LABrat.com - Grant's rants on information security

New Security Awareness Video: Learn about Cloud Security

2013-05-07T09:20:00.001-07:00

SANS just posted a new video that is aimed at educating your workforce on "the cloud" and how they should interact with and secure data that is kept with cloud service providers, whether they're a cloud storage, application or are providing other services.

I think it did a pretty good job in layman's terms, for business users, of explaining what "cloud" is and how to think about managing access for cloud services.

The video is here: http://www.securingthehuman.org/resources/ncsam

"Thinking Long Term can be Short Sighted"

2013-05-03T11:16:00.000-07:00

I've been on a kick lately about getting the fundamentals down pat before people should devote significant time to advanced thinking and processes. I admit that it is very tactical, which most people don't think is that sexy. The problem is that if we only focus on the sexy, new advanced things, we lose sight of getting the bread-n-butter security things done. The things that provide 80% of the value of the team to the organization. Things like effective security monitoring, application security risk assessments and compliance programs. These things need to be solid before we can get into things that may provide value, but they're incremental improvements, not wholesale capabilities.

LinkedIn: Thinking Long Term Can be Short Sighted

Image credit: msittig, http://www.flickr.com/photos/msittig/2513955691/, cc

Applications are like puppies!

2013-04-22T09:40:00.001-07:00

As I talked about in another blog post (Hoarding: an organizational phenomenon), hoarding applications can lead to an overwhelming and oppressive IT environment for the staff and the organization.

I like analogies. Buying an application is a lot like owning a puppy to people who have never owned a puppy before.

Everyone loves looking at a puppy (just like the business thinking about buying an application).
Everyone loves looking at the puppy do things (or for applications, capabilities and demos).
Everyone imagines having a puppy being full of Frisbee and cuddle time (or for applications, the business operating like a scene out of The Coca-Cola Happiness Factory).
At this point, everyone that wants a puppy agrees that it would be great to own a puppy. I mean, look at that picture! Isn't that puppy cute? How could you not want a puppy!?

Committing to a puppy is only a short term engagement. A puppy is only a puppy for a year, maybe. The reality is that you're truly commit to the full life cycle of a canine. Not only is your puppy a puppy, it will absolutely become a dog. It is inevitable.

Applications have a similar life cycle. Commit to a puppy of application, when it is all cute and funny, you are also committing to the dog of an application, where you need to clean up after it and take it to the vet regularly, like pay maintenance and for upkeep, including security updates. And...eventually, the dog becomes old and you'll need to put it down, just like old applications.

See, applications are like puppies!

Chris

photo credit: Roozbeh Rokni via photopin cc

Hoarding: the organizational phenomenon

2013-04-18T12:30:00.002-07:00

Applications are a key part of the success of companies these days. An organization's ability to create new capabilities and deliver new products often lies in the ability to execute on delivering new services with applications. It makes sense that we have applications, and even many applications. I've been thinking lately about the cost of supporting applications and infrastructure. As a security leader, I'm frequently thinking about what it costs to protect the organization from known and unknown IT security threats. The most significant threat is probably those same applications we all implement and use in an organization to propel the business forward.

I believe many organizations, and specifically leaders, have a bad habit of implementing things. I've inherited half-baked SIEM tool implementations 3 times now, for instance. Some organizations have processes to try to curb overall spend on IT implementations, as well as ROI calculators that help in determining if that product is a good idea for the company to implement. Regardless of these processes, and despite these processes, if leaders are not careful and intentional about product implementations, organizations become like hoarders we see on reality TV shows on A&E or TLC. (Truth be told, I've watched a number of them. Hoarders: Buried Alive, for example.)

Hoarders love to collect. Hoarders love to buy something, "own" it and bring it home. Organizations, meaning IT and the business, purchase and collect applications that feel (and maybe are) really valuable and really meaningful to the work that they perform. They are all beautiful and valuable when they're new to an organization. Leaders get credit for implementing new technology and enabling new capabilities in the organization. There is an all too common life cycle of products however:

The teams implementing the product go from "fighting for it" (insert appropriate long pause for the typical long implementation here) to "its implemented!"
Now the organization settles into a time where the operational teams are getting to know the product and working on operationalizing it; building processes, workflow, troubleshooting, etc. (some should have happened prior to implementation, for sure, but lots will happen after)
At this point, it is "installed" and probably "operational". This product will sit in a portfolio of other applications that have been implemented and collected over the years.
Various teams pay various levels of attention to the, now old, apps. So, over time, they sit and rot. They may be maintained...or not.

