Dec 19, 2008
Department of Homeland Security Secretary Michael Chertoff is going to be looking for a new job soon and he’s brushing up his resume in preparation, sort of. He’s released a video showing what he’s done as the head of the DHS and what he’s handing off to his successor. It’s an interesting watch and gives you a little insight into what he sees as important. Secretary Chertoff has shown that he has a deeper understanding of the 21st century, blogging and social media than most members of the Bush regime by repeatedly reaching out to bloggers and using the tools of Web 2.0 to communicate with the public. This video is a perfect example of how someone in the blogosphere would go about creating their own resume.
I don’t agree with everything that the DHS does; I sincerely doubt there’s anyone who does, even Chertoff himself. But they’ve been given an extremely tough mandate, and what I do believe is that he’s done the best job he could. As Janet Napolitano steps in to take over for Secretary Chertoff, it will be extremely interesting to see how the focus shifts and what aspects of national security come to the foreground. There have already been indications that she’ll concentrate more on immigration issues since that’s her background, but what else will she be concentrating on? I can only hope Governor, soon to be Secretary, Napolitano continues in Mr. Chertoff’s footsteps and builds on the efforts to communicate with us.
I hope Mr. Chertoff takes a little time to kick off his shoes (get it, an airport pun), relax and let someone else take the heat for a while.
DHS Secretary Michael Chertoff Accomplishment Video
Dec 18, 2008
I made two fairly major purchases this week, even though I had to use the credit card to make them, something I hate doing. Both are aimed at promoting my long-term health, one physical, the other career. The first was to get a small amount of exercise equipment and order the DVDs for the P90X system. I’m sure anyone who’s following the security guys on Twitter has heard more than their fair share about P90X lately, and Chris Hoff has gone so far as to create a new blog of his own to monitor his progress with the P90X system. I probably won’t go as far as he has with the blog, but I think I will follow his example and take a ‘Week 0’ picture and occasional pictures after that. I’m not starting the program until after Christmas myself, mostly because I’ll be heading out to the in-laws for a week and don’t want to start something this hard and then stop for a week.
The second purchase I made was to get myself a membership in Microsoft’s TechNet Plus. I’ve had access to TN+ several times before through employers, and I’d used it a lot to build and rebuild servers, test out new programs and generally learn aspects of Microsoft programs I wouldn’t normally have access to. Unluckily, the last time I had access to TN+ was just after XP came out, and when Vista came out the only reason I got to try it at all was that I happened to receive a copy of Vista Ultimate at an event I attended. Not that I ever successfully upgraded a system to Vista, but at least I got to try.
The truth is, TN+ is also a tax write-off for me. I haven’t earned much from Google Ads this year, but it’s more than the cost of the TN+ subscription, and this will help me counteract what little tax burden there is. But more importantly, this is an investment in my own continuing education for security and technology. I work from home, and while I get a chance to see different networks and OSes with every new client, it’s not the same as getting your hands into the guts of a server and administering it yourself.
So I’m viewing the purchase of TN+ as an investment in my technical skills for the future. And that’s how I’m selling it to my wife as well. I put a lot of time into reading blogs, writing my own blog and creating the podcast, but the amount of money I’ve put into furthering my skills has been minimal the last few years. My training comes through going to events like RSA, Black Hat and Defcon. I don’t have a lot of time and energy to read security books, but several of the publishers occasionally send me those to read and review. I often think about investing in a Master’s degree. It’d be expensive and time consuming, but it’s a piece of paper that helps you go a lot further in life than a BS will. But until my wife finishes her own college courses and gets a job, any further courses for me will have to wait.
What other venues should I be spending money on to further my career as a security professional? Is there something I’m neglecting that might eventually catch up to me? How are you investing in your career? Are you investing in your career monetarily, or are you making your investments in time and energy instead? I know there are a lot of people out there who are beginning their careers who are curious about how to get into security, but I’m wondering how the people who’ve been in the field for years are continuing to improve their skills and preparing for that next step up or making themselves as ‘recession proof’ as possible. I don’t think anyone in this field can afford to say they’re resting on their laurels.
