Friday, December 31, 2010

My 2011 prediction = more of the same


Since I am not able to predict the future and I don't have enough big picture expertise in InfoSec to make intelligent and plausible predictions, I am going to take the easy way out. I know it isn't exactly exciting and you might even call it lame, but I predict 2011 will bring more of the same. (I am not a poet, and I know it.)
  1. Increasingly frequent financial data breaches a la TJX and Heartland
  2. Malware, malware, and STILL MORE malware - and likely even more crafty varieties
  3. Finally, the one that freaks me out most of all - more SCADA/Control System activity a la Stuxnet. Even without (alleged ;) government involvement, no doubt the bad guys took careful notes of the possibilities. The terrorists and government sponsored groups are likely pulling down additional copies of Siemens, Schneider, Rockwell, Modicon et al softwarez and likely also buying a representative bunch of PLCs to increase their mad skillz in pawning pumps, valves and variable frequency drives.
Best wishes to you and yours for 2011, and for those of us wearing the InfoSec white hats - as they used to say on Hill Street Blues: "Let's be careful out there."

Thursday, December 16, 2010

More Amusing Malware




So this one really cracked me up. My friend and co-worker Matt and I were chatting about this and that with an infected client sitting behind us running a virus scan when BOOM, the computer came to life with another of your garden variety fake AV. It was funny and sad at the same time.

It gets better. After pulling the Ethernet plug out and watching to see what Matt calls the bad mojo was going to do next (several minutes passed, not much happening), all of a sudden up popped the following warning about an attack/threat from a specific IP.

If the bad guys can block threats even when the computer is offline, that is simply cool and yet unfortunately impossible. I love my job.

Monday, December 13, 2010

InfoSec FUD Marketing



I received this email recently and I think it hit on my last good nerve. C'mon people, do we really need this kind of crap going around in 2010?

If this email works to drum up business for a telecom/security/whatever consulting group, I would really like to find out who the people are biting on this particular fish hook. I would call them myself under the guise of Doug's Ninja Service LLC as I think I could also sell them some DLP snake oil or perhaps a bit of magic pixie dust that stops all future malware variants - in the cloud.

Thursday, December 2, 2010

Censorship be damned


December in Michigan began with a snowstorm and a chill in the air that seems to be stuck inside my bones. While it does not seem to have affected my lukewarm heart, the jury is still out.

I thought that I would begin the last month of the year by posting a PDF of my absolute fave blog post of 2010. I can say that now because there is no possible way to upstage this gem.

Matt Olney of Sourcefire VRT fame posted a somewhat inflammatory but 100% spot on rant that was shortly thereafter removed. I made a PDF from the ever useful Google cache version and am posting it here until the ever witty and sharp tongued Mr. Olney asks me to remove it himself.

The Rise of the Citizen Cyberwarrior by Matt Olney

Monday, November 29, 2010

Cloudy with a chance of better security


I have been mulling over cloud computing a little bit lately. My thoughts (as usual) are pretty simplistic so far. I work in the small/medium environment where good InfoSec is as rare as hen's teeth. IMHO, the issues are primarily time and expertise. Small IT shops tend to be reactive and spend a lot of time firefighting. Proactive security is just plain hard, and when you are doing InfoSec as a sideline or a hobby within your daily work it is a million baby steps to reach a decent security posture a la 2010. Can it be done? Yes. Do I feel like I am there yet? Not even close, but moving in the right direction.

So take virtualization and then take cloud computing aka using somebody else's virtual infrastructure by way of the Internets. I am all about that. If it is possible for say Google Apps or Microsoft's "Cloud Power" to serve up COTS applications and protect data in a way that prevents people from the usual bad habits i.e. emailing themselves that spreadsheet full of PII, what is the downside? Plus if cloud computing means that we can move to a thin client desktop approach where few applications need to be installed after the inevitable malware infection(s), then my good friend Matt the desktop guy has a reduced suck factor. That's a win-win in my book.

At the risk of over-statement, do I really believe I can do security better than say Google, Microsoft or Amazon AWS? I guess it depends on how arrogant and/or delusional I am. Enough said.

