Thursday, May 1, 2008

Spliced feed for Security Bloggers Network

Interesting Bits - May 1st, 2008 [Infosec Ramblings]

Posted: 01 May 2008 09:57 AM CDT

I can haz typoz? [Vitalsecurity.org - A Revolution is the Solution]

Posted: 01 May 2008 09:36 AM CDT

Comedy spelling galore here. You'd think with all the money they have, these malware writers could afford dictionaries...

Influencing our user community…. [Infosec Ramblings]

Posted: 01 May 2008 09:20 AM CDT


Mike Rothman in his latest Pragmatic CSO Newsletter (I highly recommend subscribing) has a really good post up about our responsibility to ensure that the user community understands why they should be adhering to established policies and not attempting to circumvent controls put in place to protect our organizations.

I left the following comment and now am going to reuse it as a post :)

Mike,

I have been reading the book “Influencer: The Power to Change Anything” which I highly recommend. In it they posit that there are essentially six sources of Influence. They fall into two categories and what I call three strata. The categories are motivation and ability and the strata are personal, social and structural. Where motivation and personal intersect, the source of influence is defined as “Make the Undesirable Desirable.”

If the general user community does not desire to adhere to or follow established policies and is actively attempting to circumvent controls, then we have failed to instill in them a desire to be compliant. It is our responsibility to influence them to change that mindset, in other words, to make the undesirable desirable.

So how do we do that? What you suggest exemplifies what the authors of the book have discovered. People are much more likely to embrace ideas when they have been shown the consequences of ignoring those ideas in a very personal and impactful way. I’m not saying that we should all use the specific scenario you suggest, although it would certainly bring home the messages :), but we do need to find ways to instill awareness into our user communities that is much more personal than “read this policy and sign this paper.”

Kevin Riggins

Is Interop about inter-operational anymore? [StillSecure, After All These Years]

Posted: 01 May 2008 05:43 AM CDT

Here in Atlanta waiting for the red eye connection home to Florida and wanted to quickly jot down some reflections on Interop. The show seems to have settled in nicely at the Mandalay Bay venue. It seems the right size and not too crowded. In fact Vegas itself was not very crowded this year. I guess the economy is hurting the town. It used to be said that Vegas was recession proof. The worse the economy got, the more people gambled. But with so much of Vegas not about gambling, I guess the economy has a big effect. Anyway, back to Interop.

At one time this show was called Networld+Interop. The Interop portion was very much about how different networking technologies inter-operated with each other and how you could use products from disparate vendors to run and manage your network. The labs and NOC at Interop were full of engineers from different companies having their products working together. I don't think that is what the show is about anymore. It is all about network infrastructure for sure, but the vendors care less how their products work together and more about why you want to buy them. Even the NAC vendors don't seem to be as focused on it anymore. Yes, Joel Snyder and his Interop Labs NAC team do a nice job of showing how the frameworks work well, but frankly that is a small percentage of the NAC vendors. Juniper and Microsoft, Microsoft and Cisco and then a bunch of other vendors who try to show how their equipment can fit into the NAC equation. Some, like the switch vendors, are integral to the process, and some, like ArcSight, who are trying to move beyond SIM and think SSH'ing into switches is a scalable way to perform NAC enforcement, really don't fit. Most of the other NAC vendors frankly don't even give much lip service to interoperability. The same is true for many of the networking vendors as well. What is the shiny new box from Foundry or HP ProCurve? Who has a bigger booth, whose booth is smaller than last year? How many people has this company laid off and how much runway do they have left? Who is giving away the best stuff and where is the cool party to go to tonight? These are the questions of the show. BTW, the Network World folks threw a great party at the Ghost Bar at the Palms Hotel. Anyway, Interop has become a great show, but I seriously question how much of it is about interoperability anymore. There is nothing the matter with it not being so interoperability focused, by the way; I think it is just the evolution of this show taking on a life of its own. Now if it were just not so close in time to RSA.

One thing about this show versus RSA is that a lot of the attendees are buyers. End users who come looking for solutions. They have projects and budgets and want to find the best solutions for their needs. This is in contrast to adult trick or treaters and business development meetings that have become standard at many other shows. We saw a marked increase in people with NAC projects stopping by the booth this year, which is encouraging to say the least.

Anyway, I have had my fill of Vegas, at least until Black Hat this summer.  Will be interesting to see if the casinos are more crowded then.

Log Haiku #4 [Anton Chuvakin Blog - "Security Warrior"]

Posted: 01 May 2008 01:34 AM CDT

Think syslog is a standard?
A standard of what?
What were they smoking?

Links for 2008-04-30 [del.icio.us] [Anton Chuvakin Blog - "Security Warrior"]

Posted: 01 May 2008 12:00 AM CDT

What hardware will the "God Box" run on? [StillSecure, After All These Years]

Posted: 30 Apr 2008 11:56 PM CDT

The folks over at Cisco Subnet (not sure if this is still my friend Brad Reese writing this over there) had an interesting blog yesterday about an announcement we made here at Interop. We announced that we will throw our support behind Cisco's AXP. That is the blade extension to turn a Cisco ISR into a Linux app server. You may remember that I blogged on this earlier here and here in relation to an article by Don Marti on LinuxWorld. Well this announcement, as the Cisco subnet article points out, put our money where our mouth is on this one.

As the subnet article points out as well, I think the real question is not whether we in IT are going to run more apps on our router boxes, but whether or not these "God boxes" will be expensive, proprietary black boxes like Cisco routers or low-cost, standards-based, off-the-shelf hardware. With this announcement, we are covering all of our bases and saying you pick the platform of your choice, we will support it. That is the StillSecure way.

Mid-Week Spywareguide Roundup [Vitalsecurity.org - A Revolution is the Solution]

Posted: 30 Apr 2008 05:16 PM CDT

Haven't had one of these for a while, so here goes.

* Here Phishy, Phishy and Booze & Binders: Some leet hax script kiddy applications currently in circulation. I'd throw in a picture here, but amazingly the Blogger image upload tool is broken. Again. Blogger is full of so much win and awesome, and by win and awesome, I mean crap and fail.

* Locking down Facebook Chat: Nothing particularly revelatory, but a little delve into the wonderful world of Facebook Chat, or (to be more accurate) how to get rid of the damn thing if (like me) you had no clue what you were supposed to click on when confronted by hundreds of people saying HELLO LOL. Once more, no pictures. Blogger. Fail. Epic fail.

* Myspace - Who is Watching the Detectives Part 3: Did Myspace ever fix their "system error" that allowed people to view exactly who had been snooping round their profile pages? Click this and find out. Ooh, the suspense.

* Off-Topic Fun: Videogames are Awesome: Spurred on by my post about the Dreamcast phishing incident a few weeks ago, I decided to go deep into off-topic country and post up a bunch of my old videogame systems. Due to the magic of me using Flickr for the posted images, nothing now stops me from slapping you with pictures of things!


My Shenmue Collection, originally uploaded by Paperghost.

ChuChu Rocket Box Set (Front), originally uploaded by Paperghost.

Bam, take that Blogger! Take that right in the tailpipe of your poorly designed and implemented image publishing system! I encourage anyone remotely interested in old game systems to post up some screenies of their collections. I had planned for people to post their links directly on Spywareguide, but it appears the comments fixing has fuxored once more. With that in mind, post your links here and when (if) the comments start working again on SPG, I'll port everything over there.

The Daily Incite - May 1, 2008 [Security Incite Rants]

Posted: 30 Apr 2008 03:24 PM CDT

Today's Daily Incite

May 1, 2008 - Volume 3, #42

Good Morning:
I tend to be one of those hyper-connected guys. I don't do twitter, but besides that I don't really have email too far away and I can be found in my RSS reader a couple of times a day. I like to think I'm "in the loop." A lot of the time I'm not sure how healthy it is. At night, there are times when I have to specifically repress the need (dare I say addiction) to hit the iPhone slider and see what has accumulated in my inbox.  

Believe me, there isn't that much interesting stuff in my email. But I like to see it anyway. And it's a constant battle. I suspect many of you fall into that category as well, battling those same demons.

Thus, when I saw this post on Web Worker Daily about "Shut Down Day," I was intrigued. The picture to the left is called "Unplug for safety," but this concept is more about unplugging for SANITY. Can I actually shut down my machine(s) and not be connected? Yes, even my iPhone. For a full 24 hours? Is it possible?

The honest truth is that I don't know. But I'm going to try. It'll be easier for me for a couple of reasons. First, it's not like I'm trying to do this during the week. Saturdays are somewhat manageable and although I've been known to work a bit over the weekends, it's definitely possible for me to skip it.

Second, the Boss and I will be tied up all day at an event. And I mean all day. So now I have a fighting chance, since it would be a lot harder to unplug if I was in the house watching some crappy baseball game.

So we'll see how it goes. I'm kind of excited by the possibility of becoming the master of my domain again. I don't expect to need to unplug very often, but it will be nice to know that I can.

Have a great weekend.

Photo: "Unplug for safety" originally uploaded by mag3737


Top Security News

DEFCONs just want to have fu-un. DEFCONs just want to have fun.
So what? - When the s*storm hit last week about the new contest to come up with interesting ways around malware detection suites, I could only laugh. Of course, Cyndi Lauper's "Girls Just Want to Have Fun" was also thundering in my eardrums because that's what this is about. In the immortal words of Sgt. Hulka, the AV vendors need to "Settle down, Francis." It's like the Pwn2Own contest at CanSecWest. Some folks will find some interesting holes and the vendors will patch them. Same deal here. Maybe the AV vendors are worried that the crazy kids at DEFCON will pierce the veil of their marketing hype. Maybe the big world of all those stupid lemmings will finally realize that any machine can be owned at any time by some rather mediocre hacking talents. We wouldn't want them to learn that now, would we? And I'll also punch a hole in the idea that there are already enough samples to keep researchers busy. Who knows, maybe with a minor financial incentive, the DEFCONs will find something interesting. Something (oh the horrors) that we may not already know about. I'm good with this contest and I think these are valuable endeavors. First, you get kind-of smart folks trying to break things in a semi-controlled environment. Second, you are teaching these folks how to think like hackers, which is one of the first things that security professionals need to master.

NAC client game is over
So what? - Tim Greene makes a decent point (even if it was spoon fed to him by MSFT PR folks) about the imminent death of the NAC client at the hands of the bundled NAP client. With Windows XP SP3 being deployed over the next few months (it takes a few months for these things to be widely deployed), the NAP client will be within most of the Windows devices out there. That means this idea of client vs. client-less is largely done. Of course, it's been a moot argument for quite a while since the answer has always been both. For some managed devices, a client makes sense. For other devices you don't control, you need a client-less option, and pretty much all the NAC vendors can do both. We could split hairs about dissolvable vs. Nessus-based plug-ins vs. ActiveX, but it's all the same to me. If I put on my Stiennon suit, does that mean I'll trust the endpoints any more than I did before? Of course not. I still need to verify who they are, and more importantly monitor what they are doing. Just in case. But having the client out there can't really hurt NAC adoption. But I'm not sure it's going to help either. Hold that thought for a few seconds...

NAC less interesting to users, which may be a good sign
So what? - It's funny in that every market goes through a series of phases. Jim Rapoza gets it mostly right in this eWeek slideshow. My classic "Farce of Market Sizing" post back from 2006 hits the same topic, but from a different angle. And NAC as a market has certainly gone through a bunch of phases. This latest NWC reader survey about NAC doesn't bring good news on the surface. Fewer customers are interested in NAC this year than last year. Isn't that bad? Maybe not. Given the macro-economic backdrop, I suspect most users are focusing on those projects they absolutely need to get done, and the ones that are a bit less critical get put on the back burner. At least it seems the users are being honest with themselves about where NAC falls on the priority list. But this isn't really bad, it's natural. There is no question that the concept of LAN Security (bigger than just NAC, more about campus network evolution) will take root. The question is when. I think if the hype around NAC deflates a bit, then folks can think a bit more rationally about how best to move towards a secure LAN environment. Which is really what they should have been thinking about all along.

The Laundry List

  1. Learn about Stiennon's new gig. Ask him to bring back a koala when he goes to visit the mother ship. - NetworkWorld coverage
  2. NetworkWorld jumps into the time machine and goes back to when Voltage first introduced IBE. A PKI without keys? How novel! And how irrelevant to how it actually works. Slow news week, I guess. - NetworkWorld coverage
  3. Prevent online theft? Authentium claims their SafeCentral "prevents" malware. Big claims for sure, and seems too good to be true. - Authentium release
  4. Secure Computing also asks us to jump into the time machine and forget that pretty much every other security vendor runs their stuff in a VM image now as well. The good news is that I don't forget.  - SCUR release

Top Blog Postings

PCI: DOA in UK?
James T. Newby gets on his Trek suit (don't know if they make 7 foot tall Captain Kirk costumes) and talks about some of the differences between how security companies are marketing in the UK vs. the US. It's nice to see I have more to like about the UK than room temperature pints of ale. I hesitate to call the Brits more enlightened (Boston Tea Party anyone?), but being a smaller market with less desperate competition (and presumably a less noisy security market) they seem to have gone through the cycle a lot faster than in the US. I don't need to rehash my recent ranting, but I've hardly talked to anyone in the space over the past two weeks that hasn't wholeheartedly agreed with my contentions that Easy PCI marketing is a sham. Yet, if everyone is agreeing with me, why do I expect to continue seeing these ridiculous positions and claims for years to come? Basically because I've seen the movie before and as long as there are customers that want to believe, the vendors will be there to feed them a plate of crap.
http://robnewby.blogspot.com/2008/04/captains-blog-supplemental-pci-is-dead.html

Endangered species - The CISO
Since I'm piling on many of my positions today, let's go over another one, which is the inevitable demise of the security "role" in an organization. Stuart King talks about his experiences in a mock trial of the CISO at Infosec that resulted in the CEO and CIO going to the big house. I guess that would be the mock big house with the mock Bubba pounding the mock CEO in places where the sun don't shine. But nasty imagery aside, the point is the point. I suspect we'll see the demise of the CISO first in the mid-sized businesses and then we'll get a very Innovator's Dilemma evolution, where the security role will generally be subsumed higher and higher up the F5000 chain. Do I think the CSO of a Fortune 50 company goes away? Nah. Those organizations are so big and so complex that there will always be a role for a new CSO every 18 months to take the fall when someone on the ops team screws something up.
http://www.computerweekly.com/blogs/stuart_king/2008/04/on-trial-role-of-the-ciso.html

Hands-off Pwnage
In yesterday's P-CSO newsletter, I did a little thinking out loud about staging a data breach and using it as a means to educate the employee base about what they can and can't do. Another key education mechanism is the idea of phishing your own folks and getting them to click on links and go to sites that they shouldn't. Of course, as long as they are sites you control, it's all cool. And as long as you use the opportunity to instruct, it's even better. Ed Dickson talks a bit in this post about some of the nastiness that's out there nowadays. So maybe after you get a set of your employee dimwits to click on a bad link, then you hammer the message home with a little video to show just how easy it is for people to be compromised. Even good people. I think this two step 2x4 educational mechanism may have a better chance than most run of the mill user awareness training. This is a topic I'll cover in a bit more depth next week.
http://fraudwar.blogspot.com/2008/04/nowadays-all-you-need-to-do-is-visit.html

On Travel and Airlines [Anton Chuvakin Blog - "Security Warrior"]

Posted: 30 Apr 2008 03:23 PM CDT

Inspired by this, of course.

So, I am sitting here in San Jose Airport even though I am supposed to be flying to Hartford, CT to speak at OWASP. Why am I sitting here? Well, 'cause the NWA plane got a flat tire (literally, I actually noticed the flat while "deplaning") and the nearest replacement tire is in San Francisco. A three hour delay -> missed connection -> missing my conference presentation (which sucks hard!)

I do travel a lot (especially lately), but I am still amazed when smart people follow the logic of "weather delay + wet luggage = airline sucks." Admittedly, I have had fun travel stories (here and overall here), but I never bitch about airlines. I guess I am funny that way. To top it off, I like US Airways (gasp!), which definitely makes me a weirdo among the "high-travel cognoscenti" :-)

What is the reason for this "phenomenon"? Here it is: I am used to expecting A LOT from an airline and, so far, I have always gotten it. ALWAYS! Specifically, I expect "not dying at the hands of the airline that is transporting me."  That means A LOT to me, it really does :-)  And, so far, it worked marvelously!

So, anything else is an awesome perk! For example, I was flying United (with which I don't have any Elite status) from JFK to SFO and right after my attempt to stand by for an earlier flight failed and I was about to stick my wireless card in and do some work, the gate agent called my name. I approached the gate thinking they bumped me or took away my coveted exit row seat. On the contrary, the gate agent said "Mr Chuvakin, would you mind if we upgrade you?" - "No, not at all." So I got my comfy United p.s. business class seat and a good breakfast (as well as some sleep)...

Some would say that I have "lowered my expectations", but I beg to differ: I do expect a lot. And I get it, which is, some say, a key to [travel] happiness :-)

Finally, apologies to my OWASP CT chapter audience: sorry, next time!


Snarf those CDP packets…. [Infosec Ramblings]

Posted: 30 Apr 2008 02:31 PM CDT


Once again I find a nifty tool via Darknet. CDPSnarf lets you passively capture CDP packets and see the yummy goodness inside.

For those who don’t know, CDP stands for Cisco Discovery Protocol. It can be used to discover information about neighboring devices. For example, if I am on a Cisco router that has several interfaces and I want to know what is connected on each interface, I can execute 'show cdp neighbors detail'. This lovely command will tell me all about those neighboring devices with the following caveats:

  1. The devices are Cisco devices.
  2. CDP is enabled.

Here is a good overview of CDP.

As the saying goes, “Knowledge is power.” The more we know about the target network, the easier it is to get past the crunchy outer shell and snack on the chewy center.

Kevin
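
As an added example, not CDPSnarf's code and not part of the original post: a decoder for the TLVs a CDP frame carries, run over a constructed advertisement of the kind a Cisco switch sends to its neighbours, so an administrator can audit exactly what a port discloses (hostname, management IP, platform, software version, native VLAN) to anything that listens. The frame layout and TLV type numbers follow CDP; the device name, addresses and version string are sample values, and the checksum helper is the standard Internet checksum, which is exact for even-length CDP payloads.

```python
"""Decode Cisco Discovery Protocol (CDP) TLVs from a raw Ethernet frame."""
import ipaddress
import struct

CDP_MULTICAST = bytes.fromhex("01000ccccccc")   # destination MAC CDP uses
# LLC (DSAP/SSAP 0xAA, control 0x03) + SNAP (Cisco OUI 00:00:0C, protocol 0x2000)
CDP_SNAP_HEADER = bytes.fromhex("aaaa03" + "00000c" + "2000")
TLV_NAMES = {
    0x0001: "Device ID", 0x0002: "Addresses", 0x0003: "Port ID",
    0x0004: "Capabilities", 0x0005: "Software Version", 0x0006: "Platform",
    0x0009: "VTP Management Domain", 0x000A: "Native VLAN", 0x000B: "Duplex",
}
CAPABILITY_BITS = [(0x01, "Router"), (0x02, "Transparent Bridge"),
                   (0x04, "Source Route Bridge"), (0x08, "Switch"),
                   (0x10, "Host"), (0x20, "IGMP"), (0x40, "Repeater")]


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum; exact for even-length CDP payloads (odd ones use a Cisco variant)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_addresses(value: bytes) -> list:
    """Addresses TLV: count, then (proto type, proto len, proto, addr len, addr) per entry."""
    count = struct.unpack("!I", value[:4])[0]
    offset, addrs = 4, []
    for _ in range(count):
        ptype, plen = value[offset], value[offset + 1]
        proto = value[offset + 2:offset + 2 + plen]
        offset += 2 + plen
        alen = struct.unpack("!H", value[offset:offset + 2])[0]
        raw = value[offset + 2:offset + 2 + alen]
        offset += 2 + alen
        if ptype == 1 and proto == b"\xcc" and alen == 4:   # NLPID 0xCC = IPv4
            addrs.append(str(ipaddress.IPv4Address(raw)))
        else:
            addrs.append(raw.hex())                         # other family: keep raw hex
    return addrs


def parse_tlv_value(tlv_type: int, value: bytes):
    if tlv_type in (0x0001, 0x0003, 0x0005, 0x0006, 0x0009):   # text TLVs
        return value.decode("ascii", errors="replace")
    if tlv_type == 0x0002:
        return parse_addresses(value)
    if tlv_type == 0x0004:
        bits = struct.unpack("!I", value)[0]
        return [name for bit, name in CAPABILITY_BITS if bits & bit]
    if tlv_type == 0x000A:
        return struct.unpack("!H", value)[0]
    if tlv_type == 0x000B:
        return "full" if value[0] == 1 else "half"
    return value.hex()


def decode_cdp_frame(frame: bytes) -> dict:
    """Check the Ethernet/LLC/SNAP wrapping and checksum, then walk the TLVs."""
    if frame[:6] != CDP_MULTICAST or frame[14:22] != CDP_SNAP_HEADER:
        raise ValueError("not an LLC/SNAP CDP frame")
    length = struct.unpack("!H", frame[12:14])[0]            # 802.3 length field
    payload = frame[22:14 + length]
    if internet_checksum(payload) != 0:
        raise ValueError("bad CDP checksum")
    version, ttl, _ = struct.unpack("!BBH", payload[:4])
    tlvs, offset = {}, 4
    while offset + 4 <= len(payload):
        ttype, tlen = struct.unpack("!HH", payload[offset:offset + 4])
        if tlen < 4 or offset + tlen > len(payload):
            raise ValueError("malformed TLV at offset %d" % offset)
        name = TLV_NAMES.get(ttype, "Unknown 0x%04x" % ttype)
        tlvs[name] = parse_tlv_value(ttype, payload[offset + 4:offset + tlen])
        offset += tlen
    return {"version": version, "ttl": ttl, "tlvs": tlvs}


def tlv(ttype: int, value: bytes) -> bytes:
    return struct.pack("!HH", ttype, 4 + len(value)) + value


def build_cdp_frame(src_mac: bytes) -> bytes:
    """Constructed advertisement: every name, string and address here is made up."""
    ipv4 = (struct.pack("!I", 1) + b"\x01\x01\xcc" + struct.pack("!H", 4)
            + ipaddress.IPv4Address("192.0.2.10").packed)
    body = b"".join([
        tlv(0x0001, b"core-sw1.example.net"), tlv(0x0002, ipv4),
        tlv(0x0003, b"GigabitEthernet1/0/2"),
        tlv(0x0004, struct.pack("!I", 0x08 | 0x20)),         # Switch + IGMP
        tlv(0x0005, b"Cisco IOS Software, 12.2(55)SE"), tlv(0x0006, b"cisco WS-C3750"),
        tlv(0x0009, b"CORP"), tlv(0x000A, struct.pack("!H", 10)), tlv(0x000B, b"\x01"),
    ])
    cdp = struct.pack("!BBH", 2, 180, 0) + body              # v2, TTL 180 s, checksum 0
    cdp = cdp[:2] + struct.pack("!H", internet_checksum(cdp)) + cdp[4:]
    llc = CDP_SNAP_HEADER + cdp
    return CDP_MULTICAST + src_mac + struct.pack("!H", len(llc)) + llc


SAMPLE_FRAME = build_cdp_frame(bytes.fromhex("001122334455"))
```

Everything the decoder prints for the sample is what a real switch hands to any host on the port; on Cisco IOS, `no cdp enable` on interfaces facing untrusted hosts stops the advertisement while leaving it on for infrastructure links.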

Poetic Virtual Security [Rational Survivability]

Posted: 30 Apr 2008 01:48 PM CDT

I was at Starbucks with my four year old. She was laying down the Dr. Seuss with aplomb so I was inspired to dig deep and show her how the old man can ebb and flow.

I swear to $deity that upon hearing this she rolled her eyes and said something like "Dad, you had me at 'virtualization.' " At that point she quickly pointed to my iPhone and asked if I would purchase the latest Hannah Montana song on iTunes...<sigh>

You can see more of my poetic ramblings here (scroll down after the jump.)


When debating the future of secure virtualization
It's wise to reflect on its very creation

Some say poor code is the reason it's here
while others use doubt and (un)certainty's fear

Economically speaking the V-word's a boon
operationally, though, it showed up too soon

Duties, once separate, are now all a-blended
one moat, lots of castles -- the model's up-ended

Competency and skillsets come into play
Who owns the stack?  Well, that's hard to say

Can an admin whose mad skillz focus on the OS,
really be trusted to manage this mess?

The virtual sysadmin owns the keys to the kingdom
but it's hard to fix hosts when you can't even ping 'dem!

Operational silos have now become worse
since the virtual admins control all the purse

The network and security wonks try to fudge it
but switches and firewalls just don't get budget

Security, network, storage, and host
if you push the wrong button it all becomes toast

Our current security solutions don't cope
but the dealers keep pushing their VirtSec straight dope

I don't want to come off like a VirtSec despiser,
but to protect our crown jewels it's all HYPErvisor

Don't worry my friends, no need to be scared
your whole infrastructure will be VMware'd

...or Xen'd, or sPath'd or perhaps Hyper-V'd
virtualization, I'm told, will solve everyone's need

Organizational issues are really what matter
there's no real need to make our vendors much fatter

Focus first on improving your present situation
like assessing your risk and host segmentation

Get a grip on the basics and work up from there
don't give into the hype, doubt, confusion or fear

That's it boys and girls till I rhyme once again
Stay happy, stay secure, and now...

EOM

[Chinese] A Measurement and Assessment Metrics System for Network Information Security (cont.) [Telecom,Security & P2P]

Posted: 30 Apr 2008 09:36 AM CDT

Continuing to organize some thoughts on a security assessment metrics system, along with the feedback people have given.

# What is the significance of a security assessment metrics system? What value does it have?

First, it reflects the organization's current security protection and operational state from various perspectives, gives management feedback at the strategic and tactical levels, and supports trend analysis.
Second, it diagnoses the strengths and weaknesses of the various processes and hints at how to improve them.
Third, it serves as a basis for the organization's performance assessment.

# Points to keep in mind when designing a security metrics system, which are also the characteristics of a good metrics system:

  • Relevant to business objectives. This is the foremost point. A security metrics system is not metrics for the sake of metrics, or metrics for the sake of a standard; it is built for the core business objectives. Because different organizations and enterprises have different business objectives at different stages of their history, there is no "silver bullet" metrics system that works everywhere. It has to be tailored to your own characteristics, though industry best practices can serve as a reference.
  • Clearly defined and easy to understand. Most metrics can only be achieved through the collaboration of a team, often many teams. So once the metrics are set, they need to be communicated and put into practice, and resources and cooperation need to be requested. A clear, easily understood metrics system helps create synergy around a shared goal.
  • Consistent, measurable, easy to collect, low cost. Everyone knows the SMART principle, and it applies here too: metrics should be Specific, Measurable, Achievable (or Attainable), Realistic, and Timely. They should have a defined collection frequency and collection source, and a low collection cost.
  • Controllable: the result can be influenced through action. A metric should have a clear owner and an agreed threshold, and the owner should be able to influence and achieve the metric through their efforts.
  • Can be presented numerically and graphically.

Some of the metrics will become KPIs, i.e. key performance indicators. These usually come in two types: one that is already achievable today but must be maintained, such as equipment utilization; the other that is achieved through effort within a certain period, for example the current number of high-risk vulnerabilities per 100 devices is 10 and the target is to bring it down to 1 per 100 devices.

# Things to consider when setting security assessment metrics

First, metric type, description, and reason for establishing it
Second, collection method, frequency and cost
Third, calculation method
Fourth, acceptable range and thresholds
Fifth, owner

Heh, the points above don't seem to be tied to security yet; they are still fairly generic. What comes next should be the security metrics system itself. Everyone is warmly welcome to share their own experience and views!


Is IF-MAP the spark that will ignite the TCG/TNC and the security industry? [StillSecure, After All These Years]

Posted: 30 Apr 2008 09:25 AM CDT

The big news at Interop yesterday was the new IF-MAP specification and standard announced by the Trusted Computing Group/TNC group. Some may call it TCG NAC 2.0 but it actually goes way beyond just NAC. IF-MAP represents a method that allows disparate security technologies to talk to each other and leverage the information gathered from multiple sources to make better and more secure decisions about network devices, users and traffic. It has huge implications for not only NAC, but IDS/IPS, vulnerability management, SIMs, etc. Also, it represents a real opportunity for the TCG/TNC to move out beyond the shadow of NAP and really become a dominant standard for the network and security industry to rally around.

The idea behind IF-MAP is that data is stored in a central container called a MAP or meta-data access point. This data can be called upon or supplemented with more data from a wide variety of sources. You can publish, search or subscribe to the data. The format is XML. The diagram (which you can click on for a bigger version) on the left shows a sample multi-vendor configuration, but the combinations are endless. To get a better flavor for what you can do you can click here to see a PDF presentation by the TCG of IF-MAP.

I had a chance to speak about IF-MAP with Steve Hanna and Mike Fratto. If it does indeed become widely adopted this can have a profound impact on our industry. Also, Steve and the TNC are very much looking to diversify and distribute the administration of the MAP among many vendors so that it does not become a single vendor steered standard. I applaud Steve and the rest of the group for working so hard on MAP. I challenge the rest of the industry to take a look at it and work towards adopting it. It truly can be a win for all security vendors, but most of all a win for security administrators who would finally be able to use best-of-breed products from different vendors and have them talk to and work with each other.
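
As an added example, not the TCG's code, not from the original post, and not the XML/SOAP wire format the specification uses: a small in-memory model of the publish/search/subscribe pattern described above, in which a NAC policy server, a DHCP server, an IDS and a vulnerability scanner (all constructed) publish into one MAP and a firewall subscribes to a search rooted at an IP address it sees in traffic. Identifier type names follow the IF-MAP vocabulary (ip-address, mac-address, identity); every value is sample data, and the change-only notification rule is a simplification of how a MAP server answers a subscriber's poll.

```python
"""Toy in-memory Metadata Access Point (MAP) showing IF-MAP's publish, search
and subscribe model. Constructed example: not TCG code, not the wire format."""
from collections import defaultdict, deque


class MetadataAccessPoint:
    """Identifiers are graph nodes; metadata hangs on a node or on a link between two."""

    def __init__(self):
        self.node_meta = defaultdict(list)   # identifier -> [metadata dicts]
        self.links = defaultdict(dict)       # identifier -> {neighbour: [metadata dicts]}
        self.subscriptions = {}              # name -> [start, max_depth, callback, last_result]

    def publish(self, publisher, identifier, metadata, link_to=None):
        """Attach metadata to an identifier, or to the link identifier <-> link_to."""
        entry = dict(metadata, publisher=publisher)
        if link_to is None:
            self.node_meta[identifier].append(entry)
        else:
            self.links[identifier].setdefault(link_to, []).append(entry)
            self.links[link_to].setdefault(identifier, []).append(entry)
        self._notify_subscribers()

    def search(self, start, max_depth=1):
        """Breadth-first walk from start, collecting node and link metadata within max_depth."""
        depth, queue, result = {start: 0}, deque([start]), {}
        while queue:
            node = queue.popleft()
            result[node] = {"metadata": list(self.node_meta.get(node, [])), "links": {}}
            if depth[node] >= max_depth:
                continue
            for neighbour, link_meta in self.links.get(node, {}).items():
                result[node]["links"][neighbour] = list(link_meta)
                if neighbour not in depth:
                    depth[neighbour] = depth[node] + 1
                    queue.append(neighbour)
        return result

    def subscribe(self, name, start, max_depth, callback):
        """Standing search: callback gets the current result now and again on every change."""
        result = self.search(start, max_depth)
        self.subscriptions[name] = [start, max_depth, callback, result]
        callback(name, result)

    def _notify_subscribers(self):
        for name, sub in self.subscriptions.items():
            current = self.search(sub[0], sub[1])
            if current != sub[3]:            # an unchanged result produces no notification
                sub[3] = current
                sub[2](name, current)


# Constructed identifiers: IF-MAP identifier types with made-up sample values.
IP = ("ip-address", "192.0.2.50")
MAC = ("mac-address", "00:11:22:33:44:55")
USER = ("identity", "alice")
OTHER_IP = ("ip-address", "192.0.2.99")


def run_scenario():
    """Multi-vendor exchange through the MAP; returns what the firewall was told."""
    mapsrv, notices = MetadataAccessPoint(), []
    # NAC policy server: who authenticated behind which MAC.
    mapsrv.publish("nac-pdp", MAC, {"type": "authenticated-as"}, link_to=USER)
    # DHCP server: which IP that MAC leased.
    mapsrv.publish("dhcp", IP, {"type": "ip-mac"}, link_to=MAC)
    # Firewall: watch everything within two hops of an IP it sees in traffic.
    mapsrv.subscribe("fw-watch", IP, 2, lambda name, res: notices.append(res))
    # IDS: flags the host; the firewall learns of it with no IDS-specific integration.
    mapsrv.publish("ids", IP, {"type": "event", "name": "port-scan", "significance": "important"})
    # Vulnerability scanner: finding on an unrelated host, so fw-watch stays quiet.
    mapsrv.publish("vuln-scanner", OTHER_IP, {"type": "event", "name": "missing-patch"})
    return notices
```

The firewall receives two results: the initial graph (IP, its MAC, the user behind it) and one update when the IDS event lands; the scanner's unrelated finding never reaches it.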


It's a trade show in Vegas, you know the booth babes are out [StillSecure, After All These Years]

Posted: 30 Apr 2008 09:23 AM CDT

I know it is Vegas, but overall the booth babes were not out in force at Interop. The biggest offender was Blue Cat Networks, who once again had a frat boy set up with girls dressed in very skimpy skirts and leggings inviting giddy geeks in to play some virtual golf. Of course this follows past years where Blue Cat had girls dressed in skin tight jump suits putting you in flight simulators. Of course the girls scanned your information while they strapped you in. This sort of exploitive behavior from Blue Cat has become expected. I don't know, if I were a woman, if I would want to work at that company. For the most part, the booth babes are employed by companies looking to put fannies in seats at presentations. These women are usually good looking but not dressed too crazy and try to get you to sit down, listen to a presentation and maybe win a prize. I don't have a problem with this, depending on how they are dressed.

In the you-never-know category though is my experience with this potential booth babe from D-Link. A quick look at the picture to the right would indicate, yes, a booth babe for sure. However, I had a chance to speak with this young lady and was surprised to find out that she was an expert on 802.1x. She knew all of the potential RADIUS attributes supported by every single Cisco switch. She also was able to set up the DHCP server on the D-Link routers and, to top it off, explained to me exactly how D-Link was using the data stored in a MAP server to provide greater security utilizing the new TCG IF-MAP standard. Of course you believe all this, right, and know she was not just a booth babe. What do you think?

Interesting Bits - April 30th, 2008 [Infosec Ramblings]

Posted: 30 Apr 2008 09:06 AM CDT

Pragmatic CSO Newsletter #53 [Security Incite Rants]

Posted: 30 Apr 2008 07:58 AM CDT

Pragmatic CSO Weekly

April 30, 2008 - #53

Mike's Pep Talk:

"When choosing between two evils, I always like to try the one I've never tried before." - Mae West

A lot of security folks like to think of the daily battle as a good vs. evil type of thing. You know, the bad guys are evil (and wear black hats) and we - the security professionals - are the good guys. We wear white hats and ride on a fine stallion called Silver.

Let's get one thing straight. You are not the Lone Ranger. This is not about good and evil. This is about dealing with the lesser of two evils. The reality is that your environment will be compromised, and you have been entrusted by your organization to stop it.

In a nutshell, you are in a lose-lose situation. We all are. That is the cold harsh reality of practicing security. Whether it's physical security, cyber-security, or any other type of security - ultimately this is not a game we play to "win." It's a game we play to survive.

Why the dour tone today? Did someone piss in my Wheaties? Not exactly, since this is a concept I discuss pretty frequently in all of my publications. I read news clippings like this one in NetworkWorld about most employees intentionally skirting enterprise security controls, and part of me wants to hold my hands up and start serving Blizzards at Dairy Queen.

At least then I know I'll have a job, since DQ is owned by Berkshire Hathaway and they aren't going anywhere.

Every time I start to feel this way, I need to purge a bit. I need to rant and I need to get it out of my system. Here's the deal: Our customers don't know who is good and who is evil. They can't tell the difference. If they are intentionally going around our controls, then WE ARE SCREWING UP. We are at a fork in the proverbial road, and we need to figure out how to get more relevant and work better within the context of our business. It's as simple as that.

I understand that little things like PCI and SarBox make a certain set of controls totally necessary, but ultimately we have to start thinking a bit more like risk managers and not draconian control freaks. We have to start understanding where the breakpoints are in our organizations. How tightly can you really lock something down, before the natives start getting restless?

Do you know the answer to that question? Do your corporate policies reflect that reality? If not, then you have a lot of Pragmatic work ahead of you. If the employees can't tell whether you wear a black or a white hat, then you better start looking for a more palatable middle ground.

Photo credit: Buggs

Thinking out loud: A new type of IR practice

Sometimes I have random thoughts, and although I tend to vet many of these ideas with my trusted circle of contacts, I want to bounce some ideas around in a more public forum. Thus a new section here called "Thinking out loud." I'll just throw something out there, and it would be great to hear whether you think I'm nuts (or not).

Based on my rant above about employees not knowing who the good guys are anymore, let me suggest perhaps a different way to "educate" our trusty employees. The reality is most employees will do the right thing, if they understand what is right and what is wrong. They go around security controls and flout policies, not because they are bad people (although statistically some will be), but rather because they don't really understand what is so wrong about what they are doing.

So I suggest we show them, in a way they haven't seen before.

You should have a defined incident response plan (discussed in Step 8 of the P-CSO) and you should be practicing it frequently. Or at least practicing sometimes. Most of that practice is for you and your team, to make sure the security (and risk and ops, etc.) team will respond appropriately when the brown stuff hits the fan.

What if we brought a few more folks into the "practice?" What if you staged a "data breach" within your organization, and played it out? What if you sent out a note to all of your employees talking about how your private data was breached, where the data handling errors were, and that some employees have been terminated due to those actions. Then you take the opportunity to remind them of the policies.

Of course, the breach didn't really happen. It would be staged. But that would seem to me to be a very powerful means to get the point across to the employees about WHY they need to follow the policies.

I know, I know. Intentionally deceiving employees is kind of an April Fool's joke gone wild. I'm sure there would be a number of folks pretty steamed when the truth that the breach was staged gets disclosed. And you'd need approval at the highest levels to pull off something like this, and how many CEOs would go for this kind of plan?

The odds are long that this kind of thing would work, but something tells me this idea may have some legs. Let me know in the comments section about my "thinking out loud."

Hannaford Recap- the Big Questions and Impacts [Compliance Focus - Blogs]

Posted: 29 Apr 2008 11:00 PM CDT

I was out on vacation (and then at RSA) when much of the interesting detail about the Hannaford breach emerged. Security professionals and probably the general public are growing a little desensitized to security breach news, particularly of the type “company XYZ lost a laptop, and NN,NNN individuals' NPI is now at risk”. This stuff is so commonplace that it gets tuned out. I guess it means that the markets for endpoint security technologies, full disk encryption, etc. will be robust for a long time, but beyond this, not much of a big deal.

Then there are the big, cataclysmic security events like TJX, Société Générale, or Hannaford. With highly impactful security breaches like Hannaford, it sometimes takes a while to understand not only the “how-what-where-when-why” detail aspects of the breach, but more importantly the likely future impacts.

The future impacts and likely consequences as a result of the Hannaford breach can be expected to be significant. Consequences to Hannaford will no doubt include fines and a lengthy mandated security program (with external security audit and review) from the FTC. In terms of PCI compliance, it isn’t entirely clear if penalties can be imposed by the credit card payment chain. After all, Hannaford claimed PCI compliance. The bigger long-term impacts will likely be to the future of the PCI standard: once the attack vector and vulnerabilities, whether technical or administrative, are better understood, the PCI standard will have to ratchet up the controls specified so as to prevent these attacks in the future.

To the general IT world, this latest big breach adds more fuel to the fire for a US national law on consumer data privacy. This was a sophisticated attack that should rightfully scare the heck out of IT security execs in all sectors and industries. It is also a reminder that compliance does not equal security.


High School IT-Adventures Cyber Defense Competition [Infosec Ramblings]

Posted: 29 Apr 2008 08:11 PM CDT


A few weeks ago I wrote about participating in Cyber Defense Competitions as a Red Team member. This weekend I had the opportunity to do so again. This time with a bunch of High School students.

This weekend was the annual IT Olympics event that is put on by Iowa State. The event is an opportunity for the High School students who participate in the IT-Adventures program to get together and compete. There are three competitions:

  1. Robotics
  2. Game Design
  3. Cyber Defense Competition

While the robotics and game design competitions were very interesting, I was there for the CDC. The Red Team didn’t actually get to start attacking until Saturday morning, so I volunteered to show up on Friday and help the students with anything they might need during the setup period. These kids are amazing.

Twenty-fourish teams showed up and we had about 20 Red Team members. In my previous post I mentioned three ways in which you can provide value to the students when participating in this type of event:

  1. Keep good notes
  2. Write down remedies
  3. Attend the debrief

I am happy to say that we accomplished all three goals. Probably the best decision made was to set up a Wiki with pages for each team where we could all keep notes as the contest progressed. These notes then became the outline for our talks with the teams in the debrief.

If you have never had the opportunity to work with kids that are interested in IT, I highly recommend you find a way to do so. It is truly a rewarding experience.

Kevin

Have You Noticed Less Spam? [The IT Security Guy]

Posted: 29 Apr 2008 07:53 PM CDT

Call me crazy, but I sure have. There has been a lot less spam in my e-mail inbox over the last few months.

Could it be the crushing of the Storm botnet? It's hard to say. Microsoft took credit for deep sixing the infamous botnet, though, as usual with any Microsoft claim, there's a lot of controversy around it.

In any case, Microsoft does have an interesting botnet hunting tool worth taking a peek at.

Managed (Security) Services: Still the Underdog [Alert Logic]

Posted: 29 Apr 2008 06:41 PM CDT

This week, I've seen a few really interesting articles about IT spending that almost contradict themselves. An eWeek Channel email newsletter I received had links to two interesting articles (one placed directly on top of the other) "IT Distributors Say Economy is Hurting" and "MSP Sales Getting Easier" which made me laugh, given the placement [...]

Interesting Bits - April 29th, 2008 [Infosec Ramblings]

Posted: 29 Apr 2008 09:25 AM CDT

Digital Forensic Evidence Collector [Matt Flynn's Identity Management Blog]

Posted: 29 Apr 2008 09:07 AM CDT

I want to get me one of these. Microsoft provides law enforcement with a digital forensic evidence collector in the form of a USB thumb drive. And it's free. Maybe I'm out of touch, but I haven't heard of this before. Pretty cool.
