Shpantzer on Security (SOS)

Personnel Security: A Musical Journey, guided by Warren Zevon

2012-01-06T06:33:00.001-05:00

(previously published elsewhere, now back home)

Warren Zevon: An Infosec Musical Journey

One analogy I learned early in my career is that Information security is a three-legged stool, consisting of Computer Security, Physical Security and Personnel Security. Compromise one of these legs and the stool falls over.

In some cases involving access to highly sensitive information, personnel security involves plumbing the depths of people's personal histories, up to and including very intrusive interviews and polygraphs. This part of information security is something that most practitioners and managers don't have to deal with, other than interfacing with HR or the personnel security office during the hiring process.

Where is the nexus between personal conduct and being trustworthy to protect sensitive information? That depends, amongst other factors, on the level of sensitivity of the information and the type of organization granting access to the information.

Let's take a musical journey through personnel security and rediscover an old classic, Lawyers, Guns and Money, by Warren Zevon.

According to Zevon, he wrote the lyrics to Lawyers, Guns and Money on wet cocktail napkins, while on vacation in Kauai, "after a long day of improbable and grotesque mischief."

http://www.youtube.com/watch?v=S5puAN1PGQw (mostly safe for work, has one four letter word that starts with S).

Let's analyze what we can learn from Zevon's lyrics as practitioners of information security, assuming that the subject of the song has sensitive information in his head and is being targeted for exploitation:

I went home with the waitress, the way I always do
How was I to know she was with the Russians too?

This is a classic honeypot situation, where an adversary uses an attractive person to get the target into a compromising position, in quite the literal sense, after which the target may be coerced to betray his country or captured for interrogation, or just killed.

Honeypots are fixtures of spy movie plots, from the James Bond franchise to Munich to The Good Shepherd.

One real life case of 'she was with the Russians' is that of Clayton Lonetree, who was in a sensitive US embassy security position in Moscow... http://www.hanford.gov/c.cfm/oci/ci_spy.cfm?dossier=72

A more recent example, more on point to information security, is the case of the missing Blackberry belonging to the aide to the British Prime Minister during a visit to China.
http://council.smallwarsjournal.com/archive/index.php/t-5775.html

More lyrics:

I was gambling in Havana
I took a little risk
Send lawyers, guns and money
Dad, get me outta this

This is another classic weakness that can result in becoming a more exploitable target, since gambling can become an addiction and result in grave financial hardship. Eventually someone with bad intentions may notice the weakness and may attempt to recruit the subject by using coercion or quid pro quo services demanded by people seeking cooperation from the target. "We give you money to take care of the gambling debts, the loan sharks won't break your bones and hey, no big deal, it's just some information, not like it's gonna hurt anybody..."

Next, we hear Zevon's character denying responsibility for his situation, declaring himself a victim of circumstance and bad luck:

I'm the innocent bystander
and somehow I got stuck
between a rock and a hard place
and I'm down on my luck

This denial of responsibility displays a lack of maturity and ability to recognize and correct personal flaws, which we all have to some degree. This is perhaps the worst offense committed by the subject of the song.

The US State Department website has a listing of the elements of the Whole Person concept that may be relevant to the adjudication of a background investigation for a security clearance. (Note that different parts of the US Government have different security-related priorities and bureacratic mechanisms, so there is not one place for a federal clearance).

http://www.state.gov/m/ds/clearances/60321.htm

If you read through the webpage, you'll find that Zevon's lyrics included behavior that would fall under several areas of concern in the Adjudicative Guidelines for Determining Eligibility to Classified Information:

Guideline D on Sexual Behavior, referring to "sexual behavior that causes an individual to be vulnerable to coercion, exploitation, or duress" as one of the specific concerns in the guideline.

