Research

I wasn’t planning on writing about this, but with the release of a third unpatched MS Word vulnerability it’s time to be extra careful. I’m assuming this will be patched soon, but for now I’d limit yourself to only documents you are darn sure are safe. I’d tell you to stop using Word, but that’s just silly and unrealistic. Just be safe, okay? Share:

I’m on yet another airplane, this time up to Seattle for another client meeting. I felt really bad for the non-English-speaker being berated by security at the airport for daring to bring 4.2 full ounces of liquid in his bag, as opposed to the 3 ounce limit. Anyway, every now and then I see a convergence of different tidbits hitting from multiple directions that points to a single issue. This time it’s about controlling content after you make it public. I’m consistently amused by the utter shock and dismay of various individuals and corporations when… gasp.. someone takes something they made public and does something… and you won’t believe this… unexpected and unapproved with it! How dare they share that file, deep link that news article, satirize that press release, re-work the data, or, worst of all, republish sale prices posted on a web site! Here’s the thing- if you make something public, you can’t assume it won’t be used in unintended ways. From friends sharing that new song just discovered, to a website pre-posting sales prices before Black Friday. I’m not saying it’s always legal, sometimes it is and sometimes it isn’t, but what I can say is that you’re foolish if you don’t prepare and plan for unintended use. People are people. They do unexpected things during every moment of consciousness and unconsciousness. Security is fallible, and we can’t prevent everything. If you make something public; heck, sometimes if you even share it privately, the only assumption you can make is that you can’t completely control what you release. What’s the old saying? If two people know a secret it’s only really secret if one of them is dead. Personally, I say knock them both off just to be safe. Share:

I’m out in Colorado with the wife to catch up with friends (I used to live here) and test the snow for proper friction (snowboarding up at Copper, where I used to patrol). And, uh… what was it… oh yeah. Work with a client. While I’m sure I could invent all sorts of crappy metaphors on how security is like snowboarding (keep your knees bent and your weight forward or the firewall crashes?), I think I’ll just sign off for a few days and enjoy the snow. Remember- there are no friends, or blogging, on a powder day. Share:

Adam at Emergent Chaos has a quick post on the lawsuit against the Seattle Seahawks over physical searches at the stadium. My response? Get over it. I performed more pat downs than I care to admit. Sometimes thousands on a given day. It ain’t fun, and I never enjoyed touching all you smelly, drunk, think-you’re-hotter-than-you-are types out there. It was, however, a great workout for your quads after the first few hundred squats to check the ankles. The main reason for searches at football games isn’t weapons (except at Raider’s games), it’s booze. The biggest safety concern during most sporting events is drunks. More specifically, it’s testostahol. When selling beer in a stadium there is a minimum level of control and patrons can be cut off when obviously drunk. No, it isn’t perfect, but it’s more effective than most of you realize. When patrons bring in hard alcohol things can get very ugly. Aside from fights, there are a lot of associated medical concerns (drunks like to fall down, pass out, and do other stupid stuff). Based on personal experience, the more you can screen up front (including denying entry for obvious intoxication), the less you have to deal with inside. Some items, particularly cans and bottles, are also very hazardous in a stadium environment. I’ve seen people nearly killed by an errant beer can thrown from the crowd at the crappy ref. As for the legality, go look at the back of your ticket. Even if built using public money, a stadium during an event is a private facility. Otherwise, technically, anyone could go for free. On all your tickets to any concert or game is the provision that you can be denied entry for any reason. Refusing to subject yourself to a search is a good reason. Besides, court houses, legislatures, military bases, and all sorts of other facilities are bought with public money and subject to security rules for public or private safety. What makes a stadium any different? Get over it. No one wants to pat down your ugly ass anyway, so it’s not like they enjoy it. Share:

I travel a lot, and on occasion I’ll run Nmap or some other scanner from my hotel room to get an idea of what’s out there, and how dangerous these hotel networks really are. To be honest it’s not something I do all that much anymore since even scanning an open network is running the risk of being considered over the line. But I just discovered a new security tool. It’s free. And it even plays music! Yes, the ever venerable and recently updated iTunes turns out to be an honest to goodness, if limited, security scanner. How? Well, I arrived in my hotel room last night, connected to the network, and launched iTunes for some background working music. Very quickly I saw four shared iTunes libraries on the network (without even looking actively, if you have iTunes set to find shared libraries they pop up all on their own after that). Some of my fellow traveler’s musical tastes are fairly interesting. In three of the four libraries the users conveniently included their personal name in their shared library name. One user even had the word “Limewire” in his (judging by his real name) library name. Huh. I wonder if he acquired all the music legally? Thus iTunes is now my new network security tool- I can instantly tell if I’m connected to a switched or segregated network, and even pick up the names and listening habits of other hotel guests. Anyone know if the RIAA offers a bounty? I mean they sue grandmothers and children, I don’t see why they wouldn’t start a confidential informant project. (Update 9/16 : DM and Chris Pepper remind me this feature isn’t anything new. Actually, I’ve used it for years on my home network, but this is the first time I’ve noticed random users on a hotel network and I found it amusing.) Share:

Electronic voting seems to be popping up again thanks to our favorite digital ostrich, Diebold. Martin Mckeay’s also writing on this a bit, and it’s well worth reading. This isn’t the first time I’ve mentioned this, and I didn’t come up with the idea, but with the most recent Diebold gossip I think it bears repeating. Gambling systems, electronic or physical, undergo extensive testing, validation, and auditing. We’re not just talking hacking, they shock the darn things with cattle prods and attack them using such phenomenally creative techniques that I’m awestruck the few times they show it on Discovery channel specials. And it’s the complete system that’s tested and audited constantly- even the odds distributions among video poker clusters in casinos (which are audited externally by various gambling commissions in the sin city of your choice). What does this have to do with voting? Gambling systems are somewhat unique in that pretty much everyone involved has an incentive to cheat everyone else. Were talking about a system where no one can really trust anyone. Sure, casinos (at least in Vegas) are on the up and up, but do any of you really trust them? They sure can’t afford to trust us, and pretty much no one trusts the government. The result? Some fracking good security. So here we have a highly secure system of numerous specialized electronic devices operating in a networked (or non-networked) environment with near-perfect auditability. Hmm, where else might we want a similar system? Heck- they even already have testing labs and audit standards. Funny how closely related gambling and politics are. I wonder if cattle prods are illegal in voting booths? I wonder how long Diebold would survive in Vegas? (I’ll be the first to admit us security types have a habit of blabbing on any topic we can possibly stuff into the security bucket, but electronic voting happens to be one of the areas where our experience is directly applicable. I don’t know too many (any) security types that try to justify Diebold’s positions. They’re either criminal or mentally incompetent.) ((And speaking of casinos- one of my favorite memories of Defcon was how none of the stores in the casino would take credit cards during the event.)) Share:

Reported over at Internetnews.com. The National Institute of Standards and Technology (NIST) is recommending that the 2007 version of the Voluntary Voting Systems Guidelines (VVSG) decertify direct record electronic (DRE) machines Not verified yet, but this could be a very major development, if true. I don’t completely agree with ba ing all DRE- they play a valuable role for disabled voters and a few other demographics. During the last election I watched one older gentleman leave to go get a magnifying glass, since he couldn’t read the optical scan ballots. Requiring a stronger voter verified paper record for a recount, rather than ba ing all DRE, seems more reasonable. Share:

A few months ago I picked up a Western Digital external hard drive at Costco since my MacBook’s internal drive was a bit stuffed with digital photos. The WD drive is a pretty nice USB drive and really portable. The problem? I started having some intermittent failures on the drive. Since this is where I now keep my wedding photos (backed up somewhere else, of course) I decided to return it before it totally died on me. I got the replacement drive, packed up the original, and heading to the shipping store… … where I realized I hadn’t wiped the drive. While it’s just photos, and none of them are of an embarrassing nature, I still don’t relish the idea of seeing them “enhanced” and posted on MySpace. Lucky for me I use a Mac and safe erasing is an integral part of Disk Utility. I ran the program, clicked the security options button, and chose the 7 times overwrite option. 7x might be overkill for some non-sensitive photos, but I figured it would be a good test to see how long it takes. The answer is about 7 hours for a 120 GB USB 2.0 external drive. For the record. Oh well, I guess it isn’t going out today. But I’m darn glad I remembered to wipe the drive before shipping it back. I’d really hate to see any pictures of our cat show up on some sick kitty-porn site. And I’m really glad Apple makes it so easy. Microsoft also has secure formatting options, but generally you need a third party tool (or write your own script) to get the same degree of security. Unless the data is encrypted, without overwriting it’s pretty likely someone can recover it. Then again, smashing is probably faster. But Western Digital might not appreciate a smashed return. I’d probably lose my deposit. (edited 9/10 to add disk size of 120 GB) Share:

