Archive for the 'General' Category

Jan 05 2014

Much needed vacation

Published by under General,Personal,Risk

I’m back after a two week self-enforced hiatus from all things security and work related.  For the last 14 days, I haven’t checked emails, I haven’t been on twitter, I haven’t checked the news, I haven’t read the news sites.  I’ve simply spent time with my family, played Minecraft, watched anime and eaten my way through the Christmas holidays.  And there were gifts in there somewhere as well.  Vacation started as a weekend in Munich, but the vast majority of it was spent at home near London with no deadlines, except a couple of shopping trips with the wife and kids.  All in all, it was one of the most relaxing times I’ve had in years.  And it was sorely needed.

All jobs are stressful to one degree or another; it’s just a fact of life.  But security is a more stressful job than most.  I’ve done a few panels with other security professionals talking about the stress we face, and we’ve done (okay, mainly folks like Jack Daniel and K.C. Yerrid have done) some research into it and found that our high stress is an actual fact, not just something we say to make ourselves feel more important.  Our chosen career is difficult to be good at, we’re constantly under multiple conflicting demands and it almost never slows down.  Is it any wonder that we feel stressed?

It’s almost a joke when you talk to security professionals about substance abuse in our industry.  It’s nearly expected of people to get stupid at conferences.  But it’s not a joke at all, something that was graphically illustrated by the loss of Barnaby Jack last year.  Substance abuse may not be an industry wide problem, but it’s definitely something that we need to be aware of.  I can think of at least half a dozen people who I’ve jokingly made comments about in the last couple of years who might be in real danger.  Most of them know they can come to me if they need support, but I know that’s the best I can do if they don’t want to change.  How many people do you know in a similar position?  Have you expressed concern or at least let them know you will help if they ask?

It’s not my place to get preachy or say I’m any better than anyone else, but I do think we need to be aware and check our own stress levels from time to time.  Let your friends in the industry know you’ll support them if they need help, but more importantly, know when you need to take a break and get away from the whole scene once in a while.  We do important work, but we can’t do it if we’re too wrapped up in our own problems to function properly.

Now to get caught up on two weeks of work emails.  Luckily, most of my co-workers took the Christmas holidays off, at least in part, so it won’t be quite as bad as it could be.


Dec 12 2013

Annual Predictions: Stop, think, don’t!

One of my pet peeves ever since I started blogging has been the annual ritual of the vendor security predictions.  Marketing teams must think these are a great idea, because we see them again and again … ad nauseam.  Why not?  Reporters and bloggers like them because they make for an easy story that can simply be cut and pasted from the vendor’s press release, a fair number of people will read them and everyone gets more page views.  And there’s absolutely no downside to them, except for angry bloggers like me who rant in obscure corners of the internet about how stupid these lists are.  No one actually holds any of the authors to a standard and measures how accurate they were in any case.

Really, the amazingly stupid part of these annual lists is that they’re not predictive in the least.  With rare exceptions, the authors are looking at what they’ve seen happening in the last three months of the year and try to draw some sort of causal line to what will happen next year.  The exceptions are either simply repeating the same drivel they reported the year before or writing wildly outrageous fantasies just to see if anyone is actually reading.  Actually, it’s the last category, the outrageous fantasy, that I find the most useful and probably the predictions most likely to come true in any meaningful way.

These predictions serve absolutely no purpose other than getting page views.  As my friend and coworker, Dave Lewis, pointed out, most of the predictions from the year 2000 could be reprinted today and no one would notice the difference.  We have a hard enough time dealing with the known vulnerabilities and system issues that are happening right now as a matter of fact; many of the controls needed to combat the issues in predictions are either beyond our capabilities or controls we should already have in place but don’t.  So what does a prediction get the reader?  Nothing.  What does it get a vendor?  A few more page views … and a little less respect.

So, please, please, please, if your marketing or PR departments are asking you to write a Top 10 Security Predictions for 2014, say NO.  Sure, it’s easy to sit down for thirty minutes and BS your way through some predictions, but why?  Let someone else embarrass themselves with a list everyone knows is meaningless.  Spend the time focusing on one issue you’ve seen in the last year and how to overcome it.  Concentrate on one basic, core concept every security department should be working on and talk about that.  Write about almost anything other than security predictions for the coming year.  Because they’re utterly and completely worthless.

