Martin has finished editing and episode 8 is on the wire! You can find it here.

Download it, listen and let us know what you think. You can either comment on the web site, in iTunes or send a message to Martin, Steve or myself.

While you’re at it if you haven’t listened to episodes 1 – 7 download them as well. :)

This month we have a great meeting lined up. Security blogger, podcaster and Superstar Michael Farnum is coming in all the way from Houston, TX. Michael recently started the Houston chapter of NAISG and his employer, Accuvant, has agreed to allow him to do some travel promoting both Accuvant and NAISG. We are really excited about Michael joining us this month. Accuvant will also be sponsoring the meeting.

We’re also excited about our new location. Everyone seemed to agree that the Gordon Biersch Buckhead location is a great place to meet. We have a nice, private, quiet room that is big enough to hold us, and the food and drinks are a hit as well. We plan on staying here as long as they will let us. (Note to self: don’t invite the Security Justice gang to any meetings.)

Please join us for this month’s meeting. Atlanta NAISG is THE place to learn with and from some of the best in the Atlanta Information Security community. Please RSVP at members-atlanta at naisg.org so we can have an accurate head count.

What: Atlanta NAISG Meeting

When: March 10, 2010
7:00 – 9:00 pm

Where: Gordon Biersch Buckhead
3242 Peachtree Road NE
Buckhead, Atlanta, GA 30305
phone: 404-264-0253

Presentation: “Breaking Down the Enterprise Security Assessment”

Many enterprise security assessments look at too few attack vectors or do not dig far enough into the attack vectors once a vulnerability has been discovered.

Come join a discussion on the breakdown of a security assessment, explore the essential attack vectors, and debate the depth to which the assessment should go.

Who: Michael R. Farnum, CISSP

Michael is a Senior Security Solutions Engineer with Accuvant’s South Central team in Houston, TX. Michael has over 15 years’ experience in IT and security, specializing in security infrastructure design and information security management. A skilled communicator, Michael is a well-known security blogger and podcaster. He writes and podcasts at his personal blog, and he also blogs at Computerworld.com when he feels like pissing off people on an international scale. Michael has also spoken on various security topics at several conferences and events across the United States. He holds several security and technology certifications, including the ever-controversial CISSP. Prior to joining Accuvant, Michael was the Information Security Manager at The Menninger Clinic in Houston, TX. Before that, Michael performed random acts of security lunacy at companies all over Houston. One good note: Michael has never worked for a security product manufacturer, though he has been told by a fellow security practitioner and friend that VARs and manufacturers were “kissing cousins”. Hey, we all gotta eat…

Sponsor: Accuvant

My friend Nick Owen of Wikid Systems pointed me to an article in the Atlanta Journal and Constitution about lots and lots of PII being disposed of at a local recycling center. This just goes to show how lack of understanding can affect your privacy and your identity. That or how apathy can affect them.

It seems that a local law firm needed to dispose of lots of documents and decided that taking them to the local recycling center was the environmentally responsible thing to do. Not to mention it’s lots cheaper than actually paying a shredding service to shred them securely. They had boxes and boxes of W2 forms, bankruptcy documents and other records containing all sorts of PII. Just think about what kind of info could/would possibly be on just the bankruptcy docs. Name; Address; SSN; Bank Info; Employer; Employment history; and I don’t even know what else. (Luckily, *knock on wood* I’ve never had to file for bankruptcy).

There are a couple of issues in this that I want to touch on, and they both have to do with a lack of understanding of privacy and identity theft. The courier who was dumping the boxes made the following statement.

“I was just instructed to dispose of the documents and my understanding was it was a secure site because it’s a very high and large dumpster,” he said. “My understanding is that once stuff goes in nobody can take anything out because it’s very deep.”

There is a part of me that hopes that he was just grasping for something to say to keep out of trouble. Who honestly thinks that a “deep” dumpster provides security for physical documents? Or is he just that uninformed as to the potential risk? I shouldn’t be too hard on him because most likely he was just doing what he was told to do. Someone at the firm probably told him to dispose of them and suggested the recycling center. Now that is better than the office dumpster, but I have to wonder whether they skipped the dumpster only because it wouldn’t hold all the documents. Maybe they figured that they would have to pay extra if they filled it up.

