27 Feb 2009 @ 8:42 PM 

Some of you might remember that a young man killed 2 babies and a care-taker in a daycare center a few weeks ago, while wounding about a dozen others.

Someone I know works in the IT department of one of the hospitals that was in the eye of the storm during the disaster and this afternoon we had the opportunity to discuss the impact on an IT department during abnormal disaster circumstances. It interested me because planning for probable disasters that may impact your business directly is one thing, planning for disasters that you will play a role in is in a completely different ballpark.

It’s obvious that I can not share all the details we discussed, but here are some things that may be interesting.

a) In these circumstances your infrastructure might face unexpected demands. Press representatives might require wired or wireless access to the internet. If you don’t have an infrastructure to service third parties, what will you do to address these requests? Which procedures are in place to handle such requests? Healthcare information systems have specific privacy and regulatory requirements. Will you succumb to pressure from either management or external sources to provide access to the internet through your LAN?

b) In this disaster, victims were transported to different hospitals in the region. Babies don’t carry passports, and generally there’s one caretaker for 8 babies. For identification purposes and to inform parents, digital photographs were used and sent to a central place. Most e-mail systems have outbound and/or inbound size limits, in most cases controlled by a policy. How do you go about changing these limits? Time is of the essence in these cases; there will probably not be enough time to get your ECB (Emergency Change Board) together.

c) Bandwidth is in high demand during disasters. If you don’t have burst capacity and haven’t done basic QoS, you might run out of juice in a hurry. This is not the time to start messing with QoS settings, and if your bandwidth can not be increased, communications can slow down or come to a grinding halt. If you are in this specific field of business, negotiate with your ISP and/or bandwidth provider. Consider rethinking your perimeter for specific, time-restricted needs. Rebuild processes to allow for emergency waivers.

d) When a central crisis center is deployed, communication is paramount. All players in the disaster will need to create ad hoc connections to this center. Again, these demand specific changes to network infrastructure. How far can you go in that? What’s your process? How can it be expedited?

In general, most of these questions might be answered on the spot, but cleaning everything up afterwards might prove a daunting task. It all depends on what you have ready. Obviously there is some national disaster planning that deals with a lot of these questions, but it won’t hurt to plan for these types of events independently. They might not directly impact your bottom line, but in this business it may make the difference between losing or saving a life.

I personally want to commend the team that I know. They did a great job for the people hurt in this disaster. They are some of the forgotten heroes.

Guys, you rock !

Posted By: admin
Last Edit: 27 Feb 2009 @ 08:43 PM

 27 Feb 2009 @ 1:55 AM 

Initially it would look interesting for an SMB to move (part of) its infrastructure to a cloudy environment. However, since I would then be relying on the internet as my main link to all business-critical information, what has to change there? Especially here in Belgium we have 2 major ISPs (one providing DSL or Fiber, one providing Cable or Fiber). All other DSL providers use all or part of those 2 major players’ infrastructure to provide their services.

What comes to mind directly:
1) What SLAs do I get from my ISP?
It all depends on what type of applications you are running in the cloud. However, if you don’t know WHERE it is running, I’d figure your ISP can’t guarantee a lot … Time-sensitive applications should not be on your top-10 list of applications to cloudify.

2) How easy is it to take out all or part of the connectivity of a competitor, cutting off his access to his critical information?
Too easy. How you protect yourself from it is a different story that includes €€€ or $$$. You’ll have to invest in connectivity BEFORE (or while) cloudifying your applications. If you don’t, you might be in for a bumpy ride.

3) How ‘open’ is the market for cloud computing in Belgium if the market for connectivity is only semi-open?
If CCM = Cloud Computing Market and CM = Connectivity Market, then Openness(CCM) <= Openness(CM).
Particularly in Belgium, Cloud Computing may end up owned by the two major players.

4) How does a controlled market impact normal evolution?
I’d say the messed-up market in Belgium might have a very negative impact on how we evolve on this level. Due to the status quo on the connectivity level, Belgium might miss the chance to ride the cloud wave and fall behind significantly.

5) Do I need at least 2 different providers without shared infrastructure to ensure connectivity to my cloudy infrastructure?
There’s no easy answer here … I might come back at a later time with a ‘minimum required’ design. Let’s say that starting a crucial race with no spare tires is risky, to say the least.

Posted By: admin
Last Edit: 27 Feb 2009 @ 01:55 AM

 15 Feb 2009 @ 10:10 AM 

not security related but if you can spare a second, please vote on this bike and allow me to win something for once in my life :)

Posted By: admin
Last Edit: 15 Feb 2009 @ 10:10 AM

 09 Feb 2009 @ 8:59 PM 

On Saturday and Sunday, FOSDEM was happening in Brussels (Belgium), and since I didn’t make it to Shmoocon, it was a nice alternative. FOSDEM is a yearly gathering focusing on Free and Open Source (FOS, ha) development, but they also feature a systems and security track. I first learned about FOSDEM two years ago when HD Moore came over to present Metasploit 3.

This year there were 3 security talks scheduled, the first by the OWASP people, but I missed that talk because Sunday morning is supposed to be family time. I have to keep the balance somehow.

The second talk was about FreeIPA, an open source alternative for Identity, Policy and Audit management. The talk wasn’t bad; it laid out how they approached the first build of the solution, based on the Fedora Directory Server and MIT Kerberos 5 as the main components. It also includes a CA (self-signed FTM, ugh), an Apache server to deliver a web-based admin interface, a command line, etc … etc … (it also includes a DNS server).

All in all FreeIPA seems like a nice hobby project to learn the concepts of IdM, Policy and Audit, but I don’t feel the project has a real future. What amazed me is that while it loudly touts the Open Source horn, it sees itself as the solution around which all IdM in a corporation revolves. From what I understand, to use FreeIPA I have to make all the components in my infrastructure talk Kerberos. It may work in a greenfield approach, but I personally haven’t seen any greenfield IdM projects. For me, personally, IdM revolves around a) workflow and b) provisioning.
The solution does neither :(

The other contradiction in the solution is that while it pretends to be ‘Open’, it doesn’t feel that way. It tries to do everything by itself. A good example is the DNS server. I can’t think of an environment that doesn’t have a DNS server these days. Why would I want a new DNS infrastructure just to support FreeIPA? The same goes for the directory server. I may have one (or more) LDAP directories in my environment, so why not be open to what I have and deliver additional building blocks for a complete solution? That, to me, is what Open is about.

From what I read on their website (instead of focusing on what the presenter said) it seems like it’s meant to be a SIEM solution for Identity, Policy and Audit information. I’m a little bit lost now.

The third security talk was about Fusil, the fuzzer, by Victor Stinner, a French hacker. Fusil is a python library, mainly focussed on fuzzing command line programs. Victor gave a great talk, with good momentum (I could see he was nervous, but he didn’t have to be) and great slides. I loved this talk and the tool might be something to look at for all you security researchers out there that want to put programs to the test.

In the end, FOSDEM was nice. I had the chance to chat with @security4all and of course I’m looking forward to FOSDEM 2010. See you there!

Posted By: admin
Last Edit: 10 Feb 2009 @ 12:10 AM

 08 Feb 2009 @ 11:47 PM 

So, I was asked to partake in a research project because they want to find out what impact your consumption of fruit has on how you feel. I haven’t been a healthy boy lately, and since it concerns one of my favorite subjects (FOOD! OM NOM NOM!) I agreed. The good thing (or maybe not) is that they use ‘new media’ to follow up on their guinea pigs. We get a big fruit basket every week for three weeks, and everything is evaluated through chat sessions; we have to keep a (private, oh wait, not so much) blog and visit (and discuss on) a forum. Free fruit and even more internet time, I ain’t complaining.

The blogs however are where the problem is … They are private, you know, we have a login and a password, and that doesn’t allow us to visit other people’s blogs. I didn’t really try hard: in the top right corner there were the well-known RSS icons that led me to my private feed, something like http://researchsite/subject44/subject44.xml.

I’m sure you already guessed that pointing my browser to http://researchsite/subject43/subject43.xml allowed me to watch my fellow guinea pigs’ intimate musings on their fruit consumption, but also where they have been, where they work, who’s in their family … I’m pretty sure anybody can pick up those RSS feeds and have a blast with that information.

Allow me to go back to my RSS reader and feed the voyeurist in me.

Have a nice and secure week !
W
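The feeds above are served by subject id alone, with no check that the logged-in subject owns the feed requested. The added example below (mine, not from the post or the research site) shows the two things a defender wants here: the server-side ownership check the site lacked, and detection logic over constructed access-log lines that flags sessions reading other subjects’ feeds or walking sequential ids. The log format, hostnames and subject ids are all constructed assumptions.

```python
"""Detect cross-subject RSS feed reads and show the missing authorization check.

Constructed log line format (an assumption, not the research site's format):
    <client_ip> <authenticated_subject or -> <requested_path> <http_status>
"""
import re
from collections import defaultdict

# Constructed sample log: subject44 walks neighbouring ids, an anonymous
# client reads a feed, subject12 only reads its own feed.
SAMPLE_LOG = """\
10.0.0.5 subject44 /subject44/subject44.xml 200
10.0.0.5 subject44 /subject43/subject43.xml 200
10.0.0.5 subject44 /subject42/subject42.xml 200
10.0.0.9 subject12 /subject12/subject12.xml 200
10.0.0.5 subject44 /subject41/subject41.xml 200
10.0.0.7 - /subject30/subject30.xml 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) /(subject\d+)/(subject\d+)\.xml (\d{3})$")


def parse_line(line):
    """Return a dict for one feed request, or None if the line is not a feed hit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, auth_subject, path_owner, _path_file, status = m.groups()
    return {"ip": ip, "auth": auth_subject, "owner": path_owner, "status": int(status)}


def authorize_feed(auth_subject, requested_owner):
    """The server-side check the site lacked: a feed is served only to its owner.
    Anonymous ('-') requests are always refused."""
    return auth_subject != "-" and auth_subject == requested_owner


def find_cross_subject_reads(log_text):
    """(ip, auth, owner) for every served (200) feed that authorize_feed would refuse."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 200:
            continue
        if not authorize_feed(rec["auth"], rec["owner"]):
            hits.append((rec["ip"], rec["auth"], rec["owner"]))
    return hits


def enumerating_clients(log_text, threshold=3):
    """Client IPs that read feeds of at least `threshold` distinct other subjects:
    the id-walking pattern the post describes."""
    others = defaultdict(set)
    for ip, _auth, owner in find_cross_subject_reads(log_text):
        others[ip].add(owner)
    return sorted(ip for ip, owners in others.items() if len(owners) >= threshold)


if __name__ == "__main__":
    print(find_cross_subject_reads(SAMPLE_LOG))
    print(enumerating_clients(SAMPLE_LOG))
```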

Posted By: admin
Last Edit: 10 Feb 2009 @ 12:09 AM

 05 Feb 2009 @ 9:12 PM 

Pete Herzog (the main man behind ISECOM) was kind enough to reply to my blog post about OSSTMM.
Here is his complete answer:

Since you mentioned it….

The development behind the OSSTMM v.3 has been pretty amazing. We got a huge push from the OpenTC project which is funded by the EU and a lot of support from various governments around the world. But all this attention was for a reason- the OSSTMM v.3 needed to fix all the problems from the previous versions and that meant fixing a lot of the problems in the security industry. The worst being “best practices”. This meant that OSSTMM v.3 had to be a new methodology, completely rewritten, with each and every part of the method verified to be true and not just a common or “best” practice. Needless to say it’s a lot of work. But it did bring about some really cool findings about security (remember the OSSTMM just focuses 1/5th of itself on network and data security). Basically, the OSSTMM v.3 has become a collection of security facts in the form of a methodology for security testing and analysis. Some of the improvements and differences are:

- Gone are best practices
- Focus on the proper method for doing a security test and analysis from start to finish
- New modules with a cohesiveness to operational security metrics which measure accurately the attack surface of anything and trust metrics which can help you decide if you have a reason to trust someone or something.
- Self-auditing features with new test types, error types, and a means to qualitatively assure you, as the tester, are able to review problems you encountered while testing and improve yourself.
- Flexibility to apply it to any new technologies or processes.

We’re going strong but we need a better way to communicate this effectively. We’re working on a new website which will have RSS capabilities so hopefully you will see the changes as we upload them.

Thanks Pete ! I’m looking forward to the new release.

Posted By: admin
Last Edit: 10 Feb 2009 @ 12:11 AM

 05 Feb 2009 @ 1:02 AM 

I have liked OSSTMM v2 for different reasons, but mainly because it is quite clear, quite unambiguous, open and available for everybody to (re)view. The RAVs (Risk Assessment Values) that are included are very useful too in case you are doing a qualitative test. All in all, something to look at.

Unfortunately, it’s been more than 2 years since the release of v3 was announced, and only a lite version has been released, in August 2008.

ISECOM hasn’t been that forthcoming with information, unfortunately, other than announcing the basics of v3 at conferences and (apparently, I’m not sure) certifying trainers on v3.

So the question remains: when will the security community at large be able to review and use the new version of the Open Source Security Testing Methodology Manual? Or maybe we are witnessing the demise of a (again, IMHO) great open source project.

If anybody has the answer, please let me know !

Posted By: admin
Last Edit: 05 Feb 2009 @ 01:02 AM

 03 Feb 2009 @ 11:25 AM 

Any self-respecting security geek has crossed paths with the Backtrack live CD. Backtrack 2 was good, Backtrack 3 still blows my mind sometimes, and Backtrack 4 won’t be anything less than a pentester’s dream. A full-fledged Linux distro that allows you to update the (Debian-based) system AND the security tools on it. Add to that support for RFID (all your tags are belong to us) and CUDA (unleash the power of your GPU) and you know you were waiting for this.

One remark I have to make is that I’m starting to hear voices saying “w00tw00t, now I will run Backtrack as my main system”, “let’s migrate”, etc. etc. I’m thinking “stop right there”. What is the chance that your CISO (or the one working at your customer) will allow you on the network with a ‘secured laptop’ that is basically a high-end vacuum cleaner ready to suck up all of the confidential data on there?

Backtrack 4 is fantastic news, because now we can keep our gear up to date without all the hassle involved earlier. It will bring the cost of pentesting activities down (and I suspect that that is exactly why they moved to the full distro model). I’m looking forward to it, but I will not consider it as my primary environment.

Posted By: admin
Last Edit: 10 Feb 2009 @ 12:12 AM

PCWHY?

02 Feb 2009 @ 10:25 PM

A lot has been written on PCI in the light of the recent Heartland breach. Unfortunately I was still setting up this blog when Heartland happened.

In my (more than) humble opinion, the fact that Heartland was breached has nothing at all to do with the company being PCI compliant, but with the perception by its management of the need to secure critical information. It is clear that this particular company took the following equation as the basis for its risk management:

Information Security Cost <= PCI compliance cost.

By doing that, the company made a critical error. They needed to be compliant in order to be able to process cardholder data, and they made compliance their end goal.

At the same time, I came to realize that a lot of people see a ‘PCI Compliant’ sticker as a statement that their infrastructure is secure. It isn’t. It’s basically the same as with any other certification. Back in the day when ISO 900x was hot, every company made a procedural handbook. Were the procedures used all of the time? The hell they were. Every time the yearly review came around, hours were spent on re-learning the basics, and specific people were selected and their answers prepared. Sometimes everybody had to go and review the handbook again. That is what compliance is about: retaining a quality label.

Basically, PCI in particular is a great effort in risk transfer by the CC industry. You have to commend them for that.

I like PCI, because to me its most basic role is raising and enforcing awareness.
Is it the only thing you should do? No. Security, as we all know, is not a matter of checking boxes on a list. It’s also not a matter of implementing the next best firewall, IPS, SIEM or DLP technology. Security is a process and as such can never be certified; continuous improvement is paramount. Because it matters!

image under standard restrictions from http://www.sxc.hu
Posted By: admin
Last Edit: 10 Feb 2009 @ 12:12 AM

 02 Feb 2009 @ 12:16 PM 

Some people might find Facebook extremely useful; I’ve personally never thought of it that way. I started using Facebook somewhere in the middle of 2008 because some friends were using it, but it doesn’t really add value to ‘keeping in touch’ for me.

However, that is not the reason why I deleted my account. I am currently experiencing first-hand how Facebook can contribute to and/or stimulate/trigger mental issues in people. I realize that the whole SocNet thing can be kinda useful for thousands, if not millions, but at this particular point I am appalled by the mind games they use to retain users.

One good example can be seen when you try to deactivate your account (deleting your account is buried deep in the interface). When you try to do so, it will show some of your ‘friends’ who will ‘miss you’. Facebook uses a lot of emotionally laden terminology, which influences people a lot. The point I am making is that whether it is useful to 10 or 10,000 or 10,000,000 people doesn’t matter to me; if it results in only one case of a person going into a mental breakdown influenced by Facebook, it is simply not worth it.

Should Facebook be banned? Surely not, but the Facebook creators CAN do something. In the same way that they are able to detect fraudulent accounts, they are able to detect erratic usage of an account. Examples are frequent disabling/enabling of an account, frequent changes of the profile picture, etc … etc … That way they should be able to detect whether a person is having a problem, and they should be able to limit the time spent with the account or give the user a forced time-out.

Another possibility, although I’m not sure it is achievable in some way, is to have access to SocNet applications blocked on doctor’s prescription.

For the person that is dear to me, I will block the SocNet apps that he uses by switching him to OpenDNS. It’s the only way I can think of right now to keep the settings out of his control on his own computer.

Some people, at certain points in their lives, are left with next to nothing when it comes to ‘free choice’, as that choice isn’t really free at all. I don’t want to go into too much detail right now, but SocNet owners have a huge responsibility. I hope they become aware and set up the necessary systems to handle these types of problems the same way they are trying to set up security measures.

Posted By: admin
Last Edit: 10 Feb 2009 @ 12:12 AM
