Archive for September, 2008

Sep 30 2008

Network Security Podcast, Episode 122

Published by under Podcast

We had a lot of fun with tonight’s episode!  If you happen to be available when Rich or I tweet about a live stream of the podcast, tune in if you can.  We had a couple of back-and-forths before the podcast really started that were worth it.  Rich and I were joined by Robert “Rsnake” Hansen of SecTheory and Jeremiah Grossman of WhiteHat Security to talk about clickjacking.  There aren’t a lot of details they can share with us at this point, but this is looking to be a fairly big issue.  It sounds like we’ll know more around the end of October.

Network Security Podcast, Episode 122, September 30, 2008


Sep 29 2008

Be compliant through security

Published by under PCI,Simple Security

I really liked Bill Sieglein’s article IT Security:  Can We Be Compliant and Yet Insecure?  Of course we can; it happens all the time.  If you’re just looking at your compliance measures as check boxes, then there’s always going to be the potential for something unique to your environment to be overlooked.  There might be something the assessor/auditor didn’t understand.  The list of ways you could be compliant and yet still insecure goes on, but it’s some of the answers that Bill comes up with that are important.  He lays out 5 simple steps towards getting your company compliant through security rather than the other way around.  Of course, if it was that simple, wouldn’t we all be doing this already?

I like to think of PCI as a baseline for security, not the ultimate goal. 


Sep 25 2008

Interviewed for WNIN radio

Published by under Podcast

I was interviewed yesterday morning for WNIN 88.3 FM in Evansville to talk about how Sarah Palin’s account got hacked and how it affects the average user.  I thought the interview went well and I didn’t sound like too much of an idiot.  You can listen for yourself, it’s now been published as part of the third episode of Plugged In, the podcast that accompanies the radio show.


Sep 25 2008

RIAA’s only win now a mistrial

Published by under General,Government

Not that it has much to do with security, but I’ve always found the way the RIAA and mainstream media use intimidation to prop up a dying market insulting and a waste of energy.  So I was glad to read today’s news that their one and only jury award has been ruled a mistrial by the judge who originally presided over the trial.  He felt that some of the instructions he gave to the jury were prejudicial and unfairly biased the jury against Jamie Thomas.  I’m guessing it’s probably better for a judge to declare the mistrial himself, rather than have a panel of his peers do it when Thomas’ lawyer challenges.

In a related legal note, an industry effort to rope the Department of Justice into doing battle for them has been shot down, in no small part because the DoJ said “We want no part of this!”  This bill would have made the DoJ responsible for suing copyright infringers and turning the money over to the media companies.  In other words, they would have become the enforcement arm of the RIAA and MPAA.  I’m glad someone was awake enough to get this one shot out of the sky.

File sharing is illegal, moral and ethical arguments aside.  There are laws against it, that’s black and white.  But rather than fight to enforce nearly unenforceable laws and try to prop up a business model that’s past its prime, the media companies should be figuring out how to work in the new world and make money working with the public.


Sep 23 2008

Network Security Podcast, Episode 121

Published by under Podcast

We had a special guest tonight, fellow podcaster T-Rob Wyatt.  T-Rob is a security professional working on WebSphere MQ and recently started his own deep-dive podcast, The Deep Queue.  Of course, we talked about Palin and her email, but we also tried to talk a bit about what that means to the average computer user.  We got everything out of our system on Palin in one episode, so you won’t be hearing about this again.  Until they catch the guy who’s responsible, that is.

We tried streaming again tonight; sorry for not giving any advance notice.  We’ll try to do better next week.

Network Security Podcast, Episode 121, September 23, 2008


Sep 20 2008

StumbleUpon: Not impressed by security

I’ve avoided using StumbleUpon and most of its ilk for a long time.  I’ve preferred to keep up to date on the news by using sites like Techmeme or by reading the long list of RSS feeds I have in Bloglines.  But as of late I have been encouraged to branch out a little and start trying a few sites I wouldn’t normally use, like FriendFeed and StumbleUpon.  I haven’t gotten too far into FriendFeed, but even cursory usage of StumbleUpon has left me with a bad taste in my mouth.

