Archive for the 'CISSP/ISC2' Category

Mar 08 2010

RSAC2010: ISC2

Published by Martin under CISSP/ISC2, Podcast

I’ve been a member of the International Information Systems Security Certification Consortium [(ISC)2] for nearly a decade; I passed my CISSP test in November of 2002 and don’t have to worry much about CPEs until at least 2011. So when I was offered an opportunity to talk to Hord Tipton, Executive Director of the (ISC)2, I didn’t hesitate to take them up on the offer. We started off easy, talking about what’s new at the (ISC)2 and the Safe & Secure Online Program. Then we moved on to the harder questions, like “What have you done for me lately?” and “What are you doing about people who shouldn’t be CISSPs in the first place?” The (ISC)2 is never going to make all of us who are certified happy, and they are taking some steps to address concerns about unqualified practitioners, but it’d be nice if they were a little more public about it. Oh, and you’ll hear at the end that the (ISC)2 definitely accepts listening to podcasts for CPEs. I forgot to ask about producing them.

NSP-RSAC2010-ISC2.mp3


One response so far

Jul 16 2007

You’ve got to appreciate truth in advertising

I use Gmail as my central email repository and usually the spam filters they use are pretty good.  But lately they’ve been a little overly aggressive, so I have to comb through to make sure no legitimate email is being caught accidentally.  There’s not a lot that’s misidentified, but there’s enough to make it worth the few minutes a day it takes to double-check the spam folder.

I’ve been amazed at some of the subject lines I see, as well as what I see in the preview of the email. There’s no way I’m going to click on any of them to find out what else is in the spam, because it’s just not worth the risk. But I do have to say that my favorite subject line so far is “Thanks for contributing to our financial success”. It’s honest and straightforward even if it is just an attempt to rip off people around the globe.

On a side note, I used to clean out my spam folder every couple of days, but in March I started letting them accumulate and get deleted automatically when they’ve aged 30 days. It’s been interesting watching the number of spams spike and drop. At one point I had gathered nearly 9000 spams in a 30-day period, which works out to an average of 300 spams a day. Personally, that means about 60% of my email is spam, a far lower percentage of spam than most people see. I guess being subscribed to ten or so mailing lists had to have some benefit.

Mine is just a single data point, compared to the millions some anti-spam vendors get to see. But I like having a personal high water mark to compare to what the vendors are reporting. I’m not a spam expert, so it’s interesting to see new spam subjects that companies like F-Secure report. Anyone else out there keep track of the spam they receive for fun?



6 responses so far

Jul 10 2007

Using charities to test stolen cards

This makes sense in a twisted way:  scammers are using charities to test stolen credit cards. As the post points out, they’re using charities because most banks aren’t going to flag a donation, since it’s something most people only do on special occasions and it’s hard to create a behavioral monitoring program that could catch this as being an unusual activity with any accuracy.


No responses yet

Sep 01 2006

The target was material for phishing attacks

According to the SFGate, the intrusion that AT&T reported earlier this week was not aimed at stealing credit card information; it was aimed at providing the raw data to allow the crackers to perform targeted phishing attacks on a massive scale. By seeding an email with information gathered from AT&T’s database, the phishers can add a level of authenticity that makes even some of the most suspicious people on the Internet accept an email as authentic.

This is just one more reason to never respond directly to any request from a merchant or bank that comes to you in the form of an email.  As always, if you think an email alert is real, open a browser window and manually type in your bank’s URL, never click on the link in the email. 



No responses yet

Jun 09 2006

I need some cheap USB thumb drives!

What an evil, sneaky, underhanded way to social engineer a business! I like it! This company took twenty USB thumb drives, seeded them liberally with malware and pictures, and left them on the ground outside the credit union they were targeting. People fell for it, and quite frankly I can’t say I blame them. If I found a thumb drive lying around in the parking lot, I’d probably plug it into a system to see who it belonged to myself. Or at least I would have before I read this article.

This was done as part of a penetration test, with the full approval of the company that was attacked. But is it really safe for anyone to assume that any media you find lying around was lost, not placed there on purpose? This really would be a good way to target almost any company you might want to mention. It’s so much safer to always assume a malicious intent and take the proper precautions than it is to assume innocence. This is why I always get so angry when businesses talk about stolen laptops and the thieves not knowing what they have. You have to assume malicious intent and prove that none exists, not the other way around.



No responses yet

May 25 2006

Quoted for an article on SearchSecurity

Comments I made on my ComputerWorld blog were quoted today in an article on SearchSecurity about the Black Frog/Okopipi project. After talking to one or two members of the project, I think I oversimplified the challenges Okopipi will be facing, but I’m still dubious about the project. It’s something that’s going to have to be handled with great care, and I’m not sure an open source project is the way to go. Every unsubscribe link is going to have to be verified by a real person, not just a program, and I still see several ways spammers could turn this project to evil. I don’t think this is reason enough not to at least try, but I don’t believe I’ll be participating in a distributed, P2P anti-spam solution any time soon.



No responses yet

May 17 2006

Blue Security closing down

It looks like the spammers have won the battle against Blue Security.  The company is closing down their service, having realized that their solution to spam isn’t going to do much more than create an ever-escalating war with the spammers.  I didn’t think an active, attack-back technology like Blue Security ever had much of a chance of being effective, but I’m still a little saddened to see them have to shut down the service.  On the other hand, give it a year or two and I’m sure some other company will try almost exactly the same thing. 



One response so far

Apr 17 2006

Fighting phishing by sending false images

Mikko at F-Secure had a good idea for fighting phishing. A significant number of phishing sites aren’t hosting the images they use; they’re directing the browser to download the real image from the bank they’re imitating. So what if the banks added some relatively simple code to instruct the web server to send an alternative image if they received a significant number of referrals to the original image? Using Mikko’s idea, the bank’s alternative image would include a stamp that would make it clear that the referring site was illegitimate and give the consumer a phone number to call. The idea could be circumvented by smart phishers, but it would add one more hoop they’d have to jump through. Even if it only stops the lazy phishers, that’s a couple more percent of the total scams that wouldn’t work.
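The server-side decision Mikko’s idea needs, as an added example that is not from the original post or from F-Secure: count image requests whose Referer points at a host other than the bank’s own, and once a foreign host passes a threshold, serve the pre-rendered warning variant of that image instead. The bank hostnames, the threshold and the /img/warning/ path layout are assumptions for the example.

```python
# Added example: Referer-based image switching for a bank's web server.
# Hostnames, threshold and path layout are constructed for illustration.
from collections import Counter
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Hosts the bank itself serves pages from (constructed sample values).
BANK_HOSTS = {"www.examplebank.test", "online.examplebank.test"}

# Off-site referrals to one image before the warning image replaces it.
THRESHOLD = 50

# Per-(foreign host, image path) referral counter; an in-memory stand-in
# for whatever the real server would keep this state in.
foreign_referrals: "Counter[Tuple[str, str]]" = Counter()


def referer_host(referer: Optional[str]) -> Optional[str]:
    """Hostname from a Referer header, or None if absent or unparseable."""
    if not referer:
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None


def choose_image(path: str, referer: Optional[str]) -> str:
    """Return the file path to serve for a request for image `path`.

    First-party referers get the real image. So does a request with no
    Referer at all: browsers omit the header for privacy settings and
    Referrer-Policy, so a missing header is not evidence of phishing
    (this is the hole a careful phisher can use, as the post notes).
    Off-site referers are counted per (host, image); once a foreign host
    has pulled an image more than THRESHOLD times, the warning variant
    (the same image stamped with a notice and a phone number, which the
    bank pre-renders under /img/warning/) is served instead.
    """
    host = referer_host(referer)
    if host is None or host in BANK_HOSTS:
        return path
    key = (host, path)
    foreign_referrals[key] += 1
    if foreign_referrals[key] > THRESHOLD:
        return path.replace("/img/", "/img/warning/", 1)
    return path
```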



No responses yet

Feb 22 2006

Violation of Ethics: Plagiarism

Published by Martin under CISSP/ISC2

I received an email about this yesterday from a reader, Vick.  There are accusations on the ‘Net that large parts of the Official (ISC)2 Guide to the CISSP Exam were plagiarized.  This isn’t a minor accusation, especially when it’s about a company like the (ISC)2 who subscribes to a code of ethics.  I wanted to see some form of verification before I said anything on the blog.  Well, I just got a link in the mail (Thanks Kevin).  The messageboard post lists a couple of articles that are available online and were lifted wholesale and put in the book.

Strictly speaking, I don’t think the onus for policing the content of the book really lies with the (ISC)2; they probably paid a publisher who commissioned a writer, or several writers, to write the book. But that’s no excuse for this happening. Plagiarism may not be a crime, but it is a policy and ethics violation that looks bad for the writer, looks bad for the publisher and leaves the (ISC)2 with egg on their face.

I don’t have a copy of the Guide, and I’m probably not going to go out and purchase one just to verify the accusations of plagiarism.  But if someone else who has a copy of the book would look at the articles mentioned and the pages in the Guide and do a comparison, I’d love to hear what you have to say.  I’m hoping that this is a misunderstanding and that the guide gives credit to the original authors in the bibliography.  If not, the (ISC)2 has some ’splaining to do.



6 responses so far

Feb 20 2006

Not really impressed with the (ISC)2 study

Published by Martin under Blogging, CISSP/ISC2

I wrote about the (ISC)2 dinner and the study they released there.  The most annoying part was they under-ordered the dinner and I ended up having to go out and get my own dinner.  I ended up at some pretty good sushi (Sushi Zen), so it was okay in the end.


No responses yet
