One of my wordles was used…

One of my Wordles was used here.

Information Security Wordle: PCI Data Security Standard

My Home Windows PC Security…

…culled from tweets.

I meant to write this for some time. I just never got around to it. I felt moved to tweet the bare-bones notes earlier today.

I will replicate those here.

– Avast for AV http://bit.ly/8bcLxX

– I try to separate out my on-line life as Purpleslog from my real life as XXXX. http://bit.ly/oE15sU

– I have and use a cross-cut paper shredder http://amzn.to/rhzXeM

– I don’t use my own email client. I use GMAIL for Purpleslog and Yahoo Email for XXXXX for their anti-malware

– Secunia Personal Software Inspector for Application patches and updates http://bit.ly/DW9u

– I have MS Updates set to auto-download. I require it to wait for me to install. http://bit.ly/LncO

– I have the MS Firewall turned on. http://bit.ly/9MArC

– OpenDNS for some further AV and malware screening http://bit.ly/lYju1o http://bit.ly/a66DUI

– Browser extension WOT – to give warnings of malicious web sites http://bit.ly/dHANri

– Browser extension Adblock Plus to reduce ads and ad-based malware http://bit.ly/fKVAIL

– Browser extension Flashblock to curtail unexpected Flash http://bit.ly/eJtzuo

– Browser extension HTTPS-Everywhere to force more SSL/TLS/HTTPS usage http://bit.ly/aZvj4e

– I use Foxit as my PDF reader. I don’t use Adobe’s. http://bit.ly/oAycMG

– Choose good passwords. Don’t re-use across systems. I use Password Safe to contain them. http://bit.ly/aqnaeB

– For my home WiFi, I use good and long passwords. http://bit.ly/cNpJoJ http://bit.ly/lqJSlJ

– Secure Zip http://www.pkware.com/software/securezip/windows

I’ll add Mac OS X stuff in the future (TBD).

Anti-Spam Lawfare

It sounds like some Computer Scientists…

A team of computer scientists at two University of California campuses has been looking deeply into the nature of spam, and they think they found a ‘choke point’ [PDF] that could greatly reduce the flow of spam… If a handful of companies like these refused to authorize online credit card payments to the merchants, ‘you’d cut off the money that supports the entire spam enterprise,’ said one of the scientists. [Link]

…has caught up to my thinking…

Often much of the cost of an information security incident falls not onto the party that is responsible for providing the Security but onto third parties. While the enterprise/individual that has the incident may incur costs, much of the cost of this InfoSec externality is put onto others (organizations/individuals/taxpayers).

What is lacking is proper incentives. By incentives I do not mean government regulations or criminal statutes.

I mean money. Getting money is a good incentive. Avoiding losing money is a good incentive. Not having your Balance Sheet, Income Statement, and Cash Flow Statement be affected by information security loss is a good incentive.

What is needed is Information Security Lawfare.

If an organization or individual deploys information technology in such a way that normal best practices are not followed (read: duty of care), and that technology is subsequently used as part of an information security incident, those affected by the incident should sue for a tort remedy. [link]

Why leave Lawfare just to the bad guys?

My Purpleslog identity is safe…

…from http://www.peekyou.com.

I found this via Slash Dot.

Cyber Security – APT – Advanced Persistent Threats – Capture Phrase…

…from here [The bolding is mine]:

Unlike traditional malicious attacks that occur over a number of minutes (days to weeks at most) and result in a demonstrable system payload, APTs are far more subtle. There is no single event to indicate compromise; the threat is made up of a number of small activities occurring over a long period of time, often up to 18 months.

The challenge facing security experts is that many of these small activities will not raise any alerts. APTs often include a degree of social engineering, with malicious individuals getting information from phone calls or looking up web addresses as a starting point for finding creative ways to gain access to systems, or they use people within the organisation to plant malware components within the system.

These small actions will not stand out from the millions of events occurring on an IT infrastructure every day – they get lost in the crowd. Even if they are noticed, they may be viewed as low risk when compared with traditional security threats, but in the era of APT these low-key events need to be considered differently.

Is there a trend in activity? Could this action actually provide a route into other company assets, such as financial information or intellectual property? Is this small event part of a larger scheme?

What does that sound like sort of? Hmm…
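The quoted article's point is that each APT-style event looks harmless on its own and only the trend over months gives it away. The following is an added example (not from the article or from this blog) of a detector that asks exactly that question over a constructed event log: for each host, how many distinct kinds of low-severity activity has it produced, and over how long a period. The log format, hostnames, event types and thresholds are all assumptions made for the example.

```python
"""Added example: long-window correlation of low-severity events, the
'trend in activity' question the quoted article raises. Not from the
article or the original post; the log lines are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed event log: "timestamp host event_type severity"
SAMPLE_LOG = """\
2010-01-04T09:12:00 hr-ws-07 failed_login low
2010-01-04T09:12:30 hr-ws-07 failed_login low
2010-02-11T22:41:00 hr-ws-07 new_service_installed low
2010-03-19T03:05:00 hr-ws-07 outbound_dns_burst low
2010-05-02T01:15:00 hr-ws-07 scheduled_task_created low
2010-06-30T23:50:00 hr-ws-07 large_outbound_transfer low
2010-01-09T10:00:00 fin-ws-02 failed_login low
2010-01-09T10:01:00 fin-ws-02 failed_login low
2010-01-09T10:02:00 fin-ws-02 failed_login low
2010-02-14T12:00:00 web-01 port_scan_detected high
"""

def parse_log(text):
    """Parse the constructed format into (time, host, event_type, severity)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, etype, sev = line.split()
        events.append((datetime.fromisoformat(ts), host, etype, sev))
    return events

def low_and_slow_hosts(events, min_distinct=4, min_span_days=90):
    """Hosts whose low-severity events are both varied and spread over months.

    Each event alone would be dismissed as low risk; the detector instead asks
    how many different kinds of low-severity activity one host has produced and
    over how long a period. Returns {host: summary}.
    """
    by_host = defaultdict(list)
    for ts, host, etype, sev in events:
        if sev == "low":
            by_host[host].append((ts, etype))
    flagged = {}
    for host, evs in by_host.items():
        evs.sort()
        kinds = {etype for _, etype in evs}
        span_days = (evs[-1][0] - evs[0][0]).days
        if len(kinds) >= min_distinct and span_days >= min_span_days:
            flagged[host] = {
                "distinct_types": len(kinds),
                "span_days": span_days,
                "first": evs[0][0],
                "last": evs[-1][0],
            }
    return flagged

if __name__ == "__main__":
    for host, summary in low_and_slow_hosts(parse_log(SAMPLE_LOG)).items():
        print(host, summary)
```

On the constructed log, the workstation that drips five different low-severity events across six months is reported, while the host with a burst of three failed logins in two minutes (far more visible, far less interesting) is not. Retention is the practical cost of this approach: the detector is only as good as the number of months of low-severity events you keep.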

(old found draft post) CyberWar – Ref Links

Apr 26, 2009 @ 12:05

I will return to the topic of CyberWar sometime in the near future.


Remember: China is at best a Frenemy

From Forbes:

Last weekend, a report by researchers at the Munk Center of the University of Toronto revealed “GhostNet,” a computer espionage virus that had infected around 1,300 computers worldwide–including many “high value” targets where diplomatic and national security information was stored. The attack focused on computers in Southern Asia and offices belonging to the Dalai Lama, exiled leader of China-occupied Tibet. GhostNet-infected machines were controlled by computers located in the People’s Republic. Experts disagree on whether the evidence proves China’s guilt or merely suggests it overwhelmingly.
[…]
After the Dalai Lama’s office sent an e-mail invitation to a foreign diplomat, Beijing diplomats happened to phone the same diplomat and discourage the visit. A China-bound traveler who had used the Internet to help put Tibetan exiles in contact with Chinese dissidents was stopped at the Chinese border, shown transcripts of the online exchanges, and warned to cut it out.

The US and China may have shared interests, but we are not friends, and we are not allies. China will use this and all other means at their disposal to further their interests (political and economic).

(Russian) Cyber Militia example

At Danger Room:

A pro-Kremlin youth group has taken responsibility for the network attacks. And that group has a track record of conducting operations on Moscow’s behalf.

Nashi (“Ours”) is the “largest of a handful of youth movements created by Mr. Putin’s Kremlin to fight for the hearts and minds of Russia’s young people in schools, on the airwaves and, if necessary, on the streets,” according to the New York Times.

Yesterday, one of the group’s “commissars,” Konstantin Goloskokov (pictured), told the Financial Times that he and some associates had launched the strikes.

Here is the thing: if I joined a similar pro-US or pro-Western Cyber Militia and participated in an action, I would expect to be litigated to the poorhouse. Lawfare (at least the threat of it) kills a US Based Cyber Militia.

A reminder of why companies need to block outbound SSH

Noted in a comment at SlashDot:

One day, I set up a PPP over SSH tunnel between my home computer, and my desktop at work. Transferring large binary files from my office network to my home computer was much closer to the original 3Mb/s speeds.

There is no legitimate reason for the above. It would be a great opportunity for a malicious insider (e.g. to transfer proprietary data, to bypass access controls) or just a dumb-ass insider (e.g. to get around content filters).

Some subset of internal users may need SSH access to the organization’s servers that might be past the firewall. The right thing to do is to have firewall rules that support that explicit user group and their destinations.
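As an added example (not from this post) of the "explicit user group and their destinations" rule, here is a check that runs over exported firewall flow records and reports every internal-to-external TCP/22 connection that the allowlist does not cover. The corporate range, the user-to-group mapping, the allowed destination networks and the flow records are all constructed for the example; a real deployment would take the groups from the directory and the flows from the firewall's log export.

```python
"""Added example: flag outbound SSH flows that fall outside an explicit
user-group allowlist. Not from the original post; all addresses, users and
groups are constructed."""
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # constructed corporate range

# Constructed policy: which groups may open SSH to which external destinations.
ALLOWED_SSH_DESTS = {
    "netops": [ipaddress.ip_network("203.0.113.0/24")],  # hypothetical hosted servers
}
USER_GROUPS = {"alice": {"netops"}, "bob": {"finance"}}  # constructed directory data

# Constructed flow records exported from a firewall: user,src,dst,dport,proto
SAMPLE_FLOWS = """\
alice,10.1.2.3,203.0.113.10,22,tcp
bob,10.1.5.9,198.51.100.77,22,tcp
bob,10.1.5.9,198.51.100.8,443,tcp
carol,10.2.0.4,203.0.113.10,22,tcp
alice,10.1.2.3,198.51.100.5,22,tcp
"""

def parse_flows(text):
    """Parse the constructed CSV format into dicts with typed addresses."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, src, dst, dport, proto = line.split(",")
        flows.append({
            "user": user,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "proto": proto,
        })
    return flows

def ssh_allowed(user, dst):
    """True only if some group the user belongs to may reach dst over SSH."""
    for group in USER_GROUPS.get(user, set()):
        if any(dst in net for net in ALLOWED_SSH_DESTS.get(group, [])):
            return True
    return False

def outbound_ssh_violations(flows):
    """Internal -> external TCP/22 flows not covered by the allowlist.

    Everything else on port 22 leaving the network is, by the post's argument,
    either a tunnel nobody approved or a policy gap that should be made explicit.
    """
    return [
        f for f in flows
        if f["proto"] == "tcp" and f["dport"] == 22
        and f["src"] in INTERNAL and f["dst"] not in INTERNAL
        and not ssh_allowed(f["user"], f["dst"])
    ]

if __name__ == "__main__":
    for f in outbound_ssh_violations(parse_flows(SAMPLE_FLOWS)):
        print(f"DENY {f['user']} {f['src']} -> {f['dst']}:{f['dport']}")
```

Of the four SSH flows in the sample, only alice reaching the netops servers passes; bob (wrong group), carol (no group) and alice going to an unlisted destination are all reported. The same predicate, expressed as firewall rules, is the default-deny egress policy the post is asking for.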

Social Engineer Caught? Security violation uncovered? Not.

A person called into my organization’s Help Desk from a remote facility. It got flagged as a social engineering attempt.

Notes:

– Caller was asking for a password reset
– They knew the user’s name
– They did not know the user’s userid
– When repeatedly asked to spell the name, they continually made 2 separate spelling errors
– They suggested there had been a power outage and the PC had rebooted

I assumed they didn’t know the userid because they had been given the real person’s password (most likely by the real person, in violation of policy) to use and had just kept unlocking/locking the PC. The power interruption caused a reboot, and now a userid was required to log in.

I was pretty sure we had two different security issues: Person A gave out their password (a security violation) and Person B used it and pretended to be Person A.

I informed management and HR.

The verdict: The person was just a total dumb-ass. They had forgotten their userid, and they were spelling their own name wrong.

My suggestion to HR that if the person couldn’t spell their own name correctly then perhaps the company would be better off without them was met with a cold look. So, I think from the HR PoV, I just became the villain of the security incident instead of the incident handler.

Update: I am pretty sure HR got snookered and the violators got away with it.
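The notes in this post read like a help-desk triage checklist: the caller cannot give a userid, the name does not match the directory, and there is a story explaining why. The block below is an added example (not the organization's procedure or code from this post) of that checklist as a function: it looks the caller up, counts how far the spelled name is from the record, and holds any reset that shows a discrepancy until a callback to the number on file and an incident record. The directory entry, names, phone numbers, site labels and thresholds are constructed.

```python
"""Added example: triage of a phone password-reset request against the
directory record. Not from the original post; the directory entry, names
and numbers are constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed directory record (hypothetical user)
DIRECTORY = {
    "jsmithers": {"name": "Jonathan Smithers", "phone": "+1-555-0100", "site": "remote-2"},
}

@dataclass
class ResetRequest:
    claimed_name: str
    claimed_userid: Optional[str]   # None when the caller cannot supply it
    callback_phone: Optional[str]   # number the caller offers for a callback
    site: str                       # facility the call claims to come from

def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookup(req):
    """Find the record by userid, else by closest name (the 'no userid' case)."""
    if req.claimed_userid in DIRECTORY:
        return req.claimed_userid, DIRECTORY[req.claimed_userid]
    uid = min(DIRECTORY, key=lambda u: edit_distance(req.claimed_name.lower(),
                                                     DIRECTORY[u]["name"].lower()))
    return uid, DIRECTORY[uid]

def triage(req):
    """Return (decision, findings).

    Any discrepancy blocks a reset over the phone. Whether the caller is an
    impostor or just forgot their own userid is not decidable from the call,
    so the reset goes through a callback to the number on file either way and
    the discrepancies are written to an incident record for HR/management.
    """
    uid, rec = lookup(req)
    findings = []
    if req.claimed_userid is None:
        findings.append("caller could not supply the userid")
    dist = edit_distance(req.claimed_name.lower(), rec["name"].lower())
    if dist:
        findings.append(f"name differs from directory by {dist} edit(s)")
    if req.callback_phone != rec["phone"]:
        findings.append("callback number is not the number on file")
    if req.site != rec["site"]:
        findings.append("caller's site does not match the record")
    if findings:
        return "hold: callback to number on file, open incident record", findings
    return "reset after callback to number on file", findings

if __name__ == "__main__":
    print(triage(ResetRequest("Jonathon Smithrs", None, None, "remote-2")))
```

The constructed suspicious call reproduces the post's notes (no userid, two spelling errors, nothing verifiable offered) and is held; a call that matches the record on every field is still reset only after the callback, because the callback is the one check that does not depend on anything the caller said.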

Great Freeway Sign Hack!!!

I spotted this on FoxNews.com.


There are still real hacker heroes

The “I am too Lazy/Busy to post” Open Thread & Linkspasm

I have been both too busy at work to post or read much and too tired/lazy in the evenings to post, so here are a bunch of items that might be interesting. I will make updates in the comments.

I will engage in comments here and elsewhere, but I most likely won’t post much if anything the rest of the week.

Anyways, here we go:

National Security / Global Security

Positive side-effect from the US involvement in Iraq: “A top Iraqi official is calling for the formation of a regional economic security union to share water, energy and other resources, and mediate disputes among its members.”

Newspeak example: Ayers and the Weathermen were not doing terrorism, they were doing “extreme vandalism”.

The Greek Youth Riots: Leftists, not Muslims.

Military Theory vs. Philosophy: “My point is that real benefit comes from focusing on real and testable change, not extravagant theories on the nature of warfare. An example of a testable hypothesis would be that direct and accurate portable HE projection could replace MG in the primary infantry support role. Best platform would be the XM-109 payload rifle with air-fuzed and HEAP rounds. This could be tested through computer simulation, modeling, field testing and historical review etc etc. While all those methods have their weaknesses and biases, they provide more feedback than is achievable from the “nature of warfare” theories, so why are we focusing on these non-productive concepts of 4GW and EBO etc. to define how we fight COIN?”

Michael Yon on Afghanistan: “But Afghanistan is a different story. I write these words from Kandahar, in the south. This war here is just getting started. Likely we will see severe fighting kicking off by about April of 2009. Iraq is on the mend, but victory in Afghanistan is very much in question.”. His blog should be in your RSS feed.

Cyberwar? “The report calls for the creation of a Center for Cybersecurity Operations that would act as a new regulator of computer security in both the public and private sector. Active policing of government and corporate networks would include new rules and a “red team” to test computers for vulnerabilities now being exploited with increasing sophistication and frequency by identity and credit card thieves, bank fraudsters, crime rings, and electronic spies. “We’re playing a giant game of chess now and we’re losing badly,” says commission member Tom Kellermann, a former World Bank security official who now is vice-president of Security Awareness at Core Security.” This should be a big money hole. I think the threat is overblown (and I am an IT Security guy). The real problem is that the approaches to information security at the macro level seem pretty immature and need to be rethought. That is where the money should be spent.

– …and yet: “They propose that botnets should be designated as ‘eWMDs’ — electronic weapons of mass destruction.”

– Podcast to Listen to: Covert Radio


Economics & “On The Bailout”

– [Forbes] Makes the case to cut taxes across the board instead of increasing Government spending. Here was my “stimulus” idea. So does Human Events.

– The interference into Bank business by politicians has begun.

Heh: “Practically speaking, however, public works involve long start-up lags. Large-scale construction projects of any type require years of planning and preparation. Even those that are “on the shelf” generally cannot be undertaken quickly enough to provide timely stimulus to the economy” and “Some of the candidates for public works, such as grant-funded initiatives to develop alternative energy sources, are totally impractical for countercyclical policy, regardless of whatever other merits they may have. In general, many if not most of these projects could end up making the economic situation worse because they would stimulate the economy at the time that expansion was already well under way.” Check out who said that.

Oops: “These findings are not consistent with standard Keynesian theory”

Amity Shlaes: “The idea is to revive the economy and create jobs for America’s unemployed. But huge public works projects often fail to revive national economies. Consider the example of Japan in the 1990s.”

– BTW, Real Clear Markets is a nice roundup web page.

Dissing (rightfully) Macroeconomics

– “One new reality is the imperative that our government modernize America’s aging energy, water and transportation infrastructure.”

Also: “It’s important that the elected officials view public works investment not as a short-term stimulus for stimulus’ stake, or a vehicle for politically driven job creation. The goal should be to create the best and broadest necessary and permanent infrastructure for the most responsible minimal price needed to build it. Being careful here is necessary because this is borrowed, finite money; it could become prohibitively expensive for the feds to borrow as debt levels skyrocket. Spending is not investing.” and “Similarly, funding regular maintenance work that states and cities should pay for isn’t a wise investment. Federal money should pay for replacing obsolete assets and making well-thought-out improvements.”

Blamestorming the Crisis: “Free markets did not bring the world’s financial system to the edge of collapse. Rather, the epicenter of the crisis was a massive dose of state capitalism. By state capitalism, I mean that the state, in this case the federal government, used its vast powers to intervene in, and distort capital markets in a manner that led directly to the creation of trillions of dollars in bad loans. Moreover, in the pursuit of a social policy to increase affordable housing and home ownership, the federal government engaged in policies that disrupted the financial market’s ability to be self-regulating; that is to attenuate if not avoid the crisis we are in.”

– “Buffet U”

– I am not surprised: “Recent data suggests that many borrowers who received help with mortgage modifications earlier this year tended to re-default on their payments, a top U.S. banking regulator said Monday.” […] Dugan said recent data showed that after three months, nearly 36% of borrowers who received restructured mortgages in the first quarter re-defaulted.

– Podcast to listen to: Econtalk and Planet Money

Detroit and the Auto Industry

Truth to power:  “GM, Chrysler, and Ford are failing in part because of their foolish attempts to manipulate the government into protecting them from the market”

– The (first) Detroit handout bailout will be $15 billion. Morning Joe (a pretty good morning news show) was saying that the House Speaker didn’t want anybody with business experience to be the Car Czar. Also, no chapter 11 for GM.

– FYI…that $70/hr figure for UAW workers is just current workers. Retiree costs are above that.

Chrysler should open its books: “Chrysler LLC says it’s almost broke and needs federal aid to survive. Perhaps that’s true. Yet taxpayers should be asking: How do we know? Sure, we can surmise from all the awful vehicles Chrysler makes that it’s losing mountains of dough. Really, though, we have no idea. We don’t even know who sits on the company’s board of directors. That’s because Chrysler and its owner, Cerberus Capital Management LP, won’t disclose the information”. I suggested this sometime back.

Milwaukee and “Fixing Milwaukee”

– The City can’t even do the basics right: “Up to $780 million more needed to fix worst residential roads“:

The audit from Comptroller W. Martin “Wally” Morics’ office found that 214 miles of residential streets, or nearly 21% of the total, were in the worst shape, as measured by a city Department of Public Works scale.

Auditors also found that the department is taking an average of 106 years to repave or replace local streets as of this year. That’s down from the 2005 peak of 163 years, but it’s still more than twice the streets’ expected lifespan.

To deal with the problem, auditors recommended shifting from a policy of working on the worst streets first to a strategy of keeping the best streets in good shape while catching up on the backlog of poor streets.

Retro Milwaukee

– The County Board chair wants to forgive the debt a do-gooder organization and let them be a county contractor again.

Entrepreneurship Stuff

– “Bathroom for Rent”

– Podcast to checkout: Struggling Entrepreneur

Science, Technology and Gadgets

Bad news for a future potential Space Elevator: “In a report on NewScientist.com, researchers working on development of a space elevator (an idea we have discussed numerous times) have determined that the concept is not stable.”

– “The 10 big energy Myths”

“Ten ways the world could end”

Tech Dirt has Doug Engelbart’s 1968 demo. “That demo was the first time the world saw an awful lot of things that are common today: from the mouse (and, yes, he talks about naming the mouse), to a graphical user interface, to hyperlinks, among many other things (including a few computer bugs).”

– Podcast to check out: Talk of the Nation’s Science Friday.

Pop Culture

– Podcast to check out: All Songs Considered

Other / General

The Chicago Way! How disgusting.

Hmmm: “Joe Wurzelbacher says he felt “dirty” after “seeing some of the things that take place” on the campaign trail.” It is not fun to see how sausage is made.

More evidence that football-playing skill and gun safety are negatively correlated (sample size = 2): “Mississippi Football Star Shoots Self During Traffic Stop”

Please add your thoughts and links in the comments.

“Perhaps the most interesting aspect of the advertised service is the offer to flood the victim’s phones”

The SANS handler had an interesting entry on a Russian ad:

The ad scrolls through several messages, including:

“Will eliminate competition: high-quality, reliable, anonymous.”
“Flooding of stationary and mobile phones.”
“Pleasant prices: 24-hours start at $80. Regular clients receive significant discounts.”
“Complete paralysis of your competitor/foe.”

Perhaps the most interesting aspect of the advertised service is the offer to flood the victim’s phones. We often think of network-based DDoS attacks, but phone-based DDoS could be as devastating. If the service can, indeed, target stationary (landline) phones, then we’re not just talking about SMS-based floods. These would probably be actual phone calls, probably initiated using VoIP, maybe via stolen Skype accounts with dial-out credits. Does anyone know more about such phone attacks?
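The handler's description (many real calls, probably VoIP-originated, aimed at one number) also says what the flood looks like from the receiving side: a burst of very short calls from many distinct callers to a single line. The following is an added example, not from the SANS diary or from this post, of a detector for that pattern over constructed call detail records (CDRs) such as a PBX or telco would export. The record format, phone numbers and thresholds are assumptions for the example.

```python
"""Added example: spotting a telephone flood in call detail records (CDRs).
Not from the SANS diary or the original post; the records are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed CDR lines: start_time,caller,callee,duration_seconds
SAMPLE_CDRS = """\
2010-03-02T10:00:05,+15550111,+15550199,4
2010-03-02T10:00:20,+15550122,+15550199,3
2010-03-02T10:00:41,+15550133,+15550199,2
2010-03-02T10:01:02,+15550111,+15550199,5
2010-03-02T10:01:30,+15550144,+15550199,3
2010-03-02T10:01:55,+15550155,+15550199,2
2010-03-02T10:02:10,+15550122,+15550199,4
2010-03-02T10:02:33,+15550166,+15550199,1
2010-03-02T10:05:00,+15550177,+15550188,240
2010-03-02T11:15:00,+15550111,+15550188,95
"""

def parse_cdrs(text):
    """Parse the constructed format into (time, caller, callee, duration), time-ordered."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, caller, callee, dur = line.split(",")
        rows.append((datetime.fromisoformat(ts), caller, callee, int(dur)))
    return sorted(rows)

def detect_call_floods(cdrs, window=timedelta(minutes=5), min_calls=6,
                       min_distinct_callers=4, max_avg_duration=10):
    """Per callee, slide a time window over its incoming calls.

    A callee is flagged when the window holds many short calls from many
    distinct callers: one persistent caller is a nuisance, many callers each
    hanging up after a few seconds is the flood pattern. Returns {callee: summary}
    describing the largest window seen.
    """
    by_callee = defaultdict(list)
    for row in cdrs:
        by_callee[row[2]].append(row)
    flagged = {}
    for callee, calls in by_callee.items():
        recent = deque()
        for ts, caller, _, dur in calls:
            recent.append((ts, caller, dur))
            while recent and ts - recent[0][0] > window:
                recent.popleft()
            callers = {c for _, c, _ in recent}
            avg = sum(d for _, _, d in recent) / len(recent)
            if (len(recent) >= min_calls and len(callers) >= min_distinct_callers
                    and avg <= max_avg_duration):
                flagged[callee] = {
                    "calls_in_window": len(recent),
                    "distinct_callers": len(callers),
                    "avg_duration": avg,
                    "at": ts,
                }
    return flagged

if __name__ == "__main__":
    for callee, summary in detect_call_floods(parse_cdrs(SAMPLE_CDRS)).items():
        print(callee, summary)
```

On the constructed records the targeted line receives eight calls averaging three seconds from six numbers inside three minutes and is reported; the second line, with two ordinary multi-minute calls, is not. The distinct-caller threshold is what separates a flood from one annoyed customer redialling, and the duration threshold is what separates it from a busy but legitimate line.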

Rock On Indian Navy, Rock On!

Hell yeah!

The Indian navy has been given formal approval by the United Nations to go after pirate ships in Somali waters, the BBC has learnt.

Though, I am not sure why UN Approval is needed.

“We can now enter the Somali territorial waters under certain circumstances. It would be only to check piracy,” he said.

India has called for greater co-operation between foreign navies to tackle the piracy threat.

Death to Pirates!

Checking for BGP Prefix Hijacking (or human errors) via BGPmon

I wish I had this a few years ago:

BGPmon can monitor your prefixes and alert you in case of an ‘interesting’ path change. Recently this has received quite some attention, specifically after the Youtube hijack and the demo given at Defcon. Path changes can be of different kinds, such as more specifics, change of AS path, change of origin AS, transit AS, or any combination of these. BGPmon classifies these changes in types. This software was written over the course of 1.5 years, mainly for private use. However, given the more widespread interest, I decided to make it available to everyone interested.

This tool is a nice addition to any enterprise using BGP.

H/T TaoSecurity
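The quoted description lists the kinds of path change BGPmon classifies: a more specific prefix, a change of origin AS, a change of transit AS, a change of AS path, or a combination. As an added example (not BGPmon's code, and not from this post), here is that classification written out for one monitored prefix: a baseline path as seen from the monitor is compared against incoming updates and each update is tagged with the set of change types it represents. The prefix, the AS numbers and the sample updates are constructed from documentation ranges.

```python
"""Added example: classify a BGP update for a monitored prefix into the kinds
of path change the BGPmon description lists. Not BGPmon's code; the prefix,
AS numbers and updates are constructed."""
import ipaddress

# Constructed baseline: prefix -> expected AS path as seen from the monitor,
# origin AS last (64500), the preceding ASes being transit.
MONITORED = {
    ipaddress.ip_network("192.0.2.0/24"): (64510, 64500),
}

def classify_update(prefix, as_path):
    """Return the set of change types this update represents for any monitored
    prefix it covers; an empty set means the update is unrelated or unchanged."""
    prefix = ipaddress.ip_network(prefix)
    as_path = tuple(as_path)
    types = set()
    for monitored, expected in MONITORED.items():
        if prefix == monitored:
            pass
        elif prefix.version == monitored.version and prefix.subnet_of(monitored):
            types.add("more_specific")       # a longer prefix inside ours wins best-path
        else:
            continue
        if as_path[-1] != expected[-1]:
            types.add("origin_as_change")    # a different AS claims to originate it
        if set(as_path[:-1]) != set(expected[:-1]):
            types.add("transit_as_change")   # the route now crosses a different transit AS
        if as_path != expected:
            types.add("aspath_change")       # catch-all: the path differs from baseline
    return types

# Constructed updates as (prefix, as_path)
SAMPLE_UPDATES = [
    ("192.0.2.0/24", (64510, 64500)),         # identical to baseline
    ("192.0.2.0/24", (64510, 64520, 64500)),  # new transit hop
    ("192.0.2.0/25", (64510, 64666)),         # more specific from another origin
    ("198.51.100.0/24", (64510, 64501)),      # unrelated prefix
]

def alerts(updates):
    """Updates that touch a monitored prefix, with their change types sorted."""
    out = []
    for prefix, path in updates:
        types = classify_update(prefix, path)
        if types:
            out.append((prefix, sorted(types)))
    return out

if __name__ == "__main__":
    for prefix, types in alerts(SAMPLE_UPDATES):
        print(prefix, ", ".join(types))
```

The more-specific announcement with a foreign origin AS is the combination that makes a hijack effective (longest match beats the legitimate /24, and the origin is someone else), and it comes out tagged with all three types. The new-transit-hop update is reported too but as a routing change only; whether that is a hijack or the upstream re-homing a customer is exactly the human judgement BGPmon leaves to the operator.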

One of my security “wordles” is in the wild…

here.

Quick Book Notes: The New School of Information Security by Shostack and Stewart

The authors state that the practice of Information Security is flawed in many ways (something I don’t disagree with in many ways).

This is not a book about information security, but a call for the practice of it to change…to grow up so to speak.

The authors want the practice of InfoSec to be based on hard data and suggest that many approaches just don’t do very much, or are not worth the cost.

With shout-outs to the OODA, Moneyball, security economics, and psychology, it is an interesting read.

For the last six months I have been doing network engineering (rather than information security engineering), so I have been looking at the practice of information security with an outsider’s PoV. While I still enjoy much of the tactical work of network security and other aspects of information security, at the strategic level I question many of the “best practices”. Too much is really driven by auditors’ canned interpretations of SOX requirements. Information security programs are often just checklists of controls mandated by auditors. Whether a control is useful or cost-effective is a secondary consideration.

Information Security Wordles

I am still having fun with Wordle. Here are wordles of some important information security documents:

FFIEC IT Examiner’s Handbook

RFC2196 – Site Security Handbook

NIST Guidelines on Firewalls and Firewall Policy (Draft)

Secure IOS Template

PCI Data Security Standard

Ross Anderson’s Security Engineering

NIST Guide To Securing Microsoft Windows XP Systems For IT Professionals (Draft)

NIST HIPAA Security Guide (Draft)

Secure Bind Template

NSA Router Security Configuration Guide

Blogging Milestone: 100,000 Spams

Thank you Akismet!

Using Free WordPress.com Blogs to pass coded messages?

Somebody seems to be doing so.

I have a screencap:

screencap-spy

This is an example of secure communication over insecure media. Dead drops are not needed as much anymore. Who knows what this is about?

Can anybody recognize the language used in the comments?

“One In Five Employers Scan Applicants’ Web Lives”

Spotted on SlashDot:

“CareerBuilder’s new survey finds: ‘Of those hiring managers who have screened job candidates via social networking profiles, one-third (34 percent) reported they found content that caused them to dismiss the candidate from consideration.’ Some red flags: content about applicant using drugs or drinking, inappropriate photos and bad-mouthing former bosses.”

That is why I am on the web as “Purpleslog” and not under my real name.

I have worked with enough leftists to know that if they could have googled me and found my anti-leftist beliefs, I would not have been hired for the non-political information technology positions I applied for.

I consider it a personal information security control on my part.

Interesting Podcast on Chinese Hackers – “The Dark Visitor #1″…

…is here.

The blog is interesting too.

WTF is This Captcha?

How the heck is a normal person supposed to “see” this anti-spam CAPTCHA (found at Moodyloner) with overlapping letters:

Impossible CAPTCHA - WTF?

Yikes. It took many tries to post a comment.

The (new) US Cyber Security Chief is the Co-author of the “The Starfish And the Spider”

I did not realize this: The newish US Cyber Security Chief (and National Cyber Security Center boss) is Rod Beckstrom who is one of the authors of the interesting COIN/4gw/5gw/network related book The Starfish and the Spider which Arherring blogged about. This could be interesting.

I have been meaning to blog the book. I read it and wrote notes on it. I had set it aside with the intention that I would come back to it a second time before posting – and then I just forgot about it.

Flickr Credits:

Rod Beckstrom photo uploaded to Flickr by Alex Dunne

The Starfish and the Spider cover uploaded to Flickr by Darlene Fichter

Information Security Podcasts That I Listen to…

…in case you are interested (you most likely are not).

I subscribe to and listen through iTunes (in order of importance/priority to me) these podcasts:

Security Now – The most useful of them; I fast forward through the Spinrite masturbation congratulatory ads embedded into each one

Rear Guard Security – sparse and irregular, may now be dead

CyberSpeak – Newish to me, I am not a computer forensics guy but I find it interesting

CERT’s Podcast Series – drier, more business-y

PGP Security Podcast

Risky Business – I have just started to check this one out

I also make heavy use of the free SANS Webcasts (the archive is here) which don’t work with iTunes. SANS has started experimenting with making the periodic Internet Storm Center Webcasts available as podcasts, so maybe they will move everything in that direction.

Note: Spinrite is a good product and I own it. The ads on Security Now are just annoying.

I would appreciate any other suggestions.