Not to be used as a sedative
Loosely Typed in Ohio

General, Networking/Systems, Security The New York State Cyber Security Conference, Day 2

Posted by Chris Green on June 8th, 2009

My second day of the New York State Cyber Security Conference was equally as engaging as the first - dare I say thrilling at times. Before I share some of the meat, I’d like to again compliment the conference staff on an excellent program. What an absolute gem and a bargain ($50 public, $150, private). If you’re into information security I highly recommend a visit, June 9-10 2010 have already been set aside. You’ll see me there.

Our keynote to start the day was delivered by Raphael Perl, Head of the Action Against Terrorism Unit, Organization for Security and Co-operation in Europe (what’s with these titles? sheesh) who discussed global cybersecurity challenges for practitioners as well as the emerging threats and tactics of terrorism in cyberspace.

One of the items I thought most interesting was the explanation of overall approach on a political and military level. From a political perspective, it’s becoming understood and accepted that security is a global challenge requiring international information sharing. But the military is resisting, instead preferring to stay separate and secretive. As I pointed out on day 1, Philip Reitinger and others plainly state the biggest issue we face is hackers and other baddies becoming much more organized and globally sharing information at a rate the good guys can’t match. It would seem to me the military approach is destined for failure, and Raphael Perl made it clear he believes the same. Here’s a few other interesting points or facts from the discussion:

  • Last June, 1 billion PC’s were in use worldwide. By 2012 this will double to 2 billion.
  • 200 billion email messages are sent every day, Cisco estimates 90% of them are SPAM.
  • There are currently 3-5000 active websites run by terrorists or are terrorist affiliated.
  • In a non-scientific poll of sales at a major computer store, 10% of home users bought antivirus software with a new PC purchase. Business users bought it 90% of the time.

He devoted a lot of time to discussing the potential threat to cyberspace by terrorists. He believes terrorists are actively planning to disrupt the Internet, and will launch an attack in conjunction with a real attack or a major national disaster. The goal is interrupting services right when many need it most. He believes the information sharing and readily-available tools by hackers will help facilitate these attacks, as any cyberattack can be easily copied by terrorists. However, it was also made clear that not all experts agree with his opinion. Overall I found the discussion very intriguing and certainly worthy of deep future interest.

Day 2 tracks were Five Common Mistakes in Securing Web Applications, Are you Googling Your Privacy Away?, Are You Prepared for Data Loss, and PII (personally identifiable information): Taming the Beast (AKA how to discover and secure PII). Just like yesterday, they were all engaging and very well presented. The Google talk was particularly thrilling - yea I said thrilling. It’s incredible how much private information we give away to Google in exchange for their services. If you know me, you know I’m not afraid of talking about how much Google scares me. When it’s all laid out for you in a short presentation it’s even more resonating.

  • Google is better than everyone else at screwing you and your privacy.
  • Their cookies auto-renew every time you use any service.
  • They’ve essentially built the best surveillance system ever created. You are a GUID (Google User ID), everything you do with them maps to this GUID, and it will follow you until you die. They aim to have a GUID for every person in the world.
  • You readily give Google (and other social networking sites) vastly more information than the police can ask you.
  • GMAIL really is email for life. According to the ECPA your data is only protected for 180 days, on day 181 Google can give it to law enforcement without a warrant, barely with a formal request. Our DOJ is working on depreciating the 180 day rule.
  • Google has only indexed 20% of the internet.
  • If you use Google Desktop with remote access, everything you have indexed is stored in the Googlesphere. You’re violating HIPAA, PCI, SOX, and most other compliance specifications (oops!).
  • When using Chrome, Google knows every keystroke you type into the browser. Even fields you backspace/delete.
  • They don’t have to ever delete anything you tell/ask them to. Google’s file system is designed not to delete.
  • Does your phone run Andriod? They know everyone you talk to, where you are, where you’ve been.
  • Goog411 is a slick, free 411 service, right? Actually, you’re training their voice recognition software.
  • Google probably knows much more about you than any government agency.
  • Remember that HIPAA, PCI, and SOX violation stuff? Hope you’re not using GMAIL since it’s stored (and indexed) in the Googlesphere.
  • Google probably knows much more about you than any government agency.
  • Yes, they can filter via your GUID and/or IP address and find all of your search terms.

