Wednesday, April 28, 2010

Book Review: Professional Penetration Testing

I recently read this book because I was looking to modernise my home penetration testing lab and, being blunt, I haven't done a hands-on role for a while and missed it. So I wanted to familiarise myself with current trends/approaches and get back into it. I was particularly curious to see what this book had to promise me in that regard. I had seen the De-ICE disks harped on in Hakin9 magazine and thought "what the hell".

Firstly, I must add that this book was a serious disappointment to me - but I feel that this was more due to the misleading title.

Whilst it would be unfair to say it is useless to everyone, I must say I found it largely useless to me. Perhaps this is because of my background: I've conducted pentests, I've overseen pentests and I've acted as a security lead on multiple projects, including large-scale e-commerce projects with multiple pentesters over multiple rounds of testing. So while my work has been hands-off for some time, this is certainly familiar territory.

If you are anything like me, have pentesting experience or have been doing pentesting for some time - please do yourself a favor and avoid this book. It is not technical AT ALL; it will offer you everything from career advice, to certification advice, to methodology advice, etc. Just about anything BUT setting up a home pentesting lab. In fact, the bulk of the book can be summed up as "Just install my De-ICE disks, read my forums, do my courses and away you go!".

On the other hand, if you have ZERO penetration testing experience (or perhaps are a black hat looking to go legit or a university graduate with minimal work experience) you could probably benefit from this book for the reasons stated above. This book discusses a lot of the benefits of penetration testing within a corporate environment, how/why/where you apply methodologies (and the pros and cons of each), complementary skills and so on. In that regard, it is quite beneficial. But do not make any mistake - this book will NOT teach you how to set up a pentest lab. Moreover, even if you are a beginning penetration tester, I can think of far, far better textbooks for a novice (the OWASP Testing Guide for starters, which is free too).

No such review would be complete without some complimentary feedback. So I will say that I found zero grammatical/spelling errors (that's not saying there aren't any - only that I detected none). I did like how each chapter had review questions or "mini assignments" that required you to go off and do additional investigation to learn what the author was trying to convey, and that such information cannot be gleaned from this book alone. That, I thought, was a good strategy for getting the reader to learn beyond the scope of the book.

However, we must refer back to the title. Do I feel that this book taught me how to establish my own pentesting lab? No, absolutely not. The title is horribly misleading and should be renamed "Professional Penetration Testing: A Career from Black Hat to Ethical Hacker". I'm sure that the author is very technically capable and was well intentioned in writing this book. Which is why I would suggest that my title is far more appropriate. But this is not a technical book and it does the reader an injustice by advertising it as such.

My low score is for the poor choice of title and, despite the grammar and spelling seeming solid, the fact that I feel very dirty after reading it.

Rating: 3/10 (*6/10 for those new to penetration testing as a career path).

- J.

Tuesday, April 27, 2010

Social Networking: Why You Should Be Worried

While social engineering as a method of compromising systems and networks is nothing new (and the art of deception goes back long before the advent of TCP/IP), social networking amplifies the potential for abuse through a multitude of things. Mostly naiveté: the belief that they (individual users) won't be targeted, that they have nothing to hide, mistaken or deluded notions of how their personal information will be used, etc.

I could trash these notions up and down but I really don't have the time. So instead, if you honestly kid yourself with any of the following excuses:
  • "I have nothing to hide!"
  • "I won't be targeted!"
  • "I trust 'them' with my personal information!"
Then you need to just skip to my References section in this post below. When you're done with reading the lot, then come back here. Because if you honestly think you are somehow going to magically escape the bullet, you are just wrong. Wrong, wrong, wrong. Dead wrong. 

Did I say wrong enough times?

What's more, your action (or worse yet, inaction) will have an impact on how information is used, global notions of privacy and furthermore, you may indirectly compromise your workplace, your colleagues, co-workers, friends or family.

What makes social networking a far greater threat than old fashioned social engineering is that it compounds the problem on multiple levels.


Information that was previously hard to come by (i.e. had to be acquired by being physically present or knowing certain individuals) can now be mined, remotely or privately. Websites such as pipl.com or tools like Maltego have shown the very real threat that remnant traces of data on the Internet can reveal. We can see data in aggregate. And the aggregation of data compounds the risks, as the sum is greater than its parts.

Social networking allows data to determine subject-object relationships. Context is revealed. So we know that Jarrod likes Mixed Martial Arts and that the Ultimate Fighting Championship is an MMA event. So it would stand to reason that Jarrod would like to hear about the UFC. This is the value of data and relationships. This is the worldly view that Google and Facebook are trying to build. But sometimes these relationships can have unexpected consequences.

E.g. an attacker finds out you work at XYZ Company in the Payroll area (LinkedIn) and that you like going out to concerts and are a fan of Pink (Facebook). Searching on your email address, which you have listed as public (pipl.com), reveals your blog and some very compromising pictures. Or maybe just a rant about how much you hate your boss. Or the attacker distributes a finely crafted piece of malware which purports to be Pink playing live in your hometown, with hopes of compromising your work machine...
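To make the aggregation concrete, here is an added example (not code from the original post) that joins constructed records from the four sources named above by the identifiers strong enough to link them (e-mail, URL, name plus city) using a union-find pass, then lists which lures become possible only once the merged profile exists. All names, the employer, e-mail addresses and URLs are invented; the second Jarrod Smith in Perth is there to show that a bare name must not be a linking key.

```python
from collections import defaultdict

# Constructed records: one dict per "hit" from one source. Names, employer,
# addresses and URLs are invented for illustration (example.com / example.org).
RECORDS = [
    {"source": "linkedin", "name": "Jarrod Smith", "city": "Melbourne",
     "employer": "XYZ Company", "role": "Payroll"},
    {"source": "facebook", "name": "jarrod  smith", "city": "Melbourne",
     "email": "J.Smith@Example.com", "likes": ["Pink", "MMA"]},
    {"source": "pipl", "email": "j.smith@example.com",
     "blog": "https://jarrod.example.org"},
    {"source": "blog", "url": "https://jarrod.example.org/",
     "note": "post complaining about the boss"},
    # Same name, different person: must not be merged into the profile above.
    {"source": "linkedin", "name": "Jarrod Smith", "city": "Perth",
     "employer": "Other Pty Ltd", "role": "Sales"},
]


def link_keys(rec: dict) -> set:
    """Identifiers strong enough to join two records: a normalised e-mail, a
    normalised URL, or name plus city. A bare name is deliberately not a key."""
    out = set()
    if "email" in rec:
        out.add(("email", rec["email"].strip().lower()))
    for field in ("blog", "url"):
        if field in rec:
            out.add(("url", rec[field].strip().lower().rstrip("/")))
    if "name" in rec and "city" in rec:
        out.add(("name_city", " ".join(rec["name"].lower().split()),
                 rec["city"].strip().lower()))
    return out


class DisjointSet:
    """Union-find over record indices; records sharing a key end up together."""
    def __init__(self, n):
        self.parent = list(range(n))

    def find(self, i):
        while self.parent[i] != i:
            self.parent[i] = self.parent[self.parent[i]]  # path halving
            i = self.parent[i]
        return i

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def merge(records) -> dict:
    """Fold several records into one profile; every field keeps all values
    seen, and 'sources' records where the pieces came from."""
    profile = defaultdict(set)
    for rec in records:
        for field, value in rec.items():
            if field == "source":
                profile["sources"].add(value)
            elif isinstance(value, list):
                profile[field].update(value)
            else:
                profile[field].add(value)
    return {field: sorted(values) for field, values in profile.items()}


def aggregate(records) -> list:
    """Link records transitively (A shares e-mail with B, B shares a URL
    with C) and return one merged profile per connected group."""
    ds = DisjointSet(len(records))
    first_seen = {}
    for i, rec in enumerate(records):
        for key in link_keys(rec):
            if key in first_seen:
                ds.union(i, first_seen[key])
            else:
                first_seen[key] = i
    groups = defaultdict(list)
    for i in range(len(records)):
        groups[ds.find(i)].append(records[i])
    return [merge(group) for group in groups.values()]


def lures(profile: dict) -> list:
    """Pretexts that only become possible once fields from different sources
    sit in one profile; each needs data no single record above supplies."""
    out = []
    if all(f in profile for f in ("employer", "likes", "email", "city")):
        out.append("mail %s a '%s live in %s' lure to reach a %s machine" % (
            profile["email"][0], profile["likes"][0], profile["city"][0],
            profile["employer"][0]))
    if "role" in profile and "note" in profile:
        out.append("lean on the %s role plus the public %s" % (
            profile["role"][0], profile["note"][0]))
    return out


if __name__ == "__main__":
    for profile in aggregate(RECORDS):
        print(profile["sources"], lures(profile))
```

The Melbourne profile ends up with four sources behind it even though no single record holds employer, interests and a contact address at once; the Perth record stays on its own because only e-mail, URL and name plus city are allowed to join records.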

Social relationships are important and I don't want to say "don't use social networking", but we need to be mindful that the information we are sharing isn't shared "just with our friends". We're sharing it with third parties that we have trusted and sometimes that trust is misplaced, taken for granted (Google/Buzz) or just outright abused (Facebook).

Locking down your profile doesn't always solve the problem, because these companies can still share it with third parties or use it internally at whim (Google), they can still hold the data indefinitely (Facebook), or be riddled with security holes - to such a degree that even if you do the right thing, share the minimal amount required, lock down your privacy settings, etc., you can still be hit by those people you have as 'friends' because of their own lax approach to personal security and privacy (or because they install every sodding game or application under the sun).

This isn't intended to scare the crap out of you (although I'm sure it may for some if you start seeing how real world attack scenarios occur in my references section and the Google/China hack) but you need to realise how it can be abused. 

If you're going to use social networking services, you need to be mindful of:
- what you share,
- who you share it with (companies/websites as well as individuals),
- default privacy/profile settings,
- if in doubt, just share the BARE MINIMUM required to maintain social contact!


- J.

References:

Wednesday, April 21, 2010

Wall of Shame: Security Education and Awareness

"It’s difficult to get a man to understand something when his salary depends on him not understanding it." - Al Gore (shamelessly ripped from 'Beautiful Security', Mark Curphey's chapter)

I had this discussion with two other security professionals today about security education and why it fails. This is another common failing within security. I'm going to break this into two categories:

  1. What security guys do wrong.
  2. What everyone else does wrong.
I'm also basing this on my own experiences too - including my mistakes. Too many people in this field are too busy talking about how bloody rockstar awesome they are to tell people about all the things they wish they had done differently. Well, not here. I've made more than my fair share of mistakes. I like to think I made them so other people won't have to.

What security guys do wrong
For starters, we're not prioritising well.

We try and target user behaviour because that's where the bulk of root causes stem from, right? I mean, it makes sense on a superficial level. Users are tricked by social engineering attempts, they run executables they shouldn't, they hold doors to secure areas open for total strangers, etc. You get the idea. But is this a failing of the user or a failure of the system that allows, if not perpetuates, this behaviour?

Good question. We'll get back to that another day though.

But right now, let's say it's our fault. We blame the (l)users because it's easier than admitting the truth. Our policies are crap because they're unenforceable. We don't hold people to account. We don't embed our controls into processes or otherwise automate things to make security as automatic as possible.

But what if we start being judicious in our education and, say, start educating developers on secure programming practices, focusing our efforts on them understanding the vulnerabilities, how they manifest in crappy code, and demonstrating alternative methods for cutting code? Sure, you won't solve the user behaviour, but I bet your code will improve significantly. What if you focus on getting your administrators to harden their build environments? Yes, it won't stop stupid user behaviour - but it will help harden your environments.

We need to start picking the battles we can win, one day at a time.

How can you tell if you are on the winning side? Here's a simple test - if you're relying on your users to be secure by having a solid education and policy in place but lack controls to detect or enforce them, then you are doing it wrong.

I've spent massive amounts of time trying to educate users through massive education campaigns on the do's and don'ts of computer security. While I was proud of the work I've done in that space, I can honestly say now that those efforts were misguided and misspent. I could pick far better targets where that time and energy would be better spent.

What everyone else does wrong

This comes down to one simple axiom - people screw up because they don't know any better. Or perhaps, don't want to know any better.

Let's talk about programmers (hey, they're easy to bash on). They are often flogged to churn out functioning code in short sprints, regardless of other factors. So it's often quite natural that security doesn't make the cut. Meeting deadlines, stability, functionality, interoperability - these are the true principles of today's programmer. Can we blame them? No - not at all. They have the same uncaring masters we do. Security isn't prioritised. And much like the user, they aren't given proper alternatives. So, to summarise - they aren't educated on security matters, they are rushed and they are often given unreasonable alternatives.

Let's digress for a sec and take a quick peek at four comp sci undergraduate degrees. I say comp sci because, for this purpose, I want to compare apples with apples. And these were picked off the top of my head, btw:

RMIT, University of Melbourne, Monash, Latrobe.

Not one of them offers a compulsory security unit for any of the bachelor degrees! (Although there are some standouts, let's be clear that NONE of them offer a mandatory security unit.)

It is no wonder why developers are churning out insecure code. We shouldn't be blaming them, we need to blame the institutions responsible for qualifying them. As a profession we need to be more involved in the education sector and stress that these fundamental skill shortages are addressed.

Similar sob stories exist for the business stakeholders out there, the project managers and the like. They are paid to get a job done, on time, on budget (or less if they can!). Quality is often a negligible factor in whether they are deemed successful. Security is barely a blip on the radar of many of them. It is hard to get them to care when they are paid not to. If you're successful at engaging, can obtain early buy-in, organisational support and embed your own processes into a project to minimise all burdens on a project and come in on time and early (thus help the PM to be successful) you might be able to win the battle.

Again, for the operations managers. They're often there to keep the ship afloat. Uptime is more important than security. Unless you have an operations manager with an ounce of security savvy, it's hard to get them to justify applying a patch if it means downtime to core production hosts. I've heard absolute horror stories of infrastructure operations managers who refused to apply patches for fear of causing downtime. Those same patches they chose not to apply allowed Conficker onto their network. I think a lot of us have heard similar war stories.

But yes, Mark Curphey/Al Gore hit the nail on the head here.

So where to from here?

Honestly, this is a failing on our profession.

We talk about raising security education and awareness. I'm a big believer in it. However, our efforts are misguided. Nobody tells us how/where to spend the time and energy, so we learn by trial and error. It's time to stop wasting our time and start chalking up wins on the board.

We do know better. We have no excuses.

- J.

Two Hacking Videos

Two hacking videos that everyone should see. If you are not an infosec professional you should definitely watch these.

For those reading who are, pass these videos onto your friends and family. The lessons and stories here must be told.

Four Corners special - 'Chinese Whispers'

Hackers In Wonderland

- J.

PS: This will segue nicely into my next few Wall of Shame posts.

Monday, April 19, 2010

Lessons from Enterprise Architects.

I think all security professionals could learn a lesson or three from enterprise architects.

By becoming the stick more often than the carrot, we've become little more than cost centres and barriers to business, which means we get bypassed.

A proven alignment with business strategy generates more revenue and spending on an entire enterprise environment than alignment with risk management. Has anyone bothered to ask why is that?

Don't get me wrong, I think an understanding of risk is crucial to understanding what it is the business is facing when it chooses to accept a risk or apply mitigating controls that do not adequately address the root cause. But I do think focusing on shared objectives and business/IT alignment would help our cause a lot more often.

On the subject of risk, I was chatting to my manager today about why I hate risk management. This post by Richard Bejtlich just reminded me of it, in a way. We build our entire discipline around the art of risk management (and it is more art than science because we really do lack any data to make truly informed decisions). We advise people against entire decisions which could bring numerous benefits to the table (taking security out of the equation for a moment) with little more than unsubstantiated opinion, and we wonder why security rarely gets the budgets (or respect) it deserves.

On a related note, I recently saw a video on TOGAF 9 (an IT architecture framework). This video is very long (90min) but as someone still new to IT architecture frameworks, I found it amazing. No, seriously - it was amazing. Craig Martin's eloquence, depth of subject matter expertise and his ability to clearly articulate issues I've encountered in my travels and how EA has solutions - or at least the tools - to deal with them, literally floored me. I've shown this video to at least one other co-worker who was similarly impressed.

Seriously - if you work in information security, you need to start paying attention to enterprise architects. There are definite lessons to learn.

- J.

Wednesday, April 14, 2010

Book Review: Beautiful Security

It has been said there are two types of education - content expanding and context expanding. Content expanding is about acquiring a skill, knowledge, technical aptitude in order to carry out a task. Context expanding doesn't provide you with a specific skill so much as it allows you to apply what you already know to a broader number of situations. Beautiful Security falls into the latter category.

The book is a collection of stories from some of the true thought leaders of the industry. Some of them are war stories from the trenches, some of them are simply lessons the authors wish to impart, but all of them are intended to convey to the reader a sense of how security can, in fact, be beautiful. For those who sit outside of the industry, I think it is a good glimpse of the beauty we practitioners see when good security practices come together, and which a great deal of the time we take for granted.

What makes it difficult to review is that so many of the stories appealed to me. Some of them (Ch. 1, 3, 5, 10, 11) made me look at old problems in a new light. Most of them (Ch. 2, 4, 6, 8, 9, 10, 12, 13, 14, 16) I found educational but largely aimed at those coming into this book with no security experience (or perhaps specialists with a less broad focus).

I would like to draw particular attention to Chapters 5, 9, 13 and 15, done by Ed Bellis, Mark Curphey, Dr. Chuvakin and Peter Wayner respectively. In particular, the content in these chapters is something I'm quite familiar with for the most part. However, I was particularly impressed by the manner in which they conveyed their points. I hope that the reader sits back and considers the message, googles their names (if they have never heard of them) and truly gets a sense of the depth of their experience. In doing so, hopefully, the reader will give more serious consideration to how these lessons can be applied to their own lives. This could be owing to my own experiences and particular interest in security architecture, so I must admit my bias - but nevertheless, I do think many security folk have tunnel vision and often neglect to see the wider sphere in which they operate.

I realise I have skipped a chapter. Where is Chapter 7? Alas, this chapter was the only downer for me - and it was a big one, given the authors were Phil Zimmermann and Jon Callas. This chapter was basically a history piece, discussing PGP and explaining the concept of the web of trust. I'd like to be impartial and state that I'm sure this is an example of a chapter that was intended for those who do not work in information security and, as such, have no concept of the web of trust. That said, this chapter was so painful to read, so dry, that it failed utterly in its ability to convey anything beautiful about cryptography, let alone security (in fact, I think Mark Curphey did a much better job just touching on it when he explained how the ancient Egyptians used scytales on page 148). In fact, I found this chapter so badly written it soured my view of the book completely - to the degree that I must suggest experienced infosec professionals simply skip it.

I don't want to belabour the point - but it soured my view so utterly, it forced me to consider just what message O'Reilly sent to the prospective authors when proposing they write a piece on information security. All of the authors, in their own unique way, were able to articulate their point and relate it back to what they found beautiful about security (or at least a specific scenario). Phil and Jon couldn't even achieve that. I'm sorry guys, but that's a Fail.

Do I think the book was worth it? Well, yes, it was given to me for free (thanks O'Reilly!). But yes, I would pay money for it. I think the book has real value for anyone. Heck, I could probably give it to my mother to get an inkling of what I do. For the most part it is a reasonably easy digest. My honest hope is that prospective practitioners, perhaps fledgling uni students or high school students, will pick up the book and glean something that will inspire them to enter the field. Truth is, I wish I had more books like this when I knew this was the industry I wanted to work in.

Rating: 8.5/10

- J.

Monday, April 12, 2010

More on PDF vulnerabilities

I wanted to draw attention to this article.

It's worth noting that even with the precautions of disabling JavaScript and disabling the execution of non-PDF file attachments, there is a (theoretical) risk that a malicious PDF could alter other PDFs using the incremental update feature. This is a growing area of interest for many security researchers and, what's more, it is only on the increase.
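A structural triage check for the incremental update case, as an added example that is not code from the article or from Adobe: it builds a constructed two-revision PDF (the xref byte offsets are placeholders, since only markers are read) and reports how many revisions the file carries, how many `/Prev` links chain them, and in which revision each risky name first appears. Treat it as triage only: `%%EOF` can legitimately occur inside stream data and linearized files carry two xref sections, so a second revision is a prompt to look closer, not a verdict.

```python
import re

# Constructed sample, not a document from the post: a minimal one-page PDF
# followed by one incremental update. The xref byte offsets are placeholders;
# the scanner below reads structural markers only and never resolves them.
BASE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
xref
0 4
0000000000 65535 f
0000000009 00000 n
0000000058 00000 n
0000000115 00000 n
trailer
<< /Size 4 /Root 1 0 R >>
startxref
190
%%EOF
"""

# The appended update redefines the catalog (object 1) to add an /OpenAction
# that runs JavaScript, and chains to the old xref via /Prev. Nothing in the
# original bytes changes; a reader that follows /Prev sees the new catalog.
INCREMENTAL_UPDATE = b"""1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
4 0 obj
<< /S /JavaScript /JS (app.alert('constructed sample')) >>
endobj
xref
0 1
0000000000 65535 f
1 1
0000000300 00000 n
4 1
0000000360 00000 n
trailer
<< /Size 5 /Root 1 0 R /Prev 190 >>
startxref
420
%%EOF
"""

UPDATED_PDF = BASE_PDF + INCREMENTAL_UPDATE

# Names worth flagging: script execution, auto-run actions, program launch
# and attachments. \b keeps /JS from matching inside /JavaScript and so on.
RISKY = [
    ("JavaScript", rb"/JavaScript\b"),
    ("JS", rb"/JS\b"),
    ("OpenAction", rb"/OpenAction\b"),
    ("AA", rb"/AA\b"),
    ("Launch", rb"/Launch\b"),
    ("EmbeddedFile", rb"/EmbeddedFile\b"),
]


def revisions(data: bytes) -> list:
    """Split a file into its revisions, one per %%EOF marker. Caveat: %%EOF
    inside stream data or a linearization hint section also splits here."""
    return [part for part in data.split(b"%%EOF") if part.strip()]


def scan_pdf(data: bytes) -> dict:
    """Report revision count, number of /Prev links, and for each risky name
    its total hits and the revision it first appears in (1 = original body)."""
    revs = revisions(data)
    findings = {}
    for name, pattern in RISKY:
        total, first = 0, None
        for idx, rev in enumerate(revs, start=1):
            hits = len(re.findall(pattern, rev))
            if hits and first is None:
                first = idx
            total += hits
        if total:
            findings[name] = {"count": total, "revision": first}
    return {
        "revisions": len(revs),
        "incremental_updates": len(re.findall(rb"/Prev\s+\d+", data)),
        "findings": findings,
    }


def risky_content_added_later(report: dict) -> bool:
    """True when a flagged name first appears in a revision after the first:
    the shape of a benign document altered by a later append."""
    return any(f["revision"] > 1 for f in report["findings"].values())


if __name__ == "__main__":
    for label, doc in (("original", BASE_PDF), ("with update", UPDATED_PDF)):
        rep = scan_pdf(doc)
        print(label, rep, "added later:", risky_content_added_later(rep))
```

Run against a directory of PDFs, the useful signal is not "contains JavaScript" on its own but "the JavaScript lives in a revision that was appended after the document was first written", which is exactly what an incremental-update tamper looks like and what a signature over the original revision would not cover.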

I agree with the original article's lamentation - why can't Adobe just stick to producing simple bloody documents?!? They used to do this so well. I swear to god - their offices must be lined with developers and architects just smoking crack and talking about what awesome features they'd like to embed in their products without any regard for other design or functional considerations! (ok, sorry for the vitriol - I'll get off my soapbox now).

I know there's a lot of love for Adobe and their work, and I've seen a lot of praise from the security industry pundits for their swift response to these issues. My question is - why are we having to deal with this in the first place? Seriously, why not just keep PDF as a simple, open document format and have all this other featureware bloat bundled into the commercial version of the application? Why is JavaScript even required?

I know that the incremental update feature is inherent to the PDF standard - so I can cut some slack that this is a genuine mistake. But when I look at the JavaScript feature (still on by default as of version 9, if I recall) I just think "they still don't get it". Maybe I'm just channelling Schneier a bit too much ("You're doing it wrong!"). While Adobe have done what they can at this point, we're talking about fundamental issues not just with their software but with the standard. Regrettably, this is a problem that is not going to go away any time soon.

Checking out the talks from CanSecWest this year, I dearly wish I had the time to start doing some serious fuzzing of Adobe Acrobat Reader and playing around with the PDF format. I think this is an exciting space to be getting your hands dirty in.

- J.

Responsible Disclosure: Part 2

I've touched on responsible disclosure of security vulnerabilities in the past but this got me thinking - when is it right to disclose a security vulnerability?

I think this is a prime example of a) when to disclose b) when to consider evaluating other vendors.

Literally, why is this even controversial? If a vendor is that lame when it comes to acknowledging security bugs, it highlights a complete lack of awareness, internal process for getting these things fixed and more it indicates a shameful attitude the vendor takes towards security. Even if they fix this bug (after you publicly disclose it) then why wouldn't you consider moving towards a competing product?

I've found myself in a similar situation in the past. FWIW, I've had senior management agree that public disclosure is the acceptable path if the vendor refuses to fix security bugs. It's definitely doable, you just need to be clear on your motives. It's not about getting the glory of the find at that point, its about fixing the vulnerabilities within your organisation and doing your job as best as you can.

Oh, and you also want to be damn sure you have something to mitigate the finding in the interim (or otherwise accept the interim risk until it is fixed).

- J.

Sunday, April 11, 2010

Trends in InfoSec for 2010

I probably should have done this earlier in the year but I figure I'll stake my turf and make a few calls right now for the next 12 months.

What are the hot areas of movement for information security? What do I predict will be key areas of growth and potential spending? I've read some books and blogs on this stuff recently and I find myself either nodding in agreement or shaking my head.

In no particular order, here's mine:


1. Cloud Computing
Unless you've had your head in the sand for two+ years, you've heard of cloud computing by now. Apart from the obvious issues of cloud usage, I believe the bulk of spending for cloud will be on security consulting - risk assessment, assurance services, architecture. I suspect within this time, standards, compliance benchmarks and laws will start to emerge to help formalise key expectations and requirements on cloud usage. This means potential cloud clients will be spending, likewise CSPs will be looking for assistance. The demands put on them will only increase as the market demands a more mature offering.

I admit it may be a stretch to say that laws will be passed within 12 months for a specific technology - but I will go so far as to say that you will see something along those lines or at least calls or proposals for them. I think something more formal may come of the Cloud Security Alliance and ISACA alliance but that really is just a hunch.

2. Mobiles
iPhones, iPads, Androids, the new Nokias, notebooks, etc., the list goes on. The ubiquity and pervasiveness of mobile technologies has never been greater and with it the need for data portability and therefore, security. The Rickrolled iPhones are the tip of the iceberg. Let's face it, Windows was - and still is - the primary target for malware, largely owing to its popularity. iPhone malware is coming. Everyone thinks Apple are somehow magically immune to security bugs and I think people are in for a rude awakening as the line between mobile phones and personal computers is heavily blurred. Also consider the number of applications being developed for iPhones. This potentially opens the proverbial can of worms. After all, your PC doesn't follow you everywhere, have GPS, or a microphone that could be used to listen in on your daily conversations, let alone all your phone calls, or rifle through your contacts, email and banking details whether you access them via the phone or the Internet!

Initially at least, I imagine it will be consulting where the money will be spent - e.g. whether companies should evaluate their mobile usage policies, what controls can be embedded into the devices (e.g. tracking, remote wipe), more conventional technologies (data encryption), etc. I'm not heavily involved in the vendor side, but I would expect they would be conducting lots of testing to determine inherent weaknesses in their designs. Within the next few years, I guarantee you this area will grow into a mainstream domain of its own within information security. This segues nicely into my next point...

3. Application Security
I'm talking more about the Australian market now. Big Aussie institutions have been more aware of the need for application security for some time and have been getting smarter over the past few years (although we definitely lagged behind many countries). But far too many people remain largely ignorant. For organisations relatively immature in the appsec space, I expect we will see an awakening.

For the more mature ones (e.g banks) it will become more of streamlining processes, evaluating key areas of risk for enhancing already robust application development and testing procedures. Examples - application developer training, appsec metrics, static code analysis tools and vendor bake-offs, etc. If you work in the space and are reading, I'd love to know more about your thoughts on appsec metrics and just how many people are trying to put some measures on the effectiveness of application security. If you're developing payment applications and have to comply with PA-DSS, this is a no brainer too.

4. Contractual Obligations
Between SOX, HIPAA, various ISO standards, PCI-DSS, etc, everyone and their dog it seems has to be compliant with some piece of legislation or standard. This means more and more people are realising the need to be crystal clear in their expectations of their service providers, trusted partners, downstream clients, etc. Security requirements will be firmly embedded into these contracts. Conversely this will create top-down awareness in business stakeholders, which will drive the spending on information security. This has happened more in the US for some time, given the compliance driven market conditions however it is already trickling into the Australian arena. Our laissez-faire approach to contracts and compliance is starting to come to an end IMHO.


5. Managed Services
I've often wondered why people don't just ride the veritable cashcow of managed services. I imagine outsourced security monitoring could be one awesome, easy-to-deliver service that makes a perfect example for managed services. Security operations requires teams of staff, ideally around the clock, a strong technical capability to distil potential threats from various sources, keeping the defences up to date, as well as staying abreast of arising threats. The overhead in managing all this is actually a very high cost. Conversely, as a managed service, the cost of doing this actually scales quite well.

If you wanted to do your own startup, you should investigate this. In a world still recovering from the GFC, and even in Australia, where we weren't hit as hard as the rest of the world, companies are still looking to cut their spending. The ability to outsource even some of their monitoring, if not all of it, could be quite enticing to companies looking to shed some of their OPEX burden.

6. Training 
We are at a moment in time when information security is in strong demand yet the number of actually skilled staff available is quite low. For those looking to break into infosec, they will pay for that training, out of their own pocket if they have to. This is a no brainer. Conversely, skilled staff will want to stay current and continue to push for training relevant to their role. If companies won't pay for their upskilling, chances are they will jump to find those who will. Or they will pay for it themselves and then quit anyway. In cases where the responsibility must be delegated onto a staffer with an existing role, then those staff will most likely need to be upskilled accordingly.

If you maintain infosec staff in house, then you better be training your staff and keeping them happy campers because right now, the market is hot and for experienced staff they can take their pick of the jobs they want and practically name their price - because the alternative is to try and import the talent and that often comes at a significant cost. And even then, the pickings are slim (and no, I'm not just making this up either).

Anyway, that's it for me. I'd love to hear back with insights from other infosec professionals reading.

- J.

Thursday, April 8, 2010

Stop whining!

I'd like to take a moment from my regular broadcast to tip my hat to the people out there who aren't content to sit back and take life's knocks on the chin and actively seek to improve their lot in life. These are the people who are brave enough to take life by the balls and make something of it. They want either better work-life balance, more money, more skills, education, make the world safer, etc. They aren't content with second best and demand more from themselves. They kick themselves when they make mistakes and try to learn from past errors. The real smart ones try to learn from the mistakes of others too.

These are the people that make the world turn. These people are the rainmakers, the visionaries, the 'go-getters' of the world. The world is full of too many people who are short-sighted and think only of themselves and today, and not of tomorrow or of those who have to support the legacy of today.

I commend you people as you are the ones who hold the candle for a brighter, better tomorrow. You know who are. You lead by example and you inspire those around you - whether you're aware of it or not.

To those who don't, who meekly accept their paycheck along with whatever else fate sends their way - you people need to take a good long hard look at yourselves and evaluate if you're going forwards, sideways or backwards. You then need to consider where you're going and whether or not you are actually helping society. If you're not contributing, I'd like to say thank you - because you make it easier for those of us who actually try to make a difference to stand out from amongst the crowd for doing nothing more than staying true to our principles and to ourselves. To those of you who only try to save face and protect your own rep, karma will pay its own justice to you in the fullness of time. But even so, she's not so harsh a mistress that she will ever turn down a chance to make a difference.

If you're thinking you are hindering but want to change, try rocking the boat sometime. Don't accept mediocrity. Stand up for your principles. Don't take shit lying down. And for those times when you truly cannot fight the tide, get a lifeboat and get the hell out of there.

Life is too short to settle for second best.

- J.