Hoarders are not good at assessing the value of something in relationship to what it costs to keep and maintain it. Eventually, you have a house full of things you've bought and no where to sit or sleep. In a company, the analog of running out of space is running out of budget. No organization can afford to keep every application going that they've purchased over the years, because:

You may no longer have the budget to pay for the staff with the numerous and varied skills needed to maintain a diverse and sprawling application environment.

You may not find that the vendors will support the application versions you're running, security updates included.

You may find that vendors are not willing to support out of date core IT infrastructure older platforms sit on.

I, as an IT security function, will point out the affects of #2 and #3 on what is in the environment on a regular basis.

Leaders are then forced to make a decision, which is a great thing. We need to consider what doesn't need to be maintained and can be removed from the environment. Unfortunately, leaders do not get much credit for dismantling old platforms. Sometimes they get credit for reducing overhead, but there's much more value than just reducing overhead. That is a culture problem that we need to change. Leaders should be rewarded for reducing complexity, reducing risk and reducing overhead. "A penny saved is a penny earned!" said Ben Franklin.

Unfortunately, we can't just call 1-800-Got-Junk and get rid of old applications. But I'd suggest some good directions to base actions:

create threshold for purchasing applications that involves exposing the risks and fully loaded expenses for an application, and use that to slow down expense sprawl.
create standards for the business and IT to follow, and be diligent about growing and tending those standards to meet and be predictive about the organization's needs.
make sure that the cost of maintaining systems is appropriately attributed to where in the organization that system/application supports the business.
make decisions to consolidate like applications.
make decisions to consolidate vendors .
make decisions to simplify the infrastructure.

In the end, I think the primary information security concern about the environments we operate in can be boiled down to being intentional about what we put into the environment. Know what the risk and commitments are before you take action and implement.

Chris

photo credit: canonsnapper via photopin cc

Mashable talks about InfoSec competition!

2013-03-29T11:58:00.001-07:00

Mashable has a great little article that talks about the mature and growing trend of information security competitions. The beauty of these competitions is that they typically have both offensive and defensive elements. The offensive side plays the "capture the flag", abbreviated as CTF in the infosec culture, by trying to break in to systems and networks and discover bits of clues that lead to the grand prize. This is a penetration testing competition, primarily. They serve as the "red team". This is how the the competition in the article worked.

More sophisticated competitions have also a "blue team" that provides defensive, detective capabilities, that will also trying to block the penetration testers and keep systems up and running.

It is a ton of fun, and a challenge for everyone involved.

Mashable: Competition Seeks Next Generation of Cybersecurity Experts
http://mashable.com/2013/03/28/cyber-aces/

Cyber Aces
http://cyberaces.org/

Replaced Windows Home Server (WHS) with a Synology DiskStation

2013-03-15T13:50:00.000-07:00

Over the course of the last year, I've come to the realization that I was going to be switching my Windows Home Server for something else. My issues weren't much different than anyone else's and my reasoning is familiar, but I thought I'd document them here so maybe it will help someone else think through the process and maybe they'll come to the same conclusion in their own situation.

Why I left Windows Home Server:

I was on Home Server v1 still because it worked. Home Server 2011 had issues, as far as I had heard on the Interwebnets.
Microsoft abandoned the Home Server platform. There was nothing after HS2011.
Plug-ins were weak. There were some, and they generally worked. There should have been more. After all, this is a generic server platform underneath. That never materialized.
My Shuttle XPC SN68G2 chassis was good enough (after having to replace two capacitors in the power circuit on the motherboard a couple years in), but I was running out of disk space and needed to buy more/new drives. I only had 3.5TB online. Sounds crazy to say that...
While I had faith I could bare metal restore a workstation that was backed up to the server, I highly questioned having to rebuilt the server. Especially given the lack of support from MSFT, and the eventual lack of support from the Internet community.

