2018-07-11

IT (and InfoSec) titles and descriptions are mostly BS



What's in a word?

The following is a true story. Only the names have been changed to protect the guilty.



So this morning (GMT+2) I perused LinkedIn [1] ;) and stumbled upon a few titles and headlines that immediately gave food for thought, not least combined with (some) knowledge of the suspects.

(Disclaimer: There are some genuinely good people using the word salads discussed below, so please be nice to them - or, actually, be nice to everyone).

General offenders

Anyone using the terms innovation or disruption appears to have never done any innovation or disruption themselves, but merely talks about it. If you're copying (or repeating) what others have done you're not innovating, and certainly not disrupting. While we all stand on the shoulders of giants and build on previous knowledge (which we should), there's nothing worse than listening to "Motivational Quotes" from someone you know to be a mediocre developer and/or manager. Just stop it and use your time on becoming a good leader, or whatever else makes you happy.
But that is likely too hard when you've spent your career being a sycophant?

Digitalization: if you're in IT, maybe you should think hard about your career if you missed the digitalization part of IT.

But more about that below.

Other headlines/titles

During the self-flagellation (remember: perusing LinkedIn) I stumbled upon this gem:

"Collaborative strategy enabler by means of IT and Digitalization"

What does this even mean?

IT is needed for digitalization, so that part is redundant, and some (most?) companies have a collaborative strategy [2], but it is likely to differ depending on the organization's business strategy and vision, so how does that ensure you can enable company X's specific strategy?
So basically it means "I'm in IT, maybe a leader"?

Last, but not least

Calling yourself a Rock Star or Thought Leader.....





Who the f... do you think you are, calling yourself a "Cyber Security Architect"?
Well, what's wrong with being a hypocrite! [3]

2018-07-08

How to get above the Security Poverty line


The Security Poverty Line

Failing miserably at communicating the basics of security?
Does everyone else believe the stories told on the vendor floor of RSA/BlackHat/whatever?
Do you feel like no one listens (as depicted by @EFFINBIRDS below)?



Fear no more.

You just need to get above the Security Poverty Line.
And what is that, you may ask?
Well, as with most things in information security this is pretty hard to quantify, but what if we used the CIS Critical Security Controls [4] as a baseline?

Would it be fair to say that if you don't do the Critical Security Controls at a CMMI level of at least 3, then your organization is below the Security Poverty Line?
In order to assess the maturity of your implementation of the 20 Critical Security Controls I find the assessment tools from AuditScripts very useful [1] & [2].

But what do you think?
Is this a valuable way of expressing security maturity?
How do we communicate Security better to management?
Please comment :)


Please note that I have no affiliation with AuditScripts, but just happen to like this free resource from them.

2018-06-23

FileZilla :: Another Supply Chain attack or just bad practices

It appears that FileZilla is serving malicious code with its current bundled installer ("FileZilla_3.29.0_win64-setup_bundled.exe"). Furthermore, the project is trying to downplay the actual issue on the official forum, see:
https://forum.filezilla-project.org/viewtopic.php?f=2&t=48441

The responses from FileZilla on the forum certainly do not provide any assurance, so do NOT use FileZilla install bundles on any system.

Also note that recent builds of Windows 10 ship with both an SSH and an SCP client. Otherwise install the Windows Subsystem for Linux (WSL), or just run your favorite *nix distro on your dev boxes.


2018-04-28

Stupid Never Dies

Information Security in the Seventh Circle of Hell

No, end-users aren't stupid.

Compliance is. InfoSec is. IT is.




The other day Daniel Miessler (@DanielMiessler on Twitter) published this awesome post on asset management: If You're Not Doing Continuous Asset Management You're Not Doing Security.

This is spot on, and something that we really need to invest in to raise the bar for security.

However most of the time this is what is going on:

Compliance:
There is a CMDB ✔ (ignoring that its contents are largely outdated and do not really cover what we actually need to know about the assets)
Here's the "Systems Acceptance" policy that everyone at $company must adhere to ✔ (ignoring that it is neither implemented nor understood by anyone)
You must have a password of at least 8 characters with complexity requirements ✔ (ignoring - or not understanding - that composition rules are REALLY BAD security advice; NIST SP 800-63B recommends length and a breached-password blocklist instead)

Security:
We have installed yet another firewall, thereby minimizing risk ✔ (ignoring that it actually adds complexity, and not really knowing what we were trying to protect and why)
We have had a pentest ✔ (ignoring that it was performed by a pentest puppy mill and is basically just a glorified vulnerability scan)

IT:
We just put out this fire [insert regular incident here] ✔ (ignoring the need to do root cause analysis and understand the impacted service end-to-end).

The solution?

Follow Daniel's advice and start with asset management - it has been at the top of the 20 Critical Security Controls for a very long time, so even Compliance should be able to understand this.
[/RANT]

2018-03-24

GDPR: Everybody panic and run around screaming "Consent & Fines"

As the May 25th deadline approaches, many companies' approach to this looks more and more like a dumpster fire, with project managers, lawyers, and vendors becoming increasingly hysterical.




What could have been a boon to privacy and security seems to have turned into something of an exercise in pointlessness and hiding skeletons in the closet by implementing technology quick-fixes flogged by vendors touting silver bullets.

I hate saying this, but start getting the basics right. If you don't understand what you have you can't ensure privacy or security - implementing even the best controls on shaky ground is just going to add complexity, and potentially decrease the protection of your information (whether PII or just your own intellectual property). Encrypting databases when everyone is local admin on the database servers, everyone has access to all key material, and SQLi is the best-documented means of accessing the data anyway isn't really helping; it's just playing pretend, and that is going to make us all look bad in the end.

[/RANT]

Recommended reading:
https://www.cnil.fr/en/pia-software-updates-beta-version
https://www.peerlyst.com/posts/gdpr-compliance-step-by-step-part-1-the-prerequisites-david-froud
http://www.davidfroud.com/free-resource-the-gdpr-in-plain-english/
https://www.peerlyst.com/posts/the-gdpr-wiki-nicole-lamoureux
https://www.cisecurity.org/cybersecurity-best-practices/
https://www.sans.org/
http://www.pragmaticcso.com/
https://www.itculate.io/2017/06/p2-mapping-microservice-relationships/




2018-03-22

Managing leap-seconds on NTP Servers

On all of your NTP servers it is a good idea to keep track of leap seconds. This is done by using the leap-seconds.list file available from IETF (and others).

Using CRON
Add the following to /etc/ntp.conf: leapfile /var/lib/ntp/leap-seconds.list
Now restart the ntp daemon and run: # ntptime
The current difference between UTC and International Atomic Time (TAI) is 37 seconds (TAI is ahead of UTC by this amount), so the output of the above should contain a line similar to the following:
maximum error 436 us, estimated error 6 us, TAI offset 37
To keep the leap-seconds.list file updated, check for a new version regularly (once a month is enough, as leap seconds are announced about six months ahead and a new file is published well before the current one expires). The file carries an expiry date, and ntpd logs a warning once that date is near or past, so do not let the check lapse. This can be done using the update-leap command and the following cron script; add it to /etc/cron.monthly as e.g. update-leap:

#!/bin/sh
#
# leap-seconds.list file download cron monthly
set -e
# if the leap-seconds file exists, check whether a newer one is available
if [ -f /var/lib/ntp/leap-seconds.list ]; then
    # Log start of checking for updated leap-seconds.list file from IETF.
    # Note that update-leap does not like HTTPS :(
    /usr/bin/logger "checking for updated leap seconds file" -t "leap"
    # Run update-leap, keep only the INFO: line (it throws a lot of garbage at us),
    # strip the "INFO: " prefix and log the rest. stderr is merged into stdout (2>&1)
    # so the INFO line is seen by grep, and the pipeline is not backgrounded, so
    # cron waits for it to finish.
    /usr/bin/update-leap -f /etc/ntp.conf -s http://www.ietf.org/timezones/data/leap-seconds.list -d /var/lib/ntp/leap-seconds.list 2>&1 | grep -i info | sed 's/.*: //' | /usr/bin/logger -t "leap"
fi
exit 0

Then:
#chmod 755 /etc/cron.monthly/update-leap
#touch /var/lib/ntp/leap-seconds.list
The touch command creates an empty file, which is needed for the first run, as the script above does nothing if there is no file present (the "if [ -f /var/lib/ntp/leap-seconds.list ]" test).
Now test-run the script: /etc/cron.monthly/update-leap
and check that it ran, using: # grep -i leap: /var/log/syslog
If this is the first time it runs (with an empty leap-seconds.list file) or there is a newer file, your output should be similar to the following:

Jan 22 21:39:56 ntpserver leap: checking for updated leap seconds file
Jan 22 21:39:57 ntpserver leap: Download of http://www.ietf.org/timezones/data/leap-seconds.list succeeded

If there’s no update to the file, the output should look similar to the following:

Jan 22 19:00:48 ntpserver leap: checking for updated leap seconds file
Jan 22 19:00:48 ntpserver leap: Not time to replace /var/lib/ntp/leap-seconds.list

Please note that the ntp daemon checks daily for updates to the leapfile, so there is no need to restart it after updating the file.
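As an added example (not code from the original post or from the ntp distribution), the following Python script parses a leap-seconds.list file, reports the TAI-UTC offset in effect at a given time, and flags the file as expired once its "#@" date has passed, which is the failure mode the monthly job above exists to prevent. The sample file embedded in it is constructed: an abridged header and a subset of the real entries (the transition times and offsets shown are the real ones). The "#h" SHA-1 line of the real file is not verified here.

```python
"""Parse an NTP leap-seconds.list file, report TAI-UTC, and detect expiry.

Added example, not part of the original post or of the ntp distribution.
The sample below is constructed: the header is abridged and the entries
are a subset of the real list (the transition times and offsets are real).
"""
from datetime import datetime, timezone

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_UNIX_DELTA = 2208988800

# Constructed sample in the same layout as the real leap-seconds.list:
#   "#$" = last update time, "#@" = expiry time (both in NTP seconds),
#   data lines = "<NTP seconds of transition> <TAI-UTC after it> # comment".
SAMPLE_LEAP_SECONDS_LIST = """\
#  Abridged sample for testing; not the real file.
#$	3724358400
#@	3739132800
2272060800	10	# 1 Jan 1972
2287785600	11	# 1 Jul 1972
3345062400	33	# 1 Jan 2006
3439756800	34	# 1 Jan 2009
3550089600	35	# 1 Jul 2012
3644697600	36	# 1 Jul 2015
3692217600	37	# 1 Jan 2017
"""


def parse_leap_seconds_list(text):
    """Return {'updated': ntp_secs, 'expires': ntp_secs, 'entries': [(ntp_secs, tai_utc), ...]}."""
    updated = expires = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#$"):
            updated = int(line[2:].split()[0])
        elif line.startswith("#@"):
            expires = int(line[2:].split()[0])
        elif line.startswith("#"):
            # Plain comment, or the "#h" SHA-1 line (not verified in this example).
            continue
        else:
            fields = line.split()
            if len(fields) < 2:
                raise ValueError("malformed data line: %r" % raw)
            entries.append((int(fields[0]), int(fields[1])))
    if expires is None or not entries:
        raise ValueError("missing expiry line or leap second entries")
    return {"updated": updated, "expires": expires, "entries": sorted(entries)}


def tai_offset_at(table, unix_time):
    """TAI-UTC in effect at unix_time, or None before the first entry (1972)."""
    ntp_time = unix_time + NTP_UNIX_DELTA
    offset = None
    for transition, tai_utc in table["entries"]:
        if transition > ntp_time:
            break
        offset = tai_utc
    return offset


def is_expired(table, unix_time):
    """True once the file's '#@' expiry time has passed (ntpd then warns in syslog)."""
    return unix_time + NTP_UNIX_DELTA >= table["expires"]


def days_until_expiry(table, unix_time):
    """Whole days left before expiry, rounded down (negative once expired)."""
    return (table["expires"] - (unix_time + NTP_UNIX_DELTA)) // 86400


def report(table, unix_time):
    """One-line status suitable for piping to logger(1)."""
    expires = datetime.fromtimestamp(table["expires"] - NTP_UNIX_DELTA, timezone.utc)
    state = "EXPIRED" if is_expired(table, unix_time) else "valid"
    return "leap-seconds.list %s (expires %s, %d days), TAI offset %s" % (
        state, expires.strftime("%Y-%m-%d"),
        days_until_expiry(table, unix_time), tai_offset_at(table, unix_time))


if __name__ == "__main__":
    import sys
    import time
    # With a path argument, check a real file (e.g. /var/lib/ntp/leap-seconds.list);
    # without one, run against the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_LEAP_SECONDS_LIST
    print(report(parse_leap_seconds_list(text), time.time()))
```

Run it from the same cron job (or a Nagios/Icinga check) against /var/lib/ntp/leap-seconds.list and alert when the state is EXPIRED or the day count drops below a month; that catches a broken download long before ntpd's own warning turns into an unannounced leap second.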
In order not to overwhelm the IETF server with requests for the leap-seconds.list file, copy the file to a central location on-site and let the NTP servers fetch it from there. Something like:
Cron job on central server:

.
.
/usr/bin/update-leap -f /etc/ntp.conf -s http://www.ietf.org/timezones/data/leap-seconds.list -d /var/www/ntp/leap-seconds.list 2>&1 | grep -i info | sed 's/.*: //' | /usr/bin/logger -t "leap"
.
.

Cron job on NTP servers (note that the destination is the path named by leapfile in /etc/ntp.conf, not the web server directory):

.
.
/usr/bin/update-leap -f /etc/ntp.conf -s http://internalwebserver/ntp/leap-seconds.list -d /var/lib/ntp/leap-seconds.list 2>&1 | grep -i info | sed 's/.*: //' | /usr/bin/logger -t "leap"
.
.

The above works for the reference implementation of NTP (http://www.ntp.org/), if you’re running ntpsec, use ntpleapfetch instead, and adjust the logging output to match.
And before you ask, I hate leap seconds almost as much as DST 😊

Using systemd timers

Update 2019-07-18: Go to https://github.com/martinboller/update-leap for a script to install NTP and update-leap.

Instead of good ol’ CRON, on systemd based systems, you can do the following.
Add the update-leap script as /usr/local/bin/update-leap, then create a service file and a timer file.
Please note that systemd timers do not like the cleanup and redirection, so remove that, so your script looks like this:
#!/bin/sh
#
# leap-seconds.list file download, run monthly by update-leap.timer
set -e
# if the leap-seconds file exists, check whether a newer one is available
if [ -f /var/lib/ntp/leap-seconds.list ]; then
    # Log start of checking for updated leap-seconds.list file from IETF.
    # Note that update-leap does not like HTTPS :(
    /usr/bin/logger "checking for updated leap seconds file" -t "update-leap"
    # Run update-leap; its output ends up in the journal via the service unit
    /usr/bin/update-leap -f /etc/ntp.conf -s http://www.ietf.org/timezones/data/leap-seconds.list -d /var/lib/ntp/leap-seconds.list
fi
exit 0


Service File
The service (as well as the timer file) location depends on the distro: units shipped by packages live in /lib/systemd/system/ on Debian (/usr/lib/systemd/system on Arch), but units you add yourself belong in /etc/systemd/system/, which takes precedence over the packaged directory and is not touched by package upgrades. The files directly under /etc/systemd/ (system.conf, journald.conf and so on) are systemd's own configuration, so do not put unit files there.
update-leap.service
# service file running update-leap
# triggered by update-leap.timer
[Unit]
Description=service file running update-leap
Documentation=man:update-leap
[Service]
# The script runs to completion and exits, so it is a oneshot service
Type=oneshot
ExecStart=/usr/local/bin/update-leap

Timer File
The timer file, goes in the same directory as the service file above.
update-leap.timer
# runs update-leap monthly.
[Unit]
Description=Monthly job to check for updated leap-seconds.list file
Documentation=man:update-leap
[Timer]
# Don't run for the first 15 minutes after boot
OnBootSec=15min
# Run monthly
OnCalendar=monthly
# Catch up on a run that was missed because the machine was off at the time
Persistent=true
# Specify service
Unit=update-leap.service
[Install]
WantedBy=timers.target

Configuring the timer to run
For timers you do not enable the service, but the timer.
As root:
# systemctl enable update-leap.timer
# systemctl start update-leap.timer
To make sure everything works, you can start the service manually:
# systemctl start update-leap.service
Then check syslog (or journalctl -u update-leap.service) for update-leap entries as discussed above.

Note: This post first appeared on peerlyst

References:
http://www.ntp.org/
https://www.eecis.udel.edu/~mills/leap.html
http://tycho.usno.navy.mil/leapsec.html
https://hpiers.obspm.fr/iers/bul/bulc/bulletinc.dat (no leap second for June 2018)
https://developers.google.com/time/smear (Interesting approach to handling the leap-second at Google)
https://www.ntpsec.org