Guideline F on Financial Considerations (explicitly mentioning compulsive gambling), and

Guideline E on Personal Conduct, which includes lack of full and open cooperation with investigators who are charged with determining if the subject of the investigation is trustworthy enough to obtain and keep a clearance. Specifically, "Refusal to provide full, frank and truthful answers to lawful questions of investigators, security officials, or other official representatives in connection with a personnel security or trustworthiness determination."

One good site for more specific examples of personnel security decisions is the Defense Office of Hearings and Appeals (DOHA), you can read about actual situations where people were denied clearances or lost them and appealed their cases to DOHA. These cases illustrate the balancing act involved in deciding whether to grant or deny a clearance and the legal underpinnings of the clearance adjudication process.

Many years of actual cases, including the latest ones from December 2011:
http://www.dod.gov/dodgc/doha/industrial/2011.html

The Adjudicative Desk Reference may be used as a guide by administrative judges and others in determining the outcome of personnel security matters. http://www.dhra.mil/perserec/products.html#ADR The reference was created by the Defense Department's Personnel Security Research Center (PERSEREC) as a tool to assist in making difficult decisions regarding suitability for cleared work.

Other products from PERSEREC may be of interest to those involved in HR, Insider Threat and Workplace Violence and other areas of research: Use with caution, this is not an exact science... The first link includes a pointer to a 2011 "Ethnographic Analysis of Second Life." http://www.dhra.mil/perserec/reports.html and http://www.dhra.mil/perserec/products.html

The Cons They Are a Changin'

2011-07-21T04:27:00.007-04:00

I took some time off of #TSASongs to bring you this tribute to BSides security conferences.

http://www.securitybsides.com/

Please sing along with me, to the tune of Bob Dylan's The Times They Are a Changin'

A Parody with a message...

Come gather round Tweeple wherever you roam
and admit that the BSides around you have grown
and accept it that soon you'll need skillz that are honed
if your time to you is worth savin
then you better start learnin or you’ll sink like a stone

for the times they are a changin

come PR flacks and keynotes who dominate with your spend
and keep your eyes wide the chance won’t come again
and don’t hype too soon for the FUD’s still in spin
there’s no tellin who that its shamin'
for the loser now will be later to win

for the times they are a changin

come vendors and pitchmen, please heed the call
don’t sell in the doorway don’t flog up the hall
for he that gets hurt will be he who cold called
the battle outside ragin
will soon shake your Windows, bypass your firewalls

for the times they are a changin

come conference planners throughout the land
and don’t criticize what you can’t understand
our cons and our parties are beyond your command
your old road is rapidly aging
please get outta the new one if you can’t lend your hand

for the times they are a changin

the line it is drawn, the curse it is cast
the expensive cons now will lose people fast
as the closed cons now will later be past
the order is rapidly fadin
but the BSides con is a guaranteed blast

for the times they are a changin

---------------------------------------------------------------

Dedicated to the BSides crew and volunteers.

All my (g)love,

@Shpantzer

Send In The Clowns (RIAA's Embarrassing Pursuits)

2009-09-29T01:46:00.007-04:00

Have you ever sat yourself down and wondered: Hey, just how lame is RIAA's ability to do technical detection of 'copyright infringement' or whatever it is they're calling it these days?

Well, it turns out there is good evidence that the lameness goes even deeper than the already low expectations we have become accustomed to from this group.

It's not like RIAA's lameness is any news, really... Some of the most sober and respected leaders of the information security community have called RIAA out for their wayward ways. No less than Dr. Eugene Schultz, not known for being overly hyperbolic in his word choice, spoke of the RIAA:

"Clearly, clowns rule the circus when it comes to at least some of the RIAA’s witch hunts."
http://blog.emagined.com/2008/07/08/the-entertainment-industry-and-copyright-violation-crackdowns-how-much-is-too-much/

How can I top that kind of piledriver-by-blog? I'm nowhere near as smart nor eloquent as Dr. Schultz.

So why do I add to this criticism of RIAA, after all these years of silence?

