
locks keep lawful people out...

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Tue, 28 Sep 2004 00:00:00 00, 311
SecurePoint misses the point

Sasser and Netsky worm creator Sven Jaschan is now an employee of SecurePoint, a security appliance company in Germany.

Everyone in the security community should be disappointed and opposed to SecurePoint's decision. Jaschan should be in jail, making license plates or clothespins, and contemplating the error of his ways. Instead, Securepoint is providing him a comfortable living and a fast track to repay the nearly $160,000 he owes for acts of computer sabotage.

My opinion regarding hiring and glamorizing crackers is long-documented in Security Hats: Black and White, no Grayscale. In this column, I identify five reasons why you should not hire crackers. I only wish Securepoint had read it.

It absolutely astonishes me that Securepoint would make such a moronic move when viruses and worms are sapping IT dollars faster than OPEC is producing oil.

Ask yourself: do you want Jaschan anywhere close to the source code for your firewall?

Archived at http://www.securityskeptic.com/arc20040901.htm#BlogID311 by Dave Piscitello  


Mon, 27 Sep 2004 00:00:00 00, 309
Antivirus and antispyware must be the same ware

Every network client must have antivirus software. We've been told so for years, and the message is finally sinking in. Network admission and integrity control are poised to enforce it today in enterprise networks and hopefully soon for public Internet access as well. Concern over spyware is increasing so rapidly that I fully expect that antispyware, too, will be a prerequisite for network logon. The problem I foresee is that, if we instrument poorly, network admission will end up like the queues at customs and immigration services: long, slow, tedious, and frustrating. More...

Archived at http://www.securityskeptic.com/arc20040901.htm#BlogID309 by Dave Piscitello  


Sun, 26 Sep 2004 00:00:00 00, 310
CoolWebSearch Chronicles

CoolWebSearch is one of the more insidious and treacherous pieces of browser-hijacking nuisance-ware you will ever have the misfortune to experience. The miscreants behind this crudware have created a truly nasty beast. PestPatrol's Spyware Encyclopedia identifies over 70 CWS variants. They are resistant to detection and removal, and while present, they turn your "web experience" into a visit to hell.

The CoolWebSearch Chronicles offers a fascinating chronology of CWS through April 2004 (39 variants). It's an entertaining and valuable read for anyone who is trying to understand spyware.

Archived at http://www.securityskeptic.com/arc20040901.htm#BlogID310 by Dave Piscitello  


Sun, 12 Sep 2004 00:00:00 00, 308
Security Library relocated

For the past two years, I've hosted the SC chapter web site of the ISSA. I maintained a security library of hundreds of security articles worth reading. Unfortunately, we could not muster sufficient numbers to meet ISSA chapter criteria. Last month, I retired http://www.issa-sc.org.

I have relocated the security library to http://www.securityskeptic.com/library.htm. I am also in the process of adding more articles and resources. The library has approximately 500 resources listed, and my goal is to double this by 2005.

If you have read a security article worth recommending to your peers, please email the hyperlink to me and I'll add it.

Archived at http://www.securityskeptic.com/arc20040901.htm#BlogID308 by Dave Piscitello  


Fri, 10 Sep 2004 00:00:00 00, 307
Silence the Linux lambs

After two weeks of whining about how woeful XP SP2 is and how lamentable Windows security is, I can't help but be amused at the recent barrage of MacOS X vulnerabilities and the concomitant patching frenzy.

In case you've missed the advisories:

Apple fixes 15 flaws in Mac OS X. (see the entire list at List of 15 Flaws)

Mac OS X CoreFoundation Buffer Overflow and Library Loading Bugs Let Local Users Gain Elevated Privileges

Apple QuickTime Streaming Server State Error Lets Remote Users Deny Service

Apple Safari Frame Boundary Flaw Lets Remote Users Render HTML in an Arbitrary Site's Domain

I bring these to your attention for two reasons. The first is to silence the Linux lambs, or at least pause the annoying bleating for an afternoon. According to the article, "Many of the problems are flaws in the [Mac OS X] operating system's underlying open-source software". Sorry, your open source code is as flawed and exploitable as Redmond's. Spend the afternoon checking your code for buffer overflows instead of ranting about the poor quality of someone else's code.

