The Security Skeptic

Rich McIver forwarded a link to IT Security's 103 Free Security Applications, a nice collection of security freeware for Windows, Linux and OS X. The list is conveniently organized by security service - antivirus, antispyware, firewall, network assessment, etc. - and contains many software I've recommended here and on my resources pages.

I found eight or so software applications I'm likely to download and try. I'm always willing to consider ways to improve my security baseline.

You feel confident you have all the security software you need? You're probably overconfident. Visit the hyperlink.

Archived at http://www.securityskeptic.com/arc20070401.htm#BlogID608 by Dave Piscitello  

Today I registered a domain name for my security web log:

securityskeptic.com

Why did I choose skeptic? The Oxford dictionary defines a skeptic (sceptic) as "a person inclined to question or doubt accepted opinions". The etymology of skeptic is either Latin (scepticus) or Greek (skeptikos). Skeptikos means thoughtful, a derivative of skeptesthai (to look, consider). If a skeptic is "one who instinctively or habitually doubts, questions, or disagrees with assertions or generally accepted conclusions" then I am decidedly an Internet security skeptic.

I've sometimes described myself and others who rant about the sad and deplorable state of Internet security as "curmudgeons". Friends and colleagues tell me this is not quite an accurate description of my dominant attitude when discussing security. I'm glad I'm not perceived as being crusty, irascible, ill-tempered, cantankerous and *old*.

So I will soon be publishing my weblog from www.securityskeptic.com.

Archived at http://www.securityskeptic.com/arc20070201.htm#BlogID593 by Dave Piscitello  

I am very fortunate to count a large number of network and security experts and practitioners as friends and colleagues. Since we share interests, we exchange mail regularly. We also frequent the same mail lists, and I often find myself thinking, "gee, everyone should read this!" So I've created a new category at my security blog: Guest Experts. Hereafter, when I find something I feel is worth sharing in a more convenient manner than a mail list archive, I will (with attribution) create a blog entry on behalf of the author.

Tina Bird has graciously agreed to be the pilot contributor. I hope to provide you with many more.

Archived at http://www.securityskeptic.com/arc20070101.htm#BlogID586 by Dave Piscitello  

Gene Kim wrote a nice piece about unplanned work and its adverse affect on productivity. Unplanned work is a euphemism for "the daily dose of IT reality". It includes restoring service following a failure, responding to security incidents and configuration errors, and (my favorite) providing assistance "outside the help desk", also known as drive-by acts of kindness that tech-savvy staff invariably offer fellow employees (especially the attractive ones).

As the name suggests, unplanned work cannot be associated with authorized projects, procedures or change requests but divert staff attention away from planned activities. Gene and colleague Kevin Behr believe that unplanned work is "a remarkably accurate indicator and predictor of IT effectiveness".

Find the full article in the online version of this Tripwire Newsletter.

Archived at http://www.securityskeptic.com/arc20051201.htm#BlogID483 by Dave Piscitello  

The folks at NSASoft, LLC offer a number of auditing tools from their Network Security Audit Software package as individual freeware applications. Several of these are useful tools for exploring your PC and browser for signs of spyware:

• Registry Auditor scans the Windows Registry and identifies entries that it suspects are adware, malware or spyware. For each suspicious registry entry, Regauditor identifies the Registry Path and value, the location of the file referenced by the entry, and (most importantly), a URL where you can read about the offending item.

• BHO Scanner enumerates browser helper objects installed on your PC, and again distinguishes useful BHOs from parasites and trojans. One feature that I find unique to this application is the ability to scan remote PCs for which you have remote registry access rights and administrator privileges.

• IE Cache Explorer displays cookies, history and temporary Internet files and allows you to delete them. True, there's nothing earth shattering about this utility, but the detailed analysis of cookie information (URL, hit rate, use count, etc) can be helpful in identifying ad cookies, and you can use the URL to customize your blocked sites list in IE or at your firewall or content filtering proxy.

Many other network auditing utilities - finger, dns and whois clients, port and network scanners, traffic generators - are also available. The for-purchase NSAuditor incorporates all these utilities into a convenient single UI with more advanced features. Kudos to these folks for offering truly free and useful utilities to complement a useful and nicely priced commercial product.

Archived at http://www.securityskeptic.com/arc20051001.htm#BlogID465 by Dave Piscitello  

My colleague and ICANN co-worker, Steve Conte, recently called my attention to the fact that I'd neglected to add my mobile phones to the national Do Not Call Registry. Steve pointed out that telemarketing calls to mobile phones is increasing, in all likelihood because many folks overlook this number when registering at https://www.DoNotCall.gov. Steve also points out that telemarketing calls to mobile phones aren't just annoying, but potentially costly. Depending on your service plans, you may be charged for the call. This can be especially expensive if you are roaming internationally.

