Another guy on the net talking about nothing specific.

IANS Lone Star Information Security Forum

July 9th, 2010 Posted in Computers, Intarweb, News, Software, Unspecific | No Comments »

On June 23-24, 2010 I attended the IANS Lone Star Information Security Forum.

Details of the event can be found here:

http://www.iansresearch.com/forums/splash.html?forum_id=51

A PDF of the forum program is attached (Forum_Program51.pdf).

*UPDATE (7/12/2010)* All links and attachments to slides have been removed per the request of IANS.  Please request slides from them directly.

 

The following is a list of the round table discussions and vendor presentations I attended, my thoughts on each, and the best take-away ideas, in my personal opinion.  There were 5 tracks for the round table discussions.  I decided to attend the more operational and technical discussions, as the management track did not seem to fit my day to day work.  Two ideas were most prevalent throughout the conference: workflow and “cloud”.  Yes, again a buzzword with a vague and ambiguous definition leads the way.  “Cloud” is overused and I felt the push was that “we can’t control it, so just join it.”

 

This was my first IANS event so I was not sure what to expect.  The opening keynote was not promising.  There were problems with the sound, the machine used for the initial slides failed, and it seemed very unorganized.  Luckily this was not how things continued.  It was explained that the idea behind IANS conferences was more about interactivity and participation, and less about being presenter driven.  I wish I could say this was actually followed throughout all the talks, but where it was followed there were some good, heated and interactive talks.

 

Each of the talks in a specific track either led into the next talk or fed off the previous talk.  Here is a review of each of the ones I attended.

 

Round Table Discussions:

- Proactive Threat Management – Security Operations

There were 2 parts to this discussion.  The first was a roundtable led by Marcus Ranum and Rocky DeStefano, followed by a case study by Tim Larson focusing on log management and a custom SIEM solution, called Creating Actionable Security Intelligence; the slides are attached.  Proactive Threat Management sits between vulnerability management and incident response.  The exact definition of proactive threat management was a point of contention during the talk.  This was also the first roundtable, so it was not quite as interactive as it could have been.  What we did take away from the first half of this was that workflow was key.  Being proactive can be as simple as planning for each possible case.  Try to prepare for the worst; while this is not 100% proactive, it is the simplest method of being proactive without incurring operational costs in regards to purchasing new technology.

The case study was an interesting idea of how to tie together log management systems with a custom SIEM solution to be proactive.  During Tim’s talk he presented the following formula for success:

Formula for Success = 50% process integration + 25% technology integration + 25% overcoming internal resistance.

This emphasizes that this is not about technology, but more about the process (workflow).  During this I made notes about creating a TIG and SIG.  TIG = Technology Integration Group, SIG = Stakeholder Integration Group.  These are groups that would be directly involved in security initiatives.  The TIG has to figure out how to implement the desired technologies and how they have to be integrated into existing systems.  The SIG has to determine what data is needed from the process as well as how the data will be used, which means the resulting workflow based on the newly implemented technology.  Following all this to its logical conclusion, we end up with what was called a REMS.  REMS = Remediation and Escalation Management System.  This system is similar to a ticket tracking system, and to be successful would need to integrate into existing ticketing systems.  This is again a more complete workflow of how to prepare for an incident, how to handle an incident, and where the data is held regarding an incident, or even a potential incident.

What I found impressive about their system was that each piece played off the others.  One example is that each system was set up to report to a central logging system, ArcSight.  There were also IDS systems, vulnerability assessments and other pieces of data being fed into the logging system.  The logic is that if any one of the monitoring systems sees traffic to or from a device, it verifies that the device has been reported by the VA or IDS system and that it is being properly logged, including system and security logs from the system itself.  The data itself feeds the system what needs to be done.  The sample workflow might be something like this:

- Add a new system to the network
- It is seen by the IDS or a vulnerability scan
- If it is not seen to be sending system logs, a ticket is created to have the system configured to log centrally
- If no vulnerability assessment data is available, a ticket is created to schedule a vulnerability assessment scan
- Etc…  Using all bits of data that should be known to verify the system is properly configured and secured as necessary

The end result is what the company called their Security Knowledge Base, which is essentially a home grown SIEM with ties into commercial SIEM products, log management systems, VA systems, and the like.
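The reconciliation step of that workflow, as an added example rather than the presenter's system: IDS sightings, VA results and the central log feed are cross-checked per host, and a ticket is filed for each gap (no logging, no or stale assessment). It goes one step beyond the list above by also flagging hosts that only ever show up in the log feed. All hostnames, dates and the 30-day rescan policy are constructed.

```python
"""Reconcile IDS sightings, vulnerability-assessment (VA) results and central
log sources into remediation tickets.  Added example, not the presenter's
system; every host, date and policy value below is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta

LOG_TYPES_REQUIRED = {"system", "security"}   # both feeds expected per host
VA_MAX_AGE = timedelta(days=30)               # constructed policy: rescan monthly


@dataclass
class Ticket:
    host: str
    kind: str        # "central_logging" | "va_scan" | "unmonitored"
    detail: str


def reconcile(today, ids_hosts, va_results, log_sources, open_tickets=()):
    """Return the tickets the knowledge base should open.

    ids_hosts:    set of hosts the IDS saw traffic to/from
    va_results:   {host: date of last vulnerability scan}
    log_sources:  {host: set of log types the central logger receives}
    open_tickets: (host, kind) pairs already open, so nothing is filed twice
    """
    open_keys = set(open_tickets)
    tickets = []

    def file_ticket(host, kind, detail):
        # Suppress duplicates against tickets that are already open.
        if (host, kind) not in open_keys:
            open_keys.add((host, kind))
            tickets.append(Ticket(host, kind, detail))

    # Every host a monitoring system knows about must be logging and assessed.
    known = set(ids_hosts) | set(va_results)
    for host in sorted(known):
        missing = LOG_TYPES_REQUIRED - log_sources.get(host, set())
        if missing:
            file_ticket(host, "central_logging",
                        "configure central logging for: " + ", ".join(sorted(missing)))
        last = va_results.get(host)
        if last is None:
            file_ticket(host, "va_scan", "no vulnerability assessment data; schedule scan")
        elif today - last > VA_MAX_AGE:
            file_ticket(host, "va_scan", f"last scan {last.isoformat()} is stale; reschedule")

    # Beyond the talk's list: a host that only appears in the log feed was
    # never seen by IDS or VA, so monitoring coverage has a gap.
    for host in sorted(set(log_sources) - known):
        file_ticket(host, "unmonitored", "logs arrive but host unseen by IDS and VA")
    return tickets


def sample_run():
    """Constructed inputs: one healthy host, one with a stale scan and a
    missing security-log feed (that ticket already open), one brand-new host
    and one that only appears in the log feed."""
    today = date(2010, 6, 24)
    ids_hosts = {"web01", "db01", "newbox"}
    va_results = {"web01": date(2010, 6, 20), "db01": date(2010, 4, 1)}
    log_sources = {"web01": {"system", "security"},
                   "db01": {"system"},
                   "legacy": {"system", "security"}}
    return reconcile(today, ids_hosts, va_results, log_sources,
                     open_tickets=[("db01", "central_logging")])


if __name__ == "__main__":
    for t in sample_run():
        print(f"{t.host:8} {t.kind:16} {t.detail}")
```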

- Use Cases for SIEM – Security Operations
This had to be the most heated and interesting talk of the conference.  It was led by Marcus Ranum and Rocky DeStefano and was supposed to be a discussion about how and why people are using SIEM products.  By the end of it I think I convinced everyone that SIEM is a buzzword with no well defined meaning.  Key talkers were from Verizon Corporate and Lockheed-Martin as well as myself.  It was determined that there are 2 types of SIEM uses, reporting/forensics and proactive.  This is where part of the heated discussion started.  According to popular vendors, i.e. ArcSight, a SIEM is proactive and should work automagically after being configured to monitor, correlate and alert on real-time data.  Many of the users of these products were more interested in reporting of specifics for timeframes or for forensics.  The thing that really came out of the talk was that before implementing a SIEM solution a company should define what they want to see out of it.  Working backwards seemed to be the most effective as far as showing usable results.  The other method was to point every bit of data you can at the SIEM and see what comes out.  This was determined to be less effective, but workable.

- Seeking the APT – Independent
This round table was led by Marcus Ranum and his slides are attached.  APT is another buzzword for the information security community for 2010.  APT is Advanced Persistent Threat and is the idea that the attackers are getting smarter and are being clever about how and when they utilize their access.  It is a long term goal of more data and more access, versus the “Look at me” style attackers from the late 90’s.  The concept of hiding and waiting for the right moment is not new.  Examples given during the talk included Cliff Stoll’s “Cuckoo’s Egg” from 1989 (great book if you have not read it), the now defunct firewalls mailing list and DoD’s Orange Book, the Trusted Computer System Evaluation Criteria, originally released in the mid 80’s.

Looking at the current trend in malware, it is leaning more and more to less destructive payloads and more covert communications.  The bot-nets we see today give a good idea of the covert command and control these tools are moving towards.  What we are seeing is a trend towards more professionalism in the attack methods and style of malware being used.  This includes countries and government controlled attack teams.  Ultimately it is more profitable to have a back door feeding information for a long period than to show your hand too quickly.  Threats could be as obvious as someone getting a job at Company X in the support department or the development department, building in and/or finding ways to circumvent security, then waiting months or even years to utilize or even sell these tools.

This all means that the threats are not as obvious.  We can’t guarantee where the threats are coming from, or where they are being controlled from.  How many companies are outsourcing to India?  How well do Indian companies do background checks or QA for the software they are producing?

More bad news: AV companies are seeing more and more simple malware being released before a real new tool is released.  Meaning the malware creators are creating artificial noise in the AV channels to hide what their real attack tool is, making it harder to spot or to dissect to verify what it can and can’t do, or how it might be used.  The malware writers are professional and are working to defeat the systems put in place to protect us.

The good news is we are getting better and better at spotting the bad guys.  New SIEM products allow for trending and reading of net-flow data, to look for anomalies.  Looking at something as simple as ntop can give you insight into what is going on in the network.  Trying to look at malware one piece at a time is a losing battle.  Broader strokes, casting a wider net, more has to be done at one time.  Looking for network anomalies is one way of detecting more with less.  As security professionals find new methods of attack and how to protect against them, we need to do so in a more unified method so that we can starve the attackers of good attack vectors.  Information sharing is crucial as no one group can stay ahead.

Several tactics were discussed in this roundtable and can be found in Marcus’ slides attached.

- Best Practices in Response – Security Operations
Roundtable led by Marcus Ranum and Rocky DeStefano on how to respond to incidents.
This was another of Ranum’s talks and heavily focused on the concept of a playbook.  We started off by having a couple of people talk about what worked.  Normalization of incident types was one of the first steps in being able to create your playbook for incident response.  Once you have clearly defined the incident types you need to make your playbook and planning very simple to read and follow.  Flowcharts seemed to be popular among the participants and many stated that if it was more than 1 page, no one paid attention to it.

Another concept that was talked about was reaching out to local TLAs so that you have a good working relationship before you NEED them.  This might include inviting them to review your facilities and your processes, or even to include them in some mock training exercises.  Examples of groups to look into were also mentioned, like InfraGard and the North Texas Security Council.

As with so many other facets of information security, it came down to training.  The people who will deal with your workflow need to understand it first.  They need to understand the technologies involved and the environment in which they are working.  Without understanding the environment, you are only guessing at the right thing to do.

- Risks and Rewards from Social Media – Independent
Roundtable led by Ron Ritchey and focusing on Facebook and Twitter because they are most popular.  We discussed plenty of risks and very few rewards.  The first thing I remember about this was the moderator telling us that some companies are now requiring potential employees to give complete access to Facebook, as in provide login credentials, for review prior to being hired.  I don’t see this going over too well with most professionals, but it reminds you what you should or should not post.  Slides for this should be attached as well.

We started by discussing WHY people use Social Media sites.  The reasons are numerous, but it comes down to how nimble and intimate the site makes the experience.  Social media sites can scoop regular news media sites and even provide faster updates and media since they have so many users that may be “in the thick of it”.  The same concepts allow people to work together as never before.  One example was a military training task that was supposed to take the .gov weeks to complete and a group of FB users had it done in a day.  This is because of how quickly people can request or donate resources.

It was brought up that as of last year the average age of people on Social Media sites (specifically looking at FB and Twitter) is 35-44.  I am in that group and I understand why.  These are the people that were the first generation to grow up with technology and are more comfortable with it.  That age range is also the same range that a lot of the innovators of recent web and internet technologies fall into.

The biggest risk, as if it is not obvious, is the potential for loss of privacy.  Between what you post, who has access and then more recent events like the “Robin Sage” incident, there is always potential for this risk.  There are several examples in the recent past that can be found easily, including people being fooled by fake profiles, data from profiles ruining military operations, and even the MI6 chief having issues with his info leaking because of his wife’s profile.  These information leaks can be substantial, ranging from military troop positions to data used to perform more targeted spear-phishing attacks.

Another risk is the pollution of your personality through your friends and what they do.  Meaning your friends reflect the type of person you are assumed to be.  Whether it be new friends or potential employers, who you hang out with, even online, can get you into trouble, make you look bad (or good) and can seriously affect your ability to be employed.

Ultimately, they are not going away and we need to learn how to live with them, use them to our advantage and for our personal usage, and learn to be smart about who you friend and what you post.

 

Vendor Discussions:

- Qualys
Vulnerability Assessment.
This was me questioning Qualys for 30 minutes and them defending themselves for the rest of the time.  Qualys is very simply a Service as a Service service model for the cloud.  Wonder why I hate the term?  They very simply do vulnerability assessment and generate reports based on their scans.  The scans are daily and lightweight, but help with a checkbox for PCI and other regulations.  You can have one of their devices installed in your datacenter, so as to be behind the firewalls and other things you have in place, but here is my biggest issue… ALL YOUR DATA BELONG TO THEM.  Everything that is stored is stored on their servers.  Even if you have an appliance, it reports all findings back to their office.  I have serious issues with this for multiple reasons.  They have a comeback for every concern, but it does not make me feel better.  If they get compromised, every vulnerability, inside and out, is in the hands of the compromiser.  Yes, the data is SSL encrypted on the wire and stored in an encrypted form, but I don’t want MY data stored on a shared server.  Same reason I won’t recommend certain features or functions be moved to the “cloud”.

- Q1 Labs
SIEM
This was one of the talks where we only briefly discussed the product.  This was MUCH more open and we discussed SIEM in general, how a SIEM might work in the “cloud”, and logging and alerting in general.  I was impressed with how open the Q1 Labs guys were as far as not making this just a sales talk like many others did.  They did show off the product and give specific examples that pertained to what we were discussing, but it was not pushy.  If nothing else, that was impressive.

- Tenable
Vulnerability Assessment
I was very pleased with the current state of their Security Center (or whatever the name is).  Being able to schedule scans, compare scans, integrate into an AD forest for authentication and utilize groups to allow read only access to specific reports for specific IPs or host types will make several people’s lives easier.  It does a lot more, but I am still waiting to get a full demo.

- WhiteHat
Web application scanning and security verification service.
This is not your typical scanning service.  This is web app specific.  This is not automated.  This is reviewed by a trained staff before being reported to you.  It is based on years of work by the WhiteHat team and means there are fewer false positives and less chance of it causing issues.  This is also one of the few web app scanning services that is designed to be done in production rather than QA or dev.  NOTE:  I worked with Jeremiah Grossman, one of the founders of WhiteHat, in a previous life and do consider him a friend.

- Nitro Security
SIEM
Look, yet another SIEM.  Their claim to being better than everyone else is the DB on the backend.  They are also one of the ones that said they can import actual net-flows to do some basic trending and anomaly detection.  They also are one of the companies that does application monitoring, such as databases, by just sniffing the traffic.  See Imperva below for some of my thoughts on doing things this way.  Just like all other SIEM vendors, their sales pitch was a “single pain of glass” to see what was going on and monitor.  This is a good point, but functionality is more important than being able to go to one place to find the data you need.

Workflow was used here as well.  See my “buzzwords” below.  The application monitoring appears to be based on Snort and uses Snort rules, as well as custom written rules, but it is still based on inline Snort.  One of the founders was one of the developers of Hogwash(?) and an inline port of Snort from 10-15 years ago.

- Bit 9
Application white listing
Most security experts agree that white listing is the most secure method of protecting yourself.  As a reader of this you should know that white listing means deny everything and then list what you want to allow.  This is a tool that works like an AV client as to how it ties into the OS.  This tool looks at the publisher and signer of executables, libraries and drivers.  They have one of the largest lists of applications, according to the sales pitch.  This is a Global Software Registry that contains all the info to allow you to decide if you will allow an app.  We discussed that they have a “verify” mode that allows the end user to say “ok” and run or install the apps that get flagged as being unknown.  Overall this is a good idea, but I don’t get why any vendor would be focusing on a Windows only solution in today’s environment.  I don’t remember working at any Windows-only company in the past 20 years of working.  I am a Mac and Linux fan personally, but….  Macs are going to be hit hard soon with malware.

- Cipher Optics
Network encryption
This was interesting, but nothing mind-blowing.  This was a sales pitch.  The products they provide are VPN endpoints.  The interesting part is that they sit inline and are supposed to be transparent.  They can encrypt at layer 3 or 4, meaning they can encrypt everything or just the TCP data field.  The most interesting thing from this discussion was how their devices were having issues when encrypting at layer 3 and connecting to servers inside mainland China; it would fail over time, but once they moved it to encrypting only at layer 4, hiding the encryption headers, it worked fine.  Ease of use and some nice standard security, like rekeying, were the key features.

- Imperva
Application firewalls.
This was another heavy sales talk and not very interactive, and these guys were the worst for misusing the term “Hacker”.  I don’t like the misuse of the term hacker.  So Imperva focuses on data security.  They did have some interesting features in their suite of tools.  Virtual patching, Usage Audits and Rights management were some of those key features.  They work with WhiteHat and other scanning providers to offer their virtual patching.  This is basically a custom IPS signature based on scan results to block bad content from ever hitting the server.  This is neat, but not real security.  This is like a company saying they know of the problem, but rather than fixing the problem you just hide it and make it harder to get to.  Yes, they said it is so the developers have time to fix the problem, but if you offer a workaround for overworked teams, it will be ignored as long as possible.  Protection level will be based on how far away from the app the Imperva device is installed.  The more hops away, the better the chance of finding a hole in your mitigation.  Like others we saw here, their Database security tools are based on sniffers and “decoding” the data.  This only works if you are not using any database network security.  As long as you can sniff the traffic, you can alert on specific events or a series of events.  It will also do performance monitoring and rights management/auditing.  My 2 big issues are that more things inline can cause more points of failure, and if it’s not inline, the usefulness of the “real time” protection goes away.

 

CISO Panel:

The panelists were:

- Phil Klassen from JC Penney
- Jon Allen from Baylor
- Martin Carmichael from TD Ameritrade
- Russell Murell from Dell
- Wendy Nather from the Texas Education Agency

This was mostly a waste of time.  We had 30 minutes and at least 1 of the panelists should never have been allowed to get in front of an audience.  I’ll just leave it at that.

 

Buzz Words:

The following words were heard at the conference.  These are words I had not heard before, had not heard before in this context, held a central theme to one or more talks or just made me giggle.  The definitions are based on the discussions and conversations at the conference.  No they are not all jokes.

- Cloud
A pointless term that no one can agree upon that basically means the Internet.  Based on the “Internet” icon from Visio being a cloud, it is now popular when referring to hosted or managed assets ranging from virtual servers, hosted services or applications to access to an API to get access to a dataset. This was mentioned every 2-5 minutes and it has been decided if you don’t ‘heart’ the cloud, you will lose your job.

- Playbook
What everyone should have for incident response.   This is a flowchart, checklist, details on how to handle incidents.  This was discussed in the incident response and APT talks.

- Workflow
This was a key concept in many of the talks.  Ranum was especially fond of this term.  Your playbook would define your workflow, but you don’t need a playbook to have a workflow.  This is as simple as it sounds; it is the process (the steps) someone takes when dealing with a situation.  This can be an incident, daily procedures, reviews, or anything really.  A workflow helps with producing usable and repeatable results.

- Trending
This is not a new term, but was also used quite a bit during talks, especially when discussing Security Incident and Event Management (SIEM) tools and APT.  The concept is not new either, as finding a baseline, looking at standard trends and then investigating anomalies is a standard method for troubleshooting and monitoring in many fields and disciplines.

- Suborn
This was another term used by Ranum in a couple of his talks.  I had not heard the word used in this fashion before.  In the APT talk, Ranum said (see slides) as a method to address APT to “Suborn command/control where possible.”  In classic definitions, suborn means to induce someone to do something illegal.  I am fairly certain this is not what Ranum meant, but rather to take control of the command/control methods where possible, or to inject other commands into a command/control stream.

 

- Petri dish
The idea of a Petri dish is simple enough, but I had not heard it used in reference to computers and malware the way it was discussed here.  Again this was from a couple of Ranum’s discussions.   In computer security, the concept is not far from the original use.  Again, the concepts are detailed in the attached slides, but ultimately it is a place to allow malware to run and one can see how it communicates and attempts to spread.

- Transitive Trust
Another term from the APT talk by Ranum.  Searching, you will find it is normally referenced by Active Directory installations and a relationship between parent and child domains.  In this instance we were discussing the trust of networks: if A trusts B and B trusts C then A should trust C, but with the current malware and APT infiltration we ask if we can still trust networks this way.

- Threatscape
This was introduced during the CISO round table at the end of the 2nd day.  This is one I have heard plenty of times before, but it still sounds like a bad movie from the 80’s.  The idea is simple enough as it is the various possible threats in your current environment/situation.

- Metricized
Another term mentioned during the CISO round.  How can we turn a number into a metric to be followed or tracked?  Well, you metricize it of course.  Now, this is not the “official” definition, but this was how it was used by one of the CISOs, and since they are good enough to become CISO, they can create words to pass on the new concepts.  This brought up an interesting idea: what is the difference between a number and a metric?

- Ethicacy
Really?  My spell check is getting a workout in this section.  As far as I could tell from context-clues, this just meant how ethical something is.  I am just going to leave it at that.

 

Kewl Tees…

June 9th, 2010 Posted in Unspecific | No Comments »

I don’t wear many T Shirts anymore (thanks to my significant other) but some of these are cool.  He has quite a few at his website.  Old school video game, Star Trek and other pop culture references included.

Don’t know the guy, but I am pimping his wares.

No Good Deed Goes Unpunished

May 24th, 2010 Posted in Unspecific | 1 Comment »

So I rescued a dog this weekend.  Her name is Lucy and she is very sweet.  She is a big dog, weighing about 80-90 lbs.  She is a mix of Rhodesian Ridgeback and we think lab.  She needs a good home.  She was found wandering the back roads of the country, on the far side of Weatherford.  The owner was never found.  She was then given to a single mom, who is a cat person, for protection.  She did not have the room or ability to take care of Lucy, so I picked her up.

Here is the catch.  Lucy appears to have a broken leg.  The sad thing is that she has been limping since they found her a year ago.  She can not straighten her left leg and does not put much pressure on it.  It is obvious she is in pain.  When I pet her, she sits and gives me her hurt leg with the most pitiful “Help Me” look I have ever seen from a dog.

Lucy is a GREAT dog.  We think she is around 7 years old.  She is a medium length hair that is soft and fluffy and oh so lovable.  It appears she may have been mistreated as she has a very shy and quiet demeanor.   Like a ridgeback she is a very touchy-feely dog.  She follows me all over the house and will lay as close as she can get to me.  She is house trained.  I left her in the house for ~8 hours yesterday with no accidents or messes.  She evidently was not allowed on the carpet, as she would not go on carpet without a lot of loving, and when the loving stopped she would go back to the tile floor and lay next to the door.  She is very loving and spent the past 10 months with a young child and 3 cats and a small dog.  She seems to do well around anyone.

HERE IS THE PROBLEM: I am in the middle of working on a house to bring my family back from Florida.  I am strapped for cash and can not afford to take Lucy to the vet.  I am looking to my friends on Facebook and other places to help me.  Suggestions, donations, I don’t know.  I need help getting the poor dog out of pain.

 

 

 

Scarborough Weekend

May 7th, 2010 Posted in Photography, Unspecific | No Comments »

I went to Scarborough Faire last weekend and took my camera as always…  find the gallery here:

Young Girl

“Cloud” Computing Security

May 5th, 2010 Posted in Unspecific | No Comments »

I am so tired of hearing about “Cloud Computing.”  This is what we called ‘hosting’ back in the day.  Application hosting, service hosting, server hosting, etc…  all wrapped up into one trendy little package.  This trendy little package is confusing some and making liars out of others.  There is article after article about cloud computing that addresses one aspect of hosting and misses all the rest, therefore misrepresenting the author, or the author just using what he wants to make the point he has been ordered to make.

Here is a perfect example:
http://www.infoworld.com/d/security-central/cloud-computing-more-secure-you-think-575

Now, I have been working with Internet technologies for about 15 years and I have been doing computer security for about 10 years and I have been playing with computers and programming for about 30 years.  I don’t consider myself an expert, but I am not dumb either.

Mr Roger Grimes here says that Cloud Computing is more secure than we really think.  Based on what?  Well according to his definition of cloud computing, which is not stated in the article, he says

“One of the biggest advantages of running a cloud is that a single fix affects all customers simultaneously.”

I need help with this one.  Last I checked, there is still an OS, and the OS that the “Cloud” is running on is not one single virtual machine running on hundreds of servers at the same time.  So how does patching one OS fix all your customers?   MAYBE he means if you are selling applications as a service?  If you patch that application they all get patched?  If they all run off the same environment.  Maybe I am just not familiar enough with the latest cloud technologies.  Replication of data across database servers…  wait, that means there is more than one again.

Here is my problem, articles like this don’t really say anything.  It says that some “cloud companies” that he has reviewed have better security than some smaller companies because they are larger.  Ok, but that has nothing to do with the cloud.  That has to do with resources the larger company has available and what they are willing to spend to get the job done.

He also states that “An HTTPS-versus-HTTP transaction can run 200 to 300 percent slower.” and that Google turned on HTTPS for all of Gmail because it had the cloud.  I want to know where the 200-300% slower number comes from.  I want to verify that, because last I checked, servers were getting faster and faster, with more memory, faster CPUs, faster buses, and so on…  I don’t think SSL adds that big of a hit.  But I could be wrong.  That is just a big number to throw out without any proof.  So I did a little Googling.  This one will confuse you…  on the server side, HTTPS is ~10% FASTER.  REF:
http://stackoverflow.com/questions/1468648/https-vs-http-speed-comparison

That being said, that is not a true exhaustive test, but it does show that HTTPS on modern servers and browsers does not add that much overhead.  Another mark against Mr Grimes.

He does say, on page 3 of 3, that he is worried about the security of the cloud, but then says it is the same as today.  Wait…  you mean with _my_ data residing on the same servers as someone else’s data, where people I don’t know have the same access as I do, is the same risk as me having _my_ data on _my_ servers where only I have access?  Maybe I am not the only one that is not understanding what the “Cloud” is.  Once again, this is just hosting…  Mail hosting, database hosting, etc…  I have to say that if there is a flaw in that MySQL and someone who is paying the X dollars a month through the web sign up page roots the SQL server, they have ALL my data, assuming you didn’t pay enough to have a dedicated SQL server, then it is a different story.  Then you have to worry about someone rooting the hypervisor of the virtual machine and gaining access to the host OS and then having access to all the guest servers.

The “cloud” is not as secure as hosting it yourself.  It never will be.  That does not mean it does not have its place.  Small to medium sized businesses could find some great resources in managed hosting.  Email, database, web and the like are easier to deal with if you are letting someone else do it and you can focus on your app.  If you only need to host a blog, or a common web app, it’s easy to find a “cloud” company that can do it, so all the company has to worry about is content.

BUT, if you are a larger company and have real concerns for security, unless something changes, the cloud is not going to be a secure option.  Something in the cloud is being shared and you can’t guarantee who else has access to it.  I am not talking about the employees of the hosting company, I mean their other customers…  shared firewalls, shared servers, shared applications.  A hole in any one of these could allow another customer with nefarious intent access to your data.  And the one who will look bad will be your company along with the “Cloud” provider.


These services have been around forever.  I have worked for a few hosting companies in my past.  Some of them do a great job, others not so much.  I am not saying that hosting is bad.  I am saying “Cloud” is bad as it is a vague reference based on a Visio diagram of a large number of services.  I am also saying that someone else hosting your data on shared equipment is never going to be as secure as you hosting it yourself or someone (who knows what they are doing) hosting it on dedicated equipment.


Good luck with the FUD, tell me where I made mistakes and as always, Enjoy;
Lee ‘MadHat’ Heath

Scarborough 2010-05-02

May 3rd, 2010 Posted in Photography | No Comments »

It was an awesome day… Lots of fun. Very tiring. I took over 750 picts, and uploaded 61 here:

http://picasaweb.google.com/madhat/Scarborough20100502#

Lost Blogs

November 10th, 2009 Posted in Unspecific | No Comments »

This is a blog post that has been removed due to strong-arming by Microsoft (or so the story goes).

Breaking Bing Cashback

Posted November 4th, 2009 by Samir

I’ve never bought anything using Bing Cashback, but the balance of my account is $2080.06. Apparently, I placed two $1 orders on January 24th of this year, and spent another $104,000 on October 24th. Let’s see how these transactions might have “accidentally” got credited to my account.

First, we need to try to figure out how transactions get into Bing Cashback. Microsoft posted some documentation here. The explanation of how a merchant reports transactions to Bing starts on page 20.  Merchants have a few options for reporting, but Bing suggests using a tracking pixel. Basically, the merchant adds a tracking pixel to their order confirmation page, which will report the transaction details back to Bing. The request for the tracking pixel looks something like this:

https://ssl.search.live.com/cashback/pixel/index?
jftid=0&jfoid=<orderid>&jfmid=<merchantid>
&m[0]=<itemid>&p[0]=<price>&q[0]=<quantity>

This implementation, while easy for the merchant, has an obvious flaw. Anyone can simulate the tracking pixel requests, and post fake transactions to Bing. I’m not going to explain exactly how to generate the fake requests so that they actually post, but it’s not complicated. Bing doesn’t seem to be able to detect these fake transactions, at least not right away. The six cents I earned in January have “cleared,” and I’m guessing the remaining $2080 will clear on schedule, unless there is some manual intervention.

Even if Bing detects these fake transactions at some point in the future, the current implementation might have another interesting side effect. I haven’t done enough work to say it with confidence, but a malicious user might be able to block another user’s legitimate purchases from being reported correctly by Bing (I only tried this once, but it seemed to work). Posting a transaction to Bing requires sending them an order ID in the request. Bing performs a reasonable sanity check on the order ID, and will not post a transaction that repeats a previously reported order ID.  When a store uses predictable order IDs (e.g. sequential), a malicious user can “use up” all the future order IDs, and cause legitimate transactions to be ignored. Reporting would be effectively down for days, causing a customer service nightmare for both Bing and the merchant.

Based on what I’ve found, I wouldn’t implement Bing Cashback if I were a merchant.  And, as an end user and bargain hunter, it does not seem smart to rely on Bing Cashback for savings.  In our next blog post, I’ll demonstrate some other subtle but important reasons to avoid using Bing Cashback.
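As an added example (not code from Samir’s post, and not anything Bing or Microsoft ship), here is how the receiving end of a pixel-style report could refuse forged reports: the merchant signs the report fields with a shared secret and the receiver verifies the HMAC before the duplicate-order-ID check, so an outsider can neither post fake transactions nor “use up” future order IDs. The parameter names follow the URL quoted in the post; the `sig` parameter, the `MERCHANT_SECRETS` table and all sample values are assumptions.

```python
import hmac, hashlib
from urllib.parse import urlsplit, parse_qs

# Constructed per-merchant shared secrets; a real deployment would provision these
# out of band when the merchant signs up for reporting.
MERCHANT_SECRETS = {"42": b"constructed-secret-for-merchant-42"}
# Fields covered by the signature, in the order they are hashed (names from the
# pixel URL in the post; the "sig" parameter itself is a hypothetical addition).
SIGNED_FIELDS = ("jftid", "jfoid", "jfmid", "m[0]", "p[0]", "q[0]")

def canonical(params):
    """Fixed-order canonical string so merchant and receiver hash the same bytes."""
    return "&".join(f"{k}={params[k]}" for k in SIGNED_FIELDS)

def sign_report(params, secret):
    return hmac.new(secret, canonical(params).encode(), hashlib.sha256).hexdigest()

def merchant_pixel_url(params, secret):
    """The URL a merchant's confirmation page would request (constructed format)."""
    query = "&".join(f"{k}={v}" for k, v in params.items())
    return ("https://ssl.search.live.com/cashback/pixel/index?"
            f"{query}&sig={sign_report(params, secret)}")

class CashbackReceiver:
    """Receiving side: verify the signature first, then apply the duplicate check."""
    def __init__(self):
        self.seen = set()      # (merchant, order id) pairs already credited
        self.credited = []     # (merchant, order id, amount)

    def accept(self, url):
        q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
        try:
            fields = {k: q[k] for k in SIGNED_FIELDS}
            sig = q["sig"]
        except KeyError:
            return "rejected: missing field"
        merchant, order = fields["jfmid"], fields["jfoid"]
        secret = MERCHANT_SECRETS.get(merchant)
        if secret is None:
            return "rejected: unknown merchant"
        # Without the secret an outsider cannot produce a valid signature, so
        # forged reports never reach the order-id check and cannot exhaust ids.
        if not hmac.compare_digest(sig, sign_report(fields, secret)):
            return "rejected: bad signature"
        if (merchant, order) in self.seen:
            return "rejected: duplicate order id"
        self.seen.add((merchant, order))
        self.credited.append((merchant, order, float(fields["p[0]"]) * int(fields["q[0]"])))
        return "credited"
```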

NINE WORDS WOMEN USE

November 3rd, 2009 Posted in Unspecific | No Comments »

As received from my fiancé…  words of warning or advice.

1) Fine: This is the word women use to end an argument when they are right and you need to shut up.

2) Five Minutes: If she is getting dressed, this means one-half hour.  Five minutes is only five minutes if you have just been given five more minutes to watch the game before helping around the house.

3) Nothing: This is the calm before the storm.  This means something, and you should be on your toes.  Arguments that begin with nothing usually end in fine.

4) Go Ahead: This is a dare, not permission. Don’t Do It!

5) Loud Sigh: This is actually a word, but is a non-verbal statement often misunderstood by men.  A loud sigh means she thinks you are an idiot and wonders why she is wasting her time standing here and arguing with you about nothing.  (Refer back to #3 for the meaning of nothing.)

6) That’s Okay: This is one of the most dangerous statements a woman can make to a man. That’s okay means she wants to think long and hard before deciding how and when you will pay for your mistake.

7) Thanks: A woman is thanking you, do not question, or faint. Just say you’re welcome.  (This is true, unless she says ‘Thanks a lot’ – which is PURE sarcasm and she is not thanking you at all.  DO NOT say ‘you’re welcome’ – that will bring on a ‘whatever’.)

8) Whatever: Is a woman’s way of saying F– YOU!

9) Don’t worry about it, I’ve got it: Another dangerous statement, meaning this is something that a woman has told a man to do several times, but is now doing it herself. This will later result in a man asking, ‘What’s wrong?’ For the woman’s response, refer to #3.

SSL-Cipher-Check v1.6

October 21st, 2009 Posted in Computers, Software, Unspecific | No Comments »

SSL-Cipher-Check v1.6 (http://unspecific.com/ssl/) released.  Bug fix for an SSLv2 incomplete handshake causing a false positive.

Steven Andrés (of Special Ops Security) pointed out a flaw and gave me a fix:
“For some cipher combinations, OpenSSL will return a “verify return” command but then later on fail with the “no cipher list” error. Since you check the former and not the latter, you false positive on these ciphers.”

His patch has been applied and all is working well.
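As an added example (not the Perl code of SSL-Cipher-Check itself), here is the decision logic the fix amounts to, in Python: the pre-fix version accepts a cipher as soon as a “verify return” line appears in the `openssl s_client` output, the fixed version rejects it when a “no cipher list” style error follows and requires the negotiated cipher to appear in the session block. The transcripts are constructed and abbreviated, and the error-code field is a placeholder.

```python
import re

# Any of these in the s_client output means the handshake did not complete with
# the probed cipher, whatever was printed earlier. "no cipher list" is the reason
# string named in the post; the other two are common OpenSSL / TLS-alert wordings.
FAILURE_PATTERNS = ("no cipher list", "no ciphers available", "handshake failure")

def cipher_supported_naive(output):
    """Pre-1.6 logic as described above: any 'verify return' line counts as success."""
    return "verify return" in output.lower()

def cipher_supported(output):
    """Fixed logic: a later failure overrides the early verify line, and the
    negotiated cipher must actually be reported in the SSL-Session block."""
    lowered = output.lower()
    if any(p in lowered for p in FAILURE_PATTERNS):
        return False
    m = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.MULTILINE)
    return bool(m) and m.group(1) != "0000"   # 0000 = no cipher negotiated

# Constructed, abbreviated transcripts of the two cases the post describes.
SUPPORTED = """\
depth=0 CN = example.test
verify return:1
---
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
Verify return code: 0 (ok)
"""

FALSE_POSITIVE = """\
depth=0 CN = example.test
verify return:1
error:XXXXXXXX:SSL routines:(constructed):no cipher list
---
SSL-Session:
    Cipher    : 0000
"""

def check(cipher_name, output):
    """What a scanner would record for one probed cipher under both rules."""
    return {"cipher": cipher_name,
            "naive": cipher_supported_naive(output),
            "fixed": cipher_supported(output)}
```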

Chaos

October 18th, 2009 Posted in Unspecific | No Comments »
011000100110100101101110011000010111001001111001001000000110100101110011
001000000111010001101000011001010010000001100101011100000110100101110100
011011110110110101100101001000000110111101100110001000000110111101110010
01100100011001010111001000001010