Because, dear readers, the technical evidence is really starting to get to me (I know it's almost 2010... ok, ok...)

Previously, I posted about ridiculous RIAA letters coming to University of Washington researchers (http://dmca.cs.washington.edu)

The last straw came recently, when I sat through a lecture at a Dartmouth infosec conference and had to keep picking my jaw up off the floor, time after time, as a computer science professor and law professor described in detail how they toiled to save a poor soul from the cold, unrelenting wrath of RIAA's legal attack dogs.

The poor soul in question had no computer in her home at the time of the alleged infringement...

Here it is, the evidence (as if we needed more of it), just so you too can say "Now I know" the answer to the question above (the one about the depths of RIAA's lameness):

Summary of victory against RIAA by Professor Embree from Franklin Pierce Law School:
http://www.piercelaw.edu/news/posts/2009-06-18-victory-in-downloading-case.php

The letter from Ms. Mavis Roy, the would-be-victim of RIAA's ridiculous behavior, thanking the staff of the law clinic run by Professor Embree:
http://www.piercelaw.edu/assets/pdf/release-mavis-letter.pdf

The expert report by Professor Bratus (techies, get a snack and a comfy chair, this is good stuff):
http://www.piercelaw.edu/assets/pdf/release-mavis-case-expert-report.pdf

Bio of the heroic Professor Embree http://www.piercelaw.edu/ashlynlembree/index.php

And so, in the tradition of legislating from the blog bench (yes I can do that)...

Previously, I brought you Shpantzer's Law of Endpoint Security (http://shpantzer.blogspot.com/2009/04/shpantzers-law-of-endpoint-security.html)

Today, I bring you Shpantzer's Law of RIAA Law(suits):

I propose that from now on, anytime you post anything about RIAA going after obviously innocent people, then you must type/sing/hum a legally correct snippet of Send In The Clowns. Maybe just a bar or two, check with your favorite entertainment lawyer.

It'll be like our little inside joke. Only you and the eight people who read this blog will know! It's like being a part of an elite secret society, just without the hazing!

My personal favorite is Grace Jones' disco version, cuz hey, go cheesy or go home! Streisand, Judy Dench, Mel Torme, Frank Sinatra, or any such personality will do in a pinch. It's all there on the intertubes to enjoy.

For now.

Send In The Clowns...

Or SEND IN ZEE CLOWNS! (Frau Farbissina from Austin Powers style)

PS MediaSentry, whose technical failures are described in the technical report, is not doing RIAA's dirty work any longer, last time I checked.

PPS For a list of many people who performed and recorded this song:
http://en.wikipedia.org/wiki/Send_in_the_Clowns

(Krusty The Klown, shoulda known)

DRM Watch now CopyrightandTechnology Blog

2009-09-16T06:42:00.002-04:00

The DRMWatch website is now (for some time) http://copyrightandtechnology.com/

Bill Rosenblatt compiles stories and commentary about Copyright, Digital Rights Management, Watermarking and other copyright-related technology and the strategic moves made by tech companies, copyright holders and enforces, congresscritters, ISPs and other players in the crazy copyright scene.

Word of the Day: Life Password

2009-06-01T12:23:00.002-04:00

Help your friends and family avoid using a Life Password...

Life Password
May 19, 2009 Urban Word of the Day from UrbanDictionary.com

The password that you use for every website, email account, facebook, twitter, everything. Having a 'life password' is not a good idea, but everyone does it.

My friend found out my life password and wrecked my facebook account, stole all my paypal money and emailed offensive images to my mother.

Professionalism in the Security Community, Part Deux (Clever Talkers)

2009-04-17T13:37:00.012-04:00

In this post, I will try to be clever and use the word 'clever' and its variations as much as reasonably possible. It might make me seem clever, or just obviously annoyed at the would-be clever cynics, you decide... As I've posted before, in the first installment of Professionalism, there are people (Marcus Ranum being one) who are both clever AND have a framework in which they discuss and enumerate specific arguments, definitions, etc.

