Another Apple Software Update
How much more crap can Apple try to fool me into installing on my machine? Makes me want to uninstall QuickTime and iTunes. Are they trying to convert PC’s into Macs? Sheesh!!
Vet
OK, so the Matasano people accidentally let everyone know what the DNS flaw was. I posted my thoughts on that at my CW blog. But then I read Pete Lindstrom’s little post about the issue, and I just have to wonder what Pete is thinking. Pete says this:
Here’s a thought: If you really want to keep a secret…
… I recommend against a press release, blog post, podcast, youtube video, public interviews, and comments. I know this is a bit radical, but I’m just sayin’…
Sort of like – the people who would really have to kill you if they told you something are smart enough not to tell you in the first place…
Wow. So Mr. Lindstrom, how do you propose that Dan let people know they need to patch their DNS WITHOUT TELLING THEM?!?!? Dan did everything he could to let no one but a few select "need-to-know" people know about the flaw. He told them so they could develop patches. Then he announced it after they developed the patches. He did a great job with this.
What he didn’t want getting out was the details of the attack. But I am pretty sure Dan knew that this would happen eventually. There are too many people out there looking at this now for it not to come out. But hey, a man can hope, right??
So seriously Pete, think about it. Dan was trying to keep the flaw itself a secret before he announced so patches could get developed, then he announced so people would know there was a flaw and would patch, and then he was trying to keep the details secret after he announced so people had time to patch. But he couldn’t NOT tell people and expect them to patch.
Vet
My oldest son is a Lego freak. He absolutely loves the stuff. So my wife goes out on the Internet (usually Amazon) from time to time to look for some good deals on the latest Lego sets. One that my son has been looking at is the Mars Mission MT-51 Claw-Tank Ambush. So my wife went to Amazon, and as a smart shopper, she looked at the reviews. Below is one of the actual reviews.
My son turned six last week and he has been excited about the new Mars Mission Lego sets since he first spotted them in the magazine. I, however, have been struggling with the themes of the set. First of all, if humans are exploring Mars, that makes US the “aliens,” not them. Second, why is there the assumption that “aliens” are automatically on the attack? I don’t like the human-centric assumptions and the explore-attack-conquer approach to learning about the rest of our universe. Maybe I’m being too sensitive but it seems like a slightly more balanced view of space exploration could have been presented with this set. Sure, they’re just toys; but they help children build a foundational understanding of our culture, our world, our universe.
This is taking political correctness to the extreme, I gotta tell ya’! Worrying about people on Earth is one thing, but freaking out about aliens? And you know what else is scary? TWELVE PEOPLE FOUND THE REVIEW HELPFUL!!!!
All I can say is that I hope this person was just having fun. Sheesh…
Vet
Man, am I getting hammered for my latest post over at Computerworld about the DDoS launched on the Church of Scientology! I really can’t engage in a lot of back and forth over there since it is not my personal site, so I will do it over here.
For all you people slapping me around over there, let me ask you something. Do you advocate the use of DDoS attacks every time you don’t agree with someone? I am seriously dismayed when an attack is downplayed such as this one. Yes, the school was inadvertently attacked. Yes, COS was the original target. And maybe the attack only lasted for a few minutes. And an apology may have been issued… BUT THAT IS NOT THE POINT!!!
This is illegal, and it is irresponsible. Tom Cruise may be weird. L. Ron Hubbard may have made up a cult out of whole cloth. But they are still an organization that has the right to exist and practice their religion. Just because they are strange does not give you the right to make the Internet your personal playground. These things always end up affecting other people, even if it is for a few minutes.
Grow up people. Quit hiding behind the anonymity of the Internet and do something about your issues the way grown ups do. Call people. Write letters. Protest on their front steps. Get the attention of the media and the people WITHOUT acting like brats.
Sheesh…
Vet
I had a client call me right before Thanksgiving in emergency mode (one of the Dallas clients that I am starting to work with). Looks like he has a remote office that uses the local cable company as their ISP and connects back to corporate via a site-to-site VPN. I found out that they have never set up a persistent IP address for their firewall / router. Basically, they had been depending on the DHCP lease renewing rather than spending the money for a persistent IP (bad choice).
This client is new to me, so I had no idea what their network is like. My counterpart in Dallas (this has been his account for a while) was out for the week, and it was proving very hard to get in touch with him since his wife had just had a baby on that Sunday. The client was understanding, but he was also starting to freak because the remote site had a few VPN tunnels terminated there because of a server at the location that was used for processing orders. Anyway, to shorten this down so I can get to the point, I finally got in touch with the SE in Dallas and got it all straightened out (I will be fixing it again for him tonight since he finally decided to get a persistent IP), and the guy was happy.
So I talked to the account manager and the Dallas SE, and I learned a few things about the account. First of all, this guy was running (obviously) a mish-mash of ISP’s at his sites, so management of that sucked when a site went down or had other issues since he had to keep all those ISP’s info. Also, he used to have a couple of people on staff to work on their IT issues, but he let them go a while back, even though the company is in growth mode and doing well. And I learned that the AM and the Dallas SE had tried to get this guy to buy Netscreen Security Manager (he has Netscreen 5gt’s in his remote sites and a NS25 at corporate) to make his network manageable.
So essentially, even though this guy was growing and was adding sites, he wanted to run everything on the cheap. And he was depending on us to fix his problems when he had them, even though Accuvant is not a break / fix type of company. We do everything project based – the only real flexible assets we have are our SE’s like me, and we are supposed to be pre-sales only, so we were basically helping the guy out on the hopes of new business.
So I went up to meet the guy after we got everything straightened out in the hopes of getting the guy to bite off on some enterprise-level networking. Of course, I should have known better. I have known guys like this all my IT career. They will do everything in their power to get something for free, and they won’t quit until you realize you are getting screwed by doing a bunch of free work. And though I can’t say I blame the guy, it also aggravates me that this guy could not recognize that he was becoming too large an organization to manage in this kind of piss-poor manner. I understand making business decisions, but at some point the term “cheap” starts coming into play.
If you want to be an enterprise, act like one in all respects.
Vet
I was in IAH (Bush Intercontinental in Houston) today waiting for a plane to Denver, and I passed by the departure / arrival screens in Terminal E to check on my flight. Most of the screens were populated, but this was on the middle screens:
Nice to see they are using the ultra-secure VNC. Makes me wonder if whoever was on the other end had any idea this was showing in the terminal.
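The practitioner’s check behind that jab, as an added example that is not from the original post: read the first two messages a VNC server sends in the RFB handshake and report which security types it offers, in particular whether it offers type 1 (“None”), which lets anyone connect with no password at all. The two sample server replies below are constructed byte strings; nothing here was captured from the airport system.

```python
"""Parse the opening of a VNC (RFB) server handshake and report whether the
server will accept a client with no authentication.

Added example; not from the original post. The sample server messages are
constructed, not captured.
"""

# Security type numbers from the RFB protocol specification.
SECURITY_TYPES = {
    0: "Invalid",
    1: "None",
    2: "VNC Authentication",
    5: "RA2",
    6: "RA2ne",
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
}


def parse_version(banner: bytes) -> tuple[int, int]:
    """Return (major, minor) from the 12-byte ProtocolVersion message,
    e.g. b'RFB 003.008\\n' -> (3, 8)."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or banner[-1:] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    major, minor = banner[4:11].split(b".")
    return int(major), int(minor)


def parse_security_types(version: tuple[int, int], data: bytes) -> list[int]:
    """Return the security types the server offers.

    RFB 3.3: the server sends one 32-bit big-endian type it has chosen.
    RFB 3.7/3.8: a 1-byte count followed by that many 1-byte types; a count
    of 0 means the server refused and a length-prefixed reason follows.
    """
    if version < (3, 7):
        if len(data) < 4:
            raise ValueError("short 3.3 security message")
        return [int.from_bytes(data[:4], "big")]
    if not data:
        raise ValueError("short security-types message")
    count = data[0]
    if count == 0:
        reason_len = int.from_bytes(data[1:5], "big")
        reason = data[5:5 + reason_len].decode("latin-1", "replace")
        raise ValueError(f"server refused connection: {reason}")
    if len(data) < 1 + count:
        raise ValueError("truncated security-types list")
    return list(data[1:1 + count])


def assess(banner: bytes, security_msg: bytes) -> dict:
    """Summarise a handshake: protocol version, offered types, and whether
    the server lets anyone in without a password (type 1, 'None')."""
    version = parse_version(banner)
    types = parse_security_types(version, security_msg)
    names = [SECURITY_TYPES.get(t, f"unknown({t})") for t in types]
    return {
        "version": f"{version[0]}.{version[1]}",
        "security_types": names,
        "no_auth": 1 in types,
    }


# Constructed sample handshakes (assumptions, not real captures): an RFB 3.8
# server offering only "None", and an RFB 3.3 server requiring VNC Authentication.
OPEN_SERVER = (b"RFB 003.008\n", bytes([1, 1]))
LOCKED_SERVER = (b"RFB 003.003\n", (2).to_bytes(4, "big"))

if __name__ == "__main__":
    for label, (banner, sec) in {"open": OPEN_SERVER, "locked": LOCKED_SERVER}.items():
        print(label, assess(banner, sec))
```

In practice you would feed `assess` the first 12 bytes read from the socket and then the bytes that follow. A result with `no_auth` set is the obvious problem, but even “VNC Authentication” (type 2) is a DES challenge-response with the password truncated to eight characters, and the framebuffer traffic itself is unencrypted unless one of the TLS or VeNCrypt types is in use, so a VNC listener reachable from a public terminal network deserves a look either way.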
Vet
I was going to write about this (and here), but I was actually working today and missed it until I got home. I knew something was going on when I came home and Outlook showed that it was downloading 312 messages (I normally get 50 – 60 in my personal email).
Sheesh…
[UPDATE]: A forum has now been created for the people in the list that still want to network with each other but don’t want to have their email inboxes filled up.
Vet
OK, I am officially depressed. Here’s Richard Bejtlich’s impression of the state of security after one day at BlackHat:
My overall impression from the first day of briefings can be summarized in this manner.
- Existing defenses are absolutely ineffective against current attacks. I am struggling to describe the importance of this insight. It does not matter if you are fully patched, “properly configured,” not running Javascript, or adopting any number of other current defensive strategies if you use a Web browser that renders modern rich content. Almost none of the techniques described in the Black Hat talks relies upon exploiting vulnerable software. Almost all of them abuse inherent functionality for malicious reasons.
- Detecting current attacks in “real time” is increasingly difficult, if not impossible. Even if you assume attacks are not obscured by encryption, recognizing and understanding the variety of Web-based attacks shown at Black Hat is almost a lost cause. There is basically no way for defenders to address the expanse of the attack surface exposed by “rich Internet applications” and frameworks. I realized that the “rich” in “RIA” refers to the money intruders will make by exploiting Web clients.
- The average Web developer and security professional will never be able to counter these attacks. Intruders are so far ahead of the defenders with respect to tools and techniques that it is simply not possible to prevent the attacks I saw at Black Hat. This statement will probably offend many people but it’s time to face the truth. There is no way to get “ahead of the threat” here.
Holy crap. What in world am I doing then? I guess making money off some poor, ignorant bastards who have no idea that every effort we are making is totally useless. Well, I guess in order to maintain my integrity, I should just quit.
Sheesh.
Vet
I was driving the ol’ trusty minivan yesterday with the family. We were in the middle of a 7 hour drive, coming back from seeing my parents over Memorial Day, and the kids were watching a DVD of the new Teenage Mutant Ninja Turtles Fast Forward series. One particular episode starred a character that was some kind of digital entity that acted like a virus and was trying to get to a main frame computer.
The Cody character (great-grandson of the old Casey Jones character – for you old TMNT fans) was telling the entity that the main frame was protected by “a gazillion firewalls”, so there was basically no way she could break in. She then said that she wouldn’t have to break in if Cody would just give her the password.
OK, I know this is a kid’s show, but come on! A gazillion firewalls (whatever that means) can be bypassed by a single password? This should be rated TV-M for graphically stupid security. I know I will teach my kids different as they get older, but I am going to have to fight through all this mush inserted by shows like this.
Of course, the violence and “almost-cursing” (the Turtles regularly say “OH SHELL!!” and “WHAT THE SHELL!!”) are totally fine.
Vet
A client called me at 8:30am yesterday in a panic because they have the Rinbot worm running around in their network. The client is actually a former employer of mine, and they still have much of the same hardware and software from when I was there 6 years ago, which means Dell Pentium 3 400MHz servers and NT 4.0. They kept cleaning up their servers and getting re-infected, so something was getting missed. They have servers spread out between their corporate site and their colocation facility, and the link between the two is a fiber link that has no firewall or any real segmentation at all. So, getting all the servers clean has proven problematic.
The recommended patch for NT to stop Rinbot didn’t work, so I had them temporarily disable the IPC$ share on their important servers, and today we are going to try Determina’s HIPS product to see if we can stop it and identify where it is coming from. We’ll see what happens.
It’s been a while since I have had to fight one of these buggers. It was actually quite refreshing. Something different, and it brought back memories.
Here’s a pretty cool blog post about Rinbot.
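Finding the source on a flat network like the one described above comes down to spotting fan-out: one host opening SMB connections (TCP 139/445) to many distinct hosts in a short window, which is what a scanning worm does and what normal file-server use does not. The following is an added example, not from the original post, that runs that check over connection logs. The log format and the sample lines are constructed, not any vendor’s real syntax; the 60-second window and the threshold of eight distinct targets are assumptions to tune for the network in question.

```python
"""Spot worm-style SMB scanning (one source, many distinct targets) in
connection logs.

Added example; not from the original post. The record format
"YYYY-mm-dd HH:MM:SS src dst dport" and the sample lines are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {139, 445}

# Constructed sample log: one host sweeping a /24 on 445/139 (worm-like),
# one doing ordinary file-server traffic, one slow host spread over hours,
# and one unrelated HTTP connection.
SAMPLE_LOG = """\
2007-03-01 08:31:02 10.1.5.23 10.1.5.24 445
2007-03-01 08:31:02 10.1.5.23 10.1.5.25 445
2007-03-01 08:31:03 10.1.5.23 10.1.5.26 445
2007-03-01 08:31:03 10.1.5.23 10.1.5.27 445
2007-03-01 08:31:04 10.1.5.23 10.1.5.28 139
2007-03-01 08:31:04 10.1.5.23 10.1.5.29 445
2007-03-01 08:31:05 10.1.5.23 10.1.5.30 445
2007-03-01 08:31:05 10.1.5.23 10.1.5.31 445
2007-03-01 08:31:06 10.1.5.23 10.1.5.32 445
2007-03-01 08:31:06 10.1.5.23 10.1.5.33 445
2007-03-01 08:31:07 10.1.5.23 10.1.5.33 445
2007-03-01 08:31:10 10.1.5.40 10.1.5.10 445
2007-03-01 08:31:12 10.1.5.40 10.1.5.11 445
2007-03-01 08:31:15 10.1.5.40 10.1.5.10 445
2007-03-01 08:45:00 192.168.20.7 10.1.5.24 445
2007-03-01 09:05:00 192.168.20.7 10.1.5.25 445
2007-03-01 09:25:00 192.168.20.7 10.1.5.26 445
2007-03-01 08:31:20 10.1.5.41 10.1.5.60 80
"""


def parse_line(line: str):
    """Split one constructed record into (timestamp, src, dst, dport)."""
    date, clock, src, dst, port = line.split()
    ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    return ts, src, dst, int(port)


def max_distinct_targets(events, window: timedelta) -> int:
    """events: list of (timestamp, dst) for one source. Returns the largest
    number of distinct destinations contacted within any window-long span,
    using a sliding window over the time-sorted events."""
    events.sort()
    in_window = Counter()
    best = lo = 0
    for ts, dst in events:
        in_window[dst] += 1
        while ts - events[lo][0] > window:
            old = events[lo][1]
            in_window[old] -= 1
            if in_window[old] == 0:
                del in_window[old]
            lo += 1
        best = max(best, len(in_window))
    return best


def find_scanners(lines, window=timedelta(seconds=60), threshold=8) -> dict:
    """Return {source_ip: distinct_targets} for sources that hit at least
    `threshold` distinct hosts on SMB ports inside one window."""
    per_src = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, port = parse_line(line)
        if port in SMB_PORTS:
            per_src[src].append((ts, dst))
    return {src: n for src, ev in per_src.items()
            if (n := max_distinct_targets(ev, window)) >= threshold}


if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {n} distinct SMB targets in one window")
```

The window-based count matters more than a raw total: a legitimate server can talk to many hosts over a day, but a worm hits dozens in seconds. Once a source is identified this way it can be pulled off the wire, which is the step a flat fiber link between sites otherwise gives you no place to enforce.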
Vet
So Determina released an advisory about a bug they found in IE in Vista. They ran a simple ActiveX fuzzer against it, and it crashed. They were surprised that it worked, and so am I. However, that is not the whole story.
When they mentioned the problem to MSFT, they came to the conclusion that it is just a stability problem and not worthy of fixing in a security release. Determina agreed, as this statement in the advisory shows:
We have confirmed that this issue can be used to cause the instance of Internet Explorer to exit when viewing the specially crafted Web page. We have confirmed that there is no possibility to use the bug to do anything beyond that, e.g. execute code.
As such it is more along the lines of a stability issue and would be treated along similar issues reported into Microsoft using the Online Crash Analysis system.
OK, this just befuddles me. Since when did people start ignoring the “A” in the CIA Triad? Availability is essential to security. I made this point in an email discussion thread I am currently involved in:
Microsoft complained that the flaws HD Moore found in IE were stability problems and merely resulted in crashes rather than actual vulnerabilities. Remember the CIA triad, people. Confidentiality, Integrity, and AVAILABILITY. If a company relies on web applications for its livelihood, you can bring said company to its knees if you make IE unavailable. It is still a security problem.
Any stability problem deserves to be classified as a security problem if the possibility of denying access to data or services exists. And there are many companies out there that rely on web services for their livelihood.
Microsoft, FIX IT!
Determina, go take a class in security.
Sheesh.
Vet
Since Alan posted his sadness at the Pittsburgh Steelers loss of coach Bill Cowher, I guess I can post my depressed state over the Cowboys loss to Seattle on Saturday. I am not going to write forever about why they lost or who is to blame (mostly because this is supposed to be an InfoSec blog). It suffices to say that they have simply been beating themselves for the last 2 months.
But, I will always be a Cowboys fan. They are still the most successful franchise in NFL history (eight Super Bowl appearances – more than any other team – and 5 wins – tied with the Steelers and the 49ers).
And while Romo did blow it, he still has a future with Dallas or any other team. He is very talented and just needs some experience (which he got plenty of this last season).
And while I am talking about the NFL… I know I listed a few things about myself that many others didn’t know (and probably didn’t really care about) when I got blog-tagged, but here’s one more. If you are a Super Bowl historian or just plain NFL fan, you probably know about this bit-o’-football-trivia (quoted from page 2 of ESPN’s Goats, Gaffes, and Blunders site):
Jackie Smith
A member of the Pro Football Hall of Fame and a five-time Pro Bowler with the Cardinals, Smith is most remembered for his infamous dropped TD pass in the 1979 Super Bowl while playing for the Cowboys. Dallas trailed Pittsburgh 21-14 in the third quarter, when Roger Staubach found a wide-open Smith, the team’s backup tight end who hadn’t caught a pass during the regular season, in the end zone. But he dropped the pass and Dallas settled for a field goal in a game it eventually lost by four points.
Jackie Smith is my third cousin.
Vet
CJ Kelly, a blogger at Computerworld, proclaimed yesterday that the Internet is safe from DDoS. She says:
…maybe 5-8 years ago this was a possibility, but I don’t think it’s possible to do a large scale DDoS attack any more.
Man, I am so happy to hear this news. You can’t fathom the relief at hearing Ms. Kelly announce our new found safety. I am so indebted to Ms. Kelly for fixing the Internet yesterday right after she posted this announcement.
What was that? What happened yesterday? Well, let’s see. A business web service provider called CrystalTech went down for four hours due to a DDoS attack (it happened the same day she wrote her post). I am glad that isn’t going to happen anymore.
Oh, and EveryDNS was hit hard last week with a DDoS attack that took them down for 1 1/2 hours. I am totally relieved that we won’t see that again.
I also seem to remember a company called Blue Security closing its doors in May because a nutty spammer decided to DDoS them and started causing trouble all over the Internet. Here’s a quote from the article:
The attacks not only disrupted Blue Security’s operations but knocked out the Web blog hosting service Six Apart and a handful of Internet service providers, including Tucows.
Man, I am so happy we are done with DDoS attacks.
OK, I guess that is enough. CJ Kelly’s post is nothing short of ridiculous. I mean, really. Does she write from a black hole where the only articles she can find to support her are Cisco press releases and product whitepapers? I’m not kidding. Look at her links to Cisco. It is friggin’ Cisco propaganda that she calls “informational pages”.
Holy crap, my head is about to explode.
Ms. Kelly, please do some research. Please read the news. If you are a “real world Information Security Officer” as it says in your CW bio, I beg you to better serve your company and the information security industry by informing yourself before you start writing.
Vet
I’ll be the first one to say that TV shows and movies are hardly based on reality. But when they screw up something that is near and dear to me, I get very upset.
For instance, I was in the Army and Army National Guard for over 7 years. Though I was never a career soldier, I still took it seriously, and I still do today. Maybe too seriously. I get very upset when I see a TV show or a movie that screws up things like rank insignia (Army sergeant rank on upside down in some sitcom I watched) or basic military rules (you do NOT salute indoors unless you are reporting to an officer – that mistake is in too many military movies).
This feeling also bleeds over big time into my chosen profession of information security. There is a new show on NBC called Kidnapped that I have been watching and enjoying for the last few weeks. Basically, it is about a rich family’s son getting kidnapped and the family trying to get him back. There are all kinds of twists and turns in the plot. The dad used to be into some bad stuff, so it seems to revolve around someone getting back at him or trying to get some stuff from him.
Anyway, last week the family’s hired gun (ex-military, police dude, etc.) gets asked by the FBI for help. They want him to apply for a job with a civilian-run military company (basically, mercenaries) that supposedly has info on some people they think are involved in the kidnapping. The guy goes through some weird psych-interview, then he is placed in front of some computer by himself that has a program running with pictures flashing. The guy looks around, then easily opens some access panel to the PC and inserts a “remote control” device in some very conveniently-placed access port. Of course, I am thinking, “where are the cameras that should be watching this guy?”
Then, as the agent outside in the FBI van (real unique, right?) takes over the running of the program, he runs down the hall, guided by the blue prints of the inside of the building (which that type of company probably just publishes on the Internet) and strolls into the server room with no challenge and no lock on any door that I can see. There are racks of servers, switches, etc. Then he sticks another device in the “mainframe”, and away they go.
He does get caught, but it was only because another agent ran in the building and called a security alert in a ploy to get the main bad guy to start erasing sensitive files. They capture the screens (with all pertinent information on the first screen – nice, huh?), thus saving them the effort of searching through records.
Yea, ok, right. I know it probably shouldn’t bother me, but that just pisses me off. At least TRY to make it somewhat real.  I think even a layperson without security experience would probably be thinking, “where’s the security here?”
Sheesh.
Vet
OK, let’s imagine you are an international company that has a product used by thousands of companies all over the world.  Hundreds of people call you daily to get support for your product. Your HQ is in Florida. You know a hurricane (actually, a Tropical Storm) is heading your way. In fact, you have had SEVERAL days of warning. Do you, or do you not, redirect calls to an alternate call center? My vote: you do!
Obviously Citrix doesn’t think the same way. I am writing this post at friggin’ midnight because I have been working on a Citrix issue, and I can’t contact Citrix in the US because they are closed due to the weather, and “thanks for the understanding”. No advice to call another country (like Australia) or even an attempt to redirect calls. Just “too bad, so sad”.
Come on, Citrix. This is crap and you know it. I hate it that another storm is hitting Florida, but who is running the show over there? Sheesh!
Vet
Martin McKeay posted a few days back about keylogging software on client’s of HSBC Bank. Bruce Schneier pointed out this article this morning about the same issue. Both came to roughly the same conclusion: this is ridiculous.
Yes, there are things the bank can do to help with this, but come on, where is the personal responsibility for the clients? Sheesh.
Vet
Politics can be fun, and it can be real ugly, and often both at the same time. And in this digital age, everyone has a chance to get involved, including script kiddies that have a political axe to grind. Go read the story here. But what got me about this whole deal was this quote from Dan Geary, who runs Lieberman’s site:
“This is a direct disruption of a federal campaign,” he said. “I have to see us go to an era where security is primary instead of the primary focus being new and innovative ways to get the message out.”
Uhhh, that deserves a big “duh”. Dude, you run the website. I am sure you are an activist and want to get Senator Lieberman re-elected, but running the website and securing the website is your job. Frankly, that quote sounds more like something a politician would say rather than a web admin. If you don’t know that you are going to be dealing with this kind of stuff, then the good senator hired the wrong guy. Sheesh.
Vet
I am going to try to make this short since Treasure Hunters is about to come on, so here goes. I posted yesterday on my Computerworld blog about some stuff I wrote for a friend of mine on two-factor authentication. I checked back today to see if I had any comments, and I did (woo hoo for me). I read the comment, and here is part of what I got:
What is needed is “smart” content that works with multiple trust levels, that self-authenticates not only the content but the user as well. This is done using a modified token inside the content. It also creates an audit trail within a token receipts for archiving.
Content-centric security allows content to be securely transferred globally and outside the enterprise, without centralized authority. No, there is no standard but this approach solves most, if not all, of today’s issues concerning authentication.
OK, this really gripes me. First off, there is so much of this “we need this” and “we need that” and “it would be great if…” and “this would solve so many problems” that I am going to puke. I am just tired of hearing it. Yea, there are a lot of things out there that need to be done, but since when does a “need to be” turn into something tangible overnight? Not to mention the fact that this guy sounded like he was trying to sell something and then didn’t even link to a website or anything.
I am not arguing whether this guy is right or wrong. I am not arguing whether or not the state of InfoSec needs to change (it does). Basically, I just want people to be realistic and deal with what is available today. I am not asking for status quo. I just want people to recognize that us guys and gals in the trenches need to use products that are on the market now. If we were supra-geniuses that could make up new technology to protect our network while sleeping, then we would do it. But we aren’t and we can’t (I guess I should speak for myself). We rely on those people who research this stuff to do that.
So friggin’ stop arguing with me every time I say multi-factor authentication is a good idea!  It is what we have today. Just because it can be compromised in some fashion does not mean I should take it out of my network. Once again, DEFENSE-IN-DEPTH!! It is another layer.
I am not against research and looking for something new. I just am tired of being preached at about how something is better when it ain’t even sold by anyone yet! Sheesh.
Vet
OK, I am usually fairly impressed by InfoWorld’s articles and other writings. I get the magazine, I subscribe to their news feed. But this InfoWorld article read like it should be in the Times or something. They put a title of “Hackers Striking Databases in Record Numbers”, give us a couple of stats, and then go on to explain SQL injection attacks. Who is InfoWorld’s target audience?
Here’s something from the “About” section of InfoWorld’s website:
InfoWorld Media Group delivers in-depth coverage and evaluation of IT products for technology experts involved in major purchase decisions for their companies. InfoWorld reaches the most influential readers through its integrated online, print, events, and research channels.
InfoWorld provides specialized IT coverage for the CTO, senior-most company executives who are deeply steeped in technology expertise and experience.
I am not usually one to attack, but this is ridiculous. If you are a “senior-most company executive” who is “steeped in technology expertise and experience”, then you know what a SQL injection attack is. This article really does not give any useful information.  Couldn’t there have been some more in depth detail on some of the attacks? It just felt like the top paragraph was written, then there was a cut and paste from some other article.
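The kind of concrete detail the post asks for, as an added example that is not from the article or the original post: the string-built query that is injectable next to the parameterised one, run against an in-memory SQLite table with constructed rows. The two payloads show the tautology that turns a lookup into “return everything” and the UNION that pulls a different column (here the password hashes) out of the same query.

```python
"""SQL injection: the vulnerable query beside the parameterised one.

Added example; not from the InfoWorld article or the original post. Uses an
in-memory SQLite database with constructed rows so it runs offline.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed users table with two made-up rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Formats the user input straight into the statement. A quote in the
    input ends the literal and the rest becomes SQL."""
    sql = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, username: str) -> list:
    """Same query with a bound parameter: the input is only ever a value,
    whatever characters it contains."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed attack inputs.
TAUTOLOGY_PAYLOAD = "x' OR '1'='1"
UNION_PAYLOAD = "x' UNION SELECT id, password_hash FROM users WHERE '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, tautology :", lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD))
    print("vulnerable, union     :", lookup_vulnerable(conn, UNION_PAYLOAD))
    print("parameterised, same in:", lookup_parameterised(conn, TAUTOLOGY_PAYLOAD))
```

The point the one-line fix makes is that escaping input is the wrong layer; binding parameters means the database driver never parses user data as part of the statement. Stored procedures that build dynamic SQL internally, or an ORM call that accepts a raw string, reintroduce the problem just the same.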
Vet
So the question is this: who is to blame when a crime is committed? Do you convict the gun or the crook when he robs a bank? Do you convict the crowbar or the crook when he pries open the door to a home and steals the jewelry? Do you convict the brick or the crook who uses it to smash a window in a store and steals a TV?
We know the answer to those questions. The crook is the criminal, not the tool. So bravo to Alan Shimel for this post where he stomps a mudhole in some folks for blaming Open Source code for security problems. Yes, Open Source tools are easier to come by than commercial products, but does anyone really think that script kiddies and other baddies would have no means to get those commercial products if Open Source tools were not available? Please…
Vet