infosec Archives

January 18, 2007

Computer Security Awareness Video Contest

A colleague recently posted a link to the "EDUCAUSE/Internet2 Computer and Network Security Task Force and the National Cyber Security Alliance" Computer Security Awareness Video Contest. Some of these videos are absolutely hilarious. My favorite is the 3rd place video featuring the McCumber Cube. I took a class from McCumber at GWU and have kept in touch with him since then. Worth a look! :)

Continue reading "Computer Security Awareness Video Contest" »

January 28, 2007

Web 2.0 vs. Privacy & Security

I've been thinking a lot lately about the impact of Web 2.0 on information security. I've read Tim O'Reilly's seminal "What Is Web 2.0" article that defines this new trend. I've attended Dion Hinchcliffe's Web 2.0 training. I've read (most of) The Long Tail and The World Is Flat. I get it. I understand this new surge in the Internet economy. I see myriad opportunities for monetization for anything that can be sold effectively online, for ad revenue, for social networking, and for further redefining the customer relationship experience.

In the end, I do not see how any of this changes the fundamental issues within Privacy and Security. It does, however, potentially make things worse. Here's my take on some of these fundamental issues:

Continue reading "Web 2.0 vs. Privacy & Security" »

February 27, 2007

Notes on "The Psychology of Security"

I recently read Daniel Gilbert's Stumbling on Happiness (I blog briefly about it here), which got me to thinking about the tricks the brain plays on us and how this might apply to security. Interestingly, not long after that Dr. Bruce Schneier posted a paper titled The Psychology of Security, which he presented at the 2007 RSA Conference. In reading through his paper, I found a considerable amount of similarity with Gilbert's book, which was interesting. More interesting, however, were insights I've gained into how we as infosec practitioners might be able to better present security concepts to consumers and customers so that they'll welcome what we offer, rather than resist security improvements.

Following are my notes from reading Schneier's paper, plus some additional follow-up.

Continue reading "Notes on "The Psychology of Security"" »

March 2, 2007

New Threats in Web 2.0

I've previously blogged about how I don't think, fundamentally, Web 2.0 represents a change in information security. It represents some new challenges, but the base goals are still the same -- Confidentiality, Integrity, Availability. I was able to attend a couple of excellent internal conferences this week on Web 2.0, which has helped me further refine some of my thinking. One conclusion I've drawn over the past couple of weeks is that the Web 2.0 "web as platform" principle is fairly significant, and is going to represent the new class of major self-propagating malware threats. And it gets worse.

Continue reading "New Threats in Web 2.0" »

March 4, 2007

Attack on Web 2.0 Exemplar: WordPress 2.1.1

Funny, I was just blogging about emerging threats in Web 2.0. Well, here's an example of an attack on a stalwart of the Web 2.0 concept, live and all: WordPress 2.1.1 has been declared dangerous after an attacker broke into the servers and modified the code base, inserting malicious code that allowed for remote code execution. This does not appear to be a "web as platform" class attack so much as a server-side code abuse attack. Really, the attack itself seems mundane. However, given the popularity of blog software, with huge growth due to social networking, this attack is amplified because of the Web 2.0 movement. fwiw. :)

Continue reading "Attack on Web 2.0 Exemplar: WordPress 2.1.1" »

March 7, 2007

Assurance and the Iceberg Principle

According to the iceberg FAQ, "About 7/8ths of an iceberg is below the water line." That's about 87%. Thus, the iceberg principle is that you only see a very small portion of the iceberg, potentially missing the vast majority of it.

Working in security assurance (which in this context means internal consulting and attestation, injecting security requirements into projects and then performing technical security testing as the project nears completion), we are constantly dealing with the iceberg principle. We typically see projects when they follow procedure and come to us. We review the portion of the overall application or system being developed, issue our findings, and then move on. In the background, however, is the rest of the project, hidden just below the water line. The large number of projects we're expected to clear usually prevents us from probing deeper and perhaps finding those hidden concerns.

Continue reading "Assurance and the Iceberg Principle" »

March 21, 2007

Nmap News, Beware GoDaddy

Fyodor has posted the latest Nmap News to the Nmap Hackers list. Check it out!

