Network Security Blog

It’s the start of a long weekend and I, for one, will be trying to spend as little time in my home office as possible this weekend.  It probably won’t work out that way, since the home office is also my lab and my play space, but I can dream.  I hope everyone has a great weekend to kick off the summer, though it’s overcast and grey where I’m at.  Thus starts the summer.

• Fake Russian gas company used as cover-up for cybercrime – The money has to be laundered somewhere, so it might as well be a gas company.  Of course, from what I hear of the Russian gas companies, cybercrime might just be the tip of the iceberg of the things they’re doing.
• Defcon 17!!!! – There aren’t many events I look forward to as much as Black Hat and Defcon.  I’m looking forward to FIRST, since I get to see Kyoto, but Defcon is much higher on the ‘fun and excitement’ scale.  And Defcon’s actually affordable, which is a huge deal when worrying about conferences.
• Urban ‘attack’ on infrastructure – Are our infrastructure elements really this vulnerable?  I knew a guy in high school who hacked the local train crossing signals, which sounded cool until the FBI tracked him down by the materials he’d purchased at Radio Shack. D’ooh!
• Gumblar: The malware that is sweeping the nation – “In short, Gumblar is 100 miles of bad road.” Ouch. 
• Microsoft’s ClickOnce Firefox add-on – Some of the things Microsoft thinks are a good idea leave me scratching my head.  I’m talking about the latest patch for .NET, not Office 2007.  This time.

Have a great weekend everyone!

Rich and I may not have done much for our 150th episode, but Paul and Larry at PaulDotCom hosted a 12-hour podcast and invited both of us to participate in an hour long conversation about PCI.  We were joined by Ron Gula from Tenable Network Security and Mandeep Khera from Cenzic.  If Rich and I had thought about it long enough ahead of time we probably would have done something similar to this ourselves.  Who am I kidding?  I’m sure this was a ton of work for Paul and Larry, something I just don’t have the time for right now.

Rich and I have widely differing points of view on PCI and it shows up in this conversation, as it does in almost every conversation we have on the topic.  But this time there were other voices to hopefully temper both of our opinion.  This was a fun conversation to have and I’m always willing to have a conversation like this and not only turn Rich around to the correct view of PCI but also learn something from others myself.  Hopefully you’ll learn a little something yourself. 

If you’ve been in the security business for an extended length of time, you’ve probably heard the name Lee Kushner at some time or another.  You know someone who’s worked with Lee to find the right person for a job, you know someone who’s gotten a job because of Lee or you know someone who’s gotten career advice from Lee.  There are only a few recruiters in the business who not only have the contacts and understanding of recruiting that Lee does, but also understand the specific challenges of finding the right people and the right positions that the security industry does.  And if you don’t think the security industry has some unique challenges, you’ve never worked with some of the personalities and egos that this career path seems to attract.  Smart, talented people of course, but there seems to be an interesting set of personality traits that go along with everything else.

If you haven’t dealt with Lee directly, here’s your chance to read some of his advice, along with that of my friend, Mike Murray at their new site, Information Security Leaders.  Mike and Lee have been collaborating for some time and have finally decided that they’d start a blog to share their viewpoints with the world at large.  If you’re starting a career, you’ll be able to find hints and tricks about finding the job you want in security.  If you’re already in the field, you’ll find the nuggets of information that may be the key to getting that next position.  And at the very least you’ll find examples of career moves that will either leave you shaking your head or asking “Why didn’t I think of that before?“

Lee’s helped me find a job in the past and I keep in touch with him because he’s a great resource even when you’re not looking for a position.  And if you see him at RSA or one of the other big events, you’ll realize how many other people he’s helped because you can’t have a five minute conversation with him without at least two or three other people he’s helped coming up to say hello.  Mike and Lee give several talks a year about having a security career and the steps you need to take, but if you can’t make one of the events, take the time to read their writing instead.  Better yet, read their thoughts in addition to attending their talks, you’ll be glad you did.

We probably more the doubled the number of stories we talked about this week, but we only added about 8 minutes to the length of the podcast. You can consider this the “death by a thousand cuts” podcasts as we cover a string of shorter stories, ranging from a major IIS vulnerability, through breathalyzer spaghetti code, to how to get started in security.

We also spend a bit of time talking about Black Hat and Defcon, and celebrate hitting 500,000 downloads on episode 150. Someone call a numerologist!

