locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Thu, 13 Sep 2007 00:00:00 00, 648
Tokens are a big deal... but not a complete solution in themselves

Colleague, friend, and fellow consultant Rik Farrow had this important insight to add to my comments regarding the adoption of two factor authentication by PayPal/eBay and eTrade:

Hi Dave:

I read a couple of your blog entries, and had a couple of comments for you (and hi!). My attention was caught by

http://www.securityskeptic.com/arc20070801.htm#BlogID640

The proliferation of tokens certainly is a big deal. But tokens are not a complete solution in themselves.

Take e*trade, as an example. They posted about a 12% loss last year to trades made via stolen authentication credentials, surely enough to give everyone who is willing tokens. But just using hard tokens doesn't necessarily fix the problem. Bruce Schneier suggested, first during an RSA luncheon, and later in his blog, that tokens are not a complete solution, as authenticated connections can still be hijacked via malware that operates within the browser, or at the OS level (a rootkit).

Most of e*trade's problem is pumping-and-dumping of penny stocks. The people running these scams use compromised e*trade accounts to buy the penny stocks, pumping up the prices and encouraging others to buy in, before selling off. I've heard that it is possible to make 5% profit IN ONE DAY using these schemes...

Rik is, of course, entirely correct: two-factor authentication still requires that the user/client communicate both elements of the challenge to the server, and if the sending application (browser) or the channel is compromised, you are screwed. For Joe Average User, the lesson to learn is to use token authentication *and* the best possible defenses against malware (or buy a Mac).

Archived at http://www.securityskeptic.com/arc20070901.htm#BlogID648 by Dave Piscitello  


Mon, 06 Nov 2006 00:00:00 00, 566
Definition of Data Breach

I received an email from a visitor to my blog asking about data breaches. Robert writes:

Since the Veteran's Administration (VA) laptop incident, there have been numerous other data breaches. However, I can not seem to construct a singular definition of what a data breach encompasses. In addition, I am in the process of writing a policy on the protection of Personally Identifiable Information (PII) and would like to include a clear definition of data breach.

Thanks for any assistance or pointers you may be able to provide.

I decided to post my email reply in my blog.

There are many ways to define "data breach". I hesitate to claim my own interpretation is *definitive* but I consider any act (malicious or unintentional) that discloses information to an unauthorized party a data breach.

I think we begin to complicate the basic definition when we try to sort out "sensitive" from "private" from "whatever". So you tell me which of these you consider a data breach:

  • User behavior returned in an ad serving cookie
  • A document delivered to the wrong email recipient because the sender used autocompletion but paid no attention to the pulldown
  • User account and password transmitted by a keylogger to an attacker
  • Medical records, identity information, financial information obtained by an attacker following a successful buffer overflow attack in a web server script
  • Instant messages and IP telephony traffic captured off an open WLAN AP

I say "all of em". Which disclose sensitive information? Private information? What's the difference?

Perhaps if you have a working definition of PII in mind, you could extrapolate from my definition of data breach. Of course there are perhaps more definitions of PII than of data breach.

Opinions?

Archived at http://www.securityskeptic.com/arc20061101.htm#BlogID566 by Dave Piscitello  


Thu, 26 Oct 2006 00:00:00 00, 561
Hail and Farewell

Yesterday, I published my last Live Security Service Editorial. To close this chapter in my writing history, I added the following author's note:

My tenure as a LiveSecurity columnist is coming to an end. For nearly six years, WatchGuard Technologies has provided me with enormous editorial latitude so that I could explore a multitude of security issues and take you, my audience, beyond firewalls. I've had the distinct pleasure of working with a very fine technical staff, an outstanding editor, and an appreciative audience. I cannot thank you enough for your positive feedback on so many of my columns, and wish you all great success in your future security endeavors.

I received several comments from LSS subscribers, but none made me feel more appreciated than this one from Jon Chorney, a systems administrator at Master, Sidlow & Associates:

Dave,

Over the last few years, the Watchguard bulletins have grown from useful to vital and remarkably literate. Yours will be an extremely hard act to follow and I, like countless others of your readers, will be hoping that whoever comes after you will make every effort to match what you have done so consistently well.

Should you find yourself producing another bulletin or blog, I do hope you’ll feel free to let me know so that I can keep learning from you.