I could go on, and the presentation was less than an hour. It’s freaking scary. Here’s the rest of my juicy tidbits from the day:

  • 60% of top 100 websites had hosted or or were involved in malicious activity in 2008.
  • Of all 2008 vulnerabilities, 58% were from web applications.
  • From the 2008 total, 73% of those classed “easily exploitable” were web applications.
  • Dear developers: Most hackers don’t use browsers to exploit web applications, client-side anything is fail.
  • 80% of internet traffic crosses a Verizon network.
  • In the vast majority of cases when a breach occurred due to a known software vulnerability, the patch was released for over a year.
  • Top three types of malware are keyloggers, back doors, and capture-and-store programs.
  • The majority of these are plain, un-customized and easily detectable by most antivirus programs.
  • 49% of breaches go undiscovered for months.
  • VerizonBusiness’ assessment of breach events over three years revealed 82% of organizations captured the attack(s) in logs, but the logs were either too complex or they lacked the tools to filter the data into a useful view.
  • In this period, 69% of breaches were detected by a third party. 24% were detected internally passively (stumbling on), and 7% were detected actively.
  • Over 260 million SSN’s have been leaked since 2005.
  • There are a few open source tools for scanning/identifying PII.
  • According to solution methodology, 89% of breaches could have been solved by data-at-rest protection (identification and removal or encryption, etc.)

I have 21 pages of notes and a large list of ideas/tasks taken over those two days. So let me say again what a fantastic event this conference was.

Chris

permalink | no responses | share this

Culture, Networking/Systems, Security Greetings from the New York State Cyber Security Conference, Day 1

Posted by Chris Green on June 3rd, 2009

On the road again for the sake of security. This trip brings me to Albany for the New York State Cyber Security Conference. This two day conference is geared primarily toward the public sector, but welcoming private industry and packed full of great topics from both public and private organizations.

The morning began with welcoming remarks and an animated hacking demonstration themed around X-Men, which consisted of using a Linux distro to disable an NT password, Internet-mining to find information about an individual, and WireShark to sniff packets. Wasn’t exactly technically deep, but certainly not boring powerpoint stuff and if anything was pretty entertaining (Indian guy in a Wolverine wig, nice).

The keynote was delivered by Philip Reitinger, National Protection and Programs Directorate for the U.S. Department of Homeland Security (what a mouthful). Without powerpoint (bonus!), he discussed quite a bit on the 60-day Review(pdf) and where DHS is challenged with cybersecurity. He also candidly highlighted some of the largest challenges facing security professionals:

  • Hackers getting better not just at hacking but with sharing information at a rate security professionals cannot match.
  • Defenses not keeping pace with threats.
  • Cybersecurity as an issue of national security (which the president recently accepted responsibility for, a great first step).
  • Fostering public-private information sharing.
  • Establishing reasonable metrics.

Overall a thoroughly interesting and engaging discussion. He also pushed pretty hard for good IT people, (my boss stop reading here) if you’re interested in moving into the Federal space, now might be a great time.

The three tracks I chose were Ensuring Network Protection While Meeting Compliance (PII, HIPAA, etc.), Computer Network Simulators, and Motivating People to Adopt Security Practices. You’d think these would be horribly boring, but I have to say how impressed I am not only with the conference organization but with the quality of the talks. Yes, really, I stayed engaged all day. Let me share a few tidbits of info I found particularly interesting throughout the day:

  • Information Security Officers must be allowed a seat at the executive table and involved in business decisions. (there is a heavy push to remove the “wall” of security as a sub-position of IT or an afterthought)
  • 35.7 million records potentially breached in 2008 *reported* - imagine what the actual number is. Dizzying.
  • In 2008, missing or stolen equipment accounted for 42% of reported breach events - the second highest was employee negligence at 16%.
  • Heathrow airport in England averages 900 unclaimed laptops per week - and after reasonable time unclaimed are auctioned off.
  • 1 in 10 people click through SPAM and become infected with malware. On the surface, that’s not much. But think of an organization with 1000 or more people.
  • There are 500,000 different variants of malware currently, 20,000 new ones are created every day.
  • Personal observation: Most admins don’t have a clue how base32 encoded data looks (scary).
  • People will not embrace security policies if they reduce their productivity, feel threatened, or are negatively reinforced. [Innovaites, take special note here, I listened well to this one ;)]

