E-rant

Last year, I made several predictions.  For the record / what it’s worth, I’m batting .500.   So this year, instead of trying to do better, I figured I’d just change the rules of the game.  For 2011, I’m making resolutions instead of predictions – significantly fewer unknown variables should result in a higher average.  For those of you interested in how the resolutions turned out, they’re at the bottom, below the resolutions.  But without further ado, here are my 2011 Resolutions To Make The World A Better Place:

1. Quit using bullet points and clip art in PowerPoint.  And no more than 10 words per slide, no less than 48 pt font.  Forced creativity. 
2. Learn how to actually use PhotoShop, not just doink around in it.  I think I’d have a ball pasting well-known people into rant-specific situations.
3. Host my own game show.  A recurring resolution that’s been on every Jovian wishlist since 1992.
4. Run a marathon OR keep my knee in one piece.  Either one would be ok.  Not holding out hope for both.
5. If I ever find these during an IT assessment:  
   a) default passwords
   b) weak passwords
   c) unpatched systems
   d) no (or uselessly configured) firewall
   e) no anti-virus
   … I will recommend the company immediately fire their freakin’ CIO and/or outsource IT to someone halfway competent.
6. Finally, I resolve to visit Lindsay Lohan in prison and sing her Justin Beiber’s “One Less Lonely Girl”, as I firmly believe she was the inspiration behind lonelygirl15.  (take that, Google PageRank!)

And here’s a quick recap of how my 2010 predictions turned out.  Please note that although they were for the year 2010, a Jovian “year” is 11.8 earth years, so I’m still holding out hope that in the next 10.8 years, some of these will make it.  Please check back on October 17, 2020 for an update.

1. Howard Schmidt lays low.  True!  Proven by his lily-livered, limp-writed, wussy (but timely) answers to questions in an interview with Newsweek.
2. Twitter dies.  Didn’t come true, damnit.
3. Andriod becomes hacker’s playground.  Missed this one, too, but I’m guessing I’m just ahead of the game and it’s coming.
4. Michael Jackson sightings rise astronomically.  True!  There’s a ton of them, the best ones recorded here.
5. Cloud computing suffers setbacks.  True!  Now that Microsoft has sunk its teeth into the buzzword, they’ll slowly beat it to death with odd permutations of what it means.  Then they’ll bury Azure like Microsoft BOB and ME. 
6. Control systems security appliances will flood the market.  Nope.  Again, I think I’m early.  When you’ve got an industry that tends to update technology on a semi-generational basis, the rush to market can be pretty slow.
7. Woods, Sheen, and Sanford in a TV ad.  I’m claiming true on this one because I saw a documentary on TV about “Sheen Woods” in Ireland, where there are a lot of redd foxx (get it??).
8. Cyber crime goes way up.  True, but really depends on your view. 
9. My love, Siobahn Gorman, gets a job at CNN.  Regrettably not true.  Interestingly, though, she’s steered clear of the Stuxnet hoo-ha other than her initial report where she quotes a US military official implying that “we” did it.
10. Netbooks overtake the “smart phone”.  Ok, so I missed this one entirely.  Note that this was written when the rumored name of the iPad was the iSlate.  And I incorrectly figured that the iPhone would be absorbed into it.  It amazes me how wrong I was – I totally forgot that Apple (et al.) would rather sell TWO devices to people.  Silly me!
11. Translator still laid off for 2010.  Not counting this one.

My alter ego was invited to host a round table at a conference recently, on the topic of “Security and Compliance in IT Networks”.  The conference was hosted by a network provider / integrator in town, and focused on topics such as migrating to high performance wide-area networks and the like – “carrier-class” topics.  The biggest security concern, for most attendees, is the prevention of denial of service.   And “compliance” doesn’t have a whole lot of applicability to carrier networks.   So I had a nice blank slate, and a “roundtable” that would likely be a bunch of 10 year old questions (questions on topics that are 10 years old; not implying that they’re coming from 10 year olds).