Quoting here one choice section, specifically to help raise awareness. If you are currently using GoDaddy, get off of it asap. Some whack job started flinging falsified accusations and DMCA requests around, which apparently resulted in the domain pull-downs, even though they weren't justified (see later in the newsletter, linked above).

Continue reading "Nmap News, Beware GoDaddy" »

April 19, 2007

KPMG Publishes "Profile of a Fraudster"

Ok, time to get back to an infosec focus here... :) KPMG UK has published a report that describes "fraudsters" (non-technical term describing a white collar criminal) based on analysis of 360 cases in Europe, South Africa, and the Middle East.

Below are some selected stats from the Executive Summary (section 3). If you find this interesting, I encourage reading the whole story. It's interesting to see reinforcement of the old-school notion that the vast majority of incidents come from insiders. It reinforces the need to protect the company against its own personnel, though without treating people as criminals. The old phrase "it's behind the firewall" is once again proved ridiculous.

Continue reading "KPMG Publishes "Profile of a Fraudster"" »

May 7, 2007

DoD Intelligence Fails Occam's Razor

This is perhaps one of the more amusing failures of U.S. Department of Defense (DoD) intelligence in recent times. I couldn't find the link, but within the last year or so an intelligence report was put out warning against fake Canadian coins containing radio frequency (RF) transmitters for the purpose of espionage or surveillance. Well, it turns out those reports were grossly overstated. According to CNN.com, a special series of "poppy" quarters was released in 2004 by the Royal Canadian Mint to commemorate those lost to war. Apparently the DoD didn't get the memo.

What is perhaps most egregious here is the failure of the DoD to apply a mote of common sense, such as by applying Occam's Razor. According to the CNN.com article, the defense contractors who "discovered" these "suspicious" coins performed a very detailed analysis of the pieces. Unfortunately, they came to conclusions that were, well, rather far-fetched. Maybe they had been reading spy novels and let their imaginations run away with them. I just find it sad that the level of analysis described could occur with the end result being issuance of a warning about spy coins that had no basis in the facts determined. Talk about a major disconnect between reality and imagination.

Continue reading "DoD Intelligence Fails Occam's Razor" »

May 9, 2007

Investigation Works, (Media) Panic Ensues

We're a strange people. I'm unsure if this is an Americanism, or just a human trait, but it's kind of weird, and definitely rates high on the selfishness scale. A raid was conducted yesterday against a terror cell in New Jersey planning an attack on Ft. Dix. The raid was the result of good old fashioned police work, complete with a paid snitch and all the leg-work you would expect. Notice there were no restrictions on liquids or gels involved in this bust.

What I found annoying in local coverage, however, was that the media immediately jumped into super-hyped panic mode. "What if this were to happen here?!?!?", they'd say. Well, I hope that the investigators here are just as smart as the investigators in NJ, meaning they would take the tip and run with it, too. Hopefully people here would be just as cognizant of aberrant behavior and would report it accordingly.

Continue reading "Investigation Works, (Media) Panic Ensues" »

May 13, 2007

Welcome New Postage Rates/Rules!

Ok, so, tomorrow (Monday 5/14) new postage rates and rules go into effect. First class mail increases from 39 cents to 41 cents. Annoying, but probably no biggie for the average person. USPS is also introducing the new "forever stamp" -- a stamp that will continue to be good regardless of future rate increases. Kind of clever, don't you think?

But wait, there's more! Apparently a bunch of rate rules are also changing, such as about the size and shape and thickness of envelopes. Is this a good thing? If this CNN.com article is any indication, then I would say "yes, it is a good thing!".

Continue reading "Welcome New Postage Rates/Rules!" »

May 18, 2007

Schneier on Overreactions

Bruce Schneier has an excellent blog post today on why people overreact to events that are particularly rare (e.g., fear of plane crashes vs car crashes). It's well worth the time to read it, and is also worth checking out some of the included links.

Continue reading "Schneier on Overreactions" »

June 1, 2007

TRAC DHS Report, Schneier Essay

The Bruce has a couple of excellent posts on his blog this week. The first informs us of a TRAC report criticizing the DHS' lack of focus on terrorism. The second is an essay he wrote for Wired titled "Tactics, Targets, and Objectives" that touches on TSA, but really goes broader on the topic. The essay is very informative, I think, and definitely worth the read.

