Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: rant

The more things change, the more they stay the same!

AKA: 10 years of FAIL!

As it gets closer to the end of the year, you can’t help but despair at the seemingly un-ending flow of prediction posts. Heck even I threw one up on the blog (although more of a joke than anything else). Everyone (not just those trapped in the InfoSec echo chamber) seem obsessed with the next big thing, the year to come and what the future holds. I can see the attraction… looking back at all the mistakes we’ve made is never a nice thing.

I’m willing to bet that most people reading this think things have changed a lot in the last 10 years. We’ve got web 2.0 and things are more complex than ever! I thought the same, until I stumbled on a little bit of history while cleaning out the bookshelves. If you’re as old as me you probably remember those “Top Internet Website Guides” from years gone by. Before the almighty Google took search engines to a new level, people actually had books listing interesting websites. It was just such a book that caught my eye, and I couldn’t resist looking through it to see what the World Wide Web looked like back in 2001.

Websites come and go… they fall from favour and in the blink of an eye they’re gone from the world… some however stand the test of time and surprisingly enough, look pretty much the same now as they did back in 2001. Timeless design? Simple to use interface? or just a little bit of proof that not much changes in 10 years, even on the Internet!

This slideshow requires JavaScript.

Look familiar? I’m pretty sure it wasn’t that long ago that Apple.com was still using the same design! Still, that’s all fun and good, but this is an InfoSec blog, so let’s get to the point.

This trip down memory lane got me thinking… what was the landscape like back in 2001. What were the threats, the vulnerabilities and the issue we hoped to fix. What were the predictions and promises we made back in 2002?

Just looking through the schedules for Blackhat (US | EU) and DefCon for 2001 shows just how far we’ve come and how little we’ve actually achieved! 10 years on and the things that we’ve fought against are still the things that we’re fighting against today.

Just to pull a few examples from those schedules .:

One-Way SQL Hacking: Futility of Firewalls in Web Hacking (JD Glaser & Saumil Udayan Shah)

WebApp Security: The Land that Information Security Forgot (Jeremiah Grossman)

Hackproofing Lotus Domino (David Litchfield)

Web Vulnerably & SQL Injection Countermeasures (1-2) (Tim Mullen)

GSM / WAP / SMS Security (Job de Haas)

Hacktavism Panel (cDc)

OS/X and Macintosh Security (Freaky)

Scary isn’t it! I’d love to see the reaction people would give if these talks were listed in a conference this year. I’m not sure about you, but I’d think it was a pretty good lineup and relevant to our current issues.

Whats the moral of this story… simple really. We’re failing. You’re failing, I’m failing, and everybody who thinks they’re not is deluding themselves. We’re stuck in this constant InfoSec circle-jerk where we each tell the next how much better things are and how we’re making the world a better, safer place. In reality all we’ve achieved in the last 10+ years is to form an industry around InfoSec that helps to maintain the status quo. We’ve built this virtual altar were we pray at the feet of so-called InfoSec rockstars. The people who we look to, to make things better for us. Well, sorry to say, but Dan Kaminsky isn’t going to come down your chimney this Christmas and leave you a shiny black box that solves all your APT woes! Although, I for one think it would make a cool movie plot! Jeremiah Grossman isn’t going to wave a magic wand and make your SQL injection vulnerabilities disappear in a puff of magical pink smoke… although, it would make a funny clip for next years DefCon (hint, hint)

The more things change, the more they stay the same!

Right about now you’re probably laughing, shouting or just saying to yourself “well he’s just pointing out the problems we already know about… where are the answers loudmouth!”. I don’t blame you, I’d be saying the same thing.

So, what would I do?

Well, in my VERY uneducated opinion these are the things I’d do to make a start in getting to security utopia.

Back to basics

No point in wasting that €75,000 on an all singing, all dancing WAF solution.

What do you expect that WAF to protect? Get to the REAL problem. Train your developers, implement (or begin to implement) an SDLC / process to ensure secure code is put on the web, not Friday afternoon code!

