Archive for the 'Site Configuration' Category

Mar 20 2008

The Good, the bad and the ugly: WordPress, Scribefire and Wireshark

As a security professional, I have a number of things I consider bad habits. One of these is that I let Firefox remember many of my passwords for me, at least when it comes to my low security sites. And for better or for worse I consider the blog one of the low risk sites, therefore I let Firefox keep the password for me and just know that I can log in with a click of the button. Until tonight that is; I upgraded to Firefox 3 beta 4 and for whatever reason, it lost the password to the blog.

At first, I didn’t think this was a big deal; after all I was pretty sure I remembered the password. But after trying the password I thought it was and half a dozen of my other passwords I use on low risk sites, none of them worked. I figured that was not a big deal either, since I could just use the reset password function to … well, reset my password. But that module told me I had a valid account name but an invalid e-mail address. This made me panic a little because I know that I sometimes get a little tricky with my email addresses and add a few descriptive characters then redirect to my active email address once the email hits my mail server. None of the standard email addresses worked, neither did some of the non-standards, and eventually I exceeded the allowed attempts.

That’s when I remembered the one other place I knew I had the password stored, Scribefire. I have been using Scribefire in one form or another for several years now, and in fact I’m writing this posting in it. It’s a great tool for WYSIWYG editing and life would be harder without it. One of the things they’ve done right is to make sure that you can’t recover the user name or password from inside Scribefire, a security measure I appreciate. Or usually appreciate, that is.

That’s when I remembered that for all the things WordPress does right, the login is done over plain vanilla http. There’s no encryption, no use of SSL, nothing. And since Scribefire has to log into WordPress to do some of the magic it does, that means the user name and password would be flowing across the ethernet cable in plain text. I had an older version of Ethereal, now Wireshark, on my system, fired that up, played with Scribefire for a couple of moments and examined the capture. Sure as snot, there was my user name and password, plain as day. Turns out I’d had the proper password, but I’d forgotten a character that’s supposed to be capitalized in the user name. D’ooh.

The real lesson here is not that you shouldn’t rely on your browser to remember your password. Okay, that is a lesson, but it’s not the real lesson. The real lesson is that all too often, our passwords, user names and other sensitive information are flowing across the network unencrypted. It’s open for anyone with a little bit of curiosity. They just need one of the first tools any aspiring security pro or hacker learns to use, a sniffer. In properly switched and segmented networks, this may not be a problem, but there are probably more poorly set up networks than properly configured ones. And I don’t want to rely on the work of a network administrator I don’t know to keep me safe, I want my programs to do it themselves. I’m currently looking at Login Encrypt as a WordPress plugin to solve the problem, but I’m going to keep looking before I bite on this one. But this only solves the problem in WordPress; what about all of the other sites I use that allow unencrypted login?
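The problem the post describes, a login form posted over plain http, is easy to check for mechanically, and checking is what a site owner should do before trusting any plugin to fix it. The following Python script is an added example; it is not from the original post and not code from WordPress, Scribefire or Wireshark. It walks a constructed list of captured payloads (the hostnames, field values and the SAMPLE_CAPTURE packets are invented placeholders), parses the plaintext HTTP requests, and reports any form post on port 80 that carries a credential-like field. It reports field names only, never the values, so the audit log does not become a second copy of the secret. A second helper answers the closing question about other sites: given a page URL and its login form’s action attribute, it tells you whether the submission will actually go over https.

```python
from typing import Optional
from urllib.parse import parse_qs, urljoin, urlsplit

# Constructed sample capture as (destination port, application payload).
# Port 80 carries HTTP in the clear; the port 443 payload is TLS ciphertext,
# shown here as opaque bytes. Names and credentials are invented placeholders.
SAMPLE_CAPTURE = [
    (80, b"GET /feed/ HTTP/1.1\r\nHost: blog.example.com\r\n\r\n"),
    (80, b"POST /wp-login.php HTTP/1.1\r\nHost: blog.example.com\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n"
         b"Content-Length: 46\r\n\r\n"
         b"log=Editor&pwd=Placeholder123&wp-submit=Log+In"),
    (443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03..."),  # TLS ClientHello fragment
]

# Form field names commonly used for secrets; matched case-insensitively.
SENSITIVE_FIELDS = {"pwd", "password", "pass", "passwd", "secret", "token"}


def parse_http_request(payload: bytes) -> Optional[dict]:
    """Parse a plaintext HTTP/1.x request; return None if the payload is not one."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None  # binary data (for example TLS records) is not readable HTTP
    head, sep, body = text.partition("\r\n\r\n")
    if not sep:
        return None
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "path": parts[1], "headers": headers, "body": body}


def find_exposed_credentials(capture) -> list:
    """Report form posts sent in the clear that carry credential-like fields.

    Only field names are reported, deliberately not their values.
    """
    findings = []
    for port, payload in capture:
        if port == 443:
            continue  # TLS: the form contents are not visible on the wire
        req = parse_http_request(payload)
        if req is None or req["method"] != "POST":
            continue
        ctype = req["headers"].get("content-type", "")
        if not ctype.startswith("application/x-www-form-urlencoded"):
            continue
        exposed = sorted(f for f in parse_qs(req["body"]) if f.lower() in SENSITIVE_FIELDS)
        if exposed:
            findings.append({"host": req["headers"].get("host", "?"),
                             "path": req["path"], "fields": exposed})
    return findings


def login_form_is_protected(page_url: str, form_action: str) -> bool:
    """True only if the form submits over https.

    A relative action inherits the page's scheme, so a login form on an
    http page with action="/wp-login.php" is unprotected even if the site
    also answers on https.
    """
    return urlsplit(urljoin(page_url, form_action)).scheme == "https"


if __name__ == "__main__":
    for f in find_exposed_credentials(SAMPLE_CAPTURE):
        print(f"plaintext credentials: {f['host']}{f['path']} fields={f['fields']}")
    print(login_form_is_protected("http://blog.example.com/wp-login.php", "/wp-login.php"))
```

Run against the constructed capture it flags the wp-login.php post (field pwd) and ignores both the feed request and the TLS record. For WordPress specifically, serving the login and admin pages over https (WordPress exposes a FORCE_SSL_ADMIN constant for wp-config.php) removes the exposure at the source, and the check above is the way to confirm that a plugin or setting actually did what it promised rather than taking its word for it.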


3 responses so far

Jan 09 2008

A blessing in disguise

Published under Site Configuration

Last week’s server crash is turning into quite a positive incident.  Yes, most of the incoming links to the site are broken due to differences between Movable Type and WordPress, but I’ve managed to redirect all of the RSS feeds so readers should continue to get updates as I write new posts.  Using FeedBurner to manage the feeds has turned out to be as close to painless as humanly possible.  It’s been a lot of work and there’s still more to go, but overall I’d call this a positive experience, especially since the site looks so much better than it ever has before.

What I hadn’t really thought about until today was what this would mean to my home network; I often told people that my home network was more complex than the average small business.  And it was true, complete with a DMZ, two wireless networks and two wired networks, each with its own purpose.  Now that I’m no longer hosting my own web, email and DNS services, the DMZ is no longer needed, nor is one of the internal wired networks.  In one fell swoop, I was able to remove four pieces of network equipment, four wall warts and innumerable cables.  My office almost looks like a human works here, rather than a robotic rat in a mood to nest.

My wife’s already commented on how much faster internet access is.  My office is a good 10 degrees cooler and 10 decibels quieter than it’s been in years.  I may be looking at a savings around $100 on my electric bill next month.  My home office will no longer be a fire hazard.  I even have all of my systems backing up to external hard drives for a change.  There are times when you quietly say to yourself, “Why didn’t I do this before?”


One response so far

Jan 05 2008

Suggestions for further improvement?

Published under Blogging, Site Configuration

I’ve been taking this opportunity to add some functionality to the blog, especially since adding plug-ins is so easy with WordPress.  So far I’ve installed FeedBurner FeedSmith, SimpleTwitter, Slashdigglicious and WordPress.com Stats.  I’ve also installed my friend Dan Kuykendall’s plug-in podPress, which was one of the things that originally got me thinking about switching to WordPress.

The site will obviously be undergoing additional changes over the next couple of days as I experiment with WordPress some.  Are there any absolute ‘must have’ plug-ins I should install?  Are there any I should absolutely stay away from?  I have to imagine someone will make a malicious plug-in for WP some day, though I haven’t heard of one yet. 

The weather report says it’s going to be raining all weekend here in Northern California, my wife’s recovering from minor eye surgery (PRK touch up) and the kids have a friend coming over this afternoon.  Sounds like a good time to sit at the computer and play with the blog configuration.


5 responses so far

Jan 04 2008

Mostly back up

Published under Site Configuration

I still have to get about 3 months worth of blog posts back from the now defunct server, but I have high hopes that this will not be all that painful of a process. Not extremely high hopes, but some hope nonetheless. The old system is still running, it’s just not connecting to the network and I’ll have to find a way to get the backups straight out of the database. I’m all but certain that I won’t be the only person who’s ever had to do this, so I may be able to find a couple of ‘how-tos’ in Google.

Once more, this proves to me the importance of regular backups. I spent part of New Year’s Day backing up all of my podcasts and pictures to DVD, I just wish I’d remembered to do the same with the podcast. Oh well.


4 responses so far

Jul 16 2007

You’ve got to appreciate truth in advertising

I use Gmail as my central email repository and usually the spam filters they use are pretty good.  But lately they’ve been a little overly aggressive, so I have to comb through to make sure no legitimate email is being caught accidentally.  There’s not a lot that’s misidentified, but there’s enough to make it worth the few minutes a day it takes to double-check the spam folder.

I’ve been amazed at some of the subject lines I see, as well as what I see in the preview of the email.  There’s no way I’m going to click on any of them to find out what else is in the spam, because it’s just not worth the risk.  But I do have to say that my favorite subject line so far is “Thanks for contributing to our financial success”.  It’s honest and straightforward even if it is just an attempt to rip off people around the globe.

On a side note, I used to clean out my spam folder every couple of days, but in March I started letting them accumulate and get deleted automatically when they’ve aged 30 days.  It’s been interesting watching the number of spams spike and drop.  At one point I had gathered nearly 9000 spams in a 30 day period, which works out to an average of 300 spams a day.   Personally, that means about 60% of my email is spam, a far lower percentage of spam than most people see.  I guess being subscribed to ten or so mailing lists had to have some benefit.

Mine is just a single data point, compared to the millions some anti-spam vendors get to see.  But I like having a personal high water mark to compare to what the vendors are reporting.  I’m not a spam expert, so it’s interesting to see new spam subjects that companies like F-Secure report.  Anyone else out there keep track of the spam they receive for fun?


7 responses so far

Jul 10 2007

Using charities to test stolen cards

This makes sense in a twisted way:  scammers are using charities to test stolen credit cards. As the post points out, they’re using charities because most banks aren’t going to flag a donation, since it’s something most people only do on special occasions and it’s hard to create a behavioral monitoring program that could catch this as being an unusual activity with any accuracy.


No responses yet

May 08 2007

Why I like my ISP

Published under Site Configuration

I’ve been a fan of my local ISP, Sonic.net, for a long time, and one of the reasons is the fact that they give good intelligence about their own outages.  Here’s an example of a post on the Sonic.net site from earlier today, when I noticed incredibly slow Internet access.  I did about half a dozen tests on my network before contacting them, so I was relatively certain the problem was on their end this time.

Tue May 8 10:57:02 PDT 2007 — A hardware failure in
one of our DSL gateway routers has caused packet loss and slow
performance for a percentage of our DSL customers. We have identified
the problem and expect service to be fully restored in 30 minutes.
-Eli, Operations

This is more information than the average user might want or need, but it’s exactly the sort of thing a power user is going to want to know.  They treat their users as knowledgeable until proven otherwise, which has greatly helped me the few times I’ve had to call in with support issues. 

They appear to have fixed the issue, which means I can stop using my cell phone for connectivity and go back to the wireless. 


One response so far

Jan 26 2007

How do I transfer a domain name?

Published under Site Configuration

Marcin asked, “How do I transfer my domain name?”  I realized I’ve never had the need to transfer a domain name from one registrar to another, so I did a little searching through Google to find an answer.  Most of the instructions I found were registrars telling you how to transfer to their service, but I found a couple of links that might be useful.

First of all, you have the right to transfer your domain name, don’t let any registrar say differently.  The ‘losing registrar’ can hold up the process, but unless they have a specific reason not to, they have to comply.  One of the nice things ICANN has done is to institute a 5-day default approval to the process; if the losing registrar doesn’t respond to the gaining registrar in 5 days, your domain will be automatically transferred.

The actual transfer process appears pretty easy; find a new registrar, fill out a Standardized Form of Authorization and within 5 days, your domain will be transferred to the gaining registrar.  There’s even a nice flow chart of the process (.pdf) for you to follow.

If you’re using GoDaddy, now you know how to transfer your domain.  And if you don’t want your domain taken down without notice, you might want to do exactly that. 


One response so far

Jan 07 2007

Aborted move to new server/platform

Published under Site Configuration

I tried to move to the new server at my ISP today, but had to roll back to the existing server at my house. After spending 8 hours banging my head against the RSS feeds and some other redirect issues, I’ve decided that’s enough for one day.  I have a couple of other items left on my weekend to-do list that I have to take care of, so this is just going to have to take place some other time.  It’s too bad, because other than the feeds and one directory redirection, the site was doing pretty well and looked a heck of a lot better than the current site.  I made a lot of progress today, but not enough to call it good.


One response so far

Sep 01 2006

The target was material for phishing attacks

According to the SFGate, the intrusion that AT&T reported earlier this week was not aimed at stealing credit card information, it was aimed at providing the raw data to allow the crackers to perform targeted phishing attacks on a massive scale.  By seeding an email with information gathered from AT&T’s database, the phishers can add a level of authenticity that makes even some of the most suspicious people on the Internet accept an email as authentic.

This is just one more reason to never respond directly to any request from a merchant or bank that comes to you in the form of an email.  As always, if you think an email alert is real, open a browser window and manually type in your bank’s URL, never click on the link in the email. 


No responses yet
