Archive for December, 2006

Dec 05 2006

Network Security Podcast, Episode 54

Published under Podcast

I’m back to my old format of discussing a number of interesting security issues from the last week in tonight’s show.  My voice is still recovering from my illness over the Thanksgiving week.  I’m also working on the move to the new colo server and WordPress in the next week or two.  Hopefully I’ll be able to coordinate with Michael Farnum to join me on the podcast next week.

Show Notes:

Dave Slusher at the Evil Genius Chronicles is sick
Larry Pesce from Pauldotcom Security Weekly has a new book out, Wireshark and Ethereal.  Okay, he didn’t write it, but he contributed.
IHOP asks for customer’s drivers licenses and they give them
Is this a major break in the ATM system?  I don’t think so.
CJ Kelly thinks the DDoS attack is dead, but Michael Farnum and I disagree.  And the evidence is in our favor.
Adam sides with the Seahawks fans, but Rich thinks a pat down is just the price you have to pay to go to a safe game.

Network Security Podcast, Episode 54, December 28, 2006

Time: 25:00

Tonight’s music:  Bad Magic by Doug Macleod

Dec 05 2006

My passwords are safe (not)

Published under Humor

I think Rich Tennant might know some of my users.

The 5th Wave, December 3rd, 2006

Dec 04 2006

Moving to WordPress

Published under Blogging

Just a warning, in the next two weeks I am planning on moving the entire site to a new server and WordPress.  I’m doing what I can to redirect the RSS feeds to the new site, but this is definitely not my strength.  I think I have a handle on how this will work, but consider yourself warned if the feeds suddenly stop working in the near future.

Dec 04 2006

How do DNS DDoS attacks work

Published under Hacking

Late last week I had reason to point a number of co-workers to an article on DNS DDoS attacks.  The best explanation I found was an article by David Piscitello, “Anatomy of a DNS DDoS Amplification Attack”.  Today the same article showed up on Mike Rothman’s Daily Incite as one of the top security news items.  Great minds must think alike.  Or something like that, at least.

Dec 04 2006

NIST recommends against certifying DRE voting machines

Published under Government

When independent researchers and concerned citizens talk about all of the potential problems with e-voting machines, it’s fairly easy for the manufacturers and government buyers to blow off our issues.  But when the National Institute of Standards and Technology (NIST) recommends against certifying the same DRE voting machines, it makes manufacturers sit up and take notice.

I’m hopeful, but I don’t necessarily agree with Ed Felten when he says this will be the turning point in making e-voting machines as secure and usable as possible.  I’m hopeful, but the e-voting machine manufacturers have constantly shown the ability to ignore the obvious and move in directions that are obviously wrong, as have the voting officials in many states and counties.  This report might finally be the stop sign that’s too big to ignore, but until we see how the final report actually reads, I’m not holding my breath.

Dec 03 2006

Privacy of emails

Published under Privacy

It’s funny how these things come around in the blogosphere: on Tuesday I posted about a suit the EFF is participating in, Alan Shimel commented on it and now Michael Farnum has extended the conversation.  That’s the great thing about the blogosphere, everyone can have their own unique view on an issue.

Michael brings up an interesting issue: bosses who want to read their employees’ emails.  I’ve had a little experience with this in the past and it was one of the pivotal issues in my career that made me realize how much I really value the privacy of employees in the workplace and how that has to be weighed against the needs of business.

More than a few years ago I was the administrator for all things computer related at a small manufacturing business.  I’d been working there about 18 months, a manager had been hired recently in the inventory department and he had a very rocky relationship with several of his employees.  I’d worked with the manager in the past at a different company and had problems of my own with his style and personality.  I don’t think it would have affected the incident if I’d gotten along better with him, but it’s a possibility.

One of this manager’s employees called in sick three days in a row, and on the fourth day, the manager demanded that I allow him to access her email account.  I refused in no uncertain terms, which the manager couldn’t understand: she was his employee so he had every right to read her email.  I told him that no, he didn’t, every employee had a certain level of expectation of privacy and I wasn’t going to give him access to the email without someone higher up in management overruling me.  This gave the manager a few hours pause, but he came back later to demand the access again.  I suspect he tried to get my one direct report to give him access but he was rebuffed and sent to me, though I never got confirmation of this.

We went back and forth over the remainder of the day and finally came to a solution: I would allow the manager to have access to his employee’s email, but only if he put his request in writing to his manager and HR; if they signed off on the request, I would give him the access he wanted for a limited time.  This satisfied his business need of accessing the email to review a business communication but also satisfied my desire to have management aware of the situation and make the manager responsible for any abuse of the employee’s email.  Quite frankly, very few people in the company understood why I was so adamant on this situation, but I felt I was protecting the company from a future lawsuit for the manager’s abuse of his ability to read his employee’s email.  Not too long after this incident the employee in question left the company and her manager was listed as one of the reasons she left.

This was one of the first times I wrote a privacy policy for a company.  After the incident, I wrote up what I considered to be an acceptable process for a manager to get access to their employee’s email, not because I knew about the creation of company policy, but because I didn’t want to have to have the same day and a half of argument again.  I had other managers who came to me with similar requests, some of which were granted by their managers, but others were turned down due to insufficient need.  I didn’t want to stop managers from doing what they needed to get their job done, but I did want there to be an oversight process.

As Michael says, having a change control process is important, but more important is having a privacy policy in place.  It protects the employees by making them aware of the fact that their manager has the right to read any electronic communication created using company equipment.  It also protects the company by laying out guidelines concerning when reading employee communications is acceptable and under what circumstances.  A privacy policy for your business can prevent any number of lawsuits from ever coming into being.  It is the company’s right to monitor their employees, but the guidelines for this monitoring need to be defined for everyone’s protection, not just created on the fly.

Dec 01 2006

Does your business check the identities of the copier repair guy?

Published under Simple Security

I’ve never worked at a bank, but given what I’ve seen at my own bank, it doesn’t surprise me that someone posing as a copier repair guy would be able to easily access the network at a bank.  Looking at most of the businesses I’ve worked at before, it’d be relatively easy for someone to walk in and sit down at an unattended desk without even needing to pose as a repairman.

I’ve actually gotten nasty comments from co-workers in the past when I’ve questioned who a new person is or why a repairman is working on a particular piece of equipment.  And don’t even ask about some of the comments that have been made when I told contractors they couldn’t use personal equipment on the network. 