There is some good reading on Lenny Zeltser's blog around how the risk factors in the Cloud are not all unique in comparison to other disruptive technologies. As for me, I can't wait to stick my head and hands in the cloud(s) - and keep them there.

Wednesday, November 17, 2010

Fake AV - Phunny Fail


If you are in IT these days you likely see your fair share of fake/rogue antivirus malware, be it @ work or home (or your beloved Aunt Edna - you know the one who always forwards you the Nigerian 419 scam emails wanting to know when to expect the big payoff.)

Last week at work a co-worker received a drive-by 'gift' of goodness on his XP box. We use WSUS for the Microsoft patches and Symantec Endpoint Protection for client side I'net 'security'/AV and your mileage probably sucks as bad as ours. We're still trying to win the battle on Adobe / Apple patching, not there yet but moving along.

Anywho, this particular fake AV crapware does something really quite hilarious - it changes your desktop wallpaper to a FUD factor alarmist litany of bad things that can happen if you disregard the pleas of the badware to detach yourself from your hard earned $50 which will be guaranteed to do nothing but lead to someone spending more money (with your card number.)

If you believe the above warning - all those movies/MP3s you deleted are STILL THERE and "could break your life!" It is too bad the author's English was not up to par. Some days you just gotta laugh, 'cause the crying gets old after a while. And while I hate malware as much as the next guy, no one I know of has ever died from an infection.

Image courtesy of the Rogue Antispyware blog, a great resource for all the latest Fake AV news.

Saturday, November 13, 2010

I don't wanna be 'that guy'


I was thinking the other day, reflecting really. I do that once in a while but I'm no Jack Handey. I was thinking about a few times recently where I have been either confronted (by my better half) or felt convicted internally about my behavior as far as either exaggerated or extreme statements I have made on topics that raise my blood pressure. I do not wish to be a robot or shell of a man who has no emotion, but I was surprised on a couple of occasions at the strength of my own reaction - overreaction is more like it.

There are times in life when we all see our own ugliness. When the mirror is raised and we are at our worst, or at least close to it. I am grateful that God reveals these things to me, call it what you like if you are not a believer - intuition / insight / etc. The facts here don't change.

I do not want to be that guy (the jerk with the funny hat). The me who is impatient with people at work who are maybe a bit slow on the uptake, who don't agree with me on a matter that seems obvious (from my perspective), or the InfoSec No Team. You know, the folks who relish explaining ad nauseam why something cannot or should not be done instead of offering up constructive alternatives and/or suggestions as to how something could be done securely or at least more securely. Or sarcastically telling everyone who will listen (or not get away fast enough) about how piss poor and totally pawnable this or that system/software/OS is.

Dan Lohrmann addresses this in several of his blog posts, I am a big fan of Dan's openness and honesty especially in matters related to relationships - the squishy but critical soft skills those of us in IT sometimes fail to give adequate time and effort:
http://blogs.csoonline.com/the_customer_is_clueless_not

So at the risk of sounding like a dork cheerleader, join me in committing to doing better with patience and hearing people out to gain perspective. Think back to the times you have learned things from people you had perhaps written off as total n00bs.

Tuesday, October 26, 2010

Help me help you


Warning, this is a rant. Overall I do like my job, and in general I like people. Yet I have to ask why is it that there are times it is so hard to communicate and to help someone understand that there is what I will simply call individual responsibility. This idea is on occasion completely lacking in the minds and hearts of otherwise rational human beings with a basic level of God-given intelligence.

To the user in this state of cluelessness: If you are unable or unwilling to assist your friendly neighborhood IT person/department with such fundamental principles as where you store your work related files, or what the frig you named a file (even one single word that you are certain was in the file name), then I am sorry to say that you are on your own.

And when it comes to InfoSec and DR/BC the same rules apply. If you don't have the ability to care about where your files are and whether they are being backed up, and you are OK with leaving your password post-it under your keyboard, then I must advise you that I will find it hard to muster any sympathy or empathy when (not if) you get powned. In fact it will take every bit of my already limited supply of self control to not shout I TOLD YOU SO when the inevitable happens.