So in typical Jovian fashion, I decided I’d take the most controversial stance I could (while remaining on topic) that Compliance had nothing to do with security – in fact, they’re almost mutually exclusive.  I quoted the statistics from the latest Verizon Data Breach Investigations report, interpreting the statistics to match my agenda appropriately and prepared to engage in a pointed discussion.  Here’s a quick summary of how the statistics could be viewed (or “skewed”):

1. 21% of organizations subject to PCI were fully PCI compliant. 
2. Out of the remaining 79%, on the average, 39.75% of those were compliant with the majority of PCI requirements. 
3. In other words, 31.4% of the organizations subject to PCI were mostly or entirely non-compliant.

It then it goes on to say:

The [PCI] standard is authored to provide an approach towards security, built to make unauthorized access to systems and data iteratively harder through a series of control gates.

The idea here was that I would infer from this that organizations in compliance more (“comlplianter”?) would be less subject to breach – as one becomes compliant by implementing more “control gates”, you would be more secure as a result.  However, the data presented in the Verizon study simply don’t uphold that premise, since from above, rougly equal numbers of compliant, semi-compliant, and non-compliant organizations were represented in the study, with only a slight lead taken by those that are completely compliant.

At least that was the premise for the conversation, coupled with a liberal sprinkling of McAfee and Symantec threat report goodness for added flavor.  So how’d it go, you ask? 

Crickets.  Nobody wanted to talk about any of that hoo-ha, they just wanted to know how to keep their damn networks up.  So the round table became a dissertation on the techniques behind DDOS with a then-and-now perspective, talking about how easy it was to how complex it’s become, citing cases from February of 2000 through the most recent Yahoo and DNSmadeeasy.com’s attack.  Same conclusion as always:  fix it with more bandwidth and processing power.  Ho-hum.

But the real value was in preparing the presentation, because it tore me away from catching up on Snooki’s adventures in North Jersey and got me … well, thinking.  Compliance and Security are in fact closely related, and each entirely benefit from the other.  Now before you go thinking I’ve flipped my lid, let me explain:

To start with, the Random House Unabridged dictionary defines compliance as:

1. the act of conforming, acquiescing, or yielding.
2. a tendency to yield readily to others, esp. in a weak and subservient way.
3. conformity; accordance: “in compliance with orders”.
4. cooperation or obedience: “Compliance with the law is expected of all.”

Ok, so you can see this goes totally against every fiber of my being.  Sort of like Joe Walsh’s “Ordinary Average Guy”, you know – where he sings about the guy who takes out the garbage, cleans out the garage, goes bowling, average kids and wife – all the things I rebelled against as a starry(bloodshot?)-eyed young man aspiring to be a rock star.  And here I am, damnit, with a day job and a mortgage.  I blame my ex-wife for all of it.  But I’m digressing.

Regulatory Compliance is something that is enforced by some kind of regulatory body.  The enforcement is usually in the form of civil or criminal penalties.  Take PCI or HIPAA.  Both have fairly significant sanctions for non-compliance.  (yes, I know that enacting sanctions based on noncompliance for these involves zillions of dollars in court costs on behalf of the regulatory entity and the non-compliant entity, and that it’s challenging at best to even get a slap on the wrist administered, but just ride this out with me here). 

Sanctions are applied and delivered to the highest level of governance at the organization.  This tends to make the top of the organization angry, and that anger is typically directed through executive management as vague and poorly thought out, yet forecefully delivered, edicts.  That cascades through the organization and gathers size and steam – the proverbial poop-rolls-downhill metaphor in action.  By the time it ends up as a splattered steamy stain on your new Manolo-Blahniks, it’s death by stoning  for anyone who doesn’t prostrate themselves before their immediate supervisor to honor this new proclamation and do whatever it takes (lying, falsifying records, etc) to be compliant.

Are we secure yet?  Nope.  We’ve just witnessed a cultural ripple – a wave that made it to shore.  It’s what “actual security” can piggyback on and make it all the way through the organization.  Compliance (or rather, the impact of non-compliance) can bring with it serious cultural change in an organization – it can be the catalyst for implementing the security program you’ve been pitching to the board and seeing ignored due to lack of funding for years (although the new Aeron Chairs in all the conference rooms were clearly more important).  It’s something that you can totally leverage.  

The moral / conclusion to this long winded story?

1. Make sure you’re not responsible for compliance.
2. Scrap your security pitch, and rewrite it as if you’re implementing it in response to a gigantic non-compliance fine.
3. Get fined for non-compliance.  I don’t know, maybe hire a hacker, sell pictures to TMZ, whatever it takes.
4. Let chaos ensue.
5. Save the day with your new security compliance plan, get a raise and a promotion.  And one of those cool new aeron chairs.

