Security Rants

But, we've ALWAYS done it like this!

2008-02-07T18:20:00.000-05:00

Tradition is no substitute for a good reason.

Peter Tippett.

Know who he is?

Of course you don't.

He's just the vice president of risk intelligence for Verizon Business, chief scientist at ICSA Labs, and the inventor of the program that became Norton AntiVirus.

Not a bad resume.

He had some very interesting points to make recently in an article with Dark Reading.
Seriously, you should be reading Dark Reading.

Meanwhile, back at the ranch... Peter Tippett said something that I have been trumpeting for years. (I'm so validated! GRIN)
""Employee training sometimes gets a bad rap because it doesn't alter the behavior of every employee who takes it," he said. "But if I can reduce the number of security incidents by 30 percent through a $10,000 security awareness program, doesn't that make more sense than spending $1 million on an antivirus upgrade that only reduces incidents by 2 percent?""

WOO HOO!!! Give the man a CIGAR!!!

He makes other great points as well, but this one is GOLDEN!

It's the human element that continues to be the weak point.
Why waste time guessing passwords when I can ask someone to just give me theirs?
Why pick a lock when someone will just open the door for me?

So much of what we are doing as Security Practitioners is just a big waste of time.
We're locking the barn door after the cows are down the road and in the slaughterhouse.

Why do we have mandatory "Sensitivity Training" but we couldn't care less if Joe Schmo in the mail room opens his FluffyBunny.txt.exe attachment in his email and now the whole organization is boned.
Boned, being a technical term.

We're back to the Theater of Security.
It doesn't actually do anything, but it looks great and gives us all kinds of expensive warm fuzzies.

After all, it's not how you are, it's how you feel!

Busting the GUI for fun and profit!!!

2008-02-01T14:32:00.000-05:00

Ok.
I admit it.
I LOVE MYTHBUSTERS!
There, I said it.
These guys are incredible. I absolutely love how they go in and tear apart all these pervasive myths about how and why things work or don't work.
We need more of that.
Worst offenders?
Our own school system.
But, I digress.

Recently, Jamie Hyneman of Mythbusters fame wrote a great article on what's wrong with current technology.
I found it to be very well written and hits the nail on the head of an industry gone wrong.
"..As machines become more complicated, good interface design becomes more essential—you can't just keep adding buttons and menus."

Modern design of just about everything in Tech is appalling.
From the interface to the backend.
To say nothing of the pointy haired bosses!
Firewalls that are a pain to configure. Routers that need special voodoo to route. Anti-virus that is a huge resource hog and is too difficult for the average user to configure. Security ends up being theater and innovation is a labyrinth of incomprehensible menus and configurations.

Does anyone wonder why so many WIFI routers are not configured with any security?
It's because it's too stinkin' hard for most people to handle and they either believe (Falsely) that it's all been done for them or that it really doesn't matter anyway!
"Hey, we bought some security. Now, you say we have to configure it? It should just know to secure us!"

Even IT Professionals fail miserably at this basic task.
If I had a nickel for every router, firewall, WIFI access point, server, etc that still had the default passwords on it, I'd be flippin' rich!

We need better associative interoperability on all our devices.
Devices should negotiate from the highest security settings they are capable of and move down by default. Currently, all too many devices start out with ZERO security turned on by default.
Why can't my wireless router see devices in the area and let me pick which ones I want to be able to connect to it? Then let it auto-negotiate the security based on defaults or mandatory settings that I choose.
Heck, why can't my router act as an intelligent and secure bridge to other networks in an easy to use fashion?

The hardware is very capable, the ideas are all around us.
Corporations and both greedy and very lazy.
A dangerous combination.

Don't believe me?
Linksys is owned by Cisco. Arguably, the top dog in networking.
They are the bee's knees in this field and you would think they would leap at the chance to make the absolute best and most affordable gear for the home market.
Frankly, they could do a LOT better.