I imagine the next numbers I'll be registering at DoNoCall.gov are SIP numbers.

Archived at http://www.securityskeptic.com/arc20050601.htm#BlogID422 by Dave Piscitello  

AskSam.com has posted a free browse-and-search version of the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA). Downloadable versions available as well, in viewer and database formats. If you are involved in any HIPAA-related projects, http://www.asksam.com/ebooks/HIPAA/ is a handy link to add to your favorites.

Several other federal regs are available as well:

• Sarbanes-Oxley
• Patriot Act
• Intelligence Reform and Terrorism Prevention Act

Archived at http://www.securityskeptic.com/arc20050601.htm#BlogID420 by Dave Piscitello  

Proofpoint and Forrester Research recently polled 300+ US-based enterprises of 1000 or more employees, to gauge the extent that outgoing email is viewed as a security risk by companies of this size. Some of the interesting statistics I gathered from this survey include:

• Over a third of the companies employ staff to analyze outbound email;

• On average, these companies estimate that one quarter of all outgoing email contains material that poses a legal, financial, or regulatory risk;

• Confidential business information surpasses offensive content as the most common form of inappropriately transmitted content;

• More than half of the companies surveyed disciplined employees for email abuse in the past 12 months, and one quarter of companies terminated an employee for email policy violations.

In addition to survey results, this report offers an interesting consideration of email security policies. If your organization doesn't have such policies, you can learn quite a bit about "The email Policy Environment in Today's Enterprise".

I'm usually unimpressed with vendor reports. This one is worth a look. It's available at http://www.proofpoint.com/outbound/

Archived at http://www.securityskeptic.com/arc20050601.htm#BlogID416 by Dave Piscitello  

There's always something to learn about HTML, and I learn best when I can see an example. The HTML Code Tutorial site is chock full of examples and is clearly written to be easily searched using an engine like Google. Kudos to the operators...

Archived at http://www.securityskeptic.com/arc20050101.htm#BlogID348 by Dave Piscitello  

Pete Finnigan has composed an impressive list of papers on attacking and securing Oracle Databases and servers at PeteFinnigan.com Limited I know Peter by reputation and published one of his papers while editor of TISC Insight. In addition to many fine papers he's authored, Pete's compiled a nice set of intro-to-expert papers on many aspects of Oracle security. This site's worth bookmarking if you are running an Oracle database.

Archived at http://www.securityskeptic.com/arc20040801.htm#BlogID291 by Dave Piscitello  

There are times when authors who wish to make original works available online want to protect the integrity of the work and also mark the work with some permanent form of attribution. I began paying more attention to work integrity when I discovered copies of Powerpoint presentations I'd given at conferences at multiple web sites. In one case, a rogue publisher had converted my presentation to HTML, but substituted his name and organization in place of mine, and had actually given the presentation without my knowledge or consent. Other times, I receive requests from attendees for the original Powerpoint. I ask the purpose, and I'm often told that the requester wants to incorporate my material into a presentation he will give to his organization or clients. I ask if any attribution will be applied to my work, but I what assurance do I really have that the requester will honor the claim?

I haven't found a perfect and inexpensive way to do this, but am experimenting with watermarked Adobe Acrobat files. One inexpensive way to create these is to use the Kinati 2PDF Converter Website. Kinati provides the ability to distill Powerpoint (and other) files to PDF with a watermark, password, and with Adobe's print, user copy, and change protection. Simply submit the filename, choose the distilling "features", and Kinati will send a hyperlink where you retrieve the converted document via email. Kinati's privacy policy indicates they do not resell your email address.

Kinati affords me some flexibility in how I satisfy requests for documents. They are not the only site offering this service, but they are quick, the quality is good, and they appear to be responsible.

Archived at http://www.securityskeptic.com/arc20040601.htm#BlogID267 by Dave Piscitello  

Site Valet offers a web site monitoring service with automated reporting and online tools. One of the free tools, Link Valet, spiders your site and checks the validity of the hyperlinks in web pages. Other free tools include Validator, which syntax checks your HTML, and cg-eye, which helps you diagnose script problems. While I still favor TIDY for HTML code checking, Link Valet is convenient and simple. I won't embarrass myself by telling you how many broken and deprecated links I found...

