always type=application/x-shockwave-flash&gt; &lt;/embed&gt;&lt;br /&gt;&lt;br /&gt;&lt;embed id=VideoPlayback src=http://video.google.com/googleplayer.swf?docid=5616484075531579366&amp;hl=en&amp;fs=true style=width:400px;height:326px allowFullScreen=true allowScriptAccess=always type=application/x-shockwave-flash&gt; &lt;/embed&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-6745379000482773513?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/6745379000482773513/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/03/these-are-few-of-my-favorite-things.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/6745379000482773513'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/6745379000482773513'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/03/these-are-few-of-my-favorite-things.html' title='These are a few of my favorite things'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-6182917112030459325</id><published>2010-03-23T17:24:00.002-04:00</published><updated>2010-03-23T17:34:53.483-04:00</updated><title 
type='text'>Who are you online?</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.sbi-secureit.com/Network-security-solution/network-security-auditing-solution-pic/cyber-threats-network-security.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 392px; height: 480px;" src="http://www.sbi-secureit.com/Network-security-solution/network-security-auditing-solution-pic/cyber-threats-network-security.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I decided to see "who I was."&lt;br /&gt;&lt;a href="http://www.wbir.com/news/local/story.aspx?storyid=42351"&gt;Little spot I did on the news&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.linkedin.com/in/mcgruff"&gt;Linked In Profile&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.blogger.com/profile/03745684330633068990"&gt;http://www.blogger.com/profile/03745684330633068990&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.plaxo.com/directory/profile/64427106314/a7fcdb27/Slade/Griffin"&gt;&lt;br /&gt;Social Networking stuff&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://portal.acm.org/toc.cfm?id=1456625&amp;idx=SERIES11252&amp;type=proceeding&amp;coll=GUIDE&amp;dl=GUIDE&amp;part=series&amp;WantType=Proceedings&amp;title=InfoSecCD&amp;CFID=81363554&amp;CFTOKEN=28186527"&gt;Whitepapers I co-authored&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.iawire.org/"&gt;Some article about one of the whitepapers&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.giac.org/certified_professionals/listing/gpen_100_3513.php"&gt;&lt;br /&gt;One of my certifications&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I am sure there is more out there, but I got bored looking.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-6182917112030459325?l=cyb3rs3c.blogspot.com' alt='' 
/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/6182917112030459325/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/03/who-are-you-online.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/6182917112030459325'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/6182917112030459325'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/03/who-are-you-online.html' title='Who are you online?'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-3619614892807595373</id><published>2010-03-05T07:33:00.002-05:00</published><updated>2010-03-05T07:43:18.103-05:00</updated><title type='text'>Job Search</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.pnl.gov/breakthroughs/issues/2005-issues/fall/images/cyber_security.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 350px; height: 350px;" src="http://www.pnl.gov/breakthroughs/issues/2005-issues/fall/images/cyber_security.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;My job hunt has been going quite well with five opportunities being actively researched right now. 
The current titles I am researching/interviewing for are researcher, assessor, project consultant, Information Security Architect, and cyber security analyst. God is really taking care of us right now and I am very grateful for that. The project consultant position would be 3-6 months and may actually let me get my own business up and running. We are praying about this daily and just want to see where the Lord leads us during this search.&lt;br /&gt;&lt;br /&gt;The potential for the consultant position also has me wanting to get a website up and running if anyone can assist with that. If your organization is in need of information security analysis, testing, architecture, and remediation please get in touch with me.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-3619614892807595373?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/3619614892807595373/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/03/job-search.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/3619614892807595373'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/3619614892807595373'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/03/job-search.html' title='Job Search'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-4972016033576698712</id><published>2010-02-15T17:28:00.004-05:00</published><updated>2010-02-15T17:41:26.677-05:00</updated><title type='text'>Information Security today</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.westga.edu/assetsDept/compofficer.JPG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 425px; height: 282px;" src="http://www.westga.edu/assetsDept/compofficer.JPG" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;While I am job hunting, I thought I would jump on and see if any of my readers are in need of an information security/assurance professional. Sadly it appears most organizations are well behind the curve when it comes to protecting their data. I wonder how many CEO and CFO guys are wondering if their company's data is secure or just wondering what all of us geeks are telling them every day. In these days of risk and compliance initiatives, several industries need to hire someone full time just to manage their information security program. If you are an organization, or individual, that needs someone to scope your program and make sure all of your bases are covered just &lt;a href="mailto:slade.griffin@gmail.com"&gt;let me know&lt;/a&gt;. 
