Open Tabs 11/04/11:

• Untrusted Certificate Store to be updated – Microsoft delists another certificate authority
• DHS looking for a new CISO – If you want the role, more power to you!  I wouldn’t touch it with a 10′ pole, personally
• Security Ostriches and Disintermediation – Big words from Mike Rothman about HD Moore’s Law
• CIA following Twitter, Facebook – Why would this surprise anyone in the security field?
• China scorns U.S. cyber espionage charges – Another big surprise, China is denying any wrong doing and acting all indignant.  
• Syria crackdown aided by U.S.-Europe spy gear – There’s more and more evidence that US technologies are being used to support oppressive regimes.  And I don’t think it will stop any time soon. 
• Most firms don’t coordinate security planning – We need to learn to integrate better with the board room, that’s a fact.
• Mike Dahn and me from Hacker Halted – I’m going to close my eyes and ears, I can’t stand to see myself in video. 

Network Security Podcast, Episode 216, October 12, 2010
Time: 32:45

Show Notes:

• HacKid Conference – Boston 2010 (wrap-up by SecBarbie)
• Don’t expect to peer into Google cloud services security
• The Zombie Network: Beware ‘Free Public WiFi’
• Patch Tuesday: Critical flaws haunt Microsoft Office, IE browser
• Tonight’s Music:  Bored by Robin Tymm

Network Security Podcast, Episode 192, April 6, 2010
Time:  40:25

Show Notes:

• Are PDF’s Worm-able?
• Security spending finds misaligned IT security budgets
• ISO What You Did Last Summer
• Tonight’s Music: (Imagine the girlfriends I’d have) If I Still Had Hair by The Public Good

In the last 48 hours, a user on the what.cd uploaded torrent of COFEE and made it available for any user to download.  Which, of course, means that it’s now available on any number of bittorrent sites.  The site it was originally found on did something they rarely do and took the torrent offline, but it was already too late and the tool is in the wild.  Even if many of the bittorent sites agree to pull the torrent, there’s enough users who have the file and enough sites that will be uncooperative that it’s very unlikely that this djinni can be put back in the bottle.  The fact that this tool has been a big mystery before now has made it very enticing, but getting your hands on a copy has been limited to a very few people who were in law enforcement or had friends that were.

It needs to be pointed out that is owned and jealously guarded by Microsoft.  I won’t be surprised if they start going after people to get this removed from the Internet.  Surprisingly the folks at What.cd say they took down the torrent on their own, with no prompting from either Microsoft or law enforcement.  It may be that they decided the amount of attention it could draw to a site like theirs was more than they were willing to itself.  Or it could be they did it for altruistic reasons, but I’m more willing to believe in the former than the latter.

Now that the COFEE has been spilled into the tubes of the Interweb thingy, what are our moral and ethical responsibilities as security professionals concerning the tool?  Should we ignore it and hope the police can pull it off the bittorrent sites before everyone and their brother have a copy?  Should we be reporting people who make it available?  Or should we be reviewing the tool ourselves and proposing ways to make it better?  This is a tool that’s aimed at letting police officers who are computer novices collect valuable forensics information using applications that are available natively in Windows and creating a simple report for future reference.  While this is interesting, it’s nothing top secret or even that revolutionary.  I suspect the main reason it was only available to law enforcement officers was to keep the malware creators and hackers from the limits of COFEE and figuring ways to prevent it from collecting anything if they ever have their own computers compromised. 

Personally I think the tool’s been leaked and rather than try to get it back, law enforcement and the security community should be concentrating on providing an even better tool that will do everything COFEE can do and more using open source tools.  There are any number of forensics tools already out there that will do a very good job of evaluating a desktop’s running configuration that could be made at least as easy to use as COFEE; the hard part would probably be getting law enforcement agents to accept something that didn’t have a huge name like Microsoft behind it.  For example, if a limited version of Backtrack was created that would run when you plug a USB key into the computer, the amount of data collected could be greatly increased. 

