locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Tue, 17 Apr 2007 00:00:00 00, 608
Free Security Applications

Rich McIver forwarded a link to IT Security's 103 Free Security Applications, a nice collection of security freeware for Windows, Linux and OS X. The list is conveniently organized by security service - antivirus, antispyware, firewall, network assessment, etc. - and contains many of the applications I've recommended here and on my resources pages.

I found eight or so software applications I'm likely to download and try. I'm always willing to consider ways to improve my security baseline.

You feel confident you have all the security software you need? You're probably overconfident. Visit the hyperlink.

Archived at http://www.securityskeptic.com/arc20070401.htm#BlogID608 by Dave Piscitello  

Tue, 27 Feb 2007 00:00:00 00, 593
Dave's Weblog has a new domain name!

Today I registered a domain name for my security web log: www.securityskeptic.com.

Why did I choose skeptic? The Oxford dictionary defines a skeptic (sceptic) as "a person inclined to question or doubt accepted opinions". The etymology of skeptic is either Latin (scepticus) or Greek (skeptikos). Skeptikos means thoughtful, a derivative of skeptesthai (to look, consider). If a skeptic is "one who instinctively or habitually doubts, questions, or disagrees with assertions or generally accepted conclusions" then I am decidedly an Internet security skeptic.

I've sometimes described myself and others who rant about the sad and deplorable state of Internet security as "curmudgeons". Friends and colleagues tell me this is not quite an accurate description of my dominant attitude when discussing security. I'm glad I'm not perceived as being crusty, irascible, ill-tempered, cantankerous and *old*.

So I will soon be publishing my weblog from www.securityskeptic.com.

Archived at http://www.securityskeptic.com/arc20070201.htm#BlogID593 by Dave Piscitello  

Sun, 21 Jan 2007 00:00:00 00, 586
New Blog Category

I am very fortunate to count a large number of network and security experts and practitioners as friends and colleagues. Since we share interests, we exchange mail regularly. We also frequent the same mail lists, and I often find myself thinking, "gee, everyone should read this!" So I've created a new category at my security blog: Guest Experts. Hereafter, when I find something I feel is worth sharing in a more convenient manner than a mail list archive, I will (with attribution) create a blog entry on behalf of the author.

Tina Bird has graciously agreed to be the pilot contributor. I hope to provide you with many more.

Archived at http://www.securityskeptic.com/arc20070101.htm#BlogID586 by Dave Piscitello  

Tue, 20 Dec 2005 00:00:00 00, 483
Interesting read - Unplanned work

Gene Kim wrote a nice piece about unplanned work and its adverse effect on productivity. Unplanned work is a euphemism for "the daily dose of IT reality". It includes restoring service following a failure, responding to security incidents and configuration errors, and (my favorite) providing assistance "outside the help desk", also known as the drive-by acts of kindness that tech-savvy staff invariably offer fellow employees (especially the attractive ones).

As the name suggests, unplanned work cannot be associated with authorized projects, procedures or change requests, and it diverts staff attention away from planned activities. Gene and colleague Kevin Behr believe that unplanned work is "a remarkably accurate indicator and predictor of IT effectiveness".

Find the full article in the online version of this Tripwire Newsletter.

Archived at http://www.securityskeptic.com/arc20051201.htm#BlogID483 by Dave Piscitello  

Mon, 10 Oct 2005 00:00:00 00, 465
Network Security Auditor Freeware

The folks at NSASoft, LLC offer a number of auditing tools from their Network Security Audit Software package as individual freeware applications. Several of these are useful tools for exploring your PC and browser for signs of spyware:

  • Registry Auditor scans the Windows Registry and identifies entries that it suspects are adware, malware or spyware. For each suspicious registry entry, Regauditor identifies the Registry Path and value, the location of the file referenced by the entry, and (most importantly), a URL where you can read about the offending item.

  • BHO Scanner enumerates browser helper objects installed on your PC, and again distinguishes useful BHOs from parasites and trojans. One feature that I find unique to this application is the ability to scan remote PCs for which you have remote registry access rights and administrator privileges.

