Archive for the 'Linux' Category

Jan 10 2013

Morning Reading 011013

Published by under Hacking,Linux,Malware,Risk

It’s been an interesting week and start to the year.  Between the Ruby on Rails vulnerability and the Java zero day released today, we have some serious patching issues on our plates.  And if history is any indicator of future performance, the security technorati are already in the process of patching, which only leaves the other 98% of the population to get patched.  I’ve also had some interesting talks with folks about the idea of honey tokens, honey nets and other detective measures for the network.  On to the stories …

  • I’ve been saying for a couple years now that we need to change the way we think about security from the foundations up.  Apparently Art Coviello agrees and says we need to move to an intelligence-driven security model.  A lot of other professionals believe we need to rethink security architecture as well, according to Tim Wilson over at Dark Reading.  Always challenge the assumptions the leaders of the last generation made, especially in a profession as young as security.
  • The topic of honey tokens and all other things ‘honey’ started in part due to a lot of discussion around ‘offensive security models’.  The Washington Post has an article on salting databases with fake data, which if done right is exactly what a honey token is.  CSO Online says that deception is better than a counterattack; I don’t know if it’s ‘better’ but it’s something that you should be doing whether you’re considering offensive tactics or not.  And a fun new little tool to do some of this has been released, called HoneyDrive.  It’s a collection of tools on a VM, which is always a good toy to play with.
  • Continuing on the theme of Monday’s post, Computerworld has an article on how to talk about security to everyone else.  I’m sure we’ll be talking about this again, since it’s one of the basics we seem to have a hard time with.
  • And finally, Cyber attack timelines from the second half of December.  There are a few errors in the dates here, but I only know that because of my day job.  Let’s just say that there have only been two waves of QCF attacks so far, and that they started a little earlier than is being represented.  But overall, this is good data to keep aware of, especially with the recent rise in attacks.

And finally, for something completely different, a Linux-powered sniper rifle.  I’m sorry, ‘hunting rifle’.


Nov 20 2012

Network Security Podcast, Episode 297

It’s Rich that’s out this holiday week, so Martin and Zach talk turkey (no pun intended) about Skype SNAFUs, LTE going all a-splode-y, and a Linux rootkit that will make you go “That’s…neat…?”

Happy Thanksgiving!

Network Security Podcast, Episode 297, November 20, 2012

Time: 31:00

Show notes:


Apr 17 2011

Cloud experiment: Minecraft

Published by under Cloud,Family,Linux

I have two young boys who are addicted to Minecraft.  They wake up in the morning, log onto a Minecraft server, play as long as we’ll let them and then get back onto the servers as soon as we’ll let them.  I was a little concerned at first because I really didn’t know much about the game, but I discovered I had several adult friends in the security community who were also playing the game, so I was willing to let the boys play on a system a friend runs.  I don’t know about you, but it makes me feel a lot better about letting my kids play online when I know I can contact the administrator with a quick phone call or email.

Playing on someone else’s server is fun for the boys, but since Minecraft is a game of mining resources and constructing almost anything you can imagine, an eventual request came to build the boys their own server.  Minecraft isn’t very resource intensive, it’s a Java based program that runs pretty decently on a low end server, at least if you only have two or three people using the server at a time.  Since, like most geeks, I have several computers that are running 24/7 and have some spare memory, I was able to throw up our own home Minecraft server without too many problems.  And as Minecraft has matured and added plugins, I could give the boys additional capabilities and superuser access so they can give themselves whatever resources they want to build anything they want.  This kept them happy for a little while and gave me something to hold over their heads to get their homework done.  It’s a lot easier to deny them access to the server when you can shut it down in a couple of seconds.

The next step came when the boys told their cousin about Minecraft and he started playing as well.  It’s a community game and they often play together on public servers, but the lure of having superuser accounts and just having control of their environment with their cousin was strong.  So the continuing plea of “Dad, can we make our Minecraft server public?” started.  With the continued reply of “No.” to go with it.  They tried several tactics, such as explaining the whitelisting and blacklisting capabilities of Minecraft, offering their cousin’s server instead if I’d tell them how to make it public, as well as several other plans that only a pre-teen could come up with.  All of which were still denied.

It’s not that I don’t want my sons to have their own Minecraft server, it’s just that the security of my home network is more important to me than them playing a game that necessitates poking a hole in my network to the outside world.  I’m a security professional and I know that despite that, I don’t know enough to lock down any program with 100% certainty once I’ve opened it up to the Internet.  I do not currently allow any services to be served to the Internet from my home network and I have no intentions of changing that in the near future.  I’ve also had several discussions that led me to believe that while Minecraft doesn’t have any currently known publicly exploitable vulnerabilities, security is not a major concern of the developers and it’s only a matter of time before someone turns their full attention to rectifying the lack of exploits.  Especially considering how popular Minecraft has become.

