Showing posts with label blaggleblaggle. Show all posts

Monday, June 1, 2009

New Rules

After many months off, I'm jumping back into the blog with both feet. Mostly in a Howard Beale sort of way. Didja miss me? Anyway, stealing a meme from Bill Maher, I've got something to say to security vendors. Without further ado, New Rules.

If you are a vendor, especially a vendor of security products or services, these are the rules I expect your product to follow. These are common sense, and I feel a little condescending telling them to you. But if recent experience is any indicator, you need to hear them. And you deserve the condescension.

  1. Do not store credentials in clear text! Seriously, you can get free libraries to hash credentials or store them in a secure container file that requires a secret key. There's no reason for a password to be in a text file or HKLM Registry key. None.
  2. Do not hardcode passwords! If I can't change every single password associated with your product simply and easily, then there should be a law that strips all of your developers of any degree they hold and forces them to go back to college and learn file IO methods.
  3. Do not use HTTP/Telnet/FTP/LDAP for authentication! Seriously, more than enough free libraries for SSH, TLS, IPSec exist. Use one. Or buy the one you really like. It beats having to issue a "patch" to sell to government and regulated industry.
  4. Don't run as root/SYSTEM/sa/DBA! Your product is not so special that it actually needs administrative privileges to run on the server or database that hosts it. Unless by "special" you mean "coded by lazy fools that don't want to define even the most basic security model." OK, then it is special.
  5. Don't use broken crypto algorithms! Sorry, but if you are shipping new product that uses 56-bit DES, RC4, or ROT13, please see rule #3.
  6. Don't send passwords in e-mail! Remote password reset is easy enough to do properly; there's no reason to be lazy and just send me my password if I forget it. Also, it means you're breaking rule #1. Busted.

There are no excuses for any product to not follow these rules, but especially security/compliance products. Gee, thanks. I just spent six figures on a product to help me manage or achieve compliance, and the product itself can't comply with the regulation I'm trying to address.
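As an added illustration of rules 1 and 6 (example code, not the author's), here is how a product can store credentials salted and hashed and handle a forgotten password without ever holding, or mailing, the clear-text password. The PBKDF2 iteration count, the token lifetime and the in-memory user store are assumptions made for this example.

```python
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 600_000  # assumption: tune to your hardware and threat model
RESET_TOKEN_TTL = 15 * 60    # assumption: seconds a reset token stays valid


def hash_password(password, salt=None):
    """Rule 1: store a salted hash, never the password. The record is
    self-describing: algorithm$iterations$salt_hex$digest_hex."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class UserStore:
    """In-memory stand-in for the product's account database (constructed)."""

    def __init__(self):
        self.users = {}   # username -> password record
        self.resets = {}  # sha256(token) -> (username, expiry timestamp)

    def create_user(self, username, password):
        self.users[username] = hash_password(password)

    def login(self, username, password):
        record = self.users.get(username)
        return record is not None and verify_password(password, record)

    def begin_reset(self, username, now=None):
        """Rule 6: the server cannot mail the password back because it never
        had it. Instead it issues a random, short-lived, single-use token and
        stores only the token's hash."""
        if username not in self.users:
            return None  # respond identically to the caller to avoid user enumeration
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        self.resets[token_hash] = (username, (now or time.time()) + RESET_TOKEN_TTL)
        return token  # goes into the e-mailed reset link, never the password itself

    def complete_reset(self, token, new_password, now=None):
        """Consume the token (single use), reject it if expired, set the new hash."""
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        entry = self.resets.pop(token_hash, None)
        if entry is None:
            return False
        username, expiry = entry
        if (now or time.time()) > expiry:
            return False
        self.users[username] = hash_password(new_password)
        return True
```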

Monday, January 19, 2009

The Next Phase

For those of you who haven't given up on my blog (or forgot it was still in your feed list), I want to let you know that I will be back to it later this year. More punditry, more metrics, more SIM, more cool random technical stuff. I'll try anyway. I've been missing it, but I had too much going on, had to prioritize, and this blog has rusted as a result.

A lot has changed since my last blog post in November - a new position at work, a new baby daughter - and the one thing that I've come to realize is that changing is hard work, but if you want it, it's worth it. There's been an excessive amount of talk about change this past year, and on the eve of President Obama's inauguration, I've decided to share with you this story of a moment I had recently.

On November 5th, the day after Election Day 2008, I spoke at the SecureWorld Expo conference in Detroit. I've been in West Michigan for the past several years, but I used to live and work on the East side of the state. It was a gorgeous Wednesday, clear and unseasonably warm for November. And as I was driving westbound on I-96, into the dusk between me and the sunset, I looked up and found myself in familiar territory - Webberville.

You've probably never heard of Webberville, Michigan. That's OK. It's a rural town on the automotive corridor where in the 1990s, companies got huge tax breaks to buy up farmland and build factories. And in 2001, I had an office in one of those factories. That company (a "Tier One" in industry lingo because we sold directly to car makers), like many automotive suppliers, has since gone out of business. And despite working there only a year, I have some very fond and vivid memories of that job. Perhaps the most vivid, however, is driving that stretch of I-96 between Webberville and Wixom and hearing the radio newscaster describe the second plane hitting the World Trade Center on 9/11.

That day changed everything for Americans. I was living in the Midwest, working in a one-story office that had highway on one side and cows on the other, but for the weeks that followed the attacks, I was afraid. We all were. I recall making that drive to Webberville again a week later while all of the planes were still grounded and thinking to myself, "How long until we recover? Can we recover? What will it take for us to move forward?"

Not get over it. Not forget. But move forward - take the next step as a society, as a culture, as a country.

So back to 11/5/2008, and my drive home from SecureWorld, less than 24 hours after learning that Barack Obama - a young, African-American man - would be our next president. And it was there, on that piece of highway in rural Michigan that I answered my own question. Seven years and two months later, I knew America was moving forward. We were moving forward.

Friday, September 5, 2008

Visual Analysis of 'Ideas in Security'

Amrit Williams, former Gartner analyst and CTO at BigFix, is one of the bloggers that I follow regularly. Amrit's a very smart guy and I respect what he has to say. He recently wrote a pair of blog posts (here and here) that complement each other.

Now, in the details of what he has to say, Amrit and I are in agreement. But I got to thinking about the second post and how it relates to the first post. And, well, I fired up Visio and mapped the relationships between Amrit's greatest and worst ideas lists.

If we look at the great ideas that didn't spawn or perpetuate the worst ideas, then we're not left with much. Just segmentation and theory of least privilege. If we drop out planning and segmentation because they're not actually security ideas - just good ideas that work lots of places - we're left with Theory of Least Privilege as the one great idea to come out of security. Oddly, that seems about right.

Wednesday, July 16, 2008

Coffee Shop Warfare

It seems like I can't go to a coffee shop, conference center, or bar these days without some jackass on the network abusing the bandwidth. Running MMO games, BitTorrent, gnutella, or even just a large FTP/HTTP download will saturate the wireless access point, let alone the modest DSL line it's connected to, rendering it unusable for the other patrons there. This is just plain rude. And since the barista can make a mean caramel cappuccino, but doesn't have the ability to blacklist your MAC on the AP (which I realize isn't a very effective control, but hey - maybe you'd get the message then?), we're all stuck to suffer.

And I wouldn't do anything hostile on a public network. But in the name of network self-defense, there are a couple of tools you might want to take with you to the coffee shop next time.

  • Wireshark - The quickest, easiest way to identify the abuser's MAC/IP is with a sniffer like Wireshark, tcpdump, or iptraf.

  • Snort - Snort with flexresp2 enabled, bound to your wireless interface, and the p2p.rules set enabled and modified with "resp:reset_both,icmp_host" is an effective deterrent for people using P2P file-sharing software.

  • Ettercap - More severe than Snort, you can use Ettercap to perform ARP poisoning and essentially blackhole the client(s) of your choice by MAC address. You could also use this tool to sniff unencrypted traffic between clients and the AP (and points beyond). But you wouldn't do this. It would be uncivilized, and possibly illegal.

There are lots of other wireless tools out there that have some application here, but many of them either go too far to be civil (Void11) or legal (Hotspotter), so I don't recommend them. For that matter, what I do recommend is getting your own EVDO card. Then you don't have to put up with rude WiFi users in the first place.

Tuesday, July 15, 2008

A Conversation With My Wife

My wife was at her mother's tonight when she caught me on GMail chat. This is the log of that chat, unedited:

Jessica: boo!

me: hey there

Jessica: hey baby!
Just looking at my mom's task manager, she has a ton of stuff running
including a bunch of exe files

me: that's all you should see in task manager - exe files

Sent at 10:28 PM on Tuesday

Jessica: how amobile deviceservice.exe, alg.exe, msmsgs.exe, searchprotection.exe, jusched.exe, E-S10IC1.exe
all of these are listed under "Administrator"

me: some of those are fine
type them into google
liutilities.com
searchprotection.exe sounds suspicious
don't log into the bank or anything

Jessica: why would there be 4 svchost.exe's?

me: that's typical

Jessica: or services.exe
winlogon.exe

me: both fine

Jessica: csrss.exe

me: also fine

Jessica: smss

me: seriously
google

Jessica: mDNSR

me: that sounds suspicious

Jessica: I don't need no stinkin google, I have you
:)

me: meh
Sent at 10:33 PM on Tuesday

Monday, July 14, 2008

When is a Security Event Not a Security Event?

When it's also a beer event, of course!

July's GRSec meetup will be Wednesday, 7/23/08. The reason for the Wednesday date is two-fold. First, Tuesdays don't work for everybody, so we're switching it up over the summer to see if we can get some fresh faces out to GRSec. Second, this month we're at the new Graydon's Derby Station, and that particular evening, they will be tapping a cask of Victory Hop-Devil IPA.

If that's not enough reason for you to be there, then I don't know who you are anymore, man! I don't know you at all...

Details & Map

Wednesday, March 19, 2008

B(uste)D+

Apparently, SlySoft's new release of AnyDVD has the ability to strip BD+, the Blu-ray DRM scheme that has gotten some very credible acclaim.

It turns out that one of the folks behind BD+, Nate Lawson, is giving a talk on DRM at RSA next month. I'm interested to see what Nate has to say about BD+ being broken. That's why I asked him. :-)

Friday, February 15, 2008

14.4Kbps Nostalgia

I've got some decent display real estate on my desk, roughly 576 square inches total, so choosing background wallpaper is not a task I typically proceed into lightly. Well, last week, my selection of background aesthetic was undertaken a bit hastily. There was fallout. In what can only be described as a Bostonian fashion, Aqua Teen Hunger Force was once again poorly received. This time by my co-workers.

So today I went to DeviantArt looking for some new wallpaper, and stumbled upon these:

They're ANSI art, all done by Thor (iCE), for BBSes I used to call back when I was in high school. Legion HQ was the place, too. No real names. Just teaching each other random bits of knowledge and (mostly) cursing each other out like the angsty, angry misfits that we were. I didn't know it then, but I made some good friends during this time. I still keep in touch with a few, 14 years later. But whatever happened to Evil Dude?

Anyway, it's cool to see these again. They remind me of a much simpler time... of Desqview and Telix, of Pascal and WordPerfect, of Kings Quest and fractint, of 2600 meetings and boot sector viruses. It was all new back then. I was all new back then.

Sometimes in life, every few years or so, you stop and look back at who you used to be. The long blue hair has been replaced with short hair that's starting to speckle grey. I still listen to the same music, but it's not cool anymore. But I think that, aside from having never gotten a tattoo, the 16-year-old I used to be would've been pretty jazzed to see how his life turned out.

Monday, February 11, 2008

ARST

Associated Press article via CNN Money. It's pretty favorable about this week's ArcSight IPO. Frankly, I don't care that much about their going public. I only like to blog about it because it's a thumb in Mike Rothman's eye. :-)

Friday, December 21, 2007

On a Lighter Note...

Say what you will about Bill Gates, but sometimes he does something that you just have to admire. According to Reuters, he's recently acquired a stake in FEMSA Cerveza, a Mexican beer and soft-drink conglomerate. Mexican beers don't often make it to the top of a beer snob's list, but for my taste, Bohemia is one of the better pilsners out there. Plus, it's usually cheaper than, say, Pilsner Urquell. And cheap beer is good beer when it's also good beer.

Friday, December 7, 2007

2008 Security Blog Predictions

Predictions seem to be a less popular topic this year than they were last year when nearly everybody with a blog made a stab at security predictions for 2007. There are still a few who have dusted off their crystal balls and taken a stab at it.

My blog wasn't up and going last year, so there are no poorly made guesses about security trends out there for you to hold me accountable for. This year will be no different. Instead, I present to you, dear readers...

My 2008 Security Blog Predictions

  1. MSRC will continue to only post on the 1st Thursday and 2nd Tuesday of each month.
  2. Matasano will burn up their clients' 2007 budgets and start posting again in January.
  3. Richard Bejtlich will still be the only guy blogging about network taps.
  4. Raffy will still be the only guy talking about AfterGlow, even though it works with Snort and Greg Hoglund used it in his new debugging tool.
  5. Nate Lawson's blog will be surpassed by Chris Eng's as the most difficult to digest. Especially if Nate keeps posting exclusively about vintage computers and BaySec.
  6. The Wired Support Intelligence blog will finally be declared abandoned and taken offline.
  7. People will continue to read Schneier's blog, even though it's just Bruce riffing one-liners on 2-week old articles.
  8. I will finally read WebSense Labs' blog regularly because they will add an RSS feed.
  9. I will finally blog about my experiences upgrading ArcSight 3.5 to 4.0, because my hardware will eventually arrive and I will finally be able to do the upgrade.
  10. ...and last but not least, security blogging will continue to really just be all about Google page rank.

Thank you, and good night.

Monday, November 5, 2007

For the Paranoid

Been too busy to blog lately. Got a few things half-ready to post. Just need to find the time, motivation, and answers to get them posted. So this is just a proof-of-life post, I guess.

This story from Radar Mag made my day, sort of. It's an excellent story, but if you're paranoid like me, it may take you some place you'd rather not go. Maybe I should move my blog to typepad. :-)

Monday, October 15, 2007

A Little YouTube Nostalgia

Nothing serious, just some computing throwbacks.

Remember when Bill Cosby sold computers? Or when Windows 1.0 came out? (Yeah, that is Steve Ballmer in the godawful jacket.) What about when Commodore 64 got a joystick? Did you even know that Atari made computers?

I had a TI-99/4A back in the day. With the 300bps acoustic coupler and the cassette storage cable to record my BASIC programs for later retrieval. I'm so friggin' old I could cry.

Monday, October 8, 2007

If I Could Tell Your CISO 3 Things

This is me on my soapbox. Preaching to the choir.

1. Buy more monitoring.
It's necessary to spend security dollars on prevention and protection technologies. But it's very easy (and thus very common) to overspend on these technologies as well. Budget and spend at a prevention-to-monitoring ratio of 1:1. Security monitoring is the cornerstone of security response, and in many ways response is more important than defense.

Think of it this way. As CISO, you are the mayor of Securityville, which is on the border of North Korea, Iran, Chechnya, Darfur, and Canada. When you spend on prevention products, you are buying fences and sprinklers to keep bad guys out and keep fires from spreading. When you don't buy monitoring tools, you lack cameras and smoke alarms to tell you that the fence has a hole in it and everything is on fire. To say nothing of the police and firefighters. Which brings me to...

2. Hire more firefighters.
And by firefighters I mean security analysts that can monitor for and respond to security incidents. In 2007, if you haven't experienced a security breach yet, you probably don't believe me when I tell you it's an inevitability. But when you reread this 2 months from now, you'll know I'm right. Or you'll smugly chuckle at how this post is all FUD while Chinese hackers rifle through your e-mail unhindered. Either way, if your security folks are all busy managing firewalls and doing vulnerability scans and nobody's monitoring your network, then you can't argue my point because you don't even know that you've been pwned.

Also, hire good people. Talented people. Security monitoring is not a help desk job, so you can't pay help desk pay for it. I'm proud of our team's incident turnaround time and ecstatic about the fact that in most cases we detect and respond to incidents before the impacted employees are aware there's a problem. But this is the natural order of things, because...

3. Security is not everybody's job.
So stop saying it is. Cindy's job is processing expense reports. Tom's job is developing new client accounts. Jim's job is, well, I don't know what Jim does, but he runs Fantasy Football each year, so he can stay. Oh, right, back to you and how security is your job.

If you want employees to act securely, then you must do the (very unpopular, unfriendly, unfun) job of writing and, by God, enforcing data security policies. It's really cool if you can write them, design the oversight and monitoring controls, and then hand enforcement over to the compliance or audit departments. Then you'll still get invited to happy hour every once in a while. But not by Jim. He's not talking to you since he was written up for distributing NCAA brackets printed on the blank side of old payroll reports.

Thursday, September 6, 2007

Firing Up The Rumor Mill

So last week we saw the first post from a new MSDN blog - "hackers @ microsoft." It's in my RSS feeds for now. Microsoft hiring hackers is hardly a newsworthy rumor. It's pretty much common knowledge. The big success story of infosec has been Microsoft's product turnaround over the past 5 years. The message there, that you as an infosec professional should take back to your organization, is that throwing money at security works. So tell them to throw more money at you and your projects.

The rumor I want to start has to do with the hiring of new hackers by Microsoft. Specifically, I'm going to loudly whisper that Microsoft may have hired Mark Litchfield. Here's the evidence I have compiled:

1) Mark was supposed to teach at BlackHat with his brother David, but couldn't. According to David, he was denied entry into the US because Customs felt he may have abused the visa waiver program (like Halvar). Apparently, the reason for his frequent trips to the US prior to BlackHat had to do with purchasing a house in WA.

2) But maybe Mark is moving to the US to focus on growing NGS in the states, you say. Except that NGS already has its US headquarters in Dallas.

3) If you dig around in bugtraq archives, you will see that Mark has published vulns in all variety of Microsoft products, from 2003 Server to SQL Server to IIS to IE to Outlook. Of course, Mark has spent a good amount of time publishing vulns in Oracle products as well. But Oracle's not headquartered in Washington. Microsoft is. Plus, Oracle still doesn't "get it." Microsoft does.

Saturday, April 7, 2007

Sparty On!

http://www.ncaasports.com/icehockey/mens/recaps/d1_0407_01/2007/2007

At least there's 1 NCAA champion in Michigan. Yeah, I said it. Go Green!

Friday, March 9, 2007

Who Names These Things?

Yesterday, the SEC launched Operation Spamalot to combat pump-n-dump stock fraud that utilizes spam to artificially 'pump' some penny stock price. Aside from thinking that the name is atrocious and feeling sorry for Eric Idle, I think this is a good idea. Pump-n-dumps are an old trick, only the spam part is new.

So starting today, if your stock symbol shows up in spam, the SEC will suspend trading of your stock. They've already suspended 35 companies.

Aviram Jenik at Securiteam is concerned that this could be used to perform DoS attacks against bigger stocks. While technically possible, it's unlikely for a number of reasons. First, unlike firewalls receiving shun commands from IDS sensors, there will be people making these decisions. Second, if you look, it's pretty easy to see a pump-and-dump on paper. I collected some examples from stock spam I got this morning for you to look at. I'll bet you can see one way to differentiate them from the big boys right off the bat. The trading history tells the rest of the story.

LVCC.PK
CEOA.PK
NNCP.PK

Tuesday, February 13, 2007

I am SO NOT a developer

I came up in IT as a sysadmin, and though I have a few semesters of formal education in C and C++, what I know best are scripting languages - MS-DOS batch, UNIX shell, and Perl.

There is an undeniable trend toward the widespread use of Python in the infosec industry. I was finally convinced of this when I recently got a sneak peek of a commercial app that is going to offer a Python stepping interface to its scanning engine. Very cool. And we bought it... so, I better learn how to use it.

To prepare myself, I wrote my first Python program. It replaces a shell script hack that I wrote a year or two ago that basically does bulk DNS reverse-lookups on large IP ranges. To be cool, and to prepare for working with a scanning engine, I decided to use threading.

I've been working on it in small bursts over the past two weeks, and as of this morning I have something that works very well. I also have to say, it wasn't much harder than working with Perl. It took a little Googling to find the dnspython libraries, which I used instead of writing my own DNS query code. Once I had that working, the rest was pretty straightforward. Using threading was painless, and well worth the effort. Compared to the shell script it replaces, the Python program is smoking fast, as you would expect.

Mostly this post is me patting myself on the back, but what I wanted to impart to the other non-coders that might read this is that if I can muddle out 20 lines of working Python code, you can too.
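The tool described above, rebuilt as an added example (not the author's script): a threaded bulk reverse lookup over an IP range, useful for inventorying your own address space. It uses the standard library's `socket.gethostbyaddr` in place of the dnspython query the post mentions, and takes a pluggable `resolver` so it can be exercised without network access; the pool size and the 192.0.2.0/29 sample range are assumptions.

```python
import ipaddress
import socket
import sys
from concurrent.futures import ThreadPoolExecutor


def reverse_lookup(ip, resolver=socket.gethostbyaddr):
    """Return (ip, hostname) or (ip, None) when no PTR record exists.
    `resolver` must behave like socket.gethostbyaddr: return a tuple whose
    first element is the canonical name, or raise OSError on failure."""
    try:
        return ip, resolver(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return ip, None


def bulk_reverse_lookup(cidr, workers=32, resolver=socket.gethostbyaddr):
    """Reverse-resolve every host address in `cidr` concurrently.

    Each lookup blocks on the network, so a thread pool (rather than one
    sequential loop, as in the shell-script version the post replaced) keeps
    `workers` queries in flight at once. Returns {ip: hostname_or_None}."""
    network = ipaddress.ip_network(cidr, strict=False)
    hosts = [str(h) for h in network.hosts()]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        # Consume the results inside the `with` so all threads finish here.
        return dict(pool.map(lambda ip: reverse_lookup(ip, resolver), hosts))


if __name__ == "__main__":
    # Usage: python revdns.py 192.0.2.0/29  (the default range is documentation space)
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.0/29"
    results = bulk_reverse_lookup(target)
    for ip in sorted(results, key=ipaddress.ip_address):
        print(ip, results[ip] or "-")
```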

Friday, January 26, 2007

First post!!!!!!1`11one

I just always wanted to be 'that guy', and I haven't read Slashdot at 2am since... ever. So this was my only chance.