I wish you the very best in all that lies ahead for you.

Jon.

Jon's added to my digest recipients list. I hope he finds my blog as rewarding as I found his compliment.

Archived at http://www.securityskeptic.com/arc20061001.htm#BlogID561 by Dave Piscitello  


Mon, 18 Sep 2006 00:00:00 00, 553
Feedback on "media quoting and 'certifying' security experts"

I received dozens of comments on my BlogID 552, Media "Certified" Security Experts (Gurus), many from CISSPs. Here's a sample from the best of the lot:

As a CISSP, I am embarrassed by the behavior so many exhibit; the pious attitude is nothing short of elitism...Unfortunately, too many are hung up on certification – which is why I completed the CISSP – to silence the masses. My apologies for the elitist CISSPs that judge by acronyms after one’s name. - CS

I think the idea of only needing a CISSP appended to your name means you are an "expert" is ridiculous. I am glad you decided to post on your blog about this...it is alarming to me that people think having a CISSP automatically means you are an "expert". After all it is a test, to be honest, not a very hard test. I could train my fish to pass a test. - JR

and my personal favorite...

Richard Mitchell, brilliant essayist and commentator on the education biz, two decades ago foresaw all the assorted testing people now use as "litmus tests" of various kinds. He was commenting specifically on testing likes of which we now have with the current administration's education reforms, but it applies elsewhere, too. "Minimum competency testing will ensure precisely that." Richard Mitchell, "The Graves of Academe" - MO

Colleague and friend Joel Snyder gave me the biggest laughs, commenting

I guess that whole "look up a PhD" database doesn't seem to be linked to the "look up someone who can pass a dorky test" database.

For the record, I also received email from Bob Johnson, in which he explained his position regarding what he calls Editorial Malpractice, and added, "At no time did I intend to impugn the authors. If you are offended I do apologize."

In my response to Bob, I took the opportunity to comment on Bob's issue with editorial malpractice, as follows:

Editors have broad license. I have worked with dozens of editors in refereed, trade, and for fee journals and publications. Most editors are diligent and investigate the credentials of authors who freelance for them. Many editors are sensitive to the fact that practitioners who have 20-30 years' tenure in networking and security do not pursue certifications and have (in my opinion) appropriately concluded that it is best to use a collegial style of byline. I am certain you worked hard for your CISSP. Joel Snyder worked considerably harder for his PhD, and he is not listed as Dr. Joel Snyder.

Time to move on. After a few email exchanges, I'm comfortable that Bob and I can agree to disagree. I also think he's probably a decent guy and I'll look forward to meeting and chatting with him some day.

Archived at http://www.securityskeptic.com/arc20060901.htm#BlogID553 by Dave Piscitello  


Fri, 28 Apr 2006 00:00:00 00, 521
Misery blesses company...

In my Blogs 453 and 462 I rant about my frustrations with Adobe Acrobat. I received a comment recently that shows that not only does misery love company, but sometimes the mere existence of company is deemed a blessed event. Stephanie writes:

Dave

Bless you. I found your blog while searching for acrostan.msi on the internet I don't feel so badly about my frustrations with Adobe Acrobat Standard or Reader now that I've seen your rant. Word for word, I've lived it...and again today. This has happened to me too often.

Thanks,

Stef

Archived at http://www.securityskeptic.com/arc20060401.htm#BlogID521 by Dave Piscitello  


Thu, 13 Apr 2006 00:00:00 00, 519
Casting Ballots for Inventor of the Firewall

In my blog ID#516 I questioned the accuracy of Network World's claim that Shlomo Kramer, et al. deserve credit for inventing the firewall. While I did not actually call for a vote, balloting has indeed begun!

Dear Dave

I vote for DEC as a company. Along with Marcus Ranum you may add Fred Avolio while being at DEC for crafting the SEAL, then the FWTK at TIS. Ask either Marcus or Fred. They'll tell you the truth as these are not the type of guys that boast themselves.

My own background: I installed the first ones in France around 1992 or 1993, then the first Gauntlet.

Best regards,

Olivier CALEFF, Senior Security Consultant

Thanks, Olivier. FWIW, my interest in firewalls was kindled from Marcus' "Thinking about Firewalls", which is a classic work and must reading for any would-be security expert. I tinkered with the Firewall ToolKit in 1993, and Fred Avolio was responsible for shipping me my first commercial firewall, a TIS Gauntlet, in 1994.