Why I went to a Synology NAS:

I wasn't willing to go head-long into a full Windows server. That opened me up to other operating systems.
I was comfortable with this platform being back-ended by Linux. I didn't think I'd be doing a lot of super, command line or other customization, but I thought if it's based on Linux, there's the possibility of the Internet community turning up some cool things.
No major OS to deal with. It is stripped down so there's less complication and less to be compromised, in theory.
Synology builds disk subsystems and NAS platforms for business. That inspires some confidence.
Great reviews.

Am I glad I have one now?

The management console is great. Seriously, this makes the platform.
I was right, by the way. There are some cool things you can do when you get into the guts and homebrew world. There are some restrictions, but you can manipulate things and use common Linux tools. Which is good.
The software capabilities of this server is crazy. Synology maintains and supports a dozen different very, very useful plugins that just work. Need a VPN? No problem. Need media streaming? Sure, there are multiple ones to do that. AND, on top of that, there is an active vendor community. I assume Synology works and helps vendors support their platform. It is really great, given where I came from on WHS.
Given Synology takes pride in their SOHO, home business. It is the equivalent of Honda racing teams bringing some of that technology to a Civic. It shows. The software is the same software they run on their commercial platforms. You see some of that in the console, but doesn't inhibit a home user in any way.
There are apps for Android and iOS to access and manage the server. W00t!
It just works.

What don't I like/what would I like to see?

Hardware-based encryption would have been nice. The speed of the server is fine, but start doing a lot of that and I imagine you'd run into issues.
I'd love to have a Synology NAS-NAS backup solution that would encrypt the actual data. That way I could park one at my brother-in-law's or parent's house and they could have a server I could put vital data. They both have servers, but there's no option to encrypt the data, so it makes everyone feel a little weird about doing it.
That's really it...

Chris

3D designs, fan designs, copyright

2013-02-21T12:05:00.001-08:00

This is going to be interesting. I suspect there will be a middle ground found. We already have laws regarding copying someone's design. The question will be around "fan" work, and the ability of folks to be able to check for copyright and patents easily. AND, it will be up to the copyright/patent holder to hire lawyers and take people to court. So, if you don't have the cash, you won't be able to defend yourself from people copying your design.

http://readwrite.com/2013/02/20/3d-printing-will-be-the-next-big-copyright-fight

And once the 3D printing designs are out on the Internet, it is going to make it even more challenging to protect your own designs.

Chris

Top 10 Reasons Valentines are Like Passwords

2013-02-14T08:46:00.003-08:00

Valentines are like passwords, or is it passwords are like Valentines. I'll let you decide. These are pretty good.

http://www.okta.com/blog/2013/02/top-10-reasons-valentines-are-like-passwords/

My favorite is: No one wants to change them when things are working

AlienVault infographic about 2012 malware

2012-12-19T14:48:00.001-08:00

New infographic from AlienVault, maker of OSSIM, on "The Eternal Life of Malware" showing that 2012 was about malware that simply was a remix of previously seen malware.
Infographic by AlienVault

What version of Adobe Flash am I running?

2012-12-18T12:12:00.003-08:00

Attacks using compromised Adobe Flash files are common, and prevalent in today's malware marketplace. Java has had and gets to keep the title of "King of Vulnerable Software" for the foreseeable future, but Flash is always #2 on the list. This is due to it being installed by default on some older operating systems, and everyone needs it to see dynamic content and videos online.

Because of this, I've wanted to tell what version of Flash I'm currently using in the particular browser on the particular machine that I'm on at any moment in time. It isn't obvious to determine or find this information.

As it turns out, Adobe created a page specifically to help with this problem. I Google'd and found this very handy link from Adobe that allows you to see what version of Flash you're using, as well as a list of what the current version is, AND where to download Flash.

http://helpx.adobe.com/flash-player/kb/find-version-flash-player.html

Good luck, have fun and stay safe out there!
Chris

Need an old version? Go to OldVersion.com

2012-10-16T08:39:00.003-07:00

Ever wanted to make a system vulnerable for demonstration purposes? OldVersion.com can help you accomplish that goal. They have (at the time of this blog article) 7934 versions of 485 programs. There's got to be some good vulns in there somewhere...

http://www.oldversion.com/

Chris

UI Failure...Free Text Message Reminder...

