Archive for the 'Hacking' Category

Nov 08 2011

Open Tabs 11/08/11

I had a great time at BSides DFW this weekend!  Michelle Klinger, Joseph Sokoly and the whole crew of volunteers who made the event happen did such an awesome job of putting it together and the Microsoft tech center was the perfect place to have it.  Not that Jayson Street didn’t make a few of the security guards nervous from time to time.  And the rest of us nervous when he thought no one was watching where he was thinking of getting into.  I gave the closing keynote speech, which went well despite the fact I was as nervous as I think it’s possible for me to be.  It’s worth giving the talk again some time, after I’ve tightened it up and loosened up a bit myself.  Just remember to challenge all our current security wisdom.

Saturday was November 5th, Guy Fawkes day, and despite it being a high holiday for Anonymous, nothing much seems to have happened.  They did pop Adidas last week, but that was supposedly a prequel to their main event this weekend.  On a more positive note, Brad Smith is doing slightly better, though he is still comatose and has pneumonia.  If you can, spare a few dollars to help Brad and his wife pay for medical bills; if you can’t, keep him in your prayers.  Brad has helped a lot of people in the security community and it’s time to help him in return.

Open Tabs 11/08/11


Nov 04 2011

Open Tabs 11/04/11

It’s almost time to hop in the car and head for #BSidesDFW (I even think in hashtags some days) in about an hour.  I find it annoying that I have to leave the house about 3 hours before my flight to have any chance of making it, since it takes 90 minutes to get to the airport and about 45 minutes to get through the TSA checkpoint most of the time.  I was joking around on Twitter earlier this week and said I’d vote for the first Presidential candidate, Republican or Democrat, who promised to abolish the TSA; it turned out that Ron Paul had already made that promise, but we’ll see if he’s still slugging it out by the time the primaries roll around.  In any case, I need to get packed up and head out.  I’m going to try to get a few interviews at BSidesDFW for the podcast, since there are so many interesting people speaking tomorrow. 

Open Tabs 11/04/11:


Nov 03 2011

Open Tabs 11/03/11

This week’s podcast conversation with HD Moore and Josh Corman was a good thing.  Getting the ideas of “HD Moore’s Law“, the security poverty line and security debt out there so other people can beat on the ideas, examine them for flaws and hopefully incorporate portions of the concepts into their own thinking.  This is, after all, the whole reason I started blogging and podcasting in the first place.

Open Tabs 11/03/11:


Nov 01 2011

Network Security Podcast, Episode 257

Published under Hacking, PCI, Podcast, Risk

Tonight Martin is speaking to Josh Corman, Akamai co-worker, and HD Moore, creator of Metasploit and Rapid7 CTO.  Josh came up with the idea of HD Moore’s Law a couple of months ago, the idea that the strength of the casual attacker is roughly equivalent to what Metasploit is capable of.  If your corporation isn’t capable of defending itself against Metasploit, you’re not going to be able to defend against these casual attackers and you’re going to be wide open to more sophisticated attackers.  Josh explains the concept and what it means to security and HD talks about the fact that Metasploit helps give security teams a measuring stick for their security.

Zach, Rich and Martin are all incredibly busy and are trying to figure out how to fit the podcast into the constraints of our schedules.  We may have to skip a number more weeks between now and the end of the year, but we’re trying desperately to get our lives under control.

Network Security Podcast, Episode 257
Time:  30:09

Show Notes:


Oct 31 2011

Open tabs 10/31/11

It was a fun Halloween, or at least as much fun as it can be if you spend the whole day home working.  It would have been fun to be in the office today to see my co-workers in their costumes, but I had far too much to do to make the commute to my office.  Tomorrow, however, is a different story.  We’ll actually have a podcast this week, since I sat down and talked to HD Moore and Josh Corman about “HD Moore’s Law”.  If you don’t know what that is yet, tune in tomorrow.

Open Tabs 10/31/11


Apr 18 2011

Network Security Podcast, Episode 238

Published under Hacking, Malware, PCI, Risk

This week’s podcast is getting released a little bit early in order to bring you some of the goodness that is the Verizon Data Breach Investigation Report.  Rich and Zach are conspicuously absent as Martin interviews a couple of his coworkers at Verizon, Alex Hutton and Chris Porter.  If you’ve been in the security field longer than a year, you’ve probably heard of the DBIR; it’s the best source of information about what’s really going on in breaches that’s currently available anywhere.  With the inclusion of the Secret Service’s breach data the last two years, it’s hard to think of anyplace you could do better.