Linksys firmware is still pretty primitive overall.
A number of third party's have come up with better firmware and they GIVE IT AWAY!
You heard me! FREE!!! NO COST!!!
DD-WRT, Tomato, and OpenWrt are just a few of many.
(Brief opinion here, been running DD-WRT on a 20 dollar Linksys WRT54GS 2.0 for a few months now and I LOVE IT! Beats the brains out of my 75 dollar SMC!)

Other problems are simple issues that no one seems to notice or care about that would make a HUGE impact.
Email encryption. User education. IPv6 (There, I said it!)

What does this have to do with the topic?
VERY POOR INTERFACE DESIGN MEANS PEOPLE WON'T USE IT!

We have devices with great features that go unused, great security that doesn't get configured or even turned on, great innovations that sit and rot because it's just too arcane.
We get used to this nonsense and never demand any better.
Why not?
Because everyone just assumes that the next batch will be even more incomprehensible.

All too often, they're right.

How to owe money by doing NOTHING!!!

2007-11-21T11:55:00.000-05:00

This one is just beyond the pale.
Even for these vampire banks and credit card companies.
I'm just amazed at the GALL they have, to say nothing of the outright FRAUD that is attempted.

Just read a post from The Twelve Angry Men blog.
These guys are doing some terrific work, more power to them!

Well, here's the link for the item that caught my interest.

Force-Post, or Huh? I haven’t even activated the card!

Basically, it boils down to all this "Opt Out" nonsense.
In other words, you have to tell them EXPLICITLY that you DON'T want something or they can go ahead and charge you for it!

The result of such insanity, you ask?

"In the particular case I am speaking of, customers had run up balances of $1500 or more having never activated their card. Not to mention royally screwing their credit histories at the bureaus.
A regular merchant could never post a settlement against an unactivated card as this is a principle barrier against merchant fraud. But the issuing bank, who usually also runs either an enhancement business unit, or contracts for one, OWNS the cardholder masterfile. By masking out the activation character position in the master file by means of a COBOL program,they can run the enhancement sales orders against the master file and ‘force post’ the enhancement product sale. The pretense is that this is valid and legal because the customer indicated a desire to purchase the enhancement, even though the product is an enhancement against a non-active account."

And people wonder why I go with a Credit Union???

What a business prospect!
Charge people for something they never asked for. In doing so it puts a big time hurt on them but not enough to be forced to get a lawyer.
Everyone BUT you profits!
For almost ZERO COST!!!

Educate yourselves.
Write letters to Congress and the Senate.
Write to the FTC.
Write letters to the Editor of your local paper.

STOP TAKING THIS LYING DOWN!!!

Do you need to have permission to have rights???

2007-11-03T14:15:00.000-05:00

I just read an outrageous article and opinion by a Detroit News Writer. A Mr. Chris McCosky.
I fully credit him and since I am a Detroit resident, I would LOVE to take him up on his challenge,
"We actually talk to, in person, the people we write about. If we rip somebody in an article, you best be sure most of us will confront that person the next day and take whatever medicine we need to take."

Please! Contact me at your earliest convenience regarding this. I will happily meet with you to discuss this.

The article as posted.
http://detnews.com/apps/pbcs.dll/article?AID=/20071103/OPINION03/711030306

Bloggers most certainly ARE journalists.

You state (and I credit you with), "It's actually getting to the point now where some (too many) of the bloggers are using cyberspace to discredit the legitimate media. "
What makes media legitimate?
The scandals? The yellow journalism? The favoritisms? The backdoor deals? The lack of ethics? Being beholden to advertisers? Endorsing popular opinions over the truth?
They deserve to be discredited when they are wrong. At every opportunity! THAT is freedom! The freedom to question, to dig, to examine, to hold up something or someone to the harsh light of the truth.
No one is above scrutiny!
Not even you.
The dictionary describes journalism as "Written material of current interest or wide popular appeal".
I would say bloggers are engaged in journalism by definition.
Since when are the rights of freedom of the press only granted to a favored few?
That is an outrage to even suggest that!
Who is to say what is legitimate media?
Who mandates that? No one does and no one should ever!
The act of writing creates the journalist and it's resulting product is journalism. It doesn't matter if you like it or not.
We are born with these inalienable rights. NOT granted them by a university or by being hired onto a staff.
Freedom of the press is universal. From the kids printing up thier own 'zines to the New York Times.
To be a journalist is simply to exercise ones rights that cannot ever be taken away.
I WILL exercise my rights that I was born with.
You CANNOT take them away.
I AM a journalist!

If you're not one of US, then you MUST be one of THEM!

2007-11-01T12:01:00.000-05:00

Bruce Schneier is fast becoming my favorite voice of reason in the wilderness.
He just wrote a tremendous article on the irrational concepts of the Citizens Reporting Atypical Practices. In short, C.R.A.P!

http://www.schneier.com/blog/archives/2007/11/the_war_on_the.html
"We've opened up a new front on the war on terror. It's an attack on the unique, the unorthodox, the unexpected; it's a war on different. If you act different, you might find yourself investigated, questioned, and even arrested — even if you did nothing wrong, and had no intention of doing anything wrong. The problem is a combination of citizen informants and a CYA attitude among police that results in a knee-jerk escalation of reported threats... After someone reports a 'terrorist threat,' the whole system is biased towards escalation and CYA instead of a more realistic threat assessment... If you ask amateurs to act as front-line security personnel, you shouldn't be surprised when you get amateur security."

This will, of course, result in his immediate investiation for Journalists Investigating Internal Government Operations.
Jingo!
http://en.wikipedia.org/wiki/Jingoism

Ok, all kidding aside. The new witch hunts are here.
I see no reason to believe that these will turn out any differently from the past ones.
We already have descended to this hysteria,
http://www.bloggernews.net/18108

I found the best quote regarding this on SlashDot,
"The war on Terror is a war against an emotion... Anything which can cause fear is therefore subject to the war. In that way it's the perfect war for politicians."

Who makes money off this war on (insert today's fear response here)?
Who gets more rights then you do?
They, are your enemy.

If the product is so great, why not stand behind it?

2007-07-07T11:37:00.000-05:00

Just had a very inspiring read from Charles Cooper at Cnet's News.com

http://news.com.com/8301-10784_3-9740409-7.html?part=rss&subj=news&tag=2547-1_3-0-5

The simple question at the heart of it is, Why don't companies warranty their product for a reasonable time anymore?
Sure, you can BUY an extended warranty. Corporation LOVE the profit margins on those!
But, why not a reasonable warranty?

Case in point,
Sooner or later, shoddy quality is going to bite you.
HARD!
When it does, it costs big.
About a BILLION DOLLARS big.
http://games.slashdot.org/games/07/07/06/1330228.shtml
Demand more, demand better!
Write to your congressional representative.
I even made it really easy right here on the website!
Nothing will get fixed if we don't start demanding something be done!

But, at least they're saving money, off-shoring your job!

Better security, eh? Sure it is!

2007-07-02T19:35:00.000-05:00

Oh great!
Microsoft is at it again.
More reporting back to the mothership of your data.

From the article, http://news.softpedia.com/news/Forget-about-the-WGA-20-Windows-Vista-Features-and-Services-Harvest-User-Data-for-Microsoft-58752.shtml

"The Redmond company emphasized numerous times the fact that all information collected is not used to identify or contact users. But could it? Oh yes! All you have to know is that Microsoft could come knocking on your door as soon as you boot Windows Vista for the first time if you consider the system’s computer information harvested. Microsoft will get your "Internet protocol address, the type of operating system, browser and name and version of the software you are using, and the language code of the device where you installed the software." But all they really need is your IP address. "

When is this going to end?
When are the consumers, especially the corporation, going to stand up and refuse this type of spyware?

One simple solution?
Go Open Source.
Frankly, I'm seeing less and less reason to not switch to Linux.

It's YOUR computer, YOUR data, YOUR security.
You deserve better!

