Network Security Blog

I’m going to take a break from the blog and the computer for the next couple of days and come back on Monday.  Monday will also be my first official day blogging for ComputerWorld.  I’m not quite sure what my first topic will be over there, but check it out at http://www.computerworld.com/blogs/mckeay.  There’s just a placeholder there so far, but come Monday, I’ll be published on the website of nationally recognized trade publication.  Yay me!  2006 is starting to look like an exciting year from where I sit.

I just tried to get to the Google AdSense site, and it was down.  I wonder if this has anything to the malware that was found earlier today taking advantage of the AdSense program?

Edit: It’s back up this morning

A trojan has been sighted that targets Google Adsense.  The program infects the computer and serves up bogus web ads rather than the context-sensitive ads normally served up by Google.  It’s not immediately clear from the article if it is the system serving up the web page that is being infected or the end user’s machine that has to have been previously infected to serve up the bogus ads.  So far details on the issue are fairly sketchy, and most of them refer back to the Tech Shout aricle, but there’s a little more information on JenSense.

The Electronic Frontier Foundation has come to a tentative agreement that will settle a number of the class action lawsuits that have been brought against Sony.  I hope the Sony and the other music corporations will learn from this and take a little kinder and mature approach towards their customers in the future.

In related news, one of the RIAA’s primary tools for finding who has been sharing files is being challenged in court.  Called an ‘ex parte’ order, it’s basically a subpoena that allows the RIAA to go fishing through an ISP’s log files, and many judges have apparently been allowing this without much technical oversight.  The programmer, Zi Mei, is also challenging the validity of the IP addresses that the RIAA did find through these means.  Just because you had an IP they found in their logs at one time, doesn’t mean you were the one who ’stole’ their music.  Off the top of my head, I can probably think of a dozen ways the logs could be wrong, and I’m sure there are dozens more a good network engineer could explain.

I didn’t want to post it on the blog until the ink had dried; starting January 1st, I will be blogging for ComputerWorld.  This will be blogging in addition to what I do on a daily basis here, not a replacement for this blog.  Basically, one of the editors at ComputerWorld had seen my blog, notice that I occasionally have write something worth reading, and that I blog daily even if I don’t.  I’m really looking forward to this opportunity to expand my readership and a way to make a little money off of what has basically been a hobby until now.  Yeah, they’re actually going to pay me to blog.

I found this article while reading Geek News Central.  I have never understood why people have some expectation of privacy while on a cell phone.  When the average person gets on the cell phone, they tend to tune out the outside world, and expect the outside world to tune them out.  And in general, this is a reasonable expectation; no one cares if your talking to your kids about their chores, or your buddy about Sunday’s football game.  But those expectations are false when your talking about personal information.  You are broadcasting to everyone close enough to hear your voice, and while a number of automatic filters click into place for the average person while talking about minutia, when you start talking about your bank account, a lot of people start listening.  The illusion of privacy is just that, an illusion, and if you’re talking about something interesting, people will listen.  And there are a lot of people who will find your bank account information interesting.

Bleeding-Edge Snort  has a  signature available for the WMF vulnerability. 

#by mmlange
alert tcp any any -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT WMF Exploit"; flow:established; content:
"|01 00 09 00 00 03 52 1f 00 00 06 00 3d 00 00 00|"; content:"|00 26 06 0f 00 08 00 ff ff ff ff 01 00 00 00 03 00 00
00 00 00|"; reference: url,www.frsirt.com/exploits/20051228.ie_xp_pfv_metafile.pm.php; classtype:attempted-user;
sid:2002734; rev:1;)

If you’re worried about the 0-day Microsoft vulnerability in the handling of WMF files, you can try this hint that Dave Klienman suggested on the CISSP mailing list:

;from Dave:

So this is what a Google employee does with his Chrismas bonus!

Here’s just one more reason to encrypt the entire database whether you consider the information sensetive or not.  Marriott International lost computer backup tapes containing sensitive information for more than 200,000 people.  That’s a lot of people.  Was this the incident that sparked the mysterious reports of a breach over the weekend, or does that incident have yet to be revealed?

How does a company manage to lose a backup tape anyways?  Most of the companies I’ve worked for have a rigid policy concerning backup tapes.  When they come out of the computer, they go immediately into a lock box that is stored in a secure off-site location, with several layers of tracking to follow them.  If they disappear along the way, it’s usually pretty obvious where in the system the tapes were interecepted.

There are two levels of encryption that could or should have been employed on these backups.  First of all, encrypt the data in the database.  Encryption has a cost, which is mainly measured in the speed of your databases and the CPU usage on the server.  Secondly, many backup services today offer the option of encrypting the data on the tapes.  Use that option.  Here, the trade-off is similar; it slows down the backup and can cause recovery issues if you lose the key.  But it’s worth the added level of security.  Encryption is cheap, rebuilding your reputation is not.