locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Fri, 28 May 2004 (Blog ID 258)
What is a blended threat?

In every Hollywood action movie, the action hero is a formidable adversary: adept in martial arts, an expert with explosives, a brilliant hit-and-run tactician, adept with every weapon imaginable. The action hero is an irresistible force.

Imagine if Chuck, Arnold, Jean-Claude, and the rest were drawn to The Dark Side. Now imagine that they are executable code on your computer. It’s not your imagination; it’s a blended threat. more...

Archived at http://www.securityskeptic.com/arc20040501.htm#BlogID258 by Dave Piscitello  


Thu, 27 May 2004 (Blog ID 257)
Validating Web Links

Site Valet offers a web site monitoring service with automated reporting and online tools. One of the free tools, Link Valet, spiders your site and checks the validity of the hyperlinks in web pages. Other free tools include Validator, which syntax checks your HTML, and cg-eye, which helps you diagnose script problems. While I still favor TIDY for HTML code checking, Link Valet is convenient and simple. I won't embarrass myself by telling you how many broken and deprecated links I found...

Archived at http://www.securityskeptic.com/arc20040501.htm#BlogID257 by Dave Piscitello  


Wed, 26 May 2004 (Blog ID 256)
Legislation and spyware

Before legislators and regulators (e.g., the FTC) can issue a law or regulation prohibiting a behavior or act, they must define that behavior and act. Many security professionals and attorneys worry that defining the behaviors and acts that constitute spam and spyware will provide "operating space" for spammers, trackers, pests, and spies. Specifically, if we define what constitutes inappropriate (sneaky) commercial applications of software delivery; secret information collection (tracking); and what Steve DelBianco aptly calls resisting removal behavior in software, we also define a sandbox in which developers can create intrusive applications that look and feel like spyware, and cookies that track user behavior, but operate within the definition of the law.

As DelBianco correctly asserts in his column, spyware is the quintessential 21st century bad business practice. He speculates, and I concur, that additional legislation may do more harm, where enforcement of existing laws prohibiting unfair and deceptive business practices may do more good. Bad business behavior is bad whether in the virtual or real world.

In the real world, we invite and consent to the installation of satellite dishes, cable TV and telephone connections and wiring in our homes and offices. We consent to security monitoring by a certified alarm company. Most of us would be outraged to find that surveillance cameras, recording devices, and microphones to collect information regarding our lifestyles would accompany the installation of any of these services. We expect to maintain control over who comes and goes in our homes and offices, and what they do while they are present on our property. It's not unreasonable for us to seek the same control over our computers, handhelds, and mobile phones. Spyware strips us of such controls.

The issue runs deeper than whether a cookie or music player application records the web pages I've visited and music I choose. It's a matter of trust versus violation of trust. Distinguishing spyware from adware from acceptable cookie and tracking ware isn't nearly so much a matter of technology as it is of trust.

I believe that legitimate adware, supportware, cookie, and tracking technology should provide:

  • notice of installation;

  • a description of all the activities it will perform and anticipated resource utilization;

  • a description of the kinds of advertisements it will display, and manner of display;

  • full disclosure of any information it will collect, the purpose of collection, and the parties to whom the information will be disclosed;

  • a local log function that provides the user with the means to corroborate these claims; and

  • a clean, non-resistant removal procedure.

Most importantly, all software should have opt-in installation and features selection facilities.

For example, a good business offers a free version of a media player with the following conditions stated during installation: (1) the user accepts entertainment-oriented ads; (2) the user agrees to the company gathering information limited to music titles and artists, movie titles, directors, producers, and actors, and play frequency; and (3) the company is permitted to sell this information, along with the user's name and address, to entertainment companies for the purpose of direct advertising. If the user declines (opts out), the media player will not install unless the user pays for and registers the product. The company gets something from you, and you get a media player from the company.

Notice that the music player is not "free"; it's using your CPU, memory, and bandwidth to profit by information it collects and ads it presents to you. Consider this real world analogy, illustrating a bad business practice. You purchase aspirin at Jocko's drug store, and have it delivered. Jocko's delivery van arrives, and three workers mount a neon "End Erectile Dysfunction now: buy vi@gr@ at Jocko's Drugstore" sign on your bedroom window, then use your electricity to power the darn thing. Meanwhile, Jocko's delivery boy rifles through your medicine cabinet, recording all your prescriptions. This is an unacceptable business practice. Many spywarez operate in exactly this manner. In the real world, we'd contact the Better Business Bureau or perhaps the police, and haul Jocko to court. We'd take advantage of existing laws and similar codes of practice enforced in countries throughout the world to hold Jocko accountable for unfair and deceptive business practices.

Before we begin writing new laws for spyware, let's see how much of the spyware cesspool we can clean up applying the laws we already have.

Archived at http://www.securityskeptic.com/arc20040501.htm#BlogID256 by Dave Piscitello  


Wed, 19 May 2004 (Blog ID 254)
A Case for Identity Management

Ask ten security administrators to identify their biggest security concern today. The majority will identify worms, spam and application-level (Web) attacks. A smaller number will respond that user and access management trouble them. Chances are the administrators in the minority are managing the largest, most diverse organizations. more...

Archived at http://www.securityskeptic.com/arc20040501.htm#BlogID254 by Dave Piscitello  


Tue, 18 May 2004 (Blog ID 253)
ReplayTV added to my network

I've always been a late adopter of technology. I love disruptive technologies but hate the "first with the boy toy" premium. When Amazon.com reduced the price of the 80-hour model 5500 to $226 including shipping, I figured, "it's time..."

To connect my ReplayTV to the Internet, I expanded my HomePlug network to three power line bridges. Since I'd just encountered wiring *issues* earlier this month, I verified my network expansion by connecting this third HomePlug directly to a laptop (rule of thumb when networking: never introduce more than one new variable - cabling, adapter, device, topology change, protocol, OS, application - at a time!). The physical path between the ReplayTV and the office bridge provides 4.6 Mbps, so here's an example of how HomePlug bandwidth varies with line quality.

ReplayTV does TCP/IP about as plug-and-play as you can imagine, using DHCP out of the box, but failing over to manual configuration if no DHCP server is discovered. My pool of DHCP served addresses is intentionally small, and I forgot to increase it before I added my 5500 to my network, so I manually configured Internet settings. I wanted to get a feel for the intended user experience, so I reset the device to factory defaults (remarkably, it's documented in the manual!) and the rest proceeds automagically.

Fifteen minutes after ReplayTV is installed, I am thinking, "how did I live without this?" The value add of ReplayTV for me and my wife is a simple proposition: 90% of TV programming on our 70+ channels is dreadful, and 5% of what remains is Law and Order. We figure we can program ReplayTV to record the 5% or less of what we would love to watch and play it when we manage to find an hour to relax before we crash.

Archived at http://www.securityskeptic.com/arc20040501.htm#BlogID253 by Dave Piscitello  


Mon, 17 May 2004 (Blog ID 252)
Defense in depth: crunchy on the outside?

The theme for SearchSecurity.com: This Week May 17, 2004, is Defense-in-depth. The promo for this Joel Snyder webcast explains that, "Perimeter defense leads to a network that is crunchy on the outside but soft on the inside."

I'm pretty certain that the phrase "defense in depth" originated in the DoD. I'm also certain that the DoD didn't intend defenses to ever be crunchy, but rather, hard. Crunchy conjures images of World War II G.I.'s being overrun by German Panzers in the Ardennes forest. Knowing Joel, I don't think he'd have chosen crunchy if given a choice.

Fried chicken, various breads and candies are crunchy on the outside. Defenses shouldn't be crunchy. This is a case of marketing copy gone awry. Googling, I find that others have used crunchy to describe security for SANS and WLANs. The phrase draws a bad analogy, please don't use it.

Defense in depth means strong perimeter *and* interior defenses. Phil Carden wrote a column in 1997 titled Stored File Encryption: Boiled Eggs and Scrambled Data, in which he explained that security architectures that store data in plain text are like soft-boiled eggs, whereas those that utilize stored data encryption are like hard-boiled eggs.

Dr. Bill Hancock coined and frequently used the Twinkie analogy. In TISC and SANS presentations during 1999, Bill claimed that, "Security is like a Twinkie: it's what's inside that counts".

Today, the Twinkie analogy is accurate for a different reason than Dr. Bill intended. Most perimeters are not hard. We alternatively describe security perimeters as extended, inverted, collapsed, and fluid. In a word, they're soft.

The latest buzzword among the endpoint and web services security wonks is de-perimeterized. I loathe when nouns are used as verbs, so I can't in good conscience bless the term without de-intelligencing or stupidating myself. Let me simply say that the term "perimeter" is no longer applicable when used in the singular for a given organization. If you use perimeter, use the plural, perimeters.

Every mobile client - perhaps every client - should have its own perimeter defense (in the form of personal firewall software or an OS hardened against network attacks). Every broadband connection - generally, every network segment where a security policy describes a trusted versus untrusted interface - should have a perimeter (firewall). Every application server farm should have a perimeter (application and network firewall).

Joel will almost certainly tell you to secure the interior of your network. I wholeheartedly agree. Remember, however, that defense in depth implies layers of security, and one of the layers consists of many, strong perimeters.
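The "many, strong perimeters" argument is easy to state and easy to get wrong in a rule base, so here is an added example (mine, not from the original post) that models it. Three perimeters the post calls for, a segment firewall, an application firewall in front of a server farm, and a host firewall on the server itself, are each a first-match rule set, and a flow must clear every layer before it is allowed. The topology, addresses, ports and rules are hypothetical; the point is to compare a perimeter-only policy (soft inside) with the layered one on the same flows.

```python
"""Defense in depth modelled as ordered perimeters (added example).

Each Perimeter is a first-match rule set that fails closed. evaluate()
walks the perimeters outermost first; a flow is allowed only if every
layer allows it. Topology, addresses and rules are hypothetical.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # source network, CIDR notation
    dst: str                     # destination network, CIDR notation
    dport: Optional[int] = None  # TCP/UDP destination port, None = any


@dataclass
class Perimeter:
    name: str
    rules: List[Rule]
    default: str = "deny"        # fail closed: no matching rule means deny

    def decide(self, src: str, dst: str, dport: int) -> str:
        src_ip = ipaddress.ip_address(src)
        dst_ip = ipaddress.ip_address(dst)
        for rule in self.rules:  # first matching rule wins
            if (src_ip in ipaddress.ip_network(rule.src)
                    and dst_ip in ipaddress.ip_network(rule.dst)
                    and rule.dport in (None, dport)):
                return rule.action
        return self.default


def evaluate(perimeters: List[Perimeter], src: str, dst: str,
             dport: int) -> Tuple[str, Optional[str]]:
    """Return ("allow", None) if every layer permits the flow, otherwise
    ("deny", <name of the first layer that blocked it>)."""
    for p in perimeters:
        if p.decide(src, dst, dport) != "allow":
            return "deny", p.name
    return "allow", None


# Hypothetical topology: internal LAN 10.0.0.0/8, management subnet
# 10.0.99.0/24, server farm 10.20.0.0/24 with a web server at 10.20.0.10.
SEGMENT_FW = Perimeter("segment firewall", [
    Rule("allow", "0.0.0.0/0", "10.20.0.10/32", 443),    # public HTTPS
    Rule("allow", "10.0.0.0/8", "10.20.0.0/24"),          # whole LAN trusted
])

APP_FW = Perimeter("application firewall", [
    Rule("allow", "0.0.0.0/0", "10.20.0.10/32", 443),    # only the web service
    Rule("allow", "10.0.0.0/8", "10.20.0.0/24", 22),      # SSH from the LAN
])

HOST_FW = Perimeter("host firewall on 10.20.0.10", [
    Rule("allow", "0.0.0.0/0", "10.20.0.10/32", 443),
    Rule("allow", "10.0.99.0/24", "10.20.0.10/32", 22),   # SSH from mgmt only
])

CRUNCHY = [SEGMENT_FW]                    # perimeter only: soft on the inside
LAYERED = [SEGMENT_FW, APP_FW, HOST_FW]   # defense in depth


if __name__ == "__main__":
    for flow in [("203.0.113.5", "10.20.0.10", 443),   # Internet -> HTTPS
                 ("203.0.113.5", "10.20.0.10", 22),    # Internet -> SSH
                 ("10.0.5.7", "10.20.0.10", 445),      # infected LAN PC -> SMB
                 ("10.0.5.7", "10.20.0.10", 22),       # infected LAN PC -> SSH
                 ("10.0.99.4", "10.20.0.10", 22)]:     # admin -> SSH
        print(flow, "perimeter only:", evaluate(CRUNCHY, *flow),
              "layered:", evaluate(LAYERED, *flow))
```

The instructive rows are the ones from 10.0.5.7: with the segment firewall alone, an infected LAN PC reaches SMB on the server, because the segment rule trusts the whole LAN; with the layers in place the SMB attempt dies at the application firewall and the SSH attempt, which the application firewall passes, dies at the host firewall. No single layer is doing all the work, which is the property you are after.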

Archived at http://www.securityskeptic.com/arc20040501.htm#BlogID252 by Dave Piscitello  


Sun, 16 May 2004 (Blog ID 251)
Isolating a home office network dead spot

After installing a WiFi card on a laptop I recently purchased, I discovered I could not roam in my home. After confirming that my SSID and TCP/IP settings were correct, I monitored the AP signal. Both APs in my home were working correctly, on separate channels with a common SSID.

My home APs are bridged using HomePlug Ethernet (see blog 171). I first confirmed that my problem wasn't a simple matter of uplinking the HomePlug adapter in my office to the wrong network. I then plugged a laptop directly into one of the HomePlug adapters. I discovered that my signal over power line was weak, a modest 2.95 Mbps. This was a noticeable drop from the 9.2 Mbps I'd experienced when I installed this network, so I returned to my office and recalled that I'd moved the HomePlug adapter from one outlet to another when juggling to add yet another piece of equipment to my office. Moving the HomePlug adapter in my office to the original outlet restored my home network. When I have an electrician install an additional, dedicated circuit to my office this summer, I'll make certain to have him test all my outlets for proper grounding and termination.

The moral of this story: WLANs aren't always the culprit when network connections fail.

Archived at http://www.securityskeptic.com/arc20040501.htm#BlogID251 by Dave Piscitello  


Sat, 15 May 2004 (Blog ID 250)
Google AdSense

I am experimenting with Google AdSense. Google places ads of vendors and services that are relevant to the types of things I write about. If you choose to visit one of the ads, I receive a micro-payment. I hope to recover some of the time and thought I put into my blog through AdSense.

Google frowns on click-thru abuse, and I am a bit nervous about ad abuse and fraud. If you see an ad of a white paper you might find interesting, by all means visit it. Don't visit ads thinking you'll help Dave earn a Ferrari or pay for college tuitions: I don't need the ad revenue that badly.

During the first week of running AdSense, I've tried to confirm that the ads placed by Google are relevant to the content I've created. You'll find ads for firewalls on the firewalls category page, antispam products on the SPAM page, etc. One place where oddball ads may appear is my Rant page. I have the option of blocking ads I deem inappropriate, so if you encounter one, please email me the URL and I will blacklist that site.

By adding AdSense, I've now introduced a (Google) cookie into the equation. I realize some security people despise cookies. I believe the cookie is only created if you click through a link and will confirm this with a LAN analyzer shortly. I'm sorry if the presence of a cookie prevents you from visiting my blog. Google explains their privacy policy at https://www.google.com/adsense/faq#privacy1, so I encourage you to read it if you're uncomfortable.

Do visit my AdSense links if the ads intrigue you. Some of the ads intrigue me. I'm careful to copy the URL and visit without the AdSense cookie so that Google has no reason to suspect abuse on my part (I suspect they filter my requests and will investigate).

Last point. I won't be modifying my content or restraining myself from expressing an opinion simply because I now have "sponsors". If a company complains about something I write, I'll add them to my AdSense blacklist (and tell you!).

Thanks in advance for your support and appropriate use:-)
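If you want to settle the "when is the cookie set" question from a capture rather than a belief, the check is mechanical: read the Set-Cookie headers out of each response and note who set them and for how long. The following is an added example (mine; not Google's code and not from the original post) that does that over raw HTTP response text of the kind a LAN analyzer hands you. Both responses are constructed, and adserver.example is a hypothetical ad host standing in for whatever the ad script actually talks to.

```python
"""Audit the cookies a captured HTTP response sets (added example).

Parses Set-Cookie headers from raw response text and reports each cookie's
effective domain, whether it is third party relative to the page being
viewed, whether it outlives the browser session, and its Secure/HttpOnly
flags. The captures below are constructed.
"""
from typing import Dict, List, Tuple

PAGE_HOST = "www.securityskeptic.com"   # the site the visitor is reading


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs from the header block of a raw response."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    pairs = []
    for line in head.split("\n")[1:]:           # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def parse_set_cookie(value: str) -> Dict[str, str]:
    """Split 'name=val; Domain=x; Path=/; Secure' into a dict of attributes."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": val.strip()}
    for attr in parts[1:]:
        k, _, v = attr.partition("=")
        cookie[k.strip().lower()] = v.strip()   # flag attrs get value ""
    return cookie


def same_site(cookie_domain: str, host: str) -> bool:
    """True if host is the cookie domain or a subdomain of it."""
    d = cookie_domain.lstrip(".").lower()
    return host == d or host.endswith("." + d)


def audit_response(raw: str, served_by: str,
                   page_host: str = PAGE_HOST) -> List[dict]:
    """Describe every cookie the response sets."""
    report = []
    for name, value in parse_headers(raw):
        if name != "set-cookie":
            continue
        c = parse_set_cookie(value)
        # Without a Domain attribute the cookie belongs to the responding host.
        domain = c.get("domain", served_by).lstrip(".").lower()
        report.append({
            "name": c["name"],
            "domain": domain,
            "third_party": not same_site(domain, page_host),
            # Browsers reject a Domain the responding host is not inside.
            "domain_mismatch": not same_site(domain, served_by),
            "persistent": "expires" in c or "max-age" in c,
            "secure": "secure" in c,
            "httponly": "httponly" in c,
        })
    return report


# Constructed capture: the ad script response from the hypothetical ad host.
AD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/javascript\r\n"
    "Set-Cookie: id=22feca4; Domain=.adserver.example; Path=/; "
    "Expires=Sun, 15 May 2005 00:00:00 GMT\r\n"
    "Set-Cookie: seen=1; Path=/; HttpOnly\r\n"
    "\r\n"
    "document.write('<!-- ad markup -->');\r\n"
)

# Constructed capture: the blog's own server setting a session cookie.
BLOG_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sess=9f1c; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html>...</html>\r\n"
)


if __name__ == "__main__":
    for row in audit_response(AD_RESPONSE, "adserver.example"):
        print("ad host  ", row)
    for row in audit_response(BLOG_RESPONSE, PAGE_HOST):
        print("blog host", row)
```

Run it against the response to the page load itself and, separately, against the response to a click-through; if the persistent third-party cookie only shows up in the second, the belief above holds for that capture. A Domain attribute the responding host does not sit inside is reported as a mismatch because a browser would refuse it, so it tells you nothing about tracking.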

Archived at http://www.securityskeptic.com/arc20040501.htm#BlogID250 by Dave Piscitello  


Mon, 10 May 2004 (Blog ID 249)
Insider error

The 2003 CSI/FBI Computer Crime survey has lots of folks worrying that it's difficult to detect insider initiated attacks. I actually worry more about insider error.

Insider errors are more prolific than attacks. They may be root causes of attacks. They include:

  • The employee who creates unprotected shares;

  • runs unauthorized services;

  • has no use for personal firewall software;

  • fails to patch and hot fix operating systems and applications;

  • falls prey to spoof email or phishing;

  • fails to maintain virus definitions;

  • keeps accounts and passwords in text files created in NotePad, and caches passwords to save keystrokes;

  • installs software of unverified origin, without approval.

Such employees fall victim to spyware, keyloggers, worms, trojans, and combinations thereof (also known as blended threats).

Blame the employee? Perhaps. Blame the policies and processes that make non-technical employees responsible for client security and administration?

Better.
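Several of the errors in that list can be found before someone else finds them. Here is an added example (mine, not from the original post) for one of them, accounts and passwords kept in text files: it walks a directory, scans text-like files for password=value lines and for URLs with user:password@ embedded, and reports each hit with the secret masked so the report does not become one more plaintext copy. The patterns, file suffixes and the sample file contents are my own constructions; expect false positives on phrases like "password policy" to be rare but not zero, and tune the regexes to your environment.

```python
"""Find credentials kept in plain text files (added example).

Scans text files for key=value secrets and user:password@ URLs and returns
findings with the secret masked. Patterns, suffix list and sample text are
constructed for this example.
"""
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

# key = value style: password=..., pwd: ..., db_secret=...
KEYVAL = re.compile(
    r"(?P<key>\w*(?:pass(?:word|wd)?|pwd|secret))\s*[:=]\s*(?P<val>\S+)", re.I)
# scheme://user:password@host style
URLCRED = re.compile(
    r"(?P<prefix>[a-z][a-z0-9+.-]*://[^/\s:@]+:)(?P<pw>[^@\s]+)@", re.I)

TEXT_SUFFIXES = {".txt", ".ini", ".cfg", ".conf", ".bat", ".log"}
MAX_BYTES = 1_000_000        # skip anything that is not a small text file


def looks_like_placeholder(value: str) -> bool:
    """Ignore <redacted>, ${VAR}, %VAR%, **** and similar stand-ins."""
    return value.startswith(("<", "${", "%", "*"))


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, finding type, masked evidence) for each hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in URLCRED.finditer(line):
            hits.append((lineno, "url-embedded", m.group("prefix") + "****@"))
        for m in KEYVAL.finditer(line):
            if looks_like_placeholder(m.group("val")):
                continue
            hits.append((lineno, "key-value", m.group("key") + "=****"))
    return hits


def scan_tree(root: Path) -> List[Tuple[str, int, str, str]]:
    """Walk a directory and scan every small text-like file."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        if path.stat().st_size > MAX_BYTES:
            continue
        text = path.read_text(encoding="utf-8", errors="ignore")
        for lineno, kind, evidence in scan_text(text):
            findings.append((path.name, lineno, kind, evidence))
    return findings


# Constructed sample of the kind of notes file the post describes.
SAMPLE_NOTES = """vpn host=vpn.example.com
user=jdoe
password=Summer2004!
ftp://dave:hunter2@ftp.example.com/pub
note: the password policy requires 8 characters
db_pwd: <redacted>
"""


def demo() -> List[Tuple[str, int, str, str]]:
    """Build a throwaway directory holding the sample and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "accounts.txt").write_text(SAMPLE_NOTES, encoding="utf-8")
        # Not a text suffix, so it is skipped even though it would match.
        (root / "readme.doc").write_text("password=ignored", encoding="utf-8")
        return scan_tree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point it at a user profile or a shared drive and treat every hit as a password that has to be rotated, not just deleted: once it sat in a text file you cannot know who read it.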

Archived at http://www.securityskeptic.com/arc20040501.htm#BlogID249 by Dave Piscitello  


Fri, 07 May 2004 (Blog ID 247)
Anatomy of a Phishing Expedition

Phishing must be a hot topic. Gartner says it is so it must be so: you know how much stock I put in what Gartner says.

No matter. Phishing is a pretty serious problem, but it really is an ailment we can manage with education rather than technology. I've written a complementary article to Recognizing and responding to spoof email messages, which I wrote for LOOP earlier this week. Read Anatomy of a Phishing Expedition.

Archived at http://www.securityskeptic.com/arc20040501.htm#BlogID247 by Dave Piscitello  


Thu, 06 May 2004 (Blog ID 245)
Compliment on Phishing article at LOOP

Scott Pinzon is an excellent editor. I've written perhaps three dozen articles for WatchGuard Technologies under Scott's educated eye and gentle editing pen. So when I receive a compliment from him, I get excited. Scott's email regarding my LOOP article, Recognizing and responding to spoof email messages, was high praise indeed:

Damn! Your article on spoofed emails/phishing, on the Loop site, is terrific.

I'm jealous that we didn't get to publish it -- the highest compliment I can offer.

Scott Pinzon

LiveSecurity Lead Editor

WatchGuard Technologies, Inc.

Archived at http://www.securityskeptic.com/arc20040501.htm#BlogID245 by Dave Piscitello  


Wed, 05 May 2004 (Blog ID 246)
Networld+Interop Las Vegas 2004

I will be moderating sessions and delivering presentations next week at Networld+Interop, on a wide range of security topics, including wireless security, Identity Management, Blended Threats, Security for IP Telephony, and Application Security.

When I put a security conference together, I try to write about as many of the topics in my program as possible. This serves four purposes. I am forced to bone up on the subject. Subject matter experts I invite to participate in a panel can read my columns to get an idea of how I feel about a particular topic. Attendees can read about a topic and decide whether they'd like to sit in on a session. And people who can't attend the conference get something for nothing.

I've written about many of these topics for Interop Loop. Find my IP Telephony security articles here; Blended Threats here and Application Security here.

Archived at http://www.securityskeptic.com/arc20040501.htm#BlogID246 by Dave Piscitello  


Tue, 04 May 2004 (Blog ID 244)
Recognizing and responding to spoof email messages

I recently received a suspicious email, purportedly from eBay, requesting that I log into a web page to verify my account information. If you're curious how I and my partner, Lisa Phifer, examine email messages to determine if they are valid or bogus, read my Loop column, Recognizing and responding to spoof email messages.
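The column itself is off this page, so what follows is an added example of mine, not the method the column describes. It runs the mechanical part of examining a message like the eBay one: does the Reply-To or Return-Path domain differ from the From domain, does any link's visible text name a host other than the one its href actually goes to, and does any link point at a raw IP address. The message is constructed (203.0.113.45 is a documentation address), base_domain() is a crude last-two-labels guess that is wrong for registries like co.uk, and a Return-Path mismatch on its own is weak evidence, since legitimate bulk mailers bounce through other domains all the time.

```python
"""Header and link checks for a suspected spoof email (added example).

check_message() returns (finding code, detail) pairs for: Reply-To or
Return-Path domains that differ from From, links whose visible text shows
one host while the href goes to another, and links to raw IP addresses.
The sample message is constructed.
"""
import ipaddress
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


def base_domain(host: str) -> str:
    """Crude registrable-domain guess: last two labels (wrong for co.uk etc.)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def addr_domain(header: Optional[str]) -> Optional[str]:
    """Domain part of the address in a From/Reply-To/Return-Path header."""
    if not header:
        return None
    _, addr = parseaddr(header)
    return addr.rpartition("@")[2].lower() or None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_message(raw: str) -> List[Tuple[str, str]]:
    """Return (finding code, detail) pairs; an empty list means nothing odd."""
    msg = message_from_string(raw)
    findings = []
    sender = addr_domain(msg["From"])
    for hdr, code in (("Reply-To", "reply-to-mismatch"),
                      ("Return-Path", "return-path-mismatch")):
        d = addr_domain(msg[hdr])
        if sender and d and base_domain(d) != base_domain(sender):
            findings.append((code, f"{hdr} domain {d} vs From domain {sender}"))

    # Assumes 7-bit text parts; decode transfer encodings first for real mail.
    parts = msg.get_payload() if msg.is_multipart() else [msg]
    body = "".join(p.get_payload() for p in parts
                   if p.get_content_type() in ("text/html", "text/plain"))
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        target = host_of(href)
        if is_ip_literal(target):
            findings.append(("ip-literal-link", href))
        shown = host_of(text) if "://" in text else ""
        if shown and target and base_domain(shown) != base_domain(target):
            findings.append(("link-text-mismatch",
                             f"shows {shown}, goes to {target}"))
    return findings


# Constructed sample modelled on the "verify your account" lure.
SAMPLE = """From: "eBay" <aw-confirm@ebay.com>
Reply-To: verify@ebay-secure-login.example
Return-Path: <bounce@mail.example.net>
Subject: Verify your account
Content-Type: text/html

<p>Please visit <a href="http://203.0.113.45/cgi-bin/ebay/login.htm">https://signin.ebay.com/</a> to confirm.</p>
<p>Questions? See <a href="http://pages.ebay.com/help">Help</a>.</p>
"""

if __name__ == "__main__":
    for code, detail in check_message(SAMPLE):
        print(f"{code:22} {detail}")
```

On the sample the two link findings are the ones that matter: a login link whose text says signin.ebay.com but whose href is a bare IP is about as clear a tell as a message can carry, and the checks are cheap enough to run on every message that asks you to "verify" anything.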

Archived at http://www.securityskeptic.com/arc20040501.htm#BlogID244 by Dave Piscitello  


Mon, 03 May 2004 (Blog ID 243)
It pays to certify...

Network World is running a trailer ad for certification programs in one of their many e-newsletters. The ad touched a raw nerve, for more reasons than one.

This ad begins, "Not sure if you should spend the time and money pursuing IT certifications? And, if you do, whether or not your efforts will translate into a 'beefed-up' paycheck or open the doors to advancement opportunities? In this NW Special Report: It Pays to Certify - we take a look at what certification may or may not bring to the table."

The ad reinforces the (growing?) opinion that certification is all about money and advancement for the individual. The ad doesn't encourage IT departments to "beef up" expertise. It doesn't give enterprises any ROI or other evidence that certified practitioners will help improve operations and security.

It doesn't give me a warm feeling that certification programs are what they ought to be, and appreciated for what they ought to produce.

Archived at http://www.securityskeptic.com/arc20040501.htm#BlogID243 by Dave Piscitello