
locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Wed, 26 Mar 2008 00:00:00 00, 681
More than a matter of multiplying by Pi

My friend and colleague David Strom's Web Informant (26 March 2008) is entitled Multiply by Pi. David talks about meeting an IT manager who uses a Rule of π for estimating project durations, i.e., "anytime a consultant or an employee gives you an estimate of what something costs or how long it will take to complete, multiply the estimate by π" which David identifies as "a geometric constant of 3.14159".

My first reaction was to reply to David and tease him about his definition of Pi. My geometry teacher insisted that Pi is always an infinite decimal but only a constant in Euclidean geometry. (Look it up)

I'm amused by this definition. I can easily imagine most IT projects taking three times as long as predicted. And I began thinking of other analogues that apply to IT project estimation.

Many factors play into IT project planning. Another analogue that applies to IT project estimation is A Perfect Storm, which I'll describe as three events that occur together and prove to be extraordinarily more powerful, dangerous and possibly destructive by their coincidence than the obvious factor of three would suggest had they occurred independently. In many IT projects, the three events are:

  1. Infrastructure change. Here, the introduction of new technology and software introduces a Perfect Storm of its own:

    • IT and others assess and revise security and other policies as issues associated with this introduction are revealed
    • IT experiences a learning curve while it becomes familiar with new management tools, and
    • IT wrestles with problems that arise from topology changes as well as problems that interoperability and compatibility testing reveal.

  2. Configuration change. Here, another Perfect Storm gathers, as IT configures new and old systems and network equipment in a new topology to

    • take maximum advantage of the new technology and software,
    • mitigate or reduce threats exposed during the vulnerability assessments once the new topology is operational, and
    • fine tune the network to meet performance criteria.

  3. User change. Yes, a third storm within the storm gathers: users must be informed of the change, the effects the changes have on user interfaces and the effects the changes have on user behavior (interactions with users, systems and the network).

IT is constantly called upon to manage projects that have complex problem sets. Some problems in the set are revealed early on, while others are revealed later, and as security practitioners are too well aware, some don't become evident until they are exploited. Is it any wonder why estimating IT project lifetimes is more than a simple matter of multiplying by Pi?

Archived at http://www.securityskeptic.com/arc20080301.htm#BlogID681 by Dave Piscitello  


Fri, 11 May 2007 00:00:00 00, 614
Comparing networking to plumbing

In an opening keynote for a seminar series - The Pros and Cons of Integrating Security into Your Networks - my colleague and friend Joel Snyder compares the task of designing networks to designing a plumbing system for a home or office. As I listened to Joel speak, I realized the analogy is very effective in illustrating just how challenging both tasks can be when users, usage, and measures to prevent abuse exceed the original design objectives.

As security and network architects, we are expected to maintain a plumbing system that is highly available and performs well. Problems arise when we cannot or fail to anticipate future capacity and do not properly assess risks. Both networking and plumbing systems that we design to support 100 users can unexpectedly be called upon to accommodate several hundred users. Consider the collateral impact in the case of plumbing. An expansion of this scale not only affects current plumbing but other systems in a building as well, possibly extending to structural, electrical, alarm and HVAC systems. The same is often true for networking and is especially true in the case of power and HVAC.

Plumbing and networking maintenance must consider the problems associated with poorly configured systems. Hot water heaters left set to certain manufacturers' defaults can cause severe burns on young children, as can hot water pipes connected to cold water handles on faucets. Failure to properly ventilate toilets has both unpleasant and potentially hazardous consequences.

Both networking and plumbing also must contend with abuse. Network and security admins must provide detection and countermeasures for denial of service attacks, and so must plumbers. DoS threats to plumbing systems include overzealous users of toilet paper, toddlers who fill tubs until they overflow, and teens who block faucets with gum and drop M-80s into commodes. Networking plumbers must worry about information leaks. Plumbers worry about leaks, both ingress and egress :-)

We could extend the analogue considerably beyond these few comparisons. It's a useful one, so *use* it.

Archived at http://www.securityskeptic.com/arc20070501.htm#BlogID614 by Dave Piscitello  


Sun, 30 Apr 2006 00:00:00 00, 522
A quiet blog month...

My apologies for not publishing as often as I usually do. I've been recovering from traveling, traveling once again to teach Network Security, and busy on the home front.

My wife and I have been working sporadically for nearly three months on a painted kitchen floor that we hope even Debbie Travis would be proud to claim as her own. We remodeled our kitchen recently, and having exceeded our original budget by a factor of three (3), we decided we could not justify an entirely new floor. The floor was wood veneer and after 15 years of wear, not suited for a refinishing other than paint.

We opted to hand sand the floor to minimize the dust. Nearly everyone thought we were crazy, but this turned out to be rather simple since nearly all the water-based polyurethane had already been stripped from the floor through wear. We had to do some patching since the cabinetry and island layouts were different in the new kitchen. We then applied two coats of latex primer and the Delft-blue base color (again two coats).

It took us nearly an entire weekend to lay out the diagonal checkerboard design. We used chalk-line and painter's tape (rolls and rolls of it). Molly mixed glaze and a darker blue for the second color and painted the 18-inch blocks. I followed her and did touch up.

This weekend, I finally completed the last coats (4) of sealing polyurethane. Paint and hardware stores carry a polyurethane applicator designed specifically for flooring, and it works extremely well. The hardest part of this process is the preparation between each coat: fine sand the finish, dry sponge the dust, and go over the entire surface when dry with a tack cloth. The last step is important and commonly not mentioned by do-it-yourselfers. The entire process, with ample time for drying, took two full days.

We began with a distressed floor and wanted a distressed look, with wood grain, separation lines, and (intentionally) uneven paint. We also wanted a tightly sealed floor that will hold up to typical kitchen and pet traffic. And we wanted to conceal the two unsightly patches. The result is exactly what we'd hoped for.

I now appreciate why painted floors can be more expensive than hardwood replacement flooring, especially if the customer and design are intolerant of the least imperfections :-)

I'll post pictures once we have the furniture in place.

Archived at http://www.securityskeptic.com/arc20060401.htm#BlogID522 by Dave Piscitello  


Mon, 17 Oct 2005 00:00:00 00, 470
New millennium technology - old century bandwidth

Many places I visit remain WiFi challenged. Recently, while at San Jose airport, I needed to send an email and attachment to a colleague. No wireless service was available. With nothing to lose but time and battery, I experimented with a lighter shade of wireless: my Bluetooth enabled T-Mobile cell phone and an iPass dialup account.

Using the built-in Bluetooth personal area network adapter, I "paired" laptop with my cellular phone, started my iPass client, chose a local number and dialed. After the obligatory modem negotiation, I established a 9600 bps analog connection.

At this baud rate, email works fine (email worked fine at 300 bps in the eighties, and probably works fine at less). When I closed my connection and boarded the plane, I paused a moment to recall the last time I actually relied on 9600 bps: 1988. I had a dialup connection to WorldLink, a service run by Internet provider PSI. I had a Hayes compatible modem, and telnet, ftp, pop and smtp were my killer apps. I think I paid $19.95 per month but it may have been $29.95.

Today, while at one of the several Starbuck's in my neck of the woods that doesn't have WiFi, I again use Bluetooth modem facilitated dialup. This time I needed some information from the Web. It wasn't DREADFUL.

When I purchased my first cup of coffee, I asked the folks in Starbuck's if they knew when T-Mobile might install WiFi and they said they weren't certain but they didn't think it would happen any time soon. So when I booted my laptop, I disabled my WiFi adapter and turned on Bluetooth to extend battery life. As I wrapped up my session, I disabled Bluetooth and enabled WiFi. Windows Zero Configuration immediately notified me that wireless networks were available. Curious, I found a secured WLAN (yes, some small businesses are actually using encryption!) and an open network. Thinking that the Starbuck's staff was mistaken, I connected and was directed via a Colubris AP to a secure login page for public WiFi access.

The irony? The service wasn't T-Mobile, but wireless broadband offered by Hargray Communications, the independent LEC that serves the Low Country SC area.

Archived at http://www.securityskeptic.com/arc20051001.htm#BlogID470 by Dave Piscitello  


Thu, 15 Sep 2005 00:00:00 00, 455
The "Temporary" workaround

My DSL service is restored.

Six months ago, I investigated an apparent PPPoE interoperability problem between my ISP's router and new firmware release for my firewall. My ISP's IT folks suggested I specify a static IP rather than accept a dynamic IP assignment so that they could see if we could "force" the addition of a frame route to my /28 subnet following PPP negotiation. This unusual configuration worked, and we left the workaround in place in anticipation of a patch from the ISP's router vendor.

Two nights ago, my network dropped off the Internet. Upon investigation, and after the obligatory "forced march" through several levels of customer and technical support, I learned that my ISP had moved my access line to a new switch. The switch, of a different manufacturer, wouldn't complete PPPoE negotiations with the workaround configuration I'd applied to my Firebox.

The Lesson: I lost two days of service because I failed to document a temporary configuration change. That change not only became "permanent", but an eventual liability.

The good (?) news is that while testing the configuration with the "router guys" at Hargray, one of the techs noticed that my bandwidth was only 768 and that I was subscribed to 2 Mbps, so he corrected this as well.

I don't want to think about how long I've been operating at a third of the bandwidth I was entitled to... but if I were to guess, I'd say, "six months?"

Archived at http://www.securityskeptic.com/arc20050901.htm#BlogID455 by Dave Piscitello  


Wed, 18 May 2005 00:00:00 00, 407
NO-IP

I occasionally visit a site and service that performs a reverse DNS lookup as a loose security and auditing measure. The theory is that one should always be able to obtain the domain name corresponding to the IP address of a "legitimately" configured host, even those that are assigned dynamic IP addresses. By insisting on strict reverse DNS configuration, some site operators feel they have an added measure of security against bad actors.

I'm not certain I would sleep any better if I did this for my sites, but this apparently keeps someone happy, or busy.

All my hosts are protected by a firewall that doesn't have a domain name and so my visits to sites so protected are short-lived, and often exasperating. I don't really *want* a domain name for my firewall, but to avoid the occasional "service denied", I decided to do as my partner Lisa suggested and bind a meaningless name to my firewall's IP address using NO-IP's free managed DNS service.

I assigned a name out of the "bounceme.net" domain.

I really wanted "keepyourmittsoffmy.damnedserver.com" but use of that very clever domain name requires an enhanced (for fee) subscription at NO-IP. Of course, $12.95 for a lifetime use of this vanity name isn't really prohibitive, so I might just change the assignment.
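To show what the reverse DNS gate described above actually decides, here is an added example (mine, not the site's or NO-IP's code) that uses a constructed lookup table in place of a live resolver: the loose "any PTR will do" policy the post describes sits beside the forward-confirmed variant a practitioner would prefer. The hostnames and the RFC 5737 documentation addresses are constructed.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# Constructed zone data standing in for a live resolver (hypothetical names,
# RFC 5737 documentation addresses). To run against real DNS, replace the two
# lookup functions with socket.gethostbyaddr() / socket.gethostbyname_ex().
PTR_RECORDS: Dict[str, str] = {
    "192.0.2.10": "host-10.example.net",     # PTR with a matching A record
    "192.0.2.11": "mail.example.org",        # PTR exists, but A points elsewhere
    # 192.0.2.12 deliberately has no PTR: a firewall with no domain name
}
A_RECORDS: Dict[str, List[str]] = {
    "host-10.example.net": ["192.0.2.10"],
    "mail.example.org": ["198.51.100.25"],
}


def lookup_ptr(ip: str) -> Optional[str]:
    """Reverse lookup: address -> name, or None when no PTR exists."""
    return PTR_RECORDS.get(ip)


def lookup_a(name: str) -> List[str]:
    """Forward lookup: name -> addresses (empty list when the name is unknown)."""
    return A_RECORDS.get(name, [])


def classify_client(ip: str,
                    ptr: Callable[[str], Optional[str]] = lookup_ptr,
                    fwd: Callable[[str], List[str]] = lookup_a) -> str:
    """Return 'no-ptr', 'unconfirmed' or 'confirmed' for a client address.

    'confirmed' is forward-confirmed reverse DNS: the PTR name resolves back
    to the same address, so whoever controls the name also owns the PTR.
    """
    ipaddress.ip_address(ip)            # reject malformed input early
    name = ptr(ip)
    if name is None:
        return "no-ptr"
    if ip in fwd(name):
        return "confirmed"
    return "unconfirmed"


def admit(ip: str, policy: str = "ptr-required") -> bool:
    """Access decision under two policies.

    'ptr-required'      : the loose check the post describes; any PTR name
                          will do, however meaningless.
    'forward-confirmed' : the PTR name must also resolve back to the address,
                          so a PTR pointing at someone else's name is rejected.
    """
    state = classify_client(ip)
    if policy == "ptr-required":
        return state != "no-ptr"
    if policy == "forward-confirmed":
        return state == "confirmed"
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    for addr in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
        print(addr, classify_client(addr),
              "ptr-required:", admit(addr),
              "forward-confirmed:", admit(addr, "forward-confirmed"))
```

The loose policy still admits 192.0.2.11, whose PTR names a host it does not control; only the forward-confirmed policy catches that case.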

Archived at http://www.securityskeptic.com/arc20050501.htm#BlogID407 by Dave Piscitello  


Tue, 23 Nov 2004 00:00:00 00, 327
Something you know, something you are, something you wear?

Multifactor authentication - combining passwords and PINs with biometrics and tokens (something you have) - can dramatically improve your risk profile. Organizations still find numerous reasons to delay or reject most two-factor authentication methods. User adoption, cost per client, and lost token replacement costs are common concerns.

Perhaps we need to re-think the token form factor. For years, we have tried to make tokens small and unobtrusive. Keyfobs, for example, are small and convenient, as are credit card time tokens. Obviously, they are not convenient enough. For many users, tokens are one more object to deal with and for IT admins, they are one more object users will lose.

Why not leverage society's ageless attachment to jewelry and marry tokens with bling-bling? Suppose we combine PINs and passwords with something we *wear*? Why can't we marry proximity-sensing and two-factor authentication technology and incorporate these into rings, earrings, and lapel pins? If these are not manly enough, integrate proximity technology with a watch or ID bracelet. Any jewelry item will do, so long as it invites users to wear it daily, and value it highly enough that they won't lose it. 18K gold rings may sound like an expensive outlay, until you factor in the near-zero replacement costs and reduced account administration :-)

Silly? Perhaps. But "something you wear" really isn't that far-fetched. Many organizations require badges. Users historically do a better job of protecting the company IDs than tokens. If you don't want to go the jewelry route, is it so wrong to consider the integrated ID?

Archived at http://www.securityskeptic.com/arc20041101.htm#BlogID327 by Dave Piscitello  


Wed, 14 Jul 2004 00:00:00 00, 285
The only unbreakable record(s) in baseball

Nearly every career statistic in baseball can be broken, but if you look carefully at the statistics, the only unbreakable record(s) in baseball are career stolen bases and career wins.

Rickey Henderson, still active, has 1406 career stolen bases. No active player in baseball has even half. Even if the nearest contenders - Kenny Lofton (age 37), Barry Bonds (age 40), and Roberto Alomar (age 36) - were to steal 90 bases a year for another decade, they can't catch up. None of the younger players have much hope of catching Rickey because baseball is all about the long ball. The glory days of base running are gone, and 50 years from now, fans will probably question the legitimacy of Henderson's record because the numbers will seem unimaginable.

If you don't believe me, go to a sports bar and mention Cy Young's 511 wins. You'll hear, "different era, baseball was different, he wouldn't have achieved 300 wins in modern times". No matter, the record will stand forever. Only a handful of the greatest pitchers of the late 20th century and new millennium will or can achieve 300 victories. Roger Clemens is a mere 191 wins from catching Cy. Again, baseball has indeed changed. It's almost mathematically impossible for any pitcher to get enough starts, much less wins, in a 15-20 year career: assume an unrealistic career winning percentage of .667 and an equally unrealistic 40 starts per year, and a pitcher must still win an extraordinary 27 games per year to pass Cy Young in his 18th season. Not likely, huh...

But imagine the salary George Steinbrenner would pay for an arm like this.

Archived at http://www.securityskeptic.com/arc20040701.htm#BlogID285 by Dave Piscitello  


Thu, 22 Apr 2004 00:00:00 00, 234
Oh what tangled webs we weave when we try to create an RSS Feed

Deciding it was past time I created an RSS feed for my weblog, I contemplated my options. Blog doesn't support RSS (directly). I don't write scripts. I didn't want to create the XML manually.

Googling, I found several sites that claimed to generate and periodically update RSS for any blog site. First, I tried RSSify. The Voidstar.com and Wytheville Community College support sites for RSSify seemed to be forgotten - you could almost smell the cobwebs among the pages. I did download the RSSify .php and thought, "if there's no alternative, I'll just run this here". A quick look at CERT's fairly long list of php vulnerabilities convinced me that running this scripting language on my public server was a bad idea.

Next, I visited the user forum for Blog, and asked how folks supported RSS. One user mentioned Blogstreet.com. I tried this, and while the site is well maintained, I could not get the input form to accept my URL - perhaps weblogindex.htm is too long, but the site insisted that my URL was http://www.securityskeptic.com/weblog/ and that my XML file be placed in the non-existent weblog/ directory. Not caring to waste more time, I abandoned Blogstreet.

Exhausting alternatives quickly, I asked Fred Avolio to send me the RSS XML file Blossom auto-generates for his blog. Yes, I actually considered hacking an existing file, and yes, this worked. I'd resigned myself to manual labor, but I returned to the Blog user forum, only to discover that another user had posted a template and process whereby Blog could be tricked (coerced?) into generating XML from blog titles and summaries. Works nicely, so long as I don't use HTML in the first 120 characters of the blog entry, which constitute the summary. I'll have to modify my style sheet, but that's a small price to pay.

I've abbreviated this tale, and I'll admit I'm omitting several bone-headed errors. I'll admit to one before I sign off: I had everything working, but had elected to use the .rss file extension rather than .xml. After several attempts to open this file, I checked my weblogs, and saw that the file was never being returned when requested. I'd forgotten that I'd set URLscan to block all but a short list of file types, and .rss wasn't on the list. .xml was. Problem solved, and I'm slowly rinsing egg off my face.

Archived at http://www.securityskeptic.com/arc20040401.htm#BlogID234 by Dave Piscitello  


Sat, 28 Feb 2004 00:00:00 00, 209
Death of Passwords

News.com reports that Bill Gates predicts death of the password at the RSA Conference. What will replace it? Two-factor systems. This is newsworthy? Perhaps not, but after all, this was RSA's conference. Can't imagine why anyone would talk about two-factor authentication there...

Blame Bill's PR folks, or lame reporting, but after reading the news piece, I was left with the impression that the whole press conference had been Dilbert-ized...

G: We're going to see the death of passwords...

<>: Tell us more...

G: Everyone will have a token!

<>: So I use a token instead of a password?

G: Yeah! And to make it even more secure, you'll use a second *factor*, a Personal Identification Number

<>: Oh... a token and a PIN?

G: Yeah, that's right!

<>: How do you use this PIN?

G: That's the really kewl part. It can be a number or even letters and numbers and *special characters*

<>: Like a password?

G: Yeah... Well, NO, it's a PIN, you see, and it can be a number or even letters and numbers and *special characters*, and you could call it a password but that wouldn't be exactly correct because I'm predicting the demise - death if you choose - of passwords at this press conference, today...

<>: How is the PIN different from a password? Isn't it still something you know?

G: You don't understand... passwords are dead. It's a PIN. It can be a number or even letters and numbers and *special characters*...

<>: zzzzzzz... huh? Sorry, yes, I think I understand now, oh, look, there's Osama bin Ladin!

Archived at http://www.securityskeptic.com/arc20040201.htm#BlogID209 by Dave Piscitello  


Wed, 31 Dec 2003 00:00:00 00, 185
Core Competence celebrates 10th Anniversary

If you are not a recipient of our company newsletter, Cornerstone, you may not know that November 2003 marked our ten year anniversary of providing consulting services. Considering our size, and the tech industry's roller-coaster ride over this same period, we consider this a significant milestone. We have many companies and individuals to thank for our continued success.

Our first clients -- Nortel, British Telecom, NIST, MCI, AT&T Wireless, OSI, and Cisco Systems -- helped us affirm our credibility and competence. We want to thank all who championed our cause, providing our small and then novice company opportunities to perform services traditionally entrusted to larger firms. Special thanks to Dr. Vint Cerf, Christine Hemrick, Jon Shantz, Steve Morrison, and Morgan Littlewood for providing us with long term work to sustain us through our first 3 years.

We also wish to thank the many publications for whom we've had the pleasure of writing product evaluations and articles, including the succession of owners of Networld+Interop, with whom Dave has worked for nearly two decades. We sincerely appreciate the opportunities presented by new clients and the continuing loyalty of our long-term clients during this past year, especially Expertcity, JupiterMedia, OECD, TechTarget, and WatchGuard.

Along the way, we have had the distinct pleasure of working with and for a remarkable group of people, and most of you are Cornerstone readers. We look forward to continuing our business and personal relationships with you as we begin what we hope to be another exciting and rewarding ten years.

Happy New Year to all,

Dave and Lisa

Core Competence, Inc.

www.corecom.com

Archived at http://www.securityskeptic.com/arc20031201.htm#BlogID185 by Dave Piscitello  


Mon, 08 Dec 2003 00:00:00 00, 179
How hard is it to get a phone without a camera?

True story...

My daughter and I were cleaning out my car and accidentally threw away my cell phone. 10 days later, my wife left her cell phone in a rental car in Philadelphia. OK, we're idiots (parents, actually, but some would say the terms are tautological).

Go online to SprintPCS. *Zero* phones without a camera under $300 (I didn't have the loss insurance of course).

Go to Radio Shack. Again zero.

Go to SprintPCS store 20 miles away, "we have one under $100, but we're all out and aren't getting any more, try Staples".

Go to Staples, buy the LAST TWO LG 1200 flip phones (rather nice, only 3 oz). And they were $99.95.

Perhaps persistence has its rewards. As the woman prints out the receipt, one of the Staples rebate certificates prints with the phones. $100 rebate on the phone and the rebate does not actually say you need to activate NEW service, only that you must keep service for 30 days. So I'll fire away the paperwork and pray for the best.

Archived at http://www.securityskeptic.com/arc20031201.htm#BlogID179 by Dave Piscitello  


Thu, 11 Sep 2003 00:00:00 00, 122
A Blog Worth Visiting

Mitch Kabay spotlighted my blog today in his NETWORK WORLD NEWSLETTER: M. E. KABAY ON SECURITY. His column about my blog is flattering, and I appreciate the attention.

Over 2600 visitors to my blog today...

Archived at http://www.securityskeptic.com/arc20030901.htm#BlogID122 by Dave Piscitello  


Tue, 09 Sep 2003 00:00:00 00, 118
IEEE 802.1w

I receive a Tech Term of the Week from Alcatel. I consider it an acronym sanity check.

This week's Tech Term is 802.1W, Rapid Reconfiguration of the Spanning Tree.

The proximity of the "w" to the alliterative phrase "Rapid Reconfiguration" reminded me of Gilda Radner's hysterical impersonation of Barbara Walters, Baba Wawa, who would report on the term thusly:

IEEE 802.1w: Wapid Weconfiguration of the Spanning Twee

An Ethernet switch is designed to pass network twaffic from one port to another. Typicawee, a switch learns the addresses of the devices connected to it to be able to direct network twaffic from one port to another. However, when twansmissions are first sent, the switch does not know who is on each port. It sends a single message meant for an unknown destination to aw ports (known as flooding). If the phwysical topology of a network contains a woop, a network device that sends out a message to all of its ports may start a chain reaction that can cause an endless wogical woop...
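Stripped of the Baba Wawa delivery, the paragraph above describes MAC learning, flooding of unknown destinations, and the loop that flooding creates. The following is an added Python simulation (mine, not Alcatel's text or any switch vendor's code) of two switches joined by two parallel links: the flooded frame multiplies until a transmission budget runs out, while marking one redundant port as blocking, as a spanning tree would, delivers the frame exactly once. The topology, toy MAC addresses and choice of blocked port are assumptions.

```python
from collections import deque
from typing import Dict, Optional, Tuple

Frame = Tuple[str, str]   # (source MAC, destination MAC); payload omitted


class Host:
    """An end station: it only counts the frames it receives."""
    def __init__(self, name: str, mac: str):
        self.name, self.mac, self.received = name, mac, 0


class Switch:
    """A learning switch: learns source MACs, floods unknown destinations."""
    def __init__(self, name: str):
        self.name = name
        self.links: Dict[int, Tuple[object, int]] = {}   # port -> (peer, peer port)
        self.mac_table: Dict[str, int] = {}              # MAC -> port learned on
        self.blocked: set = set()                         # ports in STP blocking state


def link(a, pa: int, b, pb: int) -> None:
    """Connect port pa of a to port pb of b (either side may be a Host)."""
    if isinstance(a, Switch):
        a.links[pa] = (b, pb)
    if isinstance(b, Switch):
        b.links[pb] = (a, pa)


def simulate(blocked_port: Optional[Tuple[str, int]], max_tx: int = 1000) -> dict:
    """Inject one frame from h1 to the not-yet-learned h2 and run the network.

    blocked_port names one (switch name, port) pair that a spanning tree would
    have put into blocking; None leaves the physical loop live. Returns switch
    transmissions, deliveries to h2, and whether the budget ran out (a storm).
    """
    h1, h2 = Host("h1", "aa:aa"), Host("h2", "bb:bb")          # constructed MACs
    sw_a, sw_b = Switch("A"), Switch("B")
    link(h1, 0, sw_a, 1)
    link(h2, 0, sw_b, 1)
    link(sw_a, 2, sw_b, 2)
    link(sw_a, 3, sw_b, 3)                     # second parallel link = the loop
    switches = {"A": sw_a, "B": sw_b}
    if blocked_port is not None:
        switches[blocked_port[0]].blocked.add(blocked_port[1])

    queue = deque([(sw_a, 1, ("aa:aa", "bb:bb"))])   # frame arrives at A, port 1
    transmissions = 0
    while queue and transmissions < max_tx:
        dev, in_port, frame = queue.popleft()
        if isinstance(dev, Host):
            dev.received += 1
            continue
        if in_port in dev.blocked:
            continue                               # a blocking port discards input
        src, dst = frame
        dev.mac_table[src] = in_port               # learn (or re-learn) the source
        if dst in dev.mac_table:
            out_ports = [dev.mac_table[dst]]       # known destination: one port
        else:
            out_ports = [p for p in dev.links if p != in_port]   # unknown: flood
        for p in out_ports:
            if p in dev.blocked or p == in_port:
                continue                           # never send back out the ingress
            peer, peer_port = dev.links[p]
            queue.append((peer, peer_port, frame))
            transmissions += 1
    return {"transmissions": transmissions, "delivered": h2.received,
            "storm": transmissions >= max_tx}


if __name__ == "__main__":
    print("loop live      :", simulate(None))
    print("B port 3 blocked:", simulate(("B", 3)))
```

With the loop live, switch A also re-learns h1's MAC on the wrong port as copies come back from B, which is the table flapping that accompanies a real broadcast storm.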

Archived at http://www.securityskeptic.com/arc20030901.htm#BlogID118 by Dave Piscitello  


Thu, 22 May 2003 00:00:00 00, 57
Noteworthy if not quote-worthy - but in the absence of punctuation...

The April 14 2003 issue of The New Yorker Magazine concludes with a column, The Back Page, entitled "The Eight Hundred Days: The Quiz".

One of the quiz questions asks the reader to identify whether a quote is from George W. or Donald Rumsfeld - and yes, it is challenging.

The best quote reminds me of a phrase one of my philosophy professors put on a blackboard at the beginning of class:

"that that is is that that is not is not"

and then asked us to add punctuation.

I don't know what the utterance looked like on the notes Donald Rumsfeld's aides drafted, but here's how it aired on TV:

"There are known knowns. These are the things we know. There are known unknowns. These are the things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know."

Imagine if Rumsfeld was of the "ya know" generation:

"Um, ya know, there are known knowns that, ya know, are the things we know, ya know?...

I already have a headache. Do you?

Archived at http://www.securityskeptic.com/arc20030501.htm#BlogID57 by Dave Piscitello  


Thu, 15 May 2003 00:00:00 00, 51
Friends in Switching Places

Sometimes it seems no telco service change order request goes unpunished...

I called my ILEC this morning at 10:00 a.m. to request that they change my DSL/telephone line to residential, unlisted touchtone service from business touchtone.

By 11:45 a.m., my DSL circuit was not functioning. On examination, I was sending packets but not receiving replies. A scan of the log at the firewall that terminates my PPPoE revealed the dreaded "WAN IP address changed" entry.

My WAN IP must be static or the routes to my /28 subnet won't be applied.

A call back to "customer service" confirmed my suspicion that the service order I placed was interpreted as "switch the customer to residential DSL". Since the poor customer service woman didn't know what an IP address was, all she could assure me was that they would return my service to operational status as quickly as possible.

Convinced I was hosed for the day, I began hunting for a dialup modem, when I received a call from one of the engineers I'd met and befriended during the time I was Hargray's first pilot customer on ADSL.

M'good 'buddie Danny Saxon was calling me to ask whether I had really changed service. Turns out he has a tag on my circuit - he gets a notification when anything changes in my configuration or connection status :-)

He apologized and said this would never have happened had he not been at lunch.

Angels are watching over me...thanks Dan!

Archived at http://www.securityskeptic.com/arc20030501.htm#BlogID51 by Dave Piscitello  


Mon, 12 May 2003 00:00:00 00, 46
Web Server Market Leader: Apache or Microsoft IIS?

Like most surveys, the answer you get depends on whom you ask, and how you pose the question.

Netcraft collects and collates hostnames offering HTTP service, polls each one with an HTTP request, and determines sites hosted and server software in this manner. Netcraft shows Apache as the runaway web server software leader, with over 62% of the 40 million web sites, Microsoft IIS at 27%. SecuritySpace, who claims a more stringent polling method, shows Apache at about 65%, Microsoft IIS at 25%.

Port80 Software polls the Fortune 1000 only. The results of their poll show Microsoft at 54%, Netscape at 21% and Apache at 17.6%.

It's not really a question of whose results are accurate, but whom the collectors view as the target or interesting market. It's clear from Netcraft's and SecuritySpace's results that Apache gets a disproportionate numbers boost from web hosting companies, which virtual-host hundreds of sites per server. It's clear that Port80, which sells IIS related software, by focusing on the Fortune 1000, chose a self-serving market, in all likelihood to emphasize the market opportunity (to themselves, their investors, and potential customers, I suppose).

Port80's results do seem to confirm that F1000 organizations go with commercially supported software.

Insert a great, big, "and your point is?" here....

Mention IIS, and security experts and wannabes come out of the woodwork to complain about how insecure it is. Well, folks, if the organizations with the most to invest and the most to lose are using IIS, let's stop telling them it's insecure, with the diminishing hope they'll listen and swap platforms. This is tiresome, and reminds me of the line "you don't spit into the wind" in Jim Croce's "Don't Mess Around with Jim".

A better use of our collective time is to develop practices for securing IIS, sharing them, and impressing upon Microsoft the importance of doing the same.

Archived at http://www.securityskeptic.com/arc20030501.htm#BlogID46 by Dave Piscitello