Wednesday, March 30, 2011

Trust in Comodo, no really...

Contrary to popular belief (and self-ascribed insanity), Comodo is not "Hacker Proof". After the breach earlier this year at GlobalTrust, it should come as no surprise that they have had yet another breach. Their CEO commented:

"We are rolling out improved authentication for all RA accounts. We are implementing both IP address restriction and hardware based two-factor authentication. The rollout of two-factor tokens is in progress but will take another couple of weeks to complete. Until that process is complete Comodo will review 100% of all RA validation work before issuing any certificate."

Reading statements like that, anyone who's studied for the CISSP in the past half decade could have told you two-factor tokens were the norm at big shops like Verisign. Perhaps that's why Comodo's offerings are so much cheaper than the majority of their competitors. I guess trust really does have a price tag.

Tuesday, December 28, 2010

Net Neutrality

Again, it's been in the news for a while and talking heads just DON'T GET IT. Which is no surprise, they aren't paid to get it. They're paid to push Snapple. So I wrote my congressman, to make it pretty clear what the issue is, as I'm sure they aren't fully aware. To be clear, this isn't a slight on politicians, but ask a lawyer you know what they know about net neutrality and you'll get a good idea how most congresspeople see the issue.


I know something as misunderstood as Net Neutrality is getting a lot of talk time with the pundits du jour, but I feel obligated to voice my concern. I understand the largest concerns being voiced are those of the largest "people": Google on one side and AT&T on the other. The thing to be aware of here is that Google seems to be on the side of the people in this. They hold more fiber than any other entity in the United States.

The people of the US are already subject to traffic shaping and prioritization by their providers. This has been a well-known fact among those of us in the industry who have to manage these devices. Netflix, Hulu, Amazon's digital download services (and soon Google TV) are threatening the current content providers' business models. This is to be accepted, as the Internet is still evolving the way we do business. The problem is that the content providers also own the cables that run into our homes. To use a bad analogy, the tubes are being squeezed into two different sections: the one the providers offer and the one they don't. If they aren't able to monetize the traffic, they put it at a lower priority on its way to your home.

The difficulty here is that some prioritization is good. For instance, if you buy your phone service through this provider, you want the phone calls to come through even if your family is watching a TV show. But since there is no regulation in this area, there's no difference to the end user if the provider does the same thing to favor their Movie Service (TM) over Netflix or Hulu. This is clearly an abuse of the local monopolies we the American people have allowed the providers to hold.

As a congressman from the Tech State, I would hope you have heard from many people in this regard and will work with your peers to present a rational (and easily understood) front to this threat to our digital democracy.

I'd urge many to do the same, as the more people advertising this the better. We, the American People, need to make sure our representatives understand our concern. We don't have a lobby that does it for us.

Monday, August 2, 2010

So you think your information has been compromised?

Here’s a quick cheat sheet on how to protect what you can.

  1. Pull out your emergency Visa gift card.
    ($50 minimum. It must not expire after 2017 or it won’t work on Experian; you can buy one at most retailers for $55!! Though the form submission POST allowed the value to be set to 2019, and my Target gift card validated.)

  2. On a hard line, call your credit card companies and put a freeze on your accounts.

  3. On a hard line, call your bank and report your cards lost.

  4. Get on Equifax’s website and enable a freeze.
    (As of 08.02.2010, it costs an average of $10.)

  5. Get on TransUnion’s site and enable a freeze.
    (It costs an average of $10.)

  6. Get on Experian’s site and enable a freeze.
    (It costs an average of $10.)

  7. Call your office and deactivate any badge codes or accounts you think may be compromised by the information in your wallet.

  8. The next day: don’t forget your license was in your wallet/purse too. Get it reissued and get a temporary, or the added irony of getting pulled over and cited could be added to your list of inconveniences.