The real question is why did they not hire a secure shredding service? Surely they know and understand the danger of just throwing away these types of documents. Was this just oversight on their part or just plain apathy as to the potential impact to their clients? Maybe they don’t charge enough an hour to afford secure disposal. (Sorry, the more I think about this the more cynical I become.)

So why blog about this on a security blog? Because this is a part of a good information security program. It goes beyond electronic data. It includes physical data, it includes audible data, it includes awareness. It includes helping others understand their responsibility in protecting the data that they work with. It’s about helping the business understand the risk that they face and giving them the means to mitigate the risk.

Who wants to take a guess at which company has their shredding business by the end of business today? :)

We all get spam that makes us laugh. I’ve recently received a couple of pieces that I wanted to share just because they made me laugh a little more than most.

What I liked about this one was its honesty. It says “Known as the Internet’s top Online Business!!!!” I think it’s safe to say that phishing is possibly the internet’s top business. :)

Subject:  “Hey, check out this website”

Hey Guys!!!!

This is really surprising!!!

Watch out for this New Money Earning Online!!!!

<Click the link to view>

http://tiny.cc/newlinxxxxxusiness

It really does work!

This does not involve promoting affiliate products

http://tiny.cc/newlinxxxxusiness

Known as the Internet’s top Online Business!!!!

Why don’t you give a try?

Make a QUICK click to the link below:

http://tiny.cc/newlinxxxxxusiness

To your QUICK wealth success!!!!!!!!!!!!

http://tiny.cc/newlinxxxxxusiness

Best Regard,

—————————————————————————————————————————————————————————

I liked this one because it too was honest, and as I read it I kept imagining spammers sending me spam written in poor English so I could clean it up for them. I wonder if they would accept Redneck English? Actually they probably wouldn’t know the difference. :) I wonder how much it would make me if I cleaned this one up for them?

Dear Mr(s) (gotta love the personal touch)

At some point in our live, you need of having an extra income in order to pay a debt, or simply to acquire or make an extra activity that  with your basic income could not perform.

We offer you this job … Just read!  Pay attention! … this may be the job you were looking for.

Job Description:
We send you the texts with important information.
You will have to fix those texts with a
perfect english  and send back the fix text.

Salary:
We will pay you $4 for every 1Kb of the corrected text.
The salary is paid at the end of month.
Every month your salary will vary depending on your activity.

Example: In case you correct about 5Kb of text a day, you will get
over $460.00 at the end of the month.

Requirements:
- Location: U.S.A.
- Age: 22
- Ability to work at home
- Computer skills (MS Word), personal e-mail address
- Responsibility

If you are interested in this job, please, send the information.
at the address mentioned below:

schwarz.elitepartner@yahoo.de

FULL NAME:
HOME ADDRESS:
CITY, STATE, ZIP CODE:
Phone number (home or cell, it is desirable that it should be
available any day time):
E-MAIL:
AGE:
OCCUPATION:
EDUCATION:
AVAILABLE TIME TO WORK WITH US:
———-

As soon as we receive your application, we will investigate it and contact you with more information within 24 hours.

Please, do not hesitate to contact us if you have any questions.

We are looking forward to your application.

Best regards,

Elitepartner International

The other morning on my drive into work I listened to the train wreck that was the Podcasters Round Table at ShmooCon. I have to admit that it was a wasted hour of my time. In fact the only part of it that I felt had any redeeming value was a 5 minute segment that dealt with penetration testing. My Southern Fried Security co-host Martin Fisher called BS on some of the opinions that penetration testing had to include an exploit or it wasn’t valid, and that if you forbid a pen tester from doing an exploit it would cause you to fail your PCI assessment.

This got me to thinking about this whole thing, so I decided to put my 2 cents’ worth in. First, let’s deal with the PCI issue.

This is directly from the PCI DSS v1.2.1 requirements:

11.3 Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). These penetration tests must include the following:
11.3.a Obtain and examine the results from the most recent penetration test to verify that penetration testing is performed at least annually and after any significant changes to the environment. Verify that noted vulnerabilities were corrected and testing repeated.
11.3.b Verify that the test was performed by a qualified internal resource or qualified external third party, and if applicable, organizational independence of the tester exists (not required to be a QSA or ASV).
11.3.1 Network-layer penetration tests
11.3.1 Verify that the penetration test includes network layer penetration tests. These tests should include components that support network functions as well as operating systems.
11.3.2 Application-layer penetration tests
11.3.2 Verify that the penetration test includes application-layer penetration tests. For web applications, the tests should include, at a minimum, the vulnerabilities listed in Requirement 6.5.

