And before any weird rumors start, let me get out in front of them:  While it’s true that my best friend since I was 10, Dr. Bob the Rocket Scientist, happens to be a redhead — this post has nothing to do with any unrequited homo feelings for him.  It might, however, be attributed to the effect of his older redheaded sisters on a young, pre-pubescent Little Jimmy Jupiter.  But enough of that, I’ll save the rest for my shrink.

So I’ve dedicated this blog post to redheads on TV or in pop culture.  There’s no logic to this collection whatsoever.  Suggest your own, or even an informal comment-based vote for your favorite.  In order to see them all, YES, you have to click on the stupid “2″ for the remainder of this gallery on the next page.  Crappy NexGen gallery (boo!) – my apologies on their behalf.

[Show as slideshow]

12►

Got a favorite?

Osborn, the NBC News social media director, said he recently received one such suspicious email as Hurricane Irene was approaching New York. The email came from an unknown sender with the subject “Hurricane Alert” and the message: “Ryan, You need to get off TWITTER immediately and protect your family from the hurricane. That is an order.”

Osborn wrote back “I’m sorry. Who is this?” The sender then replied, “I’m the girl next door” with an attachment. Osborn said he mistakenly clicked on the attachment and it contained a Christmas tree.

This is the Social Media Director for NBC.  If there’s ANYBODY who should know better, you’d think it’s him.  What kind of idiot opens an attachment on a SECOND GO AROUND of a suspicious email.  Even after he QUESTIONED the first one’s validity?  Seriously – “the girl next door” gave him an “order” that came with an attachment.  If this doesn’t qualify as “suspicious email”, what does?

This is the digital equivalent of a terrorist handing somebody an improvised explosive device with a note that says “press this button right here, please”.  The next “nine-eleven” is going to be digital.  But this time it won’t require a lick of planning.  And we’ll even help carry it out, too!

To properly honor to the tenth anniversary, this post was delayed until Monday.

Now I’ve began the trip down memory lane, looking at the things that seemed shreddable to me at the time.  In true Jovain form, it seems I’ve decided to shred absolutely anything with my name associated with it.  Maybe that’s overkill, but it is what it is – better safe than sorry, I guess.  Then I came across something that caught my eye.  No, it wasn’t pictures from Defcon 16.  Nor was it any of the various restraining orders received during that time (those get framed!).  Something much more insidious…

First some backstory – it may come as a surprise to you, but yes, I’ve got a credit card.  And yes, it’s even issued in my own name (or rather, my alter ego).  At one point, I’d thought it was a good idea to take off the tinfoil hat and succumb to The Man and throw myself on the mercy of The System simply to be able to function in today’s plastic based society.  *sigh* – all because a guy can’t live underground forever if he wants access to premium online porn.  But back to the point at hand…

My credit card periodically sends out “checks” for use in paying off other credit card balances (like a balance transfer).  It kind of sucks that they’re checks that can just be written to anybody, and they’re sent to my house without me asking for it or expecting it in the mail.  But it only references the last four digits of my account number, so I guess it’s the same as a receipt from starbucks (not capitalized on purpose in an effort to extract some kind of vengance on them for making me pay $2.50 for a black freakin’ coffee anywhere I go now).

(no, i really, really don’t have ANY photoshop skillz).

But on closer inspection…

On the bottom of the check, next to the routing number, where the checking account number goes is 10 digits: not just any digits, but the last 10 digits of my credit card number.   Hmmm…  Six digits left – a potential one million possibilities.  But it’s got to be easier than that.  Our pal Google (aka “Wikipedia Index”), says those are the issuer identification number.  http://en.wikipedia.org/wiki/Bank_card_number.

So where would you find a bank’s IIN?  Back to Google: there are loads of Bank Identification Number (previous term for IIN) sites.  bindatabase.net is pretty well known, cited in wikipedia, and us reputed to have the most entries.  However, it doesn’t allow lookups starting with the bank.  More Google gives http://bindb.cc.  Neat.  I can lookup the IIN with Country, Bank name, and Card type:

Country?  Yeah, that’s in the letterhead.  US.

