Posts Tagged ‘twitter’

understanding your auditor

Tuesday, August 2nd, 2011

One thing that seemed to be universal amongst my colleagues is that they all hate being audited. Since I used to be an auditor (please don’t hold it against me), I was thinking of writing a blog post on understanding and surviving an infosec audit. First though I decided to take a quick poll – I turned to securitytwits and asked people what they thought of audits. Although I only got five responses, the results were very surprising (to me at least):

  • 2 people thought of audits as positive even if they can be annoying. (One compared it to a doctor’s visit).
  • 2 people thought auditors could be positive because they could help bring attention to issues which are being ignored by management.
  • Only 1 person had a negative comment, saying auditors were a waste of money.

I had expected the results to skew entirely the other way, so maybe an auditor field guide isn’t as necessary as I thought. I will however throw out two random thoughts.

  1. Auditors are interested in what is measurable, not necessarily in what is meaningful (to you).
  2. While you may not like them, management usually has to listen to auditors. You can complain all you want, but ultimately you have to pass the audit, so you might as well stop complaining and focus on passing.

I’m a twit

Tuesday, October 12th, 2010

I finally fell for the twitter hype and have been on twitter for a few months now. I still do NOT like the 140 byte limit – the world is complex and complex ideas need more than 140 bytes. That being said I do like the running conversation and the way in which anyone can contribute and respond to anyone, so you can chalk me up as a reluctant convert. You can follow me @angelofsecurity.

Twitter’s DNS servers hacked

Friday, December 18th, 2009

According to a series of news accounts today, it looks like twitter was either hacked or not hacked, depending on who you listen to. The bottom line seems to be that Twitter’s DNS servers were hijacked. How this was done has not been revealed. Twitter seems to be dodging the brunt of the blame because their provider runs their DNS servers. (Confirmed by a quick nslookup below). While this may be true, that only reflects how twitter should react internally. The risk to twitter’s users is still the same. If the hackers had wanted to do damage instead of showing off by putting up a “look at me I’m so cool” type of page, then they would have forwarded users to a phishing page that intercepted authentication credentials. (While this has fairly trivial implications for twitter, imagine if they did this for a bank).

C:\>nslookup

> set type=ns
> twitter.com
Server:  UnKnown
Address:  x.x.x.x

(root)
primary name server = trafficdns1.ddc.com
responsible mail addr = hostmaster.jettissystems.com
serial  = 2009072301
refresh = 43200 (12 hours)
retry   = 3600 (1 hour)
expire  = 1209600 (14 days)
default TTL = 3600 (1 hour)

Update: more details on the DNS records can be found at SANS’ incident handler diary.
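
The manual nslookup check above can be turned into a repeatable one. The following is an added example, not part of the original post: it parses an SOA answer in the format shown and reports any difference from a recorded baseline in the fields that say who runs the zone. The function names, the baseline approach and the changed name server `ns1.example.net` are assumptions made for illustration.

```python
import re

# Constructed sample: the SOA answer from the post, as nslookup printed it.
SAMPLE = """\
(root)
primary name server = trafficdns1.ddc.com
responsible mail addr = hostmaster.jettissystems.com
serial  = 2009072301
refresh = 43200 (12 hours)
retry   = 3600 (1 hour)
expire  = 1209600 (14 days)
default TTL = 3600 (1 hour)
"""

FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*=\s*(\S+)")
# Fields that identify who controls the zone; a change here needs a human.
IDENTITY = ("primary name server", "responsible mail addr")


def parse_soa(text):
    """Return the 'name = value' fields of an nslookup SOA answer as a dict."""
    soa = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            # DNS names are case-insensitive and may carry a trailing dot.
            soa[m.group(1).lower()] = m.group(2).lower().rstrip(".")
    return soa


def soa_drift(baseline, observed):
    """List differences between a recorded baseline and a fresh answer."""
    findings = []
    for key in IDENTITY:
        if baseline.get(key) != observed.get(key):
            findings.append(f"{key}: {baseline.get(key)} -> {observed.get(key)}")
    # A new serial means the zone was edited; it should match a change record.
    if baseline.get("serial") != observed.get("serial"):
        findings.append(f"serial: {baseline.get('serial')} -> {observed.get('serial')}")
    return findings


if __name__ == "__main__":
    baseline = parse_soa(SAMPLE)
    observed = parse_soa(SAMPLE.replace("trafficdns1.ddc.com", "ns1.example.net"))
    for finding in soa_drift(baseline, observed):
        print("ALERT", finding)
```

A missing answer is reported as drift too, since every baseline field then compares against nothing.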

 