Invest in some basic code analysis… even if that’s just grep and some regex. Start small, and focus on the biggest issues. No point in spending all your budget on a single XSS flaw, when your site is riddled with SQL Injection bugs.

Hardening

Is this a lost art form?

Your WAF / IDS / IPS / Firewall / Black Box with blinky lights, is not going to stop everything. Hardening a system was always the FIRST thing people did before unleashing it on the Interwebz. How about we don’t forget that, and actually spend some time coming up with secure base images for systems!

Hardening goes beyond the external… make sure that when an attacker gets onto your box, and yes the WILL, that they’re tools are useless. Remove netcat, remove GCC and the Linux headers, chroot everything. None of these is a foolproof solution, but make them fight for every inch, and just maybe you won’t be on the front-page of every major newspaper the world over.

Balance

I’ve already posted my thoughts on relying on vendors for everything, and I stick by that. It’s important to have a balance between technology, process and the trained staff to run things. Too much of one or the other and your doomed to failure.

The black box with blinky lights needs somebody to monitor it, tune it, and manage it. If that’s not part of your budget (along with appropriate training and testing time) then what do you expect to gain from buying it. It’s an all or nothing package, and saying “we’ll train on the job” is the first step towards the cliff.

Know your systems, know your company

It’s a sad day when a company gets hacked through a system they didn’t even know they had! Just look at the Sun newspaper. Hacked through old outdated websites they probably didn’t even know still existed anymore. You think you know your network? Go and double-check, because there’s a server somewhere you never know you had!

Security isn’t all about systems… it’s about protecting the business. Most InfoSec professionals however, have almost zero knowledge about what information is valuable to the company. How can you protect something you don’t even know exists. You can’t stop every attack, and trying is a fool’s errand. Knowing where your crown jewels are stored allows you to protect what you know is important, while trying to keep everything else as safe as it can be!

Well that’s it… I don’t think I have a magic pill for the world… but I’d rather accept that we’re part of the problem and start looking to solve it, then just close my eyes and hope for InfoSec Santa to bring me a new Firewall!

Merry Christmas… let’s make it a happy new year!

5 Things I don’t want to see

This post stems from a short debate at HAR2009 (at the bar, obviously) over some of the talks that we’d seen at recent conferences. I thought a few times about whether or not to write this up, as I’m pretty sure there will be strong opinions. However that’s what blogging is for really. I hope this can stir up at least a mild response and make some of the conference organizers think twice about their selection process next year. After all it’s all about what people want to see.

Have you ever booked to attend a conference before you’ve seen the program ? Sure you have, sometimes it’s the only way to get the cheap flights, good hotels and early-bird entry prices. We all do it sometimes. In-fact I tend to book most of my conferences based on reviews of last years event, or word of mouth. This bought to mind my 2009 conference experiences so far. Most, if not all, have been very good. Lots of great people and a mixture of good, and not so good talks. Not everything can be good for everybody though. You can’t please us all. However, with that said, I’m sure they could be better. Don’t get me wrong, I know planning a conference is a very hard thing to do. I’ve no idea how some of these people manage it year after year. However I also know that nothing changes without feedback. So, without further padding, here are my 5 things (in no particular order), that I don’t want to see at a conference.

  • Another talk about Conficker/W32.Downadup

The Conficker worm has been one of the biggest talked about stories of 2009 so far. The media loved it. Mostly because they love everything doom and gloom, but that’s another story. Conficker even won a Pwnie award at Defcon this year for the most over-hyped bug. So naturally everybody and their 3rd cousins little sister wants to talk about it. We’ve had talks on how to combat it, talks on how it works, talks on how the AV vendors reverse engineered the worm and learnt how it worked. I saw a talk back at the beginning of the year on how Conficker helped secure peoples networks. I know what you’re thinking, but I tend to agree. Ask me about it over a drink and I’ll talk endless about it I’m sure. Still, that’s not the focus of this little rant (yes, I know this is a rant). To add to the fun, we’ve had all these talks for each different variant of the worm (A through E). Hell, I’ve even seen Microsoft talking about how they worked on the MS08-067 bug and fought against Conficker from the OS side. It was very interesting and I learnt a lot, but still, it’s time to say enough is enough and move on. Things are under control, nothing to see here, please move along. If we’re still seeing talks on this through till CCC in December, then I’ll be disappointed.

