Do you really need an explanation?  OK, I’ll give you one hint on the meme.

• Beware the Audit Hammer
• LOLCATS: Defending our Cyber-Turf
• The InfoSec D-List and IKANHAZFIZMA
• A Stable InfoSec Program?
• Exhaustive Security Testing is Bad For You

Go have a look at what Mike Murray and Lee Kushner have to say on what I endearingly refer to as “Stupid Contractor Tricks”.

Now I know Mike and Lee are supposed to be tactful, and they do a really good job at that.  This post is not about tact.  =)

You need to step back a bit and understand the business model for contractors.  Because their margins are low and fixed, it means a couple of things:

• You have large-volume contracts where you still have the same margin but more total net profit.
• You can’t keep a bench of people off-project because it rapidly eats into your margin.  For some companies, this means that anybody off-project for 2 weeks or more gets laid off.
• The name of the game is to win the proposal, get the work, then figure out how to staff it from rolling people onto the new project and bringing in new hires.  This is vastly inefficient.
• New hires can also be to backfill on contracts where you’ve moved key people off to work something new.

So on to my advice in this particular scenario that Mike and Lee discuss:  Run away as fast as you can from this offer.

There are a couple of other things that I’m thinking about here:

• A recruiter or HR person from Company A left for Company B and took their Rolodex of candidates.  Hence the surprise offer.  Either that, or Company A is now a sub for Company B or Company A is just the “staffing firm” getting paid $500/signed offer letter and doing business in bulk.
• The Government usually requires “Commitment Letters” from the people that have resumes submitted on a proposal.  The reason for this is that the Government realizes what kind of jackassery goes on involving staffing, and requiring a signed letter gives the candidate an opportunity to decide up front.
• If you sign an offer like this, you’re letting down the rest of the InfoSec community that are contractors by letting the recruiters commoditize what we do.  It’s bad for us and it’s bad for the Government.

Other stupid contractor tricks:

• Signing an exclusivity letter that they are the only people who can submit your resume on a contract.
• Making you sign an offer letter then letting the offer linger for 6+ months while you’re unemployed and could really use the ability to move on to a different job.
• Shopping resumes for people you have never met and/or do not intend to make an offer letter to.
• Changing the job completely after you have accepted the offer.
• …and you probably have more that you can put into the comments section below.  =)

• The CyberArmy You Have…
• When the News Breaks, We Fix it…
• NIST’S FISMA Pase II–Who Certifies Those who Certify the Certifiers?
• Engagement Economics and Security Assessments
• Analyzing Fortify’s Plan to “Fix” the Government’s Security Problem

This is something I’ve been working on in my spare brain cycles:  building a process for barcode hacking.

Limitations with barcode hacking:

• Feedback: is hard to get and depends on the scanner and the scanner app.  In other words, you really need access to a working setup to test any kind of techniques.  This isn’t web-based SQLi where you can compare the output against other results, you have to look “inside the guts” to see if a change happened.
• Reflections and Noise: Laser-based scanners have problems with reflection on phone screens.  This *almost* limits you to printed barcodes and reduces some of the interactivity.
• UPC: This symbology sucks for barcode hacking because you’re limited to 12 digits, no letters are supported.

Kernels of nummieness:

• Most modern barcodes are attached via USB and are recognized as a keyboard.
• Read the previous sentence again.  =)  You know what to do here.
• The USPS uses DataMatrix barcodes for postage.  These include command characters that “freak out” anything I read them on.  This has much potential, now if I can figure out how to harness this for the powers of mischief.
• I have a Symbol 2D barcode reader, you can buy them on eBay for ~$120.

The process should run something like this:

• Configuration injection: given the make and model of the scanner, turn on all available symbologies to increase the reader attack surfaces. These command sets are available from the manufacturer and there is a wealth of untapped firmware vulns in them.
• Discovery test: to determine which symbologies are supported by the barcode scanner.  The goal is to get something that supports the full ASCII set.  Code 128 (1D), PDF-417, QR, Aztec, and DataMatrix are your friends here.  For discovery, you can use “all 1’s” or something along those lines.
• Command injection: attempt to pass OS commands to the reader application and download and install a payload onto the OS via browser, ftp, etc or to gain a shell on the box.
• Application escape: Attempt to escape out of the application and into the OS.  Then it’s just a simple matter of regular exploits *or* if you’re lucky, you’re already admin.  At least try a ctrl-alt-del and see what happens.
• SQL injection: this you know, string concatenation that’s passed to the database.  The problem is that depending on the system, you might not get feedback so blind SQLi is harder.  “‘ or 1=1;–” probably won’t work because there isn’t really a login or when you’re scanning barcodes you’re already past that point.  I think the goal here should be command execution: add users, exec OS commands, and turn on additional services.
• Malformed barcode: as a last resort, try fuzzing with non-standards-compliant barcodes to get either the scanner or the application to barf.

BTW, all the kids with their barcodes that say “‘ or 1=1;–” crack me up because they’re being barcode skiddies and don’t understand how barcodes are really used.  =)

SQL Injection Bogus Example by ME!  Only you can stop the stupidity.

