Archive for April, 2008

Apr 22 2008

A little judicial oversight please

Published by under Privacy

It’s been a little while since Captain Privacy donned his uniform, and now it’s got a star instead of two gold bars; he’s been promoted to General Privacy by his friends in the Security Catalysts Community. Seriously though, I’d stopped writing about privacy issues as much since I was getting a little bit of a reputation for being a privacy nut. Maybe it was deserved, maybe not, I’ll let you be the judge of that.

One thing I’ve said many times in my writing and podcasting is that I don’t have a problem with the police, the FBI or even the White House getting access to my personal information. I believe that law enforcement has a vital, legitimate need to access personal information and to sometimes snoop on our conversations. My conversations usually happen pretty publicly, so they won’t learn much; the bad guys aren’t nearly as accommodating as I am, so the cops need to resort to wiretaps. And I’m okay with that; there’s just one thing I want to see as part of the process, and that’s judicial oversight. Apparently I’m not the only one, since the New Jersey Supreme Court unanimously ruled that NJ cops need a subpoena and need to notify the target when they go after private electronic information.

Why am I such a strident defender of oversight? I’m a paid paranoid; I spend my days trying to think of how the bad guys are going to abuse the systems to get a little bit of profit. I hear about, read about and talk about people who regularly abuse the system for profit, revenge, curiosity or plain stupidity. Sometimes it’s really as simple as greed, but sometimes there are more complex emotions in play. The end result is that systems get abused and we end up paying as a society in the form of lost money, lost credit cards or lost personal information. Oversight is one way to prevent these sorts of abuses from happening; a person who knows they’re being watched is less likely to commit the crime in the first place.

If you think cops are any better than the greater population, think again. They’re human, they make mistakes, they succumb to temptation. I’ve read several times that the personality profiles of cops and robbers are only separated by a few degrees, and it’s a law enforcement officer’s respect for the law that separates him from the criminals. If law enforcement officers didn’t occasionally step over the line, there’d be no need for Internal Affairs departments, would there?

We need to have judicial oversight of the police, the FBI and the CIA to make sure that members of our law enforcement agencies don’t abuse their powers. Whether by design or by mistake, people will succumb to the temptation to abuse the power of their position. I don’t believe the judiciary is there to punish law enforcement agents when they do step over the line; it’s there to draw boundaries around what is and is not acceptable use of the power to look at personal information. The judiciary is the branch of government that exists to create the lines so that we can live in a free and open society. It’s one of the paradoxes of a free and open society that you need rules and boundaries to be free and open.

We’ve drifted into a societal attitude over the last seven years where it’s more important to catch the ‘terrorists’, whoever they are, than to respect the rights of the average citizen. Never mind that the idea of ‘terrorist’ is so ill-defined that almost anyone who harbors any ill will towards a group could be branded as such. The goal, perfect safety for everyone, has become more important than the means, which right now is often spying on American citizens. I think it’s time for the pendulum to start swinging the other way; we need to realize that the trade-off for safety has been some of our fundamental freedoms. We can’t let law enforcement of any stripe just spy on anyone and everyone in the name of catching ‘terrorists’ or ‘criminals’.

New Jersey is one of the first states in quite some time to realize that the laws we have currently don’t have direct correlations when you try to apply them to cyberspace. A law that talks about reading someone’s snail mail doesn’t exactly translate well when you’re talking about email. And since it’s open to interpretation, it’s often been interpreted to be in favor of law enforcement. After all, it’s not really your email when it’s sitting on your ISP’s servers, is it? And it’s for law enforcement to help them catch crooks, so it’s okay, isn’t it? It depends on so many circumstances and that’s why we need the judiciary to draw boundaries for law enforcement and for citizens.

I guess my inner privacy geek has been wanting to get out a little more than I realized. All I really want is a little balance, but if you’ve got law enforcement or the Executive Branch calling all the shots without judicial oversight, it’s one-sided; there is no balance. In the computer security arena, the balance is in most cases between security and usability or business need. It’s great to be secure, but if you can’t use your systems or make a profit, it’s of absolutely no use. In a society it’s a balance between security and being able to live an enjoyable, prosperous (profitable?) life; if you can’t live that life because the cost of security is too high, it’s not worth the trade-off. You need to be secure, but you also need to be able to live your own life.


2 responses so far

Apr 22 2008

Network Security Podcast, Episode 102

Published by under Podcast

Rich and I tried to make up for last week’s podcast by keeping things a little shorter tonight. The operative term of course is ‘tried’; we managed to shave a couple of minutes off the podcast, but that’s about it. Tonight’s theme was vulnerabilities in web sites, ranging from the Obama site being hacked to Dan Kaminsky’s latest DNS issues and on to PCI requirement 6.6. There was a lot going on tonight and we could have almost made a show from any one of these topics.

Show Notes

Network Security Podcast, Episode 102, April 22, 2008


No responses yet

Apr 22 2008

OT: Twitter 101

Published by under Blogging

If you use Twitter as much as I do, you’re bound to learn something from “Tweeting for Companies 101”. I don’t twitter for my company, but I still learned about a couple of features that I hadn’t known twitter had. I know this has nothing to do with security, but I want to be able to find it in a couple of months. You did know the blog is really my backup memory, didn’t you?


No responses yet

Apr 21 2008

I might have fallen for this

Published by under Hacking

If your CEO received an email stating that your company was being sued in Federal court and that he had to install software to view the court documents properly, what are the chances that he’d do it without thinking? They’re probably pretty good, since the fear of a lawsuit would outweigh any concern over malware, assuming yours is a CEO who’s even prone to think about security when it comes to his computer. Network World is stating that this may be one of the biggest examples of spear phishing so far. And the reason it works is because it does such a good job of playing on one of the biggest fears many CEOs have: getting sued.

I’ll be honest, even as a security professional, I might have fallen for this one. It’s scary the amount of detail that went into crafting these emails. The name, address, phone number and other corporate information are correct, eliminating one of the easiest ways to determine if an email is spam or a phishing attack. The same group is suspected of being responsible for a similar attack last month. Given that Verisign says that over 1800 CEOs have been compromised, that’s a lot of corporate information that’s now in the hands of criminals, even if only a small fraction of those result in data leakage. To make matters even better, the major AV vendors can’t even catch the malware used on this one; this backs up a comment I heard on PauldotCom recently stating that even the best AV vendors are missing 20-30% of all viruses out there today.

This is a really good argument for egress filtering on the firewalls. That’s not enough by a long shot, but it’s a start. We can’t prevent our CEOs from installing software and we can’t blame them if our anti-virus/anti-malware manufacturers can’t catch this stuff. The best we can hope to do is limit the impact of a compromise such as this. Next time your CEO wants access to the company databases, point him to this article as a valid reason to just say no.
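Egress filtering only limits a compromise if the policy is default-deny and someone actually reads the denies. As an added example, not code from the original post: a small audit that checks constructed perimeter log lines against an assumed policy (only the web proxy on 80/443 and the internal DNS servers on 53 may reach the Internet; the proxy, resolver and log addresses are all made up for the demo) and reports each internal host that tried to go out directly, which is exactly what installed malware phoning home looks like.

```python
"""Audit perimeter firewall logs against a default-deny egress policy.

Policy (assumed for this example): only the web proxy may reach the Internet,
and only on 80/443; only the internal DNS servers may send DNS out; every other
internal host that tries to talk to the Internet directly is reported.
The log lines are constructed for the demo in a simple key=value form.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List

INTERNAL = ip_network("10.0.0.0/8")
PROXIES = {ip_address("10.0.0.5")}        # assumed proxy address
DNS_SERVERS = {ip_address("10.0.0.53")}   # assumed internal resolver
PROXY_PORTS = {80, 443}

LOG_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")

# Constructed sample: perimeter log, RFC 5737 addresses for the Internet side.
SAMPLE_LOG = """\
src=10.0.0.5 dst=203.0.113.9 proto=tcp dport=443
src=10.0.0.53 dst=198.51.100.1 proto=udp dport=53
src=10.1.5.23 dst=203.0.113.9 proto=tcp dport=443
src=10.1.5.23 dst=203.0.113.9 proto=tcp dport=8080
src=10.1.7.41 dst=198.51.100.77 proto=udp dport=53
src=10.0.0.5 dst=203.0.113.50 proto=tcp dport=6667
src=10.1.5.23 dst=10.2.0.8 proto=tcp dport=445
"""


def egress_allowed(src: str, dst: str, proto: str, dport: int) -> bool:
    """Return True if the policy permits this outbound flow."""
    s, d = ip_address(src), ip_address(dst)
    if d in INTERNAL:
        return True  # not egress; lateral traffic is another control's job
    if s in PROXIES and proto == "tcp" and dport in PROXY_PORTS:
        return True
    if s in DNS_SERVERS and dport == 53:
        return True
    return False  # default deny: workstations never talk to the Internet directly


def audit_egress(log_text: str) -> Dict[str, List[str]]:
    """Map each internal source to the direct-to-Internet flows the policy rejects."""
    denied: Dict[str, List[str]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # unparseable line; a production tool would count these
        src, dst, proto, dport = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if not egress_allowed(src, dst, proto, dport):
            denied[src].append(f"{dst}:{dport}/{proto}")
    return dict(denied)


if __name__ == "__main__":
    for host, flows in audit_egress(SAMPLE_LOG).items():
        print(f"{host} attempted direct egress: {', '.join(flows)}")
```

The direct DNS query from 10.1.7.41 is the kind of deny worth a second look: a workstation that bypasses the internal resolver is either misconfigured or being steered by something that does not want its lookups seen.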


6 responses so far

Apr 21 2008

Profits more important than security

Published by under Malware,Security Advisories

No one should be surprised that profits are more important to an ISP than the security of their customers. They are a business and the same rules apply to them that apply to any business: if they’re not profitable, they don’t stay in business for long. I don’t approve of the practice, but I am not even slightly surprised to hear that Earthlink is redirecting non-existent domain names to their own search pages in the hope of a small profit. And I’m even less surprised to find that it’s Dan Kaminsky who’s reporting the issue; it is a DNS issue after all. (Side note: IOActive’s web site appears to be down while I’m writing this; I wonder if they’re experiencing heavy traffic or if something else is going on.)

The problem with Earthlink and their partner, Barefruit, is that they had a weakness in their code that allowed their servers to be used in a JavaScript attack. They’d been doing this redirection since 2006 and no one had commented on it. But Dan, being the King of DNS Misuse, found the vulnerability and reported it. The worst part of this is the fact that Earthlink is just one of many ISPs that are providing their customers with this “service”.

The only reason an ISP is going to stop this practice is because the negative publicity outweighs the potential profit. Even though the profits are minuscule, they can make the difference between staying in business or not. More likely, they make the difference between someone in corporate making their numbers and getting a bonus or not. This isn’t a new practice, nor is it without its own controversy, but as long as there’s a profit to be made by it, non-existent domain name redirection will continue.
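You can tell whether your own resolver does this kind of redirection without waiting for the press to notice. As an added example, not code from the original post or from IOActive: resolve a handful of random, nonsense names; an honest resolver says NXDOMAIN for all of them, while one that rewrites NXDOMAIN hands back the same search-page address for every one. The two resolvers at the bottom are constructed stand-ins (the 192.0.2.10 address is a documentation address, not Earthlink’s or Barefruit’s); `system_resolver` is the one to pass in to check a real network.

```python
"""Detect ISP-style NXDOMAIN redirection.

A resolver that rewrites "no such domain" into a pointer at a search page
answers for names that cannot exist. Resolving several random, nonsense names
and seeing whether they all come back with the same address catches that.
The two fake resolvers at the bottom are constructed for the demo; call
check_nxdomain_redirect(system_resolver) to test a real resolver (needs network).
"""
import random
import socket
import string
from collections import Counter
from typing import Callable, Dict, List, Optional

# A resolver maps a name to its A records, or None when the name does not exist.
Resolver = Callable[[str], Optional[List[str]]]


def random_label(length: int = 12) -> str:
    return "".join(random.choice(string.ascii_lowercase) for _ in range(length))


def system_resolver(name: str) -> Optional[List[str]]:
    """Ask the operating system's resolver (not used by the offline demo)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return None
    return sorted({info[4][0] for info in infos})


def check_nxdomain_redirect(resolve: Resolver, probes: int = 5, tld: str = "com") -> Dict:
    """Resolve `probes` random names under `tld`; honest resolvers fail all of them."""
    names = [f"{random_label()}.{random_label()}.{tld}" for _ in range(probes)]
    answered = {n: addrs for n in names if (addrs := resolve(n))}
    # Addresses present in every answer: the redirect landing page, if any.
    counts = Counter(ip for addrs in answered.values() for ip in addrs)
    common = sorted(ip for ip, c in counts.items() if c == len(answered))
    return {
        "probes": probes,
        "answered": len(answered),
        # Every bogus name resolving is the signature of NXDOMAIN rewriting.
        "redirecting": len(answered) == probes,
        "redirect_ips": common if answered else [],
    }


# Constructed resolvers for the offline demo (RFC 5737 documentation address).
def honest_resolver(name: str) -> Optional[List[str]]:
    return None  # every probe name is bogus, so an honest resolver says NXDOMAIN


def hijacking_resolver(name: str) -> Optional[List[str]]:
    return ["192.0.2.10"]  # the ISP's "search page" server, returned for anything


if __name__ == "__main__":
    print("honest   :", check_nxdomain_redirect(honest_resolver))
    print("hijacking:", check_nxdomain_redirect(hijacking_resolver))
```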

Update: The IOActive site appears to be back up; I don’t know what the issue was. Maybe my ISP was redirecting me to a 404 error?


One response so far

Apr 19 2008

Windows Error at the Airport

Published by under Microsoft

I’m starting a collection of Windows error messages I see on odd screens around the country. I thought it was funny to see a Windows third-party DLL error message on a screen talking about airport security. I hope the airport’s physical security is better than its patching and updating practices are. Is there a site out there that already tracks these things?


No responses yet

Apr 17 2008

Want to be a guest? Just ask.

Published by under Blogging,Podcast

Ever wanted to be on a podcast but don’t have the time or energy to start one of your own? Are you already producing your own podcast but want to bring in a bigger audience? Or do you just want to take some time to express your own opinions? If any of those apply to you, take a couple of minutes to contact your favorite blogger or podcaster and ask if you can have a guest spot on their show/blog. It really is that easy, especially if you’re asking directly and not having your PR department do the contacting.

What brought this on? After a couple of weeks on the road I finally got a chance to catch up a little on some of my RSS feeds. With about 150 feeds and a two and a half week backlog, this can take a while. So I skim a lot of articles and frankly just ignore the majority of them. But one that caught my eye was “6 Ways That Bloggers are Like Rappers”. I’ve never wanted to be a rapper, and don’t ever ask me to sing if you value your ears, but there’s a lot in this article that resonated with me. I’m prolific, my blog is my personal brand, I’m a member of the Security Catalyst Community as well as several others, and I’ve definitely got a style all my own. Rich and I often do interviews, but one thing we only rarely do is have guests on the podcast as participants. There have been a couple of notable exceptions lately, with Mike Murray and Tim Krabec most recently.

I’ve been a guest on a number of different podcasts, especially Pauldotcom Security Weekly (why do I always want to spell it ‘weakly’?). Every time I do this it introduces me to a new potential audience and makes me think a little differently about how I do the show and security. I learn something, which is the biggest reason I started blogging and podcasting in the first place. I enjoy being on someone else’s show nearly as much as I do my own. And all it’s ever taken to be a guest is reaching out to the host and asking if they would mind me being a guest for a show.

I know this isn’t about security, but one of the things I’ve been giving a lot of thought lately is how we reach a wider audience. Not just Rich and me, but security professionals in general. For the most part, we’re preaching to the choir; the people who read our writing and listen to our rants are other security professionals. This is a great audience and what makes me come back to the microphone week after week, but it’s not the group that’s going to make changes to the larger world. In order to reach the wider world, we need to talk to people who are outside of our comfort zone, people who don’t have the same mindset but might be able to teach us something and learn something in return.

So if you’re new to blogging or podcasting and want to build an audience, ask one of the people who inspired you if you can be on their show. If you’re an established blogger or podcaster who wants to reach a bigger audience, ask one of our peers, or better yet, ask someone outside the security sphere. If you want to be a guest on the Network Security Blog or Podcast … you guessed it … just ask. The worst thing that could possibly happen is you get back a ‘no’. But in all likelihood, the answer will be closer to “When are you available?”

Update: This post was republished on the RSA “Developing with Security” blog. Fellow security bloggers contribute to that site, continuing to give back to the security community even when there isn’t a Meetup coming up.


3 responses so far

Apr 17 2008

RSA 2008: Andrew Jaquith, Yankee Group

Published by under Podcast

Rich was able to corral Andrew Jaquith for a few minutes between sessions, no easy task considering his packed RSA schedule. Andrew is one of the top analysts out there, and the author of Security Metrics.

NSP-RSA2008-AndrewJaquith.mp3


No responses yet

Apr 16 2008

A blast from the past

Published by under Humor

I sometimes tell people I was one of the first four or five security bloggers, which to the best of my knowledge is true. Richard Bejtlich, Dana Epp and Bruce Schneier all predate me, though Bruce Schneier didn’t start calling his writing a blog until later. If there are others who started before August 2003, I’d like to know about them, especially if they’re still blogging. In any case, after my post this morning, I did something I hadn’t done in quite a while, a Google ego search; you know, when you type in your own name to see what comes up. I was more than a little surprised when a page I last updated in November of 2002 came up. I’d actually created the page by hand-coding the HTML close to a year before that. And yes, I’ve been using the same ISP for nearly a decade and still have files from my CCNA courses on the server, though that’ll be a post for some other day.

I have since let my CCNA lapse, I never did get my OCA, I’m going on six years as a CISSP and you can still reach me at martin_at_mckeay.net. The Windows 2000 services: Disabling Non-Essential Services paper is no longer there, but I think I have a copy floating around somewhere. I don’t know yet how many of the links on that page still work; be careful clicking on them, since some now lead to placeholders. There’s some script on the site that I should probably disable, since it led to a basic RSS reader and I don’t think the company that hosted it is even in existence any more. I’m still not a web designer; I freely admit to using someone else’s templates since they’re much more appealing than anything I could come up with on my own. And I’m still paranoid; some things don’t change no matter how much time passes.

Update: We have a winner! Augusto Paes de Barros has been blogging since January 27th, 2003, though it’s in Portuguese and I can’t understand more than one word in ten. Augusto is now writing in English as well as Portuguese, so he definitely has me beat.


6 responses so far

Apr 16 2008

If you want a specific answer, ask a specific question

Published by under General

I’m on a large number of mailing lists. Before there were blogs, mailing lists were one of the primary ways I received my security-related news and got questions answered. I participated in a fair number of forums too, but preferred mailing lists because the news would come to me rather than needing to go back to a site to see if anyone had responded to me. I still find my forum posts listed in Google from time to time when I do an ego search (I know I’m not the only one who types their own name into Google from time to time just to see what comes up).

One of the things that I find again and again on mailing lists is the one- or two-line post to a list asking such a general question that almost any answer you give will apply. You know, the sort of thing like “What should I do next in my security career?” or “What’s the next big thing in security?”. Questions that are so vague and pointless that they either get ignored on the list or get answers that have nothing to do with what the person posing the question really wanted to know. This leads to on-list arguments about stupid answers or general comments on how useless and clogged up the mailing list is. The more traffic a mailing list sees, the more likely this is to happen. A prime example of this is the CISSP mailing list, which often degenerates into discussions of poutine and the relative merits of Tim Hortons vs Dunkin’ Donuts. It’s a closed list, so I hope I’m not putting my ethical standing as a CISSP at risk by revealing how immature a group of security professionals can be from time to time.

I don’t think it’s bad for a list to get silly or flame up once in a while, but I do think the value of the discussion is directly related to the questions posed on the list. The energy someone puts into explaining the question they’re asking, the time they take to pose it in the clearest possible way, is directly linked to the clarity and energy someone will put into an answer. If your question is about the next step in your career, take a couple of paragraphs to explain how you got where you are and what it is you want to do next. If you want to know what the next hot technology is, explain what your industry is and what you might find useful. In addition to giving the other members of the list a specific topic to respond to, it might help you understand your own question better. I’ve always been amazed at how much taking the time to write out my thoughts clarifies my own understanding of a topic.

I like mailing lists as a way to get information and see how a group or industry is thinking. But the worth of a list is directly influenced by the amount of energy people are willing to put into it. When people take the time to formulate the real question they’re asking rather than throwing out a general inquiry, the signal-to-noise ratio of the answers goes way up. Most of the responses on any mailing list come from a small minority of the members, so taking the time to understand who those people are and how they think will directly influence the response.

I’m not writing this in response to a single person or incident on a particular list; vague questions seem to be endemic to mailing lists everywhere, and I know my rant won’t do much to change that. But now I have someplace I can point people to next time they ask a question like “How do I improve the security of my enterprise?”. If you take the time to formulate the question and really specify what it is you hope to get out of the answer, you might be surprised at the quality of the answers you get in response.


5 responses so far
