Internet in the Remote Desert

Posted June 20th, 2007 by

While I was in the “giant kitty-litter box” some years ago, our base was 200 miles from anything. Our link to the outside world was a satellite Internet connection through a company in Dubai. We had a small 10-station computer lab with about as many VoIP phones behind a Linux firewall doing NAT.

Because everything was running on generators, and Joe the Infantryman couldn’t remember to fill the generators with fuel, our base had very unstable power. We would have an outage every day at around 2:00 in the afternoon. The power situation and the sand caused the power supplies of the computers to die fairly quickly.

Then one day, a bad thing happened. The Linux firewall lost the boot drive during a power failure and didn’t come back up. It went to the maintenance shell which, of course, requires you to log in with the root password. This is when people came and asked me to fix it.

All the firewall needed was a fsck, but I was out of luck–no password. I ripped open the case and booted off a CD but the drive wouldn’t take a fsck. I eventually ended up turning the firewall into a Debian box. Using Ethereal, I sniffed out a gateway and unused IP address, then I called the company that owned the equipment. We had a nice conversation about how it would take them a month to send out a tech to fix or replace the firewall, so in the meantime, I owned it.

Now the funny thing is that everything is slow when you don’t have the tools available. I had to take one of the workstations and rip out a CD drive to put one in the firewall. I had to sniff out a network connection just so I could download a bootable .iso. These are all fairly small, but they take time.

I think the whole time to get us up and running was about 12 hours. Definitely not the quickest job I’ve done. But at least our guys could call home.

Now the reason that I’m bringing this up is because I’m looking at the movies from Hack In the Box 2006 and there is one about hacking satellites: Hacking a Bird in the Sky – Hijacking VSAT Connections by Jim Geovedi and Raditya Iryandi. These guys used some of the same techniques that I did.




Posted in Army, Hack the Planet, Technical | 2 Comments »

Learning From the Intelligence World

Posted June 6th, 2007 by

Back in the day when I was PFC Smith, they taught me in school that one of the definitions of good intelligence is that it had 3 qualities:

  • Timely–you get the information with enough time to act on it
  • Accurate–yes, it’s not an exact science, but as accurate as you can get and still be timely
  • Relevant–it answers the questions that the commanders need to make decisions

You can extend these 3 qualities really to just about any piece of information such as vulnerability reports, security metrics, audit findings, or vendor presentations.

Now an interesting piece of trivia: Inside the US Federal Government, security practitioners are charged with providing “adequate security”. I’ve listened to Hord Tipton and his travails with the Cobell v. (Kempthorne|Norton|Babbit) case and it was interesting to me because he had to prove that his organization provided “adequate security”, so there was much talk about the definition of what that entailed.

Really what I’m looking for is a good, concise definition of “adequate security” in keeping with the values of good intelligence.

  • Threat-specific–we protect against all likely types of attack
  • Cost-effective–we’re not spending money just to check a box in a compliance framework
  • Relevant–we support the business processes



Posted in Army, FISMA, What Works | 4 Comments »

Barricade and Kill

Posted June 6th, 2007 by

Can you really kill the undead? It’s an age-old question.

Anyway, check out this game (caveat for Flash games is in effect) and learn how important it is to barricade your house and pull out the big guns.

And while you’re busy shooting zombies, have a happy D-Day!




Posted in Army, Zombies | No Comments »

Puzzles v/s Mysteries

Posted May 31st, 2007 by

There’s a nice article at the Smithsonian about the difference between riddles and mysteries. I received this via the security metrics email list.

Risks and Riddles

This reminds me of intelligence work, for obvious reasons.

There are 2 major types of offensive actions an army can conduct: deliberate attack and movement to contact. (Yes, those of you pedantic enough will bring up hasty attacks and a dozen other scenarios; I’m being a generalist here =) )

In a deliberate attack, you know roughly what the Bad Guys are doing–they are defending key terrain. The task for the intelligence people is to find specific Bad Guy battle positions down to the platoon level. This is a puzzle with a fairly established framework; you are interested in the details.

In a movement to contact, you have a very hazy idea that there are Bad Guys out there. You move with an eye towards retaining flexibility so that you can develop the situation based on what you learn during the mission. The task for the intelligence people is to determine the overall trend on what the Bad Guys are doing. This is a mystery, and you’re more concerned with finding out the overall direction than you are with the specifics–they’ll get lost due to “friction” anyway.

Now translated to information security, some of what we know about the Bad Guys is static and therefore more of a puzzle–think about threats that have mature technologies like firewalls, anti-virus, etc. to counter them. Solutions to these threats are all about products.

On the other hand, we have the mysteries: 0-day attacks, covert channels, and the ever-popular insider threat. Just like a well-established military has problems understanding the mystery that is movement to contact, information security practitioners have problems responding to threats that have not been well-defined.

So information security, viewed in the light of puzzle v/s mystery, becomes the following scenario: how much time, effort, and money do we spend on the puzzles versus how much time do we spend on mysteries? The risk geek in me wants to sit down and determine probabilities, rate of occurrence, etc. in order to make the all-important cost-benefit-risk comparison. But for mysteries I can’t, by definition of what a mystery is, do that, and our model goes back to peddling voodoo to the business consumers.




Posted in Army, Rants, Risk Management, What Doesn't Work, What Works | 1 Comment »

DILLIGAF!!!

Posted May 1st, 2007 by

Why, out of all things, did they name the domain DILLIGAF? I still wonder to this day…

Our managed-services infrastructure was built by somebody else–temporary engineering labor from another business unit inside the company. They named the domain DILLIGAF.

For those of you not in the know, DILLIGAF is not a good word, it’s one of those quasi-military acronyms like “FUBAR”. It means the following:

  • Do
  • I
  • Look
  • Like
  • I
  • Give
  • A
  • F*ck?

Yes, we had some top-notch engineers working for us. Filthy buggers continued to charge us after they were done, too.

First time I heard the domain name, I got mad. Real mad. Reach out over the phone and hit somebody mad. I thought the guy just told me to go RTFM or something along those lines: “Oh, that server is part of the DILLIGAF domain.” Well, same to you, buddy.

But how can I explain the domain to my customers? “And this is where your data goes into the DILLIGAF network, where we take the utmost in care on how it is treated.” Answer is, I can’t say that with a straight face.

We had to change the domain. That’s an outage I gladly authorized. =)




Posted in Army, The Guerilla CISO | 6 Comments »

CISO’s Book of Death

Posted April 19th, 2007 by

Back in my army days, most good leaders carried around a book with info on their squad. We jokingly called these our “Book of Death”.

Anyway, I aggregated all the spreadsheets I’ve used over the past year, sanitized them, genericized them, and put them up on the web. Feel free to borrow heavily or let me know what maybe needs to be added or expanded.

Really, I’m just testing the waters to see if there is interest in taking something like this on as a full project or if it should remain a Mike Smith skunkworks project like it has been so far.

CISO’s Book of Death V0.1




Posted in Army, ISM-Community, Risk Management, What Works | 3 Comments »


