Archive for the 'Humor' Category

May 15 2008

The Debian random number generator

Published by Martin under Humor

http://img502.imageshack.us/img502/2996/pmeo9hcjp7aw9.jpg

Ouch! That hurts, and I don’t even run Debian. Thanks, Stepto.


2 responses so far

Apr 16 2008

A blast from the past

Published by Martin under Humor

I sometimes tell people I was one of the first four or five security bloggers, which to the best of my knowledge is true. Richard Bejtlich, Dana Epp and Bruce Schneier all predate me, though Bruce Schneier didn’t start calling his writing a blog until later. If there are others who started before August 2003, I’d like to know about them, especially if they’re still blogging. In any case, after my post this morning, I did something I hadn’t done in quite a while, a Google ego search; you know, when you type in your own name to see what comes up. I was more than a little surprised when a page I last updated in November of 2002 came up. I’d actually created the page by hand-coding the HTML close to a year before that. And yes, I’ve been using the same ISP for nearly a decade and still have files from my CCNA courses on the server, though that’ll be a post for some other day.

I have since let my CCNA lapse, I never did get my OCA, I’m going on six years as a CISSP and you can still reach me at martin_at_mckeay.net. The Windows 2000 services: Disabling Non-Essential Services paper is no longer there, but I think I have a copy floating around somewhere. I don’t know yet how many of the links on that page still work; be careful clicking on them since some now lead to placeholders. There’s some script on the site that I should probably disable, since it led to a basic RSS reader and I don’t think the company that hosted it is even in existence any more. I’m still not a web designer; I freely admit to using someone else’s templates since they’re much more appealing than anything I could come up with on my own. And I’m still paranoid; some things don’t change no matter how much time passes.

Update: We have a winner! Augusto Paes de Barros has been blogging since January 27th, 2003. Though it’s in Portuguese and I can’t understand more than one word in ten. Augusto is now writing in English as well as Portuguese, so he definitely has me beat.


6 responses so far

Mar 20 2008

The Good, the bad and the ugly: WordPress, Scribefire and Wireshark

Published by Martin under Encryption, Humor, Site Configuration

As a security professional, I have a number of things I consider bad habits. One of these is that I let Firefox remember many of my passwords for me, at least when it comes to my low security sites. And for better or for worse I consider the blog one of the low risk sites, therefore I let Firefox keep the password for me and just know that I can log in with a click of the button. Until tonight that is; I upgraded to Firefox 3 beta 4 and for whatever reason, it lost the password to the blog.

At first, I didn’t think this was a big deal; after all I was pretty sure I remembered the password. But after trying the password I thought it was and half a dozen of my other passwords I use on low risk sites, none of them worked. I figured that was not a big deal either, since I could just use the reset password function to … well, reset my password. But that module told me I had a valid account name but an invalid e-mail address. This made me panic a little because I know that I sometimes get a little tricky with my email addresses and add a few descriptive characters then redirect to my active email address once the email hits my mail server. None of the standard email addresses worked, neither did some of the non-standards, and eventually I exceeded the allowed attempts.

That’s when I remembered the one other place I knew I had the password stored, Scribefire. I have been using Scribefire in one form or another for several years now, and in fact I’m writing this posting in it. It’s a great tool for WYSIWYG editing and life would be harder without it. One of the things they’ve done right is to make sure that you can’t recover the user name or password from inside Scribefire, a security measure I appreciate. Or usually appreciate, that is.

That’s when I remembered that for all the things WordPress does right, the login is done over plain vanilla http. There’s no encryption, no use of SSL, nothing. And since Scribefire has to log into WordPress to do some of the magic it does, that means the user name and password would be flowing across the ethernet cable in plain text. I had an older version of Ethereal, now Wireshark, on my system, fired that up, played with Scribefire for a couple of moments and examined the capture. Sure as snot, there was my user name and password, plain as day. Turns out I’d had the proper password, but I’d forgotten a character that’s supposed to be capitalized in the user name. D’ooh.

The real lesson here is not that you shouldn’t rely on your browser to remember your password. Okay, that is a lesson, but it’s not the real lesson. The real lesson is that all too often, our passwords, user names and other sensitive information are flowing across the network unencrypted. It’s open for anyone with a little bit of curiosity. They just need one of the first tools any aspiring security pro or hacker learns to use, a sniffer. In properly switched and segmented networks, this may not be a problem, but there are probably more poorly set up networks than properly configured ones. And I don’t want to rely on the work of a network administrator I don’t know to keep me safe; I want my programs to do it themselves. I’m currently looking at Login Encrypt as a WordPress plugin to solve the problem, but I’m going to keep looking before I bite on this one. But this only solves the problem in WordPress; what about all of the other sites I use that allow unencrypted login?
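The kind of check that turns the post's Wireshark discovery into a routine defensive test: scan captured HTTP payloads for login forms posted to a non-TLS port and report the exposure without recording the password value. This is an added example, not code from the post or from WordPress; the field names `log` and `pwd` are the ones WordPress's wp-login.php form uses, and the packet list is a constructed stand-in for what a capture tool would show.

```python
from urllib.parse import parse_qs

# Password field names seen in common login forms; WordPress's wp-login.php uses "pwd".
CREDENTIAL_FIELDS = {"pwd", "password", "passwd", "pass"}
TLS_PORTS = {443}

def parse_http_request(payload: bytes):
    """Split a raw HTTP request into (method, path, headers, body); None if not HTTP."""
    try:
        head, _, body = payload.partition(b"\r\n\r\n")
        request_line, *header_lines = head.decode("latin-1").split("\r\n")
        method, path, version = request_line.split(" ", 2)
    except ValueError:
        return None
    if not version.startswith("HTTP/"):
        return None
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body.decode("latin-1")

def find_cleartext_logins(packets):
    """One finding per POST that sends a credential field to a non-TLS port (values redacted)."""
    findings = []
    for dst_port, payload in packets:
        if dst_port in TLS_PORTS:
            continue  # encrypted transport; the body is not readable here anyway
        req = parse_http_request(payload)
        if req is None or req[0] != "POST":
            continue
        _, path, headers, body = req
        if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
            continue
        fields = parse_qs(body, keep_blank_values=True)
        exposed = sorted(f for f in fields if f.lower() in CREDENTIAL_FIELDS)
        if exposed:  # report which fields leaked and for whom, never the secret itself
            findings.append({"host": headers.get("host", "?"), "path": path,
                             "username": fields.get("log", ["?"])[0], "fields": exposed})
    return findings

# Constructed sample: a WordPress login POST on port 80, a TLS record on 443, a plain GET.
SAMPLE_PACKETS = [
    (80, b"POST /wp-login.php HTTP/1.1\r\nHost: blog.example\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
         b"log=Martin&pwd=hunter2&wp-submit=Log+In"),
    (443, b"\x16\x03\x01\x00\x2f"),  # start of a TLS handshake; not HTTP
    (80, b"GET /index.php HTTP/1.1\r\nHost: blog.example\r\n\r\n"),
]
```

Run against a real capture by feeding it (destination port, TCP payload) pairs exported from Wireshark; a single finding is enough to show the login path needs SSL.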


2 responses so far

Feb 15 2008

Our government loves us!

Published by Martin under Government, Humor

I’ve been staying away from the topic of the abuse of the FISA courts, illegal wiretapping and the Republican cries of “if you don’t pass this law, you’re supporting terrorism”, but this video sums it up so well.  Making the Executive Branch of government answerable to the Judiciary branch isn’t supporting terrorism, it’s supporting our civil liberties, something we haven’t seen much of in the last 6 years.   You owe it to yourself to watch this video, if only for the laughs.


No responses yet

Feb 07 2008

The real explanation!

Published by Martin under Humor

Thanks for pointing this out to me Kees! I’m sure Bruce Schneier will love this one. What is it with him and squid anyways? And yes, I know this is an octopus, not a squid.


No responses yet

Jan 30 2008

Google Street, taken to the extreme

Published by Martin under Humor, Privacy

I’ll have to show my friend John this one and hope he doesn’t bring the Google car back around for a more in-depth picture-taking experience. Of course, the post linking to pictures of John with the Googlemobile was one of those I lost, so here are the pictures (1, 2, 3). If this doesn’t make you think twice about your privacy, nothing will.


One response so far

Jan 18 2008

Dude, I’m telling your mom!

Published by Martin under Hacking, Humor

I don’t know if this is fact or fiction, but haven’t we all wanted to sic some hacker’s mother on him? “Wait until your father gets home!”


One response so far

Jul 30 2007

No, that’s never happened to me

Published by Martin under Humor

Okay, that might be a slight fib.  I think at one point or another we’ve all sent some sensitive piece of information to the wrong list from our email client of choice.  Or seen our senior management do something like send salary information to the whole company.  No, that never happens.


One response so far

Jul 16 2007

You’ve got to appreciate truth in advertising

I use Gmail as my central email repository and usually the spam filters they use are pretty good.  But lately they’ve been a little overly aggressive, so I have to comb through to make sure no legitimate email is being caught accidentally.  There’s not a lot that’s misidentified, but there’s enough to make it worth the few minutes a day it takes to double-check the spam folder.

I’ve been amazed at some of the subject lines I see, as well as what I see in the preview of the email. There’s no way I’m going to click on any of them to find out what else is in the spam, because it’s just not worth the risk. But I do have to say that my favorite subject line so far is “Thanks for contributing to our financial success”. It’s honest and straightforward even if it is just an attempt to rip off people around the globe.

On a side note, I used to clean out my spam folder every couple of days, but in March I started letting them accumulate and get deleted automatically when they’ve aged 30 days.  It’s been interesting watching the number of spams spike and drop.  At one point I had gathered nearly 9000 spams in a 30 day period, which works out to an average of 300 spams a day.   Personally, that means about 60% of my email is spam, a far lower percentage of spam than most people see.  I guess being subscribed to ten or so mailing lists had to have some benefit.

Mine is just a single data point, compared to the millions some anti-spam vendors get to see. But I like having a personal high water mark to compare to what the vendors are reporting. I’m not a spam expert, so it’s interesting to see new spam subjects that companies like F-Secure report. Anyone else out there keep track of the spam they receive for fun?


4 responses so far

Jul 11 2007

The Disgusting Machine

Published by Martin under Humor

In May, when I took the kids to the Maker Faire, one of the weirdest things we saw and wanted to share with you was a giant, kid-powered nose-picking contraption. The kids climbed into a giant hamster wheel of doom that powers the hand of the giant. I realize this has nothing to do with security, but it sure was cool in a kind of disgusting way. And it’s amazing to see what people will make when they have a little spare time.

Both of the boys loved this thing, and I think they may have loved watching the video of them on this nearly as much as they did playing on it originally.


No responses yet
