An Information Security Place

Commentary on the State of Information Security

Archive for May, 2006...

Filed under Pre-Categories

I recently made an important self-discovery: I have an addiction to appliances.

Let me explain that this addiction is three-fold. First, I love the compactness and ease (at least it is supposed to be easy) of inserting an appliance into my network and having it already set up to do what I want it to do. Sure, I have to configure it, but at least I don’t have to build a server, then harden it, then apply all the patches, then install the software, blah, blah, blah… It just makes things easier. Second, I love the web-based administration most of these appliances have. I hate client-server based admin apps. They just suck the resources right out of your management station. Third, I am a sucker for a dashboard. Nine times out of ten, these devices have a cool administration dashboard that gives you a LOT of info on a single startup page, and that page (if developed correctly) allows you to drill down from there.

I really need to look at this. My administrative costs are shooting sky-high, even with a security event management appliance (yes, another appliance!).

Sheesh…

Vet

Posted by Michael Farnum on Wednesday, May 31st, 2006

Filed under Pre-Categories

There seems to be a little confusion on what versions of Symantec AV are vulnerable. SANS posted some info to help clear up the confusion.

Vet

Posted by Michael Farnum on Wednesday, May 31st, 2006

Filed under Pre-Categories


Found a link to a very funny story. Apparently, some guy sold a laptop via eBay, and he seriously misrepresented (lied about) the state of the laptop, then refused to refund the money. But the fraudulent seller left a bunch of personal data on the drive, including bank account info and pictures. Now the jilted buyer is getting back BIG TIME!

It may be funny, but this definitely teaches another lesson: everybody needs to have some security awareness.

NOTE - WARNING - CAUTION - DISCLAIMER: Though the pictures are generally safe, some may be found offensive - YOU HAVE BEEN WARNED! Here is the site.

Vet

Posted by Michael Farnum on Tuesday, May 30th, 2006

Filed under Pre-Categories


Got this from Darknet. This is so sweet.

Vet

Posted by Michael Farnum on Tuesday, May 30th, 2006

Filed under Pre-Categories

There are a lot of recent posts on Botnets with some great examples of security guys screwing with these scumbags. Since Christian at Limited Exposure already posted some links, I’ll be lazy and link to his post.

Vet

Posted by Michael Farnum on Tuesday, May 30th, 2006

Filed under Pre-Categories


Mike Rothman talks about defense-in-depth in his Tuesday edition of the Daily Incite. He makes the following comment:

I’m a fan of layers (which maybe makes me a security dinosaur)…

Well Mike, if that makes you a dinosaur, then just call me Secureasauras. I am right there with ya’. I still think there is no alternative to defense-in-depth. My basic thought about this issue is this: hackers follow trends. If you start dropping the layers, then hackers will start attacking on that level. Keep the layers, and also look at new defense technologies.

I talked about this some on my RSA Conference post.

Vet

Posted by Michael Farnum on Tuesday, May 30th, 2006

Filed under Pre-Categories

Have some of these…

but remember that the day is about them…


Vet

Posted by Michael Farnum on Friday, May 26th, 2006

Filed under Pre-Categories

Go check this out. Too funny.

Vet

Posted by Michael Farnum on Friday, May 26th, 2006

Filed under Pre-Categories

I have mentioned Martin McKeay quite a bit in my blog postings as a friend and a top-notch security professional and blogger. Well, Martin is definitely getting some well-deserved recognition out there for his blogging and InfoSec skills.

Martin has been quoted twice in two days on two different subjects by SearchSecurity.com. Yesterday he was quoted from his ComputerWorld blog post on the new open source replacement for Blue Security, called Black Frog or Okopipi.

Today he was quoted again at SearchSecurity.com from his post on the stolen Veterans’ records.

Congrats Martin.

Vet

Posted by Michael Farnum on Friday, May 26th, 2006

Filed under Pre-Categories

Darknet.org is reporting about a serious flaw in Symantec Enterprise AV products this morning. They link to this advisory at eEye. There is a very serious threat of a worm taking advantage of this. eEye reported this flaw two days ago, but I see nothing on Symantec’s site so far about this flaw. That concerns me.

What struck me about this flaw is that eEye is not really reporting any details on the problem. I was mulling that over when I read Mike Rothman’s post about it (nice title, Mike). Go read it. It gives great perspective on the issue and some insight as to where the security community is going.

Vet

Posted by Michael Farnum on Friday, May 26th, 2006

Filed under Pre-Categories

I just recorded and am posting my first podcast. It is a podcast for the Ira Winkler and NSA post from today, so it will be attached to that post in an update.

I don’t want to pay for a service yet, so I am doing it via archive.org. Downloads are slow from there, so I will keep the podcasts small for now. Also, the podcasts won’t be much more than a regurgitation of the post to which it is attached. I hope to move more into a discussion type of model like Martin McKeay’s Network Security Podcasts, but I am going to move kinda slow. Let me know what you think.

Vet

Posted by Michael Farnum on Thursday, May 25th, 2006

Filed under Pre-Categories

Here is an interesting article by Ira Winkler at Computerworld. I know it goes against my opinion of this issue, but when I see Bruce Schneier, Ira Winkler, Martin McKeay, and Alan Shimel all having alternate opinions, I have to make sure I have looked at this closely enough.

I think Mr. Winkler has hit this harder from a legal standpoint than I have seen from most security professionals who have weighed in on this. And if you look at my post on this, you will see that my only real hangup with this program is that they did not search out warrants for this information. I have heard many legal arguments for and against this program. I am not a lawyer, but I have to say that many of the people making legal arguments defending this program have had to stretch a little to make their case. I really don’t know why this administration could not have gone to FISA with this. Maybe from the political side they knew they would get blasted by the media if they got warrants for this, and they hoped this would not get leaked if they did it on the sly. I just don’t know. I do know that that argument does not excuse it.

What I do know is that the more research I do on this, the more I see that the NSA is collecting mass quantities of data on what appears to be our citizens, and that is not good because it can be used for nefarious purposes. With the gathering of phone numbers and possibly gathering of Internet traffic from major carriers, it all gets to be just too much.

What I don’t agree with Mr. Winkler on is the allusion to Hitler or Stalin when concerning this current administration. I don’t think George Bush intends on using this for anything other than legitimate purposes. You can call me naive, but that is what I believe. However, I am not so naive that I believe there are no other people in the current administration or future administrations that would use this data outside of what the President intended, so it still makes it scary.

The one thing that still stops me from outright damning this whole NSA spying program is this: what else are we supposed to do? How can we catch these terrorists who are among us (and I think Mr. Winkler is being naive by not taking this threat seriously enough - “We have snakes in our midst, yet we are chasing a mythical beast with completely unreliable evidence”) without gathering intelligence in this way? I do not believe this evidence is useless. I think you gather whatever you can, and then you analyze it. I have never been, and I doubt I ever will be, an NSA analyst, so I am probably WAY over my head when going against Mr. Winkler on this. But if shredding through mass quantities of evidence yields results, then you have to defend it to some degree. Believe me when I say that if Mr. Winkler would show me that this is not true, then I would be more than willing to listen and change my mind if convinced.

Basically, no one I have read in the security field has proposed a better solution. It is very difficult to nail these scumbags down without some leeway in gathering evidence. As I have said, this is a different world, and we have to do things differently.

So I am riding the fence more than I was. I want to catch the terrorists, and I don’t know how else to do it, but I really am worried about the amount of evidence the government is gathering on me. I guess only time will tell which way I go on this.

[Update]: Listen to a podcast of this post. Please be patient for download.

Vet

Posted by Michael Farnum on Thursday, May 25th, 2006

Filed under Pre-Categories


Read this article from Computerworld. Red Cross is warning 1 million donors that they may be vulnerable to identity theft because of a single person who stole the social security numbers and other personal information of 4 donors and used the info to open credit card accounts and make purchases of over $1,000.

The article says:

The thefts occurred when the former employee, a telephone blood-drive recruiter, entered random numbers of past donors into her 8,000-donor database, then was able to access the names, Social Security numbers, phone numbers and birth dates of potential victims. The database uses unique donor numbers to store records for each person, and by entering random numbers, the recruiter was able to access the records of the four victims.

I have to commend the Red Cross for their remediation actions. The Red Cross quickly learned their lesson and fixed this problem (“Only names, phone numbers and birth dates are now accessible by blood drive recruiters”). Moreover, even more kudos go to the Red Cross because they have gone much farther than they needed to by warning 1 million donors, even though it is likely that the breach is limited to the 8,000 donor records to which this criminal had access.

So, even though there was a failure of the principle of least privilege, the Red Cross seems to have done a very good job in remediation. Now I hope they move forward to take a look at their database security and security in general to stop this from happening again.
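As an added illustration (my own example, not Red Cross code and not from the article), here is what the two halves of that story look like in Python: a lookup keyed by donor number that hands back the whole record to anyone with a valid number, beside a role-scoped lookup that gives recruiters exactly the post-incident field set and logs every lookup so that a run of random-number guesses is visible. The donor records, role names, user ids and miss threshold are constructed assumptions.

```python
"""Field-level least privilege for a donor lookup, plus enumeration detection.

Added example, not Red Cross code. Models the failure the article describes
(any valid donor number returned the full record, SSN included) and the fix it
reports (recruiters now see only names, phone numbers and birth dates).
All donor data below is constructed.
"""
from collections import Counter

# Constructed sample records, keyed by a unique donor number as in the article.
DONORS = {
    1001: {"name": "A. Donor", "ssn": "000-00-0001", "phone": "555-0101", "birth_date": "1970-01-01"},
    1002: {"name": "B. Donor", "ssn": "000-00-0002", "phone": "555-0102", "birth_date": "1981-02-02"},
    1003: {"name": "C. Donor", "ssn": "000-00-0003", "phone": "555-0103", "birth_date": "1992-03-03"},
}

# Fields each role may read. The recruiter set is the one the article quotes;
# the "compliance" role is an assumed example of a role that legitimately needs more.
ROLE_FIELDS = {
    "recruiter": frozenset({"name", "phone", "birth_date"}),
    "compliance": frozenset({"name", "phone", "birth_date", "ssn"}),
}

# Append-only list of (user, role, donor_id, hit) tuples; feeds the detector below.
ACCESS_LOG = []


def lookup_donor_unscoped(donor_id):
    """The 'before' behaviour: any valid donor number yields the whole record."""
    return DONORS.get(donor_id)


def lookup_donor(user, role, donor_id):
    """The 'after' behaviour: project the record onto the role's allowed fields.

    Every call is logged whether or not the id exists, so random-number
    guessing leaves a trail even when it misses.
    """
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        raise PermissionError(f"unknown role {role!r}")
    record = DONORS.get(donor_id)
    ACCESS_LOG.append((user, role, donor_id, record is not None))
    if record is None:
        return None
    return {k: v for k, v in record.items() if k in allowed}


def flag_enumeration(log, miss_threshold=3):
    """Return users whose misses (lookups of non-existent ids) reach the threshold.

    A recruiter working from a call list looks up ids she was given; a run of
    misses is the signature of guessing. The threshold is an assumed tuning value.
    """
    misses = Counter(user for user, _role, _id, hit in log if not hit)
    return {user for user, n in misses.items() if n >= miss_threshold}


if __name__ == "__main__":
    for guess in (1001, 4242, 7777, 9999):
        print(guess, lookup_donor("recruiter-7", "recruiter", guess))
    print("flagged:", flag_enumeration(ACCESS_LOG))
```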

Vet

Posted by Michael Farnum on Thursday, May 25th, 2006

Filed under Pre-Categories


Bravo to Mr. Schneier and Mr. McKeay on their posts (here and here) about the Diebold election machine security flaws.

The Diebold guy says that no “evil and nefarious election officials” exist. Uhhh, yeah, right. Nice try.

This one deserves another sheesh.

Sheesh…

Vet

Posted by Michael Farnum on Wednesday, May 24th, 2006

Filed under Pre-Categories

As I noted in my previous post, I won’t use third-party patches. However, if I did, I would use an ACTUAL PATCH, not a registry hack.

This article at DarkReading.com talks about a patch for the flaw. It is not a patch; it is a registry hack or tweak. It is essentially the same thing Microsoft suggests by running Word in safe mode.

Come on, guys. Sheesh…

Vet

Posted by Michael Farnum on Wednesday, May 24th, 2006

Filed under Pre-Categories

I just read this interview by ComputerWorld with Bret Arsenault, Microsoft Corp.’s chief security advisor. Though I have had some complaints about Microsoft’s release timings in the past, I think I agree for the most part with their current system. Sometimes a month is a long time to wait, but as long as the threat is low, I can wait.

I won’t use third-party patches. I just think they are too risky, and I don’t want to have to clean up something later, so if the threat potential is not too big, I will wait. I want the patch to be quality, and Microsoft has done a great job for a while now with the quality of their patches.

I don’t agree with his idea that people will be protected if they just keep their AV signatures updated. Those protections won’t guard against a zero-day attack, which (as far as I am concerned) is upon us.

Of course, a quicker patch won’t protect us against that either. So I do agree that a defense-in-depth strategy is the best way. If you have a good IPS and AV, they should both come out with signatures fairly quickly. If you segment well, then you can stop the spread of this type of attack. If you, if you, if you… kind of endless, but it is still the best way to protect your organization.

Vet

Posted by Michael Farnum on Wednesday, May 24th, 2006

Filed under Pre-Categories

Type a math problem in Google (square root of 144 or something) and see what happens. I didn’t know about Google Calculator.

I discovered it because I had a brain fart on how many weeks there were in a year (go ahead and laugh). So I typed in “how many weeks in a year” in Google, and I got this.

I know, I am easily entertained.

Vet

Posted by Michael Farnum on Wednesday, May 24th, 2006

Filed under Pre-Categories

Just read this article about CMP sites getting “turked” (maybe I should get a copyright on that term…hmmm). The CMP IT staff said the fix was “nothing phenomenal, pretty run of the mill.” I found this comforting and disconcerting simultaneously.

I found it comforting because I heard some speculation that this Turk was possibly using a zero-day to attack these sites. It looks like this dispels that theory.

I found it disconcerting because the “…flaw came from some old code from a third-party vendor, which apparently had been overlooked on previous security audits.” I know they don’t want to give away what they use, but I want to know what it is in case I have something running it.

Vet

Posted by Michael Farnum on Monday, May 22nd, 2006

Filed under Pre-Categories

Martin McKeay just posted a link to this article. Looks like “the material represents personal data of all living veterans who served and have been discharged since 1976”. Well, that includes me, my buddy Martin, several of my family members, and every friend that I served with.

John Kerry said he was going to propose legislation to have the VA pay for credit monitoring for all those affected. I won’t hold my breath until that is passed.

Here is a direct link to the FAQ page on www.firstgov.gov. I have an issue with a few things on this page:

1. Some spouse information was also on the laptop. If / when they pay for monitoring, are they going to include the spouses?

2. “…the VA is taking all possible steps to protect and inform our veterans.” That’s a load of crap. If they were, they would be paying for monitoring now, no questions asked.

3. They suggest 4 steps to take if you suspect suspicious activity on your accounts. I don’t see anything in there about contacting the VA. They give a 1-800 number to call about this, but it looks like it is for info only. Hmmm… Guess they don’t want to know.

Yea, this looks like a boondoggle.

Vet

Posted by Michael Farnum on Monday, May 22nd, 2006

Filed under Pre-Categories

This is a pretty good article at Information Week about the power of analyst blogs. Since I am fairly new to the blogging world (at least as a new contributor), I am still being amazed at the power that bloggers can wield.

Vet

Posted by Michael Farnum on Monday, May 22nd, 2006

Filed under Pre-Categories


Martin McKeay just posted about this article. Martin says that he is a veteran and that he is concerned about his records being compromised. I am a veteran as well, so this concerns me greatly. I wonder if they have ANY idea of whose records were on that laptop.

Sheesh…

Vet

Posted by Michael Farnum on Monday, May 22nd, 2006

Filed under Pre-Categories


Somebody used a small botnet and Adsense to generate some dollars. Go here to read about it. Here is another one.

Vet

Posted by Michael Farnum on Monday, May 22nd, 2006

Filed under Pre-Categories

This post is just crazy.

Vet

Posted by Michael Farnum on Monday, May 22nd, 2006

Filed under Pre-Categories

Christian Koch at Limited Exposure posted on NAC this morning. It has some good resource links.

He talks about Alan Shimel at StillSecure, whose product looks good. Christian says he will be writing a review of StillSecure soon. I am looking forward to that, since I am planning on testing their product as well.

Vet

Posted by Michael Farnum on Monday, May 22nd, 2006

Filed under Pre-Categories

SANS published some updates to their post following the Word vulnerability. It has some good resource links.

Vet

Posted by Michael Farnum on Monday, May 22nd, 2006

Filed under Pre-Categories

Stay safe. See you on Monday.

Vet

Posted by Michael Farnum on Friday, May 19th, 2006

Filed under Pre-Categories

I haven’t read the full article yet, but I thought it needed to be posted.

Vet

Posted by Michael Farnum on Friday, May 19th, 2006

Filed under Pre-Categories

Martin McKeay doesn’t agree with me on the NSA issue, and, as I pointed out in my last post, neither does Bruce Schneier. Martin just sent me an email and pointed out Bruce’s latest article at Wired News. I know a lot of people who do agree with me, and I know a lot of people who don’t.

And that is what makes this country great: Martin and I can disagree and still be friends. Of course, Martin will be carted off to jail when the NSA, FBI, CIA, and the Secret Service find out that he disagrees with President Bush, so it won’t matter in a few days. :-)

BTW, if you read the “My Blog” post, you know that I do not want to discuss politics or religion here. Strictly security talk. So I am really not taking a political stand here. I just don’t believe this is a big deal.

And in all seriousness, I have nothing but the highest respect for Martin McKeay and Bruce Schneier.

Vet

Posted by Michael Farnum on Thursday, May 18th, 2006

Filed under Pre-Categories

What is the big deal about the NSA collecting information and determining dialing patterns?

I was reading this column at Security Focus, and it brings out some great legal points and gives some really good information (even if it did make my eyes cross at times). But Mr. Rasch did not attempt to conceal his ire at the government for collecting these records, so his attempt at giving legal recourse advice was tainted from the start. Here’s a quote:

“If any of these telephone numbers were located in the United States, the NSA would then attempt to learn what these numbers were, and who these people had called. Thus, if you operate a local Dominoes pizza, and received a call from someone who received a call from someone who the government suspected was associated with a terrorist, then Dominoes would make it to the list of suspects.”

That is ridiculous to the extreme. This whole reaction is just another knee jerk among the media and information security professionals. The former only cares about selling papers, and the latter just needs to calm down and look at this with some common sense (remember, I am one of you, so I have this tendency to freak about these things as well).

I don’t have a law degree, nor do I have the time to pore through case files to attempt a determination of the legality of the NSA “spying” program. Though I would have liked to see the Bush Administration get warrants for these requests, I can’t say that this whole thing bothers me much. Why do I care if the President knows that I called my mother last Sunday? Why do I care that some analyst at the NSA knows I called the video store to see if they had Chicken Little in stock (good movie, by the way)?

One person I expect has looked at this closely is Bruce Schneier, and I am sure he has. Yet he still surprises me with his look at this. I understand why he might call this “unchecked military and police power”. But when he quoted Matthew Yglesias’s ridiculously paranoid and simply shameful post, I actually lost a little respect for his analysis of this.

We have to look at today’s world from a different perspective. We are at WAR. So many people seem to forget that. And we are at war with cowards who have NO compunction against using technology to kill you, me, my children, your children, and anyone else who they deem as “infidels”. These are people who will use a computer just as quick as using a suicide bomber. How do we fight that with our slow system of checks and balances? I know our governmental system is the best in the world, but IT IS SLOW. That is not a knock against it, just a realistic observation. I might be going down a slippery slope here, but isn’t everything a slippery slope? I just don’t know how we can win this war (remember, this is not a war isolated to a single country or just one region of the world) and keep our people safe by slowing down or killing our intelligence gathering abilities.

Just keep in mind that this is not the collecting of personally identifiable information. This is not the tapping of phones and listening to every citizen’s calls. This is not the NSA knowing anything about you that is not already known to someone else. These “reports” that suggest that this may be something more are typically just conjecture. If hard evidence arises that George Bush will be listening to the call I am about to make to my wife, then I will be upset. Until then, I don’t care that he knows I called her.

Update: I have since posted about this again, and I am riding the fence a little more than before.

Vet

Posted by Michael Farnum on Thursday, May 18th, 2006

Filed under Pre-Categories

I am really starting to take a hard look at this security convergence issue. Many committee members at TRISC seem to recognize this, so they invited a few physical security folks to speak. I saw both of the presentations, and they were very interesting. I liked the respect given to information and network security by the physical security people, and I believe the physical security people deserve that respect right back from us on the IT side.

These stovepipes need to be broken down so we can move forward. Regulations are starting to make this necessary, but many “old school” people on both sides are going to try to hinder this (mainly from the organizational level, since there are some standards coming out to address this).

I will have some more thoughts on this later as I look more deeply into the subject.

Vet

Posted by Michael Farnum on Thursday, May 18th, 2006