So the subtext on the t-shirt above reads: because their ignorance is your job security. True that, I shut up now...

Sunday, October 17, 2010



Had an all around good time in Cleveland last week @ the (8th annual) Information Security Summit 2010. I had not previously attended this event, I was impressed. Good mix of speakers/topics and not too many vendors. I was grateful my employer allowed me to do the pre-conference training Mon/Tue/Wed.

Monday was a pretty good overview of 'next-gen' firewalls. Well, specifically Palo Alto Networks firewalls, but they didn't push their product hard and the concepts behind application aware firewalls make sense as a way to have better control of the things you want to allow vs. those you don't.

Tuesday/Wednesday was the highlight of the week for me, Intro to Malware Analysis taught by certifiable reverse engineer ninja Tyler Hudak. Tyler works for Richard Bejtlich at a little outfit known as General Electric. The course was very well thought out, great curriculum/flow and a good deal of hands-on with some of the current tools of the trade. Just enough to make me want to do more of this myself, while still realizing that it is an area of InfoSec where keeping skills sharp and moving to the next level is no small feat.

My favorite talk for the conference would have to be David Kennedy's Social Engineering Toolkit demo and evangelism soapbox. Mr. Kennedy created the SET and the demo struck fear in most of the people in the audience, me included. SET is no doubt an amazing tool, and David makes a strong case for SE becoming a standard part of pentesting.

Monday, September 20, 2010

800LB Gorillas Piss Me Off


So maybe I've been living under a rock for 6 months, but as my previous boss used to say on occasion, "what a d^ck move." I was working on a VPN issue today and I found that while I was sleeping Cisco reversed their statement that there would NOT be a 64 bit IPsec client for 64 bit Windows Vista/7. Ahem, so they released it in late April after many companies including the one I work for blew a wad of cash on buying SSL VPN licenses. Yeah, so 64 bit XP can't run it, but how many people are running 64 bit XP? No offense if you are, but there just aren't that many of you.

Makes me about as happy as when M$ said Exchange public folders are going away for good years ago. At least until everyone started drinking the SharePoint kool-aid and then SURPRISE, just kidding. We'll let you keep your public folders. I am a SharePoint fan, but still.

Grrr..... Happy Monday to me.

Saturday, September 11, 2010

Sourcefire Razorback


I had meant to post this some months ago when fall seemed far away, but the announcement (timed for Black Hat) of Sourcefire's brand new thing aka Razorback caught my interest. The meaty articles are still somewhat lacking, but this brief markety bit on Dark Reading makes it sound worth a look. And true to form from the people who brought you Snort, the new 'mean pig' logo is just cool. Now if only one of the guys I used to work with would volunteer to help me get it up and running...

Thursday, July 15, 2010

Windows XP SP2, Thanks for the Memories


So this week brought the last security patches for Windows XP SP2. Interesting that XP SP3 will be supported until 2014. The 2020 date was somewhat misleading but is explained here:
http://www.zdnet.com/blog/bott/xp-in-2020-not-even-close-read-the-fine-print/2270

Hard to believe XP came out in 2001 and SP2 came out in 2004. Time to think about Windows 7, and the pain of getting rid of, replacing or re-writing those legacy apps. As I heard someone say the other day, the only constant is change.

Wednesday, May 12, 2010

From the mildly interesting department...


After having an internal DVD writer drive that burned mostly coasters, I broke down and bought a new one even though it is only a few times/year I burn DVDs for photo backup or new OSen to try. The Lite-On drive I bought features a new technology called 'smart-erase'. Supposedly it makes sure data is not recoverable. Seems like a good idea, but I wondered if it has been tested by any 3rd parties.

A few Google searches found nothing except a markety spiel from the CompUSA website:
"But what makes the Lite-On Internal DVD Writer stand out from the crowd is its unique feature: SmartErase. SmartErase is an advanced technology to give users the ability to permanently erase the data on DVD±R (DL) and CD-R discs that can withstand any recovery attempt. Thanks to SmartErase, users now can rest assure that their private and sensitive data is securely erased and cannot be recaptured."

