At DojoSec the mission is to spread security knowledge in all forms of delivery. Our newest effort is called DojoSec Sessions which will feature screen captures and presentations from top-notch security professionals. DojoSec presents Jeremy Brown with an excellent presentation on Finding Vulnerabilities with Static Analysis. Thanks Jeremy for your contribution!
Monday, December 7, 2009
Monday, November 30, 2009
Mobile Communications Security Symposium
REGISTER ASAP - The Capitol College Innovation and Leadership Institute will host the Mobile Communications Security Symposium on December 4, 2009 from 8 a.m. to 12 p.m., on campus, in the Avrum Gudelsky Memorial Auditorium. There is no cost to attend this event. To learn more about the program and the speakers, please visit http://www.capitol-college.edu/news-events/news- headlines/698 .
To register for the symposium:
Send an email to ili@capitol-college.edu
Subject: Register, Mobile Comm. Security Symposium
_MJC_
Wednesday, November 25, 2009
Marcus' Mailbag: Policy, Enforcement, and Monitoring
I received the following email on Commercial vs. Open Source, Policy, Enforcement, and Security Monitoring. I'm posting this email in order to share some of the views. It could be perceived as a bit of a rant, but I'm posting it below because it could spark some thought and conversation. Let me know what you think. If you have problem with the grammar, please rely on context clues. _MJC_ :)
=-=-=-=- BEGIN E-MAIL -=-=-=-=
In the Network security field they are vendors that sell products. They claim the products will catch the bad guys, disassemble malware and save the world. All we need to do is buy their products.
Then they are those Open Source vendors that sell support of some open source tool like Clam AV or Snort all we need to do is use it right and we are safe and they sell themselves as consultants. This model for doing business is not new, In the Financial services industry you have those who claim to be financial planners and when you go and see them they do a budget workup with you and then sell you commission based products like life or medical insurance. Then you have those who claim to be fee based financial planners (much like the open source pimps) and sell you things like Term insurance or no load mutual funds you supposedly pay for their expertise.
The problem with these approaches is they are PRODUCT based. The real solution is a mindset and action to get the desired results not some product Open Source or otherwise.
Network Security is not brain surgery. You need policy, enforcement and monitoring. If those 3 are not done then things break down.
Policy that is not enforced is useless, it's just as bad as if there was no policy at all. In fact if you have a policy you are lured into a sense of false security. If there is no Policy users know they are left to fend for themselves. At [ XYZ ] we don't have a problem in areas like Europe where privacy laws demand they users not be monitored or punished for breaking policy. It's the areas where we have the strictest policies that we have problems.
Enforcement - If policies are not enforced then it is useless. Same with dealing with problem areas of the network. If management turns a blind eye towards tunneling and insists on using systems that are not locked down. Giving most users admin rights and walking on egg shells and not going after employees equally for violations you will never secure the network.
Monitoring - I know a few companies we work with and problems arise and you find out that they have a special internet connection that is not being monitoring. They have this special RESEARCH network they can surf porn on. They tether their laptops with their Blackberries or use a SSL tunnel to do whatever they want on the network. Especially in the technical companies the very ones that should be examples and protecting their networks are doing these things. I have seen individuals have their IP addresses Whitelisted so they could watch movies all day claiming they are doing company business then we all wonder how malware got on the network.
Products do not protect or defend the real network. They point out the obvious and until someone pokes their finger at the sore and lets the world know they need to change network security is a charade. Even DojoSec with it open source pimps is not making things better unless it goes after the above mentioned issues.
That's my 2 cents...
=-=-=-=- END E-MAIL -=-=-=-=
Tuesday, November 24, 2009
Virtualization is Great for Forensics
The rumblings suggesting that "The Cloud" and Virtualization is an enormous hindrance to digital investigations are exaggerated. These claims sound like scare tactics to me, I think virtualization makes incident response to computer crime much more efficient. The goal of incident response is to preserve as much information as possible. Software such as Live View from CERT is great because it allows investigators to boot disk images.
Virtualization is cutting out the middle man here, as an investigator I'd rather have a virtual machine instead of a disk image. Virtual machine copies provided by service providers provide a "self contained crime scene", since the virtual machine is frozen in time including the memory. At DojoCon 2009, Richard Bejtlich shared a story were investigators responded to an incident working with a Cloud Provider and were greeted with a shrink wrapped crime scene.
Anyone who as ever used a product such as VMware may have copied and moved images, this is a good thing. It seems that when some are dedicated to screaming about problems, they may be ignoring a great solution staring them right in the face.
