Archive for the 'Government' Category

May 13 2008

Interview with Mike Smith, the Guerilla CISO

Published by Martin under Government, Podcast

A few weeks ago I had a chance to have lunch with Mike Smith, author of the Guerilla CISO, in Washington, DC. Mike’s area of expertise is FISMA and he’s an experienced educator in the area. Mike feels about FISMA much like I do about PCI: it’s not perfect, but it’s a heck of a lot better than what came before.

NSP Microcast: Mike Smith, Guerilla CISO (Time: 9:00)


One response so far

Apr 30 2008

Microsoft giving police tools they can get for themselves

Published by Martin under Government, Microsoft

This was looking like it could have been a great story for the conspiracy theorists in all of us: Microsoft is helping law enforcement agencies by giving them USB keys with forensics tools to help with cybercrime investigations. It can ‘decrypt passwords and analyze a computer’s internet activity’, something every good law enforcement agent needs. The Computer Online Forensic Evidence Extractor (Cofee) offers up 150 commands (what do they mean by ‘command’? Is that 150 tools or one tool with 150 commands?) and makes it easier for beleaguered cops to perform an investigation.

A number of people, most notably Mike Masnick, have jumped to the conclusion that this offers some sort of back door to law enforcement. Ed Bott fires back, calling this inflammatory and ranting a bit against the echo chamber that is the blogosphere. I can see why Mike would jump to the conclusion he did, that Microsoft was offering up some special sauce for criminal investigators, but as Ed points out, the tools included on the USB drive are all available elsewhere; MS has just made it easier by putting them on one USB key.

Ed also points out another thing: the bad guys have had USB keys that do most, if not all, of the same things for years. The USB Switchblade works wonders, is freely available and is probably more dangerous than any of the tools in the Cofee suite. I wouldn’t be surprised if some of the more savvy forensics investigators have been carrying USB Switchblades around for a couple of years.

This is the second time in a week, that I know of, that a computer crime story got blown out of proportion. Is it a trend or just a blip in the statistics? All I know is it feels weird to not be on the side being called paranoid.


2 responses so far

Apr 28 2008

We can’t explain ourselves, so we’ll distract you with puppy pictures

Published by Martin under Government

I had high hopes for The Evolution of Security when the TSA first started letting their personnel blog. I was hoping they would be able to explain what, if any, impact the policies currently in place at airports have. I expected to see enlightening posts about how taking off our shoes not only represents a tiny inconvenience but makes us measurably more secure. I wanted something other than cute puppies.

Okay, they are cute. And the article does explain a little about what the puppies will be used for. But the main thrust of the post is about how cute the puppies are and how you can adopt one if you live in the San Antonio area (or in prison). Definitely makes me feel safer when I’m flying the annoying skies.

I flew to DC and back last week and I’ve learned how to get through the lines in the least amount of time, barring the use of a Clear card. I wear slip-on dress shoes, I leave my keys in my carry-on bag and I leave the knives at home on the dresser. I never take my toiletry bag out of my luggage, I’ve never used a 1-quart bag for liquids and I’ve accidentally slipped a knife through over a dozen x-ray machines before it was ever found. So tell me how these security measures, which I bypass on almost every flight, make me safer?

I know there’s a fine line between revealing enough to make cynics like me happy and telling so much that the bad guys are able to come up with countermeasures. But the reality is, someone who’s a bad guy is probably taking a lot more time to examine airport security measures than I am and could come up with a dozen other easy-to-bypass security measures. As a flight attendant told me last week, if a bad guy really wanted to attack planes, the real security weakness is the flight crew and other personnel, not the passengers. They’re the ones who have nearly unlimited access to the planes.

Don’t even get me started on ‘passenger engagement’. Everyone flying is stressed, so a process that relies on the average TSA agent observing stress factors is just ludicrous. How do you tell someone who’s stressed because they’re carrying a bomb from someone who’s stressed because the TSA wants them to try their own baby food?