2012-08-10T14:23:00.004-07:00

Judge Orders Defendant to Decrypt Laptop | Threat Level | Wired.com

2012-01-27T13:10:00.000-08:00

Judge Orders Defendant to Decrypt Laptop | Threat Level | Wired.com

This decision has left me wondering, why would someone volunteer to decrypt their laptop? Isn't it the equivalent of telling the police where you hid the murder weapon? You can order someone to do it all you want, but the fact is I can't think of a reason the person would be motivated to give it up. In the end, I guess its the same as a murder weapon; you hope that the more cooperative you are with authorities the less of a sentence you receive as a result of the crime.

This portion of the case was really just a test to see if revealing a password *could* be protected under the 5th amendment, which it is not. I doubt this precedent is going to change much either in police work or in court cases.

Gov't and IP, takedown of MegaUpload.com

2012-01-25T07:50:00.000-08:00

It is an interesting coincidence that in the same week time frame that SOPA/PIPA are to be voted on here in the US, MegaUpload.com is taken offline and its owner being brought up on charges. The US Gov't has conveniently listed them on the home page of MegaUpload.com for us to reference. I think there a couple of interesting points to be made out of these recent events.

SOPA/PIPA are both the wrong tool for the right job. Certainly we expect the government to take steps to protect people's intellectual property (IP) and their copyrights. What we're challenged with, however, is the history of "personal use" when duplicating quality was a problem, and both the originators of the content and the people making personal copies were satisfied with the quality of the copy. Laws and content owners were satisfied (or at least told to be satisfied) with people making copies of media for their own use. Those who are old enough to remember... We copied each other's vinyl albums onto cassette tapes. We made mix tapes from songs recorded from albums or the radio. We bought VCRs specifically to record our favorite TV programs from network, broadcast TV. And all was good, and the law was on our side. Only when technology improved to create near, or even exact, copies of the content were the content providers not satisfied with the laws of "personal use" and sought to change the laws. I would argue that they instead should keep focusing on managing the technology of content delivery. Yes, its a hard problem and one that is going to take a long period of time to resolve. Where content providers are challenged with delivering a product that can be easily copied and distributed, they should not be creating an onerous legal environment which has significant ramifications to more than just their content distribution.
Did MegaUpload.com do something illegal? They should likely be prosecuted for their role in promoting privacy. I say likely, because I'm not privy to the evidence the government has. In matters of prosecution for information security related things, they've been pretty good. The fact that Kim Dotcom barricaded himself in his mansion on the distant island (at least from the US authorities) of New Zealand probably says something about how he feels about his own business dealings as well. Not that its evidence of wrongdoing but...
Shuttering a site that is not used exclusively by evildoers is not a good solution. There should be a better method for dealing with shutting down sites which hold legitimate consumer data. While I believe MegaUpload intentionally catered to the people who wanted to share illegally copied content, I have to imagine that some of that 50 million user base statistic are legitimate users of a functional service. I believe, that similar to how failing banks are transitioned to new banks, sites and data should be transitioned to similar services. How that exactly happens, I'm not sure, and I'm sure it would be challenging, but the point is that consumers are left without their data because the government shut down a site that was providing services to law abiding citizens, unknowingly supporting a (likely) criminal enterprise. People's ownership and stewardship of their data is going to become more and more of an issue as our lives are increasingly data driven.

Comments? I'd love to hear them.

Chris

LABrat.com

uCertify's Computer Hacking Forensic Investigator PrepKit initial impressions

2012-01-04T12:18:00.000-08:00

I received an offer from uCertify to review their "PrepKit" for the EC Council's Computer Hacking Forensic Investigator certification. Given I'm a security geek and hold several certifications, I thought I'd see what it's like. They call this the 312-49 PrepKit.

