Data Loss Prevention has been a hot topic as of late.

In the past I always believed that DLP was only effective where you had a data labeling program. Otherwise it's just another product that doesn't work well when you can't answer where the important information is. Over time, I also became more concerned with throwing tech solutions at a people problem. With that view, and no one asking for it, DLP never made it onto the priority list.

I've seen point solutions such as email gateways that look for credit card numbers. And they find numbers everywhere they look. And that is when you're looking for something specific, something that can even be verified (Luhn). How will it deal with other data? Can DLP occur at all without management buy-in?
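As an added illustration of the Luhn point above (example code, not the author's), this is the check that separates digit runs that merely look like a card number from ones that could actually be one; the sample message is constructed.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_candidates(text: str):
    """Return (all digit runs that look like a card, the subset that pass Luhn)."""
    raw, verified = [], []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        raw.append(digits)
        if luhn_valid(digits):
            verified.append(digits)
    return raw, verified


# Constructed sample message: one well-known test card number and three
# innocent numbers (an invoice id, a tracking number, a serial number).
SAMPLE = """\
Invoice 20230815000123 has shipped.
Tracking: 1Z 9999 9999 9999 9999 -- wait, call 4111-1111-1111-1111 for help.
Serial no. 1234567890123 attached.
"""

if __name__ == "__main__":
    raw, ok = find_card_candidates(SAMPLE)
    print(f"{len(raw)} card-like numbers, {len(ok)} pass Luhn: {ok}")
```

A naive digit-run rule flags all four numbers; the checksum leaves only the real candidate, which is the difference between an alert queue someone reads and one nobody does.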

There are some interesting possibilities.  Perhaps you have a particular webserver and nothing from that server should go out.  Perhaps you have templates.   And while the content might change somewhat, the DLP sees enough similarity to match.

A good DLP solution also allows enough flexibility in warning, quarantining (with release a possibility), and blocking.



It's been fun, and I hope that I've helped or informed in some small way these many years. But it's become clear that work policies and vendor sensitivities don't allow for the type of blogging that I'd like to do. Stay safe out there.

The Case of the Mixed Content

Recently a problem came up with some required training hosted on our Learning Management System. Users would receive a warning "Only Secure Content is Displayed". While users could click 'show content' they received an error message 'unable to connect to LMS'. They could watch the training video still, but were not shown as completing the assignment in the LMS.

Mixed content refers to websites that contain some elements in HTTPS and other elements in HTTP. An attacker could replace elements presented in HTTP, compromising the security of your computer and your access to the "secure" website. Microsoft has an extensive writeup on IE9 and mixed content here. You would expect that upon clicking 'show all content' the LMS presentation would work correctly. But in this case the reload of the page to add the insecure content appears to have broken some sort of connection, probably authentication.

To troubleshoot this issue, I installed Fiddler, and enabled SSL decryption. I then recorded traffic while reproducing the issue. I was able to quickly determine that the HTTP content was a call to Google Fonts. I then searched the Fiddler logs to determine which file included code with this call. The change was tested and implemented with no further issues. Microsoft summarizes the steps in this article. To that I would add you need to enable SSL decryption in Fiddler, and may need to install a plugin to decompress content.
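As an added example (not the author's code or the LMS vendor's), a small parser that does offline what the Fiddler search above did by hand: it reports every http:// sub-resource in a saved page, including Google Fonts references hidden in inline CSS. The sample page is constructed.

```python
import re
from html.parser import HTMLParser

FETCH_ATTRS = {"src", "href", "data"}          # attributes the browser fetches
IGNORED_TAGS = {"a", "area", "base", "form"}   # navigation, not sub-resources
CSS_URL_RE = re.compile(r"""url\(\s*['"]?(http://[^'")\s]+)""", re.I)
CSS_IMPORT_RE = re.compile(r"""@import\s+['"](http://[^'"]+)""", re.I)

class MixedContentFinder(HTMLParser):
    """Collect every http:// sub-resource reference in an HTML document."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (line number, tag, url)
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        if tag in IGNORED_TAGS:
            return
        line, _ = self.getpos()
        for name, value in attrs:
            if name in FETCH_ATTRS and value and value.lower().startswith("http://"):
                self.findings.append((line, tag, value))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # Inline CSS can pull fonts or images over HTTP via url() or @import.
        if self._in_style:
            line, _ = self.getpos()
            for rx in (CSS_URL_RE, CSS_IMPORT_RE):
                self.findings += [(line, "style", u) for u in rx.findall(data)]

def find_mixed_content(html: str):
    parser = MixedContentFinder()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: an insecure stylesheet link and an insecure @import, plus references that must not be flagged.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="https://lms.example.test/css/main.css">
<link rel="stylesheet" href="http://fonts.googleapis.com/css?family=Open+Sans">
<style>@import "http://fonts.googleapis.com/css?family=Lato";</style>
</head><body><a href="http://www.example.test/help">Help</a>
<script src="https://lms.example.test/js/player.js"></script>
</body></html>"""
```

Run it over each file the LMS serves (templates, course packages, theme CSS) and the line numbers point at the exact reference to change to https:// or a scheme-relative URL.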

Be careful little hands what you type

see update at bottom of story

A story today in The Atlantic Wire tells the story of a couple who searched wrong.   There is also a writeup from the wife about her husband’s experience.

They searched for backpacks and later searched for pressure cookers.   Obviously, this could only be the work of a terrorist cell.

The question that comes to mind first is how did the government know?  Google searches are generally SSL encrypted.   This would have to be access at the Google servers.

The next thing that comes to mind is who will make the first parody ad for a Google Search competitor. "Use Google, and get a visit from big brother."

After September 11th, people demanded to know why the intelligence community didn’t put the pieces together.   But this isn’t putting pieces together.   This is sifting everyone’s lives looking for evidence.  It reminds me of pre-Internet when the police might try to get access to library records because Lord knows reading Catcher in the Rye means you’re about to commit murder.


The Atlantic Wire uses a stock photo showing a SWAT team with a shield at the door of a house. This is irresponsible journalism. The write-up from the wife describes six men in casual clothing.


The Suffolk County PD has reportedly issued a press release.  This release is not currently on their website.  But a copy is posted at outsidethebeltway.com

Suffolk County Criminal Intelligence Detectives received a tip from a Bay Shore based computer company regarding suspicious computer searches conducted by a recently released employee. The former employee’s computer searches took place on this employee’s workplace computer. On that computer, the employee searched the terms “pressure cooker bombs” and “backpacks.”

So, that answers how the police became involved.  It wasn’t NSA intercepts.  The big brother here was the company IT guy.


Happy Blogaversary

On this date in 2004, I started this blog.

In some ways it was about playing with the technology, first MovableType and later WordPress. In other ways it's been a place to dump my brain with links I wanted to remember. It became a place to talk about my experiences. Other people's blogs and community posts have helped me out. If I can save someone else a few minutes, why not give back in that small way.

I don't know what the future will hold. Whether you're a regular reader or someone who drifted in on a bing/google search, thanks for the read.

All is quiet on the western front

It's been rather quiet on the blog for a while because of an unfortunate incident that occurred back in March.

I never really believed I was anonymous. After all, the domain was originally registered publicly rather than via a proxy, so it's a simple matter to get my name and address. Nevertheless it is a bit disconcerting when a big yellow vendor goes to the trouble of contacting your workplace lawyers over something you write. They felt that their product roadmap works best as a surprise to customers. So, lesson learned. Next time you're told it's ok to blog something, get it in writing if it's not already on the internet. What they don't realize is that I could write the same article without the information they provided and they look much worse.

The greater can of worms that was opened is the company social media policy, quietly enacted last November, which forbids me from talking about the work vendors do for us.   So we may just have cat pictures until I feel more comfortable giving my direct, unfiltered, caustic opinion.



Infosec Introverts

ComputerWorld’s Best Careers for the Introverted IT Pro article caught my eye.  Information Security Analyst is one of the suggested jobs.   Laurence Shatkin, author of 50 Best Jobs for Your Personality says, “This career is so focused on data and, to a lesser extent, on hardware that it offers many opportunities for solitary work.”

This is so opposite the mantra that I hear from people regarding infosec work, I thought it worth comment.

According to the Bureau of Labor Statistics, Information Security Analysts:

Plan, implement, upgrade, or monitor security measures for the protection of computer networks and information. May ensure appropriate security controls are in place that will safeguard digital files and vital electronic infrastructure. May respond to computer security breaches and viruses

Ok, nothing about chatting people up there.

But the Infosec Institute takes it further:

They are responsible for implementing any training required including instructing staff on proper security measures both in the office and online. The security analyst must work with business administrators as well as IT professionals in communicating flaws in security systems. They recommend changes that will improve every aspect of company security. The security analyst is also responsible for creating documentation to help the company in case there are any breaches.

It isn't enough that the Infosec Analyst needs to have knowledge of every aspect of Information Security within a company. They train people, notify of vulnerabilities, work with business units, and influence executives.

It simply isn't possible to be all things to all people. Often the people that are great at influencing don't have the same drive to stay current on the technology. But to say that Infosec Analyst is a great job for an introvert because you just deal with computers and data is dated. People are the layer 8 problem in security. You ignore that to the detriment of your information security program.

On the whole, I think that ComputerWorld has succeeded with link bait, but failed to make a great article.


The SANS blog post today about an AVG false positive in Windows XP reminded me that we’re just over a year away from XPiration.  (Think that will be a hashtag next year?).   So I’m getting an early start on the tech media flood of articles on the impending end of support for Windows XP.   On April 8th, 2014 you will no longer be able to get security updates from Microsoft.  On my network there are only a handful of XP machines left thanks to a successful Windows 7 migration.   Those machines should have forced retirement through lease expiration by that date.

I’m in a small to midsized environment, and I have the tools necessary to do my job.   Among the machines I control we have software inventory through SCCM.   Forescout provides OS identification for managed and unmanaged systems.   Because of this, I shouldn’t have any unknown systems popping up.

The retirement of Windows 95 wasn't so simple. It wasn't a retirement of 95 per se, and I don't remember if this was before or after the Windows 95 retirement date Dec 31, 2001. Rather we forced out Windows 9x by increasing the security requirements to a point where existing 9x clients didn't work. It turned out that the printer that cut checks was Windows 95. smh.