<?xml version='1.0' encoding='UTF-8'?><rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/" xmlns:blogger="http://schemas.google.com/blogger/2008" xmlns:georss="http://www.georss.org/georss" xmlns:gd="http://schemas.google.com/g/2005" xmlns:thr="http://purl.org/syndication/thread/1.0" version="2.0"><channel><atom:id>tag:blogger.com,1999:blog-33391765</atom:id><lastBuildDate>Mon, 07 Oct 2024 05:24:08 +0000</lastBuildDate><category>Information Security</category><category>FISMA</category><category>corporate america</category><category>idiocracy</category><category>sycological warfare</category><category>Apple</category><category>Architecture</category><category>CSIRC</category><category>Confession</category><category>Cyber</category><category>Cyber Law</category><category>Energy</category><category>Ethics</category><category>FOX news</category><category>Government Contractor</category><category>Ipod</category><category>Law</category><category>NOC</category><category>OS X</category><category>Oil</category><category>SAIC</category><category>SOC</category><category>Standards</category><category>Three Laws</category><category>Transparent</category><category>WONK</category><category>Warming</category><category>agenda</category><category>anti-virus</category><category>bush</category><category>control</category><category>death</category><category>explosives</category><category>hacking</category><category>iPhone</category><category>least privilage</category><category>malware</category><category>privacy</category><category>segragation</category><category>seperation</category><category>stupid people</category><category>terrorism</category><category>underdog.</category><category>war</category><title>The Dark @rts</title><description>Demystifying Information Security for the Masses</description><link>http://thedarkarts1297.blogspot.com/</link><managingEditor>noreply@blogger.com 
(Unknown)</managingEditor><generator>Blogger</generator><openSearch:totalResults>48</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><item><guid isPermaLink="false">tag:blogger.com,1999:blog-33391765.post-8444945795226466103</guid><pubDate>Fri, 07 Oct 2011 20:53:00 +0000</pubDate><atom:updated>2011-10-07T13:53:18.539-07:00</atom:updated><title>Atonement</title><description>For me this is the time of the year that I go into reflection mode. This is the time of year that Jews ask tough questions about how they are doing in their relationship to g-d.  But there is a lesson for all here in regards to information security.  We are constantly evolving and changing, so a process of continuous monitoring isn&#39;t much different from the process of identifying faults in oneself and atoning.  &lt;br /&gt;
&lt;br /&gt;
Most organizations are reasonably good at identifying cyber incidents, but few if any atone for their mistakes to keep them from happening again.  Atonement really is a process of not allowing past transgressions to happen again.  &lt;br /&gt;
&lt;br /&gt;
With that said, what can you do as a user to make the next 12 months better for your company or organization, to not repeat the information security sins of the past and keep the barbarians at the gate? &lt;br /&gt;
&lt;br /&gt;
</description><link>http://thedarkarts1297.blogspot.com/2011/10/attonment.html</link><author>noreply@blogger.com (Unknown)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-33391765.post-1326276326362713265</guid><pubDate>Thu, 06 Oct 2011 03:26:00 +0000</pubDate><atom:updated>2011-10-05T20:26:13.755-07:00</atom:updated><title>Thank you Steve...</title><description> Matt Galligan wrote: “R.I.P. Steve Jobs. You touched an ugly world of technology and made it beautiful.” This is one of the truest quotes I&#39;ve seen today about Steve Jobs.  Before Steve all computers were these ugly boxes you did work at. Then the iMac came and the entire industry began a 20-year shift to what we have today.  Steve Jobs made computing a personal experience and believed in the power that people can have when they have freedom to access information anywhere at any time.  I think he leaves the world a better place and hope the team at Apple is up to the challenge of honoring his legacy by pushing computing beyond our wildest imaginations.  </description><link>http://thedarkarts1297.blogspot.com/2011/10/thank-you-steve.html</link><author>noreply@blogger.com (Unknown)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-33391765.post-728602809347241599</guid><pubDate>Sat, 01 Oct 2011 05:23:00 +0000</pubDate><atom:updated>2011-09-30T22:23:05.149-07:00</atom:updated><title>Happy New Year!</title><description>Well it&#39;s a new year and time for resolutions.  What cyber security resolutions will you make?  Better trained employees, more automation, or just getting a security program up and running?  
</description><link>http://thedarkarts1297.blogspot.com/2011/09/happy-new-year.html</link><author>noreply@blogger.com (Unknown)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-33391765.post-5970917146620664101</guid><pubDate>Sat, 08 Aug 2009 04:13:00 +0000</pubDate><atom:updated>2009-08-07T21:21:52.803-07:00</atom:updated><title>Life on the Dark Side</title><description>&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;a onblur=&quot;try {parent.deselectBloggerImageGracefully();} catch(e) {}&quot; href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2CNRBGMFJTbKoYpdFUnl8aPzh6GZIRytuwC8L7retRdotnKF9oysxqFb-prAMF6QEs5_-tgrEK1WbGqdH0gEKU5ieGRxOjtWoRy1kq0A-5vPSkQARS148t9dnL8fgJxsvwVhp/s1600-h/darth-vader1.jpg&quot; style=&quot;text-decoration: none;&quot;&gt;&lt;img style=&quot;display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 251px; height: 320px;&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2CNRBGMFJTbKoYpdFUnl8aPzh6GZIRytuwC8L7retRdotnKF9oysxqFb-prAMF6QEs5_-tgrEK1WbGqdH0gEKU5ieGRxOjtWoRy1kq0A-5vPSkQARS148t9dnL8fgJxsvwVhp/s320/darth-vader1.jpg&quot; border=&quot;0&quot; alt=&quot;&quot; id=&quot;BLOGGER_PHOTO_ID_5367441414817093330&quot; /&gt;&lt;/a&gt;&lt;div&gt;As some of you may know back in March I took a position working as a Federal Civil Service employee.  In the past I have railed against what I&#39;ve called the dark side.  Now I find myself being the dark side.  One of the most profound things I&#39;ve learned is that one should never criticize anything that one has not experienced.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Being a federal contractor and being a Government Full Time Employee (GFTE) are two completely different experiences.  So life on the dark side of the force is pretty awesome.  But then again maybe I&#39;m just drunk with power?!?!?!  
&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;</description><link>http://thedarkarts1297.blogspot.com/2009/08/life-on-dark-side.html</link><author>noreply@blogger.com (Unknown)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2CNRBGMFJTbKoYpdFUnl8aPzh6GZIRytuwC8L7retRdotnKF9oysxqFb-prAMF6QEs5_-tgrEK1WbGqdH0gEKU5ieGRxOjtWoRy1kq0A-5vPSkQARS148t9dnL8fgJxsvwVhp/s72-c/darth-vader1.jpg" height="72" width="72"/><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-33391765.post-4308874231475816939</guid><pubDate>Wed, 31 Dec 2008 07:36:00 +0000</pubDate><atom:updated>2008-12-30T23:37:28.431-08:00</atom:updated><title>Animatrix meet Iran. Iran meet Animatrix</title><description>Holy Sh#t this is good stuff! All too often we submit to being sheep and believing what ever the media or authority figures tell us to believe without question. It&#39;s easy to demonize people you&#39;ve never met or talked too. 