Initially, the UI looks good and the process of taking the first assessment test was good. Lets face it, the requirements of a test UI isn't rocket science, however it is hard to do well. I think uCertify has done a good job at this component. I was a little challenged in the initial assessment questions around specific tool names, so I'm eager to understand the rest of the test questions to see if this is a quality test prep for that exam.

As soon as I am done with the full review I will post it for you all.

Thanks!
Chris

Hitler and Cloud Computing Security - YouTube

2011-12-01T11:19:00.000-08:00

If you're involved in managing risk assessments for your organization, you will find this video hilarious. The subtitles are where the action is. This video is priceless...

Hitler and Cloud Computing Security - YouTube

Chris

Help stop SOPA/PIPA and corporate censorship of the Internet

2011-11-28T09:48:00.001-08:00

These pair of bills (Senate and House) need to be defeated. The PROTECT IP Act and the Stop Online Piracy Act both go to far. I don't object to the original intent, necessary, to give copyright holders more capabilities to block those people who are infringing on their legitimate rights, however, these bills are overreaching and put the power in the wrong hands (government driven by business). Please sign up at americancensorship.org and help stop these from being passed.

Chris

top testing tools for SQL injection

2011-06-14T12:15:00.000-07:00

While trying to look up options for testing SQL injection, I came a cross a few you may want to try. I have not tried all of these, but it seems that there isn't a good list of them around that Google can find, so I'm going to make one here. YMMV

Happy hunting!
Chris

99.7% of Android phones leak data, contacts can be downloaded

2011-05-21T22:53:00.000-07:00

Turns out that Google uses tokens for authentication that have an unreasonable lifetime. This isn't the real issue. The problem is that when your phone connects to an open wifi network, the phone attempts to reconnect to all the services, including your Google accounts. This is where your contacts are stored. So...sniff the AuthToken, use it later to authenticate/sync to an account, and wah-lah, p0wn3d.

http://mocana.com/blog/2011/05/17/almost-all-android-phones-leak-account-details/

Gee, nice...

Police: Wireless network [cracker] targeted Seattle-area businesses

2011-04-24T00:15:00.000-07:00

Who knew wardriving could still net credit card data. I was considering getting a laptop mount, but maybe that would just arouse suspicion of wardriving for cracking purposes.

Even more brazen is physically stealing the servers themselves. Having the servers, you'll also have the data.

Police: Wireless network hacker targeted Seattle-area businesses - seattlepi.com

Chris

Chrome Facebook error, just to help out others...

2011-04-05T10:34:00.000-07:00

When I clicked on an email notification from Facebook I got the error "Only the recipient of a message may view it." My default browser is Chrome, and when it opened up the link, this is what I got. I cut/pasted the link into IE9 and it opened right up. Seems like Facebook has a problem with Chrome at this point.

Chris

Ideal Skill Set For the Penetration Testing | InfoSec Resources

2011-03-24T11:28:00.000-07:00

This is a great article which flushes out a lot of the key things I look for in a good information security professional. If you have this knowledge and mindset, you will always have job security in the information security business.

Ideal Skill Set For the Penetration Testing | InfoSec Resources

Chris

How to Secure Linux Servers :: Basic Linux Server Security

2011-03-24T11:20:00.000-07:00

Looking for a quick start guide to a security standard for Linux server boxes, or looking to secure your own, here's a quick guide for newer users of Linux:

How to Secure Linux Servers :: Basic Linux Server Security

Chris

Facebook open JavaScript hole

2011-02-11T14:59:00.000-08:00

Facebook open JavaScript hole

This is going to be an issue going forward for a large number of users if Facebook doesn't do something different with how they handle applications. Using iframes creates an abstraction that users can't see. The linked Trend Micro blog has this right. Maybe there will be other protections, but at this point it doesn't look good.

Chris

The awesomeness that is Android on HTC Evo 4G

2011-01-24T13:16:00.000-08:00

As I type this, I am sitting in an car repair shop using my Sprint HTC Evo 4G to run PDANet (Android USB tethering application for Internet access) connected to my netbook, using my noise canceling head phones to listen to PaulDotCom (security podcast) using Car Cast Pro (Android podcast downloader/player) as well as updating my podcast feeds. Android and good Internet access is all good...

Chris