Category Archives: Security

The Interrupters

I spend almost every day now reviewing breach data and analyzing threats to deconstruct vulnerabilities. Some of my more popular work recently has been to convince IT management that they need to improve their analysis of threats to understand them better.

Although there are many frustrating examples of negligence and ignorance when it comes to security, no one should feel satisfied to always blame the victim after an attack. That is why the security industry can help with more balanced risk analysis instead of pounding only on customer vulnerabilities and writing off every threat as “sophisticated”.

After a presentation on cloud penetration testing at VMworld this week I was asked by a customer of a provider why their instance was constantly being broken into. First, I went over how they should pinpoint the threat and not just the vulnerability in their particular instance. Second, I explained that if you have a nice house with big windows and live in a dangerous neighborhood when you could afford to move to a better one, the choices become more obvious once translated to a more familiar risk context.

A medical professional who injects a virus into a patient in order to test and build up antibodies, for another example, makes an excellent simile for penetration testing a cloud environment.

The viruses in the flu shot are killed (inactivated), so you cannot get the flu from a flu shot.

They say you can’t get the flu from a simulation of the flu, but we all know that the flu shot still carries risks.

There are some people who should not get a flu vaccine without first consulting a physician. These include:
[…]

  • People who have had a severe reaction to an influenza vaccination.

In the same vein (pun not intended) I strongly recommend to anyone interested in the study of information security and the interruption of threats (to protect the vulnerable) that they watch this movie:

Note that one of the movie protagonists, one of the Interrupters, is the daughter of Jeff Fort. He was a notorious Chicago gangster convicted of domestic terrorism in the 1980s.

For years Chicago’s El Rukns seemed like the average urban street gang, dabbling in racketeering, narcotics sales and the occasional murder. But El Rukns (Arabic for “the cornerstone”) was far more ambitious than that. Last week a federal jury convicted five members of conspiring to commit terrorist acts against the U.S. The plotters, prosecutors said, expected to receive $2.5 million from Libya’s Colonel Muammar Gaddafi for bombing buildings and airplanes and assassinating American politicians.

[…]

In the late ’70s, the 100-member organization turned to political militancy and religion. The leader, Jeff Fort, 40, regularly presided over meetings from an immense, high-backed throne atop a pedestal, surrounded by outsize posters of himself and Gaddafi.

The daughter of this guy is now trying to stop the violence. I would point you to a Wikipedia reference so you could read all about this amazing and inspirational woman — Ameena Mathews — who has dedicated her life to saving so many others, but a Wikipedia administrator — Fastily — has just decided to delete her page.

This page has been deleted. The deletion and move log for the page are provided below for reference.

00:03, 29 August 2011 Fastily (talk | contribs) deleted “Ameena Mathews” ‎ (Expired PROD, concern was: Does not meet notability guidelines. Lacks citations to significant coverage in reliable sources.)

Uh, she has been written up in the NYT, The Guardian, NPR, PBS…just type her name into a search engine to see the citations. Take her interview in indieWire as an example of the “coverage” she gets:

…you’ve been meeting up with similar groups across America. How has that been?

We met up with a lot of groups that replicated the model. There’s a lot of people out there doing a lot of great things, helping the war on poverty, getting kids in school so they can put the guns down.

[…]

There’s purple hearts for those that are wounded in Afghanistan, but not much for those who do our work.

Hey Wikipedia, get a f-ing clue. The Interrupters and their work to stop threats should be the very definition of notability. Let this be yet another giant blinking warning sign of why you should not automatically trust the supposedly well-intentioned administrators of cloud services to do some basic checks before they act, let alone care about risk and the security of information.

BP Shoots and Kills Polar Bear

A guard at a BP facility in Alaska is said to have shot an endangered Polar Bear with an explosive shotgun charge. The bear died from internal injuries a few days later.

Late in the evening of Aug. 3, a security guard, employed by Purcell Security, saw what turned out to be a female polar bear walking down the Endicott causeway and headed for an employee housing area. The guard flashed his vehicle lights at the bear, honked his horn and sounded his siren but the bear would not leave the area and instead approached the vehicle and began to act aggressively.

The guard pulled out his 12-gauge shotgun and fired what he thought was a bean bag round at the bear. The less-lethal ammunition is designed to hit the bear in the hind quarters and drive it away.

The bear did run off at that point and BP reported the incident to the Fish and Wildlife Service, as required.

But a few days later, the bear returned, swimming off to the west and ending up on a shallow island area near the four-mile long causeway and 30-acre gravel drilling pad.

