Archive for September, 2005

Sep 30 2005

Another example of good customer service

Published by under IDS

In my last blog entry I linked to an excellent writeup on how to do log analysis on the cheap using Kiwi Syslog Daemon. One thing I wanted to know is if Kiwi could be set up to listen on an interface that doesn’t have an IP address and is just listening in promiscuous mode. So I sent the folks at Kiwi an email asking. They got back to me within an hour or so! That’s great customer service, especially from a company who’s supporting a freeware product. The full text of their reply is in the extended entry. By the way, so far, the answer to my question was ‘no’.


Sep 29 2005

How to do log analysis on the cheap

Published by under Simple Security

Cisco Network Log Analysis for Cheap Bastards

Here’s a great article by Mark Lachinet on how to set up a logging server on the cheap for your network edge. Or anywhere in the network for that matter.


Sep 29 2005

That’s a bad thing?

Published by under Hacking

Novell server hacked, used to scan for vulnerable computers – Computerworld

Novell employees set up a server outside the firewall that they were using to play games, which got compromised and used to scan for vulnerable SSH systems. D’ooohhh! I wonder if the guys who set this up will still be employed on Monday?


Sep 28 2005

More on DRM

Published by under General

DRM Talk for Hewlett-Packard Research

This is a really good article on Digital Rights Management by Cory Doctorow of Electronic Frontier Foundation fame. It’s plain text, which makes it a little hard to read for some.

The following two paragraphs were my favorite part of the whole paper:

In DRM use-restriction scenarios, there is only a sender and an attacker, *who is also the intended recipient of the message*. I transmit a song to you so that you can listen to it, but try to stop you from copying it. This requires that your terminal obey my commands, even when you want it to obey *your* commands.

Understood this way, use-restriction and privacy are antithetical. As is often the case in security, increasing the security on one axis weakens the security on another. A terminal that is capable of being remotely controlled by a third party who is adversarial to its owner is a terminal that is capable of betraying its owner’s privacy in numerous ways without the owner’s consent or knowledge. A terminal that can *never* be used to override its owner’s wishes is by definition a terminal that is better at protecting its owner’s privacy.


Sep 28 2005

And they wonder why we hate DRM

Published by under Hacking

Sunday night my wife and I went out to a local community center and saw an artist I’ve liked for quite a while, Sophie B. Hawkins. After the show Ms. Hawkins had a meet and greet and was signing copies of her newest CD, Wilderness. It was a great concert at a small venue and overall it was a really good experience.

Forward to last night: I finally got the chance to put the CD I had purchased into my laptop and play it. Or rather try and play it. The laptop in question is off the network for various reasons and I generally just use it to play CDs through a stereo (old laptop, really old stereo). When I placed the CD in the laptop, it immediately started trying to access the Internet. I thought that was odd and opened up Windows Explorer to look at the disk. Normally there would be a number of .cda files that are the actual songs, but instead there were a host of installation files and subdirectories. I took the CD to my main computer where I could access the Internet. When I tried to play the CD this time, it opened Winamp, which is apparently incompatible with whatever technology is used to protect this CD.

I haven’t played Wilderness on a regular CD player yet, and quite frankly I’m more than a little annoyed that I should have to. This is the second CD I’ve purchased this year that has some sort of DRM that cripples its usage on a computer, and I returned the first one. I’d return this one too if I hadn’t purchased it directly from the artist and had her sign it. I’m not trying to pirate a CD, I’m just trying to use it as intended. Heck, I wasn’t even trying to rip the CD to MP3 format, though I’m definitely going to do that now.

If you believe that Digital Rights Management (DRM) technologies are aimed at protecting the artists against having their music shared on the Internet, you haven’t been paying attention for the last several years. More and more, it becomes obvious that DRM is only about limiting when and where the end user can use the product, not for the user’s good, or even the artists’ good, but for the record companies’ profit. And I’m not willing to contribute to their bottom line.

I don’t know the exact technology used to protect this CD yet, but I will figure it out. I’m not sure if the DRM protection was put in place with the approval of Sophie B. Hawkins, but quite frankly I probably won’t be buying any more of her music. Which is too bad, since I really liked her up to now. What was advertised as a way of protecting her music has now cost her at least one listener.


Sep 28 2005

Phishers trying to mimic sites even more

Published by under Phishing, scams, etc.

Phishers’ latest hook: SSL certificates

Phishers are working even harder to make the sites they maintain look like the real bank websites. By providing bogus SSL certificates to the browser, the user is getting all the indications that they’ve reached a secure site. For the average user, any errors they receive on the SSL certificate are just going to look like it’s a problem at the bank.


Sep 27 2005

Know a good password manager?

Published by under General

RSA Security – Press Release – RSA Security Survey Reveals Multiple Passwords Creating Security Risks and End User Frustration

Passwords seem to be in the news a lot recently; first it was someone at Microsoft saying we should write them down, then Leo Laporte and Steve Gibson discussing the same (along with half the geeks in North America) and now RSA has come out with this article on how much people hate their passwords.

So, we all know that passwords are a pain in the rear, but how are we going to replace them? Passwords are easy to implement, don’t require any additional hardware and are easy to replace. No other technology offers all those in one place. Biometrics is still going through growing pains (Remember the article on fooling fingerprint scanners with jello?). Digital Certificates work, but there’s a whole technical issue to get over with the average user and there’s no one standard. The different key fob technologies are all pretty expensive. And voice recognition just isn’t ready for prime time.

Even discounting the Unix servers that will still be around when my grandkids are old, I think passwords are here to stay. Unless you want to have that subdermal RFID implant placed in a fleshy part of your anatomy, that is.


Sep 24 2005

Hiding Credit Card Theft

Published by under Phishing, scams, etc.

Credit card companies can keep data ID theft secret | The Register

Security breach disclosure law faces court test

This really burns me up, especially since it’s happening in my own backyard. In 2003, California put into effect SB1386, a law forcing companies who have suffered loss of credit card information to notify their customers or face stiff penalties. There have always been a number of rather large loopholes in the law, but overall, it was a good first attempt at forcing companies to take responsibility for the security of credit card information in their care, and a number of other states have followed California’s example.

This episode all started earlier this year when it was revealed that CardSystems Solutions suffered a security breach and as many as 20 million credit card numbers may have been exposed to hackers, and as many as 260,000 records were taken. CardSystems does not directly do credit card business, but is a data processor and takes care of payment data for other companies. They had kept a copy of the data they were processing for other companies for use in their own testing, which is a direct violation of Visa and MasterCard policy. It was this copy of the database that hackers were able to get access to.

Shortly after the breach was revealed, a class action suit was filed against Visa and MasterCard seeking damages. The credit card companies responded that they are not responsible for notifying customers or paying damages, since they are not the merchant, just the bank issuing the credit cards. And as much as it pains me to say it, they’re probably correct. At least for now, the law is on their side, but hopefully that will change in the future.

CardSystems Solutions is the real culprit here; the only reason they aren’t the primary target of the suit is because they don’t have deep enough pockets. They knowingly broke the policies set forth by Visa and MasterCard, and now a lot of people are going to pay for it. The only good thing I see coming out of this is that Visa has cut all ties with CardSystems, which is probably the death knell for the company. Would you want to do business with a company that has proven it can’t protect itself and the resources it’s designed to protect? Not me.


Sep 23 2005

What do you mean Linux?

Published by under General

IT Manager’s Journal | Five common mistakes that Linux IT managers make

I saw this over on In the Trenches, and Kevin is spot on: Linux managers are not the only ones susceptible to these mistakes. Actually, from what I can tell, even most of the security people out there commit these five mistakes from time to time. At least I know I do.


Sep 23 2005

How not to run a demo

Published by under Hacking

Security demo hacked at confab | News.blog | CNET News.com

Here’s a great example of why you shouldn’t let the marketing guys set up the security for your demos. If your company’s product is an Internet security product, your basic security needs to be much tighter than most networks, because hackers are going to look at you as a challenge.

I understand that business needs are going to outweigh security needs in some cases. It’s just the nature of the beast that sometimes what is secure is not necessarily going to win, especially if it interferes with a sales drone’s ability to work. But it’s my job as a security professional to be aware of what the tradeoffs are and make the company aware of them. And who do you think is going to get in more trouble over this situation, the security guy or the sales guy?
