locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Mon, 29 Sep 2003 00:00:00 00, 134
Comparing Firewalls to the Maginot Line

Bob Frankston has written an interesting, albeit topical rather than technical, essay on firewalls (Firewalls: The New Maginot Line). The essay claims that firewalls are not of themselves a sufficient solution; that firewalls (generically) create a false sense of security; and that additional measures, placed closer to the assets at risk (my term), are required to improve security.

My gripe with Bob's essay is that using the term firewall generically rather than comparing Internet firewalls - the ones that separate trusted networks from the not-to-be trusted Internet - damages the analogy. Firewalls take many forms:

  • Internet firewalls

  • Inter-departmental firewalls

  • Server-farm or Internet Data Center firewalls

  • Security Switches (perhaps indistinguishable from IDC firewalls)

  • Server firewalls (software or network interface card)

  • Personal firewall software for PCs

I hate to see this distinction blurred because it adds fodder to the "firewalls are extinct" marketing sleight of hand.

Internet firewalls aren't extinct: they are infrastructure. The presence of an Internet firewall is understood, a given, a prerequisite, a checklist item for compliance. [Note however, that the presence of an Internet firewall is not a reliable indicator that it has been configured to operate effectively and consistently with a documented security policy.]

If you don't believe this is true, then take yours out of production.

A postscript: I can't help but imagine the following analogy on an achievement (or certification) test:

An Internet firewall is to the Maginot Line as a personal software firewall is to a:

  • Post Office

  • Militia

  • Police force

  • Forensic response team

By the way, the Virtual Tour of the Maginot Line URL dumps you onto the L'Horizon Hotel website (from there you can click through to the tour). I recommend you use this URL.

Archived at http://www.securityskeptic.com/arc20030901.htm#BlogID134 by Dave Piscitello  


Sat, 27 Sep 2003 00:00:00 00, 133
Seven Tenets of Good Security: Timely then, remains so now...

My colleague Fred Avolio posted a web version of a paper he and Marcus Ranum wrote in 1993, entitled Seven Tenets of Good Security. It's sound advice, and still largely overlooked. Read it!

Archived at http://www.securityskeptic.com/arc20030901.htm#BlogID133 by Dave Piscitello  


Fri, 26 Sep 2003 00:00:00 00, 132
Securing Microsoft IIS - another resource

I found a good complement to my column on How to Harden Your Microsoft Web Server at Security Wizards.

The folks at SecWiz provide more detail than I did regarding the explicit NTFS permissions and give specific recommendations about directories you should remove. They also suggest creating a separate partition for each web site, something I didn't consider. The rationale is that "it's more difficult to cross partitions" than to move between folders. My suggestion to use Analog or an equivalent log analysis tool complements the Monitor IIS discussion in this paper. The SecWiz folks also provide a sample server monitoring script (.vbs) and recommend you search for others at Microsoft TechNet Script Center.
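The "Monitor IIS" advice above is only useful if somebody actually reads the logs. As an added example (not code from this post, from my column, or from the SecWiz paper), here is a small reader for IIS W3C extended logs that does the kind of thing Analog or a similar analyser would be pointed at: it parses the #Fields directive rather than assuming column positions, then flags requests that try to escape the web root or reach cmd.exe. The log lines and addresses are constructed for the example, not captured from a server, and the signature list is deliberately short.

```python
"""Added example, not code from the blog post, the author's column, or the
SecWiz paper: a small reader for IIS W3C extended logs that flags requests
attempting directory traversal, execution of cmd.exe, or the .ida probe.
The log lines below are constructed for this example, not captured."""

import re
from collections import Counter

# Constructed sample log in W3C extended format (IIS 5 style). Two source
# addresses send the traversal/cmd.exe and .ida probes made famous by Nimda
# and Code Red; the third address is ordinary browsing.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-09-26 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-09-26 10:01:02 192.0.2.10 GET /index.htm - 200
2003-09-26 10:01:05 192.0.2.10 GET /images/logo.gif - 200
2003-09-26 10:02:11 198.51.100.7 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir 404
2003-09-26 10:02:12 198.51.100.7 GET /_vti_bin/..%c0%af../winnt/system32/cmd.exe /c+dir 404
2003-09-26 10:03:44 203.0.113.9 GET /default.ida XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 400
2003-09-26 10:04:00 192.0.2.10 POST /cgi-bin/form.asp - 200
"""

# Rule name -> pattern matched against "stem?query". Encoded forms are
# included because IIS decoded them after the path check (the bug Nimda used).
SUSPICIOUS = [
    ("traversal", re.compile(r"\.\./|\.\.\\|%2e%2e|%c0%af|%255c|%5c", re.I)),
    ("executable", re.compile(r"cmd\.exe|root\.exe|tftp\.exe", re.I)),
    ("code-red-ida", re.compile(r"\.ida\?|\.ida$", re.I)),
]


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any #Fields line
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign the columns
        yield dict(zip(fields, values))


def classify(entry):
    """Return the names of the rules that match this entry's path and query."""
    target = entry.get("cs-uri-stem", "") + "?" + entry.get("cs-uri-query", "")
    return [name for name, rx in SUSPICIOUS if rx.search(target)]


def suspicious_sources(text):
    """Map client IP -> Counter of matched rule names, for clients with any match."""
    report = {}
    for entry in parse_w3c(text):
        hits = classify(entry)
        if hits:
            report.setdefault(entry["c-ip"], Counter()).update(hits)
    return report


if __name__ == "__main__":
    for ip, hits in sorted(suspicious_sources(SAMPLE_LOG).items()):
        print(ip, dict(hits))
```

Run it as a script and it prints one line per probing address with the rules it tripped; in practice the same functions would be fed the day's ex*.log files and the output compared against the previous day's so that a new source stands out.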

Blending and complementing resources in this manner is a good example of how valuable the web and an open, sharing community of expertise truly are for security.

Archived at http://www.securityskeptic.com/arc20030901.htm#BlogID132 by Dave Piscitello  


Thu, 25 Sep 2003 00:00:00 00, 131
50 Million simply isn't a mandate

Over 50 million Americans requested to be placed in the National Do Not Call Registry. An Oklahoma judge blocked Do Not Call's implementation by awarding a summary judgement to those weasels who do (abusive) business as the Direct Marketing Association.

I find it distressing that a judge would intervene on a legal technicality faced with what I would call a clear mandate from citizens in a democratic society. If this had been a referendum on a national ballot, ...

Put 50 million "votes" into perspective. The popular voting results for the 2000 Presidential Election showed George W. earned 50,456,002 votes while Al Gore earned 50,999,897.

You might think 50 million is a LARGE NUMBER, but it didn't give George Bush a mandate for his presidency, and it apparently has no influence on Judge Lee R. West when arguments are presented on behalf of a company with deep pockets and everything to lose.

At least one of the arguments the DMA presented is that the Do Not Call wasn't necessary, that Americans already had the means of blocking telemarketing calls by sending a letter to the Telephone Preference Service of the Direct Marketing Association at PO Box 9014, Farmingdale, NY 11735-9014. The letter must of course include your full name, address, and signature.

The DMA isn't opposed to individuals opting out of telemarketing. The DMA is opposed to the ease at which the web provides individuals with the opportunity to save time and the cost of postage to opt out.

Hell, it's almost as easy for an individual to opt out as it is for a telemarketer to place an uninvited phone call! What's fair about that?

Archived at http://www.securityskeptic.com/arc20030901.htm#BlogID131 by Dave Piscitello  


Sat, 20 Sep 2003 00:00:00 00, 130
Wireless LAN Security Seminar

I will be presenting a one-hour seminar on Wireless LAN Security at the October 6 meeting of the South Carolina chapter of the ISSA, in Charleston. Find details here.

Archived at http://www.securityskeptic.com/arc20030901.htm#BlogID130 by Dave Piscitello  


Fri, 19 Sep 2003 00:00:00 00, 129
Law of Vulnerabilities Debate at BlackHat Briefings

Mitch Kabay's September 19 newsletter contains a report by Jim Reavis (SPI Dynamics) on the lively (read: loud and profane) discussion at the Black Hat Briefings over the Law of Vulnerabilities, a study by Qualys that described a half-life of security holes.

I commented on this theory in blog 96 on August 10. I'm still skeptical that vulnerabilities really decay in this manner because I believe the problem is process-influenced (read the blog!), but here's my attempt at amplifying what I've said before:

If software "A" has a vulnerability "x" and an identified BUT SEPARATELY managed patch "10", then the vulnerability will endure until the software is no longer used on any system. Why? Because administrative *processes* determine whether, on every instance of installation, repair, or recovery, "10" is applied to "A". And administrative processes are imperfect at best.
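To make the difference between the two views concrete, here is an added example (mine for this page, not code from the Qualys study or from the Black Hat discussion) that steps a population of hosts through two models: pure half-life decay, and decay plus a small daily chance that a patched host is rebuilt from an image of "A" that predates patch "10". The 30-day half-life and the daily rates are assumed numbers chosen to illustrate the argument, not measurements.

```python
"""Added example, not from the blog post or the Qualys study: compare a pure
half-life model of vulnerability prevalence with one in which imperfect
administrative processes reintroduce the unpatched software. The half-life
and the daily rates are assumed values for illustration only."""


def half_life_model(half_life_days, days):
    """Pure decay: fraction of hosts still vulnerable after `days`."""
    return 0.5 ** (days / half_life_days)


def daily_patch_rate(half_life_days):
    """Per-day patch probability that produces the given half-life."""
    return 1.0 - 0.5 ** (1.0 / half_life_days)


def process_model(patch_rate, reintroduce_rate, days):
    """Decay plus reintroduction, stepped one day at a time.

    Each day a vulnerable host receives patch "10" with probability
    patch_rate, while a patched host is reinstalled, repaired or recovered
    from an image of "A" that predates the patch with probability
    reintroduce_rate. Returns the fraction still vulnerable after `days`.
    """
    vulnerable = 1.0
    for _ in range(days):
        patched = vulnerable * patch_rate
        reintroduced = (1.0 - vulnerable) * reintroduce_rate
        vulnerable = vulnerable - patched + reintroduced
    return vulnerable


def steady_state(patch_rate, reintroduce_rate):
    """Long-run floor of process_model: set the daily change to zero,
    v * p = (1 - v) * r, and solve for v."""
    return reintroduce_rate / (patch_rate + reintroduce_rate)


if __name__ == "__main__":
    p = daily_patch_rate(30)  # assumed 30-day half-life
    r = 0.002                 # assumed: 0.2% of patched hosts rebuilt per day
    for day in (30, 90, 180, 365, 730):
        print(f"day {day:4d}: decay only {half_life_model(30, day):.4f}   "
              f"with reintroduction {process_model(p, r, day):.4f}")
    print(f"floor the process model converges to: {steady_state(p, r):.4f}")
```

With reintroduction set to zero the two models agree exactly, which is the half-life claim. With any non-zero reintroduction rate the process model stops falling at r / (p + r), so a few percent of the installed base stays vulnerable indefinitely no matter how long you wait: exactly the "endures until the software is no longer used" outcome argued above.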

Archived at http://www.securityskeptic.com/arc20030901.htm#BlogID129 by Dave Piscitello  


Thu, 18 Sep 2003 00:00:00 00, 128
Making X illegal because it can be used illegally (Blog #126)

Professor Diablique responded to my blog, Criminalize tool sharing?

Talk of nonsense! Twenty years ago, while a SFC (E-7) in the Army, one of the classes I taught with two other NCOs was how to take everyday items and use them to make very advanced and powerful explosives, incendiaries and weapons.

All of the ingredients for making military grade plastic explosive (Comp C, Astrolite) and the detonators (blasting caps - mercury fulminate, TACC, nitrogen sulfide, etc.) to set it off are to be found in grocery, drug and camping stores. Does this mean that ammonia, bleach, nail polish remover and the like are to be made illegal?

Worse, do we outlaw lead acid batteries (automobiles - sulfuric acid) and ethanol (the drinking stuff) because they can be used to make a very nasty chemical warfare agent?

We can go all the way back to the stone age, but then stones can be used to bash in someone's skull, or worse, make flint knives and spear heads.

A better idea would be to outlaw intelligence and knowledge. That way we would be reduced to tooth and nail fighting.

Outlaw teeth and nails?

Archived at http://www.securityskeptic.com/arc20030901.htm#BlogID128 by Dave Piscitello  


Wed, 17 Sep 2003 00:00:00 00, 127
New Security Resources Library

I am now the webmaster for the South Carolina Chapter of the ISSA.

I have posted a new library of online security related resources on behalf of the South Carolina Chapter of the ISSA. You may recognize this list: it is the child of the TISC Security Links pages.

The library identifies more than 500 hyperlinks to security articles, portals, advisory centers, and more. I've visited and read nearly all these resources and can attest to their quality.

Reach the library page from the ISSA SC web site, or directly from here.

Archived at http://www.securityskeptic.com/arc20030901.htm#BlogID127 by Dave Piscitello  


Mon, 15 Sep 2003 00:00:00 00, 126
Criminalize tool sharing?

In a Wired article, Just Say No to Viruses and Worms, Kim Zetter reports that at a technology subcommittee hearing of the House Committee on Government Reform, Symantec's COO John Schwarz "called for legislation to criminalize the sharing of information and tools online that can be used by malicious hackers and virus writers". Schwarz's logic is apparently this: make it a crime to share and exchange code that can be used to attack networks, and you'll reduce the number of attacks.

Schwarz didn't suggest how one might distinguish malicious code from useful code. I suppose we can use criteria such as a company listing in the OSCAR database or NASDAQ to distinguish an ISS or SPI Dynamics' vulnerability scanner from nmap and whisker. Or maybe price. Let's brush aside the matter of a company that offers free downloads: free simply won't be an option.

Aside from adding a good number of legitimate vulnerability assessment companies and consultants to the ranks of the unemployed or incarcerated, think of the precedent this sets as a theorem:

If X can be used in a crime, then X should be illegal.

It's pretty simple to compose a list of good things that can be used for bad purposes:

  • Cell phones

  • Automobiles

  • Nylon stockings

  • Kitchen cutlery

  • GUNS!

How quickly we arrive at "Never Mind." At least one lobby's influential enough to assure Schwarz's Law will never be enacted.

Take heart. At least one voice of reason attended the hearing. Chris Wysopal from @stake suggested we put pressure on software manufacturers to write secure code. Where have I heard that before?

Archived at http://www.securityskeptic.com/arc20030901.htm#BlogID126 by Dave Piscitello  


Sat, 13 Sep 2003 00:00:00 00, 125
Comment on Insider Attacks

Following Mitch Kabay's newsletter, I received a fair number of comments. I'm pleased that all sorts of folks are visiting my blog, including people in senior, influencing, positions.

A comment from Jon Callas, CTO/CSO at PGP Software, is particularly satisfying. It convinces me that threads can stem from blog entries, and that astute visitors can add value and perspective to what I post.

Here's Jon's comment. Email Jon with your comments.

Jon Callas writes:

I read your blog, and think it's nice. Here's some comments on insider attacks.

Many people who think about insider attacks aren't thinking about it the right way.

I give various talks about computer security and in one of my standard speeches I used to give when I worked at Counterpane, I talked about how the information we have about security is frequently presented in such a way that it's hard to make useful commentary on it, and people who draw conclusions from things are frequently not looking at it the right way.

The example I gave was statistics that (this was in 1999-2000) showed variously insider attacks being 60-90% of all the attacks there are. And usually they would wrongly assume that this actually means that there are lots of them.

Here's why:

Imagine if you will that you go out and you buy God's Firewall. God's Firewall is the ultimate in perimeter security. It lets every good guy do everything they are entitled to do (but not what they aren't entitled to do). And it stops every bad guy from anything. How does it work? Well, it's God's Firewall.

Before you install God's Firewall, the insider attacks you see are 60%, 80%, or something like that, according to these expert numbers. After you install God's Firewall, what will the rate of insider attacks be?

The answer is 100%. God's Firewall stops all the external attacks, and the only ones left are internal attacks. If you plotted a graph of percentage, you'd see a huge spike in percentage of internal attacks. If you are careless, you will think that there's a huge increase in them.

But this is exactly what happens if you cure cancer. If you cure cancer, then it will no longer be the #1 cause of death, heart attacks will be.

You see, if you look at this correctly, a 60% figure for rate of internal attacks is not telling you that you have criminals working for you. It's telling you that your perimeter defenses stink!

Banks are really good at perimeter defenses. Almost every successful bank robbery is an inside job. Why? Not because banks hire untrustworthy people, but because they all but eliminate the external threat.

This is one of the problems that we have in computer security -- we are looking at the numbers and metrics we have for our problem space the wrong way.

If you go to someone who designs museum security and you tell them: install my security and all your attacks will be inside jobs, and they will say, "Tell me more."

If you go to someone who does network security and tell them the same thing and they'll chase you out of their office.

This is part of why computer security is so screwed up.

Jon Callas

CTO, CSO

PGP Corporation

Archived at http://www.securityskeptic.com/arc20030901.htm#BlogID125 by Dave Piscitello  


It's Wrong But It's Expedient

We've all heard the sound bite length explanations of stock market movement over the course of a day. National Public Radio's All Things Considered on Friday September 12th ran a semi-humorous report about how analysts attempt to distill millions of trading decisions down into the single factor reporters can explain in a single sound bite, e.g., the familiar down on profit-taking, up on optimism, reaction to news of a new Bin Laden tape, and the ubiquitous "trading patterns" of technicals.

The most interesting comment to me was from Lou Dobbs, who said there's not enough time on broadcast radio and TV to thoroughly analyze the situation, and that most people aren't really interested in a complex explanation so analysts and reporters alike resort to single factor analysis. Dobbs admits, "it's wrong, but it's expedient".

Since I categorized this under Security, I won't keep you waiting for the tie-in.

How many practices persist with regard to Internet security despite the fact that we know they are wrong, and how often do we acknowledge that we do them because they are expedient?

  • We use passwords for authentication.

  • We program without regard to secure code review.

  • We configure firewalls with ANY permissions on egress traffic.

  • We allow Anti-Virus subscriptions to expire.

  • We ship equipment and software with default settings that accommodate ease of use rather than assure secure operation.

  • We put equipment and software into production environments with the dopey default settings the vendor configured.

  • We patch as patch can.

  • We budget for security in a vacuum.

  • We audit annually, or when it is demanded.

Feel free to email me with your pet "wrong but expedient" security practice.

Archived at http://www.securityskeptic.com/arc20030901.htm#BlogID123 by Dave Piscitello  


Fri, 12 Sep 2003 00:00:00 00, 121
Online Security Books

You can download David Wheeler's Secure Programming for Linux and Unix HOWTO without fee. This book provides a set of design and implementation guidelines for writing secure programs for Linux and Unix systems. Such programs include application programs used as viewers of remote data, web applications (including CGI scripts), network servers, and setuid/setgid programs. This document includes specific guidance for a number of languages, including C, C++, Java, Perl, Python, and Ada95.

Another free ebook available for download is Jason Coombs' IIS Security and Programming Countermeasures. Jason published/pushed his announcement with the following sentiment:

"It is my hope that those administrators and programmers who are presently at-risk due to the use of IIS will learn something valuable from this manuscript."

Well done.

Archived at http://www.securityskeptic.com/arc20030901.htm#BlogID121 by Dave Piscitello  


Thu, 11 Sep 2003 00:00:00 00, 122
A Blog Worth Visiting

Mitch Kabay spotlighted my blog today in his NETWORK WORLD NEWSLETTER: M. E. KABAY ON SECURITY. His column about my blog is flattering, and I appreciate the attention.

Over 2600 visitors to my blog today...

Archived at http://www.securityskeptic.com/arc20030901.htm#BlogID122 by Dave Piscitello  


Upgrading is never Uplifting

Having the opportunity to use Windows XP Professional on my new work PC, I decided that my earlier conclusion that "XP was terrible" was overblown.

XP Professional is very good. It's XP Home Edition that IMO bites.

So just as I scrapped Windows ME in favor of Windows 2000 Professional two years ago, I decided to scrap XP HE for XP PRO.

Good intentions oft go awry. Microsoft claims that an upgrade saves your settings and installed programs.

Not exactly.

The PC I upgraded uses a USB connected WiFi adapter for wireless networking. Windows dutifully saved the TCP/IP information from my XP HE network connection settings, but it didn't save my WiFi settings: ESSID, Channel, Encryption, ...

Now this is not all that troublesome, except for the tiny matter of completing registration online during Windows XP installation. No WiFi, no Internet. No Internet, no registration.

With the increasing number of home WiFi networks, and given Microsoft's campaign to eliminate "casual copying", you'd think they would get this right.

Archived at http://www.securityskeptic.com/arc20030901.htm#BlogID120 by Dave Piscitello  


Wed, 10 Sep 2003 00:00:00 00, 119
2003 CSI/FBI Computer Crime and Security Survey

The 2003 Computer Crime and Security Survey is now available. Visit CSI to register and download the .pdf.

The hyperlink to the 2002 report is 404'ed and CSI didn't have the web-sense to forward link the reference to the new report.

Archived at http://www.securityskeptic.com/arc20030901.htm#BlogID119 by Dave Piscitello  


Tue, 09 Sep 2003 00:00:00 00, 118
IEEE 802.1w

I receive a Tech Term of the Week from Alcatel. I consider it an acronym sanity check.

This week's Tech Term is 802.1W, Rapid Reconfiguration of the Spanning Tree.

The proximity of the "w" to the alliterative phrase "Rapid Reconfiguration" reminded me of Gilda Radner's hysterical impersonation of Barbara Walters, Baba Wawa, who would report on the term thusly:

IEEE 802.1w: Wapid Weconfiguration of the Spanning Twee

An Ethernet switch is designed to pass network twaffic from one port to another. Typicawee, a switch learns the addresses of the devices connected to it to be able to direct network twaffic from one port to another. However, when twansmissions are first sent, the switch does not know who is on each port. It sends a single message meant for an unknown destination to aw ports (known as flooding). If the phwysical topology of a network contains a woop, a network device that sends out a message to all of its ports may start a chain reaction that can cause an endless wogical woop...

Archived at http://www.securityskeptic.com/arc20030901.htm#BlogID118 by Dave Piscitello  


Thu, 04 Sep 2003 00:00:00 00, 116
Simplify Your Next Upgrade: Audit your PC

Everyone knows the drill. Your PC ages and gets slow, or you discover you have 37 Kilobytes left on your c:\ partition, after defragging the disk. Perhaps you've installed - or are preparing to install - a new version of Windows, which invariably accelerates the aging process, and then a new Office suite, which throws your PC into a coma.

Cheap fixes include adding RAM or an additional disk drive. A more ambitious fix is to replace the PC. Whichever you choose, it pays to audit your PC hardware, software, and file store.

Auditing PC hardware and software is helpful in both cases. A good PC audit tool will tell you how much memory you have, and how many memory slots the installed memory occupies. You'll need the latter to determine what you order; for example, if you have 128 MB RAM installed as two 64 MB DIMMs and only two slots, you'll have to remove one or both to upgrade (sell what you remove on eBay but don't expect a lot). Audit tools will also tell you how your disk(s) are partitioned, what space remains, etc.

I've found the free Belarc Advisor really useful. In addition to telling me about PC hardware, it also tells me about the Windows OS (build, service packs, and hotfixes) and software licenses and versions. These are extremely helpful to me when I buy a new PC and want to create the same "production environment" before I retire the old one.

The hardest task is backing up or copying your file store. I try to faithfully keep all business and personal files on a separate partition, and burn a CD of this partition. I also keep a partition of the dozens upon dozens of software tool downloads, and I glean the ones I no longer use before I burn a CD of these.

No matter how faithfully you organize files, there are bound to be critical bits and pieces of configuration information lying in your primary partition: anything from .ini and other program and user configuration and database files, etc/hosts, IE favorites and cookies, address books, updated hardware drivers, software license keys, e-mail folders, PGP key rings, and more. If you've installed applications on drives other than your primary, this kind of information may be on other partitions as well. Belarc's audit tool helps you by providing a list of installed applications so you can at least ferret around the install folders and at worst, guess what you ought to back up or copy.

I hate upgrades and replacement. Both are tedious processes, both fraught with peril: I'm convinced that when people estimate the annual cost of PC maintenance at 5-6 times the actual purchase cost, they are including the 8-20 hours associated with some upgrade or replacement.

And I haven't included the chore of wiping a to-be-retired PC clean of sensitive data!

Archived at http://www.securityskeptic.com/arc20030901.htm#BlogID116 by Dave Piscitello  


Wed, 03 Sep 2003 00:00:00 00, 115
Computer Forensics: neither science nor fad... yet

Mark Rogers offers an Op/Ed at the CERIAS web site, Computer Forensics: Science or Fad.


I'll cite several statements Rogers makes that I'm willing to debate:

  • "The private sectors' push to jump on the computer forensics bandwagon threatens to turn an evolving scientific discipline into a mere fad; a lack of standards and training can result in bad case law, guilty parties escaping prosecution and innocent parties being "railroaded" into incarceration."


    I don't have an axe to grind about forensic software: the haste-to-market mentality will inflict damage here as it has elsewhere. Moreover, I concede that software intended to collect and preserve the integrity of evidence ought to be designed according to standards, to assure that what is collected will indeed satisfy chain of custody, rules of evidence, and law enforcement guidelines. And I concede the obvious: some forensics software will be lousy, and the poor souls who use it will taint evidence. But I find Rogers' implicit conclusion disturbing (don't let them develop software), so ask:

    Should we abandon research and development, albeit in a market economy rather than academic setting, and wait for standards?

    I concede as well that even excellent forensic software, in the hands of someone who is not a forensics expert, can result in sorry outcomes. I suspect the frequency of incidents of tainted evidence will be no different from the real world, where chains of custody and rules of evidence are subjected to human error, non-standard or inadequate tools and poorly designed or executed processes.

    We're in a sorry state, and government and law enforcement agencies are wholly unprepared to deal with the volume of computer incidents. I don't believe it's in the best interest of our connected society to handcuff the private sector.

  • "...there is no recognized professional body over-seeing any designations, no nationally or internationally recognized standards, curricula, common body of knowledge or training."

    And of course we need one. But recognition (and certification) of forensic investigative skills by professional bodies isn't a panacea, and doesn't imply quality. Many outstanding security practitioners don't have formal recognition, yet these folks are routinely called upon by government agencies to assist in incident intervention. And I imagine that some certified investigators don't meet the expectations of those who employ them.

    I agree we need better criteria and more (private and public) funding for research. And who can argue against a common body of knowledge? But I think the notion of a unified approach rather than a community-engaged approach to education and training can easily stifle rather than enhance progress and improve competencies in this field. Judge for yourself: Internet research and innovation increased dramatically once Uncle Sugar turned the NSF infrastructure over to the private sector.

  • "Historically, computer forensics was restricted to law enforcement, the military or other government agencies."

    I hope the conclusion here isn't, "leave forensics in these competent hands". Even if they were supremely competent, I don't believe that forensic investigation should be limited to government and law enforcement agencies, any more than I believe that governments should escrow private keys.

    I confess that I have not spent time investigating the quality of tools and forensics investigators of a large number of government and law enforcement agencies, but I can't imagine every crime lab has the technology we see on CSI. I'm willing to bet that the Beaufort County, SC crime lab is a bit different from the agencies in Washington DC best known by their TLAs (three letter acronyms). But again, I'm disturbed by Rogers' implicit conclusion (don't let them practice), even when tempered by Rogers' plea that, "We need to increase our efforts to develop, a unified approach to education and training in computer forensics, a common body of knowledge, and increase empirical research. "

    I'm also curious whether computer forensics has truly been the dominion of government and law enforcement agencies. Surely, private computer forensics investigators have been around for a while?

  • "To continue to allow the field to "naturally" progress without the appropriate scientific rigor is a mistake..." and later, "Failure to do so will result in computer forensics being relegated to a "fad" conducted by amateurs, resulting in contaminated or lost evidence."

    It's not a mistake. It's a journey.

Archived at http://www.securityskeptic.com/arc20030901.htm#BlogID115 by Dave Piscitello  


Tue, 02 Sep 2003 00:00:00 00, 114
Information Gathering of the Hidden Text Kind


I look forward to receiving Bruce Schneier's Crypto-Gram newsletter. I don't necessarily enjoy or agree with everything Bruce writes about but I almost always find something interesting, amusing, and educational (maybe that should be OR...)


In the August 15 2003 Issue, Bruce writes about the dangers inherent in using WYSIWYG word processors like Microsoft Word, which incorporate all sorts of information in the documents users generate, and the fact that most users are entirely unaware of this behavior.


What kind of information? In a paper entitled Scalable Exploitation of, and Responses to Information Leakage Through Hidden Data in Published Documents, Simon Byers explains that individual names, email addresses, organizational affiliations, collaborators, and information about the creator's file system and printers can all be recovered from a document: open Word and view Tools | Options and see for yourself. Simon explains how this information can be misused (identity theft) and also points out that it might be used to combat plagiarism.


Bruce cites three incidents involving recovery of hidden text in his August 15, 2003 issue, all embarrassing for the parties involved. I won't share them here: read Bruce's newsletter!
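You don't have to trust the Tools | Options dialog to see what leaks; the document carries it. As an added example (not code from this post, from Bruce's newsletter, or from Byers' paper), the script below pulls the author, last editor, company, template path and tracked deletions out of a Word document. Word's 2003-era binary .doc needs an OLE2 parser, so the example uses the later .docx container instead, which is a zip archive of XML parts and can be read with nothing but the standard library; the sample document, its names and its dollar figures are constructed in memory for the example.

```python
"""Added example, not from the blog post, Crypto-Gram, or Byers' paper: list
the hidden data in a Word document (author, last editor, company, template
path, tracked deletions). Uses the .docx zip container rather than the
binary .doc of 2003; the sample document below is constructed, names made up."""

import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}

# Constructed parts of a sample .docx. Only the three parts that carry
# hidden data are included; a real file also has [Content_Types].xml etc.
CORE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}">
  <dc:creator>alice@example.org</dc:creator>
  <cp:lastModifiedBy>Bob Reviewer</cp:lastModifiedBy>
  <cp:revision>7</cp:revision>
</cp:coreProperties>""".format(**NS)

APP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Properties xmlns="{ep}"><Company>Example Corp Legal Dept</Company>
<Template>C:\\Users\\alice\\Templates\\contract.dotx</Template></Properties>""".format(**NS)

DOCUMENT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="{w}"><w:body><w:p>
  <w:r><w:t>The price is </w:t></w:r>
  <w:del w:author="Bob Reviewer"><w:r><w:delText>$200,000</w:delText></w:r></w:del>
  <w:ins w:author="Bob Reviewer"><w:r><w:t>$250,000</w:t></w:r></w:ins>
</w:p></w:body></w:document>""".format(**NS)


def build_sample_docx() -> bytes:
    """Zip the constructed parts the way Word lays them out inside a .docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
        z.writestr("word/document.xml", DOCUMENT_XML)
    return buf.getvalue()


def hidden_data(docx_bytes: bytes) -> dict:
    """Return the metadata and tracked-change residue a recipient is not meant to see."""
    w = NS["w"]
    found = {"authors": set(), "company": None, "template": None, "deleted_text": []}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            core = ET.fromstring(z.read("docProps/core.xml"))
            for tag in ("dc:creator", "cp:lastModifiedBy"):
                el = core.find(tag, NS)
                if el is not None and el.text:
                    found["authors"].add(el.text)
        if "docProps/app.xml" in names:
            app = ET.fromstring(z.read("docProps/app.xml"))
            for key, tag in (("company", "ep:Company"), ("template", "ep:Template")):
                el = app.find(tag, NS)
                if el is not None:
                    found[key] = el.text
        if "word/document.xml" in names:
            doc = ET.fromstring(z.read("word/document.xml"))
            # Tracked changes keep the deleted text and name whoever made them.
            for d in doc.iter("{%s}del" % w):
                found["authors"].add(d.get("{%s}author" % w, ""))
                found["deleted_text"].append(
                    "".join(t.text or "" for t in d.iter("{%s}delText" % w)))
            for i in doc.iter("{%s}ins" % w):
                found["authors"].add(i.get("{%s}author" % w, ""))
    found["authors"].discard("")
    return found


if __name__ == "__main__":
    for key, value in hidden_data(build_sample_docx()).items():
        print(f"{key}: {value}")
```

Point hidden_data() at the bytes of any .docx to get the same report; the template path alone tells a stranger the author's Windows user name and folder layout, which is exactly the "file system" leakage Byers describes.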

Archived at http://www.securityskeptic.com/arc20030901.htm#BlogID114 by Dave Piscitello  


When investors ask about SSL VPNs


When I publish an article about a security technology, I'm sometimes contacted by capital investment firms. They all ask the same questions, and it's obvious they are data mining in hopes of identifying a technology segment where they have the best chance of making a killing on an early investment, with of course, the lowest risk.


I recently was asked about SSL VPNs, having written a BCR column in April 2003 on this subject. I won't identify the investor, but I'm happy to share the exchange with you:

  1. Is an SSL VPN a "point product" that can/should be sourced separately, or

    Yes, I think SSL VPN appliances, as they are shipped today, are point products. Vendors in this space have to incorporate other functionality - load balancing, transaction acceleration, perhaps application protection - to survive and grow a market share. It's pretty certain that the big firewall and switch/router players will incorporate SSL as yet another protocol for remote access. F5 just bought uRoam. Nokia will probably integrate SSL and firewall product lines. Cisco will buy *someone*.

  2. Should it be part of IDS, Firewall, or other network security applications?

    I think there will always be a tension between incorporating everything into one appliance/system and having multiple security systems. It's hard to do IDS in one place - intrusion and DDOS prevention might become part of most firewalls, but then, isn't that what firewalls are supposed to do?

    Here's an example of the "integrated vs. standalone" conundrum. My opinion (you asked) is that remote access is something you may *concentrate* in a large organization or outsource to a managed service provider, so a VPN RA concentrator has a market on which to survive/thrive as a separate product. Look at Nortel's Contivity switch for IPsec RA. In my opinion, I wouldn't use it as my Internet firewall, and it doesn't do IDS or intrusion prevention, but it will garner a good share of the market because it does one thing very well. OTOH, CheckPoint will maintain a big chunk of the market for everyone who thinks "one box is all I should need". Folks will run IPsec RA on CheckPoint firewalls (and hence use an integrated solution).

    IMO, the question isn't "should SSL VPN be incorporated into firewalls", but "when will..."

  3. Who would be considered SSL market leaders? The up-and-coming players in the market? Of the dozen or so SSL players you name, which do you think can thrive independently?

    I'm not a big fan of Gartner, but here's their widely heralded and criticized Magic Quadrant. Let me be clear that I don't put much stock in this kind of analysis.

    I think Aventail has the experience to do well in this market; however, I must tell you that I've worked with and for Aventail for many years, so my insight into what they do (well) is considerable compared to other SSL VPN players. I designed an SSL VPN with their software for DuPont 4 years ago and it supports tens of thousands of users today. And that was with a software-based product, not their appliance. Neoteris is supposed to be very good but I haven't tinkered with it. SafeWeb seems savvy, and a lot like Neoteris. Rainbow has a good integrated two-factor authentication and SSL product. Whale is a very top end enterprise (expensive and powerful) solution. Lots of others are "who knows?"

  4. Likewise, of the dozen SSL players you name, who do you think will likely be consolidated? Who do you see as likely consolidators?

    I honestly can't say. I spend time looking at technology not quarterly reports and SEC filings. You might want to talk with Michael Suby at Stratecast Partners.

Archived at http://www.securityskeptic.com/arc20030901.htm#BlogID113 by Dave Piscitello