IT Counterintelligence

August 22nd, 2016

I really don’t like blaming all IT-related intrusions on “hackers”. The elaborate ones aren’t just some kid that’s figured out how to do a ransomware scam. They’re run by criminals and spies, or a mix of both. Being attacked by just hackers has a bit of comfort implied in that wording – hackers only use computers, right? They’re people with poor social skills that never break out of that stereotypical mold, right? But to say that criminals or spies were involved means that the attackers have a wide range of tools at hand to get what they want. They’ll engage in blackmail, murder, deception, all that criminal and spy stuff along with the IT-related intrusions as part of a comprehensive program to gather information.

These guys have zero intention of compromising the target beyond what is needed to gather information. They prefer that there be no ransomware or worm taking things down. They want five nines of uptime as much as the CEO does. They penetrate deep into a network and they require more than just an IPS or DLP in place to keep them from taking secrets out. They need some really paranoid thinking on the part of the target’s employees to minimize what they’re able to gather.

To that end, I’m going to recommend two videos from YouTube about counterintelligence.

Take a look at https://www.youtube.com/watch?v=xbf2I5ObTrk It’s a little harsh, I agree, but it’s also for combat. All the same, it sets up a mindset I’d like users in general to have in regards to security. Don’t write down passwords. Don’t send information over unencrypted, unsecured channels. Don’t think for a minute that LinkedIn and Facebook aren’t unencrypted, unsecured channels… stuff like that…

Another video at https://www.youtube.com/watch?v=27qMsUxmHyo about tracking down and gathering information in a counterintelligence operation. It’s not just a matter of stopping the spies: it’s a matter of making sure that they don’t continue to penetrate one’s organization. If a firewall stops an attacker from getting in one way, it’s not necessarily a success. It just means an attacker will try to find another way in.

Real security is never thinking that the bad guys have given up and walked away. Some will, sure. But the rest? They’re always there, watching and probing. Real security means always watching and maintaining OPSEC‍ .

The Internet of Things with Pre-Installed Backdoors

August 12th, 2016


Threatpost: https://threatpost.com/undocumented-snmp-string-exposes-rockwell-plcs-to-remote-attacks/119865/

The SEO-friendly URL says it all. The Rockwell PLCs in question have a RW SNMP community common to a range of their devices, undocumented, but if you can find it, you can light up every one of them.

Correction: there’s another SNMP string that allows even more access, also undocumented. That’s what’s makes this newsworthy. Not one backdoor, that’s old news. Two pre-installed backdoors, now we got us a story!

If you work with PLCs, read the article above, check to see if you’re using any of them, and then contact the manufacturer. You need to get all over this like a donkey on a waffle.

The Internet of Things Still in Development

August 11th, 2016

So, I just read an article on some solar panels with a wifi connection that had a default admin name and password. That’s not news. What is news is that the solar panels were still in development and were mistakenly shipped to customers.

As we plunge deeper into the world of everything having an IP address, this incident highlights a new concern: what impact does improper labeling have on security? What if these were autonomous vehicles (our favorite bugbear) shipped to a dealer? More terrifying, what if these were controls for a LNG terminal or a nuclear reactor? It’s bad enough we have default credentials on production devices, but now we have to consider a mis-shipment of even less secure development devices.

Or, we can start to say “no”. The promises of cost savings and higher productivity need to be placed against a realistic risk assessment. Is saving a few bucks per IP-enabled lightbulb worth the possibility of a major PCI breach? OK, maybe I’m engaging in hyperbole, as well, but it’s no worse than the hyperbole of IoT marketers that aren’t telling the full story of how human fallibility is always a constant, even when we use computers to speed our poor decision-making processes.

We’ve had product recalls before, and we’ll have them again. But IoT ubiquity means a window of opportunity between the zero-day and the day of repair to wreak havoc, mayhem, and unintended accidents.