The following three quotes are from the PCI Informational Supplement on 11.3:

“A vulnerability assessment simply identifies and reports noted vulnerabilities, whereas a penetration test attempts to exploit the vulnerabilities to determine whether unauthorized access or other malicious activity is possible.”

“The penetration tests should attempt to exploit vulnerabilities and weaknesses throughout the cardholder data environment, attempting to penetrate both at the network level and key applications. The goal of penetration testing is to determine if unauthorized access to key systems and files can be achieved. If access is achieved, the vulnerability should be corrected and the penetration test re-performed until the test is clean and no longer allows unauthorized access or other malicious activity.”

“Consider including all of these penetration-testing techniques (as well as others) in the methodology, such as social engineering and the exploitation of exposed vulnerabilities, access controls on key systems and files, web-facing applications, custom applications, and wireless connections.”

Neither of these sounds to me like it says or implies that a pen test without exploitation will cause you to be non-compliant.

Now let’s talk about finding vulnerabilities and dealing with them. Vulnerabilities come in all shapes and sizes. All of them need to be addressed in one way or another. It’s simple risk management. You look at the vulnerability, you look at what level of risk it puts you at and what it will take to fix it. Then you make a decision about what you will do: patch it, deploy a workaround or compensating control, leave it alone, or whatever. The point is that once you know of a vulnerability you need to make a decision regarding how you will deal with it. Even if it’s not exploitable by your penetration tester, that doesn’t mean you just leave it be. Chances are there is someone out there who can and will exploit it (and maybe already is). If you find it, do something about it that works for you and your business. I recommend patching it unless there is no patch, patching it breaks something, or it would cost you more than the risk is worth.

If you find a vulnerability that there are known exploits for, why do you need to take the extra step to exploit it? Sure, it’s cool and sexy to exploit something, but it also can and often does break things. Knowing about something and ignoring it is just plain irresponsible. Whether it’s the security manager, CISO, CIO, CFO, CEO, Board of Directors or whoever, when something is known they have a responsibility to deal with it. Maybe the risk assessment puts the issue at rest and you choose to ignore it, but at least you have done your homework and have made an educated decision. Those who insist that they won’t fix something unless you can prove it is exploitable are not doing the job they are paid to do. They are being irresponsible and will end up hurting more than themselves.

The last thing I want to deal with here is how management reacts to a penetration test that includes exploits. Several people talked about using different words when talking with upper management about exploits. That may work to a degree, but if you lead them to believe that the test does not have the possibility of taking down a system then you had better have the Jack Daniel Cloud DR Plan in place: a copy of your resume on Google Docs.

So no matter how you word it, you had better make sure that they fully understand that a pen test can cause problems, especially if it includes exploits. No matter how careful the tester is, there is no way to guarantee no problems. We’ve all seen Nessus and Nmap scans crash systems, and when you introduce an exploit into the mix you are increasing the likelihood of problems. So when considering whether or not to have exploits run during your test, take into consideration what is being tested. When testing your e-commerce site you don’t want it to go down. Even if you have a backup ready you don’t want to have to explain to management why the system went down. Just knowing the vulnerabilities should be reason enough to fix them.

Management is about keeping the company running and making money. They aren’t about cool exploits and sexy hacks. They want to know what the risks are and what it will take to mitigate them. You have to be careful how you deal with management, and you have to know or learn what they are averse to. So if someone tells you that their management is averse to exploits, then let it go. Don’t berate them or try to push your agenda on them. Don’t think that because you are the “3l337 h@x0r” you know what’s best for them. That is what I heard coming from some of the panelists, and that is the attitude that hurts the industry. Those that are in positions of leadership for their company hopefully know their environment well enough to make educated and informed decisions. Your job, as a pen tester, is to help them find their weaknesses and give advice on how to fix them.