Dec 14, 2008
We can’t live without anti-virus on our computers in this day and age. I guess we really can, strictly speaking, but the non-techies in my household don’t have the understanding of the Internet to know which behaviors to avoid and what might get them in trouble. So I put AV on their computers, because it’s easier than trying to educate them. And as vital as AV is in these situations, I refuse to pay for it. Why? Because there are so many free options available, and I think most of the for-pay AVs are too expensive given how few features they offer that I can’t get in the free versions. I suspect the free AV vendors use the home AV market as a loss leader to get themselves market share and awareness, giving them a toehold in the corporate AV market, which is where the real money is in any case.
For years I’ve been using AVG Anti-Virus Free Edition, but recently I’ve been less than happy with it. It’s been fine on my computer, a decent XP desktop, but on my wife’s slightly older Win2K system it’s been more than a little unstable and recently started complaining at startup that it was missing a .bin file. I tried to update it several times and scanned the hard drive several times, but I lack confidence in its ability to find malware if it’s acting this flaky. So this morning I uninstalled AVG, and now I’m in the process of installing Avast Home Edition. The initial installation was as painless as expected; the system rebooted, and before it fully loaded into Windows it was doing a full system scan for malware. It hadn’t found anything when I started writing this, but given the amount of storage space on her computer, a full scan could take a little while.
So my question to you is: what free AV program do you use at home and install on your family’s computers? Or do you pay for AV from one of the big names? Or do you skip AV altogether, since I’ve read numbers stating that AV is only between 60% and 80% effective in any case? And most importantly, why did you make the decision you did?
Update: Here’s a link to an entire list of AV products out there at Checkvir.com and a really good report by Anti-Malware Test Lab showing exactly how ineffective AV is. According to this report, only Avira (who?), Kaspersky and F-Secure AV even hit the 90% mark for finding viruses. The big players, Symantec and McAfee, only hit the mid-60s. Ouch!
Dec 13, 2008
I’m back from the far reaches of Canada (Montreal). I’ve almost recovered from the 20+ hours of flying in the last 10 days and other things I picked up along the way. My mind says I could still use another 6-8 hours of sleep, but my body and my kids don’t quite agree with it. So instead I’m up early playing my MMORPG, reading my Twitter stream and blogging. Sounds like a pretty typical Saturday morning to me. Except I’m heading down to SF in a couple of hours to record more video discussions with several other security professionals, some face to face, some via the miracles of the Internet. I’ve already professed to the group that I’m the least likely to be considered an ‘expert’ in most of the subjects we’ll be talking about, but that’s never stopped me from voicing an opinion before, so why let it start now?
Saturday morning reading:
- Just a little forewarning: There’s some big news coming to the Security Blogger Meetup page in the next couple of days. I can’t tell you more until I get permission, but keep an eye out on the page and your email if you’re a security blogger, podcaster or writer.
- Wave Bubble: Build your own self-tuning RF jammer. Which is probably illegal in several states, especially if you use it against cell phones. But hey, it’d be worth taking into the theater with you to block those annoying jerks in the row behind you who insist on taking calls in the middle of the show. Thanks to John McCash for showing me this one.
- I found out this week that the CEO of my ISP blogs and twitters, and is now following me. Sonic.net is one of, if not the, biggest privately owned ISP in the US. After the holidays are over, I’m hoping to get an interview with him and several of his engineers to discuss the security concerns of running a large ISP.
- ‘Dirty Dozen’ of vulnerable apps – I’m not sure if this is a valid list or just another attempt to garner attention, but I’m putting it in my reading list to figure out later.
- Review of “Schneier on Security” – I like Bruce Schneier, but I’ve most likely already read almost every article in this book when it originally came out. So why would I spend money to read them again in paper form? YMMV.
- It’s not a good time to be using IE7. Or IE6 or IE8 or MS SQL Server or … well, you get the picture. Switch to Firefox already!
- And speaking of Firefox, Window Snyder is leaving Mozilla for an undisclosed startup. Good luck Window!
- There was a lot of stuff on the ZDNet site to read this week. I wonder how long it’s going to take Chris Hoff to tear into this article on Cloud Computing.
- If you’ve been blogging for long, you’ve probably had an “Oh shit, people actually read my drek!” moment. Hopefully yours wasn’t right after you got /.’d for tearing into someone for being ignorant.
- I saved the stupidest for last: The McCain campaign was selling off some of the equipment they no longer needed and forgot to wipe the memory of their BlackBerrys. There were a number of politicians’ private phone numbers still on the phones, even some emails and text messages. And there’s a call out to see if other people who bought the stuff found sensitive information as well. Who needs to hack your email account when you’ll just sell it for $20?