Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: new year

The more things change, the more they stay the same!

AKA: 10 years of FAIL!

As it gets closer to the end of the year, you can’t help but despair at the seemingly un-ending flow of prediction posts. Heck even I threw one up on the blog (although more of a joke than anything else). Everyone (not just those trapped in the InfoSec echo chamber) seem obsessed with the next big thing, the year to come and what the future holds. I can see the attraction… looking back at all the mistakes we’ve made is never a nice thing.

I’m willing to bet that most people reading this think things have changed a lot in the last 10 years. We’ve got web 2.0 and things are more complex than ever! I thought the same, until I stumbled on a little bit of history while cleaning out the bookshelves. If you’re as old as me you probably remember those “Top Internet Website Guides” from years gone by. Before the almighty Google took search engines to a new level, people actually had books listing interesting websites. It was just such a book that caught my eye, and I couldn’t resist looking through it to see what the World Wide Web looked like back in 2001.

Websites come and go… they fall from favour and in the blink of an eye they’re gone from the world… some however stand the test of time and surprisingly enough, look pretty much the same now as they did back in 2001. Timeless design? Simple to use interface? or just a little bit of proof that not much changes in 10 years, even on the Internet!

This slideshow requires JavaScript.

Look familiar? I’m pretty sure it wasn’t that long ago that Apple.com was still using the same design! Still, that’s all fun and good, but this is an InfoSec blog, so let’s get to the point.

This trip down memory lane got me thinking… what was the landscape like back in 2001. What were the threats, the vulnerabilities and the issue we hoped to fix. What were the predictions and promises we made back in 2002?

Just looking through the schedules for Blackhat (US | EU) and DefCon for 2001 shows just how far we’ve come and how little we’ve actually achieved! 10 years on and the things that we’ve fought against are still the things that we’re fighting against today.

Just to pull a few examples from those schedules .:

One-Way SQL Hacking: Futility of Firewalls in Web Hacking (JD Glaser & Saumil Udayan Shah)

WebApp Security: The Land that Information Security Forgot (Jeremiah Grossman)

Hackproofing Lotus Domino (David Litchfield)

Web Vulnerably & SQL Injection Countermeasures (1-2) (Tim Mullen)

GSM / WAP / SMS Security (Job de Haas)

Hacktavism Panel (cDc)

OS/X and Macintosh Security (Freaky)

Scary isn’t it! I’d love to see the reaction people would give if these talks were listed in a conference this year. I’m not sure about you, but I’d think it was a pretty good lineup and relevant to our current issues.

Whats the moral of this story… simple really. We’re failing. You’re failing, I’m failing, and everybody who thinks they’re not is deluding themselves. We’re stuck in this constant InfoSec circle-jerk where we each tell the next how much better things are and how we’re making the world a better, safer place. In reality all we’ve achieved in the last 10+ years is to form an industry around InfoSec that helps to maintain the status quo. We’ve built this virtual altar were we pray at the feet of so-called InfoSec rockstars. The people who we look to, to make things better for us. Well, sorry to say, but Dan Kaminsky isn’t going to come down your chimney this Christmas and leave you a shiny black box that solves all your APT woes! Although, I for one think it would make a cool movie plot! Jeremiah Grossman isn’t going to wave a magic wand and make your SQL injection vulnerabilities disappear in a puff of magical pink smoke… although, it would make a funny clip for next years DefCon (hint, hint)

The more things change, the more they stay the same!

Right about now you’re probably laughing, shouting or just saying to yourself “well he’s just pointing out the problems we already know about… where are the answers loudmouth!”. I don’t blame you, I’d be saying the same thing.

So, what would I do?

Well, in my VERY uneducated opinion these are the things I’d do to make a start in getting to security utopia.

Back to basics

No point in wasting that €75,000 on an all singing, all dancing WAF solution.

What do you expect that WAF to protect? Get to the REAL problem. Train your developers, implement (or begin to implement) an SDLC / process to ensure secure code is put on the web, not Friday afternoon code!

Invest in some basic code analysis… even if that’s just grep and some regex. Start small, and focus on the biggest issues. No point in spending all your budget on a single XSS flaw, when your site is riddled with SQL Injection bugs.

Hardening

Is this a lost art form?

Your WAF / IDS / IPS / Firewall / Black Box with blinky lights, is not going to stop everything. Hardening a system was always the FIRST thing people did before unleashing it on the Interwebz. How about we don’t forget that, and actually spend some time coming up with secure base images for systems!

Hardening goes beyond the external… make sure that when an attacker gets onto your box, and yes the WILL, that they’re tools are useless. Remove netcat, remove GCC and the Linux headers, chroot everything. None of these is a foolproof solution, but make them fight for every inch, and just maybe you won’t be on the front-page of every major newspaper the world over.

Balance

I’ve already posted my thoughts on relying on vendors for everything, and I stick by that. It’s important to have a balance between technology, process and the trained staff to run things. Too much of one or the other and your doomed to failure.

