Hack The Planet

Because if you don't, who will?

Sunday, November 9, 2008

Teaching the next generation

I was invited to be a guest at the University of Colorado to teach a networking class about Network Security. It was interesting to see how diverse the class was. You had the different groups you expect to find in a normal college classroom: the people there to learn, the people who think they already know everything you are talking about, and the people who are just trying to get a credit. There was also someone’s wife who was just hanging out with her husband.

There is a lot to cover under the umbrella of Network Security so I had to slim down what I went over. I went over vulnerability assessment, intrusion detection, social engineering, network access control, 802.1x and then gave some war stories.

I think that the next time I teach a class I will just build out one large scenario and then go over the security you would need to protect each section. I think it would be easier for the students to see how it all comes together to form a secure network environment.

posted by holliday at 8:06 pm  

Tuesday, November 4, 2008

HOPE

I am not going to discuss politics in this forum but this is the first time in my life time that I have had hope for our nation.

posted by holliday at 10:17 pm  

Tuesday, November 4, 2008

When all else fails

The failing economy has obviously affected every market to a certain extent. The security market (which is the one I am in, so it is the one I care most about) has been hit pretty hard. I did not believe that people could do without security, but I was wrong. This comes down to a lack of legislation forcing people to take responsibility for data breaches.

An interesting article over at Network World is a letter to the next President asking him to take a stand. The author makes a great statement about how there will be no change until there are real negative consequences for not being secure. CTOs and CISOs will continue to do the bare minimum until there is a reason for them to change their ways.

posted by holliday at 1:52 pm  

Tuesday, October 28, 2008

How do you define ROI?

Everywhere I look I see links talking about ROI and “let our tool show you how we can get you more ROI.” Well, what is ROI? I get that ROI stands for Return on Investment and that it is supposed to measure how much money a product will make you or save you compared to what you paid for it. Well, that is great when the ROI tool is designed by the person trying to sell you the product. I have some swamp land in Florida at discount prices if you are interested.

Seriously though, how can you show true ROI on a security product when the reason to purchase it is to limit your risk of losing money, whether through losing critical data, being DOS’d, or having your competitors get the secret formula for that super secret project you are working on? You are purchasing the product to alleviate risk, some of which is unknown. It is very difficult to show true ROI because it is an unknown quantity. How much will you be fined for losing those 1,000,000 customer accounts? How much is your next product worth if you get it out before the competitors do? It is easier to build a case if you know what you are protecting and why.

When the reason to buy security is specifically ROI, you are buying it for the wrong reason. Yes, you do want to show that your purchase saved you countless headaches and hours or days of work when you are trying to recover from an incident.

It just seems like people want to “buy” security but don’t care if they are actually securing their networks and endpoints or have secure practices in place.

When you start looking to secure your network don’t settle for some fancy ROI chart. Look at how it will affect your infrastructure and make sure that it actually works. If you don’t, then I still have that swampland for sale at a low, low price.

posted by holliday at 12:12 pm  

Tuesday, October 14, 2008

Hacking has changed…duh?

I was just reading an article that was talking about Mafiaboy and what he is doing now, 8 years after knocking Yahoo offline. It struck me that “hackers” have changed from tinkerers to mafia types.

Once upon a time, Timmy, hackers were people that just wanted to see what would happen if they touched that button or changed this byte. Now they are going around mugging tourists and they don’t care how they do it. There is so little curiosity left in the next generation of hackers that when the previous generation dies off from vitamin D deficiency all the tools will be lost also. Or at least new iterations of them.

All of the new attacks and new vulnerabilities seem to be coming from the previous generation. How do you teach innovation? How do you teach curiosity? I don’t think you can.

posted by holliday at 1:33 pm  

Wednesday, August 27, 2008

iPhone is UrPhone

So one of the guys over at gizmodo created a video to show you how to get past the security password on the iPhone. As cool as Apple is the one thing they are definitely not is a security aware company.

posted by holliday at 10:10 am  

Tuesday, August 26, 2008

Education isn’t just about teaching, you have to be able to learn and want to learn

To add on to my previous (or a previous) post, I think one of the big things stopping people from moving to a more secure OS or infrastructure is the desire to not learn. It is really easy to sit back in our ignorance and blame outside sources for our security faults. What would the insurance company say if your house was robbed and they found out you left the doors and windows open all the time, even when you weren’t there? Your answer better not be “Well, I didn’t know better.” They may not reimburse much if it is.

In our technology filled world it is no different. Being ignorant is no longer acceptable. If people are unwilling to take the time to learn how to “lock their doors” then they are going to have to come to grips with getting hacked. I don’t mean that the hacker is not to blame, but if you leave the sandwich on the counter, there is a good chance the dog will eat it.

posted by holliday at 3:05 pm  

Sunday, August 24, 2008

Security for the rest of us

I recently gave my parents a new computer and when I was installing it I couldn’t help but feel dread knowing that it was Windows. I have tried to move them over to Linux for the last few years but I have been unable to get them to switch. I think part of it has to do with their work computers being on Windows also. How do you show the value of change?

When I first tried to get them to switch it was because they had infected their computer beyond recovery. I installed Ubuntu as it is the most friendly Linux OS I have found. They gave up on it before they even logged in because it wasn’t Windows. Now they have Windows again and I can only imagine how long it will be before I have to rebuild the PC again.

There needs to be an easier way to get regular people to use a more secure OS.

posted by holliday at 7:35 pm  

Wednesday, August 20, 2008

Defcon 16

I should have published this right after I got back from Defcon when it was all fresh in my mind. Sadly, as things go, I forgot to, and now most of my memories of it have a shadow around them.

BlackHat this year was pretty good, with some good talks. There are some very good presenters and there are some not so good ones. The information can be good, but if you don’t know how to present it then a lot gets lost in translation. Not lost in dialect, but in the gap between what you mean and what the listener hears. Two of the better speakers at the show were Jeremiah Grossman and Dan Kaminsky, who both know how to engage an audience.

Defcon was a bit more of the same old, but I enjoyed the capture the flag as always. I don’t know why it interests me so much, but it does. The parties were great also. The Freakshow went awesome. I think it was all about the contortionist though. She seemed to have a pretty captive audience for most of the night.

The big thing I took away from this year was that you should spend your time looking into the easy solutions before you hammer away at the more difficult ones. So often we get caught up in the thing that looks coolest but is more likely to fail, rather than trying to just walk in the front door. Low tech hacks are usually faster than a more complex (or even cooler) hack.

posted by holliday at 1:36 pm  

Monday, August 18, 2008

Is a DOS attack Cyberwar?

With the recent conflict between Russia and Georgia (not the US state, although that would make things very, very interesting if it was) there is a lot of debate on what cyber war is. There is an article today on CNN.com that discusses potential cyberattacks on US infrastructure. There was another article somewhere, I forget where now, that talked about hackers as terrorists and DOS attacks as cyberwarfare. What constitutes a cyberattack? I mean, I know what should, but what do government officials think cyberwarfare is? Defacing a website? Maybe throwing a few packets someone’s way? If we are so worried about hackers knocking out our power, then why is the grid still open to those types of attacks? It seems like we as a country talk a lot about all of the ways we can be attacked and then we put in false security measures to make the masses feel safer. Airport security, anyone?

posted by holliday at 1:27 pm  