
locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Sun, 26 Feb 2006 00:00:00 00, 507
Anton Chuvakin on Spyware

Colleague Anton Chuvakin posted a solid and up to date article on spyware on O'Reilly's WindowsDevCenter website. In the article, Anton offers a good taxonomy of spyware and an equally good explanation of countermeasures and recovery procedures. Anton reiterates one piece of advice I routinely see in antispyware articles:

"As far as responding to a spyware infection, the only guaranteed 100 percent effective measure a user can take is to rebuild a system. Only this will guarantee removal of all traces of malicious software from a system."

Home users are most accustomed to rebuilding a system from scratch from the OEM recovery disks. This method has the unfortunate consequence of providing you with a clean, default installation. Users must then reinstall applications and reconfigure security settings. In some cases, users may lose configuration data they haven't stored elsewhere, including Internet access settings and (woefully) all those passwords they may have stored using password management software or (yikes!) Notepad.

I recommend that users, home and professional, invest in disk imaging software. When you purchase a new computer, and before you connect it to the Internet and browse the web, install all the software you most commonly use - Office, security software, etc. Configure the security settings you will rely upon as your security baseline. Now make a complete image of your C:\ drive using the imaging software. If you ever have to recover your Windows OS following a spyware or virus infection, reinstall the "recovery image" you created.

In BlogID #298, "Beyond my documents", I recommend disk partitioning. Follow the recommendations in this item, make certain that you back up configuration data and your recovery image on a partition other than C:\, and you'll be able to recover your PC to a more complete and secure state from a spyware infestation. You may have to reinstall some applications you installed after you created your recovery image, but in my experience, you will reduce your effort from several hours to 30-40 minutes. Remember: if you want a clean recovery image, you can't surf the web, read email, transfer files, IM, or use any application that may store or upload cookies, files, scripts or executables on your computer.

Archived at http://www.securityskeptic.com/arc20060201.htm#BlogID507 by Dave Piscitello  


Tue, 14 Feb 2006 00:00:00 00, 506
Credibility Of Analysts

If you've ever wondered how independent top tech research firms are in their analysis of technology and trends, you'll find a February 6th article by Information Week's Larry Greenemeier and Paul McDougall interesting and troubling. Larry and Paul get right to the heart of the issue and begin with this challenge:

"Forrester, Gartner, IDC, and others insist their output is squeaky clean, yet they also rake in millions providing services to the very same companies they monitor, heavyweights like Cisco, IBM, Microsoft, and Oracle. Which leads to a question that continues to dog the research firms: How much influence do technology vendors have over their work?"

Larry and Paul ask the major players tough questions including, " Are analyst reports expert advice based on scientific, independent research, or does money talk?" (One question I've secretly wanted to ask for years is, "If you really believe you can accurately predict markets, why are you unwilling to disclose your predictions five years later and let the industry judge your track record?")

Larry and Paul also investigated funding and ownership of the top firms and claim some top analyst firms are partly owned by investors that hold "significant stakes" in the companies they cover. As an example, they describe Gartner's relationship with SI Ventures. Gartner invests in hedge funds, including SI Venture Fund II. SI funded Authentor Systems. Gartner analysts provided supportive quotes on Authentor Systems in the company's press releases. "I buy your fund. You invest in a company. I say nice things about the companies you invest in." Did I get that right?

I've always found it disturbing that companies with products in hot sectors say they have no choice but to pay to be placed into mystical quadrilaterals. When I've asked why, they respond as ProofPoint's Sandra Vaughan did in the IW article: "This [magic quadrant] matters more than you want it to matter..." Is Sandra saying "To do otherwise is economic suicide"?

I always thought the whole practice sounded vaguely similar to the insurance street gangs offer corner grocery store owners in NYC and LA. Larry and Paul lead me to conclude it's much more ORGANIZED than this.

Archived at http://www.securityskeptic.com/arc20060201.htm#BlogID506 by Dave Piscitello  


Thu, 09 Feb 2006 00:00:00 00, 505
Reading blogs from your server?

One of the statistics my web log reporting software provides is a list of operating systems that access my web pages. The report shows about 7500 requests have been made over the past 6 months from Windows Server 2003 hosts.

I appreciate the traffic, but I've got to ask, "Why on earth are you visiting blog sites from your server!" True, browsing with IE on Windows 2003 Server is more secure than before. True, my site is entirely benign (you should of course verify this yourself. Have you listed my site in your trusted sites zone? What a compliment!). But the potential for encountering spyware as you "drive by" blogs and other public web sites is just too high to justify the risk. I found a lovely quote by Deb Shinder in an article on web browser vulnerabilities: "If there is sensitive data on your computer, don’t browse the Web." (I only wish Deb would correct the grammar: data requires a plural verb...)

Chances are that if you have a server, you have some clients. Please continue to visit my blog, but do so from a client.

Archived at http://www.securityskeptic.com/arc20060201.htm#BlogID505 by Dave Piscitello  


Tue, 07 Feb 2006 00:00:00 00, 504
A Case for Identity Management

Ask ten security administrators to identify their biggest security concern today. The majority will identify worms, spam and application-level (Web) attacks. A smaller number will respond that user and access management trouble them. Chances are the administrators in the minority are managing the largest, most diverse organizations.

This article was originally posted at Interop Loop. I've finally resurrected it from the ashes of that info portal.

Archived at http://www.securityskeptic.com/arc20060201.htm#BlogID504 by Dave Piscitello  


Mon, 06 Feb 2006 00:00:00 00, 503
Best Super Bowl Commercial

Since the 1984 Apple commercial introducing the Macintosh, Super Bowl commercials have been a huge marketing event. This year, my vote for best commercial goes to Budweiser for the Clydesdale American Dream. The commercial is a heartwarming depiction of a young Clydesdale who takes up the halter of the Budweiser wagon and tries to pull it himself. Two full-grown Clydesdales observe him and quietly slip behind the wagon to offer a friendly push. The colt, believing he's pulled the wagon all by himself, whinnies excitedly. If you are a romantic at heart, love horses, or have watched children (especially your own) fulfill a fantasy, you can't help but love this commercial.

Budweiser offers download-and-play versions of the commercial from its web site. Find links for QuickTime, Windows Media and Real Player formats here. There is also a big screen version, which requires that you use IE and install Maven. Checking Maven's pedigree, Maven Networks is the software company that operates the AETN digital screener system. AETN claims that "Maven is not spyware, and doesn't track a user's computer behavior outside of the AETN application. Usage (playback of the video, shares and interactions) within the AETN experience is monitored by A&E Networks only and is kept confidential". If you're not comfortable with this claim, then use a player you trust.

If you want to read about Apple's 1984 commercial, visit The 1984 Macintosh Ad by Sarah R. Stein. If you want to view it in its entirety, open this link with QuickTime.

Archived at http://www.securityskeptic.com/arc20060201.htm#BlogID503 by Dave Piscitello  


Sun, 05 Feb 2006 00:00:00 00, 502
Where's Part 3?

I received a very kind email complimenting my IP Telephony: Threats & Countermeasures series of articles. The message body reads:

Dear Sir

This is Vimal from India. I read your article about IP Telephony (VOIP) Security Part 1 and Part 2. It is a well researched and nicely written article and gives a lot of insight. I am waiting for Part 3 of the same.

I hope I get to read that soon.

Sincere Regards

Vimal

Vimal reminded me that my original plan for this series was to conclude with a third article that would discuss security measures for IPT endpoint devices and servers, and discuss deployment considerations for converged (voice and data) networks. I never wrote Part 3, but have incorporated this discussion into a workshop I teach at VoiceCon. Alan Johnston and I also devote chapters in our forthcoming book to these topics. When I find time, I'll post the concluding article, or I'll ask Artech if I can post an excerpt from our book.

Archived at http://www.securityskeptic.com/arc20060201.htm#BlogID502 by Dave Piscitello  


Sat, 04 Feb 2006 00:00:00 00, 501
Care and Handling of Credit and Personal Information

Despite the real and present dangers that Internet identity theft, phishing and email scam attacks pose, we cannot afford to overlook measures we can take to protect our identities and credit from attacks in the real (physical) world.

Financial institutions, law enforcement agencies and attorneys recommend a number of ways you can protect against credit card theft and misuse, check fraud, and unintentional disclosure of personal information that can be used by impersonators, extortionists and other malicious or malevolent persons. A short list of some of these follows...

Archived at http://www.securityskeptic.com/arc20060201.htm#BlogID501 by Dave Piscitello  


Fri, 03 Feb 2006 00:00:00 00, 500
The death of polysyllabilism

Beat down. Man up. True dat.

These are but a sample of monosyllabic phrases you'll invariably hear if you tune into radio and television stations other than NPR for more than five minutes. When did using complete sentences and rich vocabulary become passé? More importantly, why? What makes flaunting an inability to couple adjectives, nouns, verbs, prepositions, and adverbs together in a meaningful, insightful, entertaining and grammatically correct manner so appealing?

Wat up wit dat?

What distinguishes street talk from baby gibberish? When he was but a toddler, my son repeatedly uttered "boo huck" from his perch in the back seat of my Saab. My wife and I finally deciphered this to mean "big truck". Why are monosyllabic phrases like "true dat" widely understood and desirable while "boo huck" remains known by and comprehensible to only one married couple? What stimulates the adoption rate?

At least alliteration is not entirely dead. We may not enjoy such rich and poetic lyrics as "helplessly hoping her harlequin hovers nearby, awaiting a word..." today, but hey, we have "bling bling" and "my hump hump".

Archived at http://www.securityskeptic.com/arc20060201.htm#BlogID500 by Dave Piscitello  


Thu, 02 Feb 2006 00:00:00 00, 499
My first IdM Appliance: IDSentrie

I've been complaining about the desperate state of user account and identity management for some time. To date, the single and reduced sign-on solutions I've had the opportunity to evaluate have proven wholly unsuited for medium businesses of between 500 and 2500 users. The IdM solutions SMBs can afford are lame, and the products that can actually solve the problem target the large enterprises that are suffering in Dante's identity inferno and willing to pay six figures or more for relief. This is a dreadful situation because many companies might be able to avoid some of the growing pains related to Quad-A (admission control, authentication, authorization, accounting) and control the proliferation of user accounts if they could only find a unified identity management solution that was affordable, deployable, and scalable.

In December, I joined the advisory board of A10 Networks. Before joining, I shared my not-so-favorable opinions of the current state of IdM with some of the company's principals. A10 piqued my curiosity by flatly stating that they had considered all my complaints - well, at least the ones that technology can attempt to solve - in the design objectives for their IDSentrie identity appliance. In fact, they insisted I test drive an IDSentrie 1000 and sent me an appliance shortly after our first board meeting; a box was literally waiting for me when I arrived home.

In its simplest deployment (which also proved to be a useful introduction to the product), IDSentrie proxies authentication requests from access server devices (firewalls, remote access/VPN servers, WLAN access points, web portals, etc.) to third-party authentication data stores using common authentication protocols (e.g., RADIUS, EAP) and popular auth methods (passwords, digital certificates, SecurID hardware tokens). Using the IDSentrie web GUI, I began by configuring two firewalls as network access devices. So that I could test one communications path at a time, I configured users and groups in a local database at the IDSentrie. When configuring groups, I identified the access server, auth method, and access control elements that comprise the AAA policy I intended to enforce. I then configured the firewalls to forward authentication requests to IDSentrie using the RADIUS protocol. My firewalls had previously been configured with a number of user-based access policies, so I attempted to visit a web site that hosted restricted content. This forced me to authenticate to the firewall, which passed my credentials to the IDSentrie using RADIUS. I repeated the process to test the RADIUS exchange with my second firewall.
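To make the firewall-to-IDSentrie leg concrete, here is the RADIUS Access-Request/Access-Accept exchange (RFC 2865) in pure Python, as an added example that is not code from this post or from A10's product. The shared secret, credentials and NAS address are constructed placeholders; the point for a defender is the two checks that keep a proxied RADIUS path honest: the User-Password hiding is only as strong as the shared secret, and the NAS must verify the Response Authenticator before trusting an Access-Accept.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

def attr(attr_type, value):
    """Encode one Type-Length-Value attribute."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous block),
    the first block keyed on the Request Authenticator. This is keyed obfuscation,
    not strong encryption, so the shared secret must be long and unguessable."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + chunk, chunk
    return out

def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password, as the RADIUS server (the IdM proxy here) does it."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(c ^ k for c, k in zip(chunk, keystream)), chunk
    return out.rstrip(b"\x00")

def build_access_request(identifier, username, password, secret, nas_ip, request_auth=None):
    """What the firewall (NAS) sends after a user authenticates to it."""
    request_auth = request_auth or os.urandom(16)  # must be unpredictable per request
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs

def build_response(code, identifier, attrs, request_auth, secret):
    """Access-Accept/Reject from the server; the Response Authenticator binds the
    reply to this request and to the shared secret."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_response(packet, identifier, request_auth, secret):
    """NAS-side check: returns the code, or None if the packet is not the reply to
    this request or its Response Authenticator fails (forged or tampered reply)."""
    if len(packet) < 20 or packet[1] != identifier:
        return None
    code, _, length = struct.unpack("!BBH", packet[:4])
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if length != len(packet) or not hmac.compare_digest(expected, packet[4:20]):
        return None
    return code
```

A reply whose code, identifier or attributes are altered in transit, or that was produced without the shared secret, fails verify_response and is dropped rather than granting access.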

This wasn't much of a test; after all, I could do this with many RADIUS servers. I next attempted to enable IEEE 802.1X authentication and WPA/AES encryption through a Linksys WAP55AG access point. IDSentrie has a built-in SSL server certificate and supports several EAP types, including EAP-TTLS and PEAP, and auth methods (MD5, MSCHAPv2, SIM). I chose PEAPv0/EAP-MSCHAPv2 authentication against a local IDSentrie database; again, while I could do this with other products, I wanted to keep it simple early on.

Configuring the Linksys AP as a network access server, creating a group and policies for 802.1x authentication and enabling the Linksys AP to forward authentication to the IDSentrie took about as long as configuring the Windows XP clients. I fired up a laptop, connected to my preferred wireless network, accepted the IDSentrie certificate (first encounter), and logged on using IDSentrie database credentials.

These are relatively simple scenarios, but I am juggling my IDSentrie play time with my day job(s). Still, I'm impressed at how intuitive and easy IDSentrie has made tasks that are quite a bit more complex. My next step is to introduce an Active Directory and a RADIUS authentication server into the mix. I've gone through the long and harrowing experience of configuring secure IEEE 802.11 networks using Microsoft Windows, which requires a certificate infrastructure, Active Directory (for accounts, groups, and 802.11 group policy settings), and IAS services, so I hope to compare that experience with IDSentrie. Eventually, I will eliminate the IDSentrie local database from my environment so I can better emulate medium to large organizations where authentication data stores and servers seem to multiply like rabbits.

This is the first in what should prove to be a series of IdM-related posts. Since I disclosed my relationship with A10 Networks at the outset, I won't apologize for any evangelical comments, but I will try to keep them to a minimum:-)

Archived at http://www.securityskeptic.com/arc20060201.htm#BlogID499 by Dave Piscitello  


Wed, 01 Feb 2006 00:00:00 00, 498
Where do you go to learn?

An assistant publisher contacted me recently, asking how I keep pace with technology change; specifically, she asked:

When you want to learn a major new technical topic (new language, new operating system, new feature of a language, a new security threat, etc) where do you first go to learn (ask a colleague, do a web search, post your question to a newsgroup, go to an elearning environment you/your employer subscribes to, buy a book, .....)?

Why do you choose your first path of learning?

I've already blogged and written about how well searches in general, and Googling in particular, serve my needs. By searching with successively fine-grained filters, I usually discover dozens of articles, reports and white papers. Gathering these in a separate folder of favorites, I next apply some speed learning techniques I acquired long ago while working at Unisys to coarsely filter the credible resources from the not-so-credible-how-could-anyone-think-to-publish-this material. I then read the articles. If they are good, I print or save a local copy, and highlight or e-comment the important facts. If they are really good, I add them to the Security Resource Library I maintain or mention them in my blog.

I also learn quite a bit by commenting and debating a subject via email with respected colleagues, either directly or by posting to private mail lists. These invariably prove to be the most informed and accurate sources. The lists are populated with technology grey beards who are familiar with a broad range of topics. Everyone is basically invited or vetted by other members. Most are industry pundits of one sort or another, an eclectic mix of engineers, scientists, tech attorneys, and independently wealthy folks who thrived beyond the dot bomb.

I lurk and post to some well-moderated mailing lists including Bugtraq, Pen-Test, and Firewall-Wizards. I also follow RSS feeds of security bloggers like myself (Adam Shostack, Bruce Schneier, Anton Chuvakin, Jiri's Notepad, Jaime Lewis, Mark O'Neill).

I'm fortunate to be on the courtesy copy lists of many publishers, and receive at least one book per week. I thumb through these and bookmark chapters I know I'll find useful later.

In parallel with my reading and bookmarking, I routinely compose outlines when I'm doing research for an article. In some cases, the outline evolves into a presentation rather than an article. If it's polished enough, I'll try to present it at a conference. Sometimes, if the interest is high, I'll accumulate enough related presentations and articles to build a day-long workshop. In the case of IP telephony (VOIP) security, a fair amount of this material found its way into the VOIP Security book I've co-authored with Alan Johnston.

I can't honestly say I chose this path for learning. It evolved over time.

Perhaps it chose me:-)

Archived at http://www.securityskeptic.com/arc20060201.htm#BlogID498 by Dave Piscitello