Security Team of Barack Obama

Dear Secret Service,

Thank you for the fine work of protecting President George W. Bush. Regardless of my personal disagreements with about 90% of his administrations actions I wish nothing beyond a very irritating groin rash on the man who has been my president from 2000 – 2008.

I hope that you can do the same thing for President Obama. I am certain you’ll be proactive in your security techniques. I am definitely not questioning whether or not you are good at your job.

As an American citizen I just ask that you go one step further by looking at potential insider threats. I’m not trying to promote some sort of conspiracy theories or anything and I certainly don’t have any reason to believe that your current staff is stocked with traitors of the American Republic. I’m just pointing out potential threats.

To let harm befall such a great American who has become a symbol of hope for people around the world would be a serious blemish on YOU.

p.s. Congrats on the Win, President Obama

How to catch hackers on your wireless

Techdar talks about How to catch hackers on your wireless network and how to defend your Wi-Fi from future attacks

There are lots of tools around to help people carry out ARP-related exploits and if a malicious, Wi-Fi enabled neighbour decided to find out more about your network, this could be an effective way to do it. The good news is that there are some defences out there. The bad? They can be costly and don’t always deliver the protection you might expect.

Tools of Choice:

Arp Defender





Why is Internet Safety Important

Dangers on the Internet
The amazing freedom and availability of the Internet lends itself to a few major dangers: Pr0n, malware and how to perform illegal and/or dangerous activities.

Whether it is a curious person seeking these things out or the child accidentally clinking the wrong link and getting bombard with explicit pop-ups, the items lists can be harmful to an impressionable mind. Policies must be enforced.

There are a few groups that should have limited exposure to certain types of information on the Internet. Children, mentally handicapped or psychologically damaged people in settings such as schools, homes, rehabilitation or correctional facilities and group homes should be blocked, tracked and monitored while accessing the Internet. Certain information could destroy them if they don’t yet have the capacity to understand or put certain information in the proper context.

Protection from Pornography & Malware

In a professional setting there should be a written policy against accessing and/or downloading unacceptable material such as pornography. These items should be actively blocked whether in a working environment or at home among minors accessing the same system. Allowing impressionable or fragile minds unlimited access to certain graphic material is irresponsible. The law is also a good reason why Internet safety is important. If you are the owner or charged with immediate control of the system being used for illegal activity, you could be partially or wholly liable for the activity. An example is substitute teacher Julie Amero

On October 19, 2004, Julie Amero was substituting for a seventh-grade language class at Kelly Middle School in Norwich, Connecticut. The teacher’s computer was accessed by pupils while the regular teacher, Matthew Napp, was out of the room. When Julie took charge, the computer started showing pornographic images.

On January 5, 2007, Amero was convicted in Norwich Superior Court on four counts of risk of injury to a minor, or impairing the morals of a child. Her sentencing was delayed four times after her conviction, with both the prosecution and judge not satisfied that all aspects of the case had been assessed.[1] The felony charges for which she was originally convicted carry a maximum prison sentence of 40 years

– wikipedia

The Kelly Middle School systems were actually infected with malware that allowed the explicit pictures to pop up.

Access to Dangerous information

From the Columbine shooters to the Virginia Tech massacre, most of the killers had a recorded history of mental illness and/or psychologically instability. In many cases, they used public and/or home computers belonging to their parents to research bomb making or even purchase guns.

Controlling access is the best way to get on the Internet safely. Maintaining privacy of users is another important step in Internet safety, however that is a matter of educating users particularly if the frequent Social networks such as facebook or myspace. They need to be instructed about the dangers of stalkers, perverts and predators looking specifically for impressionable minds.

We are the keepers of these impressionable and fragile minds. That is the reason Internet safety is important and why we must be mindful of these subjects.

Certification & Accreditation Change

Standard-issue security
Certification and accreditation process for national security systems to extend to the rest of government. A two-year-old effort to standardize processes for certifying and accrediting government IT systems could soon bear fruit, according to officials from several agencies.

The Committee on National Security Systems is preparing instructions for implementing a unified certification and accreditation (C&A) process that could be used on all national security systems, including those in the Defense Department and intelligence community, said Tony Cornish, chairman of the CNSS’ C&A working group.

At the same time, the National Institute of Standards and Technology plans to update its C&A guidance for systems covered by the Federal Information Security Management Act, said Ron Ross, a senior computer scientist and FISMA implementation lead at NIST.

“We are very close to producing a unified C&A process for the entire federal government,” Ross said in July at a government security symposium hosted by Symantec. “Within the next six to eight months, you are going to see a plethora of new things coming out” from CNSS and NIST.

