Friday, September 26, 2014

Weird Little Details Matter

I would love to extensively write about Shell Shock, the latest vulnerability-with-a-brand-name. I do have a few hours invested in it, but this is the sort of thing that can be difficult to approach.

If I were mitigating this on a gig, I likely couldn't mention much; certainly nothing that could identify the client in any way. Because ethics. I am fine with that. First off, it indicates that some organizations that I care about have matters in hand. Good on them; this is not a simple thing to do.

Secondly, I get to sit back and take notes on things like the ugly beginning of this thing, how rapidly the exploit attempts began, how rapidly affected systems could be identified (a shell is used in places which might surprise you), speed and completeness of vendor response, etc. This is good data to have, and if I were neck-deep in an operational security work flow, prioritizing systems by criticality, etc., I wouldn't have it.

That work is a sunk cost; it needed to be done in any event, for professional reasons, whether it ever provides any direct reward or not. That is just the nature of the business; you do not get paid for everything you do, but it still has to be done.

It Would Have Been a Busy Week Without Shell Shock

It has been difficult to post lately. There is so very much going on right now. Some of it is structural; this is the end of a major part of the Conference Season, and there have been important results. Some is just in the nature of the weird little details that crop up now and then.

As an example of the weird little things, consider tamper-evident labels. These can greatly simplify the life of a security practitioner, from physical inventories (in combination with bar code scanners) to defending against hardware keystroke loggers (the variant that is placed inside the keyboard), and more. In 2008, I was recommending a line available from Grainger, but by 4/6/11, it had become unavailable.

TE Connectivity has a nice line, but at least some of it requires thermal-transfer printing, and lot sizes start at 10,000 units, depending on just what you are after. Good to be aware of, but I am not closer to finding an industrial supply house that can supply a useful product in lot sizes from the hundreds to the low thousands. I need to be, in that "No problem, go here" is a lot more useful than "I've been working on it".

So there you are, from broad strokes to one (there have been others this week) example of a weird little detail. I often think that weird little details are the more important, and I can offer Shell Shock as an example.



Tuesday, September 16, 2014

Defense In Depth: 2500 Years and Counting

That 2,500 year number is probably conservative. Funding issues, for those security worker-bees trying to deploy along the lines of a defense in depth strategy, may be even older. It seems likely to me that the first bright spark who thought of it either could not get the tribal elder to agree, records from more than 2,500 years ago have not survived, or (more likely) I have suffered a research failure.

This image is of a defense in depth deployment, c. 500 BCE, 2,500 years ago, at Dún Aonghasa, County Galway, Ireland. The Iron Age: brutal weapons, very little medical knowledge, and a life expectancy of 26 years.

It is probably safe to say that defense mattered to these people, on a level more fundamental than identity theft, problems with current near-field payment schemes, or any other current IT security concern. Being hacked by an iron sword has more immediacy than being hacked by a network intruder. The prospect of a horribly painful death tends to focus the mind on what actually works.

Note that

  • No military (collectively, they know a thing or two about horribly painful death) of any nation has ever had a problem with the value of a defense in depth strategy
  • Even the militaristic United States of 2014 has funding problems

Monday, September 15, 2014

A Problem With IRC Chat

A lot of discussion related to development and support in the Open Source world happens over IRC. If you are part of that community, this may be relevant to you.

[16:04] [MOTD] - **************************************************************
[16:04] [MOTD] -                       SECURITY ALERT
[16:04] [MOTD] -
[16:04] [MOTD] - Over the weekend of 13th-14th September freenode staff noticed
[16:04] [MOTD] - some compromised binaries present on a number of servers.
[16:04] [MOTD] - The servers in question have been removed from the network and
[16:04] [MOTD] - shut down.  However, it's possible that network traffic  -
[16:04] [MOTD] - including SSL traffic - has been sniffed and passwords
[16:04] [MOTD] - exposed.
[16:04] [MOTD] -
[16:04] [MOTD] - We therefore recommend that all users change their nickserv
[16:04] [MOTD] - password(s) to a new value which is not shared with any
[16:04] [MOTD] - other service.
[16:04] [MOTD] -
[16:04] [MOTD] - You can do this with /msg nickserv set password newpasshere
[16:04] [MOTD] -
[16:04] [MOTD] - Please note that investigation is ongoing to discover the root
[16:04] [MOTD] - cause of the attack, and until this investigation is complete
[16:04] [MOTD] - we cannot be 100% certain that all traces of the compromises
[16:04] [MOTD] - have been removed. We may have to ask you to change your
[16:04] [MOTD] - passwords again after analysis has completed.
[16:04] [MOTD] -
[16:04] [MOTD] - Further details will appear on https://blog.freenode.net/

As an aside: not posting for a while (things are busy) seems to have foxed those annoying +1 bots for the moment. The ones that +1 every post you make, seconds after submission. Alas, it won't last.