locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Thu, 30 Dec 2004 00:00:00 00, 343
Floppies in the White House?

During a recent rebroadcast of a West Wing episode, Full Disclosure, C.J. Craig, White House Press Secretary, is caught unprepared by a cable TV reporter who argues that President Bartlett and Leo McGarry are implicated in an attempted cover-up of Vice President Hoynes's affair. The New York Times reporter who interviewed Hoynes drops a floppy disk containing a pre-publication copy of his article about the Vice President in C.J.'s office. As a kid, I used to call this "accidentally on purpose"...

I found myself wondering, "Can visitors really bring removable media into the White House?"

Keyloggers and viruses and zombies, oh my!

Archived at http://www.securityskeptic.com/arc20041201.htm#BlogID343 by Dave Piscitello  


Wed, 29 Dec 2004 00:00:00 00, 342
Make all your security problems disappear?

The 12/28/2003 23:15:10 headline on Watchguard Wire is Even XP SP2 doesn't make Internet Explorer safe. The post leads with the statement, "Service Pack 2 for Windows XP was supposed to make all your security problems disappear" and describes a flaw in IE that allows remote code execution. The reporting is accurate, but I found myself asking why (and when) Microsoft made such a claim.

I visited Microsoft's About Windows XP SP2 page, where they state, "Windows XP Service Pack 2 (SP2) provides better protection against viruses, hackers, and worms, and includes Windows Firewall, Pop-up Blocker for Internet Explorer, and the new Windows Security Center." Another rant from Dave the Defender of Redmond, right?

No. I don't ever expect Microsoft to produce an OS, or any other software, that will make my security problems disappear. Generally speaking, I don't expect *anyone* can do this.

What Microsoft does claim is that XP SP2 will provide better, not perfect, protection. Firefox, Opera, and DeepNet Explorer make the same claims: google "browser more secure than IE" versus "browser perfect security" and you'll see my point.

Even the Grayhats authors of the security advisory that the Wire describes introduce the flaw by saying, "Although hundreds of millions of dollars have been spent on securing SP2, perfection is impossible."

Perfection is impossible. Hundreds of thousands of lines of source code, developed, enhanced, and patched by hundreds of individuals with little or no secure coding expertise or training, over a hundred months, will not produce a perfectly secure OS, whether it be closed or open source.

We burn so many cycles arguing "which is better? which is more secure?", as if we had definitive metrics and quantifiable measures for "secure". Absolute and objective conclusions regarding OS security are unachievable for general purpose operating systems, because in the real and commercial world where they are employed, GPOSs must satisfy nearly irreconcilable requirements.

If you know how to write an operating system that is easy to use, trivial to network and perfectly secure, drop me a line.

Archived at http://www.securityskeptic.com/arc20041201.htm#BlogID342 by Dave Piscitello  


Mon, 27 Dec 2004 00:00:00 00, 340
Botbyl and Salcedo

Matthew Tanase's Security Blog entry about the sentencing of the Lowe's WiFi hackers reminded me that I hadn't commented on this important event. Matthew commented that he was initially surprised at the length of imprisonment, but then realized these were serious crimes that in the real world earn the offenders serious time.

Matt's initial reaction is a pretty common one. I think it's more than partly attributable to how the 4th Estate popularizes cracking and thus creates an artificial distinction between real and virtual crime. Today, sympathy abounds for the clever computer geek whose adolescent prank went too far, yes?

No sympathy here, folks. These guys were trying to steal credit cards. One (Salcedo) has an earlier conviction. The motive was monetary gain at someone else's expense. The Internet, WiFi and lax security practices provided the opportunity. The means, whether sniffing airwaves and phishing today, or dumpster diving for carbon copies some years ago, is relevant only as a matter of how law enforcement gathers evidence.

Rest assured that if more cases like this one are successfully prosecuted, interest in computer crackers will plummet. When was the last time you read about cases involving corner crack dealers? And the difference between the two is ...?

Archived at http://www.securityskeptic.com/arc20041201.htm#BlogID340 by Dave Piscitello  


Mon, 20 Dec 2004 00:00:00 00, 341
New member of the family

For about three years, my wife and I owned a hole in the ocean into which we threw money. Unnamed, inanimate, underused and expensive to maintain, our 21 foot Grady-White cuddy wasn't too hard to give up.

We now own a horse, which only has "expensive" in common with the Grady-White. Paddy (officially, Bees My Sugar) is an eight-year old paint, approximately 16 hands, animated and intelligent, visited and ridden nearly daily.

As is the case with all our animals, Paddy is a rescue. Molly has nursed him back from a serious hoof ailment and months of isolation that nearly soured him to a point where he behaves well under an experienced rider. She and her trainer/instructor have begun Parelli exercises with him to get him in shape for other riders, including me. Wish us luck and wish Paddy continued health and recovery! I'll post photos soon.

Archived at http://www.securityskeptic.com/arc20041201.htm#BlogID341 by Dave Piscitello  


Fri, 17 Dec 2004 00:00:00 00, 339
Bobcats Wrestling

My son Matt wrestles varsity for Bluffton High School. I host the Bobcats Wrestling web page at http://www.bobcatswrestling.com.

A photo of Matt pinning his Colleton County opponent made the front sports page of the Hilton Head Island Packet today.

Archived at http://www.securityskeptic.com/arc20041201.htm#BlogID339 by Dave Piscitello  


Thu, 16 Dec 2004 00:00:00 00, 338
BHOList

Merijn, author of the highly useful helpware, HijackThis, has written another little pearl called BHOList.

BHOList scans your PC for installed Browser Helper Objects and Toolbars, and distinguishes legitimate BHOs from evil ones. For each BHO it discovers, BHOList identifies the ClassID, filename, owner, and a hyperlink to the software producer.

BHOList also provides a simple frontend utility to a list of Browser Helper Objects and Toolbars maintained by Tony Klein, and will download all the known and categorized BHOs maintained at several antispyware activist sites.

Find BHOList at http://www.spywareinfo.com/~merijn/downloads.html, along with HijackThis and a handful of equally helpful software developed by this remarkable young man from the Netherlands.
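The kind of inventory BHOList performs can be reproduced from the registry alone. The following is an added example, not BHOList's or Merijn's code: it walks the keys where Internet Explorer registers Browser Helper Objects (one subkey per CLSID) and toolbars (one value per CLSID), resolves each CLSID to the DLL that IE would load, and checks whether that file exists and carries a valid Authenticode signature. The registry paths are the standard ones; the heuristics at the end (unsigned DLL, DLL under a user profile or temp directory) are my own choice of what deserves a second look, not a definition of "evil". Run it in an elevated PowerShell on Windows.

```powershell
# Added example: enumerate registered Browser Helper Objects and IE toolbars
# and resolve each CLSID to its DLL. Read-only; nothing is removed.

function Get-RegisteredBho {
    [CmdletBinding()]
    param()

    # BHOs: one subkey per CLSID. Toolbars: one value per CLSID. Both have a
    # WOW6432Node mirror on 64-bit Windows for 32-bit IE.
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    $toolbarKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar'
    )
    $clsidPattern = '^\{[0-9A-Fa-f-]{36}\}$'   # {8-4-4-4-12}

    $entries = @()
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem $key) {
            $entries += [pscustomobject]@{ Kind = 'BHO'; ClassId = $sub.PSChildName }
        }
    }
    foreach ($key in $toolbarKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($valueName in (Get-Item $key).GetValueNames()) {
            # The Toolbar key also holds layout values; keep only CLSID-named ones.
            if ($valueName -match $clsidPattern) {
                $entries += [pscustomobject]@{ Kind = 'Toolbar'; ClassId = $valueName }
            }
        }
    }

    foreach ($entry in $entries) {
        $dll = $null; $name = $null
        # Resolve CLSID -> friendly name and InprocServer32 DLL path.
        foreach ($hive in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID') {
            $clsidKey = Join-Path $hive $entry.ClassId
            if (-not (Test-Path $clsidKey)) { continue }
            $name = (Get-ItemProperty $clsidKey -ErrorAction SilentlyContinue).'(default)'
            $dll  = (Get-ItemProperty (Join-Path $clsidKey 'InprocServer32') -ErrorAction SilentlyContinue).'(default)'
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll); break }
        }
        $exists = [bool]($dll -and (Test-Path $dll))
        $sig = if ($exists) { Get-AuthenticodeSignature $dll } else { $null }

        [pscustomobject]@{
            Kind      = $entry.Kind
            ClassId   = $entry.ClassId
            Name      = $name
            Dll       = $dll
            DllExists = $exists
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            SigStatus = if ($sig) { $sig.Status.ToString() } else { 'NoFile' }
        }
    }
}

# Usage: full inventory, then the subset worth a closer look (my heuristics,
# not a verdict): missing DLL, unsigned/invalid signature, or a DLL living
# somewhere a legitimate installer rarely puts one.
Get-RegisteredBho | Format-Table -AutoSize
Get-RegisteredBho |
    Where-Object { -not $_.DllExists -or $_.SigStatus -ne 'Valid' -or $_.Dll -match 'AppData|\\Temp\\' } |
    Format-Table Kind, ClassId, Name, Dll, SigStatus -AutoSize
```

A dangling registration whose DLL no longer exists is usually leftover from an uninstall, while a signed DLL from a known vendor is the normal case; what BHOList adds on top of a listing like this is the curated reputation data from Tony Klein's list, which the registry cannot tell you.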

Archived at http://www.securityskeptic.com/arc20041201.htm#BlogID338 by Dave Piscitello  


Mon, 13 Dec 2004 00:00:00 00, 337
Egress Traffic Filtering

Too many firewalls and access routers allow trusted hosts access to virtually any services outside their firewall without considering the consequences. Organizations should be as concerned with the origins and kinds of Internet-directed or egress traffic as they are with incoming requests. Lax egress traffic filters can cause an organization many headaches, as Nathan Buff and I explain in this article. More...
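As an added illustration of the point above, and not code from the article by Nathan Buff and me, here is the same default-deny egress idea applied at the host with the Windows Defender Firewall cmdlets (the NetSecurity module, available on Windows 8 / Server 2012 and later, well after this post). Outbound traffic on the Domain profile is blocked by default, and only the services a workstation legitimately needs are allowed, each pinned to the internal server that should be serving it. The IP addresses and proxy port are constructed placeholders. Run it elevated; the default is a dry run (-WhatIf), because a mistake here locks the machine out of the network.

```powershell
# Added example: host-level egress filtering with Windows Defender Firewall.
# Default-deny outbound, explicit allows pinned to internal servers, and
# logging of blocked packets so the first week's drops can be reviewed.
param([switch]$Apply)   # without -Apply, every change is shown with -WhatIf

$internalDns  = @('10.0.0.53', '10.0.1.53')   # constructed: the only resolvers clients may use
$webProxy     = '10.0.0.80'                   # constructed: all web traffic goes via the proxy
$proxyPort    = 3128                          # constructed
$internalNets = @('10.0.0.0/8')               # constructed: internal address space

$common = @{ Profile = 'Domain'; Direction = 'Outbound'; Action = 'Allow'; Enabled = 'True' }

$allowRules = @(
    @{ DisplayName = 'Egress: DNS (UDP) to internal resolvers'; Protocol = 'UDP'; RemotePort = 53; RemoteAddress = $internalDns },
    @{ DisplayName = 'Egress: DNS (TCP) to internal resolvers'; Protocol = 'TCP'; RemotePort = 53; RemoteAddress = $internalDns },
    @{ DisplayName = 'Egress: web via proxy only';              Protocol = 'TCP'; RemotePort = $proxyPort; RemoteAddress = $webProxy },
    @{ DisplayName = 'Egress: internal networks';               RemoteAddress = $internalNets }   # any protocol, internal only
)

foreach ($rule in $allowRules) {
    # Splat the shared settings and the per-rule settings together.
    New-NetFirewallRule @common @rule -WhatIf:(-not $Apply)
}

# Everything not matched above is dropped. Log the drops: an internal host
# trying to reach port 25 or 53 on the Internet directly is exactly the kind of
# symptom (spam bot, DNS tunnel, misconfigured app) egress filtering exposes.
Set-NetFirewallProfile -Profile Domain `
    -DefaultOutboundAction Block `
    -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 16384 `
    -WhatIf:(-not $Apply)
```

The shape matters more than the specific rules: deny by default, allow by destination and service rather than "any", and keep the log of what was blocked. The same policy expressed on a perimeter firewall or access router ACL is what the article discusses; the host version simply survives a laptop leaving the building.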

Archived at http://www.securityskeptic.com/arc20041201.htm#BlogID337 by Dave Piscitello  


Fri, 10 Dec 2004 00:00:00 00, 336
XoftSpy: one company's deceptive marketing practices

Kephyr Bazooka is one of the respected free spyware scanners. Using Google sponsored links and carefully contrived META Description and Keyword tags, the vendors of the suspicious XoftSpy spyware remover infringe on and play off Bazooka's good name and reputation.

I searched "Bazooka spyware" at Google, and the first response to this query is an advertisement page at one of the XoftSpy online shop domains. The page says, "Bazooka spyware scanner just detects spyware and does not remove it. An excellent alternative is ..."

Like most deceptive advertising, there is a half-truth here. Bazooka is indeed only a scanner. But this doesn't mean that Xoftspy is a better scanner. Of course this page doesn't claim that Xoftspy is a better scanner.

Manipulating search query replies is something I expect from porn sites, not security companies. All the genuinely useful work Kephyr Labs invested in the Bazooka scanner is undermined by misleading META tagging on a commercial product's page. For the record, the META tags on the offending page are:


META NAME ="description" CONTENT="Bazooka is a spyware and adware scanner that detects spyware and adware on your system. It does not remove it. XoftSpy both detects and removes spyware and adware."


META NAME ="keywords" CONTENT="bazooka spyware, killer,destroyer,remover,eliminator,eraser"

I'm singling out XoftSpy here, but at least a half-dozen other companies pull this same nonsense with Bazooka, AdAware, and SpyBot Search and Destroy.

PLEASE don't support these folks. The degree to which they undermine the trust we place in search engines is a source of embarrassment for the entire security community.

Archived at http://www.securityskeptic.com/arc20041201.htm#BlogID336 by Dave Piscitello  


Tue, 07 Dec 2004 00:00:00 00, 335
Spyware: Your worst nightmare

You think viruses, worms, blended threats and spam are bad? Spyware is worse. More...

Archived at http://www.securityskeptic.com/arc20041201.htm#BlogID335 by Dave Piscitello  


Sun, 05 Dec 2004 00:00:00 00, 334
Peanut Butter and Isopropyl Alcohol...

Q: What do peanut butter and isopropyl (rubbing) alcohol have in common?

A: You'll find both in the auto detailers' toolkit.

Peanut butter removes the chalky residue that auto wax leaves on black trim. The composition of the peanut butter is abrasive enough to scrub and buff out the wax. No, you don't need chunky style...

A fellow who details cars for a living told me about rubbing alcohol. Sure enough, it's the best way I've found to remove pine tree sap from auto paint finishes and (trust me) we have a *lot* of pine sap in the Carolinas. Ironically, you don't have to rub hard at all. All the commercial bug, tar, and sap removal agents I've used require far more rubbing. A bottle of rubbing alcohol is about a third of the cost or less - such a bargain!

After I remove all the wax residue, I apply ArmorAll or an equivalent product. After I remove sap, I generally wax my car(s). Even when I simply remove one or two spots, I will rinse where I've applied alcohol and spot-polish the finish.

Archived at http://www.securityskeptic.com/arc20041201.htm#BlogID334 by Dave Piscitello