Archive for the 'Risk' Category

Nov 22 2011

Open tabs 11/22/11

Published under Family, Hacking, PCI, Risk

I got home Sunday from 3 days in Las Vegas, two of which were spent at the first ever Minecon.  For those of you who aren’t the parents of Minecraft addicts or addicts yourselves, it’s a game where you create a whole world, then mine it for resources and build just about anything you can imagine.  It’s multiplayer, sometimes massively so, and it’s very easy to set up your own server and be hosting it for the world in a matter of hours.  Unluckily, it may be too easy; people who can barely figure out what their IP address is are setting up servers on their desktops, then sharing their systems with friends via Hamachi or simply opening their home network to the world.  It’s enough to give a security professional an aneurysm!  I wrote up my own experience in creating a cloud server for Minecraft in April, but that server never caught on with the kids.  So now I’m trying a different solution, MineOS Crux, a custom-built distribution of Ubuntu specifically created for people who want a secure, lightweight Minecraft installation.  I’m running it as a VM on my Mac Mini server and exposing it to the world on a non-standard port, and I locked down the distro a little more than the standard build.  I’m still more than a little paranoid about it, so if the kids aren’t using it, it’ll go away.

Oh, and the kids got me to start playing Minecraft as well.  Good thing there are a lot of long holiday weekends coming up.

Open Tabs 11/22/11:

Nov 16 2011

Google’s wifi mapping non-solution

Published under Privacy, Risk, Security Advisories

Google got in a lot of trouble last year for capturing private data from wireless networks when they were driving the googlemobiles around to get video shots for StreetView.  Basically, rather than just capturing the SSID for the access points, in a lot of cases they captured data streams from the APs, which violated all sorts of European privacy laws.  And in response to this, Google came up with a solution:  users can opt out of Google’s wireless access point mapping by simply adding “_nomap” to the end of their SSID!  So simple it’s stupid.  No, I mean it’s so simple it’s absolutely idiotic and a waste of the digital ink that was used to express the idea!

I think MG Siegler expresses it best when he said, “The solution is a joke.”  Siegler thought of the same things I did when he saw this so-called solution.  First, only a fraction of a percent of people are even going to understand that Google is mapping their access points, and an even smaller segment of the population is going to understand what that means.  And of that small group, only a much smaller percentage are going to make the changes to SSID names necessary to opt out of the Google mapping.  I think that his .01% of the 10% of the people who actually read the article is a bit generous; only the truly paranoid will opt out using this method, and they probably weren’t advertising their SSID to begin with.

Let’s think about the pain in the arse it is to change an SSID to include ‘_nomap’.  My house is probably not normal, but it’s what I have to use as an example.  I have two wireless networks, two access points, three desktops, half a dozen laptops and a server that all would have to be changed to use the new ‘_nomap’ SSID.  Plus there are a few more systems to worry about when you include the gaming systems the kids use.  The average household probably doesn’t have nearly that much equipment, but they also don’t know enough about wifi to set it up with proper encryption in the first place, so why would Google assume the average home user would know enough to change the SSID on all these systems once they finally got them running on their home network?

Let’s be honest; all Google is doing is waving their hands over StreetView in an effort to claim they’re doing something in front of governmental bodies who wouldn’t know the difference between an SSID and Sid Vicious.  In most cases, they’d probably recognize Sid Vicious before they’d have a clue what an SSID was or what it’s used for!  Siegler nails it when he states that Google might as well ask people to solve calculus problems.  And I’d be willing to guess there are a number of people who would have an easier time solving advanced mathematical equations than they would changing their SSID.

I want a solution that doesn’t require me to change my SSID to opt out of Google’s mapping.  It’s a stupid solution and I’m not changing my SSID to include the ‘_nomap’ modifier.  My last thought is two-fold:  What effect will this have on all the data that Google has already collected (Answer: none), and will Google actually honor their own ‘_nomap’ identifier and drop the data at collection, or will they simply not display the access points using ‘_nomap’ but keep the data in their database?  I think you and I both know the answer to the second one as well.

Nov 04 2011

Open Tabs 11/04/11

It’s almost time to hop in the car and head for #BSidesDFW (I even think in hashtags some days) in about an hour.  I find it annoying that I have to leave the house about 3 hours before my flight to have any chance of making it, since it takes 90 minutes to get to the airport and about 45 minutes to get through the TSA checkpoint most of the time.  I was joking around on Twitter earlier this week and said I’d vote for the first Presidential candidate, Republican or Democrat, who promised to abolish the TSA; it turned out that Ron Paul had already made that promise, but we’ll see if he’s still slugging it out by the time the primaries roll around.  In any case, I need to get packed up and head out.  I’m going to try to get a few interviews at BSidesDFW for the podcast, since there are so many interesting people speaking tomorrow. 