First off, there’s the whole dependence on the StumbleUpon toolbar.  When I created the account, I told them I didn’t want the toolbar.  The first time I logged in, I had to tell them again, no, I don’t want the toolbar.  A couple of days later, I got an email, once again encouraging me to download and install the toolbar.  I still wouldn’t have installed the toolbar if not for one simple thing:  I wanted to change my password from the default they gave me.  And guess what, the only way to change your password in StumbleUpon is through the toolbar.  I thought that I was just being obtuse, but upon doing a Google search I found that the toolbar really is the only way to change your password.  Dumb, StumbleUpon, really, really dumb.  I should be able to change my password without installing the toolbar, even if you won’t let me use the majority of your features without the toolbar. 

Then there’s the password itself:  the password that was originally created for me by StumbleUpon was only five characters long, and they were all alphas.  No numbers, no symbols, nothing.  And given that social-engineering passwords and cracking accounts has already been big news this week, it shouldn’t surprise me to find one more site with a really poor password policy.  And guess what, when I finally did install the toolbar and changed my password, it only lets me use letters and numbers, no symbols or special characters.  And I have to wonder if it’s not changing all the letters to lowercase behind the scenes.  Strike two, StumbleUpon.

I’m going to give the toolbar a week, just to find out what the draw is for StumbleUpon.  It’s brought me a lot of traffic in the last couple of weeks, so I figured I needed to at least know about the tool.  But I’m not happy, and one more strike is all it’s going to take to make me change my password to something 20 characters long and uninstall the toolbar.  But I did give the Wassup Blog the thumbs up for telling me how to change my password.


Sep 20 2008

Bill O’Reilly’s web site compromised

Published by under Hacking

Bill O’Reilly doesn’t understand hackers.  Nor does he understand the law.  In retaliation for comments made on Fox News, Bill O’Reilly’s web site was hacked, and information about some of the people who use his site was posted to Wikileaks, along with screen shots of the administrative interface of his site.

On air, Bill O’Reilly had called for the heads of the people responsible for hacking Sarah Palin’s Yahoo account.  He’d gone on to claim that the people at Wikileaks who posted the screenshots of Palin’s email were despicable and should be arrested.  The hack was in direct retaliation for these comments.

What O’Reilly doesn’t understand is that Wikileaks did absolutely nothing illegal under our federal laws.  In May of 2001, the Supreme Court issued a decision in Bartnicki vs. Vopper that clearly states that even if information is gained using illegal means, publishing, broadcasting or otherwise making available the information is legal.  The basic thought behind this decision was that the person or organization publishing the data did nothing wrong and had every right to publish.  The person who got the information in the first place is still 100% liable, but publishing the information isn’t a crime.

As a reporter, I’m surprised O’Reilly wasn’t aware of this interpretation of the law.  It’s there to protect reporters and to enable them (and bloggers too) to report on incidents where the original information might have been obtained illegally.  Say, maybe tapes that get stolen and prove Presidential wrongdoing, à la Watergate.  I hope Bill gets his site secured soon.  And I hope he learned a little from the experience.


Sep 17 2008

How Sarah Palin’s account got hacked

Published by under Government,Hacking

One of the problems with being a public figure is that so much of your information is out there ready to be picked up by anyone.  Well, it turns out that the person claiming to have hacked Sarah Palin’s Yahoo account basically did a little bit of Google-foo and was able to figure out everything he needed to reset her password and pwn the account.  This is a good example of why “Where did you go to high school?” and “Where did you meet your spouse?” are poor choices for password reset questions.

Thanks to PortcullisChain for pointing me to the article, and for providing some good comments on the subject.


Sep 17 2008

Sarah Palin’s right to privacy?

Published by under Government,Hacking,Privacy

This seems to be my week to talk about privacy vs. disclosure issues.  Between declaring that “social networks will be the downfall of civilization” and Vice-Presidential candidate Sarah Palin’s Yahoo email showing up on Wikileaks, I have more ammo, motivation and subject matter to write about than I’ve had for quite a while.  So here are some of my thoughts on Palin and her right to privacy vs. public disclosure.

Let’s get something clear from the start:  The person or group calling themselves Anonymous have committed a crime when they cracked Sarah Palin’s Yahoo account.  They committed a crime that will garner them national attention and if the FBI and other law enforcement agencies aren’t already hot on their trail, you can bet they will be soon.  And if the crackers aren’t at least a little bit worried about that, then these guys are just plain stupid.

