Sunday, November 4, 2012

@tqbf First they came for the small round rare-earth magnet sets

Thomas Ptacek posted this on Twitter. I was not sure of the context."First they came for the small round rare-earth magnet sets, and I said nothing." Then I read this news story about Mother Russia's new Internet Surveillance system:

"Most importantly, however, the new Roskomnadzor system introduces DPI (deep packet inspection) on a nationwide scale. Although DPI is not mentioned in the law, the Ministry of Communications — along with the biggest internet corporations active in Russia — concluded in August that the only way to implement the law was through deep packet inspection."

Stolen cell phone pictures, a cautionary tale

The Register carried an article about a woman with revealing pictures of herself that were stolen by two Verizon employees working on her phone. They then distributed the pictures.

Anything on the Internet is going to be around forever. Use caution. "the two men worked at a Verizon store in Bartow, Florida, where one, Joshua Stuart, 24, helped a nubile local waitress transfer her data from her old handset to a new smartphone. Unbeknownst to her, he also took a copy of some of the pictures from the phone's memory for his personal perusal, it's alleged, as well as for a colleague."

NBC gets it on Guy Fawkes Day

According to ZDNET, "NBC had its Web sites hacked on November 4th. The sites are now coming back up, but hours after the initial Sunday morning attacks, there are still dead pages and others that aren't working properly."

"The hacker, who called himself, "pyknic," replaced the Websites with a simple page displaying scrolling text saying, “Remember, remember the fifth of November. The gunpowder treason and plot. I know of no reason why the gunpowder treason should ever be forgot.”"

According to Time, "In recent years, Fawkes' legacy has broadened. He provided the inspiration for the tile character in the Wachowski brothers' V for Vendetta, in which a masked crusader embarks on a terrorist campaign against a totalitarian British dystopia."

Thursday, November 1, 2012

Apple IOS 6.0.1

I first heard about this release from the Internet Storm Center, a great source of news. So, I did a few Google searches and nobody seemed to be screaming that it brick'd their iPhone or iPad. I just finished updating my iPad. Then I saw this article from Sophos saying you really should for security reasons.

From the article: "But you ought to have grabbed it with both hands for security reasons: iOS 6 patched a whopping 197 CVE-numbered vulnerabilities in 41 system components"

Give em heck, Mr. Gary McGraw

Oh yeah! If you have not read Gary's article on "active defense" you really should.

One quote from the article, "When the Washington Post publishes a story hyping an ill-considered notion of cyber-retaliation misleadingly called "active defense" as a rational idea, we should all worry."

Another take on this from the HP Blog, says: "s a strategy for an enterprise, "going on the offensive" is, I believe, small-minded. here's why. With so many difficult factors to consider which I'll discuss in a minute, it's really hard to allocate resources to offensive strategy. Let's take even one more step backwards, first. When thinking about offensive security measures as a means of digital defense, we have to ask ourselves what the return on effort is. What is there to gain?"

This may all be about guerrilla marketing, an article in Reuters quotes former FBI agent Shawn Henry, how has joined CloudStrike: ""Not only do we put out the fire, but we also look for the arsonist," said Shawn Henry, the former head of cybercrime investigations at the FBI who in April joined new cyber security company CrowdStrike, which aims to provide clients with a menu of active responses.

Let's give HBGary, the last word. I think their approach to Active Defense is a bit more sane. "Armed with advanced enterprise threat intelligence provided by Active Defense, organizations can quickly gather critical evidence to contain the threat, locate compromised machines, and assess damage. For example, one can use its IDS to detect additional infected machines, data exfiltration can be blocked at the egress firewall, and malware can be cut off from Command and Control servers."

Physical security, Amy Weber laptop stolen

WWE Amy Weber had her laptop stolen so she is preemptively posting naked pictures of herself according to this article.

No, I am not going to go get the NSFW links for you,and we have to give her some credit, she must have had backups.

Judge OKs warrantless cameras on private property

Bit by bit the United States seems to be headed towards being a police state. So sad. Read the story here.

According to the CNET article, "That recommendation said that the DEA's warrantless surveillance did not violate the Fourth Amendment, which prohibits unreasonable searches and requires that warrants describe the place that's being searched."

