2010
04.28

When I was an external auditor there were many changes in technology. Shortly after I started I went from a black and white screen laptop to a color screen. We switched over from dot matrix portable printers, portable and dot matrix is an oxymoron, to small ink jet printers. We also went from having no out of office connections to our network, to having dial up access, to having VPN. Even though we had the ability to VPN in, a lot of times our clients didn’t have the infrastructure to allow us to connect through their networks. So we frequently used dial up on a rotating basis throughout the day. It was always interesting to see where a client would give you space to work and what types of connections you would have access to.

While working at a medium size city, we were given the old offices of the treasurer, complete with the walk up counter and all. Through out the day we would have residents walk in and ask how they could pay their taxes. We would kindly direct them down the hall to the “new” office for the treasurer. I generally got to do this since I was situated at the old counter, on a very comfortable {sarcasm} stool. One day a police officer walked in and asked us who called 9-1-1. The five of us working in the room assured the officer no one called 9-1-1. He explained it wasn’t a person, but panic button call. He knew the room had been equipped with one under the counter and was certain we had tripped it. After careful inspection we determined there was no such button and he left confused. A week later our friendly officer showed up again asking who pushed the button, and again we searched for the button that wasn’t there. He left even more confused and said he would have maintenance come and fix the problem.

After another week and a half, my manager arrived on-site and asked if I was going to hit the panic button again. We laughed, because we knew there was no panic button, and she said “every time I am here you guys call the cops.” Then she walked over to the phone jack and plugged here laptop in to dial in to the office. I heard her complaining how the connection never works the first time. As she dialed the phone number and got an error I realized what was going on. A few minutes later my friend the policeman wandered in the room. “I thought maintenance disconnected that panic button” he said. I explained to him that it wasn’t a panic button, that it was a technical problem with our dial up line and he left satisfied. My manager looked a bit uneasy.

The dialup application we used allowed us to modify the number based on our client. Most of our clients required some digit to be dialed to get an outside line like 7, 8, or 9. When the software didn’t have a local number to call it would use an 800 number so it the dialup number usually looked like 9-1-800-xxx-xxxx. The client my manager had been to previously required you to dial 9-1 and then the number, so she left the custom setting in and clicked on the dial 9 option while at this particular client. Thus the number she was dialing was 9-9-1-1-800-xxx-xxxx which dialed dispatch and gave off modem tones that they mistook for a panic button call. A month later the policeman stopped by and commented how he was glad maintenance finally found the panic button and disconnected it, apperently he didn’t trust the auditor.

2010
04.22

I recently gave a talk at Notacon 7 (Notice: Notacon is the Bomb) called “The Haiku of Security: Complexity through Simplicity”. The interesting thing about this talk was that it was my first time going to Notacon, and the first time doing a talk at a conference, or in public for that matter. I am not, under normal circumstances, a person who just would just get up and talk at a small staff meeting let alone a conference. Somehow, though, I decided I would try some new things in 2010 and giving a talk was one of them. Which brings me back to present day.

When my talk was accepted I was excited, and mildly nervous. I still had a few months to mull it over so the full onset of nerves stood at bay. Then April began and I knew I needed to get my thoughts in order and make some slides. Nerves went up a notch, but still manageable. Even at the begging of the week prior to Notacon I could still manage to function without just curling up under my desk. It wasn’t until I walked into the lobby of the conference that my nerves took hold, and I still had 11 hours to go till my time slot. I told myself it was nerves about meeting new people, but the rationalization didn’t make my nerves subside.

After meeting many cool people and hearing some good talks, I picked my wife up to give me moral support. As I stood outside the room where I would speak I told my wife “I am either going to curl up in a ball on the floor, or pee my pants when I get up there.” She assured me I would be fine, just to relax and have fun. Have fun, HAVE FUN. Really, I am about to loose all control of my bodily functions and this is fun. My wife knew I needed to keep my mind off things and she was doing her best to do just that. She walked me up, helped me set up the computer and then took a seat in the crowd. OK buddy, now is do or die, or pee.