Anybody who has read this blog probably already knows my reaction to the news that Google has mapped wi-fi networks across the country (or several countries) as described here.  It’s intended for commercial purposes – I totally dig it!  Where I can stop and use my phone to browse the web without running up a bill?  Cool!  Tell me where the closest T-Mobile hotspot is.  Groovy!  Find me a strip club with free wi-fi (not kidding).  Bitchin’!  And it works as promised – I’d recently used a site that knew I was hanging out at <plug>Satellite Coffee</plug> in Albuquerque on their free wi-fi via this feature.

So what’s the big deal?  Why are people getting all uppity about this public data collection?  Wireless network SSIDs that are broadcast are public – you can’t expect to keep something private that you know is public.  It’s like dressing in drag – you can’t exactly insist that people don’t take video of you dancing on the bar.  So I’m told. 

Well, maybe I’m late to the party, but I’ve just stumbled across something that’s swinging me over to Team Privacy.   (please note:  this rant is NOT about the snippets of drive-by packet content that have been collected, it’s ONLY about the access point info they’re collecting.  That’s material for an0ther rant with an entirely different argument)

Quick background:  HTML 5 is introducing a geolocation API specification.  The idea is that it’s a client-side request made by the browser after the user blesses the function with a click of an OK button.  It’s already implemented by the iPhone and Firefox (among others).  In phones, the call is a hook to the gps system.  In desktop browsers, it’s done differently by different vendors.

… So there I was, sitting in my corner office on the top floor of the Jovian Enterprises global headquarters, working on a nifty little mobile web application that brings geolocation capabilities to the escort industry, reading up on how to use the geolocation API.  Simply call navigator.geolocation and presto, you get a location object returned.  Use it to render whatever location-specific content you’ve got up your sleeve via another ajax call.  Sweet – distance to the nearest incall coming right up!

But how exactly does the browser know where I am, anyway?  Apparently, Firefox uses a geolocation provider to get the longitude and latitude.  Guess who?  Yep – Google.

Firefox 3.5 includes support for locating you based on your WiFi information using Google Location Services. In the transaction between Firefox 3.5 and Google, data is exchanged including WiFi Access Point data, an access token (similar to a 2 week cookie), and the user’s IP address. 
  – mozilla.org

“WiFi Access Point data”?  WTF do you think that is?  I’m a pretty adept googler, and couldn’t find anything, so it’s wireshark time.  First capture showed the connection to Google was SSL – how nice of them, protecting what has been proclaimed as PUBLIC DATA (using SSL here seems like an admission of guilt, but that’s a topic for another rant).  I don’t have a man-in-the-middle ssl proxy on hand, so I dug through Firefox’s about:config page full o’ magic, and removed the “s” from the geo.wifi.uri setting, leaving http://www.google.com/loc/json.  Back to wireshark, and http post data shows up as:

{
  "version":"1.1.0",
  "request_address":true,
  "access_token":"2:L23ADSJfdelxVrIu:6KzjqSfXQIFOzB57",
  "wifi_towers": 
    [
      {"mac_address":"00-1e-8d-0l-mn-0p","ssid":"JovianHQ","signal_strength":-68},
      {"mac_address":"00-24-00-52-47-fe","ssid":"Bills","signal_strength":-87}
    ]
} 

 That’s a JSON formatted data string of an anonymous hash (and yes, it’s been altered and it won’t return anything).  Interestingly, both my SSID and my neighbor’s SSID are listed, with signal strength.  And MAC addresses.   Access_token is described as the equivalent of a two week cookie.  “Request_address” is interesting, though.  On to the response:

{
  "location":
    {
      "latitude":34.076243,
      "longitude":-118.429224,
      "address":
        {
          "country":"United States",
          "country_code":"US",
          "region":"MY STATE",
          "county":"MY COUNTY",
          "city":"MY CITY",
          "street":"! MY STREET !",
          "street_number":"!! THREE HOUSES UP !!",
          "postal_code":"MY ZIP"
        },
      "accuracy":150.0
    }
}

Holy crap!  That’s a ton of information, and it’s really close to being dead-spankin’ on.  It’s literally three houses up from my house, on the same side of the street no less!  What application would ever need my street or (incorrect) house number??  So my browser now has all this information – I’m sure it wouldn’t all be shared with the web site, would it…?  Yep, it goes right on back to the script as attributes of the location.address object.   Well at least we’ve still got the security provided by the forced user interaction with the feature (you know, the same kind of security provided by the browser through incomprehensible SSL warnings and negative questions).    Phew!  At least we still have that!

