<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet href="http://feeds.feedburner.com/~d/styles/atom10full.xsl" type="text/xsl" media="screen"?><?xml-stylesheet href="http://feeds.feedburner.com/~d/styles/itemcontent.css" type="text/css" media="screen"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0"><id>tag:blogger.com,1999:blog-29245024</id><updated>2008-05-12T13:27:54.035-04:00</updated><title type="text">Andy, ITGuy</title><link rel="alternate" type="text/html" href="http://andyitguy.blogspot.com/" /><link rel="next" type="application/atom+xml" href="http://andyitguy.blogspot.com/feeds/posts/full?start-index=26&amp;max-results=25" /><link rel="http://schemas.google.com/g/2005#feed" type="application/atom+xml" href="http://andyitguy.blogspot.com/feeds/posts/full" /><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>noreply@blogger.com</email></author><generator version="7.00" uri="http://www.blogger.com">Blogger</generator><openSearch:totalResults>408</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><link rel="self" href="http://feeds.feedburner.com/AndyItguy" type="application/atom+xml" /><feedburner:emailServiceId>454406</feedburner:emailServiceId><feedburner:feedburnerHostname>http://www.feedburner.com</feedburner:feedburnerHostname><entry><id>tag:blogger.com,1999:blog-29245024.post-7742857906259710508</id><published>2008-04-30T21:32:00.000-04:00</published><updated>2008-04-30T21:35:02.583-04:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="SecureWorld Atlanta" /><category scheme="http://www.blogger.com/atom/ns#" term="Andy ITGuy" /><category scheme="http://www.blogger.com/atom/ns#" term="information security" /><title type="text">I hack Johnny Long</title><content type="html">&lt;p&gt;&amp;#160;&lt;a 
href="http://lh3.ggpht.com/andy.willingham/SBkePlnjN2I/AAAAAAAAAEE/uQVbXO07QlI/P4300561%5B2%5D.jpg"&gt;&lt;img style="border-top-width: 0px; border-left-width: 0px; border-bottom-width: 0px; border-right-width: 0px" height="184" alt="P4300561" src="http://lh6.ggpht.com/andy.willingham/SBkeRVnjN3I/AAAAAAAAAEM/YWWbOPoXrVg/P4300561_thumb.jpg" width="244" border="0" /&gt;&lt;/a&gt; As I said in my SecureWorld Atlanta Day 2 post I met &lt;a href="http://johnny.ihackstuff.com" target="_blank"&gt;Johnny Long&lt;/a&gt; today. He gave the Keynote talk today and was by far the best part of the event. He gave his &amp;quot;No Tech Hacking&amp;quot; talk and also talked a little about his new venture &amp;quot;&lt;a href="http://www.hackersforcharity.org/" target="_blank"&gt;Hackers for Charity&lt;/a&gt;&amp;quot; and explained what they do. After his talk I went to talk to him about a few things. I wanted to talk to him about his faith which is very much a part of who he is. I wanted to talk to him about &amp;quot;Hackers for Charity&amp;quot; and about &amp;quot;No Tech Hacking&amp;quot;. We talked about the first two and had to cut it short before getting to the third topic. Of course the first two are the most important and made my few minutes with him well worth it.&lt;/p&gt;  &lt;p&gt;I was a little familiar with &amp;quot;&lt;a href="http://www.hackersforcharity.org/" target="_blank"&gt;Hackers for Charity&lt;/a&gt;&amp;quot; but had never really checked into it. After hearing Johnny talk about it and seeing a few slides that he had I decided that I wanted to do something to support it. Right now I can't go to Africa but I can do a couple of other things. I'm going to buy a copy of Johnny's new book &amp;quot;No Tech Hacking&amp;quot;. This will help because when you go to his site and click on the book link it takes you to Amazon and you can buy it there. Also when you do it this way all of the proceeds of the sale go to &amp;quot;Hackers for Charity&amp;quot; . 
The proceeds of the sale of just one book will feed a child for a month. Johnny isn't keeping any money from the sale of these books. So in addition to getting a good book I'll also be doing something to help the charity. &lt;/p&gt;  &lt;p&gt;The next thing that I'm going to do is ask each of you to do a couple of things. Buy the book from Johnny's site and take a look at &amp;quot;Hackers for Charity&amp;quot; and see if there is anything else that you can do. Then tell all your friends about it and encourage them to do something. &lt;/p&gt;  &lt;p&gt;Why am I making such a big deal about this? Not that I think that this is the greatest charity ever but because it is a charity that was started by a hacker and security professional. It's something that we as Security Pros can get involved with and make a real difference in the lives of kids and others. We all talk about wanting to make a difference in the world of security but that has limited impact. Changing lives is something that has lasting impact.&lt;/p&gt;  &lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/AndyItguy/~4/281172765" height="1" width="1"/&gt;</content><link rel="alternate" type="text/html" href="http://feeds.feedburner.com/~r/AndyItguy/~3/281172765/i-hack-johnny-long.html" title="I hack Johnny Long" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=29245024&amp;postID=7742857906259710508" title="0 Comments" /><link rel="replies" type="application/atom+xml" href="http://andyitguy.blogspot.com/feeds/7742857906259710508/comments/default" title="Post Comments" /><link rel="self" type="application/atom+xml" href="http://andyitguy.blogspot.com/feeds/posts/full/7742857906259710508" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/29245024/posts/full/7742857906259710508" /><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>noreply@blogger.com</email></author><feedburner:origLink>http://andyitguy.blogspot.com/2008/04/i-hack-johnny-long.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-29245024.post-642669192208553898</id><published>2008-04-30T20:50:00.001-04:00</published><updated>2008-04-30T20:50:30.946-04:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="SecureWorld Atlanta" /><category scheme="http://www.blogger.com/atom/ns#" term="Andy ITGuy" /><category scheme="http://www.blogger.com/atom/ns#" term="information security" /><title type="text">SecureWorld Atlanta 2008 Day 2</title><content type="html">&lt;p&gt;Day 2 at SecureWorld was much the same yet quite different. It started off with an Atlanta InfraGard Chapter meeting. There was a report on &amp;quot;Emerging Threats&amp;quot; by an FBI analyst that was pretty good and then followed by a Panel discussion (I missed the topic) that never was. What I mean by that is that each of the panelists talked a little about who they are and what they do. 
Then the moderator asked if there were any questions. A lady asked a question about SMB security and the moderator opened it up to allow the audience to give input. That pretty much took the rest of the time.&amp;#160; I never did find out what the topic of the panel was because the panel was never given the chance to talk. &lt;/p&gt;  &lt;p&gt;The morning Keynote was by far the highlight of the conference. The speaker was Johnny Long talking about his No Tech Hacking. Not only was it informative but it was also enjoyable. I'm going to talk more about this in a separate post. &lt;/p&gt;  &lt;p&gt;After Johnny's Keynote I attended a talk about aligning your security program with business objectives. This is something that is easier said than done and I am looking for any good tips I can get. The reason I say it is easier said than done is because often you get lots of push back when you try to do security the right way. Too often Management is only concerned about compliance checkboxes and so they don't support efforts to align the security program with the business objectives. The biggest obstacle here is educating management. They often don't want to learn or change and it's our job to convince them otherwise.&lt;/p&gt;  &lt;p&gt;The rest of the day was pretty decent. I attended a couple of talks that were OK but nothing earth shattering. I had to miss the last session (of course it was one that I really wanted to go to) because of a conference call that I had to join in on. &lt;/p&gt;  &lt;p&gt;All in all the conference is worth the money. It's a $200 conference so don't expect too much but you get your money's worth. I'll probably attend next year again since it's here in Atlanta and offers good opportunities to network, meet new people and learn a little. If you're in the Atlanta area you may want to look into it next year.&lt;/p&gt;  &lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/AndyItguy/~4/281152477" height="1" width="1"/&gt;</content><link rel="alternate" type="text/html" href="http://feeds.feedburner.com/~r/AndyItguy/~3/281152477/secureworld-atlanta-2008-day-2.html" title="SecureWorld Atlanta 2008 Day 2" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=29245024&amp;postID=642669192208553898" title="0 Comments" /><link rel="replies" type="application/atom+xml" href="http://andyitguy.blogspot.com/feeds/642669192208553898/comments/default" title="Post Comments" /><link rel="self" type="application/atom+xml" href="http://andyitguy.blogspot.com/feeds/posts/full/642669192208553898" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/29245024/posts/full/642669192208553898" /><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>noreply@blogger.com</email></author><feedburner:origLink>http://andyitguy.blogspot.com/2008/04/secureworld-atlanta-2008-day-2.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-29245024.post-7287235381367709298</id><published>2008-04-30T20:26:00.000-04:00</published><updated>2008-04-30T20:27:14.476-04:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="SecureWorld Atlanta" /><category scheme="http://www.blogger.com/atom/ns#" term="Andy ITGuy" /><category scheme="http://www.blogger.com/atom/ns#" term="information security" /><title type="text">SecureWorld Atlanta 2008 Day 1</title><content type="html">&lt;p&gt;OK, so I'm a little late on my day one update. When I got home after day one I spent time with the family and then had some work to do. I was up until 1:00 am finishing a project plan that was due today. &lt;/p&gt;  &lt;p&gt;This is my first SecureWorld Atlanta conference and I wasn't sure exactly what to expect. 
I had looked over the conference schedule and knew from the length of the sessions and the titles that it wasn't going to be too technical. That's fine with me because I don't do much that is technical in my day to day work any&amp;#160; longer, but I do enjoy sitting in technical sessions to stay fresh and learn new things.&lt;/p&gt;  &lt;p&gt;I attended a session on SAN security considerations and a discussion by DHS on Securing critical infrastructure. I figured that the critical infrastructure talk would be a good one for me since I work for a company that is part of Atlanta's critical infrastructure. Neither session was overly informative but the CI session did have some good content and most importantly gave me some good contacts to keep for the future. From the SAN session I did come up with a few questions that I need to have my SAN team answer for me now.&lt;/p&gt;  &lt;p&gt;The rest of Day one was spent talking to vendors trying to get past the &amp;quot;snake oil&amp;quot; and see what it is that they really do and how they are different than their competitors. I am actively looking at several different technologies to determine if they will meet needs that we have. The vendor time gave me a chance to see how some companies that I'm not as familiar with are doing things.&lt;/p&gt;  &lt;p&gt;All in all the biggest benefit that I gleaned from day one was the networking opportunities. I also ran into a guy that did some consulting work with a company that I worked for a few years ago. He's still with the same company that he worked with then and I'm going to see about having him come in and help us with some professional services that we need.&lt;/p&gt;  &lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/AndyItguy/~4/281146468" height="1" width="1"/&gt;</content><link rel="alternate" type="text/html" href="http://feeds.feedburner.com/~r/AndyItguy/~3/281146468/secureworld-atlanta-2008-day-1.html" title="SecureWorld Atlanta 2008 Day 1" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=29245024&amp;postID=7287235381367709298" title="0 Comments" /><link rel="replies" type="application/atom+xml" href="http://andyitguy.blogspot.com/feeds/7287235381367709298/comments/default" title="Post Comments" /><link rel="self" type="application/atom+xml" href="http://andyitguy.blogspot.com/feeds/posts/full/7287235381367709298" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/29245024/posts/full/7287235381367709298" /><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>noreply@blogger.com</email></author><feedburner:origLink>http://andyitguy.blogspot.com/2008/04/secureworld-atlanta-2008-day-1.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-29245024.post-1935845152257275050</id><published>2008-04-28T04:39:00.002-04:00</published><updated>2008-04-28T04:41:50.244-04:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="SecureWorld Atlanta" /><category scheme="http://www.blogger.com/atom/ns#" term="Andy ITGuy" /><category scheme="http://www.blogger.com/atom/ns#" term="information security" /><title type="text">SecureWorld Atlanta 2008</title><content type="html">Just a reminder that I'll be at &lt;a href="http://secureworldexpo.com/events/index.php?id=252"&gt;SecureWorld Atlanta&lt;/a&gt; on Tuesday and Wednesday of this week. If you're in the area and are planning on attending let me know. Also (I know this is late) but I can get you an $80 discount off the $195 regular conference fee or $200 off the full conference fee of $695. 
