Why Is IT Security FUD So Prevalent


By Art Reisman

CTO, APconnections
I just read an article by Rafal Los titled Abandon FUD, Scare Tactics and Marketing Hype.

In summary, he calls out the vendor sales presentations whose slides cite all the statistics as to why you should be scared. Here is the excerpt:

I want you to take out the last slide deck you either made, received, or reviewed on the topic of security.  Now open it up and tell me if it fits the following mold:

  • [Slides 1~4] – some slides telling you how horrible the state of information security is, how hackers are hacking everything, and probably at least 1-2 “clippings” of articles in recent media.
  • [Slides 4~7] – some slides telling you how you need to “act now,” “get compliant,” “protect your IP,” “protect your customer data,” or other catch phrases which fall into the category of “well, duh.”
  • [Slides 7~50+] – slides telling you how if you buy this product/service you will be protected from the threat du’jour and rainbows will appear as unicorns sing your praises.

Here’s the thing… did you find the slide deck you’re looking at more or less fits the above pattern? Experience tells me the odds of you nodding in agreement right now is fairly high.

And then he blasts all vendors in general with his disgust.

Ask yourself, if you write slide decks like this one I just described – who does that actually serve?  Are you expecting an executive, security leader, or practitioner to read your slides and suddenly have a “Eureka!” moment in which they realize hackers are out to get them and they should quickly act? 

I can certainly understand his frustration.  His rant reminded me of people complaining about crappy airline service and then continuing to fly that airline because it was cheapest.

Obviously FUD is around because there are still a good number of companies that make FUD-driven purchases, just like there are a good number of people who fly on airlines with crappy service. Although it is not likely that you can effect a 180-degree industry turn, you can certainly make a start by taking a stand.

If you get the chance, try this the next time a vendor offers you a salivating FUD-driven slide presentation.

Simply don’t talk to the sales team.  Sales teams are a thin veneer on top of a product’s warts. Request a meeting with the Engineering or Test team of a company. This may not be possible, if you are a small IT shop purchasing from Cisco, but remember you are the customer, you pay their salaries, and this should be a reasonable request.

I did this a couple of times when I was the lead architect for an AT&T product line. Yes, I had some clout due to the size of AT&T and the money involved in the decision. Vendors would always be trying to comp me hard with free tickets to sporting events, and yet my only request was this: “I want to visit your facility and talk directly to the engineering test team.” After days of squirming and alternative venues offered, they granted me my request. When the day finally came, it was not the impromptu sit down with the engineering team I was hoping for. It felt more like I was visiting North Korea. I had two VPs escort me into their test facility, probably the first time they had ever set foot in there, and as I tried to ask questions directly with their test team, the VPs almost peed their pants. After a while the VPs settled down, when they realized I was not looking to ruin them, I just wanted the truth about how their product performed.

FUD is much easier to sell than the product.


Encryption is Not Rocket Science

The recent Apple iPhone versus the FBI case being tried in the court of public opinion is an interesting example of the fact that encryption, and the use of encryption, can be created by any individual or any business to protect their data. All those spy movies where computers easily crack password codes are just plain fantasy. A well-engineered encrypted password cannot be broken. Unless, of course, the person that created the encryption is forced to put in a back door for the FBI.

The point is, if I really wanted to encrypt something from all entities, I would not rely on a commercial encryption version provided by Apple or my browser, because, as we have seen, the FBI will use whatever muscle they have to make sure that they can get in.

When you are done with the encryption exercise below, you can go ahead and tattoo your bank password on your face without a worry that anybody would ever figure it out.

Let’s start with a typical password that you might use for a bank account: “alfred!1”

First we’ll take the alphanumeric value of each letter such that a=01, l=12, f=06, r=18, e=05, d=04. And for the 1 we can use the first letter of the alphabet, so that 1=A, 2=B, etc. So you could just make your password 011206180504!A, which is the numeric representation of alfred!1 (note I just left the “!” alone).

Now let’s put some meaningless garbage on the front of the password. Two meaningless letters, such as CD.

Now let’s add 2 to the original numbers in the password, so now we get


Now take the day of the month you were born in and add it to the first number. 03+21 = 24, I was born June 21

So now we have CF241408200706!A

Each step you apply to the password encryption makes cracking it more difficult. I did not take this one far enough to make it impregnable to a sophisticated hacker, but hopefully you see the point. Just keep applying rules to your password, changing it at each step. The more steps you apply, the more mathematically safe your password encryption becomes.

The advantage of creating your own encryption scheme is that all you need to do is remember how to unwind these steps to recover your password; you do not need to remember your actual password. So any time the bank forces you to change your password, go ahead and change it, and write it down on your hand, or face, or all over your refrigerator. As long as you remember your encoding method, you can keep your passwords in plain sight.

Believe it or not I actually write my encrypted pin codes on my ATM cards!

NetEqualizer DDoS Firewall: Simple and Effective without the Bloat

One of the challenges when creating a security tool is validating that it works when the S$%^ hits the fan. We have heard (via anonymous sources) that many of the high-dollar solutions out there create bloated, rotting piles of information, whose only purpose is to look impressive due to their voluminous output. A typical $100K buys you a CYA report: a tool that covers everything, leaving the customer to decide what to do, which is usually nothing or some misguided “make work.” These non-specific tools are about as useful as a weather forecast that predicts everything all the time: rain, snow, wind, hot, cold, for every day of the year. If you predict everything you can’t be wrong?

On the other hand, the reports from the field coming in for our DDoS tool are:

Yes, it works.

Yes, it is simple to use.

Yes, it takes action when appropriate.

We have confirmation that our DDoS tool, combined with our shaping algorithms, has kept some very large institutions up and running while under very heavy, sophisticated DDoS attacks. The reasons are simple. We look at the pattern of incoming packets in a normal situation. When the pattern reaches a watermark that is clearly beyond normal, we block those incoming circuits. If needed, we can also take a softer approach, so the attacker is not aware we are throttling them. This is needed because in some situations outright blocking will alert the attacker you are on to them and cause the attacker to double down.

When under DDoS attack you don’t need reports; you need immediate action. If you would like to discuss our solution in more detail feel free to contact us.

IT Security Business Is Your Frenemy

Is there a security company out there working in conjunction with a hacker, possibly creating the demand for their services? The old insurance protection shakedown turned high tech? And, if so, how would you know? I try to make it clear to our customers that we are not in the security business for this very reason, but for most IT equipment and consulting companies security is becoming their main business driver.

If the world’s largest automaker will commit fraud to gain an advantage, there must be a few security companies out there that might rationalize breaking into a company’s network, while at the same time offering them security equipment in order to make a sale. Perhaps they are not meeting their sales goals, or facing bankruptcy, or just trying to grow. The fact is, IT investment in security is big business. The train is rolling down the tracks, and just like our war on drugs, increased spending and manpower seem to have no measurable results. Who makes more money, companies that make bank vaults, or the criminals that attempt to rob banks? I bet, if you add up all the revenue gleaned from stolen credit cards or other electronic assets, that it is pennies on the dollar when compared to spending on IT security.

Firewall Recipe for DDoS Attack Prevention and Mitigation

Although you cannot “technically” stop a DDoS attack, there are ways to detect and automatically mitigate the debilitating effects on your public facing servers. Below, we shed some light on how to accomplish this without spending hundreds of thousands of dollars on a full service security solution that may be overkill for this situation.

Most of the damage done by a targeted DDoS attack is the result of the overhead incurred on your servers from a large volume of fake inquiries into your network. Often with these attacks, it is not the volume of raw bandwidth that is the issue, but the slow response time due to the overhead on your servers. For a detailed discussion of how a DDoS attack is initiated, please visit http://computer.howstuffworks.com/zombie-computer3.htm

We assume in our recipe below, that you have some sort of firewall device on your edge that can actually count hits into your network from an outside IP, and also that you can program this device to take blocking action automatically.

Note: We provide this type of service with our NetGladiator line. As of our 8.2 software update, we also provide this in our NetEqualizer line of products.

Step 1
Calculate your baseline incoming activity. This should be a running average of unique hits per minute or perhaps per second. The important thing is that you have an idea of what is normal. Remember we are only concerned with uninitiated hits into your network, meaning outside clients that contact you without being contacted first.

Step 2
Once you have your base hit rate of incoming queries, set a flag to take action (Step 3 below) should this hit rate rise more than 1.5 standard deviations above your baseline. In other words, act if your hit rate jumps by a statistically large amount compared to your baseline for no apparent reason, i.e., you did not mail out a newsletter.

Step 3
You are at Step 3 because you have noticed a much larger than average hit rate of uninitiated requests into your web site. Now you need to look for a hit count by external IP. We assume that the average human will only generate at most a hit every 10 seconds or so, maybe higher. And also, on average, they will likely not generate more than 5 or 6 hits over a period of a few minutes. Whereas a hijacked client attacking your site as part of a DDoS attack is likely to hit you at a much higher rate. Identify these incoming IPs and go to Step 4.

Step 4
Block these IPs on your firewall for a period of 24 hours. You don’t want to block them permanently because it is likely they are just hijacked clients, and also, if they are coming from behind a NAT’d community (like a university), you will be blocking a larger number of users who had nothing to do with the attack.

If you follow these steps you should have a nice pro-active watch-dog on your firewall to mitigate the effects of any DDoS attack.
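The four steps above as a small watchdog, added here as an illustration (it is not NetEqualizer or NetGladiator code). The one-minute buckets, the 60-minute baseline window, the five-minute warm-up and the sample addresses are assumptions; the 1.5 standard deviation alarm, the per-IP rate of about one hit every 10 seconds and the 24-hour block come from the recipe.

```python
import statistics
from collections import Counter

SIGMA = 1.5                 # Step 2: alarm at 1.5 standard deviations above baseline
HUMAN_MAX_PER_MIN = 6       # Step 3: roughly one hit every 10 seconds
BLOCK_SECONDS = 24 * 3600   # Step 4: temporary 24-hour block
MIN_HISTORY = 5             # assumption: minutes of data needed before alarming

class DdosWatchdog:
    def __init__(self, window=60):
        self.window = window    # assumption: baseline covers the last 60 normal minutes
        self.history = []       # Step 1: hits per minute for non-alarm minutes
        self.blocked = {}       # source IP -> time the block expires

    def is_blocked(self, ip, now):
        expiry = self.blocked.get(ip)
        if expiry is not None and now >= expiry:
            del self.blocked[ip]            # block has aged out
            return False
        return expiry is not None

    def process_minute(self, start, hits):
        """hits: source IPs of uninitiated inbound requests seen in this minute.
        Returns the IPs newly blocked."""
        hits = [ip for ip in hits if not self.is_blocked(ip, start)]
        total = len(hits)
        if len(self.history) >= MIN_HISTORY:
            mean = statistics.mean(self.history)
            stdev = statistics.pstdev(self.history)
            if total > mean + SIGMA * stdev:                      # Step 2
                noisy = sorted(ip for ip, n in Counter(hits).items()
                               if n > HUMAN_MAX_PER_MIN)          # Step 3
                for ip in noisy:
                    self.blocked[ip] = start + BLOCK_SECONDS      # Step 4
                return noisy    # alarm minutes are kept out of the baseline
        self.history = (self.history + [total])[-self.window:]
        return []

def demo():
    # Constructed traffic: 10 normal minutes of 18-22 single-hit clients,
    # then one minute in which two sources send 40 and 25 hits.
    dog = DdosWatchdog()
    clients = [f"198.51.100.{i}" for i in range(1, 23)]
    for m in range(10):
        dog.process_minute(m * 60, clients[:18 + m % 5])
    attack = clients[:20] + ["203.0.113.7"] * 40 + ["203.0.113.9"] * 25
    return dog, dog.process_minute(600, attack)

if __name__ == "__main__":
    dog, blocked = demo()
    print("blocked:", blocked)
```

In the constructed data an ordinary 22-hit minute also crosses the 1.5 standard deviation line, but nothing is blocked because no single source exceeds the per-IP limit; the Step 3 check is what keeps a sensitive Step 2 alarm from turning into false blocks.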

For further consulting on DDoS or other security related issues feel free to contact us at admin@apconnections.net.

Related Articles:

Defend your Web Server against DDoS Attacks – techrecipes.com

How DDoS Attacks Work, and Why They’re Hard to Stop

How to Launch a 65 gbps DDoS Attack – and How to Stop It

Notes from a cyber criminal

After a couple of recent high-profile data thefts, I put the question to myself: how does a cyber thief convert a large amount of credit cards into a financial windfall?

I did some research, and then momentarily put on the shoes of a cyber thief. Here are my notes and thoughts:

I am the greatest hacker in the world and I just got ahold of twenty million Home Depot debit cards and account numbers. What is my next move? Well, I guess I could just start shopping at Home Depot every day and maxing out all my stolen account cards with a bunch of lawn mowers, garden hoses, and other items. How many times could I do this before I got caught? Probably not that many. I am sure the buying patterns would be flagged even before the consumer realized their card was stolen, especially if I was nowhere near the home area code of my victim(s). And then I’d have to fence all those items to turn it into cash. But let’s assume I acted quickly and went on a Home Depot shopping spree with my twenty million cards. Since I am a big-time crook I am looking for a haul I can retire on, and so I’d want to buy and fence at least a few hundred thousand dollars worth of stuff out the gate. Now that is going to be quite a few craig(s) list advertisements, and one logistical nightmare to move those goods, and also I am leaving a trail back to me because at some point I have to exchange the goods with the buyer and they are going to want to pay by check. Let me re-think this…

Okay, so I am getting smarter. Forget the conventional method; what if I find some Russian portal where I can just sell the Home Depot cards and have the funds paid in Bitcoin to some third-party account that is untraceable? How many people actually have Bitcoin accounts, and how many are interested in buying stolen credit cards on the black market, and then how to ensure that the numbers have not been deactivated? Suppose I sell to some Mafia type and the cards are not valid anymore? Will they track me down and kill me? Forget the Bitcoin, I’ll have to use PayPal, again leaving a trail of some kind. So now how do I market my credit card fencing site? I have 20 million cards to move and no customers. A television advertisement, an underworld blog post? I need customers to buy these cards and I need them fast; once I start selling them Home Depot will only take a few days to shut down their cards. Maybe I can just have an agent hawk them in Thailand for $3 each, that way I stay anonymous. Yeah, that’s what I’ll do. Whew, I’ll be happy if I can net a few thousand dollars.

Conclusion: Although the theft of data makes a great headline and is certainly not to be taken lightly, the ability for the crook(s) to convert bounty into a financial windfall, although possible, is most likely a far more difficult task than the data theft. Stealing the data is one thing, but profiting from it on anything but the smallest scale is very difficult if not impossible.

The real problem for the hacked commercial institution is not covering the loss of revenue from the theft, but the loss of company value from loss of public trust, which can mount into the billions.

Although my main business is Bandwidth Control I do spend a good deal of thought cycles on Security as on occasion the two go hand in hand. For example some of the utilities we use on our NetEqualizer are used to thwart DOS attacks.  We also have our NetGladiator product which is simply the best and smartest tool out there for preventing an attack through your Website.

10 Web Application Security Tools You Can’t Do Without

By Zack Sanders – Directory of Security – APconnections

Since initiating our hacking challenge last year, we’ve helped multiple organizations shore up security flaws in their web application infrastructure. Proper web application security testing is always a mix of automated testing and manual testing. If you just run automated tests and don’t have the knowledge to interpret the results, the amount of false positives thrown at you will result in little value. If you don’t know the ins and outs of common vulnerabilities, manual testing alone will get you nowhere. With the right mix, you can create a baseline analysis from the automated tests that will help determine what areas of the application should be explored further manually.

Here are some of the tools I use the most when assessing a new web application along with brief descriptions*:

1) Metasploit – http://www.metasploit.com/ – Metasploit is an entire framework for penetration testing and security analysis. The tools are all open source and the community behind the software is outstanding.

2) DirBuster – http://sourceforge.net/projects/dirbuster/ – DirBuster is a directory brute force tool that allows you to create a tree view of a web application’s file system.

3) Nessus – http://www.tenable.com/products/nessus – Nessus is a great tool for identifying server-level vulnerabilities.

4) John the Ripper – http://www.openwall.com/john/ – JTR is a password cracker tool.

5) Havij – http://www.itsecteam.com/products/havij-v116-advanced-sql-injection/ – Havij is an advanced SQL injection tool that provides a GUI for conducting injection tests.

6) Charles Web Proxy – http://www.charlesproxy.com/ – Charles is an awesome tool that allows you to modify requests and responses in web applications.

7) Tamper Data Firefox Add-On – https://addons.mozilla.org/en-us/firefox/addon/tamper-data/ – Like Charles, this tool also allows you to modify requests.

8) Skipfish – http://code.google.com/p/skipfish/ – Skipfish is a web application security vulnerability scanner that will scan an entire website for issues. It results in quite a few false positives but also legitimate issues.

9) Firebug – https://getfirebug.com/ – This is a debugging tool for web developers but it is useful for security professionals in that you can easily see what is happening behind the scenes.

10) Websecurify – http://www.websecurify.com/ – Websecurify is an entire security environment meant for assisting in the manual testing phase.

These are only some of the tools out there for security professionals who are testing web applications. There are many more. But, they aren’t just available to the good guys. Bad guys have access to them too and are using them in attacks all the time. Let us know if we can run a security assessment for your organization using the same tools hackers do. The investment will be well worth it.

Contact us today at: ips@apconnections.net

*Use these tools at your own risk and only on websites you have permission to test.
