Monthly Archives: July 2015

Are You There Business? It’s Me, Information Security

Are you there Business? It’s me, Information Security. We need to talk. I know you’re busy generating revenue and keeping the lights on, but we’ve got some critical matters to discuss. I feel like everyone hates me and thinks I’m a nag. Every time I want to talk to you about patching and vulnerabilities, I’m ignored. I’m so scared, because I’m always trying to secure the network so the bad guys don’t get into it, but no one wants to help me make sure that doesn’t happen. Honestly, I don’t feel heard. It seems like everything is about you all the time. I get it. I wouldn’t have a job without you, but I really need to feel respected in this relationship. Because let’s be honest with each other for once, if you’re breached, I’m probably the one that’s getting fired.

I understand that you don’t always remember passwords, which is why you write them down or use your pet’s name. I know that it takes a lot of time to follow rules that don’t always make sense. But this is important, so could you find a way to work with me? I’d really appreciate it, because I feel so frightened and alone.

Yours Truly,

Infosec

P.S. Could you please stop using the word “cyber” in everything? I really hate that term.

P.P.S. And yes, I’m blocking porn because it really does have malware. But also because HR told me to. So please don’t get mad at me.


The Physical Layer: Networking’s Fifth Circle of Hell

Recently, Pope Francis made headlines when he called unrestrained capitalism the “dung of the devil.*” I’m betting he’s never been a network engineer dealing with negotiation issues.** Problems at the physical layer always seem to be the most painful, mostly because you think, “Dammit, I should have known better!”

These thoughts come after the third in a series of attempts to insert a Vendor’s network packet broker bypass module inline at my $dayjob. Vendor requires and only supports manual configuration of the GigE LX fiber ports, but we couldn’t get this to work. It was infuriating, because we seemed to have link, but the dB loss was too high.

I should mention that in most of my previous jobs, the network team always managed the perimeter router. But not in this shop. Unbeknownst to me, the demarcation point, a port on a router, was set to auto-negotiate. This wasn’t identified in the diagram and was only discovered after lots of yelling by a cast of thousands, including multiple representatives from the Vendor, in a server room late at night. This issue was finally resolved by opening a case with the service provider and requesting that they hard set the uplink port on the managed router.

The situation was infuriating. I woke up at 5:00 AM the next morning with a bad case of nerd-rage. I needed to find a target for my anger, so I went to Google to help me direct this justified (so I thought) apoplexy. I started reading through the IEEE standards on Ethernet and 1000BASE-X, even finding an “interpretation” document. This just made me more irate.

18.3.1.8 Auto-Negotiation
The Auto-Negotiation algorithm of Clause 28, while the preferred method for the determination of half or full duplex operation, is not currently defined for fiber MAUs.
Manual configuration, while not recommended for copper-based MAUs, is the only practical choice for fiber implementations. Connecting incompatible DTE/MAU combinations such as a full duplex mode DTE to a half duplex mode MAU, or a full duplex mode station (DTE and MAU) to a half duplex network, can lead to severe network performance degradation, increased collisions, late collisions, CRC errors, and undetected data corruption.

Point – Vendor

37.1.4.4 User Configuration with Auto-Negotiation

Rather than disabling Auto-Negotiation, the following behavior is suggested in order to improve interoperability with other Auto-Negotiation devices. When a device is configured for one specific mode of operation (e.g. 1000BASE-X Full Duplex), it is recommended to continue using Auto-Negotiation but only advertise the specifically selected ability or abilities. This can be done by the Management agent only setting the bits in the advertisement registers that correspond to the selected abilities.

Point – Mrs. Y. The Vendor doesn’t support this option.

Interpretation for IEEE std 802.3-2002 #1-11/02 (1000BASE-X Auto-negotiation)

The standard clearly states in the second paragraph of subclause 37.2.5.1.1 Control register (Register 0), “When manual configuration is in effect at a local device, manual configuration should also be effected for the link partner to ensure predictable configuration.”
Hence, if this recommendation is not followed and a link has manual configuration in effect at a local device but not at the link partner, or the reverse, the resultant link configuration can not be predicted.

Point – Vendor

Final Decision: I will direct my righteous indignation at the IEEE. I spent over two hours going through reams of documentation to find this information and I’m still confused by which is the “best practice.” Is it any wonder that vendors and network professionals still argue about the standards?
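To make the three cases in those clauses concrete, here is a small added model (my own illustration, not text from the IEEE standard or the Vendor’s documentation) of how two 1000BASE-X link partners end up configured. It assumes the Clause 37 base-page layout for the advertisement register (bit 5 = full duplex, bit 6 = half duplex) and ignores the pause, remote-fault, acknowledge and next-page bits to keep the model small.

```python
"""Model of 1000BASE-X link configuration outcomes (added illustration).

Assumption: Clause 37 base-page advertisement register, bit 5 = FD and
bit 6 = HD; other bits are deliberately ignored in this simplified model.
"""

FD = 1 << 5  # full-duplex ability bit in the advertisement register
HD = 1 << 6  # half-duplex ability bit in the advertisement register


def advertisement(full=True, half=True):
    """Build the advertisement register value for the selected abilities.

    37.1.4.4: keep Auto-Negotiation on, but set only the bits for the
    abilities actually selected (e.g. advertisement(full=True, half=False)).
    """
    return (FD if full else 0) | (HD if half else 0)


class Port:
    def __init__(self, name, autoneg, advertise=FD | HD, forced="full"):
        self.name = name
        self.autoneg = autoneg        # True: Auto-Negotiation enabled
        self.advertise = advertise    # register 4 bits, used if autoneg
        self.forced = forced          # manual duplex, used if not autoneg


def link_outcome(a, b):
    """Return (status, duplex) for two link partners a and b."""
    if a.autoneg and b.autoneg:
        # Both negotiate: highest common advertised ability wins.
        common = a.advertise & b.advertise
        if common & FD:
            return ("up", "full")
        if common & HD:
            return ("up", "half")
        return ("down", None)                 # nothing in common, no link
    if not a.autoneg and not b.autoneg:
        # Both manual (37.2.5.1.1): predictable, but only if they agree.
        if a.forced == b.forced:
            return ("up", a.forced)
        return ("up", "mismatch")             # 18.3.1.8: late collisions, CRC errors
    # One manual, one auto-negotiating: Interpretation #1-11/02 says the
    # resulting configuration cannot be predicted.
    return ("unpredictable", None)


if __name__ == "__main__":
    vendor = Port("bypass-module", autoneg=False, forced="full")
    demarc = Port("provider-router", autoneg=True)
    print(link_outcome(vendor, demarc))       # the late-night server room case
    demarc.autoneg = False                    # provider hard-sets the uplink
    print(link_outcome(vendor, demarc))
```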


*Devil Dung would be a great name for a punk rock band.

** And please don’t flame me over referencing Pope Francis. He seems like a cool guy with a good sense of humor. I don’t think he’d mind.


Meetings: the First Horseman of the Apocalypse

While browsing the Interweb for daily threat intelligence this morning*, I found an interesting research paper, “Meetings and More Meetings: The Relationship Between Meeting Load and the Daily Well-Being of Employees.” Anyone with some amount of seniority in IT is familiar with the concept of “death by meeting,” so I was excited to find scientific research (!) confirming that meetings are the soul-sucking creation of Satan.

Meetings are an integral part of organizational life; however, few empirical studies have systematically examined the phenomenon and its effects on employees. By likening work meetings to interruptions and daily hassles, the authors proposed that meeting load (i.e., frequency and time spent) can affect employee well-being. For a period of 1 week, participants maintained daily work diaries of their meetings as well as daily self-reports of their well-being. Using hierarchical linear modeling analyses, the authors found a significant positive relationship between number of meetings attended and daily fatigue as well as subjective workload (i.e., more meetings were associated with increased feelings of fatigue and workload).

No shit, Dick Tracy. Every morning I check my calendar with trepidation, wondering how much of my day will be wasted watching pointless Powerpoint presentations, the “jazz hands” of the modern workplace. How often will I be forced to feign attention as leadership drones on about strategy? Then I realized that civilization will not be destroyed by weapons of mass destruction or global warming, but with meetings. As T.S. Eliot said,

This is the way the world ends
Not with a bang but a whimper.

It seems appropriate to end with an xkcd comic on the topic.

Meeting from xkcd.com

*Who am I kidding, I was watching silly videos like “The Running of the Pugs.” I blame Adobe Flash, not just for being insecure, but as the harbinger of time-wasting.


Cognitive Dissonance and Incident Response

“In psychology, cognitive dissonance is the mental stress or discomfort experienced by an individual who holds two or more contradictory beliefs, ideas, or values at the same time, or is confronted by new information that conflicts with existing beliefs, ideas, or values.”

Festinger, L. (1957). A Theory of Cognitive Dissonance. California: Stanford University Press.

For your consideration, what follows is the hypothetical discussion between a Pointy Haired Fearless Leader and a Security Analyst regarding the possibility of an organization’s large, web application having been breached. The Frankenapp in question was creatively duct-taped together around the same time that dinosaurs roamed the earth. All characters appearing in this work are fictitious. Any resemblance to real persons living or dead, is because truth is often much funnier than fiction.

SA: There’s a possibility our Super Amazing Custom Web Application has been breached.

PHFL: (Breathes into paper bag while starting to hyperventilate. In between breaths) How did this happen?!

SA: Same way it always does. A user was phished.

PHFL: But why didn’t our Extraordinarily Powerful Security Tools that cost $$$$$ stop this?!

SA: Because they don’t always work. Especially when they don’t have all the data necessary to identify malicious activity.

PHFL: But we paid $$$$$ because the vendor said it would stop APTs!

SA: This isn’t an APT.

PHFL: But we have Super Powerful Web Application Firewalls!

SA: They’re still in learning mode, because the web developers won’t work with us to identify false positives. And a WAF won’t detect phished credentials. We need multi-factor authentication to prevent this.

PHFL: But MFA annoys the users. What about the network firewalls?!

SA: Our firewalls wouldn’t have caught this and our web filtering system hasn’t worked for months.

PHFL: Do we know what accounts were compromised?

SA: We don’t have enough data. We don’t really have many application logs and the ones we do have aren’t being sent to the SOC to be correlated.

PHFL: Why wasn’t I told about this tragic and desperately horrible situation?!

SA: I’ve been telling you every week since I took the job. I even hired someone to sky-write it twice. I’m also working on an off-Broadway musical called, We’re About to be Pwned Because Our Visibility Stinks and Our Security Tools Are Broken.

PHFL: Well, this is clearly your fault.

Dilbert On Incident Response


Security Karma

The Hacking Team debacle continues to make life miserable for defenders everywhere. Any vestige of organizational good will I may have built up over the last year is gone after issuing five emergency patch requests over ten days. I’m exhausted and still wondering how many more 0-days are lurking around the corner.

The compromise was epic, with hackers releasing approximately 400GB of data, including thousands of internal emails and memos which were posted on Wikileaks. Reuters reported that all this mayhem was caused by six disgruntled former employees who also released Hacking Team source code. Frankly, I don’t have much sympathy for David Vincenzetti and his circle of douchery that includes government clients using Hacking Team’s brand of malware to spy on dissidents. While following the story, a Confucian proverb came to mind: “When you ride a tiger, it’s hard to get off.”

And so it has been for The Hacking Team, now bitten by that proverbial tiger and broken, a casualty of their own hubris. Whether they can recover from this disaster is questionable. Their arrogance is surpassed only by that other sad sack of the security industry, HBGary, taken down by Anonymous.

There is a story of a soldier who went to see a famous Buddhist Monk, Ajahn Chah, to ask why he had been shot on the battlefield. Why had he been chosen to suffer, was it something he had done in a past life? Ajahn Chah answered that it was the karma of a soldier to be wounded. The real meaning of karma isn’t punishment, it’s simple cause and effect. With the Hacking Team it’s a case of security karma: they chose to enter the arena of offensive security and use the tools of attackers for questionable purposes. By doing so, they increased the odds that they would themselves become an object of retaliation.


Security’s Bad Boys

This week’s latest stunt hacking episode seemed to cement the security community’s reputation as the industry bad boy. The Wired car hacking story demonstrated an absence of the responsible disclosure most security researchers strive to follow. While the story indicated that Miller and Valasek have been working with Chrysler for nine months and that they’re leaving out a key element of the published exploit, there’s still going to be enough left to cause some mayhem when released at Black Hat USA next month. Moreover, the story’s writer and innocent bystanders were often in harm’s way during the demonstration on a major highway in St. Louis.

The annual Black Hat conference in Vegas is an adult version of “look what I can do” for the security set, perfectly placed in the city’s carnival atmosphere. A grand spectacle where every breaker competes to get Daddy’s attention by taking apart the toaster, or car in this case. The media loves this stuff and floods outlets with paranoia-inducing stories the few weeks before and during the conference. What’s so disturbing about these events isn’t the frailty of our technology-enabled stuff aka “Internet of Things,” but the need for a subset of people to focus on its faults. The typical rationale from many of these researchers for their theatrical, hype-infested releases during Black Hat and other security conferences is that they can’t get any attention from manufacturers when going the path of responsible disclosure. I would argue that this behavior is more about ego than concern for the safety of consumers, because there are plenty of principled researchers, quiet heroes who slog along filing bugs with vendors, unknown and overlooked by the general public.

Most idiots can blow up a cathedral with enough C-4. But it takes a Bernini or Michelangelo with hundreds of talented, dedicated artisans to design and build one. People who will never be remembered by tourists standing in the middle of St. Peter’s, glorying in the majesty of such an achievement.

St. Peter's


Dear Flash, It’s Over

Dear Adobe Flash,

It’s probably insensitive of me to do this in a blog post, but I can’t trust myself to be alone with you anymore. The relationship started out great. Those cute kitten and puppy videos would get me through the most stressful days, when I just needed to turn my brain off after a day of navigating the network poopfest at work. I wish we could go back and start over again, but after three patches in a week, I’m done. This just isn’t working for me anymore. Okay, I know we could still have some fun times, but I simply don’t feel safe with you anymore. So I’m going to have to end it. And to be clear, it’s not me, it’s you.

P.S. I’d just like to point out the irony of a recent Wired article, “Flash.Must.Die.” It has a Flash popup.



Mythology and the OPM Hack

Seems like every security “thought leader” on the planet has commented on the OPM hack, so I might as well join in.

Although the scope of the breach is huge, there’s nothing all that new here. In fact, it’s depressing how familiar the circumstances sound to those of us who work as defenders in an enterprise. For the moment, ignore attribution, because it’s a distraction from the essential problem. OPM was failing security kindergarten. They completely neglected the basics of rudimentary security: patching vulnerabilities, keeping operating systems upgraded, multi-factor authentication for accessing critical systems, intrusion detection.

Being on a security team in an organization often means that your cries of despair land on deaf ears. Much like a mythical figure named Cassandra. She was the daughter of the Trojan king Priam and greatly admired by Apollo, who gave her the gift of prophecy. When she spurned his affections, he converted the gift into a curse. While her predictions were still true, no one would believe them.

As a recent Washington Post story reminded us, many in security have been predicting this meltdown since the 90’s. Now that IT has become a critical component of most organizational infrastructures, there’s more at stake and we’re finally getting the attention we’ve been demanding. But it may be too late in the game, leaving worn out security pros feeling like the Trojan War’s patron saint of “I told you so’s,” Cassandra.

Cassandra on TVM
