Network Security Blog

We’re a day late, but we still managed to get this week’s show recorded! Rich is soaking up sun (or “teaching”, as he claims) in Cancún, Mexico, so we decided to rope in the illustrious Mike “Rybolov” Smith to discuss, surprise-surprise, privacy and monitoring.

Network Security Podcast, Episode 266, February 1, 2012

Time:  42:36

Show Notes:

• Google announces privacy changes across products; users can’t opt out
• On The Google Privacy Policy Controversy And The Fantasy Of Opting Out
• FBI to monitor Facebook, Twitter, Myspace
• 6 things you need to know about the new EU privacy framework
• What Europe’s ‘Right to Be Forgotten’ Has in Common with SOPA
• Symantec tells customers to disable pcAnywhere software
• Tonight’s Music:  Boggie with Holy Ghost Blues

Still feels a little funny to be putting the ’12′ in the year column, doesn’t it?  I’m sure the feeling will go away by March or April.  And it’s getting started as an interesting year already, with Symantec’s source code and courts approving warrantless GPS monitoring.  I bet neither of those were captured in the “Top 11 Predictions for 2012″ so many pundits and bloggers put out at the end of the year.

Personally, I’m starting the new year with a ton of writing to do.  Despite my best efforts, I didn’t blog as much as I would have liked to in the last few months, but I know that has to change.  I have to start writing for the Akamai blog, I’ve got information for the Security Bloggers Meetup to post and I get several offers a month to write for other publications.  Then there’s the internal projects that are in motion, at least one of which is requiring me to think in new and interesting ways in order to get concepts on a page properly.  Plus I’ve got lots of interesting toys at work to play with; what questions would you be looking for answers for if you had access to the logs for a significant portion of the Internet?  That’s actually a serious question I have to blog about some day soon.  I’d like to hear what people want to see in a report.

And speaking of the Security Bloggers Meetup, I was nominated for two Social Security Awards last week.  Rich Mogull, Zach Lanier and I were nominated for the work we do on the Network Security Blog and I was nominated for Best Post for my “Curing the Credit Card Cancer” post.  Rich and I both sit on the committee that puts together the Security Bloggers Meetup, though neither of us works on the Social Security Awards, so before this year, we’d ruled that everyone on the committee was not eligible to be nominated.  Alan Shimel changed the rule this year; he felt that since we had nothing to do with the SSA’s, it was unfair to exclude us.  So, go vote for us. I’d love a chance to beat PauldotCom and the other contenders for Best Security Podcast.  I’ve read the other blog posts, I don’t have much of a chance for the Single Best Post. 

Open Tabs 01/09/12

• Lax security exposes voice mail to hacking, study says – Yes, using an easily spoofed phone # as your single method of authentication sucks.
• Kuwait wants to put an end to anonymous accounts on twitter – So they can put dissenting voices in prison.  I wonder if our politicians will follow?
• 440,783 “Silent SMS” used to track German suspect in 2010 – There may be a common thread to what I find interesting lately.
• Boot Hezbollah from Twitter or we sue, group says - Wha??  It would be censorship if it was the government asking for this.
• Stuxnet weapon has at least 4 cousins: Researchers – Who would have suspected that Stuxnet was only the first wave? (Hint: think everyone)
• No warrant needed for GPS monitoring, judge rules – This one worries me a lot.  You’re home may still be your castle, but your car definitely isn’t.
• Why Twitter’s “verified account” failure matters – Because, no matter what they do, identity is malleable and hard to prove.
• Defensive search-and-destroy ‘virus’ delivered to Japanese government – Maybe not directly related to Stuxnet, but the same general idea.
• Lilupophilupop SQL injections attack top 1 million infected URLs – Don’t try to pronounce the name of this attack.
• Symantec confirms hackers accessed source code of two enterprise security products – Two older products, but still in use in some locations, I’m sure.

Christmas is over!  I hope yours was good, but I personally find the whole build up and let down stressful and I’m glad when it’s done with.  Especially the part where my kids are home from school for a week and whine every time I tell them to get out of the house for a little while before I have to hurt them.  Not that I’d actually hurt my kids, but it’s sometimes the only threat that will get them moving. 

