Tuesday, December 30, 2008

Gecko Readers Branching Out

It's nice to see that the Red Gecko reader base continues to expand. Thanks to all of you who have taken time to stop by.

MD5 Broken? That's Not News

Everyone is all a-twitter about the demo at the CCC congress, where a forged SSL certificate was created. The sky is falling! The sky is falling!

Except it's not.

Security experts have known for almost ten years that MD5 was broken - there was some good discussion back and forth for a time about this - and about five years ago, even the naysayers finally relented and admitted that MD5 as a crypto solution had seen its last days.

Of course, that didn't stop some firms from continuing to use MD5 with their CAs, and those are the people squawking now, because they are vulnerable to attack.

Quite a few Certificate Authorities moved off of MD5 some time ago in favor of the more secure SHA-1 algorithm, and regular Red Gecko readers will recall that I wrote about the ongoing competition to replace SHA-1 with SHA-3 in my post Round One Candidates for SHA-3. Nothing is unbreakable, so we're always looking for the next secure thing. Since SHA-2 shares some of the same weaknesses as SHA-1, adoption of SHA-3 can't come quickly enough.

I won't go into the technical details of the collisions or how they make use of inherent MD5 flaws to allow this whole silly thing to take place. If hardcore cryptography rocks your world, you can check out the gory details at this site.

I'm guessing there will be some sort of fix issued, but the better plan is to move off of MD5. It will be interesting to see how certification revocation is handled by the impacted organizations, and to watch for any production outages that might occur due to certificate invalidation or problems with the issuance of the replacement certs.

You'll hear a lot about this in the days ahead, but it's really a bit overblown. Play it safe and check for MD5 in your environment, then get on with your life. If you can't get off of MD5 in your CA, look into some of the workarounds to protect your certificate infrastructure until you can, such as adding a sufficient amount of randomness to the certificate fields, or to make active use of the "pathlength" parameter in the "basic constraints" field. Not perfect solutions, to be sure.
Expect browser developers to consider implementing some sort of pop-up to alert users that the site they are visiting has an MD5-based certificate, but the majority of users will find this to be meaningless gibberish. It's really going to be up to the site owners to do a better job of implementing their certificates while insisting that CAs being using strong cryptography, preferably SHA-2.

2009 Security: Kevin's Crystal Ball

We've seen a lot of movement in information security trends in the past year, not all of it good. Particularly disturbing is the notion that good security policy is in many cases an output of these trends, rather than an input that sets into motion tactical responses designed to implement your overall security strategy.

Put more simply, don't run your security program like some companies run their IT projects, where someone falls in love with a technology or gadget, then tries to wedge it into their infrastructure without much regard to the business problem you're trying to solve.

There are risks in this world, and you can't anticipate or prepare for them all. The sooner you acknowledge that, the better off you'll be. Corporate information risk and control is a dynamic environment, and you need to be agile in your security posture to ensure it adjusts not only to the changing threat landscape, but to your firm's developing business needs.

Which brings us back to some key things to consider as we move into a new year.

Security policies - it's time for a review to ensure that your policies for data privacy and protection are clearly articulated, meet overall business requirements, and are adequate in the face of both a rapidly changing business/financial environment and shifting regulatory landscape.

Security processes - have you successfully deployed solutions that implement your policies? Do you have the right people, in the right roles, employing the right technology in a standard, repeatable manner? Let's not forget the accepted definition of a process - it's standard and repeatable.

Audit trails - are you collecting the right data for audit purposes, and can you demonstrate a clear, defined audit trail for external examiners, regulators, and third-party assessment teams? Do you keep your security teams honest by having their work evaluated from the outside, and can you demonstrate compliance to good security practices like separation of duties, span of control, and job rotation?

Prevention - do we go beyond detective controls, where we learn after the fact that something is wrong, to employ preventive measures such as access controls, encryption, digital signing, IDS, IPS, and so on? A layered security posture not only makes it more difficult for the black hats to compromise your data, it also increases the probability that one or more of your early warning systems will alert you to an attack in progress. You can then kick in your robust incident response team process. You do have one of those, don't you?

So what do I see on the horizon? Here's the top 5 things that will make noise in 2009.

  1. Endpoint security - we've spent so much time, effort, and money trying to secure our knowledge repositories, data warehouses, server farms, and storage environments that we've begun to overlook what happens when this data is pulled to a client system where it's processed, analyzed, and otherwise at risk. I'm not talking just about the evolution of antivirus, antispyware, and personal firewalls here. Data control elements need to be part of that equation - what's happening to the information, how is it being used, and where is it going? Are you spending millions to harden your data centers only to have your sensitive information breached on a desktop, laptop, or handheld device, or is it being passed out via email, FTP, SSH tunnels, and so on?
  2. Secure virtualization - with a strong move to Virtual Desktop Instances (VDI) and server OS virtualization, we need better ways to lock down these emerging environments. In many cases, legacy approaches to solutions like role-based access controls, identity and access management, network-layer security, and state monitoring leave significant gaps when operated in a virtual world.
  3. Secure software - when are software vendors going to begin to be held accountable for selling us insecure software offerings? Probably not in 2009 - but that doesn't mean the push can't start. Think of how much less security you'd have to implement if operating systems and applications were hardened out of the box, and you weren't continuously running on the treadmill of vulnerability identification, patching, and repeating? How many times have you taken a secure box, loaded an app, and found huge security holes had opened, or you had to dial down your security settings in order to get the app to work correctly? Let's keep pushing software vendors to do the right thing, but while we're at it, let's ensure we're building robust security parameters into our internal software development lifecycle. The best executed security program can easily be short-circuited by a crappy web app or user developed tool. Run your internally-generated code through a rigorous application security assessment and pen test program, one that's separate and distinct from the app dev groups.
  4. Information lifecycle approach - think of your firm's information in the same manner that the Secret Service thinks of executive protection. Information is the target, so how do we protect the target at all times, from when the information is first created, through its use and transmission, following it through storage and eventually to destruction? What are the threats that exist at every phase, and what controls are in place at every single step to mitigate those threats? How effective are the controls, and are they constantly tested and revised in the face of new and emerging vectors? How do you substantiate your controls effectiveness? 
  5. The business of security - how integrated is your information systems risk and control program with the overall business plan and strategy? Do you know what's on the horizon, and is your security infrastructure ready to support it? The cost of implementing a new business strategy can be staggering, and having it fail due to security breach or incompatible security architecture is simply unacceptable. As a security professional, it's your responsibility to understand the business drivers and to present effective control solutions that protect the firm's information and systems while allowing the business to grow and prosper. If you don't understand the business roadmap, there's no way your technology path will succeed.
Leveraging the Internet has completely changed business, and security with it. No longer is a network viewed as a medieval castle, with tall strong walls, surrounded by a deep moat, with the good guys on the inside of the castle and the bad guys on the outside.

