locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Sat, 28 Feb 2004 00:00:00 00, 209
Death of Passwords

News.com reports that Bill Gates predicts death of the password at the RSA Conference. What will replace it? Two-factor systems. This is newsworthy? Perhaps not, but after all, this was RSA's conference. Can't imagine why anyone would talk about two-factor authentication there...

Blame Bill's PR folks, or lame reporting, but after reading the news piece, I was left with the impression that the whole press conference had been Dilbert-ized...

G: We're going to see the death of passwords...

<>: Tell us more...

G: Everyone will have a token!

<>: So I use a token instead of a password?

G: Yeah! And to make it even more secure, you'll use a second *factor*, a Personal Identification Number

<>: Oh... a token and a PIN?

G: Yeah, that's right!

<>: How do you use this PIN?

G: That's the really kewl part. It can be a number or even letters and numbers and *special characters*

<>: Like a password?

G: Yeah... Well, NO, it's a PIN, you see, and it can be a number or even letters and numbers and *special characters*, and you could call it a password but that wouldn't be exactly correct because I'm predicting the demise - death if you choose - of passwords at this press conference, today...

<>: How is the PIN different from a password? Isn't it still something you know?

G: You don't understand... passwords are dead. It's a PIN. It can be a number or even letters and numbers and *special characters*...

<>: zzzzzzz... huh? Sorry, yes, I think I understand now, oh, look, there's Osama bin Ladin!
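What the dialog is circling around is that a token and a PIN are different kinds of factor: the token proves possession of a device-held secret (typically by producing a one-time code), while the PIN is knowledge, and so is a password no matter what it is called. The Python below is an added example, not code from this post or from any product mentioned in it; it implements the RFC 4226 HOTP code a hardware token would produce, stores the PIN the way a server should store any password, and accepts a login only when both factors check out. The secret key is the RFC 4226 Appendix D test vector and the PIN is a constructed sample value; the look-ahead window and the decision to consume a valid code even when the PIN is wrong are my own design choices.

```python
"""Two-factor verification: something you have (HOTP token) + something you know (PIN).

Added example (not from the original post). The secret and PIN below are constructed
sample values; the token secret is the RFC 4226 Appendix D test-vector key.
"""
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hash_pin(pin: str, salt: bytes) -> bytes:
    """The PIN is a knowledge factor, i.e. a short password: store it salted and stretched."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class TwoFactorVerifier:
    """Server-side state for one user: PIN hash plus the shared token secret and counter."""

    def __init__(self, token_secret: bytes, pin: str, look_ahead: int = 3) -> None:
        self.token_secret = token_secret
        self.salt = secrets.token_bytes(16)
        self.pin_hash = hash_pin(pin, self.salt)
        self.counter = 0              # next counter value the server expects
        self.look_ahead = look_ahead  # tolerate a few button presses that never reached us

    def verify(self, pin: str, code: str) -> bool:
        # Evaluate both factors unconditionally (no short-circuit) so the response
        # time does not reveal which factor failed.
        pin_ok = hmac.compare_digest(hash_pin(pin, self.salt), self.pin_hash)
        code_ok = False
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.token_secret, c), code):
                # Consume the code even if the PIN was wrong: a captured code must not
                # stay usable for a second PIN guess, and the counter never moves back.
                self.counter = c + 1
                code_ok = True
                break
        return pin_ok and code_ok


if __name__ == "__main__":
    # Constructed demo values (secret is the RFC 4226 test vector).
    SECRET = b"12345678901234567890"
    user = TwoFactorVerifier(SECRET, "4711")
    print(user.verify("4711", hotp(SECRET, 0)))  # both factors present: True
    print(user.verify("4711", hotp(SECRET, 0)))  # replayed code: False
    print(user.verify("0000", hotp(SECRET, 1)))  # valid code, wrong PIN: False
```

Knowing the PIN alone gets an attacker nothing without the device, and a code sniffed in transit is single-use; that separation, not the character set allowed in the PIN, is what the second factor buys.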

Archived at http://www.securityskeptic.com/arc20040201.htm#BlogID209 by Dave Piscitello  


Thu, 26 Feb 2004 00:00:00 00, 208
Chance Encounters of the Best Kind

As I left for the San Francisco airport this morning, I met a fellow in the elevator of the Argent hotel, who related his harrowing elevator experience the day prior, when San Francisco had a major rainfall and near-gale wind "incident". We continued to chat, he on his way to the RSA Conference, and me to Starbucks. As we continued to chat, my anonymous companion mentioned he had participated in a session at the conference. He described his presentation, and mentioned his company, NetContinuum.

I only recently invited a fellow from NetContinuum to participate in a session at Networld+Interop, based on a submitted abstract and a background check among my colleagues. I asked my companion, "Do you know Kurt Roemer?"

After a more-than-hesitation-less-than-pregnant pause, he replied, "I *am* Kurt Roemer."

Hoodathunk? After our chance but very pleasant encounter, I'm looking forward to sharing a session with Kurt.

Archived at http://www.securityskeptic.com/arc20040201.htm#BlogID208 by Dave Piscitello  


Thu, 19 Feb 2004 00:00:00 00, 206
First worm to slip past the gateway

The February 18 w32.Netsky.B@mm worm is the first to slip past my ISP's antivirus gateway in over two years. Recently installed definitions for my desktop AV software caught and quarantined the bugger.

This is a real-world corroboration of what I described as the "value proposition of complementary and concentric defenses" in a 2002 TISC Insight column, Server- versus client-based protection?. AV gateway and desktop AV software are a nice combination.

But don't rely exclusively on these. Remember, virus writers and phishers rely on social engineering, specifically, inducing users to open attachments, click on hyperlinks embedded in email messages, or reply to unsolicited mail. Think before you act!

Archived at http://www.securityskeptic.com/arc20040201.htm#BlogID206 by Dave Piscitello  


Wed, 18 Feb 2004 00:00:00 00, 205
Chapin SC networking consulting

I have no idea who these folks are, and what relationship they imply I have with them, but SC Computer Consulting lists me as a consultant available for consulting in South Carolina.

A bit more googling and I discover that this site is one of a number of sites that Joshua Feinberg's thrown onto the web to promote his Computer Consulting 101 Professional Kit.

Yet another example of how it pays to google your name, your company name, and for authors, titles of published works.

You never know who's using and abusing you.

Bye for now, it's time to contact Mr. Feinberg...

Archived at http://www.securityskeptic.com/arc20040201.htm#BlogID205 by Dave Piscitello  


Tue, 17 Feb 2004 00:00:00 00, 204
Summary of 2003 Publications

December 2003:

Security and USB Ports: Yet another access to control,
for Loop, The Online Voice of the IT Community

Power Supply... and Mean Times...,
for Loop, The Online Voice of the IT Community

SIP comes to Hilton Head,
for Loop, The Online Voice of the IT Community

Ethical Hacking could be so much more than an oxymoron,
for Loop, The Online Voice of the IT Community

November 2003:

Powerline Ethernet: When WiFi won't and CAT-5 Can't,
for Loop, The Online Voice of the IT Community

Security Policy for... Camera Phones?,
for Loop, The Online Voice of the IT Community

October 2003:

Take The "Sting" Out of XP Performance Issues,
a Watchguard Live Security Editorial

September 2003:

Stepping Up to Windows XP: What to Expect at Your Firewall,
a Watchguard Live Security Editorial

August 2003:

What Broadcast Traffic Reveals,
a Watchguard Live Security Editorial

Enterprise-Grade Solutions for WLAN Integration, WSTA Ticker

July 2003:

A friendly alternative to Registry Editing: Introducing the Local Policy Editor,
a Watchguard Live Security Editorial

June 2003:

Foundations: What Is TCP?,
a Watchguard Live Security Editorial

May 2003:

A business case for IDS?

Re-Emergence of SSL VPNs

April 2003:

How to Harden Your Microsoft Web Server,
a Watchguard Live Security Editorial

Simplifying Secure Remote Access: SSL VPNs, a BCR Magazine article

Locking Down the Airwaves, an SC Magazine article

March 2003:

Server Load Balancing Concepts (and the Vclass),
a Watchguard Live Security Editorial

February 2003:

The Sad And Increasingly Deplorable State Of Internet Security,
a Watchguard Live Security Editorial

Tools and Tactics for Safer WLAN Deployment,
a Watchguard Live Security Editorial

January 2003:

Quality of Service (QOS) and the Vclass Firewall

Blocking Public Instant Messaging,
a Watchguard Live Security Editorial

Archived at http://www.securityskeptic.com/arc20040201.htm#BlogID204 by Dave Piscitello  


Sun, 15 Feb 2004 00:00:00 00, 201
Inquiry regarding site survey comment in Powerline Ethernet article

Alex Gordy of Tornado Marketing, Inc. read my article on Powerline Ethernet and asks,

"You mention that 'Many organizations conduct a site survey prior to deploying Wireless LANs in a facility, and often discover the most appropriate access point placement is a location where they cannot provide power.' Do you have any specific sources of info you can point to for this? It would be very helpful to know."

This is part anecdotal evidence, part accumulated lore/experience. A Cisco Systems white paper does a commendable job describing PoE. Companies often occupy large, unwalled, high-ceilinged office or industrial spaces with the intention of creating bullpen arrangements of cubicles (reminiscent of Dilbert cartoons). The canonical office space of this sort is a single-story, rectangular building with 20-foot ceilings. Draw circles with a broadcast radius and fit them into the rectangle in such a fashion that you have minimum overlap and (theoretical) exterior leakage but maximum coverage. Now, where do you mount the access points? Look up.

Ceilings are excellent places to arrange access points. You often have to run CAT-5 to the APs to connect them to the wired elements of your network, but why run electrical to such locations solely for the sake of the access points if you can deliver power over CAT-5?

Mount your APs, then survey with the most powerful antennae you can find or build, and reposition as necessary (adjust power on APs or choose alternative antennae if you have the ability to do this.)
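The circle-fitting exercise above can be made concrete: lay the access points out, then measure how much of the floor is covered, how much the cells overlap, and how far the signal reaches past the exterior walls, since that leakage is what a drive-by listener gets for free. The Python below is an added example, not from the original post or from the Cisco paper it mentions; the floor dimensions and radius are constructed, the radio range is idealized as a circle, and the square-grid placement rule is one simple choice of mine, not a recommended survey method. It assumes each AP reliably covers a radius r and sets the grid pitch to at most r*sqrt(2), the side of the largest square a circle of radius r can cover, which is what guarantees no interior gap.

```python
"""Access-point layout on a rectangular floor with coverage, overlap and leakage estimates.

Added example, not from the original post. Assumes an idealized circular radio
range of `radius` (same units as the floor) and a square-grid placement rule.
"""
import math


def ap_grid(width: float, length: float, radius: float) -> list[tuple[float, float]]:
    """Place APs on a grid so every interior point is within `radius` of some AP.

    A circle of radius r covers a centred square of side r*sqrt(2), so a grid
    pitch of at most that guarantees full coverage; the pitch is then shrunk
    evenly so the grid is centred on the floor and leakage is symmetric.
    """
    max_pitch = radius * math.sqrt(2)
    nx = math.ceil(width / max_pitch)
    ny = math.ceil(length / max_pitch)
    dx, dy = width / nx, length / ny
    return [((i + 0.5) * dx, (j + 0.5) * dy) for i in range(nx) for j in range(ny)]


def coverage_report(width: float, length: float, radius: float,
                    aps: list[tuple[float, float]], step: float = 1.0) -> dict:
    """Sample points inside the floor and in a band of width `radius` outside its walls.

    Returns the fraction of interior points covered, the mean number of APs
    reaching each interior point (overlap), and the fraction of exterior sample
    points that at least one AP reaches (leakage past the perimeter).
    """
    def reached_by(x: float, y: float) -> int:
        return sum(1 for ax, ay in aps if math.hypot(x - ax, y - ay) <= radius + 1e-9)

    nxs = int((width + 2 * radius) / step) + 1
    nys = int((length + 2 * radius) / step) + 1
    inside = inside_covered = inside_reach = 0
    outside = outside_reached = 0
    for i in range(nxs):
        x = -radius + i * step
        for j in range(nys):
            y = -radius + j * step
            n = reached_by(x, y)
            if 0 <= x <= width and 0 <= y <= length:
                inside += 1
                inside_covered += n > 0
                inside_reach += n
            else:
                outside += 1
                outside_reached += n > 0
    return {
        "aps": len(aps),
        "coverage": inside_covered / inside,
        "mean_overlap": inside_reach / inside,
        "leakage": outside_reached / outside,
    }


if __name__ == "__main__":
    # Constructed example: a 100 x 60 floor and a 15-unit usable radius per AP.
    aps = ap_grid(100, 60, 15)
    print(coverage_report(100, 60, 15, aps))
```

Running the same report against the placed APs with a smaller radius shows the gaps that appear when the assumed range was optimistic, and the leakage figure is the number to watch when turning AP power down or swapping to a directional antenna, as the post suggests.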

Archived at http://www.securityskeptic.com/arc20040201.htm#BlogID201 by Dave Piscitello  


Fingerprinting Foreigners

Bruce Schneier has written a sobering look at the U.S. policy of fingerprinting foreigners in his January 15, 2004 issue of CRYPTO-GRAM. In his editorial, Bruce considers the expense of this undertaking, collateral costs such as retaliation, and the folly of presuming that fingerprinting is an effective way to combat terrorism.

I quote an outstanding remark amid many outstanding remarks in this column, which gives me hope that Americans will tire of this neo-McCarthyism and insist on changes in November:

"America's security comes from our freedoms and our liberty. For over two centuries we have maintained a delicate balance between freedom and the opportunity for crime. We deliberately put laws in place that hamper police investigations, because we know we are more secure because of them. We know that laws regulating wiretapping, search and seizure, and interrogation make us all safer, even if they make it harder to convict criminals."

If you don't receive CRYPTO-GRAM, visit this link.

Archived at http://www.securityskeptic.com/arc20040201.htm#BlogID202 by Dave Piscitello  


Tue, 10 Feb 2004 00:00:00 00, 200
Miniature Breeds

Way off topic. I won't even pretend there's a security angle here.

Looking for yet another re-run of Law and Order: Whatever, I channel-surfed to USA Network, only to find the AKC championships. This particular evening's event was the miniature breeds. I learned that many miniatures are cross-breeds of noble hunting dogs (including poodles), bred down from as much as 30 pounds to the 7 pound maximum for this class.

Seeing how we have historically manipulated what we know about genetics in dog breeding, I'm convinced that, along with incredible advances in regenerative and reparative medicine, humans will find all the wrong applications of cloning and stem cell research. It makes me sad... and scared.

Archived at http://www.securityskeptic.com/arc20040201.htm#BlogID200 by Dave Piscitello  


Sat, 07 Feb 2004 00:00:00 00, 199
Intelligence failure or stupidity success?

No, it's not a quote from Dilbert, but one from this morning's NPR Hourly News, regarding the fact-finding panel gathered to investigate the intelligence gathering and reports that the Bush administration "relied" on to obtain support for the war on Iraq.

Irrespective of your politics, can you at least agree that the only thing that's not amusing about a stupidity success is how frequently they occur in real life...

Archived at http://www.securityskeptic.com/arc20040201.htm#BlogID199 by Dave Piscitello