I would be happy to come in and see whether or not I can offer anything for you or your organization.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-4972016033576698712?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/4972016033576698712/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/02/information-security-today.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/4972016033576698712'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/4972016033576698712'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2010/02/information-security-today.html' title='Information Security today'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-4842467757017221722</id><published>2009-09-14T07:46:00.002-04:00</published><updated>2009-09-14T07:50:44.737-04:00</updated><title type='text'>How to Manage IT Geeks</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.chesnok.com/daily/wp-content/uploads/2008/07/user-groups-project-mgmt.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 423px; height: 188px;" 
src="http://www.chesnok.com/daily/wp-content/uploads/2008/07/user-groups-project-mgmt.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Read &lt;a href="http://www.computerworld.com/s/article/9137708/Opinion_The_unspoken_truth_about_managing_geeks"&gt;this article&lt;/a&gt;. Too true!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-4842467757017221722?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/4842467757017221722/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2009/09/how-to-manage-it-geeks.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/4842467757017221722'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/4842467757017221722'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2009/09/how-to-manage-it-geeks.html' title='How to Manage IT Geeks'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-5704487212886732607</id><published>2009-08-19T08:59:00.003-04:00</published><updated>2009-08-19T12:39:23.889-04:00</updated><title type='text'>"C-Level " Professionals Jumping Ship</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="http://www.knowledgeinfusion.com/coe/servlet/JiveServlet/showImage/38-2116-1686/I_Quit_Male.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 400px;" src="http://www.knowledgeinfusion.com/coe/servlet/JiveServlet/showImage/38-2116-1686/I_Quit_Male.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Well, I wouldn't say they're actually jumping ship but people are leaving at quite a frenetic pace right now. &lt;a href="http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=219100611"&gt;This is what happens&lt;/a&gt; when you hire people that are passionate about what they do for a living yet do not have the authority needed to get the job done. Sadly, this is all too common in information technology as a whole and especially within information security. Too often I think you get unqualified people who mismanage money because they lack the subject matter expertise to properly spend it. It is a given at the executive level that your technical skill is probably not on par with those who work for you, so listening and discerning becomes the critical skill when seeking funding. Being able to justify the funding requests is also a massive hurdle and this is often when we find out that an accountant is actually in charge of everyone.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://taosecurity.blogspot.com/2009/06/black-hat-budgeting.html"&gt;This post from Richard Bejtlich's blog&lt;/a&gt; does a good job of explaining both the need for money and what you can do with it once you have it. So, what's the point here? The point is that you must find talented people to run your program and empower them, fund that program, and have a vision of what that program should look like. There must be a reasonable balance between security and convenience and you must always "sharpen the saw." 
Trying to have an infosec program without all of those elements is like trying to have fire without heat, fuel and oxygen.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-5704487212886732607?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/5704487212886732607/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2009/08/c-level-professionals-jumping-ship.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/5704487212886732607'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/5704487212886732607'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2009/08/c-level-professionals-jumping-ship.html' title='&quot;C-Level &quot; Professionals Jumping Ship'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-7894302998708154075</id><published>2009-07-15T11:02:00.002-04:00</published><updated>2009-07-15T11:11:46.998-04:00</updated><title type='text'>Johnny needs help</title><content type='html'>If you don't follow Johnny Long on Twitter, (&lt;a href="http://twitter.com/ihackstuff"&gt;http://twitter.com/ihackstuff&lt;/a&gt;) or via his webpage, (&lt;a href="http://johnny.ihackstuff.com/"&gt;http://johnny.ihackstuff.com/&lt;/a&gt;) I would encourage you to check him out. 
