NetAssassin.com

Workshop: Project TouchDroid

HP TouchPad

Just in case no one noticed, I have added a workshop to the site with some of my projects.  Follow along if you like, send tips and tricks too!  Right now the one that is most active is "Project TouchDroid"  This is several of us modifying HP Touchpads to run Android and eventually compiling useful penetration testing and network engineering tools on it.  

Lots of fun and a good one-stop location for links to useful how-to and blog/wiki sites doing the same kind of work.  E.g. when we find workarounds for little issues we encounter.  

Converged security, some shared physical security experiences from the trenches.

tumbler lock

 

Some background, about four years ago a recruiter came to me and asked if I thought I could take on a position that involved “converged security” at an entertainment company.  Having already done content protection and information security for what was the largest game publisher at the time for the prior ten years I thought “sure, what’s a few guards gates and guns” or the “3 G’s” as we call them.  After all, I have a background in law enforcement and have done my fair share of guarding people and places. 

 

So I reached out to other CSOs and CISOs that I know to ask them what I felt were quite important questions. 

 

Things to worry about as my kid goes online: (A parent/hacker's perspective)

Hand

Well it was bound to happen, my kid has gotten older and he wants to have his own computer, sync his iPod Touch on his own and choose what (read: approved by mom and dad) apps are loaded on it, and he likes the idea of using Skype to call me and his mother from his room upstairs.  Why is this so alien?  Well, for starters, he is five. I can't clearly recall what I was excited about when I was five, but I am sure it probably involved Army Men and being outside.  Sheesh.  

There was a media sensationalized buzz storm (or just "Media BS" for short) this week about how most people apparently don't know about CTRL-F; well I don't find this shocking for two reasons.  One, most people don't know much about anything they use; this is why we call them "users."  Two, my five-year-old knows a few sight words like "dog, cat, mom, dad, print, open, yes, no, load, save" but otherwise really can't read, and yet he can use Windows, OS X, and iOS with such efficiency one might believe he was quite literate.  His first day of kindergarten is Tuesday, so my fears will only grow as he actually does learn how to read. It's bad enough he can cruse YouTube all on his own and find all manor of cartoons to watch.  I am dreading the day he can do text searches.  

So what is a parent to do?  Well, if I learned one thing from my parents - I am not trusting him to make good decisions without proper guidance.  So the computer gets locked down, and I am running a transparent proxy on the network to filter online content. (I did say this was a hacker's perspective on this topic, so don't expect simple solutions.)  VNC is already on his little Windows machine so we can watch what he is looking at even from our smart phones.  I now have some dedicated space on my second monitor to keep his desktop in constant view.  

We had a lot of fun setting up his computer.  I used an old machine I had sitting in the corner of my office.  And, it was amazing for me to see his little eyes light up, and the onslaught of questions made me laugh several times.  Try this one on for size: "Dad! Why is it called a mouse?" "Because the cord looks like a tail and it is kind of mouse shaped." "Cord? It doesn't have a cord!" "Oh, well back in the 'old days' they had cords... I didn't notice they were all gone now."  This was only made even cooler when he found an old SGI three-button mouse in one of the bins and asked "Can I use this rock-looking mouse with the cord!  Because this one looks like a mouse, made out of rock!"  It's the old classic gray speckled SGI mouse, which does kind of resemble a rock texture.  So cool!  My kid has an old school mouse with a ball, three-buttons, and a "tail!"  Win for me because it won't eat up AA batteries like the wireless one does.  