This post is aimed not at them, as I don't have an issue with being clever, in fact I love to laugh and humor gets me through the day. I just have an issue with being clever as a complete substitute for real thinking. I mention no names and link to no specific articles, to avoid flame wars and to protect the guilty. :-) Here goes...

Rant Mode ON:

Dear Readers, Cyberwarriors, Those-Who-Follow-The-Cyberwar-on-"What-Is-Cyberwar," and of course Those-Who-Just-Like-Clever-Articles-About-Cyberwar:

There is a lot of discussion about cyberwar these days, which is probably a good thing, because we STILL need to figure out exactly what it is and isn't. Perhaps parallel to that effort (sigh...) we might be able to formulate a (reasonably) realistic strategy that will mitigate the effects of cyberwar on our side, allow our cyberwar practitioners to exploit the other side's networked weaknesses (war is about sides at some point, sorry) and be nimble enough to change with the speed of the network.

Cyberwar discussions are difficult for many reasons. One of them is the notion that we must not only prosecute said cyberwar properly on the strategic and tactical levels, to achieve certain results and avoid others, we must also strictly adhere, of course, to the laws of war (which ones again?) and we must be highly pundit-and-lawyer aware.

According to some, the tools and rules of cyberwar must be approved by multiple and conflicting interests, including, but not limited to: The Red Cross, John Yoo, the ACLU, Karl Rove, Katrina vanden Heuvel, EFF, current DoJ lawyers, EPIC, former DoJ lawyers (did I mention Yoo yet?), Pat Buchanan, Arianna Huffington, Ms. XXXXXXXXXXXXXX, General Jack D. Ripper, the ghost of General Curtis LeMay (via the Ouija board) and of course, the highly esteemed and indefatigable cyberwarrior, Dr. XXXXXXXXXXXXXXXXX.

See, I wasn't being TOO clever in that last paragraph, was I? OK, maybe too clever, but perhaps, and sadly so, not clever enough to qualify for the bevy of (cleverly) sarcastic and cynical articles about the supposed exploitation of the cyberwar issue by the various powers that be (are these powers 'the gummint' or 'the mainstream media' or are they think-tank thinker types?)

Apparently, some people think it's good enough to just be clever (or better yet, cynically clever), about the "cynical exploitation" alleged in their articles. These cynical mentions of cynical exploitation of cyberwar as a topic are sometimes explicit and sometimes more implicit (which is always more clever than actually being explicit).

For some people, being clever seems to be the main thing to strive for. Interestingly, some of these same people are the ones who deride FUD in the vendor space and yet fail to see the irony of their wayward ways. Are they falling into that trap of logical fallacy, you know the one that makes people think that making fun of someone or something (or both) is in and of itself the argument, or boosts the argument? Sorry folks, you can't just be clever and create an argument that's that implicit, not well articulated, or at times not even mentioned at all, strictly by means of making fun of people and concepts.

Argue by argument, not just cleverness. Derision is not discussion.

Are we trying to audition for the Daily Show correspondent position or are we talking about strategic warfare in cyberspace? Oh, both, I see...

Allow me to throw this thought-grenade onto the tinderbox of the cyberwar ABOUT cyberwar:

Being clever is great, and perhaps necessary, when discussing such amorphous topics. It is not helpful, however, to stop at being clever, to fail to continue with what you actually think cyberwar is, what it is not, and what you think is a good way to advance the discussion.

I will cleverly, but not cynically, stop now, having pointed out the clever fact that being clever about cyberwar is necessary but not sufficient to advance the discussion about cyberwar.

It is just the beginning. It might even be good to end with being clever. It is not, however, the end and should not even be the sole means to that end.

Read that as a promise that I'll discuss it further, and not rest on my clever laurels.

Rant Mode Off. Clever hammer back in toolbox. For now.