I’ll raise another concern: what about device interoperability? I know that if I have medication A, I may have to abstain from substance B if I don’t want a horrendous drug interaction. When will we be able to look at IoT devices working with each other and possibly breaking code as a result of such interoperation?

We need to have a Serious Discussion of Things before we have an Internet of Things.

A Night at the Outsourcer

August 5th, 2016

Night-at-the-Opera-Contract

Driftwood: All right. It says the, uh, “The first part of the party of the first part shall be known in this contract as the first part of the party of the first part shall be known in this contract” – look, why should we quarrel about a thing like this? We’ll take it right out, eh?
Fiorello: Yeah, it’s a too long, anyhow. (They both tear off the tops of their contracts.) Now, what do we got left?
Driftwood: Well, I got about a foot and a half.

After talking with people from companies whose experiences with their outsourcing‍ contracts can be best described as “disappointing”, I wonder if they didn’t have the equivalent of the‍ Marx Brothers‍ representing them in their contract negotiations. I’m not saying that the corporate lawyers were idiots‍ , just that they may have been outclassed by the outsourcers’ lawyers. This is a specialized situation, after all.

Like the company doing the outsourcing, the outsourcer wants to maximize profits. Outsourcers are not charitable organizations, offering up low-cost business services to help the hapless firm with IT‍ needs. They want to get paid, Jack! Some may want a long-term, quality relationship with a client, but there are plenty out there that want to sign a contract that, on the surface, looks like it will reduce costs, but it contains hidden standard business practices‍ that will rake the clients over the coals.

One of the biggest gotchas in an outsourcing contract is the fact that the relationship between a company and its IT is no longer one of company to employee, but company to contractually provided service. That means the “one more thing” that managers like to ask for from their employees isn’t an automatic wish that will be granted. Did the contract authorize that one more thing? No? Well, that will cost extra, possibly a lot extra.

Another loss is the ability to say, “I know that’s what I wrote, but what I meant was…” as a preface to correcting a requested change. In-house staff can be more flexible and adapt to the refinement of the request. Outsourced staff? Well, it seems as though the staff were engaged to make a specific change, so there’s a charge for that, even though you decided to cancel the change in the middle of it. Now, the change you requested needs to be defined, submitted, and approved in order for us to arrange staff for the next change window…

There’s also the limit on the time-honored technique of troubleshooting the failed change and then making the troubleshooting part of the change. Consider a firewall change and then discovering that the vendor documentation left out a port needed for the application to work. In-house staff have no problem with adding that port and making things work. Outsourcers? If that change isn’t in writing, forget about it until it is. And, then, it may be a matter of rolling back the change and trying again, come the next change window.

Speaking of firewalls, that brings me to the “per line of code” charge. If the contract pays by the line of code, prepare for some bulky code if the contract does not explicitly state that lines of code must be consolidated whenever possible in order to be considered valid and, therefore, billable. Let me illustrate with an example.

My daughter is 14 and has zero experience with firewall rules. I asked her recently how many rules would be needed for two sources to speak to two destinations over five ports. She said five rules would be needed. I then gave a hint that the firewall help file said that ports could be grouped. Then, she proudly said, “one!”

While that’s the right answer for in-house IT staff, it’s the wrong answer for an outsourcer being paid by the line. 20 is the right answer in that case. It blew her mind when I told her how many different firms I’ve heard about that had 20 rules where one would do. As a teenager with a well-developed sense of justice, she was outraged. So long as contracts are signed that don’t specify when, how, and what to consolidate, she will continue to be outraged.

I didn’t have the heart to tell her about how some outsourcers contract to provide services like email, but the contract did not outline all the things we take for granted as part of email but which, technically, are not email. Shared calendars? Not email. Permissions for an admin assistant to open a boss’ Inbox? Not email. Spam filtering? Not email. Email is the mail server sending/receiving to other mail servers and allowing clients to access their own inboxes. Everything else is not email, according to the outsourcers’ interpretation of the contract. Email is just one example, and all the other assumptions made about all the other services add up with the above to create a situation in which the outsourcing costs significantly more than keeping the work in-house.