Is it any wonder that I have steadfastly endorsed proxy-based security all these years?

Archived at http://www.securityskeptic.com/arc20060401.htm#BlogID519 by Dave Piscitello  


Sun, 05 Feb 2006 00:00:00 00, 502
Where's Part 3?

I received a very kind email complimenting my IP Telephony: Threats & Countermeasures series of articles. The message body reads:

Dear Sir

This is Vimal from India. I read your article about IP Telephony (VOIP) Security Part 1 and Part 2. It is a well researched and nicely written article and gives a lot of insight. I am waiting for the Part 3 of the same.

I hope I get to read that soon.

Sincere Regards

Vimal

Vimal reminded me that my original plan for this series was to conclude with a third article that would discuss security measures for IPT endpoint devices and servers, and discuss deployment considerations for converged (voice and data) networks. I never wrote Part 3, but have incorporated this discussion into a workshop I teach at VoiceCon. Alan Johnston and I also devote chapters in our forthcoming book to these topics. When I find time, I'll post the concluding article, or I'll ask Artech if I can post an excerpt from our book.

Archived at http://www.securityskeptic.com/arc20060201.htm#BlogID502 by Dave Piscitello  


Fri, 09 Dec 2005 00:00:00 00, 479
The Internet is a "muggle thing"

Upon reading my blog entry 478, Harry Potter and the Group Password, Richard Cleaver of Access Manager contacted me with this comment:

Dave,

If you can let me have Albus Dumbledore's email, I'll send him our free password manager (www.AccessManager.co.uk).

:)

Thanks for a great blog.

Best wishes

Richard Cleaver

Well, Richard, I've tried to locate Albus' email but have failed.

Hogwarts must consider the Internet a "muggle thing". The domain name Hogwarts.edu does not resolve, nor does hogwartsschoolofmagic.edu. The second-level label "Hogwarts" is registered under .com, .net, .org, .biz, .info, .us, and .tv and all these domain names are parked, meaning someone has registered the names and is speculating on their value.

As of December 9th 2005, domain name speculators have not yet registered the second-level label "Hogwartsschoolofmagic" under all the popular gTLDs, so if you're looking for a clever web site name...

Archived at http://www.securityskeptic.com/arc20051201.htm#BlogID479 by Dave Piscitello  


Fri, 13 May 2005 00:00:00 00, 403
Overlooked in my Bit-flipping attack commentary...

Kenny Patterson observed that I had failed to mention an important vulnerability when I commented on the NISCC announcement of IPsec ESP vulnerabilities in my blog entry #400.

Hi Dave,

Just read your excellent blog at http://www.securityskeptic.com/catVPNs.htm, and especially enjoyed reading the latest article on the recent NISCC announcement on IPsec vulnerabilities.

I think it would be a valuable service to your readers to make it clear in your blog that the attacks don't just result in bit flipping of selected header fields: that could be interesting - for example packets could get sent to the wrong upper layer protocol - but wouldn't be particularly serious as an attack (in my opinion).

In fact, the attacks described in the NISCC announcement achieve something more: they result in the complete decryption of ESP-protected packets. Thus they defeat the objective of ESP in providing a confidentiality service. Sorry if this seems a bit nit-picking, but I think the attack is potentially a good deal more serious than your article tends to convey.

I very much liked the seatbelts and airbags analogy.

Cheers,

Kenny

Color me embarrassed for failing to include the most troublesome threat this vulnerability poses. Thanks, Kenny, I've corrected the blog entry.

Archived at http://www.securityskeptic.com/arc20050501.htm#BlogID403 by Dave Piscitello  


Fri, 04 Feb 2005 00:00:00 00, 359
Cookies and executables at my site

I received a comment from a visitor complaining about cookies and Java executable code at my site, in violation of my stated privacy policy:

I was looking for antivirus program reviews and found http://www.securityskeptic.com/antivirus.htm through Google. When I opened the page I got a message from Mozilla asking whether to allow a cookie. I wasn't paying close attention to the source but the name included "trendmicro". I denied the cookie. I'm using Mozilla 1.7.3 on XP Pro.

The Java console window also opened, indicating execution of code at http://wtc.trendmicro.com/common/.