Just go to the website and register using this code JRC1031. There is also a "free" pass that will get you into the expo area and I think a couple of the open sessions.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/AndyItguy/~4/279263509" height="1" width="1"/&gt;</content><link rel="alternate" type="text/html" href="http://feeds.feedburner.com/~r/AndyItguy/~3/279263509/just-reminder-that-ill-be-at.html" title="SecureWorld Atlanta 2008" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=29245024&amp;postID=1935845152257275050" title="0 Comments" /><link rel="replies" type="application/atom+xml" href="http://andyitguy.blogspot.com/feeds/1935845152257275050/comments/default" title="Post Comments" /><link rel="self" type="application/atom+xml" href="http://andyitguy.blogspot.com/feeds/posts/full/1935845152257275050" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/29245024/posts/full/1935845152257275050" /><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>noreply@blogger.com</email></author><feedburner:origLink>http://andyitguy.blogspot.com/2008/04/just-reminder-that-ill-be-at.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-29245024.post-7086625260144025140</id><published>2008-04-25T11:56:00.001-04:00</published><updated>2008-04-25T11:56:35.143-04:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="wireless" /><category scheme="http://www.blogger.com/atom/ns#" term="Andy ITGuy" /><category scheme="http://www.blogger.com/atom/ns#" term="information security" /><title type="text">Wireless Scanning</title><content type="html">&lt;p&gt;A couple of days ago I got on the bus to make the trip from Downtown Atlanta to the suburbs where I live. I pulled out my laptop to do some work and was just about to disable my wireless radio when up popped a &amp;quot;Wireless Network Found&amp;quot; message. I closed it and was about to go ahead and disable the radio when I thought it would be interesting to run NetStumbler and see what I could see as we drove through town. 
It was rather interesting and I decided to do a little categorizing and let y'all know what I found. I decided to do it again the next day and compare it to the first day. Here is a summary and some thoughts.&lt;/p&gt;  &lt;p&gt;Disclaimer: Before I get into this I want to make it perfectly clear that I am NOT a wireless guru. I have lots to learn and some of what I have to say may have perfectly good explanations or I may be WAY off base. Feel free to give me constructive feedback via comments or direct email.&amp;#160; &lt;/p&gt;  &lt;p&gt;The first thing I noticed was that all 11 standard channels in 802.11a,b,g were used. Then I noticed that there were some other channels listed. They are 36, 40, 48, 56, 157. Honestly I wasn't even aware that you could use these other channels. What does that mean and how do you do it? I'd like to learn more about this. I looked to see if there were any common denominators about the devices that reported this but couldn't really find anything useful. The second day I picked up traffic on the same channels plus one that I didn't see on day one, channel 64.&lt;/p&gt;  &lt;p&gt;Next I noticed that over the 2 days I saw 696 different devices, 388 on day 1 and 509 on day 2. 
So that means that 201 devices showed up on one day that didn't on the other day. That can be explained by several things. They may have been off that day. Maybe the bus was going too fast to pick them up one day and not the next. One day I may have had less interference in that area than the other. &lt;/p&gt;  &lt;p&gt;280 had no encryption enabled on them. The rest were reported as having WEP enabled but I doubt that is correct. I don't know if it's the version of NetStumbler that I'm using or what but everything is reported as WEP. I checked it against my home system which is running WPA2 and it showed up as WEP.&lt;/p&gt;  &lt;p&gt;42 showed up as being ad-hoc which means that they were more than likely other laptop users who were broadcasting their signals. 
In looking at the SSID's shown by these ad-hoc networks either there are lots of &amp;quot;evil twins&amp;quot; set up or possibly NetStumbler just didn't get enough of a signal and read on what was really going on with them. In comparing ad-hoc to AP I only found 2 that looked like they were possibly &amp;quot;evil twins&amp;quot; based on SSID reported. Again if the others were then I was not able to pick up the &amp;quot;real&amp;quot; AP in my scan due to range or interference.&amp;#160; &lt;/p&gt;  &lt;p&gt;Speed ranged between 11mbs to 54mbs with 22, 36, and 48 mbs also reporting. The vast majority of them were 54 mbs.&lt;/p&gt;  &lt;p&gt;There were lots of vendors reported with the obvious ones present. Cisco, Aruba, Linksys, DLink, Netgear. There were several that I am not familiar with like Farallon, Eprigram, Sercom, Compex. Then some that I'm familiar with but only slightly like Gemtek, Z-Com, Airespace. I noticed several Symbol devices which I know is a popular handheld scanner manufacturer. I'm not sure if they make AP's also but these did show up as AP's. 
Again this goes back to me not being overly familiar with the world of wireless and who does what and especially not the specifics of how and why NetStumbler reports what it reports in the way it reports it. :)&lt;/p&gt;  &lt;p&gt;Just a couple more thoughts and then I'm through. I noticed that a majority of the SSID's reported gave out too much information. Either company name, or some identifier that makes it easy to figure out who this AP belongs to such as a building number or something similar. All you had to do was look at the SSID and then at street numbers or business names and be able to put 2 and 2 together to find the owner. Not the wisest choice but in today's world of wireless hacking it doesn't take much for the bad guys to find out who you are pretty quickly anyway.&lt;/p&gt;  &lt;p&gt;The last thing is I wanted to share with you a few of the funnier or more unique SSID's that I found. 
Sad to say this is as creative as people in this part of town seem to get. Oh, well.&lt;/p&gt;  &lt;p&gt;Belkin Sucks   &lt;br /&gt;But Why ???    &lt;br /&gt;SSID Name    &lt;br /&gt;Your Mom    &lt;br /&gt;Funkdafied    &lt;br /&gt;Hotboysin1205    &lt;br /&gt;Smallpoxgirl    &lt;br /&gt;Tuffygoestovegas&lt;/p&gt;  &lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/AndyItguy/~4/277701107" height="1" width="1"/&gt;</content><link rel="alternate" type="text/html" href="http://feeds.feedburner.com/~r/AndyItguy/~3/277701107/wireless-scanning.html" title="Wireless Scanning" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=29245024&amp;postID=7086625260144025140" title="0 Comments" /><link rel="replies" type="application/atom+xml" href="http://andyitguy.blogspot.com/feeds/7086625260144025140/comments/default" title="Post Comments" /><link rel="self" type="application/atom+xml" href="http://andyitguy.blogspot.com/feeds/posts/full/7086625260144025140" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/29245024/posts/full/7086625260144025140" /><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>noreply@blogger.com</email></author><feedburner:origLink>http://andyitguy.blogspot.com/2008/04/wireless-scanning.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-29245024.post-192738003187996632</id><published>2008-04-15T13:35:00.001-04:00</published><updated>2008-04-15T13:35:16.705-04:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Security Programs" /><category scheme="http://www.blogger.com/atom/ns#" term="Andy ITGuy" /><category scheme="http://www.blogger.com/atom/ns#" term="information security" /><title type="text">Security Silos</title><content type="html">&lt;p&gt;Something that I've noticed over the years is that lots and lots of companies secure their environments in silos. Each team, division, LOB or whatever is responsible for securing their equipment and they do so at their leisure and discretion. Not only that but within these silos there are other silos. Whoever is responsible for a particular device (server, router, switch, firewall, etc) secures it as they please or not at all. 
&lt;/p&gt;  &lt;p&gt;Traditionally most people who are not security professionals and who get tasked with managing a device only secure the obvious. I've seen servers that have no admin password and only basic folder level security. They were deemed to be secure. I've seen routers, switches and firewalls that were managed via telnet with weak passwords and no password on the console. Then there is the whole &amp;quot;one password fits all&amp;quot; mentality that many companies have. I call this &amp;quot;Security Silos&amp;quot;. It's security done in bits and pieces with no consideration for what is going on in other parts of the company in regards to security. It's the &amp;quot;my device is secure and I don't care about your device&amp;quot; syndrome.&lt;/p&gt;  &lt;p&gt;What this misses is 2 very important pieces of information. &lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;A device is only as secure as the weakest link in the network it sits on. &lt;/li&gt;    &lt;li&gt;Security for the sake of security alone is no security at all. &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;You can lock a server (or any device) down to where it's next to impossible to get into it. Yet if the router that routes traffic to it is insecure then the bad guys will be able to get to the server and pick away at it little by little until they find the chink in the armor. Or they will sit there and watch all traffic into and out of the server until they find something that is of use to them and use it against you.&lt;/p&gt;  &lt;p&gt;If you secure a device just because it needs to be secure then you are missing out on the big picture. You don't secure a device just because it needs it. You need to understand the purpose of the device in the overall picture of what it is that the business is trying to accomplish. You then secure that device in ways that enable the business to work optimally while remaining secure. This can not be done effectively in silos. 
Go back to point 1.&lt;/p&gt;  &lt;p&gt;Companies often lack the vision and understanding of an overall security program. This is basically a company wide umbrella that covers all aspects of security. It needs to include information and physical (or at least the ability to control physical access to information resources). To truly create this type of program Senior Management needs to understand the need for it and they must support it. The company as a whole needs to be informed about the need for it and they need to understand the purpose of it. IT needs to understand that living in silos will never allow them to truly succeed in their jobs. IT Management and personnel need to be on board with developing a program that will bridge the gap between infrastructure, network, servers, and applications. &lt;/p&gt;  &lt;p&gt;If all of these don't work together then you are just spinning your wheels. I'm amazed when I hear apps say that they don't need to worry about security because either the network is secure, the server they reside on is secure or doesn't sit on the internet or that the app itself is secure because it requires a user name and password to access it. There is a lack of understanding of overall security principles between different IT groups. Servers know how and understand server security but they don't understand Network or Application security and the same for the other two. &lt;/p&gt;  &lt;p&gt;This is where an overall security plan and program add real value to an organization. It requires leadership and support in order to happen. This is where many programs fail. They get leadership yet management never buys in completely and therefore the program stumbles along. I know that some of you would argue that if the leader was really effective then he would be able to get the necessary support. I agree to a point but I've seen some good leaders who were up against a wall and couldn't get the support. 
Yet at other companies they were able to get the support and create good programs.&amp;#160; Just as a company can't just decide that it needs a security program and never bring in leadership to create it. You can't will it to happen; it has to be led.&lt;/p&gt;  &lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/AndyItguy/~4/270854116" height="1" width="1"/&gt;</content><link rel="alternate" type="text/html" href="http://feeds.feedburner.com/~r/AndyItguy/~3/270854116/security-silos.html" title="Security Silos" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=29245024&amp;postID=192738003187996632" title="0 Comments" /><link rel="replies" type="application/atom+xml" href="http://andyitguy.blogspot.com/feeds/192738003187996632/comments/default" title="Post Comments" /><link rel="self" type="application/atom+xml" href="http://andyitguy.blogspot.com/feeds/posts/full/192738003187996632" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/29245024/posts/full/192738003187996632" /><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>noreply@blogger.com</email></author><feedburner:origLink>http://andyitguy.blogspot.com/2008/04/security-silos.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-29245024.post-4432736589546177663</id><published>2008-04-15T08:39:00.001-04:00</published><updated>2008-04-15T08:39:42.998-04:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Andy ITGuy" /><category scheme="http://www.blogger.com/atom/ns#" term="information security" /><title type="text">Getting the message across</title><content type="html">&lt;p&gt;Sometimes it's almost comical (in a sad sort of way) how people just don't understand security no matter how much you preach it. Especially when many of those people are technical and they are supposed to be leaders and promoters of the IT program and even of security.&lt;/p&gt;  &lt;p&gt;Case in point. 
