Archive for the 'Uncategorized' Category

May 15 2008

xkcd: Security Holes

Published by Martin under Uncategorized

Not to be outdone by Dilbert, xkcd has its own Debian-related humor today. Whoever thought that the words “encryption” and “humor” would apply to the same blog post?


One response so far

May 14 2008

WP Security Scan

Published by Martin under Uncategorized

I don’t care if you’re a security blogger or just a plain vanilla blogger, you owe it to yourself to check out WP Security Scan. This plugin will scan your WordPress installation and give you suggestions on how to make it more secure. It found a number of permissions on my blog that had been set incorrectly (now fixed) and gave me other suggestions such as changing the names of the directories from the easily guessed defaults. I know that a lot of people have a hard enough time just keeping their blogs up to date, but given the rash of WordPress compromises I’ve heard of recently, this is something everyone running a WP installation needs to do.

Another plugin in the same vein worth checking out is WordPress Automatic Upgrade. No more waiting for your service provider to get around to the upgrade or messing with all the funky files yourself. The only problem I have with it is re-enabling the plugins after an upgrade, which is a relatively minor issue. I run the plugin occasionally just to get a backup of the blog. See, I do learn from my mistakes occasionally.


No responses yet

Apr 25 2008

Bill Brenner leaving SearchSecurity.com

Published by Martin under Uncategorized

Just got an email update from SearchSecurity.com: Bill Brenner has announced that he’s leaving the company to ‘pursue a new challenge’. That usually means he got a better offer somewhere else, which bodes well for Bill. I’ve talked to Bill a few times for different articles he was writing and he seems like a pretty nice guy, so I wish him the best of luck in his new adventure. Hopefully he tells us all what it is sooner rather than later. For some odd reason I couldn’t find the update on the SearchSecurity site yet.


No responses yet

Apr 15 2008

Network Security Podcast, Episode 101

Published by Martin under Uncategorized

Rich and I review some of the events that went on at RSA, including Rich’s analyst panel and Thursday morning’s ‘Avoiding the Security Groundhog Day’ panel. Neither of us was all that impressed with the showroom floor or the keynote speeches given at RSA, but we both enjoyed getting reacquainted with the security professionals we tend to only catch up with at events like this. Finally we talked about what events we’d go to in pursuit of furthering a burgeoning security career. And just in case you’re wondering where Episode 100 is, it was the live video we took last week at the Security Bloggers Meetup. Not that anyone could have missed it, given the amount we’ve been talking about it lately.


Tonight’s Music: Pride by Paula Toledo

Network Security Podcast, Episode 101, April 15th, 2008

Time: 42:26


No responses yet

Jan 15 2008

Network Security Podcast, Episode 90

Published by Martin under Uncategorized

Martin is flying solo on the podcast tonight, sort of. Rich is at Macworld this week and phoned in two segments, one on Steve Jobs’ keynote address and one on security vendors at the show. Add to that one Mac-related security item and we’ve got a pretty Apple-heavy show this week. Everyone else in anything related to tech is covering Macworld, so why not us?


Show notes:

Network Security Podcast, Episode 90

Time: 27:41


No responses yet

Jan 04 2008

Web server fall down, go boom!

Published by Martin under Uncategorized

I woke up this morning with a long list of things to do, but the Gods of Computing had other ideas. One of the first things I noticed when I logged into email was a lack of new emails, which is odd considering I usually get several hundred spams a night if nothing else. My brain was still fuzzy from lack of caffeine, but this set off some alarm bells in my head. A quick surf to the web site showed that my server was down, a few pings got no response, and SSH wasn’t responding either. After a few words I was glad my children weren’t awake to hear, I got a cup of coffee and started troubleshooting.

Turns out that somewhere in the middle of the night, the PCI bus on the server’s motherboard decided to bite the dust. It shows memory errors where there were none before. The system comes up, and even though the NIC responds, it’s not allowing connectivity in any way, shape or form. I can get on the server locally, but no network connections are being established.

Taking this as a sign from above that maybe it’s time to stop hosting the site and my email at my house, I’ve switched all of my DNS, email and web services over to BlueHost. And since I have to rebuild everything anyway, I’ve switched from Movable Type to WordPress, something I’ve been thinking about doing for over a year now. And despite an earlier resolution to back up the entire database on a regular basis, the latest backup I have is from the end of August, so I’ll be losing a number of posts and comments until I take the time to recover them from the now defunct server. Luckily I’ve hardly been posting the last few months, so it’s probably no more than a couple of dozen posts lost.

