From the monthly archives:

November 2009

Customers beware – security "consultants" to avoid

by Matthew Hackling on November 30, 2009

in SBN

Some tweets from @jack_mannino raised some strange feelings and thoughts that I wanted to express about some of the types of people that raise my ire in the security consulting industry:

Public enemy number one - the "nessus cut n paster"

It's all good to use Nessus or OpenVAS, as it helps shorten the process of grabbing banners with nmap and using google/secunia/mitre to find out publicly reported vulnerabilities about the network services in use (which we pretty much end up doing anyway!). We all use Nessus as part of our suite of tools, but you shouldn't just use Nessus! And you definitely shouldn't just append the raw scan results as an appendix with a covering letter! Your client deserves for you to:
  • confirm that the reported vulnerabilities actually present a risk (i.e. are the vulnerable modules on that web server actually in use, or is this a false positive?)
  • provide some interpretation and an indication of how easy this vulnerability is to exploit based on your knowledge and experience (i.e. how likely is it that the client will be attacked by an SSL MITM attack?) and any compensating controls that are in place
  • provide pragmatic recommendations on how to address the issue (e.g. a link to a TechNet article etc.)
Oh, it's worth adding: running Nessus does not test web applications! It may test the configuration of the web server software, but not the susceptibility of a custom web application to SQLi etc.

The "nessus cut n paster" leaves you feeling conned and frustrated as you paid too much for an assessment you could have performed yourself. You have to investigate each of the issues to identify if you should bother fixing them and find out how to address them.
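An added example (not the post's own code) of what separates a scan from an assessment: it parses a constructed .nessus v2 export, attaches the analyst's verification, likelihood, compensating controls and recommendation to each finding, and reports only confirmed issues ordered by the analyst's judgement rather than the scanner's severity number. The XML, plugin IDs and plugin names are made up for the example.

```python
# Added example, not from the post; the .nessus v2 XML below is constructed sample data.
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_NESSUS = """<?xml version="1.0"?>
<NessusClientData_v2>
 <Report name="constructed-sample">
  <ReportHost name="10.0.0.5">
   <ReportItem port="443" svc_name="www" protocol="tcp" severity="2"
               pluginID="900001" pluginName="Example: weak TLS cipher suites accepted">
    <plugin_output>Server accepted cipher suites rated medium strength.</plugin_output>
   </ReportItem>
   <ReportItem port="80" svc_name="www" protocol="tcp" severity="3"
               pluginID="900002" pluginName="Example: mod_foo overflow (version banner check)">
    <plugin_output>Banner reports a version in the affected range.</plugin_output>
   </ReportItem>
   <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
               pluginID="900003" pluginName="Example: SSH server type and version"/>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

@dataclass
class Finding:
    host: str
    port: int
    plugin_id: str
    name: str
    scanner_severity: int            # 0 info .. 4 critical, as the scanner rates it
    evidence: str                    # plugin_output: what the scanner actually observed
    verified: Optional[bool] = None  # None = nobody has checked it yet
    likelihood: str = ""             # analyst's judgement, not the scanner's number
    compensating_controls: str = ""
    recommendation: str = ""

def parse_nessus(xml_text: str, include_info: bool = False) -> List[Finding]:
    """Flatten ReportHost/ReportItem; severity-0 rows are banner grabs, not vulns."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            sev = int(item.get("severity", "0"))
            if sev == 0 and not include_info:
                continue
            findings.append(Finding(host.get("name", "?"), int(item.get("port", "0")),
                                    item.get("pluginID", ""), item.get("pluginName", ""), sev,
                                    (item.findtext("plugin_output") or "").strip()))
    return findings

def apply_triage(findings: List[Finding], notes: Dict[Tuple[str, int, str], dict]) -> List[Finding]:
    """Attach analyst notes keyed by (host, port, plugin_id); unannotated rows stay verified=None."""
    for f in findings:
        for attr, value in notes.get((f.host, f.port, f.plugin_id), {}).items():
            setattr(f, attr, value)
    return findings

_LIKELIHOOD_RANK = {"high": 3, "medium": 2, "low": 1, "": 0}

def client_report(findings: List[Finding]) -> List[Finding]:
    """Confirmed issues only, ordered by analyst likelihood, then scanner severity."""
    confirmed = [f for f in findings if f.verified is True]
    return sorted(confirmed, reverse=True,
                  key=lambda f: (_LIKELIHOOD_RANK[f.likelihood], f.scanner_severity))

def outstanding(findings: List[Finding]) -> List[Finding]:
    """Still unverified: while any remain, the deliverable is a scan, not an assessment."""
    return [f for f in findings if f.verified is None]

def triage_sample() -> List[Finding]:
    notes = {  # constructed analyst notes for the sample scan above
        ("10.0.0.5", 80, "900002"): {"verified": False, "recommendation": "False positive: mod_foo is not loaded."},
        ("10.0.0.5", 443, "900001"): {"verified": True, "likelihood": "low",
            "compensating_controls": "Reachable only over the office VPN.",
            "recommendation": "Disable medium strength cipher suites in the TLS config."},
    }
    return apply_triage(parse_nessus(SAMPLE_NESSUS), notes)

if __name__ == "__main__":
    print([(f.name, f.likelihood) for f in client_report(triage_sample())])
```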

Public enemy number two - the "over caffeinated try hard hacker"

This guy is someone who has just read "Hacking Exposed" and, instead of building himself some VMware virtual machines and trying out what he is learning on them, he wants to "play hacker" on your network. On an external network he will focus on "cool and neat" vulnerabilities and forget to report "boring" vulnerabilities (the ones you are likely to get pwned by). On an internal network, instead of focusing on testing the key controls that secure critical applications (e.g. database listener passwords), he will do crazy stuff like pwning workstations with Metasploit and looking for pirated games/music/pron to take home.

The "over caffeinated try hard hacker" leaves you bemused wondering what the hell happened, rebooting boxes and apologising to executives whose email accounts have been ransacked.

Public enemy number three - the "talky talky consultant"

This Svengali-like consultant mesmerises you with talk about risks, approaches, ISO standards and buzzwords, however he never gets down to the discussions you want to have, like:
  • what are my critical business processes and what applications, infrastructure and information assets are associated?
  • what are my key controls?
  • how do I test them and record the results and supporting evidence?
  • what should be in my security plan to improve my key controls?
  • how do I tweak my policy to address new risks?

The talky talky consultant often leaves you stuffed and slightly boozed after a long lunch wondering what value they actually added to your organisation and trying to find a deliverable to justify to your management why you engaged this clown in the first place.

Tips for countering the fallout:

  • Make sure your security consultant has scoped the required work well and documented the scope in a contract or engagement letter in enough detail. It should be clear that work outside the agreed scope is not to be undertaken without express permission (e.g. running exploits, scanning other systems apart from the defined target systems)
  • Make sure, if an assessment is being provided, that the criteria for the assessment are detailed in the engagement letter and provided in the report
  • The contract or engagement letter should also describe the required deliverables for each phase of work in detail and the requested structure and content of the report
  • Ask for a sample report, mark it up and return it if it doesn't meet your needs.
  • Ask for regular updates on activities and require that they be provided so you can keep tabs on what is going on.


Child Facebook Safety

by Dave Whitelegg on November 30, 2009

in SBN

Recently I was invited to participate in a Radio Five Live debate on children's usage of social networking sites, and specifically child bullying within Facebook. Various parents were calling the radio programme saying their children had suffered from issues like cyber bullying and the receipt of obscene messages from perverts. Several individuals thought the answer was to prevent their children using social networking websites, and some even suggested banning children from using the Internet altogether.



The main point I made was that banning children from using social networking sites like Facebook, Bebo and MySpace will just not work: for one, banning illegal activities like underage smoking and drinking doesn't work, and sooner or later children will find a way to access social networking websites anyway (which isn't illegal, by the way). Furthermore, preventing a child from using the home PC is a reckless approach in the information age and a pretty pointless exercise, as children can access the internet and social networking from their mobile phones, on school computers, perhaps with a friend's laptop; crikey, they can even access social networking sites through a games console!

The clear answer I gave to this problem: cyber education. Not the usual optional Internet awareness classes given out of hours in secondary school, but mandatory classes on how to use the Internet safely in the later years of primary school. For me this type of Information Communication Technology (ICT) education should not just be akin to the "don't talk to strangers" and "crossing the road safely" type of education, but needs to be as essential as Maths and English. School ICT lessons simply should not just be about how to do a bit of Desktop Publishing and putting together PowerPoint presentations, but should be about the essential "life" skills of how to keep safe and secure when online.

While talking on Five Live about my thoughts on this subject, I went on to give an example of five things our primary school children should be taught about social networking, and indeed what parents should be aware of too; apart from cyber bullying, social networking is the favourite tool of identity thieves. These five pieces of advice were:

1. USE GOOD FRIENDS MANAGEMENT

Child Advice: The first golden rule is to only accept friend requests from people you know, and by know I mean have actually met face-to-face. Secondly, only accept friend requests from people you actually like. Just because you know someone, it does not necessarily mean you like them. If you don't get on with someone, don't accept them as a friend, as usually this leads to no good. Remember a social networking site is not supposed to be about collecting as many friends as you can. If you have 100s of friends on your friends list, you are just asking for trouble, as no doubt most of these "friends" will be strangers, amongst which there will always be some bad apples.


Parent Advice: If your child has more than 10 to 15 friends on their social networking friends list, you should be concerned; ask your child to go through their friends list and confirm who they are. Also understand that most social networking sites use all sorts of "rewards" to encourage their users to amass friends; some sites, like Twitter, are based on it. In the case of Twitter, see points 2 and 3.

2. CHECK YOUR PRIVACY SETTINGS

Child Advice: Make sure your privacy settings are fully on; in particular, ensure you are only sharing your personal postings and pictures with "Friends only". The "Friends of Friends" setting is not good, while "Public" is just asking for trouble.

Parent Advice: Periodically double check the social networking privacy settings as per the child advice. Some social networking sites default new accounts to privacy fully on, but not all; for example, Twitter's privacy settings are off by default. However, many applications within social networking sites tend to fool children (and adults) into switching these settings off. Leaving privacy settings off allows the world (strangers) to see your child's comments and pictures.

3. WHAT GOES ONLINE, STAYS ONLINE!

Child Advice: Before posting a comment or picture, stop and think before you hit confirm. Remember once a comment or picture is posted it stays forever; just because you delete it seconds later doesn't mean it is gone from the internet. For instance, most social networking sites send out email updates containing your post, and can even post to other social networking sites (for instance Twitter integration with Facebook), so be very careful what you post. If you need to have a private and sensitive conversation with your friends, it is always best to stick to verbal communication, as you never know who could pick up on your posting.

Parent Advice: Periodically check your child's postings to ensure your child is posting sensibly. The best way to do this is to add yourself as a friend of your child.

4. NEVER GIVE YOUR PASSWORD OUT

Child Advice: No one ever needs to know your password, except your parents. Emails from Facebook, Bebo, Twitter etc., and from social networking applications, asking for your password are always false. Do not share your account with anyone and never give your password out to any of your friends.

Parent Advice: Cyber bullies, and worse, often try to fool social networking users into providing them with their password; once they have it, they can get up to all sorts of nasty tricks. Ensure your child uses a strong password and remind them never to share it with anyone except yourself.

5. ENSURE ANTI-VIRUS & PATCHING IS UP-TO-DATE


Child and Parent Advice: Make sure your PC's anti-virus is operating and kept up-to-date, ensure your PC's firewall is enabled, and make sure you apply the latest operating system patches on a regular basis. This will help prevent malicious software covertly installing onto your PC; such software can steal your social networking passwords and send them on to bad guys without your knowledge.

Social Networking, like most things in life, can be fun, an extremely useful tool, and ultimately safe if used responsibly.

There are several useful website resources for this below:

Kidscape (Cyber bullying Awareness for Children)
http://www.kidscape.org.uk/cyberbullying/cyberbullyingchildrenyoungpeople.shtml

DirectGov (Cyber bullying Awareness for Adults)
http://www.nidirect.gov.uk/index/parents/your-childs-health-and-safety/internet-safety/cyberbullying-1.htm

A Guide to Facebook Security and Privacy
http://www.thetechherald.com/article.php/200938/4434?page=1

If anyone else would like to recommend further websites, please post in the comments, thanks.


Confessions of a Corporate Spy – Got Ethics?

by Mark Brooks on November 30, 2009

in SBN

Confessions of a Corporate Spy - Got Ethics? The personal confessions of a Corporate Spy and what lengths companies will go to, to gain a competitive advantage.


The Daily Incite – 11/30/09 – Giving Thanks

by Mike Rothman on November 30, 2009

in SBN

Today's Daily Incite

November 30, 2009 - Volume 4, #34

Good Morning:
Oh yeah. I'm back and it feels great. Just getting done with the long holiday weekend here in the States got me thinking about how thankful I am. So I'm going to go through the list in an "Inciteful" way. Then it's back to some pithy and totally subjective opinion of some recent security stuff. IN MY VOICE. The past 15 months I've had to speak (again) in someone else's voice and well... that ain't me. So it's nice to exercise the sonorous baritone a bit and though I'm no Barry White, the voice is definitely mine.

I'm thankful the aliens didn't obliterate me this weekend. First and foremost, I'm thankful for The Boss. Yes, she is still my boss and no one provides more support for what I do than my wife. She was the first one to suggest that I really needed to get back to Incite and that it's the thing that makes me happiest. She's ridden shotgun through the highs and lows and back again. And hardly puked on my shoes through the turbulence.

Next up are my kids and family. The kids provide a ton of entertainment on a daily basis. When I'm not gnashing my teeth that is. But I need to continue working on my patience and there is no better way to do that than to have 3 kids running around. My family is well...my family. Yes, I love them. Yes, at times they make me crazy. And yes, I need to accept them and their idiosyncrasies. Just as they accept me and my nuttiness.

I'm thankful for all of the friends I've made in the industry. Many of which wrote to tell me how sorry they were I got laid off. It's great to have so many folks that "have my back," and are supportive of what I do. Of course, I'm not sorry about the way things worked out and I couldn't be more excited to be blazing my own trail again. But for every one of you that Tweeted or emailed or called, thank you. Really really thank you.

I'm thankful for the folks that have better things to do than secure their stuff. For one, a small percentage of them will be statistics which allow the vendors to keep spewing FUD at an unbelievable pace. That FUD keeps guys like me busy. I'm also thankful that these folks need a much more Pragmatic way to think about securing their stuff. They don't care about being "secure," they want to make the auditor go away and they don't want to get pwned. Of course, we all know those objectives are at odds with each other, but that evangelization process is what I love, so I don't want to change a thing.

I'm thankful for Big Research. They continue to well be Big, and that means pretty much lumbering around in their fat, dumb and lazy way. Using the same presentations year in and year out, and being a great backwards looking indicator. There are some great analysts in Big Research land, and I'm happy to call many of them my friends. There are also a whole lot of not so great analysts, and that creates opportunity for guys like me. But ultimately these are the folks that invented the IT research industry and I continue to ride their coat tails on a daily basis. 

I'm thankful for every single one of you that clicks on an email or opens up their RSS reader or even visits my web site to read what I write. Like everyone who gets a second (or third or fourth) chance, you appreciate it much more after it's been taken for a while.

Finally, I'm thankful for my time at eIQ. Every so often, a guy like me needs to be reminded that the grass is not greener on the other side. Statistically, you are probably as likely to win the lottery as you are to pick the right hot start-up and make a bunch of money. Ultimately the material spoils don't matter if you don't enjoy what you are doing. Especially when you can make a decent living doing what you like. So my latest trip back into corporate America reminded me of what I seem to have forgotten. That I need to be thankful for doing what I like, and that I should just do it. Which is what I plan to do.

Have a great day.


Photo: "Give Thanks" originally uploaded by Markus Rodder


Incite 4 U

As you can imagine, quite a bunch of stuff has accumulated since the summer. So I'll pick some timely topics to cover, as well as some important stuff from my archives. The plan is to publish on Monday, Wednesday and Friday for a while and get back to a consistent drumbeat of Incite to make you laugh, cry, maybe learn something, but most importantly long for the days when I wasn't writing so frequently.

  1. IBM (maybe) takes out Guardium - We all knew it was just a matter of time before someone acquired the bigger Database Activity Monitoring start-ups. Looks like Guardium is the first to take the money and run. And with a reported $225 million of IBM's cash, they can run for a while. Clearly protecting the database is a key part of any security program and the DAM folks have shown it can be done at enterprise scale. IBM  likely paid a very healthy multiple (probably in the 7-8x bookings range) because Guardium was the first to cleanly support DAM for databases on the big iron. That is something IBM had to control. Adrian from Securosis provides his take on the deal as well.
  2. Security success? Remember the Credibility Bank - I wrote the Pragmatic CSO in the latter part of 2006. It's hard to believe it's been 3 years, but I have to say the message continues to resonate and appear in places that I never expected. Not directly, but from a philosophy standpoint. Take this article in SC Mag about Seizing Management Power. You don't really "seize" power, rather you earn it. It's really about the need for security folks to talk business and persuade their peers that protecting information is good for their business. It all gets back to credibility. If you don't have it, you can't execute on any kind of security program. Pure and simple.
  3. Maybe the CIO is your friend, but not mine... - Following up on the previous snippet about talking the language of business is a post from Mortman on the Securosis blog relative to the reality that most CIO level folks don't have a clue about how to be relevant to the business. The reality is, YOU as the security professional cannot be hindered by that. If your CIO gets it, all the better. If not, you still have to build relationships with the business folks and still position security as good for the business. Mort's ideas on having someone to work with on messaging and making sure your stuff is professionally done are absolutely critical to building the credibility you know you need.
  4. Valuing Assets, using Lindstrom's Razor - For a guy who shaves once a week, whether I need to or not, the idea of a Razor being wielded by Grumpy Pete is outright terrifying. Kind of like a slasher movie set in a data center. I can just see Pete hacking away at Jaquith's stilts (oh, I think those are his legs) or Hoff's halo (he is the almighty, isn't he?). But seriously, Andy does pose an interesting thought experiment based on Grumpy Pete's ideas on valuing assets using a floor value based on the amount of money you are willing to pay to secure it. Hmmm. Gunnar expands on this a bit as well. The reality is most folks have NO IDEA what they are paying to secure much of anything. They have a security rock and they hit pretty much anything they can with it. Very few organizations actually decide on an asset (or even a business system) basis what they are willing to spend to protect it. They should, but they don't. But it's a good thought experiment anyway.
  5. Profiling application traffic on a blade - Amazingly enough, the news that Check Point acquired FaceTime's application database didn't make the 11 o'clock news. They probably paid FaceTime in Starbucks cards. But the concept is interesting, in being able to deploy application profiling on a software blade on the gateway does open up a number of cool policies you can deploy, especially relative to egress filtering. This was clearly a cheaper way to get better application visibility than buying Palo Alto (which they should do anyway). Yes, the perimeter gateway is getting smarter, no the "secure network fabric" is nowhere close, and the reality is the action is what's happening inside the protocols and we security folks need to get a lot smarter on application attacks - stat!
  6. Security "scorecards" - love and mostly hate - I've had a love/hate relationship with the concept of metrics for a long time. On one hand (love), I realize the importance of measurement and counting and all that other good stuff that creates pie charts for the CFO. But my pragmatic gene kicks in (hate) and I realize the effort required to really quantify the impact of security doesn't leave a lot of time or resources to actually secure much. I look at a post like Russell's diatribe on building an InfoSec Risk Scorecard with a sort of numb bemusement. The post is great and the tips are right on. But it's just hard for me to see most security folks going through the effort. One of the tips really hits home: "If your bosses really need a good InfoSec Risk Scorecard, then they should be prepared to pay for it." Therein lies the rub: most bosses don't care about a security scorecard (they just want to be secure) and they are certainly not going to pay a lot for it. Thus, the ongoing futility of security metrics.
  7. Tao votes for Leadership - It's funny, but the political hype machine is already talking about the mid-term elections happening next November. Solving the "cyber-security" problem continues to be a hot topic in the Fed space. Lots of folks think more efficient buying is an answer, or throwing a few more products at the problem. Richard is clearly voting here for leadership, not any of these other shiny objects (many espoused by the self-proclaimed cyber-war research czar Stiennon). And he's exactly right. We have to get sick of losing and then we'll devote the resources necessary to win. On an aside, is anyone else starting to puke every time they see the term "cyber-X"? I know the Feds are spending money on security products, but a horrifying number of vendors are repositioning their stuff to address the "cyber" issue and in reality it's just another marketing shiny object and too many dim-wits can't tell the ruse for what it is.
  8. Writing the LRD - This isn't really security-oriented, but I wanted to point to a great post on the Pragmatic Marketing site about writing a "life requirements document." Some of you call them goals, others a set of guiding principles, but all the same - you can't be good at your job or particularly happy unless you've given some thought to what makes you happy and what you like to do. Too many of us just meander through our lives getting through each day and looking forward to watching a football game, drinking a brew with buddies, or playing catch with the kids. So that is an awful lot of time spent waiting for something else. So read the post and give the approach some thought. Personally, I set goals, but an LRD structure may work for some of you.



I got that wrong.

by Jack Daniel on November 30, 2009

in SBN

Shortly after uploading my last post I realized I was wrong about money losing its voice. It isn't losing its voice, it is just hoarse from screaming. It also seems to be gaining an Asian accent.

 

Jack


Computer Security Day

by dk on November 30, 2009

in SBN

30 November is Computer Security Day. This year's theme is "Managing Risk".


Gearing up for a Safe Cyber Christmas

by Security Blog on November 30, 2009

in SBN

The following content has been provided by colleagues at http://www.e-victims.org/. You can sign up for latest alerts via email or rss feed.


Hurricane Labs has responsibly disclosed a security issue to Check Point Software related to their Edge line of products. The details are as follows:

Summary
-----

While writing a utility for a client to do automated password changes on a large installation of Edge appliances, one of our engineers discovered a flaw in Check Point's password hash. The hash was completely predictable with some simple techniques (documented in the code). A utility was written that can both create a hash from an entered plain text password and reverse a given hash back to plain text.

-----

Severity
-----

We call this one a moderate vulnerability, as you can only get the hash from an exported configuration file, and simply protecting the admin interface and any exported files will protect against this exploit.

-----

Links
-----

edgepwutil Google Code Page
Check Point Software's Site
Check Point's Edge Product Page
Sofaware's website
Check Point's SK article

-----

Mitigation
-----

Protect access to the admin interface of your Edge box. Encrypt any exported configuration files lying around on filesystems, etc.

There is currently no firmware fix for this, but a SecureKnowledge article has been posted: sk43332.

-----

Affected Versions
-----

We believe that all versions of Check Point's Edge appliances and Sofaware's safe@office/home products are vulnerable.


Speaking of Security Podcast #170

by John McDonald on November 29, 2009

in SBN


Why do Hackers hack? Sam Curry, RSA's VP of Product Management discusses the motivation of cyber criminals on this week's Speaking of Security podcast.


What does Cyber Monday mean for you and what should you do?

by John McDonald on November 29, 2009

in SBN

It’s Cyber Monday again amazingly enough. For those who don’t know the phrase, it refers to the first Monday post-Thanksgiving (in the US). In the US, Black Friday is the name given to the Friday after Thanksgiving: that’s the day when most retail stores see the most business and “go into the black” due to massive volume.
