Network Security Blog

Whether you call it Veteran’s Day, Pocky Day,Binary Day or something else, it’s Friday, I don’t know about you, but I’m looking forward to this weekend and spending some time with friends.  Being a parent, I don’t get out for adult time as much as I once did, which makes the rare occassions all that much more special.

If you know a veteran, today would be a good day to tell them thanks.  I ‘repaired’ radios long ago and far away on a little artillery base in Germany.  I put repair in quotes because our job was to say “Yep, it’s broken”, replace the radio and send the broken one off for repair by someone who actually did electronics troubleshooting.  I was lucky and my enlistment was during a relatively peaceful time, but we have hundreds of thousands vets out there who saw events and actions most of us can’t even imagine.  Please respect them for their sacrifices.

I haven’t done this in a few days, so there’s a lot of built up articles.

Open Tabs 11/11/11:

• Anonymous blasts El Salvador offline – I guess they found some soft targets.  
• How your signature can propel your security career – How are you putting your signature on the security at your company?  Don’t do what everyone else has done.
• Top 10 Security Voices on Twitter – I didn’t like @jgamblins list; half of the accounts on it are businesses.  Who would be on your Top 10 Security Voices list?
• Supreme Court justices concerned about pervasive, technology-enabled government surveillance – As they should be!  Wait until the government admits they’re also turning on the microphones and other sensors in your phone.  And don’t think they aren’t.  
• Judges weigh phone tracking – A little more to feed your paranoia.
• Doom, gloom and infosec – Of course our career field isn’t all feces and stench, but it’s not roses and cake either.  
• Cisco CSO:  Infosec pros should get back to basics – Yes, let’s quit buying all of Cisco’s blinky light solutions and get back to patching and policy.  That’s what he meant, isn’t it?
• ‘Biggest cybercriminal takedown in history’ – The hyperbole isn’t Brian Krebs’, but the rest of the article is some great stuff.  DNS can be dangerous stuff.
• Steam database hacked.  Encrypted credit card information and passwords compromised – First thing I had the spawn do when they got home from school yesterday was change their passwords!

I had a great time at BSides DFW this weekend!  Michelle Klinger, Joseph Sokoly and the whole crew of volunteers who made the event happen did such an awesome job of putting it together and the Microsoft tech center was the perfect place to have it.  Not that Jayson Street didn’t make a few of the security guards nervous from time to time.  And the rest of us nervous when he thought no one was watching where he was thinking of getting into.  I gave the closing key note speech, which went well despite the fact I was as nervous as I think it’s possible for me to be.  It’s worth giving the talk again some time, after I’ve tightened it up and loosened up a bit myself.  Just remember to challenge all our current security wisdom.

Saturday was November 5th, Guy Faulkes day, and despite it being a high holiday for Anonymous, nothing much seems to have happened.  They did pop Adidas last week, but that was supposedly a prequel to their main event this weekend.  On a more positive note, Brad Smith is doing slightly better, though he is still comatose and has pnemonia.  If you can, spare a few dollars to help Brad and his wife pay for medical bills; if you can’t, keep him in your prayers.  Brad has helped a lot of people in the security community and it’s time to help him in return.

Open Tabs 11/08/11

• Pictures from BSidesDFW – I’m the big guy in the green BSides SF shirt.  I know I don’t look like I sound.
• It pays to be the face of Anonymous – “Now my weed dealer won’t come by….” You can’t make this stuff up!
• Hackers worming way into utilities – No surprise to us, but maybe the idea will worm it’s way into the mind of someone who can do something about it.
• Feds try to prevent War of the Worlds-style panic over national emergency alert – This is a test.  This is only a test.  Please don’t panic!
• Ex-U.S. general urges frank talk on cyber weapons – We’re behind the curve and maybe behind the eight ball.
• De-lousing E-PARASITE – More on this moronic legislation
• Down the Rabbithole Episode 5 – I love Brian Stiekes thinking.  We both think information security is fundamentally broken.
• iPhone security bug lets innocent-looking apps go bad – And Apple shoots Charlie Miller (or at least his developer account) for being the messenger.