I am not a happy camper, especially since I already had a full day’s worth of work ahead of me. I’ll probably take some more time this morning to at least get a better looking page up, but most of the real work is going to have to wait until another time. And since I have a report due Monday, it looks like I’ll be working all weekend. And to top it all off, I managed to spill coffee on my sound board while trying to reach around to the back of the dying server. It seems to be okay so far, but I said more words the kids shouldn’t hear when that happened.

At least mail is working and the site is back up, even though it’ll take a day or two for the DNS changes to propagate throughout the Internet. If you haven’t already changed over to the Feedburner feed, now would be a good time. As soon as I get that pointed to the new RSS feed, that is. Speaking of which, I’ll be back once I’ve fixed that too.

Edit: The FeedBurner feed is http://feeds.feedburner.com/MartinMcKeaysNetworkSecurityBlog


3 responses so far

May 29 2007

PCI (and compliance) are just tools

Published by Martin under Uncategorized

Michael Dahn started an interesting conversation with his post, “Putting an end to compliance via continuous security”. He wonders why he and other auditors come back to companies and find the same problems year after year. Why can’t a company stay compliant over the course of a year? The reason, or at least a reason, is that the technologies might be changing, but the mentality that created the problem in the first place is still there.

I don’t claim this as an original idea; it’s something I picked up from my teacher when I trained for my GSNA. She stated that until you can change the way people are thinking about security, similar problems are going to continue to evolve again and again. Policy might change the perception of security measures, education works better and sometimes people have to be replaced. But until you can instill a proper security mindset in your users, problems will continue.

I always thought of PCI and compliance in general as a lever to promote change in the corporation. People don’t like change and management really doesn’t like security managers who ask for large increases in their budgets. But when you can use the compliance issue as a justification, you’ve taken that item from a ‘nice to have’ to a ‘must have’. There are other ways to justify your work and your technology, but an itemized list of requirements helps a lot.

I also view becoming compliant as a secondary goal to becoming secure. If you keep your priorities in that order, it should make doing both much easier in the long run. I can’t say I’ve been completely successful at this in the past, but I’ve found it makes my life much easier when I do. Focusing on a security solution that also happens to be a compliance solution is much more important than finding a compliance solution that’s secure.

There are a lot of good comments on this thread. I like the idea of a continuous approach to security, but it will be a change to the way people think. If PCI or some other compliance framework is the tool you need to effect that change, use it. But don’t lose sight of the real goal, which is the security of your company, not the compliance itself.


One response so far

Apr 17 2007

I only wish Greg Dean was right

Published by Martin under Uncategorized

Unluckily, given what’s been happening in Florida the last couple of months, I think Greg Dean of the Real Life cartoon is wrong and the premise of “Man of the Year” is closer to reality than he thinks.


No responses yet

Apr 11 2007

Hacking the Cisco NAC

Published by Martin under Uncategorized

Mirko from (In)Secure Magazine and Help Net Security sent me a link to a video they recently published from Black Hat Europe. Two researchers presented a paper there on how to hack Cisco NAC. I think many people already realized that client side controls for NAC are circumventable, but this is the first time I’ve heard that someone actually created an exploit. The two researchers had just given a talk and while they haven’t posted the exploit code yet, it probably won’t be too long before it becomes available.


One response so far

Mar 25 2007

Shmoocon 2007 is over

Published by Martin under Uncategorized

I’m more than a little sad Shmoocon ’07 is over. I haven’t had this much fun at an event in quite a while, excluding the Security Blogger Meetup at RSA. Then again, the meetup was one night of fun, while this was 2.5 very full days of learning, meeting people and just hanging out. There was a little partying too, but the fact that I’m from California helped a lot, since my body is still on Pacific time. The fact I’m also old enough to know how to drink in moderation also placed me in a far better position than many of my fellow attendees both Saturday and Sunday mornings. The fact that I was there representing Cobia and StillSecure also helped keep me out of trouble.

I have a lot to learn about traveling. I hadn’t realized that Shmoocon started at 15:30 Friday afternoon and I traveled on Friday rather than Thursday night. I missed most of Friday’s events, and almost missed Avi Rubin’s keynote address. I have a lot of respect for Avi and the work he’s done, so I made up for arriving late by getting to meet him in person. I’m not at all shy about just walking up to someone and introducing myself, which is exactly what I did. With just a little luck, I’ll get a chance to get him on the podcast some day in the near future.