All I ask is that you get both sides of an issue before forming an opinion.&lt;br /&gt;&lt;br /&gt;&lt;object width=&quot;400&quot; height=&quot;225&quot;&gt;&lt;param name=&quot;allowfullscreen&quot; value=&quot;true&quot; /&gt;&lt;param name=&quot;allowscriptaccess&quot; value=&quot;always&quot; /&gt;&lt;param name=&quot;movie&quot; value=&quot;http://vimeo.com/moogaloop.swf?clip_id=2232226&amp;amp;server=vimeo.com&amp;amp;show_title=1&amp;amp;show_byline=1&amp;amp;show_portrait=0&amp;amp;color=&amp;amp;fullscreen=1&quot; /&gt;&lt;embed src=&quot;http://vimeo.com/moogaloop.swf?clip_id=2232226&amp;amp;server=vimeo.com&amp;amp;show_title=1&amp;amp;show_byline=1&amp;amp;show_portrait=0&amp;amp;color=&amp;amp;fullscreen=1&quot; type=&quot;application/x-shockwave-flash&quot; allowfullscreen=&quot;true&quot; allowscriptaccess=&quot;always&quot; width=&quot;400&quot; height=&quot;225&quot;&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;a href=&quot;http://vimeo.com/2232226&quot;&gt;Iran: A nation of bloggers&lt;/a&gt; from &lt;a href=&quot;http://vimeo.com/user580903&quot;&gt;Mr.Aaron&lt;/a&gt; on &lt;a href=&quot;http://vimeo.com&quot;&gt;Vimeo&lt;/a&gt;.</description><link>http://thedarkarts1297.blogspot.com/2008/12/animatrix-meet-iran-iran-meet-animatrix.html</link><author>noreply@blogger.com (Unknown)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-33391765.post-6832095431368845274</guid><pubDate>Wed, 10 Dec 2008 07:56:00 +0000</pubDate><atom:updated>2008-12-09T23:57:55.867-08:00</atom:updated><title>Tis the Season to get Jacked!</title><description>It’s the season to be jolly and grateful but also, sadly, the time to get ripped off (if you’re not careful).&lt;br /&gt;&lt;br /&gt;US-CERT reported the following on Monday: &lt;br /&gt;&lt;br /&gt;Malware Spreading via Social Networking Sites&lt;br /&gt;added December 8, 2008 at 02:48 pm&lt;br /&gt;&lt;br /&gt;US-CERT is aware of public reports of malware spreading via popular 
social networking sites. The reports indicate that this malware is spreading through spam email messages appearing to come from Myspace.com, Facebook.com, and Classmates.com. The email contains a message indicating that there is a YouTube video available and instructs the user to follow the link to view the video. If users click on this link, they will be prompted to update Adobe Flash Player. This update is not a legitimate Adobe Flash Player update--it is malicious code.&lt;br /&gt;&lt;br /&gt;US-CERT encourages users and administrators to do the following to help mitigate the risks:&lt;br /&gt;&lt;br /&gt;    * Install antivirus software and keep the virus signatures up to date.&lt;br /&gt;    * Do not follow unsolicited links.&lt;br /&gt;    * Use caution when downloading and installing applications.&lt;br /&gt;    * Obtain software applications and updates directly from the vendor&#39;s website.&lt;br /&gt;    * Configure your web browser as described in the Securing Your Web Browser document.&lt;br /&gt;    * Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.&lt;br /&gt;    * Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.&lt;br /&gt;&lt;br /&gt;The majority of the time the goal of the attacker is to get your credit card number or personally identifiable information.  With more and more folks finding a pink slip waiting at the end of the day, cyber crime (as with all forms of crime) is on the rise, so in the immortal words of Hill Street Blues, “Let’s be careful out there”.  If you plan to do most of your holiday shopping online this season I recommend using PayPal’s security key so your credit card information isn’t sent over the net.  
(https://www.paypal.com/securitykey)&lt;br /&gt;&lt;br /&gt;Most, if not all, users have Adobe Flash installed on their desktops and/or laptops so I thought I’d pass this along to the community as a friendly reminder to always “trust but verify.”</description><link>http://thedarkarts1297.blogspot.com/2008/12/tis-season-to-get-jacked.html</link><author>noreply@blogger.com (Unknown)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-33391765.post-2406265938483468589</guid><pubDate>Sun, 23 Nov 2008 21:01:00 +0000</pubDate><atom:updated>2008-11-23T13:03:58.889-08:00</atom:updated><title>Oh what the he77...</title><description>I feel like I posted this before but what the heck... Nobody reads this anyways!! Ha Ha Ha! &lt;br /&gt;&lt;br /&gt;In WWII carpet bombing laid waste to most of Europe leaving little to nothing behind.  In contrast today a FAC can sight an insurgent truck with GPS positioning binoculars to call in an orbiting B-52 to prosecute the target.  The correlation between the history of modern warfare and the development and maturation of malicious code could be viewed as striking.&lt;br /&gt;&lt;br /&gt;A concern seen expressed on INFOSEC blogs is that threats to a theoretical or “typical” enterprise could operate with impunity due to the security controls in place not having the ability to adapt and respond to new and emerging threats.  I think the Federal IT space is at a point now that from a modern warfare perspective could be equated to the time before the GIG came to be an integral part of the warfighter’s toolset.  
I see great possibilities to transform federal information security through cost-effective risk management.</description><link>http://thedarkarts1297.blogspot.com/2008/11/oh-what-he77.html</link><author>noreply@blogger.com (Unknown)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-33391765.post-3614430996680876436</guid><pubDate>Sun, 23 Nov 2008 19:32:00 +0000</pubDate><atom:updated>2008-11-23T11:33:44.026-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Information Security</category><title>Bad Blogger</title><description>Okay I&#39;m just going to admit it and stop being in denial: I&#39;m a bad blogger!  There, I feel better now.  With that said I offer the following gem.  &lt;br /&gt;&lt;br /&gt;How Security Became an Issue&lt;br /&gt;&lt;br /&gt;It is interesting to pick up various computer books and see that there is usually a history section that sets the stage for where society is today pertaining to computing and data processing. Unlike histories that tell of times long past, the history of computing typically begins in the 1960s. A lot has happened in a short period of time, and computer security is just starting to reach its time in the limelight.&lt;br /&gt;&lt;br /&gt;Roughly twenty-five years ago, the only computers were mainframes. They were few and far between and used for specialized tasks, usually running large batch jobs, one at a time, and carrying out complex computations. If users were connected to the mainframes, it was through “dumb” terminals that had limited functionality and were totally dependent on the mainframe for their operations and processing environment. This was a closed environment with little threat of security breaches or vulnerabilities being exploited. This does not mean that things were perfect, that security vulnerabilities did not exist, and that people were in a computing utopia. 
Instead, it meant there were a handful of people working in a “glass house” who knew how to operate the computer. They decided who could access the mainframe and when. This provided a much more secure environment, because of its simplicity, than what we see in today’s distributed and interconnected world.&lt;br /&gt;&lt;br /&gt;In the days of mainframes, web sites describing the steps of how to break into a specific application or operating system did not exist. The network stacks and protocols being used were understood by very few people relative to the vast number of people that understand stacks and protocols today. Point-and-click utilities that can overwhelm buffers or interrogate ports did not exist. This was a truly closed environment that only a select few understood.&lt;br /&gt;&lt;br /&gt;If networks were connected, it was done in a crude fashion for specific tasks, and corporations did not totally depend on data processing as they do today. The operating systems of that time had problems, software bugs, and vulnerabilities, but not many people were interested in taking advantage of them. Computer operators were at the command line and if they encountered a software problem, they usually just went in and manually changed the programming code. All this was not that long ago, considering where we are today.&lt;br /&gt;&lt;br /&gt;As companies became more dependent on the computing power of mainframes, the functionality of the systems grew and various applications were developed. It was clear that giving employees only small time slices of access to the mainframes was not as productive as it could be. 
Processing and computing power was brought closer to the employees, enabling them to run small jobs on their desktop computers while the big jobs still took place within the “glass house.” This trend continued and individual computers became more independent and autonomous, only needing to access the mainframe for specific functionality.&lt;br /&gt;&lt;br /&gt;As individual personal computers became more efficient, they continually took on more tasks and responsibilities. It was shown that several users accessing a mainframe was inefficient and that some major components needed to be more readily available so that users could perform their tasks in an efficient and effective way. This thinking led to the birth of the client/server model. Although many individual personal computers had the processing power to compute their own calculations and perform their own logic operations, it did not make sense that each computer held information that was needed by all other computers. Thus, programs and data were centralized on servers, with individual computers accessing them when necessary and accessing the mainframes less frequently.</description><link>http://thedarkarts1297.blogspot.com/2008/11/bad-blogger.html</link><author>noreply@blogger.com (Unknown)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-33391765.post-1875015521093483245</guid><pubDate>Mon, 28 Jul 2008 19:33:00 +0000</pubDate><atom:updated>2008-07-28T12:35:50.657-07:00</atom:updated><title>A long summer away..</title><description>I seem to be drawn away from blogging in the summer as there is always something outside that calls me away. Well to be a seasonal blogger or just blog I think the important thing is just to keep posting.  Maybe someone out there finds what I have to say insightful and useful.  But then again I&#39;ve said that I&#39;m doing this for me.  
