Thursday, August 21, 2008

Spliced feed for Security Bloggers Network

The Daily Incite - August 21, 2008 [Security Incite Rants]

Posted: 21 Aug 2008 06:17 AM CDT

Today's Daily Incite

August 21, 2008 - Volume 3, #71

Good Morning:
Now that the Olympics are winding down, in the US the presidential election is heading into full swing. With about 10 weeks before the election, soon enough it's going to be all election - all the time. It starts next week with the Democratic National Convention and then the Republicans get their turn. On one hand I'm excited because it's a historic election and we clearly need some change. On the other hand, I'm sickened by the negative ads surfacing even before the conventions. They've let out the attack dogs, and once they are on the loose - you can't pull them back in.
Don't mess with these dogs!
Seth Godin has a great post here about why negativity sells in politics. It's within the context of the "stories" each candidate manufactures about the other, but he's annoyed by it as well. I can tell you, this is going to be a nasty election. There is a lot at stake, and even if you have something good to say - that isn't interesting. Not to the media anyway.

I don't want to totally blame the media, but they have a lot to do with why most folks in the world are cynical, pessimistic, and downright grumpy. All we see on TV are sensationalistic images of everyone else's pain. Maybe 20% of the news is sort of positive and "feel good" stories. And it usually is the last 5 minutes of the broadcast, after the Lotto numbers.

In the US, it seems we've become a have-not society. We think a lot more about what we DON'T have, rather than what we DO have. People make more money than ever before, yet we are less happy. The stress is enough to break most people on most days. So why would our politics be any different? Our politicians sell us on what the other guy DOESN'T have, not on what the candidate does have.

It's all disgusting. But it's not going to change because negativity sells. That's right, being positive is a crappy marketing strategy. It's sad, but true. Obama did try this different message in the primaries and it was new and novel and different. And then the negativity broke him down. It had to. He would have lost if he didn't strike back. 

And now the presidential election will be more of the same. I'm going to try to tune out most of the crap. But it will be in the news, on the TV, all over the Internet. Maybe I'll just hibernate until mid-November. Clearly that's not an option, but it sure would be nice. It's hard to try to stay positive, when everything around you is negative.

I guess it is what it is. In hindsight, 2004 was the historic election. That was when the entire US was "swift boated." And it's hard to see how that is going to change in the foreseeable future. That's the thing about the US. We do stuff and don't really think about the long term impact and cost. I guess that's the American Way.

Have a great weekend. I'll need to spend the next 45 minutes doing positive affirmations.

Photo: "Can I please walk my dogs in peace?" originally uploaded by hand-nor-glove


Top Security News

Taking the wraps off PCI 1.2
So what? - PCI is the gift that keeps on giving. With PCI 1.2 imminent, the PCI grand poobahs are starting to talk about what's new and different. Not a lot, but they are moving to address some of the weaknesses in 1.1 that resulted in breaches and/or confused the hell out of us. Things like wireless security. Evidently they figure 802.1x is a good thing. Not clear if that will be mandated, but perhaps "recommended." This is great for everyone that sells networking and security services. Why? Because 802.1x is hard to do and most companies don't have the technical chops to do it right. And we all know what happens when you configure things incorrectly. There is also some more clarification about anti-virus; evidently it needs to run on all operating systems. I'm sure the folks that sell Linux AV are tickled pink by that prospect. Of course, those nasty Linux worms are definitely creating a problem out there. Like signatures are going to stop a root-kit. It just seems to me that PCI is becoming like the TSA. Every time a new attack vector shows up, there is a new rule to stop it. A lot of it seems like security theater. Or even better, kind of like the signature AV business. At what point does PCI become so long (since it needs to have a new rule or clarification for every attack ever attempted) that it can't keep up? For the time being, PCI has been a good thing. I hope it stays that way.

Now this is an "insider threat"
So what? - What most of us do is low risk. You know, if one of your devices gets compromised, it's sad - but no one is going to die. With the CIA, it's a totally different story. Fascinating article here in NetworkWorld about how the CIA truly trusts no one, not even the insiders. The watchers are constantly watching the watchers and there are definitely lessons that we can take out of this. The first is about the fact that a background check on employees is a point in time. Kind of like an audit. But tomorrow something can change and that could impact the insider. So maybe doing ongoing investigations on people that have access to truly sensitive data is a good thing. The CIA also audits everything and looks for anomalies. REACT FASTER baby. That's what it's all about. They know they can't possibly protect every flank of the tens of thousands that work there. But they can make sure everyone knows they are going to be monitored and that "they'll" be watching. Is it a deterrent for everyone? Of course not. But it works for most. And when people's lives are at stake, every little bit of help is a good thing.

Missing the point of security software reviews
So what? - Seltzer is all up in arms because once again Consumer Reports has issued another anti-virus test. It uses the old software. Wah. It's not a fair testing methodology. Wah Wah. They spend the entire front part of the article trying to scare everyone. Wah wah wah. Larry is right that it's hard to explain security to lay people. Me? I'm less concerned about right or wrong or how this is going to affect the Big Yellow's market share. I'm happy that at least SOMEONE is talking about security. No review is perfect. Every review can be gamed. But the worst thing in our space is to not talk about it. If no one is talking about it to the consumers, then they are certainly not doing anything about it. And the fact is, there is very little difference between any of the top tier offerings. That box is green. One is yellow, the other is red. Big deal. They all work good enough. But not talking about it is much worse. Personally, I don't know why anyone pays for this stuff with all the free options out there, but that's just me.

The Laundry List

  1. Thanks to the Emergent Chaos guys for pointing out the classic XKCD voting machine AV comic. Anytime you can use condom and voting machine in the same sentence, it's cool by me. - Emergent Chaos blog
  2. Who has time for that? TippingPoint announces a new portal with real time threat info. I'm sure it's great eye candy, but how many administrators can just sit and look at the portal to figure out which new policies need to be deployed to their boxes. Anyone, anyone. Bueller, Bueller. - TippingPoint release

Top Blog Postings

What do Will, Skill, Bill and Nil have in common?
They are impediments that we security folks have to contend with that make it hard to complete a job. Bejtlich comes up with a great way to discuss each of our issues. A "will" problem is about motivation. Skill is self-explanatory. Bill is about not having money, and Nil is about not having "mojo" or credibility to push something through. When you think about it, pretty much all the problems do fall into one of these categories. So how do you fix it? I wish there was a simple answer, but it's really about focusing on the cross-section of the problems where your four impediments are minimal, and whatever you are trying to protect is sufficiently valuable. You don't want to just focus on the things you can get done, if there is little organizational benefit. But you also don't want to spend all your time chasing windmills because you don't have the money or skill (or motivation or mojo) to get something important done. That's why security is an art, not as much a science. And prioritizing effectively is the most important part of the job.

How do security folks use social networks?
No, this isn't another rant about Facebook or Twitter (sorry Jen). This is about an interesting survey done by the Big Yellow that tries to get at how security professionals use social networks. The data is kind of cool. Basically, we are suspicious of the value, but can't really block it. We don't want to "friend" everyone because that may be an implicit endorsement of someone we hardly even know. We know there is malware out there, but aren't really sure how to stop it. Hard to dispute anything in here. The fact remains that social networks are just something we have to deal with. Yes, they are infested with bad stuff and yes, it means we are going to have to clean things up time and time and time again. But like you couldn't really stop IM back in the day, you can't stop the social network. So we need to make the best of it. Try to educate your users on what to do and not to do. Have provisions in place to REACT FASTER when something goes down. Right, this is nothing really new, it's just happening faster than ever before.

No one said it had to be hard
It was pretty funny to watch the MBTA dispute over the DEFCON presentation. It seems that every year there is one organization that is caught with their pants down (thankfully it wasn't Eliot Spitzer again) and they react badly. The folks at Veracode wonder if the hack could really be that easy? Of course it can. Because a lot of these organizations are blissfully unaware that bad people will do bad things when given the opportunity. So they are surprised when someone points out that maybe storing value ON THE CARD is a bad thing. That not protecting that value is a REALLY bad thing. And the MBTA was pissed because their entire strategy of security by obscurity has been blown out of the water. Fact is, by trying to muzzle the MIT kids, they shined such a spotlight on themselves that they instantly became a target. And once you are a target, it doesn't take long for the bad guys to figure it out. Whether the kids discuss it at DEFCON or not. Maybe I should write an eBook on "how not to respond to security researchers" or something like that. But most folks wouldn't read it until it was too late. Anyway, it's way too much fun to see these organizations falling all over themselves.

The New Personal Identity Portal (PIP): [Blue Ocean]

Posted: 21 Aug 2008 12:15 AM CDT

Today, we are releasing a brand new version of the Personal Identity Portal (PIP). With support for two-factor authentication, the PIP remains a strong OpenID provider as VeriSign remains committed to the broad deployment of OpenID across the Internet. Beyond OpenID, the new PIP also includes some unique identity management features. As the user-centric identity movement reaches beyond authentication and attribute exchange, we wanted to evolve the PIP into an identity aggregation service that enhances control, convenience and security over personal data even when the data is scattered across non-interoperable Web sites. This theme of identity aggregation is going to remain an important product philosophy for us moving forward. Our first implementation focuses on personalization, convenience and security. This post provides a brief overview of the new features. For those of you who never read product descriptions, you can sign up for a free PIP account here. For the more curious minds, please, read on, and let us know what you think.

Personalization and the Personal Identity Page

The Personal Identity Page allows you to aggregate public identities and presence across multiple Web sites under your OpenID. In my case, my personal identity page can be found at You can see that I have chosen to aggregate my Blog, my Flickr pictures, my YouTube videos, and other personal links to provide a complete reflection of my public Web persona. With a Personal identity page, my OpenID URL now provides a simple way for people to find and discover my "aggregate me". Think of it as a modern version of public white pages. We have tried to keep it simple enough that it can be built within a few minutes, but rich enough to keep it interesting.
Of course, for many, the logical place to share their identity is their social network. For that reason, we have also created a FaceBook application. As shown below, the PIP FaceBook application lets you embed your "identity carousel" into your FaceBook profile to share it with your friends.

Convenience and 1-Click Sign-in across any Web site
The PIP 1-click sign-in service may be one of the most interesting new features. The service aims at enabling single sign-on across all popular Web 1.0 and Web 2.0 sites (whether they support OpenID or not). We have devised a client-less authentication solution that only requires one single click for you to log in across your social sites (FaceBook, Yahoo!, Google, MySpace...), your travel sites (TripIt, Expedia, United...), your financial sites (Wells Fargo, E*Trade, ...), almost any of your sites, really! Think of it as a password vault in the cloud. Think of it as a universal single-sign-on Web service. Since we did not think you wanted to give all your names and passwords to VeriSign, we have designed it in such a way that VeriSign never sees your actual names and passwords (we only receive and store an encrypted form of them and you keep the secret key for yourself). Of course, you still need to log into the PIP (that is the one required login). Unlike most existing solutions out there, there is no client to install, only an optional bookmarklet to save in your browser (the install is drag and drop in Firefox and Safari and we have an automated install script for IE6 and IE7 users). It works on Windows and the Mac. It will work on your 3G iPhone too, making OpenID and general login really user-friendly in a mobile environment (more in my next post). Note that the Beta 1-click service only supports 70 popular Web sites at this point. If your feedback is positive, we will add many more, so once again, let us know what you like and what you dislike. The bookmarklet is also a nifty navigation tool. When you are not on the login page of a Web site, it triggers a small navigation window (see above). The window displays the list of all the Web sites that you have registered with the 1-click sign-in service. Simply click any of these links; you will navigate to the site and be logged in automatically.
No more URL to enter, no more name and passwords to remember or type, only your PIP OpenID!

Security and Free Digital certificates
Since the 1-click vault security hinges on the PIP authentication, we wanted to offer you a broad choice of strong authentication solutions. Last year, we enabled VIP credentials (OTP tokens) within the PIP. This year we added a free layer of security that does not require any hardware. Indeed, we are giving our PIP users a free VeriSign certificate to secure their PIP account. Certificates and PKI have often been blamed for poor user experience. Therefore, we decided to create a new user interface for logging in with a certificate. Instead of issuing an identity certificate, we are issuing what we call a "browser certificate." A browser certificate is anonymous. It does not contain any information about you. Think of it as an opaque token that you link against your PIP account to protect it (it provides a second authentication factor: "something you have". Your PIP login name and password remain your first authentication factor: "something you know"). You can install these certificates on Mac and Windows (as many as you need). The certificates are free. We are still working on the iPhone (we have encountered a few challenges with certificates in the iPhone Safari, but with a little help from Apple, we will get there).

The whole PIP team has worked hard during the last 8 months to bring you all this new functionality. We are really excited to release this new version of the Personal Identity Portal to our growing PIP community. We hope you will enjoy using it as much as we enjoyed building it. Feel free to drop us a note, report bugs and make product suggestions. Our support email is We are looking forward to your feedback!

Overly Paranoid? []

Posted: 20 Aug 2008 06:20 PM CDT

During a recent eBay auction, when clicking the “Pay Now” button for an item I had won, I was taken off the eBay site, to a third party merchant site. The merchant site was attempting to verify address information and shipping options, and then forward me to PayPal. I tried going back into my eBay account and making the payment directly to PayPal several times, in an attempt to avoid the third-party site, without success. It appears that eBay is allowing third party merchants to insert their own code and web sites into the checkout process. What’s more, this particular merchant page was a mixture of secure and insecure content and some JavaScript. NoScript took care of the issue for me, but it leaves me wondering.

I am not sure if it is my heightened sense of post-DefCon paranoia, but this just seems like a bad idea to me. If I were a hacker, wouldn’t I just love a way to insert myself into the payment process? With most security analysis processes, I start by examining trust relationships I can exploit. This tends to be fertile ground for logic flaws, and these trust points tend not to be closely inspected by users. If I can insert myself into an established trust relationship to launch my attack, I am far more likely to succeed, and this seems like an open window for me to do just that. Bogus image tags, XSS, XSRF, inline frames, or whatever attack du jour; it seems like a natural target for inserting myself between these two trusted entities. I am not saying that any particular merchant site is insecure at this time, but I am willing to bet that regardless of any vetting process third parties go through, their security is not uniformly as strong as eBay’s and PayPal’s.

In general, I have no relationship with any of the third party merchant software, so I have no reason to trust the sites or their security. I make purchases on eBay with PayPal because I have a basic trust in their sites, processes, and security teams. This trust does not fully extend to every one of their affiliated merchants and third party sites, now and in the future. Not only that, the third party site offers me, the buyer, no added value, only potentially decreased security.

From PayPal’s own “Top Ten Safety Tips”, which they provide with the Security Key, tip number nine is “Stay Safe on eBay: … Pay safely using PayPal, the secure payment method that enables you to shop without sharing your financial information with the seller”. But if the merchant has been linked into the process, and you have to go to a merchant site first, it is somewhat at the seller’s discretion. And if the merchant site has been hacked, all bets are off.

I sent the question over to eBay and PayPal security and have not received a response, so I wanted to know what the community at large felt about this.


Verizon Elaborates On Data Breach Report [Infosecurity.US]

Posted: 20 Aug 2008 04:06 PM CDT

The Verizon Communications Inc. (NYSE: VZ) Business Division Security Blog’s Peter Tippett has posted a detailed update to the company’s 2008 Data Breach Investigations Report (DBIR), originally released in June. If you haven’t already done so, download the report from the Infosecurity.US Document Repository.

Adobe Acknowledges Flash Vulnerability, No Fix Yet. [Infosecurity.US]

Posted: 20 Aug 2008 03:41 PM CDT

Adobe’s (NasdaqGS: ADBE) PSIRT (Product Security Incident Response Team) has acknowledged the recently reported Flash-based exploit but has not provided a timeline for a fix. Many mainstream sites, including MSNBC, CNN, NBC, CBS, ABC and YouTube (the list goes on…) are at significant risk, and are definitely in a pickle.

The Best Incident Response Training You Can Buy. For Free. []

Posted: 20 Aug 2008 10:38 AM CDT

Next week I’ll be out of the office on one of my occasional stints as a federal emergency responder. I haven’t had the opportunity to do much since we responded to Katrina, and, to be honest, am surprised the team still lets me hang on (it’s in Colorado, I’m in Arizona, and I don’t get to train much anymore). Who knows how much longer I’ll get to put the uniform on- the politics of domestic response are a freaking mess these days, with all the cash funding the war, and I won’t be surprised if some of the more expensive (and thus capable) parts of the system are dismantled. Hopefully we can hang on through the next election.

Anyway, enough of my left wing liberal complaints about domestic security and on to incident management.

Although I haven’t written much about it on the blog (just the occasional post), one area I talk a lot about is incident response and disaster management: translating my experiences as a 9-1-1 and disaster responder into useful business principles. I’m frequently asked where people can get management level training on incident management. While SANS and others have some technology-oriented incident response courses, the best management level training out there is from FEMA.

Yes, that FEMA.

For no cost you can take some of their Incident Command Systems (ICS) courses online. I highly recommend ICS 100 and ICS 200 for anyone interested in the topic. No, not all of it will apply, but the fundamental principles are designed for ANY kind of incident of ANY scale. If nothing else, it will get you thinking.

And while I’m at it, here’s a definition of “Incident” that I like to use:

An incident is any situation that exceeds normal risk management processes.

Although I’ve sat through a lot of the training before, I never actually went through the program and test. I’m fairly impressed- these are some of the better online courses I’ve seen.


Security Catalyst Community Discussion Forum Update - August 20, 2008 [The Security Catalyst]

Posted: 20 Aug 2008 10:00 AM CDT

Here are some of the recent — and thought provoking — conversations of the Security Catalyst Community (SCC):

Opportunities to meet, network and join together

Join in the Discussion!

The Security Catalyst Community

Your participation is your currency (means no charge to join) - the more you contribute the more you learn and the more valuable the community becomes to everyone (so dive in and share). If you have not yet registered, please remember to use firstname.lastname as the standard.

Security Briefing: August 20th [Liquidmatrix Security Digest]

Posted: 20 Aug 2008 07:27 AM CDT

MIT CharlieCard Hackers Gag Free [Liquidmatrix Security Digest]

Posted: 20 Aug 2008 07:11 AM CDT

So why the fuss over the MIT student presentation that “never was” at Defcon? Why the court order barring them from speaking AFTER the presentation had been handed out to 7000 or so attendees and had been available on an MIT website for several months?

Well, money. MBTA is drowning in red ink.

From The Boston Globe:

Strapped with an $8.1 billion debt, the MBTA can’t afford expensive upgrades to its automated fare equipment. That may explain, in part, why the transit agency put such extraordinary legal pressure on three MIT students who claim to have found a way to hack into the transit system’s $180 million automated fare system. But trotting out the lawyers didn’t make the T less vulnerable to future hackers.

Well, the gag order has been lifted. Which, in all fairness, should never have been in place to start with.

The MIFARE wireless chips are popping up in transit systems all over the place. Case in point, in the greater Toronto area (GTA) an amalgamated transit card is being rolled out that will provide users the ability to travel several systems on one card. London’s implementation of Mifare technology has been less than stellar.

Our own Myrcurial attempted to contact the Prestocard folks about the Mifare technology at the beginning of July but, he was given the Heisman (a “straight arm” for the non-sports inclined). So, is the Presto Card headed for an epic failure? We’ll have to wait and see.

Article Link

UK Police Raid Chip and PIN Hacking Op [Liquidmatrix Security Digest]

Posted: 20 Aug 2008 06:31 AM CDT

Where there’s money to be made, illegally, you can be sure someone will hear the call of easy money. One such gang was taken down a few days ago by UK police.

From ZDNet Asia:

The discovery was made by specialist card fraud police unit, the Dedicated Cheque and Plastic Crime Unit (DCPU), when it raided a sophisticated counterfeit card factory in Birmingham. Two people have been arrested and charged with conspiracy to fraud following the raid.

When police raided the premises they found stolen chip and PIN terminals, card account numbers, a card reader/writer, computer software and fake magnetic stripe cards.

According to police, the tampered chip and PIN terminals are installed in retail outlets and petrol stations either by someone working on the inside or by threatening staff. The criminals are then able to steal card details and PIN numbers.

This is nothing new except that the criminals were threatening their victims into installing them. Usually the perps aren’t quite so brazen, opting for a more discreet approach.

Article Link

MBTA Hacking Injunction Lifted [Zero in a bit]

Posted: 20 Aug 2008 12:49 AM CDT

Earlier today, the US District Court dealt a victory to the MBTA hackers and the EFF, lifting the injunction issued on August 9th to prevent the three MIT students from presenting their findings at DEFCON 16. In summary:

The lawsuit claimed that the students’ planned presentation would violate the Computer Fraud and Abuse Act (CFAA) by enabling others to defraud the MBTA of transit fares. A different federal judge, meeting in a special Saturday session, ordered the trio not to disclose for ten days any information that could be used by others to get free subway rides.

“The judge today correctly found that it was unlikely that the CFAA would apply to security researchers giving an academic talk,” said EFF Staff Attorney Marcia Hofmann. “A presentation at a security conference is not some sort of computer intrusion. It’s protected speech and vital to the free flow of information about computer security vulnerabilities. Silencing researchers does not improve security — the vulnerability was there before the students discovered it and would remain in place regardless of whether the students publicly discussed it or not.”

This sets a good precedent for future cases, and perhaps next time a similar situation arises, a judge will not be so quick to issue a gag order. It’s not a happy ending yet though, as the original lawsuit is still in effect.

As Chris Wysopal pointed out last week, the MBTA’s ire is misdirected. Rather than suing the vendor who sold them the defective system, they sued and attempted to silence the students who discovered the weakness. This is 2008, not 1988 — did they honestly think a gag order would prevent the information from reaching the general public? The DEFCON presentation was already available on the Intertubes prior to the injunction being issued, and the MBTA attorneys included a copy of the confidential whitepaper with their filing, thereby making it public.

I guess you wouldn’t expect that a transit authority would have paid any attention to the Ciscogate fiasco from a few years ago. That presentation never got out either, did it? All that taxpayer money the MBTA spent on ridiculous lawsuits and restraining orders could have been put toward fixing the security flaws. What a concept.

Disaster for Disaster Recovery []

Posted: 19 Aug 2008 10:39 PM CDT

And I thought we weren’t going to be part of the disaster recovery test on Friday.  Boy was I wrong!  In the early hours of Friday morning we had a hardware failure on the firewall for the link used for the VPN to the disaster recovery site for our mainframe (which was conducting a DR test on Friday).  To add insult to injury this was the same link that our remote users use for access.  So Friday morning El Sidekick was taking fire from all directions with remote users unable to get in.  During all of the chaos it escaped everyone except for myself that the DR test was dead before it even began.  A remote user can drive to the office if remote access is unavailable.  The DR test doesn’t have the same luxury.

Let’s get to the heart of the problem…the hardware failure. Luckily, we had a spare firewall appliance sitting in a closet that had been retired because of some reliability issues. Unluckily, I had never deployed a Check Point firewall on a Nokia appliance before. I have been administrating them for over four years now but have never installed one. Oh, did I mention we didn’t have support on this hardware (or Check Point for that matter)? So I was on my own to figure this out. Nothing better than having the pressure of an expensive disaster recovery test sitting on your shoulders as you try to figure something out that you’ve never done before! This stuff isn’t rocket surgery and it didn’t take too long to get the ball moving. I figured out how to wipe the previous config (rm /config/active). After going through the IPSO setup we were able to then delete the previous Check Point packages and install new/fresh ones. Well, that was the plan anyway. I went to the most likely place to have a copy of the package I needed, our SmartCenter server. Not there. Fother mucker! Okay…now what do I do? Maybe it’s on one of the two firewalls at the other location. First firewall check? Not there. Shit. Second firewall check? Jackpot! So I FTP that down to an FTP server and upload it to the firewall I’m trying to load. The upload was successful so I went to install the package. Corrupt. Son of a bitch! Well that left us with one last chance to get this firewall operational. The unit that replaced this retired hardware I was trying to install came with a CD that had a new IPSO version on it along with a new Check Point version. Hells bells, let’s upgrade the IPSO and install this newer package. I got the IPSO upgraded no problem, got the Check Point package uploaded and installed. Everything seemed to be falling into place. I added the firewall into SmartCenter and tried to initialize the SIC. It failed and I really didn’t know where to go from there.
By this time it was approaching mid-afternoon and people more important than me were needing to know if this disaster recovery test was going to be able to happen in any capacity. Having never done this before and having no idea how much longer it was going to take, we decided to go to “Plan B.” “Plan B” was to connect the router the VPN terminates on to another router and lock it down with ACLs so only the DR traffic could traverse this interface. Luckily I know Cisco way better than I know Check Point, so I was able to have access to the VPN site in about 15 minutes as opposed to the nearly 5 hours of trying to work through the Check Point stuff for the first time.
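The “Plan B” above, as an added illustration that is not the author’s own configuration: a pair of Cisco IOS extended ACLs that let only the DR-test traffic cross the temporary link. The interface name and both subnets are placeholders (the DR site is shown in the RFC 5737 documentation range 192.0.2.0/24 and the mainframe segment as 10.10.0.0/24), and the ACLs are assumed to sit on the second router’s interface that faces the VPN-terminating router, so “in” is traffic arriving from the DR site and “out” is traffic heading toward it.

```cisco
! Placeholder addressing (assumed, not from the post):
!   10.10.0.0/24        = mainframe / DR-test hosts on the office side
!   192.0.2.0/24        = DR site network reached over the VPN
!   GigabitEthernet0/1  = temporary interface toward the VPN-terminating router
ip access-list extended DR-ONLY-IN
 remark Only the DR site may reach the mainframe segment while the firewall is down
 permit ip 192.0.2.0 0.0.0.255 10.10.0.0 0.0.0.255
 deny   ip any any log
!
ip access-list extended DR-ONLY-OUT
 remark Only mainframe-to-DR-site traffic may leave toward the VPN
 permit ip 10.10.0.0 0.0.0.255 192.0.2.0 0.0.0.255
 deny   ip any any log
!
interface GigabitEthernet0/1
 description TEMPORARY DR link - remove once the firewall is back in service
 ip access-group DR-ONLY-IN in
 ip access-group DR-ONLY-OUT out
```

`show ip access-lists DR-ONLY-IN` reports per-entry hit counts, and the `log` keyword on the deny lines makes anything else that tries the path visible in syslog, which is the check worth running before declaring the workaround good. Narrowing the permit lines to the specific hosts and ports the DR test uses is better still if those are known; the stop-gap is only as tight as the least specific permit.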

I walked away a beaten man that afternoon. I hate it when I can't figure something out. Luckily I had the Jack Johnson concert Friday night and my daughter's 2nd birthday on Saturday to get my mind off of it. Sunday I was ready to give it another go. First thing I tried was to reset the SIC on the firewall itself. You do this by typing "cpconfig" and then choosing the "Secure Internal Communication" option. Guess what, you have to run "cpconfig" after you install a package as well! Had I known that, Friday could have ended on a happy note. After I figured that out things went a lot better. Through some trial and error I got the installation down to a science and am now able to do it in roughly 20 minutes. Not too bad considering Friday I'd never done it before! So there you have it. Sometimes you have to learn things the hard way. The things I learned from this failure were numerous and definitely learned the hard way!!

Design your Failure Modes [Last In - First Out]

Posted: 19 Aug 2008 09:30 PM CDT

In his axiom 'Everything will ultimately fail', Michael Nygard writes that in IT systems, one must:
"Accept that, no matter what, your system will have a variety of failure modes. Deny that inevitability, and you lose your power to control and contain them. [....]  If you do not design your failure modes, then you will get whatever unpredictable---and usually dangerous---ones happen to emerge."
I'm pretty sure that I've seen a whole bunch of systems and applications where that sort of thinking isn't at the top of the software architect's or developer's stack. For example, I've seen:
  • apps that spew out spurious error messages to critical log files at a rate that makes 'tail -f' useless. Do the errors mean anything? Nope - just some unhandled exceptions. Could the app be written to handle the exceptions? Yeh, but we have deadlines...... 
  • apps that log critical application server/database connectivity error messages back to the database that caused the error. Ummm...if the app server can't connect to the database, why would you attempt to log that back to the database? Because that's how our error handler is designed. Doesn't that result in a recursive death spiral of connection errors that generate errors that get logged through the connections that are in an error state? Ummm.. let me think about that.....
  • apps that stop working when there are transient network errors, and need to be restarted to recover. Network errors are normal. Really? We never had that problem with our ISAM files! Can you build your app to gracefully recover from them? Yeh, but we have deadlines...... 
  • apps that don't start up if there are leftover temp files from when they crashed and left temp files all over the place. Could you clean up old temp files on startup? How would I know which ones are old?
I suspect that mechanical engineers and metallurgists, when designing motorcycles, autos, and things that hurt people, have that sort of axiom embedded into their daily thought processes pretty deeply. I suspect that most software architects do not.
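The three failure modes from the list above (logging database errors back to the database, not surviving transient errors, and refusing to start over leftover temp files), each given a designed response. This is an added Python example, not code from Nygard's book or the original post; the database, the local log sink and the temp-file ages are constructed stand-ins.

```python
import time
from pathlib import Path


class DbUnavailable(Exception):
    """Raised when the (constructed) database connection cannot be made."""


class FakeDb:
    """Constructed stand-in for a database: the first `fail_first` writes
    fail with a connection error, later writes succeed."""

    def __init__(self, fail_first=0):
        self.fail_first = fail_first
        self.calls = 0
        self.rows = []

    def insert_log(self, msg):
        self.calls += 1
        if self.calls <= self.fail_first:
            raise DbUnavailable("connection refused")
        self.rows.append(msg)


class DbLogger:
    """Writes log lines to the database, with a designed failure mode: when
    the database is down, the line goes to a local sink (a list here, standing
    in for a file) and the failure is never re-logged through the broken
    connection, so there is no recursive spiral of connection errors."""

    def __init__(self, db, local_sink):
        self.db = db
        self.local = local_sink

    def log(self, msg):
        try:
            self.db.insert_log(msg)
            return "db"
        except DbUnavailable as exc:
            self.local.append(f"db unavailable ({exc}); local copy: {msg}")
            return "local"


def with_retry(fn, attempts=4, base_delay=0.5, retry_on=(DbUnavailable,),
               sleep=time.sleep):
    """Treat transient failures as normal: retry with exponential backoff and
    re-raise only after the last attempt, so the caller sees a hard failure
    instead of the app hanging until someone restarts it."""
    for i in range(attempts):
        try:
            return fn()
        except retry_on:
            if i == attempts - 1:
                raise
            sleep(base_delay * (2 ** i))


def select_stale(mtimes, max_age_s, now):
    """Given {name: mtime} for leftover temp files, return the names that are
    older than any legitimate run could be; those belong to a crashed run."""
    return sorted(n for n, m in mtimes.items() if now - m > max_age_s)


def clean_temp_dir(dir_path, max_age_s, pattern="*.tmp"):
    """Startup hook: delete stale temp files instead of refusing to start."""
    d = Path(dir_path)
    mtimes = {p.name: p.stat().st_mtime for p in d.glob(pattern)}
    stale = select_stale(mtimes, max_age_s, time.time())
    for name in stale:
        (d / name).unlink()
    return stale
```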

So the interesting question is: if there are many failure modes, how do you determine which failure modes you need to engineer around and which ones you can safely ignore?

On the wide area network side of things, we have a pretty good idea what the failure modes are, and it is clearly a long tail sort of problem, something like:

We've seen that circuit failures, mostly due to construction, backhoes, and other human/mechanical problems, are by far the largest cause of failures and are also the slowest to get fixed. Second place, for us, is power failures at sites without building generator/UPS, and a distant third is hardware failure.  In a case like that, if we care about availability, redundant hardware isn't anywhere near as important as redundant circuits and decent power.

Presumably each system has a large set of possible failure modes, and coming up with a rational response to the failure modes on the left side of the long tail is critical to building available systems, but it is important to keep in mind that not all failure modes are caused by inanimate things.

In system management, human failures, as in a human pushing the wrong button at the wrong time, are common and need to be engineered around just like mechanical or software failures. I suspect that is why we need things like change management or change control, documentation and the other not-so-fun parts of managing systems. And humans have the interesting property of being able to compound a failure by attempting to repair the problem, perhaps the reason why some form of outage/incident handling is important.

In any case, Nygard's axiom is worth the read.

(Apologies to the syndicators for the premature partial post. It turns out that slapping a mosquito and publishing to a blog use very similar hand/arm motions. Hmm....another failure mode to think about....)

onTour Updates - where is Michael Santarcangelo? [The Security Catalyst]

Posted: 19 Aug 2008 01:18 PM CDT

Greetings from Sierra Vista, Arizona with a long overdue update. While I may have been quiet (rare, I know), I have not been idle.

A few months ago I was focused on tracking down security fundamentals - and how they need to be applied; last week I was able to craft an intense training session that brought a group of professionals through a unique training class designed around that very concept. It was a great week and really has me energized (despite the need for sleep).

I also shared some insights from Into the Breach with a group at Fort Huachuca yesterday. The best part - for everyone, myself included - was the hour-long conversation that ensued after the keynote. We talked about current challenges and how we can face them by addressing the true problems (not the symptoms) and how to engage people to take responsibility while increasing our ability to hold them accountable.

We are going to take some time today to visit Bisbee, AZ before heading up to Tempe, AZ tomorrow. This is our final “pre-tour” trip as we work out the kinks of driving cross-country in the RV multiple times a year, running the business and spending time as a family. This trip was much smoother than the spring “expedition” and we are already looking forward to the onTour launch in September!

As we make our way back to NY, here is our schedule for the next two weeks:

Phoenix, AZ

I love Phoenix and look forward to catching up with a lot of good clients, friends and even some new faces.

Arrive: Wednesday, August 20, 2008

Depart: Friday, August 22, 2008

Staying here:


Dallas, Texas

We have a lot of friends that we hope to see while we stop in Dallas. The best part of traveling by RV is the complete flexibility to see clients, potential clients and friends (most of whom were once clients or will be clients). We really enjoy life as a family and seeing the country in a way that allows us to work with people we would choose to spend time with!

Arrive: Saturday, August 23

Depart: Monday, August 25

* we have not yet picked a park, but these are the top three options - have experience or insight? Drop me a line *


Atlanta, Georgia

** Will be meeting some friends and potential clients to discuss how Into the Breach influences “Awareness that Works”; I love the opportunity to discuss my passions and share research. I’m really pumped about this!

Arrive: Tuesday, August 26

Depart: Thursday, August 28

Staying here:


Potential other stops on the way “home”

  •       Considering a brief stop in Charlotte, NC
  •       May take one more trip to Hershey Park (need to find a connection at the Hershey Chocolate company - we’re there so much!)

Are you along our path?

If you are along our path or in one of the cities where we are touching down, I would love to meet, say hello and can offer you a preview copy of Into the Breach!  I am currently tweaking the onTour website in time for our September launch and will be announcing the 6-week onTour Fall leg in about a week or so.


Other Quick Updates

  •       Four podcasts are lined up, including the Pop Culture Security, Breach Breakdown and Security Roundtable!
  •       Despite my compressed schedule, my brain has not stopped; I have been working on a series of articles to share
  •       I have a special report on “freeware” that I will be releasing next week; this was a real change in thinking for me and I look forward to sharing what I learned with you.


Book Updates

  •       The Kindle book should be available this month
  •       The eBook should be available this month
  •       The hardcover book will be available September 16, 2008 (we’ll be picking up 500 copies on our way to Nashville, TN)
  •       The book can be pre-ordered here:

The Daily Incite - August 19, 2008 [Security Incite Rants]

Posted: 19 Aug 2008 09:13 AM CDT

Today's Daily Incite

August 19, 2008 - Volume 3, #70

Good Morning:
It's really amazing how a little change in perspective can totally change your outlook. I'm wired as a cynical pessimist. That means I tend to look for the downside in everything, and even when it's mostly upside - I'm still looking for the downside. No wonder I do security, eh? But it does make for a pretty bumpy ride because you are never really "happy." Or only happy for short bursts of time before your internal wiring reminds you that things can (and probably will) go wrong and you need to be prepared for that.
Check out that itsy bitsy plane
Obviously this is a tough way to go through the day. It's amazing that you can put two people - one optimist and one pessimist - through exactly the same situation and see how different their perspectives will be. So I'm working on trying to change this about myself.

Of course, it's almost impossible to change the way you are wired. Since a lobotomy isn't high on my list of things to do, I figure I need to make the best of my psyche and employ some little tricks to smile more and appreciate the great stuff that happens every day.

I call the technique "little things." In that I'm looking for the little things that are funny and give me an opportunity to remember how lucky I am. For example, I had a bunch of little things when I took the boy to the Falcons game on Saturday night. But the best was when we were on the train home and I asked him what his favorite part of the game was. I figured it would be the two exciting long runs from Michael Turner. Or a good tackle or a completed pass. But I forgot I'm dealing with an almost 5 year old here. His response was "I had a bunch of treats." Of course, cookies and Dippin' Dots are exactly what would appeal to him. That made me smile. That was a little thing.

Or when I went to the Boston/Styx show on Sunday. Two of my favorite bands growing up, it was great to see the old favorites live. And to see how much they (especially Styx) still enjoyed playing the songs they've probably played 10,000 times over the years. You wouldn't know it by seeing their performance. It was like things were brand new. That's a little thing too.

Or even yesterday when the barista at Starbucks made a mistake in my favor and I ended up with the venti (that I ordered), but got charged for a grande (the medium size). Again, I think I saved maybe a buck. But the folks behind the counter and I had a good laugh about it. And that was a little thing. Sure it's nothing major, but these little events help take my focus away from the fact that it won't be too long before I start looking over my shoulder again and assessing the risk of sitting at the far corner table facing the door (which I usually pick so I can see everyone that walks in and out). 

I know I can't turn off those aspects of the way I think. But I certainly can try my best to look at things a bit more positively. Have a great day. And pick maybe three "little things" to appreciate today. It'll totally change your outlook - for the better.

PS: I ranted a bit yesterday about password resets, and mentioned Shimmy and My Little Pwnie in the same post. :-) But my email broadcast system was temperamental, so I couldn't send it out to folks that get the TDI via email. Sorry about that.

Photo: "Airplane 02 nano" originally uploaded by watdoenwijmetnl



Top Security News

Maybe we should check Hoover's file cabinet
So what? - All hail Brian Krebs. He did a masterful interview of the FBI's head cyber dude on his blog and it's fascinating, and I'm not sure in a good way. They go through all the typical geek cred stuff (like the FBI guy favors Linux and builds his own video cards), but when it gets to security - that's when it gets interesting. Sure, the guy still banks online (as do I), and most folks out there have no idea how to protect themselves, which I agree with. He also makes the point that security will be a differentiator for some institutions (especially banks), which I'm a bit skeptical of - but I understand the theory, which assumes that people care. It's when Brian asks him how the FBI is evolving that our favorite special cyber agent becomes very testy. He even calls Brian "unpatriotic" for even asking the question about how the FBI is trying to catch bad guys. It's that one statement that really undermines all the positive PR work the FBI has been trying to do. It seems our cyber security chief forgets that there are only so many ways to catch a thief. And it's important for us common folks to gather the right data to actually maybe assist the FBI in their investigations. But it's all very secret and hush hush, so we can't talk about that kind of stuff. We wouldn't want to give the bad guys any tips. Like they don't know how to do a forensic scan of a device. It hearkens back to the days of Hoover's file cabinet. Clearly they shouldn't be talking about specific investigations, but to not talk about techniques? They think perceived mystique is a selling point. I think it seems a bit too close to the Wizard of Oz. Don't look behind the curtain, y'all.

Hands on NAP
So what? - The folks at InformationWeek Reports did a hands-on test drive of Microsoft's NAP (this is a PDF file) and it's kind of interesting to see how Microsoft's under-the-radar (for the last year anyway) approach to proliferating NAP in most places will likely work. If you recall, MSFT got caught up in all the hype back in 2006 and was really selling the "future" of NAP. Of course, it was mostly vapor and APIs. But then they stopped talking about it. And with Server 2008 on the street, now they can start doing it. The reviewers tested a bunch of different enforcement methods (DHCP, IPSec, VPN, Terminal Services and 802.1x) and the product seems to work (if you can believe a review, anyway). There are some gotchas (like turning on the NAP client service on the devices), but nothing more than a minor pain. To me the crux of the decision isn't about to NAP or not to NAP. It's about how to leverage NAP to solve the real problems, be it guest/contractor access or even specific access control. And it will be interesting to see how the NAC vendor community looks to take a page out of the MSFT play book and "embrace and extend" NAP, so their products add value when NAP is there. For the NAC industry - their window is still open to add value for heterogeneous markets and ease of configuration/use. But those aren't long term value propositions. That's why I keep maintaining that NAC functionality will become a feature of the network. We'll see in 5 years if I was right.

No rootkit for you (you hope)
So what? - It's funny how the security industry seems to have the attention span of a gnat. Remember back in 2006, at Black Hat, rootkits were all the rage. Now we hardly hear about the attack. I guess it's just not newsworthy anymore. Unless you've been infected, then it's a lot of fun to reimage your machine and hope you didn't lose too much data. Why aren't we worried about rootkits anymore? Basically, in this case no news is bad news. As this NetworkWorld article details, not much has changed. The same old attack methods are still working well, and the defenses aren't. We don't like to draw attention to the fact that we aren't getting the job done, so we sweep the issue under the rug and hope it goes away. It's not, and if anything, the bad guys are making rootkits harder to find and eradicate. So what to do? Continue blocking, tackling and monitoring? Again, you may not be able to figure out if/when a device gets nailed, but you can figure out it's doing something funky. Then you investigate and remediate it, if need be.

The Laundry List

  1. CHKP announces a better virtual VPN-1 SPLAT. Is that the sound it makes when the cat is thrown off the 30 story building in Second Life? Hoff seems to think this is a big improvement in terms of high availability. I'll take his word for it. - CHKP release
  2. Security at Cisco is growing up? That's good, maybe one of these days they'll get out of diapers and won't have to keep cleaning up turds on the floor. Though this interview does provide a good perspective on how yummy eating your own dog food can be. - NetworkWorld interview
  3. CoreTrace stops all the bad stuff during the Race to Zero at DEFCON. It seems there may be something to this whitelisting stuff. But we can't forget how strong the signature-based inertia is in the security business. - CoreTrace release
  4. Deal: Symantec buys PC Tools. Looks like there will be more crap in the Big Yellow retail box before long.  - Symantec release

Top Blog Postings

I break your cert, and you will like it
Shostack rants quite a bit here about the new Firefox and its penchant for breaking self-signed SSL certificates. He does a good job of presenting both sides of the issue here, since it's clear that when dealing with a branded web site (like PayPal or eBay), if the browser doesn't question a self-signed cert then the phishers will have a field day. OK, that's assuming that anyone actually does look for the green bar or the lock or whatever other visual cues they are building into the interface. But is it a legitimate tax to have to pay $29 a year for a signed cert? And does that really mean anything besides the fact that you control a domain and have an email address? If you are looking for even half-assed validation, then you need an EV cert and that's a couple hundred bucks. And Adam's question is really about whether it even matters. Most users are conditioned to just click off the warning boxes. Adam's answer is to stop sending links to users and to train them to actually type in an address that you know is legit and then bookmark it. It's an interesting idea, but it's not really practical. Because these businesses are all about making it easier for the customer to find their site and do business with them. They'll deal with the shrinkage and fraud because that represents a lot less financial impact in the aggregate than providing a more difficult user experience. And these companies are willing to shell out for the VeriSign SSL cert tax. And that seems to be the way it is.

Protecting endpoints is the key (especially when you sell endpoint security)
I get a good chuckle out of McAfee's blog most of the time. It varies from CEO-level rah rah stuff to weird stats to unadulterated humping of their product lines. Like this post that talks about why an integrated endpoint agent is "key to security control." Hmmm. Yes, most of today's device security is a mess. Lots of customers have lots of agents and it's all very inefficient for lots of reasons. So I'm totally on board (much to Shimmy's chagrin) with Big is the New Small and the need to integrate a lot of these functions, if only for simplicity's sake. But to figure that an integrated endpoint, managed by a central console, is the Rosetta Stone is just funny. I know this blogger is only looking at it from the perspective of the endpoint. And I know that McAfee sells a bunch of other stuff to solve other security problems. I just think this kind of drivel is more entertaining than anything else. Wouldn't it be great if we could just trust a big vendor like McAfee (or anyone else for that matter) to get it right, and we could play a bit more golf? How cool would it be if we could sleep like a baby at night knowing that the integrated endpoint security is defending us against all of the charlatans and fraudsters out there? Yeah, it would be cool, and part of me thinks a lot of the folks at Big Security companies actually believe it. They should get out in the real world a bit more.

New times call for new security models
Gunnar makes the point here that mainframes are still good business. "Selling like hotcakes," which is actually making me hungry. Yet, underlying the desire for the simpler days when RACF made everything tidy and secure, is the real issue. There is an impedance mismatch between the security models of distributed apps and mainframes. So most folks rely on the tried and tested approach of a proxy-like gateway sitting in front of the mainframe to "translate" between the different models. Which is fine, as long as you can trust who is getting the data. Own that proxy box and you own all the data in the mainframe. Or most of it anyway. GP's point is that we need to start focusing on securing the DATA and not just the resource. That's exactly right. The existing security industry is all about securing devices (with a rather broad definition of device). But the problem is really about securing data. I know, I know. Hoff and the Mogull and even a small-brained fellow like myself have been talking about data-centric security for a long time. But I just wanted to remind you that it's important. Just ask Gunnar.

NERC Has A New CSO [Liquidmatrix Security Digest]

Posted: 19 Aug 2008 08:09 AM CDT

The North American Electric Reliability Corporation (NERC) announced yesterday that they had managed to lure Michael Assante away from Idaho National Labs. Assante was formerly CSO for American Power and American Electric Power prior to that.

From the press release:

In this newly created position, Assante will formally establish Critical Infrastructure Protection as one of NERC's program functions, alongside its existing standards development, compliance and enforcement, and reliability assessment programs. Assante will also serve as the single point of contact for the industry, NERC's Electric Sector Steering Group, and government stakeholders seeking to communicate with NERC on cyber and infrastructure security matters. Assante will officially begin at NERC on September 2.

NERC has made a positive move with Assante’s hiring. It is a touch disconcerting that NERC didn’t have a CSO function previously, when you consider their role:

Our mission is to ensure the reliability of the bulk power system in North America.

Hopefully, he will be able to drag pretenders to the throne kicking and screaming into the sunlight.

Congrats Michael!


(Thx to CJ for the heads up)