Walls don't exist in cyberspace. There are only barriers, and everyone knows there are ways around them. It's time to get away from the fortress mentality when it comes to security. Today, some of the bad guys are on the inside, and a lot of the good guys are on the outside, needing in to be able to do their jobs.

If you're dedicated to prevention - the fortress - you'll soon learn there's no such thing as Camelot. It's such a silly place. Make sure you're spending a big chunk of your time on detection and response, too. 

Happy 2009!

Sunday, December 28, 2008

Fido vs. Fossil Fuels

Even though gasoline prices have plummeted recently, it's probably unwise to breathe a sigh of relief, since we all realize that prices will continue to rise in the long term as growing world demand outpaces a dwindling supply.

Oil companies have begun touting technological advances that allow them to extract precious drops of oil from deep inside rocks and shale. That seems like a very expensive, labor-intensive effort that would not be undertaken if the easier alternative of sticking a pipe in the ground was available. The truth remains unspoken - we're running out of oil.

Enter DogPoweredScooter.com, a site seemingly designed by a 10th grader using Microsoft FrontPage. What the page lacks in modern design it makes up for by the sheer volume of words WRITTEN ALL IN CAPS.

It's not just dog powered scooters here, either. They have dog powered trikes, dog powered skateboards, and coming soon, dog powered folding bicycles. I'm guessing they won't fold while you're in transit, but I can't be certain.
The obvious question here is what powers the dog, and for how long? Do we recycle methane that comes out the tailpipe, or burn turd nuggets in the Eukanuba converter?

We own a pudgy little freak of nature that we saved at the animal shelter, and I'm not sure how he would feel about this. Mojo is part basset hound and part American bulldog (we think), with a massive head perched on a thick neck. Mojo defies gravity by not tipping forward, his long, muscled trunk held by four stubby little legs with huge feet. He's about 18 inches tall and weighs 60 pounds. An ottoman with teeth.

Strapping him to a skateboard or scooter essentially makes me the human sidecar in some Stephen King-inspired Cujo propulsion experiment. Checking out the pics and videos that are meant to assuage my fears actually stokes my panic. 

I had better performing brakes on my Big Wheel when I was 5. Those things are supposed to hold when Mojo spots a passing squirrel or the neighbor's nappy Persian devil-cat? I think not.

The center of gravity seems a bit high, too. I realize that I'm a computer engineer and not a real engineer, but physics is physics. If Mojo takes off and I need to make a quick turn to avoid a tree or small child, the last thing that will go through my head will be Newton's theory of vectors and scalars.

Perhaps the bicycle model will have some new design elements that are more horse & buggy and less Turner & Hooch. Until then, I'm holding out for the wind powered Audi A6 5-speed with leather trim. Mojo can ride shotgun.

America Sports Wood in War on Terror

The US Central Intelligence Agency (CIA) has found a novel way to battle Afghan warlords. While wood is involved, surprisingly no one is getting splinters.

I realize that leading clans of ruthless mountain insurgents can be a bit stressful, what with all of those Predator drones shooting laser-guided rockets up your ass and the constant uncertainty that comes from obtaining assistance from Pakistani rebels. Heck, you never know what side the Pakistanis are on anymore.

That said, exactly how is it that giving a handful of tiny blue pills to a tribal leader who has four wives leads to him returning with key intelligence on Taliban activities in exchange for more of the wonder tabs? I mean, if big dicks were instrumental to winning in the Afghani highlands, shouldn't we have been more successful by simply having George W. Bush as our Commander-in-Chief?

Much like the red deer who scamper across the craggy landscape, warlords need some sort of antler-rattling to demonstrate their authority. 

Suppose you're a tribal leader who has been struggling to please the ladies. Who can you turn to in a manly hour of need? What can turn your indigenous three-toed dwarf jerboa into a feisty polecat? It's not me who wants to know - I'm asking for a friend.
There's been a cacophonous outcry lately about how Afghanistan has been largely ignored since the invasion of Iraq, and evidence that our own CIA has resorted to pushing Mr. Blue in order to gain some momentum raises some interesting questions.
Why isn't Enzyte Bob on the front lines? If doling out blueys gets the chieftans some respect, imagine the smiles on their faces when their chuol transforms them into Happy Brakat. Mission accomplished. 

How do I get on their insurance plan?

Have we thought about using the side effects to our advantage? It's well known that sudden decreases in blood pressure can occur as all the blood in your upper body rushes to inflate your johnson, so what better time to stage a raid then went the only weapon in danger of firing is busy doing other things.

Skirmishes lasting more than four hours should be reported to your doktur.
Do not take Viagra if you have trouble walking up steep mountains or firing shoulder-mounted RPGs at coalition troops. Not tested for multiple ambushes.

This makes me wonder if I would have been a better soldier if they had passed this out back when I was wearing combat boots. It certainly would have been easier to keep my pup tent raised.

Saturday, December 27, 2008

Caroline Kennedy's Pumpkin Carriage

When Hilary Rodham Clinton resigns her Senate seat upon confirmation to become Secretary of State, the resultant Congressional vacancy will create a political vortex that draws many to its center. Among them is Caroline Kennedy.