COOP, NYC Data Centers

Slashdot has a nice concise article on the fight to keep data centers running. Apparently after ConEd pulled the plug, they went to generators which were located in the basements. Enter the record storm surge and the generators drowned. They brought in alternate generators ( that has to be a story all by itself, delivering industrial generators in a hurricane ) and so now they are pumping their basements and trying to keep their generators fueled.

The Wall Street Journal blog, has a great photo of the Verizon basement and an in-depth story as well.

Verizon is continuing updates on their blog. This has a really cool picture of their 18 wheeler mobile communications center serving Nassau county.

My brain is screaming one thing over any other. SLAs. Gawker and the other web sites that went down, almost certainly had Service Level Agreements with the ISPs and data centers. Time for someone to write a check I suspect.

Wednesday, October 31, 2012

A binder full of security women executives

I just read a post on technet and it really reminded me of the binder full of women gaffe. ( by the way, I am non-political).
A quick excerpt from the blog post, the history of the founding of the Executive Women's Forum, now ten years old:"The prospect of finding a number of candidates to round out executive teams was a challenge too. In particular, Joyce was adamant that talented women existed for a spectrum of positions, while she also acknowledged that tracking down the talent and following the network wasn’t as easy as just going to security events."

Tuesday, October 30, 2012

Hurricane Sandy, physical security and rats

I just read that one of the side effects of hurricane Sandy was that the rats and mice that were in the subway tunnels, basements and parking garages had to come to the surface to escape the flooding.

Now they will be looking for two things, food and shelter. The unlucky buildings that give them both will have new residents. There is a great introduction here about why they are such a problem and what to do about it. Here is a more comprehensive discussion. Most of this I knew, but this article claims they can consistently survive a fall of 50'. Since they are now above ground, and they are good climbers, hmmmmm, I have an idea for an Indie horror film.

WA National Guard

I read a post on Richard Bjetlich's blog that Washington State National Guard was going to engage in cyber security.

Sure enough, here is a link to an article in the Bellingham Herald.

20 Critical Controls Reading List

Executive Summary:

The seminar papers required in your course of study are an opportunity for you to reflect on what you have learned in so far in The SANS Technology Institute's ISE 5100 and ISM 5100. You should view this first paper as a chance to establish a general theme for your studies, consistent with the overall goals you enumerated in the outcomes statement you submitted as part of your admission application.

Review your outcomes statement and if necessary, update it to reflect any changes in your goals. (Updates should be submitted to so that we always have your most recent version.) Review the technical material in the SANS class, and especially the aspects regarding practical implementation of the technology. Review the 20 Critical Controls, your paper must include at least one aspect of the appropriate controls. We have provided a list of readings below, a mix of threats and solutions illustrating various aspects of the critical controls which mention recent security related events. Choose to read the ones you feel might be relevant to your environment, and you are welcome to use other sources as appropriate. Your paper should discuss practical application of security technology in a context that is consistent with your stated outcomes. You paper should also serve to increase the knowledge of security and implementation and should have at least five sources not listed below. Your paper should be five to ten pages in length and should be the beginning of your research for your monograph, part 4 of this course.

Learning Outcome:

The student will demonstrate mastery of the 20 Critical Controls as a framework to implement enterprise security.

Grading rubric:

Relation of paper subject matter to student outcome statement 10 possible
Relation of paper subject matter to at least one control 10 possible
Paper contributes to the body of knowledge 10 possible
Length of paper is between five and ten pages, 1 point per page
Writing quality ( grammar, spelling, flow) 10 possible

Critical Security Controls - Version 3.1

  • Critical Control 1: Inventory of Authorized and Unauthorized Devices Exploiting Embeded Devices chips
    Michael Baxter stole hw from Verizon and Cisco
    Illegal imports of hw to Russia

  • Critical Control 2: Inventory of Authorized and Unauthorized Software Malware on medical devices
    Downloading trojan (phone)
    Mobile malware
    Malware spreading through Skype - Ransomware

  • Critical Control 3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers

  • Critical Control 4: Continuous Vulnerability Assessment and Remediation Security business- Tenable,0,7059459.story

  • Critical Control 5: Malware Defenses
    Microsoft report on root kits
    State sponsored mini=flame
    Attributes of Malicious Files
    Microsoft Report on Malware in Romania, Poland, Bulgaria

  • Critical Control 6: Application Software Security BEAST

  • Critical Control 7: Wireless Device Control Symantec consumer wireless guide
    NIST Checklist
    NIST Wireless Special Publication

  • Critical Control 8: Data Recovery Capability Computerworld overview
    One of the many Scott Moulton Youtube videos

  • Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps
    Why certify?

  • Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches Router vulnerabilty

  • Critical Control 11: Limitation and Control of Network Ports, Protocols, and Services Using SNORT for intrusion detection in MODBUS TCP/IP communication

  • Critical Control 12: Controlled Use of Administrative Privileges
    Admin privileges in Windows 8

  • Critical Control 13: Boundary Defense HSBC Social related hacking - null crew SCOCKS proxies

  • Critical Control 14: Maintenance, Monitoring, and Analysis of Security Audit Logs Logging and Monitoring to Detect Network Intrusions and Compliance Violations in the Environment Evil Through the Lens of Web Logs

  • Critical Control 15: Controlled Access Based on the Need to Know Jitterbit and Workbench

  • Critical Control 16: Account Monitoring and Control Shortened URLs Encrypted Disk Detector ( opportunity to help )

  • Critical Control 17: Data Loss Prevention Warantless wiretaps
    BYOD exposure
    Google in Europe New Zealand Job seekers

  • Critical Control 18: Incident Response Capability
    Ireland Domain Registry
    Facebook response to data breach
    Zappos unenforceable EULA

  • Critical Control 19: Secure Network Engineering
    Pacemaker attack Letter to energy producers ( Sen. Rockefeller) Secure OS for control systems

  • Critical Control 20: Penetration Tests and Red Team Exercises
    IPhone backup files. A penetration tester’s treasure trove?
    Systems Engineering: Required for Cost-Effective Development of Secure Products

    Technology forces at work, not sure how cloud fits 20 CC
    Fault Modeling for Cloud Services
    Cloud Security Alliance
    Google email under state sponsored attack
  • Monday, October 29, 2012

    My defibulator has a virus and will not start

    I met Tim Hoffman at the annual ISSA meeting and we were talking about the problem of malware on medical devices. There is a great article about that here.

    I pointed out that the devices mostly worked anyway and Tim wisely pointed out that if he is have a heart attack he doesn't want the defibulator to mostly work. So true.

    The article jumps straight to the heart of the problem, with an example from Beth Israel Deaconess Medical Center in Boston: "664 pieces of medical equipment are running on older Windows operating systems that manufactures will not modify or allow the hospital to change—even to add antivirus software—because of disagreements over whether modifications could run afoul of U.S. Food and Drug Administration regulatory reviews."

    Wednesday, October 3, 2012

    SHA 3 is announced

    NIST has chosen SHA 3 and announced it. As they put it in their announcement, one reason this is important is if SHA 2 falls hard we have an insurance policy. The algorithm is Keccak "(pronounced “catch-ack”)". I commend the winners and look forward to playing with the new technology after the reference algorithm is published. One of the things I am most excited about is to see how deterministic it is. We know that two different messages produce a different digest, but if they are very similar, will the digest be similar. There are some interesting security implications including finding modified copyrighted documents if the digest allows similar documents to produce similar digests.

    VOIP in the cloud

    I was updating my course, MGT 512 day 1 and there is a section on VOIP. Did some Google searches to see what is new for VOIP and just was not finding anything, then I found a page that pointed to Youtube videos. What an incredible resource. There was a great explanation of SIP trunking that any CIO of a mid-size business should see. The potential cost savings are impressive. But the big eye opener is how many VOIP cloud providers have sprung up. This could really save a startup company a lot of money, just buy the IP phones or even use software phones that can work from PCs, Macs, iPads and such. In just a decade, the sunk cost of hardware for voice communications has dropped by an overwhelming amount of money, they most of these solutions do want a monthly subscription per user, but I bet with some research it gets pretty cheap.