I don't have any commentary really to add. I'll be generating some new original content here over the weekend -- once I get my feet back under me from the break-neck pace of work these last couple weeks.

Continue reading "TRAC DHS Report, Schneier Essay" »

June 3, 2007

Notes on Cialdini's Influence

"Because technology can evolve much faster than we can, our natural capacity to process information is likely to be increasingly inadequate to handle the surfeit of change, choice, and challenge that is characteristic of modern life. More and more frequently, we will find ourselves in the position of the lower animals -- with a mental apparatus that is unequipped to deal thoroughly with the intricacy and richness of the outside environment. Unlike the animals, whose cognitive powers have always been relatively deficient, we have created our own deficiency by constructing a radically more complex world." (Influence, p.277)

I've recently completed Robert Cialdini's Influence: The Psychology of Persuasion (Collins Business Essentials). The book covers in detail what Cialdini has identified as the six most common methods of influence that are used or abused in compliance situations. A compliance situation would be any scenario where someone is trying to get something from someone else, either for themselves or their organization. Each of the six methods has its own chapter, which provides copious anecdotal and academic backing.

This work fascinated me from an information security perspective. One of the primary threats to average users today is from phishing and spam, which often lead to various types of fraud. These attack vectors often leverage one or more of the six methods, as I'll describe below. Following are my notes from the reading, with additional thoughts and anecdotes added as applicable.

Continue reading "Notes on Cialdini's Influence" »

June 4, 2007

Schneier on Cyberwar

Bruce Schneier has posted an essay from Jan 2005 on Cyberwar that is fairly interesting. It's an interesting contrast to Marcus Ranum's comments in his book The Myth of Homeland Security. What do you think?

Continue reading "Schneier on Cyberwar" »

June 15, 2007

Schneier: Be a Skeptic

Bruce Schneier has posted a recent Wired essay he wrote titled "Portrait of the Modern Terrorist as an Idiot" in which he urges us all to be skeptical of what we hear from the media and government, particularly with regard to so-called "terrorist" plots. He looks at the fear-mongering tactics used to push political agendas when these so-called "terrorists" are nothing more than a bunch of drooling idiots haphazardly trying to carry out a stupid idea.

This concept of skepticism is actually a very valuable thing to develop. CIO magazine recently had an article on "How the Elite Innovate" that also talked about being skeptical. Instead of being silent followers of all changes, we should think critically, ask hard questions, and challenge change to make sure that it is, in fact, the right thing to do.

Continue reading "Schneier: Be a Skeptic" »

June 27, 2007

Security Idiocy: Politicians, Mobiles

Pardon me while I diverge from my travelogue for a moment to point out a couple of articles demonstrating pure idiocy, first on the part of politicians, and second on the part of "security experts" mindlessly saying that something "might" be possible instead of pressing a more likely scenario.

Continue reading "Security Idiocy: Politicians, Mobiles" »

July 9, 2007

Legal Items of Note: Blog Law, GPL, 9th Circuit Ruling

Greetings! I'm back! :) I'm sure you missed me, oh so much (mom). So, I've collected a few things of interest over the past couple days (or more) and thought I'd toss them all into a single post (since technorati whines if I post more than 1 article per couple hours [which is so weird]). Anyway, a quick overview of the topics:

1) A good blogger law resource.
2) Interesting notes from groklaw on MS, SCO GPL tapdance.
3) 9th Circuit Court ruling on warrantless monitoring.

Continue reading "Legal Items of Note: Blog Law, GPL, 9th Circuit Ruling" »

August 10, 2007

FISA Free, Feds Could Be Hacker Enablers

Well, you've undoubtedly heard by now that our brilliant legislators apparently lost their freaking minds last week before then fleeing for Summer break. Yes, indeed, it's true: I left town and the prats passed legislation removing most of the FISA limitations to prevent the NSA from spying on everybody under the sun (well, ok, a "foreigner" must be involved, technically).

Susan Landau at the Washington Post has a great write-up on why this is such a remarkably bad deal. Bruce Schneier tags on with a few references to the recently uncovered Greek telecom snooping debacle. Most other security sites have already touched on this, too, so I won't say really anything more than I have already.

If you feel righteous indignation (or outright anger) about this, then I highly encourage you to take a stand and do something about it!

