Archive

Archive for July, 2007

Bejtlich’s Guiness World Record @ Blackhat…Largest (Attempted) Ettercap MITM Attack

July 30th, 2007 1 comment

Bejtlich_2So after finally making it to Vegas ( after 3 flight cancellations out of Logan) I got into my hotel room @ Caesar’s last night at around 2am in preparation for the week’s festivities at Blackhat and DEFCON.

This morning started out with Day Zero of Richard Bejtlich’s ("bate-lik" as he’s kind to remind you) TCP/IP Weapons School: Black Hat Edition.

What’s both sad and good about these classes is the reminder that the new attack vectors always seem to root back to old-school protocol tampering and the manipulation and application of attacks and exploits of vulnerabilities that still haven’t been mitigated.

The first half of the day has focused on good ol’ Layer-2 attacks; smashing the switch and the hosts attached for fun and…this works up the stack to more progressively evil layered attacks and abuse of all things holy.

Some folks might yawn at this approach, but Rich’s philosophy of starting with at the bottom and working up the stack reminds us of just how delicate the networks we take for granted still are.  There are many folks in this class that know a hell of a lot about attack/defend that still take some time answering questions as we go through the Wireshark protocol decodes.  It’s good mental gymnastics.  I’m way out of practice in some of this stuff.

To the topic of the blog entry at hand, we have about 60 guys and gals in this class and Rich organized a "lab" exercise that had 10 sets of "triplets" (sender, MITM attacker, recipient) participating in MITM attacks using Ettercap.

While I’m sure we’ve set no actual records (or perhaps we have!) it was fun to see how many people would disable the firewall rules on their laptops and subject themselves to intercept abuse 😉  The Hoff, however, remains entirely too paranoid to attach his machine to anything resembling a network here — despite the fact that it’s a bulletproof Mac 😉

It’s sad that Rich won’t be teaching this class anytime soon given his new job @ GE, because he’s a great instructor and his courses give a good balance of refresher, practical application of toolsets and in-depth protocol analysis all in one concise tidy package.

Thanks, Mr. B.

/Hoff

Img00020

Categories: Uncategorized Tags:

Follow-Up to My Cisco/VMWare Commentary

July 28th, 2007 No comments

 

Cisco_2
Thanks very much to whomsoever at Cisco linked to my previous post(s) onVmware_2
Cisco/VMware and the Data Center 3.0 on the Cisco Networkers website! I can tell it was a person because they misnamed my blog as "Regional Security" instead of Rational Security… you can find it under the Blogs section here. 😉

The virtualization.info site had an interesting follow-up to the VMware/Cisco posts I blogged about previously.

DataCenter 3.0 is Actually Old?

Firstly, in a post titled "Cisco announces (old) datacenter automation solution" in which they discuss the legacy of the VFrame product in which they suggest that VFrame is actually a re-branded and updated version software from Cisco’s acquisition of TopSpin back in 2005:

Cisco is well resoluted to make the most out of virtualization hype: it first declares Datacenter 3.0 initiative (more ambitiously than IDC, which claimed Virtualization 2.0), then it re-launches a technology obtained by TopSpin acquisition in April 2005 and offered since September 2005 under new brand: VFrame.

Obviously the press release doesn’t even mention that VFrame just moved
from 3.0 (which exist since May 2004, when TopSpin was developing it)
to 3.1 in more than three years.

In the same posting, the ties between Cisco and VMWare are further highlighted:

A further confirmation is given by fact that VMware is involved in VFrame development program since May 2004, as reported in a Cisco confidential presentation of 2005 (page 35).

Cisco old presentation also adds a detail about what probably will be announced at VMworld, and an interesting claim:

…VFrame can provision ESX Servers over SAN.

…VMWare needs Cisco for scaling on blades…

This starts helping us understand even further as to why Mr. Chambers will be keynoting at VMWorld’07.

Meanwhile, Cisco Puts its Money where its Virtual Mouth Is

Secondly, VMware announced today that Cisco will invest $150 Million in VMware:

Cisco will purchase $150 million of VMware Class A common shares
currently held by EMC Corporation, VMware’s parent company, subject to
customary regulatory and other closing conditions including
Hart-Scott-Rodino (HSR) review. Upon closing of the investment, Cisco
will own approximately 1.6 percent of VMware’s total outstanding common
stock (less than one percent of the combined voting power of VMware’s
outstanding common stock).  VMware has agreed to consider the
appointment of a Cisco executive to VMware’s board of directors at a
future date.

