Wednesday, September 29, 2010

EMET for the win

Relatively recently (well, given my lapse in posting at least) Microsoft have scored a big win with the release of their EMET tool (Enhanced Mitigation Experience Toolkit) against some of the Adobe 0-days flying around. For anyone running a Windows based OS, I strongly recommend having a play around with this tool. I was testing it on a Windows 7 host but it will work on Vista, Windows XP (SP3+) and Windows Server 2003 and beyond. This tool enables users to apply DEP and ASLR to multiple applications, including legacy applications, effectively acting as a 'wrapper' (for want of a better term). Having tried this tool out I must say I am very impressed. It is easy to use and deploy, with minimal hiccups.

One quirk that is worth noting is that if you are running BitLocker (as I was on my W7 build) then after applying EMET, every reboot will prompt you for your recovery keys. The solution is to suspend BitLocker, reboot, then unsuspend BitLocker (thanks to my co-worker Ed Luck for finding this fix and for putting me onto this tool).

I think this should be in the arsenal of every Windows system admin out there. Virtually every enterprise is running these operating systems and most of them have easy methods of deploying this. Even if you were to only ensure the core applications were protected (stuff like Office applications, browsers, Adobe and so on) you would knock on the head a good portion of the 'highly targeted' applications.
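As an added example (not from the post, and not part of Microsoft's EMET), here is a Python check of the two PE header bits EMET forces on for you: whether an executable was linked with /DYNAMICBASE (ASLR opt-in) and /NXCOMPAT (DEP opt-in). The flag values are the standard IMAGE_DLLCHARACTERISTICS constants from the PE/COFF spec; the sample headers are constructed inside the script so it runs offline.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF spec (winnt.h)
DYNAMIC_BASE = 0x0040  # linker opted in to ASLR (/DYNAMICBASE)
NX_COMPAT = 0x0100     # linker opted in to DEP (/NXCOMPAT)


def pe_mitigation_flags(data: bytes) -> dict:
    """Report which of DEP/ASLR a PE image opts into via its optional header.

    An image that reports False is exactly what EMET's per-application
    wrapping is for: without the opt-in bit Windows leaves it unrandomised
    or without NX, so the mitigation has to be forced on from outside."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) ...
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B) or opt_size < 72:
        raise ValueError("unrecognised optional header")
    # DllCharacteristics is at offset 70 in both the PE32 and PE32+ layouts
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "pe32plus": magic == 0x20B,
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "dep": bool(dll_chars & NX_COMPAT),
    }


def needs_emet(data: bytes) -> bool:
    """True when the image lacks either opt-in, i.e. is a wrapping candidate."""
    flags = pe_mitigation_flags(data)
    return not (flags["aslr"] and flags["dep"])


def make_stub_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (not a real binary) so this runs offline."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature follows DOS header
    opt_size = 0xF0 if pe32plus else 0xE0
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    legacy = make_stub_pe(0)  # constructed stand-in for a pre-/DYNAMICBASE build
    modern = make_stub_pe(DYNAMIC_BASE | NX_COMPAT, pe32plus=True)
    for name, img in (("legacy.exe", legacy), ("modern.exe", modern)):
        print(name, pe_mitigation_flags(img), "needs EMET" if needs_emet(img) else "opted in")
```

To inventory real binaries, feed the file bytes of each EXE/DLL to `needs_emet`; the ones that come back True are the legacy images the post is talking about.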

NOTE: ASLR + DEP is not a panacea for all your ills. Examples of defeating both are documented and widely known in the right circles.

That said, in terms of reducing the attack landscape Microsoft are continuing to push the boundaries and make it increasingly more difficult for exploits to work.

Kudos to Microsoft for the good work.

- J.

Sunday, September 12, 2010

Dimension Data Are Now Hiring

To anyone reading, Dimension Data is in the process of building up its security practice. At present we're looking for a senior penetration tester, or a pentester looking to step up into a leadership role within a security practice.

You must be proficient with infrastructure penetration testing, web applications and code review. We're not interested in someone that can only do web applications; you must be capable with almost any sort of technical challenge. Solid reverse engineering skills would be highly desirable as well (can you pull apart Java thick clients or Flash/Silverlight applications?). As you can see we're looking for someone with very broad yet very in-depth technical skills.

For this role it isn't sufficient to be a l33t h4x0r -- we're looking for someone who has excellent soft skills and a positive attitude to match (speaking for myself, we've got a very strong, very positive team and maintaining that environment is something we really pride ourselves on). For this role we're looking for someone who can act as a senior consultant and can also act as a thought leader and mentor for junior pentesters, and who can clearly articulate technical risk to the clients in terms they can relate to and place it within context.

This role is an important role within the practice and definitely not one that any pentester can fill. But if you think you have the right combination of technical and soft skills, please hit me up. Happy to have an informal chat first if you prefer.

Also, I cannot state with any certainty (as this is outside my realm) but Dimension Data do have a history of sponsoring work visas for the right people with the right skills. Given that the Melbourne market is quite tight at the moment I think there is a strong chance that we could sponsor the right person for this role. I would happily help drive this internally for the right person.

So if there are any experienced pentesters reading from overseas who'd like to work in Australia, hit me up! Send me a message via LinkedIn or Twitter if you're interested, and we'll go from there.

I haven't got a job advertisement handy but I'll see if I can find one and add it here.


- J.

Monday, September 6, 2010

Why I Don't Like Time & Materials Gigs (T&M).

Before I became a consultant I had no idea what the hell T&M was. Why should I - I'd never worked contract before? Even when I hired consultants it was always fixed price engagements with clearly defined scopes (well - as clear as they could be!). Now I know what it is and I have to say, I am not a fan.

Now I'm not as militant as some of my peers on this issue. I am sure there are times when there are legitimate needs for T&M staff. However, I am opposed to T&M for consultants.

Normally when a T&M gig is sold, whoever is responsible for the pre-sales, qualifying the opportunity, the scoping, etc, determines what the client's problem is. This affects the service that is delivered or sold. Now what winds up actually being sold can really vary. It's up to the client to clearly articulate the problem. But more importantly, it's up to whoever is doing the pre-sales on the consulting side to really listen to the client and try to truly determine their needs and provide the best service to meet that need. Sometimes that aligns to a pre-defined service offering, meaning it's a nice checkbox deal for the consulting company (yay!). Other times, the client has an unusual problem or dilemma which often means that the individual doing the pre-sales needs to go off the beaten track.

Now this is where things go a bit pear shaped.

What SHOULD happen is that if a consultant is required, the person doing the pre-sales should pin the client down on their exact problem, define the problem, what is the solution the consultancy will provide and the expected deliverable the client will get at the end of the engagement. As part of this, a timeframe should be provided when the deliverable can be expected. The consultant responsible for the proposal needs to allow sufficient timeframe for the consultant to provide the deliverable. Now all this is as dependent on the skill of the consultant to negotiate and listen as it is for the client to articulate their needs (so a lot can go wrong on both sides of the fence here - if you follow me).

What OFTEN happens is a T&M engagement is sold.

There are a number of reasons why a T&M gig gets sold (and don't get me wrong, it isn't difficult to see why they happen - but that doesn't mean I excuse it):
  • The client can be difficult articulating their needs,
  • The consultant can't be bothered with the pre-sales/scoping,
  • The consultant honestly can't tell what the client wants,
  • Either the client and/or the consultant aren't sure how long the engagement will go for,
  • The client has an immediate staffing shortage and knows there is some urgent work required but not sure how much (e.g. when staff leave and there is no hand over, aka. bodyshopping),
  • The client has problems with the finance/billing angle for fixed price gigs (e.g. budget oversight/lack of authority).
The last example was a real eye-opener for me - and I'm not just talking because they didn't have purchase authority. I have witnessed instances where the client was supposed to have already completed the work but didn't - and because they couldn't get purchase authority for a statement of work (where the deliverable would be in print that it was for work that should have been completed) a T&M gig was sold. Very dodgy indeed - but I digress.

My main reasons for not liking T&M however are for these reasons:
  • A consultant may not possess the right skills for the job (they might be ABLE to, but they might not be the best FIT),
  • A client can change the scope on the consultant (because there is no scope - at least nothing concrete),
  • There is no duration (which means the gig can potentially go on indefinitely),
  • The deliverable is not clear (so the client may not be happy with the output, likewise the consultant isn't sure of what to provide),
  • It just reeks of lazy scoping or justification (like the above example),
  • There is no protection for the client, consultancy or especially the consultant on-site.
But the bottom line is this:

I have yet to see a T&M job for a consultant that couldn't be defined as a fixed price gig. Not one.

To make this all worse, a consultancy may have no interest in ending a T&M gig, because usually the consultant will be pimped out at a good daily rate and even if the rate is discounted, so long as the opportunity cost is not extreme, then it's all good as they can maintain their utilisation. Likewise, a client may not want to end a T&M gig either, especially if they're using the consultant as backfill or in lieu of hiring a full time employee or contractor. Should this scenario occur, then it is the consultant who might be left to struggle to meet the client's need (should the scope change, expectations change, duration change, etc).

Compounding this again, if the scope changes and the consultant struggles to meet the client's needs, the client can build the perception that the consultant is squandering their time, twiddling their thumbs. While the consultant could be (in some cases, if they're crap), let's assume he/she isn't crap. They might be stuck there because they're having problems with moving goal posts, staff not handing them the information they need, multiple distractions because the scope has widened, etc. This can leave the client with a very bad impression of the consultancy and their ability to deliver. If this should happen, it can jeopardise the consultancy's reputation!

Now when I am on-site, I am there as Jarrod Loidl. I might be working for Dimension Data but at the end of the day, it is me there doing the work. So if the client winds up with a bad perception of my work and it's because I don't understand what I am expected to do, or the goal posts change, then that affects my professional reputation as much as it does Dimension Data's. This is a small world and an even smaller industry and local market where everyone knows everyone. You burn a bridge today - intentionally or not - and you never know how it may come back and bite you. More than that, however, I actually take pride in my work. I would hate for a client to ever think that of me. So the best way I know how to assure the client a high level of service is to tell them what they will get, when they will get it and how I will go about delivering it. Ergo - a fixed price engagement.

In short, in order for a consultant to provide the best service to the client, the scope must be defined, the duration clearly stated, the work to be performed understood and the deliverable clearly articulated. This ensures that the client receives the highest quality of work from the most qualified resource available for the best price. It protects the client. It also protects the consultancy.

To summarise:
  • If you're a client in need of a consultant, don't settle for T&M. Don't ask for it. Don't accept it.
  • If you're a consultant, DON'T SELL IT! Define the problem, solution, deliverable and duration. Do the hard yakka upfront.

- J.

EDIT: I should postscript this...
Firstly, if you decide to do T&M, that's your decision. But at least call a spade a spade and acknowledge that the practice is bodyshopping.
Secondly, this is something I just found today and I think everyone should read it: "No One Nos: Learning to Say No to Bad Ideas". This is something everyone should do more in the workplace IMHO.

Sunday, September 5, 2010

Security in the media - truth versus reality

Recently Dimension Data have been presenting on a number of topics learned from Black Hat and Defcon, with particular emphasis on social media as well as mobile phone security.

I recently delivered the Sydney talk with a colleague doing the Melbourne one, with more on the way in other states. Now what I enjoyed about this talk was that we were able to discuss attacks, either demonstrated or theoretical, based on known weaknesses and how simple they were to exploit. The defensive strategies were where things got really complicated because they involve a number of serious issues.

For example - what is a "secure" use of social media in the workplace, or better phrased, what is an "appropriate" use of social media in the workplace? If you ban it in the workplace, you can't ban it outside of the office. If that's the case, then how do you secure your employees against threats ranging from phishing attacks to targeted malware and the latest buzzword "APT" (Advanced Persistent Threat)?

Mobile security is equally bad. The technology is evolving and spreading faster than our ability to secure it. The desire to go to market means that factors like usability and client experience trump security, every time. Past lessons have been ignored, or it is assumed that mobiles are somehow immune to the security threats that affect our desktops, servers and notebooks daily.

Without going into too much detail (or belabouring the whole APT thing), these are complex issues with no easy answer, largely dependent on a number of variables: an organisation's risk appetite, company culture (open vs. closed, trusting vs. untrusting), degree of secrecy required, how connected they are to the outside world, staff mobility, etc. And that's just off the top of my head.

However, while we love to talk about stuff like these issues, cloud, etc, it's interesting that so few people really talk about the fundamentals. The Wall of Shame series discusses these fundamentals and highlights their failures. Yet you rarely hear about how people get owned due to ignoring the basics. Media focuses on sensational stories that sell. CIOs want to read about cloud security because they're looking at cutting costs by eliminating data centres. They do not want to read how their patch management program is failing because application owners are risk accepting not patching their environment and jerking around their sysadmins by refusing all maintenance windows. Or that their new vulnerability management system is a waste of money because it spits out reports that aren't actioned.

Unfortunately, this is often what security comes down to.

Working in information security is not always fun, sexy, interesting or glamorous. In fact, it can be - and often is - dry, tedious, boring and often stressful.
(Caveat: what follows is a description of what it is like working in infosec for the uninitiated. For people who think it's all about penetration testing, vulnerability research and exploit development, read on at your own discretion).
  • Imagine sitting in meeting rooms, having "spirited discussions" with application owners, system admins, business analysts, project managers, line managers, software developers and auditors, and convincing them why they need to perform data validation on a web application during development, why the sunk cost is necessary and also why you need a stack of cash to perform penetration testing.
  • It means reviewing SIEM logs, addressing false alarms by hunting down the root cause and fixing the bloody problem as opposed to creating a filter to ignore the white noise. So unless you work in a place where you have admin rights on everything, this often means talking with the appropriate techie, raising a change request, going through a lot of red tape for a 5min change.
  • It means reading vulnerability reports and actually getting them fixed. Talking to the asset owner, making them accountable, raising it in the risk register and getting it recorded, ensuring they get it fixed within a mutually agreeable timeframe that doesn't fall outside of the next six months.
  • It means reviewing the patching process and explaining to people why not patching Flash, Reader and Java represents massive security risks. If you somehow convince people that this is a serious enough priority for the business (good luck with that) then you have to explore technology options that will enable you to patch all these applications, the processes by which this will be achieved, who will do it and how to minimise outages and business impact, etc.
  • It means creating policies, procedures and standards that people can read, understand and work with and reviewing them regularly. It means satisfying the right stakeholders and getting the right buy-in from execs to endorse it. And if the policies are broken/not working, having the sense of mind to honestly critique them and evaluate whether the policy/process is flawed or whether people are just being too lazy and not adhering to it.
This is the stuff you won't see in films or read in the news yet it is a good chunk of what happens every day. Moreover it is these battles that are the ones most infosec staff struggle with, the ones which are the most important and sadly the ones that get the least coverage. The media is always so concerned with the latest threat, hack, exploit, terminology or technological trend. And this isn't unwarranted or without understanding.

I guess what is disappointing is that we don't spend enough time on these basics. If you get your detection capabilities right and your basic patching and vulnerability management processes up, you have a lot more time to devote to the more 'interesting' parts of security.

I used to love reading a lot of bodybuilding magazines growing up, and in retrospect, I now find it hilarious reading about 'shock' programs designed to add 2 inches to your biceps in a month or some crap. What isn't drilled in enough is that people need to clean up their diets to get the results they need. Instead they'll interview some steroid laden Olympian frontrunner and ask about his routine. Said Olympian presents an incredible program which will cause overtraining in no time for the average reader, because they're ignoring the fact that this guy had his diet micromanaged for years prior to even touching steroids, takes an afternoon nap to aid recovery and then is juicing like a madman to facilitate even more rapid recovery.

While I am not excusing or condoning that behaviour, I am making the point that these are people who have mastered the basics in their field. These magazines would be more effective from a training view point if they interviewed bodybuilders and asked them how they managed their diets, how they prepared their meals, how they cook, how they deal with the temptation to cheat, how they deal with restaurants, etc. Whether they would be commercially viable is another point entirely.

As a consultant, I'm finding more often than not, I'm called in to evaluate a particular project, design, issue, etc, and the threats that the client is concerned with are insignificant compared with the real threats that are there, clear and present. I think this myopic view comes from seeing the issue for so long that your mind tunes it out. In these instances I simply point out the white elephant which is being ignored and remind them that they have bigger problems. Helping to put some context around this and prioritising threats is one of the fun parts of the job.

I think one of the reasons I haven't blogged for awhile, isn't so much due to a lack of passion or time (although the time factor has certainly been there!) but rather that the more I look, the more I see it is these same basics which need tending to. I don't see a deep mystery with it for the most part. It just seems more and more like common sense - which is often in short supply.

I guess in many ways I see the media playing a role in not addressing them. It would be nice to see journalists being more responsible here. There are some journalists I used to follow quite closely because I thought they were authoritative, informative and interesting. Now I am a little more discerning with my time.

I can see why these same fundamentals are not attractive to the media or its readership. The truth hurts after all. But it would be nice once in a while if journalists did a post incident review using root cause analysis. You could still get the scoop as well as intrigue your readers and maybe educate them at the same time. I certainly see this responsibility as one that should lie predominantly with media outlets, journalists and publications that pride themselves on being "security journalists" or targeting "security professionals".

I don't expect journalists to try and change the world, I'm just talking about journalists aiming to do a better job of reporting facts and educating readers rather than using FUD to increase readership. Is that too much to ask?

- J.