2007-04-12T13:33:00.000-05:00

Just got done reading a VERY interesting paper by Richard Clayton.

http://www.lightbluetouchpaper.org/2007/04/03/there-arent-that-many-serious-spammers-any-more/

I was made aware of it from Bruce Schneier's Blog. (A must read btw, GO BRUCE!)

http://www.schneier.com/blog/

It appears that just a few spammers may be responsible for the majority of spam out there.
Could Alan Ralsky from the Metro Detroit area be one of them?

http://en.wikipedia.org/wiki/Alan_Ralsky

Could Sandford Wallace be back in action?

http://en.wikipedia.org/wiki/Sanford_Wallace

Only the Shadow knows.

http://en.wikipedia.org/wiki/The_Shadow

Now seriously folks, this really is important.
If this is the case, we really have a chance at nailing a good bit of the problem.
5 or 10 people versus tens of thousands?

You may be asking, "Why is he interested in Spam?"

http://news.com.com/Spam+law+a+matter+of+fax/2100-1028_3-994076.html

As you can see, I am not a fan of spam in the least.
It's essentially the same as telemarketing using collect calls.

Are you sick of 90% of your Inbox being spam?
Get off your duffs and get ahold of your Congressman!
http://www.rallycongress.com/letter2congress/698/?gclid=CNXehdXtvYsCFRgXEAodY1blyQ

Remember, we're all in this together.

When you dont challenge a myth, it becomes a religion.

2007-04-12T09:41:00.000-05:00

Paul Ohm wrote a surprisingly refreshing and sobering piece on the myth on the superhacker.

Guess what? Another Slashdot.org link!
http://it.slashdot.org/article.pl?sid=07/04/11/1952247

One part that I think was really on the point was,
"First, some statements of Superuser harm are so hyperbolic as to be self-disproving. For example, as Cybersecurity Czar under the Clinton and second Bush administrations, Richard Clarke was fond of saying, “digital Pearl Harbors are happening every day.” I’m not sure what meaning Clarke was giving to the phrase, digital Pearl Harbor: he may have meant attacks with the psychologically damaging effect, horrific loss of life, terrifying surprise, size of invading force, or historical impact of the December 7, 1941 attack; no matter which of these he meant, the claim is a horribly exaggerated overstatement."

Now, I'll be the first one to dust off the old aluminum foil fedora for a nice tiptoe through the tulips. But, this is just beyond the pale.
All this "the sky is falling" just deadens us to actual threats, and boy are there plenty of those.

This leads us handily to the next part.
The response to the boogey man on the Internet!

"The CFAA’s (Computer Fraud and Abuse Act) prohibitions cover an expansive laundry list of activity. You might be a felon under the CFAA’s broad “hacking” provisions if you: breach a contract; “transmit” a program from a floppy to your employer-issued laptop; or send a lot of e-mail messages. And even if the FBI decides not to prosecute you for these transgressions, the broad CFAA gives it the right to investigate you, to read your e-mail messages and maybe even wiretap your phones and Internet connections."

Well, if you aren't guilty of anything, you should have no problems with any of this!
"Officer Jellydonut, hand me my rubber gloves. Just going to have a little look-see!"

I think that covered infringement of civil liberties pretty well, don't you?

The next exhibit in our Alleyway of Fear, Uncertainty and Dread would be the end result and failures of our industry and it's so called "experts".

"Finally, too many experts consider online risk assessment to be somebody else’s concern. Computer security experts often conclude simply that all computer software is flawed, and that malicious attackers can and will exploit those flaws if they are sufficiently motivated. The question isn’t a technology question at all, they contend, but it is about means, motive, and opportunity, which are questions for criminologists, not engineers. "

Nothing like the classic "somebody else's problem".
But, it's everyone's problem.
Seriously, it affects and impacts you, me, Grandma, the schools, the job market, the stock market. (Boy, I'm starting to sound a bit paranoid here, eh?) (I can say eh, I live 20 minutes from the Canadian border!) (Michigan joke)

We desperately need greater information sharing and peer review.
We need empirical evidence and the harsh light of day.
We need to stop buying the lie!

We must demand that at the very least, best practices that are recognized by the IT Security industry are in place and enforced.

IT needs to be a democracy, but not at the expense of the true data owners.
Mr. and Mrs. America.

The long arm of the lawyer!

2007-04-03T09:43:00.000-05:00

OK,
I'm all for full disclosure.
But!