Remember: Stop, Think, Don’t!


Dec 02 2013

Huawei is pulling out?

Published by under General

Apparently the CEO of Huawei says they are giving up on America.  But he doesn’t say exactly what that means.  To me, that says they’ll probably stop any expansion in the US and stop trying to actively find new business, rather than closing any offices, at least in the immediate future.  They’re fairly happy with their handset sales, according to Ren Zhengfei, but their sales of networking equipment have been severely hampered by allegations of being nothing but a thinly veiled front for the Chinese government, something the company strenuously denies.

In case you’ve never heard of Huawei (Hwa-way is the correct way to pronounce it), they’re a Chinese networking and phone manufacturer which has long been accused of having back doors in its system software for use by the Chinese government.  As far as I know, there’s never actually been such a backdoor found, but the software is also so buggy and easy to compromise that there isn’t really a need to backdoor the systems.  The quality control of their operating system is possibly some of the worst in the world if rumor is to be believed, but I’m in no position to know or look at the software myself.

So Huawei has been banned from a number of projects in Australia, they’re pulling back on the US and they’re not considered trustworthy by many other countries around the globe.  You’d think this would limit their growth, but they’re apparently preferred over many of the US vendors by China, which should be no surprise.  China’s market is huge, so the company can have a long and fruitful life, but any dreams of world domination are probably going to have to go by the wayside for now.


Dec 01 2013

Security in popular culture

One of the shows I’ve started watching since coming to the UK is called “QI XL”.  It’s a quiz show/comedy hour hosted by Stephen Fry where he asks trivia questions of people who I assume are celebrities here in Britain.  As often as not I have no clue who these people are.  It’s fun because rather than simply asking his questions one after another, the group of them riff off one another and sound a little bit like my friends do when we get together for drinks.  I wouldn’t say it’s a show for kids though, since the topics and the conversation can get a little risqué, occasionally straying into territory you don’t want to explain to anyone under 18.

Last night I watched a show with someone I definitely recognized: Jeremy Clarkson from Top Gear.  A question came up about passwords and securing them, which Clarkson was surprisingly adept at answering, with the whole “upper case, lower case, numbers and symbols” mantra that we do so love in security.  He even knew he wasn’t supposed to write them down.  Except he was wrong on that last part.  As Stephen Fry pointed out, “No one can remember all those complex passwords!  At least no one you’d want to have a conversation with.”

Telling people not to write down their passwords is a disservice we as a community have been pushing for far too long.  Mr. Fry is absolutely correct that no one can remember all the passwords we need to get by in our daily life.  I don’t know about anyone else, but I’ll probably have to enter at least a dozen passwords before the end of today, each one different, with different levels of security and confidentiality needed.  I can’t remember that many passwords, and luckily I don’t have to since I use 1Password to record them for me.  

But let’s think about the average user for a moment; even as easy as 1Password or LastPass are to use, they’re probably still too complex for many users.  I’m not trying to belittle users, but many people don’t have the time or interest to learn how to use a new tool, no matter how easy.  So why can’t they use something they’re intimately familiar with, the pen and paper?  The answer is, they can; they just have to learn to keep those secrets safe, rather than taping the password on a note under their keyboard.

We have a secret every one of us carries with us every day: our keys.  You can consider it a physical token as well, but really it’s the shape of your keys in particular that is the secret.  If someone else knows the shape of your keys, they can create their own and open anything your keys will open.  This is a paradigm every user is familiar with, and they know how to secure their keys.  So why aren’t more of us teaching our users to write down their passwords in a small booklet and treat it with the same care and attention they give their keys?  Other than the fact it’s not what we were taught by our mentors from the beginning, that is.

A user who can write down their passwords is more likely to choose a long, complex password, something they’d probably have a hard time remembering otherwise.  And as long as they are going to treat that written password as what it is, a key to their accounts, then we’ll all end up with a little more security on the whole.  So next time you’re preparing to teach a security awareness class, go back to the stationery store and pick up one of those little password notebooks we’ve all made fun of and hand them out to your users, but remind them they need to keep the booklet as safe as they do their other keys.  If you’re smart, you’ll also include a note with a link to LastPass or 1Password as well; might as well give them a chance to have even a little better security.


