Archive for November, 2008

Nov 29 2008

Rich’s Safe Shopping post

There’s nothing really surprising about the steps you need to make it through the holiday shopping season without getting your computer infected.  In fact, it’s so unsurprising that Rich has posted the same basic article three years in a row with advice on how to stay safe while you’re shopping online.  You can read the whole thing on Securosis, but here’s a quick synopsis:

1.  Only use one credit card for your online shopping
2.  Only use your credit card at major retailers online, otherwise use Paypal or a temporary credit card
3.  Don’t click on any link you receive in an email.  Ever!
4.  Update your browser.  And your OS while you’re at it.
5.  Use NoScript.
6.  Keep your AV, firewall and other security tools up to date.

Even that might not be enough, but it’ll give you a decent chance of staying safe.  I think we forgot step 0:  Use your common sense.  If it feels fishy, there’s a good chance it is. 


Nov 26 2008

Blocking YouTube with a WRT54G

Published by under Family,Firewall,Simple Security

Ahh, the joys of being a parent.  My youngest son recently started sprinkling his language with profanity, something both his mother and I were certain he didn’t get from us:  she almost never uses profanity and when I do the kids are usually running for cover rather than trying to remember what I said.  At first we thought he was getting it from school, but his older brother finally came forward and told us it was from videos he was watching on YouTube.  What had looked like a fairly innocuous video of SuperMario and other characters turned out to be profanity laden and more than a little disturbing.  He was given a warning and told to turn off any videos that contained profanity, then lost his computer rights for a week when I caught him watching a video with profanity.  The third time’s a charm, so I decided it’s time to block YouTube at the entry way, my WRT54G router.

It seemed simple and straightforward.  But an hour and several internet searches later, I still couldn’t get the WRT54G to block YouTube.  I created a Policy called YouTube, rather appropriately, added a list of affected PCs, set it to every day, 24 hours a day, and entered the URL in the space marked “Website blocking by URL address”.  Then I hit “Save Settings” and … nothing.  I was still able to get to YouTube, the kids could get to YouTube and I was not happy.

Then it suddenly struck me: the folks at Linksys and Cisco were creating the software for the average computer user, someone who doesn’t have the faintest idea what “HTTP” or “URL” mean and probably never types the “http://” at the beginning of the URL.  I took that out of the URL and saved the settings and now YouTube is blocked.  I’m happy that I now know how to block a site, but I’m frustrated that the developers couldn’t have taken a few more lines of code to either automatically remove the http:// if typed in, or at the very least taken ten seconds to add an example of what they consider a URL.  If I’d seen even one example of what they consider a URL, I would have been able to block the site in less than 5 minutes, rather than taking over an hour.  And I wonder how many less technical parents have given up in frustration.

As someone put it on Twitter: “Sometimes people should check acronym definitions before using them.”
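As an added illustration (my own code, not anything from the post or from the Linksys firmware), here is the kind of normalization the post wishes the router had done: take whatever a user types into the URL box, drop the scheme, port and path, and then match requests by hostname so that one entry also covers the site's subdomains. The function names and the sample entries are assumptions for the example.

```python
from urllib.parse import urlsplit


def normalize_block_entry(entry: str) -> str:
    """Reduce a user-typed entry ("http://www.youtube.com/", "YouTube.com",
    "youtube.com:80/watch?v=abc") to a bare lowercase domain for matching."""
    entry = entry.strip()
    if not entry:
        raise ValueError("empty block entry")
    # urlsplit only recognises the host part when a scheme is present,
    # so supply one if the user left it out instead of rejecting the entry.
    if "://" not in entry:
        entry = "http://" + entry
    host = urlsplit(entry).hostname  # lowercased; port, path and query are dropped
    if not host:
        raise ValueError(f"no hostname in block entry: {entry!r}")
    host = host.rstrip(".")
    # Treat "www.example.com" as "example.com" so the entry matches the bare
    # domain and every subdomain (www., m., ...) rather than only one of them.
    if host.startswith("www."):
        host = host[len("www."):]
    return host


def build_blocklist(entries) -> list:
    """Normalize a whole policy's worth of entries, ignoring blank lines."""
    return sorted({normalize_block_entry(e) for e in entries if e.strip()})


def host_is_blocked(request_host: str, blocklist) -> bool:
    """True if request_host equals a blocked domain or is a subdomain of one.
    Plain suffix matching is avoided so 'notyoutube.com' is not caught."""
    host = request_host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocklist)


if __name__ == "__main__":
    # Constructed sample entries: what a parent might plausibly type.
    policy = build_blocklist(["http://www.youtube.com/", " YouTube.com ", ""])
    for h in ["www.youtube.com", "m.youtube.com", "youtube.com", "notyoutube.com"]:
        print(f"{h:20} blocked={host_is_blocked(h, policy)}")
```

Matching on the domain rather than the literal string the user typed is what makes the entry useful: "youtube.com" then covers the www and mobile hostnames, while a lookalike such as "notyoutube.com" or "youtube.com.example.net" is left alone.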


Nov 26 2008

Google security denies XSRF reports

The issue of the blogosphere echo chamber has come up a number of times lately, with both journalists and bloggers claiming that we don’t do enough fact checking before taking a story as the truth.  I’m willing to give up the point, but I’m not willing to take it as a dig against the blogosphere, instead I think it’s a fact of human nature, which is why we need to double-check what others say, whether it’s in the newspaper, on TV, written in a blog or just word of mouth.  We’re security professionals after all, we shouldn’t trust anyone without verifying.

In last night’s podcast, Rich and I mentioned a Cross Site Request Forgery (XSRF or CSRF) reported against Google by the Geek Condition blog (down as of this writing, presumably due to traffic from Google).  Neither Rich nor I were very concerned about the issue, since it was stated to be an issue that had been closed.  The important part to us was the fact that it shows a weakness in the common practice of sending password reset information to a ‘trusted’ email account.  But as this Proof of Concept pointed out, if you can somehow create a filter on someone’s email account, you can create a filter that forwards select emails and removes them from the user’s inbox.  Once that filter is in place, it’s child’s play to reset an account password and steal a domain or any other account with a similar reset method. 
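To make the mechanism concrete, here is an added example (my own code, not the Geek Condition proof of concept and not anything from Google) of why a cookie-only "create filter" endpoint is forgeable and what the fix looks like. A browser attaches the session cookie to any form submission, even one launched from another site, but a page on another origin cannot read a per-session token rendered into the real site's form. The same block also includes a small audit helper that flags filters combining forward-and-delete, the pattern the post describes for intercepting reset mail. The `Request`/`Session` classes, the in-memory session store and the filter fields are assumptions for this simulation.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    cookies: dict  # sent automatically by the browser, forged or not
    form: dict     # body of the submitted form


@dataclass
class Session:
    user: str
    csrf_token: str
    filters: list = field(default_factory=list)


SESSIONS: dict = {}  # cookie value -> Session (assumed in-memory store)


def login(user: str) -> str:
    """Create a session; returns the cookie value the browser will store."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session(user=user, csrf_token=secrets.token_urlsafe(32))
    return sid


def _session_for(req: Request):
    return SESSIONS.get(req.cookies.get("sid", ""))


def create_filter_vulnerable(req: Request) -> tuple:
    """Authenticates by cookie alone, so any page the victim visits while
    logged in can submit this form and the browser supplies the cookie."""
    sess = _session_for(req)
    if sess is None:
        return 401, "not logged in"
    sess.filters.append(dict(req.form))
    return 200, "filter created"


def create_filter_hardened(req: Request) -> tuple:
    """Same endpoint, but also requires the per-session token that only a page
    served from the real site can read; compared in constant time."""
    sess = _session_for(req)
    if sess is None:
        return 401, "not logged in"
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess.csrf_token):
        return 403, "missing or invalid CSRF token"
    sess.filters.append({k: v for k, v in req.form.items() if k != "csrf_token"})
    return 200, "filter created"


def risky_filters(sess: Session) -> list:
    """Audit helper: filters that forward mail elsewhere AND delete the local
    copy, the combination worth reviewing on any account with reset mail."""
    return [f for f in sess.filters
            if f.get("forward_to") and f.get("delete") == "yes"]


def demo() -> tuple:
    """Run both handlers against a forged cross-site submission and a legitimate
    same-origin one; returns the status codes and the audit count."""
    sid = login("victim")
    # Constructed forged request: cookie present, no token (other origins cannot read it).
    forged = Request(cookies={"sid": sid},
                     form={"match": "subject:password reset",
                           "forward_to": "someone@example.net", "delete": "yes"})
    vuln_status, _ = create_filter_vulnerable(forged)
    hard_status, _ = create_filter_hardened(forged)
    # Legitimate submission from the site's own form, which embeds the token.
    legit = Request(cookies={"sid": sid},
                    form={**forged.form, "csrf_token": SESSIONS[sid].csrf_token})
    legit_status, _ = create_filter_hardened(legit)
    return vuln_status, hard_status, legit_status, len(risky_filters(SESSIONS[sid]))


if __name__ == "__main__":
    print("vulnerable/hardened/legit status, risky filters:", demo())
```

The token check is what the "closed" fix amounts to; the audit helper is the piece the post's nagging question calls for, since a filter planted before the patch keeps working afterwards and only shows up if someone looks for it.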

Right after the podcast I ran across a Google Security post stating that the CSRF bug had been fixed long ago and that the domain theft had nothing to do with the vulnerability.  I’m willing to give the Google Security team the benefit of the doubt and believe them, however I’m left with a nagging question as to whether they can really make such a statement with certainty.  The referenced CSRF did in fact exist, though it was patched very quickly, and I know from clicking on a PoC for the vulnerability that it works (I won’t be doing that again).  I don’t see any reason to think that someone couldn’t have gotten any number of domain owners to fall for a link exploiting the CSRF and then waited 2-3 months to make use of the compromised Gmail accounts. 

The fact is, I don’t see enough evidence for or against the exploitation of this vulnerability to prove either side of the story.  No amount of fact checking in the blogosphere is going to prove the point; there’s simply not enough known, it’s almost all speculation.  The Google Security team has to deny the report, it’s part of what they do.  But they have done a good thing in strongly suggesting everyone force their Gmail account to only use SSL when logging in.  It’s not a perfect solution, but it is a step up from what most people are currently doing.


Nov 25 2008

Network Security Podcast, Episode 129

Published by under Podcast

Rich and I are preparing for Thanksgiving, just like everyone else in America right now.  I don’t know about you, but that primarily means I have five days of work to accomplish in three days of the week.  So we didn’t organize a guest this week, we sat down together (1000 miles apart) and talked about some of the stories that caught our attention over the last couple of weeks.  It’s a good show, and we’re out of here until after Turkey Day.

Have a great Thanksgiving!

Network Security Podcast, Episode 129, November 25, 2008

Show notes:


Nov 18 2008

Network Security Podcast, Episode 128

Published by under Podcast

We’re joined today by Glenn Fleishman to talk about our own recent past and the recent cracks in the WPA armor.  Rich recently got to visit Russia to participate in a talk on Data Leak Prevention, while Martin got his own sit down with DHS Secretary Michael Chertoff.  Glenn had a little excitement of his own, with a detailed article on the recently revealed vulnerabilities in WPA using TKIP.  It’s a small vulnerability, but both Rich and Glenn suspect it’s just a precursor to bigger, badder things to come.  And somewhere in there, a three year anniversary for the podcast slipped by.

Network Security Podcast, Episode 128, November 18, 2008

Show Notes:

No time for any music or fancy stuff like that. 


Nov 15 2008

Congratulations to April and Jason

Published by under Blogging

I spent the last day helping my friends Jason and April get hitched.  I think there’s some work to be done on it, but you can see some of the video on their site.


Nov 13 2008

Pictures and George Ou’s comments

Published by under Blogging,Government

I just got some pictures from Tuesday that were taken by Secretary Chertoff’s photographer.  If you look at my MacBook Pro, you’ll see several stickers rather prominently displayed, but the most obvious one is “Hack Naked” from PauldotCom Security Weekly!  I really wasn’t thinking about what I was carrying around, since the bag I was using that day was a Black Hat 2008 bag.  I’m glad they knew enough about me not to be worried about my hacking skills. 


George Ou has done a good job of writing up his experience from Tuesday.  George and I have different priorities, so it was good for him to ask questions I wouldn’t have thought of.  We were all impressed by the statistics concerning the no-fly list:  there are only approximately 2500 names on the true ‘no-fly’ list and another 20,000 on the extra security list.  And of those, only 10% are American citizens according to Secretary Chertoff.  For such a small list, it sure has created a big stir.

Added:  Of course, minutes after I posted this, I found out that Andrew Storms, the guy pictured to the right of me, wrote up his own experience.  I think between the excellent posts by Andrew and George, I don’t need to feel guilty about not having time to write up my own experience. 


Nov 12 2008

Double-check your QSA

Published by under PCI

I’m not sure if this is something I’d missed before, but you can look up your Qualified Security Assessor (QSA) and see if they’re in good standing.  All you need is their last name and the name of their company and you can know for certain that they’re on the up and up and have had their annual training.  This is something you should take the five minutes to do to check out the QSAs who’ll be working with you.  I don’t have specific examples, but I’ve heard rumors that there are some folks out there representing themselves to Level 3 and Level 4 merchants as QSAs when they’re not.  Take the 5 minutes to verify your assessor, you owe it to yourself.


Nov 12 2008

Talking to Michael Chertoff

Published by under Blogging,Government,Podcast

I’m still digesting yesterday’s talk with DHS Secretary Michael Chertoff.  Thanks to Mr. Chertoff and his press folks for inviting me to the event.  I never thought I’d be invited to talk to one of the highest level security professionals in the country, it wasn’t even something I had as a ‘some day, possibly’ goal.  I don’t agree with everything Mr. Chertoff said, but I still enjoyed talking to him and learning about his point of view.  You can listen to the audio in the latest podcast.

Deborah Gage at SFGate wrote up her impression of the conversation, which captured most of the points of the conversation rather well.  I’m just disappointed she referred to us as ‘Silicon Valley bloggers’ instead of mentioning names and blogs.  Plus, technically, only George Ou is a Silicon Valley blogger, I’m over 100 miles away in the North Bay and Andrew Storms isn’t much closer.  Still a good write up.  I have to wonder if has something against linking out to bloggers since we’re sometimes direct competition. 

I only took a couple of pictures as I was much more interested in taking part in the conversation and live tweeting it.  Luckily Andrew Storms caught a number of good shots of Secretary Chertoff.  And the back of my head, definitely not my most photogenic part.  I hope to see Andrew’s take on the conversation soon.  Here are a couple of the photos I took of Mr. Chertoff, Andrew Storms and George Ou.  I’ll post a bit more on the meeting as time allows.  Which probably means not today.


Nov 11 2008

Network Security Podcast, Episode 127: DHS Secretary Michael Chertoff

Published by under Government,Podcast

When I first got an invitation to attend a roundtable discussion with Department of Homeland Security Secretary Michael Chertoff, I thought it was a hoax, as did some of the people I asked about it.  A little fact checking revealed that it was the real deal, but the meeting was in Washington, DC.  Traveling cross country for an hour meeting isn’t in my budget, so I regretfully passed on the opportunity.  Fast forward a month and the invite comes again, but this time it’s happening at Stanford University.  There’s no way I could pass that by.  Andrew Storms and George Ou expressed interest in going and Secretary Chertoff’s Press Secretary, Caroline Dieker, made the arrangements and we were all invited to attend.

I was impressed by Secretary Chertoff; he speaks plainly, with only a little of the evasion I’d expected from someone in a position like his.  I don’t agree with all his arguments and ideas, but he was very open to discussing them publicly.  I almost feel bad that he’s going to be gone come January.  I tried to tweet the whole thing as much as possible, but it’s easy to get distracted in a situation like this.  I captured the entire conversation on my little iRiver 795 and here it is so you can listen for yourself. 

Network Security Podcast, Episode 127, November 11, 2008 – Blogger Roundtable with DHS Secretary Michael Chertoff

I’m posting a copy of the live tweets in the comments, along with the replies.