Shpantzer's Law of Endpoint Security (Grand Belated Unveiling!)

2009-04-07T06:31:00.011-04:00

Just going through some old emails this morning and I found this little unpublished gem. Revealed to the public for the first time, right here, right now (drumroll please...)

------------------------------------------------------------------------------------------
Title: Shpantzer's Law of Endpoint Security

Body: "The security of your endpoint (hence your network) is inversely proportional to the square of the number of applications installed on the endpoint."

------------------------------------------------------------------------------------------

This was from April 28, 2007. Hey, that's two years ago! Why didn't I publish this? I guess I'm just kinda shy that way sometimes...

Basically the issue emphasized here (did I mention this was two years ago, all the way back in April of 2007?) is that application security matters, on the client side too, and not just the OS.

Browsers, PDF readers, media players, apps for presentation, email, spreadsheets, you name it. They're all individually dangerous and can add vulnerabilities really quickly when combined. I surmised that the relationship between the number of apps and security is most likely nonlinear. Inverse square sounded good at the time!

I wonder what other buried treasure is in those old emails...

Gal

Correlation is not Causation

2009-04-05T13:40:00.004-04:00

Clever post by TheAtlantic.com blogger Megan McArdle:

"I'm forced to conclude that (the import of) Mexican lemons have improved highway safety a great deal. The vitamin C, maybe? The fragrance? Bioflavanoids?"

Read the short article, featuring a great graph, with near perfect correlation of increasing lemon imports and a reduction in US highway fatalities

A great reminder to ask the right questions about some of those problematic security surveys and studies that are being churned out at high rates with low integrity.

"What's the mechanism?" is one good question to ask.

http://meganmcardle.theatlantic.com/archives/2009/04/department_of_awful_statistics_6.php

PS I'm not partisan when it comes to information security, so McArdle's political spin is her own.

Professionalism in the Security Community

2009-03-11T14:05:00.004-04:00

Marcus Ranum recently started discussing CyberWar and its basis in reality (or lack thereof). He first presented the Cyberwar is BS talk at HackInTheBox in Singapore and more recently at DojoSec in Columbia, MD.

The talk was naturally controversial because, hey, that's Ranum's style and it's also the subject matter itself. Some people have resorted to delighting in Ranum's alleged '0wn@ge' since his talk supposedly got some nasty feedback, including some people calling him an idiot or saying that he doesn't know what he's talking about, etc. (more on that later...)

I welcome a sober discussion on cyberwar (what it is, why it's real or not, etc) and while I don't agree with everything he said at DojoSec, http://www.vimeo.com/3519680 , I would never call Marcus Ranum an idiot. Why not?

A few reasons just off the top of my head:

1. He is clearly not "an idiot." He's been around the infosec block for a long time, on both the technical and business side and he has the experience and technical skills to match any young ankle-biter I know who wants to take Ranum down a notch by calling him names.

2. Even if I thought he was wrong about some, most or even ALL of his points, he'd still not be "an idiot," he'd just be wrong. It would be my responsibility to say why I thought so, privately and/or publicly, but in a respectful manner.

3. He owns a very accurate rifle and knows how to use it...http://ranum.com/fun/bsu/diy-dealy/index.html

But seriously... Let's stop calling each other names and trying to take people down in order to make ourselves look good... and let's get back to contributing CONSTRUCTIVELY to the community.

A community where, I might add, Marcus Ranum is a longstanding, honorable member and leader. There are plenty of people who disagree with some of the content in the "Cyberwar is BS" talk, but there are those in our community who can disagree with someone and still display professionalism and respect.

