
Archive for the ‘Security’ Category

Interesting tidbits from this week

March 19th, 2010, posted by admin

Here are some interesting articles from this week:

- Google releases Skipfish - Skipfish is an open source, automated web application scanner.  It is written in C and runs on Linux, FreeBSD, Mac OS X, and Windows.  I have not had a chance to try it out yet, but it appears to be similar to Nikto.  The Redspin Blog has a good initial write-up on the install and some basic features.

- Burp Suite tutorials - The Security Ninja has posted some great tutorials on the Burp Suite.  If you have not tried Burp Suite, what are you waiting for??  It allows you to test web applications with both manual and automated techniques.  It is available for free with some higher-level functionality disabled; the full version is quite cheap for what it does at $225/year.  Anyhow, the tutorials on the SN site are excellent, cover the Intruder, Repeater and Comparer tools, and he plans to go over the rest of the suite.  Check it out!

- SecurityTube Launches SecurityTube Questions - SecurityTube Questions has launched and is aimed at helping hackers, infosec professionals, enthusiasts and students solve security-related problems.  There are quite a few questions and lots of great answers.  Something to keep bookmarked and check back on often.

- Pen Testing the Web with Firefox - Slides from the excellent Black Hat webinar given by Michael “theprez98” Schaerer describing lots of great plugins that let you pen test websites from the browser.  There is also a great list of web application security penetration testing plugins found here.

- Looking for the Bad Stuff, Part 1 - Yet another great post from Harlan Carvey about searching Windows drives for bad things.  Gives lots of great tips on where to start, which log files to look through and many others.  Check out the comments section for some more great discussion.  As mentioned before, Harlan’s Windows Forensic Analysis is a MUST READ, along with his site.


Would you pay for IT Freedom in the workplace?

August 31st, 2009, posted by admin

I ran into an article this weekend, “Unchain the Office Computers! – Why corporate IT should let us browse any way we want,” by Farhad Manjoo.  My reaction went from ‘Yeah right, this guy is nuts’ to ‘maybe there is some merit’ to somewhere in between.

The article starts off with the somewhat hilarious answer a State Department worker got when asking why they were unable to use Firefox on their work computers.  Being an IT professional, I can understand the answer.  Every additional program is one more thing to install, patch, and support.  I am also unsure whether there is a good way to block plugin installs, which could be a major issue.  So the expense of Firefox comes in ways that might not be obvious to the end user.

I think that the author does have some basic misconceptions about the technology.  He states that he cannot forward his mail to Gmail, but others are allowed to forward to a BlackBerry or iPhone.  What he is misunderstanding is that the problem is where the mail resides and who can have access to it.  Typically BlackBerrys and iPhones still keep mail on the organization’s server, compared to Gmail, where who really knows where it goes, or how long it is actually kept.  The thing that amazes me is that this person seems quite alright trusting Google, but seems to have an inherent problem with his IT organization.  I guess it is because Google is that big ol’ free cloud that does everything right.

Where I do agree is that IT professionals can be closed-minded and power hungry.  Our policy was that if a user could show a business use, we would try our best to accommodate the end user.  (Keep in mind I work in academia!)  However, I have seen others in the same organization who would still rather run Windows 98, Eudora, and Netscape and won’t budge.  I think where Farhad goes wrong is asking for unfettered access to their computers.

I wish he would spend one week in an IT support person’s shoes.  While in IT support, I received requests for anything from coupon printers, to WeatherBug, to even Bonzi Buddy.  What Farhad does not think about is that 6 months from now, when some computers are overflowing with spyware, adware, etc., the user will state that their computer is slow.  This is additional work for support to rectify, and it is exactly what some of these rules (running with least privilege) easily prevent.  I guess you can put it into the category of one bad apple spoils the bunch.  I am sure that there are users who can take care of their computers just fine.  That launches right into my next point.

I stepped into a conversation on Twitter between Michael Santarcangelo (The Security Catalyst) and Ax0n discussing this article.  Michael wrote:

accountability requires pre-agreement (albeit implied)… without that and the ability to achieve, can accountability exist?

Then it came to me.  I remember from Michael’s book Into the Breach (really a book every IT professional should read) that he talks about how people will not realize their security gaffes until they are held accountable.  So I wonder this: would you accept unfettered access to your desktop in exchange for accountability?  Would you be willing to be docked pay for downtime, fined for breaches/compromises, or even fired for these offenses?  A put-your-money-where-your-mouth-is kinda deal.  I wonder how many people would step up.  Would you?  I have seen compromises from malware delivered through ads just from surfing to common sites such as Fox News or Yahoo.  Is having your IT freedom worth it??

I think it gets down to another point from Into the Breach: users just want to get their work done.  Michael said it right: “We need more dialogue, which means we need to listen, learn and act…together.”

Edit: Michael brought up a great point.  Not only should there be negative consequences, there should also be positive rewards.  Great idea!  Almost a new way of thinking.  Hold people accountable, reward them when they do well, and people could actually want to learn how to be secure!


Windows 7 and XP Mode (XPM)

May 5th, 2009, posted by admin

An interesting thought came to mind while reading the Windows Incident Response blog yesterday.  A link provided by Claus brings up an interesting concept, XPM.  Windows XP Mode (XPM) is a “Virtual PC-based virtual environment and a fully licensed copy of Windows XP with Service Pack 3 (SP3). It will be made available, for free, to users of Windows 7 Professional, Enterprise, and Ultimate editions via a download from the Microsoft web site.”  Sounds cool, but what happens with the security patches that come out after SP3?  With so many people who don’t bother to patch their systems, would this just create a bigger problem, with 2 possibly unpatched operating systems available as targets to exploit?  There seem to be some kinks that need to be worked out on the security end, as I have not heard any talk of how the XP image will be patched or what will happen once XP is no longer supported.  I will be curious to see how this pans out in the near future.

EDIT: Some more interesting news has been coming out about XPM (via Slashdot):

- Microsoft, Intel goof up Windows 7’s “XP Mode”

- Windows 7’s ‘XP mode’: Right idea, wrong technology

- Windows 7’s ‘XP Mode’: A Great Idea, on Paper

Great week for Webcasts/Podcasts or Cheap Training

May 1st, 2009, posted by admin

As I looked at my calendar last weekend, I wondered why it was so packed.  Aside: Hey, I am a Sys Admin.  My meetings tend to be more spontaneous, like my computer is on fire or the website is down.

Turns out there were 6 great events going on this week:

1.  Pauldotcom put on Part 2 of Zen and the Art of an Internal Penetration Testing, which covered using tools such as Nessus, Core Impact, and Metasploit for tying vulnerability scanning, penetration testing and reporting into an efficient, repeatable testing process.  I did not get a chance to listen to all of this, but look forward to a recording being released at a later time.

2.  Rob Lee brought us Memory Analysis for Incident Responders and Forensic Analysts.  I thought that this was an incredible webcast which gave great insight into why memory analysis is important, which tools to use for acquisition and analysis, and sample cases of memory analysis.  I would highly recommend anyone interested in security/forensics go back and listen to this webcast.  Also, version 1.3 of the SIFT Workstation was just released, so be sure to pick that up.

3.  Larry Pesce brought us the monthly Late-Breaking Attack Vectors webcast, where he discusses the latest happenings in attacks.  Items covered were the ever so popular Mikeyy Twitter worm, OS X botnets, and many others.  Larry did an excellent job and this webcast is always worth a listen.

4.  Chris Nickerson and Mike Murray discussed Modern Social Engineering Part II – Top 5 Ways to Manipulate Humans Over the Wire.  Social Engineering is a technique usually not discussed as much as using vulnerabilities or exploits to get inside a network, but Chris and Mike go deep into how to manipulate people.  They do an excellent job expanding on Part I and give real world examples throughout.  Also at the end there is a fairly long Q&A which discusses some interesting techniques.  If you would like to learn more, check out ChicagoCon coming up.  Looks like a great opportunity to interact with some of the great minds in security and it is cheap! ($100).  Also be sure to check out Chris’ new podcast Exotic Liability.

5.  Pauldotcom celebrated its 150th episode with a 12-hour extravaganza featuring guests such as Lenny Zeltser, Martin McKeay, Johnny Long, Stephen Northcutt, and many others.  This episode will surely keep you entertained for a long while to come!

6.  Mike Murray and Danni Lupisella presented on many of the threats that popped up in Q1 2009 in their Midnight Hacking webcast.  This was a great webcast that allowed for interaction directly with the presenters and covered great content such as mobile phone vulnerabilities, SSL exploits, and Conficker.  These appear to be monthly and I look forward to attending them on a regular basis.

A little while back this question came up to the SecurityTwits feed from michealc:

(screenshot of the tweet)

Well Micheal, here is your answer.  These types of webcasts are probably the best online security training you can get for the money (free).  They allow you to hear an excellent presentation from some of the best minds in information security and then interact with those great minds during the question and answer sessions.  I have been to a few trainings in the last year or so, but some of these webcasts are much better as far as content, presenter knowledge and style.  Keep your eyes on Twitter and the securitytwits feed for more great webcasts/podcasts.

The cost of a lost laptop? $50,000

April 23rd, 2009, posted by admin

A study (PDF) put out by the Ponemon Institute yesterday puts the average cost of a lost laptop at $49,246.  This includes the following components: replacement cost, detection, forensics, data breach, lost intellectual property, lost productivity, and legal expenses.  The variation was incredibly large, from just over $1K to just under $1M.

Two interesting points that I see:

“Encryption makes a difference.  When lost laptops have encryption, the average cost of the lost laptop is $37,443. If it is not encrypted, the average cost is $56,165. This is almost a $20,000 difference in the cost.”

Only $20K?  I would think that having a properly encrypted laptop would eliminate nearly all costs other than replacement and lost productivity.  Of course, the best encryption is not going to defeat the user who tapes the encryption key to the laptop.  However, if all encryption rules are followed, I pretty much thought this was a safe bet?

“The existence of a full backup increases the average cost of the lost laptop. There is an inverse relationship between the average cost of a lost laptop and the existence of a full backup. The average cost of a lost laptop with a full backup is $69,899 as opposed to $39,253 when there is no backup system. One possible reason for this is that the backup makes it easier to confirm the loss of sensitive or confidential data. In other words, it could be the ignorance is bliss hypothesis.”

Wow, save money by not doing backups!  Quite an interesting piece of information, with data to back it up.  Who is going to go to the VP and say we can save money by not doing backups? ;-)

Tie this in with 12,000 lost laptops per week at airports, and that is quite a large chunk of change.

Calling all forensics experts!

April 11th, 2009, posted by admin

These questions have been on my mind for a while, and a recent data breach makes me want to get some answers from the experts.

On plenty of breaches I read the following lines:

“We have no reason to believe that this information was accessed by unauthorized individuals…”

“It cannot be determined with certainty that any data was pulled from a computer by infectious software…”

“there is no indication that any of the information has been misused…”

These lines seem to be from the first pages of “Breach Notification for Dummies,” because I have hardly read an announcement without one of these types of statements. My questions are: how do they know that it has not been misused, and if they know that it has not been misused, why can it not be determined whether the data was pulled from the computer? I kinda thought that this was the whole point of a forensic investigation: finding out what the bad guy did once they were on the machine. Is it money, time, notification deadlines (i.e. the drive cannot be analyzed quickly enough before notification is required), historical data (obviously not every breached computer with PII leads to ID fraud), or a combination of everything?

Am I missing something here? I would love to hear what everyone thinks.

UPDATE 04/16/2009: Dave Hull tweeted a link to the Security Breach Notification Symposium, which should give some great insight into the topics discussed in this post. The audio/slides for the talks have recently been posted. Thanks everyone for the great comments!


Security Breaches in Academia

March 9th, 2009, posted by admin

Jayson Street tweeted a link to a Computerworld article about the recent rash of security breaches in the academic environment.  (Aside: Follow Jayson, as he will soon be releasing a book called F0rb1dd3n that looks awesome!)  There are a few interesting tidbits in this article, and it is definitely worth the read if you work in academia.

I think the author might be too bold in saying that breaches occur more often during the last few weeks of the semester because students are under duress.  Pretty much everyone is under some sort of duress during these important final weeks of the semester: from the faculty designing finals and grading, to the staff having to put up with the faculty, to the IT staff having to make sure everything is working.  Perhaps it is people trying to take shortcuts (such as taking PII home on their laptop, which then gets stolen) to get work done quickly in situations where time is limited, but I think you can hardly pin it just on the students.

Computerworld also talks with the author of “Breaches in the Academia Sector,” John Correlli, who adds a spot-on statement: “Privacy governance in academia is far too frequently thrown into the laps of the IT folks, who are then told, implicitly or explicitly, that privacy isn’t a priority until it’s a problem.”  When is it considered a problem?  When you (being the college, unit, dean) need to spend money to notify victims of a breach?  When you suffer embarrassment due to a breach?  I think the ‘it can’t happen to us’ way of thinking no longer applies, as breaches have struck all areas of academia.  So why not take the steps to be proactive beforehand, so you don’t have to pay for notifications or suffer the embarrassment?  Simple: people hate, fear, and resist change.  Unfortunately, the open environment of academia hinders change and is typically used as an excuse to resist it.

John also says that academia is prone to these threats due to “A customer user population that is relatively low paid, lives “on site” and experiences high turnover.”  I agree with this, and not only in the customer user space but in the IT staff space.  Lower-end IT support/sysadmin jobs are typically stepping stones for people to move on to better positions, and they are typically on the lower end of the pay scale.  Although I don’t have any numbers (but would love to find some) on the pay differences between academia and business, I would say that academia IT is on the lower end of the pay scale compared to the same position in the commercial sector.  Then a new person has to come in, make heads or tails of what the last person did (You mean every IT person does not document what they did?!?), and go on with their everyday job.  So then it comes down to this: how do you keep talented young IT staff who can go work somewhere else for plenty more money, and most times much less grief?

So, the million dollar question is, how do we secure data and still promote the open environment of academia?  I think Michael Santarcangelo has some great ideas in his book ‘Into the Breach’, such as holding people accountable for their actions and engaging the people whose data you are trying to protect.  I would love to hear how other people are doing it.


Is Twitter Dangerous?

February 16th, 2009, posted by admin

An interesting article came up in my Google Reader tonight from Michael Krigsman of the IT Project Failures Blog on ZDNet. He discusses how Twitter is dangerous to businesses and governments due to the rapid nature information can spread. He ends with an interesting question: “Is Twitter a weak link in the security chain?”

First of all, I don’t think he is picking directly on Twitter, but at any social networking tool like Twitter, Facebook, MySpace, and numerous others.  While I do agree that posting something on Twitter could easily reach hundreds of thousands (and possibly millions) of people in minutes, the important part is that someone has to be typing the 140 characters into Twitter to begin with.  While you can loosely say Twitter is a weak link in the security chain, it is only the facilitator.  The weaker link in the security chain can be multiple other things, such as misunderstanding the reach of Twitter, or even the direct message function.

An example Michael uses is US Congressman Pete Hoekstra (R-Michigan) tweeting information about a secret congressional envoy in Iraq.  Yes, probably a bad move.  However, this does not make Twitter a weak link; it makes Mr. Hoekstra a weak link to sensitive government information.  Come on, this guy is a ranking member of the House Intelligence Committee!  I am sure he has to handle loads of sensitive information and should know better.

You know how everyone says that when you are all fired up, you should not belt out a nasty email?  Perhaps the same thought should be put in before you tweet things, such as congressional information, to the world.  I twittered a 140-character summary of what I wrote here to Michael and he responded with another question: “The question is getting folks to think before tweeting confidential information. Easier said than done.”  He is absolutely correct, but how do we do it?  Twitter is a great tool because it is so open.  How far are we from tweets being siphoned through company security or PR before getting posted, or is that already happening?


Do we need a new internet?

February 15th, 2009, posted by admin

An interesting post came through the Educause Security list with a link to a recent NY Times article entitled “Do we need a new internet?”.  Reading the article, you would think that all hope is lost, with quotes like:

“Unless we’re willing to rethink today’s Internet,” says Nick McKeown, a Stanford engineer involved in building a new Internet, “we’re just waiting for a series of public catastrophes.”

“If you’re looking for a digital Pearl Harbor, we now have the Japanese ships streaming toward us on the horizon.”

Wow. As the person who posted to the list stated “Do you think it is really that bad?”. I am very curious as to the replies that will follow. Do we need a new internet or is it a combination of insecure operating systems, uneducated (security-wise) users, and poor patching? If we repair these things can we repair the internet? Can we repair these things?? A recent article in SCMagazine debated if security awareness is even worth doing.

The article brings up a good point about the current internet becoming “the bad neighborhood of cyberspace.”  We are implementing this kind of split between a secure and an unsecured network for our users.  Any user with administrator rights (see what running with admin rights will do for you here) will be put on an ‘unsecured’ network with just a direct connection to the internet, or “the bad neighborhood of cyberspace”.  These users will have no access to network shares or any part of the secure network.  Hopefully, the users on the unsecured network will see the benefits of being on the secure network and make the unsecured network unnecessary.

A secure network will sacrifice things such as privacy and anonymity. Will users decide not to give up those things and would rather wipe their computer every 6 months when it gets infected? Quite an interesting article to debate!

EDIT: Excellent blog post by David Akin, and one here from Gene Spafford of CERIAS.


Removing Administrator Rights

February 6th, 2009, posted by admin

An interesting whitepaper was released by BeyondTrust (found via TaoSecurity) entitled “Reducing the Threat from Microsoft Vulnerabilities” (PDF).  Here are some of the key findings from the study:

  • 92% of Critical Microsoft vulnerabilities are mitigated by configuring users to operate without administrator rights.
  • By removing administrator rights, companies will be better protected against exploitation of 94% of Microsoft Office, 89% of Internet Explorer, and 53% of Microsoft Windows vulnerabilities.
  • 87% of vulnerabilities categorized as Remote Code Execution vulnerabilities are mitigated by removing administrator rights.
  • Of the total published Microsoft vulnerabilities, 69% are mitigated by removing administrator rights.

If those stats don’t make you want to take away administrator rights from your users, I don’t know what will.  Coming from a scientific background, I love to see statistics, numbers, and facts.  In the past, when discussing admin rights with users, I used an eWeek article entitled “Is System Lockdown the Secret Weapon” to drive home my point.  In short, they visited some nefarious websites using three separate computers: one with Administrator rights, one with Power User rights, and one with User rights.  They then ran a malware/spyware scan afterwards and found that the computers with Administrator and Power User rights each had 19 threats and over 2000 registry keys installed.  The computer with User rights had a single threat, and that was in the browser cache.  A single threat, people!

In academia, removal of admin rights has been met with much resistance (by both faculty/staff and IT staff).  We have been making it work in our area by doing the following:

  1. Working with the faculty and staff to find out their computing needs, and assuring them that they will continue to function in the same capacity they were able to with admin rights.
  2. Knowing that applications will need to be installed, handling these requests promptly when they arise to limit possible downtime.
  3. Developing practices for our “road warriors” that keep them safe, but allow for emergency admin rights if necessary.
  4. Setting an example: IT staff run as standard users when not performing tasks that require administrative rights, and elevate only when necessary.

Following these steps, over 95% of our faculty/staff perform their jobs without admin rights.  It is getting to the point where this is going to have to be reality in academia.  Free and open education can exist with standard user rights, and many places around the University (including us) have proven that and made it work.  The sad part is that I hardly ever hear this mentioned when people try to explain the removal of rights to faculty and staff.
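As an added example (not from the original post), here is a PowerShell script that checks the two halves of step 4 on a Windows workstation: that the current session is running as a standard user rather than elevated, and that the local Administrators group contains only the accounts you expect. It assumes PowerShell 5.1 or later on Windows (for Get-LocalGroupMember); the allowed-account list and the script path passed to the elevation helper are placeholders for your own environment.

```powershell
# Added example, not from the original post. Assumes PowerShell 5.1+ on Windows.
# The $Allowed account list and the script path are placeholders for your environment.

function Test-IsElevated {
    # Returns $true when the current process token holds the Administrators role,
    # i.e. this session is running elevated instead of as a standard user.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdminAudit {
    param(
        # Accounts that are supposed to be local administrators (placeholder values).
        [string[]]$Allowed = @("$env:COMPUTERNAME\Administrator", 'EXAMPLE\IT-Workstation-Admins')
    )
    # Every member of the local Administrators group, flagged when it is not on the allow list.
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Name        = $_.Name
            ObjectClass = $_.ObjectClass
            Source      = $_.PrincipalSource
            Expected    = ($Allowed -contains $_.Name)
        }
    }
}

function Start-ElevatedTask {
    param([Parameter(Mandatory)][string]$ScriptPath)
    # Runs one script in a separate elevated PowerShell (UAC prompt) and waits for it,
    # so the interactive session itself stays unelevated.
    Start-Process -FilePath 'powershell.exe' -Verb RunAs -Wait `
        -ArgumentList @('-NoProfile', '-File', "`"$ScriptPath`"")
}

# 1. Day-to-day work should be unelevated.
if (Test-IsElevated) {
    Write-Warning 'This session is elevated; routine work should run as a standard user.'
} else {
    Write-Host 'Running as a standard user.'
}

# 2. Anyone in Administrators who is not on the allow list is a finding to follow up on.
$audit = Get-LocalAdminAudit
$audit | Format-Table -AutoSize
$unexpected = $audit | Where-Object { -not $_.Expected }
if ($unexpected) {
    Write-Warning ('Unexpected local administrators: ' + ($unexpected.Name -join ', '))
}

# 3. Elevate only the task that needs it, e.g. a script that installs a requested
#    application (placeholder path), then drop back to the standard-user session.
# Start-ElevatedTask -ScriptPath 'C:\IT\Install-RequestedApp.ps1'
```

On older hosts without the LocalAccounts module (the XP and early Windows 7 machines this post is about), `net localgroup Administrators` lists the same group membership for the audit in step 2. Running the audit periodically across workstations is the check that keeps the 95% figure honest over time, since admin rights granted for an "emergency" (step 3) tend to stay unless something notices them.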