Sunday, February 23, 2014

Tech Job Postings are Funny! Post 2 Caradigm

In my last post, I promised to make fun of companies based on their job postings.  Some are silly, some are crazy, and some are unintentionally telling about a companies culture... A word to HR and recruiting, don't let your job ads destroy your company's facade of hugeness.

Enter Caradigm a joint venture between Microsoft and GE!  From the press release, this seems to be all about real-time healthcare data. They are talking about interoperability and collaboration with patient data.  Done right, this is great stuff, however, we are talking about highly sensitive personal data in a very regulated space, in terms of data security.

Microsoft and GE are two of America's largest companies.  I'm sure they have thought this all through... Caradigm is hiring the Information Security Manager. Copy here. While this role sounds like the manager of all InfoSec at Caradigm, surely they mean Manager in Information Security.  The top InfoSec role at a company of this stature, with its hands in or on so much highly regulated data, must be a VP or maybe even a C level role. Then again, maybe they didn't think it all through and don't think security is important enough to pay a high salary for.

Security covers a lot of ground; policy, risk management, governance, vendor management, architecture, hands on techy stuff around hosts, network stuff, app layer stuff.   The top role would cover all that.

And here is are a few of the job requirements...  That looks like the whole list to me.  Did we leave anything for the CISO to do?

• Participates in the architecture governance process. Provides technical guidance to project teams and vendors as appropriate.
• Implement Enterprise Information Security Standards
• Plans and supervises the support and maintenance for the enterprise information security including:
- Environment administration of all access rights to the overall network and applications within the network
- Monitoring
- Vulnerability scanning
- Firewall administration
- Risk assessments
- Penetration testing
• Plans, supervises and participates (either personally or through team members or vendors) in every project within the environment to assure that security standards are maintained while meeting the business requirements
• Coordinates all audit requirements related to Information Security across all platforms and projects working directly with process owners and vendors to ensure compliance
• Sponsors the teams, which analyzes all vulnerability and patch requirements and assess their impact to the Security environment. Integrate this team’s strategic roadmap into the overall IT strategy to ensure a plan to protect its information assets into the future.
• Maintains accountability for responsible information security program governance through formal reporting
• Develops and implements an information security risk profile that prioritizes risk and the investment and financial strategy required to mitigate those risks
• Creates and maintains security architecture for the enterprise and participate in the solution selection and process development
• Develops security requirements for information technology infrastructure initiatives, selected enterprise applications and, as appropriate, reviews and approves security design of initiatives
• Understanding of appropriate leading-edge security technologies and services
• Matrix managing large virtual, remote, and global project teams (15+ members)
• Hiring, developing, leading, motivating, performance managing, and coaching a cross-section of security and technology professionals and managers
• Understanding of emerging technologies and their impact on security architectures: Service Orientated Architecture, Enterprise Frameworks, Message Based information exchange, etc.
• Project managing in the security arena in a healthcare customer facing role
• Information Security Architecture technologies and concepts: Firewalls, intrusion detection, assessment tools, encryption, certificate authority, etc.
• Information systems security, including such areas as identity and access management, security program policies, processes, and procedures
• Understanding of information security and the relationship between threats, vulnerability and information value in the context of risk management
• Excellent vendor management skills with demonstrated experience. Comprehensive understanding of the physical security discipline, focusing on operations. Strong cross-team and cross-group collaboration skills.

I wont beat them up any more myself, but it looks like the top IT role is a Director level job.

Friday, February 21, 2014

Tech Job Postings are Funny! Post 1 Amazon.com

I get a lot of recruiters emailing me and I get job postings in my RSS feeds.  Many of these postings are unintentionally funny, some are downright embarrassing, and some just leak a lot of information about a company.

I've decided to start posting some of these with commentary.  The one that finally made this decision for me is from Amazon.com . A copy can be found here. I've added bold for emphasis.

The almost certainly illegal and super ageist posting title is what caught my eye: "Systems Engineer - AWS Simple Storage Service (S3) -University Candidate: May 2014 Grads Only".

It was the wonderful nonsequitur requirements for job experience that really hooked me.

  • Experience running and maintaining a 24x7 Internet-oriented production environment, preferably across multiple data centers, involving (preferably) at least hundreds of machines.
  • Demonstrable expertise around specifying, designing, and/or implementing system health, performance monitoring tools, and software management tools for 24x7 environments.
  • Experience with very large distributed systems such as multi-terabyte storage farms, and/or horizontally scaled request processing fleets

Sure, there are plenty of 2014 Grads with expertise in the book sense and maybe some even in a more practical sense, but, really how does a grad get to a place where their college and work lives intersect with a large 24x7 operation?   Maybe I need to open my mind.  Maybe Amazon wants a 12th year senior who has been working in enterprise architecture while going to school at night?   That eliminates the ageism too!!

