Saturday, July 11, 2009

Interesting Post on Data Breaches

A little behind in my reading...I just read a post by Bryan Sartin at VerizonBusiness.com. The post is a good read, but one thing stuck with me. Bryan states...

"I would estimate that payment cards represent as little as 1.2 – 1.5 percent of all data thefts. The remaining 98.x percent being occupied primarily by personally identifiable data (PII), then account credentials, company-proprietary data, and a few other categories in a distant fourth and fifth by incidence...When stolen, payment card data tends to lead to fraud. That’s the whole point of stealing it. The ensuing fraud is detectable and fraud analysis and detection tools have made it almost elementary to identify the likely source of a suspected payment card breach for almost 10 years."

The point is that compromises of payment card information are rarely detected by the company that lost the card data. Rather, the breach is detected by the payment card industry and traced back to the company through the resulting fraud and the analysis tools the payment card industry uses.

No similar capability exists to trace the source of lost personally identifiable information, account credentials, intellectual property or other data.

Would you even know if your company was breached?

Sunday, May 17, 2009

Seth Godin on Tribes

Somebody recently put me on to the TED talks. I have been through several, but one that has intrigued me is Seth Godin on Tribes. In a nutshell, what Mr. Godin is saying is that the Internet gives anyone with an impassioned cause the capability to create a movement, or a tribe of people, to spread their message.

Definitely worth a listen.

Wednesday, February 04, 2009

Mandiant Memoryze Review and other free Mandiant Tools

In follow-up to my ISC diary of January 2nd, Russ McRee of holisticinfosec.org has published his review of Mandiant's Memoryze tool. Russ was so impressed with Memoryze that he awarded it the 2008 Toolsmith Tool of the Year!

For those of you who didn't read the first diary...Memoryze is a free tool from Mandiant to assist with Windows memory analysis. It is one small piece of the Mandiant Intelligent Response (MIR) product, released for public consumption.

Russ's review can be found at http://holisticinfosec.org/toolsmith/docs/february2009.pdf

Another outstanding free tool released by Mandiant in the last few weeks is Highlighter. Highlighter is a tool that assists in the viewing and analysis of log files and other text files. I have only played with it a little bit, but so far I am very impressed.

Mandiant has other free incident response tools available on their website as well:

Red Curtain - helps find and analyze unknown malware

Web Historian - assists with review of websites found in browser history files

First Response - incident response management software

If these first few releases are any indication, it appears that the Mandiant folks are committed to providing top-quality free tools to the incident response community.


Enjoy!

Friday, January 09, 2009

The Academy...Home!

Sometimes an idea comes along that was so obviously needed that you wonder why you didn't think of it yourself. One of those ideas is The Academy!

Because of very persistent marketing, most people in the security industry have heard of The Academy. Peter Giannoulis has done an amazing job of promoting his security video website in an almost viral way, using all sorts of Web 2.0 channels from LinkedIn to Twitter and everything in between.

Now Peter has gone one step further, launching The Academy Home. This site has the same general idea...videos on how to configure security...but the audience is much different. The Academy Home is aimed at the average computer user. Finally, a good-quality security website aimed at your parents and grandparents, who are not savvy computer professionals and are sorely in need of good-quality, knowledge-appropriate guidance.

So please help make this endeavour successful! Let all of your non-tech-savvy friends and relatives know about The Academy Home. Maybe you will even get a couple of nights off from tech-support. (-8

SANS Log Management Survey

I don't make personal pleas often, but this is something I truly believe can be significant in the security industry.

SANS is surveying individuals on log management practices in their organizations. The more people who take the survey, the more useful the results, so please give up 10 minutes of your time to complete it. Even if you have not yet started a log management project...please take the survey...your information is at least as important as that of those who have, if not more.

Thanks in advance!

Tuesday, December 30, 2008

25C3: MD5 Collisions and SSL Certs


At the Chaos Computer Congress currently underway in Berlin, a group of researchers have described an attack that utilizes MD5 collisions to create an intermediate Certificate Authority, which would permit them to act as a Man-in-the-Middle in SSL transactions. While a lot of effort went into creating a huge hype for this announcement, the short answer is that the Internet is not dead yet.

That said, this is a potentially serious attack. It permits somebody who is capable of generating an MD5 collision to effectively impersonate any SSL enabled website.

There is very little the end user or any website administrator can do. The solution to this attack lies with the certificate providers...who must stop issuing MD5-signed certs. Verisign has announced that they are no longer issuing MD5-signed certs; others will follow quickly.

If you are an administrator of an SSL-enabled web server or application, you should take a look at your cert and see whether it is signed with MD5 or SHA-1. If it is MD5, it would not be a bad idea to replace it with a new one signed with SHA-1. This will not prevent this particular attack (even if you have a SHA-1-signed cert, someone could impersonate your site using an MD5-signed cert), but it will go a long way to putting a nail in the coffin of MD5-signed certs once and for all.

How do you tell? Connect to each of your SSL-enabled sites and double-click the padlock in the bottom right corner. Click "View Certificate", click the Details tab, scroll all the way down to the bottom and click on "Certificate Signature Algorithm". It should say "PKCS #1 SHA-1 With RSA Encryption" or something similar. If it says MD5, I recommend calling your cert issuer and requesting a new one signed with SHA-1.
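The same check can be scripted rather than done by hand in the browser. The following is an added example (my illustration, not code from the post or from any CA): it walks the outer DER structure of an X.509 certificate to the signatureAlgorithm field, decodes the OID and flags the MD5 one. The skeleton certificates it builds are constructed for the demonstration and are not real, verifiable certs; the OID table is limited to the common RSA PKCS #1 algorithms. The post treats SHA-1 as the safe replacement (it was, in 2008); a practitioner running this today would add sha1WithRSAEncryption to the flagged set as well.

```python
"""Report which signature algorithm a DER-encoded X.509 certificate carries.

Added example, not code from the original post. The parser walks only the
outer Certificate SEQUENCE: tbsCertificate, signatureAlgorithm, signatureValue.
"""
import ssl

# Assumed OID table: the usual PKCS #1 RSA signature algorithms.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
# The post's advice flags MD5; today sha1WithRSAEncryption belongs here too.
WEAK = {"md5WithRSAEncryption"}


def _read_tlv(buf, pos):
    """Decode one DER TLV starting at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Turn the content bytes of an OBJECT IDENTIFIER into dotted notation."""
    arcs = [raw[0] // 40, raw[0] % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends a base-128 arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def signature_algorithm(der):
    """Return the dotted OID from the certificate's outer signatureAlgorithm field."""
    tag, cert_body, _ = _read_tlv(der, 0)
    assert tag == 0x30, "certificate must be a SEQUENCE"
    _, _, pos = _read_tlv(cert_body, 0)          # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(cert_body, pos)   # AlgorithmIdentifier SEQUENCE
    assert tag == 0x30, "AlgorithmIdentifier must be a SEQUENCE"
    tag, oid, _ = _read_tlv(alg_id, 0)
    assert tag == 0x06, "AlgorithmIdentifier must start with an OID"
    return _decode_oid(oid)


def classify(der):
    """Return (algorithm name, is_weak) for a DER certificate."""
    oid = signature_algorithm(der)
    name = SIG_ALG_NAMES.get(oid, oid)
    return name, name in WEAK


# --- DER encoding helpers, used here only to construct sample certificates ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return _der(0x06, out)


def sample_cert(sig_oid):
    """Constructed skeleton certificate for the demo: a placeholder tbsCertificate,
    the given AlgorithmIdentifier and a dummy signature BIT STRING long enough
    to exercise long-form lengths. Not a real certificate."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _encode_oid(sig_oid) + _der(0x05, b""))   # OID + NULL params
    sig = _der(0x03, b"\x00" + b"\xAA" * 200)
    return _der(0x30, tbs + alg + sig)


def fetch_der(host, port=443):
    """For a live check of one of your own sites: download the server cert as DER."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5"):
        print(oid, classify(sample_cert(oid)))
```

Against a live site, `classify(fetch_der("www.example.com"))` performs the same check the post describes through the browser dialog; the two `ssl` calls used are standard-library functions.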

Saturday, September 20, 2008

New (to me) nmap features!

I spent a little time today catching up on some emails I filed away for future reading. One of the emails that caught my attention was a write up on Fyodor's announcement at Defcon of new features in the new version of Nmap (was 4.75, 4.76 is out now) and the subsequent email from Fyodor on the nmap-hackers list. A few of these features caught my attention.

The first one is --top-ports. Essentially, Fyodor and company spent the summer scanning the Internet and, based on that research, ranked all the TCP and UDP ports by how frequently they were found open.

According to their research

nmap --top-ports 10

will give you about 50% of the open ports and

nmap --top-ports 1000

will give you approximately 94% of the open ports.

The biggest difference is from a reconnaissance point of view. With the older nmap versions, if you just let nmap loose with the default set of ports

nmap -sS -sU

nmap would scan over a thousand TCP and UDP ports. It wasn't quick against one IP, and it was interminably slow against a large IP range. For this reason most pentesters keep a small set of 20-50 ports that they use for discovery scans. With --top-ports this is largely superfluous, although there may be reasons you might want to add extra ports based on the environment being scanned.

Another option that came out of this research is the Fast Scan option (-F).

nmap -F

is perfect for discovery scans. It scans the top 100 ports of each protocol, increasing the speed from the default behaviour by an order of magnitude.
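To make the ranking behind --top-ports and -F concrete, here is an added example (my own illustration, not nmap's code): it parses text in the nmap-services format, where each line carries a service name, port/protocol and the open-frequency column that nmap's survey produced, ranks each protocol's ports by that frequency, and reports how much of the recorded open-port mass the top N cover. The frequencies in the embedded sample are invented for the example; the real data lives in nmap's own nmap-services file. With N set to 100 the selection is what the post describes -F doing.

```python
"""How --top-ports chooses ports: rank by the nmap-services frequency column.

Added example, not nmap's own code. The sample below is constructed in the
nmap-services format; its frequency values are invented, not nmap's survey data.
"""
from collections import defaultdict

SAMPLE_SERVICES = """\
# service   port/proto   open-frequency   # comment
http       80/tcp     0.484143   # World Wide Web HTTP
telnet     23/tcp     0.221265
https      443/tcp    0.208669
ftp        21/tcp     0.197667
ssh        22/tcp     0.182286
smtp       25/tcp     0.131314
unknown    49153/tcp  0.000001
snmp       161/udp    0.433467
netbios-ns 137/udp    0.365163
ntp        123/udp    0.330879
domain     53/udp     0.228853
"""


def parse_services(text):
    """Return {proto: [(port, frequency, name), ...]} from nmap-services text."""
    table = defaultdict(list)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        name, port_proto, freq = line.split()[:3]
        port, proto = port_proto.split("/")
        table[proto].append((int(port), float(freq), name))
    return table


def top_ports(text, n, proto="tcp"):
    """The ports a --top-ports N scan probes for one protocol, most common first."""
    ranked = sorted(parse_services(text)[proto], key=lambda t: t[1], reverse=True)
    return [port for port, _, _ in ranked[:n]]


def coverage(text, n, proto="tcp"):
    """Fraction of the recorded open-port frequency mass the top N ports account for.

    This is the figure behind the post's "--top-ports 10 gives about 50%" claim.
    """
    freqs = sorted((f for _, f, _ in parse_services(text)[proto]), reverse=True)
    return sum(freqs[:n]) / sum(freqs)


def port_spec(text, n):
    """Equivalent explicit -p argument (nmap's T:...,U:... syntax) for the top N
    ports of both TCP and UDP, useful when a scanner lacks --top-ports."""
    tcp = ",".join(map(str, top_ports(text, n, "tcp")))
    udp = ",".join(map(str, top_ports(text, n, "udp")))
    return f"T:{tcp},U:{udp}"


if __name__ == "__main__":
    for n in (1, 3, 5):
        print(f"top {n} tcp: {top_ports(SAMPLE_SERVICES, n)} "
              f"covers {coverage(SAMPLE_SERVICES, n):.1%}")
    print("-p", port_spec(SAMPLE_SERVICES, 2))
```

Running it against a copy of the real nmap-services file instead of the embedded sample reproduces the port lists nmap uses, and `coverage(text, 100)` is the share of open ports a -F scan would be expected to see.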

Taking a slightly different direction...I have always been an nmap command line bigot. This is partly because I have used nmap from the days when all that was available was the command line. Another reason is that I have never found an nmap GUI that I liked. Some of the new features in Zenmap have me re-evaluating that.

The two that got my attention are scan aggregation and mapping.

In short, scan aggregation is a feature that combines all scans performed from the same Zenmap window. This permits incremental scans, and analysis of the combined scan. Here is a screen shot of a couple of scans aggregated in Zenmap:

The mapping feature I still find a little lightweight, but it is an outstanding start. Here is the map from the same scan.

Some more detailed sample maps and a feature description are available at http://nmap.org/book/zenmap-topology.html.

There are other features that I haven't had time to look at yet, such as improved OS detection, rate limiting, and many, many, more.

Now if I can just get past my fear that nmap on Windows is somehow less accurate than nmap on *nix.

Friday, August 29, 2008

Cool: New Nmap features

Fyodor is God!!

Seriously...thanks to the Google Summer of Code and the hard work of Fyodor, there are a bunch of new and way cool features coming in nmap.

Sunday, May 04, 2008

Declaration of Independence

Those who know me rapidly learn that I am not cut from the same cloth as the average person. I consider myself eccentric, intelligent, logical, and at the same time creative. I am not a good sheep: I can't settle for conformity, I challenge the status quo, and I feel sorry for people who are willing to accept their lot in life without attempting to improve it.

While not directly security related, Pamela Slim has assembled a Flash movie that closely reflects my philosophy on life, and is one of the most inspirational pieces I have seen in a long time. While she is trying to push the viewers towards entrepreneurial endeavours, the attitude and lifestyle she is proposing is very applicable to my life and should be applicable to most security practitioners' lives. This is not an industry that is made for people who are willing to accept the status quo, but rather for those who creatively look for solutions and push the envelope of technology and conventional thinking.

Hope you enjoy it!
Rick

Wednesday, January 09, 2008

Stephen Northcutt weighs in on security predictions (sort of)!

An interesting and somewhat insightful posting by Stephen Northcutt, the boss over at the SANS Technical Institute. Instead of doing his own predictions he has "borrowed" others'.

I would like to take a chance to comment on some of these:

"Apple Will Gain Significant New Market Share"
While I expect that Apple will gain market share (I know I am hoping to go back to one), I can't see it being huge over the long term. The problem is that the people who are going to Apple are tech-savvy people looking for something better, and I expect will also have a Windows computer around. The problem is the "unwashed masses" don't have the ability to realize that there should be something better than Windows, nor are they prepared to look past the mountains of software available for Windows to make an informed decision to go to a computer system which is easier to use and easier to live with.

Information Centric Security Phase One
I have been trying to convince people to make this shift for years. Unfortunately, for whatever reason, decision makers aren't prepared to look past the security FUD spewed by the security vendors and do a proper risk analysis. I think if you start looking at your information and classifying it, you will be drawn to the conclusion that the hard crunchy shell with the soft interior is no longer applicable. The concept of perimeter security was great for its time, but it comes from a day when very little information was available online and the perimeter protected a few machines. This is a different world: most companies are 100% connected, and all of their crown jewels live on, or are accessible from, their corporate LANs. The volume of information available via a breach is astronomical compared to when perimeter security was conceived, and the sensitivity of the data stored on your corporate network is scary. It does not make sense to tar all data with the same brush any longer. Most information generated by the average corporation is mundane...however, some of it is critical, and the loss of that data can be fatal or at least severely harmful. Doesn't it make a lot of sense to start focusing security on the data and making sure the critical assets are better protected than your mundane information?

"even more paperwork will be devised by the clueless trying to help"
It sure seems the longer I am in security the more this is true. Nowadays it seems we spend more effort checking to see if we are compliant with whatever legislation or standard is sexy this week and less actually getting compliant, or better yet, getting secure! Standards are a wonderful thing to measure against, but the fact is they are a minimum set of controls which are great as a starting point. The fact is they don't represent reality, and they certainly don't represent your environment. We would all be better off if we spent less time doing compliance, and put more effort into doing what makes sense for us!

Thursday, January 03, 2008

GIAC, 20,000 strong

Near the end of December GIAC passed the 20,000 mark in certified individuals. This is a huge milestone for what is arguably the best security training organization anywhere (I am biased). Congratulations! Hopefully, 100,000 is not far off!

Friday, August 03, 2007

Jim Leroy died doing what he loved!


I have received a few emails and comments related to a blog entry from a couple of years ago about the deaths of Jimmy Franklin and Bobby Younkin. For those of you who don't remember, Mr. Franklin and Mr. Younkin died in a collision while performing a dogfight routine at the Moose Jaw Airshow in 2005.

The other pilot involved in that performance, and the sole survivor of that fateful performance, was an equally amazing pilot named Jim Leroy. Mr. Leroy died himself at an airshow in Dayton, Ohio, this past Saturday.

There is not much to be said about the loss of another amazing pilot that has not already been said. He was one of a kind and will be sadly missed.

I did, however, want to point to the amazing job the Dayton Daily News has done covering this event. There is everything there from retrospectives, to pictures, to video of the crash itself. A very fitting tribute.

The content is all linked from one page here.

Jim Leroy 1961-2007, may he rest in peace.

Wednesday, April 11, 2007

Reminder: Inaugural event Friday

Just a reminder...the inaugural regina.whitehats.ca chapter get together is this Friday, April 13th at 7:00 PM at O'Hanlon's pub. I am hoping for a good turnout.

As an aside, I noticed that this event got some press in the Canadian Information Security Newsletter put out by Robert Beggs at Digital Defence. Thanks Robert!

See you all Friday!

Wednesday, February 28, 2007

Forming a security group in Regina, SK, Canada

As most of you know, I moved out to Regina from Ottawa a few years ago. One of the things I miss since coming to Regina is an active security community. Well, hopefully I have a way of solving that.

I am announcing here a Regina chapter of whitehats.ca. For now we are starting simply with a blog. At some point in the future hopefully it will have its own mailing list and website. But for now let's start with baby steps.

Hopefully the first meeting will be in April, in a local pub, with some good brews and good conversation.


Rick

Sunday, February 18, 2007

So you wanna get into IT Security!

Still catching up on my blog reading. I came across an interesting article by Richard Bejtlich over at the TaoSecurity Blog. The post is about suggestions for people with no experience who want to get into the security industry. I wholeheartedly agree with Richard's suggestions. Here they are, summarized for your enjoyment...

  1. Represent yourself authentically.
  2. Stop using Microsoft Windows as your primary desktop.
  3. Attend meetings of local security group.
  4. Read books and subscribe to free magazines.
  5. Create a home lab.
  6. Familiarize yourself with open source security tools.
  7. Practice security wherever you are, and leverage that experience.

As one of the roughly 68,000 people laid off during the continuing implosion of Nortel, I have lived through the laid-off experience and have counselled a few people in this area. Here are a couple of other items I would like to add.

Publish

In the Internet age self-publishing is easy. Put up your own web server at home and register a hostname or domain with dyndns.org, or if that is too much work, sites like infosecwriters.com will publish quality papers no questions asked.

I know... You all hate writing...so why would you do this?

Firstly, it gets your name out there. The ability to be Googled is not yet essential in this industry, but it sure doesn't hurt.
Secondly, it proves that you can write something coherent and readable, and gives potential employers a source besides resume and interviews to measure your ability.
Thirdly, it shows that you are serious! Everyone knows that most people intensely dislike writing. It will show that you have the ability to complete difficult tasks. The fact that you put the effort in will weigh in your favor.

Believe it or not this is not rocket science. I am not suggesting a 50 page treatise on detecting the PDF exploit using Snort. I am talking 5-10 pages on stuff you know. Write as you read... and learn. Consolidate learning from different sources into new views on a subject. Remember there are lots of people at the same level of knowledge as you and lots even lower who will be happy to read what you write to expand their knowledge.

Volunteer

Security organizations and conferences are always looking for people to help out. Volunteer for anything local to you. This is a great chance to meet people in the local security industry, and possibly even get the chance to learn some things.

Another place you can volunteer is community and open source projects. If you have coding skills, volunteer for any of the open source security initiatives over at SourceForge or similar places. If you can't code, there are always community projects that are looking for a minimal amount of expertise and lots of enthusiasm to organize documentation, coordinate work, etc. Or, in a similar vein, there are a number of consensus projects like the SANS Top 20 that are looking for opinions.

You are limited only by your imagination and your enthusiasm.

Rick

Friday, February 09, 2007

Witty comments

I've been working hard on studying for a certification the last bit, so I haven't been getting here much. Sorry.

Today I was catching up on some long neglected blog reading and got a chuckle compliments of the lovely people at F-Secure. They ran a contest for witty sayings for laptop stickers. The results are in and some are worth a chuckle...

I lost my password, can you tell me yours? — Azham R. of Malaysia
This is not the wireless access point you're looking for. — Matt L. of Australia
I just click OK to make the box go away. — Justin R. of UK
My botnet can beat up your botnet. — David B. of USA
Password is on a Post-it note on the display. — Ken T. of Germany

Have a good one!
Rick

Thursday, November 23, 2006

More Security Absurdity

Noam Eppel has posted his rebuttal to the commentary on his now legendary (if not infamous) Security Absurdity article. Noam is not apologetic, nor should he be. He states a lot of things that I wholeheartedly agree with. Here are a few nuggets from the article...

"Security Professionals are in the best position to create change and that is why we are responsible for this situation."

"I think the security community needs to redefine their definition of success. And I think they need to understand the unique position they are in to improve security and to accept that responsibility."

"In order for Best Practices to be relevant, they need to be attainable, practical, implementable and manageable. Today's security Best Practices are counterintuitive, difficult to implement, quickly outdated by new threats, and are constantly changing....Security is a process to be evaluated on a constant basis. There is nothing that will put you into a "state of security" - no best practice, no security guideline, no security checklist."

"My idea of security is that a user should be free to conduct, "normal and common" activities and not have to expect that he/she will be a victim of crime. If a man parks his expensive car in a bad neighborhood in the middle of the night and leaves it unlocked with the windows rolled down and with a $100 bill on the dashboard of the car, then that is irresponsible behavior and it is likely a crime will happen. However, if the man carries out what is considered normal activities - i.e., parks in the daytime on a busy street and locks it with a good security system - then that is normal and common behavior and a crime should not be expected."

The solution won't be easy, but it begins with participation and collaboration between all of the groups involved in security and ends with an Internet that looks much different than today's. Each player has a part to play...software vendors, security vendors, lawmakers, executives and, most of all, the security practitioners. Ultimately the key to any solution involves the active participation of the security community.

Rick

Wednesday, November 01, 2006

Extreme password security or Microsoft screw-up? You be the judge!

Another laugh compliments of the boys (and girls) at Microsoft (via Gene Spafford). An error message from Windows when attempting to change your password...

"Your password must be at least 18770 characters and cannot repeat any of your previous 30689 passwords. Please type a different password. Type a password that meets these requirements in both text boxes."

Definitely extreme, but secure... (-8

Rick

Thursday, October 26, 2006

Looking for a Job in Security?

Through the years I have mentored people looking to break into the security industry (mostly other former Nortel employees). One of the things I have always told them is to get your name out there. Whether through joining local associations, writing papers, or volunteering...or all of the above...if you lack relevant experience, it is best to show competency and interest.

On that note, compliments of The Security Monkey, a somewhat tongue-in-cheek guide for those looking to break into the security industry.

Rick

Monday, October 23, 2006

Top 10 Security Myths decomposed.

In reference to Pete Lindstrom's Top 10 Security Myths, I am not sure I agree, but here they are:

  1. Security through obscurity is a bad idea.
  2. Strong passwords are strong.
  3. Altruistic bugfinding is beneficial.
  4. You can't quantify risk.
  5. You can't get ROI from security.
  6. Security is about process, not product.
  7. SSNs are secret.
  8. Program x is more secure than program y.
  9. Stand up to your boss and "just say no."
  10. Security is failing.

What do you think?

Rick

Friday, October 20, 2006

PHPSecInfo - What a great idea!

One of my biggest frustrations as a pentester is convincing web developers that their environment is set up incorrectly. PHPSecInfo is a tool you load directly on the server that validates the security of the environment and suggests improvements.

From the web page...
"The idea behind PHPSecInfo is to provide an equivalent to the phpinfo() function that reports security information about the PHP environment, and offers suggestions for improvement. It is not a replacement for secure development techniques, and does not do any kind of code or app auditing, but can be a useful tool in a multilayered security approach."

Good on ya!
Rick

Thursday, October 19, 2006

NIST Guide to Integrating Forensic Techniques into Incident Response

Somehow I missed this when it came out in August, but compliments of the smart guys at NIST is a document titled "NIST Guide to Integrating Forensic Techniques into Incident Response". Had a quick look and it looks useful.

Rick

Finally a map I can read! (-8

Compliments of Joel Cort via cccure.org is a document mapping the old ISO 17799:2000 standard to the new ISO 17799/27001:2005 standard. It looks like good work. Available in PDF and Word format here.

Rick

Sunday, October 15, 2006

Hilariously Funny?

Compliments of Bruce Schneier...Although the book "A Million Random Digits with 100,000 Normal Deviates" is not my type of bedtime reading...the reader comments on the book are worth every second. What a way to liven up a really dull topic!

http://www.amazon.com/Million-Random-Digits-Normal...

I understand that in 1955 when this book was originally published that generating random numbers was near impossible, but what prompted the publisher to republish it in 2002, when generating random numbers is pretty easy, is beyond me. Somebody smarter than me must know the answer. Please bring me into the loop.

Rick

Thursday, October 12, 2006

Payment Card Industry Standards Changes

The PCI (Payment Card Industry) has just recently announced changes to the standards for companies processing credit card charges via e-commerce.

The changes are here.

The full standard is here.

Rick

Reminder: End of XP SP1 support

Just a reminder that the set of patches released by Microsoft on Tuesday October 10th were the last of the patches for XP SP1. From now on if you haven't upgraded to SP2 you are SOL when it comes to support from Microsoft.

I have great trepidation in saying this, but if you have a compelling reason you need to stay on SP1 I suggest you become familiar with ZERT.

Rick

NIST Guide to Log Management is final

The long awaited NIST Guide to Computer Security Log Management (SP 800-92) is out in its released version. This document has a few flaws, but it is an excellent document and should be required reading for every security professional.

Rick

Friday, October 06, 2006

More Security Stupidity

A geologist on his way to a convention of geologists has a rock sample declared a "dual-use item" (in other words, a potential low-tech weapon). The scary part is I sort of understand this one...but that doesn't make it right!

Rick

Thursday, September 28, 2006

Current projects

A couple of people have asked me if I am working on any more of the hardening guides like what I have done in the past for the Linksys BEFW11S4 or WRT54G, or at least will be updating these. Admittedly those guides are beginning to show their age and could use an update, but unfortunately I have bigger fish to fry first.

I have just cleared a couple of SANS projects and have just started into a project on a presentation and paper currently dubbed "Botnets for Dummys". I am not sure what it will look like, or when it will be available, but hopefully before the end of November. I am also working on getting a version of the Nepenthes medium interaction honeypot and some related Perl code going on CentOS as a prototype worm detection project and hopefully a paper. Unfortunately, it seems everyone in the world can get Nepenthes working except me!!! The little time I have spent on it has been frustrating, but I expect if I dedicated some time to it the obstacles would fall pretty fast.

Anyone who has any opinions or approaches for these projects please feel free to contact me.

Have a great weekend!
Rick

Tuesday, September 26, 2006

Symantec Internet Threat Report

The new version of the Symantec Internet Threat Report is out. While not completely unbiased, this report is one of the most thorough at documenting the state of Internet security. The executive summary should be required reading for every manager involved in security or application development for Internet facing services.

Herbie

Saturday, September 16, 2006

SCADA Security Webinar - Worth a listen

I haven't had a chance to listen to this yet, but I am recording this here so I will not lose track of it. There is not a lot of practical information about SCADA security out there, and from reviews this is very good. It is the presentations from a one day workshop SANS hosted on SCADA Security...complete with synchronized slides.

https://www.sans.org/webcasts/access.php?id=90748&pid=1307647220#

Rick

Human vs bear intelligence

Compliments of Bruce Schneier...an interesting article about a bear problem in Yosemite National Park in the 1980s and the quest to build a garbage can that would deter bears and still be usable by people. The article contains one quote that is priceless. Quoting a park ranger: "There is considerable overlap between the intelligence of the smartest bears and the dumbest tourists." Unfortunately, working in security...this is not hard to believe.

If you don't find the article interesting enough, then try reading the comments. Definitely entertaining.

Rick
I never forget a face, but in your case I'll be glad to make an exception. - Groucho Marx

Saturday, September 02, 2006

New Security Blog

Raul Siles, of SANS/GIAC GSE fame, along with a couple of his friends, David Perez and Jorge Ortiz, has started a new security blog. I have been following it for a few weeks now and these guys have some insightful things to say in the security realm.

Give it a try if you have a chance!

Raul also publishes a list of security related web pages, blogs, and podcasts that is worth a look...
http://www.raulsiles.com/resources/hackers.html

Rick
Getting older is no problem. You just have to live long enough. - Groucho Marx

Thursday, August 31, 2006

Live View - raw disk to VMWare image

I dabble a bit in the forensics world. Today I came across a wonderfully useful tool. Live View is a Java-based tool that converts raw disk images (a la dd) into VMware-compatible images. Messed around with it a bit tonight, and it seems to work exceptionally well.

More on Live View at http://liveview.sourceforge.net/

Rick
Remember, you can always find East by staring directly at the sun. - Bart Simpson

Sunday, August 20, 2006

Commentary...and More Security Related Humour

I have been out of Internet communication for the last couple of weeks. It has been nice. In the wake of the most recent round of security stupidity surrounding last week's terrorism arrests, some people were asking my opinion. I have a couple of comments on this. The first is that it frightens me that some people care about my opinion; the second is that my opinion is obvious from past posts. Total and complete waste of resources. Security theater designed to placate an uninformed public looking for decisiveness from their elected representatives. As I have said before...anything that further inconveniences the travellers of the world means the terrorists have won another victory.

Fortunately, Bruce Schneier and others with much bigger reading audiences than me adequately filled in during my absence. (-8

David Malki has summarized my thoughts very adequately in this biting cartoon.

http://www.wondermark.com/d/220.html

Enjoy!

Rick

"Fry: No, Bender! Cutting off Leela's head won't solve anything!" - Matt Groening from Futurama