After the talk, I happened to run into Simple Nomad and tagged along to the hotel bar to meet a large contingent of attendees. It’s a darn good thing I did, because after we’d been there for about 30 minutes, he asked me when we were going to the bloggers meetup. I’d missed the timing on that and thought it was Saturday night. I would have been in deep trouble if I hadn’t shown up, since as StillSecure’s representative I was picking up part of the bill for the event. With a little help from Simple Nomad, I found the place it was being held in time and was able to uphold my part of the bargain. I don’t know the exact number of bloggers, podcasters and readers/listeners, but I’d say a conservative estimate was 30-40 people. Mubix did an excellent job of organizing the meetup, though once the majority of the folks left to go to a not-so-nearby bar, things got a lot more chaotic. I finally got to meet Paul and Larry from PaulDotCom, the entire crew from Hak.5, Gene from SecThis, Obie and Brent from Cyberspeak as well as a whole host of readers/listeners. Thanks again, Mubix.

Saturday morning I went to see Simple Nomad speak. He’d apparently gotten a few hours of sleep after the night’s festivities and looked a lot more alert than most of his audience. His talk was on a laundry list of topics, including some references to a talk he’d given last year on wireless cards in ad hoc mode at airports. I think this was in the press again earlier this year, talking about how Windows systems will try to connect to an ad hoc network that has the same name as a legit network. Let’s just say you’re probably better off connecting with EVDO or waiting until you get where you’re going rather than trusting any of the networks at the airport.

Next I went to G. Mark Hardy’s talk, A Hacker Looks at 50. Mark talked about his long and exciting career, from high school in the early 70’s through starting his own business. The room was packed, and I think this was probably one of the talks most of the hackers at the event really needed to hear. His point was that he’d never seen a group with such a disparity between IQ and income as he’d seen in hackers, and most of it was due to having vision and goals. He encouraged everyone in the room to figure out what their own goals are, write them down and start working towards them. I met Shava Narad from Tor (remember the interview?) face to face at Mark’s talk, but unluckily wasn’t able to catch up to her again during the show.

I felt a little guilty for following Simple Nomad again, but I ended up having lunch with him, G. Mark Hardy, Jason Scott, Mubix and, of all people, Kevin Mitnick, as well as a few others I don’t know. I had meant to go to Richard Bejtlich’s talk after lunch, but when I weighed his presentation against talking with these folks, I have to say Richard unluckily came in second and I stuck around to talk. I barely got to say more than “Hello” to Kevin, but the conversation between Mark, Jason, Mubix, Simple and me more than made up for it. I wanted to ask Kevin for an interview for the podcast or for Podtech, but he was already being harassed at the event and I didn’t want to add to it.

The rest of Saturday is a little bit of a blur, since I spent it talking on Cyberspeak, doing a video interview with Brent and Obie, and then participating in the PaulDotCom podcast. I had a blast, but I would highly suggest no one ever sit next to Nick (aka Twitchy) after he’s started sipping Mountain Dew. There were also a few interesting games of dodge ball with Shmooballs on the showroom floor, but the bloodshed and property damage were kept to a minimum. I didn’t do too badly for being at least 5 years older than anyone else playing, but I was hot and sweaty at the end.

This morning I went to a talk on home-grown and badly implemented crypto, which was interesting, but not really my specialty. Afterwards I stuck around for Major Malfunction’s talk on cloning RFID tags and ended up being part of the talk. If you watch the video, when it comes out, you can see my back while I hold the wires on a 9 volt battery since the leads had broken. I also helped by holding a webcam to an RFID reader so the audience could see the readout. Oh yeah, I’m technical.

The last talk I went to was about the One Laptop Per Child project, with Ivan Krstic, Sean Coyne, Jason Scott and Scott Roberts. Ivan talked about Bitfrost and the steps OLPC is taking to prevent the misuse of the laptops, while the other three talked about all of the possible disaster scenarios it could lead to. I should have a short video interview with Jason and Sean up later this week.

The closing remarks were a lot of fun, with Shmooballs flying all over the place and a lot of giveaways. I managed to pick up a couple more balls, a titanium fork and a small tripod, though the tripod was the only thing I really ‘needed’. My wife will probably make me throw everything but the tripod away fairly quickly after I get home.

Shmoocon is nowhere near as serious an event as things like RSA. Everyone I met was happy to be there and really seemed to enjoy being with other people. If I can make it next year, I will, and you can be sure I’ll do my best to make sure I can. I met more fun, interesting, exciting people at Shmoocon than I thought possible. Now I have to go sleep, in order to make my 6:30 flight for Boston. I hope I’ll get a chance to catch up with a listener, Jack Daniels, while there. And yes, that is his real name, not a nickname.


2 responses so far