Or do we? 

The draft says that the browsers must not send location information to the calling websites without explicit user permission.  Except:

Some user agents will have prearranged trust relationships that do not require such user interfaces. For example, while a Web browser will present a user interface when a Web site performs a geolocation request, a VOIP telephone may not present any user interface when using location information to perform an E911 function.

Oh, look – there’s NO required security!  According to the W3C standard, there’s a “prearranged trust” – also known as a way to avoid security checks and still be standards-compliant.  And since there’s none here, there’s likely none at the location provider.  So I tested the location provider by sending the same “cookie” and request that I sent from my desktop a few hours ago from a server out in New Jersey and get the same results.  Grrrr. 

Let’s look just a teensy bit deeper on who’s fault this is. 

• Browsers are implementing a feature that allows the browser to read system data when requested by a website script.  This isn’t anything that any other user-installable program can’t do, so no big problem there.  Tie score. 
• This collected data gets sent to a location provider (Google, in this case).  Google doesn’t authenticate that the request comes from a licensed partner application (i.e., approved browser).  Strike one for Google.
• Then Google dumps LOTS of information back to the browser.  Strike two for Google. 
• Then, like a well-mannered program, the browser hands ALL that data back to the website scripts without telling the user what exactly it was.  Strike one for the browser. 
• But the browser has the ability to shut it off completely, but de facto location provider Google does not have an opt out.  Strike three for Google. 

Final score:  Browser -1, Google -3.  Yes, I know there are mixed sports metaphors here, just deal with me.  One redeeming factor in this data transaction:  the website never gets my SSID or my access point’s MAC address – that stuff only goes to google. 

Suggested fix: 

1. Location providers (Google) should authenticate partner applications.  Perhaps cryptographically, since there’s already an SSL handshake going on?
2. Location providers (Google) should limit the data fields returned depending on the authenticated application.
3. Partner applications (Browsers) should alert the user and ask to approve ALL of the returned content per website.  Possibly a popup with checkboxes saying “select the information you’d like to share”.
4. Location providers (Google) should offer an opt out.
5. Bonus (previously undiscussed) suggestion:  A user should be able to register their ”home” location with their phone and automatically disable geolocation features within a certain radius.

Am I over reacting?  Is it really tinfoil hat time?  Let me know your thoughts – I’ll be down in the underground bunker with the blankets pulled up over my head.

OMG.  Now, I don’t use that term lightly, mind you.  I’d put other F’s and MF’s in there, too, but that just gets a little lowbrow for this blog (hard to believe, isn’t it?).  But this one is right on the cusp of deserving a couple of those extra consanants.  Where’s Vanna White when you need her?

I manage web infrastructre for a client that has to be PCI compliant.  Part of that is getting a quarterly vulnerability scan from a certified vendor.   In order to be a certified vendor, you need to pay a ton of money up front, and send your staff to some expensive training classes in order to represent this program.  You’d think that would keep the jokers out of the pile.  Nope.

This weekend, I got this love note from my client:

Hey [Jim] – Hope all is well with you these days…

I just got a failed PCI server scan. Wondering if something has changed on the server. The screen shot of issues below. Please let me know if you can login and see if you can fix from your side. Thanks!

Failed?!?  My server???  GTFOH*!  Never!!  Ok, well… maybe.  I’ve got it set to auto-update and maybe, just maybe, something got surreptitiously updated that impacted one of the dumb PCI compliance items.  Let’s go see what SecurityMetrics has to say: 

Vulnerability score of 9!!  And 8!!  Yipes!  Oh, wait… Lookee there – it seems it’s there because I have a firewall or other scan detection software in place.   Ya think?  A firewall or scan inhibitor install to secure a server subject to PCI compliance?  You betcha!  So why’d it show up now?  Well, I’d recently (since the last quarterly scan) enabled brute force login protection which watches for failed login attempts that come at a reasonbly rapid rate and blocks the source ip using iptables.  Simple and effective.  So, yes, that report is right – I have a firewall in place that is dynamically configured based on intrusion detection signatures.  Plus I’ve got another firewall that shuns portscans when detected.  Who doesn’t? 