There have been some interesting stories leading up to Christmas and it’ll be interesting to see what’s been happening behind the scenes while the majority of us have been chomping on candy and ripping open our presents.  I have nothing to support the theory yet, but I strongly suspect most of the bad guys left their tools running while they took some time off, so their might be reports of compromises in the not too distant future.  After all, there were a couple of reports that came out before the weekend, perhaps hoping to get ignored and bypassed in Christmas craziness.

A quick thought on the boycott of GoDaddy over the SOPA legislation.  GoDaddy is such a minor player in this realm and probably signed on to the legislation like a little brother following his older brother, Big Media; they wanted to sound and act cool in the eyes of everyone else without having the faintest idea that what they were doing had real world consequences.  Boycotting GoDaddy is like bullying the little brother when what you really want to do is punch the elder brother in the eye!  It’s ineffective, both in the long run and in the short term, to boycott GoDaddy when what we should really be doing is making the larger players behind SOPA aware this is an evil and unacceptable way to try to regulate the internet.  A crowdsourced version of the list of supporters on the list is available as a Google doc.  If you really want to do something important, boycott some of the big boys on the list and quit going to their movies and buying their products. 

Open Tabs – 12/26/11

• Chinese computer hackers hit U.S. Chamber of Commerce – I wonder what our hackers are doing to the Chinese behind the scenes.  Not the vocal ones on the con scene, the ones employed by the Three Letter Agencies.  Never mind, we don’t do that, do we.
• LOIC (Low Orbit Ion Cannon) – DoS attacking tool – The tool is old news, but this is a pretty good writeup.  If you want to know more though, one of my co-workers could tell you a few things more about how it works.
• The Thought Leader … One year later – Chris Eng’s further harpooning of the information security thought leaders.  I know about half of the video applies to me at least as much as it does anyone else. 
• How hackers gave Subway a $30 million lesson in point-of-sale security – There’s another meaning for POS, especially when you don’t bother changing default passwords and trust owners to follow procedures.
• The Dark side of B-Sides – I’m staying out of this fight, since I know all the players.  But I know there’s a lot of truth to both sides of the stories, and the sooner this can be opened up and the aired out, the better for everyone involved.
• Hackers steal data on millions of Chinese net users – No need for nefarious government hackers when criminals will hack into Chinese sites because they data they hold might be worth something.
• Insurance against cyber attacks expected to boom – Let’s just insure our systems rather than taking the time to secure them!  Because the insurance companies won’t place caveats on what’s ensured and what constitutes a breach of contract to include poor maintenance control, will they?  “What do you mean our insurance doesn’t cover this?” is a phrase I expect to hear once cyber insurance (I shudder at the name) becomes common place.
• Congress calls on Twitter to block Taliban – Oh yeah, because it takes so much to set up another account and tell everyone to go there instead.  And because censorship should always be one of the first tools used by a free, democratic system.  These people spend too much time thinking in hyperbole and too little time thinking in reality.

Usually I try to find the time to blog first thing in the morning, but today was way too busy to allow for anything nearly as relaxing as blogging.  I spent two days traveling to and from a client site last week and then two more days at the BayThreat conference, with only Sunday at home to relax and play Skyrim … I mean spend with the family.  BayThreat was a ton of fun; my co-worker Mike Smith gave a presentation called “Zerging is for Chumps” and another friend, Gillis Jones gave his first talk, “Show me the Money”, just to name a few.  It’s interesting to go to a convention where you can almost talk to every attendee if you put your mind to it.  And you know I gave it a pretty good try.  Anyway, I’m off for more flying around the country again this week and have a ton to do in the mean time, so this may be the only chance I get to post this week, other than the podcast.  Presuming I can get that done with Zach this week.