  • IE Cache Explorer displays cookies, history and temporary Internet files and allows you to delete them. True, there's nothing earth shattering about this utility, but the detailed analysis of cookie information (URL, hit rate, use count, etc.) can be helpful in identifying ad cookies, and you can use the URL to customize your blocked sites list in IE or at your firewall or content filtering proxy.

Many other network auditing utilities - finger, dns and whois clients, port and network scanners, traffic generators - are also available. The for-purchase NSAuditor incorporates all these utilities into a convenient single UI with more advanced features. Kudos to these folks for offering truly free and useful utilities to complement a useful and nicely priced commercial product.

Archived at http://www.securityskeptic.com/arc20051001.htm#BlogID465 by Dave Piscitello  

Wed, 29 Jun 2005 00:00:00 00, 422
Add your mobile numbers to the DoNotCall registry

My colleague and ICANN co-worker, Steve Conte, recently called my attention to the fact that I'd neglected to add my mobile phones to the national Do Not Call Registry. Steve pointed out that telemarketing calls to mobile phones are increasing, in all likelihood because many folks overlook this number when registering at https://www.DoNotCall.gov. Steve also points out that telemarketing calls to mobile phones aren't just annoying, but potentially costly. Depending on your service plan, you may be charged for the call. This can be especially expensive if you are roaming internationally.

I imagine the next numbers I'll be registering at DoNotCall.gov are SIP numbers.

Archived at http://www.securityskeptic.com/arc20050601.htm#BlogID422 by Dave Piscitello  

Wed, 22 Jun 2005 00:00:00 00, 420
Searchable version of federal regs online

AskSam.com has posted a free browse-and-search version of the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA). Downloadable versions are available as well, in viewer and database formats. If you are involved in any HIPAA-related projects, http://www.asksam.com/ebooks/HIPAA/ is a handy link to add to your favorites.

Several other federal regs are available as well:

Archived at http://www.securityskeptic.com/arc20050601.htm#BlogID420 by Dave Piscitello  

Tue, 14 Jun 2005 00:00:00 00, 416
Outbound email threats

Proofpoint and Forrester Research recently polled 300+ US-based enterprises of 1000 or more employees, to gauge the extent that outgoing email is viewed as a security risk by companies of this size. Some of the interesting statistics I gathered from this survey include:

  • Over a third of the companies employ staff to analyze outbound email;

  • On average, these companies estimate that one quarter of all outgoing email contains material that poses a legal, financial, or regulatory risk;

  • Confidential business information surpasses offensive content as the most common form of inappropriately transmitted content;

  • More than half of the companies surveyed disciplined employees for email abuse in the past 12 months, and one quarter of companies terminated an employee for email policy violations.

In addition to survey results, this report offers an interesting consideration of email security policies. If your organization doesn't have such policies, you can learn quite a bit about "The email Policy Environment in Today's Enterprise".

I'm usually unimpressed with vendor reports. This one is worth a look. It's available at http://www.proofpoint.com/outbound/

Archived at http://www.securityskeptic.com/arc20050601.htm#BlogID416 by Dave Piscitello  

Sat, 08 Jan 2005 00:00:00 00, 348
Useful tutorial on HTML Style

There's always something to learn about HTML, and I learn best when I can see an example. The HTML Code Tutorial site is chock full of examples and is clearly written to be easily searched using an engine like Google. Kudos to the operators...

Archived at http://www.securityskeptic.com/arc20050101.htm#BlogID348 by Dave Piscitello  

Fri, 06 Aug 2004 00:00:00 00, 291
Oracle Security resource

Pete Finnigan has composed an impressive list of papers on attacking and securing Oracle databases and servers at PeteFinnigan.com Limited. I know Pete by reputation and published one of his papers while I was editor of TISC Insight. In addition to the many fine papers he's authored, Pete has compiled a nice set of intro-to-expert papers on many aspects of Oracle security. This site's worth bookmarking if you are running an Oracle database.

Archived at http://www.securityskeptic.com/arc20040801.htm#BlogID291 by Dave Piscitello  

Sun, 13 Jun 2004 00:00:00 00, 267
Kinati 2PDF Converter Website

There are times when authors who wish to make original works available online want to protect the integrity of the work and also mark the work with some permanent form of attribution. I began paying more attention to work integrity when I discovered copies of Powerpoint presentations I'd given at conferences at multiple web sites. In one case, a rogue publisher had converted my presentation to HTML, but substituted his name and organization in place of mine, and had actually given the presentation without my knowledge or consent. Other times, I receive requests from attendees for the original Powerpoint. I ask the purpose, and I'm often told that the requester wants to incorporate my material into a presentation he will give to his organization or clients. I ask if any attribution will be applied to my work, but what assurance do I really have that the requester will honor the claim?