If other folks enjoy my blog, all the better!</description><link>http://thedarkarts1297.blogspot.com/2008/07/long-summer-away.html</link><author>noreply@blogger.com (Unknown)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-33391765.post-8046855948352086640</guid><pubDate>Mon, 28 Jul 2008 19:31:00 +0000</pubDate><atom:updated>2008-07-28T12:32:36.429-07:00</atom:updated><title>A Time for heresy...</title><description>Ah but without heretics we&#39;d still think that the sun revolved around the earth! We must challenge the status quo in order to provide a space where true freedom can prosper.  Some wise person (wink wink) once told me there are three kinds of GS employee: 1) the kind that cares and works hard to get the job done, 2) the power mongers, and 3) the burn outs.  &lt;br /&gt;&lt;br /&gt;I&#39;d have to say that 70% of the GS&#39;rs fall into the burn out category, with 20% falling into the getting the job done category (not necessarily correctly mind you), and the last 10% being the power-hungry prima donnas.&lt;br /&gt;&lt;br /&gt;I’d like to see those percentages shift to 10% burn outs and 70% getting the job done and the remaining 20% focused on service improvement.  In other words the 20% would be the management who care about getting better service to the American taxpayer.  But therein lies the core of the problem, that another very wise man (wink wink) shared with me: the Federal Government is the largest non-profit business on the face of the planet.  It is only answerable to Congress (another branch of itself) and as we have seen from the esteemed Senator from Alaska the internet is a series of tubes!  &lt;br /&gt;&lt;br /&gt;With the watchers being blinded by ignorance to the power at their fingertips I think it becomes easier to understand and accept that the culture of security goes beyond those who work, those who are burned out, and those who just want power.  
The culture of security is analogous to the culture of seat belts.  &lt;br /&gt;&lt;br /&gt;Once upon a time the presence of seat belts in the car was optional.  It wasn’t until a guy named Nader (another heretic) spoke out for automotive safety standards that things started to change.  I think the most important word of that statement is “started” as it took 30-plus years of education and enforcement to see the survival rates that we see on the highways today.  People I know put seat belts on and don’t even think twice about it.&lt;br /&gt;&lt;br /&gt;We’ve just begun this effort to change the culture of information security in the federal government.  It’s going to take a long time, a lot of effort, money, and enforcement (giving people tickets for not clicking the seatbelt as it were) and maybe even fighting the good fight for a generation.  The X Gen folks (me), and those that came after me, have a different perception of the meaning of data and what is possible with the data processing systems we have today.  &lt;br /&gt;&lt;br /&gt;I have only seen one X Gen’r in a senior position within the federal IT space and the rest are baby boomers who, I believe, have it burned into their punch card heads that, and they will deny this, we live in a world where data is like concrete.  You pick it up, move it, store it and build things with it.  I look at data like water.  It can harden into blocks of ice data, melt to flow in any direction, or evaporate into a gas state (it’s there but you can’t see it).  I don’t think the baby boomer managers out there are even aware of this at a conscious level.  Remember it’s burned into their punch card brains.  &lt;br /&gt;&lt;br /&gt;Regardless of whether they are aware of it or not they are not looking at data systems like vessels for water management.  They look at blocks of concrete, which ultimately impacts the entire conversation about data security and how we interact within our digital lives.  
After all why should we care about rogue access onto a network if data is a concrete block that I can tie down (password protect) in an NTFS file share?  But if you look at it from a fluid dynamics perspective everything changes and the insanity of classified or privacy information on a public network share becomes clearer.  Fluids are constantly in motion or in a process of transition from one state to another due to the influence of the environment around them.  The same holds true for data if your mind is open to the concept.</description><link>http://thedarkarts1297.blogspot.com/2008/07/time-for-hericy.html</link><author>noreply@blogger.com (Unknown)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-33391765.post-8708921137906967646</guid><pubDate>Wed, 02 Apr 2008 05:56:00 +0000</pubDate><atom:updated>2008-04-01T22:58:09.866-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">FISMA</category><category domain="http://www.blogger.com/atom/ns#">idiocracy</category><category domain="http://www.blogger.com/atom/ns#">Information Security</category><category domain="http://www.blogger.com/atom/ns#">stupid people</category><title>Money,  It&#39;s a Gas...</title><description>I can say that for the most part INFOSEC continues to be an &quot;afterthought&quot; as a reaction to OMG we just lost 40,000 PII records and now we have to go before a congressional committee explaining why we lost Senator &quot;X&quot;&#39;s PII.&lt;br /&gt;&lt;br /&gt;The key problem isn&#39;t the lack of laws, technology, or even smart IT Security folks to make it work.  The problem is that the stupid people outnumber the smart people on a gross, and frightening, scale.  &lt;br /&gt;&lt;br /&gt;To compound that problem the people who control the money are not the smart people but the stupid people in the accounting offices.   
Most of whom are, you guessed it, accountants who do not understand the fuzzy logic of IT Security.&lt;br /&gt;&lt;br /&gt;My mother is a CPA, and god bless her I love her very much, but if even so much as a cent is out of place she goes nuts finding it, and find it she does.  That is her job and what she understands.  &lt;br /&gt;&lt;br /&gt;When I try to help her with IT issues the same binary thought process kicks in.  She will complain that &quot;my computer is slow&quot; and the response is to buy a new one because binary logic says that if the computer is slow it is because the computer is old and should be replaced.   &lt;br /&gt;&lt;br /&gt;As IT Security people we would look at the system from a holistic perspective and not from the single variable.  The main reason her laptop, which was only 1 year old, was slow is that she loaded it with junk programs and the operating system did what it always did and filled up with Cr@p.  So over time the system kept tracking down a death spiral until it started blue screening.  &lt;br /&gt;&lt;br /&gt;Therein lies the other problem we face to get the budget needed to meet the objectives outlined by the stupid people.  The level of complexity of information security issues can&#39;t be solved by buying a new shiny widget (laptop).  The business must be understood and the impact to the business must be made clear if the IT assets supporting the business are negatively affected in any way.  &lt;br /&gt;&lt;br /&gt;Yet the stupid people, who control the money, don&#39;t understand that this level of detail isn&#39;t a nice thing to have; it should be a required thing.  
But seriously look at who is really running your show (business) and ask yourself &quot;would they know how to get to grep?&quot; or &quot;do they understand what happens when they ask to run a network scan at 2 pm on Thursday before payroll gets sent out the next day?&quot;  or, and my personal favorite, &quot;I need an exception to Proxy rules for one person....&quot; to which I say why? and the response is &quot;because&quot; and I say this will mod the Proxy for the entire agency... and the response is &quot;So?&quot; &lt;br /&gt;&lt;br /&gt;Just remember who we are all dealing with.  I&#39;m not saying these people are bad or even malicious in their intent.  It&#39;s just that dumb and dumber are running the show and those of us who have a clue are out in the cold wondering how we got locked out of the warm cabin again.  &lt;br /&gt;&lt;br /&gt;Proving to the dumb and dumbers that money spent on IT Security is worthwhile will never be an easy chore because we will always be a cost center.  &lt;br /&gt;What do CFOs love to do most and most often?  Seek and Destroy cost centers!  It is their mission in life, and forget trying to explain that not upgrading a network intrusion sensor will leave them vulnerable because the requirement states they have to have NIDS in place.  &lt;br /&gt;&lt;br /&gt;It falls back to the CPA that says I have NIDS so I am good to go.  When in reality the NIDS in place are worthless because they are end of life and can&#39;t upgrade to cover the latest IDS signatures.  
