Archive for March, 2008

Mar 14 2008

The need for independent verification: Biometric USB sticks

Published by under Encryption

Heise Security has revealed that the chipset for a series of biometric USB sticks is basically useless and can be circumvented in just a few keystrokes in either Windows or Linux. In Windows, you just need to send the stick a single command to bypass its protection. The process is slightly more difficult in Linux because you have to compile the tool, PLScsi, yourself. This is obviously something only a “very professional user” could do; either that or any IT professional who’s been on the job for more than a couple of years.

First of all, we know ‘security through obscurity’ doesn’t work. The compiled version of PLScsi is already available for Windows, which means I could go to the local grade school and find any number of kids who could run the program. If you take the compiled version of this program out of the picture, I might have to go to the local high school to find someone capable of it. In either case a few quick Google searches would turn up the tools in short order.

Second of all, this is a bad implementation of technology. There is a chance that this was a purposeful back door, but “never attribute to malice what can be more adequately explained by stupidity” (thanks Shane for reminding me of this quote). Someone was either lazy or stupid when they built this chipset, which I find to be a much more likely explanation of the problem than any potential backdoor. I’m not going to entirely rule it out though.

If I’m buying a product that is advertised as adequate protection for my files, I want it to do that. I don’t want the manufacturer to tell me to encrypt my files before I place them on the USB stick, since that’s what I purchased the stick for in the first place. Companies can’t be trusted to do this for themselves, which is why we need folks like Heise Security, David Maynor and Robert Graham to test them out. Even companies with the best intentions make mistakes, and there are more than enough companies that are just snake oil salesmen trying to make a quick buck. Testing their products keeps the manufacturers honest and protects us from trusting a product that’s just not going to protect us as promised.


Mar 14 2008

What do you want to hear about from RSA?

Published by under Podcast

I’m trying to keep the number of vendor meetings I do to a minimum at RSA this year. I’ve filled up my schedule at previous events and quite frankly it’s more trouble than it’s worth for me. I’m planning on scheduling just two or at most three meetings each day and spending the rest of my time in sessions or wandering the expo floor to see what’s out there. Rich and I will be doing a daily wrap-up from the show room floor, hopefully fifteen minutes or less. Even limiting the number of scheduled meetings, I think I’m going to end up totally exhausted by Friday morning.

Most of the bigger vendors have more than enough media coverage already and I probably can’t add all that much that would be new to it. Many of the smaller vendors have interesting ideas, but I haven’t heard of too many I really want to set aside time for. What I want to know is who I should talk to if I only had one more time slot open for the entire event? If you’re a vendor (or PR for a vendor) this question isn’t aimed at you. I want to know who my readers would be interested in hearing from. With the recent issues concerning full disk encryption, I’m tempted to talk to one of the FDE vendors.

Who would you talk to if you only had thirty minutes to spare at RSA?


Mar 13 2008

All your passwords belongs to us!

Published by under General

According to InfoWorld, over 10,000 web pages (that’s pages, not sites) are infected with malicious JavaScript (edited: was Java) code aimed at installing password-capturing software on as many machines as possible. But their target isn’t your bank account, it’s your online gaming credentials. If you weren’t already aware that most online gaming communities have a real-world economy based on buying in-game goods, here’s your proof. I know from the spam I get in City of Heroes that there are a lot of sites that will offer to give you every in-game toy you’d ever want. All you have to do is give them your password and they’ll hook up your account. Umm, no thanks.


Mar 11 2008

Network Security Podcast, Episode 97

Published by under Podcast

Well, despite technical difficulties and an overactive noise removal tool, Episode 97 of the Network Security Podcast is up and available for download. Rich and I are joined tonight by Tim Krabec, who adds his own wit and wisdom to tonight’s podcast. And now I’m going to bed, since it’s been a very long day.

Show Notes

Network Security Podcast, Episode 97, March 11, 2008


Mar 09 2008

They grow up so quickly: Club Penguin

Published by under Simple Security

Friday evening my oldest son asked me “Dad, can I join Club Penguin?” I’d heard of Club Penguin before, when Jeremiah Owyang had written it up, but I really didn’t give it much thought after that. It’s a social media/virtual world for children ages six to fourteen, owned and managed by Disney. So when my son asked if he could join, I clenched my teeth and told him I’d talk to his mother about it. Little did I know at the time that she’d already told him to talk to me. I was tense about it, because I knew I couldn’t let my eight-year-old participate in this social networking tool unless I let my six-year-old play too.

I did some research this morning on Club Penguin, starting with their “Parents of Penguins” page and moving on to a Google Search. I wasn’t able to find any truly negative reviews, though a few borderline examples did exist. What I found out is that Club Penguin is a social media experiment started by three fathers in Canada and then purchased by Disney. They heavily monitor activity on the site, there are language filters in place and I, as the parent, have control over their accounts. As much as I wish I could have found something that would have allowed me to say no to them, it just isn’t there to be found.

The sign up process is fairly simple and Club Penguin has a pretty good privacy policy. There are two types of accounts you can sign up for, one free and the other for $5.95 a month. I’m not currently willing to spend $12 a month between the two boys for something they may or may not still be playing in a month, so I signed them both up for free accounts. The main differences seem to be the ability to have more pets and accumulate more coins to buy in-game clothes and decorations. If they get good grades this semester, signing up for the pay-for version may be in the cards, but I think the wife and I will have to talk about that in greater detail.

The sign up process was fairly simple and basically just required a valid email address to send the account activation code to. I think this is a weak point of the system because there’s no verification that the email account belongs to an adult, but in my kids’ case, they don’t have email yet. There are a number of good, common sense hints on the Player Safety page, such as “Don’t use your real name for your account name.” As part of the account creation process you’re asked if you want to allow your children to use Standard Safe Chat or Ultimate Safe Chat. I allowed my older son to have the standard while I placed my youngest son in the Ultimate category. Using the Ultimate Safe Chat, the parent has a password that must be typed in to change to Standard Safe Chat. Both of these have decent filters, but several articles state they can be gotten around using some of the standard schemes, like putting spaces between the letters. I haven’t tested this yet.
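The “spaces between the letters” trick works because a naive chat filter tokenizes on whitespace and compares whole words against a blocklist. The added example below (my own illustration, not Club Penguin’s code; the blocklist terms and test messages are constructed for the example) puts that naive filter beside one that canonicalizes the message first, so separators, case, accents, leet digits and stretched letters no longer hide a blocked term.

```python
import re
import unicodedata

# Constructed blocklist for the example; the real word lists of any
# children's chat service are not public.
BLOCKLIST = {"badword", "realname"}

def naive_filter(message: str) -> bool:
    """Return True if the message is allowed.

    Splits on non-letters and compares whole words, so 'b a d w o r d'
    or 'bad.word' never matches a blocklist entry.
    """
    words = set(re.findall(r"[a-z]+", message.lower()))
    return not (words & BLOCKLIST)

# Common digit/symbol substitutions a child (or a grown-up) would try.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

def normalize(message: str) -> str:
    """Reduce a message to a canonical letters-only form.

    Steps: strip accents (NFKD, drop combining marks), lowercase,
    undo leet substitutions, remove every non-letter (spaces, dots,
    dashes...), and collapse repeated letters ('baaad' -> 'bad').
    """
    s = unicodedata.normalize("NFKD", message)
    s = "".join(c for c in s if not unicodedata.combining(c))
    s = s.lower().translate(LEET)
    s = re.sub(r"[^a-z]", "", s)
    s = re.sub(r"(.)\1+", r"\1", s)
    return s

# The blocklist must go through the same canonicalization, otherwise a
# term with doubled letters could never match its collapsed form.
CANON_BLOCKLIST = {normalize(term) for term in BLOCKLIST}

def normalized_filter(message: str) -> bool:
    """Return True if the message is allowed after canonicalization."""
    canon = normalize(message)
    return not any(term in canon for term in CANON_BLOCKLIST)

if __name__ == "__main__":
    for msg in ["b a d w o r d", "B.A.D.W.0.R.D", "baaadword", "hello penguin"]:
        print(f"{msg!r:20} naive={naive_filter(msg)} normalized={normalized_filter(msg)}")
```

The normalized version trades one problem for another: substring matching on a canonical form catches the evasions, but it also flags innocent words that happen to contain a blocked term (the classic “Scunthorpe” false positive), and a determined user will find a spelling the normalizer does not fold. That is why the stricter chat modes on children’s sites tend to be allowlists of approved phrases rather than blocklists of forbidden ones; a blocklist can only ever be as good as the canonicalization in front of it.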

Each of the boys got their own accounts with names they made up with a little help and they got to choose their own penguins. They each have a password that exceeds the site’s minimum requirements and I made each brother leave the room when we were typing in the other boy’s password. We sat down and discussed what is appropriate behavior online and what is not. I guess I’ve talked about it enough in the past because they both knew that telling anyone their real name, phone number or address is a no-no, which makes me feel I’m doing my job. We then came up with three rules for using Club Penguin and added a fourth while they were playing. We wrote out the rules, posted them on the wall next to their computer and let them go at it for an hour. I let my youngest play on my MacBook Pro and they finally found each other and started to throw snowballs at each other online. Everything in Club Penguin is Flash-based, happens in the browser and works fine on the MBP in Firefox, after I approved it in NoScript.

My boys are growing up and I’m sure this is only the first social media/virtual reality tool they’ll want to use. They already play a version of Pokemon online using the Wii, which is why they know the rule about not telling anyone their real name. But the Pokemon game is just battling other Pokemon masters (why, oh why do I actually know what they’re called?), whereas Club Penguin was created from the start to be a social space. The tools to do this are only going to get more complex, easier to use and, I assume, more integrated with standard web pages, making it harder to distinguish when you’re in the social space. I hope I’m giving them the right grounding to be able to understand what’s acceptable and what’s not online.

As much as I’m cautious about Club Penguin, I know it’s safer than letting them go to the park at the end of the street. There are more automated safeguards in Club Penguin than there will ever be at the park. But as Bruce Schneier sometimes points out, we tend to place more weight on the dangers we don’t understand than the ones we know and deal with on a daily basis.

Our four rules for Club Penguin, posted on the wall next to the computer:

  1. Club Penguin is a privilege, not a right
  2. The door to your room has to be open or you have to play Club Penguin on a computer in the common area
  3. Tell Mommy or Daddy immediately if anyone asks you for your real name, address or phone number.
  4. No logging into your brother’s account!!

Have I missed anything major? I’ll be sure to post if there are any major updates.


Mar 07 2008

I may work for a competitor

Published by under Blogging

I’ve been blogging for over four years now and have been employed by four different companies during that time. When I started blogging my employer at the time didn’t even know what a blog was and my co-workers thought I was weird for wanting to publish my thoughts on security (actually, they didn’t think I had many thoughts, but that’s a different matter). The next employer knew I blogged, since I brought it up in my interview, but didn’t care if I blogged as long as it didn’t interfere with work. When I was hired at StillSecure last year, my blogging was a part of the decision to hire me. My current employer, Trustwave, knows I blog, knows I get press passes because of it, but largely doesn’t worry about it as long as I don’t say anything that will impact them. All in all, I’ve been very careful to make my employers aware of my activity and keep blogging separate from the jobs that pay the bills. This blog is mine and I won’t work for a company that tries to take it over or tell me what I can write about!

But it’s a very fine line I have to walk sometimes; I’ve been getting a lot of invitations to talk to companies who will be at RSA, which isn’t surprising given that I have a press pass for the third year in a row. The majority of these companies have products that aren’t related to my day job or are only tangentially related. If their products or services interest me, which is the minority, I’ll talk to them. There’s another group who make products and have services that are PCI-related; many of these are direct competitors of Trustwave, either because they also do PCI assessments or because they offer tools that are similar to what Trustwave offers. After one such offer, I consulted with my friend Mediaphyter to get a second opinion on the tack I should take with competitors. And being the good blogger she is, she immediately turned it into a blog post.

I’ve been good about notifying competitors about my employer, even though this is information they should have known before contacting me, something Mediaphyter points out. But I make a point of not mentioning my employer on the blog or in the podcast, simply because I want to keep as much distance as possible between the two different aspects of my life. A few companies have said they’d rather not meet after finding out who I work for, a couple have been more interested, and in two cases, I’ve decided to turn down meetings with competitors because of possible conflicts of interest. It’s not worth it to me to even have the potential for conflict here, since I like having an independent blog and I’d rather not call undue conflict or drama down upon myself.

It should be no surprise to anyone who reads the blog that I’m giving preference to vendors who deal with privacy issues. I’m also looking to talk to people who have cool ‘toys’ that might be outside my normal areas of expertise, but are still interesting to me. Lastly, I’m interested in talking to PCI-related companies, as long as they’re not direct competitors. I won’t be talking to anyone who does PCI assessments, PABP code review or PCI-related managed services. I will talk to vendors who offer up products that promise to be silver bullets and make you PCI compliant by just buying their product. I’ll be nice about it, but I’m planning on asking the hard questions that many marketing folks won’t be prepared to answer. So think twice if you’re approaching me to talk to your company about PCI.

I’ll be honest, some of the meetings I’m planning on having are looking for competitive intelligence; I want to know what the other guys are doing out there. But it’s for my own education, not to take back to my employer so I can say ‘look what XYZ corp is doing’. If they want to know what XYZ is planning, they can read the blog or listen to the podcast, just like anyone else.

Bloggers are harder for PR folks to get a handle on than traditional press. I only know of a few bloggers who do it full time, and they’re all traditional media when you get down to it; blogging just happens to be their medium. The rest of us have day jobs that may or may not be influential in our writing. Some of us represent a company when we blog and when we go to events, but I think the majority of us go to events like RSA representing ourselves and our blogs instead of our employer. That doesn’t mean who we work for doesn’t affect our blogging, it just means we think our blogging is the more important factor. The PR representatives might be annoyed because the spreadsheet they get from RSA doesn’t reflect who we work for, but that’s not RSA’s responsibility; it’s up to the PR reps to do their research and make sure they’re not inviting a competitor in to find out about the products they’ll be offering six months from now. A Google search and a look at a LinkedIn profile doesn’t take more than a few minutes.

One last thought: I have never signed a non-disclosure agreement before I talked to a company about their product. If you bring out an NDA, I’ll walk out the door.


Mar 04 2008

Network Security Podcast, Episode 96

Published by under Podcast

Well, if you listen to the first thirty seconds of the podcast you’ll realize I wasn’t firing on all cylinders tonight, though Rich was pretty coherent. Actually, we had a fun time with tonight’s podcast, so hopefully you’ll have a fun time listening to it. Rich will be in Boston next week at SOURCE and I’ll be on the road, so we’ll be recording early and posting it on Tuesday. I’m actually going to be on the road a lot in the near future, so expect Rich to get a chance to stretch his audio editing muscles in the near future. That’s why I have a co-host: so someone else can do the heavy lifting while I’m on the road.

Show Notes

Network Security Podcast, Episode 96, March 4, 2006 .. er … 2008


Mar 04 2008

Carnival of the Security Catalysts Community for 03/04/08

Published by under General

I’ve been a member of the Security Catalyst Community from the beginning and a friend of its founder, Michael Santarcangelo, for a couple of years now. It’s true I only rarely post to the forums and I’ve only met Michael face to face once, but it still counts. By being involved in the community I’ve been able to get involved with some very interesting projects and meet a large variety of security professionals from around the nation. Whether you’re just getting involved in security or you’re a seasoned professional, the Security Catalyst Community represents a great place to ask questions, bounce ideas off the wall and just get an idea of what other like-minded professionals are thinking about in the world of security. Take a moment to sign up and poke around, but be aware that real names are required and the forums are moderated to keep the conversations on track.

Here are a few of the more interesting recent topics:

There’s a good chance that there will be a breakfast meeting of the Security Catalysts Community one morning at RSA this year. If we can manage to get out of bed early enough to still be able to make it to presentations. And if we’re not too hung over from the parties the night before. Join the community and join us for breakfast.
