Cuttlefish

I know, I know. The security and squid blog is located elsewhere. Sorry, but I just have to write about this article.

A short time ago, Chuan-Chin Chiao, Kenneth Wickiser, Justine J. Allen, Brock Genter and Roger T. Hanlon published the article Hyperspectral imaging of cuttlefish camouflage indicates good color match in the eyes of fish predators. (How can you resist an article with such a fascinating title?) For those that don’t thrill to reading academic articles about the eyes of coleoid cephalopods (you weirdos), there is a more accessible press release here.

Why am I fascinated about this? Well, cuttlefish have the ability to change their patterning to blend into the background. We’re familiar with how chameleons do this, but cuttlefish are a lot better at it. Not only are they better at it, but they’re also colorblind! (Like me.) That’s right, these critters are capable of changing their own coloration when they can’t even see it.  How do they do it?  Well, sorry to keep you in suspense, but we still don’t know.  There is some suspicion that it involves opsin transcripts, and evidence that body position may have something to do with it, but those theories are insufficient for a complete explanation.  What’s interesting is the approach of the paper.

Science, as you know, is all about measurement.  There’s little room for guesswork and lots of opportunity to be wrong.  So if you’re going to measure camouflage, you’d better have a darn good way of doing it.  What these guys did was to take hyperspectral images with a HyperScan VNIR system.  Effectively, it measured the different amounts of 540 different colors to determine how well the cuttlefish blended into their background.  They looked at their targets as if they were a super predator, with capabilities far beyond that of the predators we know… and the cuttlefish’s technique was still effective.

So what does this mean for us?  Well, for me it means that I lost out, as I am colorblind but am not able to perceive the polarization of light like cuttlefish can (lucky critters).  However, for the rest of us as a group, it means this:

These creatures developed this ability over millions of years through a complex process of trying different ways to hide and, when they failed, being eaten.  From a business perspective, there is some value in failing fast… but little advantage in being eaten.  If you want to develop strong protections, you need to find a predator that lets you know when your defense is working and when it’s not, without eating you.  Ideally, this would be a super-predator that is better than most of the predators out there.

We call these people penetration testers.  Armed not with a HyperScan VNIR, but with tools like network mappers, vulnerability scanners and exploit frameworks, these people can assess your business and let you know if they could break through your defenses and how.  You can then protect yourself better by making appropriate changes.  Sadly, the industry is still young, and it’s hard to identify the super predators from the others. There is a project to help with this, but for now, here’s a quick evaluation process.  When you call a company (like mine) and ask for an evaluation, ask this handful of questions:

  1. How much will a penetration test cost?
  2. How much will a vulnerability assessment cost?
    • Rule of thumb: Due to the time involved, penetration tests cost at least ten times what vulnerability assessments do.  If they don’t, find another company.
  3. What is the difference between a penetration test and a vulnerability assessment?
    • Rule of thumb: If they only say “A penetration test tries to break in, a vulnerability assessment does not”, find another company.
  4. What is your assessment methodology?
    • Here, you should be looking for a standard and repeatable process.  You don’t need to dig into the weeds, but you do want to weed out companies that come across as “We just try stuff at random”.
  5. What problems have your tests caused in the past?
    • Here’s a secret of the industry.  Anyone worth their salt has broken something.  If you don’t sometimes break stuff, you’re not trying hard enough.  Companies that try to gloss over this and say “Oh, our tests are safe” are not super-predators.

Get the right help or get eaten.

It’s that simple.

Don’t Poke the Bear

Grizzly Bear (Ursus arctos horribilis)

The world is abuzz today with the news of Gawker’s passwords being leaked. Rest assured, this will not be yet another “the sky is falling” post or yet another hasty analysis of what happened. If you want a good overview, please read Daniel Kennedy’s excellent post over on Forbes.com. If you want to know what it means to the security community, todb’s Metasploit post is good.

No, instead, the only specifics you need to know about this attack are that it hit Gawker, and Gawker owns sites like Lifehacker, Gizmodo and io9; if you had an account there, you should change your password (details here). If you used that password in other places, you should change it there too. It looks as though Gawker was using poor security on their servers and in the way that they stored passwords. That’s all I’m going to say about the tech. Instead, I’m going to talk about hiking.

I like hiking. You get to be outside, you get to see beautiful scenery and enjoy the air. You get to interact with all sorts of wildlife. On my hikes, I’ve seen butterflies, frogs, rabbits, birds and even things like raccoons. I’ve known people who get far more into hiking than I do, and they report seeing even neater animals like rattlesnakes, wolves, cougars and bears.

Now, when one goes out hiking, one takes on a certain amount of risk. Usually, the risk is much lower than the risk one takes driving to the hiking trail, but I’m not going to get into safety statistics either. The point is that good hikers know to take certain precautions. For example, I’ve been hiking in rattlesnake country. There are lots of ways to deal with rattlesnakes. Here are some examples:

1) Hike where they don’t live.
2) Wear tough boots.
3) Make noise as you walk.
4) Bring a first aid kit with you in case you get bit.
5) Bring anti-venom with you in case you get bit.
6) Wear a full suit of armor.
7) Deploy a fully-automated hunter-killer drone ahead of you.

See, the fundamental problem here isn’t that rattlesnakes have mouths full of nasty venom that can clot your blood, destroy your limbs or kill your brain. The problem isn’t even that they bite you in less than half a second. The problem is that most rattlesnakes don’t want to bite people, but sometimes people push them into it. After all, they have to wake up, do their little rattly thing, bite you, use up all their venom and then get away before you fall on them. It’s a royal hassle. Really, most rattlesnakes just want to go about their day, lounge in the sun, eat a rat or two and sometimes get busy making brand new baby rattlers.

This is true with most of nature’s threats. Leave them alone, and they’ll leave you alone. Even the ones that are bigger, faster and meaner than rattlesnakes. Cougars would rather eat a deer than a person. Wolves want to run around together. Bears mostly just want to sleep. (Sleeping is awesome!)

So what’s the point here?  The thing is, with hiking you can choose your location, however, when you’re on the Internet you cannot. On the Internet there’s just the one hiking “location”. You can look at different things on your hike, but it’s always in the same place… and in that place live all sorts of poisonous snakes, wolves and bears (and even nastier things). You can’t not hike there… and it’s crazy to go everywhere fully armed. It’s no fun to go hiking fully armored, and too expensive to get a ton of drones, much less adding armaments.

No, whether you’re hiking or using the Internet, there are two simple rules:

1) Take basic precautions.
2) Don’t be stupid.

For example, in the hiking world, you wear good boots and carry a walking stick. In the Internet world, you run a modern antimalware system and harden your servers. In the hiking world, you avoid walking on cliffs, don’t stick your hands into dark crevices and don’t poke any sleeping bears you may see. On the Internet, you avoid the nastier sites, keep your systems patched and don’t tick off people with more time and inclination to harm you than you have to defend against it.

Gawker found a sleeping bear. They poked it with a stick. They got mauled. End of story.

Lesson one of Internet security? Don’t poke the bear.

Security Lessons from Nature – Autotomy

Autotomy is the fancy name that people give to the well-known tendency for certain lizards to throw off their tails to escape predators. The theory is that the tail will thrash around and distract the predator, thereby giving the lizard a chance to get away. It must be noted that other critters like octopuses, crabs and some starfish also do this, as do sea cucumbers. (Though the sea cucumbers eject their internal organs instead.)

So what does this mean in the business/IT world? Well, the obvious analogy is to distract an incoming attacker by abandoning your resources and letting them go nuts while you relocate your business to Sri Lanka. However, some might consider this approach somewhat impractical.

However, if we stretch the analogy to the point of breaking (much like a lizard’s tail), perhaps it makes sense to build a business strategy around distracting attackers. There are some technologies that could assist with this. A honeypot is often used to trap attacks so that people can learn from them. This has become even easier now that virtualization has become prevalent. All you have to do is join one of many projects and you’ll have a nice fake network to distract attackers.

Another technique is tarpitting. This technology looks at incoming connections, and if they are not approved, it doesn’t reject them right away, but instead extends the time before the connection is closed. Thus, attackers are delayed and, in theory, you gain the time to build a defense.
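To make the tarpit idea concrete, here is a small example added for this post (it is not code from the original article or from any particular tarpit product). It assumes a constructed allowlist of "approved" networks given as CIDR strings and a constructed SMTP-style greeting; approved clients get the greeting at once, everyone else receives it one byte at a time, so the connection stays open far longer than a normal close would take. The `probe` client shows the other half of the story: only a client with an overall deadline ever gives up, because a byte keeps arriving just before any per-read timeout fires.

```python
import ipaddress
import socket
import threading
import time

# Constructed values for this example: a short SMTP-style greeting and an
# allowlist of networks whose clients are answered immediately.
BANNER = b"220 tarpit.example ready\r\n"
APPROVED_CIDRS = ["10.0.0.0/8"]


def is_approved(client_ip, cidrs=APPROVED_CIDRS):
    """True if client_ip falls inside any approved network (CIDR strings)."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def trickle(conn, payload, step_s):
    """Deliver payload one byte at a time with step_s seconds between bytes.

    The connection stays open and looks alive, so a client waiting for a
    complete line keeps waiting. Returns the number of bytes delivered
    before the peer went away.
    """
    sent = 0
    for i in range(len(payload)):
        try:
            conn.sendall(payload[i:i + 1])
        except OSError:
            break  # peer closed on us; stop wasting our own time
        sent += 1
        time.sleep(step_s)
    return sent


def handle(conn, addr, cidrs, step_s):
    """Per-connection policy: approved peers get the banner at once, others are tarpitted."""
    client_ip = addr[0]
    try:
        if is_approved(client_ip, cidrs):
            conn.sendall(BANNER)
            return {"peer": client_ip, "tarpitted": False, "bytes": len(BANNER)}
        return {"peer": client_ip, "tarpitted": True,
                "bytes": trickle(conn, BANNER, step_s)}
    finally:
        conn.close()


def serve(cidrs=APPROVED_CIDRS, step_s=1.0, host="127.0.0.1", port=0):
    """Start the tarpit listener in a daemon thread; returns (socket, bound port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)

    def accept_loop():
        while True:
            try:
                conn, addr = srv.accept()
            except OSError:
                return  # listener was closed
            threading.Thread(target=handle, args=(conn, addr, cidrs, step_s),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def probe(port, give_up_after_s):
    """Client with an overall deadline: read until a full line or the deadline.

    Returns (bytes received, seconds spent). A client with only a per-read
    timeout would never give up here, since a byte keeps arriving in time.
    """
    t0 = time.monotonic()
    buf = b""
    with socket.create_connection(("127.0.0.1", port), timeout=give_up_after_s) as c:
        while b"\n" not in buf and time.monotonic() - t0 < give_up_after_s:
            try:
                chunk = c.recv(64)
            except socket.timeout:
                break
            if not chunk:
                break
            buf += chunk
    return buf, round(time.monotonic() - t0, 3)


if __name__ == "__main__":
    # Demo with nothing approved, so our own loopback connection is tarpitted.
    listener, p = serve(cidrs=[], step_s=0.1)
    data, spent = probe(p, give_up_after_s=1.0)
    print(f"impatient client got {len(data)} bytes in {spent}s")
    data, spent = probe(p, give_up_after_s=10.0)
    print(f"patient client got {len(data)} bytes in {spent}s")
    listener.close()
```

Run it as a script to see both behaviours against the loopback address. The per-connection thread is the weak point of this toy design: a real tarpit (kernel-level TARPIT targets, or LaBrea-style tools) holds thousands of connections with almost no state per connection, which is exactly what lets it outlast the attacker instead of exhausting itself first.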

In practice, of course, you need to actually be watching for the attack and take defensive action. This technique wouldn’t work very well if the lizard dropped its tail and then stared dumbly as the dog wrestled the tail into submission, ate it, digested it, napped for a bit, woke up, got a bit hungry and then saw a nearby tasty tailless lizard. So, if you decide to go after this option, you have to remember to “run and hide”. In other words, keep an eye out for the attacks and be ready to block them.

Security Lessons from Nature –

The Blue Glaucus, also known as the sea swallow, blue sea slug and blue ocean slug (’cause one name just isn’t cool enough for this sucker) is, as Wikipedia says, a pelagic aeolid nudibranch, a marine opisthobranch gastropod mollusk in the family Glaucidae. Which is a fancy sciency way to say it’s a slug that lives in the ocean. (If you like to geek out on sciency stuff (like me), read this, and this and this.)

What makes this little critter particularly interesting is that it eats Portuguese Man o’ Wars (should that be “Men o’ War”?). Not only is it immune to the venom, but it also has the ability to absorb the stinging cells (sciency term: nematocyst (aka cnidocyte, ’cause they’re cool too)). It can then concentrate the cells of all the Portuguese Mens o’ Wars it eats and thereby pack a stronger wallop than the original predator.

Business-wise, our friend Glaucy basically performs a hostile takeover, absorbs the general features of the acquisee (proteins) and concentrates that which makes them unique (nematocysts/cnidocytes). The lesson here, I think, is to look at what makes others unique and not necessarily on what you have in common. That’s not to say that commonality isn’t important… no acquisition is going to work out if you don’t share common proteins. However, a strategic acquisition isn’t going to be massively successful unless you can take advantage of and preserve the uniqueness.

The same holds true of employees. If we hire employees, it is presumably because they have skills that set them above the rest. (After all, everything else can be automated these days.) Does it really make sense to push them all towards the same lowest denominator? Wouldn’t it make more sense to give each the tools they need (both technical and cultural) to maximize their success? By doing such, you have effectively turned them into little stingers that can pack quite a punch. Then, the trick would be to set them up in teams, so their punch can be concentrated.

Of course, the other lesson to learn from Glaucy is that it’s not just a mass of stinging cells. In order to be a successful organism, it must still move around, hunt and eat. Thus, priority one is successful operation (not uniformity), and priority two is concentration of attack/defense. I often find myself falling into the trap of forgetting about operations and trying to promote uniform environments and tool consolidation in the name of security. After all, that’s best practice right?

Wrong.

Best practice is protecting the business. That means making the business as successful as possible. I’m afraid that we security practitioners often mistake the process for the result. Uniformity is a tool to promote control and control is a tool to promote security. However, as soon as the costs of uniformity and control get in the way of the success of the business, they harm security instead of benefiting it.

Security Lessons from Nature – Happy Groundhog Day

Happy groundhog day.  In honor of this special day, you get a picture and a scatter-shot of groundhog facts:

  • The groundhog is also known as a whistle-pig, due to its tendency to make a whistling noise when predators are near.  Much as monitoring systems will send SMS or email messages when an attack occurs.
  • Groundhogs have two layers of fur, both a soft undercoat and guard hairs.  This is a classic defense in depth strategy, against both cold and damp threats.
  • Groundhogs mostly eat plants but won’t pass up the occasional delicious grub or bug.  This allows them to supplement their dietary needs without having to track down the rare vegetative high-protein source like nuts or beans, which are needed in small quantities at various points in their lives.  This is much like an organization hiring a 1099 resource as needed.
  • They are one of the few creatures that truly hibernate and are generally utterly non-responsive for four to five months… which has no direct correlation to business, but there are days when I wish it did.
  • They have a wide range of predators, including owls, dogs, bears, bobcats and coyotes.  Younger ones are vulnerable to snakes and hawks.  Much as a security program is constantly evolving and loses vulnerability to some threats but not others, the successful groundhogs grow large enough to be immune to the snakes and hawks.
  • When predators strike, groundhogs will escape them by running to emergency burrows (hot site) or up a tree (cold site).
  • Groundhogs are mostly solitary but also live in small communal burrows.  This allows them to share the alerting responsibilities and leverage one another’s expertise… in much the same way that small teams can work most effectively in a small conference room where they can collaborate.
  • The groundhog is in the Sciuridae family along with the squirrels (and a fragment of their genetic code can be found here (as part of the SequenceJuxtaposer project (which has nothing to do with security, but is still pretty neat))).

Image in the Creative Commons and is courtesy of ~Sage~ on Flickr.