Archive for the ‘What doesn’t work’ Category

Almost one week after the hurricane Sandy disaster and this is the scene within at least a 50 mile radius north of Manhattan.  New Jersey which was hit harder is probably much worse considering gas rationing is now in effect.

December 2007 Posting

On December 19th, of 2007 InfoSecAlways posted a blog article on Disaster Recovery Alternate Site Distances.   In that posting was sited the recommended distance in preparing for a hurricane.  The external study suggested an 85 mile radius.  InfoSecAlways suggested increasing that distance to 210 miles.  If Sandy was only a category 1 hurricane and the Tri-state area is affected as far north as Bridgeport CT the 85 mile is absolutely not acceptable.  Even gas is hard to get within that 85 mile radius.

One item that was not discussed in the previous blog article was gasoline.  For the past 4 days now this is the same picture everywhere at least 50 miles north of Manhattan.  This station in particular has had a gas tank delivery every day for the past 3 days.  Each night the station runs out of gas late in the evening.  In New Jersey and Staten Island there are stories about gas being siphoned from tanks and generators being stolen.  The situation appears to get worse daily and the lines even longer.

A gasoline crisis affects both individuals and corporations.  Employees will not show up to work out of fear of theft or running out of gas.  This is especially true if they have power issues that require a generator.  Individuals will be forced to deal with personal items and work becomes secondary.   If a business operates as a supply chain, taxi, or delivery organization, which is dependent on transportation, it may be very difficult to operate due to lack of gas or increased traffic as a result of lines.

What to do?

Unfortunately gas is an absolute requirement for both individuals and corporations to operate effectively.  Individuals should know several different items that can help in the event of a disaster.

Siphoning gas is difficult on most new cars.  These cars contain a siphon screen that prevents hoses from going into the tank.  In dire situations removing the fuel filter allows access to the gas.  Remember lawn mowers and other house hold items may have gas if needed.

Generators and gas tanks will get stolen.  Staying is a disaster zone is not recommended even within a few days after the disaster.  Wait at the alternate location for several days until power is restored, supply chains can provide food, and any other immediate crisis has been resolved.

On the other hand corporations will need to provide an alternate means of connectivity for office and technology based jobs.  Use a good mobile provider that can bring a generator to the corporate office or enable the business to connect at a remote location.  Organizations like Agility Recovery are experts at providing these services and other mobile solutions.

Corporations that require gasoline to operate the business should have conducted the proper analysis and considered the supply of gasoline a mission critical process.  As a result these businesses must purchase a series of large tanks and should consider owning their own gas stations with back up supply chains in place.  These gas supply tanks and stations must be protected with the proper physical security mechanisms such as anti-siphon devices on tanks and secure fencing perimeters around the gas stations.

Recommended Distance

Gas is a critical resource and the effects during a hurricane can be substantial since it is required for heat, food, transportation, and much more.  Based on hurricane Sandy the distance required to provide a solid gasoline supply chain is around a 100 mile radius from the center point of the storm.  Both employees and corporations need to consider the type of disaster and its radius.  The radius should be considered for all resources and the supply chain for those resources.  Otherwise things may come to a halt when there is no gas left to buy at the station.


Who are you, Where are you, What are your habits?  It’s no secret these days that your entire life is tracked one way or another, especially if you live in the US.  Your bank knows how much you pay for electricity, what foods you eat, and where you buy gas.  The search engines and social media sites know what you are looking for, what you like, and what your friends like.  And if you were not aware, those photos posted all over the internet provide detail about where you are at a particular time.

Forensic evidence analysis of logs and metadata provide the authorities and criminals everything they need to know.  Look at the CBS local news article from earlier this year that is linked below.  It explains how a suspected member of Anonymous sent a photo to the FBI, which ultimately led to an arrest.

What about your kid’s photos?  Look at this example posted by the FBI in 2011.

Masquerading IP addresses, eliminating log traces, scrubbing tags, and hiding metadata, these are all key skills every hacker or concerned parent must understand.  These skills are not new to those in the hacker community. EXIF news postings have been around for years, however with all the new avenues of media and mobile devices anyone can be caught off guard.  Therefore, caution leaving unknown tracks and understand what your kids may be posting online.

In terms of EXIF there are tools such as Pixelgarde that can change or remove geo tags on your Android and IOS devices.

Also most mobile phones have features to disable the GPS tracking, but sometimes these features are also used for tracking stolen devices.