We’re taking a week off from the podcast, but we’ll return the first week of May.

Network Security Podcast, Episode 238, April 19, 2011
Time:  29:45

Tonight’s Music:  Head Full of Numbers by Fine Print Pariah


Mar 29 2011

Network Security Podcast, Episode 235

Published under Hacking, Humor, PCI, Podcast

Martin and Rich are joined tonight by our new co-host, Joseph Sokoly, formerly of the Southern Fried Security podcast.  Martin leads off the night with a short story about his kids, in which he once again demonstrates his inability to remember the proper names for people and things (it’s Elevation of Privilege by Adam Shostack, not ‘escalation’).  We talk about the most recent round of breach disclosures as well as a brief foray into PCI.  But we do keep it mercifully brief.  Welcome again to Mr. Sokoly, it’ll be nice to have someone a bit more reasonable on the show.

Network Security Podcast, Episode 235, March 29, 2011
Time:  28:08

Show Notes:


Mar 22 2011

Network Security Podcast, Episode 234

Martin, Rich and Zach are joined tonight by none other than Josh Corman from the 451 Group to talk about the recent RSA breach.  Actually, he was on more to talk about the industry’s reaction to the breach more than the breach itself.  The reality is that we still know almost nothing about what happened, though Rich has a little insight that goes beyond the press release, since he’s actually talked to folks at RSA.  Which means we know just a little more than nothing, which is not a significant improvement.

Another reason Josh wanted to join us was to talk about one of Rich’s recent articles, called Table Stakes.  We clarify what Rich meant in the original post as well as talking about some of the more touchy feely aspects of the industry.  Except Zach, who doesn’t do touchy feely so much.  And finally we end up with a little rant about those hacks over at the Southern Fried Security Podcast and how they’re always imitating us.  They even have their own Bizarro Zach, @jsokoly.

Network Security Podcast, Episode 234, March 22, 2011
Time:  42:06

Show Notes:


Mar 21 2011

Roundup of RSA breach articles

Published under Hacking, Risk, Security Advisories

This group of pieces on the recent RSA breach is only the tip of the iceberg, but most of what you’ll read on the story is purely suppositional.  In other words, a lot of educated people are playing a game of “let’s pretend” and blogging about it.  No one who’s writing knows much about the details; almost everything that’s out so far is guesswork about what might have happened to RSA.  And while there’s some value to running through possible scenarios, it’s probably not worth the screen time the story has been getting until we know something concrete.

So here’s three stories on the RSA APT.  The first is just the initial facts as they were known late last week, in a story from the Boston Herald.  The second is an analytical brief from NSS Labs, included as an example of some of the conjecture people are making based on what is known.  NSS Labs is known for having some good folks and this report is far from the most outrageous speculation that’s been made so far, but it’s also going to require a lot more information before we can really make a claim like “a string of breaches stemming from this event.”  Dave Shackleford does a very good job of dissecting just how little we know so far in this story and why the ‘A’ in APT is a misnomer.

And finally a story that may or may not have anything to do with what’s happening to RSA, Google is accusing China of messing with their stuff.  It’s kind of hard to trust your servers when you’re sending them to another country that has no compunctions about using any means necessary to ‘protect their citizens’. 

Update:  And moments after I posted this @N0b0d4 posted a very good post by Steve Gibson dissecting the potential risks of this compromise for people using RSA SecurID tokens.  I’m not usually one of Steve’s biggest fans, but he’s taken apart the issues pretty well this time.


Feb 16 2011

NSP Microcast: Dave Merkel, Mandiant

Published under Hacking, PCI

If you’ve been anywhere near security during the last 18 months, you probably have a nervous twitch every time you hear someone mention the term Advanced Persistent Threat. Much like Cloud is the big term of this year’s RSA Conference, APT was last year’s buzzword. But that doesn’t mean that APT isn’t still a real issue and isn’t important; it just means marketing teams burnt out the industry on an important issue. Dave Merkel from Mandiant took a few minutes to talk to me about the panel he was on yesterday, as well as the PCI Council’s new PCI Forensics Investigator program. And yes, the two are more closely connected than is immediately obvious.

NSP Microcast, RSA 2011: Dave Merkel, Mandiant
