Archive for the 'General' Category

Jul 13 2014

Impostor syndrome

Published under General, Personal

What am I doing here?  When are they going to realize I don’t know what I’m doing?  How long until they fire me for faking it?  I don’t belong with these people, they’ve actually done something, while nothing I’ve done is remarkable or interesting.  I’m not worthy of this role, of being with these people, of even working in this environment.  I’m making it up as I go along and nothing I could do would ever put me on the same level as the people around me.  How did I end up here?

I know I’m not the only one who has these thoughts.  It seems to be common in the security community and not uncommon in any group of successful people.  It’s called ‘impostor syndrome’ and it’s often considered a sub-set of the Dunning-Kruger effect.  Basically it’s a form of cognitive dissonance where a successful person has a hard time acknowledging his or her success and overemphasizes the many mistakes everyone makes on a daily basis.  To put it simply, it’s the thought we all have from time to time that “I’m not good enough” writ large.

It’s not hard to feel this way sometimes.  In security, we create heroes and rock stars from within our community.  We look at the researchers who discover new vulnerabilities and put them on a stage to tell everyone how great their work is.  We venerate intelligence, we stand in awe of the technical brilliance of others and wish we could do what they do.  We all tend to wonder “Why can’t I be the one doing those things?”

It’s easy to feel like this, to feel you’re not worthy.  We know the mistakes we made getting to where we are.  We know how hard it was, how rocky the road has been, where the false starts and dead ends are and all the things we didn’t accomplish in getting to where we are.  When we look at other people we only see the end results and don’t see all the trials and tribulations they went through to get there.  So it’s all too common to believe they didn’t go through exactly the same road of mistakes and failure that we did.  As if they don’t feel just as out of their depth as we do.

I don’t think there’s a cure for impostor syndrome, nor do I think there should be.  We have a lot of big egos in the security community and sometimes these feelings are the only thing keeping them from running amok.  The flip side of impostor syndrome, illusory superiority, the feeling that you have abilities that far outstrip what you actually have, is almost worse than thinking you’re an impostor.  And I’d rather feel a little inadequate while working to be better than to feel I’m more skilled than I am and stop working to get better.

If you feel like an impostor in your role as a security professional, I can almost guarantee you’re not.  The feeling of inferiority is an indicator that you think you’re capable of more and want to be worthy of the faith and trust those around you have put into you.  You might be faking it on a daily basis, making things up as you go, but the secret is that almost all of us are doing the exact same thing.  It’s when you know exactly what you’re doing day in and day out that you have to be careful to fight complacency and beware of illusory superiority.  It’s better to think you’re not good enough and strive for more than to think you’ve made it and are the best you can be.


Mar 05 2014

DDoS becoming a bigger pain in the …

Published under Cloud, General, Hacking, Risk

I’m in the middle of writing the DDoS section of the 2013 State of the Internet Report, which is something that makes me spend a lot of time thinking about how DDoS is affecting the Internet (Wouldn’t be all that valuable if I didn’t put some thought into it, now would it?).  Plus I just got back from RSA where I interviewed DOSarrest’s Jag Bains and talked to our competitors at the show. Akamai finally closed the deal on Prolexic about three weeks ago, so my new co-workers are starting to get more involved and being more available.  All of which means that there’s a ton of DDoS information available at my fingertips right now and the story it tells doesn’t look good.  From what I’m seeing, things are only going to get worse as 2014 progresses.

This Reuters story captures the majority of my concerns with DDoS.  As a tool, it’s becoming cheaper and easier to use almost daily.  The recent NTP reflection attacks show that the sheer volume of traffic is becoming a major issue.  And even if volumetric attacks weren’t growing, the attack surface for application layer attacks grows daily, since more applications come on line every day and there’s no evidence anywhere I’ve ever looked that developers are becoming better at securing them (yes, a small subset of developers are, but they’re the exception). is only the latest victim of a DDoS extortion scam, and while they didn’t pay, I’m sure there are plenty of other companies who’ve paid simply to make the problem go away without a fuss.  After all, $300 is almost nothing compared to the cost of a sustained DDoS on your infrastructure, not to mention the reputational cost when you’re offline.

I’d hate to say anything like “2014 is the Year of DDoS!”  I’ll leave that sort of hyperbole to the marketing departments, whether it’s mine or someone else’s.  But we’ve seen a definite trend that the number of attacks is growing year over year at an alarming rate.  And it’s not only the number of attacks that is growing, it’s the size of the volumetric attacks and the complexity of the application layer attacks.  Sure, the majority of them are still relatively small and simple, but the outliers are getting better and better at attacking.  Those of us building out infrastructure to defend against these attacks are also getting better, but the majority of companies still have little or no defense against such attacks and they’re not the sort of defenses you can put in quickly or easily without a lot of help.

