Nov 21, 2010
I’m not going to weigh in on the whole TSA whine fest that’s going on; I agree that the TSA has gone too far and needs to have their collar yanked on to settle them down. But a whole bunch of us complaining on Twitter isn’t going to do much, neither are lengthy blog posts. Quite frankly most of us have too little exposure to be taken seriously on the national stage. I got my own whining in early, so now I’m trying to gather some information on how to be effective.
But we do have people we can contact who have some pull, starting with our federal legislators, who are easy enough to find and monitor on the Project Vote Smart site. I didn’t notice a political slant either way to the site; it appears to just be reporting the facts and is easy to use. Writing to your Senator (mine is Barbara Boxer) will be slightly more effective than Twitter; at least an intern somewhere will tally your complaint. Two other places you can write that I’ve been told will have slightly more impact are your airline and their lobbying firm. Explain your position in terms of how it impacts your business and how it will impact their bottom line. The SourceWatch wiki supplied me with contact information for United Airlines and their lobbyist firms. I’ll let you know if I hear anything back from them. A friend on Twitter explained the approach: start any emails you send by talking about the money, then end with little side notes like ‘protection from unreasonable search and seizure.’ It’s easier for many people to understand money issues than those of Constitutional rights.
The TSA does have a way to report a complaint, though I don’t know of anyone who’s done it so far or what the results have been. Personally I’d be afraid of getting added to a watch list. What might be more helpful is to read the official TSA Blog. For instance, did you know it’s actually allowable by TSA rules to photograph a TSO in pursuit of their duties? That is, if state and local laws allow it, which they don’t in many states. So far California appears to.
The current pat downs and backscatter X-rays are both issues that need to be addressed, as is the over-reach of the TSA to grab power at airports. But observing and talking about them doesn’t do much good unless we follow up with some sort of action. If you have some better ideas of who to contact, please leave a comment.
Oct 19, 2010
When Gene Kim came to me with the idea to get Mike Dahn and Josh Corman around a table in Orlando, Florida one evening after the annual PCI Community Meeting, I was excited. Gene wanted to end a minor, pointless feud between two of our friends who’d gotten off on the wrong foot earlier in the year. In effect, we decided to hit the reset button on the relationship between these two gentlemen. And Orlando proved to be the perfect time and place to do exactly that. A good-sized bottle of Macallan 12 didn’t hurt any either.
PCI Hug It Out-FacetoFace.mp3
To give you a quick recap, this is the third of a three part series (Part 1, Part 2) being sponsored by Tripwire called “PCI Hug It Out”. In Part One, we heard Mike’s views on PCI and why he’s such a strong proponent of the standard. In Part Two, we heard Josh state his position and why he is sometimes thought of as being an opponent of PCI. And here in Part Three we explore the points of commonality between Josh and Mike, and how we can turn these into calls to action from the community as a whole.
There is, of course, the question of The Hug; did Mike and Josh put aside their previous arguments and start a new friendship, did they agree to disagree, or did the night end in fisticuffs? And how much can we raise for the EFF and Hackers for Charity? Once again, we ask you to visit the Tripwire blog and let us know if you’ve contributed.
This was a fun project to do with Tripwire and the guys. I’m sure the four of us will get together again in the future to listen to the sounds of our own voices. We all hope that people who are interested in PCI and security in general found something worthwhile in our discussion over the tabletop, face to face. For our part, this was worth doing even if no one ever heard it, so if we’ve given anyone else some things to think about, this was a win. Thanks for listening.
Sep 13, 2010
In a few weeks HacKid will be coming up in Boston at the Microsoft NERD Center. Flying cross-country to attend with my family didn’t quite work out, but it did get me thinking about the skills I’d like my two boys to master before they’re too old to learn anything from their father or any adult, which I figure is about 15. I don’t mean the stuff they learn in school, which, while valuable, is not necessarily the set of skills they’re going to need to survive on a daily basis. I was wondering about the geek skills, both technical and non-technical. Since I’ve recently started playing with lock picks, I decided that would be one of the first of these skills, but I turned to the wisdom of Twitter to add to the list. Below is a compilation of the list I started and some of the suggestions I got from Twitter.