Sunday, February 9, 2014

Will Satya Nadella Save the Internet on April 8th 2014?

If you have worked for Microsoft, or any huge company, this will be no surprise; Microsoft has many groups working against each other or at least spending dollars in one department that could save or make millions in another. It’s not easy to align everything in a large company, especially when it has been run by the worst CEO in America for so long. Microsoft is regularly in the news “shutting down botnetsand doing other great pro-bono work to make the web safer.  I applaud this!

Yet, in the core operating systems orgs, they have let Windows XP, still the second most used desktop OS, lag behind in security and will stop issuing patches in April of 2014.  There is nothing wrong with XP, even the MS page on its retirement makes it clear that they don’t have to support it, by law, so they won’t.  There are no claims related to it not being good or safe.  I read it as, “There is no money in it for us, so we will spend the resources in a money making area”.  If you add no context, this is a totally rational business decision.  I won’t pretend to have all the data on the financial and opportunity costs of patching XP and enhancing it.  I have no idea how much money it costs Microsoft to fund the groups that take down botnets.  I also don’t know who the users of XP are, but I expect they are those who can’t afford to upgrade.  This may be due to the cost of the OS, lack of skills to safely upgrade, or in the case of businesses, economy of scale making it very expensive.

Figure 1 All OSs on the Web

WT OSs.gif

Figure 2 Windows OS Breakdown

Web OS Trends.gif

Here is what I do know.  MS will continue to support Server 2003 until July 2015.  XP and Server 2003 are mostly built on the same code base, so patching XP isn’t a complete diversion from their business.  If MS stops patching the OS that is nearly 30% of the desktop market, XP will become the most researched and exploited OS on the web in fairly short order.  The MS team that is taking down botnets will sure have their hands full then.  Maybe MS thinks that the fear of no patches will finally get users to upgrade.  In the case of the enterprise, I would think so.  In the case of small businesses and individuals, I expect this to be a boon for little IT shops; removing viruses and selling cheap fixes like host based firewalls, more anti-virus, anti-malware, and Advanced Persistent Controls.

Considering that Microsoft has zero legal or contractual obligations to improve or maintain XP, perhaps they can write off the cost of not turning the internet into a XP infested filthy virus zone.  OK, intentional hyperbole aside, I vehemently urge Mr. Nadella to throw his predecessor under the bus and take up the cause of keeping XP healthy.  This doesn’t just mean patching; it means a few basic enhancements that are needed.

OK, when I say, “there is nothing wrong with XP”, I know, it doesn’t have Address Space Layout Randomization and User Account Control, and many other benefits of post-XP OSs.  Let’s not confuse the “need” for the next best OS for an actual need to get off a dangerous OS.  I guess XP will be that OS soon, if Mr. Nadella doesn’t reconsider.

My in-depth focus on security is mainly around applied cryptography and identity management, so I welcome other suggestions in the comments. Below is my wish list for XP enhancements. 

Upgrade to schannel.  XP does not support Server Name Indication and TLS 1.2 with AES cipher suites.  There are some patches for 2003 that add AES cipher suites, but with TLS 1.1 and below are vulnerable to BEAST attacks, as the added cipher suites use CBC mode. Make all these changes part of critical updates, not hotfixes. No one applies hotfixes unless they know about the issue.

Force stronger NTLM settings as part of a Critical Update, rather than simply issuing advisories.  Nobody reads the advisories; they apply patches and cross their fingers.

Saturday, January 11, 2014

Godaddy Asks People NOT TO USE ITS HOSTED EMAIL and May Not Even Use It Themselves

Disclaimer, Godaddy made me angry with a billing issue.  This is what caused me to look into the value I get from them.  While my language may be angry and inflammatory, the facts are not disputable.  I have informed them about their messed up SMTP TLS, but have not heard back.

Try to send a secure mail to Godaddy hosted addresses and they will return this message

Sample server certificate, do not use on production systems!

Maybe they are hosting customers’ mail on non-production systems.   For additional irony, they are hosted in the domain, secureserver.net.

farmtomarketcreations.com. 3600 IN      MX      0      smtp.secureserver.net.

farmtomarketcreations.com. 3600 IN      MX      10    mailstore1.secureserver.net.

Even more irony!!!!  Godaddy doesn’t even use their own hosting for email, they use Microsoft!

                godaddy.com.            3600    IN MX      0     godaddy-com.mail.protection.outlook.com.

OK, so this could be that they just use MSs Cloud Anti-Spam and then relay the spam free mail into their systems, but I am dubious.

 

A quick word about SMTP and TLS.  It is a great way to keep mail more secure because it does not require an end user to know anything or that it is even there.  It just requires mildly qualified techs to configure their mail servers correctly.  TLS, done right, will protect the message in transit from one mail system to the next. 