We all know how powerful social networking has become. We hear all the time how this blogger or group of bloggers has influenced this major issue or how social networking site “X” has been instrumental in this breakup, hook up, embarrassment, etc… News, gossip and general junk spreads like wildfire on Twitter, Facebook and other places.

We’ve all heard how companies are searching various social network sites and using search engines to find out what they can about potential employees and even current employees. Some companies have strict policies against blogging, tweeting, and talking about work or work related topics on the internet. Others don’t have any policy at all, and more and more companies are maintaining their own blogs and encouraging employees to participate in social networks.

I’ve blogged in the past about how people put too much information on various sites and how seemingly harmless comments and questionnaires can actually divulge more information than you intended. I’ve gathered enough information from profiles and questionnaires to probably open up a credit card account. Of course I’ve never actually tested this theory. :)

This evening I’m sitting here watching a “reality show” that my wife enjoys, and on the show they were looking to hire a new employee for a pretty high profile position. They found the person that seemed to be perfect for the position. She had the skills, experience and talent for the position. They offered her the job and she was to start on Monday. Shortly after she left the office someone did a vanity search on the company name and turned up some Tweets by the person they just hired. She was talking about the fact that she had an interview with the company; she was tweeting as she was entering the building and then tweeted as she left the office. She announced that she had been offered the job and was to start on Monday.

Sounds pretty harmless doesn’t it? Turns out that they had a very strict policy about social networking and she had violated the policy. Even though she was unaware of the policy it cost her the job. Due to the industry that they were in they weren’t willing to take the chance that information would be leaked via social networks.

So there is more proof that social networks are becoming more and more of a force in our everyday lives. What we put on them can help or hurt us and/or others. Companies must not ignore them and must make a decision as to how they will use them and deal with employee use of them. As this happens, it’s not as cut and dried as it may seem. Your policies need to be very clear as to what is and isn’t acceptable. If you are ambiguous in your wording, employees will find ways around them, and in the event of legal dealings how you word and enforce them will matter.

If you have been in IT for any length of time, especially if you are in Information Security, you are all too familiar with your friendly neighborhood auditor. Some of us only have to deal with external auditors and some of us are blessed with our own little bulldog internal auditor. Someone who either hounds us or leaves us alone and then blindsides us with their reports. Someone who can and often does make our life at work miserable.

Actually I like the auditors. I was being tongue in cheek because for many that is the way they view the auditors. But I’m sure all of us have heard that we should make friends with the auditors so that they will go easy on us. Even if they don’t go easy on us maybe they will be easier to work with if we are nice to them. Maybe they will be more patient, lenient, and kind to us. While this is true I think there is a better reason to befriend your auditor.

One of the primary complaints that I hear from my friends in information security is that they have little to no clout in their organization. They have a hard time getting things done because of push back from other teams, end users, management, etc. They are constantly fighting to get things approved and implemented. Budgets are constantly being scrutinized and cut. Management doesn’t work with them because they don’t see ROI or value from information security. Management loves to talk about security being important, but when it comes down to it talk is all it is.

That is where the auditor can really come in handy. In just about all companies the audit reports go to Senior Management and/or the Board of Directors. They take audit seriously because the regulators and investors listen to audit. When audit speaks they usually listen and act. When you work with your auditor you may be able to get some bite behind your bark. Help audit to understand why you need to be able to do this or that. Work with them not against them.

This can be tricky depending on the relationship of the auditor to the company. Often it is more of a subtle relationship where you make mention of things that you’d like to do, all the while being careful not to make it too obvious. Sometimes you can come flat out and tell the auditor that you are working on getting approval for something that would eliminate or reduce the risk of something that they find. Then they will add it to their report and it gets additional exposure to management. If you are really lucky you have a relationship with audit where they come to you or you are free to go to them and say “I need X, can you help me?”

Now you have to be careful with this because you can overplay the card and it can also come back to bite you. You can’t use it as a way to get all the cool toys you want. It has to be reserved for the things that really matter. It has to be used with discretion. When you are resourceful and wise then you can add some bite to your bark and actually get the work done that needs to be done. As I told an auditor one time, “I feel helpless, like a big ole’ toothless dog that barks loud but has no bite.” He looked at me and said “That’s OK, I’ve got the bite.”

