Following on the heels of my last post about the possible irresponsibility of many in the security profession, I want to look at the idea of responsibility from a different angle for a couple of reasons. First, I had a couple of comments that brought up the topic of software vendors and developers being held responsible for poorly written and insecure code. Second, there is a new “effort” launched to take the message of secure software development to those outside the security profession. There has been some conversation around whether we are wasting our time or if it will provide benefit. Third, I read this article the other day and it made me wonder if it wasn’t time to start holding web site owners responsible when their sites spread malware.

So who should be held responsible when things go wrong in “cyberspace”? (Forgive me for using the word cyber; I just couldn’t resist.) Is it the person who wrote the software that was insecure? Maybe it is their boss or the QA department that didn’t test it fully. Maybe it’s the marketing department because they are the ones who said that it would be released by a certain date. Possibly it is sales because they promised several customers this functionality in the next release, which was already announced by Marketing. Then there is upper management, who pressured the developers to get the new code out and also approved the release date. Of course the shareholders are also demanding results, and missing dates hurts profits.

Or we could look at it from the angle that the developers haven’t been trained in secure coding practices, so maybe the school they got their degree from is the one that should be held responsible. If they didn’t go to school for coding then we can go back to blaming management for allowing them to code without proper training. But what about when you have a well-written piece of software that is weakened by a poorly written piece that interacts with it? Who is to blame then?

What about web sites that are compromised because those responsible for them haven’t kept up to date with patches, upgrades and such? Do we then hold them responsible? What if they didn’t do these things because it caused another piece of software to break? Do we then hold that vendor/developer responsible?

You see, there is no clear answer here because there are way too many variables. Too many ways things can go wrong. So again, what is the answer and who is responsible? Well, I don’t know the answer but I do have a suggestion. Those of us who do know how to do things securely have to help those who don’t. We have to help them understand the why and how. We have to take the message to the developers, the web admins, the small business owner who has an e-commerce site, the CXOs that run the companies.

Just as we wouldn’t expect our doctors to show us a PowerPoint presentation on how to set a broken bone and then tell us it’s our responsibility to do it from now on, we shouldn’t expect those who haven’t been trained properly to secure a system. If they don’t have the skill or ability to do it themselves then they have the responsibility to ensure that it is done by someone who is competent to do it.

So this still doesn’t answer the question of who we hold responsible. I think the answer is everyone. We’re all responsible. We all have a responsibility to do our part and to pass our knowledge on to others. It’s almost impossible to nail it down to one thing as being responsible for a security problem. Just as in a ball game you can’t blame one person, one play or one mistake. If something goes wrong the best we can hope for is that we have done the best we can and covered all of our bases. Then we team up and work together to fix the problem, limit the damage and move forward.

I’m listening to the Panda Security Blogger Summit 2010 right now. Last year I was privileged to be a panelist in the first Security Blogger Summit and thoroughly enjoyed my trip to Madrid and the summit. Right now they are in the middle of a heated debate regarding the responsibility of the end user in security. We had this same debate last year and it has gone on and on in many other venues as well. You all know that I feel strongly that the user has a responsibility to act in a safe manner and that we, as security professionals, have a responsibility to help them learn what they need to learn.

One of the panelists said that the user has no responsibility and that we should not expect them to be responsible. In my opinion this is an irresponsible comment and attitude on his part and on the part of anyone who feels the same way. Now before you all get mad at me let me give you an analogy.

I’m Joe Enduser and I have a PC that is connected to the internet via DSL. I have let my 30-day trial of Panda Internet Security 2010 expire. (I decided to use them since they are the ones that “fueled” the discussion.) I also partake in risky behavior such as visiting porn sites, downloading movies from these sites and installing the video codec that they say I need. I’ve got a friend who tries to give me “security” advice but I ignore him since we all know that security is a bother. Especially when we are trying to be productive at work. Let’s not forget the fact that I love to click on links in spam email because some of them take me to some very interesting sites.