Cisco’s purchase is intended to strengthen inter-company
collaboration towards accelerating customer adoption of VMware
virtualization products with Cisco networking infrastructure and the
development of customer solutions that address the intersection of
virtualization and networking technologies. 

In addition, VMware and Cisco have entered into a routine and
customary collaboration agreement that expresses their intent to expand
cooperative efforts around joint development, marketing, customer and
industry initiatives.  Through improved coordination and integration of
networking and virtualized infrastructure, the companies intend to
foster solutions for enhanced datacenter optimization and extend the
benefits of virtualization beyond the datacenter to remote offices and
end-user desktops.

If should be crystal clear that Cisco and EMC are on a tear with regards to virtualization and that to Cisco, "bits is bits" and virtualizing those bits across the app. stack, network, security and storage departments coupled with a virtualized service management layer is integral to their datacenter strategy.

It’s also no mystery as to why Mr. Chambers is keynoting @ VMWorld now, either.

/Hoff

Categories: Cisco, Virtualization, VMware Tags:

Off to BlackHat and DEFCON…Sunday through Saturday

July 27th, 2007 No comments

Bhcircle2Off to Vegas for BlackHat and DEFCON for all of next week.

I’ll be there from Sunday (7/29) to Saturday (8/4)

What happens in Vegas will unfortunately, undoubtedly and unnecessarily NOT stay in Vegas because the FOIA and celebrity mugshots always undermines by best intentions.  A blog plea for bail money doesn’t help, either.

If you’re going to be there (and if you’re not, why not?) then hook up with The Hoff and his merry band of "InfoSec Professionals."  Give me a ping via email ( choff [@] packetfilter [dot] com ) or SMS/Call +1.978.349.8882

If you can’t find us, look for the smoke, sirens and g00n squad.

/Hoff

Noltemug

Categories: Travel Tags:

Remotely Exploitable Dead Frog with Embedded Web Server – The “Anatomy” of a Zero-Day Threat Surface

July 25th, 2007 No comments

WebserverfrogYou think I make this stuff up, don’t you?

Listen, I’m a renaissance man and I look for analogs to the security space anywhere and everywhere I can find them.

I maintain that next to the iPhone, this is the biggest thing to hit the security world since David Maynor found Jesus (in a pool hall, no less.)

I believe InfoSec Sellout already has produced a zero-day for this using real worms.  No Apple products were harmed during the production of this webserver, but I am sad to announce that there is no potential for adding your own apps to the KermitOS…an SDK is available, however.

The frog’s dead.  Suspended in a liquid.  In a Jar.  Connected to the network via an Ethernet cable.  You can connect to the embedded webserver wired into its body parts.  When you do this, you control which one of its legs twitch.  pwned!

You can find the pertinent information here.

A Snort signature will be available shortly.

/Hoff

(Image and text below thanks to Boing Boing)

The Experiments in Galvanism frog floats in mineral oil, a webserver
installed it its guts, with wires into its muscle groups. You can
access the frog over the network and send it galvanic signals that get
it to kick its limbs.

Experiments in Galvanism is the culmination of studio and gallery
experiments in which a miniature computer is implanted into the dead
body of a frog specimen. Akin to Damien Hirst’s bodies in formaldehyde,
the frog is suspended in clear liquid contained in a glass cube, with a
blue ethernet cable leading into its splayed abdomen. The computer
stores a website that enables users to trigger physical movement in the
corpse: the resulting movement can be seen in gallery, and through a
live streaming webcamera.

    – Risa Horowitz

Garnet Hertz has implanted a miniature webserver in the body of a
frog specimen, which is suspended in a clear glass container of mineral
oil, an inert liquid that does not conduct electricity. The frog is
viewable on the Internet, and on the computer monitor across the room,
through a webcam placed on the wall of the gallery. Through an Ethernet
cable connected to the embedded webserver, remote viewers can trigger
movement in either the right or left leg of the frog, thereby updating
Luigi Galvani’s original 1786 experiment causing the legs of a dead
frog to twitch simply by touching muscles and nerves with metal.

