Incite 1/20/2010 - Thanks Mr. Internet
By Mike Rothman
I love the Internet. In fact, I can’t imagine how I got anything done before it was there at all times to help. Two examples illustrate my point. On Monday, I went to lunch with the family at Fuddrucker’s, since they had the day off from school. They saw a big poster of Elvis with the title “The King” underneath. They had heard of Elvis, but didn’t know much about him.
The Boss and I were debating how old Elvis was when he had that unfortunate toilet incident. I whipped out the iPhone, took a quick peek at Wikipedia, and learned the King died when he was 42. Oh crap, that’s not much older than I am right now. Then we went into his history and music and the kids actually learned something. Thanks, Mr. Internet.
Next up, I’ve been having some problems with my washing machine. So I check out the appliance boards on the Internet (thanks to the Google) and figure out what the error code means and a few ideas on how to fix it. Turns out it’s very likely a control unit issue. Amazingly enough, there is a guy in the Southeast who fixes the unit for half the price of buying a new part.
The guy sends me a little PDF on how to remove the control unit (it was a whopping 3 Torx screws and unplugging a bunch of wires). I put the unit in a box and sent it off. It could not have been easier. Thanks, Mr. Internet.
Now what would I have done 10 years ago? I would have called Sears. They would have come over, charged me for the service call ($140), replaced the control unit ($260), and I’d be good to go. $400 lighter in the wallet, of course.
They say an educated consumer is the best consumer. Not for the old Maytag Man, I guess. Don’t think he’s sending thanks to Mr. Internet.
Photo credit: “Maytag Man Inflatable” originally uploaded by arbyreed
Incite 4 U
This week we got contributions from almost everyone, which has always been my evil plan. And as much as I like the help, I do think having a number of opinions weighing in makes things a lot better – for everyone.
China wastes a zero day on IE6? – It seems that the zero day vulnerability exploited by China doesn’t only work on Internet Explorer 6, but according to this article in Dark Reading may also work on IE 7 and 8, and might even work around the DEP (Data Execution Protection) feature of XP and Vista. Considering all the old vulnerabilities in IE6 (you know, something you should have dumped years ago), you have to wonder if the attackers just assumed we weren’t dumb enough to still use ancient code open to old exploits. Without listing all the permutations, it looks like IE8 on Vista or Windows 7 (because of that ASLR anti-exploitation thingy) may be secure, but everything else is exploitable and Microsoft is issuing an emergency patch. I realize it’s painful to think you might have to actually update that 10 year old enterprise application so it works with a browser released after 2001, but it’s time to suck it up and browse like it’s 2010. – RM
They are better than us – Clever programmers working on a single project test their code against live servers, monitor effectiveness, and evolve the code to get better every day. Working with operating systems I used to see this dedication. Some of the programming teams I worked on bordered on fanaticism and worked hard to become better programmers. Teams were like coders’ guilds, where more experienced members would review, teach, and occasionally shred other members for shoddy work. They worked late into the night, building new libraries of code, and studied their craft every night on the train ride home. They knew minutiae about protocols and compilers. I swear a couple of them thought in hexadecimal! When I read blogs like “An Insight into the Aurora Communications Protocol” I get the picture that the hackers are more professional than the “good guys” are. Hackers use obfuscation, SSL variations, code injection, command and control networks, and stolen source code to create custom 0-days. These highly motivated people have rapidly evolving skills. What worries me about Aurora isn’t the sophistication of the attack, but the disparity in dedication between attacker and your typical corporate developer. One side lives this stuff and one has a job. This is getting worse before it gets better. – AL
Here’s a serving of humble pie. Eat it! – The truth of the matter is that a lot of security folks fail. Almost as often as marketing folks. Combine the two and you get…me. It does make sense to do a little soul searching and this post from Dan Lohrmann on CSOOnline really resonated. Basically his contention is that security folks come across as unusually proud or overconfident. That’s politically correct. I’d say in general we’re a bunch of arrogant asses. Not everyone, but more than a few. The reality is security folks need a bit of an edge, but at the end of the day we still need to be respectful to our customers. Yes, those idiots who get pwned all the time are our customers. So think about that next time you want to throw some snark in their direction. Just share it on Twitter. Like me. – MR
Things in public, are, you know, public – On The Network Security Podcast last night we talked a bit about this article by James Urquhart over at CNet on the Fourth Amendment in the cloud. Actually, forget about the fourth amendment (that’s the search and seizure one for you engineering majors), when it comes to the Internet and privacy repeat after me – “if it’s on the Internet, it isn’t private, and never goes away”. The article emphasizes that anything you store on Internet services (I’m not limiting this to cloud) that is accessible by your service provider can’t be considered private under current law. Phone and paper mail are protected, but the law hasn’t been expanded beyond that. But with all the hacks of services going on, I think it’s safer to assume everything might someday become public anyway. As someone who once had some private Twitter direct messages exposed thanks to someone else with a weak password, trust me on this one. – RM
Business Relevance by Balanced Scorecard? – We continue to struggle with business relevance, every day. And I’m certainly not too proud to borrow a good idea from someone else if it can get me where I need to go. So seeing this post on selling security with the balanced scorecard got me thinking. Can a well-worn general business concept be useful to us security hacks? The verdict is… maybe. I’m hedging because it depends on your culture. So whether it’s relevant to try to quantify the “learning and growth” aspect or not, the point is to try to understand and communicate business relevance. – MR
Blind as a bat – I’m not a big fan of surveys. You know that. But like everything else, some data can be used as a tool to make a point that needs to be made. So my pals over at EMA did a survey and it showed that only 19% of some group is adequately monitoring their systems. Yeah, that’s a problem. No data. No early warning system. No forensics. No nothing. Richard Bejtlich made a point on Twitter today that 2010 will be the year when intrusions became a hotter topic than compliance. I expect incident detection and response to be big. Not if we don’t have any data. So think about your data collection efforts and whether you have enough data to find that needle in a haystack. – MR
You’ve got to earn that ‘trust’… – SQL Server 2008 R2 is scheduled for release in May of this year. I am looking forward to getting my hands on a copy to test out transparent database encryption and see exactly what data is pushed into the audit log, or if we are just going to get the same old syslog garbage. Given the number of new interfaces and amount of collaboration software being added, I am a little nervous about platform security. Which raises the question: does any software company get to advertise any new product as “A trusted and scalable platform”? The old platform maybe. I give Microsoft the benefit of the doubt nowadays when it comes to security, as they have made huge strides and have done some very smart things with their SDLC, but every database vendor for every major release has seen a big spike in vulnerabilities in the first few months of deployment. With several new interfaces and data sharing applications like Excel and PowerPivot connecting to the database, I think I’ll wait a little while before I trust it. – AL
That’s not a hack, it’s a feature… – I’m a MiFi user, as is Rich and probably a lot of you. When you work remotely, having constant 3G connectivity is critical. I’ve been frustrated with the MiFi WiFi (say that 10 times fast), so I’ve basically been using the MiFi in USB mode. Good thing, since a “feature” in the configuration interface makes the MiFi easy to hack. Of course, it was a great idea to build in CGI parameters to read and change MiFi settings. Threat model, anyone? A hacker can change network settings, which I think some folks have proven is a bad thing (DNS, right?). They will patch it and the impact will be minimal, but it does bring up yet another issue with consumerization of technology. Some of your employees have these devices and they are connecting into your network. So yes, you need to train the users about how to use this stuff responsibly. Good times. – MR