Tuesday, October 21, 2008

Keep Your Eyes On The Road

I saw this driver on the road this morning. I took this picture with my iPhone. As you can see the driver ran off the road dead-on to a pole. If you click on the image you can see that the driver is okay and standing in front of the car texting on his mobile phone.

I couldn't help but assume that he was driving while texting (DWT) and ran off the road. Whatever the driver was doing, he wasn't paying attention behind the wheel. There is a security lesson in this for sure. The driver obviously had a destination or goal to reach when he started his commute.

Many security operations have goals and policies to achieve those goals. Policy is definitely different in each organization because each place has different assets. With so many challenges and silver-bullet solutions, it is easy to lose sight of the goal. What exactly are we trying to protect again?

Another problem is that some organizations don't have policies, standards, and procedures documented. Without any standards in place, organizations can never achieve any measurable level of success. Some organizations have security just to have security, with no big picture.

There are many ways the Security Policy Life Cycle has been articulated, but to make a long story short:

1) Find out what assets you are protecting.
2) Establish security policy/goals/standards to protect the assets.
3) Establish procedures and guidelines to meet Step 2.
4) Implement (Don't take your eyes off the road).
5) Measure success (Audit).
6) Articulate findings (Are you protecting assets?).
7) Rinse and Repeat, Back to Step 1.

Sunday, October 19, 2008

Who Needs a Shredder?


If you have an open fireplace you probably know you can get rid of documents the old-fashioned way: "Burn them!" Some of the "personal use" shredders are dreadfully slow and can be expensive ($200+). For a great alternative to get rid of sensitive personal documents, I recommend purchasing a small fire pit.

Many high security facilities use fire to destroy sensitive documents. At my first duty station in the Navy I had the pleasure of collecting "burn bags" and destroying them.
The fire pit always attracts a crowd so you can get some conversation and roast marshmallows while you secure your private information. Something like the fire pit above will only run you around $70. That's great for entertainment and security.

Sunday, October 12, 2008

The Compliance Gorilla

There are many compliance standards, and of course, auditing is a good thing. I've talked with many security professionals recently about the big picture. Sure, the goal is to harden systems, and auditing does provide a means to measure that goal.

The criticism of auditing reminds me of the criticism directed at the No Child Left Behind Act. Many organizations are happy with just being compliant. When the focus is only on compliance, the organization's overall security posture suffers because attention goes solely to individual systems. The network pieces are "compliant", but what about the internetworking of these systems?

My problem with most compliance efforts is the fact that the overall network security posture can be totally inadequate, or worse, non-existent. The result of this problem is indefensible networks. Since everyone is talking about the Gorilla, what should we do about it?

Keeping Up "Secure" Appearances

As I was in the airport on the way back from Copenhagen, BBC World News was playing on one of the displays when a familiar pop-up appeared in the bottom right-hand portion of the screen. Obviously there was a networked computer sending video throughout the airport.


Although I don't know the overall network security posture of the airport, this didn't look good. Of all security hardening procedures, "Up-to-date Antivirus" is pretty high on everyone's list. Sometimes good security is simply appearing to be secure. In the military they teach you that the appearance of a hard target can deter attacks. In security we must get the little things right.

Securing the Family

The latest craze to hit the bumper sticker market seems to be the "I'm going to tell everyone about my family as stick-figure thingies". These things are popping up more and more daily. How can I say this?

Bad Idea.

In the picture below this vehicle has "The ****** Family" name on top of five stick figures. On the bottom of these stick figures are the names of each family member.

The "need to know" principle should be applied here. Only people who are required to know what I deem personal information, in this case my family's names, "need to know". There is no good reason to ride around with family identification on your car.

If you have friends, family, or co-workers with these stickers on their car, please pull them aside and tell them bad guys use this type of information to hurt innocent people. The same type of information leaks are made at corporate levels.

Johnny Long highlights many of these types of vulnerabilities in his latest book No Tech Hacking.

Seeing is Believing

Something I always like to do when discussing security is whiteboard and visualize what is going on. That's the beauty of Wireshark when it comes to traffic analysis: you can see what's going on. This brings me to my Hollywood Security lesson. As I said before, I learn security lessons from television, and this time it was a football game that brought a point home.

The Scenario
I was on my front lawn making my way in from an errand when a neighbor asked me if I was watching the University of Oklahoma vs. University of Texas football game. The game was heading into the fourth quarter and it was close, he informed me. I'm a Texas native and a fan of the Longhorns. Texas has had some problems with Oklahoma and I just couldn't be bothered watching the game. I just knew Oklahoma was going to win; after all, they were the top ranked team in the country.

The Lesson
Reluctantly, I tuned in to the game and Texas pulled off an upset. This reminded me of the advice I always gave my students in Network Security classes. I always encourage my students to look at traffic because you never know if communications are happening as they should be. I assumed Texas would lose before ever taking a look.

