locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Fri, 27 Apr 2007
Analogy for the day

If you develop a rash or an insect bites you, and the site begins to itch, you'll most likely scratch it. If the itch is relentless, you will exercise one of several choices. You may visit dermatologists, allergists, and internists to diagnose whether the itch is symptomatic of a skin disease, allergy, or more serious disorder. Once diagnosed, the health care giver will recommend that you mitigate the problem by using antibiotics or steroids, by introducing changes in your dietary habits, or by some other treatment.

This path is often expensive and time-consuming. Many of us often choose to apply non-prescription topical creams and oral antihistamines that offer temporary relief and hope the itch goes away.

Internet security is largely practiced by applying topical creams, swallowing antihistamines and using steroids. We are too busy, and think our budgets are better spent elsewhere than on security, so we apply inexpensive, quick fixes and pray. Here's a popular example. We'll interpose a $300 firewall appliance between a small office server and our broadband access, but will configure it to allow ANY traffic outbound from ANY address behind that firewall, including servers. We often don't think overly carefully about the implications of that configuration.

Many will argue that this course provides many organizations and individuals temporary and tolerable relief in "surface symptom" areas like spam and malware. I'd be curious to compare the total cost of deploying antispam measures over the past decade against the cost of deploying email systems that allowed us to reject bogus mail senders. 500+ weeks' worth of cortisone cream and Benadryl, folks!

Symptomatic treatment versus early diagnosis and mitigation of the root cause. Are you happy with temporary relief?

Archived at http://www.securityskeptic.com/arc20070401.htm#BlogID610 by Dave Piscitello  


Wed, 18 Apr 2007
Unforgiving?

In an article entitled Security Hats: Black and White, No Grayscale, I list reasons why organizations should avoid hiring crackers (convicted or admitted). Some readers feel this is an unforgiving attitude that fails to consider that individuals can make mistakes, but if they are contrite, serve jail time and reform, they should be forgiven. I'm entirely comfortable with being forgiving. But that's not the issue here.

A physician who performs illegal surgeries or violates the canons of medical ethics will lose his license and may serve jail time. He may regret his actions and pledge to reform. When he returns to society, he can try new careers, but he should never be allowed to practice medicine again.

Similarly, an attorney who breaks the law, breaches an attorney-client privilege, or violates other legal canons of ethics will lose his license and may serve jail time. He, too, may regret his actions and pledge to reform. When the attorney returns to society, he can try new careers, but he should never be allowed to practice law again.

Why should we treat information technologists differently? An information technologist who engages in *cracking*, breaks computer crime laws, or who does not conduct himself ethically, lawfully and professionally should lose any certifications he has accrued and serve jail time. He may regret his actions and claim to reform, but when he returns to society, he can do many things, but he should never be permitted to work in the field of information technology again.

Serving time and paying fines are appropriate consequences for committing crimes, but should not be the only ones. Some consequences should be more enduring, and the consequences of violating a trust should be more severe. It's unlikely that a disbarred attorney would be invited to speak at a law conference on ways to exploit privileged information. A physician barred from medical practice would not be invited to demonstrate surgical techniques at a teaching hospital. But I note with considerable disgust that we invite convicted hackers to present keynotes and, *worse*, to teach for hacker academies.

If learning how to social engineer and hack networks from an ex-con is what it takes to earn a certification from your academy, you can keep it.

Archived at http://www.securityskeptic.com/arc20070401.htm#BlogID609 by Dave Piscitello  


Tue, 17 Apr 2007
Free Security Applications

Rich McIver forwarded a link to IT Security's 103 Free Security Applications, a nice collection of security freeware for Windows, Linux and OS X. The list is conveniently organized by security service - antivirus, antispyware, firewall, network assessment, etc. - and contains much of the software I've recommended here and on my resources pages.

I found eight or so software applications I'm likely to download and try. I'm always willing to consider ways to improve my security baseline.

You feel confident you have all the security software you need? You're probably overconfident. Visit the hyperlink.

Archived at http://www.securityskeptic.com/arc20070401.htm#BlogID608 by Dave Piscitello  


Fri, 06 Apr 2007
Ethical Hacking, Redux

I received an email from a malware analyst who disagreed with my written and podcasted criticisms of "ethical hacking". For the record, I've said on many occasions that ethical hacking is the perceived high road of cracking, an organized and sanctioned practice of identifying vulnerabilities in software. In practice, "open community" ethical hacking is a train wreck, widely practiced outside these parameters, by people with ambiguous motives, using few if any formal methodologies and acceptance criteria (note how I carefully qualified my claim).

I've tried to create the illusion of a verbal debate in a podcast.

Audio/MP3

Archived at http://www.securityskeptic.com/arc20070401.htm#BlogID607 by Dave Piscitello  


Thu, 05 Apr 2007
VODcaster, a syndication and publishing tool for the Mac OS

At Fred Avolio's suggestion, I tested VODcaster, a program that automates the process of creating an iTunes-compatible syndication feed for videos and podcasts. VODcaster is a wonderful example of focused software development. It does one thing and does it intuitively and well. To create your podcast feed, you create a channel by naming an XML file for the feed and identifying the web site URL and the directory at the site where you'll store the feed and media files. Drag a media file (e.g., a podcast MP3) to the VODcast table and fill in descriptive information (Podcast Title, Description, Author, Date), then click PUBLISH. Upload the files to the directory you identified on your web server. Done!

VODcaster does have some frills. You can preview the media files from VODcaster, and record videos directly into VODcaster from any camera attached to your Mac.

My VODcaster created podcast feed is http://www.securityskeptic.com/podcasts/podcastfeed.xml.

Visit Two Canoes to download VODcaster.

Archived at http://www.securityskeptic.com/arc20070401.htm#BlogID606 by Dave Piscitello  


Wed, 04 Apr 2007
Caricature

To complete the transformation of my blog persona from yodave to the Security Skeptic, I've replaced a stale photograph of Dave wearing a tie with a caricature by one of the fine artists at The Caricature Shop. After visiting many sites in search of quality, fair price, and unencumbered ownership of the product, I was delighted to find David Whorf and company.

A caricature is an exaggerated and often comic representation of a person, group, or event. Some friends have commented that this particular caricature depicts me as more sinister than skeptical. My wife assures me that neither the caricature nor I am the least bit sinister, and voted to keep this one. As is frequently the case in matters involving art and design, my wife casts the deciding vote.

Archived at http://www.securityskeptic.com/arc20070401.htm#BlogID605 by Dave Piscitello  


Tue, 03 Apr 2007
Lesser known DOS netstat options

The netstat program is available on every OS I own, but several of its options are specific to a particular operating system. A post to a recent thread on the firewall-wizards mailing list reminded me of two Windows options that can be useful in isolating spyware components.

netstat -o displays the process ID (PID) of the process that "owns" each network connection. For example (here combined with -n, so addresses are shown numerically rather than resolved to host names):

c:\>netstat -on

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED     1992
  TCP    127.0.0.1:1026         127.0.0.1:1025         ESTABLISHED     1992
  TCP    127.0.0.1:1340         127.0.0.1:1341         ESTABLISHED     5000
  TCP    127.0.0.1:1341         127.0.0.1:1340         ESTABLISHED     5000
  TCP    127.0.0.1:3522         127.0.0.1:43958        ESTABLISHED     4864
  TCP    127.0.0.1:4940         127.0.0.1:4941         ESTABLISHED     5136
  TCP    127.0.0.1:4941         127.0.0.1:4940         ESTABLISHED     5136
  TCP    127.0.0.1:43958        127.0.0.1:3522         ESTABLISHED     3708
  TCP    172.17.1.50:3501       66.93.106.226:7446     ESTABLISHED     3372
  TCP    172.17.1.50:4061       172.17.0.7:3389        ESTABLISHED     2732
  TCP    172.17.1.50:4224       4.79.142.202:80        ESTABLISHED     232

The first column identifies the protocol: TCP, UDP, ...

The next two columns identify the addresses (or host names) and ports of the connection endpoints. Microsoft chooses to label these Local Address and Foreign Address, respectively. The next column displays the (TCP) connection state (LISTEN, ESTABLISHED, etc.; see MSKB 137984 for complete details). The final column, PID, is the process identifier for the executable. Processes are the programs executing in your PC's RAM and consuming CPU. All applications and Windows services, and many forms of spyware, run as processes. Spyware programs are basically processes you didn't choose to install.

netstat -b goes a step further than -o and identifies the executable program (and program components) that created each connection, printing its name in square brackets on the line following the connection; for example,

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    spike:1025             localhost:1026         ESTABLISHED     1992
  [controld.exe]
  TCP    spike:1026             localhost:1025         ESTABLISHED     1992
  [controld.exe]
  TCP    spike:1340             localhost:1341         ESTABLISHED     5000
  [thunderbird.exe]
  TCP    spike:1341             localhost:1340         ESTABLISHED     5000
  [thunderbird.exe]
  TCP    spike:3522             localhost:43958        ESTABLISHED     4864
  [ServUAdmin.exe]
  TCP    spike:4940             localhost:4941         ESTABLISHED     5136
  [firefox.exe]
  TCP    spike:4941             localhost:4940         ESTABLISHED     5136
  [firefox.exe]
  TCP    spike:43958            localhost:3522         ESTABLISHED     3708
  [ServUDaemon.exe]
  TCP    spike:3501             dsl093-106-226.wdc2.dsl.speakeasy.net:7446  ESTABLISHED  3372
  [Shinkuro.exe]
  TCP    spike:4061             hhi.corecom.com:3389   ESTABLISHED     2732
  [mstsc.exe]
  TCP    spike:4170             bf-in-f99.google.com:http  ESTABLISHED  5136
  [firefox.exe]
  TCP    spike:4196             209.221.47.167:http    ESTABLISHED     5136
  [firefox.exe]
  TCP    spike:4198             209.221.47.167:http    ESTABLISHED     5136
  [firefox.exe]
  TCP    spike:4199             209.221.47.167:http    ESTABLISHED     5136
  [firefox.exe]
  TCP    spike:4200             209.221.47.167:http    ESTABLISHED     5136
  [firefox.exe]
  TCP    spike:4201             209.221.47.167:http    ESTABLISHED     5136
  [firefox.exe]
  TCP    spike:4207             209.221.47.167:http    ESTABLISHED     5136
  [firefox.exe]
  TCP    spike:4208             209.221.47.167:http    ESTABLISHED     5136
  [firefox.exe]
  TCP    spike:4226             209.221.47.167:http    ESTABLISHED     5136
  [firefox.exe]
  TCP    spike:4227             209.221.47.167:http    ESTABLISHED     5136
  [firefox.exe]
  TCP    spike:4228             209.221.47.168:http    ESTABLISHED     5136
  [firefox.exe]
  TCP    spike:4232             c17-b2b-itp-tags-lb.cnet.com:http  ESTABLISHED  232
  [GoogleDesktopIndex.exe]
  TCP    spike:10110            localhost:4241         TIME_WAIT       0
  TCP    spike:4234             c17-b2b-xw-lb.cnet.com:http  TIME_WAIT  0
  TCP    spike:4235             c18-btg-xw-lb.cnet.com:http  TIME_WAIT  0
  TCP    spike:4236             c18-news-xw-lb.cnet.com:http  TIME_WAIT  0
  TCP    spike:4237             c18-btg-xw-lb.cnet.com:http  TIME_WAIT  0
  TCP    spike:4238             c18-dw-xw-lb.cnet.com:http  TIME_WAIT  0
  TCP    spike:4240             c18-dw-xw-lb.cnet.com:http  TIME_WAIT  0
  TCP    spike:4242             mail.hargray.com:pop3  TIME_WAIT       0

Note that in this example, I did not use the -n option, so netstat attempted to resolve the domain names for local and foreign addresses. All the information available via the -o option is present, but an additional output line identifies the name of the executable or executable component. Many of the processes in my example output are familiar applications. How do you distinguish a useful process from spyware? As I mention in my article, Identifying Spyware Processes on a Windows PC, many web sites provide lists and descriptions of legitimate and undesirable Windows processes.
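As an added example (not code from the original post), here is a small Python parser for the netstat -b layout shown above: it joins each connection line with the [executable] line that follows it, then lists the non-loopback connections whose owner is not on an operator-supplied allowlist of recognised executables, or whose owner netstat could not name. The sample text and the allowlist are constructed for illustration from the output above; the function names are my own.

```python
import re

# Constructed sample in the layout of "netstat -b" shown above: a connection
# line, then (when the owner is known) the executable in square brackets.
SAMPLE_NETSTAT_B = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    spike:1340             localhost:1341         ESTABLISHED     5000
  [thunderbird.exe]
  TCP    spike:4061             hhi.corecom.com:3389   ESTABLISHED     2732
  [mstsc.exe]
  TCP    spike:4196             209.221.47.167:http    ESTABLISHED     5136
  [firefox.exe]
  TCP    spike:4232             c17-b2b-itp-tags-lb.cnet.com:http ESTABLISHED 232
  [GoogleDesktopIndex.exe]
  TCP    spike:4242             mail.hargray.com:pop3  TIME_WAIT       0
"""

# The State column is optional because UDP lines have none.
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
EXE_RE = re.compile(r"^\s*\[(.+)\]\s*$")


def parse_netstat_b(text):
    """One dict per connection; the [executable] line that follows a
    connection line is attached to it, otherwise "exe" stays None."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            conns.append({"proto": proto, "local": local, "foreign": foreign,
                          "state": state, "pid": int(pid), "exe": None})
            continue
        m = EXE_RE.match(line)
        if m and conns and conns[-1]["exe"] is None:
            conns[-1]["exe"] = m.group(1)
    return conns


def is_loopback(endpoint):
    host = endpoint.rsplit(":", 1)[0]
    return host == "localhost" or host.startswith("127.")


def review_outbound(conns, known_exes):
    """Connections to a non-loopback peer whose owner is not on the allowlist,
    or whose owner netstat could not name (e.g. PID 0 TIME_WAIT entries).
    These are the entries worth looking up on a process-description site."""
    return [c for c in conns
            if not is_loopback(c["foreign"]) and c["exe"] not in known_exes]
```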

I should have mentioned these uses of netstat in my article. They are not as information rich as some of the process hunting software I mention in my article, but they "come with" MS-DOS and should be available on any machine you may be asked to inspect.

Archived at http://www.securityskeptic.com/arc20070401.htm#BlogID604 by Dave Piscitello