While not widely known in InfoSec circles, I choose to believe that CompUSA has long been known for the accuracy of security information about the products they sell. Who says ignorance is not bliss.

This got me thinking a bit about encrypted USB devices, primarily flash drives. If you haven't checked out TrueCrypt, I would recommend you do. If it is good enough for Bruce Schneier, it is good enough for me. That is all. Good night.

References:
CompUSA Quote
Image: Lite-On Corporation Smart-Erase
Special un-kudos to Lite-On for not replacing the Joomla favicon for their site. While it isn't hard to figure out which CMS a website is using (hint: view source + Google), why make people work for it?

Saturday, April 24, 2010

InfoSec quotes from unexpected sources


I was sorting some old textbooks recently, and found my Pascal book from way back when at Calvin. Yes, children, that was before Java and C++ were the standard languages kids learned. The photo is of Swiss-born Niklaus Wirth who created Pascal.

I decided I could recycle the COBOL book from Grand Valley, but the Pascal book has some good history in the first chapter with cool old photos of things like the ENIAC, and quotes from the past and present spread throughout. This one gave me pause:

"It became increasingly apparent to me that, over the years, Federal agencies have amassed vast amounts of information about virtually every American citizen. This fact, coupled with technological advances in data-collecting and dissemination, raised the possibility that information about individuals conceivably could be used for other than legitimate purposes and without the prior knowledge or consent of the individuals involved."
- President Gerald R. Ford,
quoted in Pascal Programming and Problem Solving by Sanford Leestma & Larry Nyhoff

Photo of Niklaus Wirth from http://en.wikipedia.org/wiki/Niklaus_Wirth

Thursday, April 15, 2010

Adobe Auto Updater


Lo and behold what is that on my home PC? Adobe launched their new auto-updater on the IT equivalent of Tax Day which (sometimes) sadly comes every month, yes I mean Microsoft Patch Tuesday.

A post on the Adobe Acrobat blog tells the tale.

I suppose I should give them some kudos, as from what I hear from people who know things I don't, between Adobe Reader and Apple QuickTime the OS isn't the favorite attack surface for the bad guys/gals any longer. Javascript 'enhanced' PDF anyone? Enjoy the extra 'goodness'...

However I am just trying to figure out if this updater needs local admin perms, and if it does how can this be done with group policy without being an AD ninja.

Wednesday, April 7, 2010

Stoppin' the Badness


Last night I went to a security solutions event, BlueCoat and SourceFire were the vendor presenters. BlueCoat has a pretty cool product that is a 'hybrid web gateway' in market-speak. Basically it is a SaaS Internet filter/proxy appliance that taps the Internet habits of ~67 million users worldwide to decide what is good and what is 'badness' as the BlueCoat guy called it. There's a hilarious cartoon intro to the product online. Nice to see a company that can harness the power of humor instead of staying boring 100% of the time.

Apparently over the last 3 years BlueCoat has been building their user base for this cloud based crowd-sourcing of web traffic and then uses a combination of automated analysis, threat history, and some human analysis where needed to analyze what sites or parts of sites should be blocked. They also have a free version of the proxy software for home users called K9 that uses the same back end database/threat list:
http://www.k9webprotection.com/

The presenter shared how when he put the software on his 13 year old son's new laptop that within 2 days he heard the software make a barking sound (without warning him in advance that he had gone big brother) and then waited for the explanation. He said 1st his son threw a friend under the bus, but then did fess up.

The SourceFire preso was also interesting, some talk about security needing context and some current threat discussion. SourceFire seems to have a good IDS/IPS product and interface, at least when compared to the only IDS/IPS I have experience with, which is Cisco Intrusion Manager Express (IME), for which I have feelings between apathy and distaste (1).

References:
1. The head of IT at Davenport was the first person I heard use the phrase 'between apathy and distaste' speaking about how users felt about their email system before moving to Google Apps.