Sarah Palin has a right to privacy.  I don’t care that she’s campaigning hard to become the second highest politician in America and possibly the world, she has every right to expect that what goes on in her home, behind closed doors, should be her business and not ours.  That includes her phone calls, her voice mail and her email.  She has every expectation that the aspects of her personal life that she wants to keep private should be kept private. However, and this is a big ‘however’, the moment that she crosses the line from private citizen to public figure, most of that expectation goes out the window.

There are a number of disclosure laws affecting public officials that mandate that all email and other communication relating to their public office are the property of the government and the public.  This starts with the Freedom of Information Act and works its way out from there.  I wasn’t able to find the laws specific to Alaska, and I’d appreciate any links other people have, but I know there are a number of explicit laws at the national level supporting this.  Public business has to be conducted using public resources, and we, as the public, have a right to review the email our government is sending.  That’s in theory, of course, since in reality getting a FOIA request pushed through the system is much more than most of us have the time and energy to do.

Politicians know this, and in response often try to avoid email and voice mail, having many sensitive conversations face to face or via other, un-monitored means, just so the public won’t be able to review the information later.  Palin might not have been using her personal email in an effort to remain un-monitored, but the evidence definitely shows that she was conducting state business using non-state resources.  Something that, as the Governor of Alaska, she had to know she shouldn’t be doing.  Either that, or she was incompetent and shouldn’t have been Governor to start with, but I’m willing to give her the benefit of the doubt.

Politicians and celebrities walk an interesting and difficult path.  On one hand, they have a right to expect to have private lives.  On the other hand, they’ve made a conscious decision to place themselves in the public eye, removing many of the expectations of privacy that most of us take for granted.  They knowingly enter a career that requires giving up their privacy in order to gain notoriety, power and exposure.   In other words, they’ve traded a certain portion of their privacy for all the fame and fortune that goes along with being in the public eye.

This doesn’t mean that they give up everything.  They can still have privacy at home, they can still have private phone calls and they can still have private, personal email.  But it’s imperative that they respect that privacy and the separation of their private and public lives, or they give up that expectation of privacy.  If this was about Sarah Palin and the emails she sent to friends and family, I’d say acknowledge that a breach had happened, stuff the email back in the box somewhere and move on.  But Governor Palin, as opposed to Sarah Palin, was conducting state business via her personal email, and that takes everything she could have kept personal and makes it a matter for the public eye.  Given the choice between preserving a public figure’s privacy and safeguarding the public by exposing any communication that might be related to governance, the rights of the public have to win out every time, without exception.

I feel bad for Governor Palin.  The emails she sent from her personal account might be completely innocent and only occasionally impinge on her position as Governor.  But the fact that she’s sending government-related email from her personal account places that account squarely in the public domain and may even mean she’s broken the law in doing so.  One defense is that this is something everyone does, but that’s a defense my six year old would use, not something a potential Vice President should use.  Another is that the hackers did something illegal and that this somehow absolves Governor Palin of any wrongdoing.  But this isn’t the way the law works.  Neither is a valid defense.

This should play out in a lot of fun ways over the next couple of days.  I don’t often dip my toe into politics, so I fully expect to get some interesting and possibly vehement comments.  But for me this is less about politics and more about taking the step from being a private citizen into the arena of serving the public.  There’s a trade-off that I’m sure not all public officials realize until it’s too late.  I wonder if Sarah Palin thought about the privacy she’d be giving up when she became Governor Palin.


Sep 17 2008

Sarah Palin’s inbox on Wikileaks

Published by under Government

I don’t expect a Governor to be internet-savvy, but this is ridiculous:  Palin’s Yahoo inbox was compromised and the entire contents were uploaded to Wikileaks.org.  The Wikileaks story includes accusations that she was using this email address to bypass transparency laws, and the sample email given is a good example of this.  If this really is Governor Palin’s mailbox, that is.

So we’ve got a Presidential candidate who admits to not knowing enough about computers to send an email, and a Vice-Presidential candidate who doesn’t know enough about security to keep her own mailbox safe.  This does not bode well for the future of computing in the US.  If this is real, the Democrats are going to be all over it.

Update:  Wired has verified at least one of the emails on the Wikileaks site.

