Amazon

29.12.10

Laptop Bag Review (Spire Torq)


I needed a pack that can carry a Dell M4500, a few hard drives, some wireless gear, and standard office-type junk. This pack is perfect; its construction appears much sturdier than anything else I looked at. After 8 months of abuse (I travel a lot), it looks brand new. The laptop sleeve, and the hanging design, are perfect.

The interior has enough pockets and zippers for me to adequately separate my gear by function. I can get to what I want easily even when it is stuffed under an airplane seat. It seems to fit there fine and I can still rest my size 12 shoes comfortably next to it.

The exterior has the "must-have" features I couldn't find in other packs like compression straps, stowable waist belt, molle-type loops in the front, and rings for attaching things to the outside of the pack. For the outside rings, I attach a ball cap and a rain shell since I am allergic to umbrellas ;-). The shoulder straps are very wide and padded, as is the waist belt. This is critical for load distribution and a place where many other bags fall short.

If I HAD to knock anything, the pack is so roomy and sturdy you might overpack it and it would be super heavy. I would also like to see the laptop sleeve modified to tote around your laptop brick somehow as well. For the exterior, I could see how some might want more molle, but the four on the front are enough for me.

27.12.10

Cyber Security Sucks

Warning, rant ahead:

For several years, as I have learned more and more about how computers, networks, and policy are interrelated, I have felt security in these areas is actually getting weaker. I listen to people just blame security issues on Bill Gates and think they are immune because they can bash a vendor. This seems to be happening by over-governing some aspects, under-funding, and hiring of absolutely the wrong people. Today I saw a couple of blog posts that should let you know exactly how bad it is out there.

First, consider this from Taosecurity. If you don't believe that is our stolen technology staring you in the face, it is. APT is a really hip buzzword, but it's real and you better figure out what it is and where it is on your networks. I know a couple of govie orgs suffering from this right now but they are too arrogant to think it could happen to them, so it will remain on their networks until... well, probably awhile.

Saving the best for last, I read about the carders.cc job. No, I didn't read the 900 cut-and-paste opinions on it, I read it from the d00dz who did it. Are you still confident about your security, wanting to trust your users, wanting to trust some 1337 guy you hired? Read this e-zine from the 0wned and Exp0sed crew. If that doesn't make you realize we all suck at security, I don't know what will.

I am not at all saying we, or anyone mentioned, are stupid. I am stating that the enforcement of the status quo must stop. We all need to learn more, do more, and weed out the lameness. Note in the zine that if you have used (installed) ettercap in the last five years, you might want to check your "shit." Do you know how many of us use that? ALL OF US!! That sucks! These people went after several high-profile, well-respected security pros and their websites and 0wned them at will. If you think you're immune, please share your awesomeness with the rest of us, because this should make you realize how bad the state of security is. What this group did is wrong, but things like this need to happen in order to get things moving in the right direction.

2.12.10

There are no internal applications


I read this post by Rafal Los (Wh1teRabbit) and wanted to agree completely. If you still believe you can have a firewall and an IDS and "trust" your users, you are inviting a problem. If you have a team that is convinced that nothing bad could ever happen to their infrastructure because they are 1337, you have a bigger problem. The blog post and comments focus on the fact that data is what needs to be protected, not just the location of the data. As mentioned in an earlier post, mobile computing and new threat and attack vectors are removing your borders for you.

Your people are your greatest asset and your biggest risk. Somebody in your organization clicks links, brings in infected USB drives, plays on Facebook all day, or actually wants to steal your data. I have been inside some supposedly very secure networks before where nothing but everyone's good intentions, and some veiled threats, stopped them from doing whatever they wanted. I don't just mean a penetration tester with network access, I mean anyone that knows how to open Network Neighborhood or send email. Talking with the management in these organizations resulted in some head nodding and furrowed brows but no change or desire to change. Every now and then a technical person would get frustrated and leave, only to be replaced by a project manager or an "architect." At one place, a mid/senior-level analyst left and the management decided to replace him with someone that had no security experience. One of the quotes overheard from that management group was "We don't need any more smarty pants around here, we need someone who can get along with everyone." I agree that your team should function well together, just not at the expense of your data's security.
So, think of it this way:

1. Can a malicious insider, no matter how unlikely, steal your data?
2. Can a non-malicious insider bring a threat inside that compromises your data?
3. In either case, would you even know if this had happened?
4. Why can it happen?
5. What can be done to lower the risk or impact?

