Archive for August, 2005

Aug 31 2005

Reporting Red Cross scams

Published under Phishing, scams, etc.

Ron Baklarz from the Red Cross got back to me early this afternoon. If you receive any scam emails trying to take advantage of the disaster in the Gulf area, forward the email to infosec@usa.redcross.org. Help catch these guys. I know that this sort of scam is going to be running rampant for the next couple of months, which burns me up. So let’s do what we can to help catch some of these guys.


Aug 31 2005

Do me a favor

Published under Phishing, scams, etc.

I don’t have an email address I can post here yet, but I have a contact at the Red Cross who is looking for any and all scams related to Hurricane Katrina. If you receive any emails asking you to send in money to support disaster relief, you can almost guarantee that it’s a scam. The American Red Cross, and most other charitable organizations, are never going to send you an email asking for donations, so it’s safe to assume any such emails you receive are bogus.

Email me at martin_at_mckeay_dot_net (obfuscation is annoying, ain’t it) if you get any scam emails.

Edit:

Well, since this information has already been posted to a site with a lot more traffic than mine (www.cccure.org), I might as well post the information so you can contact the Red Cross directly if you see any phishing come across your desk.

– From the CISSP Forum –

Typically after a significant event such as Katrina, we see a lot of
fraudulent activity associated with Red Cross donation solicitations.
The obvious forms of fraud manifest themselves as email solicitations
and web sites. If you happen to come across any type of Internet-
based fraudulent activity please pass on to me at
BaklarzR@usa.redcross.org so we can investigate and turn over to Law
Enforcement. We already had a miscreant on Monday post to a bbs that
he sent out 14 Million email solicitations for Red Cross donations
with an embedded link to a fraudulent web site.

Thank you,

——————–
Ron Baklarz CISSP, CISM, CISA, IAM, IEM
Chief Information Security Officer
FIRST Representative ARCcert
The American Red Cross
8111 Gatehouse Road
Falls Church, VA 22042
MS: 4201
Email: BaklarzR@usa.redcross.org


Aug 30 2005

Visa PCI Standards

Published under Simple Security

Visa Payment Card Industry Data Security Standards

If you haven’t already read this document, you probably should. This is a minimum standard set forth to protect your credit card data when you use it to purchase something from a merchant. And it bears repeating, minimum standards. I hope most merchants use this as a starting point and continue from there. The folks at CardSystems Solutions Inc. forgot several of the points in this document, such as:

3.1 Keep cardholder storage to a minimum.

I’m sure keeping live customer data for testing breaks this and several other rules.


Aug 30 2005

CISSP vs. CCISP

Published under General

CISSP vs. CCISP creating confusion for certification holders

This one makes my eyeballs itch. I had to re-read the article several times to make sure I was reading the correct acronym in several paragraphs, not to mention proofread this entry very carefully. Do the folks at the Critical Infrastructure Institute really believe they’ve got anyone fooled?

The CII website is minimal to say the least. There’s no real information on the site, other than how to sign up for their classes, none of which are up to date. There is information on what is covered in the classes, and I guess we’re supposed to extrapolate from this what the CCISP is going to cover.

This looks like a cheap shot to use the reputation of the CISSP to build their own business. But looking at the number of classes that have been postponed, and the fact that there are currently no classes scheduled (TBA doesn’t count), I believe this is a flash in the pan. By the way, the ISSA site does list the CCISP, but the disclaimer at the top of the page makes it clear that this in no way constitutes an endorsement.


Aug 30 2005

Preloaded Virus

Published under Malware

W32.Wullik.B@mm worm burrows into shipping Zen Neeon – Engadget – www.engadget.com

This is a great example of a bad production process. I didn’t even know the Zen Neeon had enough computing power on it to host a virus.


Aug 29 2005

Podcasting

Published under General

Podcasts catching on

This is from my local newspaper, The Press Democrat. I’d realized that Leo Laporte lived in the northern Bay Area, but I hadn’t realized how close he really was until recently.

I only discovered the podcasting phenomenon about two weeks ago myself. I’ve been toying with the idea of starting my own, but it feels too much like a ‘me too’ sort of thing. The other problem I have is that a lot of the podcasts I’ve seen so far aren’t much more than an audio version of a link blog. That is, they’re just rehashing other people’s news stories. I do that too much on the blog already.

Leo Laporte’s got his This Week in Tech podcast, and his new Security Now! cast with Steve Gibson. Are there any other computer security related podcasts out there? There’s 2600 and a couple of other hacker-related podcasts, but that’s not what I want to listen to.

What do you think: would it be worth it to do a 30 minute podcast on current security events once every week or two? Is there someone out there, besides Leo, already doing this? One possibility that comes to mind for me is enlisting the help of a couple other security professionals I’ve corresponded with via email, but have never met. With the burgeoning VoIP products out there, it would be easy to do a podcast with people all over the world. The only stumbling block I have is that I hate the sound of my own voice once it’s been recorded.


Aug 26 2005

Help defend your freedom

Published under General

EFF: EFF Launches Cooperating Techs Listserv
EFF: EFF Launches Cooperating Techs Listserv – Take Two

The Electronic Freedom Frontier is looking for technologists to hook up with lawyers to answer questions on, well, technology in civil liberties cases. If you’ve been looking for an opportunity to volunteer your time, or maybe even get paid a little, this could be an excellent place to start.


Aug 25 2005

Google return address

Published under General

Google is finally allowing you to use whatever From address you want, provided you can verify the address. So, I no longer have to see ‘@gmail.com’ in my return address field. A small step, but one I’ve been hoping for since I first got my Gmail account.


Aug 25 2005

Network Critical Taps

Published under General

I’ve been looking into various network taps lately and I was referred to a company called Network Critical. I’d never heard of them before and was wondering if anyone else out there has used them? I’m also looking at Fluke Networks and NetOptics taps, but the more vendors I can review, the better I’ll feel about the eventual decision. Anyone have other tap companies they’d like to suggest? I need a multiport aggregator tap, with multiple outputs. Let me know what you use.


Aug 24 2005

Podcasting and commuting

Published under General

I’ve found a new way to occupy my commute time. I have a drive of over 50 miles each way to and from work each day. During that drive, I pass through a number of different areas where none of the radio stations I like to listen to come in clearly, and the CD player in my car got a disk stuck in it several days after the warranty ran out (Why couldn’t this have happened BEFORE the warranty ran out?). So, until recently I’ve just had to deal with it.

Monday morning I went to Costco and picked up the VR3 FM Modulator. If you’re unfamiliar with the device, it plugs into your cigarette lighter and either reads MP3 files off of a USB thumbdrive or from another device plugged in via a 1/8″ plug. You set the VR3 to an unused FM frequency, between 87.5 and 88.9 I think, and set your stereo to the same frequency. Voilà! Instant access to your MP3s on your car stereo. The sound is okay, but clipped, meaning the highs and lows are muted a lot. And with some music there’s a lot of distortion, especially if there are a lot of high notes. I like to listen to Annie Lennox, and the VR3 is just not up to the range of her voice.

On the other hand, I’ve found an even better use for the VR3: podcasts. Until about 3 weeks ago, I’d never listened to a podcast. Then I found TWiT (See my last entry). I’ve always liked Leo, and the TWiT podcast is worth listening to. This morning I listened to the Geek News Central podcast. All in all, it’s an enjoyable way to spend the commute and get caught up on stuff at the same time.

I’m still new to the podcasting scene. Over at the JoatWiki, there is a small list of tech podcasts. There’s also the TechPodCasts site, where there is a long list of podcasts directly related to tech. But what are you listening to? Who’s out there saying the things you find interesting? I commute 10 hours a week, so I’m looking for at least 5 hours of podcasts per week to listen to. Tell me who you’re listening to.
