drumiller
RSA this week

At the RSA security conference this week. While it's less dramatic and shiny than something like DEFCON or a Black Hat briefing, I can actually convince the company to send me to this conference (mass transit to conference, no hotel? Ok.). Sometimes I really do feel like I work for some sub-department of the Laundry, without all the cool magical underpinnings.

I'll have a con report afterwards, but for now, let me just say that I'm always both thrilled and terrified by the attendee population.  I got to listen to Bruce Schneier's annual state of thinking speech, which was nifty. 

Now excuse me, I have to go write my daily allotment of prose before all of my remaining grey matter curls up in a quivering mess.  Oh, and super limited email and LJ activity as I'll be there for about 10 hours a day and then transiting for another 2.  Bleagh.

music: Noir Desir
Welcome to Oz.

"Papers, please."

I got my new passport (hate the picture, of course). Less than a week total turn-around time. I think this heralds a new era of efficiency and a high-water mark. I've never had anything remotely associated with an official document take less than several weeks, typically just to get to the first tier.

I also get the nice new RFID, privacy-leeching chip in my passport. Thankfully, I'm pretty sure I have some 2.4mm mesh shielded bags somewhere in my computer closet for a self-made passport holder. What, me paranoid? Nah, I just don't want to broadcast my picture and personal status to anyone with an RFID reader.

Oh, and this does mean I am going to Australia. I will be spending a few days being a tourist. So far, I'm looking at: the zoo, botanical gardens, the opera house (possibly a show), maybe a harbor tour, and perhaps a beach day. Any sights you've been to or thought would be interesting to check out in Sydney?

I should have a whowants10 posting early next week related to agent queries. It was supposed to go out this week, but audit hell ate my brain.

music: the weeping of security audit staff
PSA/Bleg: Password Security

Today's public service announcement is brought to you by the kind auditors of the world, who are overlooking the gaping defensive holes of password security.

As you may recall from earlier postings, I've been working on a $work project related to corporate password strength and compliance. I've now been auditing a few thousand accounts for several months. The main thrust of my discovery is that some people are good at creating and retaining the practices of complex passwords and others are not. Some people will never understand why "Ilovepuppy1" is not a good password, or don't realize why "Slytherinsux!" isn't unique and clever.

After repeated conversations with a few of the repeat offenders, I realize now that they just don't have a mindset that groks security at the level the online world requires. We are now considering giving these, or all, employees a way to vault passwords securely and also to see the relative strength of their passwords.

There are some options out there. One tool is KeePass [http://www.keepass.info]; Bruce Schneier's now open-sourced Password Safe [http://passwordsafe.sourceforge.net/index.html] is also a good option. Both are released under OSI-approved open-source licenses. We're recommending KeePass, because frankly it has a better website and documentation for the layperson. Both tools can auto-enter passwords into websites and other web-based applications, as well as traditional apps. The two sub-components I think are the most useful are the ability to generate strong(er) passwords, with an indicator of complexity as you type in a new password, and the ability to keep the repository on a USB fob. The repository is encrypted under your master passphrase, so that one passphrase is the one to get right (and keep a backup of the file somewhere other than the fob). Instead of trusting IE, Firefox or Safari with your passwords, you can have the tools store them and enter them when you need to.

These tools let you do something really handy: create, manage and enter an individual password for every website you access. That way, even if someone steals one password, you're still secure on the other applications. This doesn't mean every throwaway forum login needs a super-sekrit password; if you don't care whether someone gets into it, fine. Just make sure you keep the online banking, insurance, credit card, bill payment, etc. application passwords unique, secure and hard to guess.

And for the love of Pete, please refrain from the use of the following in your passphrase:

  • team names
  • manufacturers
  • cities
  • media figures
  • fictional characters
  • pet names
  • dates
  • times
  • biblical or other religious references (chapter and verse is right out)
  • any term you can find on Wikipedia or Google

Other tips:
  • l33t sp34k won't make the password more secure; cracking tools now ship with mangling rulesets that apply exactly those substitutions to every dictionary word
  • other spoken or linguistic shortcuts are also right out, txt-ing shortcuts especially
  • typing things in backwards doesn't do squat. "rellimurd" is NOT hard to guess; reversal is in the core ruleset of almost every cracking tool
  • keyboard walks do diddly squat. "!qazxsw@" is not hard to figure out, and using a Dvorak layout doesn't help; the walk lists for every common layout are already in the tools

Hopefully some of this is helpful. Some of the users I talked to who "got it" after our initial conversation had never realized how easily most people's passwords can be guessed. I realize some of this is a repeat of my previous cautions, but I keep seeing the same issues over and over, and hope that enough exposure might help people.

Have fun out there, but also stay/play safe,

Your concerned security geek

mood: pensive
Progress in Unexpected Quarters (work and writing)

I've finally had a nice sit down with one of my friends on the whole XSLT thing, and am now slowly stumbling around the topic. And thanks to everyone else who helped out. I needed some face to face time to stumble around. I now know enough to be dangerous for myself.

The good news is that overall, I can probably do what I want, once I figure out the normalized database setup for the data I have. I think I will be able to manage the mapping and security information framework project into something that is truly useful for the enterprise this year. Neat stuff. At least three different security tools, corporate application maps and information on what data is where.

In other news, I now have a working title. I think the seeds of it come from avocadovpx and my hind brain. (Thanks Dip!) I was going to say I have a working title for Jonah, but I've decided that the baggage of the namesake is too large for this story concept. Jonah's new name is Cole. Strange, but it came to me in the middle of a shower, and I was: "Oh, oh yeah, that WORKS".

I've been involved in a fit of renaming. A large majority of the cast and organizational names have also been altered to be less "extruded sf-material" (damn you Cory Doctorow for that meme :) ). I've also been stripping the role capitalization errors from the text.

I appear to have a four to six month fermentation process. If I wait that long for a story, I can re-approach it with fresh eyes. Anything under a couple of months and it is too familiar in form. All in all, I've been managing about five pages a night. At current word count, that should have me done with the revision at the end of May. One new scene, with at least two more planned, with optional ones standing around in the wings. Then it goes off to the betas for any and all feedback.

Oh, and the parental invasion commences in... 10 days.  Whee!

mood: productive
music: seal
Unknown unknowns

Part of why I've been quiet for the past time period is that I have a lot of things going on and I try and keep most of the griping down to reasonable levels. That and I'm shy about expressing an inability to accomplish something I set my brain to.

At $work I have a lovely issue. I have a whole pirate-ship load of XML data files from various sources (like Nmap) that I would like to import into a business-approved database (Access 2007 for you, swabbie). Unfortunately, said "database" does not easily take in XML where the values are carried in attributes instead of in elements.

Essentially what I'm trying to do is get the data from these various sources into a few tables, so that I can query them for some complex information security analysis and reporting. Since I don't know how to shove the data into a format Access will accept without complaint, I am at a standstill.

I think it is a matter of unknown unknowns. I don't know what I don't know, since my world doesn't really revolve around XML and data transfer capabilities. I can read websites that say such things are done and the components involved, but it is all at a "It's all Greek to me" level at the moment. It is hugely frustrating knowing that such a thing can be done, and to still not be able to do it.
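Not part of the original post: an added Python example of the flattening the post is after. It reads Nmap's XML output (where the useful values sit in attributes) with the standard library and emits one row per host/port as CSV, which Access and most other databases will import from a delimited text file. The XML below is constructed to mimic the shape of `nmap -oX` output, not a real scan, and the column names are my own choice.

```python
"""Flatten Nmap -oX output (values live in attributes) into rows and CSV."""
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's XML shape; addresses and hosts are fictional.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/29" start="1172000000">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <hostnames><hostname name="build01.corp.example" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="4.3"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open" reason="syn-ack"/>
        <service name="microsoft-ds"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.0.6" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="udp" portid="161">
        <state state="open|filtered" reason="no-response"/>
        <service name="snmp"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

COLUMNS = ["ip", "mac", "hostname", "status", "proto", "port",
           "port_state", "service", "product", "version"]


def _attr(elem, name, default=""):
    """Attribute of an element that may be absent."""
    return elem.get(name, default) if elem is not None else default


def parse_nmap(xml_text):
    """One dict per (host, port); host-level facts repeat on every row.

    Hosts with no <port> records yield no rows. For multi-megabyte scans
    switch to ET.iterparse(); for XML from an untrusted source use defusedxml."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.iterfind("host"):
        base = {
            "ip": _attr(host.find("address[@addrtype='ipv4']"), "addr"),
            "mac": _attr(host.find("address[@addrtype='mac']"), "addr"),
            "hostname": _attr(host.find("hostnames/hostname"), "name"),
            "status": _attr(host.find("status"), "state"),
        }
        for port in host.iterfind("ports/port"):
            svc = port.find("service")
            rows.append({
                **base,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),       # numeric so Access sorts/joins on it
                "port_state": _attr(port.find("state"), "state"),
                "service": _attr(svc, "name"),
                "product": _attr(svc, "product"),
                "version": _attr(svc, "version"),
            })
    return rows


def to_csv(rows, columns=COLUMNS):
    """Render rows as CSV text with a header line."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(parse_nmap(SAMPLE_NMAP_XML)), end="")
```

One row per host/port is the shape that normalizes cleanly: a hosts table keyed on ip and a ports table keyed on (ip, proto, port) fall out of it directly, and the same CSV feeds any graphing tool that eats delimited text.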

"Other men can climb that wall"

I feel rather like a young Miles, and have been scrabbling at the wall for some time now, and won't even make it to the top to fall down and break all my fragile bones.

So, anyone out there an XML guru who can explain things in short sentences? Or a brilliant MS Access guru?

This is what happens when you don't have a budget for analysis and yet $work demands superlative results from stone.

location: $work
mood: accomplished
music: broken head
security nightmares

It will be a few days before I can get any coherent thoughts out on the conferences and my promised ramblings. I've been having security geek nightmares around the issues talked about last week. Never give an analyst more information, more threats and larger unknowns. Eeep.

Anyone know a free network visualization tool? I need to group, map and display the current infrastructure. Drawing it by hand in Visio or similar won't work, as I'm talking about addresses scattered over the entire RFC 1918 space. Then I have to correlate that map to threats in the enterprise. I need something that can eat XML or CSV data.

Writing is stalled, mostly due to the winter depression setting in. I did at least have a moment of clarity last week about what the tone and process will be for the final moments of Kaleb. Lots of fun to figure out how that will work out; now all I have to do is write it.

Still no luck on finding Lilly a home; starting to get desperate for solutions that don't end with her in a cat-lady home.

Off I go, need some rest.

Oh dear and gibbering from the floor

Freddie Mercury is spinning in his grave so fast that you could power a small city. RSA had a horrible mashup of "Under Pressure" using security terms. I cannot even come close to describing the horror that was that show.

The keynotes from MS and Symantec were the usual business spiel. Interesting that MS is proposing certificates, IPSEC and IPv6 as a way of mitigating security risk. I did get a chuckle out of their claim that Vista was the first product of theirs built via the Trusted Computing Model. Guess that explains the myriad of vulns and issues already found in Vista.

Symantec's keynote was non-memorable; Chambers has been nattering on in the same vein for years now. Honestly he isn't able to articulate how to do anything other than try and sell you on Symantec. *yawn* Coviello from RSA at least had an interesting take on the industry, saying that companies will have to move security within the corporate application framework instead of latching it on post facto. The keynotes are somewhere up on the RSA conference website.

Bruce's speech on the psychology of fear has me wanting to touch base with my friend Derek and talk cognitive psychology for a few hours. Bruce's presentation and delivery were smooth as always, but I did want to ask how security professionals can work that psychology to help organizations honestly assess their risk, instead of just combating the technical.

Great presentation yesterday from Peter Mell of NIST. He chatted about an initiative where NIST, DISA and several other organizations are trying to get the vulnerability assessment players to standardize on the CCE, CVE, CPE, XCCDF and OVAL standards so that people can honestly assess the performance and functionality of scanners and patching in the enterprise: http://nvd.nist.gov and http://nvd.nist.gov/scap/scap.cfm. Needless to say, I'm hugely interested, since I abhor secret knowledge when it comes to the security posture of an enterprise.

The rest of the day was in presentations and walking the trade floor. Feet hurt and my brain is jello. Bumped into an old boss too, which was a bit of a trip. Got a little bit of schwag, but these days there's honestly very little handed out. No way I'm sitting through a dog and pony demo for the possibility of an iPod. *yeeech*

I do love the security geek and guru hairstyles. Always a blast to see the wild and varied cuts. Kind of like style archeology. Some from the 60's-present day. Down to only a few idiotic attempts at using non-security presentation people (aka booth babes), but frankly the geeks want tech details more than leather and latex these days (thank goodness).

Tomorrow brings lunch with BT Counterpane and some interesting presentations. I was kind of bummed out that Michael Chertoff canceled his presentation, I was so looking forward to what kind of reception he'd get from people who actually CAN handle incidents.

location: jiggity jig
mood: busy
music: Under Pressure (the real one to scrub out the evil mashup)
Joining the Back-Scatter

I'll be off geeking out for the next week or so at the RSA 2007 Conference in the city. An entire week of talks about various subjects, at high and low levels.  Might swing into some of the crypto-panels, just to make my brain ache.

Let me know if there are any products or companies you'd like inspected. Here are a few that will be on the trade floor: [List]

Thrilled to be at a professional luncheon where I get to listen to a favorite security expert, Bruce Schneier, chat about his latest and where BT Counterpane is headed. Eager to hear more and listen attentively. Plus the restaurant should be good considering how much of a foodie Bruce is purported to be.

Also secretly hoping that we get some collision attack news on the SHA-1/MD5 front. People have been moving to the exit corridors to flip to AES and some of the newer hashes.

--

Meanwhile in one of my other interest spaces, some less than stellar news. Sea Launch, a company that uses Russian Zenit (IIRC) rockets and launches them from a sea platform/ex oil platform, had a spectacularly bad day.

On the other hand, lots of news from the Masten-Space folks, as well as the ridiculously beautiful photo shots from XCor. And Monday we should be getting a lovely new tidbit from Armadillo Aerospace on what it takes to get a VTVL rocket insured and licensed for launch.

--

I'll be crazy busy until the end of next week, but expect a few tidbits here and there if I get inspired by the conference or if my brain revolts and demands right brain activity. Writing group Sunday, still trying to get Lilly a home (anyone up for a cute rescue kitty?).

location: here and there
mood: busy
music: massive attack for no particular reason
Security Audit Joy

There are some things that should not give me quite the unadulterated jolt of glee:

  • Auditing account password strength and being able to bust X% of users for having insecure passwords
  • Reveling in the fact that said password check only took 18 seconds on a middleweight server to find the X%
  • Auditing security configurations on servers and workstations and pointing out deficiencies to smarter-than-thou admins
  • Acquiring the rights to perform audits and checks on the enterprise, while ensuring that I do not have access to the credentials used for those audits (plausible deniability, baby!)
  • Laughing at all the horrible passwords used by MySpace users (see previous post)

I shouldn't be quite as jovial as I am, but there's something wickedly fun in finding security holes.
I'm a horrible, horrible man.

location: NaCl mine
mood: chipper
MySpace *cough* Security

Recently, on a wide range of security mailing lists, the results of a phishing attack on MySpace were posted. As each MySpace user attempted to log in to the fake phishing site, their credentials were captured and written to a file on that site. Hirez grabbed a copy, as did many, many other security practitioners. At the final count, approximately 41,000 unique logins were captured before the link for the phish was broken. Now, to be fair, that works out to 0.041% of the entire MySpace user population (100 million as of 8/2006). However, if those accounts were then used as springboards for posting new automatic phishing or other account-capture links, this number could grow quickly.

One humorous aside is that a decent number of alert users and security geeks twigged to the phishing site and started adding in faux accounts. The ASCII art built up from multiple faux logins was, ahem, cute. The verbal abuse of the perpetrator less so, but still oddly funny. Would you mock someone you saw conning your best friend?

The breakdown of accounts is rather telling. Unsurprisingly, few users appear to have strong credentials when logging into MySpace. The trend, if not the user's own name, is a proper noun or dictionary term with a number prefixed or suffixed. Honestly, I wouldn't have a significant complaint, until you realize that most individuals, having an overabundance of accounts on the Internets (too many tubes), are likely to reuse the same username and password pair for other, more critical accounts. What happens when those username and password pairs are applied to a site like PayPal, eBay or one of the lower-tier online banking sites (credit unions, etc.)?

What to do? Everyday users are going to fall for these attacks for as long as the technology out there allows them to mistake a fake website for a legitimate one. (A clever note: Firefox 2.0 had the link tagged as phishing within a day of the post to Full-Disclosure, whereas IE 6/7 happily let people connect.) Of all the people you know, could you blame even *one* of them for falling for a site that looked *just like* their normal login after visiting a "virtual friend's" cool link?

We're going to keep cycling through new mousetraps and cleverer mice until we, as a technology society, figure out how to validate in both directions whether a site is legitimate. We've got some of the mechanisms for having the banks trust us when we log in, but the reverse is still very sketchy these days, because users are not trained to inspect and investigate the authority of the site. Frankly, it's hard for a security geek, let alone people who have an entirely different life focus.

The only thing I can think of is to transmute the public key of secure websites into a unique graphic or word set, instead of hex, and have that as part of the browser display. And there are likely attacks against that methodology as well.
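As an added illustration of that idea (mine, not the post's): the Bubble Babble encoding that `ssh-keygen -B` uses renders a key fingerprint as pronounceable pseudo-words instead of hex, and a running seed means a single changed byte also changes the words after it. Standard-library Python; the "public key" bytes here are constructed stand-ins, not a real key, and the one-bit tampered copy stands in for a look-alike certificate. The post's caveat stands: a scheme like this only helps if users actually look at the words, and it inherits whatever weakness the hash has.

```python
"""Fingerprint words: hash a public key and render the digest as Bubble Babble
(Antti Huima's encoding, as used by `ssh-keygen -B`) rather than hex."""
import hashlib

VOWELS = "aeiouy"
CONSONANTS = "bcdfghklmnprstvzx"


def bubble_babble(data):
    """Encode bytes as 'x' + dash-separated vowel/consonant groups + 'x'."""
    out = ["x"]
    seed = 1
    for i in range(0, len(data) - 1, 2):
        b1, b2 = data[i], data[i + 1]
        out.append(VOWELS[(((b1 >> 6) & 3) + seed) % 6])
        out.append(CONSONANTS[(b1 >> 2) & 15])
        out.append(VOWELS[((b1 & 3) + seed // 6) % 6])
        out.append(CONSONANTS[(b2 >> 4) & 15])
        out.append("-")
        out.append(CONSONANTS[b2 & 15])
        # Mix both bytes into the seed so later groups depend on earlier bytes.
        seed = (seed * 5 + b1 * 7 + b2) % 36
    if len(data) % 2:                       # one trailing byte left over
        b1 = data[-1]
        out.append(VOWELS[(((b1 >> 6) & 3) + seed) % 6])
        out.append(CONSONANTS[(b1 >> 2) & 15])
        out.append(VOWELS[((b1 & 3) + seed // 6) % 6])
    else:                                   # even length: final group from the seed alone
        out.append(VOWELS[seed % 6])
        out.append(CONSONANTS[16])          # always 'x'
        out.append(VOWELS[seed // 6])
    out.append("x")
    return "".join(out)


def key_words(pubkey_bytes, algo="sha256"):
    """Words a browser could show beside the lock icon for this key."""
    return bubble_babble(hashlib.new(algo, pubkey_bytes).digest())


# Constructed stand-in for a site's DER-encoded public key; not a real key.
FAKE_PUBKEY = bytes(range(64))
# Same bytes with one bit flipped: what a look-alike cert would produce.
FAKE_PUBKEY_TAMPERED = bytes([FAKE_PUBKEY[0] ^ 0x01]) + FAKE_PUBKEY[1:]

if __name__ == "__main__":
    print("genuine :", key_words(FAKE_PUBKEY))
    print("tampered:", key_words(FAKE_PUBKEY_TAMPERED))
```

The two known test vectors from the encoding's specification are the empty string, which becomes "xexax", and "1234567890", which becomes "xesef-disof-gytuf-katof-movif-baxux"; a SHA-256 digest comes out as seventeen groups, which is about the limit of what a person will compare by eye.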

Reading on these types of issues:

Bruce Schneier, security industry guru - http://www.schneier.com/blog
Reading material - the security firehose via http://seclists.org/.
[Fyodor does an excellent job of pruning out the morons.]
Full Disclosure - http://seclists.org/fulldisclosure/ [the screechy, clever monkeys of internet security]
Security Basics - http://seclists.org/security-basics/ [good place for starting out]

mood: pensive