<p>PhoneBoy's Security Theater, a Jekyll feed at https://phoneboy.org/ by Dameon D. Welch (dwelch@phoneboy.com); feed updated 2023-02-22T20:00:25-08:00.</p>
<h1>A Couple Decades (And Change) of Working From Home</h1>
<p>https://phoneboy.org/2021/08/03/a-couple-decades-and-change-of-working-from-home, published 2021-08-03T22:27:10-07:00 by Dameon D. Welch.</p>
<p>When the Covid-19 pandemic was declared in March of 2020 and most every
high-tech business became “all remote all the time” literally overnight,
my first thought was: I’ve been training my whole life for this.</p>
<p>Because, really, I’ve been mostly working from home since 1998 when I moved
from Silicon Valley to Washington State, yet continued to work for companies
with offices in Silicon Valley. First, I worked for a now non-existent
Check Point reseller, then to what became the Security Appliance business
at Nokia, then for Check Point.</p>
<p>Needless to say, I’ve had a LOT of experience with <a href="https://www.checkpoint.com/quantum/remote-access-vpn/">Check Point Remote
Access VPN</a> over
the years. Experience I put to good use when our customers started asking
on <a href="https://community.checkpoint.com">CheckMates</a> about the various
remote access solutions.</p>
<p>Back in 1998, the applications I was accessing were fairly limited.
We’re talking email, maybe a case management system of some sort as
I was doing support back in the day, and that’s it. And I’m doing it
from one device. Now I’m not only accessing stuff hosted on premise,
I’m accessing stuff hosted in the cloud. And I’m doing it from multiple
devices.</p>
<p>I’m reminded of Daniel Burrus’ book Flash Foresight, something I
<a href="http://phoneboy.org/2016/06/04/infosec-related-insights-from-flash-foresight/">wrote about in 2016</a>. Specifically, I’m reminded of his concept of
Hard Trends, and three we’re all living with:</p>
<ul>
<li>Ever Increasing Connectivity</li>
<li>Ever Increasing Processing Power</li>
<li>Ever Increasing Storage</li>
</ul>
<p>This is both a challenge and an opportunity: both for us as consumers
and for the malicious actors out there who exploit this. Is it any
wonder we are seeing an ever-increasing amount of <a href="https://www.checkpoint.com/cyber-hub/cyber-security/what-is-cyber-attack/">Cyber Attacks</a> out there?</p>
<p>All of this has been a boon in the current circumstances. I can tell you
that doing conference calls without video back in the 90s and early 2000s
was…no fun. And while video adds a human element to talking to people
remotely, you miss out on the spontaneous discussions that happen when
you’re visiting the office and bump into someone that you might not have
planned to have.</p>
<p>And, of course, these conferencing platforms have their security issues
also. In addition to the application-specific vulnerabilities, there
are issues of data sovereignty in terms of where the streams are routed
through. This is something of concern with any cloud service, of course.</p>
<p>The one thing I think has been made clear from the last 18 months or so
is: remote work is going to be “the new normal” for a lot of people.
We now have a whole generation of kids who’ve now done school remotely
(for better or worse) and I suspect some percentage of them will
demand remote work. Heck, even the current generations in the workforce
are seeing the value of it.</p>
<p>All of that said, we can’t forget the human touch. Nothing’s going to
replace getting together in person. While I can’t say there’s been a
huge improvement in remote interaction in the last 20+ years beyond
the addition of video (and what amounts to chat apps on a multitude of
devices), I feel like as the hard trends I highlight above keep moving
forward, we’ll get more “human” interactions over time.</p>
<p>Likewise, Cyber Security isn’t going anywhere. For those practitioners,
the job will continue to expand into new frontiers, creating new
challenges…and opportunities to achieve better cyber security than
was possible before. But only if you’re up to the challenge.</p>
<p><strong>Disclaimer</strong>: My employer <a href="https://checkpoint.com">Check Point Software Technologies</a> is up to the challenge of cyber security in an ever-changing and
expanding environment. That said, these thoughts are mine.</p>
<p><a href="https://phoneboy.org/2021/08/03/a-couple-decades-and-change-of-working-from-home/">A Couple Decades (And Change) of Working From Home</a> was originally published by Dameon D. Welch at <a href="https://phoneboy.org">PhoneBoy's Security Theater</a> on August 03, 2021.</p>
<h1>Some Things Never Change at Palo Alto Networks</h1>
<p>https://phoneboy.org/2020/10/20/some-things-never-change-at-palo-alto-networks, published 2020-10-20T16:27:10-07:00 by Dameon D. Welch.</p>
<p><a href="/2014/11/20/what-is-palo-alto-networks-afraid-of/">Ages ago</a>, I had written
about this gem I had found in the <a href="https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/legal/palo-alto-networks-end-user-license-agreement-eula.pdf">End User License Agreement for Palo Alto
Networks equipment</a>.
It’s still there in more or less the same form it was back in 2014:</p>
<blockquote>
2.c. Use Restrictions: You shall not: [...] vi. Disclose, publish or
otherwise make publicly available any benchmark, performance or comparison
tests that you (or a third party contracted by you) run on the Products,
in whole or in part;
</blockquote>
<p>And while NSS Labs is, sadly, no longer around to run afoul of this–they
ceased operations on 15 October 2020 due to Covid-19–<a href="https://www.paloaltonetworks.com">Palo Alto Networks</a> is still around and still using the legal
system to suppress published comparisons of their products to competitors.
Their current target: Orca Security, who dared to compare their products
against Palo Alto Network’s equivalent offerings and <a href="https://orca.security/prisma-cloud-security/">post the result of
their findings</a> on the Internet.</p>
<p>As <a href="https://orca.security/cybersecurity-community-transparency/">Orca Security Co-founder and CEO Avi Shua points out</a>:</p>
<blockquote>
It’s outrageous that the world’s largest cybersecurity vendor (its products being used by over 65,000 organizations according to its website), believes that its users aren’t entitled to share any benchmark or performance comparison of its products. According to its boilerplate contract terms that prohibit “disclosing, publishing, or otherwise making publicly available any benchmark, performance, or comparison tests” of its products, you’re in violation even if you publish the results of an internal comparison of Palo Alto Networks against other products as part of your procurement process. The same goes for the hundreds of Palo Alto Networks reviews on various sites that include G2 Crowd, Capterra, and Gartner Peer Insights. It means that only benchmarks approved by Palo Alto Networks can be published.
</blockquote>
<p>Of course, this is from the same company that, on average, takes <a href="http://tiny.cc/urgency">more than
four months</a> to fix reported security vulnerabilities
against their product. Explains why <a href="https://www.linkedin.com/feed/update/urn:li:activity:6724335188131872768?commentUrn=urn%3Ali%3Acomment%3A%28activity%3A6724335188131872768%2C6724386869439713280%29">pentesters don’t even know their
firewalls are there</a>.</p>
<p><strong>Disclaimer</strong>: In the interest of transparency, which I believe is a good
thing, I know several people at Orca Security as they used to be co-workers
at my current employer, <a href="https://checkpoint.com">Check Point</a>, who did not
offer an opinion on this matter. These are just my own thoughts.</p>
<p><a href="https://phoneboy.org/2020/10/20/some-things-never-change-at-palo-alto-networks/">Some Things Never Change at Palo Alto Networks</a> was originally published by Dameon D. Welch at <a href="https://phoneboy.org">PhoneBoy's Security Theater</a> on October 20, 2020.</p>
<h1>My Two Check Point Decades</h1>
<p>https://phoneboy.org/2019/02/01/my-two-check-point-decades, published 2019-02-01T08:30:00-08:00 by Dameon D. Welch.</p>
<p>February 1999 was the last time I willingly changed employers. That’s…20
years, which, in this day and age, is an eternity to stick with the same
employer.</p>
<p>That’s not entirely true. I did change employers in April of 2009 when Check
Point Software Technologies completed the acquisition of the Nokia Security
Appliance business that I worked in. Because of this, when you look at my
official start date at Check Point, it reflects the day I started at Nokia,
which was in February of 1999.</p>
<h2 id="more-than-two-decades-actually">More than Two Decades, Actually</h2>
<p>But really, my Check Point experience goes back farther than that. It even
predates the <a href="https://www.checkpoint.com/cpx">Check Point Experience</a>
conferences currently going on right now, starting in 1996. I began working
for a company that resold, among other things, Check Point FireWall-1.</p>
<p>Back then, Check Point didn’t have a support site and there wasn’t much
information out there on the Check Point product. I ended up building
and maintaining a public FAQ, which got a lot of attention.</p>
<p>That FAQ did lead to my job at Nokia in 1999, where I was hired under a
telecommuting arrangement, which at that time was unusual. Most of my
co-workers were in the San Francisco Bay Area. I had just recently moved
to Washington State, and telecommuted with the occasional trip to the office.</p>
<p>Quite a lot has happened in the decade that followed. Nokia acquired many
companies, changed strategies a few times, reorganized, but our business
unit that produced appliances that ran primarily Check Point’s software
remained. The appliances were quite popular, as was our Technical Support,
where I worked in various roles. Our business unit had many names over the
years, including: IP Routing Group, Nokia Internet Communications, and Nokia
Enterprise Solutions. Our revenues were effectively a rounding error when
compared to Nokia’s Mobile Phone business at the time, but the unit was profitable.</p>
<h2 id="the-winds-of-change-and-a-recession">The Winds of Change and a Recession</h2>
<p>By the end of 2007, the winds of change were definitely blowing. The iPhone
was announced at the beginning of 2007 and took the world by storm. This had
a massive effect on the mobile phone market as a whole, and Nokia in
particular. More specific to our business unit, I saw an organizational
chart that showed our business unit isolated from the rest of Nokia. Which,
in some ways, made sense since we operated pretty independently of
the larger Nokia. However, it foretold what was to come.</p>
<p>Near the end of September of 2008, a Nokia executive had inadvertently
made public they were in the advanced stages of selling the Nokia Security
Appliance business to a private investment firm. This began a rather
tumultuous 7 month period in my professional career.</p>
<p>While trying to do our jobs keeping customers happy and secure, we were
developing plans to become a company independent of Nokia. This involved
quite a lot of details that, working for an established company like Nokia,
you just don’t think about.</p>
<p>All this planning activity suddenly stopped, or at least management stopped
asking about it. Things got oddly quiet. Turns out, the recession that kicked
in during October 2008 “cooled off” the potential buyers.</p>
<h2 id="coming-home-to-check-point">Coming Home to Check Point</h2>
<p>Just before Christmas 2008, it was announced that Check Point was buying the
Nokia Security Appliances business. After three months of uncertainty, we were
starting all over again with a whole different set of concerns. Who would be
acquired? Who would end up staying at Nokia? Who would end up having to look
for work? And was any of this a good thing?</p>
<p>I’ll spare you the details of the three months that followed, but it involved
interviews with people at Check Point, a CFIUS review (we were a US asset that
was being purchased by a foreign-owned company), and a lot of unknowns. All
the while, we were continuing to serve our customers.</p>
<p>In April of 2009, the acquisition of Nokia’s Security Appliance business
by Check Point closed. Some ended up staying with Nokia, some came over to
Check Point, others were given severance packages. And a whole new adventure
began as this was not only a change in employer for me, I changed jobs. Which,
as it turns out, was a great thing.</p>
<p>At first, my job wasn’t all that different. I was a sort of backline support
for the sales organization, interfacing between sales, R&D, and Product
Management. It wasn’t too different from what I was doing at Nokia, actually,
just with a different focus (pre-sales).</p>
<p>Eventually, my role evolved into a Security Architect, where I went on
customer sites, reviewing their security architecture, providing
recommendations for addressing the identified issues along with what Check
Point products would best address their needs. This got me a bit closer
to the actual sales process.</p>
<h2 id="back-to-the-future">Back to the Future</h2>
<p><img src="/images/CheckMates_1280x331.png" alt="CheckMates" /></p>
<p>Then, at the end of 2016, I was offered an interesting proposal that leads
me where I’m at now at Check Point: as the front man for Check Point’s user
community: <a href="https://community.checkpoint.com">CheckMates</a>. The funny thing
is, I’m doing a lot of what I was doing running the FireWall-1 FAQ back in
the 1990s, except Check Point is now paying me to do it.</p>
<p>A lot has changed in the last 20 years. The old days were fun, but I’m having
the time of my life right now! I’m not just doing some online thing from my
basement, I’m getting out there, meeting customers, spreading the good word.
Given the significant increase in the velocity and impact of cyber threats,
the work that Check Point is doing to prevent them is more important than ever!</p>
<p>And while I’m not talented enough to develop solutions to cyber threats, I
can certainly communicate, educate, build trust, and collaborate. I can
occasionally develop solutions to some problems as the hundreds of posts
on CheckMates and the hundreds of FAQs I published years ago will confirm.</p>
<p>It’s what I’ve always done in my career, and yet, I’m just getting started.</p>
<p><a href="https://phoneboy.org/2019/02/01/my-two-check-point-decades/">My Two Check Point Decades</a> was originally published by Dameon D. Welch at <a href="https://phoneboy.org">PhoneBoy's Security Theater</a> on February 01, 2019.</p>
<h1>An Updated Word About Competition in the Information Security Industry</h1>
<p>https://phoneboy.org/2017/11/09/an-updated-word-about-competition-in-the-information-security-industry, published 2017-11-09T22:54:00-08:00 by Dameon D. Welch.</p>
<p>A year ago, I had written a post about competition in the information
security space, a space I work in for a vendor that has been part of it
for nearly a quarter century: Check Point Software Technologies. A
few things have changed since I wrote that post and I decided, rather than
merely repost it, to create a new version and update it with
some relevant information. I’ve removed the old post because it largely
says the same thing.</p>
<h2 id="why-im-in-this-industry">Why I’m In This Industry</h2>
<p>The devices, networks, and social institutions we use today are only
useful because, on the whole, most people largely trust them. If this trust
erodes, people will not make use of them.</p>
<p>It took me many years of working at Nokia to realize that regardless of what
I do in life, I am always going to be looking for where the flaws are in
the systems and do what I can to improve these systems so they will
remain trusted.</p>
<p>As a company, Check Point firmly believes customers deserve the best security
for their digital information. That, plus my long-time history with Check Point
was why I ultimately decided to go work for Check Point when they acquired
Nokia’s Security Appliance Business back in 2009. The talented, smart people
I work with day-in and day-out working toward the same goal is why I’m still
here, even though some have left for what they see as greener pastures, or
at the very least, a different pasture.</p>
<h2 id="what-about-the-competition">What About The Competition</h2>
<p>One of the things I’ve always tried to do online is to bring facts,
understanding, and details to light. This is what I did with the FireWall-1
FAQ back in the day and what I’m trying to do as part of my effort with
Check Point’s user community: <a href="https://community.checkpoint.com">CheckMates</a>.</p>
<p>You may have noticed that I occasionally delve into the subject of Check
Point’s competition in my online discourse. The main reason I do this is
because some of them are saying stuff that flat out isn’t true, a gross
misrepresentation, or they advocate a poor approach.</p>
<p>To be clear, I think healthy competition is a good thing. It raises all
boats, regardless of who you ultimately use. Despite our differences in
approach, there is a common enemy: the malicious actors who attempt to
penetrate and disrupt our customers’ networks. We would do better as an
industry to remember that and work better together toward defeating
that common enemy.</p>
<p>Despite that common goal, everyone who works for a security vendor,
particularly in a sales or marketing capacity, wants to succeed over
the competition. As part of that, each vendor puts out information
that puts their offering in the best light. Certainly Check Point has
done this with some past marketing campaigns such as:</p>
<ul>
<li><a href="https://www.checkpoint.com/resources/cybersecurity-threats-fact-vs-hype/">Facts vs. Hype</a></li>
<li><a href="https://www.youtube.com/watch?v=8p5rQucaqns">50 Shades of PAN</a></li>
</ul>
<p>This is all part of normal, healthy competition that happens in any industry.</p>
<p>Palo Alto Networks is clearly a different competitor and seems to play
by different rules, particularly with respect to Check Point.</p>
<h2 id="its-personal-for-palo-alto-networks">It’s Personal for Palo Alto Networks</h2>
<p>Nir Zuk, the co-founder of Palo Alto Networks, drives a car with the
license plate CHKPKLR. <a href="https://www.sequoiacap.com/israel/company-story/palo-alto-networks-story/">This was widely known since at least 2005</a> and a picture
of said license plate was featured prominently at their 2016 Sales Kick Off:</p>
<p><img src="/images/chkpklr.png" alt="CHKPKLR" /></p>
<p>The guy up on stage? Their CEO Mark McLaughlin, propagating the “Check
Point Killer” message to the assembled masses.</p>
<p>Over the years, I’ve heard countless stories of how Nir Zuk would come in
to talk to a (potential) customer and spend a significant amount of time
talking about Check Point, to the point where he was thrown out of at
least one customer meeting! Given how some customers feel about Check Point,
I’m sure that tactic did help to drive some sales.</p>
<p>In the following picture, you can see Palo Alto Networks Chief Marketing
Officer Rene Bonvanie with a slide behind him of Check Point CEO
Gil Shwed:</p>
<p><img src="/images/gil-shwed-not-my-friend.png" alt="Gil Shwed is not my friend" /></p>
<p>To take it one step further, it was recently discovered that Palo
Alto Networks has a so-called “Check Point Kill Squad.” This was disclosed
by way of a screenshot of what appeared to be an internal portal from
Palo Alto Networks. There was no real information in this screenshot, just
partial bullet points of a few competitive talking points against
Check Point SandBlast and the fact they also have a Competitive team–nothing
that wasn’t already widely known or easy to deduce.</p>
<p>Rather than simply ignore it, Palo Alto Networks saw fit to issue a DMCA
takedown notice, causing <a href="https://www.linkedin.com/feed/update/urn:li:activity:6334640002059894784">Moti Sagey’s LinkedIn account to be temporarily suspended</a>.
Given their propensity to use <a href="http://phoneboy.org/2014/11/20/what-is-palo-alto-networks-afraid-of/">EULAs as a way to prevent the truth from being disclosed about their products</a>, using a DMCA takedown to needle someone at a competitor
doesn’t seem too far fetched.</p>
<h2 id="conclusion">Conclusion</h2>
<p>It’s clear the hatred of Check Point is institutionalized at Palo Alto
Networks and that it comes straight from the top. Given they <a href="https://www.youtube.com/watch?v=ThczL7U2It4">still haven’t
fixed potential bypasses in their product two years after they were reported</a>, it makes me question what
business they are truly in.</p>
<p><strong>Disclaimer</strong>: My blog, my personal opinions. I’m sure you knew that.</p>
<p><a href="https://phoneboy.org/2017/11/09/an-updated-word-about-competition-in-the-information-security-industry/">An Updated Word About Competition in the Information Security Industry</a> was originally published by Dameon D. Welch at <a href="https://phoneboy.org">PhoneBoy's Security Theater</a> on November 09, 2017.</p>
<h1>Taking CheckMates On The Road</h1>
<p>https://phoneboy.org/2017/09/06/taking-checkmates-on-the-road, published 2017-09-06T14:16:00-07:00 by Dameon D. Welch.</p>
<p>After a couple months of mostly being at home (nice change of pace), I’m
now taking the <a href="https://community.checkpoint.com">Check Point CheckMates</a>
community on the road!</p>
<p>Aside from building the community site, where we’ve definitely seen an
uptick in activity in recent weeks, part of my charter is to facilitate
in-person Check Point meetups. We are starting these <a href="https://community.checkpoint.com/community/checkmates-live">in a number of
locations</a>!
Four in particular I’d like to draw your attention to are ones I will
be at!</p>
<p>Sadly, I didn’t get the bright idea to do this before last week,
where I was in Cincinnati. However, it’s not too late to see me
in the following places over the next few weeks:</p>
<ul>
<li><a href="https://community.checkpoint.com/events/1034-join-us-in-st-louis-to-find-out-about-checkmates-and-r8010">St. Louis: Join us to find out about CheckMates and R80.10!</a></li>
<li><a href="https://community.checkpoint.com/events/1036-london-leveraging-the-r8010-api-to-automate-and-streamline-security-operations">London: Leveraging the R80.10 API to Automate and Streamline Security Operations</a></li>
<li><a href="https://community.checkpoint.com/events/1037-ireland-live-upgrade-of-check-point-r7730-to-r8010">Ireland: Live Upgrade of Check Point R77.30 to R80.10</a></li>
<li><a href="https://community.checkpoint.com/events/1031-checkmates-event-at-naked-city-brewing">Seattle: Join us at Naked City Brewing!</a></li>
</ul>
<p>Also, while I have your attention, I’d be remiss if I didn’t point out the
Ask Me Anything we’re doing with <a href="https://community.checkpoint.com/events/1033-ask-me-anything-dr-dorit-dor-and-team">Dr. Dorit Dor and her management team</a>
on the 18th of September. Get your questions in now!</p>
<p><a href="https://phoneboy.org/2017/09/06/taking-checkmates-on-the-road/">Taking CheckMates On The Road</a> was originally published by Dameon D. Welch at <a href="https://phoneboy.org">PhoneBoy's Security Theater</a> on September 06, 2017.</p>
<h1>Ye Olde PhoneBoy FireWall-1 FAQ is Back…In A Manner of Speaking</h1>
<p>https://phoneboy.org/2017/07/18/ye-olde-firewall-1-faq-is-back-in-a-manner-of-speaking, published 2017-07-18T17:00:00-07:00 by Dameon D. Welch.</p>
<p>Many of you probably remember the Check Point FireWall-1 FAQ I ran for many years. Many have told me it was their “go-to” source of information on all things Check Point, well before Check Point had SecureKnowledge.</p>
<p>Well, I’m here to say: it’s back…in a manner of speaking.</p>
<p>More specifically, I am back doing the activity I was doing twenty years ago, namely trying to help the Check Point community make the best use of the stuff they bought and make the resulting information available to everyone.</p>
<p>The one difference? I’m doing it for Check Point now, as opposed to doing it
as an independent effort. The name of the site? <a href="https://community.checkpoint.com">CheckMates</a>–and no, it’s not a dating site.</p>
<p>This site was previously called Exchange Point and was launched around the
time R80 was released a little over a year ago. Previously the site was just
focused on management, but it has been expanded to cover all of the products
that make up Check Point Infinity.</p>
<p>Even in the past, I personally didn’t have all the answers. The one thing I
did do was make what I did know and what others contributed available to all.
I had plenty of help from people in the community back then, including from
people at Check Point.</p>
<p>In that regard, nothing’s changed. CheckMates will be a collaborative effort.
Unlike in the past, Check Point’s role will be more prominent, especially
since they are hosting the site and paying my salary.</p>
<p>At the end of the day, I want CheckMates to be like phoneboy.com was back in
the day: to be the go-to resource for all things Check Point. It’s a tall
order, and I know what’s there is not much now, but phoneboy.com wasn’t
much back when I started, either.</p>
<p>To give you a taste of the discussions on CheckMates, I’ve put together
<a href="https://community.checkpoint.com/blogs/about-checkmates/2017/07/14/this-week-in-checkmates-week-of-10th-july-2017">a small sample</a> of some of the
threads that happened last week.</p>
<p><a href="https://phoneboy.org/2017/07/18/ye-olde-firewall-1-faq-is-back-in-a-manner-of-speaking/">Ye Olde PhoneBoy FireWall-1 FAQ is Back…In A Manner of Speaking</a> was originally published by Dameon D. Welch at <a href="https://phoneboy.org">PhoneBoy's Security Theater</a> on July 18, 2017.</p>
<h1>How Long is Long Enough for a Password?</h1>
<p>https://phoneboy.org/2017/02/27/how-long-is-long-enough-for-a-password, published 2017-02-27T17:00:00-08:00 by Dameon D. Welch.</p>
<p>As much as we might want to see different authentication methods available, passwords aren’t going away anytime soon. This means a significant part of our security online comes down to choosing good passwords.</p>
<p>There are three basic rules for choosing good passwords:</p>
<ol>
<li>The more complex the better</li>
<li>The longer the better</li>
<li>Don’t use the same password on multiple sites</li>
</ol>
<p>Some services like Office 365 are <a href="https://answers.microsoft.com/en-us/windows/forum/windows_10-security/please-increase-the-16-character-password-limit/5de69b9a-ac5c-4891-94c5-349dc25957ae">being criticized for only allowing 16 character passwords</a>. Some services offer even less than this.</p>
<p>If you actually do a little math, and choose the characters in your password carefully enough, perhaps using a tool like <a href="https://lastpass.com">LastPass</a> to generate and manage the passwords, even a 16 character password is more than strong enough to withstand a brute force attack!</p>
<p>To demonstrate that, I’m going to use the <a href="https://www.grc.com/haystack.htm">GRC Haystacks</a> tool just to show the search space required in order to find a given password. Yes, I know there are some in the security community that poo-poo some of the contributions to information security that Steve Gibson has made. The tool is merely expressing the results of math and is being used for illustrative purposes.</p>
<p>A password can theoretically have four different types of characters:</p>
<ul>
<li>Uppercase characters (26 possible options)</li>
<li>Lowercase characters (26 possible options)</li>
<li>Numbers (10 possible options)</li>
<li>Special characters (33 characters)</li>
</ul>
<p>This gives us a total of 95 possible values for a given character of a password. Note that this may vary from site to site as some sites might restrict the special character space. Some sites might even allow for emoji, which I am excluding since outside of smartphone platforms, these are not universally available.</p>
<p>Let’s assume we pick a 16 character password that leverages all four character types and is relatively random. The time required to exhaustively search this space with a tool like <a href="https://hashcat.net/hashcat/">hashcat</a> or <a href="http://www.openwall.com/john/">John The Ripper</a>? A much longer time than I can even conceive of!</p>
<p><img src="/images/password-16-char-complex.png" alt="16 Character Complex Password" /></p>
<p>What about if I choose a 16 character password that is all lowercase, but random? Even if a lot of computing power is thrown at the password hash, we’re still looking at several years of computing time:</p>
<p><img src="/images/password-16-letter-lowercase.png" alt="16 Character Lowercase Password" /></p>
<p>However, by adding a little bit of complexity, say, uppercase characters, the search space suddenly increases by orders of magnitude!</p>
<p><img src="/images/password-16-character-upperlower.png" alt="16 Character Upper and Lowercase Password" /></p>
<p>Even a 12 character complex password has a pretty large search space to search through:</p>
<p><img src="/images/password-12-char-complex.png" alt="12 Character Complex Password" /></p>
<p>All of this assumes you are choosing truly random characters for your password. If you’re using a well-known password manager, it’s probably random enough. Obviously, if you choose dictionary words for your password, or simple variations thereof, the odds of someone guessing your 16 character password are <em>much</em> higher.</p>
<p>Then again, how might someone perform a brute force attack on your password? Certainly <a href="https://haveibeenpwned.com/">if someone leaks the hashed passwords</a> it’s possible. It’s likely not the result of an online brute force attack as that is likely to be detected and/or blocked and will most certainly take much longer.</p>
<p>And yes, the amount of time it takes to validate a password is a factor here. To illustrate this, let’s talk passcodes on phones. At least on Apple devices, if you enable the wipe feature, Apple will wipe the device after 10 failed passcode attempts. The phone only allows passcode entry via the screen and each attempt takes 80 milliseconds to process, <a href="http://phoneboy.org/2016/02/24/apple-vs-the-fbi-demonstrates-convenience-vs-security/">as I discussed previously</a>. After a few failed attempts, the phone will lock out additional attempts for a period of time. Which means, it’s not like someone can pick up your phone and a few seconds later, your phone is wiped.</p>
<p>With those constraints in place, how long and complex of a passcode do you really need to keep your phone from being unlocked by someone other than you? Probably nowhere near as long as you think, so long as you avoid obvious and common ones. For the sake of argument, let’s look at an 8 digit passcode:</p>
<p><img src="/images/password-8-digits.png" alt="8 Digit PIN" /></p>
<p>To exhaustively search this space, assuming 80ms per guess and no other limiting factors, it would take about 103 days to try all possible combinations. Since there are other limiting factors as noted above, including the fact that the ability to automate passcode guessing is limited, it would take a bit longer. Of course, if the iPhone owner enabled the “erase after 10 failed attempts” option, all bets are off.</p>
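<p>The arithmetic behind the screenshots above, as an added example that is not the post’s own code and not the GRC Haystacks tool itself. It assumes Haystacks’ counting convention (every password of length 1 through n over the chosen alphabet, not just length n), which is what reproduces the post’s 103-day figure for an 8 digit passcode at 80 ms per attempt; the online and offline guess rates are constructed for illustration, not measured, and the 95 character alphabet is the post’s four classes added together.</p>

```python
"""Password search-space arithmetic, added as a worked example for the
post above (not the post's own code or the GRC Haystacks tool itself).
Haystacks counts every password of length 1 through n over the chosen
alphabet, not just length n, so its figures are a little larger than
alphabet**n; that convention is assumed and reproduced here."""

# Character-class sizes as given in the post (95 printable ASCII total).
UPPER, LOWER, DIGITS, SPECIAL = 26, 26, 10, 33

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY

# Assumed guess rates (constructed for illustration, not measured):
# a throttled online login form versus an offline attack on a leaked
# hash database with a large GPU cluster.
ONLINE_GUESSES_PER_SECOND = 10
OFFLINE_GUESSES_PER_SECOND = 100_000_000_000_000  # 1e14, a "massive cracking array"


def alphabet_size(upper=False, lower=False, digits=False, special=False):
    """Number of distinct values a single password character can take."""
    return UPPER * upper + LOWER * lower + DIGITS * digits + SPECIAL * special


def search_space(alphabet, max_length):
    """Count of all passwords of length 1..max_length (Haystacks convention)."""
    return sum(alphabet ** k for k in range(1, max_length + 1))


def seconds_to_exhaust(space, seconds_per_guess):
    """Worst-case time to try every candidate at a fixed cost per guess."""
    return space * seconds_per_guess


def scenarios():
    """The post's four password shapes plus its phone passcode case."""
    cases = {
        "16 chars, all four classes": (alphabet_size(True, True, True, True), 16),
        "16 chars, lowercase only": (alphabet_size(lower=True), 16),
        "16 chars, upper+lower": (alphabet_size(upper=True, lower=True), 16),
        "12 chars, all four classes": (alphabet_size(True, True, True, True), 12),
    }
    out = {}
    for name, (alpha, length) in cases.items():
        space = search_space(alpha, length)
        out[name] = {
            "alphabet": alpha,
            "space": space,
            "online_years": seconds_to_exhaust(space, 1 / ONLINE_GUESSES_PER_SECOND) / SECONDS_PER_YEAR,
            "offline_years": seconds_to_exhaust(space, 1 / OFFLINE_GUESSES_PER_SECOND) / SECONDS_PER_YEAR,
        }
    # Phone passcode: 8 digits, 80 ms per attempt on the device, no lockout
    # and no wipe, matching the assumptions stated in the post.
    pin_space = search_space(DIGITS, 8)
    out["8-digit PIN at 80 ms/guess"] = {
        "alphabet": DIGITS,
        "space": pin_space,
        "days": seconds_to_exhaust(pin_space, 0.080) / SECONDS_PER_DAY,
    }
    return out


if __name__ == "__main__":
    for name, r in scenarios().items():
        print(f"{name}: alphabet={r['alphabet']}, search space={r['space']:.3e}")
        if "days" in r:
            print(f"    exhaustive search: {r['days']:.0f} days")
        else:
            print(f"    online ({ONLINE_GUESSES_PER_SECOND}/s): {r['online_years']:.3e} years; "
                  f"offline ({OFFLINE_GUESSES_PER_SECOND:.0e}/s): {r['offline_years']:.3e} years")
```

<p>Running it shows the two points the post makes: adding a second character class to a 16 character password multiplies the space by roughly 2^16, and a short numeric passcode is only defensible because the device caps the guess rate, not because the space is large. Swap in a different rate constant to see how a lockout or a faster cracking rig moves the numbers.</p>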
<p>The bottom line is, when you actually look at the math, you don’t need quite as long of a password as you think you do. Assuming the limit is at least 12 characters and <em>all</em> special characters are supported, you can make a complex enough password to sufficiently mitigate most brute force attacks. Even a 16 character password with just mixed case letters has a pretty large search space, assuming your passwords have sufficient entropy.</p>
<p>Having said all that, I’m all for sites supporting longer passwords. Length does allow people to make more complex passwords that are far easier to type, which can be good for people just learning <a href="http://phoneboy.org/2016/06/09/good-password-hygiene-key-to-protecting-social-media-accounts/">good password hygiene</a>. Also, if it helps people <em>feel</em> more secure to have a longer password and adding support for longer passwords is trivial, why not support it?</p>
<p>Obviously, if there is a massive increase in available computing power anytime soon, some of these assumptions will have to be reexamined. That said, I suspect we’ll have bigger issues to deal with than just the security of our passwords.</p>
<p><strong>Disclaimer</strong>: My employer, <a href="https://www.checkpoint.com">Check Point Software Technologies</a>, didn’t offer an opinion on this issue. The above thoughts are my own.</p>
<p><a href="https://phoneboy.org/2017/02/27/how-long-is-long-enough-for-a-password/">How Long is Long Enough for a Password?</a> was originally published by Dameon D. Welch at <a href="https://phoneboy.org">PhoneBoy's Security Theater</a> on February 27, 2017.</p>
https://phoneboy.org/2017/02/24/cloudflares-with-a-chance-of-goatse | 2017-02-24T17:00:00-08:00 | Dameon D. Welch | https://phoneboy.org | dwelch@phoneboy.com
<p>As I’m sure you’ve heard by now, <a href="https://www.Cloudflare.com">Cloudflare</a> had a case of <a href="https://blog.Cloudflare.com/incident-report-on-memory-leak-caused-by-Cloudflare-parser-bug/">CloudBleed</a>, causing what amounts to a massive privacy violation for <em>any</em> site that happened to use them, at least if they used one of three specific features of Cloudflare: Email Obfuscation, Server-side Excludes, and Automatic HTTPS Rewrites. A <a href="https://github.com/pirate/sites-using-Cloudflare/blob/master/README.md">potential list of compromised sites</a> showed up, which may not be entirely accurate because plenty of sites use Cloudflare but may not necessarily use these features.</p>
<p>The advice that is given as a result of this bug?</p>
<blockquote>
<p>Check your password managers and change all your passwords, especially those on these affected sites. Rotate API keys & secrets, and confirm you have 2-FA set up for important accounts. This might sound like fear-mongering, but the scope of this leak is truly massive, and due to the fact that all Cloudflare proxy customers were vulnerable to having data leaked, it’s better to be safe than sorry.</p>
<p>Theoretically sites not in this list can also be affected (because an affected site could have made an API request to a non-affected one), you should probably change all your important passwords.</p>
</blockquote>
<p>Which is fine if, like me, you actually use a password manager (<a href="https://lastpass.com">I recommend LastPass</a>). However, it’s not entirely complete advice, as “HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data” were leaked. Changing passwords won’t suddenly fix this disclosure issue, particularly if the sites in question do a poor job invalidating cookies and tokens. Think that’s far-fetched? <a href="http://bgr.com/2017/02/16/yahoo-says-hackers-breached-your-account-in-new-attack-without-stealing-your-password/">Think again</a>.</p>
<p>Changing passwords also doesn’t fix applications that may have communicated on the backend to a Cloudflare-backed site (either on your behalf or otherwise). The potential scope of this issue is…scary.</p>
<p>That said, I can’t imagine everyone who ever used a given service over the last several months had their information disclosed. While this event increases the risk above zero, it’s not clear by how much for a given user. Also, the impact of disclosure of a login cookie/token for my bank or a service like Cloudflare is <em>far different</em> than for a site like Techdirt, which <a href="https://www.techdirt.com/articles/20170224/16145636783/just-to-be-safe-were-resetting-all-techdirt-passwords-response-to-cloudbleed.shtml">out of an abundance of caution is forcing everyone to reset their password on the site</a>.</p>
<p>I feel sorry for the average Internet user, who has seen umpteen of these notifications lately (just from Yahoo alone)! The advice of “change all your passwords” is quite simply untenable for the vast majority of Internet users. Even though I use a password manager as part of <a href="http://phoneboy.org/2016/06/09/good-password-hygiene-key-to-protecting-social-media-accounts/">good password hygiene</a>, I certainly don’t have time to visit all the sites in LastPass, much less change all my passwords manually!</p>
<p>And, as I noted earlier, changing your password won’t fully address the issue. Still, it’s probably as good a time as any to make sure your critical accounts are as protected as they can be. For me, that meant changing my Cloudflare password and API key as well as enabling multi-factor authentication. I’ve also changed the password for a few sites listed on the <a href="https://github.com/pirate/sites-using-Cloudflare/blob/master/README.md">potential list of compromised sites</a>. I will keep checking LastPass in case they decide to integrate this list of sites into their Security Challenge, which they’ve done in the past.</p>
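<p>The point about sites doing a poor job invalidating cookies and tokens is worth making concrete. The following is an added example of mine, not code from any site mentioned here: a minimal session-token scheme in which each token is HMAC-signed over a per-account credential version. The weak <code>change_password_weak</code> only replaces the password hash, so a token leaked before the change keeps working; the hardened <code>change_password</code> also bumps the version, which rejects every token issued before the rotation. The account names, passwords and the signing key are constructed for the example.</p>

```python
import hashlib
import hmac
import secrets

# Constructed server-side signing key; a real deployment keeps this in a secrets store.
SERVER_KEY = secrets.token_bytes(32)


class Account:
    """One user record: the password hash and a version counter for everything issued under it."""

    def __init__(self, username: str, password: str):
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.password_hash = self._hash(password)
        self.credential_version = 1   # bumped whenever the password (or an API key) is rotated

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)


def _sign(message: str) -> str:
    return hmac.new(SERVER_KEY, message.encode(), hashlib.sha256).hexdigest()


def issue_token(account: Account) -> str:
    """Session cookie / bearer token bound to the credential version current at issue time."""
    token_id = secrets.token_urlsafe(16)            # never contains ':'
    body = f"{account.username}:{token_id}:{account.credential_version}"
    return f"{body}:{_sign(body)}"


def validate_token(accounts: dict, token: str) -> bool:
    """Accept only tokens with a valid signature whose version is still the account's current one."""
    try:
        username, token_id, version, signature = token.split(":")
    except ValueError:
        return False
    body = f"{username}:{token_id}:{version}"
    if not hmac.compare_digest(_sign(body), signature):
        return False
    account = accounts.get(username)
    return account is not None and int(version) == account.credential_version


def change_password_weak(account: Account, new_password: str) -> None:
    """The poor job the post warns about: the hash changes, but every leaked cookie keeps working."""
    account.password_hash = account._hash(new_password)


def change_password(account: Account, new_password: str) -> None:
    """Hardened: rotating the credential also invalidates every token issued before the rotation."""
    account.password_hash = account._hash(new_password)
    account.credential_version += 1


if __name__ == "__main__":
    alice = Account("alice", "correct horse")           # constructed sample account
    directory = {"alice": alice}
    leaked = issue_token(alice)                         # imagine this cookie was in a leaked response
    change_password_weak(alice, "new password 1")
    print("after weak change, leaked token valid:", validate_token(directory, leaked))   # True
    change_password(alice, "new password 2")
    print("after hardened change, leaked token valid:", validate_token(directory, leaked))  # False
```

<p>The same version counter can cover API keys and OAuth refresh tokens, and a “sign out everywhere” button is just another increment of it.</p>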
<p>Even if you do none of this, <em>my guess</em> is that the vast majority of the users won’t be impacted by CloudBleed. At least I hope they won’t be.</p>
<p><strong>Disclaimer</strong>: My employer, <a href="https://www.checkpoint.com">Check Point Software Technologies</a>, didn’t offer an opinion on this issue. The above thoughts are my own.</p>
<p><a href="https://phoneboy.org/2017/02/24/cloudflares-with-a-chance-of-goatse/">Cloudflares with a Chance of Goatse</a> was originally published by Dameon D. Welch at <a href="https://phoneboy.org">PhoneBoy's Security Theater</a> on February 24, 2017.</p>
https://phoneboy.org/2017/01/04/automation-orchestration-and-the-cloud | 2017-01-04T12:00:00-08:00 | Dameon D. Welch | https://phoneboy.org | dwelch@phoneboy.com
<p>A while ago, I posted the following as a somewhat cryptic message on Twitter and LinkedIn:</p>
<center>
<img src="/images/tweet-clear-skies-ahead.png" />
</center>
<p>To give this tweet a little more context, I’ll reference <a href="/2016/04/28/the-great-cloud-migration-existential-threat-or-opportunity/">a previous post about the cloud</a>, where I said the following:</p>
<blockquote>
<p>In the cloud, infrastructure and applications can come and go with the push of a button. Need another 10 webservers? Done. Need to burst to handle three times the traffic? No problem. Sure, you’ve got to have physical machines to run on, but racking and stacking that stuff is easy. The physical topology? Flat. The virtual topology? Changes every second.</p>
<p>If you’re not treating your “cloud” infrastructure in an automated fashion, you’re doing it wrong. You’re also doomed to make the same mistakes and more that you’re making today. While some of the same tools can be used in the cloud, they integrate a bit differently. There are also a number of additional considerations that must be made for cloud—considerations that, quite frankly, are very different from physical networks.</p>
</blockquote>
<p>I did get something wrong in the above statement, and it’s a mistake that a lot of people make. Instead of saying “automated fashion” I should have said “orchestrated fashion.” The reason is simple: while automation and orchestration are related, they are not the same thing.</p>
<p>Automation is something good sysadmins have been doing for 30+ years. Instead of doing a repetitive task over and over again, where you are bound to make mistakes, you build a script to do the hard work for you. If you’re clever, you might also create a system to execute that script on a number of systems. I actually worked on a system that did this back in the early 90s. <a href="https://www.chef.io/">Chef</a> is a more modern version of the framework we built using shell scripts and rsh (this was pre-SSH).</p>
<p>The key thing about automation is you still have to know how to do whatever it is you’re trying to do and the order in which those commands should be run. You have to be able to handle all the various error conditions and the like as well.</p>
<p>Orchestration is a level above automation: it’s about the intent. Automation is leveraged to bring that intent to life, but orchestration is less concerned with <em>how</em> the result is achieved, only that it is.</p>
<h2 id="what-does-automation-and-orchestration-have-to-do-with-the-cloud">What Does Automation and Orchestration Have To Do With The Cloud?</h2>
<p>Everything.</p>
<p>Automation and orchestration are what give the cloud its magical properties. Automation makes it possible to build an entire application stack with the security you specify in seconds; orchestration tells the system when and where to spin it up. Orchestration is also able to monitor the application stack for load and spin up more capacity as required, with all the necessary steps automated so it happens.</p>
<p>Which means, if all you’re doing is taking your existing manually deployed applications and business processes and moving them to AWS or Azure, all you’re doing is using someone else’s computer. You are gaining little to no benefit from the inherent automation and orchestration frameworks built into AWS or Azure.</p>
<p>By the way, the same thing goes for your VMware, OpenStack, or other similar privately hosted environments. You might gain some benefit from the consolidation of hardware, but you will gain none of the agility and have to adjust to growing complexity.</p>
<p>Embracing automation and orchestration in a cloud environment (public and private) does require relearning some tasks. Some of the fundamental assumptions that underlie networking are a bit different. Which means you may not be able to deploy things the same way as you did in the past, but that’s ok. Not every component of every traditionally deployed application is necessarily automation and orchestration friendly.</p>
<p>The good news is that automation and orchestration can improve security by ensuring everything is deployed in its most secure manner by default, which includes using the most up-to-date components. It can also deploy full next generation threat prevention with <a href="https://www.checkpoint.com/products-solutions/vsec-cloud-security/">Check Point vSEC</a> or other, similar tools.</p>
<p>Patching? Upgrading? Who does that in the cloud? You just redeploy your apps with the new versions automatically. If it fails for some reason, you can easily put the old versions back in.</p>
<p>By the way, those Software as a Service applications you and everyone else uses? They’re built this way, all with automation and orchestration on the backend to make it “just work.” When your executives tell you to “move to the cloud,” this is what they really want: services that just work.</p>
<p>Many IT organizations have not delivered on this vision. This includes ones that have supposedly moved to the cloud. Because without automation and orchestration, the cloud is just another computer.</p>
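<p>As an added illustration of the automation/orchestration distinction (my example, not Check Point’s or any cloud provider’s code), the following reconcile loop expresses intent as a desired state and drives a stand-in provider API toward it. The automation is the scripted <code>deploy_instance</code> step; the orchestration is <code>reconcile</code>, which only cares that the observed state ends up matching the intent. The “redeploy with the new version, and put the old one back if it fails” behaviour described above is the rollback branch. <code>FakeCloud</code>, the <code>-broken</code> version tag and the health-check rule are constructed for the example.</p>

```python
from dataclasses import dataclass


@dataclass
class Instance:
    name: str
    version: str
    healthy: bool


@dataclass
class Desired:
    """The intent: which version of a service should run, and how many copies."""
    service: str
    version: str
    replicas: int


class FakeCloud:
    """Constructed stand-in for a provider API; not any real SDK."""

    def __init__(self):
        self.instances = []
        self._seq = 0

    def launch(self, service: str, version: str) -> Instance:
        self._seq += 1
        # Constructed failure mode: a version tagged "-broken" never passes its health check.
        inst = Instance(f"{service}-{self._seq}", version, healthy=not version.endswith("-broken"))
        self.instances.append(inst)
        return inst

    def terminate(self, inst: Instance) -> None:
        self.instances.remove(inst)


def deploy_instance(cloud: FakeCloud, service: str, version: str) -> Instance:
    """Automation: the scripted 'how' for one instance (launch; configure and
    health-check would go here). It knows the steps and their order, nothing else."""
    return cloud.launch(service, version)


def reconcile(cloud: FakeCloud, desired: Desired) -> list:
    """Orchestration: compare observed state with the intent and drive it there.
    Returns the actions taken; an empty list means reality already matched the intent."""
    actions = []

    def mine():
        return [i for i in cloud.instances if i.name.startswith(desired.service + "-")]

    # 1. Replace stale or unhealthy instances one at a time: launch the new one first,
    #    and if it fails its health check, drop it and stop the rollout (the old one keeps serving).
    for old in list(mine()):
        if old.version == desired.version and old.healthy:
            continue
        new = deploy_instance(cloud, desired.service, desired.version)
        if not new.healthy:
            cloud.terminate(new)
            actions.append(f"rollback: {desired.version} failed health check, kept {old.name} ({old.version})")
            return actions
        cloud.terminate(old)
        actions.append(f"replaced {old.name} ({old.version}) with {new.name} ({new.version})")

    # 2. Scale out or in to the desired replica count.
    while len(mine()) < desired.replicas:
        new = deploy_instance(cloud, desired.service, desired.version)
        if not new.healthy:
            cloud.terminate(new)
            actions.append(f"rollback: {desired.version} failed health check while scaling out")
            return actions
        actions.append(f"launched {new.name} ({new.version})")
    while len(mine()) > desired.replicas:
        extra = mine()[-1]
        cloud.terminate(extra)
        actions.append(f"terminated surplus {extra.name}")
    return actions


if __name__ == "__main__":
    cloud = FakeCloud()
    cloud.launch("web", "v1")
    cloud.launch("web", "v1")
    for step in reconcile(cloud, Desired("web", "v2", 3)):
        print(step)
    print("second pass:", reconcile(cloud, Desired("web", "v2", 3)))   # [] : nothing to do
    for step in reconcile(cloud, Desired("web", "v3-broken", 3)):
        print(step)                                                   # rollback, v2 still serving
```

<p>Running <code>reconcile</code> again after convergence is a no-op, which is the property that lets the same loop handle patching, scaling and recovery from a failed instance alike.</p>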
<p><strong>Disclaimer</strong>: My employer, <a href="https://www.checkpoint.com">Check Point Software Technologies</a>, is always trying to stay one step ahead of the threats, even in the cloud. The above thoughts are my own.</p>
<p><a href="https://phoneboy.org/2017/01/04/automation-orchestration-and-the-cloud/">Automation, Orchestration, and The Cloud</a> was originally published by Dameon D. Welch at <a href="https://phoneboy.org">PhoneBoy's Security Theater</a> on January 04, 2017.</p>
https://phoneboy.org/2016/12/14/which-comes-first-the-ports-or-the-application-id | 2016-12-14T12:00:00-08:00 | Dameon D. Welch | https://phoneboy.org | dwelch@phoneboy.com
<p>Back when I started working with the Check Point product in 1996, things were much simpler. We still had plenty of IPv4 addresses, there weren’t a whole lot of users using the Internet, and applications were few and far between. To permit applications through a perimeter, it was generally considered best practice to open up the necessary TCP/UDP ports or use an application proxy.</p>
<p>For some applications, the act of opening up ports was complicated because the ports were determined dynamically. A good example of a classic protocol that does this is FTP. There were others, of course, but this was common back in the 1990s and is still used today. Check Point (and other vendors) had to have intelligence built into their product to account for FTP and a number of other protocols.</p>
<p>And then web-based applications became a thing. Now, if you’re allowing web traffic with no further classification, you might as well have an open firewall, because for all intents and purposes, it is. Even a single IP can host many different websites (some good, some not). And, of course, the content of a “good” website could also be “bad” at times. This created a clear need to control based not only on ports and IPs, but on other elements.</p>
<p>Enter Palo Alto Networks, who in 2007 released the first version of their product that is built around applications versus IP and ports. To be clear, this wasn’t a new concept as firewalls have been doing this in some capacity for years. However, Palo Alto’s approach resonated with customers, they gained market share, and other vendors started implementing similar technology.</p>
<p>The technology that Palo Alto Networks developed is called App-ID and they explain it as follows in their <a href="https://www.paloaltonetworks.com/resources/techbriefs/app-id-tech-brief">APP-ID Tech Brief</a>:</p>
<blockquote>
<p>App-ID uses multiple identification techniques to determine the exact identity of applications traversing your network – irrespective of port, protocol, evasive tactic, or encryption. Identifying the application is the very first task performed by App-ID, providing you with the knowledge and flexibility needed to safely enable applications and secure your organization.</p>
</blockquote>
<p>Sounds magical. I can now build a security policy based on applications alone without regard to the ports they use? Or can I?</p>
<p><img src="/images/pan-appid-flow.png" alt="appid" /></p>
<p>Even Palo Alto Networks’ own documentation says the very first check is based on IP and Port, exactly the way every other vendor does it. You know why? Because that’s the only way <em>to</em> do it.</p>
<p>If I open a TCP connection to 192.0.2.1 port 80, the first packet sent is a TCP SYN. Here’s what I know from that:</p>
<ol>
<li>It’s likely a web-based connection. That said, anything can use port 80, so that’s only an assumption.</li>
<li>It could be a connection to do a Google search, gmail, Google Maps, Google Drive, or any other Google property. Or Office 365 apps. Or something else.</li>
<li>I might be able to do a reverse lookup on the IP to see where it’s going, but that adds latency and provides no guarantee the lookup will show you anything that will help identify the app or website. Or tell you if the content being served up is actually safe.</li>
</ol>
<p>Bottom line: more information is needed. A few more packets must be let through on the connection before we know exactly what it is.</p>
<p>Let’s assume for a moment we take the position that we don’t care about ports at all, only applications, as I often hear Palo Alto Networks reps say. What can happen? First of all, you can do reconnaissance on anything beyond the firewall. If you do this rapidly, you’ll probably trigger the various protections in place to detect port scanning and similar activity, but it could easily be done in a “low and slow” manner that these detections probably won’t trigger.</p>
<p>Even Palo Alto Networks has a concept of ports that tie in with applications. This is configured on a per-rule/service basis, as shown below:</p>
<p><img src="/images/pan-application-default.png" alt="application-default" /></p>
<p><a href="https://live.paloaltonetworks.com/t5/Learning-Articles/Tips-amp-Tricks-What-Does-Application-default-Under-Service-Mean/ta-p/54167">Per a post on their community</a>, Application Default means:</p>
<blockquote>
<p>Choosing this means that the selected applications are allowed or denied only on their default ports defined by Palo Alto Networks. This option is recommended for allow policies because it prevents applications from running on unusual ports and protocols, which if not intentional, can be a sign of undesired application behavior and usage.</p>
</blockquote>
<p>Which is, of course, correct. Ports <em>do</em> matter, as they filter out a lot of undesirable traffic. Palo Alto Networks simply masks this fact by allowing you to build only application-centric policies and not a separate policy for ports and applications the way Check Point currently does it.</p>
<p>Is an application-centric policy better? It certainly means fewer policies to configure and is one benefit of Palo Alto’s solution. Check Point will offer similar functionality in the R80.10 release, which, at this writing, is available as a Public Early Availability release.</p>
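<p>As an added example of the point made about the first packets of a connection (my code, not Palo Alto Networks’ or Check Point’s), here is a toy classifier: given the destination port and whatever payload has been seen so far, it returns only an assumption for the bare SYN, and identifies the application once an SSH banner, a TLS ClientHello with SNI, or an HTTP request line with a Host header arrives. <code>evaluate</code> then applies a rule in the spirit of “application-default”: the application must be on the allow list <em>and</em> on its expected port. The default-port table, the ClientHello builder used to construct sample input, and all hostnames are constructed for the example.</p>

```python
import struct

# Constructed "application-default" table: the port(s) on which each identified
# application is expected. Not any vendor's real data.
APPLICATION_DEFAULT = {"web-browsing": {80}, "ssl": {443}, "ssh": {22}}


def build_client_hello(server_name: str) -> bytes:
    """Builds a minimal TLS 1.2 ClientHello carrying an SNI extension (sample input only)."""
    name = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name     # name_type host_name, length, name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list          # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32)         # client_version, random (zeros in the sample)
            + b"\x00"                       # empty session_id
            + b"\x00\x02\x13\x01"           # one cipher suite
            + b"\x01\x00"                   # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(payload: bytes):
    """Returns the server_name from a TLS ClientHello, or None if the bytes are not one."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:
            return None
        pos = 5 + 4 + 2 + 32                                       # record hdr, handshake hdr, version, random
        pos += 1 + payload[pos]                                    # session_id
        pos += 2 + struct.unpack_from("!H", payload, pos)[0]       # cipher_suites
        pos += 1 + payload[pos]                                    # compression_methods
        ext_end = pos + 2 + struct.unpack_from("!H", payload, pos)[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack_from("!HH", payload, pos)
            pos += 4
            if etype == 0:                                         # list len(2), name_type(1), len(2), name
                nlen = struct.unpack_from("!H", payload, pos + 3)[0]
                return payload[pos + 5:pos + 5 + nlen].decode("ascii", "replace")
            pos += elen
    except (IndexError, struct.error):
        return None
    return None


def classify(dst_port: int, payload: bytes):
    """What the gateway can say about a flow from the bytes seen so far: (application, reason)."""
    if not payload:                                                # the SYN: only the port is known
        return "unknown", f"port {dst_port} only, no payload yet"
    if payload.startswith(b"SSH-"):
        return "ssh", "SSH version banner"
    sni = extract_sni(payload)
    if sni:
        return "ssl", f"TLS ClientHello, SNI={sni}"
    request_line, _, rest = payload.partition(b"\r\n")
    if request_line.endswith((b" HTTP/1.1", b" HTTP/1.0")):
        host = next((h.split(b":", 1)[1].strip().decode("ascii", "replace")
                     for h in rest.split(b"\r\n") if h.lower().startswith(b"host:")), "?")
        return "web-browsing", f"HTTP request, Host={host}"
    return "unknown", "payload not recognised"


def evaluate(allowed_apps: set, dst_port: int, payload: bytes):
    """A rule whose service is application-default: the application must be on the allow
    list and on its default port. Returns (verdict, application, reason); 'pending' means
    more packets must be let through before the rule can be decided."""
    app, reason = classify(dst_port, payload)
    if app == "unknown":
        return ("pending" if not payload else "drop"), app, reason
    if app not in allowed_apps:
        return "drop", app, f"{reason}; {app} not permitted"
    if dst_port not in APPLICATION_DEFAULT[app]:
        return "drop", app, f"{reason}; {app} on non-default port {dst_port}"
    return "allow", app, reason


if __name__ == "__main__":
    print(evaluate({"ssl"}, 443, b""))                                   # pending: SYN only
    print(evaluate({"ssl"}, 443, build_client_hello("www.example.com")))  # allow
    print(evaluate({"ssh"}, 443, b"SSH-2.0-OpenSSH_8.9\r\n"))           # drop: ssh on 443
```

<p>The <code>pending</code> verdict on the bare SYN is the whole argument in one line: until the payload arrives, port and IP are all there is to decide on, and the port check is what keeps an application from quietly running somewhere unexpected.</p>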
<h2 id="whitelist-versus-blacklist">Whitelist versus Blacklist</h2>
<p>This whole post spawned out of a discussion I started on LinkedIn when I posted this graphic, highlighting the number of applications supported by the different next generation firewall vendors:</p>
<p><img src="/images/apps-supported-201610.png" alt="apps-supported-201610" /></p>
<p>Various Palo Alto reps on the thread pointed out the number of applications supported didn’t matter as much because the way you should do it is to only allow specific applications and block the rest. Which, if you have a single policy for ports and applications, is a little easier to achieve. It is also possible to achieve in Check Point, but it does require some additional effort compared to Palo Alto.</p>
<p>Even with a whitelist approach where you permit only a small number of applications to pass, you have to be able to differentiate safe traffic from malicious traffic. As an example, specific anonymizers can appear to behave like innocuous web browsing. This is why Palo Alto Networks and others can also identify specific malicious applications to help differentiate.</p>
<p>It’s also why the number of applications a particular solution can identify matters greatly. As an example, I ran a <a href="https://www.checkpoint.com/resources/securitycheckup/">Security Checkup</a> at a Palo Alto Networks customer and saw the following applications:</p>
<p><img src="/images/securitycheckup-anonymizers.png" alt="checkup-anonymizers" /></p>
<p>In this case, the Security Checkup appliance was positioned outside of a Palo Alto Networks gateway filtering traffic. The report from which this snapshot was taken ran in February 2016. You can see that Gom VPN and Betternet are clearly being allowed, judging by the amount of traffic compared to some of the others, which are clearly being blocked given their limited amount of traffic. I checked <a href="https://applipedia.paloaltonetworks.com/">Applipedia</a> and these anonymizers are <em>still</em> not supported (as of 11th December 2016, at least).</p>
<p>It’s also worth noting that a whitelist approach carries a bit more administrative overhead and only works when the applications you want to allow are defined. So being able to detect more applications is clearly better even if you employ a whitelisting approach: either way, more is better. And, as noted before, this whitelist strategy will be easier to implement in the Check Point R80.10 release.</p>
<p><strong>Disclaimer</strong>: My employer, <a href="https://www.checkpoint.com">Check Point Software Technologies</a>, is always trying to stay one step ahead of the threats as well as the competition. The views above, however, are my own.</p>
<p><a href="https://phoneboy.org/2016/12/14/which-comes-first-the-ports-or-the-application-id/">Which Comes First, the Ports or the Application ID?</a> was originally published by Dameon D. Welch at <a href="https://phoneboy.org">PhoneBoy's Security Theater</a> on December 14, 2016.</p>
https://phoneboy.org/2016/12/08/networks-without-borders | 2016-12-08T16:00:00-08:00 | Dameon D. Welch | https://phoneboy.org | dwelch@phoneboy.com
<p>I’ve spent the better part of twenty years focusing on network security. That wasn’t what I started out to do in my life; I was just sort of there and the industry grew up around me. I now see a day where network security is the exception rather than the rule.</p>
<p>Twenty years ago, people were using a few apps mostly hosted onsite from a few, wired locations. Most of the communications were not encrypted to boot. This made it practical to use perimeter security devices to restrict who could go where and monitor the flow of data.</p>
<p>These days, networks are abundant and broadband. Users have multiple devices to connect across multiple networks, few of which go through some sort of perimeter security device you can control. Communications are plentiful with an increasing percentage of them encrypted. The applications used are also plentiful and increasingly hosted in the cloud, i.e. on someone else’s infrastructure.</p>
<p>In new organizations built on Software and/or Infrastructure as a Service, the traditional perimeter gateway serves almost no purpose. There’s nothing in the network to segment and there is little you can do in the network to protect.</p>
<p>To be clear, the traditional perimeter is not going away anytime soon for many organizations. There’s far too much legacy infrastructure that still needs protecting and a perimeter gateway may be your best bet. However, if you’re only looking at security from a network perspective, you’re missing out on an increasingly larger part of the picture. In the long run, visibility and security controls have to move closer to the endpoints. Not only those the end user uses, which includes traditional desktop/laptop and mobile devices, but the servers they connect to.</p>
<p>For cloud infrastructure hosted in VMware, OpenStack, AWS, Azure, or similar, this can be done through the use of microsegmentation, but make sure you are able to inspect traffic beyond layers 3 and 4. The good news is that Software Defined Networking technologies make it easy to apply deep inspection only to the traffic that needs it and not for all traffic. With the right solutions, the security will be enforced dynamically based on groups defined in the virtualization environment without regard to IP addresses. Also, traditional physical network security controls can make use of this information to make more intelligent enforcement decisions!</p>
<p>For Software as a Service offerings, you may need to utilize something like a cloud access security broker (CASB), a software tool or service that sits between an organization’s on-premises infrastructure and a cloud provider’s infrastructure. A CASB allows you to integrate familiar security controls with SaaS applications to extend visibility and enforcement of security policy beyond on premise infrastructure.</p>
<p>On endpoints, it’s simply not enough to employ regular anti-virus anymore; you also need tools that can block zero-day threats, which usually enter a system through a web browser, email, or USB. Some vendors address this with highly instrumented solutions similar to <a href="https://support.microsoft.com/en-us/kb/2458544">Microsoft EMET</a> or on-endpoint virtualization, which of course adds load to endpoints that probably already have too many agents installed. Keeping the protection lightweight and effective is key.</p>
<p>Mobile devices have their own challenges. Mobile Device Management is a good start, but for true bring your own device models, end users may object to the controls this provides. It also does not address issues of user/corporate data segmentation or mobile-focused malware. A specific threat prevention solution for mobile threats is definitely required.</p>
<p>Ideally, of course, all of these solutions can be managed centrally with events correlated across them. Some centralized identity framework that supports both on-premise and cloud-based applications will also be useful. Having identity correlated with your security events is even better.</p>
<p>It’s a challenge, but I feel like we finally have the technology to get this security thing right, or at least better than we’ve been able to do in the past. It’s going to take some effort to get there, along with supporting business processes and people, but I am hopeful organizations can and will get there.</p>
<p><strong>Disclaimer</strong>: My employer, <a href="https://www.checkpoint.com">Check Point Software Technologies</a>, does offer solutions to some of the above challenges. The views above, however, are my own.</p>
<p><a href="https://phoneboy.org/2016/12/08/networks-without-borders/">Networks Without Borders</a> was originally published by Dameon D. Welch at <a href="https://phoneboy.org">PhoneBoy's Security Theater</a> on December 08, 2016.</p>
https://phoneboy.org/2016/11/19/get-over-windows-defender-already-av-vendors | 2016-11-19T16:00:00-08:00 | Dameon D. Welch | https://phoneboy.org | dwelch@phoneboy.com
<p>From <a href="https://eugene.kaspersky.com/2016/11/10/thats-it-ive-had-enough/">That’s It. I’ve Had Enough!</a>:</p>
<blockquote>
<p>Users of Windows 10 have been complaining that the system is changing settings, uninstalling user-installed apps, and replacing them with standard Microsoft ones.</p>
<p>A similar thing’s been happening with security products.</p>
<p>When you upgrade to Windows 10, Microsoft automatically and without any warning deactivates all ‘incompatible’ security software and in its place installs… you guessed it – its own Defender antivirus. But what did it expect when independent developers were given all of one week before the release of the new version of the OS to make their software compatible? Even if software did manage to be compatible according to the initial check before the upgrade, weird things tended to happen and Defender would still take over.</p>
</blockquote>
<p>And then the piece goes on to talk about how Microsoft is being anti-competitive and Kaspersky is going to take this up with official government bodies in the EU and Russia.</p>
<p>If we’re simply talking about Anti-Virus here, I don’t know that Kaspersky, or anyone else for that matter, is doing anything that much better than anyone else. The technology has inherent limits and, generally speaking, efficacy comes down to how quickly signatures are generated and deployed.</p>
<p>We know how effective AV is in general. It’s why Check Point and numerous other vendors, including Kaspersky, offer different solutions that address threats AV cannot by itself. This is where security software vendors should be focusing their efforts. Stop fighting with Microsoft over Windows Defender.</p>
<p><strong>Disclaimer</strong>: My blog, my personal opinions. I’m sure you knew that.</p>
<p><a href="https://phoneboy.org/2016/11/19/get-over-windows-defender-already-av-vendors/">Get Over Windows Defender Already, AV Vendors!</a> was originally published by Dameon D. Welch at <a href="https://phoneboy.org">PhoneBoy's Security Theater</a> on November 19, 2016.</p>
https://phoneboy.org/2016/09/01/a-word-about-competition-in-the-information-security-industry | 2016-09-01T00:00:00-07:00 | Dameon D. Welch | https://phoneboy.org | dwelch@phoneboy.com
<p><a href="https://phoneboy.org/2016/09/01/a-word-about-competition-in-the-information-security-industry/">A Word About Competition In The Information Security Industry</a> was originally published by Dameon D. Welch at <a href="https://phoneboy.org">PhoneBoy's Security Theater</a> on September 01, 2016.</p>
https://phoneboy.org/2016/08/15/is-past-security-performance-indicative-of-future-results | 2016-08-15T11:00:00-07:00 | Dameon D. Welch | https://phoneboy.org | dwelch@phoneboy.com
<p>It’s a phrase you will see in the fine print of any document related to past performance of a money manager, mutual fund, or managed financial account: “Past performance is not necessarily indicative of future results.” The same disclaimer could easily be applied to information security products and their ability to stop threats.</p>
<p>The most obvious technology this statement applies to: anti-virus. While it does a great job at doing what it was designed to do–block known, malicious files–it has limitations in the kinds of malicious files it can identify. It also can be a source of additional vulnerabilities, <a href="http://www.scmagazine.com/vulnerabilities-in-symantec-products-create-worst-case-scenario-users-urged-to-update/article/506853/">such as what recently was discovered in Symantec’s Endpoint products by Google</a>. I suspect any widely deployed security technology will suffer a similar fate: either the technology itself is attacked or the technology is rendered ineffective through innovation by the bad guys.</p>
<p>Where I think “past performance” is indicative with security products is: how quickly security issues discovered in the product are remediated. Because let’s face it: every security product will be vulnerable to some discovered issue at some point. What ultimately matters is how quickly you remediate these issues.</p>
<p>For a company that uses “Prevention is Non-Negotiable” as their marketing message, <a href="http://paloaltonetworks.security">Palo Alto Networks</a> is not so good at fixing security issues discovered in their products. Here’s the latest example from the <a href="https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os-release-notes/pan-os-7-1-4-addressed-issues#91886">PAN-OS 7.1.4 release notes</a>:</p>
<p><img src="/images/panos-714-cve.png" alt="PAN OS 7.1.4 Fixed CVE" /></p>
<p>The <a href="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7547">National Vulnerability Database</a> lists this as a high-severity issue. The time to issue a public patch? <strong>Nearly 6 months from date of discovery</strong>. Based on the response times Check Point has seen when <a href="https://www.checkpoint.com/3rd-party-security-vulnerabilities-advisories/">security vulnerabilities were responsibly disclosed to them</a>, this timeframe doesn’t seem all that surprising.</p>
<p>To be fair, it’s possible that Palo Alto Networks did a risk assessment on these issues and determined the likelihood of exploit is low enough that they didn’t need to fix these issues urgently. They may be right, but when you preach “Prevention is Non-Negotiable,” taking 6 months to fix a known security vulnerability in your product <em>just looks bad</em>. Actions, ultimately, speak louder than marketing.</p>
<p><strong>Disclaimer</strong>: My employer, <a href="https://www.checkpoint.com">Check Point</a>, believes in addressing issues like this quickly. These views, however, are my own.</p>
<p><a href="https://phoneboy.org/2016/08/15/is-past-security-performance-indicative-of-future-results/">Is Past (Security) Performance Indicative of Future Results?</a> was originally published by Dameon D. Welch at <a href="https://phoneboy.org">PhoneBoy's Security Theater</a> on August 15, 2016.</p>
https://phoneboy.org/2016/07/15/do-you-really-need-threat-intelligence | 2016-07-15T15:00:00-07:00 | Dameon D. Welch | https://phoneboy.org | dwelch@phoneboy.com
<p>From <a href="http://www.osint.fail/2016/07/12/whack-a-mole-intel/">Beyond Whack-A-Mole “Intel”</a>:</p>
<blockquote>
<p>In all of this, after the hours spent finding it, ripping it apart, and figuring out which IP or domain it came from so you can write a signature, blacklist and block it, what have you learned about your enemy? Better yet, what have you converted from an observation into codified knowledge that can be used later – that is not an IOC? What do you know about their objectives, short and long term? What do you know about their resource needs, infrastructure, motivations (are they political or financial)?</p>
</blockquote>
<p>To put it another way: you spend a lot of time figuring out what happened, but not <em>why</em> it happened. Not the technical reasons–those are easy–but who was behind the attack, what was their motivation, what are they really after, and so on.</p>
<p>The author of this piece suggests a need to actually perform this research–after whacking the mole, of course. I see a couple of problems with this suggestion:</p>
<ol>
<li>Most organizations are not actively targeted. They are merely collateral damage suffered from larger efforts to spread malware. These organizations lack the resources to do this sort of research anyway and, even if they did, barely have the resources to act on that information.</li>
<li>The largest organizations that are actively targeted have the staff to do this (and they largely already are). Could they be better at it? Sure.</li>
</ol>
<p>I’m not saying threat intelligence is a bad thing, I’m just saying in the hierarchy of information security needs, there are several base needs that must be satisfied first. Many organizations will never get to the point of needing this.</p>
<p>What I think would be useful to a larger percentage of organizations are tools that leverage threat research <em>others</em> are already doing and actually <em>act</em> on that research automatically. And no, I’m not talking about just IOCs (which will undoubtedly be part of this).</p>
<p>I know what you’re thinking: it sounds like an easy button for security. It doesn’t exist today, but I have no doubt someone will create it. We’re going to need it to stay one step ahead.</p>
<p><strong>Disclaimer</strong>: My employer, <a href="https://www.checkpoint.com">Check Point</a>, may or may not be working on such a thing, I don’t know. These views, however, are my own.</p>
<p><a href="https://phoneboy.org/2016/07/15/do-you-really-need-threat-intelligence/">Do You Really Need Threat Intelligence?</a> was originally published by Dameon D. Welch at <a href="https://phoneboy.org">PhoneBoy's Security Theater</a> on July 15, 2016.</p>
https://phoneboy.org/2016/06/30/resisting-comparison 2016-06-30T16:30:00-07:00 2016-06-30T16:30:00-07:00 Dameon D. Welch https://phoneboy.org dwelch@phoneboy.com
<p>From <a href="https://blogs.sophos.com/2016/06/29/thoughts-on-comparative-testing/">Sophos Blog: Thoughts on Comparative Testing</a></p>
<blockquote>
<p>Cylance itself has acquired access to many other vendors’ products, including Sophos, and has been using them in its own competitive testing in public demos, in violation of end user licenses. In fact, Cylance just renewed its licenses for Sophos products through one of our partners. When Cylance acquires our software we don’t threaten the reseller. Note that despite our efforts, to date, Cylance has been unwilling to allow us to license its products.</p>
</blockquote>
<p>As long as there has been a marketplace for products, vendors of products have always sought to acquire the competition’s products to understand if they are better and how. Likewise, third party analyst firms acquire products from a number of vendors in a space to compare and contrast them. No matter what vendors might try to do, <a href="/2014/11/20/what-is-palo-alto-networks-afraid-of/">including End User License Agreements to restrict product uses</a>, these activities will continue unabated.</p>
<p>It seems silly to me that organizations deploy products to protect their critical assets without doing due diligence to make sure the <a href="/2016/01/26/third-party-validation-of-security-solutions-now-more-important-than-ever/">products do what their marketing claims they do</a>. That said, information security departments in companies of all sizes are understaffed and barely have the time to operate the tools they have, much less evaluate the efficacy of new tools.</p>
<p>A quality information security product should stand up to reputable third party scrutiny. Even if you don’t do a direct comparison yourself, there are plenty of analyst firms who do these sorts of comparative evaluations and publish their results (usually for a fee). While it’s impossible for vendors to participate in all third party testing and not all third party evaluations are created equal, a dearth of third party evaluations for a particular vendor’s products should be a huge red flag.</p>
<p>The one sort of scrutiny that no vendor can ignore is the scrutiny of the bad guys. They are <strong>guaranteed</strong> to find the product flaws you didn’t find in testing or didn’t find documented in the third party evaluation reports that you didn’t read.</p>
<p><strong>Disclaimer</strong>: My employer, Check Point, also recently <a href="https://www.checkpoint.com/resources/cybersecurity-threats-fact-vs-hype/">called out a competitor</a> on their marketing claims. These views, however, are my own.</p>
<p><a href="https://phoneboy.org/2016/06/30/resisting-comparison/">Resisting Comparison</a> was originally published by Dameon D. Welch at <a href="https://phoneboy.org">PhoneBoy's Security Theater</a> on June 30, 2016.</p>
https://phoneboy.org/2016/06/09/good-password-hygiene-key-to-protecting-social-media-accounts 2016-06-09T15:00:00-07:00 2016-06-09T15:00:00-07:00 Dameon D. Welch https://phoneboy.org dwelch@phoneboy.com
<p>From <a href="http://arstechnica.com/security/2016/06/nfls-breached-twitter-account-falsely-claims-commissioner-goodell-is-dead/">Miscreants breach NFL’s Twitter account, reveal its weak password</a></p>
<blockquote>
<p>Online miscreants took over the National Football League’s Twitter account and used it to falsely report the death of league commissioner Roger Goodell.</p>
<p>During the brief span that @NFL was taken over, it followed exactly one new Twitter account—specifically, @IDissEverything, which has now been suspended. Before the account was suspended, it claimed the password protecting the NFL Twitter feed was “olsen3culvercam88.” The Daily Dot said someone connected to the IDissEverything account claimed the password was revealed after someone managed to get into the email of a social media staffer at the NFL, “where we found the credentials in a message.” It’s still not clear how the group got access to the e-mail account.</p>
</blockquote>
<p>Between all the various password dumps that have taken place recently (<a href="http://techcrunch.com/2016/06/08/twitter-hack/">32 million Twitter credentials, anyone?</a>), generally poor password choices, and even poorer password hygiene, it seems a lot of social media accounts are getting hacked these days. Including <a href="http://www.bizjournals.com/sanfrancisco/blog/techflash/2016/06/linkedin-breach-mark-zuckerberg-hacking-security.html">those of Facebook CEO Mark Zuckerberg</a> and <a href="http://mashable.com/2016/06/08/ev-williams-twitter-hacked/">Twitter co-founder Ev Williams</a>.</p>
<p>Given how people are slow to change their habits, I don’t see this trend changing anytime soon. To make matters worse, social media services themselves can have security issues, too. <a href="http://blog.checkpoint.com/2016/06/07/facebook-maliciouschat/">My colleagues at Check Point helped Facebook find a pretty serious issue in their Messenger application</a>.</p>
<p>Earlier this week, I was interviewed by reporter <a href="https://twitter.com/AnnieGaus">Annie Gaus</a> for an article on these credential breaches. <a href="http://www.bizjournals.com/sanfrancisco/blog/techflash/2016/06/ceos-hacked-zuckerberg-facebook-twitter-linkedin.html">The advice I was quoted giving in the article</a> shouldn’t be anything you haven’t heard before. Now might be a good time to implement it, especially if you happen to be a high-profile person or someone who manages the social media accounts of organizations.</p>
<h2 id="use-strong-unique-passwords-for-each-site">Use Strong, Unique Passwords For Each Site</h2>
<p>If there’s one thing these recent site hacks taught us, it’s that using the same password on every site is a bad idea. People still generally pick passwords that, in the <a href="http://www.imdb.com/title/tt0094012/quotes">immortal words of Spaceballs</a>, an idiot would have on their luggage!</p>
<p>So, yes, use a unique password on each site. Also, make sure it’s not something simple. Complexity is good. Length is better. Long and complex is even better!</p>
<p>My favorite way to get a sense of how good a password I’ve chosen is to use the <a href="https://www.grc.com/haystack.htm">Password Haystack page</a> from Gibson Research. It’s not a “password strength meter,” but it gives you a good idea how long it would take for your password to be guessed via brute force. There’s also some good advice on this page on how to construct a password that is both easy to remember and strong enough to hold up to brute force guessing.</p>
<h2 id="use-a-password-manager">Use A Password Manager</h2>
<p>While it is true a password manager creates a single point of attack—and failure—a good password manager has several benefits that outweigh the risks. This assumes you use it with a strong master password, of course.</p>
<ul>
<li>Provides a way to securely sync password vaults across multiple computers and mobile devices.</li>
<li>Allows you to use more complex passwords without having to remember them.</li>
<li>Provides an indication of the last time you used a specific password.</li>
<li>Provides an indication of the last time you changed a specific password.</li>
<li>Provides a mechanism to tell you when you are using the same password on multiple sites.</li>
</ul>
<p><a href="https://lastpass.com">LastPass</a> is my password manager of choice. Other people like <a href="https://1password.com/">1Password</a>. I can’t speak for others that may exist, though I can assure you they are not all created equal.</p>
<h2 id="use-two-factor-authentication">Use Two Factor Authentication</h2>
<p>Many services now offer Two Factor Authentication, either using SMS or the relatively standard TOTP/HOTP tokens implemented by Google Authenticator, Authy, and others. While it does stop someone who brute-force guesses your password from getting into the account with the password alone, it doesn’t prevent someone from phishing you. Be careful out there!</p>
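<p>To make the TOTP/HOTP mechanism concrete, here is an added example (written for this post; it is not the author’s code and not taken from Google Authenticator or Authy) that generates and verifies codes with only the Python standard library. The secret and the values in the comments are the published RFC 4226 and RFC 6238 test vectors. The verifier accepts a small clock-drift window and refuses to accept the same time step twice, but note what it cannot do: it only proves the client holds the shared secret, so a phishing page that relays a freshly typed code to the real site still gets in.</p>

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with a drift window and replay guard.

Added example; not the author's code and not from Google Authenticator or
Authy. Standard library only.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """HMAC the 8-byte big-endian counter, then dynamically truncate (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: Optional[float] = None, step: int = 30,
         digits: int = 6, algo: str = "sha1") -> str:
    """TOTP is HOTP with the counter taken from the Unix time step (RFC 6238)."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits, algo)


def verify_totp(secret: bytes, candidate: str, for_time: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1,
                last_used: int = -1) -> Optional[int]:
    """Return the time-step counter the code matched, or None if it is rejected.

    Accepts the current step and +/- `window` steps to tolerate clock drift,
    compares in constant time, and rejects any counter at or below
    `last_used` so a code that was already accepted cannot be replayed while
    it is still inside the window.
    """
    if for_time is None:
        for_time = time.time()
    counter = int(for_time) // step
    for drift in range(-window, window + 1):
        c = counter + drift
        if c <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c
    return None


# Shared test secret from RFC 4226 / RFC 6238 (the ASCII string "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(hotp(RFC_SECRET, 0))                                         # 755224 per RFC 4226
    print(totp(RFC_SECRET, 59, digits=8))                              # 94287082 per RFC 6238
    print(verify_totp(RFC_SECRET, "94287082", for_time=89, digits=8))  # 1 (one step of drift)
```

<p>A real deployment persists the returned counter per user and passes it back as <code>last_used</code> on the next attempt; without that, the same code is good for the whole window, which is exactly the interval a relay-style phish needs.</p>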
<h2 id="if-youre-not-using-a-social-media-account-close-it">If You’re Not Using a Social Media Account, Close It</h2>
<p>Given people’s propensity to use the same login and password everywhere, and the ever increasing odds of sites getting hacked, close social media accounts you’re not using. That said, you might consider changing the password to something complex before you close it, on the off chance the service doesn’t actually delete your data and the site later gets hacked.</p>
<h2 id="assume-all-social-media-is-public-act-accordingly">Assume All Social Media Is Public, Act Accordingly</h2>
<p>This is not necessarily a security issue, and wasn’t one of the items highlighted in the article I was quoted in, but it is a privacy issue and important nonetheless.</p>
<p>Personally, I don’t think Facebook and the like are intentionally trying to make everything you do public (though plenty have good reason to think that). I’m saying this because, like everything else, social media accounts can and will be hacked, or are vulnerable to issues through their API. Also, people can easily screenshot any social media interaction—including and especially private ones—and make it public instantly.</p>
<p>You’re better off assuming anything you input into social media, SMS, iMessage, WhatsApp, Telegram, or whatever can and will be made public. Act and share accordingly.</p>
<h2 id="if-you-have-to-share-social-media-passwords-do-it-securely">If You Have To Share Social Media Passwords, Do It Securely</h2>
<p>While it is generally bad practice to share any passwords, individuals in companies who maintain a corporate social media presence often end up having to share credentials as a practical matter. Twitter is one common example.</p>
<p>If you absolutely have to do this, then you should not share passwords over email, SMS, WhatsApp, and so on in plaintext. These mechanisms, or the device you run them on, could be compromised in some way.</p>
<p>An encrypted container of some kind is the way to go. For example, I use Microsoft Word documents protected with <a href="https://www.checkpoint.com/products/capsule-docs/">Check Point Capsule Docs</a>, which encrypts the document and allows me to restrict documents to specific individuals only. Only those individuals will be able to read the document. I can also restrict what they are able to do with the documents.</p>
<p>Another way to accomplish the same task: LastPass, which also has a password sharing feature.</p>
<h2 id="change-your-passwords-occasionally">Change Your Passwords Occasionally</h2>
<p>Even if you use complex, unique passwords on every site, changing passwords occasionally is not a bad idea. Once a year is probably often enough, though some events may necessitate changing your password more often:</p>
<ul>
<li>If it’s a shared password (see above), change it when someone no longer needs access to the account (e.g. when they leave the organization or change roles).</li>
<li>If a breach is reported on a specific site.</li>
<li>If you got a password reset email that you didn’t request.</li>
</ul>
<p>Changing your password will allow your password to be hashed with stronger algorithms, which sites will often switch to over time.</p>
<p><strong>Disclaimer</strong>: If you don’t know by now, I work for Check Point Software Technologies. However, these are my own thoughts.</p>
<p><a href="https://phoneboy.org/2016/06/09/good-password-hygiene-key-to-protecting-social-media-accounts/">Good Password Hygiene Key To Protecting Social Media Accounts</a> was originally published by Dameon D. Welch at <a href="https://phoneboy.org">PhoneBoy's Security Theater</a> on June 09, 2016.</p>
https://phoneboy.org/2016/06/04/infosec-related-insights-from-flash-foresight 2016-06-04T23:00:00-07:00 2016-06-04T23:00:00-07:00 Dameon D. Welch https://phoneboy.org dwelch@phoneboy.com
<p>One of the things I did not expect to get out of the recent Check Point Experience conference was: a book to read. That’s exactly what happened when, due to an encounter with Flash Foresight author Daniel Burrus on Twitter, a book showed up on my doorstep.</p>
<p>The Twitter encounter happened because Daniel Burrus spoke at Check Point Experience and I tweeted a few photos from his talk. Though he had only about a half-hour slot, I could have listened to him for hours. Many of his insights could easily apply to the field of information security. In fact, plenty of the trends he discusses have immediate implications for the field.</p>
<p>Depending on how quickly you read, you may be able to knock it out in an evening or two. This book is definitely a recommended read. Unlike many “business” books I’ve read, this was an easy read, and I found it immediately resonated with my own experiences. I also found it to be very optimistic. Specifically, the problems we have today will be solved. The question is, by whom and how? If you apply some of the principles of Flash Foresight, maybe it could be you?</p>
<h2 id="walking-through-the-seven-flash-foresight-principles">Walking Through the Seven Flash Foresight Principles</h2>
<p>Daniel Burrus breaks down the process of Flash Foresight into seven principles. The application of one or more of these principles can be used to solve a variety of challenges. Surely, they can help us in infosec, no?</p>
<p>The first place to start: certainty. Specifically, what you know. That is largely reflected by trends:</p>
<center><img src="/images/hard-soft-trends.jpg" /></center>
<p>The main difference between hard trends and soft trends is: level of certainty in the trend. They can sometimes be hard to tell apart, and people often make poor decisions because they can’t tell the difference.</p>
<p>Soft trends are “future maybes.” They can be changed. For example, your organization’s information security budget. The time it takes you to respond to the inevitable breach. You do have a response plan, right?</p>
<p>A hard trend cannot easily be changed. For example, the level of technological innovation, particularly in three key areas: processing power, storage, and bandwidth. The trends point to an ever increasing quantity of all three at ever decreasing costs.</p>
<p>Think that doesn’t have implications in information security? You bet it does, and I bet you’re already seeing it: more business information on more devices from more places in the world. The problems will only get worse.</p>
<p>It’s far easier to see the future when you start with what you know. If you look at the hard trends and know where innovation is taking us, it’s pretty easy to anticipate the future (the second principle).</p>
<p>As some of you probably know, I spent 10 years working for Nokia, which was, in those days, the largest mobile phone manufacturer in the world. They were also in the network security business, which is where I worked. That said, I was exposed to many of the mobile phones Nokia made and thus I saw these Pathways to Innovation play themselves out from a vantage point somewhat different from a typical consumer:</p>
<center><img src="/images/pathways-to-innovation.jpg" /></center>
<p>It was very obvious to me in the 2000s that smartphones would become our personal computing devices–personal computing devices that accessed websites and had data on them. Nokia, being in the handset business, the network infrastructure business, as well as the security business, was uniquely positioned to provide this security both on the handsets and within the network.</p>
<p>It was one of the many opportunities that Nokia did not have the foresight to take advantage of. Nokia, as mighty as it once was in the smartphone industry, lost out and lost big. Had they made a proper transformation from the inside out (the third principle) as they had done several times throughout their 152-year history, they might still be a household name. Instead, since they transformed largely as a result of external forces and trends, they are barely a blip on the radar.</p>
<p>Another thing Nokia failed to do: take their biggest problem and skip it (the fourth principle). At the time, one of their biggest challenges as far as breaking into the US market: working with the US mobile operators. They wanted nothing to do with Nokia’s products. Meanwhile, they could have easily marketed and sold the products to the US public directly, bypassing the operators.</p>
<p>To bring this back to information security for a moment, what is our biggest problem in information security? Surely it has to be all that data on all those devices connecting from everywhere with data hosted everywhere using our traditional information security tools. What if we could skip that problem and bake security into the data and/or the method used to access that data?</p>
<p>Sometimes, the solutions to your problems are also in the opposite direction everyone else is looking (the fifth principle). For example, I see a lot of newer security vendors focusing on detection of threats rather than prevention of threats. While I’ve said a few times this is not an either/or proposition, I openly wonder: as infrastructures grow more complex and more virtualized, all driven by hard trends, how helpful is detection by itself going to be in the long run? Unless it is followed by automatic remediation—or better, preventing the incident in the first place—it will be just one more signal that gets ignored.</p>
<p>Information security has no choice but to redefine and reinvent how and what it does (the sixth principle). The underlying infrastructure that supports our business is commoditizing and evolving rapidly at a rate that will only accelerate. Likewise, security vendors will have to find a way to continue to provide unique value in this environment, or else their products will be replaced.</p>
<p>Finally, the future is largely what we envision it to be (the seventh principle). Do we envision a future where the threats run rampant over our networks or do we envision remaining one step ahead and keeping the threats at bay (or at least contained)? You may need other resources to achieve it, but it starts with a clear future vision. To shape the future will require communication, collaboration, and trust—all something information security is in the critical path to ensure happens.</p>
<p>This diagram in the book I think illustrates something that I already lived:</p>
<center><img src="/images/wisdom-is-valuable.jpg" /></center>
<p>I’ll ask those of you who used my FireWall-1 FAQ back in the day: what did that content represent to you? Data? Information? Knowledge? Wisdom? I’ll settle for knowledge since what I had there was largely product specific. Wisdom is probably stretching it.</p>
<p>But is it? I’ve had numerous people come up to me over the years thanking me for that FAQ as it helped them become information security professionals. Back in the 1990s, there wasn’t a whole lot of information out there. Rather than keep it locked up, I shared it with the Internet. I collaborated with people on the Internet to improve it. And, because the information was largely accurate, and I was accountable for mistakes, people ultimately trusted it.</p>
<p>Even though I haven’t operated that FAQ site in more than 10 years, I built a very nice career for myself as a result. Maybe if the information security industry would communicate better, truly collaborate with each other, and operate in a truly trustworthy manner, we could all be one step ahead.</p>
<p><a href="https://phoneboy.org/2016/06/04/infosec-related-insights-from-flash-foresight/">Infosec-Related Insights From Flash Foresight</a> was originally published by Dameon D. Welch at <a href="https://phoneboy.org">PhoneBoy's Security Theater</a> on June 04, 2016.</p>
https://phoneboy.org/2016/05/31/how-to-separate-security-solutions-from-snake-oil 2016-05-31T12:00:00-07:00 2016-05-31T12:00:00-07:00 Dameon D. Welch https://phoneboy.org dwelch@phoneboy.com
<p>From <a href="https://eugene.kaspersky.com/2016/05/27/darwinism-in-it-security-pt-3-time-to-deal-with-these-no-good-parasites/">Darwinism in IT Security, Pt. 3: Time to Deal with These No-Good Parasites</a>:</p>
<blockquote>
<p>[Detection] adoption has become the norm in the IT-security industry; and based on that, a whole ecosystem of parasites now successfully bullshits (successfully – i.e., keeps getting away with it!) the public. No, I am not making this up.</p>
<p>What all parasites agree on is their opposition to ‘traditional methods’ (the very same scanning methods they adopt via VirusTotal) and their love of all things ‘next generation’ (though what exactly is new about detection copy-and-pasting – and also AI – they don’t point out).</p>
<p>Conclusion: if you get approached by folks from an unknown company bandying about words like ‘next-gen’, ‘behavioral analysis’, ‘artificial intelligence’, etc., with no results of independent tests to make those words mean something real, watch out. The marketing materials of such companies show that the only artificial intelligence they use is that for peeking on real IT-security companies via the cloud.</p>
</blockquote>
<p><a href="http://phoneboy.org/2016/01/26/third-party-validation-of-security-solutions-now-more-important-than-ever/">It’s like I said before</a>, you have to wonder about security vendors who do not willingly submit themselves to third party scrutiny. If their products are as good as their marketing claims, this will prove itself out in third party testing, or better yet, your own testing using objective criteria. Reputable security vendors are more than willing to support such an effort.</p>
<p>If you rely purely on marketing to make decisions about what security solutions to buy, you may be buying <a href="https://en.wikipedia.org/wiki/Snake_oil">snake oil</a>. Caveat emptor!</p>
<p><a href="https://phoneboy.org/2016/05/31/how-to-separate-security-solutions-from-snake-oil/">How To Separate Security Solutions from Snake Oil</a> was originally published by Dameon D. Welch at <a href="https://phoneboy.org">PhoneBoy's Security Theater</a> on May 31, 2016.</p>
https://phoneboy.org/2016/05/30/old-password-breaches-are-new-again 2016-05-30T12:00:00-07:00 2016-05-30T12:00:00-07:00 Dameon D. Welch https://phoneboy.org dwelch@phoneboy.com
<p>In the past couple of weeks, a couple of old breaches of social media sites have come into the news again, mostly because the data from the breaches of MySpace, LinkedIn, Tumblr, and some site called Fling that I had never heard of before <a href="https://www.troyhunt.com/the-emergence-of-historical-mega-breaches/">are for sale on the dark web</a>. Aside from chatter on Twitter, the first thing that could be deemed a “formal” notification came from Troy Hunt’s site <a href="https://haveibeenpwned.com/">Have I Been Pwned</a>, something I recommend everyone subscribe to, as he seems to do a better job of notifying people than the providers do.</p>
<p>You might wonder why we who care about information security care about years-old breaches from social media sites. It’s pretty simple: most “normal” people use the same login and password everywhere they go on the web. It’s also quite possible they didn’t get the memo the first time these breaches occurred, either.</p>
<p>And let’s be honest, even if you changed your password when the breach was first announced, what are the odds you changed the password since then? Most likely, you haven’t and now is as good a time as any to change your password for these sites, if for no other reason than to leverage improved password hashing algorithms these sites are surely implementing.</p>
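<p>Why does changing a password let a site apply a stronger hash, as the paragraph above and the “Change Your Passwords Occasionally” section of the earlier post say? A site only stores the hash, so it cannot re-hash your password under a new algorithm until it sees the plaintext again, which happens at login or at a password change. The following added example (not code from any of the sites mentioned, and not the author’s) shows that upgrade path in Python using PBKDF2 from the standard library. The record format, the iteration counts and the “legacy” policy are assumptions chosen for illustration.</p>

```python
"""Upgrade a stored password hash to a stronger policy at login or on change.

Added example; not code from any site named in the post and not the author's.
The record format and both policies are assumptions chosen for illustration.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# (PBKDF2 digest, iteration count). LEGACY stands in for the weaker scheme a
# site used years ago; CURRENT is what every new hash gets.
LEGACY_POLICY = ("sha1", 1_000)
CURRENT_POLICY = ("sha256", 600_000)


def make_hash(password: str, policy=CURRENT_POLICY, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2$<digest>$<iterations>$<salt>$<dk>."""
    digest, iterations = policy
    salt = salt if salt is not None else os.urandom(16)      # fresh random salt per hash
    dk = hashlib.pbkdf2_hmac(digest, password.encode(), salt, iterations)
    return "$".join(["pbkdf2", digest, str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(dk).decode()])


def parse(record: str):
    """Split a record into (digest, iterations, salt, derived key)."""
    scheme, digest, iterations, salt_b64, dk_b64 = record.split("$")
    if scheme != "pbkdf2":
        raise ValueError("unsupported record format")
    return digest, int(iterations), base64.b64decode(salt_b64), base64.b64decode(dk_b64)


def verify(password: str, record: str) -> bool:
    """Recompute with the record's own parameters and compare in constant time."""
    digest, iterations, salt, expected = parse(record)
    dk = hashlib.pbkdf2_hmac(digest, password.encode(), salt, iterations, dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def needs_rehash(record: str) -> bool:
    """True when the stored parameters differ from (are weaker than) the current policy."""
    digest, iterations, _, _ = parse(record)
    return (digest, iterations) != CURRENT_POLICY


def login(password: str, record: str) -> Tuple[bool, str]:
    """Verify the password; on success, rehash under the current policy if needed.

    This and change_password are the only moments the plaintext is available,
    which is why a site cannot upgrade dormant accounts until their owners
    come back (or change their password).
    """
    if not verify(password, record):
        return False, record
    return True, make_hash(password) if needs_rehash(record) else record


def change_password(old_password: str, new_password: str, record: str) -> str:
    """A password change always yields a record under the current policy."""
    if not verify(old_password, record):
        raise ValueError("current password does not match")
    return make_hash(new_password)


if __name__ == "__main__":
    old = make_hash("correct horse battery", LEGACY_POLICY)   # what an old site stored
    ok, upgraded = login("correct horse battery", old)
    print(ok, needs_rehash(old), needs_rehash(upgraded))      # True True False
```

<p>The pattern is the same whatever the hash in use: keep the parameters inside the record, verify with the stored parameters, and replace the record the next time the plaintext passes through. Users who never log in or never change their password keep the old, weaker hash indefinitely, which is the point the post is making.</p>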
<p>Of course, a couple of other pieces of advice to implement:</p>
<ul>
<li><strong>Different Passwords on Every Site</strong>: As noted above, password re-use is what makes these older breaches relevant to a lot of people. You can mitigate this risk in the future by using unique passwords on each site you authenticate to.</li>
<li><strong>Use Two Factor Authentication</strong>: Even if someone is able to crack your password, two factor authentication should slow down any determined hacker. That said, two factor authentication is still not something the majority of people do because it’s still not easy. Also, many systems rely on SMS (which itself can be compromised) or on a token that operates only on a <em>single</em> smartphone. What happens when you lose your phone?</li>
<li><strong>Use a Password Manager</strong>: The primary benefit of a password manager is the ability to use unique, complex passwords on all the sites without having to type or remember them. Yes, your password manager becomes a huge target, but the security benefits outweigh the risks.</li>
</ul>
<p><a href="https://lastpass.com">LastPass</a> is my password manager of choice. It works across all the platforms I use (Mac, PC, Linux, Android, and iOS). At $12/year, it’s an absolute no-brainer. Yes, I know a lot of people like 1Password, but I find their apps a much more expensive proposition.</p>
<p>Perhaps one of my favorite features of LastPass is their Security Challenge. It evaluates all the passwords I have in my vault to see which passwords may have been compromised, ones that are weak, ones I’ve reused, and ones that haven’t been changed in more than a year. This allows me to quickly identify which accounts might need a new password–one I can make significantly more complex thanks to LastPass. Note that even without using the Security Challenge, I’m warned when I reuse a password–a very good thing.</p>
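<p>As an added example (not LastPass code, and not from the original posts), here is a small audit in Python that does what the Security Challenge above and the password-manager checklist in the earlier post describe: it flags passwords reused across sites, passwords whose whole search space could be tried within a year (scored Password Haystack style from alphabet size and length, as in the earlier post), passwords that appear in a breach set, and passwords older than a year. The vault entries, the breach set, the guess rate of 10^11 per second and the one-year thresholds are all constructed assumptions.</p>

```python
"""Password-vault audit in the spirit of a password manager's security check.

Added example; not LastPass code and not from the original posts. The vault,
the breach set, the guess rate and the thresholds are constructed assumptions.
"""
import hashlib
import string
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Constructed breach set: SHA-1 of passwords seen in a hypothetical dump.
BREACHED_SHA1 = {hashlib.sha1(b"password1").hexdigest()}


@dataclass
class Entry:
    site: str
    password: str
    last_changed: date


def alphabet_size(password: str) -> int:
    """Size of the smallest standard character set the password draws from."""
    classes = (
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),   # 32 ASCII symbols
    )
    return sum(n for chars, n in classes if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Count every string of length 1..len(password) over that alphabet.

    This is the Password Haystack way of scoring: an attacker who knows the
    alphabet but not the length has to try all of the shorter strings too.
    """
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def seconds_to_exhaust(password: str, guesses_per_second: float = 1e11) -> float:
    """Worst-case time to try the whole search space at the given guess rate."""
    return search_space(password) / guesses_per_second


def audit(vault, today, guesses_per_second=1e11,
          max_crack_seconds=365 * 24 * 3600, stale_days=365):
    """Return the four kinds of findings a manager's security check raises."""
    by_password = defaultdict(list)
    for e in vault:
        by_password[e.password].append(e.site)
    return {
        "reused": {pw: sites for pw, sites in by_password.items() if len(sites) > 1},
        "weak": [e.site for e in vault
                 if seconds_to_exhaust(e.password, guesses_per_second) < max_crack_seconds],
        "compromised": [e.site for e in vault
                        if hashlib.sha1(e.password.encode()).hexdigest() in BREACHED_SHA1],
        "stale": [e.site for e in vault if (today - e.last_changed).days > stale_days],
    }


# Constructed sample vault; sites, passwords and dates are made up.
SAMPLE_VAULT = [
    Entry("bank", "Tr0ub4dor&3x!", date(2016, 1, 15)),
    Entry("email", "password1", date(2014, 3, 1)),
    Entry("forum", "password1", date(2016, 5, 1)),
    Entry("social", "summer2015", date(2015, 4, 1)),
]

if __name__ == "__main__":
    for kind, hits in audit(SAMPLE_VAULT, date(2016, 6, 1)).items():
        print(f"{kind}: {hits}")
```

<p>Two design points carry over to a real vault: the breach check compares hashes rather than plaintext so the breach list never has to hold the passwords themselves, and the brute-force score is deliberately pessimistic (it assumes the attacker already knows which character classes you used), which is what makes length count for more than complexity in the result.</p>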
<p><strong>Disclaimer</strong>: My employer, Check Point Software Technologies, might have a different point of view on passwords; these views are my own.</p>
<p><a href="https://phoneboy.org/2016/05/30/old-password-breaches-are-new-again/">Old Password Breaches are New Again</a> was originally published by Dameon D. Welch at <a href="https://phoneboy.org">PhoneBoy's Security Theater</a> on May 30, 2016.</p>