I haven't found a perfect and inexpensive way to do this, but am experimenting with watermarked Adobe Acrobat files. One inexpensive way to create these is to use the Kinati 2PDF Converter Website. Kinati provides the ability to distill Powerpoint (and other) files to PDF with a watermark, password, and with Adobe's print, user copy, and change protection. Simply submit the filename, choose the distilling "features", and Kinati will send a hyperlink where you retrieve the converted document via email. Kinati's privacy policy indicates they do not resell your email address.

Kinati affords me some flexibility in how I satisfy requests for documents. They are not the only site offering this service, but they are quick, the quality is good, and they appear to be responsible.

Archived at http://www.securityskeptic.com/arc20040601.htm#BlogID267 by Dave Piscitello  

Thu, 27 May 2004 00:00:00 00, 257
Validating Web Links

Site Valet offers a web site monitoring service with automated reporting and online tools. One of the free tools, Link Valet, spiders your site and checks the validity of the hyperlinks in web pages. Other free tools include Validator, which syntax checks your HTML, and cg-eye, which helps you diagnose script problems. While I still favor TIDY for HTML code checking, Link Valet is convenient and simple. I won't embarrass myself by telling you how many broken and deprecated links I found...

Archived at http://www.securityskeptic.com/arc20040501.htm#BlogID257 by Dave Piscitello  

Fri, 30 Apr 2004 00:00:00 00, 242
Security Axioms

Every so often, I'm reminded of the excellent list of security axioms Fred Avolio hosts at his web site. This time, Fred reminded me ;-)

Myths, perceptions, and mythperceptions (Baba Wawa's in the building!) abound in security. Fred's gathered them all; visit this link.

Archived at http://www.securityskeptic.com/arc20040401.htm#BlogID242 by Dave Piscitello  

Fri, 09 Jan 2004 00:00:00 00, 190
How to prolong lithium battery lifetime

I've found a definitive source for advice on prolonging battery lifetime, at the Battery University.

Briefly, Lithium-ion batteries provide 300-500 discharge-and-charge cycles. Partial discharges work best, and the batteries are memory-free. The referenced URL goes into considerable detail, and provides a table comparing capacity loss and retention when you recharge at the recommended 40% level versus the typical 100%.

Battery University also recommends against buying Lithium-ion batteries and storing them; apparently, shelf time and operating time are both factored into the anticipated 2-3 year life span of laptop batteries.

Archived at http://www.securityskeptic.com/arc20040101.htm#BlogID190 by Dave Piscitello  

Wed, 17 Dec 2003 00:00:00 00, 182
Measuring Network Performance

Mike Penacchi posted a good column about measuring (LAN) performance using a freely available tool, Iperf, at Comdex Loop.

Iperf is available from NLANR/DAST.

Happy reading... and measuring!

Archived at http://www.securityskeptic.com/arc20031201.htm#BlogID182 by Dave Piscitello  

File Transfer Utility for Windows Terminal Server Users

I use Windows Terminal Services to manage my web servers. Yes, the service is blocked from the outside, the server is hardened, and I have ACLs to minimize unauthorized connections (I find it increasingly difficult to say *mitigate* these days). My blog software automatically updates blog pages and archives, but posting articles and shuttling images to the server from my desktop was a cumbersome FTP process, made even more so because I still use lame old FTP from the DOS command line.

I found this clever little utility at AnalogX called TSDropCopy. You install TSDropCopy on both your server and client, enter some rudimentary configurations, and you're ready to drag and drop files between your client to your server. You can even create path mappings across the two machines.

TSDropCopy is one of a handful of very useful AnalogX applications I've found nearly indispensable, ranging from web log analyzers to script and cookie blockers.

The software is free. The Windows clients have simple, uncluttered interfaces. It's all surprisingly small (no bloatware here). AnalogX are the kind of folks who give me hope that some people still engage in hacking as it was intended.


