Super Nuclear Worm Invades Kazakhstan

2010 September 30
by aeon

After reading so much hype concerning Stuxnet, I decided it was time to separate fact from fiction. With all due respect to the analysts and “experts” in this subject matter, I figured it was time to add my two cents to the pool, coming from a “hacker’s” perspective. For the record, I’ve been professionally employed in the security arena since circa 1998, where my first “security based title” was security engineer for Register.com, which back when I worked there wasn’t a publicly traded company and had under 30 employees. Prior to my “professional” title, I had been involved with computing since 1991, when I began working at what was back then Chemical Bank, where I specialized in a few roles, my exiting role being assisting with fraud investigations under the “Accounts Reconciliation Department” at 55 Water Street, NYC. This gives me 19 years of professional experience, with the vast majority involved in security in almost all capacities.

Currently I work at a Managed Services Provider where I create a variety of Managed Security Services and again – my role is very broad. I could be performing CSO functions one day, performing incident response and forensics the next, followed by penetration testing, risk assessments, information security management, VoIP engineering, administration and design, to name a few. My days are never dull, they’re never the same, and I enjoy being able to dabble in enough different technology arenas, including Digital Signage, Video Conferencing, and the list goes on. With a brief bio out of the way, I’d also like to state that I have quite a few high level technical certifications (C|EH, CHFI, CPT, OSCP, etc., etc.), have been referenced in a few security related books, and have been fortunate enough to collaborate with and have discussions with the heaviest hitters in the security industry.

Creating the Perfect “Pentesting” Storm

2010 July 19

Recently we underwent a SIGv5 audit for a customer of ours. From their page: “The Shared Assessments Program was created for all organizations that are concerned about information controls for personally identifiable client or consumer data in outsourced relationships. Originally created by six major US financial institutions, the Shared Assessments standards are used by outsourcers, service providers and assessment firms in a range of industries.” (http://www.sharedassessments.org/)

Of major concern to me was the information security assessment portion of the questionnaire. We had never truly implemented an in-house penetration test and rather than re-invent wheels, hire expensive contractors and so on, we developed our own “Red Team” to perform a quarterly penetration test and vulnerability assessment.


Even Einstein Can’t Track Google’s “Script Kiddie” Hackers

2010 March 9

If you choose to believe the writings of Mandiant, you’re under the impression that “Chinese hackers are hellbent on taking over every large corporation in the United States.” If you choose to follow the writings of McAfee[2], you’re under the impression that “Chinese hackers only wanted Google’s secret sauce” – their source code. If you choose to follow Damballa’s writings[3], the attackers who penetrated Google are amateur script kiddies. Take your pick; there is no lack of speculation.

Advanced Persistent Errata – Defending The Castle Part 1

2010 February 23
by aeon

Many security professionals have sent me irate comments via e-mail like: “You’re insane! You can’t block China!”; “How long have you been in security! You can’t block a whole country!” These remarks come in response to my writings concerning “cyberwarfare”, “China” and similar themes. In today’s blog entry, I bring to you: “Advanced Persistent Errata – Defending The Castle;” in other words, “Blocking ANYONE you damn well choose to block.” Security managers will recognize some of these themes specifically as ISO27002 11.4.4, as well as other controls listed in ISO27002 (11.1.1, 11.4.1, 11.4.6, and don’t forget the mentions of ISO 18028-1:2006, ISO 18028-2:2006, ISO 18028-3:2005, ISO 18028-4:2005, ISO 18028-5:2006). Enough about the numbering for now, as it can become headache inducing.

But They Have E-Weapons of Mass Destruction!

2010 February 22

Over at Forbes they posted an article[1] documenting how “dozens of defense contractors” for the United States government were compromised and have been getting compromised since 2003. Since the article mentions the year, I’ll use that same year as a starting point; however, other articles point to infiltration much earlier. After reading much of the same, I pose the question: “What keeps going wrong and why don’t they just minimize the compromise?” There will be those in many large companies – especially those in the defense industry – who will spurt “we can’t! It’s too sophisticated! You don’t know Jack!” It’s to IT professionals making those wild claims (we can’t) that I say: “You shouldn’t be in this industry.”

You Say Advanced I Say Structured

2010 February 16

Security professionals, industry heavyweights, forensics experts and others in the security realm are expounding many differing views of APT, which is becoming a more known buzzword thanks to media outlets (we’re no better). Many of these views are often confusing, and the fact that many in the industry aren’t privy to the full scope of an “APT” based attack is not helpful either. When I wrote the article “Defending Against the Advanced Persistent Threat”, it was based on publicly available information. Many professionals took shots at how I called it (I said that it was nothing new to see, so move along), and I still hold my ground when it comes to my views: There is nothing advanced here, so move along. Security professionals are highly competitive and rather than take cheap shots or call names, I will pick up from where I left off.

Defending Against Advanced Persistent Threats

2010 February 8

Wired has written a detailed report [1] on Mandiant’s findings in response to the hacks that targeted Google and other major companies and the report is both interesting and questionable. I have no reservations about the levels of expertise coming out of Mandiant or their findings; I do however, have reservations about the explanations and interpretation of what was summarized in the Wired article.

Government Incompetence Led to Cloud Compromise

2010 February 2

US government officials have demanded an investigation into the compromise of 52 government related websites being housed “in the cloud”. According to an article: “the hackers may have gained access through the content management system of third-party vendor GovTrends, although it cannot confirm this until more information is made available. It appears, however, that all the hacked websites are maintained through GovTrends. Joomla CMS, but not all House websites managed through this service, were victims of the attack.” [1] While Congress fiddles around demanding answers to “what happened?”, I sit wondering why a more specific question isn’t asked: “Why did it happen?” Not “why did the compromise happen?”, but “why in the world did the government get suckered into the cloud?”

Insecure State of the Union

2010 February 1

Cloud security enthusiasts and evangelists will be quick to downplay the significance of the latest “cloud compromise” news: “Hackers deface 49 Congressional House websites after State of the Union.” Whatever any of them say, the reality is what it is – government data does not belong on the cloud, period. “Shortly after the President completed his State of the Union speech, a well-known group of Brazilian hackers, Red Eye Crew, apparently had their own comments to make. Unfortunately, they decided to voice their Obama-directed profanities on House Congressional members’ websites. The same hackers had previously broken into sites for the U.S. Department of Transportation, the U.S. Department of Agriculture and NASA. Apparently all sites were hosted and managed by GovTrends, an Alexandria, Va.-based Web services provider. Likewise, 18 of the 49 hacked sites experienced similar attacks less than a year ago, through vulnerability with the same vendor.”

Tomorrow Is Another Day

2010 January 27
by aeon

TMCNET posted a pseudo-interesting document this morning entitled “Cloud Security Recommendations” and, in an investigative and logical fashion, I decided to analyze what was said by TMCNET and what is being said by others in the industry. I hereby introduce the “Top 10 Ways To Waste Corporate Money on Cloud Computing Security Assessments.”