Silicon Shecky

Infosec Practitioner


Infosec: You are probably already doing it

December 28, 2015 By Michael Kavka

Recently on Twitter, a bunch of people in the Infosec community have been talking about getting new people involved more: helping the next round of professionals get up to speed, or keeping them interested and getting them into the field. So what is the problem here? Why aren’t they coming in and switching over? Using the path I’ve taken to become a “professional” Infosec guy, I figured I’d talk a bit about how daunting a task it can seem.

I WANT TO BREAK INTO INFOSEC!

This was my mantra for a long time. I did what I thought I could. I started going to the Burbsec meetings in Chicago so I could meet the professionals and ask advice. Still, even going to them, I felt like a schmuck. I had nowhere near their level of experience. When they talked tech at these get-togethers, so much went over my head, and I didn’t want to seem like I knew nothing. After time (and some encouragement from my SO to keep going to these meetings), I started feeling comfortable around the people. I didn’t have a ton more knowledge, but I was welcomed and talked to as an equal, and if I had a question, it wasn’t looked at like I was some pariah. People like @j0hnnyxm4s, @Hacks4pancakes, @Ben0xA and many others not only encouraged me, but gave me tips on how to move forward in the industry.

I was doing Network Engineering, Administration and Design work for a living. Not what I would consider being an Infosec professional by any means. Still, I went to BSides Chicago, and even got up the gumption to give a talk about small businesses and their security needs at the 2014 one. Even with all of that, being an Infosec professional seemed as far away as ever. Why? Well…

I DON’T HAVE THE TRAINING/CERTIFICATIONS TO GET INTO THE FIELD

Working in the wonderful world of IT you hear a ton about certifications. Look at the alphabet soup out there: A+, Network+, Security+, CCNA, CCNE, MCSE, CISSP, CEH, GIAC, and the list goes on and on. Classes alone for some of these can be in the thousands of dollars, and if you aren’t getting work to pay for them, they can be unaffordable. Now, I am not trying to start a debate on certifications. The thing about them is they are a way in, by means of getting past the HR people, and in some instances are required for the job due to, say, Government involvement. They also are a way of learning some of the basics.

Speaking of learning, one thing I think is lacking is a repository of VMs that can be used for learning. Most people who want/are involved in Infosec tend to have their own labs. Today, with Virtual Machines, the cost of labs has gone drastically down. Sharing a VM or two with someone wanting to be involved can be extremely helpful, but so can helping that person set up their own lab.

RISK VERSUS REWARD

This is one of the biggest things in any form of security, so why should it not be brought up as part of the path? Sometimes, more often than you might think, you need to take that risk to get into the field. Maybe it is doing a talk at a con or local group meetup. Maybe it is applying for that job you think you have no chance in hell at. The rewards for taking those risks can be great, as long as you understand that rejection is nothing more than another learning experience. In most cases you can talk to the organizers or people you interviewed with and get some feedback so the next time you have a better shot. When I applied for my current position I took a risk, as I felt I was not what they wanted based on the job description and requirements. I was wrong because, to my surprise, I was told…

YOU ARE ALREADY DOING INFOSEC AT LEAST PART TIME

My boss leveled that on me when I was going through the interview process. His statement to me was that since I was dealing with firewalls and firewall rules, dealing with antivirus and antimalware, removing malware and dealing with PCI requirements for some, I already had years of experience in the field. This floored me, because, like a lot of people trying to break into the field, I think of Pentesting, DFIR, Reverse Engineering, and finding zero days as the things Infosec Professionals do. That, and speaking at a ton of conferences if you want to be well known. Reality set in that security is so much more than that. I had no idea that I was thought of in that fashion, but I came to understand it. Infosec is such a broad area that people new to it especially need to learn that they already took the first steps into the field by wanting to learn and doing day-to-day stuff. Going over logs to find an issue, opening up a pinhole in a firewall, taking care of VLANs, patching systems: all of that is part of Infosec. To get into the “well known” items listed before, it just takes a little bit more.

DON’T BE AFRAID

Talk to people out there. I have a Twitter feed on the side of this page with a list of Infosec Twitter accounts I follow. Use that if you have to as a starting point to talk to people, or at least follow them. Do some research, and find out if there is a local Infosec meeting near you that you can go to. Get to cons, and talk to people in the hallways, besides seeing the talks/panels. I also recommend this post from @hacks4pancakes: Starting an InfoSec Career – The Megamix – Chapters 1-3. It is the start of a 2-part post that really will help.

