Dear Titania,
for years I have honestly appreciated your contribution to the community in the form of the useful tool called Nipper. As an information security consultant, performing audits and pentests, it was just another tool in my toolset, that made my work easier. It translated a config from a device to a report that I was able to read and draw conclusions from. Moreover, it was released under a GPL license, which made me like it even more.
In the past months, rumours were that you were going to close the source, turning Nipper into a commercial product. This would assume that you have established a niche for your product, and have a good outlook on a steady flow of money coming in. Awesome !
GPL products going commercial is a natural progression. It happened before. Nessus went commercial, but they allowed older versions to be used, and forked. OpenVAS was developed from the older source code. The Nessus guys knew they had a quality product, but more than that, they had quality people and they knew that they could deliver added value to their prospective customers WITHOUT making a douche move on the community.
When Daniel Cid started developing OSSEC, it was a side project. The guy is so awesome that not only was he able to release this awesome tool under the GPL, the product was later acquired by Third Brigade which build a quality support service around it. His awesomeness was proven again earlier this year when TrendMicro acquired 3rd Brigade AND vowed to keep OSSEC under the GPL (v3) license.
You see, GPL + Commercial just works … if your product is worth it.
It can be done !
Whatever happened between some pints of lager stinks. By going commercial, you revoked access to all previous versions of Nipper and removed the GPL license. I sincerely hope that nobody outside your ‘company’ ever contributed to Nipper, or will you give kickbacks ? You cut off a community that was behind you
Your tool (it’s a PARSER !) is awesome, but for a very limited audience. How do you think you will enable your users, who are mainly network admins, network consultants, auditors, etc., to convince their managers to buy a license for a friggin parser (with a GUI, w00t!) ? My guess is, those knowledgeable enough to do so will write their own for the 3 or 4 brands they support, others will sigh and just spend more time on ‘auditing’ their network.
You obviously feel there isn’t that big of a difference between earlier versions and v1. Not enough to entice customers to buy in your ‘earn money quick’ scheme. You obviously see the previous versions as competition. And then, I’m not even talking about the way you mistreat the community that relentlessly supported your work which, again, up to this point was awesome.
Oh well, another day, another dollar. Good luck and thanks for nothing.
Regards,
Wim
P.S. I will remove all links to Titania as of now. I probably took this a little too personal.
We’ve grown accustomed to the fact that whenever a breach happens or a security incident occurs, everybody in or around the entity goes mum. No word is uttered, no message is written. Marketing and PR gurus go into overdrive and try to minimize the perceived damage, which is primarily related to their image.
Seems like those bureaucratic types can learn something from the open source community :
http://blogs.apache.org/infra/entry/apache_org_downtime_initial_report
Yes, Apache.org got hacked today. It looks like one of their SSH keys got compromised and that’s how the bad guys got into the system. The openness about the situation is what struck me though. They don’t only admit that something happened, which is already more than what most companies would do, but they specify which systems, what OS they were running, how files were distributed over their environment, what happened afterwards and how they detected it.
For me this proves the following :
Sure you can get hacked, anybody can get hacked, it’s the way you handle it that sets apart the boys from the men.
(Shiny armour optional.)
Hear, hear,
Between November 6th and November 8th of this year two thousand and nine in the beautiful city of Wuxi, China Excaliburcon will unwind. This will be the first edition of this con and already the list of speakers is impressive !! Amongst others, Adam Laurie, FX, Shawn Moyer, Nathan Hamiel will be present to deliver top-notch presentations.
It doesn’t happen often that you can combine a learning experience with being submerged in an amazing culture, hence this conference is to be seriously considered by all of you.
You will find more information on : http://www.newcamelotcouncil.com/indexen.html
P.S. : yours truly will be presenting at this conference too. Glad to share 一杯啤酒 with y’all !
As Belgian media outlets picked up steam on the Heartland and Hannaford breaches now that the indictments are revealed and all the juicy details are available, I sit back and am amazed.
When Hannaford, TJX, Heartland, … happened there was almost no coverage here. Now I know why : there was nothing spectacular to report ! Now all journalists are touting words like SQL Injection, targeted malware, antivirus evasion and quoting spectacular numbers (“hundred million credit cards”). We clearly have evolved to a level of gutter press in our petite country.
I honestly believe that the press has a responsibility to inform the population about events that may have an effect on their life. Moreover they also have a responsibility to educate that same population. In this case, whenever a breach happens, some knowledgeable journalist (I know, them is hard to find these days …) should be tasked to lay out the facts, as far as they are available, and the lessons a person can learn from these events. Even if it only prevents one person from entering her personal information on an insecure website, it’s worth the paper it’s printed on.
Additionally, some nitwit on the news this afternoon mentioned that Belgian credit cards are more secure because we have a chip and don’t use the magstripe to exchange information at a terminal. It’s complete and utter BS, sir. Last time I checked, my credit card still has the magstripe AND embossed number on it. Why ? Backward compatibility. If I want to use my card at a gas station in the south of Spain, they can still use the paper copy that I sign. When I use my card in the US, they can still swipe the magstripe on the terminal to credit my account. Even tougher, it was only a few weeks ago that they used the magstripe to credit my account here in Belgium.
It doesn’t make a friggin difference when WE have adopted stronger security, if we need to stay compatible with older, less secure, systems … we didn’t win that much.
To the journalists … I hope you sold more paper, cuz that seems to be your only goal today. Congratulations on that too.
In which case am I better off as a citizen :
a) (Part of) my personal information is registered with individual government departments and private companies. The central authority allows (partial) access to a central register for those departments and private companies to verify my identity. Each entity requiring my identification has its own approach to securing my personal information.
b) All my personal information is centralized in a government repository (of whichever kind).
In the former case, I have control over which information is shared with the several entities. Remembering which information was given to which entity would be quite cumbersome. Moreover I would trust each entity to handle my information with due care. Trust hurts.
In the latter scenario, I trust the government to handle my information … trust hurts even more.
With a proper federation technology I would be allowed to control what information can be shared with which entity and I gain centralized control …
I’d go for option b) but what about you ??
“I got a bad case of pwning you …”
We’re spending some time visiting several doctors for one of our kids lately and while waiting for another appointment, something caught my eye. They had completely redesigned the pediatric department and it was looking good but wait … at every door there is a small electronic display … noice … the hospital is going high tech
I walked up to one of the frames, cuz it looked like it had an error message on it. Lo and behold : “wifi network not available.”
uhoh … wifi-enabled photo-frames ?? what were you thinking. But wait, it gets better, at the end of the corridor one of the frames was completely blue, so I walked up to that one and what did I see …
this frame is connected to the server.
this is the email address you can use to send pictures to.
this is your username and password.
my jaw dropped to the floor … this can’t be happening for real. When I got home, I tried the password I wrote down and surely it worked. As the frames were installed only recently, most of them have no pictures uploaded yet but I can upload whatever I want. what about a small porn slideshow in the pediatric waiting area …
That’s only reputational damage however, which computers do you think the doctors and nurses use to modify the pictures on their frames. I could create some malicious pictures and … no, I’ll just give ‘m a call.
A good lesson however is that, even when you do interior design, you should include your security goons in the project. Whoever decided to use an external picture server to serve those frames should be fired.
John, Peter and Frank recently met each other at a security conference and as they seem to get along quite well, they decided to put their noodles into the same bowl and start their own company. There are too many bad security products out there and they KNOW they can do better …
Today, they meet in a bar :
Peter : “Our customers need a product that detects and resolves all possible security flaws in their infrastructure…”
John : “And we are gonna give them that !!”
Frank : “Through our awesome network of resellers.”
Peter : “How?”
Frank : “Cloud.”
John (he’s the marketing guy) : “yeah man, as a service.”
Peter (putting his thumbs behind his suspenders) : “Elastiiiiiiiiic.”
John : “Windows ? Linux ?”
Peter : “both ! and Red Hat too !!”
Frank : “X-platform security… we’re digging gold here.”
John : “We can haz happy customers ?”
Peter : burps (he empties his bottle of Bud Light)
Frank : “I want smiley faces on the website !”
Peter : “Done !”
John : “Duuude …”
Frank : “Sweet !”
Sylvia (she’s behind the bar) : “Hey you geeks, who’s gonna pay that bill.”
Peter : “One … Two … Three!”
They bolt.
And thus ended the story of the security startup that would never be.
Today, cisco.com suffered an outage of sorts and it left a bunch of people puzzled and guessing after the reason why this happened.
(I included a Cisco blog-post here, but was alerted that this blogpost concerned an outage of 2 years ago, apparently Cisco has not officially answered as to the cause of this outage)
When it happened, I did a little detective work. The first thing you try is to see if you can ping the host (www.cisco.com); that didn’t work, obviously. Next came name resolution, not a problem there : www.cisco.com resolved nicely to 198.133.219.25. As a ping doesn’t really tell you anything (most businesses block ICMP on the gateway anyway), I tried to connect to port 80 on the IP address. No luck there either. I followed through with a traceroute and strangely, it bricked after the second hop. Wow !
It took me a little more time to find out 198.133.219.0/24 is part of AS 109, a BGP autonomous system owned and operated by Cisco itself. And as it turns out … the whole AS was out of service, not only cisco.com. If you know BGP, you need much more than one router (or one datacenter) to go down before this happens …
The chance that this all was caused by a “power outage” is small to non-existent …
If I can’t trust you with your own network, why should I trust you with mine ?
Update :
There is a nice thread on the NANOG mailing list
This video nicely shows how AS 109 disappeared from the internet
(thanks @craigbalding )
Cisco’s only somewhat official answer (“the website is being updated”) was mentioned on Theregister.co.uk
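An added triage script (not from the post, and not Cisco’s) that automates the sequence above: resolve the name, probe TCP/80 rather than relying on ICMP, map the address to its announced prefix and origin AS, and probe a few neighbouring addresses in that prefix to tell a single dead server apart from a prefix or AS that has disappeared from the routing table. It assumes the Team Cymru IP-to-ASN DNS service: the TXT answer is fetched beforehand (e.g. `dig -t txt 25.219.133.198.origin.asn.cymru.com`) and passed in, and the constant below is a constructed sample of such an answer.

```python
import ipaddress
import socket
from itertools import islice

# Constructed sample of a Team Cymru origin TXT answer for 198.133.219.25
# (fields: origin AS | announced prefix | country | registry | allocation date).
SAMPLE_CYMRU_TXT = '"109 | 198.133.219.0/24 | US | arin | 1990-01-01"'

def cymru_origin_name(ip):
    """Reverse-octet name to query (TXT) at Team Cymru's IP-to-ASN DNS service."""
    return ".".join(reversed(ip.split("."))) + ".origin.asn.cymru.com"

def parse_cymru_origin(txt):
    """Return (origin ASN, announced prefix) from a Cymru origin TXT answer."""
    fields = [f.strip() for f in txt.strip().strip('"').split("|")]
    asn = int(fields[0].split()[0])  # if several ASNs are listed, keep the first
    return asn, ipaddress.ip_network(fields[1])

def tcp_reachable(ip, port=80, timeout=3.0):
    """True when a TCP handshake completes; ICMP is often filtered, so probe the service port."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def classify(dns_ok, target_up, neighbours_up):
    """First verdict on where the fault lies. neighbours_up holds the reachability of a few
    other addresses in the same announced prefix: if none of them answer either, a single
    dead web server is unlikely and the problem sits at the routing (BGP) level."""
    if not dns_ok:
        return "name resolution failure"
    if target_up:
        return "target reachable"
    if any(neighbours_up):
        return "host-specific outage (rest of the prefix still routed)"
    return "whole prefix/AS unreachable: routing-level problem, not one server"

def triage(host, cymru_txt, resolve=socket.gethostbyname, probe=tcp_reachable):
    """Run the sequence from the post; resolve/probe are injectable so it can run offline."""
    try:
        ip = resolve(host)
    except OSError:
        return classify(False, False, [])
    asn, prefix = parse_cymru_origin(cymru_txt)
    neighbours = [str(a) for a in islice(prefix.hosts(), 4) if str(a) != ip][:3]
    return "AS%d %s: %s" % (asn, prefix, classify(True, probe(ip), [probe(n) for n in neighbours]))
```

With the real resolver and prober, `triage("www.cisco.com", txt)` performs the live checks; the test below injects stubs so it runs offline.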