As I look at some of Kennedy's competition, a lot of familiar names jump from the page - Andrew Cuomo, the state's Attorney General and son of the former governor Mario Cuomo, is another pedigreed pol who has expressed interested, and there are a number of lesser known candidates, including New York City congresswoman Nydia Velazquez, Buffalo Mayor Byron Brown, and Albany-area Congresswoman Kirsten Gillibrand.

This whole Kennedy debate has kick-started my thinking about how the elected/appointed leadership in this country has evolved over the last several decades. Can you remember a time when those in power had a name other than Bush, or Clinton, or Dole?

We know about Bush 41, who lead a "meh" administration, and Bush 43, who continues to lean forward on the stick to see how close he can come to crashing the plane before January 20. Jeb Bush is considering running for the open Florida seat discarded by Mel Martinez, so perhaps we'll still have a Bush high up in the legislative branch to carry on the family work. Florida's loss could be our pain.

Bob Dole took a respectable Senate career and turned it into one of the worst run Presidential bids (he should have coffee with John McCain to compare notes) of the century, and ended up pushing war memorials and little blue pills. Bob Dole sports statues and wood.

Elizabeth Dole won her North Carolina seat originally based on name recognition, support from the GOP machine, and the fact she was a Republican, rather than through accomplishments related to her haphazard stewardship of the Red Cross or her time in various GOP positions. Thank goodness her lack of visibility and actual work evidence got her bounced from the Senate after one term.

Bill Clinton managed to fend off those aiming for his scalp in his final term as much of his good work was washed away by a spray of fluid on a certain intern's blue dress and a hapless deposition in which he debated what the meaning of the word "is" is - to the point that I actually began to doubt his ability to govern if he couldn't provide the meaning of a word that third graders everywhere understood.

If Hilary had defeated Barack Obama and then gone on to hoist McCain on his own petard, it's entirely possible that we could have been governed by the Bush or Clinton family for 30 years. How ridiculous. That's exactly the kind of aristocracy we paddled across the pond to escape.

Which brings me back to Caroline Kennedy. Being the daughter of JFK certainly gives her a perspective that few would bring, and she's done some good work in the area of NYC school funding, along with other charitable endeavors. She has name recognition, and the support of NYC Mayor Bloomberg, who believes changing the law so he can serve longer than two terms in spite of his campaign promise is completely justifiable because he thinks he's the perfect man to steer the metropolis through these tough economic times. Rules are for putzes.

Kennedy has been less than impressive as she's sauntered out to small towns and medium sized cities, dipping her toe into the December waters of public opinion. She has some previous positions already articulated, such as same-sex marriage (for it) and school vouchers (against it), but it's not her platform that she thinks makes her qualified in this time of national crisis. Kennedy believes her political connections, her ability to fundraise, her committment to public service, and even her experience as a mother and author raise her level of expertise above all other potential candidates.

When the press starting doing some digging into her voting record, they found it spotty at best. Missed elections, a lack of consistency - vaguely reminiscent of past candidates who want you to evaluate them not on their record but on what they say they'll do once ensconced in the big chair.

If nothing else, the election of Barack Obama was a plea for competence, for facts and deliberation, an embracing of strong opinions by bright people who would poke holes in the strategies of others while defending their own ideas, the end result to hopefully be the best possible solution to accomplish the goal at hand.

With Caroline Kennedy, I don't see the investment in building the strong foundation needed to support more lofty endeavors. She's seeking to be judged on a concrete slab of Camelot that was poured before she was born, where she had great assistance to assemble a light political framework made of entitlement and family legacy. She has not hoisted the heavy beams of her own sacrifice to strengthen and improve the ivory tower into which she was born and from whence she now ventures out to meet the commoners.

Political dynasties usually end up benefitting the concept of aristocracy and plutocracy much more than solving the serious problems that exist, such as homelessness, poverty, healthcare, racism, Medicare/Medicaid, Social Security, the Middle East, and nukes in North Korea and Iran. I don't see anything on her CV that prepares her for those challenges. And I don't think cocktail parties and op-ed pieces in major newspapers will generate enthusiasm or strategies to fix what ails us.

There's plenty for Caroline Kennedy to do outside of the Senate. She's said she won't run for the seat in 2010 if she isn't placed into the open seat now. That tells me everything I need to know about her committment to serve. If she thinks she's better than anyone else, it should be easy for her to win the seat in 2010 regardless, given almost two years to make her case. The fact that she wants it handed to her so she's running as the incumbent underscores the doubt in her own mind that she could endure the rigors of a tough race without a leg up on the competition.

Camelot was a long time ago. It's time for us to face reality, roll up our sleeves, and do the hard work needed to get this country back on track. Now is not the time to annoint the Princess and admit her to the ball. There's no such thing as a pumpkin carriage to keep her glass slippers from getting dirty. If she wants to go, she should walk the trail like everyone else.

Friday, December 26, 2008

People Who Deserve It?

Are you thinking to yourself, "What is a person who studies Buddhism doing visiting a website called PeopleWhoDeserveIt.com?"

I'm curious, for one thing. And what better way to reinforce the Four Noble Truths or gain a better understanding of karma than to see what the competition is doing?

There is some rich material to poke through at this site, from Creepy Mall Santa to Passive Aggressive Emoticon User.

My favorite so far is Self-Important Bluetooth Guy:

Hey there buddy, I see you got one of those fancy cyborg ear attachments for your cell phone, you must be pretty important?

Oh, of course you’re not, you’re not even on the phone right now, instead your just walking around with a blinking light in your ear like a metro-sexual robot.
Honestly, unless you’re police dispatch, or air traffic control, there is no way you’re getting enough calls to justify sporting that glorified techno-earring 24/7. So do us all a favor take that “thing” out of your ear and rejoin regular society.
Otherwise, it’s open season, and our fist-to-face connection is one call that always goes through. Can you hear us now?
Generally, I get the impression that it's a site for folks to contribute what bothers them about humans in general. 

