Thursday, August 30, 2007

SSL testing: Foundstone's SSLDigger


If you're required to be PCI-DSS compliant, or you just want to check the SSL settings for your site, Foundstone provides a great free tool: SSLDigger. It checks certificate details, encryption and cipher settings, and is generally a good way to double check your SSL setup. Note that it does require the .NET package to be installed first.
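For readers who want to script the kind of check the post describes, here is a small TLS configuration assessment in Python. It is an added example, not code from the original post and not part of Foundstone's SSLDigger: it records the certificate details and the negotiated protocol and cipher for a server and grades them against a policy. The policy thresholds (acceptable protocol versions, weak-cipher markers, minimum key size) are this example's own assumptions, and `assess` is separated from the network code so the grading logic can be exercised on constructed certificate data.

```python
"""Added example, not part of the original post or of SSLDigger: capture a
server's negotiated TLS parameters and certificate and grade them against a
simple policy. The policy values below are assumptions chosen for this
illustration."""
import socket
import ssl
from datetime import datetime, timezone

# Assumed policy: substrings that mark a cipher suite as weak (RC4, DES/3DES,
# NULL and export suites, MD5 MACs, anonymous DH/ECDH).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ADH", "AECDH")
MIN_KEY_BITS = 128                          # assumed minimum symmetric key size
ACCEPTABLE_PROTOCOLS = ("TLSv1.2", "TLSv1.3")  # assumed acceptable versions


def hostname_matches(hostname, names):
    """Compare a hostname against certificate names, allowing one wildcard in
    the leftmost label only (e.g. *.example.com). Case-insensitive."""
    host = hostname.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                  # ".example.com"
            label = host[:-len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:     # wildcard covers exactly one label
                return True
    return False


def cert_names(cert):
    """Collect DNS names from the dict shape returned by SSLSocket.getpeercert()."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def assess(hostname, protocol, cipher, cert, now=None):
    """Return a list of finding strings; an empty list means every check passed.
    `cipher` is the (name, protocol, bits) tuple from SSLSocket.cipher() and
    `cert` is the dict from SSLSocket.getpeercert()."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if protocol not in ACCEPTABLE_PROTOCOLS:
        findings.append(f"legacy protocol negotiated: {protocol}")
    name, _, bits = cipher
    if any(marker in name for marker in WEAK_CIPHER_MARKERS):
        findings.append(f"weak cipher suite: {name}")
    if bits < MIN_KEY_BITS:
        findings.append(f"cipher key too short: {bits} bits")
    # notAfter arrives as e.g. "Jan  1 00:00:00 2010 GMT"; the ssl module parses it.
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    if not_after < now:
        findings.append(f"certificate expired on {cert['notAfter']}")
    if not hostname_matches(hostname, cert_names(cert)):
        findings.append(f"certificate does not match hostname {hostname}")
    return findings


def check_server(hostname, port=443, timeout=5.0):
    """Connect with the default (verifying) context, capture the negotiated
    parameters and certificate, and grade them. An untrusted chain surfaces as
    an ssl.SSLError rather than being silently accepted."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return assess(hostname, tls.version(), tls.cipher(), tls.getpeercert())


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    for finding in check_server(host) or ["no findings"]:
        print(finding)
```

Run it as `python tlscheck.py yourhost.example` to grade a live server; the `assess` function can also be fed saved `getpeercert()` output to re-grade a recorded handshake without reconnecting.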

Wednesday, August 29, 2007

Email bomb threats

The Indiana Daily Student is carrying an article about an email bomb threat to Indiana University's Bryan Hall. The University of Iowa received a similar threat and noted that other universities are receiving these threats as well. With email bomb threats spreading, it is useful to note that the email was sent with specific details - to a dean and threatening Bryan Hall in the case of IU, and threatening the library at UI. In addition, the article notes that the email was sent through an anonymous service. This is the modern-day equivalent of phoning in your bomb threat from a payphone.

I've seen old-style phone-in bomb threats shut down classes and campus buildings for hours at a time. With the heightened security response from many schools in a post-VA Tech mode, emailed bomb threats have a significant chance of disrupting school activities. As the school year starts, it will be interesting to see if this is just the beginning of a trend. Hopefully this won't become widespread - targeted availability attacks like this can wreak havoc on campus schedules and events.

Now is the time to review your emergency communications plan - can you communicate effectively to your staff, students, and other community members? Do you have evacuation plans for buildings?

Monday, August 27, 2007

Dial an Identity Thief: a story from the front lines

A co-worker was kind enough to share his story of attempted identity theft today:

I received an interesting phone call on my office phone this morning.

The caller claimed to be with the 'recovery department' of a company in New York. The caller spoke English very poorly and the connection was noisy, so I never did figure out the name of the company he supposedly represented.

The caller claimed to be calling about $650 that was supposedly withdrawn from my account (not sure what kind of account, or where) several years ago, apparently without my permission. He wanted to confirm some information, so he could return the money to me. He was difficult to understand, but I am fairly certain that he said he needed my credit card number.

We went around and around for several minutes, as I tried to figure out who he supposedly represented and how much information he already had. I finally told him that if he knew how to reach me by phone, he should also know how to reach me by mail, and he should simply send me a check.

Callerid on my phone reported that the call originated from 1234567890. That number is completely bogus. The caller was probably using an internet phone; it is relatively easy to fake callerid with an internet phone.

My thanks to the co-worker for giving permission to post his story. The moral of the story here is to always ask questions, to not give up information without verification, and to always know the identity of your callers. How would you respond to a call like this? What would you do if the callerID had matched a local bank instead of a number you didn't recognize?

I normally advise people to call the company back - ask for a number that you can verify on their website and call that number. If they can't provide that information, ask them to send you more information using your contact information on file. And, as always, the FTC identity theft website is a great resource. While you're at it, you may also want to check out the Privacy Rights Clearinghouse.

Thursday, August 23, 2007

So you want an IT job?

Readers here know that Richard Bejtlich's Taosecurity is a favorite read for me. On Tuesday, he posted "What Hackers Learn that the Rest of Us Don't", and included a bit of commentary about his views for hiring IT staff.

I've had the pleasure of working with IT staff from a variety of backgrounds, from the computer lab IT guy who was a fine arts major, to the gifted Windows admin with a marketing background. They have taught me that a CS degree or an MIS degree frequently isn't the best indicator of suitability to the job. One infamous quote from a CS major undergrad that I knew was "I don't care how the computer works, I just program for it!". That's the same as "I don't care about edge cases, it works most of the time!", or other quotes that scare security folks every time we hear them.

As Bejtlich points out, native curiosity and interest - paying attention to the edge cases and the little details - are some of the things that can make a hacker successful. The same goes for hiring an IT professional. During the past few years, I've developed a short list of things that I look for when hiring:

  • Curiosity - if I mention a new technology, technique, or other area of interest, does the candidate ask questions, and do they absorb knowledge?
  • Passion - not everybody can go home and play with things for the entire night, but do they actively enjoy doing what they do? Do they want to do it? I tend to ask candidates what their home network looks like, and how they're securing it. I ask what they'd like to play with, and what opportunities they've had and what they've enjoyed.
  • Laziness - not the bad kind, but the right kind. I look for someone who does it right once, rather than badly over and over again.
  • Active learning - are they expanding their knowledge, either formally via courses and training, or informally by tinkering?
  • Active pursuit of knowledge - far too many candidates come in who read a security magazine once a month to stay in touch. That's not a useful way of staying up to date in the modern security world. Ask your candidate what they read to stay up to date, and what mailing lists they're subscribed to. I look for depth and breadth of knowledge seeking.
  • Personality - can they make and take a joke? Can they deal with users? How do they come across?

So, what do you look for in an IT candidate? And how does a security professional differ?

Tuesday, August 21, 2007

Your password must be at least 18770 characters long

Courtesy of Digg, the next time your users complain about your egregious security policies, point out this handy Microsoft KB article regarding Windows 2000 authentication against an MIT Kerberos domain.

The specific message returned is:

"Your password must be at least 18770 characters and cannot repeat any of your previous 30689 passwords. Please type a different password. Type a password that meets these requirements in both text boxes."

Who says that 30-day password changes and 8-character minimums are so bad? This is almost as much fun as Compaq's "Where do I find the any key" article.

Monday, August 20, 2007

Snuggly the Security Bear

Martin McKeay's Network Security Blog has a link to Mark Fiore's Flash animated Snuggly the Security Bear in Aye Spy. It is an amusing commentary on the current state of wiretap laws. Send this one on to your security industry friends!

Friday, August 10, 2007

365Main - an example of great disaster recovery communications

Even if you weren't affected by the 365Main power outage, you should read the status update posted by their president.

There are a few things to note here:

  • The entire event is broken down with technical detail.
  • Details of problem solving, maintenance, and testing are all available and relatively transparent - thus providing customers with detail about the event.
  • The tone is professional and communicates issues and events clearly.
  • Customers are reminded of what recompense their contract provides for them.
  • There is a clearly explained troubleshooting process.
  • There is a clearly explained plan to prevent future issues.
  • The data is being made available to other data centers to help prevent similar issues elsewhere - thus giving back to the community.

Also worth noting is that the status has been regularly updated, and that each update includes current information and future steps.

If you are ever in a recovery situation, this is a great example of after action communication to follow.

On the technical side, remember that simply having backup power may not be enough. Many of the customers whose power was interrupted would have continued to function if they had dedicated UPS units, but without power to their network uplinks they might not have been able to reach the outside world, even with power to the machines themselves.

Thursday, August 9, 2007

Certifications and pay

A recent Computerworld article points to an increase in salary for information security practitioners with certifications. Despite questions about the usefulness of some certifications - Bejtlich's take on the CISSP is a great example - they're still required or desired for many positions, and the article notes that the CISSP is amongst the most valuable certifications - at least from a pay perspective:

"Among the certification programs commanding the highest premiums were Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM)"

How does this negative view of the CISSP from respected industry folks like Thomas Ptacek and Richard Bejtlich fit with a high value for the CISSP? For one, more senior IT staffers are getting the CISSP. The oft-maligned "mile wide, inch deep" coverage is well suited to the broad view of management. Similarly, the CISSP's experience requirement helps, but doesn't guarantee, more time in the field, and thus one would expect a correlation to higher wages.

More technical certifications, such as many of the SANS paths (GIAC, GCIH, and such), are more likely to be found in the hands of technically oriented professionals. The value of those certificates is definitely there, but the correlation to higher wages may not be as easy to show - fewer senior managers and C-level positions are likely to hold the SANS technical certifications.

Where does that leave us as professionals? Well, for one, the government is requiring more certifications. Per the article, there is a "Department of Defense directive which requires over 100,000 security professionals in certain specific job roles to be certified within a five year period" which will drive certification for many in the public sector. Second, compliance requirements dealing with PCI, HIPAA, FERPA, the GLBA, SOX, and other standards mean that companies are looking for security staffers - and certifications are an easy filter for HR.

Given those trends, a certification may just be a good route to a few dollars more on your paycheck, or into a new job - if your friends give you a hard time, tell them to think of it as analyzing and exploiting the system.

Google's new Case The Joint program

Google's Streetview provides a useful service - it shows you pictures of where you're going. Despite privacy questions, there is definitely a benefit to knowing what the building you're looking for looks like.

Now Google is introducing a program called the Google Local Business Referral program. You can become a representative and...

As a Google Business Referral Representative, you'll visit local businesses to collect information (such as hours of operation, types of payment accepted, etc.) for Google Maps, and tell them about Google Maps and Google AdWords. You'll also take a few digital photos of the business that will appear on the Google Maps listing along with the business information.

(Emphasis mine)

If you've ever done physical security evaluations, you know that having a good excuse to get in and take pictures is very handy. Well, here's a great opportunity - and you can get paid for it afterwards.

Is that a bit paranoid? Possibly. Will we see a rash of people noting that you can case the premises using Google's data? Also possible. The important thing is - does it increase risk? Yes - for some businesses such as banks and other high-security locations that don't want the general public to be able to check where their security cameras are by doing a Google search. Those same risks exist with a camera-phone-carrying public, but that requires physically visiting the location.

Just be careful when someone knocks on your door and mentions that they're with Google Houseview...