Experiments in Galvanism is both a reference to the origins of
electricity, one of the earliest new media, and, through Galvani’s
discovery that bioelectric forces exist within living tissue, a nod to
what many theorists and practitioners consider to be the new new media:
bio(tech) art.

    – Sarah Cook and Steve Dietz

San Francisco is DOWN: The Fragility of Web 2.0 Ecosystem – Common Sense Must Not Have Made the Feature List

July 25th, 2007 8 comments

Internetdown_2
I was just leaving the office for a client dinner last night when I noticed I
couldn’t get to my TypePad blog, but I chalked it up to a
"normal" Internet experience.   

When I fired up Firefox this morning (too much wine last night to care) I was surprised to say the least.

I am just awestruck by the fact that yesterday’s PG&E  power outage in San Francisco took down some of the most popular social networking and blogging sites on the planet.  Typepad (and associated services,) Craigslist, Technorati, NetFlix etc…all DOWN. (see bottom of post for a most interesting potential cause.)

I’m sure there were some very puzzled, distraught and disconnected people yesterday.  No blogging, no secondlife, no on-line video rentals.  Oh, the humanity!

I am, however, very happy for all of the people who were able to commiserate with one another as they apparently share the same gene that renders them ill-prepared for what is one of the most common outage causalities on the planet: power outages.

Here’s what the TypePad status update said this morning:

Update: commenting is again available on TypePad blogs; thank you for your patience.  We are continuing to monitor the service closely.

TypePad blogs experienced some downtime this afternoon due to a
power outage in San Francisco, and we wanted to provide you with the
basic information we have so far:

  • The outage began around 1:50 pm Pacific Daylight Time
  • TypePad blogs and the TypePad application were affected, as well as LiveJournal, Vox and other Six Apart-hosted services
  • No data has been lost from blogs.  We have restored access to blogs as well as access to the TypePad application. There
    may be some remaining issues for readers leaving comments on blogs; we
    are aware of this and are working as quickly as possible to resolve the
    issue
    . (See update above.)
  • TypePad members with appropriate opt-in settings should have
    received an email from us this afternoon about the outage.  We will
    send another email to members when the service has been fully restored.
  • We will also be posting more details about today’s outage to Everything TypePad.

We are truly sorry for the frustration and inconvenience that
you’ve experienced, and will provide as much additional information as
possible as soon as we have it. We also appreciate the commiseration
from the teams at many of the other sites that were affected, such as
Craigslist, Technorati, Yelp, hi5 and several others.

I don’t understand how the folks responsible for service delivery of these sites, given the availability and affordability of technology and hosting capability on-demand, don’t have BCP/DR sites or load-balanced distributed data centers to absorb a hit like this.   The management team of Sixapart has experience in companies that understand that the network and connectivity represent the lifeblood of their existence; what the hell happened here in that there’s no contingency for power outages?

Surely I’m missing something here.

Craigslist and Technorati are services I don’t pay for, so one might suggest taking the service disruption with a grain of SLA salt (or not, because it still doesn’t excuse not preparing for issues like this with contingencies)  but TypePad is something I *pay* for.  Even my little hosting company that houses my personal email and website has a clue.  I’m glad I’m not a Netflix customer, either.  At least I can walk down to Blockbuster…

Yes, I’m being harsh, but I there’s no excuse for this sort of thing in today’s  Internet-based economy.  It affects too many people and services but really does show the absolute fragility of our Internet-tethered society.

Common sense obviously didn’t make the feature list on the latest production roll.  Somebody other than me ought to be pissed off about this.  Maybe when Data Center 3.0 is ready to roll, we won’t have to worry about this any longer 😉

/Hoff

Interestingly, one of the other stories of affected sites relayed the woes of 365 Main, a colocation company, whose generators failed to start when the outage occurred.  I met the the CEO of 365 Main when he presented at the InterOp data center summit on the topic of flywheel UPS systems which are designed to absorb the gap between failure detection and GenStart.  This didn’t seem to work as planned, either. 

You can read all about this interesting story here.  This was problematic because the company had just issued a press release about a customer’s 2-year uninterrupted service the same day 😉

Valleywag reported that the cause of the failure @ 365 Main was due to a drunk employee who went berserk! This seemed a little odd when I read it, but check out how the reporter from Valleywag is now eating some very nasty Crow … his source was completely bogus!