Network Security Podcast, Episode 151, May 19, 2009
Time:  42:24

Show Notes:

• Breathalyzer source code released as part of a DUI defense… and it’s a mess.
• A DHS system was hacked, but only a little information made it out.
• Secret questions for password resets are often weaker than passwords, and easy to guess.
• Does tokenization solve anything? Yep.
• Kaspersky finds malware installed on a brand new netbook.
• Malware inserts malicious links into Google searchers.
• Google Chrome was vulnerable to Safari Pwn2Own bug. Both are WebKit-based, so we shouldn’t be too surprised.
• Information on the IIS 6 vulnerability/0day.
• How to get started in information security by Paul Asadoorian.
• Tonight’s Music:  Liberate Your Mind by The Ginger Ninjas

I haven’t had much time or energy to write lately, so I thought I’d get back into the groove with something light (or is that lite?) to start with.

Lawyers for Alaska Governor and ex Vice-Presidential candidate Sarah Palin have taken exception with the owner of the domain name crackho.com for redirecting her domain to the Governor’s own web site.  Apparently they have a) little or no sense of humor and b) absolutely no understanding of how DNS works.  And they’re really slow to catch on to this since the site’s been redirected to their site since some time last year.  The lawyers have sent a cease-and-desist order, claiming that the redirection was a copyright violation.  The reality that this was redirecting traffic to the Governors site and all content was being hosted by the official site seems to have escaped the lawyer’s notice. 

Sometimes it’s easier to walk away from the issue when lawyers get involved, which is apparently what the owner of crackho.com decided to do.  Of course, she left a nice picture of  Governor Palin with some interesting commentary.

Continuing education is an important part of being a security professional and a required part of the different certifications we acquire to support our careers.  For this year’s FIRST conference in Kyoto, the organizers have worked with a number of certification institutions and coordinated continuing education credits for most of the major certifications.  This week I have a conversation with Traci Wei, one of the organizers of this years FIRST conference to talk about the benefits of attending in completing your collection of CPE’s for the year.

FIRST Podcast, Episode 4:  Traci Wei on the importance of continuing education credits

This is one of those good news/bad news weeks. On the bad side, Rich messed up and now has to retake an EMT refresher course, despite almost 20 years of experience. Yes, it’s important, but boy does it hurt to lose 2 full weekends learning things you already know. On the upside, this is, as you probably noticed from the title of the post, episode 150! No, we aren’t doing a 12 hour podcast like Paul and Larry did (of PaulDotCom Security Weekly), but we do have the usual collection of interesting security stories.

Network Security Podcast, Episode 15, May 12, 2009

Time:  38:18

Show Notes:

• UC Berkeley loses 160K healthcare records.
• Most people think they will be hacked. Duh.
• Heartland spends $12.6M on breach response. Possibly half going to MasterCard fines.
• Rich debuts the Data Breach Triangle, which Martin improves.
• Tonight’s Music:  Neko Case with People Got a Lotta Nerve.  Who knew Neko case had a podsafe MP3 available?

It’s been a bit of a strange week on the security front, with good guys hacking a botnet, a major security vendor called to the carpet for some vulnerabilities, and yet another set of Adobe 0days. But being Cinco de Mayo, we can just margarita our worries away.

In this episode we review some of the bigger stories of the week, and spend a smidge of time pimping for a (relatively) new site started by some of our security friends, and a new project Rich is involved with.

Network Security Podcast, Episode 149, May 5, 2009

Time:  34:08

Show Notes:

• The Social Security Awards video is up!
• Yet more Adobe zero day exploits. Now it’s just annoying.
• McAfee afflicted with XSS and CSRF vulnerabilities.
• Torpig botnet hijacked by researchers.
• New School of Information Security blog launched.
• Project Quant patch management project seeking feedback.
• Tonight’s Music: Wound up Tight by Hal Newman & the Mystics of Time

That’s right, the video recorded at the 2009 Security Bloggers Meetup is available for your viewing pleasure.  You can watch Alan Shimel present the Social Security Awards, with a little help from Rich and myself.  This was the highlight of the night and the culmination of a lot of work by the people who put the event together.  I got to put Alan in his place (literally) several times during the ceremony and Mike Rothman was as close to speechless as he’s ever likely to be.

In this week’s episode of the FIRST Podcast, I interviewed Gib Sorebo, who will be presenting “Content: The Next Generation of Incident Response” at the FIRST convention in Kyoto this summer.  Gib Sorebo is the Chief Security Engineer and Assistant Vice President for Technology at SAIC.  We talk about his presentation at the conference, DLP and extrustion detection.  I suspect Gib and Rich Mogull would have a lot to talk about in the DLP arena.  This was a little bit longer talk than previous interviews and I think it was time well spent.

FIRST Podcast, Episode 3:  Gib Sorebo, Chief Security Engineer for SAIC