Incite 2/20/2013: Tartar WarsBy Mike Rothman
5 years. It doesn’t seem that long. It seems like yesterday I was on the phone screaming at the office manager of my (previous) dentist. He told the Boss something and then backtracked on it, and I had to write a check to fix the problem. I had just dropped my dental insurance and that little optional procedure wasn’t going to be covered as he had said it would. I told them to pound sand, which was a good move – I settled for perhaps 30% of the cost 18 months later, before it went to collection.
But at the same time, I dropped the dentist. He violated my trust and that was that. Though I seemed to have forgotten to find a new one. This was pretty uncharacteristic – I had been going every 6 months for cleanings since I was a kid. I had a handful of cavities but my teeth were in great shape. But none of my pals had a dentist they liked, so I kind of forgot about it. No big deal, I’ll find one. Sooner or later.
And one year became two years, which then turned into 5. Turns out a friend of ours recently moved his dental practice around the corner, so I had a new guy I trusted. Combined with the call I got last week about the Boss needing a root canal (she hadn’t been in 5 years either), I knew it was time. The fact that Arthur Treacher’s famous Tartar Sauce was caked onto my teeth notwithstanding, it was time to pay my penance and go in.
First of all, my guy does it right. Most folks hate the dentist, so he staffs his office with the nicest people on Earth. I wasn’t in a great mood, and within a minute they had me smiling and chatting it up. That is nothing short of amazing, given my general state of grumpiness. They were all super helpful and by the time my hygienist got through my health forms and X-rays, I knew her life story. Then she proceeded to sandblast my teeth for 35 minutes to clean them off. Evidently a lot of crap sticks to your teeth over 5 years.
Yes, it was uncomfortable. But penance is never pleasant. At least she gave my gums a rest halfway through. A little polish, a bunch of floss and I was ready to meet with the big man. I was a little apprehensive because I figured with all the plaque build-up my teeth must be a train wreck. He cracks some jokes and then pokes and prods with his tools. Oh crap, here it comes… 3 new cavities and about 5 other areas to watch. Wow, it could have been a lot worse. I guess all that fluoride my Mom made me take when I was a kid worked okay.
Of course he did mention my habit of grinding my teeth. Evidently that’s my subconscious way of dealing with the stress and paranoia of being me. Though it’s not causing too much damage right now. So I’ll need to be more aware and cut it out. Evidently I need to find another stress outlet. Maybe some vendor will have a nice squeeze toy or punching bag to give away at the RSAC next week.
He also made an impassioned plea for me to floss more. I hate flossing. I mean hate. But hey, if it means I won’t have to get more fillings next year and the year after that, then I’ll just do it. I have declared war on tartar, and that damn floss is a key armament in my arsenal so I have no choice. A man’s got to do what a man’s got to do.
Photo credits: Thong Lor dentist originally uploaded by Mrs Hilksom
We’re back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.
