A quick note about Stratfor "sources"..

Why is it people think ~everything~ has to be spelled out to be
exposed? There seems to be a large population that believes that
Stratfor's various sources, collaborators, etc. will be spelled out in
email and that will be that. That's a gross oversimplification of how
sources get exposed, their awareness, complicity or lack thereof, etc.
Agencies and organizations all over the world will not only be looking
at email addresses and names but they'll be checking their logs to see
who has been talking to these newly exposed email addresses. They'll
be doing basic OSINT to find area codes and check if there is some
correlation between suspect subversives and long-distance calls.
Harvesting Skype information or nyms, etc. That's not even
addressing the contents of the emails, just the bloody headers. So it
annoys me, the hypocrisy, when people FREAK OUT (rightly so) about
Blue Coats in Syria but are a-OK with Anon/Anti/Lulz perhaps
indirectly exposing Syrian activists by providing a whos-who of who
they might be passing information to on the outside. Anyhow, just a
quick rant... -Ali
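The header-only exposure described above, as an added example that is not part of the original post: it takes a constructed set of leaked header blocks (fictional addresses and domains), builds the who-talks-to-whom graph and a per-sender timezone hint from the headers alone, then intersects the exposed address set with constructed delivery-log lines in a simplified format of my own, the way a provider or a state operator with its own logs could. The log format, the `campus.example` domain and every name in it are assumptions.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample of leaked header blocks. Bodies are deliberately absent:
# the point is what headers alone give away. All addresses are fictional.
LEAKED_HEADERS = [
    "From: Analyst One <analyst1@example.net>\n"
    "To: contact.a@example.org\n"
    "Cc: desk@example.net\n"
    "Date: Tue, 15 Nov 2011 09:12:00 +0200\n"
    "Subject: re: weekly\n",
    "From: contact.a@example.org\n"
    "To: Analyst One <analyst1@example.net>\n"
    "Date: Tue, 15 Nov 2011 11:40:00 +0200\n"
    "Subject: re: weekly\n",
    "From: Analyst Two <analyst2@example.net>\n"
    "To: source.b@example.com, contact.a@example.org\n"
    "Date: Wed, 16 Nov 2011 18:05:00 -0500\n"
    "Subject: intro\n",
]

# Constructed delivery-log lines in a simplified "<ts> from=<a> to=<b>" form
# (an assumption, not a real MTA log format), standing in for the logs a
# provider or state operator already holds about its own users.
MAIL_LOG = """\
2011-11-14T07:02:11Z from=student.x@campus.example to=contact.a@example.org
2011-11-14T07:03:40Z from=contact.a@example.org to=student.x@campus.example
2011-11-15T21:11:09Z from=student.y@campus.example to=friend@example.com
2011-11-16T23:30:02Z from=source.b@example.com to=student.x@campus.example
2011-11-17T04:17:55Z from=student.z@campus.example to=desk@example.net
"""

ADDRESS_HEADERS = ("from", "to", "cc", "reply-to")
LOG_RE = re.compile(r"^(?P<ts>\S+) from=(?P<src>\S+) to=(?P<dst>\S+)$")


def addresses_in(raw_headers):
    """All lower-cased addresses in the address headers of one message."""
    msg = message_from_string(raw_headers)
    values = []
    for name in ADDRESS_HEADERS:
        values.extend(msg.get_all(name, []))
    return {addr.lower() for _, addr in getaddresses(values) if addr}


def exposed_addresses(header_blocks):
    """Every address that appears anywhere in the leaked headers."""
    return set().union(*(addresses_in(raw) for raw in header_blocks))


def contact_graph(header_blocks):
    """Map each address to the addresses that shared a message with it."""
    graph = defaultdict(set)
    for raw in header_blocks:
        addrs = addresses_in(raw)
        for a in addrs:
            graph[a].update(addrs - {a})
    return dict(graph)


def sender_utc_offsets(header_blocks):
    """Map each sender to the UTC offsets (hours) seen in their Date headers:
    a coarse location hint that needs no message body at all."""
    offsets = defaultdict(set)
    for raw in header_blocks:
        msg = message_from_string(raw)
        senders = {a.lower() for _, a in getaddresses(msg.get_all("from", [])) if a}
        date = msg.get("date")
        if not senders or not date:
            continue
        off = parsedate_to_datetime(date).utcoffset()
        if off is None:  # "-0000" means "no usable zone"; skip it
            continue
        for s in senders:
            offsets[s].add(off.total_seconds() / 3600)
    return dict(offsets)


def parse_log(text):
    """Parse log lines into (timestamp, sender, recipient) tuples."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            records.append((m["ts"], m["src"].lower(), m["dst"].lower()))
    return records


def correlate(exposed, records, local_domain):
    """For each local user, count messages exchanged with exposed addresses.
    Direction is ignored: receiving from an exposed address counts too."""
    hits = defaultdict(lambda: defaultdict(int))
    suffix = "@" + local_domain
    for _ts, src, dst in records:
        for local, remote in ((src, dst), (dst, src)):
            if local.endswith(suffix) and remote in exposed:
                hits[local][remote] += 1
    return {user: dict(counts) for user, counts in hits.items()}


if __name__ == "__main__":
    exposed = exposed_addresses(LEAKED_HEADERS)
    print("exposed:", sorted(exposed))
    print("graph:", contact_graph(LEAKED_HEADERS))
    print("offsets:", sender_utc_offsets(LEAKED_HEADERS))
    print("local users in contact:", correlate(exposed, parse_log(MAIL_LOG), "campus.example"))
```

Note that `student.x@campus.example` surfaces from two directions (mail sent to and received from exposed addresses) and `student.y`, who only wrote to an address absent from the dump, never appears; nothing in the exercise touched a message body.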

#InfoSec: Homer Simpson or George Washington?

Take your pick of great strategic thinkers: George Washington, Carl
von Clausewitz, Garry Kasparov, Lord Nelson, Napoleon Bonaparte, Sun
Tzu, Herman Kahn, etc. Now, sit them at a table and have them look
over reams of InfoSec incident responses. Assuming you’ve accomplished
this time and culture travel they’ll already be well familiar with
Homer Simpson and, if we’re lucky, they’ll compare us favorably to
Homer’s professional accomplishments.

Mmmm… more blinky lights…

I find it’s useful to consider three contemporary fields in particular
when pondering InfoSec strategies and our future: Defense, Economics,
and Healthcare. And all three fields have grasped nonlinear
preventative and swarm tactics in a way InfoSec would be wise to
consider. And, like InfoSec, all three also have their snake oil
salesmen and demons to satiate.

Recently Meredith Patterson (@maradydd) tweeted about an opinion piece
in The New York Times (1) on Healthcare:

“If high touch medicine offers additional monitoring and services, how
can it save money? Arnold Milstein, now a Stanford professor,
identified physician groups that were above average in quality but
treated patients for 15 to 20 percent less money than average.

How did they do it? By preventing emergency room visits and subsequent
hospitalizations.”

I’d argue this approach is missing almost entirely in Enterprise
Security plans. Conceptually everybody talks about preventative care
(e.g. configuration/patch management, security life-cycles) and rapid
incident response. However, we discharge the patient as soon as
possible with a new gizmo hanging somewhere and pat ourselves on the
back. Only to be revisited by misery a short time later to do the
InfoSec triage over again.

Organizations need to invest in strategic long-term care of their
assets. Every response should be pervasive and prompt a re-examination
on existing architectures, controls, training, etc. Don’t scoff, it’s
really not that difficult. Your team has likely considered every
nuance in their minds more than once. Actually addressing them isn’t
as intensive each subsequent time. And, like the study (2) The New
York Times opinion piece covered, you’re going to see a cost savings
and quality improvement across your Enterprise.

When I broach this topic I usually get a range of responses but they
all circle one issue: Nobody cares about the long-term because they
won’t be there. That’s not frequently true, it simply can’t be,
because professionals need to have an accomplished and tangible record
to move on in the first place. And usually a significant body of work
to progress your career. Such a body of comprehensive and responsible
work, as I suggest above, would produce more data and metrics. It also
gives your colleagues and team more confidence in your leadership
abilities and in the respect you have for their body of work. There is
nothing an InfoSec professional hates more than to see their hard work
squandered.

Do you want your team to look at you as a Homer Simpson or a Lord Nelson?

(1) http://opinionator.blogs.nytimes.com/2011/11/16/saving-by-the-bundle/
(2) http://content.healthaffairs.org/content/28/5/1317.abstract

Homer Simpson is awesome and is © 20th Century Fox

The Tin-foil Turban: The CIA & Hezbollah

The news today is that Hezbollah's June claims of uncovering numerous CIA
agents in its ranks, Lebanon, Libya, Iran, Syria, etc. are being
confirmed by "unnamed" sources among some half-named sources. And this
is making plenty of news in the US today but what of Iran? Why didn't
Iran capitalize on this more in June and since? Basically because Iran
doesn't think this was a significant victory if a victory at all.

It would seem at least some Iranians believe the US used "idiots"
intentionally to take Hezbollah and others off of the "true"
operational pathways. This is somewhat curious to me because it really
attributes a degree of strategic forethought to the US leadership. At
the same time many of these same people have berated the US for the
levels of stupidity in not understanding the Egyptian Spring, Afghan
tribal politics, or Iraq. Had anybody in this circle been tied to say,
a captured American "hiker", then it would have been a completely
different (and victorious) story. While I read and listened to the
back-and-forth in this particular chatroom two things occurred to me:

- Iranian armchair geopoliticians have their conspiracies
diametrically opposed to one another

- The Iranian "grip" on the Internet and media is more effective than I thought

It's the latter point that was more bothersome to me. Indeed it does
appear that many people inside of Iran who were familiar with tools
like Tor actually do believe, and repeat emphatically, that various
sources of software inside of Iran include countermeasures and
poisoned versions of various anonymity and anti-censorship tools. This
had come up on one of the Tor lists fairly recently and when pressed
for sample or details, nothing came of it. I also dismissed it. Now
I'm seeing/hearing it from people that should know better and again,
when pressed, they are afraid to get involved or provide evidence. And
simultaneously they had a degree of faith in this video/voice/text
chatroom? However, this time I'm having a harder time dismissing the
initial claim entirely.

Anyhow, random rambling musings of the evening. Cheers, -Ali

Adventures in #Movember and #Racism

Anybody who knows me also knows that I have ridiculously thick and
fast growing facial hair. I've kept it a manageable goatee for most of
my life but every November I participate in Movember events. This year
I tried a different style of facial hair known as either "The Mexican"
or "Fu Manchu".

http://lockerz.com/s/155222904

My first mention of this was online via Twitter and the response was
mild and supportive. And that ended the positive reception. In the few
days since I've lost count of how many "friends" and professionals
have commented that I look "Mexican" and I should get rid of it. More
than once I was told it's "unprofessional" and, again, "it looks
Mexican"..

So I decided to ask somebody I trust from a Fortune 100 company if
this facial hair would really be a deciding factor for a position. An
excerpt of the conversation quoted to the best of my memory a few
hours later:

Him: "Yeah, of course, it looks low-class and hoodlum."

Me: "Are you talking customer-facing or just generally?"

Him: "It doesn't matter, it wouldn't go over well with
upper-management. I just wouldn't hire the person."

Me: "Even me?"

Him: "*pause* Well, I guess not, I know you though. That's not a good
comparison."

I'm honestly more than a bit taken aback. I get dressing
professionally and being clean. I understand pretty people do better.
If this happens to a professional man for facial hair that wasn't, in
my opinion, unusual.. then what the heck do women go through?!
*boggles* -Ali

#SecBiz -- Who will be InfoSec's Pariah?

More so in the past three months than I remember at any time since the
'great cryptography wars' of the 90s, InfoSec has become overrun with
Fear, Uncertainty, and Doubt (FUD). Marketing pitches have somehow
moved beyond guarantees of protection against APTs straight into
Dragon Tear Mace. We're on the verge of bottoming-out and
reconstructing our collective industry souls. The next three years
will be exciting times for our industry.

And the first major breakthrough will be finding our pariahs.

Every major movement has a pariah moment that, whether remembered or
not, changes the approach of The People radically and quickly. In
environmental activism it came from Bjorn Lomborg ("The Skeptical
Environmentalist") and in military projection/geopolitics it came from
Thomas P.M. Barnett ("The Pentagon's New Map"). You can endlessly
debate the staying power and nuances of the messages but the bottom
line is that the ~way~ people thought about problems changed
significantly w/ Lomborg and Barnett.

You may not remember it well but take a good look through Google News,
LexisNexis, and Factiva. You'll notice the same, roughly, three-year
cycle whereby a small vocal group of "thought leaders" responded that
Lomborg and Barnett were idiots, naive, or liars. Then it slowly crept
into The Economist, NY Times, WSJ, etc. And finally, while
simultaneously dismissing their contributions, people started sounding
more-and-more like Lomborg and Barnett. In Lomborg's case it went so
far as institutional character assassination later rebuked/reversed by
larger Government investigations.

I think it beneficial to concentrate on Lomborg for the moment. In
particular these three books which he wrote or edited:

The Skeptical Environmentalist (2001)
Solutions to the World's Biggest Problems (2007)
Global Crises, Global Solutions (2009)

Specifics on each book's details or proposed solutions are not the key
takeaway. The key takeaway was that Lomborg and contributing authors
proposed using resource and fiscal economics balanced against
measurable metrics of human well-being as the basis for ~all~ big
decisions.

OK, so a bunch of you are going: "I do that! This is old news! Pfft,
tell me something I don't know!"..

Yeah, you're probably right. I'd wager most of my Twitter friends
actually think similarly to this already. And have for quite some
time. However, the InfoSec Industry as a whole does not. And we need a
voice or a few voices to totally shatter the "thought leaders" of
yesterday. Of today even. Who decided who these so-called thought
leaders are? Where was this committee convened? Consider for a moment
that encryption, courtesy of Bruce Schneier, is still quite frequently
considered the end-all of security. It's been nearly two decades since
"Applied Cryptography" and even Schneier can't shake this Ghost of
Security.

Here is the good news… great news actually. Lomborg and Barnett had to
come from the proverbial left field to make their impact. Our change
is evolving internally due to a pervasive awareness of bigger issues
(e.g. environmentalism and geopolitics) by practitioners in InfoSec.
Our pariahs are already in place but not well recognized outside of
our community. (I'm going to avoid naming names, unless asked
directly, simply because it'd be unfair of me to singularly nominate
some people.)

So here is what I'm proposing..

Take the community models that have driven InfoSec's greatest changes
of the past decade. In particular a fairly new entry into the
community, PTES (Penetration Testing Execution Standard), and base an
outreach program on that model. An informal to semi-formalized
committee of peer reviewing open Wiki publishing InfoSec practice
ideals. Things that can translate to Congressional Hearings, DoD
Acquisition Guidelines, Insurance Riders, Mainstream Media, etc. etc.
Explicitly not built upon an existing certification or standards
group. Not ISC, not Jericho, not SANS, nobody.. something more organic
and peer driven.

A group like this can take public perception and discussion in a
better direction than either Anti-virus or new-fangled Anti-Dragon
Tear's APT Conan Swords. A group like this can hold enough weight to
temper the FUD of a few whoring repetitive messages in the press. CNN,
Christian Science Monitor, Fox, etc. need a more balanced message? We
got it. Congress needs more reasonable perspective? We got it.

Yes? Can't this be done in a community driven, organic, and
professional way? I do indeed believe so!

So who wants to put their name in the hat as a prospective Pariah? It'll
be the most fulfilling skewering you ever get. -Ali

#BSides around Tampa/St. Pete.. #BSidesTampaBay or #BSidesBeerSides??

Just thinking out-loud and have not contacted the BSides people (as
required) per their very clear and helpful instructions. It came up
today because a group I've worked with was offering up conference
space and telling me stories of small-ish conferences they host w/
Busch Gardens trips on the side. And immediately #BSidesBeerSides
imprinted on my brain. However, I can think of many places better than
Busch Gardens to take speakers and attendees but having that family
friendly option is always good. Rambling, -Ali

Hrmm. Let's say #OpCartel was a bad hoax. Still.... err.. this can't be good..

A lot of people reacted the same way when the news came out that Los
Zetas had (unknowingly?) released the Anonymous captive they had, then
actually knew they had, and Anonymous (again) called off #OpCartel.
Which might be on again.

You'd be forgiven for getting mixed up and I'm confident I still am.
Oh yeah, so a lot of people went..... Say what?! Los Zetas released
somebody alive?!

(UPDATE: Meanwhile The Grey Lady updates their coverage at
http://www.nytimes.com/2011/11/05/world/americas/in-mexico-facts-blur-as-onli...
..)

So I decided to do some digging because some discussions on IRC
indicated Los Zetas actually has released prisoners in the past and
participated in swaps. However, I can find nothing to corroborate this
in the tsunami of Los Zetas news. Quite simply, the only people being
released by Los Zetas alive seem to be the upwards of three hundred
prisoners broken out of Mexican prisons w/ the help (alleged) of Los
Zetas. In news between 2008 and mid-2011, and looking across multiple
cartels and operations across Latin America, there seems to be no
reason to believe Gulf, Sinaloa, La Familia, New Republic, Beltran
Leyva, etc. (much less Los Zetas) made a habit of releasing much of
anybody alive. There does appear to be affiliated kidnap and ransom
releases further down into South America but I'm not seeing much tied
to the numerous Mexican drug cartels.

So here is my thought now... is this a lose-lose-lose for Anonymous
regardless? Even if they release nothing and back off #OpCartel
completely the coverage of this issue has been insane.

If you go to news.google.com and select "past hour" you'll notice the
Spanish-language sources alone were in the 600 - 1200 range. A majority
of that is syndicated distribution of sorts but regardless, it's a
huge amount of very loud coverage. The question becomes, when it comes
to drug cartels, is there no such thing as bad press? And as this is a
compelling storyline for many, does Los Zetas have something to gain
by continuing it in a traditional fashion w/ Anonymous?

What I'm saying is... I'm not sure Anonymous and Barrett Brown can
just walk away from #OpCartel even if they want to. They might be
done-and-done but Los Zetas sets the rules and the pace in this
engagement.

I have said elsewhere and before that organizations like Los Zetas
operate more like Nation States in African war-torn regions than
anything most are familiar with. That's my longtime perception
although I won't claim any expertise. The thing about that is though,
you don't touch Nation States unless you're one. It's part of the club
rules. You can kick and scream and moan (e.g. WikiLeaks) but you just
don't touch.

I think this story gets a lot louder before it goes away. Cheers, -Ali

#EntSec pt. II -- Accepting Exceptional Mediocrity

In the opening barrage
(https://www.infosecisland.com/blogview/17677-EntSec-Not-Business-Relevant.html),
I suggested the greatest sin of security professionals is not using
their skills to produce better product for the Enterprise. Both
internal and customer deliverable product. My second point, and the
topic of this post, was stated as "Security needs to provide product,
service, and visibility to the core business" and in retrospect that
was possibly the worst way of saying "Security needs to be a selling
point for all products and services"..

Now that we've decided we're going to engage our skill set through
side-channels to help our Enterprise deliver better product, increase
our business relevance, and integrate ourselves into the development
lifecycle we're going to ~market~ our new-found Enterprise Religion to
the outside world. Marketing and Engineering won't like this, I can
almost promise that. However, when those same exact people are
customers elsewhere they fall prey to market-speak about security like
the infamous 'Military-grade encryption' gambit. So it's time we take
back our own marketing and talk about security and privacy as we
expect our own family members and professional counterparts to
practice it.

I don't know a better way of expressing this than through hypothetical
examples...

Let's say you're Zerocks and rolling out a new multi-function
copier/printer/fax/bagel toaster. Don't be afraid to talk about how
you've integrated security into the development lifecycle. Right on
the one/two page PDF put information on where they can find out about
your privacy policy for support, your security contacts for reports
and questions, your downloads for security errata. Just like the total
page lifecycle and failure rates are stated, make sure your security
message and availability is provided. You work 24/7, monitor your
email, stay up hoping not to see your company name on Pastebin.. let
them know exactly how hard you work for their security. Everyone is
going to suffer escapes, and just like technical incident response,
it's how you communicate and make yourself available to customers that
defines how they'll react to you in the future.

Now you've moved on to Jawbohn and you've created a new-fangled
bluetooth enabled health recording device. What's the security model?
How do you wipe the device? Is your on-line portal for syncing to say,
Nyke, tested regularly for vulnerabilities? All of this needs to be
clearly documented, turned into standard work, and integrated into the
marketing and support workflows across the Enterprise.

Insist on it. Insist.

I'd go so far as saying if you're interviewing for new employment talk
about these ideas and see how receptive a new employer is to raising
the visibility of their Enterprise Security department.

If you get pushback, approach it from the same perspective that
Engineers would for an Industrial product. Have you increased fuel
efficiency? Interval between regular maintenance? Etc.

In reality you've done exactly those type of improvements through your
integrated security lifecycle and participation discussed in the prior
post. Start, with humility, to take credit for it and communicate it
pervasively. This stuff matters to customers, it really does. Now, I
know that Sony and others have seemingly gotten away with massive
escapes, but that tide has shifted. It may not have reflected in stock
prices yet, but if you wait until it does, you've waited too long. It
can be a competitive advantage now and, in particular, with the key
tech and privacy savvy influencers of families, Universities, and
classmates. Respect of a brand can carry with someone through decades.
It's my belief that if you influence through Enterprise Security that
you will attract a better breed of customer and customer loyalty. This
is a worthy selling point and worth marketing. And you still don't
have to shave or put on shoes to do it.

We need a bigger piece of the proverbial pie, we simply must have it
(1), and I hope you agree that my rambling musings can help you slowly
get a bigger cut for your Enterprise Security department.

Cheers, -Ali


(1) Daniel Geer and Peter Kuper:
http://geer.tinho.net/ieee/ieee.sp.geer.1109.pdf

#EntSec -- Not Business Relevant

When Rafal Los (@Wh1t3Rabbit) asked people to describe Enterprise
Security in three words I took the humor approach with selections like
"Complete Cluster Fsck" and "Advanced Persistent Marketing". Rafal was
kind enough to post a running document with all suggestions for
reference at http://t.co/iqWlkudO and a blog post at
http://bolt.thexfil.es/3sqzj. Now, I was being quite cynical in my
responses but I do have very serious and strong feelings about this
topic.

Enterprise Security is Not Business Relevant. Now, that's quite the
inflammatory statement but unless your business is security then it's
true in practice today. Before the flaming begins let me start by
saying I believe firmly it ~IS~ business critical but I want to make
it actually _relevant_. I'm going to briefly explore what this means
to me:

- Security needs to produce better product
- Security needs to provide product, service, and visibility to the
core business
- Security needs to instill trust and good faith amongst employees and customers
- Security needs to be a competitive advantage

I'm going to talk about the first point in this post; Security needs
to produce better product.

I'm not talking about Security vendors here, I'm talking about
Enterprise Security departments within industrials, banks,
pharmaceuticals, etc. Security and privacy offer all stages of the
product lifecycle lessons, expertise, and benefits not immediately
thought of by most internal customers. Some examples:

- Security Engineering frequently identifies bugs and
incompatibilities that present themselves in non-traditional or
internationalized use-cases. Or with popular but untested software and
up-and-coming standards. I've yet to see a security oriented code
review that didn't improve the tightness, readability, documentation,
etc. of code. Or that didn't also improve stability and compatibility
in some aspect or another.

- Techniques used by security professionals can be used to improve the
performance and stability of almost any production environment. We
look at things through the lens of DTrace or Packet Captures in a way
most people do not. Working alongside developers and systems
administrators in this way can yield, once again, better development
and product.

- Security professionals can instill in your staff better overall
intellectual property protections by also making the privacy and
security of the end-user product better. When devops consider the
end-user privacy in the context of their own then they will also
further that practice with enterprise data. (This parallels what I've
referred to as 'Security through undoing Facebook' which I will
re-visit in another post.)

- Security professionals have almost endless bandwidth for
understanding innovation. This is somewhat vague and arrogant but I
truly believe it from what I've seen over the past fifteen years.
Security professionals can "get" almost anything you're trying to do
and brainstorm and critique with the best of people. It's not
something that is taught, I just believe it's something that also
draws people to the security field.

Taking these examples and trying to put them into practice and play is
non-trivial in most environments. There are institutional barriers,
egos (our own included), hours in a day, etc. that all get in the way.
However, it's critical that Security becomes more ingrained in the
production of product and thus business relevant if we ever want to
get the funding, respect, and eventually rest we all desire.

How do I suggest you do this? Well, my first and most important step
would be to actually ~DO~ it. Seriously.. start with the developers
and see if they have a bug system you can peruse, check out a copy of
their code, submit a patch. Work with them in an agile environment.
That's effectively your road-show to the developers. Just get in the
muck and pain with them without prejudice or reservation. Don't
differentiate yourself in any way except the output. Comments,
patches, etc. You might have to learn new APIs or languages even but
it's about bleeding with them for their blood in return. Secondly
provide unsolicited observations of the end-product in well written,
visualized if possible, and non-judgmental ways. Over a decade ago I
first did this with a few page analysis of the core daemon for a
software product. I provided information based on profiling, disk IO,
network traffic, etc. that was all of interest to me in building a
security model BUT I didn't say any of that. I just provided it to
them in the numerous contexts of improving their product performance,
lessening infrastructure dependencies, and improving stability. By the
time they got done appreciating and implementing all that I only had a
minimal number of "security" issues to address and they were more than
happy to oblige. This lesson stuck with me ever since and it's been
endlessly valuable. And finally you evangelize and take pride in your
company's products and services. We're a cynical bunch but we can be
fanboys too. Try it sometime and those who fund you and you need to
influence will appreciate it. It's not social engineering exactly..
well.. OK, so it is in a sense but you'll be happier for it I wager.

That's the short of it for now. I will build on this basis in future
posts and appreciate any feedback. Cheers, -Ali

Jimmy the InfoSec Bartender: Is the MBA mightier than the Burp?

Recently on LinkedIn and Twitter, Rafal Los (@Wh1t3Rabbit) of HP was
hashing out the qualifications of a CISO/CSO. Should they be business
or technically backed?

To consider this properly a little historical context is in order.
Consider where business was ten and twenty years ago? I affectionately
call it the Jack Welch era. Where is business today? More agile,
adapting to niche markets, passionate individualism, engaged directly
with the customers, distributed worldwide by default, etc. How
different is that from the GE model of the 1990s? According to Fortune
and others, it's as night and day as you get. However, when you talk
to business insiders - and I've been fortunate (unfortunate?) to have
spent a lot of hours with some big Fortune 100 C-levels - they say
it's evolutionary and they re-tool and adapt regularly. So no panic
there.

Now, consider IT over that same period... and you'll notice agile,
niche, passionate individualism, engaged directly w/ end-users,
distributed by default, etc. That sounds familiar, does it not?
However, we can't retool completely because systems have to keep
business running 24/7/365 and our customers don't see the
architectural rot that we do. So we have layers of hugely disparate
systems that linger for decades. A bit of panic.

What also has happened is that ~casual~ life expectations have aligned
themselves across ALL industries in such a way that we're all our own
C-levels. Things like personal finance and taxes have moved upward and
things like "manufacturing" (aka DIY) have moved down-ladder. Likewise
families and communities have become distributed geographically
through the Internet while simultaneously insular on the neighborhood
level. So, tying this all together, we now have a generation of Open
Source and Open Community Citizen Engineers led by early frontrunners
Linus Torvalds and Larry Wall that looks remarkably like the business
play-books of the Fortune 100. The Soccer Mom management edict of
communities put on steroids dealing with bigger egos, language
barriers, and the eyes of everyone. Our OS/OC Citizen Engineers have
created their own Six Sigmas and are rocking industry after industry
through trial-by-fire growth.

This is not to say that business professionals and C-levels don't have
massive amounts of expertise and perspective that everybody else does
not. They most certainly do. However, we can now relate to business
people in a way we could not a decade or two ago. Likewise in other
industries (e.g. Medical, Legal, ..) we have the same commoditization
to the Citizen of the basic underpinnings. As I'm sure we're all
aware, this trend has potentially catastrophic downsides too but
that's for another debate.

OK, ~NOW~ consider Security over the same timeframes and there is one
notable difference. There. Is. No. Baseline. As an industry we're
still selling snake oil and have huge differences of opinion with
about the same market result (e.g. hacked, stock doesn't budge). The
rules of engagement that have made it down to the end-user are so
ridiculously primitive that if we were Doctors our version of WebMD
would say "have an Apple and an Aspirin" for ~every~ ailment.

Back to the first paragraph.. it's because of that, because of the
organic nature and relative immaturity of our field, that I feel
strongly that you can't teach a CSO/CISO the ~S~ on the job. They have
to have already lived and breathed that for the past decade to have even a
fighting chance of being the C-level over the Anarchist mass of
Security Professionals. When the baseline customer is used to posting
the most intimate details of their lives and passwords, and installing AV
and patching is all they know otherwise.. well.. you're screwed at
that starting gate. If "Turing Complete" triggers a visit to Expedia,
you might as well pack up your data and leave it in the mall parking
lot.

I guess a rude way of saying it would be that you can't teach insanely
dangerous intellectual curiosity. We haz it. Sorry for the random
rant, just thinking out-loud, Cheers, -Ali