Just what I need, another feed/link/dashboard! But I will say I kinda like what Security Database has put up. I especially like the security tools alerts which are RSS-able.

It amazes me how slowly wireless has been tackled, especially as everyone has completely jumped on Office products and browsers with all sorts of problems. Perhaps this year will usher in some more changes?

By way of Whitedust, I was pointed over to a pair of NetworkWorld articles. The first deals with new laws and guidelines about business-run wireless networks, both public and those intended to be private. In addition, it tackles vendors who should not default insecure or at least give users some guidance on securing those devices. These are seemingly easy and no-brainer topics, but yet implementation is such that I am astounded about the lack of attention wireless technologies receive. Heck, even insecure cell phones get more press compared to the data networks! The second talks a little bit about 802.1X (in that sort-of-technical-but-not-really-technical way the NetworkWorld writes).

More laws make me happy when it comes to securing wireless and our digital world. But more laws also make me say, “D’oh!” a few more times, since I am one of those people who likes to drive around and see what open wireless networks there are, and hopping on one when I have a need (when traveling or at a friend’s place, for instance, and just hopping on an open neighbor network).

It is interesting to hear us be adamant about perfection in security, whether it be perfect devices, perfect approaches, or perfect coding. Really, digital integrity pales compared to personal safety. Do we expect perfection in being safe when on the road? Do we demand that cars be built to absolutely withstand the stupidity of drivers? Do we move to diminish the role of the user when driving? Do we do much beyond laws, liability, some technological improvements, and a common understanding that green is go, red is stop, yellow is speed up and pretend not to notice anyone else, and lines are guidelines on traffic flow except in parking lots where they are so much street grafitti? Ever try to play traffic cop in your car, where the guy behind you wants to speed and basically blows out his O-ring having a caniption fit behind you while you drive the limit (yeah, me too, it’s fun because I can be a dick now and then).

It is interesting that we accept a certain level of reasonality when it comes to our safety in life, but become hardassess when talking about digital security.

Have we achieved perfection in physical security, whether it be at home or in the workplace? It might sound like I am being defeatist. On the contrary, I say this all very enthusiastically. Update: I am going to amend, but not remove my original post above. Yes, there are differences in my choice of analogy and the security world. In too many cases, we don’t end up living with our bad choices on the road, but in digital insecurity, we end up living with them. Ask any identity theft victim how hellish their life has been since. Likewise, I accidentally dismissed one thing I thump a lot when it comes to the digital life: efficiency. If a traffic accident were like a digital security incident, then one accident might end up affecting every single car built in 2003 in the state that is currently on the road, and when others currently at rest get started up in the morning, they immediately suffer the same result. One obscure issue in MySpace that only 50 people even understand could result in a worm that affects many thousands of people.

Ordinary people see the means of victory but do not know the forms by which to ensure victory. -The Art of War Chapter 4: Formation

Am digging into my inner wireless geek this month as well. This means buying a little bit more hardware. Most of this stuff is best available on eBay and I plan to get my hands on some of these things soon.

Orinoco Classic Gold wireless PCMCIA card x2
Sharp Zaurus SL-6000
AmbiCom compact flash wireless card (or similar)

The Sharp Zaurus runs on Linux and has internal wireless. This means I can run Kismet on it. I already have an older Dell Axim X5 that I picked up at my old job and totally forgot I still had (and if I want another one for some reason, they seem dirt cheap on eBay). It has no internal wireless and runs Windows PocketPC, but I can put the compact flash wireless in this guy and get it to run. It also gives me the ability to run Ministumbler if I wanted to. I’d rather use Kismet and the Zaurus, but I got lucky in already possessing a little-used Axim.

Now, why would I want both Kismet and Ministumbler? First, some people simply respond better or worse to Linux or Windows. If I don’t want to show someone how to do wireless tricks, I’ll glaze their eyes over with Linux. If I’m looking to impress a gir…err…a manager with pretty colors and graphs so they spend money on or for me, I may get better results on Windows and Ministumbler. Second, Ministumbler is an active recon tool, so it will only see networks that have the SSID broadcast. Kismet is passive. While it will see non-broadcast SSID networks, I’m not yet sure how it sees them if there is no traffic on them..

Now I just need to pick out a GPS unit (I don’t want to spend much, I’m not an extreme outdoorsman who needs something amazing) and possibly decide if I want to explore an external antenna or hold off on that. All told, I don’t expect to spend more than $60 on the wireless cards and maybe $200 on the Zaurus.