There's nothing wrong with a good, old-fashioned snark. I've been known to fling some psychic knives at unsuspecting targets before, but I'm feeling much better now. A special prize will be awarded to anyone who can tell me in the comments what television show used that line as a running gag.

We're all interconnected on this blue marble we share, and we're gone in the blink of a cosmic eye, so let's embrace those special qualities that make us all unique contributors.

Our lives would be so much less rich without Guy Who Takes Office Magazines Into Bathroom.

The Slegoon - Crap Your Pants While Sledding

When I was a kid growing up in the mountains of central Pennsylvania, winter presented many opportunities to cheat death while screaming down a snow-covered hill at breakneck speeds, desperately attempting to avoid pine trees and boulders through a combination of highly-tuned reflexes and lots of blind luck.

For kicks, we would wax the runners of our sleds, or grease the bottoms of our aluminum saucers in an attempt to reduce the drag coefficient as we pursued new snow-speed records. Our parents were convinced that we were hell-bent on making them care for paraplegics for the rest of their natural lives.

I was fascinated to learn of the Slegoon, which combines the thrill of high-risk sledding with the protection of a NASCAR roll cage. Sweet!

The Slegoon looks a little like the tiny probe vehicle piloted through a human body by Dennis Quaid in the movie Innerspace - a one seater that's more function than form, but with enough geek charm to attract the ladies.

One of the more positive aspects of the design is that the Slegoon will continue rocketing down an icy slope even if it rolls over, so you can achieve that complete Pinball Wizard experience. It's only a matter of time before someone attaches afterburners to this thing and mistakenly ends up in orbit.

Slegoon - ask for it by name.

Republicans Remain Dumb

After George Allen's infamous "macaca" slur during the Virginia senate race against Jim Webb cost him the election, and Trent Lott lost his Senate leadership post after doing the equivalent of a secret racist handshake while honoring Strom Thurmond, himself a career segregationist, Republicans should have learned to dummy up and keep their African-American bias to themselves.

There were many racist examples during the 2008 presidential campaign at the local, county, and state campaign levels, from untoward posters, bumper stickers, jingles, and other demonstrations of 19th century attitude that partially explains the moral and cultural bankruptcy behind several years of election losses in the House and Senate, and now the White House will contain not just a Democrat, but one of them, just like old Strom and Jesse Helms feared.

So it comes as no surprise that one of the posers in the running for chairman of the RNC has gone and trotted out the dark side of the GOP again. Tennessee Republic Chip Saltsman sent a CD to committee members that included the parody song "Barack the Magic Negro", racist lyrics set to the tune "Puff the Magic Dragon".

The parody originally appeared on Rush Limbaugh's radio show in 2007, which should have been everyone's first clue that it would ruffle some feathers. Saltsman claims the song is obviously satire and meant as a joke, another in an endless litany of Republican "lighten up, Francis" excuses brought out whenever someone in their party shits the bed in public.
There were other equally offensively-titled tunes on the disc, including  "John Edwards' Poverty Tour," " "Ivory and Ebony" and "The Star Spanglish Banner," an obvious reference to the GOP's position on immigration reform that's been so well supported and revered that Hispanic-Americans voted for Barack Obama by overwhelming margins. 

As Obama counts down the days until he sits in the Oval Office, having put together an impressive leadership team in record time, there are still some who believe more in broadcasting worn stereotypes than they do fixing the massive problems their party created. To borrow one of the key phrases from the Bush 43 administration, why do they hate America?

If the GOP wants to continue bringing a spork to a gunfight, I'm ok with that. If they want to drive an obstructionist agenda when clearly the people have called for quick and effective action, that's fine. They will continue to seal their fate for a generation.

The rest of us are moving on to more important things, like humanity, compassion, competence, and results. 

The bus is leaving, ladies and gentleman. You're either on it, or you're not.

The Grinch That Stole Christmas Sales

Do you remember that scene in the animated holiday classic How The Grinch Stole Christmas, where the poor little dog Max is alternating between being hilarious and acting as a poster child for PETA as he attempts to pull the over-laden sled up the steep slopes of snow covered mountains?

At one point Max teeters precariously on the edge of a cliff, and it looks as if he will plummet to his death in some cavernous winter wonderland. Perfect children's fare.

The Wall Street Journal is reporting that retailers weren't as lucky as Max. Holiday retail sales plunged 5.5% in November and fell an amazing 8% in November in what some experts are calling  the worst holiday shopping seasons on record.

Considering that early discounting was the response from most retailers, the impact to margins and P&L statements will be even more severe, as many goods were sold at break-even levels or lower. Even the purchase of gift cards was affected, which might curtail some of the post-holiday spending, terrible news for shops that count gift card sales at redemption, not at purchase. Heavy discounting prior to Dec. 25 also makes post-holiday sales less attractive, leading to the possibility of even more radical pricing strategies as merchants attempt to move sluggish inventory to generate cash flow and to support spring margins to buy.

Much hand-wringing by the industry is to be expected, as the retail community is somewhere near the Mendoza line in their performance this past year. While heaps of scorn for automakers and dealerships are evident, there's yet to be much public blame assigned to the retail supply chain, whose failure to anticipate a slowing consumer spending pattern as part of the overall economic slowdown is of epic proportions.

Of course, experts and retail management will quibble, their defense sure to include things like lead time needed for buys to be delivered for holiday marketing campaigns and how things weren't quite this terrible back when the purchasing and ad campaigns were implemented. That's letting them off the hook.

The ability to forecast consumer spending habits, and to make key determinations as to what the customer will want to buy and how much they will want to spend, is the crystal ball that separates successful retailers from the rest of the pack. In my many years in retail, the common explanations from management whenever sales failed to meet forecast or fell below l/y weather (it was bad, so no one could come out to shop, or it was good, so people were doing things other than shopping), the calendar (we had huge sales this weekend last year), and of course, the economy (no one has jobs to they can't afford our 27 SKUs of Dolby surround sound 5.1 DVD players with progressive scan). 