Back to securing the kiddo then - The firewall has been set to permit his IP, statically assigned by the DHCP server specifically to his MAC address, access to the Internet only during certain hours.  I can always amend this if he is being punished - thus I can "take away the Internet" if it is needed.  Once he gets smart enough to manually assign himself a new IP he will find that his personal VLAN only allows his one IP address access to the gateway.  I figure he is my kid, and for all I know this stuff is genetic, so I better take precautions.  At the rate he is going, hex math and figuring out subnets isn't going to be too far away.  If he is really naughty I will just put his port into admin disable mode and cut off access to the media server and other household resources such as printers, Sling Boxes, thermostats, gaming VLANs, etc.  This brings up another point, he isn't on the wireless network.  Why, because while I take precautions in keeping wifi isolated in many ways from my local LAN and enable the strongest encryption I can on the AP, I don't need some doorknob down the block watching what my kid does online or for that matter hijacking his sessions.  I don't trust wireless and the most valuable thing I am protecting on my home network is now my progeny.  I take this same precaution when the content for my employer is high value.  

I might even write MAC filters to restrict his mobile devices, right now an old iPod Touch but who knows what the future holds. I think a lot of parents focus on the computers, using things like Net Nanny etc., but they bypass the game consoles and mobile devices the kids walk around with.  I wrote in an earlier blog that you need, much like in corporate security, to do as much as you can with the infrastructure and on the wire rather then on the endpoint.  Especially when working on my household budget vs. a GL that I manage at work.  

I can't wait to really start teaching him how to do things.  Phase-one will be loosing Windows on his little workstation and replacing it with something more "admin" and less "user."  Probably a *NIX distro of some format, maybe a boot for Windows still left just for school work.  Our home has quite the enterprise level network with full on VPN concentrators to switches that support layer 2 and layer 3 filtering, true firewalls and a plethora of servers and services to explore right down to running our own DNS cache and MTA.  And why not, it's what I do for a living.  I bet he has his first sysadmin job while still in high school.  Great, I am that stereotypical dad trying to mold his son - except this isn't me hoping he will get a football scholarship, it's me hoping he will be even better than me one day at all things network and computer related.  Or, at least not some user who doesn't know the UI on most all operating systems has a search function enabled by CTRL (or command on a MAC) and the letter F  as in short for "Find. "

I'll write more on this topic as things develop and my son tries to work around my security. You know, because I will be teaching him how to do so and how it all is suppose to work... thus, how it doesn't.  (It's a hacker thing, it makes more sense when you don't think about it.)  

 

 

 

 

 

The importance of smaller infosec conferences.

BSides

Last week I had the privilege of speaking at Security BSides LA.  First, what a crazy cool venue and total Sothern Californa uniqueness.  We had our talks in a community center (very nice one) right on the beach.  Later that night, open talks were presented next to fires on the beach.  Second, being so laid back that speakers were encouraged to present while wearing beach attire made everyone very approachable and a completely friendly atmosphere was quite refreshing.  

Some key rules that make these conferences seller opportunities for your infosec team:  No advertisements, you can't mention brand names in talks nor are there vendor booths.  There are sponsors, but they have their logos on the banners and that is it.  Frankly, I was quite happy my company gave sponsorship money to help such a great organization.  It's free, yea attendance is free.  I know, it's kind of shocking.  But for the cost of mileage you can send your entire team to a quality conference where some of the best security researchers are presenting.  They even have a track dedicated to security management e.g. non technical.  Networking - if I were hiring I would be attending these looking for local talent.  What a great resource.

The format is an open forum, so while you are presenting questions are being asked.  This is intimate, energizing and more of a classroom setup vs. a conference hall filled with hundreds of people mostly tapping away on their phones and laptops vs. paying attention.  

Great speakers and researchers are flown in from all over the place.  This was one of the best parts.  While many of the speakers were from the greater Los Angeles area, there were a handful of people I would normally have to fly hundreds if not thousands of miles to see at a larger conference.  And these weren't simple talks... reviews of secure USB based computing, weaponizing telephones, lessons learned while being a professional spy, etc.  

Honestly, start to follow @SecurityBSides and find out when there will be a conference in your area... or better yet, make it happen and hold one yourself.  The BSides shows are completely volunteer based and they happen because local infosec people make it happen.  