Of course with all of this risky behavior I have picked up a few pieces of malware (that I’m not aware of since my AV is expired and even got disabled by one of them) and there is a keystroke logger on my system. I’m pretty well off and my bank accounts are pretty tempting to criminals. So one day I discover that several thousand dollars have “disappeared” out of my accounts. Then a few days later I am paid a visit by the FBI because they have found child porn on a computer that was downloaded from my PC, and to top things off my PC was part of a botnet that DDoS’d the NSA web site yesterday.

You see, my PC is connected to the internet and by default it is connected to every other PC, router, server, and switch on the internet. My PC is NOT an island, and my irresponsible actions have enabled scum to view child porn, funded international crime and attacked the US Government. Yet I’m not expected to be held responsible for any of this because after all I’m just a “stupid user”.

If I am driving on an unfamiliar road in another city and don’t see the speed limit sign that told me that I had to quit traveling 45 mph and now must travel 25 mph, I’m still held responsible when I get pulled over. If I’m in a town that has a law against spitting on the sidewalk and I spit on it, I’m still held responsible if I get caught. Even though I’m not familiar with the town and its laws I am still responsible for my actions. I am expected to conduct myself in a manner that lines up with the laws of that town.

If I leave a loaded gun on my front porch and you pick it up and shoot someone with it, you and I will both be held responsible for our actions. Yet when it comes to using a PC that can be used to ruin someone’s life, attack a corporation or government, spread malicious content, etc., I’m expected to remain completely ignorant and that’s OK. I can’t agree with that. If we expect our users to be stupid then they will be. If we expect them to learn how to act reasonably on their systems then most of them will.

If we want a voice in security then we need to ensure that our voice is not spouting irresponsible comments and encouraging irresponsible actions. We will never stop all stupid users and won’t even stop all users from doing some stupid things but that doesn’t mean that we shouldn’t do all that we can. It sure doesn’t mean that we can excuse their behavior and not expect them to do their part and make a change for the better.

Join Us!

February’s monthly NAISG meeting

Wednesday, February 10th

 

** NEW LOCATION: 

Gordon Biersch, Buckhead (the old Rock Bottom Brewery)

3242 Peachtree Road NE
Buckhead, Atlanta, GA 30305
tel 404-264-0253

· Private room. Please tell the hostess you’re there for the monthly NAISG meeting and she will escort you back.

 

Agenda:

7:00pm – Networking, Food & Drink

7:30pm – NAISG_ATL General Business

7:45pm – Keynote Presentation and Interactive Q&A

Nidhi Shah, research scientist, Barracuda Networks

Malicious JavaScript – Beyond Level 101

8:15pm – End

 

Sponsor:

Barracuda Networks, Inc.

Please join us for this interactive session coming straight from the Lab, Barracuda Labs that is. We’ll supply plenty of appetizers, your first round of drinks (be sure to snag a drink ticket on your way in the door) and even a few very cool door prizes! You will not want to miss this month’s meeting in our new location – and yes, it has free wireless! So stock up on business cards, come hungry and ready to talk with old friends, meet new ones, and interact and share ideas across this hot topic. Invite your friends and colleagues – and don’t forget to RSVP!


Malicious JavaScript – Beyond Level 101

Be it worms, phishing, malware or rogue AV, JavaScript is one of the most common routes for malicious activity. Attackers are using clever obfuscation to deceive anti-virus products and combining it with sophisticated social engineering tactics to take advantage of user ignorance. In this talk, we present an in-depth review of JavaScript attacks, implementation scenarios and ways to uncover malicious endpoints.