Bank?  Yep, that’s the bank that sent the letter, also in the letterhead.

Card Type (three fields!)?  Well, that takes some thought.  A quick glance at the bank’s website shows it offers Visa.  Let’s go with that.  And it’s a Credit card, since the letter was for a balance transfer.  And now it wants the “flavor” (my term) of the card.  In the letter it says Platinum, so I’ll use that.

Security Code:  Simple captcha so I don’t harvest their db.  Fine.

Click “search”, and, well, I’ll be dipped – there’s the rest of my credit card number.  Well, I called my bank and asked WTF is up with this – they said it’s a security feature.  Good job, bank.  Please remove me from your identity theft victim pile, please, and stop sending me unrequested copies of my banking data.  No bananas - their business office doesn’t allow this – you can only opt out of receiving your requested documents.

So I guess for the rest of the day, I’ll be making a new tinfoil hat and continuing on through my gimungo pile of shreddables.  Thanks a lot, bank.

Somebody out there could use an acronym dictionary, or at least a member of the team that hasn’t evolved past the “totally gross jokes book” stage of their life:

http://www.nerc.com/files/HILF.pdf - High Impact, Low Frequency threats.

http://www.urbandictionary.com/define.php?term=hilf - Um… yeah.  I’ll leave that up to you.  MSFW (‘marginally’ safe for work).

Yeah, the first definition is kinda horrible; please don’t shoot the messenger.

Advanced Persistent Threat (APT) is the pointless (and silly) term that’s been made up by smart industry professionals (shout out to Kevin Mandia) and grossly misused by marketing and executives.

Who uses this term?  Usually, any dipshit who wants to come off “smarter than you are”.  Like ‘this unfortunate incident was a result of Advanced Persistent Threat’.  Or ‘Does your product defend against APT?  Our product is the only one on the market with this capability’ (God help me if I ever read that anywhere).

What does APT really mean?  Let’s break it down, Wikipedia style -

Advanced – It’s good.

Persistent – It’s not giving up.

Threat – It’s after you.

Wait…  Did I miss something here?  Isn’t this the threat that we, as the IT Security Community, really care about?  All this time were we supposed to be on the lookout for the Advanced Slacker Threat?  Or the Moronic Persistent Threat?  The Moronic Slacker Threat??  They make stuff for all of that (anti-virus/spam, I[D|P]S, Firewalls, Web Filters, etc), and if you don’t have that stuff, you’re Not Doing It Right.

But wait… Don’t we, as IT Security Professionals already calculate Risk based on Threats and Vulnerabilities and hasn’t it been around, like, forever?  Sure we do - Risk is a function of Threat and Vulnerability, or more commonly described as:

R = T * V

Well, whatever.  That might be the idea, but typically we do a crappy job of defining threats.  In (almost) all cases, it’s glossed over like “sure, threats exist, and they’re everywhere, both inside and outside your organization”.  Then they go on to blather on about vulnerabilities (V) because that’s the cool stuff.

In the physical security industry, a threat is defined as:

T = P(Ta) + M(Tm)
(See below for a long dissertation about physical security, or just trust me… )

Which is the probability ranking of the Threat Agent acting against you P(Ta) plus the magnitude of harm the Threat Agent would have on your organization M(Tm).  If we plug in the physical value for Threat into the tried and true risk equation (and expanding out) we get:

R = P(Ta)*V + M(Tm)*V

Then there’s vulnerability.  Vulnerability is an inverse function of Effort to Remediate (Ee), expressable as V = 1 / Ee.  Vulnerability approaches zero as exploitation effort approaches infinity.  Hence, vulnerability is never zero.