Continue reading "FISA Free, Feds Could Be Hacker Enablers" »

August 11, 2007

Triumph in the Courts: SCO Summarized Out

It is a day to celebrate! All the madness in the SCO v sanity trials has come to a screeching halt, and SCO, I expect, will cease to exist very, very soon. Oh, and all those allies (Microsoft, you know we're talking about you) who propped SCO up and played license bully? They now stand to owe Novell a ton o' money. Ha ha ha!!

PJ has a good summary over on Groklaw here. Story also covered here and here.

Continue reading "Triumph in the Courts: SCO Summarized Out" »

August 14, 2007

Unofficial Threat of the Month: Phishing

Ok, phishing is not the "official" threat of the month, but if you follow any security blogs, you'll notice that the topic is coming up in several circles at the moment. First out was Symantec's "A Brief History of Phishing" Part I and Part II. Then came a piece from the Think Smarter blog titled Balancing Security and Usability: The Human Factor. And, lastly, Bruce Schneier has posted a piece citing two new bits of research on phishing. What does it all mean?

Continue reading "Unofficial Threat of the Month: Phishing" »

October 4, 2007

Colbert - Nailed 'Em: Cyber Terrorists (or "Cyberrorists")

I've been slammed and exhausted lately, so haven't had time to formulate a real post. So, to keep you interested and your appetite sated, I refer you to the Stephen Colbert report "Nailed 'Em: Cyber Terrorists". I hope you'll be as amused by this piece now as you should have been outraged in June. :)
October 10, 2007

xkcd: "Exploits of a Mom"

Click here to learn how to protect against such attacks.

Exploits of a Mom

Continue reading "xkcd: "Exploits of a Mom"" »

October 18, 2007

The Changing Winds of Information Security

Anybody who knows me very well, has worked with me, or has followed my blog (well, back when I still made substantive posts like this one), will know that I'm obsessed with not only questioning everything, but also asking the right questions. It's actually a rather annoying knack that emerged from growing up in an academic environment, where questioning and debating are ways of life. When other kids were playing Nintendo, I was watching the "Mysteries of the Unknown" video series and solving fun math and logic puzzles. For my career in information security, this has long been my mantra; namely, question everything, and make sure to ask the right (often hard) questions.

Continue reading "The Changing Winds of Information Security" »

November 1, 2007

Um, no. Don't be stupid. And, a cool list.

Finally, another security post! You must have thought I'd forgotten all about this topic. :) Honestly, I have a few ideas in notes at home, but haven't been motivated to write lately. But that's all about to change as of right now.

I have three different items for you today. First, in "Um, no." I talk about a recent posting on the Symantec Security Response Weblog that is, well, rather moronic. Next, "Don't be stupid." is a quick pointer to another excellent Bruce Schneier blog post on counter-terrorism stupidity. Last, Richard Bejtlich at TaoSecurity has a great list of responses, from worst to best, that measure the degree of proof provided in response to the question "Are you secure?".

Continue reading "Um, no. Don't be stupid. And, a cool list." »

November 6, 2007

Poor Handling of False Positives by FBI

A false positive is a test result that indicates an affirmative response when the actual response is negative. It's also known as a Type I error (Wikipedia has an excellent write-up on Type I and II errors). False positives are problematic in information security because they can result in "the little boy who cried wolf" situations. Meaning, if you start seeing a bunch of alarms and they're always false alarms, you'll start ignoring the alarms. Thieves have been known to use this tactic to trick police or security guards into ignoring alarms so that they can then burgle successfully. In information security, we try to find ways to eliminate false positives, or at least develop methods of validating the data through an alternative method rather than accepting the false positive as accurate. If only the federal government understood the need for and importance of doing this.

According to a post by Bruce Schneier, a man in Sweden was unhappy with his son-in-law, who was in the process of divorcing the man's daughter. This soon-to-be-ex-son-in-law was traveling to the US, against the wishes of his wife, which caused disgruntlement. To exact retribution, this older man in Sweden sent an email to the FBI accusing his soon-to-be-ex-son-in-law of being a terrorist, providing flight details and indicating that the son-in-law was en route to meet with his al Qaeda contacts.

