Author: Michael Farnum

My name is Michael Farnum.

I am a Practice Principal at HP Fortify on Demand. I live in Tomball, Texas. I have been in the IT and InfoSec field since 1994. I am the founder and chairperson of HouSecCon, THE Houston Information Security Conference.

These are MY words, not my employer’s or anyone else’s.

Millennials prove that tech savviness does not always equal security awareness

Bleeping Computer has published an article all about how millennials are more likely to be a victim of phishing and online scams than Baby Boomers (a.k.a. old people). I am taking this story with a few grains of salt because they gathered the data via a survey (in other words, there’s no hard data). But the result is really not that surprising.

Think about it this way: many Baby Boomers work in a corporate environment where they (hopefully) are inundated with a message of “don’t click that!” Even if someone doesn’t work in corporate America, they are probably more aware in general due to news coverage, etc. AND they have been around longer to get that message.

Millennials, on the other hand, are often not in bigger corp jobs, and they don’t consume media the same way the older generation does. And, of course, they haven’t been around for as long, so some of those messages haven’t got to them yet. Plus, they just want to do their social thing without hindrances. In general, Millennials are probably up for taking more chances.

This is all speculation on my part, of course. But it makes sense when viewed through the lens of generational differences. This is why I would advocate for security awareness training in high school and college (along with basic financial classes). Something that can give awareness without always focusing on tech (because that changes a lot). It should give young people a general sense of awareness and a healthy sense of paranoia – basically, something that will make them think twice. Combine that with PSAs that pop up as ads in social media, streaming apps, etc. And as parents, we should also be teaching that kind of awareness. It’s not an easy thing to tackle, and human nature is always going to make us susceptible to scams. Maybe as Millennials become more seasoned, they will start learning some of those lessons.

But we shouldn’t have to rely on life lessons to teach future generations. We have to start teaching security awareness proactively at a younger age, or the lessons are going to keep getting taught the hard way. The bad guys want it that way. So let’s start disappointing them.

So, call to action: does your educational system (high school, college) have formal security awareness programs? Do your computer science classes at any level include information/cyber security in the curriculum? If so, is it a small part or a whole semester? If not, what kind of proposals do you have to fix that? What can we do to influence educators? Who do you know who is actively trying to fix this now?

Let’s have a discussion and see if we can make some headway.

An ongoing list of my blog posts at Alert Logic

In case you weren’t aware, I moved over to Alert Logic in May of 2017. I am in the technical product marketing group, which is essentially a job where I do various tasks that generally involve helping bring technical people and marketing people together (those two groups at infosec vendors often don’t speak each other’s language). It’s a fun gig so far with plenty of challenges.

One of the tasks that I have been assigned is writing informative articles on the Alert Logic blog (you can subscribe to the RSS feed also). Below is a list of the pieces I have written over there. Go check them out when you have a second. I’ll be updating this post as more go up there, and I’ll probably be including any other resources from other parts of the Alert Logic website that are technical in nature and generally relevant as a whole (i.e. not total vendor speak, which is not my job anyway). I’ll keep the most recent ones at the top for ease of finding the latest.

  • Posted on Sept 26, 2017 – Last tip of the 5 post series providing some tips on securing apps with SQL databases that are running on the cloud. This one is about intelligent and consistent log analysis.
  • Posted on Sept 20, 2017 – Part 4 of the 5 post series providing some tips on securing apps with SQL databases that are running on the cloud. This one is about basic cloud security blocking and tackling (identity and access management and patching).
  • Posted on Sept 19, 2017 – Part 3 of the 5 post series providing some tips on securing apps with SQL databases that are running on the cloud. This one is about the use of WAF and IDS in protecting your web applications.
  • Posted on Sept 15, 2017 – Part 2 of the 5 post series providing some tips on securing apps with SQL databases that are running on the cloud. This one is talking about static and dynamic testing (SAST and DAST) of applications.
  • Posted on Sept 12, 2017 – The first of a 5 part blog series providing some tips on securing apps with SQL databases that are running on the cloud. A lot of the tips apply whether or not you’re running your apps in the cloud, but we focus on cloud here, so there you go.
  • Posted on Sept 7, 2017 – An explanation of SQL Injection (SQLi). There are quite a few articles/posts out on the Web that explain this, but it is always good to have another take on it. And I give some pointers on how to fix SQLi, including code examples from Damn Vulnerable Web App. It’s another resource if you want to understand SQLi or need to give someone a pointer.
  • Posted on June 29, 2017 – Post about PetrWrap/NotPetya/GoldenEye/Whatever. This was my first post at Alert Logic. A lot of folks put some time into this one because of the fact checking that needed to happen about the outbreak. But it is a good breakdown.

Don’t turn your nose up to “old” infosec ideas

I recently pinned a tweet to my Twitter account. The text says:

I often have to remind myself that ideas do not always need to be unique. Some things bear saying over and over again to take root.

I pinned that because I found myself turning my nose up at some ideas/articles/posts from smart people with somewhat dated subjects. I also found myself not writing or tweeting about a subject because I wrote about it a long time ago and I considered it old material. Essentially, I was dismissing anything that wasn’t new. What I figured out after a while is that a lot of those “old” ideas and thoughts still have merit.

Let’s take defense in depth for instance. An issue has popped up recently about AT&T Uverse routers being vulnerable (and I mean REALLY vulnerable). Home routers being vulnerable is not a new thing, but because this is Uverse, and because so many homes connect their home computers directly to the router either via hard wire or wireless, it is a big deal for these routers to be so easy to smack down.

My first thought when I saw the issue start being discussed was that there is no way I would ever connect my home computers/devices to my provider’s router. I always have an extra router on my network that I use as the point of connection. I make sure it is one with a good reputation for security (as much as I can with that market), has a strong firewall and other security features, and I update it regularly. This is defense in depth in my home.

But I didn’t write about it because it felt like an old argument (defense in depth). But you know what? Someone out there may not have thought to do this. Or they may not have heard about the AT&T router issue. Or they may have just been connecting directly to their provider’s router for convenience and my post changed their mind. Or maybe they are new to infosec and this kind of thing is still new to them. Who knows? The key point is that this is still a valid issue, and it is worth the time to talk about.

So TL/DR, don’t deprive yourself or others of your thoughts and ideas on infosec issues. Someone will get something out of it, even if it is just to remind them that they forgot about that “old” idea. Don’t ignore others when they talk about “old” ideas. Sometimes we old infosec folks need reminding too.

Medical records breach in Mass took place over 14 years

I just read this article about a medical records “breach” at a hospital in Massachusetts. The headline reads, “It took 14 years for this Massachusetts hospital to detect a data breach”. When I see something like that, I kinda pause a bit. Why would it take 14 years? That just seems ludicrous.

My first thought is, “Shouldn’t there be some kind of auditing happening at the hospital?” I posed the question to a hospital information security professional (this person has no connection to the hospital in question), and I was told that the employee likely “was in a team that had horizontal access to records” and that it is “almost impossible, short of tagging a record as a VIP (think a movie star, politician) and daily reviewing who touches the record to catch this.” Spot checking by Joint Commission that should happen during audits (the hospital is Joint Commission accredited according to this website) didn’t find it either.

What also struck me was that it wasn’t even the hospital who found the issue:

In April of this year, a former patient expressed concern that someone may have accessed their electronic medical record inappropriately. A review conducted in response to this complaint revealed that one hospital employee appeared to have accessed the former patient’s records without a good reason to do so. This discovery led to a broader review of the employee’s use of the electronic medical records system at Tewksbury Hospital. As a result of this review, we were able to determine that the employee appeared to have inappropriately accessed the records of a number of current and former Tewksbury Hospital patients.

So how did the patient know or even suspect something funny was happening? Was there some activity in the electronic medical record that was visible to the patient? I asked the same information security professional as above for some thoughts on this point. Here’s the reply: “I suspect they occasionally snooped on people in the hospital. Not for profit but because they were nosy. And they talked to somebody about the procedure the person who reported this had and they were upset and tracked it down.” That seems plausible to me. I have had a couple of stints in healthcare as an IT professional, and I have seen first hand how gossipy people can get about patients (plus I am binge-watching past episodes of Grey’s Anatomy with my wife, so I know all about how hospitals operate).

A final quote from my anonymous information security professional leads to the main point of this particular situation: “End of day we have to trust people do not snoop. Sometimes they don’t keep that trust. That’s what sanction policies are for.” That is very true and reflects the way we have to think about security at all levels. You have to give people access so they can do their job. Locking things down to the Nth degree just makes it more difficult for them to do their jobs, so you have to trust at some point. Yes, there should be reasonable levels of control to stop these things from happening. But you’ll never stop it all. Review as much as you can. Train people to not do bad things. Expect that someone will eventually do a bad thing.

But seriously, please put in some deeper level of review that will hopefully enable you to catch this kind of thing in a little less than 14 years. 14 years? Seriously?
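What that “deeper level of review” can look like in practice, as an added example written for this page (it is not the hospital’s tooling or anything from the article): a short Python script that runs three checks over a constructed EMR access log. The checks are the ones the anonymous professional hints at, tagging a record as VIP and reviewing every touch of it, flagging a user who opens an unusually wide spread of patients with no recorded reason, and flagging access to records outside the user’s own unit. The log format, the unit assignments, the VIP list and the threshold are all assumptions made for the example.

```python
import collections
import csv
import io

# Constructed sample EMR access log for this example (not the hospital's real
# audit data). One row per record view; an empty "reason" means the system
# recorded no treatment or billing relationship for the access.
SAMPLE_LOG = """\
timestamp,user,patient_id,unit,reason
2017-08-01T08:02:00,nurse_a,P100,ICU,treatment
2017-08-01T08:05:00,nurse_a,P101,ICU,treatment
2017-08-01T09:10:00,clerk_b,P200,BILLING,billing
2017-08-01T12:30:00,clerk_b,P555,ICU,
2017-08-01T12:31:00,clerk_b,P556,ICU,
2017-08-01T12:32:00,clerk_b,P557,ICU,
2017-08-01T12:33:00,clerk_b,P558,ICU,
2017-08-01T12:34:00,clerk_b,P559,ICU,
2017-08-01T13:00:00,dr_c,P900,ICU,treatment
2017-08-01T13:10:00,dr_c,P100,ICU,treatment
"""

# Hypothetical assignments: which units each user legitimately works in.
USER_UNITS = {
    "nurse_a": {"ICU"},
    "clerk_b": {"BILLING"},
    "dr_c": {"ICU"},
}

# Records tagged for per-access review (the "VIP" idea from the hospital pro).
VIP_RECORDS = {"P900"}

# More distinct patients than this in one day with no recorded reason gets
# flagged; the number is an assumption a real program would tune per role.
UNEXPLAINED_PATIENT_THRESHOLD = 3


def parse_log(text):
    """Parse the CSV audit log into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def vip_accesses(rows):
    """Every touch of a VIP-tagged record, regardless of the stated reason."""
    return [(r["user"], r["patient_id"], r["timestamp"])
            for r in rows if r["patient_id"] in VIP_RECORDS]


def unexplained_breadth(rows, threshold=UNEXPLAINED_PATIENT_THRESHOLD):
    """Users who viewed more than `threshold` distinct patients with no reason recorded."""
    per_user = collections.defaultdict(set)
    for r in rows:
        if not r["reason"].strip():
            per_user[r["user"]].add(r["patient_id"])
    return {u: sorted(p) for u, p in per_user.items() if len(p) > threshold}


def cross_unit_accesses(rows, user_units=USER_UNITS):
    """Accesses to records belonging to a unit the user is not assigned to."""
    return [(r["user"], r["patient_id"], r["unit"])
            for r in rows if r["unit"] not in user_units.get(r["user"], set())]


def daily_review(text):
    """Run all three checks and return the findings a reviewer would look at."""
    rows = parse_log(text)
    return {
        "vip": vip_accesses(rows),
        "breadth": unexplained_breadth(rows),
        "cross_unit": cross_unit_accesses(rows),
    }


if __name__ == "__main__":
    for check, hits in daily_review(SAMPLE_LOG).items():
        print(check, hits)
```

None of these checks proves wrongdoing on their own; the point is that a nightly run of them turns “almost impossible to catch” into a short list a compliance officer can actually look at, which is a lot better than waiting fourteen years for a patient to complain.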

Protect Sensitive Data on AWS with Amazon Macie

I’m a few days late on this, but I just read on the AWS blog that they launched a new service called Amazon Macie on August 14. According to the website, Macie is “a security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS.” Here are a few points that stood out for me:

  1. It looks like S3 is the initial data store for the service, and that is welcome news based on the recent high-profile data exposures caused by misconfiguration of S3 bucket policies.
  2. The pricing also seems reasonable (though you always have to watch out for costs with cloud services – they can sneak up on you quickly).
  3. The interface looks intuitive to get started. Some AWS services are not very intuitive and take for granted that you have a lot of AWS knowledge (which is not an unfair assumption for the most part). But the Macie designers seemed to consider that the exposures on S3 might just mean that some people might not know what the heck they are doing. You still will need to know about CloudTrail and other AWS concepts.
  4. The Macie dashboard gives a lot of good information and doesn’t appear to be cluttered. Another nicely designed UX so far.
  5. Straight from the product page: “For data classification purposes, Macie utilizes CloudTrail’s ability to capture object-level API activity on S3 objects (data events).”
  6. Alerting seems to be very strong. Go check out the alerting page to see what all is available (there’s a lot there).

It looks like a few high-profile AWS customers are already using it (edmunds, Netflix, and Autodesk are the examples included in the marketing info), so AWS has done some due diligence with vetting this out. Machine learning is becoming more and more a norm in our lives these days, and the use cases are proving themselves out in a lot of cases. With so many different customers that could potentially use this with so many different kinds of data, it will be interesting to see some case studies come out over time to see if machine learning can be applied here with high success. I predict it will be successful and highly utilized.

Carbon Black having some customer data leaking issues

My buddy Jim Broome at Direct Defense is stirring the pot a bit today with his latest blog post. Seems like that during an investigation of a potential breach they were performing for a customer, they accidentally discovered that it is possible to harvest some very sensitive data from the Carbon Black Cb Response product.

They discovered it when someone at Direct Defense was “analyzing a potential piece of malware using the analyst interface of a large cloud-based multiscanner”. When they started using that multiscanner to look for some similar pieces of malware to get context, they discovered some files that weren’t related to their customer. When they started digging, they found a bunch of very sensitive data that was getting uploaded to the multiscanner from Carbon Black. The reason all these non-malware files are on there is because of the way Carbon Black has structured its service. Jim explains it much better than I can, so I’ll just pull an excerpt from his post:

How could this happen? As previously stated, when a new file appears on a protected endpoint, a cryptographic hash is calculated. This hash is then used to look the file up in Carbon Black’s cloud. If Carbon Black has a score for this file, it gives the existing score, but if no entry exists, it requests an upload of the file. Since Carbon Black doesn’t know if this previously unseen file is good or bad, it then sends the file to a secondary cloud-based multiscanner for scoring. This means that all new files are uploaded to Carbon Black at least once.

Generally speaking, this isn’t such a big deal. Take a Windows update for example. The first customer of Carbon Black that gets a Windows update and then uploads it doesn’t leak much information. However, let’s extrapolate these along real-world lines. Not every file is a Windows update, and many of them contain sensitive details and change frequently. This degree of change is what spurred Carbon Black in its Bit9 form to create this system in the first place.

Imagine you have this solution deployed on a developer workstation. Each time a new piece of code is compiled, that new compiled code is a file that nobody has ever seen. It gets uploaded. Now imagine a build or deployment system that packages up a bunch of executables (and configuration files). You could easily imagine the types of combined data that could constitute a “new file”.

Jim and I have talked about this in the past. One of the issues we’ve had in the past with some AV solutions is that a few had default settings that uploaded suspected malware into Virustotal (this is not on by default in Cb Response). As Jim says above, if something one of your developers wrote gets thrown up into the cloud because it smells like malware, then you are potentially throwing up sensitive data to the world. What kind of sensitive data? I’ll steal from Jim’s post again to explain:

  • Cloud keys (AWS, Azure, Google Compute) – which could provide you with access to all cloud resources
  • App store keys (Google Play Store, Apple App Store) – letting you upload rogue applications that will be updated in place
  • Internal usernames, passwords, and network intelligence
  • Communications infrastructure (Slack, HipChat, SharePoint, Box, Dropbox, etc.)
  • Single sign-on/two factor keys
  • Customer data
  • Proprietary internal applications (custom algorithms, trade secrets)

Jim sums it up nicely (as he usually does) with this line: “Welcome to the world’s largest pay-for-play data exfiltration botnet.” Ouch.

Edit: added clarification above that Carbon Black does not have the file upload feature turned on by default. Also, Carbon Black has responded to Direct Defense.

Edit: Direct Defense’s response to Carbon Black’s response
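To make the upload flow Jim describes concrete from the defender’s side, here is an added Python example (my illustration for this page, not Carbon Black’s or Direct Defense’s code). It mimics the hash-then-lookup step and puts a content gate in front of the upload, so that a file which is unknown to the cloud and also carries credential-like material is held locally for a human to look at instead of being sent to a third-party multiscanner. The sample files, the marker patterns and the “already scored” cache are constructed for the example; the AWS key value is the placeholder key from AWS documentation.

```python
import hashlib
import re

# Constructed sample files on a hypothetical developer workstation (not real data).
# AKIAIOSFODNN7EXAMPLE is the placeholder access key from AWS documentation.
SAMPLE_FILES = {
    "C:/Windows/update.msu": b"MSCF" + b"\x00" * 64,
    "C:/src/build/config.env": (
        b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        b"DB_PASSWORD=hunter2\n"
    ),
    "C:/src/build/app.exe": b"MZ" + b"freshly compiled code with no secrets",
}

# Patterns a pre-upload gate can use to recognise credential-bearing content.
# Hypothetical starter list; a real deployment would extend and tune it.
SENSITIVE_MARKERS = {
    "aws_access_key": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "password_assignment": re.compile(rb"(?i)password\s*[=:]\s*\S+"),
}


def sha256_hex(data):
    """The hash the endpoint agent would look up in the vendor cloud."""
    return hashlib.sha256(data).hexdigest()


def find_sensitive_markers(data):
    """Names of every marker pattern that matches the file content."""
    return sorted(name for name, rx in SENSITIVE_MARKERS.items() if rx.search(data))


def decide_upload(path, data, known_scores):
    """Decide what to do with a file the agent has just seen.

    known_scores: {sha256: score}, the vendor's already-scored files.
    Returns a dict whose "action" is "cached", "upload", or "hold".
    """
    digest = sha256_hex(data)
    if digest in known_scores:
        # Someone already uploaded this exact content; reuse the verdict.
        return {"action": "cached", "path": path, "score": known_scores[digest]}
    markers = find_sensitive_markers(data)
    if markers:
        # Unknown AND credential-like: keep it local and let a human decide.
        return {"action": "hold", "path": path, "markers": markers}
    return {"action": "upload", "path": path, "sha256": digest}


def triage(files, known_scores):
    """Run the gate over every file and return the decisions in path order."""
    return [decide_upload(p, files[p], known_scores) for p in sorted(files)]


if __name__ == "__main__":
    # Pretend the Windows update was already scored by an earlier customer.
    known = {sha256_hex(SAMPLE_FILES["C:/Windows/update.msu"]): "trusted"}
    for d in triage(SAMPLE_FILES, known):
        print(d)
```

The gate is deliberately conservative: a build artifact with nothing credential-looking in it (the `app.exe` above) still goes up, because that is the product working as designed. What it buys you is a “hold” queue for the `config.env` case from Jim’s list, and a place to add path-based rules (build directories, source trees) if regex matching on content is not enough for your environment.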

Libertarian views and red herrings and people who should know better

Before you start reading this post, please make sure you don’t stop at the first two paragraphs. I am dredging up an old issue from early 2016, but it is relevant to some recent news.

I have a fairly libertarian viewpoint on the world. So whenever I hear about a government asking for cooperation from a company to catch criminals, I don’t automatically start rooting for the government to get their way just because some bad guy might get caught. I take a step back and review the situation, then I make a judgement on what the government is asking for. That is what happened when the FBI asked Apple to break their encryption on an iPhone that belonged to one of the terrorists that were involved in the San Bernardino, California, shooting in 2015.

In that case, because Apple did not have the ability to break the encryption, the FBI was asking Apple to create a new version of their software that would give the FBI the ability to bypass the iPhone’s protections. I was adamantly opposed to this idea because of the precedent of allowing the government to bully a private company. And also, if that version got out, what did it mean for the rest of us who depend on the encryption of that device for our privacy?

Yet on the latest edition of the Risky Business podcast, I was told by the Australian Prime Minister’s cyber security advisor Alastair MacGibbon that my second concern from above is a “red herring”. And I was told by Patrick Gray (as he has said over the last few podcasts) that people who are concerned about the government asking for stepped-down cryptography are “losing their minds” or have “spun off the planet.”

I consider Mr. MacGibbon’s statement to be one of two things (you can choose which one you prefer, but I have my ideas on which one is correct):

1. a wildly naive view by someone who is an expert in this field (which is the same thing I said to another person who should know better back when the case was still in full swing)
2. a bureaucratic statement that is being issued by someone who was appointed by political masters, hence he cannot give a straight answer to the question.

As to Patrick saying we’re all nuts for thinking that the gubment might be considering legislating stepped-down encryption, just listen to the podcast interview for about 2 minutes. Patrick asked a very direct question, and the bob-and-weave strategy came out immediately. And it seems like it caught Patrick off guard. It’s almost like he expected a straight answer from a political appointee. Patrick, you’re likely correct when you said in your well-written post that Australians “don’t really have the same libertarian streak” as us Yanks (he said US cousins, but I liked “Yanks” better). That is partly because of that kind of non-answer from a bureaucrat that we get all the time. We just don’t trust ’em!

The long and short of this is that I do not put it past any government to ask for the stepping down of crypto. It is very easy to justify a lot of bad ideas with the good idea of protecting the citizens of your country. Dictators and tyrants have been doing it for centuries. And people keep buying it wholesale. I do agree that there needs to be some form of cooperation from companies when the government is trying to get answers in investigations. But if that comes in the form of reduced encryption (and that seems to be the only answer in some of these cases), then count me out. Patrick lays out other ways that government can get communications without breaking encryption, which is also pretty dang scary. We know it exists (EternalBlue anyone?), but it doesn’t mean it is justifiable (Patrick didn’t justify it either, BTW).

A few qualifiers before I end this:

Patrick did a great job keeping after Mr. MacGibbon to get a straight answer. This is one of the main reasons I listen to Patrick’s podcast and respect the hell out of his abilities as a journalist.

I was very happy to read this from Patrick’s post:

Let me put this bluntly: If this is what the government winds up suggesting, then by all means hand me a bullhorn and show me where to point it. It is a ridiculous idea that would erode so many of the security gains that we’ve made over the last decade.

While our Australian cousins trust their gubment a little too much for my taste, at least they aren’t just blindly trusting them with the keys.

Also, let me add that I don’t know Mr. MacGibbon. Patrick vouches for him, so I have to respect that. I am simply stating how I see this in the context of this issue and this interview. It just feels very “bureaucratic-y”.

Great post on the RNC AWS file leak discovery from UpGuard

UpGuard’s post on their discovery of the RNC data is trending big time on the netsec subreddit. I highly recommend going to read the post if you want to know what they found. But in a nutshell, it all centers around the misconfiguration of permissions to the AWS S3 bucket where the database was stored.

I would like to say that the carelessness that was shown here is surprising, but unfortunately it’s not anything new. As I get deeper into the cloud, I see more and more parallels from my straight networking days. Permissions have always been an issue with networks in general, and now that Amazon, Microsoft, and other cloud providers are making it so easy to provision resources in the public cloud, the implications of faulty permissions are huge. This is just one example of a slew of problems, but it just so happens to be a VERY BIG example. We’re talking the potential exposure of data on nearly all 200 million US registered voters, plus the inner workings of the GOP in the last election. And no one really knows how long it was out there.

One last thing: when you go read the post, be sure to read the whole thing. Not only does the article talk about what was exposed; it also goes into the implications of that exposure that go beyond just your basic “muh data”. There is some very targeted… almost metadata… about people that is derived from some sophisticated data analytics, which could lead to some very specific targeting. Kinda eerie.
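Both the Macie post above and this one come down to the same root cause, S3 permissions, so here is an added Python example (my illustration, not code from UpGuard, AWS, or the original posts) of the check a bucket owner can run offline before a service like Macie, or a researcher, finds the data for them. It inspects a bucket policy JSON for Allow statements granted to the wildcard principal, and a bucket ACL for grants to the AllUsers and AuthenticatedUsers groups. The weak and corrected policies and the ACL are constructed; the bucket name, account id and role name are placeholders. The two group URIs are the real AWS identifiers.

```python
import json

# Grantee URIs that make an S3 ACL grant public (real AWS group identifiers).
PUBLIC_ACL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

# Constructed bucket policies. "example-data-bucket", 123456789012 and
# AnalyticsRole are placeholders, not anything from the UpGuard post.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "WorldReadable",
        "Effect": "Allow",
        "Principal": "*",                      # anyone on the internet
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-data-bucket",
                     "arn:aws:s3:::example-data-bucket/*"],
    }],
})

CORRECTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AnalyticsRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/AnalyticsRole"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-data-bucket",
                     "arn:aws:s3:::example-data-bucket/*"],
    }],
})

# Constructed ACL in the shape the S3 GetBucketAcl API returns.
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id-placeholder"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principals(stmt):
    """Flatten Principal ("*", a string, or {"AWS": [...]} style) to a list."""
    p = stmt.get("Principal", [])
    if isinstance(p, dict):
        out = []
        for v in p.values():
            out.extend(_as_list(v))
        return out
    return _as_list(p)


def public_statements(policy_json):
    """Allow statements whose principal is the wildcard "*".

    A Condition might narrow the grant or might not (aws:SecureTransport
    alone does not), so it is reported for review rather than treated as safe.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _principals(stmt):
            continue
        findings.append({
            "sid": stmt.get("Sid"),
            "actions": _as_list(stmt.get("Action", [])),
            "conditioned": "Condition" in stmt,
        })
    return findings


def public_acl_grants(acl):
    """ACL grants to the AllUsers / AuthenticatedUsers groups."""
    hits = []
    for g in acl.get("Grants", []):
        uri = g.get("Grantee", {}).get("URI")
        if uri in PUBLIC_ACL_GRANTEES:
            hits.append((PUBLIC_ACL_GRANTEES[uri], g.get("Permission")))
    return hits


def is_exposed(policy_json, acl):
    """True if either mechanism grants unconditioned access to the world."""
    unconditioned = [f for f in public_statements(policy_json) if not f["conditioned"]]
    return bool(unconditioned) or bool(public_acl_grants(acl))


if __name__ == "__main__":
    print("weak policy:", public_statements(WEAK_POLICY))
    print("corrected policy:", public_statements(CORRECTED_POLICY))
    print("acl:", public_acl_grants(SAMPLE_ACL))
```

The two mechanisms are checked separately on purpose: a bucket can have a perfectly scoped policy and still be world-readable through an ACL grant, which is exactly the kind of thing that slips past a quick look at the policy tab.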

My opinion of my first Gartner event in my 23+ year long career

I’m sitting here in the beautiful Gaylord National Resort and Convention Center in Washington D.C., nice and comfortable as I look out over the cool little “town” they built inside this gargantuan building. While I enjoy the artificial scenery, I am also thinking about the week I just spent at the Gartner Security and Risk Management Summit that was held here at the Gaylord (it’s wrapping up now). And frankly, it kinda surprises me to think that this was my first Gartner event. I have been in the IT and Security industry since 1994, and this is my first one. Maybe it’s because RSA, BlackHat, HouSecCon, DerbyCon, and BSides events have been my focus because most of my friends are there (and because I spend a lot of time organizing HouSecCon). Maybe I view those as more meaningful as far as security tech goes (RSA might not fit in that category for some). But I think it is more likely because, over the years, I have often joined with others in viewing the analyst business with disdain (I’ve expressed some negative views over my career). I have only recently (in comparison to the rest of my career) started working for vendors. So combining that with some somewhat – but not overly – harsh opinions on analysts in the past, and I think it kinda makes sense why this is my first one.

Saying all of that, I’d like to list out some quick impressions:

1. I found it to be a generally good event. Very well organized. Some of the sessions had some great info, though the ones I saw were mostly on trends versus anything hard-hitting. That is the nature of the analyst business, so that is fine. As a vendor, the info can be very helpful.

2. Almost all the talks were succinct and not laced with “here are my credentials and why I am awesome”. Some might chalk that up to the arrogance of analysts, but I found it refreshing in comparison to some of the talks I have attended in other conferences. Look, you’re up there talking. I will pretty much assume you’re knowledgeable in your field. I will judge your talk almost completely on the content of the talk, not on how long you’ve been working or your certs.

3. Every talk I saw was well laid out and logical and ended with either time to spare or right on time. Gartner has trained their folks well.

4. You don’t go to these talks for entertainment. You go for information. I can enjoy a good talk where someone is keeping me laughing, but I value a talk that gives me the information I am looking for and gets it done.

5. The information was valuable. That doesn’t mean you take the analyst’s word as gospel. In fact, there were numerous points with which I disagreed. It does mean you use it as data points to make a decision (which is what Gartner and other analyst firms are there for).

6. The 1-on-1 meetings I had with analysts were very helpful. This is the first time I have worked directly with analysts as a vendor representative, and I was struck by the difference in those talks. But my main point is that the analysts were all very… human. They weren’t stodgy or impersonal. The talks were enjoyable and professional.

7. The 1-on-1s were kind of like speed-dating. I’ve heard numerous people make that comparison as I have started learning this new area, and it is very true. Get in there, see if you like them, see if they like you, make a future appointment to meet again if the talk went well so you can get to know each other better, then go meet your next potential relationship.

8. Gartner analysts seem to fall into very well-defined lines as to what areas of the industry they cover. It seems to follow the OSI stack verbatim in many cases, and that makes sense for the sake of organization. The problem is that my new employer (Alert Logic) doesn’t fall neatly in those lines. So we often find ourselves talking to a bunch of different analysts to get full coverage. Not necessarily a bad thing, but it can mean even MORE meetings than the typical vendor has to go through. It will be interesting to see that unfold in the next few months.

So, that’s it. If you’ve been in the industry a while and have done a bunch of Gartner/analyst events, this is all probably old hat for you. Hopefully others find it helpful when making decisions on whether to go or not (as a vendor or just an attendee).

An Information Security Place Podcast – 01-22-14

Jim, Dan, and Michael have a lot of catching up to do. We talk about a lot of stuff because a lot of stuff has been happening. From RSA, NSA, QSAs… security is busy! Show notes below!

Show Notes:

InfoSec News Update –

• 123456 is the new best of the worst – Link
• RSA Conf and those skipping it this year – Link
• Fixing a flawed VA medical records system: Tenacity pays off for a researcher – Link
• Do you believe the Obamacare website is secure? These guys don’t – Link1, Link2, Link3

Discussion Topic – The Failure Themes of the Target Breach:

• Massive Props to Brian Krebs on his coverage of the whole debacle
• AntiVirus Takes it on the Chin …Again – Link
• Egress Filter Much? – Link
• Credit Card Processing Fundamentally flawed – Link
• EMPHATIC POINT OF THE PODCAST!! Complacent with Compliance … again. PCI != security

Music Notes: Special Thanks to the guys at RivetHead for use of their tracks –

• Intro: “Stay Alive” – Rivethead
• Segment 1 – “CricketBat” – RivetHead
• Segment 2 – “Burn Us Down” – Early Morning Rebel
• Outro: “Zero Gravity” – RivetHead

Link to MP3

Giving Grammy security advice

So Grammy got a computer. No, not my Grammy. Just some random Grammy out there got a computer. How do I know? Because someone who set up her computer wanted their family to know that Grammy got a computer and now could get emails. So that person sent out an email to “Mom” and a few other folks from Grammy’s email, letting them know that Grammy was now high tech and ready to rock on the Intertubes, Googles, and Facebooks. But that person inadvertently sent the email to my gmail account.

It’s actually a common mistake. I got my gmail account real early when you still had to get invited. So I got to choose an address that could work for a lot of folks with my last name (I’ll be waiting for everyone to guess it and start sending the spam). So here’s what they sent:

[Image: Grammy’s email]

I’m not one to let a mistake like this go. One, because I didn’t want Mom to miss out on Grammy’s email address. And two, I thought Grammy might need a security primer to get her going with the new computer. So I decided to reply (with respect of course):

[Image: my reply to Grammy’s email]

Grammy, I doubt you’ll ever see this post. But I wish you all the best. Stay secure.

    An Information Security Place Podcast – The HouSecCon 2013 Episode

    An Information Security Place Podcast – The HouSecCon 2013 Episode


    Quick show this time. Jim, Dan, and Michael are all at HouSecCon 2013 in Houston, TX on October 18. They found a quiet room away from all the conference noise and recorded a fast podcast. Jim and Dan talk about their talks, and Michael talks about the fun and stress of being the HouSecCon organizer. Michael also shares some details about his new gig with HP Fortify on Demand.


    Music Notes: Special Thanks to the guys at RivetHead for use of their tracks –

    • Intro – Stay Alive – RivetHead
    • Outro – Zero Gravity – RivetHead

    Link to MP3

    An Information Security Place Podcast – 09-06-13


    We’re in rare form today. A lot of fun sprinkled with the occasional good nugget of information security news and discussion.

    Show Notes:

    InfoSec News Update –

    • New OSX Metasploit Module or Time is not on your Side! – Link
      • If your session belongs to a user with Administrative Privileges (the user is in the sudoers file and is in the “admin group”), and the user has ever run the “sudo” command, it is possible to become the super user by running `sudo -k` and then resetting the system clock to 01-01-1970.

    • Communication is key – Link
    • Hacking Fantasy Football – Link
    • China Shifts to newer Exploits – Link
      • Now that folks are patching CVE-2012-0158

    • FTC smacks Internet-Connected home security cameras – Link
    • CSRF Protection without nonce or random tokens – Link
    • British Parliament loves them some Pr0n! – Link
    • Samsung adding security to Android – Link
    • Gartner pushing SAST & DAST together – Link
      • The blog is old, but this year’s Magic Quadrant has them merged into a single report. Is this a good or bad thing?

    • HouSecCon Update! – Link

    Discussion Topic –

    1. 10 Golden Rules of the Outstanding CISO – Link

    Music Notes: Special Thanks to the guys at RivetHead for use of their tracks –

    • Intro – Stay Alive – RivetHead
    • Segment 1 – Synchronicity II – RivetHead
    • Segment 2 – Deaf Ears – RivetHead
    • Outro – Zero Gravity – RivetHead

    Link to MP3

    For All Parents – My First Day of School Sermon

    I put this on Facebook today, and I wanted to share it here on my blog. I have very strong feelings about this if you can’t tell.

    From me as a parent to other parents:

    A lot of people are celebrating the first day of school today. For those of you genuinely celebrating your child’s first day of school or their return to school by:

    – giving them encouragement;
    – loving on them;
    – telling them all will be fine;
    – telling them you’ll be there when they get back to help them with their homework;
    – letting them know that you are proud of their accomplishments;
    – being genuinely happy that they are getting an education

    You are doing it right. Keep up the excellent parenting!

    But for those of you who:

    – are ecstatic that your kids are finally gone;
    – are on Facebook saying how giddy you are because you don’t have to put up with them for 8 hours;
    – are like the group in front of a Houston-area neighborhood that my family witnessed celebrating en masse this morning by giving high fives and dancing in the street after their kids got on the bus…

    You make me physically sick and extremely sad.

    Your children are not a chore. They are your CHILDREN. If you can’t stand to be around them, then it is YOUR fault, not theirs. If that is how you treat your children behind their back, then you might as well just tell them you can’t wait until they’re out of your house so you can kick back and drink a cold one and watch TV without having to fix someone’s dinner or put on a band-aid or hug away some tears or help with a math problem or generally give a crap about their existence or well-being.

    They likely already know anyway. Seriously, kids are not stupid. They just don’t express it to you because they don’t really know that it should be different. So just tell them and get it over with so they’ll definitely know where they rate in your life. Might as well be honest, right? That way they can get on with figuring out that this is how life is and they’ll be prepared to treat their own kids that way one day.

    Or maybe you’ll get a heart when you see them cry and start appreciating them. Maybe…

    [UPDATE] This video is the kind of crap of which I speak. This is sickening to me. She wants more Mommy time? I get wanting a break. I really do. For the record, my wife and I homeschool our children. They are typically with us 24/7. Do we breathe a bit more at the end of the day when we get to sit down and enjoy some time watching TV or catching up on the day? Of course. But we don’t CELEBRATE. Tracy Moutafis, you should be ashamed. But somehow I doubt you are.

    An Information Security Place Podcast – 8-20-13


    We’re back to work.

    Show Notes:

    InfoSec News Update –

    • Scan the Entire Internet in less than 45 minutes!! – Article Link and tool link
    • Zuckerberg’s Profile Hacked – Link
    • FDA Issues Guidelines on Wireless Medical Devices – Link
    • OWASP Top 10 Update – Link
    • Malware Sandboxing Not Working – Link
    • Sparty: MS Sharepoint and Frontpage Audit Tool – Link
    • HouSecCon Update! – Link

    Discussion Topic –

    1. The Threat of Social Engineering – Jigsaw FTW – Link 1 / Link 2

    Music Notes: Special Thanks to the guys at RivetHead for use of their tracks –

    • Intro – Stay Alive – RivetHead
    • Segment 1 – – RivetHead
    • Segment 2 – – RivetHead
    • Outro – Zero Gravity – RivetHead

    Link to MP3

    New talk – The Solution vs The Silver Bullet

    I have developed a new presentation that I gave for the first time yesterday at the Texas Technology Summit in Houston. The title and synopsis are below.

    Title: The Solution vs The Silver Bullet (or InfoSec Industry != InfoSec Practice)

    Synopsis: The information security industry and information security practice are two concepts that should not be confused. The industry is for making money. The practice is for securing your organization. While the two certainly overlap on a Venn Diagram, there are large areas where never the two shall meet. The infosec practitioner needs to know how to discern where the practice stops and the industry starts. Otherwise, the Silver Bullet mentality will take over, and the practice becomes unmanageable. Join Michael on this talk to discover how to start down the path of discernment. Michael will give practical ideas on dodging the Silver Bullet cycle or getting out of it if you are there already.

    The Texas Technology Summit is more of a general IT show with a good amount of security focus. I picked that venue for this talk because I wanted to test the talk first on that kind of general crowd. I wanted to see if it resonated with folks who might have security as a part of their job, but not be solely focused on security. Turns out that it did. I had great feedback that addressing security as a complex system rather than a checklist helped them with their approach to building a security program. I also talked about determining your organization’s current and desired security maturity levels, and using that data to help make decisions. That was also very well received.

    I did have a couple of people at the show who are straight security professionals whom I know and respect. They were very positive about the talk as well. So now I am going to try it on a security-focused crowd at NAISG DFW next week. We’ll see how it goes there. I may do a bit of tweaking between now and then, but overall I am happy with the talk. I’ll post a recording if I get one while I am there.

    Innovation Sandbox at RSA – a Lesson in Security AND Oratory Skills

    While attending the 2013 RSA Conference last week, I took a chance and attended the presentations in the Innovation Sandbox Showdown. If you haven’t been to these or aren’t familiar with them, this is where security startups show their wares to a panel of venture capitalists and infosec experts for the title of “Most Innovative”. The catch is that each vendor representative has 3 minutes to do a presentation about their company. After they finish, they have 2 minutes to answer questions from the panel. These time limits are STRICTLY enforced, meaning that the mic is turned off when the time ends. No exceptions.

    As I watched the showdown, a couple of points started forming in my head. The first was from the standpoint of a security professional with an interest in new security technologies. The second was from the standpoint of an orator. So let’s start with the first one.

    First – The Security professional

    Each of the vendors seemed to attack the big issues of today, like cloud, malware, browser security, BYOD, etc. But you know what? I’m just a little tired of it all. Every year, we have more vendors. And every year, they fall away. And as I write this section of this post, I just want to stop and scream. So many products, and I keep getting reminded of Jeremiah Grossman’s post about increasing the attack surface with more security products. Yes, I know this doesn’t exactly equate. Every time a product comes out does not mean you are going to put it in your network. But there is this overload that has been coming and coming, and we have reached it.

    So many of these issues – like BYOD – can be fixed using stuff you have in your security toolbox now. That doesn’t mean there isn’t a need for point products sometimes. But like Jeremiah said, bad guys shift tactics. And the more products there are guarding your network, the more they look for holes in those products. So it is smart to look at what you have and be smart about what you buy for security. Yes, we need innovation. But innovation is not limited to product vendors. You can innovate within your own enterprise. You can act differently, be more proactive, watch more closely, and use the tools you have. Let’s stop the cycle of buy, install, follow the shift, buy, install, follow the shift. Start hardening, start reviewing your risk, start learning your business, start determining your gaps, start creating a program.

    Are there problems that can only be solved with a new product? Probably. But first we start doing things right instead of perpetuating the fraud that we have to constantly rely on others to innovate for us.

    Second – The Orator

    I have performed quite a few talks over my career. I have talked to fairly large audiences (200-300), and I have spoken with small, intimate audiences. Both have different challenges. With those talks, I have had plenty of time to prepare for the presentation. I practiced my talk, polished my slides, and then ran through it again. I have also done Toastmaster-like events where you have a random topic, little time to prepare, and only a few minutes to talk. The Innovation Sandbox has elements of both. Like Toastmasters, you don’t have a lot of time to talk. But like typical talks, you have time to prepare for the talk (i.e. practice), and you have time to polish the message.

      Prepare, Prepare, Prepare – then Prepare Some More

    Bobby Unser (Al Unser’s brother) said, “Success is where preparation and opportunity meet.” What struck me was how little the speakers seemed to prepare, and how badly their presentations were done. Even with this huge opportunity to speak in front of a crowd that could possibly spell success for their company, they did not prepare. I just don’t get that.


    Run the presentation with folks outside your company. Don’t talk in the echo chamber, or all you will get back is people saying it is great, it is wonderful, we’re gonna kill the ball with this presentation. Seriously people, you must let others hear the talk. Get feedback. Figure out where you’re doing stuff wrong, where you can adjust. Figure out how to get your message down in 3 minutes. And some advice: if you let others hear your stuff and they have no criticism, there are two possibilities: your presentation is phenomenal, or you picked the wrong people to listen to your presentation. In the immortal words of Sheldon Cooper, “Of those two scenarios, which one do you think is more likely?”

      Attack the Problem

    Many wanted to talk more about their management team, like a great management team was all your company needs to attract venture capital or get people’s attention. I get that it is probably a factor, but as someone pointed out on Twitter (paraphrasing because I can’t find the tweet): “If your management team is famous, they need no introduction – if they’re not, they still don’t.” In other words, focus on the perceived problem and how you solve it. I had a really hard time figuring out a lot about their companies with the presentations. Most of my questions were answered when folks on the panel started asking their questions. That is fail-city in my book.

    All right, I’m done ranting. I feel clean again. For now…

    Evangelism and Projecting your dislike of religion

    Wake up people, you are falling into the same old theistic behavior that we all as evolved sentient beings should eschew, nay, …loathe. INFOSEC is not a religion and YOU are not the FUCKING POPE ok?

    That’s a quote from Krypt3ia on his blog entitled “Infosec is not a religion”. He says this in his rant about the use of the term “evangelist” in security.

    Krypt3ia is even nice enough to define the term for us. Now I know Krypt3ia is smart enough to know that a term can be used creatively so that it does not fall into the traditional use of the term. But his obvious hatred of religion (displayed by the quote above) doesn’t allow him to get around this, and it is unfortunate.

    Is the term overused? Yes, I think it is. That is why I chose the title “Advocate” instead (thanks to Michael Santarcangelo for the help with the title). Has it turned into a buzzword of sorts? Maybe. But should people who have the title of evangelist be ashamed somehow? No, they shouldn’t. Should people who “take” that title for themselves be ashamed? No. It might be a little corny to take it for yourself, but it is not something to be ashamed of.

    If someone is using the term “improperly to suit your needs of being center stage and telling everyone from the fucking mount what “they” should be doing” as Krypt3ia says, then why is he throwing his bile against only this term? Plenty of people put themselves forward as experts who are far from it, and they don’t always call themselves evangelists. Plenty of people want center stage (I’m not immune to that, and I’m pretty sure Krypt3ia is not immune either if his diatribes are any indication).

    This is really just a case of projection. Krypt3ia doesn’t like religion, and he can’t stand to see the term used so much. It irritates him, so he blows up (he does that a lot, which is part of his charm). And while my use of the term “psychological projection” is not an exact fit for the clinical definition, I think I can use it here to fit my desired message, which is: Get a grip dude. It is just a term.

    An Information Security Place Podcast – Episode 04 for 2012


    Holy crap, we recorded an episode. That’s all I got to say about that…

    Show Notes:

    InfoSec News Update –

    • Howard Schmidt is Retiring – Link Here
    • Vulnerability Stats of Publicly Traded Companies – Link Here
    • Tool Update – Threadfix from Denim Group – Link Here
    • The Mission Impossible Self-Destructing SATA SSD Drive – Link Here
    • The WAF Wars – Link 1 / Link 2 / Link 3
    • PwnieExpress Releases PwnPlugUI/OS 1.1 – Link Here
    • App for scanning faces to gauge age at bars – Link Here
    • Business Logic Testing defined – Link 1
    • ErrataSec – Wants your hotel PCAP Files – Link 1 / Link 2

    Discussion Topic –

    1. Should specific security efforts be validated when the program as a whole is crap? Link Here

    Music Notes: Special Thanks to the guys at RivetHead for use of their tracks –

    Tour Dates:

    1. June 1 – Dallas – Curtain Club

    Intro – RivetHead – “The 13th Step”
    News Bed – RivetHead – “Beautiful Disaster”
    Discussion Bed – RivetHead – “Difference”
    Outro – RivetHead – “Zero Gravity”

    Link to MP3

    An Information Security Place Podcast – Episode 03 for 2012


    Today’s show is Michael interviewing Kevin Riggins. Kevin is an Enterprise Security Architect for a Fortune 500 financial services company. Kevin and Michael have some great conversation about Kevin’s job, what he is doing at RSA, where he blogs, the book he coauthored, etc. (look below in the show notes for links to everything).

    Then a fun discussion starts about cloud, risk, mobility, risk in the cloud, risk in mobility, risk of mobility integrated with the cloud, and so on. Good stuff all around.

    Here are some links to stuff about Kevin and other stuff we talked about in the show.

    • Management Team Member for the Society of Information Risk Analysis – link
    • Coauthor on The Cloud Security Rules – link
    • Kevin blogs at Infosecramblings – link
    • Twitter pages – link and link and link

    An Information Security Place Podcast – Episode 02 for 2012


    Thanks go to Jeremiah Grossman for sitting down with Michael for some great discussion. Jeremiah is the CTO at Whitehat Security and a very well known figure in the InfoSec industry. Jeremiah and Michael talk about Hawaii, sharks, security philosophy, RSA, stage fright, Jeremiah’s TED talk (not published as of the posting of this entry), and the age of the InfoSec industry and whether young folks are coming into the fold.

    You can find Jeremiah at Whitehat (link above) and on his blog, and you can follow him on Twitter as well. Jeremiah will be giving a talk and participating on a panel at RSA as well, so be sure to attend those if you are going to the RSA Conference 2012.

    H.323 “hacking” without coding in 2006

    Recently some news came out from the NY Times and HD Moore, where he was doing some targeted scanning and found a bunch of H.323 videoconference systems open and ready for viewing. What he found was that a lot of these systems are deployed outside of the firewall on the Internet without any security and with auto-answer turned on, and these were sometimes installed in sensitive board rooms, etc. Then along came some videoconferencing guy who said some of HD’s claims were bunk. Then Rapid7 and HD fired back, and yada, yada, yada (you can read a better rundown here at Computerworld).

    What I find funny about this is that this has been an issue for a long time. Back when I was an InfoSec manager, I put in a videoconferencing system in 2006 to facilitate some communication with a sister company. When we set it up originally, I found that there were a lot of issues with putting an H.323 device behind a firewall. NAT broke it pretty easily, and I ended up putting it on the outside of the firewall for a time when we needed to set up a session, and I tore it down immediately after (we ultimately set up a private T-1 between us so we would have no issues – there was some sensitive info going across the line in those sessions). But when I was getting it set up for the first time and doing some testing, I found that the Polycom unit I was using had some test sites already in the address book. So I connected to a few of those to make sure things were working. I even had folks on the other end try to connect to me (yes, there were people on the other side just kinda hanging out. In fact, there were a few sites where it was like, you guessed it, a Google+ hangout – it was kinda fun and weird at the same time).

    But after discovering that, I decided to turn on a bit of Google-fu and see if there were other sites out there that were also open. And again, the answer was yes. Google linked to a lot of sites (like this one) that had a list of “test” H.323 locations ready for connection. But what I quickly found out was that many of these “test” units did not seem to be for testing purposes at all (or maybe they had been at one time, but someone forgot to secure them after they had been repurposed to a “real” site). Many were companies that often had these VC units set up in sensitive areas. Some of these had their audio and connected TVs turned on, and people in the room would notice when a connection occurred. But very often I found that some had their audio and TVs turned off, or the folks in the room ignored the connection signal. Basically, what HD said here:

    …we did prove that most VC equipment provided little or no warning when an attacker dialed into the system. In most cases, the television set is off unless a call is expected. If the television is off, there is little indication that a call is in progress. The reason for this is two-fold:

    First – the base unit, not the camera, is usually what has an indicator that turns on when a call is in progress. The base units are often stashed behind a cabinet, near the floor, or generally out of sight.

    Second – newer cameras (specifically, the Polycom HDX series) are extremely quiet while being panned or zoomed and the only indication they provide is the direction they are facing. We conducted a “blind” test where the conference room VC unit was accessed during a Rapid7 general staff meeting. Twenty minutes into the meeting, nobody had noticed the camera swinging from the rest position to pointing at a participant’s laptop screen, zoomed in to capture his email and keystrokes.

    After connecting to a couple of them and hearing and seeing snippets of very sensitive discussions and realizing that these cameras were very good at zooming into documents, I decided to stop it. I am kinda bummed that I didn’t write about it in my blog back then (at least I don’t remember doing so, and I can’t find it in my archives), but oh well. I didn’t do any cool coding like HD did, and I am pretty sure this would still be a problem today anyway.

    So basically, HD is right, and the VC dude is wrong. This is a problem. I know. I have seen this first hand by my own actions. I heard things that I wish I would not have heard about (maybe that is why I didn’t publish anything back then). Not crazy guvment secrets or anything, but it still was information that I could have used to hurt folks or profit from if I was that kind of person.

    So IT and security folks, take a look at your videoconferencing setups. Realize that there are a lot of bad settings (like auto-answer) turned on by default, so make sure you lock them down. Get them off the Internet. Pay attention to where they are located. This can cause you a big headache.

    [UPDATE: After re-reading my post and after reading the first comment, I want to say something. I am not saying that HD didn’t do something cool, and I am not trying to disparage his work in any way. HD uses code, and he does it very well. I don’t have the mad skillz that he does, and putting those scans together is pretty dang cool. I am glad someone with his platform showed that this was an issue that needed to be addressed. I was merely trying to point out that the issue has been around for a while and that I found it in other ways that didn’t involve coding.]

    Symantec’s latest statement on source code theft

    This is from a local Houston Symantec source, but is widely available to everyone. Current on date of posting. We’ll see what shakes out.

    “Symantec can confirm that a segment of its source code used in two of our older enterprise products has been accessed, one of which has been discontinued. The code involved is approximately six years old. Symantec’s own network was not accessed, but rather that of a third-party entity. This does not affect Symantec’s Norton products for our consumer customers. We are still gathering information on the details and are not in a position to provide specifics on the third party involved. Presently, we have no indication that the code disclosure impacts the functionality or security of Symantec’s solutions. Furthermore, there are no indications that customer information has been impacted or exposed at this time. Symantec recommends that users keep their solutions updated which will ensure protection against any new possible threats that might result from this incident. Given the early stages of the investigation, we have no further details to disclose at this time but will provide updates as we confirm additional facts.”

    A blog post by @m1a1vet

    Security Lesson from A Mouse Story

    I was going through some old blog posts, and one I found contained the following story:

    Mouse Story

    A mouse looked through the crack in the wall to see the farmer and his wife open a package. “What food might this contain?” the mouse wondered. He was devastated to discover it was a mousetrap.

    Retreating to the farmyard, the mouse proclaimed the warning: “There is a mousetrap in the house! There is a mousetrap in the house!”

    The chicken clucked and scratched, raised her head and said, “Mr. Mouse, I can tell this is a grave concern to you, but it is of no consequence to me. I cannot be bothered by it.”

    The mouse turned to the pig and told him, “There is a mousetrap in the house! There is a mousetrap in the house!” The pig sympathized, but said, “I am so very sorry, Mr. Mouse, but there is nothing I can do about it but pray. Be assured you are in my prayers.”

    The mouse turned to the cow and said, “There is a mousetrap in the house! There is a mousetrap in the house!” The cow said, “Wow, Mr. Mouse. I’m sorry for you, but it’s no skin off my nose.”

    So, the mouse returned to the house, head down and dejected, to face the farmer’s mousetrap alone.

    That very night a sound was heard throughout the house, like the sound of a mousetrap catching its prey. The farmer’s wife rushed to see what was caught. In the darkness, she did not see it was a venomous snake whose tail the trap had caught. The snake bit the farmer’s wife. The farmer rushed her to the hospital, and she returned home with a fever.

    Everyone knows you treat a fever with fresh chicken soup, so the farmer took his hatchet to the farmyard for the soup’s main ingredient. But his wife’s sickness continued, so friends and neighbors came to sit with her around the clock. To feed them, the farmer butchered the pig. The farmer’s wife did not get well; she died. So many people came for her funeral that the farmer had the cow slaughtered to provide enough meat for all of them.

    The mouse looked upon it all from his crack in the wall with great sadness.

    So, the next time you hear someone is facing a problem and think it doesn’t concern you, remember: when one of us is threatened, we are all at risk.

    I posted that back in 2006 (crap, I am getting old), and I said it had some security points. But the post also said that I was hungry when I was writing it (coincidentally, I am hungry right now also – huh, maybe I’m just always hungry…), so I didn’t break those down. Well fans, let me remedy that situation now. Here’s the lesson:

    Your insecurity affects us all. If you know there is a security problem (whether that be by your own discovery or through someone else warning you), and you have the power to either fix it or influence someone who does have the power, then get ‘er done.

    I know there are all kinds of caveats to that as far as risk, process, etc. But the raw edge needs to be there. Ignoring a problem does not make it go away. In today’s world of hacktivism and hacking for hire, there are just too many attacks coming from too many angles. Test, fix, retest, fix, retest, fix, and so on. Stop screwing around.

    This rant brought to you by @m1a1vet

    An Information Security Place Podcast – Episode 01 for 2012


    Wow! 6 months…and 2 job changes later, we are finally back to recording! YEAH!…Here is the latest show from our intrepid hosts.

    Show Notes:

    InfoSec News Update –

    • The Hacker News Hacking Awards : Best of Year 2011 – Link Here
    • Japan’s Anti-Virus Virus – Link Here
    • Nginx (pronunciation: “engine-ex”) becomes #2 web server
    • Saudi hackers break into Israeli site – Link Here
    • 3 Surefire Ways to Tick Off an Auditor – Link Here
    • OWASP AJAX Crawling Tool – Link1 / Link2

    Discussion Topic – 2012 Breach Report

    1. Care2 Discloses Breach; Company Has Nearly 18 Million Members – Link Here
    2. AntiSec hit California and NY Law Enforcement Sites – Link Here
    3. Anonymous Nabs 50,000 Credit Card Numbers From Security Think Tank – Link Here

    Music Notes: Special Thanks to the guys at RivetHead for use of their tracks –

    Tour Dates:

    1. Jan 6 – Dallas – Curtain Club
    2. Jan 27 – Dallas – Trees
    3. Jan 28 – Dallas – Trees
    4. Mar 2 – Dallas – Curtain Club – 7th Album CD Release Party
    5. Mar 3 – Houston – BFE Rock Club
    6. Mar 24 – Fort Worth – The Rail Club
    7. May 5 – Dallas – Renos Chop Shop

    Intro – RivetHead – “The 13th Step”

    News Bed – RivetHead – “Beautiful Disaster”

    Discussion Bed – RivetHead – “Difference”

    Outro – RivetHead – “Zero Gravity”

    Link to MP3

    Quit publishing my info. I said stop! Now!

    My wife and I homeschool, so we include our kids in a lot of extracurricular “stuff” to hopefully keep them well-rounded. One of the things my oldest son does is take a Lego engineering class at a small local school that caters to homeschoolers.

    Last year, when we first signed up for the school, we found out that they published a report on the Web that listed the personal information (names of parents and kids, emails, street address, phone numbers, etc.) of all the families of the attendees. This was meant to be a resource for the attendees of the school, which is somewhat understandable since the homeschool community is fairly close knit. But when I saw that our info was included by default, AND that the report was secured by just a password, AND that password was emailed to everyone on the list, I kinda freaked a bit. So my wife sent out an email requesting that our info be pulled from the list.

    I honestly expected a fight of some kind since I have seen small groups like this that just don’t get security and that a password just ain’t enough, but I was pleasantly surprised to find that they complied immediately with the request. All’s fixed, right? Well, it was for a few months. Now they are publishing a new list. But no big deal, right? We’ll just request to be removed again, right? Nope. Now they are acting as I expected them to last year. They are pushing back because, in their words, “they don’t have the time to reformat the report”. In fact, the email response in general was completely rude.

    So I thought I would send off an email to them with a little bit of attitude of my own.

    As to the matter of this directory, the last time the database was published, my wife and I were given the option of having our personal information deleted from the report. When we opted to be removed, there was no argument about whether or not anyone had the time to remove this information, and the request was acted upon quickly. So you can imagine our surprise when we received your reply when we asked to be removed again.

    I understand that it takes time to format the report, and I understand that you are busy. But as a parent that pays tuition to your school, I fail to understand how this request can be so blatantly refused. In fact, I fail to understand why the information is needed by anyone outside of the staff at the school. If other parents have requested this information, then it should be provided on an opt-in basis, not by default.

    While it may seem paranoid to you that we do not wish to have our personal information included in this database, I hope you understand our concern for privacy in this day and age. My career is in information security, so I know on a technical level how easily this type of report is compromised, and how the personal data can be misused.

    Please remove our personal information from the report at your earliest convenience.

    We’ll see what comes back.

    Viewing InfoSec from another angle – a personal reflection

    A while back I tweeted about my acceptance of the Security Technology Advocate role at Accuvant.

    To be clear, I am not going to be fully transitioned into the role until Jan 1, 2012. But I have been doing some work in the new gig, and I have already experienced a lot of changes on how I approach security and how I view my chosen profession. Let me ‘splain.

    So part of my new role entails evangelizing Accuvant to the world. And one of the ways I will do that is to create content for the world to see, meaning blog posts, podcasts, webcasts, etc. And the best thing about creating that content is that I have a near endless source of expertise from Accuvant. We have l33t peeps from all angles of InfoSec, including security research, risk, compliance, network and web app pen testing, security technologies, secure infrastructure, development, and on and on (you can go view some of this material at – forgive the shakiness please).

    And while this is rewarding, it is also giving me a way of looking at InfoSec that I never have had before. What I mean by that is that I have almost always been an active part of InfoSec. I have either been a security consultant, engineer, or manager. I have had to delve into the world because I was immersed in it by necessity. I was looking for ways to improve my security or the security of others. I was looking for solutions to problems that plagued me or others. And while that entailed often talking to experts, be they from Accuvant or somewhere else, I was usually viewing their input as directly related to fixing something that was broken. And while I have interviewed a few folks over the years for the podcast or blog, I still was thinking of how their answers applied to issues with which I was dealing.

    But now, for the first time, I am not always talking to security experts for the direct purpose of solving a problem (well, I am solving the problem of needing content to perform the duties of my job, but you get where I am coming from hopefully). I am talking to them to get opinions on topics that are relevant to the topic of security in order to solve the problems of others with whom I do not have a direct relation. Does that make sense?

Let me use Charlie Miller as an example (cuz he’s famous and stuff). I interviewed Dr. Miller a few months back at DerbyCon. It was a fun interview comparing iOS and Android security, and I approached it as one security professional talking to another security professional. But at the same time, it struck me that I was not really talking to Charlie as a fellow security professional in the traditional sense. I was not getting information from Charlie to take back to a client. I was simply performing an information gathering task for the purposes of indirectly giving other folks information. I was not going to directly take that data and apply it to a problem on which a client or I were working. I was going to let others do that. I was now becoming an “information broker” of sorts (most of what I have read defines “information broker” as someone who finds and provides analysis of the information, which I have not really done to this point).

I am not sure if the impact of this is coming out in this article. It is kind of difficult to define this feeling if you the reader have not been there (or maybe it isn’t difficult to define and you are nodding your head and saying “dang, this guy is writing down some awesome thoughts here – I wish I could be that awesome”). And I know that Brian Krebs, Bill Brenner, and folks like them that do this all the time (albeit much better than I), will be expressing a collective “duh”. But it really has made a difference in how I see the industry, even in just a short period of time.

    Honestly, though I say it has affected how I view the industry, I really don’t have a grip on what those effects will be yet. I don’t know what this will do to my career. I sincerely do not want to move out of being an information security professional, so I will do my best to keep up my skills to some degree. And I don’t know how this will affect how I approach problems in the future, or how I will interact with people who ask my advice on security issues. I mentioned two of the top journalists in the InfoSec field above. To the best of my knowledge, neither of them were security practitioners before they started covering InfoSec (that is not meant to be a knock on either of those gentlemen – both have my highest respect). So it makes me wonder how that will affect my approach.

    Will it make me ensure that those experts I interview know of my experience before we talk? In the past, I experienced disdain from “experts” during interviews when I was wearing a press badge at a conference. I wanted deeper insight, so I asked very technical questions that they were not used to getting from journalists, and that made them change the way they looked at me pretty quickly (and prompted a couple of “who are you” kind of questions).

    I’m just not sure yet. But however I move forward, I am excited about the change.

    Be an InfoSec Berean

    In the Bible (no, this is not a sermon – yes, this is InfoSec relevant), there was this group that Paul ran into called the Berean Jews. (Acts 17:10-15 if you want to look it up). These Bereans were shown in the scriptures to be diligent people who checked the facts. Verse 11 says:

    Now the Berean Jews were of more noble character than those in Thessalonica, for they received the message with great eagerness and examined the Scriptures every day to see if what Paul said was true. (emphasis added)

    So basically, the Bereans were not going to accept anything at face value. They immediately went back to scripture and checked out to see if what Paul was saying was true, and then they made up their minds.

Now what got me thinking about this particular group and how it applied to InfoSec was the article at Infosec Island by Scot Terban entitled “Infosec: The World’s Largest Rube Goldberg Device”. Scot has some pointed things to say about the different vendors and “experts” selling their toys and wares in the industry, and his points are good. But this theme has been in InfoSec (and other industry) blogs since I started reading them (I have written a few myself): do not fall for the sales pitch and the marketing.

This is just good common sense, right? Then why in the name of Mordor do we have to keep saying this? Is this for the benefit of the new folks in the industry? Is this because people just like a good rant session? Is it because someone STILL has not learned this lesson? Is it because there are a lot of lazy folks out there?

Now I am not hitting Scot here. I have zero problem with him writing the post (and in fact, his overall theme was not about this really at all). It just struck me that if you have to be reminded to be an “InfoSec Berean” when the sales person calls or when you read an article comparing different technologies, then you are wrong. No, we don’t have a convenient set of scriptures to go to (except for NIST or something like that, which Scot points out). This is more about doing your due diligence to prove or disprove claims made by sales or marketing. Get some documentation. Get some references. Do a proof of concept (not always practical, I know). Make sure there is proof of the claims. Don’t accept it at face value, just like the Berean Jews.

    And, in my finest adult-preachin-at-you voice, don’t make me tell you again!