&lt;br /&gt;&lt;br /&gt;But the CPA that lives in every CFO and manager says I&#39;m covered so why worry?</description><link>http://thedarkarts1297.blogspot.com/2008/04/money-its-gas.html</link><author>noreply@blogger.com (Unknown)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-33391765.post-6279720249298814119</guid><pubDate>Fri, 07 Mar 2008 06:14:00 +0000</pubDate><atom:updated>2008-03-07T06:29:45.713-08:00</atom:updated><title>Is IPv4 Dead?</title><description>I&#39;ve heard many speak of the &quot;end of days&quot; for IPv4 and calling for IPv6.  Many who make such calls want technology to move forward because they are well-meaning and good engineers that know IPv6 is a better platform from many different perspectives.  One thing though that we engineers tend to forget is who we work for.  Engineers solve problems &quot;the others&quot; create for us because of something they need or want to do.  I have not seen too many engineers in charge of marketing departments or CEOs.&lt;br /&gt;&lt;br /&gt;Thus choices about network topology and protocols are constrained by the needs of &quot;the others&quot; whom we look down upon as slightly more functional than a village idiot.  However we need to remember two things: 1) those whom we serve need us as much as we need them, and 2) business will always drive us, and as much as we want to migrate to better standards the users (stupid folks) don&#39;t care how the packet gets there as long as it does.&lt;br /&gt;&lt;br /&gt;NATs solved the immediate problems of IP address space limitations but still left the transport wide open from a vulnerability perspective.  So is IPv4 an undead zombie corpse that just hasn&#39;t walked into the path of the tractor trailer speeding down the highway?  
Do we as security folk need to start getting ready now and head back to school again?&lt;br /&gt;&lt;br /&gt;&lt;object width=&quot;425&quot; height=&quot;355&quot;&gt;&lt;param name=&quot;movie&quot; value=&quot;http://www.youtube.com/v/_y36fG2Oba0&quot;&gt;&lt;/param&gt;&lt;param name=&quot;wmode&quot; value=&quot;transparent&quot;&gt;&lt;/param&gt;&lt;embed src=&quot;http://www.youtube.com/v/_y36fG2Oba0&quot; type=&quot;application/x-shockwave-flash&quot; wmode=&quot;transparent&quot; width=&quot;425&quot; height=&quot;355&quot;&gt;&lt;/embed&gt;&lt;/object&gt;</description><link>http://thedarkarts1297.blogspot.com/2008/03/is-ipv4-dead.html</link><author>noreply@blogger.com (Unknown)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-33391765.post-2408007927069486014</guid><pubDate>Sat, 26 Jan 2008 04:17:00 +0000</pubDate><atom:updated>2008-01-25T20:20:54.060-08:00</atom:updated><title>Just for fun!</title><description>As with many folks I do have interests outside of my chosen profession.  This is the first movie I have ever made using my Canon Powershot A95 and Apple iMovie 08. I shot this on Monday of this week.  Enjoy! 
&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;object width=&quot;425&quot; height=&quot;355&quot;&gt;&lt;param name=&quot;movie&quot; value=&quot;http://www.youtube.com/v/5lCQgKWbafE&amp;rel=1&quot;&gt;&lt;/param&gt;&lt;param name=&quot;wmode&quot; value=&quot;transparent&quot;&gt;&lt;/param&gt;&lt;embed src=&quot;http://www.youtube.com/v/5lCQgKWbafE&amp;rel=1&quot; type=&quot;application/x-shockwave-flash&quot; wmode=&quot;transparent&quot; width=&quot;425&quot; height=&quot;355&quot;&gt;&lt;/embed&gt;&lt;/object&gt;</description><link>http://thedarkarts1297.blogspot.com/2008/01/just-for-fun.html</link><author>noreply@blogger.com (Unknown)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-33391765.post-7497024210964479899</guid><pubDate>Fri, 25 Jan 2008 08:57:00 +0000</pubDate><atom:updated>2008-01-25T00:57:49.980-08:00</atom:updated><title>Digital Certs and Smart Cards the Future of Info Security</title><description>Bill Gates: Digital Certs and Smart Cards the Future of Info Security&lt;br /&gt;&lt;br /&gt;Your browser may not support display of this image.&lt;br /&gt;&lt;br /&gt;Speaking in the opening keynote address of the RSA Conference 2007 in San Francisco, Microsoft Chairman Bill Gates said that security needs to migrate from the computer infrastructure to the end user, in order to cope with the changing environment of portable devices inside corporate networks.&lt;br /&gt;&lt;br /&gt;“Security is the fundamental challenge that will determine whether we can successfully create a new generation of connected experiences that enable people to have anywhere access to communications, content and information,” he said.&lt;br /&gt;&lt;br /&gt;“This challenge is going to get a lot tougher,” he said. “The threat landscape has evolved in dramatic ways. When we first began working on Vista most attacks were done for notoriety. 
Today it is a lot more serious and nefarious than it was five years ago,” he added.&lt;br /&gt;&lt;br /&gt;In his last keynote speech at RSA the Microsoft chairman criticized conventional passwords. “Passwords are not only weak, but passwords have the huge problem that if you get more and more of them, the worse it is,” he said. “Smart cards and certificates in general is the way to go. Enterprises should start to migrate from passwords to smart cards. We are laying the groundwork so that we can have certificate-based roots of trust.”&lt;br /&gt;&lt;br /&gt;– Fiona Raisbeck, SC Magazine, at RSA Conference in San Francisco February 6, 2007.</description><link>http://thedarkarts1297.blogspot.com/2008/01/digital-certs-and-smart-cards-future-of.html</link><author>noreply@blogger.com (Unknown)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-33391765.post-5771103493331116420</guid><pubDate>Mon, 21 Jan 2008 05:15:00 +0000</pubDate><atom:updated>2008-01-20T21:20:07.963-08:00</atom:updated><title>My Wonk Died</title><description>I was going back through some old posts and saw my writing about my inner wonk. I just wanted to share that I believe the Wonk in me is dead. I&#39;ve evolved beyond that point and with my thoughts focused on &quot;transparency&quot; I think I have hope for a better tomorrow.  
Now to drag that better tomorrow into today!</description><link>http://thedarkarts1297.blogspot.com/2008/01/my-wonk-died.html</link><author>noreply@blogger.com (Unknown)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-33391765.post-5393602807561149986</guid><pubDate>Mon, 21 Jan 2008 03:38:00 +0000</pubDate><atom:updated>2008-01-20T20:54:56.429-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Architecture</category><category domain="http://www.blogger.com/atom/ns#">FISMA</category><category domain="http://www.blogger.com/atom/ns#">Information Security</category><category domain="http://www.blogger.com/atom/ns#">Transparent</category><title>Transparency Arrived Today</title><description>I see the disconnection between the user and what is really going on under the hood in the same way we see people on the freeway disconnected from the chaos just a few inches away.  I think the way to break the &quot;hamster wheel of pain&quot; is to stop treating risk as a model that all things form into.  Rather we need to factor risk as a &quot;driver&quot; in a machine we&#39;ll call the Automated Processing Environment (APE).   &lt;br /&gt;&lt;br /&gt;The APE is essentially stupid, slow, and constantly vulnerable to attack from smaller, faster, and more agile life forms.  The APE isn&#39;t simply a collection of hardware, software and security controls.  It is physical, human, and logical.  I believe that we have to move on from the SDLC, CIA, and all models that have been crafted before this time because the complexity of attacks that we see in our environments simply cannot be captured with current thinking in a way that helps us move forward.  
&lt;br /&gt;&lt;br /&gt;If we shift the paradigm and factor in that, at the most basic level, we have human, physical, and logical assets all interacting with one another in a constant state of flux, it becomes next to impossible to authentically predict, or better yet, assess the risk posture of the APE.  The piecemeal approach to providing a “cure” to the information security challenges simply will not pass muster any more.  We must address all components at once. Why? If all pieces of the APE triad (Human, Physical, or Logical) are not addressed at the same time, and with the same vigor, then the triad will collapse, and once again become vulnerable from the segment that was not equally bolstered.  I&#39;ve talked about transformation before in previous posts but I think that trying to improve one section at a time will never work because we will always be chasing the &quot;tail of the dragon&quot;.  &lt;br /&gt;&lt;br /&gt;The same is true for mitigating risk to data.  All too often I have seen huge efforts to implement technical solutions that do yield &quot;a result&quot; but that result is never fully understood.  Manufacturers love to show dashboards showing all the security data that has been collected but in the end the dashboard serves no tangible purpose to understanding what is going on in the APE.   &lt;br /&gt;&lt;br /&gt;To break the cycle we must change the way business is done.  We must become more closed and bring more sensitive data closer to home.  This could be done by &quot;purging&quot;  all sensitive data from systems that are in the wild and bringing the data literally inside the walls of the Data Center.  We need to move to a use of both the client/server and the more feudal approach of thin client architecture that pulls data processing into centrally managed activities in order to strike a risk-based, cost-balanced approach.  
