Archive for June, 2006

Jun 19 2006

Quick Link to fighting spam

Published under Phishing, scams, etc.

I haven’t had a lot of time to blog lately, but here’s a good link to some ideas on how to keep your inbox spam-free.  I’ve been reading a lot of good stuff on Darknet.org lately, and this is just one of the latest stories.


Jun 15 2006

Protecting yourself from identity theft

Published under Simple Security

Wired News has a good article on protecting yourself from identity theft.  I wasn’t aware that there is a phone number you can call to opt out of all those credit card offers we get in the mail.  I think I just discovered a way to cut my daily mail in half.


Jun 15 2006

Continuing conversation: NSA and Human Intelligence

Published under Government

Michael Farnum and I are continuing our recent podcast conversation on NSA domestic spying in our blogs.  Previous comments here and here.  By the way, a listener, Benjamin, pointed out that we missed one point in our conversation.  We argued that perhaps the NSA needed an incredibly fast turnaround time on their phone tapping.  However, the FISA laws allow for a 72 hour grace period during which the agency can ask for a warrant.  The NSA never even tried to get those.

So you think I’m naive, do you, Michael?  I think you’re operating under a number of false assumptions that need to be examined.  The first assumption is that phone tapping is going to be effective in its stated goal of catching terrorists.  There is a chance that the NSA will catch a terrorist due to wholesale wiretapping of our phone calls, but if they do it will be more a matter of lucky happenstance than real investigative work.  If you’ve ever done any work with an Intrusion Detection System, you’re familiar with the concept of false positives and how easily they can overwhelm a system and hide the real attacks.  Maybe the NSA has created an algorithm that’s free of false positives, but I sincerely doubt it.  They’ll have to have a real human sifting through thousands of innocent citizens’ phone calls just for the possibility of catching one terrorist.
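The false-positive point above is the base-rate problem every IDS operator runs into, and it is easiest to see with numbers.  The following is an added example, not code from the original post: it takes a constructed scenario (a million calls, ten of genuine interest, a detector that catches 90% of those and wrongly flags 0.1% of everything else; all of these figures are assumptions) and works out how much of the alert queue is noise and how many analysts it takes to clear it.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class ScreeningResult:
    """Expected outcome of running one detector over a population."""
    true_positives: float
    false_positives: float
    false_negatives: float

    @property
    def alerts(self) -> float:
        # Everything the detector flags, real or not, lands in an analyst's queue.
        return self.true_positives + self.false_positives

    @property
    def precision(self) -> float:
        # Fraction of alerts that are genuine; 0.0 when nothing is flagged.
        return self.true_positives / self.alerts if self.alerts else 0.0


def screen(population: int, actual_positives: int,
           sensitivity: float, false_positive_rate: float) -> ScreeningResult:
    """Expected counts for a detector with the given hit rate and false-alarm rate."""
    negatives = population - actual_positives
    tp = actual_positives * sensitivity
    return ScreeningResult(
        true_positives=tp,
        false_positives=negatives * false_positive_rate,
        false_negatives=actual_positives - tp,
    )


def analysts_needed(alerts: float, minutes_per_alert: float,
                    minutes_per_analyst_day: float = 480.0) -> int:
    """Whole analysts needed to clear the alert queue in one working day."""
    return math.ceil(alerts * minutes_per_alert / minutes_per_analyst_day)


if __name__ == "__main__":
    # Constructed scenario, not a real figure: one million calls in a day,
    # ten of them genuinely of interest, a detector that catches 90% of
    # those and wrongly flags 0.1% of everything else.
    result = screen(1_000_000, 10, sensitivity=0.9, false_positive_rate=0.001)
    print(f"true positives: {result.true_positives:.0f}")
    print(f"false positives: {result.false_positives:.0f}")
    print(f"precision: {result.precision:.3%}")
    print(f"analysts per day at 5 min/alert: {analysts_needed(result.alerts, 5)}")
```

With those assumed figures the detector produces roughly a thousand alerts for nine real hits, so under one percent of what an analyst reviews is genuine, and lowering the false-positive rate does far more for the queue than raising sensitivity does.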

You’re right when you say HUMINT is hard.  That’s one of the reasons it was phased out by the CIA and other intelligence agencies in the last several decades.  It takes a lot of work, it takes a lot of people and it takes time.  You have to hunt down a lot of false positives in HUMINT too.  It requires being involved with real people and communities.  It means agents have to be out in the field, getting their hands dirty and chasing down the real suspects.  Not listening in on my conversations with a friend in Texas.  HUMINT is hard, it does take time, but it’s effective, unlike the wholesale spying on innocent American citizens that the NSA is currently engaging in.

But my real issues with the NSA phone tapping stem from two things.  I don’t believe that very many people in the federal government really believe that listening to the phone calls of Americans is going to be effective.  This is just a smoke screen by the government to allow them to do something the NSA has wanted to do for years.  The tapping is more likely to be used just to spy on ordinary people going about their ordinary lives.  Ordinary people who make mistakes and do stupid things.  It’s a law enforcement dream: listen in on every conversation so you can nail average citizens doing things they shouldn’t.  That may sound great to you, catching every criminal everywhere, until you realize that there’s already a name for it; it’s called a police state.  Some of the best security you can get, if you don’t mind giving up all of your civil liberties in the process.  My privacy is a right, not a privilege.

And that’s my second problem with the NSA’s spying: by giving in to the fears and phobias the word ‘terrorism’ evokes, by allowing the NSA to do this in the name of ‘security’, we’ve allowed the terrorists to win.  They’ve induced a bigger change in the character of American life by making us so paranoid that we’d allow anything in the name of security than any act of terrorism ever could have.  We’ve become our own worst enemies, willing to give up the rights to freedom of speech and freedom from unlawful search and seizure for the illusion of security.  Which is all domestic phone tapping is going to give us, an illusion.

HUMINT will take time.  We should have been doing it for decades already, but we haven’t.  A Band-Aid like phone tapping isn’t going to make up for that.  We have a lot of catching up to do, and we need to get started.  So what if it’s hard?  It’s the only thing that’s really going to be effective, so quit pretending that phone tapping’s really going to make up for several decades of being lazy.


Jun 13 2006

Network Security Podcast, Episode 31

Published under Podcast

Here is the second half of my discussions with Michael Farnum of An Information Security Place and Dr. David Taylor of Protegrity.  Michael and I debate the NSA’s domestic spying and what it means, while Dr. Taylor and I discuss some of the basics of security.  And this one beats last week’s by a few minutes.

Michael and I are continuing our discussion of the NSA spying on our blogs.  Right now the ball’s in my court and I should be posting on this early tomorrow.  For now though, I’m off to meet my friend Jeremiah Owyang at SF Blogger Dinner at Hotel Utah.  If I can find the dang place that is.   One last thing, I tried encoding this podcast using Variable Bit Rate compression.  Let me know if you notice a difference in the sound quality.  Or the quality in general.

Network Security Podcast, Episode 31, June 13, 2006

Time:  47:29

Tonight’s music:  Return to you by Carra Barratt

I’ve been told it helps if I actually include the hyperlinks


Jun 13 2006

Where is the human intelligence in NSA?

Published under Government

Tonight I’ll be releasing the second part of my discussion with Michael Farnum and Dr. David Taylor from Protegrity.  I’ve been thinking more about the conversation with Michael about the NSA’s spying and why it bothers me.  And I realized that we didn’t discuss one of the biggest problems with wholesale monitoring of phone calls:  it’s not effective.

One of the biggest problems the USA had leading up to the war in Iraq was intelligence.  We’d spent the better part of the last decade developing technological solutions to information gathering.  We had the capability to monitor phone calls, we had satellites in the sky with cameras that could count the grains of sand.  We believed that all of the technology told us everything we needed to know about what was happening inside Iraq.  We were wrong.

One of the things we discovered in the wake of the war was that we were missing a lot of information.  We had abandoned decades of using people to gather information, in favor of technology.  But the real information was in the conversations happening between the people, not in how vehicles were moving across the desert.  We crippled ourselves by paying too much attention to bits and bytes, and not enough to the real people doing horrible things in the desert.  And we’re still paying for it.

So why does the NSA think stopping terrorism in the US will be any different?  A real terrorist knows that the NSA is using computer algorithms to monitor phone calls, and isn’t going to use them to communicate.  They’ll use messengers, they’ll use snail mail, they’ll meet face to face.  None of these will be picked up by the computers.  There will be misguided college students talking about ‘what if’ situations that will really trip the alarms.  It’ll be the wanna-be terrorists that are caught, the people who are too stupid to actually pull off an attack, but really want to talk big.  And the NSA is going to hold them up as proof that the program is working.

But while this happens, we’ll be missing the real communication between real terrorists.  This happens in the communities, in the informal get-togethers, in back alley warehouses where these people meet.  Or it happens in living rooms and bars.  Only by getting involved in these organizations and communities will the NSA be effective.  Get your spies in place, watch the people who are doing the planning, find people who are willing to be moles.  But quit listening to my phone calls without judicial oversight!  Knowing that I only call my mother once or twice a month but order out for pizza every Tuesday isn’t going to help protect me.  It’s only by hitting the ground and getting involved with real people that the NSA is going to protect me.

I’ve shut off comments, but send me an email at nsp@mckeay.net if you’ve got some feedback.  Or leave me a voicemail at 916-231-9479.


Jun 12 2006

Podcast Roundtable # 6

Published under Podcast

Once again, we’ve recorded another episode of the Podcast Roundtable.  I think this was the best Podcast Roundtable we’ve done so far, both from an audio quality and a content quality standpoint.  The topics included HP severely limiting telecommuting, the future of marketing in the corporation and a discussion about having too many passwords, which really was about Identity 2.0.  We’re hoping we can continue that conversation with one or two experts in the field, because it really is a topic worth further discussion.  Take a listen and tell us what you think.


Jun 12 2006

Two brand new security podcasts

Published under Podcast

Two of my blogging friends have decided to join the ranks of the podcasters.  The first is Alan Shimel from StillSecure, After All These Years.  Alan takes a few minutes to rant about security magazines, awards and how some magazines allow security companies to buy awards.  Alan’s more than a little ticked, and who can blame him.  On the other hand, I’d always assumed that the awards were for sale if you advertised enough with the magazine, so I’m not really surprised by this.  Cutaway at the Cutaway Security blog has also created a new podcast.  His first subject is the necessity of teamwork as a security practitioner.  He found out the hard way exactly how much of a time sink creating a podcast can be!

Take a few minutes to listen to the new podcast and give the guys some feedback.  They’re both under ten minutes and allow for streaming audio, so you won’t have to spend a lot of time to explore the podcasts. Alan’s been on the podcast a couple of times, so you might recognize his voice.  Cutaway will probably be on a future podcast.


Jun 12 2006

Why did they allow personal equipment in the first place?

Published under Government, Simple Security

The Veterans Affairs Department has decided they aren’t going to allow employees to use personal equipment for business anymore.  But why were they allowing it at all?  I’m quite surprised they ever did.  Every company I’ve worked at in the last decade has had very strict policies about attaching personal equipment to the network.  Though, to be truthful, it’s been less well enforced in some companies than in others.

If an employee does a job that’s important enough for them to need remote access, they need to be using company equipment to do it.  The IT department cannot be responsible for maintaining personal computers, nor can they guarantee patch levels and anti-virus configuration.  Only by using company equipment can the basic security level of the remote system be guaranteed.  This basic step also keeps data from leaking onto personal systems.


Jun 09 2006

I need some cheap USB thumb drives!

What an evil, sneaky, underhanded way to social engineer a business!  I like it!  This company took twenty USB thumb drives, seeded them liberally with malware and pictures, and left them on the ground outside the credit union they were targeting.  People fell for it, and quite frankly I can’t say I blame them.  If I found a thumb drive lying around in the parking lot, I’d probably plug it into a system to see who it belonged to myself.  Or at least I would have before I read this article.

This was done as part of a penetration test, with the full approval of the company that was attacked.  But is it really safe for anyone to assume that any media you find lying around was lost, not placed there on purpose?  This really would be a good way to target almost any company you might want to mention.  It’s so much safer to always assume a malicious intent and take the proper precautions than it is to assume innocence.  This is why I always get so angry when businesses talk about stolen laptops and the thieves not knowing what they have.  You have to assume malicious intent and prove that none exists, not the other way around.


Jun 08 2006

Recalling laptops at the VA

Published under Government

This news surprised me a little, but given what they’ve been through recently, I guess it shouldn’t have.  The Department of Veterans Affairs is recalling every laptop computer in the Agency, as was announced this morning.  We’ll have to wait to hear more about the recall, but I would guess that they’ll be auditing for the presence of sensitive information on the laptops and installing software to make sure a similar incident can’t happen in the future.  Of course, this is the Federal government, so they could possibly be recalling them permanently and making the employees work from desktops.  That’d be overkill, and only work until someone breaks into a branch office and steals several of the desktops with sensitive information on them.
