The New York State Cyber Security Conference, Day 2
by Chris on Jun.08, 2009, under Tech
My second day of the New York State Cyber Security Conference was equally as engaging as the first – dare I say thrilling at times. Before I share some of the meat, I’d like to again compliment the conference staff on an excellent program. What an absolute gem and a bargain ($50 public, $150 private). If you’re into information security I highly recommend a visit; June 9-10, 2010 has already been set aside. You’ll see me there.
Our keynote to start the day was delivered by Raphael Perl, Head of the Action Against Terrorism Unit, Organization for Security and Co-operation in Europe (what’s with these titles? sheesh) who discussed global cybersecurity challenges for practitioners as well as the emerging threats and tactics of terrorism in cyberspace.
One of the items I thought most interesting was the explanation of the overall approach on a political and military level. From a political perspective, it’s becoming understood and accepted that security is a global challenge requiring international information sharing. But the military is resisting, instead preferring to stay separate and secretive. As I pointed out on day 1, Philip Reitinger and others plainly state the biggest issue we face is hackers and other baddies becoming much more organized and globally sharing information at a rate the good guys can’t match. It would seem to me the military approach is destined for failure, and Raphael Perl made it clear he believes the same. Here are a few other interesting points or facts from the discussion:
- Last June, 1 billion PCs were in use worldwide. By 2012 this will double to 2 billion.
- 200 billion email messages are sent every day; Cisco estimates 90% of them are spam.
- There are currently 3,000-5,000 active websites run by terrorists or terrorist-affiliated.
- In a non-scientific poll of sales at a major computer store, 10% of home users bought antivirus software with a new PC purchase. Business users bought it 90% of the time.
He devoted a lot of time to discussing the potential threat to cyberspace by terrorists. He believes terrorists are actively planning to disrupt the Internet, and will launch an attack in conjunction with a real attack or a major national disaster. The goal is interrupting services right when many need it most. He believes the information sharing and readily available tools among hackers will help facilitate these attacks, as any cyberattack can be easily copied by terrorists. However, it was also made clear that not all experts agree with his opinion. Overall I found the discussion very intriguing and certainly worthy of deep future interest.
Day 2 tracks were Five Common Mistakes in Securing Web Applications, Are you Googling Your Privacy Away?, Are You Prepared for Data Loss, and PII (personally identifiable information): Taming the Beast (AKA how to discover and secure PII). Just like yesterday, they were all engaging and very well presented. The Google talk was particularly thrilling – yeah, I said thrilling. It’s incredible how much private information we *give* away to Google in exchange for their services. If you know me, you know I’m not afraid of talking about how much Google scares me. When it’s all laid out for you in a short presentation it resonates even more.
- Google is better than everyone else at screwing you and your privacy.
- Their cookies auto-renew every time you use any service.
- They’ve essentially built the best surveillance system ever created. You are a GUID (Google User ID), everything you do with them maps to this GUID, and it will follow you until you die. They aim to have a GUID for every person in the world.
- You readily give Google (and other social networking sites) vastly more information than the police can ask you.
- Gmail really is email for life. According to the ECPA your data is only protected for 180 days; on day 181 Google can give it to law enforcement without a warrant, barely with a formal request. Our DOJ is working on deprecating the 180-day rule.
- Google has only indexed 20% of the internet.
- If you use Google Desktop with remote access, everything you have indexed is stored in the Googlesphere. You’re violating HIPAA, PCI, SOX, and most other compliance specifications (oops!).
- When using Chrome, Google knows every keystroke you type into the browser. Even fields you backspace/delete.
- They don’t have to ever delete anything you tell/ask them to. Google’s file system is designed not to delete.
- Does your phone run Android? They know everyone you talk to, where you are, where you’ve been.
- Goog411 is a slick, free 411 service, right? Actually, you’re training their voice recognition software.
- Google probably knows much more about you than any government agency.
- Remember that HIPAA, PCI, and SOX violation stuff? Hope you’re not using Gmail since it’s stored (and indexed) in the Googlesphere.
- Yes, they can filter via your GUID and/or IP address and find all of your search terms.
I could go on, and the presentation was less than an hour. It’s freaking scary. Here’s the rest of my juicy tidbits from the day:
- 60% of the top 100 websites hosted or were involved in malicious activity in 2008.