Overall I’ve found the conference very well organized, technically awesome, and the people very welcoming. I also had a few great conversations with some of the sponsoring vendors. So far a great experience, and I’m looking forward to tomorrow. Until then, cheers from the Albany Pump House and my beer sampler.

P.S. I’ve been tweeting some of the conference, feel free to follow me.

Chris

permalink | one response | share this

General Customer and Data Support positions at CoverMyMeds

Posted by Matt Scantland on April 29th, 2009

We’re looking for new folks to join the team at CoverMyMeds, an exciting new service that helps pharmacies and physician offices collaborate to submit prior authorization requests for prescription drugs. This helps patients get their healthcare needs taken care of, and improves the lives of our healthcare provider users too.

permalink | no responses | share this

Software Undoing Commits in Git

Posted by Jon Canady on March 4th, 2009

Some days, more than others, I love having moved to Git.

Kent had pulled some changes from our central git repository to a staging environment. These changes weren’t tested very well in IE6, so he wanted to remove them entirely from the staging environment. In Subversion, we’d have done something like svn update -r120 if we were on revision 121.

After a little digging – Kent says I only roll 3d20 for Source Control now, because we’re geeks – I found that Kent could go into the staging environment and do git reset --hard HEAD^; that is, revert everything in this repository to the state it was in one commit before the current HEAD. Then, after making a second commit from dev and pushing it, we can do a normal git pull and it will fast-forward us to the new commit.

So this isn’t much different from Subversion so far. What you can do that SVN explicitly is designed to not let you do, is use that in your dev environment. If you haven’t yet pushed the changes to a remote repository, you can willy-nilly undo commits you’ve made.

Did you accidentally add and commit a file that shouldn’t be in the repository at all? git reset --hard HEAD^, just like before. Did you commit a little prematurely? git reset HEAD^, which does a soft reset, which leaves all the changes intact but removes them from the repository like they were never committed.

Put that in SVN’s pipe and smoke it.

permalink | no responses | share this

Software In PHP, Bugs Aren’t Bugs

Posted by Jon Canady on January 29th, 2009

Today is 29 January 2009. Ask someone today what next month is.

Their answer is “February”.

Ask PHP: print date('m/d/Y', strtotime('next month')); (In english: PHP, please give me a date that looks like MM/DD/YYYY for next month.)

03/01/2009 (1 March 2009)

As it turns out, like all things with computers, you’re asking it wrong. You should write print date('m/d/Y', strtotime(date('Y-m') . '-01 next month')) which is a convoluted way of saying “Give me a date, MM/DD/YYYY, for next month calculated from the first of this month.”

Okay, but this is a bug, right? I mean, php has a strtotime() function for the purpose of letting people write english statements and parsing them into real time values, and it’s acting incorrectly.

Wrong-o.

According to the PHP devs on numerous occasions this is purely correct behavior, and they even cite the GNU date format documentation as proof:

  • PHP says “add one to the month on the date you gave us”
  • You get 31 Feb 2009
  • PHP says “that doesn’t exist!” and rolls it up to the next available real date, 1 March 2009

Except this is bullshit.

By their own admission (in the second linked bug above), the PHP developers get a bunch of bug reports because this doesn’t work as expected. Waving your hands and pointing at the GNU guys doesn’t make it okay, that’s passing the buck. Pointing back at the PHP manual in your standard form reply to these doesn’t help either: the manual page for strtotime() mentions nothing of how it might not work the way you expect it to.

Lesson to be taken away: if your users think it’s a bug, take a good look at it. It might be a bug.

permalink | one response | share this

« Older Entries

©2009 Innova Partners • Powered by WordPress 2.7.1
Close
E-mail It
Socialized through Gregarious 42