Network-based Threat Intelligence
Understanding Identity Management for Cloud Services
Newly Published Papers
- Building an Early Warning System
- Implementing and Managing Patch and Configuration Management
- Defending Against Denial of Service Attacks
- Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments
- Pragmatic WAF Management: Giving Web Apps a Fighting Chance
Incite 4 U
Attribution. Meh. Indicators. WIN! With the Mandiant APT1 report making mass market waves yesterday (Rich covered it, and Adrian has some thoughts below), attribution is now big news. John Sawyer discussed this on Dark Reading last week, of course quoting the Mandiant PR machine. His point is that attribution is hard and the kind of profiling and work done by Mandiant is required to really be sure who a specific attacker is. And although Jeffrey Carr brings up some decent points about considering other actors before attributing (though he has no way to know to what degree Mandiant considered competing hypotheses), the reality is that Mandiant did the work and showed with reasonable certainty the specific actor is who they think it is. But ultimately will this do anything besides force the attackers to change tactics and reconsider their OpSec? Probably not, but that misses the point. What will be most valuable is the hundreds of indicators published with the research. Kudos to Mandiant for that. – MR
Siri, build me a cloud: If you have been paying any attention to anything I have written or said on cloud security the past couple years (something I’m definitely not about to assume), you know I’m a huge fan of cloud automation and software defined security. We really cannot manage cloud security manually, and need to take lessons from the whole DevOps movement to become much more efficient in protecting cloud instances. One thing I have mentioned frequently is use of tools like Chef and Puppet for configuration automation (in the CCSK labs we use cloud-init, which is a similar but less robust approach for initial configuration). This was always something you had to do on your own, but now Amazon has baked Chef right into their management console. If you work with AWS at all, you need to read this post. And don’t forget VMWare invested in Puppet, so they will be making a play here as well. – RM
The bare minimum: PCI Security Problems: The Practical Versus The Perfect by Evan Schuman does a great job at capturing the core friction between merchants and card brands. Granted, ripping and replacing ancient operating systems shouldn’t be such a big deal – that’s normal maintenance. Replacing the card-swipe devices and POS systems and the back office software that goes with them? A huge expense, but like most equipment, something you need to do every decade or so. But as with far too much of the PCI Guidance documents, this (entirely unenforced) guidance is about as meaningful as “serving suggestions” for food, and about as valuable for security. IT departments are not going to effectively monitor VM memory and they are not going to validate P2PE; those are skills few people possess. – AL
Hack all the public interests: There have been a few recent cases of people acting in what they thought were the best interests of the public and then discovering that the victim didn’t see things the same way. The latest in the trend is a Dutch MP fined for hacking into an electronic medical records system to prove a point about privacy and security. I’m usually a bit of a bleeding heart (I’m Canadian, eh) and I like to believe that people can hold their governments and the custodians of their data to task. I know… naive and oh so quaint. Given that breach is the new secure, is calling out a public sector agency any worse than stealing a loaf of bread? The consequences are similar, which means until the punishment for discovering and publicizing security and privacy issues is measurably less than the punishment for getting caught doing stupid things with other peoples’ information … nothing will change. But we know how this ends – the breaches aren’t going to stop, and Jean Valjean will be hunted by Inspector Javert. And we’re all miserable. – JA
Alternative perspective on developing attack tools: Much has been said about the Mandiant Intelligence Center report, and many more discussion will ensue over the coming months. One facet I have not seen discussed hit me more than anything else in the report: attack tool development. When you’re blazing new technology trails in software, you build tools to get your work done because there isn’t anything commercial that fits your needs. That’s what being on the cutting edge is all about. Every development team I have ever been associated with built tools to make their jobs faster and easier. Looking at the hacking tools described by Mandiant, you see many tools purpose-built for data discovery and extraction. While they are close to systems management and code development tools, they are focused on information reconnaissance and recovery. These appear distinct from ID theft / botnet / generic malware tools in wide circulation. And they have the UNIX tool feel, where a set of simple commands are grouped together to perform advanced tasks. These tools indicate well-funded espionage software development – there is really no other use case. – AL
Digital Die Hard: When Hans Gruber took over the Nakatomi building in the original, classic Die Hard he faked political demands to buy time to crack the safe. A classic diversion ploy. We have seen the Big Distraction used countless times in films and bad police procedurals, and now it seems it’s gone digital. An attack group timed a DDoS attack on a bank while they (or right after they) drained some business accounts. Overwhelm the limited security staff by knocking down the door, while taking the TV out the back. Remember that DDoS is usually a means to an end, and that end is no good for you. – RM
Suspect judgment: Great point here by Dwayne on the difference between a technical mistake and a judgement mistake, and the importance of distinguishing between the two. The only way to do that is via a formal post-mortem after every incident. Both kinds of mistakes can be addressed, but they require different tactics. Obviously a skills gap is straightforward to deal with. A judgement problem is a bit harder and requires assessing whether your responsible staffers can (and will) learn from making the wrong choice. But all the same, without digging into the issues and finding the root cause of the problem, you cannot make sure it won’t happen again. You know the deal: fool you once, shame on them. Fool you twice, shame on you. – MR