
Be Prepared: What Cyber Security and the Rubicon Trail Have in Common

This past weekend I was lucky enough to experience what for some people is a “bucket list” item—I drove a 4×4 Jeep over the Rubicon Trail from Georgetown, California to Lake Tahoe. It was an amazing experience, but the best part fell into two simple categories:

1) There was a sense of danger and excitement in crawling over gigantic granite boulders, down steep chutes, up the side of a hill with a sheer drop-off on your right, and through this scary thing called “Little Sluice”—there was nothing little about it!

2) Sitting up on a rock with my friend and co-worker, Kim Ringeisen, drinking a Bud Light in fancy REI camp chairs watching meteorites go by. Also, not coincidentally, getting stung on the forehead by a yellow jacket—it must have known I was not a Georgia Tech fan. (War Eagle!)


Vendor Responsibility and Product Safety

For twenty years now I’ve been building and operating IT products: switches, routers, secure enclaves, etc. The overwhelming majority of vendors I know have a goal of building great products that meet or exceed customer expectations in performance, reliability, quality, etc. With the trend towards the consumerization of IT and an increasingly competitive marketplace I’ve witnessed an increased focus on time-to-market. There have been many examples cited where there is a significant first-mover advantage and a winner/fast-mover-takes-all type of outcome, whether we are discussing car sharing, home sharing, tablets, or the latest enterprise technology. This unerring focus on speed may be having some unintended consequences.

When you hurry a product schedule along you aim for the MVP – the minimum viable product. In short: what is the least we can do that will fulfill the customer’s expectation and hopefully enable this product to sell and capture some market share, after which we add incremental capabilities based on real-world customer feedback to further expand the market and adoption rate. It is a model that has been getting a lot of press, as it is more agile and nimble than the take-your-time, ‘nail it and scale it’ model. The costs, though, may show up not only in quality and testing: as we have seen more recently, cyber security is often left out of the overall product design and architecture altogether. There have been too many reports over the past year of companies who should have known better shipping products with gross flaws and then ignoring the feedback from trusted security researchers.


5 Reasons to Not Use Skyport

“You shall not pass!”

Ever have that day where you just feel a bit contrarian? Like, just for fun, being a little bit of an ass? I think we all have that day now and then – it is that day I don’t feel like letting the guy cut me off when he didn’t get into the merge lane properly so I hug the tailgate of the car in front of me. Or I’m playing Blizzard’s new shooter Overwatch as Bastion, just repeatedly gunning down the same enemies again and again with the gatling gun while taunting them on the mic.

I was feeling a bit that way today, and I really don’t know why (maybe it was rolling off a great weekend of charity poker tournaments, beach visits, and dinners with friends and I need to re-balance), but I started thinking about ‘Why people should not buy the SkySecure Systems from us…’ Not being facetious about it either – you know those fake rhetorical questions we ask so we can make answers where using our product is really the only obvious solution such as:

Trite rhetorical question: ‘Who should NOT use Skyport?’

Obviously contrived answer: ‘People who really want to get hacked soon and lose their jobs and customers and have their boss end up in the Wall Street Journal bemoaning the evils of an unregulated Internet.’ These are worse than Internet click-bait… Serious answers, though:


Five Necessary Improvements to the Swift (Not Taylor Swift) Security Model


@securiTay – Taylor has better security than some banks transferring millions using SWIFT

Recently there has been what is likely the beginning of a wave of break-ins and financial exfiltrations via the SWIFT Alliance. Reports vary a bit, but between vendor/operator mistakes, weak security controls, lack of integrated forensics, and some not-so-best practices we have ended up witnessing the theft of over $80 million. (It could have been over $950 million but for the successful identification of typos by some astute bank operators.)

I spent some time going through the SWIFT Alliance’s publication ‘Security Guidance for Alliance’ published on 18 March 2016 (current version is 29 April 2016) to understand what their baseline security recommendations and architecture are and then thought about how I would re-implement them to protect against some of the more malicious threats we are seeing today.

TL;DR: the document is a fairly comprehensive approach to securing SWIFT against the types of attacks that were prevalent a decade ago. Times have changed; their model does not seem to have adapted to the threat landscape we are facing today. If you operate a SWIFT infrastructure, or just find armchair quarterbacking and 20/20 hindsight fun to read – please continue! I’ll do my best to make this entertaining and hopefully informative.


The Jump Box/Jump Server is Not Dead – it is more necessary than ever

a rather simple pictorial of a jump server logically segmenting admins from assets

I read two interesting articles on securing critical IT systems recently – rather diametrically opposed viewpoints on the role of the jump server (or jump box, as some people refer to it) in securing the critical IT assets of an organization.

The first article was from 2013 by Roger Grimes discussing how to harden and secure your jump server. It’s a good read and provides some advice worth implementing.

The second article, taking the contrarian view, was by Rajat Bhargava and ran on O’Reilly’s TechRadar. In all fairness Rajat’s article discusses using jump servers in the cloud and argues they are less relevant – there are some merits to his arguments, but I think he misses a few key points – one specifically highlighted in the notable Code Spaces hack or ‘corporate murder’.

Four Reasons I disagree with Mr. Bhargava… (although on most things I am very well aligned with his assertions!)


Securing Switches and Routers

In the last 7 years our ability to secure switches and routers has not improved - yet the threat landscape has evolved considerably

I was having a fun discussion with a co-worker this week about how to secure network infrastructure. The challenge is that if someone were to gain access to a switch, router, firewall, or other important transit device, they could pretty easily execute a man-in-the-middle attack or wreak complete havoc on an organization. We saw a great example of this with the City of San Francisco back when Gavin Newsom was the mayor and Terry Childs, a former Cisco SE, decided to show, with great fanfare and aplomb, what power he wielded.

In 2008 he changed the passwords on the network equipment and then deleted the configuration stored on non-volatile flash. The password recovery procedure requires a reboot of the device, so recovering the password also discards the running configuration, effectively rendering the device inoperative. We can assume that the City of San Francisco did not have a configuration repository separate from what the network admins had access to, or any keystroke logging via a jump server (a few simple things that would have prevented this situation).

Seven years later, today – the password recovery procedure on the switches and routers has not changed. Any networking admin or person with reasonable access and skills can hijack and destroy a network. Vendors have done little to nothing to improve the security and operational manageability of the systems we all depend on. A case in point: Ars Technica reported this week that “Attackers are hijacking critical networking gear from Cisco.” I read through this article a few times and it basically occurred to me to say, “duh… of course they are – vendors have been incredibly lazy regarding security.”