Archive for February, 2005

Feb 28 2005

Make Magazine

Published by under Hacking

MakeZine.com:

I got my first copy of Make: magazine this weekend. I’ve only read a couple of the smaller articles so far, but it looks pretty impressive. My son especially likes the article about Kite Aerial Photography. He was a little disappointed when I told him that, no, we will not be using Daddy’s nice Olympus digital camera. He is still trying to convince me, and at the same time I’m trying to convince him that a disposable camera is the way to go. My wife just shakes her head and walks away.

Feb 28 2005

Somebody else’s fault syndrome

Published by under Phishing, scams, etc.

Florida man sues bank over $90K wire fraud | The Register

Customer vs. Bank of America: Is the little guy to blame?

If your computer catches a trojan, your passwords are compromised and money is taken out of your bank account as a result, whose fault is it? Joe Lopez and his lawyer say it’s the bank’s fault for not warning him. I say it’s his own fault, and Donald Smith at SearchSecurity.com agrees.

I’m not going to analyze the case again, since the SearchSecurity article already does a pretty good job of it. But I’m tired of the ‘somebody else’s fault’ syndrome so rampant in today’s society. I believe this is the root cause of so many of the problems with our culture; why take responsibility when you can pin it on someone else? It’s not the parent’s fault their child is unruly, it’s the teacher’s fault. It’s not the business’s fault all those financial records were exposed to the Internet, it’s those nasty hackers. The list goes on of people and corporations trying to place the blame everywhere but where it really belongs.

Deep breath. This is one of my hot buttons. I realize there’s little or nothing I can do to change society as a whole, so I’m doing what I can. I hope my children will grow up knowing how to take responsibility for their own actions. And if they don’t, I can always blame the school and their peers.

Feb 25 2005

Be careful what you say

Published by under Microsoft

Patch Tuesday linked to exploit time frame

Do you ever ‘Google’ your own name? I do this once every few months just to see what I’ve put out there. And occasionally I get a real surprise, like the article above.

I vaguely remember the conversation with Mr. Baard. And given my normal propensity to mouth off, I probably said the exact words in the article. I’ve received about half a dozen calls like this in the last year or so, but this is the first time I’ve seen my name in print. I’ll have to be a little more careful with my choice of words in the future. Not that I’m embarrassed by anything I said, but if I’m going to be quoted, I’d like it to sound a little more professional.

I also need to Google myself more often.

Feb 25 2005

DMCA Takes a blow

Published by under General

Technology Law Bulletin: winter2005.pdf

I have never been a fan of the Digital Millennium Copyright Act. I’ve always thought it was nothing more than an attempt by big businesses to control our access to the technology we purchase under the guise of protection from piracy. It never really protected anyone from piracy; it just allowed big business to silence their critics by suing scientists who research security vulnerabilities and limiting reverse engineering.

This court decision makes a good cut to the powers of the DMCA. Hopefully the trend continues.

Feb 24 2005

Windows Firewall issues

Published by under Firewall

Windows Firewall Has A Backdoor

The title of this article is misleading. The author states that the Windows Firewall allows programs to add themselves to the Windows Internet Connection Firewall Exception list without the user’s knowledge if they are logged in as administrator (been playing with *nix systems a lot lately, almost said ‘root’). This can be done by a program without any interaction from the user.

This is a bad design, and no program should be allowed to add itself to the exception list without user intervention, but I would hardly call this a ‘backdoor’ as the author has. It’s also one of the weaknesses of having a personal firewall that’s integrated with your OS. I’ll go on the record to say that I’d rather have the Windows Firewall on someone’s system than no firewall at all. But I’d rather see a third-party firewall with a lot more robust security than what Microsoft is currently offering.

The other issue is logging into your Windows machine and running programs as administrator. I do it, most systems administrators do it, but it’s a habit we should try to break. The number of times I really need administrator access is few and far between. It’s a bad habit a lot of us need to break.

Feb 24 2005

Read your EULA? Yeah, right

Published by under General

It Pays To Read License Agreements

I think I read one of the first Microsoft EULAs (End-User Licensing Agreements) sometime in the late 80s, but I’ve never read one since. Well, I guess PC Pitstop decided to make it worth your while to read their EULA. They included a clause in it that basically said, “Send us an email, we’ll send you a prize.” One lucky reader actually read the EULA, sent the email and got a check for $1000!

Their point, and it’s a good one, is that you should read the EULA for any product you’re going to install on your computer. While PC Pitstop’s EULA surprise was a pleasant one, many of the clauses hidden in other companies’ software are not so beneficial. In many cases you’re giving the company the right to collect personal information, download additional software, modify your browser, or just plain do almost anything they want.

Hmmm, I wonder what Reed Freeman of Claria would have to say about this (see my last post). I’m not going to be installing anything that uses a Claria product any time soon, but I’m sure their EULA makes for some interesting reading.

Yes, EULAs make for boring reading. Yes, they’re written in legalese and impossible for the average person to read. But occasionally they contain surprises we should be aware of, both positive and negative. Usually negative.

Feb 24 2005

What were they thinking?

Published by under General

Adware maker joins federal privacy board | CNET News.com

D. Reed Freeman, an executive of Claria, has been named as a member of the Homeland Security privacy board. Just in case you don’t know who Claria is, try the name Gator. They were one of the first of the pop-up, pop-under ad companies, probably best known for their inclusion with the free version of Kazaa.

I would agree that Claria, as a company, is an expert in privacy. But their expertise is on how to compromise your privacy, not protect it. This is like hiring a hacker to secure your network. On the other hand, there will be nineteen other members of the board, so hopefully the impact of Claria will be fairly minor. I just don’t see how a company as small as Claria fits in with the likes of IBM, Oracle and Intel. At least Microsoft doesn’t have a representative. Yet.

Feb 23 2005

RootkitRevealer

Published by under Hacking

Sysinternals Freeware – Utilities for Windows NT and Windows 2000 – RootkitRevealer

Here’s a free tool for finding rootkits on your Windows system. I realize Microsoft is working on or already has a similar tool, but using a MS tool to look for rootkits just doesn’t sit well with me. Maybe I’m (okay, not just maybe), but I always suspect that there are a few loopholes built into MS products for their own use. Sysinternals has a good reputation, and I’m sure if someone with the skills asked nicely, the authors would allow others to review the source code.

If you have cause to use this program, drop me a line. I’m interested in hearing about your experience with it.

Feb 23 2005

Alternate Data Streams

Published by under IDS

SecurityFocus HOME Infocus: Windows NTFS Alternate Data Streams

As an IDS administrator, this is the sort of thing that gives me migraines. How do I detect this sort of attack on the IDS? The example the author, Don Parker, uses is actually a simplistic version of what an attack from a talented hacker would look like. Someone with the skills to get through a corporate firewall would probably have the control traffic encrypted and would use standard ports, like HTTP or SMTP, masking their traffic in the flow of acceptable traffic. Where his article would really come in handy is the forensics after the compromise has been discovered, not the discovery process itself.

I’m gonna go get a couple of Tylenol. My head hurts just worrying about this stuff.

Feb 22 2005

Jim Duffy retires from ISC^2

Published by under CISSP/ISC2

The CISSP and SSCP Open Study Guides Web site – (ISC)² ANNOUNCES RETIREMENT OF CEO

Jim Duffy is retiring as President of the ISC^2. I’ve been a CISSP for 2.5 years now. I’ve met Mr. Duffy once and he seemed to be a nice guy, but dialogue with his constituency did not seem to be his strong point. When I met him, I brought up several points that were burning up the CISSP mailing list, and while he appeared to listen, I never got the impression that anything I was saying was actually being heard. He has done a lot of work for the ISC^2, and has taken it from a volunteer-led group to a professionally managed company, but I think it was at the expense of communication between the company and the people they serve. ISC^2 currently seems to be concentrating almost entirely on creating new CISSPs rather than helping the ones that already exist. We’ll see if a new CEO changes this.

Of course, my opinions are mostly based on reading the CISSP forums, which are admittedly biased and vocal. But the only other communications I’ve received from ISC^2 have either been telling me to pay my dues or asking me to sign up for expensive classes to get my education credits. Heck, I don’t even see too many of those any more, since my mail client classifies anything from them as spam. I’m waiting to see what direction a new CEO will take the ISC^2 in. The next few months should be interesting.
