Monday, December 31, 2012

2012 InfoSec Tweet Awards

Okay, so there are no actual awards. These are just some of my favorite funny, entertaining or thought provoking tweets from 2012. Enjoy!

Best Tweet Inspired by a Song

Best Tweet Inspired by a Book

Best Tweet Inspired by a Tool (Tie)

Best Tweet Inspired by Facebook (Tie)

Best Tweet That Should be on a T-Shirt

Best Tweet About CISSPs

Best Tweet About Programmers

Best Tweet About Noobs

Best Tweet on Education

Best Tweet on How to be a Hacker

Best Tweet on How to Succeed at InfoSec

...and last but not least:

Best Overall Tweet

Well that's it for 2012. Please feel free to share your favorite tweets in the comments below. I wish you and yours a very happy new year!

Friday, November 2, 2012

"Hacking Back" is a Bad Idea

Yesterday at Hacker Halted in Miami, FL, David Willson, an attorney from Titan Info Security Group, presented a talk titled, "Hacking Back In Self-Defense: How Can I Do It Legally?". While not a new subject, there has been a lot of discussion recently about responding to attacks by "hacking back". To a degree this is understandable. Offensive security is fun and the desire for payback is a natural human reaction. With that said, there are several reasons why "hacking back" is not a good idea:

Legal Repercussions - An attack does not grant the victim a license to break the law. By taking an "eye for an eye" you are potentially exposing yourself to the same legal repercussions that the attacker is subject to.

Friendly Fire - Any attacker worth their salt (or who has watched the 1995 movie "Hackers") is not going to attack you from their home with a computer they own (it's "universally stupid"). Attribution is a serious concern.  Even if you can identify the origin of the attack, any retaliation will likely be targeted at an innocent bystander whose machine was compromised.

You're Not That Good - If you have the skills necessary to successfully compromise the attacker, why were these skills not used to identify the issues in your environment? After all, as a defender, this is why your employer gives you a paycheck. Which leads me to my next point...

You Have Better Things To Do - "Hacking back" implies that you have been compromised. Your efforts are better spent executing your incident response plan, reviewing lessons learned and taking steps to ensure that it doesn't happen again.

Escalation - Hypothetically, let’s say you have successfully compromised your attacker. Now what? You are performing a job, but to the attacker it has now become personal. You go home at the end of the day, they do not. "Hacking back" only provides additional motivation for the attacker to redouble their efforts. Even worse, if you truly are the target of real a state sponsored attack, retaliation might spark an international incident which could potentially lead to physical retaliation.

There will always be someone knocking on your door and jiggling the door handles. The best course of action is to appropriately secure your environment and continue to implement effective controls as your company changes and grows. In many cases, if an attacker cannot compromise your systems they will eventually move on to an easier target.

Sunday, September 23, 2012

This Blog is Dead, Long Live This Blog

When I originally started this blog I struggled for a name. After brainstorming over a long weekend I came up with a handful of possibilities. Unfortunately, all were taken. Not finding an industry relevant domain, I decided to look into names that were unrelated to the security industry. I finally settled on a play on my last name. Thus Maske[d] was born.

Skipping ahead to the present, I was recently assisting a family member in setting up their own web site. After logging into my domain registrar I received a notice that a domain I had previously tried to register was now available. In all honesty, I hesitated. Even though I've only posted a handful of times, I feel I've put effort into developing and branding this site. In the end my wife set me straight by pointing out that the new domain was just too good to pass up (much like my twitter handle).

With that said, I am now the proud owner of a shiny new domain, I'm working on a couple of posts that I hope everyone will find interesting. Stay tuned!

DISCLAIMER: I somehow managed to be oblivious of until after I registered Not wanting to step on any toes I reached out to Kevin Riggins to get his opinion. His response was, "No worries whatsoever as far as I'm concerned" and suggested I submit this blog to the Security Bloggers Network.  Thanks Kevin.

*Cross post with Maske[d]

Friday, August 24, 2012

Vote for the Four Horsemen of the Apocalypse

The InfoSec community frequently debates over the value of industry certifications. A frequent point of contention has been (ISC)2, an organization best known for the Certified Information Systems Security Professional (CISSP) certification. The CISSP is thought by many to be a necessary evil in that it is often required to pass through HR gatekeepers but doesn't actually certify real world knowledge or aptitude.