It's slightly amusing that these same merchants who've made millions thought the concept of false scarcity, with rabid crowds sleeping in the parking lot to be first in line to trample their neighbors in their quest for small quantities of discounted are now suffering the fate of actual abundance, as consumers aren't buying and stockpiles of unmoved goods hang as a profit-killing albatross around the necks of retail executives, who are doing the only thing they know - slashing prices and cutting heads, their eyes on the weekly and monthly numbers rather than on the horizon.

Wednesday, December 24, 2008

Give Someone W32.Sality.AE for Christmas

If you're looking for that last minute gift idea for a friend or co-worker who isn't on your "nice" list, how about a nice virus that infects executable files and then attempts to download malicious software from the Internet?

I know what you're thinking - I would never give a present like that. If you're handing out digital picture frames, don't be too sure.

As seems to happen every year, some digital picture frames are coming pre-loaded with assorted malware. In this case, it's the Samsung Frame Manager 1.08 software for Windows XP that comes bundled with a number of various Samsung frames.

Amazon.com took the unusual step of distributing the following communication to customers who purchased the SPF-85H 8-Inch Digital Photo Frame:

"The alert involves the SPF-85H 8-Inch Digital Photo Frames w/1GB Internal Memory, designed to work with Windows-based PCs via a USB connector," the warning states. "They were sold between October and December 2008 for about $150. ... If you are using Vista or a different version of Frame Manager, this issue does not affect you."

Samsung has an updated version of the Frame Manager software available for users, and they recommended using your favorite antivirus program to quarentine the virus. 
Thanks, Samsung! I have a better idea - how about if you stop shipping me infected stuff?

This issue first popped up more than a year ago, and it leverages a known weak point in the exploit matrix - users will plug anything into their computers without giving a second thought to where it comes from or what it might do. 

In the early days of personal computing, floppy disks were the primary delivery mechanism for viruses, because computers weren't networked like they are today, so transport via disk was the preferred distribution method. Users got (somewhat) comfortable with doing a quick virus scan of the media before running it. If they didn't, it wasn't long before a corrupted Master Boot Record or trashed registry reminded them. Hard lessons tend to be remembered longer.

As we moved out of physical media into a networked world, more malware was delivered digitally, either embedded within other software (you didn't think that downloaded copy of Microsoft Office was completely free, did you?) or as a self-executing file attached to an email that ran when the message popped up in your email program's preview pane.

This caused us to develop media malware amnesia, and we turned sloppy when we opened a new CD or DVD and inserted it into our machine. After all, we sort of trusted the company who sold us the media, and in any event, our antivirus/antispyware/OS defender program would save us. Right?
But as always, it's up to the user to provide the last line of protection against the various forces of evil that are out there. As my friend Kevin, an incident handler at the SANS Internet Storm Center says, "The user's ability to do stupid things continues to trump my ability to keep them safe."

So if you're looking for a good gift for your friends and family this year, how about a list of computer security tips to remind them of how easy it is to do their part?

For that, you can reference Mark Hofman's ISC diary entry on The 12 (or so) Hints of Christmas.

Tuesday, December 23, 2008

World Bank Bans IT Vendor

It's been months since reporters started pelting the World Bank with questions about rumors that hackers had infiltrated their records and stolen large amounts of financial data.

Being a global financial organization, the World Bank did what any pseudo-respectable organization would do - they stonewalled like hell.

Indirectly confirming what many of us already knew to be true, the World Bank admitted that a  leading India-based IT vendor, Satyam Computer service, was barred nearly a year ago from doing any business with the bank, and the ban started in September. Hmmmm. Think there's a connection?

This makes it a bad week to be Satyam, which deals with roughly 1/5 of Fortune 500 companies as clients, and also trades on the NYSE. These relationships reportedly generate about $2 billion is sales as part of outsourcing agreements.
Trends toward outsourcing of critical IT functions make it even more necessary to apply IT controls and substantiation requirements to vendors that are at least as robust, and in many cases much more so, than a firm's own internal controls. 

From an information lifecycle perspective, how is information tracked from creation to destruction, and at all points in between? What controls are in place, and what sort of testing is performed to validate the effectiveness of those controls? 

When controls are found to be ineffective, what steps are taken to either enhance these controls, supplement them, or replace them with entirely different control sets?

What are the hand-off points for critical data points? When data is created, how is it transmitted and utilized? What systems process the information, and who has access to the data, including system and database admins who provide maintenance and support? 

Is separation of duties enforced, and are security admin roles kept segregated and distinct from production roles? What's the audit methodology, and how are the IT control audits validated?

Finally, how is information protected as it's moved from production to storage? Encryption, anyone? Access control? 

How about destruction? When the information is no longer needed for business reasons, how is it destroyed, and what sort of validation is provided?

Business today is all about information - creating it, using it, running analytics and spinning out reports to be actioned, data warehousing, marketing, correlation and business intelligence.

Much like a company's business plan and future strategy, information is valuable and needs to be protected. Lax oversight by the World Bank shows what can happen if this responsibility is neglected. The only difference is that most people won't pull their deposits from the World Bank.

Santa Annoys Steelers Coach

In his weekly press conference, Steelers coach Mike Tomlin was probably already leaning to the Grinch side of things following Sunday's drubbing by the Tennessee Titans.

It was probably a poor decision by local broadcaster Bill DiFabio to reprise his annual visit as Santa, and if he didn't get the hint that he had worn out his welcome via the repeated audible sighs directed his way by Tomlin, perhaps Saint Nick can stuff some situational awareness in Bill's stocking this year.

According to SI.com, Tomlin originally went along with the gag, to the point where he invited DiFabio to the front of the room in Wahoo-burgh. But when Shecky DiFabio went on for over five minutes with a stand-up routine that took shots at the Cowboys and Browns along with cracks directed at his fraternity of broadcasters, Tomlin decided that enough was enough. Yoy!