Open Tabs 11/04/11:

Nov 01 2011

Network Security Podcast, Episode 257

Published under Hacking, PCI, Podcast, Risk

Tonight Martin is speaking to Josh Corman, Akamai co-worker, and HD Moore, creator of Metasploit and Rapid7 CTO.  Josh came up with the idea of HD Moore’s Law a couple of months ago, the idea that the strength of the casual attacker is roughly equivalent to what Metasploit is capable of.  If your corporation isn’t capable of defending itself against Metasploit, you’re not going to be able to defend against these casual attackers, and you’re going to be wide open to more sophisticated attackers.  Josh explains the concept and what it means to security, and HD talks about the fact that Metasploit helps give security teams a measuring stick for their security.

Zach, Rich and Martin are all incredibly busy and are trying to figure out how to fit the podcast into the constraints of our schedules.  We may have to skip a number of weeks between now and the end of the year, but we’re trying desperately to get our lives under control.

Network Security Podcast, Episode 257
Time:  30:09

Show Notes:

Oct 31 2011

Open tabs 10/31/11

It was a fun Halloween, or at least as much fun as it can be if you spend the whole day home working.  It would have been fun to be in the office today to see my co-workers in their costumes, but I had far too much to do to make the commute to my office.  Tomorrow, however, is a different story.  We’ll actually have a podcast this week, since I sat down and talked to HD Moore and Josh Corman about “HD Moore’s Law”.  If you don’t know what that is yet, tune in tomorrow.

Open Tabs 10/31/11

Sep 03 2011

Is this really the ‘State of Security’?

Published under General, Risk, Security Advisories

I’m not a big fan of opinion polls, especially when the people writing them present them as if they were facts, rather than simply the opinions of the people polled.  There’s a huge difference between the reality we live in and the way we perceive that reality.  That’s simply a fact of life, not a criticism of anyone in particular.  But it has a huge impact on the real usefulness of data when it’s based on perception rather than a quantifiable measurement.  And in the information security field, we’ve been working on perception and intuition for far too long and need to start relying on real, measurable data instead.  I have been told I’m too hard on polls, since opinions are valid data points as well, but I’m not so certain.

That’s quite an opening statement for a look at the latest security survey by Symantec, but I wanted to get my own personal biases out of the way before starting.  It also helps explain some of my skepticism about the value of the Symantec State of Security 2011 report.  It’s pretty, it’s glossy, it has nice pictures, but it’s still an opinion poll, and I always have to wonder how much it’s been affected by the perception of the people who were surveyed, how much they were willing to answer honestly, and whether or not they actually knew the answers or just made stuff up.  As I said, I’m not a big fan of opinion polls in security, in large part because I’ve filled out more than a few of them myself.

There’s a lot of white space, large type and big graphs in the report, padding that should have been replaced with more analysis and discussion rather than being wasted.  That tells me this was probably produced by the marketing department rather than someone in engineering or security.  Marketing might have gotten the analysis right, but the 19 pages would have been boiled down to 8 or 10 pages if it had been written by an engineer instead.  That’s not to say there isn’t some good information in the report, but it does mean there’s a lot of fluff to wade through to get to it.

One of the important tidbits is that, according to the poll, 41% of security professionals feel that security has become more important to their businesses over the last year, as opposed to 15% who think it’s decreased in importance.  Given some of the high profile attacks that we’ve seen in the last year, I don’t find that surprising, but I’m still glad to see that what we do is gaining awareness with management.  41% of respondents also feel that they’re being given more budget, which leads me to ask if the increase in awareness is leading to a greater budget or if an increased budget led to a feeling of more awareness.  Given how long we’ve been underspending on security, it is good to see some positive movement on this front.

I found the trends that are driving security concerns a little confusing.  According to Symantec, mobile computing, social media and consumerization of IT top the list of concerns; this was explained to me as coming from the newness of the technologies, but I find that hard to swallow.  Smart phones aren’t new, social media isn’t new and consumerization certainly isn’t new.  I know I had to deal with consumer products in the workplace when I was a sysadmin, and that was nearly a decade ago.  The first thing I’d point out is that there’s only a 4% difference between the top 6 items in the list, and Symantec acknowledges a 5% margin of error in the survey.  Which means that nearly any one of those categories could actually be the biggest security concern.  I’m a little surprised they split different aspects of ‘cloud computing’ into various subcategories such as SaaS, PaaS, public and private cloud, but I mean that in a good way.  It’s so nice to see someone who actually realizes that the ‘Cloud’ isn’t one technology but a collection of very loosely related technologies and implementations.

I would like to know more about how the question concerning significant security threats was posed to the people polled.  Hackers top the list, but there are also categories for hacktivism, criminals, industrial espionage, targeted attacks and state-sponsored attacks.  I see those all as potentially falling under ‘hacking’, which could mean that there was a flaw in the question asked that biased the results.  I’m also not sure how this perception actually gains us any understanding in the first place.