 

Specifically, this session will:

· Demonstrate various JavaScript features used in malicious JavaScript in Web pages and its interaction with other software such as Adobe, Flash and Silverlight

· Classify JavaScript malware into specific categories

· Distinguish various obfuscation techniques

· Demonstrate how to trace malware distribution endpoints

· Discuss challenges faced by current solutions that try to block malicious JavaScript

 

Nidhi Shah, Research Scientist

Nidhi Shah is a research scientist for Barracuda Networks. She joined Barracuda following the October 2009 acquisition of Purewire, Inc., a Web security SaaS provider. She brings a combination of fine-grained program analysis and Web application security knowledge, and is focused on new innovation around methodologies for automated Web malware detection and prevention. Prior to working for Purewire, Nidhi worked as an R&D engineer for SPI Labs (now HP’s Web Application Security Research Group), a renowned Web application security research team for SPI Dynamics. Nidhi earned her master’s degree from Georgia Tech in Computer Engineering and is a published author with several IEEE papers on reverse engineering topics, and the SPI Labs’ Hybrid Analysis white paper. Her research areas include Web application security, binary program analysis, threat analysis for emerging technologies and obfuscation.

I’ve been talking with a few friends recently about things that users have done and the impact or effect of their actions. A couple of good ones that have stood out are worth retelling.

Story #1 – There is a reason we call it “private” information

An employee was issued a laptop when he started working for this company. He was in sales, so he spent most of his time out of the office. As a result of this he most likely had data on his laptop that really shouldn’t have been there, but we all know that it’s just so much easier to have it on the laptop than to access it via the VPN.

One day he calls the help desk and tells them that he can’t get his laptop to boot. It keeps coming up with a BSoD or a boot loader error. So he is told to send it in and they will take a look at it. A day or so later a technician calls him to talk about what happened, when, why, etc., so he has a good understanding of how this occurred. In talking with the technician the user casually mentions that he had let his girlfriend use the laptop and when she gave it back it wouldn’t boot.

Now the fact that he let his girlfriend use his work laptop is bad enough but it gets worse. It turns out that his girlfriend works for a competitor. Man, talk about someone who needs a clue by four.

Story #2 – Reply all means Reply ALL

An employee of this company sent out a questionnaire to his customers asking about service satisfaction and other things. At some point (I think after the survey was submitted) a very large number of employees ended up being cc’d on some exchanges between the client and the employee. I believe the employee was doing some follow-up on the answers to the questions. Apparently after several exchanges the client thought it would be funny to take the conversation to a more risqué level and replied with the following (or something close): “The only thing I currently need from you is a reach around”. Of course this went to about 75% of the employees of the company. (I’m not going to define what a reach around is, so if you don’t know ask someone else.)

Just a little humor to help you get through the rest of the week.

China (allegedly) hacked Google and 30-some-odd other companies last month. Internet Explorer is being blamed as the attack vector. This is big news and now the world panics. OK, maybe not the whole world, but there is enough panic going on to cause countries to recommend that their people switch browsers to something other than Internet Explorer. Many, if not most, information security professionals have been recommending this for years. It just makes sense from a daily use perspective for the average home user. Or at least it did a couple of years ago.

Internet Explorer, and Microsoft software in general, has not had a good track record when it comes to security. They were more interested in ease of use and backward compatibility than anything else. Security wasn’t a high priority because it didn’t sell. Things have changed in the last few years. Security is more important and is getting more attention. As a result Microsoft has stepped up their game and they are developing applications that are much more secure than in the past. Do they still have weaknesses and vulnerabilities? Of course. Just like EVERY other piece of software out there.

So back to switching from IE to something else. Germany and France (and possibly others) have recommended that the citizens of their countries quit using IE and start using Firefox, Opera, Chrome, Safari (hahahahahahahaha) or some other browser. Is this good advice? Maybe. If they are using IE6, most definitely. If they are using IE7 or IE8, not necessarily. Why? Because IE7 and IE8 are more secure than IE6 but they still have their problems. So do Firefox, Opera, Chrome, Safari and every other browser out there, and someone will find the vulnerability and exploit it. As a matter of fact there is a good chance that someone already has it and is just sitting on it until the right time.

Instead of making rash decisions such as changing platforms perhaps the leaders (or those in leadership positions) should step back and try to come up with a real solution. Telling your populace to switch browsers isn’t going to be any more effective in solving the problem (or fighting it) than having us remove our shoes when going through security at the airport. When the bad guys want to get past your defenses they will find a way just as the underwear bomber did.

