Archive for July, 2006

Jul 21 2006

Episode 3 of the Security Roundtable is out

Published by under Podcast

Woot!  Episode 3 of the Security Roundtable is ready for your listening pleasure.  The bunch of us got together to talk about the liabilities for reporting and responding to vulnerabilities.  This was the impetus for the discussion Alan Shimel and I have been having on our respective blogs (my half is on my Computerworld blog).  If we keep having discussions like this, someone might start believing that we really are professionals and spend a considerable amount of time thinking about this sort of stuff.

You can either go to the SRT site and listen to the podcast there, or you can download the MP3 directly.


No responses yet

Jul 21 2006

A security professional’s worst nightmare

Published by under General

Imagine you’ve told your company’s management of the risks of not making security enhancements to their site, then one of the scenarios you outlined actually happens.  You lead the company recovery efforts and then are summarily fired for incompetence, because they didn’t follow your suggestions.  This is exactly what’s happened to a friend of the Security Monkey.

This really is one of the nightmares I’ve had before.  As in ‘wake up covered in sweat’ nightmare.  We do our best, we tell management the risks, but it’s up to them to make the decisions as to whether or not to follow through.  But what do you do when they won’t listen to common sense and then blame you after the fact?

I hope more details come out on this case.  I agree with several of the comments on the posting:  this security professional needs to consult a lawyer as soon as possible.  If what he says is true, he has one heck of a case against his former company.  I’d also like to hear some of the details from the company’s perspective.  Not to say the professional is lying, but our own personal viewpoints always taint our stories.  I’m sure the CEO would tell a slightly different story; question is, would he tell the truth or just tell us what he needed to to cover his own rear?


No responses yet

Jul 20 2006

Breaking news: The AT&T case will be allowed to proceed

Published by under Government

I make no secret of the fact that I’m a big proponent of personal privacy and that I’ve felt that our own government has been one of the biggest enemies to our privacy over the last few years.  The President and the NSA have participated in numerous examples of spying on American citizens that I personally feel are wholly inappropriate in a democracy such as ours.  And one of the best examples of this spying has been the cooperation between the NSA and AT&T.  I was very happy when I heard that the Electronic Frontier Foundation had filed a class action lawsuit against AT&T.  I wasn’t too surprised when I heard that the Federal government had moved to have the whole case dismissed under the province of the state secrets privilege.  Today, I was very happy to hear that the judge in the case has denied that motion and the case will be allowed to proceed.  Yippee!  A strike for our civil liberties.

I’m not going to get into the whole argument again, but you can read some of the discussions I’ve had with Michael Farnum on this issue (1, 2, 3), or go back and listen to the two podcasts we did together (1, 2).  I encourage you to take some time and research the issue and make up your own mind.  I just hope I haven’t gotten myself on some government watch list over the last couple of months by objecting to being monitored.


No responses yet

Jul 20 2006

John Hodgman on Network Neutrality

Published by under Government

This is from The Daily Show.  May not be technically accurate, but funny!


One response so far

Jul 20 2006

Misconfigured card readers let in penetration testers

Published by under Hacking

There’s been a lot of good stuff published on Dark Reading lately.  This article on a penetration tester who used his shopping card to gain access to a facility is another one to add to the list.

I also think the points made in the article about social engineering and how helpful some of the employees at the company were in giving directions are pretty indicative of most companies.  No one wants to be thought of as rude, so of course they’re going to answer requests for directions.  Too bad the employees never wondered if the penetration testers should have been there in the first place.


No responses yet

Jul 19 2006

A real life case-study of a cyber-terrorism attack

Published by under Hacking

This is going around the net, and looks like it’ll be worth reading.  It’s a case study of a compromise of a site that was taken down because of its political affiliations.


No responses yet

Jul 19 2006

What sets off your alarms?

Published by under Security Advisories

Yesterday afternoon, I received an email on a mailing list that set off alarms in my head.  Marc Freedman was recommending people disable Windows Genuine Advantage and install NetChk Protect from Shavlik Software.  So far so good.  But then I started looking at the link in the email and the wiki it pointed to; everything about it looked funny to me and I had to speak up about it in the mailing list.  First of all, here’s the link that was posted in the mailing list:

  • http://MyLinkWiki.com/Software : When I hit the page, the wiki had been edited 13 minutes prior.  I’m not a Wiki expert, but this was one of the first things to make me cautious.  The wiki itself is rather sparse and looks pretty new.
  • P2P File Sharing:  The first link on the Wiki page about NetChk led to a site called P2P File Sharing and a post also written by Marc.  Flags for me were the self-reference from the wiki, the fact that it’s a P2P site and the general layout, which looks to me too much like a blog aggregator site (Is there a better name for those sites that use bots to take blog entries from various sites and republish them as their own?)
  • Windows Secrets Newsletter:  The second link on the page was to a newsletter talking about NetChk.  This page didn’t have much that would have tripped any alarms in and of itself, but there were a dozen or so minor issues on the site that did nothing to make me less cautious about the original post and site.
  • The fourth link on the site was actually a link to Shavlik and NetChk Protect.
  • Marc’s own site, Dallas Blue, has several popups that were blocked by Firefox when I visited it, at least one of which was a script.  I’m not the best web designer in the world (obviously), but Dallas Blue doesn’t look like it’s had its site redesigned since the early 90s.  Sites using pop-ups are always going to be suspect, but a script is doubly so.  I’m including the link for completeness, but until I hear from someone who has the time to review the script, I would not advise visiting the site:  Dallas Blue.

Now Marc has come back on the list and very calmly stated that his site is on the up and up.  I have not found anything on his sites that is actively malicious, I want to make that very clear.  But I only had about 5 minutes to make my first post on the mailing list, and I decided it was better to make people cautious about visiting his site than remain silent and possibly be right in my suspicions.

I know I’ve still got comments disabled, but take a look at Marc’s site, and let me know how you would have reacted to the posting.  Either give me a call at 1-916-231-9479 or email me at nsp@mckeay.net.  I’m including the original mail to the list in my extended entry to help you make your own judgement.


No responses yet

Jul 18 2006

Network Security Podcast, Episode 35

Published by under Podcast

Note to self, don’t schedule interviews before the second cup of coffee.  This past Sunday morning I had a chance to talk to Brian Contos from ArcSight, who has a book coming out next month, Enemy at the Water Cooler: True Stories of Insider Threats and Countermeasures.  Brian has a lot of great stories and experience dealing with the insider threat in the real world, which he’s more than willing to share with us.  There’s a lot more Brian has to share, so we’ll very likely be hearing from him again in the near future.  It ended up being a long interview, but I hope you get as much out of our conversation as I did.

Network Security Podcast, Episode 35, July 18th, 2006

Time:  51:20

Tonight’s Music:  Michael Burks – Heartless from Alligator Records


One response so far

Jul 18 2006

Maybe someone in the government gets it after all

Published by under Government

The Office of Management and Budget has mandated that federal agencies notify the US-CERT within an hour of discovery of an information security breach, even if it is only suspected.  This does not mean that the public will get notification of a breach any quicker, but it does mean that agencies won’t be able to keep this information internal for months on end.  


No responses yet

Jul 18 2006

Microsoft acquires Mark Russinovich (and Sysinternals)

Published by under General

Congratulations to Mark for being made a Technical Fellow at Microsoft in the process.  I’ve been following Sysinternals for most of my career in IT, so I’m happy for Mark, Bryce Cogswell and everyone else at Winternals Software, but I’m left with a little hollow spot.  Will Mark still be able to dig into interesting projects, like the Sony Rootkit?  I’m hoping we can look forward to more of this type of work from him without too much influence from his higher-ups at Microsoft.  We’ll have to wait and see.


No responses yet
