Thursday, November 23, 2006

More Security Absurdity

Noam Eppel has posted his rebuttal to the commentary from his now legendary (if not infamous) Security Absurdity article. Noam is not apologetic, nor should he be. He states a lot of things that I wholeheartedly agree with. Here are a few nuggets from the article...

"Security Professionals are in the best position to create change and that is why we are responsible for this situation."

"I think the security community needs to redefine their definition of success. And I think they need to understand the unique position they are in to improve security and to accept that responsibility."

"In order for Best Practices to be relevant, they need to be attainable, practical, implementable and manageable. Today's security Best Practices are counterintuitive, difficult to implement, quickly outdated by new threats, and are constantly changing....Security is a process to be evaluated on a constant basis. There is nothing that will put you into a "state of security" - no best practice, no security guideline, no security checklist."

"My idea of security is that a user should be free to conduct "normal and common" activities and not have to expect that he/she will be a victim of crime. If a man parks his expensive car in a bad neighborhood in the middle of the night and leaves it unlocked with the windows rolled down and with a $100 bill on the dashboard of the car, then that is irresponsible behavior and it is likely a crime will happen. However, if the man carries out what is considered normal activities - i.e., parks in the daytime on a busy street and locks it with a good security system - then that is normal and common behavior and a crime should not be expected."

The solution won't be easy, but it begins with participation and collaboration between all of the groups involved in security and ends with an Internet that looks much different than today. Each player has a part to play...Software vendors, security vendors, lawmakers, executives and most of all the security practitioners. Ultimately the key to any solution involves the active participation of the security community.

Rick

Wednesday, November 01, 2006

Extreme password security or Microsoft screw-up? You be the judge!

Another laugh compliments of the boys (and girls) at Microsoft (via Gene Spafford). An error message from Windows when attempting to change your password...

"Your password must be at least 18770 characters and cannot repeat any of your previous 30689 passwords. Please type a different password. Type a password that meets these requirements in both text boxes."

Definitely extreme, but secure... (-8

Rick

Thursday, October 26, 2006

Looking for a Job in Security?

Through the years I have mentored people looking to break into the security industry (mostly other former Nortel employees). One of the things I have always told them is to get your name out there. Whether through joining local associations, writing papers, or volunteering...or all of the above...if you lack relevant experience it is best to show competency and interest.

On that note, compliments of The Security Monkey, a somewhat tongue-in-cheek guide for those looking to break into the security industry.

Rick

Monday, October 23, 2006

Top 10 Security Myths decomposed.

In reference to Pete Lindstrom's Top 10 Security Myths, I am not sure I agree, but here they are:

  1. Security through obscurity is a bad idea.
  2. Strong passwords are strong.
  3. Altruistic bugfinding is beneficial.
  4. You can't quantify risk.
  5. You can't get ROI from security.
  6. Security is about process, not product.
  7. SSNs are secret.
  8. Program x is more secure than program y.
  9. Stand up to your boss and "just say no."
  10. Security is failing.

What do you think?

Rick

Friday, October 20, 2006

PHPSecInfo - What a great idea!

One of my biggest frustrations as a pentester is convincing web developers that their environment is set up incorrectly. PHPSecInfo is a tool you load directly on the server that validates the security of the environment and suggests improvements.

From the web page...
"The idea behind PHPSecInfo is to provide an equivalent to the phpinfo() function that reports security information about the PHP environment, and offers suggestions for improvement. It is not a replacement for secure development techniques, and does not do any kind of code or app auditing, but can be a useful tool in a multilayered security approach."
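To make the idea concrete, here is a small added example (my own, not PHPSecInfo's code) that audits a php.ini file offline in the same spirit: real PHP directives are checked against weak values and each failure comes with a suggestion. PHPSecInfo itself runs inside PHP against the live configuration; the accepted values, advice text and the sample php.ini below are this example's own constructed choices.

```python
# Offline php.ini audit in the spirit of PHPSecInfo (added example, not PHPSecInfo's code).
# Directive names are real php.ini settings; accepted values, advice text and the
# sample php.ini are this example's own constructed choices.
import re

# directive, accepted lowercased values (None = any non-empty value), suggestion
RULES = [
    ("display_errors", {"off", "0"}, "Set display_errors = Off in production; log errors instead."),
    ("expose_php", {"off", "0"}, "Set expose_php = Off so responses stop advertising the PHP version."),
    ("allow_url_include", {"off", "0", ""}, "Set allow_url_include = Off; remote includes enable file inclusion."),
    ("register_globals", {"off", "0", ""}, "Set register_globals = Off; request data must not become variables."),
    ("open_basedir", None, "Set open_basedir to confine file access to the application tree."),
    ("session.cookie_httponly", {"on", "1"}, "Set session.cookie_httponly = 1 to keep the session cookie from scripts."),
]

def parse_ini(text):
    """Return {directive: lowercased value} from php.ini text; comments and [sections] are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # ';' starts a comment in php.ini
        if not line or line.startswith("["):
            continue
        m = re.match(r"([\w.]+)\s*=\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip('"').lower()
    return settings

def is_safe(value, accepted):
    return value != "" if accepted is None else value in accepted

def audit(text):
    """Return [(directive, current value, suggestion)] for every rule the php.ini fails."""
    settings = parse_ini(text)
    findings = []
    for name, accepted, advice in RULES:
        value = settings.get(name, "")  # unset -> ""; PHP's compiled default then applies
        if not is_safe(value, accepted):
            findings.append((name, value or "<unset>", advice))
    return findings

# constructed sample php.ini, not taken from any real server
SAMPLE_INI = """[PHP]
display_errors = On  ; should be Off on a production host
expose_php = On
allow_url_include = Off
open_basedir =
session.cookie_httponly = 1
"""

if __name__ == "__main__":
    for name, value, advice in audit(SAMPLE_INI):
        print(f"{name} = {value}: {advice}")
```

Run against the sample it reports display_errors, expose_php and the empty open_basedir; a directive that is absent from the file is judged as empty, so PHP's compiled default still has to be known when reading the result.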

Good on ya!
Rick

Thursday, October 19, 2006

NIST Guide to Integrating Forensic Techniques into Incident Response

Somehow I missed this when it came out in August, but compliments of the smart guys at NIST is a document on "NIST Guide to Integrating Forensic Techniques into Incident Response". Had a quick look and it looks useful.

Rick

Finally a map I can read! (-8

Compliments of Joel Cort via cccure.org is a document mapping the old ISO 17799:2000 standard to the new ISO 17799/27001:2005 standard. It looks like good work. Available in PDF and Word format here.

Rick

Sunday, October 15, 2006

Hilariously Funny?

Compliments of Bruce Schneier...Although the book "A Million Random Digits with 100,000 Normal Deviates" is not my type of bedtime reading...the reader comments on the book are worth every second. What a way to liven up a really dull topic!

http://www.amazon.com/Million-Random-Digits-Normal...

I understand that in 1955, when this book was originally published, generating random numbers was near impossible, but what prompted the publisher to republish it in 2002, when generating random numbers is pretty easy, is beyond me. Somebody smarter than me must know the answer. Please bring me into the loop.

Rick

Thursday, October 12, 2006

Payment Card Industry Standards Changes

The PCI (Payment Card Industry) has recently announced changes to the standards for companies processing credit card charges via ecommerce.

The changes are here.

The full standard is here.

Rick

Reminder: End of XP SP1 support

Just a reminder that the set of patches released by Microsoft on Tuesday, October 10th were the last of the patches for XP SP1. From now on, if you haven't upgraded to SP2 you are SOL when it comes to support from Microsoft.

I have great trepidation in saying this, but if you have a compelling reason you need to stay on SP1 I suggest you become familiar with ZERT.

Rick

NIST Guide to Log Management is final

The long awaited NIST guide to Computer Security Log Management (SP800-92) is out in its released version. This document has a few flaws, but it is an excellent document and should be required reading for every security professional.

Rick

Friday, October 06, 2006

More Security Stupidity

A geologist on his way to a convention of geologists has a rock sample declared a "dual-use item", in other words a potential low-tech weapon. The scary part is I sort of understand this one...but that doesn't make it right!

Rick

Thursday, September 28, 2006

Current projects

A couple of people have asked me if I am working on any more of the hardening guides like what I have done in the past for the Linksys BEFW11S4 or WRT54G, or at least will be updating these. Admittedly those guides are beginning to show their age and could use an update, but unfortunately I have bigger fish to fry first.

I have just cleared a couple of SANS projects and have just started into a project on a presentation and paper currently dubbed "Botnets for Dummys". I am not sure what it will look like, or when it will be available, but hopefully before the end of November. I am also working on getting a version of the Nepenthes medium interaction honeypot and some related Perl code going on CentOS as a prototype worm detection project and hopefully a paper. Unfortunately, it seems everyone in the world can get Nepenthes working except me!!! The little time I have spent on it has been frustrating, but I expect if I dedicated some time to it the obstacles would fall pretty fast.

Anyone who has any opinions or approaches for these projects please feel free to contact me.

Have a great weekend!
Rick

Tuesday, September 26, 2006

Symantec Internet Threat Report

The new version of the Symantec Internet Threat Report is out. While not completely unbiased, this report is one of the most thorough at documenting the state of Internet security. The executive summary should be required reading for every manager involved in security or application development for Internet facing services.

Herbie

Saturday, September 16, 2006

SCADA Security Webinar - Worth a listen

I haven't had a chance to listen to this yet, but I am recording this here so I will not lose track of it. There is not a lot of practical information about SCADA security out there, and from reviews this is very good. It is the presentations from a one day workshop SANS hosted on SCADA Security...complete with synchronized slides.

https://www.sans.org/webcasts/access.php?id=90748&pid=1307647220#

Rick

Human vs bear intelligence

Compliments of Bruce Schneier...an interesting article about a bear problem in Yosemite National Park in the 1980s and the quest to build a garbage can that would deter bears and still be usable by people. The article contains one quote that is priceless. Quoting a park ranger..."There is considerable overlap between the intelligence of the smartest bears and the dumbest tourists." Unfortunately, working in security...this is not hard to believe.

If you don't find the article interesting enough, then try reading the comments. Definitely entertaining.

Rick
I never forget a face, but in your case I'll be glad to make an exception. - Groucho Marx

Saturday, September 02, 2006

New Security Blog

Raul Siles of SANS/GIAC GSE fame, along with a couple of his friends, David Perez and Jorge Ortiz, has started a new security blog. I have been following it for a few weeks now and these guys have some insightful things to say in the security realm.

Give it a try if you have a chance!

Raul also publishes a list of security related web pages, blogs, and podcasts that is worth a look...
http://www.raulsiles.com/resources/hackers.html

Rick
Getting older is no problem. You just have to live long enough. - Groucho Marx

Thursday, August 31, 2006

Live View - raw disk to VMware image

I dabble a bit in the forensics world. Today I came across a wonderfully useful tool. Live View is a Java-based tool that converts raw disk images (à la dd) into VMware-compatible images. Messed around with it a bit tonight, and it seems to work exceptionally well.

More on Live View at http://liveview.sourceforge.net/

Rick
Remember, you can always find East by staring directly at the sun. - Bart Simpson

Sunday, August 20, 2006

Commentary...and More Security Related Humour

I have been out of Internet communication for the last couple of weeks. It has been nice. In the wake of the most recent round of security stupidity surrounding last week's terrorism arrests, some people were asking my opinion. I have a couple of comments on this. The first being that it frightens me that some people care about my opinion, the second comment being that my opinion is obvious from past posts. Total and complete waste of resources. Security Theater designed to placate an uninformed public looking for decisiveness from their elected representatives. As I have said before...anything that further inconveniences the travellers of the world means the terrorists have won another victory.

Fortunately, Bruce Schneier and others with much bigger reading audiences than me adequately filled in in my absence. (-8

David Malki has summarized my thoughts very adequately in this biting cartoon.

http://www.wondermark.com/d/220.html

Enjoy!

Rick

"Fry: No, Bender! Cutting off Leela's head won't solve anything!" - Matt Groening from Futurama

Friday, July 14, 2006

Some security related humour!

So far I have avoided wading into the discussion over the NSA Eavesdropping on telephone calls for a couple of reasons:

1) American politics is too easy a target. As absurd as politics in Canada is, it seems American politicians don't even try to avoid being a Three Stooges skit.
2) I visit the US regularly. No watch lists or no-fly lists for me. (-8

So you will be pleased to know I am still not wading in...

but I couldn't help but post a pointer to this amazing little animated cartoon courtesy of Walt Handelsman at Newsday. I laughed so hard I fell out of my chair.

http://www.newsday.com/media/flash/2006-06/23671673.swf

Enjoy!

Wednesday, May 24, 2006

Security Absurdity and other follies

I'd like to point you to an article by Noam Eppel http://www.securityabsurdity.com/failure.php

and the subsequent followup by Marcus Ranum http://www.ranum.com/security/computer_security/editorials/failure/index.html

Both of these people are not unknown in the security community, and I would have to believe that Marcus is probably as close to a household name as there is in this industry.

I'd like to disagree with them, but unfortunately there is a lot of truth in what they say. The security vendors make, and so called security professionals (another discussion for another day) keep deploying, technology that is ill-conceived, flawed, and overly complex. Why? To attempt to satisfy protecting application technologies that are ill-conceived, flawed, and overly complex. The solution is not easy, but as long as this arms race continues, the attackers will continue to hold the upper hand.

The first step as always in security lies with people...in educating users, in educating security professionals, in educating application developers and senior managers, and CEOs. Unless they all begin to understand the implications of the applications being deployed this will get a lot uglier before it gets better.

Rick
I sent the club a wire stating, "Please accept my resignation. I don't want to belong to any club that would have me as a member." - Groucho Marx

Monday, February 27, 2006

Mac OS X Honeymoon is over!

A few days late. Kevin Liston of the SANS Internet Storm Center published an insightful entry over the weekend. Basically he said that recent vulnerabilities in OS X have got exploit developers turning their attention in that direction.

http://isc.sans.org/diary.php?storyid=1145

It was bound to happen. It is not that the vulnerabilities weren't out there, it was just that hardly anyone was looking. Time for the OS Xers to join the real world.

Rick

I've had a perfectly wonderful evening. Unfortunately this wasn't it. - Groucho Marx

Thursday, February 23, 2006

Tell me about your first!

I was listening to Paul Asadoorian's podcast with Mike Poor and Ed Skoudis of IntelGuardians and SANS/GIAC (http://www.pauldotcom/2006/02/pauldodtcom_security_weekly_int.html) and the conversation came around to Mike and Ed's first computers. Mike's was an Apple IIe, Ed's a Vic 20 (purchased in 1980). This got me thinking about mine.

I can go one better...mine was a TRS-80 Model 1 my Dad bought in about 1978. It was a 4K machine with a cassette tape drive. The first programming language I learned was Z80 assembler, followed shortly after by BASIC. The first real program I wrote was a bad graphics version of poker dice in BASIC.

Unfortunately, I remember punched cards, octal bootstraps, monochrome monitors (Volker Craig 4404s), Sigma 9s, PDP-11s, and a whole lot of other things that make me feel really old.

I would love to hear about your first.

Rick

Age is not a particularly interesting subject. Anyone can get old. All you have to do is live long enough. - Groucho Marx

Tuesday, January 03, 2006

Securing Linksys WRT54G

Yet another of my quick and dirty how-to docs has been published on infosecwriters.com. This one addresses hardening a Linksys WRT54G Wireless Router.

http://www.infosecwriters.com/texts.php?op=display&id=368

As usual, comments and constructive criticism are welcomed.

Rick

From the moment I picked your book up until I laid it down, I was convulsed with laughter. Someday I intend reading it. - Groucho Marx