Also just saw this 2-part article on SecurityFocus about wireless forensics.

Not a huge deal, but it looks like one of those nicer sites that I don’t see many people talk about has had a facelift. Whitedust doesn’t display correctly for me at work on IE7, but it does look like they have ramped up their news coverage and now report quite a wide array of things in the RSS feed. Their news reminds me a lot of Rootsecure: some news, some articles, some podcasts, and so on. Always been some good stuff there despite them being a relative new-comer to the scene and UK-based.

One of my favorite questions to ask pen-testers or other security assessors is how often they are successful and what techniques are the most successful. I imagine social engineering and physical attacks have a very high rate of success; in fact, I wouldn’t bat an eyelash if pen-testers claim those are 100% successful when attempted. I’m sure there are many other ways they can own a network, but when they run into a tough cookie to break, I wouldn’t be surprised if those methods combined with some wire sniffing yields positive results almost all the time. This article I read this morning caught my imagination:

Core Security Technologies has never failed in its spear phishing tests
against large organizations, Caceres said, an indication of the task DOD
faces as it attempts to battle its latest network threat. The human
factor which requires e-mail users to carefully examine their messages,
plays a critical role in defeating spear phishing, Caceres said.

I think this is why discussion on user education is still rather mixed. Most everywhere I read that user education is necessary as we build security awareness and programs in organizations, with this as proof that we need more education. Others will claim that user education is not going to solve this, and we should focus more on technology and other aspects. They will also cite these results by saying that getting intelligent users who consistently make the correct decisions is a losing battle.

At any rate, I love hearing about success rates and common means of access into networks. Jeremiah Grossman has been doing a related survey for web application specialists for a few months now, and has been quite readily and hungrily accepted.

I wonder if there are similar surveys or data for pen-testers?

Update: Of interest, Dana Epp pointed me over to a presentation on combating social engineering.

I’ve decided that as I move forward with my site here and my posts, I’m not necessarily going to be completely PC and try to be pleasing to people. I want to take a stance and not feel like I have to assuage anyone else, especially with my own feelings and site. 🙂

So, where do I stand with full disclosure? First, I think we need to buck up, let people do their thing, stop quibbling about how to properly disclose, and just move forward with our goal: security. We don’t sit here whining about how we can’t control the environment and then let security slide until we can control the environment. It is unknown, ephemeral, ever-changing. Whether someone practices full-disclosure or protected disclosure, I don’t much care: I still have to practice security and I need to be able to roll with the punches and what the environment hands me.

There are two caveats to this debate, which few people seem to address when passionately debating this topic. First, there is the entire full disclosure concept and whether we should practice it. Second, there is the question on whether security professionals should practice full disclosure or more “responsible” disclosure.

Whether an attack vector, vulnerability, or known proof-of-concept exploit is available or not, I would rather know about these items as opposed to not know about them and hope that an attacker doesn’t secretly use them against me. If someone has found a hole and will report it to the vendor reasonably, it should be a security researcher’s position to assume two other people in the world know about the issue as well. And are actively exploiting it or soon going to. Or maybe have been previously. We cannot squealch communication amongst ourselves and expect to keep up with attackers. I am in favor of full disclosure.

On the second part about security professionals, I have less opinion and think it is a case-by-case issue.

In the end, like nature, what doesn’t kill us only makes us stronger and more resilient.

Update: I just wanted to add to this that I really don’t necessarily trust vendors. Vendors are economic entities, and most of the time the media and researchers end up interfacing with the ineffectual and smoke-screening PR and Marketing sides. I don’t trust that, and if I were to weigh my trust of vendors against my desire to know about the problems, the vendors do not typically win. This would change if vendors not only fessed up to holes they patch, but would also be liable for any damages incurred through direct use of those holes. Of course, then I see vendors getting slimier and doing the whole lawyer dance jig… In the end, vendors need to also get off the soapbox about responsible disclosure and just be up front and honest with the community and the world. Painting a picture of rosy security happiness where even puppies and rainbows can use their software without a care in the world is a dying approach. Security is merging with business in the back office, but what about the front office?

Andy, ITGuy pointed out an article on Computer World 10 things to do to be more secure when using public wireless hotspots. Nice article.