I need to get back to other writing, but I am concerned about this trend.  My data agrees with most of my competitors; DDoS is going to continue to be a growing problem.  Yes, that’s good for business, but as a security professional, I don’t like to see trends like this.  I think the biggest reason this will continue to grow is that it’s an incredibly difficult crime to track back to the source; law enforcement generally doesn’t have the time or skills needed to find the attackers and no business I know of has the authority or inclination to do the same.  Which means the attackers can continue to DDoS with impunity.  At least the ones who’re smart enough to not attack directly from their own home network, that is.


Jan 21 2014

Faking Safe Harbor compliance

Published under General

If you’ve ever had to deal with data privacy laws, then you’ve probably heard of the EU Safe Harbor framework.  These are basically a set of 7 basic guidelines (Notice, Choice, Onward Transfer, Security, Data Integrity, Access & Enforcement) that govern how any US company doing business in the EU will treat private information.  Doesn’t sound too bad, but the reality is that Safe Harbor is a bit of a pain to comply with, since there are different interpretations of the rules for nearly every country in the EU.  The rules in one country, say Italy, might be relatively short and easy to understand, while the rules in another, maybe Germany, might be long, complex and convoluted.  The general outline is the same for all countries, but they get to decide their own specific implementations.  You can see that this might make it a little hard to comply with the Safe Harbor framework, even though the laws all originate from the same framework.

So it doesn’t surprise me too much to find out that the Federal Trade Commission has announced that a dozen companies, including Level 3 and a few football teams (??), have violated the Safe Harbor rules.  According to Gigaom, the violations are technical in nature, rather than being willful violations.  This means they were probably tracking visitors using cookies in the wrong way or retaining information about their clients they shouldn’t have.  It wouldn’t take much, since in some countries an IP address can be considered privately identifiable information (PII) and retaining that information would be a violation.  On the other hand, I can fully believe that companies such as the accounting firms named in the violations knew they were keeping information they shouldn’t, but had to in order to perform the roles they’re paid to do.

I believe one of the points that’s easy to miss in the article is probably the most important: “US companies have been deceiving people by using out-of-date certification marks”.  In other words, these companies at one time had been self-certified or audited by a third party, but let this lapse and continued to do business and sell products by stating they were Safe Harbor certified.  If the FTC did an audit of their own records, made a list of the organizations that let their certifications lapse and then investigated those organizations, it would explain why these people made the list.  It would also be a warning shot across the bow for other companies that have let their compliance lapse, and an indicator that there are a lot more companies that might be facing scrutiny in the future.  If your company has Safe Harbor responsibilities, I’d definitely review your own compliance level.

I can almost guarantee that Safe Harbor will be getting a lot more attention this year than it has in the past.  The US is, and will be for some time to come, under the microscope by EU governments and organizations.  The NSA efforts uncovered by Snowden make this a given, just as they make the handwaving by the FTC a given.  This probably marks the first time that the FTC has taken Safe Harbor seriously in quite some time, but it won’t be the last.


Jan 05 2014

Much needed vacation

Published under General, Personal, Risk

I’m back after a two-week self-enforced hiatus from all things security and work related.  For the last 14 days, I haven’t checked emails, I haven’t been on twitter, I haven’t checked the news, I haven’t read the news sites.  I’ve simply spent time with my family, played Minecraft, watched anime and eaten my way through the Christmas holidays.  And there were gifts in there somewhere as well.  Vacation started as a weekend in Munich, but the vast majority of it was spent at home near London with no deadlines, except a couple of shopping trips with the wife and kids.  All in all, it was one of the most relaxing times I’ve had in years.  And it was sorely needed.

All jobs are stressful to one degree or another, it’s just a fact of life.  But security is a more stressful job than most.  I’ve done a few panels with other security professionals talking about the stress we face, and we’ve done (okay, mainly folks like Jack Daniel and K.C. Yerrid have done) some research into it and found that our high stress is an actual fact, not just something we say to make ourselves feel more important.  Our chosen career is difficult to be good at, we’re constantly under multiple conflicting demands and it almost never slows down.  Is it any wonder that we feel stressed?