I’m the kind of father who wants to give his kids as many geek toys as he can, first to test my own abilities and second to give them something to stretch their own capabilities.  Or perhaps it’s the other way around.  In either case, I wanted to give my kids what they wanted, a publicly accessible Minecraft server that was not part of my home network and did not put any of my resources at risk, however minor.  Which is when I realized I had a technology I’ve been meaning to learn more about and was just looking for an excuse to play with:  the Cloud!  I’ve been remiss in my duties as a geek and security professional in that I’d been reading about Cloud technologies, I’ve been listening to what others have to say and I’ve even given a talk about PCI in the Cloud, but I’d never actually signed up for a cloud service and created my own server because I didn’t have a real use for one.  Setting up a Minecraft server on Amazon’s EC2 this weekend became the perfect solution to both issues, giving the boys a Minecraft server that I didn’t care who connected to and giving me a chance to stretch a little and learn more about the technology that is on everyone’s lips this year (and probably the next several).

I’ll be honest, one of the things that made this easy is that I found a step-by-step guide to creating a Minecraft server on the Minecraft forums.  I’m including a copy of the guide in the extended post because I don’t want to take the chance of losing the information if something happens on the forums, an old habit of mine.  I’ll add a few of my own notes to it as well.  This was a huge help and probably cut my installation time by 3/4.

Signing up for all the Amazon Web Services was easy and only took about 30 minutes.  I needed to sign up for these in any case for another project, but that’s someone else’s tale to tell when he’s ready.  From that point on, the guide was spot on.  I don’t think it was more than 30 minutes later that I had the boys’ personal Minecraft server up and running.  As suggested, I chose a small, spot request instance of the default Linux installation, reserved an Elastic IP address, associated it and the server was up and running.  I performed a few additional steps, like installing Bukkit and half a dozen plugins that the boys requested.  Most of it was as easy as using wget to pull first Bukkit and then the plugins and restarting the server.  I did have one minor problem in that one of the plugins was being hosted on a server using HTTPS and I had to modify the wget parameters, but that’s relatively minor to overcome.

I’ve been running our Minecraft server on Amazon’s EC2 for about 24 hours now.  I made it clear to the boys that this server is only going to be up on evenings and weekends, which turns out to be a good thing.  It’s not a huge cost, but in the past day this installation of Minecraft has cost me approximately $1.50 to run at a fairly low load, which could quickly add up to $40-50 or more per month.  If there were more people using it, if their cousin actually had a full Minecraft account and could play with them, and if I didn’t already have a Minecraft server running on the home network, I might be willing to pay that, but for the most part they’re going to have to live with the server only being available when I say it is.  I’m not an authoritarian … wait, no scratch that.  When it comes to my kids, yes, I am the authorities and my wife lets me say so.

All in all, this was a worthwhile project; it gave me some experience with the Cloud and specifically AWS.  I walked the kids through some sections of the installation, which taught us all a few lessons.  They get a Minecraft server they can share with their cousin and friends, without my having to open my network or pay an arm and a leg.  But I am realizing that it’s important to watch your Cloud instances or you’re going to end up paying a lot more than you thought very quickly.


Aug 24 2008

Fedora Live USB Creator

Published by under Linux,Malware

I’ve had this article flagged on Lifehacker for over 4 months, waiting for the right time to use it. When a friend brought over his computer for repair, I took one look at the running system and realized it needed to be rebuilt from scratch. His hardware’s good, but the OS is infected beyond trusting. I’m hoping I can save a few pictures for him, but that’s about it. In the meantime, I decided his computer would make a good guinea pig for playing with a few LiveCDs and the Fedora 9 Live USB Creator.

I have a 2 gig USB thumb drive I picked up at RSA this year courtesy of Secunia, which is more than enough room for a Linux installation. It took about 20 minutes to create the initial Fedora 9 Desktop installation on the thumb drive, but most of that time was the downloading of the ISO file. The boot up on the target system went well, but Fedora 9 doesn’t recognize the Linksys wireless card in the system and I don’t have the inclination to fight with an installation that much. I tried older versions of Knoppix and a Damn Small Linux I had lying around, but they didn’t like a lot of what they saw on the system, mainly the video and the wireless.

As an experiment I hit the “Use existing Live CD” button and pointed the Live USB at an ISO of Ubuntu 8.0.4.1 LTS (Hardy Heron), and it worked flawlessly. USB Creator had verified the Fedora 9 ISO, but it simply trusted the Ubuntu ISO and 4 minutes later I had an Ubuntu Live USB. Ubuntu at least recognizes the wireless card is there and even suggests some drivers, but I’ll have to hook it up in my office wired LAN to get the system on the Internet. Not an insurmountable problem, just one I’m too lazy to do yet.

I’ll probably wimp out and put Windows 2000 back on the system along with some additional safeguards. This is because I doubt my friend can adjust to Linux, even if all he does is surf the Web. In the meantime, I’ve got a decent little test system. Next up for a quick test run is Helix. Anyone have suggestions for a *nix live distro that I can test out fairly quickly to place on a non-computer-savvy friend’s system?

PS. I hate being desktop support.


Aug 22 2008

Fedora servers pwnd

Published by under Hacking,Linux

The servers at Fedora were attacked and compromised recently. The folks at Red Hat are confident that none of the Fedora packages were compromised, but I’d be cautious for a while until the whole story is known.