The good tips that will slowly disappear as Windows fixes its wireless management:

– disable ad hoc mode
– turn off network discovery

The just plain good tips:

– turn off file sharing
– disable your wireless adapter when not in use
– turn on your firewall
– watch out for shoulder-surfers

Then Preston has a few more interesting suggestions. He suggests to encrypt your e-mail, but sadly gives no more information about how to accomplish this. For most consumers, they will stop there, give an annoyed huff, and skip that step. Encrypting one’s email is not as easy to many users as it can be, and is completely email provider-specific. It might be as easy as changing a couple connection settings in the client, or as complicated as figuring out PGP or some other service that claims secure email (by simply never transmitting it off their webmail servers and forcing your recipients to make accounts to retrieve the mail…bleh!). Some users will just be out of luck when it comes to secure mail transmission and won’t have corporate recourse for checking mail beyond port 110 and cleartext messages. In those cases, just don’t do it.

Carry an encrypted USB drive. I’m not sure if this is worthy of a bullet point, but if someone will be going through the trouble of using an encrypted USB drive for data, why not encrypt the whole laptop disk? Besides, if an attacker takes over the system, they should be savvy enough to impersonate an admin or the user and access most encryption. It makes some sense, but I think it is more effort than is necessary. I dislike having to track multiple “portable” devices, especially ones that can be lost as easily as a USB drive. To me, data encryption on the disk is a “data at rest” issue, not a wireless security issue.

Protect yourself with a virtual private network. I’m not sure I would suggest people use a third-party VPN service. Home consumers on their own equipment, sure, but not corporate users who think it would be safe to transmit possibly-sensitive information through a third-party who may or may not be credible. Too many people think that just because they pay money for it, it must be on the up-and-up. Instead, corporate users should look into what their corporate support is for VPN use. Home users can go the *very* technical route of hosting their own VPN/proxy system, or utilize the pay-for service if they want. I think if email is encrypted, web site logins are protected via SSL, and cleartext IM service not used, most users will be fine without a VPN.

Beware phony hotspots. First, I hate the term “evil twins.” We’ve had a better term for this for years now: “rogue AP.” While there is not much most users can do to protect against the rogue AP problems, I do like his two suggestions. Ask the staff if they have a hotspot and what the name is. And if you see two of the same name, don’t connect to either one. Any futher security against a rogue AP is either overkill for most users, or is really the responsibility of the hotspot establishment.

IE has been beaten up over the years, and now that Firefox has gained ground, it also is under fire. While Office has been beaten up last year, now perhaps Open Office will be subjected to the lean eyes of the hacking underground. This post by Brian Krebs is timely, but I particularly love the first couple comments; the first about Open Office, and the second about a just-today-released-patch for an issue in Open Office.
As applications keep getting attacked, especially Office and web browsers, more and more people are scattering over to lesser-known and oft-times free software to accomplish their tasks, myself included. But just because it has not been hit yet, does not make it secure. It might be a little bit safer to use as the odds of an attack are lower, but obscurity alone does not necessarily provide security.

“If you can make it clear what is to be rewarded and what punished, make your directives reliable, keep your machines in good repair, train and exercise your officers and troops, and let their strengths be known so as to overcome the opponent psychologically, this is considered very good.” -The Art of War, Chapter 3: Planning the Attack

The Muse (yeah, I’m stealing a concept from my days of writing…maybe I should call this my Geek Muse?) visits at some odd times. I saw a post on Security Renaissance about a new method of staying ahead of phishers as posted on the F-Secure blog. For some reason before I even clicked on the link, I quickly thought about a device in front of the spam filters that scans every email for links and compiles them all into a greylist. That way when corporate users receive an email, any links in that email will already be either blocked or placed into a higher level of alert, perhaps on a web proxy.

For about 2 minutes I thought that was a cool idea, but then I did think about how many legitimate email links would get flagged. So maybe that is not so much a cool idea for a corporate network, but for a company whose lifeblood is email or email/spam/virus protection, a realtime catcher like that along with human bodies evaluating the trends and list of sites would be valuable. You can’t always wait for the spikes in traffic or the reports from users AFTER they have received all the phishing emails and gone to those sites and turned their computer into a bomb. Either way, this is still reaction, just higher upstream than most people tend to react, and not technically prevention.

Chances are, the big boys in this field already do this, but thinking about such things makes my brain smile.

First of all, I have a new link in the dashboards section. I like dashboards. Management goes gaa-gaa over dashboards. That makes me like dashboards even more! I’ve never linked to it (amazingly) on the menu, but I just added one for the F-Secure Worldmap which is kinda cool.

Now, that dashboard is pretty pastel-laden. However, check out the wallpaper pics of what the F-Secure internal, realtime dashboard looks like. Pardon me, but that’s fuckin’ awesome!