The Belgian Federal Police has decided to block access to 4 different domains (leading to the same website) by requesting all ISPs to redirect traffic destined for the specific domain to a page informing surfers of the reasons why the content is blocked. I agree and I disagree with this action, let me explain …
Why I agree
I strongly believe in the right of every convicted criminal to a second chance once they have done their time. That’s how our judicial system works, that’s how it is. No individual or organisation has the right to publish private information about other people, whatever their crime has been. What this site is doing is against the Belgian privacy law and it is clear that this should be acted upon.
Why I disagree
As far as I'm informed, there has been no court ruling that supports the action taken by the Belgian police. It was a request made to all Belgian ISPs, with which most of them complied. The result is that the site is blocked for some people and not for others. If you change your DNS servers to 4.2.2.2 or use OpenDNS, you're through as well. Not only is the control ineffective, the communication around it is completely non-existent and its legality is doubtful to say the least.
In short, I don’t support the goals of the blocked website and I believe it should be blocked, but our government has gone wrong by restricting access to content without a court order and more importantly by not communicating openly and transparently with the public about this.
http://abcnews.go.com/Technology/story?id=7356353&page=1
If I am to believe ABC News, some company was crazy enough to offer the 17-year-old who found a few XSS vulns in Twitter a job. Now if the profile you are looking for is a narcissistic, unethical, good-for-nothing hoodlum, you probably won the lottery, but this for sure isn't someone I would want on my team. He has no education, he has no standards, he has no notion of working in a team and all he is looking for is limelight exposure.
He may well be very unamused by the unrewarded work in the trenches that awaits him.
This blog post is the follow-up to an interesting discussion started by @mubix on Twitter yesterday, which continued with a more in-depth IRC chat with @mattjay and @taiyed and others in the securitytwits IRC channel.
The original questions from Rob were :
Pen Testing TEAM based certification? Are some pentesting teams giving others a bad name? Not as skilled, or just bad. Interesting topic.
and
So here is the issue, from a corporate side of things, You want a Pentest team, but how do you pick one?
Here’s my point of view.
A team certification sounds difficult to me. What do you do when one of the team members leaves? Do you lose your cert? On what is the certification based, skill or achievement?
Assuming this is a know-nothing CxO looking for a pentest team, I would advise him to hire a trusted third party to help him define the scope of the project. This third party builds the RFP together with him, requiring certain certifications from individual team members based on which technologies (and vendors) are used in the environment. Their job doesn't end there, though: they also serve as the moderator between the company providing pentesting services and the customer. I'd advise this customer to either select a partner that has nothing to lose in this project (a long-time infrastructure partner might be a bad idea) OR define certain rules for communication (no direct lines between the third party and the pentesting partner, etc.). In this approach, the customer knows he has a knowledgeable partner he can rely on to evaluate the work done by the pentesters. I've engaged in this type of approach before and I can say that it works just fine as long as all parties involved are aware of their position and responsibility.
From the pentester's view, it's a different story. Due to NDAs, there's not a lot of proof of expertise you can show your potential customer. I think this was Rob's real question: "how can I show my customer that I'm a reliable, knowledgeable and professional party for him?". @tnicholson hit the nail on the head here saying that "we all do similar things, with the same tools, the difference is in how we do them" (not copied literally, but I think it boiled down to that, correct me if I'm wrong). I agree, it IS about methodology. I, for one, have always been wary of companies touting an "in-house developed, secret" methodology. It usually means they have none. In the past I've worked with ISECOM's OSSTMM (Open Source Security Testing Methodology Manual). I'm not passing judgement on the manual itself. I personally liked v2, and I'm eagerly awaiting v3. The good thing about the OSSTMM (say "ostem") is twofold:
a) it is out there, open-source, for anyone to see. There’s no super-secret sauce you drizzle over your report, it’s the same bearnaise for everyone.
b) you can have your (anonymized) reports OSSTMM certified by ISECOM. This is what answers Rob's question, in my humble opinion. Your customer can check in with ISECOM to see how many certified reports you have completed. It doesn't violate NDAs (since no customer data is divulged).
I think this sums it up. I might come back to this once OSSTMM v3 is finally released. It looks like it's going to happen this year anyway. I'm seriously hoping the guys (and girls) over at ISECOM can continue the excellent work they did with v2.
Disclaimer
I am not an employee of ISECOM, nor am I paid by them in any way.
Look, I'm not going to hide it, I love IE8. It's a strange feeling actually, because generally I've avoided IE for the past two years or so. I did most of my work in Firefox, mainly because of the vast number of plugins available for that browser. However, since version 3 came out, I felt it became slower (especially on start-up) and I started to use IE and Chrome alongside Firefox. I can't say which browser I use for which occasions; I use them all, when I feel like it or when something doesn't work like it should in one of them.
But now, IE8 … what forbidden substance did they consume in Redmond? It's rock solid. Compatibility View is genius (and it works!). I really like how they incorporated 'secure by default' in their UI. A good example is when you browse to a website that is served over https but some components or parts of the page are served over http (ads, iframes, …). In the past, IE would ask you if you wanted to see the insecure content. In IE8, that's different: IE prompts, asking whether it is OK to show you only the content that was delivered securely. If you click Yes without reading the message … you're still secure, because the safe answer is the default. It sounds trivial, but I love them for that alone.
OK, on to the main topic of this blog post: deploying IE8 in a corporate environment.
Don’t just approve the update through WSUS or allow your users to get the update through Windows Update.
The main issue here is InPrivate Browsing. This is a function, new in IE8, that allows users to browse websites without leaving traces (history, cookies, temporary files) on the local computer. That is great when you're using IE8 at home (you don't want $spouse to find out you've been looking at miniature train websites all night again …) but it's not something I want my users to use. It will ruin my chain of evidence, since whatever I find on my proxy or in a packet trace can no longer be corroborated with artifacts on the workstation (and subsequently tied to the user).
a) Check out the IEAK (Internet Explorer Administration Kit). This tool allows you to create an installer package that installs IE8 configured just the way you want it.
b) Use these recommendations to block InPrivate Browsing through Group Policy.
c) Update the inetres.adm files (these contain the Group Policy settings for IE8) in Active Directory, so the new IE8 settings show up in the Group Policy editor.
d) If you have decided that you don't want to roll out IE8 yet, use the IE8 Blocker Toolkit so that Windows Update / WSUS does not offer it to your clients.
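The following PowerShell is an added example, not part of the original post, showing what steps b) and d) boil down to on a single workstation (for example from a startup script while the inetres.adm update is still pending). The registry locations are the ones written by the "Turn off InPrivate Browsing" policy in the IE8 Group Policy template and by the IE8 Blocker Toolkit; verify them against your own copy of the template before deploying, and run the script elevated, since it writes under HKLM.

```powershell
# Added example: enforce the IE8 InPrivate policy and (optionally) the Blocker
# Toolkit setting via the registry, then audit the result.
# Assumed registry paths (from the IE8 policy template and Blocker Toolkit):
$inPrivateKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Privacy'
$blockerKey   = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Setup\8.0'

function Set-DwordPolicy {
    param([string]$Path, [string]$Name, [int]$Value)
    # Policy keys do not exist until a policy has been applied; create on demand.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

function Get-DwordPolicy {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, i.e. the policy is not set.
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

# b) "Turn off InPrivate Browsing": EnableInPrivateBrowsing = 0 removes the
#    feature from the Safety menu and from the -private command-line switch.
Set-DwordPolicy -Path $inPrivateKey -Name 'EnableInPrivateBrowsing' -Value 0

# d) Blocker Toolkit equivalent: DoNotAllowIE80 = 1 keeps Windows Update / WSUS
#    from offering IE8. Only enable this on machines that must NOT get IE8 yet.
# Set-DwordPolicy -Path $blockerKey -Name 'DoNotAllowIE80' -Value 1

# Audit: is the InPrivate policy actually in force on this machine?
$state = Get-DwordPolicy -Path $inPrivateKey -Name 'EnableInPrivateBrowsing'
if ($state -eq 0) {
    'InPrivate Browsing: disabled by policy'
} else {
    'InPrivate Browsing: NOT disabled (value: {0})' -f $state
}
```

Setting the value directly is only a stopgap: once the updated inetres.adm is in place, put the same setting in a domain GPO so that Group Policy re-applies it and a local administrator cannot simply delete the key.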
That's it, folks. Can I recommend IE8? Yes I can, and I will to anybody who asks me. But be wise and don't treat this as a behind-the-curtains update. This is a brand new application with a whole set of nifty features, and some of them need a policy decision before they reach your users.
Have a great weekend!