The InfoSec Blog

Why San Francisco’s network admin went rogue

Posted by Anton Aylward

http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/08/07/18/30FE-sf-network-lockout_1.html

To an auditor or anyone with security training this screams of a security risk.
One critical guy who has no backup. private and sole knowledge of the system, never takes vacations. arrogant and protective of his knowledge.
Its a classical case of what should be avoided. There are no management controls in place. He could have been running any number or illegal operations, scams or selling of bandwidth to criminal groups, set up a virtual network ... whatever. No-one would know. "Dual controls" are a fundamental for any critical operation - they are intended to prevent the abuse of privilege we see in this case, to divide the responsibility of the completion of a process into separate, accountable actions, or to safeguard integrity. Childs represents a single point of failure, and management is at fault for letting this situation arise.

His 'pride in his work' and treating the network like a child also comes across as a disregard for the end users, the people for whom the network is supposed to function.

It certainly appears that Terry Childs believed San Francisco's FiberWAN network was his baby, and that by refusing to allow others to access the inner sanctum was in the best interests of the city, the citizens, and perhaps most importantly, himself.

Himself yes, the others, no. His dog-in-a-manger attitude shows a disregard for the end-user, municipal clients, his peers and those he should be mentoring.

His attitude towards management, formal procedures, (like change controls and documentation), standards and automation of processes are frightening. These are signs that an auditor should have caught long ago. The question is 'why didn't that happen?'

As I said, his managers are at fault for letting this situation arise.
One again its the suit-geek dichotomy; because they don't want to know the technical issues and be involved in them the managers let geeks like Terry Childs have free reign and don't institute basic controls.

So when they do have to reign him in -- UPSET. They are now paying the consequences.

The city is better off without Childs, but unfortunately it would also be be better off without some of his managers too. What it does need is proper administration, of its networks and of its technical staff.

Forcing the issue may have impacted the city's use and control of its network in the short term but not in the long term.

I suspect that the situation will resolve itself with Terry Childs as the scapegoat and his managers being absolved. Our legal system has an all-or-nothing attitude towards accountability. In a just world the managers who let this happen would be punished. Knowing how government IT works they will probably be promoted.

Will the City IT institute some basic controls and policies? Possibly, but once again I'm cynical and suspect they will be specific and reactive ones rather than wise and encompassing ones that calmer minds consider as a good baseline of security management practice and staff administration.

Zemanta Pixie

Business Logic Flaws

Posted by Anton Aylward

Toronto - OWASP

This month's meeting was about layer 7 errors in web applications. Trey Ford was a fast spoken Texan and gave some good examples.

The common thread, as I saw it, was that no amount of pen testing, no amount of risk analysis would have uncovered these flaws. What they had in common was 'failure mode'. Its another FMEA situation. The designers were optimists and never conceived of the abuse and trickery that might be perpetrated.

Let me give another Layer 7 example.

One of the lists I belong to forbids Out-of-the-Office messages. If anyone is so foolish as to have one set up to respond to list messages he gets ridiculed on the list. If his message leaves other contact information, we'll contact those people and tell them of the mistake.

Other lists I'm on seem to suffer from what amounts to OotO broadcast storms. When I submit a post to them I get a flood of OotO messages that compares to my daily spam. Sending OotO response to a mailing list message is dumb in the first place, but its also a security issue. Some of these lists don't have restricted membership, so someone could join with the express intention of harvesting addresses or other inside information.

Even worse, try googling for "out of the office". Its amazing how easy social engineering can be.

Your company may mandate the use of OotO, but its most useful internally and should not be used in response to mailing lists. If you are going to use this mechanism make sure you have it set up properly.

Back in 2003, my German friend and fellow CISSP, Axel Eble, wrote a draft RFC about OotO best practices. Sadly it died without becoming an IETF baseline.

See also:
'Out of office' messages turned into spam relays

Reblog this post [with Zemanta]

Best spam *ever* …

Posted by Anton Aylward

Maybe I'm just punchy from dealing with too much real spam, but I found this hilarious.

Introducing--Penis Reduction Pills!

Shipped to you, not in the stereotypical plain brown wrapper, but in a
large box proudly labeled on all six sides. Because you wouldn't be
ordering them if you didn't need them, right? Just leave the bottle
around the house where the girl you are interested in can find them.

http://www.penisreductionpills.com/

(Note: placebos may have unintended side effects. Depending on the
context ...)

