locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Wed, 28 May 2003
A questionable future for facial recognition?

USA Today and others reported today that a Muslim woman, Sultaana Freeman, is suing the state of Florida because the state insists she remove her face-covering veil for her driver's license photo.

I'm really torn here. I honestly believe this woman is entitled to her constitutional right to freedom of religion. OTOH, I think a photo where someone's face is nearly entirely covered isn't a very positive form of identification.

Extrapolate this situation to a future where we might rely on facial recognition as a means of authentication one must satisfy to gain entry to the workplace. If courts decide in favor of Sultaana Freeman, we may just have to accept retina scans.

Is there any recognized religion that requires followers wear dark glasses?

Archived at http://www.securityskeptic.com/arc20030501.htm#BlogID58 by Dave Piscitello  


Foreword to Network Analysis, Architecture, and Design - Online

Morgan Kaufmann has given me permission to post the Foreword I've written for the 2nd Edition of Jim McCabe's book, Network Analysis, Architecture, and Design. You can find the acrobat file here.

Archived at http://www.securityskeptic.com/arc20030501.htm#BlogID60 by Dave Piscitello  


Fri, 23 May 2003
Second Edition - Network Analysis, Architecture, and Design

My friend and colleague, Jim McCabe, has just published an updated version of his excellent book. The second edition is as excellent a resource as the first, with attention paid to technologies that have been developed since the first edition, and to the related new design considerations.

I've written the Foreword to the 2nd Edition, as I had the 1st. The editor complimented me by excerpting from my Foreword on the back cover.

It's an excellent read. You can find it at Amazon.com.

Archived at http://www.securityskeptic.com/arc20030501.htm#BlogID56 by Dave Piscitello  


Thu, 22 May 2003
Noteworthy if not quote-worthy - but in the absence of punctuation...

The April 14 2003 issue of The New Yorker Magazine concludes with a column, The Back Page, entitled "The Eight Hundred Days: The Quiz".

One of the quiz questions asks the reader to identify whether a quote is from George W. or Donald Rumsfeld - and yes, it is challenging.

The best quote reminds me of a phrase one of my philosophy professors put on a blackboard at the beginning of class:

"that that is is that that is not is not"

and then asked us to add punctuation.

I don't know what the utterance looked like on the notes Donald Rumsfeld's aides drafted, but here's how it aired on TV:

"There are known knowns. These are the things we know. There are known unknowns. These are the things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know."

Imagine if Rumsfeld were of the "ya know" generation:

"Um, ya know, there are known knowns that, ya know, are the things we know, ya know?...

I already have a headache. Do you?

Archived at http://www.securityskeptic.com/arc20030501.htm#BlogID57 by Dave Piscitello  


Wed, 21 May 2003
Wi-Fi-Protected Access is coming to a WLAN near you

My partner, Lisa Phifer, evaluates WLAN products constantly, and keeps track of many aspects of wireless LAN standards, product innovation, and deployment.

Lisa tells me that

"Wi-Fi Protected Access (WPA), a snapshot of 802.11i, is firm. The Wi-Fi Alliance has announced WPA will be required for Wi-Fi certified products starting August, 2003.

"The IEEE 802.11i standard is still under development, however, and won't be ratified until mid-2004. WPA takes the stable elements of the 802.11i specification to create a short-term fix for legacy equipment. The elements included are:

  • Temporal Keys (TKIP)

  • new crypto key derivation

  • 802.1x for base key delivery and authentication in enterprise networks, and

  • a new preshared secret to serve as a base key in home networks.

"There will no doubt be some bug fixes to this in the final 802.11i standard, but the big difference between next year's standard and WPA will be an entire replacement for WEP that's based on AES instead of RC4. In other words, the final 802.11i standard will support both WPA and AES, intended for legacy and next-generation radio hardware, respectively."

Archived at http://www.securityskeptic.com/arc20030501.htm#BlogID55 by Dave Piscitello  
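A worked example of the two key derivation steps Lisa mentions above: the new preshared secret that serves as the base key on a home network, and the per-session keys that are derived from it (over 802.1X/EAPOL, the "4-way handshake") whether the base key came from a passphrase or from an enterprise authentication server. This is added by the editor and is not code from the original post, the Wi-Fi Alliance, or the IEEE. It assumes Python 3 with only the standard library; the MAC addresses and nonces in the usage section are constructed, and the passphrase/SSID pair "password"/"IEEE" is the published 802.11i test vector.

```python
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: bytes) -> bytes:
    """WPA/802.11i preshared key: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits).

    The passphrase must be 8 to 63 printable ASCII characters; the raw SSID (up to
    32 bytes) is the salt, so the same passphrase yields different keys on different networks.
    """
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii():
        raise ValueError("WPA passphrase must be 8-63 ASCII characters")
    if not 1 <= len(ssid) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid, 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..., cut to n bits."""
    out = bytearray()
    counter = 0
    while len(out) * 8 < nbits:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return bytes(out[: nbits // 8])


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               nbits: int = 512) -> bytes:
    """Pairwise transient key from the 4-way handshake inputs.

    aa/spa are the authenticator (AP) and supplicant (station) MAC addresses; anonce/snonce
    are the 32-byte nonces each side sends in the clear. The min/max ordering makes the
    result independent of which side is computing it.
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbits)


def split_tkip_ptk(ptk: bytes) -> dict:
    """TKIP uses a 512-bit PTK: EAPOL KCK, EAPOL KEK, temporal key, and two Michael MIC keys."""
    return {
        "kck": ptk[0:16],             # key confirmation key: MACs the handshake messages
        "kek": ptk[16:32],            # key encryption key: wraps the group key
        "tk": ptk[32:48],             # temporal key fed to TKIP's per-packet key mixing (RC4 underneath)
        "mic_ap_to_sta": ptk[48:56],  # Michael MIC key for frames from the authenticator
        "mic_sta_to_ap": ptk[56:64],  # Michael MIC key for frames from the supplicant
    }


if __name__ == "__main__":
    pmk = derive_pmk("password", b"IEEE")          # 802.11i Annex H test vector
    print("PMK:", pmk.hex())
    ap, sta = bytes.fromhex("00119922aabb"), bytes.fromhex("0011aabbccdd")  # constructed
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))                  # constructed
    for name, k in split_tkip_ptk(derive_ptk(pmk, ap, sta, anonce, snonce)).items():
        print(f"{name:14s} {k.hex()}")
```

Everything after the PMK is computed from values that cross the air in the clear (both MAC addresses and both nonces), so on a home network the passphrase is the only secret: anyone who captures the four EAPOL messages can run this derivation offline against a word list, which is the practical reason to insist on long, random preshared keys.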


Sun, 18 May 2003
AIMhol - information gathering as precursor to identity fraud?

More fuel for the "why I don't trust public IMs for enterprises" community.

A recent BUG-TRAQ posting describes a program, Aimhol, which collects AOL Instant Messenger screen names and "associated data" (postal address, hobbies, nicknames,...) by querying AOL's OSCAR/BOS servers with surnames randomly picked from a list of the most common surnames (helpfully provided by the US Census department). It can also generate random surnames.

What's remarkable about so many of these BUG-TRAQ posts is how many folks who break in and discover munitions-grade plutonium then ask, "what would one do with all these screen names/data?"

How about hijacking an employee's corporate IM identity, asking that a fellow employee open an IM file share, and, well... you fill in the rest.

No matter. Everyone will be making so much money doing business FASTER they won't notice the internal bleeding.

Archived at http://www.securityskeptic.com/arc20030501.htm#BlogID53 by Dave Piscitello  


Fri, 16 May 2003
Oxymoron of the day: "Moderately Critical"

The ISP-Planet Daily Newsletter for May 15, 2003 mentions a security advisory, DoS Hole Found in Linux Kernel, which "could potentially bring a Linux system offline with a rate of only 400 packets per second by using carefully chosen source addresses that cause hash collisions in the table."

IT security services provider, Secunia, describes the vulnerability as "moderately critical".

Imagine the captain on board the Titanic expressing this euphemism: "ladies and gentlemen, we've discovered we have too few lifeboats to accommodate all the passengers and crew, a situation we believe to be only moderately critical".

This is a marvellous euphemism.

[We prefer to focus on the positive: While many of you will indeed perish, a fair number of you will survive!]

What interests me most is how the Linux community constantly pounds Microsoft for its poor record on security flaws and vulnerability processing/disclosure. I monitor BUG-TRAQ, and the list of flaws and exploits reported for *nix OS's, library add-ins, and server applications is pretty long...

Sure, MSFT deserves a lot of the criticism, but I find the *nix community to be too often two-faced when they should be shame-faced.

People who live in glass houses...

Archived at http://www.securityskeptic.com/arc20030501.htm#BlogID52 by Dave Piscitello  
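To make the quoted mechanism concrete, here is an added example (the editor's, not from the advisory, Secunia, or the kernel source) of the general attack class: a lookup table indexed by an unkeyed hash of the source address lets an attacker pick addresses that all land in one bucket, so each lookup walks the whole chain and a few hundred packets per second is enough to pin the CPU. The same table with a secret-keyed hash spreads the same addresses out. The fold hash and bucket count are constructed for illustration; they are not the kernel's.

```python
import hashlib
import os
from collections import Counter
from typing import Callable, List

NBUCKETS = 1024  # toy table size; a power of two, as most kernel hash tables are


def weak_hash(addr: bytes) -> int:
    """Unkeyed fold of the four IPv4 octets. Anyone who can read the function can
    choose addresses that collide, which is the flaw the quoted advisory describes."""
    a, b, c, d = addr
    return (a ^ b ^ c ^ d) & (NBUCKETS - 1)


def colliding_addresses(n: int, target: int = 0x2A) -> List[bytes]:
    """Attacker side: n distinct source addresses whose weak_hash() is `target`.
    With an XOR fold the last octet is simply chosen to cancel the first three."""
    addrs = []
    for a in range(1, 224):           # stay out of 0.x and multicast space
        for b in range(256):
            if len(addrs) == n:
                return addrs
            c = 1
            d = a ^ b ^ c ^ target
            addrs.append(bytes([a, b, c, d]))
    return addrs


def keyed_hash(addr: bytes, key: bytes) -> int:
    """The fix: hash under a per-boot secret key (BLAKE2b here; any keyed PRF will do),
    so an outsider cannot predict which bucket an address falls into."""
    digest = hashlib.blake2b(addr, key=key, digest_size=8).digest()
    return int.from_bytes(digest, "big") & (NBUCKETS - 1)


def longest_chain(addrs: List[bytes], hash_fn: Callable[[bytes], int]) -> int:
    """Longest per-bucket chain, i.e. the most entries one lookup may have to walk."""
    return max(Counter(hash_fn(a) for a in addrs).values())


def insertion_cost(addrs: List[bytes], hash_fn: Callable[[bytes], int]) -> int:
    """Total comparisons to insert every address one after another (sum of chain
    lengths at insertion time); this is the work the 400 packets/second buys."""
    depth: Counter = Counter()
    cost = 0
    for a in addrs:
        bucket = hash_fn(a)
        cost += depth[bucket]
        depth[bucket] += 1
    return cost


if __name__ == "__main__":
    attack = colliding_addresses(400)          # one second of the advisory's packet rate
    key = os.urandom(32)
    keyed = lambda a: keyed_hash(a, key)
    for name, fn in (("unkeyed fold", weak_hash), ("keyed hash", keyed)):
        print(f"{name:13s} longest chain {longest_chain(attack, fn):4d}"
              f"  insertion comparisons {insertion_cost(attack, fn):6d}")
```

The keyed variant does not change the table, only the attacker's knowledge: without the key the colliding set has to be found by measuring timing from outside, which turns a 400-packet trickle back into a brute-force search.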


Thu, 15 May 2003
Friends in Switching Places

Sometimes it seems no telco service change order request goes unpunished...

I called my ILEC this morning at 10:00 a.m. to request that they change my DSL/telephone line to residential, unlisted touchtone service from business touchtone.

By 11:45 a.m., my DSL circuit was not functioning. On examination, I was sending packets but not receiving replies. A scan of the log at the firewall that terminates my PPPoE session revealed the dreaded "WAN IP address changed" entry.

My WAN IP must be static or the routes to my /28 subnet won't be applied.

A call back to "customer service" confirmed my suspicion that the service order I placed was interpreted as "switch the customer to residential DSL". Since the poor customer service woman didn't know what an IP address was, all she could assure me was that they would return my service to operational status as quickly as possible.

Convinced I was hosed for the day, I began hunting for a dialup modem, when I received a call from one of the engineers I'd met and befriended during the time I was Hargray's first pilot customer on ADSL.

M'good 'buddie Danny Saxon was calling me to ask whether I had really changed service. Turns out he has a tag on my circuit - he gets a notification when anything changes in my configuration or connection status :-)

He apologized and said this would never have happened had he not been at lunch.

Angels are watching over me...thanks Dan!

Archived at http://www.securityskeptic.com/arc20030501.htm#BlogID51 by Dave Piscitello  


Wed, 14 May 2003
So Many Holes, So Few Hacks - Corroborating the Claim

Michelle Delio's Wired column, So Many Holes, So Few Hacks, begins by declaring "Experts who discover and report security holes seem to be far more industrious than the malicious hackers willing or able to exploit those holes."

I'm not certain industrious is apropos, but I'm convinced more people are finding exploitable vulnerabilities in code than writing secure code. I can find no better evidence to support my claim than a May 14, 2003 BUG-TRAQ posting with the subject PalmOS ICMP flood DoS. An excerpt from the posting:

"PalmOS is vulnerable to an ICMP DoS attack, when an attacker continuously sends ICMP_ECHO packets to the device. This attack causes 100% CPU usage, and the device therefore comes to a total lockup. The Pilot is almost instantly rendered unusable, until the attacker stops sending packets, or the device is reset. The DoS attack often forces PalmOS to lose its network connections (Internet and LAN connects etc...), due to the exhaustion of sending replies to the continuous horde of ICMP_ECHO packets it is receiving."

How contrived is this? Would anyone devise a large scale attack to DoS a highly unpredictable and doubtless modest number of Internet-connected PalmOS users when there are much easier attacks to launch on servers, with more impact?

Go review some code. Find a buffer overflow. Be useful, not clever.

Archived at http://www.securityskeptic.com/arc20030501.htm#BlogID50 by Dave Piscitello  


Tue, 13 May 2003
IIS web admins, take the initiative

Something I shared with Marcus Ranum earlier today...

If you're a business that knows that the overwhelming majority of your visitors use Windoze... and the majority of your 404 errors emanate from *NIX hosts:

  • Incorporate nmap OS fingerprinting into your web service;

  • Scan the IP addresses of clients that attempt to access your web site to detect the type of remote operating system making the request; and

  • if the client isn't running a windows OS, don't complete the connection!

There's probably a whole host of custom 403 and 404 error messages you could compose. You may not accomplish much more than e-venting your spleen, but hey, isn't that oh-kay?

Archived at http://www.securityskeptic.com/arc20030501.htm#BlogID48 by Dave Piscitello  


Locking down the airwaves - SC Magazine Article

The April 2003 issue of SC Magazine presents an article I wrote on Wireless LAN Security.

The lead time for publishing is sometimes maddening. In the 8-10 weeks since I submitted copy for editing, WLAN switches have emerged, with features that are enterprise-class. Ironically, I just submitted copy to the Wall Street Ticker Association on WLAN switches, where I explain that they "identify, bound, and manage APs and WLAN radio frequencies (RF) in the same way they structure and create hierarchy to LAN hubs, switches and cabling today. Input floor, building, and campus plans, describe the WLAN coverage you desire, and certain WLAN switches will automatically perform a site survey, recommend access point placement, and generate work orders for installation. Nearly all WLAN switches will detect rogue APs, nearby APs operating in channels you've selected, and track users as they roam your WLAN infrastructure."

That's all the teaser I can offer, I'll post a notice when the article is online.

Archived at http://www.securityskeptic.com/arc20030501.htm#BlogID47 by Dave Piscitello  


NW NEWSLETTER on Honeypots - only part of the story!

The 5/13/03 issue of NETWORK WORLD NEWSLETTER: M. E. KABAY ON SECURITY presents the first in a series on honeypots.

It's largely accurate, with IMO one serious and worrisome omission. The newsletter did not mention that honeypots must be deployed in highly controlled environments, where the appearance of a compromised system is maintained but the actual damage and propagation are carefully contained. This is especially important in production honeypot deployment, and will become increasingly important to research as litigation is directed not solely at the attacker but at the organizations that facilitate attacks through their negligence and failure to meet "best practices".

If you're interested in honeypots, you might want to read the column I wrote on honeypots for Watchguard a while back.

You should also investigate some of the extensive honeypot materials at the Honeynet Project.

Archived at http://www.securityskeptic.com/arc20030501.htm#BlogID49 by Dave Piscitello  


Mon, 12 May 2003
Web Server Market Leader: Apache or Microsoft IIS?

Like most surveys, the answer you get depends on whom you ask, and how you pose the question.

Netcraft collects and collates hostnames offering HTTP service, polls each one with an HTTP request, and determines sites hosted and server software in this manner. Netcraft shows Apache as the runaway web server software leader, with over 62% of the 40 million web sites, and Microsoft IIS at 27%. SecuritySpace, which claims a more stringent polling method, shows Apache at about 65%, Microsoft IIS at 25%.

Port80 Software polls the Fortune 1000 only. The results of their poll show Microsoft at 54%, Netscape at 21% and Apache at 17.6%.

It's not really a question of whose results are accurate, but whom the collectors view as the target or interesting market. It's clear from Netcraft's and SecuritySpace's results that Apache gets a disproportionate numbers boost from web hosting companies, which host hundreds of virtual sites per server. It's clear that Port80, which sells IIS related software, by focusing on the Fortune 1000, chose a self-serving market, in all likelihood to emphasize the market opportunity (to themselves, their investors, and potential customers, I suppose).

Port80's results do seem to confirm that F1000 organizations go with commercially supported software.

Insert a great, big, "and your point is?" here....

Mention IIS, and security experts and wannabes come out of the woodwork to complain about how insecure it is. Well, folks, if the organizations with the most to invest and the most to lose are using IIS, let's stop telling them it's insecure, with the diminishing hope they'll listen and swap platforms. This is tiresome, and reminds me of the line "you don't spit into the wind" in Jim Croce's "Don't Mess Around with Jim".

A better use of our collective time is to develop practices for securing IIS, sharing them, and impressing upon Microsoft the importance of doing the same.

Archived at http://www.securityskeptic.com/arc20030501.htm#BlogID46 by Dave Piscitello  


Sat, 10 May 2003
Peer to Peer Applications - Deja vu all over again?

I wrote a BCR column a while back about the vulnerabilities, risks and liabilities, known exploits and limited countermeasures you can currently take to protect your organization against abuse through peer to peer applications, including the instant messengers that go beyond text messaging. I also wrote a column on Blocking IMs, so you can safely assume I'm not one of the folks on the recent bandwagon to leverage these for business purposes.

A colleague, Johna Til Johnson, gave an evangelistic presentation in favor of IMs at Networld+Interop. Johna made many compelling statements, but I'm still skeptical, and here's why...

Like any application that begins life as general consumption software, security provisions - well-conceived authentication and authorization models, secure coding, and more - are, well, absent. All the retrofit attempts to make P2P apps, from the IMs to the music, er, file-sharing P2Ps (pick one...) enterprise ready are well-intentioned, but ultimately, they make the enterprise the center of an administrative domain. This is, of course, fine, if you only want to solve an intra-enterprise problem, or if you want to be the root P2P administrator for all file sharing across a multi-enterprise domain (and I bet dozens of F100 IT departments are just begging for this opportunity, just as soon as they complete their multi-organizational PKI rollout).

Then there's the minor issue of weaning your employees off public IMs and P2P apps.

While someone tries to solve this problem, I'll continue to separate my work computers from my family computers, where IM thrives, with interdepartmental firewalls.

Archived at http://www.securityskeptic.com/arc20030501.htm#BlogID45 by Dave Piscitello  


Affordable Web Server Vulnerability Assessment Tools

TISC Insight, Volume 5, Issue 4, covers tools that automate web auditing by injecting malicious and malformed strings as URLs into your web server.

It is reprinted here, courtesy of Watchguard Technologies, for whom I originally wrote the column.

Archived at http://www.securityskeptic.com/arc20030501.htm#BlogID44 by Dave Piscitello  


Custom HTTP Error Messages

Inspired by a column by C. David Gammel on Custom 404 Error Pages, I have created one for this web site. Hopefully, helpful visitors will eventually help me eliminate bogus referral URLs...

You can also find Windows 2000-specific instructions for customizing error pages in IIS here.

Archived at http://www.securityskeptic.com/arc20030501.htm#BlogID43 by Dave Piscitello  


Thu, 08 May 2003
Top 75 Security Tools

Fyodor, author of the nmap scanning and OS fingerprinting utility, compiled a list of the most popular and well-regarded penetration test and security auditing tools. You can find it at Insecure.Org.

Each tool is conveniently categorized by the operating systems on which it runs, and whether it is free or costs money.

Archived at http://www.securityskeptic.com/arc20030501.htm#BlogID39 by Dave Piscitello  


Tue, 06 May 2003
Daytime running lights...

DRLs are more than a distraction. What puzzles me:

  • Some auto manufacturers use high beam head lamps, so how do you know when someone is flashing high beams at you?

  • DRLs are hard to distinguish from, um, head lamps. How can you distinguish cars in a funeral procession from heavy traffic?

  • Why is it that DRLs are on whenever the car is running but you have to turn tail and other (e.g., fog) lights on manually at night?

  • Did you know DRLs increase gasoline consumption?

Googling led me to the Association of Driver's Against DRLs. It's remarkable that a sufficient groundswell of people who hate DRLs have gathered to express their disdain. The real kicker to the story is that they have a page devoted to explaining how to disable DRLs!

Don't you love freedom of expression and the web? Wouldn't Emerson love the social activism?

Archived at http://www.securityskeptic.com/arc20030501.htm#BlogID38 by Dave Piscitello  


eBooks for education?

Many school districts encourage laptop purchases for middle and high school students. Some federal funding is available to assist those who can't afford $1000 or more for a suitable system.

On the surface, this sounds like a terrific idea - our children are immersed in the Technology and Internet Ages. But dig deeper and you find several disturbing trends. Many educators haven't fully leveraged computers as the means of providing information access and as teaching and learning aids. As a result, the laptops are under-utilized. Worse, the children are saddled with the burden of carrying 10 pounds or more of laptop and equipment (power supplies and peripherals) as well as their text books and notebooks.

Some students are carrying infantry payloads to school and back. Pity the band members and athletes, who carry second and even third packs. While opinions differ on the extent to which children are injured carrying or wielding backpacks, common sense should tell us that there must be an alternative to sending our kids to school hauling 20%-40% of their body weight.

eBooks - or handhelds (Palm, Pocket PC, a.k.a. personal digital assistants, or PDAs) with equivalent reader applications - seem to be one answer. They are a fraction of the weight and expense of laptops (and books). Very good quality handhelds can be had for under $200, a fraction of the cost of a laptop. And they solve the weight issue nicely. A compact flash card can hold dozens of text books, and weighs about an ounce.

Many handhelds can be connected to school LANs and used for downloading text and lesson books. Handhelds can also be used to exchange email, messaging, scheduling and calendaring, and mostly text web access. They can be synchronized with the desktop computer that most families already own. Families with limited budgets can own both a handheld (or two, or three!) and a home PC for the same price as the average laptop (do the math). The emerging generation of handhelds also support cellular phone services.

The stumbling block is all in the processes, not the technologies:

  • Educators must be willing to invest time and talent into migrating curricula from a primarily text book to ebook orientation

  • Publishers must establish reasonable pricing models for ebooks of text books.

  • Handheld manufacturers must consider the value of offering some "ruggedized for school age" models, at competitive pricing.

The immediate reaction of publishers to proposals such as these is how to protect (digital) copyrights. This is such an annoying, debilitating posture. Establish reasonable per student licensing models that take into consideration the dramatic reduction in cost to deliver ebooks versus printed books, and also take into consideration the "amortization" schools would typically leverage by using the same printed text books over several years.

Cost models that yield a profit model for publishers, save school districts money, offer an enhanced learning experience, and allow students to walk erect can certainly be derived by folks who do such things for a living.

I would be delighted to see my children carry a one pound device to school instead of a thirty pound back pack. I'd be even more delighted to see their learning experiences enhanced.

Archived at http://www.securityskeptic.com/arc20030501.htm#BlogID36 by Dave Piscitello  


Mon, 05 May 2003
The Re-emergence of SSL VPNs

Originally written for Networld+Interop 2003 Las Vegas Preview

For years, organizations have sought to secure private communication over the Internet using Virtual Private Networks based on IP Security (IPsec VPNs). The process has proven more time- and resource-consuming than expected, but at this point, many organizations, large and small, have succeeded in connecting together their office and campus networks, and even their business partner's networks, using secure IPsec tunnels over the Internet.

An IPsec site-to-site solution addresses only part of the secure communication imperative, largely because an increasingly large part of every organization's workforce has become mobile. To complement site-to-site VPNs, most companies need some form of secure client access. And this is where IPsec VPN deployment has hit the proverbial wall. Every IPsec remote access deployment must overcome a number of major issues. The first is IP addressing, which is encumbered by the commonplace use of network address translation: IPsec and NAT simply won't work in every situation. The second problem many companies face is how to support an installed authentication infrastructure - for example, token-based or any challenge-response authentication - that is not supported in the IPsec standards: numerous interim solutions exist, but none are supported broadly across the IPsec vendor base.

IPsec remote access requires third-party client software. The administrative challenges organizations with large populations of users face when they become responsible for managing IPsec client software and configuration for their own users are considerable. They become impractical when organizations try to extend secure access to business partners, supply-chain and customer desktops.

As the name suggests, IPsec creates an IP- or network- level tunnel (connection). This means that every remotely connected user is directly connected to what an organization considers an internal or protected LAN. Every resource on this protected LAN is now potentially available to the user, and also vulnerable to misuse and attack from the user's computer. Often, organizations that are successful in deploying IPsec remote access find themselves encumbered with overly complicated security policies that must be configured to restrict user access.

After years of struggling with these issues, many organizations have come to reconsider their requirements for remote and extranet access. Many organizations want to provide users with access to specific applications and they do not want the addressing issues and the exposure of a full network connection to accomplish this objective. They want a clientless VPN, one that doesn't require additional (IPsec) software to manage on client computers. And they want flexibility in their selection of stronger authentication methods.

Secure Sockets Layer (SSL) is an apparent win-win for secure access (remote and extranet). Users are familiar with the browser interface. SSL is built into every web browser, and thus requires no additional client installation and minimal configuration. SSL runs over TCP, above IP, so NAT and other IP addressing matters are transparent to the user. SSL-based encrypted tunnels provide sufficiently strong encryption for the purposes most organizations have. Moreover, most organizations have already accumulated years of experience running SSL on their e-commerce and extranet sites, with a variety of authentication methods.
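An added illustration from the editor (not part of the original N+I preview) of why the address rewriting a NAT device performs conflicts with IPsec but not with SSL. It models the clearest case, the Authentication Header: AH's integrity check covers the IP source and destination addresses, so a NAT that rewrites them invalidates the check, while a plain router that only decrements the TTL does not. An SSL/TLS record MAC never sees the IP header at all. The AH model is simplified (no AH header, SPI, or sequence number, and HMAC-SHA1-96 as the only algorithm); ESP has its own, different NAT problems (transport-layer checksums, IKE port handling) that this does not model. Addresses and keys are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words; over a header that already carries
    a valid checksum this returns 0, which is how a receiver validates it."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, ttl: int = 64, proto: int = 6) -> bytes:
    """Minimal 20-byte IPv4 header (no options), checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def ah_icv(key: bytes, header: bytes, payload: bytes) -> bytes:
    """AH-style integrity check value. AH zeroes the fields a router may legitimately
    change in transit (TOS, flags/fragment offset, TTL, header checksum) and MACs
    everything else, which includes the source and destination addresses."""
    covered = bytearray(header)
    covered[1] = 0                  # TOS / DSCP
    covered[6:8] = b"\x00\x00"      # flags + fragment offset
    covered[8] = 0                  # TTL
    covered[10:12] = b"\x00\x00"    # header checksum
    return hmac.new(key, bytes(covered) + payload, hashlib.sha1).digest()[:12]  # HMAC-SHA1-96


def ah_verify(key: bytes, header: bytes, payload: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(ah_icv(key, header, payload), icv)


def tls_style_mac(key: bytes, record: bytes) -> bytes:
    """An SSL/TLS record MAC covers only the record carried above the transport layer."""
    return hmac.new(key, record, hashlib.sha1).digest()


def tls_style_verify(key: bytes, record: bytes, mac: bytes) -> bool:
    return hmac.compare_digest(tls_style_mac(key, record), mac)


def router_forward(header: bytes) -> bytes:
    """An ordinary router decrements TTL and recomputes the checksum; AH tolerates this."""
    h = bytearray(header)
    h[8] -= 1
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h)


def nat_rewrite(header: bytes, new_src: str) -> bytes:
    """A NAT device rewrites the source address (and checksum); AH cannot tolerate this."""
    h = bytearray(header)
    h[12:16] = ipaddress.IPv4Address(new_src).packed
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h)


def demo(key: bytes = b"constructed-demo-key", payload: bytes = b"GET / HTTP/1.0\r\n\r\n") -> dict:
    """Send one packet from a private address through a router and through a NAT."""
    inner = build_ipv4_header("10.0.0.5", "203.0.113.7", len(payload))   # constructed addresses
    icv = ah_icv(key, inner, payload)
    mac = tls_style_mac(key, payload)
    return {
        "ah_after_router": ah_verify(key, router_forward(inner), payload, icv),
        "ah_after_nat": ah_verify(key, nat_rewrite(inner, "198.51.100.1"), payload, icv),
        "tls_after_nat": tls_style_verify(key, payload, mac),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:16s} {'verifies' if ok else 'FAILS'}")
```

The practical consequence for the remote-access case in the article: a laptop behind a hotel or home NAT cannot use AH at all, and even ESP needs a NAT-aware encapsulation agreed by both ends, whereas an SSL session carries its integrity protection in the TCP payload and is indifferent to what happened to the addresses on the way.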

A veritable armada of security appliance vendors (Array Networks, Aspelle, Aventail, CheckPoint, Neoteris, Netilla, NetSilica, Nortel, Rainbow Technologies, SafeWeb, URoam, and Whale Communications) hopes to play the trump card in the high-stakes market for secure remote access: return on investment. SSL VPNs are simpler to deploy, and demonstrably less expensive to implement and operate.

Archived at http://www.securityskeptic.com/arc20030501.htm#BlogID35 by Dave Piscitello  


What is Security Information Management?

Originally written for Networld+Interop 2003 Las Vegas Preview

All security systems - intrusion detection, firewalls, packet filtering routers, authentication, VPN, web, mail and DNS servers, and the operating systems such server applications commonly run on - record security related activity, or events. This recording, commonly called logging or auditing, helps security administrators determine whether security policy is implemented correctly, and whether systems have been or are under attack. Logging and auditing information is invaluable in reconstructing attacks: to learn how the attack was performed, what security measures failed, and as importantly, what damage the attacker inflicted. If handled according to conventional evidentiary procedures, security information gathered from logs and audit files can be used in courts of law.

Given the significance of security information, it's hard to believe that security administrators still struggle to gather and integrate event-related data from all their security systems into a single database where they can correlate the information, and then analyze it. Let's examine why this remains such a problem.

Most systems that log security event data generate volumes of information, since they may log how every packet, URL, user login, file transfer request, etc., was processed. Firewalls and IDSs that protect large Internet data centers and enterprise networks commonly accumulate megabytes of logged events daily. It's easy to imagine how quickly the sheer volume of information becomes impossible for one person or group to collect and correlate, much less analyze. The management of all this security information is further complicated by the fact that there are no conventions or standards for how log records are composed, so security administrators must familiarize themselves with many different formats and normalize these diverse messages so they can correlate and interpret "like" events. Finally, only very experienced security administrators can realistically analyze security data and distinguish a subtle computer attack from "networking as usual".

Solving these problems - security information collection, normalization of diverse information into a common format, and intelligent, automated analysis of security information - is the Holy Grail the industry calls Security Information Management, SIM.
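An added example (the editor's, not from the article or any of the SIM vendors it names) of the collection, normalization and correlation steps on a small scale: a syslog-style firewall log and an IIS W3C extended log, each in its own format, are parsed into one common record shape and then searched for a source address that was refused by two different systems within a few minutes, a pattern neither log shows convincingly on its own. All log lines are constructed. Syslog lines carry no year, so the parser has to assume one (2003 here); the field names in the normalized record and the thresholds in the correlation rule are the editor's choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs, not real traffic.
FIREWALL_LOG = """\
May 13 10:02:11 fw1 kernel: DROP IN=eth0 SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP DPT=445
May 13 10:02:12 fw1 kernel: DROP IN=eth0 SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP DPT=139
May 13 10:02:13 fw1 kernel: ACCEPT IN=eth0 SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP DPT=80
May 13 10:05:40 fw1 kernel: ACCEPT IN=eth0 SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP DPT=80
"""

WEB_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2003-05-13 10:02:14 198.51.100.23 GET /scripts/probe1.exe 404
2003-05-13 10:02:15 198.51.100.23 GET /cgi-bin/probe2.pl 404
2003-05-13 10:02:16 198.51.100.23 GET /default.htm 200
2003-05-13 10:05:41 192.0.2.44 GET /default.htm 200
"""

FW_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<action>DROP|ACCEPT) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dport>\d+)"
)


def parse_firewall(text: str, year: int = 2003) -> list:
    """Syslog-style firewall lines to normalized records (ts, source, src, dst, action, detail)."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue                       # unparseable line: count it in a real SIM, skip it here
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "source": m["host"], "src": m["src"], "dst": m["dst"],
                       "action": "deny" if m["action"] == "DROP" else "accept",
                       "detail": f"{m['proto']}/{m['dport']}"})
    return events


def parse_w3c(text: str, source: str = "iis") -> list:
    """IIS W3C extended log to the same record shape; the #Fields directive names the columns."""
    fields, events = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip() or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        status = int(rec["sc-status"])
        events.append({"ts": ts, "source": source, "src": rec["c-ip"], "dst": None,
                       "action": "deny" if status >= 400 else "accept",
                       "detail": f"{rec['cs-method']} {rec['cs-uri-stem']} {status}"})
    return events


def correlate(events: list, window: timedelta = timedelta(minutes=5), min_denies: int = 3) -> dict:
    """Flag sources with at least min_denies 'deny' events from two or more different
    systems inside one window. Returns {src: [matching events]}."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    suspects = {}
    for src, evs in by_src.items():
        denies = [e for e in evs if e["action"] == "deny"]
        for i, first in enumerate(denies):
            run = [e for e in denies[i:] if e["ts"] - first["ts"] <= window]
            if len(run) >= min_denies and len({e["source"] for e in run}) >= 2:
                suspects[src] = run
                break
    return suspects


if __name__ == "__main__":
    events = parse_firewall(FIREWALL_LOG) + parse_w3c(WEB_LOG)
    for src, run in correlate(events).items():
        print(f"{src}: {len(run)} denials across {sorted({e['source'] for e in run})}")
        for e in run:
            print(f"  {e['ts']:%H:%M:%S} {e['source']:4s} {e['detail']}")
```

Two of the article's three problems show up even at this size: the year has to be guessed for the syslog side, and "deny" means something different to a firewall (dropped SYN) than to a web server (404), so the normalization is a policy decision that the correlation rule then depends on.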

A large number of security companies are actively pursuing SIM solutions, including Cisco Systems, Computer Associates, Enterasys Networks, e-Security, GuardedNet, IBM, Intellitactics, netForensics, NetworkIntelligence, NetIQ, MicroMuse and OpenService. They share a common objective: provide a platform that security administrators can rely upon to process security information, identify trouble, recommend remedies and ultimately, even react to correct a mis-configuration or mitigate a discovered vulnerability before an attacker can exploit it.

Archived at http://www.securityskeptic.com/arc20030501.htm#BlogID34 by Dave Piscitello  


E-Mail Subject lines and Virus attachments

An interesting trend in worms is subject lines professing to contain patches to protect or disinfect a virus.

Of course, these mail messages themselves contain a virus. So in addition to the obvious social engineering subject lines like "RE:Hello", and "Hi", beware of opening email with subject lines such as:

  • An IE 6.0 Patch

  • W32.Elkern removal tools

  • Worm Klez.E immunity

Archived at http://www.securityskeptic.com/arc20030501.htm#BlogID33 by Dave Piscitello  


Viruses and Worms - Malicious Code Is Proliferating, But Countermeasures Are Improving

Postini, an Anti-SPAM and AntiVirus gateway service, is bundled with my EtherLoop/Internet service from Hargray Communications and Interstar.

I'm overwhelmingly pleased with this feature, and encourage organizations to consider malcode gateways if they haven't done so.

How effective is an AntiVirus Gateway? As a measure of effectiveness, I occasionally check the list of messages quarantined by the Postini Service. From 4/25 to 5/5, Postini blocked 45 infected mail messages, and no infected mail was delivered to my desktop.

How effective is the Anti-SPAM service? Over the same measurement period - eleven days - Postini blocked 1874 messages. Of those blocked, only 10 were messages I would have wanted delivered. Eight of these were maillist postings containing profanity, and two were "jokes" forwarded by a friend who has too much time on his hands.

On average, about 5-7 SPAM messages still worm (sorry!) their way to my mail client. This is, I think, a remarkably good percentage.

I've forwarded all my mail accounts through the service, and am really pleased with the result. I would never recommend eliminating desktop antivirus measures, but the one-two combination of desktop and gateway is hard to argue against.

For amusement's sake, here's my Top 10 Most Curious SPAM Subject Lines:

  • David, Seek of Spam?
  • Are you afraid of your mailbox?
  • Loose Fat While Sleeping
  • FW: This is good ox
  • Make your toilet paper talk
  • age backwards
  • Sweeper off her feet for Mothers day
  • This software knows where you live...
  • WARNING: Picasso, Van Gogh, Gauguin have been stolen in UK
    (by all appearances, this is really a notification)
  • *****SPAM***** SmartMini Cams...While Supplies Last!!
    (honest, the subject really begins with ****SPAM******)

Archived at http://www.securityskeptic.com/arc20030501.htm#BlogID32 by Dave Piscitello