  • The Estonia/Georgia Cyberwar

Apart form the large percentage of security professionals that would be shouting “there’s no such thing as Cyberwar”, there is an equally large collection of people begging those who were involved in the various talks about it, to move on. The details of both these events, the social aspects, and the possible impact on future conflicts, have been examined, and re-examined, more times than most of us would care to discuss. I remember attending a talk on this at last years CCC and was already thinking the topic was old by then. I’m sure there are many aspects that still interest people, and they may be valid for a round-table discussion. However rehashing the same (limited) facts we have on these events doesn’t move us forward from my point of view. With the latest cyber attacks on the US that were rumoured to have come from North Korea (or England if you’ve read the same information I have), then I’m sure the next wave of talks with limited or no firm information is already being sent to the next Call For Papers. I’m sure the people who attend RSA next year will love it.

  • Speakers who’ve been here forever.. or the old boys club

Now, I know I’m going to get some hate-mail for this one, but I’m sure we’ve all seen it. You turn up to a talk from a speaker who was the hottest thing since pizza pockets at last years event (they’re better than sliced bread right ?), just to find that nobody ever asked what he/she was talking about this year. Now, I understand there are some researchers who want to keep things close to their chest for legal, personal, or just comedic reasons. However a Call For Papers should involve a little more than checking the name of the researcher and simply saying, “he gets accepted, last year he was great”. Surely their should be some kind of review involved. There are a lot of researchers out their doing really good work (see Security B-Sides and Dojosec for more information). It seems sometimes that the new breed of speakers are being left out in the cold while the established speakers (not all, but some) are resting on their reputations and have an almost guaranteed spot at some events. I don’t claim to be able to do better, but I’d rather see 5 new faces with interesting topics, than 20 regulars with nothing much to say. The various talks on attacking x.509 at this years Blackhat/Defcon spring to mind as a perfect example. I can’t imagine why they’d accept 3 talks that cover almost the same research unless nobody actually read the papers before they acceptance letters were sent out. I know this discovery was the “new hotness”, but really it only needed 1 person to explain the issues in one presentation. You can’t even fault the speakers, because from what I know, they didn’t even know that anybody else had found the issues until they’d given their talks. On the flipside however, I really would like to applaud the Blackhat/Defcon organisers and the whole Metasploit team for putting together a full track dedicated to Metasploit. This goes totally against the “boys club” mentality and was a breath of fresh air. I really hope it comes back next year in full force. Metacon anybody ?

  • Lets start with the basics…

This one is something I’ve been struggling with for a while, and I hope you guys understand where I’m coming from. Last week I sat in a talk that promised to cover advanced XSS exploitation, and other “blackhat” techniques. I’m always interested to learn new techniques. After all, as a security professional this is what I do, day in day out. What happened however, was all to familiar to people talking about advanced topics or new attacks. They started with 20 minutes of “What is XSS”. That’s 1/3 of the time allotted for the talk, with Q&A included. I know not everybody is at the same level, and I really understand how it feels to be left not understanding the more advanced stuff without having the basics explained. However this practise of every talk covering the basics quickly before moving on to the real meat of the talk, is holding back some good speakers with some really interesting stuff to say. If you claim to be talking about advanced methods of exploitation, then consider skipping the 101 at the beginning. If a certain percentage of the crowd doesn’t understand the basics, then they’ll have no chance of understanding the real technical parts of your presentation anyway. After all, XSS is an easy premise to grasp, but you can’t teach a stranger everything there is to know about XSS in 20 minutes. So why try to achieve the impossible. Leave it to the many good books, or the “intro to…” talks.