Your personal information is now protected against the larger credit companies and most large purchases. What this means is that you will now be protected from transactions that require a credit history look-up, since any attempt to view that data will fail. The only downside is that if you are applying for a loan you will need to release the credit freeze, at additional cost. The other bit to note is that any accounts that were opened before you lost control of your information will also be at risk, so make sure you contact those agencies (your phone company, utility companies, credit unions, insurers) and set up security PINs separate from any other data that your future identity attackers (it’s not a thief if they affect you forever) will use.

And yeah, I spent a week and a half at security conventions plus training in Vegas, and lost my wallet the day I got home. Loki loves to give me irony in large doses apparently.

Saturday, July 31, 2010

Cyber is the New Domain, but please don't turn off the lights

So this was triggered by reading the crappy article over at the Inquirer. I sent them the full text of this before I posted it and even gave them 3 days to fix the article. So here's the real deal, and I hope I didn't fuck anything up.

This little blurb is a watered-down misinterpretation of the keynote. What Hayden actually said was nothing of the sort. His words were profound and direct, very much with a purpose, and though he is no doubt used to being misrepresented in the news, I cannot believe that this site would do such a terrible job of follow-up.

Let me reiterate his speech, and perhaps your author will learn to be more direct and less sensational.
I attended Black Hat as part of furthering my training as an IT Professional and with the added benefit of sitting in on some excellent, and not so excellent, briefings.

One highlight of the two day briefings was the second Day's keynote presented by Former Director of the CIA, General Hayden. Hayden began by explaining his former positions and his involvement in the US Government's CyberCom. His explanation, and breakdown of the roles the US, and truly all nations, are facing is thus:

The existing domains (as the military establishment terms land, sea, air, and space) are deeply understood by those involved. The newest domain, cyber, is almost as much a new dimension as it is a domain. Any action that affects the cyber domain cannot (by virtue of its multi-domain nature) go without making 'something in another domain go pop.'

The cyber domain has requirements similar to the other four: it must be defended against infiltration and hardened against malicious attackers. It is also fair game for internationally accepted espionage practices, data gathering if you will. And finally, it is a domain to be considered when attacking one's enemies in time of war.

This is not to say that there should be no boundaries; he seemed to be fully of the belief that there are areas of the cyber domain that should be off limits to disruptive activities. For instance, when speaking of the power infrastructure, he described the troubles governments have in attacking an enemy. If there is an armed conflict and a nation wishes to bring the power infrastructure down utilizing the cyber domain, they have to have been within those systems BEFORE the fighting occurs.

This creates an interesting dilemma when looking at it on the world stage. Because of the nature of the beast, attackers must penetrate and reside on these systems perpetually. And when thinking of many nations all at different levels of "possible" armed conflict in the "future", that would mean these systems in many nations would be a battleground for multiple nations' agents attempting to maintain control.

General Hayden made the correlation with chemical weapons being banned by the Geneva Protocol. This particular tenet was truly the only piece he mentioned as being 'off-limits', and truly only in the concept of preemptive system residence, much to the dismay of some of the security professionals I spoke with later that day.

We will be in for an interesting future, seeing that now the US military establishment has taken full notice of the added dimension the cyber domain has created for us all. It's only a matter of time before most other nations begin doing the same; Russia, China and the other G8 nations are notable examples of this. One thing is for certain: more are sure to follow.

I couldn't see him arguing against the use of the cyber domain to orchestrate attacks during armed conflict, as this is a large part of CyberCom's stated mission:

"USCYBERCOM plans, coordinates, integrates, synchronizes and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries."

I will be publishing this tomorrow, so if you'd like to correct this article before then I will make no reference to it.

Saturday, July 24, 2010

CISSP training with Shon Harris (and Michael Lester)

So finally I got off my ass and scheduled my CISSP training. Why do you need CISSP training, you might ask? Well, it's a problem of motivation. I can motivate myself to research the topics within each domain that interest me, but the overarching topics and high-level strategic topics are where my eyes start to glaze over, and all of a sudden I wake up with a 20 pound book on my lap and a drool stain on my shirt.