CNSS’ instructions will be incorporated into NIST guidelines in its 800 series of special publications. Ross said a major update of SP 800-53 Rev. 2, “Recommended Security Controls for Federal Information Systems,” is expected in December, and a draft of the first revision of SP 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems,” is expected to be released for comment soon.

A single, governmentwide approach would make it easier for agencies to share data and cooperate with one another and with states, foreign allies and the private sector.

It could enable reciprocity, or the acceptance of other agencies’ C&A processes, without requiring recertification, and also could streamline acquisition processes by making it easier for vendors and developers to meet one set of standards.

C&A is a process for ensuring that IT systems are operating with an appropriate level of security. In the certification phase, the security of the system is documented; for accreditation, a designated authority signs off on the system’s fitness to go into operation. The concept has been around for some time, but there has been little standardization.

“In the past, we each had our own set of policies, and we didn’t look at each other’s,” said Sherrill Nicely, deputy associate director of national intelligence at the Office of the Director of National Intelligence.

FISMA requires C&A of information technology systems, but that does not apply to national security systems. And within the national security community, the military and intelligence sectors each have had their own way of doing things.

“Since about 1993, the Defense Department had its program, the Defense IT Security Certification and Accreditation Process,” said Eustace King, DOD chief of acquisition and technology oversight. “It worked pretty well” in a time before DOD’s emphasis on network- centric systems and information sharing, but it lacked enterprise visibility.

That C&A program was replaced with the Defense Information Assurance Certification and Accreditation Process. DOD was moving to the program in 2006 to harmonize military and intelligence processes when, a year later, it was expanded to include the rest of the national security community by bringing in the CNSS.

Through NIST, C&A procedures eventually will be standardized across all of government. However, policies do not change mind-sets, and old habits still remain one of the primary challenges to a standardized process. At DOD, there is a reluctance to accept reciprocity — that is, to give full credit to another agency’s C&A process without recertification, King said.

The intelligence community faces a similar hurdle, said Sharon Ehlers, an assistant deputy associate director of national intelligence.

“The cultural change has been the biggest challenge,” Ehlers said. “When it is not invented here, people don’t want to look at it.”

Ed Skoudis lists the Top 5 Worst Attacks of 1998 – 2002

That which does not kill us makes us stronger.
-Friedrich Nietzsche

In the November 2002, Information Security Magazine article, Infosec’s Worst NightMares, Ed Skoudis lists the Top 5 Worst Attacks of 1998 – 2002. Mr. Skoudis is the founders of Intelguardians Network Intelligence, LLC and is a handler of the very popular Internet Storm Center.

Mr. Skoudis mentions that the Top five major destructive attacks of 1998 – 2002 made many industries “battle-tested” and more likely to be proactive rather than reactive. The 5 year Worst Skoudis list is based on exploits that shook our very faith in the Internet and security of e-commerce.

1. Code Red (2001). July 13 2001, the worm attacked Microsoft IIS systems. By 19 July 2001, the worm had affected over 350,000 systems. SANS and Honeynet Project set up honey pots to capture the worm. But E-eye Digital Security Programmers did the most intense research on the worm and also named it. The worm exploited a vulnerability in the indexing software distributed with IIS, described in Microsoft’s MS01-033 patch. It was a buffer overflow attack. Some of the lessons learned: Keep systems patched, use of honey pots to capture malware, coordinated response helps to contain worms.

2. Nimda (2001). Shortly after 9/11, the Nimda worm was unleashed. It caused more damage financially than Code Red. There were rumors that it was China that released it to hurt the US further, but this is unlikely due to the nature of Nimda.

While it was bad, it had the appearance of a being written by a determined amateur, not a nation-state that spends $1 Billion annually on cyberwarfare capabilities. – Skoudis.

Nimda affected Windows 95, 98, Me, NT, or 2000 and servers running Windows NT and 2000. It was so affective because it attacked IIS, e-mail, browsers and network shares. This multi dimensional attack method could mark a trend in future cyberfare.

Lessons Learned: The importance of an incident response capability, disabling arbitrary scripts in e-mail and browsers.

3. Melissa (1999) & LoveLetter (2000). Both of these exploited malware through e-mail propagation. Melissa used Microsoft Word Macro virus and LoveLetter (I Love You Virus). The worm harvested the victims address book to forward itself to more victims which killed a lot of email servers. Lessons Learned: Many companies got serious about implementing anti-virus applications throughout the network.

4. Distributed Denial-of-Service (DdoS) attacks (2000)
. After all the panic of pre-Y2K, a completely new and unexpected storm hit major sites: Yahoo!, Amazon, CNN, E*Trade ZDNet and eBay. All by a single child hacker nicked named Mafiaboy. He had spread zombie flooding agents to hundreds of machines around the world and used them to attack sites with billions of useless packets. Lessons Learned: employ anti-spoofing filters.

