Archive for the 'Simple Security' Category

Feb 19 2009

Reporting Twitter spam

I’m pretty careful about who follows me in Twitter.  I get the email saying who’s following me every time I get a new follower, and without fail I click on the link to see who’s following me.  Most of the time I think “Cool, another follower” and move on.  If it’s an obvious bot (following hundreds to thousands of people but with almost no followers) or if it’s a marketing person who has nothing to do with security, I block them.  I’ve probably made a couple of mistakes and blocked some very good, legitimate people, but I’d rather lose a few good people than have the bots and spam twits following me.

Today I got something a little different, a twit whose only purpose is to spam people with links to pr0n videos.  Or at least I strongly suspect they were, given the names of the videos; I wasn’t willing to risk the malware infestation I believe was probably behind the links to find out.  I immediately blocked that account, but got to thinking about other people who might not be quite as reluctant to follow the links as I am.  Which brought up an interesting question: how do you report spam accounts to Twitter?

I went to the main help page looking for information about how to report spam and didn’t see anything.  So I did what any good twit will do and sent out a tweet to see if anyone else knew how to report spam.  Turns out I’m not the only one who had little or no idea of how to report Twitter spam.  So I did the only thing I could think of, sent an email to support and let it go at that.

I received back several replies asking me to let people know how to report spam, so I decided to take another look at the support page.  Lo and behold, there were instructions on the page right in front of me, I just hadn’t scrolled down the page far enough to find them.  Under the heading “Contact Twitter” was the following information:

Contacting Twitter

More information about Twitter

* @spam: follow our spam profile and report Twitter spam via direct message
* Status Blog: check Twitter’s current system status.
* Twitter Blog: what’s new with Twitter
* Developer Blog: a technical blog from the Twitter engineering team
* Developer Group: if you’re a developer, join our mailing list

And there you have it.  If you receive a follower that is a spam bot, all you have to do is send a direct message to @spam at Twitter.  Could they make it any easier?  Probably not.  Do your part, let the folks at Twitter know when you get a follower who’s a bot.  It’s not only good to kick those accounts off and stop the spam, it lowers the chances of seeing a fail whale.  And no one likes the fail whale.

Update:  Minor problem with the process.  To report spam, you have to follow @spam.  You’d think the guys at Twitter would make an exception for that account. 


Dec 18 2008

Investing in my career

Published by Martin under General, Microsoft, Simple Security

I made two fairly major purchases this week, even though I had to use the credit card to make them, something I hate doing.  Both are aimed at promoting my long term health, one physical, the other career.  The first was to get a small amount of exercise equipment and order the DVDs for the P90x system.  I’m sure anyone who’s following the security guys in Twitter has heard more than their fair share about P90x lately and Chris Hoff has gone so far as to create a new blog of his own to monitor his progress with the P90x system.  I probably won’t go as far as he has with the blog, but I think I will follow his example and take a ‘Week 0’ picture and occasional pictures after that.  I’m not starting the program until after Christmas myself, mostly because I’ll be heading out to the in-laws’ for a week and don’t want to start something this hard then stop for a week.

The second purchase I made was to get myself a membership in Microsoft’s Technet Plus.  I’ve had access to TN+ several times before through employers and I’d used it a lot to build and rebuild servers, test out new programs and generally learn aspects of Microsoft programs I wouldn’t normally have access to.  Unluckily the last time I had access to TN+ was just after XP came out, and when Vista came out the only reason I got to try it at all was that I happened to receive a copy of Vista Ultimate at an event I attended.  Not that I ever successfully upgraded a system to Vista, but at least I got to try.

The truth is, TN+ is also a tax write-off for me.  I haven’t earned much from Google Ads this year, but it’s more than the cost of the TN+ subscription and this will help me counteract what little tax burden there is.  But more importantly, this is an investment in my own continuing education for security and technology.  I work from home and while I get a chance to see different networks and OSes with every new client, it’s not the same as getting your hands into the guts of a server and administering it yourself.

So I’m viewing the purchase of TN+ as an investment in my technical skills for the future.  And that’s how I’m selling it to my wife as well.  I put a lot of time into reading blogs, writing my own blog and creating the podcast, but the amount of money I’ve put into furthering my skills has been minimal the last few years.  My training comes through going to events like RSA, Black Hat and Defcon.  I don’t have a lot of time and energy to read security books, but several of the publishers occasionally send me those to read and review.  I often think about investing in a Master’s degree.  It’d be expensive and time consuming, but it’s a piece of paper that helps you go a lot further in life than a BS will.  But until my wife finishes her own college courses and gets a job, any further courses for me will have to wait.

What other venues should I be spending money on to further my career as a security professional?  Is there something I’m neglecting that might eventually catch up to me?  How are you investing in your career?  Are you investing in your career monetarily or are you making your investments in time and energy instead?  I know there are a lot of people out there who are beginning their careers who are curious about how to get into security, but I’m wondering how the people who’ve been in the field for years are continuing to improve their skills and preparing for that next step up or making themselves as ‘recession proof’ as possible.  I don’t think anyone in this field can afford to say they’re resting on their laurels.


Dec 14 2008

What free Anti Virus do you use at home?

Published by Martin under Malware, Simple Security

We can’t live without anti virus on our computers in this day and age.  I guess we really can, strictly speaking, but the non-techies in my household don’t have the understanding of the Internet to know which behaviors to avoid and what might get them in trouble.  So I put AV on their computers, because it’s easier than trying to educate them.  And as vital as AV is in these situations, I refuse to pay for it.  Why?  Because there are so many free options available, and I think most of the for-pay AVs are too expensive for offering few features that I can’t get in the free versions.  I suspect the free AV solutions use the home AV market as a loss leader to get themselves market share and awareness, giving them a toehold in the corporate AV market, which is where the real money is in any case.

For years I’ve been using AVG Anti Virus free edition, but recently I’ve been less than happy with it.  It’s been fine on my computer, a decent XP desktop, but on my wife’s slightly older Win2K system, it’s been more than a little unstable and recently started complaining at startup that it was missing a .bin file.  I tried to update it several times and scanned the hard drive several times, but I lack the confidence in its ability to find malware if it’s acting this flaky.  So this morning I uninstalled AVG and now I’m in the process of installing Avast Home Edition.  The initial installation was as painless as expected; the system rebooted and before it fully loaded into Windows it was doing a full system scan for malware.  It hadn’t found anything when I started writing this, but given the amount of storage space on her computer, a full scan could take a little while.

So my question to you is what free AV program do you use at home and install on your family’s computers?  Or do you pay for AV from one of the big names?  Or do you skip AV altogether, since I’ve read numbers stating that AV is only between 60% and 80% effective in any case?  And most importantly, why did you make the decision you did?

Update:  Here’s a link to an entire list of AV products out there at Checkvir.com and a really good report by Anti-malware Test Lab, showing exactly how ineffective AV is.  According to this report, only Avira (who?), Kaspersky and F-Secure AV even hit the 90% mark for finding viruses.  The big players, Symantec and McAfee, only hit the mid-60s.  Ouch!


Nov 29 2008

Rich’s Safe Shopping post

There’s nothing really surprising about the steps you need to take to make it through the holiday shopping season without getting your computer infected.  In fact, it’s so unsurprising that Rich has posted the same basic article three years in a row with advice on how to stay safe while you’re shopping online.  You can read the whole thing on Securosis, but here’s a quick synopsis:

1.  Only use one credit card for your online shopping
2.  Only use your credit card at major retailers online, otherwise use Paypal or a temporary credit card
3.  Don’t click on any link you receive in an email.  Ever!
4.  Update your browser.  And your OS while you’re at it.
5.  Use NoScript.
6.  Keep your AV, firewall and other security tools up to date.

Even that might not be enough, but it’ll give you a decent chance of staying safe.  I think we forgot step 0:  Use your common sense.  If it feels fishy, there’s a good chance it is. 


Nov 26 2008

Blocking YouTube with a WRT54G

Published by Martin under Family, Firewall, Simple Security

Ahh, the joys of being a parent.  My youngest son recently started sprinkling his language with profanity, something both his mother and I were certain he didn’t get from us:  she almost never uses profanity and when I do the kids are usually running for cover rather than trying to remember what I said.  At first we thought he was getting it from school, but his older brother finally came forward and told us it was from videos he was watching on YouTube.  What had looked like a fairly innocuous video of Super Mario and other characters turned out to be profanity laden and more than a little disturbing.  He was given a warning and told to turn off any videos that contained profanity, then lost his computer rights for a week when I caught him watching a video with profanity.  The third time’s a charm, so I decided it’s time to block YouTube at the entryway, my WRT54G router.

It seemed simple and straightforward.  But an hour and several internet searches later, I still couldn’t get the WRT54G to block YouTube.  I created a Policy called YouTube, rather appropriately, added a list of affected PCs, set it to every day, 24 hours a day, and entered http://www.youtube.com in the space marked “Website blocking by URL address”.  Then I hit “Save Settings” and … nothing.  I was still able to get to YouTube, the kids could get to YouTube and I was not happy.

Then it suddenly struck me: the folks at Linksys and Cisco were creating the software for the average computer user, someone who doesn’t have the faintest idea what “HTTP” or “URL” mean and probably never types the “http://” at the beginning of the URL.  I took that out of the URL and saved the settings and now YouTube is blocked.  I’m happy that I now know how to block a site, but I’m frustrated that the developers couldn’t have taken a few more lines of code to either automatically remove the http:// if typed in, or at the very least taken ten seconds to add an example of what they consider a URL.  If I’d seen even one example of what they consider a URL, I would have been able to block the site in less than 5 minutes, rather than taking over an hour.  And I wonder how many less technical parents have given up in frustration.
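As an added illustration (not Linksys/Cisco firmware code), here is the kind of input normalization a “block by URL” field could apply before matching, beside a literal comparison that behaves the way the router did; the hostnames and request URLs in it are constructed for the example.

```python
"""Hostname normalization for a 'Website blocking by URL address' field.

The post describes a filter that silently failed when the entry contained the
"http://" prefix.  A naive filter compares the typed entry to the request host
as-is; a normalizing filter reduces both sides to a bare, lowercase hostname
first, so "http://www.youtube.com", "YouTube.com/" and "www.youtube.com" all
mean the same thing.  All entries and URLs below are constructed sample data.
"""
from urllib.parse import urlsplit


def host_from_entry(entry: str) -> str:
    """Reduce a user-typed block entry or a request URL to a bare hostname.

    Accepts bare hosts ("www.youtube.com"), hosts with paths or ports, and
    full URLs with a scheme.  Strips scheme, userinfo, port, path, query and
    surrounding whitespace, lowercases the result and drops a leading "www.".
    Returns "" for input that contains no usable host.
    """
    text = entry.strip()
    if not text:
        return ""
    # urlsplit only recognises a netloc when a scheme is present, so give
    # scheme-less input one; this is the step the post's router skipped.
    if "://" not in text:
        text = "http://" + text
    host = urlsplit(text).hostname or ""  # .hostname is already lowercased
    if host.startswith("www."):
        host = host[len("www."):]
    return host.rstrip(".")


def naive_is_blocked(request_url: str, entries: list) -> bool:
    """Literal comparison of the request host to the typed entries, matching
    the behaviour the post describes: an entry of "http://www.youtube.com"
    never equals the host "www.youtube.com", so nothing is blocked."""
    req_host = urlsplit(request_url).hostname or ""
    return req_host in entries


def is_blocked(request_url: str, entries: list) -> bool:
    """Normalized comparison: block when the request host equals a blocked
    host or is a subdomain of one (m.youtube.com under youtube.com)."""
    req_host = host_from_entry(request_url)
    if not req_host:
        return False
    for entry in entries:
        blocked = host_from_entry(entry)
        if blocked and (req_host == blocked or req_host.endswith("." + blocked)):
            return True
    return False


if __name__ == "__main__":
    # Constructed: exactly what the post says was typed into the router.
    typed = ["http://www.youtube.com"]
    for url in ["http://www.youtube.com/watch?v=abc", "https://m.youtube.com/"]:
        print(url, "naive:", naive_is_blocked(url, typed),
              "normalized:", is_blocked(url, typed))
```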

As someone put it on Twitter: “Sometimes people should check acronym definitions before using them.”


Nov 05 2008

Tips for starting a security career

Published by Martin under General, Simple Security

I know I’m not the only security professional who gets the question “How do I get started in Information Security?”  It’s not a simple question to answer; you don’t simply go get a degree in security then get a job.  Everyone I know has taken their own, unique path to get into information security and the number of folks who are like me and actually have a degree in IT are few.  And even I’d been working in IT for several years before I decided to take my career to the next step and pursue my Bachelor’s degree.

Security Catalyst Kees Leune regularly teaches aspiring security professionals and probably hears this question more than most of us do.  And being a blogger, he’s written a short guide on steps you can take towards becoming a security professional.  I have to warn you, there’s a good chance you’ve heard many of the suggestions before.  But that’s because he’s listing out what it really takes to become a security pro; there is no silver bullet, no degree or certification that makes you a security professional.  It’s a career path, not a destination.  You have to be prepared to spend a lifetime learning and have a passion for security if you’re going to be successful.  Being cynical and paranoid helps too, but those are skills that can be acquired.

His final point, Plan, can’t be overstated.  Know why you want to be in security and what you want to be doing in 5 or 10 years then trace back the steps that it’ll take to get there.  The path you take probably won’t resemble your plan in any but the vaguest outline, but the only way to reach your goal is to have one in the first place.  Saying to yourself “I want to be a security professional” is a good start though.


Oct 21 2008

Network Security Podcast, Episode 124

Published by Martin under Government, Podcast, Simple Security

Want to talk about electronic voting?  We did.  So we invited Jacob West from Fortify to talk with us about a paper he just published with a couple of engineers at Fortify.  Guess what, they found electronic voting using DRE voting machines is the least secure way to vote.  Makes me feel good going into the election.  It’s a good thing we’re fairly self-policing when it comes to time; this is a conversation that could have gone on for a couple of hours.

We had a number of technical issues tonight, so be glad we’ve got a podcast up at all.

Network Security Podcast, Episode 124, October 21, 2008 

Show Notes:


Sep 29 2008

Be compliant through security

Published by Martin under PCI, Simple Security

I really liked Bill Sieglein’s article IT Security:  Can We Be Compliant and Yet Insecure?  Of course we can, it happens all the time.  If you’re just looking at your compliance measures as check boxes, then there’s always going to be the potential for something unique to your environment to be overlooked.  There might be something the assessor/auditor didn’t understand.  The list of ways you could be compliant and yet still insecure goes on, but it’s some of the answers that Bill comes up with that are important.  He lays out 5 simple steps towards getting your company compliant through security rather than the other way around.  Of course, if it was that simple, wouldn’t we all be doing this already?

I like to think of PCI as a baseline for security, not the ultimate goal. 


Sep 20 2008

StumbleUpon: Not impressed by security

I’ve avoided using StumbleUpon and most of its ilk for a long time.  I’ve preferred to keep up to date on the news by using sites like Techmeme or by reading the long list of RSS feeds I have in Bloglines.  But as of late I have been encouraged to branch out a little and start trying a few sites I wouldn’t normally use, like FriendFeed and StumbleUpon.  I haven’t gotten too far into FriendFeed, but even cursory usage of StumbleUpon has left me with a bad taste in my mouth.

First off, there’s the whole dependence on the StumbleUpon toolbar.  When I created the account, I told them I didn’t want the toolbar.  The first time I logged in, I had to tell them again, no, I don’t want the toolbar.  A couple of days later, I got an email, once again encouraging me to download and install the toolbar.  I still wouldn’t have installed the toolbar if not for one simple thing:  I wanted to change my password from the default they gave me.  And guess what, the only way to change your password in StumbleUpon is through the toolbar.  I thought that I was just being obtuse, but upon doing a Google search I found that the toolbar really is the only way to change your password.  Dumb, StumbleUpon, really, really dumb.  I should be able to change my password without installing the toolbar, even if you won’t let me use the majority of your features without the toolbar. 

Then there’s the password itself:  the password that was originally created for me by StumbleUpon was only five characters long, and they were all alphas.  No numbers, no symbols, nothing.  And given that there’s already big news about social engineering passwords and cracking accounts in the news this week, it shouldn’t surprise me to find one more site with a really poor password policy.  And guess what, when I finally did install the toolbar and change my password, it only lets me use letters and numbers, no symbols or special characters.  And I have to wonder if it’s not changing all the letters to lowercase behind the scenes.  Strike two, StumbleUpon.

I’m going to give the toolbar a week, just to find out what the draw is for StumbleUpon.  It’s brought me a lot of traffic in the last couple of weeks, so I figured I needed to at least know about the tool.  But I’m not happy and one more strike is all it’s going to take to make me change my password to something 20 characters long and uninstall the toolbar.  But I did give the Wassup Blog the thumbs up for telling me how to change my password.


Aug 14 2008

MBTA exposed more than the talk would have

Published by Martin under Government, Hacking, Simple Security

It’s funny, I overheard the students who were researching the MBTA vulnerabilities say this at Defcon: by placing the initial report in the court documents, the MBTA was releasing more information than would have been shown in the presentation itself.  They’d planned on keeping some of the information that had been in the report out of the talk to keep people from making their own passes, or at least slowing down the effort.  What I hadn’t realized at the time was that Jennifer Granick from the EFF had warned the MBTA of this and they went ahead with it anyway.  They ignored her warnings and published the final keys needed to take the talk from theoretical to possible.

Not that this temporary restraining order was all that effective in any case.  The presentation slides had already been distributed to more than 7000 attendees with the Defcon DVD.  Rumor has it that the entire preso with the missing checksum information had already been sent to the Full Disclosure list.  And a presentation that would have been well attended suddenly became important news for weeks to come.  I think they call that the “Streisand Effect”.

Some people never learn.