In the last couple of months there have been 2 different conversations w/i my company that involve an individual (we'll call him Bob) with a position of influence and in each situation comments were made that just make me shake my head and want to find a hard object to bang it against.&lt;/p&gt;  &lt;p&gt;The first conversation was around VPN access into our network for 3rd parties. Like it or not this is a part of business today. Gone are the days when we can isolate ourselves and only allow employees access to our networks. Vendors need access to troubleshoot issues with their stuff, partners need access to be able to complete their jobs, contractors need access to work on projects. We do not have technology in place that will allow us to manage all of this centrally. This makes it a manually intensive process to ensure that we know who has access to what; when they are accessing it; why they are there; what they are doing while there, etc, etc, etc.....&amp;#160; While I and my team were discussing ways to tighten this up the comment was made by Bob that we didn't need to worry about locking it down any more because if anything malicious was done we would find out about it via our monitoring and we could just sue the offending party. I'll wait here while you pick up your jaw and put it back in place.&lt;/p&gt;  &lt;p&gt;OK, as you can imagine this went over like a lead balloon. I was speechless for a minute while I waited for him to crack a smile or something to let me know that he was just kidding. The smile never came. I looked around and saw the others in the room either putting their jaw back in place, holding back a laugh (not the good kind either) or staring off into oblivion hoping to find that peaceful place that they go to when life gets to be too much for them. 
Needless to say his idea didn't carry much weight and we were able to convince him that we really did need to control things better and that legal action was not the answer to our security problems. &lt;/p&gt;  &lt;p&gt;After getting this &amp;quot;misunderstanding&amp;quot; straightened out I felt pretty confident that Bob had a much better understanding of security and what it is that we are trying to do. Then again maybe not. Fast forward a few weeks to a Change Control meeting yesterday. We were discussing a control that I wanted to implement to lock down some things on our systems that are not used (or at best only used by a few). Someone (not Bob) took exception to this because he actually used this. I told him that we would look at his and similar cases and make a case by case decision based upon their ability to show a legitimate business need. Then Bob chimed in. His comment was &amp;quot;We have a secure environment and it will get more secure as time goes by. Security is here to protect us and that means that it will be inconvenient for the user and that is OK with us&amp;quot;.&lt;/p&gt;  &lt;p&gt;NO, NO, NO, NO, NO, NO, NO, NO, NO!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! &lt;/p&gt;  &lt;p&gt;Where in the world did he get that idea from? It wasn't me. I'm always talking about how my aim is to secure the environment while making it as easy as possible for the user to do their job. I'll admit that it's not as easy as it would be if there was no security at all in place but that's not really true either. It wouldn't be easier because the malware would make it all but impossible to use the systems. &lt;/p&gt;  &lt;p&gt;So it seems that with some people you just can't win. &lt;/p&gt;  &lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/AndyItguy/~4/270696354" height="1" width="1"/&gt;</content><link rel="alternate" type="text/html" href="http://feeds.feedburner.com/~r/AndyItguy/~3/270696354/getting-message-across.html" title="Getting the message across" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=29245024&amp;postID=4432736589546177663" title="0 Comments" /><link rel="replies" type="application/atom+xml" href="http://andyitguy.blogspot.com/feeds/4432736589546177663/comments/default" title="Post Comments" /><link rel="self" type="application/atom+xml" href="http://andyitguy.blogspot.com/feeds/posts/full/4432736589546177663" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/29245024/posts/full/4432736589546177663" /><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>noreply@blogger.com</email></author><feedburner:origLink>http://andyitguy.blogspot.com/2008/04/getting-message-across.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-29245024.post-6986976231577204943</id><published>2008-04-11T08:51:00.001-04:00</published><updated>2008-04-11T08:51:09.406-04:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="compliance" /><category scheme="http://www.blogger.com/atom/ns#" term="Risk" /><category scheme="http://www.blogger.com/atom/ns#" term="GRC - Governance" /><category scheme="http://www.blogger.com/atom/ns#" term="Andy ITGuy" /><category scheme="http://www.blogger.com/atom/ns#" term="information security" /><title type="text">Information Security According to Me</title><content type="html">&lt;p&gt;I love technology. There isn't much that is more exciting than to get a new &amp;quot;toy&amp;quot; to play with and use to make your job easier and hopefully more secure. 
I think it's pretty cool how a piece of software can alert you to threats to your system, prevent you from doing things that you shouldn't do and keep your system from doing things without your knowledge. I really like the concept of having some devices on the network that can watch the traffic flowing through the network and make assumptions and/or decisions based upon rules, algorithms, and other things over my head and either drop, divert or allow the traffic to continue. Often these things can shut down ports (logical and physical), pass ACLs to devices and do other things to stop worms, viruses and other bad things in their tracks. &lt;/p&gt;  &lt;p&gt;The problem with technology is that it often gets misconfigured, deployed improperly, or just isn't the right fit for what you are trying to do. Even if none of this happens it can still be left on its own and cause problems. It has to be monitored, updated, tweaked and cared for on a regular basis. Not only that but in the case of shutting down ports and pushing ACLs automatically I would hope that you don't really want or allow that to happen on your network. Talk about taking a risk. Technology is cool and it is necessary but it has to be used in the right way for your situation. You can't let the vendors drive your strategy. Use them to learn about your options but whatever you do DON'T let them sell you what they want to sell you. Take your time, review your options, look at the pros and cons of each solution and find the one that fits your need and one that will fit in with your strategy and plans for the future. &lt;/p&gt;  &lt;p&gt;As much as I like technology I still feel that it falls far short of the mark of keeping us secure. It goes much deeper than that. It requires a good solid framework that includes policy, process, procedures, guidelines, user awareness training, security training for IT staff. I like the new buzz acronym of GRC. Governance, Risk and Compliance. 
I think that it does a pretty good job of summing up what a solid program consists of. If a company doesn't allow for IT Governance to play a part in the way it does business then they are missing out on opportunities to make the best technology and policy decisions. These decisions are partly based upon the risk that is involved in doing various activities to enhance business. They are based upon the framework that is (or should be) in place for how technology is used to enable business. They take into consideration the goals and objectives of the company, the projects that the LOBs have, the way the IT infrastructure is designed, and making best use of what is already in place. &lt;/p&gt;  &lt;p&gt;GRC is not perfect but when implemented correctly and supported from the top down it will make things run smoother and allow for business to function in a manner that balances security, productivity, usability and makes best use of company resources.&lt;/p&gt;  &lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/AndyItguy/~4/268354119" height="1" width="1"/&gt;</content><link rel="alternate" type="text/html" href="http://feeds.feedburner.com/~r/AndyItguy/~3/268354119/information-security-according-to-me.html" title="Information Security According to Me" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=29245024&amp;postID=6986976231577204943" title="0 Comments" /><link rel="replies" type="application/atom+xml" href="http://andyitguy.blogspot.com/feeds/6986976231577204943/comments/default" title="Post Comments" /><link rel="self" type="application/atom+xml" href="http://andyitguy.blogspot.com/feeds/posts/full/6986976231577204943" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/29245024/posts/full/6986976231577204943" /><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>noreply@blogger.com</email></author><feedburner:origLink>http://andyitguy.blogspot.com/2008/04/information-security-according-to-me.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-29245024.post-5668799500087463564</id><published>2008-04-11T05:44:00.002-04:00</published><updated>2008-04-11T08:28:17.124-04:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="risk management" /><category scheme="http://www.blogger.com/atom/ns#" term="Andy ITGuy" /><category scheme="http://www.blogger.com/atom/ns#" term="information security" /><title type="text">Proof of risk</title><content type="html">&lt;p&gt;Update: First I want to apologize for not linking to &lt;a href="http://riskmanagementinsight.com/riskanalysis/?p=241"&gt;Alex's site RiskAnalys.is&lt;/a&gt; in my original posting. I wrote this over 2 days and 4 different editing points and still failed to get all my ducks in a row. 
Secondly, even though the article was posted at RiskAnalys.is Alex wasn't the one who wrote it (no wonder he didn't remember writing it). It was written by JonesJ (whom I'm assuming is Jack Jones, based upon looking at the comments section).&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;I must say right off that Alex actually posted something similar to parts of what I am going to say. I didn't just think about this after reading his post but had been thinking this very thing from the moment that the news of the DRAM being frozen to find encryption keys story hit. Actually I have held this belief for a long time but recent stories have made it "front lobe" thinking of late.&lt;/p&gt;  &lt;p&gt;Lots of people get paid good money and receive grants to do research on various things. I think that this research is important and often critical to helping us improve security and how we secure data. What usually happens is that the researchers release their findings and the IT/Security world (OK just a few who tend to be vocal) shout it from the rooftops and bemoan how any day now we are all going to fall victim to this very attack. The vendors jump on the bandwagon and talk about how their product X will prevent or fix this or at the minimum (although they don't admit that it's a minimum) keep you in compliance with every possible regulation that the government can think up.&lt;/p&gt;  &lt;p&gt;What has to be done by companies before panicking is to determine what the risk of this attack happening to your company really is. Not only what is the risk but what is the potential cost if this happens. Will you lose IP that will seriously hurt the company? Will you risk having financial or PII data stolen? Will this happening seriously affect how your employees work? &lt;/p&gt;  &lt;p&gt;In most of these cases the biggest question is "How likely is it that this attack will actually happen to us?" Is it worth the cost of putting in controls that will mitigate it? 
Can it be handled in a different way with technology that you currently use? Can you teach your users how to protect against it? &lt;/p&gt;  &lt;p&gt;Lately there have been 3 "attacks" that have been in the news that have garnered lots of attention in the press and lots of blogs. At least 2 of the 3 have exploits that have been released (I'm not sure about the biometric key logger) that I want to touch on briefly.&lt;/p&gt;  &lt;p&gt;The first is the study that proves how you can capture encryption keys and other data from RAM after the system has been powered off. This has potential to be a big deal. If FDE keys can be found hanging around in RAM then obviously the bad guys can use this against us, or can they? Ask it this way. How likely is it that this will happen to my users?  Wait, even before that let's ask just what it is that has to happen in order for this to be exploited? How long does the data stay resident in RAM after you power off the system? What does the hacker have to do in order to get to the data? It turns out that the data only sticks around for a couple of seconds and that in order to preserve it the memory has to be quickly frozen and remain sufficiently cold long enough for the memory to be either removed from the system or the system to be powered back up. Then the attacker has to have the tools to read the contents of memory and figure out what is in there and how they can use it. How likely is it that when you power off your system that a hacker is going to be hiding in the next cube ready to pounce? Obviously laptops are the big threat here but even still a few simple tips to your users can eliminate this.   &lt;br /&gt;First,  tell them to turn their system off instead of putting it in standby or Hibernate.    &lt;br /&gt;Second, tell them to turn the laptop off and let it power down while they gather up the rest of their stuff. 
