Network Security Blog

Come on, we all have them; horror stories of IT and security disasters we’d rather rather forget.  But rather than forget them, I’d like you to share them and tell everyone what you learned from the experience.  And in return, I have a free three day pass to CSI 2008 in Maryland, November 15-21, that I’ll give out on next Friday, November 7th.  If you’re in the same boat I am and don’t have a budget for training, this can go a long way towards getting management approval for the event. 

The rules are going to be pretty simple:

1. Post a comment on this post telling us your horror story and, more importantly, what you learned from it.  If you’ve already written your story on a blog, you can leave a short description and a link to the post. 
2. You must leave a valid email address.
3. The story must be original, no plagiarism please.
4. Stories will be judged on originality, entertainment value and what was learned from the incident.  I’m the sole judge.  

If you’re not the lucky winner, there’s still the CSI 2008 discount code you can use.  There’s already a lot of the Security Twits that planning on attending and I’ve even heard rumblings of a blogger meetup or twitter meetup. 

Good luck!

The chances of me making it to the CSI 2008 conference are so slim as to be non-existent.  Like many companies, mine has told us not to plan on attending any events we’re not speaking at for the foreseeable future.  Which is not to be unexpected in these turbulent financial times.  Plus, I don’t really want to take a cross-country flight at the moment, even if it meant I could see some of my friends who’ll be there.  I’ll have to wait for RSA next year I guess, since Shmoocon is also out right now.

On the other hand, if you’re on the East coast and still have some budget to spend on training, here’s a little something to help you out:  Alan Shimel worked with the folks at CSI and they’ve given the Security Bloggers Network a discount code to get you 25% off the entry fee.  Simply type in ‘BLOG25‘ when it asks for a discount code and you’ll save your company 1/4 of the cost of entry.  I’ve always found my bosses more willing to approve training when they think I’m getting it at a discount.  Of course, press passes have helped a lot in the past too.

I suspect my employer isn’t the only one who’s put the kabosh on training, at least temporarily.  And I would also hazard a guess that a lot of conventions are going to have a hard time filling seats while companies are bracing themselves for the financial impact of a slowing economy.  It’s too bad that so many bosses don’t realize how critical training is to our profession and that training such as CSI can often end up saving the company money in the long run. 

Keep your eyes open, I may have a bit more to say about CSI in the not so distant future. 

I figured that scareware (software that creates pop-ups telling you your computer is infected and can be cleaned for just $49.95) paid, otherwise organized crime wouldn’t be involved.  But I hadn’t realized how well; according to the NYT, Bakasoftware made over $5 million last year selling their own software.  Two things I thought was interesting is that the software uninstalls itself if the owner of the computer is a Russian speaker (Bakasoftware is a Russian company).  The second thing, which may just be coincidence, is that ‘baka’ is Japanese for fool or idiot.  It’d make sense for a scareware company to name itself “Idiot Software”.  And yes, I’ve been watching too much anime lately.

I had to run out the door immediately after recording, but despite technical difficulties, Rich and I recorded a short interview with David Mortman, ‘blogger-in-residence’ for Debix. 

Network Security Podcast, Episode 125, October 28, 2008

Show Notes

Once again, not a ton of time to blog this week.  So instead I’ll post a few of the articles I’ve found this morning.

• Phishing for Yahoo accounts - Looks like a XSS vulnerability at the Yahoo HotJobs site is being exploited to get Yahoo credentials.  
• More on Twitter terrorists - I’m not the only one who finds these scenarios a little ridiculous.  
• Wifi being used more in the city - People in the city have more potential to have their wireless exploited, so I’d hope their security would be a little stronger.

I haven’t had the time to blog much lately, but I still try to keep up on my reading.  Here are a few of the articles that are open in a Firefox tab on my right screen.  Meanwhile Spore is patching on my left screen so I can get back to vital Sunday morning projects like building a civilization.

• MS08-067 - An out of band update is always a big deal.  I’ve read a number of rumors about why this update was pushed, but nothing I’d call 100% reliable yet.
• More on the Sequoia e-voting machines -  No surprise, I’m reading more on direct-recording electronic (DRE) voting machines.  This election has the potential to explode if the vote is close anywhere and DRE’s were involved.   I can already hear the lawyer’s sharpening their claws.
• Speaking of surprises - They found problems with DRE’s already in some precincts during early voting.  This will probably be hushed up by a judge or blown off as human error.
• Be careful what you tweet - A vulnerability has been found in Twitter that may allow your protected tweets to be seen.  Not that you should be tweeting anything that sensitive anyways.
• Oh noes!  The terrorists will use Twitter too! - So what?  Does that mean we should leap to our default stance of bugging all of Twitter on the off chance a terrorists might be using it?
• The big data aggregators agree to a code of conduct - But will they stick to it?  Only time will tell.
• From the “Terminator” files - The Army is looking for someone to develop hunter bots.  Have they read any popular sci-fi in the last 30 years?  This is how the world ends!

Back to relaxing for the weekend. 

I’m sure this list is by no means comprehensive, but even what’s being revealed by Andrew Appel is pretty damning.  And the worst part is that most of the problems found with the Sequoia e-voting machines have been reported in one form or another for years.  Why can’t these companies learn to secure their systems rather than try to cover up their deficiencies? 

It took a little while due to technical difficulties, but the latest episode of the Security Roundtable is available for download.  Michael and I talked to Jennifer Leggio, aka mediaphyter, who writes for ZDNet amongst other things.  We talked about blogging and the responsibility of a blogger.  I don’t think we came to any clear cut conclusions, but one thing we all agree on is that security bloggers have more responsibility than the average blogger, due to our area of expertise.  We have more riding on what we write being factual and true than someone who writes a gossip column does. 

You can find the show notes on the Security Roundable site.  We’ll be recording another live show if I can get the software running on my computer again.  I was recently shutting down some services on the computer and may have gone a little overboard.  On the other hand, I seem to have a lot more free memory than I’ve had in a while.

Want to talk about electronic voting?  We did.  So we invited Jacob West from Fortify
to talk with us about a paper he just published with a couple of
engineers at Fortify.  Guess what, they found electronic voting using
DRE voting machines are the least secure way to vote.  Makes me feel
good going into the election.  It’s a good thing we’re fairly
self-policing when it comes to time, this is a conversation that could
have gone on for a couple of hours.

We had a number of technical issues tonight, so be glad we’ve got a podcast up at all.

Network Security Podcast, Episode 124, October 21, 2008 

Show Notes:

• Dear Mr. President: Let’s talk tech - We desparately need a geek in the Cabinet!
• Miley Cyrus Hacker Raided by FBI - Don’t brag to the press when you’re already in the cross-hairs!
• Flash Suckage:  Eat your cookies - Now you can be tracked through Flash too.  
• VeriSign and ICANN square off over the DNS root - Let’s just give it to Dan K. and let him manage it.
• Judge Suppresses Report on Voting Machine Security - Which brings us to why we’re really here
• Fortify’s paper on e-voting

The New York Times has a decent article about botnets, but I can’t link to it because it’s behind a paywall.  I guess the NYT still doesn’t understand how linking can increase traffic to their own site.  The article is titled “A Robot Network Seeks to Enlist Your Computer” if you happen to have an NYT account.  Or use BugMeNot, if you’re so inclined.