_MJC_
Monday, November 23, 2009
Google Hacking Renders Redaction Futile
Lately, I've been looking at tons of SQL injections and SWF login blog posts and screen captures. I notice most hackers attempt to redact the compromised URLs. However, in most cases there is enough information from the screen captures to find the sites.
The attempt to redact the information is an attempt to protect the innocent. The latest instance of this was a blog post on a Symantec SQL Injection that yielded tons of information including serials and passwords. The image below is a screen capture posted within the blog post.
Next, I visit Google and type: site:symantec.com intitle:Teacher Sima
This is just basic Google Hacking here, nothing advanced. This is something I've been instinctively doing when I see something like this.
So the question is "Why redact?"
_MJC_
Thursday, October 29, 2009
Metasponse Talk at Techno Forensics
My friend Joshua Marpet recorded video of me doing my Metasponse talk at the Techno Forensics Conference at NIST on his iPhone. He'll be sending me the complete video so I can post it as one. Although I could take my own video equipment everywhere with me, it sometimes feels stage. This is as real as it gets. Thanks Joshua!!
Marcus J. Carey - Metasponse Talk @ Techno Forensics Conference from Marcus J. Carey on Vimeo.
Wednesday, October 14, 2009
Cloud Computing and Sunburn
Can you get sunburn if it’s cloudy outside? The answer is yes, because the clouds don’t block the dangerous rays that burn and cause cancer. Many people believe that the clouds give their skin protection against the sun. This is a big mistake that I’ve found out first hand many times recently. So I tend to put on sun block before I go outside for long days. Our skin is a major asset because it is the first line of defense against infection. We are personally responsible for protecting our asset by applying sun block when needed.
In the information technology industry, Cloud Computing has reminded me of the false sense of security that real clouds have given us. Recently the T-Mobile/Microsoft Sidekick data loss debacle has put into question the reliability of Cloud Computing and Cloud Storage. It is important to remember, when we outsource services and infrastructure to the Cloud, we don’t outsource responsibility.
The T-Mobile Sidekick issue affected many consumers. Just imagine if this was a billion dollar sales organization which lost sales leads, bad news. Several Google Apps services have been disrupted lately, thank goodness there has been no data loss associated with those outages. If Google were to lose my critical data, whose fault would it be for no back-ups? The old saying goes, “When you point your finger at someone, there are three fingers pointing back at you.”
I believe that Cloud solution providers will do their best job (hopefully) to maintain confidentiality, integrity, and availability of their client's data. When it comes down to it, each organization still must accept responsibility and accountability for their critical assets. If you moved to the Cloud, your business continuity and disaster recovery plans should reflect the worst case scenario.
This means you should have some sort of limited backups that your organization controls. At least perform an assessment of what the minimum requirements are, and then make plans accordingly. I’m not telling you anything new here, it takes a bit of effort. Who are we kidding? Hard drives fail, tape backups didn’t backup anything, back-ups fall off trucks, dog ate my homework, etc…
No one, not even the Cloud, is going to do your pushups for you. Cloud Computing won’t keep your organization from getting burned.
In the information technology industry, Cloud Computing has reminded me of the false sense of security that real clouds have given us. Recently the T-Mobile/Microsoft Sidekick data loss debacle has put into question the reliability of Cloud Computing and Cloud Storage. It is important to remember, when we outsource services and infrastructure to the Cloud, we don’t outsource responsibility.
The T-Mobile Sidekick issue affected many consumers. Just imagine if this was a billion dollar sales organization which lost sales leads, bad news. Several Google Apps services have been disrupted lately, thank goodness there has been no data loss associated with those outages. If Google were to lose my critical data, whose fault would it be for no back-ups? The old saying goes, “When you point your finger at someone, there are three fingers pointing back at you.”
I believe that Cloud solution providers will do their best job (hopefully) to maintain confidentiality, integrity, and availability of their client's data. When it comes down to it, each organization still must accept responsibility and accountability for their critical assets. If you moved to the Cloud, your business continuity and disaster recovery plans should reflect the worst case scenario.
This means you should have some sort of limited backups that your organization controls. At least perform an assessment of what the minimum requirements are, and then make plans accordingly. I’m not telling you anything new here, it takes a bit of effort. Who are we kidding? Hard drives fail, tape backups didn’t backup anything, back-ups fall off trucks, dog ate my homework, etc…
No one, not even the Cloud, is going to do your pushups for you. Cloud Computing won’t keep your organization from getting burned.
Subscribe to:
Posts (Atom)
