locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Thu, 29 Jun 2006 (BlogID 538)
Renewal Considerations for Domain Name Registrants

My SSAC colleagues and I have published an advisory that describes incidents where, by choice or oversight, registrants allowed a domain name registration to expire, anticipating that no harm would come from allowing the registration to lapse. In these and other incidents, a different party registered the domain name, and the activities of the new registrant proved harmful to the interests of the previous registrant.

The purpose of this Advisory is to explain ways in which a domain name may accrue reputational and commercial value. The Advisory uses reported incidents to illustrate that registrants should consider the potential for damage to reputation, material loss, and lost recurring revenue opportunities before allowing a name registration to expire. The Advisory, Renewal Considerations for Domain Name Registrants, is available as a PDF download.

Archived at http://www.securityskeptic.com/arc20060601.htm#BlogID538 by Dave Piscitello  


Tue, 27 Jun 2006 (BlogID 537)
Why Legitimate Search Engines Should Hate PPC Landing Pages

Users expect search engine results to lead them directly to relevant content. PPC landing pages - pages hosted by domain name monetization entrepreneurs that contain only PPC advertising - detract from the anticipated user experience in several ways. First, they introduce a level of indirection: if you submit a search query for "firewalls", you expect content relevant to firewalls and not a page containing only referral links to sites that sell firewall-related products and services. Second, they create opportunities to obfuscate and deceive. Aggressive PPC entrepreneurs are not above "gaming" search relevance and ranking systems, so you can submit a search query for "health and fitness" and be directed to a landing page full of ED advertisements.

I find it difficult to distinguish these forms of search result manipulation, especially the second case, from search engine hijacking. Search engine users are not finding the content they expect, nor able to visit there directly and conveniently. These are conditions that should cause search engine providers to assess whether monetization landing pages pose threats to their businesses. While monetization landing pages generate revenue for search engines, they are increasingly eroding consumer confidence in search engine efficacy and utility.

My first reaction to this growing problem was to consider whether an HTTP proxy or Firefox plug-in might intercept search results, visit and analyze pages, block pages that contained more than a user-settable number of PPC advertisements, and add these to a blocked list. This is probably a non-trivial but doable URL filtering script. This is also exactly the kind of wrong-ended security measure I hate. I'd rather see Google et al. come to the conclusion that relevant, accurate and impartial responses are the core competencies of search engine providers. IMO, adding logic that relegates pages with little or no content relevant to the query to the bottom of the list of results is a better long term business strategy.
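To make the "user-settable number of PPC advertisements" idea concrete, here is a sketch of the page-analysis half of such a filter. This is an added example, not code from the post or from any shipped plug-in: it parses a fetched page, counts links pointing at PPC feed hosts versus visible non-link content, and blocks the page's host once the count exceeds a threshold. The PPC host names and the two sample pages are constructed for the example; a real filter would maintain the host list from observed landing pages.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical PPC feed/redirector hosts (invented for this example).
PPC_HOSTS = ("feed.example-ppc.net", "click.example-ads.com")


class _LinkTextCounter(HTMLParser):
    """Collects hrefs and counts visible words that are not anchor text."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.content_words = 0
        self._in_anchor = False
        self._skip_depth = 0  # nesting inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._in_anchor = True
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)
        elif tag in ("script", "style"):
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_anchor = False
        elif tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        # Only text outside anchors and outside script/style counts as content.
        if not self._in_anchor and not self._skip_depth:
            self.content_words += len(data.split())


def is_ppc_link(href):
    host = (urlparse(href).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in PPC_HOSTS)


def analyze_page(html):
    """Return PPC link count, total link count and visible content word count."""
    parser = _LinkTextCounter()
    parser.feed(html)
    parser.close()
    ppc = sum(1 for h in parser.hrefs if is_ppc_link(h))
    return {"ppc_links": ppc, "total_links": len(parser.hrefs),
            "content_words": parser.content_words}


class LandingPageFilter:
    """Blocks pages whose PPC link count exceeds a user-settable threshold
    and remembers the offending host so later results are dropped cheaply."""

    def __init__(self, max_ppc_links=5):
        self.max_ppc_links = max_ppc_links
        self.blocked = set()

    def check(self, url, html):
        host = (urlparse(url).hostname or "").lower()
        if host in self.blocked:
            return "blocked"
        if analyze_page(html)["ppc_links"] > self.max_ppc_links:
            self.blocked.add(host)
            return "blocked"
        return "allowed"


# Constructed sample pages: a monetization landing page and a content page.
LANDING_PAGE = "<html><body><h1>firewalls</h1>" + "".join(
    f'<a href="http://feed.example-ppc.net/click?id={i}">Sponsored result {i}</a>'
    for i in range(8)) + "</body></html>"

CONTENT_PAGE = """<html><body><h1>Stateful firewalls explained</h1>
<p>A stateful firewall tracks connection state so that return traffic for an
established session is admitted without a matching inbound rule ...</p>
<a href="http://www.example.org/reading-list">Further reading</a>
<a href="http://click.example-ads.com/x">One sponsored link</a>
</body></html>"""

if __name__ == "__main__":
    f = LandingPageFilter(max_ppc_links=5)
    print(analyze_page(LANDING_PAGE), f.check("http://parked.example/", LANDING_PAGE))
    print(analyze_page(CONTENT_PAGE), f.check("http://www.example.org/fw", CONTENT_PAGE))
```

The threshold is an absolute count, as the post describes; in practice the ratio of PPC links to content words is a stronger signal, and `analyze_page` returns both so the policy can be tuned without touching the parser.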

Archived at http://www.securityskeptic.com/arc20060601.htm#BlogID537 by Dave Piscitello  


Mon, 26 Jun 2006 (BlogID 536)
SSAC Presentations from Marrakech Meeting

My presentations from the ICANN Marrakech public SSAC meeting are now posted at the ICANN SSAC web. My first presentation describes incidents where registrants did not renew a domain name registration, anticipating that no harm would come from allowing the registration to lapse. In these and similar incidents, a different party registered the domain name, and the activities of the new registrant proved harmful to the interests of the previous registrant. How harmful? In several cases, the new registrant used the domain as a referral site for pornography web sites. The presentation offers recommendations to registrants on how to safeguard against accidental non-renewal and ways to determine whether continued registration of a domain name might prove useful or profitable.

The second presentation describes scenarios where a registrant, e.g., Jane Doe, arranges for out-of-bailiwick DNS name service, e.g., from Fred ISP; Fred ISP then allows its own domain name registration to expire, and Jane Doe's name service is interrupted. I also explained how an attacker can exploit this scenario by registering Fred ISP's domain name, operating a name service with altered DNS information for Jane Doe's domain, and redirecting traffic from Jane Doe's domain for phishing, email and other nasty attacks. The presentation offers measures registrants can take to safeguard against such name service interruption and traffic hijacking incidents.
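The check a registrant would want here is an inventory of which third-party registrations their own name service silently depends on. The following is an added example, not part of the post or of the SSAC advisory: it groups a zone's NS hostnames by the registrable domain that must stay registered for them to resolve, flags the case where every nameserver hangs off a single third-party domain (one expiry silences the zone and hands an attacker the whole delegation), and checks constructed WHOIS expiry dates against a renewal horizon. The zone names, nameservers, expiry dates and the small public-suffix set are all constructed for the example; real code would use the Public Suffix List.

```python
from datetime import date

# Constructed stand-in for the Public Suffix List (only what the example needs).
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}


def registrable_domain(hostname, suffixes=PUBLIC_SUFFIXES):
    """Label directly below the longest matching public suffix,
    e.g. ns1.fredisp.co.uk -> fredisp.co.uk."""
    labels = hostname.lower().rstrip(".").split(".")
    for n in range(1, len(labels)):          # longest candidate suffix first
        if ".".join(labels[n:]) in suffixes:
            return ".".join(labels[n - 1:])
    return ".".join(labels[-2:])


def ns_dependencies(zone, ns_records, suffixes=PUBLIC_SUFFIXES):
    """Split a zone's nameservers into in-bailiwick (inside the registrant's own
    registrable domain) and out-of-bailiwick, keyed by the third-party domain
    whose registration they depend on."""
    zone_rd = registrable_domain(zone, suffixes)
    report = {"zone": zone_rd, "in_bailiwick": [], "out_of_bailiwick": {}}
    for ns in ns_records:
        rd = registrable_domain(ns, suffixes)
        if rd == zone_rd:
            report["in_bailiwick"].append(ns)
        else:
            report["out_of_bailiwick"].setdefault(rd, []).append(ns)
    return report


def single_point_of_failure(report):
    """The one third-party domain whose lapse would take *all* name service
    with it (the Fred ISP scenario), or None if service is spread out."""
    if report["in_bailiwick"] or len(report["out_of_bailiwick"]) != 1:
        return None
    return next(iter(report["out_of_bailiwick"]))


def expiring_dependencies(report, expiry_dates, today, horizon_days=60):
    """Third-party nameserver domains whose registration expires within the
    horizon. `expiry_dates` maps registrable domain -> date (WHOIS-derived;
    constructed in this example)."""
    flagged = []
    for rd in report["out_of_bailiwick"]:
        exp = expiry_dates.get(rd)
        if exp is None or (exp - today).days <= horizon_days:
            flagged.append(rd)          # unknown expiry is flagged as well
    return sorted(flagged)


# Constructed scenario: Jane Doe's zone delegated entirely to Fred ISP.
JANE_ZONE = "janedoe.com"
ALL_AT_FRED = ["ns1.fredisp.net", "ns2.fredisp.net"]
MIXED = ["ns1.janedoe.com", "ns2.fredisp.net", "ns3.otherdns.co.uk"]
WHOIS_EXPIRY = {"fredisp.net": date(2006, 7, 15), "otherdns.co.uk": date(2008, 1, 1)}

if __name__ == "__main__":
    today = date(2006, 6, 26)
    for ns in (ALL_AT_FRED, MIXED):
        rep = ns_dependencies(JANE_ZONE, ns)
        print(rep)
        print("single point of failure:", single_point_of_failure(rep))
        print("expiring within 60 days:", expiring_dependencies(rep, WHOIS_EXPIRY, today))
```

Note that spreading nameservers across providers removes the outage risk but not the hijack risk: an attacker who re-registers any one of the out-of-bailiwick domains still answers for whatever fraction of resolvers pick that server, so every entry in `out_of_bailiwick` belongs on the registrant's renewal watch list.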

Pending approval this week by ICANN's board, SSAC will publish Advisories on both these topics.

Archived at http://www.securityskeptic.com/arc20060601.htm#BlogID536 by Dave Piscitello  


Wed, 14 Jun 2006 (BlogID 535)
Worth adding to your list of security axioms

In a thread discussing Integrated IDS/IPS/Firewalls, Chris Blask made the following claim that I can't help but believe is more accurate than any made by security vendors today:

"Good firewalls managed badly suck; 'weak' firewalls managed diligently and used with the right collateral don't."

What more can one say about the impact "clue" has on implementing effective security?

For similar insights, visit Blask Works.

Archived at http://www.securityskeptic.com/arc20060601.htm#BlogID535 by Dave Piscitello  


Mon, 12 Jun 2006 (BlogID 534)
SPAM, SPIM, SPIT, SPASMS and now... SPOG!

Everyone knows about and receives spam. Many folks also receive spam on instant messaging (SPIM), IP Telephony (SPIT), and even short messaging services (SPASMS). Now, even the chat channels of popular online games like World of Warcraft are attracting spammers.

So from the original coiner of the acronym SPASMS, I give you SPOG - spam on online games.

I play WoW with my colleagues and my son. It's a nice break from the real world; in WoW, I encounter a much higher percentage of pleasant and generous characters than the real world. I get to whack the heck out of something with impunity. I learn crafts and trades. And until recently, I had a high signal-to-noise ratio on the chat channels. Unsolicited advertising is now invading my leisure world! This is NGAT (not good at all) and I am definitely not ROFL (rolling on the floor laughing).

One way to measure whether something is acknowledged as A Problem is to search to see if someone's invented A Solution. Sure enough, if you Google "World Warcraft spam" you'll find antispam plugins like Spam-Guard Plus, which "monitors say, yell, tell and numbered chat channels for spam and automatically ignores spammers for the rest of the session". (Source squelch - I love it)

Archived at http://www.securityskeptic.com/arc20060601.htm#BlogID534 by Dave Piscitello  


Fri, 09 Jun 2006 (BlogID 533)
Parallels Desktop for Mac

I recently installed Parallels Desktop for Mac on my MacBook. Parallels offers a VM (Virtual Machine) alternative to installing Apple's Boot Camp and running Windows XP natively. Both are in beta, but I read enough positive comments about the Parallels product that I decided I'd try this for two reasons. First, Parallels desktop promised to run Windows XP in a window while I was running MacOS and OSX so I would have access to three operating systems when I boot up. The second was more pragmatic: it looked to be a simpler "uninstall" if I did not like it.

Parallels Desktop is downloadable, and you must get a beta license to use it. When you first launch Parallels Desktop, you set up the VM working environment (RAM, CPU, disk startup sequence, etc.) for your Windows OS (you can also install other Linux-based OSs as well). Then you install your fully licensed copy of XP. The installation sequence is identical to installing XP on an Intel PC. Add five minutes to the time it customarily takes for you to install XP. It took me a few minutes to grow accustomed to the keyboard switch that controls whether you are mousing in the XP window or on the Mac desktop (maybe that's just me...)

If you are a longtime XP user, and have licensed copies of XP and Office, you can save hundreds of dollars by installing these on your Intel-powered Mac (providing you are removing the copies off an Intel PC that will presumably become another boat anchor and environmental hazard). I also have several security applications that are Win32 that are not available for other OSs and routinely use these. My son is contemplating a MacBook for college in the fall, and like most teens, he has a number of games that only run on Windows.

So far, the experience is a positive one. When the beta concludes I'll purchase the licensed software. I'll keep you posted as I try new applications.

Archived at http://www.securityskeptic.com/arc20060601.htm#BlogID533 by Dave Piscitello  


Thu, 08 Jun 2006 (BlogID 531)
Optimistic about Adobe Acrobat 7.0

In previous blogs, I've described numerous painful experiences with versions 4 through 6 of Acrobat. I've been using Acrobat 7.0 for only a short while, but so far, the application and browser plug-ins load faster and most importantly, I haven't had a frozen browser or hung machine incident. Your mileage may vary, but Acrobat 7.0 seems to be a worthwhile upgrade. For the record, my upgrade process for Adobe products involves completely uninstalling the currently installed version, rebooting my machine, installing the new version, and rebooting again.

Archived at http://www.securityskeptic.com/arc20060601.htm#BlogID531 by Dave Piscitello  


Wed, 07 Jun 2006 (BlogID 532)
TechnoSecurity 2006

I attended and spoke at TechnoSecurity 2006 in nearby Myrtle Beach, SC. This conference is very forensics-oriented and attracts many accomplished and renowned security experts as well as law enforcement agents and other professional investigators. Some presentations and speakers I found particularly interesting were:

  • Mary Ann Davidson, CSO, Oracle. Mary Ann spoke on improving IT Security using purchasing power, which is a deceptive and sleep-suggesting title for what was a very educational session. Mary Ann suggests that we have a better chance of pulling out of today's security tailspin if buyers become more demanding, if vendors pay closer attention to the hidden costs of patching exploited software and begin to develop more demanding secure coding practices, and if security analysts spend less time drawing magic objects and tell us more about real security issues. If you find a program where Mary Ann is speaking, I strongly recommend you attend that conference.

  • Johnny Long and Cynthia Hetherington demonstrated how investigators and forensics staff can use Google and dozens of other web portals to public databases to identify and build leads for criminal and civil investigations, identifying along the way exactly how little privacy we all have. Cynthia's presentation, while very upbeat and humorous, was also very sobering. From information in a local newspaper article, Cynthia demonstrated how she and other investigators can in many cases use electronic "leads" to build a profile and collect evidence for defense attorneys and prosecutors without requiring a subpoena.

  • The Expert panel on Tuesday afternoon included Johnny Long, Eric Cole, Marcus Ranum, Richard Bejtlich, Ron Gula, et al. The Q & A quickly digressed to a no-holds-barred, broad-reaching indictment of the myriad ways users, vendors, IT staff, and the press have contributed to the lamentable state of security. I laughed, I cried, it became a part of me.

I participated in an expert panel on Wednesday. I gave a short speech on "Impersonation" as the single most worrisome problem facing the Internet today. Later, during Q & A, I talked quite a bit about *accountability* and how society must play a role in reversing the downward trend in security. Forensics is out of my bailiwick so I worried that I would be perceived as some evangelical maniac but was quite pleased when a number of attendees spoke with me at the conclusion of the session and agreed that we really have to reverse popular thinking that includes such misconceptions as "hacking is glamorous" and "the security of my company's network isn't my responsibility", and begin to nurture ethical behavior and self-accountability. Wouldn't it be refreshing to read "ethical hacking is an oxymoron" and "hacking is a criminal activity" in tech editorials? Wouldn't you love to see a generation of employees who believe "working for my company is a privilege and I should show my appreciation by doing everything I can to protect my company's electronic assets" or think "it's my responsibility to make the best possible effort to assure that the code I write is secure before it's released"? And how about, "employees in my company are rewarded for helping us reduce our risk"?

I told you it sounded evangelical...

Archived at http://www.securityskeptic.com/arc20060601.htm#BlogID532 by Dave Piscitello