It’s almost time to hop in the car and head for #BSidesDFW (I even think in hashtags some days) in about an hour.  I find it annoying that I have to leave the house about 3 hours before my flight to have any chance of making it, since it takes 90 minutes to get to the airport and about 45 minutes to get through the TSA checkpoint most of the time.  I was joking around on Twitter earlier this week and said I’d vote for the first Presidential candidate, Republican or Democrat, who promised to abolish the TSA; it turned out that Ron Paul had already made that promise, but we’ll see if he’s still slugging it out by the time the primaries roll around.  In any case, I need to get packed up and head out.  I’m going to try to get a few interviews at BSidesDFW for the podcast, since there are so many interesting people speaking tomorrow. 

Open Tabs 11/04/11:

• Untrusted Certificate Store to be updated – Microsoft delists another certificate authority
• DHS looking for a new CISO – If you want the role, more power to you!  I wouldn’t touch it with a 10′ pole, personally
• Security Ostriches and Disintermediation – Big words from Mike Rothman about HD Moore’s Law
• CIA following Twitter, Facebook – Why would this surprise anyone in the security field?
• China scorns U.S. cyber espionage charges – Another big surprise, China is denying any wrong doing and acting all indignant.  
• Syria crackdown aided by U.S.-Europe spy gear – There’s more and more evidence that US technologies are being used to support oppressive regimes.  And I don’t think it will stop any time soon. 
• Most firms don’t coordinate security planning – We need to learn to integrate better with the board room, that’s a fact.
• Mike Dahn and me from Hacker Halted – I’m going to close my eyes and ears, I can’t stand to see myself in video. 

it was a fun Halloween, or at least as much fun as it can be if you spend the whole day home working.  It would have been fun to be in the office today to see my co-workers in their costumes, but I had far to much to do to make the commute to my office.  Tomorrow, however is a different story.  We’ll actually have a podcast this week, since I sat down and talked to HD Moore and Josh Corman about “HD Moore’s Law”.  If you don’t know what that is yet, tune in tomorrow.

Open Tabs 10/31/11

• Hackers press the ‘Schmooze’ button – Explaining social engineering to non-security people.
• GCHQ Chief reports ‘disturbing’ cyber attacks on UK - Gee, ‘thousands of attacks per year’.  Wonder how they calculated that number?
• Unmasking the criminal hacker – Yeah, genetics explain it all perfectly.  If only it was that simple.
• Met police using surveillance system to monitor mobile phones – I hope these systems have some heavy duty auditing capabilities as well.
• China denies it is behind the hacking of US satellites – I have to admit, I think it’s the Chinese AND it’s just a play by the people writing the report to get political cred.
• Outsmarted: Captcha security not much of a gotcha – Botnet or social engineering, they’re just a speed bump.
• Brad Smith, aka Nurse, had a stroke at Hacker Halted – If you can contribute a few dollars to help defray his hospital bills, it would be appreciated!

Last night I got an email from Jim Engineer at e-Rainmaker PR stating that Kevin Mandia from Mandiant would be appearing before Congress.  I’m always interested in hearing the leaders in our industry speak to members of Congress, because it reveals a lot not only about how the thought processes of the folks who are presenting to Congress, it also reveals what our Congressmen think about security.  This hearing was no different from most, in that it showed there are definite agendas at work,but it also showed that the biggest concern for our Congress is the threat of China to our businesses and intellectual property, in addition to attacks on government properties.  I live tweeted as much of it as possible and I’d like feedback in the form of comments if you found it valuable.  Or even if you didn’t. Any misquotes are my own and are attributable to trying to listen and tweet at the same time.

General Hayden impressed me the most of the three speakers.  His main message was that the issue of cyber-security is a not something we should be in a rush to come up with ‘the answer’ for, but that we should be looking at having long conversations about what needs to be done in a thoughtful, logical manner.  While he encouraged legislation, he made it clear he wants the goal to be outcomes, not just compliance.  He was level headed and clearly understood the difference between security and compliance, something Kevin Mandia also backed up.

I thought Kevin was underutilized in this conversation.  He had some very good, clear thoughts on the subjects at hand, but the members of the committee seemed to give his testimony less credence, since it didn’t directly feed into the narrative they were trying to lead to.  His strongest statement was, “You will be breached, the security compromise is inevitable.” He followed it by stating that “In our last fifty incidents, forty-eight of them learned of the compromise from external third-parties like the FBI”.  That’s a pretty damning statement about the state of detection in our industry today.