Open tabs, 12/12/11:

• The iPhone is about to become the FBI’s newest crime-fighting partner – To check fingerprints faster, not to look at phone logs. For now at least.
• Kaspersky Lab quits Business Software Alliance to protest SOPA – Way to go, Kaspersky!  Glad someone in the community is doing something solid about this horrible idea.
• My keynote talk at BSides DFW – I can’t watch!
• Senator wants answers from DHS over domain name seizures – We’re no longer the land of the free when the DHS is charged with treating potential piracy as if it was an act of terrorism.  They have way too much power to grab and forget without judicial oversight!
• MPAA Boss:  If the Chinese censor the Internet without a problem, why can’t the US? – People like this are why the DHS needs oversight.  And shouldn’t be involved in copyright enforcement to begin with.  
• The Infosec Naughty List & the Twelve Charlatans of Christmas – I’m just glad I didn’t make the list.  Or did I, by inclusion?
• Who knows what Youhavedownloaded.com – I’m of mixed feelings about this site.  Not surprised they can track you that easily, though.

There’s this game called Skyrim that’s been taking up all my ‘free’ time.  The only thing that’s kept me from being completely sucked in is the fact that my eldest son keeps asking, “When is it my turn to play?”  That and the fact that my other half keeps bringing up Christmas and my commitments as far as decorating and present shopping go.  Tis the season to avoid the malls and spend time online shopping instead.  Speaking of which, my coworkers have a thing or two to say about the holiday shopping season, which is once again morphing into something bigger, yet different, than it was ten years ago.  I love working at a place that has so much access to data about what’s really happening on the Internet.  Hopefully you’ll hear more on that early next year.

Open Tabs 12/5/11:

• 9 Reasons Wired readers should wear tinfoil hats – Except tinfoil actually improves reception for the mind altering rays!  Try a grounded wire mesh instead.
• Carrier IQ’s own marketing claims undercut its defense – Hard to say “We don’t invade users’ privacy” when all your marketing slicks say otherwise.
• Carrier IQ admits holding ‘treasure trove’ of consumer data, but no keystrokes – Yes, we invade your privacy, but only a little.
• Measure twice, cut once – Accuvant Labs is starting to do some fun stuff with vulnerability research.
• Spammers act just like HIV virus in avoiding filters – Why specific to HIV?  Because it was being given at on World AIDS Day.
• Feds seize domains of Korean movie portals – Why is DHS in charge of copyright infringement policing?  Don’t they have better things to do, like protecting us from terrorists?
• The impact of cloud computing on IT jobs – Why yes, a disruptive technology like the Cloud is going to cause some people to lose jobs.  And some people to get jobs.

Google got in a lot of trouble last year for capturing private data from wireless networks when they were driving the googlemobiles around to get video shots for StreetView.  Basically, rather than just capturing the SSID for the access points, in a lot of cases they captured data streams from the AP’s, which violated all sorts of European privacy laws.  And in reply to this, Google came up with a solution:  users can opt-out of Google’s wireless access point mapping solution by simply adding “_nomap” to the end of their SSID!  So simple it’s stupid.  No, I mean it’s so simple it’s absolutely idiotic and a waste of the digital ink that was used to express the idea!

I think MG Siegler expresses it best when he said, “The solution is a joke.“  Siegler thought of the same things I did when he saw this so-called solution.  First, only a fraction of a percent of people are even going to understand that Google is mapping their access points and even a smaller segment of the population is going to understand what that means.  And of that small group, only a much smaller percentage are going to make the changes to SSID names necessary to opt-out of the Google mapping.  I thnk that his .01% of the 10% of the people who actually read the article is a bit generous; only the truly paranoid will opt out using this method, and they probably weren’t advertising their SSID to begin with.

Let’s think about the pain in the arse it is to change a SSID to include ‘_nomap’.  My house is probably not normal, but it’s what I have to use as an example.  I have two wireless networks, two access points, three desktops, half a dozen laptops and a server that all would have to be changed to include the ‘_nomap’ SSID.  Plus there are a few more systems to worry about when you include the gaming systems the kids use.  The average household probably doesn’t have nearly that much equipment, but they also don’t know enough about wifi to set it up with proper encryption in the first place, so why would Google assume the average home user would know enough to change the SSID on all these systems once they finally got them running on their home network?

