<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:rawvoice="http://www.rawvoice.com/rawvoiceRssModule/" xmlns:creativeCommons="http://backend.userland.com/creativeCommonsRssModule" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">

<channel>
	<title>Hurricane Labs</title>
	
	<link>http://hurricanelabs.com</link>
	<description>The Information Security Experts</description>
	<lastBuildDate>Wed, 22 May 2013 17:07:46 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
<!-- podcast_generator="Blubrry PowerPress/4.0.8" -->
	<itunes:summary>The Information Security Experts</itunes:summary>
	<itunes:author>Hurricane Labs</itunes:author>
	<itunes:explicit>no</itunes:explicit>
	<itunes:image href="http://hurricanelabs.com/wp-content/uploads/2013/03/podcast_icon_1400.jpg" />
	<itunes:subtitle>The Information Security Experts</itunes:subtitle>
	<itunes:keywords>IT Security, Information Security, Technology</itunes:keywords>
	<image><link>http://creativecommons.org/licenses/by-sa/3.0/</link><url>http://creativecommons.org/images/public/somerights20.gif</url><title>Some Rights Reserved</title></image>
	<itunes:category text="Technology">
		<itunes:category text="Tech News" />
	</itunes:category>
		<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/HurricaneLabsNewsletter" /><feedburner:info uri="hurricanelabsnewsletter" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license><feedburner:emailServiceId>HurricaneLabsNewsletter</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><item>
		<title>Six “Big Data” Questions To Ask BEFORE You Implement Splunk</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/B0n7KfXrq3o/</link>
		<comments>http://hurricanelabs.com/blog/big-data-questions-before-you-implement-splunk/#comments</comments>
		<pubDate>Wed, 01 May 2013 14:27:44 +0000</pubDate>
		<dc:creator>nicole</dc:creator>
				<category><![CDATA[General Cyber Security]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=9095</guid>
		<description><![CDATA[<p>We specialize in implementing “Splunk for Security.” This could mean getting your firewalls and IDS devices talking to Splunk and making the logs have some meaning or taking in your vulnerability management data and breaking out alerts that tell you &#8230; <a href="http://hurricanelabs.com/blog/big-data-questions-before-you-implement-splunk/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/big-data-questions-before-you-implement-splunk/">Six &#8220;Big Data&#8221; Questions To Ask BEFORE You Implement Splunk</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p><a href="http://hurricanelabs.com/wp-content/uploads/2013/05/implementing-splunk1.jpg"><img class="alignnone size-full wp-image-9100" alt="implementing-splunk" src="http://hurricanelabs.com/wp-content/uploads/2013/05/implementing-splunk1.jpg" width="1280" height="720" /></a><br />
We specialize in implementing “Splunk for Security.” This could mean getting your firewalls and IDS devices talking to Splunk and making the logs have some meaning or taking in your vulnerability management data and breaking out alerts that tell you where your real problems are. To us, it’s all data and it’s all useful for security. I love the term “big data” because it can be applied to anything at all; kinda like the “Cloud.” <span id="more-9095"></span>The problem with big data though, is that it’s real. Unlike the Cloud, which is this big abstract thing which could mean your infrastructure or Amazon’s or Google’s or whoever’s, this data problem is uniquely yours. Now because this is a Splunk article I’m going to focus on machine big data because, well, that’s what Splunk is really great at. However, most of these “top” six questions can be applied to any big data problem you may have. Enjoy.</p>
<h2>1) Where does your data live?</h2>
<p>On many of the deployments we’ve done, the biggest problem is that no one knows where the log data lives. People have changed default configurations, put the log files on a SAN or simply on another partition, and the current administrator has no idea where they are. In a big enough environment this can be very problematic. At one recent deployment we wrote a script that listed the various partitions on a machine and sorted the files by type so we could sift through the results (using Splunk) looking for IIS logs. You have to figure out where your data is and what type of data you want to collect before you can do anything else. This is the first and arguably most important question you need to ask. As with most things, I recommend a checklist or form of some kind to collect the answers; it really simplifies the process.</p>
<h2>2) How big is your big data?</h2>
<p>It is really important to know how much data you’re going to be looking at, not just because Splunk licenses by indexed volume (in gigabytes) per day, but because you’re going to be searching this data, and the more you have, the longer the search. Knowing the volume will also help you design and scale your architecture. Do not go into a Splunk project without having asked this question and having at least a general idea of the answer. That answer will also help you later when you’re designing dashboards and saved searches and deciding what to accelerate and what to schedule when. It is probably the trickiest question to answer, too, because odds are you have no idea how much data you will be collecting per day. There are some things you can do to get close: set up a syslog server, collect data for a week or so from the target devices, and then measure how much you have. It won’t be exact, but it will be good enough for the general idea this question needs.</p>
<h2>3) What, specific, questions do you want to ask of your data?</h2>
<p>Data is a really great thing; it can answer a lot of questions (I’m a huge data nerd). The problem is you need to know what you want to ask it. In a lot of cases you can get away with some pre-built apps and get the answers other people wanted of the same data. That’s great, if you’re lucky. If you’re not so lucky, you will need to build out your own searches and your own apps, and to do that you need to know what business, operational and security questions your data has to answer. This also tells you what data you need to collect and how long you need to keep it. Be as specific as possible up front, as this will help you craft your searches and dashboards. It is very important to get an idea of what answers you would like to see.</p>
<h2>4) What do you mean, correlate?</h2>
<p>Correlation is a funny thing: it means different things to different people. It shouldn’t, but it does. Decide up front what correlation means to you and your organization so you can concentrate on collecting and relating the right data correctly from the start. This will be harder than any of the other questions, and I don’t have great advice on answering it because it is such a slippery topic. Basically, though, start with the simple correlations and grow them, because they get very complex very quickly. Correlate early, correlate often. Here’s a hint: yes, there is a relationship between your firewall data and your IDS data; the trick is finding that relationship and visualizing it clearly. Have fun.</p>
<h2>5) How much storage do I need to maintain all this stuff?</h2>
<p>This is a trick question because you need to answer number 2 first and then decide how long you want to keep that data. This is known as defining a retention period, and your storage need is roughly the daily volume multiplied by that period. Retention could be governed by policy or regulation, so the answer should be pretty concrete, but I’ve noticed that in a lot of instances it isn’t, so I wanted to be sure to include it. Get this information up front or plan for some heartache down the road.</p>
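<p>As an added example (not part of the original post), here is a small shell script that covers questions 2 and 5 together: it buckets a week of collected syslog by day and source host, reports the average daily raw volume, and projects storage for a retention period. The log lines are constructed samples, the host names are illustrative, and the 0.5 indexed-to-raw ratio is an assumption (a common rule of thumb), not a measurement of your data.</p>

```sh
#!/bin/sh
# Added example, not from the original post: size a Splunk deployment from a
# week of syslog captured on a collector. Input format assumed: classic
# "Mon DD HH:MM:SS host program: message" lines. Host names are illustrative.

# Constructed sample: what a collector might have written over two days.
SAMPLE_LOG='May  1 00:00:01 fw1 kernel: iptables DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP DPT=22
May  1 00:00:02 ids1 snort[1234]: [1:2001219:19] ET SCAN Potential SSH Scan {TCP} 198.51.100.7:5555 -> 203.0.113.5:22
May  1 00:00:03 fw1 kernel: iptables DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP DPT=23
May  2 00:00:01 fw1 kernel: iptables DROP IN=eth0 SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP DPT=445
May  2 00:00:02 ids1 snort[1234]: [1:2010937:2] ET POLICY Suspicious inbound to mySQL port 3306 {TCP} 198.51.100.9:4444 -> 203.0.113.5:3306'

# daily_volume < logfile
# Prints "Mon DD host bytes", one line per host per day, sorted. Bytes are the
# line length plus its newline, i.e. what Splunk would count as raw data.
daily_volume() {
    awk '{ key = $1 " " $2 " " $4; bytes[key] += length($0) + 1 }
         END { for (k in bytes) print k, bytes[k] }' | sort
}

# avg_daily_bytes < logfile
# Total raw bytes divided by the number of distinct days seen (integer result).
avg_daily_bytes() {
    awk '{ days[$1 " " $2] = 1; total += length($0) + 1 }
         END { n = 0; for (d in days) n++; printf "%d\n", (n ? total / n : 0) }'
}

# projected_storage_gb AVG_DAILY_BYTES RETENTION_DAYS [RATIO]
# RATIO is on-disk indexed size relative to raw. 0.5 (compressed raw plus
# index files) is a rule of thumb assumed here, not a measurement.
projected_storage_gb() {
    awk -v b="$1" -v d="$2" -v r="${3:-0.5}" 'BEGIN { printf "%.2f\n", b * d * r / 1073741824 }'
}

# Typical use on the collector after a week:
#   daily_volume < /var/log/collected.log
#   projected_storage_gb "$(avg_daily_bytes < /var/log/collected.log)" 90
```

<p>Pipe the sample through it with <code>printf '%s\n' "$SAMPLE_LOG" | daily_volume</code> to see the per-host breakdown; that breakdown is also a useful answer to question 1, since it shows which sources actually produce the volume you are paying to index.</p>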
<h2>6) How do I define success?</h2>
<p>Ask yourself, your bosses, your pets, whoever will be looking at and asking questions of the data, how do you define success? What answers will have to be provided for you to say this project is a success? Chances are you will get wildly different answers, but each person involved will have answers. If they don’t you should resist the urge to define success for them but know that once you get everything going, they will suddenly have a flood of ideas for what success will be or should have been. This is also a tough question but one that should be asked up front.</p>
<p>The most important part of this post is that you should not go into a Splunk or any big data project blind. Ask these sorts of questions up front and implement your project accordingly. Don’t try to do it all at once, though; implement in phases. I recommend taking small chunks of data at a time, getting your answers at a micro level, then expanding and getting answers at a deeper level. This is the best recipe for success in a Splunk project. Don’t bite off bigger chunks than you can chew at once; it is very tempting, but really resist the urge. You’ll thank me later.</p>
<p>Finally as with everything I’ve ever written, said or done, take a deep breath, relax and dig in, it’ll be okay.</p>
<p>The post <a href="http://hurricanelabs.com/blog/big-data-questions-before-you-implement-splunk/">Six &#8220;Big Data&#8221; Questions To Ask BEFORE You Implement Splunk</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p><img src="http://feeds.feedburner.com/~r/HurricaneLabsNewsletter/~4/B0n7KfXrq3o" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/big-data-questions-before-you-implement-splunk/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/big-data-questions-before-you-implement-splunk/</feedburner:origLink></item>
		<item>
		<title>Managing Puppet Certificates</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/VmNHb3gTTSw/</link>
		<comments>http://hurricanelabs.com/blog/managing-puppet-certificates/#comments</comments>
		<pubDate>Thu, 11 Apr 2013 20:13:08 +0000</pubDate>
		<dc:creator>Dru Streicher</dc:creator>
				<category><![CDATA[Open Source]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=9056</guid>
		<description><![CDATA[<p>Puppet uses SSL to communicate from the puppet master to the puppet agents. Using SSL ensures that all communication from the agent to the master is encrypted. This is especially important when you consider the facts are being transmitted via &#8230; <a href="http://hurricanelabs.com/blog/managing-puppet-certificates/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/managing-puppet-certificates/">Managing Puppet Certificates</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>Puppet uses SSL to communicate between the puppet master and the puppet agents. Each side presents a certificate issued by the master&#8217;s built-in CA, so the channel is both encrypted and mutually authenticated: the master only hands a catalog to an agent whose certificate it signed, and the agent only trusts the CA it was enrolled with. This is especially important when you consider the facts that Facter sends to the master. These facts include a lot of low-level system information, including IP addresses, the OS, and even SSH host keys. Encryption and authentication are a must because of this. Luckily, Puppet builds this in, and the <code>puppet cert</code> command makes managing it easy.</p>
<p><span id="more-9056"></span></p>
<h2>Connecting a New Agent</h2>
<p>Every agent issues a certificate signing request, or CSR, to the puppet master. The master signs the agent&#8217;s CSR and hands back the certificate, which the agent then presents on every subsequent SSL connection. We will be using agent1.localdomain in the following examples.</p>
<p>To enroll a new agent you need to run the following commands.<br />
On the agent</p><pre class="crayon-plain-tag">puppet agent --test</pre><p>This generates the agent&#8217;s private key and CSR and sends the CSR to the puppet master. The first time you run it the output will end in an error that looks like this:</p><pre class="crayon-plain-tag">info: Creating a new SSL key for agent1.localdomain
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for agent1.localdomain
info: Certificate Request fingerprint (md5): FD:E7:41:C9:2C:B7:5C:27:11:0C:8F:9C:1D:F6:F9:46
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
Exiting; no certificate found and waitforcert is disabled</pre><p>The error is generated because the agent&#8217;s certificate has not been signed yet. Note the CSR fingerprint in that output; you will want it in a moment. So let&#8217;s get to the good stuff and sign it.</p>
<p>On the puppet master, run this command:</p><pre class="crayon-plain-tag">puppet cert list</pre><p>This lists any CSRs that are waiting to be signed. It should look like this:<br />
agent1.localdomain (FD:E7:41:C9:2C:B7:5C:27:11:0C:8F:9C:1D:F6:F9:46)</p>
<p>Before signing, check that the fingerprint shown here matches the one the agent printed. The hostname in a CSR is whatever the requester put in it, so the fingerprint is the only thing tying the request sitting on the master to the machine you actually ran the agent on; if they differ, do not sign. When they match, sign the agent&#8217;s CSR with:</p><pre class="crayon-plain-tag">puppet cert sign agent1.localdomain</pre><p>The agent is now ready to connect to puppet; the next <code>puppet agent --test</code> will fetch the signed certificate and apply the catalog.</p>
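<p>As an added example (not part of the original post), here is the signing step scripted for the master with the fingerprint check built in. The listing it parses is a constructed sample in the format shown above, <code>PUPPET_CERT_SIGN</code> is an illustrative hook (not a Puppet setting) so the real sign command can be swapped out for a dry run, and the host names are assumptions.</p>

```sh
#!/bin/sh
# Added example, not part of the original post: sign an agent's CSR on the
# puppet master only after its fingerprint matches the one the agent printed.
# Assumes the `puppet cert list` line format shown above ("host (FP)"); the
# quoted-hostname form that newer releases print is tolerated as well.

# Constructed sample of `puppet cert list` output with two pending CSRs.
SAMPLE_LISTING='agent1.localdomain (FD:E7:41:C9:2C:B7:5C:27:11:0C:8F:9C:1D:F6:F9:46)
rogue.localdomain (11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00)'

# Illustrative hook: the command used to sign. Override it (e.g. with "echo")
# for a dry run; word-splitting on its value is intentional.
: "${PUPPET_CERT_SIGN:=puppet cert sign}"

# csr_fingerprint LISTING HOST
# Prints the fingerprint of HOST's pending CSR from LISTING, or nothing if absent.
csr_fingerprint() {
    printf '%s\n' "$1" | awk -v host="$2" '
        { h = $1; gsub(/"/, "", h)            # newer output quotes the name
          if (h == host) { fp = $NF; gsub(/[()]/, "", fp); print fp } }'
}

# verify_and_sign LISTING HOST EXPECTED_FP
# Returns 0 and signs when the pending CSR's fingerprint equals EXPECTED_FP
# (compared case-insensitively); returns 1 on mismatch, 2 when no CSR is pending.
verify_and_sign() {
    listing=$1; host=$2; expected=$3
    actual=$(csr_fingerprint "$listing" "$host")
    if [ -z "$actual" ]; then
        echo "no pending CSR for $host on this master" >&2
        return 2
    fi
    if [ "$(printf '%s' "$actual" | tr 'a-z' 'A-Z')" != "$(printf '%s' "$expected" | tr 'a-z' 'A-Z')" ]; then
        echo "REFUSING to sign $host: master sees $actual, agent reported $expected" >&2
        return 1
    fi
    $PUPPET_CERT_SIGN "$host"
}

# Typical use on the master, with the fingerprint copied from the agent's output:
#   verify_and_sign "$(puppet cert list)" agent1.localdomain FD:E7:41:C9:2C:B7:5C:27:11:0C:8F:9C:1D:F6:F9:46
```

<p>The point of the wrapper is that the decision is made on the fingerprint, not the hostname: a second CSR claiming to be agent1.localdomain would show a different fingerprint and be refused, where a plain <code>puppet cert sign</code> would happily sign whichever request is pending under that name.</p>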
<h2>Revoking a Puppet Certificate</h2>
<p>Down the road you may need to revoke the puppet certificate for an agent. It is a good idea to revoke the certificate when decommissioning or rebuilding the host, so that there are no unused certificates lying around on your master that could still be used to request a catalog. The two different options for revoking a puppet certificate are clean and revoke. In both cases the certificate&#8217;s serial number is added to the master&#8217;s Certificate Revocation List, and the puppet master has to be restarted to pick up the updated CRL. When you rebuild a host, also remove the old key and certificate from the agent&#8217;s SSL directory (<code>puppet agent --configprint ssldir</code> shows where it is) so the agent generates a fresh CSR instead of presenting the revoked certificate.</p>
<h3>Clean: To revoke and completely remove all puppet certificates for a host</h3>
<pre class="crayon-plain-tag">puppet cert clean agent1.localdomain</pre><p>Use this when the host is gone for good or will re-enroll from scratch; the host&#8217;s certificate, CSR and related files are removed from the master.</p>
<h3>Revoke: To revoke and move the certificate to a Certificate Revocation List</h3>
<pre class="crayon-plain-tag">puppet cert revoke agent1.localdomain</pre><p>This only updates the CRL; the certificate files stay on the master, which is handy if you want to keep a record of what was revoked.</p>
<h2>Other Useful Commands</h2>
<p>To list all of the puppet certificates, signed (marked with a <code>+</code>) as well as pending:</p><pre class="crayon-plain-tag">puppet cert list --all</pre><p>To list an individual agent&#8217;s puppet certificate:</p><pre class="crayon-plain-tag">puppet cert list agent1.localdomain</pre><p>To show the whole puppet certificate of an agent:</p><pre class="crayon-plain-tag">puppet cert print agent1.localdomain</pre><p>To show the fingerprint of a puppet certificate (the digest defaults to MD5; pass <code>--digest sha256</code> if you would rather compare something stronger):</p><pre class="crayon-plain-tag">puppet cert fingerprint agent1.localdomain</pre>
<p>The post <a href="http://hurricanelabs.com/blog/managing-puppet-certificates/">Managing Puppet Certificates</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p><img src="http://feeds.feedburner.com/~r/HurricaneLabsNewsletter/~4/VmNHb3gTTSw" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/managing-puppet-certificates/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/managing-puppet-certificates/</feedburner:origLink></item>
		<item>
		<title>Five Truths of Information Security</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/pkv9kDDFrzY/</link>
		<comments>http://hurricanelabs.com/blog/five-truths-of-information-security/#comments</comments>
		<pubDate>Fri, 22 Mar 2013 14:11:35 +0000</pubDate>
		<dc:creator>Tom Kopchak</dc:creator>
				<category><![CDATA[General Cyber Security]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=8980</guid>
		<description><![CDATA[<p>Information security professionals often find themselves filling a critical but unique role within an organization. An effective security approach must balance required business operations and system availability while still ensuring the confidentiality and integrity of these same systems. Systems that &#8230; <a href="http://hurricanelabs.com/blog/five-truths-of-information-security/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/five-truths-of-information-security/">Five Truths of Information Security</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>Information security professionals often find themselves filling a critical but unique role within an organization. An effective security approach must balance required business operations and system availability while still ensuring the confidentiality and integrity of these same systems. Systems that are absolutely secure are not usable. Likewise, systems that are completely usable are absolutely not secure.</p>
<p><span id="more-8980"></span></p>
<h2>When managing information security of any environment, bear in mind these five truths:</h2>
<h2>1. Incidents will happen</h2>
<p>An incident response plan should not be a matter of “if”, but instead a matter of “when”. As defenders, we are tasked with managing and protecting every vulnerable service and system, which is a gargantuan task compared to the attacker, who must only successfully exploit one single vulnerability. The discipline of risk management would not exist if it were possible to eliminate all risk &#8211; some level of risk must be considered acceptable. A well-defined incident response plan can triage a compromised system in minutes. It will take much longer than that to develop a plan in the face of an incident, with significantly more damage occurring during the response process.</p>
<h2>2. Systems will be compromised</h2>
<p>As important as it is to be proactive, information security is by nature reactive. Attackers will seek to locate and exploit weaknesses in your systems. Operating system patches exist for a reason. Privilege escalation attacks can bypass user permission levels. Virus writers design malware to evade detection, and constantly update their code before signatures can catch up.</p>
<h2>3. Applications need to both work and be secure</h2>
<p>Unless you work for a company like Hurricane Labs, information security is not the reason your business exists. As such, the organization will often be much more interested in furthering their business interests than funding the information security department. Architectural firms will hire architects, design firms will seek out designers. It is much easier for businesses to justify the cost of talent and assets that are aligned with their business goals than something more nebulous like the security of intangible assets.</p>
<p>Information Security is a series of trade-offs. We often cringe at hearing the term “legacy application” &#8211; we all have run into them, and we have all heard or seen firsthand the challenges of securing an application that was built in an era when security was much less of a concern. While the most security-conscious decision for securing such an application might involve an upgrade or total code rewrite, this is rarely practical. It will be up to you to manage the business operations while doing your best to keep these types of systems secure.</p>
<h2>4. People will break things</h2>
<p>Plan for what you consider least likely to happen. The builders of the Titanic claimed the ship to be unsinkable, and we all know how well that worked out. When faced with restrictions, never underestimate the creativity and determination of your users. This is an especially prevalent issue in today’s environment, where cloud based and mobile data access is all the rage.</p>
<p>And you cannot simply paint a target on the average user, either. All too often, even those of us who should know better can take shortcuts or neglect to follow security best practices. Changes, upgrades, improvements, and redesigns can become necessary, and it is impossible to plan for every possible situation that may occur (even though you should try). Learn the technologies, ask questions, strive to improve, and think on your feet. Which brings me to my next point&#8230;</p>
<h2>5. You will need to be an expert on something you&#8217;ve never seen before</h2>
<p>Sometimes, you just need to know how to fly a helicopter:<br />
<a href="https://www.youtube.com/watch?v=6AOpomu9V6Q">https://www.youtube.com/watch?v=6AOpomu9V6Q</a></p>
<p>Although networking equipment and software is not always as awesome (or capable of flying), we often find ourselves in the same situation as Trinity in the video clip &#8211; we must work around something with which we are unfamiliar. Don’t let differences in command syntax or installation procedures fool you &#8211; the underlying technologies are frequently the same. Leverage what you know, use the resources you have available (Google is great for this), and find a way to be a hero.</p>
<p>The post <a href="http://hurricanelabs.com/blog/five-truths-of-information-security/">Five Truths of Information Security</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p><img src="http://feeds.feedburner.com/~r/HurricaneLabsNewsletter/~4/pkv9kDDFrzY" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/five-truths-of-information-security/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/five-truths-of-information-security/</feedburner:origLink></item>
		<item>
		<title>Top Web Application Security Questions to Ask Third Party Developers</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/OEys1L0k_ZI/</link>
		<comments>http://hurricanelabs.com/blog/top-security-questions-to-ask-third-party-web-developers/#comments</comments>
		<pubDate>Tue, 19 Mar 2013 22:21:21 +0000</pubDate>
		<dc:creator>Bill Mathews</dc:creator>
				<category><![CDATA[General Cyber Security]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=8680</guid>
		<description><![CDATA[<p>When you are hiring a third party web developer you need to consider several things so I’ve attempted to prioritize the things you will want to ask in this list. These are in no particular order of importance. The answers &#8230; <a href="http://hurricanelabs.com/blog/top-security-questions-to-ask-third-party-web-developers/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/top-security-questions-to-ask-third-party-web-developers/">Top Web Application Security Questions to Ask Third Party Developers</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>When you are hiring a third party web developer there are several things you need to consider, so I’ve collected the questions you will want to ask in this list. They are in no particular order of importance. The answers I have provided are only examples, as acceptable answers will vary based on your web application and company needs.</p>
<p><span id="more-8680"></span></p>
<h2>What web development framework do you employ?</h2>
<div class="content-block one-third inline-b v-align-t"><img title="Development Framework" alt="Development Framework" src="http://hurricanelabs.com/wp-content/uploads/2013/03/framework.png" /></div>
<div class="content-block two-thirds inline-b v-align-t right">
<p>Whether it’s .NET, ColdFusion or some Java framework, the answer you want depends on a few factors. First, who is hosting it, you or them? If you’re hosting it, choose a web developer with a good track record on that framework and be sure you have technical people on staff who understand how to manage it. If they are hosting it, ask to do some security testing on the infrastructure where your web application will live.</p>
</div>
<h2 class="clear">What secure development lifecycle (SDL) do you use?</h2>
<div class="content-block one-third inline-b v-align-t"><img title="Secure Development Lifecycle" alt="Secure Development Lifecycle" src="http://hurricanelabs.com/wp-content/uploads/2013/03/sdl.png" /></div>
<div class="content-block two-thirds inline-b v-align-t left">
<p>The answer to this question is less important than the reaction you get. A lot of third party places employ no SDL because it can add to the cost of a project. If it costs extra then I would seek some other web developer, as chances are this developer doesn’t take web application security very seriously. If you must work with a specific developer then ask for the cost of fixing security vulnerabilities up front so there are no surprises later.</p>
</div>
<h2 class="clear">What is the process for reporting bugs (security and otherwise) to the web developer?</h2>
<div class="content-block one-third inline-b v-align-t"><img title="Reporting Bugs" alt="Reporting Bugs" src="http://hurricanelabs.com/wp-content/uploads/2013/03/reporting-bugs.png" /></div>
<div class="content-block two-thirds inline-b v-align-t right">
<p>This is an important one to understand. If there is no ongoing support contract in place for the web application then most places will charge for bug fixes. This is understandable and reasonable, but it is a good idea to just understand this up front.</p>
</div>
<h2 class="clear">What type of regression testing do you employ with bug fixes?</h2>
<div class="content-block one-third inline-b v-align-t"><img title="Regression Testing" alt="Regression Testing" src="http://hurricanelabs.com/wp-content/uploads/2013/03/regression-testing.png" /></div>
<div class="content-block two-thirds inline-b v-align-t left">
<p>A follow up to our process for reporting bugs question is regression testing – this is a biggie. This is the process of making sure their bug fixes didn’t break a bunch of other stuff. Sadly this doesn’t happen that often and a bug fix often introduces other problems, even additional security problems. Again this is a reaction question so make sure you gauge their response.</p>
</div>
<h2 class="clear">What type of security training do you provide to your developers?</h2>
<div class="content-block one-third inline-b v-align-t"><img title="Developer Security Training" alt="Developer Security Training" src="http://hurricanelabs.com/wp-content/uploads/2013/03/training.png" /></div>
<div class="content-block two-thirds inline-b v-align-t right">
<p>This is a little bit of a self-serving question, because my company offers web application security training to web developers, but that doesn’t make it any less important. Most developers get no web application security training beyond what they read on the Internet. So, if you find a third party web developer that knows security well, hire them on the spot; they will most likely take your web application security very seriously. Again, this sort of third party developer is something like a purple unicorn: I have never met one that actually exists, but I’m hopeful I will find one some day.</p>
</div>
<div class="clear"></div>
<h2 class="clear">What sort of logs will this application generate?</h2>
<div class="content-block one-third inline-b v-align-t"><img title="Log Generation" alt="Log Generation" src="http://hurricanelabs.com/wp-content/uploads/2013/03/logs.png" /></div>
<div class="content-block two-thirds inline-b v-align-t left">
<p>This is an important one, but often an overlooked part of hiring out a web developer. It does not just apply to security but to performance and troubleshooting too. If the web application generates no useful logs for troubleshooting, it will be harder to figure out how the application works when it is turned over to you. Also, if they are taking security seriously they will log requests, logins and failures copiously so the logs can be analyzed for attack patterns and possible data breaches. Ask at the same time what is kept out of the logs: passwords, session tokens and card numbers should never be written to them. This is a great question to ask up front because a lot of third party shops (and internal developers for that matter) do not take this into consideration. It is one of the most important things you can do to make sure your application has a successful lifecycle.</p>
</div>
<h2 class="clear">How will the application handle authentication?</h2>
<div class="content-block one-third inline-b v-align-t"><img title="Authentication" alt="Authentication" src="http://hurricanelabs.com/wp-content/uploads/2013/03/authentication.png" /></div>
<div class="content-block two-thirds inline-b v-align-t right">
<p>This answer will vary widely depending on whether it’s an internal or external application, and whether or not it will integrate with some third party authentication provider or internal directory. Look for flexibility here; a lot of frameworks will let you “plug in” two factor auth or some other sort of authentication provider. If the developer is resistant to using the framework’s authentication facilities in favor of something they wrote, be sure to ask a lot of questions about it. Why is it better than the framework’s built-in set? The question about bug fixes becomes much more important if they wrote their own authentication routines, because those won’t get updated with the framework’s regular patching.</p>
</div>
<h2 class="clear">How will the web application handle credit card payments?</h2>
<div class="content-block one-third inline-b v-align-t"><img title="Credit Card Payments" alt="Credit Card Payments" src="http://hurricanelabs.com/wp-content/uploads/2013/03/credit-cards.png" /></div>
<div class="content-block two-thirds inline-b v-align-t left">
<p>Obviously this one depends on whether or not your application requires credit card payments. If the developer does not know what PCI is, for instance, then RUN – do not walk to the nearest exit. Ideally you want the credit card payments to be handled by some sort of payment gateway or third party so you offload the risk of a breach to them. Obviously, you want to take this very seriously and pay close attention to the answers and body language.</p>
</div>
<h2 class="clear">Has an application you’ve written ever been “hacked” or breached?</h2>
<div class="content-block one-third inline-b v-align-t"><img title="Have you ever been breached?" alt="Have you ever been breached?" src="http://hurricanelabs.com/wp-content/uploads/2013/03/hacked.png" /></div>
<div class="content-block two-thirds inline-b v-align-t right">
<p>If the answer to this is anything but ‘yes’, they are either ignorant or lying to you. The response to this question is the most important. If they have been breached, how did they handle it? Ask for specifics, look for honesty.</p>
</div>
<h2 class="clear">Can I have a guarantee that this application will never be hacked?</h2>
<div class="content-block one-third inline-b v-align-t"><img title="Can you guarantee this app will never be hacked?" alt="Can you guarantee this app will never be hacked?" src="http://hurricanelabs.com/wp-content/uploads/2013/03/super-app.png" /></div>
<div class="content-block two-thirds inline-b v-align-t left">
<p>The answer to this should be ‘no’. It is a question designed to test the integrity of the web developer you’re asking. No one on Earth can make such a guarantee so if they answer yes then you know they are either lying to you or are just completely ignorant of the answer. Regardless of the reason, ‘yes’ is never an acceptable answer.</p>
</div>
<p>Those are the ten questions that have worked best for me over the years as I’ve consulted with various companies to help them hire third party web developers. Hopefully you have found them useful as well.</p>
<p>The post <a href="http://hurricanelabs.com/blog/top-security-questions-to-ask-third-party-web-developers/">Top Web Application Security Questions to Ask Third Party Developers</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p><img src="http://feeds.feedburner.com/~r/HurricaneLabsNewsletter/~4/OEys1L0k_ZI" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/top-security-questions-to-ask-third-party-web-developers/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/top-security-questions-to-ask-third-party-web-developers/</feedburner:origLink></item>
		<item>
		<title>Unix File Permissions</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/IA5-E509SnM/</link>
		<comments>http://hurricanelabs.com/blog/unix-file-permissions/#comments</comments>
		<pubDate>Fri, 08 Mar 2013 21:16:38 +0000</pubDate>
		<dc:creator>Toby Deemer</dc:creator>
				<category><![CDATA[Unix]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=8666</guid>
		<description><![CDATA[<p>Typically, one of the early things a new user on a Unix-like system will encounter is the need to understand the unix file permissions system. Table of Contents Basic Mechanics of the Unix File Permissions Unix File System – Bit &#8230; <a href="http://hurricanelabs.com/blog/unix-file-permissions/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/unix-file-permissions/">Unix File Permissions</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>Typically, one of the early things a new user on a Unix-like system will encounter is the need to understand the unix file permissions system.<span id="more-8666"></span></p>
<div class="toc right one-third">
<h3>Table of Contents</h3>
<ul>
<li><a href="#Basic_Mechanics">Basic Mechanics of the Unix File Permissions</a></li>
<li><a href="#Bit_Meanings">Unix File System – Bit Meanings</a></li>
<li><a href="#List_Command_Expanded">Expanding On the List Command</a></li>
<li><a href="#Directory_Permissions">Directory Permissions</a></li>
<li><a href="#chmod_restrictions">Applying More Restrictions With chmod</a></li>
<li class="last"><a href="#final_notes">Final Notes on Unix File Permissions</a></li>
</ul>
</div>
<div class="two-thirds left">
<p>This usually arises from some need; <pre class="crayon-plain-tag">this process won't start because it can't read xx file</pre>  or perhaps seeing <pre class="crayon-plain-tag">gpg: WARNING: unsafe enclosing directory ownership on configuration file '/home/user/.gnupg/gpg.conf'</pre> when trying to set up encrypted file and mail capabilities.</p>
<h2><a name="Basic_Mechanics"></a>Basic Mechanics of the Unix File Permissions</h2>
<p>So let&#8217;s cover the basic mechanics of *nix file permissions for Unix/Linux. If you have some files in a directory, you can do <pre class="crayon-plain-tag">ls -ltrh</pre> to see the files listed in detail. This command shows:</p><pre class="crayon-plain-tag">-l use a long listing format
-t sort by modification time, newest first
-r --reverse - reverse order while sorting
-h --human-readable - with -l, print sizes in human readable format (e.g., 1K, 234M, 5G)</pre><p>This will list your files in a detailed fashion, with the last-modified file at the bottom of the list. (Remove the &#8216;r&#8217; to disable this and have the oldest file at the bottom.)</p>
</div>
<div class="clear">So let&#8217;s start with a file in a directory:</div>
<p></p><pre class="crayon-plain-tag">~/files $&gt; ls -ltrh
total 40K
-rwxr-xr-x 1 user user 38K Jan 21 23:52 filename.txt
~/files $&gt;</pre><p>In this example we see that there is a file called &#8220;filename.txt&#8221; in this directory. The first section of the entry: -rwxr-xr-x is the description of the unix file permissions that are active. This entry consists of ten places, or bits, which tell the system what users and the system itself can or cannot do to this file. Let&#8217;s review what each of these bits means.</p>
<h2><a name="Bit_Meanings"></a>Unix File System – Bit Meanings</h2>
<p>The ten place bits in a unix file permission entry are laid out like so:<br />
<pre class="crayon-plain-tag">1</pre> = entry-type bit (what sort of thing the object is- i.e., a file, a directory, etc.)<br />
<pre class="crayon-plain-tag">2-10</pre> = permissions  (what the system and/or users can do to the file.)</p>
<p>The entry-type bit can be:<br />
<pre class="crayon-plain-tag">-</pre>  = Regular file. (the most common for general &#8216;user&#8217; operations)<br />
<pre class="crayon-plain-tag">b</pre> = Block special file (stored in /dev).<br />
<pre class="crayon-plain-tag">c</pre> = Character special file (stored in /dev).<br />
<pre class="crayon-plain-tag">d</pre> = Directory.<br />
<pre class="crayon-plain-tag">l</pre> = Symbolic link.<br />
<pre class="crayon-plain-tag">p</pre> = FIFO (named pipe)<br />
<pre class="crayon-plain-tag">s</pre> = Socket.<br />
<pre class="crayon-plain-tag">w</pre> = Whiteout.</p>
<p>Unix file permission entries are broken into three groups of three bits:<br />
<pre class="crayon-plain-tag">2-4</pre>  : owner&#8217;s permissions<br />
<pre class="crayon-plain-tag">5-7</pre>  : group&#8217;s permissions<br />
<pre class="crayon-plain-tag">8-10</pre> : other&#8217;s permissions</p>
<p>Unix file permissions entries can be:<br />
<pre class="crayon-plain-tag">r</pre> : The file is readable; if it&#8217;s a <pre class="crayon-plain-tag">-</pre> it is not readable.<br />
<pre class="crayon-plain-tag">w</pre> : the file is writable; if it&#8217;s a <pre class="crayon-plain-tag">-</pre>, it is not writable.<br />
<pre class="crayon-plain-tag">S</pre> : If in the owner permissions, the file is not executable and set-user-ID mode is set. If in the group permissions, the file is not executable and set-group-ID mode is set.<br />
<pre class="crayon-plain-tag">s</pre> : If in the owner permissions, the file is executable and set-user-ID mode is set. If in the group permissions, the file is executable and set group-ID mode is set.<br />
<pre class="crayon-plain-tag">x</pre> : The file is executable or the directory is searchable.<br />
<pre class="crayon-plain-tag">-</pre> : The file is neither readable, writable, executable, nor set-user-ID, nor set-group-ID mode, nor sticky.<br />
For the last bit of the other group (<pre class="crayon-plain-tag">10</pre>), it can also be one of these two values:<br />
<pre class="crayon-plain-tag">T</pre> : The sticky bit is set (<pre class="crayon-plain-tag">mode 1000</pre>), but does not include execute or search permissions.<br />
<pre class="crayon-plain-tag">t</pre> : The sticky bit is set (<pre class="crayon-plain-tag">mode 1000</pre>), and is searchable or executable.</p>
<p>Further explanation of the sticky bit: the sticky bit is often used on folders to prevent other users from deleting the folder's contents, even though they may need write permission on that folder. Once it is set on a folder, each file in it can then only be deleted by the file's owner or by root. So users would still be able to modify or work on those files, but not delete them or the parent folder. This is a useful tool to preserve your file structure on a multi-user system.</p>
<h2><a name="List_Command_Expanded"></a>Expanding On the List Command</h2>
<p>So, let&#8217;s look back at our example, but let&#8217;s also expand it a bit:</p><pre class="crayon-plain-tag">~/files $&gt; ls -ltrha
total 48K
drwxr-xr-x 67 user user 4.0K Jan 21 23:51 ..
drwxrwxr-x  2 user user 4.0K Jan 21 23:51 .
-rwxr-xr-x  1 user user  38K Jan 21 23:52 filename.txt
~/files $&gt;</pre><p>You&#8217;ll see the &#8216;a&#8217; switch added to the end of the command there. This tells the &#8216;list&#8217; command to show even hidden entries, which in this case are the *nix &#8220;this directory&#8221; and &#8220;parent directory&#8221; dot-entries. You&#8217;ll see on <pre class="crayon-plain-tag">filename.txt</pre> the permissions: <pre class="crayon-plain-tag">-rwxr-xr-x</pre>. This means that:</p>
<ul>
<li>The first bit is a dash. This is a regular file.</li>
<li>The owner permissions bits are: read, write, execute. The owner can basically do anything to this file.</li>
<li>The group permissions bits are: read and execute. Members of the same group can read this file, and execute it if it&#8217;s a program. They cannot write to it, so cannot change its contents.</li>
<li>The other permissions bits are: read and execute. Others (users in different groups, daemons, etc.) can read it and also execute it. They cannot write to it, so cannot change its contents.</li>
<li>Owner and group are both &#8220;user&#8221;.</li>
<li>The size is 38 kilobytes.</li>
</ul>
<h2><a name="Directory_Permissions"></a>Directory Permissions</h2>
<p>This expanded example also shows us an important feature of *nix permissions as related to directories. You see the two entries there, <pre class="crayon-plain-tag">.</pre> and <pre class="crayon-plain-tag">..</pre>. These refer to &#8220;this directory&#8221; and &#8220;parent directory&#8221;, respectively. What we want to note is that in their permissions entries, the first character is a <pre class="crayon-plain-tag">d</pre>. This denotes, of course, &#8216;directory&#8217;. Note however that when a directory has an <pre class="crayon-plain-tag">x</pre> anywhere in its permissions settings that translates to &#8220;can read the contents of this folder&#8221;.</p>
<p>For instance:</p><pre class="crayon-plain-tag">~ $&gt; chmod 300 files/
~ $&gt; ls files/
ls: cannot open directory files/: Permission denied
~ $&gt;</pre><p>What I did here was set the folder permissions to take away execute from all parties. Then, when the owner tried to list the contents of the directory he received a permissions error. However:</p><pre class="crayon-plain-tag">~ $&gt; cat files/filename.txt</pre><p>This command still works, since the permissions on a file within the directory are still <pre class="crayon-plain-tag">-rwxr-xr-x</pre>.</p>
<h2><a name="chmod_restrictions"></a>Applying More Restrictions With chmod</h2>
<p>Now, if we wanted to change the file permissions to be more restrictive, perhaps to disallow anyone but the owner from reading or executing the file, we would have to change those bits to different values. This is accomplished with the &#8216;chmod&#8217; tool. It &#8220;changes mode&#8221; on the file, telling the system how to treat the object. To tell the system whether we want read, write, execute, or some combination of the three, we need to know how &#8216;chmod&#8217; describes these modes in relation to User, Group, and Other.</p>
<p>There are seven chmod Mode Set characters:<br />
<pre class="crayon-plain-tag">1</pre> = execute<br />
<pre class="crayon-plain-tag">2</pre> = write<br />
<pre class="crayon-plain-tag">3</pre> = execute+write (2 + 1)<br />
<pre class="crayon-plain-tag">4</pre> = read<br />
<pre class="crayon-plain-tag">5</pre> = read+execute  (4 + 1)<br />
<pre class="crayon-plain-tag">6</pre> = read+write    (4 + 2)<br />
<pre class="crayon-plain-tag">7</pre> = read+write+execute (4 + 2 + 1)</p>
<p>This means that to set permissions with the chmod tool, you would do something like:</p><pre class="crayon-plain-tag">chmod 700 filename.txt</pre><p>This will set owner as read+write+execute, and set group and other both as &#8216;none&#8217;. Then, <pre class="crayon-plain-tag">ls -ltrh</pre> again will show the new file permissions:</p><pre class="crayon-plain-tag">~/files $&gt; chmod 700 filename.txt
~/files $&gt; ls -ltrh
total 40K
-rwx------ 1 user user 38K Jan 21 23:52 filename.txt
~/files $&gt;</pre><p>This example shows: The first bit as a dash <pre class="crayon-plain-tag">-</pre> this means that the entry is a regular file. The next three bits are <pre class="crayon-plain-tag">rwx</pre> this means that owner has read+write+execute. The next three bits are <pre class="crayon-plain-tag">---</pre> this means that the group has NO read, NO write, and NO execute. The last three bits are <pre class="crayon-plain-tag">---</pre> this means that all others have NO read, NO write, and NO execute.</p>
<p>To demonstrate how this works, try taking away the owner&#8217;s &#8220;read&#8221; permissions:</p><pre class="crayon-plain-tag">~/files $&gt; chmod 300 filename.txt
~/files $&gt; cat filename.txt
cat: filename.txt: Permission denied
~/files $&gt;</pre><p>What we just did was give the owner write+execute-only permissions. So the owner could still modify and execute the file, but could not read it. Thus, the <pre class="crayon-plain-tag">cat</pre> command failed. For the owner, since &#8216;write&#8217; permissions were still in place, he could then reapply his read permissions to gain access to the file contents. If a user inadvertently removed his read, write and execute permissions on a file, he&#8217;d either have to have root access or have an administrator reapply the proper file permissions.</p>
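<p>As an added example (not code from the original post), the following Python converts between the ten-place entries that ls -l prints and the numeric modes that chmod takes, covering the s/S and t/T cases from the bit-meanings section and the octal digits from the chmod section, and it reproduces the chmod 700 example on a scratch file that it creates itself. The scratch file name, its contents and the sticky directory mode are constructed for the demonstration.</p>

```python
import os
import shutil
import stat
import tempfile

# Entry-type characters from the article's table (the first of the ten places).
_TYPE_CHARS = {stat.S_IFREG: "-", stat.S_IFBLK: "b", stat.S_IFCHR: "c", stat.S_IFDIR: "d",
               stat.S_IFLNK: "l", stat.S_IFIFO: "p", stat.S_IFSOCK: "s"}

# (shift of the rwx triple, special bit that shares its x position, letter ls shows)
_TRIPLES = (
    (6, stat.S_ISUID, "s"),  # owner: set-user-ID shows as s/S
    (3, stat.S_ISGID, "s"),  # group: set-group-ID shows as s/S
    (0, stat.S_ISVTX, "t"),  # other: sticky shows as t/T
)


def octal_to_mode(mode, type_char="-"):
    """Render a numeric mode such as 0o4755 as the ten-place string ls prints.
    The x slot of each triple doubles as the special flag: lowercase (s, t) when
    execute is also set, uppercase (S, T) when it is not."""
    out = [type_char]
    for shift, special, letter in _TRIPLES:
        triple = (mode >> shift) & 0o7
        out.append("r" if triple & 0o4 else "-")
        out.append("w" if triple & 0o2 else "-")
        executable = bool(triple & 0o1)
        if mode & special:
            out.append(letter if executable else letter.upper())
        else:
            out.append("x" if executable else "-")
    return "".join(out)


def mode_to_octal(mode_str):
    """Parse a ten-place entry such as '-rwsr-xr-x' back into its numeric mode (0o4755).
    The entry-type character is validated but not encoded; chmod's mode does not carry it."""
    if len(mode_str) != 10 or mode_str[0] not in "-bcdlpsw":
        raise ValueError("not a ten-place permission entry: %r" % (mode_str,))
    mode = 0
    for idx, (shift, special, letter) in enumerate(_TRIPLES):
        r, w, x = mode_str[1 + 3 * idx:4 + 3 * idx]
        if r not in "r-" or w not in "w-" or x not in "x-" + letter + letter.upper():
            raise ValueError("bad characters %r in %r" % (r + w + x, mode_str))
        triple = (0o4 if r == "r" else 0) | (0o2 if w == "w" else 0)
        if x in ("x", letter):             # lowercase letter: execute is set as well
            triple |= 0o1
        if x in (letter, letter.upper()):  # either case: the special bit itself is set
            mode |= special
        mode |= triple << shift
    return mode


def describe_path(path):
    """Return the ten-place entry for a path from lstat(), as ls -l would print it."""
    st = os.lstat(path)
    type_char = _TYPE_CHARS.get(stat.S_IFMT(st.st_mode), "?")
    return octal_to_mode(stat.S_IMODE(st.st_mode), type_char)


def explain(mode_str):
    """Break an entry down the way the article walks through -rwxr-xr-x."""
    mode = mode_to_octal(mode_str)  # also validates the string
    is_dir = mode_str[0] == "d"
    names = {"r": "read", "w": "write", "x": "search" if is_dir else "execute"}
    lines = []
    for who, start in (("owner", 1), ("group", 4), ("other", 7)):
        triple = mode_str[start:start + 3]
        granted = [names[c] for c in triple if c in names]
        if triple[2] in "st":  # lowercase special letter: execute/search is granted too
            granted.append(names["x"])
        lines.append("%s: %s" % (who, ", ".join(granted) or "none"))
    for bit, label in ((stat.S_ISUID, "set-user-ID"), (stat.S_ISGID, "set-group-ID"),
                       (stat.S_ISVTX, "sticky")):
        if mode & bit:
            lines.append(label + " is set")
    lines.append("equivalent: chmod %o" % mode)
    return lines


def demo_chmod():
    """Reproduce the article's 'chmod 700 filename.txt' on a scratch file (constructed here,
    then deleted) and make its directory sticky; return both entries as ls would show them."""
    scratch = tempfile.mkdtemp()
    try:
        path = os.path.join(scratch, "filename.txt")
        with open(path, "w") as fh:
            fh.write("sample contents\n")
        os.chmod(path, 0o700)      # owner read+write+execute, group and other none
        os.chmod(scratch, 0o1777)  # anyone may create files, only owners may delete them
        return describe_path(scratch), describe_path(path)
    finally:
        shutil.rmtree(scratch)


if __name__ == "__main__":
    for entry in ("-rwxr-xr-x", "-rwx------", "drwxrwxrwt"):
        print(entry, *explain(entry), sep="\n  ")
    print(demo_chmod())
```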
<h2><a name="final_notes"></a>Final Notes on Unix File Permissions</h2>
<p>So with this basic understanding of Unix/Linux file permissions, you&#8217;ll be able to relatively easily manage what can be done to files on your system. This can aid in protecting configuration files, preventing sensitive information from being compromised, or simply be used as a safety check to keep yourself from deleting an important item.</p>
<p>Just remember: make sure you actually understand the chmod you&#8217;re about to do before you hit enter, or you may end up needing some root-level rescue.</p>
<p>The post <a href="http://hurricanelabs.com/blog/unix-file-permissions/">Unix File Permissions</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p><img src="http://feeds.feedburner.com/~r/HurricaneLabsNewsletter/~4/IA5-E509SnM" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/unix-file-permissions/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/unix-file-permissions/</feedburner:origLink></item>
		<item>
		<title>Five Ways to Hire an InfoSec Consultant</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/MaMWVVonXOc/</link>
		<comments>http://hurricanelabs.com/blog/five-ways-to-hire-an-infosec-consultant/#comments</comments>
		<pubDate>Tue, 18 Dec 2012 15:33:53 +0000</pubDate>
		<dc:creator>Bill Mathews</dc:creator>
				<category><![CDATA[General Cyber Security]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Security Awareness]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=7843</guid>
		<description><![CDATA[<p>This is not a nice post. This is not a post about posing great interview questions or how to tell if someone can actually do the job. No, this is a post about how to watch out for people you &#8230; <a href="http://hurricanelabs.com/blog/five-ways-to-hire-an-infosec-consultant/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/five-ways-to-hire-an-infosec-consultant/">Five Ways to Hire an InfoSec Consultant</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>This is not a nice post. This is not a post about posing great interview questions or how to tell if someone can actually do the job. No, this is a post about how to watch out for people you want to hire to help your company. You know the ones &#8211; the <em>con</em>-sultants, the slick ones, the rockstars, the ones you should fear. Some of these guys can be worse than the actual bad guys and here are five things to look for when you’re trying to spot them.</p>
<p><span id="more-8123"></span></p>
<div style="float: left; padding: 10px; margin-right: 10px;">
<p><img class="alignleft size-medium wp-image-7872" alt="Magic Bullet" src="http://hurricanelabs.com/wp-content/uploads/2012/12/magic_bullet.jpg" width="300" height="300" /></p>
</div>
<h2>1) Shortcuts?</h2>
<p>Are they promising you the world? One thing about information security that you should know upfront: there are absolutely no magic bullets. Anyone promising you one from a product or a particular process is lying to you. It requires a blend of products and a blend of methods, no shortcuts will help you &#8211; period.</p>
<div style="clear: both;"></div>
<div style="clear: both;"></div>
<div style="float: left; padding: 10px; margin-right: 10px;">
<p><img class="alignleft size-medium wp-image-7873" alt="Rockstar" src="https://www.hurricanelabs.com/wp-content/uploads//2012/12/rockstar.jpg" width="300" height="300" /></p>
</div>
<h2>2) Rock Out with Your NOC Out</h2>
<p>Are they rockstars? So-called rockstars happen in every industry, it is just human nature and cannot be helped. The problem I’ve seen with most rockstars (almost universally in infosec) is that they are not the least bit interested in your problems. They are interested in getting paid and increasing their already big, and in most cases, undeserved reputations. You really have to be careful with these folks &#8211; a lot of them are just naturally talented public speakers so they get it on at various conferences and accumulate massive Twitter followings, making them think that those alone qualify them to dispense advice on applications and networks. In most cases, and sadly I’m not overgeneralizing here, they’ve never had any operational roles so they don’t really know what works and what doesn’t. So if it isn’t in the buzzword dictionary sitting in their blazer pocket, it just isn’t valid in their world. You’ll know these people by their insistence that whatever you’re currently doing is wrong &#8211; you should be using the method they developed or the tool they wrote because that is the only way to solve your problem. They won’t really listen to you, usually just nodding along with whatever you say until you hit the keyword they need in order to tell you how cool they are. Of course there are some “good” rockstars, so if you’re set on hiring an allstar look for one who has had operational roles in the past and actually appears to listen. Chances are, though, that if they do that then they are very bad rockstars.</p>
<div style="float: left; padding: 10px; margin-right: 10px;">
<p><img class="alignleft size-medium wp-image-7870" alt="Website Never Updated" src="https://www.hurricanelabs.com/wp-content/uploads//2012/12/website.jpg" width="300" height="300" /></p>
</div>
<h2>3) Lazy Web</h2>
<p>Watch the website. Does it ever change? Chances are if they don’t have time to devote to their own website they’ll never get time to devote to protecting yours. Avoid the companies that never update their website or only list their products and services. Try to find one that offers practical advice and is active in the security community. When you’re looking for an outside company to help with your information security, try to find one that has something of their own to protect &#8211; a web service or their own network, many do not. This is a really self-serving one because, well, this is how our website is set up and we have a fairly sophisticated network of our own that we protect.</p>
<div style="float: left; padding: 10px; margin-right: 10px;">
<p><img class="alignleft size-medium wp-image-7869" alt="agreer" src="https://www.hurricanelabs.com/wp-content/uploads//2012/12/agreer.jpg" width="300" height="300" /></p>
</div>
<h2>4) Agree to Disagree</h2>
<p>Are they really just that agreeable? Good security people are contrarians, they just are. It is either the industry that attracts them or it creates them, either way few people in it are described as agreeable. If you’re in a pre-sales meeting and the sales person or consultant is constantly agreeing with everything you say, ask them what you need to hire them for if everything you’re doing is so right. I use this technique on a lot of our vendors because they are constantly nodding along and agreeing with everything we’re doing. They’re usually taken aback by that question but it really tells you who you’re dealing with. You need to know, upfront, what they are going to really be able to help you with. It is dangerous to have a security person agreeing with you all the time. Conversely, they shouldn’t be disagreeable for the sake of being disagreeable, you have to strike a balance. This is a tough one because, as I said, the industry is filled with both contrarians and slick-haired salespeople. You need the former but should forego the latter. Someone can be a skeptic or a contrarian without being completely disagreeable or being a miserable person to be around.</p>
<div style="float: left; padding: 10px; margin-right: 10px;">
<p><img class="alignleft size-medium wp-image-7871" alt="auditor-pentester" src="https://www.hurricanelabs.com/wp-content/uploads//2012/12/auditor-pentester.jpg" width="300" height="300" /></p>
</div>
<h2>5) Auditors in Disguise</h2>
<p>Beware the auditor in a security person’s clothing. There are literally thousands of information security consulting companies out there. There are probably as many ways to categorize them as there are letters in the alphabet but let’s take a look at just two. The technical group and the auditor group. Now let me say upfront that I’m not denigrating real auditors here, the people that really do the audit job, I’m denigrating the pretenders here. You will find this very prevalent with companies that do penetration testing or vulnerability assessments. For a proper penetration test you really need a good technical person that can communicate both the technical risks and the business issues associated with that risk or exploit. You’ll be hard pressed to find this in just one person, so you want to hire someone with a penetration testing team as opposed to just some solo testers acting as a team. You’ll have a rough time finding the right team and you’re bound to make a few mistakes, but you really do need the best of both worlds.</p>
<p>Now penetration testing service companies come in two flavors &#8211; again the very technical and the not-so-technical auditing tester. Penetration testing is difficult and is very technical, so you cannot rely on a person just checking boxes to call your network well tested. You need someone who is doing more than just running a scanner and calling it done, you need a person who can actually exploit the vulnerabilities found. This is a skill that requires some sophistication and usually doesn’t lend itself well to “normal” people. You never want an auditor performing a penetration test and, vice versa, you would never want a penetration tester performing an audit. Why these two things are fused together so much is beyond me. If you’re hiring for a penetration testing company then hire for that, if you just need some audit work then hire for that &#8211; but do not hire one set of people and think you’re done, they are entirely different skills.</p>
<p>Of course, there is no 100% guarantee when it comes to the hiring process &#8211; you almost never see their true colors until it’s just too late. Be sure to keep sharp and use a little common sense when following these guidelines. If there’s anything else you think you should look out for, leave it in the comments!</p>
<p>The post <a href="http://hurricanelabs.com/blog/five-ways-to-hire-an-infosec-consultant/">Five Ways to Hire an InfoSec Consultant</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p><img src="http://feeds.feedburner.com/~r/HurricaneLabsNewsletter/~4/MaMWVVonXOc" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/five-ways-to-hire-an-infosec-consultant/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/five-ways-to-hire-an-infosec-consultant/</feedburner:origLink></item>
		<item>
		<title>E-mailing Passwords – Practice What You Preach</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/Q6iETIJHv2U/</link>
		<comments>http://hurricanelabs.com/blog/e-mailing-passwords-practice-what-you-preach/#comments</comments>
		<pubDate>Mon, 19 Nov 2012 14:07:03 +0000</pubDate>
		<dc:creator>Bill Mathews</dc:creator>
				<category><![CDATA[General Cyber Security]]></category>
		<category><![CDATA[Rant]]></category>
		<category><![CDATA[Training]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=7760</guid>
		<description><![CDATA[<p>I have a few pet peeves (okay maybe a lot more than a few) but some of them really do have a basis in reality and aren’t just blind rage. This one falls into the “based in reality” category and &#8230; <a href="http://hurricanelabs.com/blog/e-mailing-passwords-practice-what-you-preach/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/e-mailing-passwords-practice-what-you-preach/">E-mailing Passwords &#8211; Practice What You Preach</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>I have a few pet peeves (okay maybe a lot more than a few) but some of them really do have a basis in reality and aren’t just blind rage. This one falls into the “based in reality” category and really enrages me. Every once in awhile I register for some security training because, well, I’m curious as to what else is out there and because I want to learn things I don’t already know&#8230;crazy right?</p>
<p><span id="more-8122"></span></p>
<p>So I decided to take some online training while I’m on vacation this week (yes I know, not much of a vacation but that’s me). I did some research and decided to register for a course provided by a well-known training vendor (I won’t mention which as I’ve sent this problem to them and they should have some time to respond) and I dutifully registered through their online store and paid for the training. Sounds great, right? Not so fast &#8211; they informed me that I would receive a “registration” email which, if one follows modern site design, you would assume there would be a link to verify my email address, etc. So what did I get? That’s right, an email with <strong>my username and password</strong> listed right there. That probably doesn’t anger normal people (let alone drive them to write an article about it) but gentle readers, I have never been accused of being normal so I’m pretty annoyed. Here, in no particular order, are my reasons for the anger and frustration:</p>
<p>1) My password was right there in <strong>clear text</strong>. I’m not really concerned about it passing through my network unencrypted so much because SSL, despite its flaws, is pretty good at preventing snooping. No, my problem is that clearly they are <strong>not encrypting my password</strong> at all. Now I suppose they could be encrypting in their database and then decrypting it for the email but&#8230; well let’s just say if they were that well thought-out I’m pretty sure they wouldn’t have sent the email with my password in it in the first place.</p>
<p>2) During the registration process I was asked to save my credit card number for convenience while making later purchases. Now there is nothing out of the ordinary about this and I’ve personally never opted to do it, but they’re asking for a lot of trust for a company that clearly doesn’t even encrypt my password. This is both arrogance and bad form &#8211; this is how severe breaches start.</p>
<p>3) <strong>This is a security training company!</strong> They’re supposed to be teaching people <em>not</em> to do stupid things like this, it makes my head hurt. Stop me if you’ve heard this before: “But Enterprise XYZ does it that way, why can’t we?” I hear this all the time and it is sound logic&#8230; until XYZ accidentally has a SQL injection. Boom &#8211; not only your password but now your credit card numbers are at risk. Security companies must start leading by example and not “do as I say not as I do.”</p>
<p>4) You have to wonder about the quality of the advice/training you’re getting from them if they build their registration/checkout software this way. When I take the course I plan to ask &#8211; not just to be a typical security jerk &#8211; but rather to point out the obvious problem with passing yourself off as an expert while violating the basic tenets of security. Violations like this should be pointed out and corrected by the offending party.</p>
<p>5) I’ve probably said enough, but according to every SEO article I read I have to have at least five points so here’s my last one. If this company isn’t bothering to encrypt the password, what are the odds that they’re encrypting your stored credit card number? You know, the one thing that makes it “convenient” for you to check out later. I just lose all trust in a company when they do things this way and I simply cannot believe they’re handling the credit card numbers properly.</p>
<p>So there you have it &#8211; maybe now you understand why things like this make me Hulk out with rage. Happy Thanksgiving everyone and enjoy your online shopping, I know I won’t <img src='http://hurricanelabs.com/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /> </p>
<p>The post <a href="http://hurricanelabs.com/blog/e-mailing-passwords-practice-what-you-preach/">E-mailing Passwords &#8211; Practice What You Preach</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p><img src="http://feeds.feedburner.com/~r/HurricaneLabsNewsletter/~4/Q6iETIJHv2U" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/e-mailing-passwords-practice-what-you-preach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/e-mailing-passwords-practice-what-you-preach/</feedburner:origLink></item>
		<item>
		<title>DjangoCMS – Sekizai and Compressor for SASS Explained</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/1_2A6H0BPEw/</link>
		<comments>http://hurricanelabs.com/blog/djangocms-sekizai-and-compressor/#comments</comments>
		<pubDate>Tue, 13 Nov 2012 10:55:52 +0000</pubDate>
		<dc:creator>Aaron Croyle</dc:creator>
				<category><![CDATA[Code]]></category>
		<category><![CDATA[Django]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Tutorial]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=7741</guid>
		<description><![CDATA[<p>This deviates from our normal security discussion, but I&#8217;m a developer and this problem has plagued us for a number of days. Turns out the solution is only a few days old, so there&#8217;s limited information available out there. Hope &#8230; <a href="http://hurricanelabs.com/blog/djangocms-sekizai-and-compressor/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/djangocms-sekizai-and-compressor/">DjangoCMS &#8211; Sekizai and Compressor for SASS Explained</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>This deviates from our normal security discussion, but I&#8217;m a developer and this problem has plagued us for a number of days. Turns out the solution is only a few days old, so there&#8217;s limited information available out there. Hope this helps!</p>
<p><em id="__mceDel"><span id="more-8121"></span></em></p>
<p>So you&#8217;d like to use DjangoCMS, which uses sekizai by default to manage its CSS and JS resources, but you&#8217;d also like to use that new SASS stuff everyone is talking about instead of plain CSS. Here are the steps you&#8217;ll need to go through to get it working. You&#8217;ll need to install the dev version of django_compressor for now, as compressor.contrib.sekizai isn&#8217;t in version 1.2 on PyPI.</p>
<pre class="crayon-plain-tag"># django CMS, the development django_compressor (the one that ships compressor.contrib.sekizai),
# and the sass compiler that the precompiler settings below call
pip install django-cms
pip install -e git+https://github.com/jezdez/django_compressor.git#egg=django_compressor
gem install sass</pre>
<p>Add this to your settings.py:</p>
<pre class="crayon-plain-tag"># compressor settings: run sass on stylesheets served with these MIME types
COMPRESS_PRECOMPILERS = (
    ('text/x-sass', 'sass -t compressed {infile} {outfile}'),
    ('text/x-scss', 'sass -t compressed --scss {infile} {outfile}'),
)</pre>
<p>And do something like this in your templates:</p>
<pre class="crayon-plain-tag">{% load sekizai_tags %}

{% addtoblock "css" %}
    &lt;!-- your &lt;link rel="stylesheet" type="text/x-scss" href="..."&gt; tags go here;
         the type attribute is what makes compressor run the sass precompiler --&gt;
{% endaddtoblock %}
{% render_block "css" postprocessor "compressor.contrib.sekizai.compress" %}

{% addtoblock "external-js" %}
    &lt;!-- externally loaded JS files --&gt;
{% endaddtoblock %}
{% addtoblock "js" %}
    &lt;!-- internally loaded JS files --&gt;
{% endaddtoblock %}

{% render_block "external-js" %}
{% render_block "js" postprocessor "compressor.contrib.sekizai.compress" %}</pre>
<p>Compress doesn't understand external files, so I used the "external-js" sekizai block to contain the things coming off the googleapis CDN.</p>
<p>The post <a href="http://hurricanelabs.com/blog/djangocms-sekizai-and-compressor/">DjangoCMS &#8211; Sekizai and Compressor for SASS Explained</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p><img src="http://feeds.feedburner.com/~r/HurricaneLabsNewsletter/~4/1_2A6H0BPEw" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/djangocms-sekizai-and-compressor/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/djangocms-sekizai-and-compressor/</feedburner:origLink></item>
		<item>
		<title>Medical QR Code Curiosities</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/HKIJ9nhqplU/</link>
		<comments>http://hurricanelabs.com/blog/medical-qr-code-curiosities/#comments</comments>
		<pubDate>Tue, 06 Nov 2012 13:52:22 +0000</pubDate>
		<dc:creator>Bill Mathews</dc:creator>
				<category><![CDATA[General Cyber Security]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=7712</guid>
		<description><![CDATA[<p>A few days ago, I had the “pleasure” of checking in to the Urgent Care center in my neighborhood hospital. When I was triaged I was issued a nifty little bracelet that had some information printed on it. Nothing major, &#8230; <a href="http://hurricanelabs.com/blog/medical-qr-code-curiosities/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/medical-qr-code-curiosities/">Medical QR Code Curiosities</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>A few days ago, I had the “pleasure” of checking in to the Urgent Care center in my neighborhood hospital. When I was triaged I was issued a nifty little bracelet that had some information printed on it. Nothing major, just my patient number, name, sex, birth date and some other random looking codes on there.</p>
<p><span id="more-8120"></span>The thing that piqued my interest though was the QR code printed on it. And since the staff were more than a little inefficient I had <em>plenty</em> of time to explore the bracelet.</p>
<p>I started by scanning the code with my trusty <em>Galaxy Nexus</em> and fully expected either encrypted gibberish back or a link to some internal, locked down website where all these electronic medical records are stored&#8230; nope, I just got back good old plain text. That shocked me, okay not really but I didn’t think it would be quite that simple. I was then interrupted by a nurse telling me it would be just a few more minutes, this after about an hour of sitting there. After the brief interruption I explored the data I got back a bit.</p>
<p><code>W;0387432;216784;MATHEWS, WILLIAM;12/31/1969;39Y / Male;11/04/2012;800032334;;;Doctor, Primary J, DO;</code></p>
<p>Obviously I changed a lot of the data I got back because, well, I don’t really want you guys having that data (which is why the entire ordeal concerned me). Now almost all of this information was found printed on my bracelet anyway, so it wasn’t that big of a deal; I’m really just laying this out here for my own curiosity. Does anyone know the purpose of QR codes on the bracelets? I would love to know what the various codes are for (only one was printed on the bracelet), and I’d like to know why there were empty fields. I was also curious because, while I also had a big red bracelet that said “<strong>ALLERGY ALERT</strong>”, none of my allergies were listed in this data set or on the printed bracelet. I’m not in the medical profession, so I’m genuinely concerned about what the actual use of the QR codes is and why other relevant, important information isn’t readily available in the QR dataset.</p>
<p>Just to sum up, I’m not saying this is a huge privacy or security issue. I’m just a really curious person that likes to know how my information is being used. I’m not an alarmist by any stretch, but since <em>my data</em> is involved, I would like to know what precautions are being taken to protect it. We get so preoccupied with sites like Facebook and Google handling our information, but we almost never hear people get up in arms about hospital procedures. That is of course until the hospital is involved in a data breach and all your data is exposed (of course that would <em>never</em> happen).</p>
<p>The post <a href="http://hurricanelabs.com/blog/medical-qr-code-curiosities/">Medical QR Code Curiosities</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p><img src="http://feeds.feedburner.com/~r/HurricaneLabsNewsletter/~4/HKIJ9nhqplU" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/medical-qr-code-curiosities/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/medical-qr-code-curiosities/</feedburner:origLink></item>
		<item>
		<title>Spot Phishing Attacks Before They Catch You</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/9d3QFZm4VLw/</link>
		<comments>http://hurricanelabs.com/blog/spot-phishing-attacks-before-they-catch-you/#comments</comments>
		<pubDate>Tue, 30 Oct 2012 15:56:26 +0000</pubDate>
		<dc:creator>Leigh Goldie</dc:creator>
				<category><![CDATA[General Cyber Security]]></category>
		<category><![CDATA[Hackers]]></category>
		<category><![CDATA[Security Awareness]]></category>
		<category><![CDATA[Social Engineering]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=7690</guid>
		<description><![CDATA[<p>If something fishy is going on with an email you received, you should definitely trust your intuition. Email phishing scams have become an easy way to lure recipients into sharing personal information or clicking on links that install harmful computer &#8230; <a href="http://hurricanelabs.com/blog/spot-phishing-attacks-before-they-catch-you/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/spot-phishing-attacks-before-they-catch-you/">Spot Phishing Attacks Before They Catch You</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>If something fishy is going on with an email you received, you should definitely trust your intuition. Email phishing scams have become an easy way to lure recipients into sharing personal information or clicking on links that install malware on your computer.</p>
<p><span id="more-8119"></span> The senders of these emails pretend to be reputable companies, requesting financial and personal information, or saying there is something wrong with your account. But their ultimate goal is to trick you into providing account information they will then use to buy things for themselves or to steal your identity.</p>
<p>In conjunction with National CyberSecurity Awareness Month, Visa has provided a <a href="http://www.visasecuritysense.com/en_US/phishing-attack.jsp" target="_blank">detailed example of a phishing scam email</a>. Scroll over the blue arrows and it will reveal various examples of how this email is a scam. Emails like this usually present a problem with one of your accounts and ask you to update your information within a specific time period.</p>
<p>While your heart may begin to beat faster, the first thing you should do with this email is to <strong>not</strong> click, reply or call the phone numbers it gives. Clicking on the email link can lead you to files that will spread malicious software onto your computer. Instead, think of the company they claim to represent. Find your actual account information by reviewing your monthly statement from that company. Call the company directly via the phone number you can find on its legitimate site (one you located yourself through a search, not through the email) or on your monthly statement, and ask them about your account. Also, tell them about the email you received and why you believe it is fraudulent.</p>
<p>Use <a href="http://www.onguardonline.gov/phishing" target="_blank">OnGuardOnline.gov</a> to learn more about how phishing emails work. They provide examples, suggestions on how to deal with phishing scams, and action steps you can take. Make sure you are always cautious when you open an email from someone you don’t know &#8211; do not provide them with your personal information and never click on their links. If a link seems questionable, reach the company’s website by searching for it instead. Investigate whether your email client or web browser offers anti-phishing features. Google Chrome, Firefox, Internet Explorer, and Safari already have them, but there are <a href="http://en.wikipedia.org/wiki/Anti-phishing_software" target="_blank">many other applications to help you</a>. Make sure you are taking advantage of them. You are the only one who can spot phishing emails, so stay educated &#8211; otherwise you might get caught in the net.</p>
<p>The post <a href="http://hurricanelabs.com/blog/spot-phishing-attacks-before-they-catch-you/">Spot Phishing Attacks Before They Catch You</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p><img src="http://feeds.feedburner.com/~r/HurricaneLabsNewsletter/~4/9d3QFZm4VLw" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/spot-phishing-attacks-before-they-catch-you/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/spot-phishing-attacks-before-they-catch-you/</feedburner:origLink></item>
		<item>
		<title>Cyber Security Tip Sheet</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/1ontBY9o29U/</link>
		<comments>http://hurricanelabs.com/blog/cyber-security-tip-sheet/#comments</comments>
		<pubDate>Tue, 16 Oct 2012 10:52:30 +0000</pubDate>
		<dc:creator>Leigh Goldie</dc:creator>
				<category><![CDATA[General Cyber Security]]></category>
		<category><![CDATA[Security Awareness]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=7606</guid>
		<description><![CDATA[<p>For National Cyber Security Awareness Month, www.staysafeonline.org has created a Cybersecurity Awareness Resource tip sheet to help everyone at home, school, and work stay safe. While they list it as a tip sheet, I would refer to it as a &#8230; <a href="http://hurricanelabs.com/blog/cyber-security-tip-sheet/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/cyber-security-tip-sheet/">Cyber Security Tip Sheet</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>For National Cyber Security Awareness Month, <strong><a href="http://www.staysafeonline.org" target="_blank">www.staysafeonline.org</a></strong> has created a Cybersecurity Awareness Resource tip sheet to help everyone at home, school, and work stay safe. While they list it as a tip sheet, I would refer to it as a checklist of things that you need to do to keep you and your family safe.</p>
<p><span id="more-8116"></span></p>
<p>My suggestion to everyone reading this is to <a href="http://www.hurricanelabs.com/wp-content/uploads/cybersecurity_tipsheet.pdf" target="_blank">print out the list below (PDF download)</a> and use it as a check list monthly (or at least quarterly) to assess the security you have in place on your computer. Protect your computer, your personal information, and yourself online by taking these necessary precautions. Read below and please share it with your friends.</p>
<h3>Keep a Clean Machine</h3>
<p>- <strong>Keep security software current:</strong> Having the latest security software, web browser, and operating system are the best defenses against viruses, malware, and other online threats.<br />
- <strong>Automate software updates:</strong> Many software programs will automatically connect and update to defend against known risks. Turn on automatic updates if that’s an available option.<br />
- <strong>Protect all devices that connect to the Internet:</strong> Along with computers, smart phones, gaming systems, and other web-enabled devices also need protection from viruses and malware.<br />
- <strong>Plug &amp; scan:</strong> “USBs” and other external devices can be infected by viruses and malware. Use your security software to scan them.</p>
<h3>Protect Your Personal Information</h3>
<p>- <strong>Secure your accounts:</strong> Ask for protection beyond passwords. Many account providers now offer additional ways for you to verify who you are before you conduct business on that site.<br />
- <strong>Make passwords long and strong:</strong> Combine capital and lowercase letters with numbers and symbols to create a more secure password.<br />
- <strong>Unique account, unique password:</strong> Separate passwords for every account help to thwart cybercriminals.<br />
- <strong>Write it down and keep it safe:</strong> Everyone can forget a password. Keep a list that’s stored in a safe, secure place away from your computer.<br />
- <strong>Own your online presence:</strong> When available, set the privacy and security settings on websites to your comfort level for information sharing. It’s ok to limit how and with whom you share information.</p>
<h3>Connect with Care</h3>
<p>- <strong>When in doubt, throw it out:</strong> Links in email, tweets, posts, and online advertising are often the way cybercriminals compromise your computer. If it looks suspicious, even if you know the source, it’s best to delete or if appropriate, mark as junk email.<br />
- <strong>Get savvy about Wi-Fi hotspots:</strong> Limit the type of business you conduct and adjust the security settings on your device to limit who can access your machine.<br />
- <strong>Protect your $$:</strong> When banking and shopping, check to be sure the site is security enabled. Look for web addresses with “https://” or “shttp://”, which means the site takes extra measures to help secure your information. “http://” is not secure.</p>
<h3>Be Web Wise</h3>
<p>- <strong>Stay current. Keep pace with new ways to stay safe online:</strong> Check trusted websites for the latest information, and share with friends, family, and colleagues and encourage them to be web wise.<br />
- <strong>Think before you act:</strong> Be wary of communications that implore you to act immediately, offer something that sounds too good to be true, or ask for personal information.<br />
- <strong>Back it up:</strong> Protect your valuable work, music, photos, and other digital information by making an electronic copy and storing it safely.</p>
<h3>Be a Good Online Citizen</h3>
<p>- <strong>Safer for me, more secure for all:</strong> What you do online has the potential to affect everyone – at home, at work and around the world. Practicing good online habits benefits the global digital community.<br />
- <strong>Post only about others as you would have them post about you.</strong><br />
- <strong>Help the authorities fight cybercrime:</strong> Report stolen finances or identities and other cybercrime to the <a href="http://www.ic3.gov" target="_blank">Internet Crime Complaint Center</a> and the <a href="http://www.onguardonline.gov/file-complaint" target="_blank">Federal Trade Commission</a>.</p>
<p>The post <a href="http://hurricanelabs.com/blog/cyber-security-tip-sheet/">Cyber Security Tip Sheet</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p><img src="http://feeds.feedburner.com/~r/HurricaneLabsNewsletter/~4/1ontBY9o29U" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/cyber-security-tip-sheet/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/cyber-security-tip-sheet/</feedburner:origLink></item>
		<item>
		<title>Stop-Think-Connect: Cyber Security Month 2012</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/fse0TGQuBHU/</link>
		<comments>http://hurricanelabs.com/blog/stop-think-connect-cyber-security-month-2012/#comments</comments>
		<pubDate>Mon, 08 Oct 2012 15:01:55 +0000</pubDate>
		<dc:creator>Leigh Goldie</dc:creator>
				<category><![CDATA[General Cyber Security]]></category>
		<category><![CDATA[End Users]]></category>
		<category><![CDATA[Security Awareness]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=7582</guid>
		<description><![CDATA[<p>October is National Cyber Security Awareness Month (NCSAM). The goal is to raise awareness, with everyone from the top down in your organization, of steps you must take to stay safe online. The National Cyber Security Alliance promotes this annually. &#8230; <a href="http://hurricanelabs.com/blog/stop-think-connect-cyber-security-month-2012/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/stop-think-connect-cyber-security-month-2012/">Stop-Think-Connect: Cyber Security Month 2012</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>October is <strong>National Cyber Security Awareness Month</strong> (NCSAM). The goal is to raise awareness, with everyone from the top down in your organization, of steps you must take to stay safe online. The National Cyber Security Alliance promotes this annually. Their goal is to remind everyone &#8211; no matter who you are, no matter where you live or work &#8211; that you need to know how to proactively protect yourself, your family and your business from online attacks.</p>
<p><span id="more-8115"></span></p>
<p><a href="http://staysafeonline.org/ncsam/" target="_blank">On their nonprofit website</a>, NCSAM provides up to date information to teach you all about cyber security. Their first message is really elementary: <em>Stop. Think. Connect.</em> <strong>Stop</strong> and think about what you are doing to keep your computer(s) safe. What is a virus and what is malware? When is someone trying to compromise your personal information? What information is safe and what should you be leery of? How much personal information is acceptable to reveal? What websites are secure and which ones are questionable? It’s evident there is a lot you need to know &#8211; you are the one who has to find ways to learn this and teach it to others.</p>
<p>Next, <strong>Think</strong> of where you’re headed. What websites are you visiting? What are you doing when you’re online? You need to make sure that what you are doing online is safe and appropriate for you, your family, and your business. Are you noticing any warning signs? What steps have you taken to make sure your computer, your browser and the sites on which you hold an account are safe? What types of security software are you using to make sure you remain secure? Also, when was that security software last updated?</p>
<p>Finally, <strong>Connect</strong>. Once you have taken the appropriate steps to ensure the safety of yourself, your family and your employees, go online and accomplish your goals. Remember though, you must be aware and keep up to date on what you need to look out for and when you feel you need to address something questionable. From now on, this is going to be a process of lifelong learning for you.</p>
<p>Throughout the month of October, I will be relaying the list of suggestions from Stay Safe Online. What can you do, and how can it best benefit your needs at home, at work, and in the online community at large? Everyone needs to develop strategies to proactively help themselves, their family, and their organization remain secure. Now is the time to learn.</p>
<p>The post <a href="http://hurricanelabs.com/blog/stop-think-connect-cyber-security-month-2012/">Stop-Think-Connect: Cyber Security Month 2012</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p><img src="http://feeds.feedburner.com/~r/HurricaneLabsNewsletter/~4/fse0TGQuBHU" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/stop-think-connect-cyber-security-month-2012/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/stop-think-connect-cyber-security-month-2012/</feedburner:origLink></item>
		<item>
		<title>Adobe is the New Microsoft: Maintaining Multi-Platform Security in 2012</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/P30W4yagnHo/</link>
		<comments>http://hurricanelabs.com/blog/adobe-is-the-new-microsoft-maintaining-multi-platform-security-in-2012/#comments</comments>
		<pubDate>Fri, 05 Oct 2012 10:32:56 +0000</pubDate>
		<dc:creator>Bill Mathews</dc:creator>
				<category><![CDATA[General Cyber Security]]></category>
		<category><![CDATA[Adobe]]></category>
		<category><![CDATA[Software]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=7296</guid>
		<description><![CDATA[<p>I distinctly remember writing an article for a local journal back in the 90’s. In it, I discussed Microsoft’s special responsibilities concerning software security. If I recall correctly, my point was that since they were the dominant player in the &#8230; <a href="http://hurricanelabs.com/blog/adobe-is-the-new-microsoft-maintaining-multi-platform-security-in-2012/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/adobe-is-the-new-microsoft-maintaining-multi-platform-security-in-2012/">Adobe is the New Microsoft: Maintaining Multi-Platform Security in 2012</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>I distinctly remember writing an article for a local journal back in the 90’s. In it, I discussed Microsoft’s special responsibilities concerning software security. If I recall correctly, my point was that since they were the dominant player in the operating system space, they had a duty to make their ecosystem resilient to attacks and compromise.</p>
<p><span id="more-8113"></span> Look, no company is ever going to be perfect at it, but some handle it a lot better than others. Fast-forwarding roughly 13 years after that article, Microsoft has gotten quite a bit better. Not necessarily for locking down their ecosystem, but for making it more resilient. Maybe even more importantly, for having an efficient response plan in place when bad things <em>do</em> happen. Are they perfect? Of course not! But they’re putting in the effort and it is showing some considerable gains.</p>
<p>Enter Adobe. I could fill a book with all the severe Adobe vulnerabilities that have valid exploits out there. And yet they simply don’t seem to take it all that seriously. More recently, their <a href="http://blogs.adobe.com/asset/2012/09/inappropriate-use-of-adobe-code-signing-certificate.html" target="_blank">code signing infrastructure was compromised</a>. If you’re unfamiliar, it’s basically the stuff that makes your computer trust Adobe’s software. They’ve found some pretty nasty utilities out there signed by their valid keys. Now never mind that they’re blaming a build server compromise for this (which strains credulity) &#8211; never mind that they claim they’ve now revoked all the keys involved &#8211; how does something like this happen and go undetected until active attacks start occurring?</p>
<p>The answer, sadly, is a simplistic one. They simply don’t take the security of their software, or apparently their infrastructure, seriously. Code signing is a <em>really</em> important thing these days. (Do I think it’s useful? Let’s save that for another post.) So why can even a compromised build server just sign some piece of code not actually found in your ecosystem without detection? Simple: <strong>You weren’t paying attention to it.</strong> All systems can be compromised; the trick is knowing when it happens (<em><a href="http://www.hurricanelabs.com/services/hurricane-defense/" target="_blank">monitoring</a></em>) and dealing with the aftermath (<em>response</em>). Knowing about it and responding to it after it’s out in the wild is probably too late.</p>
<p>You might ask why I’m comparing Microsoft of the 90’s to Adobe of today, a fair question. Adobe has the same special responsibility today that Microsoft had (and still has) and one that Apple needs to wake up to in the mobile space. When you are ubiquitous and on pretty much every device, as Adobe is, you have a duty to your customers and yourself to <strong>focus on security</strong> and <strong>pay attention</strong> to those little details. It is no coincidence that once Microsoft started really paying attention to security that their code started getting a bit better and a little more stable. One man’s random crashing is another man’s buffer overflow waiting to happen.</p>
<p>The post <a href="http://hurricanelabs.com/blog/adobe-is-the-new-microsoft-maintaining-multi-platform-security-in-2012/">Adobe is the New Microsoft: Maintaining Multi-Platform Security in 2012</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p><img src="http://feeds.feedburner.com/~r/HurricaneLabsNewsletter/~4/P30W4yagnHo" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/adobe-is-the-new-microsoft-maintaining-multi-platform-security-in-2012/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/adobe-is-the-new-microsoft-maintaining-multi-platform-security-in-2012/</feedburner:origLink></item>
		<item>
		<title>DerbyCon 2.0 – The Reunion</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/hlhk2wx3KCQ/</link>
		<comments>http://hurricanelabs.com/blog/derbycon-2-0-the-reunion/#comments</comments>
		<pubDate>Thu, 04 Oct 2012 16:57:17 +0000</pubDate>
		<dc:creator>Tristan Jones</dc:creator>
				<category><![CDATA[General Cyber Security]]></category>
		<category><![CDATA[Conferences]]></category>
		<category><![CDATA[Hackers]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=7555</guid>
		<description><![CDATA[<p>I recently got back from Louisville, Kentucky where I attended Derbycon 2.0. Background Derbycon is an information security conference based in Louisville, Kentucky. Founded by Martin Bos, Adrian Crenshaw, and Dave Kennedy in 2011. The topics that are covered during the conference can include &#8230; <a href="http://hurricanelabs.com/blog/derbycon-2-0-the-reunion/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/derbycon-2-0-the-reunion/">DerbyCon 2.0 &#8211; The Reunion</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>I recently got back from Louisville, Kentucky where I attended <a href="http://derbycon.com/" target="_blank">Derbycon 2.0</a>.</p>
<p><strong>Background</strong><br />
Derbycon is an information security conference based in Louisville, Kentucky. Founded by <a href="http://twitter.com/purehate_" target="_blank">Martin Bos</a>, <a href="http://twitter.com/irongeek_adc" target="_blank">Adrian Crenshaw</a>, and <a href="http://twitter.com/dave_rel1k" target="_blank">Dave Kennedy</a> in 2011. The topics that are covered during the conference can include (but are not limited to): <a href="http://www.hurricanelabs.com/services/penetration-testing/" target="_blank">hacking/pentesting</a>, cryptography, <a href="http://www.hurricanelabs.com/services/hurricane-defense/" target="_blank">network defense</a>, vulnerability research, and more.</p>
<p><em id="__mceDel"><span id="more-8112"></span></em></p>
<p><strong>Talks</strong><br />
What I really enjoyed this year was the willingness of everyone to share ideas and, in general, talk about their field of work. One talk that I took the absolute most from was Eric Smith&#8217;s talk &#8211; <em><a href="http://www.irongeek.com/i.php?page=videos/derbycon2/3-2-2-eric-smith-penetration-testing-from-a-hot-tub-time-machine" target="_blank">Penetration Testing from a Hot Tub time Machine</a></em>. Their presentation covered &#8220;older&#8221; methods of pentesting that have seemingly been forgotten but still work. It mainly focused on using less automated tooling and scanning &#8211; and relying more on a sense of curiosity and passive information gathering techniques &#8211; for engagements such as internal/external tests and even physical and social engineering engagements. There are a <em>lot</em> of things pen testers can do before launching a vulnerability scan to help the test become much more successful.</p>
<p><a href="http://www.twitter.com/carlos_perez" target="_blank">Carlos Perez</a> gave a talk that dove pretty deep into using DNS as a viable way to perform information gathering on a target network. He also developed a tool, <a href="https://github.com/darkoperator/dnsrecon" target="_blank">DNSRecon</a>, that helps this process along. DNSRecon is a tool written in Python that can enumerate domains, brute-force subdomains, check for zone transfers, perform cache snooping, and many other things. A good overview and tutorial can be found <a href="http://www.youtube.com/watch?v=uy9Z6C8vVRw" target="_blank">here</a>.</p>
<p>I wanted to explore as much of the conference as I could, but I found that I missed a good number of talks that I wanted to see due to the sheer number of talks going on at any given time. Along with the four &#8220;tracks&#8221;, new for this year were the &#8220;stable&#8221; talks. Stable talks were presentations that were shorter (about 30 minutes) in nature and held in smaller rooms. Fortunately for me, almost all of the presentations are recorded, so I can catch up on them <a href="http://www.irongeek.com/i.php?page=videos/derbycon2/mainlist" target="_blank">here at irongeek.com</a>.</p>
<p><strong>Capture the Flag</strong><br />
A CTF (capture the flag) was also hosted at DerbyCon. In a capture the flag contest, contestants hack a number of hosts on a network and find &#8220;flags&#8221;, which are submitted to a scoring server to earn points (or lose them). The contest ran during the entire conference &#8211; the LAN room shut down at night, while wireless access to the contest network was available 24/7. I very briefly competed, finding a few flags. I liked the layout of the contest, but I found something a bit odd &#8211; the coordinators would bring hosts up and down throughout the contest. Announcements were made via their Twitter account, <a href="http://twitter.com/derbyconctf" target="_blank">@Derbyconctf</a>.</p>
<p><strong>Lockpick Village</strong><br />
The lockpick village was run by <a href="http://www.bloomingtonfools.org/index.php?option=com_content&amp;task=view&amp;id=105" target="_blank">FOOLS (Fraternal Order Of Locksport)</a>. Many tables were set up with a large variety of locks for anyone to sit down and practice their lockpicking skill. For the newbies out there, they provided plenty of information and guidance to help learn the basics and get you started. They also had lockpick sets for sale.</p>
<p><strong>Vendors</strong><br />
The number of vendors literally <em>doubled</em> this year, ranging from managed services firms to booksellers. The one vendor I spent a bit of money at was <a href="http://hak5.org/" target="_blank">Hak5</a>. They had a booth set up with demos of their products (such as the <a href="http://hakshop.myshopify.com/products/wifi-pineapple" target="_blank">Wifi Pineapple</a> and <a href="http://hakshop.myshopify.com/products/usb-rubber-ducky" target="_blank">USB Rubber Ducky</a>). I ended up buying the Wifi Pineapple for myself to delve deeper into wireless pen testing. <a href="http://nostarch.com/" target="_blank">No Starch Press</a> was another table I spent money at, picking up the book <a href="http://nostarch.com/ghpython.htm" target="_blank">&#8220;Gray Hat Python&#8221;</a> for further studies.</p>
<p><strong>Birthday!</strong><br />
Derbycon organizers took it upon themselves to celebrate a birthday. Not a person&#8217;s birthday, but an exploit. <a href="http://technet.microsoft.com/en-us/security/bulletin/ms08-067" target="_blank">MS08-067</a> is a very well known exploit that affected a large number of Windows-based systems. When executed properly, it can fully compromise a computer.</p>
<div align="center"><img alt="" src="http://www.hurricanelabs.com/wp-content/uploads/images/derbycon_cake.jpg" /></div>
<p><strong>Final Thoughts</strong><br />
Being the second year I attended, I was very impressed with how it had grown from last year (from 1100 to over 1600 attendees this year). The staff for the conference were polite, friendly, and helpful. The events ran smoothly with little to no snags (at least visible to us attendees). In closing, I will say that it was very nice catching up with friends I had met last year, and making new ones this year.</p>
<p>The post <a href="http://hurricanelabs.com/blog/derbycon-2-0-the-reunion/">DerbyCon 2.0 &#8211; The Reunion</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/derbycon-2-0-the-reunion/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/derbycon-2-0-the-reunion/</feedburner:origLink></item>
		<item>
		<title>Ohio LinuxFest 2012 – Reflecting on Fun</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/wkpaG2kuinM/</link>
		<comments>http://hurricanelabs.com/blog/ohio-linuxfest-2012-reflecting-on-fun/#comments</comments>
		<pubDate>Thu, 04 Oct 2012 10:10:53 +0000</pubDate>
		<dc:creator>Dru Streicher</dc:creator>
				<category><![CDATA[General Cyber Security]]></category>
		<category><![CDATA[Conferences]]></category>
		<category><![CDATA[Linux]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=7292</guid>
		<description><![CDATA[<p>Another Ohio LinuxFest has come and gone, yet the level of ingenuity I witness every year never ceases to amaze me. There were two presentations that stood out as the highlights of my weekend. The first presenter, Daniel Thau, demonstrated &#8230; <a href="http://hurricanelabs.com/blog/ohio-linuxfest-2012-reflecting-on-fun/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/ohio-linuxfest-2012-reflecting-on-fun/">Ohio LinuxFest 2012 &#8211; Reflecting on Fun</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>Another <a href="http://www.ohiolinux.org" target="_blank">Ohio LinuxFest</a> has come and gone, yet the level of ingenuity I witness every year never ceases to amaze me. There were two presentations that stood out as the highlights of my weekend.</p>
<p><span id="more-8111"></span></p>
<p>The first presenter, Daniel Thau, demonstrated his new distribution called <strong>Bedrock Linux</strong>. I’ll admit it, the cynic in me was saying, “great, just what we need, another distro.” I thought of all the distributions flying around today and wondered what could be so special about <em>this</em> one. Boy was I wrong! Bedrock Linux is unique: it pulls several distributions together and runs them all simultaneously &#8211; all controlled by a single kernel. In the demo he presented, Thau showed that he was using X from Arch, Compiz from Debian, and a window manager from another distro on top of that! Bedrock Linux does all this by a combination of <em>bind mounts</em>, <em>chroot</em>, and <em>PATH</em>. It’s complicated, maybe a little bit overkill, but it definitely works. Daniel was running his presentation straight from Bedrock, so he was able to show off a few neat tricks while switching distros on the fly. What did I take away from Dan’s talk? Well, this is probably not (more like <em>definitely</em> not) the most practical way to approach things. It may be crazy, but isn’t that the point? When we keep the status quo we get the same results over and over again. But when we throw in a dash of crazy and try something new, we’re much more open to innovation. Will I be rushing out and installing Bedrock? Probably not; I enjoy my current setup (Ubuntu with GNOME Shell). However, I love the outrageousness of Bedrock Linux &#8211; I love the fierce spirit that kills the cynic in me and forces me to get behind something. We should all get out there and try something new every once in a while.</p>
<p>New/different distributions seemed to be a recurring theme this year. This next presentation was no exception &#8211; Ted Robinson’s <strong>The Road to 31 Flavors</strong>. I stepped in a bit late, but I still thought it was fantastic. Every day he would install and customize a new desktop and operating system&#8230;for an entire month &#8211; <em>that’s 31 completely different environments!</em> Todd’s discoveries on desktop configurations intrigued me; he analyzed just what worked and what didn’t. He took great care in experimenting with the location of menus, icons, and launchers. What I liked best was that he took a screenshot for every single day. Each day was unique in its own special way. You could see how passionate Robinson was as he described each day with such enthusiasm &#8211; it was impossible <em>not</em> to be totally engrossed in the project. And when a Star Trek desktop theme (complete with stardate clock) appeared on screen, I couldn’t help but cheer along with the crowd.</p>
<p>Every year I visit LinuxFest, I come back with something new. This year, I witnessed the birth of brand new ideas. As domestic use of Linux continues to grow, we’ll be seeing a lot more innovators step up to the plate. But there are a few things that we should keep in mind. Linux is about <strong>changing</strong> the world &#8211; it’s about <strong>not accepting</strong> the status quo. But above all else: it’s about having <strong>fun</strong>.</p>
<p>The post <a href="http://hurricanelabs.com/blog/ohio-linuxfest-2012-reflecting-on-fun/">Ohio LinuxFest 2012 &#8211; Reflecting on Fun</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/ohio-linuxfest-2012-reflecting-on-fun/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/ohio-linuxfest-2012-reflecting-on-fun/</feedburner:origLink></item>
		<item>
		<title>7 Steps to Effective User Education</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/IHZyQwQ8Q5c/</link>
		<comments>http://hurricanelabs.com/blog/7-steps-effective-user-education/#comments</comments>
		<pubDate>Wed, 03 Oct 2012 10:38:07 +0000</pubDate>
		<dc:creator>Bill Mathews</dc:creator>
				<category><![CDATA[General Cyber Security]]></category>
		<category><![CDATA[Education]]></category>
		<category><![CDATA[End Users]]></category>
		<category><![CDATA[Security Awareness]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=7278</guid>
		<description><![CDATA[<p>There has been a lot of debate recently over the merits of user education, specifically in the security awareness arena. The questions range from, “is it worth it?” to “why aren’t we doing more of it?” and everything in between. &#8230; <a href="http://hurricanelabs.com/blog/7-steps-effective-user-education/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/7-steps-effective-user-education/">7 Steps to Effective User Education</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>There has been a lot of debate recently over the merits of user education, specifically in the security awareness arena. The questions range from, “is it worth it?” to “why aren’t we doing more of it?” and everything in between. But the biggest question is: How do we make it better? The answer, as usual, is a little tricky, so I decided to post a few tips from my experiences as a trainer <em>and</em> as a student.</p>
<p><span id="more-8110"></span></p>
<p><strong>1: Organize Smaller Training Groups</strong><br />
I have found that having no more than 5 to 8 people in a session leads to better discussions and more effective training. I’m not sure of the psychology behind it, but smaller groups (at least in my experience) learn better and more content seems to stick. I know this can be tough, particularly in larger organizations, so the temptation is to pack as many people as possible into an auditorium and just regurgitate facts. This will not work &#8211; not now, not ever. People in larger groups have an easier time “hiding” and glazing over the material. Using the large-group method will make your user education worthless; don’t do it.</p>
<p><strong>2: Develop Labs</strong><br />
I know labs are usually reserved for more “technical” courses, but I assure you that if you make the course more interactive, people will learn more. I would build phishing labs and show real examples of phishing techniques. Set up scenarios for social engineering &#8211; show how folks typically respond and how they <em>should</em> respond. This is far more effective than just spewing out random facts of the day; it brings the threat to life &#8211; a <em>huge</em> benefit to non-technical users. We cannot expect every user to just “get it.” “It” isn’t their job; your accountant doesn’t try to make you an expert in taxes, does she? Why do we insist users should just understand everything we do?</p>
<p><strong>3: Establish an Internal Security Community</strong><br />
This can be a mailing list or an internal company social network, but it should be a non-judgemental place where ordinary users can go for security advice. Appoint moderators / action takers to make sure people are getting answers to their problems. This would be external to a help desk, and it is important for managers not to chime in and make users feel they can’t ask honest questions like, “Why do we restrict access to this website?” This type of transparency will help your users understand why something is the way it is and how it benefits them. With more user involvement, you might find far less resistance to security policies. Incorporating user input will net you a far more involved community and higher adoption rates.</p>
<p><strong>4: Create a Formalized Escalation Process</strong><br />
This would be outside of number 3 and would be a formal security reporting process. This would include reporting things from “I saw this guy dressed as a plumber today and he was here yesterday as an electrician” to “I got a suspicious email you might want to check out.” This is generally done through a help desk, but the important thing is to actually respond in a timely manner &#8211; involvement is a two way street.</p>
<p><strong>5: Use Cheat Sheets</strong><br />
Anyone who has ever taken one of my courses knows that I love cheat sheets. I use them for everything from a quick checklist to the important points people should remember from each course module. Cheat sheets are a great takeaway from a class that help reinforce the material and give the users a guide to go off of when they’re not in class.</p>
<p><strong>6: Reinforcement Tests</strong><br />
Create an internal certification for user awareness and make it practical. People love hanging certifications in their office or cubicle; it gives a sense of pride and accomplishment if done correctly. After the course, give them an exam, score it, and follow up with some focused testing of the attacks that were covered in the class. If they pass, they get a certification. If they don’t, well, they get to retake the course.</p>
<p><strong>7: Don’t Treat Them Like Idiots</strong><br />
This is a common problem across all of IT. Yes, we’ve all met some of “those” users, but they are not the population at large. Most people will adopt things that benefit them as long as it is transparent and they’re not talked down to. Imagine how you would feel if you sat in a room with someone you didn’t know and they berated you for clicking on that link or insisted that the way you used email was “wrong”. If you approach them from more of a “Hey, you may not have known this but&#8230;” rather than “I can’t believe you didn’t know that!” then you might get far better results.</p>
<p>Obviously these steps won’t fix <em>all</em> of user education, but they will help to organize the trainings into a more effective tool for users. I think that’s the bigger point: somewhere along the way we forgot that it is not about <em>us</em> &#8211; it&#8217;s about the users. We need to get back to that and get the users back on our side or we will lose the overall war.</p>
<p>The post <a href="http://hurricanelabs.com/blog/7-steps-effective-user-education/">7 Steps to Effective User Education</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/7-steps-effective-user-education/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/7-steps-effective-user-education/</feedburner:origLink></item>
		<item>
		<title>Creating a Self-Defending Network Using Open Source Software</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/1D_Fds5w_J8/</link>
		<comments>http://hurricanelabs.com/blog/creating-a-self-defending-network-using-open-source-software/#comments</comments>
		<pubDate>Tue, 02 Oct 2012 14:19:00 +0000</pubDate>
		<dc:creator>Steve McMaster</dc:creator>
				<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Firewall]]></category>
		<category><![CDATA[Open Source]]></category>
		<category><![CDATA[OSSEC]]></category>
		<category><![CDATA[Snort]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Suricata]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=7247</guid>
		<description><![CDATA[<p>This past weekend, I presented the idea of a self-defending network at Ohio LinuxFest 2012. The accompanying slides are now available here. So let’s talk about network security. You’ve got a firewall and a DMZ, you’re all set, right? Not &#8230; <a href="http://hurricanelabs.com/blog/creating-a-self-defending-network-using-open-source-software/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/creating-a-self-defending-network-using-open-source-software/">Creating a Self-Defending Network Using Open Source Software</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
<content:encoded><![CDATA[<p>This past weekend, I presented the idea of a self-defending network at <a href="http://ohiolinux.org/" target="_blank">Ohio LinuxFest 2012</a>. <a href="http://www.slideshare.net/hurricanelabs/creating-a-selfdefending-network-using-open-source-software" target="_blank">The accompanying slides are now available here.</a> So let’s talk about network security. You’ve got a firewall and a DMZ, you’re all set, right? Not so fast, slugger. We preach a theory called “defense in depth” here at Hurricane Labs.</p>
<p><span id="more-8109"></span> And that means you need something to defend you when your firewall admins make a mistake. And something to protect you when that layer fails. And so on. So what are these other layers? Well, one of them is having a good IDS/IPS. An IDS/IPS listens to network traffic, generally the traffic inside your firewall, and either alerts on (<a href="http://en.wikipedia.org/wiki/Intrusion_detection_system" target="_blank">IDS</a>) or drops/blocks altogether (<a href="http://en.wikipedia.org/wiki/Intrusion_prevention_system" target="_blank">IPS</a>) traffic that meets specific rules defining “bad traffic”. But what else can you do?</p>
<div align="center"><img alt="" src="http://www.hurricanelabs.com/wp-content/uploads/images/selfdefending1.png" /></div>
<p>A coworker and I put a couple of pieces of open source software (<a href="http://www.ossec.net/main/about" target="_blank">OSSEC</a> and <a href="http://www.snort.org/snort" target="_blank">Snort</a>) together to respond to certain types of automated attacks we were seeing in our IDS (we use Snort in this case). Prior to this, an engineer would manually respond to alerts by logging into our firewall and blocking the IP address causing the alert. This process was tedious, repetitive, and time consuming. By the time the firewall change was pushed, the scan (it was usually a scan) was generally over and the attacker had moved on. So we took advantage of a feature in OSSEC called “active response”, which is used to react to events on the network. OSSEC was configured to watch for Snort alerts, and would run a script on our Internet routers (running <a href="http://www.vyatta.org/getting-started/why-use" target="_blank">Vyatta core 6.3</a>) to block the IP for 10 minutes. This response runs almost immediately. We hand selected alerts that we had associated with simple scans, such as FTP brute-force attacks, and set them up to block the addresses. But this wasn’t enough for us.</p>
<p>We started to ponder what sorts of scans were happening that our firewall was dropping. SIP or SSH scans, for example, never pass through the firewall; at best they were sucking up bandwidth, and at worst they could cause problems if our firewall rules ever let something slip. Granted, those sorts of slips are uncommon, but mistakes are always possible and it&#8217;s best to plan for every type of failure.</p>
<div align="center"><img alt="" src="http://www.hurricanelabs.com/wp-content/uploads/images/selfdefending2.png" /></div>
<p>Coincidentally, we also wanted to test a new IDS on the market called <a href="http://www.openinfosecfoundation.org/" target="_blank">Suricata</a>. Suricata was designed from the ground up to be an “open source next generation intrusion detection and prevention engine”, and we wanted to run it through its paces (which is a different article entirely). So, we configured a server running Suricata, but this one was set up to watch a SPAN session mirroring traffic <em>outside</em> the firewall. What we found in preliminary testing was that we saw a few types of scans on a regular basis &#8211; Nmap ping scans, SSH brute-force scans, and SIP scans. So, similarly to what we did with FTP brute forcing (which for multiple reasons is better detected on the sensor <em>inside</em> the network), we configured OSSEC to watch logs from Suricata (which was relatively simple, as it logs in a format compatible with Snort alerts anyway). Poof! <em>A network that defends itself.</em></p>
<p>What we’ve done is similar in premise to the <a href="http://www.team-cymru.org/Services/darknets.html" target="_blank">Team Cymru Darknet Project</a>. According to their website, a darknet is “a portion of routed, allocated IP space in which no active services or servers reside.” It is then assumed that any packets entering the network are unsolicited and more than likely undesirable. This can be used to reliably build a list of known malicious hosts. Unlike a true darknet, we’re using IP space that hosts active services; however, we’ve tuned our monitoring to look specifically for traffic we know, by design, not to expect. This allows us to gain many of the benefits of a darknet without the resource investment required.</p>
<p>The advantage of this method is that we can run the “active response” on multiple targets. So, for example, we run two Internet-facing routers on our colocated data center network, and another on the edge of our office network. By detecting scans on both networks, the other network is automatically protected as well. This could be propagated to several other mechanisms as well. It could be used to build a dynamic BGP feed, or DNS blacklist, of hosts that are known to be scanning the Internet maliciously.</p>
<p><a href="http://www.hurricanelabs.com/wp-content/uploads/ossec_rules.txt" target="_blank">I’ve attached a few snippets to this article to help get you started on the path to building a self-defending network. These include configuration examples and rule signatures for OSSEC, Snort and Suricata.</a></p>
<p>The post <a href="http://hurricanelabs.com/blog/creating-a-self-defending-network-using-open-source-software/">Creating a Self-Defending Network Using Open Source Software</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/creating-a-self-defending-network-using-open-source-software/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/creating-a-self-defending-network-using-open-source-software/</feedburner:origLink></item>
		<item>
		<title>The Failure of Antivirus</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/wPdYMNxK2B8/</link>
		<comments>http://hurricanelabs.com/blog/the-failure-of-antivirus/#comments</comments>
		<pubDate>Thu, 27 Sep 2012 13:31:46 +0000</pubDate>
		<dc:creator>Tom Kopchak</dc:creator>
				<category><![CDATA[General Cyber Security]]></category>
		<category><![CDATA[Antivirus]]></category>
		<category><![CDATA[Software]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=7227</guid>
		<description><![CDATA[<p>A few months back, I read an article written by Bruce Schneier calling out antivirus companies for their failure to detect military grade malware. Since my boss, Bill Mathews, is a strong supporter of antivirus software and companies (you can &#8230; <a href="http://hurricanelabs.com/blog/the-failure-of-antivirus/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/the-failure-of-antivirus/">The Failure of Antivirus</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>A few months back, I read an <a href="http://www.schneier.com/blog/archives/2012/06/the_failure_of_3.html" target="_blank">article written by Bruce Schneier</a> calling out antivirus companies for their failure to detect military grade malware.</p>
<p><span id="more-8108"></span> Since my boss, Bill Mathews, is a strong supporter of antivirus software and companies (you can read his previous articles <a href="http://www.hurricanelabs.com/mobile-security-apps-eset/" target="_blank">here</a>, <a href="http://www.hurricanelabs.com/mobile-security-apps-norton/" target="_blank">here</a>, and <a href="http://www.hurricanelabs.com/symantec-what-went-wrong/" target="_blank">here</a> if you need a refresher or aren&#8217;t picking up on my sarcasm), this article most certainly struck a nerve for me. I know we have quite a few articles bashing anti-virus software providers, but influencing the direction of this blog might be above my pay grade at this point. If anything, I’m just fanning the proverbial “Flame” a bit.</p>
<p>Schneier makes a very valid point that anti-virus companies are abject failures at their jobs. A given is that the nature of virus detection (especially in the signature-based arena) is purely reactive. However, malware is everywhere, and it can be very easy to evade a “dumb” anti-virus program that relies primarily on signatures.</p>
<p>Current anti-virus packages have (or should have) progressed well beyond the simple signature detection methods of their precursors, but even more advanced heuristic techniques can be evaded fairly easily. However, anti-virus software companies are businesses – and they want to make money. Just as users that complain most about their computer issues tend to get the most attention from IT support staff, malware that is the most noisy or noticeable will generally get the most attention from anti-virus software developers. This leaves a significant number of potentially severe malicious programs ignored. In the case of Stuxnet and Flame, the damage occurs well before the problem is discovered, let alone investigated. Only when these threats become popular topics is greater attention given to them.</p>
<p>Host based antivirus has inherent flaws – it is a software program, which is running on the same computer, operating system, and memory address space as the malicious software. Software inherently has bugs, and exploiting them to cause harm is often all too easy. Furthermore, these host-based programs can be significant resource hogs (I’ve always felt that the true reason dual and quad-core CPUs were invented was to run McAfee/Symantec/insert your least favorite vendor here). What is a security administrator to do?</p>
<div align="center"><img alt="" src="http://www.hurricanelabs.com/wp-content/uploads/images/antivirus_superhero.jpeg" /></div>
<p>At least as of this posting, a network based antivirus/intrusion detection system remains one of the best ways to detect these more advanced malware threats, provided that the system is properly configured and updated, and threats and alerts are actively monitored, investigated, and responded to. This is not a simple task. With threats such as Flame relying more and more on encrypted connections for the information disclosure and command and control communications, this is even more challenging (for those of you who like reading packets, <a href="http://labs.snort.org/files/flame.pcap" target="_blank">take a look here</a> for a capture of Flame in action – you don’t see a lot in the packet payloads, unless you’re really good at decrypting SSL on the fly).</p>
<p>Consider, for example, the Snort alerts released for Flame (Snort SIDs 23019 to 23038). These were set to trigger on a specific user agent string and some suspicious DNS queries. With that in mind, you might only see a single packet on the network to indicate that a host is compromised. How many of you would simply ignore a single instance of an alert as a potential false positive, without even giving the alert a second look? The answer is too many. With ever increasing demands splitting your attention and focus, this oversight is even forgivable.</p>
<p>When one becomes accustomed to ignoring single alerts, there is quite an opportunity for the attacker to take control of systems, even in a well managed and monitored environment.</p>
<p>This is where effective monitoring from a company such as Hurricane Labs comes in. We monitor many intrusion protection systems for our customers. We never use a cookie-cutter approach for these sorts of systems, where the admins are constantly inundated with alerts to the point where they become meaningless and annoying. Every IPS system is tuned to the exact environment it is intended to protect. We take the alerting process seriously – investigating the traffic that triggers the alert, researching the exploit or vulnerabilities in question, and providing you with recommendations tailored to handle each evolving situation.</p>
<p>I’m proud to be a member of the team who works so diligently to analyze, research, and respond to alerts as they come in across the networks we monitor. No security solution is perfect, but it is important to know that we are making a difference in improving the overall security of the many customers we strive to protect.</p>
<p>The post <a href="http://hurricanelabs.com/blog/the-failure-of-antivirus/">The Failure of Antivirus</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/the-failure-of-antivirus/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/the-failure-of-antivirus/</feedburner:origLink></item>
		<item>
		<title>LogSup – Secure Upload for Your Logs</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/87Og8lfCY-o/</link>
		<comments>http://hurricanelabs.com/blog/logsup-secure-upload-for-your-logs/#comments</comments>
		<pubDate>Wed, 05 Sep 2012 11:37:14 +0000</pubDate>
		<dc:creator>Bill Mathews</dc:creator>
				<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Amazon]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Software]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=6983</guid>
		<description><![CDATA[<p>A long time ago, we had a need to backup a large amount of our log files onto Amazon’s S3 storage service and, more importantly, to encrypt them. Of course, one month later Amazon announced their encryption services for S3. &#8230; <a href="http://hurricanelabs.com/blog/logsup-secure-upload-for-your-logs/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/logsup-secure-upload-for-your-logs/">LogSup &#8211; Secure Upload for Your Logs</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>A long time ago, we had a need to back up a large amount of our log files onto Amazon’s S3 storage service and, more importantly, to encrypt them. Of course, one month later <a href="http://aws.amazon.com/s3/#protecting" target="_blank">Amazon announced their encryption services for S3</a>. Prior to that, we didn&#8217;t have an easy, efficient, or automated way to do so.</p>
<p>So I decided to put together a little utility called <strong>LogSup</strong>. Basically, LogSup is a very hacked-up Python script that takes a filename as an argument and then compresses, encrypts, and uploads that file to S3, taking hashes of the file along the way to try to maintain integrity.</p>
<p>It might still prove useful to some folks who, for whatever reason, don&#8217;t trust Amazon’s encryption &#8211; or anyone who wants to have a very quick command line way to upload log files (LogSup works quite well with <em>logrotate</em> as a postrotate command). Obviously, since we are open sourcing this and providing it free, there is <em>no warranty of any kind either expressed or implied and no support offered</em>. You can hit me up on <a href="http://twitter.com/billford" target="_blank">Twitter (@billford)</a> and I can try to help you out&#8230;but again no guarantees. Hopefully you find it useful, enjoy.</p>
<p><strong><a href="http://code.google.com/p/logsup" target="_blank">LogSup is available at http://code.google.com/p/logsup</a></strong></p>
]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/logsup-secure-upload-for-your-logs/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/logsup-secure-upload-for-your-logs/</feedburner:origLink></item>
		<item>
		<title>More Social Media “Suspicions”</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/ViEDqjtull0/</link>
		<comments>http://hurricanelabs.com/blog/more-social-media-suspicions/#comments</comments>
		<pubDate>Thu, 16 Aug 2012 17:17:57 +0000</pubDate>
		<dc:creator>Steve McMaster</dc:creator>
				<category><![CDATA[Social Media Security]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=6928</guid>
		<description><![CDATA[<p>Last week, Hurricane Labs published a response to a Forbes article debating the “suspiciousness” of Internet users without a Facebook account. I would like to go on the record and state that I do not agree with Leigh’s response. My &#8230; <a href="http://hurricanelabs.com/blog/more-social-media-suspicions/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/more-social-media-suspicions/">More Social Media &#8220;Suspicions&#8221;</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>Last week, <a href="http://www.hurricanelabs.com/not-so-suspicious-individuals/" target="_blank">Hurricane Labs published a response to a Forbes article</a> debating the “suspiciousness” of Internet users without a Facebook account. I would like to go on the record and state that I do <strong>not</strong> agree with Leigh’s response.</p>
<p>My first disagreement was with the tone of the blog post. It seemed to imply that <em>Forbes.com</em> was making the comments about not having a Facebook making you suspicious. That is simply not true; Forbes was reporting on a trend among Internet users and people at large.</p>
<p>Second, I disagree with the interpretation of the article. I don&#8217;t think the article was in any way assaulting our right to not conform. The entire blog post is in defense of making a choice not to have a Facebook, and defending whoever makes that choice as not being a serial killer. The Forbes article specifically says that it’s <strong>absurd</strong> to say that not having a Facebook means you might be a mass murderer. But the article was trying to point out a trend where it is less and less common to not have a Facebook, and more and more people have specific reasons for not having a Facebook &#8211; not just &#8220;I haven&#8217;t gotten around to it&#8221; or &#8220;I haven&#8217;t had a reason to&#8221;. Sometimes the reason is &#8220;I can communicate with people other ways&#8221; or &#8220;I don&#8217;t want my personal information out there&#8221;. If it’s the latter, then I have to ask myself &#8211; what would you be putting on Facebook that you don&#8217;t want out there? My address, phone number, SSN, etc. aren&#8217;t on my Facebook.</p>
<div align="center"><img alt="" src="http://www.hurricanelabs.com/wp-content/uploads/images/evil_zucker.jpeg" /></div>
<p>I don&#8217;t use Facebook to make plans with people. I use Facebook to communicate with people I don&#8217;t have regular interactions with. I post comments or thoughts or opinions, and people who I haven&#8217;t talked to face-to-face since high school can respond with their own opinions &#8211; it opens up HUGE dialogs I never would&#8217;ve had! I can share pictures from my daughter’s birthday with my aunts in Cleveland and my aunt in Georgia in one shot, without emailing them to a dozen people or mailing printed copies. When I want to make plans I text or call people. It&#8217;s not that I <em>need</em> Facebook to communicate, it just opens a communication avenue to people I wouldn&#8217;t have otherwise communicated with.</p>
<p>I suppose the issue is mostly generational. I seriously look at my grandmother, the way she rolls her eyes when people talk about the Internet &#8211; how she doesn&#8217;t need the Internet because she&#8217;s got her magazines and her telephone &#8211; and see the same thing as people who say &#8220;well I don&#8217;t need Facebook, I have texting and can share photos and&#8230;&#8221; I honestly think that it’s a fear of change, it&#8217;s something we just have to learn to cope with during any major shift in society. If you told me you didn&#8217;t have a Facebook, I wouldn&#8217;t be suspicious at all. If one of my brother&#8217;s friends told me they didn&#8217;t have a Facebook (or any other social media presence), I would be suspicious.</p>
<p>Perhaps <em>suspicious</em> is simply the wrong word. If someone doesn&#8217;t have a Facebook, I want to know why. If someone doesn&#8217;t have a car, I want to know why. If someone doesn&#8217;t have health insurance, I want to know why. There are some decisions where I feel there is a &#8220;right&#8221; choice to make (like health insurance), and if someone makes the opposite choice, I&#8217;m going to judge them on that until I know why they made it. There are other decisions (like Facebook or a car) where I don&#8217;t think there&#8217;s a &#8220;right&#8221; choice to make, but I think there&#8217;s a &#8220;normal&#8221; choice to make, and I always feel suspicious when someone makes a choice that is abnormal &#8211; at least from a societal point of view.</p>
<p>Mostly, the overall tone of the blog post comes off as extremely defensive in response to a blog post that <em>wasn&#8217;t on the offensive</em> against you or anyone else. I think the article was simply trying to warn that it’s becoming more common for people to think it’s weird when someone doesn&#8217;t have a Facebook. The opinion&#8217;s already there; it’s not coming from the article. The thing is, Facebook <strong>IS</strong> becoming more and more commonplace, almost to the point where it&#8217;s as weird to not have a Facebook as it is to not have an email address. And believe me &#8211; if someone doesn&#8217;t have an email address, I get “suspicious” of them.</p>
]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/more-social-media-suspicions/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/more-social-media-suspicions/</feedburner:origLink></item>
		<item>
		<title>Not-So-Suspicious Individuals</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/HvNc0RgEQgU/</link>
		<comments>http://hurricanelabs.com/blog/not-so-suspicious-individuals/#comments</comments>
		<pubDate>Wed, 08 Aug 2012 17:12:51 +0000</pubDate>
		<dc:creator>Leigh Goldie</dc:creator>
				<category><![CDATA[Social Media Security]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=6797</guid>
		<description><![CDATA[<p>Today a coworker forwarded an article from Forbes.com stating that people without Facebook accounts are suspicious. According to the article, because they don’t have a wall defining them these nonusers are automatically questionable. Well, here we go again class. Today, &#8230; <a href="http://hurricanelabs.com/blog/not-so-suspicious-individuals/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/not-so-suspicious-individuals/">Not-So-Suspicious Individuals</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>Today a coworker forwarded <a href="http://www.forbes.com/sites/kashmirhill/2012/08/06/beware-tech-abandoners-people-without-facebook-accounts-are-suspicious/" target="_blank">an article from Forbes.com stating that people without Facebook accounts are suspicious</a>. According to the article, because they don’t have a wall defining them, these nonusers are automatically questionable. Well, here we go again, class. Today, our lesson is on <em>conformity</em>. Who can tell me the definition?</p>
<div align="center">
<h3><span style="text-decoration: underline">Conformity</span> &#8211; the requirement of a person to behave according to socially acceptable conventions or standards: “the pressure to conform”</h3>
</div>
<p>These requirements to conform exist in many different parts of your life: work, school, home, friends &#8211; basically a mixed variety of situations. But what about those people who make a conscious decision not to conform to social norms? They are usually shunned, but are they really wrong for choosing to do so?</p>
<p>Take two of my friends from school &#8211; they are adamant about not creating a Facebook account. When questioned, their response includes: <em>“Why do we need it? If we want to talk to you, share exciting news, or organize a night out, we can call or text you. We don’t have to post it for everyone to know.”</em></p>
<p>They are choosing <strong>not</strong> to conform to these social norms. Mind you, these two friends have a clean record, are productive members of society, and are living a happy life without Facebook. Yet this article states: <strong>“Facebook abstainers will be labeled suspicious.”</strong> Really?</p>
<p>Maybe that is the author’s life and they label those that don’t conform as outliers. But what’s wrong with being an outlier? Choosing to do something different from everyone else because&#8230;well, you choose to, isn’t something bad. Many of those outliers go on to do great things.</p>
<p>Later in the article, the author talks about a &#8220;German news story in which an expert noted that mass murderers Anders Breivik and James Holmes both lacked much of a social media presence, leading to the conclusion, in Slashdot’s phrasing, that &#8216;not having a Facebook account could be the first sign that you are a mass murderer.&#8217;&#8221; Well, I have got to say that I have seen stories of many more murders that have taken place where the suspects professed their intentions on Facebook before the actual occurrence&#8230;yet no one believed them.</p>
<p>Being suspicious of people is necessary when you use your intuition. If you feel uncomfortable about someone, definitely look into it. Their Facebook account will ease your worries as it illustrates their life. But just because they don’t have a Facebook or other social media account, doesn’t mean they should be placed on the Department of Homeland Security’s Watch List. I promise, if someone is questionable, the DOHS will find other means of collecting information to gauge their intentions.</p>
]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/not-so-suspicious-individuals/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/not-so-suspicious-individuals/</feedburner:origLink></item>
		<item>
		<title>Encrypt My Information, Please</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/dwTrkEHdcjI/</link>
		<comments>http://hurricanelabs.com/blog/encrypt-my-information-please/#comments</comments>
		<pubDate>Wed, 08 Aug 2012 16:14:11 +0000</pubDate>
		<dc:creator>Leigh Goldie</dc:creator>
				<category><![CDATA[General Cyber Security]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Hackers]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=6771</guid>
		<description><![CDATA[<p>For the last few months, security breaches have been on the rise (or let’s just say have been receiving more news coverage). We have seen countless stories of large, popular websites being compromised by unknown, or later identified, hackers. The &#8230; <a href="http://hurricanelabs.com/blog/encrypt-my-information-please/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/encrypt-my-information-please/">Encrypt My Information, Please</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>For the last few months, security breaches have been on the rise (or let’s just say have been receiving more news coverage). We have seen countless stories of large, popular websites being compromised by unknown, or later identified, hackers. The quest, it seems, is to determine how easy it is to access the personal information of customers from any popular company.</p>
<p>The hackers are proud of their accomplishments, as they have gained access to tens of millions of users&#8217; account information. But it seems they have a message for corporations &#8211; encrypt your customers’ personal information. But are companies being proactive?</p>
<p>When you personally work with any company &#8211; be it a bank, hospital, university, or social media site &#8211; as a customer you are providing them with personal information. This includes credit card numbers, account numbers, social security numbers, birthdates (which are easy to find in other places too), health information, passwords and more.</p>
<p>When you provide that information to a company, what do they do with it? They place it in a database for easy access whenever you need more information, want to purchase something, or have questions about your account. When they create their database, from their point of view, they look at storing information based on ways it will assist their company’s financial success. But now, with the recent breaches occurring, it is essential for them to focus more on the importance of encrypting their customers’ information for their company’s and customers’ protection.</p>
<p>If you&#8217;ve never had an account compromised, talk to someone who has (I promise they will be within six degrees of Kevin Bacon). Ask them what happened, what they lost (financially or personally), and how hard it was to fix the breach or their credit scores. Unfortunately, they all have stories. Your goal should be to avoid those occurrences in your life by being proactive.</p>
<div align="center"><a href="http://www.change.org/petitions/united-states-house-of-representatives-create-a-bill-to-securely-encrypt-consumers-info-within-corporate-databases" target="_blank"><img alt="" src="http://www.hurricanelabs.com/wp-content/uploads/images/balloons.jpg" width="279px" height="513px" /></a></div>
<p>To do this, I have an idea. I would like to start a grassroots campaign where regular, ordinary people like you and me begin writing large companies demanding that our personal information be encrypted. Who should we write? Name a large company with whom you have been a long time customer. Got it? Now think of one more. It’s <em>easy</em> to come up with at least two companies to which you have given personal information. I know I can come up with at least five off the top of my head. But if you need extra ideas, see the list below. It includes banks, credit card companies, insurance companies (auto, medical, health and life), financial companies, stores where you buy big ticket items, social media sites, and more.</p>
<p>Take five minutes to write a letter or simply copy and paste mine below. Sign your name at the bottom and make sure you include your contact information. Then, go to the privacy portion of their website. There you will find their privacy policy for your personal information. Under updating your personal information, or something similar, find their <strong>Send a Request</strong> email address. From there, email your letter. Or, to make a bolder statement so that there is a tangible copy in hand, use the address provided on that page for snail mail.</p>
<p>Another easy way to get this point across is through a nonpartisan petition I created. <a href="http://www.change.org/petitions/united-states-house-of-representatives-create-a-bill-to-securely-encrypt-consumers-info-within-corporate-databases" target="_blank"><strong>You can find it here</strong>.</a> It is written for the United States House of Representatives asking them to create a bill to securely encrypt consumers&#8217; information within corporate/organizational databases. I plan to submit it to a few representatives from both parties that are either in or near my district in Ohio, or ones that I am betting would support this based on committees on which they have served. Please support this by signing the petition and encouraging your friends and family to do the same.</p>
<p>Cause and effect is a really important point that many companies and people within those companies do not take seriously enough. <strong>Help them see the light.</strong> Send them a letter telling them that you as a customer demand that your personal information be <em>encrypted</em> and <em>secured</em> before a security breach within their organization occurs. When they begin to hear this from a multitude of customers and constituents, they may just be encouraged to act.</p>
<p>If you would like to let us know to which companies you have sent a letter, or if you have received a reply from any company that you would like to share, you can reach us at <a href="mailto:blog@hurricanelabs.com" target="_blank">blog@hurricanelabs.com</a>. You will find my example letter below along with a list of various large companies that you may be interested in contacting. Look at your monthly bills for more ideas of whom to contact. I will keep you posted on the outcome of the petition, and thanks in advance for your signatures. Together, I know we can get this done.</p>
<p>&nbsp;</p>
<p>To Whom It May Concern:</p>
<p>As a longtime customer of your company, I would like to know how and how well you encrypt my personal information within your company’s database. With the recent multitude of security breaches taking place, I believe it is essential to keep my personal information, including social security numbers, passwords, medical and insurance information, credit card information and contact information secure within your organization. Please let me know if the information is encrypted and what measures your company takes to ensure that my personal information is secure.</p>
<p>I am requesting a personal response and look forward to hearing from you soon. My contact information is listed below. Thank you for your time and attention.</p>
<p>Sincerely,</p>
<p>Your Name<br />
Your Address<br />
Your City, State Zip Code<br />
Your Phone<br />
Your email address</p>
<p>&nbsp;</p>
<div align="center">
<p><strong><a href="http://www.change.org/petitions/united-states-house-of-representatives-create-a-bill-to-securely-encrypt-consumers-info-within-corporate-databases" target="_blank">Click Here to Sign the Petition</a></strong></p>
</div>
<p>Here are links and other contact options for widely used websites that you may want to contact if you are a customer or user:</p>
<p><strong><a href="http://www.amazon.com/gp/help/customer/display.html/ref=hp_468496_secure?nodeId=468496&amp;%23secure" target="_blank">Amazon Privacy Policy</a></strong><br />
<em><a href="http://www.amazon.com/gp/help/contact-us/features-and-services.html/ref=hp_468496_contactus" target="_blank">Contact Amazon:</a></em> If you do not have an Amazon account, click on the “Skip sign in” Link.</p>
<p><strong><a href="http://www.att.com/gen/privacy-policy?pid=2506" target="_blank">AT&amp;T Privacy Policy</a></strong><br />
<em>Contact AT&amp;T:</em> Email them at <a href="mailto:privacypolicy@ATT.com" target="_blank">privacypolicy@ATT.com</a> or write to them at AT&amp;T Privacy Policy, 1120 20th Street N.W., 10th Floor, Washington DC 20036.</p>
<p><strong><a href="https://www.bankofamerica.com/privacy/index.jsp" target="_blank">Bank of America Privacy Policy</a></strong><br />
<em><a href="https://www.bankofamerica.com/privacy/Control.do?body=privacysecur_contact" target="_blank">Contact Bank of America</a></em> or <a href="https://www.bankofamerica.com/privacy/Control.do?body=privacysecur_accnt_security" target="_blank">Click on the feedback link at the bottom of this page</a></p>
<p><strong><a href="https://www.bankofamerica.com/privacy/Control.do?body=privacysecur_accnt_security" target="_blank">Chase Online Consumer Practices</a></strong> &#8211; note, even if you have a Chase account, it is the same as Bank of America.<br />
<em><a href="https://www.chase.com/index.jsp?pg_name=ccpmapp/privacy_security/fraud/page/report_fraud" target="_blank">Contact Chase</a>:</em> You will find a variety of contact information here.</p>
<p><strong><a href="https://www.discover.com/credit-cards/help-center/account/privacy-policies/" target="_blank">Discover Card Privacy Policy</a></strong><br />
<em>Contact Discover:</em> 1-877-256-2632 or log into your account to email them. Address: Customer Service &#8211; General Inquiries, Discover Financial Services, P.O. Box 30943, Salt Lake City, UT 84130-0943.</p>
<p><strong><a href="https://www.facebook.com/about/privacy/" target="_blank">Facebook Data Use Policy</a></strong><br />
<em><a href="https://www.facebook.com/help/contact/?id=173545232710000" target="_blank">Contact Facebook:</a></em> Facebook Inc., 1601 Willow Road, Menlo Park, CA 94025 or</p>
<p><strong><a href="http://www.linkedin.com/static?key=privacy_policy&amp;trk=hb_ft_priv" target="_blank">LinkedIn Privacy Policy</a></strong><br />
<em><a href="http://help.linkedin.com/app/ask/subject/Privacy+Policy+Question" target="_blank">Contact LinkedIn:</a></em> You will need to be logged into your LinkedIn account.</p>
<p><strong><a href="http://www.morganstanley.com/global-cookie-policy.html" target="_blank">Morgan Stanley</a></strong><br />
<em>Contact Morgan Stanley:</em> US Privacy and Data Protection Counsel, Legal and Compliance Division, Morgan Stanley &amp; Co. LLC, 1221 Avenue of the Americas, 35th Floor, New York, New York 10020</p>
<p><strong><a href="http://www.sprint.com/legal/privacy.html?INTNAV=ATG:FT:Privacy" target="_blank">Sprint Privacy Policy</a></strong><br />
<em>Contact Sprint:</em> Office of Privacy &#8211; Legal Department, Sprint Nextel, P.O. Box 4600, Reston, VA 20195. It says they will respond to requests within 30 days.</p>
<p><strong><a href="http://www22.verizon.com/about/privacy/" target="_blank">Verizon Privacy Policy</a></strong><br />
<em>Contact Verizon:</em> Privacy Office at privacyoffice@verizon.com or write to Verizon Privacy Office, 1320 North Courthouse Road, 9th Floor, Arlington, VA 22201. Fax: 703-351-3669.</p>
<p><strong><a href="http://info.yahoo.com/privacy/us/yahoo/security/" target="_blank">Yahoo Privacy Policy</a></strong><br />
<em><a href="http://help.yahoo.com/kb/index;_ylt=Ah0toeoxPSegnTPxkMunzKC5OSV4?locale=en_US&amp;page=product&amp;y=PROD_ACCT" target="_blank">Help for Yahoo! Account</a></em><br />
Write to Yahoo! Inc., Customer Care &#8211; Privacy Policy Issues, 701 First Avenue, Sunnyvale, CA 94089. You can also call them at 408-349-5070.</p>
]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/encrypt-my-information-please/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/encrypt-my-information-please/</feedburner:origLink></item>
		<item>
		<title>Training Center – Grand Opening Open House</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/a63azOM9IMA/</link>
		<comments>http://hurricanelabs.com/blog/training-center-grand-opening-open-house/#comments</comments>
		<pubDate>Thu, 02 Aug 2012 16:06:07 +0000</pubDate>
		<dc:creator>Leigh Goldie</dc:creator>
				<category><![CDATA[Events]]></category>
		<category><![CDATA[Education]]></category>
		<category><![CDATA[Training]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=6691</guid>
		<description><![CDATA[<p>Hurricane Labs and Information Security Summit are pleased to announce the Grand Opening of their new Corporate Training Center located at 4401 Rockside Road in Independence, Ohio. Featuring state of the art classroom technology, a large classroom for up to &#8230; <a href="http://hurricanelabs.com/blog/training-center-grand-opening-open-house/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/training-center-grand-opening-open-house/">Training Center &#8211; Grand Opening Open House</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p><strong>Hurricane Labs</strong> and <strong>Information Security Summit</strong> are pleased to announce the Grand Opening of their new Corporate Training Center located at 4401 Rockside Road in Independence, Ohio. Featuring state-of-the-art classroom technology, a large classroom for up to 30 students, 2 breakout rooms and a recording studio ideal for podcasting, the training center will be used by several hundred professionals from around the country.</p>
<p>We offer a diverse array of training programs for Chief Security Officers, Security Managers, Network and Security Architects and Engineers, and other IT Professionals. We also provide ongoing learning experiences for a full range of employees within your organization to enforce security on all levels of the spectrum. Whether you are looking into firewall management or social media policies, we’ve got you covered.</p>
<p>Our Training Center can accommodate corporate meetings, non-profit meetings, hands on training classes and traditional lecture style classes.</p>
<p>The Training Center is equipped with some of the latest technology and consists of:</p>
<ul>
<li>Classroom for up to 30 students</li>
<li>2 breakout rooms</li>
<li>Common registration area</li>
<li>Student lounge</li>
<li>80” LED TV for Presentations</li>
<li>2 46” LED TVs for mirrored or alternate displays</li>
<li>iPad and Mac Mini with Airplay</li>
<li>Laptops provided for in class use</li>
</ul>
<p>Please join us on <em>Thursday, August 30 from 5:00 &#8211; 8:00 p.m.</em> for our Grand Opening Open House where you can tour the facilities and learn more about the classes we provide.</p>
<p>Information Security Summit<br />
Grand Opening Celebration<br />
Thursday, August 30<br />
5:00 &#8211; 8:00 p.m.</p>
<p><a href="http://maps.google.com/maps/place?q=4401+Rockside+Road,+Suite+300+Independence,+Ohio+44131&amp;hl=en&amp;ftid=0x8830e5b88c80f2d9:0x9bab2f021f009b9a" target="_blank">4401 Rockside Road, Suite 300<br />
</a><a href="http://maps.google.com/maps/place?q=4401+Rockside+Road,+Suite+300+Independence,+Ohio+44131&amp;hl=en&amp;ftid=0x8830e5b88c80f2d9:0x9bab2f021f009b9a" target="_blank">Independence, Ohio 44131<br />
</a>(216) 633-8220<br />
<a href="mailto:cso@informationsecuritysummit.org" target="_blank">cso@informationsecuritysummit.org</a></p>
<p><a href="http://www.informationsecuritysummit.org" target="_blank"><strong>Information Security Summit</strong></a> is an all-volunteer, non-profit organization that works in partnership with various security, compliance and privacy related organizations. Our purpose and primary objectives are to provide low-cost, quality training and conferencing events to Northern Ohio security and audit professionals. In addition, we promote education and awareness to those people whose job involves security-related activities.</p>
<p><strong>Hurricane Labs</strong> is an information security firm, specializing in providing penetration testing, network monitoring, vulnerability management and network security monitoring. By offering a blend of technological services, educational resources and expertise, Hurricane Labs is able to create a custom network of security solutions that works to monitor and protect clients, 24 hours a day, seven days a week.</p>
]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/training-center-grand-opening-open-house/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/training-center-grand-opening-open-house/</feedburner:origLink></item>
		<item>
		<title>Government Hackers – Party in the NSA</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/WzNn5RtpF3Q/</link>
		<comments>http://hurricanelabs.com/blog/government-hackers-party-in-the-nsa/#comments</comments>
		<pubDate>Thu, 02 Aug 2012 14:49:12 +0000</pubDate>
		<dc:creator>Tristan Jones</dc:creator>
				<category><![CDATA[General Cyber Security]]></category>
		<category><![CDATA[Conferences]]></category>
		<category><![CDATA[Hackers]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=6674</guid>
		<description><![CDATA[<p>Last week in Las Vegas, the hacker convention Defcon 20 had a bit of a high profile speaker. The aforementioned speaker was none other than General Keith Alexander, of the National Security agency (read: in charge of US cyber command). &#8230; <a href="http://hurricanelabs.com/blog/government-hackers-party-in-the-nsa/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/government-hackers-party-in-the-nsa/">Government Hackers &#8211; Party in the NSA</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>Last week in Las Vegas, the hacker convention <a href="http://www.defcon.org/" target="_blank">Defcon 20</a> had a bit of a high-profile speaker. The aforementioned speaker was none other than <strong>General Keith Alexander</strong> of the National Security Agency (<em>read: in charge of US Cyber Command</em>). A top-ranking government official had never before been seen giving a keynote speech at a hacker convention.</p>
<p><span id="more-8099"></span></p>
<p>The message General Alexander brought was a request for hackers to help out the US government &#8211; that the private-sector information security community (hackers, exploit developers, etc.) had to share information and tools in order to help protect the United States from the looming threat of a cyberattack by foreign governments.</p>
<p><strong>Thoughts</strong><br />
I am all for sharing any non-sensitive information, along with open source tools (seriously, who doesn&#8217;t like free?). But my main thoughts initially were about the General&#8217;s/NSA&#8217;s motive for trying to appeal to people who work in private industry to, basically, come over to their side. It had me wondering: what is their deal? Are they trying to build profiles on potential domestic hackers? Are they unable to develop the tools or hire the people they need in order to do their job effectively?</p>
<p><strong>Background</strong><br />
It is widely known that the government is having trouble hiring the people it needs in order to be effective. As for creating its own tools, the NSA <a href="http://www.wired.com/wiredenterprise/2012/07/nsa-accumulo-google-bigtable/" target="_blank">is in a bit of hot water</a> with the US Senate. There is a current mandate in place (<a href="http://www.whitehouse.gov/omb/Circulars_a130_a130trans4" target="_blank"><em>OMB Circular A-130</em></a>) that requires the use of &#8220;off the shelf&#8221; software from commercial sources &#8220;unless the cost effectiveness of developing custom software is clear and has been documented through pilot projects or prototypes&#8221;. The current debate over the NSA creating <strong>Accumulo</strong> is that doing so violates that mandate. Such mandates and stoppages can definitely impede the progress that the NSA wants to make, and I can see why the agency is reaching out for some help.</p>
<p>I&#8217;ve always had a bit of a suspicious nature; however, time and age have taught me to always consider both sides of the coin.</p>
<p>I suppose some can see it as a false sense, or better yet, a facade of transparency between government agencies and the general public. Given the lack of transparency in the past 15 years, I feel justified in thinking so. Another point that I discussed with <a href="http://twitter.com/billford" target="_blank">@billford</a> is that hackers in general have trust issues with any federal agency. In some cases, this distrust is justified. For example, former NSA official <a href="http://www.wired.com/threatlevel/2012/07/binney-on-alexander-and-nsa/" target="_blank">William Binney was featured in an article on Wired</a>:</p>
<div class="center" style="background-color: #244569;padding: 10px;color: #ffffff;margin-right: 10px">
<p>“The reason I left the NSA was because they started spying on everybody in the country. That’s the reason I left,” said Binney, who resigned from the agency in late 2001. Binney was contradicting statements made on Friday by Alexander, who told the crowd of hackers and security professionals that his agency “absolutely” does not maintain files on Americans.</p>
<p>“And anybody who would tell you that we’re keeping files or dossiers on the American people,” Alexander continued, “knows that’s not true.”</p>
</div>
<p>On the other side, one can see why a US government agency (entrusted with protecting what is most likely VERY sensitive information) is seeking help from the private sector. The private sector (in many fields other than information security) has always pioneered new methods, technologies, etc. A question that comes to mind is &#8220;Why reinvent the wheel?&#8221;; essentially, why would federal agencies develop everything on their own when a rich resource of knowledge and tools is available to help them do their jobs?</p>
<p>Is the NSA being nefarious and wanting to spy on hackers? Or are they legitimately seeking help for a problem that has been growing and will only continue to grow in the future? Time will certainly tell in this case.</p>
<p>The post <a href="http://hurricanelabs.com/blog/government-hackers-party-in-the-nsa/">Government Hackers &#8211; Party in the NSA</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/government-hackers-party-in-the-nsa/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/government-hackers-party-in-the-nsa/</feedburner:origLink></item>
		<item>
		<title>Corporate Forensics: Security, Not Law Enforcement</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/m_R6sxlM51E/</link>
		<comments>http://hurricanelabs.com/blog/corporate-forensics-security-not-law-enforcement/#comments</comments>
		<pubDate>Thu, 26 Jul 2012 11:10:30 +0000</pubDate>
		<dc:creator>Tom Kopchak</dc:creator>
				<category><![CDATA[General Cyber Security]]></category>
		<category><![CDATA[Forensics]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=6503</guid>
		<description><![CDATA[<p>The term forensics stirs up vivid images: Crime scenes littered with obvious and equally less obvious evidence. Investigators toiling to bring a heartless criminal to justice. Video game consoles covertly storing secret files. A perfectly detailed account of the exact &#8230; <a href="http://hurricanelabs.com/blog/corporate-forensics-security-not-law-enforcement/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/corporate-forensics-security-not-law-enforcement/">Corporate Forensics: Security, Not Law Enforcement</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>The term <em>forensics</em> stirs up vivid images: Crime scenes littered with obvious and equally less obvious evidence. Investigators toiling to bring a heartless criminal to justice.</p>
<p><span id="more-8097"></span> <a href="http://www.youtube.com/watch?v=HFfJ4ZC1AtA" target="_blank">Video game consoles covertly storing secret files</a>. A perfectly detailed account of the exact causes and motives of a crime. Police chases. Gunfire. All neatly solved in a half hour or less.</p>
<p>Unfortunately, the popular view of forensics is often in stark contrast with reality. The computer forensics field requires significant quantities of tedious, detail-oriented work, sifting through huge amounts of data looking for pertinent details. If Hollywood produced a movie that accurately depicted actual computer forensics work, it’s doubtful that anyone would actually watch it. But I don’t want to dwell on the perceived law enforcement aspects of forensics for this article – we need to consider security.</p>
<div class="left" style="margin: 0 7px 0 0">
<div align="center">
<h3>Click for<br />
Forensics<br />
Infographic</h3>
</div>
<p><a class="infographic cboxElement" href="http://www.hurricanelabs.com/wp-content/uploads/images/infographic_forensics.jpeg"><img alt="" src="http://www.hurricanelabs.com/wp-content/uploads/images/infographic_forensics_thumb.jpg" /></a></p>
</div>
<p>Many of the procedures commonly employed as part of a criminal investigation can be extremely useful as components of an organization’s security assessment. Even basic forensics techniques can be helpful tools in a security professional’s arsenal. Consider a new application you are deploying that must manage sensitive personal information: Do you know exactly what information this program captures and where it&#8217;s being stored? Is this information cached in such a way that it might be readable in an unencrypted form? It would be impossible to answer these questions without a basic forensic analysis. By knowing how information is stored and transmitted, it is possible to confidently state where information is stored, without relying on the word of application developers alone (who have <em>never</em> been known to lie about these sorts of things).</p>
<p>When compared to a criminal forensics investigation, corporate forensics allows for much more flexibility and less pressure for the investigator. When the guilt or innocence of a defendant lies in the hands of a forensics investigator, a single mistake can corrupt evidence or cost the prosecution its case. Corporate forensics, on the other hand, can be “noisy”. For example, programs can be run repeatedly to observe any minor changes in the disk contents (which might contain cached sensitive information).</p>
<p>Just because an internal forensics project might not fall under the same scrutiny as a criminal investigation does not mean that common forensics best practices should not be employed. Whenever possible, disk images should be used and work should be performed on copies of entire drives and/or images. If a <em>write blocker</em> is available, it should be employed to prevent accidental modification of data. When working with images or disks for analysis, mount them as read-only devices to afford the safest access to your evidence.</p>
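<p>The three habits above (work from a verified copy, mount it read-only, and watch what an application writes to disk) in runnable form. This is an added example and not code from the post; it is a small Python toolkit that copies a source sector by sector the way <code>dd conv=noerror,sync</code> does, hashes source and copy before any analysis, builds the read-only mount command, diffs a directory tree before and after an application runs, and scans the raw image for a known plaintext marker to learn whether sensitive input is cached unencrypted. The 128-byte &#8220;disk&#8221;, the marker <code>SECRET-TOKEN</code> and the application's files are constructed inside <code>run_demo()</code>.</p>

```python
"""Forensic hygiene for an application review. Added example, not code from
the post: image the evidence and verify the copy, diff a directory tree
before and after the application runs, and scan the raw image for a known
plaintext marker. The tiny "disk" and the app's files are constructed."""
import hashlib
import os
import tempfile
from pathlib import Path

SECTOR = 512


def sha256_file(path):
    """Streamed SHA-256, so a multi-gigabyte image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, image, sector=SECTOR):
    """Sector-by-sector copy, like dd conv=noerror,sync: an unreadable sector
    becomes zeros so later data keeps its offset. Returns the bad sectors."""
    bad = []
    with open(source, "rb") as src, open(image, "wb") as dst:
        size = src.seek(0, os.SEEK_END)  # also works for a block device
        for offset in range(0, size, sector):
            src.seek(offset)
            try:
                block = src.read(sector)
            except OSError:
                bad.append(offset // sector)
                block = b"\0" * sector
            dst.write(block)
    os.chmod(image, 0o444)  # the working copy is never written to again
    return bad


def verify_image(source, image):
    """Hash both sides; analyse the image only when this returns True."""
    return sha256_file(source) == sha256_file(image)


def readonly_mount_argv(image, mountpoint):
    """argv for a read-only loop mount (needs root; hand it to subprocess.run).
    noexec/nodev/nosuid stop anything inside the evidence from executing."""
    return ["mount", "-o", "ro,loop,noexec,nodev,nosuid", str(image), str(mountpoint)]


def snapshot_tree(root):
    """relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def changed_files(before, after):
    """What ran in between created, modified or deleted (cache files included)."""
    return {
        "created": sorted(p for p in after if p not in before),
        "modified": sorted(p for p in after if p in before and after[p] != before[p]),
        "deleted": sorted(p for p in before if p not in after),
    }


def find_plaintext(image, needle, chunk=1 << 20):
    """Offsets at which needle (e.g. the test value typed into the app) occurs
    in the raw image; the carried-over tail catches matches across chunks."""
    offsets, tail, base, keep = [], b"", 0, len(needle) - 1  # base: offset of tail[0]
    with open(image, "rb") as f:
        while True:
            data = f.read(chunk)
            if not data:
                break
            buf = tail + data
            i = buf.find(needle)
            while i >= 0:
                offsets.append(base + i)
                i = buf.find(needle, i + 1)
            tail = buf[len(buf) - keep:] if keep > 0 else b""
            base += len(buf) - len(tail)
    return offsets


def run_demo():
    """Constructed scenario: a marker at two offsets of a tiny 'disk' (one
    straddling the 64-byte read size used here) and an app that writes a cache."""
    marker = b"SECRET-TOKEN"
    disk = b"\0" * 58 + marker + b"\0" * 30 + marker + b"\0" * 16
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        (work / "source.raw").write_bytes(disk)
        bad = acquire_image(work / "source.raw", work / "copy.dd")
        verified = verify_image(work / "source.raw", work / "copy.dd")
        hits = find_plaintext(work / "copy.dd", marker, chunk=64)
        app = work / "app"
        app.mkdir()
        (app / "settings.ini").write_text("theme=dark\n")
        before = snapshot_tree(app)
        # the application under review would run here; these writes stand in for it
        (app / "cache.tmp").write_text("user=alice\n")
        (app / "settings.ini").write_text("theme=dark\nlast_user=alice\n")
        after = snapshot_tree(app)
    return {"bad_sectors": bad, "verified": verified, "marker_offsets": hits,
            "changes": changed_files(before, after)}
```

<p>Run <code>run_demo()</code> and the marker is found at offsets 58 and 100 of the verified copy, and the diff reports <code>cache.tmp</code> as created and <code>settings.ini</code> as modified: exactly the &#8220;where did my data go&#8221; answer the paragraph above says you cannot get from the developer alone. On a real drive, hash the source before imaging and again after analysis; if the two differ, something wrote to the evidence and the read-only mount or write blocker was not doing its job.</p>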
<p>When considering overall organizational security, forensics might not be at the top of your list. I completely agree – there are many more steps to take that will result in an overall improvement in your security posture (firewalls, patches, intrusion detection and prevention techniques, etc.). However, there are some cases where a basic forensic investigation of a system or application might be an advantageous component of your overall security strategy. If anything, think about it, and consider this as an option when exploring the benefits and risks of a new application.</p>
<p>The post <a href="http://hurricanelabs.com/blog/corporate-forensics-security-not-law-enforcement/">Corporate Forensics: Security, Not Law Enforcement</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/corporate-forensics-security-not-law-enforcement/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/corporate-forensics-security-not-law-enforcement/</feedburner:origLink></item>
		<item>
		<title>Review of HTTP 2.0</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/mh7dVwZo5WA/</link>
		<comments>http://hurricanelabs.com/blog/review-of-http-2-0/#comments</comments>
		<pubDate>Wed, 25 Jul 2012 18:06:38 +0000</pubDate>
		<dc:creator>Aaron Croyle</dc:creator>
				<category><![CDATA[Code]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=6455</guid>
		<description><![CDATA[<p>You may have heard recently that Facebook will be implementing SPDY. In that light I&#8217;d like to give you a basic understanding of the upcoming improvements to HTTP (HyperText Transfer Protocol). As you probably know, this is the protocol that &#8230; <a href="http://hurricanelabs.com/blog/review-of-http-2-0/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/review-of-http-2-0/">Review of HTTP 2.0</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>You may have heard recently that Facebook will be <a href="http://lists.w3.org/Archives/Public/ietf-http-wg/2012JulSep/0251.html" target="_blank">implementing SPDY</a>. In that light I&#8217;d like to give you a basic understanding of the upcoming improvements to HTTP (<strong>H</strong>yper<strong>T</strong>ext <strong>T</strong>ransfer <strong>P</strong>rotocol). As you probably know, this is the protocol that moves most of the HTML documents and images around the web.</p>
<p><span id="more-8096"></span></p>
<p>Here&#8217;s a few definitions to get you up to speed:</p>
<p><strong>HTTP/2.0</strong><br />
This is the new version of HTTP currently in development by the <a href="https://datatracker.ietf.org/wg/httpbis/charter/" target="_blank">httpbis working group of the IETF</a>. The last update was HTTP 1.1 as described in <a href="http://tools.ietf.org/html/rfc2616" target="_blank">RFC 2616</a> in 1999.</p>
<p><strong>TLS</strong><br />
<em>Transport Layer Security</em> is an upgrade to SSL v3.0 (Secure Sockets Layer). It operates at the transport layer to encrypt application-specific protocols such as HTTP, FTP, SMTP, etc.</p>
<p><strong>TLS NPN</strong><br />
<em>Next Protocol Negotiation</em> is an <a href="https://tools.ietf.org/html/draft-agl-tls-nextprotoneg-00" target="_blank">extension to TLS</a> which allows the application layer to negotiate which protocol should be performed over the secure connection, in a manner which avoids additional round trips and which is independent of the application layer protocols.</p>
<p><strong>HTTP/1.1 Upgrade Header</strong><br />
The <em><a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.42" target="_blank">Upgrade</a></em> general-header allows the client to specify what additional communication protocols it supports and would like to use if the server finds it appropriate to switch protocols.</p>
<p>There are a few competing specs attempting to become blessed by the IETF as HTTP/2.0. <em>SPDY</em> (by Google) and <em>HTTP Speed+Mobility</em> (by Microsoft) are the leaders, along with <em><a href="https://tools.ietf.org/html/draft-tarreau-httpbis-network-friendly-00" target="_blank">Network-Friendly HTTP Upgrade</a></em>. So far, only SPDY has seen real-world implementation. Each is described below:</p>
<p><strong>SPDY</strong><br />
<em>SPDY</em> improves browsing in two ways: 1) SSL encryption is forced for all sites; 2) simply put, it&#8217;s just plain faster. It has the largest user base of the three HTTP/2.0 proposals and is included in Firefox 13 (June 2012) and Google Chrome (since Chrome 11 in April 2011). It&#8217;s reported that Amazon uses SPDY between the <a href="http://en.wikipedia.org/wiki/Amazon_Silk" target="_blank">Kindle Fire Silk browser</a> and their EC2 cloud rendering engines.</p>
<p><strong><a href="https://tools.ietf.org/html/draft-montenegro-httpbis-speed-mobility-01" target="_blank">HTTP Speed+Mobility</a></strong><br />
Microsoft&#8217;s own alternative to SPDY. <a href="http://blogs.msdn.com/b/interoperability/archive/2012/03/25/speed-and-mobility-an-approach-for-http-2-0-to-make-mobile-apps-and-the-web-faster.aspx" target="_blank">&#8220;The main departures from SPDY are to address the needs of mobile devices and applications.&#8221;</a></p>
<p><strong><a href="https://tools.ietf.org/html/draft-tarreau-httpbis-network-friendly-00" target="_blank">Network-Friendly HTTP Upgrade</a></strong><br />
Immature spec. Lacks client implementations. Focus is on reduction of header overhead by binary encoding and header reuse within streams. Note that its incompleteness was intentional as it was not meant to be a complete proposal, but rather to be used <a href="http://lists.w3.org/Archives/Public/ietf-http-wg/2012JulSep/0252.html" target="_blank">to study alternative compression and upgrade schemes</a>.</p>
<h2>Feature Comparison</h2>
<table class="responsive">
<thead>
<tr>
<th></th>
<th>SPDY</th>
<th>HTTP Speed+Mobility</th>
<th>Network-Friendly HTTP Upgrade</th>
</tr>
</thead>
<tbody>
<tr>
<th>Header Compression</th>
<td>Yes -<br />
Mandatory use of zlib compression</td>
<td>Yes -<br />
But provides a Flag to disable compression of the header block.</td>
<td>Yes -<br />
Header names binary encoded. Grouping of headers that would be common to all messages on a single connection.</td>
</tr>
<tr>
<th>Multiplexing<br />
- Pipelining multiple transfers on a single connection</th>
<td>Yes</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<th>Transport Layer Encryption</th>
<td>Not required,<br />
but current implementations use TLS to encrypt transport</td>
<td>Required to be optional</td>
<td>Not Addressed</td>
</tr>
<tr>
<th>Zero Latency Upgrade</th>
<td>Not required,<br />
but current implementations use TLS NPN to achieve this</td>
<td>No -<br />
Additional round trip required for the Upgrade header</td>
<td>No -<br />
Additional round trip required for the Upgrade header</td>
</tr>
<tr>
<th>Per-request flow control -<br />
Each stream in a multiplexed connection can manage the rate at which data flows</th>
<td>Supported in SPDY/3</td>
<td>Supported</td>
<td>Missing, but TBD</td>
</tr>
<tr>
<th>Server Push</th>
<td>Yes</td>
<td>Client must opt to enable</td>
<td>No</td>
</tr>
</tbody>
</table>
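<p>Two rows of the table are easier to reason about with a working model in hand: &#8220;Zero Latency Upgrade&#8221; (the extra round trip that the <em>Upgrade</em> header costs, which SPDY avoids by negotiating inside the TLS handshake with NPN) and &#8220;Header Compression&#8221; (SPDY's mandatory zlib). The block below is an added example, not code from the post or from any of the drafts it reviews. It plays both sides of an HTTP/1.1 Upgrade exchange and then pushes two requests' header blocks through one zlib stream the way SPDY did, with a sync flush after each block, to show why the second request on a connection costs so few bytes. <code>UPGRADE_TOKEN</code>, <code>COMMON_DICT</code> and the sample headers are placeholders constructed for this example, not any proposal's real values.</p>

```python
"""Added example, not code from the post or any HTTP/2.0 draft: the HTTP/1.1
Upgrade exchange behind the table's "Zero Latency Upgrade" row, and what
compressing successive header blocks through one zlib stream (SPDY's scheme)
saves. UPGRADE_TOKEN, COMMON_DICT and the sample headers are constructed."""
import zlib

UPGRADE_TOKEN = "http2-draft"  # placeholder token; each proposal defined its own

# Constructed priming dictionary of common header text; SPDY primed zlib similarly.
COMMON_DICT = (b"host: user-agent: accept: accept-encoding: gzip, deflate "
               b"cookie: path: text/html,application/xhtml+xml")


def parse_message(raw):
    """(start line, {lower-case name: value}) from an HTTP/1.x message;
    repeated headers are joined with ', ' as RFC 2616 allows."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return head[0], headers


def build_upgrade_request(host, path="/"):
    """Round trip 1: an ordinary HTTP/1.1 request that also offers to upgrade."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: Upgrade\r\n"
            f"Upgrade: {UPGRADE_TOKEN}\r\n\r\n").encode()


def server_answer(raw_request, supported=(UPGRADE_TOKEN,)):
    """Switch protocols only if Connection lists Upgrade (it is hop-by-hop, so a
    proxy that did not strip it is the only way a stale Upgrade arrives) and a
    protocol we implement was offered; otherwise answer as plain HTTP/1.1.
    The client cannot send new-protocol data until this 101 has come back:
    that is the extra round trip the table counts against Upgrade-based
    proposals, and what TLS NPN avoids by deciding during the handshake."""
    _, h = parse_message(raw_request)
    conn = {t.strip().lower() for t in h.get("connection", "").split(",")}
    offered = [t.strip() for t in h.get("upgrade", "").split(",") if t.strip()]
    chosen = next((p for p in offered if p in supported), None) if "upgrade" in conn else None
    if chosen is None:
        return b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
    return (f"HTTP/1.1 101 Switching Protocols\r\nConnection: Upgrade\r\n"
            f"Upgrade: {chosen}\r\n\r\n").encode()


def serialize_headers(headers):
    """Header block as it would be handed to the compressor."""
    return "".join(f"{k}: {v}\r\n" for k, v in headers).encode()


def compress_blocks(header_blocks, dictionary=COMMON_DICT):
    """One zlib stream for the whole connection, sync-flushed after each block
    (SPDY's scheme). Headers repeated from the previous request become short
    back-references, which is where the per-request saving comes from."""
    comp = zlib.compressobj(level=9, zdict=dictionary)
    return [comp.compress(b) + comp.flush(zlib.Z_SYNC_FLUSH) for b in header_blocks]


def decode_stream(chunks, dictionary=COMMON_DICT):
    """Receiving side: one decompressor kept for the connection's lifetime."""
    dec = zlib.decompressobj(zdict=dictionary)
    return [dec.decompress(c) for c in chunks]


def compression_demo():
    """Two constructed requests on one connection: same cookie and user agent,
    different path and Accept. Returns raw vs. on-the-wire sizes per block."""
    cookie = "session=" + "a1b2c3d4e5f6" * 5 + "; prefs=lang%3Den"
    ua = "Mozilla/5.0 (X11; Linux x86_64; rv:13.0) Gecko/20100101 Firefox/13.0"
    common = [("host", "www.example.com"), ("user-agent", ua), ("cookie", cookie),
              ("accept-encoding", "gzip, deflate")]
    first = common + [("accept", "text/html,application/xhtml+xml"), ("path", "/index.html")]
    second = common + [("accept", "image/png,image/*;q=0.8"), ("path", "/logo.png")]
    raw = [serialize_headers(first), serialize_headers(second)]
    chunks = compress_blocks(raw)
    return {"raw": [len(b) for b in raw], "wire": [len(c) for c in chunks],
            "roundtrip_ok": decode_stream(chunks) == raw}
```

<p>Running <code>compression_demo()</code> shows the second block costing a fraction of the first, because the cookie and user agent are already in the compressor's window. That same property is the caveat a practitioner should keep in mind about the &#8220;Yes - Mandatory use of zlib compression&#8221; cell: when a secret (the cookie) and a value an outsider can influence (the path) share one compression context, the compressed size reveals how much of the guess matched. The CRIME attack demonstrated this against SPDY header compression later in 2012, and HTTP/2 as finally standardized replaced zlib with the purpose-built HPACK encoding for exactly that reason.</p>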
<p>The post <a href="http://hurricanelabs.com/blog/review-of-http-2-0/">Review of HTTP 2.0</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/review-of-http-2-0/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/review-of-http-2-0/</feedburner:origLink></item>
		<item>
		<title>Sunscreen and Security</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/N0KTvneBIOk/</link>
		<comments>http://hurricanelabs.com/blog/sunscreen-and-security/#comments</comments>
		<pubDate>Tue, 24 Jul 2012 10:16:07 +0000</pubDate>
		<dc:creator>Leigh Goldie</dc:creator>
				<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Security Awareness]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=6434</guid>
		<description><![CDATA[<p>Last weekend, my family went to the community pool for a swim &#8211; we packed our bags with supplies for the day and were quickly on our way. But when we got there, I realized I forgot to grab a &#8230; <a href="http://hurricanelabs.com/blog/sunscreen-and-security/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/sunscreen-and-security/">Sunscreen and Security</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>Last weekend, my family went to the community pool for a swim &#8211; we packed our bags with supplies for the day and were quickly on our way. But when we got there, I realized I forgot to grab a bottle of sunscreen. &#8220;No big deal, we&#8217;ll survive one day without it&#8221; I thought to myself. Boy was I wrong! After coming home and looking in the mirror, I discovered my back was completely red &#8211; sunburn claimed another victim.</p>
<p><span id="more-8095"></span> In retrospect, I should have turned the car around (or stopped at a store along the way) and picked up sunscreen. But as usual, hindsight is 20/20 &#8211; without proper skin protection I&#8217;ll be suffering the results for the next few days.</p>
<p>The same idea applies to Network Security &#8211; to keep your network, web application, or system safe you need to protect every portion of it from the <em>very beginning</em>. And you may have to reapply the sunscreen (or in this case review and update your own safety restrictions) every so often to keep your system from becoming vulnerable to harmful rays (methods of attack). But the real question is, do you take the time to do that with your network? Or are you as careless as I was during my Summer outing? Did you unknowingly miss an area that caused a major consequence?</p>
<p>Just like the ritual of putting on sunscreen before you go out, network protection starts with you scheduling a formal review time or <em>patching schedule</em>. Maybe you say to yourself or your coworkers that you will do this update every few weeks, but is it actually on your calendar? Does it get completed? At Hurricane Labs, we have it scheduled monthly. It’s on our calendar monthly for the entire year, so it <em>definitely</em> gets done. To do this for your organization, pick a date &#8211; maybe the same date as your birthday so it’s easy to remember. Add it to your calendar for that date every month. That way, it becomes habitual and on your list of things to do.</p>
<p>What should you do during this time? Run security updates, review what employees are downloading to your network, and make sure your data is encrypted. To me, running security updates should be a no-brainer, but do you do this regularly? When you come across an update you need to include, you should either do it right away, or add it to a to-do list in your calendar on the date you are scheduled to run the updates. You don’t need to do it immediately if you have other, more significant things on your plate. I get it, <em>the list is long</em>. But if you add it to the list you are reserving time to complete it.</p>
<p>It is also essential to review what employees are downloading on your network &#8211; you need to keep the malware at bay. You may also want to find time to educate them on ways to keep their computers secure. Also, remember that applications and documents that they download take up precious space. Is it essential for you to keep that information for them, or are they no longer using it and have moved on to another project?</p>
<p>You also need to make sure, like sunscreen, security is applied <strong>everywhere</strong>. This starts from the beginning with <em>Least Privilege</em>. Least Privilege is an easy concept, but many IT specialists fail to implement it when they set up a network. Simply put, if a user/application/process doesn’t need access to something (like a command or memory space) then <strong>don’t give it access!!</strong> It’s a preventive measure taken to ensure that the wrong people don’t have access to sensitive data. It stops potential problems from occurring in the first place. To fix this, review who has access to different parts of your network. Is it updated? Do the people you have listed even work in your organization? Remove employees that no longer need the access and verify those that are approved.</p>
<p>Next, you need to keep a tight control of what is on your network. When I was at the pool, everything was going well&#8230;or so I thought. I was having fun, talking to friends, and playing in the water with my kids &#8211; but had no idea that the sun was burning my skin. I should have paid more attention to that vulnerability. You need to do that for your network. If it’s running on your network then you need to know <strong>why</strong>. Review everything to make sure it needs to be there.</p>
<p>As with sunscreen, security starts from the beginning. It is essential to make sure you have covered your entire network with the proper security measures in place. That way, from the beginning, you automatically decrease your vulnerabilities and increase your protection. Just like me, few people apply sunscreen as heavily or as often as they should. Make sure you do.</p>
<p>The post <a href="http://hurricanelabs.com/blog/sunscreen-and-security/">Sunscreen and Security</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/sunscreen-and-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/sunscreen-and-security/</feedburner:origLink></item>
		<item>
		<title>Malware, Malware Everywhere</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/cdd1OX3uZKg/</link>
		<comments>http://hurricanelabs.com/blog/malware-malware-everywhere/#comments</comments>
		<pubDate>Tue, 17 Jul 2012 13:23:26 +0000</pubDate>
		<dc:creator>Steve McMaster</dc:creator>
				<category><![CDATA[Mobile Security]]></category>
		<category><![CDATA[Antivirus]]></category>
		<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=6423</guid>
		<description><![CDATA[<p>I want to preface this by saying that I&#8217;m an Android fan boy. I&#8217;ve owned a device running each and every version of Android at some point, from the G1 with Android 1.0 (did it have a codename?) through my &#8230; <a href="http://hurricanelabs.com/blog/malware-malware-everywhere/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/malware-malware-everywhere/">Malware, Malware Everywhere</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>I want to preface this by saying that I&#8217;m an Android fanboy. I&#8217;ve owned a device running each and every version of Android at some point, from the G1 with Android 1.0 (did it have a codename?) through my Galaxy Nexus with Ice Cream Sandwich, and Jelly Bean coming soon. I have also never owned an iPhone. Just wanted to get that out there, in the interest of full disclosure.</p>
<p><span id="more-8093"></span></p>
<p>That said, I&#8217;m really growing tired of reading articles about &#8220;Malware discovered in Google Play&#8221;, &#8220;First Malware ever in the App Store&#8221;, &#8220;Malware went undiscovered for weeks in Google Play&#8221;. It&#8217;s not really news &#8211; People write malware, people distribute malware, people install malware &#8211; It happens. I shake my head at people who run Windows computers and don&#8217;t have good anti-virus software installed. I have 3 Windows computers at home (well, my girlfriend does, I really only use my Mac). They all have AV on them (<a href="http://www.eset.com/us/home/products/antivirus/" target="_blank"><em>ESET NOD32</em> if you&#8217;re curious</a>). And you know what? I&#8217;ve got an AV-type malware detector on my phone, too (<a href="https://play.google.com/store/apps/details?id=com.lookout" target="_blank">Lookout Security</a>).</p>
<div align="center"><img alt="" src="http://www.hurricanelabs.com/wp-content/uploads/images/zombified.jpg" /></div>
<p>The thing about malware is that it&#8217;s out there and it&#8217;s <em>not</em> going to go away. If the fact that it got past Apple (granted, after however many years) says anything, it&#8217;s that you can try and try and try and you&#8217;ll still get it. There will always be security flaws in software, there will always be hackers, there will always be viruses/malware/etc. The fact that the news outlets on the Internet feel the need to report each and every time malware is found is indicative of <em>something</em>&#8230;but I&#8217;m not sure what. It&#8217;s like the news reporting on every time someone gets a parking ticket. There&#8217;s no need to inform the public about it. At best, you&#8217;re going to annoy the readers. At worst, there could be a lot of people getting parking tickets and you&#8217;re going to make people think the local police are getting overbearing with parking tickets.</p>
<p>The fact of the matter is, Google/Android, Apple/iOS, Microsoft/Windows Phone, they ALL need to be more upfront with their users about the fact that some sort of virus or malware protection needs to be installed. They could even take the route Microsoft ALREADY took with Windows on the desktop and include a pretty basic version in the OS. Google could easily pick up someone like Lookout and integrate the malware scanning into the base OS. Sure, Apple tends to fight that stuff at the App Store level, but having something integrated into the OS wouldn&#8217;t be a bad idea either. And at that point, why not integrate the scanning into app submissions? If you can detect the Malware before it gets accepted to the app store then you eliminate a huge chunk of the problem. My guess is that there ARE scanners checking apps before they get submitted to the store, but obviously things are getting through. So, are the scanners that bad that so many things are getting through, or do we not have the details about how many ARE getting stopped?</p>
<p>What it comes down to is this: Owning a smarter phone is great, it lets you carry the Internet in your pocket, stay connected, etc, etc. But you have to remember something important. <strong>YOU&#8217;RE CARRYING THE INTERNET IN YOUR POCKET.</strong> Your phone is now just as connected to the Internet as your computer. And if you&#8217;re affording your computer some sort of protection because it&#8217;s connected to the Internet, why wouldn&#8217;t you do the same for your phone? Assuming something is safe just because it&#8217;s not running Windows has been proven to be a bad security tactic (<a href="http://www.hurricanelabs.com/apples-magical-lie/" target="_blank">I&#8217;m looking at you, <em>Apple</em></a>). Do yourself, your data, and the poor people who are tired of reading articles about malware in the app stores a favor &#8211; just be smarter about your phone.</p>
<p>The post <a href="http://hurricanelabs.com/blog/malware-malware-everywhere/">Malware, Malware Everywhere</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/malware-malware-everywhere/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/malware-malware-everywhere/</feedburner:origLink></item>
		<item>
		<title>Parents – The Information Guardians</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/MjoD1zkqJMk/</link>
		<comments>http://hurricanelabs.com/blog/parents-the-information-guardians/#comments</comments>
		<pubDate>Thu, 12 Jul 2012 10:33:54 +0000</pubDate>
		<dc:creator>Ian Gillespie</dc:creator>
				<category><![CDATA[Social Media Security]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=6403</guid>
		<description><![CDATA[<p>I’ve had this particular issue stuck in my head for a while. The recent article by Steve McMaster discussing how we agreed to Facebook’s policies really pushed me to write this article. First, Steve is absolutely right in his argument &#8230; <a href="http://hurricanelabs.com/blog/parents-the-information-guardians/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/parents-the-information-guardians/">Parents – The Information Guardians</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>I’ve had this particular issue stuck in my head for a while. The <a href="http://www.hurricanelabs.com/take-social-media-privacy-into-your-own-hands/" target="_blank">recent article by Steve McMaster</a> discussing how we agreed to Facebook’s policies really pushed me to write this article. First, Steve is absolutely right in his argument – anyone who utilizes Facebook’s services has agreed to their terms and therefore has no right to complain about what Facebook does with their information.</p>
<p><span id="more-8091"></span> But this brings up another question – how do we handle the posting of information on a social networking site, such as Facebook, when it pertains to our kids?</p>
<p>I see it every day on my own Facebook account. Parents willfully and without warning posting countless pictures of their kids – at the park, at home, with mom and dad, eating some ice cream – the list goes on and on. All very innocent and wonderful memories for the families involved, I’m sure. But this brings to mind the fact that there is a huge amount of responsibility on us as parents to be mindful of not only how we teach our kids to behave socially on a day-to-day level, but also how we utilize their information socially on a day-to-day level. What is meant by this?</p>
<p>It is up to us, as responsible parents, to decide whether or not it is appropriate for us to post information about them. It is our duty, I believe, to act in their best interest. I simply mean that the very act of posting images, videos or anything else of our kids’ lives (no matter how seemingly innocent) onto a social networking site carries with it a possible price.</p>
<div align="center"><img alt="" src="http://www.hurricanelabs.com/wp-content/uploads/images/facebook_kid.jpg" /></div>
<p>Imagine, if you will, being a teenager of the future and you start searching the internet and decide to look yourself up on Google. Suddenly you stumble across countless pictures and videos of yourself as a kid that your parents posted of you on a social networking site. These images and videos are publicly available for all to see. They are now owned by some faceless organization that owns the right to every image of you as a child (remember your parents no longer own those images once they posted them to Facebook). How would you feel about this?</p>
<p>This is an open-ended question and there is no absolute right answer. Different individuals will feel very differently about how they would react to this. Nonetheless, I think it’s very important to consider this question. To take a moment and think about the future and the data we willingly provide not only about ourselves, but others around us. I completely understand that I base a lot of this on my own personal feelings. A lot of what I say may have no weight with other individuals. Maybe the times are changing, maybe the veil of privacy is lifting and is truly a thing of the past. I cannot and do not speak for everyone. This article is meant simply to act as a moment of pause and reflection on what we do as parents. To hopefully consider something we did not consider before.</p>
<p>Let me close with this – we do not and cannot know who will own the information we post to a social network in twenty or fifty years. Because of this fact, we must be <em>Information Guardians</em> for our kids. We must act responsibly on their behalf. Again, posting about ourselves is one thing – we carry with that our own responsibility. When we post about our kids, I believe it becomes something entirely different, something overflowing with responsibility. I think this is something that has not really been considered that much. So please, regardless of your choice on how to handle this, just take a moment and think about your kid(s) before clicking the ‘Post’ button.</p>
<p>PS – My wife and I have enacted a &#8220;no social networking policy&#8221; regarding our kid. We both considered the pros and cons and decided against posting any images or videos to Facebook or anywhere else. We completely understand we may not have 100% control over a relative possibly posting something, but as parents we are trying to do what we think is in our kid’s best interest. Again, it’s different for every parent out there. Good luck and godspeed with your own parenting.</p>
<p>The post <a href="http://hurricanelabs.com/blog/parents-the-information-guardians/">Parents – The Information Guardians</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p><img src="http://feeds.feedburner.com/~r/HurricaneLabsNewsletter/~4/MjoD1zkqJMk" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/parents-the-information-guardians/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/parents-the-information-guardians/</feedburner:origLink></item>
		<item>
		<title>Ten Things I’ve Learned About Cloud Security</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/a0MA9dfVASw/</link>
		<comments>http://hurricanelabs.com/blog/ten-things-ive-learned-about-cloud-security/#comments</comments>
		<pubDate>Wed, 11 Jul 2012 17:10:52 +0000</pubDate>
		<dc:creator>Bill Mathews</dc:creator>
				<category><![CDATA[General Cyber Security]]></category>
		<category><![CDATA[Presentations]]></category>
		<category><![CDATA[Cloud]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=6393</guid>
		<description><![CDATA[<p>This is not a Top 10 list &#8211; it is a list of 10 things I’ve learned along the way. Top 10 lists imply some sort of universal knowledge of the “top” things possible in a given field. Top 10 &#8230; <a href="http://hurricanelabs.com/blog/ten-things-ive-learned-about-cloud-security/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/ten-things-ive-learned-about-cloud-security/">Ten Things I’ve Learned About Cloud Security</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>This is not a Top 10 list &#8211; it is a list of 10 things I’ve learned along the way. Top 10 lists imply some sort of universal knowledge of the “top” things possible in a given field. Top 10 attractive women, top 10 guitar players, top 10 whatever, they all have one thing in common: They are all ten things the author thinks are the best. I don’t really like to think I know everything so this list is in no particular order. This particular list is on cloud security and, well, it is a big topic that interests me greatly and there is no way I can cover it all in a blog post. As a result I will be doing a presentation around this topic in a few places, including <a href="http://www.securitybsides.com/w/page/27427415/BSidesCleveland" target="_blank">BSides Cleveland</a>.</p>
<p>Anyway, cloud security is tough for a lot of reasons, not least of which is because you, like me, probably only understand the basics of what you interface with in the cloud &#8211; the controls the cloud provider allows you to see. This lack of depth of management introduces many security related challenges. Having said that, let’s explore:</p>
<div align="center"><img alt="" src="http://www.hurricanelabs.com/wp-content/uploads/images/dark_cloud.jpeg" width="356" height="443" /></div>
<p><strong>1) Control Panels</strong><br />
Control panels are simultaneously the best and worst aspect of a given cloud provider’s offerings. They can enable you to do really great things or handicap you by not allowing enough fine-grained control. They can enhance the security of your slice of the cloud infrastructure and then cut it off at the knees, sometimes with both in the same feature. If a control is very granular and allows a lot of customization, you can make spectacular infrastructure decisions while at the same time easily forgetting to make some necessary security adjustments. If the controls aren’t granular enough, i.e. the provider made those decisions for you, then that can limit your abilities. In general, control panels are a double-edged sword&#8230;and a balancing act&#8230;usually done while juggling razor-sharp ninja stars &#8211; not necessarily an easy job.</p>
<p><strong>2) Uptime/Downtime</strong><br />
This is a problem, but not necessarily a problem specific to the cloud. It is a problem specific to <em>computers</em>. You will have downtime no matter where you host your services or what you do to prevent it. (<em>Author’s Note: I have spent a large portion of my company’s overall budget to avoid downtime. It still happens, it’s just mitigated better</em>) Some will argue uptime is worse in the cloud than if you hosted it yourself, but depending on who you are this may or may not be true. It just depends on how much trouble you want to go through to deal with the uptime of critical assets &#8211; or rather how much you want to spend to achieve a good uptime ratio. In the public cloud, the cost is spread around so it is naturally a bit cheaper. If you are doing it yourself then you are footing the entire cost. Simple equation really: how much downtime can you afford? Be careful here, the cloud is not always cheaper than doing it yourself, check out the <em>Cloud is Cheap</em> section.</p>
<p>Side note: While I was editing this post and getting its accompanying presentation ready Amazon Web Services had their big <a href="http://aws.amazon.com/message/67457/" target="_blank">storm-related outage</a> and one of our apps was in the wrong zone at the wrong time, bringing it down for about 30 hours total. Luckily, it was a weekend so no one was using it. But still, there is no greater feeling of helplessness than when your service is down and completely out of your control. I’m like this whenever my phone or data center provider has problems too, so I’ve gotten used to it. A bottle of Pepto and lots of patience is required for any sort of cloud endeavor.</p>
<p><strong>3) Access Control</strong><br />
There is a &#8220;myth&#8221; that you have no concept of access control in the cloud. In most cases, at least with the reputable providers, you do have a decent ACL system. In Amazon you can set up roles and assign folks to groups, not half bad. The problem comes in when you actually MEAN access control. With very few exceptions you are running on shared resources in the cloud, <strong>not</strong> dedicated equipment. If you were under the impression it wasn’t shared, perhaps we need to revisit the definitions of cloud computing again (see cheatsheet). In theory, this sharing could cause some problems. All cloud providers use some sort of virtualization &#8211; what it is, what vendor, what tech is completely irrelevant &#8211; and there is at least some risk of someone being able to break out of the virtualized jail and see your data or perform some other malicious activity. This is a very important risk, one to at least mitigate with encryption both in transit and at rest. Honestly, though, you should be doing this in any virtualized environment; it just makes for very good practice. Dare I say, it should be a best practice.</p>
<p><strong>4) API (Good and Evil)</strong><br />
I have a love/hate relationship with APIs (Application Programming Interfaces). I love them because they can make so many things so easy to do, at least the good ones. I hate them because they can often change without notice (depends on the provider) and they give providers yet another avenue for charging “micro payments&#8221;. Micro payments sound good in theory but they do add up. Amazon, for instance, wants you to send email through their messaging API and charges you per message. I haven’t paid for email per message since&#8230;well never. They claim it increases reliability and makes it better than sending directly from your EC2 instance. I find that claim a little suspect but it’s their jail and their rules. Another big issue is that if you buy the theory that the cloud is a jail for your apps, then APIs are the bars. They can really lock you into a provider. I <em>despise</em> vendor lock-in almost more than anything. There are cloud abstraction layers (such as <a href="http://deltacloud.apache.org/about.html" target="_blank">Delta Cloud</a>) but honestly I’ve never used them and really it is just adding another layer of complexity. Deploying your cloud app is not like dating, it&#8217;s more akin to marriage, and divorcing it is hard, so remember to do your homework.</p>
<p>Of course there is also the whole security angle of APIs that you have to consider. Is the transport encrypted? Is the data reliable and untainted? Are you sure you are pulling the correct data? These considerations cannot be overlooked, even in a cloud environment where you are encouraged to “trust the system.” Buyer should always beware.</p>
<p><strong>5) Firewalls Are Dead&#8230;.Well Sorta</strong><br />
Real firewalls in the cloud are a great idea; most reputable providers at least have basic packet filtering available. But wouldn’t it be great to have a full-on firewall up there protecting your data? It is possible! Check Point, Cisco, and probably many others have full firewall instances (some with IPS) available for you to deploy. I think it&#8217;s a good idea and all, but I struggle to see how many people will actually use it. I mean, people hate firewalls as it is for some strange reason (I blame willful ignorance). But now not only do you have to pay for the firewall license, but you will have to pay for the CPU time to actually run it. Obviously we&#8217;re talking about a public cloud here; if you have your own private cloud already you just need the license. Regardless of where you have your cloud, you should probably have a firewall to give you tighter control.</p>
<p><strong>6) Redundancy</strong><br />
One of the ways the cloud sells itself is on its instant super-redundancy and availability. As we’ve learned, even the large cloud providers are <a href="http://www.neowin.net/news/microsoft-issues-statement-on-cloud-downtime" target="_blank">susceptible to downtime</a>. As I discussed above in the uptime/downtime section, downtime just happens. The more or less instant redundancy marketing line is somewhat true: you can absolutely load balance your apps across multiple Amazon EC2 instances across multiple availability zones. But this isn’t some magic feature you just get, it costs extra. Don’t be fooled by that sort of marketing trick.</p>
<p>As I wrote this section I began thinking about the abstraction layers discussed in the API section and started to wonder: is it possible to build an application that is hosted and then load balanced across multiple cloud providers? I bet it would be, but now my brain hurts (and I suspect if I did that my wallet would be hurting too). Anyone doing that out there?</p>
<p><strong>7) Encrypt Early, Encrypt Often</strong><br />
Before Amazon introduced the ability to encrypt in their storage offering (S3) I wrote a tool called <em>logsup</em> that would allow me to automatically rotate (through <em>logrotated</em>), encrypt (through <em>GPG</em>) and upload (to <em>S3</em>) old log files. It takes some metadata and writes it up to Amazon’s SimpleDB service so I can easily search and figure out what data was in the encrypted log files. Of course I thought I was really clever when I wrote it, but then four days later Amazon introduced their encryption feature that has better key management than GPG. Eventually I&#8217;ll rewrite logsup to take advantage of that, but until then I will keep stubbornly using it.</p>
<p>There are two primary lessons to take away from my logsup adventure. First, you should always encrypt sensitive data before it leaves your control. Second, you should always write a receipt for that data so you know where it came from and at least abstractly what type of data it contains. This will allow some peace of mind that your data is safe and that you will be able to find it later when you need it most.</p>
<p>Depending on the deployment, encryption also offers some protection against snooping tenants when you’re using cloud storage or other less private storage. It is not a replacement for strong access control or larger security precautions but it can provide a decent layer of protection against basic prying eyes.</p>
<p><strong>8) Cloud Is Cheap!</strong><br />
There are a number of different types of cloud service (see cheatsheet) and the whole &#8220;cloud is cheap&#8221; myth only holds up for a few of them. Cloud can be very cheap when you’re discussing Software As A Service (SaaS), e.g. Google’s Apps for Business is only around $5 per user per month or $50 per user per year. You as an independent person or company cannot run a mail server for any amount of users for less than that cost per user. The hardware alone would set you back more, so it makes very good financial sense to run your email in the cloud. Whether it makes good common sense is a different story, but I think it is becoming more generally accepted as a best practice to outsource your email, even if only for the cost benefit.</p>
<p>The story gets a lot murkier when you move away from software into infrastructure or platforms as services. Depending on your needs and usage this can be way more expensive than running your own stuff, or much cheaper; again, it just depends on the needs. If you want to build a redundant platform or infrastructure with off-the-shelf hardware and Linux, prepare to pay for the privilege. It really depends though, I’ve seen analyses where it is cheaper to do it yourself, so as with all advice your mileage may vary.</p>
<p><strong>9) Logs In The Cloud</strong><br />
There is a very persistent myth that you can’t get proper logging for your cloud applications and this is patently untrue. An EC2 instance is just an operating system tweaked a little bit to run on Amazon’s infrastructure. There is nothing magical about it; it is the same as if you were running it on a VMware cluster, and you can get your logs from there just fine, right? Right? Of course you can, your application and OS will log the same as if you were hosting it locally. You could even put a log collection server in the cloud if you were so inclined or use something like <a href="http://loggly.com/" target="_blank">Loggly</a> or <a href="https://www.splunkstorm.com/" target="_blank">Splunk Storm</a> and have your log analysis up there too.</p>
<p>When you start discussing SaaS or IaaS the story gets a little darker as you are not necessarily buying access to the logs &#8211; you are outsourcing it completely, so the providers simply do not provide that same level of visibility. I guess that is their call, you just need to be prepared. As we discussed in the control panels section, the type of visibility you get will depend on how well the control panel is architected. A lot of providers will give you access to logs for your specific instance (if only to cut down on support calls), but others do not. It is simply a matter of asking the right questions and, again, doing your homework.</p>
<p><strong>10) Service Level Agreements (SLA)</strong><br />
When you are choosing a cloud provider be sure you actually read their SLA. This is basically the agreement that spells out your interactions and expectations when dealing with your provider. This is the document that will basically tell you how much uptime to expect (they all say 99.999% uptime, they are almost all deceitful) and more importantly what sort of compensation you will get if they violate their SLA. Expect a lot of lawyer-speak here, so if you are putting something really critical in the cloud have your lawyer read it over. You won’t have a lot of negotiation room usually, but at least you’ll be able to plan for the possible risks with a clear head. Typically an SLA will link out to a document describing security precautions taken by the provider to protect your data. This can be crucially important to have so you can effectively add in tech to fill the gaps, though sometimes these documents tend to be a bit vague.</p>
<p>While this list wasn’t entirely security focused, the intent was to help guide folks looking into cloud deployments for their organizations and how to better prepare for the differences in securing those environments. Hopefully it met those goals and more. Please send any feedback on this list to <a href="mailto:blog@hurricanelabs.com">blog@hurricanelabs.com</a>.</p>
<p>The post <a href="http://hurricanelabs.com/blog/ten-things-ive-learned-about-cloud-security/">Ten Things I’ve Learned About Cloud Security</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p><img src="http://feeds.feedburner.com/~r/HurricaneLabsNewsletter/~4/a0MA9dfVASw" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/ten-things-ive-learned-about-cloud-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/ten-things-ive-learned-about-cloud-security/</feedburner:origLink></item>
		<item>
		<title>Mobile Security Apps – Norton</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/Bz6Md-toUIM/</link>
		<comments>http://hurricanelabs.com/blog/mobile-security-apps-norton/#comments</comments>
		<pubDate>Wed, 11 Jul 2012 12:47:44 +0000</pubDate>
		<dc:creator>Bill Mathews</dc:creator>
				<category><![CDATA[Mobile Security]]></category>
		<category><![CDATA[Antivirus]]></category>
		<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=6365</guid>
		<description><![CDATA[<p>I liked the last mobile anti-virus so much that I decided to review Norton/Symantec’s offering so I could change my mind. You may look over my notes below, but I&#8217;ll save you the trouble and just say it right now &#8230; <a href="http://hurricanelabs.com/blog/mobile-security-apps-norton/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/mobile-security-apps-norton/">Mobile Security Apps &#8211; Norton</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>I liked the last mobile anti-virus so much that I decided to review Norton/Symantec’s offering so I could change my mind. You may look over my notes below, but I&#8217;ll save you the trouble and just say it right now &#8211; do not waste your time or money because, well, <em>Norton</em>. Need I say more?</p>
<div align="center"><img alt="" src="http://www.hurricanelabs.com/wp-content/uploads/images/antivirus_scanning.png" /></div>
<p>Ah, so you need a little more convincing? Okay then let’s see what I can do. First off, this isn’t even a trial version like ESET’s was &#8211; it’s a <a href="https://play.google.com/store/apps/details?id=com.symantec.mobilesecurity" target="_blank">feature-limited <em>Lite</em> version</a> with only anti-theft and anti-malware enabled. Taking a cue from their desktop product line it seems Symantec decided to make their mobile apps confusing too. Anyway, the main menu is where you start to set up everything&#8230;all <em>two things</em>. The anti-theft feature is password protected (good) but the anti-malware doesn’t seem to have that option (unlike ESET).</p>
<p>The funny thing about Norton (okay not THAT funny) is that it seems to lack so-called &#8220;persistent&#8221; scanning. So the <a href="http://www.hurricanelabs.com/mobile-security-apps-eset/" target="_blank">same EICAR file I used on ESET</a> that I exported from Dropbox was allowed to be saved to the device just fine. In fact, Norton seems to use scheduled scans only, but the default settings make no sense.</p>
<div class="center"><img alt="" src="http://www.hurricanelabs.com/wp-content/uploads/images/norton1.png" width="197" height="350" /><img alt="" src="http://www.hurricanelabs.com/wp-content/uploads/images/norton2.png" width="197" height="350" /><img alt="" src="http://www.hurricanelabs.com/wp-content/uploads/images/norton3.png" width="197" height="350" /></div>
<p>By default it doesn’t even scan your SD Card (on certain Android phones [ahem Samsung] the “SD Card” is internal) but this is your non-volatile storage, where a persistent virus could actually live. It’s like the hard drive of the mobile world, why on earth would the default <em>not</em> scan it!? Oh it’s right there in the subtext, “This might slow down your system.” As I reported, ESET seemed to have no such problems and they didn’t make the user work for the protection they were allegedly getting. End User applications HAVE to be better than this, otherwise there&#8217;s just no point.</p>
<p>The other troubling thing (to me anyway) is the default setting to “Enable Norton Community Watch”, which seems to send data to some mystery cloud that they don’t explain terribly well. I guess I have to get over that one as most software is doing something like that these days, it&#8217;s just really creepy to me and the lack of clarity just makes me wonder what they’re doing with the data.</p>
<p>For something that doesn’t even seem to do anything in the background it took up a lot of memory and cycles from my phone. Still no noticeable slowdown but lots of memory being used.</p>
<div class="center"><img alt="" src="http://www.hurricanelabs.com/wp-content/uploads/images/norton4.png" width="197" height="350" /><img alt="" src="http://www.hurricanelabs.com/wp-content/uploads/images/norton5.png" width="197" height="350" /><img alt="" src="http://www.hurricanelabs.com/wp-content/uploads/images/norton6.png" width="197" height="350" /></div>
<p>On to the scanning. It took a bit longer than ESET (actually more like twice the time) but it did find my test file. It also failed to find any of the custom “malicious” stuff I had going nor did it trigger on any of the “sketchy” stuff I installed. But honestly, I didn’t expect it to because at this point I simply didn’t expect much at all.</p>
<p>Initially I was a little shocked by the big green check saying I was all good &#8211; I knew I wasn’t. That is when I discovered the “scan SD Card option” wasn’t checked by default. Sometimes I can be so silly, I actually expected a security product to have reasonable defaults! I think ESET set my expectations too high. Anyway, I went back, selected that option and re-scanned and wouldn’t you know it, totally detected.</p>
<p>I am the first one to admit I have a pretty extreme bias towards antivirus products in general (and their vendors specifically), but after my ESET experience I was really keeping an open mind. Leave it to Symantec to ruin that. I hated this product so much that I am visibly irritated while writing this article. This company somehow manages to make money year after year while selling substandard products to people. I just can’t comprehend it, perhaps I have too much pride. Obviously this one is a <strong>Do Not Buy</strong>. Next up will be <a href="https://play.google.com/store/apps/details?id=com.kms.free" target="_blank">Kaspersky’s offering</a>.</p>
<p>The post <a href="http://hurricanelabs.com/blog/mobile-security-apps-norton/">Mobile Security Apps &#8211; Norton</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p><img src="http://feeds.feedburner.com/~r/HurricaneLabsNewsletter/~4/Bz6Md-toUIM" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/mobile-security-apps-norton/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/mobile-security-apps-norton/</feedburner:origLink></item>
		<item>
		<title>Nessus and Splunk Coming Together</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/hrLOiTemFao/</link>
		<comments>http://hurricanelabs.com/blog/nessus-and-splunk-coming-together/#comments</comments>
		<pubDate>Tue, 10 Jul 2012 15:13:06 +0000</pubDate>
		<dc:creator>Patrick Sayler</dc:creator>
				<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Nessus]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Splunk]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=6371</guid>
		<description><![CDATA[<p>Don&#8217;t get me wrong, Nessus and Splunk are great products in their own right. But what if (you may want to sit down for this revelation) you could use them&#8230;together! Hurricane Labs is proud to announce the release of Nessus &#8230; <a href="http://hurricanelabs.com/blog/nessus-and-splunk-coming-together/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/nessus-and-splunk-coming-together/">Nessus and Splunk Coming Together</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>Don&#8217;t get me wrong, <a href="http://www.tenable.com/products/nessus/nessus-product-overview" target="_blank">Nessus</a> and <a href="http://www.splunk.com/?ac=partner_hurricanelabs" target="_blank">Splunk</a> are great products in their own right. But what if (you may want to sit down for this revelation) you could use them&#8230;<strong>together</strong>! Hurricane Labs is proud to announce the release of <em><a href="http://splunk-base.splunk.com/apps/52460/nessus-in-splunk/?ac=partner_hurricanelabs" target="_blank">Nessus In Splunk</a></em>, a Splunk App that allows you to search your Nessus scans in Splunk.</p>
<div align="center"><a href="http://splunk-base.splunk.com/apps/52460/nessus-in-splunk/?ac=partner_hurricanelabs" target="_blank"><img alt="" src="http://www.hurricanelabs.com/wp-content/uploads/images/nessus_splunk.jpeg" /></a></div>
<p>All you need to do is export your scan results to a CSV (Nessus 5) and you&#8217;re ready to start Splunkin&#8217;. To get started and a more detailed breakdown of the functions, head over to the <a href="http://splunk-base.splunk.com/apps/52460/nessus-in-splunk/?ac=partner_hurricanelabs" target="_blank">Splunkbase page</a> where you&#8217;ll be able to download the app. If you have any questions, you can reach us at <a href="mailto:blog@hurricanelabs.com">blog@hurricanelabs.com</a>.</p>
<p>The post <a href="http://hurricanelabs.com/blog/nessus-and-splunk-coming-together/">Nessus and Splunk Coming Together</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p><img src="http://feeds.feedburner.com/~r/HurricaneLabsNewsletter/~4/hrLOiTemFao" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/nessus-and-splunk-coming-together/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/nessus-and-splunk-coming-together/</feedburner:origLink></item>
		<item>
		<title>Take Social Media Privacy into your Own Hands</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/XvvdpOds6yA/</link>
		<comments>http://hurricanelabs.com/blog/take-social-media-privacy-into-your-own-hands/#comments</comments>
		<pubDate>Tue, 10 Jul 2012 10:00:11 +0000</pubDate>
		<dc:creator>Steve McMaster</dc:creator>
				<category><![CDATA[Social Media Security]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=6331</guid>
		<description><![CDATA[<p>I&#8217;ve gotten in a lot of arguments lately about one of the latest &#8220;hot topics&#8221; in the end-user side of technology &#8211; privacy. With some of the biggest names in Social Media doing a really bad job of it (and &#8230; <a href="http://hurricanelabs.com/blog/take-social-media-privacy-into-your-own-hands/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/take-social-media-privacy-into-your-own-hands/">Take Social Media Privacy into your Own Hands</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>I&#8217;ve gotten in a lot of arguments lately about one of the latest &#8220;hot topics&#8221; in the end-user side of technology &#8211; privacy. With some of the biggest names in Social Media doing a really bad job of it (and I&#8217;m not even just talking about leaked passwords), it&#8217;s something that&#8217;s throwing itself in the face of many average, day-to-day computer users.<span id="more-8087"></span> Many in the security industry already know most of the things people are discovering, and have screamed warnings from the mountaintops to the folks below. Alas, this is the woe of being a security engineer. But here&#8217;s my gripe for you.</p>
<p>Facebook has, as of April 2012, 901 million active members (according to Wikipedia). If Facebook were a country, it would be ranked 3rd in the world by population. And it seems every week, they&#8217;re in the news again, someone ranting about their privacy on Facebook. My favorite came a few weeks ago, just after Facebook went public. It was a post spreading around Facebook like wildfire, and it went something like this:</p>
<p>For those of you who do not understand the reasoning behind this posting, Facebook is now a publicly traded entity. Unless you state otherwise, anyone can infringe on your right to privacy once you post to this site. It is recommended that you and other members post a similar notice as this, or you may copy and paste this version. If you do not post such a statement once, then you are indirectly allowing public use of items such as your photos and the information contained in your status updates.</p>
<p>PRIVACY NOTICE: Warning &#8211; any person and/or institution and/or Agent and/or Agency of any governmental structure including but not limited to the United States Federal Government also using or monitoring/using this website or any of its associated websites, you do NOT have my permission to utilize any of my profile information nor any of the content contained herein including, but not limited to my photos, and/or the comments made about my photos or any other &#8220;picture&#8221; art posted on my profile.</p>
<p>You are hereby notified that you are strictly prohibited from disclosing, copying, distributing, disseminating, or taking any other action against me with regard to this profile and the contents herein.</p>
<p>The foregoing prohibitions also apply to your employee, agent, student or any personnel under your direction or control. The contents of this profile are private and legally privileged and confidential information, and the violation of my personal privacy is punishable by law.</p>
<p>UCC 1-103 1-308 ALL RIGHTS RESERVED WITHOUT PREJUDICE</p>
<p>Wow. Sounds great, someone just shared hours of their lawyer&#8217;s expensive work with us. Only, not really. I doubt any lawyer consulted on that because they would&#8217;ve told the original poster that it&#8217;s just plain wrong. I couldn&#8217;t tell you what UCC 1-103 or UCC 1-308 means, but I don&#8217;t think it means any of that. The only <em>legal</em> thing binding anyone&#8217;s use of your data on Facebook is the privacy policy/terms of use. But my argument here isn&#8217;t that you&#8217;re falling for a silly chain letter. My argument is that a) you&#8217;re posting something on Facebook, a <strong>SOCIAL NETWORKING</strong> site, whose goal is to let you connect and share with friends, that you don&#8217;t want people to &#8220;take any action against you&#8221; using, and b) that, if that&#8217;s the case, you didn&#8217;t already use Facebook&#8217;s built-in privacy controls to hide it. Facebook has privacy controls. They&#8217;re REALLY not complicated. There&#8217;s no reason <em>not</em> to use them. But too many people don&#8217;t.</p>
<p>The scarier part of all of this comes from other websites where people, for whatever reason (probably a lack of privacy settings in general, and a different environment that promotes public sharing a little more) have no regard for privacy at all. The best example I could ever hope to have presented itself last week in the form of a Twitter account. This Twitter account is not associated with any particular person. Instead, it is associated with a purpose. The account does nothing except retweet other users who have posted pictures of their debit/credit cards. <em>WHAT ARE WE COMING TO?</em> Do people really not understand the implications of posting a picture of their debit card online? Pretending for a minute that Twitter had your debit card number, if they tweeted it to your followers once, you&#8217;d be pretty upset, wouldn&#8217;t you? So why, in the name of all that is good and wholesome, would you post it yourself!?</p>
<p><img alt="Evil Mark Zuckerberg" src="http://www.hurricanelabs.com/wp-content/uploads/images/evil_zucker.jpeg" /></p>
<p>People seem to want someone else to protect their info for them. They want to be able to throw all of their information out in the open, and let someone else police it and protect it. Not only that, but they want that person to do it for free. The Internet is supposed to be free, I should just get everything I want for free, right? This problem is twofold: People don&#8217;t want to pay for a service like Facebook (or Twitter, etc), but they expect it to be running 24/7, be absolutely perfect, and have every feature THEY want, even if they&#8217;re only part of a small group (even a million is less than 1% of Facebook&#8217;s userbase) who wants it.</p>
<p>&#8220;But Facebook is ad-supported&#8221;, you say. Well that&#8217;s great. So they&#8217;re going to collect information about what pages you like, what games you play, what you post pictures of, and use that to target the ads that they show you. That way, they can show you ads that you&#8217;re more likely to click on. HOLD THE PHONE. They&#8217;re going to do what with my information? UNACCEPTABLE. My information is for me and my friends, they have to keep their dirty, capitalist, money hungry fingers off of it.</p>
<p>My friends, my co-workers, my acquaintances, and people I&#8217;ve never met who are just bored and reading this blog post. I implore you. Do yourself a favor and stop and think the next time you post something on Facebook. Are you okay with it possibly being public? If not, please go change your privacy settings so it isn&#8217;t. Are you okay with them harvesting information from it to show you better ads? If not, please don&#8217;t post it. Because Facebook is well within their moral and ethical rights, let alone their legal ones, to use that information that way, <a href="https://www.facebook.com/about/privacy/advertising#personalizedads" target="_blank">as long as they have &#8220;removed from it anything that personally identifies you or combined it with other information so that it no longer personally identifies you&#8221;</a>. So please, stop complaining about Facebook/Twitter/Foursquare/LinkedIn/MySpace/WhateverNextSocialSiteComesBy, and start taking responsibility for your data yourself.</p>
<p>Want to learn more about protecting your company, your employees and yourself in social media? Hurricane Labs offers a Social Media Security Awareness Course: <em>What Employers and Employees Need to Know</em>. <a href="http://hurricanelabs.simpletix.com/Event/6/Social-Media-Security-Awarenes/" target="_blank">Click here for more information.</a> Have a question? Reach out to us on our <a href="http://www.hurricanelabs.com/education/reserve-classroom-space/" target="_blank">Education page</a>.</p>
<p>The post <a href="http://hurricanelabs.com/blog/take-social-media-privacy-into-your-own-hands/">Take Social Media Privacy into your Own Hands</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p><img src="http://feeds.feedburner.com/~r/HurricaneLabsNewsletter/~4/XvvdpOds6yA" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/take-social-media-privacy-into-your-own-hands/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/take-social-media-privacy-into-your-own-hands/</feedburner:origLink></item>
		<item>
		<title>Apple’s Magical Lie</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/rFcGF2OfR6I/</link>
		<comments>http://hurricanelabs.com/blog/apples-magical-lie/#comments</comments>
		<pubDate>Thu, 05 Jul 2012 10:32:15 +0000</pubDate>
		<dc:creator>Ian Gillespie</dc:creator>
				<category><![CDATA[General Cyber Security]]></category>
		<category><![CDATA[Apple]]></category>
		<category><![CDATA[End Users]]></category>
		<category><![CDATA[Security Awareness]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=6313</guid>
		<description><![CDATA[<p>Warning: I am not an Information Security expert – I am the Lead Designer at Hurricane Labs. I do not know the detailed best practices of securing a network or how to set up a SIEM such as Splunk. You &#8230; <a href="http://hurricanelabs.com/blog/apples-magical-lie/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/apples-magical-lie/">Apple’s Magical Lie</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p><strong>Warning</strong>: I am not an Information Security expert – I am the Lead Designer at Hurricane Labs. I do not know the detailed best practices of securing a network or how to set up a SIEM such as Splunk. You may be asking yourself, “Why the heck is this guy even writing an article on a blog about Information Security?!” Hold on a second – what I propose is an outsider&#8217;s perspective on the idea of information security as a whole.<span id="more-8086"></span> My perspective may not be the same as that of an information security specialist, <em>but that’s the point</em>. The purpose of this article is to hopefully be entertaining, but to also allow me to rant, or vent my frustrations with things having to do with security – whether it be company practices, or even just the way we share our information on social networks. I hope to write a few blog posts in the coming weeks. Hopefully you will get a little enjoyment out of this as well – at my expense, of course.</p>
<p>My target this week is Apple and their security practices, or rather, the lack of their security practices. They are releasing an automatic security update for OSX – awesome, thanks Apple! I’m surprised no one has ever thought of this before&#8230;oh crap, never mind. <a href="http://www.hurricanelabs.com/beacon-podcast-episode-030/" target="_blank">As a fellow co-worker pointed out on our previous podcast</a> – this type of thing has been around in operating systems for the better part of a decade, but I&#8217;m sure Apple will tout this as a brand new feature that &#8216;Automagically Keeps Your Mac Safe&#8217;. Because of this, Apple should write a really long apology for being dumb about security. This should be put on the front page of the Apple website:</p>
<div><em>For years we lied about the security of a mac. We falsely made countless consumers believe that our products were invulnerable to attacks and that we had, in fact, created the first invulnerable computer system in history of humanity. For this, we are sorry. Contact us for a free Retina Display Macbook Pro.</em></div>
<p>(Okay, maybe the last part is stretching it.)</p>
<p>You may be saying to yourself: “Ian, why so serious?” Well, let me tell you why, friendo – I had first-hand experience dealing with Apple&#8217;s misinformation regarding their security. A couple of years ago my wife and I went to the Apple store to buy her a new laptop. During this visit, one of the Apple Representatives told her that she would <strong>never have to worry about computer viruses</strong>. I immediately scolded him and told him that this was simply not true. On the car ride home I reminded my wife of the importance of updating her software regularly and of being conscious of her computer activity – <em>nothing is 100% secure</em>.</p>
<div align="center"><img src="http://www.hurricanelabs.com/wp-content/uploads/images/steve_jobs_pants_stolen.jpg"></div>
<p>Let’s say, hypothetically, that my wife did not have her Designer Security Expert husband by her side to show her not only how to crop a picture in Photoshop, but that she also needed to update her software from time to time. If this were the case, she would have come home and years would have gone by without her ever updating her Mac’s software. Trust me, she wouldn’t have updated it – ever! She didn’t even know she had a trash can on her Windows machine. (Don’t tell her I told you that.) And the worst part – she is just one innocent consumer who was told this lie. Telling consumers something blatantly false – especially when it comes to security – is just wrong and irresponsible. Not to mention the fact that they looked pretty stupid when the whole Flashback fiasco happened and it took them forever and a blue moon to release a Java update. The worst thing they could have done is to try and ignore the problem, which is exactly what they did.</p>
<p>Good news though. Like I said earlier, Apple seems to be (well kinda) changing their ways by offering automatic security updates for Mountain Lion. Good job Apple, I commend you. Let’s hope your Apple store representatives are a little more honest about your product security as well.</p>
<p>My point, in the end, is that companies need to be more upfront about the security of their products. Why risk getting caught with egg on your face when you could have just been more upfront from the beginning? Hopefully Apple will be a little more proactive with the security of their iOS devices (probably not, but that may just be me being cynical). A little transparency can go a long way – this goes for anyone – including you LinkedIn, but you’ve already been yelled at enough.</p>
<p>The post <a href="http://hurricanelabs.com/blog/apples-magical-lie/">Apple’s Magical Lie</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p><img src="http://feeds.feedburner.com/~r/HurricaneLabsNewsletter/~4/rFcGF2OfR6I" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/apples-magical-lie/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/apples-magical-lie/</feedburner:origLink></item>
		<item>
		<title>Mobile Security Apps – ESET</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/LTcbiHl2Qn8/</link>
		<comments>http://hurricanelabs.com/blog/mobile-security-apps-eset/#comments</comments>
		<pubDate>Tue, 03 Jul 2012 12:14:08 +0000</pubDate>
		<dc:creator>Bill Mathews</dc:creator>
				<category><![CDATA[Mobile Security]]></category>
		<category><![CDATA[Antivirus]]></category>
		<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=6250</guid>
		<description><![CDATA[<p>Anyone who listens to our podcast should know that I hate all anti-virus and anti-virus vendors. I really don’t have too many shades of grey when it comes to it, so it&#8217;s pretty hard to make me want to do &#8230; <a href="http://hurricanelabs.com/blog/mobile-security-apps-eset/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/mobile-security-apps-eset/">Mobile Security Apps &#8211; ESET</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>Anyone who <a href="http://www.hurricanelabs.com/podcast">listens to our podcast</a> should know that I hate all anti-virus and anti-virus vendors. I really don’t have too many shades of grey when it comes to it, so it&#8217;s pretty hard to make me want to do anything regarding anti-virus technology that isn’t just recommending you get rid of the platform that is so susceptible to it.<span id="more-8085"></span> I’ve argued (and still argue) that even though there is clearly a malware issue with Android phones (unless lots of folks are lying), it is not as bad as the vendors make it out to be. They have a whole new platform to infect&#8230;err, get adopted on so what is not to like about smartphones being cesspools? I got really curious though and started wondering if these anti-virus tools are as bad on Android as they are on Windows. Do they slow down the phone? Do they drain the life out of the battery (if you’ve ever owned a Thunderbolt or Droid Charge you’ll know that’s not difficult)? Are they real time? What else can they do?</p>
<p><img class="left" style="margin: 0 14px 0 0" width="207" height="368" src="http://www.hurricanelabs.com/wp-content/uploads/images/eset1.png"></p>
<p>I started out with <a href="https://play.google.com/store/apps/details?id=com.eset.ems" target="_blank"><strong>ESET Mobile Security</strong></a> because it was always the one that annoyed me <em>least</em> on Windows. I would like to note that I have NEVER had a virus or malware issue on any Android phone I’ve ever owned (stock, rooted, or custom ROM). It just never happened, which is shocking since I install new apps all the time. Here’s my “review”/opinion of a product I didn’t need:</p>
<p><strong>Installation:</strong><br />
Installation was no different than your typical Android app, just install it from the <a href="https://play.google.com/store/apps/details?id=com.eset.ems" target="_blank">Play Store</a>. It will guide you through setup (which is almost nothing). One thing I really like is the ability to password protect individual features &#8211; e.g. I can enable it for anti-spam but leave it open for the quarantine. I like flexibility.</p>
<p><strong>Usage:</strong><br />
It works basically like any other app &#8211; you get a menu listing out all of the things the app can do. I picked <em>Antivirus</em> first because, well, that&#8217;s the selling point of this application.</p>
<p>I wanted to see how well the device performed (on a Galaxy Nexus) so I chose <em>Scan Device</em> and tried to do some other things. You know what, either ESET does nothing or it is written so well (doubtful since it has to be in Java) that it caused no noticeable slowdown. It wasn’t sluggish at all. I was very surprised!</p>
<div class="center"><img src="http://www.hurricanelabs.com/wp-content/uploads/images/eset2.png" width="197" height="350"><img src="http://www.hurricanelabs.com/wp-content/uploads/images/eset3.png" width="197" height="350"><img src="http://www.hurricanelabs.com/wp-content/uploads/images/eset4.png" width="197" height="350"></div>
<p>The next thing to look at, which is <em>always</em> a problem with AV solutions, is how it runs in the background &#8211; how much memory/CPU/whatever does it take? Again, here ESET doesn’t take much. I had to scroll down on my usage page to even find it, <em>Words With Friends</em> took up more resources. I really wanted it to fail here because I hate AV. But it didn’t, it doesn’t suck up many resources at all. Which means it doesn&#8217;t have a significant impact on my battery life. I haven&#8217;t had to change my charging schedule in the past few days that it&#8217;s been running &#8211; that&#8217;s fantastic since I <em>hate</em> having to charge my phone in the middle of the day. So far, so good&#8230;</p>
<p>Once the scan is finished you are presented with the results by way of various counts. It doesn’t give you a lot of detail but really, who cares, you just want to know if you’re okay or not, right? Also, notice the Scan duration: <em>375 scanned files in 25 seconds</em>. Not bad.</p>
<div class="center"><img src="http://www.hurricanelabs.com/wp-content/uploads/images/eset5.png" width="197" height="350"><img src="http://www.hurricanelabs.com/wp-content/uploads/images/eset6.png" width="197" height="350"><img src="http://www.hurricanelabs.com/wp-content/uploads/images/eset7.png" width="197" height="350"></div>
<p><strong>Results:</strong><br />
So far I haven’t been able to get it to complain about things I’ve installed. I’ve even installed some really sketchy things that really should cause it to alert. Finally I tested it with the <a href="http://eicar.org/" target="_blank">EICAR signature</a> (this is a series of strings guaranteed to trigger AV alarms). First I created a file on a web server and surfed to it. No problem, it displayed the text. This wasn’t terribly surprising but I was hoping for better. Since it was just a text file being displayed I was willing to let that slide. Then I tried to save the file and this is where the real magic began.</p>
<div align="center"><img src="http://www.hurricanelabs.com/wp-content/uploads/images/antivirus_superhero.jpeg"></div>
<p>I was really hoping to see it catch some of the more sketchy stuff that I installed, but I couldn&#8217;t guarantee any of that to truly be malware. I even tried it with some custom malicious items but it didn’t pick that up either. It could be that it is just purely signature based, meaning that if it didn’t already know about my particular piece of malware it wouldn’t catch it &#8211; typical AV behavior. It doesn’t slow down your system or really seem to create any other problems, so if you work with a lot of questionable material on your phone or aren’t careful about what you install I suppose it couldn’t hurt. As an added bonus, there are additional anti-theft features and a nice phone/SMS white/blacklisting function. I’d put it at a cautious buy if you&#8217;re bored and have some spare cash.</p>
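<p>The EICAR test described above has a precise definition, and the &#8220;purely signature based&#8221; behaviour observed is easy to reproduce in miniature. The following Python is an added example, not code from the post and not a claim about how ESET&#8217;s engine works: it builds a spec-conformant EICAR file (the 68-byte signature, optionally followed by whitespace, at most 128 bytes in total), checks it against the published checksums, and runs a toy exact-match scanner over it. Flipping a single byte of the sample defeats both the substring match and the hash, which is exactly why a scanner that only knows published signatures cannot flag a custom sample. The signature is assembled from two halves so that this source file does not itself contain the contiguous test string; the hash values are the ones published for the 68-byte file.</p>

```python
import hashlib
from typing import Dict, List

# The 68-byte EICAR test string, built from two halves so the source of this
# example does not itself carry the contiguous signature.
EICAR_SIGNATURE = (
    b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
    b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
)

# Published checksums of the bare 68-byte file.
EICAR_CHECKSUMS = {
    "md5": "44d88612fea8a8f36de82e1278abb02f",
    "sha1": "3395856ce81f2b7382dee72602f798b642f14140",
    "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
}

# eicar.org's rules for a valid test file: the signature is the first 68 bytes,
# anything after it is whitespace, and the whole file is at most 128 bytes.
_TRAILING_OK = frozenset(b" \t\r\n\x1a")
EICAR_MAX_LEN = 128


def is_valid_eicar(data: bytes) -> bool:
    """True if `data` is exactly what a scanner is obliged to flag as EICAR."""
    if len(data) > EICAR_MAX_LEN or not data.startswith(EICAR_SIGNATURE):
        return False
    return all(b in _TRAILING_OK for b in data[len(EICAR_SIGNATURE):])


def build_eicar(padding: bytes = b"") -> bytes:
    """Return a spec-conformant EICAR file, optionally padded with whitespace."""
    data = EICAR_SIGNATURE + padding
    if not is_valid_eicar(data):
        raise ValueError("padding must be whitespace and total length <= 128 bytes")
    return data


def checksums(data: bytes) -> Dict[str, str]:
    """MD5/SHA-1/SHA-256 of a blob, for comparison with published EICAR hashes."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def naive_signature_scan(data: bytes, signatures: Dict[str, bytes]) -> List[str]:
    """Exact-substring matching: the simplest possible signature engine.
    Anything it has no signature for, it will not see."""
    return [name for name, sig in signatures.items() if sig in data]


def mutate_one_byte(data: bytes, index: int = 0) -> bytes:
    """Flip one bit of one byte: enough to defeat exact-match and hash signatures."""
    return data[:index] + bytes([data[index] ^ 0x01]) + data[index + 1:]


if __name__ == "__main__":
    # Constructed sample: the test file as a web server would deliver it, CRLF-terminated.
    sample = build_eicar(b"\r\n")
    sigs = {"EICAR-Test-File": EICAR_SIGNATURE}
    print("valid EICAR:", is_valid_eicar(sample))
    print("sha256 matches published:", checksums(EICAR_SIGNATURE) == EICAR_CHECKSUMS)
    print("scan pristine:", naive_signature_scan(sample, sigs))
    print("scan mutated: ", naive_signature_scan(mutate_one_byte(sample), sigs))
```

<p>Saving the output of <code>build_eicar()</code> to disk is what an on-access scanner is supposed to react to; keeping it in memory, as the demo does, lets you check the bytes first. The mutated variant is not something any real product needs to catch, but it makes the point from the post concrete: without a signature for <em>your</em> sample, an exact-match engine stays silent.</p>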
<p><strong>Warning:</strong><br />
In typical AV fashion, I&#8217;ve found a reason to be angry. Each mobile AV app I&#8217;ve looked at (more reviews to come) is marked as “Free” in the Play Store. Although after installation they make it clear that you&#8217;re on a 30 day trial and if not purchased/subscribed within the evaluation period the app will cease to function. I place part of the blame on Google for not clearly tagging Trial software in the Play Store (Google Reps: Contact me to license this brilliant idea). The only one that was upfront about the pricing scheme was <a href="https://play.google.com/store/apps/developer?id=Kaspersky+Lab" target="_blank">Kaspersky</a>. They have a <a href="https://play.google.com/store/apps/details?id=com.kms.free" target="_blank">Lite version</a> (100% free) and then two premium versions (<a href="https://play.google.com/store/apps/details?id=com.kms" target="_blank">Phone</a> and <a href="https://play.google.com/store/apps/details?id=com.kaspersky.kts" target="_blank">Tablet</a>). Kaspersky and ESET seem to be the lesser of the AV vendors evils, but I’m sure they’ll prove me wrong at some point.</p>
<p>The post <a href="http://hurricanelabs.com/blog/mobile-security-apps-eset/">Mobile Security Apps &#8211; ESET</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p><img src="http://feeds.feedburner.com/~r/HurricaneLabsNewsletter/~4/LTcbiHl2Qn8" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/mobile-security-apps-eset/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/mobile-security-apps-eset/</feedburner:origLink></item>
		<item>
		<title>Encryption is Still Not Security</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/LSIg7h4eWsg/</link>
		<comments>http://hurricanelabs.com/blog/encryption-is-still-not-security/#comments</comments>
		<pubDate>Tue, 26 Jun 2012 11:14:57 +0000</pubDate>
		<dc:creator>Bill Mathews</dc:creator>
				<category><![CDATA[General Cyber Security]]></category>
		<category><![CDATA[Encryption]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=6134</guid>
		<description><![CDATA[<p>SSL, TLS, VPN, blah blah blah the terms all run together at this point. In every engagement I do, in every course I teach, and in more than a few articles I’ve written I have stressed the point to no &#8230; <a href="http://hurricanelabs.com/blog/encryption-is-still-not-security/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/encryption-is-still-not-security/">Encryption is Still Not Security</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>SSL, TLS, VPN, blah blah blah the terms all run together at this point. In every engagement I do, in every course I teach, and in more than a few articles I’ve written I have stressed the point to no end &#8211; <strong>encryption is not security</strong>.</p>
<p><span id="more-8083"></span> It’s a pretty simple and not terribly technical concept. Encryption is really just a masquerading technology, an illusion meant to provide temporary privacy for moving data. When data is at rest, given enough time, it is even less of a security technology (but we&#8217;ll save that for a different post). I know what you’re thinking, “I know that, of course encryption only protects privacy and in some cases integrity.” Awesome, I think it is great that you know that, would you mind helping me spread the word to marketing departments and management folks? Here’s why:</p>
<p><a href="http://blog.linkedin.com/2012/06/07/taking-steps-to-protect-our-members/" target="_blank">LinkedIn’s response to their recent breach</a> was to <a href="http://www.theglobeandmail.com/technology/tech-news/after-hack-linkedin-brings-encryption-up-to-industry-standard/article4255121/" target="_blank">add some encryption to their passwords</a>. A really good move to be certain, why it wasn’t there already I don’t know. However I have seen no mention of actually proving these security measures. How did the attacker get the data in the first place? LinkedIn seems certain that, aside from passwords, no other data has been leaked out. But how do they know? They’re certainly not talking (which is a whole separate problem in handling an incident). Having conducted and/or run quite a number of penetration tests I can tell you if we get a SQL Injection and dump out the passwords table, it usually doesn’t take much to get the usernames too. So what is the real story? Again, they’re not talking but they’ve &#8220;added some encryption&#8221; so in case it leaks out again, it’ll be better.</p>
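<p>The &#8220;encryption&#8221; LinkedIn added was password salting: the leaked hashes were unsalted SHA-1, which is why one pass over a wordlist cracked a large share of them at once and why identical passwords showed up as identical hashes. As an added example (not code from the post or from LinkedIn), the Python below contrasts the two storage schemes on a constructed three-user database and a constructed five-word dictionary, and counts the hash operations an attacker spends in each case. The hardened scheme uses a per-user random salt with PBKDF2-HMAC-SHA256; the choice of PBKDF2 is mine, the point is the salt plus a deliberately slow function.</p>

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed sample data: three users, two of whom chose the same weak password.
USERS = {
    "alice": b"linkedin",
    "bob": b"linkedin",
    "carol": b"correct horse battery staple",
}
# A constructed five-word "dictionary" standing in for a real cracking wordlist.
WORDLIST = [b"password", b"123456", b"letmein", b"linkedin", b"qwerty"]


def hash_unsalted_sha1(password: bytes) -> str:
    """The weak scheme: a bare SHA-1 of the password, no salt, no work factor."""
    return hashlib.sha1(password).hexdigest()


def hash_salted(password: bytes, salt: bytes, iterations: int) -> str:
    """The hardened scheme: per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations).hex()


def build_unsalted_store(users: Dict[str, bytes]) -> Dict[str, str]:
    """user -> sha1 hex. Equal passwords produce equal rows, visible to anyone with the dump."""
    return {user: hash_unsalted_sha1(pw) for user, pw in users.items()}


def build_salted_store(users: Dict[str, bytes], iterations: int) -> Dict[str, Tuple[bytes, str]]:
    """user -> (salt, digest). Fresh 16-byte salt per user, so equal passwords differ."""
    store = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        store[user] = (salt, hash_salted(pw, salt, iterations))
    return store


def crack_unsalted(store: Dict[str, str], wordlist: List[bytes]) -> Tuple[Dict[str, bytes], int]:
    """One hash per candidate word cracks every user at once, however many there are."""
    lookup = {}
    work = 0
    for word in wordlist:
        work += 1
        lookup[hash_unsalted_sha1(word)] = word
    found = {user: lookup[h] for user, h in store.items() if h in lookup}
    return found, work


def crack_salted(store: Dict[str, Tuple[bytes, str]], wordlist: List[bytes],
                 iterations: int) -> Tuple[Dict[str, bytes], int]:
    """With a unique salt per user the whole wordlist must be re-hashed for each user,
    and each hash costs `iterations` HMAC rounds instead of one SHA-1."""
    found = {}
    work = 0
    for user, (salt, digest) in store.items():
        for word in wordlist:
            work += 1
            if hmac.compare_digest(hash_salted(word, salt, iterations), digest):
                found[user] = word
                break
    return found, work


if __name__ == "__main__":
    unsalted = build_unsalted_store(USERS)
    print("alice and bob share a hash:", unsalted["alice"] == unsalted["bob"])
    print("unsalted:", crack_unsalted(unsalted, WORDLIST))
    salted = build_salted_store(USERS, iterations=100_000)
    print("salted:  ", crack_salted(salted, WORDLIST, iterations=100_000))
```

<p>Both runs recover the same two weak passwords, so salting does not rescue a user who chose &#8220;linkedin&#8221;; what changes is the cost. The unsalted attack spends five hashes for the whole database and would spend five for six million users; the salted attack spends a full wordlist per user, each entry multiplied by the KDF iteration count, and never gets the free win of spotting duplicate rows. That is the difference between &#8220;we added some encryption&#8221; and a control that actually changes the attacker&#8217;s economics.</p>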
<div class="left"><img alt="" src="http://www.hurricanelabs.com/wp-content/uploads/images/bank_encryption.jpeg" width="363" height="340" /></div>
<p>You see it on websites all the time, “We use bank level encryption to secure your data” and my response to that is always, “so what?” My wife is probably quite sick of hearing about it and since no one else would listen I figured I’d write a blog post. When I read this, it is usually in reference to their website’s use of SSL and that’s great, everyone should use “bank level encryption” for their SSL connections. But what really matters is the meat of their protections, what are the other layers? If you’re just encrypting the traffic and nothing else then all you’ve done is ensure that no one can snoop on the bad guys while they’re breaking into your stuff. That’s it (and these days even that isn’t a certainty). We have to be smarter about the messages we send to customers. You are not protecting them because you’re encrypting their traffic &#8211; a slogan is simply not enough. You have to provide layers of protection and you should go into some detail about them so customers can really understand your precautions. This is <em>much</em> better than lying to them.</p>
<p>The bigger problem I have with encryption is that on a long enough timeline (shorter with more computers doing it) ALL encryption is breakable. Don’t believe me? <a href="http://www.fujitsu.com/global/news/pr/archives/month/2012/20120618-01.html" target="_blank">Fujitsu Labs just broke 923-bit pairing-based encryption</a> which was thought to take thousands of years. With <strong>21 computers (252 cores)</strong> they broke it <strong>in 148.2 days</strong>. That probably sounds like a long time if you’re only passingly familiar with cryptography, but really it was a land speed record. With computers getting faster, cheaper, and cloudier (couldn’t resist) cracking “bank level encryption” will become trivial within a few years. What does this mean? It means start getting serious and stop relying on encrypted voodoo and soothing marketing “power” words like “bank level encryption.” It is meaningless and makes me wonder what else you’re hiding.</p>
<p>The post <a href="http://hurricanelabs.com/blog/encryption-is-still-not-security/">Encryption is Still Not Security</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p><img src="http://feeds.feedburner.com/~r/HurricaneLabsNewsletter/~4/LSIg7h4eWsg" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/encryption-is-still-not-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/encryption-is-still-not-security/</feedburner:origLink></item>
		<item>
		<title>Just Keep Learning – Episode 1</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/ZGzgwGd_d2o/</link>
		<comments>http://hurricanelabs.com/blog/just-keep-learning-episode-1/#comments</comments>
		<pubDate>Mon, 25 Jun 2012 10:16:41 +0000</pubDate>
		<dc:creator>Steve McMaster</dc:creator>
				<category><![CDATA[General Cyber Security]]></category>
		<category><![CDATA[Education]]></category>
		<category><![CDATA[Training]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=6178</guid>
		<description><![CDATA[<p>Just Keep Learning &#8211; Episode 1 By: Steve McMaster I&#8217;m going to write a series of these blog posts based on a personal journey I began recently. My dad always told me growing up to “make your money with your &#8230; <a href="http://hurricanelabs.com/blog/just-keep-learning-episode-1/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/just-keep-learning-episode-1/">Just Keep Learning &#8211; Episode 1</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p><em>Just Keep Learning &#8211; Episode 1<br />
By: Steve McMaster</em></p>
<p>I&#8217;m going to write a series of these blog posts based on a personal journey I began recently. My dad always told me growing up to “make your money with your brain not your back”.<span id="more-8082"></span> I like to think I’ve done a pretty good job of that. But I learned in the little bit of college I went to that you need to have a diverse set of skills. Transferable skills. You can’t rely on the place you’re working to always be in business — in fact, I argued in class, it was irresponsible to do such a thing — and that you’ll be able to keep doing what you’re doing where you’re doing it forever. And while I love my job, it&#8217;s only responsible to understand that some day, it may not be there for me to love.</p>
<p>So here I am. A 22-year-old “Director of Internal Operations” at an IT security company. As I start this, I have three goals on my plate learning-wise. I’ll describe them each individually, but they all come from different places, and all cover different areas of my job-life. I want to set a deadline for each but I need to think long and hard so I can set realistic deadlines to break — err, meet.</p>
<div align="center"><img src="http://www.hurricanelabs.com/wp-content/uploads/images/mcmaster_running.jpeg"></div>
<p>The first goal comes to me from my boss. He tends to have these&#8230;random night terrors related to things he thinks are problems with our network, or servers, or a service we provide. And then he comes in, and usually he ends up being right, although occasionally I’ve had the same night terror first and already taken care of the problem. He’s been out of the office a few weeks, and among the several discussions we had, he brought to me his latest fear.</p>
<div align="center"><em>&#8220;I think/I know that our database servers aren’t well taken care of&#8230;<br />
I think we need to send someone to database admin school.&#8221;</em></div>
<p>So we conversed a bit and he’s right. None of the sysadmins have a very deep understanding of our database systems. We’re capable of installing them, and using them, and in general administering them (common tasks, like creating new databases, backing up the databases, etc). But when problems come up, especially in the Postgres world, we’re often turning to our developer (who has previous experience with running postgres) or our ex-developer, ex-dba, pentester (who, well, used to be our DBA, and is currently the closest thing we have to a real one) with questions, and then to Google if they don’t have the answers. The problem is they’re not involved in it every day, so it&#8217;s harder and harder for them to help. So we found a &#8220;database admin school&#8221; and we got ourselves a book or two.</p>
<p>My second goal was inspired by a coworker of mine recently. Out of everyone in the company anymore, he’s the closest to me in longevity — he has me beat by roughly six months, meaning December marked his 5 year anniversary with the company. Consequently, my 5 year anniversary is today. 5 years is an important landmark in the security industry. And it&#8217;s this landmark that got him, and then myself, thinking.</p>
<div align="center"><img src="http://www.hurricanelabs.com/wp-content/uploads/images/mcmaster_thinking.jpeg"></div>
<p>The <em>International Information Systems Security Certification Consortium</em> (or (ISC)^2 for short) publishes a certification called the <strong>CISSP</strong> — the <em>Certified Information Systems Security Professional</em>. This exam is an international standard for the security industry. If you’re interested, you can read all about it on its <a href="http://en.wikipedia.org/wiki/CISSP" target="_blank">Wikipedia page</a>. Basically, it&#8217;s an intense test that covers 10 “domains”, or subject matters, at a very broad level (it&#8217;s “a mile wide but an inch deep”). These ten domains range from physical security (locks on doors, security cameras, etc) to cryptography (encryption) to secure programming.</p>
<p>A colleague of one of the owners of the company I work for teaches a CISSP class in our training center at the office, and so my coworker and I plan to “audit” the class, so to speak, and prepare ourselves for the exam. I’ve heard it&#8217;s not easy, but that remains to be seen.</p>
<p>My third goal came about from an article I read online the other day about why every sysadmin should know 3 programming languages. Not any three in particular. But one each of three types of languages: <em>Automation</em>, <em>Production</em>, and <em>System</em>.</p>
<p>The <strong>Automation Language</strong> is one that you use to automate part of your systems administration job. Shell scripts that do repetitive things for you, etc.</p>
<p>The <strong>Production Language</strong> is one that you use to solve problems just a little too advanced for your automation language. It&#8217;s also for things you’d like to distribute to other people.</p>
<p>The <strong>System Language</strong> is the real low-level one. The one your OS is written in. The one all of your OS tools are written in. It’s probably a C-based language (C, C#, Objective C).</p>
<p>I already know an automation language – BASH. I write things in it for those exact reasons all the time. And I have a production language too – Python. I write all sorts of things in Python. Including my biggest project ever, <a href="https://www.supload.me/" target="_blank">Supload</a>. I’m missing a system language. I talked to our developer about this dilemma and asked for a suggestion which language to learn. He suggested Go, a &#8220;next generation&#8221; programming language from Google. We looked around and found a set of &#8220;koans&#8221; &#8212; a set of short simple tutorials using the language to teach itself &#8212; for Go, and we both began working on them. I&#8217;ll probably pick up a book about Go as well.</p>
<p>As I proceed through my journey I will post updates about my endeavors, the first of which is coming soon.</p>
<p>The post <a href="http://hurricanelabs.com/blog/just-keep-learning-episode-1/">Just Keep Learning &#8211; Episode 1</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p><img src="http://feeds.feedburner.com/~r/HurricaneLabsNewsletter/~4/ZGzgwGd_d2o" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/just-keep-learning-episode-1/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/just-keep-learning-episode-1/</feedburner:origLink></item>
		<item>
		<title>Why You DO Need a Firewall</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/FJHdF-eaiM4/</link>
		<comments>http://hurricanelabs.com/blog/why-you-do-need-a-firewall/#comments</comments>
		<pubDate>Wed, 16 May 2012 11:40:21 +0000</pubDate>
		<dc:creator>Tom Kopchak</dc:creator>
				<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Firewall]]></category>
		<category><![CDATA[Rant]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=5885</guid>
		<description><![CDATA[<p>This week, our office came across an article by Roger A. Grimes entitled “Why you don&#8217;t need a firewall”. As a security professional working for a company whose responsibilities include firewall management, I found the article to be extremely shortsighted, &#8230; <a href="http://hurricanelabs.com/blog/why-you-do-need-a-firewall/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/why-you-do-need-a-firewall/">Why You DO Need a Firewall</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>This week, our office came across an article by Roger A. Grimes entitled <a href="http://www.infoworld.com/d/security/why-you-dont-need-firewall-193153?page=0,0" target="_blank">“Why you don&#8217;t need a firewall”</a>.</p>
<p>As a security professional working for a company whose responsibilities include firewall management, I found the article to be extremely shortsighted, and borderline offensive. Normally, I&#8217;d encourage you to read the article in question, but your time is most certainly better spent doing nearly anything else. I would highly recommend learning home dentistry as a suitable alternative activity.</p>
<p><span id="more-8077"></span></p>
<p>Grimes argues that firewalls are becoming increasingly less relevant, due to their inability to protect against attacks, the difficulty associated with managing the devices, and the availability of more effective defenses and solutions. The sheer number of logical fallacies spawning hasty generalizations in the article leads me to believe that it is <a href="http://www.youtube.com/watch?v=iwGFalTRHDA" target="_blank">intentionally written to provoke this type of discussion</a>. With this in mind, I would like to address several of the author&#8217;s arguments from the perspective of a security engineer.</p>
<p>Network boundaries are amongst the most sensitive areas of any network. Although attacks can be targeted towards any area of a network, the majority of intruders will utilize a WAN connection as their primary attack vector. Such a connection provides much more viability and availability than a localized connection, such as a wireless network. Any traffic utilizing this connection should encounter a firewall. This firewall should be configured to only allow traffic that is absolutely necessary. Any unnecessary or unrecognized traffic should be immediately dropped at the border.</p>
<p>A firewall is by no means a cure-all. Effective security is built on a series of well-placed, layered defenses. Such an approach forces a would-be attacker to penetrate multiple barriers and systems in order to reach his target. A given system could be vulnerable to any number of attacks. However, a system globally accessible from the Internet with minimal defenses is a significantly more attractive (and likely) target than a well-protected one. An attacker forced to defeat a border firewall, evade an intrusion detection and prevention system, bypass access control lists (since these can serve as a pseudo-firewall as well), and successfully circumvent both an application layer and host-based firewall in order to exploit a specific vulnerability (which they would have to discover using similar methods) all while not drawing any attention to the attack in progress represents a much less likely scenario. As a security professional, what approach would you prefer to protect your critical services and information?</p>
<p>Part of my security experience stems from the National Collegiate Cyber Defense Competition (CCDC), where I was a member of the Rochester Institute of Technology team for several years. This competition is intended to simulate the experience of managing and defending a corporate network from a talented team of motivated attackers and penetration testers (the red team) while still allowing the business to function effectively. Essentially, the competition represents the day-to-day operations of an information security and information technology department condensed into a three day window. Year after year, some of the most successful teams were those whose strategy involved a solid perimeter defense. By restricting incoming (and to a lesser extent, outgoing) traffic to only services that were required, the vulnerabilities available for exploit by the red team significantly decreased. Teams with weak perimeter defenses frequently went out with a blaze of red team glory, unable to reassemble the broken bits of their infrastructure into any semblance of a functional network.</p>
<p>It may be true that the computing paradigm is moving away from the traditional fat client approach of full desktops and laptops to one where mobile devices such as tablets, smartphones, and other embedded devices rule our lives. Although these devices may have a smaller attack surface, they can and will be subject to the same level of malicious activity as any client machine in use today. Eventually, we will see many more targeted attacks exploiting vulnerabilities in our mobile phones and tablets. Even though these devices are currently considered to be more secure than a desktop running a full blown Windows installation, we cannot hide these devices under a veil of supposed security. Vulnerabilities exist in these devices, and they will be exploited. You don&#8217;t believe me? Windows 2000 was advertised as being secure when it was released as well.</p>
<p>The author&#8217;s comments concerning the solution to MS12-020 are incredibly shortsighted. Yes, applying the Microsoft hotfix is the ultimate solution to the underlying vulnerability that was addressed in the security bulletin. However, his approach requires that patches be deployed immediately once they become available. Even the most vigilant organization experiences a lag period between the release of a patch and its deployment to vulnerable systems. In some cases, patching cycles can be months behind the original release dates. Fortunately, security patches have never been known to cause system failures or malfunctions. Additionally, security patches never need to be tested to ensure compatibility with the systems and software deployed on an organization&#8217;s network. Furthermore, any problems that might be caused by the installation of a security patch (I know these don&#8217;t happen, but bear with me for a moment here) are easily remedied by simply uninstalling the patch, with little to no administrative oversight or troubleshooting required. Contrast this to an emergency firewall block, which omits the brain-dead simple software side of things with the painstakingly difficult modification of a few configuration lines. Consider the incredible challenge of troubleshooting any associated problems of this firewall block, since firewalls do not provide any mechanism for selectively enabling or disabling rules for isolating problems. You might even have to manually weed through log files (since there aren&#8217;t any tools for managing these sorts of things) that will tell you exactly what the problem is. The point stands as written, firewalls are unnecessary.</p>
<p>Like any computing device, a firewall is incredibly good at doing exactly what it is told to do. Some administrators have a tendency to configure their firewalls to work as routers, moving traffic between networks with little to no interference. If you need routing functionality, there&#8217;s a device for that – <strong>it&#8217;s called a router!</strong> If you are putting ANY-ANY rules in your firewall policies, you are doing it wrong. Yes, connectivity issues can be more challenging to troubleshoot when a firewall is involved, and it is tempting to completely eliminate the firewall as a source of interference when struggling to meet a deadline. However, applications can be made to work through a firewall. In the end, you might even end up understanding more about the application&#8217;s operation and communication than the original developers know themselves.</p>
<p>I sincerely hope that my colleagues are misinterpreting the intent of this article. Perhaps Grimes is writing as a present-day Jonathan Swift, drafting a modern Modest Proposal. If that is the case, he has certainly accomplished his goal.</p>
<p>If not, <em>God help us all</em>.</p>
<p>The post <a href="http://hurricanelabs.com/blog/why-you-do-need-a-firewall/">Why You DO Need a Firewall</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p><img src="http://feeds.feedburner.com/~r/HurricaneLabsNewsletter/~4/FJHdF-eaiM4" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/why-you-do-need-a-firewall/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/why-you-do-need-a-firewall/</feedburner:origLink></item>
		<item>
		<title>No Firewall, No Problem?</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/88WCv4dr89g/</link>
		<comments>http://hurricanelabs.com/blog/no-firewall-no-problem/#comments</comments>
		<pubDate>Wed, 16 May 2012 11:10:18 +0000</pubDate>
		<dc:creator>matt</dc:creator>
				<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Firewall]]></category>
		<category><![CDATA[Rant]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=5872</guid>
		<description><![CDATA[<p>In one of the more short-sighted, narrow-minded, and just downright inane articles that I&#8217;ve read in quite sometime Roger Grimes told us all about &#8220;Why you don&#8217;t need a firewall.&#8221; His premise is that exploits and attacks are developing at &#8230; <a href="http://hurricanelabs.com/blog/no-firewall-no-problem/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/no-firewall-no-problem/">No Firewall, No Problem?</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>In one of the more short-sighted, narrow-minded, and just downright inane articles that I&#8217;ve read in quite some time, Roger Grimes told us all about &#8220;<a href="http://www.infoworld.com/d/security/why-you-dont-need-firewall-193153?page=0,0" target="_blank">Why you don&#8217;t need a firewall.</a>&#8221;</p>
<p><span id="more-8076"></span>His premise is that exploits and attacks are developing at a level as to surpass the capabilities of a conventional firewall and that firewalls aren&#8217;t used properly <strong>so why bother</strong>. We&#8217;ve all heard that before and I won&#8217;t even get into the muddled waters of the next-generation firewall concept, though I could. The worst part about the idea of the firewall being dead is the rationale he gives for the death of the firewall.</p>
<p>First he talks about how remote buffer overflows have decreased since 2003 and how Microsoft has improved the code to the point where protections on the host have rendered the firewall useless. Clearly I&#8217;m behind the times, apparently the success of the firewall is now measured by how many buffer overflows are stopped. Now the rest of the garbage that is stopped by the firewall is irrelevant? Good to know.</p>
<p>Next he goes on to talk about the management of the firewall:</p>
<p class="callout">&#8220;Firewalls tend to be horribly managed. Almost no one reads the logs or responds to the events recorded. Who can blame us? The average firewall produces thousands of warning messages every hour. Who can find the valuable, actionable information in all that noise? Not me &#8212; nor any firewall administrator I&#8217;ve ever met.&#8221;</p>
<p>I&#8217;m almost unsure of how to respond to that. As someone whose job it was to manage firewalls for over 30 different organizations, I’m offended. A competent firewall administrator is doing all of those things. Firewall logs are an extremely valuable resource for both analysis and troubleshooting purposes. Just because Roger (or any of the people he worked with) aren’t doing these things does not mean that others aren’t. He also talks about poorly written firewall policies being another reason why firewalls are ineffective. I would agree with him, a loose firewall policy is inviting attack vectors that you could easily close up by doing it right but just because someone was less than thoughtful or lazy does NOT mean that the technology itself is inherently flawed. Using that logic you can blame the gun and not the gunman for the crime.</p>
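<p>An added example (not from the original post) of the kind of analysis the author has in mind: a small awk pipeline that collapses a stream of noisy firewall deny messages into one line per source, ranked by how many distinct closed ports each source was dropped on. The log lines are constructed in the iptables LOG-target style using documentation addresses, and the function name is made up for this example.</p>

```shell
#!/bin/sh
# Added example, not part of the original post. Turns "thousands of warning
# messages every hour" into a short, actionable list: which sources keep
# getting dropped, and how many different closed ports each one reached for.

# Constructed sample in iptables LOG-target style (documentation IPs only).
# The last line is an accept and must be ignored by the summary.
SAMPLE_DENY_LOG='May 16 11:40:01 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=22
May 16 11:40:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=23
May 16 11:40:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51236 DPT=3389
May 16 11:40:03 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51237 DPT=445
May 16 11:40:05 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=UDP SPT=137 DPT=137
May 16 11:40:06 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=UDP SPT=137 DPT=137
May 16 11:40:07 fw kernel: FW-ACCEPT: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=443'

# deny_summary [MIN_PORTS]
# Reads log lines on stdin and prints "<src> <drops> <distinct_dports>" for
# every source that was dropped on at least MIN_PORTS distinct destination
# ports (default 1), busiest source first. A source with many distinct
# ports in a short window is what a port sweep looks like from the log side;
# a source hammering one port is usually a misconfigured host or a single
# blocked service. Both are worth a look, but not the same look.
deny_summary() {
    min=${1:-1}
    awk '
        /FW-DROP:/ {
            src = ""; dpt = ""
            # pull the SRC= and DPT= fields wherever they sit on the line
            if (match($0, /SRC=[^ ]+/)) src = substr($0, RSTART + 4, RLENGTH - 4)
            if (match($0, /DPT=[^ ]+/)) dpt = substr($0, RSTART + 4, RLENGTH - 4)
            if (src == "") next
            drops[src]++
            if (!((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
        }
        END {
            for (s in drops) print s, drops[s], ports[s]
        }' |
    while read -r src drops nports; do
        # keep only sources that touched at least MIN_PORTS distinct ports
        if [ "$nports" -ge "$min" ]; then
            echo "$src $drops $nports"
        fi
    done | sort -k2,2nr -k1,1
}
```

<p>Feed it a real file with something like <code>deny_summary 5 &lt; /var/log/kern.log</code> to see only the sources that swept five or more ports.</p>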
<p>Lastly, Mr. Grimes blames the fact that most applications now run over ports 80 and 443 for the ineffectiveness of the firewall. Okay, I guess I will get into the next-gen firewall concept. Most firewalls today can inspect and profile both 80 and 443 traffic and determine what is malicious and what is not. Is it always fool-proof? No, but the next-gen firewall will provide some of the protections that he claims are lacking in firewall technology.</p>
<p>I think my biggest issue isn’t that he’s trying to make an argument for getting rid of the firewall &#8211; it’s that as a security professional he’s forgetting one of the basic tenets of security: <strong>Defense-in-Depth</strong>. Let’s just agree with him for one minute and say that the firewall isn’t doing as good a job as it was 10 years ago, does that mean that we should take that layer of protection out of the equation? By no means am I saying that the firewall is the be-all/end-all of your company’s security posture but remove it completely because it isn’t being administered properly? I think I’ll go home and take the locks off my doors because someone could kick it down if they really wanted to. I almost blame InfoWorld for this since they published this piece and either didn’t read it or worse, didn’t find anything wrong with it.</p>
<p>The post <a href="http://hurricanelabs.com/blog/no-firewall-no-problem/">No Firewall, No Problem?</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p><img src="http://feeds.feedburner.com/~r/HurricaneLabsNewsletter/~4/88WCv4dr89g" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/no-firewall-no-problem/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/no-firewall-no-problem/</feedburner:origLink></item>
		<item>
		<title>Slow Down and Make Yourself Faster – Tips for the Terminal</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/CNDiMcayia4/</link>
		<comments>http://hurricanelabs.com/blog/slow-down-and-make-yourself-faster-tips-for-the-terminal/#comments</comments>
		<pubDate>Tue, 15 May 2012 11:13:36 +0000</pubDate>
		<dc:creator>Aaron Croyle</dc:creator>
				<category><![CDATA[Code]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[Tutorial]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=5830</guid>
		<description><![CDATA[<p>I spend most of my day typing arcane things into black windows with green text, as such I spend some time looking for ways to eliminate keystrokes. I&#8217;ve been using bash and vim for more that 10 years and I &#8230; <a href="http://hurricanelabs.com/blog/slow-down-and-make-yourself-faster-tips-for-the-terminal/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/slow-down-and-make-yourself-faster-tips-for-the-terminal/">Slow Down and Make Yourself Faster &#8211; Tips for the Terminal</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>I spend most of my day typing arcane things into black windows with green text, as such I spend some time looking for ways to eliminate keystrokes.</p>
<p><span id="more-8075"></span> I&#8217;ve been using <em>bash</em> and <em>vim</em> for more than 10 years and I continue to learn more features that I can use on a daily basis. I&#8217;ll give you some tips at the end, but the moral of the story is learn how to make better use of your tools.</p>
<h3>How to Get Better</h3>
<p><strong>1)</strong> Anytime you&#8217;re typing the same thing more than once, ask yourself if there&#8217;s a better way to do it. If you don&#8217;t know, stop what you&#8217;re doing and ask Google. Maybe you should be using <strong>awk</strong> or <strong>sed</strong> to do some search and replace job. Maybe you can just do it in vim. If you&#8217;re in vim already, do you know how to work on more than one file at a time?</p>
<p><strong>2)</strong> Anytime you want to do something you&#8217;ve done before (ok, that&#8217;s the same as typing it again, right?) think about how to do it faster. You can use <strong>^R</strong> to search your bash history, you could write a shell routine, you could write a script, that script could be parametrized.</p>
<p><strong>3)</strong> When you want to do something involving multiple files, use <strong>find</strong>. Really, read the man page for find. It&#8217;ll <em>chmod</em>, <em>chown</em>, <em>rm</em> and more all the files you can find with it.</p>
<p><strong>4)</strong> Keybindings! Start learning how to do fancy things with single keystrokes. If you&#8217;re holding down the arrow keys (or Delete/Backspace), or pounding them repeatedly, there&#8217;s probably a better way to get where you&#8217;re going. Start of the line, end of the line, delete a word, delete through the end of the line. There are keystrokes for all of these and more in both your shell and editor.</p>
<p><strong>5)</strong> Know how to navigate and customize your environment. This is all personal preference, but I keep certain tasks on certain spaces (virtual desktops), user shells in one tabbed window, root shells in another. All of my shells now run <strong>screen</strong>. And my latest bit of learning was tabs for vim to edit multiple files, this lets me stay organized and move between tasks quickly. You&#8217;ll need to figure something out for yourself, but always think about how your environment could be better or faster. Most of these settings will happen in <em>dot files</em>, so you&#8217;ll probably want to have an easy way to deploy them to new machines. I use a skel.tgz that I keep on one of my servers, using GitHub or Bitbucket might be another good idea.</p>
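<p>Tip 3 worked through, as an added example that is not part of the original post: a small POSIX shell file that uses <strong>find</strong> to locate and fix world-writable files under a directory in one pass rather than chmod-ing them by hand. The directory and file names are assumptions and the three function names are made up for this example.</p>

```shell
#!/bin/sh
# Added example, not from the original post: tip 3 in practice. Instead of
# fixing files one at a time, let find(1) select them and act on them in a
# single pass. Function names and paths are made up for this example.
#
# Things the man page will tell you that are worth knowing up front:
#  * -type f restricts the action to regular files, so directories (which
#    may legitimately carry other bits) are left alone.
#  * -perm -0002 matches any file whose "other" write bit is set, whatever
#    the remaining bits are.
#  * -exec ... {} + hands many paths to one chmod, like xargs but without
#    the whitespace-in-filename breakage of a plain "find | xargs".

# Print regular files under $1 that anyone on the box can write to.
world_writable_files() {
    find "$1" -type f -perm -0002 -print
}

# Count how many such files exist under $1 (the dry run for the fix below).
count_world_writable() {
    find "$1" -type f -perm -0002 -print | awk 'END { print NR }'
}

# Strip the world-write bit from every such file under $1, leaving every
# other permission bit as it was, and print how many files were changed.
fix_world_writable() {
    n=$(count_world_writable "$1")
    find "$1" -type f -perm -0002 -exec chmod o-w {} +
    echo "$n"
}
```

<p>Source the file and run <code>count_world_writable /srv/www</code> first; when the number looks right, <code>fix_world_writable /srv/www</code> does the same search with the chmod attached.</p>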
<p>Ok now here&#8217;s some tips and tools I frequently use:</p>
<p><strong>bash</strong><br />
1) Keybindings:<br />
* ^R &#8211; search your history<br />
* ^A &#8211; start of the line<br />
* ^E &#8211; end of the line<br />
* ^K &#8211; delete through the end of the line<br />
* esc-D &#8211; delete through the end of a word<br />
* esc-backspace &#8211; delete back to the start of a word</p>
<p>2) .bashrc collected from who knows where, some of this may be standard in your distro:</p>
<pre><code>export VISUAL=vim
# Screen needs this
alias vi=vim

# If not running interactively, don't do anything
[ -z "$PS1" ] &amp;&amp; return

# make less more friendly for non-text input files, see lesspipe(1)
[ -x /usr/bin/lesspipe ] &amp;&amp; eval "$(SHELL=/bin/sh lesspipe)"

# set variable identifying the chroot you work in (used in the prompt below)
if [ -z "$debian_chroot" ] &amp;&amp; [ -r /etc/debian_chroot ]; then
    debian_chroot=$(cat /etc/debian_chroot)
fi

# set a fancy prompt (non-color, unless we know we "want" color)
case "$TERM" in
    xterm-color) color_prompt=yes;;
    ansi) color_prompt=yes;;
    screen) color_prompt=yes;;
    screen-bce) color_prompt=yes;;
esac

# uncomment for a colored prompt, if the terminal has the capability; turned
# off by default to not distract the user: the focus in a terminal window
# should be on the output of commands, not on the prompt
#force_color_prompt=yes

if [ -n "$force_color_prompt" ]; then
    if [ -x /usr/bin/tput ] &amp;&amp; tput setaf 1 &gt;&amp;/dev/null; then
        # We have color support; assume it's compliant with Ecma-48
        # (ISO/IEC-6429). (Lack of such support is extremely rare, and such
        # a case would tend to support setf rather than setaf.)
        color_prompt=yes
    else
        color_prompt=
    fi
fi

if [ "$color_prompt" = yes ]; then
    PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;36m\]\w\[\033[00m\]\$ '
else
    PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
fi
unset color_prompt force_color_prompt

# If this is an xterm set the title to user@host:dir
case "$TERM" in
    xterm*|rxvt*)
        PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
        ;;
    *)
        ;;
esac

# enable color support of ls and also add handy aliases
if [ -x /usr/bin/dircolors ]; then
    eval "`dircolors -b ~/.dir_colors`"
    alias ls='ls --color=auto'
fi

# enable programmable completion features (you don't need to enable
# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
# sources /etc/bash.bashrc).
if [ -f /etc/bash_completion ]; then
    . /etc/bash_completion
    . ~/bin/django_bash_completion
    echo "Extended Complete enabled"
fi

# Get out of a symlinked path
# this was a case of repeating the same command
alias here='cd `pwd -P`'

# I want anything in my bin to come first
export PATH=~/bin:${PATH}:/usr/sbin:/sbin

# I frequently grep for a string in all of a particular type of file
# under the current directory. The pattern and any grep options are
# passed through quoted, so a pattern containing spaces survives intact.
function type_find {
    TYPE=$1
    shift 1
    find ./ -name "*$TYPE" -exec grep -H "$@" {} \;
}

# Mostly python files
function py_find {
    type_find py "$@"
}
</code></pre>
<p>3) <em>.dircolors</em> (this looks good on a black screen, mostly it subs cyan for the usual dark blue)</p>
<pre><code># Configuration file for dircolors, a utility to help you set the
# LS_COLORS environment variable used by GNU ls with the --color option.

# The keywords COLOR, OPTIONS, and EIGHTBIT (honored by the
# slackware version of dircolors) are recognized but ignored.

# Below, there should be one TERM entry for each termtype that is colorizable
TERM linux
TERM linux-c
TERM mach-color
TERM console
TERM con132x25
TERM con132x30
TERM con132x43
TERM con132x60
TERM con80x25
TERM con80x28
TERM con80x30
TERM con80x43
TERM con80x50
TERM con80x60
TERM dtterm
TERM xterm
TERM xterm-color
TERM xterm-debian
TERM rxvt
TERM screen
TERM screen-w
TERM vt100
TERM Eterm

# Below are the color init strings for the basic file types. A color init
# string consists of one or more of the following numeric codes:
# Attribute codes:
# 00=none 01=bold 04=underscore 05=blink 07=reverse 08=concealed
# Text color codes:
# 30=black 31=red 32=green 33=yellow 34=blue 35=magenta 36=cyan 37=white
# Background color codes:
# 40=black 41=red 42=green 43=yellow 44=blue 45=magenta 46=cyan 47=white
NORMAL 00 # global default, although everything should be something.
FILE 00 # normal file
DIR 00;36 # directory
LINK target # symbolic link. (If you set this to 'target' instead of a
# numerical value, the color is as for the file pointed to.)
FIFO 40;33 # pipe
SOCK 01;35 # socket
DOOR 01;35 # door
BLK 40;33;01 # block device driver
CHR 40;33;01 # character device driver
ORPHAN 40;31;01 # symlink to nonexistent file

# This is for files with execute permission:
EXEC 01;32

# List any file extensions like '.gz' or '.tar' that you would like ls
# to colorize below. Put the extension, a space, and the color init string.
# (and any comments you want to add after a '#')

# If you use DOS-style suffixes, you may want to uncomment the following:
#.cmd 01;32 # executables (bright green)
#.exe 01;32
#.com 01;32
#.btm 01;32
#.bat 01;32

# archives or compressed (bright red)
.tar 01;31
.tgz 01;31
.arj 01;31
.taz 01;31
.lzh 01;31
.zip 01;31
.z 01;31
.Z 01;31
.gz 01;31
.bz2 01;31
.deb 01;31
.rpm 01;31
.jar 01;31

# image formats
.jpg 01;35
.jpeg 01;35
.gif 01;35
.bmp 01;35
.pbm 01;35
.pgm 01;35
.ppm 01;35
.tga 01;35
.xbm 01;35
.xpm 01;35
.tif 01;35
.tiff 01;35
.png 01;35
.mpg 01;35
.mpeg 01;35
.avi 01;35
.fli 01;35
.gl 01;35
.dl 01;35
.xcf 01;35
.xwd 01;35

# audio formats
.ogg 01;35
.mp3 01;35
.wav 01;35
</code></pre>
<p><strong>What&#8217;s in my ~bin?</strong><br />
1) django_bash_completion &#8211; from extras/django_bash_completion in the django distribution</p>
<p>2) user@host:~/bin$ cat pep8_check.sh<br />
<code># I don't like the line length errors<br />
find ./ -name \*py | xargs pep8 --show-source -r --ignore=E501</code></p>
<p>3) Other scripts of little use to anyone else</p>
<p><strong>vim</strong><br />
1) Installed plugins:<br />
* Supertab &#8211; <a href="http://www.vim.org/scripts/script.php?script_id=1643" target="_blank">http://www.vim.org/scripts/script.php?script_id=1643</a><br />
* <a href="http://www.vim.org/scripts/script.php?script_id=105" target="_blank">desert color theme</a> (looks good on a black terminal)</p>
<p>2) <em>.virmrc</em> I particularly like the mappings for dealing with tabs, as that is the newest addition:</p>
<p><code>"""<br />
"The default leader is '\', but many people prefer ',' as it's in a<br />
standard location<br />
let mapleader = ','</code></p>
<p>colors desert<br />
set ts=4<br />
set sw=4<br />
set et<br />
set ai<br />
syntax on<br />
set hlsearch</p>
<p>:function! Go_wide()<br />
:% s/,/ /g<br />
:set ts=40<br />
:set nowrap<br />
:set ss=5<br />
:endfunction</p>
<p>nnoremap &lt;C-p&gt; :set invpaste paste?&lt;CR&gt;<br />
set pastetoggle=&lt;C-p&gt;<br />
set showmode</p>
<p>" Only in python files<br />
au BufRead,BufNewFile *.py,*.pyw highlight OverLength ctermbg=red ctermfg=white guibg=#592929<br />
au BufRead,BufNewFile *.py,*.pyw match OverLength /\%80v.\+/</p>
<p>" Making it so ; works like : for commands. Saves typing and<br />
" eliminates :W style typos due to lazy holding shift.<br />
nnoremap ; :</p>
<p>" clearing highlighted search &#8211; by typing ",/"<br />
nmap &lt;silent&gt; &lt;leader&gt;/ :nohlsearch&lt;CR&gt;</p>
<p>" Change Working Directory to that of the current file<br />
cmap cwd lcd %:p:h<br />
cmap cd. lcd %:p:h</p>
<p>" tabbing stuff ^h and ^l for next/prev tabs<br />
map &lt;C-h&gt; :tabp&lt;cr&gt;<br />
map &lt;C-l&gt; :tabn&lt;cr&gt;<br />
imap &lt;C-h&gt; &lt;esc&gt;:tabp&lt;cr&gt;<br />
imap &lt;C-l&gt; &lt;esc&gt;:tabn&lt;cr&gt;<br />
map &lt;C-n&gt; :tabnew</p>
<p>&#8220;&#8221;"</p>
<p>The post <a href="http://hurricanelabs.com/blog/slow-down-and-make-yourself-faster-tips-for-the-terminal/">Slow Down and Make Yourself Faster &#8211; Tips for the Terminal</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p><img src="http://feeds.feedburner.com/~r/HurricaneLabsNewsletter/~4/CNDiMcayia4" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/slow-down-and-make-yourself-faster-tips-for-the-terminal/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/slow-down-and-make-yourself-faster-tips-for-the-terminal/</feedburner:origLink></item>
		<item>
		<title>Review of Certificate of Cloud Security Knowledge</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/rTpNxIsBevI/</link>
		<comments>http://hurricanelabs.com/blog/review-of-certificate-of-cloud-security-knowledge/#comments</comments>
		<pubDate>Wed, 02 May 2012 15:31:00 +0000</pubDate>
		<dc:creator>Bill Mathews</dc:creator>
				<category><![CDATA[General Cyber Security]]></category>
		<category><![CDATA[Certification]]></category>
		<category><![CDATA[Cloud]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=5794</guid>
		<description><![CDATA[<p>Recently (well, last night) I had the opportunity to take the Certificate of Cloud Security Knowledge exam and just wanted to put out some of my thoughts while they were fresh in my head. I always like to take a &#8230; <a href="http://hurricanelabs.com/blog/review-of-certificate-of-cloud-security-knowledge/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/review-of-certificate-of-cloud-security-knowledge/">Review of Certificate of Cloud Security Knowledge</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>Recently (well, last night) I had the opportunity to take the <a href="https://cloudsecurityalliance.org/education/certificate-of-cloud-security-knowledge/" target="_blank">Certificate of Cloud Security Knowledge exam</a> and just wanted to put out some of my thoughts while they were fresh in my head.</p>
<p><span id="more-8073"></span> I always like to take a random sampling of certifications. It&#8217;s fun to challenge myself (some are more challenging than others) and it gives me a good idea of what sorts of training and certificates I&#8217;d like my guys to have (if any). I&#8217;ve never been the biggest fan of some of the bigger ones out there, but we&#8217;ll save that for another post.</p>
<p>The bulk of the CCSK covers the <a href="https://cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf" target="_blank">Cloud Security Alliance&#8217;s guidance document</a> and the rest can be found on their <a href="https://cloudsecurityalliance.org/education/certificate-of-cloud-security-knowledge/ccsk-faq/" target="_blank">exam FAQ</a>. They break down &#8220;cloud security knowledge&#8221; into 13 so-called domains and two areas &#8211; one <a href="https://cloudsecurityalliance.org/education/certificate-of-cloud-security-knowledge/ccsk-faq/" target="_blank">focused on an ENISA report</a> and one based on applied knowledge. Don&#8217;t let the ENISA stuff steer you off though, as the principles are perfectly applicable here in the US (where I am based anyway). The domains are general enough that they include some very good guidelines, but they&#8217;re not too in-depth in any one area, which is okay; they&#8217;re not supposed to be. It really is just a guided tour of things you need to know before going &#8220;cloud.&#8221; The price is a little steep ($295 US) but is reasonable when compared to a few others and includes two attempts (in case you fail). The test is web-based so of course you could cheat, but then <em>what would your conscience think of you</em>?</p>
<p>Overall I actually liked the exam. It asked some good questions that will steer folks who are just getting into &#8220;cloud stuff&#8221; in the right direction. They do have a couple of courses that go more in-depth into the various domains and probably provide a lot more detail than their guidance report does. I didn&#8217;t take the class because, well, I just didn&#8217;t and probably won&#8217;t since I&#8217;ve been doing cloud stuff for a while and was already familiar with the ENISA report. I loved the noticeable lack of any vendor &#8220;spin&#8221; or marketing and the focus on actual implementation issues. If I were training someone to build out more cloud security or just deploying a cloud project I would recommend the training and certification. Just my $.02, but I almost never have anything good to say about certifications or infosec training programs. So I wanted to put some positive things out there while I had one.</p>
<p>The post <a href="http://hurricanelabs.com/blog/review-of-certificate-of-cloud-security-knowledge/">Review of Certificate of Cloud Security Knowledge</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p><img src="http://feeds.feedburner.com/~r/HurricaneLabsNewsletter/~4/rTpNxIsBevI" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/review-of-certificate-of-cloud-security-knowledge/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/review-of-certificate-of-cloud-security-knowledge/</feedburner:origLink></item>
		<item>
		<title>New Splunk Nagios/Icinga Checks</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/KJadmTGDRO4/</link>
		<comments>http://hurricanelabs.com/blog/new-splunk-nagiosicinga-checks/#comments</comments>
		<pubDate>Tue, 01 May 2012 14:25:13 +0000</pubDate>
		<dc:creator>Steve McMaster</dc:creator>
				<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Nagios]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Splunk]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=5785</guid>
		<description><![CDATA[<p>A few months ago, we released a tool called check_splunk_license to the world (under the GPL at the time, but as of 4/19/2012, alternatively available under the MIT license). Since then, the check was adopted by Luke Harris for use &#8230; <a href="http://hurricanelabs.com/blog/new-splunk-nagiosicinga-checks/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/new-splunk-nagiosicinga-checks/">New Splunk Nagios/Icinga Checks</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>A few months ago, we released a tool called <strong>check_splunk_license</strong> to the world (under the GPL at the time, but as of 4/19/2012, alternatively <a href="http://www.hurricanelabs.com/open-source-licensing-demystified/" target="_blank">available under the MIT license</a>).</p>
<p><span id="more-8072"></span><br />
Since then, the check was adopted by Luke Harris for use in the <a href="http://splunk-base.splunk.com/apps/22374/splunk-for-nagios/?ac=partner_hurricanelabs" target="_blank">Splunk for Nagios app for Splunk</a>. We promised way back when that we&#8217;d add additional checking for the expiration of licenses, and now I&#8217;m here to tell you we&#8217;ve made good on that promise. But there&#8217;s more to the update than just expiration monitoring&#8230;</p>
<p>The reason we originally released <em>check_splunk_license</em>, you may recall, was in direct response to a problem we were having &#8211; we kept violating our license, and not getting a notification about it. Well, the additional check in this update came from a similar problem. A customer of ours was experiencing an issue where random events (roughly 28 days old, if I&#8217;m not mistaken) were being deleted from their index. Upon investigation, we discovered that their &#8216;main&#8217; index (the default index for things in Splunk) had reached and exceeded the configured max size (the default, 500000MB or ~500GB &#8212; that&#8217;s a lot of logs!). Once an index hits its size limit, Splunk rolls its oldest buckets to frozen, which by default means deleting them, so the &#8220;random&#8221; deletions were simply the oldest data being aged out by size rather than by retention time. And so, we created an additional monitoring check to alert when an index is approaching its max size.</p>
<p>All three of the checks have been integrated into a single <em>check_splunk.py</em> file, which you can use to execute the checks. In addition, three wrapper scripts have been included, one for each of the individual checks we provided (<em>check_splunk_license</em>, <em>check_splunk_index</em>, and <em>check_splunk_license_expiration</em>). However, we&#8217;ve added an important dependency &#8212; we now require that <a href="http://pypi.python.org/pypi/pynagios" target="_blank">pynagios be installed</a>. This python module makes writing Nagios/Icinga plugins a walk in the park, including performance data! We&#8217;re slowly moving all of our checks to using this module, and encourage everyone to use it in anything they write.</p>
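<p>As an added example of the index-size check described above (this is not the Hurricane Labs <em>check_splunk.py</em>, and it uses the Python standard library rather than pynagios), here is a stand-alone Nagios/Icinga-style plugin. It reads the index list from splunkd&#8217;s REST endpoint <code>/services/data/indexes</code> and grades one index&#8217;s <code>currentDBSizeMB</code> against its <code>maxTotalDataSizeMB</code> with warning/critical percentage thresholds. The embedded JSON is a constructed sample of that endpoint&#8217;s response, trimmed to the fields the check reads; the 8089 management port, the default thresholds and the command-line flags are choices made for this example.</p>

```python
"""Nagios/Icinga-style index-size check for Splunk (added example, not the
Hurricane Labs check_splunk.py). Queries /services/data/indexes on splunkd's
management port and compares currentDBSizeMB with maxTotalDataSizeMB for one
index. Plain stdlib instead of pynagios."""
import argparse
import base64
import json
import ssl
import sys
import urllib.request
from typing import Tuple

# Nagios plugin exit codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# Constructed sample of the JSON that
# GET https://<host>:8089/services/data/indexes?output_mode=json returns,
# trimmed to the fields this check reads. 'main' is at 96% of its limit.
SAMPLE_INDEXES_JSON = json.dumps({"entry": [
    {"name": "main",
     "content": {"currentDBSizeMB": 480000, "maxTotalDataSizeMB": 500000}},
    {"name": "firewall",
     "content": {"currentDBSizeMB": 12000, "maxTotalDataSizeMB": 100000}},
    {"name": "_internal",
     "content": {"currentDBSizeMB": 3000, "maxTotalDataSizeMB": 500000}},
]})


def fetch_indexes_json(host: str, user: str, password: str,
                       port: int = 8089, verify_tls: bool = True) -> str:
    """Pull the index list from splunkd's management port (not run by the sample)."""
    url = f"https://{host}:{port}/services/data/indexes?output_mode=json&count=0"
    req = urllib.request.Request(url)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    # Only skip verification for a self-signed management cert you have checked by hand
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return resp.read().decode("utf-8")


def index_usage(indexes_json: str, index_name: str) -> Tuple[int, int]:
    """Return (currentDBSizeMB, maxTotalDataSizeMB) for the named index."""
    for entry in json.loads(indexes_json)["entry"]:
        if entry["name"] == index_name:
            content = entry["content"]
            return int(content["currentDBSizeMB"]), int(content["maxTotalDataSizeMB"])
    raise KeyError(index_name)


def check_index(indexes_json: str, index_name: str,
                warn_pct: float = 80.0, crit_pct: float = 90.0) -> Tuple[int, str]:
    """Grade one index against percentage-of-limit thresholds.

    Returns (exit_code, output); output follows the Nagios convention
    'STATUS - message | perfdata' so used/limit values can be graphed.
    """
    try:
        used, limit = index_usage(indexes_json, index_name)
    except KeyError:
        return UNKNOWN, f"UNKNOWN - index '{index_name}' not found"
    if limit <= 0:
        return UNKNOWN, f"UNKNOWN - index '{index_name}' has no positive maxTotalDataSizeMB"
    pct = 100.0 * used / limit
    perf = (f"used={used}MB;{int(limit * warn_pct / 100)};"
            f"{int(limit * crit_pct / 100)};0;{limit}")
    msg = f"index {index_name} at {pct:.1f}% of {limit}MB ({used}MB used)"
    if pct >= crit_pct:
        return CRITICAL, f"CRITICAL - {msg} | {perf}"
    if pct >= warn_pct:
        return WARNING, f"WARNING - {msg} | {perf}"
    return OK, f"OK - {msg} | {perf}"


def main(argv=None) -> int:
    p = argparse.ArgumentParser(description="Check a Splunk index against its size limit")
    p.add_argument("-H", "--host", required=True)
    p.add_argument("-u", "--user", required=True)
    p.add_argument("-p", "--password", required=True)
    p.add_argument("-i", "--index", default="main")
    p.add_argument("-w", "--warning", type=float, default=80.0, help="percent of limit")
    p.add_argument("-c", "--critical", type=float, default=90.0, help="percent of limit")
    p.add_argument("--insecure", action="store_true", help="skip TLS verification")
    a = p.parse_args(argv)
    try:
        data = fetch_indexes_json(a.host, a.user, a.password, verify_tls=not a.insecure)
    except Exception as exc:  # a network or auth failure is UNKNOWN, never OK
        print(f"UNKNOWN - could not query splunkd: {exc}")
        return UNKNOWN
    code, output = check_index(data, a.index, a.warning, a.critical)
    print(output)
    return code


if __name__ == "__main__":
    sys.exit(main())
```

<p>Two practical notes: a password passed with <code>-p</code> is visible to every local user in <code>ps</code>, so in production read it from a file or environment variable that only the Nagios user can access; and a query failure must return UNKNOWN rather than OK, otherwise a dead splunkd looks exactly like a healthy index.</p>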
<p>If you&#8217;re interested in checking out the latest version of the checks, <a href="https://bitbucket.org/mcmasterathl/splunk-license-check" target="_blank">head over to BitBucket</a>, where the repository is hosted. If you have feedback, please let us know at <a href="mailto:blog@hurricanelabs.com" target="_blank">blog@hurricanelabs.com</a>.</p>
<p>The post <a href="http://hurricanelabs.com/blog/new-splunk-nagiosicinga-checks/">New Splunk Nagios/Icinga Checks</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p><img src="http://feeds.feedburner.com/~r/HurricaneLabsNewsletter/~4/KJadmTGDRO4" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/new-splunk-nagiosicinga-checks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/new-splunk-nagiosicinga-checks/</feedburner:origLink></item>
		<item>
		<title>Open Source Licensing – Demystified?</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/kzryr3zC-KE/</link>
		<comments>http://hurricanelabs.com/blog/open-source-licensing-demystified/#comments</comments>
		<pubDate>Thu, 19 Apr 2012 13:20:53 +0000</pubDate>
		<dc:creator>Steve McMaster</dc:creator>
				<category><![CDATA[Code]]></category>
		<category><![CDATA[Software]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=5689</guid>
		<description><![CDATA[<p>I&#8217;m not sure how many of your listen to our podcast, but in Episode 023, we talked a little about open source licensing. Ian had gone on a mini-rant during the soundcheck about how there are too many different open &#8230; <a href="http://hurricanelabs.com/blog/open-source-licensing-demystified/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/open-source-licensing-demystified/">Open Source Licensing &#8211; Demystified?</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>I&#8217;m not sure how many of you listen to our podcast, <a href="http://www.hurricanelabs.com/beacon-podcast-episode-023" target="_blank">but in Episode 023</a>, we talked a little about open source licensing.</p>
<p><span id="more-8071"></span> Ian had gone on a mini-rant during the soundcheck about how there are too many different open source licenses, and they basically all say the same thing. So why complicate open source by having so many? I thought about this a lot over the next few days and did a lot of reading into open source licenses of my own. The results are interesting, to say the least.</p>
<p>To start, there are a couple really good resources for reading about open source licenses. The first is on the <a href="http://www.gnu.org/licenses/license-list.html" target="_blank">GNU website</a>. It lists licenses for software, documentation, and even fonts. It also goes on to sort the licenses into GPL-compatible, GPL-Incompatible, and Non-Free Licenses. The thing to keep in mind while reading this website is that it tends to be a little biased. GNU, and the Free Software Foundation who supports them, very strongly believe in something called &#8220;copyleft&#8221;. According to Wikipedia, a &#8220;copyleft&#8221; is &#8220;a general method for making a program (or other work) free (libre), and requiring all modified and extended versions of the program to be free as well&#8221;. This is a philosophical decision above all else. In fact, Richard Stallman (the founder of the FSF) writes that copyleft is a form of &#8220;pragmatic idealism&#8221;, and that&#8217;s the reason GNU&#8217;s own license, the GPL, is written the way it is (see his <a href="http://www.gnu.org/philosophy/pragmatic.html" target="_blank">whole article on the GNU website</a>).</p>
<p>Anyways, the other site I found useful for comparing open source licenses is the <a href="http://www.opensource.org/licenses/category" target="_blank">Open Source Initiative</a>. The OSI is a non-profit organization tasked with maintaining the &#8220;official&#8221; definition of Open Source, and they are recognized throughout the community for approving licenses as compliant with this definition. The OSI follows a much less idealistic philosophy, having roots in the business community. One of their original goals was to avoid the idealism inherent in the &#8220;Free Software&#8221; movement. Therefore, their site provides little philosophical commentary on the licenses. What they do provide is an arena to communicate with open source developers regarding the various licenses.</p>
<p>As part of my reading, I began to develop a sort of distaste for copyleft. Not only is it forcing your open source ideals on other people, but I&#8217;ve seen throughout my experience many problems created by the strong copyleft that some licenses (GPL v2) create. Copyleft doesn&#8217;t only force your ideals on your own software &#8212; this in and of itself is not a problem, after all, it&#8217;s YOUR software. However, when the license you apply to your code prevents me from using someone else&#8217;s code with your code because they didn&#8217;t agree with your ideals, you&#8217;re forcing your ideals on that other software, and on whatever software I&#8217;m writing, too. It saddens me every time I think of this to know that the open source community, which in my opinion creates superior software 9 out of 10 times, feels it has to resort to something like this.</p>
<div align="center"><a href="http://www.hurricanelabs.com/services/open-source-tools"><img alt="" src="http://www.hurricanelabs.com/wp-content/uploads/2011/08/open-source-tech-trans1.png" /></a></div>
<p>Until now, anytime Hurricane Labs has released software to the open source community, it has exclusively been under the GPL. However, after some careful consideration, we&#8217;ve decided to make a change. From this point forward, any software we release will be licensed under the license commonly referred to as the &#8220;MIT License&#8221; or the &#8220;Expat License&#8221; (you can <a href="http://www.opensource.org/licenses/MIT" target="_blank">view the license at the OSI website</a>). In addition, we are retroactively applying this license to anything we&#8217;ve released in the past as a dual-license model. If you&#8217;ve already chosen to license our existing software under the GPL, you are free to continue doing so. However, you may choose in the future to license it under the terms of the MIT license instead.</p>
<p>The MIT license has many advantages, in our opinion, over the GPL. First and foremost, the MIT license is significantly shorter and simpler. The layman&#8217;s summary of the MIT license (and please don&#8217;t take this as legal advice) is &#8220;use the software as you see fit, but if you redistribute it you must maintain this copyright license. Also, there is no warranty of any kind&#8221;. In addition, the MIT license does not enforce any sort of copyleft on the code. This means that if you have a commercial use for it, you can use our code in your closed source project, and the only condition is you must maintain the notice that the code is copyrighted by Hurricane Labs. There is no requirement that you maintain a method of obtaining the source code, no requirement that you open source your changes, etc. This should make using any code we&#8217;ve developed as simple as possible.</p>
<p>Licensing is a complex topic, be it Open Source licensing, commercial software licensing, or any other kind of licensing. There is a lot of legal jargon to it, and the big, long, &#8220;EULA&#8221;-esque licenses are difficult to understand. Open source licensing also brings with it a heated debate, as with almost any topic in open source it seems, with both sides of the argument feeling that their opinion is right. But not only that, but that the other side&#8217;s argument is as wrong as wrong can be. We chose a license based on what best fit all of the goals we were trying to achieve by releasing our code, and we feel the MIT license does this for us. It is not really a statement of philosophical beliefs. Instead, think of it as the result of applying the old &#8220;is this good for the company&#8221; to our open source licensing. I encourage you to look at licensing in terms of what achieves your goals, and not what people try to convince you are your goals. If the GPL, or any other license, fits your code the best, then by all means, that&#8217;s what you should be using. And don&#8217;t be afraid to change someday either. We weren&#8217;t.</p>
<p>The post <a href="http://hurricanelabs.com/blog/open-source-licensing-demystified/">Open Source Licensing &#8211; Demystified?</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p><img src="http://feeds.feedburner.com/~r/HurricaneLabsNewsletter/~4/kzryr3zC-KE" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/open-source-licensing-demystified/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/open-source-licensing-demystified/</feedburner:origLink></item>
		<item>
		<title>Sales – Listen to the Customer</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/gqsF4G9Pzek/</link>
		<comments>http://hurricanelabs.com/blog/sales-listen-to-the-customer/#comments</comments>
		<pubDate>Tue, 17 Apr 2012 12:33:15 +0000</pubDate>
		<dc:creator>matt</dc:creator>
				<category><![CDATA[General Cyber Security]]></category>
		<category><![CDATA[Security Awareness]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=5671</guid>
		<description><![CDATA[<p>Before you read any further in this post please take five minutes to read this article: Why I Am Leaving Goldman SachsAs an IT security consultant/MSSP/whatever you want to call third-party security provider, the second I started reading that article &#8230; <a href="http://hurricanelabs.com/blog/sales-listen-to-the-customer/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/sales-listen-to-the-customer/">Sales &#8211; Listen to the Customer</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>Before you read any further in this post please take five minutes to read this article:</p>
<p><a href="http://www.nytimes.com/2012/03/14/opinion/why-i-am-leaving-goldman-sachs.html?_r=1&amp;pagewanted=all?src=tp" target="_blank">Why I Am Leaving Goldman Sachs</a><span id="more-8070"></span>As an IT security consultant/MSSP/whatever you want to call third-party security provider, the second I started reading that article I immediately began drawing comparisons to the current landscape of IT security companies. Too many times I&#8217;m brought into a company to discuss a need that they have that relates to security and I&#8217;m confronted with &#8220;Well Company X told us to purchase this technology and that would solve our issue&#8221;. A good majority of the time that technology is overpriced, bloated, and the times that it is actually the right fit it is so over-scoped that the client is paying for way more than they need to be.</p>
<p>When did it go out of fashion to do the right thing for the client? I understand that a sales rep is paid and evaluated based on how much they sell, it&#8217;s the nature of the business. It is the job of the sales rep to grow the business, but at the cost of <em>what the client actually needs</em>? As security professionals, we often have a unique perspective that most IT people do not. They don&#8217;t understand the intricacies of security, it&#8217;s not necessarily their job. That&#8217;s why they have us and they should be able to trust us (and when I say &#8220;us&#8221; I mean that as security professionals as a whole).</p>
<p>There are many security companies out there that can sell a hundred different security products and if one doesn&#8217;t stick they have ninety-nine more that are guaranteed to solve your problem. Keep in mind, your problem doesn&#8217;t mean anything to the sales rep sitting across from you. Most likely they have no idea what the root of your problem actually is, they are just listening for five or six buzzwords that equate to a product on their line card. They don&#8217;t know what security best practices actually are, nor are they keeping up with trends and equating them to your business and how you can be affected. In the rare case that they actually are knowledgeable, are they going to tell you A) That some well built firewall rules, the existing technology that you have in place, and some patches will mitigate an issue or B) That you need to buy the latest and greatest web-app malware-fighting endpoint-protecting thing on the market?</p>
<p>Do I sound a little cynical? Yes, I recognize that. Am I actually being cynical? I don&#8217;t think so. Far too often security companies misuse the trust placed in them for their own financial gain. I know this isn&#8217;t new and I&#8217;m not surprising anyone, but it gets a little tiring going into company after company and hearing how they&#8217;ve been raked over the coals by another security vendor. It&#8217;s unnecessary.</p>
<p>If you&#8217;re a client and reading this &#8211; I hope you keep us at Hurricane Labs, and any other security vendor you deal with, accountable to the standards I&#8217;ve talked about. If you&#8217;re one of the security vendors I&#8217;ve mentioned above, I hope you feel sufficiently ashamed of yourself (though I know you won&#8217;t be).</p>
<p>If there is one tenet that rings especially true with me from Greg Smith&#8217;s article it is this: <em>Do what is right for the client and both companies will benefit in the long run</em>.</p>
<p>The post <a href="http://hurricanelabs.com/blog/sales-listen-to-the-customer/">Sales &#8211; Listen to the Customer</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p><img src="http://feeds.feedburner.com/~r/HurricaneLabsNewsletter/~4/gqsF4G9Pzek" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/sales-listen-to-the-customer/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/sales-listen-to-the-customer/</feedburner:origLink></item>
		<item>
		<title>IPS Updates, Splunk, Check Point and You</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/rIZ6lGnSnTg/</link>
		<comments>http://hurricanelabs.com/blog/ips-updates-splunk-check-point-and-you/#comments</comments>
		<pubDate>Thu, 12 Apr 2012 13:07:24 +0000</pubDate>
		<dc:creator>Bill Mathews</dc:creator>
				<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Check Point]]></category>
		<category><![CDATA[IPS]]></category>
		<category><![CDATA[Splunk]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=5618</guid>
		<description><![CDATA[<p>Zero Day attacks &#8211; you know, the ones that almost EVERY signature in your IPS claim to protect you against? Yep those guys, nasty little things. Basically, if IPS vendors are to be believed, those are the things that don’t &#8230; <a href="http://hurricanelabs.com/blog/ips-updates-splunk-check-point-and-you/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/ips-updates-splunk-check-point-and-you/">IPS Updates, Splunk, Check Point and You</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p><strong>Zero Day attacks</strong> &#8211; you know, the ones that almost EVERY signature in your IPS claims to protect you against?</p>
<p><span id="more-8068"></span> Yep those guys, nasty little things. Basically, if IPS vendors are to be believed, those are the things that don’t have a patch yet and have active exploits against them. You update your IPS signatures and BOOM protection from zero day! The problem we always run into, and this is with almost every IPS vendor so I’m not just picking on Check Point here, is how do you know when an update is available? As much as most vendors would like it we are simply not logged into their console all day long so their automated “hey you have an update” thingy is not useful. This was a big problem for us because we manage a lot of firewalls so what to do, what to do. We turned to a combination of something old (RSS), something a little new (Splunk), and something <em>really</em> old (email alerts.) Here was the issue and how we solved it:</p>
<p><strong>ISSUE</strong><br />
Updates come out, an email goes to only one person (subscribing everyone is impractical), updates are scheduled as needed. The process is slow, too “people heavy”, and has a lot of built-in delay. This is no good when dealing with zero days.</p>
<p><strong>SOLUTION</strong><br />
I took Check Point’s RSS feed that announces their IPS updates and fed it into Splunk. This allowed me to index the feed and break it apart a little so I could build a dashboard around it (dashboards in Splunk are basically a collection of searches and reports.) By itself this would allow us to search across IPS updates and figure out which ones we needed, but I wanted to dig a little deeper and make the process a bit less painful. This is where Check Point helped me out a bit (and possibly other vendors do this too but I don’t know for sure), they actually have a severity tag in their RSS feed so I know how important a given new protection is (Critical, High, Medium, Low) and I could organize my dashboard accordingly.</p>
<div align="center"><a href="http://www.hurricanelabs.com/wp-content/uploads/images/cp-ips-splunk.png"><img alt="" src="http://www.hurricanelabs.com/wp-content/uploads/images/cp-ips-splunk.png" width="401" height="224" /></a></div>
<p>This dashboard gives me a neat layout of my IPS protections and how important they are. This was a great jumping off point to automate my process a bit more. Next I created a Splunk alert that allows me to alert our engineers of Critical or High protections that should be pushed with some urgency, while allowing for a smaller alert for protections to be analyzed a bit more before pushing. The biggest benefit to this was unknown to me at the time: the RSS feed is updated a full 24 hours or so before that update email is sent out, so we were able to get updates out a full day faster. That is huge in this allegedly zero day world.</p>
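<p>As an added example of the severity triage described above (this is not the Hurricane Labs Splunk dashboard or alert, and it is not Check Point code), here is the same logic done in plain Python against an RSS feed: parse the items, normalize each one&#8217;s severity, bucket them for a dashboard-style summary, and pull out the Critical/High ones that should page an engineer. The feed below is a constructed sample with invented titles and dates. It assumes each <code>&lt;item&gt;</code> carries its severity in a <code>&lt;severity&gt;</code> element, with a fallback to a severity word in the title; the real vendor feed&#8217;s element name may differ, so adjust <code>severity_of</code> to match what the feed actually publishes.</p>

```python
"""Triage an IPS-update RSS feed by severity (added example, not the
Hurricane Labs Splunk dashboard). Assumes each <item> carries its severity
in a <severity> element, falling back to a severity word in the title; the
real vendor feed's element name may differ."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, List

SEVERITIES = ("Critical", "High", "Medium", "Low")
URGENT = {"Critical", "High"}   # pushed with urgency; the rest get reviewed first
_SEV_IN_TITLE = re.compile(r"\b(Critical|High|Medium|Low)\b", re.IGNORECASE)

# Constructed sample feed; protection names and dates are invented.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel>
<title>IPS protection updates (constructed sample)</title>
<item><title>Sample Web Server Remote Code Execution</title>
  <severity>Critical</severity>
  <pubDate>Thu, 12 Apr 2012 09:00:00 +0000</pubDate></item>
<item><title>Sample Mail Client Buffer Overflow</title>
  <severity>High</severity>
  <pubDate>Thu, 12 Apr 2012 09:05:00 +0000</pubDate></item>
<item><title>Sample Chat Protocol Information Disclosure (Medium)</title>
  <pubDate>Thu, 12 Apr 2012 09:10:00 +0000</pubDate></item>
<item><title>Sample Banner Leak</title>
  <severity>low</severity>
  <pubDate>Thu, 12 Apr 2012 09:15:00 +0000</pubDate></item>
</channel></rss>"""


def severity_of(item: ET.Element) -> str:
    """Normalise one <item>'s severity; 'Unknown' if nothing usable is present."""
    raw = (item.findtext("severity") or "").strip().capitalize()
    if raw in SEVERITIES:
        return raw
    m = _SEV_IN_TITLE.search(item.findtext("title") or "")   # fallback: word in title
    return m.group(1).capitalize() if m else "Unknown"


def parse_updates(feed_xml: str) -> List[Dict[str, str]]:
    """Turn the feed into flat records, one per protection update."""
    root = ET.fromstring(feed_xml)
    return [{
        "title": (item.findtext("title") or "").strip(),
        "severity": severity_of(item),
        "published": (item.findtext("pubDate") or "").strip(),
    } for item in root.iter("item")]


def by_severity(updates: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Severity -> titles, the breakdown a dashboard panel would show."""
    buckets = defaultdict(list)
    for u in updates:
        buckets[u["severity"]].append(u["title"])
    return dict(buckets)


def urgent(updates: List[Dict[str, str]]) -> List[str]:
    """Titles that should page an engineer (the Critical/High alert)."""
    return [u["title"] for u in updates if u["severity"] in URGENT]


def summarize(feed_xml: str) -> str:
    """One-line count per severity, highest first, e.g. 'Critical=1, High=2'."""
    buckets = by_severity(parse_updates(feed_xml))
    order = list(SEVERITIES) + ["Unknown"]
    return ", ".join(f"{s}={len(buckets[s])}" for s in order if s in buckets)
```

<p>The feed comes off the network, so treat it as untrusted input: for anything beyond a trusted vendor URL, swap <code>xml.etree.ElementTree.fromstring</code> for <code>defusedxml.ElementTree.fromstring</code> to shut off entity expansion. Unknown severities are kept as a separate bucket rather than dropped, so a vendor changing the tag name shows up as a spike in &#8220;Unknown&#8221; instead of silently emptying the Critical alert.</p>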
<p>Some future improvements might be pushing the alerts out to SMS or via our <a href="http://www.hurricanelabs.com/software/nagzilla">Nagzilla</a> system. I also have, in the back of my head, an idea for relating these things to relevant hosts via Splunk’s inventory module. All in all just one way to use technology for the betterment of all mankind or something like that.</p>
<p>The post <a href="http://hurricanelabs.com/blog/ips-updates-splunk-check-point-and-you/">IPS Updates, Splunk, Check Point and You</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p><img src="http://feeds.feedburner.com/~r/HurricaneLabsNewsletter/~4/rIZ6lGnSnTg" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/ips-updates-splunk-check-point-and-you/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/ips-updates-splunk-check-point-and-you/</feedburner:origLink></item>
		<item>
		<title>When Employees Attack</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/zdhVMcqmoiU/</link>
		<comments>http://hurricanelabs.com/blog/when-employees-attack/#comments</comments>
		<pubDate>Tue, 10 Apr 2012 15:00:13 +0000</pubDate>
		<dc:creator>Tom Kopchak</dc:creator>
				<category><![CDATA[Network Security]]></category>
		<category><![CDATA[End Users]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=5649</guid>
		<description><![CDATA[<p>In late March, a situation was reported on our local news that highlighted several of the challenges that people in the information security field face. A former scientist at the Bridgestone Americas Center for Research and Technology (located in Akron, &#8230; <a href="http://hurricanelabs.com/blog/when-employees-attack/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/when-employees-attack/">When Employees Attack</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>In late March, a situation was reported on our local news that highlighted several of the challenges that people in the information security field face.</p>
<p><span id="more-8067"></span> A former scientist at the Bridgestone Americas Center for Research and Technology (located in Akron, Ohio) was arrested for stealing trade secrets. The individual in question, Xiaorong Wang, is suspected of passing this information to a Chinese manufacturer of polymers.</p>
<p>Until all the facts surrounding this case are uncovered, it would be imprudent to make blanket statements involving the guilt or innocence of the individuals involved. However, this case has powerful information security implications. An individual with a key research role would likely be considered a very trusted employee, possibly with unrestricted or very minimal restrictions regarding access to proprietary information. Organizations are often forced to trust the integrity of these individuals, which can open an organization to significant risks if the relationship between the employer and the employee were to deteriorate.</p>
<p><img class="img-left" alt="Ex-Employee Stealing Company Data" src="http://www.hurricanelabs.com/wp-content/uploads/images/confidential.jpg" /><br />
This case highlights the importance of monitoring the flow of information within an organization. How could access to proprietary corporate information be protected from users who already have fairly free access?<br />
A possible alerting strategy could key on the transfer of a large number of files from a specific location within a short period of time. Although seemingly random access to a file server could reflect normal work behavior, rapid attempts to successively copy the entire contents of a network directory or series of directories might trigger an alert for a possible act of espionage or a potential information leak.</p>
<p>Furthermore, the information in this case did not leave corporate boundaries through an Internet connection, but instead, was copied to several CDs and physically removed. This type of information transfer is quite difficult to track. With nearly every laptop on the market today being equipped with a CD/DVD burner, the amount of information that can be removed is quite substantial. Furthermore, very few options exist for completely disabling the ability to copy sensitive information to external media. A possible solution might involve the use of data loss prevention (DLP) solutions, which rely on network, storage, and endpoint centered technologies and systems to detect and prevent the egress of sensitive information. Along these lines, Check Point offers Endpoint Policy Management software that can enforce policies regarding USB flash drives and other removable media.</p>
<p>Finally, this case brings to light important precautions that should be taken whenever the relationship between an employer and their employee is severed. All too often, I see alerts related to former employees’ accounts still causing activity in a client’s logs. This should always be a cause for alarm. Often, this is a simple case of services still running on a server under that user’s account – a relatively simple issue to correct. However, it could also be an indication of more nefarious activity occurring on your network. Ideally, a user’s account should be terminated before they are aware of their impending termination. This is in the interest of damage control – disable the user’s account(s), kill off their network port, and lock their inbox. This might seem harsh, but in a world where information has substantial value, you do not want your former employees to become assets to your competitors.</p>
<p>What policies and procedures do you have in place to protect your critical information?</p>
<p>For more information about the Bridgestone story, see the following:<br />
<a href="http://www.ohio.com/business/akron-based-bridgestone-americas-researcher-charged-with-trade-secrets-theft-1.284100" target="_blank">http://www.ohio.com/business/akron-based-bridgestone-americas-researcher-charged-with-trade-secrets-theft-1.284100</a><br />
<a href="http://www.cleveland.com/business/index.ssf/2012/03/bridgestone_trade_secrets_case.html" target="_blank">http://www.cleveland.com/business/index.ssf/2012/03/bridgestone_trade_secrets_case.html</a></p>
<p>The post <a href="http://hurricanelabs.com/blog/when-employees-attack/">When Employees Attack</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p><img src="http://feeds.feedburner.com/~r/HurricaneLabsNewsletter/~4/zdhVMcqmoiU" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/when-employees-attack/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/when-employees-attack/</feedburner:origLink></item>
		<item>
		<title>The Ins and Outputs of TCPDUMP</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/Gc5CMikykRI/</link>
		<comments>http://hurricanelabs.com/blog/the-ins-and-outs-of-tcpdump/#comments</comments>
		<pubDate>Tue, 20 Mar 2012 16:12:10 +0000</pubDate>
		<dc:creator>Nick Beris</dc:creator>
				<category><![CDATA[General Cyber Security]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[Tutorial]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=5488</guid>
		<description><![CDATA[<p>As a Network Engineer, I spend a lot of time on, in, and around the terminal. Many of the systems that I work with are remote and taking the time to download a packet capture in the middle of an &#8230; <a href="http://hurricanelabs.com/blog/the-ins-and-outs-of-tcpdump/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/the-ins-and-outs-of-tcpdump/">The Ins and Outputs of TCPDUMP</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>As a Network Engineer, I spend a lot of time on, in, and around the terminal.<span id="more-8063"></span> Many of the systems that I work with are remote, and taking the time to download a packet capture in the middle of an emergency call and waiting for Wireshark to get the necessary details is just too much of a hassle. (Plus, it makes me feel like I&#8217;m an operator in the Matrix with the scrolling code.) Now don&#8217;t get me wrong, Wireshark is a great tool and has many uses, but a lot of times it’s just not practical. Besides, are you really going to download the packets from a Snort alert and pump them into Wireshark? This, my friends, is where <strong>Tcpdump</strong> comes into play and shines.</p>
<h3>What is Tcpdump?</h3>
<p>Tcpdump is the most widely used tool for capturing and analyzing various types of Ethernet traffic. A network administrator, security auditor, or anyone else dealing in the end-to-end connectivity of their infrastructure will find this tool pre-installed most of the time. Many times when working with third-party vendors, you have to prove that it isn&#8217;t your network, firewall, or NAT causing the issue with the application, and that it&#8217;s just poor coding on their end.</p>
<p>First we will look at some simple traffic; in this case, an apt install of two packages.</p>
<p>The following is the command that I used to &#8216;capture&#8217; or record this network traffic.</p>
<pre class="crayon-plain-tag">tcpdump -s 1500 -Avvvn -i wlan0 -w package.pcap host 208.100.4.53</pre>
<h3>Command Breakdown</h3>
<p><strong>tcpdump</strong>: Name of the application.</p>
<p><code>-s 1500</code>: Snap length, i.e. how many bytes of each packet to capture. The default is <em>65535 bytes</em>. Setting the snap length to 0 sets it to its default. (According to the man page for my version.)</p>
<p><code>-A</code>: Prints each packet in ASCII. Useful for plain-text traffic and application troubleshooting.</p>
<p><code>-vvv</code>: Very, very verbose &#8211; prints more information about the packet, such as the TTL and a lot more.</p>
<p><code>-n</code>: Won&#8217;t resolve addresses to host names.</p>
<p><code>-i</code>: Which interface to listen and capture on.</p>
<p><code>-w</code>: Write the packets to the named file.</p>
<p><code>host</code>: Capture filter for the remote peer; only traffic to or from that address is recorded.</p>
<p>Now that we have successfully written the packets to a file, we can analyze the traffic. In any type of troubleshooting situation you have to start at square one. Let&#8217;s open this file and pipe it into something useful instead of filling the scrollback buffer and missing the first essential connection details.</p>
<p>TCP has retransmission built into the protocol, so if the first few packets fail to get through, the rest of the connection is doomed.</p><pre class="crayon-plain-tag">tcpdump -s 1500 -Avvvn -r package.pcap | less</pre><p>The <strong>-r</strong> switch reads the file instead of writing it. Since we already filtered out any other traffic with the host argument, we don’t need to be as detailed in our command. The <strong>|</strong> (pipe) directs the standard output (console screen) to another application, in this case &#8220;less&#8221;. This gives us the ability to scroll through the whole .pcap file.</p>
<p>The first three packets represent the three-way handshake which every TCP connection must go through to set up the connection.</p>
<pre class="crayon-plain-tag">12:26:58.632628 IP (tos 0x0, ttl 64, id 20547, offset 0, flags [DF], proto TCP (6), length 60)
10.0.1.38.59181 PC@.@.
.
..&amp;.d.5.-.PZ..v...................
.g.5........
12:26:58.663268 IP (tos 0x0, ttl 51, id 0, offset 0, flags [DF], proto TCP (6), length 60)
208.100.4.53.80 &gt; 10.0.1.38.59181: Flags [S.], cksum 0x7075 (correct), seq 2554095472, ack 1526109303, win 5792, options [mss 1460,sackOK,TS val 2580458519 ecr 6800437,nop,wscale 7], length 0
E..&lt;..@.3.g..d.5
..&amp;.P.-. 208.100.4.53.80: Flags [.], cksum 0xb5ab (correct), ack 1, win 46, options [nop,nop,TS val 6800445 ecr 2580458519], length 0
E..4PD@.@.
.
..&amp;.d.5.-.PZ..w.&lt;gq...........
.g.=....</pre>
<p>And now my host is sending its <em>HTTP GET</em> request to the remote HTTP server. Remember when I said in the beginning that I was going to install two packages? Well, you can see two GET requests made to the server in the output below. Can you tell what I was installing?</p>
<pre class="crayon-plain-tag">12:26:58.663524 IP (tos 0x0, ttl 64, id 20549, offset 0, flags [DF], proto TCP (6), length 435)
10.0.1.38.59181 &gt; 208.100.4.53.80: Flags [P.], cksum 0x0d68 (correct), seq 1:384, ack 1, win 46, options [nop,nop,TS val 6800445 ecr 2580458519], length 383
E...PE@.@. A
..&amp;.d.5.-.PZ..w.&lt;gq....^Mh.....
.g.=....GET /debian/pool/main/a/awn-extras-applets/awn-applets-c-extras_0.4.0-3_amd64.deb HTTP/1.1
Host: mirror.steadfast.net
Connection: keep-alive
User-Agent: Debian APT-HTTP/1.3 (0.8.10.3)

GET /debian/pool/main/a/awn-extras-applets/awn-applets-python-extras_0.4.0-3_all.deb HTTP/1.1
Host: mirror.steadfast.net
Connection: keep-alive
User-Agent: Debian APT-HTTP/1.3 (0.8.10.3)</pre>
<p>How do we know that the server even received our request? TCP will always send an <em>ACK</em> for the last packet, or, in the case of a corrupt packet, a reset (<em>RST</em>). As you can see in the following output, there is the acknowledgement of the GET request and then the server's <em>HTTP 200 OK</em> response.</p>
<pre class="crayon-plain-tag">12:26:58.693420 IP (tos 0x0, ttl 51, id 52036, offset 0, flags [DF], proto TCP (6), length 52)
208.100.4.53.80 &gt; 10.0.1.38.59181: Flags [.], cksum 0xb406 (correct), ack 384, win 54, options [nop,nop,TS val 2580458549 ecr 6800445], length 0
E..4.D@.3....d.5
..&amp;.P.-.&lt;gqZ......6.......
...5.g.=
12:26:58.750220 IP (tos 0x0, ttl 51, id 52037, offset 0, flags [DF], proto TCP (6), length 1500)
208.100.4.53.80 &gt; 10.0.1.38.59181: Flags [.], seq 1:1449, ack 384, win 54, options [nop,nop,TS val 2580458605 ecr 6800445], length 1448
E....E@.3....d.5
..&amp;.P.-.&lt;gqZ......6.H.....
...m.g.=HTTP/1.1 200 OK
Date: Sun, 18 Mar 2012 16:27:03 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Mon, 19 Jul 2010 07:02:03 GMT
ETag: &quot;2ae23c67-1e17e-48bb8254eb0c0&quot;
Accept-Ranges: bytes
Content-Length: 123262
Connection: close
Content-Type: text/plain; charset=UTF-8</pre>
<p>And as they say, “the rest is history”. Well, technically the rest is the TCP stream for my packages, but if you are troubleshooting further than the initial connections you are going to need to roll up your sleeves and have a firm grasp of the TCP protocol. If you&#039;re not as strong at reading packet captures or understanding how the whole TCP/IP stack works, then this is the best way to learn, with simple, easy-to-define and read traffic. In my next entry I plan on going more in depth with situational examples.</p>
<p>The post <a href="http://hurricanelabs.com/blog/the-ins-and-outs-of-tcpdump/">The Ins and Outputs of TCPDUMP</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p><img src="http://feeds.feedburner.com/~r/HurricaneLabsNewsletter/~4/Gc5CMikykRI" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/the-ins-and-outs-of-tcpdump/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/the-ins-and-outs-of-tcpdump/</feedburner:origLink></item>
		<item>
		<title>Social Media Security Awareness</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/FYL7yNpyI7g/</link>
		<comments>http://hurricanelabs.com/blog/social-media-security-awareness/#comments</comments>
		<pubDate>Wed, 22 Feb 2012 14:48:48 +0000</pubDate>
		<dc:creator>Leigh Goldie</dc:creator>
				<category><![CDATA[Events]]></category>
		<category><![CDATA[Social Media Security]]></category>
		<category><![CDATA[Education]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security Awareness]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=5396</guid>
		<description><![CDATA[<p>When I was in high school, Rockwell released the popular song, Somebody’s Watching Me. In it, he examined an array of different people that he worried could be watching him on a daily basis, including his neighbors, the mailman, and &#8230; <a href="http://hurricanelabs.com/blog/social-media-security-awareness/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/social-media-security-awareness/">Social Media Security Awareness</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>When I was in high school, Rockwell released the popular song, <em>Somebody’s Watching Me</em>. In it, he examined an array of different people that he worried could be watching him on a daily basis, including his neighbors, the mailman, and the IRS.</p>
<p><span id="more-8059"></span> I carefully listened to the words and, of course, Michael Jackson’s background vocals, and literally took the song to heart. Who could be watching me? I agonized a bit over this song as a high school student, believing that it provided some truth.</p>
<p>Well, today, somebody watching you is literal fact. Surveillance cameras exist in most public and work places, and audio recordings of phone conversations “for quality assurance purposes” are prevalent at most corporate institutions. People are literally being watched all the time, their privacy completely diminished.</p>
<p>There is one place, though, where regular, ordinary people are being watched without any warning signs posted. That place is online. Online, anything you post or any pictures you add are automatically visible to anyone who wants to view them. Big Brother is out there watching you&#8230;in real time. What you say or do can be recorded as you do it and used against you if it denigrates someone or something related to a specific company.</p>
<p>As a result, Hurricane Labs is introducing our:</p>
<p><strong>Social Media Security Awareness Class: What Employers and Employees Need to Know</strong>.</p>
<p>This class will help you and your employees:</p>
<ul>
<li>Learn how to protect your company, your employees and yourself in social media.</li>
<li>Distinguish between professional and personal privacy.</li>
<li>Review discussing and disclosing public versus private information.</li>
<li>Provide your company with the necessary tools to create a compliance procedure for your employees.</li>
</ul>
<p>Companies should be aware that they need to address this now, before something happens online to their company. Does your company have a plan of attack on how to handle it, so you are prepared when something actually does? This class is vital to your company and employee security, as everyone from the top down needs to be educated in this area.</p>
<p>The first class will take place Wednesday, March 14th from 9:00 &#8211; 4:00 at Hurricane Labs. To register you or your employees, or for more information, <a href="http://hurricanelabs.simpletix.com/Event/6/Social-Media-Security-Awarenes/" target="_blank">click here</a>. Other class dates for 2012 are listed here as well. Any questions, please contact <a href="mailto:classes@hurricanelabs.com">classes@hurricanelabs.com</a>.</p>
<p>The post <a href="http://hurricanelabs.com/blog/social-media-security-awareness/">Social Media Security Awareness</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p><img src="http://feeds.feedburner.com/~r/HurricaneLabsNewsletter/~4/FYL7yNpyI7g" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/social-media-security-awareness/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/social-media-security-awareness/</feedburner:origLink></item>
		<item>
		<title>A New Kind of Terrorism</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/hMhpMRQbX2I/</link>
		<comments>http://hurricanelabs.com/blog/a-new-kind-of-terrorism/#comments</comments>
		<pubDate>Thu, 16 Feb 2012 15:25:14 +0000</pubDate>
		<dc:creator>Tom Kopchak</dc:creator>
				<category><![CDATA[General Cyber Security]]></category>
		<category><![CDATA[Hackers]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=5374</guid>
		<description><![CDATA[<p>In the post 9/11 era, a stark reality exists. Terrorism poses a very real threat. At this writing, we face the very real potential for another type of attack – cyber terrorism. The same stringent safeguards protecting the public need &#8230; <a href="http://hurricanelabs.com/blog/a-new-kind-of-terrorism/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/a-new-kind-of-terrorism/">A New Kind of Terrorism</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>In the post 9/11 era, a stark reality exists. Terrorism poses a very real threat. At this writing, we face the very real potential for another type of attack – cyber terrorism.</p>
<p><span id="more-8057"></span> The same stringent safeguards protecting the public need to be employed by those of us tasked to protect our wealth, critical information, and intellectual property – that is, our electronic lives.</p>
<p>Governments are tasked with ensuring the well-being and safety of their citizens. In an era where globalization extends past our physical borders to the borderless network of the Internet, security is even more paramount. In many respects, the United States, the nation where this very technology was invented, is falling behind in the global technological race. Issues such as <a href="http://www.broadbandmap.gov/" target="_blank">necessary infrastructure improvements</a> are being ignored while the interests of content providers are being protected and even championed. Government representatives often lack the basic knowledge to make intelligent decisions regarding this <a href="http://motherjones.com/kevin-drum/2012/02/should-idiots-be-allowed-regulate-internet" target="_blank">critical infrastructure and its fundamental operation</a>. This is a disaster waiting to happen.</p>
<p>Corporations seek to serve the financial interest of their owners and shareholders. Many of these organizations rely heavily on technology to operate. Industries such as banking, insurance, and software development work heavily with assets that exist purely in digital form. In the event of a security breach, this wealth can quickly vaporize. Competitors can be attackers, users can be threats. Do you know where all the information for your company is at any moment in time? How much information <a href="http://www.informationweek.com/news/government/mobile/232600428" target="_blank">walks out of the front door each and every day</a>? How much of that information <a href="http://www.newsfactor.com/news/Personal-Gadgets-Are-Security-Risk/story.xhtml?story_id=0330012SKQOR&amp;full_skip=1" target="_blank">may be lost forever</a>?</p>
<p>When it comes to cyber security and threat management, user education is crucial. In many ways, the <a href="http://www.cso.com.au/article/414151/security_culture_begins_top/" target="_blank">end user is the weakest link</a> in the information security chain: secure passwords are meaningless if they are simply written on a sticky note attached to someone’s monitor. Cell phones and laptops contain a wealth of information that can very easily wind up in the wrong hands in a moment’s notice. Sites such as Facebook and Twitter provide a wealth of personal information that people are all too willing to share with someone and often anyone else. We live in a culture of sharing: <a href="http://articles.chicagotribune.com/2012-01-31/news/ct-oped-0131-password-20120131_1_password-romeo-and-juliet-young-people" target="_blank">sharing passwords, sharing information</a>. Sadly, many fail to grasp the significance of handing over the keys to their digital lives to complete strangers. There is so much to lose.</p>
<p>We are the technologists. We are charged with using technology to improve people’s lives and make computers work for everyone. In a perfect world, security would not be a concern. Infrastructure would always be available, reliable, and secure. Threats would be nonexistent. The world, however, is far from perfect. There are many risks – too many to count. But our reaction should not be to accept failure, but instead, embrace the unknown and challenge it.<br />
Proactive security trumps reactive security. Know your threats. Know your vulnerabilities. Know your attackers.</p>
<p>Cyber terrorists are everywhere. <em>Are you prepared</em>?</p>
<p>The post <a href="http://hurricanelabs.com/blog/a-new-kind-of-terrorism/">A New Kind of Terrorism</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p><img src="http://feeds.feedburner.com/~r/HurricaneLabsNewsletter/~4/hMhpMRQbX2I" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/a-new-kind-of-terrorism/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/a-new-kind-of-terrorism/</feedburner:origLink></item>
		<item>
		<title>Idle Hands are the Devil’s Tools – Support in a Post-UGC World</title>
		<link>http://feedproxy.google.com/~r/HurricaneLabsNewsletter/~3/Rv_Pj8To5co/</link>
		<comments>http://hurricanelabs.com/blog/idle-hands-are-the-devils-tools-support-in-a-post-ugc-world/#comments</comments>
		<pubDate>Fri, 10 Feb 2012 09:58:54 +0000</pubDate>
		<dc:creator>jared</dc:creator>
				<category><![CDATA[General Cyber Security]]></category>
		<category><![CDATA[End Users]]></category>

		<guid isPermaLink="false">http://hurricanelabs.com/?p=5340</guid>
		<description><![CDATA[<p>While cruising around for an answer to a configuration problem I was having this morning, I had an interesting thought.  While it is mostly common knowledge to all of us inside the IT community that &#8220;Tier 1 Helpdesk&#8221; more often &#8230; <a href="http://hurricanelabs.com/blog/idle-hands-are-the-devils-tools-support-in-a-post-ugc-world/">Continue reading <span class="meta-nav">&#8594;</span></a></p><p>The post <a href="http://hurricanelabs.com/blog/idle-hands-are-the-devils-tools-support-in-a-post-ugc-world/">Idle Hands are the Devil&#8217;s Tools &#8211; Support in a Post-UGC World</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>While cruising around for an answer to a configuration problem I was having this morning, I had an interesting thought.</p>
<p><span id="more-8055"></span> While it is mostly common knowledge to all of us inside the IT community that &#8220;Tier 1 Helpdesk&#8221; more often than not translates into &#8220;Let Me Google That for You&#8221;, even those at the top of the tech chain still rely on online search tools to locate instances where others have run into similar complex and unusual problems. Those search tools, in turn, point almost exclusively to online message boards and blogs for the answers to our dilemmas. Online message boards whose content is generated by <em>&#8220;The Devil&#8221;</em> (aka Users). User-generated message boards and blogs are one of the main resources that we in the IT community rely on to get things accomplished when presented with something outside of our comfort zone. We play off of each other&#8217;s strengths in certain areas to form a sort of network brain-trust which helps us all succeed.</p>
<p>But what happens when you take away all of those message boards and blogs? Seriously, think about it. Without going too far into the bills and what they mean (you can <a href="http://www.pcworld.com/article/248298/sopa_and_pipa_just_the_facts.html" target="_blank">follow this</a> to read up on them yourself), websites will be held responsible for user-generated content. Most sites that allow user content will not be able to properly monitor that content and will have to shut down for fear of ridiculous lawsuits.</p>
<p>I&#8217;m not saying that this would completely cripple the world&#8217;s IT infrastructure (maybe Tier 1 helpdesk), but getting answers to questions may take quite a bit longer as we research them on our own. In terms of practical everyday business, that would be grossly inefficient, especially if the problem was creating a network outage where no one was able to get any work done. Aside from putting an extreme amount of pressure on your everyday network admin, this would also end up costing companies a serious amount of dough in a variety of ways.</p>
<p>First off, companies would HAVE to hire more seasoned veterans to run their network and be willing to pay them more in an economy which is still, in some cases, laying people off. Secondly, even with those senior guys at the helm there is no guarantee that they&#8217;ll be able to solve every problem that comes their way, and during a network outage every minute of unproductivity translates into thousands of dollars in wages, lost profits, etc. In a perfect situation, that would force an almost immediate phone call to a specialized company, for example, Cisco, for support. If you have a support contract through these guys, you know that you have been allotted a certain amount of time (or tickets) per period and going over those gets quite costly.</p>
<p>Even for smaller issues which only stop one user from being able to work effectively, if the helpdesk is not able to look up the answers easily or efficiently, that is still costing the company money. Not to mention, escalation is more likely to occur, filling the plates of the senior-level IT guys even more.</p>
<p>Even an average user can appreciate this: What would happen if someone called the helpdesk, presented their problem, and the answer they received was &#8220;Sorry, we don&#8217;t know. Someone is going to the library to look it up.&#8221; &#8211; While that is obviously an exaggeration, I think you see my point.</p>
<p>So it begs the question: what would we REALLY do without the Googles?</p>
<p>The post <a href="http://hurricanelabs.com/blog/idle-hands-are-the-devils-tools-support-in-a-post-ugc-world/">Idle Hands are the Devil&#8217;s Tools &#8211; Support in a Post-UGC World</a> appeared first on <a href="http://hurricanelabs.com">Hurricane Labs</a>.</p><img src="http://feeds.feedburner.com/~r/HurricaneLabsNewsletter/~4/Rv_Pj8To5co" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://hurricanelabs.com/blog/idle-hands-are-the-devils-tools-support-in-a-post-ugc-world/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://hurricanelabs.com/blog/idle-hands-are-the-devils-tools-support-in-a-post-ugc-world/</feedburner:origLink></item>
	</channel>
</rss>