Cisco Responds to My Data Center Virtualization Post…

July 24th, 2007 2 comments

Cisco
"…I will squash him like a liiiiittle bug, that Hoff!"

OK, well they weren’t responding directly to my post from last night, but as they say in the big show, "timing is everything."

My last blog entry detailed some navel gazing regarding some interesting long term strategic moves by Cisco to further embrace the virtualized data center and the impact this would have on the current and future product roadmaps.  I found it very telling that Chambers will be keynoting at this year’s VMWorld and what this means for the future.

Not 8 hours after my posting (completely coincidental I’m sure 😉 the PR machine spit out the following set of announcements from Networkers Cisco Live titled "Cisco Unveils Plans to Transform the Data Center."    You can find more detailed information from Cisco’s web here.

This announcement focused on outlining some of the near-term (2 year) proofpoints and touts the introduction of "…New Data Center Products, Services and Programs to Support a Holistic View of the Data Center." 

There’s an enormous amount of data to digest in this announcement, but the interesting bits for me to focus on are the two elements pertaining to security virtualization as well as service composition, provisioning and intelligent virtualized service delivery.   This sort of language is near and dear to my heart.

I’m only highlighting a small subsection of the release as there is a ton of storage, data mobility, multiservice fabric and WAAS stuff in there too.  This is all very important stuff, but I wanted to pay attention to the VFrame Data Center orchestration platform and the ACE XML security gateway functions since they pertain to what I have been writing about recently:

If you can choke back the bile from the  "Data Center v3.0" moniker:

…Cisco announced at a press conference today its
vision for
next-generation data centers, called Data Center 3.0. The
Cisco vision for
Data Center 3.0 entails the real-time, dynamic orchestration
of
infrastructure services from shared pools of virtualized
server, storage
and network resources, while optimizing application performance,
service
levels, efficiency and collaboration.

Over the next 24 months, Cisco will deliver innovative new
products,
programs, and capabilities to help customers realize the
Cisco Data Center
3.0 vision. New products and programs announced today support
that vision,
representing the first steps in helping customers to create
next-generation
data centers.

Cisco VFrame Data Center

VFrame Data Center (VFrame DC) is an orchestration platform
that leverages
network intelligence to provision resources together as
virtualized
services. This industry-first approach greatly reduces application
deployment times, improves overall resource utilization,
and offers greater
business agility. Further, VFrame DC includes an open API,
and easily
integrates with third party management applications, as
well as
best-of-breed server and storage virtualization offerings.

With VFrame DC, customers can now link their compute, networking
and
storage infrastructures together as a set of virtualized
services. This
services approach provides a simple yet powerful way to
quickly view all
the services configured at the application level to improve
troubleshooting
and change management. VFrame DC offers a policy engine
for automating
resource changes in response to infrastructure outages and
performance
changes. Additionally, these changes can be controlled by
external
monitoring systems via integration with the VFrame DC web
services
application programming interface (API).

I think that from my view of the world, these two elements represent a step in the right direction for Cisco.  Gasp!  Yes, I said it.  While Chambers prides himself on hyping Cisco’s sensitivity to "market transitions" it’s clear that Cisco gets that virtualization across both the network, host and storage is actually a real market.  They’re still working the security piecem however they, like Microsoft, mean business when they enter a space and it’s no doubt they’re swinging to fences with VFrame. 

I think the VFrame API is critical and how robust it is will determine the success of VFrame.  It’s interesting that VFrame is productized as an appliance, but I think I get what Chambers is going to be talking about at VMWorld — how VFrame will interoperate/interact with VMWare provisioning and management toolsets. 

Interestingly, the UI and template functionality looks a hell of a lot like some others I’ve blogged about and is meant to provide an umbrella management "layer" that allows for discovery, design, provisioning, deployment and automation of services and virtualized components across resource pools of servers, network components, security and storage:

Cisco VFrame Data Center components include:

  • Cisco VFrame Data Center Appliance: Central controller that connects to Ethernet and Fibre Channel networks
  • Cisco VFrame Data Center GUI: Java-based client that accesses application running on VFrame Data Center Appliance
  • Cisco VFrame Web Services Interface and Software Development Kit:
    Programmable interface that allows scripting of actions for Cisco
    VFrame Data Center
  • Cisco VFrame Host Agent: Host agent that provides server heartbeat,
    capacity utilization metrics, shutdown, and other capabilities
  • Cisco VFrame Data Center Macros: Open interface that allows administrators to create custom provisioning actions

That’s ambitious to say the least.