An awareness of who, what, where, and when sensitive data is being processed will help reduce the threat of loss of the data into the wild, just like a diamond on display in a museum is protected but shared through the exhibition.  &lt;br /&gt;&lt;br /&gt;But by far the greatest weakness in the APE triad is the human factor. Behaviors must be modified and addressed immediately upon discovery.  When I worked the flight line I saw folks sent home immediately after any kind of accident.  One case sticks out in my mind at SFO where the tug driver ran a container into the side of an aircraft. He immediately was sent for a drug test and ordered to take a week without pay. Hence I would say the level of intensity and focus during a turn around was extreme.  The danger was present and the risks real. That fear does not exist in the mind of the average user but should in those APE users that roam in a hostile world. &lt;br /&gt;&lt;br /&gt;To be truly transparent means not only to report the control failures but to have visibility into any area of the enterprise allowing issues to be fully and freely expressed before they manifest themselves into security events.</description><link>http://thedarkarts1297.blogspot.com/2008/01/transparency-arrived-today.html</link><author>noreply@blogger.com (Unknown)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-33391765.post-4636000767077251548</guid><pubDate>Sat, 12 Jan 2008 18:31:00 +0000</pubDate><atom:updated>2008-01-12T10:35:03.187-08:00</atom:updated><title>Did you know you can do something about...</title><description>Did you know that you can help reduce the national debt? You sure can by sending the government money directly to pay down the debt.  Unlike taxes which are controlled by politicians and rarely go towards paying the national debt you can make a difference.  
&lt;br /&gt;&lt;br /&gt;How do you make a contribution to reduce the debt?&lt;br /&gt;&lt;br /&gt;Make your check payable to the Bureau of the Public Debt, and in the memo section, notate that it is a Gift to reduce the Debt Held by the Public. Mail your check to:&lt;br /&gt;&lt;br /&gt;Attn Dept G&lt;br /&gt;Bureau Of the Public Debt&lt;br /&gt;P. O. Box 2188&lt;br /&gt;Parkersburg, WV 26106-2188 &lt;br /&gt;&lt;br /&gt;Or you can fire your elected official and hire (vote) for someone who will be responsible to the people that put&#39;em in office!</description><link>http://thedarkarts1297.blogspot.com/2008/01/did-you-know-you-can-do-something-about.html</link><author>noreply@blogger.com (Unknown)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-33391765.post-3973846350098787196</guid><pubDate>Wed, 19 Dec 2007 05:53:00 +0000</pubDate><atom:updated>2007-12-18T22:19:42.637-08:00</atom:updated><title>Stay home and don&#39;t give...</title><description>I&#39;ve been wondering why I haven&#39;t been as dedicated a blogger as I should be and I have come to the conclusion that the entire premise for my blogging was flawed from the get go.  I was blogging not for myself but for some imagined audience out there.  &lt;br /&gt;&lt;br /&gt;Well that audience hasn&#39;t materialized but more importantly I don&#39;t care anymore. I&#39;m blogging now for myself just for the knowledge that my thoughts have been in some way added to the zeitgeist of the Internet.  I am still committed as ever to helping people secure information.  &lt;br /&gt;&lt;br /&gt;Through my writing and experiences this year I have come to the conclusion that information is more important than the systems that process it.  This is not to say that those systems are irrelevant as the symbiosis that is in play can not be ignored.  &lt;br /&gt;&lt;br /&gt;It is critical that we refocus on the information (data) in our lives.  
Where that information rests, when it is in motion, and what controls are in place to manage that information.  I can put my dog in front of a door with my laptop running without a password and an open file with all my passwords on the screen.  &lt;br /&gt;&lt;br /&gt;But just as if a tree fell on a Mime the question comes down to &quot;Does anyone care?&quot;.  &lt;br /&gt;I see every day, and sadly too often from people who should know better, that we just don&#39;t see shades of gray, we are those shades.  &lt;br /&gt;&lt;br /&gt;I&#39;ve said before how human beings want simple easy answers because we are all essentially 8 years old and want to feel protected.  The truth I have accepted is that we will never be 8 years old again and we will always be vulnerable. There will never be simple answers to questions of the control of information.  So please stop being FRACKING fixated on the shiny box and look at the contents (data) in the box for FRAK&#39;S SAKE!!! Then look at the boxes around your shiny box and ask yourself if your shiny box fits inside any of the other shiny boxes and go from there! &lt;br /&gt;&lt;br /&gt;So as we close out 2007 I would like to fire off a few parting shots.&lt;br /&gt;&lt;br /&gt;The first is a request... &lt;br /&gt;&lt;br /&gt;Please don&#39;t do your holiday shopping at work. I can&#39;t believe that you have the balls let alone the time to sit there and pretend to work when you are on Amazon, Barnes &amp; Noble, or Victoria&#39;s Secret when you should be getting whatever it is you&#39;re being paid to do done!  &lt;br /&gt;&lt;br /&gt;For that matter don&#39;t shop! Drag your lazy family (or your own @ss) down to a local reputable charity and give your time.  Forget money, though I am sure that the Red Cross, Salvation Army, or other worthy charity would happily take your money, as time is often more important than any amount of money you can give.  
&lt;br /&gt;&lt;br /&gt;I&#39;ll go on record as saying I hate what Christmas is today in North America. (Remember Christmas is not observed the same way in different parts of the world so I am not opposed to Christmas just the way it is observed.)&lt;br /&gt;&lt;br /&gt;So stay home spending time with your family and don&#39;t give to your family but to your fellow human who doesn&#39;t have a warm place to stay.</description><link>http://thedarkarts1297.blogspot.com/2007/12/stay-home-and-dont-give.html</link><author>noreply@blogger.com (Unknown)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-33391765.post-2450366161807017012</guid><pubDate>Fri, 02 Nov 2007 19:19:00 +0000</pubDate><atom:updated>2007-11-02T12:32:00.413-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">death</category><category domain="http://www.blogger.com/atom/ns#">explosives</category><category domain="http://www.blogger.com/atom/ns#">sycological warfare</category><category domain="http://www.blogger.com/atom/ns#">terrorism</category><category domain="http://www.blogger.com/atom/ns#">war</category><title>Train Wreck</title><description>Allrighty then; I have officially crossed over into a place that is outside of normal space. I don&#39;t know what this space is but when you watch a train wreck and laugh your @ss off it kinda tells ya somethings not right.&lt;br /&gt;&lt;br /&gt;I was surfing youtube.com, where you can see just about anything, and caught this flick of a dude firing off a small mortar in a semi-confined space. Check it out but be warned it&#39;s messy. 
&lt;br /&gt;&lt;br /&gt;&lt;object width=&quot;425&quot; height=&quot;373&quot;&gt;&lt;param name=&quot;movie&quot; value=&quot;http://www.youtube.com/v/v0EbxrRaC60&amp;color1=0x2b405b&amp;color2=0x6b8ab6&amp;border=1&quot;&gt;&lt;/param&gt;&lt;param name=&quot;wmode&quot; value=&quot;transparent&quot;&gt;&lt;/param&gt;&lt;embed src=&quot;http://www.youtube.com/v/v0EbxrRaC60&amp;color1=0x2b405b&amp;color2=0x6b8ab6&amp;border=1&quot; type=&quot;application/x-shockwave-flash&quot; wmode=&quot;transparent&quot; width=&quot;425&quot; height=&quot;373&quot;&gt;&lt;/embed&gt;&lt;/object&gt; &lt;br /&gt;&lt;br /&gt;I know it&#39;s wrong to laugh but the stupidity of it just laid me on the floor. Maybe I&#39;d feel different if I had been in combat? Maybe I&#39;d feel different if I knew the story of how that dude got to the point of being there loading those mortars?  I&#39;m sure he was someone&#39;s son once upon a time. But in the end I still laughed because while these guys (this guy and the ones off camera) are all busy praising g@d they all get nailed by a bad mortar round. If that isn&#39;t stupid irony I don&#39;t know what is.</description><link>http://thedarkarts1297.blogspot.com/2007/11/train-wreck.html</link><author>noreply@blogger.com (Unknown)</author><thr:total>1</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-33391765.post-6023443680775315708</guid><pubDate>Fri, 02 Nov 2007 16:15:00 +0000</pubDate><atom:updated>2008-01-20T21:07:09.062-08:00</atom:updated><title>The Downfall of a SuperPower</title><description>Beyond the obvious; the possible demise of the United States as a super power has deeper implications for information security and your own personal security.  I&#39;m trying to be alarmist without being over the top.  The United States still spends more than any country in the world on the military and still has a multi-trillion dollar GNP. But do those two factors define a super power today?   
