Sunday, November 23, 2008

SUMO Linux up for BitTorrent Download

SUMO (Security Utilizing Multiple Options) Linux v1.0

SUMO Linux is a bootable DVD from Sun Tzu Data which contains a compilation
of the best Information Security distributions:

Backtrack 3
Helix 2.0
Samurai Linux



Tuesday, November 18, 2008

Scalable Security 101

If your organization relies on you or a product to be the single point of failure for all things, that's not a scalable model. When you leave or the product fails, the pain begins. Plan for these losses and failures by cross-training and learning the shortcomings of solutions that you deploy. This is just the beginning of Scalable Security.



Leaving the Backdoor Open

This is a classic case of implementing one security measure only to leave the attacker with an easy vector for compromise.

In this photo I took today, a security-minded driver placed “The Club” theft prevention device on their steering wheel to prevent someone from stealing the car. As you can see, the driver also left a trunk full of clothes and other items exposed.

Is this happening in your network?

Tuesday, November 11, 2008

The Digital Age meets the Pony Express

I saw this along the road last week. I had to take a picture and share it with everyone. The irony of course is that it shows how much communication has changed over the years. This photo is priceless.

Monday, November 10, 2008

Who Is The Audience vs. Who It Should Be?

When I attend security events I want to see a more diverse group of attendees. I need to see the people on the front lines: junior and senior systems administrators. I want to see them go back to their organizations and teach others what they have learned.

Are you a team player? I want to challenge all network security professionals to mentor one person. Tell that person to mentor someone. That is the only way we can start to protect our assets. I don't think people understand how bad the situation is in the security space. We need to step up our security game in a major way.

We need to take the knowledge to the audience that needs the message.

Thursday, November 6, 2008

DojoSec November 2008 Wrap-up

DojoSec November 2008 went well. I want to thank the Sun Tzu Data Newsletter members who attended the event. Also, I'd like to give a special thanks to all the friends of Sun Tzu Data for lending a hand.

Brian Baskin delivered an excellent talk on BitTorrent (BT). Few in the industry understand BT as well as Brian. His research on the technology is mind-boggling as he is able to break the technology down to binary and hex with clarity. Thanks Brian :)!

Bruce Potter followed up with a great talk raising eyebrows on the "Current State of Information Assurance". Bruce made some excellent points regarding the lack of progress in the computer security industry over the last 20 years. Bruce opened a lot of eyes with his analysis of the industry as well as his legendary delivery.

Bruce drilled home the point that if someone is properly equipped and wants to attack your organization, you're 0wn3d (owned). In this talk, Bruce highlighted statistical analysis techniques he has used with Netflow data to find compromised systems in real-world network intrusions. Thanks Bruce!

Pictures from DojoSec November 2008

Here are a couple of pictures from DojoSec November 2008.

Saturday, November 1, 2008

Bad Things Come in Small Packages

I had the pleasure of handling one of Nico Darrow's NEMEMIS miniature attack platforms. This thing is pretty sweet. In these images you can see that this device is about the size of some external hard drives.

For its small size it packs a heck of a punch. It runs a Linux-based distro full of goodies for penetration testing. It has wired/wireless network, monitor, and two USB ports that could be used for a mouse and keyboard.

Imagine the damage you can do with this puppy :)

The "Key" to Identity Theft

I have seen many things hanging from keys, but recently I've been paying more and more attention to security at all levels. We all see people throwing their keys down on their desks, boardrooms, and even on basketball courts.

Last year I even advised a guy not to leave his mini credit card on his keychain in plain view. I just look at these things for awareness, but there are many criminals preying on what we leave on our keychains. Many military members and veterans wear their "dog tags" on key chains.

As a vet I notice military issued "Dog Tags" instantly. I had a colleague leave his keys in a conference room. His military tags had the following information on them.

1. Full Name
2. Social Security Number
3. Allergic to Penicillin

I walked up to him in his cubicle and mentioned his allergy to him. Of course he was surprised I knew this detail. I then handed back his keys and pointed to the tag. A malicious person could have done far worse with this information. When trying to secure organizations and even our personal lives, we must think as the bad guy would think.

Default Login and Password

This is the problem that will not go away. I was in a discussion with a Security Engineer from a major vendor who happens to be the number one vendor in their space. He informed me that I could not change the password on a security appliance and to leave it at default.

So the hacker in me quickly thought that if I did a banner grab for this vendor's appliance across an enterprise I could compromise this device wherever it existed. This appliance is highly deployed, so it is a bit scary to me. The fact that it came from a major "security vendor" was even worse.

This is Security 101 here :(

The reason he said that you couldn't change the password was, "It's an appliance!". I'm like, "Okay????".

This goes to all vendors, administrators, and security professionals.


Sorry for shouting. :)