In Information Assurance we sometimes make assumptions that things are working, or that something will fail, without even verifying or validating them. Either way, this is a mistake. I was happy that my Longhorns reminded me of this lesson.

"Hook 'em Horns!"

No Cost Software for Flash Demos

There are a number of no-cost options for demos. All of the following create Flash-compatible screen captures with audio. There are three different options and licenses. These all work well, especially for the price.

GNU
Camstudio (Windows) - Camstudio is the GNU/Free Software solution. Personally I am a champion of GNU Solutions. I have used Camstudio and it works well for screen and audio captures.

Freeware
Wink (Windows/Linux) - Distributed as freeware for personal or business use. I've seen many demos using Wink although I haven't used it yet.

Free (for now)
Jing (Windows/Mac OS X) - TechSmith, who is behind Camtasia Studio, has launched the Jing Project, which is free for now. It is a scaled-down version of Camtasia and works well on the Mac.

The old saying "You can show someone better than you can tell them!" is so true. With these few solutions you can do it at no cost with a quality return.

Saturday, October 11, 2008

Evilgrade = Pure Evil + Upgrade

I have to give credit to Pauldotcom for doing a tech segment on Evilgrade on the Pauldotcom Security Weekly podcast recently. After hearing about Evilgrade I was interested in gaining more information on how the tool worked.

Evilgrade from Infobyte Security Research is a framework similar to the Metasploit Framework (MSF), except it's specifically designed to exploit software updates. The tool uses a couple of techniques, including DNS manipulation and rogue upgrade servers, to exploit the update services of many applications, including Notepad++ and Java. So you may patch your system against vulnerabilities and at the same time get a little bit extra out of your update. That's bad for you but good for an attacker.

See the Demo at your own risk > http://www.infobyte.com.ar/demo/evilgrade.htm

It also looks like Evilgrade will get gobbled up into MSF eventually. MSF is like the Energizer Bunny of "security" tools: it just keeps going, going, going.......

NSA's Mac OS X Panther Security Configuration Guide

The NSA's Apple Mac OS X v10.3.x "Panther" Security Configuration Guide.

After reviewing the guide I felt sorry for all the Macs that have to be mutilated to perform in a secure environment.
According to NSA:

"All wireless capability, such as AirPort and Bluetooth, should be physically disabled in secure environments. Disabling or modifying the hardware will likely void the warranty on the machine if not performed by an Apple Certified Technician."

It gets much worse for the poor Macbooks in the document. This is no surprise of course when you have to be in a secure environment. The thing that makes a Mac great is all the goodies that you would have to disable to comply with NSA's standard.

Why not just get a PC instead :) ?

Kung Fu Panda

This Hollywood Security lesson is a spoiler.

The Scenario
The main character Po, upon completing his martial arts training, is allowed to read the contents of a treasured scroll. This scroll is supposed to contain secrets that will allow him to be the unstoppable Dragon Warrior. When he opens the scroll, to his amazement, it is blank.

The Lesson
Security professionals and organizations constantly look for silver bullets when it comes to information assurance. Many are obsessed with certifications or the next hot security tool. Sure, we need training and tools for information warfare, just as Po learned his craft. Most importantly, we need to have the confidence, skill, resources, and knowledge to prevail when challenges arise. The Dragon Warrior is already inside of us.

Speed Racer

The kids ordered Speed Racer on pay-per-view and of course I got pulled into the movie. This brings us to another Hollywood Security lesson:

The Scenario
Speed Racer's older brother Rex Racer tells the young Speed that he must listen to his car in order to achieve maximum results.

The Lesson
As security professionals, our vehicle is our organization. We must listen to our organization in order to achieve a good security posture. A firewall is a technical solution for networking just as a car is a technical solution for transportation. We just can't rely on technical solutions in security; our ears are our best assets.

Mobile Blogging

I just downloaded Blogpress to my iPhone, now blogging from it. Cool!


-- Post From My iPhone

Friday, October 10, 2008

Forbidden Kingdom

For your first installment of Hollywood Security (may contain spoilers):

On the way back from Copenhagen last month I had a chance to watch a couple of movies on the plane. Forbidden Kingdom stars Jet Li, Jackie Chan, and Michael Angarano in a funny karate flick.

The Scenario
Michael Angarano stars as a kung-fu movie buff who goes back in time. He ends up having to learn kung-fu for sheer survival. The kid is a know-it-all just because he's seen so many movies. At one point Chan's character pours water non-stop into Angarano's cup until it is overflowing. Even though the cup is overflowing, Chan still keeps pouring, pouring, pouring, until the kid asks what is going on.

The Lesson
Chan tells the kid that he can't learn anything because his cup is already full. The lesson is simple, because I know many security professionals may fall into the "I think I know it all" trap. We all need to leave room in our cups for learning tomorrow.

Hollywood Security & The Art of War

Many blogs have a niche. I was thinking about things that would make this space stand out. I use a lot of analogies when I do presentations or teach. People have told me that I can break things down to the lowest level. I use things such as movie quotes to draw comparisons.

