Archive for June, 2008

Jun 17 2008

Network Security Podcast, Episode 108

Published by under Podcast

Back to just Rich and I this week. We’re both running around like chickens with our heads cut off, so we were lucky to be able to get a show in this week. Coordinating with a guest would have been more than we could handle. I’m sure we’ll be back to a more normal schedule next week. More ‘hoping’ than ‘sure’, but only one way to find out.

Show Notes:

Network Security Podcast, Episode 108, June 17, 2008

Time: 30:49

2 responses so far

Jun 17 2008

Doing my part to help Mozilla

Published by under Simple Security

I’m doing my part to help Mozilla and I’m downloading Firefox 3.0 onto all of my systems at home today. I haven’t installed it yet, but I’m downloading it. Are you helping Mozilla make it into the Guinness Book of World Records for greatest number of downloads in one day?

One response so far

Jun 17 2008

Major influencers

Published by under Blogging

I’ve only met Jack Daniel face to face a couple of times, but I must have left an impression to elicit the sort of nice stuff he says in his latest post. “…he’s Martin. Which is pretty cool.” You can’t buy compliments like that.

He brings up a good meme though: who’ve you learned a lot from in your career or as a blogger? One of the first people who comes to my mind is Richard Bejtlich, partially because Richard was the first security blogger I met face to face. Richard is constantly contributing to the community as a blogger and a teacher and he’s one of the nicest people I’ve ever had the chance to meet. Chris Hoff is on my list as well as Jack’s. Chris gives me an idea of what it takes to reach the top tiers of our profession. And a taste of what you can get away with once you’re there. Michael Santarcangelo I see as a true community leader and creator, as well as being a decent co-host for a podcast. And speaking of co-hosts, I can’t forget Rich Mogull, who influences my thinking on a weekly basis.

That’s just the short list; I could come up with a dozen more names to add to it in short order. I try to learn from these people and many more on a daily basis.

Who has been a major influencer in your career? What are you learning from them? Write a post and link back to Jack. I’m interested in seeing who people have been learning from.

No responses yet

Jun 11 2008

Security Roundtable: Jericho Forum

Published by under Firewall,Security Advisories

At RSA Michael Santarcangelo and I had a chance to attend a seminar on the Jericho Forum briefly.  Neither of us had heard much about the Jericho Forum before so we invited them to participate in a podcast with us.  And since I didn’t know much about Jericho, I found someone who does:  Chris Hoff.  We were joined by one of the founders of the Jericho Forum, Paul Simmonds, and the CEO of Rohati Systems, Shane Buckley.  You can find the full show notes on the Security Roundtable blog.

No responses yet

Jun 11 2008

It hasn’t hit the rank and file yet

Published by under Government,Humor

Last night when I hit the airport, it was deserted.  I guess mid-evening flights aren’t all that popular for most people.  The really surprising part was that there was no waiting at the security checkpoint.  I half expected to see a long line despite the sparsity of travelers.  And since I didn’t have to use the buffer I always build into my schedule to deal with security, I decided to have a little fun.  No, I didn’t try to tell them I had forgotten my ID, but I did ask the TSA agent if she’d heard of the new “No ID” policy and what the current policy was concerning flying without ID.  And no big surprise, she really didn’t know all that much about current or future policy.

To be fair, the TSA agent did say she’d heard ‘something about that’, but she had never had to deal with anyone who refused to show ID.  This tells me that besides being an ineffective security policy, the TSA’s new policy is unnecessary and hollow.  There’s not enough people out there refusing to show ID to make a real impact on flying in the first place, so all the new policy is doing is giving people like me more to write about.  I’m so surprised.

I’m not adventurous enough to be one of the people to challenge the new TSA policy.  I think it’s a useless security measure, something that’s all for show and will have no real impact on our security in airports.  It might create a problem for people who are going to create problems anyways, but it won’t have any effect on any supposed ‘terrorists’ out there.

I just wonder if I ask about the policy after June 21st if I’ll get the same reaction?