The black box with blinky lights needs somebody to monitor it, tune it, and manage it. If that’s not part of your budget (along with appropriate training and testing time) then what do you expect to gain from buying it. It’s an all or nothing package, and saying “we’ll train on the job” is the first step towards the cliff.

Know your systems, know your company

It’s a sad day when a company gets hacked through a system they didn’t even know they had! Just look at the Sun newspaper. Hacked through old outdated websites they probably didn’t even know still existed anymore. You think you know your network? Go and double-check, because there’s a server somewhere you never know you had!

Security isn’t all about systems… it’s about protecting the business. Most InfoSec professionals however, have almost zero knowledge about what information is valuable to the company. How can you protect something you don’t even know exists. You can’t stop every attack, and trying is a fool’s errand. Knowing where your crown jewels are stored allows you to protect what you know is important, while trying to keep everything else as safe as it can be!

Well that’s it… I don’t think I have a magic pill for the world… but I’d rather accept that we’re part of the problem and start looking to solve it, then just close my eyes and hope for InfoSec Santa to bring me a new Firewall!

Merry Christmas… let’s make it a happy new year!

Closing 2010… and opening 2011

Nobody could claim 2010 was an uneventful year for me… It’s been a year of highs and lows, that’s kept me on my toes. It’s not all been a bed of roses, but what doesn’t kill us makes us stronger. If this is the worst thing that happens to me in my life, then I’m still better off then most!

I’ve shied away from doing a predictions type posts, because most are nothing but rubbish from start to end. Filled with buzzwords from the last few months, with no real substance, and very little point to them. Right now we don’t have the solutions… just a whole heap of problems. So how can anything change? Everything will stay just about the same… companies will fail to secure themselves and the bad guys will keep in winning. Sad but true!

Anyway, as I sit and look back on last year and what I want this year to be, I want 2011 to be a year of firsts for me, as 2010 was in many ways.

2010 (Ghost of Christmas past)

  • I began to finally look at Python scripting
    • About darned time! How did I ever cope without scripting things?
  • My first Python tool was released (UA-Tester)
    • Followed by a few simple Python PoC scripts…
  • I gave a lightning talk dressed as a pimp
    • A moment not to be forgotten easily ;)
  • Eurotrash Security Podcast reached it’s 1st Birthday and is going strong
  • The blog reached the 3 year mark
  • LIGATT
    • What more is there to say!

2011 (Going boldly….)

It’s hard to say what the industry will do in 2011… I couldn’t tell you what the latest buzz words will be by the time DefCon rolls around, but I can at least say what I intend to achieve… or at least try to achieve!

  • Have my first Metasploit module accepted into SVN
    • A number of SAP modules are already waiting for the final go!
  • Reply to the CFP for at least 1 conference
  • Give at least 2 more lightning/fire talks in various subjects
  • Put the LIGATT issue to bed
    • I’m tired of it, you’re tired of it… time to put a nail in that coffin
  • Teach developers about security through workshops
    • Already in the works with 1 company, and hopefully more to come!

Here’s to a near year and new challenge… If there’s no challenge anymore, then it’s time to move on!

It’s 2010 already!

Wow how time flies. 10 years ago I was working in London for a share registrar company, and praying the NT4 systems we were using wouldn’t fold when Y2K hit. How times change. Now I’m living in Austria, and doing a job that I really like, instead of one that just pays the bills. Life’s too short to not enjoy your work.

In honor of the past and the future I’ve made a few (subtle) changes to the blog. Gone is the änal security guy (long story, ask me over a few beers) and I’ve gone back to using a nickname that I’ve not used in 5 years or so, catch22 (catch for short). That too is a long story, but at least the domain name c22.cc makes a little bit more sense now. Oh and I won’t have so many problems with badly programmed web-filters marking the blog as porn (hence the ä in the old title).

So what’s to come for me in 2010 ? It’s going to be another busy year I think. Lots of conferences planned already, and lots of things to get done. I’ve also come up with a few new years resolutions, and I plan to stick to them (this time). By posting them here you guys can all hassle me and call me a big fat liar if I don’t come through with the goods as well. No pressure ;)

  • Diet –> Because too many cons have taken their toll on my once slender and toned figure
  • Friends –> I’m notoriously bad for losing contact with people and spending too much time locked in a room alone… time for a change
  • Read more –> I keep getting new books, so time to read more and …
  • Watch TV less –> To make room for the books, friends and …
  • Projects –> Finish some, instead of leaving them half-finished with a blog post promising “more on that later”
  • Charity –> Life’s been good to me even through tough times. So it’s time to give back !

So, if you see me at a con this year and I’m breaking any of these rules, I give you the right to tell me to my face that I’m an idiot…. trust me, with my willpower, I need all the help I can get !

Happy New Year everyone, and lets hope that 2010 is the year people realise they’re just making things worse (in security and in general).

Stop being part of the problem, and start being part of the solution.

Be good to each other !

Follow

Get every new post delivered to your Inbox.

Join 243 other followers