locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Tue, 31 Aug 2004 00:00:00 00, 301
Windows XP SP2 Resources

Another resources page? Didn't I just post two others? OK, so I live in my office on weekends and have no life other than to provide helpful insight to others. I've installed Windows XP SP2 and am evaluating it as I type this blog entry (honest, I'm running SuperScan to see what Windows Firewall blocks by default as I type!).

The good news thus far is that the XP SP2 install finished clean but the process was tedious and the download long, even over Etherloop. Consider ordering a CD. The bad news is that so much has been written in anticipation of Windows XP SP2 that it's nearly impossible to get a read on how good or bad it really is without simply installing it - just don't install it on your one and only PC yet...

If you have a small or medium business, I really recommend you take a PC out of production, install XP SP2, and play with it. If you don't know exactly what to play with, cheer up! I've put a resources page together on Windows XP SP2 at Windows XP SP2 resources. I've tried to include the resources I read to prepare myself before installing SP2, and other resources I found while attempting to get a sense of how the Windows as well as Microsoft-bashing communities were faring with their SP2 deployment and testing.

To its credit, Microsoft's put together a lot of useful information. Of course, it's really hard to navigate Microsoft's web site using "XP SP2" as your only search argument, so I've tried to include the "best of" here. If you find other good resources, let me know.

Archived at http://www.securityskeptic.com/arc20040801.htm#BlogID301 by Dave Piscitello  


Sun, 29 Aug 2004 00:00:00 00, 300
Phishing and Fraud Prevention Resources

My Loop columns on phishing and spoof email are frequently visited. I've replied individually to enough emails about phishing to conclude I really ought to pull my resources together and make them available online. Visit phishing resources.

Archived at http://www.securityskeptic.com/arc20040801.htm#BlogID300 by Dave Piscitello  


Fri, 27 Aug 2004 00:00:00 00, 299
Spyware: your worst nightmare

You think viruses, worms, blended threats and spam are bad? Spyware is worse...

Spyware is software - a program file, a browser helper object, or a dynamic link library, for example - installed on your computer, without your knowledge and permission. Sometimes called adware, nastyware, crapware, scumware, and worse, it's all aggravating, and intrusive. It's enough to turn pacifists into violent activists. In some respects, spyware evokes the same kinds of emotional reactions as a Republican National Convention.

I've been investigating spyware for a series of articles I wrote for Watchguard and Loop. Much of the spyware out there is unsolicited advertising: marketing invertebrates monitor your web browsing and direct advertising to you based on the sites you've visited. The former is annoying and maybe embarrassing: you can't begin to imagine what that one innocent visit to hotgirlsofcleveland.com does to your Internet experience.

I mention in all my articles that adware "data mining" also poses a privacy issue to individuals and a vector for sensitive information disclosure for businesses.

Then there's the "And you thought it was YOUR PC" problem. Beyond relentless advertising, spyware and adware often hijack a computer browser, driving users to alternative search sites, or even to competitors of e-merchant sites users are trying to visit. My son's PC was infected with a particularly nasty, blended threat of a spyware/adware package. It seized his browser and hosed his Google toolbar. It took any search he attempted and redirected him to some deceptive practices search site. It also warned him that he had spyware (how kind), and invited him to use Spyware Stormer (which is a rogue antispyware, BTW).

I also explain how spyware can be as malicious as trojans incorporated into a blended threat attack. Keyloggers may be installed as part of the package. Spyware may turn ugly on you. Try to remove it, and spyware may self-destruct and leave your Registry, browser configuration, and DLLs damaged beyond recovery. My son learned a "life lesson" last week, when we reinstalled Win2K Pro on his PC. That life lesson happens to include "Play with P2P, die with P2P"...

Antispyware appears to be abundant, but I'm sorry to say that deceptive practices and crapware taint the antispyware product market. Rogue antispyware may offer free scans, but many produce long lists of false positives to frighten you into purchasing the product. Others, as I mentioned above, blast you with popups and other forms of unsolicited and misleading advertising: isn't this what you're trying to eliminate?

I've created a spyware resources page here. Please use it! You'll find dozens of articles explaining spyware and recommending removal and protection strategies. You'll find my personal recommendations for combating spyware here as well.

This page is an active work in progress. I welcome you to comment here or at Loop and contribute to the list of resources I've begun.

Archived at http://www.securityskeptic.com/arc20040801.htm#BlogID299 by Dave Piscitello  


Thu, 26 Aug 2004 00:00:00 00, 298
Beyond "My Documents"

Like so many technical professionals, I pay my debt to society by helping friends, not-for-profits, and private schools solve computer and networking problems. The most common problems are (1) virus and spyware infections; (2) badly fragmented C:\ drives; and (3) no appreciation for file organization.

Problem (1) usually requires that I make a house call with a bootable Windows XP CD (See BartPE, my blog entry 223) and try to remove the virus or otherwise repair a Windows OS.

For problem (2), I again make house calls, this time with a USB hard drive so I can copy off whatever the PC owner deems valuable, create enough space to defrag the drive and point the owner to my blog entry 286 on Defragmentation 101.

Problem (3) drives me crazy. My experience is that 8 out of 10 home PCs treat the My Documents folder like a 20x20 public storage unit. *Everything* goes there. Of course, My Documents is always on drive C:\ and few PCs come with partitions, so the mechanical saves to this location eventually lead to problem (2), and often leave PC owners in the lurch: if a virus has rendered their C:\ drive completely useless, it is often the case that they will lose some "valuable" files when they perform an OEM recovery.

I'm no doubt identifying the operating environment of your PC, or of someone you know. My remedial action for this behavior is a three-stage therapy.

  1. Remove as many "valuable" files as the owner chooses and defrag the hard drive.

  2. Reboot the machine into MS-DOS, run a disk partition program. I generally create an extended partition, and within this partition, I create a partition for applications, and a partition for data (and music).

  3. I explain that they should not mechanically install programs to drive C:\ but to the partition called "APPS", and show them how to modify MS Office and music applications to save to folders other than My Documents, on a separate partition I name whatever the PC owner wishes (FAMILY, DATA, STUFF..). In some cases, I create a partition exclusively for MUSIC.

For the unavoidable encounter with a PC owner who insists on having My Documents, I ask for a glass of water, and while he or she is away, I create a new My Documents folder in a partition other than C:\ - sneaky, but it saves a house call.

It's sad that PC manufacturers so rarely partition drives. It would save so many headaches.

Archived at http://www.securityskeptic.com/arc20040801.htm#BlogID298 by Dave Piscitello  


Mon, 23 Aug 2004 00:00:00 00, 297
In defense of self-publishing...

My colleague and friend, David Strom, has been discussing blogs and self-publishing in his recent Web Informants #382 and #383 .

In WI #383, David permits Deb Radcliff of the Freelance Business and Technology Writers' Association (www.fbtw.org) to comment on self-publishing. Deb presents a dim view of self-publishing, and I'd like to offer a rebuttal to the conclusion that "Self-publishers and blogs are unsafe, abusive, and lack credibility" expressed therein.

I don't dispute that many blogs are unsafe, lack credibility, exhibit poor judgement and dreadful taste. But these sad examples, in general, are hosted blogging sites. They are largely unsupervised playgrounds, and educating folks about the risks and credibility of such venues is A Good Thing.

I do find more and more serious professionals using blog software rather than web publishing tools to produce very credible and valuable content. These folks - and I include myself - run their own secure servers. They moderate and filter comments, and the responsible ones are as fastidious regarding privacy, error and libel as traditional media. Professional self-publishers invest time, talent, and research as seriously in their blog endeavors as they do when they freelance or write white papers for traditional publishers. Such blogs allow professionals to explore topics other than those on which they typically provide consultation and advice. Some are personal, and they give readers and potential clients valuable insight into the character of the individual they might hire. Some are off the mainstream topics, and perhaps reveal to clients other dimensions of the practitioner/consultant.

Some are editorial. There are too few traditional publications to permit broad editorial opportunities for the number of people who are capable of providing credible OpEd. Others are simply pro bono activities. A security professional publishes a brief configuration note for IIS or Windows 2003 server. An HTML professional recommends a utility that generates reports from web log files. These are all valuable activities.

Many such blogs offer RSS feeds. I routinely visit at least a dozen such blogs. I find them to be a marvellous complement to traditional publications. And in a number of cases, I find the stories more accurate and technical than those a beat writer composes.

Self-publishing is easy. Like traditional publishing, GOOD self-publishing is demanding, and the good self-publishers hold themselves accountable. You can get the same protections from responsible self-publishers as you get from traditional media.

It's just as inappropriate to lump all blogs in the "iffy and unreliable" category as it is to claim all newspapers are scandal rags. Don't condemn a technology; castigate instead those who misuse it.

Archived at http://www.securityskeptic.com/arc20040801.htm#BlogID297 by Dave Piscitello  


Fri, 20 Aug 2004 00:00:00 00, 296
SSL VPN: the name is lamentable, but the services are not…

The term SSL VPN was adopted in the late 1990s by vendors who needed to distinguish secure access by the authenticating and encrypting protocol they used. Your solution was proprietary, SSH-, SSL-, or IPsec-based, hence SSL VPN. Today the term is dreadfully constraining and is more confusing than helpful in describing what SSL VPNs are and do. More...

Archived at http://www.securityskeptic.com/arc20040801.htm#BlogID296 by Dave Piscitello  


Tue, 17 Aug 2004 00:00:00 00, 295
Are the virus writers really winning?

Recently, Network World Fusion interviewed the respected antivirus researcher, Mikko Hyppönen. The title of the article and conclusions therein suggest that The Virus Writers Are Winning. I suggest you read Mikko's answers more carefully. When asked, "Who's winning this battle?", he only concedes that virus writers "always have the upper hand because they have access to [security vendors'] products". If the virus writers were winning, we'd be dealing with viruses that couldn't be quarantined or removed at all, leaving you no recourse but to reinstall your OS, and you'd soon be more expert in the process of reinstalling Windows than your neighborhood PC repair folks. More.

Archived at http://www.securityskeptic.com/arc20040801.htm#BlogID295 by Dave Piscitello  


Thu, 12 Aug 2004 00:00:00 00, 293
Program Uninstall Information for Windows

If you are hesitant to even open the Windows Registry, but are having trouble removing programs, try PUI. This utility displays registry entries and uninstall strings for installed programs and Windows updates. You can also remove programs from the built-in user interface (instead of Add/Remove Programs).

PUI also identifies programs that cannot be uninstalled. Sometimes, programs leave uninstall data in temp folders, and these are deleted. Other programs are installed by the manufacturer or Microsoft and cannot be removed. Badly written software sometimes can't be removed using conventional Add/Remove Programs: as the author notes, PUI saves you the trouble of searching all over the net only to learn, "you can't remove it".

PUI claims to detect certain spyware and adware, and these, too, can be deleted from the user interface. This isn't the primary feature and purpose of PUI, but a good complement to an already nice piece of software.

PUI (freeware) is written by Ur I.T. Mate Group and can be found at http://www.it-mate.co.uk. This is also a credible download site for 100% true freeware: no baits, no lures, no registration, no popups, and the software available for download is completely free of charge, fully functional, and free of advertising, spyware and malware.

Archived at http://www.securityskeptic.com/arc20040801.htm#BlogID293 by Dave Piscitello  


Wed, 11 Aug 2004 00:00:00 00, 294
Is IE as good as it gets?

A SearchWin2000.com survey indicates 39% of the respondees plan to dump Internet Explorer, 35% said they would keep using it and 24% favored using IE and some other browser. Do these figures reflect a kneejerk reaction to Scob or a vote of no confidence in Microsoft's browser specifically, and Microsoft wares in general?

However you choose to interpret the results, I'm pretty certain that if your desktop environment consists of IE, Outlook, Messenger, Office, and the Windows operating systems, and you care even a whit about security, you are investing considerable time, brain cycles, and bandwidth patching software, and securing configurations.

It's perfectly reasonable for you to be asking, "Is this as good as it gets?" More...

Archived at http://www.securityskeptic.com/arc20040801.htm#BlogID294 by Dave Piscitello  


Mon, 09 Aug 2004 00:00:00 00, 292
Dumb thread of the week

From the Ethereal-Users mail list...

Subject:

[Ethereal-users] DECRYPTING IPSEC / ESP PACKETS

Message body:

Hi,

does anybody know how to decrypt IPSEC / ESP packets to see the real packets?

Later, someone commented, "Use TCPDUMP -E". Yes, you can use TCPDUMP with this option, if you've compiled with cryptography enabled and you know the shared secret key for ESP. The man page for TCPDUMP also adds, "The option is only for debugging purposes, and the use of this option with truly 'secret' key is discouraged."

Somehow, I don't think this is the answer the original poster wanted to hear...
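The ESP wire format that tcpdump -E has to parse before it can decrypt anything, as an added example that is not from the original post or the Ethereal thread: it encapsulates and decapsulates ESP with the NULL cipher (tcpdump's "none" algorithm) and an HMAC-SHA1-96 authenticator, so it runs on Python's standard library alone. The SPI, key and payload values are constructed for the demo; without the security association's key an observer gets only the cleartext SPI and sequence number.

```python
# Added example (not from the original post): ESP framing with the NULL
# cipher (RFC 2410, tcpdump's "none") plus HMAC-SHA1-96 integrity protection.
# SPI, key and payload values below are constructed for the demo.
import hashlib
import hmac
import struct

ESP_HDR = struct.Struct("!II")   # SPI, sequence number (always cleartext)
ICV_LEN = 12                     # HMAC-SHA1-96 truncated authenticator
IPPROTO_UDP = 17


def build_esp_null(spi, seq, payload, next_header, auth_key):
    """Encapsulate payload in ESP with NULL encryption and append an ICV."""
    # Pad so that payload + pad + the 2 trailer bytes is a multiple of 4.
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))          # RFC 4303 default pad bytes
    trailer = bytes([pad_len, next_header])
    authed = ESP_HDR.pack(spi, seq) + payload + padding + trailer
    icv = hmac.new(auth_key, authed, hashlib.sha1).digest()[:ICV_LEN]
    return authed + icv


def peek_esp(packet):
    """What any observer sees without keys: SPI, sequence number, total size."""
    spi, seq = ESP_HDR.unpack_from(packet)
    return {"spi": spi, "seq": seq, "length": len(packet)}


def decapsulate_esp_null(packet, auth_key):
    """Verify the ICV, then strip the ESP trailer; raises on a bad key/tamper."""
    if len(packet) < ESP_HDR.size + 2 + ICV_LEN:
        raise ValueError("ESP packet too short")
    authed, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, authed, hashlib.sha1).digest()[:ICV_LEN]
    # Check integrity before touching the payload, as an IPsec stack must.
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch: wrong key or modified packet")
    spi, seq = ESP_HDR.unpack_from(authed)
    pad_len, next_header = authed[-2], authed[-1]
    body = authed[ESP_HDR.size:-2]                  # payload + padding
    if pad_len > len(body):
        raise ValueError("bad ESP pad length")
    return {"spi": spi, "seq": seq, "next_header": next_header,
            "payload": body[:len(body) - pad_len]}


if __name__ == "__main__":
    key = b"constructed-demo-auth-key"
    inner = b"\x30\x39\x00\x35\x00\x0c\x00\x00DEMO"   # constructed UDP datagram
    pkt = build_esp_null(0x1000, 7, inner, IPPROTO_UDP, key)
    print(peek_esp(pkt))                              # visible to everyone
    print(decapsulate_esp_null(pkt, key))             # needs the SA's key
```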

Archived at http://www.securityskeptic.com/arc20040801.htm#BlogID292 by Dave Piscitello  


Fri, 06 Aug 2004 00:00:00 00, 291
Oracle Security resource

Pete Finnigan has composed an impressive list of papers on attacking and securing Oracle databases and servers at PeteFinnigan.com Limited. I know Pete by reputation and published one of his papers while editor of TISC Insight. In addition to many fine papers he's authored, Pete's compiled a nice set of intro-to-expert papers on many aspects of Oracle security. This site's worth bookmarking if you are running an Oracle database.

Archived at http://www.securityskeptic.com/arc20040801.htm#BlogID291 by Dave Piscitello  


Wed, 04 Aug 2004 00:00:00 00, 290
Sayonara, Eudora, ohayo-gozaimasu Pmail

I have been using Eudora email clients since my Macintosh SE days, so it's no small deal for me to be changing email clients. Why change after nearly two decades of use?

Things I love to hate about you, dora. I purchased Eudora 4.1 for Windows and subsequent upgrades, yet the program insists on asking me to register over and over again. It periodically asks me to reveal my user behavior. It processes hyperlinks badly (a symptom that has persisted from Windows NT through XP, on five computers). Filters have always been non-intuitive and clunky.

Never can say goodbye? For years, I've found excuses for not trading in or trading up. Version 4.3.2 supports whatever version of PGP I use, and I use the version that works with the folks in my keyring. I have a filter set, clunky and overly long, that mostly works. I know every power key. I know nearly all the files in the Eudora folder, and what I don't know about the .ini file, I can learn quickly from my colleague Fred Avolio or my partner, Lisa. I can resurrect folders from 1994 (if the floppies are still readable), the mail looks as if it's just arrived. I should be sittin' fat and happy, right?

Familiarity breeds contempt. For all that versions 4, 5, and 6 purport to have changed, they haven't really changed. I downloaded the trialware for each major version, and despite new skins and "new" features, it's still pretty much the same Eudora I've launched every day. I'm still using 4.3.2 because trial after trial, I just didn't see anything sexy or edgy enough to make me want to buy the new software, or buy the PGP that works with it.

I realize that I still have that "email clients should be free" mentality that first attracted me to Eudora. Somewhere on the Internet, there must be some client that does what Eudora does, and is more secure.

What I found was David Harris' Pegasus Mail (Pmail). I've used it for only 24 hours, but am already very comfortable with it, largely because it's enough like Eudora in ways I find important, and different or better in features I found lacking in Eudora. For "unencumbered and free" it's a very complete piece of software. It installed cleanly, and didn't require a restart (always earns a smiley face). It's got a familiar and intuitive user interface, similar to Eudora in many respects. Filter creation is (for me) more intuitive than in Eudora. Spam and content protection are built-in. Pmail has shared-secret based email security for bulk encryption and digital signing, and it supports PGP. Fancy email editing includes font styles, tables, picture insert, hyperlink embedding. The Pmail client is also an LDAP, Finger, and PH client. It has distribution list support, and works with Norton AntiVirus. And several folks have gone to the trouble of creating address and Eudora mail folder import utilities. It's also a much smaller executable than Eudora.

Pegasus mail is public service software. It's traditional Internet, with non-official support and FAQ sites, and developers who create plug-ins and interact on mail lists. It's community-ware, like the early versions of Eudora...

Still too early to tell, but pmail looks like a keeper. I'll keep you posted.

Archived at http://www.securityskeptic.com/arc20040801.htm#BlogID290 by Dave Piscitello  


Mon, 02 Aug 2004 00:00:00 00, 289
Book Review: Authentication, from Passwords to Public Keys

Authentication is widely regarded as the enabler of all security services and policy enforcement: until you can confirm an identity in a non-repudiable manner, you should not provide that person, computer, data object, or program any privileges (access, network admission, execution,...). Despite the fact that we remain mired in a password-based world, many stronger authentication methods are available. Enumerating authentication systems and their characteristics is a simple task. Identifying the limitations and vulnerabilities inherent to each, and explaining how and where each may be best applied is hard work.

Richard E. Smith tackles both tasks in Authentication: From Passwords to Public Keys. Once the obligatory background material is covered (history, evolution of reusable credentials, the people factor), Smith devotes chapters to token, biometric, challenge-response, and digital certificate systems, and ticket granting services. For each, Smith explains the authentication system, and complements this with a discussion of the common attack spaces and countermeasures (e.g., use of longer keys to resist brute force or trial-and-error attacks).

I've had this book for a while. It's vintage 2002 but with the exception of changes to Windows authentication systems from Server 2000 to 2003, I believe the material remains extremely accurate. If you must bone up on authentication systems, and are happy to forego the cryptanalysis, you'll find this book a very useful and insightful read.

Archived at http://www.securityskeptic.com/arc20040801.htm#BlogID289 by Dave Piscitello