Network Security Blog

Earlier this month when I interviewed Alan Shimel, I asked him when they were going to have a Virtual Machine install of their Strata Guard product.  Apparently, the answer is “today”.  You can download a copy of the virtual machine at www.stillsecure.org.  I hope I can find some time to take a look at it myself this weekend.  If you get a chance to try this out, send me some feedback at netsecpodcast@mckeay.net or 916-231-9479

Technorati Tags: security, stillsecure, IDS

Episode 20, for your perusal. I had an interesting talk with Mike Rothman and Alan Shimel about the recent demise of the Sourcefire – Check Point merger. Mark had some idea’s I hadn’t considered before. I also take some time to answer some listener feedback and my PCI segment is a comment on the value of information. I really learned a lot about the quirks of both my sound editors, Propaganda and Audacity.  I also have an interview with Alex Neihaus of Astaro Internet Security coming up, but I have to retrieve a copy from the iRiver.   Never open a sound file in both versions 1.2 and 1.3 of Audacity at the same time; the results are not pretty.

Tonight’s music is Blue Bird Tattoo by Circe Link

Network Security Podcast, episode 20, March 28, 2006

• Universal Air Travel Plan, Inc
• Why store sensetive information locally at all?

Thanks for listening, and thanks once again to Alan and Mike for joining me.

Technorati Tags: security, PCI, Sourcefire, Check Point

My friend, Alan Shimel, asks the question, “3rd Party Patches – Should you use them?“  And I have to answer with a resounding ‘NO’.  The first third-party patch out there was the WMF vulnerability patch from Ilfak Guilfanov, and while I appriecated the fact that he made it available and it worked well, I didn’t install it because I don’t know Ilfak or anything about him.  I know who Microsoft, and while I don’t always like or trust the patches they come out with, I always know who to call if their patches break something. 

I also know, barring some catastrophic compromise, any patch I download from Microsoft will not have a trojan built into software.  I’m sure Ilfak’s patch didn’t and I feel reasonably sure the patch being offered by eEye will also be safe.  But if we start getting in the habit of using third-party patches, we run the risk becoming complacent and opening ourselves to additional vulnerabilities or hidden capabilities in the patch.  It’s a question of trust and accountability for the patch and it’s repercussions.  I feel I can hold Microsoft fully accountable, while I’m not sure I could hold a third party equally accountable.

I’m not saying there’s never going to be a reason to use a third-party patch.  But it’s not something we should make a habit of.  Microsoft sometimes moves slowly, but there hasn’t been a vulnerability that was so critical I couldn’t find some other way to mitigate the vulnerability.  By your milage may vary.  If a vulnerability comes out that you can’t mitigate against, you may have to use someone else’s patch to protect yourself.  Just make absolutely sure you know what your getting yourself into ahead of time.

Technorati Tags: security, patching, microsoft

This is a great idea, and I’m surprised someone hadn’t done this sooner: a fully portable version of PuTTY that sits on a USB drive and doesn’t have any hooks into the Windows registry.  I’m going to start keeping a copy of this in my own USB drives.

Technorati Tags: security, putty, ssh client

I’ve been looking for information on how to use an Active Directory structure in a distributed environment where some of the networks are isolated from the Domain Controllers for a while now.  I’m hoping this series of articles from Microsoft, called “Server and Domain Isolation” will have some of the answers for me.

Found via Dana Epp’s via Jesper’s Blog

Technorati Tags: security, windows, active directory

I’m really disappointed that the government has interfered with this merger.

Technorati Tags: security, Sourcefire, IDS

According to this article at SC Magazine many U.K. online shops are vulnerable to brute force enumeration.  The sites return one error message when an invalid username is entered, but return a different error message when a valid username with an invalid password is entered.  And many of these same sites don’t have a lockout mechanism, so hackers can keep trying passwords until they get the right one.

I’ve encountered some of this in my own enterprise, and it’s not directly addressed in the Payment Card Industry requirements.  However, PCI does require that software be developed to industry standards and specifically calls out the Open Web Application Security Project standards.  I think I can safely say this vulnerability would fall under Improper Error Handling.  A better way to handle the logon errors would be to return the same “invalid username/password combination” error message whether the account existed or not.

Technorati Tags: security, PCI

Last week I talked with Dan Sweet from the Podcast Roundtable about The One (and only) Purpose for a Resume.  As I said in my last podcast, I’m currently working on updating my own resume.  Dan’s helping me rewrite my resume and I have some of the same questions about resume’s that everyone else does.  We’ll be doing these IT Employment podcasts every two weeks and keeping them around 15 minutes or less.  Please contact with any questions you may have;  Dan’ll answer the questions and I’ll learn from the experience.

IT Employment Podcast #2:  The One (and only one) Purpose for a resume.

Technorati Tags: employment, resume

Here it is, episode 19!  New toys, a lot of privacy concerns, and Google won their court case.  I also had some more to say on the still emerging debit card compromise.  I finished up with my review of the PCI requirements tonight and I’m looking for something PCI related to talk about from now on.  If you have any thoughts or questions, please drop me a line at 916-231-9479 or email me at netsecpodcast@mckeay.net.

Tonights music is Another Round by Enter the Haggis

Network Security Podcast, Episode 19, March 21, 2006

• My AWStats page
• Security Blog Log:  The sobering scope of data fraud
• Georgia Tech ‘Tiger Teams’
• Finding security’s next ‘American Idol‘
• Tiger Team Winners Announced
• Judge tells DoJ “No” on search queries
• Visa warns software may store customer data
• IRS plans to allow tax preparers to sell data

Thanks for taking the time to listen

Technorati Tags: security, podcast, PCI, privacy

Even though it’s at least as much advertisement as it is advisory, Sana Security’s coverage of a new rootkit is worth taking the time to read.  You just have to get past the “We’re so great!” aspects of the advisory.  This rootkit is being installed by a trojan and is capturing passwords on infected systems, as well as searching the system for previously saved passwords.

Technorati Tags: security, rootkit, trojan