Archive for August, 2007

Aug 28 2007

Network Security Podcast, Episode 74

Published under Podcast

Tonight’s podcast is an interview with Marc Maiffret, Chief Technology Officer for eEye Digital Security.  I also talk a little bit about a couple of the issues that caught my attention this week: a paper on Point of Sale vulnerabilities and the recent Sony rootkit on a USB stick.  One thing I forgot to mention in the podcast is that Paul and Larry sent me a signed copy of their book, Linksys WRT54G Ultimate Hacking.  I’m planning on turning my spare WRT54G (version 6) into a VPN server in the not too distant future, so that the next time I go to an event like Defcon, I’m a little less worried about accessing the Internet.

Show Notes:

Network Security Podcast, Episode 74

Time:  42:04


Aug 28 2007

Who do you call when your drive crashes?

Published under General

The folks at DriveSavers have been recovering data from crashed, burnt and flooded hard drives for more than 20 years. They have a 90 percent recovery rate for getting the data off of drives that would otherwise be unrecoverable. Scott Gaidano is the president of DriveSavers, and talks about businesses that use DriveSavers as a backup solution, how his company got started, and why they have a professional crisis counselor on staff.


Aug 25 2007

Securosis is back online

Published under General

Earlier this year Gartner started enforcing a policy of no blogging for their analysts.  It’s an understandable, if backwards, stance, since they make their money from the intellectual production of their analysts.  Unfortunately, this meant that one of my friends, Rich Mogull, had to quit blogging, at least on any matters security or IT related.  As most people who blog would tell you, blogging would increase the value of an analyst rather than taking away from it, but that’s not how management sees it.  And since they sign the checks, they get to make the rules.

Rich is now back on the scene though!  He’s left the comfy world of being a renowned security analyst and is working for himself for the foreseeable future.  I’m glad to see that he’s got big things planned for his blog and, as he puts it, “other surprises”.  Rich’s time as a Gartner analyst has given him a unique viewpoint on the industry and I’m very interested in seeing what he has to say about it, now that he is no longer under the restrictions of the corporate overlords.  He probably will have some contractual restrictions given his intimate relationship with the industry for the last seven years, but that’s nothing compared to what he had up until yesterday.

Welcome back to the world of blogging, Rich.  We expect big things from you in the future!  And we know there’s at least one opening at Gartner now. 


Aug 23 2007

“I don’t want to belong to any club…”

Published under Security Advisories

As Brian Krebs points out, the Groucho Marx comment, “I don’t want to belong to any club that will accept me as a member”, captures the spirit of the latest round of the Storm worm emails.  The simple rule of “if you didn’t ask for it, don’t open it” applies to these club membership spams just as well as it does to attachments.  I have to give these guys a little credit: this is a new twist on social engineering that will probably get them some good results.  At least for a little while.

The list of clubs or online services these spams refer to is around 30 as of today, but you can be certain that it’ll keep growing as people catch on to the first wave of fake services.  The problem with these worms is that they’re easy to update, so new fake services will be added quickly, I’m sure.  Another annoying aspect of the Storm worm is that it changes its binary every 30 minutes, making signature-based detection that much harder.


Aug 21 2007

Network Security Podcast, Episode 73

Published under Podcast

Winn Schwartau is a character and the brains behind Security Jeopardy every year at Defcon.  I met him at the event briefly this year and was able to talk him into giving me an interview for the podcast.  Of course, getting him to do the interview was as easy as asking, but setting up the call was a bit of a comedy of errors.  This interview was recorded Sunday, August 19th.

Show Notes:

  • BaySec and CitySec – Attend one near you, just for the networking opportunities.  It’s an informal meeting of security professionals getting together to talk.
  • Security Round Table: Security Career Success
  • Pearl Harbor dot Com – One of Winn’s books.  I haven’t watched the last two Die Hard movies, so send me an email if you’ve read the book and seen the movie.
  • Tonight’s Music:  I’m no Superman by DualCore

Network Security Podcast, Episode 73

Time:  33:50


Aug 21 2007

Defcon 2007: Robert Graham, Errata Security

Published under Hacking

Robert Graham is the CEO of Errata Security, as well as being a well-known security blogger, appropriately at the Errata Security blog. We took a few minutes at Defcon to talk about the Wall of Sheep, as well as a vulnerability in Gmail and all of the major Web-based email systems. While such systems use HTTPS to establish a secure connection for the initial username and password exchange, they do not continue to use HTTPS for the entire session. Because of this, anyone who intercepts the communication between your system and their servers can capture your cookies and impersonate you until the cookie expires. Robert explained this vulnerability during his talk at Black Hat.
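One way to check a site for the weakness described above, as an added example that is not the post’s own code nor anything from Errata Security: it audits the Set-Cookie headers an HTTPS login returns and reports session cookies that lack the Secure attribute, since a browser will replay those on any later plain-HTTP request to the same site, which is exactly the capture Robert describes. The cookie names, values and domain are constructed sample data.

```python
"""Audit Set-Cookie headers for session cookies that would leak over plain HTTP."""

# Constructed sample: what an HTTPS login response might set (not real cookies).
SAMPLE_LOGIN_RESPONSE_HEADERS = [
    "SID=constructed-session-id-1; Domain=mail.example.test; Path=/; HttpOnly",
    "PREF=lang=en; Expires=Wed, 21 Oct 2009 07:28:00 GMT; Path=/",
    "AUTH=constructed-auth-token; Secure; HttpOnly; Path=/",
]

# Name fragments that usually mark a session or authentication cookie (heuristic).
SESSION_NAME_HINTS = ("sid", "sess", "auth", "token", "login")


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")  # only the first '=' separates name/value
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")      # flags like Secure have an empty value
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def is_session_cookie(name, attrs):
    """Heuristic: auth-looking name, or no Expires/Max-Age (browser-session scoped)."""
    lowered = name.lower()
    persistent = "expires" in attrs or "max-age" in attrs
    return any(hint in lowered for hint in SESSION_NAME_HINTS) or not persistent


def audit(headers):
    """Return [(cookie_name, [problems])] for session cookies that can be hijacked."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if not is_session_cookie(name, attrs):
            continue
        problems = []
        if "secure" not in attrs:   # browser will send it on http:// requests too
            problems.append("missing Secure: replayed over plain HTTP, capturable on the wire")
        if "httponly" not in attrs:  # readable by page script, so XSS can steal it
            problems.append("missing HttpOnly: exposed to script")
        if problems:
            findings.append((name, problems))
    return findings


if __name__ == "__main__":
    for name, problems in audit(SAMPLE_LOGIN_RESPONSE_HEADERS):
        print(f"{name}: " + "; ".join(problems))
```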


Aug 21 2007

We won’t track our users, honest!

Published under General

I like “Beaker” a lot, and while I sometimes disagree with his take on things, I couldn’t agree more with his stance on digital watermarking of MP3 files.  Anyone who thinks that the current stance of watermarking files so that they can tell which songs are popular isn’t just an experiment to see if users are willing to accept the technology hasn’t been watching the extremes the music industry is willing to go to for a buck.  This is the same industry that was willing to compromise the security of your computer by placing a trojan on your computer to track usage of their audio tracks.

We already know that the MPAA is watermarking the movies they send out for review and can track back to the person who shared them fairly easily.  It’d only take a couple of cycles of computing power to add a serial number tied to your download account in the audio track of a song.  This is scary enough, but given the privacy track record of music companies, I wouldn’t be at all surprised if they included additional personal information to make it easier on themselves to hunt down ‘offenders’.  And what the RIAA puts into an MP3, some industrious individual will find a way to extract later.

The funny thing is, the same people who find a way to decode the watermarks will probably be the same ones who’ll find a way to remove the watermark.  It’s an arms race between corporations trying to protect a dying paradigm and users who just want cheap music they can play anywhere.  If the recording industry would stop spending so much time trying to punish listeners for enjoying music and instead spend the same energy trying to get music to market cheaply enough that most people would rather buy it than take a chance on a BitTorrent source, everyone would be happier.  The recording industry would probably make more money in the long run, even though they’d no longer have total control over the distribution of their music.  And that’s what this is all about, control and profit.

By the way, anyone who thinks the line about “protecting the artists” is anything but crap hasn’t paid much attention to what happens to all but the top 2-3% of musicians.  I wish I could find some statistics on how many artists end up owing the recording companies money after their first album.


Aug 19 2007

More data points in the disclosure argument

Published under Simple Security

I’ve always been a proponent of ‘responsible disclosure’; that is, researchers give companies a reasonable amount of time to research and fix vulnerabilities, and in return companies give researchers credit and treat them with respect.  This is a workable system, but it takes everyone involved acting like an adult, and it offers no hard and fast rules for how long a reasonable amount of time is.  It’s not easy, but it is workable.

There are extremes at both ends.  Some companies would prefer that researchers stop mucking around in their products and get real jobs.  The problem with that position is that the bad guys are going to continue to find vulnerabilities in products, because that’s where the money is.  So obviously, non-disclosure isn’t going to work.  At the other end of the spectrum, full disclosure gives the bad guys too much information and doesn’t give the affected companies the time needed to come up with a defense.  Another problem with this is that you can sometimes anger much of the security community, which is apparently what happened in the case of Whitedust; they shut down operations last week in response to heavy criticism and backlash from the security community.

Most situations sit somewhere between the two extremes.  Security researchers are trying harder to work with the companies who produce the vulnerable software, and in many cases companies are returning the favor and treating researchers with more respect.  This has yet to become the rule, as David Maynor’s nearly legendary relationship with the Apple corporation shows.  Apple would rather deny that the issues exist and let their PR department deal with any naysayers.  Companies like Google take a slightly different tack and say that the vulnerabilities reported to them are ‘expected behaviour’, as happened to RSnake.

It’s hard for a security researcher to continue to work with companies when the researcher is attacked or ignored.  I also understand why companies react so badly sometimes; after all, no one likes having their errors pointed out to them continuously.  But we’re at the point in the game where it’s up to companies to take the high ground, admit to their mistakes, fix them and credit the people who find the vulnerabilities.  Most researchers don’t have that much to lose if a company denies that a vulnerability exists, but then patches it a couple of months later.  On the other hand, every time a company does exactly that, it makes it less likely that the public is going to take the next denial at face value.

I’ve sometimes been hard on Microsoft for the security of their products.  But this is one area where I’ll give them the credit they deserve and say that Microsoft has made great strides over the last few years.  They still stumble once in a while, but it’s a lot better than attacking the people who are researching you, or constantly threatening to sue anyone who exposes a vulnerability, like a certain database company whose name starts with “O”.


Aug 17 2007

August SRT: Security Career Success

Published under General

The Security Round Table isn’t dead!  It’s been a busy last few months, but the latest episode is now available for download.  The audio’s a little rough, so we’re searching for an alternative to Skype for recording.  We’re already planning the next session, so hopefully there won’t be any more large gaps between episodes.

We had an excellent panel together to talk about how you can build a successful security career, with Michael Santarcangelo, Mike Murray, Dan Sweet and Ron Vereggen.  Any one of these gentlemen would be an outstanding career coach by themselves, but having them all together on one phone call made for an exceptionally enlightening session.  I add a little flavor as someone who’s in the middle of a job search right now. There’s a lot of good information here, whether you’ve already got a career in security or are contemplating one.

Download the podcast directly: 


Aug 16 2007

Good luck, John

Published under General

Since February, I’ve been video blogging for Podtech as much as possible.  It started with me covering RSA for them and continues today with my coverage of Black Hat and Defcon.  I’m not going to be rich off of this work any time soon, but it’s definitely allowed me to go to events I might never have been able to attend otherwise.  One of the big reasons I got this opportunity was thanks to John Furrier, who has now stepped down as the CEO of Podtech.

I’ve talked to some of my friends recently about the different stages a company goes through in its life cycle.  There’s the initial start up, the growth phase, the maintenance phase, and eventually the shut down phase.  I’m sure there are a lot more phases than that, but this is my own rather simplistic view of it.  Each phase has its own requirements and skill sets necessary to be successful.  John’s strength is in the start up of a company and creating a vision of what that company is capable of becoming.  He’s the guy who’ll get everyone excited about the potential and vision.  But that’s not necessarily the kind of guy you need to be running a company as it moves from being a startup to being a growth company with many years ahead of it.

It takes a lot of guts to be able to admit that it’s time to move on, to hand something you’ve built from the ground up to someone else to manage.  John Furrier’s done the right thing and is turning the company over to someone who’s more skilled than he is at the growth phase.  It’s something that had to happen sooner or later, and now was probably a better time than later.   Now John can move on to the next great idea and get more people excited about it.
