Controversial Thoughts

Introduction
This is the blog of IndianZ; the topic is set to controversial thoughts. More than 10 years of experience (and frustrations) in the information technology and security industry hopefully allow me to say something useful here from time to time. The purpose of this blog is to publicly reflect on common things in information technology and security overall, or to present things worth mentioning. It's not a classical blog, because no commenting feature is included :p.

2012-01-11 - Smartphones
Ever needed to choose a new mobile phone? Perhaps opted for a smartphone? Well, I must admit, this indeed is a difficult choice. As pure and simple (but working most of the time) is no longer available, you always need to accept drawbacks, especially if you don't like social networks or cloud backups of your private data. There are only a few reasonable operating systems available, and more and more often plain local synchronisation seems no longer to be supported, while you can sync everything with whatever social network or cloud. Did you notice the first mobile banking apps coming onto the market now? Isn't this dangerous, as mobile phone networks are not considered secure either? And what about this app insanity going on at the moment? Instead of knowing things by heart, we get accustomed to looking them up with our smartphones. I personally think this is a dangerous trend, as we make ourselves dependent on technology. Not everybody wants to have everything of his private life on the mobile device. Furthermore, a lot of our mobile devices have proprietary things on them (like statistics trojans) or locked functionality, so the user can no longer choose freely. Manufacturers once respected the wishes of customers to make the products better; now customers need to take what is available, as manufacturers try to outrival each other by functionality or design. And the best is, most people accept this and comply with this burden without even questioning it. Devices with higher complexity have higher failure rates and are also more vulnerable; this is a proven fact...

2011-12-08 - Information
In the early days of the internet, information was requested to be open and freely distributed. Nowadays, as money rules more and more over freedom, this changes. The shift started when companies began to implement personalization and filtering of content, especially on the web. There are algorithms which allow editing of web content in real time and not transparently for the user. Content is customized by our surfing behaviour, meaning we just see what these algorithms think we want to see. Not only search engines do this, but also news sites and social networks. The whole filtering has negative side effects, as filtering of news and content might lead to invisibility of information. This can be intended, but normally informational content is customized only based on our behaviour. This can result in a view of our world which is not really our reality. Thinking more offensively, we put ourselves on an information diet or feed a lot of junk information to our minds. Is this healthy? Make yourself some proof of this: for example, search with a friend for the same terms on popular search engines. If history and cookies are not cleaned (but sometimes also with cleaning), you might not see the same content when results are presented. If you like to use a search engine that does not filter or track your surfing behaviour, have a look at duckduckgo ;)... (inspired by Eli Pariser - The Filter Bubble, what Google and Facebook are hiding)

2011-11-25 - Infowar
The world knew the Cold War period, where the balance of rearmament in superpower politics prevented war. Nowadays it is information war time; information is the most wanted object (either controlling it or offensively taking control of it). Infowar can be of a defensive nature like information assurance, defense technologies and protective measures, or it can be of an offensive nature like computer network attacks, media manipulation and psychological operations. The sector is already old: the Chinese general Sun Tzu wrote 2500 years ago about psychology and deceit in military strategies and tactics. Information is collected, correlated and pierces all through our daily lives. Think about the traces you leave with your credit card, your mobile phone and your store cards. Do some ego googling for your name and be surprised what can be gathered publicly (surely heavily dependent on your exposure awareness and counter-measures). Whistleblowing is about secret information being published, which normally exposes unfair conditions related to work or authority. We live in the information age, but I ask myself: what happens when there is more information available than we are able to process in reasonable time?

2011-11-22 - Obsolescence
A common problem of today is obsolescence, which describes objects or products that are no longer desirable, either because something superior is available or because they are no longer trendy. This all despite the fact that the object or product might still be working as expected. This is not only applicable to mobile devices like smartphones; it can be anything in our life, from clothes over cars to toothbrushes. Marketing also has an influence here, as products are developed further over time and replacements with more functions become available. Obsolescence is also linked to growth, as products can be built to decay faster, which means cheaper but faster replaced things; this is called planned obsolescence. Did you ever wonder why printers stop working after some time and need replacement of strange things (duplexer, transfer kit)? There might be a counter in the hardware or firmware, ensuring you need support from time to time. Or did you wonder why newer operating systems on older hardware models sometimes run terribly slow, forcing you to upgrade the hardware? Ask yourself: do I really need object A in several flavours? Do I really need 10 slightly different pieces of object B? Marketing is trying to force you to buy things, even unneeded ones, and to replace them with something more fancy and further developed shortly after. Where will this trend to obsolescence lead to in future?

2011-10-30 - PTES
There is a new methodology available for penetration testing, the PTES, the Penetration Testing Execution Standard. This standard is published online (first draft in 2010), an aggregated and ongoing effort of several experienced security testers from all around the world, known to the community. The PTES is available as mind maps for an overview of the process steps or phases, and also as technical guidelines with overwhelming information about all aspects of penetration testing. The process layout is simple. The pre-engagement interactions take care of contractual issues like scope, goals, limitations, liabilities and more. Intelligence gathering describes information gathering, either passive or active, like footprinting of the internet presence, protocol and port scanning as well as fingerprinting of services. The threat modeling step contains threat and risk analysis, for estimating the impact of vulnerabilities and classifying critical systems; attack paths may also be defined here. Vulnerability analysis can be done automatically with a vulnerability scanner or manually, by comparing found service versions with public vulnerability databases. The exploitation phase means exploiting the identified vulnerabilities; this confirms that a finding is real and so minimizes false positives. The post-exploitation step contains privilege escalation, pilfering, further penetration of the network, dual-homed systems and more. And last but not least there is the last step as usual, reporting, where the documentation is written, countermeasures are recommended and findings are presented. Beside the OSSTMM for security assessments with RAV trending and OWASP for web application security, this newly introduced standard PTES provides solid information useful for penetration testing. Happy testing with the PTES ;)

2011-10-03 - Growth
Nowadays we can see more and more impact in our business world because of growth. Companies tend to grow, and some growth in a healthy manner can indeed be good. But the current run concerning growth (think about investment banking or companies which need natural resources), always getting bigger and bigger, gaining more and more money, can't go on forever like this. Growth is naturally balanced: for everybody who wins something, there is also somebody who loses at the same time. But people (especially management) seem to forget that very fast. Growth also means power; the bigger a company, the more it can influence the market. And growth also means reputation; being mentioned in the Fortune 500 means bigger clients and more contracts. And for realizing growth, companies decreased quality to be able to produce more cheaply, which means being able to produce or sell more. Sometimes one could get the impression that it does not matter what quality a product has; instead, increasing growth of the company is focused on in every aspect possible. But I can't understand how companies really can forecast and realize more and more growth; on a planet with limited resources this seems really silly somehow. Healthy management of resources and business seems no longer to be worthwhile, only unlimited and unhealthy growth. Be well prepared when this growth may lead to the next economic crash in future...

2011-09-07 - Desensitisation
Losing our sensitisation is somewhat related to other blog entries here. Desensitisation is first known from medicine, where people using drugs need to take more after some time to have the same desired effect. Our body gets used to drug substances, and this implies some desensitisation is happening in ourselves. Perhaps you remember the story of a bored shepherd who cries for help because a wolf is coming. After he had done that a few times, the people running to him were frustrated, because there was no wolf, just a bored shepherd having fun. Then some day a real wolf came and attacked the sheep. The shepherd cried for help, but nobody came to fight the wolf. This also implies desensitisation, as people thought he would be joking again. Now these examples can easily be transferred to our daily lives. Think about the homeland security alert colours, which were introduced shortly after 9/11. The colours always showed yellow or orange alert concerning terrorist attacks, regardless of the real situation (mostly nothing happened after these "alerts"). This also implies desensitisation happening here, because people in fear more easily accept increasing public surveillance and decreasing privacy rights. Another effect is also happening here: the terrorist threat is now accepted by the mass of people. By the way, the confusing colour scheme has now been abandoned, after almost 10 years. Marketing is also a good example: if people see things over and over again, their brains start to integrate these things happily into their reality and lives. Think also about the rising violence in films and games; this leads to rising violence in societies as well. Desensitisation is happening all over the place, also in information technologies. For all too long, Apple was free from malware, so people don't care too much about that topic. But as more and more Apple devices are used, they get more and more into the focus of malware writers, so this will change (slowly, because the design of Apple's platforms is harder against malware compared to other platforms, although not invulnerable). Actually, isn't this again a cry for help against the wolf attack ;)?

2011-08-18 - Transparency
After some thinking concerning my last blog entry about quality, I came to an interesting conclusion. As you might have read already, one of the problems today is the decrease of quality in all aspects of our life. And I personally think this is - of course beside other influences like optimization of costs and benefits - directly linked to missing transparency. I see companies removing pictures of employees from the homepage, no longer transparently showing the engagement of the people (to hide the actual human resource fluctuation). I also see management of companies no longer communicating its goals transparently, preventing identification with the company and self-initiative from employees. More and more politics and psychological operations take place in companies and also in our life, instead of open information and transparent communication. Clever marketing and reputation management take over now. Corporations try to hide their intentions, denying obviously visible responsibilities, engaging in psychological operations instead of fixing the injustice or the environmental or social damage they have done with fraud and other actions (mostly only to get bigger and/or gain more). But isn't exactly this what leads to whistleblowing and unsatisfied people in our society? On the one side, there are a lot of secret shades of governments and also corporations; on the other side we can see rising general surveillance and economic espionage. Times of mistrust have come over us, authorities tightening control and people fearing loss of privacy more and more. Yet we have another conflict there: people screaming for privacy but uploading half-naked pictures of their drunken weekend adventures to social networks online... Do we have a classical doublethink (1984) case here? Perhaps we should go back to the old-school hacker ethics: public information should be free; private information must be protected. Practice critical thinking and apply common sense. Promote decentralization (as this prevents unhealthy power concentrations) and always mistrust authorities a bit. And curiosity about how this world works is itself no crime...

Quality - 2011-07-26
We hear a lot about quality management nowadays; everybody wants ensured quality or increased quality. Good quality of something is not bad at all. Actually, it can be said that better quality is needed, not only because of obsolescence of products (the throw-away life cycle of cheap and replaceable products). Selling companies needed to raise their turnover, and as everybody already had a certain product with (more or less) enduring quality, they were not able to sell them the same product anymore. The outcome of that situation is that they finally lowered the quality of their products (the product will break and be replaced) to be able to sell more but cheaper products (re-selling bad-quality products to the same customers over and over again). Worsening the situation even more, quality can and must be measured and controlled. That's where standards come into the game. But some managers have wrong expectations of quality standards: they expect them to raise the quality of products overall. But a quality standard (like the ISO family) only measures whether the processes in place are documented and working correctly (beside other organisational or structural recommendations and proposals). The quality of the end product is not measured at all, only the processes to get there. So a quality standard normally only helps to get rid of lots of money and to have processes documented in a standardized and formal way. The formal overhead is also a big problem of quality standards; they generate a lot of additional work and documentation, and this must be followed as long as the company bows to the chosen quality standard. Also, a standard is only as good as its implementation, and that's where most companies fail. They follow a certain standard, but they forget to check the implementation and its efficiency afterwards. And also, instead of a quality standard, common sense might be applicable as well. What if the money spent on quality compliance had been invested into product quality for the consumer in the first place?

Malware - 2011-07-14
The evolution of malware continues faster than ever before, not only but also because of mobile devices, increasing global network interconnection, overwhelming numbers of users on public technologies or platforms as well as financial profits. Cybercrime always happens where the money is. Beside cost savings (banks need fewer employees when clients use internet banking), the trend clearly goes in the direction of extending mobile services like banking applications. Even worse, some of the mobile device platforms are not secure at all, or it is very hard to bring some basic security features to them. Another problem is that users of computer infrastructure have neither the awareness nor the knowledge to protect themselves at least reasonably. And private consumer devices and business devices are mixed up in the office world, which makes general security almost impossible. Putting everything online on social networks or cloud-based services worsens the situation even more. Malware itself evolves as well: Stuxnet started another chapter concerning malware threats in terms of cyberwarfare, and now the hard-to-detect and hard-to-remove TDL4 botnet is following this path as well. The possibilities and opportunities for malicious software are almost unlimited. Think about rootkits for databases (like SAP), for hardware (like EEPROMs) or even for virtualization technologies (like hypervisors). We have to admit that security measures, especially anti-malware measures, are less effective today than ever before. And malware writers perfect their skills, combining trojan and rootkit functionality, including 0day exploits or modular updating features. We will for sure see some malware threats in future which are very scary for everybody and/or almost undetectable. Be prepared and ensure your technical security as well as your personal safety anytime, anywhere...

OSSTMM 3 Test - 2011-07-11
Long enough waited for, I now had the opportunity to audit a system with the OSSTMM version 3.0 including the latest RAV calculation. And I really must admit, the methodology is more straightforward and complete, better structured and more thorough than ever. One can feel the difference to the older versions of the OSSTMM, where parts were not really logically connected or even lacked full integration. I did not verify the mathematics of the RAV calculation in detail (yet :p), but it seems to represent more or less the feeling the tester got when trying to break the machine. As an analyst I need to say that the loss controls are a bit questionable for me though, as there might be services which can hardly be protected by all 10 loss controls (UDP-based services for example). This question also matches the result: a really hardened Windows 7 client install only got a RAV somewhat over 80%. Perhaps it is influenced more than thought by trusts, as functions related to a Windows forest are hard to prevent without breaking functionality of the client machine. The threshold of the magic RAV over 90% seems very difficult to reach, especially if business justification requires some (and not only one) services to be activated. At least, and this is a big plus for the OSSTMM 3.0, a RAV of 80% and more is accepted as threshold for trusted environments (trusted in the sense of controlled, patched, maintained and protected). Additionally, it may be my experience or also the OSSTMM 3.0, but the security test could be executed in a smooth manner and the reporting phase could also be completed without problems in time. Just good to know: the reporting phase may need a bit more than half of the testing time, so planning adequate testing time and reporting time might be a good choice (some spare time ;). I need some more hands-on experience with more testing (also several machines in one test); until then, have fun trying or using the OSSTMM and enjoy true security testing!

Data Loss - 2011-07-04
After several hacker attacks in the last months, the public now knows that stored user accounts and passwords may not be as safe as thought in the first place. Also, companies with trade secrets or innovative property, financial or privacy-relevant data may become more and more concerned whether data breaches with data loss may happen to them as well. Reality proves it daily: data breaches happen more and more. One can understand that people try to prevent data loss, respectively want to protect enterprise intellectual property. This led to another product and service which is sold to customers, so-called data loss prevention (DLP) or enterprise intellectual property (EIP) protection. These products want to prevent subjects from stealing or copying informational objects, both intentionally and unintentionally. But the problem with these kinds of products is: the more restrictively they are implemented, the less usable the daily work becomes. Also, people tend to try very creative ways to circumvent such mechanisms; think about taking pictures of the screen with a mobile camera, tunnelling information out over allowed protocols or just taking a piece of paper out with handwritten notes. Also, the classification of documents is critical to DLP/EIP, but be aware that users may classify information lower than needed, just to not have to encrypt it. Some technical measures to prohibit silly and dangerous behaviour (like automatically encrypting important business documents copied to memory sticks) really make sense, but do not think you solve the whole problem just by implementing some solution. As private and business data get more and more mixed up, this also makes it more difficult to control access to information. The trend of working on privately owned devices opens additional attack surface, and users sending business documents to their home email may really not know the risks associated. It may be worthwhile to focus on user education, because if users understand why something is important, they finally have a lot more motivation to do it. And last but not least, user awareness is probably also less expensive than implementation and maintenance of any DLP/EIP solution.

Cyberwar - 2011-06-25
Cyberwar is becoming reality nowadays. The complexity of information systems as well as the global internet(working) brought us heavily connected and vulnerable society and business systems, which depend on critical infrastructure. Think about all the things needed for energy distribution, for traffic control in the air, on the sea and on land, the whole financial sector with stock exchanges and cash dispensers, as well as communication services like phones, television, RFID and wireless. In the course of optimizing business processes, cost savings were demanded and realized with outsourcing and by replacing humans with remotely accessible information systems. This led to a very vulnerable world with big attack surfaces and a lot of vulnerabilities. Even worse, an attacker can do very targeted harm with not many resources. The defender, on the other hand, needs to be prepared for all kinds of attacks, which makes this task almost impossible. Also, most of the companies responsible know it is best practice not to connect the critical infrastructure to the internet. Mostly, they connect the internet somehow to the internal company network, and the network for critical infrastructure as well. So in fact it is not impossible to get from the internet to the critical infrastructure. And if they really have separated the networks physically, it is a good bet to send an infected USB stick, used for policy-offending data transfers, into the company. Hacking also evolves a lot; today there are more and more hackers capable of finding more and more vulnerabilities. It is possible to do very targeted surgical attacks, and involving social networks you can even target very important persons very easily. Malware evolves too; as we saw with Stuxnet, it may go unnoticed for quite some time. Cyberspace dominance is the key, and there are some forces which want exactly this. Be prepared for an ongoing and intensifying battle in the internet. And do not connect houses, fridges or coffee machines to the internet; this will only make us more vulnerable...

Consumer Devices - 2011-06-21
A lot of people fail to see how broken the security of the market and of consumer devices is nowadays. Even large corporations fail to provide even basic security concepts; just have a look at the last few big attacks which happened on the internet and how consumers were ignored or left in the dark of uncertainty. People tend to trust companies, assuming they would not go onto the market with a device that is not ready, and that they surely have done their homework and ensured the security of their infrastructure adequately. Also, people need less and less know-how to operate gadgets and devices, which also implies that security principles and a deeper understanding of possible risks are no longer relevant. This leads to a situation where a lot of insecure devices are used and people are not aware of the associated risks. Probably there just has not been enough data loss or personal consequences yet, but this for sure will change over time. Also, there are a lot of MBAs, security specialists and so-called risk managers acting, but in a way which does not serve more security or safety. Also, a lot of security managers/specialists don't live real security, fully trusting their Android or Apple gadgets or using free email services on the internet without encryption. Security testing today is degraded to vulnerability scanning and to identifying false negatives and false positives in the results. But this only scratches the surface of security and has nothing to do with what real security testing should be. A real security test goes into a deeper understanding of the scope to be analyzed and also identifies vulnerabilities there. But this needs the real hackers again, not just those internet criminals the public tends to identify as hackers. But corporations prefer to engage MBAs, security specialists or risk managers, where they only have to compare to industry baselines (relevant is only what the competitors are doing) or some obscure compliance-driven objectives. Stop this craziness and engage some real security professionals! (inspired by Pete Herzog - How to pen-test crazy)

Life-/Work-Balance - 2011-06-05
Our businesses and societies are performance- and efficiency-driven: do more while costing less. Growth is the main target: more money, more sales, more market coverage. So the employees are forced to do more with fewer resources, because profit is all that counts. It's very hard to resist and not to dive into a career, but at which price? Being able to buy a cool house with a pool but not being at home to enjoy it with your family most of the time? Companies do work-life balance, making employees more productive and happy on the job, but do we need a psychologist to maintain our private life? Some companies try to attract young employees to stay most of the time in the office, by having everything they want/need/wish ready at hand. This is a dangerous game, as business and private worlds grow together and differentiating between them becomes more and more difficult. Social networks and always-on smartphones do not help here either. I rather would call it life-/work-balance, as most of us may have a family and need to make this split between life and work (don't forget, it's 8-9 hours of work and 15-16 hours of life per day). We really should take care of our time and how we invest it, as lifetime is limited for everybody...

Linux - 2011-05-21
After happily using mainly Gentoo Linux for the last years, I had some issues with maintaining this distribution; it's just too time-consuming for general updating tasks (always compiling from source). Also, some complicated setups were hard to realize in real life, so I wanted to switch the Linux distribution (once again). But there are a lot of Linux versions and distributions out there, so it's hard to choose the right one. Source-based distributions (like Gentoo, Sorcerer/Lunar Linux/Source Mage) are harder to maintain but provide the most customization for users. Minimalist distributions (like Linux From Scratch, CRUX, Slackware, Arch Linux) try to provide a simple and minimalist Linux experience. General distributions (like Debian, Fedora, Frugalware, Red Hat) are there to fit most purposes of a production-oriented Linux system. There are also beginner distributions (like Ubuntu, Mandriva, openSUSE, PCLinuxOS, Linux Mint), which provide an automated Windows replacement for Linux newbies. Last but not least, there is the BSD family (like NetBSD, OpenBSD and FreeBSD); strictly speaking these are not Linux distributions at all but complete Unix-like operating systems with their own kernels, the purest Unix-like systems of the lot. The problem with recent Linux distributions is that beginner as well as general distributions tend to fully automate tasks and configurations. If you want to have control over this, you have to break these automatisms or even choose another, more minimal distribution. Generally speaking, Mac users switching to Linux might find Ubuntu with Unity very cool, Windows users probably like Debian with KDE, and people like me, who want to have fine control over things and no hidden automatisms, rather stick to a minimalist distribution (like Arch Linux ;). For security testing, by the way, the BackTrack distribution is probably the first choice. So have fun with a more and more mature Linux world...

Ethics - 2011-04-14
A lot of companies call themselves an "ethical" company, but what's ethical anyway? Ethics always has something to do with personal moral standards, the do's and don'ts related to business behaviour, relations to customers and also to employees. But, under the influence of American management standards, more and more ethical behaviour gets lost. The problem is that short-term quick wins are more lucrative than the long-term customer relationships and quality standards we knew before. What about the established Swiss quality standards in the economy? They are no longer worth anything; only bonus payments and additional value for egoistic management count. We live in a world where long-living products no longer have a chance on the markets, because companies always need to grow, make more profit than last year and give a higher amount of money to their stakeholders. So they invented the throw-away life-cycle management of products. It's about making lots of cheap products, and if a product stops working, you can throw it away and cheaply buy a new one. One can see that the problems will get worse over time, and then the doublethink also increases drastically. Yes, we need nuclear power plants, but we all hope no catastrophic event will blow the radioactive content all over the place. All people know that energy saving and energy efficiency are important, but power consumption still rises. Everybody knows that climate change is bad, but everybody continues to use cars with gasoline engines. People know that animal experiments by pharma companies are rising, despite the fact that there are technologies and methods out there to come up with valuable results without sacrificing animals. Is it justified to kill thousands of animals to be able to heal some hundreds of people? What if it would have to be humans? How many are we willing to torture for scientific reasons? Or even kill? And if it were your children? It is sad that people seem to see the problem but are unable to stand up and fight. But probably it is easier to switch off the light in ourselves than to enlighten and change our environment for the good...

Cloud Computing - 2011-04-06
We're going to the cloud, moving to the cloud - it's stated everywhere in the IT scene right now. But there's nothing mystical there, just renamed good old plain outsourcing, implemented with even more risks. At first view it seems very tempting to have all your applications (SaaS - Software as a Service), platforms (PaaS - Platform as a Service) or even full infrastructures (IaaS - Infrastructure as a Service) handy at your fingertips anytime and anywhere, but there are remaining questions. What about privacy? Do you fully trust your CSP (Cloud Service Provider)? Where is the data located? Can it be exported and re-imported in-house somehow? What about the legal aspects of contracts? In times of lawful interception, do you REALLY trust your service provider? Marketing created a new need; everybody wants to join this magical experience of "cloud computing", it has to be "in the cloud". But people seem to ignore obviously visible risks (no definable perimeter anymore, lack of transparency, exclusive reliance on a provider, quality assurance problems, missing security reporting and auditing), ignore common sense and put all data online somewhere. I know some legal consultants who use Google Docs and Gmail for business purposes, or even worse, IT security companies using Salesforce as their customer management tool. Cloud computing means your data on someone else's hard drive; you lose basic control over environmental aspects concerning your data. Saving money is mentioned as a reason for doing cloud computing. But if you don't control on-demand manageable resources, you could generate a lot of additional costs. And what if the cloud for "some" reason is not available at the moment? Uptime calculations regain importance. There is one rule of thumb concerning cloud computing: if it's security-related and/or contains business/trade secrets or legally relevant stuff, don't put it into the cloud! The loss of control over things in the cloud outweighs everything this magical marketing buzz soup can promise you in the end...
|
Exploits - 2011-02-25 In IT security we often hear the term exploit. It means exploiting a vulnerability: circumventing protective measures to break into a system (remote exploits) or escalating privileges to a higher privileged account like root or administrator (local exploits). Exploiting is possible because the processor does not distinguish data from code; it executes whatever the instruction pointer is made to point at. So when an attacker can write more into a buffer than it holds (the input length is not checked), the excess bytes overwrite whatever lies next to the buffer in memory, for example a saved return address or a function pointer, and with it the attacker gains control over what the program executes next. Nowadays software normally comes in big packages like an operating system, and more than one developer works on it. People tend to make errors, so in the tens of millions of lines of code of an OS we will surely find some. Even worse, developers write modules which are patched together; when functions pass data between them, did anybody really check all the buffers? Fine, at least some life-cycle management is done, such as static analysis of the source code looking for insecure functions (strcpy, sprintf, gets) and unchecked buffers, but it does not catch them all. We also distinguish private exploits, which are shared in the hacker scene without the vendor officially knowing about the vulnerability's existence, from public exploits, which were released to the public (mailing lists, exploit databases, Metasploit). If an exploit is released before a patch exists, we speak of a 0day (zero day) exploit. A lot of discussion is going on about whether disclosure of an exploit has to be done in cooperation with the manufacturer. Sometimes the manufacturer does not react, so the exploit developer releases the exploit to the public to put pressure on them to make a patch. A private exploit for some important piece of software can be worth hundreds of thousands, so a lot of business is going on here today. 
Exploit/vulnerability researchers increasingly try to get paid for their work, as they effectively fix products out of curiosity and in their free time, products which customers pay licence fees to use. Companies like Google already pay for bugs found in their software; others like Sony try to sue the researchers and prohibit public knowledge of the issue. Where will this lead?
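As an added example (not code from the original post), here is the unchecked copy described above next to its checked form. To stay well-defined C it simulates the memory layout in one flat array; the frame layout, the 16-byte buffer, the 0x0BADF00D initial value and the 0xDEADBEEF payload are assumptions chosen for the demonstration, not taken from the post:

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define BUF_LEN   16            /* the input buffer the program allocated */
#define FRAME_LEN (BUF_LEN + 4) /* ... plus a 4-byte trusted value behind it */

/* One flat array stands in for a stack frame: the input buffer at offset 0
 * and a trusted 4-byte value (saved return address, privilege flag, ...)
 * directly behind it. Keeping both in one array keeps every write here
 * well-defined C while preserving the adjacency that real overflows abuse. */
struct frame {
    unsigned char mem[FRAME_LEN];
};

/* Store the trusted value big-endian so results do not depend on host byte order. */
void frame_init(struct frame *f, uint32_t trusted)
{
    memset(f->mem, 0, sizeof f->mem);
    f->mem[BUF_LEN + 0] = (unsigned char)(trusted >> 24);
    f->mem[BUF_LEN + 1] = (unsigned char)(trusted >> 16);
    f->mem[BUF_LEN + 2] = (unsigned char)(trusted >> 8);
    f->mem[BUF_LEN + 3] = (unsigned char)(trusted);
}

uint32_t frame_trusted(const struct frame *f)
{
    return ((uint32_t)f->mem[BUF_LEN]     << 24) | ((uint32_t)f->mem[BUF_LEN + 1] << 16)
         | ((uint32_t)f->mem[BUF_LEN + 2] << 8)  |  (uint32_t)f->mem[BUF_LEN + 3];
}

/* Vulnerable: trusts the caller's length, like strcpy/memcpy on unchecked
 * input. The clamp to FRAME_LEN only keeps the demo inside mem[]; a real
 * overflow has no such limit and keeps writing past the frame. */
void copy_unchecked(struct frame *f, const unsigned char *in, size_t len)
{
    if (len > FRAME_LEN)
        len = FRAME_LEN;
    memcpy(f->mem, in, len);
}

/* Fixed: the length is checked against the buffer; oversized input is
 * rejected, not silently truncated (truncation would hide the attempt). */
int copy_checked(struct frame *f, const unsigned char *in, size_t len)
{
    if (len > BUF_LEN)
        return -1;
    memcpy(f->mem, in, len);
    return 0;
}

/* Constructed attacker input: 16 filler bytes, then 4 bytes that land
 * exactly on the trusted value. */
static const unsigned char payload[BUF_LEN + 4] = {
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    0xde, 0xad, 0xbe, 0xef
};

uint32_t demo_unchecked(void)
{
    struct frame f;
    frame_init(&f, 0x0BADF00Du);
    copy_unchecked(&f, payload, sizeof payload);
    return frame_trusted(&f);        /* 0xDEADBEEF: the attacker chose it */
}

uint32_t demo_checked(void)
{
    struct frame f;
    frame_init(&f, 0x0BADF00Du);
    if (copy_checked(&f, payload, sizeof payload) == -1)
        return frame_trusted(&f);    /* rejected: still 0x0BADF00D */
    return 0;                        /* not reached for this payload */
}

int main(void)
{
    printf("unchecked copy: trusted value = 0x%08x\n", (unsigned)demo_unchecked());
    printf("checked copy:   trusted value = 0x%08x\n", (unsigned)demo_checked());
    return 0;
}
```

The 20-byte input is four bytes longer than the buffer, and exactly those four bytes replace the trusted value in the unchecked variant. A static analyser flags the unchecked memcpy for the same reason it flags strcpy: nothing ties the length to the destination size. Note that the fix rejects the input instead of truncating it; truncating would keep the program running but throw away the evidence that somebody sent an oversized input.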
|
Missing Skills - 2011-02-05 I see a lot of people with missing skills nowadays; some basic know-how seems to get lost more and more. We did not even learn these skills at school, not in apprenticeship, not when studying - in fact, nobody teaches such stuff. Three important missing skills come to my mind: 1) how to really learn (not only repeating things thrown at us), 2) critical thinking (challenging facts, knowing the motivations/benefits behind facts, marketing tricks) and 3) information verification (sources, quality of information, details, benefit for whom/motivation behind). A lot of people tend to accept shortcuts of the mind, where assumptions pass as proven facts (we've done it this way for 40 years, so it has to be right) or decisions are taken without really thinking (social proof: everybody does it, so it has to be right for me as well). We should re-learn to ask questions, to challenge traditions and general behaviour, to apply common sense more often, to search for the motivation and benefits behind things, and to be aware of psychological, marketing and communication tricks. To verify information (very important, as more and more information is floating around), one should use 3 to 6 independent sources and check the quality, whether the important details match, the background of the situation, political aspects, and so on. We should be and remain curious, always interested in learning new stuff, open-minded, adaptive and pro-active. Stop doublethink and double moral standards, free your mind... (inspired by George Orwell's 1984)
|
Lifecycle Management - 2011-01-31 Life-cycle management means the management of projects and systems over their full life-cycle (planning, development, implementation, deployment, production and disposal). This covers not only technical aspects but all aspects relevant to the system and its environment, application and data. A common problem with life-cycle management is that there is no central repository of projects and systems, no overview of the whole system/project landscape. Another common problem is that security is often involved very late in system/project management, so less time to implement and higher costs result when security has to be established in a late project phase. If security is a hot topic, the first task should be to enforce security at project milestones, for example with penetration tests and implementation checks. Ideally this should be a gap analysis, comparing what is planned on paper with how it is implemented in reality. Too often the papers do not reflect the real system configuration, as documentation is not always updated when changes are applied. Security should also be enforceable: if the system/project does not fulfil the security requirements, it cannot continue to the next phase until they are met. Security should also have the power to stop projects and systems if they pose too much risk to the system landscape or to security in general. It is important as well that project managers and developers are aware of security problems; if systems are built without security, this can result in big incidents with data loss and reputational and/or financial damage.
|
Vulnerability Management - 2011-01-16 Vulnerability management is a continuing process of cyclically checking systems for vulnerabilities. More and more it is used not only for internet-facing and other exposed systems but also for clients and servers in general. Vulnerability management provides reports for scheduled scans of protocols, ports and services; these reports contain a list of the vulnerabilities found and, at the end, proposals for remediation. The quality of vulnerability scans depends a lot on the product as well as on the person scheduling the assessment. Not all products provide the same quality or configuration options, and all vulnerability scanning/management solutions share one general problem: to find known vulnerabilities they largely rely on version information, matching the detected version of a service against the versions an advisory lists as affected. This implies that the version information could be wrong, faked (a banner is just a string the service sends) or simply not detected correctly, and that distributions which backport fixes without changing the version number show up as vulnerable although they are patched. If the detected version is wrong, the vulnerabilities found could be wrong as well. It is also possible that a vulnerability is not found because it is too new, not configured in the scan or not yet integrated into the scanning solution. One way to measure the validity of a vulnerability scan is to let a penetration tester verify the results manually, so false positives and negatives can be found and eliminated. People should be aware that vulnerability management is not always correct, but it can provide valuable information about the state of patch management on the scanned systems. In the area of security testing, vulnerability scanning/management only provides added value if the results are interpreted and analyzed for real remediation, not when the report spewed out by the tool is handed directly to the client.
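As an added example (not code from the original post), a minimal version of the matching a scanner does, written to show where it goes wrong. The product name "exsshd", the advisory "affected below 7.7" and the sample banners are constructed for the demo and not a real advisory; the backport heuristic (distribution suffixes such as Debian, Ubuntu or .el) is an assumption a real scanner would refine:

```c
#include <stdio.h>
#include <string.h>

enum verdict { NOT_AFFECTED, AFFECTED, NEEDS_MANUAL_CHECK };

/* Constructed advisory for the demo, not a real one: the hypothetical
 * service "exsshd" is affected in every version below 7.7. */
static const char *ADV_PRODUCT = "exsshd";
static const int ADV_FIXED_MAJOR = 7;
static const int ADV_FIXED_MINOR = 7;

/* "MAJOR.MINOR" from a version string such as "7.4p1"; 0 if unparseable. */
static int parse_version(const char *v, int *major, int *minor)
{
    return sscanf(v, "%d.%d", major, minor) == 2;
}

/* Heuristic: distributions backport fixes without bumping the upstream
 * version, so a distro-tagged banner cannot be judged by version alone. */
static int looks_backported(const char *extra)
{
    return strstr(extra, "Debian") || strstr(extra, "Ubuntu") || strstr(extra, ".el");
}

const char *verdict_name(enum verdict v)
{
    switch (v) {
    case AFFECTED:     return "affected (by version match)";
    case NOT_AFFECTED: return "not affected";
    default:           return "needs manual verification";
    }
}

/* Judge one banner of the form "product_version[ extra]" the way a scanner
 * would. A banner is only a string the service sends: it can be wrong,
 * edited by the admin, or absent, which is why the third verdict exists. */
enum verdict assess_banner(const char *banner)
{
    char product[32] = "", version[32] = "", extra[64] = "";
    int major, minor;
    int n = sscanf(banner, "%31[^_]_%31s %63[^\n]", product, version, extra);

    if (n < 1)
        return NEEDS_MANUAL_CHECK;            /* nothing detected at all */
    if (strcmp(product, ADV_PRODUCT) != 0)
        return NOT_AFFECTED;                  /* advisory is about another product */
    if (n < 2 || !parse_version(version, &major, &minor))
        return NEEDS_MANUAL_CHECK;            /* product known, version not */
    if (major > ADV_FIXED_MAJOR ||
        (major == ADV_FIXED_MAJOR && minor >= ADV_FIXED_MINOR))
        return NOT_AFFECTED;                  /* at or above the fixed version */
    if (n == 3 && looks_backported(extra))
        return NEEDS_MANUAL_CHECK;            /* old number, possibly patched */
    return AFFECTED;
}

/* Constructed banners standing in for what a scan would collect. */
static const char *sample_banners[] = {
    "exsshd_7.2p2",                   /* plain upstream build, old: affected */
    "exsshd_7.4p1 Debian-10+deb9u7",  /* old number but distro build: verify */
    "exsshd_8.0p1",                   /* newer than the fix: not affected */
    "exsshd",                         /* version hidden: verify */
    "otherd_1.0",                     /* different product: not affected */
};

int main(void)
{
    size_t i;
    for (i = 0; i < sizeof sample_banners / sizeof sample_banners[0]; i++)
        printf("%-32s -> %s\n", sample_banners[i],
               verdict_name(assess_banner(sample_banners[i])));
    return 0;
}
```

The third verdict is the point: a scanner that only knows "affected" and "not affected" turns every hidden version and every backported build into a false negative or a false positive. Everything that lands in "needs manual verification" is exactly the work the penetration tester does by hand, for example by checking the installed package version on the host or by testing the behaviour the advisory describes.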
|
Compliance/Governance - 2010-12-29 Compliance describes the fulfilment of all legal requirements a company has to meet in the legal environment it operates in. Governance means a company's own rules and regulations, which it fulfils by choice, concerning ethics, management, investment and human resources. Both topics, compliance and governance, are somehow linked to security but are misunderstood most of the time. Being compliant does not necessarily mean being secure: one can be compliant with all regulations and still not be secure. Governance likewise only means being compliant with all the self-imposed rules of the company itself. Compliance and governance both respond not to security directly but to risks; regulations and governance were invented because of risk calculations. To financial risks we respond with SOX and the Basel standards, to technical risks with ISO standards or the BSI IT-Grundschutz (baseline protection) catalogues. To ethical risks we respond with governance, where for example the equal treatment of employees is laid down. So what is this all about? Compliance and governance are part of security, but they only give some sense of security back to the architecture and to operations in daily business. Compliance and governance are related to risks, and risks are generally estimated, not measured technically. But in security we should always measure in detail, not only make assumptions or estimations. It's not about denying the need for compliance or governance, but about seeing them in the right perspective and with the right weight.
|
OSSTMM 3 - 2010-12-15 Finally :), it got released - the OSSTMM 3. And I really must admit, in a very cool outfit and with really mind-blowing content. I had only light contact with the ISECOM crew over the past few months or even years, but was still using versions 2.x and 3 Lite when testing (as OPST and OPSA). As I saw the evolution from 2.0 up to 2.2, the method had missing links and could be manipulated - now it ended up as a complete rewrite. I have read it fully since its release, fascinating! Trust analysis is new and the RAV (risk assessment values) model was reworked, now with the attack surface. The RAV now seems to reflect real security in the right relations. The 211-pager is good and easy reading (congratulations to ISECOM for that), the modules match together perfectly and it contains a self-explanatory work-flow after all. If you are already somewhat familiar with the OSSTMM, have a deeper look into the new version. For me it gives a new way of thinking about security and safety in general, seeing all the ongoing security madness in a new light. Take care, this could definitely make you more secure and more effective in security overall! It has to be noted that security and safety are not the same. Security comes from the military and means to separate an asset from a threat (somewhat perimeter-based). Safety means to control the effects of a threat on an asset when separation isn't an option. One last word, the OSSTMM provides some really good thoughts, like: Security awareness should be the continuing practice of a skill and not the continuous reminder of a threat. Happy testing with the OSSTMM ;) (inspired by Pete Herzog and the OSSTMM 3)
|
Wrong Security - 2010-12-05 After witnessing the security theater of our security industry for quite some time, I personally think something is going terribly wrong. We're throwing more and more money into security - but the financial losses caused by hackers/crackers are rising accordingly. So, what's the problem? The problem is, first, that the classical security measures do not work anymore, because they rely on a defined perimeter. But the perimeter becomes flexible and harder to define because of mobile devices, cloud computing and the mixing of private and business devices. And second, because we assume that if we just prevent malicious activities online, the malware problem is solved. So security does everything technically feasible to prevent users from doing dangerous things. The problem with this is that the security logic is built into soft-/hardware, but humans can always find ways to circumvent it (because it is predefined). If we made our users more aware (and don't forget about management and VIPs, nowadays they are the first target), I think security could become more effective. Common sense seems to have been forgotten completely in our days, as far as general internet users are concerned. Help them to educate themselves, to gain knowledge of the dangers out there (of course without scaring them too much). Tell them what one can do to protect oneself, what one needs to know for a safe and secure internet experience. (inspired by Chris Nickerson - The state of (in)Security and Pete Herzog - No More of the Same Bad Security)
|
Legal information and liability: This is a private homepage. Responsible for the content of this website is the owner of indianz.ch. Despite careful checking of the content, indianz.ch denies any liability for the content of this page and also for that of external links. For the content of linked/referred pages only the operator/owner of the particular site is responsible.