All that said, I have added a few new friends from the conference to my tweet feed (See Security Tweets for that) and you should probably follow them if you aren't already:  @j0emccray (Joseph McCray) @shpantze (Gal Shpantze) @mattjay (Matt Johansen) @rogue_analyst (Derek Klein)  @kizz_my_anthia (Kizz MyAnthia)

I now know the secret to getting myself to go to a conference!

BSides

Yea, reading this blog will assure you of one thing - I don't attend many conferences any more.  I like to think I can go, but something always comes up at the last minute.  Mostly work to be honest.  So I started thinking, and after all the smoke cleared, I realized "why not make the conference 'work' and then you will have to go!"  Indeed I am quite brilliant!  

So, BSidesLA is the next stop for me because I am speaking!  Oh yea, you read that right.  I am going to talk in public without an NDA and it's going to be, wait for it - EPIC!  

"The topic?" you ask in your not so grammatically correct phrasing.  Well, that is the tricky bit as I have always been able to make amazing presentations and talk circles around even a minister... but I am not so good with the topics that seem snazzy.  Have you seen the titles of my blog postings?!  Yea, I need to find a class for that but I do know I am not taking notes from online news sites on how to do this.

The premise of the talk then!  Yes, honestly it is far more important than an eye-popping topic for the talk.  I will be speaking about spending your time, resources and budget on compliance and not on securing the company that employs you.  Or rather, the company demanding you spend your time, resources and budget doing nothing but compliance work instead of protecting their key assets.

Here are some things that might make it into the dialog... wikileaks and how process failed the US Government because there is apparently no compliance requirement for thinking.  Passed SOX, PCI and have that fancy SAS 70 type II certificate but lost your top secret intellectual property or say all the email and now it is in the public domain causing your stock to crash and people to loose their jobs.  Lot of good that did yea, hu?!

I won't be saying the two items are opposed to one another; rather the focus, especially when working towards compliance, should be the security of your corporate assets and intellectual property.  

Yea, now to go make the power point for all this.  I promise lots of pictures, as usual, and funny jokes... maybe some sock puppets.  I like sock puppets and funny voices.  

 

 

Check out the spike in security tweets!

Hacker

So some of you know I spent all of like 2.5 seconds and wrote a feed from twitter that contains security people and organizations that I follow... and it is hosted here on my website!  Yep! So proud! http://www.netassassin.com/node/29 Now go read and spread the news far and wide of my amazing prowess as a programmer.  (I'm really a bad programmer actually, I have to look things up all the time because I don't normally do it anymore and really you know, I forget things like semi-colons as if I am some kind of BS in CS N00b.)  

But the "chatter is spiking" as they might say in the C4I world. (Command, Control, Communications, Computers, and Intelligence)  So perhaps they/we are up to something.  You will all find out, no doubt, next week as all the main stream news media outlets start to misquote, fantasize, and glamorize Black Hat and DefCon.  

I might just start reporting all the convention shenanigans, oh yea I just said "shenanigans", on the blog for the rest of the world (all two or three of you that read this) to see.

 

 

It's Con time!

People Networking

 

It’s that time of the year, when I sit at my desk with a pile of corporate to-do items, movies to watch over, studios to call back, etc. and in the back of my head I am still thinking, “Vegas, no-Vegas, Vegas, no-Vegas.”  But the more important question is, “Franc, why do you think ‘Convention Time’ is only Black Hat and DefCon?”  Well, because it is in Vegas of course, and *everyone knows that Vegas is where real conventions happen.  All the other things are just odd gatherings of info sec geeks and warm-up for the talks and presentations at Black Hat.  Really, ask the other guys and they will tell you the same thing. That said I am probably speaking at Bsides LA, so just heads-up I will consider that a convention too since I am talking and I will have pretty slides with words and pictures on them to entertain the masses.  No sock puppets this time though; I was explicitly told “no sock puppets.” Sorry kids.