We don’t need reaction, we need solutions. Technology is NOT the solution. Technology will always have weaknesses just as everything else does. In my humble opinion we have to keep improving our technology and we have to improve our people. People need to be taught how to act responsibly and securely. It’s a difficult task because there are so many cool things on the internet to explore, and for way too many of them the cost to the user is so small that they are willing to pay it. Having your PC slow down a little due to the adware dropped on it is a small price to pay to be able to watch cool animation or play cool games. Even having a key logger on your system costs the user very little if anything. A little inconvenience when they discover that their credit card has been compromised, but the banks cover the loss if you find and report it in a timely manner. So why give up your “free porn” if the banks pay for it?

Teaching users is a daunting task because there are lots of them and it’s a difficult task because many of them don’t want to learn. They just want to continue on with their irresponsible behavior that costs them nothing. Yet that doesn’t release those of us with a sense of responsibility from doing all we can to teach them. Their actions don’t just affect themselves because they are on the same internet as the rest of us. They may well deserve what they get but unfortunately they aren’t getting it and someone else is.

If every home user migrated from IE to some other browser it would reduce the attack footprint, which would be good, but it still wouldn’t solve the problem because these same uninformed users will go to their jobs and use IE to make the same mistakes, except now it’s not just their data that’s at risk but their company’s data and their customers’ data. The problem is a people problem and has to be solved at the people level no matter how hard it is.

So, therefore I am declaring the statements by the French and German governments to be irresponsible. They are good advice but only if they are coupled with some additional information on how their people can protect themselves online. Only if they are willing to take additional steps to teach their people internet safety.

I’m a man of convictions. When I feel strongly about something I’ll usually stick to my guns regardless of the situation or circumstances. This carries over into most areas of my life. Most of you who know me know that I don’t like Apple, Google or AT&T. I have my reasons for not liking each of these companies. I don’t like Apple because I feel that they honestly don’t care about anyone except their investors and what they want to do. I don’t like AT&T because their network coverage is terrible and they told me that my business wasn’t worth them doing the right thing. I don’t like Google because they collect as much info about me as they can and will do with it what they want with no concern for what I want. Now, before I go any further let me say that I know that these are not the only companies like this and in some cases they are not even the worst. They are just companies that for one reason or another have ended up on my convictions list.

I have to admit that I would love to have a MacBook Pro and an iPhone. They are really cool and sexy and both are good products. I’d love to use Gmail, Blogger, Google Maps, YouTube, Google Analytics, Google Apps, etc. for all of my online life because in many cases their products are very good at what they do. Yet I can’t bring myself to use them except in rare cases.

A year or so ago I tried to de-Google my life and moved my blog from Blogger to its own site. I quit using my Gmail account for all intents and purposes. When I watch YouTube videos I do it when I’m not signed in to Google. I quit using Google Apps, Google search, Google Reader, and Google Maps. It went pretty well except for the Reader and Maps part. I was not able to find anything else that met my needs and requirements and did it well. So I went back to these two things until recently. Now that more time has gone by I’m moving away from Google Reader again and going back to Bloglines. I’m no longer using Google Maps for my map needs and am using either MapQuest or Yahoo Maps.

I feel better knowing that Google has to work a little harder in trying to find out who I am and what I’m doing. Not that I have anything to hide (just in case Google’s CEO wants to know) but I don’t like the idea of one company knowing that much about me with my help. Rich Mogull has a great post up on the Securosis blog about just how many ways Google can and does collect data on you.

So far I’m happy with the improvements in Bloglines and I’ve not gotten lost using MapQuest and Yahoo Maps, so hopefully this will work out and I can be as Google-free as possible. I’m not having as much trouble staying Apple-free. As a matter of fact when I started my new job they asked me if I wanted an iPhone or a BlackBerry. My new boss knows my feelings towards Apple and AT&T so it didn’t take any explaining when I decided on the BlackBerry.

I’m now ready for all the hate mail for bashing Apple and I’m ready for all the mail from those telling me just how Google will still know all about me or how Microsoft is the biggest evil empire of them all.

********Update!*********

We now have a sponsor for this month’s NAISG meeting! Thanks to Fishnet Security for stepping up and volunteering to sponsor us!

