Wednesday, October 26, 2011

Guest post - don't be a dumbass cheater

Hey there, I'm FCB and guest posting today. It's my b-day so Ray thought he'd throw me a bone and let me do a post on his blog of whatever I want. And boy do I have a rant.

Oh, just so's you know me, I'm a hacker for hire - Gray hat not gray beard - lol. I do all kinds of interesting security work and when I have time, I help out my friends.

So speaking of helping my friends. Some of my friends are real idiots. And some of my clients are even dumber. One thing that I've heard way too much in the past few years is "boo hoo hoo, I was getting little action on the side and then my wife caught me." My first reaction is - ha ha, sucka. You managed to get yourself a steady sweetness and you fuk it all up. I mean, come on. I've just not had the same kinda luck with the ladies, but hey, your fubars mean a wider pool for me.

Anywho, what really smokes me off is how dee you em bee these guys are about their cheatin. Don't they know the simplest things about operational security? Sheesh. Alright, i guess it's left to me to ejumacate 'em.

Lesson one: Keep your cell phone safe

First and foremost, I hear the dumb guys getting caught cuz they've got incriminating text messages or logs on the cell phone. Hello? Anyone home, McFly? If you ain't gonna password protect your phone or keep track of it - and honest, for some people, this is really hard. Duh... then ya know what you need to do? Get a second phone just for your "covert operations". In the hacker world, we call this air-gapping. Use a prepaid disposable second phone for all your communications with "under cover contact". If the phone becomes compromised, just deny it's yours. Hey, you found it the other day and forgot you were carrying it around. It's your friend's phone. It's whatever, it's just not your phone and therefore any pieces of evidence left on it aren't tied back to you. Look, for under twenty bucks you can buy complete separation from your real life, keeping your secrets safe.

Lesson Two: Keep your email safe

This one's a knee-slapper. I've heard many variants of how a dumb cheater got caught with his proverbial pants down because his wife was reading his email. Two words - dumb ass. One guy commented to me "Oh, my wife never looks at my email." Guess what happened to him less than a week later. Another client once came whining to me that his wife hax0red his email account and gave the contents to a lawyer. Musta chose a stupid password, sucker. I've even heard of suspicious wives hiring hackers to break into their hubby's emails to snoop around. Me, I've not gotten any of those kinds of gigs - but you bet your sweet patootie I'd take the job (if the price was right). The best (or worst) case I'd heard was this FOAF who actually told his wife his password and dared her to check his email. Well, she accepted his apparent honesty and didn't do it... for a few months. Then finally when he spent too many long nights at the office, she delved deep and hard into his mail logs and guess what? Pay dirt. So the lesson is obvious, if you can't pick a good password and keep your email logged out when you're not home (you didn't "save" the password, did you?) then do like the phone and get a second email account. Keep it totally clean of anything tied to your real life and make it disposable and deniable if it gets compromised. Leave no traces, soldier.

Lesson three: Protect your ass-ets

A good buddy, who's way smarter than me in the ways of wimmen folk, once told me the three key words to a successful relationship - "secret bank account." It's the same deal as above: if you can't protect your eggs then don't put them all in the same basket. No money trail for her to pick up on. And having a stash in a home-away-from-home is handy in case your little chickie decides to lay some large demands on you. You know, the old blackmail... well, then you're all set to go if you need it. And if the whole thing ever goes pear-shaped, you've got getaway cash when the lawyers (or media, if you're a politico) descend upon you.

Okay, that's all my cheap advice. If you're gonna have flexible morals (like me, ha ha) and "expand your horizons", then you need to keep your secrets safe. Take it from a hacker and practice good operational security.

Fruit Cup Boy


Thursday, October 20, 2011

Compliance vs Security

Almost as exciting as a few other epic throwdowns, I am lecturing tonight for the University of Washington's infosec certificate program. A few quick highlights from my lecture notes, which are based on the Source talk I gave this summer.

Compliance-driven security forces you to make certain bets on the big enterprise roulette table - but I only have so many chips to play, so I prefer not to be constrained in my choices.

As a consultant I saw primarily two kinds of organizations:
1. Those practicing good risk management who wanted to get better, and
2. Those forced to be more secure because of compliance or a breach.

Why are there such restrictive compliance regimens? Without repeatable, evidence-based, agreed-upon risk methodologies, you cannot rely on third parties to make security decisions with your data that are aligned with your interests instead of theirs.

Compliance is a multi-dimensional object... and a lot more than three. You've got width: the general rules of the standard plus a few specific new ones based on how the organization interprets it. This is the easiest dimension. Depth: most compliance acceptance is based on auditor opinion, which is driven by the individual's experience. Plus, if the standard is somewhat worthwhile, it includes the appropriateness (relevance) of the risk model to your problem. Then there are several dimensions of scope: time (past events, present controls, future possible events) and then the usual dimensions of physical, virtual, software, network... what constitutes a barrier in those domains. And of course, all of this is moving.

Security is also multi-dimensional but it has slightly different dimensions and moves differently than compliance.

Best practices? In other words, "This worked in our organization once upon a time, so it should work for you too."

Where I live is the intersection of:
1. What the auditors demand we do,
2. What we need to do to keep from getting breached, and 
3. What we can afford to do.
And I'm not going to get all of all three.

Stupid compliance failures:
- Why is the absence of a particular control a risk? A high risk?
- How can I be 100% compliant with an open standard? With a product lifecycle of 12-18 months?
- Hey, that's a feature, not a high-risk vulnerability - it all depends on your context
- Impact does not equal risk. You forgot probability. Dumbass.