The second is to corroborate a claim I share with many of my colleagues: general-purpose, commercial operating systems all have their share of security flaws and exploitable code. The bickering and dirt-slinging is as bad as any you'll see from the Democrats and Republicans between now and November.

Sadder still, it serves the same purpose: distract the public's attention from the fact that your party's just as incapable of publicly confronting and solving the real problems as your antagonist.

Archived at http://www.securityskeptic.com/arc20040901.htm#BlogID307 by Dave Piscitello  


Wed, 08 Sep 2004 00:00:00 00, 306
Platform for Privacy Preferences

You visit a web site. You complete a form, providing name, address, phone number, job title, and more. How familiar is this? But do you know what the site operator does with your personal data? If you're not checking site privacy policies before you submit personal data, you may be implicitly permitting sites to share what you submit with *third parties*, a web euphemism for anyone who'll buy and abuse it.

What you need is P3P. More...

Archived at http://www.securityskeptic.com/arc20040901.htm#BlogID306 by Dave Piscitello  


Sat, 04 Sep 2004 00:00:00 00, 305
Antivirus resource page

The response to my spyware resource page has been remarkable. I've received many inquiries about antivirus resources. This surprised me because there are so many on the 'net already. I've tried to complement what already exists by providing direct links to virus, trojan, and hoax encyclopedias and lists; online virus scanners; virus removal tools; and, most importantly, fully-functional and resident antivirus programs that are free for personal use. Visit Antivirus Resources.

Archived at http://www.securityskeptic.com/arc20040901.htm#BlogID305 by Dave Piscitello  


Thu, 02 Sep 2004 00:00:00 00, 303
De-perimeterization is a crock...

"De-perimeterization" is popular among the VPN, application protection, and web services communities. It's another in the never-ending stream of labels that marketing wonks invent to distinguish what they are trying to sell from what everyone else is selling. It's a dumb and inaccurate term that only serves to confuse buyers, which ultimately causes them to buy badly, or not buy at all. De-perimeterization is a testimony to the shortcomings of a society that operates on ten-word sound bites.

De-perimeterization is "a worldwide push toward a more porous corporate shell yet more secure collaborations in our increasingly interconnected online world"1. De-perimeterization is yet another forecast of the demise of the corporate perimeter, the traditional network firewall, in this case due to the increased employment of web services in collaborative networking: simply put, not only people but executable code (services) move across enterprises, mostly over the web, and hence through ports that network firewalls allow inbound and outbound.

What the term tries to convey can't easily be done in one word. What the term and the hype woefully misrepresent spreads the F.U.D.

De perimeter exists. You've misappropriated the prefix de.

There are many perimeters in the present and future enterprise. The perimeter that de-perimeterization tries to deprecate is maintained through network layer firewalls. It's not going away. It's now decentralized through the use of personal, teleworker, and small office firewalls as complements to enterprise Internet-facing and compartmental firewalls.

Further complementing the network layer perimeter is a perimeter of application protection. This additional layer of security will be responsible for assuring that application connections are authenticated and that the data conveyed over them is authentic and (where appropriate) confidential. And by this, I don't mean "VPN".

The column I cited earlier casts skepticism on de-perimeterization's ultimate goal: "worldwide use of system-, data- and connection-level authentication". While I hate the term, I love the objective. What is often misunderstood when we use the word data is that data includes identities, the information web services process, and the executable code (services) organizations exchange, as well as the channels over which this data is communicated. This is not de-perimeterization at all, but the addition of federated identities to our existing layers of security.

We don't need a new term. We need people to RTFM and use the terms we have appropriately.

Archived at http://www.securityskeptic.com/arc20040901.htm#BlogID303 by Dave Piscitello  


Wed, 01 Sep 2004 00:00:00 00, 302
What Virus Prevalence Statistics Reveal

Central Command's latest monthly report of the Top 12 computer viruses arrived via email in August 2004. First, I decided I'd compare prevalence numbers across AV vendors. Then, I snooped around for what I thought might be a more interesting comparison: how do prevalence statistics compare over time? More...

Archived at http://www.securityskeptic.com/arc20040901.htm#BlogID302 by Dave Piscitello