He's a great contributor to the Cyber Security field and also runs a neat organization. &lt;a href="http://www.hackersforcharity.org/"&gt;Hackers for Charity&lt;/a&gt; (HFC) is an organization that, I think, does some good in the world. You can read about them here:&lt;br /&gt;&lt;a href="http://johnny.ihackstuff.com/hackers-for-charity/about-us/"&gt;http://johnny.ihackstuff.com/hackers-for-charity/about-us/&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-7894302998708154075?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/7894302998708154075/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2009/07/johnny-needs-help.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/7894302998708154075'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/7894302998708154075'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2009/07/johnny-needs-help.html' title='Johnny needs help'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-2288476642176490953</id><published>2009-06-30T16:05:00.000-04:00</published><updated>2009-06-30T16:07:26.393-04:00</updated><title type='text'>Federal IT Spending</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="http://3.bp.blogspot.com/_Vgf_31hpcGw/R0_FCg83oJI/AAAAAAAAAD8/LTtQBUsSOS0/s1600-R/federal%2Bdeficit%2Bcartoon-large.gif"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 640px; height: 480px;" src="http://3.bp.blogspot.com/_Vgf_31hpcGw/R0_FCg83oJI/AAAAAAAAAD8/LTtQBUsSOS0/s1600-R/federal%2Bdeficit%2Bcartoon-large.gif" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Interesting graph.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://it.usaspending.gov/"&gt;http://it.usaspending.gov/&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-2288476642176490953?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/2288476642176490953/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2009/06/federal-it-spending.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/2288476642176490953'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/2288476642176490953'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2009/06/federal-it-spending.html' title='Federal IT Spending'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_Vgf_31hpcGw/R0_FCg83oJI/AAAAAAAAAD8/LTtQBUsSOS0/s72-Rc/federal%2Bdeficit%2Bcartoon-large.gif' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-2485764634668578084</id><published>2009-06-28T07:50:00.002-04:00</published><updated>2009-06-28T07:53:25.110-04:00</updated><title type='text'>How to Suck at Information Security</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://blog.interlinked.org/static/images/pleaseleoparddontsuck.gif"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 415px; height: 370px;" src="http://blog.interlinked.org/static/images/pleaseleoparddontsuck.gif" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;This is one of the funniest things I have ever read:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://isc.sans.org/diary.html?storyid=5644"&gt;http://isc.sans.org/diary.html?storyid=5644&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-2485764634668578084?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/2485764634668578084/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2009/06/how-to-suck-at-information-security.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/2485764634668578084'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/2485764634668578084'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2009/06/how-to-suck-at-information-security.html' title='How to Suck at Information Security'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-5939560626456039813</id><published>2009-06-27T08:51:00.002-04:00</published><updated>2009-06-27T09:03:28.653-04:00</updated><title type='text'>Cool Vendors</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://www.sans.org/vendor/images/021023b_037.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 460px; height: 295px;" src="https://www.sans.org/vendor/images/021023b_037.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;At three of the four places I have traveled to over the past month, I have had the opportunity to meet a lot of vendors. As usual, there were a lot of new technologies and some really neat products to see out there. Unfortunately, you can never buy them all and the best thing for this year might not be the best in the long run for your organization. 
Some of the vendors I met that seem to be thinking long term for their product space and developing some great stuff are as follows:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.tippingpoint.com/"&gt;Tipping Point&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.juniper.net/us/en/"&gt;Juniper&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.sunbeltsoftware.com/"&gt;Sunbelt Software&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.cenzic.com/"&gt;Cenzic&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.arcsight.com/"&gt;ArcSight&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.tenablesecurity.com/solutions/"&gt;Tenable&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.mcafee.com/us/"&gt;McAfee&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Some of these folks have really been putting some dollars into research and development as they try to keep up with the ever-changing threat landscape. A few of them are branching out of their "comfort zone" and attempting to be much more comprehensive solutions. There is really some impressive technology on the horizon and on the shelf now. 
