J Wolfgang Goerlich's thoughts on Information Security
Software support for password strength

By wolfgang. 10 January 2012 07:37

Xkcd is the QED of our industry. Want proof? Check out Randall Munroe's comic on Password Strength.

Longer phrases trump mixed-up passwords every time. "Correcthorsebatterystaple" will take significantly longer to crack than, say, "p@ssw0rd". Given this, you might wonder why the industry has not changed to longer phrases. I blame the vendors. There are a number of apps that I support and websites that I visit that still limit passwords to 14 characters. Moreover, many explicitly prevent special characters. Software support is a problem.

There are other problems, too. See today's Dark Reading article for the pros and cons of using phrases.

Dark Reading: Passphrases A Viable Alternative To Passwords?

There is a wish among some enterprise users that they could institute phrases, but they're experiencing a technology lag within the software and identity management worlds that stymies the urge.

"One reason (organizations don't use passphrases) is the number of software applications that do not support long or complex passphrases," says J. Wolfgang Goerlich, Network Operations and Security Manager for a midwest financial services firm. "Length and special characters seem to be a challenge for some vendors. Sometimes referred to as technological debt, many IT departments must maintain a suite of apps that have not been updated with modern security recommendations."

Tags:

Security | Systems Engineering

The team, the tools, and the time

By wolfgang. 5 January 2012 08:38

"Want to find out how good someone is? Take away all their tools and say, 'Now do it.'" -- @SecShoggoth

Have you heard of Thomas Thwaites? He took a maker’s approach to toasters. By reverse engineering a £3.99 Argos toaster, Thwaites was able to build his own model. He smelted the iron. He melted the plastics. He may have argued with a volleyball named Wilson. I am not sure on that last point. But after nine months and £1187.54, Thwaites had himself a toaster.

A tweet by Tyler Hudak (@SecShoggoth) had me comparing toasters to information technology. Just what is a tool? Is it that application you are using? Fine. Let’s rewrite the app to show how good we are. But wait … what about the IDE? Is that a tool? No worries. We will use cat and bang the C code out straight. What about the compiler? What about the language itself? The OS? The computer itself? How about the motherboard and daughter cards? What about ICs? The transistor?

"If you want to make an apple pie from scratch, you must first create the universe." Carl Sagan sums up the slippery slope we ride.

We live in a remix society. We -- in the IT and InfoSec industry -- work on the largest hackable platform in human history. Everything we do depends upon the work of others. Everything we make builds upon the tools of others. Every day we take from and give back to this hackable platform we call modern IT.

We could label the new generation’s approach to IT the Nintendo generation. Heck, they just download an app, point-and-click, and done. That’s not IT.

I recall folks lambasting my generation because we had a GUI. Heck, we had keyboards and mice. All we had to do was boot up, point-and-click, and done. That’s not IT. That’s not real computing.

I wager the generation before were heckled because they did not have to use punch cards. And don’t get me started about slackers who use transistors instead of vacuum tubes.

There is a certain rugged nostalgia for folks like Thomas Thwaites. People who toss aside the benefits of society to forge their own way are admirable. Equally admirable, in my opinion, are those who save time and money with clever hacks to the platform. These are folks that excel through expert use of modern tools.

See, IT has become a team sport. The one-man toaster and the lone sysadmin are throwbacks. The way forward is mastery of your specific toolset combined with a team of folks equally skilled in complementary tools. Give me a team, tools, £1187.54, and nine months. We will change the world.

Wolfgang

Note this article comes from a discussion on Twitter between @SecShoggoth, @RogueClown, and @LenIsham. @SecShoggoth blogged on expanding your skillsets beyond the tools you are comfortable with here: Tools and News.

Tags:

Project Management | Systems Engineering

DNS covert channels

By wolfgang. 28 December 2011 06:10

I am having some fun with DNS and covert channels over the holidays.

At its simplest, DNS can be used as a text-based covert channel. The DNS client sends the message via a CNAME lookup. The DNS server sends a message in response via a CNAME response. By co-opting this process, any character sequence can be sent back and forth.

What if we need to do more? Say, transfer a file? Or even browse the web? The answer here is text encoding.

Most IT folks would jump to the conclusion that the traffic simply needs to be Base64 encoded. There is a slight wrinkle. Each label in a DNS hostname is limited to 63 characters, and those characters may only be letters (upper or lower case), digits, and the dash (-). Base64 encoding is out.

The next possibility is Base32 encoding. While not often used, it fits within the DNS RFC and therefore works out of the box.

The disadvantages of Base32 over DNS are packet payload size and transmission reliability. DNS is UDP and, therefore, may suffer from dropped packets. Further, the packets can only be so long: DNS host names are limited to 255 characters.
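As an added example (not code from the post or from OzymanDNS), the following Python checks the hostname rules described above, shows why a Base64 payload fails them while a Base32 one fits until the 255-character name limit bites, and applies a simple length-and-entropy heuristic a defender can run over query logs. The domain example.invalid, the sample payload and the thresholds are constructed assumptions.

```python
import base64
import hashlib
import math
import re
from collections import Counter

# RFC 1035 limits the post refers to: 63 octets per label, 255 per name, and the
# letters-digits-hyphen (LDH) alphabet for hostnames.
MAX_LABEL = 63
MAX_NAME = 255
LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")

def valid_hostname(name: str) -> bool:
    """True if every label is LDH and <= 63 chars and the whole name is <= 255 chars."""
    if not name or len(name) > MAX_NAME:
        return False
    return all(len(lbl) <= MAX_LABEL and LDH_LABEL.match(lbl)
               for lbl in name.rstrip(".").split("."))

def pack_as_labels(payload: bytes, domain: str, scheme: str) -> str:
    """Encode payload with Base32 or Base64 and split it into 63-char labels under
    a placeholder domain, to show which alphabet survives the hostname rules."""
    if scheme == "base32":
        text = base64.b32encode(payload).decode().rstrip("=").lower()
    else:
        text = base64.b64encode(payload).decode()  # may contain '+', '/', '='
    chunks = [text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL)]
    return ".".join(chunks + [domain])

def shannon_entropy(s: str) -> float:
    """Bits per character: 0 for 'www', close to 5 for random Base32 text."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def suspicious_query(name: str, min_label: int = 30, min_entropy: float = 3.0) -> bool:
    """Detection heuristic: a long, high-entropy label below the registrable domain is
    what an encoded payload riding in a QNAME looks like. Assumes a two-label suffix
    such as example.invalid; the thresholds are starting points for tuning."""
    labels = name.rstrip(".").split(".")[:-2]
    return any(len(lbl) >= min_label and shannon_entropy(lbl) >= min_entropy
               for lbl in labels)

def flagged_queries(names):
    """Return the subset of query names the heuristic would alert on."""
    return [n for n in names if suspicious_query(n)]

# Constructed sample log: two ordinary lookups and one name carrying 128 pseudo-random bytes.
SAMPLE_PAYLOAD = hashlib.sha256(b"constructed sample payload").digest() * 4
SAMPLE_QUERIES = ["www.example.invalid", "mail.example.invalid",
                  pack_as_labels(SAMPLE_PAYLOAD, "example.invalid", "base32")]

if __name__ == "__main__":
    for scheme in ("base64", "base32"):
        ok = valid_hostname(pack_as_labels(b"hello world", "example.invalid", scheme))
        print(f"{scheme} fits DNS hostname rules: {ok}")
    print("flagged:", flagged_queries(SAMPLE_QUERIES))
```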

Dan Kaminsky came up with an interesting solution to these problems. He essentially tunneled IP over DNS using Base32 encoding. Such protocol layering handles the limitations of UDP. To increase the size, Kaminsky relied on the EDNS0 extension specified in RFC 2671. He released a proof of concept in the form of the OzymanDNS Perl scripts.

As a side note, the name OzymanDNS had me curious. I did some digging. It is a Watchmen comics reference which, in turn, traces back to an Egyptian pharaoh. Nothing says secret writings like comic books and pharaohs.

Anyways, in sum, covert channels over DNS are practical. With some clever protocol manipulation, binary files and even web browsing can be tunneled over DNS.

Tags:

Security | Systems Engineering

Malware Removal Guide for Windows

By wolfgang. 10 October 2011 08:50

I was at a family event this past weekend. As so often happens at these events, the conversation goes something like:

Them: "Oh, you are in computer security? I got this virus. What should I do?"

Me: "Uhh … Well, that’s not really what I handle."

Malware infections in the corporate world are easy. First, we keep up on the patches. That prevents a lot of infections. Second, we have anti-virus software with updated signatures. This catches what gets through. Finally, if computers do get infected, we have a silver bullet. A simple reimaging gets everything back in shape.

People at home are not so fortunate. Reimaging is not a fix for them because that often means losing valuable data and applications.

Until recently, my only advice was to reload. Then Brian @ Select Real Security put up an in-depth guide on removing malware. Now I have a better answer. “I got this virus. What should I do?” Check out this guide.

Malware Removal Guide for Windows
http://www.selectrealsecurity.com/malware-removal-guide

"This guide will help you clean your computer of malware. If you think your computer is infected with a virus or some other malicious software, you may want to use this guide. It contains instructions that, if done correctly and in order, will remove most malware infections on a Windows operating system. It highlights the tools and resources that are necessary to clean your system."


Tags:

Security | Systems Engineering

Cost justifying 10 GbE networking for Hyper-V

By wolfgang. 21 September 2011 05:13

SearchSMBStorage.com has an article on 10 GbE. My team gets a mention. The link is below and on my Press mentions page.

For J. Wolfgang Goerlich, an IT professional at a 200-employee financial services company, making the switch to 10 Gigabit Ethernet (10 GbE) was a straightforward process. “Like many firms, we have a three-year technology refresh cycle. And last year, with a big push for private cloud, we looked at many things and decided 10 GbE would be an important enabler for those increased bandwidth needs."

10 Gigabit Ethernet technology: A viable option for SMBs?
http://searchsmbstorage.techtarget.com/news/2240079428/10-Gigabit-Ethernet-technology-A-viable-option-for-SMBs


My team built a Hyper-V grid in 2007-2008 that worked rather nicely at 1 Gbps speeds. We assumed 80% capacity on a network link, a density of 4:1, and an average of 20% (~200 Mbps) per VM. In operation, the spec was close. We had a "server as a Frisbee" model that meant non-redundant networking. This wasn’t a concern because if a Hyper-V host failed (3% per year) it only impacted up to four VMs (2% of the environment) for about a minute.

When designing the new Hyper-V grid in 2010, we realized this bandwidth was no longer going to cut it. Our working density is 12:1, with a usable density of 40:1. That meant 2.4 Gbps to 8 Gbps per node. Our 2010 model is "fewer pieces, higher reliability" and that translates into redundant network links. This matters more when a good portion of our servers (10-15%) would be impacted by a link failure.

Let’s do a quick back-of-the-napkin sketch. Traditional 1 Gbps Ethernet would require 10 primary and 10 secondary Ethernet connections. That’s ten dual 1 Gbps adapters: 10 x $250 = $2,500. That’s twenty 1 Gbps ports: 20 x $105 = $2,100. Then there’s the time and materials cost for cabling all that up. Let’s call that $500. By contrast, one dual port 10 GbE adapter is $700. We need two 10 GbE ports: 2 x $930 = $1,860. We need two cables ($120/per) plus installation. Let’s call that $400.

The total cost per Hyper-V host for 10 GbE is $2,960. Compared to the cost of 1 Gbps ($5,100), we are looking at a savings of $2,140. For higher density Hyper-V grids, 10 GbE is easily cost justified.
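The napkin math above as a small Python model, added here and not the author’s own spreadsheet: it derives the redundant link count from VM density and per-VM bandwidth, then prices both designs with the figures quoted in the post, so the crossover density can be explored. The 80% utilization ceiling and the dual-port adapters are the post’s assumptions; the cabling costs are taken as the post’s lump sums.

```python
# Cost model behind the post's napkin sketch (added example). Bandwidth is kept in
# integer Mbps so the link count is exact; cabling is the post's per-host lump sum.

def links_required(vm_density: int, mbps_per_vm: int, link_gbps: int,
                   utilization_pct: int = 80) -> int:
    """Primary links a node needs so VM traffic stays under the utilization ceiling."""
    needed_mbps = vm_density * mbps_per_vm
    usable_mbps = link_gbps * 1000 * utilization_pct // 100
    return -(-needed_mbps // usable_mbps)  # ceiling division

def host_network_cost(primary_links: int, ports_per_adapter: int, adapter_cost: int,
                      switch_port_cost: int, cabling_cost: int, redundant: bool = True) -> int:
    """Per-host cost of adapters, switch ports and cabling; links double when redundant."""
    ports = primary_links * (2 if redundant else 1)
    adapters = -(-ports // ports_per_adapter)
    return adapters * adapter_cost + ports * switch_port_cost + cabling_cost

def compare_designs(vm_density: int = 40, mbps_per_vm: int = 200) -> dict:
    """The post's comparison at the usable density of 40:1 and ~200 Mbps per VM;
    pass a different density to see where the crossover lies."""
    one_gbe = host_network_cost(links_required(vm_density, mbps_per_vm, 1),
                                ports_per_adapter=2, adapter_cost=250,
                                switch_port_cost=105, cabling_cost=500)
    ten_gbe = host_network_cost(links_required(vm_density, mbps_per_vm, 10),
                                ports_per_adapter=2, adapter_cost=700,
                                switch_port_cost=930, cabling_cost=400)
    return {"1GbE": one_gbe, "10GbE": ten_gbe, "savings": one_gbe - ten_gbe}

if __name__ == "__main__":
    for density in (4, 12, 40):
        print(f"{density}:1 ->", compare_designs(density))
```

At the working density of 12:1 the model prices the 1 Gbps design at $1,880 per host, so the savings only appear as density climbs toward the 40:1 usable figure.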

It took some engineering and re-organizing. We have been able to squeeze quite a bit of functionality and performance from the new technology. Cost savings plus enhancements? Win.

Tags:

Architecture | Systems Engineering | Virtualization

Unified threat management - multi-function firewalls

By wolfgang. 24 June 2011 17:21

You bought an all-in-one printer. It seemed like a good deal, right? All that multi-function goodness for only a few dollars more than the ink for your current laser printer. Bet it didn’t take long for the good feeling to sour. Jammed paper, smeared faxes, and the like.

Printers gave multi-function a bad name. But firewalls may bring multi-function back in vogue. Specifically, I am looking at the Fortinet Fortigate products. Fortinet has cornered the market on unified threat management (i.e., multi-function firewalls). These devices ship with built-in firewalls, routers, VPNs, intrusion detection, Wi-Fi, and more.

Consider:

Use case 1: the novice who needs to get up and running quickly. The unified threat management gateway answers that need. The device is preconfigured and integrated. There are options to set, of course, but the time to get the system online is hours rather than weeks.

Use case 2: the dyed-in-the-wool security people. These folks have the time, budget, and knowledge to continue to build dedicated security appliances. Such people have an edge in defending their networks against all these threats. Do the cost-benefit analysis, though, and if you’re in a mixed role like mine, doing security operations and network operations, I wonder if it’s worth it.

Use case 3: the pragmatic security people. Compared to dedicated point solutions, the unified threat management gateway provides a majority of the security feature-set at a fraction of the cost. Pragmatic security folks can then redeploy their resources to addressing more pressing security concerns.

Needless to say, I am sold on Fortinet’s approach. Consider that every 18 months, silicon is pushing more bytes. We can either get better performance from a piece of hardware, or more functionality from the same hardware. Fortigate means simply doing more with less.

Tags:

Security | Systems Engineering

B-Sides Detroit overview

By wolfgang. 6 June 2011 12:46

Do information security conferences seem a tad corporate these days? Too staid? A little too serious? Maybe, maybe not.

Fresh from Source Boston, I definitely had an expectation of security conferences that the new BSides Detroit blew away. Forget vendors and booths. There were none. Forget nametags. How about a piece of tape with a Sharpie, eh? Forget AV equipment with wireless mics. Heck, forget even having a projector screen. Throw up the slides on an improvised canvas. Let’s get a room full of tech people with a hacker bent, get them talking, get them thinking, and get them outside of the typical conference mindset.

Outside the norm: that defined the atmosphere this past weekend at the OmniCorpDetroit hackerspace. Present the can-do raw creative experience. BSides Detroit was different, fun, inspiring.

Highlights from the talks are below. I hear planning for a 2012 event is already underway, so more good content to come.

High-level talks:

Rafal Los: Ultimate Hack - Manipulating Layers 8+9 [Management & Budget] of the OSI Model. If you’ve been following Raf’s #SecBiz threads, you know he has been stirring the pot. Think social engineering meets Dilbert corporate America. For me, this was the talk that made the conference. I am hoping to get Rafal back into the area to give us an encore.

Chad Childers: Towards Data Centric, Technology Agnostic Security. I am sure there’s been at least once in your career where you have thought, heck, Bell-La Padula and Biba security models should be good enough for anyone. No? Well, good, you have not been touched by the CISSP mindset. Chad broke down the classic models and argued for a data-centric model, possibly based on ccREL, S/MIME, virtual smart cards, and DRM.

Nuts-and-bolts talks:

Brett Cunningham, Jack Crook, Matt Sabourin: Intelligent Fuzzy Hashing for Malware Similarity and Attribution. We all know that regular hashing (MD5/SHA) works great for finding identical files. But how do we find similar files? Use fuzzy hashing with tools like ssdeep, which give an indication of how similar (in terms of percentage) two or more files are. Possible use cases include forensics, plagiarism, malware analysis, and data loss prevention. The cool thing is that they are launching a project (www.allsum.org) to integrate the technique with intrusion detection and malicious code detection.

Kyle Creyts: Ain't Your Average Blacklist: Catching Synners. An interesting talk on geolocation of IP addresses, and on how to visualize and use the data. Made my inner SecViz geek happy.

Mark Stanislav: It's Vulnerable... Now What?: Three Diverse Tales of Woe and Remediation. I am not a PHP programmer. I am less AppSec, and more NetSec. But none of that mattered. Mark’s common sense talk on PHP security was good fun. What’s more, his emphasis on vulnerability disclosure as a community responsibility spoke to me. Just as we would not walk by garbage on the street without addressing it, we cannot ignore garbage in the code. We have an obligation to help keep our Internet clean.


Tags:

Security | Security Information Management | Systems Engineering

Everything includes training

By wolfgang. 11 May 2011 06:30

True story. I worked with a guy maybe a decade ago. We’ve kept in touch. He sees an article on Slashdot and thinks, “wow, that sounds like Wolfgang. I should send him the link.” He clicks the link, only to find that I am in the piece. The guy called me laughing this morning and said he can't get away from my ideas on training.


Anyways, if you have worked with me, worked for me, or worked within ear shot of me, you’ve heard me say one or more of the following many, many times:

  • In IT, you don’t hire people for what they know. You hire people for what they can learn and what they do.
  • Everything includes a training component. Train during every initiative, every implementation, and every project.
  • Technology is like sports: most of the work is training before the game. High performing teams and high performing techies spend 20% of the time training.
  • Skimping on spending for training because of retention concerns is like saying: “I’m concerned that if people know what they’re doing, they’ll leave. And if they don’t know what they’re doing, they’ll stay.”
  • IT management is a Chinese finger puzzle. You pull too hard, and you can’t get out. You put in too many hours, you get diminishing returns.

Lisa Vaas at Software Quality Connection puts it all into perspective in “I Like My IT Budget Tight and My Developers Stupid”.

Tags:

General | Project Management | Systems Engineering

Internet kill switches

By wolfgang. 29 January 2011 15:47

January 27: the day the Internet died.

Protests have been ongoing this week in Egypt. There has been a significant amount of press coverage on the political situation. The riots began on January 25 and then, on January 27, President Hosni Mubarak unplugged Egypt from the Internet.

The reasons given for going dark are that the rioters were using the Web and Internet to coordinate. This makes sense, as we have seen Twitter and other social media sites used in recent unrests. The main concern for InfoSec is the precedent that Mubarak has set.

Will other countries, faced with similar situations, choose to unplug? It seems likely. For example, at the same time Egypt was unplugged, the U.S. re-introduced the “Internet kill switch” bill. (Read the bill at Thomas or see Wired’s kill switch coverage.) Of course, killing the Internet will have economic repercussions.

And that’s what I am thinking about today. Should the Internet be disabled, how would my firm continue to do business? How would we send and receive communications? In terms of InfoSec and engineering, what mitigations could be deployed for this risk?

J Wolfgang Goerlich

How did they do it? Both Ars Technica and Wired have articles on the technical aspects of unplugging. How are people coping? The old standby is modem dialup, although some are calling others to post information, or faxing information out to the Internet. Wired also posted a Wiki on how to communicate if your government shuts off your Internet.

Tags:

Risk Management | Security | Systems Engineering

Tools for converting files to ePub format

By wolfgang. 6 October 2010 18:04

Wired has a how-to for rolling your own e-books. The following tools are covered for converting digital files to ePub. This could be quite handy for zapping study materials into e-books.

The tools are:

  • ePubBud.com - Find out more online in their FAQ.
  • eCub Cross platform tool
  • eScape ePub Creator - Converts OpenOffice documents to ePub format.
  • ODFtoEpub - Converts OpenOffice files to ePub format.
  • BookGlutton - Converts HTML web pages to ePub format.
  • EasyEPub - Convert from Adobe InDesign or Quark format to ePub

Tags:

Systems Engineering