  • Look what our product does

I’m sure everybody has seen this before (many times). You see a talk in the conference program that peaks your interest, just to find that mysteriously the person talking thinks it’s all about the marketing. Many good presentations have turned into something completely different once the marketing team gets hold of the slides. Sure, it starts out innocent enough. A couple of introduction slides giving details of what company you work for, perhaps a page on the current projects. Then after the 3rd review phase, you find that the 45 minute presentation now only has about 20 minutes of real content, and a whole lot of “how great are our products”. It’s not always the fault of the speaker, and I almost feel bad listing it here (it could easily have been another topic, I have a few in reserve). This is as much a message to the marketing teams as it is to the conference organisers. Marketing is all well and good. Sometimes the speakers need their companies to stand behind them to enable the research, protect them from the big bad lawyers, and of course the costs involved in bringing these things to the public. I understand that companies do a lot of research to gain marketing opportunities. However when that marketing message takes center stage, and the real content is stuck somewhere in the back, the attendees start to get restless. There is a time and place for marketing. Conferences like RSA, Infosec Europe and some others are all about product placement. The people attending are interested in your products. The technical security conferences, they’re not such a good place.

Well there it is, my 5 things I don’t want to see at the next conference. I didn’t even mention the people who talk and tease a new tool that’s going to help end the world, just to find out that they’re never going to release it. I also didn’t mention the people that write a fuzzer for some random protocol, file format, or system and then shortly after the talk and buzz dies down, they abandon it, never to be looked at again. There are so many things that could easily have made it on the list, but that’s not what this list is all about. I know I can easily just look at the program and skip the talks that I’m not interested in. I’m sure somebody will probably say something imaginative like “if you don’t like the talks stay home”, and I understand the feeling. I can indeed skip the talks I don’t like.

However my goal here is to make things better for everybody. There are so many researchers out their right now trying to break into the conference scene. There ideas are good, even if they’ve never presented before, don’t have a large vendor paying for their ticket (or being a conference sponsor), and aren’t talking about the latest buzz around the corporate watercooler (I’m thinking cloud here for some reason). However these people need space as well. If we let the same old thing be presented at every conference, then the major conferences will slowly become obsolete.

If people say what they want, then conference organisers will listen. Fill out your feedback forms (I know it’s boring, but it helps), and email people if you think things were too “marketing”. In fact, email even when a talk was good. Sometimes no feedback is bad thing. Make your voice heard.

PayPal buyer non-protection

As some people might already know, I’ve been going through a payment dispute on PayPal for about 6 weeks now. To bring things into a short and crisp explanation, I purchased what was advertised as a book on Ebay. The seller was in America and I waited for the shipment. A couple of days passed and I received an email from Ebay saying that the seller had been banned and not to pay him. Well, a little late on that one. Still I waited in the hope of getting my book. A few days later I got a package form the US. What was inside this small package, a burned white-top CD containing an ebook. To make matters worse it wasn’t even the right ebook. So I email the seller in the hope of getting a response. Laughingly I did, although he suggested a good solution would be for me to download the right ebook from a torrent site. No I kid you not, he actually though that was a solution.

thumb_paypalSo off to PayPal and their dispute section. I filed the dispute and 2 weeks later was told if I mailed the CD back at my own cost I’d get a full refund. Right, I’m going to risk getting caught sending illegal goods out of the country and through US customs because PayPal say so.

Needless to say, I said no chance and PayPal closed the case without a second thought. I reopened the case and asked them to think a little clearer about the issues, and asked if PayPal condoned the selling and shipping of illegal materials. I waited like a good little customer for another 3 weeks. Tonight it came through load and clear.

“PayPal was not able to resolve this case because the item in question was virtual or intangible.”

I think they fail to see the point… or maybe they don’t. Perhaps this is how they make so much money. The buyer protection we all think is going to stop this kind of thing from happening is almost worthless. I’d think twice before using the service again, but what other choices are out there right now. I’m not sure, but I’ll be spending some time soon to find out that’s for sure.