Saturday, December 6, 2014

Web Encryption Algorithms Supported by the Top 25 US Banks

I've been exploring HTTP encryption configurations lately at industry scale, using an automated SSL/TLS scanner that I wrote based on OpenSSL and SSLScan. Here are the SSL/TLS configurations of the top 25 US banks. It is good to note that just about everyone seems to have their crypto house in order.

Observation: The majority of banks only support TLS - no SSL. The remaining support SSLv3 and TLS. No SSLv2.

Observation: No key lengths less than 128-bit. This is good. Over time, I expect that we'll see a decrease in 128-bit keys and an increase in 256-bit keys.
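As an added example (not the author's scanner), this is the kind of summarization that produces the two observations above: it consumes constructed sslscan-style "Accepted" lines, prefixed with the scanned host, and buckets each host by protocol support (TLS only, SSLv3 and TLS, or SSLv2 present) and by its weakest cipher key length. Host names and scan lines are constructed, not real bank results.

```python
"""Summarize SSL/TLS scan results the way the bank survey above does."""
import re
from collections import defaultdict

# Constructed sample in the shape of sslscan's cipher output, with the
# scanned host prepended. None of these are real scan results.
SAMPLE = """\
bank-a.example  Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384
bank-a.example  Accepted  TLSv1.0  128 bits  AES128-SHA
bank-b.example  Accepted  SSLv3    128 bits  RC4-SHA
bank-b.example  Accepted  TLSv1.2  256 bits  AES256-SHA256
bank-c.example  Accepted  SSLv2    40 bits   EXP-RC2-CBC-MD5
bank-c.example  Accepted  TLSv1.0  168 bits  DES-CBC3-SHA
"""

LINE = re.compile(
    r"^(\S+)\s+Accepted\s+(SSLv2|SSLv3|TLSv1(?:\.[0-3])?)\s+(\d+) bits\s+(\S+)")

def parse(text):
    """Return {host: {"protocols": set, "min_bits": int, "ciphers": [...]}}."""
    hosts = defaultdict(lambda: {"protocols": set(), "min_bits": None, "ciphers": []})
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip headers and lines for rejected ciphers
        host, proto, bits, cipher = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        h = hosts[host]
        h["protocols"].add(proto)
        h["min_bits"] = bits if h["min_bits"] is None else min(h["min_bits"], bits)
        h["ciphers"].append((proto, bits, cipher))
    return dict(hosts)

def classify(host_info):
    """Bucket one host the way the post's two observations do."""
    protos = host_info["protocols"]
    if "SSLv2" in protos:
        proto_class = "SSLv2 (broken)"
    elif "SSLv3" in protos:
        proto_class = "SSLv3 and TLS"
    else:
        proto_class = "TLS only"
    weak_key = host_info["min_bits"] < 128   # the post's threshold
    return proto_class, weak_key

def summarize(text):
    """Return {host: (protocol class, weak-key flag)} for a whole scan."""
    return {host: classify(info) for host, info in parse(text).items()}

if __name__ == "__main__":
    for host, (pclass, weak) in summarize(SAMPLE).items():
        print(f"{host:16} {pclass:16} weak key: {weak}")
```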

Saturday, November 15, 2014

A Venture Capitalist Valuation of Cybercrime - why every compromise hurts everyone

I've decided that every compromise - J.P. Morgan, Target, Home Depot, Dairy Queen, USPS - hurts everyone. Why? Because every profitable compromise attracts more resources to cybercrime, raising the threat level that every organization has to deal with.

At the root of every enterprise is investment - to fund research and development, operations, and so forth. This got me thinking: at what level would a venture capitalist fund cybercrime, and how would different levels of revenue affect that level of investment? Let's use $2.5 billion as our baseline revenue level, because that is what Group-IB, a cybercrime investigations and research company, has pegged Russian cybercrime revenue at in its report.

The basic venture capital formula determines the level of investment based on the projected future value of the investment (Future Value), the required rate of return (IRR), and the number of years until that future value is realized (years). It all comes together in the formula shown below.


Let's say that an enterprising criminal proposed to our venture capitalist a cybercrime enterprise that would be generating $2.5 billion in 5 years. The venture capitalist, seeing the risk in the enterprise, requires an annual return of 75% and assumes the enterprise will be worth three times revenue. In such a scenario, our venture capitalist would be willing to invest about $1.4 billion.

Let's assume that the criminals boost their revenue forecast to $3.5 billion because organizations are failing in their defenses even more frequently. Our venture capitalist revalues her level of investment and now is willing to invest nearly $2 billion.

Alternatively, what if revenue dropped to $1.5 billion because companies are being more successful in defending their assets? Now our investor is only willing to invest $840 million.
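Written out as an added worked equation (not part of the original post), using the quantities the post names:

$$\text{Investment} = \frac{\text{Future Value}}{(1 + \text{IRR})^{\text{years}}}, \qquad \text{Future Value} = 3 \times \text{Revenue}$$

With IRR = 0.75, the three revenue scenarios give Future Values of $7.5, $10.5 and $4.5 billion, and the post's three figures are reproduced by discounting three periods:

$$\frac{7.5}{1.75^{3}} \approx 1.40, \qquad \frac{10.5}{1.75^{3}} \approx 1.96, \qquad \frac{4.5}{1.75^{3}} \approx 0.84 \quad (\text{billions of dollars})$$

One check worth noting: over the 5-year horizon stated, the divisor is $1.75^{5} \approx 16.41$ and the same inputs give about $0.46, $0.64 and $0.27 billion; the direction of the argument (investment scales linearly with projected revenue) is unchanged either way.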

The point is every profitable compromise attracts more resources pursuing profits.

The threat level that every organization has to deal with is directly proportional to the global resources being invested in cybercrime. So, when Target or Home Depot or J.P. Morgan get compromised, everyone gets compromised, because each of these events attracts more resources. These resources go towards development of new exploit methods, compromise operations, and cash-out operations.

So what does this mean? Ultimately, we have to starve the criminals of revenue so that the investment trends will reverse from growth to decline. First, take care of your own house so that you aren't contributing to the cybercrime revenue. And second, help out your neighbors so that they don't get compromised - because it matters. Crime begets crime. And if you live in a neighborhood where there is a lot of crime, eventually you are going to get compromised.


Monday, October 6, 2014

Infographic - The Web of the National Rifle Association

The NRA operates 144 distinct websites, by my count. You can learn a lot about the NRA just from their site hostnames. For example, who knew that the NRA sells hearing aids? Yep, www.nrahearingbenfits.com. And apparently they are in the prescription drug business too! www.nrarx.com. Other better-known facts include that the NRA does not like Obama (www.gunbanobama.com), and they aren't fond of Michael Bloomberg either (www.meetbloomberg.com).

Here is a visualization I created of the NRA's sites and their inter-relationships. I created this using Gephi with the Force Atlas 2 module.

Friday, September 26, 2014

King of the Forest....in my yard

Three moose have taken up residence in my yard - a bull and two females. Some quick facts about these beautiful creatures:
- top speed: 35 mph (55 km/h)
- weight: up to 1500 lbs (700 kg)
- height: up to 6'9" (2.1 m)

Moose are beautiful, but they will kill you if they want to. One of my scarier experiences was being chased by an angry mother moose down a mountain trail while riding my mountain bike.

Sunday, September 7, 2014

Advice for Getting into the Information Security Profession

Each Fall I am a guest speaker for Brigham Young University's Information Security graduate program. Much of the time is spent fielding questions from students. Last week, one student asked, "What should I be doing to ensure I can land a good technical job in Information Security?" Rather than answer right then, I asked if I could answer through a blog post. So here it is.

Assess the security of networks, systems and web apps. Information Security is about protecting assets from unauthorized access and destruction. To be a good security practitioner you have to be familiar with the tactics and techniques for compromising systems. This will enable you to assess your own systems for vulnerabilities, as well as improve your ability to design and operate preventative and detective security controls. Get going on web application hacking with the OWASP WebGoat application, an intentionally insecure web application. Scan your own network, and others you can get permission to assess, using nmap, Nessus, and other tools.

SecTools.org has a good listing of security software for assessing networks. Get familiar with these tools. Use them.

Code. Pick a language - whichever you prefer. And learn to code reasonably well. I am strongly of the opinion that you have to know how to code in order to know how computers work and how to secure them. Learn by building something. Pick a project and code it up, preferably something with network communication involved. Code a port scanner. Code a web application security scanner. There are a hundred out there, but by building your own you will develop expertise in that security domain.

Resources for learning to code: Codecademy for getting going on the basics, Google searches and Stack Overflow for when you get stuck.

Stand up and operate a small network that is Internet accessible. You have to know networking and you have to know what happens to networks on the Internet. Get a used Cisco switch and use its capabilities to log and control access. Fire up Wireshark and learn the networking protocols.

Resources for networking: Cisco documentation. The Cisco Certified Network Associate (CCNA) material is pretty decent. The Wireshark network protocol analyzer. Read TCP/IP Illustrated Volume 1 while you are analyzing network traffic.

Run a network IDS on your network. This will open your eyes to the attacks occurring on the Internet and get you into intrusion detection and response. Use Suricata or Snort.

Wrangle and analyze data. Data collection and analytics are increasingly important in Information Security. Know how to work your way around relational databases and NoSQL databases, and stretch for Hadoop if you have time. I recommend getting going with MySQL or PostgreSQL and MongoDB. Use one of these databases in your coding project. Also, use a database to store and analyze traffic from your network.
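A small illustration of the last point, added here and not from the post: a few constructed connection records, in the shape of a CSV export from a packet capture or IDS, are loaded into SQLite and queried for the most-contacted ports and for any source that touched an unusual number of distinct ports on one host. The addresses and timestamps are constructed sample data.

```python
"""Store connection records in a database and query them for a scan pattern."""
import csv
import io
import sqlite3

# Constructed sample export: timestamp, source IP, destination IP, port, protocol.
SAMPLE_CSV = """\
ts,src,dst,dport,proto
2014-09-07T10:00:01,203.0.113.5,192.0.2.10,22,tcp
2014-09-07T10:00:01,203.0.113.5,192.0.2.10,23,tcp
2014-09-07T10:00:02,203.0.113.5,192.0.2.10,80,tcp
2014-09-07T10:00:02,203.0.113.5,192.0.2.10,443,tcp
2014-09-07T10:00:03,203.0.113.5,192.0.2.10,3389,tcp
2014-09-07T10:00:05,198.51.100.7,192.0.2.10,443,tcp
2014-09-07T10:00:06,198.51.100.7,192.0.2.10,443,tcp
2014-09-07T10:00:07,192.0.2.20,192.0.2.10,22,tcp
"""

def load(conn, csv_text):
    """Create the connections table and bulk-insert the CSV rows; returns row count."""
    conn.execute("CREATE TABLE IF NOT EXISTS connections ("
                 "ts TEXT, src TEXT, dst TEXT, dport INTEGER, proto TEXT)")
    rows = [(r["ts"], r["src"], r["dst"], int(r["dport"]), r["proto"])
            for r in csv.DictReader(io.StringIO(csv_text))]
    conn.executemany("INSERT INTO connections VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return len(rows)

def port_fanout(conn, min_ports=4):
    """Sources that reached at least min_ports distinct ports on a single host,
    a simple port-scan indicator; returns [(src, dst, n_ports)]."""
    return conn.execute(
        "SELECT src, dst, COUNT(DISTINCT dport) AS n FROM connections "
        "GROUP BY src, dst HAVING n >= ? ORDER BY n DESC", (min_ports,)).fetchall()

def top_ports(conn, limit=3):
    """Most-contacted destination ports; returns [(dport, count)]."""
    return conn.execute(
        "SELECT dport, COUNT(*) AS n FROM connections "
        "GROUP BY dport ORDER BY n DESC, dport LIMIT ?", (limit,)).fetchall()

def analyze(csv_text):
    """Load a CSV export into an in-memory database and run both queries."""
    conn = sqlite3.connect(":memory:")
    n = load(conn, csv_text)
    result = {"rows": n, "fanout": port_fanout(conn), "top_ports": top_ports(conn)}
    conn.close()
    return result

if __name__ == "__main__":
    print(analyze(SAMPLE_CSV))
```

Point the same loader at a file-backed database and a real export from your own network and the queries carry over unchanged.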

Read. Set up an RSS reader such as Feedly and load it with Information Security research and general news sources. Also, stay up on the industry or industries in which you are interested in practicing information security. InfoSec doesn't exist in a vacuum. Know the context in which you want to practice Information Security well. Reading will also help you shape an increasingly integrated picture of Information Security trends and inter-relationships.

Some of the better books on my shelf include Practical Unix and Internet Security, Applied Cryptography, Programming Ruby, Building Secure Software, TCP/IP Illustrated Volumes 1 and 2, all the Neal Stephenson books :), Security Engineering, Exploiting Software, Hadoop the Definitive Guide, and Network Security Assessment.

Write. Your ability to communicate well will determine the scope of responsibility you take on in your career. Write up your research. Post it to a blog. Present it at a conference. Be a student of writing well. If you have only one book on writing, get The Elements of Style by Strunk and White. Essential.