June 15th, 2011
Big headlining breaches are all over the news these days and the star of the show recently has been the group lulzsec. Lulzsec is extremely popular on Twitter right now due to their extremely cavalier approach to securing the Internet. As their name implies, they are in it just for the lulz and because it is just for the lulz, they put no restrictions on themselves. They gain access to companies, post stolen information, and openly mock said company for not being secure enough to stop them. Some agree with what they are doing and some disagree but the big question I have seen is “Is lulzsec a necessary evil that will get companies to actually pay attention to the security of their own systems?”
I have heard security guys, for years, preach that companies are only skating by with the bare minimum when it comes to the security of their IT infrastructure. It's the mentality that you set the bar just slightly higher than your competitor so that attackers pursue the other guy first. From a business standpoint, I can see where it makes sense. You (theoretically) come out ahead with far fewer resources spent on the issue but it does not take the persistent threat into account and lulzsec is proving that. Notice how I left “advanced” out of that last statement? Persistence can triumph without being advanced. As it appears right now, lulzsec is not advanced at all as they are utilizing basic SQL injection tactics to obliterate these companies. But are they a necessary evil?
I would have to say yes. Currently, there is no system that holds companies accountable for less than reasonable security practices. I would like to point out the TJX breach as a prime example. After a breach of almost 50 million credit card numbers (via a WEP network), it seems they are going strong. I believe that they are still going strong because they play the role of the innocent victim and people identify with that and continue shopping there. If lulzsec had been responsible for the TJX breach, there would have been no incentive to stay quiet for personal gain, and TJX couldn’t have played the victim card because lulzsec would be publicly bashing them for having less than standard security practices. You can’t play victim when the main reason you were breached was that you weren’t doing it right to begin with.
I am personally cheering lulzsec on. Yes, what they are doing is illegal. Yes, they are hurting innocent bystanders in the process. And yes, they are causing catastrophe, but until we come up with a better system for making companies accountable... we might as well have some lulz as we watch them be humiliated.
April 27th, 2011
The media has definitely been busy the past few months. There have been some very high priority compromises and news generating events recently. Some of the big headlines have been Epsilon breached and customer emails stolen, RSA SecurID compromised, Another attack against Iran?, FBI takes offensive against Coreflood Botnet, and Sony Playstation Network compromised and ALL personal data stolen. The term APT (advanced persistent threat) has also been thrown around in a lot of the compromises and it makes me wonder if these are isolated incidents or if they may be related in some way. Can we also expect to keep getting some of these high profile compromises or will they die down?
I love a good conspiracy so I would like to hear that they are all related, and this blog post by Krypt3ia strengthens my belief even more that China is up to no good and possibly ramping up for an all out attack in the Cyber Domain. Only time will tell but until then, I will keep theorizing about my conspiracies.
February 14th, 2011
It seems more and more recently, security companies are getting owned. The three notable ones in the past month or so have been Goatse Security, Ligatt, and HBGary. If you were not aware of who Goatse Security is, then you may remember the breach quite a while ago that exposed the email addresses of iPad owners. That breach was guys from Goatse Security. HBGary is an incident response company and Ligatt Security is a company that has gained more visibility in the Security World than it should.
I will look at the Goatse Security compromise first. A screenshot of the site after getting owned can be seen here. There is not a whole lot behind this other than it was done for the “lolz” and a “look what I did” kind of thing. HBGary and Ligatt are much more interesting.
The entire subject of Ligatt has so much material to write about that it would take more time than I want to give Ligatt Security and Gregory D Evans. For all of the background on Ligatt/Mr. Evans please see Attrition.org. Now what happened recently was that the website Ligatt Leaks went live in an attempt to expose all of the things wrong with Mr. Evans. Some of the fallout from Ligatt Leaks is that someone got into Ligatt’s mail server for several days, pulled down all of the mail and released all of it in a torrent.
HBGary is the most interesting out of the three I have noted. I had never heard of HBGary until one of their higher ups went public stating that he had found all of the personal information of the people that run Anonymous and would be selling it to the FBI. Not only did Anonymous rebut the information, stating that it was not correct, but also that HBGary was going to turn over innocent people to the FBI. This also angered Anonymous and so they took a page from the Ligatt book, got into HBGary’s mail server and released all of the emails stored there detailing their attack on Anonymous and how HBGary was planning to start targeting WikiLeaks donors.
Being a security shop and getting hacked is a pretty big blow to not only your ego but your reputation as well, but it occurs all too often. Some further examples include Dan Kaminsky gets hacked, Kaspersky gets hacked, and Kevin Mitnick’s website hacked.
In my eyes, it comes down to the fact that you don’t write all of the software that you use (personally or for business). If you do not write all of the code yourself then you cannot be 100% certain that there are no holes nor can you fully trust it (and even if you do write it 100% yourself, you are human and make mistakes). Being in the Security Industry also requires a sense of humility as there will always be someone who will be able to find a hole. The key is to not piss these people off and if they do find a hole, work with them to try and get it fixed. Do not paint a bullseye on your back and ask for it. Many people have done this and many have failed (see LifeLock CEO and StrongWebmail contest).
Having been keeping tabs on this industry for several years, I can tell you that there are plenty of people that I would not dream of pissing off because I know how good they are at attacking technologies and that I would not stand a chance against them. It just boils down to the fact that you need to assume everything is vulnerable and someone will get in.
November 5th, 2010
One of the things that I see more than anything else during the 8 hours a day that I put in is the mass amount of bullshit. There is so much bullshit, I could swim in it. I have several colleagues that give our customer nothing but bullshit and this is because they don’t know what they are doing and they know it. It surprises me how many people in IT get by on nothing but good old fashioned bullshit. This does not only apply to my colleagues but my customers as well.
There are several reasons that I see as to why bullshit is so rampant but by far the biggest is the lack of training. There are more times than I can count where a customer is trying to roll out a new core router/firewall into their network but does not know the first thing about how to configure it. I normally come in at the point where they are pissed off because it's not a plug and play solution. You’d be surprised how many large corporations I see this from. I don’t know why this is not completely obvious but if you need your network to function as a business, you should make sure your employees that are in charge of the network know what they are doing.
This is why I have been a huge proponent of training for a long time and it is part of the reason why I will jump at every opportunity for that little additional training or anything where I can learn something. I never want to catch myself in the position where I am helpless because of my own ignorance and have to rely on someone else to do it all for me.
October 9th, 2010
Stuxnet has been one of the biggest topics in InfoSec for a little while. I am not going to go into a whole lot of technical depth on it as I am more interested in the ramifications of it. There is a nice recap on Wikipedia if you need to catch up. Basically Stuxnet is the first confirmed (to the general public) attack on Supervisory Control and Data Acquisition (SCADA) systems. As it turns out, the systems that were attacked by Stuxnet had been infected for quite some time before being detected.
This scares me quite a bit as the writers of Stuxnet could have completely destroyed Nuclear Control Systems in any of the plants that it infected. I am not by any means an expert on anything but one of the first thoughts that comes to my mind when I hear about this is the possibility of a remotely triggered nuclear accident on the scale of Chernobyl. If that does not scare anyone else, I am not sure what does.
I am sure there have been several controls put into place to prevent something like the Chernobyl accident happening again. We have had almost 25 years to learn from it and improve our technology and understanding of nuclear technology but one thing I have learned from the InfoSec world is to never say something can’t be done.