locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Fri, 28 Jan 2005 00:00:00 00, 358
Who's rattling my doorknob, and why...

Routine examination of firewall logging activity is an important task, even for small business firewall admins. Look at your firewall log over the past several weeks, and compare what you're seeing to what I'm observing as the most common probes.

This week I see that DENY IN events for Microsoft RPC/LSA and Active Directory login exploits (TCP/1025-1026) are again at the top of my "most frequent denies" list, followed closely by DNS requests (UDP/53).

Frequent DENY IN events for TCP/4899 reveal that copies of the W32.Rahack worm are scanning my ISP's IP address space (which begins with 64) for hosts running the Win32 remote administration program, Radmin.

I'm also seeing the occasional, single DENY IN events for TCP/15118, the Dipnet/Oddbob worm.

Another occasional, unusual DENY IN event appearing recently is TCP/6129, a probe for the Dameware remote admin tool.

I rarely see brute-force port scans these days. I don't see SQL scans, either. Three of my top probes are hunting for exploitable RATs or bots. If I factor in how many web application probes I block daily (about 20% of my traffic), attack patterns at my site are representative of broader attack patterns and trends: a majority of attacks focus on exploitable or exploited applications.
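The routine the post recommends (tally the denied inbound connections by destination port and compare them with the probes currently making the rounds) is easy to script. The following is an added example, not code from the original post: it parses a handful of constructed firewall log lines (the line format is an assumption; adjust the regular expression to your own firewall's format), counts DENY IN events per protocol and port, and labels the ports the post discusses. Anything that does not match the list is flagged for a closer look, which is the part of the exercise that matters.

```python
import re
from collections import Counter

# Constructed sample lines in the style of a small-office firewall log.
# Not real log data; the format is an assumption for this example.
SAMPLE_LOG = """\
2005-01-27 08:12:04 DENY IN TCP 64.1.2.3:3201 -> 64.9.8.7:1025
2005-01-27 08:12:05 DENY IN TCP 64.1.2.3:3202 -> 64.9.8.7:1026
2005-01-27 08:13:40 DENY IN UDP 201.5.6.7:53 -> 64.9.8.7:53
2005-01-27 08:15:11 DENY IN TCP 64.40.1.9:4431 -> 64.9.8.7:4899
2005-01-27 08:15:12 DENY IN TCP 64.40.1.9:4432 -> 64.9.8.7:4899
2005-01-27 09:01:00 DENY IN TCP 82.3.3.3:1234 -> 64.9.8.7:15118
2005-01-27 09:20:30 DENY IN TCP 12.0.0.5:2222 -> 64.9.8.7:6129
2005-01-27 09:21:00 ALLOW IN TCP 66.1.1.1:55000 -> 64.9.8.7:80
2005-01-27 09:22:00 DENY IN TCP 64.1.2.3:3210 -> 64.9.8.7:1025
"""

# Port-to-probe annotations taken from the post above.
KNOWN_PROBES = {
    ("TCP", 1025): "Microsoft RPC/LSA and Active Directory login exploits",
    ("TCP", 1026): "Microsoft RPC/LSA and Active Directory login exploits",
    ("UDP", 53): "DNS requests",
    ("TCP", 4899): "W32.Rahack scanning for Radmin",
    ("TCP", 15118): "Dipnet/Oddbob worm",
    ("TCP", 6129): "DameWare remote admin tool probe",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>DENY|ALLOW) IN (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def tally_denies(log_text):
    """Count DENY IN events per (proto, dport). ALLOW lines are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "DENY":
            counts[(rec["proto"], rec["dport"])] += 1
    return counts


def top_denies(log_text, n=5):
    """Return [(proto, port, count, label)] for the n most frequent denied ports."""
    counts = tally_denies(log_text)
    return [
        (proto, port, cnt, KNOWN_PROBES.get((proto, port), "unrecognized - investigate"))
        for (proto, port), cnt in counts.most_common(n)
    ]


def sources_for_port(log_text, proto, port):
    """Distinct first octets of the sources hitting a port.

    A single prefix dominating the list (the '64' of the post) suggests a worm
    sweeping one address space rather than scattered probes.
    """
    prefixes = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "DENY" and (rec["proto"], rec["dport"]) == (proto, port):
            prefixes.add(rec["src"].split(".")[0])
    return sorted(prefixes)


if __name__ == "__main__":
    for proto, port, cnt, label in top_denies(SAMPLE_LOG):
        print(f"{proto}/{port:<6} {cnt:>3}  {label}")
    print("TCP/4899 sources by first octet:", sources_for_port(SAMPLE_LOG, "TCP", 4899))
```

Run it weekly against the real log and diff the output against last week's: a port that climbs into the top five without a label is the one worth researching.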

Archived at http://www.securityskeptic.com/arc20050101.htm#BlogID358 by Dave Piscitello  


Thu, 27 Jan 2005 00:00:00 00, 357
The spyware money trail

Colleague Scott Pinzon referred me to an excellent post describing one frustrated dad's attempt to trace a spyware infestation back to the folks who make money in this nasty business. Read Follow the Money; or, why does my computer keep getting infested with spyware?

Archived at http://www.securityskeptic.com/arc20050101.htm#BlogID357 by Dave Piscitello  


Fri, 21 Jan 2005 00:00:00 00, 356
Firefox is a keeper

After two weeks of using the Firefox browser and a variety of extensions and themes, I'm ready to join the ranks of those convinced that IE has a legitimate contender. Firefox appears to render pages faster, occupies a modest amount of memory, and has a ton of features you will quickly find you're unable to do without.

Tabbed windows are a singularly convenient feature. Several themes and extensions make the interface even simpler and more intuitive than the "comes with" version (itself simple enough for anyone who understands CTRL-T). The customizable, multi-engine search box is better than most of those you'd plug into IE, and you won't run the risk of spyware infestation when doing so. All the common plug-ins (Flash, music players, Acrobat) work with Firefox as well.

The developer community has come up with several excellent extensions. The Sage RSS reader is just plain slick; its presentation is crisp, and the interface is way better than the (IMO) clunky Live Bookmarks. FireFTP is a promising FTP client. Qute is a really nice theme (my PC browser looks like a Mac). My time at my computer is better because they exist :-)

Don't expect an entirely bump-free ride. A number of sites running IIS do enough Microsoft-specific web programming that sites just don't present well under Firefox. I've visited sites to do online banking where a single javascript among dozens won't work (and of course, it's the "pay bill now" script). On an intranet site, a flash presentation presents in an entirely different frame size and orientation than it does with IE. FireFTP doesn't recognize a Windows folder shortcut so I can't drag and drop a file onto a shortcut on a web server. Over time, I expect these minor inconveniences to disappear, and I expect Firefox to be very successful.

Firefox isn't susceptible to BHO-based attacks, so it will reduce spyware infestations. Remember, though, that BHOs are but one of many spyware infestation vectors, so (a) don't conclude you can forego antispyware software, and (b) don't imagine for a second that the ad- and spyware developers won't seek alternative ways to infest your computer if you're a Firefox user. Like spammers, spyware developers will continue to annoy us because there's a profit to be had in doing so.

Much of the attention Firefox is receiving comes from the growing community who are frustrated by IE's many security vulnerabilities. I'm looking forward to seeing how Firefox compares to IE as its user population grows to a number worthy of the attention IE receives from code crackers. I'm not demeaning Firefox in any way here, merely pointing out that exploiting code running on tens of millions of PCs running IE is currently the greater glory. I earnestly hope Firefox remains as successful and (within reason) free of exploitable code when its user base rivals IE's.

Quite honestly, I don't care who wins the browser war; I just want to browse more safely and efficiently. For now, Firefox looks like it meets these criteria.

Archived at http://www.securityskeptic.com/arc20050101.htm#BlogID356 by Dave Piscitello  


Thu, 20 Jan 2005 00:00:00 00, 355
Moving freely between WLAN access points

My partner, Lisa Phifer, has written an excellent article for SearchMobileComputing.com describing how wireless clients can travel from WLAN cell to WLAN cell. Moving freely between WLAN access points discusses transparent 802.11 reassociation, problems you may encounter, and how complex network topologies can throw even more challenges at net admins than you might expect.

Archived at http://www.securityskeptic.com/arc20050101.htm#BlogID355 by Dave Piscitello  


Wed, 19 Jan 2005 00:00:00 00, 354
Microsoft's Antispyware Beta

Microsoft began offering free downloads of the beta version of the antispyware software they recently acquired (Giant). I'm a bit late to the review gate, but here's my anecdotal assessment.

The beta only runs on licensed systems. You must run the Microsoft validation agent, which ironically means you must allow ActiveX controls in your IE settings. Frankly, since this is a beta, I question whether Microsoft would have earned more mileage offering the product without qualification. Spyware's a huge problem, and I think they not only missed a major marketing and distribution opportunity but an opportunity to serve the Internet community as well.

Giant had a reputable product before Microsoft acquired it, and while Microsoft may have standardized the look and feel, they seem to have adopted an "ain't broke, don't fix it" approach. The product has the features you should expect from quality antispyware software, and some interesting features I hadn't seen before. Real-time protection monitors dialup, messenger and WiFi activities; changes to Internet safe site lists, Winsock LSPs, Windows services, and critical .ini files; and shell, scheduler, and TCP/IP changes. Protection from directory trojans and from startup, BHO, registry, IE settings, and installed-component spyware is also present. You can create restore points and schedule full or custom scans.

Microsoft's default security settings are all over the map. Auto-protection against spyware is enabled following installation and reboot, but you must run a Setup assistant to enable auto-updates, and you must choose Real-time Security Protection yourself. I would like to see these enabled by default.

Memory footprint is modest: the two processes, gcasserv.exe and gcasDtserv.exe, use only 12 megabytes. The UI is clean and intuitive. I like the results reports, which complement the customary threat enumeration, recommended action, and threat level with a sidebar containing the initial paragraphs of a detailed description of any threat detected, an assessment of the risk, and a link for more information.

I configured an infected PC to run a daily autoscan. The initial, full scan of three partitions totalling 20 MB took 20 minutes, about par for other products I've tried (some were faster, others slower). I ran the antispyware beta on a PC with XP SP2 that had been "protected" by the freeware tandem SpywareGuard and SpywareBlocker for about 2 months. The beta detected two threats (whenusavenow, and the brodcast/DSSagent). This result neither convinces me that Microsoft's product is excellent nor that SG and SB are lame; it only reaffirms my conviction that no single antispyware product is up to the task. New spyware seems to be appearing at a pace rivaling spam, not worms, and even Microsoft will have a hard time employing enough software engineers to level the playing field.

Like many antispyware products, Microsoft's beta provides a means for users to upload suspected spyware for analysis. Microsoft offers an opt-out for its Spynet Community. I'm a committed opt-in kinda guy so this annoys me. Probing further, the link to Microsoft's privacy policy regarding Spynet Community explains that Microsoft will explicitly ask for and not disclose personal identifying information to 3rd parties except those who will perform services on Microsoft's behalf (good), but it also indicates that Microsoft will use such information to contact individuals with surveys, product notifications, etc. The policy doesn't identify exactly what information it collects: if only privacy policies from Microsoft were as detailed as its EULA.

Overall, this is a good start for Microsoft. Microsoft claims it intends to provide its customers "with new tools to help protect them from the threat of spyware and other deceptive software" but I am not clear how Microsoft plans to make the tools available. Will this be a separately priced product, or integrated with antivirus (what's the deal there, anyway?) and the Service Pack 2 Security Center?

Archived at http://www.securityskeptic.com/arc20050101.htm#BlogID354 by Dave Piscitello  


Fri, 14 Jan 2005 00:00:00 00, 353
Why do I bother blogging? Comments like these...

I had a conversation this morning with a colleague who can't understand why I'd bother blogging and maintaining a web presence. His claim is that the time is unproductive. Comments like these, and the ensuing thread, make blogging more productive than many activities...

In Blog #342, Make all your security problems disappear?, I asked, "If you know how to write an operating system that is easy to use, trivial to network and perfectly secure, drop me a line."

I should have said client operating system. Given the oversight, I anticipated some nasty flames, and instead received a nicely articulated consideration of OpenBSD from Brian Keefer, Sr. Systems Engineer, Tumbleweed Communications:

Sounds like you just described OpenBSD to the tee. While no OS is "perfectly secure", there *are* some useful metrics to determine the relative security of an OS. One would be how many remotely exploitable vulnerabilities have existed in the default configuration that allow complete take-over of a machine. In that category OpenBSD is far and away the leader with only 1 remote hole in eight years!

If you talk about what is *possible* with an OS, any OS could be made nearly secure, given enough research, time, and effort. Likewise, given enough carelessness any OS can be completely insecure. What matters most is the default state of the OS when it's installed, because most users will leave it that way. OpenBSD has excelled in that nearly since inception, and it's a concept that other OSs (including Microsoft) only caught on to very recently.

The other primary concerns are the overall number of remotely exploitable vulnerabilities, and the time taken to fix them. In the first category, OpenBSD leads, and in the second category OpenBSD has a similar track record to other Open Source projects. Of note, the OpenBSD project has submitted many security patches to other projects, some of which were unfortunately never implemented (such as in Apache). This made OpenBSD implementations of OSS more secure than the vanilla version everyone else uses.

Anyway, my point is that OpenBSD is easy to use (and extremely well documented), trivial to network (including firewall, VPN, and network services), and it's as secure as you can get in a readily available OS.

My response to Brian was, "I've used many Linux variants, but have not used OpenBSD and should find time to do so. I have no reason to doubt whether your statistics are correct, so OpenBSD certainly merits attention for server needs at the very least. The questions I'd still have to consider are whether OpenBSD could satisfy consumer-level ease-of-use criteria for client computing, and how one could recreate the typical application suite enterprises and consumers rely nearly entirely on Windows developers to provide. I simply don't know." His reply...

I didn't realize your rhetorical question was more geared to client computing (a misunderstanding on my part). OpenBSD would definitely not be my recommendation there. I was answering in the theoretical sense that, yes, OpenBSD meets your criteria. For a server platform, I think it's difficult to beat OpenBSD for out-of-the-box, low maintenance network services.

For a client, I would agree with you entirely that it's a pipe dream (at least at this point). Apple's OS X comes close, as it's certainly "easy to use" and very close to "trivial to network". Unfortunately security has a lot of room for improvement. I would say OS X is better than any other client OS I've seen for security, but there are far too many glaring oversights to give it the stamp of approval. That said, because of the first two criteria it's what I use for day-to-day computing. OpenBSD stays at the servers, where it excels.

I've added "install OpenBSD somewhere" to my wishlist of activities to fill my *unproductive* time.

By the way, if you want an amusing perspective on Linux, visit http://www.big-boys.com/articles/switchlinux.html.

Archived at http://www.securityskeptic.com/arc20050101.htm#BlogID353 by Dave Piscitello  


Thu, 13 Jan 2005 00:00:00 00, 352
The juxtaposition of memories and digital re-mastered music

My son bought me a CD for Christmas, an anthology of Neil Young's greatest hits. I finally had an opportunity to listen to it while driving. My vehicle has excellent sound insulation and, by my modest metrics, an equally excellent stereo with god knows how many speakers.

Is that really Neil Young?

Something's wrong. That's "Cowgirl in the Sand"? It sounds so sanitized. Without the scratching and hissing from my worn stylus, lame speakers, and poorly terminated copper wiring, I hardly recognize Neil's voice. The guitar licks are so exacting; they have a synthetic character. I don't remember those 3 notes at the beginning; I imagine they were worn away after the first hundred plays of my beloved vinyl LP.

It's more than this. My memory insists that, if this is really Neil Young, he *must* be played loudly; in my various dorm rooms and crammed, shared apartments; all night and through the wee hours of the morning; with candles and incense and traces, if not clouds, of smoke of the "not cigarette" kind; while cuddling with a coed on a lumpy sofa with a Mexican blanket, in a time before anyone knew to call it shabby chic. Not, as I find myself, driving to the grocery store in mid-afternoon; in a smoke-free, leather-upholstered, heated-seat vehicle that cost more than my entire four years of tuition, room and board; with my 12-year-old daughter asking why we're listening to this CD and can't we listen to Avril Lavigne instead.

My reaction to digital re-mastered music is pretty much the same as "colorizing Casablanca". Ingrid Bergman was breathtaking in black and white. B&W movies had an ethereal quality that I've always felt stimulated my imagination and were closer to dreams than reality.

I don't know if you really distinguish dreams from memories (real and imagined) as you get older. I do know there are some cuts I'd rather listen to in their original, analog rendition than digitized.

Archived at http://www.securityskeptic.com/arc20050101.htm#BlogID352 by Dave Piscitello  


Wed, 12 Jan 2005 00:00:00 00, 351
When even the wrong hyperlink is a good read...

I am always pleased when a reader takes the time to email me a comment, especially if it's a compliment. But this is a first. Ramon Fernando encountered a misdirected link on my VOIP Security resources page and wrote:

“IP Telephony Security, Part II: Threats to Operators” -- this is the article I wanted to read after enjoying and learning the previous section. However, I ended up getting the article on “Life Before Google” instead which was also a good read.

Is there a way I can read the article on “… Threats to Operators”?

Thanks Ramon. I've fixed the incorrect URL.

Archived at http://www.securityskeptic.com/arc20050101.htm#BlogID351 by Dave Piscitello  


Tue, 11 Jan 2005 00:00:00 00, 350
How To Keep Spyware Off Your Enterprise Network

Spyware is challenging spam and viruses for the top spot on IT worry lists. Spyware poses considerable threats and risks to enterprise networks and remediation and countermeasures are now being regarded as critical to network security. More...

Archived at http://www.securityskeptic.com/arc20050101.htm#BlogID350 by Dave Piscitello  


Mon, 10 Jan 2005 00:00:00 00, 349
DSO Exploit

The Data Source Object (DSO) exploit is one of the removal-resistant spyware threats that I've mentioned in several articles. Despite running Spybot Search and Destroy version 1.3, my son's computer was infected by this because he (OK, I) did not have the correct advanced settings. SupportCave has a page that explains how to remove DSO Exploit with a small executable, DSOstop2, and how to configure Spybot Search and Destroy to correctly deal with this spyware.

Archived at http://www.securityskeptic.com/arc20050101.htm#BlogID349 by Dave Piscitello  


Sat, 08 Jan 2005 00:00:00 00, 348
Useful tutorial on HTML Style

There's always something to learn about HTML, and I learn best when I can see an example. The HTML Code Tutorial site is chock full of examples and is clearly written to be easily searched using an engine like Google. Kudos to the operators...

Archived at http://www.securityskeptic.com/arc20050101.htm#BlogID348 by Dave Piscitello  


Thu, 06 Jan 2005 00:00:00 00, 347
Top five enterprise voice web links

Our VOIP Security Resources is recommended by TechTarget as one of the top five Enterprise Voice Web Links.

Archived at http://www.securityskeptic.com/arc20050101.htm#BlogID347 by Dave Piscitello  


Wed, 05 Jan 2005 00:00:00 00, 346
What's the difference between Spyware and Viruses?

The average Internet user has difficulty distinguishing viruses from spyware. SecurityPipeline launched a series on spyware with my article by this title. More...

Archived at http://www.securityskeptic.com/arc20050101.htm#BlogID346 by Dave Piscitello  


Tue, 04 Jan 2005 00:00:00 00, 345
Before you buy yet another ringtone...

Consumers are spending nearly $300M/year on cellular phone ringtones.

Before the Tsunami, I thought, "Can't folks throw their money away on something more interesting than ringtones?"

If there's ever been something more interesting - and worthwhile - at which to redirect some of that $300M, it's got to be the victims of the Tsunami. CNN devotes an entire page to legitimate organizations who are providing aid to victims in South Asia and East Africa.

Before you visit qtones, katazo, or planetringtone, visit CNN

Archived at http://www.securityskeptic.com/arc20050101.htm#BlogID345 by Dave Piscitello  


Sun, 02 Jan 2005 00:00:00 00, 344
Ill-conceived anti-phishing techniques in web browsers

The folks at Microsoft, DeepNet Explorer and Mozilla/Firefox have a countermeasure that compares a web server certificate against the domain name to help defeat attempted server identity fraud.

Nice idea in principle, but in practice, the measure causes many "false positives".

I and others minimize keystrokes by visiting sites without prepending the wuh-wuh-wuh to many domain names. Why bother? It's mostly gratuitous these days, and many sites resolve the name correctly without the prefix. For example, whether I submit a hyperlink "http://google.com/adsense" or "http://www.google.com/adsense", I am directed to the same SSL-secured page.

Unfortunately, the aforementioned browsers overzealously apply the countermeasure, and pop up a Security Alert such as "The name on the security certificate is invalid or does not match the name of the site, do you want to proceed?" when I forego wuh-wuh-wuh.

You can argue that the measure is correctly applied, and you are formally correct. But this is an example of a security measure that becomes intrusive, and begs users to seek out a method to circumvent it. It's also an example of a security measure implemented without a broad understanding of the consequences and complementary actions required for it to be effective and non-intrusive. Web site administrators go through all this effort to make certain web users can resolve "fuzzy" names, but overlook the mismatch between the certificate and the names they bind to the identity to which the certificate is assigned.

I can't be certain that browser developers did an adequate job of investigating the impact of this security measure, nor can I be certain they provided sufficient documentation for web administrators, but it really doesn't matter. The measure, as implemented, falls short of my expectations.
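The mismatch the post complains about is mechanical: the browser compares the host name the user typed against the names the certificate carries, and "example.com" is not "www.example.com". The following is an added example, not code from the original post or from any browser: a small hostname-matching routine run against constructed certificates (the dict layout mirrors what Python's ssl.getpeercert() returns; that layout and the example.com names are assumptions). It goes a little beyond the post by also covering the wildcard rule, which matches only one leftmost label. The fix on the web administrator's side is visible in CERT_BOTH_NAMES: issue the certificate with both the bare domain and the www name in its subjectAltName, and the warning disappears without the user having to click through anything.

```python
def _name_matches(pattern, hostname):
    """Match one certificate DNS name against a host name.

    A leading '*.' wildcard covers exactly one leftmost label, so
    '*.example.com' matches 'www.example.com' but neither 'example.com'
    nor 'a.b.example.com'. Comparison is case-insensitive.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        p_labels = pattern.split(".")[1:]
        h_labels = hostname.split(".")
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return pattern == hostname


def cert_matches_host(cert, hostname):
    """Return True if the certificate is valid for hostname.

    cert is a dict shaped like ssl.getpeercert() output (an assumption for
    this example): 'subjectAltName' is a tuple of (type, value) pairs and
    'subject' is a tuple of RDNs, each a tuple of (attribute, value) pairs.
    DNS subjectAltName entries are authoritative; the subject commonName is
    consulted only when the certificate carries no DNS SAN at all.
    """
    dns_names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if not dns_names:
        dns_names = [
            v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"
        ]
    return any(_name_matches(n, hostname) for n in dns_names)


# Constructed certificates for illustration; none of these are real.
CERT_WWW_ONLY = {  # the situation the post describes
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"),),
}
CERT_BOTH_NAMES = {  # the administrator's fix: both names in the SAN
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}
CERT_WILDCARD = {  # a wildcard does not cover the bare domain either
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}
CERT_CN_ONLY = {  # legacy certificate with no SAN extension
    "subject": ((("commonName", "www.example.com"),),),
}


def check(cert, hostname):
    """Human-readable verdict, in the spirit of the browser's Security Alert."""
    ok = cert_matches_host(cert, hostname)
    return f"{hostname}: {'name matches' if ok else 'certificate name mismatch, browser warns'}"


if __name__ == "__main__":
    for label, cert in (("www-only", CERT_WWW_ONLY), ("both-names", CERT_BOTH_NAMES),
                        ("wildcard", CERT_WILDCARD), ("cn-only", CERT_CN_ONLY)):
        for host in ("www.example.com", "example.com", "a.b.example.com"):
            print(f"[{label:10}] {check(cert, host)}")
```

The other complementary action an administrator can take, if reissuing the certificate is not an option, is to redirect the bare-domain URL to the www name over plain HTTP before the TLS handshake ever happens, so the browser never sees the mismatched certificate.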

Archived at http://www.securityskeptic.com/arc20050101.htm#BlogID344 by Dave Piscitello