It’s almost a joke when you talk to security professionals about substance abuse in our industry.  It’s nearly expected of people to get stupid at conferences.  But it’s not a joke at all, something that was graphically illustrated by the loss of Barnaby Jack last year.  Substance abuse may not be an industry wide problem, but it’s definitely something that we need to be aware of.  I can think of at least half a dozen people who I’ve jokingly made comments about in the last couple of years who might be in real danger.  Most of them know they can come to me if they need support, but I know that’s the best I can do if they don’t want to change.  How many people do you know in a similar position?  Have you expressed concern or at least let them know you will help if they ask?

It’s not my place to get preachy or say I’m any better than anyone else, but I do think we need to be aware and check our own stress levels from time to time.  Let your friends in the industry know you’ll support them if they need help, but more importantly, know when you need to take a break and get away from the whole scene once in a while.  We do important work, but we can’t do it if we’re too wrapped up in our own problems to function properly.

Now to get caught up on two weeks of work emails.  Luckily, most of my co-workers took the Christmas holidays off, at least in part, so it won’t be quite as bad as it could be.


Dec 12 2013

Annual Predictions: Stop, think, don’t!

One of my pet peeves ever since I started blogging has been the annual ritual of the vendor security predictions.  Marketing teams must think these are a great idea, because we see them again and again … ad nauseam.  Why not?  Reporters and bloggers like them because they make for an easy story that can simply be cut and pasted from the vendor’s press release, a fair number of people will read them and everyone gets more page views.  And there’s absolutely no downside to them, except for angry bloggers like me who rant in obscure corners of the internet about how stupid these lists are.  No one actually holds any of the authors to a standard and measures how accurate they were in any case.

Really, the amazingly stupid part of these annual lists is that they’re not predictive in the least.  With rare exceptions, the authors are looking at what they’ve seen happening in the last three months of the year and try to draw some sort of causal line to what will happen next year.  The exceptions are either simply repeating the same drivel they reported the year before or writing wildly outrageous fantasies just to see if anyone is actually reading.  Actually, it’s the last category, the outrageous fantasy, that I find the most useful and probably the predictions most likely to come true in any meaningful way.

These predictions serve absolutely no purpose other than getting page views.  As my friend and coworker, Dave Lewis, pointed out, most of the predictions from the year 2000 could be reprinted today and no one would notice the difference.  We have a hard enough time dealing with the known vulnerabilities and system issues that we know are happening as a fact; many of the controls needed to combat the issues in predictions are either beyond our capabilities or controls we should already have in place but don’t.  So what does a prediction get the reader?  Nothing.  What does it get a vendor?  A few more page views … and a little less respect.

So, please, please, please, if your marketing or PR departments are asking you to write a Top 10 Security Predictions for 2014, say NO.  Sure, it’s easy to sit down for thirty minutes and BS your way through some predictions, but why?  Let someone else embarrass themselves with a list everyone knows is meaningless.  Spend the time focusing on one issue you’ve seen in the last year and how to overcome it.  Concentrate on one basic, core concept every security department should be working on and talk about that.  Write about almost anything other than security predictions for the coming year.  Because they’re utterly and completely worthless.

Remember: Stop, Think, Don’t!


Dec 02 2013

Huawei is pulling out?

Published under General

Apparently the CEO of Huawei says they are giving up on America.  But he doesn’t say exactly what that means.  To me, that says they’ll probably stop any expansion in the US and stop trying to actively find new business, rather than closing any offices, at least in the immediate future.  They’re fairly happy with their handset sales, according to Ren Zhengfei, but their sales of networking equipment have been severely hampered by allegations of being nothing but a thinly veiled front for the Chinese government, something the company strenuously denies.

In case you’ve never heard of Huawei (Hwa-way, is the correct way to pronounce it), they’re a Chinese networking and phone manufacturer who’s long been accused of having back doors in their system software for use by the Chinese government.  As far as I know, there’s never actually been such a backdoor found, but the software is also so buggy and easy to compromise that there isn’t really a need to backdoor the systems. The quality control of their operating system is possibly some of the worst in the world if rumor is to be believed, but I’m in no position to know or look at the software myself.

So Huawei has been banned from a number of projects in Australia, they’re pulling back on the US and they’re not considered trustworthy by many other countries around the globe.  You’d think this would limit their growth, but they’re apparently preferred over many of the US vendors by China, which should be no surprise.  China’s market is huge, so the company can have a long and fruitful life, but any dreams of world domination are probably going to have to go by the wayside for now.