I was so nervous I could barely get the mic on me, and when I was asked to speak so they could check the sound levels I froze. I had been practicing in my head and out loud all week how my talk would go, but I didn’t practice the sound check. I stood looking at the mic and sound guys like an idiot. “Say Mary had a little lamb, just talk” the mic guy said. The sound guy looked impatiently at me like oh great we got a pee-er. I finally choked out Mary had a little lamb and got the mic placed properly. I was introduced, and left to begin. I would like to say I had a sudden rush of calmness, and everything was cake after that. I can’t. My body was on high alert and my mouth just decided to start running.

I talked through the first introductory slide and got some laughs out of the crowd, and then moved to the next slide. Some people say imagine the people in the room in their underwear, or find a place along the back wall you can look to make it appear like you are making eye contact. I did neither of those. I looked directly into people’s eye, and not just people I knew. “What in the world are you doing” i thought “this isn’t how you are supposed to do things, are you nuts!” The funny thing is, some part of my brain just took over and made my mouth move and apparently kept the fear inside. Another part of my brain kept a firm hold on my bladder, a very very firm hold. I think, besides my wife, the thing that saved me the most was I spoke about something I enjoyed.

I am happy to say I did not pee my pants or curl up in a ball on the floor, and in the end I realized I had fun. I may be a little less nervous next time, and each time after that, but I want to have the experience again.

2010
04.21

The Recap

While replacing screens ripped by a dogs’ toenails, it was discovered that someone had attempted to remove the screens from windows to gain entry to a residence.

The Lesson

My dog has a bad habit of running up to the windows and pawing at the screens when someone even casually passes by outside on the sidewalk. Several of our windows needed to have the screens replaced before we began to open up the house as spring is fast approaching. While pulling the screens out of the windows my wife noticed that the pins holding the screens in place had all been pulled down. This meant the screens could be removed and a person could then attempt to open, and climb through, a window that was unlocked. Anyone who has been locked out of a house with first floor windows knows this trick all to well.

Physical security is important, but the lesson here is something different. Windows, whether in a car or a house, provide a way for someone to look in and see what valuables we may have. They also are a very easy point of entry when someone wants to break in. Public facing websites can also be a wealth of information for online intruders to find an organizations valuables. As a business you need to put information in a public forum about what you are selling, what value you can provide clients. Sometimes this involves divulging your inventory, or explaining what type of data you manage. So hiding all the goods from a potential attacker would hurt your business. The question is, are you giving away information that doesn’t belong out on the web.

There are many stories in the news where private documents were stolen using a search engine and the correct search terms. In addition to sensitive documents, websites can leak information about the internal network architecture and internal user names. With these pieces in the (im)proper hands, all it could take is a person with time to breach your systems. It is important that we don’t just say “I didn’t put it on the website so we are ok”, we need to verify exactly what is being exposed.  Knowing the windows into our organizations are a very weak barrier, we need to be more careful about what can be seen through them.

2010
04.12

Evacuation

It is always interesting when you work on small clients because all the functions are packed into a small space. I was working on a small village where the fire station, police station, and village hall all were sharing a somewhat small building. After a morning of reading minutes from meetings and footing some reports I walked out to my car to have my lunch. I wasn’t outside more than ten minutes when I noticed everyone from the building was coming out the back door. Curious, I set down my sandwich and walked over to my co-workers to ask what was happening. Another 40 minutes passed with people sitting outside when the police chief came out and told us we could return to the offices.

Someone asked the chief what happened, why did they feel itchy. The chief chuckled and proceeded to tell the story. Apparently the village drunk came in to complain about being harassed by his neighbors dog. When the man felt the police weren’t being attentive enough to his plight he attempted to climb over the counter. The dispatcher and two officers behind the counter reacting quickly each hit the man with a full can of pepper spray, which then got pumped into all the rooms of the building through the ventilation system. The chief then looked at us auditor’s and said “You all wanna try my patience” and burst out laughing.

Can You Believe?

During an audit of a school district I discovered that the records for the high school lunch room were short by roughly $1,000 over the course of a year. By law, schools can not allow a student to go without lunch. Usually schools implement some type of tracking process to ensure students who forget their lunch or lunch money pay it back before grades are released. The problem was the process had broken down and the amount deposited, plus what was in the  drawers was less than what the register tapes said was sold. I spent well over a week working with the treasurer and the lunchroom staff to validate the amounts and communicate where things went wrong. In the end the lunchroom supervisor had to pay the school back the money.

