Security Stallions Blog "Musings of all things infosec…"

2Feb/10

Doing it Wrong – Uncryption of the Enterprise

Doing it Wrong (DiW)
Jay Jacobs and David Meier

Dave: First I'd like to take this opportunity to say "Hi!" to all three SecurityStallion readers out there. I know things have been a bit sparse since September last year, but that's changing in 2010. The Digs are back and there are also some new article formats we're going to be throwing around. So with that lead-in I'd like to welcome the infamous Jay Jacobs. Jay is one of the more realistic security practitioners I've had the chance to work with (albeit indirectly) and I'm pleased that we can do this type of spot together, respectably titled: "Doing it Wrong". But what is this and why should you care? Over to Jay for the explanation...

Jay: Dave and I have had many discussions on various topics, and "doing it wrong" stuck out as a title because that's what I kept thinking about Dave, and I think Dave kept thinking about me. These posts should reflect that mutual respect. I also like the title, not just for the initial Ha-Ha-ness, but also because it reminds me that we learn best from mistakes. If I had gotten Sendmail working right away, I might not be able to spoof email with telnet. Realizing I'm doing it wrong means that I may be able to fix it. I look forward to challenging my way of thinking here.

Dave: Seriously Jay, you're still using Sendmail? That's a whole other DiW I guess! But, back to the meat: Uncryption of the Enterprise. So what does that really mean? Well, I've been around the track a few times (from a consulting perspective it's really just like NASCAR: left turn, left turn, left turn...) and I tend to get riled up when things in the enterprise that should be encrypted are being tossed around the network, well, unencrypted. In fact, oftentimes I have to bring up the fact that maybe those NTP updates should be encrypted, that the OSPF adjacency is left ripe for the picking, or even that FTP is still being used as a primary transport facility in very, very, very large enterprises! WTF people? W-T-F? The best (and oft heard) excuse by far has to be from a monitoring perspective: "well then we can't see what's going on". The simple answer to that: if it's important enough to encrypt (PII, authentication data, sensitive information, etc...) and you don't have access to a point where you can extract or view that data in flight, then maybe, just maybe, you shouldn't be privy to said data in the first place. I know, this might be a real shocker, but just because you're sitting in the SOC or NOC and can control the data flow doesn't mean it's implied you should be able to read it. Encrypt if you have it, right? Jay? I mean, really, why not?

Jay: Yeah, I was still using Sendmail on my 286, but decided to upgrade for Y2K. Encrypt if you have it? There's a saying around cryptography: encrypting data is easy, it's the decryption that gets you. It's really easy to sit on a high horse (or Stallion, Dave) and say that everything should be encrypted; it's a whole different ball game to actually do it. As soon as data gets encrypted, a key is created, and then two things happen:

  1. Auditors flip to a new tab in their spreadsheet because a whole new set of controls around cryptography and key management must be understood, or at least implemented. Most IT folks, rather than view this as a development opportunity, see this as just more ways to screw up, which leads to...
  2. The typical IT admin gets a glazed look on their face and a mad rush ensues to find someone else to dump this crazy "encryption" on. Normally intelligent people all of a sudden look like they're being asked to captain the Titanic on her maiden voyage.

These two things are exacerbated by overly-protective frameworks and compliance controls that treat all the keys like they are dipped in gold and then encrusted with diamonds. Generally speaking, a key is just a long password (with a few caveats). So, while encrypting NTP is a no-brainer in theory, in reality the key management in the products stinks and nobody wants to sign a form saying that they understand and accept their key custodian responsibilities (thanks for that one, PCI).

Where to Fix (WTF)

Dave: I can see Jay's point (to a degree). Managing keying (as a process) and the keys themselves is a complex undertaking in large organizations. Fundamentally, however, encryption is a component of the enterprise. The task is simplifying it where it can be simplified. Use it as it was meant to be used: to keep things private. And don't, I repeat, don't use it as an afterthought or add-on unless there is no other option. If encryption wasn't designed into your system of systems from the beginning, adding it after the fact usually buys you about as much improved posture as the hunchback of Notre Dame.

Jay: That's the rub: nobody is capable of designing encryption in because everyone does it differently; people should get together and make some type of open and interoperable key management protocol. Rather than simply saying everyone ought to turn on encryption everywhere, I think it's more appropriate to say that we need to focus on the support structure to implement encryption. Something like meetings once a week, "Cryptos Anonymous" I'd call it, where normally well-adjusted admins show up and say, "Hi, I'm Jay and I'm a key custodian". Either that, or a well defined key management governance structure with tools to back it up. Then we can start talking about encrypting the world.

Dave: "Encrypting the world" - <sinister laugh>Mua ha ha ha hahhhhhh!</sinister laugh>
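Before anyone can encrypt (or even authenticate) the world, they need to know what is currently travelling in the clear. The helper below is an added example, not code from the post or from either author: it inspects constructed OSPFv2 Hello and NTPv4 packets (built inside the file, not captured from any network) and reports the authentication state the header advertises. The packet layouts follow RFC 2328 (OSPF AuType field) and RFC 5905 (NTP symmetric-key MAC trailer); note that NTP's standard mechanism is a MAC, i.e. integrity rather than confidentiality. Router IDs, key ids and packet names are assumed values for illustration.

```python
import struct

# Added example (not from the post). All packets are constructed here.

# OSPFv2 AuType values (RFC 2328, appendix D).
OSPF_AUTYPE = {
    0: "null (no authentication)",
    1: "simple password (cleartext, sniffable)",
    2: "cryptographic (keyed MD5)",
}

NTP_HEADER_LEN = 48                      # fixed NTPv4 header, RFC 5905
NTP_MAC_LENS = {20: "MD5", 24: "SHA-1"}  # 4-byte key id + digest


def classify_ospf(pkt: bytes) -> str:
    """Report the authentication type an OSPFv2 packet advertises.

    OSPFv2 header (RFC 2328 A.3.1): version(1) type(1) length(2)
    router id(4) area id(4) checksum(2) autype(2) authentication(8).
    """
    if len(pkt) < 24:
        raise ValueError("truncated OSPF header")
    version, _ptype, _length, _rid, _area, _csum, autype = struct.unpack(
        "!BBHIIHH", pkt[:16])
    if version != 2:
        raise ValueError(f"not OSPFv2 (version {version})")
    return OSPF_AUTYPE.get(autype, f"unknown autype {autype}")


def classify_ntp(pkt: bytes) -> str:
    """Report whether an NTPv4 time packet carries a symmetric-key MAC.

    An unauthenticated packet is exactly 48 bytes; with symmetric-key
    authentication a 4-byte key id and a digest follow the header.
    Extension fields (e.g. Autokey) are not handled by this helper.
    """
    if len(pkt) < NTP_HEADER_LEN:
        raise ValueError("truncated NTP packet")
    mode = pkt[0] & 0x07
    if mode not in range(1, 6):  # 1-5 are time packets; 6/7 are control/private
        raise ValueError(f"not an NTP time packet (mode {mode})")
    trailer = len(pkt) - NTP_HEADER_LEN
    if trailer == 0:
        return "unauthenticated"
    if trailer in NTP_MAC_LENS:
        key_id, = struct.unpack("!I", pkt[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])
        return f"authenticated ({NTP_MAC_LENS[trailer]} MAC, key id {key_id})"
    return f"unrecognised trailer ({trailer} bytes)"


def audit(packets):
    """Return (name, verdict, needs_fixing) for each (name, proto, bytes)."""
    findings = []
    for name, proto, pkt in packets:
        if proto == "ospf":
            verdict = classify_ospf(pkt)
            bad = not verdict.startswith("cryptographic")
        elif proto == "ntp":
            verdict = classify_ntp(pkt)
            bad = not verdict.startswith("authenticated")
        else:
            raise ValueError(f"unsupported protocol {proto}")
        findings.append((name, verdict, bad))
    return findings


def build_ospf_hello(autype: int) -> bytes:
    """Constructed OSPFv2 Hello: 24-byte header + 20-byte body (checksum left 0)."""
    # mask, hello interval, options, priority, dead interval, DR, BDR
    body = struct.pack("!IHBBIII", 0xFFFFFF00, 10, 0x02, 1, 40, 0, 0)
    header = struct.pack("!BBHIIHH", 2, 1, 24 + len(body),
                         0x0A000001, 0, 0, autype) + b"\x00" * 8
    return header + body


def build_ntp_client(key_id=None) -> bytes:
    """Constructed NTPv4 client packet (LI=0, VN=4, mode=3); MD5 MAC if key_id given."""
    header = bytes([0x23]) + b"\x00" * 47
    if key_id is None:
        return header
    # digest bytes zeroed: only presence and layout are inspected here
    return header + struct.pack("!I", key_id) + b"\x00" * 16


if __name__ == "__main__":
    sample = [
        ("core-rtr hello", "ospf", build_ospf_hello(0)),
        ("edge-rtr hello", "ospf", build_ospf_hello(2)),
        ("ntp client", "ntp", build_ntp_client()),
        ("ntp client (keyed)", "ntp", build_ntp_client(key_id=7)),
    ]
    for name, verdict, bad in audit(sample):
        print(f"{'FIX' if bad else 'ok '} {name}: {verdict}")
```

The same checks apply to real captures: feed the IP payload of protocol 89 packets to classify_ospf and the UDP/123 payload to classify_ntp. AuType 1 is worth flagging alongside AuType 0, since a simple-password OSPF adjacency sends the password on the wire and is no harder to pick than an unauthenticated one.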

1Feb/10

The Digs – 02.01.2010

Well.  Hi there!  I know, it's been a while.  So long, in fact, that I swear when I fired up this new post I could hear the gears of the backend squeak to life as they've been sitting idle since last September.  Yes, it's been far too long and much has and hasn't changed.  Why bore you with the details though?  Let's get back to where we left off.

One quick note before we get started.  A quick reader would have noticed the name change to "The Digs".  I find it laughable now (the wonder of hindsight) that I had such high hopes for being able to do this every day.  Truth be told there are far too many things elsewhere and too little time.  Here's your new SLA: "The Digs" will appear on average 2-3 times per week, catching up on what happened between posts.  And now, on to the digs...

First up is Gunnar.  I like Gunnar 1) because what he says is most often highly cogent and 2) because he has to deal with cold shitty winters too.  Thanks Gunnar.  Oh and thanks for finally bringing up APT.  There's a point in the post about the $6 billion in arms we're sending to Taiwan that will, likely, impose sanctions on what China buys from us in the future.  Here's my reply:  "Dear China, How's it going?  Don't worry about that whole Taiwan thing.  I've seen the shit we were selling to Taiwan a few years ago and you've got no worries.  Really, it's kind of like the toy you get out of a Cracker Jack box (because it'll all be yours eventually anyway).  If you don't understand the Cracker Jack thing I'm sure there's an article on Wikipedia.  Later China!".
[APT - The Sonny Response or the Michael Response?]

I like hardware.  Except when it sucks.  I'm often confused why small (and even medium sized) businesses buy hardware from large vendors (like those that start with a 'C' and end with an 'isco' - don't get me wrong, there is a time and a place, along with an OC-12) when all they want to do is bring in some simple routing functionality, with a sprinkle of firewall and maybe, if they're feeling saucy, some IPsec on top.  So when I saw this new Netgear appliance and its awesome price of roughly $275 I said to myself: "Wow, that underpowered old Linux kernel that will rarely ever be updated is just up my alley!".  OK, I didn't say that.  But, really, if you want that sort of thing, just pay someone to deploy and manage some pfSense boxes for you.  But if you're really still interested, by all means...
[Netgear Releases New Gateway Security Appliance]

OK, full disclosure here: I am the whipping boy over at Securosis (aka 'the intern').  But I'm glad someone said it (thanks Adrian!).  To all you big guns out there scrapping what you've got in house and churning out your next big thing - Agile & Scrum sux0r for your security.  Yeah.  SUX0R (with a capital zero).
[Firestarter: Agile Development and Security]

I laughed when I saw this next one.  Make sure you defrag your "Secure End Point Management (SEPM) server", boys and girls!  Well, for starters that implies it's probably running some old version of Windows.  Oh yeah, they state 2003 in the article.  Maybe it runs on Windows ME though, you never know.  Oh, and it's x86.  Awesome.  SEPM jokes anyone?  The article title just makes it sound incontinent or something.
[Defrag Your SEPM Server Regularly]

I'm not going to say much about this next gem I found over at NetWitness other than the fact that if you really think IDS started "several negative trends that are still affecting the psyche of security personnel today" then maybe the blue pill really is for you.
[IDS Legacy is Institutionalized Failure]

So last year I had a conversation with someone about IE6.  To preface - I know of a special place I visit on a regular basis during the week that still has IE6 as part of their base workstation build.  Anyway, so I had a conversation last year about when this individual thought IE6 would be eradicated from the environment.  And their answer was around 2012 or 2013, when XP wouldn't be their base OS.  I proceeded to choke on my coffee.  They, on the other hand, were serious.  So I love to spam people like this with all of the love in the air for IE6 as of late.  Because, really, you thought even Microsoft could save such a fine piece of work?  Fat chance.
[Tide Turns Against IE6 as Usage Drops]

Let's round out our first post for 2010 (and hopefully not the last) with another great one that has to do with China.  The EFF has an article up about US-based companies that are "selling Chinese authorities the surveillance equipment used to commit or facilitate human rights abuses".  This assumes that 1) China hasn't already ripped off IP from these companies which could be used to, well, remanufacture them and 2) that China doesn't have the upper hand from a monetary perspective right now.  Just food for thought.  Wasn't Cisco's source ripped off a few years ago anyway?  China could just always run a big virtual network with GNS3 anyway, right?  :)
[Seven "Corporations of Interest" in Selling Surveillance Tools to China]

We'll leave you with these final links...  Thanks for reading!

[New Laws Close in on Hackers] - Seems rather timely, no?
[Cable Modem Hacker Faces Potential 40 Year Prison Term] - The Internet just wants to be free, what can I say?
[Researchers Uncover Security Vulnerabilities in Femtocell Technology] - Where "technology" should say "hardware" because, surprise surprise!  Your shitty embedded Linux hackery was reversed.
[Adobe Flash Security on Menu at BlackHat] - As if to say any Adobe technology hasn't been on the menu for the past, what, 5 years?  Keep on keepin' on Mr. Mike Bailey!