Here you go:
- Lock picking (physical security being taught at HacKid)
- How to social engineer a password from someone
- Fix a printer (or at least replace the paper/cartridge and pull out jammed paper)
- Martial arts/Self-defense (also being taught at HacKid)
- Electronics/soldering/circuit boards (I’d have to learn more about this one myself)
- Amateur (Ham) radio
- Fast reading/Critical thinking (they’ve got the first handled, I can barely keep these kids in books)
- Conflict management
- How to build a tree fort
- How to build a home network
- How to build a computer
- How to change a tire (This one will wait until they’re a little older)
- How to repair a consumer device, how to fix a motor
- How to improvise to build what they need (aka Duct tape foo)
- Role playing games (OK, so this one may do more harm than good, but it’s still fun)
- Basic self-reliance (which our society seems to want to train out of us) [ireadit]
- Basic carpentry and plumbing skills [ireadit]
- Debate skills [Matt Summers]
- Rope skills: how to make, how to coil without kinks, how to tie knots [Chris J]
- Bike maintenance [Robin]
- Basic navigation, both with and without a compass (my kids have been orienteering since they were in diapers) [Robin]
- Juggling (fun, but essential?) [Robin]
- Coin/close up magic, handy for social engineering [Robin]
- How to swim [Norbert]
- Learn to play an instrument [Robb]
- How to play all major sports [Robb]
- Basic cooking skills [Peter]
- Basic first aid (Like ‘Call 911!’?) [Peter]
- Linux & Windows command-line fu, a programming language (Does Scratch count?) [Chris]
- And?
Leave comments and I’ll add to the list.
Jul 27, 2010
Well, not quite; I have a few more hours of getting packed and work before I head to the airport, but close enough. Around lunch, I’ll be throwing all my stuff in the trunk of the car and heading for Las Vegas, Black Hat, Defcon and BSides! I find this trio of events to be my favorite get-together of security professionals. Black Hat has the slightly more serious, business-oriented presentations, Defcon tends to be a bit outrageous and inflammatory, while BSides is the new kid who’s experimenting with different formats and venues. If you’re a security professional of almost any stripe and you’re not at least petitioning to attend these events, you need to start. The networking opportunities alone are worth the cost, and when you throw in what you learn about current threats, it’s not that difficult to justify, especially BSides and Defcon. Tell your boss you heard about an amazing panel going on Sunday at noon called PCI, Compromising Controls and Compromising Security.
Whether you’re going or not, Rob McMillan over at IDG has done a good job of summarizing some of the key stories you should be watching come out of Vegas this week. I should be able to get interviews with at least a few of the people giving these talks, so keep an eye out here and on the podcast page for this year’s series of microcasts. Or if you hate those, you might just want to unsubscribe until next week. In fact, if you don’t want to hear about the events going on in Vegas this week, you just might want to stop reading most security blogs, Twitter, Facebook and most other social media outlets security folks use for a little while.
Following the Twitter stream, it’s easy to see that there are a lot of security professionals eager to get to Las Vegas, meet with old friends, make new ones and get the party started. And the parties really are an integral part of the whole experience. If nothing else, try making it to the IOActive Freakshow Saturday night; if last year is any example of what they have planned for this year, it’ll be worth it if only so you can say you saw it. Just be careful how much you drink and what you say; you don’t want to be this year’s example of someone who ignored that cardinal rule.
So much for seeing eight hours of sleep a night for at least a week.
Nov 02, 2009
Michael Arrington sure knows how to stir up a crap storm. Saturday he started bringing to light the amount of scamming and dishonest practices behind ads and games on Facebook and MySpace. I’m pretty sure that the people who think the ads are legitimate are in the minority, but even I was stunned by the sheer magnitude of the money changing hands behind the scenes. I assume part of why I was unaware of the issue is my own limited use of Facebook and complete refusal to visit MySpace. Sure, there are rules that try to limit the scams, but the reality is that the technology allowing scammers to earn big bucks is changing much faster than anything the big social network sites can do. I wonder if this sort of ecology isn’t exactly why Twitter has never allowed ads?
Today TechCrunch is running a guest blog post by Dennis Yu, an advertiser who knows a lot about the guts of running Facebook scams, since he used to make his money performing the exact sort of scam Arrington is trying to call out. He claims to be reformed, he claims to feel guilty, but he’s not offering to give any of the money back in an act of contrition. I guess the best we can hope for is that the information he’s sharing can be used to limit the damage caused by scammers going forward. And limiting the damage is the best that can be hoped for, since the money being generated by Facebook ads is too tempting to stop all together.
