October 13, 2007

Personal safety, do we take it for granted?

This post is a bit off-topic from the information-security focus. It does, however, belong because at the end of the day, we all want to be safe with our loved ones and know that the ones who we let into our lives will not hurt us, and information security as a field involves privacy and safety related issues like cyberstalking. Many of us in the information security field are also aware of physical security issues and understand that just as we can't take for granted the bad guys in cyberspace, we can't take for granted the bad guys in 'meatspace' either. So please read on and figure out for yourselves how information security professionals have so much to learn from and contribute to our colleagues in other safety and security related professions.

After recently meeting some people who work full-time advocating for abused women and children, I pulled out an old book from the mid 90's that deals with interpersonal violence, a topic I've studied both formally and informally for many years.

Here's a quote that makes me think about the true meaning of relationships with family, friends and intimate partners, and how so many of us take for granted the personal safety we have grown up with or become accustomed to. It jarred me the first time I read it and still does today:

"I understand that I have escaped violence at home not because I am particularly strong or exceptional, but because I have been lucky... When I am half-asleep, my partner lifts his hand and gently caresses my hair. I cannot help but think about those women on whom a hand is descending, a hand that is not gentle." Claire Buchwald, Training for Safehouse

Some of us lead lives that allow us to drift off into the delusion that interpersonal violence is someone else's problem. Something that we'll never encounter personally, since we live in a 'safe' neighborhood, have great families and so on. This is a luxury that some of us have enjoyed and not given a second thought to, while some have struggled desperately to change their life's circumstances and escape abusive and violent people who 'love' them.

Their journey through this personal hell is eased by good people like Claire Buchwald who take the time, energy and personal risk to create a safe place for those whose homes have become a place so intolerable that they have to run for their lives, often leaving no trace and taking nothing with them of their personal possessions, in order to effect their escape.

Before I transitioned into information security full time, I had been in and out of the physical security and emergency medicine field, having done some things that would be considered scary or intense by some people. Still, I know that I don't have it in me to work up-close and personal with abused women and children. It would just be too much for me. I so admire and respect those who work in this field.

Perhaps information security practitioners can reach out to the .orgs in this niche and help make sure that the stalkers and abusers have a harder time tracking their victims. This is hardly a new concept in pro bono IT work, just a thought for my own contributions. The other week I spent a couple of hours at such a non-profit and know that my IT skills made a difference. I will be back. Basic IT skills, not to mention high-level security kung-fu, are something that most .orgs can't afford to pay for. The opportunity cost for a .org paying street value for IT/security work on their network is very high, considering it could mean reduced levels of service for their clients.

So this post goes out to all of those people who volunteer their time or give up lucrative jobs in corporate law or other high-paying work, to dedicate themselves to the non-profit orgs that serve this need in our society. If you know someone like this, make sure to tell them how much you appreciate their work and sacrifice.

Stay safe out there,


October 11, 2007

From SANS NewsBites Oct. 9, 07 re: Patching

Ed Skoudis, John Pescatore and Dr. Johannes Ullrich comment on patching beyond the typical Microsoft Patch Tuesday. Please remember to patch all applications on your endpoints; the OS is just one piece of the puzzle. Browsers, office productivity apps, media players and other applications all have multiple critical vulnerabilities that we must address to properly mitigate risk. Even security products (GASP!) have flaws, so don't let your anti-virus, personal firewalls, backup software and other such apps be the weak link.

Adobe Publishes Workaround for PDF Flaw (October 5 & 8, 2007)
Adobe has acknowledged a flaw in its products that could allow an attacker to use maliciously crafted PDF files to take control of vulnerable computers. The problem affects Adobe Reader version 8.2 and earlier; Adobe Acrobat Standard, Professional and Elements 8.1 and earlier; and Adobe Acrobat 3D on systems running Microsoft Windows XP and Internet Explorer 7 (IE 7). Adobe is reportedly developing a fix for the problem in Adobe Reader and Acrobat versions 8.1 and earlier and plans to make it available by the end of October.
- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=202400027
- http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9041338&source=rss_topic17
- http://www.adobe.com/support/security/advisories/apsa07-04.html
[Editor's Note (Skoudis): With this significant flaw, as well as the JRE flaws described elsewhere in this NewsBites, it is very clear that we need to be serious about patching third-party applications on our Windows machines. Whenever we perform a penetration test, we almost always get in via unpatched third-party software. Please, make sure you have a solid process and technical support for testing and deploying patches to non-Microsoft software on Windows machines such as PDF readers, Java Runtime Environments, iTunes, Quicktime, Flash Player, Real Player, Firefox, and others. Leverage tools such as Microsoft's SMS or third-party patch management systems. ]

Sun Patches JRE Flaws (October 3 & 5, 2007)
Sun Microsystems has released patches for 11 critical vulnerabilities in its Java Runtime Environment (JRE). The flaws affect JRE versions 1.3.1, 1.4.2, 5.0 and 6.0 on Windows, Linux and Solaris systems. The flaws could be exploited to circumvent security measures, read and manipulate data, and compromise computers.
- http://www.theregister.co.uk/2007/10/05/sun_patches_java/print.html
- http://www.pcworld.com/article/id,138087-c,softwarebugs/article.html
- http://blogs.zdnet.com/security/?p=562
- http://secunia.com/advisories/27009/
- http://blogs.sun.com/security/
[Editor's Note (Pescatore): The Adobe and Sun items point out that patching is not just something that has to be done after Microsoft's Vulnerability Tuesday each month. There have been many reports of active exploits against flaws in Solaris in recent months.
(Ullrich): We all know how much fun it is to patch Java. If you don't need it, remove it. If you do need it, make sure you have a good inventory of installed versions and a fool-proof method of keeping them patched. ]
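Ullrich's advice to keep "a good inventory of installed versions" is the part most shops skip. The script below is an added example, not something from SANS or from this blog: it reads the Windows Uninstall registry keys (the same data Add/Remove Programs shows) on one endpoint, picks out the third-party products named above (Adobe Reader, Java), and flags any install whose version is below a minimum you supply. The minimum versions in the parameter block are placeholders I made up for illustration; they are not taken from the advisories quoted here and must be replaced with the fixed versions your own patch process tracks.

```powershell
# Added example: inventory third-party applications on a Windows endpoint
# from the Uninstall registry keys and flag versions below a required minimum.
# The thresholds below are PLACEHOLDERS, not values from the advisories above.
param(
    [hashtable]$MinimumVersions = @{
        'Adobe Reader' = '8.1.1'    # placeholder threshold
        'Java'         = '1.6.0.3'  # placeholder threshold
    }
)

# Both native and 32-bit-on-64-bit registry views, so nothing is missed on x64.
$uninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function ConvertTo-VersionSafe {
    # Vendors write versions inconsistently ("8.1", "1.6.0_03", "6.0.30").
    # Normalise to up to four numeric parts so [version] comparison works;
    # return $null when the string cannot be parsed at all.
    param([string]$Text)
    if (-not $Text) { return $null }
    $parts = @(($Text -replace '_', '.') -split '\.' |
        ForEach-Object { $_ -replace '\D', '' } |
        Where-Object { $_ -ne '' } |
        Select-Object -First 4)
    if ($parts.Count -eq 0) { return $null }
    if ($parts.Count -eq 1) { $parts += '0' }   # [version] needs at least major.minor
    try { return [version]($parts -join '.') } catch { return $null }
}

$installed = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher

$report = foreach ($app in $installed) {
    foreach ($pattern in $MinimumVersions.Keys) {
        if ($app.DisplayName -like "*$pattern*") {
            $have = ConvertTo-VersionSafe $app.DisplayVersion
            $need = ConvertTo-VersionSafe $MinimumVersions[$pattern]
            # UNKNOWN is reported, not silently dropped: an unparseable
            # version string is itself a gap in the inventory.
            if ($null -eq $have) { $status = 'UNKNOWN' }
            elseif ($have -lt $need) { $status = 'NEEDS PATCH' }
            else { $status = 'OK' }
            [pscustomobject]@{
                Product   = $app.DisplayName
                Installed = $app.DisplayVersion
                Required  = $MinimumVersions[$pattern]
                Status    = $status
            }
        }
    }
}

$report | Sort-Object Status, Product | Format-Table -AutoSize
```

Run it locally or push it through your remote-execution tool of choice and collect the output centrally; the point is to end up with a list of every machine still below the required version, rather than assuming the patch job finished because the OS side did. Products that install per-user (under HKCU) or outside the Uninstall keys will not show up here, so treat this as a starting inventory, not a complete one.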

October 10, 2007

First post

Welcome to Shpantzer on Security!

First things first: I'm not a guru/expert/know-it-all... I've just been privileged to be in the presence of great thinkers, movers, shakers, doers, actual gurus/experts...

I'm just a security professional with a desire to share my experience and perspective on timely and important issues in this field. Ideally this blog will generate some great discussions and who knows, some positive changes to our profession's contributions to the risk management field.

Simple enough, right?

I will strive valiantly to avoid unnecessary roughness, over-the-top cynicism and of course, shameless self-promotion.

Actually, I will self-promote, occasionally. I assure you, however, such promotions will be tinged with shame, so no shameless self-promotion after all.
Looking forward to contributing to the security community online and meeting with great people through this new blog.

Gal Shpantzer