
10.15.2007

Introducing Pulse

Well, if you've been doing DNS zone transfers on VulnerableMinds.com then you already know, but for the rest of you Pulse has been a mystery. Begun as Project Tango, Pulse was meant to do one thing: give you a summarized, quick, complete look at the status of the information security threat landscape. It's a simple concept, but a lacking resource on the Internet.

Pulse came out of my own needs as a threat analyst. Work leaves me with no shortage of projects, research, emails, and meetings, and yet there is the imperative need to have a complete view of what vulnerabilities, exploits, and malcode are affecting all platforms. RSS feeds were a good start, but I quickly found myself reading dozens of feeds a day, many filled with useless information. Many I was able to replace or weed out, making it easy to get general news and opinions, but I still needed more. I still needed information about threats, vulnerabilities and the code to exploit them, but struggled with so many feeds, and I still spent a huge amount of time reading unimportant information.

To this end I decided I needed a tool of my own, something to bring all these feeds together into one place and yet eliminate the chaff, the low threat, the endless mailing list responses; the unnecessary.

The result is Pulse.

Now Pulse is a huge part of my daily workflow. I start my day with it, along with SANS Internet Storm Center and Arbor Networks Atlas portal. I feel that this combination gives me all the information I need to know to be on the "pulse" of the infosec threat landscape. 


I'll quit waxing philosophical about the why's and hows. It's straightforward, but I feel like it meets a need that isn't easily being filled by other services available on the Internet. So take a look, use it, enjoy, and feel free to send me feedback. Pulse isn't done, it's not finished, it's just beginning. To find out more:

8.12.2007

Since Defcon...

Sorry for the complete lack of updates from me since Defcon. I've had plenty to write up, share, and rant about (as is my wont), but I'm in somewhat of a tenuous circumstance regarding my blogging, so I figure better safe than sorry, and thus I'm keeping my comments to a minimum. Hopefully some of the other Minds will pick up the slack. We shall see.

6.25.2007

Bad Reputation vs Bad Assumptions

I was wandering through my blog list today and, by way of the ever enjoyable Observations of a Digitally Enlightened Mind, came across an interesting but, in my opinion, totally unfounded and flawed article related to security.

The article in question is one where PopSci published a list of the 10 Worst Jobs in Science. Many of them are truly awful and I wouldn't wish them on my worst enemy. Mind-numbingly, stomach-turningly bad. It was at #6, nearly halfway down a terrifying list, that the job in question was described.

Now I've been a Microsoft hater in my day, no question. As a security-type person they've been quite the headache at various times, and as an Apple fan I don't really find it an enjoyable system to use. That being said, if Microsoft were to track me down and ask if I was interested in a job working with their security teams I'd jump at it.

Now the article is very correct about one aspect of it. Microsoft does wear a big "Hack Me" sign. It'd be nonstop pandemonium. Attacks at every angle, computer criminals gunning for you every day. If it's not the operating system it's the office suite; if it's not the office suite, it's the browser. There are few pieces of code attacked as aggressively as Microsoft's; it comes with the territory when you dominate the marketplace in so many genres the way they do. Microsoft should wear that "Hack Me" sign proudly, maybe with a big gold chain (which they can afford) and some bling letters.

So yes, under attack constantly. While I can't speak for anyone else that's exactly why I'd want to work for them, and I think that's perfectly natural. Surgeons may not like people being sick or hurt, but they sure enjoy cutting them open, or so I'm told (by my uncle who is one). It's the same with information security. A week (like the past couple) with few large threats gets dull quickly. Now the week when the ANI attacks came out, that was fun. Would working for Microsoft be easy? Not in the least but rarely do people learn when they're "safe". They don't grow without challenges.

If I wanted easy I'd go be a security guy for a small mom and pop somewhere, nice and safe, with a small number of supported apps, a smaller number of machines, and five users I could personally beat for being stupid. The Microsofts, Amazons, Mozillas, government groups and financials are in the thick of it, defending dozens of complex pieces of software, hundreds of thousands of machines, and billions of dollars. The Internet is a very dangerous place for groups like those and I believe that's the most attractive reason to work for them.

4.29.2007

A Safer Apple Experience per Grandma Roberts

In these days where everyone is getting worked up over OS X vulnerabilities it's somewhat easy to not know quite how to respond. I love my grandmother partially because even though she may not read all the warnings on SANS Internet Storm Center or read John Gruber's surprisingly enjoyable and fair interview with Dino Dai Zovi, she will email me anything she sees on CNN.com or gets via email about computer security. It's really quite touching and means a lot that she cares enough to take an interest in what I do.

It also throws some things into a different perspective for me. I often ask myself how this, be it a new vulnerability or defensive technology, would impact my grandmother. Now I've heard of this technique used to shift paradigms and gain a better understanding of a technology, but for me it's also protection, since I never know when my next call to Grandma could turn into "So Scott, is my Mac going to get broken into?"

What can I say? My grandma is a proactive person. It puts a lot of pressure on a guy. I'm used to explaining the newest vulnerabilities, exploits, worms, and attack techniques to a cadre of some of the finest information security analysts in the world. I'm used to producing technical write-ups that go to highly skilled information security teams all over the world. Explaining how Dino D's exploit will impact my grandmother? Much more complicated. It can't be an "Oh, don't worry, it'll be fine Grandma, I promise." No sir. Last time I tried that was over a printer, and so insistent was my grandmother on getting it sorted out herself that I ended up wearing half a cartridge of printer ink. So I have to be prepared, if Grandma gets wind of this, not just to explain what's going on and its impact, but also how Grandma can mitigate the issue for herself.

I figure such things might also be useful to the community in general. Perhaps you have a grandparent or parent with a similar iron will and determined interest. Perhaps you're just curious. Here goes.

Scott's Guide to Securing Grandma's Mac:
  • Disable the automatic "Open 'Safe' files after download." in Safari.
  • Disable Java in Safari.
  • Turn on the Firewall.
  • Stop using the Administrative Account for day to day stuff.
  • Use strong passwords on all user accounts.
  • Give Keychain a different password than your user password.
  • Turn on Filevault.
There ya go. That's the basics, as per Scott Roberts and, even though he may not remember it, Timothy Martin. Most of those steps, though very similar to those Dino himself recommended, were pulled from a presentation Tim and I gave as the Security Geniuses for the Penn State Mac Users Group more than two years ago. Oddly enough they're still relevant. Some things never change.
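Added here as an example, not code from the post or from the presentation it mentions: a small POSIX sh audit that checks whether a Mac already matches four of the items on the list above (firewall on, FileVault on, Safari's "open safe files" off, daily account not an admin). Each `eval_*` function takes the raw output of a macOS admin tool and returns 0 when the setting is in the safe state, so the decision logic runs anywhere; `run_audit` wires them to the real tools only on a Mac. The tool names, output strings and the `AutoOpenSafeDownloads` preference key are assumptions about Apple's admin tooling (the Safari key's storage location varies between Safari versions, and current Safari ships no Java plug-in at all), and password strength and the Keychain password can't be inspected this way, so those items are deliberately left out.

```shell
#!/bin/sh
# Grandma's Mac audit (added example; assumes the macOS tool behaviour noted
# in each comment). Exit status 0 = matches the checklist, 1 = does not.

# Application firewall: `/usr/libexec/ApplicationFirewall/socketfilterfw
# --getglobalstate` prints "Firewall is enabled. (State = 1)"; State = 2 is
# the stricter "block all incoming" mode, also acceptable.
eval_firewall() {
  case "$1" in
    *"State = 1"*|*"State = 2"*) return 0 ;;
    *) return 1 ;;
  esac
}

# FileVault: `fdesetup status` begins its report with "FileVault is On." or
# "FileVault is Off.".
eval_filevault() {
  case "$1" in
    "FileVault is On."*) return 0 ;;
    *) return 1 ;;
  esac
}

# Safari "Open 'safe' files after downloading": `defaults read
# com.apple.Safari AutoOpenSafeDownloads` prints 0 when the box is unticked.
# An empty result means the key was never written, and Safari's default is
# ON, so "nothing" must count as a failure rather than a pass.
eval_safe_downloads() {
  [ "$1" = "0" ]
}

# Day-to-day account: `dseditgroup -o checkmember -m "$USER" admin` answers
# with a line starting "yes ..." or "no ...". For daily use we want "no".
eval_daily_account_is_standard() {
  case "$1" in
    no*) return 0 ;;
    *) return 1 ;;
  esac
}

# report LABEL STATUS: one line per check, status 0 => PASS.
report() {
  if [ "$2" -eq 0 ]; then echo "PASS  $1"; else echo "FAIL  $1"; fi
}

# Runs the real tools; only meaningful on macOS, returns 2 elsewhere.
run_audit() {
  if [ "$(uname)" != "Darwin" ]; then
    echo "run_audit: not macOS, nothing to inspect" >&2
    return 2
  fi
  fw=$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>/dev/null)
  eval_firewall "$fw" && s=0 || s=1
  report "Application firewall turned on" "$s"

  fv=$(fdesetup status 2>/dev/null)
  eval_filevault "$fv" && s=0 || s=1
  report "FileVault turned on" "$s"

  sd=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null)
  eval_safe_downloads "$sd" && s=0 || s=1
  report "Safari 'Open safe files after download' disabled" "$s"

  acct=$(dseditgroup -o checkmember -m "$USER" admin 2>/dev/null)
  eval_daily_account_is_standard "$acct" && s=0 || s=1
  report "Daily account ($USER) is not an administrator" "$s"
}

# `sh audit.sh --run` performs the live audit; sourcing the file just
# defines the functions.
if [ "${1:-}" = "--run" ]; then
  run_audit
fi
```

The live checks read state rather than change it, so the script is safe to hand to someone who just wants to know what is still on the to-do list; fixing a FAIL is done in System Preferences exactly as the checklist describes.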

Not enough for you? You want more Mac security goodness? Oh well, I've got that too:
There ya go. That's four different ways to lock down your Mac. Are they perfect? No, not quite, but as fellow Vulnerable Mind Rolf constantly says "You're only 'secure' in a single moment. Staying secure is a process." Wise words from the Vulnerable Minds elder.

4.24.2007

My Lunchtime Hack

If you're anything like me and you have a lot on your plate at work you may be inclined, as I often am, to take lunch at your desk. It's a common thing and often lets me get extra things accomplished without staying later than I already do. Still, there is something to relaxing a bit away from the office, which is why I usually go out to lunch.

I've since found a respite to go with whatever I packed for lunch. At the recommendation of al3x I started checking out Google's TechTalks. Described by Google as being "...designed to disseminate a wide spectrum of views on topics ranging from Current Affairs, Science, Engineering, Humanities, Business, Law, Entertainment, Medicine, and the Arts," the series lives up to it. More than a few are even security related, and not just any script kiddies.



So I recommend getting your sandwich/salad/whatever, putting on some headphones, and really learning something next time you have a few minutes.

12.27.2006

I know him, even if no one else does now

Every so often something hits the Internet that rocks the foundation of a group. Not simply because it's something new, something innovative, something that changes the way you think, but because you also know the guy who did it. Now I've had friends who've made their impact on the net. I've even been involved myself a few times. I had a friend who beat up a mugger with an iPod Mini, leading to a whole slew of jokes on various Apple related blogs.

This takes the cake.

In an act of extreme interest in the betterment of mankind and improving the security for us all, an associate of mine, one Mr. Mark Lance, has shown a huge flaw in the policies and procedures of the NoVA DMV.

Video 1


Video 2


Now this demonstrates many things about the insecurity of our main system of identification in this country. I don't think I need to insult you, nor repeat the already well spoken words of Mr. Bruce Schneier. But yeah, I know that guy. Crazy isn't it.

12.20.2006

The Degree Debate - Is a degree necessary in tech?

This post is a little close to the vest (is that the actual phrase?) so I'm not quite sure where it's gonna go.

As I state quite freely in my 'About Me' bit on my blog, I have not yet fully completed my Bachelor of Science degree in Information Sciences and Technology from Penn State. It's close, only 10.5 credits away.

The Breakdown:
- 3 credits of IST331 - An Introduction to Human/Computer Interaction.
- 3 credits of either IST412 (Structured Programming) or IST413 (User Interface Design).
- 3 credits of IST440w - IST Senior Capstone Class.
- 1.5 credits of Kinesiology (aka Gym Class).

I planned on finishing all these requirements this past fall, taking a ninth semester. This choice was made last spring, and a week after, I got my job offer from my present employer. After deliberation I decided it was too good an offer to pass up, and so here I am outside our nation's capital, doing my thing.

Ever since then everyone and their brother (or more often mother) has harped on me about how important it is that I get my degree. I hear reasons like "You're so close!" or "You'll only go so high without a degree!" or "What if you lose your job?" day in and day out. I'm already wondering how many conversations I have with my family this Christmas will be 3 minutes about my new job and 7 minutes having a family member, who most likely is making less money than I do with lower job security and multiple mouths to feed, lecturing me about how I'm in an unstable situation and need to finish my degree.

The more I think about it I just want to turn to them all and ask "Do I really? I'm not so sure I really do." Honestly I'm not convinced. I have a few reasons for this. The computer industry is not the business industry of the 1980s. A Bachelor's degree is not a magic ticket. While there are many talented people in this business that have degrees there are nearly as many equally talented people who don't have them. Nicholas Negroponte is building his own computer to change the world, and he has a PhD. Bill Gates and Steve Jobs also built their own computers that changed the world, and they were dropouts. Bruce Schneier has a Master's in computer science from American University and is (or was, depending on people's opinions) a leader in the security field. H.D. Moore is also a leader of the security field and as far as I can tell never went to college at all. Even closer to home I have good friends who are leaders in the computer security world, some with degrees, many without.

Since it seems to have little to do with my overall success in my chosen field I always question what a degree will do to benefit me. If you scroll back up and look again at the classes I'm going to have to take I think you'll agree that they aren't really relevant to my career path. IST440w especially seems stupid, since the whole point is to prove you can survive in the business world. Guess what, I think I'll be ok. Maybe it's the gym class that I need.

Now that I've ranted enough about this I'm going to admit that I do plan to finish my degree soon. The combined forces of being so close, having an employer who will pay for it, the desire to be a professor someday (and thus needing a PhD to go with a BS), and my parents' wishes are too much for me to fight against. I'm still not convinced it's necessary, nor a real boon in the InfoSec/Computer field anyway.

I'd love to hear various people's thoughts on this. Do you think a degree has helped or will help you? What skills do you think you gained in an educational environment that will help you in business? What gym class should I take? These are all important questions, and I hope some of you, my readers, will take the time to answer them.

12.17.2006

Snort 3: Preview

Lately I've had an increasing interest in Snort, everyone's favorite open source Intrusion Detection System. While my last project with it ended up being less than effective, it has led to the possibility of a much more interesting project, so I count it a blessing in disguise.

I've been using Snort quite a bit since starting my new job, but since this last project I've been studying it on a new level. Running two installations was a start, sometimes even running a third, since HenWen is easy and pretty. Last Monday I attended my first meeting of the new Northern Virginia Snort Users Group (no link sadly), a nice collection of professionals very willing to share their knowledge about Snort.

But this is where Snort is now. For those of you curious about the future, here it is. A good read if you're interested in the future of IDS, as it looks like Snort is going to push the envelope of what's expected from Intrusion Detection.

12.06.2006

Is infosec all about the benjamins?

Author's Note: This post has been a very long time in coming and has been reworked more times than I care to count. Coming up with the correct perspective was tough, but I think I captured it. Finally. (On a second note I wrote this before I started my hopefully last set of revisions, so we'll see.)

There was a somewhat depressing message board post that I stumbled across today in the Security Basics list of SecLists.org:

Date: Fri, 01 Dec 2006 22:09:12 +0000

Evening,
Showing my age I'm finding it increasingly difficult to find security geeks who
are truly passionate about security. There seems to be a recent trend in
unpassionate people chasing either the money, an easy ride or something that
isn't as dull as network or system administration.
So how would you identify passion quickly, personally I like what cons have you
been to? If they are passionate but poor they would reply none but I'd like
to .... What books have they bought, what tools do they use what sites
do they visit email them at night and see how long it takes them to reply

what else?

--
Andy Cuff

I've been thinking a lot lately about the polarization of the information security industry as it's grown. Let's take a look back.

A few years ago there were no security jobs, and very little security industry. Hackers were pesky, annoying people whom sysadmins had to cope with. Network worms were largely theoretical. Security was merely a secondary function of many different jobs, such as website designers, network managers, and client support teams. These admins, programmers, and support reps began learning new skills as necessary, related to their primary responsibilities. As security events became more prevalent, with more high profile computer compromises and worms like Code Red and Slammer, these people morphed into the vanguard of information security. Different jobs by trade, they quickly moved in to fill this emerging need. These were the first, the amateurs who became more. Most of the information security ranks, large as they are now, are filled with these people. They come from computer science degrees, information systems degrees, business degrees. Many have no degree at all, merely drive, the ability to learn, and the desire to be pioneers. Many of them have been blackhat hackers themselves, turning over a new life, reinventing themselves as today's protectors, giving them an insight and understanding that few can conceive.

A few years ago this model was realized by the military, and later academic, community. They realized that as more and more value was placed on computers and on the Internet that we'd need more of these people. Until around 2000 these people had grown and learned organically, but universities decided they needed to be manufactured. The result? Degrees like: Security and Risk Analysis (from my own Alma Mater), Information Technology Security, Information Assurance, even (my personal favorite) Information Security Engineering, and many others. All these programs under all these names resulted in one thing, a new breed, 75% computer scientist, 15% script kiddie, 10% policy wonk, the Information Security Professional.

The piece of this post I've been missing, my point, was exactly what Andy brought up. I'm frustrated that this new generation, these Information Security Professionals, have no passion, no desire for it, no deep abiding curiosity. At first I figured it was more about the old guard hackers vs the new school professionals and thought that was the difference, but it didn't feel right. I got in my fair share of trouble and may have done some things in high school that would loosely be defined as compromising a system, but I can't lay claim to ever being a blackhat. I can't claim to be a hacker in the media-given sense of someone who pops boxes for fun. I am, have been, and will be, for most of my career, a defender. I've been trained not from Phrack or attending 2600 meetings, but through personal research and even some classroom activity. Yet I feel more akin to those from that older group than these new "professionals". I wondered why this was, since based on my technical aptitude it often feels like I fall closer to the new breed. Passion, I realized, that was the difference, the deciding factor. It's not taught, no matter how many 400-level Security Architecture, Ethical Hacking, and Risk Assessment courses a person takes. That's the missing element, that's the difference, and I somehow think the future of this industry is going to hurt as a result.

So where's that leave us? I don't know, give me 10 years and I'll tell you. I hope things turn around but between now and then I know I am going to continue to try to surround myself with those who have the passion for what we do. Those people will be the difference between innovation, and simply firewall maintainers.

12.03.2006

Before you mention it...

One of my least favorite things is when something from the infosec world makes the "real" news. There's stuff going on all the time that could drastically affect everyone who's ever even thought of being near a computer, but they're often ignored, and it's a mystery to see what becomes big news, and what's ignored.

Example:

Big Issue That Was Largely Ignored: Net Neutrality

The Internet being segmented based solely on how much money you spend to be on the Internet. Spent millions per year to have multiple OC-3 connections directly to a backbone? You get priority. Spent $40 per month (which is still way too expensive, Comcast) to get a mid-range home cable connection? You're a second-tier citizen whose needs and wants come second.
Results: Companies like Microsoft, Comcast, Verizon, and others paying to control the Internet to make even more money than they do now. For people like you and me YouTube becomes impossible to use, those with the desire to can run even fewer home servers than now, and the general expectations you have of how the Internet should act go out the window.

Minor Issue That Is Getting Huge Attention: The "Cyber Jihad" Against the United States Banking System
One small extremist website has announced they're going to attack the US financial infrastructure during the month of December. Hmmm, terrifying. Guess what, attacks happen all the time. There are already attacks coming from every edge of the globe all the time. Crime goes where the money goes. Banks have money. Put two and two together. Figured it out?
Guess what, the banks have too, most of them back in the 1990's, and the vast majority of them are well prepared. While I have no evidence to support this I feel pretty safe saying that the financial world is second only to the military in being ready to deal with cyber threats. In some cases the military could probably even learn a thing or two. I'm not really concerned that I'm going to wake up in the morning and find my bank compromised by Muslim extremists any more than I'm worried about the Falun Gong, the Tamil Tigers, or some random kid in a basement in Idaho.

Now I don't blame the people around me who get worked up about this sort of thing. I blame the media, their biases and their ignorance, for which stories get big play and make the 6 o'clock news, and which ones never get mentioned off the infosec-specific news sites. That's not my friends' and family's fault. What I am tired of is when everyone from my friends and family to random people I meet on the street want to tell me about whatever issue makes it into the media as though I've never heard of it before, insinuating that I personally, and the security industry in general, aren't prepared for it, and in such a way that they've done me a favor by informing me of it.

Now asking me about something like the Cyber Jihad, knowing the field I'm in, is fine and I'd be happy to give my opinion if asked for it (I'm sure you're muttering something about my willingness to provide opinions right now). I actually enjoy that. That being said, don't insult me by expecting I have no idea about something that you caught on CNN and acting like you're helping me out. Security people, be it information security, physical security, homeland security, or any other security, are news junkies of the highest caliber. Security thrives on being aware of the changing threat landscape, so it's safe to assume that not only is any security person you know very in tune with mainstream media, but is also tapped into many industry-specific news sources, and was probably intimately aware of and already moved on past any event before it even makes it to some mainstream media editor's desk.

So thanks for the tip, whatever it was, but I was already aware. Save the energy and give Security Focus or the Internet Storm Center a look. You might learn something.

Out of curiosity: Am I the only one who deals with this and feels this way?

11.26.2006

So is H.D. Moore the InfoSec Gretzky?

Richard Bejtlich made one of his more fascinating posts today talking about the breakdown between offensive and defensive information security professionals, using an apt analogy about hockey.

Now I'm not much of a hockey player (though I did play lacrosse, the sport hockey was derived from), but most of his points, at least on the surface, made a lot of sense. I'm going to take overnight to let it roll around and decide what I think, but I already posted a quick response in the comments section.

Give it a look, leave me your thoughts, and I'll be back with more sometime tomorrow.

4.23.2006

Maybe I should take back those things I said about Pittsburgh

This past Friday I received a very interesting phone call from CERT, the United States Computer Emergency Response Team. For those not familiar with this group:

CERT is a center of Internet security expertise, located at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University. We study Internet security vulnerabilities, research long-term changes in networked systems, and develop information and training to help you improve security.
Needless to say this group includes some serious computer security ninjas, and thus I felt flattered when asked to interview for one of their analyst jobs. Thankfully they were very understanding when I told them about my approaching start with a major security vendor. I was in fact very kindly congratulated and asked if I had any other colleagues to recommend to them (if you're interested, contact me).

After this conversation I got curious about all the things CERT does, since while I knew of them I didn't really know much about their goals and operations. I poked around their site, read some of their whitepapers, and generally enjoyed their resources. My personal favorite, and the one I most wanted to share, was the CERT Survivability and Information Assurance Curriculum.

As someone who tried, with mixed success, learning Information Assurance at a major university I can say it's incredibly difficult. Classes tend to miss out on many things that are important, especially when working in network security. Professors are often out of touch with what it takes to survive in the work force and those focused on Information Security are often the farthest out of touch. They get caught up in current, or even slightly out of date, technologies and fail to teach basics like advanced networking, the C programming language, operating system architecture, and secure coding, the very things that need to be the core competency of an information security professional. By far one of the best resources I've found for plugging these educational gaps is the CERT Survivability & Information Assurance Curriculum. This curriculum includes many things like networking, basic information security and infrastructure protection, and even a complete set of labs to add a practical component.

This is my new favorite resource by far for basic learning and, I'm quickly finding, for review. I began looking through the included CD image to see if it would be worth suggesting as a resource to some of my fellow researchers at school and ended up going in depth with it. I'm now using it as my own review to prepare for my own start in Corporate America as a security analyst. So if you're interested in getting into Computer Security, Network Security, or general Information Assurance, give it a look.