Thanks to these vendors, and the ones I am sure I forgot, as they try to help us provide a good layered model for the different environments we try to protect.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-5939560626456039813?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/5939560626456039813/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2009/06/cool-vendors.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/5939560626456039813'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/5939560626456039813'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2009/06/cool-vendors.html' title='Cool Vendors'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-3272223805966958340</id><published>2009-06-27T08:40:00.002-04:00</published><updated>2009-06-27T08:51:26.471-04:00</updated><title type='text'>Finally Back</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://sircolby.com/wp-content/uploads/2007/12/new-contraption.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 396px; height: 400px;" src="http://sircolby.com/wp-content/uploads/2007/12/new-contraption.jpg" 
border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I finally made it back and have had quite an interesting week. The person I report to at work has decided to move on and I wish him well. I'm looking forward to seeing who will take the position and what their vision for us might be. &lt;br /&gt;&lt;br /&gt;I was also able to get quite a bit of movement on one of my projects which will greatly help our current security posture. I had expected the project to not move quite so smoothly, as budgeting for the project has come and gone more than once. It also looks like the current money will allow a second, much needed, project to come to fruition.&lt;br /&gt;&lt;br /&gt;I've also noticed that some folks have started reading this blog. I wondered how long it would take to ramp up. I thought the awesome picture would have made it go a little faster.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-3272223805966958340?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/3272223805966958340/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2009/06/finally-back.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/3272223805966958340'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/3272223805966958340'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2009/06/finally-back.html' title='Finally Back'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-8115456554380648950</id><published>2009-06-20T08:29:00.003-04:00</published><updated>2009-06-20T08:38:53.037-04:00</updated><title type='text'>Where's Waldo</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://sharkrobot.com/store/images/shirt_ninjabot_redteam.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 400px;" src="http://sharkrobot.com/store/images/shirt_ninjabot_redteam.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I have been enjoying my week at SANSFire in Baltimore taking the &lt;a href="http://www.sans.org/training/description.php?mid=937"&gt;Network Penetration Testing and Ethical Hacking&lt;/a&gt; class. I haven't been pen testing for quite a few months and was shocked at how quickly I had forgotten basic skills that used to be second nature. Fortunately my instructor, John Strand, is a great teacher and the course materials are written simply enough for even me. &lt;br /&gt;&lt;br /&gt;During the past month I have gotten to meet several interesting groups of people that do some great things. More than one of those groups has extended an offer to let me join them and that is always extremely tempting. Currently, I have decided to stay where I am to try and make the program better. I really like where I work and think the place has loads of potential if we can just crawl out of 1999. We have some hurdles to overcome but I'm confident we can get where we need to be. 
Four weeks ago I spent six days in Henderson Nevada, last week was in Albuquerque New Mexico, and this week is Baltimore Maryland.&lt;br /&gt;&lt;br /&gt;I believe this confidence comes from overcoming the very awesome mullet pictured on this blog.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-8115456554380648950?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/8115456554380648950/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2009/06/wheres-waldo.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/8115456554380648950'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/8115456554380648950'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2009/06/wheres-waldo.html' title='Where&apos;s Waldo'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-6417477794717655590</id><published>2009-06-16T08:42:00.002-04:00</published><updated>2009-06-16T08:45:46.447-04:00</updated><title type='text'>IT Security Spending</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.jasonkolb.com/photos/uncategorized/2008/01/26/locked_up_dollar.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; 
cursor:hand;width: 425px; height: 282px;" src="http://www.jasonkolb.com/photos/uncategorized/2008/01/26/locked_up_dollar.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;I recently asked Richard Bejtlich why people with money haven't grasped the "Information Warrior" mentality. Much to my surprise he replied on his blog. Thanks Richard!&lt;br /&gt;&lt;br /&gt;&lt;a href="http://taosecurity.blogspot.com/2009/06/how-much-to-spend-on-digital-security.html"&gt;http://taosecurity.blogspot.com/2009/06/how-much-to-spend-on-digital-security.html&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-6417477794717655590?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/6417477794717655590/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2009/06/it-security-spending.