An Information Security Place

Commentary on the State of Information Security
Quit publishing my info. I said stop! Now!

by Michael Farnum on December 29, 2011 at 12:50 am
Posted In: Privacy, Security

My wife and I homeschool, so we include our kids in a lot of extracurricular “stuff” to hopefully keep them well-rounded. One of the things my oldest son does is take a Lego engineering class at a small local school that caters to homeschoolers.

Last year, when we first signed up for the school, we found out that they published a report on the Web that listed the personal information (names of parents and kids, emails, street address, phone numbers, etc.) of all the families of the attendees. This was meant to be a resource for the attendees of the school, which is somewhat understandable since the homeschool community is fairly close knit. But when I saw that our info was included by default, AND that the report was secured by just a password, AND that password was emailed to everyone on the list, I kinda freaked a bit. So my wife sent out an email requesting that our info be pulled from the list.

I honestly expected a fight of some kind since I have seen small groups like this that just don’t get security and that a password just ain’t enough, but I was pleasantly surprised to find that they complied immediately with the request. All’s fixed, right? Well, it was for a few months. Now they are publishing a new list. But no big deal, right? We’ll just request to be removed again, right? Nope. Now they are acting as I expected them to last year. They are pushing back because, in their words, “they don’t have the time to reformat the report”. In fact, the email response in general was completely rude.

So I thought I would send off an email to them with a little bit of attitude of my own.

As to the matter of this directory, the last time the database was published, my wife and I were given the option of having our personal information deleted from the report. When we opted to be removed, there was no argument about whether or not anyone had the time to remove this information, and the request was acted upon quickly. So you can imagine our surprise when we received your reply after we asked to be removed again.

I understand that it takes time to format the report, and I understand that you are busy. But as a parent that pays tuition to your school, I fail to understand how this request can be so blatantly refused. In fact, I fail to understand why the information is needed by anyone outside of the staff at the school. If other parents have requested this information, then it should be provided on an opt-in basis, not by default.

While it may seem paranoid to you that we do not wish to have our personal information included in this database, I hope you understand our concern for privacy in this day and age. My career is in information security, so I know on a technical level how easily this type of report is compromised, and how the personal data can be misused.

Please remove our personal information from the report at your earliest convenience.

We’ll see what comes back.


Viewing InfoSec from another angle – a personal reflection

by Michael Farnum on December 19, 2011 at 8:42 pm
Posted In: Security, Security Evangelism

A while back I tweeted about my acceptance of the Security Technology Advocate role at Accuvant.

To be clear, I am not going to be fully transitioned into the role until Jan 1, 2012. But I have been doing some work in the new gig, and I have already experienced a lot of changes on how I approach security and how I view my chosen profession. Let me ‘splain.

So part of my new role entails evangelizing Accuvant to the world. And one of the ways I will do that is to create content for the world to see, meaning blog posts, podcasts, webcasts, etc. And the best thing about creating that content is that I have a near endless source of expertise from Accuvant. We have l33t peeps from all angles of InfoSec, including security research, risk, compliance, network and web app pen testing, security technologies, secure infrastructure, development, and on and on (you can go view some of this material at http://www.accuvant.com/results/podcasts – forgive the shakiness please).

And while this is rewarding, it is also giving me a way of looking at InfoSec that I never have had before. What I mean by that is that I have almost always been an active part of InfoSec. I have either been a security consultant, engineer, or manager. I have had to delve into the world because I was immersed in it by necessity. I was looking for ways to improve my security or the security of others. I was looking for solutions to problems that plagued me or others. And while that entailed often talking to experts, be they from Accuvant or somewhere else, I was usually viewing their input as directly related to fixing something that was broken. And while I have interviewed a few folks over the years for the podcast or blog, I still was thinking of how their answers applied to issues with which I was dealing.

But now, for the first time, I am not always talking to security experts for the direct purpose of solving a problem (well, I am solving the problem of needing content to perform the duties of my job, but you get where I am coming from hopefully). I am talking to them to get opinions on topics that are relevant to the topic of security in order to solve the problems of others with whom I do not have a direct relation. Does that make sense?

Let me use Charlie Miller as an example (cuz he’s famous and stuff). I interviewed Dr. Miller a few months back at DerbyCon. It was a fun interview comparing iOS and Android security, and I approached it as one security professional talking to another security professional. But at the same time, it struck me that I was not really talking to Charlie as a fellow security professional in the traditional sense. I was not getting information from Charlie to take back to a client. I was simply performing an information gathering task for the purposes of indirectly giving other folks information. I was not going to directly take that data and apply it to a problem on which a client or I was working. I was going to let others do that. I was now becoming an “information broker” of sorts (most of what I have read defines “information broker” as someone who finds and provides analysis of the information, which I have not really done to this point).