And then there was Art Coviello.  I’m not going to dig too deeply into Mr. Coviello, but he was being a good CEO while also being an intellectually dishonest security professional, if you could call him a security professional at all.  Statements like “Our advanced technology allowed us to detect and react to the attack in progress” and “We were within hours of being able to stop the compromise” and other comments about how ‘swiftly’ RSA responded to the compromise go directly against the timelines in the press and against the history of how RSA notified the public and their customers of their compromise.  Remember, they didn’t even have a Chief Security Officer before the compromise, there was no one at the C-level responsible for security.  I was very unimpressed with Mr. Coviello today.

Not much will come from this Committee meeting, but it was educational to learn what message the members of Congress wanted to put out and how businesses are willing to help them.  It was also a lot of fun to live tweet it and see what security professionals around the country think.  Marty Roesch from Sourcefire (@mroesch) was especially cynical and entertaining.  But there were a lot of people who had good feedback and questions, for which I’m thankful.

Feedback on live tweeting is very appreciated, leave comments and expect me to do the same next time I have time and opportunity.  And here’s the press release from Jim.

For your information, MANDIANT
CEO Kevin Mandia will offer testimony to the House Intelligence
Committee at the invitation of Chairman Mike Rogers (R-MI) tomorrow Tuesday, Oct. 4, from 10 a.m. to 1 p.m.
Kevin is available to comment on his testimony should you have an interest in pursuing.

To view the testimony please visit:

http://intelligence.house.gov/hearing/cyber-threats-and-ongoing-efforts-protect-nation#

“Cyber Threats and Ongoing Efforts to Protect the Nation” 10:00am – 1:00pm ET HVC-210

·         The Honorable Michael V. Hayden, Principal, The Chertoff Group
·         Mr. Arthur W. Coviello, Jr., Executive Chairman, RSA
·         Mr. Kevin Mandia, Chairman and Chief Executive Officer, MANDIANT

Chairman Rogers on the Cyber Security Hearing:
“Examining the threat of cyber attacks against the United States is of
utmost importance. The threat of cyber attacks continue to evolve. What
started out as a kid in the basement hacking into a school computer to
change a grade, has evolved into entire nation states focused and
determined to exploit our nation’s cyber systems. The Committee will
review recent developments in the evolution of the cyber threat against
the United States by nation state actors and others. Additionally, we
will evaluate the status of the United States government’s efforts at
providing cyber security within the government, the status of cyber
security in the private sector, and the sharing of government
information, including intelligence information, with the private sector
to enable it to better defend and protect our nation’s most critical
private systems.”

Jim

PS>  I think I only heard the dreaded “APT” once, from Art Coviello.  Figures.

If you fly with any regularity, you know exactly how bad things have gotten with the TSA invading your space and your privacy.  Naked x-ray machines, intrusive pat downs and TSO’s who think their position gives them the right and responsibility to embarrass people who are simply trying to get to a destination.  All in all, flying is now one of the most stressful activities the average American has to deal with.  Hopefully pressure from the public will turn the tide on the current efforts by the TSA to ‘protect’ us at the expense of our basic liberties, but I don’t see it happening overnight.  In the mean time, you need to know what your rights are when dealing with the TSA.   Thankfully Saizai has created a two page PDF that explains what your rights are when dealing with the TSA and who to call if you think you’re rights are being violated.  This PDF is something you should have a copy of on your phone, on your computer and printed out so you can carry with you when you fly.  Seriously, it’s that valuable.  Saizai says he updates the document fairly regularly, but just in case I’m also making a static copy of it available just in case.  By the way, it also includes information about the photography rules of various airports around the nation, another good piece of information you may need to protect you from overzealous TSO’s who want to believe it’s illegal to photograph them at work (it’s not, at most airports)

I travel around the country a lot in my role as an assessor and being in security, I have a off again on again interest in taking pictures, specifically pictures of some of the odd places I find security cameras and the places they cover.  That and taking pictures of error messages that pop up on various screens and systems that are in public view.  I find it interesting to look at some of the odd places that companies have decided to put a camera and how much of the surrounding area surveillance catch that people probably don’t have any awareness of.  And in this day and age, I’m almost surprised that no one’s commented on my picture taking and called me a terrorist.  But guess what, people: Photographers are NOT terrorists.  Like most other photographers, I’m following a passion, however little someone else may understand it.  Get over your unfounded paranoia and get back to living your life.  And yes, 99.999% of your paranoia about terrorists plots is unfounded, no matter what the DHS and TSA might want you to think.  And most of the other .001% has some level of validity, but it’ll probably never affect you directly.