A few months later I was auditing the library in the same city as the school. This was a first year client for me, but the pre-audit meeting went well. As I was walking out of the office the treasurer said “can you believe what happened to the lunch lady as she was retiring, some auditor made her pay money back to the school.” I looked at the treasurer and said “that auditor was me.” The look of shock took a while to wear off, but eventually she attempted to chuckle and said “oh my, well then.” Needless to say all her records were in good order, and I finished the audit in near record time.

2010
04.07

The Recap

A man was driving with a chair on the top of his car, and kept stopping as the chair would fall off. Police stopped the driver and advised him to leave the chair and return with a different vehicle.

The Lesson

The first thought that came to mind was “You’re doing it wrong!” I think we all have been in this position before. You have a tool you think can do the job, and because of the investment you have made you don’t want to try a different tool. After taking the time to develop or acquire the tools you need to address some threat, admitting maybe you need something different is difficult. This doesn’t mean you need to scrap what you have, you just need to expand the tool set to address new and changing threats. The problem security professionals face comes down to budgets and buy in. Limited budgets means you need to make the case to bring in a new technology or tool and when it doesn’t perform as expected, or a new threat arises we feel we need to make what we have work. No one wants to have to go back and ask for more funding and answer the question of why didn’t you fix this with your previous acquisition.

We need to make sure we communicate not only the importance of adding new technologies or tools to our defensive posture, but also the need to continue to monitor new threats that circumvent those technologies we have. Just because the mans car couldn’t transport the chair from point A to point B doesn’t mean the car still doesn’t serve a purpose. The car will still get the man where he needs to go, he just needs to use specialized vehicles when he transports items larger than his cars capacity. With each new threat make sure you have the right tools, and when appropriate make sure you communicate why certain threats require special tools not already in your arsenal.

2010
04.02

When you think about auditing, what do you imagine. Probably someone sitting at a desk pouring over documents or in some office grilling a poor client with question after question. In all you probably find the idea of auditing boring. It isn’t always the process that provides good stories, sometimes it is what happens when you interact with your clients environment that makes for interesting “audit” stories.

“I Need Scissors. NOW!”

As a newer auditor it was known amongst managers that I was the “cheapy”, meaning if your project looked like it might go over budget you could bring me in to get more hours for less cost. So I found myself heading to a small school district for a few weeks to do those tasks a cheapy can do with little supervision (I won’t bore you with details here). Walking into the building I was to report to, I was greeted by the treasurer and superintendent of the district. They led me through the gym, and up a set of stairs to the “backstage” area. My co-workers greeted me and got me settled. The first two weeks went on without incident, boring auditing as usual.

I must step back and let you know that the elementary school and the administration building were only separated by a playground/parking lot. The kids walked to the admin building each day for lunch and gym. Now lets move on. Monday of the third week had just come to an end as I walked out to my car. When I turned the key in the ignition, nothing happened. I wasn’t too concerned because a few weeks before I had come back from my honeymoon and my car had sat in the snow. This caused water to build up in the fuel line, and a little dry gas did the trick to make it start. I got out of the car and walked around to the trunk to get a container of dry gas so I could fix the problem.

It became obvious why my car wouldn’t start, something was stuck in the exhaust pipe. I walked back into our work area very flustered and shouted “I need scissors, NOW!” Someone handed me a pair of scissors as I ran back out the door. After digging out what looked like a ball of ice, I found an orange very neatly stuffed in the exhaust. With the orange in hand I calmly walked back into my co-workers and laid the orange and scissors down on the table. My co-workers looked at me for a few minutes and then burst out laughing. “Looks like we have a little prankster” said my in-charge.

The next day I found myself in the superintendent’s office, something only five years before I would have been frightened by, discussing the “incident”. By now I had calmed down and found the humor in the situation, and had earlier discouraged my in-charge from reporting this to the client. The superintendent was a good humored person and assured me he knew who it was, but without any witnesses probably couldn’t do anything. I suppose we all know who the prankster is in our lives, and we design our controls around them. Of course only after we have been a victim to their fun.