Infosec

This is a post that has had me thinking for the longest of whiles, and eventually I decided to put the proverbial pen to paper…sort of. See, I’ve reached a point where I wonder, when do we stop bothering with something? When do we stop trying to be the change we want to see in the world?

Let’s take an incident a few months ago. We entered a 4×4 Community competition, with my wife driving and me playing navigator. The rules were strict: in some obstacles, the navigator was allowed to walk outside of the vehicle and guide the driver, but at no point were the roles allowed to be swopped, i.e. the driver not driving the vehicle.

Come the prize-giving, and a certain lady ends up in second place, with my wife 4th. So we accept the points, but later, while looking at pictures of the event, we see this very lady walking outside the vehicle, with her husband / boyfriend / male friend driving the vehicle. When I queried it publicly on the thread with the organiser I didn’t get an answer (since a disqualification would have moved us into 3rd). The other contestants made remarks of “the vehicle wasn’t capable, the driver wasn’t capable” or even said we’re just sour grapes. Right up to today, I have yet to get an answer. So, it kind of left a sour taste in our collective mouths about competitions and how they are run. One might think this is an isolated incident, but it reminds me of a scenario I found myself in years ago.

I was competitively cycling in the Pedal Power Association’s Sub-Veterans League. Yet I was always upset about how the races were run etc., until I was told to put my money where my mouth is, and I got onto the ‘league sub-committee’. It went quite well and we did make a difference in a race or two, until Malmesbury. See, the head of the committee (let’s call him Frikkie) was second in the points standings for the 40 – 49 group. That particular weekend was the Cape Epic race. Suddenly, on the Friday afternoon, we are notified that Malmesbury was going to be a league points race. When I queried it, I was told by ‘Frikkie’ that he and the PPA’s CEO made the decision. Fine, but what about the guys riding the Cape Epic, who would lose out on the points that weekend? “No, they would choose the Epic anyway.” Yes, maybe, but they should have been given the choice long in advance.

Needless to say, ‘Frikkie’ won his category that weekend, and gained an unassailable lead in the points due to his competition being absent. I resigned from the committee the Monday after the race, and soon after stopped competitive cycling to switch to triathlon. Of course ‘Frikkie’ phoned me to ask why I quit and gave me a ton of excuses, but I’d had it with cycling by then.

Other incidents flaring up on social media lately are people parking in disabled bays, and then verbally and physically attacking those who ask them to move their vehicles. Do you bother with someone parking in a disabled bay because they can’t be bothered to walk the extra 20m to the shopping mall entrance? Or do you just look, shake your head and walk away, allowing those with a sense of entitlement (or just bone idle laziness) to get away with it repeatedly?

One cannot be the change we need in this world when the rest of humanity is out to make sure they are number one. A lot of people say “do something about it then!” when others are unhappy with a situation, but few realise how futile it is. Just ask Mr. H about the responses to his “you’re doing it wrong” talks… Kudos to him for sticking to his beliefs though…

Have you tried to make a difference somewhere and failed miserably? Do you even bother? Or do you sit on the sidelines and watch? Comments below please :)

I’m fortunate enough that the deployments that my employer puts me on are always fun and interesting. It’s like changing jobs every year :D

Currently I’m running an operational team at a financial institution (no more details needed), and it’s interesting to note the different styles of management. Being 38 years old, I would like to consider myself an adult, and the youngest person in my team is 24 years old, also someone I would regard as an adult. Now, I’m billed out for 8 hours a day, so I make sure I work the 8 hours, even if I’m on site for 9 hours, since I can’t bill the client for my lunch hour (that would not be ethical, even though 50% of the time I eat my lunch at my desk).

Yet, the team spends quite a substantial portion of their day doing timesheets on various systems. As team leader / manager, I’m now required to verify those times against the clocking system etc., and report on deviations (either over or under). Essentially, this reminded me of the time I was with <my old employer>, and we were religiously “clock-watched”. You could sit nearly 3 hours in the canteen and talk to your buddies drinking coffee, spend another hour smoking, and no-one would be the wiser. If you arrived at 8:10am, you were frowned upon :( It almost reminded me of my national service days, where we stood roll-call twice a day. This is not school, we are not children, please treat us like adults. A concept that never seemed to take hold.

Now, here is my question to my fellow Info-Sec practitioners. Do you work on timesheets, or output-based delivery? Yes, there are scenarios where services are outsourced, and the company pays for 40 hours a week, thus the person needs to be on site for that amount of time, but I find that I am leaning more and more towards output-based delivery for the team, not hours billed.

If you want to come in at 9:30am and leave at 5pm, that is your prerogative. If I ask you to do something by a certain date or time, and you don’t, then I’m going to be annoyed. If you want to do it at 9pm at home while VPN’d in, that is your bad planning (or maybe your choice). You committed to deliver work at a time and date, and how you manage your time is up to you. If calls are piling up, tickets are unresolved and service to the business suffers, then those timesheets are not going to mean anything. You have bigger problems in your team(s) which need addressing.

When you manage your teams, do you clock-watch, or do you measure them on delivery?

So, I mailed ISC2 about CPEs for completing #evilMsc, only to be told this: “We do not allow submission of CPEs for preparation for exams, out-of-classroom assignments or the writing of theses/dissertations.”

I don’t quite know what to make of it. I spent a year researching, analysing and writing a 106 page thesis about a security topic, and the (and I quote) “(ISC)2, is the global, not-for-profit leader in educating and certifying information security professionals throughout their careers.” won’t let me claim any CPEs for it.

I’m more confused and perplexed than upset to be honest :)

Graduated

Just under two and a half years of work paid off this weekend. I managed to graduate with my #evilMsc. Finished my corrections over Easter weekend, and handed it in Thursday afternoon after an 11-hour drive down to Grahamstown. Friday morning was the grad ceremony, and I crossed the stage and got my parchment. Saturday morning we left and drove up a little slower, staying over halfway.

So, for now I’m chilling out, not stressing about academia for a bit. Did submit an abstract for the ISSA 2013 conference; hopefully I will hear in the next week or two if it’s been accepted, and then will produce a paper for it. Other than that, I’m going to try and wheel the living shit out of my 4×4 for a few months.

Am considering MBL through UNISA though…

So, I’ve been surprisingly quiet the last few months. The biggest reason for this has been #evilMsc. During the last weeks of November, and most of December I was finishing up the thesis. Getting it ready was a lot more tedious than I thought, and a few times I did question my sanity for doing this at my age. In the end though, I got the all clear to print and hand in. 19 December 2012 it went off to the university, and now we wait for the results. Hopefully it won’t be too bad, with ‘corrections to supervisor satisfaction’ which I can do in March and then hopefully graduate.

Apart from that, I’ve been relaxing a bit. Reading about web exploit kits every day for the last few months has made me a bit tired of all the negative news in information security. I’ve started getting back into my gaming quite heavily, playing a lot of titles I bought during the Steam sales which I never installed due to the thesis and being rather committed to handing in on time.

On the 4×4 front we’ve tried to do a few trails, and that’s been awesome to get out and forget about the thesis for a bit. Alas, not everything goes well, and the wife managed to break a shock-absorber in half on one trail; needless to say, some stronger replacements were bought. Then my old LWB Pajero’s motor finally decided to go…completely. It’s now in for a completely rebuilt engine, but I should have it back before the end of the month. We’re looking at the next few trips, and pondering going through Lesotho again, but this time staying a day extra. Also, looking at going to Kruger for a few days when my leave balance allows it again :)

Right, expect some more updates in the near future, since I’ll have a bit more time to do them now :)

I’ve had the flu all week, and this has given me the idea for this blog post. If we as information security practitioners are being told that our industry is so broken, then how come the medical industry can’t cure the common cold?

Computers have only been around the last century or so, give or take what you call a modern computer with information worth protecting. Let’s just say that we can use WWII as a starting point. That gives us 60 – 70 years.

Wikipedia will have us believe the medical industry has been around a lot longer. The father of medicine, Hippocrates, lived 460 – 370BC!! That’s over two and a half thousand years ago. So, in some form or another, medical research has been going on for all that time (if not before!). I would say medical vs infosec…they’ve had a long head start.

Information security has a wide variety of information to protect, with the landscape constantly changing; thus we are faced with a few challenges. Don’t tell me the medical industry hasn’t faced the same problems, BUT, I’d like to speculate they’ve had a LOT longer to research and FIX it! How many new, truly frightening diseases have we discovered in the last 20 years? AIDS, Ebola? I’d guess fewer than the game-changing incidents in information security, aka Stuxnet or Flame. Yet they can’t cure the common cold?

So, if you’re going to start calling our industry broken, I suggest first reconsidering the true aim of your medical aid.. (and go watch The Constant Gardener)

Last night I decided to trawl the web and see if I could find active SEP campaigns manually. Currently the automated data gathering is going, but not getting the good hits I want. This could be for various reasons, but I suspect Google has its act together when it comes to trending topics (most of the time).

Using the McAfee dangerous top celebrities list as my base I started trawling, and it wasn’t long before I hit paydirt. Several of the celebrities hit the same format. See the screenshots:

So I fired up a trusty (or should I say untrusted) VM running IE6 and XP SP2, and opened the page. Once you land, there is what looks like a flash type player.

Once I clicked on it, it informed me that I needed to download a plugin to play it. So of course we did. Once the file was downloaded I sent it off to VirusTotal for analysis, and it came back as a variety of bugs (probably different naming conventions etc.).

SHA256: 837d13abaa49c043020f7012202a976572867cc95dce780f3a7e93d37a9be5b1
File name: install_flashplayer.exe

The best description came from McAfee who described it as part of the Zero Access set of rootkits. Read more about it here.

As per the behaviour I spoke about at the IT Web Security Summit, the page then redirects you to two or three different hosts, before landing you at some dodgy porn site. I don’t want to disclose any of the redirecting DNS entries yet, since I’m still trawling for info, but all the destination sites are registered through Moniker. No surprise here. If you don’t know who Moniker are, just go read here: https://www.moniker.com/domainnames/domainprivacy.jsp
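From a defender's side, the useful artefacts in this post are the file name and the SHA256 of the fake "plugin", plus the pattern of a "Flash player" download served from a celebrity-bait page rather than from Adobe. The following is an added example, not code from the original post: a small triage script that runs two checks over constructed proxy-log lines, a known-bad hash match (the only value taken from the post is the SHA256 above) and a heuristic for Flash-installer-looking executables fetched from non-Adobe hosts. The log format, the client and host names, the list of legitimate Adobe hosts and every hash other than the post's own are assumptions made for the example.

```python
"""Triage of download records for fake "Flash plugin" SEP lures.

Added example, not from the original post. Only KNOWN_BAD_SHA256 comes from
the post; the log format and all sample lines below are constructed.
"""
from dataclasses import dataclass

# SHA256 the post reports for install_flashplayer.exe (ZeroAccess per McAfee).
KNOWN_BAD_SHA256 = {
    "837d13abaa49c043020f7012202a976572867cc95dce780f3a7e93d37a9be5b1",
}

# Assumption: a genuine Flash installer only comes from Adobe's own hosts.
# This list is an assumed allow-list, not an authoritative one.
LEGIT_FLASH_HOSTS = {"get.adobe.com", "fpdownload.adobe.com"}


@dataclass
class Download:
    client: str
    host: str
    filename: str
    sha256: str


def parse_line(line: str) -> Download:
    """Parse one constructed record: '<client> <host> <filename> <sha256>'."""
    client, host, filename, sha256 = line.split()
    return Download(client, host.lower(), filename, sha256.lower())


def classify(d: Download) -> list:
    """Return the reasons a download is suspicious (empty list if none)."""
    reasons = []
    if d.sha256 in KNOWN_BAD_SHA256:
        reasons.append("known-bad hash")
    name = d.filename.lower()
    # Heuristic: an .exe that calls itself a Flash installer but is not
    # served from Adobe matches the fake-plugin lure described in the post.
    if name.endswith(".exe") and "flash" in name and d.host not in LEGIT_FLASH_HOSTS:
        reasons.append("flash installer from non-Adobe host")
    return reasons


# Constructed sample log: the first line carries the post's hash; the
# remaining hashes are placeholders, not real file hashes.
SAMPLE_LOG = """\
10.0.0.5 celeb-videos.example install_flashplayer.exe 837d13abaa49c043020f7012202a976572867cc95dce780f3a7e93d37a9be5b1
10.0.0.7 get.adobe.com install_flash_player.exe bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
10.0.0.9 files.example quarterly-report.pdf cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
10.0.0.11 cdn-mirror.example flashplayer_update.exe dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
"""


def triage(log_text: str) -> dict:
    """Map (client, filename) -> reasons for every suspicious download."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        d = parse_line(line)
        reasons = classify(d)
        if reasons:
            hits[(d.client, d.filename)] = reasons
    return hits


if __name__ == "__main__":
    for (client, filename), reasons in triage(SAMPLE_LOG).items():
        print(f"{client} {filename}: {', '.join(reasons)}")
```

The hash match is the high-confidence signal; the name-based heuristic is deliberately loose and is there to surface the lure pattern for a human to look at, which is why the script records reasons per hit rather than a single verdict.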


Matt pointed me to Thug, a low interaction honeyclient that I could possibly run the URLs I’m collecting through. So off I went to try and install it (and fsck me, I’m no propeller-head sysadmin anymore), with limited success. Luckily I found this post, which made installation a bit easier: http://blog.xanda.org/2012/05/21/installation-of-thug-a-python-low-interaction-honeyclient-on-ubuntudebian/

Now, problem (so please help?)

Everything runs fine, dependencies all install etc., but the moment I try and run it, it breaks.

I’m sure ‘libemu’ built fine, so fsck knows. Too tired to think, and too dumb to figure it out, so please someone, post me a ‘you are a dumbass, fix it like this:’ comment so I can get this working in a ‘for’ loop and start testing dodgy URLs.

** Edit: So 30 seconds after I posted this I figured out it was a $PATH issue and fixed it…right at the time Etienne also posts something about $PATH on twitter. Let it be a lesson folks, don’t sysadmin when you are tired :)

It’s with interest that I read Haroon’s article “Infosec needs an injection of honesty“, since it echoes quite a bit of what’s been going on in the blogosphere and twittersphere lately. I disagree though: our industry doesn’t need an injection of honesty as much as business needs an injection of honesty.

There, I’m disagreeing with Haroon (who I do think is one of the single smartest people I know). In some circles, to use an example, anti-virus vendors have almost been labelled worse than the child molester in the Santa suit handing out sweets outside a school. It’s true though, some of the vendors are terrible, but they should not take the brunt for the problem. Business should, and this is why.

In my previous employment I worked for a large retailer as an ISO for 11 years. We had an AV product, and the product was terrible. We went through the process of doing POCs on new AV software, trialled it for weeks, even months, and when the time came to sign on the dotted line for the purchase order, we were simply told we are renewing the old licences.

The question then begs, who is to blame in such a situation? The bad AV vendor for making a bad product in the beginning? The good vendor for not selling his product well enough? Or the $CIO for not making the right decision? This situation repeated itself ad infinitum during POCs for products that would actually really secure the business, or in scenarios where business processes needed to change, or or or… Sure, you can blame the ISO for not being able to convince the CIO that the product needs changing, you can blame the project manager for not convincing the CIO that there is enough time and resources to make the change, or you can blame the business analyst for not convincing the CIO of the benefits of the change on the business. Ultimately, if all those people did their jobs, and the CIO still makes the decision not to change, it’s a business decision.

The company (which shall remain unnamed for this article) launched a loyalty card / program, with a huge infrastructure back-end etc., and the first time ‘security’ was made aware of the program was at the launch. When asking the enterprise architect if a pentest or other security initiatives had been done, the answer was “no, and before you do we need to fix one or two things”. Is this the infosec area’s fault, or is this the fault of business that wanted to launch a campaign in secret without considering the impact of over four million users’ details being leaked should there be a breach? How can security make the business aware, when it has been excluded from the process completely?

The point I’m trying to make is that infosec as an industry might have some problems, but I don’t believe we’re to blame. Business is to blame for the situation it finds itself in. As a consultant (luckily not too green), I see many organisations where the problem isn’t a lack of will to secure the systems; the problems are political minefields where budgets and egos play a far bigger role in choosing bad designs and products. Business should not be allowed to choose products and services based on what happens on a golf course. Hell, most info-sec guys I know don’t even know how to play golf! Then again, no-one ever got fired for buying IBM or SAP.

Luckily at Performanta, we offer consulting, services and products that I will stand by. Our consultants actually have a clue, our services guys actually know what measurable metrics are, and our products are some of the best in the industry.

To quote the other party in our unsuccessful attempts at getting our mark for one module adjusted:

…while I have once again had my lack of faith in the performance standards of some academics confirmed, one has to choose one’s battles, and this, for me, is not it..anymore…

I know this, a UCT former lecturer with an M, a Harvard MBA and myself got it wrong.. Best practice is shit; sweeping statements, snide remarks and personal comments in assignments are what is needed to score high..