Security Ripcord


Keep Your Heads Up In The Stack

May 8th, 2008, by cutaway. Posted in Leadership, Management, Professionalism, Security, USMC.

I’ve been doing a little running lately getting ready for the Corpus Christi Beach to Bay Relay. Today, instead of our usual four mile run, we decided to work on some sprints. We ran a mile and then started a series of 100 yard sprints with a 100 yard walk in between. Needless to say, the walking reset was filled full of huffing and puffing. At one point I noticed that I was hanging my head like most people do when they are tired. When I realized this I did what I always do, what I taught myself in the Marines after long runs and forced marches: I raised my head and started looking around. I used to do this because whenever you are the most tired is when you are the most vulnerable. You are not paying attention, you are breathing heavy, and you are doing everything you can just to take a break for a minute or two. Fortunately, the repercussions of me doing this now are not the same as they were back then.

All of this got me thinking about how we react to situations as a whole. I started thinking about how through training and effort we can begin to overcome hardships. I started thinking about how diligent practice can instill good habits and create muscle memory in any individual. Muscle memory is a condition where a body reacts without, or more precisely with only a little, thinking. You can see this by reviewing Rich Mogull’s posts on how he handled several car accidents after being out of the paramedics for a while. Rich did what came naturally to him. He just reacted and, I’m sure, did a great job and a service.

“Yes, yes,” you are thinking to yourself right now. We have heard this all before. Practice makes perfect. Practice your incident response. Practice your backup procedures. Practice your disaster recovery. Practice makes perfect. Practice, practice, practice. Blah, blah, blah. Yes, I am telling you that. But what I want to emphasize is that you can train yourselves all day long and still make mistakes.

Running with my head down took me back to the days of running through the hills of Camp Pendleton and training myself to keep my head up and aware of my surroundings no matter how tired I was at the time. But what it really got me thinking about was being in the stack. Not the stack you are used to hearing about, but the stack of Marines that are just about to enter a building or room that may contain hostiles. It didn’t matter where we were; once people started lining up and getting ready to move to action, their heads dropped. Not because they were tired or lazy, but because they were focused and waiting. Like a spring ready to uncoil all of its power. This occurred so often that it was not surprising to hear, “Keep your heads up in the stack!” whispered over the radio. Or to have someone give you a quick rap on the helmet as a reminder. Everybody did it, everybody got sucked into it, and everybody was aware of it and watched out for their buddy, because that person was watching out for them.

So, how does this apply to us? Well, security professionals have a lot to accomplish on any given day. Logs to review, servers to patch, incidents to respond to, training to develop and give (and that is just the short list). Let’s face it. We are swamped with responsibility and duties. Everybody groans when we walk into a room, but everybody notices when our duties start falling behind because it directly affects their business. With all of this activity, with all of this responsibility, it is very easy to get set into a common routine or mode. It is very easy for our heads to drop into our computers, logs, management consoles, spreadsheets, etc. We are doing our jobs and we are getting it done, but are we aware of our surroundings? Are we aware of the common sights and sounds of the office environment and server room? Are we listening to people talk when they need our guidance, input, or for us to listen for listening’s sake?

If you are, then good on you. Now look around and see who is not. Please, tap them on the head and tell them, “Keep your head up in the stack!”

Go forth and do good things,

Don C. Weber


Using Consistent Professionalism to Overcome Ugly Babies…..errr…..Adversity

April 6th, 2008, by cutaway. Posted in Personnel Behavior, Professionalism, Security.

One of the hardest things for a security group to overcome is the relationship between the information technology (IT) administrative groups (including the server and workstation groups, if they are separate) and the security group. Whether an organization is small and the security personnel are integrated with the IT group, or the organization is large enough to support a separate security group, many of the same problems persist. There are many common and well covered problems between these groups.

  • IT Group
    • Does not trust the technical expertise of the security group.
    • Does not believe the security group understands why the technology has been deployed in a certain manner.
    • Does not think the security group has taken cost, both technical and manpower, into consideration.
    • Views input from the security group as directives instead of recommendations.
    • Cannot take constructive criticism about their environment.
  • Security Group
    • Takes it personally when their input is not acted upon, whether it was taken into consideration or summarily dismissed.
    • Believes the IT group does not have the technical expertise to secure their environment, whether or not they have the ability to deploy it effectively.
    • Believes that the IT group has not effectively identified their critical assets.
    • Believes that the IT group has not effectively evaluated the controls that protect their assets, critical or otherwise.

