Tuesday, April 16, 2013

SPC 2013 - Firewall

One of the tools in the infosec arsenal is the firewall.  Like any other tool, it can be used well or used poorly.  When it is implemented incorrectly, it is an impediment for the good guys.  When it is implemented correctly, it acts as a trusted sentinel for the good guys.

Here, I sing a song of praise for the well-designed and utilized firewall.



Firewall

Each packet tells a story,
A single thread in the vast woven tapestry
Of ports and protocols and payloads.

Each handshake, each broadcast, each multicast shout
Race by my eyes and ears.

I stand alone as judge and executioner,
Making no decision without guidance from my Maker,
But once I'm told right from wrong,
You cannot pass if I deny,
You only pass if I allow.

I've gotten smarter after years of tricks and feints,
Endless shadowboxing, jabbing probes and roundhouse floods,
But I don't tire any more quickly
Than the caffeine-fueled demons that drive the engines
Of DoS and phish and drive-by blasts.

I stand and watch them fall.
I guard and shepherd the bits of this world
That hope only to speak freely with their partners
On the other side of the wall.

SPC 2013 - Shoulder Surf Sonnet

It's that time of year again.  It's time for another EDUCAUSE Security Professionals Conference.  We begin with a poem composed while in flight from home to St. Louis, the arch of my plane ride matching that of the great St. Louis Gateway.

I think I succeeded in writing this in iambic octameter.



Shoulder Surf Sonnet

I shoulder surfed to watch you type
Your passwords, logins to web sites.
You did not hide secrets from me,
And all you are is what I'll be.

But I don't like just what you are,
The boring texts, pics from the bar.
I think instead I'll change your fate.
You can't deny; it is too late.

Your Facebook's now a shrine to cats.
Your Twitter tweets only 'bout bats.
Your Tumblr posts are all just spam.
Your email's linked to naughty cams.

Next time you type, you must take care
And watch for snooping meanies there.

Wednesday, April 10, 2013

Come At Me, Bro


Bro (the network monitor since renamed Zeek) is a popular network analysis and monitoring platform among many higher education Security Offices.  Those who use it think very highly of it.  I dedicate this two minute play to them.



"Come At Me, Bro"

STAGE CENTER, BRO (MID-30S IT SECURITY PROFESSIONAL, BUSINESS CASUAL DRESS) SITTING AT A SIMPLE DESK WITH A LAPTOP HOOKED UP TO A MONITOR ON TOP.  BRO IS SEATED IN PROFILE, SO WE'RE LOOKING AT THE SIDE OF THE DESK AND BRO IS FACING STAGE LEFT.  SINGLE SPOTLIGHT SHINES FROM BACK OF THE HOUSE ON BRO AND DESK.

BRO (typing on laptop):

I see you.  (TYPING)  And I see you.  (MORE TYPING)  And you.  And you too.  I see what you are trying to do.

You there, the TCP packet with no state flags set.
You there, the spammer, sending with no regret.
From China from Russia from IPs in Bombay,
From Jersey, Seattle, San Francisco Way.
Your traffic flies by me, each bit hits my eye.
The gusts hit me hard, and I try not to cry.

BRO STANDS, CIRCLES THE DESK AND POINTS AT THE SCREEN

But I swallow my tears, my upper lip stiff.
I log it all down, then I start with a diff.
Then I pull out a regex and load my DB,
And the patterns that form are something to see.

BRO GETS PROGRESSIVELY LOUDER AND MANIC, YELLING AT THE SCREEN NOW

You think you can hide as you pop out of TOR?
You think you can 'sploit some hidden backdoor?
You think I won't notice when your DoSes ignite?
You think I will cower and run from this fight?

BRO GRABS THE MONITOR, YANKS IT FROM THE DESK, THE LAPTOP SCATTERS, HE'S NOW SCREAMING INTO THE FACE OF THE MONITOR AND SHAKING IT.

My name is Bro, and I'm on to you!
And I will be watching, whatever you do!
Go ahead, bring it.  I dare you to say,
"Come at me, Bro!" Oh, yeah.  Let's play!
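Bro's opening line about "the TCP packet with no state flags set" is the classic null-scan signature. As an added example (not from the original post and not Bro's own code), here is a small Python parser that reads the flag byte out of a raw TCP header and classifies the flag combinations a network monitor watches for. The packets are constructed inline for the demonstration; nothing here touches a wire.

```python
import struct

# TCP flag bits (RFC 793); they live in the low byte of the 16-bit
# data-offset/flags field at bytes 12-13 of the TCP header.
FLAG_FIN = 0x01
FLAG_SYN = 0x02
FLAG_RST = 0x04
FLAG_PSH = 0x08
FLAG_ACK = 0x10
FLAG_URG = 0x20


def tcp_flags(segment: bytes) -> int:
    """Return the six classic flag bits of a raw TCP segment.

    The segment is assumed to start at the TCP header (IP header already
    stripped); CWR/ECE/NS are masked off so they don't disturb the match.
    """
    if len(segment) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    offset_and_flags = struct.unpack("!H", segment[12:14])[0]
    return offset_and_flags & 0x3F


def classify(flags: int) -> str:
    """Name the flag combination the way a scan signature would."""
    if flags == 0:
        return "NULL scan"                      # nmap -sN: nothing set at all
    if flags == FLAG_FIN | FLAG_PSH | FLAG_URG:
        return "XMAS scan"                      # nmap -sX: FIN, PSH, URG lit up
    if flags == FLAG_FIN:
        return "FIN scan"                       # nmap -sF
    if flags & FLAG_SYN and flags & FLAG_FIN:
        return "invalid SYN+FIN"                # never legitimate in one segment
    if flags == FLAG_SYN:
        return "SYN (connection attempt)"
    return "normal"


def build_segment(sport: int, dport: int, flags: int) -> bytes:
    """Build a minimal 20-byte TCP header for constructed test traffic.

    Sequence numbers, window and checksum are dummies; this is only
    enough to exercise the flag parser, not to put on a wire.
    """
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


# Constructed sample traffic: one null scan, one XMAS scan, one ordinary
# SYN and one mid-connection ACK+PSH segment.
SAMPLE_SEGMENTS = [
    build_segment(40000, 22, 0),
    build_segment(40001, 80, FLAG_FIN | FLAG_PSH | FLAG_URG),
    build_segment(40002, 443, FLAG_SYN),
    build_segment(40003, 443, FLAG_ACK | FLAG_PSH),
]

BENIGN = {"normal", "SYN (connection attempt)"}


def suspicious_segments(segments):
    """Return (sport, dport, verdict) for every segment that looks like a scan."""
    findings = []
    for seg in segments:
        verdict = classify(tcp_flags(seg))
        if verdict not in BENIGN:
            sport, dport = struct.unpack("!HH", seg[:4])
            findings.append((sport, dport, verdict))
    return findings


if __name__ == "__main__":
    for sport, dport, verdict in suspicious_segments(SAMPLE_SEGMENTS):
        print(f"{sport} -> {dport}: {verdict}")
```

In real use the segments would come from a capture rather than from `build_segment`, and a single flagless packet is a hint, not a verdict: a scan detector counts them per source address over a time window before raising an alert, which is the "patterns that form" the play goes on to describe.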

Friday, February 1, 2013

Mobile Device Haiku

I don't think I posted these before. I created them for a haiku contest that EDUCAUSE sponsored a while back.

Mobile Device Haiku

Any time or place,
The world at our fingertips.
Data on the wind.

Message sent through air,
Dodging wind and rain and snow.
"Remember the milk."

"Secure mobile phone".
Truly an oxymoron
Like "gentle winter".

Tuesday, December 11, 2012

The Twelve Days of Infosec

As was pointed out to me, these numbers do not represent real-life events. No one should assume these are accurate metrics over a twelve-day period for the average information security office. Now, if you add a few orders of magnitude...

The Twelve Days of Infosec

On the Twelfth Day of Infosec, the network gave to me...
Twelve hackers hacking,
Eleven spammers spamming,
Ten form injections,
Nine busted authNs,
Eight bad configures,
Seven crap encryptions,
Six plaintext cookies,
Five Pastebin posts!
Four calling cons,
Three Wikileaks,
Two credit cards,
And a forced password change for us all.

Happy Holidays from the Songs of Infosec!

Tuesday, November 6, 2012

One (More Hacked User)

As a kid, I loved the dark, scary feel of Metallica's video for their excellent song, "One".

http://www.youtube.com/watch?v=WM8bTdBs-cw

Some days, in the world of Infosec, things seem that scary.


One (More Hacked User)

I can't remember my accounts.
They seem to come in large amounts.
Deep down inside, terror mounts.
My Facebook account's gone now.

With all of the hackers through with me,
I'm freaking out, this cannot be!
Just ain't nothin' left, you see.
My data is all but gone now.

Hold me up as I try backups.
Oh, please help, IT!

Banking accounts are there to steal.
They grab all the stuff then make a deal.
Trade your ID for a cheap meal,
And the bank can't figure why.

Spam is flowing from my email:
Tourists in London needing bail,
Stock market hints, amazing kale.
All with a link to malware.

Hold me up as I try backups.
Oh, please help, IT!

Now my phone has gone dead, I mourn.
Oh, please help me!
Hold me up as I try backups.
Oh, please help, IT!

Hackers!
Impersonating
What I can be!
Absolute horror!
I cannot surf,
I cannot stream,
Trapped without hope,
Living with life off-line!

Malware!
Has taken my Mac!
Taken my phone!
Taken my Windows!
Taken my PIN!
Taken my cash!
Taken my soul!
Left me with ID fraauuuudd!

Thursday, October 25, 2012

M3AAWG - 7726

Did you know you can report mobile text message (SMS) spam to your cell phone provider?

You can!

Forward the offending message to 7726 from your phone.  (7726 spells SPAM on a standard phone keypad, which is how the short code was chosen.)


7726

Your mobile phone chimes.
Quick wind knocks screaming branches.
A new text arrives.

Interest falters,
Sun slips behind horizon.
It's a spam message!

Feel empowerment:
Use 7726!
Spite the spamming night.

Wednesday, October 24, 2012

M3AAWG - V6

The Internet is taking its time moving to IPv6 networking. The lack of speed is understandable, considering the plethora of issues that come along with a giant network migration.

V6

I've heard all these stories 'bout IPv6.
From what I can tell, we're in a great fix.
Imagine some puzzles, a maze in the mix.
That starts to describe the IPv6.

It gives more addresses than stars in the sky.
It counts them with hexes; makes net tools all die.
If you want to keep going, you'd better be spry.
Don't let this big change-up cause you to cry.

Get used to notation like /44.
You're tracking addresses? Your caches will soar.
Despite all the admins that think it's a bore,
You've got to adopt it, of that you be sure.

Lest one day you'll find someone can't reach your site.
You'll do troubleshooting late into the night,
And you'll find a solution: v6 is it, right?
Your powers that be will have a great fright!

M3AAWG - ESP

I'm attending the M3AAWG General Meeting this week. I've gotten to meet all sorts of interesting people from across the Internet, all with the common goal to make the Internet a safer place for everyone.

One group of people I newly met are employees of ESPs, Email Service Providers. I kinda knew these sorts of businesses existed, but this is the first time I'm hearing the term, since Higher Ed has traditionally run its own email services. (This is shifting quickly, though, with the promise of The Cloud(tm).)

It turns out, ESPs have the same problems as Higher Ed email and abuse admins.


ESP

I have
Something to say and
Something to send you.
I really do.

I am
One of your partners.
I want to do business,
But there's a big mess.

You have
Blocked all my email,
Hung up on my phone calls:
Discussion all stalls.

And you
Send something through us.
Attachments seem fishy.
Oh, you just spammed me?

And no,
It wasn't just to us.
You spammed half of Europe.
In spam traps we're chomped up.

Oh, no!
You included virii,
And ain't that a real shame
We're taking all the blame.

It seems
That email is chaos,
Our goose has been boiled,
Our business is foiled!

Tuesday, September 11, 2012

Guest Post - A Few of My Favorite Things

[I am hardly the only voice singing into the maelstrom. Today, I hand the mic over to a fellow infosec pro and all-around witmaster, Brad Judy. -Dan]

A Few of My Favorite Things

Like Dan, I'm an information security pro in higher education. I am currently the Director of Information Security for the Administrative Division of the University of Colorado (for professional info, see http://www.linkedin.com/pub/brad-judy/1/470/7b3). I'm a husband, father, traveler, photographer, wood turner and general geek. I like to sing to my one-year-old daughter on our walks and have recently been singing her items from The Sound of Music. With thanks to Dan for help on the meter, and apologies to Rodgers, Hammerstein and Julie Andrews, I give you the infosec version of "My Favorite Things".


Full disk encryption and good virus scanners,
IDS updates and disaster planners,
Coding securely: the joy that it brings!
These are a few of my favorite things.

DLP networks and good central logging,
Firewall blocking and infosec blogging,
Checking the uptime with regular pings:
These are a few of my favorite things.

Two factor tokens and HIPAA compliance,
Incident handling and forensic science,
Regex that matches to sensitive strings:
These are a few of my favorite things!

When the bots come!
When the disk's lost!
When the feds have phoned!
I simply remember my favorite things,
And then I don't feel so owned!