Then by the time they are ready to leave the laptop has been powered off long enough to allow the data in RAM to dissipate enough to prevent this from being a problem. There is more to this. There are ways that the bad guys have a bit of an advantage and more that you and the user can do but this covers 99% of the risk.&lt;/p&gt;  &lt;p&gt;The second thing is the Biometric Key logger that has recently been developed. As far as I know this has not been released into the wild. A British researcher has come up with a way to sniff biometrics and recreate the image. Again this is not good news but it's also not all bad. What has to happen in order for this to be a risk to your (or any) company? Besides the obvious that you have to be using Biometrics what other things have to happen in order for this to be worth an investment in time and money for your company?  In my opinion this is a very low risk threat for most companies. In a few years when biometrics are more popular it may be a bigger risk but even for companies that use biometrics the risk of this happening is probably very low.&lt;/p&gt;  &lt;p&gt;The last one I want to bring up is Winlockpwn. This has potential to be a big problem for lots of companies now. Why? Because almost every computer and laptop in use today has a FireWire port that is active. This exploit allows you to connect a Linux system directly to the FireWire port on a Windows system and get read/write access to memory. Can you say Total Pwnage? This one is not good news. There are lots of ways for hackers to get access to systems both inside and outside your company walls. A few seconds is all it would take for malicious code to be loaded onto a system via this vulnerability. The good news is that most of us aren't using our FireWire ports and they can be disabled when not needed. &lt;/p&gt;  &lt;p&gt;So there you have it. A tale of 3 vulnerabilities that are putting lots of fear into the hearts of security professionals all over the globe. 
But in my opinion the fear is unnecessary and the exploits can be easily mitigated for most of us. So what is the moral of this little story? When you hear of the latest vulnerability, exploit or hack don't rush out and panic. Don't go spend the rest of your budget on some technology that isn't what you need. Don't go rushing to management with FUD. Take a step back and do a quick risk assessment for your environment and then make a well informed decision. Also before you go spending money unnecessarily take a look at what you already have in house that can be used to reduce this issue and make your life much easier.&lt;/p&gt;  &lt;p&gt;Risk is key!&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/AndyItguy/~4/268267474" height="1" width="1"/&gt;</content><link rel="alternate" type="text/html" href="http://feeds.feedburner.com/~r/AndyItguy/~3/268267474/proof-of-risk.html" title="Proof of risk" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=29245024&amp;postID=5668799500087463564" title="0 Comments" /><link rel="replies" type="application/atom+xml" href="http://andyitguy.blogspot.com/feeds/5668799500087463564/comments/default" title="Post Comments" /><link rel="self" type="application/atom+xml" href="http://andyitguy.blogspot.com/feeds/posts/full/5668799500087463564" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/29245024/posts/full/5668799500087463564" /><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>noreply@blogger.com</email></author><feedburner:origLink>http://andyitguy.blogspot.com/2008/04/proof-of-risk.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-29245024.post-2689661220591121408</id><published>2008-04-09T14:52:00.004-04:00</published><updated>2008-04-09T15:18:15.074-04:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="citysec" /><category scheme="http://www.blogger.com/atom/ns#" term="InfraGard" /><category scheme="http://www.blogger.com/atom/ns#" term="SecureWorld Atlanta" /><category scheme="http://www.blogger.com/atom/ns#" term="CSO Perspectives" /><category scheme="http://www.blogger.com/atom/ns#" term="Andy ITGuy" /><category scheme="http://www.blogger.com/atom/ns#" term="information security" /><title type="text">Thanks Birmingham InfraGard Chapter</title><content type="html">I'd like to publicly thank the &lt;a href="http://www.birmingham-infragard.org/"&gt;Birmingham, Al chapter of InfraGard&lt;/a&gt; for having me speak at their April meeting. They seem to have a really good chapter going there. 
They meet monthly and have a strong regular attendance. Also from talking with them they seem to do quite a bit outside of the regular meetings. I think my talk went well. They were at least polite and told me that they enjoyed what I had to share. &lt;a href="http://blog.1manit.net/"&gt;Michael Ramm&lt;/a&gt; drove over from Tuscaloosa, AL to meet me. It was nice to meet someone that I've interacted with lots over the past year.&lt;br /&gt;&lt;br /&gt;Atlanta needs something to kick start the local chapter here. We only meet quarterly and that's being optimistic. The last meeting was in November 2007 and the next meeting is at SecureWorld Atlanta the end of this month.  On my calendar that's a 6 month lull, doesn't sound very quarterly to me. I'm not trying to pick on &lt;a href="http://www.infragardatlanta.org/"&gt;InfraGard&lt;/a&gt; in general here. There is something about Atlanta that doesn't seem to fit well with InfoSec meetings. I know that &lt;a href="http://www.gaissa.org/"&gt;ISSA&lt;/a&gt; and &lt;a href="http://www.isaca-atlanta.org/"&gt;ISACA&lt;/a&gt; meet monthly but I have never been so I can't speak to what they are like. We have tried several times to get a CitySec started and have had a total of 2 gatherings. The first time it was &lt;a href="http://securityincite.com"&gt;Mike Rothman&lt;/a&gt;, &lt;a href="http://beauwoods.blogspot.com/"&gt;Beau Woods&lt;/a&gt; and myself. The second meeting Beau had dinner and drinks alone. A time or two since then emails have gone out but no one has shown any interest. So I guess that will have to wait for another time.&lt;br /&gt;&lt;br /&gt;I'm jealous of the fact that lots of my friends are at RSA this week and I'm not. For some reason I seem to have an aversion to working for companies that will send me to conferences. Maybe one day. I really can't complain too much. Even though I would have to foot the bill myself for most anything out of the Atlanta area I've been lucky. 
Atlanta has quite a few small conferences (day, 1/2 day, lunch, etc) and a couple of 2 to 3 day events that I get to participate in. Just last month I attended the &lt;a href="http://public.cxo.com/conferences/index.html?conferenceID=17"&gt;CSO Perspectives&lt;/a&gt; conference here and later this month I will be at &lt;a href="http://secureworldexpo.com/events/index.php?id=252"&gt;SecureWorld Atlanta&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Things at work have been keeping me hopping. I've got so many things going on that I'm almost paralyzed trying to decide what to do first. I've prioritized them but still when it all is screaming at you it's hard to focus. Everything is an "emergency" in the eyes of the requester. Oh well, it will get done in time I just need to quit worrying about it.&lt;br /&gt;&lt;br /&gt;Hopefully soon I'll get back to blogging something of value. For now work and my honeydo list calls so.......... It's off to catch the bus home and hopefully finish staining the deck.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/AndyItguy/~4/267216416" height="1" width="1"/&gt;</content><link rel="alternate" type="text/html" href="http://feeds.feedburner.com/~r/AndyItguy/~3/267216416/thanks-birmingham-infragard-chapter.html" title="Thanks Birmingham InfraGard Chapter" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=29245024&amp;postID=2689661220591121408" title="0 Comments" /><link rel="replies" type="application/atom+xml" href="http://andyitguy.blogspot.com/feeds/2689661220591121408/comments/default" title="Post Comments" /><link rel="self" type="application/atom+xml" href="http://andyitguy.blogspot.com/feeds/posts/full/2689661220591121408" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/29245024/posts/full/2689661220591121408" /><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>noreply@blogger.com</email></author><feedburner:origLink>http://andyitguy.blogspot.com/2008/04/thanks-birmingham-infragard-chapter.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-29245024.post-3715528788074364539</id><published>2008-04-07T14:29:00.003-04:00</published><updated>2008-04-07T14:49:44.934-04:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="spam" /><category scheme="http://www.blogger.com/atom/ns#" term="Andy ITGuy" /><category scheme="http://www.blogger.com/atom/ns#" term="information security" /><title type="text">It was a cold, dark, rainy night.........</title><content type="html">&lt;span style="color: rgb(204, 0, 0);"&gt;&lt;span style="font-size:85%;"&gt;&lt;span style="color: rgb(0, 0, 0);"&gt;and you are home alone. All alone and very lonely. The only thing to keep you company is your computer and your internet connection to the world. Yet it seems that you are the only one alone on this night. No one wants to chat. You have 4 different IM clients up and waiting. 
You are logged into 3 other chat rooms and still it's only you. You get more and more sad and life looks bleak. You pick up the TV remote and search the channels for something that you haven't already seen 3 times or an infomercial that you haven't already bought the product they are selling. Nothing. Tears start to well up in your eyes. Sleep won't come..........&lt;br /&gt;&lt;br /&gt;Then all of a sudden a ray of hope appears on one of  your IM windows. &lt;span style="color: rgb(255, 0, 0);"&gt;&lt;span style="font-size:130%;"&gt;A MESSAGE!!!!!!!!! A REAL MESSAGE JUST FOR YOU!!!!!!!!  &lt;span style="font-size:100%;"&gt;&lt;span style="color: rgb(0, 0, 0);"&gt;&lt;span style="font-size:85%;"&gt;You check the name and don't recognize it but still it's a message for you! So you anxiously start reading. Here is the text of the message:&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;(12:22:19 PM) &lt;/span&gt;&lt;b&gt;&lt;span style="font-size:100%;"&gt;teencutie957435@real-cam-girls.net:&lt;/span&gt;&lt;/b&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt; &lt;span style="color: rgb(0, 0, 0);"&gt;Hey! I thought you really enjoyy watching my F - R - E - E web camera :-* just visit  6d="" 36="" ojf=""&lt;br /&gt;www.s%69%67%6E%75%70%36.%63%6F%6D/%67%69%72%6C%69%65%38%36/%69%6E%&lt;br /&gt;klfpkklkkfjdkf64%65%78.html?????klu9987890Pleiades.luxfoatiii.dxbyn.fuchrbxuwho.diagramed&lt;br /&gt;.lymphomata:?ojf&lt;br /&gt;tell me what you think! :)  x parcelled 5 alluvia 7 impanelling&lt;br /&gt;lateralled chapelling oreades puj 80&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;A smile crosses your face as you hover the mouse over the link anxious to see what's on the other end of that web cam and maybe even chat with her. 
This is your lucky night.&lt;br /&gt;_______________________________________________________________&lt;br /&gt;Just how stupid do you have to be to actually click on a link in an IM from someone called teencutie957435 and when the link is as convoluted as that one is. Not to mention the garbage at the end of the message.&lt;br /&gt;&lt;br /&gt;COME ON PEOPLE!    USE YOUR HEAD!   USE SOME COMMON SENSE!&lt;br /&gt;&lt;br /&gt;Sorry, it just gets my goat to think that there are people who actually click on something so obviously wrong. I know it must work b/c they are still sending them out. I get 3 or 4 a week and NO I DON'T CLICK ON THEM. I type them in manually. :) Just kidding.&lt;br /&gt;&lt;br /&gt;I know that none of you who read my blog would actually click on something like that and that I'm preaching to the choir but I had to get it off my chest.&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/AndyItguy/~4/265834214" height="1" width="1"/&gt;</content><link rel="alternate" type="text/html" href="http://feeds.feedburner.com/~r/AndyItguy/~3/265834214/it-was-cold-dark-rainy-night.html" title="It was a cold, dark, rainy night........." /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=29245024&amp;postID=3715528788074364539" title="0 Comments" /><link rel="replies" type="application/atom+xml" href="http://andyitguy.blogspot.com/feeds/3715528788074364539/comments/default" title="Post Comments" /><link rel="self" type="application/atom+xml" href="http://andyitguy.blogspot.com/feeds/posts/full/3715528788074364539" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/29245024/posts/full/3715528788074364539" /><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>noreply@blogger.com</email></author><feedburner:origLink>http://andyitguy.blogspot.com/2008/04/it-was-cold-dark-rainy-night.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-29245024.post-4788813007819664506</id><published>2008-04-05T21:21:00.003-04:00</published><updated>2008-04-05T21:30:26.681-04:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="InfraGard" /><category scheme="http://www.blogger.com/atom/ns#" term="Andy ITGuy" /><category scheme="http://www.blogger.com/atom/ns#" term="information security" /><title type="text">I'm Speaking at the Birmingham, AL InfraGard</title><content type="html">I just wanted to put up a post to let y'all know that I'm still here. For some reason I've hit a lull and just have nothing worth saying so I'm keeping quiet.&lt;br /&gt;&lt;br /&gt;The only thing I have right now is a reminder for any of you in the Birmingham, Al area that I will be speaking at the InfraGard meeting this Tuesday 4/8/08. If you are in the area and can make it I'd love to meet you. 