Archived at http://www.securityskeptic.com/arc20040501.htm#BlogID257 by Dave Piscitello  

Every so often, I'm reminded of the excellent list of security axioms Fred Avolio hosts at his web site. This time, Fred reminded me;-)

Myths, perceptions , and mythperceptions (Baba Wawa's in the building!) abound in security. Fred's gathered them all, visit this link.

Archived at http://www.securityskeptic.com/arc20040401.htm#BlogID242 by Dave Piscitello  

I've found a definitive source for advice on prolonging battery lifetime, at the Battery University.

Briefly, Lithium-ion batteries provide 300-500 discharge-and-charge cycles. Partial discharges work best, and the batteries are memory-free. The referenced URL goes into considerable detail, and provides a table comparing capacity loss and retention when you recharge at the recommended 40% level versus the typical 100%.

Archived at http://www.securityskeptic.com/arc20040101.htm#BlogID190 by Dave Piscitello  

Mike Penacchi posted a good column about measuring (LAN) performance using a freely available tool, Iperf, at Comdex Loop.

Iperf is available from NLANR/DAST.

Happy reading... and measuring!

Archived at http://www.securityskeptic.com/arc20031201.htm#BlogID182 by Dave Piscitello  

I use Windows Terminal Services to manage my web servers. Yes, the service is blocked from the outside, the server is hardened, and I have ACLs to minimize unauthorized connections (I find it increasingly difficult to say *mitigate* these days). My blog software automatically updates blog pages and archives, but posting articles and shuttling images to the server from my desktop was a cumbersome FTP process, made even more so because I still use lame old FTP from the DOS command line.

I found this clever little utility at AnalogX called TSDropCopy. You install TSDropCopy on both your server and client, enter some rudimentary configurations, and you're ready to drag and drop files between your client to your server. You can even create path mappings across the two machines.

TSDropCopy is one of a handful of very useful AnalogX applications I've found nearly indispensible, ranging from web log analyzers to script- and cookie- blockers.

The software is free. The Windows clients have simple, uncluttered interfaces. It's all surprisingly small (no bloatware here). AnalogX are the kind of folks who give me hope that some people still engage in hacking as it was intended.

Archived at http://www.securityskeptic.com/arc20031201.htm#BlogID181 by Dave Piscitello  

I've been spending more blog time writing for Comdex Loop than here. It promises to be an interesting site. Some of what I've written for Loop I've mirrored here, but you should visit Loop just in case I've overlooked something.

Archived at http://www.securityskeptic.com/arc20031201.htm#BlogID180 by Dave Piscitello  

My Powerline Ethernet article attracted several comments, and inspired me to Google a bit. A Broadband Home Labs evaluation of Homeplug draws an interesting set of conclusions regarding HomePlug deployment. The most intriguing and in my opinion most helpful for troubleshooting were the conclusions in the section , "What Makes Outlets Good or Bad?" Visit the link to learn about finding a "good" outlet for your Master adapter.

Archived at http://www.securityskeptic.com/arc20031201.htm#BlogID173 by Dave Piscitello  

I have trouble remembering how to format special characters in HTML. The free webmaster resources at WebAnalysis include a page of HTML special characters unicode.

Archived at http://www.securityskeptic.com/arc20031101.htm#BlogID158 by Dave Piscitello  

Archived at http://www.securityskeptic.com/arc20030901.htm#BlogID133 by Dave Piscitello  

I am now the webmaster for the South Carolina Chapter of the ISSA.

I have posted a new library of online security related resources on behalf of the South Carolina Chapter of the ISSA. You may recognize this list: it is the child of the TISC Security Links pages.

The library identifies more than 500 hyperlinks to security articles, portals, advisory centers, and more. I've visited and read nearly all these resources and can attest to their quality.

Archived at http://www.securityskeptic.com/arc20030901.htm#BlogID127 by Dave Piscitello  

You can download David Wheeler's Secure Programming for Linux and Unix HOWTO without fee. This book provides a set of design and implementation guidelines for writing secure programs for Linux and Unix systems. Such programs include application programs used as viewers of remote data, web applications (including CGI scripts), network servers, and setuid/setgid programs. This document includes specific guidance for a number of languages, including C, C++, Java, Perl, Python, and Ada95.

Another free ebook available for download is Jason Coombs' IIS Security and Programming Countermeasures. Jason published/pushed his announcement with the following sentiment:

"It is my hope that those administrators and programmers who are presently at-risk due to the use of IIS will learn something valuable from this manuscript."

Archived at http://www.securityskeptic.com/arc20030901.htm#BlogID121 by Dave Piscitello  

The 2003 Computer Crime and Security Survey is now available. Visit CSI to register and download the .pdf.

