Tuesday, October 26, 2010

Help me help you


Warning, this is a rant. Overall I do like my job, and in general I like people. Yet I have to ask why is it that there are times it is so hard to communicate and to help someone understand that there is what I will simply call individual responsibility. This idea is on occasion completely lacking in the minds and hearts of otherwise rational human beings with a basic level of God-given intelligence.

To the user in this state of cluelessness: If you are unable or unwilling to assist your friendly neighborhood IT person/department with such fundamental principles as where you store your work related files, or what the frig you named a file (even one single word that you are certain was in the file name), then I am sorry to say that you are on your own.

And when it comes to InfoSec and DR/BC the same rules apply. If you don't have the ability to care about where your files are and whether they are being backed up, and you are OK with leaving your password post-it under your keyboard then I must advise you that I will find it hard to muster any sympathy or empathy when (not if) you get powned. In fact it will take every bit of my already limited supply of self control to not shout I TOLD YOU SO when the inevitable happens.

So the subtext on the t-shirt above reads: because their ignorance is your job security. True that, I shut up now...

Sunday, October 17, 2010



Had an all around good time in Cleveland last week @ the (8th annual) Information Security Summit 2010. I had not previously attended this event, and I was impressed. Good mix of speakers/topics and not too many vendors. I was grateful my employer allowed me to do the pre-conference training Mon/Tue/Wed.

Monday was a pretty good overview of 'next-gen' firewalls. Well, specifically Palo Alto Networks firewalls, but they didn't push their product hard and the concepts behind application-aware firewalls make sense as a way to have better control of the things you want to allow vs. those you don't.

Tuesday/Wednesday was the highlight of the week for me, Intro to Malware Analysis taught by certifiable reverse engineer ninja Tyler Hudak. Tyler works for Richard Bejtlich at a little outfit known as General Electric. The course was very well thought out, great curriculum/flow and a good deal of hands-on with some of the current tools of the trade. Just enough to make me want to do more of this myself, while still realizing that it is an area of InfoSec where keeping skills sharp and moving to the next level is no small feat.

My favorite talk for the conference would have to be David Kennedy's Social Engineering Toolkit demo and evangelism soapbox. Mr. Kennedy created the SET and the demo struck fear in most of the people in the audience, me included. SET is no doubt an amazing tool, and David makes a strong case for SE becoming a standard part of pentesting.

Monday, September 20, 2010

800LB Gorillas Piss Me Off


So maybe I've been living under a rock for 6 months, but as my previous boss used to say on occasion, "what a d^ck move." I was working on a VPN issue today and I found that while I was sleeping Cisco reversed their statement that there would NOT be a 64 bit IPSEC client for 64 bit Windows Vista/7. Ahem, so they released it in late April after many companies including the one I work for blew a wad of cash on buying SSL VPN licenses. Yeah, so 64 bit XP can't run it but how many people are running 64 bit XP? No offense if you are, but there just aren't that many of you.

Makes me about as happy as when M$ said Exchange public folders are going away for good years ago. At least until everyone started drinking the SharePoint kool-aid and then SURPRISE, just kidding. We'll let you keep your public folders. I am a SharePoint fan, but still.

Grrr..... Happy Monday to me.

Saturday, September 11, 2010

Sourcefire Razorback


I had meant to post this some months ago when fall seemed far away, but the announcement (timed for Black Hat) of Sourcefire's brand new thing aka Razorback caught my interest. The meaty articles are still somewhat lacking, but this brief markety bit on Dark Reading makes it sound worth a look. And true to form from the people who brought you Snort, the new 'mean pig' logo is just cool. Now if only one of the guys I used to work with would volunteer to help me get it up and running...

Thursday, July 15, 2010

Windows XP SP2, Thanks for the Memories


So this week brought the last security patches for Windows XP SP2. Interesting that XP SP3 will be supported until 2014. The 2020 date was somewhat misleading but is explained here:
http://www.zdnet.com/blog/bott/xp-in-2020-not-even-close-read-the-fine-print/2270

Hard to believe XP came out in 2001 and SP2 came out in 2004. Time to think about Windows 7, and the pain of getting rid of, replacing or re-writing those legacy apps. As I heard someone say the other day, the only constant is change.

Wednesday, May 12, 2010

From the mildly interesting department...


After having an internal DVD writer drive that burned mostly coasters, I broke down and bought a new one even though it is only a few times/year I burn DVDs for photo backup or new OSen to try. The Lite-On drive I bought features a new technology called 'smart-erase'. Supposedly it makes sure data is not recoverable. Seems like a good idea, but I wondered if it has been tested by any 3rd parties.

A few Google searches found nothing except a markety spiel from the CompUSA website:
"But what makes the Lite-On Internal DVD Writer stand out from the crowd is its unique feature: SmartErase. SmartErase is an advanced technology to give users the ability to permanently erase the data on DVD±R (DL) and CD-R discs that can withstand any recovery attempt. Thanks to SmartErase, users now can rest assure that their private and sensitive data is securely erased and cannot be recaptured."

While not widely known in InfoSec circles, I choose to believe that CompUSA has long been known for the accuracy of security information about the products they sell. Who says ignorance is not bliss?

This got me thinking a bit about encrypted USB devices, primarily flash drives. If you haven't checked out TrueCrypt, I would recommend you do. If it is good enough for Bruce Schneier, it is good enough for me. That is all. Good night.

References:
CompUSA Quote
Image: Lite-On Corporation Smart-Erase
Special un-kudos to Lite-On for not replacing the Joomla favicon for their site. While it isn't hard to figure out which CMS a website is using (hint: view source + Google), why make people work for it?

Saturday, April 24, 2010

InfoSec quotes from unexpected sources


I was sorting some old textbooks recently, and found my Pascal book from way back when at Calvin. Yes, children, that was before Java and C++ were the standard languages kids learned. The photo is of Swiss-born Niklaus Wirth who created Pascal.

I decided I could recycle the COBOL book from Grand Valley, but the Pascal book has some good history in the first chapter with cool old photos of things like the ENIAC, and quotes from the past and present spread throughout. This one gave me pause:

"It became increasingly apparent to me that, over the years, Federal agencies have amassed vast amounts of information about virtually every American citizen. This fact, coupled with technological advances in data-collecting and dissemination, raised the possibility that information about individuals conceivably could be used for other than legitimate purposes and without the prior knowledge or consent of the individuals involved."
- President Gerald R. Ford,
quoted in Pascal Programming and Problem Solving by Sanford Leestma & Larry Nyhoff

Photo of Niklaus Wirth from http://en.wikipedia.org/wiki/Niklaus_Wirth