Archive for the 'Encryption' Category

May 15 2008

Time to get a new set of keys

Published by Martin under Encryption, Security Advisories

If you’re using Debian or Ubuntu, it looks like you need to generate a new set of keys immediately, if not sooner! The SSH keys on those systems used the PID of the process as a seed for generating the old keys, which severely limits the randomness of the keys and has made it possible for a rainbow table of all possible keys to be generated.

There’s some debate about whether this vulnerability is related to an increase in SSH scanning on the Internet, but that’s really immaterial; it will cause a rise in SSH scans soon. Better to secure your system now and stay ahead of the curve than be one of the people unlucky enough to get compromised. As always, the real danger is not what’s happening today, but what happens in a few months when the awareness dies down and people who didn’t get the alerts leave their vulnerable machines on the Internet.

The Internet Storm Center thinks this is really important, so you probably should too.
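The practical follow-up to "generate a new set of keys" is finding out which keys you already trust were produced by the broken generator. The Python below is an added example, not part of the original post or of Debian's own tooling: it parses an authorized_keys file, computes each key's MD5 fingerprint and reports the ones that appear on a weak-key blacklist. The key blobs and the blacklist are constructed toy values for the demonstration; in practice the blacklist would be the fingerprint list the distribution published for the affected keys.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data

def ssh_mpint(value: int) -> bytes:
    # One extra byte so a value whose top bit is set still encodes as positive.
    return ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))

def rsa_blob(e: int, n: int) -> bytes:
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)

def fingerprint(blob: bytes) -> str:
    """MD5 fingerprint of the key blob, colon-separated as ssh-keygen -l printed it in 2008."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def parse_authorized_keys(text: str):
    """Yield (key_type, blob, comment) per key line; blanks, comments and malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.strip().split(None, 2)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key_type, comment = parts[0], parts[2] if len(parts) > 2 else ""
        try:
            blob = base64.b64decode(parts[1], validate=True)
        except ValueError:          # binascii.Error is a subclass of ValueError
            continue
        if not blob.startswith(ssh_string(key_type.encode())):
            continue                # blob does not match the declared key type
        yield key_type, blob, comment

def find_weak_keys(authorized_keys_text: str, blacklist: set) -> list:
    """Return the comments of keys whose fingerprint is on the weak-key blacklist."""
    return [comment for _, blob, comment in parse_authorized_keys(authorized_keys_text)
            if fingerprint(blob) in blacklist]

# Constructed sample data: toy moduli, not real RSA keys, just enough to exercise the parser.
WEAK_BLOB = rsa_blob(65537, 0xC0FFEE1234567)
GOOD_BLOB = rsa_blob(65537, 0xDEADBEEF98765)
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys",
    "ssh-rsa " + base64.b64encode(WEAK_BLOB).decode() + " alice@debian-etch",
    "ssh-rsa " + base64.b64encode(GOOD_BLOB).decode() + " bob@workstation",
    "ssh-rsa not-valid-base64! corrupted@host",
])
# Constructed blacklist; the real one lists the fingerprint of every key the broken PRNG could produce.
WEAK_FINGERPRINTS = {fingerprint(WEAK_BLOB)}
```

Run the same check over every authorized_keys and known_hosts file you control; a flagged key is replaced, not just deleted from one host, because the same weak key may have been copied elsewhere.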


Mar 20 2008

The Good, the bad and the ugly: Wordpress, Scribefire and Wireshark

Published by Martin under Encryption, Humor, Site Configuration

As a security professional, I have a number of things I consider bad habits. One of these is that I let Firefox remember many of my passwords for me, at least when it comes to my low security sites. And for better or for worse I consider the blog one of the low risk sites, therefore I let Firefox keep the password for me and just know that I can log in with a click of the button. Until tonight that is; I upgraded to Firefox 3 beta 4 and for whatever reason, it lost the password to the blog.

At first, I didn’t think this was a big deal; after all I was pretty sure I remembered the password. But after trying the password I thought it was and half a dozen of my other passwords I use on low risk sites, none of them worked. I figured that was not a big deal either, since I could just use the reset password function to … well, reset my password. But that module told me I had a valid account name but an invalid e-mail address. This made me panic a little because I know that I sometimes get a little tricky with my email addresses and add a few descriptive characters then redirect to my active email address once the email hits my mail server. None of the standard email addresses worked, neither did some of the non-standards, and eventually I exceeded the allowed attempts.

That’s when I remembered the one other place I knew I had the password stored, Scribefire. I have been using Scribefire in one form or another for several years now, and in fact I’m writing this posting in it. It’s a great tool for WYSIWYG editing and life would be harder without it. One of the things they’ve done right is to make sure that you can’t recover the user name or password from inside Scribefire, a security measure I appreciate. Or usually appreciate, that is.

That’s when I remembered that for all the things WordPress does right, the login is done over plain vanilla HTTP. There’s no encryption, no use of SSL, nothing. And since Scribefire has to log into WordPress to do some of the magic it does, that means the user name and password would be flowing across the ethernet cable in plain text. I had an older version of Ethereal, now Wireshark, on my system, fired that up, played with Scribefire for a couple of moments and examined the capture. Sure as snot, there was my user name and password, plain as day. Turns out I’d had the proper password, but I’d forgotten a character that’s supposed to be capitalized in the user name. D’ooh.

The real lesson here is not that you shouldn’t rely on your browser to remember your password. Okay, that is a lesson, but it’s not the real lesson. The real lesson is that all too often, our passwords, user names and other sensitive information are flowing across the network unencrypted. It’s open to anyone with a little bit of curiosity. They just need one of the first tools any aspiring security pro or hacker learns to use, a sniffer. In properly switched and segmented networks, this may not be a problem, but there are probably more poorly set up networks than properly configured ones. And I don’t want to rely on the work of a network administrator I don’t know to keep me safe, I want my programs to do it themselves. I’m currently looking at Login Encrypt as a WordPress plugin to solve the problem, but I’m going to keep looking before I bite on this one. But this only solves the problem in WordPress; what about all of the other sites I use that allow unencrypted login?
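The question at the end of the post, which of your sites still accept an unencrypted login, can be answered from the same kind of capture the post describes, without having to read the passwords yourself. The Python below is an added example, not code from the original post: it takes a reassembled cleartext HTTP request, as a sniffer on the same segment would see it, and reports the host, path and the names of any credential-carrying fields (never their values). The parameter-name pattern, the host name and the sample requests are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Parameter names treated as secrets; an assumption for this example, extend it for your own apps.
SECRET_PARAM = re.compile(r"pass|pwd|secret|token", re.IGNORECASE)

def parse_http_request(raw: str):
    """Split a reassembled HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body

def find_cleartext_credentials(raw: str) -> dict:
    """Report where a captured cleartext request carries credentials; field names only, never values."""
    method, target, headers, body = parse_http_request(raw)
    parts = urlsplit(target)
    fields = []
    # Form fields in the body (what a browser or a blog client POSTs on login).
    if "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        fields += [n for n in parse_qs(body) if SECRET_PARAM.search(n)]
    # Credentials in the query string are also written to every proxy and server log on the path.
    fields += [n for n in parse_qs(parts.query) if SECRET_PARAM.search(n)]
    # HTTP Basic auth is base64, which is encoding, not encryption.
    if headers.get("authorization", "").lower().startswith("basic "):
        fields.append("Authorization: Basic")
    return {"host": headers.get("host", ""), "path": parts.path, "method": method,
            "fields": sorted(fields)}

# Constructed samples: a login POST and two GETs as they would appear on the wire over plain HTTP.
SAMPLE_LOGIN_POST = (
    "POST /blog/login HTTP/1.1\r\n"
    "Host: blog.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 37\r\n"
    "\r\n"
    "username=martin&password=hunter2&go=1"
)
SAMPLE_PAGE_GET = "GET /blog/ HTTP/1.1\r\nHost: blog.example.com\r\n\r\n"
SAMPLE_BASIC_GET = ("GET /blog/feed HTTP/1.1\r\nHost: blog.example.com\r\n"
                    "Authorization: Basic bWFydGluOmh1bnRlcjI=\r\n\r\n")
```

Anything this reports is an application that needs its login moved to HTTPS; the report is an inventory of what to fix, not a substitute for fixing it.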


Mar 14 2008

The need for independent verification: Biometric USB sticks

Published by Martin under Encryption

Heise Security has revealed that the chipset for a series of biometric USB sticks is basically useless and can be circumvented in just a few keystrokes in either Windows or Linux. In Windows, you just need to send the stick a single command to bypass its protection. The process is slightly more difficult in Linux because you have to compile the tool, PLScsi, yourself. This is obviously something only a “very professional user” could do; either that or any IT professional who’s been on the job for more than a couple of years.

First of all, we know ‘security through obscurity’ doesn’t work. The compiled version of PLScsi is already available for Windows, which means I could go to the local grade school and find any number of kids who could run the program. If you take the compiled version of this program out of the picture, I might have to go to the local high school to find someone capable of it. In either case a few quick Google searches would turn up the tools in short order.

Second of all, this is a bad implementation of technology. There is a chance that this was a purposeful back door, but ‘never attribute to malice what can be more adequately explained by stupidity’ (Thanks Shane for reminding me of this quote). Someone was either lazy or stupid when they built this chipset, which I find to be a much more likely explanation of the problem than any potential backdoor. I’m not going to entirely rule it out though.

If I’m buying a product that is advertised as adequate protection for my files, I want it to do that. I don’t want the manufacturer to tell me to encrypt my files before I place them on the USB stick, since that’s what I purchased the stick for in the first place. Companies can’t be trusted to do this for themselves, which is why we need folks like Heise Security, David Maynor and Robert Graham to test them out. Even companies with the best intentions make mistakes, and there are more than enough companies that are just snake oil salesmen trying to make a quick buck. Testing their products keeps the manufacturer honest and protects us from trusting a product that’s just not going to protect us as promised.


Jul 16 2007

You’ve got to appreciate truth in advertising

I use Gmail as my central email repository and usually the spam filters they use are pretty good. But lately they’ve been a little overly aggressive, so I have to comb through to make sure no legitimate email is being caught accidentally. There’s not a lot that’s misidentified, but there’s enough to make it worth the few minutes a day it takes to double-check the spam folder.

I’ve been amazed at some of the subject lines I see, as well as what I see in the preview of the email. There’s no way I’m going to click on any of them to find out what else is in the spam, because it’s just not worth the risk. But I do have to say that my favorite subject line so far is “Thanks for contributing to our financial success”. It’s honest and straightforward even if it is just an attempt to rip off people around the globe.

On a side note, I used to clean out my spam folder every couple of days, but in March I started letting them accumulate and get deleted automatically when they’ve aged 30 days. It’s been interesting watching the number of spams spike and drop. At one point I had gathered nearly 9000 spams in a 30 day period, which works out to an average of 300 spams a day. Personally, that means about 60% of my email is spam, a far lower percentage of spam than most people see. I guess being subscribed to ten or so mailing lists had to have some benefit.

Mine is just a single data point, compared to the millions some anti-spam vendors get to see. But I like having a personal high water mark to compare to what the vendors are reporting. I’m not a spam expert, so it’s interesting to see new spam subjects that companies like F-Secure report. Anyone else out there keep track of the spam they receive for fun?


Jul 10 2007

Using charities to test stolen cards

This makes sense in a twisted way: scammers are using charities to test stolen credit cards. As the post points out, they’re using charities because most banks aren’t going to flag a donation, since it’s something most people only do on special occasions and it’s hard to create a behavioral monitoring program that could catch this as being an unusual activity with any accuracy.


Feb 05 2007

Off to RSA, no laptop today

Published by Martin under Encryption

I made a mistake when I purchased a laptop last year. I went for a desktop replacement when I should have gone for a much smaller system. Or maybe even a MacBook Pro. In any case, my 10 lb. monstrosity is too much to carry around casually, like at the first day of RSA.

I’m seeing Richard Stiennon of Fortinet for lunch, have an afternoon appointment with Commtouch and will be meeting Autumn Haynes, the official RSA web programs manager, after that. We’ll see if anything pops up for tonight. I’ll record what I can for the podcast.

And RSA doesn’t really start getting going until tomorrow.


Feb 05 2007

New tools: Odysseus and Telemachus

Published by Martin under Encryption

I’m still getting used to working with WebScarab, but Odysseus and Telemachus sound like they may be better tools to use when you’re dealing with SSL traffic. I’m no expert when it comes to using web proxies, so I’d be interested in hearing from someone who’s used these tools.


Sep 09 2006

Auditors should use encryption too!

Published by Martin under Encryption

Richard Stiennon really hits the nail on the head with his post suggesting we build the use of encryption into our contracts with auditors. Too many of the breaches that have happened this year were not the fault of the business in question, but were caused by an auditor who needed data but was too ignorant or lazy to protect the data properly.

Obviously, businesses can’t directly protect data that they’re required to share with auditors. Once it leaves the business’s control, they have no guarantees that the data will be properly managed. But by including the necessary controls in a contract, along with penalties for breaching the controls, businesses can make certain auditors understand how important the data is. And make sure auditors understand the consequences if the data is not safeguarded. And putting your laptop in the trunk of your car is not a proper safeguard.


Sep 01 2006

The target was material for phishing attacks

According to the SFGate, the intrusion that AT&T reported earlier this week was not aimed at stealing credit card information, it was aimed at providing the raw data to allow the crackers to perform targeted phishing attacks on a massive scale. By seeding an email with information gathered from AT&T’s database, the phishers can add a level of authenticity that makes even some of the most suspicious people on the Internet accept an email as authentic.

This is just one more reason to never respond directly to any request from a merchant or bank that comes to you in the form of an email. As always, if you think an email alert is real, open a browser window and manually type in your bank’s URL, never click on the link in the email.


Aug 27 2006

Taking notes

Published by Martin under Encryption

I’m off at training today (yes, this SANS training course starts on a Sunday) and I saw this entry on Freenigma for Firefox. I can’t play with it right now myself, but I want to in the near future. If you’ve used it, give me some feedback. They also mention one or two other options for encrypting your webmail, which I’m going to check out too.