Dec 01 2013

Security in popular culture

One of the shows I’ve started watching since coming to the UK is called “QI XL”.  It’s a quiz show/comedy hour hosted by Stephen Fry where he asks trivia questions of people who I assume are celebrities here in Britain.  As often as not I have no clue who these people are.  It’s fun because rather than simply asking his questions one after another, the group of them riff off one another and sound a little bit like my friends do when we get together for drinks.  I wouldn’t say it’s a show for kids though, since the topics and the conversation can get a little risqué, occasionally straying into territory you don’t want to explain to anyone under 18.

Last night I watched a show with someone I definitely recognized: Jeremy Clarkson from Top Gear.  A question came up about passwords and securing them, which Clarkson was surprisingly adept at answering, with the whole “upper case, lower case, numbers and symbols” mantra that we do so love in security.  He even knew he wasn’t supposed to write them down.  Except he was wrong on that last part.  As Stephen Fry pointed out, “No one can remember all those complex passwords!  At least no one you’d want to have a conversation with.”

Telling people not to write down their passwords is a disservice we as a community have been pushing for far too long.  Mr. Fry is absolutely correct that no one can remember all the passwords we need to get by in our daily life.  I don’t know about anyone else, but I’ll probably have to enter at least a dozen passwords before the end of today, each one different, with different levels of security and confidentiality needed.  I can’t remember that many passwords, and luckily I don’t have to since I use 1Password to record them for me.  

But let’s think about the average user for a moment; even as easy as 1Password or LastPass are to use, they’re probably still too complex for many users.  I’m not trying to belittle users, but many people don’t have the time or interest to learn how to use a new tool, no matter how easy.  So why can’t they use something they’re intimately familiar with, the pen and paper?  The answer is, they can, they just have to learn to keep those secrets safe, rather than taping the password on a note under their keyboard.

We have a secret every one of us carries with us every day, our keys.  You can consider it a physical token as well, but really it’s the shape of your keys in particular that is the secret.  If someone else knows the shape of your keys, they can create their own and open anything your keys will open.  This is a paradigm every user is familiar with and they know how to secure their keys.  So why aren’t more of us teaching our users to write down their passwords in a small booklet and treat it with the same care and attention they give their keys?  Other than the fact it’s not what we were taught by our mentors from the beginning, that is.

A user who can write down their passwords is more likely to choose a long, complex password, something they’d probably have a hard time remembering otherwise.  And as long as they are going to treat that written password as what it is, a key to their accounts, then we’ll all end up with a little more security on the whole.  So next time you’re preparing to teach a security awareness class, go back to the stationery store and pick up one of those little password notebooks we’ve all made fun of and hand them out to your users, but remind them they need to keep the booklet as safe as they do their other keys.  If you’re smart, you’ll also include a note with a link to LastPass or 1Password as well; might as well give them a chance to have even a little better security.


Nov 24 2013

Et tu, Television?

Published under General

I’m getting used to the idea that the NSA and the GCHQ are looking at every packet that crosses the Internet.  I hate it, I think it’s wrong, but I can understand that they think it’s their mandate to spy on us in order to protect us.  The logic is deeply flawed, but at least it’s understandable that they’d convince themselves that it’s worth the risk that such spying entails.  However, when my television starts spying on my viewing habits, the drives I plug into it and every file on my network, then sending the information back to LG, all in the name of providing ‘a better viewing experience’, someone has most definitely pole vaulted over the line into the pit of pure stupidity.

If you’ve missed it, last week blogger DoctorBeet did some sniffing on his home network and found his LG TV was phoning home to the manufacturer and reporting on his viewing habits.  It sent packets when turned on, as it was turned off, any time he changed the channel, and most importantly, it catalogued any USB drive he plugged into it.  And now a second blogger has found that LG is scanning all the network shares you might have and reporting that information back to the home servers.  When confronted by DoctorBeet with these egregious privacy violations, LG’s initial response was “you signed off on the terms of service, so take the TV back to the store you bought it from if you don’t like it”.  They’ve since had a change of heart, mostly because bloggers and news sites around the globe have started raising a big stink about the story.  Oh, and while there is an option to turn off the data collection, this just means that you’ve set a flag to tell LG to ignore your data when it gets to their servers, not stop collecting it in the first place.  You’ll just have to trust them that there’s no PII and that they actually dump your information from the databases.

We already know that Smart TVs are riddled with vulnerabilities and that many are running a stripped down Linux kernel in the background, some complete with web servers on the backend.  I’d hazard a guess that most of the services are running as root on the TV, that the developers have never heard of SSL and that all the connections to your phone and tablet are done over the public internet completely unencrypted.  While someone at the manufacturer might have raised the spectre of security, he or she was probably shouted down in favor of adding more capabilities to the TV as cheaply as possible.

