Archive for the 'Microsoft' Category

Apr 30 2008

Microsoft giving police tools they can get for themselves

Published by Martin under Government, Microsoft

This was looking like it could have been a great story for the conspiracy theorists in all of us: Microsoft is helping law enforcement agencies by giving them USB keys with forensics tools to help with cybercrime investigations. It can ‘decrypt passwords and analyze a computer’s internet activity’, something every good law enforcement agent needs. The Computer Online Forensic Evidence Extractor (Cofee) offers up 150 commands (what do they mean by ‘command’? Is that 150 tools or one tool with 150 commands?) and makes it easier for beleaguered cops to perform an investigation.

A number of people, most notably Mike Masnick, have jumped to the conclusion that this offers some sort of back door to law enforcement. Ed Bott fires back calling this inflammatory and rants a bit against the echo chamber that is the blogosphere. I can see why Mike would jump to the conclusion he did, that Microsoft was offering up some special sauce for criminal investigators, but as Ed points out, the tools included on the USB drive are all available elsewhere; MS has just made it easier by putting them on one USB key.

Ed also points out another thing: the bad guys have had USB keys that do most, if not all, of the same things for years. The USB Switchblade works wonders, is freely available and probably is more dangerous than any of the tools in the Cofee suite. I wouldn’t be surprised if some of the more savvy forensics investigators haven’t been carrying USB Switchblades around for a couple of years.

This is twice in a week that I know of that computer crime stories got blown out of proportion. Is it a trend or just a blip in the statistics? All I know is it feels weird to not be on the side being called paranoid.


2 responses so far

Apr 19 2008

Windows Error at the Airport

Published by Martin under Microsoft

I’m starting a collection of Windows error messages I see in odd screens around the country. I thought it was funny to see a Windows third-party DLL error message on a screen talking about airport security. I hope the airport’s physical security is better than its patching and updating practices are. Is there a site out there that already tracks these things?


No responses yet

Jan 23 2008

Vista vulnerabilities at a year

Published by Martin under Microsoft

Jeff Jones has just released a PDF, Windows Vista One Year Vulnerability Report. I’m still digging into the report, but I like how he’s shown a side-by-side comparison between the number of vulnerabilities XP had at one year versus the number Vista has had at one year. A number that would be more revealing, but that we’re not going to see, would be the number of open, unpatched vulnerabilities in each system today. That would tell us a lot more about how secure we are, which is what we really want to know. I think Jeff does a very good job of comparing apples to apples in the report, but it doesn’t do much to prove that as of today, Windows Vista is the most secure OS available.

I’m still not upgrading to Vista until I can make sure the 64-bit drivers exist for all of my hardware.  Even if Vista is as secure as Jeff asserts, it’s not enough to make the upgrade worthwhile to me.


No responses yet

Jul 16 2007

Stephen Toulouse leaving Microsoft security

Published by Martin under Microsoft

Stephen Toulouse has been one of the most visible security people at Microsoft since 2002. If you go to any major convention, there’s a good chance Stephen would be the one organizing the meetings with bloggers. Or at least that’s how I met him. I was talking to Richard Bejtlich at RSA 2006, the first time I’d actually talked to Richard one on one, and he mentioned he was heading to a lunch put on by Sunbelt Software and Microsoft. I tagged along and Stephen immediately made me feel welcome at the lunch and a great conversation was had by all. Unluckily, I didn’t get a chance to meet Stephen again until RSA this year, and now it appears I won’t be seeing him at any Microsoft lunches any time in the foreseeable future.

Stephen is still working for Microsoft; he just won’t be with the security team any longer. If there’s one thing that’s geekier than being a Microsoft security guru, it’s becoming an Xbox Live guru. I’m not a console gamer, but from what I’ve read on his site, that really is Stephen’s passion. And if you can get a job doing your passion, I say go for it! I know from recent personal experience, it may not always work out as planned. But it’s better to have tried and failed than to live your life regretting the chances that slipped through your fingers.

Congratulations Stephen. The security team’s loss is Xbox Live’s gain. Of course, this means you’re off the list for RSA 2008’s Security Bloggers Meetup, but there has to be a price to pay for your dream job.


No responses yet

Jul 16 2007

You’ve got to appreciate truth in advertising

I use Gmail as my central email repository and usually the spam filters they use are pretty good.  But lately they’ve been a little overly aggressive, so I have to comb through to make sure no legitimate email is being caught accidentally.  There’s not a lot that’s misidentified, but there’s enough to make it worth the few minutes a day it takes to double-check the spam folder.