Having a training at Black Hat is an experience in and of itself, from literally having difficulty finding my room, to having difficulty finding the conference room my training is in, to getting lost to and from the luncheons about 100 meters away from each other.

I've found my learning potential is vast, and the training course is *only* about 6 hours a day. When the original certification prep book is about 1100 pages long, and I've only read about 700 of those pages, I still feel like a deer in headlights when it comes to nomenclature and some of the nuances of labels (IPS and IDS, for instance, are difficult to quantify in reality, but are easy to put your finger on in terms of test terminology).

So far I've been impressed with Shon's ability to deal with a geek training crowd, which is typically a challenge to begin with, and covering a 60/40 split of technical and managerial topics is a challenge with any group. Add on top the general disdain for "management" in a group like that and it could get pretty bad. To her credit, the class has kept on topic and on focus the entire first day, and I feel my knowledge of the first two domains is much more solidified.

The other students in the class have also been able to put real world examples to some of the more esoteric topics, which has also helped a great deal. I'm still nervous that I may not be prepared for such a voluminous body of knowledge, but this is definitely giving me the tools I need to study in a much more comprehensive manner.

Michael Lester accompanied Shon in the training and brought much needed levity to many topics. His contributions to the more nitty-gritty technical details were almost always accompanied by a real world example. This made it much easier to digest, and his off-the-wall sense of humor made it an experience I would recommend for anyone looking for assistance in learning the topics required for the CISSP. Michael was even able to describe fundamental issues with the exam, and help prepare us for the mistakes on the exam that IT professionals will make.

The fast-paced nature of the course has made it difficult to consume it all, but I supplemented the daily material with nightly quizzes. From Shon's recommendation on the first day of the class, I went to to practice the questions. It is a great free CISSP test exam resource, and from what I've heard so is though it will cost you a little; I am certainly considering it, as I need to keep up to date for the better part of a month before the ISC(squared) exam date.

I felt confident in the knowledge I garnered during the day's learning and was able to use it effectively on the last day of the conference to have a much needed success. My difficulty in encryption has always been when it gets to running the algorithm on the bits and bytes themselves. I have little difficulty visualizing concepts and even understanding logical operations, but something about the math I always struggled with. For instance, I reverse the operation for subnet calculations instead of attempting binary math. After this course, I was able to find the seed I needed to grow that tree of knowledge.

My only frustration was that condensing a normal 5-day boot camp into 4 is difficult in any case, and this staggering amount of information makes it especially challenging. I'd hope the Black Hat planning committee considers adding a day to the schedule next year to get the full 5-day course many of the advanced certifications really need.

Shon was gracious enough to supplement the four days in class with an additional follow-up online class that will provide coverage of the domains that were left out of the in-person course. I'm really looking forward to participating, as I'm going to be taking the exam soon and I feel eminently more prepared now than I did from just studying the books.

Sunday, May 2, 2010

For your protection, and defense

It begins as it always does, by hemorrhaging ideas out into the ether.

This time, I have a purpose: to provide people with easy-to-understand, accurate sources on current security concerns.

To begin, the annual AV-Comparatives review of the top 20 antivirus products was released in February without much fanfare.

The most interesting statistics in the report by far are the percentages caught/missed.

Product       Percent Caught   Percent Missed
AVG           94.2             5.8
Sophos        93.7             6.3
Norman        92.7             7.3
Trend Micro   90.7             9.3
Kingsoft      81.8             18.2

Now I feel like calling the above out as being amongst the worst of those successfully tested, for a few reasons. First, they are orders of magnitude worse than their counterparts, with 18.2 being so far off as to be useless: with some companies receiving hundreds of potential malware attacks a day, letting *only* 18.2% of them through is not just unacceptable, it is negligent.

I would say the same thing goes for the other vendors above, but they have been improving over time. Unfortunately they all suffer the same failing: they are primarily definition-based antivirus products. Of course, those writing the malware know exactly how to deal with these types of products and will always be working to stay as close to one step ahead as humanly possible.