Like, say, Richard Bejtlich, who blogs at TaoSecurity and himself is fully qualified to discuss cyberwar and its implications: http://taosecurity.blogspot.com/2008/11/response-to-marcus-ranum-hitb-cyberwar.html

Guess what? I too disagree with some of Ranum's points in the "Cyberwar is BS" talk and I found myself occasionally squirming in my seat at DojoSec during his talk. I emailed him to tell him so instead of calling him names, telling him that I'd try to formulate a cogent argument for modifying some of these points (coming soon). Ranum will take good points and revise his thinking and presentation if it makes sense to him.

With that said, I couldn't agree more with what Ranum asked of his audience at DojoSec on March 5th:

"I am totally OK with people who say I don't know what I'm talking about, but what really makes me happy is if you tell me WHY I don't know what I'm talking about.

You can sit there until you're purple in the face and say 'ah he's an idiot' but if you tell me WHY I'm an idiot, you've got my undivided attention. So if you wanna argue with me about this, I am yours until hell freezes over, but don't just say I'm stupid, cuz I'll just say you're stupid back"

Please, people, don't fall into the the cynicism/namecalling trap: It's counterproductive, unprofessional and makes you look disrespectful to fellow security people and possibly others outside the community. It will never elevate your status long-term, even if you happen to be right about a certain part of an argument. Keep it cool and calm: We're expected to be graceful under fire, after all.

BTW, if you think I'm an idiot for saying this, re-read the above quotes and let me know WHY...

How terrorist groups end (RAND)

2009-02-23T17:39:00.004-05:00

This has some interesting implications to hacking groups, both financially and politically motivated. While sending a Hellfire-equipped Predator drone after hacktivists is typically regarded in polite society as "a bit much," the lessons learned here can be grafted to the online world with some modification.

The list is certainly not exhaustive in terms of case studies, but it is valuable for the framework of tracking a tango group from cradle-to-grave, with time and cause of death available.

http://www.rand.org/pubs/monographs/MG741-1/

911.gov project site at UMaryland

2009-02-23T14:34:00.003-05:00

http://www.cs.umd.edu/hcil/911gov/index.shtml

This is an interesting project that seeks to exploit the capabilities of the web to enable better communications between citizens and government during a crisis (ideally a two-way street...)

This is rife with possibilities and of course security challenges, well worth a look.

RAND on the prospect of a Domestic Intelligence Agency for the US

2009-02-23T13:52:00.005-05:00

RAND studies western European experience with domestic intelligence agencies and gives US policymakers some pointers.

http://www.rand.org/pubs/monographs/MG805/

(relevant to infosec since a lot of surveillance/prosecution these days is digital...)

Vulnerabilities in the Terrorist Attack Cycle (Stratfor)

2009-02-23T12:45:00.006-05:00

DHS, Infragard and other such organizations that work to mitigate infrastructure threats have constituents that seek their advice on where to spend scarce resources on preventing attacks.

Where are the best places for defenders to disrupt the attacks before it's too late?

Some thoughts here (still relevant from 2005):
http://www.stratfor.com/vulnerabilities_terrorist_attack_cycle

It's official, I'm a twit...

2009-02-23T11:40:00.002-05:00

As if you didn't know THAT.

But seriously, I'm on Twitter now... Sad but true.

Twitter.com/shpantzer

Rejoice?

On the discipline of good writing

2008-10-23T10:43:00.002-04:00

It's easy to be cheesy, when writing a long piece or just writing for a long period of time, the tendency to get lazy appears. Resist the temptation.

Gal

If you flatter and fawn upon your potential audience, I might add, you are patronizing them and insulting them. By the same token, if I write an article and I quote somebody and for space reasons put in an ellipsis like this (…), I swear on my children that I am not leaving out anything that, if quoted in full, would alter the original meaning or its significance. Those who violate this pact with readers or viewers are to be despised.

Christopher Hitchens, a controversial commentator and writer, in a scathing piece on yet another, even more controversial filmmaker.

History of Computer Security project

2008-08-02T16:41:00.000-04:00

Here are some of the classic papers in computer security from the 1970s and early 1980s.

http://seclab.cs.ucdavis.edu/projects/history/seminal.html

Is there much new under the sun or are we just repeating old mistakes we learned about 20-30 years ago?