No responses yet

Mar 19 2008

Sequoia voting machines can’t do simple addition

Published by Martin under Government

It’s no secret that I’ve never been a big fan of electronic voting machines. The fact that none of the manufacturers have been anything approaching transparent about how these machines can be audited and verified is just one of the many issues with them. Now it appears that the Sequoia machines that were used in the New Jersey primary elections can’t even do simple addition. 1+13+40+3+4=61, as Ed Felten points out. This isn’t higher math, it’s simple addition my six-year-old can do.

And to add insult to injury, Sequoia’s legal counsel is threatening to sue Professor Felten if he releases any information he gains by looking at Sequoia’s machines. Citing things like trade secrets and licensing agreements, the hope is that the Prof will buckle under rather than show how poorly designed Sequoia’s e-voting machines are. This guy must not have done much research, otherwise he’d know that this tack would never work and will in fact evoke the Streisand Effect as bloggers around the country get the story into their hot little hands.

We can’t let something as important as our voting infrastructure be a ‘trade secret’. It’s not just Sequoia; Diebold and the other e-voting machine manufacturers have all had their fair share of mistakes over the years. The whole process these companies go through to create the voting machines is deeply flawed, and the security and integrity of the process is an afterthought, if it’s even being thought of at all. No number of lawsuits is going to fix that.

Here’s a humorous little video concerning how insecure these machines really are: “Diebold Accidentally Leaks Results Of 2008 Election Early”.


4 responses so far

Feb 15 2008

Our government loves us!

Published by Martin under Government, Humor

I’ve been staying away from the topic of the abuse of the FISA courts, illegal wiretapping and the Republican cries of “if you don’t pass this law, you’re supporting terrorism”, but this video sums it up so well. Making the Executive Branch of government answerable to the Judiciary branch isn’t supporting terrorism, it’s supporting our civil liberties, something we haven’t seen much of in the last 6 years. You owe it to yourself to watch this video, if only for the laughs.


No responses yet

Jan 12 2008

I’m hoping they don’t find anything

Published by Martin under Government

Contenders in both the Republican and Democratic parties are asking for a manual recount of the ballots in the New Hampshire state primary. While there has been no evidence of foul play at this point, there were discrepancies between districts that originally counted votes by hand and those that used Diebold scanning machines to count the vote. There’s at least one theory that explains the difference, but this needs to be investigated to preserve confidence in the voting system.

I’ve never liked Diebold or any of the voting systems, mostly because they’ve all been very resistant to allowing testing of their systems. We have to take the companies’ word that their systems are secure, going against the basic security tenet of ‘trust but verify’. At least in the case of New Hampshire, we’re talking about a state that has mandated paper trails, so we have a secondary trail to follow in the recount. Such a discrepancy will be much harder to audit and prove or disprove when we start moving into counties that allow for a purely digital voting system. Yes, there’s hashing and other means of digital certification, but if someone can get access to a machine, those are going to be suspect at best. And it’s been proven multiple times that getting physical access to an e-voting machine isn’t all that hard.

On one hand, I don’t want this recount to turn up any major flaws, since we can’t afford that kind of chaos going into a Presidential election. Proof that a major electronic voting machine line was compromised would put a huge strain on many counties as they scrambled to find another way to hold elections. But if no errors are found, I also don’t want Diebold holding up this incident as proof that their systems are secure. All the recount would prove is that Diebold security was good enough this time. When I used to be licensed to sell mutual funds, we had a phrase we had to tell customers: “Past performance is no indicator of future value.” The same could be said of electronic voting machine security.


No responses yet

Aug 09 2007

Some of my worst nightmares coming true

Published by Martin under Government, Privacy

Susan Landau wrote an article for the Washington Post explaining why Congress giving the NSA the right to tap phone conversations without a FISA warrant is such a bad idea. To boil it down, in order to tap phone conversations between people outside the US and people in the US, the NSA would need to have standing taps in nearly every single phone interchange throughout the United States. And as the Greek government has already learned the hard way, any surveillance technology that can be used by the government can potentially be used against the government.