If you do want to come here is the address. 1000 18th Street North, Birmingham, AL. That is an FBI facility so if you want to come let me or the Chapter president know that you are coming. Reservations are required.&lt;br /&gt;&lt;br /&gt;Hopefully I'll get back on the blogging track soon and post something worth reading.&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/AndyItguy/~4/264817856" height="1" width="1"/&gt;</content><link rel="alternate" type="text/html" href="http://feeds.feedburner.com/~r/AndyItguy/~3/264817856/im-speaking-at-birmingham-al-infragard.html" title="I'm Speaking at the Birmingham, AL InfraGard" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=29245024&amp;postID=4788813007819664506" title="0 Comments" /><link rel="replies" type="application/atom+xml" href="http://andyitguy.blogspot.com/feeds/4788813007819664506/comments/default" title="Post Comments" /><link rel="self" type="application/atom+xml" href="http://andyitguy.blogspot.com/feeds/posts/full/4788813007819664506" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/29245024/posts/full/4788813007819664506" /><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>noreply@blogger.com</email></author><feedburner:origLink>http://andyitguy.blogspot.com/2008/04/im-speaking-at-birmingham-al-infragard.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-29245024.post-1223992301542833680</id><published>2008-03-21T12:21:00.001-04:00</published><updated>2008-03-21T12:21:49.875-04:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="mckeay" /><category scheme="http://www.blogger.com/atom/ns#" term="Andy ITGuy" /><category scheme="http://www.blogger.com/atom/ns#" term="Pauldotcom.com" /><category scheme="http://www.blogger.com/atom/ns#" term="information security" /><category scheme="http://www.blogger.com/atom/ns#" term="apple" /><title type="text">The Bad Apple</title><content type="html">&lt;p&gt;I've been thinking of buying a MacBook Pro for a while now. It's not something that I need I just want one. Just when I think that I am ready to bite the bullet Apple does something that kind of irritates me and makes me step back and take a second look. 
&lt;/p&gt;  &lt;p&gt;A couple of years ago David Maynor and Johnny Cache were smeared by Apple for doing research and that left a bad taste in my mouth. Then I listened to an interview on &lt;a href="http://www.pauldotcom.com/2006/09/12/pauldotcom_special_edition_int.html" target="_blank"&gt;Pauldotcom Security Weekly with Roamer&lt;/a&gt; where he details his experiences with Apple. This did nothing to endear Apple to me. Well, as time heals all wounds I've been thinking again that I may bite the bullet and buy a MBP and once again Apple has done something that just gets my goat.&lt;/p&gt;  &lt;p&gt;Yesterday I noticed that my Apple Updater software was prompting me to install something. I looked at it and noticed that it wanted to install Safari. I don't want Safari and as far as I knew I didn't have it. So I said no and quickly checked my system to see if somehow Safari had been installed without my knowledge. It hadn't. So I mentioned it to some friends in a chat room and then forgot about it. &lt;/p&gt;  &lt;p&gt;This morning I received a &lt;a href="http://www.appleinsider.com/articles/08/03/20/apple_pushing_safari_downloads_on_windows_users.html" target="_blank"&gt;link&lt;/a&gt; from my friend Martin McKeay to a story that explains what happened. It seems that Apple decided to push out the Safari install to everyone who runs Apple Updater. &lt;a href="http://www.mckeay.net/2008/03/21/apple-upgrading-safari-even-where-its-not-installed/" target="_blank"&gt;Martin wrote about this here and you should read his take on it&lt;/a&gt;. I tend to agree with Martin that there is nothing really wrong with this but it is underhanded and it irritates me. It would bother me just a little if this was the first thing that Apple has done that I didn't like but it isn't. What I like even less is that they do these things and think that it's no big deal. 
Why shouldn't they be able to smear people's names and reputations or give bad service or sneak their software onto possibly millions of computers? They're Apple! &lt;/p&gt;  &lt;p&gt;I don't like this because it's semi-dishonest and it takes advantage of people's inherent acceptance of Apple's goodwill. They assume that because it is being delivered by Apple via an update mechanism that it is an update. An install of software not currently on the system is not an update and it's wrong to make people think it is. People assume that if a reputable company is sending them something via an updater then it is an update and needs to be installed. We in the security community have been preaching to our friends and family to keep their software updated and along comes Apple with what could be called predatory practices. That is just plain wrong. &lt;/p&gt;  &lt;p&gt;This won't make me not buy a MBP one day but it will cause me to really consider whether or not I want to spend my money with a company who doesn't seem to care about how they do things. I know that lots of companies that I do business with do things that I don't like or agree with and there have been lots of companies that I've stopped doing business with (at least knowingly). For now Apple has lost my business again and only time will tell whether or not they earn it back. &lt;/p&gt;  &lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/AndyItguy/~4/255612053" height="1" width="1"/&gt;</content><link rel="alternate" type="text/html" href="http://feeds.feedburner.com/~r/AndyItguy/~3/255612053/bad-apple.html" title="The Bad Apple" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=29245024&amp;postID=1223992301542833680" title="0 Comments" /><link rel="replies" type="application/atom+xml" href="http://andyitguy.blogspot.com/feeds/1223992301542833680/comments/default" title="Post Comments" /><link rel="self" type="application/atom+xml" href="http://andyitguy.blogspot.com/feeds/posts/full/1223992301542833680" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/29245024/posts/full/1223992301542833680" /><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>noreply@blogger.com</email></author><feedburner:origLink>http://andyitguy.blogspot.com/2008/03/bad-apple.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-29245024.post-48287238556828132</id><published>2008-03-18T17:40:00.000-04:00</published><updated>2008-03-18T17:41:26.647-04:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="CSO Perspectives" /><category scheme="http://www.blogger.com/atom/ns#" term="Andy ITGuy" /><category scheme="http://www.blogger.com/atom/ns#" term="information security" /><title type="text">CSO Perspectives Day 2 and 3</title><content type="html">&lt;p&gt;I think one of the aims of the conference was to make us feel right at home. What I mean by that is for most of us our days start early, end late and we are always on the go. That is exactly how day 2 was. Breakfast was at 7:00 AM and the day ended (officially) at 9:30 PM and just about every hour in between was filled with something. Even lunch was done in table discussion format. The last 3 hours were geared more towards the &amp;quot;fun&amp;quot; side of things. 
There was a big St. Patrick's Day party open to all. I missed out on it because I had been invited to a dinner that IBM was sponsoring. After the dinner was over and we all parted ways it was pushing 11:00 and we had to start again at 7:30 the next morning.&lt;/p&gt;  &lt;p&gt;I'm not going to bore you with all the details of the day. The main thing that I want to stress is that this is a quality conference. It's not geared towards the technical side of life but towards the business/operational side. It's not big and it's not super sexy like some of the larger conferences but it is done right. In talking with lots of attendees I discovered that the reason many of them choose this conference is because it is small and it does offer what the CSO needs. Many people that I spoke with have been to CSO Perspectives at least once before and some were on their 3rd or 4th conference. &lt;/p&gt;  &lt;p&gt;What did I like? Pretty much the same things. Not too many people so it wasn't overly crowded. Good content in most of the sessions. Vendors were there but they participated in the conference as both vendors and participants. It wasn't pushy and it wasn't filled with sales pitches. The opportunities to network with others in similar situations were really great. I spoke with guys very much like me who were fairly new to the world of being an information security officer to those who had been doing it for years and who worked for some of the world's largest companies. The thing that really got my attention is that all of them acted just like they were &amp;quot;real&amp;quot; people. No egos, no &amp;quot;look at what I've done&amp;quot;. Just &amp;quot;Here I am. What can I do for you?&amp;quot;&lt;/p&gt;  &lt;p&gt;Several times during Q/A sessions I'd ask a question and almost every time someone would approach me afterwards and give me a card and tell me to get in touch with them if I needed anything. 
&lt;/p&gt;  &lt;p&gt;Just a quick rundown of some of the highlights of the conference and who some of the speakers were.&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;Eric O'Neill - Former FBI Operative. The movie &amp;quot;Breach&amp;quot; is about his role in bringing down one of the foremost spies in recent history, Robert Hanssen. &lt;/li&gt;    &lt;li&gt;Dave Morrow - CSPO, EDS - spoke on the topic of monitoring employees &lt;/li&gt;    &lt;li&gt;Milton Ahlerich - VP Security, NFL - talked about the challenges of security when dealing with &amp;quot;stars&amp;quot; and very large venues. &lt;/li&gt;    &lt;li&gt;John Stewart - VP &amp;amp; CSO, Cisco Systems - John spoke about the value Security adds to an organization and how to sell that value to management and the users. &lt;/li&gt;    &lt;li&gt;Andrew Nash - Sr. Dir. of Information Risk Management, PayPal. Andrew talked to us about the growing threat of malware and what companies like PayPal are doing to fight it and help make us all safer. &lt;/li&gt;    &lt;li&gt;Louis Freeh - Former Director, FBI - This is a guy whose shoes I wouldn't have wanted to be in. He was put in the undesirable position of having to conduct multiple investigations into the actions of his boss, the President of the United States, Bill Clinton. He spoke to us about leadership keys that can make or break your career. &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;There were also &amp;quot;break out&amp;quot; sessions that touched on different concepts and strategies to help us do our jobs better. There were lunch sessions around various topics of interest and there were other &amp;quot;Hot Topic&amp;quot; sessions for the whole group. The only thing that I would have done differently was to reduce the number of &amp;quot;break out&amp;quot; sessions and increase the amount of time for these sessions. Each was 30 minutes long and that's just not enough time to do much more than get going good. 
Other than that I think the team at CXO Media did an excellent job in planning and executing the conference. If you have never been I'd make a note to attend next year if you are a CSO or in a position of security leadership with your company. It's worth the investment in time and money.&lt;/p&gt;  &lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/AndyItguy/~4/253885479" height="1" width="1"/&gt;</content><link rel="alternate" type="text/html" href="http://feeds.feedburner.com/~r/AndyItguy/~3/253885479/cso-perspectives-day-2-and-3.html" title="CSO Perspectives Day 2 and 3" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=29245024&amp;postID=48287238556828132" title="0 Comments" /><link rel="replies" type="application/atom+xml" href="http://andyitguy.blogspot.com/feeds/48287238556828132/comments/default" title="Post Comments" /><link rel="self" type="application/atom+xml" href="http://andyitguy.blogspot.com/feeds/posts/full/48287238556828132" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/29245024/posts/full/48287238556828132" /><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>noreply@blogger.com</email></author><feedburner:origLink>http://andyitguy.blogspot.com/2008/03/cso-perspectives-day-2-and-3.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-29245024.post-927430699577504080</id><published>2008-03-16T22:37:00.001-04:00</published><updated>2008-03-16T22:37:07.427-04:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Andy ITGuy" /><title type="text">Quote of the Day</title><content type="html">&lt;p&gt;My favorite quote from the CSO Perspectives conference today.&lt;/p&gt;  &lt;p&gt;&amp;quot;Someone tasked with trying to influence the activities of an organization without the authority to do so.&amp;quot;&lt;/p&gt;  &lt;p&gt;Why do I like it? It describes my job to a tee. :)&lt;/p&gt;  &lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/AndyItguy/~4/252738453" height="1" width="1"/&gt;</content><link rel="alternate" type="text/html" href="http://feeds.feedburner.com/~r/AndyItguy/~3/252738453/quote-of-day.html" title="Quote of the Day" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=29245024&amp;postID=927430699577504080" title="0 Comments" /><link rel="replies" type="application/atom+xml" href="http://andyitguy.blogspot.com/feeds/927430699577504080/comments/default" title="Post Comments" /><link rel="self" type="application/atom+xml" href="http://andyitguy.blogspot.com/feeds/posts/full/927430699577504080" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/29245024/posts/full/927430699577504080" /><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>noreply@blogger.com</email></author><feedburner:origLink>http://andyitguy.blogspot.com/2008/03/quote-of-day.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-29245024.post-4309242650733390454</id><published>2008-03-16T22:27:00.001-04:00</published><updated>2008-03-16T22:27:36.695-04:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="CSO Perspectives" /><category scheme="http://www.blogger.com/atom/ns#" term="Andy ITGuy" /><category scheme="http://www.blogger.com/atom/ns#" term="information security" /><title type="text">CSO Perspectives Day 1</title><content type="html">&lt;p&gt;Today was the first day of the &lt;a href="http://www.csoperspectives.com" target="_blank"&gt;CSO Perspectives Conference&lt;/a&gt; here in Atlanta. This is a conference put on by CXO Media that is designed to bring CSO's (and aspiring CSO's) from all over and give them tools to do their job better. I must say that they got things off to a good start. &lt;/p&gt;  &lt;p&gt;Today was sort of a pre-conference day. 