Back to the hosting I pay for.  While the MX records do not change for my hosting, the corresponding A records change a bit, and multiple tests against the same IP render different results, in terms of TLS support. It appears they use technologies like global traffic management, round robin DNS, and load balancers, and every host was configured by a different incompetent tech.

Their MX records for both names seem to correspond to the same 4 IPs

smtp.secureserver.net. 300     IN      A       72.167.238.201

smtp.secureserver.net. 300     IN      A       72.167.238.29

smtp.secureserver.net. 300     IN      A       68.178.213.37

smtp.secureserver.net. 300     IN      A       216.69.186.201

mailstore1.secureserver.net. 300 IN     A       68.178.213.37

mailstore1.secureserver.net. 300 IN     A       216.69.186.201

mailstore1.secureserver.net. 300 IN     A       72.167.238.201

mailstore1.secureserver.net. 300 IN     A       72.167.238.29

 

Here’s what CheckTLS shows me over a decent number of tests. Never a score above 68 and never once a valid SSL certificate.  Of 18 tests, 2/3rds fail to even allow TLS.

Godaddy.png

 

So, let’s look at the hosts that do offer up SSL/TLS certificates.   First, they send their Root certificate twice, adding to handshake time and size.  The root and SSL certs are both 1024 bit.  We already covered the clearly stated “Do not use”.   The SSL certificate is good for 10 years?  At least it is not expired.  :-P Crazy… Finally, the subject common name on the SSL certificate doesn’t match any of their server names.   I guess they can’t afford certificates… Wait, isn’t Godaddy an SSL cert provider?

Certificate 1 of 3 in chain:

Certificate:

  Data:

    Version: 3 (0x2)

    Serial Number: 2 (0x2)

    Signature Algorithm: sha1WithRSAEncryption

    Issuer:

      countryName         = US

      organizationName      = Sample, Inc.

      organizationalUnitName  = IT Team

      commonName        = CA

    Validity

      Not Before: Nov 18 14:58:26 2010 GMT

      Not After : Nov 15 14:58:26 2020 GMT

    Subject:

      countryName         = US

      organizationName      = Sample, Inc.

      organizationalUnitName  = IT Team

      commonName        = Server

    Subject Public Key Info:

      Public Key Algorithm: rsaEncryption

        Public-Key: (1024 bit)

        Modulus:

          00:f3:89:dd:43:f0:ad:84:1a:dd:f1:fd:2c:83:bd:

          ae:01:17:d8:ab:4e:02:f4:7f:85:0a:ec:70:5e:8b:

          19:69:78:6c:61:b8:82:5b:dd:e8:ea:48:23:6b:9f:

          68:80:76:67:34:d3:94:e7:a4:54:38:bb:72:c7:ba:

          da:cc:d6:cb:f8:6b:91:53:f2:be:44:61:9c:a0:64:

          d1:02:e8:df:5b:95:7f:ae:e3:82:d1:e7:2a:96:eb:

          53:9e:17:b3:f5:d9:d1:7a:ca:dd:74:1e:97:3a:44:

          54:5d:02:54:8d:f0:7b:85:39:9f:e9:a3:f3:e7:20:

          14:1d:58:c9:f9:0d:63:fc:d3

        Exponent: 65537 (0x10001)

    X509v3 extensions:

      X509v3 Basic Constraints:

        CA:FALSE

      Netscape Comment:        

        Sample server certificate, do not use on production systems!

      Netscape Cert Type:

        SSL Server

      X509v3 Extended Key Usage:

        TLS Web Server Authentication

      X509v3 Key Usage:

        Digital Signature, Key Encipherment

  Signature Algorithm: sha1WithRSAEncryption

    38:d1:85:a8:51:8c:1b:04:a5:95:39:19:7c:6e:38:f6:e8:ef:

    27:23:40:17:11:ba:bc:7a:0c:be:39:ee:f4:2b:8d:5c:5d:dd:

    c4:ea:54:e1:d9:fd:7c:96:b2:a0:9b:67:cd:f9:06:ed:7e:02:

    8a:96:fd:f6:4d:bf:64:22:17:a5:9b:e3:33:15:7e:fe:a7:30:

    53:21:55:ba:20:c5:a6:19:50:f0:d2:44:e9:a9:1c:5a:37:20:

    cb:26:15:da:73:ba:67:29:f3:1d:f2:69:97:31:26:92:04:f9:

    6a:c3:ec:ff:6a:65:60:ef:78:54:44:7f:81:22:24:aa:e8:cd:

    fa:6b

-----BEGIN CERTIFICATE-----

MIICkTCCAfqgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBDMQswCQYDVQQGEwJVUzEV

