Archive for June, 2011

Jun 29 2011

Guest on

Published by under Podcast

Over the weekend I had a chance to be a guest on the Aluc.TV podcast.  I’d heard Aluc’s name several times before, but it wasn’t until the last night of the FIRST conference in Vienna that I resolved to meet him.  A friend heard I was going to BSides Vienna the next morning and made a point of telling me I should meet Aluc.  I think the comment was something like “You should meet Aluc.  He’s …. interesting”.  With an introduction like that, how could I resist?  I talked to Aluc before and after his talk on social engineering and taking it beyond lying, his first public presentation since 1987.  He’s an interesting character and if he ever offers to show you some of his physical security moves, very politely pass.  If half of the things he says about his past are true, he’s a very dangerous man.

By the way, it was fun working with Aluc to get Jayson Street worked into a lather.  Not that it takes all that much to get Jayson worked up, but it’s still fun.

Aluc.TV Podcast



Jun 28 2011

Network Security Podcast, Episode 245

Published by under Podcast

Zach is still off earning a living or being otherwise distracted, so Rich and Martin keep it simple, stick to the security news, and roll through a handful of stories.  And talk about doing some fun stuff at Defcon.

Network Security Podcast, Episode 245, June 28, 2011
Time:  31:41

Show Notes:



Jun 21 2011

Network Security Podcast, Episode 244

Published by under Cloud,Encryption,Podcast

Martin is back from Vienna, but Zach is off in NYC. Thus Rich and Martin catch up, talk about the cloud security class and the rest of the security news. Martin is surprisingly coherent despite the jetlag.  Some might argue that Zach is one of the few things that keep Martin and Rich from rambling at length.  And they might be right.

Network Security Podcast, Episode 244, June 21, 2011
Time:  37:36

Show Notes:



Jun 08 2011

Fundamental flaw in thinking: We’re responsible

Published by under General,Simple Security

Over the last few months I’ve come to the conclusion that we’re doing security wrong.  Not the day to day details, though we’ve gotten a lot of that wrong as well.  I mean we’ve gotten the big picture issues wrong; we’ve made a number of false assumptions about how we should be protecting our enterprises.  We’re building the very concepts we rely upon to develop products, services and systems on shaky ground.  If you don’t agree, just look around at the ease with which hackers are tearing through the defenses of even the largest merchants (Sony) and you have to admit that something isn’t working like it should be.  You can blame businesses for not giving us the resources we need, you can blame a shortage of decent security professionals, or you can do some self-examination and realize that maybe security best practices and compliance efforts just aren’t working.

When I say we’re doing it wrong, I’m thinking at a more basic level than some of the common fallacies we run into every day.  We all know that ‘firewalls are a security device’ is wrong; they’re just a complex traffic management device and in most cases don’t do much more than filter traffic at the grossest level.  And that’s assuming they’ve been set up correctly, which too many aren’t.  When was the last time you saw good egress rules?  Or consider the fact that a number of studies have shown that antivirus commonly doesn’t catch more than 70% of all viruses, and the number is falling.  These are both assumptions that executives and non-security professionals make, but most of us in the community know that firewalls and AV are just things we put in because the business has come to think of them as the expected minimums.

But the flaws I’m looking for go deeper than the fallacies of firewall and antivirus effectiveness.  I’m not looking for the nuts and bolts assumptions that we make to work on a day in and day out basis.  I’m trying to examine the deeper assumptions, the ones that we’ve built our entire philosophy of security upon.  In a different context we may call this our morality or religion, which might not be a horrible comparison.  I’m looking to see what some of the most basic truths we’ve decided for ourselves are, and what errors we’ve made because we’ve built these up from lessons taught to us by others.  Were these assumptions once valid, did they once have a grain of truth, or were they merely the most basic and easy rules to put in place because they hadn’t been tested before?  And just as with religious or moral beliefs, too few of us ever take them out of the back of our mind to re-examine the assumptions and see if they still hold up as well in our adulthood as they did in our childhood.  The security assumptions that might have served you well when you were an IDS or firewall administrator may not translate well to a later point in your career, and in fact may cause damage to your reputation.

It’s never easy to change the core of your belief system.  I only know a few people who consciously make a habit of doing it on an annual basis and even fewer who live their lives in a constant state of re-examination.  It’s a powerful tool to be able to look at your worldview, understand that you’ve made some mistakes and adjust to the new realities of how that affects the way you interact with the world.  But it’s painful sometimes, and the change can be difficult.

So enough of the philosophical BS: what are the fundamental flaws in security reasoning that I’ve identified?  I’ll be honest, there’s only one I’ve identified and mulled over to the point that I’m ready to share.  We, security professionals, have taken it upon ourselves to be responsible for all risk in the corporate environment.  We started by placing the firewalls around the outside of the network, and as more and more complexity was added into the IT infrastructure, we took more and more of the risk into our philosophy, without really stopping to consider whether we are the ones who are responsible for the vulnerabilities and misconfigurations that spawn much of the risk in our environments.  We’ve only rarely been given, or fought for, the authority to make changes in the products and systems that introduce risk; we are all too often nothing more than a speed bump in the corporate culture and a scapegoat for compromises when they happen.  “Why didn’t you protect us?  It’s your fault this happened!”  But if we had little or no ability to change the underlying systems that led to the compromise, why are we considered responsible?  Responsibility without the authority to effect change is the surest route to being a scapegoat in the best of situations.

So why have we accepted this risk responsibility without having any authority?  Because that’s how most of us have been taught to do security.  It’s not only our duty to identify risks and explain them to the business, it’s our duty as security professionals to shoulder that risk and do what needs to be done.  Despite the fact that we can’t change the underlying problems that introduce the risk.  Despite the fact that all too often we don’t have the manpower to deal with the problems we already have.  Despite the fact that we’re not given the budget we need to reduce the risks that existed in the enterprise before some new project introduced even more risk into our overstressed environment.

So if we’re not responsible for the risk in the enterprise, who is?  In a perfect world, the people who introduce the risks should also be the ones responsible for them.  Is the marketing department requiring a new feature on the company web site that also opens up the corporation to a partner?  Then they should be the ones whose finances bear the burden of paying for the additional monitoring costs.  The development department is doing the programming for the corporate web site, so why is the security department being held responsible when a SQL injection attack not only takes down the site but also discloses a million customer records?  If a proper SDLC had been implemented, if tools for testing the software had been used, if internal training had taken place, the SQL injection should never have happened.  Yes, we can be responsible for adding a layer of protection beyond that, but it’s the development team that should be taking the responsibility, since they’re the team that actually had the authority to make changes and prevent the risk from being placed in the environment in the first place.  We need to stop being the sin eaters of the corporate world, absolving all other departments of their responsibility for the risk to the corporation they introduce on a daily basis.  We need to push back and put the onus of dealing with risks and vulnerabilities on the shoulders of the people who are closest to the problem.

The fundamental flaw in security thinking is that we can effectively combat the risk for the entire company.  We can’t.  We have to advise and point out where new or existing risks are, but it’s impossible for the security team within an organization to deal with every single potential vulnerability, and we shouldn’t even be trying.  We need to make a change to the way we think about security and start pushing that responsibility back on the people who can actually effect change.  It’s amazing how many requirements turn into ‘nice to have’ or ‘we don’t really need that’ when the department asking has to shoulder the responsibility.

There’s no quick fix; I think this is something that needs to be a ‘generational’ change in security.  One of the first things that was brought up when I floated this idea amongst my peers is that we can’t just barge into the corporation and force a new way of thinking on it.  And that’s true: we will never be able to make an overnight change to the way other business units perceive us, and we can’t be militant in pushing other parts of the organization to take responsibility for their actions.  It will be an unpopular path to take, since no one wants to take back responsibility once it’s been offloaded.  But it’s imperative we start down this path, because this isn’t a problem that’s going to go away, and as more and more compromises happen, we’re only going to be blamed more for issues we had no authority to change.  We have to change the way we approach risk in the enterprise and slowly educate our businesses about where the responsibility for risk really sits.

There are a number of people who I think are already aware of this fundamental flaw in security thinking.  Andy Ellis over at Akamai, Rafal Los at HP and a number of senior security professionals understand that we can’t take the responsibility for all risk and are pushing it back to the proper departments.  This isn’t to say they’re blocking progress, but that they’re telling the departments, “If this is what you need, we will show you the risks involved.  But you will sign off on those risks and accept that if something goes wrong, it’s not the security department who will take the blame.”  Rafal gave a great talk on this recently at BSides Detroit, and my conversations with him subsequently were a large part of the impetus for this post.

Start by changing your own way of thinking about acceptance of risk.  Push back gently at first, but push back.  Even if you’re unable to get a written statement saying that others take responsibility for the risk they’re creating, bring it up in meetings and stop just accepting it for them.  Talk to your legal department; make sure corporate counsel knows when there’s a risk you think will put the company in danger.  Start cultivating relationships higher in the organization and changing the way other people think about security.  Because as long as we continue to take responsibility for all risk in the corporation, we will be the scapegoats for any compromise and will be unable to be effective.  Not only will we continue to suffer, but the business will continue to be compromised with frightening regularity.

This marks blog post 2000.  It’s taken 7.5 years.  But it’s been worth it.


Jun 07 2011

New to Security? Get on Twitter

It’s not uncommon for me to get questions from aspiring security professionals asking, “What should I be doing to break into security?  How can I learn more about security?”  More and more, my answer to that is becoming simpler:  Get on Twitter.  (I’m @mckeay, unsurprisingly enough)

Twitter has become the “digital water cooler” for a huge number of security professionals.  I’m not saying all security professionals are on it, nor should they be.  But we long ago reached a point of critical mass where there are regular conversations there that used to happen only in the hallway tracks at conventions.  If you look at some of the organized conversations that several companies have held on Twitter (Symantec comes to mind) you’ll start to understand that they see a value in it.  If you look at some of the conversations I’ve personally had in the last 24 hours on almost any day, you’ll see bits and pieces that are of great value, even if the majority of the tweets are stupid quips and pointless jabs at friends.

And that’s what twitter is about: not the huge sweeping conversations or revelations that happen once in a blue moon, but the accretion of little ideas, little questions that will lead you to a deeper understanding of what the people who work in the security world day in, day out are thinking.  Don’t expect a single tweet to rock your world and reveal the secrets of the universe.  Instead, look for the threads that explain how many people view security and the inner dialogue that led them there.  Don’t try to read every tweet; dip your toes into a communal stream of consciousness.  Boy, that sounds so pretentious when written out, but in a lot of ways, that’s exactly what twitter has become.

You’re going to have to dredge through a lot of crud to find the jewels in the twitter stream.  I know my own twitter stream is a perfect example of that.  For every one tweet I send that has value, I probably send twenty that are in-jokes or stupid references to some meme that no one cares about.  But I hope I make up for that when I get started on a rant about PCI compliance or get involved in a conversation about the difference between learning security and learning business.  You may have to put up with a hundred tweets or a thousand, but when you get the one piece of information you needed to hear at that specific moment, it will make everything else worth it.

Don’t plan on getting involved in twitter, other than very superficially, for the first month or so.  Send out a ‘hello world’ tweet before you follow your first person; we security types tend to be a little paranoid and may report you as spam if you’re just a raw profile with no tweets or a description of who you are.  Don’t spend a lot of time on twitter, just check in from time to time and add people who sound interesting as time goes by.  If you need a seed list of people to follow, start with Bill Brenner’s Security pros to find on Twitter.  He updates it almost every Friday.  Soak in the conversations and when you feel the time is right, start responding to people and putting forth your own ideas.

My boss recently started on twitter.  I was a little concerned when he followed me, but I figure anything I say on twitter is public anyway, so if he wanted to check in on what I said, it wouldn’t take more than an extra 30 seconds to find anything, so why worry.  If you’re worried about your friends or family or coworkers following you, then make your profile private or just make sure you don’t tweet anything you need to worry about (unlike certain Congressmen).  But one of the most interesting things I realized from having my boss follow me is that I’ve completely abandoned my RSS feeds in favor of getting most of my news from Twitter.  I learn about new stories faster on twitter than I ever did when they were coming to me through my news reader.  Better, I get the benefit of having people whose views I have some understanding of filtering through the stories before I ever read them.

Once you’ve been on twitter for three to six months, you’ll no longer be an outsider if you’re making an attempt to engage.  Don’t force it, but don’t be afraid to contribute either.  Be natural, talk to the people who are out there, and get an understanding of the community.  There will be many voices, like mine, that seem to be nattering away at almost every hour of the day.  There will be voices that only speak up once every week or two.  Both have their value, both are worth listening to.  And don’t be afraid to unfollow someone if they offend you or seem to be a waste of time.  I won’t mind at all… I mean they won’t mind at all.

You should be looking to get an understanding of how security professionals view not only the hard security issues, but life in general in all the myriad aspects of a security career.  These are real people candidly expressing their viewpoints, exchanging ideas and generally growing by being part of the community.  Once you’ve started gaining that understanding of how people think, the part that’s really going to improve you as a security professional starts: challenge the status quo, question assumptions and look for the areas that people are turning a blind eye towards.

It’s important that new security professionals understand we don’t exist in a job space that’s stable and safe.  Information security as a profession isn’t even 50 years old yet!  Some would say that it’s not even 25 years old as a distinct profession.  And it shows; every day the playing field is changing.  Right now it seems that the bad guys are winning, but by this time next year we may have turned things around and have a good handle on it.  Or things may be so bad you can’t trust anything that your computer tells you.  In either case the only constant you can reasonably expect in a career in security is change.  If you can’t live with that, get out now.

Why is this understanding of change important?  Because a lot of people on twitter come across as experts, either because they purposefully portray themselves as such or because they speak with such authority that other people ascribe that description to them.  In either case, there are a lot of people with strong opinions about how security came to where it is now, what is what in security, and how security should be.  Every one of them has a valid point somewhere, but every one of them makes mistakes and has ideas that won’t fit in your worldview or make sense as they’re presented.  So don’t take them at face value; challenge these ideas, form your own and come to a new understanding of how security was, how security is and how it should be.  If you’re going to be spending time in the security community, you have to realize you’re going to be one of the people who is going to make the future happen, for better or worse.

A closing thought: if you’d like a role-model for how to approach the security profession and twitter, ask Joseph Sokoly aka @jsokoly.  Joseph is young, hasn’t quite graduated from college yet, but has already created a name for himself in the community; first by reaching out to other security professionals to learn and later by presenting on breaking into the security field at BSides Las Vegas in 2010.  Is Joseph smart?  Hell yeah.  But is he so special that that alone makes him stand out in a crowd?  Not by a long shot; in a field that includes some brilliant minds, he only sits a little above average.  Where he has proven to be exceptional is that he’s integrated himself into the community and used twitter as his tool to get it started.  Not too many people will be able to reproduce his efforts, but not many people should try.

Twitter is an echo chamber.  Don’t ever make the mistake of thinking it is the sum total of what is out there for the security community or any community.  But do understand that it’s a powerful tool in learning what it means to be a security professional, and it’s a valuable tool for getting to know people.  That involvement may be what gets you your first job as a security professional.  Or it might just teach you a new way of thinking about security.  And it’s always possible that I’m completely wrong and twitter may be a complete waste of time for you.  But it is worth looking into.


Jun 07 2011

Network Security Podcast, Episode 243

Published by under General,Podcast,Simple Security

We blame Rafal Los for this week’s podcast.  He was looking for someone to host a discussion on which is easier to learn, the business side of the business or the security side of the business.  And he had a cast of characters he wanted to discuss it with.  Being a well-known sucker for these sorts of conversations, Martin volunteered to moderate and help move the conversation along.  Except what started as a single discussion may mutate into an ongoing conversation.  No, none of us are so passionate about what we do that we’d give up sleep in order to do it, are we?

Joking aside, this is a good discussion of how we view the disconnect between the security within a corporation and the business needs of a corporation.  As with many of these conversations, we all agree it’s a problem, but we don’t come to a concrete conclusion about how we can bridge the gap.  As long as we get more people to think about it though, that’s enough for now.  Look for the discussion under the hashtag #SecBiz on twitter.

Network Security Podcast, Episode 243, June 7, 2011
Time:  1:05:55

Show Notes:


Jun 03 2011

My campaign to replace APT with STFU

Published by under General

I don’t know about you, but I’m tired of the term Advanced Persistent Threat.  Every time I see “APT”, I cringe and a little part of my soul dies.  So I decided that I never need to see APT on a web page again and created a little Greasemonkey script that replaces “APT” with “STFU” and “Advanced Persistent Threat” with “Standard Techniques Failed Us” on every site except this one.  It was trivial, it’s not that complex, and it’s certainly not Rugged, but it amuses me.  Which is all that really matters.  Just don’t ask me to troubleshoot it.

Here’s the script for you:

// ==UserScript==
// @name           ReplaceAPT
// @namespace
// @description    Replace "APT" with "STFU"
// @include        *
// (placeholder below: the original excluded this blog's own address, which was lost in extraction)
// @exclude        http://this-blog.example/*
// ==/UserScript==

// Snapshot every text node in the page so each one can be rewritten in place.
var textNodes = document.evaluate("//text()", document, null,
    XPathResult.UNORDERED_NODE_SNAPSHOT_TYPE, null);

// First pass: the long form, matched case-insensitively.
var searchRE = new RegExp('Advanced Persistent Threat', 'gi');
var replace = 'Standard Techniques Failed Us';
for (var i = 0; i < textNodes.snapshotLength; i++) {
    var node = textNodes.snapshotItem(i);
    node.data = node.data.replace(searchRE, replace);
}

// Second pass: the acronym, case-sensitive so lower-case "apt" is left alone.
searchRE = new RegExp('APT', 'g');
replace = 'STFU';
for (var i = 0; i < textNodes.snapshotLength; i++) {
    var node = textNodes.snapshotItem(i);
    node.data = node.data.replace(searchRE, replace);
}

Hat tip to @imaguid for coming up with the term “Standard Techniques Failed Us”
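As an added example (my code, not the blog's script), here is the same rewrite as a reusable JavaScript function plus a DOM walker, with two changes a practitioner would want: word-boundary patterns, so that words such as "ADAPTER" or "CAPTURE" are not mangled by a bare "APT" match, and a filter that skips text inside script and style elements, so the page's own code and CSS are never edited. The replacement pairs are the ones the post uses; the function names, the boundary patterns and the skip list are my own assumptions.

```javascript
// Added example, not the blog's original script. The replacement pairs are
// the post's own; the \b boundaries and the script/style skip are additions.

// Replacement table. Order matters: the long form must be rewritten before
// the acronym, otherwise "Advanced Persistent Threat" never matches.
const REPLACEMENTS = [
  [/\bAdvanced Persistent Threat\b/gi, 'Standard Techniques Failed Us'],
  [/\bAPT\b/g, 'STFU'],
];

// Rewrite a single string. The \b boundaries keep "ADAPTER" and "CAPTURE"
// intact, which the bare 'APT' pattern in the original script would not.
function rewriteText(text) {
  return REPLACEMENTS.reduce((s, [re, rep]) => s.replace(re, rep), text);
}

// Walk a DOM subtree and rewrite every text node, skipping <script> and
// <style> so page code and stylesheets are left untouched. Assumes a browser
// (or jsdom) environment; returns the number of nodes actually changed.
function rewriteDom(root) {
  const doc = root.ownerDocument || root;
  const walker = doc.createTreeWalker(root, NodeFilter.SHOW_TEXT, {
    acceptNode(node) {
      const tag = node.parentNode && node.parentNode.nodeName;
      return tag === 'SCRIPT' || tag === 'STYLE'
        ? NodeFilter.FILTER_REJECT
        : NodeFilter.FILTER_ACCEPT;
    },
  });
  let changed = 0;
  for (let node = walker.nextNode(); node; node = walker.nextNode()) {
    const updated = rewriteText(node.data);
    if (updated !== node.data) {
      node.data = updated;
      changed++;
    }
  }
  return changed;
}

// In a user script this is the entry point; outside a browser it is skipped.
if (typeof document !== 'undefined') {
  rewriteDom(document.body);
}
```

A TreeWalker is used instead of an XPath snapshot because the filter callback gives a natural place to exclude elements whose text is not prose; the same filter is where you would add `TEXTAREA` or `CODE` if you wanted form contents or code samples left alone as well.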