- Of all 2008 vulnerabilities, 58% were from web applications.
- From the 2008 total, 73% of those classed “easily exploitable” were web applications.
- Dear developers: Most hackers don’t use browsers to exploit web applications, client-side anything is fail.
- 80% of internet traffic crosses a Verizon network.
- In the vast majority of cases when a breach occurred due to a known software vulnerability, the patch had been available for over a year.
- Top three types of malware are keyloggers, back doors, and capture-and-store programs.
- The majority of these are plain, un-customized and easily detectable by most antivirus programs.
- 49% of breaches go undiscovered for months.
- Verizon Business’s assessment of breach events over three years revealed 82% of organizations captured the attack(s) in logs, but the logs were either too complex or they lacked the tools to filter the data into a useful view.
- In this period, 69% of breaches were detected by a third party. 24% were detected internally and passively (stumbled upon), and 7% were detected actively.
- Over 260 million SSNs have been leaked since 2005.
- There are a few open source tools for scanning/identifying PII.
- According to the solution methodology presented, 89% of breaches could have been solved by data-at-rest protection (identification and removal, encryption, etc.).
I have 21 pages of notes and a large list of ideas/tasks taken over those two days. So let me say again what a fantastic event this conference was.
Chris
Greetings from the New York State Cyber Security Conference, Day 1
by Chris on Jun.03, 2009, under Tech
On the road in Albany for the New York State Cyber Security Conference. This two day conference is geared primarily toward the public sector, but welcoming private industry and packed full of great topics from both public and private organizations.
The morning began with welcoming remarks and an animated hacking demonstration themed around X-Men, which consisted of using a Linux distro to disable an NT password, Internet-mining to find information about an individual, and Wireshark to sniff packets. Wasn’t exactly technically deep, but certainly not boring PowerPoint stuff and if anything was pretty entertaining (Indian guy in a Wolverine wig, nice).
The keynote was delivered by Philip Reitinger, National Protection and Programs Directorate for the U.S. Department of Homeland Security (what a mouthful). Without PowerPoint (bonus!), he discussed quite a bit on the 60-day Review (PDF) and where DHS is challenged with cybersecurity. He also candidly highlighted some of the largest challenges facing security professionals:
- Hackers getting better not just at hacking but with sharing information at a rate security professionals cannot match.
- Defenses not keeping pace with threats.
- Cybersecurity as an issue of national security (which the president recently accepted responsibility for, a great first step).
- Fostering public-private information sharing.
- Establishing reasonable metrics.
Overall a thoroughly interesting and engaging discussion. He also pushed pretty hard for good IT people; if you’re interested in moving into the Federal space, now might be a great time.
The three tracks I chose were Ensuring Network Protection While Meeting Compliance (PII, HIPAA, etc.), Computer Network Simulators, and Motivating People to Adopt Security Practices. You’d think these would be horribly boring, but I have to say how impressed I am not only with the conference organization but with the quality of the talks. Yes, really, I stayed engaged all day. Let me share a few tidbits of info I found particularly interesting throughout the day:
- Information Security Officers must be allowed a seat at the executive table and involved in business decisions. (There is a heavy push to remove the “wall” of security as a sub-position of IT or an afterthought.)
- 35.7 million records potentially breached in 2008 *reported* – imagine what the actual number is. Dizzying.
- In 2008, missing or stolen equipment accounted for 42% of reported breach events – the second highest was employee negligence at 16%.
- Heathrow airport in England averages 900 unclaimed laptops per week – and after a reasonable time unclaimed ones are auctioned off.
- 1 in 10 people click through spam and become infected with malware. On the surface, that’s not much. But think of an organization with 1000 or more people.
- There are 500,000 different variants of malware currently, 20,000 new ones are created every day.
- Personal observation: Most admins don’t have a clue what base32-encoded data looks like (scary).
- People will not embrace security policies if they reduce their productivity, feel threatened, or are negatively reinforced.
Overall I’ve found the conference very well organized, technically awesome, and the people very welcoming. I also had a few great conversations with some of the sponsoring vendors. So far a great experience, and I’m looking forward to tomorrow. Until then, cheers from the Albany Pump House and my beer sampler.
P.S. I’ve been tweeting some of the conference, feel free to follow me.