Certainly the list can go on and on for both sides. But when you really boil a lot of these issues down to their root cause, I think it is easy to see that they are all related to human behavior. Each one of the personnel that make up these separate roles is merely defending their individual and group understanding of an issue. In most cases these are technical issues, something that the personnel can touch and feel. Something that they have molded and cared for during design, development, deployment, and maintenance. And when somebody comes along and starts providing input, whether critical or not, the individuals or group of individuals have a tendency to take it personally. I like to refer to it as the “ugly baby problem.” (If I could remember where I first heard this I would reference it properly.) Nobody likes to hear that their baby is ugly. Even if the word “ugly” is not used, when you start pointing out how fat, baggy, pointy-headed, close-eyed, huge-eared, etc. a baby is, all the parents hear is, “Damn, that is one ugly baby!” And so human nature kicks in. People pull back and, either privately or publicly, take a defensive stance. And when a person or group has taken a defensive position it is very hard to lure or pull them out of it. In the military we were told that when attacking a defensive position the attackers should bring three times as many personnel as those who are defending the position. In the business world I would advise managers planning a project that it is going to take three times as long to accomplish the project if there is a personality conflict between groups. Actually, I would say it will take more than three times, but no business manager will want to see those types of numbers, and they may be more inclined to find somebody else who could breach the divide more quickly.

What is the solution, you ask? Well, you have often heard me speak about professionalism. Certainly we can all agree that professionalism is key within any organization and especially between groups and individuals. However, in special cases such as the relationship between IT and security personnel, it has to be taken one step further. There needs to be consistency to the professionalism. My current manager has given me a great quote: “Discipline practiced over time becomes habit.” (I am not sure who originally made this statement, but it appears to be a common business management methodology.) As I am a manager within a security group, I will say that it is the security group’s responsibility to take the lead on disciplined or consistent professionalism. Since the security group and manager have more to lose and gain from the state of their relationships with other groups, it is up to them to realize that they do have to adhere to a higher standard. The security group has to realize that they must be consistent in their actions, approaches, recommendations, interactions, relationships, and reactions.

There is a good part to this situation. Normally security professionals have selected their profession very specifically. They have volunteered to become a member of the security group, grunt or leader, and they are usually aware that they are being held to a higher standard and that their actions undergo a magnified evaluation. Hell, most security professionals have selected this profession because of this fact. What many of them did not expect is how operating under these conditions can affect them in and out of work. Operating under these conditions will, after time, begin to take its toll. This “toll” will begin to affect their approach to their responsibilities, how they view technologies, how they interact within their own group, and how they interact with other individuals and groups. We are back to the human nature aspect again. This is all natural, but it is often very hard for individuals to understand. To this end, security professionals need to band together in a support structure. Although security managers play a critical part in helping their team and individuals identify and overcome these situations, it can also be accomplished by relationships within the group or through personal relationships with people throughout the security industry.

Security professionals who portray consistent professionalism in their careers are very noticeable and are often sought out for their guidance and input. I am willing to bet that everybody reading this post can point to one or two individuals, whether you know them personally or not, who fall into this category. It is these persons who have made a difference within their organizations, to the IT community, and to the security profession as a whole. We need to take their example. We need to apply their approach to professionalism during our interactions with groups within and outside of our organizations. By doing this a security professional will begin to break down the walls that have developed, bridge the gaps that have been formed, and create fruitful interactions that benefit all parties. It is consistency of actions that will help people understand approaches and methodologies. It is consistency during interactions that will open channels of communication. It is consistency in behavior that will breed thoughtful exchanges. These, and other, combined consistent professionalism behaviors will help everybody involved understand that yes, the baby is ugly, but over time it will grow into its skin and it will develop into something that is pleasant to behold.

Go forth and do good things,

Don C. Weber


Follow up to Infosecsellout Post

July 19th, 2007, by cutaway. Posted in Blogging, Professionalism.

I have been reading a lot of articles saying that I have pointed the finger at LMH and PHC. I even received a comment to that effect.

jf, comment @ 07/19/07 at 5:26 am:

eyeroll, c’mon, everyone knows that the informant is icer/maynor, which basically removes all credibility because (a) he’s a pathological liar and (b) he’s got beef with LMH. This stupid irc convo doesn’t prove anything other than you’re gullible.

So I responded:

@jf

Actually, the “informant” is not Maynor. Although I know him, I have never talked to him via IRC. You can check out the comment my source made to Martin McKeay’s blog.

Also, I haven’t said anything in my post that proves LMH or PHC are involved. Actually, I tried to follow up on the information the “informant” gave me but didn’t gather any more information than most people who know these individuals are already aware of as old news. Now, if I had known about the Unmask program I would have performed some of the actions HD Moore took, as described in the article on Techzi.

The main thing this did was get this subject in the news so that the infosec sellout received more publicity than it was worth. What all of these players need to realize is that it is okay to be anonymous, and it is okay to be a jerk, but the two shouldn’t be mixed.

Something I thought of afterwards: if you are trying to remain anonymous, and you could be fired for writing in a blog, you should not brag about developing a worm for any operating system. It is going to get you attention that you probably do not want, as people will start looking at you a lot more closely. Infosecsellout found this out the hard way.

