locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Wed, 31 Mar 2004
Related reading to Firewall Best Practices

If you are reading my ISSA article, "Firewall Best Practices--Egress Traffic Filtering", you may want to also read The Enemy Within: Firewalls and Backdoors, by Bob Rudis and Phil Kostenbader. This paper discusses backdoors: in the section A Ready Defense, the authors cite some of the same best practices Nathan Buff and I mention in our column. Corroboration is always comforting.

And while you're reading both of these, if you want to know more about backdoors, read Detecting Backdoors, by Vern Paxson and Yin Zhang. This paper is from 1999 (a millennium ago!) but the general algorithms for detecting backdoors based on keystroke characteristics are interesting nonetheless.
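To make the keystroke idea concrete, here is an added toy version of it in Python. It is not the Paxson/Zhang code, only the core heuristic from their paper reduced to two tests: an interactive (keystroke-driven) session shows mostly tiny client-to-server payloads with human-scale gaps between packets, so a session that looks interactive on a port where no interactive service is expected (a shell listening on 4444, say) stands out. The thresholds, the "expected interactive ports" set and the packet trace are all constructed for the example.

```python
"""Simplified keystroke-timing heuristic for spotting interactive backdoors.

Added example; not the Zhang/Paxson implementation. Thresholds below are
assumed values chosen for the constructed trace, not the paper's.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

FlowKey = Tuple[str, str, int]          # (src, dst, dport)
Packet = Tuple[float, int]              # (timestamp_s, payload_bytes)

SMALL_PAYLOAD = 20                      # bytes: a keystroke or short echo (assumed)
MIN_GAP, MAX_GAP = 0.01, 2.0            # seconds: human typing cadence (assumed)
SMALL_FRACTION = 0.6                    # share of packets that must be small
GAP_FRACTION = 0.5                      # share of gaps that must look human
MIN_PACKETS = 8                         # too few packets and we refuse to judge
EXPECTED_INTERACTIVE_PORTS = {22, 23}   # where interactive traffic is normal (assumed)


def _session(src, dst, dport, start, gaps, sizes):
    """Build one client->server packet sequence for the constructed trace."""
    pkts, t = [], start
    for gap, size in zip(gaps, sizes):
        t += gap
        pkts.append((t, src, dst, dport, size))
    return pkts


# Constructed trace (timestamp_s, src, dst, dport, payload_bytes):
#   A: one-byte keystrokes to an odd port  -> the backdoor we want to flag
#   B: the same cadence to telnet (23)     -> interactive, but expected there
#   C: a bulk transfer to 8080             -> large packets, machine timing
_KEYSTROKE_GAPS = [0.0, 0.21, 0.18, 0.35, 0.12, 0.60, 0.25, 0.19, 1.10, 0.30]
_KEYSTROKE_SIZES = [1, 1, 1, 2, 1, 1, 3, 1, 1, 1]
TRACE = (
    _session("10.0.1.17", "203.0.113.5", 4444, 100.0, _KEYSTROKE_GAPS, _KEYSTROKE_SIZES)
    + _session("10.0.1.17", "203.0.113.5", 23, 200.0, _KEYSTROKE_GAPS, _KEYSTROKE_SIZES)
    + _session("10.0.1.18", "203.0.113.7", 8080, 300.0, [0.0] + [0.002] * 9, [1460] * 10)
)


def group_flows(trace) -> Dict[FlowKey, List[Packet]]:
    """Bucket packets by (src, dst, dport) and order each bucket by time."""
    flows: Dict[FlowKey, List[Packet]] = defaultdict(list)
    for ts, src, dst, dport, size in trace:
        flows[(src, dst, dport)].append((ts, size))
    for pkts in flows.values():
        pkts.sort()
    return flows


def looks_interactive(pkts: List[Packet]) -> bool:
    """True if the packet sizes and inter-arrival gaps resemble typing."""
    if len(pkts) < MIN_PACKETS:
        return False
    small = sum(1 for _, size in pkts if 0 < size <= SMALL_PAYLOAD) / len(pkts)
    gaps = [b[0] - a[0] for a, b in zip(pkts, pkts[1:])]
    human = sum(1 for g in gaps if MIN_GAP <= g <= MAX_GAP) / len(gaps)
    return small >= SMALL_FRACTION and human >= GAP_FRACTION


def find_backdoors(trace) -> List[FlowKey]:
    """Interactive-looking flows on ports where nothing interactive should live."""
    return sorted(
        key for key, pkts in group_flows(trace).items()
        if looks_interactive(pkts) and key[2] not in EXPECTED_INTERACTIVE_PORTS
    )


if __name__ == "__main__":
    for key in find_backdoors(TRACE):
        print("possible backdoor:", key)
```

Two caveats a practitioner should keep in mind: the real paper copes with encrypted sessions (SSH pads keystrokes to larger packets) and with bulk output interleaved with typing, which this toy ignores, and an attacker who knows the heuristic can batch keystrokes or pad packets to defeat it. The port allow-list is also a policy decision: an interactive session to port 23 on a host that is not a telnet server is just as suspicious.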

Archived at http://www.securityskeptic.com/arc20040301.htm#BlogID224 by Dave Piscitello  


Mon, 29 Mar 2004
BartPE

Your c:\ drive crashes. You don't know the cause. You are desperate to retrieve files from this machine, with a capital D. If you could only boot from another medium (if you only partitioned that 120 Gig drive!).

Trouble is, your new PC doesn't have a floppy drive.

Before you reach for that OEM Recovery CD or call the drive recovery folks, consider Bart's Preinstalled Environment (BartPE), a bootable live Windows CD. BartPE lets you create a CD with a scaled down Windows OS (2000 Server or XP Professional), including network connection support, GUI, and file system support for FAT and NTFS (a much-needed improvement over DOS boot disks). It has a clean, simple user interface, and a custom explorer.

Use BartPE to rescue files from a hard drive to a network share. Perhaps you need to perform a virus scan and can't find that Installation CD. Not a problem: you can add an antivirus plugin (McAfee Avert Stinger) to the ISO image of the CD you create with the BartPE software. In fact, author Bart Lagerweij has amassed lots of plugins for his "donateware", from RAM disk to a remote desktop.

Remember I said, "Before...?" I really mean before: find 15-20 minutes out of your busy schedule to download PEbuilder.exe and create a rescue CD now. Then PayPal Bart some cash.

Archived at http://www.securityskeptic.com/arc20040301.htm#BlogID223 by Dave Piscitello  


Firewall Best Practices - Egress Packet Filtering

I've published an article on egress packet filtering in the March issue of the ISSA Journal. In the article, Nathan Buff and I explain that many organizations expose themselves to a number of risks by assigning lax egress (outgoing) traffic policies. We make a case to corroborate our claim that "what you allow out can be as damaging as what you allow in", and then offer a list of egress traffic configuration considerations that can improve your security risk profile.

Find the full article here. Membership is required, but you can apply for a trial membership.
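As an added illustration of what a deny-by-default egress policy looks like in practice (this is example code written for this page, not the ruleset from the ISSA article), the Python below evaluates outbound flows at a border against a small policy. The specific controls encoded here are assumed, typical ones rather than the article's own list: drop packets whose source address is not ours (anti-spoofing, RFC 2827), let only the internal resolvers speak DNS to the Internet, let only the mail relay speak SMTP, let web traffic out only through the proxy, and deny and log everything else. Address ranges and sample flows are constructed.

```python
"""Deny-by-default egress policy evaluator.

Added example, not code from the ISSA article. INTERNAL_NETS, the resolver,
relay and proxy addresses, and FLOWS are assumed values for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed internal address space
INTERNAL_RESOLVERS = {"10.0.0.53"}                      # assumed caching resolvers
MAIL_RELAY = "10.0.0.25"                                # assumed outbound MTA
WEB_PROXY = "10.0.0.80"                                 # assumed forward proxy


@dataclass(frozen=True)
class Flow:
    """An outbound flow as seen at the border (destination is external)."""
    src: str
    proto: str      # "tcp" or "udp"
    dport: int


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return (verdict, matching rule) for one outbound flow."""
    # Rule 1, anti-spoofing: a packet leaving with a source address that is
    # not ours is either a misconfiguration or a host taking part in a
    # spoofed DoS. Either way it should never leave the network.
    if not is_internal(flow.src):
        return "deny", "spoofed-source"
    # Rule 2: only the internal resolvers talk DNS to the outside. Malware
    # that needs its own resolver or a DNS tunnel has nowhere to go.
    if flow.dport == 53 and flow.proto in ("udp", "tcp"):
        if flow.src in INTERNAL_RESOLVERS:
            return "allow", "dns-resolver"
        return "deny", "dns-not-resolver"
    # Rule 3: only the relay sends SMTP. This is the rule that stops a
    # mass-mailing worm on a desktop from spamming the world directly.
    if flow.dport == 25 and flow.proto == "tcp":
        if flow.src == MAIL_RELAY:
            return "allow", "smtp-relay"
        return "deny", "smtp-not-relay"
    # Rule 4: web traffic leaves only via the proxy, where it is logged.
    if flow.dport in (80, 443) and flow.proto == "tcp":
        if flow.src == WEB_PROXY:
            return "allow", "web-proxy"
        return "deny", "web-not-proxy"
    # Rule 5: default deny. IRC bots, backdoors on odd ports and anything
    # nobody asked for all land here, and all of it gets logged.
    return "deny", "default-deny"


# Constructed sample of flows observed leaving the border.
FLOWS = [
    Flow("10.0.0.53", "udp", 53),      # resolver doing its job
    Flow("10.0.1.17", "udp", 53),      # desktop resolving on its own
    Flow("10.0.0.25", "tcp", 25),      # relay delivering mail
    Flow("10.0.1.17", "tcp", 25),      # desktop sending SMTP directly (worm?)
    Flow("10.0.0.80", "tcp", 443),     # proxy fetching HTTPS
    Flow("10.0.1.17", "tcp", 6667),    # desktop talking IRC
    Flow("192.0.2.9", "tcp", 80),      # source address that is not ours
]


def audit(flows: List[Flow]) -> List[Tuple[Flow, str, str]]:
    """Evaluate every flow; denied entries are what the border should log."""
    return [(f, *evaluate(f)) for f in flows]


def denied(flows: List[Flow]) -> List[Tuple[str, int, str]]:
    return [(f.src, f.dport, rule) for f, verdict, rule in audit(flows) if verdict == "deny"]


if __name__ == "__main__":
    for f, verdict, rule in audit(FLOWS):
        print(f"{verdict:5} {rule:18} {f.src}:{f.proto}/{f.dport}")
```

The order of the rules matters: the anti-spoofing check runs first so that a forged source can never match a later allow rule, and the default deny is last so that every allow is explicit. When you translate this into a real firewall, log the denies; the desktop that keeps hitting "smtp-not-relay" is the infected host you are looking for.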

Archived at http://www.securityskeptic.com/arc20040301.htm#BlogID222 by Dave Piscitello  


Mon, 22 Mar 2004
Ubiquitous Token Authentication: What will it take?

Is Token Authentication the Holy Grail? Token authentication is appealing because it is a familiar technology. Moreover, tokens are not as intrusive and potentially rights-infringing as biometrics. We use keys every day: keys are tokens.

Microsoft, Verisign's OATH crew, and others may have stumbled on the right authentication method, but all miss the forest for the trees. Their visions fall short of visionary in several respects. Read my analysis at LOOP.

Archived at http://www.securityskeptic.com/arc20040301.htm#BlogID220 by Dave Piscitello  


Fri, 19 Mar 2004
Web Application Code is part of your security perimeter

Unless your organization is on the bleeding edge and deploying one of the many forms of application protection, the security measures you apply in your web application code are quite possibly all that stands between your sensitive data and attackers. Read the entire article at LOOP.

Archived at http://www.securityskeptic.com/arc20040301.htm#BlogID221 by Dave Piscitello  


Wed, 17 Mar 2004
Off Topic: Recommended Reading

Scott Pinzon - colleague, editor and friend - sent an email to me in response to one of my blog digests. His comment:

"I am convinced you read other cool books besides security tomes. I, for one, would be interested in seeing you blog reviews of your favorite off-topic reads."

I enjoy science fiction and fantasy. I have recently been enjoying Stephen Lawhead, who writes historical fiction. His trilogy, The Celtic Crusades, describes the quests of three generations of a Scottish family to recover Holy Relics:

The Iron Lance, used by a Roman soldier to verify that Christ had died on the cross,

The Black Rood, a piece of the cross itself, and

The Mystic Rose, the Holy Grail, the cup used by Christ at the Last Supper.

If you enjoy rich vocabulary and descriptive narrative, you'll really enjoy Lawhead. Being an Anglophile, I also love the clever way Lawhead manages to relate the events of the Crusades.

Not satisfied with this trilogy, I also read Lawhead's Avalon, an amusing story about the reincarnation of King Arthur in modern day England. Perhaps the most enjoyable of all Lawhead's books is Byzantium. Byzantium is another fictional quest, this time relating a pilgrimage to present the Book of Kells to the Emperor of Byzantium. The plot is a familiar one in literature: a young man of faith suffers a succession of misfortunes, pain, and misery; feeling abandoned by God, he abandons God, but ultimately regains his faith through a remarkable sequence of events. I imagine Lawhead's story board for Byzantium was the most intricate of all his novels.

All Stephen Lawhead's novels are in paperback, published by Harper Torch and available at Amazon. I'm looking forward to time this summer to read the five books comprising his Pendragon Cycle.

Archived at http://www.securityskeptic.com/arc20040301.htm#BlogID219 by Dave Piscitello  


Tue, 16 Mar 2004
Launching Counterstrikes against DOS and Hacker Attacks?

News.com reports that Symbiot intends to release a product that will allow companies to retaliate against attackers. My first reaction to News.com's report on Symbiot's "defense system" was sheer puzzlement.

Is this a throwback to the Nuclear Arms Race, or what? Even the rhetoric in the quotes was reminiscent of the Fifties:

We're done with passive detection and blocking. You attack us, we'll strike back. Hard. Our response will be *proportionate* to the ferocity of the instigating attack.

Proportionate response? What's in the Koolaid in Texas these days?

Like the analysts and consultants who offered sound bites for the news piece, I asked, "Exactly what kind of response is proportionate to a denial of service? Who, exactly, do you retaliate against?"

Symbiot's web site is designed to garner all the attention the company obviously seeks. They claim to be ready to launch "the first IT security solution that can both repel hostile attacks on enterprise networks and accurately identify the malicious attackers in order to plan and execute appropriate countermeasures - effectively fighting fire with fire."

I'm speculating this is your basic "Drama queens in Austin" attempt to get as much media attention for a product launch as possible. Pray these folks don't take more pages from Reality TV and stage a proportionate incident response. Imagine the headlines...

Newco.com thwarts DDOS, takes China's power grid offline.

In response to last week's web defacement, Azmoston.com hacks into process control system near Madurai: ensuing chemical explosion destroys Meenakshi Temple.

NASQUAC.com detects trading fraud, initiates massive SQL injection attacks against major Euro and Asian market traders.

Archived at http://www.securityskeptic.com/arc20040301.htm#BlogID218 by Dave Piscitello  


Wed, 10 Mar 2004
FTC Spyware Workshop

If you live in the Washington, D.C. area and can find time, attend the FTC sponsored workshop, Monitoring Software on Your PC: Spyware, Adware, and Other Software, on April 19, 2004, from 8:30 a.m. until 5:30 p.m.

One of the stated focus areas of the FTC's conference is to consider possible responses to spyware concerns; specifically, What have consumers, government, and industry been doing and intend to do, by themselves or together, to address the harms associated with spyware?

To date, we've done little more than capitulate. Despite all the attention SPAM attracts, it is not nearly as insidious as spy- and tracking technology. Privacy drew considerably more attention five years ago, and it's almost as if we have surrendered the cause in the face of substantial investment in this questionable marketing methodology.

Consider this: if SPAM were to receive as much support from legitimate business as tracking technology, you'd never empty your in box.

Archived at http://www.securityskeptic.com/arc20040301.htm#BlogID217 by Dave Piscitello  


Mon, 08 Mar 2004
Why security comes up short...

A recent posting to firewall wizards illustrates two fundamental problems we absolutely must overcome before we can hope to improve security.

The post is a simple inquiry:

I'm working on ... trying to connect to someone on ... using iChat AV to AIM...they get an error that says is probably caused by a firewall. If this firewall is put in by their network, is there anyway around it?

Problem #1. If we only think of security as an inconvenience and seek to circumvent it, no amount of technology and process can help us. The corollary to this axiom: If, in addition to playing network cat-and-mouse with attackers, we are forced to do so with legitimate users, we are truly hosed.

Problem #2 (identified immediately by the firewall-wizards list moderator). "If the firewall blocks AIM, it's because of the local security policy." An unstated corollary to this axiom: explaining your local security policy and rationale to legitimate users increases the probability of compliance.

Archived at http://www.securityskeptic.com/arc20040301.htm#BlogID216 by Dave Piscitello  


Thu, 04 Mar 2004
PartyBingo dot com?

I subscribed to Virtual Press Office years ago so that I could get press passes for trade shows. I write freelance for trade pubs so I do in fact qualify. I never cancelled the subscription and VPO pushes email summaries of press releases.

Today was a slow press release day for security and wireless, so I glanced through releases in the other categories VPO includes in the mail they send me.

This release caught my eye...

Mar 04, 2004 14:29

PartyBingo.com to Co-Sponsor the 16th Annual World Championship Bingo Tournament and Gaming Cruise

CURACAO, Netherlands Antilles --(Business Wire)-- March 4, 2004 PartyBingo.com (www.PartyBingo.com), one of the leading online bingo sites -- in association with Bingo Bugle and Special Events Cruises -- will be the official co-sponsor of the 16th World Championship Bingo Tournament and Gaming Cruise in 2004, along with Bingo Bugle. Bingo Bugle has staged the cruise for the last 16 years.

This conjures images of a huge boatload of senior citizens arrayed along long rows of tables playing bingo 24x7 while the Carnival cruise ship, Conquest, makes its way to Curacao.

Of course, when everyone tires of Bingo, they can head to the slot machines. Aging gamblers in Paradise.

I pray I'll still be fit enough to ride and hike through the Grand Tetons.

Archived at http://www.securityskeptic.com/arc20040301.htm#BlogID215 by Dave Piscitello  


Wed, 03 Mar 2004
More "yesterday's weather" from Gartner

Today, Gartner issued a press release: Gartner Says Camera Phones Can Pose a Security Risk to Enterprises, but An Outright Ban by Companies is Shortsighted. In the release, they say that "businesses are concerned that camera phones can compromise their security and employees' privacy".

This is about as late-breaking and newsworthy today as "It rained in San Francisco, February 25th".

Where have Gartner's analysts been the past 4 months? Aren't analysts supposed to be spearheading trends and issues? I led a COMDEX panel in November 2003 that discussed handheld and smart phone security issues. I wrote an editorial a week later that's now posted at COMDEX/Networld+Interop LOOP. If you Google "camera phone security", you are deluged with information, emerging products, ... sheesh.

In the same release, Gartner sez, "there are a flood of high-tech consumer devices, not just camera phones, entering the workplace that could pose a security risk." Insightful. There are a flood of high-tech consumer devices that can electrocute you if dropped into your bathtub.

Continuing, Gartner sezzz, "There are Universal Serial Bus 'key ring' drives, some of which will soon feature built-in cameras that can quickly connect to almost any recent PC and take large amounts of information off the premises."

It snowed in Denver last January.

Perhaps someone should think about access controls for USB devices? It so happens I wrote about this three months ago for LOOP. An entire industry segment is well-funded and manufacturing all manner of USB security measures. Sheesh-squared.

I recall worrying at the time that my LOOP piece might be a bit stale. I suppose if I were an analyst, I wouldn't worry quite so much about this.

Then again, I'm not trying to fill seats in an Upcoming Mobile and Wireless Summit:-O

Trying to close on a pleasant thought, perhaps Gartner felt obliged to do some research, and found my columns...

Archived at http://www.securityskeptic.com/arc20040301.htm#BlogID213 by Dave Piscitello  


Tue, 02 Mar 2004
Virus Alerts - 1st and 2nd order propagation

The W32 NETSKY.B worm is all over the news. It's rated a high threat because of its propagation characteristics and IMO small potential for destructive behavior. Some experts suspect NETSKY may be a retaliation worm because it attempts to remove AUTORUN registry entries of several worms already unleashed. Trend Micro has one of the more comprehensive overviews and technical descriptions of the worm.

Many of you will receive dozens if not hundreds of well-intentioned notifications warning you that NETSKY is now "in the wild". (This is the term A/V experts apply to a worm that has been unleashed to wreak havoc on us all, to the apparent delight of its creator.)

eMail notifications have become a second-order propagation effect of worms. Your desktop antivirus vendor sends them. The antivirus gateway my ISP runs for its customers sends me an email for every infected message it detects. I've received 132 notices from this A/V gateway since February 29th. The morning's just begun here on the U.S. East Coast. By midday, I'll receive an equal or larger number of email messages from antivirus gateways all over the world, claiming I've sent an infected file to the organization the gateway protects.

My machine is clean of this and other viruses, so I haven't really sent infected messages anywhere, but since we refuse to implement non-repudiation of origin in our email systems, I can't prove this.

I've also received 11 messages from individuals who are horrified to discover their systems have been infected, or their email addresses have been used in the mail originator (From:) field of infected email. They all read like this one:

If you received a message from me with a strange attachment and you don't know what it is, please delete it. It is a virus.

Thanks.

Thanks? Think a minute about the irony of this closing remark. Thank you for accepting my original and possibly infected email message. Thank you for understanding that if you are like me and have failed to properly protect your system against viruses, your system is now infected. Thank you for reading Yet Another Pointless email from me. If you're going to send such messages, at the very least include a hyperlink to a removal tool!

Well-intentioned as this and A/V gateway notification efforts may be, such behavior only serves to prolong the effects of a worm. Call it Chicken-Little Syndrome.

OmiGod a worm is coming a worm is coming a worm is here I had a worm you sent a worm...

Worms succeed in part because otherwise reasonably intelligent people don't think before they open mail messages and attachments.

Demonstrate you've learned a lesson: resist the temptation of trying to correct a problem well out of your hands. If we leave notifications to the antivirus and mail servers, the dust will settle and business will resume normal operation faster. And if A/V administrators will spend some time thinking about the questionable efficacy of sending notifications everywhere in the email universe during a worm event, the dust will settle even faster.
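Here is the gateway-side half of that advice written down as code. This is an added example, not any vendor's gateway logic: it decides whether a "you sent us a virus" notice should go to the apparent sender at all, and suppresses it when the detected family is one that forges its From: address (so the "sender" is a victim, not the source), when the envelope sender is null (so a notice would only start a bounce loop), or when the same sender has already been notified enough times during an outbreak. The family list, the normalizer for vendor naming styles, the per-sender cap and the batch of sample detections are all assumed or constructed for the example.

```python
"""Should an A/V gateway notify the apparent sender of an infected message?

Added example, not a product's code. SENDER_FORGING_FAMILIES, the prefix
list in family(), MAX_NOTICES_PER_SENDER and DETECTIONS are assumptions
made for the example.
"""
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

# Families that forge the sender address, so the address in From: belongs
# to someone who never sent the message. Assumed list for the example; a
# real deployment would take this from the A/V vendor's signature metadata.
SENDER_FORGING_FAMILIES = {"NETSKY", "MYDOOM", "BAGLE", "SOBIG", "KLEZ"}

MAX_NOTICES_PER_SENDER = 3      # assumed cap per sender during one outbreak

# Vendor naming prefixes to strip when normalizing a detection name (assumed).
_PLATFORM_PREFIXES = ("WORM_", "W32/", "W32.", "WIN32/", "W97M.", "W97M/", "WM.")


class Detection(NamedTuple):
    envelope_from: str          # SMTP MAIL FROM; "" means the null sender <>
    header_from: str            # From: header as shown to the reader
    malware: str                # vendor detection name, e.g. "WORM_NETSKY.B"


def family(malware: str) -> str:
    """Rough normalizer: 'WORM_NETSKY.B' -> 'NETSKY', 'W32/Mydoom.A@mm' -> 'MYDOOM'."""
    name = malware.upper()
    for prefix in _PLATFORM_PREFIXES:
        if name.startswith(prefix):
            name = name[len(prefix):]
            break
    for sep in (".", "@", "-", "!"):
        name = name.split(sep)[0]
    return name


def notify_decision(det: Detection, sent_so_far: Counter) -> Optional[str]:
    """Return the reason a notice is suppressed, or None if it should be sent."""
    if not det.envelope_from:
        return "null-sender"                # replying to <> only creates loops
    if family(det.malware) in SENDER_FORGING_FAMILIES:
        return "forged-sender"              # the named sender is a bystander
    if sent_so_far[det.envelope_from] >= MAX_NOTICES_PER_SENDER:
        return "rate-limited"               # they already know
    return None


def process(detections: List[Detection]) -> Dict[str, int]:
    """Run the policy over a batch and count what was sent versus suppressed."""
    sent: Counter = Counter()
    outcome: Counter = Counter()
    for det in detections:
        reason = notify_decision(det, sent)
        if reason is None:
            sent[det.envelope_from] += 1
            outcome["sent"] += 1
        else:
            outcome[reason] += 1
    return dict(outcome)


# Constructed batch: a NETSKY storm that forges one person's address, a
# MYDOOM sample, a macro virus riding real mail (sender really did send it),
# and one message from the null sender.
DETECTIONS = (
    [Detection("dave@example.com", "dave@example.com", "WORM_NETSKY.B")] * 6
    + [Detection("dave@example.com", "dave@example.com", "W32/Mydoom.A@mm")]
    + [Detection("colleague@example.net", "colleague@example.net", "W97M.Melissa.A")] * 5
    + [Detection("", "dave@example.com", "WORM_NETSKY.B")]
)


if __name__ == "__main__":
    for reason, count in sorted(process(DETECTIONS).items()):
        print(f"{reason:15} {count}")
```

Run over the constructed batch, a naive gateway would have sent thirteen notices; this policy sends three, all to a sender whose machine genuinely relayed the macro virus. The 132 messages in my inbox come from gateways that lack the "forged-sender" rule, and the fix belongs on the gateway, not in the recipients' mail filters.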

Archived at http://www.securityskeptic.com/arc20040301.htm#BlogID212 by Dave Piscitello  


Mon, 01 Mar 2004
Anti-theft devices for laptops

A fellow bug-traqr posted a hyperlink to a Vancouver Sun article describing how students at Simon Fraser University had invented a device to deter laptop theft. The device combines a laptop lock with a radio transmitter. Users can leave their laptop unattended and be notified via a companion palm-held device if the laptop is moved.

This is in concept similar to proximity identification cards gaining popularity among HIPAA-regulated organizations. It's clever, but I'm not that convinced it is all that helpful. Straying even 10-15 feet from your laptop is a lot like leaving your purse to reserve a table at Starbucks.

A more interesting product would be something like a LoJack, a radio device in the laptop that law enforcement can use to track the laptop down. The problem is that a laptop isn't expensive enough (maybe the data are). While it might sound like something straight out of the original Mission Impossible television series, I could envision a value-added feature to the "LapJack": the radio device is a 2-way communicator, and the user can signal the laptop to boot, or securely erase the hard drive. After all, in many cases, the data on the laptop are more valuable than the laptop itself!

Archived at http://www.securityskeptic.com/arc20040301.htm#BlogID210 by Dave Piscitello