So what does this show?  First, it shows that as long as there is some kind asset loss that would result in harm to your organization, you will always have Risk – which we’ve always known.  But more importantly, it shows that if you don’t have an asset that is both worthwhile for an attacker to obtain and which causes harm to your business, you don’t have any Risk.  Here’s some practical scenarios (assuming that these descriptions are the extent of the incident for demonstration purposes):

Would you care about one workstation being compromised to join a spam-bot army?  Just spam?  No.
How about that same workstation with a keylogger that records passwords?  Yep.
How about a whole bunch of those keyloggers on a bunch of systems?  You bet.
How about a website compromised to spread malware to external visitors?  Not so much.
SQL / Command injection attempts against front end inventory management systems?  Hell yeah.
Clear text passwords in use to manage mailing list subscriptions?  No.
Users evading web filters to surf porn?  Nope (unless we’re the government, clergy, or known hostile workplace).
“Rogue” sniffers running the internal network?  Big trouble.
Denial of service attacks against a public web presence?  Meh.
Phishing?  No.
Spear-phishing / Social Engineering?  Oh, my, yes.

Are any of the above new scary attack vectors?  No.
Have we been worried about these for years?  Yes.
Are they considered parts of what the proverbial “APT” will attempt to get access.  Yep.

So is it possible to defend against APT?  We’ve been protecting against APT for years, just not calling it that.  Duh - Winning!

——————————–

Physical Security Threat:

In the physical security realm, the term “adversary” is used.  When performing what is referred to in the physical security industry as a “Threat Risk Assessment”, one of the core constructs is identifying the adversary and what they’re after - the ”Threat Agent”.  Threat agents are sometimes generalized into categories, such as vandal, disgruntled worker, violent criminal, white-collar criminal, organized crime ring, corporate spy, activist, or terrorist.  Each of these Threat Agents may have a different motivation.  For example, a vandal is motivated to defame the target, whereas a violent criminal is motivated to exact physical harm to individuals.  Likewise, a terrorist may be motivated to cause the most harm to an entity in any way possible, whereas a white-collar criminal is motivated to gather items of financial value.

But you’re not done yet – the meat of defining the threat is coupling the above with the magnitude of loss that could occur with a successful attack.  The magnitude of loss is dependent on the motivation (target) of the Threat Agent.  Typcially this is expressed as something like:

T = P(Ta) + M(Tm)

Where Threat (T) equals the probability ranking of the Threat Agent acting against you P(Ta) plus the magnitude of harm the Threat Agent would have on your organization M(Tm).  Probability can be drawn from asset value – does your organization have something that the threat agent would like to have?  A lot of it?  If you’ve got a lot of it, you can safely assume a high probability.  If you lost that something, how bad would it be to your organization?  How about if you lost it several times (data is funny that way – reminds me of a joke about a prostitute, but I’ll save that for happy hour)?  That’s how to figure Magnitude.  This is a GREAT model to identify the threat, as it links the who, what, and why together.

The beauty of Shodan is that you can search for anything in an http header (as opposed to the html header), including the server response codes (y’know, like 200 or 401 or 500), the www-authenticate header, or the server header – or anything else you can imagine.

Which brings me to my pet project:  Searching for open surveillance or security cameras.  This is also where you, the esteemed reader, can lend a hand.  I’ve compiled this (embarassingly short) list of http headers that identify cameras.  This, plus google to find default usernames and passwords (not that you’d ever do that, nor would I ever advocate it, of course) should keep you busy for hours.

Server: D-Link Internet Camera

Server: SQ-WEBCAM

Server: Imagiatek

Server: Imagiatek
www-authenticate:  .*Ipcam

Server: DCS-5220

Axis Network Camera

EvoCam

And even with this short little list, I’ve already got a growing compendium of stills from the best of the feeds.

…  But I’m only scratching the surface.  I KNOW there are physical security geeks in my vast pool of rabid readership.  Got any up your sleeve?  Pelco?  P3?  ATN?  Logitech, even?  Know what ports that the video stream is transmitted over?  Anything else to make this easier, please??  Please email me or comment here on this page – I’ll keep you as anonymous as you want to be.

!!!Updates!!!