MBMGA1UEChMMU2FtcGxlLCBJbmMuMRAwDgYDVQQLEwdJVCBUZWFtMQswCQYDVQQD

EwJDQTAeFw0xMDExMTgxNDU4MjZaFw0yMDExMTUxNDU4MjZaMEcxCzAJBgNVBAYT

AlVTMRUwEwYDVQQKEwxTYW1wbGUsIEluYy4xEDAOBgNVBAsTB0lUIFRlYW0xDzAN

BgNVBAMTBlNlcnZlcjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA84ndQ/Ct

hBrd8f0sg72uARfYq04C9H+FCuxwXosZaXhsYbiCW93o6kgja59ogHZnNNOU56RU

OLtyx7razNbL+GuRU/K+RGGcoGTRAujfW5V/ruOC0ecqlutTnhez9dnResrddB6X

OkRUXQJUjfB7hTmf6aPz5yAUHVjJ+Q1j/NMCAwEAAaOBkDCBjTAJBgNVHRMEAjAA

MEsGCWCGSAGG+EIBDQQ+FjxTYW1wbGUgc2VydmVyIGNlcnRpZmljYXRlLCBkbyBu

b3QgdXNlIG9uIHByb2R1Y3Rpb24gc3lzdGVtcyEwEQYJYIZIAYb4QgEBBAQDAgZA

MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIFoDANBgkqhkiG9w0BAQUF

AAOBgQA40YWoUYwbBKWVORl8bjj26O8nI0AXEbq8egy+Oe70K41cXd3E6lTh2f18

lrKgm2fN+QbtfgKKlv32Tb9kIhelm+MzFX7+pzBTIVW6IMWmGVDw0kTpqRxaNyDL

JhXac7pnKfMd8mmXMSaSBPlqw+z/amVg73hURH+BIiSq6M36aw==

-----END CERTIFICATE-----                                                                                                                                                                                                                                      

[003.724]                             

Certificate 2 of 3 in chain:

Certificate:

  Data:

    Version: 3 (0x2)

    Serial Number:

      92:69:45:90:f7:aa:ec:38

    Signature Algorithm: sha1WithRSAEncryption

    Issuer:

      countryName         = US

      organizationName      = Sample, Inc.

      organizationalUnitName  = IT Team

      commonName        = CA

    Validity

      Not Before: Nov 18 14:58:26 2010 GMT

      Not After : Nov 15 14:58:26 2020 GMT

    Subject:

      countryName         = US

      organizationName      = Sample, Inc.

      organizationalUnitName  = IT Team

      commonName        = CA

    Subject Public Key Info:

      Public Key Algorithm: rsaEncryption

        Public-Key: (1024 bit)

        Modulus:

          00:b8:ed:8e:6f:80:6c:10:56:21:16:b9:53:a9:00:

          95:b9:60:18:48:76:fd:a2:e4:b9:4c:21:03:d9:17:

          0f:f7:09:ae:31:f6:1b:ee:3f:d9:d6:fe:53:70:84:

          5b:df:63:7b:f4:a2:9d:34:4f:0e:55:33:e6:ee:a7:

          4c:b9:43:0f:70:51:71:bc:ee:50:6c:fd:4e:41:f2:

          4d:cf:9d:9c:94:a4:40:85:e9:27:74:08:78:fc:f6:

          2e:e4:a9:d5:3e:8b:27:a9:ed:52:06:45:a5:76:a4:

          2a:8d:2a:10:e9:31:6d:5a:6a:75:34:10:4c:85:9a:

          5d:4d:43:3a:24:59:95:29:7f

        Exponent: 65537 (0x10001)

    X509v3 extensions:

      X509v3 Basic Constraints:

        CA:TRUE

  Signature Algorithm: sha1WithRSAEncryption

    a0:04:32:10:92:46:dd:bd:e4:c2:71:0a:b2:d5:5c:9c:1c:8c:

    57:fa:3a:17:ed:aa:d9:28:09:f3:79:3b:18:d0:4d:e0:f8:6c:

    96:a4:b0:52:f9:8a:cd:bc:cf:1c:79:2a:6e:97:4a:89:4e:bb:

    f9:9b:0c:4c:e0:fe:a1:0f:53:7d:6b:04:3b:9b:05:1b:b7:37:

    13:ae:9d:02:58:14:7f:cc:d5:be:26:55:4e:02:15:bb:ec:9f:

    7d:b6:5e:fa:ea:c8:88:b1:b6:57:62:69:ba:c2:b1:d2:2f:a7:

    99:24:90:eb:52:a5:58:20:22:83:33:2c:37:64:84:0e:e9:46:

    90:53

-----BEGIN CERTIFICATE-----

MIICFDCCAX2gAwIBAgIJAJJpRZD3quw4MA0GCSqGSIb3DQEBBQUAMEMxCzAJBgNV

BAYTAlVTMRUwEwYDVQQKEwxTYW1wbGUsIEluYy4xEDAOBgNVBAsTB0lUIFRlYW0x

CzAJBgNVBAMTAkNBMB4XDTEwMTExODE0NTgyNloXDTIwMTExNTE0NTgyNlowQzEL

MAkGA1UEBhMCVVMxFTATBgNVBAoTDFNhbXBsZSwgSW5jLjEQMA4GA1UECxMHSVQg

VGVhbTELMAkGA1UEAxMCQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALjt

jm+AbBBWIRa5U6kAlblgGEh2/aLkuUwhA9kXD/cJrjH2G+4/2db+U3CEW99je/Si

nTRPDlUz5u6nTLlDD3BRcbzuUGz9TkHyTc+dnJSkQIXpJ3QIePz2LuSp1T6LJ6nt

UgZFpXakKo0qEOkxbVpqdTQQTIWaXU1DOiRZlSl/AgMBAAGjEDAOMAwGA1UdEwQF

MAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAoAQyEJJG3b3kwnEKstVcnByMV/o6F+2q

2SgJ83k7GNBN4PhslqSwUvmKzbzPHHkqbpdKiU67+ZsMTOD+oQ9TfWsEO5sFG7c3

E66dAlgUf8zVviZVTgIVu+yffbZe+urIiLG2V2JpusKx0i+nmSSQ61KlWCAigzMs

N2SEDulGkFM=

-----END CERTIFICATE-----                                                                                                                                                                                                                                                                                                                                                                                          

[003.768]                             

Certificate 3 of 3 in chain:

Certificate:

  Data:

    Version: 3 (0x2)

    Serial Number:

      92:69:45:90:f7:aa:ec:38

    Signature Algorithm: sha1WithRSAEncryption

    Issuer:

      countryName         = US

      organizationName      = Sample, Inc.

      organizationalUnitName  = IT Team

      commonName        = CA

    Validity

      Not Before: Nov 18 14:58:26 2010 GMT

      Not After : Nov 15 14:58:26 2020 GMT

    Subject:

      countryName         = US

      organizationName      = Sample, Inc.

      organizationalUnitName  = IT Team

      commonName        = CA

    Subject Public Key Info:

      Public Key Algorithm: rsaEncryption

        Public-Key: (1024 bit)

        Modulus:

          00:b8:ed:8e:6f:80:6c:10:56:21:16:b9:53:a9:00:

          95:b9:60:18:48:76:fd:a2:e4:b9:4c:21:03:d9:17:

          0f:f7:09:ae:31:f6:1b:ee:3f:d9:d6:fe:53:70:84:

          5b:df:63:7b:f4:a2:9d:34:4f:0e:55:33:e6:ee:a7:

          4c:b9:43:0f:70:51:71:bc:ee:50:6c:fd:4e:41:f2:

          4d:cf:9d:9c:94:a4:40:85:e9:27:74:08:78:fc:f6:

          2e:e4:a9:d5:3e:8b:27:a9:ed:52:06:45:a5:76:a4:

          2a:8d:2a:10:e9:31:6d:5a:6a:75:34:10:4c:85:9a:

          5d:4d:43:3a:24:59:95:29:7f

        Exponent: 65537 (0x10001)

    X509v3 extensions:

      X509v3 Basic Constraints:

        CA:TRUE

  Signature Algorithm: sha1WithRSAEncryption

    a0:04:32:10:92:46:dd:bd:e4:c2:71:0a:b2:d5:5c:9c:1c:8c:

    57:fa:3a:17:ed:aa:d9:28:09:f3:79:3b:18:d0:4d:e0:f8:6c:

    96:a4:b0:52:f9:8a:cd:bc:cf:1c:79:2a:6e:97:4a:89:4e:bb:

    f9:9b:0c:4c:e0:fe:a1:0f:53:7d:6b:04:3b:9b:05:1b:b7:37:

    13:ae:9d:02:58:14:7f:cc:d5:be:26:55:4e:02:15:bb:ec:9f:

    7d:b6:5e:fa:ea:c8:88:b1:b6:57:62:69:ba:c2:b1:d2:2f:a7:

    99:24:90:eb:52:a5:58:20:22:83:33:2c:37:64:84:0e:e9:46:

    90:53

-----BEGIN CERTIFICATE-----

MIICFDCCAX2gAwIBAgIJAJJpRZD3quw4MA0GCSqGSIb3DQEBBQUAMEMxCzAJBgNV

BAYTAlVTMRUwEwYDVQQKEwxTYW1wbGUsIEluYy4xEDAOBgNVBAsTB0lUIFRlYW0x

CzAJBgNVBAMTAkNBMB4XDTEwMTExODE0NTgyNloXDTIwMTExNTE0NTgyNlowQzEL

MAkGA1UEBhMCVVMxFTATBgNVBAoTDFNhbXBsZSwgSW5jLjEQMA4GA1UECxMHSVQg

VGVhbTELMAkGA1UEAxMCQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALjt

jm+AbBBWIRa5U6kAlblgGEh2/aLkuUwhA9kXD/cJrjH2G+4/2db+U3CEW99je/Si

nTRPDlUz5u6nTLlDD3BRcbzuUGz9TkHyTc+dnJSkQIXpJ3QIePz2LuSp1T6LJ6nt

UgZFpXakKo0qEOkxbVpqdTQQTIWaXU1DOiRZlSl/AgMBAAGjEDAOMAwGA1UdEwQF

MAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAoAQyEJJG3b3kwnEKstVcnByMV/o6F+2q

2SgJ83k7GNBN4PhslqSwUvmKzbzPHHkqbpdKiU67+ZsMTOD+oQ9TfWsEO5sFG7c3

E66dAlgUf8zVviZVTgIVu+yffbZe+urIiLG2V2JpusKx0i+nmSSQ61KlWCAigzMs

N2SEDulGkFM=

-----END CERTIFICATE-----  

 

Monday, May 20, 2013

Demystifying Certificate Requirements in Mutual TLS

Understanding Certificates and SSL/TLS long ago became an IT fundamental.

Somehow, the industry seems to have not noticed.  In my quest to take fewer calls on this stuff, here is my attempt to help demystify all the certificates involved in Client SSL/Mutual TLS.  I seem to be spending 2+ hours a day on the phone talking web and server admins through this stuff.

The reason I am doing this is because Google failed me.  There are a lot of docs that focus on all the other aspects of the SSL/TLS negotiation, but none of them focuses on the certificates and what they do for us. Microsoft has one of the better papers on SSL/TLS, but there is a lot lacking around the certificates and the SSL/TLS handshakes are overly summarized.

Here is the handshake that MS shows us.

MSHandShake.gif

While this may be a four message handshake, there are a few different conversations taking place, simultaneously, in the handshake.  The conversations and their certificate requirements are more easily understood when they are pulled out of the stick context of the message format.

I will say that I am doing a bit of summarizing.  SSL/TLS has four major components: authentication, message integrity, key negotiation and encryption.  This post focuses heavily on the authentication aspect.  I am lumping SSL and TLS together as the basic functions of the negotiations are the same, only the implementation details vary a bit.  I am also leaving out a bit about session key generation. 

I break the handshake down into 4 different conversations.

A.      Hellos

a.       The client tells the server that it wants to go secure and offers the suite of ciphers it supports.

b.      The server selects a cipher from the list.

c.       No certificates are involved here.

B.      Server Certificate presentations

a.       The server sends over the SSL certificate AND the chain

b.      The server must have the private key for the SSL certificate.

c.       If the chain, (CA hierarchy) is not sent, negotiation MUST fail.

d.      The client SHOULD perform full cert and chain validation against these certs, making sure they chain to a Root CA that is trusted explicitly by the client.

C.      Key Exchanges

a.       The client and server exchange data that allows the negotiation of session encryption keys.

b.      If EDH is used, then the RSA/DSS key is used to block MITM of the key negotiation.

c.       If RSA key negotiation is used, the client encrypts its initial key material with the public key on the server SSL certificates, assuming cert and chain validation succeeded.

D.      Client Certificate  presentations

a.       The server issues a Certificate Request.  This lists the key types allowed on the certificate and a list of Distinguished Names (DNs).  These DNs are used as a hint to help the client determine which of its many possible certificates is the “right” one.

b.      The client selects a certificate, for which it MUST have the private key, and sends the certificate to the server.

c.       The client sends data that is signed using its private key, proving it holds the certificate in question.

d.      The server checks the signature.  If the signature passes, the server may be configured to pass/fail the client based on data in the certificate.  Often the certificate serial number or Subject DN must match a static list, or the certificate must be one that is on file.  The decision to pass/fail the client cert is not specified in any RFC.

 

2waySwimLane.gif

 

Certificates Needed

 

Client         

Server

A - Hellos

None

None

B - Server Certificate

Root CA Cert for Trust

SSL Cert and Chain to send

C - Key Exchange

Public key from Server Cert

Private key for Server Cert

D - Client Auth

Client Cert and Private key

Client cert for explicit trust or CA cert to implicit trust.  Cert values MAY be checked.

 

Client and Server Perspective

One often forgotten part of this is that when there are two parties, the role of client and server may change.   For instance, let's say A pushes a full DB copy every night to B, and then B pulls deltas hourly during the day. In this scheme, at night, B is the server, but during the day, B is the client.  This means that both parties need a cert and a server cert with chain, and they need to know how to implicitly or explicitly trust other clients, and they need Root CA certs so they can trust the server cert when they are the client.

