Archive for November, 2008

Nov 11 2008

All the stuff I don’t have time to blog about

Published by under General

We’re all busy and the more stories I accumulate in my browser, the less time it seems I have to do anything with them.  So in order to clear out some of the open tabs, here’s some of the stories I’ve been reading lately:

Is that enough?  I think so.


No responses yet

Nov 10 2008

What would you ask the Department of Homeland Security Secretary?

Published by under Blogging,Government

Michael Chertoff, the Secretary of the Department of Homeland Security, will be here in California tomorrow.  He’s hosting a blogger roundtable on Cybersecurity and I’m one of an unknown number of security bloggers who’ll be attending the event and talking to Mr. Chertoff face to face.  Quite frankly I was surprised that the Department of Homeland Security was even aware of blogs, let alone willing to step out of Washington to talk to us in person.  I probably shouldn’t be, since the TSA has had a blog for months now, even if I rarely agree with what they post there and never take it at face value.

Mr. Chertoff is on his way out due to the change in leadership our country is going through, but he’s held a highly political and thankless job for some time now.  He has a unique view of the security of not only our nation, but every nation in the world.  So what would you ask the man who’s been responsible for ‘homeland security’?  What do you want to know about how we’re doing security at the highest levels?  What burning questions about the TSA and your shoes are eating away at you?  If it were you going to talk to Mr. Chertoff tomorrow, what’s the one question you’d ask?

I have a number of my own questions, but I know that you can come up with even better.  Leave a comment on this post with the question you’d ask.  Keep it short and concise, and make it topical to cybersecurity.  I won’t be asking any ‘attack’ questions, but I’m perfectly willing to ask some of the hard questions.  Personally, I want to know what it’s like to be placed in charge of Homeland Security without any real power to effect change.  Except that most security managers already know what that’s like.

We’re allowed to bring cameras and audio equipment, but no video.  Most of my equipment is for close up interviews, but I’ll do the best I can with what I have.  I’m just hoping the Secret Service doesn’t decide that some of my equipment isn’t acceptable.  Or decide that I’m a security risk at the last minute.


9 responses so far

Nov 10 2008

IT Horror Stories

Published by under General,Humor

Congratulations to Jason, the winner of the free pass to CSI.  Here’s his story about how a minor change to a script almost caused a major disaster.  I have my own war story about scripts I’ll share later this week.  Here’s a hint:  Always make sure you’re in the proper directory when running your scripts.

This happened when I was first learning to admin UNIX boxes. Another SysAdmin and I were working on a shell script to lowercase the file names of 30-40 million image files. They were on an NFS mount that was used by several servers. These images were part of detail listings of a relatively busy web site and we were right in the middle of the day.

Now that the background of the mess is fully explained, the story gets going. We went through several revisions and were testing against a directory on a desktop system. Nothing destructive happened during testing and we were getting fairly comfortable with the “safety” of the script.

We finally thought we had a working script, so we moved it to the prod server. Then we noticed a “minor” change that needed to be made on it. We made the change then decided that since this was such a small, little tweak we could run it on the live NFS mount without any further testing. Fire in the hole!

The script took off and we watched it run. All was well. Then my phone rang from the NOC. A panicked operator was on the phone saying, “Hey what’s happening with listing images from xyz.com? They are all coming up as 404s!” I killed the script while thinking something like “oh crap, oh crap, oh crap!” Sure enough the script had wiped out about 50% of the images. Amazing how fast a shell script can delete when it goes haywire.

We pointed the web servers to a backup copy of the images, then started to recover to the production mount. The backup was a couple days old, so our image processing guys had to re-upload the missing work. I was lucky that the online backup was there. I had taken it for reasons unrelated to this event. The next day I got to explain to the CIO what had happened.

The moral of the story was backup first and test your script until it is golden before going live. Then test it again and again and again. Make sure you are doing it at the proper time, then go to production. We didn’t have change control, so I’d add get all the approvals now too. Cover your butt.

It was a good lesson. I’ve never done anything like that again in the last 7 years.