5. Remote Control Trojan Horse Backdoors (1998 – 2000)
. In 1998, the Cult of the Dead Cow hackers group created the Trojan, Back Orifice which initially targeted Windows NT/9x. The tool allowed unskilled attackers to attack any vulnerable system. It also marked the rise of the “script kiddies” and produced a bunch of spin offs such as Subseven, Netbus and Hack-a-Tack.

Asset Labels: Security Markings

equipment label In the military one of the jobs I hated the most was what we called “ADPE”, Automated Data Processing Equipment custodian.  My job title was Equipment Control Officer (ECO).  My job was to ensure that every piece of equipment was present and accounted for.  We needed to know equipment status and keep track of its “life cycle” (life-cycle, is the purchase to decommission process that all ADPE goes through).  I did this for an entire military installation. Like I said, this was not my favorite thing to do.
But it was (is) very important.  Looking at the big picture, I noticed that literally millions of dollars worth of equipment had been lost prior to anyone taking ADPE seriously.  It got so bad that the U.S. government started really cracking down.  If units and organizations neglected to put security markings on their equipment, they were not allowed to purchase ANY new equipment (per base policy).  As the Equipment Control Officer, I started doing audits to ensure every thing was marked properly.

Before I saw the big picture, I thought it was a bit anal but the reality was that some of the equipment would get stolen, lost or just plain forgotten and in the long run this kind of neglect becomes extremely costly.
It is very important for organizations to account for all equipment.  The best way to do this is with a database and asset labels.  In the military we had our own asset labels, but companies like search offer very professional looking asset labels, asset tags, security labels and security printing.

There is no such thing as Security

I’ve noticed that there are two types of security people: anal “type A personalities” who live every moment by the rules, and those that realize that there is no real security.  Please understand that these two mindset don’t seem to have anything to do with talent.  I’ve met talented people with both mindset.  A talented security professional is mindful, aware, and always pays attention to detail.  The very best seem almost psychic in their ability to spot wrong doing, security breaches and even malicious intent.

Type A security people seem to thrive on “catching bad guys”.  Its like they are kids playing cops & robbers.  These people thrive on structure, order and regulations.  In information security they know how important it is to have lots of centralized control and a stardard configuration for all systems.  In the Meyers-Brigg’s personality test, these people are ESTJ’s (Extraverted Sensing Thinking Judging).  The thought of any getting away with breaking the law (ANY LAW) is unacceptable.  These guys make great Directors of Security, CSO’s and other policy creators as long as they don’t micromanage their people.  Their employees will either love them as a great mentor or hate them with every fiber of their being.

Those who realize that there is no such thing as security are hackers.  They are many times INFP’s (Introverted iNtuitive Feeling Perceptive).  Unlike the ESTJ’s they don’t care about structure and rules because the realize that rules are only suggestion to keep an acceptable level or order.  For them the most important rules are in a persons heart.  ESTJs will usually see these people as lazy and don’t really care but these people are just trying to find an easier way to do things.  If they don’t enforce certain rules or cut corners, it because the sincerely believe that the rule or enforcement (in that particular situation) is not needed.  Employees will usually love INFP’s unless they happen to be ESTJ’s.

I am a bit biased because I am in the second camp, INFP.  I don’t believe there is a such thing as “security”.  No one is ever completely safe.  All a malicious intending person needs is the element of surprise, time, and pressure an they can get away with anything they want.  Further, anyone at anytime can have malicious intent: employees, kids, bosses, friends, family not just random strangers.

Security is just an illusion.  The one good thing security does is ensure you are faster than the slowest person, organization, network or whatever on the block.  Those with malicious intent will typically go for the easiest target. 

Since many crime happen from people that the victims know all we can really do is not worry about it.  Life is too short to waste too much time fretting about every possible thing that can happen to you.     

I guess that is what Ben Franklin meant when he said:

“Those Who Sacrifice Liberty For Security Deserve Neither”  

If you worry so much about security that you can’t enjoy the fruits of your labor, then what is the point of the living and if you can’t enjoy living whats the point of protecting ANYTHING. – elamb

Security Geek Fired By Suits: For Doing His Job?

“A security geek is fired by executive management after the company is broken into by thieves and lose nearly $100k in equipment. The security geek had previously recommended safety measures that would have presented this, but they were shot down by those same executives! Who should have been fired in this story?”

Looks like they used this security guy as a scape goat to protect their own asses.  Doesn’t documentation mean anything?!  Ultimately, it is that company that will suffer from keeping incompetent and untrustworthy people (if that is the case.)

read more | digg story

1 2 3