Monday, December 19, 2011
The twelve days of Hackmas
On the twelfth day of Hackmas, the Twitters gave to me:
12 bad predictions
11 vendors hyping
10 drunken podcasts
9 scammers scamming
8 raids on banking
7 bots a calling
6 geeks a playing
5 SCADA flaws
4 carding sites
3 backdoors
2 SQLi
and an 0-day from Adobe.
Wednesday, December 7, 2011
What is wrong with Infosec as an Industry?
I contend what is wrong is because so many people try to answer that question with only one thing.
I couldn't count on all my fingers and all my toes (even if my good Southern US upbringing leaves me with an extra) the number of things that are actually wrong with something as broad and complex as the Information Security Industry. But I tried. I really did. I even thought about submitting to a conference as a talk.
But, the CFP for Shmoocon has passed, and krypt3ia's Zero Sum Game got me thinking, maybe I ought to say it just in case anyone wants to read it. So, here it is.
The problem is the norm. We need to normalize security. Institutionalize it. It has to be ingrained in our thinking, in our tools, in our processes, and in our society. Law enforcement, legislators, business leaders, end-users, technology leaders, innovators, lawyers, hackers, security wonks, systems engineers, and support staff have all got to work together to break the ennui.
It's not about breaking things in new and creative ways to scare people into doing what you know is best.
It's not about finding The One True Risk (although watching Donn and Alex fight is pure entertainment, ain't it?)
It's not about establishing the right touchie feelies with end-users because they clearly just don't understand why they need to act differently (this hasn't worked on making fat people go to the gym, so why do we think it's going to work for people's passwords?).
It's not about pushing people down the stairs and laughing at them in a pentest (Thank you, Nickerson for that analogy).
It's not about finding the right magic bullet software/hardware that runs itself.
It's not about spending more on test (because, realistically, your code has nothing on the combined power of a million under-employed Aspies who hate your company).
It's not about hiring people with the right certification.
It sure as hell isn't about creating a Governance, Risk, and Compliance organization and setting it as far as possible from the people who actually have to secure your systems and implement your technology solutions.
And let's face it, the plethora of gerrymandered "research" and buzz being relentlessly peddled to decision makers is fostering a generation of junk decisions.
You simply cannot focus on any one area and say "bam. Infosec is fixed!" And tearing it all out and starting over is expensive (at least if you do it all at once). Security is everyone's problem, and everyone needs to be involved and to have buy-in in order for it to succeed.
The infosec community needs to establish better inroads in development communities and professional organizations for systems administrators. Build relationships with schools to have security concepts integrated into the curriculum (yes. We're getting there). Build secure alternatives or secure libraries for easy use. Contribute to the solution instead of bitching about the problem.
Share information to feed the risk models and grow the research. It doesn't matter if you think it's snake oil. Information sharing is key to getting us better.
User awareness initiatives are good, but don't rely on an annual CBT to keep you safe. Focus on fostering a culture of security, not just an awareness. Build better relationships with Business Schools who are training entrepreneurs and business leaders. Show them how building in a culture of security saves money in the long term. Teach them how to navigate security for themselves instead of managing via airplane magazine.
Mature our frameworks. Make them easier to use and understand. Foster adoption of these frameworks with relationships within the government, within professional organizations, among corporations, and with educational authorities. Continue to feed and grow infosec mentor and internship programs! These are vital. The infosec attitude of "I learned it by doing it, I am not going to enable other people's laziness by spoonfeeding them" is self defeating. Spoon feed people. Even a rudimentary grasp of the right concepts is better than letting ignorance reign absolute.
The infosec community needs to stop thinking of security as "you can't do that!" and start thinking of it as "what technology will let you do that safely?" Work with vendors or spend more time on producing and sharing more software that enables use, not just breaks things.
And Vendors? Find the need and work with your customers to solve it. Don't sell solutions to problems people don't have. Stop trying to convince people they have problems they don't. Trust me, there is plenty of room for earnings in this very real space without selling people a bucket of gak and calling it a wrench. "But it's more flexible!" doesn't confound overworked people any less, and your professional services tend to suck.
This is an uphill battle. It shouldn't be. But, the reason it is, is because all of the involved parties aren't starting with the same common understanding. I don't think "stupidity, laziness, fear, and greed" are the best categories to describe the human part of the problem. First and foremost, doing something because someone else tells you that you must do it is a terrible reason. Do things because you want to do them, or because you believe in them and it's the right thing to do.
Corporations and individuals (let's skip that debate about corporate personhood) who choose not to use secure practices do so because they don't believe in them. Either, they believe "that will never happen to me," or they believe they're simply bullshit.
There's more monetary incentive to work solo and break something once than to work with a bunch of people to fix something and support it forever. Well, in general. I bet you HD Moore could give a strong argument to the contrary. But, since what we've got is generalities, let's go with that.
Breaking shit is "cool" and cracking is magical. It's all about your own rules, and sticking it to the man! Revolution is the final form of accountability in broken systems where all else has failed. And it's too easy not to get punished with law enforcement agencies being forced to choose which cases to investigate based on where the most money was lost. Fixing stuff, documenting it, and sharing it is the province of nerds. We have a cultural problem.
The problems are deeper and run to the core of how we think about things and how we do things from the base up. So, next time you want to get on a jag about what's wrong with the Information Security Industry, pause for a minute to consider the complexities and choose where you want to help fix it instead of taking the easy way out and assigning the blame on someone else.
Tuesday, August 16, 2011
Why passwords really suck
RE: http://securitynirvana.blogspot.com/2011/08/xkcd-936-discussion-continues.html?m=1
First: It's a comic. It's meant to be funny. Why the fuck are we over analyzing this?
Second: People don't use shitty passwords because they can't remember good passwords. People use shitty passwords because they don't care, because they think no one will ever crack THEIR passwords, or because they're crap typists.
Therefore, any content below can only be pedantic.
Per Thorsheim has far more experience than me in this space. But, I've always been too stubborn or too stupid not to argue with people based on that.
I'll go ahead and admit that I am a sad American monoglot. My pathetic failure to achieve fluency in any other language cripples my ability to debate the security of Norwegian passwords or Russian passwords or, gods forbid, Chinese passwords with their variant character sets and vocabularies. So, I'll stick with what I think I know (which isn't much), and talk about American.
I do my good friends from the United Kingdom the favor of admitting this isn't the same as English.
Wolfram Alpha tells Mr. Thorsheim there are 600,000 words in the Oxford English Dictionary 2nd edition. I'm going to go out on a limb and suggest, if you can find a hundred Americans who know all 600,000 words in that dictionary, much less use them on a common basis, you might want to visit Las Vegas and put it all on red.
I'm not a developmental psychologist, and as it's seven PM on a Tuesday, I'm also a pretty lazy researcher. But, since the standard was set at Wolfram Alpha, that bar is fortunately low.
Wikipedia (see how I did that?) tells me there are two types of vocabulary: Productive and Receptive vocabulary. That's a fancy way of saying there are words you recognize if you hear them or if you see them, but you're not likely to actually use them. The kind you use are in the productive category, and that's stereotypically a smaller subset than the kind you recognize.
Now, of the words people actually use, there are words that are more common than others. For example, there is an occasion to use a word like herpes. Most people know it. Most people have used the word at least once in their lives, hopefully in jest. But most people don't use the word herpes very often.
I say most people because of the company I keep. As a good Southern Girl, I tend to stay away from shady bars and navy bases (no offense, sailors).
So, we assume that, if you take a person's entire vocabulary, their productive vocabulary is a subset portion of that vocabulary, and commonly used vocabulary is a subset of productive vocabulary. I couldn't find any scientifically supported studies that everyone recognizes as sound. But, I also live in a country where people are debating seriously whether or not the Bible should be used as a scientific text for schoolchildren.
I did find one blog that has used input from its Internet savvy readership as research about vocabulary. They compare the findings to self-reported SAT scores (and we're back to the American education system) to suggest their Internet readership isn't exactly average. http://testyourvocab.com/blog/2011-07-25-New-results-for-native-speakers.php
If nothing else, it was an interesting read. They suggested total vocabulary figures of around 26,000 words for people between 23 and 28 years of age (native American speakers).
Another (http://www.trivia-library.com/b/word-counts-and-vocabulary-usages.htm) suggested that the People's Almanac figures are closer to 3,000 words for the average person (since going to college and taking the SAT is, realistically, not an average experience when you consider the entirety of Americans).
Let's aim for somewhere in the middle and assume that a total vocabulary of around 10,000 words is fair. Subset that to extract productive vocabulary, and we can take that down to say 8,000.
Again, I can't be sure. I'm pulling numbers out of thin air. But, I'm pretty sure that the assumption that all 600,000 words are the best starting point for a crack dictionary is flawed.
You can add punctuation to increase the randomness. But when you look at GPU password cracking like http://hashcat.net/oclhashcat/#performance (that claims single system speeds of up to 6194M c/s (for NTLM)), use basic logic to assume that most people will put spaces between words (and may put a comma space between two of their words), and most people will put other punctuation at the end (and it will usually be a ?, !, or .)...
I'm not a talented enough programmer to whip up a solution to test this theory against your hash in only 14 days. But, I genuinely hope someone does. I'd be fascinated to know the result.
But, in the end, it doesn't really matter. People who are using "jennifer" or "password123" or "12345" as their passwords aren't going to stop doing so in favor of ")&$@ZVCjlmqr:;">|}=_-+" or even "monkeyshitforbrains"; that mess is just too hard to type.
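The arithmetic the post gestures at (an 8,000-word productive vocabulary versus the 600,000-word OED, spaces between words, a trailing ?, ! or ., and a single box doing 6194M NTLM c/s) is easy to carry through. The block below is an added example, not the post's or Per Thorsheim's code. It assumes the post's own numbers, assumes one separator and three terminators as the "basic logic" shape of the search, and uses SHA-256 for the toy combinator search because Python's hashlib has no portable MD4/NTLM; the four-word vocabulary and the target phrase are constructed for the demonstration.

```python
import hashlib
import itertools

# Numbers taken from the post (assumptions, not measurements).
ASSUMED_VOCAB = 8_000          # post's guess at a productive vocabulary
OED_WORDS = 600_000            # the Wolfram Alpha / OED 2nd edition figure
NTLM_RATE_PER_S = 6_194_000_000  # "6194M c/s" quoted from the hashcat page


def passphrase_keyspace(vocab_size, word_count, separator_choices=1, terminator_choices=1):
    """Number of candidate passphrases built from word_count words drawn
    (with repetition) from vocab_size words, with one of separator_choices
    separators in each of the word_count-1 gaps and one of
    terminator_choices endings (e.g. '', '.', '!', '?')."""
    if word_count < 1:
        raise ValueError("need at least one word")
    return (vocab_size ** word_count
            * separator_choices ** (word_count - 1)
            * terminator_choices)


def seconds_to_exhaust(keyspace, rate_per_s):
    """Worst-case time to try every candidate at rate_per_s guesses/sec."""
    return keyspace / rate_per_s


def days_to_exhaust(keyspace, rate_per_s):
    return seconds_to_exhaust(keyspace, rate_per_s) / 86_400


def sha256_hex(text):
    """Stand-in hash for the toy attack below (assumption: SHA-256, not NTLM)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def combinator_crack(target_hex, vocab, word_count, separators, terminators, hash_fn=sha256_hex):
    """Toy combinator attack: walk exactly the structured keyspace counted by
    passphrase_keyspace() and return the candidate whose hash matches, or
    None. The search order is word tuple -> separator -> terminator."""
    for words in itertools.product(vocab, repeat=word_count):
        for sep in separators:
            base = sep.join(words)
            for term in terminators:
                candidate = base + term
                if hash_fn(candidate) == target_hex:
                    return candidate
    return None


if __name__ == "__main__":
    terminators = ("", "?", "!", ".")  # the post's "usually a ?, !, or ."
    for label, vocab in (("8,000-word vocab", ASSUMED_VOCAB), ("600,000-word OED", OED_WORDS)):
        ks = passphrase_keyspace(vocab, 4, separator_choices=1, terminator_choices=3)
        print(f"{label}: 4 words, space-separated, 3 terminators -> "
              f"{ks:.3e} candidates, {days_to_exhaust(ks, NTLM_RATE_PER_S):.1f} days")

    # Constructed demo: a four-word vocabulary and a known passphrase.
    demo_vocab = ("correct", "horse", "battery", "staple")
    target = sha256_hex("correct horse battery staple!")
    found = combinator_crack(target, demo_vocab, 4, (" ", ", "), terminators)
    print("recovered:", found)
```

With the post's assumptions, four words from an 8,000-word vocabulary with a space between words and one of three trailing marks is about 1.2e16 candidates, roughly 23 days at 6194M c/s on one box; the same shape over all 600,000 OED words is about 3.9e23 candidates, on the order of 700 million days. Allowing ", " as well as " " between words multiplies the first figure by 8 (three gaps, two choices each), so the separator assumption matters almost as much as the word count.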
Thursday, July 21, 2011
Friday, July 15, 2011
Goats and ITSec
A local health insurance provider recently launched an ad campaign using goats to confront the highly contentious issue of health care reform. The idea is that each participant in the health care system (including health care providers, patients, lawyers, and insurers) has a different scapegoat for the rising cost of health care.
The ads are amusing, and you can see most of them on youtube: http://www.youtube.com/results?search_query=scapegoat+bcbsnc&aq=f
My point is not to popularize this campaign, but to muse that we seem to have the same sort of problem in information security.
After going to quite a few conferences, five distinct security philosophies seem to arise:
The Riskies: If executives better understood the link between security and the potential cost to business, they'd be secure!
The Feelies: If security professionals were kinder and gentler, everyone would love security and hear the message and be secure!
The Pwnies: If we break enough stuff, people will finally believe us when we say how screwed they are, and they'll get secure!
The GRCs: If we document the right policies, everyone will know how they are supposed to act, and everyone will be secure!
The Fixies: If we had the right solution, security wouldn't be so expensive, and it would be easier to be secure!
Meanwhile, a bunch of people who are responsible for budgeting and selecting solutions are too confused by the jargon, the math, the legislation, and the systems to act. "Find me a vendor that will make us secure! Or, better yet, to the cloud! Let's just make this someone else's problem!"
Each security philosophy has merits, but when is the security community going to pitch in to offer a comprehensive and comprehensible solution?
Friday, May 27, 2011
Lessons Learned for ITSec from Swearing
Swear words are only words, really. If you use them the same way you would use any other verb, noun, or adjective, they have no distinct power. Their rarity (and the way people are trained to respond to them) is what gives them their power to offend.
Lewis Black jokes that, in New York, "Fuck" isn't a swear word, it's a comma. If used in such frequency, I am certain the reaction to it is significantly less interesting than if you were to utter it in the middle of a small town Southern Baptist Church during Sunday service.
But, swear words do have a purpose. They provide a way, in our language, to raise attention to a point that is above what is normal. It is how you make a distinction between a problem, a big problem, and a big fucking problem. How do you emphasize the significance when people are so used to the language that they are able to simply tune out? You shock them by saying something they haven't heard in common conversation.
So, how does this apply to Information Security? Think about the words that are bandied around in common circles for Information Security news and topics. Think about the reaction the term "Incident" probably has now with all the coverage about Sony in the news, and all the legislative language that tries (and mostly fails) to define due diligence for Operations.
Is it a problem, a big problem, or a big fucking problem? And are we turning it into mere punctuation or offending the people we hope to influence?
Wednesday, April 27, 2011
Lightbulb jokes for the ITSec Industry
Q: How many pentesters does it take to screw in a lightbulb?
A: None. We break stuff, we don't fix it.
Q: How many auditors does it take to screw in a lightbulb?
A: None. We don't fix stuff, we justify the budget to have it fixed.
Q: How many CISOs does it take to screw in a lightbulb?
A: Are lightbulbs really a regulatory requirement?
Q: How many security software vendors does it take to screw in a lightbulb?
A: If you pay us a lot, we'll give you a tool that will let you screw in your lightbulbs better!
Q: How many university degrees in security does it take to screw in a lightbulb?
A: Well, we've never actually seen a lightbulb, or screwed one in, but in theory...
Q: How many security certifications does it take to screw in a lightbulb?
A: If you don't require certification for lightbulb screwers, how else will you know your lightbulbs are screwed in right? Never mind how much it costs, expense it!
Q: How many security analysts does it take to screw in a lightbulb?
A: We'll tell you the lightbulb isn't screwed in, we'll provide flashlights, and we'll tell you how you should do your job, but we don't screw in lightbulbs.
Q: How many administrators does it take to screw in a lightbulb?
A: One more than the budget pays for: there are too many other projects going on.
Why do we divorce security from operations so thoroughly?