So, where is it all going to end?
We've had PCI and other regulations around for almost 10 years, InfoSec has grown substantially in that time and among other things we've all learned that we don't have a long lost uncle in Nigeria with $10M to send us...yet we continue to shed data faster than a politician changes their mind. We've managed not only to create a commercial business out of ripping us off, but it's now competitive to the point of driving the prices down for OUR data.
Yahoo recently featured a news piece on the "top 25 worst passwords"; looking through it we identified several of our clients' passwords, including a few belonging to IT Security/Technical professionals. Compounding this issue, we still have the easiest of all take-downs, the email spoof/click-through: we just finished up on site where the senior exec of the organization clicked a link that was obviously spoofed and came from a cracked site (thankfully, the individual had the wherewithal to alert someone that something seemed wrong before any damage was done.)
We regularly talk about locking systems down, about being responsible guardians of data, of understanding what to do, but from what I see in many cases these are empty words, and the governing controls, fiduciary and legal ramifications appear to be nothing more than the new cost of doing business. I challenge someone to argue against me...it's one area I'd like to be proven wrong in!
Do we have to change the focus of corporations and organizations? They are (with few exceptions) about making money, about protecting shareholders...by making money...the very people we rely upon to make our nest egg larger are the very same who are told to keep costs down, cut corners and just "get it done", typically with little/no increase in workforce to help with the workload....all in the pursuit of the almighty dollar...and all at the expense of OUR data security.
We demand that companies such as Microsoft make a product that works, that is secure and that turns up on time, yet we also demand that they make double-digit profits and penalize them if they don't. You can't have all three, and at the moment we are woefully inadequately protecting OUR data across the various industries...
Someone asked me at a conference a while back how to solve the problem, how to create a solution that works...and it stumped me until I thought outside of the general box and areas of technology and looked at us as humans and the overall requirements we place on those who provide the very systems we use. Simply put, the corporate and capitalist system is flawed. We know that, but it's time we thought about solving the bloody problem instead of simply putting useless controls around it and standing around watching as they fail to do their intended jobs.
"Occupy" seems to be a current phase we are going through...so why not occupy an OS, take the time to make it intuitive, to make it secure OUT-OF-THE-BOX, to shed all the extraneous crud that's installed as part of the buying process, why can't we cut Microsoft or someone a break on the stock market to actually develop something good again? Take a leaf from the Linux community and do it right...preferably in a flavor that companies would actually adopt!
This is not about making money, this is about doing the right thing, and throwing capitalism out of the bloody equation for a change...heck, once we've sorted this out I promise you can go back to making your billions...but for now we all need to kick it into touch and actually do the right thing.
Can we make a system that, built from the ground up, is intuitive, secure, capable, scalable...backed by an organization that actually cares, not just about itself, but about its clients, their data and their vendors/business partners? In the retail world I tend to look up to companies like Patagonia and REI...they seem to have bucked the trend and actually CARE about things (you wait, I'll be proven wrong!). Why can't we have the same in the IT world, let alone the Banking/Finance and Healthcare industries...don't get me started on the Pharmaceutical or Food production industries?
OWL will help with the security if anyone else wants to band together and actually make this work. We need a software OS company or two...any takers?
Ok, off the soapbox, back to cracking systems...got to love those vendor installed defaults..NOT!!
Life, Universe and Default Passwords:
We spend two days camped out in your car park; we monitor the milkman, the waterman, the pizza delivery guys and those security guards you have working from 6pm to 6am…
We get our gear ready: our lock picks, bump keys, slim set, card readers & clone devices; we have more electronics packed into 4 USB keys and two laptops than is in most damn data centers.
We have BackTrack, AirNG, Katana, Samurai locked, loaded and ready to deploy, we have Spybots, Espy and all sorts of nasty and nefarious programs ready to crack, break, pry open your inner most secrets….
We are in fact READY!!
We’ve plotted the strategy, and we execute according to plan...We’ve managed to “follow” an unsuspecting individual in through the side door (NEVER shall this country ban smoking for it will be the undoing of an entire branch of Information Security Penetration Testing!)
We’re in, we look like a cross between a ninja and a geek on a 25 mile hike with all our equipment, poised and ready to deploy.
We find a nice quiet spot in a corner of an office and begin…plugged into the network your poor port is wide open to abuse, and we are happy to oblige and quickly accept the DHCP assigned internal IP address…
Yea! Score #1 for the bad guys, DHCP server is in the same chunk of the network as the rest of the servers, systems and all things good that go beep in the night and keep your company running…
…All this late night work, training, gym time and experience with all things dark and nefarious is paying off, we pat ourselves on the back and chug another red bull.
What’s this? A switch, a nice juicy switch, the keys to the kingdom, the source of all things virtual and data related. Silently cursing that we’ve found it, knowing it’s the storage fabric switch and will be guarded by lights, traps and three headed dogs answering to Cerberus, we note it and prepare to move on to a Windows server or something equally as mundane to crack…however, what’s this?
Our switch has port 80 open….and is asking me for a login ID/PWD...fiends I curse! How dare they tempt me!! How dare they provoke me with something that will be 20 characters long and impossible to guess! (You can see where this is going can’t you?)
Dejected, we bash the keyboard a few times with some random acts of violence and the field pre-fill decides to interrupt and puts “administrator” in one field and “pass” in the other…cussing Firefox we go to close the browser, but are interrupted by an applet loading…what’s this, we ponder, another fiendish device mocking my pathetic attempts to break in? No! Score #2 for the bad guys, we own the aforementioned juicy switch…
Thinking it’s a mistake, we try it again, and again, and then again for a third time…yep, works we are in, we own the infrastructure, the systems and the data. Hmmmm, this poses a problem, we’re sitting here with our picks, probes and all things that go tick in the night and we haven’t used them. Our SANS “Hacking Everything” course laid to waste and the rest of the night off as we’ve planted a flag and can go have a coffee.
We get up, bash our head against the cupboard, we ponder, we think and we pack up all our tools and toys and realize that for all our technology, all our training and all our methodologies we’ve been defeated by a default ID and Password.
We are going to go back in our cupboard; we’ll replace the “break in case of emergency glass” and wait until the overall levels of competency have risen beyond the defaults.
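The story above is, from the defender's side, a detection problem: a management-plane login on a storage switch, using a vendor default account name, from an address that DHCP had just handed to an unknown MAC on the server segment. The following correlation script is an added example written for this post, not OWL's tooling or any vendor's log format; the DHCP and switch audit lines, the device name "sanswitch01", the management subnet 10.20.1.0/24 and the default account list are all constructed assumptions.

```python
"""Correlate DHCP leases with management-interface logins (added example).

Flags a successful login to a network device's HTTP management interface when
the source address was leased by DHCP shortly before, the source is outside
the management subnet, or the account name is a common vendor default.
"""
import re
from datetime import datetime, timedelta

# Constructed sample logs; the line format is an assumption, not a real vendor's syntax.
DHCP_LOG = """\
2011-11-14 23:41:02 DHCPACK on 10.20.30.77 to 00:1c:42:aa:bb:cc (unknown-laptop)
2011-11-14 23:41:30 DHCPACK on 10.20.30.12 to 00:50:56:11:22:33 (fileserver01)
"""
SWITCH_LOG = """\
2011-11-14 23:42:15 sanswitch01 http-auth: login success user=administrator from=10.20.30.77
2011-11-14 23:50:02 sanswitch01 http-auth: login failure user=root from=10.20.30.77
2011-11-15 08:10:44 sanswitch01 http-auth: login success user=netops.jane from=10.20.1.5
"""

# Account names that ship as defaults on many devices (assumed list, extend per vendor).
DEFAULT_ACCOUNTS = {"admin", "administrator", "root", "manager"}
# Assumed management subnet; admin logins are expected to originate here.
STATIC_MGMT_NET = "10.20.1."

DHCP_RE = re.compile(r"^(\S+ \S+) DHCPACK on (\S+) to (\S+)")
LOGIN_RE = re.compile(
    r"^(\S+ \S+) (\S+) http-auth: login (success|failure) user=(\S+) from=(\S+)")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_leases(text):
    """Return {ip: (lease_time, mac)} for every DHCPACK line."""
    leases = {}
    for line in text.splitlines():
        m = DHCP_RE.match(line)
        if m:
            leases[m.group(2)] = (parse_ts(m.group(1)), m.group(3))
    return leases


def find_suspicious_logins(dhcp_text, switch_text, window=timedelta(hours=1)):
    """Return one alert dict per successful login that trips at least one rule."""
    leases = parse_leases(dhcp_text)
    alerts = []
    for line in switch_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m or m.group(3) != "success":
            continue  # failures are worth counting too, but this example keys on success
        ts_text, device, _, user, src = m.groups()
        ts = parse_ts(ts_text)
        reasons = []
        if user.lower() in DEFAULT_ACCOUNTS:
            reasons.append("default account name")
        if not src.startswith(STATIC_MGMT_NET):
            reasons.append("source outside management subnet")
        lease = leases.get(src)
        if lease and timedelta(0) <= ts - lease[0] <= window:
            age = int((ts - lease[0]).total_seconds())
            reasons.append(f"source leased by DHCP {age}s earlier to {lease[1]}")
        if reasons:
            alerts.append({"device": device, "user": user, "src": src, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_logins(DHCP_LOG, SWITCH_LOG):
        print(alert)
```

On the sample data only the "administrator" login is reported, with all three reasons; the netops login from the management subnet is not. Any one of the three rules on its own would have caught the scenario in the story, and the DHCP correlation is the one most shops do not have.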
DISCLAIMER: This is NO ONE SINGLE Assessment in particular, No one particular company can look at this and go "heck that's me...damn them!" however many companies we have worked with will see some similarities, some whom we have NOT worked with might think about this and hopefully will internalize it and review their own practices. It's intended as a learning piece, and one that's light hearted and (hopefully) a little educational. Our aim is to learn from the assessments we perform, and to pass that knowledge onto others, sometimes in this forum, sometimes in presentations and ALWAYS in how we approach new assignments.
Average Man
“I'm just an average man
With an average life
I work from nine to five
Hey, hell, I pay the price
All I want is to be left alone
In my average home
But why do I always feel
Like I'm in the twilight zone”-ROCKWELL “Somebody's Watching Me”
So I’m sitting out in front of an average home, in an average neighborhood, in an average town. Maybe your average home/neighborhood/town? Anyway, the high-gain sniffer is out and a small, cute little box with a four foot, rather obnoxious antenna is sticking out and quite visible, since the box is suction-cupped to the inside of the front windshield. A cable is running to a laptop that yours truly is sitting in front of, cooling Charbucks cup next to me. What I’m doing here is, at the moment, waiting. What I’m supposed to be here for is to use your wireless network to pull company information off your laptop and sell it to whomever wants to foot the bill.
The Technology We Use Today
The technology we use today is central to so many areas of our lives. We understand some of this technology, but there is much we do not understand.
We have successfully managed to build complex systems that no single person understands, and we have evolved the technology to a place where few could have imagined; yet we suffer from the ever-increasing feeling that we’re losing more knowledge than we’re gaining. (During several on-site client visits, we have heard: “nobody knows what that old system in the corner does, but we know it’s needed.”) Our computing use has gone so far beyond the data center that I think I can prove my microwave has more processing power than the ICL and VAX systems I used to work on, and I certainly couldn’t have stuck the VAX in my bag and fired it up at the coffee shop! Today, we interact with data through the extended network that we have built up during the past few years, and now we have to deal with support- and security-related issues as everyone clamors to connect to the enterprise architectures in our care. This convenience, unfortunately, takes the data we’ve been able to manage and control over the years into the public space, which, as we know, is not exactly a friendly environment.
SAS70: Why Bother?
As companies evaluate corporate IT security of partners and vendors, SAS 70 is often mentioned. Unfortunately, most security professionals agree that SAS70 is neither a meaningful security metric nor worth the cost to get the opinion.
The Statement of Auditing Standards (SAS) number 70 audit is an auditing standard that reviews the security policies and controls an enterprise has in place. The SAS70 audit was developed by the American Institute of Certified Public Accountants. The Service Auditor’s Report contains a description of the controls in place, and the auditor’s opinion of those controls. Many of the SAS70 audits that OWL has run across don't appear to even include any testing of the basic stated controls.
Sounds great so far. So why does it appear as if SAS70 audits are held in such low regard by security professionals? In our opinion there are three fundamental problems with a SAS70 audit:
1. A SAS70 audit is largely based on self-reported security control objectives and control activities. In many cases there is little to no actual HANDS-ON testing of the stated controls in a standard audit. You tell the auditors you have controls in place and you follow them, and you are SAS70 certified. Congratulations…until you are breached.
One World Labs has seen SAS70 certified clients that “checked the box” for having firewalls for Internet security in their organization....and then later discovered the particular identified firewall in a rack, happily disconnected from the rest of the network. Compliant? Yes. Secure? No.
2. You don’t necessarily need to “pass” a SAS70 audit. The audit is merely a description of the control objectives and control activities that might be of interest to auditors. If an organization has a security policy that is ineffective ("We require complex passwords" but "Password1234" is considered complex....3 years after being last changed) the SAS 70 audit report would contain a favorable opinion because the control activities (none) matched the stated control objectives (none).
OWL has seen examples of this over and over. Clients wave SAS70 auditor reports in front of us and we're able to breach their network inside the first hours of an engagement using frighteningly low tech attacks, gain control over core infrastructure and access both client and company related information that, if released, would be highly detrimental to the organization.
3. Only CPA firms, not IT security firms, can perform SAS70 audits. That’s like letting a hacker do your taxes. You don’t go to an IT guy to fix your car; likewise you shouldn’t go to your auditor to fix your IT security. The very skills and temperaments that make CPAs and auditors good at their day job make them terrible at playing a security role. CPAs and auditors are not generally seen as ‘out of the box’ thinkers. Hackers are. Your security partner should be as well. One World Labs thinks and acts like those we are trying to protect your organization against which, in theory, makes us good at what we do.
If you find yourself considering a SAS70 audit, please STOP for a minute to reassess the situation. The lack of security policies and enforcement is a classic symptom of an underlying problem. Security and control is not an underlying part of the organization. Most organizations would be better off spending the money to address the control deficiencies rather than spending the money documenting the deficiencies.
Have your network tested by a professional IT security firm. For a fraction of the cost of a SAS70 audit, companies like One World Labs can provide a thorough, 360 degree security assessment including testing of controls to provide a true picture of your corporate security environment and controls. Most providers will also provide documentation that is suitable for sharing with customers, partners and prospects.
If your organization is evaluating service providers and partners, SAS70 is the wrong thing to ask for. You should be looking for proof that the security of the provider meets or exceeds industry best practices for security. Find a reputable company like One World Labs to truly understand the security posture of your organization and your partners.