Summary

Take the time to understand how your connections are established and it is fairly easy to figure out which certificates are used when. When it comes to figuring out what is wrong, you can usually figure out the issue by where the handshake fails.  The handshake failures usually can only be seen via packet captures.

 

Friday, March 29, 2013

Hello IT Person, Welcome to the Security Organization

This is a post that is long overdue.   The IT industry went through a revolution and most people in IT missed it and are still missing it. 

If you are in any form of IT related job, you are in the information security field.

You may say, “No, I’m just an IT Project Manager (analyst, whatever), security is another team”.  You are wrong and your career is heading towards a cliff.

It only takes a tiny bit of Googling to realize that everyone is getting hacked.  Even the biggies, RSA, Microsoft, Facebook, Symantec, and Apple aren’t immune. There are too many actors with too many motivations.  If it is connected to the web, there is either money in hacking it, or it can be used as a foothold to hack for money.  If it’s connected to the web, there is probably someone with a social or political agenda that makes it a target and if not, it is a platform for the hacktivists to leverage.  On top of the myriad of highly skilled and motivated attackers, there are thousands off wannabe hackers simply looking for low hanging fruit to test their skills or to get a thrill.  Even if you don’t have a penny to your name, your computing power is a commodity if it can be added to a botnet. Hopefully, you already know that it’s a given that everyone is a target.  If you still need persuading on this point--don’t worry, there are plenty of Wal-Marts that need greeters.  Get your app in early.  (That’s “app” as in “application”, which is a paper form you will fill out with a pen. You won’t need LinkedIn for this.—The Editor)

So, why is security your job?  Every day (week if you are a slacker?) you make decisions that impact security.  It doesn’t matter if you specialize in a niche, like UI or UX; or something broad, like program or project management.  If you are working with data in any way, that data has value to your organization.  There will certainly be negative impact if the data is compromised or corrupted.  Even if you run or maintain a static website in which the content is public and can easily be restored if lost, you don’t want your system to be a foothold into your important systems or take part in a DDoS attack.

Your Role

Backup Operators – Don’t lose the data and don’t lose those unencrypted backup files.  This role should be a no brainer.  This role has Confidentiality, Integrity, and Availability components.

Systems Administrators – Once again, this is a no brainer.  SAs have all the access themselves and they configure access to ALL of your data.  Remember, all of your applications sit on a host that an SA “owns”.

DBAs and DBOs – Please, for the love of all that is good, you guys MUST know you have to protect that data. Do you??

Project and Program Managers – I know lumping you guys onto one line will get me all sorts of hate mail.  You guys decide things like what use cases exist, for what users, accessing what data. You decide whether to engage formal security teams for assistance. You decide to cut product or project scope, and everyone knows security is the first to get cut.      

Developers – You guys are the worst.  Yeah, I’m saying it. Inventing your own “cryptography”, passwords in log files, backdoors, assuming users will use your apps the way you want them to, and on and on.  Seriously devs, get your acts together.    

Network Engineers – I think this is the only role that most folks actually think of as a security role.  In fact, this role is the least interesting in terms of security roles. Read those manuals and change those default passwords.  And stop using self-signed certs.  Can you really not remember how a MITM attack works long enough to say to a manager: “Wait, we need a real cert on that appliance admin portal page”?  You know what, if you can’t explain to a manager what a MITM attack is and why your choice of cert matters, you’re part of the problem.

 

Your day to day job may be focused on something else, but it is only a matter of time until IT folks start getting fired for massively bad security lapses.  If it is on the OWASP Top 10 or the SANS Top 25 and you don’t know a bit about it, you may want to pick up that Wal-Mart job app.  No one is asking you to figure everything out about security, but you need to at least understand some basics and keep your eyes out.  If you do run a system, you’d better become a security expert in the context of that system.

 

 

Friday, February 8, 2013

Senators Marco Rubio, Orrin Hatch, Amy Klobuchar hate America

I posted a snarky blog on H1B Visas last year, but it appears that based on current events, it is time to post again.  I doubt I will say anything that hasn’t been said before, but this needs to be said, over and over. 

H1Bs are a tool of “The Man” to keep America’s record breaking income disparity on track for even bigger numbers.   Yeah!  Maybe we can break a new record next year!

Proponents of the H1B, or increasing the allowed number of them, will tell you heartwarming patriotic tales of the U.S. needing these so we can keep companies on shore, in business, and competing against the world.  Capitalism is the best thing ever, but when you run out of local resources, you have to import them to keep your business from failing.  It’s just supply and demand. We have demand. If these companies can’t get smart employees, they will go out of business and then America loses.  Limit the H1Bs and Microsoft will have to fold up shop, then the Seattle area dies with it, then Silicon Valley and LA aren’t far behind.  Plus, hey, we are forced to pay all these folks prevailing wage.