Let’s be honest; all Google is doing is waving their hands over StreetView in an effort to claim they’re doing something in front of governmental bodies who wouldn’t know the difference between an SSID and Sid Vicious.  In most cases, they’d probably recognize Sid Vicious before they’d have a clue what an SSID was or what it’s used for!  Siegler nails it when he states that Google might as well ask for people to solve calculus problems.  And I’d be willing to guess there are a number of people would have an easier time solving advance mathmatical equations than they would changing their SSID.

I want a solution that doesn’t require me to change my SSID to opt-out of Google’s mapping.  It’s a stupid solution and I’m not changing my SSID to include the ‘_nomap’ modifier.  My last thoguht is two-fold:  What effect will this have on the all the data that Google has already collected (Answer: none) and will Google actually honor their own ‘_nomap’ identifier and drop the data at collection or will they simply not display the access points using ‘_nomap’ but keep the data in their database?  I think you and I both know the answer to the second one as well.

I had a great time at BSides DFW this weekend!  Michelle Klinger, Joseph Sokoly and the whole crew of volunteers who made the event happen did such an awesome job of putting it together and the Microsoft tech center was the perfect place to have it.  Not that Jayson Street didn’t make a few of the security guards nervous from time to time.  And the rest of us nervous when he thought no one was watching where he was thinking of getting into.  I gave the closing key note speech, which went well despite the fact I was as nervous as I think it’s possible for me to be.  It’s worth giving the talk again some time, after I’ve tightened it up and loosened up a bit myself.  Just remember to challenge all our current security wisdom.

Saturday was November 5th, Guy Faulkes day, and despite it being a high holiday for Anonymous, nothing much seems to have happened.  They did pop Adidas last week, but that was supposedly a prequel to their main event this weekend.  On a more positive note, Brad Smith is doing slightly better, though he is still comatose and has pnemonia.  If you can, spare a few dollars to help Brad and his wife pay for medical bills; if you can’t, keep him in your prayers.  Brad has helped a lot of people in the security community and it’s time to help him in return.

Open Tabs 11/08/11

• Pictures from BSidesDFW – I’m the big guy in the green BSides SF shirt.  I know I don’t look like I sound.
• It pays to be the face of Anonymous – “Now my weed dealer won’t come by….” You can’t make this stuff up!
• Hackers worming way into utilities – No surprise to us, but maybe the idea will worm it’s way into the mind of someone who can do something about it.
• Feds try to prevent War of the Worlds-style panic over national emergency alert – This is a test.  This is only a test.  Please don’t panic!
• Ex-U.S. general urges frank talk on cyber weapons – We’re behind the curve and maybe behind the eight ball.
• De-lousing E-PARASITE – More on this moronic legislation
• Down the Rabbithole Episode 5 – I love Brian Stiekes thinking.  We both think information security is fundamentally broken.
• iPhone security bug lets innocent-looking apps go bad – And Apple shoots Charlie Miller (or at least his developer account) for being the messenger.

I’m not much of a programmer.  I’ve written a few thousand lines of code in my life, but that’s just enough to make me familiar with the generalities of programming.  One of the things I learned early is that I could either learn to program and sacrifice a large amount of my social skills in the process, or I could learn to pretend to be relatively normal instead.  But one thing I did learn about programming is that you always start any array at 0, not 1.  Though Andy Ellis did have to remind me of this a couple years ago when I started tweeting about my family occasionally.

If you follow me on twitter (@mckeay) you’ll know that I occasionally write about some of the things my family do and/or say.  Even if they sometimes only do and/or say the things I attribute to them in my head.  And whenever I mention their actions, real and imagined, I refer to them as “Wife0″, “Spawn0″ and “Spawn1″.  Which causes me to get a lot of questions about why I call them that.  As well as the occasional joke about “Does that mean you plan on instantiating Wife1?”  To which I reply, “No, since instantiation of Wife1 would require the utter destruction of the Martin parent process”  Oh, geek humor.

