The Coolness of Geek

Apparently, geek is becoming sexy. We've all known that geek was chic [pronounced sheek for those who think I'm saying chick]....but sexy, that's just hot! I think I've been waiting for this since the late seventies:

"The Nerd Girls may not look like your stereotypical pocket-protector-loving misfits—their adviser, Karen Panetta, has a thing for pink heels-but they're part of a growing breed of young women who are claiming the nerd label for themselves. In doing so, they're challenging the notion of what a geek should look like, either by intentionally sexing up their tech personas, or by simply finding no disconnect between their geeky pursuits and more traditionally girly interests such as fashion, makeup and high heels."
Newsweek, "Revenge of the Nerdette", 6/9/2008

As I sit here I get mini flashbacks of typing away on my TRS-80 in elementary school, writing my first snippets of code in BASIC, knowing that in the eyes of the masses I wasn't being cool. Then, in junior high, I graduated to the the Apple II, on which platform I launched my first BBS. Soon after I added multiple phone lines and had sister systems throughout the US. Ahh, the good 'ol days of the lawless wild west, shortly before William Gibson coined the term cyber in his 1982 book, Burning Chrome.

Newsweek Article [link]

-Steve Zenone
###

Equiped to Get the Job Done

I came across an article in USA Today titled, Some employees buy own laptops, phones for work. The article reports that more and more professionals are buying their own electronic equipment to get their work done. This includes equipment like cell phones and even laptops!

Nearly 40% of professionals recently surveyed by researcher In-Stat paid for a laptop that they regularly carried. Cellphone users often picked up their bill. And company-provided personal digital assistants (PDAs), cameras and Global Positioning Systems (GPS) are relatively rare, says the survey, released Monday.

As many organizations start to withdraw spending on materials and equipment, professionals are having to take matters into their own hands and purchase their own equipment. This reminds me of research done by Buckingham and Coffman. Their research paper summarized the twelve key factors in retaining star employees (there's a connection here - question #2 relates to employees having to purchase their own equipment).

In a nutshell, if employees can answer the below questions in the affirmative, then the work environment is probably very strong and productive:

1. Do I know what is expected of me at work?
2. Do I have the materials and equipment I need to do my work right?
3. At work, do I have the opportunity to do what I do best every day?
4. In the last seven days, have I received recognition or praise for good work?
5. Does my supervisor, or someone at work, seem to care about me as a person?
6. Is there someone at work who encourages my development?
7. At work, do my opinions seem to count?
8. Does the mission/purpose of my company make me feel like my work is important?
9. Are my co-workers committed to doing quality work?
10. Do I have a best friend at work?
11. In the last six months, have I talked with someone about my progress?
12. At work, have I had the opportunities to learn and grow?
    

As a manager, the above points are worth reflecting upon.

USA Today Article [link]
###

PCI Security Standards Council Mandates New Vulnerability Scoring

I recently learned that all Approved Scanning Vendors (ASVs) are required to use version 2 of the Common Vulnerability Scoring System (CVSS). Starting July 1, 2008, version 2 will be the new industry standard and all scans will be scored using this system.

Many of the ASVs that I have experience with continue to fail scans based upon false positives. Although PCI DSS requirement 11.3.1 necessitates a network-layer penetration test to be performed at least once a year and after any significant infrastructure upgrade or modification, the automated quarterly vulnerability scans will still show a compliance failure even if the flagged vulnerability is a false positive.

It'll be interesting to see how many merchants will move from compliance status of compliant to non-compliant after July 1.

Opinion: Responses to OpenSSL Vulnerability

As those of you in the IT Security world know, last week there was a serious vulnerability in Debian's/Ubuntu's OpenSSL random number generator [link].

The vulnerability in OpenSSL was announced by the Debian Project on Thursday, May 13th, 2008 [link]. That same day updated OpenSSL packages were released for Debian, Ubuntu and Debian-based distributions [e.g., link]. Shortly thereafter code was being posted to Full Disclosure and other lists to exploit this vulnerability on unpatched systems.

I was very surprised by people's reaction regarding this vulnerability. In particular, there was a noticeable amount of OS bashing; discrediting the affected operating systems. That irony is that majority of this negative publicity came from from other *NIX centric individuals who simply stood back while proudly saying, "look, my superior OS wasn't affected." It's funny that the elitist OS wars of past still continue continue today. It's also entertaining - but that's besides the point. Unfortunately, this type of negative publicity doesn't contribute to building and strengthening the communities that are working so hard to build incredible flavors of their OS of choice. In one way or another, some requiring more creativity than others, the family of *NIX operating systems share a common ancestry [see UNIX family tree image below].

Click on above image to enlarge [image: ZwahlenDesign]
For a more complete timeline, see Eric Levenez's UNIX History [link].

