June 6, 2008
So, just got back from our vacation and while I noticed many occasions where security was definitely not priority one, the most egregious was in pretty much every place we stayed. Most of the places we stayed have a policy where you return your room key to the front desk whenever you leave the hotel.
The epic fail comes in when we would return to the hotel from gallivanting about in exotic locations.
You walk up to the desk and say your room number and the helpful individual there hands you your key and off you go. No identity verification of any kind. Oops.
Now, if it is a small hotel with limited staff, the argument can be made that they recognize you and no further controls need to exist. Not really buying it, but there it is. The real problem I noticed is in the last hotel we stayed. Pretty much every day there was someone new behind the counter and over the course of four days I was asked for my name exactly once! To give credit to that individual, she even checked the register to ensure that I was the one staying in the room I asked for.
Second problem, the keys were located in plain view. This means it was easy to see which rooms were empty, i.e. key present, and which weren’t, i.e. key gone.
So what’s my point? I have an observation and a question.
1) Don’t leave stuff you want to keep in your hotel room, even if the hotel says it is safe, unless you can secure it somehow.
2) When you see things like this do you/should you bring it to the attention of those responsible?
-Kevin
Posted by Kevin Riggins
June 2, 2008
Howdy folks.
I am back from vacation. Unfortunately, that means there are quite a few items in the old inbox to be read, RSS feeds to catch up on, messenger pigeons to respond to, etc…
I plan to start back up with Interesting Information Security Bits posts tomorrow or Wednesday at the latest; however, I will not be posting a backlog from my time away.
Have a great day.
Kevin
Posted by Kevin Riggins
April 29, 2008
A few weeks ago I wrote about participating in Cyber Defense Competitions as a Red Team member. This weekend I had the opportunity to do so again. This time with a bunch of High School students.
This weekend was the annual IT Olympics event that is put on by Iowa State. The event is an opportunity for the High School students who participate in the IT-Adventures program to get together and compete. There are three competitions:
- Robotics
- Game Design
- Cyber Defense Competition
While the robotics and game design competitions were very interesting, I was there for the CDC. The Red Team didn’t actually get to start attacking until Saturday morning, so I volunteered to show up on Friday and help the students with anything they might need during the setup period. These kids are amazing.
Twenty-fourish teams showed up and we had about 20 Red Team members. In my previous post I mentioned three ways in which you can provide value to the students when participating in this type of event:
- Keep good notes
- Write down remedies
- Attend the debrief
I am happy to say that we accomplished all three goals. Probably the best decision made was to set up a wiki with pages for each team where we could all keep notes as the contest progressed. These notes then became the outline for our talks with the teams in the debrief.
If you have never had the opportunity to work with kids that are interested in IT, I highly recommend you find a way to do so. It is truly a rewarding experience.
Kevin
Posted by Kevin Riggins