It was a half-day hands-on seminar on Presenting to the Board of Directors. They brought in Paul Argenti who is Professor of Corporate Communications at the Tuck School of Business, Dartmouth College. He spent the day talking about how to be better communicators especially when we have to face the Board. This is an area that many CSO's need help with and few of us get to learn outside the &amp;quot;School of Hard Knocks&amp;quot;. &lt;/p&gt;  &lt;p&gt;The first part of the day was us listening to him teach us some keys to effective communication. We had some homework that we were supposed to do prior to the conference. A paper to read and a case study to go over. These were used as tools in the discussion and learning aids. After we had been given a good overview of effective communication we then broke up into groups of 5 and were given 1 of 3 scenarios to talk about. After 30 minutes of brainstorming we then teamed up with the other groups who had the same scenario that we had. Then as a larger group we put together a short Board Presentation and had one of the group make the presentation to a mock Board. After each group made their presentation we wrapped up the day and went to have some light snacks and refreshments. &lt;/p&gt;  &lt;p&gt;So what were my takeaways from today? Several things I think. &lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;First, when we communicate our message, no matter who the audience is, we must be clear and focused. &lt;/li&gt;    &lt;li&gt;Second, be prepared. When you are going before the board you need to have all your facts and you need to be prepared to defend your position and be ready for them to throw you a curve ball. &lt;/li&gt;    &lt;li&gt;Third, know your audience. Find out what you can about who they are, what they like and don't like. 
Anything that you can use to boost your message and get it across to them. &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;I didn't really know what to expect out of today's session but I was pleasantly surprised at just how good it was. &lt;/p&gt;  &lt;p&gt;There are 2 more days of the conference with lots of sessions to choose from. It promises to be a good two days of learning and networking.&lt;/p&gt;  &lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/AndyItguy/~4/252733225" height="1" width="1"/&gt;</content><link rel="alternate" type="text/html" href="http://feeds.feedburner.com/~r/AndyItguy/~3/252733225/cso-perspectives-day-1.html" title="CSO Perspectives Day 1" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=29245024&amp;postID=4309242650733390454" title="0 Comments" /><link rel="replies" type="application/atom+xml" href="http://andyitguy.blogspot.com/feeds/4309242650733390454/comments/default" title="Post Comments" /><link rel="self" type="application/atom+xml" href="http://andyitguy.blogspot.com/feeds/posts/full/4309242650733390454" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/29245024/posts/full/4309242650733390454" /><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>noreply@blogger.com</email></author><feedburner:origLink>http://andyitguy.blogspot.com/2008/03/cso-perspectives-day-1.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-29245024.post-5916612423631201441</id><published>2008-03-14T09:03:00.000-04:00</published><updated>2008-03-14T09:04:11.880-04:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Andy ITGuy" /><category scheme="http://www.blogger.com/atom/ns#" term="information security" /><title type="text">Information Security is a people problem</title><content type="html">&lt;p&gt;I know this has been said before but it needs to be said again and again until we ALL finally get it. Technology isn't going to solve the problem by itself because there are too many flaws in either how it is coded, deployed or maintained. Then there is the whole thing of people who come up with ways to get around what has been put in place. 
Once one person figures it out they tell two friends and they tell two friends and so on and so on.......&lt;/p&gt;  &lt;p&gt;&lt;a href="http://techbuddha.wordpress.com/2008/03/14/is-the-cure-costlier-than-the-disease/" target="_blank"&gt;Amrit talks about how securing just the desktop alone can cost a small fortune for a company&lt;/a&gt;. &lt;a href="http://blogs.computerworld.com/information_security_failing_and_ailing" target="_blank"&gt;Douglas Schweitzer talks about how we seem to be in a losing battle&lt;/a&gt;. &lt;a href="http://www.networkworld.com/news/2008/031208-remote-workers-present-security-risk.html?fsrc=rss-security" target="_blank"&gt;NetworkWorld has an article from ComputerWorld on how Execs fear the security risks of remote workers but still have to deal with them&lt;/a&gt;. &lt;/p&gt;  &lt;p&gt;I mention all of these to highlight some of the problems and issues that we face every day whether you are a company dealing with securing workers or a worker who has to be secured. The thing is that we are constantly under attack and the attacks are getting better and better and technology is having a hard time keeping up. Even when it is up to date there are still the issues of misconfigurations, wrong deployment scenarios, wrong technology for the environment or threat, workarounds, etc, etc, etc...&amp;#160; It's also been said before that the best technology can't stop stupidity, apathy, or someone who is determined to get around it (in most cases). Until everyone, including IT and security pros, get their act together we will continue to have big problems.&lt;/p&gt;  &lt;p&gt;What do I mean by this? Let's start with the IT/Security Pros. As long as we have people who don't know what they are doing trying to do things that they aren't qualified to do we will have issues. 
As long as we have people who are apathetic and don't bother to ensure that they have the proper controls in place and that they are properly deployed, configured and maintained we will have issues. As long as we have those in this field who feel that they are above the law (or policy) and continue to skirt the rules we will have issues. IT and Security has to take the lead (assuming management buy in) in doing things in the best way possible. &lt;/p&gt;  &lt;p&gt;Then the users have got to get their act together. They have got to quit being so click happy and so focused on the next &amp;quot;cool site&amp;quot; or funny flash animation. They have got to quit being so enamored with the Internet, email and IM that they lose all common sense. I'd like to say that there is no reason for them not to be aware of the threats but it seems that I can't. Actually I can say it. There is no reason. There has been enough media coverage to let everyone in on the secret. The problem is that they think that it will not happen to them and so they ignore it. That doesn't mean that we don't need to continue to educate and get the word out but people just can't use the ignorance excuse anymore. Although I am surprised at the questions and looks I get from people when I talk about some of the attack vectors and threats that are out there. Even people in IT sometimes look at me with that deer in the headlights look.&lt;/p&gt;  &lt;p&gt;Technology is a very important part of securing our networks and systems but it has to be paired with common sense and good security practices. If we could get people to do their part then we wouldn't need to spend hundreds of thousands of dollars per year to secure the company............ &lt;em&gt;huh?, what?, just five more minutes mom, please. I promise I'll get up in 5 minutes......zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz&lt;/em&gt;&lt;/p&gt;  &lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/AndyItguy/~4/251399453" height="1" width="1"/&gt;</content><link rel="alternate" type="text/html" href="http://feeds.feedburner.com/~r/AndyItguy/~3/251399453/information-security-is-people-problem.html" title="Information Security is a people problem" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=29245024&amp;postID=5916612423631201441" title="0 Comments" /><link rel="replies" type="application/atom+xml" href="http://andyitguy.blogspot.com/feeds/5916612423631201441/comments/default" title="Post Comments" /><link rel="self" type="application/atom+xml" href="http://andyitguy.blogspot.com/feeds/posts/full/5916612423631201441" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/29245024/posts/full/5916612423631201441" /><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>noreply@blogger.com</email></author><feedburner:origLink>http://andyitguy.blogspot.com/2008/03/information-security-is-people-problem.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-29245024.post-4462288164955038181</id><published>2008-03-06T06:42:00.002-05:00</published><updated>2008-03-06T07:53:57.175-05:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="disaster recovery" /><category scheme="http://www.blogger.com/atom/ns#" term="Business Continuity" /><title type="text">DR vs BC</title><content type="html">&lt;p&gt;Yesterday I went to a &lt;a href="http://www.techtarget.com/" target="_blank"&gt;TechTarget&lt;/a&gt; breakfast seminar on Business Continuity. They had an analyst from &lt;a href="http://www.burtongroup.com/" target="_blank"&gt;The Burton Group&lt;/a&gt; talk about BC and then a short case study by &lt;a href="http://www.stratus.com/" target="_blank"&gt;Stratus&lt;/a&gt; on how they had solved a BC problem for a client with their solutions. 
&lt;/p&gt;  &lt;p&gt;It was a good morning and started me to thinking about the difference between DR and BC. It seems to me that lots of companies think that DR = BC and that they will be in for a very rude awakening if/when they ever have to put the plan into play. BC involves much more than DR but as technology professionals it's easy to get caught up in the technology of it all and forget the processes that make the business run. I'm not suggesting that IT is responsible for ensuring that Finance or HR or any other department within the company has their BC plans in place but we do need to ensure that our DR plans match up with the company's overall BC plans. That is where we can step in and raise the proper questions. I'm a firm believer that in order for technology to do its job properly that we must understand the business. By understanding the business and knowing the technology (and how the DR plan works) we are in a great position to bring up other BC related issues.&lt;/p&gt;  &lt;p&gt;This got me to thinking that this may be a good time to start doing polls again. So here is my first Poll question for this year. &lt;strong&gt;Does your company have a full Business Continuity plan in place or only a Disaster Recovery plan?&lt;/strong&gt;  &lt;strong&gt;DR Only &lt;/strong&gt;or &lt;strong&gt;BC and DR&lt;br /&gt;&lt;/strong&gt;&lt;/p&gt;  &lt;p&gt;It's quick and easy and a good way to start the polls again.&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/AndyItguy/~4/246704747" height="1" width="1"/&gt;</content><link rel="alternate" type="text/html" href="http://feeds.feedburner.com/~r/AndyItguy/~3/246704747/dr-vs-bc.html" title="DR vs BC" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=29245024&amp;postID=4462288164955038181" title="0 Comments" /><link rel="replies" type="application/atom+xml" href="http://andyitguy.blogspot.com/feeds/4462288164955038181/comments/default" title="Post Comments" /><link rel="self" type="application/atom+xml" href="http://andyitguy.blogspot.com/feeds/posts/full/4462288164955038181" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/29245024/posts/full/4462288164955038181" /><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>noreply@blogger.com</email></author><feedburner:origLink>http://andyitguy.blogspot.com/2008/03/dr-vs-bc.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-29245024.post-3247703036168775798</id><published>2008-03-03T09:12:00.000-05:00</published><updated>2008-03-03T09:13:18.718-05:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="policy" /><category scheme="http://www.blogger.com/atom/ns#" term="Screen Savers" /><category scheme="http://www.blogger.com/atom/ns#" term="Andy ITGuy" /><category scheme="http://www.blogger.com/atom/ns#" term="information security" /><title type="text">Screen Savers</title><content type="html">&lt;p&gt;Recently we implemented mandatory screen savers for all PCs at work. There were a few systems that we had to exempt from the policy due to legitimate business need. These systems are in secured areas and have limited access by only a few users. The rest of the systems received the policy early last week. 