I am not sure if the impact of this is coming out in this article. It is kind of difficult to define this feeling if you the reader have not been there (or maybe it isn’t difficult to define and you are nodding your head and saying “dang, this guy is writing down some awesome thoughts here – I wish I could be that awesome”). And I know that Brian Krebs, Bill Brenner, and folks like them that do this all the time (albeit much better than I), will be expressing a collective “duh”. But it really has made a difference in how I see the industry, even in just a short period of time.

Honestly, though I say it has affected how I view the industry, I really don’t have a grip on what those effects will be yet. I don’t know what this will do to my career. I sincerely do not want to move out of being an information security professional, so I will do my best to keep up my skills to some degree. And I don’t know how this will affect how I approach problems in the future, or how I will interact with people who ask my advice on security issues. I mentioned two of the top journalists in the InfoSec field above. To the best of my knowledge, neither of them was a security practitioner before they started covering InfoSec (that is not meant to be a knock on either of those gentlemen – both have my highest respect). So it makes me wonder how that will affect my approach.

Will it make me ensure that those experts I interview know of my experience before we talk? In the past, I experienced disdain from “experts” during interviews when I was wearing a press badge at a conference. I wanted deeper insight, so I asked very technical questions that they were not used to getting from journalists, and that made them change the way they looked at me pretty quickly (and prompted a couple of “who are you” kind of questions).

I’m just not sure yet. But however I move forward, I am excited about the change.


Using Siri for assisting with network monitoring

by Michael Farnum on November 28, 2011 at 2:59 pm
Posted In: Holy Crap!, Security

siriproxy-snorby from Dustin Webber on Vimeo.

You just HAVE to like this.

└ Tags: Network Security Monitoring, Siri

Be an InfoSec Berean

by Michael Farnum on November 22, 2011 at 4:49 pm
Posted In: Marketing, Security

In the Bible (no, this is not a sermon – yes, this is InfoSec relevant), there was this group that Paul ran into called the Berean Jews. (Acts 17:10-15 if you want to look it up). These Bereans were shown in the scriptures to be diligent people who checked the facts. Verse 11 says:

Now the Berean Jews were of more noble character than those in Thessalonica, for they received the message with great eagerness and examined the Scriptures every day to see if what Paul said was true. (emphasis added)

So basically, the Bereans were not going to accept anything at face value. They immediately went back to scripture and checked out to see if what Paul was saying was true, and then they made up their minds.

Now what got me thinking about this particular group and how it applied to InfoSec was the article at Infosec Island by Scot Terban entitled “Infosec: The World’s Largest Rube Goldberg Device”. Scot has some pointed things to say about the different vendors and “experts” selling their toys and wares in the industry, and his points are good. But this theme has been in InfoSec (and other industry) blogs since I started reading them (I have written a few myself): do not fall for the sales pitch and the marketing.

This is just good common sense, right? Then why in the name of Mordor do we have to keep saying this? Is this for the benefit of the new folks in the industry? Is this because people just like a good rant session? Is it because someone STILL has not learned this lesson? Is it because there are a lot of lazy folks out there?

Now I am not hitting Scot here. I have zero problem with writing the post (and in fact, his overall theme was not about this really at all). It just struck me that if you have to be reminded to be an “InfoSec Berean” when the sales person calls or when you read an article comparing different technologies, then you are wrong. No, we don’t have a convenient set of scriptures to go to (except for NIST or something like that, which Scot points out). This is more about doing your due diligence to prove or disprove claims made by sales or marketing. Get some documentation. Get some references. Do a proof of concept (not always practical, I know). Make sure there is proof of the claims. Don’t accept it at face value, just like the Berean Jews.

And, in my finest adult-preachin-at-you voice, don’t make me tell you again!

└ Tags: Berean, discern, infosec, Marketing

An Information Security Place Podcast – Episode 07-2011

by Michael Farnum on July 13, 2011 at 7:26 am
Posted In: Podcasts

Today we have an interview for you. Michael had a great time sitting down with four gentlemen (they might not all agree with that term) from SpiderLabs over at Trustwave. The aforementioned SpiderLabs folks were Nicholas Percoco (@c7five), Steve Ocepek (@nosteve), Matt Jakubowski (@jaku), and Zack Fasel (@zfasel) – those are Twitter aliases for you newbs out there.

They went over their respective histories, talked about SpiderLabs and their leetness, discussed a few talks that they are doing at DEFCON, talked about their party at DEFCON that will be held in a super-secret location, and went through about 50 SpiderLabs insider jokes.

Michael is also pretty sure someone (Zack) was enjoying adult beverages (Zack) during the recording (Zack), but he might be wrong…

Enjoy the show. And once again, thanks to Rivethead for the tracks. Go out to their website to see the latest on them, where they are playing, and all their news.

└ Tags: SpiderLabs, Trustwave