The Internet of Things means that this type of spying and vulnerable technology on our home networks is only going to get more prevalent as time goes by.  Someone out there is probably already working on the web enabled refrigerator that reads the NFC chip on your milk carton to automatically send a request to Tesco when your milk gets low or reaches its expiration date.  And some day we’ll have an alarm clock that phones in to work for you when you sleep in and are going to be late for work.  And this will all be a data source for the marketing companies.  And the NSA.

Some of this will be handled by legislation that makes data collection like what LG is doing illegal.  It will still happen, but it’ll become less common as companies get caught by bloggers and the press, embarrassed into removing the snooping technologies from their hardware.  Or, more likely, they’ll learn to be more circumspect in what they’re capturing and how they transmit it back to home base.  And the intelligence agencies will want access to it all.  Isn’t paranoia fun, especially when it’s closer to reality than a psychosis?

Update: I’ve only had a little time to poke at the web server on my Samsung TV, but some gentlemen at University of Amsterdam have dug into it more deeply than I could hope to.  I’m guessing there’s still more to find on these TVs.


Nov 10 2013

Big Brother in the Sky

Published under General

I fly a lot; I’ve flown well over 100K miles this year so far, and at least as much the previous two years.  I know that the airlines I fly, primarily Star Alliance, know a lot about me.  And I know that security isn’t one of their primary concerns, something illustrated very graphically by the way United’s own site log on and phone system treats passwords and PINs.  So don’t expect me to be very hopeful that they’ll do a very good job in protecting my information from threats internal or external as they begin creating huge data mines about every customer who ever flies the friendly skies.

It still surprises me slightly when an attendant on a flight greets me by name when I get an upgrade, but when I think about it, I shouldn’t be.  After all, every seat on the plane is assigned, we filled out forms telling them what our credit card numbers are, where we’re coming from, where we’re going and what we’d like to eat along the way.  Now take that a few steps farther and start keeping track of what we like to drink on the way, what movies we watched while we’re in the air and what each of our destinations have been in the last five years.  It’s fairly easy to build up a pretty sophisticated profile on a customer from just that data, but if you add in all the little tracking details that might be available from when you were browsing the Internet to purchase the ticket to begin with a whole new world of profiling exists for the airlines to explore.  I truly doubt their ability to protect this data in a meaningful way, which means it’ll be open to attackers, whether they’re governments or organized crime.

It’s interesting that the airlines, or at least American Airlines, are cognizant that there’s a line that once crossed brings them into “creepy” territory.  I fly enough that I recognize some of the staff on my flights, but imagine if you’re meeting a steward on a flight for the first time and they apologize that the airline lost your luggage on your last trip.  Or they ask you how your vacation to Greece was.  The potential for stalkers amongst the crew might be a far-fetched idea, but it only takes one really strange person to ruin your day.

Data mining is a given in this day and age, so I guess the only really surprising thing about the airlines getting into it is that they took so long.  I don’t know what they hope to sell me on my flight, since I’ve never purchased anything from an in-flight magazine, but they’re definitely hoping they can increase profits somehow.  Personally, I’m more concerned about getting an upgrade to business class than I am with making a purchase on their site.  And I wish they could put a little more of that computing power into making sure my flights leave and arrive on time rather than trying to sell me stuff.


Oct 27 2013

Battling for Power

Published under General

“The Battle for Power on the Internet” is long, but it’s a worthwhile read.  I’m not going to try to sum it up in a few lines or even a few hundred words, but it’s a well thought out piece by Bruce Schneier.  I think I’ve seen him speak too many times, because I can hear his voice in my head as I read it.

One point he makes is worth calling out though, the ‘security gap’.  Basically, this is the space between new technologies being created, and exploited, and law enforcement’s ability to police and enforce societal rules on the technology.  And because our technology is changing faster than it’s ever changed before, that gap is growing wider and wider.  

The mirror of the security gap should probably be called the ‘surveillance gap’: the space between government and corporations’ ability to monitor the activities of citizens and citizens’ ability to maintain some sort of privacy and anonymity.  This gap is widening even faster than the security gap, because governments are using terrorism and criminal behaviour as a reason, or excuse, to spend enormous amounts of money on surveillance.  And as Bruce points out, the criminals and those who have specific reasons to avoid being watched can find ways around the eyes and ears in the network while the average person is always under the microscope.

There are no easy answers to this problem, but the article raises a number of interesting points.  Go, read it, form your own opinions.  And think about how this affects our future.