&lt;br /&gt;&lt;br /&gt;I say that we must examine the underpinnings of our society and thus our way of life. Information Technology (IT) is a tool wielded by people who grow (or don&#39;t) out of the culture that is promoted at the most basic levels of society; the playground and school yard. It is in these places (institutions) that the foundation for how we conduct ourselves in our adult lives is laid.  &lt;br /&gt;&lt;br /&gt;We all talk a lot lately about risk management and you may have heard about the shift away from risk aversion to more centric risk acceptance.  Yet the next generation of leaders (our kids) is being taught to not take risks in the simplest of ways; the playground. &lt;br /&gt;&lt;a href=&quot;http://video.msn.com/video.aspx?mkt=en-US&amp;brand=msnbc&amp;vid=08821516-b60d-43c0-895e-2ab47f809dbb&quot; target=&quot;_new&quot; title=&quot;Government taking fun out of playgrounds?&quot;&gt;&lt;img src=&quot;http://msnbcmedia.msn.com/j//msnbc/Components/Video/071101/x_30_nn_harsanyiextra_071101.vmodv4.jpg&quot; border=0 alt=&quot;Government taking fun out of playgrounds?&quot; width=112 height=84&gt;&lt;br /&gt;Government taking fun out of playgrounds?&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;City councils cower in fear of the next lawsuit, and parents &quot;protect&quot; children with cocoons of padded foam insulation, believing they are doing everything they can to safeguard their children with things like body armor.&lt;br /&gt;&lt;br /&gt;&lt;object width=&quot;425&quot; height=&quot;366&quot;&gt;&lt;param name=&quot;movie&quot; value=&quot;http://www.youtube.com/v/QG8-iHU4Bg8&amp;rel=1&amp;border=0&quot;&gt;&lt;/param&gt;&lt;param name=&quot;wmode&quot; value=&quot;transparent&quot;&gt;&lt;/param&gt;&lt;embed src=&quot;http://www.youtube.com/v/QG8-iHU4Bg8&amp;rel=1&amp;border=0&quot; type=&quot;application/x-shockwave-flash&quot; wmode=&quot;transparent&quot; width=&quot;425&quot; height=&quot;366&quot;&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br 
/&gt;&lt;br /&gt;Is it just possible that we are exposing, and expressing, our own fears through our children?  We the adults in the United States could be so shell shocked and afraid of our own emotional scars, or the threat of being scarred, that we are robbing the next generation of not only what it means to be a child (exploration) but teaching them that in order to be safe they have to give up the choice to accept risk.  &lt;br /&gt;&lt;br /&gt;Accepting risk is the most basic element of information security.  We have the challenge today of educating the last generation, current generation, and future generation that risk is with us at all times, and to say to a child here is a backpack that will protect you from a gun is to say &quot;&lt;a href=&quot;http://en.wikipedia.org/wiki/Duck_and_cover&quot;&gt;duck and cover&lt;/a&gt; little one&quot; and you&#39;ll be alright.  Life isn&#39;t safe and neither is operating an information system.  We should not retreat into a foam covered play land believing that we are all safer for it.  Friedrich Nietzsche wrote &quot;That which does not kill us makes us stronger&quot; and knowing the risks and the freedom to take them are what made this country great. &lt;br /&gt;&lt;br /&gt;There can be serious repercussions in such a state that claws its way into our lives and &quot;nannies&quot; us. The Asian nation of Singapore is known as the world&#39;s leading nanny state. Lee Kuan Yew, the celebrated former prime minister of that nation, wrote in his memoirs: &quot;We would have been a grosser, ruder, cruder society had we not made these efforts to persuade people to change their ways,&quot; and later, &quot;If this is a &#39;nanny state,&#39; I am proud to have fostered one.&quot;&lt;br /&gt;&lt;br /&gt;Yew may have been proud — and certainly he was successful, as Singapore is one of the most prosperous nations in the world — but at what price? 
In 1999, The Economist dubbed Singapore the &quot;world execution capital.&quot; For years, media coverage in the nation was stifled, opposition political leaders jailed, and endless draconian nanny rules imposed on the population, from penalties for infractions like spitting or chewing gum to detention without a trial for nonviolent acts against the government. &quot;Freedom of the press must be subordinated to the overriding needs of Singapore,&quot; Yew told the International Press Institute&#39;s assembly in 1971.   &lt;br /&gt;&lt;br /&gt;My definition of what makes the United States &quot;super&quot; and what keeps us most secure is our freedom to fall, get scars, and learn from how we fell and see the scar as a constant reminder of our pain.  If you go to Washington DC the city is literally filled with monuments to the scars of our national past.  It is, if your mind is open, a gallery of national pain and suffering.  From the Vietnam wall, to the FDR memorial (very cool at night) which embodies the suffering of the American People during the Great Depression. &lt;br /&gt;&lt;br /&gt;So stand up, take your beatings, and let&#39;s be the America that we know we can all be; Proud, not Afraid, and Strong on all fronts. 
Take risks and know that failure will happen, but it is not the failure that is the issue; it is what we do once that failure has occurred that is a true measure of greatness.</description><link>http://thedarkarts1297.blogspot.com/2007/11/downfall-of-superpower.html</link><author>noreply@blogger.com (Unknown)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-33391765.post-280516712748862864</guid><pubDate>Thu, 25 Oct 2007 18:21:00 +0000</pubDate><atom:updated>2007-10-25T11:30:28.138-07:00</atom:updated><title>My Hamster Wheel of Pain</title><description>This was from a post I did on another blog at (http://feeds.feedburner.com/~r/Riskanalysis/~3/173775219/):  &lt;br /&gt;&lt;br /&gt;The lesson I have taken from history is that in the beginning security was real and tangible. Systems were in essence static and well defined boundaries with known inputs and outputs. If you wanted to use a mainframe in the 1970&#39;s you pretty much had to be hard wired into the system to access it. (Rare cases of dial-in which we all remember Capt Jack and the War-Dialers; which focused on long distance calling)&lt;br /&gt;&lt;br /&gt;We are all stuck with management that grew up in that 1970&#39;s Era and who still think in those terms that information processing systems can still be defined, managed, and controlled.  Let&#39;s face facts folks; most of us are subordinate in our organizations and rightfully so.  We, the security practitioner, serve the greater good of our respective organizations.  So we will always be in some form of conflict with those we serve because of blissful ignorance, incompetence, and funding.  &lt;br /&gt;&lt;br /&gt;But let&#39;s look at the core driver in all this mess.  That being change.   Without change security is possible because all the known variables can be accounted for and performance can be tracked and reported with real confidence.   
Over the past 30 years the rate of change has increased at an exponentially faster rate.   The time that an information processing system used to input and output data  and the amount of data compared to what is possible today are night and day.  Another way to put it would be the transformation of war from static Napoleonic warfare with fixed positions, static lines, and Aristocratic rules of engagement to what we see on the streets of Baghdad (Urban Guerrilla Warfare).&lt;br /&gt;&lt;br /&gt;So it is impossible, unless we all collectively agree to step back in time,  to say that anything is secure.   We are not g@ds who can see all things all the time.  We are but men (and women folk) who only know what we know and are faced with the daily challenge of managing change.   Those changes are forced by people who do not understand themselves, the changes they make, or the very technology they control.   What makes this dangerous for us all living in an open and free society (USA) is that we are all connected now in some way and that the culture of indifference to one another and to just being responsible means that most of the management I have been exposed to doesn&#39;t want to be enlightened.  They want to punch the clock, make the next bonus, and go home to an empty and meaningless life.  &lt;br /&gt;&lt;br /&gt;I write this with the conviction that if those in power, not us, truly understood even the concept of change/risk management we would not be having this discussion because folks would be taking systems offline faster than a car goes around the Indianapolis 500 track. 