Your site looks unbiased but anything involving any antivirus company would raise doubts. Your privacy policy claims no cookies. Perhaps you overlooked something.

For the record, I don't ask for cookies, ever.

The cookie is from Trend Micro, a trusted antivirus company. I suppose I could change my privacy policy to say that sites referred to by my site may use cookies, but it seemed implied for a site that acts as a referrer site. Still, I apologize if you feel deceived. Perhaps I should investigate exactly why Trend Micro needs a cookie.

The applet depicts a world map and the infection rates and distribution of the current most prevalent viruses. It's freely offered by Trend for sites like mine.

I do try to be unbiased. I don't earn money from Trend for the use of this applet. I just thought it was very informative.

Archived at http://www.securityskeptic.com/arc20050201.htm#BlogID359 by Dave Piscitello  


Fri, 14 Jan 2005 00:00:00 00, 353
Why I bother blogging? Comments like these...

I had a conversation this morning with a colleague who can't understand why I'd bother blogging and maintaining a web presence. His claim is that the time is unproductive. Comments like these, and the ensuing thread, make blogging more productive than many activities...

In Blog #342, Make all your security problems disappear?, I asked, "If you know how to write an operating system that is easy to use, trivial to network and perfectly secure, drop me a line."

I should have said client operating system. Given the oversight, I anticipated some nasty flames, and instead received a nicely articulated consideration of OpenBSD from Brian Keefer, Sr. Systems Engineer, Tumbleweed Communications:

Sounds like you just described OpenBSD to the tee. While no OS is "perfectly secure", there *are* some useful metrics to determine the relative security of an OS. One would be how many remotely exploitable vulnerabilities have existed in the default configuration that allow complete take-over of a machine. In that category OpenBSD is far and away the leader with only 1 remote hole in eight years!

If you talk about what is *possible* with an OS, any OS could be made nearly secure, given enough research, time, and effort. Likewise, given enough carelessness any OS can be completely insecure. What matters most is the default state of the OS when it's installed, because most users will leave it that way. OpenBSD has excelled in that nearly since inception, and it's a concept that other OSs (including Microsoft) only caught on to very recently.

The other primary concerns are the overall number of remotely exploitable vulnerabilities, and the time taken to fix them. In the first category, OpenBSD leads, and in the second category OpenBSD has a similar track record to other Open Source projects. Of note, the OpenBSD project has submitted many security patches to other projects, some of which were unfortunately never implemented (such as in Apache). This made OpenBSD implementations of OSS more secure than the vanilla version everyone else uses.

Anyway, my point is that OpenBSD is easy to use (and extremely well documented), trivial to network (including firewall, VPN, and network services), and it's as secure as you can get in a readily available OS.

My response to Brian was, "I've used many Linux-variants, but have not used OpenBSD and should find time to do so. I have no reason to doubt whether your statistics are correct, so OpenBSD certainly merits attention for server needs at the very least. The questions I'd still have to consider are whether OpenBSD could satisfy consumer level ease of use criteria for client computing, and how one could recreate the typical application suite enterprises and consumers rely nearly entirely on Windows developers to provide. I simply don't know." His reply...

I didn't realize your rhetorical question was more geared to client computing (a misunderstanding on my part). OpenBSD would definitely not be my recommendation there. I was answering in the theoretical sense that, yes, OpenBSD meets your criteria. For a server platform, I think it's difficult to beat OpenBSD for out-of-the-box, low maintenance network services.

For a client, I would agree with you entirely that it's a pipe dream (at least at this point). Apple's OS X comes close, as it's certainly "easy to use" and very close to "trivial to network". Unfortunately security has a lot of room for improvement. I would say OS X is better than any other client OS I've seen for security, but there are far too many glaring oversights to give it the stamp of approval. That said, because of the first two criteria it's what I use for day-to-day computing. OpenBSD stays at the servers, where it excels.

I've added "install OpenBSD somewhere" to my wishlist of activities to fill my *unproductive* time.

By the way, if you want an amusing perspective on Linux, visit http://www.big-boys.com/articles/switchlinux.html.

Archived at http://www.securityskeptic.com/arc20050101.htm#BlogID353 by Dave Piscitello  


Wed, 12 Jan 2005 00:00:00 00, 351
When even the wrong hyperlink is a good read...