Filed Under: Rants, Security Tagged With: General Thoughts, InfoSec, starting points

Security Slimebags or How to be forced to pay for security

October 5, 2015 By Michael Kavka

Android is the most popular mobile OS in the world. It also has some of the most frightening security holes, currently Stagefright. The carriers know this and use it, legally, to seemingly extort their customers.

Apple has one thing that Android doesn’t have, and that is a decent patch cycle. You can see people still using the iPhone 4s today. They don’t have to get a new device just to be secure, but not everyone likes the iPhone. Android, on the other hand, is awash in problems. From the heavy fragmentation of the OS, to the majority of phones not getting critical security updates thanks to the carriers, it really is the wild west. The best bet is to get an unlocked phone that will get updates directly from Google, but the cost of an unlocked phone is high, and the everyday person might not realize that is an option.

Carriers such as Verizon, AT&T, T-Mobile, and Sprint know this and use it against the everyday person. Heck, last year when Android 5 came out, the list of phones to get it included mine. I still have not seen that update, even though Android 6 was just announced. So, in my wisdom, with Stagefright out there, now in two versions (the original and an even better one), I went through my phone settings to see when the last update was pushed out to me. The answer was June, before Stagefright, even though there have been patches made by Google and approved by the phone makers to patch Stagefright version 1, and soon version 2. Now why would a carrier not push out such critical patches? The only answer I can come up with is profit.

Think about it: they don’t send out the patches, so you need a new phone to be secure! With the changes all the companies have been making this year to move away from plans and phone subsidies, it is the perfect plan. Extort the customers to make them secure! It is a perfect plan, especially considering no one has done the one thing that could end this: sue the carriers once hacked. Lawsuits, especially class action ones, are going to be the only way to get non-rooted, locked phones timely updates. The carriers have to be held responsible. The problem is that those of us who know the carriers are doing this root our phones, or get the Nexus line of phones. The lack of communication with the layman who uses an Android phone allows this pattern to continue.

The only other option is for everyone to move to iPhones, but without the competition how bad will the iPhone get? Think about it: most of the “great new features” on an iPhone are features that were already available on an Android phone. Apple just refines the feature a bit and whammo, now people are saying how Apple invented x, y, and z. Without Android, what would spur iOS’s development?

One last thought on all of this, and that is mobile payment and buying things online. Maybe someone else out there knows, but doesn’t being able to use your phone to make payments, and the way it does so, subject the phones or carriers to some part of the PCI standard? If so, how many of us or them are truly compliant?

Filed Under: Android, Apple, Google, Mobile Computing, Rants, Security Tagged With: Android, AT&T, iOS, Security, Sprint, Stagefright, T-Mobile, Verizon

CISA and other Political gambits

June 15, 2015 By Michael Kavka

Last week, the Office of Personnel Management revealed it had been hacked. The White House and FBI want backdoors in encryption. The world of politics not only wants us to be spied upon, but less secure, and then complains about being hacked.

The “fun” of a bill such as CISA is how vague it winds up being. It attempts to cast a huge net without much forethought about how that net can be abused. In the case of CISA, it can create less privacy. Researchers already do what they can to share vulnerabilities that they find, and still get ignored by the companies that have them. OPM hadn’t kept up on a basic security program, such as patching, multifactor authentication and auditing.

Wait, there is more. The FBI and White House are now complaining about encryption. You know, the idea of securing communication and data so it is unreadable without the proper key? They want backdoors put into it. Now how is that going to help us? It doesn’t. In fact, I would guess that if a backdoor was put into encryption standards, it would take less than 48 hours for the hackers out there to find it and start exploiting it for their own ends.

Truth be told, politicians want to look like they are doing something about a variety of things without thinking of the consequences. The authors of the Patriot Act have said over the years that it is not being used how they envisioned. We have laws on the table that criminalize behavior that is trivial (remember what Aaron Swartz was arrested for), and those laws give disproportionate sentencing guidelines. We have laws and reforms that have been presented that could make security researchers criminals. None of this really protects us. None of it makes logical sense. A criminal is not going to follow the law. Hackers in other countries are not subject to laws here in the U.S. Making research basically illegal at worst, or a gray area at best, just opens up more holes for the criminals to use.

Unfortunately this is the case in this day and age. People don’t think things through. Politicians even more so, as they listen to lobbyists and staff members without asking for help from the real experts. We want a more secure society, and one that embraces privacy? We have to pressure our politicians from local to federal to listen to us and to think things through. Best intentions often go awry. They have to think of the worst use for the wording of the laws they pass.

Filed Under: Rants, Security Tagged With: CISA, OPM, Politicians, Security