Following on the heels of my last post about the possible irresponsibility of many in the security profession, I want to look at the idea of responsibility from a different angle for a couple of reasons. First, I had a couple of comments that brought up the topic of software vendors and developers being held responsible for poorly written and insecure code. Second, there is a new “effort” launched to take the message of secure software development to those outside the security profession. There has been some conversation around whether we are wasting our time or if it will provide benefit. Third, I read this article the other day and it made me wonder if it wasn’t time to start holding web site owners responsible when their sites spread malware.

So who should be held responsible when things go wrong in “cyberspace”? (Forgive me for using the word cyber; I just couldn’t resist.) Is it the person who wrote the software that was insecure? Maybe it is their boss or the QA department that didn’t test it fully. Maybe it’s the marketing department because they are the ones who said that it would be released by a certain date. Possibly it is sales because they promised several customers this functionality in the next release, which was already announced by Marketing. Then there is upper management who is pressuring the developers to get the new code out, and they also approved the release date. Of course the shareholders are also demanding results, and missing dates hurts profits.

Or we could look at it from the angle that the developers haven’t been trained in secure coding practices so maybe the school that they got their degree from is the one who should be held responsible. If they didn’t go to school for coding then we can go back to blaming management for allowing them to code without proper training. But what about when you have a well written piece of software that is weakened by a poorly written piece that interacts with it. Who is to blame then?

What about web sites that are compromised because those responsible for it haven’t kept up to date with patches, upgrades and such? Do we then hold them responsible? What if they didn’t do these things because it caused another piece of software to break? Do we then hold that vendor/developer responsible?

You see, there is no clear answer here because there are way too many variables. Too many ways things can go wrong. So again, what is the answer and who is responsible? Well, I don’t know the answer, but I do have a suggestion. Those of us who do know how to do things securely have to help those who don’t. We have to help them understand the why and how. We have to take the message to the developers, the web admins, the small business owner who has an e-commerce site, the CXOs that run the companies.

Just as we wouldn’t expect our doctors to show us a PowerPoint presentation on how to set a broken bone and then tell us it’s our responsibility to do it from now on, we shouldn’t expect those who haven’t been trained properly to secure a system. If they don’t have the skill or ability to do it themselves then they have the responsibility to ensure that it is done by someone who is competent to do it.

So this still doesn’t answer the question of who we hold responsible. I think the answer is everyone. We’re all responsible. We all have a responsibility to do our part and to pass our knowledge on to others. It’s almost impossible to nail it down to one thing as being responsible for a security problem. Just as in a ball game you can’t blame one person, one play or one mistake. If something goes wrong the best we can hope for is that we have done the best we can and covered all of our bases. Then we team up and work together to fix the problem, limit the damage and move forward.

I’m listening to the Panda Security Blogger Summit 2010 right now. Last year I was privileged to be a panelist in the first Security Blogger Summit and thoroughly enjoyed my trip to Madrid and the summit. Right now they are in the middle of a heated debate regarding the responsibility of the end user in security. We had this same debate last year and it has gone on and on in many other venues as well. You all know that I feel strongly that the user has a responsibility to act in a safe manner and that we, as security professionals, have a responsibility to help them learn what they need to learn.

One of the panelists said that the user has no responsibility and that we should not expect them to be responsible. In my opinion this is an irresponsible comment and attitude on his part and on the part of anyone who feels the same way. Now before you all get mad at me, let me give you an analogy.

I’m Joe Enduser and I have a PC that is connected to the internet via DSL. I have let my 30 day trial of Panda Internet Security 2010 expire. (I decided to use them since they are the ones that “fueled” the discussion) I also partake in risky behavior such as visiting porn sites, downloading movies from these sites and install the video codec that they say I need. I’ve got a friend who tries to give me “security” advice but I ignore him since we all know that security is a bother. Especially when we are trying to be productive at work. Let’s not forget the fact that I love to click on links in spam email because some of them take me to some very interesting sites.

Of course with all of this risky behavior I have picked up a few pieces of malware (that I’m not aware of since my AV is expired and even got disabled by one of them) and there is a keystroke logger on my system. I’m pretty well off and my bank accounts are pretty tempting to criminals. So one day I discover that several thousand dollars have “disappeared” out of my accounts. Then a few days later I am paid a visit by the FBI because they have found child porn on a computer that was downloaded from my PC and to top things off my PC was part of a botnet that DDoS’d the NSA web site yesterday.