It’s still a raucous debate with me regarding where a lot of this stuff belongs (in the network or as a service layer) and I maintain the latter.  Innovation driven by companies such as 3Tera demonstrate that the best ideas are always copied by the 800 pound gorillas once they become mainstream.

Enhanced Cisco ACE XML Gateway Software

The new Cisco Application Control Engine (ACE) Extensible
Markup Language
(XML) Gateway software delivers enhanced capabilities for
enabling secure
Web services, providing customers with better management,
visibility, and
performance of their XML applications and Web 2.0 services.
The new
software includes a wide variety of new capabilities and
features plus
enhanced performance monitoring and reporting, providing
improved
operations and capacity planning for Web services secured
by the Cisco ACE
XML Gateway.

I’d say this is a long overdue component for Cisco; since Chambers has been doing nothing but squawking about Web2.0, collaboration, etc., the need to integrate XML security into the security portfolio is a must, especially as we see XML as the Internet-based messaging bus for just about everything these days.

All in all I’d say Cisco is doing a good job of continuing to push the message along and while one shouldn’t see this faint praise as me softening my stance on Cisco’s execution potential, it’s yet to be seen if trying to be everything to everyone will deliver levels of service commensurate with what customers need.

Only time will tell.

/Hoff

 

Categories: Cisco, Networking, Virtualization Tags:

Cisco & VMWare – The Revolution will be…Virtualized?

July 24th, 2007 No comments

Blogrevolution
During my tour of duty at Crossbeam, I’ve closely tracked the convergence of the virtualization strategies of companies such as VMWare with Cisco’s published long term product direction. 

One of the selfish reasons for doing so is that from a product-perspective, Crossbeam’s platform provides a competitively open, virtualized routing and switching platform combined with a blade-based processing compute stack powered by a hardened, Linux based operating system that allows customers to run the security applications of their choice. 

This provides an on-demand security architecture allowing customers to simply add a blade in order to add an application service component when needed.

Basically this allows one to virtualize networking/transport, applications/security contexts and security policies across any area of the network into which this service layer is plumbed and control the flows in order to manipulate in serial or parallel the path traffic takes through these various security software components.

So that’s the setup.  Yes, it’s intertwined with a bit of a commercial, but hey…perhaps liberty and beer are your idea of "free," but my blogoliciousness ain’t.  What’s really interesting is some of the deeper background on the collision of traditional networking with server virtualization technology.

While it wasn’t the first time we’ve heard it (and it won’t be the last,) back in December 2006, Phil Hochmuth from Network World wrote an article that appeared on the front page which was titled "Cisco’s IOS set for radical pricing, feature changes."  This article quoted Cliff Metzler, senior vice president of the company’s Network Management Technology Group as saying these very important words:

Cisco’s intention is to decouple IOS software from the hardware it
sells, which could let users add enhancements such as security or VoIP
more quickly,
without having to reinstall IOS images on routers and
switches. The vendor also plans to virtualize many of its network
services and applications, which currently are tied to
hardware-specific modules or appliances.

This
shift would make network gear operate more like a virtualized server,
running multiple operating systems and applications on top of a
VMware-like layer, as opposed to a router with a closed operating
system
, in which applications are run on hardware-based blades and
modules. Ultimately, these changes will make it less expensive to
deploy and manage services that run on top of IP networks, such as
security, VoIP and management features, Cisco says.

“The way we’ve sold software in the past is we’ve bolted it onto a
piece of hardware, and we shipped [customers] the hardware,” Metzler
said. “We need more flexibility to allow customers to purchase software
and to deploy it according to their terms.
” 

IOS upgrades require a reinstall of the new software image on the
router or switch — which causes downtime — or, “we say, not a problem,
UPS will arrive soon, here’s another blade” to run your new service or
application
, Metzler said. “This adds months to the deployment cycle,
which is not good for customers or Cisco’s business.”

The article above fundamentally demonstrates the identical functional software-based architecture that Crossbeam offers for exactly the right reasons; make security simpler, less expensive, easier to manage and more flexible to deploy on hardware that scales performance-wise.