Aug 07 2007

No podcast tonight, additional thoughts on Linux World

Published by under Linux

Between Defcon and Linux World, I’m too tired to record a podcast tonight.  I got home yesterday at 5:00 pm and had to leave the house to go to San Francisco at 6:00 am, then I got home tonight at 8:00 pm.  Is it any wonder I’m tired and grouchy?

I talked to several people about the lack of security topics at Linux World after the earlier blog post and I think I’ve discovered at least one of the reasons.  The first time I attended LW was either 2003 or 2004, and security was a big thing at the time.  Everyone was talking about Linux and how secure it was as an operating system.  At that time the Linux community was having a big battle to prove that they were every bit as secure as Microsoft, and it showed.  Every vendor wanted to prove that they had figured out how to secure Linux and that they were better at it than anyone else.

Fast forward to today: it’s fairly well accepted that Linux is at least as secure as Windows out of the box, and with similar amounts of effort, Linux is generally more secure than Windows.  There are always exceptions, and with an infinite amount of effort, both OSes can be made completely secure, but overall it’s easier to dig into the internals of Linux and secure it.

So right now, Linux users and Linux enterprises are feeling pretty good about their security.  But this business is highly cyclical.  Some time in the next few years the security of Linux will be called into question again, either due to Microsoft, a major compromise of the OS or something else unforeseen.  And when it happens, security will once again be in the forefront of the minds of the people attending the event.  Until then, I guess I’ll have to be satisfied with the few fringe vendors who are directly working in security, rather than the majority who list security as just another feature.


Aug 07 2007

Linux World is not a security event

Published by under Linux

When I signed up for a press pass for Linux World and started talking to the PR folks about who to talk to at the event, I kept stressing the fact that I’m a security professional.  I told them I only wanted to talk to people who know security and can talk on the subject intelligently.  But most of the vendors I’ve talked to so far have no one who can.  I don’t blame the vendors themselves, I blame the PR people who promised me that someone knowledgeable would be available.  Of course, like most PR people, they’ve been more interested in just getting their principals in front of a press person rather than getting them in front of the right press.

The other thing I found to be a little interesting is that even amongst the vendors on the floor, security seems to be very sparse.  There are a few companies that specialize in security products, but they’re few and far between.  Where a few years ago Linux was trying to establish itself as being more secure than Windows, they seem to have reached an uneasy equilibrium, at least in the eyes of the people attending.  Everyone is concentrating on virtualization and power consumption and ignoring security altogether.  Even some of the companies that have no impact on power seem to find some way to tie themselves into it somehow.  Reminds me of NAC at RSA earlier this year.

After coming from Defcon, I feel more than a little let down by Linux World.  There are a ton of interesting things going on, but none of them are all that interesting to me.  Maybe I’ll feel a little better after a good night’s sleep.  The good news is, I’m willing to use the wireless network here!


Jul 16 2007

You’ve got to appreciate truth in advertising

I use Gmail as my central email repository and usually the spam filters they use are pretty good.  But lately they’ve been a little overly aggressive, so I have to comb through to make sure no legitimate email is being caught accidentally.  There’s not a lot that’s misidentified, but there’s enough to make it worth the few minutes a day it takes to double-check the spam folder.

I’ve been amazed at some of the subject lines I see, as well as what I see in the preview of the email.  There’s no way I’m going to click on any of them to find out what else is in the spam, because it’s just not worth the risk.  But I do have to say that my favorite subject line so far is “Thanks for contributing to our financial success”.  It’s honest and straightforward even if it is just an attempt to rip off people around the globe.

On a side note, I used to clean out my spam folder every couple of days, but in March I started letting them accumulate and get deleted automatically when they’ve aged 30 days.  It’s been interesting watching the number of spams spike and drop.  At one point I had gathered nearly 9000 spams in a 30 day period, which works out to an average of 300 spams a day.  Personally, that means about 60% of my email is spam, a far lower percentage of spam than most people see.  I guess being subscribed to ten or so mailing lists had to have some benefit.

Mine is just a single data point, compared to the millions some anti-spam vendors get to see.  But I like having a personal high water mark to compare to what the vendors are reporting.  I’m not a spam expert, so it’s interesting to see new spam subjects that companies like F-Secure report.  Anyone else out there keep track of the spam they receive for fun?


Jul 10 2007

Using charities to test stolen cards

This makes sense in a twisted way:  scammers are using charities to test stolen credit cards. As the post points out, they’re using charities because most banks aren’t going to flag a donation, since it’s something most people only do on special occasions and it’s hard to create a behavioral monitoring program that could catch this as being an unusual activity with any accuracy.


May 07 2007

Linuxfest Northwest

Published by under Linux

I attended and spoke at Linuxfest Northwest a couple of weeks ago to talk about Cobia.  I wrote what is, for me, a fairly lengthy post on some of the people I met at the event and a little about who hired the booth babe at LFNW.  Sorry, no new pictures.