Hmmm...

Gal

Great Research on P2P takedown notices

2008-07-08T15:16:00.003-04:00

http://dmca.cs.washington.edu/ is the site for the research into the credibility of some takedown notices for alleged copyright violations enabled by P2P such as BitTorrent.

The alarming, yet sadly unsurprising highlights, from the overview page:

Practically any Internet user can be framed for copyright infringement today.
By profiling copyright enforcement in the popular BitTorrent file sharing system, we were able to generate hundreds of real DMCA takedown notices for computers at the University of Washington that never downloaded nor shared any content whatsoever.
Further, we were able to remotely generate complaints for nonsense devices including several printers and a (non-NAT) wireless access point. Our results demonstrate several simple techniques that a malicious user could use to frame arbitrary network endpoints.

Personal safety, do we take it for granted?

2007-10-13T14:18:00.001-04:00

This post is a bit off-topic from the information-security focus. It does, however, belong because at the end of the day, we all want to be safe with our loved ones and know that the ones who we let into our lives will not hurt us, and information security as a field involves privacy and safety related issues like cyberstalking. Many of us in the information security field are also aware of physical security issues and understand that just as we can't take for granted the bad guys in cyberspace, we can't take for granted the bad guys in 'meatspace' either. So please read on and figure out for yourselves how information security professionals have so much to learn from and contribute to our colleagues in other safety and security related professions.

After recently meeting some people that work full-time advocating for abused women and children, I pulled out an old book from the mid 90's that deals with interpersonal violence, a topic I've studied both formally and informally for a many years.

Here's a quote that makes me think about the true meaning of relationships with family, friends and intimate partners, and how so many of us take for granted the personal safety we have grown up with or become accustomed to. It jarred me the first time I read it and still does today:

"I understand that I have escaped violence at home not because I am particularly strong or exceptional, but because I have been lucky... When I am half-asleep, my partner lifts his hand and gently caresses my hair. I cannot help but think about those women on whom a hand is descending, a hand that is not gentle." Claire Buchwald, Training for Safehouse

Some of us lead lives that allow us to drift off into the delusion that interpersonal violence is someone else's problem. Something that we'll never encounter personally, since we live in a 'safe' neighborhood, have great families and so on. This is a luxury that some of us have enjoyed and not given a second thought to, while some have struggled desperately to change their life's circumstances and escape abusive and violent people who 'love' them.

Their journey through this personal hell is eased by good people like Claire Buchwald who take the time, energy and personal risk to create a safe place for those whose homes have become a place so intolerable that they have to run for their lives, often leaving no trace and taking nothing with them of their personal possessions, in order to effect their escape.

Before I transitioned into information security full time, I had been in and out of the physical security and emergency medicine field, having done some things that would be considered scary or intense by some people. Still, I know that I don't have it in me to work up-close and personal with abused women and children. It would just be too much for me. I so admire and respect those who work in this field.

Perhaps information security practitioners can reach out to the .orgs in this niche and help make sure that the stalkers and abusers have a harder time tracking their victimes. This is hardly a new concept in pro bono IT work, just a thought for my own contributions. The other week I spent a couple hours at such a non-profit and know that my IT skills made a difference. I will be back. Basic IT skills, not to mention high-level security kung-fu are something that most .orgs can't afford to pay for. The opportunity cost for a .org paying street-value for IT/Security work on their network is very high, considering it could mean reduced levels of service for their clients.

So this post goes out to all of those people who volunteer their time or give up lucrative jobs in corporate law or other high-paying work, to dedicate themselves to the non-profit orgs that serve this need in our society. If you know someone like this, make sure to tell them how much you appreciate their work and sacrifice.