“71% of respondents saw an attack in the last year…”  Oh boy, that’s a loaded statement.  If only 71% of the companies saw an attack, what were the other 29% doing?  I’m absolutely certain they were attacked, even if it was simply a drive-by attempt.  Were they playing ostrich, with their heads buried in the sand and no detective measures on their network?  Did they have anti-virus and ignore the malicious code that found its way into their network, or did they not have AV at all?  Were they actually looking at the logs from their IDS, or were they ignoring those as well?  I’ve run into more than a few security professionals who’ve said their management didn’t want detective measures in the environment because detection would mean they’d have to do something about it.  But even I have a hard time believing it was 29% of the companies.

The one perception in this report that I find scary is the measure of what security professionals think they’re doing well.  52% of security professionals polled believe they’re addressing routine security measures effectively.  But that also means 48% of security professionals don’t think they are.  Close to half of us are willing to admit we aren’t doing a good job at the basics.  And that was the highest measurement amongst all the data points.  If half of us admit we aren’t even doing the basics well, is it any wonder that we’ve seen so many breaches in the last couple of years?  Do we even have a chance if half of us admit we don’t have the resources to do the basics?

The recommendations by Symantec are generic and could have come from nearly any security report written in the last few years.  Policy, process and buzzwords don’t help much.  What should have been highlighted is the need to get the basics right, rather than work on policies that most people in your company will never even know exist.  Yes, policy gives us a lever to pry money out of management from time to time, but it doesn’t address the real problem of just being aware of what’s happening on your network.  But that’s probably not what management wants to hear anyway.

Take a little time to read the report; it won’t take you more than 15 minutes to read every word in it.  As with any report there are some nuggets of knowledge to be gained, but question the analysis put forth by Symantec.  I wish they’d included more information about the specific questions asked, because that tells a lot about the biases involved.  I would also like to see hard data points behind the points made, rather than just opinions.  But I guess a couple of years of hanging around people like Alex Hutton and Wade Baker, writers of the DBIR, has made me value analyzing data over opinion.

Apr 18 2011

Network Security Podcast, Episode 238

Published under Hacking, Malware, PCI, Risk

This week’s podcast is getting released a little bit early in order to bring you some of the goodness that is the Verizon Data Breach Investigation Report.  Rich and Zach are conspicuously absent as Martin interviews a couple of his coworkers at Verizon, Alex Hutton and Chris Porter.  If you’ve been in the security field longer than a year, you’ve probably heard of the DBIR; it’s the best source of information about what’s really going on in breaches that’s currently available anywhere.  With the inclusion of the Secret Service’s breach data the last two years, it’s hard to think of anywhere you could do better.

We’re taking a week off from the podcast, but we’ll return the first week of May.

Network Security Podcast, Episode 238, April 19, 2011
Time:  29:45

Tonight’s Music:  Head Full of Numbers by Fine Print Pariah

Apr 03 2011

QSA Burnout

Published under PCI, Risk

I know it’s something I talk about at least once a year, feeling burnt out in my career path.  Like many people, I feel stressed by the huge amount of information that comes our way as security professionals, especially when I start reading about security breaches that potentially affect clients of mine.  It’s hard to feel like you’re winning the battle when you hear about a supposedly secure company that was compromised and had all their data exfiltrated.  It’s even worse when that data is probably going to be a lot of credit card information and there’s a ton of questions about the company’s last PCI assessment.

So there’s a little stress associated with being an assessor.  No matter how well you get along with the client, they know as well as you do that your job is to review their security configurations and setup, make a judgment call, and tell them whether they pass the assessment or not.  They didn’t want to deal with PCI in the first place, they don’t agree with many of the requirements, you’re the authority figure in charge of enforcing the requirements, and almost invariably you can’t meet the timelines the client wants, usually due to circumstances beyond your control.  And who can blame them, since PCI is forcing so many merchants to spend time and money on security measures they didn’t want or didn’t feel they needed in the first place.  No one wants a third party telling them they have to put in AV or face having a higher exchange rate on each and every transaction.

It’s not an easy job, and while I am whining about it a little, what’s really surprised me lately is the number of QSAs I know who’ve left the field in the last few months.  It’s not like people are telling me “I hate our company, I’m leaving for a better company”.  What I’m hearing is, “I hate PCI, I’m going back to some other aspect of security”.  For some it’s been the cyclic nature of PCI, going back to the same companies year after year and seeing the same exact issues show up each and every time.  For others it’s been the lack of any significant changes in the PCI requirements since they came out, and at least three more years before there’s much chance for change.  And in a few cases, it’s been the need to restrain themselves from commentary or criticism of PCI since it’s their main source of income.  Not a single one of the people I’ve talked to has said, “Oh, I’m sorry I left PCI, I want back in.”  And I don’t expect to hear that from anyone any time soon.