 

Back to convention time – Seriously, Black Hat Vegas is where all the major announcements will happen.  All the fantastic intrigue and conspiracy like which major manufacturer or software publisher will sick their lawyers on some small researcher to prevent them from telling the world how to do something naughty… you know what I am trying to say.  And! AND! Networking!  And not the kind using an OSI model, NO! Real networking where you talk to actual people who you probably have only seen once or maybe twice, but possibly never really at all, will be there for you. 

 

I haven’t gone in years.  Always too busy you know.  But, I think it is time.  After all, I did make it to Comic Con, and I don’t want to hear that I had to for work.  I totally walked the floor and gawked at some of the walking, talking, autonomous super heroines.  (Oh and I met Buck Rogers, aka “Gil Gerard” and he is super cool.) 

testing short links

going to delete this, so read it fast!  No really, read fast.
 
 
(I am so not deleting this post.  Ever) 

Cloud Based Networking & Security Overview

Network Nodes

 

This is yet another article, by yet another "expert" on cloud based security.  Why?  Because I so far have yet to find much of anything useful on the topic when I search, and the high-level drivel I do find such as "Top X security concerns for cloud computing" etc. could easily be a list of Top X concerns for a cardboard box with an Ethernet jack and all my secrets in it.  E.g. it's not an earth shattering epiphany but I am glad people have made a name for themselves posting such papers.  It keeps them from doing things, which would mean I would probably have to fix them. 

The one thing that is consistent is that most papers start by mentioning that there are different kinds of clouds, or concepts for the use of virtualized servers if they were trying to be accurate.  These concepts are IaaS, PaaS and SaaS.  I have linked to Wikipedia so you can read what those mean if you don't know.  After reading that, read this:  So what!?  It doesn't matter which of the three, or the next concept that a marketing firm develops, you intend for your cloud solution... because of a few factors:

1.) There is no such thing as a cloud.  The rest of us have been calling this the Internet (pronounced ˈintərˌnet) since about 1995 when the thing was commercialized.  

2.)  Running applications and architecture on a server has been around since we started to make servers.

3.) Virtualizing servers and services on those virtual servers has been something we have been doing for a very long time.

 

So then why is this all “new” and “freighting?”  Well, to be honest… few of us knew how to secure things before Marketing got all spun-up and started with the “cloud” campaign.  And now that things are launching into super fast-forward mode, some of my “peers” are doing two things… First, they are creating a market niche.  Second, they are clueless to begin with and you need to be able to identify their snake oil as just that… a placebo for actual skill and knowledge. 

 

But some things have changed and there is cause for attention (read: not "alarm.") from Security as well as from IT.

 