I’ve been amazed at some of the subject lines I see, as well as what I see in the preview of the email. There’s no way I’m going to click on any of them to find out what else is in the spam, because it’s just not worth the risk. But I do have to say that my favorite subject line so far is “Thanks for contributing to our financial success”. It’s honest and straightforward even if it is just an attempt to rip off people around the globe.

On a side note, I used to clean out my spam folder every couple of days, but in March I started letting them accumulate and get deleted automatically when they’ve aged 30 days.  It’s been interesting watching the number of spams spike and drop.  At one point I had gathered nearly 9000 spams in a 30 day period, which works out to an average of 300 spams a day.   Personally, that means about 60% of my email is spam, a far lower percentage of spam than most people see.  I guess being subscribed to ten or so mailing lists had to have some benefit.

Mine is just a single data point, compared to the millions some anti-spam vendors get to see. But I like having a personal high water mark to compare to what the vendors are reporting. I’m not a spam expert, so it’s interesting to see new spam subjects that companies like F-Secure report. Anyone else out there keep track of the spam they receive for fun?


4 responses so far

Jul 10 2007

Using charities to test stolen cards

This makes sense in a twisted way:  scammers are using charities to test stolen credit cards. As the post points out, they’re using charities because most banks aren’t going to flag a donation, since it’s something most people only do on special occasions and it’s hard to create a behavioral monitoring program that could catch this as being an unusual activity with any accuracy.


No responses yet

Mar 22 2007

Xbox Live wasn’t hacked, it was social engineered

Published by Martin under Hacking, Microsoft

I mentioned some rumors going around on Monday that the Xbox Live servers had been hacked, but it now looks like it’s a case of social engineering instead of hacking.  Clans are calling into the Xbox Live support staff and even though they might not get everything they need on an account the first time, they just call back, get another tech support person and get a little more information.  After enough support calls they have enough information to completely steal the account and do whatever they want with it.

It doesn’t surprise me that this happened, what surprises me is that it’s taken this long for it to happen.  This sounds a lot like the MO that Kevin Mitnick used to get information from the telcos over a decade ago, so anyone who wants to read his book, or just do a little research into social engineering, could have done this long ago.  I’m also surprised that the folks in charge of the Xbox Live support don’t have something in place that allows them to detect this type of social engineering and raise flags to stop it.  I can think of a number of ways this might be stopped, but it all comes down to giving people the right tools and training to detect social engineering attempts.  I have to assume that they haven’t put such measures in place because it might interfere with too many legitimate users who are less tech savvy and confused.

Any community of a competitive nature is going to have people who bend the rules and cheat. If you’ve ever been a member of any of the MMORPGs, you’ve probably experienced this firsthand. The same distance, both physical and logical, that leads a person to become a troll in forums or mailing lists creates ‘griefers’ in game. So it’s no surprise to me that someone figured out how to take griefing beyond denying you fun in the game and start denying you access to the game at all.

Microsoft had better get on this, fast. Griefing in-game can ruin it pretty quickly for the majority of players, but having your account stolen and your credit cards run up is guaranteed to drive users away even quicker.


No responses yet

Feb 26 2007

Invitation to Windows Home Server Beta

Published by Martin under Microsoft

I just got my invitation to the Windows Home Server Beta test.  Now I just have to find some hardware and time to play with it.  Mostly the time, since I started my new job today.  Maybe I’ll set it up as a VMware image on my main desktop at home, when I finally get home.


One response so far

Nov 10 2006

Not much time to blog lately

Published by Martin under General, Microsoft

The last few days have been a little crazy, so I haven’t had much time to blog.  I’ve noticed that I tend to put most of my longer commentaries on my Computerworld blog, and probably will continue to do so.  Somehow, the structure of setting aside 30-45 minutes every morning specifically for writing there leads me to longer posts, while the 5-10 minutes I can find here and there throughout the day lead to much lighter comments here.  Maybe I’ll get into the habit of spending a similar amount of time in the evenings posting here, it might help get me in the habit of making longer, better thought out posts, rather than quick links with short bits added to them.

Either way, today’s post, “Allchin would let his son surf without AV, so what?” is a decent post, if I do say so myself.  What do you think?


No responses yet

Oct 20 2006

Interview outline by Jeremiah

Published by Martin under Microsoft

Wow, Jeremiah did a heck of a job creating show notes for the interviews we did at the IE7 Release party Wednesday night. I couldn’t have made it that clear if I’d wanted to! And he even added in another cool picture of my podcasting setup. If you don’t have the time to listen to the interviews, at least take a few minutes to read through the notes. One key thing to recognize is that even though IE7 is barely out the door, the team at Microsoft is already concentrating on the challenge of creating IE Next, since they don’t know what number it will be. And they want community input to develop it.


No responses yet