Archived at http://www.securityskeptic.com/arc20030901.htm#BlogID119 by Dave Piscitello  

Archived at http://www.securityskeptic.com/arc20030801.htm#BlogID111 by Dave Piscitello  

What's the most appropriate course of action when one discovers a software flaw that makes an operating system, client or server application vulnerable to an attack?

The answer to this question is the heart of the Disclosure Debate that continues within the security community. One constituency believes that full and immediate public disclosure of the flaw is necessary: I call this the *stick* approach (e.g., carrot or stick) because in theory, it embarrasses the software company into a response. The problem with this approach is that it often broadcasts an exploitable flaw that may be present in hundreds if not thousands of production hosts before> a patch or recommended way to circumvent the problem is prescribed. These systems become targets of a broader base of attackers than they might otherwise attract.

A second constituency believes that the flaw should be disclosed to software vendors first, who ought to be afforded some opportunity to provide a patch or recommended workaround. If the vendor is unresponsive after 30 days, for example, information about the flaw may be released to the public. This is the *carrot* approach.

Whether you believe in the stick or the carrot, you should take time to review and comment on the Draft Security Vulnerability Reporting and Response Process by Organization for Internet Safety (OIS).

How vulnerabilities are reported affects all netizens.

Archived at http://www.securityskeptic.com/arc20030801.htm#BlogID97 by Dave Piscitello  

Archived at http://www.securityskeptic.com/arc20030701.htm#BlogID80 by Dave Piscitello  

Finally, a service from the FTC to reduce unsolicited telephone calls!

Visit The National Do Not Call Registry, register your phone number(s), visit the hyperlink the FTC emails you, and most telemarketers must abide by Federal Trade Commission "Do Not Call" provisions of the Telemarketing Sales Act, and cease calling anyone who has registered phone numbers with the FTC.

Some of the teeth of this legislation are missing. Organizations with - you bet, considerable lobby influence - can still call you. So who might these be? Long distance phone companies, airlines, banks and credit unions, insurance businesses, political organizations, and telephone surveyors.

Archived at http://www.securityskeptic.com/arc20030601.htm#BlogID75 by Dave Piscitello  

The Security Vulnerability Reporting and Response Guide is available for free download via the OIS.

This is a draft report prepared by the Organization for Internet Safety. OIS is a consortia of security companies (@stake, BindView Corp., The SCO Group, Foundstone, Guardent, Internet Security Systems, Inc., Microsoft Corp., Network Associates, Oracle Corporation, SGI and Symantec) They hope to help organizations improve security through the adoption of a formal process for reporting (disclosing) vulnerabilities to vendors and garnering timely vendor response.

The report is out for public comment, so download and RTFR!

Archived at http://www.securityskeptic.com/arc20030601.htm#BlogID70 by Dave Piscitello  

Fyodor, author of the nmap scanning and OS fingerprinting utility, compiled a list of the most popular and well-regarded penetration test and security auditing tools. You can find it at Insecure.Org.

Archived at http://www.securityskeptic.com/arc20030501.htm#BlogID39 by Dave Piscitello  

The immediate conclusion folks make about a utility that allows you to change the MAC address of an Ethernet NIC is that you'd only do so to spoof a MAC address, and of course, who but an attacker would do this?

Well, there are many valid testing, auditing, and even production scenarios where you might want to change the MAC address:

• You are building high availability or cold standby "clone" systems and you want them to have the exact MAC addresses
• Your old Ethernet NIC fries (in my house, my daughter rolls a chair over a USB Ethernet dongle) and your WLAN access point or Ethernet switch or maybe even your cable modem provider filters MAC addresses; yes, you could go through the administrative change process, but it's Friday night (look at this weblog entry - it's not that rare).
• When you are doing a security audit (pen-test) it's often useful to have your test machine run with alter-and multiple identities

Archived at http://www.securityskeptic.com/arc20030401.htm#BlogID24 by Dave Piscitello  

Why is it that folks who write software, particularly operating systems, can't invest some time providing meaningful error messages? It's bad enough when you get some cryptic broken-English sentence fragment that is incomprehensible blather, but those event and error messages that give you some arbitrary integer "40966" with little else are really irritating.

At the very least, operating systems like Windows should come with an list of the error message numbers and their definition.

Archived at http://www.securityskeptic.com/arc20030401.htm#BlogID22 by Dave Piscitello  

I recommend the Ethereal LAN analyzer when I teach and speak about security and VPNs. For the price (free) it's about as comprehensive as you could ask, as good as many products that cost $1000+, and supported about as well.