I am always pleased when a reader takes the time to email me a comment, especially if it's a compliment. But this is a first. Ramon Fernando encountered a misdirected link on my VOIP Security resources page and wrote:

“IP Telephony Security, Part II: Threats to Operators” -- this is the article I wanted to read after enjoying and learning the previous section. However, I ended up getting the article on “Life Before Google” instead which was also a good read.

Is there a way I can read the article on “… Threats to Operators”?

Thanks Ramon. I've fixed the incorrect URL.

Archived at http://www.securityskeptic.com/arc20050101.htm#BlogID351 by Dave Piscitello  


Thu, 29 Jul 2004 00:00:00 00, 288
Comment on "Quotable then, applicable still"

In response to this blog entry (#283), Pete Herzog, Managing Director, ISECOM, writes


Dave,

One thing that we have been able to do, based on perspective of configurations and architecture, is measure security and loss controls. Originally written as a way to measure security of military bases and other areas for physical security, it was written broadly enough to allow for measuring IT systems. With two large-company IT infrastructure measurements behind us in our beta test, we have released the schema for peer-review and are set to release it publicly.

The Risk Assessment Values (RAVs) allow anyone to use security tests and, to some degree, risk assessments to calculate security defenses and loss controls in a non-biased way. This gives us the Operational Security level. Later we calculate Actual Security which includes deductions due to known vulnerabilities, weaknesses, information leaks, etc.

While we are finalizing the write-up on it for inclusion in the OSSTMM (www.osstmm.org) I thought it might be of interest to you based on what you wrote here. Since now, we can do a baseline measurement and any changes, improvements, or additions to security or loss controls can be reflected by an increase or decrease in the new measurement. This percentage can then be gauged against the number of interactions for any time period the infrastructure has to find what percentage of loss occurs.

Obviously, to find loss occurring and figuring out how much loss in terms of money requires asset management and risk assessment. For this, the calculations also let you test as small as one application or a whole network so you can find if your most valuable assets have the best security and loss control measures.

Thanks, Pete, and I'll encourage my readers to visit http://www.OSSTMM.org.

Archived at http://www.securityskeptic.com/arc20040701.htm#BlogID288 by Dave Piscitello  


Fri, 04 Jun 2004 00:00:00 00, 261
FAT and removable media

Paul Hoffman reminded me that I spend too much time in a Windows monoculture when he commented:

All my external USB2 or FireWire hard drives are FAT. Why? Because it is the only format that will read and write equally well on XP and Mac OSX (and FreeBSD). That's good enough for me.

Paul's absolutely right. If you are sharing files across platforms, FAT is the only format that works. I concede the point.

Since Paul's a founder of the Virtual Private Networking Consortium (VPNC), I could not resist teasing him by replying, "I would have thought Mr. VPNC would have used FTP over IPSec between disparate operating systems and never conceded to such unsecured transfer of data :-)" Always quick on the repartee, Paul replied that 200 Gigabytes is a bit much to push over an encrypted tunnel...

Archived at http://www.securityskeptic.com/arc20040601.htm#BlogID261 by Dave Piscitello  


Tue, 01 Jun 2004 00:00:00 00, 259
Use GPS for Laptop Lojack

Commenting on the topic "laptop theft and countermeasures", Paul Schumacher writes:

Subject: blog - laptop LoJack alternative

To: dave@corecom.com

Hi, Dave

When I was working as a digital design engineer, I did some work with GPS. These receiver 'engines' were the size of business cards, and about 5 mm thick, and cost $150 in single quantities (no interface). Probably much smaller today.

If instead of squealing an RF signal for the police to triangulate on, the lojack were to give a continuously updated GPS location of the stolen item, it would make the police's job quite simple. This could be easily built into a laptop, or any other high value item. It could also be a PCMCIA card to retrofit a laptop. An added benefit is the user could access his GPS location.

The police would be more interested in recovering lower priced equipment than high value cars if all they had to do was read a display saying that the missing or stolen item was at the corner of 5th & Main than if they had to triangulate on the car or item by driving around town.

Sincerely yours,

Paul Schumacher

Your image of laptops squealing for the police notwithstanding, I like it!

I think this is how my Sprint PCS phone "locates" me. So it's doable using commodity hardware. Now all we need is a business plan for running the monitoring operation, some working capital, and we're in business...

