metlstorm's blog

Primitive Persistent Threat

It's time to party like it's 1999...
June 15, 2011

According to The New York Times, "sophisticated attackers" stole large quantities of customer data from Citi, using computers.

You can read the article here.

We know the attackers used computers, because they typed an account number into a URL bar, and computers have URL bars. Computers are sophisticated, and anyone who uses them is, apparently, "especially ingenious". Just read the article.

Poor Scoping Disastrous for Security

The limited scope afforded to your security staff and contractors could harm your business, writes Metlstorm...
April 14, 2009

Building security testing into your project lifecycle is one of those critical growing-up points for a business.

All enterprises must eventually accept that security is just one more part of software or system development lifecycle. Both designs and implementations must be reviewed, developers need security training and infosec teams need the power to veto go-live dates.

Lots of businesses have arrived at this point. But what often happens as a result is that security gets siloed per project. The project scope determines what security people will see, where there is budget, and critically, where the incentive to fix the problems lies.

This means that the ways project silos interact -- the reefs between scope islands -- are never in scope. And as we all know, scope is for project managers, auditors and security consultants. Hackers don't care about your scope.

Let's look at how scoping can create some pretty perverse outcomes.

I Heart... Windows?!

Metlstorm justifies his forbidden love for Windows...
April 2, 2009

During a recent infosec-industry beers-and-shoptalk shindig one of the regulars questioned my standard assertion that given 20 mins, I'd be able to escalate privilege to root on any production UNIX box.

"They're making us roll out Active Directory," he whined, looking for sympathy from a fellow UNIX nerd. But the sad, awful truth is this: Windows infrastructure is actually usable -- and perhaps even securable -- in the enterprise.

Quality, Opacity, and the Wiseass Business Model

Metlstorm gets heckled by CIOs over breakfast...
March 26, 2009

Hi. I'm a wiseass. A "repeat business" wiseass. I know this because a CIO told me. "Do you get any repeat business, being such a wiseass?" he asked me during the Q&A portion of my presentation to a group of a couple of dozen CIOs.

Normally at these sorts of events protocol dictates that I have a sales department chaperone present at all times to make sure I use the correct fork for the shrimp cocktail, etc, and this was no exception.

My technical colleague and I riffed away, deftly interspersing witty-yet-topical infosec anecdotes with sales patter and doomsaying while we charmed the gathered CIOs with our analysis of the threat insiders posed to their organisations.

Now, you and I know that any sort of insider access is game-fuckin-over, but for the purposes of making the presentation more sales-friendly than a single PowerPoint slide saying, "you're all fucked, plz give us some money while you're still in business," we humoured them.

As I drew to a close, I looked around the audience, fruit platters on the table, a few shunned greasy pastries (they did have bacon, at least) and stewed coffee. I went for my concluding slide -- the last bit of useful information to be shared with the room before the sales drones would activate and attack.

When my sales-chaperone guy saw it he started twitching up the back -- it was off topic and he knows how I roll.

The infosec industry is a fraud

Metlstorm takes the infosec industry to task for its failures...
March 18, 2009

I want to believe I'm wrong; that the infosec industry isn't a fraud, fleecing the chumps of their cash. "Surely, Metl," you say. "Surely it's not 1994 any more; you don't just NFS mount .mil boxen any more, you don't roll with slammer or blaster or code-red. You don't get thousands of open ports when you nmap a corporate Internet perimeter. Things are better."

Sure, maybe it's not 1994 AD any more. But let me posit this, which I culpably dub Metlstorm's Assertion:

The cost of owning a corporation is a fraction of a percent of their annual infosec spend.

Let's go with 0.1%. Can you think of any organisation you've worked for, or on, or with, or pwned that you couldn't own for the sales margin on a single Check Point device?
