An Information Security Place

Commentary on the State of Information Security

Archive for October, 2006...

Filed under Business of Security, Managed Security, Outsourcing, Security, Security Consultation, Security Management

Everyone seems to be commenting on the Counterpane acquisition by BT.  But unlike most of the “analyst” type comments out there (here, here, and here), I want to comment about this acquisition from my not-too-long-ago viewpoint of a security manager.

First of all, with all respect to Mr. Schneier, I was never impressed with Counterpane.  They pitched to me about a year ago, and I was singularly unimpressed to say the least.  The sales person talked like she had been on the job about a week.  I don’t mean to be nasty.  Maybe she had not been there very long and was just learning the ropes, so this might not be a fair critique (another thought - maybe she was just too stunned by my dashing good looks to get her thoughts collected - hmmmm).  But no matter what the case, she really seemed to have zero clue as to what she was saying.  And I expected a little more from Counterpane.  That was my first clue that they were not doing too well.

Also, about a week after our meeting, she called and basically went through the whole sales pitch that she should have gone through when she was face-to-face with me.  So one of two things was happening: 1) either my suspicion about my stunning good looks is correct and she had no problem when she didn’t have to see me (though my voice is nothing to sneeze at, I tell ya’!), or 2) she didn’t receive any sales training before she was thrown to the lions.  If the latter reason was the case, then that also did not show positive for Counterpane.

And while the engineer she brought along seemed to be knowledgeable, he also could not tell me what exactly brought Counterpane to the forefront in the field besides some reference to them pioneering the field (and what I talk about in my second point).  They just didn’t have anything that floated to the top.

The point is that an MSSP is an MSSP is an MSSP.  In the finer points of the trade, that statement is probably not totally true.  But in general, they all do the same thing.  So you have to have some fine point that makes you different, better, or just cooler.  And they did not have it.  By the way, I also met with LURHQ and Solutionary.  They all had somewhat the same stuff.  Honestly, of all of them, LURHQ had the best sales pitch and seemed overall better than the other two.

Second, as to Alan Shimel’s comment that “Counterpane was not a professional services company”, I would say that I think he forgot to tell them.  First, just look at this page from their website.  Second, when they talked to me, they seemed to want to push their professional services down my throat.  They seemed to focus on that during a great part of the meeting, maybe even more so than their MSSP services.  This is what they seemed to think gave them the edge (I alluded to this above in point 1).  And I honestly got the feeling that was a key area that they were trying to develop heavily and on which they planned to spend some focused resources.  Maybe I put too much stock in what a couple of sales types were pitching.  Maybe they just picked up on something and thought they should pitch that side heavily.  But the way they spoke of it, I was literally waiting for an announcement with them changing focus.

Before I go on, I have to admit that this next point is a little bit “analyst-ish”.  I ask forgiveness from the people in the trenches.  OK, here goes…

Third (and this is again with all due respect to Mr. Schneier), you cannot bank your business on a hero figure, even one such as Bruce.  Yes, he is a security master and a legend.  Yes, he is brilliant.  Yes, he could whip Chuck Norris in a fight (uhhh, went too far - sorry).  But that really can only carry you so far.  You have to produce and keep producing.  You have to differentiate, especially in a field where most of your competitors are offering essentially the same services.  A name just is not enough.

So, that’s my take on the deal.  I honestly was not at all surprised to see this happen.  I think BT is basically doing what the market is demanding, and they went the cheapest route possible.  No more, no less (crap, another analyst comment - I need to watch that).

Vet

Posted by Michael Farnum on Thursday, October 26th, 2006

Filed under Crime, Defense in Depth, Physical Security, Rant, Security, Sheesh

I’ll be the first one that says TV shows and movies are hardly based on reality.  But when they screw up something that is near and dear to me, I get very upset. 

For instance, I was in the Army and Army National Guard for over 7 years.  Though I was never a career soldier, I still took it seriously, and I still do today.  Maybe too seriously.  I get very upset when I see a TV show or a movie that screws up things like rank insignia (Army sergeant rank on upside down in some sitcom I watched) or basic military rules (you do NOT salute indoors unless you are reporting to an officer - that mistake is in too many military movies).

This feeling also bleeds over big time into my chosen profession of information security.  There is a new show on NBC called Kidnapped that I have been watching and enjoying for the last few weeks.  Basically, it is about a rich family’s son getting kidnapped and the family trying to get him back.  There are all kinds of twists and turns in the plot.  The dad used to be into some bad stuff, so it seems to revolve around someone getting back at him or trying to get some stuff from him. 

Anyway, last week the family’s hired gun (ex-military, police dude, etc.) gets asked by the FBI for help.  They want him to apply for a job with a civilian-run military company (basically, mercenaries) that supposedly has info on some people they think are involved in the kidnapping.  The guy goes through some weird psych-interview, then he is placed in front of some computer by himself that has a program running with pictures flashing.  The guy looks around, then easily opens some access panel to the PC and inserts a “remote control” device in some very conveniently-placed access port.  Of course, I am thinking, “where are the cameras that should be watching this guy?”

Then, as the agent outside in the FBI van (real unique, right?) takes over the running of the program, he runs down the hall, guided by the blueprints of the inside of the building (which that type of company probably just publishes on the Internet) and strolls into the server room with no challenge and no lock on any door that I can see.  There are racks of servers, switches, etc.  Then he sticks another device in the “mainframe”, and away they go.

He does get caught, but it was only because another agent ran in the building and called a security alert in a ploy to get the main bad guy to start erasing sensitive files.  They capture the screens (with all pertinent information on the first screen - nice, huh?), thus saving them the effort of searching through records.

Yea, ok, right.  I know it probably shouldn’t bother me, but that just pisses me off.  At least TRY to make it somewhat real.  I think even a layperson without security experience would probably be thinking, “where’s the security here?”

Sheesh.

Vet

Posted by Michael Farnum on Monday, October 23rd, 2006

Filed under Open Source

Take a look here.  I’m thinking about this one.  It is more from a server management and admin perspective, but it is really worth looking at.

Vet

Posted by Michael Farnum on Monday, October 23rd, 2006

Filed under Malware, Security, Spam

Link

This is the trojan I mentioned in my last post.

Vet

Posted by Michael Farnum on Monday, October 23rd, 2006

Filed under Malware, Security, Spam

Go check out this article at Dark Reading.  Looks like this group is creating a botnet with a trojan that has a cracked version of Kaspersky AV to clean machines (except for itself, of course) to make sure it gets all the bandwidth it can to send out spam.  It is called the SpamThru trojan. 

This is crazy.

Vet

Posted by Michael Farnum on Friday, October 20th, 2006

Filed under Security, Security Education, Training

I will be in training today and tomorrow on Bluecoat. 

I am impressed thus far, but I am having some serious trouble staying focused because I keep getting calls on the RFP I posted about yesterday.  Oh well, the life of a pre-sales SE.

Vet 

Posted by Michael Farnum on Monday, October 16th, 2006

Filed under Business of Security, Government, Rant, Security

…but it is also one big pain in the neck!  I have been thrown into the process of answering an RFP (request for proposal) for a city government down here in Texas, and I cannot begin to tell you how tedious and ridiculously complicated the whole process can be.  RFPs can be complicated enough with corporations.  But when you get one from a governmental entity, you have so many other things to worry about (there are a ridiculous number of special considerations and conditions when you do work for governments).

Another thing I am finding out first hand is that many government workers (not all, but I wouldn’t think it too far from the truth in saying most) are functionally inept in their positions, at least when it comes to technical matters.  Though I have had some inkling of this from talking to peers over the years, it amazes me when I see it so closely. 

First of all, the RFP is very poorly written.

Second, it is incomplete.

Third, when you try to ask questions to work out the inconsistencies, the answers are often, “Because I say so”, or “Don’t question why our network is set up as it is.”

I don’t know if we will win this contract or not.  If we don’t, then we have wasted a LOT of man hours.  I guess it is worth the payout if it happens, but I have to wonder if anyone has figured out the cost of NOT getting one of these and compared it to the potential profit.  I am sure someone has. 

And if you are thinking that I make a salary, so it doesn’t matter, then think again.  I have about 4 projects for which I am either scoping or actively talking to clients to complete.  Two of these are sure things, and two are 50% or above on probability.  And these aren’t some small deals you can just sneeze at.  There is good money to be made here. So the more time I do this dang RFP, the less time I am working on some potentially good profit for Accuvant.  All to work on a deal that no one has a good idea whether it will come through.

Oh well, business is business!

Vet

Posted by Michael Farnum on Sunday, October 15th, 2006

Filed under Security

For anyone not aware, the new IE7 is going to be pushed out auto-magically by MSFT with auto-updates.  Juniper does not support IE7 or Vista yet with its SSL VPN product.  Here is the release by Juniper:

PSN Issue : Microsoft will soon be releasing Internet Explorer Version 7 (IE7) and Windows Vista. 

Solution: Please be advised that neither IE7 nor Windows Vista are supported in the current releases of the Juniper SSL VPN Products (IVE/SA products). The following plans are in place to add supportability.  

* IE7 support will be added to the IVE 5.3 and 5.4 branches in maintenance releases in the month of December.

* Windows Vista support will be available in Q1 2007.

We recommend that users of the IVE/SA products do not upgrade to IE7 until the appropriate release is made available and is installed on your device. 

Microsoft offers a tool that will prevent the auto update of Windows machines to IE7. Please see Microsoft’s web page for more details.

If you use Juniper’s SSL VPN, download this tool (issued by MSFT) to block the download of IE7.

Vet

Posted by Michael Farnum on Friday, October 13th, 2006

Filed under DDos, Security

Here’s what they sent me:

There was a SYNC FLOOD where we were only receiving ACK to our webserver, so our Rio Rey, which is our anti-DDOS box, did not reject, because it was seen as legitimate traffic. Due to the nature of the problem, we were required to block approximately half of the internet at the Cisco level.

Anyone know what this Rio Rey product is, or maybe this is just their hostname?

Vet

Posted by Michael Farnum on Tuesday, October 10th, 2006
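The failure mode in the quoted message (a flood of bare ACK packets that a SYN-flood filter treats as legitimate traffic) is easy to see once you count ACKs that never had a SYN in front of them. This is an added example, not code from the original post or from any anti-DDoS product; the packet-summary log format (timestamp, source, destination, TCP flags) and the sample lines are constructed for illustration.

```python
"""Spot an ACK-only flood that a SYN-flood filter would wave through.

Added example, not from the original post. It reads constructed
packet-summary lines (timestamp src dst:port flags) and, per source,
counts SYN packets versus ACK packets that arrive without a prior SYN
from that source to that destination. A SYN-rate check alone sees
nothing unusual; the orphan-ACK ratio does.
"""
from collections import defaultdict

# Constructed sample: two normal clients complete handshakes, while the
# 10.9.9.x hosts send nothing but ACKs at the web server (the pattern
# described in the post). Flags: S = SYN, A = ACK, P = PSH.
SAMPLE_LOG = """\
1 198.51.100.7 203.0.113.10:80 S
2 198.51.100.7 203.0.113.10:80 A
3 198.51.100.7 203.0.113.10:80 PA
4 10.9.9.1 203.0.113.10:80 A
5 10.9.9.1 203.0.113.10:80 A
6 10.9.9.2 203.0.113.10:80 A
7 10.9.9.2 203.0.113.10:80 A
8 10.9.9.2 203.0.113.10:80 A
9 198.51.100.8 203.0.113.10:80 S
10 198.51.100.8 203.0.113.10:80 A
"""


def parse_line(line):
    """Split one constructed log line into (ts, src, dst, flag set)."""
    ts, src, dst, flags = line.split()
    return int(ts), src, dst, set(flags)


def classify(log, orphan_threshold=2):
    """Return per-source counters and the sources flagged as ACK flooders.

    An 'orphan ACK' is an ACK from a (src, dst) pair for which no SYN was
    seen earlier in the log, i.e. no handshake this filter can vouch for.
    """
    seen_syn = set()  # (src, dst) pairs that opened a handshake
    stats = defaultdict(lambda: {"syn": 0, "ack": 0, "orphan_ack": 0})
    for line in log.splitlines():
        if not line.strip():
            continue
        _, src, dst, flags = parse_line(line)
        s = stats[src]
        if "S" in flags and "A" not in flags:  # pure SYN: handshake start
            s["syn"] += 1
            seen_syn.add((src, dst))
        elif "A" in flags:
            s["ack"] += 1
            if (src, dst) not in seen_syn:
                s["orphan_ack"] += 1
    flagged = {src for src, s in stats.items()
               if s["syn"] == 0 and s["orphan_ack"] >= orphan_threshold}
    return dict(stats), flagged


def syn_flood_suspects(stats, syn_threshold=50):
    """What a pure SYN-rate filter would flag on the same data: nothing."""
    return {src for src, s in stats.items() if s["syn"] >= syn_threshold}


if __name__ == "__main__":
    stats, flagged = classify(SAMPLE_LOG)
    print("SYN-flood filter flags:", sorted(syn_flood_suspects(stats)))
    print("orphan-ACK check flags:", sorted(flagged))
```

On real traffic the orphan count must be tracked over a sliding window and tolerate legitimate mid-stream ACKs whose SYN predates the capture, so the threshold should be a rate, not a fixed count.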

Filed under Business of Security, SIM / SEM, Security, Security Consultation, Security Education, Security Reselling

I have decided to start putting down some of the day-to-day events with this new job.  I think it will actually help stir my mind to blog more since I have not been writing near enough lately.  So here goes.

I have actually been kinda bored since my recent job change.  Though I have been getting in contact with our vendor partners and getting setup for training on products, the real action is out there selling and designing and proposing.  I really want to get thrown into the fire. 

Part of the reason I’m not out there yet is we do not have a sales person dedicated to the Houston market.  We need someone badly because the guy selling in Houston is based in Dallas, and he has a lot to do up there as well as down here.  However, he finally got down here today, and it got crazy quickly (be careful what you ask for).

The sales guy flew in at 9am this morning at IAH (Houston Intercontinental), but he didn’t get in my car (I was chauffeur today) until 9:25am, and we had an appointment in SW Houston at 10am.  For those of you who know Houston, IAH is on the far north side of Houston, and Houston is BIG.  I made the trip in about 25 minutes, which I was proud of.

Anyway, the talk was basically an introduction to Accuvant and what we could offer.  This was my first real meeting with the sales pitch thrown to a client, so I learned a lot (I learned even more through the day).  But to be honest, I think of the term “sales pitch” as negative.  What we did today was, technically, selling Accuvant.  However, Accuvant really has differentiated itself quite a bit from most “security” companies because of the unique approach to the industry.  I have talked about it before, but Accuvant just seems to do things right.  Yes, there are always going to be internal problems, but Accuvant just seems to be a company that takes customers seriously and at face value.  We don’t want to walk in and just sell a box then walk out until it’s time for a maintenance renewal.  We want to partner and grow with our clients, and this is no BS.  I am really impressed by Accuvant, and I know this company is going to succeed even more in the coming years.

OK, sorry.  Anyway, the meeting went well.  We have some strong offerings in compliance and assessment, and the client seemed to take to that well (we were talking to IT risk manager and audit types, so they loved the ControlPath product we offer for keeping track of compliance, risk, etc.).

The next client is looking at implementing Infoblox, which is a pretty sweet product in my estimation.  Infoblox offers simple and secure DNS, DHCP, IPAM, and RADIUS services in an appliance.  I have seen the box and how it works.  It is very simple.  Many companies are replacing their Microsoft-based DNS, DHCP, and RADIUS with this product, and I am seeing some great results. 

The next client was a partial introduction - I had previously worked at this client, so the intro was more for the sales guy and Accuvant in broader terms.  They are a property-management company who deals almost exclusively with apartments.  They are looking at wireless access for their tenants in new complexes, which is going to be fairly daunting for a lot of reasons that I won’t get into.  Suffice it to say that they want a lot for little.

So after that client, we went to an established client that is looking into SIM / SEM (some call it SIEM) for capturing very specific events in remote offices and centralize it to corporate (insert Rothman negative comment here).  We are putting Network Intelligence in front of them for the scalability and sheer EPS (events per second).  To put it simply, I like this product.  I might get into that at a later date.

Anyway, we left that client, located in Downtown Houston, at almost exactly 5PM.  Not a good time in Houston.  The sales guy’s plane left at 7pm, so, needless to say (but I am going to say it anyway), we were a bit rushed.  However, we found out after we got on the road that, due to a LOT of storms down here today, his flight was delayed for over an hour, so we calmed down.  Then, wouldn’t you know it, we still made it to the airport in plenty of time for the original flight time.  I guess being relaxed during the drive helped me just go with the flow better, so driving was a lot quicker than I expected.

So, that’s my day.  It was very busy and crazy, but I finally got in the mix.  I have a lot of “action items” from these meetings, so that is going to help me get even more familiar with the products we sell.  These meetings also helped me get down our philosophy (I think that sounds better than “sales pitch”), so I will be better prepared for future meetings with clients (especially since I know I will be mostly on my own until we get a sales person down here).  Things are starting to pick up, so I got out of the house, and I am glad for that.  I love my wife and kids, and they love me (or so they tell me), but we are all getting a little tired of each other right now!

More later.

Vet

Posted by Michael Farnum on Tuesday, October 10th, 2006

Filed under Security

Email string between Matt Heaton (Bluehost CEO) and me on the DDos.  Not a lot of info, but here it is (start at the bottom):


It was directed at one specific IP, not a domain name.  The IP was a shared IP with over 800 domains on it so it was not possible for us to just block the incoming traffic to that IP.

Thanks,

Matt Heaton / Bluehost.com

On Oct 5, 2006, at 11:53 AM, Michael R. Farnum wrote:

Matt,

Thanks for the reply.  Did the attack appear to be directed at a certain site that you host?  Was it directed at a certain IP or an IP range?  I understand if you can’t divulge information, but I want to gather as much info as possible.

Thanks,

Michael


From: Matt Heaton [mailto:matt@bluehost.com]
Sent: Thursday, October 05, 2006 11:57 AM
To: m1a1vet@infosecplace.com
Subject: Re: Recent DDos on Bluehost

There isn’t really much to know.  We mitigated most of the attack even though it looked horrible from many customers side we had blocked upwards of 80% of it.   The entire attack was a total of more than 8000 ips all originating in asian countries with Japan, and Taiwan being the majority of the attack.  It was sending more than 800,000 packets every 5 minutes and consuming more than 350 Mbit of bandwidth.  It was a HUGE attack.  I hope this helps.

Thanks,

Matt Heaton / Bluehost.com

On Oct 5, 2006, at 6:02 AM, Michael R. Farnum wrote:

Matt,

I couldn’t get to my website (infosecplace.com – hosted at Bluehost) because of the DDos on one of your servers yesterday.  My website is a blog dedicated to Information Security, and I would love to write about this incident.  Is there any way you would be willing to share some non-confidential information on the incident so I could have kind of an “exclusive”?


Not sure how this squares with this email from Bluehost support:

We are currently experiencing a DOS attack on this server, and so we have blocked a portion of the internet from being able to access the server. If you are in one of the IP octets that were blocked then you will not be able to access the server because our router is blocking you. Once the DOS attack stops you will be able to continue accessing your site.

Obviously I am not working from Asia, so I don’t know why I would have been blocked.  So I think that explanation was bogus at best and just meant to keep people off their backs.  So my site was definitely down to more than just me.  But that’s what support lines do, right?  Obviously, they didn’t know they were dealing with a man of superior intellect and a keen sense of information security!!!  Right….

Vet

Posted by Michael Farnum on Thursday, October 5th, 2006

Filed under Security

So McAfee is buying Citadel.  These guys have got the right idea.  If McAfee can integrate this into their NAC solution to a point where the desktop has automatic patching when it is sent to a remediation zone, then I will recommend McAfee to everyone.

Furthermore, I still cannot understand why in the world other NAC providers don’t buy a Citadel and integrate it into their NAC solution.  I asked for this CONSTANTLY when I was in security operations, and no one had it.  I cannot be the only guy asking for this. 

Vet

Posted by Michael Farnum on Thursday, October 5th, 2006

Filed under DDos, Security

It looks like at least one server at bluehost.com was DDos’ed yesterday.  Bluehost.com hosts my website, so I was unable to reach my site for most of the day.  They said that the site was up, but they had to block large segments of the Internet from which the attack was coming, so I guess I was on one of those segments.  If you couldn’t get to infosecplace.com yesterday, then you were also on one of those segments.

I am trying to get some details about the attack and will let you know if I get any details.

Vet

Posted by Michael Farnum on Thursday, October 5th, 2006

Filed under Patching, Security

I have stated that I do not like third-party patches.  Here are some reasons:

  • It can open other avenues of attack, since the bad guy is likely to start studying the third-party patch for security holes.
  • Potential problems caused by the unofficial patch when installing the official vendor patch
  • Management headache of uninstalling the unofficial patch
  • Possibly causing support problems with the vendor because of the unofficial patch

Now, there is a possibility that one of these reasons may no longer be an issue.  SC Magazine has an article talking about the new MSFT flaw and the patches that have been released by Determina and ZERT.  Both of these organizations claim that their patches do not need to be uninstalled to apply the official MSFT patch.  If that is true, then the third issue from the above list is a non-issue.  Now, that “if” is really big, and you would have to limit your patching to those organizations that build their patches in such a manner.

Now, I know something about Determina.  I have seen this product installed, and I know basically how it performs.  Essentially, it creates a shield around processes in memory, almost running each process in its own virtual memory space.  It then does not allow any unauthorized access to those processes.  It is basically a host-based IPS, but it does not rely on signatures to stop attacks.  It is a pro-active solution, and from what I have seen, it is a good product that allows you to relax your patching posture.

However, if they are fixing the flaw in the same manner, then they are not actually patching but are actually just shielding your system from the attack.  So I would not call this a patch at all.  However, it does work.  To test it yourself, first go here to test if your browser is vulnerable.  WARNING: if your browser is vulnerable, then it WILL crash.  I have run the test, and it DOES crash your browser (of course, you’re fine if you are running Firefox, which I suspect many are that are reading this blog).  Now that you have seen it crash, you can go download Determina’s “shield” from here.  Run the MSI.  Close all instances of IE, then go back to the test site and run it again.  You should not be affected this time.

I did not run the ZERT patch (if that is what it is) because it looked a lot more complicated in its execution and I did not want to risk it.  The Determina fix was packaged neatly in an MSI as well, so I have to believe that it is much easier to push out than the ZERT fix.

So make your own judgements with this new breed of third-party fixes / patches / shields.  I still don’t advocate them completely, but if they work as the Determina and ZERT fixes claim, then I am less hesitant than before.

Vet

Posted by Michael Farnum on Monday, October 2nd, 2006