&lt;/p&gt;  &lt;p&gt;The decision was made to use a common text-based screen saver and allow the user to change the text but not the theme of the screen saver. We sent out several messages informing the users of the change and when it was scheduled to happen. The day that it went into effect you would have thought that we took away their PCs and replaced them with an Etch A Sketch. All of a sudden no one could work because they would be in the middle of intense computation and all of a sudden the screen saver would kick in and they would lose all of their work. In reality the problem was that they either didn't like having to reenter their passwords or they were upset because they couldn't change the screen saver to something else. &lt;/p&gt;  &lt;p&gt;The manager of the help desk is also the one who sent out the emails explaining everything that was going to happen. She is also the one catching the wrath of many of the users. She has been bombarded with calls, emails and visits by people who complain that they can't work or are extremely upset because they no longer have pictures scrolling across their screen when the screen saver kicks in. The sad thing about this is that in the past this has worked. A new policy is put into place, the users whine and cry, the policy is rescinded. Fortunately things are different now. Management realizes that the policies have to be put into place whether the users like it or not. &lt;/p&gt;  &lt;p&gt;Often management caves to the whims of the user without taking the bigger picture into account. I've seen this in many companies that I've worked for and have heard stories of many others. Management wants the users to be happy, which is important, and security wants them to be secure, which also is important. The important thing is to reach a &amp;quot;happy medium&amp;quot;: the point where users are happy and can actually do their job, yet the systems and network are secured. 
In a company that has a history of allowing the users to make policy decisions it can be a challenge to reach this happy medium. &lt;/p&gt;  &lt;p&gt;There are several steps involved in getting past history and to where the company needs to be. It starts with education. &lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;Management needs to be educated in the need to find balance. They need to understand that users want convenience, ease of use and control over their systems (ability to add programs, manage how it looks and feels, etc). &lt;/li&gt;    &lt;li&gt;Users need to be educated. They are not concerned, at least by default, about security. They push back on almost anything that changes how they are able to control their systems. The problem with this is that users are not &amp;quot;secure by default&amp;quot;. They don't understand how to secure a system or why &amp;quot;that cool screen saver&amp;quot; they downloaded may just be the back door into the network. They need to understand &amp;quot;WHY&amp;quot; security is important and how it affects them personally. &lt;/li&gt;    &lt;li&gt;Communication of changes MUST happen well ahead of the actual change. All affected parties need an opportunity to think about this and how it may affect them and then ask questions. Maybe they need time to work out new processes to minimize the impact on their jobs without compromising security. This step does not happen just by sending out an email telling them that the change is coming. The communication needs to tell them to think (kinda sad isn't it?). Unfortunately many people don't think by default. &lt;/li&gt;    &lt;li&gt;Feedback from users needs to be taken into account to work around issues that may come up. An example from our screen saver issue is that we have a few systems that are used by our call centers to view call queues. That is all these systems do, so we need to exempt them from the policy while still ensuring that they are secured. 
Remember, we have to balance security with usability. &lt;/li&gt;    &lt;li&gt;IT/Security has to remember that they do not have the final say on what, when, where, how or why these things happen. Their job is to come up with solutions to problems and convince the company why this is what we need and then work with the business units to make the solution as painless as possible. &lt;/li&gt; &lt;/ul&gt;  &lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/AndyItguy/~4/244873181" height="1" width="1"/&gt;</content><link rel="alternate" type="text/html" href="http://feeds.feedburner.com/~r/AndyItguy/~3/244873181/screen-savers.html" title="Screen Savers" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=29245024&amp;postID=3247703036168775798" title="0 Comments" /><link rel="replies" type="application/atom+xml" href="http://andyitguy.blogspot.com/feeds/3247703036168775798/comments/default" title="Post Comments" /><link rel="self" type="application/atom+xml" href="http://andyitguy.blogspot.com/feeds/posts/full/3247703036168775798" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/29245024/posts/full/3247703036168775798" /><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>noreply@blogger.com</email></author><feedburner:origLink>http://andyitguy.blogspot.com/2008/03/screen-savers.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-29245024.post-4515611682452198500</id><published>2008-03-01T07:34:00.000-05:00</published><updated>2008-03-01T07:35:20.488-05:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="digital forensics" /><category scheme="http://www.blogger.com/atom/ns#" term="incident response" /><category scheme="http://www.blogger.com/atom/ns#" term="Andy ITGuy" /><category scheme="http://www.blogger.com/atom/ns#" term="information security" /><title type="text">Digital Forensics</title><content type="html">&lt;p&gt;I've mentioned before that I'm not a forensics guy by any means. I've never done any &amp;quot;real&amp;quot; forensics, at least not anything beyond simply looking for fairly obvious evidence of a breach or problem. I enjoy reading about digital forensics because it fascinates me. 
The way that data can be extracted from media after it has been deleted, hidden, and even when the disk has been formatted. Not to mention how someone who is trained can look at the system and determine what happened, how it happened, who did it, how they gained access to the system, etc....&lt;/p&gt;  &lt;p&gt;Last week I read this post by Harlan Carvey &lt;a href="http://windowsir.blogspot.com/2008/02/cio-article-on-need-for-forensics.html" target="_blank"&gt;here&lt;/a&gt;. This quote that he made got me thinking:&lt;/p&gt;  &lt;blockquote&gt;   &lt;p&gt;My personal thought on this is that ideally what an organization would want to do is develop an in-house capability for tier 1 response...trained folks whose job it is to respond to, triage, and diagnose a technical IT incident. By &amp;quot;trained&amp;quot;, I mean in the basics, such as &lt;a href="http://taosecurity.blogspot.com/"&gt;&lt;font color="#0000ff"&gt;NSM&lt;/font&gt;&lt;/a&gt;, &lt;a href="http://windowsir.blogspot.com/"&gt;&lt;font color="#0000ff"&gt;incident response&lt;/font&gt;&lt;/a&gt;, troubleshooting, etc...enough to be able to triage and accurately diagnose level 1 and 2 incidents, as well as preserve data until outside professionals can respond to level 3 or 4 incidents.&lt;/p&gt; &lt;/blockquote&gt;  &lt;p&gt;What is it that companies really need? What are the basics to ensure that triage is done in a manner that doesn't compromise &amp;quot;the crime scene&amp;quot;? I decided to post that question to my friends in the Security Catalysts Community &lt;a href="http://www.securitycatalyst.org/forums/index.php?topic=793.msg5692;topicseen#msg5692" target="_blank"&gt;here&lt;/a&gt;. As I expected, I have gotten some good responses. &lt;/p&gt;  &lt;p&gt;On Thursday of this week I attended a one-day event put on by &lt;a href="http://www.isc2.org" target="_blank"&gt;ISC2&lt;/a&gt; called SecureAtlanta 2008. I had forgotten what the topic was and it turned out to be Digital Forensics. 
It was a high-level discussion that covered a lot of the basics of what DF is and why companies need to be informed and concerned about it. Not much of the content was technical but it was informative. One of the things that grabbed my attention was the topic of DF and the law. We need to keep in mind that what we are doing in incident response and forensics needs to take into account the possibility of going to court. Our findings may need to be presented in court to convict or defend. Therefore we need to ensure that our teams are trained in the basics but also trained in how to not contaminate the crime scene.&lt;/p&gt;  &lt;p&gt;One last thing to consider is that, just as with all things related to security, there has to be a balance. We have to balance IR and DF with ensuring that we get (or keep) the company running. We can't forget that our company probably relies on these systems running in order for them to make money. So if your company doesn't have proper policies and procedures in place for this, start the conversation with your boss. Then work with management to put the proper program and training in place.&lt;/p&gt;  &lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/AndyItguy/~4/243851897" height="1" width="1"/&gt;</content><link rel="alternate" type="text/html" href="http://feeds.feedburner.com/~r/AndyItguy/~3/243851897/digital-forensics.html" title="Digital Forensics" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=29245024&amp;postID=4515611682452198500" title="0 Comments" /><link rel="replies" type="application/atom+xml" href="http://andyitguy.blogspot.com/feeds/4515611682452198500/comments/default" title="Post Comments" /><link rel="self" type="application/atom+xml" href="http://andyitguy.blogspot.com/feeds/posts/full/4515611682452198500" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/29245024/posts/full/4515611682452198500" /><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>noreply@blogger.com</email></author><feedburner:origLink>http://andyitguy.blogspot.com/2008/03/digital-forensics.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-29245024.post-8896677938602865188</id><published>2008-02-28T05:02:00.004-05:00</published><updated>2008-02-28T05:25:16.809-05:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="user awareness" /><category scheme="http://www.blogger.com/atom/ns#" term="Andy ITGuy" /><category scheme="http://www.blogger.com/atom/ns#" term="information security" /><title type="text">Real Life Awareness</title><content type="html">Here's a great user awareness story from real life.&lt;br /&gt;&lt;br /&gt;My wife and I just finished attending a 4-week-long Sunday School class on Parenting Preschoolers. Yesterday the girl who was the class coordinator sent out an email to the whole class. 
She ended the class with the following statement:&lt;br /&gt;&lt;blockquote&gt;&lt;/blockquote&gt;"&lt;span&gt;&lt;span id="role_document"    style="font-family:Arial;font-size:85%;color:#000000;"&gt;If any of you are interested, please let me know and I  will email her your email address. I did not want to send everyone's address to  everyone without their consent."&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;If you stop to think about it you will know where this is going. :) When I looked at the "to" address, sure enough, there was each and every address for the whole class. I couldn't help but smile. It sort of has a happy ending though. A few minutes later she sent out a follow-up email:&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span id="role_document"    style="font-family:Arial;font-size:85%;color:#000000;"&gt;&lt;blockquote&gt;&lt;/blockquote&gt;"I apologize for not hiding the addresses in the last email. I meant to  press a different button but hit send before I could correct it. Sorry."&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;So either she realized what she did or someone else pointed it out to her. Either way I was impressed with the fact that she was aware of the fact that she should not have just sent out everyone's email address w/o their permission. Way too often people just forward emails with the address of everyone in their address book w/o thinking about it. I'd like to know where she learned about the need to hide addresses. I saw her last night and we had a good laugh over this. I wish I'd asked her then. Was this something that she learned from a work User Awareness program? Did her husband pass this on to her? Maybe a friend told her about it. Either way it's good that she knows it and that she puts it into practice..........usually.&lt;br /&gt;&lt;br /&gt;I sent her a reply and told her that with her permission I'd like to use her in my blog. 
Of course I assured her that I'd not reveal her name or email address........unless I forgot. :)&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/AndyItguy/~4/242649605" height="1" width="1"/&gt;</content><link rel="alternate" type="text/html" href="http://feeds.feedburner.com/~r/AndyItguy/~3/242649605/real-life-awareness.html" title="Real Life Awareness" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=29245024&amp;postID=8896677938602865188" title="0 Comments" /><link rel="replies" type="application/atom+xml" href="http://andyitguy.blogspot.com/feeds/8896677938602865188/comments/default" title="Post Comments" /><link rel="self" type="application/atom+xml" href="http://andyitguy.blogspot.com/feeds/posts/full/8896677938602865188" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/29245024/posts/full/8896677938602865188" /><author><name>Andy, ITGuy</name><uri>http://www.blogger.com/profile/09237512546845510001</uri><email>noreply@blogger.com</email></author><feedburner:origLink>http://andyitguy.blogspot.com/2008/02/real-life-awareness.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-29245024.post-7091131604190430668</id><published>2008-02-21T06:04:00.000-05:00</published><updated>2008-02-21T06:05:17.894-05:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="phishing" /><category scheme="http://www.blogger.com/atom/ns#" term="email" /><category scheme="http://www.blogger.com/atom/ns#" term="Stupidity" /><category scheme="http://www.blogger.com/atom/ns#" term="Andy ITGuy" /><category scheme="http://www.blogger.com/atom/ns#" term="information security" /><title type="text">What?!?!</title><content type="html">&lt;p&gt;I thought these guys were getting better at this. 