This can have significant impact on security. Is the outsourcer obligated to upgrade devices for security patching? Is the outsourcer obligated to tune security devices to run optimally? Is the outsourcer required to not use code libraries with security vulnerabilities? If the contract does not specify, then there is zero obligation. Worse, if the contract is a NoOps‍ affair in which the customer has zero visibility into devices or code, then the customer may never know which things need what vulnerabilities mitigated. There may be a hurried, post-signing negotiation of a new section about getting read rights on the firm’s own devices and code… and that’s going to come at a cost.

Another security angle: who owns the intellectual property in the outsourcing arrangement? Don’t make an assumption, read that contract! If the outsourcer owns the architecture and design, your firm may be in for a rough ride should it ever desire to terminate the contract or let it expire without renewing it.

I’m not even considering the quality of work done by the outsourcer or the potential for insider threat – those can be equal concerns for some in-house staff. The key here is that the contract is harsh, literal, and legally binding. That means vague instructions can have disastrous results. Tell an outsourcer to “make a peanut butter and jelly sandwich,” do not be surprised if the outsourcer rips open a bag of bread, smashes open the jars of peanut butter and jelly, mashes the masses of PB & J together, shoves the bread into that mass, and then pulls out the bread slices with a glob of peanut butter, jelly, glass, and plastic between them. He gave you what you specified: it’s not his fault that the instructions were vague.

There can be a place for oursourcing, particularly as a staffing solution for entry-level positions with high turnover. But every time I talk with someone from a place that either is currently in or is recovering from an outsourcing contract that went too far, I hear the horror stories. The outsourcers’ lawyers know what they’re doing and the firm’s lawyers fail to realize how specific they have to be with the contract language to keep from looking like they may as well have been the Marx Brothers‍.

Driftwood (offering his pen to sign the contract): Now just, uh, just you put your name right down there and then the deal is, uh, legal.
Fiorello: I forgot to tell you. I can’t write.
Driftwood: Well, that’s all right, there’s no ink in the pen anyhow. But listen, it’s a contract, isn’t it?
Fiorello: Oh sure.
Driftwood: We got a contract…
Fiorello: You bet.

Hell Hath No Fury Like an Admin Scorned

July 29th, 2016

Take a good look at this guy, because he may be potentially more devastating you your company than a major natural disaster. He is an admin, and he’s not happy about going to work every day.

maurice-moss

A network admin from Citibank was recently sentenced to 21 months in prison and $77,000 in fines for trashing his company’s core routers, taking down 90% of their network. Why did he do it? His manager got after him for poor performance.

I don’t know how the manager delivered his news, but it was enough to cause that admin to think he was about to be fired and that he wanted to take the whole company down to hell with him. Thing is, he could have done much worse.

What if he had decided to sell information about the network? What if he had started to exfiltrate data? What if he had set up a cron job to trash even more network devices after his two-week notice was over? And there could be worse scenarios than those… what can companies do about such threats?

It’s not like watching the admin will keep the admin from going berserk. This guy didn’t care about being watched. He admitted to it and frankly stated that he was getting them before they got him. His manager only reprimanded him – who knew the guy was going to do all that just for a reprimand? But, then, would the company have endured less damage if it had wrongfully terminated the admin, cut him a check for a settlement, and then walked him on out? So what about the other admins still there? Once they find out how things work, they could frown their way into a massive bonus and we’re heading towards one of those extremes I mentioned.

So what does a manager do with a poorly-performing employee that’s about to get bad news? Or an amazingly good employee that nobody (including him) is about 10 minutes away from an experience that will make him flip out? Maybe arranging a lateral transfer for the first guy while everyone changes admin passwords during the meeting… but the second guy… there was no warning. He just snapped.

