Archive for the 'Firewall' Category

Jun 09 2006

I need some cheap USB thumb drives!

What an evil, sneaky, underhanded way to social engineer a business!  I like it!  This company took twenty USB thumb drives, seeded them liberally with malware and pictures, and left them on the ground outside the credit union they were targeting.   People fell for it, and quite frankly I can’t say I blame them.  If I found a thumb drive lying around in the parking lot, I’d probably plug it into a system to see who it belonged to myself.  Or at least I would have before I read this article. 

This was done as part of a penetration test, with the full approval of the company that was attacked.  But is it really safe for anyone to assume that any media you find lying around was lost, not placed there on purpose?  This really would be a good way to target almost any company you might want to mention.  It’s so much safer to always assume a malicious intent and take the proper precautions than it is to assume innocence.  This is why I always get so angry when businesses talk about stolen laptops and the thieves not knowing what they have.  You have to assume malicious intent and prove that none exists, not the other way around.


No responses yet

May 25 2006

Quoted for an article on SearchSecurity

Comments I made on my ComputerWorld blog were quoted today in an article on SearchSecurity about the Black Frog/Okopipi project.  After talking to one or two members of the project, I think I oversimplified the challenges Okopipi will be facing, but I’m still dubious about the project.  It’s something that’s going to have to be handled with great care, and I’m not sure an open source project is the way to go.  Every unsubscribe link is going to have to be verified by a real person, not just a program, and I still see several ways spammers could turn this project to evil.  I don’t think this is reason enough not to at least try, but I don’t believe I’ll be participating in a distributed, P2P anti-spam solution any time soon.


No responses yet

May 17 2006

Blue Security closing down

It looks like the spammers have won the battle against Blue Security.  The company is closing down their service, having realized that their solution to spam isn’t going to do much more than create an ever-escalating war with the spammers.  I didn’t think an active, attack-back technology like Blue Security ever had much of a chance of being effective, but I’m still a little saddened to see them have to shut down the service.  On the other hand, give it a year or two and I’m sure some other company will try almost exactly the same thing. 


One response so far

Apr 17 2006

Fighting phishing by sending false images

Mikko at F-Secure had a good idea for fighting phishing.  A significant number of phishing sites aren’t hosting the images they use; they’re directing the browser to download the real image from the bank they’re imitating.  So what if the banks added some relatively simple code to instruct the web server to send an alternative image if they received a significant number of referrals to the original image?  Using Mikko’s idea, the bank’s alternative image would include a stamp that would make it clear that the referring site was illegitimate and give the consumer a phone number to call.  The idea could be circumvented by smart phishers, but it would add one more hoop they’d have to jump through.  Even if it only stops the lazy phishers, that’s a couple more percent of the total scams that wouldn’t work. 
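A sketch of the server-side decision described above, as an added example that is not from the original post or from F-Secure. The host names, threshold and image file names are assumptions chosen for illustration.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Hypothetical values: the bank's own hosts, the referral threshold and the
# two image names are assumptions for this sketch.
OWN_HOSTS = {"www.examplebank.test", "examplebank.test"}
THRESHOLD = 3                       # off-site referrals before the stamp is served
REAL_IMAGE = "logo.png"
WARNING_IMAGE = "logo-warning.png"  # stamped "this is not our site, call us"


class HotlinkGuard:
    """Pick which image to serve based on the request's Referer header."""

    def __init__(self, own_hosts=OWN_HOSTS, threshold=THRESHOLD):
        self.own_hosts = {h.lower() for h in own_hosts}
        self.threshold = threshold
        self.offsite_hits = defaultdict(int)   # referring host -> request count

    @staticmethod
    def referring_host(referer):
        # urlparse lower-cases the hostname; junk or missing headers give None.
        if not referer:
            return None
        return urlparse(referer).hostname

    def choose_image(self, referer):
        host = self.referring_host(referer)
        # No Referer (direct load, privacy proxy) or our own pages: real image.
        if host is None or host in self.own_hosts:
            return REAL_IMAGE
        # Exact host comparison, so a look-alike name that merely starts with
        # the bank's domain is still counted as an outside site.
        self.offsite_hits[host] += 1
        if self.offsite_hits[host] >= self.threshold:
            return WARNING_IMAGE
        return REAL_IMAGE
```

The per-host counters also give the bank a list of referring sites to review, which is useful even before the threshold is reached.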


No responses yet

Feb 27 2006

Stopping SSH attacks

Published by under Firewall

One of the hazards of having an SSH server running on the standard port (22 for the less geeky) is the number of brute force attempts seen on a daily basis.  Not too many days go by that I don’t see several hundred attempts from some host or another.  I’ve been worried about this for a while and thanks to the guys at the Cyberspeak podcast, I may finally have my solution:  DenyHosts.  I haven’t installed it yet, but it looks pretty easy to configure.  If you’ve tried it, let me know about any issues you encountered.
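To make the log-watching approach concrete, here is an added example (not DenyHosts code and not from the original post) that counts failed sshd logins per source address and emits TCP-wrappers style deny entries. The log lines are constructed samples using documentation-range addresses, and the threshold and allowlist parameters are assumptions.

```python
import re
from collections import Counter

# Constructed sample of sshd auth-log lines; not taken from a real system.
SAMPLE_LOG = """\
Feb 27 03:14:01 gw sshd[411]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Feb 27 03:14:03 gw sshd[413]: Failed password for root from 203.0.113.5 port 40130 ssh2
Feb 27 03:14:05 gw sshd[415]: Failed password for invalid user test from 203.0.113.5 port 40141 ssh2
Feb 27 08:02:11 gw sshd[502]: Failed password for alice from 198.51.100.7 port 51515 ssh2
Feb 27 08:02:19 gw sshd[502]: Accepted password for alice from 198.51.100.7 port 51515 ssh2
Feb 27 09:40:00 gw sshd[611]: Failed password for invalid user x from 192.0.2.9 from 203.0.113.5 port 40200 ssh2
"""

# The user name is supplied by the remote side, so the source address is taken
# from the fixed tail of the line ("from <ip> port <n> ssh2"), never from the
# first "from" that happens to appear.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?.* "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def count_failures(log_text):
    """Return a Counter of failed-login attempts keyed by source address."""
    failures = Counter()
    for line in log_text.splitlines():
        match = FAILED.search(line)
        if match:
            failures[match.group(1)] += 1
    return failures


def hosts_to_deny(log_text, threshold=3, allowlist=()):
    """Addresses at or over the threshold, skipping any you must never block."""
    failures = count_failures(log_text)
    return sorted(ip for ip, n in failures.items()
                  if n >= threshold and ip not in allowlist)


def deny_entries(ips):
    """Format addresses as hosts.deny style lines for the sshd service."""
    return [f"sshd: {ip}" for ip in ips]
```

A single mistyped password from a legitimate user, like the 198.51.100.7 line here, stays under the threshold, and the allowlist keeps an administrator's own address from being locked out.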
 


2 responses so far

Dec 27 2005

Drop packets at the firewall

Published by under Firewall

I completely agree with Donald Smith at the Internet Storm Center; it’s better to drop packets at the firewall rather than reject them.  Donald lists three reasons, and I’m not sure if he is prioritizing them or not, but I feel that preventing reverse mapping is the primary reason to drop by default.  Limiting information disclosure to the bad guys is one of the first layers of network security.  It’s not quite ‘security through obscurity’ but it is related.


No responses yet

Nov 27 2005

Why would anyone leave port 3372 open?

A Proof of Concept (PoC) exploit has been released targeting Microsoft patch MS05-051. This exploit targets the MSDTC service and may enable remote code execution. So far there doesn’t appear to be a virus or worm taking advantage of this exploit, but I’m sure there will be in the next couple of days.

What I have to wonder is why anyone would have port 3372 open to the outside world? There aren’t any services running on this port that a sane systems administrator would want exposed to the outside world. I guess that once again, it’s going to be the sort of user who hooks their computer directly to the Internet and can barely spell firewall that is going to allow this exploit to be used in the wild. Did you help protect your family’s computers over the weekend like I suggested?


No responses yet

May 24 2005

And I thought I was paranoid

Published by under Firewall

TheKCRAChannel.com – News – South Natomas Home Covered With Sheet Metal

Wow, just wow. Someone needs to take their happy pills.


Comments Off

Mar 31 2005

Another reason to choose Sonic

Published by under Firewall

MOTD Archives (Sonic.net, Inc.)

Once again, I’m glad to be using an ISP that’s willing to take some steps to combat spam and systems abuse. Sonic.net just announced that they will be firewalling any system using high speed DSL. By default, they will be blocking common exploitable ports and port 25. I’ll have to look at the list and see what else qualifies.

Sonic is also offering complete firewalling, which I assume means you have to enable ports on an individual basis, and just firewalling port 25. I think this is a tremendous service to offer customers. For the people out there who have the technical skills to run their own mail servers, Sonic offers static IP addresses with no firewalling, which is what I’m opting for. It’s going to take actions like this from ISPs everywhere to stem the tide of spam.

I’m very glad to see Sonic take these steps to protect their users, and I hope other ISPs take note. As one of the largest independent (largest?) ISPs, I hope Sonic is a group the corporate ISPs are willing to learn from. Are you listening, AOL?


Comments Off

Feb 24 2005

Windows Firewall issues

Published by under Firewall

Windows Firewall Has A Backdoor

The title of this article is misleading. The author states that the Windows Firewall allows programs to add themselves to the Windows Internet Connection Firewall Exception list without the user’s knowledge if they are logged in as administrator (been playing with *nix systems a lot lately, almost said ‘root’). This can be done by a program without any interaction from the user.

This is a bad design, and no program should be allowed to add itself to the exception list without user intervention, but I would hardly call this a ‘backdoor’ as the author has. It’s also one of the weaknesses of having a personal firewall that’s integrated with your OS. I’ll go on the record to say that I’d rather have the Windows Firewall on someone’s system than no firewall at all. But I’d rather see a third-party firewall with a lot more robust security than what Microsoft is currently offering.

The other issue is logging into your Windows machine and running programs as administrator. I do it, most systems administrators do it, but it’s a habit we should try to break. The number of times I really need administrator access is few and far between. It’s a bad habit a lot of us need to break.


2 responses so far