It’s a new year and for the Atlanta NAISG Chapter it’s a new meeting place! We’re still meeting at Taco Mac but we’re moving to what will hopefully be a more convenient and better location. We will be meeting at the Taco Mac in the Prado Shopping Center in Sandy Springs. We will be in a private room so just ask at the Host desk and they will point you in the right direction.

We do NOT have a sponsor for this month’s meeting, so bring your cash or cards with you. I’m still working on finding one, so hopefully you can hold onto your hard-earned money and use it for something else.

When:

Wednesday, January 13, 2010

7:00pm – Networking

7:30pm – ATL NAISG Business

7:40pm – Keynote Presentation

8:30pm – End

Where:

Taco Mac – The Prado – Sandy Springs

5600 Roswell Road, Suite 3
Sandy Springs, GA 30342

What:

Get Out of the Trenches!

This brand new presentation will compare today’s world of information security to World War I. We will look at similarities and how we can and MUST make some big changes to prevent heavy casualties and forge ahead. Using military examples and analogies we will walk away with fresh ideas to help us “get out of the trenches” and move into warfare tactics that are better suited to keeping our systems and networks safe and secure.

Who:

Martin Fisher

Manager-Computer Security Incident Response Team

Delta Air Lines

Martin Fisher currently is leading the Computer Security Incident Response Team at Delta Air Lines. His 20-year IT career includes a broad set of experiences, including working the last five years at Delta to develop enhanced security incident response. A leader focused on developing teams, Martin currently is working to create a consolidated CSIRT for the largest airline in the world.

Why:

Atlanta has lots of User groups and technology related organizations that meet every month. So why should you attend NAISG?

  1. Great opportunity to interact with some of Atlanta’s top security talent.
  2. Good food, conversation and networking.
  3. A focus on you and helping you in your day to day security endeavors.
  4. Relevant topics that are interesting, entertaining, informative and most of all not a vendor sales pitch.
  5. Focus on the needs of those in both operations and management.
  6. No membership fees, sales pitches, or pressure to do anything but show up and learn (having a good time is encouraged though)

Well, after a longer than expected lay-off I’m finally back in the saddle. I was laid off from my previous job in July of ’09 and fully expected to be re-employed within a few short days. I had actually interviewed for a position the day before my lay-off and felt that I was a shoo-in for it. Alas, about 3 days later I found out that the other candidate got the position. No worries though. Well, the days turned into weeks and the weeks turned into months. Six months to be exact.

Well, as of Monday the 4th I started a new job. I’m in charge of the soon-to-be-created security program. Soon to be created because, like many small companies, they have been doing security but do not have an “official” program. Come to think of it, lots of medium and large companies are the same way. In fact lots of them haven’t really been doing security, they’ve just been doing IT. Kinda scary, huh?

I’m excited about this position for several reasons.

  1. I now will have a regular paycheck again (hey, I’m just being honest).
  2. They really want me there. When I say they I mean the rest of the IT team, and even Sr. Management is on board. The position wasn’t in this year’s budget but they signed off on it. I’m sure the fact that a competitor was breached late last year didn’t hurt the case to bring someone on.
  3. I get the opportunity to build a program from the ground up again. I did this at my last position. At least as best as I could considering that I didn’t have the support needed to be effective.
  4. The IT team knows their stuff and they actually think about security. They understand that it is important, many of them read security blogs and listen to security podcasts. They think about it and that will make my job easier and more fun.
  5. The company seems to be a great place to work. The people are friendly and many have been there for quite a while. The office atmosphere isn’t one of “I can’t wait to get home or to find a new job.”

So as 2010 moves forward I’m excited about the prospects and look forward to getting back into the swing of working and blogging more.

For the last few years blogs and podcasts have been a big part of my daily “learning”. I read lots of blogs and listen to several podcasts each week, and because of this I started my blog 3 1/2 years ago and have considered doing a podcast. The dream of doing a podcast became a reality recently when my good friend Martin Fisher approached me about doing a podcast with him. We decided to also bring in a technical reporter and invited Steve Ragan to join us.