Now couple this with the announcement that John Chambers will be delivering a keynote at VMWorld and things get even more interesting in a hurry.  Alessandro Perilli over at the Virtualization.info blog shares his perspective on why this is important and what it might mean:

Chambers presence possibly means announcement of a major partnership
between VMware and Cisco, which may be related to network equipment
virtualization or endpoint security support.

Many customers in these years prayed to have capability to use
virtual machines as routers inside VMware virtual networks. So far this
has been impossible:
despite Cisco proprietary IOS relies on standard
x86 hardware, it still requires a dedicated EEPROM to work, which
VMware doesn’t include in its virtual hardware set. Maybe Cisco is now
ready to virtualize its hardware equipment.

On the other side VMware may have a deal in place with Cisco about
its Assured Computing Environment (ACE) product: Cisco endpoint
security solution called Network Admission Control (NAC) may work with
VMware ACE as an endpoint security agent, eliminating any need to
install more software inside host or guest operating systems.

In any case a partnership between VMware and Cisco may greatly enhance virtual infrastructures capabilities.

This is interesting for sure and if you look at the way in which the demand for flexibility of software combined with generally-available COTS compute stacks and specific network processing where required, the notion that Cisco might partner with VMWare or a similar vendor such as SWSoft looks compelling.  Of course with functionality like KVM in the Linux kernel, there’s no reason they have to buy or ally…

Certainly there are already elements of virtualization within Cisco’s routing, switching and security infrastructure, but many might argue that it requires a refresh in order to meet the requirements of their customers.  It seems that their CEO does.

I think that this type of architecture looks promising.  Of course, you could have purchased it 6 years ago — as you can today — by talking to these folks. But I’m biased. 😉

/Hoff

Categories: Cisco, Virtualization, VMware Tags:

I Promised I Wouldn’t, but I Did…iPhone Smoothies! Die, iPhone…Die!

July 23rd, 2007 No comments

I’m so damned iSick of everything iPhone.  This is beautiful.  Die, iPhone, Die!

Brings new meaning to the phrase "blended threat."

If you’ve got NoScript running, here’s the link.

/Hoff

Categories: Uncategorized Tags:

Security RROI (Reduction of Risk on Investment)

July 23rd, 2007 5 comments

Money_scale
The security blogosphere sure is exciting these days.  I can’t decide whether to tune into the iPhone junkie wars, the InfoSec Sellout soap opera or the Security ROI cage match!

I’m going to pick the latter because quite honestly, the other two are about as inflated as Bea Arthur’s girdle…

(edit: link added for Cutaway whose predilection towards Bea Arthur and her undergarments are disturbing at best…) Warning…May Cause Chaffing…)

Unless you’ve been under a rock (or actually, gasp!, working) you’ve no doubt seen Rich Bejtlich’s little gem titled "No ROI?  No Problem" that re-kindled all sorts of emotive back and forth debating the existence of Security ROI.

It was revisited by Rich here and then here…and then picked up by Lindstrom, Hutton, Cutaway and the rest of the risk management cognoscenti.  All good stuff.

It seems that the unofficial scoring has the majority of contributors to the debate suggesting that Security ROI does not exist…sort of.  The qualification of the word "return" really seems to be the important lynchpin here as contribution (margin, profit, etc.) versus cost avoidance really is what sends people off the deep end.

It appears that if we define ‘return’ to suggest that what you get back is a way of avoiding shelling out money, then indeed, one may quantify a return on the investment made.

Fine.  I’m good with that.  To a point.

However, I’ve never used ROI in any metric I’ve produced.  NPV?  Nope.  ROSI?  Nuh-uh.

What I have chosen to use is RROI — the reduction of risk on investment.  HA!  Another term.

Basically, I’ve used various combinations of metrics and measurements to quantify data points and answer the question:

"If I invest in some element of my security program (people, process, technology) — or after I have invested in it — am I more secure than I was before and how much more?  Furthermore, how should I manage my investment portfolio to give me the best reduction of risk?"

One doesn’t hire security guards because of an expectation that this action will cause one to be more profitable; it’s a cost of doing business that allows one to asses the risk based on impact and decide how, if at all, one could or should invest in security to defray the impact and cost associated with the event(s) one is trying to mitigate.

Ah yes, the old "why would you spend $1000 to protect a $10 asset?" question.  Can you answer this question for every security investment you make?