He even tossed a football to DiFabio, lamenting "If that will get you out of here."

I'm surprised Tomlin didn't pull a "Slinging" Sammy Baugh, when Baugh grew tired of a defensive lineman jawing and taking dirty shots at him, so he instructed his offensive line to let the joker through on the next play.

This was in the days of leather helmets and no face masks, remember.

As soon as the ball was snapped, the defender broke through with a roar and began to gallop directly at Baugh.
Baugh remained calm, seemingly looking downfield for an open receiver, and seconds later turned and delivered a perfectly-spiriling rocket right between the eyes of the charging tackle, knocking him out colder than an Alaskan cod.

Between the loss to the Titans and Santa's faux-pas, I would hate to be the Cleve Brownies this Sunday. Umm-HA!

Microsoft Gives Us A Lump of SQL Coal for Christmas

It could have been an Easter present, but instead, Microsoft has chosen to dump a gift-wrapped SQL turd in our Christmas stocking.

Thanks for that.

A security researcher had pointed out the SQL flaw in April, and only went public with exploit code after months and months of patching inaction by Redmond. And they wonder why I stopped being an MCT several years ago and ignored their repeated request to renew my Microsoft Partner status for 2009.

The vulnerability in question concerns a remote memory-corruption vulnerability because it fails to properly handle user-supplied input. Authenticated attackers could exploit this flaw to execute arbitrary code and completely compromise affected computers. Even if the code execution fails to compromise your app or SQL box, it will probably cause a denial-of-service. Have fun with that, e-commerce sites struggling in the face of IT layoffs in a faltering economy.

The vulnerability affects older versions of the software, including Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine, Microsoft SQL Server 2000 Desktop Engine and Windows Internal Database, according to the advisory.

Bernhard Mueller, the security researcher who discovered the flaw and then went public with the details after waiting in vain for Microsoft to acknowledge and fix the weakness, is currently being pelted with coal by both Microsoft and other security researchers, who call his public release of the vulnerability "irresponsible

I'm sure we'll see more dialogue on the ethics and responsibilities of researchers to notify vendors of the flaws they discover but to zip their lips until the vendor gets around to protecting their customers by updating the insecure product the customer paid good money for in the first place.

You may be able to tell that I'm torn by this - we wouldn't let Ford off the hook if someone told them the doors and wheels kept falling off of the Escape hybrid, and some serious lawsuits would follow if Ford took six months before publicly admitting the problem and remediating or replacing the SUV. I'm not sure why software makers are given such latitude, either by consumer groups or by the massive corporations who purchase these repeatedly-insecure chunks of code. SDLC, anyone? I guess time-to-market is more important.

Round 1 Candidates for SHA-3

NIST announced the round 1 candidates for the SHA-3 competition, and crypto experts and math geeks everywhere had a SHA-gasm.

As background, National Institute of Standards & Technology decided to open a public competition for the development of SHA-3, the latest incarnation of the Secure Hash Algorithm.

NIST decided that a new version was needed due to the increase in attacks against SHA-1, and the fact that both SHA-1 and SHA-2 share a common framework. If SHA-1 goes down, SHA-2 won't be far behind.

The competition is supposed to run through 2012, and first round entrants needed to have their submissions in by October 31, 2008. Sixty-four submissions were received, and 51 of these were accepted. A couple of those accepted have already been broken, so it's looking like it won't take nearly as long to trim the field as originally expected.

SHA was developed as a set of cryptographic hash functions by the NSA, and a great many security protocols and applications employ SHA. Since SHA is essentially really hard math, it's not unbreakable, and over the last several years, concerns have been raised about potential mathematical weaknesses in the existing algorithms.

SHA-1 attacks in 2005 pointed out some security flaws, and everyone agreed that a stronger hash function would be needed. As of today, there haven't been any reported SHA-2 attacks or associated flaws.

The SHA-3 competition is similar to the efforts to develop Advanced Encryption Standard (AES), a block cipher adopted as an encrypted standard by the US government. Development of AES was needed after it became apparent that neither DES or 3DES were secure in this age of more powerful computing. AES is now used extensively in symmetric key encryption.

A hash function takes binary data (1s and 0s for you non-binary types) called the message, and condenses it down into the smaller message digest. To make that easier to understand, think about the Readers Digest magazine - taking longer versions and squishing them down for presentation - even though the whole story wasn't there, you got the gist of what the writer was saying.

A cryptographic hash function is a deterministic procedure (the algorithm, or really hard math) that takes a chunk of data and returns a fixed-length bit string, known as the hash value. If I go back and change any of the original chunk of data, either accidently or on purpose, then the hash value will also change. From a security perspective, I would know that the original data has been tampered with.

In this case, I would call the chunk of data the message, and the hash value the message digest. I can use the hash value as part of a digital signature (such as signing email or data transmissions to ensure integrity), for authentication purposes (proving you are who you say you are before granting access), or for any number of information security reasons.

Hopefully, the SHA-3 competition will provide a foundationally-secure algorithm that will buy us 5-10 years of grace before SHA-3 itself is broken. Letting crypto experts worldwide submit their own entries while trying their best to crack the submissions of others is a good start. It takes a special mind to be able to understand this stuff, and an incredible mind to create it.

Gas Price Complaints

From GraphJam

Airing of Grievances

Today is officially Festivus, the holiday for the rest of us. If you need some background on this faux-holiday, check out my Festivus post or read the Wikipedia entry.