Go forth and do good things,
Cutaway


Outting the InfoSecSellout?

July 18th, 2007, by cutaway. Posted in Blogging, Professionalism.

Today I was minding my own business in a chatroom that I monitor when somebody posted something about infosecsellout. Normally I ignore anything pertaining to infosecsellout due to an unprofessional and childish comment posted about Alan Shimel. But this time I had to pay attention. This time somebody pointed a finger at who is behind the content posted on the infosecsellout blog site. The finger was pointed at LMH and the Phrack High Council (PHC) (yes, the link is broken, but you can check out what it looked like here).

I have no way to confirm any of these statements, but here is the text of the conversation. And, yes, it has been edited to protect identities.

[3:37pm] [informant] okay- i have permission to officially leak it. we think
sellout is LMH and the PHC kids. spread the word
[3:37pm] [cutaway] HA
[3:37pm] [informant] and we think some of them engage in illegal hacks
[3:37pm] [cutaway] HA
[3:38pm] [cutaway] seriously on that last one?
[3:38pm] [informant] yep, btu no evidence
[3:38pm] [cutaway] That would be an interesting blog post
[3:38pm] [informant] yes it would
[3:38pm] [cutaway] Ou would love to drop that
[3:38pm] [informant] if you look up the phrack high club stuff, they state
clearly their goal is to trash the infosec industry
[3:39pm] [informant] what better way to do that than pretend to be insiders,
and make up a bunch of BS and disinformation
[3:39pm] [informant] a disinformation campaign against the infosec industry
[3:39pm] [informant] almost ingenious
[3:39pm] [informant] feel free to leak to ou if you want
[3:40pm] [innocent.bystander] I don’t think I want to be the one to post that.
that is sort of like saying – that group of kids is robbing houses – from
your front porch
[3:40pm] [cutaway] I just might wait on that one
[3:40pm] [cutaway] I was just thinking that
[3:40pm] [innocent.bystander] sort of invites them to come on in
[3:40pm] [informant] yeah, no proof on the illegal stuff
[3:40pm] [cutaway] but what points you in that direction?
[3:40pm] [informant] but we’re pretty sure they do it
[3:41pm] [cutaway] stuff they say or reference in the infosellout blog?
[3:41pm] [informant] when you hear enough rumors from enough sources, and
track that to behavior, eventually a rough picture emerges
[3:41pm] [informant] look at the language on the blog and the pHC stuff
[3:42pm] [cutaway] I am trying to think how to present it when I don’t
read sellout and I don’t have references to specifics
[3:42pm] [cutaway] not that I am asking you for any
[3:42pm] [cutaway] just thinking outloud
[3:43pm] [cutaway] Hmm, I’m going to have to play with that tonight
[3:43pm] [innocent.bystander] gotta go offline for some testing, back in a few
[3:43pm] [cutaway] If I don’t come up with something I’ll ping Ou
[3:43pm] innocent.bystander left the chat room.
[3:43pm] [cutaway] Unknown source of course
[3:43pm] [informant] of course
[3:44pm] [informant] you could just say you got an anonymous email, and that
they’re goal has been to sow chaos

Interesting, yes. Proving illegal activity… well, I doubt I even want to start digging around for that information. But I thought I would check into the claim of PHC trying to discredit the information security industry. First I started with the latest edition of Phrack, where I found this:

Q: And about PHC?
A: Well, thats an interesting question. To be honest, PHC did not just do
those bad things we were used to learn from the web or irc, we like some
of them and even know very well a few others. Also, the two attempted
issues 62 and 63 of PHC had an incontestable renew in the spirit and
there were even some useful information on honeypots and protecting
exploits.

However, we have a problem with unjustified arrogance. If it’s true
the security world has a problem with white/black hats, we think that
the good way to resolve the problem is not to fight everyone,
especially such a poor demonstrative way. It’s not our conception of
hacking. Take the first 20 issues of Phrack and try to find unjustified
arrogant word/sentence/paragraph: you won’t find any. The essence of
hacking is different : it’s learning. Hacking to learn.

You can be a blackhat and working in the IT industry, it’s
not incompatible. We have nothing against PHC and we think the
Underground needs a group like PHC. But the Underground needs a magazine
like Phrack as well. The main battle of PHC is fighting whitehats but
it’s not Phrack’s battle.
It’s never been the purpose of Phrack.
If we have to fight against something, it’s against the society and
not targeting whitehats personally (that doesn’t mean that we support
whitehat…). Phrack is about fighting the society by releasing
information about technologies that we are not supposed to learn. And
these technologies are not only Unix-related and/or software
vulnerabilities.

