Monday, August 26, 2013

Wheel locks - Theft deterrent or mostly annoying?

As I was trying to change a tire on my wife's SUV the other day, in the pouring rain, I realized something... those little wheel locks (the funny-shaped bit that's on one of the wheel lugs so you have to have the "key") are the quintessential example of a security idea that just doesn't pass real-world muster.

There I was, changing a tire, getting soaked, and now I was going to have to dig through my glove box, arm rest, and trunk compartment for that special key so I could get the damn wheel off. As I was cursing the people who put these things on the truck, I tried to understand why they are put on cars anyway. Turns out, this is a security feature, right? To keep people from stealing wheels from nice cars (or sometimes not so nice cars), these were meant as a deterrent to theft, and to frustrate the would-be wheel thief. There are just a few problems with this...
  • Wheel locks barely add any anti-theft "security" - primarily because thieves can get these things quite easily, you don't need any special permissions, validation that you own that particular make and model, or really anything else. If I wanted to steal the wheels off of a high-end Mercedes I'd simply call up the local dealership, ask them for one, and then go off and steal the wheels off the car.
  • The inconvenience of losing one of these is immense - if you've ever lost one, or can't find one, you know what I'm talking about. As I was there on the side of the road, getting soaked and cursing up a storm, I wondered where I could get one so the rest of my day wasn't spent calling dealers and trying to get a ride to pick one of these up from a dealer that was less than 25mi away. Very frustrating.
  • Wheel locks are expensive! - I'm not one to complain about a $25 part, but when I have to pay the dealership $25 (or more) to replace one of these wheel locks, which is just annoying to me anyway, I'm upset and feel like I'm getting hit when I'm already down. Again, very frustrating.
The lesson learned? Sometimes something that has a reasonable perceived security value to inconvenience trade-off is completely wrong in the real world. This is perfectly in line with how I feel about having to change your password every 30 days, or those often insane-sounding complexity requirements for passwords (you know, 10 characters, 2 numbers but not in the beginning or end, and an upper-case letter, but no spaces or "special characters", and no repeats) ... come to think of it, I'm starting to feel like passwords altogether are going this direction in general.

My plea to you security professionals out there, and those that are aspiring to lead enterprises into the future of security - please, please think about what you're asking not just developers but end-users to do, and then weigh that carefully against the real risk-reduction benefit. Oftentimes, if you're forced to do a failure-mode analysis-like activity around your desired control, you may find out that there are 100 ways this new thing can be heavily inconvenient to the end-user, while there are fewer than a handful of cases where it will benefit and reduce risk.
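To make that failure-mode analysis concrete, here is an added example (mine, not the author's) that encodes the complexity policy quoted above as a checker and reports which rules each candidate breaks. Two points in the policy are ambiguous, so I assume "special characters" means anything that is not a letter or digit, and "no repeats" means no character appears twice in a row; the candidate passwords are constructed for illustration. The checker shows the trade-off the post describes: a long passphrase and a mixed-character password are both rejected, while a short, predictable password sails through.

```python
import re

# Each rule is (name, predicate) where the predicate returns True when the
# password VIOLATES that rule. The rules are the ones quoted in the post;
# the "special characters" and "no repeats" interpretations are my assumptions.
RULES = [
    ("at least 10 characters", lambda pw: len(pw) < 10),
    ("at least 2 digits", lambda pw: sum(c.isdigit() for c in pw) < 2),
    ("no digit at start or end", lambda pw: pw[:1].isdigit() or pw[-1:].isdigit()),
    ("at least one upper-case letter", lambda pw: not any(c.isupper() for c in pw)),
    ("no spaces", lambda pw: " " in pw),
    # assumption: "special" = anything that is neither alphanumeric nor a space
    ("no special characters", lambda pw: any(not c.isalnum() and c != " " for c in pw)),
    # assumption: "no repeats" = no two identical characters in a row
    ("no repeated consecutive characters", lambda pw: re.search(r"(.)\1", pw) is not None),
]


def violations(password: str) -> list[str]:
    """Return the names of every policy rule the password breaks, in policy order."""
    return [name for name, broken in RULES if broken(password)]


def complies(password: str) -> bool:
    """True only when the password satisfies every rule."""
    return not violations(password)


def audit(candidates: list[str]) -> dict[str, list[str]]:
    """Map each candidate to its rule violations, for a side-by-side comparison."""
    return {pw: violations(pw) for pw in candidates}


if __name__ == "__main__":
    # Constructed candidates: a predictable password, a long passphrase,
    # and a mixed-character password that most people would call strong.
    for pw, broken in audit(["Welcome2013a", "correct horse battery staple", "Tr0ub4dor&3"]).items():
        verdict = "ACCEPTED" if not broken else "REJECTED: " + ", ".join(broken)
        print(f"{pw!r:32} {verdict}")
```

Run stand-alone it prints one line per candidate; the 28-character passphrase is rejected on four counts while the 12-character dictionary word with a year appended is accepted, which is exactly the kind of outcome a failure-mode review of the control should surface before it is rolled out.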

Love wheel locks? Hate 'em? Have a real-life story to share? I'd love to hear your input, frustrations, and snarky commentary. Hit me on Twitter (@Wh1t3Rabbit) and hashtag your tweets with #SecBiz ... let's learn from other seemingly great ideas!

Saturday, August 24, 2013

Bug Bounties are great but...

As in the case of the most recent bug on PayPal, one has to ask whether this was a bug found and diligently disclosed to PayPal only, or was it first used by the criminal element and then, when it was used up, disclosed to PayPal to receive the bounty?

I suppose PayPal could have the data somewhere to support either way, or maybe they don't?

I'm not arguing against bug bounties, I've been converted...but I have to wonder whether they are being abused...or maybe it doesn't matter as long as the vendor gets the heads-up they likely wouldn't get otherwise? The money isn't massive sums, and it's certainly arguable that it's cheaper than hiring many more security professionals on staff...and likely more effective, but... I'm still left wondering.

Bug bounties are great, but how much of a heads-up are they really giving companies? Do we even care, for the small fees we pay out?


Thursday, August 22, 2013

The Startup with a Legacy Problem

I don't know about you readers, but I used to absolutely love the show House on FOX. I loved the character of Dr. House for many reasons - but primarily because he loved to solve puzzles others either gave up on, or saw as 'solved'. I feel a little like Dr. Greg House when I get to tackle a new puzzle, and a recent engagement gave me pause. I've never run into an organization that had all the complexities and challenges of a start-up company coupled with the pain of a legacy brick-and-mortar organization, so naturally I'm hooked.

Imagine a fictitious organization called the ACME Widget Company, which for the last 50 years has been a business unit within a global widget manufacturer - and last year became a successful spin-off into their specific niche - the widget power unit. The power unit they developed was so good that other manufacturers started coming to them to power their widgets - so a spin-off was only natural, because the new organization was going to be able to build its own market and generate revenue more readily if it wasn't part of the parent widget maker.

Over the past year the Widget Power Unit Company has been busy creating its own infrastructure, hiring entire new departments which never existed before (they were services provided by the parent until a year ago!), generating sales, and manufacturing and shipping those power units all over the world. Business is good and now they're expanding globally to new markets, and scaling up their business.

Now I'm sitting around the table with Bill the CIO, Amy the "security manager", and a few other select people who run operations, architecture, and other critical components. Oh, one more thing is critical to think of here - the Widget Power Unit Company is nearly fully outsourced... each department within IT has a manager but behind them are small armies of contractors. Servers, desktops, networking, applications and other critical pieces including security operations (I use this term loosely here, bear with me) are all contractors. Making this matter even more complex, they're different outsourcing organizations. It's the usual list of IT outsourcing suspects, including a small, local boutique company. Ordinarily you'd take a hard look at this type of arrangement and question how this company gets anything done - but I assure you the arrangement, while not optimal, works.

Over the course of 2 days I had the opportunity to do in-depth discovery with all the leadership of the organization's Information Technology group. What struck me is hearing things like "We've never had to think about that before, that's always been provided by the mothership!" from Bill the CIO. This included things like risk management and legal functions!

As we were talking about strategy and trying to determine what his org structure would look like, services they would offer, and their insource/outsource strategy going forward it occurred to me just how difficult of a job Bill had ahead of him. This is a puzzle Dr. House would find worthy of his time, and I'm certainly thrilled to be engaged here.

The big challenge with this type of organizational profile is the presence of what we commonly refer to as legacy systems (systems and applications) that fall into the outdated bucket. Ordinarily start-ups don't face these issues since they're starting with a clean slate - but organizations that are spin-offs often face the worst of both worlds. They struggle with supporting outdated systems and applications which are vital to their mission, but at the same time are often strained to find the people necessary to keep these dinosaurs running.

  • People - Organizations that fit this profile have a major issue. You're hiring people who can tend to the dinosaurs, while trying to hire people who can make sure you're technologically competitive and able to innovate in today's market. Now consider that you are a start-up and hiring is a priority, but your pool of cash isn't endless. Good luck finding an employee that has the skills to maintain your COBOL systems while trying to help your organization be cloud-ready. Now if you find one of these folks - good luck affording them.
  • Process - Business processes that were largely supported (at scale, as a shared service) by the parent company now have to be replicated, and you need to hopefully replicate ancient processes using modern technology - this is a lot more difficult than it sounds if you haven't tried it.
  • Technology - You may carry some of the legacy systems and platforms with you from your old situation into the new independent business - but you'll likely not have all the resources since you didn't manage them yourself. Things like machine management tech (HMI, ICS systems) may come with the plant or factory or office - but other things like that SAP platform you depend on or the materials ordering system probably will need to be developed ... and your workforce knows that old system not some new replacement you put in place. Choosing your technology is a delicate dance of death on a high-wire. You also have to get things to inter-operate. You will likely have some dinosaurs talking to some new systems that are just shedding their shrink-wrap.
The challenges are many. The purse is likely small.

This is no time for a weak stomach, and desire to sleep, but it sounds like fun to me.

If you have survived this type of situation, and have any tips or advice - by all means - share it! On Twitter you can find me as @Wh1t3Rabbit, and if you want to discuss this post, or other similar security - business topics hit the hashtag #SecBiz.


Thursday, August 15, 2013

Unmasking th3 J35t3r ... or not

He goes by the Twitter handle th3j35t3r, and has taken the phrase "tango down!" from a military term to something that has come to mean that somewhere in cyberspace, a web server serving up hate or inciting Jihad is screaming. Sir J35t3r (or "J" as he is affectionately known to some) is loved, hated and even stalked (yep, seriously ... weirdo stalker alert!) - but above all he's respected.

So who is that masked man?

Some have guessed him a wounded warrior.
Some have guessed him a fraud.
Some have guessed him a CIA, NSA, FBI or other agency operative.
Some have guessed he's some kid in his mom's basement.
Maybe he's 5 penguins in a trenchcoat.

You know what, I don't think it really matters.

Many have tried to "dox" him, to dig deep and analyze his every word, move, geo-location and tweet to try and figure out his true identity. There have been some pretty interesting attempts, but you have to admit the guy could quite literally write the book on Operational Security (OpSec) - he's proving to be that good.

I'm going to go back to my previous statement - I don't really think it matters just who th3j35t3r is in real life - he's transcended the humanity of a human being and has become an idea many, many believe in.

Operationally, th3j35t3r does things that the US Government probably wants to do but doesn't want to get caught doing it...shutting down or temporarily disabling web sites that incite death and destruction across the globe isn't a clean business. Th3J35t3r has proven time and again that he's not afraid to get dirty, and break a few rules. When the organizations who should care are overwhelmed, under-resourced, and arguably over-matched we send in 007 with a jester hat.

So then who, or more importantly what is this @th3j35t3r?

He's me.
He's you.
He's everyone who gets sick to their stomach every time bureaucracy and red tape make it possible for good people to throw up their hands in defeat or stand idly by while bad people do bad things unchecked.

So I pose this ... you see people running around with those Guy Fawkes masks representing their movement ... maybe it's time for jester hats and jester masks? Maybe it's high time we acknowledge the idea behind the hacker.

Love him or hate him - Th3J35t3r is more than a person ... he's an idea whose time, I believe, has come.

Wednesday, August 14, 2013

Orange is the New Green

Hey everyone ... this is cross-posted from my HP corporate blog. I'm going to be doing this a lot more now because it's easier to comment, share, and link here...

If you've been to the airport a few times over the last decade, and your mind thinks in that slightly different way mine does, you have undoubtedly noticed something curious. Right after the tragic events of September 11th, 2001, things got a little crazy at the airports. Over the next decade or so the hype and fear-mongering didn't fall off as expected; instead, orange (alert level) became the standard for the next 10 years or so, as best as I can remember. The problem with this is, of course, that when you constantly live in "heightened fear" that becomes the new normal and the baseline adjusts. When the baseline adjusts, the general population adjusts to the new normal quickly, and that fear dissipates.

This was not the intended consequence, but it is human nature.

Consequently, this is also happening in the Information Security space…although it may be a good thing.

For the Information Security (or Cyber Security if you prefer) world, I would propose we've never been at condition green... it's been all orange all the time, but our ability to see that is just now maturing. I won't try and argue that the threat was as great in 1998 as it is now, but then again the level of technical capability and integration was significantly less. The threat to technology from the attacker has grown proportionally with the increase of technology in our daily lives. This shouldn't surprise anyone. More opportunity for the bad guys means more attacks, simple.

So what does this mean, for those of you working on defending your enterprise networks, systems, applications and critical intellectual property from the attackers and thieves? It means that orange is the new green… and we actually do live in what one executive has called a “post-breach” world.

Starting your day with the assumption that the enemy is likely among you already is not something most people, even hardened Information Security veterans, are comfortable with. That being said, this isn't a completely new concept and it shouldn't be that revolutionary. Except that it is. The problem is enterprises have collectively spent hundreds of millions of dollars (just a SWAG) on prevention, and when that approach didn't work they spent even more. So now we're at the same place we've been for a long time: condition orange. The enemy is inside the infrastructure, is watching us, and is waiting to strike when we're not paying attention. They know what you're doing (probably better than you), and know how to exploit you.

How will you adjust?

This is a wake-up call. How will your organization adjust to the acknowledged state of heightened risk – permanently? This is not a drill.

I’m kicking off a series of posts on this topic that I’ll address over the next few weeks, with some thoughts on how to actually live in an era where orange is the new green, and we have to assume we've been breached.

Sunday, August 11, 2013

US cyber defense versus the world...and ourselves.

An interesting article caught my attention earlier tonight - written by @sedaye_man it shines a bit of a spotlight on a topic that's been discussed in think tanks and around executive board room tabletop exercises ...but it has meaning for a much broader audience. The article is entitled "Will the U.S. - Iran cyber conflict escalate?" and it does more than merely pose a question that has a fairly obvious answer ...

The aforementioned article calls to light a recent publication called "Iran: How a Third Tier Cyber Power Can Still Threaten the United States" from an organization called the Atlantic Council. Interestingly enough, without even having to read the publication or attend the event they hosted, if you've been paying attention to the 'cyber' aspect of our daily lives you can start to see how even a "tier 3" country like Iran can and may likely cause substantial damage - financial, political and maybe in terms of human lives - to a "tier 1" country like the United States.

I'd like to take a slightly different perspective here, as you all already know me for doing. I'd like to point out a painful fact that the United States government is causing a large portion of its own demise. Allow me to explain...

What do countries like Iran, Syria and perhaps even China have in common? Once you get past the rebellious faction of the population, you quickly come to the nationalists. To an outside observer, countries like Syria, Iran and China are burrowing deep within the infrastructure of the United States, and other countries too, largely supported by their governments. These attacks are driven by nationalism to a degree - for example, look at the Syrian Electronic Army (SEA) - and fueled by the brainwashed hate of western society and the US.

Now, by itself this would all appear to be standard operating procedure and something the United States will simply have to deal with. But judging by the global news - and this very well may be because countries like China, Iran and Syria have tight control on their news outlets - while the nationalists from these countries are fighting the United States, the United States is fighting not only them but internal battles as well, with its own citizens. This I blame largely on the corruption inside the US, which has reached a fever pitch. It's not like this kind of unrest didn't exist before - only now we have the Internet and connected systems which can potentially open a dam and flood a town because the dam was mistakenly connected to the open Internet.

If you're in the business of protecting United States critical infrastructure, you have an interesting adversary model to build. On the inside threat you have groups like Anonymous (which by now we all know) and other hacktivists, and on the outside you have organizations like the Syrian Electronic Army and APT1. That is not an enviable position to be in.

One has to wonder whether the lack of a catastrophic incident involving a cyber aspect inside the United States is due to the tremendous skills of the defenders, the enemy biding their time, or simply incompetence and dumb luck... whatever the real cause this is not a good position for us to be in.

I can tell you this with reasonable certainty - adversary models would be a whole lot less complex if we didn't have an ever-expanding internal threat at a level equal to or greater than the external threat. Maybe it's time to rethink US internal and foreign policy ... and maybe that is the lesson of cyber?