On strategic risk assessments not testing the anti-virus signatures before being deployed should be considered a vulnerability.  Many of my customers believe this is ridiculous and not practical, however I report it anyway.   Whatever the case, the organization has the decision to accept the risk, as I am only there to point it out.  There is a great example published where a routine update caused serious problems forcing customers to have to re-install the operating system.;_ylt=AhIN_X.SMrgYGlzdK7zmNe8E1vAI

So you decide.  Should Anti-virus software be tested before deployment.

The other day I performed an external penetration test and obtained access using a default password (which is common) that was not changed.  Afterwards I began looking up statistics on passwords and here is one of the links that was listed on a regular Google search.

Amazing that someone would to this day post such information out on a public website.  Nice to know if this was my next external penetration target.  Wait it gets better!  Looking at the URL it was only obvious there had to be more so instead of going to the /pwc directory I modified the URL to go back one, which led me to these:

Thanks Ken for showing us all a perfect example of “What NOT to Do”! I especially enjoy the mention of the following:

  • Home directories /rc, /cg, /mailer

  • The mail server statistics that show me what appear to be system names and the number of entries in the etc/passwd file.

  • The large directory listing with a plethora of information

  • The nice picture of your license

  • A password hash U:4001     A:2B314469   N:noyd       P:MWlJQdaJvoxaE    G:15       C:6



So why did I post this?

Two reasons.  One, I have a blog. Two because sometimes the best lesson you can learn is by seeing the mistakes of others.  Of course I plan to send an email to Ken and show him this blog entry.  If there is any follow-up to the story I will post another message.

Broken Links

Posted: July 26, 2007 in What doesn't work

Please at any time why’ll browsing this blog you notice a link is not working leave a comment or send an email.  Yesterday I noticed the policy whitepaper link is not working at Foundstone.  I am currently working with McAfee to try and figure out where the document moved or to get it uploaded back on the site.  My apologies, but in the future if you notice a problem with a link please point it out and I will update the site ASAP.  There is nothing more frustrating than broken links on a user’s website or blog.

It’s amazing that after so many disasters and crisis in NYC that the MTA (Metropolitan Transportation Authority) still can’t seem to get it correct.  The link below has a summary of the disaster scenario

NYC Steam Blast Explosion  

Anyway, so NYC is falling apart and all the people that live in Connecticut and upstate New York require transportation out of the city.  Usually the commuters take the Metro North trains.  Unfortunately the explosion is located outside of Grand Central Station where the Metro North trains depart NYC, so access to trains is limited.


More than 45 minutes after the disaster occurred MTA still did not have its continuity plan in full action.  If you dialed the MTA-Info number listed on their web site you would be out of luck.  Response – All lines are busy.  The website did not have a service alert message for commuters. 

Ok phones out of service expected, except that only MTA’s phones are the issue.  Next step call 311, (NYC information hotline) maybe the NYC main government information center can help figure out how to get out of the City.  311 staff didn’t know the status of the MTA trains.  311 staff also couldn’t contact MTA because phones were still out of service at MTA.  Out on the street it was worse.  The police were controlling the area, so they were the only government staff that a person could ask a question.  The answer the police responded with was “you have to wait around”. 

I can’t recall if it was the news or 311 that mentioned going to 125th street, which is one of the locations that the Metro North trains pass while going up north.  Only problem is that train stops were not modified so it was pretty sad to say that many commuters watched trains drive right past.


This is basic, but many companies fail at crisis management, business continuity, and disaster recovery for some of the simplest items, like phone hotlines.  MTA needs to update their current plan to include:

Phone hotline that gets immediately updated with current crisis status and directions for customers (This should not be the normal MTA line it should be a crisis information hotline, or utilize the current 311 system more effectively.).

Faster update of the website for emergency situations.

Identify key contacts to improve downstream communications to the police on the street.

Re-evaluate train stops by communicating with the employees in the field to identify over capacity issues at particular stops, such as the 125 street location.

Good Practice

What did MTA do right?  They finally got the information out to the news channels and on the website, but I’m sure it was hard for people standing on the street to get the information.

More on Emergency Management and Business Continuity

FEMA has a great deal of information on Emergency Management

DRJ has a good deal of information on business continuity and disaster recovery

I could not help reading the Security 2.0 posts by Mark Curphey and I especially liked the Business Activity Monitoring discussion.  However, I see 2 major enemies that cause us pain every day and put organizations at great risk.  In my mind neither of these has been addressed properly.  


Enemy #1: Many internal penetration tests obtain the admin or root access by guessing passwords. 

Enemy #2: What do I say? Unpatched systems are an initial point of entry for many attacks both internally and externally.  Tools like Metasploit make it even easier.


Of course I’m not throwing out statistics, but I see first hand the results weekly.   One can only hope that the Security 2.0 solution addresses the problems with passwords and patches.