Network Security Blog

I use Gmail as my central email repository and usually the spam filters they use are pretty good.  But lately they’ve been a little overly aggressive, so I have to comb through to make sure no legitimate email is being caught accidentally.  There’s not a lot that’s misidentified, but there’s enough to make it worth the few minutes a day it takes to double-check the spam folder.

I’ve been amazed at some of the subject lines I see, as well as what I see in the preview of the email.  There’s no way I’m going to click on any of them to find out what else is in the spam, because it’s just not worth the risk.  But I do have to say that my favorite subject line so far is “Thanks for contributing to our financial success”.  It’s honest and straight forward even if it is just an attempt to rip off people around the globe.

On a side note, I used to clean out my spam folder every couple of days, but in March I started letting them accumulate and get deleted automatically when they’ve aged 30 days.  It’s been interesting watching the number of spams spike and drop.  At one point I had gathered nearly 9000 spams in a 30 day period, which works out to an average of 300 spams a day.   Personally, that means about 60% of my email is spam, a far lower percentage of spam than most people see.  I guess being subscribed to ten or so mailing lists had to have some benefit.

Mine is just a single data point, compared to the millions some anti-spam vendors get to see.  But I like having a personal high water mark to compare to what the vendors are reporting. I’m not a spam expert, so it’s interesting to see new spam subjects that companies like  F-secure report.  Anyone else out there keep track of the spam they receive for fun?

Technorati Tags: security, spam, McKeay

This makes sense in a twisted way:  scammers are using charities to test stolen credit cards. As the post points out, they’re using charities because most banks aren’t going to flag a donation, since it’s something most people only do on special occasions and it’s hard to create a behavioral monitoring program that could catch this as being an unusual activity with any accuracy.

I mentioned some rumors going around on Monday that the Xbox Live servers had been hacked, but it now looks like it’s a case of social engineering instead of hacking.  Clans are calling into the Xbox Live support staff and even though they might not get everything they need on an account the first time, they just call back, get another tech support person and get a little more information.  After enough support calls they have enough information to completely steal the account and do whatever they want with it.

It doesn’t surprise me that this happened, what surprises me is that it’s taken this long for it to happen.  This sounds a lot like the MO that Kevin Mitnick used to get information from the telcos over a decade ago, so anyone who wants to read his book, or just do a little research into social engineering, could have done this long ago.  I’m also surprised that the folks in charge of the Xbox Live support don’t have something in place that allows them to detect this type of social engineering and raise flags to stop it.  I can think of a number of ways this might be stopped, but it all comes down to giving people the right tools and training to detect social engineering attempts.  I have to assume that they haven’t put such measures in place because it might interfere with too many legitimate users who are less tech savvy and confused.

Any community of a competitive nature is going to have people who bend the rules and cheat.  If you’ve ever been a member of any of the MMORPG’s, you’ve probably experienced this first hand.  The same distance, both physical and logical that leads a person to become a troll in forums or mailing lists creates ‘griefers’ in game.  So it’s no surprise to me that someone figured out how to take griefing beyond denying you fun in the game and start denying you access to the game at all.

Microsoft had better get on this, fast.  Griefing in-game can ruin it pretty quickly for the majority of players, but having you account stolen and your credit cards run up is guaranteed to drive away users away even quicker. 

Technorati Tags: security, mckeay, Xbox Live, Microsoft,

I just got my invitation to the Windows Home Server Beta test.  Now I just have to find some hardware and time to play with it.  Mostly the time, since I started my new job today.  Maybe I’ll set it up as a VMware image on my main desktop at home, when I finally get home.

The last few days have been a little crazy, so I haven’t had much time to blog.  I’ve noticed that I tend to put most of my longer commentaries on my Computerworld blog, and probably will continue to do so.  Somehow, the structure of setting aside 30-45 minutes every morning specifically for writing there leads me to longer posts, while the 5-10 minutes I can find here and there throughout the day lead to much lighter comments here.  Maybe I’ll get into the habit of spending a similar amount of time in the evenings posting here, it might help get me in the habit of making longer, better thought out posts, rather than quick links with short bits added to them.

Either way, today’s post, “Allchin would let his son surf without AV, so what?” is a decent post, if I do say so myself.  What do you think?

Technorati Tags: security, McKeay, Computerworld

Wow, Jeremiah did a heck of a job creating show notes for the inteviews we did at the IE7 Release party Wednesday night.  I couldn’t have made it that clear if I’d wanted to!  And he even added in another cool picture of my podcasting setup.  If you don’t have the time to listen to the interviews, at least take a few minutes to read through the notes.  One key thing to recognize is that even though IE7 is barely out the door, the team at Microsoft is already concentrating on the challenge of creating IE Next, since they don’t know what number it will be.  And they want community input to develop it.