Especially after attending Black Hat and Defcon, I’m under no illusions that such a system can’t be compromised. It may only be for a few minutes at a time, as in several of the examples cited by Susan, or it may go on for years, as happened to the Greek government. And the potential for the same system to be misused by the NSA and other law enforcement agencies (can you say FBI?) is almost as scary; our democracy only works as well as it does because each of the branches has oversight from the other branches. Without even the tenable controls of the Foreign Intelligence Surveillance Act in place, abuses could be rampant in the system and no one would ever know.

I know there’s a good possibility that a certain analyst friend of mine is going to call me “Captain Privacy” again over this post, but this really is a scary proposition. Such a system will be abused. The question is, are the risks worth the potential abuse? I don’t think they are. I think it’s already been proven that the federal government can’t be trusted to act without oversight. But Congress seems to think the NSA will act responsibly with their power. I just don’t want to be part of the group that’s going to have to become an example to prove them wrong.

By the way, am I the only one who’s noticed that Bruce Schneier usually only writes one or two sentences and includes large blocks of quotes in many of his blog posts lately?  It’s a blog, so that’s okay, but he used to write so much more.



5 responses so far

Jul 16 2007

You’ve got to appreciate truth in advertising

I use Gmail as my central email repository and usually the spam filters they use are pretty good. But lately they’ve been a little overly aggressive, so I have to comb through to make sure no legitimate email is being caught accidentally. There’s not a lot that’s misidentified, but there’s enough to make it worth the few minutes a day it takes to double-check the spam folder.

I’ve been amazed at some of the subject lines I see, as well as what I see in the preview of the email. There’s no way I’m going to click on any of them to find out what else is in the spam, because it’s just not worth the risk. But I do have to say that my favorite subject line so far is “Thanks for contributing to our financial success”. It’s honest and straightforward, even if it is just an attempt to rip off people around the globe.

On a side note, I used to clean out my spam folder every couple of days, but in March I started letting them accumulate and get deleted automatically when they’ve aged 30 days. It’s been interesting watching the number of spams spike and drop. At one point I had gathered nearly 9000 spams in a 30 day period, which works out to an average of 300 spams a day. For me, that means about 60% of my email is spam, a far lower percentage of spam than most people see. I guess being subscribed to ten or so mailing lists had to have some benefit.

Mine is just a single data point, compared to the millions some anti-spam vendors get to see. But I like having a personal high water mark to compare to what the vendors are reporting. I’m not a spam expert, so it’s interesting to see the new spam subjects that companies like F-Secure report. Anyone else out there keep track of the spam they receive for fun?



4 responses so far

Jul 10 2007

Using charities to test stolen cards

This makes sense in a twisted way: scammers are using charities to test stolen credit cards. As the post points out, they’re using charities because most banks aren’t going to flag a donation, since it’s something most people only do on special occasions, and it’s hard to create a behavioral monitoring program that could catch this as unusual activity with any accuracy.


No responses yet

Jun 06 2007

Congratulations to Ms. Amero

Published by Martin under Government, Malware, Privacy

Do you remember Julie Amero, the substitute teacher who got convicted of felony charges because she couldn’t stop pornographic pop-ups from malware infecting the school desktop? Today a judge ordered a retrial for her, stating that there was information discovered after the fact that directly impacts her case. I’ll be very surprised if she gets convicted of anything in her new trial. It actually looks to me like the State now has the option to not pursue this any further, which might be in their best interest.

I’m not a forensics investigator, but it sounds like the initial investigators made almost every mistake in the book during the process and that her first lawyer barely knew enough about the technology to use email. Everything I’m reading says this case probably shouldn’t have even gone to court. Little things like keeping anti-virus and patches up to date also help a little in preventing this from ever happening. I’m glad people like Alex Eckelberry are helping to straighten this out.

Added: A good summary and some good links over at Threat Level.



2 responses so far