Turns out, good managers don’t need warnings. Stephen Covey wrote about the emotional bank account, and IT talent needs a lot of deposits because the demands of the job result in a lot of withdraws. A good manager is alongside her direct reports, and they know she’s fighting battles for them. That means a great deal to an employee. I know it’s meant a great deal to me. My manager doesn’t have to be my buddy, but if my manager stands up for me, I remember that.

Higher up the ladder, there needs to be a realization in the company that it needs to pay the talent what it is worth. I’ve known people that earned their CCIE, expected a significant bump in pay, and got told that company policy does not allow a pay increase of greater than 3% in a year. They leave the company, get paid 20% more to work somewhere else for a year or two, and then their former employer hires them back for 20% more than that. By that time, though, they’re now used to following money and not growing roots to get benefits over time. By contrast, maybe a 20% bump – or even a 15% bump, maybe – could have kept the employee there.

What are the savings? Not just the pay. The firm doesn’t have to go through the costs of training someone to do the job of the person who’s left. The firm retains the talent, the talent is there longer and now has a reason to try to hold on to those benefits, and there’s a sense of loyalty that has a chance to develop.

If an employee has a sense of loyalty, feels like compensation is commensurate with skills, and has a manager that fights real battles, that employee is better able to ride out the storms of the job and not snap without warning. If that manager has to encourage an employee to do better, maybe then he’ll try harder instead of trashing all the routers.

There may be no way to completely prevent these damaging outbursts from happening, but the best solutions for people’s problems aren’t technological. They’re other people, doing what’s right.

Republican Party: Ur DOIN IT WRONG

July 27th, 2016

Well done, Rince Priebus. The chairman of the Republican National Committee (RNC) said, “Maybe our folks are better at securing our e-mail and our cloud and our data than the DNC. I don’t know what the answer to that is, Andrea, but at this point, we haven’t been hacked… but, I can assure if someone hacked my e-mails, they wouldn’t find me calculating against particular candidates and it’s not something that I would do.”

He could have saved some effort by simply saying, “We are pleased to announce a hackathon, starting now, directed against the RNC servers. While I doubt I have anything embarrassing on them, please feel free to share whatever you find with public sources of shared information including, but not limited to WikiLeaks, Pastebin, and an open Dropbox folder.” Or, for the even shorter translation that would produce the same invitation as in the above two comments: “ALL UR h4x R WEAKSAUSE!!!!@!~~~!!~~~!!!!111!!!eleven!!!”

Organizations need to have some defined style codes and talking points when representatives are speaking about security issues. Foremost among such codes and points should be an admonition to not tempt fate by declaring invulnerability to attacks or by saying there’s nothing worth finding on one’s network. Now, the people already attacking the RNC network are about to be joined by other, previously unmotivated individuals who now, out of a sense of curiosity or self-righteousness, are going to see if the RNC’s servers are indeed better secured and/or have nothing of value on them. Such information would then be shared, most likely on one of the Internets or maybe even a website, because Internets and websites are things hackers will use in their cyber.

I wrote that last sentence in jest, but it pains me to think that there are people in the RNC as well as the DNC, and a number of other organizations, that would have taken notes on that sentence if I presented it to them in a PowerPoint. I would then be asked follow up questions to clarify what is meant by “Internets”, “websites”, and “cyber.” Internet security is so much more than just looking both ways before crossing the street. It also involves not standing defiantly in the intersection while yelling “COME AT ME, BRO!” to approaching drivers.

Come to think of it, that would make another really cool slide. If you’re in the RNC or DNC, call me. I got a slide deck that will open your eyes!

This News Just in…

July 22nd, 2016

If you’re an infamous person that the government is out to get, don’t use iTunes. Or Facebook. The guy supposedly in charge of Kickass Torrents used both, his IP address for iTunes matched the IP address for editing his website’s Facebook page, and it was all over for him. He would seriously have benefited from adversary-resistant computing and adversary-resistant networking.