I can imagine Rodney King, while waiving a black flag with a the Linux penguin mascot, now saying, "People, I just want to say, you know, can we all get along? Can we get along?"

I agree, it's too bad that the code that made the latest OpenSSL vulnerability a reality existed. It also highlights the blind trust people generally place into the operating systems that they use. However, what I also clearly see is how the community quickly worked together and released fixes prior to exploit code being widely disseminated. Now, that's awesome! There was no Patch Tuesday to wait for. Rather, the fixes were created, tested, and distributed as soon as possible.

Without a doubt I'm very glad to have moved my desktop OS of choice to Ubuntu two years ago. Sure, I'd be happy with SUSE, Fedora, RedHat, FreeBSD, OpenBSD. I've used them all. However, for reasons that work for me I've settled on Ubuntu ... for now.

Security: Debian and Ubuntu OpenSSL Vulnerability

I won't go into all the details since majority of the security mailing lists and blogs are covering the issue -- however, I'm blogging this as a reminder. The recent Debian/Ubuntu OpenSSL random number generator vulnerability is very serious, especially if you had generated any keys on Debian or Ubuntu systems running vulnerable versions of OpenSSL (e.g., ssh keys, OpenVPN keys, etc).

There's an excellent detailed summary regarding this issue on HD Moore's web site hosted on Metasploit (link below). To quote from the website:

"All SSL and SSH keys generated on Debian-based systems (Ubuntu, Kubuntu, etc) between September 2006 and May 13th, 2008 may be affected. In the case of SSL keys, all generated certificates will be need to recreated and sent off to the Certificate Authority to sign. Any Certificate Authority keys generated on a Debian-based system will need be regenerated and revoked. All system administrators that allow users to access their servers with SSH and public key authentication need to audit those keys to see if any of them were created on a vulnerabile system. Any tools that relied on OpenSSL's PRNG to secure the data they transferred may be vulnerable to an offline attack. Any SSH server that uses a host key generated by a flawed system is subject to traffic decryption and a man-in-the-middle attack would be invisible to the users. This flaw is ugly because even systems that do not use the Debian software need to be audited in case any key is being used that was created on a Debian system."

Per the standard recommendation, patch all vulnerable systems as soon as possible. In addition you will need to generate any keys that were created previously using vulnerable versions of OpenSSL.

HD Moore's Website [link]
Official CERT Advisory [link]

HowTo: Uncomplicated Firewall (ufw) in Ubuntu 8.04

I've recently upgraded several of my systems to Ubuntu 8.04 (Hardy Heron). While poking around, figuring out what has changed since 7.10 (Gutsy Gibbon), I came across the 'ufw' command, which is an acronym for Uncomplicated Firewall.

Personally, on my linux systems I've preferred working with iptables directly. Several years ago I started using 'fwbuilder' to manage my iptables. Nonetheless, I'm still interested in playing around with ufw to see what value it has.

Here's an ifw example using OpenBSD's PF syntax:

• Let's assume I want to allow all ssh traffic (22/tcp) from the 10.10.1.0/24 subnet to my host at IP 10.10.2.10:

sudo ufw allow from 10.10.1.0/24 to 10.10.2.10 port 22

• Is there a single host that's bothering you and you want to block it?

sudo ufw deny from {IP address}

If you're interested in testing ufw, the Ubuntu Unleashed Blog [link] has a useful guide on using the tool. Of course, you can always use the man pages as well [`man ufw`].

BlackHat and DEFCON

It's that time of year again when I start looking at the logistics involved so that I can attend both BlackHat and DEFCON. It's also the time when I start figuring out costs and hope that work will cover them under the training budget...which is an entirely another story!

The two-day training at BlackHat, Enterprise Security from Day 1 to Completion, if I register now will cost $2200 and runs from August 4th to the 5th (all of the trainings look interesting, but I believe the Enterprise Security will give me the forum to answer some questions I have as an IT security professional). Next, there's the BlackHat briefings from August 6th to the 7th for a cost of $1495 - again, this is if I register now. By registering for BlackHat I will be able to get into DEFCON for free. DEFCON runs from August 8th to the 10th.

Next there's the cost of the flight - I'm estimating about $250 roundtrip. Lodging from August 3rd to the 10th will be about $1600...then there's the $320 for food.

Here's the rough breakdown:

Airfare.............$250
Conference Fees....$3695
Lodging............$1600
Meals...............$320
Car Rental (maybe)..$320
========================
Initial Total......$6185

Now it's time for me to get the funding to cover the training expenses this week so that I can register before prices go up.

I look forward to catching up with many of my colleagues, friends, and Security Twits!

UPDATE [5/15/2008]: I've received approval from my management for the training. Now I'm working with purchasing to get the travel request fulfilled.