No responses yet

Nov 06 2008

Nessus Beta plugin for PCI compliance

Published by under PCI

If you’re already using Nessus and you need an internal scanning engine for PCI compliance, then you need to be checking out the three new PCI-DSS plugins that the folks over at Tenable have created.  These are still beta and should not be treated as proof of compliance yet, but they’ll still give you a very good idea of what your current status is.  They’re looking for your feedback, so play with the plugins a little and let them know what your experience is like.


No responses yet

Nov 06 2008

Feedburner dropped 1500 subscribers

Published by under Blogging,Site Configuration

If you haven’t seen anything from me lately, it’s not me, it’s not you, it’s Feedburner.  About two weeks ago my Feedburner stats dropped by a little over 1/3 of my total readership.  This has happened before, but usually a day or two later they all come back.  Not this time though, they’ve remained stubbornly gone.  If you’re one of the folks who was unsubscribed without knowing it, please resubscribe using the link below.  And if Feedburner drops a huge number of readers like this again, I’m going to have to find an alternative.

Network Security Blog RSS Feed


5 responses so far

Nov 06 2008

WPA broken?

I know I’m cynical, but when I start seeing headlines about this encryption technology or that wireless technology being broken, I have to wonder if it really is or if just a small portion of it was cracked. After all, it was reported a few weeks ago that Elcomsoft had broken WPA, but when George Ou did the math, it didn’t really affect anyone in the real world.  So when I read this morning that WPA has been broken, I have to take it with a grain of salt until the actual research is released.  Did they really break it or did they break WPA under a special set of circumstances?  Will this be usable in the real world?  Do I even care (by which I mean, will it affect me)?

The good news is, even if this is a real crack of WPA, the researchers are stating that WPA2 is still secure.  Until someone figures out how to work around that encryption scheme as well.


5 responses so far

Nov 05 2008

Tips for starting a security career

Published by under General,Simple Security

I know I’m not the only security professional who gets the question “How do I get started in Information Security?”  It’s not a simple question to answer; you don’t simply go get a degree in security then get a job.  Everyone I know has taken their own, unique path to get into information security, and the number of folks who, like me, actually have a degree in IT is small.  And even I’d been working in IT for several years before I decided to take my career to the next step and pursue my Bachelor’s degree.

Security Catalyst Kees Leune regularly teaches aspiring security professionals and probably hears this question more than most of us do.  And being a blogger he’s written a short guide on steps you can take towards becoming a security professional.  I have to warn you, there’s a good chance you’ve heard many of the suggestions before.  But that’s because he’s listing out what it really takes to become a security pro; there is no silver bullet, no degree or certification that makes you a security professional. It’s a career path, not a destination.  You have to be prepared to spend a lifetime learning and have a passion for security if you’re going to be successful.  Being cynical and paranoid helps too, but those are skills that can be acquired.

His final point, Plan, can’t be overstated.  Know why you want to be in security and what you want to be doing in 5 or 10 years then trace back the steps that it’ll take to get there.  The path you take probably won’t resemble your plan in any but the vaguest outline, but the only way to reach your goal is to have one in the first place.  Saying to yourself “I want to be a security professional” is a good start though.


3 responses so far

Nov 04 2008

I hope you voted

Published by under Government

I had to leave a client site early today to vote, but they understood.  I hope you didn’t let anything stand in the way of you voting today.


No responses yet

Nov 04 2008

E-voting Glossary

Published by under General

If you’re wondering what some of the acronyms around electronic voting mean, here’s a glossary of terms for you.  I know I learned a couple of new terms by reading it.

Thanks to digiphile on Twitter.


No responses yet

Nov 04 2008

Network Security Podcast, Episode 126

Published by under Podcast

This is a special Get Out and Vote episode.  Rich is in Russia of all places and Martin is on the road most of today, so this episode was recorded on October 31, 2008, Halloween.  And there isn’t much scarier today than Direct Recording Electronic (DRE) voting machines.  That might make a good costume next year.  In any case, exercise your right and responsibility to vote today!

Network Security Podcast, Episode 126, November 4, 2008

Show Notes:

PS.  We took great pains to make sure the audio quality was a lot better this week.  Thanks for listening.


No responses yet