RSAC 2016 Reading List

March 4th, 2016

Hello one and all, and I hope you’re in a security frame of mind. Here’s a list of things to read up on, as recommended by presenters at RSA Conference 2016:

Getk9.org: free proxy server for home use from Blue Coat. I’m using it now. Although I needed to open up YouTube for personal use, I like knowing that it’s leveraging that vendor’s ability to block malicious content. Proxies aren’t just for kids anymore. Every layer of personal security helps.

The Security Awareness Company: Lots of free stuff here, including humorous parody videos. Worth a visit or three, and there may be something useful for your enterprise here.

Google Hacking for Penetration Testers: A very juicy PDF with information on how to Google things up like you never dreamed possible. If you like it, consider buying the book.

How to Fool a GPS: suggested in the session that dealt with hacking the XBEE traffic in a commercial drone.

Janell Burley Hofmann’s Contract: This is for the kids and their parents. Parents would do well to sign a slightly modified version of the contract.

SFS.Gov: Instead of having ROTC pay for college, how about getting the NSF to pay, with the students working in the US Government cyber-security services after graduation? An excellent way to start a career in security.

CERT Guide to Insider Threats: PDF of contents, index, and sample chapter. If you want a complete picture of security, you need to look at the threat within, and the authors of this book really know their stuff.

ICS CERT Summary of Ukraine Power Grid Hack: Nice summary, should get you thinking, hopefully researching on this matter further. The means by which the hack was accomplished was not all that difficult to mitigate.

ASD Top 4 Mitigation Strategies: Your firm would do well to adopt these as standards.

I hope this helps you all to have some very paranoid fun.

Interview Guide, Part Four

February 3rd, 2014

Let’s talk about telling the truth in an interview. Too often, depressed people use the phrase, “BUT IT’S THE TRUTH!” when they say horrible things about themselves. I like to tell them to feel free to rot in the hell of their own creation. It’ll save me some time when I rise from the depths of Sunken R’Lyeh to ruin everybody’s day. People say that’s harsh, and I respond back with “Not as harsh as you’re being on yourself. Lighten up, bub.”

And that’s the truth: job hunting is a massive beat-down in so many ways. It extracts a spiritual, intellectual, and even physical toll on the job-seeker. Your job as a job-seeker, your number one job as a job-seeker, is to stay positive in spite of the storms that beset you. That is the hardest thing to do, but the most necessary thing to do. No matter what you’ve got on your resume, no matter how impressive your history may be, one lousy interview and you’ll never have the job you seek. If you go into an interview ready to tell the truth in the best way possible, you have a strong chance of coming across as the best fit for the job.

It’s a simple thing, really… often, it’s easier to train someone in technical areas than it is to teach someone how to be a more enjoyable person to be around. You will work with other people, and they want to know that you’ll be someone that fits in with the rest of the team. Not knowing how to be positive or upbeat will destroy your chances in the interview. So, you go in, you tell the truth, and you make it sound good.

Say you’ve been out of work for a year or two. That’s harsh. The wrong way to explain that gap is to say, “I was out of work for two years.” Sure, that’s the truth, but that’s a way of putting it that makes the speaker sound like nothing special.

“I couldn’t find a job for two years.” Oof. Even more depressing. I won’t give you a job, but I might give you a hug and tell you to cheer up.

“I’ve been out of work for two years. It’s been a tough local market, but now I’m able to start looking outside my area.” Better. What else can you add to it? Have you taken training classes? Have you volunteered for charity work? (A word on charity – even if it’s not in your field, if you have nothing else, do that. It tells your potential employer that you’re willing to do hard work and that you have a good heart. What could be wrong with that?) Did you do any internships? *Can* you look outside your area?