Server: PelcoNet-Webserver

I consider myself to be a Competent Coder.  Capable and Cunning.  Composer of Cogent and Compelling Code.  Creative, without being Clever*.   Until I was put in my place by stupid cross-site scripting.

There I was, in the fall of last year, undergoing PCI scans from Coalfire, a reputable vendor that employs a bunch of smart guys (yep, that’s a free plug).  Figured this’d be a quick scan, fix some encryption settings, and I’m off to the races.  But that was not to be. 

Couple of findings on SSL self-signed certificates, and cross-site scripting.  Piece of cake – purchase stupid commercial certs, and fix up the xss.  Easy fix.

Not so easy.  The cross-site scripting drove me up a freakin’ wall.  Cross-site scripting!  Easiest thing to beat, right?  Just sanitize your input, and Bob’s your uncle.  But noooooo!!  This simple little freakin’ fix was completely out of my reach.  Hell if I knew why – I’m passing all my damn input through cgi.pm, then stripping out html entities manually…  but no bananas.  Jason (a rather patient guy) rescans and it’s still a problem.  “But…, but…, but… but it looks fine to me” I say to myself.  No xss in firefox, IE9, Safari, or Chrome.  It looks fine when viewing the source.  Hell, I even went as far as using wget to see what the f* the scanner sees.  And then just a “raw” telent request…

[clouds part, cue violin and harp music]

…And there it was – stupid, stupid, stupid html entities in the telent output.  Turns out all the browsers I used have a built in xss prevention mechanism that I didn’t disable (even freakin’ wget!).  But not telnet (obviously).  F*ck me. 

But why doesn’t the damn input sanitization routine work right?  Telnet shows I’m still outputting html entities to the page.  I even went so far as to use HTML::Entities to encode / decode before putting to the page to make sure I wasn’t missing some oddball character set.  Still - no go. 

After tracking this through the code, it turns out I was short-cutting some url rewriting, using environmental variables to create urls (a “Clever” solution).  Like for links to “next page” or other navigation items so that I could magically carry variables across to the next page view without having to know what was in the url in the first place (like changing page=1 to page=2 by regex on the REQUEST_URI and QUERY_STRING environmental variables).  Environmental variables aren’t “input”, per se, so they didn’t go through the filter.  ARRRGH!  So I run them through the filter, back out all the overkill crap I’d put in place trying to beat this fix into submission, and politely (sheepishly?) request a re-scan.  Presto, it’s clean.

So finally, after passing, I asked Jason (the patient guy who did the scans) what he was using to validate the finding, and he says “IE 8 with xss filter disabled”.  Duh!  That simple question could have saved me hours and hours if I asked it early on.

The moral(s) of the story:

1. Find the “disable xss filtering” option in your browser when validating this kind of thing.
2. Treat environmental variables as “input”. 
3. Your PCI QSV can provide a ton of information if you put your overblown ego to the side and just freakin’ ask.

Through this whole experience, I really, really, really tried to stay as professional as possible when dealing with the scanning vendor.  I came dangerously close to unloading on him out of sheer frustration caused by my own crappy code, but I bit my tongue.  Damn glad I did.

The end.

* – “Clever”, in this context, is a synonym for unintelligible.  If you’ve ever seen a “clever” solution to a problem, it’s probably in that block of code you skipped over because it didn’t make any sense.  Then when you finally sort out all the places the output goes, you come to realize that it’s a complete kludge.  “Clever”, my ass.  I’ve had a history of very clever solutions that I look at now and only see random ascii characters.

1. Quit using bullet points and clip art in PowerPoint.  And no more than 10 words per slide, no less than 48 pt font.  Forced creativity. 
2. Learn how to actually use PhotoShop, not just doink around in it.  I think I’d have a ball pasting well-known people into rant-specific situations.
3. Host my own game show.  A recurring resolution that’s been on every Jovian wishlist since 1992.
4. Run a marathon OR keep my knee in one piece.  Either one would be ok.  Not holding out hope for both.
5. If I ever find these during an IT assessment:  
   a) default passwords
   b) weak passwords
   c) unpatched systems
   d) no (or uselessly configured) firewall
   e) no anti-virus
   … I will recommend the company immediately fire their freakin’ CIO and/or outsource IT to someone halfway competent.
6. Finally, I resolve to visit Lindsay Lohan in prison and sing her Justin Beiber’s “One Less Lonely Girl”, as I firmly believe she was the inspiration behind lonelygirl15.  (take that, Google PageRank!)