Apparently whoever sent this failed &amp;quot;Basic Phishing Emails 101&amp;quot;. I've got all sorts of comments and tips on how to do this better but I'll let you come up with your own.&lt;/p&gt;  &lt;div&gt;From FedEx Express&lt;/div&gt;  &lt;div&gt;&amp;#160;&lt;/div&gt;  &lt;div&gt;&lt;a href="://www.fedex.com/ng/" target="_blank" rel="nofollow"&gt;&lt;font color="#8000ff"&gt;&lt;img height="64" alt="FedEx Express Logo" src="http://images.fedex.com/images/shared/shared_fedex_express_logo.gif" width="160" border="0" /&gt;&lt;/font&gt;&lt;/a&gt;&amp;#160;&lt;img height="75" alt="" src="http://images.fedex.com/images/ascend/about/allcompanies4754F.jpg" width="175" border="0" /&gt;&amp;#160;&lt;img height="75" alt="" src="http://images.fedex.com/images/ascend/about/about_fedex_dubai_desert.jpg" width="175" border="0" /&gt;&amp;#160;&lt;/div&gt;  
&lt;div&gt; &lt;font color="#0000ff"&gt;&lt;/font&gt;    &lt;div class="MsoNormal" style="margin: 0in 0in 0pt"&gt;&lt;span style="font-size: 10pt; font-family: arial"&gt;&lt;font color="#0000ff"&gt;&lt;font color="#000000"&gt;&amp;#160;&lt;/font&gt;&lt;/font&gt;&lt;/span&gt;&lt;span style="font-size: 10pt; font-family: arial"&gt;&lt;font color="#0000ff"&gt;&lt;font color="#000000"&gt; &lt;/font&gt;&lt;span style="color: blue"&gt;Fed&lt;/span&gt;&lt;span style="color: red"&gt;Ex&lt;/span&gt;&lt;font color="#000000"&gt; &lt;span id="lw_1199031536_0"&gt;&lt;span class="yshortcuts"&gt;&lt;span id="lw_1190307097_0"&gt;Nigeria&lt;/span&gt;&lt;/span&gt;&lt;font color="#000000"&gt; Head Office                &lt;br 
/&gt; &lt;/font&gt;&lt;address&gt;&lt;font color="#000000"&gt;70 International Airport Road&lt;/font&gt;&lt;/address&gt;&lt;font color="#000000"&gt;               &lt;br /&gt; Mafoluku, &lt;span id="lw_1190307097_1"&gt;&lt;span id="lw_1199031536_1"&gt;&lt;span class="yshortcuts"&gt;&lt;span id="lw_1189636363_1" style="background-position: 0% 50%; background-attachment: scroll"&gt;Lagos&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;font color="#000000"&gt;.                    
&lt;br /&gt;&lt;strong&gt;&lt;span style="font-family: arial"&gt; &lt;/span&gt;&lt;/strong&gt;Tel +234-807-493-8690 &lt;/font&gt;                  &lt;p&gt;&lt;/p&gt;               &lt;/span&gt;&lt;font color="#000000"&gt;&lt;/font&gt;&lt;/font&gt;&lt;/span&gt;&lt;font color="#000000"&gt;&lt;/font&gt;&lt;/font&gt;&lt;/font&gt;&lt;/span&gt;&lt;/div&gt;    &lt;div class="MsoNormal" style="margin: 0in 0in 0pt"&gt;&lt;span style="font-size: 10pt; font-family: arial"&gt;&lt;font color="#0000ff"&gt;&lt;font color="#000000"&gt;&lt;font color="#000000"&gt;&amp;#160; &lt;/font&gt;&lt;/font&gt;&lt;/font&gt;        &lt;p&gt;&lt;/p&gt;     &lt;/span&gt;&lt;/div&gt;    &lt;div class="MsoNormal" style="margin: 0in 0in 0pt"&gt;&lt;span style="font-size: 10pt; font-family: arial"&gt;&lt;font color="#0000ff"&gt;&lt;font color="#000000"&gt;&lt;font color="#000000"&gt;&amp;#160; &lt;/font&gt;&lt;/font&gt;&lt;/font&gt;        &lt;p&gt;&lt;/p&gt;     &lt;/span&gt;&lt;/div&gt;    &lt;div class="MsoNormal" style="margin: 0in 0in 0pt"&gt;&lt;font color="#0000ff"&gt;&lt;font color="#000000"&gt;&lt;font color="#000000"&gt;&lt;font face="Times New Roman"&gt;&lt;span style="font-size: 10pt"&gt;Attention' Attention&amp;#8217; Attention'''&lt;/span&gt;&lt;span style="font-size: 10pt; font-family: arial"&gt;                &lt;p&gt;&lt;/p&gt;             &lt;/span&gt;&lt;/font&gt;&lt;/font&gt;&lt;/font&gt;&lt;/font&gt;&lt;/div&gt;    &lt;div class="MsoNormal" style="margin: 0in 0in 0pt"&gt;&lt;span style="font-size: 10pt; font-family: arial"&gt;&lt;font 
color="#0000ff"&gt;&lt;font color="#000000"&gt;           &lt;br /&gt;&lt;/font&gt;&lt;/font&gt;&lt;/span&gt;&lt;font color="#0000ff"&gt;&lt;font color="#000000"&gt;&lt;font color="#000000"&gt;&lt;font face="Times New Roman"&gt;&lt;span style="font-size: 10pt"&gt; CLAIM NOTIFICATION.&lt;/span&gt;&lt;span style="font-size: 10pt; font-family: arial"&gt;                &lt;p&gt;&lt;/p&gt;             &lt;/span&gt;&lt;/font&gt;&lt;/font&gt;&lt;/font&gt;&lt;/font&gt;&lt;/div&gt;    &lt;div class="MsoNormal" style="margin: 0in 0in 0pt"&gt;&lt;span style="font-size: 10pt; font-family: arial"&gt;&lt;font color="#0000ff"&gt;&lt;font color="#000000"&gt;&lt;font color="#000000"&gt;&amp;#160; &lt;/font&gt;&lt;/font&gt;&lt;/font&gt;        &lt;p&gt;&lt;/p&gt;     &lt;/span&gt;&lt;/div&gt;    &lt;div class="MsoNormal" style="margin: 0in 0in 0pt"&gt;&lt;font color="#0000ff"&gt;&lt;font color="#000000"&gt;&lt;font color="#000000"&gt;&lt;font face="Times New Roman"&gt;&lt;span style="font-size: 10pt"&gt;This is to notify you that your parcel is still in our possession, this parcel contained an International Cashier Bank Draft/Cheque worth the sum of $2 Million dollars only and it is ready for delivery to your door step. 
Meanwhile, before the delivery or shipment will take place, you are advice to send to us the following data&amp;#8217;s mention below:&lt;/span&gt;&lt;span style="font-size: 10pt; font-family: arial"&gt;                &lt;p&gt;&lt;/p&gt;             &lt;/span&gt;&lt;/font&gt;&lt;/font&gt;&lt;/font&gt;&lt;/font&gt;&lt;/div&gt;    &lt;div class="MsoNormal" style="margin: 0in 0in 0pt"&gt;&lt;span style="font-size: 10pt; font-family: arial"&gt;&lt;font color="#0000ff"&gt;&lt;font color="#000000"&gt;&lt;font color="#000000"&gt;&amp;#160; &lt;/font&gt;&lt;/font&gt;&lt;/font&gt;        &lt;p&gt;&lt;/p&gt;     &lt;/span&gt;&lt;/div&gt;    &lt;div class="MsoNormal" style="margin: 0in 0in 0pt"&gt;&lt;font color="#0000ff"&gt;&lt;font color="#000000"&gt;&lt;font color="#000000"&gt;&lt;font face="Times New Roman"&gt;&lt;span style="font-size: 10pt"&gt;1. Your Name                &lt;br /&gt;2.Address                 &lt;br /&gt;3.Telephone&lt;/span&gt;&lt;span style="font-size: 10pt; font-family: arial"&gt;                &lt;p&gt;&lt;/p&gt;             &lt;/span&gt;&lt;/font&gt;&lt;/font&gt;&lt;/font&gt;&lt;/font&gt;&lt;/div&gt;    &lt;div class="MsoNormal" style="margin: 0in 0in 0pt"&gt;&lt;span style="font-size: 10pt; font-family: arial"&gt;&lt;font color="#0000ff"&gt;&lt;font color="#000000"&gt;&lt;font color="#000000"&gt;&amp;#160; &lt;/font&gt;&lt;/font&gt;&lt;/font&gt;        &lt;p&gt;&lt;/p&gt;     &lt;/span&gt;&lt;/div&gt;    &lt;div class="MsoNormal" style="margin: 0in 0in 0pt"&gt;&lt;font color="#0000ff"&gt;&lt;font color="#000000"&gt;&lt;font color="#000000"&gt;&lt;font face="Times New Roman"&gt;&lt;span style="font-size: 10pt"&gt;The above requested information&amp;#8217;s will enable us deliver your parcel correctly without any mistake or delivering your parcel to a wrong person. 
Further more, you might be asking yourself how comes this email, cheque or draft, Anyway, your cheque was brought to this office by a Lottery Fiduciary Agent Or Claim Agent, signifying that you are a rightful winner to their Lottery Award selected randomly from 10 lucky email addresses which your email address is one of the lucky email address.&lt;/span&gt;&lt;span style="font-size: 10pt; font-family: arial"&gt;                &lt;p&gt;&lt;/p&gt;             &lt;/span&gt;&lt;/font&gt;&lt;/font&gt;&lt;/font&gt;&lt;/font&gt;&lt;/div&gt;    &lt;div class="MsoNormal" style="margin: 0in 0in 0pt"&gt;&lt;span style="font-size: 10pt; font-family: arial"&gt;&lt;font color="#0000ff"&gt;&lt;font color="#000000"&gt;&lt;font color="#000000"&gt;&amp;#160; &lt;/font&gt;&lt;/font&gt;&lt;/font&gt;        &lt;p&gt;&lt;/p&gt;     &lt;/span&gt;&lt;/div&gt;    &lt;div class="MsoNormal" style="margin: 0in 0in 0pt"&gt;&lt;font color="#0000ff"&gt;&lt;font color="#000000"&gt;&lt;font color="#000000"&gt;&lt;font face="Times New Roman"&gt;&lt;span style="font-size: 10pt"&gt;FedEx courier service company mailing you as per your parcel that was brought to this company to be delivered to you by&amp;#160; lottery groups, along the delivery process that brought a misunderstanding between you and the lottery claim agent and in regards of their request as per their insurance certificate cost and tax fee which happened to be the course of your parcel being pending for the past months/one year.&lt;/span&gt;&lt;span style="font-size: 10pt; font-family: arial"&gt;                &lt;p&gt;&lt;/p&gt;             &lt;/span&gt;&lt;/font&gt;&lt;/font&gt;&lt;/font&gt;&lt;/font&gt;&lt;/div&gt;    &lt;div class="MsoNormal" style="margin: 0in 0in 0pt"&gt;&lt;span style="font-size: 10pt; font-family: arial"&gt;&lt;font color="#0000ff"&gt;&lt;font color="#000000"&gt;&lt;font color="#000000"&gt;&amp;#160; &lt;/font&gt;&lt;/font&gt