However you dress it up, don’t lie, but also don’t be depressing. My minions have observed people with hard felony time and unusual gaps in their job history go into interviews with a good attitude, tell the truth in a positive light, and – here’s the payoff – get the job. That’s right, they get the job. Ten years in prison, twenty years of parole served, no IT job worth mentioning in the last few years: with a good attitude, this guy can get an IT job.

When you think of reasons why you left previous positions, think more of what you were walking towards than running away from. Even if you hated a job, it still gave you experience, and it wasn’t totally without merit. Be positive. If you have hopes and aspirations, here’s where they come out as you discuss your leaving past jobs.

When you talk about one of your weaknesses, remember that you have strengths and that, compared to your strengths, you have skills that aren’t as strong. Those are your weaknesses. Personally, I’m a great motivator. Compared to my motivation and leadership skills, I’m not as good of an administrator. That’s a great way of introducing my weakness. I don’t leave it there, though: I mention what I’m doing to improve my weakness. If it’s something that’s not true right now, then I need to make it true right now so that I won’t be lying in the interview.

If you’re asked something technical and you don’t know the answer, just say that you don’t know. That will help your employer figure out what training you need when you get hired. Worst case, you may be interviewing for the wrong job – the one that will make you miserable – and revealing that you don’t actually have the expertise for the role will help you avoid being in a job you are not prepared to do properly. If you really want the job, be honest about what you don’t know and ask what needs to be done in order to close the gap between where you are now and what you need to have to be qualified for the job. Then, go and do those things.

Above all, learn about where you’re going to interview at and get some genuine excitement for the possibilities. Read up on your potential employer and think of three great things that would go with working there. Is it close to home? Is it a growing company? Does it have an interesting focus? Does it provide a needed service? Do other people like working there? Find out what’s good about it, and use that in your answer when you’re asked why do you want to work there. If you say something along the lines of how it’s just another job, then you’re just another applicant. If you can be excited to be there, they can be excited to have you be there.

Interview Guide, Part Three

January 31st, 2014

Body language is very simple, really. Lots of people think that it makes a huge difference and teevee shows are full of guys that study body language for “tells” into the mind of the person they’re studying. Set all that pop psychology stuff aside and focus on one big, happy truth:

If you are comfortable and not hiding anything, you look and feel relaxed and confident.

And, its corollary:

If you look like you’re relaxed and confident, employers will think better of you over someone that looked nervous, sad, agitated, angry, or comatose.

That’s key to getting a job. People want to hire people that they like. People like people that are relaxed and confident. So, get your body language in order.

Step one is to take a good shower, get a clean shave, fix your hair nicely, wear appropriate makeup, ditch the facial piercings (see part two for the rest of looking the part), and wear clothes that both look good and feel good on you. You don’t want them causing you to have a pained expression, do you? Comfy clothes that look good let you relax and feel confident.

Step two is to smile. Smiling is the most important form of body language. It’s reassuring, comforting, cheery, and pleasant. Do you think employers want to hire the depressing, abrasive, gloomy, or unpleasant? They don’t, so smile and you won’t be part of that group.

Step three is to play to tell the truth in the best way possible. You may have to drop your smile when you explain a serious bit, like, “I had to be out of work for a year while I took care of my aging mother,” but if you can smile at the end of it, there’s a happy ending and the truth wasn’t so bad. If you plan to tell the truth, you’ll have nothing to fear. If you have nothing to fear, you can relax and feel confident. That’ll put a smile on your face, won’t it?

Do keep your posture open, but don’t go into a panic if you discover that you’ve accidentally crossed your arms. Just uncross them and keep smiling. Do sit up straight, but don’t give up hope should you find that you’ve developed a bit of a slouch. Sit up, roll your shoulders back, and smile. If you commit any other pop psychology faux pas, just fix it and smile so that you stay relaxed and confident.

As you can see, body language is easy. It’s not a matter of following a list of what to do and what not to do. It’s a matter of putting your own mind at ease and where the mind goes, the body will follow.