Ahh, the joys of being a parent. My youngest son recently started sprinkling his language with profanity, something both his mother and I were certain he didn’t get from us: she almost never uses profanity and when I do the kids are usually running for cover rather than trying to remember what I said. At first we thought he was getting it from school, but his older brother finally came forward and told us it was from videos he was watching on YouTube. What had looked like a fairly innocuous video of SuperMario and other characters turned out to be profanity laden and more than a little disturbing. He was given a warning and told to turn off any videos that contained profanity, then lost his computer rights for a week when I caught him watching a video with profanity. The third time’s a charm, so I decided it’s time to block YouTube at the entry way, my WRT54G router.
It seemed simple and straightforward. But an hour and several internet searches later, and I still couldn’t get the WRT54G to block YouTube. I created a Policy called YouTube, rather appropriately, I added a list of affected PCs, set it to everyday, 24 hours a day and entered http://www.youtube.com in the space marked “Website blocking by URL address”. Then hit “Save Settings” and … nothing. I was still able to get to YouTube, the kids could get to YouTube and I was not happy.
Then it suddenly struck me: the folks at Linksys and Cisco were creating the software for the average computer user, someone who doesn’t have the faintest idea what “HTTP” or “URL” mean and probably never types the “http://” at the beginning of the URL. I took that out of the URL and saved the settings and now YouTube is blocked. I’m happy that I now know how to block a site, but I’m frustrated that the developers couldn’t have taken a few more lines of code to either automatically remove the http:// if typed in, or at the very least taken ten seconds to add an example of what they consider a URL. If I’d seen even one example of what they consider a URL, I would have been able to block the site in less than 5 minutes, rather than taking over an hour. And I wonder how many less technical parents have given up in frustration.
As someone put it on Twitter: “Sometimes people should check acronym definitions before using them.”
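An added example, not from the original post or from the Linksys firmware: a small Python normalizer that does what the paragraph above asks for, reducing whatever a user types into a block-by-URL field to a bare hostname (scheme, port, path and case dropped) and then matching requested hosts against the blocklist including subdomains. Function names are my own.

```python
from urllib.parse import urlsplit


def normalize_block_entry(entry: str) -> str:
    """Reduce a user-typed block entry to a bare, lower-case hostname.

    'http://www.youtube.com', 'youtube.com/' and 'HTTPS://YouTube.com:443/watch?v=x'
    become 'www.youtube.com', 'youtube.com' and 'youtube.com' respectively.
    Raises ValueError when no host can be found (e.g. an empty field or 'http://').
    """
    text = entry.strip()
    if not text:
        raise ValueError("empty entry")
    # urlsplit only recognises a host part when a scheme is present,
    # so supply one for entries typed as a bare domain.
    if "://" not in text:
        text = "http://" + text
    host = (urlsplit(text).hostname or "").rstrip(".")
    if not host:
        raise ValueError(f"no hostname in {entry!r}")
    return host


def host_is_blocked(requested_host: str, blocked_hosts) -> bool:
    """True when the requested host equals a blocked host or is a subdomain of it,
    so a block on 'youtube.com' also covers 'www.youtube.com' and 'm.youtube.com'
    but not a different domain such as 'notyoutube.com'."""
    h = requested_host.lower().rstrip(".")
    return any(h == b or h.endswith("." + b) for b in blocked_hosts)


if __name__ == "__main__":
    # Constructed sample of what parents might type into the block-by-URL field.
    typed = ["http://www.youtube.com", "youtube.com/", "HTTPS://YouTube.com:443/watch?v=x"]
    blocklist = sorted({normalize_block_entry(t) for t in typed})
    print("blocklist:", blocklist)
    for req in ["m.youtube.com", "notyoutube.com"]:
        print(req, "blocked" if host_is_blocked(req, blocklist) else "allowed")
```

Matching on the normalized host rather than the literal string is what lets one entry catch the www, mobile and scheme variants a child's browser will actually request.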
The issue of the blogosphere echo chamber has come up a number of times lately, with both journalists and bloggers claiming that we don’t do enough fact checking before taking a story as the truth. I’m willing to give up the point, but I’m not willing to take it as a dig against the blogosphere; instead I think it’s a fact of human nature, which is why we need to double-check what others say, whether it’s in the newspaper, on TV, written in a blog or just word of mouth. We’re security professionals after all; we shouldn’t trust anyone without verifying.
In last night’s podcast, Rich and I mentioned a Cross Site Request Forgery (XSRF or CSRF) reported against Google by the Geek Condition blog (down as of this writing, presumably due to traffic from Google). Neither Rich nor I were very concerned about the issue, since it was stated to be an issue that had been closed. The important part to us was the fact that it shows a weakness in the common practice of sending password reset information to a ‘trusted’ email account. But as this Proof of Concept pointed out, if you can somehow create a filter on someone’s email account, you can create a filter that forwards select emails and removes them from the user’s inbox. Once that filter is in place, it’s child’s play to reset an account password and steal a domain or any other account with a similar reset method.
Right after the podcast I ran across a Google Security post stating that the CSRF bug had been fixed long ago and that the domain theft had nothing to do with the vulnerability. I’m willing to give the Google Security team the benefit of the doubt and believe them; however, I’m left with a nagging question as to whether they can really make such a statement with certainty. The referenced CSRF did in fact exist, though it was patched very quickly, and I know from clicking on a PoC for the vulnerability that it works (I won’t be doing that again). I don’t see any reason to think that someone couldn’t have gotten any number of domain owners to fall for a link exploiting the CSRF and then waited 2-3 months to make use of the compromised Gmail accounts.
The fact is, I don’t see enough evidence for or against the exploitation of this vulnerability to prove either side of the story. No amount of fact checking in the blogosphere is going to prove the point; there’s simply not enough known, and it’s almost all speculation. The Google Security team has to deny the report; it’s part of what they do. But they have done a good thing in strongly suggesting everyone force their Gmail account to use only SSL when logging in. It’s not a perfect solution, but it is a step up from what most people are currently doing.
I just got some pictures from Tuesday that were taken by Secretary Chertoff’s photographer. If you look at my MacBook Pro, you’ll see several stickers rather prominently displayed, but the most obvious one is “Hack Naked” from PauldotCom Security Weekly! I really wasn’t thinking about what I was carrying around, since the bag I was using that day was a Black Hat 2008 bag. I’m glad they knew enough about me not to be worried about my hacking skills.
George Ou has done a good job of writing up his experience from Tuesday. George and I have different priorities, so it was good for him to ask questions I wouldn’t have thought of. We were all impressed by the statistics concerning the no-fly list: there are only approximately 2500 names on the true ‘no-fly’ list and another 20,000 on the extra security list. And of those, only 10% are American citizens according to Secretary Chertoff. For such a small list, it sure has created a big stir.
Added: Of course, minutes after I posted this, I found out that Andrew Storms, the guy pictured to the right of me, wrote up his own experience. I think between the excellent posts by Andrew and George, I don’t need to feel guilty about not having time to write up my own experience.
When I first got an invitation to attend a roundtable discussion with Department of Homeland Security Secretary Michael Chertoff, I thought it was a hoax, as did some of the people I asked about it. A little fact checking revealed that it was the real deal, but the meeting was in Washington, DC. Traveling cross-country for an hour meeting isn’t in my budget, so I regretfully passed on the opportunity. Fast forward a month and the invite comes again, but this time it’s happening at Stanford University. There’s no way I could pass that by. Andrew Storms and George Ou expressed interest in going and Secretary Chertoff’s Press Secretary, Caroline Dieker, made the arrangements and we were all invited to attend.
I was impressed by Secretary Chertoff; he speaks plainly, with only a little of the evasion I’d expected from someone in a position like his. I don’t agree with all his arguments and ideas, but he was very open to discussing them publicly. I almost feel bad that he’s going to be gone come January. I tried to tweet the whole thing as much as possible, but it’s easy to get distracted in a situation like this. I captured the entire conversation on my little iRiver 795 and here it is so you can listen for yourself.
Network Security Podcast, Episode 127, November 11, 2008 – Blogger Roundtable with DHS Secretary Michael Chertoff
I’m posting a copy of the live tweets in the comments, along with the replies.