One of the biggest keys to encouraging a user to click on an ad has always been to make it look like it’s coming from a trusted source. Looking like a legitimate Facebook ad is important, but using personal information from the user’s profile is even better, according to Mr. Yu, and providing that information has been one of the things Facebook has led the way on since its inception. Developers have always had easy and wide-ranging access to user data on Facebook, in many cases even data that’s marked as ‘private’. Facebook’s privacy policy spells this out, but few users ever read the policy when they sign up for Facebook and even fewer read it whenever it’s updated.
It’s no wonder that developers flock to Facebook either; according to Mr. Yu, he was able to earn 40-60 times what Google Adsense could for the same ads. Not that the ads were actually effective for the advertisers, but the companies were still paying out for ad placement. The funny thing is that most of the ads didn’t convert to real sales, since a lot of the people using Facebook didn’t have or use credit cards. In other words, they don’t actually buy the things that ads are selling. But there are three things that don’t cost end-users money that they’re willing to accept: toolbars, supplying an email address or supplying their phone number. Toolbars are egregious because they are often nothing more than conduits for spyware. An email address is obviously useful for spamming, especially if you already have all the other information being supplied by Facebook. The worst of the three for consumers is giving up a phone number, since this can lead to a recurring monthly bill that you might not even realize you have tacked onto your phone. After all, how many people actually check their phone bills that often?
The bad guys, and even the guys who aren’t bad but want to make a buck, are going to find ways to exploit Facebook, MySpace and other social media spaces as long as there is money to be made. They’re going to take advantage of weak enforcement and a lack of motivation to stop the scams from happening. But the social media companies have to decide for themselves if the cost of accepting the ads is worth it in the long run. Users aren’t stupid, they realize the ads are often scams and many of them are playing the game just as hard as the advertisers, providing false or partially true information to get the rewards for clicking on banners and ads. Soon Facebook will have to decide if they want to be the premier site on the Internet or be relegated to the backwaters of the Internet, used only by scammers and fools.
Aug 16, 2009
I finally had the time to sit down and read the NSS Labs Web Browser Security Phishing Protection paper this morning. This paper is a test of the more popular browsers in use today and how well the reputation-based systems they’ve built work to protect users against phishing attempts by malicious sites. The big winners in the test were Firefox 3 (not 3.5) and IE8, which almost tied at 80% and 83% accuracy for blocking phishing sites. Given that the study quotes a margin of error of 3.6%, the two browsers are equal for most intents and purposes. The big loser of the test was Safari 4, which only had a 2% blocking rate for malicious sites. I hope Safari on my iPhone is better than it is on my Macbook, or at least that there are fewer phishing sites targeting the iPhone.
It’s very interesting that Firefox 3, Chrome 2 and Safari 4 all use Google’s Safebrowsing data feed but have very different results from the same data. Chrome 2 only had a 16% success rate in blocking, compared with Firefox 3 at 80% and Safari 4 at 2%. So why the big difference between the three browsers running off of the same information? NSS Labs doesn’t offer an explanation and apparently none of the developers did either, so either Firefox is pulling in a lot of additional information from somewhere or the Chrome and Safari developers have some learning to do.
What I personally found the most interesting about the paper though was that the Anti-Phishing Working Group is quoted as saying that the average phishing site only has a lifespan of approximately 52 hours. None of the browsers really reach full effectiveness for blocking a phishing site for about 48 hours after the site has become active, therefore you’re only getting 4 hours of maximum benefits. The long term trends look good, but it’s a little disturbing that many phishing sites are relatively undetected for at least the first 24 to 48 hours they’re live.
I’d be curious to see how Firefox 3.5 changes this mix. Apparently it wasn’t stable enough to be used in this test, but maybe we’ll see a new set of tests next quarter. I’m also wondering what effect the FF plugin NoScript would have on the results. Since NoScript isn’t strictly speaking an anti-phishing tool, I doubt NSS Labs will be testing it any time soon, but I’d like to know how much more secure it makes my web surfing experience.
Now to go back and read the Socially Engineered Malware report.