Monday, April 5, 2010

Lesser of Two Weevils?


With thanks to Master & Commander for the post title, I am thinking today about client protection suites. So you have your pick of all the usual suspects for antivirus/antispyware and add in the network protection features like firewall and maybe host IDS/IPS. Stir it all up and you have some good complexity going for the average small/medium shop.

Let's say you accept that most of the solutions are relatively equal in their (in)ability to protect you from what my co-worker Matt likes to call 'goodness'. [Goodness (n.) - all the crap you get from surfing the web such as drive-by downloaders, droppers, keyloggers, bots, etc.]

Now look at the extra PITA of a management interface learning curve and how to make sense of the reporting options and find the glitches. Tired yet? Me too. Now think about switching to Microsoft Forefront Client Security 2010 and the integration with WSUS for easy updating. Plus what I have seen of Microsoft's free home av/as client Security Essentials (and before that OneCare) I believe they are getting enough data from home users to be able to do as well (arguably) as McAfee, Symantec and the rest of the usual suspects.

Pretty tempting, one ring to rule them all. To me it seems like a no brainer, provided there is a 3rd party scanning engine on the web security gateway/email filter (i.e. Kaspersky or another) to get a 2nd opinion on what is good or bad.

Now if only they would announce the RTM date for the 2010 client I could try to forget all that I know about big yellow client stuff. I could use that brainspace for other things like homebrew trivia or homework stuff.

Weevil image courtesy of Rentokil.com and their awesome blog post: I can has bugs?
Anybody in the pest control biz who loves lolcats has to be good.
http://www.rentokil.com/blog/

Monday, March 29, 2010

Critical Mass


A thought that occasionally comes back to me is at what point does the size of a company create challenges that are not - or perhaps cannot be addressed? Where is the sweet spot between too small to actually do security well and too big to have a handle on what is happening at any given moment?

In the small/medium space (say < 250 full time employees) where I have lived most of my cubicle dwelling life there has been understanding/support of some of the security basics such as antivirus/antispyware, firewalls, email & Internet filtering, OS patching, but beyond that it is hard to justify and get buy-in for the budget dollars needed to take things to the next level of maturity. The cost of some of the better solutions for IDS/IPS and SIM/SEM/SIEM, plus the IT staff time/expertise needed to monitor them and to understand what requires attention and what is just noise, is a tall order.

On the ginormous side of the world, how do large global companies address bureaucracy/enormity/complexity with 10,000 plus employees? Thinking about how to manage or even get my puny mind around tackling InfoSec at that scale/scope makes me dizzy.

I have no answers on this topic, only more questions.

Image courtesy of Wikipedia article on Complexity Science:
http://en.wikipedia.org/wiki/Complexity
&
http://www.art-sciencefactory.com/complexity-map_feb09.html
(Very cool t-shirts here.)

Saturday, March 27, 2010

Watching the Watchers


At the March meeting of the Grand Rapids ISSA the topic of accountability was raised. The idea being that InfoSec professionals and most IT staff have a lot of access/permissions/etc. A necessity to a degree, but in small/medium shops which is where I've spent most of my working life so far the fact is that there isn't much in the way of firm policy and procedures around checking on other IT staff or other employees within the organization.

No easy answers here, and there is a basic degree of trust required in any org for anything to get done. I am not at all pro micro management but at the same time it seems there needs to be some intentional attention given to keeping each other (i.e. IT dept peers) on the right track. Just because I have access to sensitive information such as payroll (how much does that guy make?) and HR documents (did she get written up for that one thing?) does not mean I should give in to my own curiosity. Least privilege is a wonderful thing but seldom do smaller departments take this to the degree that is needed, and it is a real PITA managing perms when roles and needs change. Most stuff is more open than it perhaps needs to be simply b/c everyone is spread thin and fire fighting the majority of the time.

This one made me go hmm a few times in the last couple weeks.

Well, the sun is shining and it is time to get some fresh air. Then head to the library to start writing a paper for my DU class.