All of this is horseshit. 

(Sorry, parents who are reading my blog to your kids before bed.  I’ll try not to use that language again…)

Why is it horseshit?  (Okay. I’m not trying very hard.)

Here’s why:

The H1B is simply access to a pool of lesser-paid employees.  In my previous post, I referred to them as indentured servants.  (Work at Microsoft for a few months, and you will see it. Comments welcome.)

Further, when the onshore talent is forced to compete against the indentured servants, they have to put in the same kind of hours the indentured do.  When it comes to supply and demand, the prevailing wage rule doesn’t let the market come into play.  The extra supply of labor hours drives down demand.  It’s just that simple.

H1Bs are anti-American and chip away at the American Dream every day.  One could make an argument that the visa is just opening a bigger market, thus very capitalist. But seriously, I kind of want America to be around and to have jobs when my kid grows up. 

Here’s how the H1Bs are ruining America.  If we stop or cut the H1B numbers, the demand for smart people goes up.  With demand up, wages go up.  Wages don’t just go up for the top tier professionals; they go up for every other tier as well.  Crap, there goes our chance at another Guinness Book Income Disparity Record.  If the wages go up, the jobs get much more attractive to America’s youth.  If demand for those jobs goes up, we need more training institutes for whatever technical jobs are in more demand.  Kids will go to college and get smart if there is a path to riches.  Right now, average wages for many of these jobs are comfortably nice, but they don’t scream, “Learn me, you can vacation in Park City every year and drive an Escalade!”

The H1B keeps kids from seeing any American Dream, so the ones lucky enough to afford college just get yet another Art History Degree and fill out that McDonald’s job application.

I have met a few folks who have left tech for trade jobs, because the pay is similar and the stress is lower.

One might make a claim that there is a short term need for the smart folk, as American kids aren’t up to speed yet.  I concede the possibility, but how do we fix the cycle?  On our current path, it seems that we don’t, we just continue to import cheap labor.

The market only works for us if you let it.

If that were the end of it, one might be able to let go.  As it turns out, and I won’t pretend to know everything about these companies, many of the big consumers of H1Bs are foreign owned companies who rarely hire Americans and specialize in filling headcount for companies who can’t get H1Bs or have more than their fair share. These companies are funneling their revenue right out of America.  These aren’t even American companies in need of talent, hoping they can compete!

Don’t get me wrong, I don’t hate foreigners; I worked with some great ones at MS and many great ones at T-Mobile.  What I want is to protect America, its future, and its market for high paying jobs.  Keeping wages low in this manner hurts America.  We need to fix this for our children.

H1B visas are nothing more than a way to keep money out of the hands of workers and in the hands of execs and larger shareholders.

Taking a look at some of the top H1B sponsors, I can’t help but notice three distinct categories.  We have offshore consultancies, household name tech companies, and banks/wall street firms. None of these companies are lacking in cash to bump up the pay of their employees or to fund training and education for the lesser employees with potential.  This is pure greed.  

Here a look at H1B data for 2001 – 2012

Household Names

Employer

Denied

Requested

Microsoft Corporation

206

38001

IBM Corporation

416

25067

Oracle Corporation

177

12587

Intel Corporation

86

11686

Qualcomm Inc

79

8492

Accenture Ltd

57

6637

Cisco Systems, Inc

125

6273

Google Inc

30

6241

Hewlett-Packard Company

98

5907

CVS Rx Services, Inc. dba CVS Pharmacy

47

5804

Rite Aid Corporation

89

5385

 

Wall Street

Employer

Denied

Requested

CitiGroup

187

8147

JPMorgan Chase & Co

75

6564

Goldman, Sachs & CO

51

6527

Bank of America

79

4304

Merrill Lynch & Co., Inc

65

4140

Credit Suisse First Boston

55

3760

UBS AG

61

3659

Capital One Financial Corp

65

3648

 

Offshore Consultancies

Employer

Denied

Requested

Satyam Computer Services, Ltd

163

29824

Tata Consultancy Services

155

17996

Infosys Limited

222

16013

Larsen & Toubro Infotech Limited

83

14105

Wipro Limited

67

13420

Infosys Technologies Limited

55

10139

Cognizant Technology Solutions

368

9375

Patni Americas, Inc

80

8146

 

 

Well, at least Steve Ballmer gets to keep his fleet of Ferraris.

…And Larry Ellison gets to keep tropical islands.

…and our children will get to keep…what?

Inputting falsified referrals to this site violates the terms of service of this site and is considered unauthorized access (hacking).