Tuesday, December 23, 2008

Plate Spinning 101

There are many analogies in Information Security. Someone mentioned plate spinning in an unrelated context, and then this blog post hit me. Many jobs can relate to plate spinning, but follow me on this one. If you were a professional plate spinner your task would be to minimize the loss of your assets. To minimize loss, the plates must spin, or you will lose assets. If you lose too many assets, the show can't go on.

With proper training, personnel can learn to get all of the plates spinning. More importantly, plate spinners need to monitor and maintain operations, because without proper attention the assets ALL FALL DOWN. The plates are falling in many enterprise networks.

The following video is recommended viewing for Information Security practitioners. Please substitute "Information Security" for "Plate Spinning".

Monday, December 22, 2008

SUMO Linux on a Thumbdrive

From my colleague Jonathan Bennett:

Here are the steps I took:

1. Download TRK Linux

2. Install TRK Linux on thumbdrive:

trk2usb -d {DEVICE} (optional) -s 4000

I did this because when I tried to create a bootable partition as number 4 as described here: http://klikit.pbwiki.com/Klikit-Live+on+USB+Stick it did not seem to work properly. I think now that maybe it did, but I didn't give it enough time.

3. Delete all TRK Linux files

4. Copy all SUMO files to the disk. Modify autoexec.inf so the thumbdrive doesn't identify itself as "SUMO Live CD".

5. Create /boot/syslinux directory. Download all files from http://sumolinux.suntzudata.com/syslinux/ and save them to the /boot/syslinux folder.

6. Run "Syslinux.exe -d /boot/syslinux :" from the syslinux folder (as administrator if using Vista)

I had to do this in Windows. Syslinux in Linux will not install because it doesn't like the structure of the FAT32 partition for some reason.


7. Boot to thumbdrive. Be patient if the Syslinux prompt comes up to "boot:"; sometimes it takes a couple of seconds to get to the menu.

8. I think following the commands on klikit's website should work for formatting the drive, just make sure that the space allotted is big enough to allow the whole DVD to be copied in.

------------------------------------------

Hit me up on Twitter Marcus J. Carey, let me know how this worked.

Sunday, December 21, 2008

Sense of Urgency: This is not a drill!

Where is the sense of urgency?

This article from Federal Computer Week has a knack for stating the obvious. Does this sum up where we are in regards to protecting our country from cyber-attacks?

Sorry for the snark below.

BREAKING NEWS: Cyberattack simulation highlights security challenges

Article says: The simulation also illustrated some challenges the Obama administration and next Congress will face in terms of cybersecurity, they said.

Marcus says: Challenges that we WILL face? Are we not facing them now? Have we not been facing them for years at this point? Did anyone miss the article linked below? Why did we need a joint exercise to illustrate problems that have been apparent for years?

http://www.businessweek.com/magazine/content/08_16/b4080032218430.htm

Article says: “There was a great realization that we are all in this together,” said Gerencser. “And what got uncovered in the game is that there were interdependencies that we didn’t quite understand or appreciate before.

Marcus says: You have to be kidding me. How long have we been doing this? Are you telling me that we are being attacked and are just getting to understand interdependencies? The answer is, "YES!".

Article says: “This will be an ongoing effort,” Langevin said. “The cyberthreat itself is ever changing and ever evolving, it is going to be very difficult to stay one step ahead of it, but that’s what our goal has to be.”

Marcus says: This is such a cliche moment. I wonder how much money this exercise cost. Is this something that we didn't already know? This is my tax dollars here at work.

Quick Conservative Number crunching:

230 people for a 48-hour exercise.

230 (personnel) * 40 (billable hours per person) * $225 (hourly rate + overhead) = $2,070,000.00

It probably cost much more than that :(.

My point is that we need to have this down by now. As my friend Eoghan Casey says, "We need to establish a home-court advantage on our networks!". This article illustrates that we are spinning our wheels. This is the equivalent of being in Iraq and pretending that you are practicing at Fort Hood. This is not a drill!

On a lighter note. Have a Merry Christmas and Wonderful Holidays!

- Marcus J. Carey

Monday, December 15, 2008

WALL-E Security

This Hollywood Security moment brings us WALL-E. WALL-E is a futuristic tale in which humans rely on computers/machines for everything. The point of this movie is especially true today for many information assurance practitioners and organizations. When we rely on security tools to do everything, the image below portrays what eventually happens.

- Marcus J. Carey

Sunday, December 7, 2008

Stealing Data the Easy Way

As I entered the Athens Airport Business Class lounge, I asked if there was WiFi connectivity. I was told there was no WiFi, but I could help myself to the kiosk computers. I jumped at the chance to check out the security posture of these computers. I assumed that there would be security issues.

I wasn't disappointed with the amount of information I had access to, much of which I considered to be breaches of confidentiality for some previous users of the kiosk. The following pictures are just a sample, there was much more. If I were a bad guy, I could have stolen loads of data the easy way by just emailing the files to myself. I took the pictures here for security awareness efforts. Names have been hidden to protect the innocent.

The following are reasons why people shouldn't use free Internet kiosks:

1. The Windows Security Alert tells you that the system may not be up to date for security fixes.


2. The following "user agreement" means that everyone has access to anything you store on this computer.

3. Your browser history is usually intact and credentials are sometimes still valid.

4. People can read confidential documents you typed on the computer.


5. People may get a sneak peek at your lucrative sports contract.


6. People may get a copy of your C.V. and all of the personal information it contains.


7. People may get access to your accounts spreadsheet.


8. People can install malicious code into important directories.


9. Being a security professional, I warned the attendants on duty about the issues that I had found. The lead attendant said, "If anyone is stupid enough to use the kiosk and do that, they should not be using the computers!".

Enough said!

-MJC

Tuesday, December 2, 2008

Incident Response on the iPhone

I was just thinking that some aspects of Incident Response can be done while mobile. It would be interesting if I was on the beach and able to troubleshoot issues on a mobile phone. Five years ago I created a project for my interns to allow remote command-line management of systems through AIM, which you could do from a mobile phone. Although it wasn't a "secure solution", it was pretty nice.

Thank you iPhone and TouchTerm, now I can do it securely. The iPhone does support VPN connections and TouchTerm allows you to establish SSH connections to systems from the iPhone (for $FREE)!


-MJC

Monday, December 1, 2008

Big Fat Greek Internet Cafe

Internet Cafes are often used to do illegal bidding. I had the pleasure of visiting this one in Athens, Greece. This one was 99% illegal (Even in Europe). From what I understand, this is common in Europe. I wonder if the U.S. has this sort of blatant illegal Internet activity in its Cafes. Law enforcement seems to be tougher in the States.

The young man working as staff was nice enough to pose for a picture. He allowed me to take pictures of the place, since I was a tourist and had never seen anything like this :).


All of the computers below had almost every computer game imaginable loaded on them. If a computer didn't have a game on it, you could install whatever you wanted.


I did a bit of shoulder surfing to see exactly what users were doing. In the photo below, a young lady was downloading music on Limewire. Since she had earphones on, she didn't notice I was so close. She was blasting illegal tunes and enjoying every minute of it.



The Cafe sold blank CDs and DVDs, in case you wanted to burn anything you downloaded. All the content you want for 2 Euros per hour (Sweet!). Just imagine how much malicious code resides on this network.

- MJC

Sunday, November 23, 2008

SUMO Linux up for BitTorrent Download

SUMO (Security Utilizing Multiple Options) Linux v1.0

SUMO Linux is a bootable DVD from Sun Tzu Data which contains a compilation
of the best Information Security distributions:

Backtrack 3
Helix 2.0
Samurai Linux
DBAN
DVL

Click here to visit site >>> http://www.sumolinux.com <<<

-MJC

Tuesday, November 18, 2008

Scalable Security 101

If your organization relies on you or a product to be the single point of failure for all things, that's not a scalable model. When you leave or the product fails, the pain begins. Plan for these losses and failures by cross-training and learning the shortcomings of solutions that you deploy. This is just the beginning of Scalable Security.

-MJC


-- Post From My iPhone

Leaving the Backdoor Open


This is a classic case of implementing one security measure only to leave the attacker with an easy vector for compromise.

In this photo I took today, a security minded driver placed “The Club” theft prevention device on their steering wheel to prevent someone from stealing the car. As you can see the driver also left a trunk full of clothes and other items exposed.

Is this happening in your network?

Tuesday, November 11, 2008

The Digital Age meets the Pony Express


I saw this along the road last week. I had to take a picture and share with everyone. The irony of course is that it shows how much communication has changed over the years. This photo is priceless.

Monday, November 10, 2008

Who Is The Audience vs. Who It Should Be?

When I attend security events I want to see a more diverse group of attendees. I need to see the people on the front lines; junior and senior systems administrators. I want to see them go back to their organizations and teach others what they have learned.

Are you a team player? I want to challenge all network security professionals to mentor one person. Tell that person to mentor someone. That is the only way we can start to protect our assets. I don't think people understand how bad the situation is in the security space. We need to step up our security game in a major way.

We need to take the knowledge to the audience that needs the message.

Thursday, November 6, 2008

DojoSec November 2008 Wrap-up

DojoSec November 2008 went well. I want to thank the Sun Tzu Data Newsletter members who attended the event. Also, I'd like to give a special thanks to all the friends of Sun Tzu Data for lending a hand.

Brian Baskin delivered an excellent talk on Bit Torrent (BT). Few in the industry understand BT as well as Brian. His research on the technology is mind-boggling as he is able to break the technology down to binary and hex with clarity. Thanks Brian :)!

Bruce Potter followed up with a great talk, raising eyebrows on the "Current State of Information Assurance". Bruce made some excellent points regarding the lack of progress in the computer security industry over the last 20 years. Bruce opened a lot of eyes with his analysis of the industry as well as his legendary delivery.

Bruce drilled home the point that if someone is properly equipped and wants to attack your organization, you're 0wn3d (owned). In this talk, Bruce highlighted statistical analysis techniques he has used with Netflow data to find compromised systems in real-world network intrusions. Thanks Bruce!

Pictures from DojoSec November 2008

Here are a couple of pictures from DojoSec November 2008.

Saturday, November 1, 2008

Bad Things Come in Small Packages

I had the pleasure of handling one of Nico Darrow's NEMEMIS miniature attack platforms. This thing is pretty sweet. In these images you can see that this device is about the size of some external hard drives.

For its small size it packs a heck of a punch. It runs a Linux-based distro full of goodies for penetration testing. It has wired/wireless network, monitor, and two USB ports that could be used for a mouse and keyboard.

Imagine the damage you can do with this puppy :)

The "Key" to Identity Theft

I have seen many things hanging from keys, but recently I've been paying more and more attention to security at all levels. We all see people throwing their keys down on their desks, boardrooms, and even on basketball courts.

Last year I even advised a guy not to leave his mini credit card on his keychain in plain view. I just look at these things for awareness, but there are many criminals preying on what we leave on our keychains. Many military and veterans wear their "dog tags" on key chains.

As a vet I notice military issued "Dog Tags" instantly. I had a colleague leave his keys in a conference room. His military tags had the following information on them.

1. Full Name
2. Social Security Number
3. Allergic to Penicillin

I walked up to him in his cubicle and mentioned his allergy to him. Of course he was surprised I knew this detail. I then handed back his keys and pointed to the tag. A malicious person could have done far worse with this information. When trying to secure organizations and even our personal lives, we must think as the bad guy would think.

Default Login and Password

This is the problem that will not go away. I was in a discussion with a Security Engineer from a major vendor who happens to be the number one vendor in their space. He informed me that I could not change the password on a security appliance and to leave it at default.

So the hacker in me quickly thought that if I did a banner grab for this vendor's appliance across an enterprise I could compromise this device wherever it existed. This appliance is highly deployed, so it is a bit scary to me. The fact that it came from a major "security vendor" was even worse.

This is Security 101 here :(

The reason he said that you couldn't change the password was, "It's an appliance!". I'm like, "Okay????".

This goes to all vendors, administrators, and security professionals.

DEFAULT PASSWORDS ARE NEVER A GOOD THING !!!!!!!!!!!!!

Sorry for shouting. :)

Tuesday, October 21, 2008

Keep Your Eyes On The Road

I saw this driver on the road this morning. I took this picture with my iPhone. As you can see the driver ran off the road dead-on to a pole. If you click on the image you can see that the driver is okay and standing in front of the car texting on his mobile phone.

I couldn't help but assume that he was driving while texting (DWT) and ran off the road. Whatever the driver was doing he wasn't paying attention behind the wheel. There is a security lesson in this for sure. The driver obviously had a destination or goal to reach when they started their commute.

Many security operations have goals and policies to achieve those goals. Policy is definitely different in each organization because each place has different assets. With so many challenges and silver-bullet solutions it is easy to lose sight of the goal. What exactly are we trying to protect again?

Another problem is that some organizations don't have policies, standards, and procedures documented. Without any standards in place organizations can never achieve any measurable level of success. Some organizations have security just to have security with no big picture.

There are many ways the Security Policy Life Cycle has been articulated, but to make a long story short:

1) Find out what assets you are protecting.
2) Establish security policy/goals/standards to protect the assets.
3) Establish procedures and guidelines to meet Step 2.
4) Implement (Don't take your eyes off the road)
5) Measure success (Audit).
6) Articulate findings (Are you protecting assets?).
7) Rinse and Repeat, Back to Step 1.

Sunday, October 19, 2008

Who Needs a Shredder?


If you have an open fireplace you probably know you can get rid of documents the old-fashioned way: "Burn them!". Some of the "personal use" shredders are dreadfully slow and can be expensive ($200+). For a great alternative to get rid of sensitive personal documents I recommend purchasing a small fire pit.

Many high security facilities use fire to destroy sensitive documents. At my first duty station in the Navy I had the pleasure of collecting "burn bags" and destroying them.
The fire pit always attracts a crowd so you can get some conversation and roast marshmallows while you secure your private information. Something like the fire pit above will only run you around $70. That's great for entertainment and security.

Sunday, October 12, 2008

The Compliance Gorilla

There are many compliance standards, and of course, auditing is a good thing. I've talked with many security professionals recently about the big picture. Sure the goal is to harden systems and auditing does provide a means to measure that goal.

The criticism of auditing reminds me of criticism directed to the No Child Left Behind Act. Many organizations are happy with just being compliant. When the focus is only on compliance, the organization's overall security posture suffers by focusing solely on systems. The network pieces are "compliant" but what about the internetworking of these systems?

My problem with most compliance efforts is the fact that the overall network security posture can be totally inadequate, or worse, non-existent. The result of this problem is indefensible networks. Since everyone is talking about the Gorilla, what should we do about it?

Keeping Up "Secure" Appearances

As I was in the airport on the way back from Copenhagen, BBC World News was playing on one of the displays when a familiar pop-up appeared on the bottom right hand portion of the screen. Obviously there was a networked computer sending video throughout the airport.


Although I don't know the overall network security posture of the airport, this didn't look good. Of all security hardening procedures, "Up-to-date Antivirus" is pretty high on everyone's list. Sometimes good security is simply appearing to be secure. In the military they teach you that the appearance of a hard target can deter attacks. In security we must get the little things right.

Securing the Family

The latest craze to hit the bumper sticker market seems to be the "I'm going to tell everyone about my family as stick-figure thingies". These things are popping up more and more daily. How can I say this?

Bad Idea.

In the picture below this vehicle has "The ****** Family" name on top of five stick figures. On the bottom of these stick figures are the names of each family member.

The "need to know" principle should be applied here. Only people required to know what I deem personal information in this case "need to know". There is no good reason to ride around with family identification on your car.

If you have friends, family, or co-workers with these stickers on their car, please pull them aside and tell them bad guys use this type of information to hurt innocent people. The same type of information leaks are made at corporate levels.

Johnny Long highlights many of these types of vulnerabilities in his latest book No Tech Hacking.

Seeing is Believing

Something I always like to do when discussing security is whiteboard and visualize what is going on. That's the beauty of Wireshark when it comes to traffic analysis, you can see what's going on. This brings me to my Hollywood Security lesson. As I said before, I learn security lessons from television and this time it was a football game that brought a point home.

The Scenario
I was in my front lawn making my way in from an errand when a neighbor asked me if I was watching the University of Oklahoma vs. University of Texas football game. The game was heading into the fourth quarter and it was close, he informed me. I'm a Texas native and a fan of the Longhorns. Texas has had some problems with Oklahoma and I just couldn't be bothered watching the game. I just knew Oklahoma was going to win; after all, they were the top ranked team in the country.

The Lesson
Reluctantly, I tuned in to the game and Texas pulled off an upset. This reminded me of the advice I always gave my students in Network Security classes. I always encourage my students to look at traffic because you never know if communications are happening as they should be. I assumed Texas would lose before ever taking a look.

In Information Assurance we sometimes make assumptions that things are working or something will fail without even verifying or validating them. Either way this is a mistake. I was happy that my Longhorns reminded me of this lesson.

"Hook 'em Horns!"

No Cost Software for Flash Demos

There are a number of no cost options for demos. All of the following create Flash compatible screen capture with audio. There are three different options and licenses. These all work well especially for the price.

GNU
Camstudio (Windows) - Camstudio is the GNU/Free Software solution. Personally I am a champion of GNU Solutions. I have used Camstudio and it works well for screen and audio captures.

Freeware
Wink (Windows/Linux) - Distributed as freeware for personal or business use. I've seen many demos using Wink although I haven't used it yet.

Free (for now)
Jing (Windows/Mac OS X) - Techsmith, who is behind Camtasia Studio, has launched the Jing Project, which is free for now. It is a scaled down version of Camtasia and works well on the Mac.

The old saying "You can show someone better than you can tell them!" is so true. With these couple of solutions you can do it at no cost with a quality return.

Saturday, October 11, 2008

Evilgrade = Pure Evil + Upgrade

I have to give credit to Pauldotcom for doing a tech segment on Evilgrade on the Pauldotcom Security Weekly podcast recently. After hearing about Evilgrade I was interested in gaining more information on how the tool worked.

Evilgrade from Infobyte Security Research is a framework similar to Metasploit Framework (MSF) except it's specifically designed to exploit software updates. The tool uses a couple of techniques including DNS manipulation and rogue upgrade servers to exploit update services of many applications including Notepad++ and Java. So you may patch your system from vulnerabilities and at the same time get a little bit extra out of your update. That's bad for you but good for an attacker.

See the Demo at your own risk > http://www.infobyte.com.ar/demo/evilgrade.htm

It also looks like Evilgrade will get gobbled up into MSF eventually. MSF is like the Energizer Bunny of "security" tools, just keeps going, going, going.......
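The defence against the rogue update server described above is for the update client to trust a signature instead of the server it happened to reach. The following is an added example, not code from Evilgrade, Infobyte or this blog; the manifest format, function names and throwaway keys are assumptions for illustration, and the rollback check goes slightly beyond what the post covers.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor published by the vendor.
type Manifest struct {
	Product string `json:"product"`
	Version int    `json:"version"`
	SHA256  string `json:"sha256"` // hex digest of the installer
}

// SignedUpdate is everything the client receives from the update server,
// that is, from whatever host DNS resolved the update hostname to.
type SignedUpdate struct {
	ManifestJSON []byte
	Signature    []byte
	Payload      []byte
}

var (
	ErrBadSignature = errors.New("manifest not signed by the pinned vendor key")
	ErrBadManifest  = errors.New("manifest is not valid JSON")
	ErrWrongProduct = errors.New("manifest is for a different product")
	ErrRollback     = errors.New("offered version is not newer than the installed one")
	ErrBadDigest    = errors.New("installer does not match the signed digest")
)

// NewVendorKey creates a throwaway key pair for the demonstration.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Publish plays the release step: hash the installer, sign the manifest.
func Publish(priv ed25519.PrivateKey, product string, version int, payload []byte) SignedUpdate {
	sum := sha256.Sum256(payload)
	raw, err := json.Marshal(Manifest{Product: product, Version: version, SHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		panic(err)
	}
	return SignedUpdate{ManifestJSON: raw, Signature: ed25519.Sign(priv, raw), Payload: payload}
}

// VerifyUpdate is the client-side check. The public key ships inside the
// installed application, so nothing here depends on DNS or on the server.
func VerifyUpdate(pinned ed25519.PublicKey, product string, installed int, u SignedUpdate) (*Manifest, error) {
	// 1. Signature first: nothing in the manifest is trusted before this passes.
	if !ed25519.Verify(pinned, u.ManifestJSON, u.Signature) {
		return nil, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(u.ManifestJSON, &m); err != nil {
		return nil, ErrBadManifest
	}
	// 2. A genuine manifest for another product must not be accepted.
	if m.Product != product {
		return nil, ErrWrongProduct
	}
	// 3. Replaying an old, genuinely signed release is refused.
	if m.Version <= installed {
		return nil, ErrRollback
	}
	// 4. The installer bytes must be the ones the vendor signed for.
	sum := sha256.Sum256(u.Payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, ErrBadDigest
	}
	return &m, nil
}

func main() {
	vendorPub, vendorPriv := NewVendorKey()
	_, roguePriv := NewVendorKey() // key held by the rogue update server

	// Constructed sample payloads; no real installers are involved.
	genuine := Publish(vendorPriv, "editor", 5, []byte("genuine installer bytes"))
	rogue := Publish(roguePriv, "editor", 9, []byte("substituted installer bytes"))
	swapped := genuine
	swapped.Payload = rogue.Payload // real manifest, replaced installer

	cases := []struct {
		name      string
		installed int
		update    SignedUpdate
	}{
		{"genuine update", 4, genuine},
		{"rogue server, own key", 4, rogue},
		{"real manifest, swapped file", 4, swapped},
		{"replayed old release", 5, genuine},
	}
	for _, c := range cases {
		_, err := VerifyUpdate(vendorPub, "editor", c.installed, c.update)
		fmt.Printf("%-28s -> %v\n", c.name, err)
	}
}
```

Only the first case is accepted; the other three fail at the signature, digest and version checks respectively, regardless of which server delivered them.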

NSA's Mac OS X Panther Security Configuration Guide

The NSA's Apple Mac OS X v10.3.x "Panther" Security Configuration Guide.

After reviewing the guide I felt sorry for all the Macs that have to be mutilated to perform in a secure environment.
According to NSA:

"All wireless capability, such as AirPort and Bluetooth, should be physically disabled in secure environments. Disabling or modifying the hardware will likely void the warranty on the machine if not performed by an Apple Certified Technician."

It gets much worse for the poor Macbooks in the document. This is no surprise of course when you have to be in a secure environment. The thing that makes a Mac great is all the goodies that you would have to disable to comply with NSA's standard.

Why not just get a PC instead :) ?

Kung Fu Panda

This Hollywood Security lesson is a spoiler.

The Scenario
The main character Po, upon completing his martial arts training, is allowed to read the contents of a treasured scroll. This scroll is supposed to contain secrets to allow him to be the unstoppable Dragon Warrior. When he opens the scroll, to his amazement the scroll is blank.

The Lesson
Security Professionals and Organizations constantly look for silver bullets when it comes to information assurance. Many are obsessed with certifications or the next hot security tool. Sure we need training and tools for information warfare just as Po learned his craft. Most importantly we need to have confidence, skill, resources, and knowledge to prevail when challenges arise. The Dragon Warrior is already inside of us.

Speed Racer

The kids ordered Speed Racer on pay-per-view and of course I got pulled into the movie. This brings us to another Hollywood Security lesson:

The Scenario
Speed Racer's older brother Rex Racer tells the young Speed that he must listen to his car in order to achieve maximum results.

The Lesson
As security professionals our vehicle is our organization. We must listen to our organization in order to achieve a good security posture. A firewall is a technical solution for networking just as a car is a technical solution for transportation. We just can't rely on technical solutions in security, our ears are our best assets.

Mobile Blogging

I just downloaded Blogpress to my iPhone, now blogging from it. Cool!


-- Post From My iPhone

Friday, October 10, 2008

Forbidden Kingdom

For your first installment of Hollywood Security (may contain spoilers):

On the way back from Copenhagen last month I had a chance to watch a couple of movies on the plane. Forbidden Kingdom stars Jet Li, Jackie Chan, and Michael Angarano in a funny karate flick.

The Scenario
Michael Angarano stars as a kung-fu movie buff who goes back in time. He ends up having to learn kung-fu for sheer survival. The kid is a know-it-all just because he's seen so many movies. At one point Chan's character pours water non-stop into Angarano's cup until it is overflowing. Even though the cup is overflowing Chan still keeps pouring, pouring, pouring, until the kid asks what is going on.

The Lesson
Chan tells the kid that he can't learn anything because his cup is already full. The lesson is simple because I know many Security professionals may fall into the "I think I know it all" trap. We need to all leave room in our cups for learning tomorrow.

Hollywood Security & The Art of War

Many blogs have a niche. I was thinking about things that would make this space stand out. I use a lot of analogies when I do presentations or teach. People have told me that I can break things down to the lowest level. I use things such as movie quotes to draw comparisons.

This works very well. My close friend Johnny Long has an awesome talk called Hollywood Hacking that drills this point home. As I see movies that I learn something from I will share the lessons through this blog.

I'm not just talking about techie or sci-fi. I learn lessons from all genres including children's movies. If nothing else television and movies ensure that I learn something new every day.

I will also draw content out of the Art of War to blog about security as well. As you can tell with my company name I'm kind of into the "Sun Tzu - Art of War" thing. The overall mission is to use this blog as a tool to convey my crazy way of looking at things.

DojoSec Wrap-up

Last week Sun Tzu Data offered the first DojoSec minicon event in Columbia, Maryland. The idea came to me earlier this year and with the help of some great friends we made the first event very successful.
DojoSec's purpose is to bring together top Security professionals in the Maryland-DC Corridor for monthly mini conferences. It gives the opportunity for locals to hear from speakers who often appear at major conferences in a familiar setting. The line up included some well known names for two great talks. Chris Daywalt and Eoghan Casey presented a talk on Enterprise Entrenchment.

In short, Enterprise Entrenchment is when attackers maintain footholds in networks and exploit them over extended periods of time. Chris and Eoghan will be presenting this topic at the SANS conference in Vegas this week. It was nice getting the scoop on this talk.

Johnny Long introduced many to the charity he started, Hackers for Charity, and presented his "No-Tech Hacking" talk. The No-Tech talk was especially relevant since some of Johnny's research for the talk and the book was done in the local area. This is why the DojoSec events are great, with so many great speakers right here in our "backyard". The next event is scheduled for November 5th.

My Top Windows-based GNU Software

I am a Mac user, but we all know that we have to use Windows from time to time. I run a Windows XP virtual machine in VMware Fusion on my Mac.

When I must use Windows this is my list of my top GNU solutions. This set of tools makes my Windows experience much better.
  1. 7-zip - Archive manager that kicks WinRAR's butt 7 days a week.
  2. Cygwin - I just have to have my BASH shell and Perl at all times.
  3. Notepad++ (Notepad Plus Plus) - It takes the pain away from dealing with (Note|Word)pad.
  4. Wireshark - Formerly Ethereal. Yeah I'm a packet head.
  5. Snort IDS - Snort can be a packet head's best friend.
  6. Mozilla Firefox - I'm typing this in it right now.
  7. NoScript - "Hopefully" keeps my (browser|Mac) from getting 0wn3d.
  8. VLC - Highly compatible video player
There are so many. More to come.

MJC

Not Your Father's Nessus

Like many, I have used Nessus time and time again to scan networks for vulnerabilities. I just had my eyes completely opened to all of the capabilities that Nessus has grown to accommodate. I had the opportunity to attend Tenable Network Security's Enterprise Security Monitoring and Compliance Auditing courses this past week. In the words of Kung Fu Panda, Nessus is full of "awesomeness and handsomeness".

Once you purchase Nessus' Professional Feed you can audit your network for compliance against tons of standards. I now have a really good appreciation of how one can really fine-tune Nessus. Nessus can add value to any consultant in the auditing, compliance, or pentesting arena. I'm not joking, the auditing was awesome. Having looked at other auditing solutions, I can tell you that you cannot beat the price.

The course also covered Tenable's Security Center, Log Correlation Engine, and the Passive Vulnerability Scanner. Together, all of these would be a welcome addition to any enterprise. Knowing the roots of Tenable and where Nessus is now, it was very inspiring as a small business owner. I highly recommend their courses to Security personnel.

P.S.

One tip from the course if you haven't tried it before.

Try out the filter button on your completed scans on the Nessus client. It's kind of new.

Saturday, October 4, 2008

Security is a Universal Language

Over the last year I've had the pleasure of traveling to Iceland, Norway, and Denmark for Security events. During those travels it should come as no surprise that computer crime is an international problem. Here are a couple of thoughts on what I've learned over these trips.

Language Barrier
Since most of the foreign countries I've visited speak languages that are uncommon globally, they have a nice defense against phishing attacks. Attacking users in those countries is not as easy as throwing something into a translation engine. The actual context of their language foils not only many phishing attacks but also recon methods like Google Hacking. Other than that, tech jargon and buzzwords are the same in all the places I've visited. Thank goodness it seems that everyone speaks my native tongue.

Vendor Trust
I usually don't believe everything software/hardware vendors say. As the old saying goes, "Trust but verify". There seems to be an overwhelming trust of the big corporations abroad, probably to a fault. Taking a second to think about it, this is not just a foreign problem.

GNU and Open Source

I have met some extremely skilled foreign talent who use GNU and Open Source (OS) tools. Talking to people I don't get a sense that foreign IT personnel have embraced GNU/OS on a large scale. I love to demo GNU solutions because when I leave them, I want them to have tools that they can work with and eventually use them to improve their organizations.

Friday, September 12, 2008

Dive Deeper Oslo and Copenhagen

Sitting here in the Copenhagen airport after two successful security events. More on the events later.