&lt;br /&gt;For these are the folks who ask &quot;What do you mean I can&#39;t send company/government data to my Yahoo/Google/Hotmail account?&quot; with the rationale that &quot;It&#39;s my email account and I have a good password so it&#39;s &quot;secure&quot; from other people getting to it&quot; while exposing the organization to loss of confidentiality because the financial expense reports for 3000 employees just got broadcast over the internet (Which BTW breached privacy as bank account information could be included in expense reports for reimbursement.)&lt;br /&gt;&lt;br /&gt;I used to believe in technology and had faith that people were essentially &quot;good&quot; but have come to a place where I see time and time again that people aren&#39;t &quot;good&quot; (which is not to say they are evil) but that most of the population is blindingly ignorant of even the most basic things and that compounding that blindness is the culture of indifference which dooms us all to a never ending cycle of pain (Hamster wheel of Pain).  I also don&#39;t believe in technology as the &quot;silver bullet&quot; because who drives technology? Management Marketing type folks who sell, over promise, and under deliver.   Always pushing developers and engineers to deliver half baked products because the &quot;vision&quot; is never in line with the reality.   No one can honestly say that a single product out of the box can effectively manage the core issue without significant overhead and investment in tuning the product to the environment. &lt;br /&gt;&lt;br /&gt;Bottom line:  There is no silver solution anywhere, just lead shot, and we are using slings when what we really need is semi-automatics.  To truly solve the problem of &quot;security&quot; within the information processing world is to say that change stops now;  which is impossible.  
To truly solve the problem of security we don&#39;t need to continue to escalate the &quot;logical arms race&quot; with better and better technology because that cycle feeds itself with attack v counter-attack; we need to transform the expectations of the people we serve.  &lt;br /&gt;&lt;br /&gt;By making the world understand that if you want to continue the culture of instant everything while paying next to nothing, from a dollars and sense perspective, that you choose to give up something far more valuable than mere money; you give up your ability of choice.  So unless we slow down, accept less convenience, and choose to understand our world a bit more we are all exposed, vulnerable, and essentially naked to anyone who seeks to do us harm.  Hence those of us who ride out (in our office chairs) keeping watch will be forever shackled to the hamster wheel of pain.&lt;br /&gt;&lt;br /&gt;V/r PZ</description><link>http://thedarkarts1297.blogspot.com/2007/10/my-hamster-wheel-of-pain.html</link><author>noreply@blogger.com (Unknown)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-33391765.post-8146131845222779773</guid><pubDate>Thu, 25 Oct 2007 06:41:00 +0000</pubDate><atom:updated>2007-10-24T23:42:55.980-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Cyber</category><category domain="http://www.blogger.com/atom/ns#">Cyber Law</category><category domain="http://www.blogger.com/atom/ns#">Ethics</category><category domain="http://www.blogger.com/atom/ns#">Information Security</category><category domain="http://www.blogger.com/atom/ns#">Law</category><category domain="http://www.blogger.com/atom/ns#">Three Laws</category><title>Three Laws Strong - Rules to Live by</title><description>Rules that all Information Security practitioners should follow.   &lt;br /&gt;&lt;br /&gt;1. 
A Cyber Security Professional (CSP), or anyone assigned information security responsibilities, may not injure a human being or, through inaction, allow a human being to come to harm.&lt;br /&gt;&lt;br /&gt;2. A CSP must obey orders given by a customer, client, or senior manager except where such orders would conflict with the First Law.&lt;br /&gt;&lt;br /&gt;3. A CSP must protect its own existence as long as such protection does not conflict with the First or Second Law.&lt;br /&gt;&lt;br /&gt;If it&#39;s good enough for AI then it&#39;s good enough for me; eh?</description><link>http://thedarkarts1297.blogspot.com/2007/10/three-laws-strong-rules-to-live-by.html</link><author>noreply@blogger.com (Unknown)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-33391765.post-7765939603389501041</guid><pubDate>Thu, 25 Oct 2007 04:52:00 +0000</pubDate><atom:updated>2007-10-24T23:32:46.858-07:00</atom:updated><title>Private Patriots or Just Plain Mercs?</title><description>While the topic of contracting out the US Army and Marines to former Army personnel and the &quot;others&quot; who join private &quot;security&quot; firms seems to be well established, what I find new and interesting is the extent to which these private security firms are being used today by the US Federal Government.  &lt;br /&gt;&lt;br /&gt;It was the role of the US Marines to provide protection for the State Department but with all but a few good men spoken for patrolling the streets of Baghdad the void had to be filled somehow.  In Viet Nam that void was filled with a Draft.  The simple fact, then as now, is that with an all volunteer force we are limited in what we can do from a tactical and strategic perspective because we do not have the man power to support every goal.  
&lt;br /&gt;&lt;br /&gt;If you have an all volunteer, or all recruited, force then it does not become possible to say that we can maintain two fronts (or three, four, five, etc).  Military history shows time and time again that no matter how powerful the army, without the logistical support being in place to sustain and protect the rear areas of the theater the battle may be won but the war will be lost. &lt;br /&gt;&lt;br /&gt;What we have really lost here is sight of what is really going on and I find it distasteful at the least; that being politicians using US Taxpayer money to buy themselves out of a political nightmare.  That nightmare simply said is the avoidance of a Draft through the use of private armies. &lt;br /&gt;&lt;br /&gt;This brings into the fold a new challenge for DoD and other sensitive systems that support warfighting.  While it is well known that contractors provide IT support (including myself), there has always been a separation of duties. The clear oversight and practice of least privilege I believe has ensured operational security and mission success.&lt;br /&gt;&lt;br /&gt;Outsourcing our core military capabilities is wrong, demoralizing to the warfighter (who is often on food stamps), and dangerous to national security. Limited use of physical security contractors here in the United States is fine but putting Mercenaries on the ground in a hot LZ is a different story all together. &lt;br /&gt;&lt;br /&gt;If we can&#39;t secure the peace we haven&#39;t won the war. The worst part is this: why should any 18-year-old choose to go into the Army and earn $18000 a year when they can go to a private firm and make $30k to start (Much more if you have experience)?&lt;br /&gt;&lt;br /&gt;It all comes back to &quot;Trust but Verify&quot; because physical and cyber security are the same thing and depend on one another without the ability to separate either one. 
So the next time you think about outsourcing think about the additional risk you are accepting before you pop the champagne and celebrate how much you think you just saved.  BTW - The latest estimates on the cost of operations in Iraq and Afghanistan are over 2 trillion dollars by 2010. Back in 2002 the total cost was projected at only 500 billion and most of that was going to be paid for by an eager democratic Iraqi government from the oil reserves. Moral of the story there is that nothing, and I mean nothing (Security Tools, Firewalls, Vendor Promises) is what it appears. &lt;br /&gt;&lt;br /&gt;Sounds hypocritical coming out of my mouth since I am technically a &quot;vendor&quot; but I do apply the same standard to myself as anyone else.  In that I apply the three fundamental laws of AI.&lt;br /&gt;&lt;br /&gt;1. A robot may not injure a human being or, through inaction, allow a human being to come to harm.&lt;br /&gt;2. A robot must obey orders given to it by human beings except where such orders would conflict with the First Law.&lt;br /&gt;3. A robot must protect its own existence as long as such protection does not conflict with the First or Second Law.&lt;br /&gt;&lt;br /&gt;Vendors in principle follow the same logic. As a business you would not do anything that would harm the business. However we are here to provide service to the customer and as such must obey. But we should not obey orders that would break the first law. 