Thanks to Rob Slade for bringing this to my attention - http://victoria.tc.ca/techrev/rms.htm

Zemanta Pixie
Filed under: Humour No Comments

Don’t print this out! Its too long

Posted by Anton Aylward

BSI Germany have an extensive list of threats.

Comprehensive? Well, pretty good.
The kind of thing that could keep a client's IT staff occupied for weeks. If they had hard copy to annotate and work with.

However it is bottom-up as opposed to top down, dealing with details (aka threats) rather than FMEA - failure modes and their effects.

Its interesting that classical Business Continuity Planning works more along the lines of a FMEA than Threat-Risk Analysis. BCP identifies the business processes that are most essential and hence must be brought back into operation with the most urgency - that is what are the most critical failures that will affect the operation of the business.

The TRA approach has many flaws ranging from the fact that threats are just about infinite and mostly unknown, that vulnerabilities are infinite and unknowable, that they interact in complex ways, which boils down to playing whack-a-mole, and that there is not enough information for statistical analysis.

FMEA on the other hand identifies criticality regardless of the cause.

See also

Zemanta Pixie

Not Microsoft’s fault?

Posted by Anton Aylward

Data can leak from partially encrypted disks

"Information is spilling out from the encrypted region into the unencrypted region"

Help me here. Why would you have an only partially encrypted drive? Yes, that's easy to set up with Linux where you have many partitions. In fact failing to encrypt swap is a classical mistake.

But with Windows you have to quite explicitly set up partitions and move stuff around. The 'out of the box' default is a single partition with the system, data and swap all in the one partition. Yes, I've set up "D:" partitions and moved the user data (desktop etc) there. I've also set up a partition for the swap file. It helps with matters like fragmentation and backup management. But it takes thought, planning and deliberate action.

So why might you be keeping only part of your hard drive encrypted? I don't know.

I can imagine a Windows user who has an encrypted USB drive and a clear (as in out of the box) main drive could hit this situation, but as data leakage goes I suspect this is small fry. The 'potentially huge issue' may not be that earth shattering.

Since this is being presented at Usenix HotSec later this month perhaps it is a Linux issue. Damned journalists - so vague ... Full-Disk Encryption Is Partial Protection, Analysts Say

Zemanta Pixie

Motive isn’t necessary to convict

Posted by Anton Aylward

http://government.zdnet.com/?p=3874

There's an old joke about a man brought before the court for breaking and entering, not because he was caught in the commission of a crime but because he was found in possession of housebreaking tools - crowbars, glass-cutter and so forth.

When found guilty by the judge he said "well you better convict me for rape as well since I have the tool for that".

Professor Alan Dershowitz of Harvard Law School. This case is neither new nor precedent setting as Alan Dershowitz pointed out ... back in 1988 in this book "Taking Liberties". Some of his orther books at Amazon are listed here.

Zemanta Pixie
Tagged as: , No Comments

On Spies and inside knowledge

Posted by Anton Aylward

My friend and mentor, Donn Parker, observes:

Build your security assuming that the enemy knows as much about
your security and what you are doing as you do.

The lesson of history, InfoSec, industry, literature, warfare and politics tells us this is so.

Chapter 13 of Sun Tzu's great work, "On the use of Spies", advises:

What enables the enlightened rulers and good generals to conquer
the enemy at every move and achieve extraordinary success is
foreknowledge.

Foreknowledge cannot be elicited from ghosts and spirits; it
cannot be inferred from comparison of previous events, or from
the calculations of the heavens, but must be obtained from
people who have knowledge of the enemy's situation.

Therefore there are five kinds of spies used:

Local spies, internal spies, double spies, dead spies, and
living spies.

He goes on to say

Only the wisest ruler can use spies; only the most benevolent
and upright general can use spies, and only the most alert and
observant person can get the truth using spies.

Which is of course pandering. And then:

It is subtle, subtle!

Which is pandering still, but none the less true.

There is nowhere that spies cannot be used.

Which is also true. Hence http://privateeyespyshop.com/

Generally, if you want to attack an army, besiege a walled city,
assassinate individuals, you must know the identities of the
defending generals, assistants, associates, gate guards, and
officers. You must have spies seek and learn them.

