Aug 07 2007
Between Defcon and Linux World, I’m too tired to record a podcast tonight. I got home yesterday at 5:00 pm and had to leave the house to go to San Francisco at 6:00 am, then I got home tonight at 8:00 pm. Is it any wonder I’m tired and grouchy?
I talked to several people about the lack of security topics at Linux World after the earlier blog post and I think I’ve discovered at least one of the reasons. The first time I attended LW was either 2003 or 2004, and security was a big thing at the time. Everyone was talking about Linux and how secure it was as an operating system. At that time the Linux community was having a big battle to prove that they were every bit as secure as Microsoft, and it showed. Every vendor wanted to prove that they had figured out how to secure Linux and that they were better at it than anyone else.
Fast forward to today: it’s fairly well accepted that Linux is at least as secure as Windows out of the box, and with similar amounts of effort, Linux is generally more secure than Windows. There are always exceptions, and with an infinite amount of effort, both OSes can be made completely secure, but overall it’s easier to dig into the internals of Linux and secure it.
So right now, Linux users and Linux enterprises are feeling pretty good about their security. But this business is highly cyclical. Some time in the next few years the security of Linux will be called into question again, either due to Microsoft, a major compromise of the OS or something else unforeseen. And when it happens, security will once again be in the forefront of the minds of the people attending the event. Until then, I guess I’ll have to be satisfied with the few fringe vendors who are directly working in security, rather than the majority who list security as just another feature.
Aug 07 2007
When I signed up for a press pass for Linux World and started talking to the PR folks about who to talk to at the event, I kept stressing the fact that I’m a security professional. I told them I only wanted to talk to people who know security and can talk on the subject intelligently. But most of the vendors I’ve talked to so far have no one who can. I don’t blame the vendors themselves, I blame the PR people who promised me that someone knowledgeable would be available. Of course, like most PR people, they’ve been more interested in just getting their principals in front of a press person rather than getting them in front of the right press.
The other thing I found to be a little interesting is that even amongst the vendors on the floor, security seems to be very sparse. There are a few companies that specialize in security products, but they’re few and far between. Where a few years ago Linux was trying to establish itself as being more secure than Windows, they seem to have reached an uneasy equilibrium, at least in the eyes of the people attending. Everyone is concentrating on virtualization and power consumption and ignoring security altogether. Even some of the companies that have no impact on power seem to find some way to tie themselves into it somehow. Reminds me of NAC at RSA earlier this year.
After coming from Defcon, I feel more than a little let down by Linux World. There are a ton of interesting things going on, but none of them are all that interesting to me. Maybe I’ll feel a little better after a good night’s sleep. The good news is, I’m willing to use the wireless network here!
Jul 16 2007
I use Gmail as my central email repository and usually the spam filters they use are pretty good. But lately they’ve been a little overly aggressive, so I have to comb through to make sure no legitimate email is being caught accidentally. There’s not a lot that’s misidentified, but there’s enough to make it worth the few minutes a day it takes to double-check the spam folder.
I’ve been amazed at some of the subject lines I see, as well as what I see in the preview of the email. There’s no way I’m going to click on any of them to find out what else is in the spam, because it’s just not worth the risk. But I do have to say that my favorite subject line so far is “Thanks for contributing to our financial success”. It’s honest and straightforward even if it is just an attempt to rip off people around the globe.
On a side note, I used to clean out my spam folder every couple of days, but in March I started letting them accumulate and get deleted automatically when they’ve aged 30 days. It’s been interesting watching the number of spams spike and drop. At one point I had gathered nearly 9000 spams in a 30 day period, which works out to an average of 300 spams a day. Personally, that means about 60% of my email is spam, a far lower percentage of spam than most people see. I guess being subscribed to ten or so mailing lists had to have some benefit.
Mine is just a single data point, compared to the millions some anti-spam vendors get to see. But I like having a personal high water mark to compare to what the vendors are reporting. I’m not a spam expert, so it’s interesting to see new spam subjects that companies like F-Secure report. Anyone else out there keep track of the spam they receive for fun?
Aug 29 2006
I’ve been playing with the Nokia 770 for almost 2 weeks now, and while I’m impressed, it does leave a bit to be desired. One issue I’ve run into is that the system gets unstable when you surf to sites with a lot of graphics. Another issue is that the wireless connectivity is a little weak. I like the size, a lot, and I’m hoping to be able to get the system running several wireless testing tools, but one of the tools I’d really like to use, Kismet, is still not ready for prime time. I will admit I’ve really enjoyed using the 770 to wander around the house listening to Radio Paradise.
Linux.com has a more comprehensive review of the 770 that pretty much parallels my own experiences. I’m interested to hear if anyone else out there has had much of a chance to play with the Nokia 770.
Jun 09 2006
What an evil, sneaky, underhanded way to social engineer a business! I like it! This company took twenty USB thumb drives, seeded them liberally with malware and pictures, and left them on the ground outside the credit union they were targeting. People fell for it, and quite frankly I can’t say I blame them. If I found a thumb drive lying around in the parking lot, I’d probably plug it into a system to see who it belonged to myself. Or at least I would have before I read this article.
This was done as part of a penetration test, with the full approval of the company that was attacked. But is it really safe for anyone to assume that any media you find lying around was lost, not placed there on purpose? This really would be a good way to target almost any company you might want to mention. It’s so much safer to always assume a malicious intent and take the proper precautions than it is to assume innocence. This is why I always get so angry when businesses talk about stolen laptops and the thieves not knowing what they have. You have to assume malicious intent and prove that none exists, not the other way around.