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/6417477794717655590'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/6417477794717655590'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2009/06/it-security-spending.html' title='IT Security Spending'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-1408869481647248943</id><published>2009-06-12T08:02:00.001-04:00</published><updated>2009-06-12T08:03:32.506-04:00</updated><title type='text'>You Were Pwned</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_C4qpAYdiJdk/SjJEBVEFFfI/AAAAAAAAAAw/XQ8JmE1vBHU/s1600-h/mocidcpng.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 24px;" src="http://3.bp.blogspot.com/_C4qpAYdiJdk/SjJEBVEFFfI/AAAAAAAAAAw/XQ8JmE1vBHU/s320/mocidcpng.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5346410497267013106" /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-1408869481647248943?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/1408869481647248943/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2009/06/you-were-pwned.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/1408869481647248943'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/1408869481647248943'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2009/06/you-were-pwned.html' title='You Were Pwned'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_C4qpAYdiJdk/SjJEBVEFFfI/AAAAAAAAAAw/XQ8JmE1vBHU/s72-c/mocidcpng.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-9098482680320968070</id><published>2009-06-12T07:29:00.003-04:00</published><updated>2009-06-12T07:52:16.904-04:00</updated><title type='text'>Red vs. Blue</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://upload.wikimedia.org/wikipedia/commons/thumb/1/18/Tracer_fire_at_MCB_Camp_Pendleton_DM-ST-89-00210.jpg/380px-Tracer_fire_at_MCB_Camp_Pendleton_DM-ST-89-00210.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 380px; height: 253px;" src="http://upload.wikimedia.org/wikipedia/commons/thumb/1/18/Tracer_fire_at_MCB_Camp_Pendleton_DM-ST-89-00210.jpg/380px-Tracer_fire_at_MCB_Camp_Pendleton_DM-ST-89-00210.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I just returned from a collaborative incident response exercise hosted by one of my sister sites. The threat landscape for cyber has not evolved, it has become a completely different animal. Host, or disk-based, forensics are no longer adequate and if you lack the ability to bit shift through a live memory image you are never going to see the newer more sophisticated attacks. This past week, I watched secure gmail get read on the wire, machines that appeared perfectly normal "phone home" to a remote location, and things which can't be mentioned here. Windows, Mac, and Linux pwned with ease by quite an elite group of nerds that were writing their exploits on the fly and plugging them into Metasploit for ease of execution. What did I do? 
I was the "blue cell" or defending team and acted as incident coordinator as the "red cell" was given 8 hours to attack us. During the initial 8 hours blue was only allowed to defend at layer 2 and our firewalls were set at "IP Any Any", and we scrambled to secure Windows, Linux, SCADA, Mac, and I think maybe a raccoon was even in there. The best part, when the "firing" began the blue cells didn't even know what was on their network or how it was architected.&lt;br /&gt;&lt;br /&gt;If you would like to try this sometime, I would suggest you get a hold of &lt;a href="http://www.whitewolfsecurity.com/"&gt;Whitewolf Security&lt;/a&gt;. They set up the "range" and acted as exercise control (EC). As the blue cells noticed that we were set up to get pwned, some complaints began to get voiced. Fortunately, my hand didn't go up first and our EC leader made one comment about fairness: "STFU." You may wonder why the blue cells were not actually allowed to defend from a traditional perspective. The short answer is that we have decided to "train like we fight." The computer you respond to is normally already jacked so you have to be in incident response mode when you get there. 
This exercise gave a very real perspective on what that feels like.&lt;br /&gt;&lt;br /&gt;Awesome Sauce!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-9098482680320968070?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/9098482680320968070/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2009/06/red-vs-blue.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/9098482680320968070'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/9098482680320968070'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2009/06/red-vs-blue.html' title='Red vs. Blue'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-7622358656533185838</id><published>2009-06-10T00:59:00.001-04:00</published><updated>2009-06-10T01:01:20.151-04:00</updated><title type='text'>funny website</title><content type='html'>I met a guy who makes up funny crap like this:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.moanmyweather.com/"&gt;http://www.moanmyweather.com/&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-7622358656533185838?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' 
type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/7622358656533185838/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2009/06/funny-website.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/7622358656533185838'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/7622358656533185838'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2009/06/funny-website.html' title='funny website'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-1945904892895885165</id><published>2009-06-05T08:30:00.003-04:00</published><updated>2009-06-05T08:46:25.877-04:00</updated><title type='text'>Information Security and Budgets</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://wkjessee.com/blog/wp-content/uploads/2009/03/dilbert_data_security1.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 375px; height: 321px;" src="http://wkjessee.com/blog/wp-content/uploads/2009/03/dilbert_data_security1.jpg" border="0" alt="" /&gt;&lt;/a&gt;I guess the question is "Can I have a good infosec program without spending a lot of money?" Well, "a lot" is a fairly relative term. I can say that cyber/information security programs are largely under funded pervasively in the industries that I have observed. 