However these days, many companies and countries publish all this information on the web. The identity theft in "Day of The Jackal" (which has been copied by many other authors since) can now be performed from the comfort of you local hot-spot equipped café or in some locals commuter train.

Zemanta Pixie
Filed under: Risk, Security No Comments

How magic might finally fix your computer -

Posted by Anton Aylward

http://redtape.msnbc.com/2008/07/cambridge-mass.html#posts

Charlatans don't bother creating detailed schemes for deception. They
just have a feel for what fools people.

Its not about technology...

Bad guys have better people skills
Criminals usually don't bother learning all the ins and out of the
technology they exploit -- they simply learn enough to be dangerous. But
they spend endless hours understanding the people they plan to fool.
Hackers long ago learned a short cut, what they call social engineering:
Why spend years trying to hack into a bank when you can just ask an
account holder to give you their name and password?

and not only that, but adding technology won't fix things.

The technologists, on the other hand, tend to fight this battle with one
hand tied behind their back. They generally spend most of their time
studying technology, learning all its nooks and crannies from the ground
up. They write careful research papers following the strict rules of
scientific method. They must spend endless hours defend their findings
against all comers, and they can't hurt anyone while conducting studies.
They know the technology well, but they have little time to sit around
understanding how people work.

I've been saying for over a decade that InfoSec qualifications should focus on psychology and sociology and business rather than technical matters, but exams & qualifications such as CISSP, CISA, CEH, and SANS focus on technical matters.

Part of this is "the metrics problem". We focus on what can be measured, the "if you can't measure it, you can't manage it" myth that started with Taylorism and has been promulgated by people who only see the numbers side of Deming's principles. His "System of Profound Knowledge" advocated that all managers need to have a deep understanding
of psychology and human nature. His famous "14 points" are about attitudes towards management of work, not about numbers; in fact he was against many 'numbers' such as quotas. He viewed managing by numbers to be a "deadly disease", along with an emphasis on short term results (more number-keeping), and relying on technology to solve problems that are really based in the organization, management and psychology of the workplace and corporation.

So how do we actually manage? How we evaluate people and their work?
How do we grant certifications and issue awards? How do we solve our business problems?

The media says that InfoSec is a growing market. I wonder sometimes if that growth isn't in the sales of appliances - throwing technology at the problem and resisting the changes that are really needed, changes in organization, attitudes and management.

Zemanta Pixie

When did you last update your browser?

Posted by Anton Aylward

http://www.theregister.co.uk/2008/07/03/browser_insecurity_survey/

I gather than flaws browsers account for a lot of attacks, arising from malware and spyware that gets 'snuck in' by various methods such as XSS.

Lets be realistic, though; the browser isn't the only avenue by which a user's workstation can be infected - I'll leave servers out of this for the moment. Updating other key components of the operating system are important as well. But patching is more difficult in some systems than others, and some vendors & developers are more aggressive about updating their baseline than others. Which could also reflect the complexity and modularity of their products. What was that about complexity being the enemy of security?

Unsurprisingly the study concluded that update features within differentMozilla Firefox
browsers played a key role in determining how quickly users update their
software. Firefox users "typically updated" within three days of the
availability of a new security update. Opera users averaged around 11
days before patching their browser while some IE users are still stuck
on IE6 a year and a half after the release of IE7.

So that makes me one of the 'good guys', a Firefox user. Actually I update my plug-ins 'same day' - which might actually be a risk if they are not well tested. But that point is always a risk, and is the reason why some companies such as Intel, are staying with XP rather than upgrading to Vista. (Ever?)

The study found that Firefox users were the most diligent in applying
security updates, with 83.3 per cent using the latest version. Less than
half (47.6 per cent) of IE users used a fully patched version.

Now lets be fair, not everyone has control over what they use.

"I think it may be a little unfair for many IE users to be grouped in
the 'less diligent' bucket because they're stuck to using IE5 or IE6 for
compatibility issues with their corporate applications but, quite
frankly, in this climate of commercial mass-defacements, 'unfair' isn't
going to keep them safe," Ollmann writes.

As it says in the article I've referenced ...

A white paper on the study, Understanding the Web browser threat, can be
found here.

Zemanta Pixie