Good luck planning for future security projects, and don't forget to use the WikiLeaks trend to increase your budget for next year.

23.11.10

Is your information security crushed by the org chart?

Funny cartoon. It's understandable that some organizations definitely wouldn't want their shortcomings broadcast for all the world to see. I am more focused on the first sentence, "Information security is a major priority at this company." That statement is heard a lot when you are a penetration tester and even when you are a "blue teamer" for a company. There are times when the best cyber security team can be stopped cold by an organizational chart. If the team is not properly positioned inside the organization and given the authority to implement policies and controls then nothing happens. Let's look at some examples I have witnessed in the past.

At many places there is no CSO or CISO to this day. At times this puts the infosec nerds reporting to the CIO. The CIO is most often concerned with things working, or availability. In addition, he/she will develop a technological vision for future services and offerings within a company and how to make things better and/or faster. While this person may consider security as a component of their job, it is not their sole purpose and balance may be difficult to achieve. In one organization I saw a CIO who had been moved from either accounting or HR and made the CIO. They had no relevant technology experience yet had been placed in charge of all technology. At that point in time IT within the organization was stagnant and falling behind the technological curve. They had a security group, but no CISO, so security suffered the same fate as IT in general. In a different institution I have seen the CIO report to a department head and not to the leadership of the company. Any C-level personnel should have the eyes and ears of the top two individuals or governing board of an organization. Without that, this CIO was effectively just a middle manager with a fantastic salary and title yet no actual authority. I know some folks hold to the idea that people can effectively wear multiple "hats" and have even seen that work in smaller businesses. My experience with larger companies has shown that trying that simply enforces the status quo, which may be their goal and that's fine, and does not foster effective internal communications and relationships. In the simple diagram below I have shown the C-level folks as equal peers reporting to the number 2, as a minimum, within this organization. I have seen other examples where security reported to the CFO or was incorporated into internal audit, but those models were short-lived examples. I would love to get some examples from the real world with success stories.

Smartphones: Destroying your perimeter one device at a time

Sounds like an overstatement, I know. Smartphones are incredibly powerful devices that open up a world of possibilities for communications versatility on a tiny platform. Consider this statistic: "...48% of employees are allowed to use their personal smartphones to connect to corporate systems – on the flip side, 70% of employees are permitted to use their company-provided smartphones for personal business." - http://ridethelightning.senseient.com/2010/11/cios-see-smartphones-as-data-breach-time-bombs.html

That's not a security-minded practice. I have been listening to C-level decision makers this year in conferences using phrases like "If you can't beat them, join them." "We must learn to work with social networks because this upcoming generation expects it." These are interesting perspectives and quite a shift from the website blocking and strict rules we all experienced just a few years ago. Perhaps they decided breaches were still happening then, so why keep fighting the tide. Whatever the decision, the smartphone is the most significant piece of your enterprise that is walking around in someone's pocket, getting lost on the subway, or stolen. If you allow these devices to connect to your enterprise, are you fully aware of the device's capabilities? I don't mean what the manufacturer said it can do, although that's a great place to start; I mean what is it actually capable of? Do you know if the security features touted by the vendor can be bypassed? Over the past several weeks there have been vulnerability reports issued for the iPhone and Android platforms. The last time I tested an iPhone, the encryption was purposely defeated by the operating system kernel. If you allow Android phones, remember they were designed to be flexible and open platforms; security was not the primary consideration. What kind of threats can this pose to your organization? My phone is the Google Nexus One running the latest, 2.2, OS. In addition to the phone's native capabilities, I have rooted it and installed a custom ROM. Performing these actions has given me complete control of the phone's hardware and allowed me to install Ubuntu 9.10. Once I had the Linux distro stable I installed nmap, OpenVAS, and Metasploit. I also installed ettercap, Wireshark, and a few other tools before running out of space, but you get the idea. My phone was now as weaponized as a pen testing laptop, the only downsides being storage and the terribly painful typing.

