Archive for the InfoSec Category

Lieberman Bill Gives Feds ‘Emergency’ Powers to Secure Civilian Nets | Danger Room | Wired.com.

I wonder if this is going to affect his already abysmal approval rating?

Lieberman’s approval rating in a poll taken January 4–5, 2010, was 25% approve versus 67% who disapprove, making him one of the least popular Senators currently in office.[8]

http://en.wikipedia.org/wiki/Joe_Lieberman

Really, this isn’t new, it’s just another reach into the civilian world.  The government doesn’t pay for the critical infrastructure, it just wants to control it.  Something here stinks…

[Image: Kingston Data Traveler 101R, by Unwinged via Flickr]
Are you kidding me? The statement below is THE most important in the entire article.  Thanks to Juergen Schmidt for this article.

How could USB Flash drives that exhibit such a serious security hole be given one of the highest certificates for crypto devices? Even more importantly, perhaps – what is the value of a certification that fails to detect such holes?

via NIST-certified USB Flash drives with hardware encryption cracked – The H Security: News and Features.

So we can’t seem to trust the FIPS 140-2 Level 2 certification any longer.  Who does this testing?  Who is responsible for this?  Someone needs to figure it out ricky-tick.  (For the record: FIPS 140-2 testing is done by accredited third-party laboratories under the Cryptographic Module Validation Program run by NIST and Canada’s CSE, and a validation covers the cryptographic module against the standard’s requirements, not the design of the whole product wrapped around it.)

This type of vulnerability is going to make using USB devices simply unacceptable for everyone.


ATM Fraud: New Skimming Scheme Spreads.

Here we are again, coming up on the Holiday Season.  Hanukkah starts this Friday, December 11th, Christmas, and a few fake holidays are in December as well.  (See Festivus, and others… )

Of course, we want to go out and Spend!, Spend!, Spend! to stimulate the “bad economy”.  Well, there is a large group of people who want to stimulate their own pockets as well.  No, I don’t mean the Retail Giants, they’re getting theirs… I’m talking about criminals, who really don’t want to work too hard to get your money.

If you are out, and need some quick cash, you’re better off going to a drug store, or other retail chain, where you can use your Check Card/Debit Card to purchase a pack of gum and get a quick $20.  Using an ATM is getting increasingly more dangerous.  ATM Card Skimmers are getting harder and harder to spot. (Link to Google images of skimmers)

The main message? If you are not using the same ATM every time you pull money out of your account, look closely at the ATM.  Are there any new moldings or trim around it? Does anything look out of place?  Touch every surface of the ATM, and wiggle pieces, if they’re loose, report it to the Telephone number ON THE BACK OF YOUR CARD!  Don’t believe that the telephone number on the ATM is correct.  You may be calling the thieves to tell them you spotted their device.  Here’s my prevention tip of the year… Don’t use an ATM or ATM Card.  They’ll save you money in the long run.  Move back to Cash.  It works.

Either way, Please have a safe and secure Holiday Season.  Oh, and a Very Merry Christmas!

dc0de


Security Fix – Apple issues security updates for Mac OS X.

How can this be?  My father recently went to the Apple Store outside Chattanooga TN, and they told him, “Apple doesn’t need any anti-virus, or other security software.  It’s just secure.”

Apple’s advertising makes its computers out to be impervious to the threats that every other computer faces.

Even Brian Krebs (While I like and respect him), stated in his blog a few weeks back that to be secure on the internet, you should do your online transactions on a Mac.

Well… something seems to be amiss.

Let’s be clear here:

All Operating systems:

  • Are flawed
  • Will be attacked
  • Need some sort of Anti-Virus
  • Need a client based Firewall
  • Need constant care and attention

The major issue with most operating systems is the User.  Most users, of any operating system, fiddle with the configuration.  This is similar to saying that “All drivers of a car, modify their car”.  This is somewhat true.  Let’s explore this for a minute:

Types of modifications drivers do to their cars:

  • Seat Covers
  • Floor Mats
  • Rims / hub caps
  • Exterior and Interior Trim
  • Stereo System/GPS
  • Tires
  • Engine Modifications/Upgrades
  • Suspension Modifications/Upgrades

Except for the last three items, most of these things, in moderation, are harmless to the driving safety of the vehicle.  However, if you don’t know what you’re doing, and you make some or all of the last three changes, you’re going to fall into one of the following categories:

  • Outside your ability to drive the vehicle
  • Creating an unsafe engine
  • Creating an unstable vehicle to drive

Now, taking this analogy back to computers, if you make modifications to your computer system, like installing unproven software, or installing many of the gazillion web toys to play games online (for example, flash-based games), you’re inviting your system to be taken over.  When you add any of the other high-risk behaviors that we’ve been asking people not to do for the past 12+ years on the internet (e.g. surfing porn, downloading music and movies, file sharing, opening unrequested emails, not having a firewall, not having Anti-Virus & Anti-Spyware tools, etc…), you have a recipe for disaster.

I think that it is high time that we hold the software manufacturers accountable.  (Including Apple)  Software manufacturers have to OWN the risk, and share the risk with the general public.  After all, if you purchased an automobile that was prone to blowing up while you used it normally, wouldn’t it be recalled?  Couldn’t you sue the manufacturer?  It’s high time that companies get with the program, and start making software that is SECURE BY DEFAULT, instead of bolting on thousands of “patches”, “fixes”, and even stating, “We rely on third party companies to provide that functionality”.

Apple is the biggest failure in Truth in Advertising, and since there are so many Apple Fan Bois, (sic), it doesn’t seem to be happening.  Sorry, I’m not falling for the smoke screen.  Sadly, many of you are.

How about you “Man Up”, and ask your wonderful Apple manufacturer to be truthful?

That’s my 2¢, YMMV.

-

dc0de.


In Congress, a call to review internal cybersecurity policies – washingtonpost.com.

It’s not so nice when it happens to “Them”!!!

“The ethics committee operates in secrecy and has its own policy governing the handling of materials involving investigations. Under committee protocols, material generated by the panel is supposed to be stored in secure areas that are not accessible to anyone other than committee staff members. That goes for computer files and printouts of committee documents.”

The article goes on to describe how the members of Congress who were under investigation responded, and how shocked everyone was that the data was “at large”.

The laughable part is that it was disclosed by a P2P application installed on the home computer of a junior member of the Ethics Committee staff.  I guess the Government doesn’t follow the same guidelines that the Commercial world does…

In the breach, the report was disclosed inadvertently by a junior committee staff member, who had apparently stored the file on a home computer with “peer-to-peer” software, congressional sources said. The popular software allows computer users to share music or other files and is easily available online. But it also allows anyone with the software on a computer to access documents of another user without permission, as long as the users are on a file-sharing network at the same time.

Now I have to question, how much more data was released?  What else was on this member’s shared folders?

It’s time that people wake up and smell the coffee… we’ve been PREACHING about these types of weaknesses, there are hundreds of products that can prevent these types of breaches, and what is being done about it?

Apparently, nothing.  Thanks everyone… it’s been fun… I’m going to bake some biscuits.


While working this past week, I encountered a problem that I first solved in 1997, while working in Norcross for a small start up firm. The problem that we were having was related to a client/server connection going through a Firewall, being shut down after 5 minutes of no activity. I was amazed that a Firewall would shut down an idle connection in 5 minutes, but that’s what was happening. To make matters worse, the Firewall (Cyberguard), was hard coded to shut down idle tcp sessions after 5 minutes, and you couldn’t modify it in any way.

Well, we replaced that firewall with a different product, but later that same year we ran into the problem again with the CheckPoint default session timeout of 60 minutes. We considered raising the setting to 2 or more hours, but realized the risks of doing so. Leaving idle TCP connections open for long periods invites session hijacking risks. Since we were a security-conscious company, we decided to look for alternate solutions. We went back to the RFCs and really dug into TCP/IP settings and TCP tuning.

We looked at how the TCP stack is implemented in Windows and found several documents on how to modify the systems we were running. In fact, I used the TechNet article so often, I have it memorized.  It’s Q120642.    We made several registry modifications and I even used this knowledge to write a document for CheckPoint FireWall-1 on how to tune the TCP stack on a Windows host that runs FireWall-1.

Several of the settings were modified to allow a high connection load; others we made on the servers sitting on different segments of the firewalls.

To improve Connection Load we modified these two settings:

ForwardBufferMemory – the default is only enough for fifty 1480-byte packets, rounded to a multiple of 256 (ONLY 50!!!).  Note that this parameter is a byte count (the default works out to 74240 bytes), allocated in 256-byte buffers.  We increased this to 5000.  (Note: if you change this, you have to change NumForwardPackets as well; the two are sized together.)

NumForwardPackets – the default here is enough for fifty packet headers.  We increased this to 5000 as well.  (Note: if you change this, also change ForwardBufferMemory.)

(For Windows servers running Internet-facing sites, where connections may be greater and you need to transmit more data, you may also want to modify the above parameters.)

We modified much more, and this isn’t the forum for it; however, Microsoft has actually written a very nice document on how to tune your Windows Server 2008 systems for many different scenarios.  You can find it here: http://www.microsoft.com/whdc/system/sysperf/Perf_tun_srv.mspx (read it… it’s actually well written!)

Now for you Linux guys, I know… you want to know how to tune your stacks too! Well, all I can say is learn your distro.  Use Google.  Or better yet, let me do that for you…Click Here for Linux TCP Tuning Tips

BUT I DIGRESS….

This is really about trying to get people to OPEN their minds and think outside the box.  No, wait… No it’s not.  It’s about getting people to open their minds and listen to reason.  Here are some interesting facts about TCP keep-alives.

  • RFC 1122 states “A “keep-alive” mechanism periodically probes the other end of a connection when the connection is otherwise idle, even when there is no data to be sent. The TCP specification does not include a keep-alive mechanism because it could: (1) cause perfectly good connections to break during transient Internet failures; (2) consume unnecessary bandwidth (“if no one is using the connection, who cares if it is still good?”); and (3) cost money for an Internet path that charges for packets.”
  • it goes on to state, “To confirm that an idle connection is still active, these implementations send a probe segment designed to elicit a response from the peer TCP. Such a segment generally contains SEG.SEQ = SND.NXT-1 and may or may not contain one garbage octet of data. Note that on a quiet connection SND.NXT = RCV.NXT, so that this SEG.SEQ will be outside the window. Therefore, the probe causes the receiver to return an acknowledgment segment, confirming that the connection is still live. If the peer has dropped the connection due to a network partition or a crash, it will respond with a RST instead of an acknowledgment segment.”
  • This RFC was written in 1989!!!

I was asked today what the “down side” of enabling keep-alives is, and there really is ONLY one: BANDWIDTH.  In 1989, bandwidth was expensive.  Note in the section above, it mentions why the TCP specification doesn’t REQUIRE a keep-alive mechanism: it could cause a good connection to fail during transient Internet failures.  Wow… that doesn’t really happen in $20mil data centers…. does it?  And it could cost more because you’re putting a packet on the wire, and some Internet paths charge per packet…  Do you really pay more for two packets totaling less than 256 bytes every n minutes?  On your internal 10Gig network? (I don’t think so)…

So, the downside is ≤ 256 bytes every n minutes, or some intermediary security device will time out your idle established connections every 30 or 60 minutes, depending on your security products.  (These are idle-session timeouts on established flows; they have nothing to do with the TCP TIME_WAIT state.)

Product / default idle timeout:

  • Juniper SRX: 30 minutes
  • CheckPoint FW-1: 60 minutes
  • Cisco PIX/ASA: 60 minutes
  • TCP keep-alive idle time, RFC 1122 default (no less than two hours): 120 minutes

So, if you’re a platform operations person, and you’re presented with this problem, should you:

A) Tell everyone to modify every protocol on every security device in the network to keep Applications that don’t support Application Level Keep-Alives connected?

B) Enable tcp keep alives on the server hosts that are running these broken applications?

BIG HINT, the answer is B!
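Here is what option B looks like on the host side, as an added example (this is not code from the original post): turn on SO_KEEPALIVE on the accepted socket and, where the OS exposes per-socket timers, size the idle time and probe schedule so the whole probe cycle finishes inside the firewall’s idle window. The timeout table repeats the figures quoted above and should be treated as assumptions to verify against your own devices; the 25% margin and three probes are this example’s own choices.

```python
"""Host-side TCP keep-alives sized to beat a firewall's idle timeout.

Added example for this post, not code from it. FIREWALL_IDLE_TIMEOUT holds
the figures quoted in the post and is an assumption to verify against your
own devices; the 25% margin and 3 probes are this example's choices.
"""
import socket

# Default idle session timeouts in seconds, from the table in the post.
FIREWALL_IDLE_TIMEOUT = {
    "juniper-srx": 30 * 60,
    "checkpoint-fw1": 60 * 60,
    "cisco-pix-asa": 60 * 60,
}


def keepalive_params(idle_timeout_s, probes=3, margin=0.25):
    """Return (idle, interval, count) such that the whole probe cycle (first
    probe plus every retry) completes inside the firewall's idle window with
    `margin` to spare, so a healthy peer is refreshed and a dead one is
    detected before the middlebox forgets the flow.
    """
    if idle_timeout_s < 30:
        raise ValueError("idle timeout too short for useful keep-alives")
    budget = int(idle_timeout_s * (1 - margin))
    # Spread retries out so one lost probe does not drop the connection,
    # but never probe faster than every 5 seconds.
    interval = max(5, budget // (probes * 4))
    idle = budget - interval * probes
    assert idle > 0 and idle + interval * probes < idle_timeout_s
    return idle, interval, probes


def apply_keepalive(sock, idle, interval, count):
    """Turn on SO_KEEPALIVE and, where the platform exposes per-socket
    timers, set them: Linux has TCP_KEEPIDLE/TCP_KEEPINTVL/TCP_KEEPCNT,
    macOS exposes only the idle time as TCP_KEEPALIVE. Returns the options
    actually set so the caller can see what the OS accepted.
    """
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {"SO_KEEPALIVE": 1}
    for name, value in (("TCP_KEEPIDLE", idle),
                        ("TCP_KEEPINTVL", interval),
                        ("TCP_KEEPCNT", count)):
        opt = getattr(socket, name, None)
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)
            applied[name] = value
    if "TCP_KEEPIDLE" not in applied and hasattr(socket, "TCP_KEEPALIVE"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPALIVE, idle)
        applied["TCP_KEEPALIVE"] = idle
    return applied


def keepalive_enabled(sock):
    """Read SO_KEEPALIVE back so a deployment check can confirm that
    keep-alives are really armed on the accepted socket."""
    return sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) != 0


def demo(firewall="checkpoint-fw1"):
    """Accept one loopback connection and arm keep-alives on it, sized for
    the named firewall. Returns the settings that were applied."""
    idle, interval, count = keepalive_params(FIREWALL_IDLE_TIMEOUT[firewall])
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    cli = socket.create_connection(srv.getsockname())
    conn, _ = srv.accept()
    try:
        applied = apply_keepalive(conn, idle, interval, count)
        applied["enabled"] = keepalive_enabled(conn)
        return applied
    finally:
        conn.close()
        cli.close()
        srv.close()


if __name__ == "__main__":
    for fw, timeout in FIREWALL_IDLE_TIMEOUT.items():
        print(fw, timeout, keepalive_params(timeout))
    print(demo())
```

For a 60-minute firewall this yields a 2025-second idle time with three probes 225 seconds apart, so the last probe is answered (or fails) well inside the hour. On Windows the equivalent knobs are the system-wide KeepAliveTime and KeepAliveInterval registry values under Tcpip\Parameters, or SIO_KEEPALIVE_VALS per socket; without them the RFC 1122 default of two hours is longer than every timeout in the table, which is why “keep-alives are on” is not the same as “keep-alives are on and sized correctly”.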

Epilogue:

TCP settings are not specific to one product, one operating system or one device.  The TCP/IP stack is mostly deployed as a standard by “most” vendors, and your settings and capabilities most likely are going to vary.  If you are looking for the specifics of the Operating System, hardware, vendor or other product, PLEASE GOOGLE IT, or contact your vendor directly.  If they don’t know the TCP/IP tuning parameters, stop buying their equipment, they’re too stupid to deserve your money.  As always, this is my 2¢, YMMV.  All rights reserved for those products that I’ve mentioned by name.


The Internet is now like the Wild West: IBM consultant
500 per cent rise in malicious Web links: IBM report…

Really? This is new?  As if this wasn’t said before? Why is it now news? Slow news day?

Since as long as I can remember, we (the Infosec community) have been making this statement.

Here, see for yourself…http://tinyurl.com/msksqj and click on the “Timeline” feature…

I mean, come on, yes, there is a rise in malware, rise in attack vectors, rise in vulnerabilities… What are you going to do about it?

We’ve tried the DMCA, to keep people from reverse engineering software… that didn’t work….

We’ve tried to have products in place to be reactive to vulnerabilities, That doesn’t work either…

We’ve tried to educate our users… that works… somewhat… when they listen…

We’ve tried to put in firewalls, Intrusion Prevention, etc… that partially works…

We’ve tried to keep our operating systems patched, but the vendors don’t code with security in mind, so there are more and more vulnerabilities in our OS’s than we can shake a stick at… (all OS’s, not just windows, but Linux and Mac too…)

However, we haven’t had anything new in the information security industry in the past 5 years: no new technology, no new protections, no revolutions.

However, criminals are getting more organized, tools are getting easier to use, technology barriers to entry of data theft are lower, and the vulnerabilities are still coming.

Let’s get our collective heads out of our asses, and put them together and design something new, that can defend us from these threats…

By the way, the sky isn’t falling, it’s the same normal noise level we’ve had for the last 10 years… There’s just some show-boating going on.


Cisco wireless LAN vulnerability could open ‘back door’ – Network World.

Ok, really? Come on, you must be bluffing.  People ask me all the time why I don’t pursue a Cisco Certification path in my career.  Here is why.  This is the company that has foisted such slogans as

  • “Changing the way we work, live, play, and learn.” (1996)
  • “The Worldwide Leader in Networking for the Internet”(1997-2002)
  • “Empowering the Internet generation.” (1998-2002)
  • “The fastest way to increase your Internet Quotient.” (1999-2001)
  • “This is the Power of the Network. now.” (2003)
  • “Discover a new world of Productivity.” (2003)
  • “The Network Works. No Excuses.” (????)
  • “Data Center 3.0″ (????)
  • “Welcome to the Human Network” (????)
  • “The Network is the Platform” (????)
  • “The Self-Healing Network” (????)

I mean really.  John Chambers should be PISSED.  This is the kind of engineering I expect from a “has-been” company, or a really STUPID startup.  However, if Cisco would have embraced the “hacker community” instead of shunning it, perhaps Cisco’s technical expertise and prowess would be still employed at Cisco, instead of being at Juniper Networks, CheckPoint, Microsoft, and others.

I’ve been saying this for years, but perhaps it’s now the clearest time for someone at Cisco to listen.  Get back to your core competency; Routing.  Everything else you try to do is a distraction.  Come on, do you really think that I’m going to build a data center with Cisco blade servers? (Who? Cisco? Servers? What?)  Pluuuheeese.  Stop trying to do everything, and do ONE THING RIGHT.

I refuse to believe that Cisco didn’t know about the above vulnerability when they purchased the product (We all know that Cisco doesn’t invent stuff anymore, unless it’s trying to patent someone else’s fix for a broken protocol), but really, I’m sure that a cost-benefit-analysis was done on the vulnerability, and it wasn’t “important” enough to fix at the time that they purchased, re-badged, and shipped out the “new” lightweight access points.

Any idiot with half a brain who has spent more than 30 minutes working on wireless networks knows that you don’t send anything in the clear that you don’t want subverted, so really, Cisco, how did this happen?

How about you reach out to the information security industry, (the same one that you claim to belong to), and ask for help?  There are many researchers who would be willing to help you, as long as you’ll sign a waiver to never sue…

Finally, I’m happy to be working on my Juniper certifications.  They aren’t perfect either, but at least they don’t sue researchers to keep them from releasing vulnerabilities that the vendor refuses to fix.  Oh, and they have a much faster platform.

That’s my 2¢, YMMV.

(Note, the comments above represent my personal opinion, and in no way are related to any positions I may have held in the past, present or with future companies.  These opinions are mine, and mine alone, and are not representative of any company, service, system, software, hardware, automobile, table, chair, any person (dead or alive), or anything.  If you want to try to sue someone, please sue yourself.)


Here I am, on the hunt again.  I can’t help but think of the poster available on Despair.com, that says, “Dysfunction – The only consistent feature of all of your dissatisfying relationships is you”.

I have been looking for the wrong types of companies to work for.  I realize that now.  I will no longer work for “start up” or privately funded, emerging technology companies.  I am going to work for a large name, public company, who has stability, experience, and where I can find a position where I can apply myself.  This may mean that I have to be “picky”, however, I will wait.  There are enough contract jobs to keep me busy for a while, and I will no longer seek those positions that sound so enticing.  I’ve learned a valuable lesson in the last 3 years, and that is, Start Up companies do not value their employees.

I have worked for many companies, and as far back as I can recall, they have replaced me with at least 3 new staff once I had departed.  I was burning myself out, taking on too much work and responsibility, without recognition for my accomplishments.  The sad part is that I truly thought that I would be with those companies until I retired, and I therefore poured my heart and soul into my work.  My family suffered, as I worked long hours and weekends; my health suffered, as I couldn’t “find time” to exercise; and my friendships suffered, as I no longer had time for anything or anyone else.  Well, to all those who have mentioned it to me, I have seen the truth.  (And thanks for the warnings, gripes, and reminders)

I am tired of being “A victim of my own abilities”.  I will work hard for my next employer, however, that work will end every day.  My weekends will be mine.  My time is MY TIME, and the company’s time will be the company’s.  I don’t know where I lost the balance between life and work, but I will focus on bringing it back to my life.  These few weeks off have given me the insight as to what is truly important in my life.  I have seen moments of my children’s lives that I would have otherwise missed, and I’m a proud father, enjoying every little success of my children, regardless of how small.  I missed that feeling.  I am now bitter that I have already missed some significant achievements of my children over the past 3 years, to be told of them over the telephone, or to see a picture of them… it just isn’t the same.

So, my warning to all of you job seekers: keep in mind BALANCE, it’s more important than you think.  And for any employers who may read this, I will work hard, until the day ends.  I can work odd hours if it is ABSOLUTELY necessary; however, I will not burn the proverbial midnight oil just because someone else didn’t do their job.   Family and living come first, work is 2nd.  That’s the truth, and I will find the position where I can have the quality of life that my family and I deserve, even if I have to wait 10 years.

I didn’t mean for this to be a rant, but it is the truth.

My resume is posted online for those of you who are looking for a solid Information Security professional who is seeking a balanced job…

Let me know what you think…


Encryption & PCI…

September 2nd, 2008

Well, reading some of the PCI requirements can be quite boring… however, I stumbled across an interesting footnote on a failed scan recently.

Apparently, you will fail a PCI scan if you are using any IPSec VPN connections that allow a 768-bit modulus for the Diffie-Hellman key exchange for IPSec tunnels.

The size of the modulus used to calculate the key varies according to the group:

  • Group 1: 768-bit modulus (many attacks exist against Group 1 today… not recommended by this author)
  • Group 2: 1024-bit modulus (even Group 2 is getting too small for practical security use)
  • Group 5: 1536-bit modulus
  • Group 14: 2048-bit modulus (defined in RFC 3526; the usual floor for new deployments)
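Since a scanner only sees what your gateway negotiates, the useful check is on the configured proposals themselves. The following is an added example (not code from the original post) that maps MODP group names to modulus sizes and flags every proposal below a chosen floor. The proposal strings are constructed, in strongSwan ‘modpNNNN’ and Cisco ‘group N’ style, and the 2048-bit default floor is this example’s policy choice; the post’s scan failure at 768 bits corresponds to min_bits=1024 here. It goes beyond the three groups listed above by including the RFC 3526 groups 14 through 18.

```python
"""Flag IKE/IPsec proposals whose Diffie-Hellman MODP group is too small.

Added example for this post, not code from it. The proposal strings are
constructed (strongSwan 'modpNNNN' style and Cisco 'group N' style) and the
2048-bit default floor is this example's policy choice; the post's PCI scan
failed at 768 bits, which corresponds to min_bits=1024 below.
"""
import re

# Modulus size per MODP group: 1 and 2 from RFC 2409, 5 and 14-18 from
# RFC 3526. The post lists only groups 1, 2 and 5; the rest are added here.
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072,
                 16: 4096, 17: 6144, 18: 8192}

# Matches either a 'modp1024' token or a 'group 2' / 'group2' token.
PROPOSAL_RE = re.compile(r"modp(\d{3,4})|group\s*(\d+)", re.IGNORECASE)


def dh_bits(proposal):
    """Return the MODP modulus size in bits named by a proposal, or None
    when it names no MODP group: an ESP proposal without PFS, or an
    elliptic-curve group (ecp256 and friends), whose strength cannot be
    compared with a modulus size and is deliberately left out here."""
    m = PROPOSAL_RE.search(proposal)
    if not m:
        return None
    if m.group(1):
        return int(m.group(1))
    return DH_GROUP_BITS.get(int(m.group(2)))


def weak_proposals(proposals, min_bits=2048):
    """Return [(proposal, bits)] for every proposal whose MODP modulus is
    below min_bits, in input order. Proposals with no MODP group are
    skipped rather than flagged."""
    found = []
    for p in proposals:
        bits = dh_bits(p)
        if bits is not None and bits < min_bits:
            found.append((p, bits))
    return found


# Constructed sample: one entry per configured proposal.
IKE_PROPOSALS = [
    "aes256-sha256-modp2048",   # group 14, passes a 2048-bit floor
    "aes128-sha1-modp1024",     # group 2, below a 2048-bit floor
    "3des-sha1-modp768",        # group 1, the case that failed the PCI scan
    "aes256-sha384-ecp384",     # ECDH group 20, not a MODP group: skipped
    "aes256-sha256",            # ESP proposal without PFS: no DH at all
    "group 5",                  # Cisco-style 'crypto isakmp policy' line
]

if __name__ == "__main__":
    for proposal, bits in weak_proposals(IKE_PROPOSALS):
        print(f"WEAK {bits:>4}-bit DH: {proposal}")
    # Threshold matching the post's scan: only a 768-bit modulus fails.
    for proposal, bits in weak_proposals(IKE_PROPOSALS, min_bits=1024):
        print(f"PCI FAIL {bits}-bit DH: {proposal}")
```

Run against a real config, the list of proposals would come from the gateway’s own configuration dump; the point of keeping elliptic-curve groups out of the comparison is that a 384-bit ECP group is not weaker than a 2048-bit MODP group, and a naive “bits below the floor” check would wrongly flag it.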

It is, however, VERY interesting that you can keep your WEP-encrypted wireless networks…. until 2010, but can’t deploy any NEW ones after March 31st, 2009!      :)

“New WEP deployments won’t be allowed after March 31, 2009, and current implementations must stop using WEP after June 30, 2010.”

Gotta love them standards…. So quick on the uptake…


© 2008-2010 dc0de's notes... & dc0de.com All Rights Reserved