Archived at http://www.securityskeptic.com/arc20031201.htm#BlogID181 by Dave Piscitello  

Tue, 16 Dec 2003 00:00:00 00, 180
Comdex Loop

I've been spending more blog time writing for Comdex Loop than here. It promises to be an interesting site. Some of what I've written for Loop I've mirrored here, but you should visit Loop just in case I've overlooked something.

Archived at http://www.securityskeptic.com/arc20031201.htm#BlogID180 by Dave Piscitello  

Tue, 02 Dec 2003 00:00:00 00, 173
Homeplug Evaluation: Useful info for Powerline Ethernet Deployment

My Powerline Ethernet article attracted several comments, and inspired me to Google a bit. A Broadband Home Labs evaluation of Homeplug draws an interesting set of conclusions regarding HomePlug deployment. The most intriguing, and in my opinion the most helpful for troubleshooting, were the conclusions in the section "What Makes Outlets Good or Bad?" Visit the link to learn about finding a "good" outlet for your Master adapter.

Archived at http://www.securityskeptic.com/arc20031201.htm#BlogID173 by Dave Piscitello  

Tue, 11 Nov 2003 00:00:00 00, 158
Special Characters in HTML

I have trouble remembering how to format special characters in HTML. The free webmaster resources at WebAnalysis include a page of HTML special characters (Unicode).

Archived at http://www.securityskeptic.com/arc20031101.htm#BlogID158 by Dave Piscitello  

Sat, 27 Sep 2003 00:00:00 00, 133
Seven Tenets of Good Security: Timely then, remains so now...

My colleague Fred Avolio posted a web version of a paper he and Marcus Ranum wrote in 1993, entitled Seven Tenets of Good Security. It's sound advice, and still largely overlooked. Read it!

Archived at http://www.securityskeptic.com/arc20030901.htm#BlogID133 by Dave Piscitello  

Wed, 17 Sep 2003 00:00:00 00, 127
New Security Resources Library

I am now the webmaster for the South Carolina Chapter of the ISSA.

I have posted a new library of online security related resources on behalf of the South Carolina Chapter of the ISSA. You may recognize this list: it is the child of the TISC Security Links pages.

The library identifies more than 500 hyperlinks to security articles, portals, advisory centers, and more. I've visited and read nearly all these resources and can attest to their quality.

Reach the library page from the ISSA SC web site, or directly from here.

Archived at http://www.securityskeptic.com/arc20030901.htm#BlogID127 by Dave Piscitello  

Fri, 12 Sep 2003 00:00:00 00, 121
Online Security Books

You can download David Wheeler's Secure Programming for Linux and Unix HOWTO without fee. This book provides a set of design and implementation guidelines for writing secure programs for Linux and Unix systems. Such programs include application programs used as viewers of remote data, web applications (including CGI scripts), network servers, and setuid/setgid programs. This document includes specific guidance for a number of languages, including C, C++, Java, Perl, Python, and Ada95.

Another free ebook available for download is Jason Coombs' IIS Security and Programming Countermeasures. Jason published/pushed his announcement with the following sentiment:

"It is my hope that those administrators and programmers who are presently at-risk due to the use of IIS will learn something valuable from this manuscript."

Well done.

Archived at http://www.securityskeptic.com/arc20030901.htm#BlogID121 by Dave Piscitello  

Wed, 10 Sep 2003 00:00:00 00, 119
2003 CSI/FBI Computer Crime and Security Survey

The 2003 Computer Crime and Security Survey is now available. Visit CSI to register and download the .pdf.

The hyperlink to the 2002 report is 404'ed and CSI didn't have the web-sense to forward link the reference to the new report.

Archived at http://www.securityskeptic.com/arc20030901.htm#BlogID119 by Dave Piscitello  

Tue, 26 Aug 2003 00:00:00 00, 111
NIPC Cybernotes

The National Infrastructure Protection Center (NIPC) hosts a very useful publication: CYBERNOTES. Published twice monthly, this publication provides a running summary of bugs, holes, and patches; viruses, worms and trojans. While the publication doesn't give exhaustive detail about every bug, worm, etc., the summaries are useful, and hyperlinks to details are present in the PDFs.