I’d say that I’ve always been able to communicate what the "return" (see above) would be on investments made and done so in a manner that has always seen my security budgets grow when necessary and trim when warranted.  The transparency I strive to produce is communicated in business terms that anyone who can understand basic math and business logic can process.  Maybe I’m just lucky. 

I’m not saying I have the problem licked or that I found the holy grail, but the problem just doesn’t seem to be as daunting as some would have you believe.  Start small, be rational and build and manage your portfolio accordingly.

So, how many of you have risk dashboards that can, in near-time, communicate where you invest, why and how this maps to the business and helps you most effectively manage risk per dollar spent?  This is what’s really important.

I’m just wondering that instead of trying to globally force-feed a definition across a contentious landscape of religion and philosophy, perhaps we could spend the time arguing less about terms and more about solving problems.  Ask the business how they want to see your security value communicated and go from there.  If they want ROI, then fine…define the "R" appropriately and move on.

I’m going to "return" to work now… 😉

/Hoff

Security Pay It Forward (Literally) – Giving Back to Tranax/Triton ATM Owners

July 21st, 2007 4 comments

Atms
The only thing worse than when people find out you’re in the "computer industry" and ask you to diagnose why their USB-powered combo blender/Easy-bake oven keeps giving them the BSOD is when they find out you’re in the "computer security" field and ask you to diagnose why their Symantec (nee Norton) Uber Blocking Pop-Up Personal Firewall prevents them from connecting to AOL.

Sometimes, however, I feel compelled to volunteer myself when I know I can quickly help so I can feel good about "giving back" and make the world a more secure place.

Today was such a day.

I took the kids to our local candlestick bowling joint en route to a matinee screening of "Hairspray" the movie (very good, by the way.)  As the kids were knocking down frames thanks to the bumpers in the gutters, I went to the ATM for monetary reinforcement in order to buy the requisite pop and pizza.

As I approached the machine, the floor manager — noticing that I was going to use the ATM — scurried to plug the machine in so I could use it.  Noticing that it was a Tranax unit since this particular marque has been in the news lately due to security concerns, I happily queried the manager as to whether or not they had changed the default password on the machine.

I don’t really know why I did this.  Perhaps because I wanted to settle a bet with myself or just to show off my mad security current event skillz.  Honestly, I think I just wanted to see what would happen under controlled circumstances.  Nevertheless, I asked and waited patiently for a response as the machine whirred and clicked.

She looked at me puzzled and asked what I meant and why.  At which point I was going to be content in alerting her to the potential that someone could easily use the Internet to gain 10 seconds of courage and rip them off by re-programming the ATM to think it was giving out $5 bills instead of $20 bills by gaining access to the admin. interface via the default password.

At the exact moment I said this, the machine finished booting as she walked away shrugging her shoulders wondering no doubt why this tattooed idiot in bowling shoes was trying to "help."  As she did this, the screen started blinking alerting me that the cash magazine was empty and if would I like to enter the Administrator mode.

I called her back over to the ATM and said "watch" at which point I was queried for the administrative password which I dutifully keyed in as "######" (not shown so I don’t enable those idiots who can’t manage to find the real number via Google.)  The myriad of administrative options was splayed out before me and we walked through the various scenarios that might appear should we execute.

Das machine was owned and now she understood.

We agreed that this was a bad thing and that she should unplug the machine until the owner who serviced the unit could be contacted.  I suggested that she find a way to make sure that nobody could plug it back in easily and I walked her through changing the password.

I figured I’d done a good deed and proceeded go out into the parking lot and scour my car for loose change so I could at least buy the kids a soda since I could no longer get cash and I didn’t exactly trust their security to use my credit card at this point.

I returned to find the manager giving me back the $23 I paid for bowling in return for the security lesson.

I thanked her for the trade and got the hell out of there before she asked me how to update the anti-virus signatures on the point of sale terminal that took credit card payments…

The moral of the story?  Don’t be afraid to offer a little security help every once in a while.  You never know, it might earn you $23 and some free bowling.  Karma.  Nice.

Now I’m going to visit the Mobil station down by the highway…they have the same machines.  I could always use some free gas 😉

As Cutaway would say…"Go forth and do good things."

/Hoff

Categories: General Rants & Raves Tags: