locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Wed, 30 Jun 2004 (BlogID 276)
Encouraging signs

The ACLJ and Bush administration are no doubt less encouraged by recent Supreme Court decisions than I am. Mind you, I'm no fan of child pornography and terrorism, but I am a great fan of the U.S. Constitution. As loathsome as I find child porn, I have to agree that the Child Pornography Prevention Act of 1996 is overly broad and vaguely worded. The CPPA needs better language to be effective. In its current form, it's easily manipulated by law enforcement and equally easy for porn mongers to elude. Write an enforceable law, then enforce it.

I abhor violence and terrorism, but I also have to agree that terrorist suspects held by the military, both foreign nationals and American, have the right to challenge their detention in the U.S. court system. I'm not comfortable claiming the United States is a democratic society when we can arbitrarily call someone an enemy combatant, detain that individual, and deny the right to challenge that detention in a U.S. court. Detention of this sort was wrong in the 1770s, the 1930s and 40s, and it remains wrong today. By including foreign nationals, the Supreme Court clearly tells the international community something the current administration has failed again and again to convey. We aren't exclusionary in our definitions of democracy and equality. The life of an American citizen is not more valuable than the life of any other world citizen.

Archived at http://www.securityskeptic.com/arc20040601.htm#BlogID276 by Dave Piscitello  


Tue, 29 Jun 2004 (BlogID 277)
Product Evaluations

I receive requests to review or trial security software all the time. In the past, I've done so informally, and have included sentences or paragraphs recommending auditing, scanning, and other security tools and products I've found interesting and useful.

I've revised my review process and guidelines. I now spend more time evaluating "enterprise" class software than shareware, and will write formal reviews of security products. These will be posted at www.securityskeptic.com. An example is this month's review of Syhunt's Sandcat Vulnerability Assessment Tools.

I intend to perform these reviews as a community service. Vendors are free to solicit a review, with the following caveats:

  • These are independent reviews. The views expressed in this article will be expressly mine. I will give vendors the opportunity to read what I publish for technical accuracy.

  • I will not review any product where I have an advisory relationship or financial interest in the company.

  • I will only review fully licensed, non-expiring versions of products. Since I may review a product over the course of several months before writing the review, I won't be bothered dealing with license renewals, trial versions with limited features, etc. Vendors with products requiring operating system environments other than those I can create here may have to ship equipment needed to perform the review.

  • I will not accept any form of compensation for reviewing a product other than the continued, licensed use of the product.

  • I will not publish reviews of products that I find entirely unacceptable. I'm not interested in killing companies. I will identify the show-stopping problems to the vendor with the expectation that my comments will help the company correct course and ultimately deliver something of use to the community.

  • Vendors are welcome to publish the review at their own web site, without alteration, with full attribution and a hyperlink back to my site and Core Competence. See Syhunt.com for an example.

I have limited time to do this sort of community service, so expect at most one review per calendar month. If you have any questions, please contact me.

Archived at http://www.securityskeptic.com/arc20040601.htm#BlogID277 by Dave Piscitello  


Sun, 27 Jun 2004 (BlogID 275)
If the sink fits...

When our part-Siamese kitten, Cookie, isn't ridding our lawn of moles and our attic of critters, he chills out in a "made-to-fit" oval sink in our master bathroom. Cookie is a Garfield wannabe: eat, sleep, eat, catch a critter, whack the dog... repeat...

Archived at http://www.securityskeptic.com/arc20040601.htm#BlogID275 by Dave Piscitello  


Sat, 26 Jun 2004 (BlogID 274)
More Stephen Lawhead recommendations

I wrote earlier that I thoroughly enjoyed and recommended Stephen Lawhead's Celtic Crusades series - The Iron Lance, The Black Rood, and The Mystic Rose. I found several other Lawhead books fascinating, and recommend these as well:

  • Avalon is a curious story of the return of Arthur Pendragon in the modern millennium. Lawhead uses a Welsh prophecy - that Arthur will return to battle evil and that Avalon will rise again - as the basis for this tale. The story switches millennia frequently, as the modern-day Arthur recalls his loves and wars and wizardry. Merlin's in the modern day as well. A very different Arthurian tale.

  • Byzantium tells the tale of an Irish monk sent on a pilgrimage to present the Emperor of Byzantium with the Book of Kells. Like the Celtic Crusades, this book weaves history, myth, and religion. In the narrative, the young monk relates his numerous adventures, misfortunes and unexpected encounters, a fall from grace and faith, and ultimately, his epiphany. Lawhead's always entertaining, but I think this book in particular is an outstanding accomplishment.

I've ordered the first three books of Lawhead's Pendragon Cycle, and hope to read these while camping later this month.

Archived at http://www.securityskeptic.com/arc20040601.htm#BlogID274 by Dave Piscitello  


Fri, 25 Jun 2004 (BlogID 273)
Spam and identity theft prove a costly tandem

Everyone who hates spam has to be delighted over the conviction and sentencing of Howard Carmack, the Buffalo Spammer. An Erie County, NY judge sentenced this low-life to 3.5-7 years for identity theft. How do I know he's a low-life? Well, the judge whacked him with a maximum sentence because he had prior felony convictions (fraud, money order forgery). Howard will keep busy in prison working to pay part of the $16 million judgment awarded to Earthlink in an earlier civil suit.

So how's your spam count this month? Mine's down. While I'm not optimistic that these rulings will slow spam over the long term, it's nice to simply see less for a change. It's also nice to see justice served.

Archived at http://www.securityskeptic.com/arc20040601.htm#BlogID273 by Dave Piscitello  


Thu, 24 Jun 2004 (BlogID 272)
Considerations when comparing firewalls

A recent post to a firewall mailing list asked, "I want to compare two firewalls... what aspects do we need to compare?" A seemingly simple question, right? Download the spec sheets from the vendor, compare the hardware and security features each offers. Try to get an eval unit from each vendor, test drive the units, stress them a bit, get a feel for the configuration console...

Taking this approach, it will be difficult to conclude anything other than, "this one handles well, the entertainment system is way cool, and check out the color!" More...

Archived at http://www.securityskeptic.com/arc20040601.htm#BlogID272 by Dave Piscitello  


Wed, 23 Jun 2004 (BlogID 271)
Trolling or Trawling?

I lurk on a number of security email lists. Several cover penetration testing and "ethical hacking". I've searched the hosting sites for these lists for Codes of Conduct - you know, "I promise to exchange and use information posted here in an ethical manner and not for malicious purposes" - but can only find privacy statements.

Let's assume, then, that some lurkers and posters on some of these lists are legitimately trawling for information while others are trolling. According to the geeksnet glossary, trolling is "deliberately posting false information in order to elicit responses from people who really want to help".

Trolling can be a useful form of social engineering or information gathering. Consider a thread with the following exchanges:

Troller

"I'm using FrontPage 2002 on my Windows 2000 SBS. I installed URLscan and now my users complain they can't get to my site. I set AllowHighBitCharacters=0. What did I miss?"

Victim

"It sounds like your server's denying FrontPage access. Did you set AllowDotInPath to one? See MKBA-307976 and MKBA-309394."

Troller

"Yes, it's set to one. Are you using FP2002 and W2KSBS? Maybe I'm missing a patch?"

Victim

"Yes, I'm using the same version of FP and SBS. I'm not current with patches, we've been busy here, so maybe a recent patch is screwing you up."

This troller's hit a home run. Assuming the victim's using his company email, he can use the information the victim disclosed trying to be helpful: operating system and server type, configuration of one of the security measures, and best of all, not current with patches.

Don't laugh. I see this all the time. It's amazing how much information otherwise responsible and intelligent people disclose if they feel they are in a comfort zone. Many technical professionals have as strong allegiances to their mailing lists as septuagenarians have to golf foursomes at their country clubs.

This is yet another example of why maintaining good net security is more a social than technology problem.
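As an added illustration, not part of the original post, here is the kind of check an outbound mail filter, or a cautious list member, could run over a reply before it goes to a public list. The message text, the sender address and the regular expressions are constructed for this example; the four categories mirror what the victim above gave away: platform, product version, security configuration, and patch status. The public-webmail list is an assumption standing in for whatever an organisation would maintain.

```powershell
# Added example: flag environment details in an outbound mailing-list reply.
# The message below is constructed for this example; the patterns are
# illustrative and would need tuning for a real environment.

$reply = @"
From: admin@example-corp.com
Subject: Re: URLscan and FrontPage 2002

Yes I'm using the same version of FP and SBS: FrontPage 2002 on Windows 2000 SBS,
URLscan with AllowDotInPath=1. I'm not current with patches, we've been busy here,
so maybe a recent patch is screwing you up.
"@

# Disclosure categories and the regular expressions that spot them.
$disclosurePatterns = [ordered]@{
    'Platform'        = '\bWindows\s*(2000|XP|NT|Server\s*\d+)(\s*SBS)?\b|\bW2K\w*|\bSBS\b'
    'Product'         = '\bFrontPage\s*\d{4}\b|\bFP\s*\d{4}\b|\bIIS\s*\d(\.\d)?\b|\bURLscan\b'
    'Security config' = '\b[A-Za-z]{4,}\s*=\s*[01]\b'   # URLScan-style key=value settings
    'Patch status'    = 'not\s+(current|up[- ]to[- ]date)\s+(with|on)\s+(the\s+)?patches|\bunpatched\b|missing\s+a\s+patch'
}

# Mailbox providers whose addresses do not point at an organisation (assumed list).
$publicMailDomains = @('gmail.com', 'hotmail.com', 'yahoo.com')

function Find-EnvironmentDisclosure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Message,
        [System.Collections.IDictionary]$Patterns = $disclosurePatterns
    )
    # One finding per distinct match, tagged with its category.
    $findings = foreach ($category in $Patterns.Keys) {
        foreach ($m in [regex]::Matches($Message, $Patterns[$category], 'IgnoreCase')) {
            [pscustomobject]@{ Category = $category; Match = $m.Value.Trim() }
        }
    }
    $findings | Sort-Object Category, Match -Unique
}

function Get-SenderAttribution {
    # Returns the sender's domain when it is not a public mailbox provider,
    # i.e. when the disclosures can be tied to a specific organisation.
    param([Parameter(Mandatory)][string]$Message)
    if ($Message -match '(?m)^From:\s*\S+@([\w.-]+)') {
        $domain = $Matches[1].ToLower()
        if ($publicMailDomains -notcontains $domain) { return $domain }
    }
    return $null
}

$findings = Find-EnvironmentDisclosure -Message $reply
$findings | Format-Table -AutoSize

$org = Get-SenderAttribution -Message $reply
if ($org -and ($findings.Category -contains 'Patch status')) {
    Write-Warning "Reply from $org discloses platform, configuration and patch status to a public list."
}
```

On the constructed reply this reports Windows 2000 SBS, FrontPage 2002, URLscan, AllowDotInPath=1 and "not current with patches", and warns because the From: address ties all of it to example-corp.com. A tool like this does not stop a determined poster, but it makes the cost of a helpful reply visible at the moment it is being written, which is where the social problem described above has to be addressed.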

Archived at http://www.securityskeptic.com/arc20040601.htm#BlogID271 by Dave Piscitello  


Tue, 22 Jun 2004 (BlogID 270)
Endpoint Security: F.U.D., hype, hardware, or security basics

Endpoint security. Admission control. Scan on connect. Is endpoint security some hitherto unknown problem for which there are no known countermeasures? Do the only practical solutions involve new hardware? Read the full article here.

Archived at http://www.securityskeptic.com/arc20040601.htm#BlogID270 by Dave Piscitello  


Mon, 21 Jun 2004 (BlogID 269)
Book Review: Hacking for Dummies

I'm not a big "... for Dummies" book fan. Perhaps if they were "... for the self-deprecating but actually reasonably intelligent" I would feel better. The primary definition of "dummy" is actually silent or mute, so the titles offend me and are not PC. One last criticism about the title before I tell you why I recommend the book. The title ought to be Ethical Hacking for Dummies, since the author states at the outset that the book's not a training guide for mischief and malice.

On to the positive. The author, Kevin Beaver, takes a very broad and misunderstood topic and does a commendable job providing a training guide for testing networks for vulnerabilities. He covers the fundamentals of assessing networks and computer systems for misconfigurations, missing patches, and flawed designs. He tackles the unenviable task of assessing multi-operating system security, covering Windows, Linux, and Novell NetWare. Kevin covers Wireless LANs and application security, two areas that deserve additional coverage. If you were to simply read the summary sections of each chapter and apply the recommended measures, you would undoubtedly improve your network security.

Kevin sets the bar for prior knowledge lower than I believe readers actually need in his *Foolish Assumptions*. He fails to mention that anyone who sets out to assess a network needs to know a good deal about Internet protocols. While it's true you can learn quite a bit by simply running some scanning tools and reading LAN analyzer output, this book isn't for the same audience that would purchase "World Wide Web for Dummies" or "Microsoft Office for Dummies". If you are keen on becoming an Ethical Hacker, become a protocol guru first. I still recommend Richard Stevens' TCP/IP Illustrated, a 1993 work of art that is still in print and a living testimony to a special man who is sorely missed.

This is a good introductory book on Ethical Hacking published in a misleading genre. I suggest you buy the book, cover it with brown paper as we did in elementary school, and write "My First Book of Ethical Hacking".

Archived at http://www.securityskeptic.com/arc20040601.htm#BlogID269 by Dave Piscitello  


Fri, 18 Jun 2004 (BlogID 268)
Sympathies to the family of Paul Johnson, Jr.

The daily dose of hate, anger, evil, malice and destruction just keeps growing and my faith in mankind is withering. I'm certain Tim Berners-Lee and all those who helped invent the web never imagined it would host the horrifying content posted today by suspected al-Qaeda terrorists. My family will pray for Paul Johnson Jr.'s family and friends. Please take a moment and do the same.

Archived at http://www.securityskeptic.com/arc20040601.htm#BlogID268 by Dave Piscitello  


Sun, 13 Jun 2004 (BlogID 267)
Kinati 2PDF Converter Website

There are times when authors who wish to make original works available online want to protect the integrity of the work and also mark the work with some permanent form of attribution. I began paying more attention to work integrity when I discovered copies of Powerpoint presentations I'd given at conferences at multiple web sites. In one case, a rogue publisher had converted my presentation to HTML, but substituted his name and organization in place of mine, and had actually given the presentation without my knowledge or consent. Other times, I receive requests from attendees for the original Powerpoint. I ask the purpose, and I'm often told that the requester wants to incorporate my material into a presentation he will give to his organization or clients. I ask if any attribution will be applied to my work, but what assurance do I really have that the requester will honor the claim?

I haven't found a perfect and inexpensive way to do this, but am experimenting with watermarked Adobe Acrobat files. One inexpensive way to create these is to use the Kinati 2PDF Converter Website. Kinati provides the ability to distill Powerpoint (and other) files to PDF with a watermark, password, and with Adobe's print, user copy, and change protection. Simply submit the filename, choose the distilling "features", and Kinati emails you a hyperlink from which you retrieve the converted document. Kinati's privacy policy indicates they do not resell your email address.

Kinati affords me some flexibility in how I satisfy requests for documents. They are not the only site offering this service, but they are quick, the quality is good, and they appear to be responsible.

Archived at http://www.securityskeptic.com/arc20040601.htm#BlogID267 by Dave Piscitello  


VOIP Security Threats (Presentation)

I've made a copy of my Networld+Interop presentation, VOIP Security Threats available here.

Archived at http://www.securityskeptic.com/arc20040601.htm#BlogID266 by Dave Piscitello  


Sat, 12 Jun 2004 (BlogID 265)
Copyrights and Microsoft

As I idle away time repairing an XP Professional install, my mind wanders to the inconsistent way Microsoft manages copyrights. For a company that is committed to digital copyrights management, they overlook trivial matters...

Boot your Windows PC, and ask yourself, "if I were Microsoft, why would I continue to permit Windows 2000 to boot with a © spanning from 1985 through 1999 and Windows XP Professional © spanning from 1985 through 2001? Are they no longer copyrighted? Fat chance. But given that Microsoft patches often seem part of my daily regimen, can't they include a patch that extends the copyright claim when you boot?

Archived at http://www.securityskeptic.com/arc20040601.htm#BlogID265 by Dave Piscitello  


Fri, 11 Jun 2004 (BlogID 263)
IP Telephony Security, Part I: Threats to Subscribers

IP networks are now used to handle an increasing number of voice calls. The marriage of voice and IP offers many benefits, but there's a dark side of this union. The combined attack targets and vectors present a formidable threat to users and IPT operators (private and public). Read the complete LOOP column here.

Archived at http://www.securityskeptic.com/arc20040601.htm#BlogID263 by Dave Piscitello  


Thu, 10 Jun 2004 (BlogID 264)
Product Evaluation: Syhunt Sandcat Suite

Secure web site administration has become increasingly challenging and labor intensive. IT organizations rarely have adequate time to review web application code and server configuration changes before they are put into production. The result is predictable: web sites are vulnerable to numerous attacks. But being proactive is a tricky proposition for many organizations. Web application protection and vulnerability assessment technologies are enterprise-grade and typically come with a hefty price tag.

I've written articles before describing how small and medium businesses can build a web server vulnerability assessment toolkit. After completing an evaluation and running a number of tests, I recommend you consider Syhunt's Sandcat Suite of web application security tools. Read my evaluation here.

Archived at http://www.securityskeptic.com/arc20040601.htm#BlogID264 by Dave Piscitello  


Mon, 07 Jun 2004 (BlogID 262)
History lessons and VPNs

Virtual Private Networking is passé. More accurately, what we considered when we began designing and deploying VPNs nearly a decade ago - protocols enabling authenticated, encrypted tunnels to transport authenticated data - has become less important, a mere part of the picture instead of the whole. Questions like "Which protocol is best?" and "Which encryption should I use?" are now less relevant than "How can I satisfy my application access and security requirements?" and "Do I really want this device connected to my network?"

This is A Good Thing, and typically the consequence of practical deployment experience. Watching The History Channel's 10 Days to D-Day, I pondered how little has changed with regard to how technology evolves, and how often we can do better with small adjustments instead of wholesale re-engineering.

Consider the ingenuity demonstrated by the Allies when they encountered hedgerows in the Bocage, France. The first waves of tanks were easily destroyed by German anti-tank weapons as they exposed their thinly armored undercarriages while attempting to climb over the hedgerows. Several strategies were considered:

  1. Attempt to modify undercarriage armor on thousands of Shermans in the field;

  2. blast through the hedgerows using explosives;

  3. use bulldozers.

(1), a classic standards body approach, involves all sorts of recalculations to minimize the impact of the added weight to the tank's overall performance. It fails to consider the impact of delay on the installed base. It reminds me of IKEv2.

(2), a brute-force or administrative fiat approach, overlooks the small matter of how noisy explosions tend to disclose troop locations, and reminds me of policy definition without an impact analysis. I could be cruel here and say it also fails to consider an exit strategy, but I won't...

(3) is very practical, but the Allied war machine was implemented to crank out many more Shermans than bulldozers. Re-tooling the war machine makes less sense here than (1) since ultimately, we'd need a lot more tanks than bulldozers.

The solution? The Allies turned Shermans in the field into bulldozers using railroad tracks. This field modification was refined so that the "rhinoceros" Shermans mowed through the hedgerows with an improvised cutter.

I'm tempted to draw an analogy between rhinoceros Shermans and the evolution and adoption of SSL for secure remote access. SSL was in the field. It was readily available. It could be easily adapted to satisfy secure access in a much shorter timeframe than an IKE redesign and field upgrade. Folks in the field who understood the problems and needs jury-rigged a secure access alternative that could get the job done quickly.

Someone could make the argument that improving IKE is the appropriate long-term solution since an IP level VPN protects application and transport payloads. Improving the undercarriage armor of a Sherman in 1944 could arguably have been the right, long-term course as well.

Archived at http://www.securityskeptic.com/arc20040601.htm#BlogID262 by Dave Piscitello  


Fri, 04 Jun 2004 (BlogID 261)
FAT and removable media

Paul Hoffman reminded me that I spend too much time in a Windows monoculture when he commented:

"All my external USB2 or FireWire hard drives are FAT. Why? Because it is the only format that will read and write equally well on XP and Mac OSX (and FreeBSD). That's good enough for me."

Paul's absolutely right. If you are sharing files across platforms, FAT is the only format that works. I concede the point.

Since Paul's a founder of the Virtual Private Networking Consortium (VPNC), I could not resist teasing him by replying, "I would have thought Mr. VPNC would have used FTP over IPSec between disparate operating systems and never conceded to such unsecured transfer of data:-)" Always quick on the repartee, Paul replied that 200 Gigabytes is a bit much to push over an encrypted tunnel...

Archived at http://www.securityskeptic.com/arc20040601.htm#BlogID261 by Dave Piscitello  


Wed, 02 Jun 2004 (BlogID 260)
Eliminate FAT file systems

The Windows FAT file system offers neither encryption nor file access controls (user- and group-level permissions on files). Why is anyone still using it?

Windows experts say the only reasons to use FAT are to provide dual boot capabilities, and to boot from a diskette. But precious few folks actually dual boot - even if there are a million of you, you represent at most two percent - and diskettes are on the deprecation trail. So if you fall into either of these categories, don't read any further.

Still with me? I thought so. Eliminating FAT from your PC or laptop is easy, right? Choose NTFS during setup. But what if your PC or laptop manufacturer shipped your OEM version of Windows NT/2000/XP on a FAT volume? In this case, you can use convert.exe. This command line utility converts a FAT volume to NTFS in place, keeping the files on it; it is not a reformat. If the volume holds the running operating system (or any open files), convert.exe cannot lock it and will offer to schedule the conversion to run at the next restart.

Why am I writing about this, still? It turns out that certain OEM recovery disks rebuild your C:\ drive to be FAT. My partner, Lisa Phifer, and I monkey with all sorts of applications and drivers, (some in beta), and our laptop file systems and registries turn to sludge much faster than the average user. Lisa takes the path of least resistance, builds a restorable drive image, and reinstalls this each time instead of the OEM recovery disk.

I am finally doing the same. Following my recent laptop purchase, I used Partition Magic to create a primary partition for a "clean" install of Windows 2000 operating system from the OEM disk. I created an Extended Partition with three logical partitions: one for virtual memory (swap); one for applications; and one for data files. I installed Win2k, MS Office and the CIS Security Scoring Tool. I hardened the laptop according to the Win2kProGold_R1.2.4.inf template, which included all the Windows 2000 updates and service packs. Finally (hours later) I created a drive image (we use PowerQuest Drive Image) and burned this to a CD. I didn't install drivers for the several network adapters I use because these change frequently as well, and driver bloat is one of the things Lisa's helped me appreciate I should avoid. I think this will save me a fair bit of time, over time.
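As an added example, not from the original post, the following PowerShell script does the inventory and conversion step above in a repeatable way: it lists fixed volumes still formatted FAT, shows the in-place convert.exe command for each (dry-run by default), and then uses what NTFS adds over FAT, a per-folder access control list, on a data partition. Win32_LogicalDisk, convert.exe and icacls are standard Windows components; the data folder D:\data and the WhatIf-only default are assumptions for the example.

```powershell
# Added example: find FAT volumes, convert them in place, then use NTFS ACLs.
# Assumes a data partition at D:\data (adjust to taste). Back up before converting:
# convert.exe keeps the data but the change cannot be undone without a reformat.

function Get-FatVolume {
    # DriveType 3 = local fixed disk. FileSystem reads FAT, FAT32 or NTFS.
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3' |
        Where-Object { $_.FileSystem -match '^FAT' } |
        Select-Object DeviceID, FileSystem,
            @{ Name = 'SizeGB'; Expression = { [math]::Round($_.Size / 1GB, 1) } }
}

function Convert-VolumeToNtfs {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][ValidatePattern('^[A-Za-z]:$')][string]$DeviceID)

    if ($PSCmdlet.ShouldProcess($DeviceID, 'convert FAT volume to NTFS in place')) {
        # If the volume holds the running OS or open files, convert.exe offers to
        # schedule the conversion for the next restart; answer Y at the prompt.
        & "$env:SystemRoot\System32\convert.exe" $DeviceID /FS:NTFS
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "convert.exe returned $LASTEXITCODE for $DeviceID"
        }
    }
}

$fat = Get-FatVolume
if (-not $fat) {
    'No FAT volumes on fixed disks.'
} else {
    $fat | Format-Table -AutoSize
    # -WhatIf only prints what would run; drop it to convert for real.
    foreach ($v in $fat) { Convert-VolumeToNtfs -DeviceID $v.DeviceID -WhatIf }
}

# What the conversion buys you: FAT has no per-user permissions, NTFS does.
# Strip inherited ACEs from the data folder, grant only the current user and
# SYSTEM full control, then read the resulting ACL back with Get-Acl.
$dataDir = 'D:\data'   # assumed location of the data partition's working folder
if (Test-Path $dataDir) {
    icacls $dataDir /inheritance:r /grant:r "${env:USERNAME}:(OI)(CI)F" 'SYSTEM:(OI)(CI)F' | Out-Null
    (Get-Acl $dataDir).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
}
```

Two checks are worth doing after a real conversion. First, confirm with fsutil fsinfo volumeinfo (or Get-CimInstance as above) that the volume now reports NTFS, since a scheduled conversion that could not lock the volume simply does not happen. Second, review the ACLs the converter left behind, particularly on a converted system volume: a volume that is NTFS but grants Everyone full control has gained nothing over FAT, and the security template mentioned above is the straightforward way to reset those permissions to a known baseline.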

Archived at http://www.securityskeptic.com/arc20040601.htm#BlogID260 by Dave Piscitello  


Tue, 01 Jun 2004 (BlogID 259)
Use GPS for Laptop Lojack

Commenting on the topic "laptop theft and countermeasures", Paul Schumacher writes:

Subject: blog - laptop LoJack alternative

To: dave@corecom.com

Hi, Dave

When I was working as a digital design engineer, I did some work with GPS. These receiver 'engines' were the size of business cards, and about 5 mm thick, and cost $150 in single quantities (no interface). Probably much smaller today.

If instead of squealing an RF signal for the police to triangulate on, the lojack were to give a continuously updated GPS location of the stolen item, it would make the police's job quite simple. This could be easily built into a laptop, or any other high value item. It could also be a PCMCIA card to retrofit a laptop. An added benefit is the user could access his GPS location.

The police would be more interested in recovering lower priced equipment than high value cars if all they had to do was read a display saying that the missing or stolen item was at the corner of 5th & Main than if they had to triangulate on the car or item by driving around town.

Sincerely yours,

Paul Schumacher

Your image of a laptop squealing for the police notwithstanding, I like it!

I think this is how my Sprint PCS phone "locates" me. So it's doable using commodity hardware. Now all we need is a business plan for running the monitoring operation, some working capital, and we're in business...

Archived at http://www.securityskeptic.com/arc20040601.htm#BlogID259 by Dave Piscitello