"If we could change ourselves, the tendencies in the world would also change. As a man changes his own nature, so does the attitude of the world change towards him. … We need not wait to see what others do."

--Mahatma Gandhi

Above is the quote that is often reinterpreted as "Be the change you want to see in the world". As a community we need to do this.  Last year the first steps were taken when Wim Remes (@wimremes) pursued and successfully obtained a seat on the (ISC)2 Board of Directors. This year promises to see additional change as "four horsemen of the impending infosec apocalypse" have risen to the challenge of holding (ISC)2 accountable to the security community.

Dave Lewis (@gattaca), Boris Sverdlik (@jadedsecurity), Scot Terban (@krypt3ia) and Chris Nickerson (@indi303/@isc4thepeople) have all declared their intentions to run for the (ISC)2 Board of Directors. They are the new blood (ISC)2 desperately needs. All four are highly regarded not only for their insight and technical prowess but for their dedication and contributions to our industry. None are bashful about standing up for what they believe in and they will undoubtedly continue to do so as board members.

Each person needs 500 endorsements to get on the ballot. If you hold an (ISC)2 certification (any certification) I encourage you to seriously consider these candidates:

  • Endorse Read the petition for Dave Lewis here

  • Endorse Read the petition for Boris Sverdlik here

  • Endorse Read the petition for Scot Terban here (new link)

  • Endorse Read the petition for Chris Nickerson here (new link)

UPDATE 8/24: As Nickerson pointed out in the comments (see below), there is no limit on the number of people you can endorse and this year you can vote for up to four candidates.

UPDATE 8/30: (ISC)2 has stated that webforms are not a valid way to submit endorsements. Please email your endorsements (along with your cert#) to:

  • Dave Lewis

  • Boris Sverdlik

  • Scot Terban

  • Chris Nickerson
     *The email addresses above are intentionally not clickable.

UPDATE 11/16: Voting is now open! (closes on 11/30/12 at 5:00pm EST). If you are an (ISC)2 member you can vote hereDave Lewis may be the only "Horseman" who made it on the ballot but you can still write in the other candidates.

*This post originally appeared on Maske[d]

Wednesday, April 25, 2012

Google Does *Not* Own Your Data

As an information security professional I find that I am acutely aware of attempts by vendors to propagate FUD and the media to sensationalize news. I was fortunate to attend SOURCE Boston last week and after watching Space Rouge's talk, "Media Hype in the Information Security Industry" I feel motivated to not only be aware of misinformation but to point it out as well.

This brings me to Google Drive. With yesterday's release of Google's file syncing service there has been a lot of concern over privacy and intellectual rights. In particular, the media has latched on to the following section of the Google Terms of Service:
When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones.

Most seem to believe this implies that by uploading files to Google Drive you are transferring ownership. This is not the case.  First, it is important to note that these are general terms of service for all Google products and is not specific to Google Drive. Second, this is only part of the "Your Content in our Services" section. The beginning paragraph clearly states:
Some of our Services allow you to submit content. You retain ownership of any intellectual property rights that you hold in that content. In short, what belongs to you stays yours.

It's highly plausible that the offending paragraph is the product of an overzealous lawyer attempting to cover every eventuality for all current and future products and services. It is not entirely inappropriate given the functionality built into Google Drive. For example, when uploading a scanned document Google uses OCR to index the file. The system is effectively reading your document to better make it available to you.

This may or may not make you comfortable using Google Drive. Regardless, I encourage you to read the complete Google Terms of Service so that you can make an educated decision on how much you are willing to share with Google.

*This post originally appeared on Maske[d]

Friday, March 30, 2012

Thoughts on Hackers & Handles

Recently I re-watched the testimony provided by L0pht Heavy Industries to the U.S. Senate on May 19, 1998 (available on YouTube here). As members of the "hacker think tank" were introduced by their aliases it gave me pause to contemplate my own online identity.

