Dec 28 2005
Even more WMF goodness
I guess the bad guys are having fun playing with their new toy. F-Secure has discovered that any application that parses WMF files and uses SHIMGVW.DLL leaves you vulnerable to this 0-day vulnerability.
Dec 28 2005
There is a 0-day exploit currently in use against Windows machines, and it affects users of both Internet Explorer and Firefox, since the flaw is in the way Windows handles WMF images rather than in the browser. The vulnerability this exploit attacks is currently unpatched, and given Microsoft's adherence to their patching schedule, it will probably remain unpatched for at least two weeks.
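While the patch is outstanding, the practical defence is to catch WMF files carrying the dangerous record before an image viewer touches them. The following is an added example, not code from the post, F-Secure or Microsoft: a minimal WMF record walker that flags META_ESCAPE records whose escape subtype is SetAbortProc (0x0009), the record the December 2005 exploit files used to get code executed by the image handler (a detail not given on this page). The header layout and constants come from the WMF format itself; the two sample files are constructed inline for the demonstration.

```python
import struct

# Constants from the WMF file format (not from the post)
PLACEABLE_KEY = 0x9AC6CDD7     # magic of the optional 22-byte "placeable" header
META_EOF = 0x0000
META_ESCAPE = 0x0626
ESCAPE_SETABORTPROC = 0x0009   # escape subtype abused by the Dec 2005 exploit files


def parse_wmf_records(data):
    """Return a list of (function, params) tuples for every record in a WMF blob.

    Raises ValueError on anything that is not a structurally valid WMF file.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                                   # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    file_type, header_words, _ver, _size, _nobj, _maxrec, _nmemb = \
        struct.unpack_from("<HHHIHIH", data, off)  # 18-byte standard header
    if file_type not in (1, 2) or header_words != 9:
        raise ValueError("not a WMF header")
    off += header_words * 2

    records = []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)   # size in 16-bit words
        if size_words < 3 or off + size_words * 2 > len(data):
            raise ValueError("bad record size at offset %d" % off)
        params = data[off + 6: off + size_words * 2]
        records.append((func, params))
        if func == META_EOF:
            break
        off += size_words * 2
    return records


def find_setabortproc(data):
    """Indices of META_ESCAPE records whose escape subtype is SetAbortProc."""
    hits = []
    for idx, (func, params) in enumerate(parse_wmf_records(data)):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == ESCAPE_SETABORTPROC:
                hits.append(idx)
    return hits


def build_wmf(records):
    """Assemble a minimal disk-type WMF from (function, params) pairs (constructed test data)."""
    body = b"".join(struct.pack("<IH", (6 + len(p)) // 2, f) + p for f, p in records)
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2, 0, 0, 0)
    return header + body


# Constructed samples: a harmless one-record file and one carrying a SetAbortProc escape
BENIGN_WMF = build_wmf([(0x0103, struct.pack("<H", 8)),      # META_SETMAPMODE
                        (META_EOF, b"")])
ESCAPE_WMF = build_wmf([(META_ESCAPE, struct.pack("<HH", ESCAPE_SETABORTPROC, 4) + b"\xcc" * 4),
                        (META_EOF, b"")])                     # 4 dummy bytes stand in for the payload

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("escape", ESCAPE_WMF)):
        print(name, find_setabortproc(blob))
```

The walker deliberately refuses files with a bad header or record size rather than skipping them, since a filter that silently passes what it cannot parse is exactly what the attacker wants; route anything that raises to the same quarantine as a hit.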
Dec 27 2005
Well, the final podcast of 2005 has been wrapped up. It came in just a hair under thirty five minutes, and the new hardware sounds good. I have to go back a little later and see what the raw audio sounds like on the new iRiver iFP895. It’s nice to have a backup to save me if there’s ever a power failure in the middle of a podcast.
Network Security Podcast, December 27, 2005 – Episode 7
Tonight’s musical selection is Shades of Blue by Tony Deziel. I hope I pronounced his last name correctly. This music is Creative Commons licensed, and found on Garageband.
DHS interest into the Little Red Book was a hoax
Using Metasploit in the real-world
Congress has big plans for technology reform in 2006
Windows Metasploid data leakage
Only one E-voting company left in NC
Iowa State University hacked … again
Possible security breach, no details yet
This was written using Performancing for Firefox
Listen until the end of the podcast. I’ve got some pretty big personal news, and I’ll be posting more here as the details become more solid. Have a safe and sane New Years, and I’ll catch you next Tuesday.
Dec 27 2005
I wonder if there’s a statistical correlation between Christmas and the release of new malware and hoaxes. With all the new computers folks get as presents, I’m sure there must be at least a minor blip as these systems are hooked up without having anti-virus and personal firewalls installed. Here’s another example of someone trying to take advantage of all those new computers: a piece of malware pretending to be a beta for MSN Messenger 8. First of all, be careful downloading any beta software; it’s beta for a reason and could harm your computer. And never click on any link sent to you out of the blue without an explanation from the sender. Even then, be cautious.
Edit: I guess there really is an MSN Messenger 8, it’s just called Windows Live Messenger.
Dec 27 2005
I completely agree with Donald Smith at the Internet Storm Center; it’s better to drop packets at the firewall rather than reject them. Donald lists three reasons, and I’m not sure if he is prioritizing them or not, but I feel that preventing reverse mapping is the primary reason to drop by default: a rejected packet draws a TCP reset or ICMP unreachable that tells a scanner the host is up and which ports are filtered, while a dropped packet looks no different from an empty address. Limiting information disclosure to the bad guys is one of the first layers of network security. It’s not quite ‘security through obscurity’ but it is related.
Dec 26 2005
I’m a big fan of the Net Optics taps. I’m also a fan of Richard Bejtlich. In this article, Richard explains why you can’t mix a network tap with a hub. Just in case you’ve never run into a network tap before, they’re passive devices that you place in line with a connection between two devices, say a firewall and a switch, and the tap mirrors all traffic on the wire between the two to a third device, usually a sniffer or Intrusion Detection System (IDS). Taps capture the traffic cleanly without the need to mirror a port, and do not allow the IDS or sniffer to inject traffic back into the circuit. And, in general, if the tap fails, it continues to pass traffic between the two devices, it just doesn’t mirror the traffic any more.
Personally, I prefer using a tap specifically because it removes the reliance on switch configuration. I’ve had the traffic to the IDS suddenly disappear or change too many times because some network administrator made changes with unintended consequences. And let’s not even talk about the foibles of certain brands of switches (cough, Foundry, cough, cough). I’d rather rely on a piece of equipment specifically designed for my sniffing needs.
By the way, if anyone wants to send me a copy of Richard’s latest book, Extrusion Detection, I’ll set up an Amazon wish list. It’s on my ‘want’ list, but with Christmas just behind us, I haven’t had the money to get a copy for myself. Well, Christmas and taking up podcasting, that is.
Dec 26 2005
Very few details are available as of yet, but there was apparently another recent security breach involving Visa. I’m suspicious about this article, because usually this type of information doesn’t come out until the notification letters have been sent to the customers. From my reading of the article, a total of three people had card issues, and that hardly constitutes a major security breach. I’m going to watch this subject and see if this was a real incident or a case of a reporter making a story out of a poorly worded reply.
Dec 26 2005
Earlier this month Iowa State University suffered a security breach on two computers. One computer had credit card information, which was encrypted, but the other computer had at least 3000 Social Security numbers that were stored in plain text. The thing that amazes me the most about this article is that this is the second major security breach ISU has had this year. You might have hoped they’d learn to better secure their network and computers after the first time.
It is becoming more obvious that it’s insufficient to just encrypt selected sensitive fields in the database. First of all, what I consider sensitive may be completely different from what someone else does. For example, I consider my Social Security number to be sensitive, and ISU obviously didn’t. Second, the contents of the database need to be protected not only from hackers, but from everyday users who are abusing the rights given to them. I have seen a number of varying statistics, but the best estimate I’ve seen places the percentage of insider-led crimes at around 70%. That’s a significantly greater threat than a hacker ever will be.
I encourage anyone out there creating a database that houses customer or employee information to encrypt the entire database. There will be a cost in terms of CPU usage, but the added level of security is more than worth it. CPU power is cheap, regaining customer trust after a breach isn’t.
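Whatever the scope of encryption, the detail that decides whether it helps against the insider case above is where the key lives: if the database can decrypt the data itself, so can anyone with rights on the database. The following is an added example, not code from the post or from ISU: it stores records in SQLite with the sensitive column encrypted and authenticated under a key the application holds and the database never sees, plus a keyed blind index so the application can still look a record up by SSN without storing it in the clear. The application key, table name and sample records are constructed for the example; the HMAC-SHA256 counter-mode construction is an illustration using only the standard library, and a real deployment should use AES-GCM from a vetted library instead.

```python
import hashlib
import hmac
import os
import sqlite3

# Hypothetical application key: loaded from a file or HSM at start-up in real life,
# constructed here for the example. It is never written to the database.
APP_KEY = hashlib.sha256(b"example-only-key-material").digest()
NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key, purpose):
    """Derive an independent sub-key per purpose so one key serves enc, mac and index."""
    return hmac.new(key, purpose, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode as a PRF keystream (illustrative stand-in for AES)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_field(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_field(key, blob):
    """Verify the tag before touching the ciphertext; raises on tampering or wrong key."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("field tampered with or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


def blind_index(key, value):
    """Deterministic keyed hash so equality lookups work without a plaintext column."""
    return hmac.new(_subkey(key, b"idx"), value, hashlib.sha256).digest()


def setup_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, ssn BLOB, ssn_idx BLOB)")
    return db


def add_student(db, name, ssn):
    raw = ssn.encode()
    db.execute("INSERT INTO students (name, ssn, ssn_idx) VALUES (?, ?, ?)",
               (name, encrypt_field(APP_KEY, raw), blind_index(APP_KEY, raw)))
    db.commit()


def ssn_as_dba_sees_it(db, name):
    """What a user with SELECT rights on the table gets: the stored bytes only."""
    row = db.execute("SELECT ssn FROM students WHERE name = ?", (name,)).fetchone()
    return bytes(row[0])


def ssn_as_app_sees_it(db, name):
    return decrypt_field(APP_KEY, ssn_as_dba_sees_it(db, name)).decode()


def find_by_ssn(db, ssn):
    row = db.execute("SELECT name FROM students WHERE ssn_idx = ?",
                     (blind_index(APP_KEY, ssn.encode()),)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = setup_db()
    add_student(db, "A. Student", "123-45-6789")       # constructed sample record
    print("DBA sees:", ssn_as_dba_sees_it(db, "A. Student").hex())
    print("App sees:", ssn_as_app_sees_it(db, "A. Student"))
    print("Lookup:  ", find_by_ssn(db, "123-45-6789"))
```

The trade-off is the one the post names: every read and write now costs a little CPU in the application, and the blind index leaks equality (two students with the same SSN get the same index value), which is the price of being able to search at all. The key management is the part that actually matters: back up and rotate the application key separately from the database, or a restored dump is worthless and a stolen server is a total loss.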
Edit: Here’s information about the security breach earlier this year.
Dec 26 2005
Well, I guess I’m as gullible as the next person. According to BoingBoing, the article about the University of Massachusetts student being visited by the DHS was just a made up story.
Dec 24 2005