Very few organizations, including federal, local, and state governments, invest enough funds to defend their data. People with money to lose like banks, hospitals and businesses do a better job, but even then maybe two of my customers over the past several years really put some cash into their defenses.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The quick answer is that you will get what you pay for. If you are a smaller organization, less than 500 nodes to defend, you might be able to defend yourself with one ninja and some open-source tools like Bro IDS, Snort, IPtables and the like. Once you grow beyond this, most of these require more interaction than you can afford personnel-wise, as you would have to dedicate an employee to IDS and one to firewall, etc. Investing in a commercial solution at this point will often provide more cost savings after the initial purchase, as it allows your security analysts to multitask. I have often heard the "numbers" articulated as IT being 20% of your overall budget, and IT Security being anywhere between 10 - 20% of that number. Once they are funded, where they sit in your organization's structure also becomes crucial. Hit me up for an org chart if you want one and I will customize it based on your organization's size, mission, and perceived needs. This is also better for your employees since they will not get bored with a single facet of security analysis and will tend to remain sharper over the long term. The question you get once you have great analysts is "How do I keep these well-rounded, sharp security analysts?" That will be somewhat unique to each individual, but the easy answer is "listen to what they say." 
They will often let you know what they need to do their job, and most people work in the field because they enjoy it.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-1945904892895885165?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/1945904892895885165/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2009/06/information-security-and-budgets.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/1945904892895885165'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/1945904892895885165'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2009/06/information-security-and-budgets.html' title='Information Security and Budgets'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-7184002650824614042</id><published>2009-06-05T08:11:00.003-04:00</published><updated>2009-06-05T08:30:02.387-04:00</updated><title type='text'>Windows-Based Scanners</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.softwaremag.com/images/2003-November/2003-11-figure3.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 385px; height: 329px;" 
src="http://www.softwaremag.com/images/2003-November/2003-11-figure3.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;div&gt;For years there was only the ISS Internet Scanner, and it was truly a best of breed product. About three or four years ago, the ISS engine got so bloated that scanning a single /24 network could take hours. Tenable had a Nessus scanner for the Win platform but it also seemed fairly clunky, and GFI Languard had a product but it wasn't really a competitor. The new Nessus Security Center is a really comprehensive tool for all platforms, but the back end is still *nix. The question might be, why do I need a Windows-based scanner and how come the win scanners don't work as well? I like to use Win-dee-oze and Linux for vulnerability scanning because the way they handle TCP is different. I personally think one of these platforms handles it much better, but I will leave that up to the reader. Nonetheless there is some merit in testing a platform from the same operating system for efficiency and effectiveness.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Currently, I am evaluating the latest Nessus against the Foundstone Scanner pictured above. McAfee is making some great strides in the security field having branched out from the anti-virus world a few years back. The Foundstone scanner has an efficient engine, and an intuitive interface. As always, results will be compared against the various scanners I have available in order to see who is the most comprehensive. 
&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Stay tuned for some IPS comparisons in the near future between Tipping Point, McAfee, Cisco, and Juniper.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-7184002650824614042?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/7184002650824614042/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2009/06/windows-based-scanners.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/7184002650824614042'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/7184002650824614042'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2009/06/windows-based-scanners.html' title='Windows-Based Scanners'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-5393477664651566098</id><published>2009-06-01T22:00:00.003-04:00</published><updated>2009-06-01T22:02:56.746-04:00</updated><title type='text'>WebProxy and Intrusion Prevention Products</title><content type='html'>&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: 'Times New Roman'; "&gt;&lt;div style="border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; 
margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; width: auto; font: normal normal normal 100%/normal Georgia, serif; text-align: left; "&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.securesynergy.com/ips/images/integrated-ips-deployment.gif"&gt;&lt;img src="http://www.securesynergy.com/ips/images/integrated-ips-deployment.gif" border="0" alt="" style="display: block; margin-top: 0px; margin-right: auto; margin-bottom: 10px; margin-left: auto; text-align: center; cursor: pointer; width: 400px; height: 295px; " /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Many intrusion prevention products are currently claiming they can sustain speeds of 10Gbps while still fully inspecting the data that flows through them. Upon closer inspection I am learning that several of these devices don't actually come close to that without either significant "tuning down" of the data they inspect, or the augmentation and load balancing with a second device. All of the sales personnel continue to claim 10Gbps and the infamous "best of breed." Thus far I have evaluated the presentation from Juniper and Tipping Point. Shortly, I will have either McAfee or Cisco come in to give their pitch as well. &lt;br /&gt;&lt;br /&gt;The best part is that I am doing all of this while simultaneously evaluating Web Proxy or Secure Internet Gateway appliances. I currently have a McAfee WebWasher appliance installed and am enjoying testing it. 
