Archive for June, 2007

Jun 11 2007

Bad Safari

Published by under Apple/Mac,Security Advisories

The guys over at Errata Security found a memory corruption error in the new Windows beta of Safari before (to quote a friend) “the ink was even cold on the press release”.  And all using publicly available tools. Ouch.


No responses yet

Jun 06 2007

Congratulations to Ms. Amero

Published by under Government,Malware,Privacy

Do you remember Julie Amero, the substitute teacher who got convicted of felony charges because she couldn’t stop pornographic pop-ups from malware infecting the school desktop?  Today a judge ordered a retrial for her, stating that there was information discovered after the fact that directly impacts her case.  I’ll be very surprised if she gets convicted of anything in her new trial.  It actually looks to me that the State now has the option to not pursue this any further, which might be in their best interest.

I’m not a forensics investigator, but it sounds like the initial investigators made almost every mistake in the book during the process and that her first lawyer barely knew enough about the technology to use email.  Everything I’m reading says this case probably shouldn’t have even gone to court.  Little things like keeping your anti-virus and patches current help a little in preventing this from ever happening, too.  I’m glad people like Alex Eckelberry are helping to straighten this out.

Added:  A good summary and some good links over at Threat Level.


2 responses so far

Jun 05 2007

This is clearly a Shadow Run Elf, not a Vulcan!

Published by under General

Obviously, Chris Hoff doesn’t know the difference between an elf and a vulcan!

I’m almost as much of a geek as Michael Farnum with his fixation for the Teenage Mutant Ninja Turtles.  In case you didn’t know, Shadowrun is a sci-fi/fantasy role playing game where magic and machines exist together in the near future.  And yes, there were elves in skin tight armor with big guns in the game.  I gave my copy of the first edition rules away to a friend a couple of years ago.  Hmmm, maybe I win the geek contest with Michael after all.

Is it a sign that our industry is maturing that we’re starting to use sex to sell? Or is it a sign that we’re lacking in any substance worth selling and have to rely on sexy images? Obviously, the answer is a little bit of both, but the fact that a security company can afford a full page ad in USA Today says something about the amount of money in security.

I’m sure Alan will have a little something to say on this, given his previous rants on booth babes.  I don’t see this as any different.  And it works, so I don’t think this’ll be the last time we see it.


2 responses so far

Jun 05 2007

ATM mishap

Published by under Privacy,Simple Security

Early last month I accidentally left my ATM card in a local machine.  As a good security professional, I called and had the card canceled as soon as I realized what I’d done.  When I got the new card, everything was good again.  Except for the accounts I’d had using that card, such as my ISP.  Which I was reminded of by a banner across my browser this morning.

If losing one card can cause this much trouble, I hate to think of what recovering from a case of identity theft would be like for the victim.  The people I’ve talked to say the recovery is a several year long process, and can have repercussions for years.  Having to replace a single card is a cake walk in comparison.  I’m just glad of the excellent support staff at Sonic.net that had me back online within 30 minutes.

Have you had a personal experience with identity theft or know of a site about personal experiences?  Send me a link or leave a comment.


3 responses so far

Jun 04 2007

I’m still around

Published by under General

I’ve been trying hard to get adjusted to my new position as Cobia Product Evangelist, sometimes too hard.  Last week I realized I was over-analyzing everything and nearly paralyzing myself with the effort. So I’ve decided to get back to the basics, blog a lot, make some mistakes and quit worrying about it.  Better to do something and make some mistakes than to spend all of your time worrying about that first mistake.

I’ll get back to my daily blogging schedule, or at least something like it.  The podcast is still going to suffer a little for a while, but I’ll try to get an episode out this week.  We’ve got the third episode of the Cobia Community Podcast if you can’t wait to hear my voice.  Slowly, as I get life under control again, the podcast will return to something like a regular schedule, but I fear my days of a weekly personal podcast are done for a while.  And on a side note, I have a small side project I’m doing with some friends, a ’30s detective drama.  Give that about six months until we get something that we actually feel is worth posting.

Thanks for sticking with me during this career transition.  Chris Hoff pointed out to me several weeks ago that the move I’ve made really is more of a new career track than anything I’ve done before.  Change is stressful, but I’m learning a lot in the process.  Now I just have to figure out how to change a life of total chaos into something resembling controlled chaos.


One response so far

Jun 04 2007

Insider threats in the IT department

Published by under General

I’m not sure why it surprises anyone that a study indicates one in three IT employees would abuse their access.  To me, this just illustrates basic human nature; a certain number of people are going to abuse their power, no matter what.  It’s true in politics, it’s true in the board room, why would the server room be any different?

There’s been a lot of talk about the insider threat versus the threat of someone coming from the outside.  Both are important issues to deal with, but this study highlights two reasons I think the insider threat should be a bigger concern than it is.  First, the fact that this study surprises anyone is an indicator that we’re not taking the issue seriously enough.  Second, IT professionals have the opportunity and ability to access more internal resources than most users, all that needs to be added is a motive and you’ve got a breach.

This study was concerned with the abuse of passwords, but I wonder what an overall ethics survey of the IT field would turn up.  I’m willing to bet that to the more cynical amongst us, it wouldn’t be a big surprise.  I’d also like to see the same sort of survey given to a sample group of CISSPs.  Now that survey might turn up a few surprises, since we signed a code of ethics to become certified.  Would we do all that much better than the rest of the IT field?

People are people, good, bad and ugly.  IT professionals are no better or worse than anyone else.  This is one of the reasons we have checks and counterbalances in our systems, so that the abuse of one person is hopefully caught by another professional. 

Cyber-Ark wanted to prove that passwords suck; the stuff about IT staffers was just what the blogosphere latched onto.  Guess what, everyone knows passwords suck, but we haven’t come up with a better alternative yet.  And even when we do, people are going to abuse their privileges.
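The “checks and counterbalances” the post mentions are easiest to see as a second person reviewing what privileged accounts actually did. The script below is an added example, not code from the post or from Cyber-Ark: it runs two such checks over a handful of constructed privileged-access log lines, flagging an admin account touching a system outside its approved scope (a hypothetical scope table) and a privileged account used from several hosts within a few minutes, which is the footprint a shared or borrowed admin password tends to leave.

```python
"""Queue privileged-account activity for a second person to review.

Added example (not from the original post). Two simple checks over
constructed log lines:
  1. an account touching a system outside its approved scope;
  2. one privileged account used from several hosts in a short window,
     the pattern a shared or borrowed admin password leaves behind.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, account, source host, target system, action.
SAMPLE_LOG = """\
2007-06-04T09:12:00 dba-ops db01 sql-prod login
2007-06-04T09:15:30 dba-ops db01 sql-prod backup
2007-06-04T10:02:10 sysadmin-a ws17 file-srv login
2007-06-04T10:05:44 sysadmin-a ws17 hr-payroll read
2007-06-04T11:40:00 shared-root ws02 mail-gw login
2007-06-04T11:41:20 shared-root ws09 mail-gw login
2007-06-04T11:43:05 shared-root ws21 mail-gw login
2007-06-04T14:00:00 dba-ops db01 sql-prod restore
"""

# Hypothetical scope table: which systems each privileged account is approved for.
APPROVED_SCOPE = {
    "dba-ops": {"sql-prod"},
    "sysadmin-a": {"file-srv", "print-srv"},
    "shared-root": {"mail-gw"},
}


def parse_log(text):
    """Turn whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, target, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "src": src, "target": target, "action": action})
    return events


def out_of_scope(events, scope):
    """(account, target) pairs where the account touched a system it is not approved for."""
    findings = []
    for e in events:
        if e["target"] not in scope.get(e["account"], set()):
            findings.append((e["account"], e["target"]))
    return findings


def shared_credential_use(events, window=timedelta(minutes=10), max_hosts=2):
    """Accounts seen from more than max_hosts distinct source hosts inside any window."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)
    flagged = set()
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            # Hosts seen from this event forward while still inside the window.
            hosts = {x["src"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(hosts) > max_hosts:
                flagged.add(account)
                break
    return sorted(flagged)


def review_queue(text, scope=APPROVED_SCOPE):
    """Run both checks and return what a reviewer should look at."""
    events = parse_log(text)
    return {"out_of_scope": out_of_scope(events, scope),
            "shared_credential_use": shared_credential_use(events)}


if __name__ == "__main__":
    for kind, items in review_queue(SAMPLE_LOG).items():
        print(kind, items)
```

On the constructed sample, the scope check surfaces `sysadmin-a` reading `hr-payroll`, and the host-spread check surfaces `shared-root` logging in from three workstations in three minutes. Neither finding proves abuse; the point is that someone other than the account holder gets to ask.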


3 responses so far