I’m out on the road this week, right now spending two days at a strategic planning session with a large energy company. This is the kind of trip I actually enjoy- working with an end-user on strategic issues at the executive level where they really want to solve the problem. The theme of the day is major disruptions- how to stay in business in the face of massive disasters that go well beyond disaster recovery. I’m just one of about a dozen outsiders brought in to try and get people thinking in new directions. Someone saw one of my presentations on responding to Katrina (I’m a reservist on a federal team) and thought a little on the ground experience might liven the discussions. I’m more than happy to stay at a nice hotel and tell rescue war stories while drinking fine wine (as opposed to pissing off my friends telling the same damn story for the 50th time after too many drinks). One of the presentations on crisis communications was particularly interesting. No, not ham radios, but how do governments and organizations communicate with the public during a disaster? The academic they brought in had some very compelling examples ranging from nuclear power accidents, to the air quality in lower Manhattan after 9/11, to chemical spills, to product recalls. One message emerged load and clear- liars always get caught… eventually. But they’ll probably get away with it in the short term. I asked him directly if he knows of any successful cases where a corporation or government attempted to spin a situation through obfuscation or outright deception and actually got away with it. His answer? In the long term- no. In the short term- yes, but the long term impact is usually magnified when the truth emerges. The most successful crisis communications? Honesty, transparency, and openness (even if spun a little). Seems like a pretty valuable lesson to us in security. Any security professional will eventually deal with a breach, or on the vendor side with a bad vulnerability. The more we try and cover something up the worse it is for us in the long run. A few quick examples? Look at Cisco and the Mike Lynn situation. I hear there are some job openings at Ohio State. Choicepoint swapped CISOs after their breach, even though it wasn’t an IT security failure. We can go on and on- can anyone think of a single security breach or vulnerability disclosure where the organization involved didn’t get caught in a lie or cover up? Same goes for vendors exaggerating product capabilities. I know one that recently changed their entire management team because the old CEO thought he could fool the market just long enough to get bought. Too bad the board didn’t buy it. He’s out of a job (but I’m sure he got a nice package). The bad news is you can get away with it in the short term, but I’m not sure how that really helps you as an individual, or your company, if eventually you’ll get fired. You see lying is like crack- a short term high, but in the end you’ll end up naked in front of a dumpster with a crack pipe in an uncomfortable orifice. I suppose that’s okay if it’s what you’re into. Personally, I’ll stick to the truth and head downstairs for some free wine. (P.S.- the exception to all of this, of course, is politicians. I think it’s either because we’re lazy as voters, or because they all eventually smell the same. Probably a little of both) Share:

I have a love-hate relationship with Vegas. As someone who’s not the biggest fan of crowds (after way too many years of events security) this isn’t exactly the most relaxing environment. As someone who hates to lose… well, if you think you can win here you’re fooling yourself. On the other hand I met my wife here (at a Jimmy Buffett concert); and as a security professional this is probably the most fascinating city on the planet (followed closely by Joha esburg). Vegas is a double whammy of security- on one side there’s all the casino security. Cameras everywhere, multiple layers of guards and law enforcement, and the built-in security systems of the games. It’s a great place to challenge yourself and try and find the holes (or catch something before the casino does). On the other hand this is an entire city dedicated to nothing more than manipulating every man, woman, child, and sentient alien on the face of the planet. From the casino design, to the advertisements, to the very structure of the city there’s no better place to come learn social engineering. Amazing. An entire city devoted to leaching every possible dollar out of your pocket through manipulation of every base instinct in your genetic code. It’s just fascinating- from the single deck blackjack tables that make you believe you’re a card counter, to TV shows like Las Vegas that make casinos out to be some altruistic corporation run by locals who care. My favorite on this trip is the “ultra-lounge” here at the Rio (it’s a regular hotel lobby bar with the occasional model posing on a platform). I didn’t bother to check the drink prices. I was once comped a bottle of vodka at one of the lounges. We thought we’d order a second bottle, but I didn’t think $300 for something you could get for $40 in the liquor store down the street was the best deal on the planet, no matter how many “actress/models” serve it. You gotta love Vegas. (Someday I’d love to check out the behind the scenes security- just in case any of you readers have connections.) Share: