Oct 20, 2005
Discovery Channel :: It Takes a Thief
I caught an episode of this show over the weekend, and another tonight. It was great, showing how easy it is to break into the average house in the middle of the day with no one any the wiser. Okay, the frat house wasn’t average, and the one in the second show was a very upscale house, but in both cases the attitudes the homeowners showed were pretty average. Locking up their valuables was an afterthought, if they thought about it at all.
One of the things I like most about this show is that the hosts make it clear to the homeowners that the technical part of security, the locks and so on, is only the beginning of securing their homes. It’s attitudes that have to change to make the tools effective. The hosts bring it home with a certain amount of visceral reality by actually trashing the houses as they tape the show. You should see the expressions on people’s faces when they walk into their recently burglarized house.
As a security professional, I try to keep myself aware of the human portion of network security. It’s easy to get my head so deep in firewall configurations, server builds and IDS rules that I forget the other portion of security: education. Reminding the HR clerk not to leave sensitive documents on the desktop, making users aware that it’s not okay to take home copies of sensitive documents, asking people to think before they send that spreadsheet with the company financials out over email. In a lot of ways, the human element of security is just as important as the technical element. We can’t afford to ignore either one.
Oct 18, 2005
Since I discovered podcasts a couple of months ago, one of the sites I like to visit on an irregular basis is the IT Conversations website. They have a wide variety of podcasts from different authors, many of them recorded at live IT events around the country. One of the more recent podcasts comes from the BlogHer Conference several months ago. Titled Legal Tips: What You Can Get Away With, it goes over many of the concerns facing bloggers today. Can I blog about my boss without getting fired? What if someone posts copyrighted content on my site? What are copyright law and the Creative Commons license? The presentation starts with one of those standard disclaimers, but this one I have to agree with: if you’re having legal problems, go see a lawyer; don’t rely on what you hear on a podcast for your protection.
Listening to the Legal Tips podcast led me to another site worth looking at if you blog, the Chilling Effects Clearinghouse. There have been numerous examples over the last couple of years of bloggers being silenced by the mere threat of legal action. I’ve blogged about it a few times myself, and, more importantly, refrained from blogging on several occasions because of possible legal repercussions. One of my most recent examples was the presentation Michael Lynn gave at the BlackHat Briefings; I refrained from posting a copy of his presentation because of the cease and desist orders a number of sites received. If I’d had a chance to read Chilling Effects prior to this event I might have posted his presentation. At the very least, read the FAQ if you blog.
Chilling Effects in turn brought me to my final link of the night, the Electronic Frontier Foundation’s Legal Guide for Bloggers. I’ve long been a fan of the EFF, even when I had only the sketchiest idea of who they were. I mean, anyone who’s willing to fight the Digital Millennium Copyright Act can’t be all bad, and they’re also one of the biggest defenders against the Recording Industry Association of America. The EFF is one of the sponsors of Chilling Effects, right in line with their goal of helping us keep all of our freedoms in the digital realm as we enter the 21st century.
If you blog, and you think there’s even a slim chance you might annoy someone some day, take the 30 or so minutes it takes to listen to the Legal Tips podcast. Then bookmark the Chilling Effects and EFF Legal Guide websites for the future. Hopefully neither you nor I will ever need to refer to these sites in a real-world legal battle, but you want to know where to find them, just in case. And one of the biggest keys to winning a legal battle is knowing how to avoid one in the first place.
Oct 17, 2005
You may, or may not, have noticed that all of the blog entries today have come in fairly short order in the last hour or so. I’m being kept so busy at my new job that I rarely have the time to blog at work, unless something really important or aggravating comes up. Somehow, I can still find the time to rant. Anyway, I’m going to try keeping track of some of the articles that catch my eye during the day and blog about them when I get home at night, some time after I get the kids to bed. We’ll see how that works out. As long as it doesn’t take too much time away from City of Heroes, we should all be okay. The only problem is that I’ll probably write a cranky entry, like my last one.
Another issue I’m dealing with tonight is blog spam. I’ve made some minor changes that should deal with the problem for now, but one of these days I have to bite the bullet and upgrade my blog software to something that has more anti-blogspam features built in. I’ve been pretty happy with MovableType for the last few years, but if I’m going to upgrade, I’m going to have to at least look at other products. But first, I’m going to have to convince my wife to allow me to spend some more money on hardware. Another one of those things that’ll have to wait until after Christmas.
Finally, and most noteworthy, I got a surprising reply to a comment I made in the blog last week. Ron Gula, the CTO of Tenable Security and of Dragon IDS fame, sent me an email offering to give me an interview. Basically, he wants a chance to defend Tenable’s decision to remove Nessus from the open source arena. I’d like to talk to or exchange emails with Mr. Gula and post the interview here, but I’ve never done an interview before. Which means I need a little help; if you’ve got questions you’d like to pose to Ron Gula or Renaud Deraison (the guy who actually wrote Nessus), send them to me or post them here. I’ve exchanged a couple of emails with Mr. Gula, and eventually I’m going to find the time to take him up on his offer. So help me out a little and see if I should branch out to interviews, or if I should stick to my rants.