Wednesday, January 31, 2007

Getting Security Training Right

In early 2005, Marcus Ranum wrote an editorial in which he decries, among other things, security training for end users. His position, summarized, is, "If it was going to work, it would have worked by now." And here's the thing - mjr is a REALLY smart guy, and I respect the hell out of him. If he had a blog, I'd read it. I let Information Security Magazine kill trees in my name for the sole purpose of reading his editorials.

But on this issue, I think he's selling human beings short. The problem is that for training to work, you have to get it right. That begins with not requiring corporate security training for your employees. WTF, you say?! You train them on security by not training them on security? Bear with. The trick to successful training is connecting people to information that they want. Your users don't want corporate security training because corporate security isn't their job.

I have found that one of the best ways to get users interested in computer security is to point out that, when they go home at 5pm, so do I, and they don't live with me. So they're on their own. And by offering classes on home computer security, I've had a good deal of success in getting people interested, presenting topics that are relevant, and helping them understand what they can do - both technically and behaviorally - to be safer when online. So here's the outline for my class:

  • Why Hackers Want to Hack You
    • Money
    • Organized Crime Stats
  • Threats You Face
    • Viruses / Worms
    • Trojans / Bots & Botnets
    • Spyware / Adware
    • Spam
    • Phishing
  • Self-Defense
    • Software
      • Antivirus
      • Firewall
      • Windows Auto-Update
      • Anti-Spyware Tools
      • IPS
    • Manual Self-Defense
      • E-Mail
      • Safe Browsing
      • IM / Chat
      • Passwords
  • Personal Safety Online
    • Protecting Your Personal Info
    • Resources for Kids/Teens
    • When to Contact Law Enforcement
  • Q&A

So do you notice anything about the topics covered? If you were going to put together a user-facing training class on security issues, how much crossover would there be between your class and mine? After 1 year of offering this class (and having to schedule an extra class due to demand), I am pleasantly surprised to report that it works. Some of the folks that have taken my class have come to me with information regarding security issues in our workplace. I like to think it's because they're starting to think like a security professional - irrationally paranoid, but for good reason.

Friday, January 26, 2007

From Russia, With Malice

And I'd like to cap my week with something useful. It's a pair of simple Snort rules that will detect a packed executable downloaded via HTTP, which these days is nearly always some IE-sploited downloader.

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"LOCAL Packed Executable Download via HTTP 1"; flow:from_server,established; content:"|4D 5A|"; content:"|50 45 00 00 4c|"; distance:10; classtype:trojan-activity; sid:9000090; rev:3;)

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"LOCAL Packed Executable Download via HTTP 2"; flow:from_server,established; content:"|4D 5A 50|"; content:"|50 45 00 00 4c|"; distance:250; classtype:trojan-activity; sid:9000091; rev:1;)

*Note: The ginormous sid values are from the range that I use internally at work. It's otherwise meaningless.

Edited 1/30: Fixed false positive issue w/ GMail cookies
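To make the rule logic concrete, here is an added example (not from the original post) that approximates Snort's relative-content matching in Python, runs both rules over constructed sample payloads, and adds a stricter triage check that reads e_lfanew at offset 0x3C to confirm the PE header is really where the DOS header says it is. The build_stub helper and the sample payloads are assumptions of mine, not captured traffic.

```python
import struct

# Approximates Snort's relative content matching: `second` must begin at
# least `distance` bytes after the END of the `first` match (no `within`,
# so the search runs to the end of the payload).
def snort_content_chain(payload: bytes, first: bytes, second: bytes, distance: int) -> bool:
    start = 0
    while True:
        a = payload.find(first, start)
        if a == -1:
            return False
        if payload.find(second, a + len(first) + distance) != -1:
            return True
        start = a + 1  # try the next occurrence of `first`

# The two rules from the post: "MZ"/"MZP" DOS signature, then "PE\0\0" + 0x4c
# (IMAGE_FILE_MACHINE_I386 low byte) at the stated minimum distance.
RULES = {
    9000090: (b"MZ", b"PE\x00\x00\x4c", 10),
    9000091: (b"MZP", b"PE\x00\x00\x4c", 250),
}

def matching_sids(payload: bytes) -> list:
    return [sid for sid, (a, b, d) in RULES.items() if snort_content_chain(payload, a, b, d)]

def pe_header_offset(payload: bytes):
    """Stricter triage check: follow e_lfanew (DWORD at 0x3C) and confirm
    'PE\\0\\0' sits there. Returns the offset, or None if it is not a PE."""
    if len(payload) < 0x40 or payload[:2] != b"MZ":
        return None
    off = struct.unpack_from("<I", payload, 0x3C)[0]
    return off if payload[off:off + 4] == b"PE\x00\x00" else None

def build_stub(pe_off: int, dos_sig: bytes = b"MZ") -> bytes:
    """Constructed sample: minimal DOS header + i386 PE signature at pe_off
    (hypothetical helper; 0x40 mimics a packer's short stub, 0x100 a longer one)."""
    buf = bytearray(pe_off + 24)
    buf[:len(dos_sig)] = dos_sig
    struct.pack_into("<I", buf, 0x3C, pe_off)
    buf[pe_off:pe_off + 6] = b"PE\x00\x00\x4c\x01"
    return bytes(buf)

if __name__ == "__main__":
    print(matching_sids(build_stub(0x40)))            # short stub: sid 9000090 only
    print(matching_sids(build_stub(0x100, b"MZP")))   # Borland-style stub far out: both sids
    # Constructed false positive: text that happens to contain both byte strings
    fp = b"MZ" + b"A" * 70 + b"PE\x00\x00L"
    print(matching_sids(fp), pe_header_offset(fp))    # rule fires, e_lfanew check says "not a PE"
```

The e_lfanew check is what an analyst can apply to the captured payload after the alert fires; it rejects the cookie-style false positive the rule alone cannot distinguish.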

Gonna be famous

Not really, but I finally did a TV news piece I'm proud of.

If you're in West Michigan, WOOD TV8 (and probably WOTV 4) will be airing a news piece on wireless security with me, Matt Carpenter of Intelguardians, and Dick Murray of the US Attorney's office. Despite the potential for overuse of the term 'wardrive,' we talked about and demonstrated MitM attacks against wireless clients. Hardly rocket science, but hopefully it opens some eyes. And it's certainly cooler than Kismet with a cantenna (though we did that, too).

Plus it was great to work with Matt and Dick. I always feel like I gain IQ points by osmosis when I talk with Matt. He's teaching Hacker Techniques at SANS Detroit at the end of February. You should go.

UPDATE: The story will air during the news at 11pm EST on Thursday 02/01/2007

First post!!!!!!1`11one

I just always wanted to be 'that guy', and I haven't read Slashdot at 2am since... ever. So this was my only chance.