Nov 24 2013

Et tu, Television?

Published by under General

I’m getting used to the idea that the NSA and the GCHQ are looking at every packet that crosses the Internet.  I hate it, I think it’s wrong, but I can understand that they think it’s their mandate to spy on us in order to protect us.  The logic is deeply flawed, but at least it’s understandable that they’d convince themselves that it’s worth the risk that such spying entails.  However, when my television starts spying on my viewing habits, the drives I plug into it and every file on my network, then sending the information back to LG, all in the name of providing ‘a better viewing experience’, someone has most definitely pole vaulted over the line into the pit of pure stupidity.

If you’ve missed it, last week blogger DoctorBeet did some sniffing on his home network and found his LG TV was phoning home to the manufacturer and reporting on his viewing habits.  It sent packets when turned on, as it was turned off, any time he changed the channel, and most importantly, it catalogued any USB drive he plugged into it.  And now a second blogger has found that LG is scanning all the network shares you might have and reporting that information back to the home servers.  When confronted by DoctorBeet with these egregious privacy violations, LG’s initial response was “you signed off on the terms of service, so take the TV back to the store you bought it from if you don’t like it”.  They’ve since had a change of heart, mostly because bloggers and news sites around the globe have started raising a big stink about the story.  Oh, and while there is an option to turn off the data collection, this just means that you’ve set a flag to tell LG to ignore your data when it gets to their servers, not to stop collecting it in the first place.  You’ll just have to trust them that there’s no PII and that they actually dump your information from the databases.

We already know that Smart TVs are riddled with vulnerabilities and that many are running a stripped down Linux kernel in the background, some complete with web servers on the backend.  I’d hazard a guess that most of the services are running as root on the TV, that the developers have never heard of SSL and that all the connections to your phone and tablet are done over the public internet completely unencrypted.  While someone at the manufacturer might have raised the spectre of security, he or she was probably shouted down in favor of adding more capabilities to the TV as cheaply as possible.

The Internet of Things means that this type of spying and vulnerable technology on our home networks is only going to get more prevalent as time goes by.  Someone out there is probably already working on the web enabled refrigerator that reads the NFC chip on your milk carton to automatically send a request to Tesco when your milk gets low or reaches its expiration date.  And some day we’ll have an alarm clock that phones in to work for you when you sleep in and are going to be late for work.  And this will all be a data source for the marketing companies.  And the NSA.

Some of this will be handled by legislation that makes data collection like what LG is doing illegal.  It will still happen, but it’ll become less common as companies get caught by bloggers and the press, embarrassed into removing the snooping technologies from their hardware.  Or, more likely, they’ll learn to be more circumspect in what they’re capturing and how they transmit it back to home base.  And the intelligence agencies will want access to it all.  Isn’t paranoia fun, especially when it’s closer to reality than a psychosis?

Update: I’ve only had a little time to poke at the web server on my Samsung TV, but some gentlemen at University of Amsterdam have dug into it more deeply than I could hope to.  I’m guessing there’s still more to find on these TVs.


Nov 10 2013

Big Brother in the Sky

Published by under General

I fly a lot; I’ve flown well over 100K miles this year so far, and at least as much in each of the previous two years.  I know that the airlines I fly, primarily Star Alliance, know a lot about me.  And I know that security isn’t one of their primary concerns, something illustrated very graphically by the way United’s own site log-on and phone system treat passwords and PINs.  So don’t expect me to be very hopeful that they’ll do a very good job in protecting my information from threats internal or external as they begin creating huge data mines about every customer who ever flies the friendly skies.

It still surprises me slightly when an attendant on a flight greets me by name when I get an upgrade, but when I think about it, I shouldn’t be.  After all, every seat on the plane is assigned, and we filled out forms telling them what our credit card numbers are, where we’re coming from, where we’re going and what we’d like to eat along the way.  Now take that a few steps farther and start keeping track of what we like to drink on the way, what movies we watched while we’re in the air and what each of our destinations has been in the last five years.  It’s fairly easy to build up a pretty sophisticated profile on a customer from just that data, but if you add in all the little tracking details that might be available from when you were browsing the Internet to purchase the ticket to begin with, a whole new world of profiling exists for the airlines to explore.  I truly doubt their ability to protect this data in a meaningful way, which means it’ll be open to attackers, whether they’re governments or organized crime.

