Archive for July, 2008

Jul 16 2008

Why no one person should control it all

Published by under Government,Hacking

A systems administrator is in jail after trying to take sole control over the San Francisco FiberWAN network. According to the story, he was trying to gain control over the network so that the city couldn’t fire him after a poor review.

There aren’t a lot of details yet, but Mr. Childs does appear to have the City of SF by the short hairs, with control over most of the network. Next time your boss comes looking for answers about why we have to have separation of duty, this incident should be his suggested reading.

What was it about the city’s network that allowed this to happen? What sort of authentication schema are they working with that he locked it down so hard that security experts with physical access can’t break it? Are they just waiting to take some downtime to replace or reset equipment? Why aren’t they letting the system crash and restoring from backup? I guess the average reader wouldn’t care about those details, but I am curious why this ends up being such a big deal; resetting the password in most systems should be a fairly simple task.

Another aspect I’m curious about is the concern over a possible backdoor data bomb; is this something that ‘officials’ are concerned with, did Childs make a threat or did the idea come from someplace else? If they didn’t find a remote control device in his home, chances are there’s nothing, since most people who commit this sort of crime don’t hide it that well. He might always be the exception though. Again, why can’t the city let the bomb hit and restore from backup?

I don’t think this is having quite the outcome Mr. Childs predicted. He’s going to end up out of a job and in jail for a while. I hope he cooperates soon and minimizes his own pain, not to mention the city’s.

3 responses so far

Jul 15 2008

Network Security Podcast, Episode 112

Published by under Podcast

Tonight Rich and I are joined by Andrew Storms, Director of Security Operations at nCircle and fellow blogger. We continue talking about Dan Kaminsky’s DNS vulnerability and the role Rich continues to play. We also talk about lost laptops and new iPhones.

Show Notes:

Network Security Podcast, Episode 112, July 15, 2008

Time: 50:00

No responses yet

Jul 15 2008

Painless upgrade

Published by under Blogging,Site Configuration

Well, thanks to the WordPress Automatic Upgrade plugin I was able to upgrade my WordPress blog in less than 5 minutes and create a backup of the entire database in the process. So far everything came up fine, the exception being that I had to re-enable most of my plugins. Since this has always been a problem for me with WAU, it was the first thing I checked after the upgrade. I’m now running on WordPress 2.6.

There don’t seem to be a lot of (read any) security updates related to this upgrade, though there are a lot of usability updates. I’ll have to check out ‘gears’ when I have some extra time to spare.

One response so far

Jul 11 2008

I have an iPhone, the MotoQ is dead

Published by under Apple/Mac

I’ve never liked my MotoQ, other than maybe a couple of hours when I first got it. The battery life has always sucked and I was never happy with the form factor. I hoarded all the money family sent me for my recent birthday, waited about 1.25 hours between line and activation, now I’m home with my very own 8 gig iPhone. I just started syncing it up with my iTunes, played with the GPS a little on the way home and plan to get it hooked into my home wireless system as soon as possible. Happy Birthday me.

Even if the iPhone hadn’t come out, the MotoQ had to go. After 16 months, the extended battery took a dump. I hope the iPhone batteries last more than 16 months, I know my iPod has so far.

3 responses so far

Jul 09 2008

July 2008 SRT: Battling Botnets with Botnets

Published by under Government,Malware

Michael Santarcangelo has posted this month’s Security Roundtable, Battling Botnets with Botnets. We had a lot of fun recording this episode, even though we barely talked about the main subject at all. I took away a lot to think about, especially the law of unintended consequences: there’s what you meant it to do, what it does, and what effects a system has on other systems around it. Phalanx is a great example of that.

This is a long one, by the way. That always seems to happen when Michael and I get together to talk.

No responses yet

Jul 09 2008

This is not the vulnerability you’re looking for

Published by under Hacking,Security Advisories

Marcus Sachs over at the Internet Storm Center suggests that a vulnerability in the Windows XP DNS resolver found 3 years ago is the same vulnerability Dan Kaminsky found and multiple companies patched yesterday. While it might be related, it’s not the same thing. First of all, Dan’s vulnerability isn’t just in resolvers, it affects any system using DNS, either as a resolver or as a name server. Second, this outlines a Man in the Middle Attack and Dan specifically stated that his vulnerability is a remotely executable attack, meaning there doesn’t need to be a MITM.