  • Hardware has gotten much better and we can now run many virtual servers on one platform of hardware.  E.g. One modern blade server can run a handful of virtual servers.  In the past, it was necessary to buy new hardware for nearly every server you wanted to deploy, and this meant space, power, heat and hardware (OpEx) costs.  This caused the business to truly evaluate the options of bringing up a new server and the delays in hardware acquisition and time necessary to deploy the hardware bought security and IT time inside of Change Management to review what this would mean, the architecture, etc.  Now all that is needed is for an admin to click a few things on a screen and a new “server” is online and operational.
    • Solution – rework your ITSLA / COBIT processes around approval and vetting of new servers and services to account for the fact that virtual servers can be instantly enabled.
  • Physical vs. Virtual and the Human mind.  With physical servers and networking hardware it was easy to visualize and thus construct infrastructure that had things like database severs on non-routable back-end networks, front-end networks that were hardened and behind security appliances, ACLs setup to control the communications between these layers, etc.  Put everything into one piece of hardware and develop an entire virtual construct and some people just don’t do well in the Matrix.  Old lessons and rules are abandoned because of the absence of understanding that all along you were dealing with virtual space, but you had physically different items to deal with.  Now, you construct firewalls, routers, networks, servers, applications, rule sets, etc. on the same piece of hardware running all of this in different containers.
    • Solution – hire smarter people who have abstract though capabilities. 
  • You can now buy time using other peoples’ networks and servers.  Something new?  No, it’s how networking all began and the first reason for “hacking” was to get more time and resources on the large expensive servers.  But the scale is something light-years beyond what it ever was before.  Companies like Amazon started by developing their own high capacity clustered servers, and found they had a lot of space left… so they monetized it.  Other’s like Citrix found this as an optimal replacement for the dwindling need to have their other products in an enterprise environment and built their networks with the purpose of resale for time, bandwidth etc.  Why would this be a security concern?  You aren’t managing your own servers and the 3rd party, and maybe others, have access to your data.  Is this a big issue?  Depends on what you are putting on the server.  Like all things, risk vs. reward needs to be evaluated, once set it’s just the reality that Security needs to deal with.  I don’t suggest putting your corporate secrets on a leased virtual server, but there are plenty of reasons to do this from a cost perspective when the risks aren’t too high.
    • Solution – executive management needs to be made aware of what assets are being exposed to hosting by a 3rd party, and evaluate the overall financial impact to the company if that resource, which is out of your control, is compromised.  Don’t believe that if you hosted it yourself it would be any more secure, but your stock holders, customers, etc. might not agree with the level of due diligence when they find out you outsourced the server.  Just saying…

 

So fears over internal and external virtual server clusters… e.g. a “cloud.”  Well.. internal is a cost savings over standard old-school individual servers for each and everything you want to do.  But your team has to understand that what they are building, short of the physical boxes missing, is the same as they were building before and require all the same sophistication and though.  That means you need that virtual firewall, ACLs on the virtual network you setup, separation of DB servers from application servers, etc.  The benefits?  Scalability and cost of course!  That DB server needs more CPU, not a problem add more CPU to it and cluster up some other ancillary boxes to pump it up a bit.  You already have the CPU, you don’t need to buy more.  Need more RAM, hard drive, etc… add it.  Need 20 new servers to test something, spin them up… when you are done, put it all back to standby.  See… brilliant.

 

External (3rd party) risks well… think of it this way. If I told you we can save a bunch of money by putting an unprotected server on the Internet and then put high value content on it… you would tell me “no.”  Most  3rd party virtual clusters don’t give you a firewall, they don’t manage one either… they provide you with server operating system, CPU, RAM, and bandwidth… you know, all the things you need to make a server… oh yea, and a firewall.  So spend a bit of extra coin and buy two virtual servers.  One you make into a firewall, and behind it you put the web server.  Now you have some of your security back.  I know, revolutionary thinking on my part… perhaps I will get an award.  The 3rd party group will work with you on this stuff, really.  But if you just buy space and time, they are assuming you are smart enough to build what you need.

 

This brings us to the new trend to get the common person, e.g. my mom, to store everything from photos to important documents on clustered (hopefully) services.  I think this is a good idea for the average person who lacks either the funds or the know-how to build their own NAS, or other redundant file server at their house.  There are plenty of low-cost commercial solutions in the NAS market, I personally favor ReadyNas now owned by 3Com.  But if that is beyond your attention span or pocket book it isn’t a bad thing to use a service.  Do your homework though.  They aren’t regulated, nor are they consistent in what they offer to you. You want someone who does the following:

  • Encrypts your virtual storage space so no one at their office, or a hacker for that matter, can see your files.
  • Two-factor authentication is better than you just having a password.  This doesn’t just mean a token authentication method is the answer… it could be that only your computer is allowed to make a connection and thus it is part of the authentication process. 
  • Encryption between your workstation and the server.  You’re moving your files across the Internet people, you don’t want everyone with a router to see what you are doing.  Those files are probably personal in some regard, so find a service that at least uses SSL encryption.
  • Know their systems are backed up and are redundant.  If you end up putting all your eggs in one basket, understand what happens if that basket falls from the tree.  This may dictate costs, so understand that. But don’t believe a higher cost means someone is doing this for you.  You want to know if they have a plan for disaster recovery, you want access to your data when there is a big earthquake in California right?  Find out if they have redundant servers in another state.  What about tape backups?  What are they going to do if the server that stores your data completely dies?  Do you have a backup of all this data yourself?  After all, at the end of the day you are the only one with ultimate responsibility and probably a care in the world for that information.  E.g. those vacation pictures of you in France…

 

  

Security... podcasts and why you should be listening.