Personally, I hesitate to call myself a hacker. There's nothing wrong with the word.  Unlike the media I place no stigma on hackers and hacking.  Penetration Testing is part of my day job but when I think of hackers my mind turns to members of the L0pht and other well known names like Johnny Long, Chris Nickerson, Rob Fuller, David Kennedy and Adrian Crenshaw. I believe myself to be a competent pentester (good enough to make a living and not embarrass myself in conversations with the people mentioned above) but it's unlikely you'll find me discovering 0days or writing new tools or exploits.

I've operated under a number of handles over the years, mostly N∅MAD or TAGG (a name given to me in the early 90's by a dutch hacker... a story for another time). Unfortunately, by the time I finally decided to register a domain all the TLDs for every four and five character combination was long gone. This was equally true when it came to social media.

Currently you can find me on twitter as @ITSecurity. With such a simple name most people assume I was an early adopter. This is not the case. Twitter was launched on July 15, 2006 and I did not create an account for almost three years (Feb 18, 2009). Even then I did not start out as @ITSecurity. Originally my username was @smaske. It wasn't until June 24, 2010, almost four years after Twitter launched that I renamed my account.

I don't recall what prompted me to change my username. Originally I created an account at the behest of my employer and at some point I figured using my given name was, well... boring. Since Twitter names can be changed I thought I'd fall back on handles I've use in the past.

When selecting a username, Twitter automatically checks for availability as you type without the need to press enter. I tried them all:
TAGG ↻ Checking… This username is already taken!
N∅MAD ↻ Checking… Invalid username! Alphanumerics only!
N0MAD ↻ Checking… This username is already taken!
NOMAD ↻ Checking… This username is already taken!

After dozens of combinations I figured I’d try something industry specific:
InfoSecGuy ↻ Checking… This username is already taken!
ITSecurityGuy ↻ Checking… This username is already taken!

ITSecurity… I paused to think of something else to append. "Dude?" No, that’s lame. "Pro?" No, too arrogant.
ITSecurity ↻ Checking… Username is available.

Wait... really? It was too good to pass up. I clicked *Save*

As @ITSecurity, I'm just shy of 1400 followers (spammers & bots are blocked). I'm honestly not sure why people follow me. Perhaps they find my tweets interesting, perhaps it's the username and they assume I know what I'm talking about, perhaps they clicked follow by accident.

Using this account has had undesired results. @ITSecurity seem to be too professional of a username and I find myself occasionally censoring tweets. It also feels pretentious to introduce myself by my twitter handle (a common practice at cons):
"Hi, I'm @ITSecurity." - Ugh.
So, assuming you made it to the end of this blogpost, what do you think? Should I change my username? Is is pretentious? Have I invested too much time in the username to abandon it? I'd greatly appreciate your feedback. Please hit me up on twitter or leave a comment below.

*This post originally appeared on Maske[d]

Monday, February 6, 2012

Inadvertently Social Engineering the TSA

This post chronicles a run in (or lack thereof) with the TSA.
Back in October I finally got around to taking the CISSP exam (stay with me, it’s relevant to the story).  When the results arrived I thought it would be humorous to send an e-mail to my team with an image of a police badge saying that I had passed. After a quick Google search I stumbled upon ePoliceSupply a company that sells legitimate badges to law enforcement officers. The site has a great feature called "Visual Badge" that allows you to see the product with your custom text before ordering.  I quickly put together a mock-up and sent the e-mail.  The gag went over well and escalated with each of us mocking up different badges until our boss directed the team to come to a consensus on the design and order them.

Fast forward a month later.  I’m on my way to ShmooCon waiting in line for a security check at Logan airport.  I go through the motions, empty my pockets, take off my shoes and jacket, remove my laptop and TSA approved bag of liquids, etc.  When it's my turn to be screened I open my mouth to opt-out of the backscatter machine, but before I can say anything I'm waved over to the side.  "Okay", I thought, "I've been randomly selected for a pat down anyway".  This is not what happened.  The TSA agent opened the gate usually reserved for wheelchairs and flight crew, motioned for me to walk through and escorted me to my belongings.

What just happened? I couldn't figure it out.  I hadn't passed through the metal detector or any other type of scanner.  Why were they letting me go?  I didn't wait to ask.  Gathering my belongings I continued to the gate and tried to puzzle through it while waiting for my flight.  Was I just subjected to some previously unknown test?  Did they just want to speed up the line by using a handheld metal detector but forgot to actually "wand" me?