It’s interesting that the airlines, or at least American Airlines, are cognizant that there’s a line that once crossed brings them into “creepy” territory.  I fly enough that I recognize some of the staff on my flights, but imagine if you’re meeting a steward on a flight for the first time and they apologize that the airline lost your luggage on your last trip.  Or they ask you how your vacation to Greece was.  The potential for stalkers amongst the crew might be a far fetched idea, but it only takes one really strange person to ruin your day.

Data mining is a given in this day and age, so I guess the only really surprising thing about the airlines getting into it is that they took so long.  I don’t know what they hope to sell me on my flight, since I’ve never purchased anything from an in-flight magazine, but they’re definitely hoping they can increase profits somehow.  Personally, I’m more concerned about getting an upgrade to business class than I am with making a purchase on their site.  And I wish they could put a little more of that computing power into making sure my flights leave and arrive on time rather than trying to sell me stuff.


Oct 27 2013

Battling for Power

Published by under General

“The Battle for Power on the Internet” is long, but it’s a worthwhile read.  I’m not going to try to sum it up in a few lines or even a few hundred words, but it’s a well thought out piece by Bruce Schneier.  I think I’ve seen him speak too many times, because I can hear his voice in my head as I read it.

One point he makes is worth calling out though: the ‘security gap’.  Basically, this is the space between new technologies being created, and exploited, and law enforcement’s ability to police and enforce societal rules on the technology.  And because our technology is changing faster than it’s ever changed before, that gap is growing wider and wider.

The mirror of the security gap should probably be called the ‘surveillance gap’: the space between government and corporations’ ability to monitor the activities of citizens and citizens’ ability to maintain some sort of privacy and anonymity.  This gap is widening even faster than the security gap, because governments are using terrorism and criminal behaviour as a reason, or excuse, to spend enormous amounts of money on surveillance.  And as Bruce points out, the criminals and those who have specific reasons to avoid being watched can find ways around the eyes and ears in the network while the average person is always under the microscope.

There are no easy answers to this problem, but the article raises a number of interesting points.  Go, read it, form your own opinions.  And think about how this affects our future.


Oct 27 2013

Making the right mouth noises, but…

Published by under General

The security team at LinkedIn is stating they’ve done a spanking awesome job of securing Intro and that we should trust in them.  This came out on Saturday in the form of a blog post from LinkedIn’s Cory Scott.  Cory has an impressive background, with time spent at Matasano Security and Symantec.  You can check out his LinkedIn profile for yourself if you want.  And it sounds like they’ve got a pretty good setup.  But he’s missing the main point: LinkedIn has painted a huge target on themselves by asking for access to data they should never be asking for in the first place.

I could pick apart every single claim he has made in the blog post; I have to explain and defend similar statements every day in my own role, and what he’s said is almost meaningless given the level of detail he’s telling us.  What does it mean to have a ‘tight security perimeter’ or ‘the right monitoring in place’?  A tight perimeter only lasts until the marketing team decides they need direct access to data or an admin makes a mistake on a network configuration.  What is ‘the right monitoring’ in this case?  How closely is LinkedIn looking at the data coming into, and more importantly, leaving their network?  LinkedIn has had several high profile compromises in the last few years and I’m willing to bet that they thought they had the proper level of monitoring in each of those cases too.

What’s really the problem is what LinkedIn had to do in order to create Intro.  This isn’t actually much of a program; it’s really a configuration profile that you install to give LinkedIn permission to insert itself into the traffic between iOS and the IMAP server you’re connecting to.  They’re breaking the communication channel and any security surrounding it in order to be able to insert their own content.  Even if they don’t monitor the email content itself, the metadata about the emails you send is invaluable when it comes to understanding your network of contacts and friends.  Just look at how closely this mirrors the current international debate about the NSA.  I can’t see why anyone would be more willing to trust LinkedIn any more than they’d trust a shadowy government agency.  At least the NSA supposedly has our best interest at heart and won’t sell our data in order to meet Wall Street earnings numbers.