I know your users will bug you until you must allow whatever platform they think is the coolest, I mean the one that makes them the most productive when not at their desks. As you implement these devices the risk they pose should be considered carefully and the platform should be thoroughly tested. If your organization is not capable of hacking on the devices, it may be worth the investment to contract an outsider so you know exactly what you are getting.

15.11.10

TSA's "signature-based" security

Infosec analysts have long been lamenting the shortcomings in signature-based security items like traditional antivirus. It would seem that the TSA has somehow managed to latch onto this philosophy even though it isn't working well in IT. Let's take a look at how the TSA is mirroring this with their decisions.

I recently went through security at FLL in Ft. Lauderdale. As usual I was singled out and moved through secondary, or extra, screening. I would say this happens to me 90% of the time and always has. I don't complain and understand the gate agents are just doing their jobs, and I would hope that most folks don't vent on them; they are not the problem. So I get taken out of the metal detector (md) line and moved to the "nekkid machine" (backscatter x-ray). I am not shy so the backscatter doesn't offend or bother me; while I was in there, I asked the agent if I could see the picture since it was such a hot topic. She stated that the pictures were displayed somewhere remotely and that I had to go stand on the footprints and await instruction. While I was standing there a very professional male agent began to recite the standard pat-down procedure that might be necessary if the x-ray revealed that necessity. He then got the call in his secret-service earpiece that I needed to be physically inspected. He performed the pat-down just like a cop would and off I went. Altogether it was 10 minutes to get through the line and the TSA folks were great. The problem is that most of this still seems like the illusion of security.

I say this based on a couple of different thoughts or observations. First, I know that I have zero desire to take over a plane. This skews my perception of the procedure, but I understand they can't know that about me. I have noticed that there is some discrimination taking place, as they cannot perform this same procedure on a Muslim woman. In order to be ethnically sensitive the agents have been told only to check their head and neck areas. We have now arrived at the root of the problem. When you give preferential, or discriminatory, treatment to any group you are doing it wrong. If the plane is in danger then we must put our foot down and say search people regardless of their ethnicity. If you want to do some research and pick the culture(s) that would attempt this type of attack you might become much more efficient. Or don't, I don't really care, but you are wasting your time giving me a leg massage.
The TSA signatures are as follows:

Someone once hijacked a plane with a gun = no guns allowed on a plane and everyone has to walk through a metal detector

Someone had a device in their shoe = I have to see everyone's feet at security and put my shoes in a bin ( or not in a bin depending on the airport)

Someone had a few ounces of "bad" stuff = I can only have enough shampoo in my bag for three days AND I have to have everything in a ziploc as if the stuff can be verified visually.

Someone uses a printer cartridge to form an IED = no more printer cartridges

What will happen when someone has a bomb surgically implanted or hidden in an orifice? I don't want an answer, really. The point is that these actions and reactions don't quite seem to add up, and over time the reactions seem to escalate. Currently you are allowed to carry enough stuff onto a plane (electronics, liquids, shrapnel) that none of the above measures would stop. I don't want to post any combinations, but I can certainly have seven 3oz bottles of almost anything under the sun, a significant amount of batteries, a number of other "toiletries", and keys or other small pieces of metal.

These reactions seem similar to how IT security has decided to work. We wait for a threat to surface, then ban a symptom and wonder about how to kill the root cause. Alternatively, if there is a compliance or regulatory mechanism, we check off the boxes for the least amount of money possible and call it a day. This is tough since most of our companies are trying to make money and security can be very expensive. For the IT security world, I would like to see more technical people getting promoted into management positions with budgetary authority. For the TSA, I have no idea what the right answer might be, but good luck and don't follow the signature-based model.

Cyber Security Forum Initiative - Stuxnet Project

I recently had the privilege of collaborating with about 30 other InfoSec professionals to learn more about the Stuxnet worm. The results of our work can be viewed here:

http://www.csfi.us/?page=stuxnet

One of the more exciting pieces of work is a video created by Joel Langill from EnGlobal. In the video Joel infects an actual Siemens WinCC PCS7.