Archived at http://www.securityskeptic.com/arc20030801.htm#BlogID111 by Dave Piscitello  

Mon, 11 Aug 2003 00:00:00 00, 97
Vulnerability Reporting

What's the most appropriate course of action when one discovers a software flaw that makes an operating system, client or server application vulnerable to an attack?

The answer to this question is the heart of the Disclosure Debate that continues within the security community. One constituency believes that full and immediate public disclosure of the flaw is necessary: I call this the *stick* approach (as in carrot or stick) because, in theory, it embarrasses the software company into a response. The problem with this approach is that it often broadcasts an exploitable flaw that may be present in hundreds if not thousands of production hosts before a patch or recommended way to circumvent the problem is prescribed. These systems become targets of a broader base of attackers than they might otherwise attract.

A second constituency believes that the flaw should be disclosed to software vendors first, who ought to be afforded some opportunity to provide a patch or recommended workaround. If the vendor is unresponsive after 30 days, for example, information about the flaw may be released to the public. This is the *carrot* approach.

Whether you believe in the stick or the carrot, you should take time to review and comment on the Draft Security Vulnerability Reporting and Response Process by Organization for Internet Safety (OIS).

How vulnerabilities are reported affects all netizens.

Archived at http://www.securityskeptic.com/arc20030801.htm#BlogID97 by Dave Piscitello  

Tue, 08 Jul 2003 00:00:00 00, 80
Client Side Security - W3C's perspective still valuable

The FAQ on client side security maintained by the World Wide Web Consortium is a pretty good place to go if you are trying to understand the fuss SSL VPN vendors make about maintaining security policy for users who access extranets and intranets from non-work computers at such locations as Internet cafes and airport kiosks.

Archived at http://www.securityskeptic.com/arc20030701.htm#BlogID80 by Dave Piscitello  

Sat, 28 Jun 2003 00:00:00 00, 75
National Do Not Call Registry

Finally, a service from the FTC to reduce unsolicited telephone calls!

Visit The National Do Not Call Registry, register your phone number(s), visit the hyperlink the FTC emails you, and most telemarketers must abide by Federal Trade Commission "Do Not Call" provisions of the Telemarketing Sales Act, and cease calling anyone who has registered phone numbers with the FTC.

Some of the teeth of this legislation are missing. Organizations with - you bet, considerable lobby influence - can still call you. So who might these be? Long distance phone companies, airlines, banks and credit unions, insurance businesses, political organizations, and telephone surveyors.

Archived at http://www.securityskeptic.com/arc20030601.htm#BlogID75 by Dave Piscitello  

Tue, 10 Jun 2003 00:00:00 00, 70
Security Vulnerability Reporting and Response Guide - DISCLOSURE Guidelines at last?

The Security Vulnerability Reporting and Response Guide is available for free download via the OIS.

This is a draft report prepared by the Organization for Internet Safety. OIS is a consortium of security companies (@stake, BindView Corp., The SCO Group, Foundstone, Guardent, Internet Security Systems, Inc., Microsoft Corp., Network Associates, Oracle Corporation, SGI and Symantec). They hope to help organizations improve security through the adoption of a formal process for reporting (disclosing) vulnerabilities to vendors and garnering timely vendor response.

The report is out for public comment, so download and RTFR!

Archived at http://www.securityskeptic.com/arc20030601.htm#BlogID70 by Dave Piscitello  

Thu, 08 May 2003 00:00:00 00, 39
Top 75 Security Tools

Fyodor, author of the nmap scanning and OS fingerprinting utility, compiled a list of the most popular and well-regarded penetration test and security auditing tools. You can find it at Insecure.Org.

Each tool is conveniently categorized by the operating systems on which it runs, and whether it is free or costs money.

Archived at http://www.securityskeptic.com/arc20030501.htm#BlogID39 by Dave Piscitello  

Sat, 26 Apr 2003 00:00:00 00, 24
Utility for Spoofing...um, changing MAC addresses - Try SMAC

The immediate conclusion folks make about a utility that allows you to change the MAC address of an Ethernet NIC is that you'd only do so to spoof a MAC address, and of course, who but an attacker would do this?

