Tuesday, December 23, 2008

Plate Spinning 101

There are many analogies in Information Security. Someone mentioned plate spinning in an unrelated context, and then this blog post hit me. Many jobs can relate to plate spinning, but follow me on this one. If you were a professional plate spinner, your task would be to minimize the loss of your assets. To minimize loss, the plates must spin, or you will lose assets. If you lose too many assets, the show can't go on.

With proper training, personnel can learn to get all of the plates spinning. More importantly, plate spinners need to monitor and maintain operations, because without proper attention the assets ALL FALL DOWN. The plates are falling in many enterprise networks.

The following video is recommended viewing for Information Security practitioners. Please substitute "Information Security" for "Plate Spinning".

Monday, December 22, 2008

SUMO Linux on a Thumbdrive

From my colleague Jonathan Bennett:

Here are the steps I took:

1. Download TRK Linux

2. Install TRK Linux on thumbdrive:

trk2usb -d {DEVICE} (optional) -s 4000

I did this because when I tried to create a bootable partition as number 4 as described here: http://klikit.pbwiki.com/Klikit-Live+on+USB+Stick it did not seem to work properly. I think now that maybe it did, but I didn't give it enough time.

3. Delete all TRK Linux files

4. Copy all SUMO files to the disk. Modify autoexec.inf so the thumbdrive doesn't identify itself as "SUMO Live CD".

5. Create /boot/syslinux directory. Download all files from http://sumolinux.suntzudata.com/syslinux/ and save them to the /boot/syslinux folder.

6. Run "Syslinux.exe -d /boot/syslinux :" from the syslinux folder (as administrator if using Vista)

I had to do this in Windows. Syslinux in Linux will not install because it doesn't like the structure of the FAT32 partition for some reason.

7. Boot to thumbdrive. Be patient if the Syslinux prompt comes up to "boot:"; sometimes it takes a couple of seconds to get to the menu.

8. I think following the commands on klikit's website should work for formatting the drive; just make sure that the space allotted is big enough to allow the whole DVD to be copied in.


Hit me up on Twitter (Marcus J. Carey) and let me know how this worked.

Sunday, December 21, 2008

Sense of Urgency: This is not a drill!

Where is the sense of urgency?

This article from Federal Computer Week has a knack for stating the obvious. Does this sum up where we are with regard to protecting our country from cyber-attacks?

Sorry for the snark below.

BREAKING NEWS: Cyberattack simulation highlights security challenges

Article says: The simulation also illustrated some challenges the Obama administration and next Congress will face in terms of cybersecurity, they said.

Marcus says: Challenges that we WILL face? Are we not facing them now? Have we not been facing them for years at this point? Did anyone miss the article linked below? Why did we need a joint exercise to illustrate problems that have been apparent for years?


Article says: “There was a great realization that we are all in this together,” said Gerencser. “And what got uncovered in the game is that there were interdependencies that we didn’t quite understand or appreciate before.”

Marcus says: You have to be kidding me. How long have we been doing this? Are you telling me that we are being attacked and are just getting to understand interdependencies? The answer is, "YES!".

Article says: “This will be an ongoing effort,” Langevin said. “The cyberthreat itself is ever changing and ever evolving, it is going to be very difficult to stay one step ahead of it, but that’s what our goal has to be.”

Marcus says: This is such a cliche moment. I wonder how much money this exercise cost. Is this something that we didn't already know? These are my tax dollars at work.

Quick Conservative Number crunching:

230 people for a 48-hour exercise.

230 (personnel) * 40 (billable hours per person) * $225 (hourly rate + overhead) = $2,070,000.00

It probably cost much more than that :(.

My point is that we need to have this down by now. As my friend Eoghan Casey says, "We need to establish a home-court advantage on our networks!". This article illustrates that we are spinning our wheels. This is the equivalent of being in Iraq and pretending that you are practicing at Fort Hood. This is not a drill!

On a lighter note, have a Merry Christmas and Wonderful Holidays!

- Marcus J. Carey

Monday, December 15, 2008

WALL-E Security

This Hollywood Security moment brings us WALL-E. WALL-E is a futuristic tale in which humans rely on computers/machines for everything. The point of this movie is especially true today for many information assurance practitioners and organizations. When we rely on security tools to do everything, the image below portrays what eventually happens.

- Marcus J. Carey

Sunday, December 7, 2008

Stealing Data the Easy Way

As I entered the Athens Airport Business Class lounge, I asked if there was WiFi connectivity. I was told there was no WiFi, but I could help myself to the kiosk computers. I jumped at the chance to check out the security posture of these computers. I assumed that there would be security issues.

I wasn't disappointed with the amount of information I had access to, much of which I considered to be breaches of confidentiality for some previous users of the kiosk. The following pictures are just a sample; there was much more. If I were a bad guy, I could have stolen loads of data the easy way by just emailing the files to myself. I took the pictures here for security awareness efforts. Names have been hidden to protect the innocent.

The following are reasons why people shouldn't use free Internet kiosks:

1. The Windows Security Alert tells you that the system may not be up to date for security fixes.

2. The following "user agreement" means that everyone has access to anything you store on this computer.

3. Your browser history is usually intact and credentials are sometimes still valid.

4. People can read confidential documents you typed on the computer.

5. People may get a sneak peek at your lucrative sports contract.

6. People may get a copy of your C.V. and all of the personal information it contains.

7. People may get access to your accounts spreadsheet.

8. People can install malicious code into important directories.

9. Being a security professional, I warned the attendants on duty about the issues that I had found. The lead attendant said, "If anyone is stupid enough to use the kiosk and do that, they should not be using the computers!".

Enough said!


Tuesday, December 2, 2008

Incident Response on the iPhone

I was just thinking that some aspects of Incident Response can be done while mobile. It would be interesting if I was on the beach and able to troubleshoot issues on a mobile phone. Five years ago I created a project for my interns to allow remote command-line management of systems through AIM, which you could do from a mobile phone. Although it wasn't a "secure solution", it was pretty nice.

Thank you iPhone and TouchTerm, now I can do it securely. The iPhone does support VPN connections and TouchTerm allows you to establish SSH connections to systems from the iPhone (for $FREE)!


Monday, December 1, 2008

Big Fat Greek Internet Cafe

Internet Cafes are often used to do illegal bidding. I had the pleasure of visiting this one in Athens, Greece. This one was 99% illegal (Even in Europe). From what I understand, this is common in Europe. I wonder if the U.S. has this sort of blatant illegal Internet activity in its Cafes. Law enforcement seems to be tougher in the States.

The young man working as staff was nice enough to pose for a picture. He allowed me to take pictures of the place, since I was a tourist and had never seen anything like this :).

All of the computers below had almost every computer game imaginable loaded on them. If a computer didn't have a game on it, you could install whatever you wanted.

I did a bit of shoulder surfing to see exactly what users were doing. In the photo below, a young lady was downloading music on Limewire. Since she had earphones on, she didn't notice I was so close. She was blasting illegal tunes and enjoying every minute of it.

The Cafe sold blank CDs and DVDs, in case you wanted to burn anything you downloaded. All the content you want for 2 Euros per hour (Sweet!). Just imagine how much malicious code resides on this network.