Thoughts on Haiti, Olympics, and other disasters

Absent those who have gone gaga over the iPad, the top news for the past two weeks has been the earthquake and disaster in Haiti.  The concern, the outpourings of support (and, yes, the malware and phishing sites that have been attempting to capitalize on the crisis) are all reminiscent of the tsunami, Katrina, and other events stretching back in time.

Haiti has been different.  The major factor has been the total breakdown of infrastructure, and the consequent difficulty in getting the help to those who need it most.

Those of us in the security communities are always interested in disasters.  We are forever dealing with crises, both large and small, assessing risks, planning and comparing mitigation strategies, and looking at the management of it all.  So, I recall that, when Katrina struck, there were endless discussions of the latest details, the structures, the organization (and lack thereof) in the followup efforts.  One person made a donation to a charity, and challenged the group to match his gift.  I upped the stakes.  I challenged everyone to get trained for disasters.

Unfortunately for the point I’m trying to make, I am speaking from a position of privilege.  Canada has the best emergency structure in the world.  (Our disaster response team is in Haiti at the moment, and is always one of the first on the ground whenever there is a major incident, anywhere.)  British Columbia has the best emergency response management system in Canada.  (No, I’m not volunteering at the Olympics.  But for the past year, I’ve been working with a group that has been planning for the fact that, with the big event in town, even a minor crisis is probably going to mean that we may have to provide emergency lodging for a few hundred people.)  And the North Shore, where I live, has the best disaster training regime in BC.  (The group lodging thing isn’t done by VANOC: it’s an effort by the ESS volunteers from the North Shore, Vancouver, and Richmond.)

Emergency response, in a major disaster, is not simply a matter of having water, generators, blankets, and rescue dogs.  It has to do with organization, co-ordination, management, and, particularly, trained people.  Most of them volunteers, since nobody can afford to pay for a full-time staff of all those you need to have ready in an emergency.

That’s where you come in.

Get trained.

There is some emergency measures organization that covers your area, regardless of where you live.  Your local municipality probably has an office.  And they probably need volunteers.  And they provide training.

If you volunteer, you will probably get trained.  For free.  (You may also get additional perqs.  I get my flu shots paid for every year, since I’m an emergency worker.)

First of all, you’ll probably get trained on what you need for you and your family.  What do you need to survive the first 72 hours following a disaster?  Do you know how much water, what type of food, etc, you need, in the event of a total failure of utilities and other factors we rely on?

Then there are the skills you need to help other people.  Sometimes this might relate to first aid, or structural assessment of buildings after an earthquake, etc.  However, there are many necessary skills that are not quite so dramatic.  Most emergency response, believe it or not, has to do with paperwork.  Who is safe?  Who needs care?  Do families need to be reunited?  Documentation of all of this is a huge effort, which goes on long after the bottles of water and hot meals have been distributed.

Then there are management skills, to co-ordinate all of the other skills.  An awful lot of “charity” gets wasted because some people get too much help, and others don’t get enough.  Someone needs to oversee the efforts.

Training in all of this is available.  And, in an emergency, having trained people is probably more important than having stockpiles of tents.  Trained people can make or improvise shelter.

Maybe your municipality or county doesn’t have a formal emergency structure.  In that case, there are organizations covering the gap.  In Canada, the government doesn’t do it all.  The Red Cross and Salvation Army are two of the groups that have been working on this for years, and have specialists.  In BC we have courses provided by the Justice Institute in a number of areas.  The provincial government has created a marvelous structure, ensuring consistent organizational layout for all sizes and types of disasters, and all types of response.  But we don’t bother reinventing the wheel.  In our formal training curriculum, a number of the courses are prepared, provided and run by the groups that have been doing it for years, and know it best.  If your government doesn’t have the courses available, go to those who do.  They are around.

(For those who have security related certifications, like the CISSP, ongoing professional education is a requirement.  A constant complaint is that training is expensive, and getting the credits costs too much.  I get all kinds of training related to business continuity and disaster recovery.  I get almost all of it free.)

Get trained.  Volunteer.  You’ll get a wealth of experience that will help you plan for all kinds of events, not just for major disasters, but for the minor incidents that plague us and our companies every day.  You’ll be ready for the big stuff, too.  You’ll be able to keep yourself and those near to you safe.  You’ll be able to make a difference to others, certainly reducing suffering, and possibly saving lives.  If and when something major happens, you will be a part of the infrastructure necessary for the response to be effective.  You’ll be part of the solution, rather than part of the problem.

Microsoft Security Essentials review

What with twenty years experience in reviewing AV software, I figured I’d better try it out.

It’s not altogether terrible.  The fact that it’s free, and from Microsoft (and therefore promoted), might reduce the total level of infections, and that would be a good thing.

But even for free software, and from Microsoft, it’s pretty weird.

When I installed it, I did a “quick” scan.

That ran for over an hour on a machine with a drive that’s got about 70 Gb of material on it, mostly not programs.  At that point I hadn’t found out that you can exclude directories (more on that later), so it found my zoo.  It deleted nine copies of Sircam.

Lemme tell ya ’bout my zoo.  It’s got over 1500 files in it.  There are a lot of duplicate files (hence the nine copies of Sircam), and there are files in there that are not malware.  There are files which have had the executable file extensions changed.  But there are a great number of common, executable, dangerous pieces of malware in there, and the only thing MSE found was nine copies of Sircam.

(Which it deleted.  Without asking.  Personally, for me, that’s annoying.  It means I have to repopulate my zoo from backups.  But for most users, that’s probably a good thing.)

Now, when I went to repopulate my zoo, I, of course, opened the zoo directory with Windows Explorer.  And all kinds of bells and whistles went off.  As soon as I “looked” at the directory, the real-time component of MSE found more than the quick scan did.  That probably means the real-time scanner is fairly decent.  (In my situation it’s annoying, so I turned it off.  MSE is now annoyed at me, and continues to be annoyed, with big red flags on my task bar.)

MSE has four alert levels to categorize what it finds, and you have some options for setting the default actions.  The alert levels are severe (options: “Recommended action,” “Remove,” and “Quarantine”), high (options: “Recommended action,” “Remove,” and “Quarantine”), medium (options: “Recommended action,” “Remove,” “Quarantine,” and “Allow”), and low (options: “Recommended action,” “Remove,” “Quarantine,” and “Allow”).  Initially, everything is set at “Recommended action.”  I turned everything down to the lowest possible settings: I want information, not strip mining.  However, for most people it would seem to be reasonable to keep it at the default action, which seems to be removal for everything.

I don’t know where it puts the quarantined stuff.  It does have a directory at C:\Documents and Settings\All Users\Application Data\Microsoft Security Essentials, but no quarantined material appears to be there.

(I did try to find out more.  It does have help functions.  If you click on the “Help” button, it sends you to this site.  However, if you click on the link to explain the actions and alert levels, it sends you to this site.  If you examine those two URLs, they are different.  If you click on them, you go to the same place.  At that location, you can get some pages that offer you marketing bumpf, or watch a few videos.  There isn’t much help.)

You can exclude specific files and locations.  Personally, I find that extremely useful, and the only reason that I’d continue using MSE.  It does seem to work: I excluded my zoo before I did a full scan, and none of my zoo disappeared when I did the full scan.  However, for most users, the simple existence of that option could signal a loophole.  If I was a blackhat, first thing I’d do is find out how to exclude myself from the scanner.  (There is also an option to exclude certain file types.)

So I did a full scan.  That took over eight hours.  I don’t know exactly how long it took; I finally had to give up and leave it running.  MSE doesn’t report how long it took to do a scan, it only reports what it found.  (I suspect the total run was around ten or eleven hours.  MSE reports that a full scan can take up to an hour.)

While MSE is running it really bogs down the machine.  According to task manager it doesn’t take up much in the way of machine cycles, but the computer sure isn’t responsive while it’s on.

When I came back and found it had finished, the first thing it wanted me to do was send a bunch of suspect files to Microsoft.  The files were all from my email.  On the plus side, the files were all messages that reported suspect malware or Websites, so it’s possible that we could say MSE is doing a good job in scanning files and examining archives.  (On the other hand, every single message was from Sunbelt Software.  This could be coincidence, but it is also a fact that Sunbelt makes competing AV software, and was formerly associated with a company that Microsoft bought in its race to produce AV and anti-spyware components.)

Then I started to go through what Microsoft said it found, in order to determine what I had lost.

The first item on the list was rated severe.  Apparently I had failed to notice six copies of the EICAR test file on my machine.

Excuse me?  The EICAR test file?  A severe threat?  Microsoft, you have got to be kidding.  And the joke is not funny.

The EICAR test file is a test file.  If anyone doesn’t know what it is, read about it at EICAR, or at Wikipedia if you don’t trust EICAR.  It’s harmless.  Yes, a compatible scanner will report it, but only to show that your scanner is, in fact, working.

It shouldn’t delete or quarantine all copies it finds on the machine.
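As an added illustration of the point above (this is example code, not anything from the post or from Microsoft), the following checker applies the recognition rule from the EICAR specification: a test file begins with the published 68-byte string, may be followed only by whitespace (space, tab, LF, CR, Ctrl-Z), and is at most 128 bytes long.  A scanner that matches on this rule can report the hit as proof that it is working, without treating the file as a threat or removing it.  The sample files at the bottom are constructed here for the demonstration.

```python
"""Recognise the EICAR anti-virus test file by the published rule.

Added example (not from the original post). The EICAR file is a harmless,
standardised string that compatible scanners are expected to flag so a
user can confirm the scanner is running. The rule implemented here is the
one in the EICAR specification: the 68-byte string, optionally followed
by whitespace only, total length not exceeding 128 bytes.
"""
from typing import Dict, List

# The 68-byte test string exactly as published by EICAR.
# Note the third character is a capital letter O, not a zero.
EICAR_STRING = (
    b"X5O!P%@AP[4\\PZX54(P^)7CC)7}"
    b"$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
)

# The only bytes the specification allows after the string.
_ALLOWED_TRAILER = frozenset(b" \t\n\r\x1a")
MAX_LENGTH = 128


def is_eicar_test_file(data: bytes) -> bool:
    """Return True only if *data* is an EICAR test file per the specification."""
    if len(data) > MAX_LENGTH:
        return False
    if not data.startswith(EICAR_STRING):
        return False
    trailer = data[len(EICAR_STRING):]
    # Iterating over bytes yields ints, as does the frozenset above.
    return all(b in _ALLOWED_TRAILER for b in trailer)


def report_eicar(files: Dict[str, bytes]) -> List[str]:
    """Return the names of files that are EICAR test files.

    The caller reports these as "scanner is working"; nothing is deleted
    or quarantined, which is the handling the test file is designed for.
    """
    return sorted(name for name, data in files.items() if is_eicar_test_file(data))


# Constructed sample "files" for the demonstration: an in-memory mapping
# of name to content, standing in for a directory on disk.
SAMPLE_FILES = {
    "eicar.com": EICAR_STRING,
    "eicar.txt": EICAR_STRING + b"\r\n",              # allowed trailing whitespace
    "notes.txt": b"This mentions EICAR but is not the test file.\n",
    "padded.bin": EICAR_STRING + b"\x00",             # NUL is not permitted, so not a match
}

if __name__ == "__main__":
    for name in report_eicar(SAMPLE_FILES):
        print(f"{name}: EICAR test file (scanner working; report only)")
```

Only an exact match on the 68-byte string counts: a file that mentions the string in prose, a case-changed copy, or one padded with bytes other than the permitted whitespace is not a test file and should not be reported as one.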

MSE also said it quarantined fifteen messages from my email for having JavaScript shell code.  Unfortunately, it didn’t say what they were, and I wasn’t sure I could get them back.  I don’t know why they were deleted, or what the trigger was.  MSE isn’t too big on reporting details.  I don’t know whether these messages were simply ones that contained some piece of generic JavaScript, and got boosted up to “severe” level.  Given the EICAR test file experience, I’m not inclined to give Microsoft the benefit of the doubt.

After some considerable work, I did find them.  They seemed to be the “suspect” messages that Microsoft wanted.  And when I tried to recover them, I found that MSE had not quarantined them: they were left in place.  So, at the very least, at times MSE lies to you.

(I guess I’d better add my email directory to places for MSE not to scan.)

MSE quarantined some old DOS utilities.  It quarantined a bunch of old virus simulators (the ones that show you screen displays, not actual infectors).  (Called them weird names, too.)

MSE quarantined Gibson Research’s DCOMbob.exe.  This is a tool for making sure that DCOM is disabled on your machine.  Since DCOM was the vector for the Blaster worm (among others), and is really hard to turn off under XP, I find this rather dangerous.

OK, final word is that I can use it.  I’ll want to protect certain areas before I do, but that shouldn’t be too much of a concern for most users.

You might want to make sure Microsoft isn’t reading your email …

Hiring Hackers - as speakers (part 2)

Continuing from Hiring Hackers - as speakers (part 1):

Are those who conduct breaches and intrusions of computer systems important sources of information?

I suppose it seems intuitively obvious that the answer is “yes.”  After all, these are the people who are breaking into the things we want to protect: surely they know how.  However, with a little consideration, the “obvious” answer evaporates.

First of all, in purely logical terms, it is not necessary that those who break into systems know all possible ways to do so.  In practice, it is true that many attacks these days involve multiple vulnerabilities, but logically it is only required that the attacker knows one.  This truism is well known, in slightly different form, in relation to testing and systems development: testing can be used to prove the presence of bugs, but never their absence.  Or, as I frequently point out in relation to system security, the attacker has a much easier job than the defender.  The defender must be correct in every single instance and activity.  The intruder only has to be right once.

Therefore, the interloper has the easier job, and can afford to be lazy.  If they can be lazy, they probably will be lazy: that is human nature.  (After all, a number of people would argue that blackhats have already shown themselves to be morally lazy.)  As the proverb has it, everything is always in the last place you look.  Once you’ve found it, why keep on looking?

(Oh, curiosity, you say?  Well, curiosity is great: it keeps us learning.  But it is hardly the exclusive preserve of those on the wrong side of the law.  In addition, properly identifying, researching, and documenting what you find, in such a way that it will be useful to others, tends to require a lot of boring work, and discipline.)

So, at the very least, we can say that attackers have no advantage in terms of scope and a comprehensive view of vulnerabilities, and may be at a disadvantage.

Do intruders have any advantage in depth of knowledge?  This is almost impossible to answer in any meaningful way, of course.  Individuals vary in knowledge, comprehension, analytic ability, and creative or imaginative thought.  Despite years of attempts to create testing instruments and metrics for cognitive processes, we have only the most general ability to predict a specific person’s accomplishments in the real world.  We do know that ability varies widely, and it would be foolish in the extreme to contend that all whitehats would be as able as any given blackhat.

However, that said, I would suggest that it should be possible to assert that, collectively, security professionals are more knowledgeable than intruders.  This is due to my earlier argument: those people who have had more demands (even sometimes arbitrary demands) placed upon them will have more discipline (and more background) to address the problem.

The argument is sometimes made that we should study “successful” exploits.  The hypothesis here is a bit harder to dissect: after all, a “successful” exploit is simply one that works.  It is true that certain attacks are more effective in a given environment, and that intrusions or infections which work over very large numbers of systems tend to involve a number of factors, not all of them technical.  Historically, though, it seems to be that the most astounding and newsworthy of attacks are as much a surprise to their authors as they are to the rest of us.  It is unlikely, in the extreme, that our adversaries have these events fully planned, or understand all the determinants of an overpowering offensive.

It is a truism that two heads are better than one: this is recognized by fields as diverse as auditing and extreme programming.  This statement is formalized, in the open source community, by Linus’ Law: with sufficiently many eyeballs, all bugs are shallow.  Most systems professionals would recognize that the more people examine a system, the better (in terms of identification of vulnerabilities).  The “Hire a hacker” crowd tends to jump on this in advancing their cause: why not listen to the attackers when they come up with a new exploit?

This, however, is a spurious argument.  There is no choice between listening to an intruder or not knowing about the vulnerability at all.  Once a vulnerability is known, it can be explained by anyone who understands it, and can present it accurately and clearly.

Which brings up a final point.  As I said in the earlier piece, blackhats tend to have more-than-healthy egos.  Yet their opinion of their own prowess is seldom supported by the materials they produce in evidence.  I’ve read a great many “zines” produced by those in that community (and even the occasional book ostensibly written by a reformed or active hacker) and almost never have I found anything worth reading either for the technical content, or in regard to readability.  (Yes, those who have read my book reviews will know that I don’t think highly of all technical books, but sometimes I do find one worth reading.)  And, in fact, reading the books by professional authors who base their text on “as told to” information from those on the dark side gets to be very boring, and repetitive as well.

Writing is a skill, and not everyone can do it well.  Teaching is a skill, and not everyone can do it well.  (Presenting at conferences is a slightly different skill and, as anyone who has ever attended a conference can tell you, not everyone can do it well.)  Both writing and teaching require, as well as certain technical competencies, a feeling and empathy for a large and often ill-defined audience.  Since criminal hackers have clearly demonstrated, by their actions (and continue to demonstrate, in subsequent interviews long after their intrusions, conviction, and even release), a lack of consideration for their victims, it is unlikely that they would make good teachers.

Or conference speakers.

To tinyurl or to tr.im, that is the question …

Dinosaur that I am, it never occurred to me that long URLs were a major problem.  Sure, I’d gotten lots that were broken, particularly after going through Web-based mailing lists.  But you could generally put them back together again with a few mouse clicks.  So what?

So the fact that there were actually sites that would allow you to proactively pre-empt the problem, by shortening the URL, came as a surprise.  What was even more of a surprise was that there were lots of them.  Go ahead.  Do a search on “+shorten +url” and see what you get.  Thousands.

http://bit.ly/
http://tubeurl.com/
http://www.shortenurl.com/index.php
http://urlzoom.org/
http://ayuurl.com/
http://urlsnip.com/
http://url.co.uk/
http://metamark.net/
http://8ez.com/
http://notlong.com/
http://shorten.ws/
http://myurl.si/
http://dwindle.me/
http://nuurl.us/
http://myurlpro.com/
http://2url.org/
http://tiny.cc/

I would not, by the way, advise visiting that last.  .cc is a domain used by those on the dark side.  In fact, I wouldn’t recommend visiting many of those: I have no idea where they came from, except that a search pops them up.  Which is part of the point.

Are URL shorteners a good thing?  Joshua Schachter says no.  Therefore, in opposition, Ben Parr says yes.  There are legitimate points to be made on both sides.  They add complexity to the process.  (Shorteners aren’t shorteners: they are redirectors.)  They make it easier to tweet (and marginally easier to email).  They disguise spam.  Some of the sites give you link use data.  They create another failure point.  They hide the fact that most Twitter users are, in fact, posting exactly the same link as 49,000 other Twitter users.

URL shorteners/redirectors are going to be used: that is a given.  Now that they’re here, they are not going away.  Those of pure heart and altruistic (or, at least, monetary only) motive will provide the services, have reasonable respect for privacy, and add functions such as those providing link use data to the originator (and, possibly, user).  A number of the sites will be set up to install malware on the originator’s machine, to preferentially try to break the Websites identified, to mine and cross-correlate URL and use data, and to redirect users to malicious sites.

If you are going to use them (and you are, I can tell), then choose wisely, grasshopper.  There are lots to choose from.  Choose sites that offer preview capabilities.  If someone doesn’t use the preview options, you can still add them.  http://tinyurl.com/a-short-url-that-expands is the same as http://preview.tinyurl.com/a-short-url-that-expands : you just have to add the “preview.” part.  http://is.gd/ is even easier: just add a hyphen to the end of the shortened URL.  I’m hoping that one of the sites will start checking the database for already existing links, and returning the same “short form”: it’d make it easier to identify all the identical tweets.  (With the increasing use of the sites, it will also ensure that the hash space doesn’t expand too quickly, which would be to the advantage of the shortening sites.)
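The two preview tricks above can be applied mechanically before anyone clicks.  The following is an added example (not code from the post, and not from tinyurl.com or is.gd): it rewrites tinyurl.com links to the preview. host and appends the hyphen to is.gd links, leaves links on other shorteners untouched so you know no preview form is available, and can be run over a whole piece of text such as a tweet.  The URL-matching regular expression and the trailing-punctuation handling are my own assumptions, not anything the services specify.

```python
"""Rewrite shortened URLs into the preview form their services offer.

Added example (not from the original post). The two rewrite rules are
the ones described in the post: tinyurl.com links get a "preview."
host prefix, and is.gd links get a trailing hyphen. Any other host is
returned unchanged so the caller can see that no preview form is known.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Hosts whose preview form is known (from the post). Assumption: the
# bare hostnames are sufficient; no other aliases are handled.
_TINYURL_HOST = "tinyurl.com"
_TINYURL_PREVIEW_HOST = "preview.tinyurl.com"
_ISGD_HOST = "is.gd"


def preview_url(url: str) -> str:
    """Return the preview form of a tinyurl.com or is.gd link, else *url* unchanged."""
    parts = urlsplit(url)
    host = parts.hostname or ""   # hostname is already lower-cased
    path = parts.path

    if host == _TINYURL_HOST:
        # Swap the host; scheme, path and query are kept as they were.
        return urlunsplit(parts._replace(netloc=_TINYURL_PREVIEW_HOST))
    if host == _TINYURL_PREVIEW_HOST:
        return url   # already a preview link
    if host == _ISGD_HOST:
        if path in ("", "/") or path.endswith("-"):
            return url   # the site's front page, or already a preview link
        return urlunsplit(parts._replace(path=path + "-"))
    return url


# Assumption: a URL runs until whitespace or an HTML/quote delimiter;
# punctuation that commonly follows a link in prose is split off again.
_URL_RE = re.compile(r"https?://[^\s<>\"']+")
_TRAILING_PUNCT = ".,;:!?)"


def preview_all(text: str) -> str:
    """Rewrite every tinyurl.com / is.gd link found in *text* into its preview form."""
    def _sub(match: "re.Match") -> str:
        raw = match.group(0)
        core = raw.rstrip(_TRAILING_PUNCT)
        return preview_url(core) + raw[len(core):]
    return _URL_RE.sub(_sub, text)


if __name__ == "__main__":
    # Constructed sample tweet for the demonstration.
    sample = "worth a look: http://tinyurl.com/a-short-url-that-expands and http://is.gd/abc, via http://bit.ly/xyz"
    print(preview_all(sample))
```

A practical way to use this is as a filter on incoming mail or feed text before it reaches the reader: every link that has a known preview form is shown in that form, and any link left in its original form is one whose destination cannot be previewed and deserves more suspicion, not less.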

US Congress PCI hearings

What could be worse: a vague and hastily thrown together mashup of security protections masquerading as a security framework or standard, or having the government get into the act?  Now you don’t have to choose: you can have the worst of both worlds!  Follow the US Congress hearings on PCI!  Or, follow the commentary into the hearings on Twitter (which is fairly random and noisy, but probably makes just as much sense).

If Cane Toads, why not computer viruses?

Those in the Australian state of Queensland are having a cull of cane toads, a pest.  I don’t know whether it would work, but the mass reduction of a pest population is, generally speaking, a good thing.  It may not eliminate the problem once and for all, but a sharp decrease in population is usually better than a constant pressure on a species.

So, is there any way we can get some support going for a mass cull of computer viruses?  Most currently “successful” viruses are related to botnets, and botnets are often used to seed out new viruses.  Viruses are used to distribute other forms of malware.  Doing a number on viruses would really help the information security situation all around.  (I have, for some years, been promoting the idea that corporations, by sponsoring security awareness for the general public, would, in fact, be doing a lot to reduce the level of risk in the computing and networking environment, and therefore improving their own security posture.)

Common sense and separation of systems

Somebody recently asked, on the CISSPforum, for some kind of reference supporting the concept that it was a good idea not to do development or testing on production systems.

I think Mim Britt said it best:

“Separation of test and production environments is one of those things that is such basic common sense that it wouldn’t occur to me to have to point to something that says to do it. The first time you test something on your production network and it breaks something else which breaks something else, etc etc etc is the LAST time they will ask you why it has to be done on a separate network.”

Somebody said we should make that into a sigquote, or blog it.  Mim said she’d be flattered if anyone did.  I think it’s a great idea.

Disasters cost money?

A BBC story notes that a German re-insurance concern has raised the issue of increasing natural disasters, and a possible tie to climate change/global warming.

Now that the money/finance people are getting scared, will we finally do something?

Now that the money/finance people are getting scared, will we finally do something about business continuity and disaster planning?

(Likely answer: nah.)

CSIS Commission on Cybersecurity for the 44th Presidency

The US Center for Strategic and International Studies (CSIS) is a bipartisan, nonprofit organization headquartered in Washington, D.C.  A commission on cybersecurity was formed in 2007 in order to prepare a set of recommendations for the incoming US President.  Unfortunately, the report is rather generic and banal, boiling down to a statement that US cybersecurity is weak, and that the US should be doing pretty much the usual, only better.  This report has been promoted on a number of security mailing lists as an important set of recommendations.  It probably is important to read, if only to get a view of the fairly limited position which may be driving US public policy in the near term.

Cute awareness video (plus other resources)

For those into security awareness:

This security awareness video (on YouTube), made by the infosec people in the state government of the Commonwealth of Virginia, covers some good, basic tips. It’s amusing, and only 13 minutes long. Some of the advice is specific to their security policy, and probably won’t match yours, but at least it’ll get you (or your staff) thinking about some of the issues.

If you want something more, the Virginia Information Technologies Agency (VITA) (state government agency) has an Information Security Awareness Toolkit site with copies of the video (both viewable and downloadable, and with subtitles and without), as well as other links and resources.

Everything new is old again - Intelligent Automation

Wait a minute, I thought automation was supposed to involve some measure of intelligence, kinda by definition?

Oh, but it’s a specialized form of automation.

First we have to go way, way back.  Back to the days of random security technologies, when you had all kinds of different security technologies.  And they all had to be managed.  Separately.

And then, oh joy, someone (either Marcus Ranum or Steve Bellovin, take your pick) invented firewalls!  And we wouldn’t have to manage security anymore!  And there was rejoicing!

Until we figured out that we were going to have to manage the firewalls.

And then someone invented Intrusion Detection Systems!  And there was rejoicing!

Until we figured out that we were going to have to manage the IDS.

And then some marketing department invented IPS.  And by this time, becoming jaded, we were asking questions.  Like, what’s the difference between IDS and IPS.  (Oh, really?  An IPS prevents a packet getting through, rather than just detecting it?  Then what’s the difference between an IPS and a firewall?  Oh, really?  An IPS is more intelligent?  How so?  Well, depends on which marketing department you ask.  That’s what you get for using terms invented by marketing departments …)

But that “intelligent” business seems to have had a bit of magic in it.  We’ve always had network monitoring, of one sort or another.  For a long time we’ve had tools to help us sort through our logs (after all, even IDS is only a form of real-time log analysis).  And people have been trying to sell us all “management” systems, to help with the work of, well, managing all the security bits and pieces.  So why not get a log analysis package, bolt on a few other items (maybe virus scanning or something), and call the whole thing “intelligent”!

Hey, presto!  A new marketing term!

Vulnerability Scanner