We agree with them when they say that recent issues of Phrack helped
probably too much the security industry and that there was a lack of
spirit. We’re doing our best to change it.
But we still need technical
articles. If they want to change something in the Underground, they are
welcome to contribute to Phrack. Like everyone in the Underground
community.

Next I found this post to Full Disclosure:

—– Original Message —–
From: Phrack High Council
To: full-disclosure_at_lists.grok.org.uk
Sent: Thursday, November 24, 2005 1:29 PM
Subject: [Full-disclosure] Return of the Phrack High Council

Dear FD Reader,

It’s been a very long time since we last spoke, but just like the Pheonix (not the city, you dumbfuck!) i was reborn from my own ash. We, the PHC, been for too long in the underground (gathering informations, snooping whitehat tty’s, backdooring various boxes, etc.) to be able to keep up with the amount of bullshit that goes to this list on a daily basis. But NOW, the Phrack High Council is once more into the lights! We’ve been in the underground gathering informations about *YOU* and your fellow ‘ethical hackers’.

You should expect to find your mail spool and porn collection on our web page soon enough. Don’t assume you are safe because you are NOT! No, we don’t like you and no, we won’t stop. But, for now, we proudly present the inside of the Star Hackademy (www.thehackademy.net) and an early _final_ PDF version of their lame zine (thanks core, you are a real pal). We couldn’t get our hands on the hardcover; it’s scheduled to be released sometime in december. Sorry!

PHC is not a hacking group, it’s a state of mind. PHC is not a group of people, it’s a movement of people. We do not exist!

Please enjoy visiting http://phrack.efnet.ru as the next home of your mailspool *g* and remember ….

…. “keep pr0j3kt m4yh3m alive!”

The “keep pr0j3kt m4yh3m alive!” quote led me to a mirror of the Phrack RU site index page:

Phrack High Council – 2005
“Keep pr0j3kt m4yh3m alive!”

Official Note

It’s been a long time, indeed. Two years of underground, now PHC is back into the scene. I bet
many of you have no fuckin clue *WHY* suddenly, the anti-infosec movement slowed down. Some of you
thought it might’ve been the fedz. Some others said PHC members got security jobs. There were also
some voices stating we have no exploits left. HAHAHAHA! Get real, son! We sit our asses on more
goodies than ISS and iDefense, altogether.

PHC is *NOT* a hacking group, it’s a state of mind! Stop asking about us,
we know all about YOU!

PHC was never *GONE*, we just reached a new state of mind, a new underground level. You, our
faithful follower, our friend, our brother, know where we’ve been. We’ve been scooping the infosec,
getting inside informations, KNOWING OUR ENEMY (thx Spitzc0q), puttin their lifes into misery!
But,
in the mean time, we also had our eyes on the scene: some of you kept pr0j3kt m4yh3m alive. The rest
acted like sheeps left w/o sheppard: bowed yer heads to them wolves! This is your last chance: you
either change or become a target. Everyone can be a target: security professionals, CISSP (hi
Johnson aka [t]hief, still playing the ‘hacker’?), security companies, bugtraq wannabeez, all kinds
of wannabeez, them bitches, non-believers, haters, etc.

Gray is not a choice anymore. It’s US or THEM. It’s not a game. The IT Security industry is
affecting our day-to-day life.
More and more east-europeans, chinese, indians, pakistani, etc.
think they will find milk and honey working at a security company; you fuckin twats! They’re just
exploiting you. You’re serving a cause that’s not yours, making your boss rich! If you don’t see
our point, then fuck you, you made it to our target list.

Everybody should remember gayh1tler’s last wish: keep pr0j3kt m4yh3m alive! Each and every of
you should follow his words of wisdom. You have no right to do otherwise! And if you do, we see you,
we know who you are and your ass is blast.

It’s the WHITEHAT HOLOCAUST! WHITEHATS, STEP INTO MY OVEN!!!!

– Phrack High Council, 2005 AD

Finally, I figured I should check the infosecsellout site to see if I could locate any blatant FUD. The only thing that really stood out was the recent claim of a worm for OS X. Although this may or may not be an attempt to generate bogus information, I did not see anything else that could not be described as just another person’s opinion.

Apparently, this information has also gotten around a bit already. It seems that infosecsellout has posted an email from LMH and/or the crew at info-pull that claims they are not affiliated with infosecsellout, despite David Maynor’s opinion.

You know, I am starting to wish I had ignored the original message about infosecsellout. Although I cannot say that there is any specific misinformation associated with the blog, the completely unprofessional attitude and behavior of its author(s) just reminds me of why I started, and should have continued, ignoring this blog, all conversations associated with it, and any claims about who the author(s) may or may not be. I’m also glad I did not bother George Ou with this. Infosecsellout does not need any more publicity than it already gets. I have also come to realize that it is just not that interesting. Although I would like to blame infosecsellout for wasting my time again, I can really only blame myself.

Go forth and do good things,
Cutaway
