We become more secure as a country by minding our own business and being kind to others. This way 95% of the world loves us. Then, when the 5% does pose a threat we are not only free to go and obliterate them, but we do so to a standing ovation.

be688838ca8686e5c90689bf2ab585cef1137c
999b48c70b92f67a5c34dc15697b5d11c982ed6d7
1be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09 -

At RSA this year I caught a talk by a Google executive that discussed what makes Google’s Information Security team so unique. I found the talk quite informative and thought it was worth sharing. It would be great if more companies had this perspective.

Everyone on the Security Team is a Programmer

Read that again. Every single person on the team is a coder. This is beautiful. How many times have you heard a security guy say, “Hey, this is code. I don’t know how to code. Send this over to the programmers to look at.” Great, send it over to someone who has no idea whatsoever about security.

It’s my opinion that the security group should be elite within an organization. They should have the most IT experience, the most talent, and the most interest. Why should they not understand code as well? What about programming is so scary that it shouldn’t be included in the high standard that security needs to meet?

Nothing. I think Google is approaching this absolutely correctly. Security engineers should understand programming principles and should be at least moderate programmers themselves, ideally in at least the core languages and frameworks in use at the time.

Google’s Security Team Writes All of Their Security Libraries

Who better to write secure code than the security team, right? You know all of their authentication libraries? All their authorization stuff? Input validation? Output Encoding? Yeah, all of it is done by the security team. All the programming knowledge, all of the security knowledge — all in one place. Then you have the code review.

All Code is Reviewed by Peers

One way to ensure standards is to have not only QA look at your code, but your programming peers as well. While it likely introduces a lot of pressure it also brings a certain social element to the development process. You’re more likely to try and produce quality stuff if you know it’ll be under a microscope later. Not only can bad code be part of your evaluation but it might get you razzed in the cafeteria.

How They Test Code

One of the most interesting things I heard during the talk was a description of how Google tests code before it’s deployed. They essentially capture attacks being thrown at their applications and put them all into a database.

And here’s the cool part — they run the whole list of attacks against their new code while it’s in QA. So, in order to ensure that their new code isn’t vulnerable to ANYTHING they’ve ever seen, they run all the previous attacks against it. Awesome.

But that’s not all. They’re also constantly monitoring production and constantly updating the attack database. So when you test your code in QA you’re not just testing old attacks but rather all attacks they’ve ever seen up to the present. That’s sick.

Summary

Google is insanely successful, and the second best thing to being genius is following the path cleared by it. Anyone interested in doing security right should at least take a look at Google’s approach.:

From this article at InfoWars:

Federal law enforcement agencies co-opted sheriffs offices as well state and local police forces in three states last weekend for a vast round up operation that one sheriff’s deputy has described as “martial law training”.

This is just the paranoia in me speaking, but wouldn’t this be the way to prepare for a Gulf of Tonkin incident after which the government plans to declare martial law?

Yes, that sounds crazy, but at this point I don’t think certain people in our government are above it. Not our entire government, mind you — it’s not that organized or evil despite what conspiracy theorists like to believe — but it only takes a few key people.:

As those performing attacks against corporate IT assets become more professional we’re going to start seeing more of the following types of attacks:

• Bribery
• Extortion
• Blackmail

Think about who’s increasingly behind the information security attacks these days, and think of how they could more effectively attack an organization given large amounts of money and their willingness to engage in standard, physical crime.

The Problem

How hard is it to find out who works in IT in a large organization? How difficult would it be to make contact with someone who can disable or modify the anti-malware systems at one of these fortune 500 companies? And what would happen if someone with an Eastern European accent offered Bob, the mediocre (but dangerously knowledgeable) IT guy, the following sorts of propositions:

I’ll give you $50,000 cash to drop this piece of malware on your network. It’s undetectable by all of your malware detection and will remain so because this is the only place we’re going to use it. It will give us information we can use to silently extort your company’s C-level execs, and nobody will ever know how we got the information. They’re millionaires anyway. Think about it — all your debt instantly gone — plus a new home theater system that’ll be the envy of the neighborhood.

…and if/when Bob says no…

You’ll take the money and be happy or me and my meth-selling buddies will start getting real cozy with your wife, and we might accidentally burn down your house, too, or hurt your daughter. Don’t bother calling the police; we’re an international crime syndicate and that will just annoy us. Trust me, take the money and everything will go smooth. How about a new car?

Then there’s the blackmail angle if they’re willing to do some research and/or some setups. The point is that all they need is to get an internal employee to drop some of their highly specialized and virtually undetectable malware onto the internal LAN.

In short, the game is to overcome the internal employee’s fear of being caught using either fear or greed. And that’s precisely what this new type of traditional, organized criminal player is good at. They’re already into the classical elements, e.g. drugs, guns, violence and prostitution, so leveraging those resources to reap profits in the cyber world seems more inevitable than far-fetched.

This isn’t just movie plot stuff; there really are very organized criminal groups, with millions of dollars of backing, getting into the business of pulling the IT jewels out of top U.S. companies. And when they start figuring out that shmuck-boy the IT guy is the thing standing between them and a multi-billion dollar company’s most sensitive information — the games will begin. In fact, I’m willing to bet they’ve already started.

The Information Security Response

There are predictable ways that we in information security will react:

1. Increasing the types of background checks required to get into IT. Debts and overall life stability will be increasingly scrutinized, much in the same way it is for those with clearances in the intelligence community. In fact, clearances may become a new standard for certain IT shops.