So a little bit of digging on their website and their FAQ yeilds this gem:

It is important to allow SecurityMetrics security scanners to have the same level of network access to your Internet-connected devices that you provide to the rest of the world under normal circumstances.

Umm… they do.  Now what?

Well, now they’re asking me to make exceptions to the existing level of network access by disabling security controls so they can tell me where there are security concerns.   Then they have the balls to follow that up with this nugget (in bold, just to make sure you see what crap these yokels are selling):  

Ensuring that traffic from SecurityMetrics scanners does not get blocked ensures maximum accuracy of the security assessments. 

No, SecurityMetrics, it actually doesn’t, it does just the opposite.   You’re (also) Doing It Wrong.  If this crappy brute-force scan would turn up a crackable password, I’m sure I’d be dinged for it.  I don’t know what “level” of a vulnerability it would give for this – if anybody knows please comment with it.  But that crackable password would only have been found if the traffic from the scanners does not get blocked.  Ugh.  It’s crappy services and mis-engineering like this that drives me up a friggin’ wall.  

What would un-crappy look like, you ask?

It would do exactly what it does now, but would identify when it gets blocked.  Then it would try from a different IP address, but at a significantly slower rate.  If blocked again, it would JUST SKIP the brute force attacks SINCE IT’S OBVIOUSLY NOT FREAKIN’ VULNERABLE and move on to a new attack vector.  Simple.  See?  Was that so hard? 

In my opinion, this “exception” I have to make means their service kind of sucks. 

So what did I do in response to this?  Did I pick a fight with them?  Did I tell them how hypocritical they are?  Did I insult their intelligence and call their mother names?  Did I poke them in the eye and tell them they should at least add one freakin’ sentence to that bolded untruth above to say ”We realize that we’re asking you to allow us additional access but we do this in order to keep this service affordable”?  Did I?  Did I???

Nope.  I don’t have time for a pissing match with them over this, so I whitelisted them from the brute-force blocker.   Told ’em to try again and they’ll be fine.  Arrgh.  *sigh*.

Postlog:  Scan passed with flying colors.

* – GTFOH: Get The [Heck] Outta Here

Breaking news from the Federal Buffons of Information:

a senior FBI official recommends considering a simple algebraic equation—risk = threat x vulnerability x consequence

What a unique idea!  I’m amazed that somebody could possibly be that insightful.  I think we should get some big standards body on the job RIGHT AWAY to document this earth-shattering breakthrough.  Like NIST!  

Where have I heard this before?  Let’s do a little digging, shall we?

First, there’s FIPS 200, “Minimum Security Requirements for Federal Information and Information Systems”, published March 2006.  That’s a good place as any to start.  That one says FISMA (oh dear – that’s another rant altogether) requires categorization of systems “according to a range of risk levels”.  Risk is defined in that document as:

The level of impact on organizational operations … resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.

Threat occurs twice in that sentence.  It’s defined in the same document as:

the potential for a threat-source to successfully exploit a particular information system vulnerability

This brings the definition, fully fleshed out to be:

The level of impact on organizational operations … resulting from the operation of an information system given the potential impact of a threat-source to successfully exploit a particular information system vulnerability and the likelihood of that potential for a threat-source to successfully exploit a particular information system vulnerability occurring.

Ok, that isn’t a very easy sentence to digest - let’s remove some of the fluff.  While we’re at it, the “operation of an information system” is a given, since we’re talking about IT risk, so we’ll drop that, too.   And drop “successfully”, as it’s redundant in context, move “likelihood” to assume it into the sentence, fix a verb tense, and we now have risk being:

The level of impact on organizational operations given the likelihood of a threat-source exploiting a particular vulnerability

