locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Wed, 20 Jul 2005 00:00:00 00, 435
Internet Governance

The beauty of the web is that the newspaper "delivered to your door" can come from any corner of the globe. You can't appreciate how valuable this is until you live on an island with a small town, small circulation newspaper in a heartland of conservative Republicanism.

Three interesting articles and Op-Eds on Internet Governance appear in the Washington Times, New Zealand Herald, and The Times of India. The Washington Times editorial blasts the U.N. for failing to include technology executives and experts on the 40-member Working Group on Internet Governance (WGIG). I took a look at the member list, and while I would not go so far as to call it "a team of bureaucrats", I agree there is no sign that Silicon Valley is directly represented. If nothing else, this Op-Ed illustrates the "let the Internet govern itself" attitude of tenured Internauts.

The New Zealand Herald column by Peter Griffin offers a somewhat centrist approach. Peter's column appears to say, "I've read all the proposals and alternatives. Some are truly scary and others rather petty. Overall, things aren't frightfully broken so can't we be like Miss Congeniality and focus our attention on more important matters like 'world peace'?"

The Times of India is a good example of the community that feels the U.N. should have oversight. The article claims that India is in favor of models for Internet Governance that exhibit inclusion, inter-governmental and multilateral representation, and broad (multi-) stakeholdership, and identifies two models among the four proposed by the U.N.'s WGIG as "in line with India's thinking". Both models move oversight from the U.S. Department of Commerce and into the U.N. This is pretty much the antithesis of the opinion expressed in the Washington Times.

You rarely find a broad spectrum of perspectives and opinions on any one subject in a small town paper. The Internet offers such a rich opportunity for sharing knowledge, opinions and ideas. Pray that the folks who ultimately decide where and how the Internet is governed don't lose sight of the value of a single international resource.

Archived at http://www.securityskeptic.com/arc20050701.htm#BlogID435 by Dave Piscitello  


Mon, 18 Jul 2005 00:00:00 00, 433
Setting COI issues to rest

A colleague forwarded me a link to a GNSO mail list thread with the Subject line of "Dave Piscitello". After reading the message, I feel obliged to set the record straight. The message body reads:

So this guy seems really apolitical. Certainly competent and well spoken.

My questions are: Now that he has a staff position how can he possibly avoid a conflict of interest when working for contractors with ICANN and working for ICANN? It almost seems incestual? Are Dave Piscitello and Crocker going to get along?

http://www.securityskeptic.com/weblogindex.htm

http://www.icann.org/

ICANN Announces New Staff Appointment 2 June 2005

First, I'll thank the author for the compliments. I appreciate being perceived as competent and well spoken.

Now, let me speak to the comment that I "seem really apolitical". I hope this was intended as a compliment: Isn't being politically neutral a requirement for my ICANN SSAC position?

On to the most serious concern: conflict of interest. For the record, my arrangement with ICANN is that I will discuss with general counsel before accepting any consulting work, to assure that no conflicts of interest exist. Before I joined ICANN, I disclosed my ongoing business relationships with Watchguard, Aventail, TRA, CMP, BCR, et al. Everyone was satisfied that no COI existed prior to my hire, and we will all work to see that none arise while I'm employed by ICANN.

The final question, "Are Dave Piscitello and Crocker going to get along?" is actually quite amusing, so much so that I forwarded it to colleagues Marcus Ranum and Fred Avolio, who have worked with Steve at Trusted Information Systems and would appreciate the irony. I've known Steve Crocker for more than fifteen years, and had the good fortune to work with him while TIS was contracted by Bellcore for a secure SNMP project in the early 1990s: since I was the Bellcore project leader, I suppose he worked for *me* :-) I consider Steve a colleague, mentor, and friend.

I am confident that Dave Piscitello and Steve Crocker will continue to get along smashingly well.

Archived at http://www.securityskeptic.com/arc20050701.htm#BlogID433 by Dave Piscitello  


Fri, 15 Jul 2005 00:00:00 00, 430
More on FraudEliminator

I received my daily phishing email, which provided an opportunity to check out the fraud detection features of the FraudEliminator plug-in I mentioned in Blog ID #428. For your amusement, here's the URL:

https://www.paypal.com/us/fq/ac=AgXbgHbg5kBErQ6p1CMgRQA4or1Eydl2FhLW3Ku0wMykpxcu8Ob.kCvAl6K9u3XTCd5.7LaiQxA&t=pr

FraudEliminator flagged the hyperlink as suspicious, explaining why in a popup window. FraudEliminator also provides one-click anonymous fraud reporting. By reporting suspected phishing, you help FraudEliminator expand its database of fraud sites.

I have no basis for comparison (and no time to build one). This plug-in is worth a try. I'm heartened that these folks have a companion plug-in for IE.

Archived at http://www.securityskeptic.com/arc20050701.htm#BlogID430 by Dave Piscitello  


Alternate Roots?

The Domain Name System is based on the design assumption of a single root. This is one of the fundamental principles you learn in Internet 101. Some people aren't happy with this design assumption. Others are unhappy that they aren't in a position to profit from root server operation. Some want to forgo convention and roll out Top Level Domains however they please. Still others object to the US DoC retaining oversight. These constituencies all conclude that the Internet needs alternative roots.

None of these are valid reasons to deploy alternate roots. If you want to experiment with a new name service architecture, fine, but you don't ignore a fundamental design assumption and expect the system to scale and remain stable.

If you think there's a pot of gold in alternate roots and non-standard TLDs, submit your business model to an investment firm. Pray they don't engage a consultant to investigate your technology and service as part of their due diligence. Even if they don't hire a consultant, all they'll need to do is read the tutorial page on using alternate roots at the Simple DNS Plus site. (I imagine they added this information to reduce helpdesk calls from administrators who use their software to support non-standard DNS operating environments.) Even the least technical investor group will recognize a pig in a poke when they read:

"'Alternate root' domain names are not recognized by ICANN, which means that the majority of Internet users will not have access to any site you host under one of these domain names."

"If you register a domain name with an alternate root operator there is a risk that ICANN will eventually commission the same top level name, and you may have to register the domain again or lose it to someone else."

Whine until you're hoarse about oversight, but not to me: I think there are only a handful of folks who understand all the fine points and issues, and I won't pretend to be one of them.

"Alternate roots" is not merely A Very Bad Idea, but a broken one. If you want more entertaining and insightful perspectives on why, read Paul Vixie's CircleID article entitled Putting Multiple Root Nameserver Issue to Rest.

Archived at http://www.securityskeptic.com/arc20050701.htm#BlogID431 by Dave Piscitello  


Thu, 14 Jul 2005 00:00:00 00, 429
Should ISPs block port scans?

A recent thread on the pen-test mail list raised the question of whether service providers should detect and block port scans emanating from subscriber hosts and networks. The question actually has many dimensions, and I'd like to discuss these:

  • Who benefits from this service, and who is harmed?

  • What characterizes the service, can it be truly effective or is it too easily evaded?

  • Should the service be opt-in or opt-out?

The service benefits the provider and backbone at large by filtering at Internet ingress points. If my firewall logs are reflective of the volume of scan traffic congesting the 'net, blocking port scans has to be A Useful Thing. Under normal operating conditions, the service also benefits every subscriber by lowering the noise to signal ratio of traffic delivered to individual hosts, Internet firewalls and packet-filtering routers.

The service interferes with organizations that want to observe incoming traffic and that routinely audit their security policy and use penetration-testing techniques. Penetration-testers, of course, are hampered by the service, as it interferes with their ability to probe the networks of clients who engage them to test for vulnerabilities.

A few examples of port scan blocking services were discussed on the pen-test list, and they appear to employ the same techniques many commercial firewalls now offer under the overused term "intrusion prevention". ICMP echo, UDP and TCP SYN/RST/FIN traffic exceeding certain thresholds is characterized as a scan and blocked by the ISP. It's unlikely that these services can detect all forms of stealthy scanning, so one can argue that they slow rather than eliminate scanning entirely. Slowing the scan doesn't prevent an attacker from gathering information and acquiring targets, and it's relatively easy to automate scans. Since the majority of scans are automated, what are these ISPs really accomplishing other than reclaiming bandwidth? Well, they *are* interfering with pen-testing.
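As an added illustration (not from the original post or any of the services discussed on the list), here is a small Python detector implementing the threshold heuristic just described, run over constructed firewall log lines. The log format, addresses, window and threshold are all assumptions; the slow-probing source shows why such filters slow scanning rather than eliminate it.

```python
"""Threshold-based scan detector over constructed firewall log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample: "<ISO time> <proto> <src> -> <dst>:<port> <tcp flags>".
# .10 is a burst scan, .20 a normal client (one SYN, one ACK), .30 a slow scan.
SAMPLE_LOG = """\
2005-07-14T10:00:00 TCP 192.0.2.10 -> 198.51.100.5:21 S
2005-07-14T10:00:00 TCP 192.0.2.10 -> 198.51.100.5:22 S
2005-07-14T10:00:01 TCP 192.0.2.10 -> 198.51.100.5:23 S
2005-07-14T10:00:01 TCP 192.0.2.10 -> 198.51.100.5:25 S
2005-07-14T10:00:02 TCP 192.0.2.10 -> 198.51.100.5:80 S
2005-07-14T10:00:00 TCP 192.0.2.20 -> 198.51.100.5:80 S
2005-07-14T10:00:05 TCP 192.0.2.20 -> 198.51.100.5:80 A
2005-07-14T10:00:00 TCP 192.0.2.30 -> 198.51.100.5:21 S
2005-07-14T10:06:00 TCP 192.0.2.30 -> 198.51.100.5:22 S
2005-07-14T10:12:00 TCP 192.0.2.30 -> 198.51.100.5:23 S
2005-07-14T10:18:00 TCP 192.0.2.30 -> 198.51.100.5:25 S
2005-07-14T10:24:00 TCP 192.0.2.30 -> 198.51.100.5:80 S
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<proto>TCP|UDP|ICMP) (?P<src>\S+) -> "
                     r"(?P<dst>[^:]+):(?P<port>\d+)(?: (?P<flags>\S+))?$")

def parse(log_text):
    """Return (time, src, dst, port) tuples for probe-shaped lines, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue                      # ignore malformed lines
        # Count only the probe shapes the post names: TCP SYN/RST/FIN, UDP, ICMP.
        if m["proto"] == "TCP" and not set(m["flags"] or "") & {"S", "R", "F"}:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["port"])))
    return sorted(events)

def detect_scanners(log_text, window_seconds=60, port_threshold=5):
    """Map src -> time first flagged, for sources hitting >= port_threshold
    distinct (dst, port) targets within any window_seconds span."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)           # src -> deque of (time, (dst, port))
    flagged = {}
    for ts, src, dst, port in parse(log_text):
        q = recent[src]
        q.append((ts, (dst, port)))
        while ts - q[0][0] > window:      # evict probes older than the window
            q.popleft()
        if src not in flagged and len({t for _, t in q}) >= port_threshold:
            flagged[src] = ts
    return flagged
```

With the 60-second window only the burst scanner is flagged; widening the window to an hour catches the slow scanner too, at the cost of holding far more state per source.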

Once again, we encounter an "opt-out or opt-in" issue. The service has merit for a large population of Internet users. I don't mind having less noise on the 'net. I'm certain millions of PC users worldwide won't mind either. I do object to being denied the ability to test my network perimeter defenses, and I sympathize with pen-testers whose practices and methodologies are disrupted. If ISPs want to invest in this kind of service, why can't they simply explain the service to subscribers, and allow them to choose? Well, one reason is probably, "it's technically harder to do this than just impose what we think is best for the majority of our customers".

Accepting this argument, let's suppose then that the default is opt-in (not my favorite choice). ISPs should still offer some means of temporarily disabling the feature to facilitate pen-testing.

The answer of course is the same as above. It's technically harder to do this than impose what is best for the majority of our customers.

If port scan blocking becomes widely accepted practice among ISPs, I see a business opportunity for "hosted 3rd party scanning". I wonder if hosted3rdpartyscanning.com is available...

Archived at http://www.securityskeptic.com/arc20050701.htm#BlogID429 by Dave Piscitello  


Wed, 13 Jul 2005 00:00:00 00, 428
More handy Firefox plug-ins

I find I'm using Whois service more frequently in my new position at ICANN. Paul Smith has written a Whois Lookup plug-in for Firefox that displays Whois information for the current URL in a new tab. The only shortcoming of the current version (Whois Lookup .01) is that the author chose a hotkey (W) that Firefox uses to close the current active tab window.

The FraudEliminator Toolbar, freeware version, also displays Whois responses when you hover over an icon. I'm investigating the anti-phishing features of this toolbar. This toolbar is also available for IE.

Yes, I shudder when I use the word "toolbar" these days, but FraudEliminator LLC assures visitors they are spyware-free and both the privacy policy and EULA emphasize they do not collect information or popup advertising. The exception to their advertising claim is that they encourage you to purchase the professional version, which is forgivable. I just wish they didn't do it at the top of the whois response pane.

Archived at http://www.securityskeptic.com/arc20050701.htm#BlogID428 by Dave Piscitello  


Tue, 12 Jul 2005 00:00:00 00, 427
Domain Name Hijacking Report

During my first weeks at ICANN, I have been investigating domain hijacking with the Security and Stability Advisory Committee (SSAC). Formally, domain hijacking is the wrongful transfer of a domain name from a rightful name holder ("registrant"), but many incidents involving attacks on DNS configurations and registrant impersonation are labeled domain hijacks as well.

I've prepared a report on behalf of and with the extensive input and support from SSAC and ICANN staff. The Domain Name Hijacking Report was commissioned in response to both highly publicized hijacking events and a number of lesser publicized events. The SSAC found that domain name hijacking incidents are commonly the result of flaws in registration and related processes, failure to comply with the transfer policy and poor administration of domain names. The report recommends ten key actions including implementation of improved auditing and compliance measures, and additional measures to protect registration information from misuse by would-be hijackers, as well as implementation of emergency procedures to assist in the urgent restoration of a domain name.

You can find the report at ICANN at http://www.icann.org/announcements/hijacking-report-12jul05.pdf.

Archived at http://www.securityskeptic.com/arc20050701.htm#BlogID427 by Dave Piscitello  


Mon, 04 Jul 2005 00:00:00 00, 426
My Official Fourth of July security rant...

In a WatchGuard Wire post, Scott Pinzon labels my colleague and friend Marcus Ranum "a devoted disciple of incorruptible practicality" - damn! I wish I could have come up with as Jeffersonian a phrase as that one to describe MJR.

The label is spot on. Marcus views security issues through black-and-white lenses: you do what you know is the right thing to do, or you are wasting everyone's time and money, and putting your organization at risk. What distinguishes Marcus from so many other preachers is that his advice and insights are correct way more often than not.

Why? Well, he's pretty damned smart. But lots of folks involved directly or tangentially in security are smart. He's also intensely skeptical. Again, lots of other folks are intensely skeptical. He's principled. Lots of folks are principled - until someone higher in the organization points at the door and says, "my way or the highway..."

Marcus chooses the highway, or high way, if you prefer.

Too many practitioners in the security field concede to administrative bullyism. (This is less an indictment of security practitioners than it is of society at large.) The reason many of us admire Marcus is exactly because he chooses the lesser road traveled when issued an ultimatum. Most others will acquiesce and whine later on mailing lists or among colleagues over a beer. I've taken both paths in my career, and regret that I didn't always choose wisely.

I'm not advocating blind disciplism. The world according to Marcus is quite possibly too constricting. I'm suggesting that security would improve measurably if all who practiced it were more curmudgeonly. It's quite possible that we have a critical mass of security practitioners to say "ENOUGH" and pull us out of the security tailspin. The trick is getting those who form the critical mass to say it with Jeffersonian conviction and style.

"When in the Course of human events it becomes necessary for one people to dissolve the political band..."

Archived at http://www.securityskeptic.com/arc20050701.htm#BlogID426 by Dave Piscitello  


Fri, 01 Jul 2005 00:00:00 00, 424
Answering the Call for Business-Grade Antispyware

I've written a white paper for Aluria Software that explains the threats and issues spyware poses to businesses small and large. The white paper also identifies ten requirements that businesses should consider when evaluating business-suitable antispyware solutions. The paper concludes with an assessment of how Aluria Software's Paladin product meets the requirements I identify.

You can download the white paper in pdf format from Aluria Software.

Archived at http://www.securityskeptic.com/arc20050701.htm#BlogID424 by Dave Piscitello