One response so far

Jun 10 2008

You have to have ID to fly … unless you forgot it

Published by under Government,Humor

The TSA amazes me sometimes. But usually they just leave me shaking my head. Their latest brainstorm is to change their policy to state that you can’t fly without showing ID, sort of. Starting June 21st, you can’t claim personal or religious reasons for not showing ID at the checkpoint or you’ll be denied passage. On the other hand, if you claim you forgot your ID at home, you’ll be more thoroughly searched and let go on your merry way. Huh?

As Lori MacVittie pointed out to me on Twitter, if you tell the truth and stand up for your personal rights, you’ll be denied entry to the airport proper. However, if you lie through your teeth and just leave your ID in your wallet or purse, you’ll be able to walk on through the security process with minimal problems. You get rewarded for lying and punished for standing up for your rights??! Yet again the TSA comes up with a policy that does absolutely nothing to strengthen the security of airports and does everything to slow down travel and interfere with legitimate travelers.

I can’t wait to see what Bruce Schneier has to say about this one. I just hope it’s more than a couple sentences and a large quote from the article this time. If this move isn’t something that meets Bruce’s definition of ‘security theater’ I don’t know what will. This strikes me as nothing more than an attempt to punish people who want to exercise a constitutional right. The people who’ve complained the loudest about TSA’s security practices and challenged them the most are now basically being told “Shut up and get back in line”.

This change in policy doesn’t do anything to make us safer. Bad guys will lie through their teeth and everyone else will just keep plodding through the lines and hoping they’ll make their flights on time. And overall, there will be no changes to the security of the airports, just another really small hurdle the bad guys will have to overcome.

I wonder sometimes if the TSA doesn’t throw out policies like this just to get some attention. Maybe they’re really a bunch of comedians and this is their way of keeping us entertained. In any case, I hope they read Mr. Schneier’s reaction to this and ignore the rest of us. After all, I have to fly tonight and I’d hate to have someone at the TSA read this before then. I’ll show my ID, but I’m sure they could find a reason to search me if they set their minds to it.

3 responses so far

Jun 10 2008

Network Security Podcast, Episode 107

Published by under Podcast

Long podcast today, but worth every moment of it. Author, blogger, podcaster and CTO of Cigital Software Security, Gary McGraw joined us on the podcast this week. This is the second time Gary has been on the podcast and in another 100 or so podcasts I’m sure we’ll be inviting him back. I’m releasing this week’s podcast early mostly because it was done early. And I’ll be on a plane tonight when I normally release the podcast. Portland, here I come.

Show notes:

Network Security Podcast, Episode 107, June 10, 2008

Time: 58:55

No responses yet

Jun 09 2008

You know you’re a security professional if …

Published by under Humor

Do any of the items on this list apply to you? I know there was more than one of them that made me chuckle.

My personal favorites are:

“You lock your screensaver with twice as much insistence when security friends are around than when strangers are, because you’re not nearly as worried about a stranger’s intentions.”

Strangers aren’t going to mess with your computer just so they can make fun of you later!

“You suspect that every banner and Flash ad on every Web site is hosting malicious JavaScript.”

They aren’t?

“You loathe government interference with the Internet because you know they will only mess it up more and not fix the problem (see CAN-SPAM Act).”

This one speaks for itself.

“You can’t prevent yourself from laughing out loud when someone announces they think that computer viruses, buffer overflows, or whatever will be solved in five years.”

Which strikes me as a good one to end my review of the list on.

No responses yet

Jun 09 2008

WordPress search engine hack

Published by under Hacking

WordPress installations are being hacked and having all their searches directed to anyresults.net. I’ve checked for the offending code in my WordPress install and it’s not there, so that’s one more thing I can rule out as the source of my latest feed problems. I didn’t see what vulnerability is being used to get this hack into web pages, so it may just be running against older, unpatched installations of WP. Make sure you’re running 2.5.1.

PS. Thanks to Eric Irvin for pointing this out to me.

One response so far

Jun 06 2008

What’s going on with Feedburner?

Published by under Site Configuration

I’ve received three separate notifications that my post about Twitter earlier this week is showing up again and again in people’s RSS feeds. I’ve done nothing, honest! I haven’t made any changes to the blog, I’ve only made one short post since then and the only other admin stuff I’ve done is approve comments and delete spam. It’s not my fault and I apologize to anyone this is causing heartburn for.

I blame Feedburner.

4 responses so far
