May 09 2008

Norton on my Tivo

Published by Martin under Malware, Security Advisories

I love my DirecTivo, my DirecTV receiver with the Tivo built in. Without it I couldn’t find the time to watch half the television shows I do, and I’d have to actually, you know, *watch* the commercials. The DirecTivo is about four years old and I’m dreading the day something in the box dies, which I know can’t be too far off.

One of the features of the DirecTivo is a little advertisement that’s part of the main screen, usually a 3-5 minute infomercial. I often ignore it, but last night something caught my eye; the headline for the advertisement read “Crucial Wifi Security tips”. This was definitely something I had to take a few moments to check out, otherwise what kind of security professional would I be.

It turns out that it’s an advertisement for Symantec Norton 2008, but I have to give the guys at Symantec some credit, it’s also a pretty good primer on the dangers of using wireless hotspots. The video quality isn’t the highest quality, but that may be intentional (or it may be a factor of budget). It starts off by giving some general advice about security, or lack thereof, at hotspots and explains in simple terms that the average user might not want to do any sensitive activities while using these hotspots.

I was impressed that Symantec decided to only explain two terms in the video and explained them in simple yet accurate language. The first term was ‘packet sniffing’ and the video explained in a few seconds how another curious patron or maybe a hacker could be sitting in the booth next to you capturing your passwords as they fly through the air. I immediately thought of Robert Graham and the grief he sometimes gives David Maynor concerning wireless.

The second term was ‘wi-phishing’. I’d never heard the term before, but I guess it’s easier to remember than man-in-the-middle or evil twin hotspot. The video explained that malicious attackers could set up hotspots that looked just like real hotspots but were just created to capture passwords and other account information or infect systems with malware. From that point on the video was an explanation of how Symantec Norton could protect users from these dangers as well as a host of others, but I’d heard most of this marketing before at RSA.

The video was only three minutes long and did a good job of explaining a few of the dangers of public wifi in the first two minutes. I’m actually pretty impressed with the content of the video and if I could get just the first part to use for educational purposes, I’d take it. This video would make a good starting point for a brown bag lunch or other short format awareness campaign at work. There are a couple more videos from Symantec waiting to be watched on the DirecTivo, which I might get to this weekend to see what they offer. Or maybe not; my tolerance for commercials has been greatly reduced over the last four years.


No responses yet

May 07 2008

The Post wants to know who you are

Published by Martin under Blogging, Privacy

I’m mildly annoyed, but I find it hard to get too worked up over this issue: Jim Brady from WashingtonPost.com wants to know who the people are who are leaving comments on his site. He wants to know who the real person is making comments, not so he can track them, but so that he can make them accountable for their comments. That’s a laudable goal, but does this guy really have any idea how the Internet works?

Mr. Brady laments the fact that people are as anonymous as they want to be on the Internet and that the people who comment on his site are leaving nasty, bitter, derisive comments. He wants to have some sort of tracking system where he can positively identify everyone who comments on his site and block the problem children. As he sees it, this sort of accountability is the only way to ‘raise the level of discourse’ on his site. As if accountability would somehow accomplish this goal. Does he understand human psychology any better than he understands the Internet?

This isn’t a privacy issue; without major changes to the Internet, Mr. Brady’s wish is never going to become a reality. There are too many built in safeguards and too much complexity on the Internet to make positive identification of his commenters a reality any time soon. The WashingtonPost.com site has already experimented with blocking IP blocks and found that’s a good way to block large chunks of the Internet from his site. They’re experimenting with other technologies, but that’s not enough for him. I wonder if they’re looking at OpenID at all to solve his problems.

Online identity is a huge issue, one that’s not going to be solved because some editor wants to track his commenters, even if it is the Washington Post. Mr. Brady has bigger problems though. First, he obviously doesn’t understand the Internet if he thinks there’s much possibility of reliably tracking users on the Internet. Anyone with even a modicum of computer knowledge could probably find a way around any tracking technology the Post puts in place. Even if they can’t, I’d be willing to bet there’d be a Firefox plugin or other application that gets around the technology. Oh, wait, we already have BugMeNot.

The second problem is that Mr. Brady is trying to solve a social issue with technology. This is the same trap we often fall into as security practitioners, trying to solve a people problem with more applications. And he’ll probably find out the same thing we keep finding over and over: technology fixes for people problems don’t work. People are going to find ways around the technology if it’s stopping them from doing what they want, period. If someone wants to be anonymous, they’ll find a way. We’ve found that with almost every technology that’s ever been used to secure a corporation. You put a block on a website, your users find a proxy. You try to keep users from installing software, they find a friend in IT to help them. They will find a way around technology if it gets between them and what they need/want to do. The technology is just a speed bump, and it’s an annoying one at that.