Continue reading "Poor Handling of False Positives by FBI" »

Excellent Secure Coding Paper

D.J. Bernstein, author of qmail and professor at U-Chicago, has released a new paper on qmail security. Though ostensibly about qmail, it's really an exposé on secure coding practices. In the paper, he identifies three fundamental approaches that will meet "users' security requirements" within a given program:
1) eliminate bugs
2) eliminate code
3) eliminate trusted code

There's nothing I can say here that isn't better said by DJB in his paper. As such, I highly recommend reading it right away. It's very short (10 pages including the page of references) and very accessible. You do not need to be a programmer or a CompSci major to understand what he is saying.
November 12, 2007

When Inflexible Meets Uncreative

It's a little after 5am local time and I've been up now for almost 2 hours. No, I'm not suffering from insomnia, nor am I trying to use myself in a sleep deprivation experiment. Rather, the security alarm in the apartment (for which I have no use) has decided to start beeping (rather loudly) about every 30 seconds. I'm sure they gave me directions for the darned thing when we moved in, but that was nearly 3 years ago, and I haven't the foggiest idea where they are.

So, the next logical thing was to call the after-hours maintenance hotline and have the on-call person paged. I say "logical" because the other options that occurred to me ranged from ripping the panel out of the wall to simply cutting the wires.

I called the maintenance hotline and the woman took my info and the nature of the problem and said she'd call maintenance. And then I waited. And waited. And waited. 30 minutes went by and no response. So, I called the hotline again, got the same woman, and she says "I'm sorry, this isn't on our pre-defined list of emergencies." !!!!!!! An alarm, for which I have no remedy, is going off at 3:30am and she won't page the on-call because it's not on her list. To make matters worse, she couldn't be bothered to call me back and tell me this. I had to wait 30 minutes and then call back to find this out. Putting aside the sheer failure in customer service, let's explore the fundamental problem here: inflexibility and a lack of creativity in finding a solution. This minimum wage drone had no motivation to help me.

Continue reading "When Inflexible Meets Uncreative" »

November 15, 2007

The Danger of Intolerance in Public Fora

We've had an interesting, though sadly disparaging, thread on the cisspforum this week. I can't post any direct quotes for you, since that would be a violation of the forum guidelines, but I can talk about the issues in a generalized sense. I wish to do this because I find it indicative of some larger problems within the security industry, and in fact within American society at large.

The core point of contention in this thread was whether or not so-called "off-topic" posts were appropriate. The forum guidelines clearly prohibit content that is not related to security. A couple of people argued quite vehemently that anything that diverged from that rule should be strictly omitted. This stance seems reasonable, perhaps, at first glance, but it begged a larger question: given the extremely broad subject that is security, how does one gauge whether or not a post is relevant? Moreover, whose opinion holds more weight in answering that question?

Continue reading "The Danger of Intolerance in Public Fora" »

November 29, 2007

D'OH! Brilliantly Simple Password Compromise Scheme

Awesome. It's so obvious, and yet so brilliant. There's tons of free code out there to setup such a tool, too.

How to Harvest Passwords
Just put up a password strength meter and encourage people to submit their passwords for testing. You might want to collect names and e-mail addresses, too.

Hat tip to guru Bruce Schneier for the find.

November 30, 2007

Exploit Packs Change Economic Model

The Symantec Security Response Weblog has an excellent post up today titled "Honor among thieves?" that talks about free versions of the now-infamous Mpack and IcePack exploit packages containing backdoors and additional redirects. They theorize that this is essentially the premium for getting the packs for free, which is very interesting. In essence, the malware gurus are using an ad revenue model to make money off the packs. This is kind of like the shift from Web 1.0 to Web 2.0 in terms of moving away from relying on product sales to really leverage the long tail available to them. :)

Ok, so some of my thoughts here are tongue-in-cheek, but it's an interesting post nonetheless. Check it out! :)

December 6, 2007

Session Fixation, Mandated Spying, and Why We Need Religion

Ok, this is a grab bag post, I admit it... first off, Shawn has posted a great explanation of session fixation - a little-discussed and little-known security vulnerability. Second, our government at work... it seems the House, in a pre-election frenzy (a little early for that, don't you think?), has rapidly passed a bill that I guarantee is so poorly thought through that it will cause lots of headaches if it ever makes its way into law.