Why don’t I just refer to them by name?  Partially because it’s become a running joke in the family and it amuses me.  But mostly because the names of my family are none of the business with 99% of the people who follow me on twitter and of 99.99% of the people on the Internet!  If you know me well enough that I feel like telling you or if I know you well enough that I’ve actually introduced you to my family, then you have a right and need to know what their names really are.  But if you’re an ‘internet friend’, someone I meet every few months at a conference or simply someone who’s decided to follow me because I’m sometimes entertaining on twitter, there’s no need or reason for you to know what I call my family at home.  I always refer to Wife0 as Wife0, Spawn0 as Spawn0 and Spawn1 as Trouble… er, Spawn1. 

Seriously though, there’s enough information leakage that I knowingly let out on twitter and the blog.  And I leak a fair amount of information about my wife and children just by talking about them from time to time.  If someone really wanted to, it wouldn’t be that hard to look them up and find out who they are, where we live and any number of other facts about my family.  But I see no need to make that any easier by spewing out their names every time I want to share an amusing anecdote with my friends and followers on the Internet.  I give them some small manner of anonymity by not referring to them by name and by making no guarantees that anything I’ve ever said about them was based on reality.  And there’s a fair portion of what I say about them on twitter really does only happen in my mind.  But that doesn’t mean it amuses me any less.

I spent the week at the Hacker Halted conference in Miami and had a great time.  Except for the part where my iPad gave me an error message stating it needed to be restored from back up and commenced a reboot cycle.  Which lasted until Wednesday afternoon.  Nothing like being at a security convention and having mysterious issues with your electronics.  Talk about having your paranoia spike off the chart!  My talk with Mike Dahn on Compliance in the Cloud (it really is about more than just PCI) was well received and we should see our interview with Tony from InfoSec Island within the next couple of days online.  I’m glad to be home with the family for a little while before hitting the road next week to speak at BSides DFW.  I actually get to give the closing presentation.  No pressure there.  But in the mean time, I have an appointment to keep with my coworker Josh Corman and Rapid 7′s HD Moore to talk about Josh’s idea, “HD Moore’s Law”. 

Open Tabs 10/28/11

• Op-ed:  The shocking strangeness of our 25yo digital privacy law – Why can’t we write laws that are broadly applicable?
• Who else was hit by the RSA attackers – One hell of a list.  And one hell of a wake up call for the industry as a whole.
• #SecBiz or the better answer to Martin’s question – I’m glad the Down the Security Rabbithole podcast I’ve been doing with Rafal Los has sparked some thought.
• First Circuit finds that fraud mitigation costs … – Long title to say that at least one court believes you should be able to sue to recoup your personal mitigation costs after a breach.
• Where is your Chaos Monkey? – It’s an interesting idea to purposely fail some of your infrastructure at random intervals to make sure your stuff works.
• Disastrous IP legislation is back … and it’s worse than ever – I got to speak to Kevin Bankston from the EFF at Hacker Halted.  When an EFF lawyer tells you something is the worst piece of legislation he’s ever seen, you know it has to be a steaming pile of crud.  Please, please, please contact your legislators and let them know this can’t be allowed to pass!
• Looks like Congress has declared war on the Internet – A lot more information on this atrocious legislation

If you fly with any regularity, you know exactly how bad things have gotten with the TSA invading your space and your privacy.  Naked x-ray machines, intrusive pat downs and TSO’s who think their position gives them the right and responsibility to embarrass people who are simply trying to get to a destination.  All in all, flying is now one of the most stressful activities the average American has to deal with.  Hopefully pressure from the public will turn the tide on the current efforts by the TSA to ‘protect’ us at the expense of our basic liberties, but I don’t see it happening overnight.  In the mean time, you need to know what your rights are when dealing with the TSA.   Thankfully Saizai has created a two page PDF that explains what your rights are when dealing with the TSA and who to call if you think you’re rights are being violated.  This PDF is something you should have a copy of on your phone, on your computer and printed out so you can carry with you when you fly.  Seriously, it’s that valuable.  Saizai says he updates the document fairly regularly, but just in case I’m also making a static copy of it available just in case.  By the way, it also includes information about the photography rules of various airports around the nation, another good piece of information you may need to protect you from overzealous TSO’s who want to believe it’s illegal to photograph them at work (it’s not, at most airports)