Well, there are many valid testing, auditing, and even production scenarios where you might want to change the MAC address:

  • You are building high availability or cold standby "clone" systems and you want them to have exactly the same MAC addresses
  • Your old Ethernet NIC fries (in my house, my daughter rolls a chair over a USB Ethernet dongle) and your WLAN access point or Ethernet switch or maybe even your cable modem provider filters MAC addresses; yes, you could go through the administrative change process, but it's Friday night (look at this weblog entry - it's not that rare).
  • When you are doing a security audit (pen-test) it's often useful to have your test machine run with alternate and multiple identities

SMAC changes the software encoded MAC address on most any operating system.

Use it wisely and appropriately.

Archived at http://www.securityskeptic.com/arc20030401.htm#BlogID24 by Dave Piscitello  

Deciphering Windows 2000 Error and Event Messages

Why is it that folks who write software, particularly operating systems, can't invest some time providing meaningful error messages? It's bad enough when you get some cryptic broken-English sentence fragment that is incomprehensible blather, but those event and error messages that give you some arbitrary integer "40966" with little else are really irritating.

At the very least, operating systems like Windows should come with a list of the error message numbers and their definitions.

This resource offers only marginally more information about what caused an event in Windows 2000, but you may still find the URL helpful; just don't expect it to be comprehensive.

Archived at http://www.securityskeptic.com/arc20030401.htm#BlogID22 by Dave Piscitello  

Fri, 25 Apr 2003 00:00:00 00, 21
Ethereal 0.9.11 is available

I recommend the Ethereal LAN analyzer when I teach and speak about security and VPNs. For the price (free) it's about as comprehensive as you could ask, as good as many products that cost $1000+, and supported about as well.

Ethereal release 0.9.11 includes many enhancements to the interface, and remedies two vulnerabilities in earlier versions.

Archived at http://www.securityskeptic.com/arc20030401.htm#BlogID21 by Dave Piscitello  

Security Guides for Microsoft Windows Server 2003 and Windows XP

Windows Server 2003 Security Guide includes steps to harden Domain Controllers, Infrastructure servers, File servers, Print servers, IIS servers, IAS servers.

Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP contains detailed information about relevant security settings that can be configured on Microsoft Windows Server 2003 and Windows XP.

Archived at http://www.securityskeptic.com/arc20030401.htm#BlogID20 by Dave Piscitello  

Tue, 01 Apr 2003 00:00:00 00, 15
CSI/FBI Computer Crime and Security Survey URL

I have been asked for the URL for this report many times.

Try http://www.gocsi.com/pdfs/fbi/FBI2002.pdf

Archived at http://www.securityskeptic.com/arc20030401.htm#BlogID15 by Dave Piscitello  

Tue, 31 Dec 2002 00:00:00 00, 6
Summary of 2002 Publications and Presentations

November 2002:

Security Out of Thin Air: Layered Security Practices for Incorporating Wireless LANs into Intranets,
a WatchGuard Technologies White Paper

Introducing Quality of Service,
a Watchguard Live Security Editorial

October 2002:

Affordable Web Server Scanning, a WatchGuard LiveSecurity Editorial

The Sad and Increasingly Deplorable State of Internet Security, a Next Generation Networks presentation

Security and Peer-to-Peer Applications, BCR Magazine

September 2002:

When Perimeters Dissolve, a Networld+Interop presentation

August 2002:

How to Use Certificates with MUVPN, a Watchguard Live Security Editorial

How and When to use 1:1 NAT, a Watchguard Live Security Editorial

July 2002:

WLAN Security - Nipping the Problem in the Bud, a WSTA Ticker Article

Anatomy of a Cross-Site Scripting Attack, a Watchguard Live Security Editorial

June 2002:

Isolate your Wireless Network on External, a Watchguard Live Security Editorial

May 2002:

Intrusion Detection...or Prevention?, a BCR article
(The print version of this article is missing the final paragraphs).

March 2002:

Understanding Certificates and PKI, a Watchguard Live Security Editorial

February 2002:

Intrusion Detection and DDOS Prevention, Interop This Week

Routing and Your Firewall (Part 2), a Watchguard Live Security Editorial

January 2002:

Routing and Your Firewall (Part 1), a Watchguard Live Security Editorial

Archived at http://www.securityskeptic.com/arc20021201.htm#BlogID6 by Dave Piscitello