A few years ago Mike Rothman over at Securosis dubbed me “Captain Privacy”.  And thanks to my wife’s sense of humor, I even have a cape and domino mask (but no tights, for which everyone is thankful).  I like my privacy and I often argue against movements by our government to erode the controls protecting our privacy.  And this is one of the more subtle points that Mike and other people miss about me: I am not arguing against the government having the ability to spy on people when they need to, I’m arguing for strong controls around the ability and judicial oversight to ensure that the ability to monitor citizens isn’t abused.  To some it’s a very subtle difference, but to me it’s an incredibly important distinction. 

So it should come as no surprise to anyone that I’m thrilled that the 6th Circuit Court of Appeals has ruled that email is protected by the Fourth Amendment.  For years now law enforcement has been arguing that there should be no expectation of privacy for your email on corporate and cloud services (like Gmail) and that there was no need to get a search warrant prior to seizing copies of email records from service providers.  In other words, since your email is hanging out on a public service provider’s servers, they felt they could just walk in at any time, demand a copy of your email and no one would tell you until you were served up with an arrest warrant.  No due process, no judicial oversight, just quietly take what you want whenever you want it.  Understand why the police would want this power, but I also believe that it’s something that’s just waiting to be severely abused, if it hasn’t been already.

This is an appeals court, so it is possible that the ruling could be overturned by the Supreme Court if it got to that level, but it’s unlikely.  The 6th Circuit Court made it very clear that you and I have every right to expect our email to be as secure from covert observation as our physical mail.  Which means that police and federal officers can monitor it if they can prove to a judge that it’s necessary and appropriate.  And that’s all Captain Privacy really wants for Christmas, the knowledge that someone is double-checking what our LEO’s are doing and making sure that due process is being followed.

I urge you to read “So…I got detained by the TSA at the airport today“.  There are no federal laws and few state laws that prohibit you from recording a TSO(transport security officer) in the pursuit of their duties.  In fact the TSA actually encourages it.  But many TSO’s and supporting law enforcement agents never got the memo, so you may end up getting harassed if they think you’re doing something wrong.  Flying Fish has a good story about how to deal with the issue and how to deal with the TSA and law enforcement in a reasonable, calm manner and come out okay.  Not everyone has his contacts, but that’s not really the point of the post.

But more important than the post itself was one of the comments, with all the contact information you need to get in touch directly with the TSA offices of Civil Liberties and the Ombudsman .  I now have this information entered into my cell phone and will use it next time if I have to.  I have a funny feeling if it gets to the point of my having to make the call, things will have already gone beyond my comfort point, but better to have them and not need them than the other way around.

deltaGOLFflyer

I’m not going to weigh in on the whole TSA whine fest that’s going on; I agree that the TSA has gone too far and needs to have their collar yanked on to settle them down.  But a whole bunch of us complaining on Twitter isn’t going to do much, neither are lengthy blog posts.  Quite frankly most of us have too little exposure to be taken seriously on the national stage.  I got my own whining in early, so now I’m trying to gather some information on how to be effective.

But we do have people we can contact who do have some pull, starting with our federal legislators, who are easy enough to find and monitor on the Project Vote Smart site.  I didn’t notice a political slant either way to the site, it appears to just be reporting the facts and is easy to use.  Writing to your Senator (mine is Barbara Boxer) will be slightly more effective than Twitter, at least an intern somewhere will tally your complaint.  Two other places that you can write that I’ve been told will have slightly more impact is your airline and their lobbying firm.  Explain your position in terms of how it impacts your business and how it will impact their bottom line.  The SourceWatch wiki supplied me with contact information for United Airlines and their lobbyist firms.  I’ll let you know if I hear anything back from them.  I had a friend on Twitter explain this, basically you want to start any emails you send by talking about the money, then end with little side notes like ‘protection from unreasonable search and seizure.’  It’s easier for many people to understand money issues than those of Constitutional rights.

The TSA does have a way to report a complaint, though I don’t know of anyone who’s done it so far and what the results have been.  Personally I’d be afraid of getting added to a watch list.  What might be more helpful is to read the official TSA Blog.  For instance, did you know it’s actually allowable by TSA rules to photograph a TSO in pursuit of their duties?  That is if the state and local laws allow it, which they don’t in many states.  So far California appears to.

The current pat downs and back scatter x-ray’s are both issues that need to be addressed.  As is the over-reach of the TSA to grab power at airports.  But observing and talking about them don’t do much good unless we follow up with some sort of action.  If you have some better ideas of who to contact, please leave a comment.