… or, algorithmically …

Risk = Threat x Vulnerability

Good enough and easy to understand, and Mr. Chabinsky’s point is made – there seems to be no mention of consequence.  But there is this word Impact, which is being used synonymously with Risk (e.g., “risk is the level of impact…”).  If we look further into FIPS 200, the recommendations for controls are based entirely on the security categorization from FIPS 199, “Standards for Security Categorization of Federal Information and Information Systems”, from March 2004, which defines levels of impact for us.  That (astoundingly brief) document provides the categorization levels based on the adverse affect (impact) a loss of the “Holy Trinity” (confidentiality, integrity, and availability) would have.  They provide a scale of limited, serious, and catastrophic to rank the affects, and define those relative to i) degrading mission capability, ii) damage to assets, iii) financial loss and iv) harm to individuals.  Here’s that definition, neatly summarized in that document:

The security categories are based on the potential impact on an organization should certain events occur

It appears security category is* potential impact on an organization given certain events.  Seems that’s the same definition given for risk, too.  I can kind of understand that at a high level – systems that impart greater risk to the organization _should_ have more stringent controls.  Makes perfect sense.  But then it throws in this nugget:

Security categories are to be used in conjunction with vulnerability and threat information in assessing the risk to an organization.

Really?  Risk is to be used in conjunction with vulnerability and threat information in assessing risk?  Go figure.  Seems to explain why the feds have such a tough time with this.   Looking at all we have here so far, it appears that:

Risk is the impact on organizational operations given the potential of a threat-source to exploit a particular vulnerability, the likelihood of that occurring, taking into account… Risk.

Ha!  This is a fun game!  How’d we get to this clusterf*ck?  Let’s see what precipitated this.  NIST SP 800-30 is the “Risk Management Guide for Information Technology Systems”, dated July 2002.  Sounds like the authoritative source, no?  Step 7 of this document states:

The determination of risk for a particular threat/vulnerability pair can be expressed as a function of -

• The likelihood of a given threat-source’s attempting to exercise a given vulnerability
• The magnitude of the impact should a threat-source successfully exercise the vulnerability
• The adequacy of planned or existing security controls for reducing or eliminating risk

… which can be expressed algorithmically as …

Risk = probability x threat source x (vulnerability – adequacy of controls)) x impact

According to step six of this document, Impact is the adverse affect an event will have on the organization.  That’s another word for Consequence, I believe.  And we already know that the definition of threat is the probability of a source exploiting a vulnerability.  And a vulnerability is only a vulnerability if there are no (or ineffective) controls, so we can restate that as just vulnerability.  So this can restate the algorithm as:

Risk = Threat x Vulnerability x Consequence

Oh, it just can’t be this easy.  That’s from 2002.  A little more time travel puts us eight years earlier in 1996, with NIST SP 800-14, “Generally Accepted Principles and Practices for Securing Information Technology Systems”, which uses the definition from yet another document, from way back in the day: NIST SP 800-12, “An Introduction to Computer Security: The NIST Handbook”.  Dated October 1995, it identifies the following things that need to be performed through data collection and analysis as a part of risk management: Asset Valuation, Consequence Assessment, Threat Identification, Safeguard Analysis, Vulnerability Analysis, Likelihood Assessment.  It also states:

A risk management methodology does not necessarily need to analyze each of the components of risk separately. For example, assets/consequences or threats/likelihoods may be analyzed together.

In that document, Asset Valuation includes its intrinsic value as well as the near and long term consequences of its compromise.   Sounds like there’s already a fair compromise by joining asset valuation with consequence analysis.  And it seems to me that combining down vulnerability and safeguard analyses into one makes sense as well.  With that, Risk is a function of asset value/consequence, threat/likelihood, and vulnerability/safeguards.  In algorithm form:

Risk = Consequence x Threat x Vulnerability

Ok, this is awkward now, and I’m starting to feel bad for the guy.  It’s now EVERYWHERE I LOOK.  I knew I read it somewhere, clearly delineated in federal-goverment-speak.  Fifteen years ago!  That’s back when Mullets were just going out of style, the New Kids on the Block were still kids (but no longer ‘new’), Netscape made it’s debut, there was only one Dolly the sheep, the Unibomber was just the Uniweirdo, and O.J. Simpson was still innocent**.  Brilliant new theory, Mr. Chabinsky.   

* – Yes, it uses the phrase “based on”, but the basis is a one-to-one relationship where a limited adverse effect equals a Low Impact, serious = moderate, and “severe or catastrophic” is High.  Same-same.

** – now he’s just not guilty.  Of the first crime.