Archive for the 'Security Advisories' Category

May 09 2008

Norton on my Tivo

Published by Martin under Malware, Security Advisories

I love my DirecTivo, my DirecTV receiver with the Tivo built in. Without it I couldn’t find the time to watch half the television shows I do, and I’d have to actually, you know, *watch* the commercials. The DirecTivo is about four years old and I’m dreading the day something in the box dies, which I know can’t be too far off.

One of the features of the DirecTivo is a little advertisement that’s part of the main screen, usually a 3-5 minute infomercial. I often ignore it, but last night something caught my eye; the headline for the advertisement read “Crucial Wifi Security tips”. This was definitely something I had to take a few moments to check out, otherwise what kind of security professional would I be?

It turns out that it’s an advertisement for Symantec Norton 2008, but I have to give the guys at Symantec some credit, it’s also a pretty good primer on the dangers of using wireless hotspots. The video quality isn’t the highest, but that may be intentional (or it may be a factor of budget). It starts off by giving some general advice about security, or lack thereof, at hotspots and explains in simple terms that the average user might not want to do any sensitive activities while using these hotspots.

I was impressed that Symantec decided to only explain two terms in the video and explained them in simple yet accurate language. The first term was ‘packet sniffing’ and the video explained in a few seconds how another curious patron or maybe a hacker could be sitting in the booth next to you capturing your passwords as they fly through the air. I immediately thought of Robert Graham and the grief he sometimes gives David Maynor concerning wireless.

The second term was ‘wi-phishing’. I’d never heard the term before, but I guess it’s easier to remember than man-in-the-middle or evil twin hotspot. The video explained that malicious attackers could set up hotspots that looked just like real hotspots but were just created to capture passwords and other account information or infect systems with malware. From that point on the video was an explanation of how Symantec Norton could protect users from these dangers as well as a host of others, but I’d heard most of this marketing before at RSA.

The video was only three minutes long and did a good job of explaining a few of the dangers of public wifi in the first two minutes. I’m actually pretty impressed with the content of the video and if I could get just the first part to use for educational purposes, I’d take it. This video would make a good starting point for a brown bag lunch or other short format awareness campaign at work. There are a couple more videos from Symantec waiting to be watched on the DirecTivo, which I might get to this weekend to see what they offer. Or maybe not; my tolerance for commercials has been greatly reduced over the last four years.


No responses yet

Apr 28 2008

[In]Secure Magazine #16 is out

Published by Martin under Security Advisories

Pick up your latest virtual version of the magazine on the [In]Secure site. There are a few articles I plan to read in my copious amounts of spare time, starting with the Security Policy Considerations Payment Card Data articles.


No responses yet

Apr 21 2008

Profits more important than security

Published by Martin under Malware, Security Advisories

No one should be surprised that profits are more important to an ISP than the security of their customers. They are a business and the same rules apply to them that apply to any business: if they’re not profitable, they don’t stay in business for long. I don’t approve of the practice, but I am not even slightly surprised to hear that Earthlink is redirecting non-existent domain names to their own search pages in the hope of a small profit. And I’m even less surprised to find that it’s Dan Kaminsky who’s reporting the issue; it is a DNS issue after all. (Side note: IOActive’s web site appears to be down while I’m writing this; I wonder if they’re experiencing heavy traffic or if something else is going on.)

The problem with Earthlink and their partner, Barefruit, is that they had a weakness in their code that allowed their servers to be used in a JavaScript attack. They’d been doing this redirection since 2006 and no one had commented on it. But Dan, being the King of DNS Misuse, found the vulnerability and reported it. The worst part of this is the fact that Earthlink is just one of many ISPs that are providing their customers with this “service”.

The only reason an ISP is going to stop this practice is because the negative publicity outweighs the potential profit. Even though the profits are minuscule, they can make the difference between staying in business or not. More likely, they make the difference between someone in corporate making their numbers and getting a bonus or not. This isn’t a new practice nor is it without its own controversy, but as long as there’s a profit to be made by it, non-existent domain name redirection will continue.

Update: IOActive’s site appears to be back up; I don’t know what the issue was. Maybe my ISP was redirecting me to a 404 error?
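The post describes the practice but not how to tell whether your own resolver does it. As an added example (not code from the post, nor anything from Earthlink, Barefruit or IOActive), the script below resolves a handful of random, almost certainly unregistered names and checks whether they all come back with the same address instead of a name-not-found error, which is the signature of NXDOMAIN redirection. The name generator, the verdict labels and the `203.0.113.x` addresses used in comments are this example's own assumptions; the live lookup needs network access, while `classify_results()` is pure and can be run on constructed data.

```python
"""Check whether the system DNS resolver rewrites NXDOMAIN into an address
(ISP "search page" redirection) instead of returning name-not-found.

Added example for this post; not code from the post or from any vendor.
"""
import random
import socket
import string
from typing import Dict, List, Optional

# name -> list of IPv4 addresses, or None when the resolver said name-not-found
Results = Dict[str, Optional[List[str]]]


def random_nonexistent_name(tld: str = "com", length: int = 24) -> str:
    """Build a long random label; assumed (not guaranteed) to be unregistered."""
    label = "".join(random.choice(string.ascii_lowercase) for _ in range(length))
    return f"{label}.{tld}"


def lookup(name: str) -> Optional[List[str]]:
    """Resolve with the system resolver. None means NXDOMAIN / not found."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return None
    return sorted({info[4][0] for info in infos})


def classify_results(results: Results) -> dict:
    """Decide from a batch of lookups of random names what the resolver did.

    Verdicts (labels chosen for this example):
      "clean"        every random name got name-not-found
      "redirecting"  every random name resolved, and all share an address
                     (the shared address is the ISP's landing page)
      "inconclusive" some resolved and some did not, or the resolved
                     addresses have nothing in common
    """
    answered = {name: set(ips) for name, ips in results.items() if ips}
    if not answered:
        return {"verdict": "clean", "landing": []}
    if len(answered) == len(results):
        common = set.intersection(*answered.values())
        if common:
            return {"verdict": "redirecting", "landing": sorted(common)}
    return {"verdict": "inconclusive", "landing": []}


def probe_resolver(samples: int = 5) -> dict:
    """Live check: several random names reduce the chance of a lucky hit."""
    names = [random_nonexistent_name() for _ in range(samples)]
    return classify_results({name: lookup(name) for name in names})


if __name__ == "__main__":
    # Constructed data, e.g. every name answered with 203.0.113.10, would
    # yield {"verdict": "redirecting", "landing": ["203.0.113.10"]}.
    print(probe_resolver())
```

A resolver that honours NXDOMAIN makes `getaddrinfo` raise `gaierror` for every random name, which is the "clean" verdict; a single resolved name is reported as inconclusive rather than as redirection, since a 24-character random label can, rarely, collide with a real wildcard zone.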


One response so far

Aug 23 2007

“I don’t want to belong to any club…”

Published by Martin under Security Advisories

As Brian Krebs points out, the Groucho Marx comment, “I don’t want to belong to any club that will accept me as a member” captures the spirit of the latest round of the Storm worm emails. The simple rule of “if you didn’t ask for it, don’t open it” applies to these club membership spams just as well as it does to attachments. I have to give these guys a little credit in saying that this is a new twist of social engineering that will probably get them some good results. At least for a little while.

The list of clubs or online services these spams refer to is around 30 as of today, but you can be certain that it’ll keep growing as people catch on to the first wave of fake services. But the problem with these worms is that they’re easy to update, so new fake services will be added quickly, I’m sure. Another annoying aspect of the Storm worm is that it changes its binary every 30 minutes, making signature-based detection that much harder.


One response so far

Aug 10 2007

Security mentoring in Texas

Published by Martin under Security Advisories

I’ve been friends with Don Weber for some time now and we were even roomies at Defcon (thanks to another friend, Mike). He’s teaching the Security 401: SANS Security Essentials course in Corpus Christi, Texas beginning in September, and I can almost guarantee it’ll be worth attending. He’ll be bringing a lot of real world experience to the table and he’s not afraid to share. By itself, the Security Essentials course is worth taking, but with a straight shooter like Don teaching it, there will be no sugar coating or misdirection involved.

It’s fun to watch my friends grow in their careers to the point where I can feel confident endorsing projects like this. My own experience with SANS training has been great, and the weight SANS gives the feedback students provide is extraordinary. If you’re a SANS instructor and you get some bad reviews, you know about it and they’ll do their best to help you, but they’re not going to keep around an instructor who doesn’t meet their high standards.

One of the good things about taking a class like this from Don is making good contacts in the industry that can last long beyond the end of the course. And I think I like the idea of taking a SANS course in two hour chunks rather than a week of highly intensive training. It gives you a chance to think about what you’ve learned and develop questions to ask during the next class. And you can ask anyone who’s ever been one of my instructors, I’m not shy about asking questions and giving feedback, whether they want it or not.


No responses yet

Jul 31 2007

First all VMs, now all databases

Published by Martin under Hacking, Security Advisories

Wow, it’s not a good day in security. First Paul from PaulDotCom IM’d me this morning to let me know about a vulnerability that is known to affect VMware and may affect all virtual machines, and now there’s news of a timing attack that could be used against any database to reveal sensitive information to an attacker. This attack affects an algorithm that’s common to most commercial database systems.

I’m headed to Black Hat and Defcon Thursday, but I really wish I’d been able to get there earlier. It sounds like there’s going to be a lot of very interesting vulnerabilities discussed, which is standard for Black Hat. I just hope the patches for these vulnerabilities are as quick to come out as the vulnerabilities are. And I’m hoping the different security researchers are practicing ‘responsible disclosure’. I wonder if David Maynor will be revealing anything at the event?


One response so far

Jul 16 2007

You’ve got to appreciate truth in advertising

I use Gmail as my central email repository and usually the spam filters they use are pretty good. But lately they’ve been a little overly aggressive, so I have to comb through to make sure no legitimate email is being caught accidentally. There’s not a lot that’s misidentified, but there’s enough to make it worth the few minutes a day it takes to double-check the spam folder.

I’ve been amazed at some of the subject lines I see, as well as what I see in the preview of the email. There’s no way I’m going to click on any of them to find out what else is in the spam, because it’s just not worth the risk. But I do have to say that my favorite subject line so far is “Thanks for contributing to our financial success”. It’s honest and straightforward even if it is just an attempt to rip off people around the globe.

On a side note, I used to clean out my spam folder every couple of days, but in March I started letting them accumulate and get deleted automatically when they’ve aged 30 days. It’s been interesting watching the number of spams spike and drop. At one point I had gathered nearly 9000 spams in a 30-day period, which works out to an average of 300 spams a day. Personally, that means about 60% of my email is spam, a far lower percentage of spam than most people see. I guess being subscribed to ten or so mailing lists had to have some benefit.

Mine is just a single data point, compared to the millions some anti-spam vendors get to see. But I like having a personal high water mark to compare to what the vendors are reporting. I’m not a spam expert, so it’s interesting to see new spam subjects that companies like F-Secure report. Anyone else out there keep track of the spam they receive for fun?


4 responses so far

Jul 10 2007

Using charities to test stolen cards

This makes sense in a twisted way: scammers are using charities to test stolen credit cards. As the post points out, they’re using charities because most banks aren’t going to flag a donation, since it’s something most people only do on special occasions and it’s hard to create a behavioral monitoring program that could catch this as being an unusual activity with any accuracy.


No responses yet

Jul 04 2007

At least I know one thing I don’t want to do with my life

Published by Martin under Security Advisories

Back in the late 80’s I joined the US Army as a Radio Repairman (31V10). I’d been out of high school for a couple of years and was going nowhere. Worse, I’d fallen in with a bad crowd and I had just enough self-awareness left to realize if I didn’t make major changes, I was going to end up in trouble. So I joined the Army, rationalizing it by telling myself that even if the Army wasn’t something for me, the discipline would do me good and I’d know at least one thing I didn’t want to do with my life. I proved to be right on both counts: the discipline helped, and I knew that the Army wasn’t the right place for me. I’ve never regretted joining the Army and I never regretted leaving.

As I’m sure many of you know, in February Mitchell Ashley and StillSecure offered me the position of Cobia Product Evangelist. I had previously blogged that I thought the position of Security Evangelist would be my idea of a perfect job and jumped at the chance. The thought of traveling to events and meeting people, being paid to blog and podcast, and generally being the public face of a product like Cobia sounded fun and exciting. Basically, I thought this would be THE job for me. Boy was I wrong.

Mitchell Ashley, Alan Shimel and the whole crew at StillSecure did everything they could to help me, but it turns out I’m just not built right to be in marketing. Obviously, I love spouting off my own opinions, but when it comes to representing a company and speaking on their behalf, my own instincts are my own worst enemy. I like to tell the whole, direct truth, and that’s not what marketing is about; it’s about shading the truth to put your company and your product in the most positive light possible. Not that marketing is a bad thing, it’s just not how my thought processes work.

I still believe StillSecure is a great company; Mitchell, Alan and the whole Cobia team are good people to work with. But I’m not a marketing person, I’m not a recruiter and I’m just not a good fit for the position. Effective yesterday, July 3rd, I have resigned as the Cobia Product Evangelist and I’m on the lookout for a new position, preferably something more on the technical side of security. I’m parting on good terms with the company and people involved and I will continue to support them in any way I can, but I’m just not the person to be the Cobia Product Evangelist.

The folks at StillSecure have been great, but I’m just not built right to be a Product Evangelist. It’s been great to explore the possibility with Mitchell and the folks at StillSecure, and I’m very appreciative of the opportunity, but I’ve left the company while my overall impact is still positive. I made a lot of friends at StillSecure and was able to attend events I never could have attended on my own. I really feel honored to have had the opportunity, but it’s not for me. And now I know one more thing I don’t want to do with my life.

So now I’m back to being Martin McKeay, the Network Security blogger, not Martin McKeay, the Cobia Product Evangelist. I don’t think the vendor side of the aisle is for me, unless it’s in a technical role rather than a marketing role. If you happen to be looking for a Sr. Security Analyst with experience in policy, PCI and IDS, drop me a line. I think I know a former manager who might be willing to give me a positive endorsement.


14 responses so far

Jun 11 2007

Bad Safari

Published by Martin under Apple/Mac, Security Advisories

The guys over at Errata Security found a memory corruption error in the new Windows beta of Safari before (to quote a friend) “the ink was even cold on the press release”. And all using publicly available tools. Ouch.


No responses yet