You see my PC is connected to the internet and by default it is connected to every other PC, router, server, and switch on the internet. My PC is NOT an island and my irresponsible actions have enabled scum to view child porn, funded international crime and attacked the US Government. Yet I’m not expected to be held responsible for any of this because after all I’m just a “stupid user”.

If I am driving on an unfamiliar road in another city and don’t see the speed limit sign that told me that I had to quit traveling 45 mph and now must travel 25 mph, I’m still held responsible when I get pulled over. If I’m in a town that has a law against spitting on the sidewalk and I spit on it, I’m still held responsible if I get caught. Even though I’m not familiar with the town and its laws, I am still responsible for my actions. I am expected to conduct myself in a manner that lines up with the laws of that town.

If I leave a loaded gun on my front porch and you pick it up and shoot someone with it, you and I will be held responsible for our actions. Yet when it comes to using a PC that can be used to ruin someone’s life, attack a corporation or government, spread malicious content, etc., I’m expected to remain completely ignorant and that’s OK. I can’t agree with that. If we expect our users to be stupid then they will be. If we expect them to learn how to reasonably act on their systems then most of them will.

If we want a voice in security then we need to ensure that our voice is not spouting irresponsible comments and encouraging irresponsible actions. We will never stop all stupid users and won’t even stop all users from doing some stupid things but that doesn’t mean that we shouldn’t do all that we can. It sure doesn’t mean that we can excuse their behavior and not expect them to do their part and make a change for the better.

Join Us!

February’s monthly NAISG meeting

Wednesday, February 10th


** NEW LOCATION:

Gordon Biersch, Buckhead (the old Rock Bottom Brewery)

3242 Peachtree Road NE
Buckhead, Atlanta, GA 30305
tel 404-264-0253

· Private Room. Please tell the hostess you’re there for the monthly NAISG meeting and she will escort you back.


Agenda:

7pm – Networking, Food & Drink

7:30pm – NAISG_ATL General Business

7:45pm – Keynote Presentation and Interactive Q&A

Nidhi Shah, research scientist, Barracuda Networks

Malicious Javascript – Beyond Level 101

8:15pm – End


Sponsor:

Barracuda Networks, Inc.

Please join us for this interactive session coming straight from the Lab, Barracuda Labs that is. We’ll supply plenty of appetizers, your first round of drinks (be sure to snag a drink ticket on your way in the door) and even a few very cool door prizes! You will not want to miss this month’s meeting in our new location – and yes, it has free wireless! So stock up on business cards, come hungry and ready to talk with old friends, meet with new, and to interact and share ideas across this hot topic. Invite your friends and colleagues – and don’t forget to RSVP!


Malicious Javascript – Beyond Level 101

Be it worms, phishing, malware or Rogue AV, JavaScript is one of the most common routes for malicious activities. Attackers are using clever obfuscation to deceive anti-virus products and combining it with sophisticated social engineering tactics to take advantage of user ignorance. In this talk, we present an in-depth review of JavaScript attacks, implementation scenarios and ways to uncover malicious endpoints.


Specifically, this session will:

· Demonstrate various JavaScript features used in malicious JavaScript in Web pages and its interaction with other software such as Adobe, Flash and Silverlight

· Classify JavaScript malware into specific categories

· Distinguish various obfuscation techniques

· Demonstrate how to trace malware distribution endpoints

· Discuss challenges faced by current solutions to block malicious JavaScript


Nidhi Shah, Research Scientist

Nidhi Shah is a research scientist for Barracuda Networks. She joined Barracuda following the October 2009 acquisition of Purewire, Inc., a Web security SaaS provider. She brings a combination of fine-grained program analysis and Web application security knowledge, and is focused on new innovation around methodologies for automated Web malware detection and prevention. Prior to working for Purewire, Nidhi worked as an R&D engineer for SPI Labs (now HP’s Web Application Security Research Group), a renowned Web application security research team for SPI Dynamics. Nidhi earned her master’s degree from Georgia Tech in Computer Engineering and is a published author with several IEEE papers on reverse engineering topics, and the SPI Labs’ Hybrid Analysis white paper. Her research areas include Web application security, binary program analysis, threat analysis for emerging technologies and obfuscation.