2. Separation of duties, least privilege, and auditing will start to get taken far more seriously by everyone. Everyone from the companies themselves to the groups that are auditing them are going to be looking very hard at how to limit the damage individual employees are able to do if they were to go bad.

3. Additional outsourcing of sensitive roles due to the specialized requirements of IT in the future. If clearances are needed, as well as training in how to deal with these types of threats, that’s just going to be that much more reason for companies to outsource the whole operation to external experts.

4. Additional professionalization of IT due to the newer, more stringent requirements. More requirements for college and/or certification plus the initial and ongoing background checks will raise the bar for entry into the field. This will further exacerbate any existing IT labor issues and complicate the discussion of using foreign-born workers.

So, is this movie-plot fiction or a real possibility?

So I’m trying out a new anti-spam combination:

1. Re-captcha
2. Akismet

If you have any problems with the CAPTCHA software, just reload the image or try the audio option. What I like most about the re-captcha system is that it doesn’t dump your post if you don’t get the CAPTCHA right. I tried another implementation a while back that did this, and got several emails threatening my safety.

Another cool thing about the re-captcha system is that every time you use it you’re helping a good cause. The re-captcha system is part of a project to digitize books, which is done using OCR software. Well, when the computer has a problem reading in a given piece of text it needs a human to help determine what the word is.

That’s what this system does — it’s using us to identify what the computer couldn’t do. And that just happens to be a good way to also keep those same words from being easily guessed by a computer. Or, to put it another way, if the words were easily guessed by computers (hence making a CAPTCHA text) they wouldn’t be in the system in the first place. Pretty cool.

Anyway, spam seemed to be picking up quite a bit recently and I needed to switch tactics due to the overhead of managing it. Let me know if this is unbearable, however, and I’ll adjust as necessary.

I just posted my first comment using OpenID (that worked). I’ve tried a few other things that use OpenID with my own server as my endpoint and I’ve had limited success. But Blogspot seems to be on top of things.

I’ve been obsessed with an idea for a while now of a networking and security tool that captures network data once and makes that data available to any kind of tool that asks for it. It’s not my idea; an buddy of mine named Eric, who I’ve since lost touch with, told me about it over lunch at Maggiano’s many years ago. I’ve been thinking about it ever since.

Anyway, Richard Bejtlich just put up an interesting post about something similar. One of his readers asked him whether he’d thought of a single capture box that runs multiple applications. This is not the same as , but the idea is the same: capture the data once, re-use it many times.

But the way I see this playing out is more like an interface to the data running on a single box, which is accessed from many separate tools, rather than multiple applications running on the capture box itself. Storage is getting cheaper all the time, as are computing resources, so the idea here for these boxes would be to:

1. Capture ALL traffic for a given segment (full packet captures).
2. Store it for as long as needed.
3. Present an open, agnostic interface to the data, including real-time and/or historic views.

Richard actually mentioned a couple of options that I’m not familiar with, Solara Networks and Endace Ninja. I’ll have to check into them.

Another interesting idea that was brought up was the power of taps. The problem there is that it’s only real-time and the storage bit would still fall onto multiple systems. It just seems so wasteful to have multiple network and security tools all over the network creating their own copies of packet data. Especially when they’re often stored in a proprietary format.

Imagine (John Lennon style) if they all spoke a single data retrieval protocol where you could ask a common interface for raw, untainted packet data — but at a particular level. So one security product could just ask for port data via one type of query, and another one could ask for flow data, and another could be pulling a full replay of all layers. The cool part would be that the output of the query would be a filtered data stream that was uniquely useful to the requesting application.

So if FooSecurityApp just needed flow data it could build a query to the Network Data Interface (NDI?) that only returned flow data, and in a clean, universal (compressed?) format. The idea being that it would save tons of bandwidth by giving you just what you needed.

And if a security tool decided it needed to see byte 13 of the TCP header on everything leaving the network from one machine, last Thursday between 1400 and 1430, it could build a query to get just that (and any requisite context, of course). Very little data would come back relative to pulling everything and filtering at the requesting app.

Anyway, that’s taking it to an extreme but it seems like an interesting idea, if nothing else.

Thoughts?

The Daily Kos just uncovered something that seems pretty interesting.

According to a Republican congressman (Dana Rohrabacher, (R) from California) who has just now become frustrated with the admnistration to the point of needing to speak out, there is strong evidence that links Terry Nichols (the Oklahoma City bomber) to Ramsey Yousef (the 93′ WTC bomber, and nephew of Khalid Sheikh Mohammad, organizer of 9/11).

Here’s a summary of the points he made:

• Nichols and Yousef happened to be in the same remote location, Cebu City, Phillipines, right before the Oklahoma City bombing.
• The Oklahoma City bombing and the 93′ WTC bombing “used similar bombs and methods” two years apart from each other.
• During his investigation, Rohrabacher secured Yousef’s phone records and discovered that he had, while in the NYC area before the 93′ WTC attack, he made calls to a house occupied by Terry Nichols’ cousins-in-law.
• Finally, congressman Rohrabacher faced what he considered to be significant obstruction from the Bush administration when trying to investigate the connection.

So what does this prove? Nothing really. But it does indicate that we should be paying more attention and asking more questions.: