Archive for May, 2008

May 10 2008

Gmail as a spam engine

Published by Martin under Hacking, Malware

This is not good. Researchers from INSERT found a vulnerability in the Gmail engine that could allow spammers to forward mail through Google, thereby bypassing blacklists and being accepted by whitelists. It works by using the same forwarding features that allow users, myself included, to forward their email through Gmail. The worst part of this is that it also bypasses Gmail's 500 recipient limit for any email, though that part should be easy to fix. I hope.

INSERT has been courteous enough to omit a fair amount of the details of the vulnerability, but I think there’s enough general information in the notification that spammers will be able to figure it out soon if Google doesn’t act even faster than the bad guys. Given Google’s track record and the sneaking suspicion that Google was given advance warning of the vulnerability, I’m hoping Gmail can be made secure fairly quickly.

I’ll be interested to see what we hear on this over the next couple of weeks on the Full Disclosure/No Disclosure argument. Did INSERT give Google some warning or did they post this as soon as it was written up? How did Google react? Did Google take the Microsoft stance of quietly taking the research and fixing the hole before anyone notices? Or did they take the Apple/Cisco approach and threaten to sue INSERT into non-existence? I’m hoping for the former.

Just goes to show you, even the best built, least offensive features in software can be subverted if you put enough brain power into solving the problem.


No responses yet

May 09 2008

Norton on my Tivo

Published by Martin under Malware, Security Advisories

I love my DirecTivo, my DirecTV receiver with the Tivo built in. Without it I couldn’t find the time to watch half the television shows I do, and I’d have to actually, you know, *watch* the commercials. The DirecTivo is about four years old and I’m dreading the day something in the box dies, which I know can’t be too far off.

One of the features of the DirecTivo is a little advertisement that’s part of the main screen, usually a 3-5 minute infomercial. I often ignore it, but last night something caught my eye; the headline for the advertisement read “Crucial Wifi Security tips”. This was definitely something I had to take a few moments to check out, otherwise what kind of security professional would I be.

It turns out that it's an advertisement for Symantec Norton 2008, but I have to give the guys at Symantec some credit; it’s also a pretty good primer on the dangers of using wireless hotspots. The video quality isn’t the highest, but that may be intentional (or it may be a factor of budget). It starts off by giving some general advice about security, or lack thereof, at hotspots and explains in simple terms that the average user might not want to do any sensitive activities while using these hotspots.

I was impressed that Symantec decided to only explain two terms in the video and explained them in simple yet accurate language. The first term was ‘packet sniffing’ and the video explained in a few seconds how another curious patron or maybe a hacker could be sitting in the booth next to you capturing your passwords as they fly through the air. I immediately thought of Robert Graham and the grief he sometimes gives David Maynor concerning wireless.

The second term was ‘wi-phishing’. I’d never heard the term before, but I guess it's easier to remember than man-in-the-middle or evil twin hotspot. The video explained that malicious attackers could set up hotspots that looked just like real hotspots but were created only to capture passwords and other account information or to infect systems with malware. From that point on the video was an explanation of how Symantec Norton could protect users from these dangers as well as a host of others, but I’d heard most of this marketing before at RSA.

The video was only three minutes long and did a good job of explaining a few of the dangers of public wifi in the first two minutes. I’m actually pretty impressed with the content of the video and if I could get just the first part to use for educational purposes, I’d take it. This video would make a good starting point for a brown bag lunch or other short format awareness campaign at work. There are a couple more videos from Symantec waiting to be watched on the DirecTivo, which I might get to this weekend to see what they offer. Or maybe not; my tolerance for commercials has been greatly reduced over the last four years.


No responses yet

May 07 2008

The Post wants to know who you are

Published by Martin under Blogging, Privacy

I’m mildly annoyed, but I find it hard to get too worked up over this issue: Jim Brady from WashingtonPost.com wants to know who the people are who are leaving comments on his site. He wants to know who the real person is making comments, not so he can track them, but so that he can make them accountable for their comments. That’s a laudable goal, but does this guy really have any idea how the Internet works?

Mr. Brady laments the fact that people are as anonymous as they want to be on the Internet and that the people who comment on his site are leaving nasty, bitter, derisive comments. He wants to have some sort of tracking system where he can positively identify everyone who comments on his site and block the problem children. As he sees it, this sort of accountability is the only way to ‘raise the level of discourse’ on his site. As if accountability would somehow accomplish this goal. Does he understand human psychology any better than he understands the Internet?

This isn’t a privacy issue; without major changes to the Internet, Mr. Brady’s wish is never going to become a reality. There are too many built in safeguards and too much complexity on the Internet to make positive identification of his commenters a reality any time soon. The WashingtonPost.com site has already experimented with blocking IP blocks and found that’s a good way to block large chunks of the Internet from his site. They’re experimenting with other technologies, but that’s not enough for him. I wonder if they’re looking at OpenID at all to solve his problems.

Online identity is a huge issue, one that’s not going to be solved because some editor wants to track his commenters, even if it is the Washington Post. Mr. Brady has bigger problems though. First, he obviously doesn’t understand the Internet if he thinks there’s much possibility of reliably tracking users on the Internet. Anyone with even a modicum of computer knowledge could probably find a way around any tracking technology the Post puts in place. Even if they can’t, I’d be willing to bet there’d be a Firefox plugin or other application that gets around the technology. Oh, wait, we already have BugMeNot.

The second problem is that Mr. Brady is trying to solve a social issue with technology. This is the same trap we often fall into as security practitioners, trying to solve a people problem with more applications. And he’ll probably find out the same thing we keep finding over and over: technology fixes for people problems don’t work. People are going to find ways around the technology if it’s stopping them from doing what they want, period. If someone wants to be anonymous, they’ll find a way. We’ve found that with almost every technology that’s ever been used to secure a corporation. You put a block on a website, your users find a proxy. You try to keep users from installing software, they find a friend in IT to help them. They will find a way around technology if it gets between them and what they need/want to do. The technology is just a speed bump, and it's an annoying one at that.

The real problem for WashingtonPost.com is that it takes people engaged with their readers to deal with this problem. It requires having someone monitoring the comments, deleting inappropriate posts and replying to the ones that are appropriate. He’s not going to get his tracking mechanism any time soon and rather than lament the lack of accountability, he needs to understand the real problem and deal with it as a human issue. People have been commenting anonymously to newspapers for as long as they’ve existed. How many of the letters the Post gets on a weekly basis have no return address and no indication of who sent them? The difference between the real world and the virtual one is that the editor has to consciously pick which comments get printed in the paper. That same power exists in the virtual world, it just takes human interaction in the form of comment moderation. Funny to think that the more things change, the more they stay the same.

It’s pretty certain that WashingtonPost.com is spending a fair amount of money on technologies to combat aggressive, insulting commenters on their site. They’re probably spending more on technologies and the people managing them than it would cost to hire one or more people to be responsible for moderating the comments. It’s easier to ask for the money to purchase a magic technology that will solve a problem than it is to ask for more people to get actively engaged. After all, technologies have a very clear-cut reason for existing, whereas people have all these nasty issues that come with them, like personalities and mistakes. But if you want to solve a people problem, only people can deal with it.

By the way, does anyone really believe the Washington Post and other sites wouldn’t use all the identity information they collect for marketing if Jim Brady had his way? Me neither.


4 responses so far

May 06 2008

No podcast tonight

Published by Martin under Podcast

I’m sick and Rich is preparing for some anniversary celebration over the next couple of days. My family graciously shared a chest cold they’ve been fighting off with me and I’ve spent a good part of the last two days in bed. Rich is flying in, with his wife, from Arizona to spend the better part of a week wine tasting and whatever else you do to celebrate your wedding anniversary. They’ll be less than 30 miles from my home and they won’t be spending any time with me or my family. You gotta wonder about a guy who puts his wife (or his health) before his podcast.

We’ll return to our regularly scheduled dose of chaos next week. Honest.


No responses yet

May 05 2008

Desperate for attendees

Published by Martin under General

I’ve attended my fair share of conventions, but this is a first: CTST 2008 is offering up a free night’s stay if you’ll attend their conference. Their event is next week and I’m pretty sure the offer isn’t transferable, but I find it very interesting that they feel like they need attendees badly enough that they’re willing to make this offer at all. Add this to the fact that my name showed up on the list of last year’s attendees and I think we have a convention that’s truly suffering and may not make the 2009 season.

I receive a lot of phone calls from vendors, but in general only from vendors who have access to the lists of events I’ve actually attended. This year I’m showing up on the list of people who attended CTST, despite the fact that I’ve never attended and have never been to Florida, where the event is held. It makes me wonder how much of the list of attendees is based on people who actually attended last year or if it’s based on the people who were invited. I may be a statistical outlier, but from what I know of the convention biz, I also won’t be surprised if I find out I’m not the only one.

CTST looks like a convention I’d be interested in; it’s all about payment cards and the ways in which different credit and debit cards can be secured. It’s a natural fit for just about anyone in the PCI arena. But right now I don’t have the time to attend, nor the energy to fly cross country even if I did. But listing me as an attendee for something I never showed up at is annoying, and if it happens again this year, I’m going to be more than annoyed; I might have to blog about it in a snarky, sarcastic manner.


No responses yet

May 01 2008

Feedburner stats all wonky

Published by Martin under Blogging, Site Configuration

Something is going on with Feedburner; yesterday my stats showed the highest number they’d ever shown, today they’re less than half that. I expect them to fluctuate some, but over the last month I’ve seen drops of over 1000 subscribers in a day, to be back up to their normal levels the next day. Today’s drop was nearly 2000 subscribers overnight.

Paperghost claims it’s got something to do with Netvibes, but I’m not sold. This has been happening to me a lot and for over a month, so it’s not too likely to be a single point causing this much fluctuation, unless that point happens to be part of Feedburner. There’s been very little written on this so far, so I’ll be very interested in seeing if Feedburner addresses the problem on their own. I suspect it has more to do with the integration with Google than anything else.

Anyone else seeing this type of fluctuation in your Feedburner stats? Or are you a little less stats obsessed than I am and only look at your subscriber numbers when there’s a reason? Hopefully there’s someone from Feedburner looking for posts like this who can answer my questions about stats fluctuations. Or maybe I need to tweet about it and hope they’re looking at Twitter too.


6 responses so far