Specifically, Congress now thinks that any provider of Internet access - including free wi-fi at your local coffee shop - must now report "obscene" images to NCMEC if they're detected or seen. Now, on the one hand, this is a stupid law, because you're already required by law to report any instances of suspected child pornography. But, on the other hand, this is potentially distressing as, if read in the wrong way, it could result in free wi-fi access being yanked out of most coffee shops as they may determine the legal exposure is too great. Yet another case where Congress is micromanaging where they needn't interfere. There are potential privacy implications here, too, that are of course not likely being considered by the geniuses on the Hill.

Last, but not least, as mentioned earlier today, Republican presidential wannabe Mitt Romney today mimicked JFK in giving a speech on the role of his religious beliefs in his life as a public servant. Fortunately, he erred on the side of providing space for all religions, though at the same time he seemed to imply that we should all adhere to religious values, which seemed a little off. You can decide for yourself. You can read CNN's coverage here, and the Salon has posted follow-ups here and here.

December 14, 2007

Trimming My InfoSec Data Sources, Sharing with Google

I've decided to trim back my infosec data sources as some of them have held decreasing value for me of late. The big change is that I'm reading most of my news through Google Reader, and so my desire to wade through piles of mailing list discussions has flagged. To that end, I've dropped three Security Focus mailing lists today: incidents, firewalls, and forensics. My biggest complaint was that these moderated lists were either feast or famine (though a malnourished feast at that). Moderators can help keep discussion on-topic, but if they're not attentive, then you get a slew of messages all at once. My other complaint relates to the high number of bounces from these lists. I responded to one post last week and proceeded to receive almost 2 dozen bounces. Quite the penalty for participating!

In other news, I've decided to start making use of the "Shared Items" feature in Google Reader. Feel free to subscribe to the feed at the following link, or you can revisit it by selecting the "My Google Feed" link on the right.
http://www.google.com/reader/shared/02083241909295253845

January 15, 2008

What I've Been Reading: Security

Alrighty, my second blogroll (of three)... this one is focused on security (multiple aspects), ranging from aviation security to faulty bridge design (physical security) to threats from the plague to commentary on compliance and PCI DSS. Also, a collection of very entertaining videos of Derren Brown performing his "mind hacking" tricks. The links are further on, but the full list of articles is:
* Refuse to be Terrorized
* Source: Design flaw caused bridge collapse
* Plague: The new Black Death
* Patrick Smith on Aviation Security
* Demos Report on National Security
* From Monitoring To Prevention: Switching To Debix
* US Policy Would Allow Government Access to Any Email
* Cloned animals are 'safe to eat'
* An Assertion About PCI & Risk Management
* IT Security Compliance: What are the Critical Success Factors?
* Bayesian Truth Serum
* OWASP London Chapter December 6th Presentations Now Online
* Mind Hacking.

Continue reading "What I've Been Reading: Security" »

January 23, 2008

Rasch on ND Ruling

If you hadn't heard, a fellow named David Ritz was ruled against in a North Dakota civil case earlier this month for finding information on alleged spammer Sierra Corporate Design. At the core of the case was Ritz's use of DNS zone transfers to determine the full extent of named servers within Sierra's network, which was ruled to amount to unauthorized access. The conundrum is this: in general, access to network services is presumed on the Internet to be implicitly authorized, unless labeled otherwise. Furthermore, even if the network service is misconfigured to provide more information than is desired, it is still generally assumed that the information is "public" by virtue of being available. Unfortunately, as Rasch explains, in the ND case, intent was also factored into the equation. So, just because Ritz could perform a DNS zone transfer does not mean that he was authorized to do so. This conclusion is somewhat specific to DNS zone transfers (we hope) because it is an area where there isn't necessarily a good case for demonstrating implicit permission simply because the query can be performed.

You can read the whole story here. Rasch concludes by saying:

Again, it’s a close call. Under other circumstances, a court could easily conclude that the use of a particular command was, in fact implicitly authorized. Security researchers use publicly available and widely used tools to probe Internet accessible computers all the time. Courts in the future are likely to look both at the motives of these researchers and the impact of what they do in deciding whether or not their actions give rise to civil or potential criminal liability. So we need to learn to play nice with other children.