Archived at http://www.securityskeptic.com/arc20040601.htm#BlogID259 by Dave Piscitello  


Thu, 06 May 2004 00:00:00 00, 245
Compliment on Phishing article at LOOP

Scott Pinzon is an excellent editor. I've written perhaps three dozen articles for WatchGuard Technologies under Scott's educated eye and gentle editing pen. So when I receive a compliment from him, I get excited. Scott's email regarding my LOOP article, Recognizing and responding to spoof email messages, was high praise indeed:

Damn! Your article on spoofed emails/phishing, on the Loop site, is terrific.

I'm jealous that we didn't get to publish it -- the highest compliment I can offer.

Scott Pinzon

LiveSecurity Lead Editor

WatchGuard Technologies, Inc.

Archived at http://www.securityskeptic.com/arc20040501.htm#BlogID245 by Dave Piscitello  


Wed, 21 Apr 2004 00:00:00 00, 233
Recommendation on antispam for desktop client

In response to my post describing my recent antispam study, Scott Pinzon offered the following alternative to the antispam desktop clients I'd been evaluating:
If you're using Outlook as your email client, no discussion of desktop anti-spam is complete without trying SpamBayes.

It requires some "training" in order to understand what is spam to YOU, but this is simple and my dad could do it. After two weeks, it is phenomenally smart about what to keep and what to discard.

Archived at http://www.securityskeptic.com/arc20040401.htm#BlogID233 by Dave Piscitello  


Sun, 15 Feb 2004 00:00:00 00, 201
Inquiry regarding site survey comment in Powerline Ethernet article

Alex Gordy of Tornado Marketing, Inc. read my article on Powerline Ethernet and asks,

"You mention that 'Many organizations conduct a site survey prior to deploying Wireless LANs in a facility, and often discover the most appropriate access point placement is a location where they cannot provide power.' Do you have any specific sources of info you can point to for this? It would be very helpful to know."

This is part anecdotal evidence, part accumulated lore/experience. A Cisco Systems white paper does a commendable job describing PoE. Companies often occupy large, unwalled, high-ceilinged office or industrial spaces with the intention of creating bullpen arrangements of cubicles (reminiscent of Dilbert cartoons). The canonical office space of this sort is a single story, rectangular building with 20 foot ceilings. Draw circles with a broadcast radius and fit them into the rectangle in such a fashion that you have minimum overlap and (theoretical) exterior leakage but maximum coverage. Now, where do you mount the access points? Look up.

Ceilings are excellent places to arrange access points. You often have to run CAT-5 to the APs to connect them to the wired elements of your network, but why run electrical to such locations solely for the sake of the access points if you can deliver power over CAT-5?

Mount your APs, then survey with the most powerful antennae you can find or build, and reposition as necessary (adjust power on APs or choose alternative antennae if you have the ability to do this.)

Archived at http://www.securityskeptic.com/arc20040201.htm#BlogID201 by Dave Piscitello  


Thu, 18 Dec 2003 00:00:00 00, 184
Compliments

Commenting on my article, Free Space Optical: Extending Optical Networks Where No Fiber Has Gone Before, Dave Carson wrote:

"...thanks for writing one of the most succinct and most clear FASO articles in the industry. After reading FASO after FASO article in terms of application to a last mile wireless ISP plan, yours is by far the best in terms of clarity and comprehensive coverage of the industry."

Thanks, Dave (Carson).

FWIW, Free Space Optical is still around. The market and opportunities are growing. I found the column, New Life for FSO, at Light Reading, quite interesting.

Archived at http://www.securityskeptic.com/arc20031201.htm#BlogID184 by Dave Piscitello  


Fri, 05 Dec 2003 00:00:00 00, 176
Comments on HomePlug Networking

I received a surprising number of comments on my Powerline Ethernet (HomePlug) post and article. Henry Lewis writes:

"This reminds me of the old intercom over AC power line devices which were subject to crosstalk between homes which were on the same side of a given transformer, (although they also had RF interference from fluorescent lighting which I presume does not happen here). How far down the block does this go? Although drive-bys would be eliminated, is it better or worse than WiFi interception between homes?"

