Category: Rant

Security Lesson from A Mouse Story

I was going through some old blog posts, and one I found contained the following story:

Mouse Story

A mouse looked through the crack in the wall to see the farmer and his wife open a package. “What food might this contain?” the mouse wondered – he was devastated to discover it was a mousetrap. Retreating to the farmyard, the mouse proclaimed the warning: “There is a mousetrap in the house! There is a mousetrap in the house!”

The chicken clucked and scratched, raised her head and said, “Mr. Mouse, I can tell this is a grave concern to you, but it is of no consequence to me. I cannot be bothered by it.”

The mouse turned to the pig and told him, “There is a mousetrap in the house! There is a mousetrap in the house!” The pig sympathized, but said, “I am so very sorry, Mr. Mouse, but there is nothing I can do about it but pray. Be assured you are in my prayers.”

The mouse turned to the cow and said, “There is a mousetrap in the house! There is a mousetrap in the house!” The cow said, “Wow, Mr. Mouse. I’m sorry for you, but it’s no skin off my nose.”

So, the mouse returned to the house, head down and dejected, to face the farmer’s mousetrap – alone.

That very night a sound was heard throughout the house – like the sound of a mousetrap catching its prey. The farmer’s wife rushed to see what was caught. In the darkness, she did not see it was a venomous snake whose tail the trap had caught. The snake bit the farmer’s wife. The farmer rushed her to the hospital and she returned home with a fever.

Everyone knows you treat a fever with fresh chicken soup, so the farmer took his hatchet to the farmyard for the soup’s main ingredient. But his wife’s sickness continued, so friends and neighbors came to sit with her around the clock. To feed them, the farmer butchered the pig. The farmer’s wife did not get well; she died. So many people came for her funeral, the farmer had the cow slaughtered to provide enough meat for all of them.

The mouse looked upon it all from his crack in the wall with great sadness.

So, the next time you hear someone is facing a problem and think it doesn’t concern you, remember – when one of us is threatened, we are all at risk.

I posted that back in 2006 (crap, I am getting old), and I said it had some security points. But the post also said that I was hungry when I was writing it (coincidentally, I am hungry right now also – huh, maybe I’m just always hungry…), so I didn’t break those down. Well fans, let me remedy that situation now. Here’s the lesson:

Your insecurity affects us all. If you know there is a security problem (whether that be by your own discovery or through someone else warning you), and you have the power to either fix it or influence someone who does have the power, then get ‘er done.

I know there are all kinds of caveats to that as far as risk, process, etc. But the raw edge needs to be there. Ignoring a problem does not make it go away. In today’s world of hacktivism and hacking for hire, there are just too many attacks coming from too many angles. Test, fix, retest, fix, retest, fix, and so on. Stop screwing around.

This rant brought to you by @m1a1vet

Can IT Vendors be Objective?

Here is another guest post by WiFi Jedi

Can IT Vendors truly be objective? Or does everything they say have to be viewed through a lens of “they are trying to sell me something”?

Join me while I rant…

Personally, I think IT vendors can be objective.

Sure, we manufacture and sell things…

*Gasp* – We even profit from selling.

But that doesn’t mean we can’t be objective.

i.e. – I try to provide solid vendor-neutral information to the wireless community through my blog.

(In fact, only 2 of the nearly 40 blog posts I have completed to-date have been about my employer, Xirrus.)

However, not everyone sees it that way.

Let me give you an example…

I requested press access to an industry event as a blogger.

However, I was told that I can’t get a pass of this nature because I work for a vendor.

Furthermore, I was told that bloggers of major publications (ComputerWorld, Network World, ZDNet, etc.) would qualify.

So I went out seeking a spot with one of these publications as one of their bloggers.

(I even had a solid lead directly to an editor with a reference from another well-known blogger at one of these publications.)

However, I was turned down again. Because I work for a vendor.


My “commentary”…

Presumably, working for a vendor means that I can’t be objective. Which I personally think is %^&$*&!

Let’s take a look at some profiles of bloggers who have been picked up by these publications. I would like to take a closer look at two common blogger profiles: Value Added Resellers (VARs) and Independent Consultants.

I have noticed that if you work for a VAR, you can blog for major publications. Correct me if I am wrong – as a VAR, don’t you sell some vendor’s equipment, but not others? It would seem to me, in that position, it is possible to have nuances or conflicting agendas. At least working for a manufacturer, you know where my “official” loyalties are.

The other common profile for bloggers on these publications is that of an “independent” consultant. I would think a large portion of their livelihood depends on their ability to provide consulting services. If that’s the case, don’t you think they would blog about things that (at least indirectly) drive their own business? After all, their financial success is directly tied to the success of a single person – themselves. Working for a manufacturer (or any large organization) mitigates this factor because my financial situation is determined by the success of the group, and not by what I do or say to drive my own consulting business.

This isn’t intended as an attack on publications or their bloggers, just an honest discussion of how they can be objective, but somehow it is perceived that I can’t. What about my credentials?!?

Besides working for a vendor (for several months), I have also worked as a consultant and auditor (for many years). I hold over a dozen IT certifications, ALL of which are vendor-neutral. On my LinkedIn profile, I have the coveted “500+ connections”, many of whom are employed by my competition – Aruba, Meru, Motorola, etc. I started my blog to serve as a thought leader and I am a frequent speaker at industry events, professional organization meetings, and universities.

If you know someone at an IT publication that is willing to have me as a wireless networking and security blogger, have them contact me at

Wait, I had better not use my corporate email address. That might signal I can’t be objective. 

Instead, have them contact me at

I have an "opinion" – buy my stuff

I will start out this post by saying that I generally am a fan of SC Magazine.   Though the product reviews are not very good, they often have informative interviews with some folks whose views I respect.  But I had to guffaw a bit with the Nov 2008 edition when I got to the opinion section, and specifically the article by Richard Moulds.

The reason I LOL’ed at this article was not because the article was wrong.  Mr. Moulds talked about how enterprise encryption was the last line of defense, where if "other security and access control systems fail, if the data is encrypted – it is probably safe."  I agree with that.  I also do not disagree with his assertion that key management is "central to deployment on any encryption-based system."  Makes perfect sense.  Mr. Moulds also says that key management must protect keys but should also make them accessible and highly mobile.  Again, no disagreement.  Just about everything in the article makes sense when talking about an enterprise data encryption system.

No, I don’t disagree with the content of the article.  What I disagree with is the placement of the article.  I disagree that this article should be placed in the "opinion" section of SC Magazine because Mr. Moulds is an EVP in Thales Group, which recently purchased nCipher.  And nCipher, according to their website, "provides state-of-the-art encryption management to the world’s most trusted enterprises."  So what else do we expect Mr. Moulds to say about encryption?  That it sucks?  That you shouldn’t look into it?  Sheesh.

SC Magazine’s editorial page says this about what kind of articles it will accept in the opinion page:

SC Magazine does accept vendor-neutral contributions for its monthly Last Word and Opinion sections. Offering viewpoints on timely and sometimes controversial subjects, these may also include some pragmatic advice to help readers deal with everyday problems.

If you can’t see through that smokescreen, then you need to get better fog lamps.  Please, SC Magazine.  In the future, do not allow vendors to write opinions in your magazine about the very technology they sell.  It doesn’t give me much of a warm fuzzy that the writer’s opinion is genuine, and it makes me question the integrity of your publication.


Company names getting crazy

I get a lot of foreign-language spam, and most of it gets sent to junk and deleted.  So while searching through my email today, I ran across these three emails.  The bottom two emails are identical, but when I saw the first couple of words, I thought they were foreign and almost hit the delete key.  Then I noticed they were from companies with crazy names.

Is it just me, or are these company names getting crazier and crazier?  Do they run these things through a random word generator or something?  And sometimes I wonder why they even bother since they are probably just going to get bought in a couple of months anyway.  Might as well just call them "Company A".  Does the name mean that much?  I know sometimes I get kinda confused when a tech company name does not reflect at all what they do or produce, but come on.  Anyway…

Evidence of Mac Elitism and Snobbery

Why is it when you praise Vista or slam Mac, you are a dumbass and a MSFT shill, but when you praise Mac and insult Vista, you are a wonderful and enlightened person?  This comes from observation of the blogs over at Computerworld (blatant plug – I blog over there as well).

Look at Seth Weintraub’s blog.  His blog is called Apple, Ink.  He writes about Apple and the wonders contained therein.  Look at his ratings.  Very few are anything less than +20, with many +30 and above.

Now, look at Preston Gralla’s blog.  His blog is called Seeing Through Windows.  He is typically pro-MSFT and even fairly anti-Mac.  Now look at his ratings: -100, -103, -182… Sheesh.  And he gets flamed every time in his comments as well, constantly being accused of being on the MSFT payroll. 

I don’t have a Mac.  I run XP on my laptop, and my wife’s new Dell has Vista.  And honestly, I wanted to try a Mac when we started looking for a new computer.  But the reason I didn’t buy one was because of price.  An Apple would have cost me twice as much money.  I can’t use the learning curve argument because Vista and Office 2007 changed everything up and drove my wife batty.  But at least it was a lot cheaper than a Mac, and it is damn fast (quad core, 3 gigs RAM, 7200 RPM SATA, HD, 128 meg nVidia video card, etc etc).

So if you own a Mac and you think it is the best thing since sliced silicone, then more power to you.  Just get off your preppy horse with a quasi-Mohawk and an earring and quit telling us PC owners that we are stupid.  Sheesh…


The Internet changes everything

The Internet is a nuisance. Really, it is. It never ceases to amaze me how much "trouble" the Internet causes.  Now I will be the first to say that it is possibly the best innovation in human history. But at the same time, it has also caused more problems, headaches, and heartaches than almost any innovation that I can think about. And it continues to redefine everything we do as a society and a race.

I know this is really not news, but it just struck me when I was poking around the news this morning and ran across this article about some websites looking to sue the state of Oregon over publishing laws online (I have written about issues similar to this about governments and publishing SSN’s online here and here).  Here’s some of the opening paragraph:

Both Justia and Public.Resource.Org have been at loggerheads with the State of Oregon over their desire to publish the state’s complete body of law online, for free. While that sounds noncontroversial—state law even requires the laws to be offered as widely as possible—the state’s Legislative Counsel Committee claims copyright over portions of its Revised Statutes.

And as I started to think of something to write about this, it struck me that this was really just a symptom of a larger issue. Basically, the problem is that no one has figured out just how to deal with these issues because we have moved so far so fast in the last 15 years.  But why can’t we catch up? 

Seriously, we have been moving at the speed of light with technology for the last 100 years or more, and we have always been able to catch up with safety and laws pretty fast.  Cars were invented, there was the first crash, and then we started figuring out that we need to have some kind of traffic control.  It may have been a while before it was worth a crap, but we caught up relatively quickly.  Then there were airplanes.  The Wright Brothers invented it (I have heard that it is debatable), then they crashed it and killed someone, and we figured out that we needed to make this safer.

Honestly, I don’t know how quickly people started figuring out that these types of things needed to be regulated.  Likely it was all about risk since there weren’t a lot of planes or cars around when they were first invented, so not a lot of safety was needed yet.  But we got smart eventually.  Consider this quote:

It’s like trying to predict back in 1910 the impact of the automobile on society – the highway system, gasoline refineries, motels instead of hotels, new dating patterns, increased social mobility, commuting to work, the importance of the rubber industry, smog, drive-thru restaurants, mechanized warfare, and on and on. The net will bring more than quantitative changes, it will bring "qualitative" changes. Things that were impossible will now become inevitable. – Larry Landwehr, 1993

The move to adopt the Internet and the rush to make it better and faster just came too quickly.  Just like the Wright Brothers probably didn’t imagine planes that could traverse the globe in a matter of hours, the inventors of the Internet never really factored into their design a worldwide public network that had to contend with a bunch of thugs trying to steal everyone’s information.  They were trusting souls who figured it would just be a bunch of geeks from colleges talking to each other over email because they couldn’t get a date.

But it became so much more so much more quickly than anyone imagined.  And it pervaded everything.  And now it is a struggle to catch up because the people who are really trying to fix the problems are often contending with the bad guys and the people who look like they are doing something and are really just riding the gravy train that the security issues have created (I have been guilty of that and still am in many people’s eyes since I sell security services and products).

So how do we fix this stuff?  Well, short of bombing us all back to the bronze age ("Stone Age" is so overused, and bronze is shinier), I really don’t know.  There are theories abounding.  Some people say we need to go back to the people and get them to buy in to doing things right.  Some people say we need to leave them out of the equation and just implement technology.  Others say we should just start over from scratch and build in security from the ground up.  There are books upon books and speakers upon speakers (two more lucrative by-products of bad security) talking about security and the Internet.  But it all keeps coming back to one thing: we’re still insecure.

What I don’t understand is how the bad guys keep figuring out how to break in when we supposedly have people out there trying to find the flaws before they do.  Is it simply a numbers game?  Do they have that many more people looking than we do?  Do they have a much more lucrative job than we do, so they are better motivated?  Is it because the countries in which many bad guys reside don’t give a crap or just don’t have the resources to catch them?  All of the above?  What else?

How do we get ahead of this?  How can we put the same amount of resources into this to find the vulnerabilities before the bad guys?  People have tried to create communities and projects where they pay for vulnerabilities.  But there’s no guarantee that they are the only ones getting the results of their research. 

You know what?  I don’t see an end to this.  I think there is really no way to fix it.  This simply is a human problem.  There have always been bad people, and there always will be.  And since humans are imperfect and will make mistakes, the bad guys will find ways to exploit those mistakes.  There are smart people on both sides, and they will continue to struggle against each other forever (I know, kind of melodramatic).  All this talk about "security should have been built in" is just a pipe dream.  Security Nirvana is not possible.  There will always be mistakes.  Every time we come up with something new, someone figures out how to break it.  And yes, part of that may be because it is based on old, insecure technology, but the human element will always creep in.

I just don’t see another way.  Yes, there can be some model changes when it comes to how stuff is sold and what really works and other things can be factored in to make change happen on a substantial level.  But this is really what we have to work from.  I know there is a lot of room for discussion here, and I welcome it.  Please help me see this differently.  But for right now, this is how I see it.  I am not being cynical.  I am not quitting on security.  I just think it is going to be a protracted battle that will require dedication and persistence. 


Pwned customer Still running rampant

I went out to see one of our customers this week who had their web app pwned a while back.  This is the second client since I have been with Accuvant that we were trying to help via our security assessment services who got smacked around before they could make up their mind to spend the money or not.  It has been several weeks since they were attacked, and they are still running around like school girls with their hair on fire. 

Yes, they are making a lot of progress (much of it due to us having a couple of guys helping them out for the last 4 weeks).  But the point is that they could have avoided all this craziness and stress if they would have made the right choice in the first place.  Like I have said in the past, business decisions have to be made.  But when you are a financial company that serves a lot of customers, you need to make sure due diligence is performed.  Sitting on your hands is not an option.


You can take the "A" out of security, but you can’t take…wait… what?

Since I haven’t been doing a lot of serious posting for a while, it has been a while since I had an altercation with The Hoff on anything.  But now it is in full swing, and I have to say that I have missed this a lot!

So here’s the deal for those of you just joining the program.  There was an article posted a couple of days ago that said business people were becoming more concerned with availability than security.  I expressed my incredulity here with a very simple and direct question.  I got a quick verification of my point by Mr. Wismer, and I felt I had done my duty in protecting the CIA Triad once again.  I think the first time I posted about this was back in March of 2007, when OpenBSD people were discounting a buffer overflow vulnerability in their code as NOT a security issue.  This simply befuddled me because availability, in my old world, is an inseparable part of security (And Chris, it does mean what I think it means – “old” doesn’t mean we are old, maybe just conservative).  I wrote this off to some people trying to get away with skewing statistics so they looked better on the security reports at the end of the year.

Of course, I could not have been more wrong in thinking that my day of heroic pursuits was done.  First, I got the scalpel from Dr. Chuvakin (I know, I know… he’s not that kind of doctor – but it sounded cool.  And seriously… PHYSICS??).  Then I got drop-kicked by The Hoff on my blind side (which, incidentally, is the direction from which Chris always hits – not complaining at all, he just seriously has a really cool mind that makes him have wonderfully refreshing lines of thought).

So I saw all of this, weighed responding against how much work I had to do so I could have family night with the wife and kids, and I decided to work.  So by the time I got around to hitting back, I really didn’t feel like arguing too much.  But I did a little bit, and that quick quote can be found here. Chris responded and called me a redneck. 🙂  Mr. Wismer entered the fray again. Chris posted about it so it would have better visibility.  Anton presumably has better things to do (I don’t blame him at all).  And one more comment by Chris, and here we are… sheesh…

OK, now that you are all caught up and have read all of the comments and posts with serious interest, here’s my response… What were we talking about?  Oh yeah, information security…

So I thought originally that Hoff missed my point on the first comment he made.  He seemed to think that I thought the “C” and the “I” should come before the “A”, just like all us old dogs with allergies.  Of course, that is not what I meant at all.  I was actually arguing that people keep taking the “A” out of information security (search for CIA Triad on your favorite search engine).  So now this article pops up, and I really got a little peeved. 

Now, as to Anton’s point, this article was from more of a business centered IT magazine.  So I get it from that angle.  Chris even argues from that angle as well.  But still, Chris’ first take on my argument was not correct, and I felt that I needed to clarify that.  I think in some weird way, we were actually agreeing.

But my overall point in all of this is that I think the definition of information security has been skewed as security has been more and more commoditized.  And I don’t necessarily disagree with the skewing because I think the definition has actually become almost all-encompassing and has removed a lot of stovepipes that needed to go away.  EVERYONE touches security now.  From the switch guy to the server gal to the router dude to the firewall chick.  Sure, the “security” group may tell those people what buttons to push, but the “on-the-front-lines” people still push the buttons. 

In the same way, there really is no pure security solution out there now.  Too many products serve dual purposes.  Almost every product, whether it be an application or an appliance, has security built in.  It may be nothing but a marketing gimmick so the word “secure” can be placed on the website, but no one disagrees that it is there.  Take for instance the switch.  Not too many years ago, switches did nothing but push packets.  Now they are becoming an integral part of security through 802.1x and other NAC functions.  Take the firewall and router.  Those two products, at least for the SMB, are becoming a single product.

And because of that, many companies consult on IT practices as well as security practices because you really can’t separate the two anymore.  IT frameworks build in security now (ITIL and COBIT).  Chris says risk management encompasses security, and I see his point.  But my take is that security is the whole, and ALL the other areas are pieces.  Yes, people still code and expect the network to protect the code, but that is becoming less common.  I see it every day just as you do, Chris.  I see people getting pwned due to application vulnerability.  Just ask Jeremiah Grossman and my friend David Nester from HP who is now posting on this blog.

Security has to be thought of almost before anything else.  Have an idea that is going to revolutionize the IT world?  My first question is, “How do you secure it?”  And that means, “How do you make sure it is available while at the same time making sure everyone’s data doesn’t get leaked?”


Getting slammed in my CW blog

Man, am I getting hammered for my latest post over at Computerworld about the DDoS launched on the Church of Scientology! I really can’t engage in a lot of back and forth over there since it is not my personal site, so I will do it over here.

For all you people slapping me around over there, let me ask you something.  Do you advocate the use of DDoS attacks every time you don’t agree with someone?  I am seriously dismayed when an attack is downplayed such as this one.  Yes, the school was inadvertently attacked.  Yes, COS was the original target.  And maybe the attack only lasted for a few minutes.  And an apology may have been issued… BUT THAT IS NOT THE POINT!!!

This is illegal, and it is irresponsible.  Tom Cruise may be weird.  L. Ron Hubbard may have made up a cult out of whole cloth.  But they are still an organization that has the right to exist and practice their religion.  Just because they are strange does not give you the right to make the Internet your personal playground.  These things always end up affecting other people, even if it is for a few minutes.

Grow up people.  Quit hiding behind the anonymity of the Internet and do something about your issues the way grown ups do.  Call people.  Write letters.  Protest on their front steps.  Get the attention of the media and the people WITHOUT acting like brats.

Put in an enterprise system BEFORE you become enterprise level

I had a client call me right before Thanksgiving in emergency mode (one of the Dallas clients that I am starting to work with).  Looks like he has a remote office that uses the local cable company as their ISP and connects back to corporate via a site-to-site VPN.  I found out that they have never set up a persistent IP address for their firewall / router.  Basically, they had been depending on the DHCP lease renewing rather than spending the money for a persistent IP (bad choice).

This client is new to me, so I had no idea what their network is like.  My counterpart in Dallas (this has been his account for a while) was out for the week, and it was proving very hard to get in touch with him since his wife had just had a baby on that Sunday.  The client was understanding, but he was also starting to freak because the remote site had a few VPN tunnels terminated there because of a server at the location that was used for processing orders.  Anyway, to shorten this down so I can get to the point, I finally got in touch with the SE in Dallas and got it all straightened out (I will be fixing it again for him tonight since he finally decided to get a persistent IP), and the guy was happy.

So I talked to the account manager and the Dallas SE, and I learned a few things about the account.  First of all, this guy was running (obviously) a mish-mash of ISPs at his sites, so management of that sucked when a site went down or had other issues since he had to keep all those ISPs’ info.  Also, he used to have a couple of people on staff to work on their IT issues, but he let them go a while back, even though the company is in growth mode and doing well.  And I learned that the AM and the Dallas SE had tried to get this guy to buy Netscreen Security Manager (he has Netscreen 5GTs in his remote sites and a NS25 at corporate) to make his network manageable.

So essentially, even though this guy was growing and was adding sites, he wanted to run everything on the cheap.  And he was depending on us to fix his problems when he had them, even though Accuvant is not a break / fix type of company.  We do everything project based – the only real flexible assets we have are our SE’s like me, and we are supposed to be pre-sales only, so we were basically helping the guy out on the hopes of new business.

So I went up to meet the guy after we got everything straightened out in the hopes of getting the guy to bite off on some enterprise-level networking.  Of course, I should have known better.  I have known guys like this all my IT career.  They will do everything in their power to get something for free, and they won’t quit until you realize you are getting screwed by doing a bunch of free work.  And though I can’t say I blame the guy, it also aggravates me that this guy could not recognize that he was becoming too large an organization to manage in this kind of piss-poor manner.  I understand making business decisions, but at some point the term “cheap” starts coming into play.

If you want to be an enterprise, act like one in all respects.


Does security nirvana exist?

I know, I know.  I can answer that question with a resounding “NO” and get on with things.  But seriously, what does it take to even approach security nirvana?  I mean really, there are so many people spouting theories about where we need to go to make the Internet secure.  Then there are a bunch of frickin’ criminal scum suckers over in Russia and China and America and wherever doing everything they can to keep fifteen steps ahead of us trying to plug the holes.  And then I take a closer look to see if we really are even plugging the holes (selling product sure as hell doesn’t do it).

Seriously folks, I know the answer to the question.  But how can we keep going down this road if we can’t even approach a state where we don’t have to look over our cyber shoulder every night and day?  What are we fighting for?  Where did the fight turn into a battle for money instead of a battle for security?  I also know we live in a capitalist society.  I AM a capitalist.  Nothing wrong with making a buck.  But I feel like such a cog among a bunch of cogs.  Where the hell is the wheel??  

I know I sound depressed.  And maybe I am a little.  Maybe it is just because it is 12:35AM right now.  But I just feel like so many of us have lost sight of what it takes to make things secure.  Products have a fit in security.  But with so many of us pushing product after product after product and not looking at security overall, where are we getting to?  When did the industry turn into a churn and burn machine?  This feels like an uphill battle, both ways, in the snow.

I know Alan will probably call me a young, naive punk again (OK, he didn’t call me a punk), but sometimes I have to stop and make sure SOME of my ideals are still there.  Otherwise I just become a big glob of compromise, picking up the lint and dirt on my way to security hell…


If you tell a fact in a forest and you haven’t written a security book, is your fact wrong?

OK, I was going to leave this one alone, but it is just bothering me so much. A couple of weeks back, I wrote a blog post about a comment I had left on a post by Douglas Schweitzer at his Computerworld blog. Douglas said in his post that a bot was “essentially just another term for an infected computer.” I took issue with this and wrote a comment as such, then I posted the comment on my blog. I also noted that I wasn’t slamming Douglas in any way. I just felt the error needed to be corrected. Douglas argued on his blog that it was semantics, and that is probably true to a degree, but oh well. I let that go (actually I tried to post another comment on Douglas’ blog, but I think I put too many links in to prove my point because it never popped up – probably looked like spam).

But then out of the blue I get a comment tonight from somebody named David. He says, “And how many computer security books have you written? That’s what I thought…”. My comment to David was:

What the hell does that have to do with the price of tea in China? Do you worship Douglas or something?

Now, I realize that was probably not the most constructive of comebacks, but this really pisses me off. I guess my correct statement about what a bot is does not count because I have never written a book about security. How utterly moronic and completely stupid can you get? That is like saying you have to write a book on weather before you can say a tornado breaks stuff!

If it is because I was correcting someone that has written security books before, that is just as stupid. Writing a book does not make you infallible.


An RSS tip for bloggers

PLEASE, PLEASE, PLEASE do not truncate your post in your RSS feed. I use Blogbridge so I can pull down my feeds and read them when I am running around and don’t have Internet access. When I get to your blog and I see something interesting, if the post is cut off in the feed, I can’t get to it. Drives me frickin’ crazy!

OK.  I’m done.


Medical firms losing data – Dude, where’s my teeth?

Anyone heard of any action against these medical companies under HIPAA regulation? Neither have I.

This is the problem with government trying to fix a problem. While I agree with the basic attempt HIPAA is making at securing personal medical data, it just makes no sense to have anyone try to comply when nothing happens if you don’t.

And when a few CEO / CFO / COO types see this story and don’t see even any attempts at prosecution in the next few months, then they will start rethinking their investment in security.

Another thought is that these companies are HIPAA compliant and still have problems. If that is so, then it goes to show you that compliance does not equal security.


Confidentiality, Integrity, and AVAILABILITY

So Determina released an advisory about a bug they found in IE in Vista. They ran a simple ActiveX fuzzer against it, and it crashed. They were surprised that it worked, and so am I. However, that is not the whole story.

When they reported the problem to MSFT, Microsoft concluded that it is just a stability problem and not worthy of fixing in a security release. Determina agreed, as this statement in the advisory shows:

We have confirmed that this issue can be used to cause the instance of Internet Explorer to exit when viewing the specially crafted Web page. We have confirmed that there is no possibility to use the bug to do anything beyond that, e.g. execute code.

As such it is more along the lines of a stability issue and would be treated along similar issues reported into Microsoft using the Online Crash Analysis system.

OK, this just befuddles me. Since when did people start ignoring the “A” in the CIA Triad? Availability is essential to security. I made this point in an email discussion thread I am currently involved in:

Microsoft complained that the flaws HD Moore found in IE were stability problems and merely resulted in crashes rather than actual vulnerabilities. Remember the CIA triad, people. Confidentiality, Integrity, and AVAILABILITY. If a company relies on web applications for its livelihood, you can bring said company to its knees if you make IE unavailable. It is still a security problem.

Any stability problem deserves to be classified as a security problem if the possibility of denying access to data or services exists. And there are many companies out there that rely on web services for their livelihood.

Microsoft, FIX IT!

Determina, go take a class in security.



Cisco and Cybertrust team up on PCIDSS

Seems like Cisco has partnered with Cybertrust in creating some kind of PCI-geared hardware package / solution. Cybertrust is supposedly giving this amorphous hardware blob (I guess a hardware package can be customized for each scenario) the PCI checkmark. OK, so which company is going to purchase this package for its stores and tell its auditors, “we’re PCI compliant because we bought this crap”?

From their news release:

Part of the Cisco PCI Solution for Retail, a set of recommended and audited network architectures that can be tailored for each retailer’s specific store footprint and application needs, Cybertrust has provided its PCI subject matter expertise to validate that the Cisco solutions are optimized for PCI compliance. The Cisco PCI Solution architectures provide guidelines that help retailers manage the complexities associated with the PCI Data Security Standard.


Computerworld Australia warns against this as well.


OK, am I being too defensive?

I am attending the RSA conference in February as press because of my Computerworld blog. I applied at the RSA Conference site, and they accepted me. And like Martin has been posting, I have been getting multiple requests for interviews, briefings, etc. from security companies that are attending.

Well, today I received an email from a public relations firm that did not tell me who they represented. Here’s the text of the email:

Hi Michael,

I saw that you were attending RSA on behalf of Computerworld. I’m just curious – are you attending for content for your blog postings or are you acting in more of a reporter capacity for Computerworld at the conference and planning to write on hard news and discussions with folks who have a presence and activity at the conference?

I don’t know about you, but I was offended by this question. So, because I blog I am not legitimate? Here is my response:

It is for my CW blog and my personal security blog.

And though I may just be feeling defensive, and I also suspect you are not being purposefully belittling, many bloggers would take issue with the tone of your question. Blogging is a completely legitimate news source and is considered by many to be “hard news”. I think this is proved out by RSA accepting so many bloggers as press. And “discussions with folks who have a presence and activity at the conference” are excellent sources for blog posts. In fact, I am interviewing a couple of people for my blog, and these people are security professionals and security industry executive types.

Just because bloggers post their opinions (because we both know “hard news” reporters never report their opinion, right?) does not mean we are not a valid news source.

Anybody else take this as I did? Am I being too defensive?


Requiring sex offenders to register IM names and email addresses

I just wrote a post over at Computerworld entitled The Security of Web 2.0 – an Oxymoron. Then I find this story about Senators McCain and Schumer proposing legislation that will require sex offenders to register their IM names and email addresses. I need to read more about this bill. Like typical security legislation passed by our government, this one appears on the surface to be nothing but security theater and something else to boost Schumer and McCain’s appeal before the presidential elections.

Think about it. How difficult is it to create a different IM name or email address?

The registration provisions would make failure to notify the authorities of all e-mail addresses a felony punishable by up to 10 years in prison.

Uhhh, so? These perverts are already breaking the law and facing jail time and some serious nastiness in the big house (child molesters supposedly don’t fare well in prison – though I have no proof of that). What makes anyone think they are going to change their ways because of another law?

Don’t get me wrong. I am fully on board for catching these “people”. I have children and would unleash all hell if one of these sick, twisted individuals even came close to one of my kids. But another law on the books that effectively does nothing to help the situation is just words on paper. Just make the behavior illegal (which it is) and make the punishment such that if the perv is caught he never sees the light of day again (there are a couple of punishments that would fit that description – you decide which one is right for you).


Ding Dong…DDoS is dead!

CJ Kelly, a blogger at Computerworld, proclaimed yesterday that the Internet is safe from DDoS. She says:

…maybe 5-8 years ago this was a possibility, but I don’t think it’s possible to do a large scale DDoS attack any more.

Man, I am so happy to hear this news. You can’t fathom the relief at hearing Ms. Kelly announce our newfound safety. I am so indebted to Ms. Kelly for fixing the Internet yesterday right after she posted this announcement.

What was that?  What happened yesterday? Well, let’s see. A business web service provider called CrystalTech went down for four hours due to a DDoS attack (it happened the same day she wrote her post). I am glad that isn’t going to happen anymore.

Oh, and EveryDNS was hit hard last week with a DDoS attack that took them down for 1 1/2 hours. I am totally relieved that we won’t see that again.

I also seem to remember a company called Blue Security closing its doors in May because a nutty spammer decided to DDoS them and started causing trouble all over the Internet. Here’s a quote from the article:

The attacks not only disrupted Blue Security’s operations but knocked out the Web blog hosting service Six Apart and a handful of Internet service providers, including Tucows.

Man, I am so happy we are done with DDoS attacks.

OK, I guess that is enough. CJ Kelly’s post is nothing short of ridiculous. I mean, really. Does she write from a black hole where the only articles she can find to support her are Cisco press releases and product whitepapers? I’m not kidding. Look at her links to Cisco. It is friggin’ Cisco propaganda that she calls “informational pages”.

Holy crap, my head is about to explode.

Ms. Kelly, please do some research. Please read the news. If you are a “real world Information Security Officer” as it says in your CW bio, I beg you to better serve your company and the information security industry by informing yourself before you start writing.


Security Blogs and Politics

Before you read this post, go take a look at my “Rules” for my blog.


OK, now that you are back, let me piss off some people.  During this election season, I have to say that most of the security bloggers out there stayed out of the fray by sticking to what their blogs are about, namely: security.  And my blog rules state that I will do the same.  Basically, if you want to discuss a law or other political issue that pertains to security, then fine.  I will do the same.  Martin McKeay and I have had our friendly blog disagreements concerning phone tapping, phone tracing, tracking terrorists, and privacy stuff.  Alan Shimel and I have done the same to a degree.  All that is fine because that kind of stuff is relevant to security.  You can make judgements and assumptions as to our political leanings based on what we have posted (and maybe the region of the country we each live in), but that is no guarantee as to where we stand because we have made no definitive statements on the subject (I haven’t read all of Martin’s or Alan’s stuff, but I haven’t seen it in any of the stuff I have read).

I say this because I read a couple of posts from security bloggers during this last election season that, in my opinion, are just a little off.  One post was by the Great One, Mr. Schneier himself.  He says he is glad to see the Republicans get some of the brunt of the electronic polling problems.  He backs off of that kinda quickly, but it shows his bias clearly.  Another is by a blogging buddy of mine, Christian Koch (might not be a buddy after I write this, but I hope all is still well).  In his post, he doesn’t even try to hide his feelings at all (not saying that he should have to, but you will see where I am going with it below).

First of all, I want to say that I respect everyone’s views, even if I don’t agree with them or understand them.

Second, if you have a blog, then it’s your fingers doing the typing, so you have full freedom to write about anything you want.  I get that, and I would never say you can’t. 

However, don’t we, as security bloggers, owe it to our readers to stay a level above all this mud slinging and give content that is relevant to security?  It seems a tad bit like false advertising if you have a blog that is advertised as a security blog and you use it to blast a politician or a political party because you don’t like their politics.

And another reason not to show which side you are on is because it tends to taint your readers’ opinions of you from then on.  If you try to come at an argument with logical, non-biased opinions, your debate will still be tainted by your blatantly-stated political beliefs.  That is no better in my mind than if you stated that you liked TippingPoint IPS better than anyone else’s, then tried to go into a debate about IPS products and tried to stay neutral.  There is nothing wrong with stating your opinion on the matter because you are free to say what you want.  But your opinion will be tainted from then on.  And you would never again be able to be neutral on the debate (at least, not for a long time) because you can’t switch to neutral once you have got in gear.

Anyway, my two cents’ worth.  You may think I am just frustrated because I did not like the outcome of the election.  But you really can’t make that statement, because I have never said which side I am on, regardless of how many clues you think I have given.  So there!

And Christian, just to hopefully ease hurt feelings, I thought the cartoon in your post was pretty funny.


Election Day is almost here

Some points:

  • Whether or not you are worried about all the problems with electronic voting machines, you need to go vote. 
  • Whether you are Republican, Democrat, Green Party, Libertarian, or Independent, you need to go vote.
  • Whether or not you are fed up with Washington, you need to go vote. 
  • Too many people have paid the ultimate price to give you the right to vote for you to sit on your ass watching TV tomorrow. 
  • It is your duty.


Go vote.


TV / Movies and security

I’ll be the first one that says TV shows and movies are hardly based on reality.  But when they screw up something that is near and dear to me, I get very upset. 

For instance, I was in the Army and Army National Guard for over 7 years.  Though I was never a career soldier, I still took it seriously, and I still do today.  Maybe too seriously.  I get very upset when I see a TV show or a movie that screws up things like rank insignia (Army sergeant rank on upside down in some sitcom I watched) or basic military rules (you do NOT salute indoors unless you are reporting to an officer – that mistake is in too many military movies).

This feeling also bleeds over big time into my chosen profession of information security.  There is a new show on NBC called Kidnapped that I have been watching and enjoying for the last few weeks.  Basically, it is about a rich family’s son getting kidnapped and the family trying to get him back.  There are all kinds of twists and turns in the plot.  The dad used to be into some bad stuff, so it seems to revolve around someone getting back at him or trying to get some stuff from him. 

Anyway, last week the family’s hired gun (ex-military, police dude, etc.) gets asked by the FBI for help.  They want him to apply for a job with a civilian-run military company (basically, mercenaries) that supposedly has info on some people they think are involved in the kidnapping.  The guy goes through some weird psych-interview, then he is placed in front of some computer by himself that has a program running with pictures flashing.  The guy looks around, then easily opens some access panel to the PC and inserts a “remote control” device in some very conveniently-placed access port.  Of course, I am thinking, “where are the cameras that should be watching this guy?” 

Then, as the agent outside in the FBI van (real unique, right?) takes over the running of the program, he runs down the hall, guided by the blue prints of the inside of the building (which that type of company probably just publishes on the Internet) and strolls into the server room with no challenge and no lock on any door that I can see.  There are racks of servers, switches, etc.   Then he sticks another device in the “mainframe”, and away they go. 

He does get caught, but it was only because another agent ran in the building and called a security alert in a ploy to get the main bad guy to start erasing sensitive files.  They capture the screens (with all pertinent information on the first screen – nice, huh?), thus saving them the effort of searching through records.

Yea, ok, right.  I know it probably shouldn’t bother me, but that just pisses me off.  At least TRY to make it somewhat real.  I think even a layperson without security experience would probably be thinking, “where’s the security here?”



Selling security to government may be profitable…

…but it is also one big pain in the neck!  I have been thrown into the process of answering an RFP (request for proposal) for a city government down here in Texas, and I cannot begin to tell you how tedious and ridiculously complicated the whole process can be.  RFPs can be complicated enough with corporations.  But when you get one from a governmental entity, you have so many other things to worry about (there are a ridiculous number of special considerations and conditions when you do work for governments).

Another thing I am finding out first hand is that many government workers (not all, but I wouldn’t think it too far from the truth in saying most) are functionally inept in their positions, at least when it comes to technical matters.  Though I have had some inkling of this from talking to peers over the years, it amazes me when I see it so closely. 

First of all, the RFP is very poorly written.

Second, it is incomplete.

Third, when you try to ask questions to work out the inconsistencies, the answers are often, “Because I say so”, or “Don’t question why our network is setup as it is.”

I don’t know if we will win this contract or not.  If we don’t, then we have wasted a LOT of man hours.  I guess it is worth the payout if it happens, but I have to wonder if anyone has figured out the cost of NOT getting one of these and compared it to the potential profit.  I am sure someone has. 

And if you are thinking that I make a salary, so it doesn’t matter, then think again.  I have about 4 projects for which I am either scoping or actively talking to clients to complete.  Two of these are sure things, and two are 50% or above on probability.  And these aren’t some small deals you can just sneeze at.  There is good money to be made here. So the more time I do this dang RFP, the less time I am working on some potentially good profit for Accuvant.  All to work on a deal that no one has a good idea whether it will come through.

Oh well, business is business!


Dang you Citrix! Dang you to Heck!

OK, let’s imagine you are an international company that has a product used by thousands of companies all over the world.  Hundreds of people call you daily to get support for your product.  Your HQ is in Florida.  You know a hurricane (actually, a Tropical Storm) is heading your way.  In fact, you have had SEVERAL days of warning.  Do you, or do you not, redirect calls to an alternate call center?  My vote: you do!

Obviously Citrix doesn’t think the same way.  I am writing this post at friggin’ midnight because I have been working on a Citrix issue, and I can’t contact Citrix in the US because they are closed due to the weather, and “thanks for the understanding”.  No advice to call another country (like Australia) or even an attempt to redirect calls.  Just “too bad, so sad”. 

Come on, Citrix.  This is crap and you know it.  I hate it that another storm is hitting Florida, but who is running the show over there?  Sheesh!


Today’s technology vs. “what would be great!”

I am going to try to make this short since Treasure Hunters is about to come on, so here goes.  I posted yesterday on my Computerworld blog about some stuff I wrote for a friend of mine on two-factor authentication.  I checked back today to see if I had any comments, and I did (woo hoo for me).  I read the comment, and here is part of what I got:

What is needed is “smart” content that works with multiple trust levels, that self-authenticates not only the content but the user as well. This is done using a modified token inside the content. It also creates an audit trail within a token receipts for archiving.

Content-centric security allows content to be securely transferred globally and outside the enterprise, without centralized authority. No, there is no standard but this approach solves most, if not all, of today’s issues concerning authentication.

OK, this really gripes me.  First off, there is so much of this “we need this” and “we need that” and “it would be great if…” and “this would solve so many problems” that I am going to puke.  I am just tired of hearing it.  Yea, there are a lot of things out there that need to be done, but since when does a “need to be” turn into something tangible overnight?  Not to mention the fact that this guy sounded like he was trying to sell something and then didn’t even link to a website or anything.

I am not arguing whether this guy is right or wrong.  I am not arguing whether or not the state of InfoSec needs to change (it does).  Basically, I just want people to be realistic and deal with what is available today.  I am not asking for status quo.  I just want people to recognize that us guys and gals in the trenches need to use products that are on the market now.  If we were supra-geniuses that could make up new technology to protect our network while sleeping, then we would do it.  But we aren’t and we can’t (I guess I should speak for myself).  We rely on those people who research this stuff to do that. 

So friggin’ stop arguing with me every time I say multi-factor authentication is a good idea!  It is what we have today.  Just because it can be compromised in some fashion does not mean I should take it out of my network.  Once again, DEFENSE-IN-DEPTH!!  It is another layer.

I am not against research and looking for something new.  I just am tired of being preached at about how something is better when it ain’t even sold by anyone yet!  Sheesh.


Is Microsoft too good to use fuzzers?

Just got through reading this article at Security Focus. So basically, fuzzers are becoming more and more prominent in finding flaws in applications (they have been around a while, but they are now gaining notoriety with the general populace). More and more flaws are coming out on all sorts of applications, but the main focus is on Microsoft products, with the lion’s share being found on Office products.
This makes sense because Office is used so widely. People trying to make a buck are going to search for flaws on a widely used product, unless they have a specific target in mind and know what other apps they use. You could also say this makes sense because Microsoft makes such crappy products, and you would be partially correct. Fuzzers have been used to find flaws in non-MSFT apps as well (Flash, Shockwave, RealPlayer, etc.), so the threat is not just with Microsoft products.

But the point here is this: if the baddies are concentrating their fuzzing efforts on Microsoft products, where is the news that Microsoft has started actively using fuzzers to find flaws in their code? Where is the news that the giant has hired HD Moore to start an active campaign to find flaws in their products so they can start fixing the issues before they are used by baddies?

Look at this quote from the article:

Moreover, the flaws reported to date are only due to a limited amount of effort using fuzzers, TippingPoint’s Dhamankar stressed. Researchers do not typically have access to the detailed information about file formats for Microsoft’s Office, so their efforts to date have been limited.

Does this mean since the good guys can’t find the flaws that the baddies won’t either? No. The flaws will be found eventually. It means that Microsoft has the opportunity to find the flaws before anyone else because they know more about the code than anyone else. Microsoft needs to step up and start finding and fixing more flaws using other tools besides their own.
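To make concrete what a vendor running fuzzers against its own code would actually do, and to tie it back to the Confidentiality, Integrity, and AVAILABILITY post above, here is a small mutation fuzzer harness. It is an added example, not code from this blog, from Determina, or from Microsoft. The record format, the deliberately fragile `parse_records` target, and the helper names (`mutate`, `crash_type`, `fuzz`, `minimize`) are all constructed for the illustration. The harness mutates a known-good seed input, records the first input that triggers each distinct exception type, and greedily shrinks one crashing input so the developer has a small reproducer to fix. Note the triage stance: every crash is logged as a finding, because a parser that dies on crafted input denies service to whatever hosts it, whether or not the bug can be pushed any further.

```python
"""Mutation fuzzer harness (added example; not code from the page or from any
vendor it mentions). Target format and all names are constructed for the demo."""
import random


def parse_records(data: bytes) -> list:
    """Toy parser for a constructed format: [1-byte length][payload] repeated.
    Bug planted for the demo: it assumes every payload has a first byte, so a
    zero length or a truncated final record raises IndexError. In a real host
    process that uncaught exception is a crash, i.e. an availability problem."""
    records = []
    i = 0
    while i < len(data):
        length = data[i]
        payload = data[i + 1 : i + 1 + length]
        tag = payload[0]                     # IndexError on an empty payload
        records.append((tag, payload[1:]))
        i += 1 + length
    return records


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: bit flip, byte insert, byte delete, or truncate."""
    data = bytearray(seed)
    op = rng.choice(("flip", "insert", "delete", "truncate"))
    if op == "flip" and data:
        pos = rng.randrange(len(data))
        data[pos] ^= 1 << rng.randrange(8)
    elif op == "insert":
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    elif op == "delete" and data:
        del data[rng.randrange(len(data))]
    elif op == "truncate" and data:
        del data[rng.randrange(len(data)):]
    return bytes(data)


def crash_type(target, case: bytes):
    """Return the exception class name the target raises on this input, or None."""
    try:
        target(case)
    except Exception as exc:           # any uncaught exception counts as a crash
        return type(exc).__name__
    return None


def fuzz(target, seeds, iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Feed mutated seeds to the target.
    Returns {exception name: first input that triggered it}."""
    rng = random.Random(rng_seed)      # fixed seed so a run is reproducible
    crashes = {}
    for _ in range(iterations):
        case = mutate(rng.choice(seeds), rng)
        kind = crash_type(target, case)
        if kind is not None and kind not in crashes:
            crashes[kind] = case
    return crashes


def minimize(target, case: bytes, expected: str) -> bytes:
    """Greedy shrink: drop single bytes while the same exception still fires."""
    shrunk = True
    while shrunk:
        shrunk = False
        for i in range(len(case)):
            candidate = case[:i] + case[i + 1:]
            if crash_type(target, candidate) == expected:
                case = candidate
                shrunk = True
                break
    return case


if __name__ == "__main__":
    seeds = [b"\x03abc\x02xy"]         # constructed valid input: two records
    found = fuzz(parse_records, seeds)
    for kind, case in found.items():
        small = minimize(parse_records, case, kind)
        print(f"{kind}: {case!r} -> minimized {small!r}")
```

Running the module prints the exception type and a shrunken reproducer (for this toy target, an input such as `b'\x03'` or a record with a zero length byte). Swapping `parse_records` for a real parser and `seeds` for a corpus of valid files is the whole change needed to use the same loop on production code; the crash bucketing by exception type is the simplest form of the triage that decides which findings go into a security release.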


Watch your back, but DO YOUR JOB!

Bear with me here.

I drove a tank in my Army days, and one of the things I learned was that the M1A1 Abrams tank was built with a low profile so it would be less visible to the enemy. But notice one word in that sentence: enemy. You don’t build it with a low profile to be less visible to your allies because you don’t expect them to be shooting at you.

The same principle is true in security. You build your infrastructure with a low profile so as to avoid attacks. You shouldn’t rely solely on a low profile, but it is a good layer. And again, you are putting these measures in place to protect against baddies, not your friends.

Now, in the first scenario, friendly fire sometimes happens. You put things in place to minimize this from happening. In the second scenario, this type of friendly fire happens when an insider unmaliciously screws up. You also put up defenses in a network to protect against dumb users.

But what happens when you are maliciously attacked by your “friends”? Well, good commanders make sure they have defenses against this as well. But you really don’t put in major defenses against this scenario. It is not a common enough occurrence on which to spend a high amount of resources. (A point to note: in war, if an ally becomes a turncoat and shoots at their own side, it is not termed “friendly fire”)

Here’s where I am going with this. Martin McKeay linked to this article in this post. It is the nightmare of nightmares for a security manager: Asking the powers-that-be to invest in security then getting fired because they didn’t invest and your security got breached. Bad, bad stuff.

But in the very first comment to the post, a commenter said, “He pushed too hard to do the right thing and made himself too visible and unpopular.” High visibility may have got this guy fired. Only that security manager and the CEO know whether this is actually what happened. But that doesn’t matter. What matters is that the advice the commenter is basically giving is to keep your head down and do your job. This flies directly in the face of some of my recent advice on my series for making yourself a more successful security manager / admin.

I will stick by my advice: make yourself visible, let others know what you are doing. I have never said push until you piss someone off, but that will happen sometimes. It may have got this guy fired, but if he had not pushed and documented that he pushed, do you think he would have a chance in H-E-Double-Hockey-Sticks to bring suit against his previous employer? Nope.

So, protect against the attack, remain visible, and watch your back. Don’t try to get along just to keep your job. I would rather DO my job than just KEEP it. But that’s just me.


InfoWorld posts article on rising number of SQL attacks – ooooook….

OK, I am usually fairly impressed by InfoWorld’s articles and other writings.  I get the magazine, I subscribe to their news feed.  But this InfoWorld article read like it should be in the Times or something.  They put a title of “Hackers Striking Databases in Record Numbers”, give us a couple of stats, and then go on to explain SQL injection attacks.  Who is InfoWorld’s target audience?  

Here’s something from the “About” section of InfoWorld’s website:

InfoWorld Media Group delivers in-depth coverage and evaluation of IT products for technology experts involved in major purchase decisions for their companies. InfoWorld reaches the most influential readers through its integrated online, print, events, and research channels.
InfoWorld provides specialized IT coverage for the CTO, senior-most company executives who are deeply steeped in technology expertise and experience.

I am not usually one to attack, but this is ridiculous.  If you are a “senior-most company executive” who is “steeped in technology expertise and experience”, then you know what a SQL injection attack is.  This article really does not give any useful information.  Couldn’t there have been some more in depth detail on some of the attacks?  It just felt like the top paragraph was written, then there was a cut and paste from some other article.