
locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Thu, 21 Feb 2008 00:00:00 00, 674
The truth is out there...

WebProNews reporter Jason Lee Miller does an admirable job of characterizing the debate over the existence or non-existence of domain name front running in his article, Domain Frontrunning: A Ghost In The Machine. I like this guy. He did his homework to the point of getting the chronology of events as well as the meat of the matter correct. In particular, he homed in on several of the most important statements from the SSAC report on Domain Name Front Running by emphasizing that the SSAC found no evidence of frontrunning in the 120 complaints submitted; SSAC doesn't say that front running doesn't happen, only that SSAC could find no evidence that it did among those 120 complaints. He accurately reported counter-statements by Jon Nevett that domain name front running does exist, that Network Solutions had evidence to prove it, and that confidentiality agreements with clients prevented him from disclosing details. He also obtained some very sharply worded quotes from Jay Daley, author of a Nominet position paper debunking the existence of front running, who challenged Nevett's claims and insisted on seeing the data. Read the article, and expect to read more on this topic here in the future. SSAC didn't find a smoking gun among the 120 claims submitted by Internet users, but as a long-time X-files fan, I'll leave you with, "The truth is out there... somewhere."

Archived at http://www.securityskeptic.com/arc20080201.htm#BlogID674 by Dave Piscitello  


Thu, 31 Jan 2008 00:00:00 00, 668
Internet outage in Egypt

Imagine my amazement when I received a call from a New Jersey Star Ledger reporter asking for an interview regarding the Internet disruption in Egypt. In addition to discussing how businesses should react to disruptions of this sort (calmly; they are rare and recoverable events, largely due to the fact that *survivability* was one of the most important, original design objectives for the Internet), I wandered off topic with staff writer Kelly Heyboer about the role her newspaper played in my high school days. "The Ledger" always had great wrestling coverage for most Bergen County High Schools. Kelly was quick to point out that the wrestling blog the Ledger hosts is one of the most active and popular on their site. Kelly's article is a nice piece, balancing local and global interest, with very little F.U.D. Read it here.

Archived at http://www.securityskeptic.com/arc20080101.htm#BlogID668 by Dave Piscitello  


Wed, 16 May 2007 00:00:00 00, 616
Reduce branch office threats in 10 steps

Broadband local access provides branch offices with more affordable bandwidth today than many organizations' main offices had when they first became Internet-enabled. Bandwidth is not the only resource that's become abundantly available to branch offices. The cost of server hardware has tumbled over the past five years. Remarkably, a platform suitable for Windows 2003 or Linux server costs less than an extreme gaming computer. Many organizations see these as economic windfalls that allow them to host business-critical applications in branch offices. But while advances in telecom and technology create opportunities to enhance business productivity, they expose organizations to new threats.

This Tech Tip explains why branch offices have become green fields of opportunity for attackers, and recommends 10 security measures to reduce many threats. This is part of a series on Securing the Branch Office, available at searchNetworking.com.

Archived at http://www.securityskeptic.com/arc20070501.htm#BlogID616 by Dave Piscitello  


Fri, 19 Jan 2007 00:00:00 00, 584
Changing MAC addresses

A MAC (medium access control) address is a 48-bit unique identifier for a LAN or WLAN adapter. The most common format of a MAC address is the universally administered address, which is composed of an organization identifier (OUI, 24 bits) and a station identifier (24 bits). OUI-composed MAC addresses have long been "hard wired" into adapter cards, but modern operating systems make it possible to change a MAC address.

Many reasons exist to change a MAC address. Some are evil and some good. For example, by changing a MAC address, an attacker can impersonate a "trusted" MAC address to fool intrusion detection systems, evade traffic filters applied to LAN protocol headers, and receive LAN traffic intended for the station legitimately identified by the impersonated MAC address. By impersonating a trusted MAC address, an attacker can also obtain an IP address from a DHCP server that is supposed to be assigned to a different host and this allows the attacker to impersonate not only a host on a LAN but a host in an IP network as well.

Very few users ever encounter situations where they must change a MAC address. Today, I'll offer a scenario where you might, and I'll identify some software you might find helpful.

You register as a guest in a hotel. The hotel offers broadband Ethernet in your room, and wireless Internet service throughout the property. Both services are offered for a fee, by the same provider. You arrive in your room, register and pay for service using your Ethernet adapter. This particular service provider (and many others) uses your MAC address as your customer identity. You work in your room for a while. At 1:30 a.m., you take your laptop to the bar to "work" with others, only to discover that the service provider doesn't recognize you as a customer and wants you to pay another fee. Assume that for this example, the service provider's AUP and the registration page say "unlimited Ethernet *and* wireless service for 24 hours" (typically noon until noon). You explain your circumstance to the front desk, then to the concierge, and eventually, to a help desk operator at a remote NOC who tells you, "there's nothing I can do about this right now but I'll open a ticket and we'll look into it".

If only your WLAN adapter had the same MAC address as your Ethernet adapter, your problem might be solved!

If you have admin privileges on your laptop, you can change your WLAN adapter's MAC address, temporarily - but do remember to change it back! And before you change the address, copy down the MAC address of your Ethernet adapter and disable it. Now, to change the MAC address in Windows XP/2000 and I imagine Vista, you must change the sub key that corresponds to your WLAN adapter under the Registry Key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\

Modifying the Registry is iffy territory for even experienced users, so I recommend that you use one of the following freeware. Technitium MAC Address Changer and KLC Consulting's SMAC are free/shareware MAC address changers with graphical UIs that tell you the existing MAC Address (remember to write this down so you can restore it later), IP configuration, etc. For folks who favor DOS command line utilities, there's Mike Fratto's EtherChange.

If you are a Mac OS X or Linux/BSD type, visit Irongeek.com for a long list of ways to change MAC addresses on these OSs, including how to modify the Windows Registry for those who dare.
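The address structure described at the top of this entry (24-bit OUI plus 24-bit station identifier, with the universally/locally administered and individual/group flag bits in the first octet) and the impersonation risk described after it both lend themselves to a small worked example. The following Python is an added illustration, not code from the original post or from any of the tools it names: it parses the common MAC notations, reports the OUI, station identifier and flag bits, and, from the network operator's side of the hotel scenario, flags a station identity that shows up on more than one port or access point. The observation list is constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Accepted notations: 00:1a:2b:3c:4d:5e, 00-1a-2b-3c-4d-5e, 001a.2b3c.4d5e, 001a2b3c4d5e
MAC_FORMS = re.compile(
    r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
    r"|(?:[0-9a-f]{2}-){5}[0-9a-f]{2}"
    r"|(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}"
    r"|[0-9a-f]{12}"
)


@dataclass(frozen=True)
class MacInfo:
    canonical: str              # colon-separated, lowercase
    oui: str                    # first 24 bits: organization identifier
    station_id: str             # last 24 bits: per-adapter identifier
    locally_administered: bool  # U/L bit (bit 1 of the first octet) set
    multicast: bool             # I/G bit (bit 0 of the first octet) set


def parse_mac(text):
    """Validate one MAC address in any accepted notation and decode its fields."""
    t = text.strip().lower()
    if not MAC_FORMS.fullmatch(t):
        raise ValueError(f"not a MAC address: {text!r}")
    digits = re.sub(r"[^0-9a-f]", "", t)
    octets = [int(digits[i:i + 2], 16) for i in range(0, 12, 2)]
    canonical = ":".join(f"{o:02x}" for o in octets)
    return MacInfo(
        canonical=canonical,
        oui=canonical[:8],
        station_id=canonical[9:],
        locally_administered=bool(octets[0] & 0x02),
        multicast=bool(octets[0] & 0x01),
    )


def find_duplicate_macs(observations):
    """Map each MAC seen on more than one port/AP to the set of places it appeared.

    observations: iterable of (mac_text, port_or_ap_name) pairs, e.g. from a
    switch forwarding table or a wireless controller's association list.
    """
    seen = defaultdict(set)
    for mac_text, where in observations:
        seen[parse_mac(mac_text).canonical].add(where)
    return {mac: places for mac, places in seen.items() if len(places) > 1}


def locally_administered_addresses(observations):
    """Sorted list of observed MACs whose U/L bit is set.

    A software-overridden address is often locally administered, so this is a
    useful but weak signal: an address copied from a real burned-in adapter
    keeps the original vendor OUI and will not be caught here.
    """
    macs = {parse_mac(mac_text).canonical for mac_text, _ in observations}
    return sorted(m for m in macs if parse_mac(m).locally_administered)


# Constructed observations (not real data) in the spirit of the hotel scenario:
# the same station identity appears on a wired room port and on a wireless AP.
SAMPLE_OBSERVATIONS = [
    ("00:1A:2B:3C:4D:5E", "eth-room-412"),
    ("00-1a-2b-3c-4d-5f", "eth-room-413"),
    ("001a.2b3c.4d5e", "wlan-ap-lobby"),
    ("02:1a:2b:3c:4d:5e", "wlan-ap-bar"),
]

if __name__ == "__main__":
    for mac, places in find_duplicate_macs(SAMPLE_OBSERVATIONS).items():
        print(f"{mac} seen at {sorted(places)}")
    print("locally administered:", locally_administered_addresses(SAMPLE_OBSERVATIONS))
```

On a real network the observation pairs would come from the switch's MAC table or the wireless controller; the same address appearing on two ports at once is the usual symptom of either an impersonated station or a loop, and is worth alerting on either way.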

Archived at http://www.securityskeptic.com/arc20070101.htm#BlogID584 by Dave Piscitello  


Wed, 06 Sep 2006 00:00:00 00, 552
An Open Invitation to Bob Johnston, CISSP...

Bob Johnston, CISSP, questioned my qualifications as well as the qualifications of several colleagues in a recent post to Yahoo's CISSP mailing list. In a post with the subject line: Media "Certified" Security Experts (Gurus), Bob says,

I do not know about the rest of you, but I am quite tired of the media quoting and "certifying" security experts that do not possess a credible certification.

I made this statement based on the fact that the publications do not cite their certifications and when I attempt to identify them few if any possess any of the major certifications worthy of mention.

Bob claims that he cannot locate anything of substance to have us declared as gurus. His attempts to identify me and my colleagues appear to have been limited to a search argument against a database that returns a result of "No match on last name for CISSP/SSCP."

I truly wish Bob had made a more concerted effort to determine our qualifications before impugning our reputations. For example, a basic Google search on my full name returns over 76,000 hits. The top five include citations for books and RFCs I've published and my company home page and resume. Amusingly, a search on Joel M. Snyder will return over 2 million hits, and the result with highest relevance is indeed my colleague and close friend, who will have forgotten more about networking and security by noon today than most professionals might hope to learn in a lifetime.

Neither I nor my colleagues control how an editor chooses to brand or promote us or our works. I've made a pointed effort to explain my personal belief regarding the differences between Security Expert, Professional, or Practitioner. In the linked post I say, "Only a handful of people in the world are qualified and have accomplished enough in the short span where Internet Security has proved meaningful to be labeled experts." I truly believe this and do not place myself in this category. Moreover, I do not believe that satisfying the criteria for any security certification alone puts one in this category.

Later in his post, Bob asks,

"Before I make an a$$ of myself and write a challenging letter to the editor, can any of you say anything great about the others?"

For the record, I have worked with Joel Snyder and Brad Johnson, I respect both enormously, and it's relatively simple to search and conclude both are amply qualified security practitioners. Dan Minoli was a colleague at Bellcore. I had the opportunity to serve as consulting editor to several of the dozens of books on telecommunications and enterprise network management he published with Artech House. BTW, Dan describes himself as a network practitioner, not expert. Mandy Andress is blessed by a positive result from the CISSP/SSP search; by Bob's measure, this alone indicates that her qualifications are beyond reproach and need not be amplified here.

I sincerely wish Bob had judged me and my colleagues based on what we wrote for Network World and have published elsewhere rather than worrying over the presence or absence of a CISSP/SSP appended to our bylines. The email in our bylines is there for a reason. If Bob or others disagree with what I or my colleagues write, contact any of us by email. I suspect such an email exchange will prove to be more positive and enlightening than one that begins by carping at a NWW editor.

Archived at http://www.securityskeptic.com/arc20060901.htm#BlogID552 by Dave Piscitello  


Thu, 26 Jan 2006 00:00:00 00, 497
How to spot source address spoofing

Source address spoofing - the act of submitting IP packets with a source address other than one you are authorized and expected to use - is high on my list of unforgivable behavior. Failing to validate source addresses is also high on my list of unforgivably poor operating practices. Mostly, I hate the fact that telephone networks do something better than data networks, and every telco service I've ever used and helped design (e.g., SMDS) has source address validation.

Rik Farrow wrote an excellent and timeless article describing ways to spot source address spoofing. You can find this classic TISC Insight column here.
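Source address validation, as this entry complains, is something an operator can do at the edge: a packet arriving on a customer-facing interface with a source address that interface was never assigned has no legitimate reason to exist. The following Python is an added illustration, not code from the post or from Rik Farrow's column: it checks sample flow-log lines against a per-interface list of authorized source prefixes and against a short list of addresses that should never appear as a source from outside. The policy, the bogon list and the log lines are constructed for the example (documentation address ranges from RFC 5737 and RFC 3849); a production filter would use a maintained bogon feed.

```python
import ipaddress
import re

# Constructed ingress policy (not from the original post): the source prefixes
# each customer-facing interface is authorized to originate traffic from.
EXPECTED_SOURCES = {
    "cust-a": ["203.0.113.0/24"],
    "cust-b": ["198.51.100.0/24", "2001:db8:b::/48"],
}

# Illustrative, deliberately incomplete list of source prefixes that should
# never arrive from an external interface.
NEVER_VALID_SOURCES = [
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
]

POLICY = {iface: [ipaddress.ip_network(p) for p in prefixes]
          for iface, prefixes in EXPECTED_SOURCES.items()}
BOGONS = [ipaddress.ip_network(p) for p in NEVER_VALID_SOURCES]

# Constructed flow-log format: key=value pairs, one packet per line.
LINE_RE = re.compile(r"iface=(?P<iface>\S+)\s+src=(?P<src>\S+)")


def classify_source(iface, src_text):
    """Return 'ok', 'bogon', 'spoofed', 'unknown-interface' or 'unparseable'."""
    try:
        src = ipaddress.ip_address(src_text)
    except ValueError:
        return "unparseable"
    if any(src in net for net in BOGONS):
        return "bogon"
    allowed = POLICY.get(iface)
    if allowed is None:
        return "unknown-interface"
    # `address in network` is False across address families, so an IPv6 source
    # arriving on an IPv4-only interface is correctly treated as out of policy.
    if any(src in net for net in allowed):
        return "ok"
    return "spoofed"


def audit(log_text):
    """Classify every parseable line; returns a list of (iface, src, verdict)."""
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        iface, src = m.group("iface"), m.group("src")
        results.append((iface, src, classify_source(iface, src)))
    return results


# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
iface=cust-a src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=443
iface=cust-a src=10.0.0.5 dst=192.0.2.10 proto=udp dport=53
iface=cust-a src=198.51.100.9 dst=192.0.2.10 proto=tcp dport=80
iface=cust-b src=198.51.100.9 dst=192.0.2.10 proto=tcp dport=80
iface=cust-b src=2001:db8:b::17 dst=2001:db8::1 proto=tcp dport=22
iface=cust-c src=203.0.113.8 dst=192.0.2.10 proto=icmp
"""

if __name__ == "__main__":
    for iface, src, verdict in audit(SAMPLE_LOG):
        print(f"{verdict:18} iface={iface} src={src}")
```

The third line is the interesting one: 198.51.100.9 is a perfectly valid customer address, just not on the interface it arrived through, which is exactly the case a global allow-list misses and a per-interface check catches.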

Archived at http://www.securityskeptic.com/arc20060101.htm#BlogID497 by Dave Piscitello  


Thu, 12 Jan 2006 00:00:00 00, 492
New location for TISC Insight

For several years, Core Competence and Mactivity presented The Internet Security Conference (TISC). We also published a bi-weekly newsletter, Insight. At the end of 2005, we retired the domain names of the TISC conference. I am now hosting the 100+ newsletters published between 2000-2003 at a new domain, www.tisc-insight.com.

At the moment, all the articles are rehosted, indexed, and available for viewing. Over time, I will edit the columns and remove the hundreds of broken links and stale email addresses. I'll also (eventually) remove conference information that is no longer relevant. I may even create an RSS feed.

If you authored a column for Insight and find your contact information is incorrect, be patient and contact me with correct information.

During the migration process, I read quite a few of the articles. Many are still quite useful reading. Others have enduring entertainment value. I will periodically include pointers to such articles in my blog.

If time permits, I may resume publication of Insight. Several Insight authors have offered to publish again. Stay tuned for more information.

Enjoy, be safe, and happy reading!

Archived at http://www.securityskeptic.com/arc20060101.htm#BlogID492 by Dave Piscitello  


Thu, 08 Jul 2004 00:00:00 00, 279
Life before Google...

I'm sitting in a Starbucks, enjoying a latte, idling time waiting for the Volvo dealer to complete an annual service. WiFi Internet access isn't available. Without Internet service, my "secure access, anywhere" work style is handicapped. Without Google, my very virtual lifestyle is handicapped. More...

Archived at http://www.securityskeptic.com/arc20040701.htm#BlogID279 by Dave Piscitello  


Mon, 22 Mar 2004 00:00:00 00, 220
Ubiquitous Token Authentication: What will it take?

Is Token Authentication the Holy Grail? Token authentication is appealing because it is a familiar technology. Moreover, tokens are not as intrusive and potentially rights-infringing as biometrics. We use keys every day: keys are tokens.

Microsoft, Verisign's OATH crew, and others may have stumbled on the right authentication method, but all miss the forest among the trees. Their visions fall short of visionary in several respects. Read my analysis at LOOP.

Archived at http://www.securityskeptic.com/arc20040301.htm#BlogID220 by Dave Piscitello  


Fri, 19 Mar 2004 00:00:00 00, 221
Web Application Code is part of your security perimeter

Unless your organization is on the bleeding edge and deploying one of the many forms of application protection, the security measures you apply in your web application code are quite possibly all that stands between your sensitive data and attackers. Read the entire article at LOOP.

Archived at http://www.securityskeptic.com/arc20040301.htm#BlogID221 by Dave Piscitello  


Thu, 18 Dec 2003 00:00:00 00, 183
SIP comes to Hilton Head

While not quite as newsworthy as the Philadelphia Eagles Cheerleaders visiting for their annual lingerie calendar photo shoot, I've finally found time to install and use IP telephony in my office on Hilton Head Island. Read about my experience here.

Archived at http://www.securityskeptic.com/arc20031201.htm#BlogID183 by Dave Piscitello  


Fri, 05 Dec 2003 00:00:00 00, 175
Home Networking Alternatives

Several visitors asked if I had opinions about which alternative for home networking is best. Honestly, no single home networking alternative is right for everyone, and in many cases, including mine, you'll find you need more than one.

I wrote an article a while ago comparing "classic Ethernet", Wireless LANs, and Home Phone Networking. I barely mentioned powerline Ethernet (HomePlug), which was in its embryonic stage at the time of publication.

Still you may want to read Home Alternatives for Shared Network Access Service Providers.

Archived at http://www.securityskeptic.com/arc20031201.htm#BlogID175 by Dave Piscitello  


Mon, 01 Dec 2003 00:00:00 00, 172
Security Policy for Camera Phones

Camera phones create challenging security and privacy problems. We're already seeing suggestive commercials on television, where a voyeuristic lad sends photos of a couple passionately kissing to his camera phone buddies. I'm convinced we will read about security incidents as well as suits claiming privacy violations and sexual harassment as organizations face these problems and identify remedies.

Read my full article here.

Archived at http://www.securityskeptic.com/arc20031201.htm#BlogID172 by Dave Piscitello  


Sun, 30 Nov 2003 00:00:00 00, 171
Powerline Ethernet

I recently installed a Powerline backbone network, to extend my home network. Read about this often overlooked alternative here.

Archived at http://www.securityskeptic.com/arc20031101.htm#BlogID171 by Dave Piscitello  


Wed, 05 Nov 2003 00:00:00 00, 159
Long-lost Routing Article Recovered

The Web virtually assures that nothing is ever permanently lost. I discovered an electronic version of a Computer Communications Review article I co-authored with colleagues Jeff Rosenberg and Steve Gruchevsky in 1987. The hopelessly curious among you can now read Adaptive routing in Burroughs network architecture in Acrobat format.

Archived at http://www.securityskeptic.com/arc20031101.htm#BlogID159 by Dave Piscitello  


Wed, 15 Oct 2003 00:00:00 00, 146
What Broadcast Traffic Reveals

Messages broadcast over LANs are useful to you, and to a would-be attacker. Some broadcast traffic may not be useful to you at all, and only serves to inhibit network performance. This article illustrates what broadcast Ethernet traffic reveals, and recommends measures to eliminate unnecessary traffic to better protect yourself and tweak performance.

This column was originally published as a WatchGuard LiveSecurity Editorial, 14 August 2003.

Archived at http://www.securityskeptic.com/arc20031001.htm#BlogID146 by Dave Piscitello  


A Friendly Alternative To Registry Editing

Many users don't know how to harden Windows 2000/XP desktop and laptop computers. In this column for WatchGuard, I explain how to improve your security policy without having to contend with registry editing.

This column was originally published as a WatchGuard LiveSecurity Editorial, 25 July 2003.

Archived at http://www.securityskeptic.com/arc20031001.htm#BlogID145 by Dave Piscitello  


Fri, 15 Aug 2003 00:00:00 00, 102
Blocking Public Instant Messengers

My article on blocking AIM and other popular instant messengers is online at ISSA's web site. This is a members-only site, but you can apply for a 90-day trial membership. This is a re-purposed version of a column I wrote for WatchGuard's Live Security Service.

Archived at http://www.securityskeptic.com/arc20030801.htm#BlogID102 by Dave Piscitello  


Tue, 01 Jul 2003 00:00:00 00, 78
Article on TCP

I recently wrote a Fundamentals column on Transmission Control Protocol (TCP) for WatchGuard Technologies. Live Security Subscribers can find it at the usual WatchGuard location, and others will find it at CoreCom's LiveSecurity pages some time in August.

I've posted a more detailed paper, with an accompanying packet analysis. This paper investigates TCP at an advanced intermediate level (no more confusing than jumbo shrimp). People who have read the WatchGuard piece and were not challenged may appreciate this paper. Thanks to Lisa Phifer and A. Lyman Chapin for their respective reviews.

Archived at http://www.securityskeptic.com/arc20030701.htm#BlogID78 by Dave Piscitello  


Mon, 30 Jun 2003 00:00:00 00, 105
Server Load Balancing

Server load balancing is an effective way of improving or maintaining web server performance. If you are not familiar with this concept, you may find my column, Server Load Balancing Concepts (and the vClass) helpful.

Archived at http://www.securityskeptic.com/arc20030601.htm#BlogID105 by Dave Piscitello  


Mon, 03 Feb 2003 00:00:00 00, 2
Security Article Published in Business Communications Review

February 2003:

The Sad and Increasingly Deplorable State of Internet Security, a BCR Article

My friend and colleague Stephen Kent and I explain that Internet Security is in terrible shape!

Archived at http://www.securityskeptic.com/arc20030201.htm#BlogID2 by Dave Piscitello  


Wed, 22 Jan 2003 00:00:00 00, 4
Live Security Editorial

January 2003

Blocking Public Instant Messaging, Watchguard Live Security Editorial

Instant messaging may be OK at home, but it's risky business in the workplace...

Archived at http://www.securityskeptic.com/arc20030101.htm#BlogID4 by Dave Piscitello  


Tue, 31 Dec 2002 00:00:00 00, 6
Summary of 2002 Publications and Presentations

November 2002:

Security Out of Thin Air: Layered Security Practices for Incorporating Wireless LANs into Intranets,
a WatchGuard Technologies White Paper

Introducing Quality of Service,
a Watchguard Live Security Editorial

October 2002:

Affordable Web Server Scanning, a WatchGuard LiveSecurity Editorial

The Sad and Increasingly Deplorable State of Internet Security, a Next Generation Networks presentation

Security and Peer-to-Peer Applications, BCR Magazine

September 2002:

When Perimeters Dissolve, a Networld+Interop presentation

August 2002:

How to Use Certificates with MUVPN, a Watchguard Live Security Editorial

How and When to use 1:1 NAT, a Watchguard Live Security Editorial

July 2002:

WLAN Security - Nipping the Problem in the Bud, a WSTA Ticker Article

Anatomy of a Cross-Site Scripting Attack, a Watchguard Live Security Editorial

June 2002:

Isolate your Wireless Network on External, a Watchguard Live Security Editorial

May 2002:

Intrusion Detection...or Prevention?, a BCR article
(The print version of this article is missing the final paragraphs.)

March 2002:

Understanding Certificates and PKI, a Watchguard Live Security Editorial

February 2002:

Intrusion Detection and DDOS Prevention, Interop This Week

Routing and Your Firewall (Part 2), a Watchguard Live Security Editorial

Jan 2002:

Routing and Your Firewall (Part 1), a Watchguard Live Security Editorial

Archived at http://www.securityskeptic.com/arc20021201.htm#BlogID6 by Dave Piscitello