Chris
OWASP AppSec 2008: Day 3
by Chris on Sep.24, 2008, under Tech
Previously posted and imported from elsewhere (Day 2 and 4 by Jon)
Today brought us the real meat of the week, conference day one. This is my first industry engagement and I found it quite easy to get registered, figure out where things are happening and understand the lay of the land. Quite a bit happening all at once; three different presentation tracks, a bustling vendor area, many coffee-and-tea stops (which I used frequently!), people moving all around, and just a lot of good energy around the building. To keep this on the lighter side, I’ll bullet out what presentations I chose with a quick comment.
- DHS Software Assurance Initiatives: A thorough discussion on integrating security into the SDLC with government best practices. Keyed me into a lot of materials I’d like to read!
- HTTP Bot Research: This was a great talk on botnets, past, present and future by Shadowserver. A lot of time was spent on the Georgia conflict and looking at the first botnet attack from the U.S. and the second from Russia. I really enjoyed it!
- Get Rich or Die Trying – Making Money on The Web, The Black Hat Way: This was my (and Jon’s) favorite talk. It was a veiled comic presentation that hammers home business logic flaws.
- Using Layer 8 and OWASP to Secure Web Applications: Two of the City of New York’s security guys led this presentation on how they’ve developed their software development policies and practices.
- Industry Outlook Panel: Several big names in corporate security discussed their thoughts on a variety of topics. I really wish it were a double session; 50 minutes wasn’t nearly enough time.
- OWASP Testing Guide – Offensive Assessing Financial Applications: This was presented by a jet-lagged no-BS Brit who laid out a good testing primer.
- OWASP Live CD: This turned out to be a lot less on the live CD and a lot more about a beta email phishing project loaded into a VM image. It scared the devil out of me, very powerful software. Apparently scared a few other folks too as it may not ever get released because it works so well.
*cough* we skipped the next hour and a half (nothing we really wanted to hear) to run back to the hotel and grab some great Thai food in the East Village.
Finished the night up with the (ISC)2 cocktail hour (free booze!) and they announced a new certification, the CSSLP. Then we took a walk to Times Square again which is infinitely cooler at night (duh).
Back in and getting rested for tomorrow. Can’t believe it’s nearly Thursday already!
Goodnight from Grand (street)!
OWASP AppSec 2008: Day 1
by Chris on Sep.22, 2008, under Tech
Previously posted and imported from elsewhere
Friend and codemonkey Jon and I had a great day at OWASP AppSec. For a couple of NYC newbs, we’re getting around really well! Starting at 7:30 a.m., we hopped on the subway for the trip to the Park Central Hotel. OWASP is taking very good care of its attendees and we got in and settled easily.
The management training was very informative and challenged how I think about security. Coming from a small SaaS firm, I was in the minority as the training was geared heavily to large organizations. This was excellent because I learned from hardened policies established by industry-leading companies. I took a lot away from the group discussions because many large firms had representatives, but I also felt I was able to provide some insightful “grassroots” knowledge and approaches that working with a small organization affords. The training also provided a nice primer on attack styles, best practices to secure against them, statistics on vulnerability and business effects, and how to “sell” security. Looking forward to putting together the lessons I learned to enhance how we approach current and future security opportunities.
Jon seems to really dig his defensive coding training, we’ve been chatting and trading ideas back and forth all night. It will be interesting to see what the second day of his course brings.
Personally, we’ve been having a great time experiencing NYC in our off-time. Had lunch at the Carnegie Deli then took a stroll to Times Square. Got our real NYC pizza fix at Arturo’s for dinner tonight, then strolled around for a couple hours just seeing what there is to see. NYC easily makes you feel very, very small!
Cheers from Chinatown
A picture would be worth a thousand words (if it wasn’t terrorism).
by Chris on Aug.07, 2007, under Tech
Previously posted and imported from elsewhere
I was on vacation last week on the fine island of Puerto Rico. My fiancée’s good friend was married on Friday, so we spent the week in the territory and had a great time. We chose Delta, an airline which I mostly despise (but not totally despise, like American Airlines, but that could be another story). Delta was the cheapest airline available; we purchased our tickets just as they were emerging from bankruptcy but were also being threatened with a hostile takeover. A fantastic time to buy airline tickets, for sure.