Good question. My understanding is that "how far" depends on how utilities deploy power lines. Conceptually, it's "whatever arbitrary network of outlets receives power from the same source" - like any other tree topology, the branches must stem from the same trunk or root. What's interesting about this is that depending on the country and power company infrastructure, this may be a piece of your home (all the circuits connected to the same meter), several apartments in your building, even multiple homes in a neighborhood.

Archived at http://www.securityskeptic.com/arc20031201.htm#BlogID176 by Dave Piscitello  


Thu, 18 Sep 2003 00:00:00 00, 128
Making X illegal because it can be used illegally (Blog #126)

Professor Diablique responded to my blog, Criminalize tool sharing?

Talk of nonsense! Twenty years ago, while a SFC (E-7) in the Army, one of the classes I taught with two other NCOs was how to take everyday items and use them to make very advanced and powerful explosives, incendiaries and weapons.

All of the ingredients for making military grade plastic explosive (Comp C, Astrolite) and the detonators (blasting caps - mercury fulminate, TACC, nitrogen sulfide, etc.) to set it off are to be found in grocery, drug and camping stores. Does this mean that ammonia, bleach, nail polish remover and the like are to be made illegal?

Worse, do we outlaw lead acid batteries (automobiles - sulfuric acid) and ethanol (the drinking stuff) because they can be used to make a very nasty chemical warfare agent?

We can go all the way back to the stone age, but then stones can be used to bash in someone's skull, or worse, make flint knives and spear heads.

A better idea would be to outlaw intelligence and knowledge. That way we would be reduced to tooth and nail fighting.

Outlaw teeth and nails?

Archived at http://www.securityskeptic.com/arc20030901.htm#BlogID128 by Dave Piscitello  


Sat, 13 Sep 2003 00:00:00 00, 125
Comment on Insider Attacks

Following Mitch Kabay's newsletter, I received a fair number of comments. I'm pleased that all sorts of folks are visiting my blog, including people in senior, influential positions.

A comment from Jon Callas, CTO/CSO at PGP Software, is particularly satisfying. It convinces me that threads can stem from blog entries, and that astute visitors can add value and perspective to what I post.

Here's Jon's comment. Email Jon with your comments.

Jon Callas writes:

I read your blog, and think it's nice. Here are some comments on insider attacks.

Many people who think about insider attacks aren't thinking about it the right way.

I give various talks about computer security and in one of my standard speeches I used to give when I worked at Counterpane, I talked about how the information we have about security is frequently presented in such a way that it's hard to make useful commentary on it, and people who draw conclusions from things are frequently not looking at it the right way.

The example I gave was statistics that (this was in 1999-2000) showed variously insider attacks being 60-90% of all the attacks there are. And usually they would wrongly assume that this actually means that there are lots of them.

Here's why:

Imagine if you will that you go out and you buy God's Firewall. God's Firewall is the ultimate in perimeter security. It lets every good guy do everything they are entitled to do (but not what they aren't entitled to do). And it stops every bad guy from anything. How does it work? Well, it's God's Firewall.

Before you install God's Firewall, the insider attacks you see are 60%, 80%, or something like that, according to these expert numbers. After you install God's Firewall, what will the rate of insider attacks be?

The answer is 100%. God's Firewall stops all the external attacks, and the only ones left are internal attacks. If you plotted a graph of percentage, you'd see a huge spike in percentage of internal attacks. If you are careless, you will think that there's a huge increase in them.

But this is exactly what happens if you cure cancer. If you cure cancer, then it will no longer be the #1 cause of death, heart attacks will be.

You see, if you look at this correctly, a 60% figure for rate of internal attacks is not telling you that you have criminals working for you. It's telling you that your perimeter defenses stink!

Banks are really good at perimeter defenses. Almost every successful bank robbery is an inside job. Why? Not because banks hire untrustworthy people, but because they all but eliminate the external threat.

This is one of the problems that we have in computer security -- we are looking at the numbers and metrics we have for our problem space the wrong way.

If you go to someone who designs museum security and you tell them: install my security and all your attacks will be inside jobs, and they will say, "Tell me more."

If you go to someone who does network security and tell them the same thing and they'll chase you out of their office.

This is part of why computer security is so screwed up.

Jon Callas

CTO, CSO

PGP Corporation

Archived at http://www.securityskeptic.com/arc20030901.htm#BlogID125 by Dave Piscitello