This works very well. My close friend Johnny Long has an awesome talk called Hollywood Hacking that drills this point home. As I see movies that I learn something from I will share the lessons through this blog.

I'm not just talking about techie or sci-fi. I learn lessons from all genres, including children's movies. If nothing else, television and movies ensure that I learn something new every day.

I will also draw content out of the Art of War to blog about security as well. As you can tell from my company name, I'm kind of into the "Sun Tzu - Art of War" thing. The overall mission is to use this blog as a tool to convey my crazy way of looking at things.

DojoSec Wrap-up

Last week Sun Tzu Data offered the first DojoSec minicon event in Columbia, Maryland. The idea came to me earlier this year and, with the help of some great friends, we made the first event very successful.
DojoSec's purpose is to bring together top security professionals in the Maryland-DC corridor for monthly mini conferences. It gives locals the opportunity to hear, in a familiar setting, from speakers who often appear at major conferences. The lineup included some well-known names for two great talks. Chris Daywalt and Eoghan Casey presented a talk on Enterprise Entrenchment.

In short, Enterprise Entrenchment is when attackers maintain footholds in networks and exploit them over extended periods of time. Chris and Eoghan will be presenting this topic at the SANS conference in Vegas this week. It was nice getting the scoop on this talk.

Johnny Long introduced many to the charity he started, Hackers for Charity, and presented his "No-Tech Hacking" talk. The No-Tech talk was especially relevant since some of Johnny's research for the talk and the book was done in the local area. This is why the DojoSec events are great, with so many great speakers right here in our "backyard". The next event is scheduled for November 5th.

My Top Windows-based GNU Software

I am a Mac user, but we all know that we have to use Windows from time to time. I run a Windows XP virtual machine in VMware Fusion on my Mac.

When I must use Windows, this is my list of my top GNU solutions. This set of tools makes my Windows experience much better.
  1. 7-zip - Archive manager that kicks WinRAR's butt 7 days a week.
  2. Cygwin - I just have to have my BASH shell and Perl at all times.
  3. Notepad++ (Notepad Plus Plus) - It takes the pain away from dealing with (Note|Word)pad.
  4. Wireshark - Formerly Ethereal. Yeah I'm a packet head.
  5. Snort IDS - Snort can be a packet head's best friend.
  6. Mozilla Firefox - I'm typing this in it right now.
  7. NoScript - "Hopefully" keeps my (browser|Mac) from getting 0wn3d.
  8. VLC - Highly compatible video player
There are so many. More to come.

MJC

Not Your Father's Nessus

Like many, I have used Nessus time and time again to scan networks for vulnerabilities. I just had my eyes completely opened to all of the capabilities that Nessus has grown to accommodate. I had the opportunity to attend Tenable Network Security's Enterprise Security Monitoring and Compliance Auditing courses this past week. In the words of Kung Fu Panda, Nessus is full of "awesomeness and handsomeness".

Once you purchase Nessus' Professional Feed you can audit your network for compliance against tons of standards. I now have a really good appreciation of how one can really fine-tune Nessus. Nessus can add value to any consultant in the auditing, compliance, or pentesting arena. I'm not joking, the auditing was awesome. Having looked at other auditing solutions, I can tell you that you cannot beat the price.

The course also covered Tenable's Security Center, Log Correlation Engine, and the Passive Vulnerability Scanner. Together, all of these would be a welcome addition to any enterprise. Knowing the roots of Tenable and where Nessus is now, it was very inspiring as a small business owner. I highly recommend their courses to security personnel.

P.S.

One tip from the course, if you haven't tried it before:

Try out the filter button on your completed scans on the Nessus client. It's kind of new.

Saturday, October 4, 2008

Security is a Universal Language

Over the last year I've had the pleasure of traveling to Iceland, Norway, and Denmark for security events. After those travels, it should come as no surprise that computer crime is an international problem. Here are a couple of thoughts on what I've learned over these trips.

Language Barrier
Since most foreign countries I've visited speak (globally) uncommon languages, they have a nice defense against phishing attacks. Attacking users in those countries is not as easy as throwing something into a translation engine. The actual context of their language foils many phishing attacks as well as recon methods like Google Hacking. Other than that, tech jargon and buzzwords are the same in all the places I've visited. Thank goodness it seems that everyone speaks my native tongue.

Vendor Trust
I usually don't believe everything a software or hardware vendor says. As the old saying goes, "Trust but verify". There seems to be an overwhelming trust of the big corporations abroad, probably to a fault. Taking a second to think about it, this is not just a foreign problem.

GNU and Open Source

I have met some extremely skilled foreign talent who use GNU and Open Source (OS) tools. Talking to people, I don't get a sense that foreign IT personnel have embraced GNU/OS on a large scale. I love to demo GNU solutions because when I leave them, I want them to have tools that they can work with and eventually use to improve their organizations.