BP workers could see the bear through binoculars and continued to monitor it. But sometime between the night of Sunday, Aug. 14 and Monday morning, Aug. 15, they realized the bear was dead.

Such a lethal and high-profile mistake has led BP to say it will now consider ways to avoid making another one.

[BP Alaska spokesman Steve] Rinehart said all ammunition will now be clearly marked by its type, with specific packaging colors and labels.

A “back-up bear hazer” also will be required to be on hand and verify that the correct ammunition for the level of hazing is about to be used, he said.

“We want to make completely sure that whatever guard is involved in a hazing incident knows exactly what type of hazing round is being used if it comes to that,” Rinehart said.

The solutions indicate confusion over ammunition type (lethal/nonlethal) and doubt about relying on a single source. In other words, they did not anticipate any harm from grabbing a lethal charge by accident, and they did not have any method set up for independent verification after a lethal accident. Both seem like highly irresponsible management of risk when handling lethal force.

Here’s a good question for the investigators. At what point after shooting an endangered animal should a shooter inventory their ammunition and confirm that they did not harm the animal? Should they wait until it is dead? Was the facility manager looking through the binoculars and saying “Yup, she’s dead. I guess that means it was one of the lethal rounds…”?

It’s unfortunate that BP management demonstrates they will allow a lethal accident to happen before they take even simple measures to reduce the risk of that accident, let alone maintain controls (e.g. responsibility) for high-risk decisions.

You might think BP, a company full of environmental and mechanical engineers, could design and build a campsite that is passively resistant to bears and therefore not threatened by them so easily. Perhaps instead they did a quick calculation and found it far less expensive to kill endangered animals in their way and just claim a lack of awareness?

iRank App

The National University of Singapore has announced the winner of a 24-hour coding competition. Here’s the goal:

…a 24-hour programming competition, encourages students and faculty to develop customized applications that advance the search and discovery process of scientific information.

So you might be thinking there would be some cool new scientific tools being developed. Maybe students have added perspective and a new way of thinking about problems, based on data discovery? No, instead the winner is a Google modification — a search engine that ranks scientific papers based on reputation.

First place: Zhao Shanheng and Zhong Zhi, of NUS, developed the iRank Apps, an application which ranks institutes by the number of papers returned in the top search results. This tool can help students decide where to apply for their PhD or pursue postdoctoral research in their chosen field.

Google’s reputation-based system has advantages, but it also has risks. It requires you to trust external sources of verification — the peer-review system depends on the quality of the peers. That seems highly unscientific. It’s a second-person or even third-person view of data.

So the first place award goes to an app that tells you what the search engines tell you about what the peers tell you about papers from institutes. It is a popularity contest app that is at least three steps removed from an actual review of source material.

The huge irony, of course, is that the contest appears to have had a controlled/trusted system to determine the winner. How quaint. Perhaps they should have instead thrown the apps into public search engines and let the one that hits the top search results win. Otherwise, I would say their decision to review and vote for iRank App in a closed system contradicts the mission of the iRank App…

FedCloud at VMworld 2011

I have been asked a few times about details of the Federal track at VMworld this year in Las Vegas so I thought I would just post the information here for convenience.

Note that all the Federal sessions are security and/or compliance related:

Session ID and Title

  • CAP1992 Building Resilient, High Performance, Distributed Applications that are Data-Intensive
  • SEC1544 Compliance and Trust in the Cloud
  • SEC1747 Desktop Security Zones with VMware View and vShield App: A Reference Architecture Review
  • SEC1980 Department of Defense Reference Architecture using vShield
  • SEC2114 Customer Panel: Ensuring Compliance in a Virtual World
  • SEC2162 Achieving a Trusted Cloud
  • SEC2192 Case Study: Building a Virtual Data Center at the Department of Homeland Security to Meet FISMA Moderate to High Data Security Requirements
  • SEC2942 Building Trusted Clouds – Proof Points not Promises
  • EUC1988 Case Study: Using VMware View to Strengthen Disaster Response Systems for Federal Agencies
  • SEC2284 Securing Government Virtual Environments: Part II
  • EUC2048 Panel Discussion: Modernizing the Desktop to Provide Better Business Continuity while Reducing Operational Costs for State and Local Government

Aside from helping prepare some of the compliance sessions I am presenting on the art of applying penetration testing skills to the cloud. And I’ve been asked to sit on a PCI expert panel. Hope to see you there:

  • SEC1236 Penetration Testing the Cloud
  • SEC2484 PCI-DSS Compliant Cloud—Design and Architecture Best Practices

Come see how far things have progressed since the early days of VMware