Then there’s the issue of being able to inject HTML code and a user interface (UI) into your email, one that allows them to push HTML and CSS to your desktop.  How much testing has that really undergone?  How is the system protected from malicious code being injected into the stream?  If these systems are somehow compromised, then the entire user base of LinkedIn could easily be compromised.  Or an attacker could wait until a specific target uses the service, vastly increasing the chances to remain undetected.

I maintain that LinkedIn has made a huge mistake with Intro.  If I was a well funded, adaptive attacker, I’d be quickly sniffing around the edges of Intro, looking at how I can compromise the profiles, if I can intercept the communication between the devices and LinkedIn and how I can compromise the servers and services LinkedIn is offering.  They’ve made themselves the center man in a circle of communication, a role I have a hard time believing they’re ready for and that they have the ability to properly secure.  This isn’t the type of activity and network that standard security practices, even done right 100% of the time, are ready and able to handle.  LinkedIn’s history doesn’t leave me feeling they’ve done even standard security practices to industry leading standards, so why should I feel they’ve done it right this time?

If Intro lasts a year without some sort of class break or system compromise, I’ll be surprised.  I wish them luck, but I maintain this was a bad idea any security professional should have called a halt to early in the planning process.  And I won’t be surprised if Apple calls a halt to this either.


Oct 22 2013

Renting isn’t an excuse for spying

Published by under General

I know Rich, Zach and I talked about Aaron’s before on the podcast.  This is a company that rents out many items to customers, including laptops.  A few years ago they thought it was a good idea for some of their franchises to install software on the laptops which allowed administrators at the stores to take screenshots, capture keystrokes and generally spy on the activities of the users of the computer without their knowledge.  And apparently some administrators were using this capability to take pictures of users in ‘intimate moments’.  Yeah, I think we all know what that really means.

I’ve always said this level of monitoring of another human being, by anyone, not just the owner of the computer, is a horrendous invasion of privacy.  We have so little privacy left right now; to have the computer you rented taking pictures of you is inexcusable.  I fully admit there are legitimate uses of this sort of technology, such as finding a stolen laptop or tracking a deadbeat renter, but this type of usage has to be very narrowly defined and the administrators of the system have to be trained in the allowable uses and ethics of the technology.

This highlights the problem of enabling spying capabilities in a microcosm.  If we don’t very carefully lay out what is and isn’t acceptable usage, the systems are going to be abused.  Some of it will be innocent testing of the limits and finding edge cases.  But a lot of what will happen is that people will do things they know are wrong, simply because it feeds their darker desires.  

Aaron’s took a running leap over the line with their spyware and never even understood that there was a line.  I’m sure the legal battle with their customers and the FTC has made them painfully aware of that line and they’ll be a lot more careful in the future.  But I’m waiting for a car dealership to install something similar in all their rentals.  Oh, wait, they’ve already done that and been slapped down.  Maybe furniture rental places will put motion sensors in their sofas to determine when people are having sex on the couch and charge them extra at the end of the contract next.  It could happen.


Oct 21 2013

RSA EU is all too soon

Published by under General,Public Speaking

Next week is the RSA Europe conference in Amsterdam.  I’m speaking three times at the conference, once as a sponsor, once with my own topic and once in a lightning talk, aka a Pecha Kucha talk.  And at just 6’40”, it’s the PK talk that scares me the most.

The PK talk scares me because it’s such a rigid format.  20 slides set to forward automatically every 20 seconds means you have to have your patter down.  I don’t usually speak in public like that.  I generally use my slides as a template that I can hang talking points off of, but I don’t have a rigid script I’m talking to.  This lets me control the pace and the timing as I want to, rather than needing to go at a set pace.  So, yeah, it scares me.

The other part of giving the lightning talk is that some of the best speakers in security have given them, and I can’t help but compare myself and be found wanting.  Katie Moussouris, Josh Corman, and Rich Mogull, all friends, have given the talks and rave about how much fun it is, but they also talk about how hard the format is.  Any one of them probably has a dozen times the speaking experience I do, and if they found it hard, how is it going to be for me?

So, if you’re in Amsterdam next week at RSA Europe, whatever you do, don’t come to the lightning talks!  Don’t come see me embarrass myself!  I already feel like an idiot abroad, don’t make it any worse.