OMG

People, just random ones on the street even, ask me "Hey Franc! Where can I go to get good information on and stay current with security?!" This is a good question, and while it would be even better if they asked "Hey Franc! How much money can I put in this wheelbarrow to get you to fix my problem." I am willing to help and give some information.  So here are a few suggestions, and hopefully this brings someone a few wheelbarrows full of money.

 

 Podcasts -

 

It's like getting a book on tape which you can listen to during your commute, while you work away on something else in your office, etc.  I am starting to consume these a lot more as I spend more time being an executive and less time being an engineer.  Did I mention... wheelbarrows of money?  Yes, yes I did.

 

Exotic Liability (http://www.exoticliability.com/) and @exoticliability I know both of these guys ( @indi303 and @lizborden )  First, they are true and real security practitioners.  (Do we call ourselves that, really?!) It's fast hitting, in a format much like a syndicated radio show with freeform DJ interaction with the guests and each other.  The dialogs are viral, the language is um... probably not safe for work, and out of them all this would make the best XM Radio show.  Personally, this podcast is the best use of my Apple TV II. (Not to confuse anyone, it's an audio podcast.)

 

InfoSec Daily Podcast (feed://www.isdpodcast.com) A bit funny, and out there at times, but hey... they keep you up to date with scene news and a bit of meat and potatoes (I love food analogies) behind the major news coverage of all things hacking.  Aka Anonymous, LuzSec, etc.  This too is an audio podcast.

 

HNN (http://www.hackernews.com/) and @ThisIsHNN is one I watch every now and then, yes you read that correctly "watch."  It is a video podcast, but don't expect a lot of on the scene footage or eye candy.  It's mostly "Space Rogue" wearing sunglasses styling his short haircut in front of a green screen with Max Headroom style graphics in the background. It's "the voice of reason" from the underground itself.  So expect dripping sarcasm towards the mass media lemmings and sheeple.

 

Risky Business (http://risky.biz/) is the last security podcast I will point out in this blog. Why no more, honestly this is already several hours a week for you to listen to and it's all quality stuff.  First, great accent... second, it's audio.. and third, a good back and forth dialog and interactive (online) community that reviews both mainstream and scene news and gives a lot of good detailed background on who, what when and where.  If you find yourself lost in a conversation, somehow asking "huh?" too often etc., you might need to go, quite literally, download this information and consume it quickly.  

 

 

Twitter - 

It's not just for advertising to all your friends when you stop to get a $9.00 coffee.  It actually has a lot of good uses, like keeping up with security researchers and practitioners that post new blog updates, interact with one another regarding our field, and in some cases it's the public voice of some of the more underground in our community.  If you are one of those people who don't want / like / understand / need Twitter, no worries I have built a stream on this website in the Security Tweets section that has everyone listed in this blog as well as a number of other very good researchers.  For those using twitter, checkout my account at @franklyfranc and see who I have on my list:  @franklyfranc/h4x0ring-n1nja5 Don't forget to add me too... I spend far more time posting there and interacting with my friends and peers then I do writing blogs.

I have made it a bit easy in my blog by making the system show you the twitter feeds and account information for those I have listed above by simply hovering over them with your mouse.  Follow them all if you are actually interested in being better in this field. 

 

p.s. We do tend to still tweet about coffee, jujitsu, present nerd kaiku, and tell bad geek jokes normally involving AD&D references and scene humor.

 

 

 

Syndicate content