As an interesting side note, Thomas Ptacek points out that Dan could have made a lot of money by selling this to Tipping Point or someone else. He didn’t and he put his reputation on the line to organize the vendors to patch this issue in a coordinated manner. Kudos to Dan and his team for taking the high road. Now we just have to wait until Black Hat to find out the real details of the vulnerability. I bet that’ll be a crowded talk.

No responses yet

Jul 08 2008

Network Security Podcast, Episode 111: Massive DNS multivendor patch

Published by under Podcast,Security Advisories

If you’re using DNS, and we all are, prepare to patch every system you have. Not just your name servers, but any and all systems using DNS, which means virtually everything! This is a flaw discovered by Dan Kaminsky that affects the basic technology underlying DNS and affects all vendors. Dan took the road of responsible disclosure and worked with a large group of vendors to coordinate this patch. This may be one of the first successful examples of a large multivendor patch, and if ever there was a need for it, this is it.

Rich was able to get an interview in anticipation of today’s announcement and you can hear about it straight from Dan himself. There are not a lot of technical details concerning the vulnerability in the interview and every effort is being made to give us as much time to patch before reverse engineering gives the bad guys the secret sauce to make this a weaponized vulnerability.

Check the show notes for the CERT advisory and additional information.

Network Security Podcast, Episode 111, July 8, 2008

2 responses so far

Jul 08 2008

Another good reason for going to Defcon

Published by under Podcast

If you’re sitting on the fence about going to Black Hat and Defcon, here’s another good reason to go: Podcasters meetup. Mubix has once again taken the initiative on this and is working on organizing a meetup one night at Defcon. It looks like he has a skybox lined up, it’s just the exact timing that still has to be worked out. This isn’t going to be invitation only like the meetup at RSA, it’s open to anyone who wants to attend. On the other hand, it also doesn’t have much in the way of sponsors at the moment either, so if you want to contribute to the delinquency of podcasters and bloggers, let me know and I’ll get you in touch with Mubix.

I’ve helped organize both of the RSA Bloggers meetups, paid for a round of drinks at the first Shmoocon meetup and will quite likely be producing either streaming audio or video (with audio of course) from Defcon this year. It’s going to be a fun event and will have a very different feel from the meetup at RSA. There will be some of the same characters of course, but the crowd at Defcon is younger, more energetic and a little less … refined might be a good word for it. But not any less intelligent or knowledgeable, for certain.

I’ll post more information as it becomes available. If you’re already planning on going, contact Mubix to let him get an accurate headcount. If you can offer up some of your company’s money to help buy drinks, contact him even sooner!

No responses yet

Jul 07 2008

The real Captain Privacy

Published by under Humor

Mike Rothman dubbed me Captain Privacy some time ago, his way of recognizing my fervor for all things privacy related. http://mckeay.net/images/cptprivacy.jpg I finally found some time this weekend to sit down with Hero Machine 2.5 and create my idea of what the good Captain would look like. Just so we’re all on the same sheet of paper, Captain Privacy will not be making an appearance at Black Hat, Defcon or any other security event in the future. You’d more likely find me wearing a kilt than spandex, and my wife’s been trying to get me to don a kilt for over a decade. However, if Security Mike wants to dress up as Dumpster Diver, I’ll make sure to post the pictures here!

One response so far

Jul 07 2008

Finally upgraded to FF3

Published by under General,Testing

I upgraded my secondary computers, the Mac Book Pro and the wife’s desktop, to Firefox 3 the day it came out last month, but I put off upgrading my primary system until this weekend. Why? Because I dislike a number of the default tab behaviors Firefox displays by default; they’re fine for lite browsing, but for my more serious browsing, it got to be annoying. Trying to organize show notes and organize articles for blog posts is just easier when tabs behave the way I want them to, not the way Mozilla wants them to. So I waited for Tab Mix Plus to catch up with Firefox 3. Which they’ve done, even though it’s still a ‘development’ version.

There are a few features that TMP offers that I really need. The first is opening up URLs I type in a new tab rather than in the current window by default. There’s probably a way to get FF3 to exhibit this behavior without TMP, but I’ve never been able to get it to work right. Another feature is the ability to automatically reload a particular tab on a regular basis. I have a couple of stats windows I keep open that I want to reload every 15 minutes, like my blog stat and podcast stat pages. Neither of these features is absolutely necessary, but it makes my browsing experience more enjoyable.

Now to upgrade the kids’ computer and the other household laptop. It’s a bit scary that we’ve got more computers than people in our household. But I guess that’s part of what happens when you’re a computer geek.

One response so far
