
locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Wed, 22 Aug 2007 00:00:00 00, 644
Network analysis -- Enhancing security assessments

You don't have to invest in expensive automated tools to perform network security assessments. In this searchSecurity.com Tech Tip, I explain how you can use data from freely available tools to produce a comprehensive view of network security. This tip is part of the Advanced Network Workshops: Integrating Networking and Security series, available at searchNetworking.com.

Archived at http://www.securityskeptic.com/arc20070801.htm#BlogID644 by Dave Piscitello  


Tue, 21 Aug 2007 00:00:00 00, 643
The future of embedded network security

The line between networking and security products grows fainter each Moore's cycle, and it seems there is no end in sight. In this searchSecurity podcast, I discuss what to expect in the next 12 to 18 months and how IT professionals specializing in networking or security should prepare themselves to integrate and manage embedded network security devices.

Audio/MP3.

This podcast is also part of the Advanced Network Workshops: Integrating Networking and Security series, available at searchNetworking.com.

Archived at http://www.securityskeptic.com/arc20070801.htm#BlogID643 by Dave Piscitello  


Fri, 17 Aug 2007 00:00:00 00, 641
How to change the network time poll interval on Windows PCs

You can use the Date and Time control panels on Windows XP and Vista PCs to synchronize time with public NTP servers, which will give you a more accurate time than you'll get off your PC's local clock. It's simple. Open the Date and Time Properties control panel, choose the Internet Time tab, check "Automatically synchronize with an Internet Time server," and choose a server from the Server pulldown menu. By default, Windows will update your time on a weekly basis thereafter.

On some PCs you want to be fastidious about time. It's particularly important, for example, to have time synchronized among systems where you are centrally collecting and analyzing event logs. In such cases, a week-long interval between NTP updates may be too long. Unfortunately, the Date and Time control panel doesn't allow you to change the poll interval. You'll have to edit the Registry (I have to think that somewhere in Microsoft there are developers who are under a Registry compulsion spell that compels them to obfuscate OS configuration).

Open your favorite Registry Editor. If you've never done this before, read MSKB 322756. Navigate to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\

and change the value of the DWORD SpecialPollInterval to the number of seconds (another indication of a compulsion spell at work) you wish to set as your interval. Simple math: an hour is 3600 seconds, a day 86,400 seconds, and a week is 604,800 seconds. If you want to synchronize on a monthly or longer basis, do the multiplication yourself. On second thought, don't do the math. If you really care that little about time, set it manually.
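The same change done from an elevated PowerShell prompt, as an added example that is not part of the original post. The registry key and value name are the ones given above; the 60-second floor, the restart of the time service and the check of the NtpServer ",0x1" flag (Windows honours SpecialPollInterval only when that flag is set on the server entry) are my additions.

```powershell
# Added example, not from the original post: set the NTP client poll
# interval in seconds and restart w32time so the new value is read.
param(
    [Parameter(Mandatory = $true)]
    [int]$Seconds
)

$clientKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient'
$paramKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

# Guard against hammering a public time server: refuse sub-minute intervals.
if ($Seconds -lt 60) {
    throw "Interval $Seconds is below 60 seconds; refusing to poll that often."
}

$before = (Get-ItemProperty -Path $clientKey -Name SpecialPollInterval).SpecialPollInterval
Write-Host "Current SpecialPollInterval: $before seconds"

# SpecialPollInterval is a REG_DWORD holding seconds.
Set-ItemProperty -Path $clientKey -Name SpecialPollInterval -Value $Seconds -Type DWord

# Windows behaviour (my caveat, not from the post): the special interval is
# used only for server entries whose flags have bit 0x1 set, e.g.
# "time.windows.com,0x1". Warn about entries that lack the flag.
$server  = (Get-ItemProperty -Path $paramKey -Name NtpServer).NtpServer
$missing = @($server -split '\s+' | Where-Object {
    $parts = $_ -split ','
    $parts.Length -lt 2 -or -not ([int]$parts[1] -band 1)
})
if ($missing.Count -gt 0) {
    Write-Warning "NtpServer entries without the ,0x1 flag ignore SpecialPollInterval: $($missing -join ' ')"
}

# The service reads its configuration at startup; restart it and force an
# immediate resync so a bad server name shows up now rather than next week.
Restart-Service -Name w32time
w32tm /resync

$after = (Get-ItemProperty -Path $clientKey -Name SpecialPollInterval).SpecialPollInterval
Write-Host "New SpecialPollInterval: $after seconds"
```

Save it as, say, Set-NtpPoll.ps1 and run `.\Set-NtpPoll.ps1 -Seconds 3600` for hourly synchronization.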

Archived at http://www.securityskeptic.com/arc20070801.htm#BlogID641 by Dave Piscitello  


Thu, 16 Aug 2007 00:00:00 00, 640
Two-factor authentication gaining traction?

Last month, I wrote about the eBay/Paypal adoption of two-factor authentication (BlogID #633). Today, I received an email from E*TRADE promoting enhanced security, the E*TRADE Complete Digital Security ID. E*TRADE will provide the RSA token free of charge for customers who maintain a balance of $50,000 in combined accounts, or who make 30+ transactions per month. If you have a more modest account and are not a power trader, the token will cost you $25.

This is encouraging news. I now have two online accounts with considerably better authentication than the dozens of other e-merchant and e-financial accounts I use. I also have two security tokens. If I do a quick tally of the remaining accounts I'd like to protect using two-factor authentication, I'll have a dozen tokens. My family would have two dozen.

I suspect that current and conventional wisdom of "what is a suitable form factor for a security token?" is about to change.

In all likelihood, the form factor will change (repeatedly) before we see a broad adoption of an authentication infrastructure that would allow individuals to use a common token for all their accounts.

And, no, I would not prefer a software token...

Archived at http://www.securityskeptic.com/arc20070801.htm#BlogID640 by Dave Piscitello  


Wed, 15 Aug 2007 00:00:00 00, 639
Schneier analysis of e-voting machines

Bruce Schneier's 15 August 2007 issue of Cryptogram offers a very good summary and analysis of the problems plaguing electronic voting machines. This is good reading! To encourage you to read the column, here are a few telling comments:

"Serious flaws were discovered in all machines and, as a result, the machines were all decertified for use in California elections."

"The fact that major security vulnerabilities were found in all machines is a testament to how poorly they were designed"

and the real kicker...

"California Secretary of State Debra Bowen has conditionally recertified the machines for use, as long as the makers fix the discovered vulnerabilities and adhere to a lengthy list of security requirements designed to limit future security breaches and failures."

Bruce does a nice job debunking the propositions that "If there are no known vulnerabilities, the system must be secure." and "If there is a vulnerability, then once it's fixed, the system is again secure." Nicely done.

Archived at http://www.securityskeptic.com/arc20070801.htm#BlogID639 by Dave Piscitello  


Sat, 11 Aug 2007 00:00:00 00, 638
Are Domain Names the fruit of the sea?

On a bus to boot camp, Forrest Gump meets Bubba. Along the route, Bubba reveals his admiration for low country shrimp,

"Anyway, like I was sayin', shrimp is the fruit of the sea. You can barbecue it, boil it, broil it, bake it, sautee it. Dey's uh, shrimp-kabobs, shrimp creole, shrimp gumbo. Pan fried, deep fried, stir-fried. There's pineapple shrimp, lemon shrimp, coconut shrimp, pepper shrimp, shrimp soup, shrimp stew, shrimp salad, shrimp and potatoes, shrimp burger, shrimp sandwich. That- that's about it."

Along the route to an ICANN meeting, you might overhear any of several conversations that would lead you to conclude that domain names are the fruit of the sea we call the Internet.

"You can taste it, kite it, monetize it, and roll it. Dey's uh, domain hijacking, sniping, domain warehousing, domain cybersquatting and domain typoh-squatting. You can register 'em, auction 'em, put 'em in a portfolio or park 'em. That- that's about it."

Some of these - parking, warehousing, auctioning, and monetization - are (annoying but) acceptable uses. Others are controversial but at this time still acceptable uses of domain names. Take tasting. Folks might argue that test-driving a domain name to see if it's a candidate for monetization is an unanticipated consequence of a 5-day Add Grace Period (AGP) policy that was (ironically) introduced to prevent a different type of unfair domaining practice. On the other hand, some argue that tasting, like secondary marketing, is an inevitable outcome of a domain market economy. Maybe tasting, like imitation crab, is a fruit of the sea that folks deride in public but turn a blind eye to when they serve it at parties?

ICANN discourages certain abuses of domain names such as sniping and hijacking and has a Redemption Grace Period and a dispute resolution process to assist registrants when a sniper attempts to scoop up a domain name that was unintentionally allowed to lapse or when some basty nastard up and steals a name. Some (cybersquatting and typosquatting) violate intellectual property and other rights and are illegal in various jurisdictions.

Domain name rolling is something worth rolling on the floor laughing over. Rolling is an attempt to keep a name without paying for it, by releasing it before the AGP expires and quickly registering it again. Smells fishy, but our premise is that domain names are the fruit of the sea, right? All this effort to save a paltry registration fee?

Stupid is as stupid does.

Archived at http://www.securityskeptic.com/arc20070801.htm#BlogID638 by Dave Piscitello  


Thu, 09 Aug 2007 00:00:00 00, 637
Pwnie Awards

I meant to write about the Pwnie Awards *before* they were awarded but real work interfered with blogging.

The Pwnie Awards celebrate the achievements and failures of the security community. My favorite awards this year are:

  • Most Overhyped Bug, to the MacBook 3rd party wireless driver vulnerability. I love Apple Computer, but this incident could easily have earned them the

  • Lamest Vendor Response Award. Amusingly enough, this award went to the OpenBSD team, who wouldn't admit that a reported bug was indeed a bug. Core Security had to demonstrate how an IPV6 packet processing vulnerability could be remotely exploited before the folks at OpenBSD took a serious look at the problem.

I don't want to steal the Pwnie Award's thunder so visit the page and enjoy reading the rest of the awards. I only wish they'd come up with more awards categories. If we have enough embarrassing code in the wild to devote entire months to Apple, ActiveX, PHP and perhaps MySpace bugs, surely we can concoct additional categories.

Archived at http://www.securityskeptic.com/arc20070801.htm#BlogID637 by Dave Piscitello  


Wed, 01 Aug 2007 00:00:00 00, 636
Diverting attention away from root causes

Calling to re-book air travel, I'm put on hold. While waiting, the airline plays music so my attention is diverted from the fact that I must wait for an available agent. The airline then promotes its *new look*, which includes a refreshing new set of cocktails and more in-flight entertainment. These amenities seek to divert my attention from the fact that even at 5' 9" my knees touch the back of the seat in front of me, the quality of the air I breathe is questionable, there's roughly a one in five probability of a delay (according to the Bureau of Transportation Statistics, 18.56% of this airline's flights experienced delays from Jan-May 2007), and the flight attendants are likely to be surly (anecdotal evidence, BTS has no statistics on this metric).

Archived at http://www.securityskeptic.com/arc20070801.htm#BlogID636 by Dave Piscitello