The Value of Anti-Virus

2012-03-17 21:37:34 by chort

There has been a lot of noise recently about whether it's worth the cost to run anti-virus software. As laid out in the Wired article, the opposing viewpoints typically boil down to:
FOR: Anti-virus is essential for protecting careless users.
AGAINST: There are more effective ways to spend security budget.
Those are both good points, so I think making a purely binary use it/don't use it decision is short-sighted.

Before I get to the main point, I'd also like to note that the only source on record in that article vigorously defending anti-virus is a giant analyst firm. You don't have to think very hard to see a huge economic reason for a company that makes a lot of money off of vendors to be a vocal cheerleader for the two companies who dominate all security spending. A cynic might wonder how good the advice they're getting is, coming from an analyst who puts the interest of their own firm ahead of their customers'. It seems there's a lot of that going around. I'd wager this situation contributes greatly to the suspicion of giant AV vendors.

Read the rest of this story...

B-Sides SF and RSAC 2012 Summary

2012-03-10 13:35:28 by chort

One of the consistent themes I heard from attendees of B-Sides SF and RSAC this year was "this was the best year yet!" That is a huge turn-around from the cynicism that was so prevalent last year. I haven't quite put my finger on a root cause for that sentiment, but perhaps it has something to do with increased focus on people and process over technology. Although I didn't take detailed notes this year, I will attempt to summarize the concepts from each of the sessions I attended and some of the "hallway track" themes.

SCADA Security: Why is it so hard? - Amol Sarwate
In many ways this talk was a rehash of the SCADA talks we're used to now: Lifecycles are long, field upgrades are hard, the protocols are brittle, the control networks aren't air-gapped, etc, etc. The only new information for me was the realization that Wireshark already has solid protocol analyzer support for many SCADA/ICS protocols (such as Modbus), and the news that Qualys are releasing a protocol-aware SCADA scanner for DNP 3 and Modbus. The advantage of such a scanner vs. traditional network tools such as NMAP is that the former is less likely to crash delicate SCADA endpoints.

At the end of the presentation, Joseph Weiss stood up and made an impassioned, yet unconvincing speech. He rattled off numbers of people killed and facilities damaged by "cyber attacks," but didn't cite any sources or credible evidence. The crowd reception could best be described as incredulous. I came away with the sense that Joe is dangerous and irrational, but maybe one of us just hadn't had enough coffee.

Automating Security for the Cloud: Why we all need to care… - Rand Wacker
I was hoping this presentation was going to explain how to automate cloud security, but it turned out to be more about why automating security is necessary [in retrospect, the title does say "why" so it was wishful thinking on my part]. Perhaps this is news to some folks. The only useful tidbit I picked up was that attackers are rapidly creating new VMs in cloud provider environments, trying to grab an IP lease that was recently used by another VM. They use the new VMs to scan for other VMs that allow trusted access based on IP address. In this manner attackers can impersonate previous VMs and gain access to services that are protected only by host firewalls. This is certainly a type of attack enterprises don't have to deal with on their private networks and goes to show that stronger authentication is needed beyond simple IP ACLs.
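To make the lease-reuse problem concrete, here is a small simulation I've added (it is not code from the talk or from the original post). It models a service that authorizes callers two ways: by source IP alone, the host-firewall style the talk warns about, and by a per-instance secret issued at provisioning time and revoked at teardown. The instance names, the address and the keys are constructed for the demo.

```python
"""Simulation: IP-only trust vs. per-instance credentials across an IP lease change."""
import hashlib
import hmac
import secrets


class Service:
    """A service that tracks two independent trust stores."""

    def __init__(self):
        self.allowed_ips = set()    # IP-only trust, as in a host firewall ACL
        self.instance_keys = {}     # instance id -> secret issued at provisioning

    def provision(self, instance_id, ip):
        """Register a new VM: trust its IP and issue it a fresh secret."""
        self.allowed_ips.add(ip)
        key = secrets.token_bytes(32)
        self.instance_keys[instance_id] = key
        return key

    def terminate(self, instance_id):
        """Revoke the instance's secret. The IP deliberately stays in the
        allow-list: nobody updates the firewall when the VM goes away and
        the address is re-leased, which is the gap the talk describes."""
        self.instance_keys.pop(instance_id, None)

    def authorize_by_ip(self, source_ip):
        """Weak check: any caller holding the address is trusted."""
        return source_ip in self.allowed_ips

    def authorize_by_token(self, instance_id, request, tag):
        """Stronger check: the caller must prove possession of the instance key."""
        key = self.instance_keys.get(instance_id)
        if key is None:
            return False
        expected = hmac.new(key, request, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def sign_request(key, request):
    """What a legitimate instance does with the key it was issued."""
    return hmac.new(key, request, hashlib.sha256).digest()


def legitimate_caller():
    """Instance A, still running, authenticates with its own key."""
    svc = Service()
    key_a = svc.provision("vm-a", "10.0.0.5")       # constructed address
    request = b"GET /internal/config"
    return svc.authorize_by_token("vm-a", request, sign_request(key_a, request))


def lease_reuse_scenario():
    """Instance A is terminated and its address is re-leased to a VM in
    someone else's account. Returns what each check decides for that VM."""
    svc = Service()
    shared_ip = "10.0.0.5"                           # constructed address
    svc.provision("vm-a", shared_ip)
    svc.terminate("vm-a")
    # The new VM reuses the address but never received A's key,
    # so the best it can do is present the claimed identity with a bogus tag.
    request = b"GET /internal/config"
    bogus_tag = bytes(32)
    return {
        "ip_check": svc.authorize_by_ip(shared_ip),                       # True: still trusted
        "token_check": svc.authorize_by_token("vm-a", request, bogus_tag),  # False: key revoked
    }


if __name__ == "__main__":
    print("legitimate instance:", legitimate_caller())
    print("after lease reuse:", lease_reuse_scenario())
```

The point of the two functions is the asymmetry: revoking the key on termination closes the window for the new tenant of the address, while the IP allow-list keeps granting access until someone remembers to edit it. The same holds even without revocation, because the new VM never held the key.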

We are Handling Security the Wrong Way - Brett Hardin
This talk started off well, encouraging security practitioners to limit conclusions to those supported by data, and to readily accept challenges to our assumptions. In addition, it was suggested that outcomes should be used as feedback into future decisions (first of several talks to link incidents and metrics). It meandered a bit through the limitations of vulnerability assessment (referred to as "vulnerability management") software, and noted the frustrations of developer education. I didn't walk away with a good sense of what the next step is.

I chatted with Brett on the developer education topic after the presentation. He revealed that his experience did not show a quantifiable reduction in bugs per lines of code over a one year period. I related my positive experience in building rapport with developers, but acknowledged that I'm far from being able to measure the impact. We agreed that it's tough to scale a diplomacy approach, since so many security practitioners are not naturally adept in interpersonal relations. Unfortunately we weren't able to pursue the conversation beyond that.

So you want to be the CSO... - Daniel Blander
The key points from this talk were: Don't attempt to operate security programs in a vacuum (understand what business process you're protecting and why), be able to communicate a real value for security projects (as opposed to employing FUD), and understand the motivations of the different actors within your organization. Essentially broaden your horizon beyond pure tech and figure out how the people and processes interact to form the system.

Metrics That Don’t Suck: A New Way To Measure Security Effectiveness - Dr. Mike Lloyd
This was the second talk in just the first day to mention security metrics. Dr. Lloyd's talk was full of optimism and can-do spirit, which was appreciated. The presentation highlighted the use of metrics by the US Department of State in measuring the vulnerabilities present in systems at US embassies, and a process for creating attack-chains that visualized systems at risk via other systems.

I think there's a lot of value in simply starting these kinds of measurement programs, but I had the nagging suspicion the attack-chain model only represented a narrow slice of actual risk, since it focused on outside-in attacks through firewall ACLs into protected DMZs. With the rise in popularity of phishing and other social engineering attacks, a lot of systems are directly at risk that aren't visible inbound through a firewall. When I asked Dr. Lloyd whether they had thought of employing the attack-chain in reverse, i.e. start from a valuable server and see what all could reach it, he replied that the results tended not to be useful, since they often pointed to an anti-virus management console or monitoring system. He said that wasn't very useful for assessing risk, but I and a few researchers seated near me noted that these systems are prime targets for penetration testers and malicious actors for exactly the reasons mentioned (everything on the network can reach them, and they can reach everything).

How NOT To Do Security: Lessons Learned From The Galactic Empire - Kellman Meghu
This was a light-hearted talk full of pop-culture lulz, but little substance. It was the perfect talk to start a morning.

2012: The End of Security Stupidity - Amit Yoran, Kevin Mandia, Ron Gula and Roland Cloutier
As we were taking our seats for this talk, several people near me noted that panels are often shallow and light on useful information, relying on name-recognition to pull a large audience. I agreed and braced myself for a potentially mind-numbing session of self-congratulation and circular back-patting. Fortunately that was not the case.

Ron got things off to an interesting start by suggesting Anonymous are the best thing to happen to the information security industry. From there it delved into a deep discussion of the futility of preventative security controls and the importance of incident response and forensics. Kevin memorably stated "you're only as good as your best forensicator," meaning the effectiveness of your security is largely determined by the skill of your employees. Roland described how the security program at his organization has shifted drastically to focus on response. He said he talks to other organizations that don't have responders and he doesn't understand how they can function without them.

There was a lively round of audience participation at the end of the session. The best question was regarding how organizations could train incident responders to cope with the demand, noting that traditional IT security employees don't have forensic and malware analysis skills. Roland shared that his organization partners with local schools and colleges to hire interns to work on projects. He likes to get young students excited about information security to steer their study focus in school towards forensics and other relevant areas. He called out the University of Maryland, among others, as having a strong emerging infosec program. The panel in general encouraged organizations to find young talent and train them from scratch, rather than trying to convert old-school IT security practitioners who focus on firewalls and security appliances.

There were a number of other interesting topics and discussions during the panel that I simply don't have the room to cover. Suffice it to say this panel was my favorite session of the week. If you weren't there, you really missed out. Look for incident response to become an increasingly important topic this year. If you're a career infosec engineer who has focused heavily on security appliances, you need to rapidly adopt a new skill set or risk being passed over for a new generation of security workers.

Fundamental Flaws in Security Thinking - Martin McKeay
This talk focused on some of the erroneous assumptions about the security industry. People often assume that the goal of security is 100% safety from attacks, but that is simply unattainable. Striving for perfection is only going to burn people out and disappoint other parts of the organization (chiefly, management). Security professionals need to set reasonable expectations for how frequently attacks will succeed and what can be done to mitigate the impact. Hand in hand with that is the idea that security professionals are solely accountable for all success and failure relating to the security of data and operations. In reality, many parts of an organization are responsible for the security of the system, so that should be communicated and understood widely. Security professionals shouldn't try to take the weight of the world on their shoulders.

Money$ec Evolved - Jared Pfost and Brian Keefer
Since I was involved in this presentation, I will only summarize it briefly. Jared and I talked about the necessity of using incident response and root-cause analysis to measure the effectiveness of security controls. Jared pointed out additional ways that mature organizations can improve their efficiency through metrics, and how to communicate those visually and through narrative. We also gave a shout-out to Ben Sapiro's "We Are Losing" blog post. You can find our slides on the Third Defense Blog.

Your IR Team: More than Firemen and Maids - Wade Baker and Christopher Porter
By my count, the fourth B-Sides SF talk this year to heavily feature statistics and suggest setting metrics. The presentation made an argument for formally tracking and classifying incidents, for instance using the VERIS framework. The talk was quite compelling and did a good job illustrating how incidents can be charted and visualized.

Unfortunately, when I visited the VERIS wiki I found it rather disorganized. To me, the wiki doesn't do a good job of communicating how the framework can be implemented and throws up a wall of words rather than diagrams and practical implementations. In all fairness it is under construction, and does give some examples, but more concrete tools would be welcome. If someone would release a spreadsheet template or simple app (Python, Ruby, etc) to jump-start organizations on their incident classification, that would be a huge public service.

Get Secure or Die Tryin' - Dave Shackleford
This talk was a great way to close out the conference, with a laugh a minute as Dave shared some of his real life pentest experiences. Although the main thrust was humor and catharsis, it did highlight how simple things like shared admin passwords, failure to audit the domain admin group membership, and failure to check for the most basic flaws in web apps can bring organizations to their knees.

Beyond the presentations, I had some really fantastic conversations at B-Sides. I got to talk with Adam Shostack about the work Microsoft is doing to improve User eXperience related to security. I understood the process to be identifying where users have insufficient information to make an informed decision, and either providing the appropriate information, or removing the choice. It's more nuanced than that and deserves a much deeper explanation, but that's the abstract concept.

I also spent a long time talking to Julia Wolf on far-ranging topics from malware reversing to the history of UNICODE. Hopefully we can expect some new posts from her on the FireEye Blog and perhaps a really fascinating piece of reversing will be revealed soon at a conference near you (I got a detailed walk-through and I assure you it will make a riveting presentation).

SIDEBAR: At a time when everyone loves to whine about how little information is being shared, I would like to point out how incredibly valuable it is to have folks like Julia, diocyde, Mila Parkour, Gary Golomb, Brandon Dixon, etc posting their research. I never would have worked up the motivation to get into forensics and malware analysis if it wasn't for their excellent reference sources. Mad props to everyone sharing their research. It's making a difference.

On Thursday I finally made it to the expo floor at RSAC (using a fake name, although I didn't find that newsworthy at the time) and had a chance to walk around. Although it was a lot more of the same as usual, I did get to visit a lot of new vendors who are working on problems I care about. One thing that helped a lot this year was having many contacts from Twitter who could provide feedback and help set up meetings. That made the floor-search process much more rewarding. For example, I met with David Mortman to discuss how enStratus has designed their service for cloud management. We dove into the architectural details at a level we probably wouldn't have had from a sales or marketing person, cutting to the heart of what I needed to know. That was invaluable (PS I recommend talking with them if you're trying to manage private or public cloud projects).

Friday I capped the week with the Security Wineout organized by MC Petermann and Dr. Paul Judge. Besides the obvious good food and great wine, I got to chat with Paul about his latest venture, Pindrop Security, which is a lot more interesting than it would sound at first blush.

So that wraps up another B-Sides SF & RSAC. I learned a whole lot, much of which I attribute to the contacts I was able to make via Twitter. Peace out.

Attending BsidesSF and RSAC 2012

2012-02-25 12:15:15 by chort

Just a quick note to let folks know my schedule for RSAC week. I'll be at BSidesSF both Monday and Tuesday all day. Tuesday afternoon at 2PM @JaredPfost and I will be giving our follow-up to the Money$sec talk we did last year. Thursday morning I plan on being at the Securosis Recovery Breakfast and Friday will be the Security Wineout with @pauljudge and @petermannmc.

Unfortunately I don't think I can stay for Baysec or the BSidesSF party on Monday night. I might spend some time on the RSAC exhibit floor Thursday, but that's iffy. If you want to meet me, Monday and Tuesday at BSidesSF are your best bets, or Thursday morning at the recovery breakfast. Make sure to mark your calendar for the Security Wineout next year so you don't miss out again!

oclHashcat-lite benchmarks on Radeon HD 6550D (A8-3850 APU)

2012-02-04 00:25:44 by chort

In the interest of science, to see just how fast a mobile-class GPU cracks passwords, I ran the benchmarks on oclHashcat-lite-0.08 and oclHashcat-lite-0.09. I think pentesters may be surprised by how fast they could crack passwords on a laptop GPU, compared with rainbow tables or (shudder) CPU.

Read the rest of this story...

Conducting Password Splicing Attacks With oclHashcat-plus

2012-01-19 00:01:12 by chort

A coworker once told me he imagined immigration officials handing Chinese immigrants two bags with slips of paper, asking them to pick a paper from each bag and put them together to form the name of their restaurant. This is how he imagined names like "Green Dragon," or "Golden Lotus," or "China Garden" got created. While it might not be a very accurate way to describe culinary establishment marketing, it is similar to how many users choose passwords. I'm calling this method the "Chinese Take-out Attack."

Read the rest of this story...

Why the SOPA/PIPA Protests Worked

2012-01-18 22:53:40 by chort

While we all wear our arms out patting ourselves on the back for the remarkable changing of tides today, let's not forget why the website blackouts actually worked: Because of the massive number of phone calls to senators and representatives. You can whine on Facebook and change your Twitter profile picture all you want, but no one in Washington D.C. will ever notice that. When a massive number of people jam phone lines and overflow voicemail boxes, THAT gets their attention. If you haven't called your senators and representative yet, your job is not finished. Make sure you call all three before the PIPA vote on January 24th.

Make no mistake, this war isn't over. The MPAA and RIAA will come back over and over again, in sneakier and sneakier ways. It costs them a lot less money to buy congresspeople than it does to take risks by investing in new business models. This is why I'm proposing another course of action: Defeat Lamar Smith in the next election. I made a promise today on Twitter to contribute the maximum legal amount to a candidate with a legitimate shot to defeat Rep Smith, and I intend to follow-through. We need to send a message that not only do we get pissed off when businesses buy laws, we don't forget who facilitated them.

We can't afford to financially assail every pro-SOPA/PIPA congressperson up for reelection, but we can make life miserable for one of them. Rep. Smith has been the most visible and the least rational MPAA/RIAA cheerleader, accepting all their propaganda verbatim, without any attempt to question it. This deliberate anti-intellectualism (blocking network architects from even testifying on the ramifications of proposed legislation, and dismissing all amendments without consideration) needs to be punished. It's not OK to legislate out of ignorance. The citizens of Texas should be ashamed of putting this man into office, and they certainly shouldn't keep him there.

Even if you read this months after the posting date (January of 2012), it's almost certainly still relevant. Big, old corporate interests are still going to be attempting to legislate away any competitive or disruptive market forces, to protect their obsolete business models. Educate yourself, fight back. If you somehow came to be reading this blog post and have no idea what I'm upset about, here are some references.

EFF action site for SOPA/PIPA.
Long history of content industry takedown powers abuse.
A technical examination of SOPA and PROTECT IP.
Statement by several brilliant, well-known artists against SOPA/PIPA
What Joe Brockmeier wishes sites were saying about SOPA/PIPA.
Learn about corporate money's corrupting influence (and what YOU can do).

Free Advice for the DHS

2012-01-17 10:46:51 by chort

You may be aware that the DHS are now sending (opt-in) "Daily Cyber Reports" to IT and security practitioners. The stated purpose of the reports is "to facilitate a greater understanding of the nature and scope of threats to the homeland." I wonder if they're aware of the threat they're creating by teaching people to open PDF documents from unauthenticated email? Well they have no excuse now, because I told them. Here's a copy of the email I sent them on the topic.

1.) Create a DKIM record for hq.dhs.gov and use it to sign the headers of the email, so recipients can verify it was really sent by hq.dhs.gov, rather than a phishing site.

2.) Publish a public key for OSINTBranchMailbox [at] hq.dhs.gov on a website that has a DNSSEC-signed record.

3.) Use the private key (GPG or S/MIME) to sign messages sent from OSINTBranchMailbox [at] hq.dhs.gov.

4.) DO NOT INCLUDE ATTACHMENTS, unless they are plain text. Training users to open Adobe and Microsoft documents is the worst thing you can do, when most compromises are initiated with poisoned Adobe or Microsoft documents.

5.) Host the Cyber Report on a website that has a DNSSEC-signed DNS record and an SSL certificate that matches the hostname of the website and chains up to a trusted root.

If you're going to advise organizations on security, you should secure your infrastructure and comms too. Lead through action.

PS you haven't configured your authoritative DNS server properly. The template default value for email address is showing in the SOA.
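From the recipient's side, points 1 and 4 above are the ones an analyst can check on every report before opening it. The script below is an added example, not part of the email or the original post. It assumes the receiving mail server has already done the cryptographic DKIM verification (which needs a DNS lookup of the selector record) and recorded the verdict in an Authentication-Results header; the code only interprets that verdict, checks that the signing domain (the d= tag) matches the From domain, and flags any attachment that is not plain text. The three sample messages are constructed for the demo and are not real DHS mail; the hypothetical receiving host is mx.example.net.

```python
"""Triage an incoming 'Daily Cyber Report' against the signing and attachment advice."""
import email
from email import policy
from email.utils import parseaddr

EXPECTED_DOMAIN = "hq.dhs.gov"   # domain the reports are supposed to come from


def parse_dkim_tags(header_value):
    """Split a DKIM-Signature header into its tag=value pairs (first '=' only,
    so base64 padding in bh= and b= is preserved)."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())   # drop folding whitespace
    return tags


def dkim_result(msg):
    """Return the dkim= verdict recorded by the receiving MTA, or None if absent."""
    for ar in msg.get_all("Authentication-Results", []):
        for clause in str(ar).split(";"):
            clause = clause.strip()
            if clause.startswith("dkim="):
                return clause.split()[0][len("dkim="):].lower()
    return None


def risky_attachments(msg):
    """List attachments that are anything other than text/plain (recommendation 4)."""
    found = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment" and part.get_content_type() != "text/plain":
            found.append((part.get_filename(), part.get_content_type()))
    return found


def assess_message(raw):
    """Return {'trusted': bool, 'findings': [reasons]} for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    _, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()
    if from_domain != EXPECTED_DOMAIN:
        findings.append(f"From domain {from_domain!r} is not {EXPECTED_DOMAIN}")
    sig = msg.get("DKIM-Signature")
    if sig is None:
        findings.append("no DKIM-Signature header (recommendation 1 not met)")
    elif parse_dkim_tags(str(sig)).get("d", "").lower() != from_domain:
        findings.append("DKIM d= domain does not match the From domain")
    verdict = dkim_result(msg)
    if verdict != "pass":
        findings.append(f"receiving MTA recorded dkim={verdict}")
    for name, ctype in risky_attachments(msg):
        findings.append(f"non-plain-text attachment {name!r} ({ctype}) violates recommendation 4")
    return {"trusted": not findings, "findings": findings}


# Constructed samples (not real mail). Signature values are placeholders.
CLEAN_REPORT = b"""\
Authentication-Results: mx.example.net; dkim=pass header.d=hq.dhs.gov
DKIM-Signature: v=1; a=rsa-sha256; d=hq.dhs.gov; s=reports; h=from:subject;
 bh=placeholderbodyhash=; b=placeholdersig=
From: OSINTBranchMailbox@hq.dhs.gov
Subject: Daily Cyber Report
Content-Type: text/plain

Plain-text report body, no attachments.
"""

SIGNED_WITH_PDF = b"""\
Authentication-Results: mx.example.net; dkim=pass header.d=hq.dhs.gov
DKIM-Signature: v=1; a=rsa-sha256; d=hq.dhs.gov; s=reports; h=from:subject;
 bh=placeholderbodyhash=; b=placeholdersig=
From: OSINTBranchMailbox@hq.dhs.gov
Subject: Daily Cyber Report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Summary in the body; full report attached.
--b1
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--b1--
"""

UNSIGNED_FROM_ELSEWHERE = b"""\
Authentication-Results: mx.example.net; dkim=none
From: OSINTBranchMailbox@dhs-reports.example.com
Subject: Daily Cyber Report
Content-Type: text/plain

Please open the attached report.
"""

if __name__ == "__main__":
    for label, raw in [("clean", CLEAN_REPORT), ("pdf", SIGNED_WITH_PDF), ("unsigned", UNSIGNED_FROM_ELSEWHERE)]:
        print(label, assess_message(raw))
```

The d= versus From alignment check matters because a DKIM pass by itself only says that some domain signed the message; a phisher can sign with their own domain. Dropping a message into the "do not open" pile when the verdict is anything other than pass, or when a non-text attachment is present, is the policy that recommendations 1 and 4 imply.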

Simple Guide to Secure Anything

2012-01-02 23:28:32 by chort

Recently I was asked for some pointers on creating a security roadmap. Since there's no one-size-fits-all strategy for which programs or technologies to implement, this is a tough question to answer. After thinking about it for a few minutes, I stepped back and put together this abstract, which is really what security boils down to after all. The rest is implementation details.

Read the rest of this story...

Courage is Temporal, or: USA's Overdeveloped Sense of Heroism

2011-11-20 20:37:44 by chort

In struggling to come to grips with what the Occupy Wall Street movement really means to society, I realized there had been a serious shift in public perception of law enforcement--at least by the white middle class*. If we think back 10 years, nearly everyone was heralding law enforcement and other first-responders as heroes, for risking their lives at the World Trade Center site. If we look at the press today, we see police, sheriff, and campus security forces being roundly criticized for widely publicized incidents of violence. Public officials appear to have been caught off-guard and their response has ranged from bi-polar (Jean Quan, in Oakland) to defiant (Michael Bloomberg, New York City). What accounts for this change?

Read the rest of this story...

Notes on GPU-based Hash Computation

2011-10-29 16:03:45 by chort

In the last few weeks I've learned a lot about applying GPUs to break password hashes. I'd like to thank @ErrataRob for writing the blog post that got me started in this field. If you haven't read Rob's post, I highly recommend you do that first, because this post builds on it. Don't buy a graphics card until you've read my post though, because there are some important updates.

Read the rest of this story...