And here’s a quick recap of how my 2010 predictions turned out.  Please note that although they were for the year 2010, a Jovian “year” is 11.8 earth years, so I’m still holding out hope that in the next 10.8 years, some of these will make it.  Please check back on October 17, 2020 for an update.

1. Howard Schmidt lays low.  True!  Proven by his lily-livered, limp-writed, wussy (but timely) answers to questions in an interview with Newsweek.
2. Twitter dies.  Didn’t come true, damnit.
3. Andriod becomes hacker’s playground.  Missed this one, too, but I’m guessing I’m just ahead of the game and it’s coming.
4. Michael Jackson sightings rise astronomically.  True!  There’s a ton of them, the best ones recorded here.
5. Cloud computing suffers setbacks.  True!  Now that Microsoft has sunk its teeth into the buzzword, they’ll slowly beat it to death with odd permutations of what it means.  Then they’ll bury Azure like Microsoft BOB and ME. 
6. Control systems security appliances will flood the market.  Nope.  Again, I think I’m early.  When you’ve got an industry that tends to update technology on a semi-generational basis, the rush to market can be pretty slow.
7. Woods, Sheen, and Sanford in a TV ad.  I’m claiming true on this one because I saw a documentary on TV about “Sheen Woods” in Ireland, where there are a lot of redd foxx (get it??).
8. Cyber crime goes way up.  True, but really depends on your view. 
9. My love, Siobahn Gorman, gets a job at CNN.  Regrettably not true.  Interestingly, though, she’s steered clear of the Stuxnet hoo-ha other than her initial report where she quotes a US military official implying that “we” did it.
10. Netbooks overtake the “smart phone”.  Ok, so I missed this one entirely.  Note that this was written when the rumored name of the iPad was the iSlate.  And I incorrectly figured that the iPhone would be absorbed into it.  It amazes me how wrong I was – I totally forgot that Apple (et al.) would rather sell TWO devices to people.  Silly me!
11. Translator still laid off for 2010.  Not counting this one.

Microsoft is killing off the term “Cloud”. 

I just sat through yet another stupid “cloud” commercial from Microsoft.  Of the two of these that I’ve seen, one is about Picture-Maker, which is a locally installed application, and the other is Remote Desktop.  Both of these have nothing to do with a “cloud”.  Picture Maker, in fact, can operate with no network connection, except for the “share” function – which has nothing whatsoever to do with the perfectly cropped images she seamlessly drags and drops into place.  And how in God’s green earth did remote desktop become a cloud service?  What the hell, Microsoft?  Have you lost your mind?  Are you (again) trying to redefine things so you can say you invented them (see “MS TCP/IP”, and “IE”)?  You’re like a freaking Dilbert strip.

The Oracle of all things ludicrous has spoken.

Per Fox news – Pentagon Spokesman Col. David Lapan said Monday the Department of Defense can “neither confirm nor deny” reports that it launched this attack.

A standard reply on subjects of national security, I suppose.  But you may note that there’s not a whole lot of hoopla going on or statements from the Pentagon that we’re scrambling to make sure it’s not going to happen here.  While it’s true there are serious things going on led by serious people in serious organizations to reduce the possibility that it will happen here (mad props to my homies at NERC / FERC / even DOE), but no official statement from the Pentagon encouraging the private sector to batten down the hatches. 

On the other hand, the only place I could find this wishy-washy, standard-practice Pentagon statement was via Fox News, so take that for what it’s worth.

All in all, I still stand my previous implications of the Chapman / Jackson spy team.