So here it is!  Jeremiah and I interviewed members of the Internet Explorer 7 Development team to find out what they’re thinking, what they’ve got planned next and what went into the making of IE7.  We also talked to the Yahoo Liason to find out how they managed to release IE7 before Microsoft did, and got the opinions of a couple of the other bloggers that were invited to the party.   Thanks again to everyone who we talked to.

Internet Explorer Release Party, October 18, 2006

From the IE7 team
    Gary Schare
    Chris Wilson
    Dean Hachamovitch

Yahoo
    Gerald Si (I forgot to get a card, so tell me how to spell your name, Gerald)

Bloggers
    John Obeto II
    Niall Kennedy

Once again, thanks to the the folks out there who sent Jeremiah and I questions.   I didn’t get to half of the questions I’d have liked to.  And you know what, the audio turned out pretty good for having been in the middle of a crowded bar.  Yay for free drinks!

Technorati Tags: security, McKeay, Owyang, Internet Explorer 7

I’ve been pretty excited about this event since I recieved the email last week, especially since my friend Jeremiah Owyang got one too.  We were both invited to the IE7 Beta party in April, and got to rub shoulders with a small but prominent group of blogger, including folks like Steve Gillmor and Michael Arrington.  I was pretty certain from the begining this was more than just a chance to meet the folks who wrote and designed Internet Explorer 7, it was the coming out party for IE7. 

Last time I wasn’t prepared for the event and hadn’t tried IE7 yet.  This time I’ve used it, maybe not extensively, but enough to get more than a little familiar with the interface and some of it’s foibles.  More important, I had a chance to ask you, the readers, to help me formulate questions to pose to the developers.  And you’ve come up with some incredible questions: CD-Man wants to know why so many of the really important security features in IE7 are only going to be available to Vista users.  Jeff asks why the big changes in how icons are laid out.  More than one person wanted to know what safeguards are in place to prevent malicious RSS feeds and when IE8 is going to be out.  Thanks to everyone who sent in questions and apologies to the people who’s questions I didn’t get to ask.

I’ve got answers to most of these questions last night, but there were a couple the IE7 team was a little coy about.  The audio of the turned out very well and should be up tonight.  But I don’t guarantee it, since it was a late night last night and a very early morning tomorrow.

I’d take it with a grain of salt, but Paul Thurrott’s write up of the Windows Vista licensing seems well thought out.  However, it also seems very pro-Microsoft, discounting the concerns of people who build their computers from scratch as well as several other concerns.  I haven’t owned a computer I haven’t built from scratch since I had a 386.  The excuse that ‘Fewer of 5% of PC users ever open a PC case …” doesn’t matter to me, since I’m one of the 5% that gets’ into my system regularly.  If I purchased a license for my home use, I feel that I should be able to transfer that license as many times as I need to, provided I have at least one license per instance of the installed OS.  What this is telling me is that I am only leasing a copy of the OS instead of actually purchasing it, something that has been an ongoing trend in software for some time.  Wait until the next version of Windows (in 5 years) when we won’t even have a lease, we’ll be renting month to month.

On the other hand, I do see their point with VMWare; it counts as an installation of the OS, whether we like it or not.  I guess as an ‘enthusiast’ I’ll have to pony up the extra money to get Vista Ultimate.  If I don’t just switch to a Mac, that is.  And if Vista Ultimate costs more than half of what a Mac Mini does, that’s exactly what I’ll do.

Edited to add:  Ed Bott’s reply to Paul’s column

I’m going to the “Dinner with the IE7 Team” next Wednesday night, and I’m looking for questions to ask the IE7 developers and managers.  And since I said just yesterday that you should learn from those smarter than yourself, I’m going to take my own advice:  Tell me what questions I should ask the IE7 developers, especially the security questions!

I went to the IE7 Beta party in April, and they release IE7 Beta 2 as we were eating dinner.  As past performance is not an indicator of future expectations (I used to sell mutual funds, bet you didn’t know that), so they might not repeat that experience.  But they have to be releasing it soon, or they wouldn’t have the dinner. 

I’ve got some questions, and I’m doing my research to figure out a few more, but I figure you guys can come up with a lot harder questions than I can.  Leave a comment on the site, send an email to nsp@mckeay.net or leave me a voicemail at 916-231-9479.  I’ll use any voicemails in the podcast I record next Wednesday.