Time for my airing of grievances. I have a lot of problems with you people.
  • Republicans, who put forth a sorry effort in the 2008 election, falling back on the politics of smear while nominating for vice-president an unqualified right-wing religious zealot as a way to capture the PUMA vote.
  • CEOs and corporate boards who abdicated their responsibilities to employees, shareholders, and customers by greedily turning their decisioning matrix into a single-channeled spigot spewing ludicrous executive compensation packages as their companies tanked.
  • Everyone who approved the TARP funding package that's allowed poorly run banks and investments houses to rake in oodles of cash with no oversight, which means that a percentage of my taxes, for the rest of my life, will slowly be poured down the resultant black hole.
  • Anti-gay marriage supporters, for failing to live up to the basic tenet of human equality in their quest to restrict the ability of committed adults to form recognized relationships. When these folks can tell me at what point in their development they chose to be straight and have feelings only for members of the opposite gender and begin to punish adultery, I'll have a better understanding of how my gay friends chose to be gay and began their grail to destroy traditional families.
  • General Motors and Chrysler, who made and sold shitty cars for thirty years and now expects me to give them money since they couldn't get me to buy their products. I'll give you my money when you give back all the salary and bonus money you've made.
  • Dick Cheney, for his single-handed rape of the Constitution and for commanding the charge of neo-conservatists who brought us torture, Iraq, Abu Ghraib, Katrina, the US Attorney scandal, Blackwater, energy task forces, financial tumult, world scorn, and essentially most things that are wrong in the world today.
  • Eliot Spitzer and John Edwards for allowing their peckers to taint all of the good works they have performed and for virtually guaranteeing that they will never make the kind of difference in the world that they could have if they would have thought with the big head instead of the little head.
  • George W. Bush for his feckless leadership and blinded world vision.
  • The FDA and corporate farming conglomerates for serving us salmonella-tainted tomatoes and peppers, listeria-traced deli meats, and e-coli burgers for the main course.
  • The Federal government and corporate lobbyists for continuing to ensure that desperately-needed healthcare reform takes a back seat to profit, because anyone can suffer an early, painful death, but only a select few deserve big houses and golden parachutes.
  • Traditional media for their incestuous relationship with the subjects they are paid to cover, for failing to speak truth to power, and for their obvious futile effort to ride their outdated business model like a dinosaur into the sunset.
  • The American people, for their continued addiction to foreign oil and blatant unwillingness to sacrifice even a little bit to develop alternate energy sources and efficient vehicles.
  • Microsoft, for roughly 5% of my blog postings concerning their vulnerabilities, clunky overpriced software, and core integration of their insecure browser into their base operating systems.
There are more, but this is a good start. Please chime in with grievances of your own via comments.

Monday, December 22, 2008

The Shoes Are Tragic

The title is a well-worn line from the 1990 movie My Blue Heaven, when Steve Martin's recently arrested character Vinnie looks at the footwear worn by Hannah Stubbs, the assistant district attorney played by Joan Cusack, and expresses his disdain.

I was browsing through Time's Person of the Year 2008 photo spread when I saw this picture of Barack Obama, and I was reminded of that line.

This was not the first time I had seen the Obama photo. In fact, I had viewed it several times during the course of the campaign, and had read about how Obama was going through his second re-sole of this particular pair of shoes since the campaign had begun.

At the time, I contrasted that against the hundreds of thousands of dollars that were spent on clothing, accessories, and stylists for Sarah Palin and her family, and contemplated what it meant that the leader of one ticket was having a single pair of shoes repaired for the second time as he worked to disseminate his key message of changing the way government worked, while the other ticket spent obscene amounts of money to gussy up a lightweight, inexperienced candidate while claiming to be representative of the working men and women of this nation - Joe and Suzy Sixpack, if I recall correctly. Style over substance?

Today marked the first time I'd seen the Obama shoe sole photo since the election. I pondered anew the significance of it all, given everything that has happened in the six weeks since voters cast their ballots.

An economy in shambles, with rising unemployment, shrinking credit availability, and an uncertain future await the President-elect. $350 billion of the $750 billion in TARP funds has been disbursed so far to financial institutions who are refusing to account for how much they have received or how it's been spent. $15 billion dollars have been allocated to GM and Chrysler to act as a bridge that allows them to finally put together a working business model that they hope will delay their extinction.

The pace and number of home foreclosures quickens, and those who either bought more house than they could afford or who lost their jobs and can no longer keep mortgage payments current grows weekly. Some lenders have placed temporary stays of execution on mortgage foreclosures in an attempt to keep families in their homes, but it's less altruistic than it is a desire to recoup some of their investment during a time when falling real estate values makes it problematic to foreclose and try to sell off the large number of properties flooding the market.

Frightened consumers who have been spending with both hands and one foot suddenly put the brakes on their addiction, throwing into a tizzy retailers and restaurants, travel and entertainment, and just about every other type of business reliant on the free flow of disposable income.

As I gaze on the Obama photo now, I see something else. Obama was right. I get it.

It's been articulated thousands of times in stump speeches and slogans, batted about by television pundits like three kittens playing with a ball of yarn, outlined in pressers and commentary by bloggers and writers across the communication spectrum. Economic stimulus, middle-class bailout, call it what you will. How do we turn this turd barge around without sinking?

It's back to economic fundamentals, baby. Goods and services. Making things with intrinsic value that are in demand, and manufacturing them to be durable, of high quality, to be counted on in good times and bad. Infrastructure. The important things, where the rubber (or sole) hits the road. Roads and bridges, ramps and streets, sidewalks. Jobs and salaries that pay taxes, manufacture of materials, transportation, repairing this place from the bottom up. Obama is right on.

Everyone needs good shoes, made from quality leather (sorry, PETA), with solid stitching, and durable outsoles. A spacious toebox that doesn't cut off circulation to your toes (fashion be damned), and a balanced heel counter that keeps your foot centered on the insole, to assist in stability and save on sock replacement, not to mention knee replacement later in life. A vamp that's expertly designed to ensure lacing pulls the shoe snugly to your foot for fit and comfort.

There's no glory in delivering a well-designed shoe vamp, or outsoles that keep you off your ass, literally and figuratively. You won't make a million dollars faster than Manola Blahnik and his preposterously priced designer stilleto heel collection, but sales of $2000 shoes are dropping like a stone as shoe repair shops report 20 to 40 percent increases in business, from those same $2000 Manolas to more reasonable shoes originally priced from $150 - $300.