The real problem for WashingtonPost.com is that it takes people engaged with their readers to deal with this problem. It requires having someone monitoring the comments, deleting inappropriate posts and replying to the ones that are appropriate. He’s not going to get his tracking mechanism any time soon and rather than lament the lack of accountability, he needs to understand the real problem and deal with it as a human issue. People have been commenting anonymously to newspapers for as long as they’ve existed. How many of the letters the Post gets on a weekly basis have no return address and no indication of who sent them? The difference between the real world and the virtual one is that the editor has to consciously pick which comments get printed in the paper. That same power exists in the virtual world, it just takes human interaction in the form of comment moderation. Funny to think that the more things change, the more they stay the same.

It’s pretty certain that WashingtonPost.com is spending a fair amount of money on technologies to combat aggressive, insulting commenters on their site. They’re probably spending more on technologies and the people managing them than it would cost to hire one or more people to be responsible for moderating the comments. It’s easier to ask for the money to purchase a magic technology that will solve a problem than it is to ask for more people to get actively engaged. After all, technologies have a very clear cut reason for existing whereas people have all these nasty issues that come with them, like personalities and mistakes. But if you want to solve a people problem, only people can deal with it.

By the way, does anyone really believe the Washington Post and other sites wouldn’t use all the identity information they collect for marketing if Jim Brady had his way? Me neither.


4 responses so far

May 06 2008

No podcast tonight

Published by Martin under Podcast

I’m sick and Rich is preparing for some anniversary celebration over the next couple of days. My family graciously shared a chest cold they’ve been fighting off with me and I’ve spent a good part of the last two days in bed. Rich is flying in, with his wife, from Arizona to spend the better part of a week wine tasting and whatever else you do to celebrate your wedding anniversary. They’ll be less than 30 miles from my home and they won’t be spending any time with me or my family. You gotta wonder about a guy who puts his wife (or his health) before his podcast.

We’ll return to our regularly scheduled dose of chaos next week. Honest.


No responses yet

May 05 2008

Desperate for attendees

Published by Martin under General

I’ve attended my fair share of conventions, but this is a first: CTST 2008 is offering up a free night’s stay if you’ll attend their conference. Their event is next week and I’m pretty sure the offer isn’t transferable, but I find it very interesting that they feel like they need attendees badly enough that they’re willing to make this offer at all. Add this to the fact that my name showed up on the list of last year’s attendees and I think we have a convention that’s truly suffering and may not make the 2009 season.

I receive a lot of phone calls from vendors, but in general only from vendors who have access to the lists of events I’ve actually attended. This year I’m showing up on the list of people who attended CTST, despite the fact that I’ve never attended and have never been to Florida, where the event is held. It makes me wonder how much of the list of attendees is based on people who actually attended last year or if it’s based on the people who were invited. I may be a statistical outrider, but from what I know of the convention biz, I also won’t be surprised if I find out I’m not the only one.

CTST looks like a convention I’d be interested in; it’s all about payment cards and the ways in which different credit and debit cards can be secured. It’s a natural fit for just about anyone in the PCI arena. But right now I don’t have the time to attend, nor the energy to fly cross country even if I did. But listing me as an attendee for something I never showed up at is annoying, and if it happens again this year, I’m going to be more than annoyed; I might have to blog about it in a snarky, sarcastic manner.


No responses yet

May 01 2008

Feedburner stats all wonky

Published by Martin under Blogging, Site Configuration

Something is going on with Feedburner; yesterday my stats showed the highest number they’d ever shown, today they’re less than half that. I expect them to fluctuate some, but over the last month I’ve seen drops of over 1000 subscribers in a day, to be back up to their normal levels the next day. Today’s drop was nearly 2000 subscribers overnight.

Paperghost claims it’s got something to do with Netvibes, but I’m not sold. This has been happening to me a lot and for over a month, so it’s not too likely to be a single point causing this much fluctuation, unless that point happens to be part of Feedburner. There’s been very little written on this so far, so I’ll be very interested in seeing if Feedburner addresses the problem on their own. I suspect it has more to do with the integration with Google than anything else.

Anyone else seeing this type of fluctuation in your Feedburner stats? Or are you a little less stats obsessed than I am and only look at your subscriber numbers when there’s a reason? Hopefully there’s someone from Feedburner looking for posts like this who can answer my questions about stats fluctuations. Or maybe I need to tweet about it and hope they’re looking at Twitter too.


6 responses so far

Apr 30 2008

Microsoft giving police tools they can get for themselves

Published by Martin under Government, Microsoft

This was looking like it could have been a great story for the conspiracy theorists in all of us: Microsoft is helping law enforcement agencies by giving them USB keys with forensics tools to help with cybercrime investigations. It can ‘decrypt passwords and analyze a computer’s internet activity’, something every good law enforcement agent needs. The Computer Online Forensic Evidence Extractor (Cofee) offers up 150 commands (what do they mean by ‘command’? Is that 150 tools or one tool with 150 commands?) and makes it easier for beleaguered cops to perform an investigation.

A number of people, most notably Mike Masnick, have jumped to the conclusion that this offers some sort of back door to law enforcement. Ed Bott fires back calling this inflammatory and rants a bit against the echo chamber that is the blogosphere. I can see why Mike would jump to the conclusion he did, that Microsoft was offering up some special sauce for criminal investigators, but as Ed points out, the tools included on the USB drive are all available elsewhere, MS has just made it easier by putting them on one USB key.

Ed also points out another thing: the bad guys have had USB keys that do most, if not all, of the same things for years. The USB Switchblade works wonders, is freely available and probably is more dangerous than any of the tools in the Cofee suite. I wouldn’t be surprised if some of the more savvy forensics investigators haven’t been carrying USB Switchblades around for a couple of years.

This is twice in a week, that I know of, that computer crime stories got blown out of proportion. Is it a trend or just a blip in the statistics? All I know is it feels weird to not be on the side being called paranoid.


2 responses so far

Apr 30 2008

George Ou is back in the saddle

Published by Martin under Blogging

Welcome back to the world of blogging, George. After a brief hiatus, George Ou has rejoined us with his appropriately titled George Ou’s Blog: Technology for Mortals. He has a co-author on the site, Justin James, and already has more than a few posts up. George’s short write-up of a computer he built for just over $400 is nice, since I’m contemplating building another computer myself. Of course, I’m always contemplating building a new computer, it’s just getting buy-in from the wife that’s a problem. I also think George and I will be taking different sides of many PCI-related stories.


One response so far

Apr 29 2008

Network Security Podcast, Episode 103

Published by Martin under Podcast

There were more than a few technical difficulties in recording tonight’s show. Thanks to Paul Asadoorian from PaulDotCom Security Weekly for hanging with us and getting a show recorded despite it all. If it hadn’t been for some quick thinking on his and Rich’s parts, I don’t think we could have had a show this week. I’m still working on my DSL line, but I’m pretty certain the wiring in my office is bad; the DSL has been fine since I moved the modem to a different wall plug in the bedroom. I just hope my wife is willing to ignore the bright yellow cable stretching across the hall until I can get a new telephone cable run.

Show Notes


Network Security Podcast, Episode 103, April 29, 2008


4 responses so far

Apr 29 2008

Security Flaw in Wordpress; Upgrade

Published by Martin under Blogging, Site Configuration

One of the things I have always hated about blogging is having to administer the web site. Moving to a hosted solution (Bluehost) earlier this year made life much easier, but there are still some issues I have to manage. One example is upgrading the Wordpress version, which Bluehost helps with by providing Fantastico and SimpleScripts to do scripted updates. Fantastico is good, but they’re a little slow to provide updates. SimpleScripts also looks good, but the verbiage in the update makes it sound like they overwrite the whole directory, not a good thing. So I found a Wordpress plugin that handles all the messy stuff for me, Automatic Upgrade.

I’m not a total wimp when it comes to this sort of upgrade, but I’d rather have it done by a script that hopefully won’t hit the wrong key at the wrong time, something I’m prone to do. I like the fact that it backs up both the Wordpress directories and the database for you before proceeding with the upgrade. It was good at disabling all of the other plugins I had running on the site, but was nowhere near as good about bringing them back up. That was a minor concern and gave me a good reason to update all the plugins too.

With a vulnerability in the Wordpress 2.x installation that can result in admin access to your site, you’ll want to get upgraded as quickly as possible. I like my hosting company, but I can’t expect them to make upgrades to my site their first priority. So I have to make it one of mine.


No responses yet

Apr 28 2008

[In]Secure Magazine #16 is out

Published by Martin under Security Advisories

Pick up your latest virtual version of the magazine on the [In]Secure site. There are a few articles I plan to read in my copious amounts of spare time, starting with the Security Policy Considerations Payment Card Data articles.


No responses yet