&lt;br /&gt;&lt;br /&gt;Oh hell this is good for another post.</description><link>http://thedarkarts1297.blogspot.com/2007/10/private-patriots-or-just-plain-mercs.html</link><author>noreply@blogger.com (Unknown)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-33391765.post-6268734597739643092</guid><pubDate>Wed, 24 Oct 2007 16:55:00 +0000</pubDate><atom:updated>2007-10-24T09:56:41.898-07:00</atom:updated><title>The new Iron Curtain...</title><description>Wars have been started for less; eh?  Could the breakdown of political and other institutional support for interconnected systems mean a regression back to stand-alone systems if governments do not enforce some modicum of civility and common sense with regards to companies and individuals that operate within their borders?  &lt;br /&gt;&lt;br /&gt;Shadowy Russian Firm Seen as Conduit for Cybercrime&lt;br /&gt;&lt;br /&gt;http://www.washingtonpost.com/wp-dyn/content/article/2007/10/12/AR2007101202461.html&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;http://blog.washingtonpost.com/securityfix/2007/10/mapping_the_russian_business_n.html&lt;br /&gt;&lt;br /&gt;By Brian Krebs&lt;br /&gt;washingtonpost.com Staff Writer&lt;br /&gt;Saturday, October 13, 2007; A15&lt;br /&gt;&lt;br /&gt;An Internet business based in St. Petersburg has become a world hub for Web sites devoted to child pornography, spamming and identity theft, according to computer security experts. 
They say Russian authorities&lt;br /&gt;have provided little help in efforts to shut down the company.&lt;br /&gt;&lt;br /&gt;The Russian Business Network sells Web site hosting to people engaged in&lt;br /&gt;criminal activity, the security experts say.&lt;br /&gt;&lt;br /&gt;Groups operating through the company&#39;s computers are thought to be&lt;br /&gt;responsible for about half of last year&#39;s incidents of &quot;phishing&quot; --&lt;br /&gt;ID-theft scams in which cybercrooks use e-mail to lure people into&lt;br /&gt;entering personal and financial data at fake commerce and banking&lt;br /&gt;sites...</description><link>http://thedarkarts1297.blogspot.com/2007/10/new-iron-curtain.html</link><author>noreply@blogger.com (Unknown)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-33391765.post-3617427774264968155</guid><pubDate>Mon, 15 Oct 2007 06:35:00 +0000</pubDate><atom:updated>2007-10-14T23:37:15.421-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Apple</category><category domain="http://www.blogger.com/atom/ns#">hacking</category><category domain="http://www.blogger.com/atom/ns#">iPhone</category><category domain="http://www.blogger.com/atom/ns#">Ipod</category><category domain="http://www.blogger.com/atom/ns#">OS X</category><category domain="http://www.blogger.com/atom/ns#">underdog.</category><title>Apple&#39;s time to take the spotlight... may not be so bright.</title><description>I was browsing the net for intel on the iPhone (I want one), and it struck me that there is a hidden issue here for Apple, and one that I hope to g@d they have considered: security.  &lt;br /&gt;Information security has been touted amongst the Apple set as one of the cornerstones of the product lines.  After all, “get a Mac” means not having to deal with the viruses and problems PCs have to deal with every single day. Right?   
We all know that OS X is based on a flavor of BSD-UNIX and that the iPhone has been reported to be based on OS X.  I’m confident that the folks at Apple changed the core kernel and locked it down enough to withstand the casual attack.  Here’s the rub though.  Apple, for as long as I can remember, or since Microsoft stole the GUI from them, has been in a “niche” of the IT world. &lt;br /&gt;&lt;br /&gt;Creative folks love Apple and won’t use PCs.  People with more money than they know what to do with, who want something in their home office or living room that looks drop dead gorgeous, get Apples.  Until this point in time I would say it is safe to call Apple the Porsche of the IT world.   Sure, the iPod enjoys a market share of the portable music world, but now we are getting into something entirely different with the introduction of the iPhone.  Until now our iPods were essentially stand-alone systems, with the overarching security controls of our PCs and Macs offering some protection.  (I say this in all optimism that folks that use PCs actually do some form of security, even though I know this not to be true, and am, in all forms, in a complete state of denial as to the pure insanity and ignorance that is the general computing population with regards to the absurd idea that computing without a firewall and antivirus program is “ok”.)  &lt;br /&gt;Now that I have that off my shoulders, back to the issue at hand.  Until today Apple has not had the market footprint that PCs and their peripherals have enjoyed (including smart phones).   If Apple is as successful as predicted with regards to the iPhone, and they most likely will be, what are the consequences of an Apple OS having the same profile and therefore the same market footprint as its Windows nemesis?  &lt;br /&gt;I put forth that Apple is now fair game for malware, viruses, and any other threat agent out there that can take advantage of the Mac OS running on the iPhone.  
Imagine millions of iPhones infected and performing “drunk dialing” of fee-based porn sites or phone spoofing.  Any time you tie a possible revenue stream to a device that is interconnected with the cloud you invite the current generation of organized-crime-based crackers to get cranked up and figure out how to milk this cow for every dollar possible.&lt;br /&gt;And boy, there could be millions made from exploitation of the iPhone.  Consider this theoretical model.  &lt;br /&gt;1)      Hack a weak server at a data hosting or web hosting company and set up a pay porn, or any other fee-based, site with PayPal as the money channel to an offshore account.  &lt;br /&gt;2)      Buy three iPhones: one for destructive testing, one for regression testing, and one for final testing.  (Cost: $1600)  &lt;br /&gt;3)      Either you are the mind-bending cracker or you find one and get to work on finding the exploit.  Let’s say for this deal you’re going all out and don’t want to get caught.  You go to a local computer shop, pay cash, and buy three decent laptops with enough horsepower to get the job done.  (Cost about $2000 avg.)  &lt;br /&gt;4)      Load them up with your favorite flavor of BSD-UNIX and some VMware that you cracked. &lt;br /&gt;5)      Destroy one iPhone to figure out how the thing is built and where the “guts” of the box are. &lt;br /&gt;6)      Extract the OS, data files, etc. and start regression testing.  Figure out how they interoperate with the data network.  (What ports and protocols are used.)  &lt;br /&gt;7)      Find the exploits (everyone has them, and if anyone tells me that Apple has closed all the holes in a “just works” environment I have some land to sell you.)  &lt;br /&gt;8)      This is where the real fun begins.  Let’s say it takes you four months to crack the box and devise a way to get all the iPhones in the world to go to your website. Or better yet, dial your international 900 number in a country with no extradition treaty.  
(Better yet, a country that just doesn’t have the resources to find you or track you down.)  Cost of living in a third world country per month: 300 bucks if you don’t want to attract attention to yourself.  I hear Africa is dirt cheap and they have bandwidth.  &lt;br /&gt;9)      Finally you have your ingenious crack and you’re ready to unleash it on the world.  Buy one round trip ticket to Asia (you know they’re going to eat this iPhone alive) and deploy your malware.   So if you deploy 1 year after the release of the iPhone and there are an optimistic 2 million iPhones sold, all interconnected to the cloud, going to your site or dialing your numbers at a conservatively imaginary .25 cents (US) an hour, and you are able to run for 24 hours before Apple figures out the game is afoot and closes you down, how much do you think you could make?  &lt;br /&gt;(2 Million iPhones) X (.25 cents an hour) X (24 hours) =  $12,000,000 ! &lt;br /&gt; Not bad for an investment of a few months’ time and just under $5000.00 (US).  What’s your price?  We all have one, and 12 million is a lot of reasons to bring everyone that has been working on the Microsoft world to come over the fence and play.  One of the reasons Apple has been, well, secure is that there hasn’t been the critical mass of targets needed to justify the risk, time, and cost.  The iPhone has the potential to shift the paradigm and offer a target-rich environment that could yield the kind of monetary incentives we are seeing as the principal motivating trend in the cracker community.  &lt;br /&gt;I hope Apple is ready for the spotlight, because if the iPhone and Macs share the same platform, any security flaw that is exposed on the iPhone could be applied to the Mac and the population that depends on it.  &lt;br /&gt;Finally, I shudder to think what will happen when these devices make it into the US Government space.  I am not aware of any single policy that deals with a device that has this level of connectivity in a single unit.  
Governments around the world are going to have to meet this new level of integration head on if they are to understand and mitigate the risks that these devices pose to their information data processing environments. &lt;br /&gt;Sleep well knowing that somewhere out there are folks who have already dreamed this up and can&#39;t wait to get their hands on the iPhone, not because it is shiny and cool but because they see a ton of money waiting to be taken.</description><link>http://thedarkarts1297.blogspot.com/2007/10/apples-time-to-take-spot-light-may-not.html</link><author>noreply@blogger.com (Unknown)</author><thr:total>0</thr:total></item></channel></rss>