When the RIAA's lawyers start fishing expeditions like this, it's just too far reaching!
As was reported on Slashdot.org, http://yro.slashdot.org/article.pl?sid=07/04/02/0516242
""The RIAA's attempt to get Ms. Lindor's son's desktop computer in UMG v. Lindor has been rejected by the Magistrate Judge.

The judge said that the RIAA 'offered little more than speculation to support their request for an inspection of Mr. Raymond's desktop computer, based on ... his family relationship to the defendant, the proximity of his house to the defendant's house, and his determined defense of his mother in this case. That is not enough. On the record before me, plaintiffs have provided scant basis to authorize an inspection of Mr. Raymond's desktop computer.'"

This amounts to an attempt to get free shots at just about anyone's computer based on the arguments of relationship, proximity, and the fact that they are against just this sort of strong arming in the first place!

"You don't agree with us, so you MUST be guilty too!"

Oh yeah, THAT fills me with warm, fuzzy feelings.

I'm amazed how a group that can be behind consumer rights restricting DRM, installing RootKits on customers machine, unfair and monopolistic practices and such self serving legal wrangling and can STILL survive.

It's not about the music, it's about the profit margins!

Ignorance of merchants and what it's costing you!

2007-02-21T19:56:00.000-05:00

A new article on Slashdot.
BTW, if you aren't reading Slashdot, you need to.

"A scheme to steal customers' credit and debit card information at a New England supermarket chain highlights a little-understood fact about credit card security: Customers still think that the credit-card companies have to eat fraudulent charges, but since the PCI DSS standards were adopted, it's actually the merchant banks and merchants who have to pay up. And, according to the blogger writing in the latter article, it's a good thing." "The main reason PCI exists is that there are tens of thousands of merchants who don't understand the basics of information security and weren't even taking the very minimum steps to secure their networks and the credit card information they stored... PCI pushes that burden downstream and forces merchants to... put in a properly configured firewall, encrypt sensitive information and maintain a minimum security stance or be fined by their merchant banks... [T]he credit card companies have taken the bulk of the financial burden off of themselves and placed it on the merchants, which is where much of it belongs...'"

Amazing!
The small to medium business's are just RIPE for enterprising security practitioners to do work for and it's really quite an untapped market!
Then again, I hear time and again. "No one wants to hack us! We're the little guys! They only want the huge companies!"
Remember those words. As a security practitioner you will hear them often and loud.
They simply don't want to spend a nickel preventing what they don't see as a problem, until it happens to them.
Why isn't the IT Security industry targeting them with an educational campaign?

The problem is, yes, the credit card companies are shifting the financial burdens to the merchants. But, this protects them with only the byproduct of protecting us. Not the intention at all. Merely a benefit.
I really have yet to see where we are being implicitly protected.
Why aren't we?
Because there isn't a profit margin in doing so and the lawmakers aren't interested in creating real protections for consumers.
So again, here we are in the leaky rowboat.
But again, the end of the month figures look great!

The myth of security.

2007-02-19T08:58:00.000-05:00

First post!
Finally, what I couldn't do on Slashdot. :)

So, with that out of the way...

My name is Mark Reinertson. I'm an IT Security practitioner in the Metro Detroit area.
How dull, right?

Ok, on with the rants. This is called Security Rants for a reason.
Here we go.

At Defcon 14, just this past summer in Las Vegas, I got to ask the "Meet the Feds" panel a very important question.
What is the government doing or going to do to safeguard our personal financial data when it is being sent overseas? Bearing in mind that, we the people, are the data owners. The corporations are merely the data stewards.
The reply you ask?
I was told "We don't tell corporations what to do".
WHAT??? Wait just one second there! Since when does the federal government NOT tell corporate America what they can and cant do???
Last time I checked, it was government of the people, for the people, by the people!
NOT, of a few people on a board of directors, by a few people on a board of directors, and for a few people on a board of directors!
The idea of our personal financial data being sent overseas with virtually zero safeguards scares me to death! What is going to prevent mass identity theft?
This has the potential for disaster that makes 9/11 look like a drop in the bucket!
But, the month end figures look great!