@jgamblin

Naturally Ebullient. Security Geek At The Capitol. I Learn Everything The Hard Way.

The Most Difficult Question In Security.

I was having a conversation about security today with a good friend, and the subject came up of what the most difficult question in security to answer is.

After a few minutes of back and forth we settled on the following question: 

Who would want to hack us?

This question is nearly always asked with the person asking it implying they aren’t important enough to be hacked.  

As security professionals we mostly do a terrible job at answering this question. Normally we end up answering with something vague like “hackers”.

(Image: This is what a hacker looks like.)

When we answer back with a vague answer like “hackers” we don't make the threat real to the person asking the question. They will care and think about hackers as much as they do the nebulous bad guy who might break into their car and steal their 3 Doors Down CD.

The best way I have found to answer this question is by asking a question back. 

Here are a few questions I always try to ask back when someone asks me who would want to hack us?

Have you ever had an employee leave on bad terms?
Have you ever made a competitor mad?
Is there anyone that would enjoy you having negative publicity?

Everyone can think of an answer to one of these questions and it plants a mental image of someone who would actually want to do their company harm and not a guy with a ski mask.

How do you answer the question: Who would want to hack us?

Swinging For The Fences

I am going to whack the ball over the fence.

That was my four-year-old's response when I reminded him, as I woke him up, that his first T-Ball game was later that day. I love my son, but he spent 80% of his first and only T-Ball practice trying to make the other kids on his team laugh. He is no Jose Abreu.

My first instinct was to tell him:

Logically, the chances of you hitting the ball over the fence are not very realistic; why don't we concentrate on a single and hustling to first base? 

As I sit on his bed getting ready to tell him why he isn't going to hit a home run, he tells me:

I can't wait for my game tonight, it is going to be so much fun!

At that moment my four-year-old reminded me that baseball isn't as much fun if you aren't swinging for the fences. The same can be said about life. I can hit singles and hustle to first all day, but wouldn't it be a lot more fun to swing for the fences?

Even if you don't hit a home run, you might end up on third base talking to your friend.

Security Is Fundamentally A Battle Of Mistakes

This morning I was out running some errands and NPR had an interview with David Sklansky, a poker player who wrote a book called “The Theory Of Poker”, and he said the most important thing to remember about poker is that:

Poker Is Fundamentally A Battle Of Mistakes

That quote stuck with me all day and when I got some time to sit down and Google it tonight I found this amazing excerpt from his book: 

Every time you play a hand differently from the way you would have played it if you could see all your opponents’ cards, they gain; and every time you play your hand the same way you would have played it if you could see all their cards, they lose.

Let's make this about security:

Every time you secure your network differently from the way you would have if you could see all your opponents’ attacks, they gain; and every time you secure your network the same way you would have if you could see all their attacks, they lose.

Poker players spend just as much time at the table thinking about who they are playing as about what they are playing. Security professionals, on the other hand, spend a lot of time and a lot of money trying to prevent attacks that the people attacking their networks won't or can't use. I know small companies who are more worried about APTs than about phishing attacks because they watched a 60 Minutes story about it.

Can you answer these five questions about the people who would likely attack your network:

Who would want to attack my network?
Why are they attacking my network?
What do they want to steal or change?
Is it possible for them to access the information they want to steal?
If I were them how would I try to steal the information?

I think if you can answer those five questions you would be off to a good start on understanding the correct way to secure your network because:

Security Is Fundamentally A Battle Of Mistakes. 

If you’re the smartest person in the room…

I have a mentor who sends me a motivational quote a couple of times a week and today he dropped this on me:

If you’re the smartest person in the room, then you need to find another room.

I have heard that quote before and actually used it in an opening slide of a talk to make a self-deprecating joke. I get the underlying meaning of the quote, but I think few people would actually admit to thinking that they are the smartest person in the room.

So either the person who wrote this quote was an egomaniac or wasn't clear in his writing. Here is what I think he is talking about:

I have an amazing four year old at home who challenges me all the time by asking me questions I don’t know the answer to (Why are bananas yellow?) and asking me questions that make me think about life (Why do we have a house and my friend lives in an apartment?).

To be honest, a lot of the time I turn into this guy:

One thing my son does every day is challenge me to think and learn. So after thinking about that quote for a little bit I responded with this:

If you're in a room with people who don't challenge you, then you need to find another room.

Are you being challenged in your personal and professional life or is it time to find another room?

Malicious Copy and Paste Appending

Earlier today I was reading this article on Rollingstone.com about how FXX plans to show all 552 episodes of The Simpsons this August, and noticed that when I copied anything from the website it appends a link and copyright notice. That got me thinking about what else could be appended to copied text and how bad guys could use it.

So after a little looking around I found this JavaScript that will append text to anything copied. To test my theory out I set up a secondary tumblr account called badcopypaste.tumblr.com and added this JavaScript to the head of the document:

<script type="text/javascript">
// Runs on every copy event: takes the user's selection, appends extra HTML
// to it, places the result in an off-screen div and re-selects that div, so
// the browser copies the appended version instead of what the user selected.
function addLink() {
    var body_element = document.getElementsByTagName('body')[0];
    var selection = window.getSelection();
    var pagelink = "<br></br> du <br></br>"; // change this if you want
    var copytext = selection + pagelink;
    var newdiv = document.createElement('div');
    newdiv.style.position = 'absolute';
    newdiv.style.left = '-99999px';       // keep the div out of view
    body_element.appendChild(newdiv);
    newdiv.innerHTML = copytext;
    selection.selectAllChildren(newdiv);
    window.setTimeout(function() {
        body_element.removeChild(newdiv); // remove the div once the copy is done
    }, 0);
}
document.oncopy = addLink;
</script>

and then published a post containing the command echo $PATH.

When you copy and paste the echo $PATH command in Firefox and Chrome you get this:

echo $PATH

du

If you copy and paste directly into a terminal window you get this:


In the JavaScript I added the harmless du command as an example. You can't see it until you have already pasted it, and it could just as easily have been rm -rf / or a command to scp all your SSH keys to “The Bad Guys™”.

That is why it is always a good idea to paste commands into a text editor first rather than directly into a terminal, and a dumb idea to let JavaScript add information to your clipboard.
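As an added example (not code from the original post), here is the defender's-side check: it converts the appended HTML into the plain text a browser would put on the clipboard, then reports every line beyond the one you can see, since a terminal runs each pasted newline as if you pressed Enter. The helper names and the sample string are my own assumptions.

```javascript
// Added example, not code from the original post.
//  htmlToPastedText(): approximates the plain text a browser copies when the
//    selection contains HTML such as the post's "<br></br> du <br></br>"
//    (each <br> becomes a line break, other tags are dropped).
//  auditClipboardText(): the check to run before pasting into a terminal.
//    A shell executes every line that ends in a newline the moment it is
//    pasted, so anything after the first visible line is a hidden command.

function htmlToPastedText(html) {
  return html
    .replace(/<br\s*\/?>(<\/br>)?/gi, "\n") // <br>, <br/>, <br></br> -> newline
    .replace(/<[^>]+>/g, "");               // strip any remaining tags
}

function auditClipboardText(text) {
  const lines = text.split(/\r?\n/);
  const visible = lines[0].trim();
  const hidden = lines.slice(1).map((l) => l.trim()).filter((l) => l.length > 0);
  const findings = [];
  if (/[\r\n]/.test(text)) {
    findings.push("contains a newline: a terminal would execute on paste");
  }
  for (const cmd of hidden) {
    findings.push("hidden command after the visible line: " + cmd);
  }
  // Zero-width and C0 control characters can also hide content from the eye
  // (tab, LF and CR are excluded here; newlines are reported above).
  if (/[\u0000-\u0008\u000b\u000c\u000e-\u001f\u007f\u200b-\u200f\u2028\u2029\ufeff]/.test(text)) {
    findings.push("contains control or zero-width characters");
  }
  return { visible, hidden, safeToPaste: findings.length === 0, findings };
}

// Constructed sample: the selection "echo $PATH" after the post's oncopy
// handler has appended its pagelink string.
const SAMPLE_COPIED_HTML = "echo $PATH" + "<br></br> du <br></br>";

function demo() {
  const report = auditClipboardText(htmlToPastedText(SAMPLE_COPIED_HTML));
  console.log(JSON.stringify(report, null, 2));
  return report;
}

demo();
```

Pasting into an editor first, as the post recommends, or using a shell with bracketed paste mode enabled (which inserts pasted text without executing it until you press Enter) takes the sting out of the hidden newline.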

How To Be A Security Expert On Twitter

So you want to be a Twitter security expert? I have come up with an easy-to-follow list to make sure you are:

All Cons, All The Time!
If you are not tweeting about flying to, attending, partying at, or flying home from a con at least once a month, you can't be a security expert. Also, try not to mention what you actually do for a living. It removes some of the expert shine.

Be an expert on EVERYTHING.
Heartbleed? Drones? Malaysia Airlines Flight 370? Top Secret NSA Domestic Spying Programs? Windows Patching? Programming? All in your wheelhouse. If you are going to be a Twitter security expert you need to know this stuff. Skimming half a Wikipedia page qualifies you to speak on any subject authoritatively. 

Everything is your business.
A company you own no stock in appoints someone you don't like to their board of directors or as CEO? Good thing you are an expert on EVERYTHING! Time to be really outraged and let everyone know it!

It is all about you!
This is the main rule of being a security expert on Twitter! Every time somebody expresses an opinion with which you disagree, they are doing it to anger you personally. It would be wrong not to take it as a deeply personal insult.

How many followers do you have?
Make sure you have at minimum one bot a week tweet about how many followers, retweets and mentions you have. You need people to know how important and influential you are!

My goodbye letter to Windows XP

Dear Windows XP,

So this is how it feels to be abandoned? That is the question you have to be asking yourself this morning. For the last 4549 days you have been a constant workhorse for PCs around the world, and this morning Microsoft has decided that you are no longer worthy of support.

I remember the first time I met you. I was a 20-something systems admin who was in love with Red Hat 7.1, and I thought you were going to be the end of the enterprise operating system. A few service packs later you were a solid workhorse who did her job without any real complaints.

You have been great to me and my career. I owe you a lot, and until Windows 7 came out you had been what I used and supported nearly every day of my life for 10 years (I am still sorry about that fling I had with Vista in 2007. She was shiny, pretty and had so much promise. I was wrong and glad we can move on.).

I know you will live on in unprepared and underfunded schools, banks and grandparents' systems for the next 10 years, but I am going to miss you. Thanks for all the good memories you gave me and thanks for taking me this far in my career!

Yours Truly,

Jerry Gamblin

"Life’s greatest difficulties always happen right before life’s greatest breakthroughs."

"If you’re tired of starting over, stop giving up."

How To Disable Twitter Photo Tagging

Twitter added a photo tagging feature today and, like Facebook, decided to have the default setting allow anyone to tag you.

For your own safety you should change it to “Do not allow anyone to tag me in photos”.

The steps to do this are easy:

1) Log in to Twitter.com
2) Go to the Settings tab.
3) Go to the Security tab.
4) Under Photo Tagging click “Do not allow anyone to tag me in photos”.
5) Scroll to the bottom of the page and click “Save changes”.
6) Enter your password to save your changes.

The Goonies is my favorite hacking movie.

My favorite conference asked the following question this morning: 

My answer was the noncontroversial WarGames and the controversial The Goonies.

My friend Steve Lord asks the question that inspired this blog post:

Why yes it is. Please let me explain:

Goonies: A group of working class families are being evicted from their houses to make room for an expansion of a country club.


Hacking:


Goonies:

Hacking:

Goonies:

Hacking: Data was the original hardware hacker. Any security conference you attend will have at least one talk by someone hacking non-security-related hardware.

Goonies:

Hacking: The Fratellis are basically a group of blackhat hackers who think they are smarter than they really are and can be easily defeated by a group of teenagers. 


Goonies:

Hacking: The hacking community is basically built on taking a group of socially awkward people and forming tight knit and caring communities.

"If you aren’t training new leaders you are on autopilot and you won’t succeed."

Facebook vs Twitter

Today I had a “Classic Jerry” moment and had a pen explode as I was spinning it around in a meeting.

This was the aftermath:

Afterwards I posted the exact same status to my Facebook and Twitter accounts:
My pen broke while I was spinning it around in a meeting; it ruined my shirt and got ink all over my face.

The reactions couldn’t have been more different.

On Twitter I get made fun of:

and on Facebook I get tips on how to remove the stain:

© @jgamblin