I don’t know if there’s a solution, other than training the next set of QSAs.  Companies are improving their security, some more than others, and it shows.  Unluckily, the bad guys appear to be able to bypass those security measures more adeptly than we are at putting them in place.  More security professionals are subscribing to the idea of “compliance through security, not security through compliance”, but it’s a slow process and too late to keep QSA burnout at bay.  Getting involved with the special interest groups (SIGs) who work on many of the aspects of networking and security for PCI is a way to effect change, but it’s a slow process as well, and one fraught with its own perils and stresses.  You might be able to effect change eventually, but given the glacial pace at which the SIGs have been releasing guidance, the chances are slim you’ll feel like you’re actually being effective at any point in the process.  And criticizing PCI, the PCI Council or any other aspect of the whole compliance effort is something that is always going to require careful thought and judgment no matter what role you take in the industry, something that’s not going to change.  Ever.  If you have a voice in the community, it can and will affect your job if you say the wrong things or say the right things in the wrong way.  Being right is no defense if you offend the wrong person in the compliance industry.  Not that I would know anything about that.

I suspect that we’re going to see a spike in the burnout rate over the next year or so.  A lot of the people who have been involved exclusively in PCI since the early waves of compliance are reaching their pain threshold and looking for ways to get out.  Which is hard, since the skill set of a QSA (I know, oxymoron) is in high demand and pays well.  Even that hasn’t been enough to keep some people, since you eventually reach a point where the money isn’t worth it anymore.  People are going to continue to quit this segment of the industry, leaving holes that will have to be filled by less experienced, though not necessarily less knowledgeable, assessors.  Which will in turn add to the stress most assessors are feeling.

I don’t personally have any plans in place to leave the PCI arena any time soon.  It’s hard, but fighting the stress and the anxiety of being an assessor is something that can be dealt with for now, if not forever.  People I thought would never abandon PCI have left the field for other opportunities, so I know that I will also leave eventually.  And maybe this is just part of a natural career progression: learning a new skill, mastering it, then burning out and moving on.  But as opposed to leaving your company to go work in a different role elsewhere, most QSAs leave one company to do the exact same thing at another company, until they burn out and leave entirely.  And I’m pretty sure that’s not a healthy career progression.

Mar 22 2011

Network Security Podcast, Episode 234

Martin, Rich and Zach are joined tonight by none other than Josh Corman from the 451 Group to talk about the recent RSA breach.  Actually, he was on more to talk about the industry’s reaction to the breach than the breach itself.  The reality is that we still know almost nothing about what happened, though Rich has a little insight that goes beyond the press release, since he’s actually talked to folks at RSA.  Which means we know just a little more than nothing, which is not a significant improvement.

Another reason Josh wanted to join us was to talk about one of Rich’s recent articles, called Table Stakes.  We clarify what Rich meant in the original post, as well as talking about some of the more touchy-feely aspects of the industry.  Except Zach, who doesn’t do touchy-feely so much.  And finally we end up with a little rant about those hacks over at the Southern Fried Security Podcast and how they’re always imitating us.  They even have their own Bizarro Zack, @jsokoly.

Network Security Podcast, Episode 234, March 22, 2011
Time:  42:06

Show Notes:

Mar 21 2011

Roundup of RSA breach articles

Published under Hacking, Risk, Security Advisories

This group of pieces on the recent RSA breach is only the tip of the iceberg, but most of what you’ll read on the story is purely suppositional.  In other words, a lot of educated people are playing a game of “let’s pretend” and blogging about it.  No one who’s writing knows much about the details; almost everything that’s out so far is guesswork about what might have happened to RSA.  And while there’s some value to running through possible scenarios, it’s probably not worth the screen time the story has been getting until we know something concrete.

So here are three stories on the RSA APT.  The first is just the initial facts as they were known late last week, in a story from the Boston Herald.  The second is an analytical brief from NSS Labs, included as an example of some of the conjecture people are making based on what is known.  NSS Labs is known for having some good folks, and this report is far from the most outrageous speculation that’s been made so far, but it’s also going to require a lot more information before we can really make a claim like “a string of breaches stemming from this event.”  Dave Shackleford does a very good job of dissecting just how little we know so far in this story and why the ‘A’ in APT is a misnomer.

And finally, a story that may or may not have anything to do with what’s happening to RSA: Google is accusing China of messing with their stuff.  It’s kind of hard to trust your servers when you’re sending them to another country that has no compunctions about using any means necessary to ‘protect their citizens’.

Update:  And moments after I posted this @N0b0d4 posted a very good post by Steve Gibson dissecting the potential risks of this compromise for people using RSA SecurID tokens.  I’m not usually one of Steve’s biggest fans, but he’s taken apart the issues pretty well this time.
