New platform – now with more “s”

I moved my blog over to wordpress.com after I realized how ancient my server was getting. It was cost effective & ran quick as hell because it was an old Dell GX620 desktop with only 512MB of RAM running CentOS minimal, free WordPress, & Duo for 2FA. The issue was that many things were outdated & unsupported on that platform. Remembering to apply the updates that were available was getting to be a challenge, and I wanted to move over to a TLS connection, which was going to require a lot more research on how to host it locally & get a cert.

So I figured this was an ok replacement for now. While it’s a bit more in cost for the hosting & such, it’s not terrible compared to the electricity being lost as heat that was being generated by the super old desktop. Hopefully I’ll update this more often now too.

New house, new security system

I recently moved to a new house (August) and decided that I was going to have a security system to replace the antiquated ADT system the previous owners had installed. I started looking around & decided that there were 3 that provided what I was looking for in a system: Nest, Ring, and Simplisafe. There were a couple others I looked at, but they didn’t offer things I was looking for like a glass-break sensor, doorbell camera, or a panic button.

That led me to look into the 3 options I mentioned previously. I’ll start with the drawbacks for all three, then the benefits for all three & why I settled on what I did and the issues I ended up having with it.

The Nest is well known and I already had the thermostat & the smoke detector so adding the other parts would have been an easy choice, but their parts are almost universally more expensive than the other two. Also their subscription package was the highest cost year by year. The Ring system seemed to be a bit cheaper on price but they don’t offer the option of a key fob to let you into the house without having to run to the keypad. Neither of these two offered a glass-break sensor or a panic button. Simplisafe was the cheaper cost for hardware but it currently doesn’t have an outdoor camera (they are working on it) and their subscription is nearly as expensive as Nest. They were higher on price for the extra siren if you wanted to go with that, but Nest doesn’t offer one. Nest also charges each year if you want cellular back-up, and its motion sensor is in the door sensor, which could be a benefit for some, but read about my issue below & it’ll explain why it wasn’t great for me.

Each did have a number of benefits if I was to choose them. All 3 offered a doorbell and indoor cam, monitoring, and door/window sensors. Simplisafe’s price on most items was the biggest benefit and covered the most check boxes I was looking for in the hardware area. Ring was the cheapest overall for the monitoring & what parts I could get total and it allowed a battery powered camera which means no drilling into brick to put the camera up. Nest would have integrated with the items I already had and also had the outdoor camera I want.

I ended up going with the Simplisafe system based on a few friends who have it & say they have no issues, that it was easy to set up and that it was hassle free. I haven’t had a perfect or hassle-free install yet and I still want to be able to have the outdoor camera so I hope they release that soon. My issues are not only with the installation but also with the fact that their marketing department took an idea and ran with it without fact checking anything.

  • The sensors are very easy to set up using a “command-strip” style double-sided tape but the sticky part does not stick very well, even after you clean & dry the surface you want to stick them to beforehand. I replaced a number of them with 3M Command strips.
  • The motion sensors are supposed to be “pet friendly” and are even identified on the site with the text of “We precision-engineered our motion sensors to detect the unique heat signature of humans. Not pets.” This is not true & apparent marketing B.S. After a few emails to them asking why my motion sensor was tripped by my two less-than-35-pound puggles (resulting in a call from the monitoring company less than 5 mins from when I left home), it turns out they recommend that if you have pets larger than 30 lbs, or pets that may get close to the sensor (it’s heat-based IR), you mount the sensor upside down at around 4′ off the ground. This way it will catch someone walking through but not the dogs. I decided to put both motion sensors in the basement & order some new window sensors for the areas that the dogs would be.
  • The doorbell installation was pretty easy, but as soon as I connected the doorbell to my system, the mechanical chime started ringing constantly and causing the dogs to go crazy. Another call from tech support and they shipped out a “chime connector” which appears to be some sort of resistor that you put inline with the power going to your chime. This stopped the constant ringing and allowed me to finish the setup for this item.
  • The WiFi for both of the cameras is a little flaky and can result in a “not found” message for them when they try to record or you try to view them live. I will be contacting the support team about this in the future.
  • The indoor camera is set to record any time the system is armed or disarmed so that’s a little odd. I am unable to find a setting that would allow me to turn it off anywhere in the app or the site.
  • I am unable to find anywhere to set a profile other than Off/Home/Away. I would like the option of adding a profile where I could be home, open the doors upstairs, etc. but if someone were to come in the basement, the motion detectors would trip.

All in all I’m satisfied with my purchase and so far with the settings. I have set it and used it for a couple weeks and it doesn’t make me feel like I live in a prison but it does allow for a small bit of comfort against break-ins even if I do live in a lower crime area.

What are your thoughts? Did you have other things I should have considered?

Credit vs Debit cards

This post is probably going to be mostly questions as I know little about the payment card industry, but here goes.

I was going through the drive-thru at a fast food establishment the other day and I was thinking about what card to give them. I have read the stories about how credit cards are “safer” than debit cards because any lost money through fraudulent use is the credit card company’s issue. You don’t really have to do much of anything other than report it, they reverse the charges and they worry about tracking down what happened.

Debit cards on the other hand, you do have a dog in the fight. From the same stories it says that you are sometimes liable for up to $500 if you don’t report it in the first two days. Well if you’re not paranoid and checking your bank online every day it’s easy to go over that line. Plus if you lost the money in the account, you may bounce things while waiting for it to be returned.

This brings me to the question about chip & pin. So let’s say the geniuses in DC decide they are going to force chip & pin because it will limit fraud, save time, etc. Great idea right? What will the consumers say? We’ve all heard the stories about people being upset that they have to remember passwords for however many different accounts. Now add a different pin to every credit card they own. At what point will they say “enough is enough” and ditch them?

They already have to use a pin to get money out of the ATM though so what about putting a chip in those cards & starting chip & pin that way? Would that even be an option? I would assume that the start-up cost to upgrade all the ATMs along with all the swipe pay terminals would be huge. The question would be: Would consumers be willing to upgrade to a chip & pin system if it meant they were no longer liable for the money fraudulently taken from their debit account?

No idea, just throwing it out there. Though my guess is no, they’ll just complain.

Moving & Technology

So something I hadn’t thought about when moving until today was the lack of technology. Of course I’ll still have my phone but I’m moving on Saturday and I will be without internet for a week at my house. I will obviously live but it got me thinking. A lot of us rely on technology to do our day-to-day tasks like pay bills, chat with friends, look up directions, or just find a good restaurant. Many of these tasks have been transferred to our phone but there are things that are just easier when you have a keyboard.

Typing this blog entry would have taken forever on a phone, or I could let google/siri/whathaveyou try to translate my speech. Either way it is much easier to type out my thoughts and surf on a cable connection than a phone connection.

All in all it’s not the end of the world. I’ll be back online on Saturday the 22nd, and the blog will be down for a week. No big deal.

First working python code!

OK, so I decided I would write a temp converter for my first python program. It took me a few tries but it’s running now. It’s probably not the best way to code it, and I don’t have error handling in it but it runs!

Next steps:

  • Throw in an if statement for anything below absolute zero to return a message and exit
  • Return comment in response to an if statement for appropriate clothing to wear at the temperature entered
  • Error handling

If you have ideas of easy things to code for me to practice please let me know. I’ve already got one idea of a countdown to a specific day for a former coworker’s retirement so I may work on that this weekend too.

Code: http://pastebin.com/ZAtqqbab
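The pastebin link above is the post’s own code. As an added example that is not that code, here is one way the three “next steps” could look in Python: a converter that refuses readings below absolute zero, returns a clothing suggestion, and handles bad input without crashing. The function names, the input format (a number followed by C or F) and the clothing thresholds are this example’s own choices.

```python
"""Temperature converter with input validation.

Added example, not the pastebin code the post links to. It implements the
post's listed next steps: an absolute-zero check, a clothing suggestion
based on the temperature entered, and error handling for bad input.
Scale letters, message wording and clothing thresholds are the example's
own choices.
"""

# Absolute zero expressed in each supported scale; nothing colder exists.
ABSOLUTE_ZERO = {"C": -273.15, "F": -459.67}


def convert(value, scale):
    """Convert `value` from `scale` ('C' or 'F') to the other scale.

    Raises ValueError for an unknown scale or a reading below absolute zero.
    """
    scale = scale.upper()
    if scale not in ABSOLUTE_ZERO:
        raise ValueError(f"unknown scale {scale!r}; use C or F")
    if value < ABSOLUTE_ZERO[scale]:
        raise ValueError(
            f"{value} {scale} is below absolute zero ({ABSOLUTE_ZERO[scale]} {scale})"
        )
    if scale == "C":
        return value * 9 / 5 + 32
    return (value - 32) * 5 / 9


def clothing_advice(celsius):
    """Return a clothing suggestion for a Celsius temperature (thresholds are arbitrary)."""
    if celsius < 0:
        return "heavy coat, hat and gloves"
    if celsius < 15:
        return "jacket or sweater"
    if celsius < 25:
        return "long sleeves"
    return "shorts and a t-shirt"


def parse_reading(text):
    """Parse input such as '72F' or '-40 c' into (value, scale).

    Raises ValueError for anything that is not a number followed by C or F.
    """
    text = text.strip().upper().replace(" ", "")
    if len(text) < 2 or text[-1] not in ABSOLUTE_ZERO:
        raise ValueError(f"expected a number followed by C or F, got {text!r}")
    try:
        value = float(text[:-1])
    except ValueError:
        raise ValueError(f"{text[:-1]!r} is not a number") from None
    return value, text[-1]


def describe(text):
    """Parse, convert and advise; returns a message and never raises on bad input."""
    try:
        value, scale = parse_reading(text)
        converted = convert(value, scale)
    except ValueError as exc:
        return f"error: {exc}"
    celsius = value if scale == "C" else converted
    target = "F" if scale == "C" else "C"
    return f"{value:g} {scale} = {converted:.1f} {target}; wear {clothing_advice(celsius)}"


if __name__ == "__main__":
    # Constructed sample inputs, including an impossible reading and garbage.
    for sample in ("72F", "-40 c", "-500F", "hot"):
        print(describe(sample))
```

Keeping the parsing, the physics check and the advice in separate functions is what makes each step testable on its own; `describe` is the only place that turns an exception into a message for the user.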

THOTCon & Bsides Chicago

Well I’ve had a few days to recover from the awesomeness that is the Chicago Con Weekend. This year I was able to ride/stay with a friend from GrrCon who was attending with some coworkers, meaning the base for operations was in the city. This proved to be good for location but only average for room quality.

Friday morning we headed to THOTCon for networking, beer, food, talks, and just all-around awesomeness. Although I didn’t see all the talks I wanted, or the people I wanted to meet, I was able to catch the keynote, Ben Ten’s “Creating A Powerful User Defense Against Attackers”, James Arlen’s “The Message and The Messenger”, “Cyberwar” with Josh Corman & Jericho, PhreakingGeek’s “Y U No Sanitize bro?” and David Schwartzberg’s “Fun with Exploit Kits for Tech Support”. You can find the information (but no recordings) at www.thotcon.org.

Most of the talks I was able to see were good (the ones that weren’t don’t read my blog anyway). The information presented was relevant, and the speakers held their own on stage. James’ talk about presenting will help when I speak at GrrCon later this year, but I think the Cyberwar talk was by far my favorite. So much information was condensed into an hour talk it was hard to take it all in. What I did like was the discussion about the audience being a “cyber militia”. You do have to wonder if we all had to “fight” online, how many casualties would there be?

Saturday morning had us on the way to Bsides Chicago. This was set to be my first CTF experience and I wasn’t sure what to expect. I brought pretty much every piece of electronics I own with me and the weight of it tore my backpack. Learning how a CTF works and banging my head against the wall for most of the day was ironic when Nicolle Neulist’s talk about how to start with a CTF was at the end of the day 🙂

The CTF itself was not only brain-draining but a lot of fun! The challenges were set out in groups based on easy/hard/etc. When you get so close to solving one without knowing exactly what they are looking for, it can be frustrating, but seeing the points go up on the board makes it worth it. I was able to capture 8 flags total in what I feel was a respectable showing for a first-timer!

The THOTCon after-party was in downtown and had good food and drinks as well as DualCore on the mic for a short period. More people were met, more hands shaken, and more networking all the people!

All-in-all it was a great weekend and I’m glad I was able to see/make friends and most importantly learn a lot! Looking forward to Source Conference Dublin in a few weeks so I will see some of you again soon!

DLP and Business Needs

Well it’s been a while and I wanted to write an entry about something that I’ve been dealing with lately. Data Leak Prevention or DLP.

Most non-IT people know about DLP only when the IT organization contacts them to let them know they did something they shouldn’t have. For those of us that have to deal with the policies, the alerts, and sending those notices, it can be more complicated. You start with crafting the policies based on corporate standards, other organization requests, and maybe some good ideas. The alerts start coming through, and you take action where appropriate.

The issues start to happen when something triggers an alert-only policy and you notify the appropriate group, and they ask “well why was this not blocked?”. You begin to describe what policies monitor items versus the ones that block. You try to explain that you can’t block everything, the business still needs to get work done! An example of this is where you block a Word document from being sent from the company. Someone takes that document, scans it to create a .tif file and sends that out. The other organizations that don’t understand the technology will expect that file to be blocked as well…”Well it’s the same document!” Other issues can arise if someone is authorized to use USB devices, but you’re expected to block them from taking specific data that you’re notified about after the fact.

Like other security solutions, the promise of “Data Leak Prevention” is not perfect. The business expects DLP to work flawlessly and as those of us in the infosec community know, there is always a way around any restriction. Implementing DLP requires someone who understands the business needs to set up the policies and tweak them as appropriate. It also requires someone to monitor the alerts and either send a notification, escalate as appropriate, or update policies to catch something that was not getting the visibility it should. What can be the most difficult is trying to translate this process to business customers who tell us what they want to see or know about.
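To make the monitor-versus-block distinction concrete, here is an added example (not code from this post or from any DLP product) of a toy policy evaluator run over a few constructed egress events. It shows the same payroll page leaving once as a Word document and once as a scanned .tif: the text rule blocks the first and never sees the second, because content inspection only has the text it can extract. Policy names, regexes, channels and events are all made up for the example.

```python
"""Toy DLP policy engine: monitor-only vs blocking rules.

Added example, not code from this post or from any DLP product. It models
the distinction the post draws between policies that only alert and
policies that block, and shows why a text-matching rule that stops a Word
document says nothing about a scanned .tif of the same page: content
inspection only sees text the engine can extract, and an image yields none.
Policy names, regexes, channels and sample events are all constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class Policy:
    name: str
    pattern: str                      # regex run against extracted text
    action: str                       # "block" or "alert"
    channels: frozenset = frozenset({"email", "web", "usb"})


@dataclass
class Event:
    channel: str                      # egress channel: email / web / usb
    filename: str
    extracted_text: str               # text inspection could read; "" for an image


# Constructed policies. SSNs leaving by email or web are blocked; the same
# data on USB is alert-only because USB is authorized for some users (the
# post's "notified about after the fact" case). A project codename is
# monitor-only on every channel.
POLICIES = [
    Policy("ssn-outbound", r"\b\d{3}-\d{2}-\d{4}\b", "block", frozenset({"email", "web"})),
    Policy("ssn-removable-media", r"\b\d{3}-\d{2}-\d{4}\b", "alert", frozenset({"usb"})),
    Policy("project-codename", r"\bproject[ -]?orion\b", "alert"),
]


def evaluate(event, policies=POLICIES):
    """Return (decision, matched_policy_names) for one egress event.

    decision is "blocked" if any matching policy blocks on this channel,
    "alerted" if only monitor-only policies matched, otherwise "allowed".
    """
    matched = [p for p in policies
               if event.channel in p.channels
               and re.search(p.pattern, event.extracted_text, re.IGNORECASE)]
    names = [p.name for p in matched]
    if any(p.action == "block" for p in matched):
        return "blocked", names
    if matched:
        return "alerted", names
    return "allowed", names


# Constructed sample events: the same payroll page as a Word document and as a scan.
SAMPLE_EVENTS = [
    Event("email", "payroll.docx", "Employee SSN 123-45-6789, see attached"),
    Event("email", "payroll-scan.tif", ""),      # scanned copy: nothing to inspect
    Event("usb", "payroll.docx", "Employee SSN 123-45-6789, see attached"),
    Event("web", "status.txt", "Project Orion slips to Q3"),
]


def report(events=SAMPLE_EVENTS, policies=POLICIES):
    """One summary line per event: channel, file, decision, policies that fired."""
    lines = []
    for ev in events:
        decision, names = evaluate(ev, policies)
        lines.append(f"{ev.channel:5} {ev.filename:18} {decision:8} {', '.join(names) or '-'}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

The scanned .tif comes back “allowed” with no policy matched, which is the gap the business asks about; closing it would take OCR or a different control (for instance, restricting where scans can be sent), not a tweak to the text rule. The USB event shows the other case from the post: the rule fires, but only as an alert, because the channel is authorized for that user.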

Has anyone had any success explaining the nuances of DLP software to the business? If so please note and share some suggestions.

Security Job Titles Revisited

So I had another thought along the lines of Security Job Titles. I threw out a tweet regarding the “Team Lead” title. There are a number of people that I’ve discussed this with at my day job and the opinion varied between a manager-in-training and the most technical of the team. While I think my coworkers are pretty knowledgeable, they don’t necessarily know what goes on outside our company, so I thought I’d ask what others thought: “Team lead: top techy on the team or manager in training…and why?” Here are a few of the answers I’ve gotten from followers on Twitter:

While they left off the “…and why?”, I can understand the line of thinking. Others were definitely in a similar mindset but provided some additional detail:

  • @securityninja – “For us it is generally management as well as lead techy, we are line managers for the team and all others in it”

Two people came close to what I would assume when someone tells me that they are the “Team lead”:

  • @rogueclown – “manager in training. i’m surely biased, but i’d still like to spend my time dealing with cranky computers, not managing people.”
  • @georgiaweidman – “id say the one with the best skills for managing regardless of whether job title is tech or business side. case by case basis”

There were also those that pointed out that someone else shouldn’t choose for the individual and I completely agree:

  • @jjarmoc – “either, sometimes both. But forcing good techies into management roles is often a mistake.”
  • @DSchwartzberg – “I believe it’s up to the individual. Why-because any role you take can be what you make of it. Criticism comes with the outcome”

I think that when it comes down to it, the title is going to vary based on the company. Some organizations may see it as the most technically capable person on that team, where others may see it as a mid-level management layer to keep the day to day operations going. One suggestion I can offer is to split the title in two: Tech Lead / Team Lead. One for the most seasoned/knowledgeable, the other for the area manager.

The one thing that I’m getting out of all this is that a job title can’t tell you what a person is capable of or what they do day-to-day. Leave me a note and tell me what you think. Are job titles a convoluted jumble of words or something you should fight for and own as part of your career?

Security Job Titles

I was seeing job postings the other day through one of my email blasts that I receive and it got me thinking. Who comes up with these job titles? When I worked for a small CPA firm and I was allowed to choose my own title, I chose “LAN Administrator”. It fit my job fairly well, I was responsible for the servers, the network, the PCs, etc. I moved to the helpdesk, and for a while I was a “Helpdesk Analyst”. A title that also makes complete sense. After a year or so though, HR decided to change our titles in IT. I got changed from the “Helpdesk Analyst” to a “Systems Software Engineer Analyst”. I had never engineered anything but a good case of loathing for users at that point.

When I moved to the Security Administration area, my title changed to a “Systems Software Engineer Specialist”. Again, complete and utter nonsense. I was a security administrator. Create accounts, grant rights, revoke rights, delete accounts, rinse, repeat. The only thing I was specializing in was creating copy/paste emails to send to users who were impatiently waiting to get Microsoft Visio.

Within a couple years I got promoted to an “IT Security Specialist”. Hmm…ok, at least this is a little closer. We were no longer called “IT Security” but working in Information Security, I at least had “security” in my title! Then HR comes in and says they are going to change things again. They were going to have “HR Titles” and “Internal Titles” because HR titles needed to match other jobs in the industry while our internal titles would more closely match what we actually do. I was skeptical and it turns out it was warranted. It took them until I was promoted again to finally take hold. My HR title became “IT Security Sr Specialist”, while my internal title became “Vulnerability Management Senior Specialist”. While I’m trying to get more into the Vulnerability arena, it’s a very small part of what I do. I still do governance of the Security Administration area, I do some vulnerability scans, some security awareness, and a host of other “who can we get to do this” tasks. Someone who is a level above me at our company is listed as an “IT Security Sr Tech Specialist” yet my job is much more technical than that person’s.

I considered consulting our HR group on this issue but I didn’t think I would get very far, so I reached out to my friend @HackerHuntress and asked for her opinion on my confusion. She talks with job seekers as well as hiring managers on a daily basis. Her response cemented my opinion that job titles are really not geared towards what a user does and more on being able to gauge a salary band the user can fit into.

I asked her a couple questions including if she saw the title discrepancy and if so where, any tricks for our friends out there trying to find a job and deciphering the job postings, and if she thinks HR would ever get in the game and match titles to what we actually do. Her response was very informative in that she has seen the job title game played mostly at companies with internal security practices. (Think F-500 companies that do their own security but don’t do security as a service). Her comment to this was “Most companies, though, go the “security specialist” or “security analyst” route. In my experience a security analyst can be anything from a firewall engineer to a QSA.” She doesn’t hold out any hope that HR will ever get to the point that they are lining up with what the security individual is doing because most don’t know what the user’s responsibilities even are.

On the topic of how to assist our friends still looking for jobs, she said to talk to recruiters & hiring managers. Getting as close to the person as you can who is doing the hiring will help you in determining what you are getting into at that company. You may be listed as the ‘Security Guru’ in a large company but if all you’re doing is making sure everyone is swiping their ID badge as they walk in, it may not be the job for you.

Secureholio
-Chief Cook & Bottle Washer

Stupid users or stupid us? Yes.

Today while working I noticed that I was starting to drift into the “stupid users!” thoughts. What causes us to do this? Yes I understand that you may not know how to reboot your system, although the methods haven’t changed much in the last decade or so, but that’s not the point. We as IT Professionals can start to run down this path of “Well what do you mean you don’t know how to configure your local firewall!? It’s on your computer!” Many times we work inside of a larger organization whose main business is something other than IT. You’re going to be dealing with people who are very smart in what they know. They may be a banker, or a doctor, or a lawyer. They are very good at determining what is going on in their profession. What they are not proficient at is knowing how configuration files should look, or how to write a batch script, or why, when they go to a website, all of a sudden you want to reload their computer.

All they know is that something inside the box you gave them is holding up their work. They want it fixed and they want it fixed now. You getting frustrated at them is not going to make them any happier. Now I don’t want anyone to get the wrong idea, because after working on the helpless desk for over five years I know that sometimes you can’t just keep taking the beating they’re giving to you. The idea is to get them working, off the phone, and out of your life as fast as possible. You may not know how to fight a court case, underwrite an insurance policy, or treat a patient, but they do. If you can work together and get the problem solved faster it’s going to go a lot easier on everyone.

Let’s all try to stop calling them “stupid users” and maybe they’ll stop calling us “stupid IT”.