We recorded Episode zero a couple of weeks before Christmas and released it to a few people to get feedback. Then we recorded Episode 1 and it ended up on the cutting room floor due to recording issues. Now we release our first fully public episode for your listening pleasure (at least I hope it’s pleasurable).

You can find links to both iTunes and RSS on the web site, and while you’re there take a look at some of the other pages on the site. We will be adding more content over time. Please, please, please give us feedback on the podcast, especially the content. You can leave comments here, or if you need to be really critical and nasty and don’t want to trash us in public you can email them to me.

2009 has been a very adventuresome year for me. There have been highs, lows, ups and downs. As I look back on it I see that lots has happened and I have lots to be grateful for. I’d like to take a few minutes and say thanks to a few people and organizations. I know that in doing this I risk leaving someone out and for that I apologize. I’m doing my best to remember all of you who have played a big part in this year.

  • One of the highlights of the year was when Panda Security invited me to participate in their first “Security Bloggers Summit” in Madrid, Spain in February. I spent the whole week in Madrid participating in meetings with Panda and several other security professionals from Spain and the US. I’d like to say a BIG thanks to all the people at Panda who made it possible for me to attend and especially to Sean-Paul Cornell who put my name in the hat to be on the panel.
  • I’d also like to thank the good people of SecureWorld who graciously gave me a press pass to this year’s event in Atlanta. I wasn’t too kind in return when I blogged about the conference because I just wasn’t impressed with the content of the talks that I attended. The team that planned and organized the event did a stellar job on the conference itself and I hope to attend again in 2010. Even if I have to pay for my ticket. :)
  • Another highlight of my year was helping to get the Atlanta Chapter of the National Information Security Group (NAISG) up and running. I’m working with a great group of people on the leadership team ( Ian Philpot, Renault Ross, MC Peterman, and Martin Fisher) and have been able to meet lots of security pros in the Atlanta area. Thanks to the leadership team and all of you who have attended the meeting this year.
  • I’d also like to thank my former employer MARTA for laying me off in July. I was very unhappy there and was getting very frustrated with the way things were going. I felt a lot like Howard Schmidt will probably feel in about 6 months. :)
  • I’d like to say a big thanks to those of you who supported me during my job search and who gave me leads and recommendations. I’d especially like to thank Michael Santarcangelo for listening to me whine, complain, ponder, and talk through thoughts, issues and concerns. Also for his wisdom, advice and his willingness to plant a boot in my butt if necessary to get me going in the right direction.
  • I owe a great deal of gratitude to Greg Lowery of Forsythe Technologies for his friendship and for talking to lots of companies about me and trying to get me interviews. Greg actually introduced me to my new employer (whom I’ll announce soon) and was instrumental in getting me in the door there.
  • I’m excited about a new venture that I’m involved in: the Southern Fried Security Podcast. Thanks to Martin Fisher for the idea and to Steve Ragan for providing his “Yankee-ness” to the podcast. We’ve recorded 2 episodes, only one of which made the download site. We’re still working on the audio issues and plan on getting the ball rolling early in 2010.
  • I’m very thankful for those of you who read my ramblings here also. I know 2009 has been a very slow year for my blogging but now that I’ll be back in the swing of things I’m hoping 2010 will see me back to 2 or 3 posts a week.
  • I’m sure that I missed someone who I really should not have missed and for that I truly apologize. If and when I remember I’ll update this post.
  • Last, but certainly not least, I’m very grateful for my family. My wife has been amazingly supportive over the course of my job search and has stretched dollars to limits I didn’t know existed. One of the best things about not having a job is that I was able to spend lots and lots of time with my girls that I wouldn’t have had if I were working. I’m going to really miss spending my days with them.

During all of this year I’ve been amazed at how God has provided and taken care of us. So I’d be remiss if I didn’t thank Him for His love, protection, provision and patience with me.

I hope all of you have a very Merry Christmas and for those who don’t celebrate Christmas I hope that your holiday season is all you want it to be.
