Friday, October 26, 2007

The Heartbreak of Nondisclosure

Look what I've got in the test lab this week:

[photo: the unit without its front bezel]

It's a little more recognizable with the front bezel on it:

[photo: the unit with the front bezel on]
That's right, it's ArcSight Logger 2.0 beta! Alas, the non-disclosure agreement prevents me from telling you any more than that. OK, I'll also tell you that, much to my disappointment, the cool logo bezel does not light up.

Sunday, October 21, 2007

Addendum: If I Could Tell Your CISO 3 Things

On the issue of spending on monitoring versus prevention, I stand by what I said about spending on monitoring equal to prevention. But there's another point worth making that I missed the first time around. So, if I may, I'd like to tell your CISO another thing.

1b) Let the results of your 2007 monitoring determine what you spend your 2008 prevention dollars on. Simply put, no consultant, auditor, or magazine is going to know better than you what your security problems are. So, unless you still don't believe me about monitoring, don't let them tell you how to spend your money. (Remember that "deep packet inspection firewall" you bought in 2005? That's what you get for listening to a magazine.)

Set aside time each year to review what your big messes were as well as where your analysts spent the majority of their time. Then look at the market for technologies that can cut the amount of time your talent spends doing the same thing over and over by hand. Also look at technologies that can help you keep the promises you made under your breath to never let _____ happen again.

So while there may be no Security-ROI-Santa-Claus, comprehensive operational security is self-supporting. Leverage it to the maximum extent that you are able.

A Little Wi-Fi Hacking With Your Half-Caf Nonfat Mochachino?

So like, literally right now Vivek and Sohail from AirTight networks are presenting on a new attack on WEP at Toorcon. This new technique, cheekily dubbed Cafe Latte, attacks clients instead of access points. But according to an interview that the researchers gave prior to Toorcon, the attack can take from a few minutes to a few hours, making it no more efficient than existing techniques.

Cool research guys, but I guess the question I have is this. If I need to attack a mobile client instead of an access point in order to avoid detection by, I dunno, a wireless IDS of some sort - and I have to struggle with position and availability of the target, no less - won't I be shocked to discover that your technique works because this highly secure wireless network uses WEP?!

I'm just saying. Attacks against wireless clients in the field are interesting, and fertile ground for all sorts of cool hacks and lucrative crime. But - and maybe I'm missing the obvious here - I don't get it.

Monday, October 15, 2007

A Little YouTube Nostalgia

Nothing serious, just some computing throwbacks.

Remember when Bill Cosby sold computers? Or when Windows 1.0 came out? (Yeah, that is Steve Ballmer in the godawful jacket.) What about when Commodore 64 got a joystick? Did you even know that Atari made computers?

I had a TI-99/4A back in the day. With the 300bps acoustic coupler and the cassette storage cable to record my BASIC programs for later retrieval. I'm so friggin' old I could cry.

Friday, October 12, 2007

State Penn

I just got this story off of Engadget. It only has a little something to do with security, and my rant even less so.

Penn State has developed a high-security environment for students to take exams in. This is a total waste of technology. The point of this is to ensure that students cannot cheat on tests by using iPods or cell phones to store potential answers to questions. In my day, it was graphing calculators, and in my folks' day it was arms up shirt sleeves.

My point is not that invasive, high-tech monitoring can't work, though it probably can't. My point is that it only allows the continued perception of validity of the worst testing higher education has to offer - memorization. Computers are for data storage. Human minds are for imagination, applying concepts, and learning. None of this can be stored on an iPod. Professors who insist that students learn by regurgitating facts that can be digitized and retrieved with Ctrl-F only serve as a barrier to learning.

Wednesday, October 10, 2007

On George Clooney and HIPAA

Palisades hospital in New Jersey has suspended 27 employees for accessing actor George Clooney's medical record after he was treated there following a motorcycle crash. I don't disagree with the employees' suspension, but the hospital spokesperson told reporters, "What these individuals did was violate a HIPAA regulation. We cannot say that they actually released any of this information to the media."

It's clear that someone did leak to the media information from his medical record, but the hospital doesn't know who. Additionally, these employees had access to patient EMR data as employees of a covered entity (the hospital). So I'm picking a nit here, but I do believe the hospital has admitted that it doesn't know which of the 27 employees suspended, if any, actually violated HIPAA. As far as I can tell they were, under the law, authorized to view Clooney's medical record. Of course, what they did was still inappropriate, unprofessional, unethical, and probably a violation of hospital policy.

But perhaps the best-slash-worst part of this whole situation is that a union rep defending some of the suspended employees has been quoted as saying, "There are hospital obligations to have security systems so that a breach can't occur -- obviously that failed."

Tuesday, October 9, 2007

Phishing Secure Email Portals

Here's a new twist on an old scam:

[screenshot: the phishing message]
Lots of companies have implemented some form of "secure e-mail" solution. If you haven't seen this before, a user at Megabank or Gotham Hospital sends you a message about your personal information. Instead of arriving directly over SMTP (which is, among other things, as clear a text protocol as any), you receive a notification via SMTP that tells you to click on a link to a web site (encrypted with SSL) where you can log in and retrieve your message. This is extremely common in the health care vertical because the HIPAA Privacy Rule that went into effect in 2003 explicitly forbids sending personal information unencrypted over the Internet.

So it makes perfect sense that these portals are worth phishing - they are almost guaranteed to contain some sort of valuable data. But it got me thinking about something else. I work in the health care vertical, and we have a secure e-mail solution in place. And when we evaluated products a few years ago, we discovered some sort of session handling flaw in better than half of the products we looked at. Not to mention that a number of the vendors out there support what can only be described as a "letter-of-the-law" configuration*.

Anyway, I wonder if phishing is all that necessary for sites like these. I would bet that there are enough vulnerabilities in enough of these portals that hacking them straight up is a better bet for the criminals that want the dumps to sell on IRC. Especially since some of the third-party products out there are appliances that insist on SSL termination at the appliance. What's that mean to a hacker? A blind spot to the IDS plus permission from the firewall. Oh, and we all know how good the logging on an appliance like that is bound to be.


* In this mode, the portal sends a link that contains a hash of some kind. Send that link back with the valid hash, view the message. Well, technically, the private data's not sent unencrypted. Instead, a link to the private data is sent unencrypted. If you have deployed something like this and you feel that you can justify it, I'd love to hear from you. Obviously there was enough demand for it since most of the vendors in this space have something like it.
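The two retrieval models contrasted in the footnote, as an added example (this is not code from the post, and it does not model any particular vendor's product): a toy Python portal that can run in a "link-only" mode, where the notification link alone returns the message, or in a "link-plus-login" mode, where the link merely names the message and the reader must also hold a session for the intended recipient. The portal hostname, user names, passwords and message text are all constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed demo user store: username -> (salt, PBKDF2-SHA256 hash).
# A real portal would look these up in a directory or database.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-demo-salt"
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "patient42": (_SALT, _hash_password("correct horse battery staple", _SALT)),
    "patient77": (_SALT, _hash_password("another-demo-password", _SALT)),
}


class SecureMessagePortal:
    """Toy 'secure e-mail' portal (assumed design, not any vendor's).

    mode="link-only":       the notification link by itself retrieves the
                            message (the footnote's letter-of-the-law setup).
    mode="link-plus-login": the link only identifies the message; the caller
                            must also present a session for the recipient.
    """

    def __init__(self, mode: str):
        if mode not in ("link-only", "link-plus-login"):
            raise ValueError("unknown mode")
        self.mode = mode
        self._messages: Dict[str, Tuple[str, str, float]] = {}  # token -> (recipient, body, expiry)
        self._sessions: Dict[str, str] = {}                    # session id -> username

    def store_message(self, recipient: str, body: str, ttl_seconds: int = 3600,
                      now: Optional[float] = None) -> str:
        """Store a message; return the link that goes out in the plain-SMTP notification."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable, single-purpose message reference
        self._messages[token] = (recipient, body, now + ttl_seconds)
        return f"https://portal.example/read?token={token}"  # constructed hostname

    def login(self, username: str, password: str) -> Optional[str]:
        """Check the password in constant time and hand back a session id on success."""
        record = USERS.get(username)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, _hash_password(password, salt)):
            return None
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = username
        return session_id

    def retrieve(self, link: str, session_id: Optional[str] = None,
                 now: Optional[float] = None) -> Optional[str]:
        """Return the message body, or None when the request is not authorised."""
        now = time.time() if now is None else now
        token = link.rsplit("token=", 1)[-1]
        entry = self._messages.get(token)
        if entry is None:
            return None
        recipient, body, expires_at = entry
        if now > expires_at:
            return None  # an expired link is useless in either mode
        if self.mode == "link-only":
            return body  # whoever holds the link reads the message
        # link-plus-login: the link names the message, the session names the reader
        if session_id is None or self._sessions.get(session_id) != recipient:
            return None
        return body


def observed_link_discloses_message(mode: str) -> bool:
    """Model the footnote's concern: the notification (and its link) crossed the
    Internet unencrypted. True means a party holding only that link can read the
    private message; False means the link alone is not enough."""
    portal = SecureMessagePortal(mode)
    link = portal.store_message("patient42", "constructed: your lab results", now=1_000_000.0)
    return portal.retrieve(link, now=1_000_000.0) is not None
```

In link-only mode the link is a bearer credential, so the confidentiality of the message is exactly the confidentiality of the notification e-mail, which is what the footnote is pointing at. In link-plus-login mode the same link only tells the portal which message is being asked for; a session for a different user, a missing session, or an expired token all return nothing.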

Monday, October 8, 2007

If I Could Tell Your CISO 3 Things

This is me on my soapbox. Preaching to the choir.

1. Buy more monitoring.
It's necessary to spend security dollars on prevention and protection technologies. But it's very easy (and thus very common) to overspend on these technologies as well. Budget and spend at a prevention-to-monitoring ratio of 1:1. Security monitoring is the cornerstone of security response, and in many ways response is more important than defense.

Think of it this way. As CISO, you are the mayor of Securityville, which is on the border of North Korea, Iran, Chechnya, Darfur, and Canada. When you spend on prevention products, you are buying fences and sprinklers to keep bad guys out and keep fires from spreading. When you don't buy monitoring tools, you lack cameras and smoke alarms to tell you that the fence has a hole in it and everything is on fire. To say nothing of the police and firefighters. Which brings me to...

2. Hire more firefighters.
And by firefighters I mean security analysts that can monitor for and respond to security incidents. In 2007, if you haven't experienced a security breach yet, you probably don't believe me when I tell you it's an inevitability. But when you reread this 2 months from now, you'll know I'm right. Or you'll smugly chuckle at how this post is all FUD while Chinese hackers rifle through your e-mail unhindered. Either way, if your security folks are all busy managing firewalls and doing vulnerability scans and nobody's monitoring your network, then you can't argue my point because you don't even know that you've been pwned.

Also, hire good people. Talented people. Security monitoring is not a help desk job, so you can't pay help desk pay for it. I'm proud of our team's incident turnaround time and ecstatic about the fact that in most cases we detect and respond to incidents before the impacted employees are aware there's a problem. But this is the natural order of things, because...

3. Security is not everybody's job.
So stop saying it is. Cindy's job is processing expense reports. Tom's job is developing new client accounts. Jim's job is, well, I don't know what Jim does, but he runs Fantasy Football each year, so he can stay. Oh, right, back to you and how security is your job.

If you want employees to act securely, then you must do the (very unpopular, unfriendly, unfun) job of writing and by God enforcing data security policies. It's really cool if you can write them, design the oversight and monitoring controls, and then hand enforcement over to the compliance or audit departments. Then you'll still get invited to happy hour every once in a while. But not by Jim. He's not talking to you since he was written up for distributing NCAA brackets printed on the blank side of old payroll reports.

Wednesday, October 3, 2007

Is Your IP Address Personal Info?

According to a German court it is. (via Eric Fitzgerald's blog)

The remedy that this ruling implies - not retaining the IP addresses of a web site's visitors beyond the duration of the user's session - is either unsustainable or crippling to site security.

If it becomes standard practice in Germany to not log IP addresses anywhere for any length of time, they will essentially be declaring open season on themselves. There will be no network evidence trail and therefore no case to prosecute. I can't imagine it'll come to that, but it is interesting to ponder.

Tuesday, October 2, 2007

Paris Got a Raw Deal

OK, so this might be proof that Paris Hilton's prison sentence was too harsh. An MIVD official (read: high ranking Dutch spy) was sentenced at The Hague for losing some part of an NSA intelligence feed he had access to in his role (as a high ranking Dutch spy). The sentence? 120 hours of community service. So, uh, I guess if you live in Utrecht, keep an eye out for a guy in a tuxedo picking up trash along A27.

TJX: A Glimmer of Clue?

This is the first time I've heard anyone say anything about TJX doing something about their network security posture. But read between the lines here. WEP has been thrown under the bus, they've implemented WPA, but all of these credit card numbers lived in a database.

Is it safe to assume that the sa or sysdba password was different than the WEP key? OK, then maybe WEP wasn't the only problem? It's disingenuous to make WEP the scapegoat for what is a larger security failure. But, hey, at least they're using WPA now. Anybody taking bets as to whether or not it's WPA-PSK?