There was no reason for the lemming-like footwear purchasing crusades we've seen over the last ten years. I blame people with more money than sense, and Sarah Jessica Parker. But it's certainly representative of the larger attitudes and behaviors that have driven our economy to the brink of Hoover-ism with a healthy dose of George W. tossed in. We did it because we could, and we refused to believe the shoe party would ever end.

$2000 shoes don't help you walk any better (quite the opposite, from what I hear), and I'm told many designer shoes actually hurt the feet and cause much glee to the American Board of Podiatric Surgery. Why wear them? It's all about appearances. There's no added value other than being recognized as someone who can afford Manola's.

I'm pretty sure OJ Simpson was wearing Manola shoes. 'Nuff said.

We're moving from a Manola Blahnik economy of style over substance to an Obama-led cobbler society of foundational integrity, where there's value and reward directed toward those who make and wear the common footgear, rather than the 2% of society who have more shoe dollars collecting dust in their closets than the GDP of Paraguay.

I hope Mr. Obama keeps those worn soles on display in the Oval Office to remind himself and all of us what led to his success and what it will take for our nation to return to a position of strength and prosperity, where all citizens have the opportunity to live the good life. Let's stand for something. Let's stand for shoes.

Sunday, December 21, 2008

Black Boxes

Frank Rich, writing in his Sunday NY Times column, ponders the repeated warnings we've had during this current economic crisis and questions why we continue to ignore all the red flags.

He posits that many of these financial instruments are regarded as "black boxes", that are either very complex, or confidential, or both. Things go in one end, mash about like socks in a dryer, then spit something wonderful out the other side. As long as we're happy with the result, we don't ask too many questions about what's going on inside the box.
The rest of us know black boxes as those cockpit recorders that are supposed to provide salient details after a crash, ostensibly to help us understand what went wrong to prevent future disasters. The black boxes don't, however, provide much benefit to the passengers and crew of the plane.
Particularly in light of the Bernie Madoff case, where as much as $50 billion in investments might be forever lost in what amounted to an elaborate, unregulated Ponzi scheme, rich folks and savvy investors ignored the lack of documentation and transparency into what was actually responsible for their above-average return, year after year.

The question in the aftermath of the Madoff calamity is this: Why do we keep ignoring what we learn from the black boxes being retrieved from crash after crash in our economic meltdown? The lesson could not be more elemental. If there’s a mysterious financial model producing miraculous returns, odds are it’s a sham — whether it’s an outright fraud, as it apparently is in Madoff’s case, or nominally legal, as is the case with the Wall Street giants that have fallen this year.

The fact that ABC News has been ignored as they requested information from the financial firms who received part of the $700 billion in bailout cash to determine how much they received, and how that money has been spent, tells us a lot more about the endemic problems that exist in how our financial markets are owned and operated than any Congressional committee hearing. They took our money, gave it to those who operated the black box enterprises, and refuse to tell us who, what, when, where, and why. 

Soon we'll be printing $1 billion dollar bills like some third-world nation. And there's plenty of blame to go around.

Saturday, December 20, 2008

Cardmember since I stole your cookies

I expect American Express to struggle in this economy, with card members cutting back on purchases, which limits the amount Amex can collect from merchants for the privilege of accepting the various American Express cards.

One of the things that I expect them to get right, however, is web security, given it's an exploit vector, and successful compromise could allow all sorts of bad things to happen to innocent site users, like me.

Cross-site scripting, or XSS, is one of the more versatile and useful tools in the black bag of tricks. It's a too-common vulnerability to leverage in web applications, and it allows the bad people to perform code injections using HTML code or client side scripting, which permits them to either bypass existing access controls or to exploit your browser, especially if you're using an inherently poor security browser like Microsoft's Internet Explorer, or if you're not very timely in applying security patches or updating your antivirus signatures.

In some cases, the compromised browser can redirect you to an attacker's site that's set up to look like a real site, and in other cases, the attacker can take full control of your computer, capture your keystrokes (like user IDs and passwords), or turn your machine into a spam-spewing bot that responds to orders from a centralized command & control server owned by the Russian mob or other nefarious characters.

So when Amex was notified (several times) that they had a well-known XSS vulnerability on their site, you would think they would bust their ass to not only close the hole but see what other doors and windows they might have left open.
You would be wrong, of course.

The Register
reported that it took a full two weeks of being pestered by a security researcher who found the XSS flaw on their site, and that Amex had reportedly failed to respond to emails and other communications from the researcher as he tried to be a white-hat and use his powers to battle the forces of evil. Eventually, American Express managed to close the XSS vulnerability that was pointed out to them. Whew.

Except they didn't fix the problem. The fixed an instance of the problem. Two separate sources have reported that the XSS flaw still exists, allowing the crooks to capture americanexpress.com user authentication cookies. So they put a lock on one door, but failed to check the rest of their application to see if this flaw (or others) might exist elsewhere.

Assuming that Amex has a robust info security program, it's difficult to understand why these flaws weren't discovered during normal testing during the application development cycle, or as a result of periodic internal tests by the security or ethical hacking teams.

Certainly, Amex could benefit from occasional reviews of their sites by outside vendors who can do penetration testing and vulnerability assessment scanning as a check & balance to ensure that things are as locked down as possible.
XSS flaws aren't that troublesome to fix, either.

As a customer, I would expect American Express to do more than issue a press release confirming that they take security seriously. They should perform a top-down review of their app dev and vulnerability management programs and do some root cause analysis of their security incident response process to determine how it could take so long for a reported vulnerability to be corrected.

A good information security program involves constantly probing your own networks and evaluating your controls environment to find the gaps before anyone else does. With so many automated exploit frameworks out there, it doesn't take someone with a doctorate in computer science to compromise your network - attacks are point and click now, and if you don't believe me, go spend some time reading about the Metasploit framework.