If there are already other tools available that can easily and cheaply provide law enforcement with forensics evidence they can use in court, I don’t know of them and would appreciate some pointers.  If not, someone needs to create something and make it available to law enforcement, especially if it’s something that’s easy for a computer neophyte to use.  I don’t think that having COFEE leaked reduces it’s effectiveness or makes it harder for law enforcement to use, but I believe that the open source community can create a better tool and make it available to everyone without feeling a need to keep it’s capabilities secret. 

The second purchase I made was to get myself a membership in Microsoft’s Technet Plus.  I’ve had access to TN+ several times before through employers and I’d used it a lot to build and rebuild servers, test out new programs and generally learn aspects of Microsoft programs I wouldn’t normally have access to.  Unluckily the last time I had access to TN+ was just after XP came out and when Vista came out the only reason I got to try it at all was that I happened to recieve a copy of Vista Ultimate at an event I attended.  Not that I ever successful upgraded a system to Vista, but at least I got to try.

The truth is, TN+ is also a tax writeoff for me.  I haven’t earned much from Google Ads this year, but it’s more than the cost of the TN+ subscription and this will help me conteract what little tax burden there is.  But more importantly, this is an investment in my own continuing education for security and technology.  I work from home and while I get a chance to see different networks and OS’s with every new client, it’s not the same as getting your hands into the guts of a server and administering it yourself. 

So I’m viewing the purchase of TN+ as in investment in my technical skills for the future.  And that’s how I’m selling it to my wife as well.  I put a lot of time in to reading blogs, writing my own blog and creating the podcast, but the amount of money I’ve put into furthering my skills has been minimal the last few years.  My training comes through going to events like RSA, Black Hat and Defcon.  I don’t have a lot of time and energy to read security books, but several of the publishers occasionally send me those to read and review.  I often think about investing in a Masters Degree.  It’d be expensive and time consuming, but it’s a piece of paper that helps you go a lot further in life than a BS will.  But until my wife finishes her own college courses and gets a job, any further courses for me will have to wait.

What other venues should I be spending money on to further my career as
a security professional?  Is there something I’m neglecting that might
eventually catch up to me?  How are you investing in your career?  Are you investing in your career monetarily or are you making your investments in time and energy instead?  I know there are a lot of people out there who are beginning their careers who are curious about how to get into security, but I’m wondering how the people who’ve been in the field for years are continuing to improve their skills and preparing for that next step up or making themselves as ‘recession proof’ as possible.  I don’t think anyone in this field can afford to say they’re resting on their laurels.

A number of people, most notably Mike Masnick, have jumped to the conclusion that this offers some sort of back door to law enforcement. Ed Bott fires back calling this inflammatory and rants a bit against the echo chamber that is the blogosphere. I can see why Mike would jump to the conclusion he did, that Microsoft was offering up some special sauce for criminal investigators, but as Ed points out, the tools included on the USB drive are all available elsewhere, MS has just made easier by putting them on one USB key.

Ed also points out another thing: the bad guys have had USB keys that do most, if not all, of the same things for years. The USB Switchblade works wonders, is freely available and probably is more dangerous than any of the tools in the Cofee suite. I wouldn’t be surprised if some of the more savvy forensics investigators haven’t been carrying USB Switchblades around for a couple of years.

This is twice in a week that I know of computer crime stories got blown out of proportion. Is it a trend or just a blip in the statistics? All I know is it feels weird to not be on the side being called paranoid.

I’m still not upgrading to Vista until I can make sure the 64-bit drivers exist for all of my hardware.  Even if Vista is as secure as Jeff asserts, it’s not enough to make the upgrade worthwhile to me.

Stephen is still working for Microsoft, he just won’t be with the security team any longer.  If there’s one thing that’s geekier than being a Microsoft security guru, it’s becoming an X-box Live guru. I’m not a console gamer, but from what I’ve read on his site, that really is Stephen’s passion.  And if you can get a job doing your passion, I say go for it!  I know from recent personal experience, it may not always work out as planned.  But it’s better to have tried and failed than to live your life regretting the chances that slipped through your fingers.

Congratulations Stephen.  The security teams loss is Xbox Live’s gain.  Of course, this means you’re off the list for RSA 2008′s Security Bloggers Meetup, but there has to be a price to pay for your dream job.

Technorati Tags: Microsoft, Stephen Toulouse, Xbox Live