The flights to the island were relatively uneventful, the typical pain-in-the-ass which is relegated only to air travel and a root canal with Orin Scrivello, DDS. The picture worth a thousand words (if it wasn’t terrorism) took place on the flights back from San Juan. At the check-in portion of airport terminals, it seems that many airlines (especially Delta) have replaced most or all real people with these ridiculously monotonous and extremely unfriendly “kiosks”. Enter part of your name on the touch-screen or slide in a credit card (no thanks, Delta, I’ll enter my name) and you get to check yourself right in. To make it worse (if forgetting that most people despise computers isn’t the worst) they usually have one or two obviously overworked and underpaid employees manning all twelve kiosks. These poor people are charged with not only holding the hand of most travelers through the process of check-in on these kiosks, and in most cases just doing it for them, but also checking and tagging each checked bag from every passenger at every kiosk. Nice.
So I was standing there, marveling at what an efficient process it would be if people liked to use computers and the employees were robots, wondering exactly how much money Delta saves by investing in these kiosks and canning real people. Just as I was deciding that Delta surely couldn’t be making money on a flawed system of very expensive but impersonal computers and overworked, understaffed employees pissing off all of their customers, I noticed something out of the corner of my eye. Kiosk #1, all the way at the beginning of the row, looked funny. Its screen was black. I glanced at my fiancée and pointed to the kiosk so she would know where I was going, strolled up, and a horrifying sight beheld me. It was a Windows 98 black screen of death! The screen said something to the tune of ‘Windows 98 cannot start because the following file is missing or corrupt: “c:\windows\system32”’ – it’s been so long since I’ve seen one that I can’t even recall the exact words. I was taken aback. The system in charge of running the airline’s check-in is based on WINDOWS? Not just Windows, but a vastly outdated, terribly insecure, networking-inefficient FAT-based version of Windows?!
Yikes. I didn’t know whether to laugh or be really, really afraid. So I chose to laugh, which attracted the attention of the manager-looking Delta employee who was giving me a very unnerving look. Just as it dawned on me to grab the camera so I could take a picture, he gave the nearby TSA “agent” a look of “come over here and get this guy to stop laughing at my broken kiosk”. We were ready to head to security, so I decided not to push the issue. Jail in San Juan for taking pictures of the airport was not something I was going to tempt. The flight to Orlando to connect to Columbus wouldn’t have been bad if it wasn’t for the air conditioner leaking buckets of water all over the front of the cabin. The closest steward, in first class, was too busy taking drink orders to notice the three gallons of water pouring onto the floor. So I walked up, gently tapped him on the shoulder and said “excuse me, the plane is leaking” and pointed to the pond in the middle of the floor. He looked at the pond, then up at me and said “Oh, so it is!” and stood there looking very nervous. My goodness. The next 30 minutes were filled with hilarity as three janitors hooted and hollered around the leaking air conditioner, mopping up the water only to be mocked by another gallon of water pouring out, and attempting to “wipe” the water away from the ceiling panel from which it was dripping as if wiping it with a handful of paper towels would somehow stop the deluge. It really was hilarious.
But back to the story. We eventually landed in Orlando and were walking to our next gate for the flight home. We stopped by one of the big monitors for arrivals and departures so we could find our gate, and what did I see in the lower-right corner? The Windows XP “desktop cleanup wizard” popup bubble, reminding every passenger that Delta has not run the wizard in over 30 days, and it might be a good idea to clean up the desktop icons. Again, as innocent as it is, I didn’t feel like being hassled about taking pictures inside the airport, so I passed on this hilarious picture opportunity as well. So it seems most of Delta’s computer infrastructure is Windows based. Hey, at least this one is XP.
Having something critical to say of Windows probably comes as a shock to my friends; they know I’ve never shared their same spooks about Microsoft. There is a great deal of value in their products when properly chosen, implemented, and understood. However, in this case I’m pretty frightened that a major airline would trust so many systems (and who knows how many mission-critical systems) to something as, at the very least, fickle as Windows. A nicely chosen Linux distro seems to be a much more favorable alternative for reasons I shouldn’t even have to list. Google ‘Linux versus Windows security’ to start. The first topic that comes up today is from a favorite news source, The Register; I recommend taking a look.
So, in this case, two pictures would certainly be worth a couple-thousand words, but not at the risk of being branded a terrorist. Instead I deliver 1,033 (according to Microsoft Word).
