Archive for August, 2007

Aug 15 2007

Black Hat 2007: Ivan Arce, Core Security

Published by under Hacking

I managed to catch up with Ivan Arce, chief technology officer for Core Security, to talk about a new class of SQL vulnerability that’s dependent on an algorithm common to most SQL databases. This was following a talk Ivan gave at Black Hat describing the nature of the vulnerability and how it could be used in the future.

I ran into Ivan a couple times at Defcon too, though I didn’t interview him again.  I may be able to get him on the podcast for a bit longer talk in the future, since what Core Security does is pretty interesting.  Of course, I could just leave the interviews with Core to Paul and Larry at PauldotCom.

No responses yet

Aug 15 2007

Baysec 4, not 40, coming up Monday

Published by under General

Monday, August 20th, is the date of the next BaySec meeting.  I’ve been disappointed because I’ve been out of town for each of the previous Baysec meetings, but I’m going to make this one.  I’ve met many of the folks who are helping organize this, but I’m looking forward to meeting more local security professionals.  If you’re thinking of going to this event and are coming from the North Bay, drop me a line (contact information is on the site, top right) and we can talk about carpooling.  It’d be nice to be able to use the carpool lane for a change.  I plan on hanging out for at least the alleged 3 hours, but I also plan on being sober enough to drive.

No responses yet

Aug 14 2007

Network Security Podcast, Episode 72

Published by under Podcast

Four years of blogging as of today!  Thanks to everyone who’s supported me while I’ve been doing it and hello to all the friends I’ve made thanks to the blog.  Looking forward to several more years of blogging to come.  Unless someone decides to pay me a large amount of money to stop blogging that is.  Tonight is my wrap up of Black Hat, Defcon and Linux World, all of which were interesting for various reasons.  Thanks again to Tinfoil for making it possible for me to attend!

Show Notes:

Network Security Podcast, Episode 72

Time:  33:22

No responses yet

Aug 13 2007

I gave in and created a Facebook account

Published by under Privacy

A friend of mine, Jeremiah Owyang, finally managed to bully me into signing up for Facebook.  Some of the privacy concerns I would express to the average Internet user don’t really apply to me, since so much of my life is already on the blog for everyone to see, so I figured something like Facebook couldn’t be that much more of an invasion of privacy.  I’ve made about 20 people my friends in Facebook, mostly by looking at some of their profiles and adding people I already know, but I’ve had a couple people add me as friends who I barely know. 

Of course, since I signed up on Wednesday, the source code for Facebook was leaked by the weekend.  It looks like it was a simple case of human error, but if you’re an intensive Facebook user, this might be enough to give you a little pause.  As I said, I’m not putting anything there that I haven’t already put somewhere else, but if you’re like a lot of users, you put your whole life up for your friends to see.  And if Facebook has another human error incident, it could be your home address or embarrassing posts that are exposed next time.

Always assume that everything you put online is viewable by everyone, not just your friends, and act accordingly.  It’s better to have your friends have to IM you to ask for your phone number than to put it out where every crackpot in the world could see it, despite the best policies and intentions. 

3 responses so far

Aug 13 2007

My nightmares have become a cartoon

Published by under Privacy

If you think I’m a paranoid, privacy nut, then you won’t want to watch this flash animation by Mark Fiore.  But if you think that there’s even a possibility that the federal government may have gone over the edge with recent legislative acts giving the NSA and White House expanded domestic spying rights, you’ll think this is hilarious in a scary sort of way. 

One response so far

Aug 12 2007

So Easy even I could do it

Published by under Hacking

I’m a pretty good security professional, but when it comes to hacking, I’m not so great.  I understand the tools, I’ve played with a lot of them, but my skills at actually hacking a site aren’t much above the “script kiddy” level.  So when I hear that the web site for the United Nations was hacked with a simple SQL injection attack, I’m more than a little surprised and annoyed.  This is the sort of attack even I could perform, and one that should have been closed on such a high profile site a long time ago.

I have to agree with Robert Graham, in that it’s surprising this doesn’t happen more often to sites on the Internet.  Given the ingredients of bored computer people, teenage and otherwise, the number of sites vulnerable to SQL injection and the ease of finding vulnerable sites in Google, you’d think we’d see a lot more sites defaced.  The only thing I can think of is that the majority of the sites compromised are so low profile they never capture the attention of the media and the blogosphere.

A friend of mine, Dan Kuykendall, recorded a podcast that will walk you through your own attempt at a SQL injection attack.  He’s even got a server set up for you to hack, though it’s a bit deceiving in that he’s got a lot of security built into the back end to keep you from getting too evil on the site.  Take an hour or so to walk through it and see how easy it is for yourself.  And you’ll be wondering why this isn’t happening more often too.
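To show what “simple” means here, this is an added example, not code from this post, from the UN site, or from Dan’s walkthrough.  It uses an in-memory SQLite database with made-up article data, puts the classic string-concatenation bug next to the parameterized version, and runs the same tautology payload against both:

```python
import sqlite3

# Constructed sample data standing in for a site's article backend.
# Nothing here is taken from any real site; it exists only so the two
# search functions below have something to query.
SAMPLE_ARTICLES = [
    ("Public statement", 1),
    ("Draft, not yet approved", 0),
    ("Internal memo", 0),
]

# Tautology payload: the leading quote closes the LIKE string, OR 1=1 makes
# the WHERE clause true for every row, and "--" comments out the rest of the
# original query so the trailing %' does not cause a syntax error.
PAYLOAD = "' OR 1=1 --"


def build_db():
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO articles (title, published) VALUES (?, ?)", SAMPLE_ARTICLES
    )
    conn.commit()
    return conn


def search_vulnerable(conn, term):
    """The bug: user input is pasted straight into the SQL text.

    Because AND binds tighter than OR, the injected clause turns the query into
    (published = 1 AND title LIKE '%') OR 1=1, which returns unpublished rows too.
    """
    sql = (
        "SELECT title FROM articles WHERE published = 1 "
        "AND title LIKE '%" + term + "%'"
    )
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """The fix: a bound parameter.

    The driver hands the value to the engine separately from the query text,
    so quotes and comment markers inside `term` are data, never SQL syntax.
    """
    sql = "SELECT title FROM articles WHERE published = 1 AND title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


if __name__ == "__main__":
    db = build_db()
    print("normal search, vulnerable:", search_vulnerable(db, "Public"))
    print("normal search, safe:      ", search_safe(db, "Public"))
    print("payload, vulnerable:      ", search_vulnerable(db, PAYLOAD))
    print("payload, safe:            ", search_safe(db, PAYLOAD))
```

Both functions behave identically on an honest search term; the difference only shows up when the input carries SQL syntax, at which point the concatenated version hands back every row, including the unpublished ones, and the parameterized version finds nothing.  The same hole that leaks rows with a tautology is the one that feeds UNION-based data extraction or a defacing UPDATE wherever the application lets attacker input reach the query text.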

No responses yet

Aug 10 2007

Buy your friends and family the latest issue of Consumer Reports

Published by under Simple Security

I’ve always been a big fan of the Consumer Reports magazine, but the September issue has to be my favorite one ever!  In nice big letters, the headline is “Stop ID thieves”.  They’ve got several articles on staying safe online and avoiding phishing scams, but I think one of the best pieces of advice they give is for people to turn on the protection they already have on their systems.  They also review many of the anti-virus programs and security suites, with a view towards the consumer who might not have a lot of experience in these things, and they rate Trend Micro at the top in all of the categories.  I’m not sure if I agree with their scoring and ranking, but at least it gives the average end user something they can easily understand.  I think I’m going to see if I can purchase 4 or 5 copies to give away.

One response so far

Aug 10 2007

Security mentoring in Texas

Published by under Security Advisories

I’ve been friends with Don Weber for some time now and we were even roomies at Defcon (thanks to another friend, Mike).  He’s teaching the Security 401:  SANS Security Essentials course in Corpus Christi, Texas beginning in September, and I can almost guarantee it’ll be worth attending.  He’ll be bringing a lot of real world experience to the table and he’s not afraid to share.  By itself, the Security Essentials course is worth taking, but with a straight shooter like Don teaching it, there will be no sugar coating or misdirection involved.

It’s fun to watch my friends grow in their careers to the point where I can feel confident endorsing projects like this.  My own experience with SANS training has been great, and the weight SANS gives the feedback students provide is extraordinary.  If you’re a SANS instructor and you get some bad reviews, you know about it and they’ll do their best to help you, but they’re not going to keep around an instructor who doesn’t meet their high standards.

One of the good things about taking a class like this from Don is making good contacts in the industry that can last long beyond the end of the course.  And I think I like the idea of taking a SANS course in two hour chunks rather than a week of highly intensive training.  It gives you a chance to think about what you’ve learned and develop questions to ask during the next class.  And you can ask anyone who’s ever been one of my instructors, I’m not shy about asking questions and giving feedback, whether they want it or not.

No responses yet

Aug 09 2007

Some of my worst nightmares coming true

Published by under Government,Privacy

Susan Landau wrote an article for the Washington Post explaining why Congress giving the NSA the right to tap phone conversations without a FISA warrant is such a bad idea.   To boil it down, in order to tap phone conversations between people outside the US and people in the US, the NSA would need to have standing taps in nearly every single phone interchange throughout the United States.  And as the Greek government has already learned the hard way, any surveillance technology that can be used by the government can potentially be used against the government.

Especially after attending Black Hat and Defcon, I’m under no illusions that such a system can’t be compromised.  It may only be for a few minutes at a time, as in several of the examples cited by Susan, or it may go on for years, as happened to the Greek government.   And the potential for the same system to be misused by the NSA and other law enforcement agencies (can you say FBI?) is almost as scary; our democracy only works as well as it does because each of the branches has oversight from the other branches.  Without even the tenuous controls of the Foreign Intelligence Surveillance Act in place, abuses could be rampant in the system and no one would ever know.

I know there’s a good possibility that a certain analyst friend of mine is going to call me “Captain Privacy” again over this post, but this really is a scary proposition.  Such a system will be abused.  The question is, are the risks worth the potential abuse?  I don’t think they are.  I think it’s already been proven that the federal government can’t be trusted to act without oversight.  But Congress seems to think the NSA will act responsibly with their power.  I just don’t want to be part of the group that’s going to have to become an example to prove them wrong. 

By the way, am I the only one who’s noticed that Bruce Schneier usually only writes one or two sentences and includes large blocks of quotes in many of his blog posts lately?  It’s a blog, so that’s okay, but he used to write so much more.

5 responses so far

Aug 08 2007

BarCampESM or All the interesting stuff happens in the press room

Published by under General

Whurley just sat down next to me in the press room, totally excited about Bar Camp ESM.  He and several of the other writers and bloggers here have gotten together and are planning a Bar Camp or un-conference in Austin some time in the near future to talk about all things enterprise systems management.  Not much of a chance I’ll be making the event myself, but I know of several people in the area who might want to take the time to attend. 

Just in case you’ve never attended, or even heard of, a bar camp or unconference, think of it as a large gathering of like-minded individuals coming together to talk about a subject without a set schedule or a set topic.  Conversations flow from what the attendees want to talk about and constant direct feedback is not only expected, it’s encouraged.  When was the last time you went to a conference and it was made better by the audience shouting back at the presenter?

The exciting stuff never happens on the show room floor.  It’s always the stuff that happens in the hallways and back rooms that’s really important.

One response so far