I told the story to a couple of my coworkers and one asked about my badge.  Yes, it was in my carry-on and the bag was being screened at about the same time I was pulled out of line.  We can't know for sure but we surmise that the badge was seen on the x-ray machine and I was mistaken for an air marshal...

DISCLAIMER: At no point have I ever claimed to be a law enforcement officer and I did not in any way knowingly mislead the TSA.

*This post originally appeared on Maske[d]

Tuesday, January 3, 2012

2011: A Personal Introspective

Over the last couple of weeks many bloggers have recapped the top InfoSec news of the past year and put forth their predictions for 2012. There are enough good (and bad) articles out there so rather than chiming in I'm going to take a moment to recap my personal top moments of the year. In no particular order:

New Job – In April I made the decision to put away my luggage and make the transition from a road warrior to an in-house security engineer. It's difficult to convey how much happier I am. It's not just that I am no longer traveling; I find my new position much more stimulating, the people are easier to get along with and I feel I have the opportunity to grow as an InfoSec professional. Not only that, I get to help grow and shape a security program over time instead of issuing my recommendations and leaving.  This has proven to be both frustrating and rewarding.  I had also forgotten how nice it is to sleep in my own bed during the weekdays. It's a luxury I won't soon forget.

Passing the CISSP Exam – I finally got around to taking the exam. Say what you will about the CISSP (I'll be right there beside you) but it is with a great sigh of relief that I can say I've put this milestone behind me. The subject matter wasn't difficult; the hardest part was getting in the right mindset (security management methodology vs. real world experience). I've always been skeptical about (ISC)2 but with the recent election of Wim Remes to the Board of Directors, I have hope that they will bring real value to the community.

Podcasts – This is the first year that I fully embraced listening to InfoSec podcasts on a regular basis. This is mostly due to the discovery of the "Listen" app in the Android market which now allows me to take podcasts on the go. Previously I had listened to shows sporadically from my desk but this was infrequent since I was rarely in the office and it wasn't acceptable to listen to them while at a client. My current subscriptions include (in alphabetical order):
  • Aluc.TV
  • Down the Security Rabbithole
  • Eurotrash Security Podcast: Security with funny accents
  • Exotic Liability
  • InfoSec Daily Podcast
  • Network Security Podcast
  • PaulDotCom Security Weekly
  • Risky Business
  • SecuraBit
  • Social-Engineer.Org PodCast
  • Sophos Podcasts
  • Tenable Network Security
This Blog – Creating a blog has been on my "to do" list for quite some time. Many thoughts and ideas have been set aside only to become old and stale simply because I didn't have some way to express them. It is my hope that I will be able to bring value to the community which has given me so much. Speaking of which....

The InfoSec Community – There is nothing quite like it. Nowhere else have I felt such a sense of comradery than with the InfoSec community. It's amazing how we can go to any city in the world and with a tweet, have dinner with someone we've never met in person but can connect with as if they were a long lost friend. I have met so many people this year. I don't expect them all to remember me but I would like to thank the people below, just for being awesome:

  • Rob Fuller (@mubix)
  • Jack Daniel (@jack_daniel)
  • Josh Abraham (Jabra)
  • Paul Asadoorian (@pauldotcom)
  • Marcus Carey (@threatagent)
  • Jon Cran (@jcran)
  • Jason (@n00bznet)
  • Tim Mugherini (@bug_bear)
  • Stacy Thayer (@stacythayer)
  • Wolfgang Goerlich (@Jwgoerlich)
  • Schuyler Towne (@shoebox)
  • Andy Ellis (@csoandy)
  • Joshua Corman (@joshcorman)
  • Wim Remes (@wimremes)
  • Apneet Jolly (@Jolly)
  • James Baker (@ABCecurity)
  • Martin McKeay (@mckeay)
  • Bill Brenner (@BillBrenner70)
  • Wendy Nather (@451wendy)
  • Nick Owen (@wikidsystems
  • Michelle Klinger (@diami03)
  • Tom Williams (@1_tjw)
  • BoB Rudis (@hrbrmstr)
...and anyone I inevitably missed.
It was a pleasure to meet all of you in person. Thank you again for letting me be a part of the community. I look forward to seeing you again in 2012.

*This post originally appeared on Maske[d]