Registered Traveler Program is a Security Scam

For a mere $100 and submitting to fingerprinting, iris scanning, and a background check you get to skip to the front of the line and- maybe- not take your shoes off. Check out the Wired commentary.

Even if this program worked, it doesn’t do a darn thing to improve security. The day we let people use this as a way to actually skip parts of security screening is the day all the terrorists that haven’t been identified yet sign up for it.

We’ve talked about this before. It’s just another example of using security fears to make an extra buck. The only possible impact is either someone makes some money at the expense of a few idiots that sign up for it, or it reduces security and people get hurt.

Any of the other frequent travelers here notice that the main airport where this is deployed, Orlando, is one of the only airports without a preferred traveler line?

If I lived in Orlando or someplace else where my frequent flyer status didn’t help me get through the line faster I might consider paying extra to speed up my almost-weekly excursions.

But claiming it improves security? That’s at best just stupid and deceptive.

NIST Recommending Decertification of DRE E-Voting?

Reported over at Internetnews.com.

The National Institute of Standards and Technology (NIST) is recommending that the 2007 version of the Voluntary Voting Systems Guidelines (VVSG) decertify direct recording electronic (DRE) machines.

Not verified yet, but this could be a very major development, if true.

I don’t completely agree with banning all DRE- they play a valuable role for disabled voters and a few other demographics. During the last election I watched one older gentleman leave to go get a magnifying glass, since he couldn’t read the optical scan ballots.

Requiring a stronger voter verified paper record for a recount, rather than banning all DRE, seems more reasonable.

Security Mindset: You Won’t Think of Everything

One indication of the security mindset is that you always assume an attacker will think of something you didn’t.

I don’t care if you’re writing secure code, locking down a network, or securing a building perimeter, there is always a way in you didn’t think of. There’s always something you missed. You’re human, and you make mistakes. You’re not the smartest person out there, and, although rare, there are bad guys who are smarter than you. So rather than relying only on the controls you have in place, you learn to rely just as heavily on your ability to respond, be it issuing a patch, segregating a network, or deploying a response team.

It’s not just that someone might be smarter than you, but often people approach problems in very different ways.

For example:

Many years ago I worked as a paramedic at a semi-volunteer ambulance agency. As the agency moved more and more towards a paid service, with full time staff members, the new operations director decided to lock all the spare equipment up in a special room. Basically, he built a cage inside the storage room and locked everything up tight.

My shift had a tendency to pull pranks, and a locked room like that was just too much of a temptation. Our solution? I climbed on the roof and rappelled down to the window that easily shimmied open, since the cage didn’t block the window. I rearranged everything inside, popped back out the window, and locked up behind me.

Orthogonal thinking can be fun.

The Security Mindset

Last night I was reading through some posts on some other sites I’ve missed in the past couple weeks (darn real job), and stumbled upon this one by Richard Bejtlich. Basically, someone with particularly poor spelling asked if he could pay Richard to tutor him and just brain dump his entire career of security knowledge, since this particular reader “cannot afford nor have the time to take a full collage course on the topic of network security“. And I didn’t even know there were collage courses in security! Is that like cutting up printouts of packet dumps and pasting them into pretty pictures of routers? Do I sign up at the art school next to the comp sci lab?

But I digress. And suspect that individual is saving up for a spell checker before college.

In his response Richard reminds us that there are no shortcuts, and lists some books to help build foundational knowledge. While good advice, I think there’s also something far more important every security professional, physical or IT, should foster within themselves. It’s the “security mindset”.

The name and tag line of this blog are a pathetically humorous attempt to put some words around this nebulous concept. The security mindset isn’t something you can get from reading a book or taking a course, but if you want to be good, really good at security it’s something you absolutely need to develop. The mindset is why my old friends from physical security days never get hacked at home, no matter how bad their technical skills. They just get security.

I suspect if you poll a lot of my fellow bloggers and security professionals all of them can point to people who “just get it” no matter how little formal training they have. They can also, probably more easily, point out plenty of people with “security” in their title that don’t really grok security. I’ve met people at all levels- from security operations, to analysts, to CISOs, that never really get it. Without a security mindset you’ll never be good at security, no matter how many books you read or courses you take. You might be decent at maintaining firewalls, setting user permissions, or running vulnerability scans, but you won’t be the person your organization turns to for the tough problems. You’ll be tactical, good at some menial tasks, but never really understand what’s going on around you and never be able to get ahead of the threats.

When people ask me what certification and educational background to look for in hiring someone new for security, I always make a pitch to try and get them to value a good security mindset over a resume. Problem is, I’ve never been good at describing how to identify this nebulous attitude.

Considering the name and tag line of this site, you’d think it’s something I’d have down by now.

Rather than subject you to another one of my mega-posts (like the DRM thing) I’ll just mention part of it today. Mostly because I’m making this up as I go.

The foundation of the security mindset is built on paranoia and cynicism. You always assume something will happen, and you don’t believe in anything. Yeah, it makes you real fun at parties, but eventually you get enough cool stories that people won’t care about your lack of personality. Then again, there’s probably a reason cops, firefighters, paramedics, and cryptographers tend to hang out just with other cops, firefighters, paramedics, and cryptographers (not at the same parties).

For the rest of this series we’ll build on this foundation and talk about some more specific ways of thinking like a security geek.

So how do you build the mindset?

You immerse yourself in security, and I don’t mean the job. Don’t read books on cryptography, go read some quality spy novels and security tales with ultra-paranoid protagonists that consistently improvise creative solutions to hopeless problems. The Bourne Identity is a great start, maybe followed by a few Jack Reacher novels and capped off by early Clancy (a bit of a freak job, and nothing past Clear and Present Danger is worth your time). I also like Cryptonomicon and Rainbows End. As for movies, watch Sneakers and Enemy of the State. Everything else is crap. Remember, these are fantasy; you’ll need to suspend some disbelief and let yourself roll with it. Some of the best social engineering to ever hit the silver screen is in Sneakers, despite possibly the worst representation of cryptography in history.

Then start to build some awareness. When you walk into a store, figure out how you’d rob the place blind (and, uh, don’t do it). When you go to a concert try to spot a free way in (it’s easier than you think). Pick apart airport security and figure out which parts work and which don’t. Maybe even take a good martial arts class- not some streetfighting garbage, but a real martial art with history and lessons on strategy, tactics, and reading your opponent.

Become paranoid. Trust no one. Think like a bad guy.

That’s probably a good start. There’s more to come.

A City Dedicated to Social Engineering

I have a love-hate relationship with Vegas.

As someone who’s not the biggest fan of crowds (after way too many years of events security) this isn’t exactly the most relaxing environment. As someone who hates to lose… well, if you think you can win here you’re fooling yourself.

On the other hand I met my wife here (at a Jimmy Buffett concert); and as a security professional this is probably the most fascinating city on the planet (followed closely by Johannesburg).

Vegas is a double whammy of security- on one side there’s all the casino security. Cameras everywhere, multiple layers of guards and law enforcement, and the built-in security systems of the games. It’s a great place to challenge yourself and try and find the holes (or catch something before the casino does).

On the other hand this is an entire city dedicated to nothing more than manipulating every man, woman, child, and sentient alien on the face of the planet. From the casino design, to the advertisements, to the very structure of the city there’s no better place to come learn social engineering. Amazing. An entire city devoted to leeching every possible dollar out of your pocket through manipulation of every base instinct in your genetic code.

It’s just fascinating- from the single deck blackjack tables that make you believe you’re a card counter, to TV shows like Las Vegas that make casinos out to be some altruistic corporation run by locals who care. My favorite on this trip is the “ultra-lounge” here at the Rio (it’s a regular hotel lobby bar with the occasional model posing on a platform). I didn’t bother to check the drink prices. I was once comped a bottle of vodka at one of the lounges. We thought we’d order a second bottle, but I didn’t think $300 for something you could get for $40 in the liquor store down the street was the best deal on the planet, no matter how many “actress/models” serve it.

You gotta love Vegas.

(Someday I’d love to check out the behind the scenes security- just in case any of you readers have connections.)

Speaking in Vegas

I’m heading out to Vegas tomorrow morning to speak at the Data Center conference.

If any readers are there and want to meet up, just email…

Are Consumer DRM and Consumer Security Compatible?

In The Non-Geeks Guide to Consumer DRM: Why Your New TV Might Not Work With Tomorrow’s DVD player I concluded that current consumer DRM systems are more effective at restricting consumers’ rights than protecting content. Today we’ll look at the security consequences of consumer DRM from the consumer’s perspective. As DRM is ever increasingly embedded in consumer technologies and computer systems it drives dramatic changes in how we, the public, interact with content of any type- free, commercial, or self-created.

As I’ve mentioned before, one of the first presentations I ever created and delivered to an audience was on what I called, at the time, convergence security. This was over 5 years ago and the focus was on the security implications of digital convergence- what happens as the lines between the Internet, wired, wireless, television, consumer devices, and enterprise systems blur into a digital static of data, content, and connectivity. While “convergence” mostly died as yet another overused dot-com boom term, the core concepts are becoming reality today; from video clips on corporate smart phones to digital distribution of… pretty much everything. This being the mid-life of Napster, I looked at DRM and came to six conclusions:

  1. If you can see it or hear it, you can convert it to a digital copy. It might not be “digitally pure”, but for most people it’s more than good enough.
  2. Once a single unlocked copy is created, there’s no way to stop global distribution.
  3. The only way to prevent digital copies of high-quality analog content is to embed hardware enforcement into every single device that accesses or displays content.
  4. If DRM is too onerous consumers will be driven to illicit content. Less out of a desire for “free” and more from a desire of “use”.
  5. Successful content owners will implement “good enough” DRM mechanisms that limit casual infringement, while supporting flexible customer use. These will be included as part of value-add services that are so compelling they draw consumers to the legal services, leaving illicit file trading to those who wouldn’t buy the content anyway.
  6. Consumer electronics companies will never embed enforcement controls in all devices- while in the interest of the content owners, the increased costs and decreased usability are against the interest of consumer electronics manufacturers.

You can sum it all up with the rule of “it only takes one”. It only takes one pristine, unlocked copy and the scope of the Internet supports uncontrolled global digital distribution. Consumers need to be incented, beyond a mere inclination (or fear) to abide by the law (remember- everyone speeds) and restrict themselves to purchased, protected content.

I was right, and I was wrong. I thought I was being cynical, but I wasn’t even close to cynical enough. As we’ll see during our exploration of the consumer security implications of DRM the industry is moving forward with plans for complete control of content and the restriction of consumers’ use rights. While this may, under certain interpretations, be within their right as copyright holders, this control is coming at the expense of consumer security.

While consumer DRM doesn’t fundamentally conflict with consumer security, current DRM mechanisms often enforce content control at the expense of security. Why?

Comprehensive Digital Rights Management is only possible if the content owner controls both the form of the content, and all hardware and software used to access the content. Thus for rights to be enforced, the content owner needs control of whatever music player, DVD player, TV, monitor, stereo, TiVo, etc. that you use to play it.

That might seem acceptable, however restrictive, but this is digital content. Content we access using our personal and professional computers and devices. Systems that, to enforce rights, content owners need to control; thus intruding beyond mere content players into the hub of modern digital life.

(more…)

Take the Latest OS X Disk Image (DMG) Vulnerability and Possible Exploit Seriously

For some reason I think I often end up in the middle on some of these vulnerability issues; trying to bring reasonable advice to both technical and less-technical users on hyped security issues.

Here’s another one.

The Month of Kernel Bugs project released a new flaw affecting Macs- it’s a flaw in disk image files that crashes the system. Right now we don’t know for sure if it could allow someone to take over your computer, but I promise you that this class of attacks will, if not now, eventually let someone else take over your system. There is also an unconfirmed report this may be in the wild.

DMG files are, to be blunt, the single most likely vector for a rapidly spreading Mac virus.

We talked a little about this in our first post on kernel bugs. Because of how OS X handles disk image files, mounting a malicious disk image (even if you never run anything inside it) could let an attacker take over your system: the kernel parses the image’s filesystem structures as part of mounting it, so the bad data is processed before you open a single file. This is a kernel flaw- so you don’t need to be running as root or with administrator privileges. The attacker will totally own your system, and can use it, just as Windows systems are commonly used, to attack your friends and associates. A really nasty attacker might even try to identify other Mac users from your address book settings or by trolling your inbox for Mac-formatted emails.

Yep- I’m using hyperbole, because I want you to take this seriously.

Matasano has a great write up on this. I disagree that disk images are always a bad idea since I’ve found them really useful, but do agree they are a royal pain in the rear to secure. I also think Gruber is taking this more seriously than they give him credit for, yet considering his influence on the Mac community I hope he takes it even more seriously.

Because of how disk images work they are far more likely to allow someone to take over your computer than other file types on a Mac. Here’s my advice for other Mac users:

  1. As many recommend, turn off Safari’s “Open safe files after downloading” preference.
  2. Don’t download any DMG file from an untrusted source.
  3. Never open a DMG file emailed or IM’d to you from someone you know unless you were expecting it. That’s how a mass exploit will work.
  4. Apple should require admin privileges to open a disk image in future versions of the OS, or design some other mechanism to prevent kernel panics (e.g. virtualization or something similar). Yes, this is an inconvenience, but since we’re talking about a file format that will be nearly impossible to secure, yet is valuable to us as users, additional steps should be taken.

There’s no need to panic, but we do need to take this very seriously. This won’t be the last we hear about this kind of problem.

Repost: The Securosis Top 6 Tips for Safe Online Holiday Shopping

Today is the last day some of you will be in front of your computers before the horror of Black Friday. Thus, we are reposting our safe holiday shopping advice.

Hey. Let’s be careful out there.

Yes folks, Black Friday is less than two weeks away and the silly season is upon us. As someone born and bred in good old North Jersey (until I could legally escape), land of honey and shopping malls, this is a time so deeply ingrained into my subconscious that I’ve occasionally found myself sleepwalking around the nearest parking lot, looking for our old wood-paneled station wagon.

These days, thanks to the wonder of the Internet, anyone can experience the hustle and bustle of the Paramus malls from the comfort of their own home. And to help keep your shopping experience authentic, there’s no shortage of cheats and thieves ready to yank your painstakingly chosen gifts right out of the virtual trunk of your web browser. Of course they might take your house with it, which, even in Jersey (despite the legends) is somewhat rare.

In the spirit of safe and happy holidays, Securosis presents our top 6 tips for safe online shopping, simply presented for the technical or non-technical consumer. Some of these tips also apply to the real world for those of you who just can’t restrain the draw to the mall. Spread the fun, and feel free to post your own tips in the comments.

  1. Use a dedicated credit card (or PayPal account) for holiday shopping. Our first tip is also useful for the physical world- still the origin of most credit card fraud. Take your card with the lowest limit and use it exclusively for holiday shopping. Use one you can monitor online, and check the activity daily through the holidays (weekly at a minimum). Make sure it isn’t a debit card, and turn off any automatic payments (so you can dispute any charges before making payments). Keep tracking activity at least weekly for 12 months after the holidays are over, or cancel the card. DON’T USE A DEBIT CARD!!! These don’t have the same protections as credit cards, and since the money leaves your account immediately, you’re out the cash while you fight over fraudulent charges. As for PayPal, read on to our second tip.
  2. Only use credit cards at major online retailers; use a PayPal debit account for smaller shops. Sure, you might get a better deal from Billy-Bobs-Bait-Shop-And-Diamond-Wholesaler.com, but many smaller retailers don’t follow appropriate security practices. Those hosted with a major service are often okay, but few consumers really want to check the pedigree for specialty shops. Instead, create a dedicated PayPal account that’s not linked to any of your bank accounts or credit cards. Credit it with as much cash as you think you need and use it for those riskier online payments. Worst case, you only lose what’s in that account, and you can easily cancel it anytime.
  3. Never, ever, ever, ever click on ANYTHING in email. It doesn’t matter if your best friend sent you a really good deal in email. It doesn’t matter if it’s your favorite retailer and you’ve always gotten email offers from them. Repeat after me, “I will never click on anything in email.” No special offers. No Ebay member to member emails. No “fraud alerts” to check your account. No nothing. Ever. Nada. Attackers are getting more and more refined in their attacks, some of which are very hard to distinguish from legitimate emails. Spam waves over the holidays are expected to break records this year. When you see an interesting offer in email, and it’s a business you want to deal with, just open your web browser, type in the address manually, and browse to the item, offer, or account area. Email is the single biggest source of online fraud; never click on anything in email!
  4. Update your browser- use Firefox 2.0, IE 7, Safari, or Opera. Turn on the highest security settings. Over the past month or so we’ve seen major updates of Firefox and Internet Explorer, both with significant security enhancements. Safari (installed on every Mac) and Opera are also good options. Firefox 2.0 and IE 7 include features to help detect fraudulent sites- if you see a warning, shut down the browser and don’t go back to that site. All of these browsers will ask you before installing any software when you visit a site; when shopping, never allow the site to install anything. Either it’s a fraud or they don’t deserve your business. Most browsers now install with security enabled by default, so we won’t be providing detailed instructions here. Just download them. Now. Then come back and read the rest of this list. We’ll wait.
  5. Download and install the Netcraft toolbar if you’re on Windows. This is a free toolbar for Firefox and IE that helps identify phishing sites. Although both browsers include their own anti-phishing technologies (as do many other toolbars), it never hurts to double up during the holiday season. Think of it as the deadbolt lock to enhance the regular lock on your front door. If you don’t want it bothering you all the time, at least use it during your holiday shopping and turn it off later.
  6. Keep your antivirus, firewall, antispam, and anti-spyware up to date. I don’t really care which product you use (and truth be told, we don’t really like most of the commercial ones) but as bad as some of these perform they really are essential on a PC. Before the holidays we plan on putting together a list of free, non-geek security tools, but for you non-technical type any of the shrink wrapped major vendors offers at least a modicum of protection. For Windows users, Windows Defender is a good, free additional tool to limit spyware. Right now there’s no known spyware for Macs.

These six simple steps won’t stop all fraud, but will significantly reduce both the chances you’ll be a victim, and the damage if you are. Feel free to email them to your friends and family who won’t normally browse a security site like this one.

And stay tuned for our non-geek guide to securing a Windows computer for free…

Disable Storing Passwords in Firefox 2.0

There’s a new bug in the Firefox 2.0 password manager which can reveal your saved password to any other page on the same domain. Even if you have a master password set, you should clear out all your Firefox stored passwords until this is fixed. There are a lot of ways to take advantage of this, especially on Web 2.0 sites where other users get to put content (and forms) on the site’s pages.

Yep- I use it, and will miss it. I hope they fix this soon.
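To see why a same-domain page is enough, here is an added illustration (a Python model, not Firefox code) of the class of bug described above: a password manager that hands out saved credentials based on the page’s domain alone never checks where the login form actually submits, so a form another user managed to place on that domain can send the credentials anywhere. The second function adds the check. The saved login and all URLs are hypothetical.

```python
from urllib.parse import urljoin, urlparse

# Constructed saved login, as a browser password manager would store it.
# Hypothetical site and credentials for this example.
SAVED_LOGINS = [
    {"site": "https://www.example-social.com", "user": "alice", "password": "hunter2"},
]


def autofill_by_host_only(page_url, form_action, saved=SAVED_LOGINS):
    """Model of the weak behaviour: fill saved credentials into any login form
    on a page whose host matches the saved site. The form's submit target is
    never looked at, so a form an attacker placed on a profile page, comment
    or forum post on that site gets the credentials and can post them off-site."""
    page_host = urlparse(page_url).hostname
    for login in saved:
        if urlparse(login["site"]).hostname == page_host:
            return login
    return None


def autofill_checking_action(page_url, form_action, saved=SAVED_LOGINS):
    """Fill only when the page AND the form's resolved submit target are on
    the saved site's origin (same scheme and host)."""
    page = urlparse(page_url)
    # A relative or empty action submits back to the page's own URL.
    target = urlparse(urljoin(page_url, form_action or ""))
    for login in saved:
        site = urlparse(login["site"])
        if page.hostname != site.hostname:
            continue
        if (target.scheme, target.hostname) != (site.scheme, site.hostname):
            continue
        return login
    return None


def compare(page_url, form_action):
    """(weak manager fills?, hardened manager fills?) for one form."""
    return (autofill_by_host_only(page_url, form_action) is not None,
            autofill_checking_action(page_url, form_action) is not None)


if __name__ == "__main__":
    cases = [
        # the site's real login page: both fill
        ("https://www.example-social.com/login", "/login"),
        # attacker's form on another user's profile page, posting off-site
        ("https://www.example-social.com/profile/mallory", "http://attacker.example/collect"),
        # attacker's form posting to the right host but over plain http
        ("https://www.example-social.com/profile/mallory", "http://www.example-social.com/login"),
        # unrelated site: neither fills
        ("https://www.other.example/login", "/login"),
    ]
    for page, action in cases:
        print(page, action, "->", compare(page, action))
```

The third case matters as much as the second: the credentials would still reach the right host, but over plain http where anyone on the path can read them, so the hardened check compares scheme as well as host.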