Stay safe out there,

Gal

From SANS NewsBites Oct. 9, 07 re: Patching

2007-10-11T19:30:00.000-04:00

Ed Skoudis, John Pescatore and Dr. Johannes Ullrich comment on patching beyond the typical Microsoft Patch Tuesday. Please remember to patch all applications on your endpoints, the OS is just one piece of the puzzle. Browsers, office productivity apps, media players and other applications all have multiple critical vulnerabilities that we must address to properly mitigate risk. Even security products (GASP!) have flaws, so don't let your anti-virus, personal firewalls, backup software and other such apps be the weak link.

Gal

http://www.sans.org/newsletters/newsbites/newsbites.php?vol=9&issue=80&portal=62bb46baa92ba4e4b77924d8b54602ea#sID306

Adobe Publishes Workaround for PDF Flaw (October 5 & 8, 2007)
Adobe has acknowledged a flaw in its products that could allow an attacker to use maliciously crafted PDF files to take control of vulnerable computers. The problem affects Adobe Reader version 8.2 and earlier; Adobe Acrobat Standard, Professional and Elements 8.1 and earlier; and Adobe Acrobat 3D on systems running Microsoft Windows XP and Internet Explorer 7 (IE 7). Adobe is reportedly developing a fix for the problem in Adobe Reader and Acrobat versions 8.1 and earlier and plans to make it available by the end of October. -http://www.informationweek.com/shared/printableArticle.jhtml?articleID=202400027-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9041338&source=rss_topic17-http://www.adobe.com/support/security/advisories/apsa07-04.html
[Editor's Note (Skoudis): With this significant flaw, as well as the JRE flaws described elsewhere in this NewsBites, it is very clear that we need to be serious about patching third-party applications on our Windows machines. Whenever we perform a penetration test, we almost always get in via unpatched third-party software. Please, make sure you have a solid process and technical support for testing and deploying patches to non-Microsoft software on Windows machines such as PDF readers, Java Runtime Environments, iTunes, Quicktime, Flash Player, Real Player, Firefox, and others. Leverage tools such as Microsoft's SMS or third-party patch management systems. ]

Sun Patches JRE Flaws (October 3 & 5, 2007)
Sun Microsystems has released patches for 11 critical vulnerabilities in its Java Runtime Environment (JRE). The flaws affect JRE versions 1.3.1, 1.4.2, 5.0 and 6.0 on Windows, Linux and Solaris systems. The flaws could be exploited to circumvent security measures, read and manipulate data, and compromise computers. -http://www.theregister.co.uk/2007/10/05/sun_patches_java/print.html-http://www.pcworld.com/article/id,138087-c,softwarebugs/article.html-http://blogs.zdnet.com/security/?p=562-http://secunia.com/advisories/27009/-http://blogs.sun.com/security/
[Editor's Note (Pescatore): The Adobe and Sun items point out that patching is not just something that has to be done after Microsoft's Vulnerability Tuesday each month. There have been many reports of active exploits against flaws in Solaris in recent months.
(Ullrich): We all know how much fun it is to patch Java. If you don't need it, remove it. If you do need it, make sure you have a good inventory of installed versions and a fool-proof method of keeping them patched. ]

First post

2007-10-10T17:36:00.000-04:00

Welcome to Shpantzer on Security!

First things first: I'm not a guru/expert/know-it-all... I've just been privileged to be in the presence of great thinkers, movers, shakers, doers, actual gurus/experts...

I'm just a security professional with a desire to share my experience and perspective on timely and important issues in this field. Ideally this blog will generate some great discussions and who knows, some positive changes to our profession's contributions to the risk management field.

Simple enough, right?

I will strive valiantly to avoid unnecesary roughness, over-the-top cynicism and of course, shameless self-promotion.

Actually, I will self-promote, occasionally. I assure you, however, such promotions will be tinged with shame, so no shameless self-promotion after all.

:-)

Looking forward to contributing to the security community online and meeting with great people through this new blog.

Gal Shpantzer