• Barcode Hacking
• QR Code Temporary Tattoos Howto
• Analyzing Fortify’s Plan to “Fix” the Government’s Security Problem
• Because Life Isn’t Random Enough
• A Little Story About a Tool Named #RefRef

Andrew Hay, aside from being an all-around handsome guy, talked on Tuesday at B-Sides San Francisco about his life on the Information Security D-List.  Bill Brenner picked it up for CSO-Online and now it’s preserved for posterity.  Andrew’s been interviewing D-Listers and blogging the interviews.  They’re awesome inspiration if you’re one of the unsung heroes who go to work, grapple with the compliance hydra or the security operations tarpit all day, and go home to some conference videos so you can learn new skills and move on to the next project.  Yeah, I’m a D-Lister just like you folks, and I have tons of love and respect for all of you.

• LOLCATS: Defending our Cyber-Turf
• Lolcats take on Laws, Sausage, Cyberwhatzits, and PCI
• A Stable InfoSec Program?
• Shmoocon: Less Moose, More LOLCATS
• IKANHAZFIZMA and Transparency

First, it was thundersnow.  Then a couple of weeks later, we have snowmageddon V2.0 and 3.0 right in the middle of ShmooCon.  Now maybe on Monday we’ll get even more.  How could IKANHAZFIZMA refuse this as a lolcat topic?

• IKANHAZFIZMA and Transparency
• Cyber-FEMA LOLCATS Prepare for Cyber-Katrina
• Happy New Year
• Exhaustive Security Testing is Bad For You
• LOLCATS: Defending our Cyber-Turf

Part 1

Part 2

Takeaways from the 20 CSC and what they do right (hey, it’s not all bad):

You have to prioritize. On a system basis, there are maybe 50-60 800-53 controls (out of a number just shy of 200) that need to be built 100% correctly and working every single time.  The rest (I know, I’m putting on my heretic hat here) can lapse from time to time.  For example, if I don’t have good event monitoring, my incident response team doesn’t have much work because I don’t know if I’m pwned or not.  What 20 CSC does is try to reduce that set of stuff that I should be concerned about into a set of controls that are technical, tactical, and track to classes taught by SANS vulnerability-based .

Common controls are more important than ever. They help you scope the smaller systems.  In fact, roughly half of the 20 CSC apply to the modern Enterprise and should be absorbed there, meaning that for systems not owning infrastructure, we only have 10 or so controls that I have to worry a bunch about, and 10 that I just need to be aware of what’s provided by my CISO.

Give examples. I’ll even go as far as to say this:  it should be a capital offense to release a catalog of controls without a reference implementation for both an Enterprise/GSS and a smaller IT system/Major Application inside of it.  20 CSC stops maybe one step short of that, but it’s pretty close in some controls to what I want if they were structured differently.

Security Management v/s IT Management. IT asset inventory, configuration management, change control:  these are IT management activities that somehow get pushed onto the security team because we are more serious about them than the people who should care.  I think 20 CSC does an OK job of just picking out the pieces that apply to security people instead of the “full meal deal” that ITIL and its ilk bring.

Control Key photo by .faramarz.

Now for what they did wrong:

It’s Still Not a Consensus, Dammit! That is, it’s a couple of smart people making a standard in a vacuum and detached from the folks who will have to live by the work that they do.  Seriously, ask around inside the agencies:  who admits to helping develop 20 CSC aside from “yeah, we looked at it briefly”?  And I’m not talking about the list that SANS claims, that’s stripped from the bios of the handful of people who did work on 20 CSC.  Sadly, this is the quick path to fail, it’s like building an IT system without asking the users what they need to get their job done on a daily basis.  Guys, we should know better than this.

It’s Still Not a Standard. It’s still written as guidance–more anecdote than hard requirements.  This isn’t something I can put into a contract and have my contractors execute without modifying it heavily.  It’s also not official, something I’ve already touched on before, which means that it’s not mandatory.  If you want to make this a standard, you need to turn it into ~50 controls each written as a “contracting shall”.  More to come on this in the future.

It Has Horrible Metrics. And I’m talking really horrible…it’s like the goatse of security metrics (NSFW link, even though it’s wikipedia).  Why?  Because they’re time-based for controls that are not time-based.  Metrics need to be a way to evaluate that the control works, not the indirect effects of the control.  Of course, metrics are just a number, but at the end of whatever assessment, my auditor/IG/GAO/$foo has to come up with some way to rank the work that I’ve done as a security officer.  If 20 CSC is the vehicle for the audit and the metrics are hosed, it doesn’t matter what I can do to provide real security, the perception from my management is that I don’t know what I’m doing.

• 20 Critical Security Controls: Control-by-Control
• Opportunity Costs and the 20 Critical Security Controls
• The Guerilla CISO Rants: Don’t Write a System Security Plan
• Federated Vulnerability Management
• How to Not Let FISMA Become a Paperwork Exercise