It will be gone soon though and I will install a BlueCoat in its place for further testing.&lt;br /&gt;&lt;br /&gt;Details to follow.&lt;/div&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-5393477664651566098?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/5393477664651566098/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2009/06/webproxy-and-intrusion-prevention_01.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/5393477664651566098'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/5393477664651566098'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2009/06/webproxy-and-intrusion-prevention_01.html' title='WebProxy and Intrusion Prevention Products'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-7848480730826756554</id><published>2009-06-01T22:00:00.001-04:00</published><updated>2009-06-01T22:00:19.870-04:00</updated><title type='text'>Penetration Testing</title><content type='html'>&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: 'Times New Roman'; "&gt;&lt;div style="border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; 
border-color: initial; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; width: auto; font: normal normal normal 100%/normal Georgia, serif; text-align: left; "&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.trustcc.com/data/img/paragraph/code.jpg"&gt;&lt;img src="http://www.trustcc.com/data/img/paragraph/code.jpg" border="0" alt="" style="display: block; margin-top: 0px; margin-right: auto; margin-bottom: 10px; margin-left: auto; text-align: center; cursor: pointer; width: 230px; height: 230px; " /&gt;&lt;/a&gt;&lt;br /&gt;I am preparing a review of several pen-testing tools, stay tuned!&lt;/div&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-7848480730826756554?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/7848480730826756554/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2009/06/penetration-testing.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/7848480730826756554'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/7848480730826756554'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2009/06/penetration-testing.html' title='Penetration Testing'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' 
src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7461961418784993400.post-9087311090965388638</id><published>2009-06-01T21:59:00.001-04:00</published><updated>2009-06-01T21:59:33.737-04:00</updated><title type='text'>Welcome to Cyb3rS3c!</title><content type='html'>&lt;div&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_exWNrJMIj9o/SiJowBtX0KI/AAAAAAAADgs/iJU1_F6Hpmk/s1600-h/Cyber_Security_wire.gif"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 240px;" src="http://4.bp.blogspot.com/_exWNrJMIj9o/SiJowBtX0KI/AAAAAAAADgs/iJU1_F6Hpmk/s320/Cyber_Security_wire.gif" border="0" alt="" id="BLOGGER_PHOTO_ID_5341947282316578978" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Hi, I decided to create a blog dedicated to Cyber Security in order to share my observations and learn more about the state of information warfare. 
I look forward to learning from other members of this community.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7461961418784993400-9087311090965388638?l=cyb3rs3c.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cyb3rs3c.blogspot.com/feeds/9087311090965388638/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://cyb3rs3c.blogspot.com/2009/06/welcome-to-cyb3rs3c_01.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/9087311090965388638'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7461961418784993400/posts/default/9087311090965388638'/><link rel='alternate' type='text/html' href='http://cyb3rs3c.blogspot.com/2009/06/welcome-to-cyb3rs3c_01.html' title='Welcome to Cyb3rS3c!'/><author><name>S3G</name><uri>http://www.blogger.com/profile/03745684330633068990</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://1.bp.blogspot.com/_C4qpAYdiJdk/SiSGV0TLuNI/AAAAAAAAAAM/cGpSo2c82aI/S220/350532.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_exWNrJMIj9o/SiJowBtX0KI/AAAAAAAADgs/iJU1_F6Hpmk/s72-c/Cyber_Security_wire.gif' height='72' width='72'/><thr:total>0</thr:total></entry></feed>
