
They’re Everywhere!

All great artists tend to go through phases throughout their lifetime.  Just as Picasso had his blue period, it appears that prime time TV has entered its red period.  At first I thought it might be me, as a good lookin’ redhead certainly garners my attention, but Mrs. Jupiter has also taken notice of the exponential increase of gingers on the tube and/or in pop culture.  They’re everywhere – like Chicken Man (shout-out to Lajes AFB’s AFN radio station).

And before any weird rumors start, let me get out in front of them:  While it’s true that my best friend since I was 10, Dr. Bob the Rocket Scientist, happens to be a redhead — this post has nothing to do with any unrequited homo feelings for him.  It might, however, be attributed to the effect of his older redheaded sisters on a young, pre-pubescent Little Jimmy Jupiter.  But enough of that, I’ll save the rest for my shrink.

So I’ve dedicated this blog post to redheads on TV or in pop culture.  There’s no logic to this collection whatsoever.  Suggest your own, or even an informal comment-based vote for your favorite.  In order to see them all, YES, you have to click on the stupid “2” for the remainder of this gallery on the next page.  Crappy NextGEN Gallery (boo!) – my apologies on their behalf.

Got a favorite?

 


Girls Next Door

It will never change if the world at large continues to be MORONS.  This was part of an article on MSNBC covering the FBI probe of the NBC News Twitter account:

Osborn, the NBC News social media director, said he recently received one such suspicious email as Hurricane Irene was approaching New York. The email came from an unknown sender with the subject “Hurricane Alert” and the message: “Ryan, You need to get off TWITTER immediately and protect your family from the hurricane. That is an order.”

Osborn wrote back “I’m sorry. Who is this?” The sender then replied, “I’m the girl next door” with an attachment. Osborn said he mistakenly clicked on the attachment and it contained a Christmas tree.

This is the Social Media Director for NBC.  If there’s ANYBODY who should know better, you’d think it’s him.  What kind of idiot opens an attachment on a SECOND GO AROUND of a suspicious email?  Even after he QUESTIONED the first one’s validity?  Seriously – “the girl next door” gave him an “order” that came with an attachment.  If this doesn’t qualify as “suspicious email”, what does?

This is the digital equivalent of a terrorist handing somebody an improvised explosive device with a note that says “press this button right here, please”.  The next “nine-eleven” is going to be digital.  But this time it won’t require a lick of planning.  And we’ll even help carry it out, too!

To properly honor the tenth anniversary, this post was delayed until Monday.


Better shred than dead

My shredder died, like 6 months ago.  We had a small but moving ceremony, attended by myself, the stapler and the three-hole-punch, with a moving eulogy given by my printer.  After the customary mourning period, we’ve all now moved on with our lives.  Since then, I’ve built up a ginormous pile of unshredded paper, and this week I finally got off my rear and got a replacement.  Thank you, Easy Button: 8 sheet cross-cutter, with a little window to see how full the bucket is.  All for just $35, which meets my notoriously frugal (read: “cheapskate”) budget.

Now I’ve begun the trip down memory lane, looking at the things that seemed shreddable to me at the time.  In true Jovian form, it seems I’ve decided to shred absolutely anything with my name associated with it.  Maybe that’s overkill, but it is what it is – better safe than sorry, I guess.  Then I came across something that caught my eye.  No, it wasn’t pictures from Defcon 16.  Nor was it any of the various restraining orders received during that time (those get framed!).  Something much more insidious…

First some backstory – it may come as a surprise to you, but yes, I’ve got a credit card.  And yes, it’s even issued in my own name (or rather, my alter ego).  At one point, I’d thought it was a good idea to take off the tinfoil hat and succumb to The Man and throw myself on the mercy of The System simply to be able to function in today’s plastic-based society.  *sigh* – all because a guy can’t live underground forever if he wants access to premium online porn.  But back to the point at hand…

My credit card periodically sends out “checks” for use in paying off other credit card balances (like a balance transfer).  It kind of sucks that they’re checks that can just be written to anybody, and they’re sent to my house without me asking for them or expecting them in the mail.  But it only references the last four digits of my account number, so I guess it’s the same as a receipt from starbucks (not capitalized on purpose in an effort to extract some kind of vengeance on them for making me pay $2.50 for a black freakin’ coffee anywhere I go now).

(No, I really, really don’t have ANY Photoshop skillz.)

But on closer inspection…

At the bottom of the check, next to the routing number, where the checking account number normally goes, are 10 digits: not just any digits, but the last 10 digits of my credit card number.   Hmmm…  Six digits left: a potential one million possibilities (and since the final digit of a card number is a Luhn check digit, only one in ten of those prefixes even produces a valid number).  But it’s got to be easier than that.  Our pal Google (aka “Wikipedia Index”) says those six are the issuer identification number: http://en.wikipedia.org/wiki/Bank_card_number.

So where would you find a bank’s IIN?  Back to Google: there are loads of Bank Identification Number (BIN, the older term for IIN) sites.  bindatabase.net is pretty well known, cited on Wikipedia, and is reputed to have the most entries.  However, it doesn’t allow lookups starting with the bank.  More Google gives http://bindb.cc.  Neat.  I can look up the IIN with Country, Bank name, and Card type:

Country?  Yeah, that’s in the letterhead.  US.

Bank?  Yep, that’s the bank that sent the letter, also in the letterhead.

Card Type (three fields!)?  Well, that takes some thought.  A quick glance at the bank’s website shows it offers Visa.  Let’s go with that.  And it’s a Credit card, since the letter was for a balance transfer.  And now it wants the “flavor” (my term) of the card.  In the letter it says Platinum, so I’ll use that.

Security Code:  Simple CAPTCHA so I don’t harvest their DB.  Fine.

Click “search”, and, well, I’ll be dipped: there’s the rest of my credit card number.  Well, I called my bank and asked WTF is up with this; they said it’s a security feature.  Good job, bank.  Please remove me from your identity theft victim pile, and stop sending me unrequested copies of my banking data.  No bananas: their business office doesn’t allow this; you can only opt out of receiving your requested documents.
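The arithmetic behind the lookup above, as an added example that is not part of the original post: with the 10 digits printed on the check in hand, the Luhn check digit alone cuts the million possible 6-digit prefixes to 100,000, and a BIN lookup that returns a handful of candidate IINs for the bank and card type cuts that to one. Every number in the block is constructed for illustration: the three candidate IINs are made up rather than taken from any BIN database, and the one number that survives is the standard Visa test number 4111 1111 1111 1111, not anyone’s real account.

```python
"""Added example, not from the original post: how much of a 16-digit card
number is actually left to guess once the last 10 digits are printed on a
balance-transfer check and the issuer's IIN is in a public BIN database.

All values are constructed.  The candidate IINs are made up, and the only
full number that comes out is the well-known Visa test number.
"""

from typing import Iterator, List


def luhn_valid(number: str) -> bool:
    """Luhn (mod-10) check used by every major card brand.

    Walking from the rightmost digit, every second digit is doubled (and
    9 is subtracted when the doubled value exceeds 9); the running total
    must be divisible by 10.
    """
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def luhn_prefixes(suffix: str, width: int) -> Iterator[str]:
    """Yield every zero-padded `width`-digit prefix that makes
    prefix + suffix Luhn-valid.

    This is the attacker's search space with NO IIN knowledge at all.
    Doubling is a bijection on the digits mod 10, so for any fixed
    setting of the other prefix digits exactly one value of the last
    one balances the sum: 10**width candidates collapse to 10**(width-1)
    (1,000,000 -> 100,000 for a 6-digit IIN).
    """
    for p in range(10 ** width):
        prefix = f"{p:0{width}d}"
        if luhn_valid(prefix + suffix):
            yield prefix


def count_luhn_prefixes(suffix: str, width: int) -> int:
    """Number of Luhn-consistent prefixes for a known suffix."""
    return sum(1 for _ in luhn_prefixes(suffix, width))


def complete_with_iins(candidate_iins: List[str], suffix: str) -> List[str]:
    """What the BIN-database lookup buys the attacker: instead of trying
    10**6 prefixes, only the few IINs returned for (country, bank, card
    type) are tried, and Luhn discards the ones that do not fit."""
    return [iin + suffix for iin in candidate_iins if luhn_valid(iin + suffix)]


if __name__ == "__main__":
    # Constructed values: the 10 digits "printed on the check" and three
    # made-up IINs, as a lookup by bank + card type might return.
    SUFFIX = "1111111111"
    LOOKUP_RESULT = ["412345", "423456", "411111"]

    print("Luhn-valid 6-digit prefixes with no IIN knowledge:",
          count_luhn_prefixes(SUFFIX, 6))            # 100000
    print("Full numbers consistent with the IIN lookup:",
          complete_with_iins(LOOKUP_RESULT, SUFFIX))  # ['4111111111111111']
```

The reconstructed number is only one of the pieces a card-not-present transaction needs (the expiry date and CVV are not on the check), but it is the piece the bank chose to mail out unrequested, and the public IIN table plus a 16-digit check digit do the rest of the work for anyone who fishes the letter out of the trash.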

So I guess for the rest of the day, I’ll be making a new tinfoil hat and continuing on through my gimungo pile of shreddables.  Thanks a lot, bank.

 


Heh. Heh, heh. He said …

“HILF”.  Heh…  heh, heh. 

Somebody out there could use an acronym dictionary, or at least a member of the team who hasn’t evolved past the “totally gross jokes book” stage of their life:

http://www.nerc.com/files/HILF.pdf - High Impact, Low Frequency threats.

http://www.urbandictionary.com/define.php?term=hilf - Um… yeah.  I’ll leave that up to you.  MSFW (‘marginally’ safe for work).

Yeah, the first definition is kinda horrible; please don’t shoot the messenger.


Another Pointless Term (APT)

I’ve been on about security threats being misunderstood and/or overblown.  And companies that are just plain doing it wrong.  But this one is a rare combination rant, about something that doesn’t exactly exist, and companies that are promoting this misconception.  And now it’s becoming a de facto default answer due to stupid trade rags that regurgitate this piece of marketing excrement.  The recent RSA incident has finally sent me over the edge on this.

Advanced Persistent Threat (APT) is the pointless (and silly) term that’s been made up by smart industry professionals (shout out to Kevin Mandia) and grossly misused by marketing and executives.

Who uses this term?  Usually, any dipshit who wants to come off “smarter than you are”.  Like ‘this unfortunate incident was a result of Advanced Persistent Threat’.  Or ‘Does your product defend against APT?  Our product is the only one on the market with this capability’ (God help me if I ever read that anywhere).

What does APT really mean?  Let’s break it down, Wikipedia style -

Advanced – It’s good.

Persistent – It’s not giving up.

Threat – It’s after you.

Wait…  Did I miss something here?  Isn’t this the threat that we, as the IT Security Community, really care about?  All this time were we supposed to be on the lookout for the Advanced Slacker Threat?  Or the Moronic Persistent Threat?  The Moronic Slacker Threat??  They make stuff for all of that (anti-virus/spam, I[D|P]S, Firewalls, Web Filters, etc), and if you don’t have that stuff, you’re Not Doing It Right.

But wait… Don’t we, as IT Security Professionals, already calculate Risk based on Threats and Vulnerabilities, and hasn’t that been around, like, forever?  Sure we do: Risk is a function of Threat and Vulnerability, most commonly written as:

R = T * V

Well, whatever.  That might be the idea, but typically we do a crappy job of defining threats.  In (almost) all cases, it’s glossed over like “sure, threats exist, and they’re everywhere, both inside and outside your organization”.  Then they go on to blather on about vulnerabilities (V) because that’s the cool stuff.

In the physical security industry, a threat is defined as:

T = P(Ta) + M(Tm)
(See below for a long dissertation about physical security, or just trust me… )

Which is the probability ranking of the Threat Agent acting against you, P(Ta), plus the magnitude of harm the Threat Agent would do to your organization, M(Tm).  If we plug the physical definition of Threat into the tried-and-true risk equation and expand it out, we get:

R = P(Ta)*V + M(Tm)*V

Then there’s vulnerability.  Vulnerability is an inverse function of the Effort to Exploit (Ee), expressible as V = 1 / Ee.  Vulnerability approaches zero as exploitation effort approaches infinity, and since no exploit takes infinite effort, vulnerability is never zero.

So what does this show?  First, it shows that as long as there is some kind of asset loss that would result in harm to your organization, you will always have Risk, which we’ve always known.  But more importantly, it shows that if you don’t have an asset that is both worthwhile for an attacker to obtain and which causes harm to your business, you don’t have any Risk.  (Strictly, with T written as a sum, R only reaches zero when both P(Ta) and M(Tm) are zero; a nonzero value in either term still leaves you some Risk, which is the conservative way to read it.)  Here are some practical scenarios (assuming that these descriptions are the extent of the incident for demonstration purposes):

Would you care about one workstation being compromised to join a spam-bot army?  Just spam?  No.
How about that same workstation with a keylogger that records passwords?  Yep.
How about a whole bunch of those keyloggers on a bunch of systems?  You bet.
How about a website compromised to spread malware to external visitors?  Not so much.
SQL / Command injection attempts against front end inventory management systems?  Hell yeah.
Clear text passwords in use to manage mailing list subscriptions?  No.
Users evading web filters to surf porn?  Nope (unless we’re the government, clergy, or known hostile workplace).
“Rogue” sniffers running on the internal network?  Big trouble.
Denial of service attacks against a public web presence?  Meh.
Phishing?  No.
Spear-phishing / Social Engineering?  Oh, my, yes.

Are any of the above new scary attack vectors?  No.
Have we been worried about these for years?  Yes.
Are they among the things the proverbial “APT” will attempt in order to get access?  Yep.

So is it possible to defend against APT?  We’ve been protecting against APT for years, just not calling it that.  Duh - Winning!

——————————–

Physical Security Threat:

In the physical security realm, the term “adversary” is used.  When performing what is referred to in the physical security industry as a “Threat Risk Assessment”, one of the core constructs is identifying the adversary and what they’re after: the “Threat Agent”.  Threat agents are sometimes generalized into categories, such as vandal, disgruntled worker, violent criminal, white-collar criminal, organized crime ring, corporate spy, activist, or terrorist.  Each of these Threat Agents may have a different motivation.  For example, a vandal is motivated to deface the target, whereas a violent criminal is motivated to inflict physical harm on individuals.  Likewise, a terrorist may be motivated to cause the most harm to an entity in any way possible, whereas a white-collar criminal is motivated to gather items of financial value.

But you’re not done yet – the meat of defining the threat is coupling the above with the magnitude of loss that could occur with a successful attack.  The magnitude of loss depends on the motivation (target) of the Threat Agent.  Typically this is expressed as something like:

T = P(Ta) + M(Tm)

Where Threat (T) equals the probability ranking of the Threat Agent acting against you P(Ta) plus the magnitude of harm the Threat Agent would have on your organization M(Tm).  Probability can be drawn from asset value – does your organization have something that the threat agent would like to have?  A lot of it?  If you’ve got a lot of it, you can safely assume a high probability.  If you lost that something, how bad would it be to your organization?  How about if you lost it several times (data is funny that way – reminds me of a joke about a prostitute, but I’ll save that for happy hour)?  That’s how to figure Magnitude.  This is a GREAT model to identify the threat, as it links the who, what, and why together.


Copyright © 1996-2010 E-rant. All rights reserved.