Showing posts with label IT SECURITY. Show all posts
Tuesday, April 28, 2009
I'm Stealing A Laptop Today!
Don't get excited. I haven't gone over to the Dark Side.
Yet.
Besides, it's my own laptop. That is, it's the laptop my employer has issued to me. And I'm not taking it home in my lunch box. This time.
I'm stealing it virtually!
You see, nobody steals laptops for the hardware anymore. It's all about the data. With the right access level, laptops, or any computer, can be stolen without ever busting a lock or leaving a fingerprint.
All with free tools easily available over the Internet. I'm not talking about "hacking tools" - you have to be brave to use that crap these days because you never know what might be hiding in them - I'm talking about legitimate software distributed by legitimate companies. In this case, VMware.
VMware distributes a nice little tool called the VMware vCenter Converter which allows you, among other things, to turn a real nuts and bolts box into a virtual machine.
Which is exactly what I'm doing now. As I type this, the bits and bytes of the hard disk in my laptop are flying over the Internet to a VMware server in my family room. When it's all over I will have an exact copy of my laptop, minus the hardware of course.
This is really No Big Deal. Anyone with the right amount of access can do this surreptitiously in your IT environment, cut the image to a USB thumb drive and take it home to hack at their leisure. Or sell to the highest bidder.
The trick is in doing it over the Internet. If I had a 32G USB drive I'd probably do it that way, but I don't. What I do have is a cable modem and three covert channels back to the office.
Plus an aging Linux box that I talked a former Boss into letting me install on the corporate network over eight years ago. If I had my way, Linux would only be allowed under the strictest security policy possible - it's just too damned powerful for mere mortals.
The biggest problem to overcome is establishing a common network share for the corporate and VMware boxes. That is accomplished with OpenVPN, the BEST damned Open Source SSL VPN on the planet.
That is covert channel #1. Channels 2 and 3 are port-forwarding SSH tunnels that connect back to HinkyNet over the corporate proxy. One of the SSH channels is established with a Cygwin service running on my corp workstation. The other is a bash script on a Debian VM that runs on the VMware GSX server on my workstation. All three will reconnect if the workstation is bounced and there is enough redundancy so that if any two of them go down the third can be used to bring the other two back up.
In practice, OpenVPN is the hardest to keep running, but that is due to the security limitations in our environment (many of which are of my own doing).
And because of that issue, I'm on my second attempt at this Proof of Concept exercise. I started yesterday and got 15 gigs downloaded before the OpenVPN connection crashed at 5AM this morning. I can also do this just as easily over SSH tunnels, but that would require using the VMware 2.0 server on my MythTV box, which currently has too much disk space dedicated to unwatched recordings of "Terminator" and "Life on Mars"!
The first time through is always a learning experience.
But the point remains: given enough time and enough access and the right tools, an insider can walk away with your company's entire IT infrastructure. I'm already looking into what can be done about this with the tools our company already has (like everyone else in this economy we're not spending cash we don't have). VMware and virtualization in general are so hot, no one is looking into the security implications these tools bring with them.
Or at least they're not publishing.
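An added example, not part of the original post, on the defensive side of what the post describes. Every one of the covert channels above rides through the corporate proxy as an HTTP CONNECT tunnel, and a P2V image of a laptop is tens of gigabytes, so the proxy log already holds the evidence: CONNECT sessions that stay open for hours, move gigabytes, and get re-established to the same external host the moment they drop (the reconnect logic the post brags about). The script below parses Squid-style access.log lines and flags those three patterns. The log lines are constructed for illustration (the hostname hinkynet.example.net is invented), and the thresholds are assumptions to tune against your own traffic, not policy.

```python
"""Flag long-lived, high-volume or auto-reconnecting CONNECT tunnels in a
Squid-style proxy log.

Added example, not code from the original post. SAMPLE_LOG is constructed;
field order follows Squid's default "native" access.log format:
time elapsed_ms client action/code bytes method URL user hierarchy/peer type.
Thresholds below are assumptions, not policy.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: workstation 10.1.2.3 holds a CONNECT tunnel to one
# external host for 12 h, moves 15 GiB, drops, and reconnects within seconds.
# 10.1.2.4 is ordinary browsing for contrast.
SAMPLE_LOG = """\
1240900000.000   1200 10.1.2.3 TCP_TUNNEL/200 52100 CONNECT mail.example.com:443 jdoe HIER_DIRECT/198.51.100.5 -
1240900100.000 43200000 10.1.2.3 TCP_TUNNEL/200 16106127360 CONNECT hinkynet.example.net:443 jdoe HIER_DIRECT/203.0.113.10 -
1240943300.000 30000000 10.1.2.3 TCP_TUNNEL/200 9663676416 CONNECT hinkynet.example.net:443 jdoe HIER_DIRECT/203.0.113.10 -
1240973400.000  5000000 10.1.2.3 TCP_TUNNEL/200 1073741824 CONNECT hinkynet.example.net:443 jdoe HIER_DIRECT/203.0.113.10 -
1240900200.000    900 10.1.2.4 TCP_MISS/200 8123 GET http://www.example.org/ asmith HIER_DIRECT/192.0.2.7 text/html
1240900300.000   3000 10.1.2.4 TCP_TUNNEL/200 204800 CONNECT bank.example.com:443 asmith HIER_DIRECT/198.51.100.9 -
"""

MAX_TUNNEL_SECONDS = 4 * 3600   # assumption: no legitimate CONNECT lives > 4 h
MAX_TUNNEL_BYTES = 1 << 30      # assumption: > 1 GiB through one CONNECT is odd
RECONNECT_GAP_SECONDS = 120     # new tunnel to same host within 2 min of the last one ending
MIN_RECONNECTS = 2              # how many such back-to-back re-establishments to flag


@dataclass
class Tunnel:
    start: float    # epoch seconds when the CONNECT was accepted
    seconds: float  # elapsed time, converted from Squid's milliseconds
    client: str
    dest: str       # host:port from the CONNECT request line
    user: str
    bytes_: int     # bytes the proxy sent to the client for this request

    @property
    def end(self) -> float:
        return self.start + self.seconds


def parse_squid(text):
    """Return the CONNECT requests in a Squid native-format log as Tunnel objects."""
    tunnels = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10 or f[5] != "CONNECT":
            continue  # skip blank or malformed lines and plain GET/POST traffic
        tunnels.append(Tunnel(start=float(f[0]), seconds=int(f[1]) / 1000.0,
                              client=f[2], dest=f[6], user=f[7], bytes_=int(f[4])))
    return tunnels


def find_suspect_tunnels(tunnels):
    """Return (kind, client, dest, value) findings for the three patterns."""
    findings = []
    by_pair = defaultdict(list)
    for t in tunnels:
        if t.seconds > MAX_TUNNEL_SECONDS:
            findings.append(("long_tunnel", t.client, t.dest, round(t.seconds)))
        if t.bytes_ > MAX_TUNNEL_BYTES:
            findings.append(("high_volume", t.client, t.dest, t.bytes_))
        by_pair[(t.client, t.dest)].append(t)
    # A reconnect loop shows up as tunnel N+1 to the same host opening right
    # after tunnel N closes, repeatedly.
    for (client, dest), ts in by_pair.items():
        ts.sort(key=lambda t: t.start)
        reconnects = sum(1 for a, b in zip(ts, ts[1:])
                         if 0 <= b.start - a.end <= RECONNECT_GAP_SECONDS)
        if reconnects >= MIN_RECONNECTS:
            findings.append(("reconnect_loop", client, dest, reconnects))
    return findings


if __name__ == "__main__":
    for kind, client, dest, value in find_suspect_tunnels(parse_squid(SAMPLE_LOG)):
        print(f"{kind:15} {client:12} {dest:30} {value}")
```

Run against a real access.log instead of SAMPLE_LOG and expect to tune all three thresholds: long-polling and WebSocket traffic produces legitimate multi-hour CONNECTs, so the strongest signal is the combination of duration, volume and immediate re-establishment to one destination rather than any single one. The check says nothing about OpenVPN over UDP, which never touches the proxy; that one belongs in the firewall's egress rules and logs.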
Sunday, December 07, 2008
HINKY LINKS
Hopefully this means I won't bore you to death with this security crap anymore.
Any more than I have to. lol
Anyway, it's not as brutal on the eyes as this black background theme (most security wonks use the same theme on BlogSpot - a very curious phenom) and since it's primarily cut-and-paste the upkeep should be simple (famous last words).
But I am good at this, and even though it's not quite as fresh as it could be at the moment, I get content coming into my gmail account constantly. If you were a coworker, Hinky Links is exactly what you'd see at my work blog.
Wednesday, November 26, 2008
Lean Sock Puppets
sock puppet (noun) : a name or identity used online to deceive others and that is often used to direct praise or attention to oneself. (From Merriam-Webster's Open Dictionary)
Anyone who has spent any hard time in a corporation or bureaucracy knows that there are certain management fads that make the rounds. There is no escape. It's going to happen and it usually happens for a reason.
For our previous CIO, whose job it was to reorganize the IT department it was Who Moved My Cheese.
Back then, if you were a middle manager and didn't have a copy of the book prominently displayed somewhere in your loser cruiser or on your desktop, you could end up being branded as some sort of corporate insurgent. It was everywhere. The most faithful always carried a copy with them to meetings to spread the faith whether they believed it (or read it) or not.
The latest CIO is proselytizing The 7 Habits of Highly Effective People.
Ugh. Not again. The less said about that nonsense, the better. That crap has been making the rounds for almost twenty years now.
But this isn't about cheese or habits or CIOs. It's about IT Security and the CSO.
A few months back, the CSO sent us this link (don't bother reading it, it is crap) to an article on "Lean Security" and noted we would be hearing more about it in the months to come.
Uh-oh. In my mind that meant "here come the budget cuts, kiddies!"
I dutifully read the article and before going beyond the second paragraph I got an eerie feeling of déjà vu.
I knew I had read it before, but something was different. The subject had come up in the late 90s, but back then it was "Lean IT". As I read on I became convinced that the author had simply recycled the "Lean IT" article by searching for "IT" and replacing it with "Security".
It was an astounding epiphany. "What now?" I asked myself. Was this going to be the Next Big Thing industry-wide? In order to answer that I created - what else? - a Google News Alert for "Lean Security".
There were very few hits over the next few months, and nearly all of them pointed back to the same article the CSO had provided a link to. That settled the "industry-wide" question in my own mind. There was no buzz. Anywhere.
The CSO never mentioned it again.
This brings us to the sock puppets. It turns out there's a Lean Enterprise Institute. They've been responsible for distributing this crud for over 11 years. It figures. They even have a Lean Forum, and that's where my most recent Google Alert came from. It pointed to this thread, which goes like this:
Sock Puppet #1: I've read several articles of applying LEAN principles to security operations. Can anyone suggest additional readings? Just a really interesting concept for me. Thanks!
Sock Puppet #2: It makes sense. Security is just another process, with a specified outcome.
Sock Puppet #3: I'd be happy to discuss this topic with you. I have co-authored the original article on applying lean principles to security and will continue a series of columns in Security Technology & Design Magazine for the next 10 months.
Oh, brother. Nothing stands out like a self-serving clusterfuck.
Labels: clusterfuck, CRAP, IT SECURITY, lean sock puppets, www.lean.org