Security's Everyman

Thursday, September 28, 2006

Play Day

Today I had a lot of "maintenance" things to do, so while they are running in the background I'm taking time to "play" and catch up on reading. I've decided to play with a few of the portable web browsers and Sandboxie to see how I like them and if I think they would be worth using and recommending to some of my friends and consulting clients. Here is what I played with today: Firefox Portable, Torpark, Opera (it's not portable, but I haven't used it before) and Sandboxie.

I'll start with Firefox Portable because it was the one I liked the best. It was easy to install and I was able to import my favorites and other settings with no problem. Even after shutting it down and restarting it all was well. No settings seemed to be lost. Now this may not be the best for pure privacy, but I can tweak it, plus it does keep most of my browsing data off the hard drive.

I'm not overly crazy about Torpark. It works OK if you disconnect from the Tor network, but that kinda defeats the purpose. From the hard drive it ran OK, but even that took a couple of days. At first it rarely connected to a web site and then it was like using a 14.4 modem. I had to try it on 2 USB keys before it would ever connect and it was way too slow. I would have to be fearful of my life and ID to use it when there are other options.

I heard about Sandboxie not long ago and decided to try it out. It seems to do a pretty good job of keeping stuff off your system. I ran Firefox, Thunderbird, and Yahoo IM in it and none of them seemed to mind at all. I did have trouble trying to do things like email an article from a web page and copy and paste. It took me a few minutes to figure out what was going on, then I remembered Sandboxie. Those are slight inconveniences that I could live with.

I also decided to give Opera a try. I've heard lots of good things about it and was not disappointed. I haven't decided to give up Firefox for it, but I will keep playing around with it. There are two things that I would like to see. If any of you know if this is available I'd love to know. I would like to be able to open multiple tabs at startup like Firefox, and I would like to be able to have a "no scripts" type of plugin for it.

Tuesday, September 26, 2006

My Mama told me......

I don't always listen to good advice. Especially when it comes to dealing with people or vendors who prove time and again that they are less than trustworthy. That being said, I will give credit where credit is due. Microsoft has released a patch for the VML vulnerability. They did it early and out of cycle. So here is a big THANK YOU to Microsoft for getting on this quickly. If I'm gonna bust their chops when they are bad I'll pat them on the back when they are good.

IE Patch

The big talk lately is the IE VML vulnerability that has many shaking in their boots, and rightfully so. IE has huge market share at work and home. What is also worrisome is that porn and gambling sites also have huge market share at work and home. These are the places where lots of malware lives. Unfortunately, it seems that even "trusted sites" are becoming infected at pretty alarming rates. You never know where you will get hit.

Microsoft is dragging its feet on releasing a patch. They give "workarounds" that most people won't apply because they either don't know about them, don't think they are vulnerable, or are too afraid that they will mess up their computer. My favorite is when Microsoft says that users just need to avoid going to sites that are likely to have the malware on them. Like those who do this are going to wait a month before getting their internet porn fix just so MS can get a patch out.

Now there are at least 2 third-party patches out. ZERT and eEye have both released a patch that will fix this. I applaud them for being willing to step up and fill in the gap that Microsoft has left, but I have severe reservations about using either of these myself. For one, I don't know how the patch will affect my system, and if it breaks it will MS support me? What about my apps? How will this patch affect my applications? Especially those that rely on IE functionality. Who will support me if one of these breaks because of the patch? If it was just my personal system at stake I would be a little more willing to try something like this, but when it comes to corporate resources I can't take chances such as this. Now comes the dilemma. What about the chance that we take that someone (or many) will visit a site that has been compromised? I know that I have users who visit porn sites at work and at home with company laptops. How do I know if they have been hit? How do I convince management that this, or something like it, is serious and likely to happen? Small company politics and a history of very few problems have made them complacent. I have one user who I'm highly suspicious has been hit. Maybe not by the VML issue, but something. His IE history is full of porn sites and he is having some "odd" issues. I can't do anything about it (except waste time trying to fix it) because it's his personal laptop and he has been given permission to use it for work. (Luckily in recent days I have been able to get a new policy in place for new personal laptops that gives me some teeth to growl with. Unfortunately this doesn't apply to previous personal laptops.)

All that said, I have my own patch and workaround for the VML vulnerability. I don't use IE unless I absolutely have to. I'm a Firefox fan and only use IE when the site requires it. Even then I lock it down tight.

Friday, September 22, 2006

Who really should be responsible?

Bruce Schneier and many others are advocating making software vendors liable for buggy code if it can be proven to be the cause of a security breach. The argument is that when it hits them in the pocketbook they will start being proactive about security and not reactive. This was espoused by Bruce at Hack in the Box this week. Here is a ComputerWorld article that gives the condensed version. He states that we are losing the security war and that technology alone can't win it.

As would be expected I agree with his basic assessment. We are losing and no matter how much technology we throw at the problem we don't seem to be getting ahead. Not to mention that there is the human aspect to the problem. Management that doesn't really see the need to spend more on security, users who don't use basic common sense, mobile/remote users, poorly configured equipment (whether out of the box or by the sys admin). I'll stop here but we all know that I could go on and on. It's going to take more than education and technology to win this war. Bruce says that it will take economic incentives. I think that holding vendors responsible is a great idea, but I see flaws in it also. The legal system is one big flaw that stands out. If we are going to hold vendors responsible economically then we will have to prove beyond a shadow of a doubt that their poor coding and that alone was the reason for the breach. IT departments will have to prove that everything else was configured perfectly or the vendor will use that as part of their defense. "If exhibit A was improperly configured then how do we know that the breach wasn't made because of this."

It's going to take holding both vendors and companies responsible and being aggressive in pursuing and prosecuting the bad guys. If this happens then the vendors will be forced to code safely and the companies will be forced to provide training, funding and the best possible IT staff. It would even weed out a lot of low-hanging fruit on the IT tree.

Thursday, September 21, 2006

Apple Eating Crow?

Finally, David Maynor and Johnny Cache get some satisfaction. Apple has finally admitted that there is a problem with their wireless driver. Unfortunately they still refuse to admit that this is related to the presentation at Black Hat last month. How does Apple expect us to believe that they just happened to find flaws, on their own, shortly after Black Hat? Their integrity and credibility seem to be getting worse and worse. I had considered getting a Mac after I played with one running Parallels and Windows, but then I read about Chris Hurley's experience, and now seeing how they have handled this has changed my mind.

I'm glad that David and Johnny have been vindicated. If not directly by Apple then by their actions anyway. It's just a shame that so many people jumped on Apple's bandwagon and tried to drag their names through the mud. Those of us who are security pros know that they had too much to lose to make up stories just for the shock factor. I don't think anyone who really matters ever doubted them anyway.

Blogging Risks asks the question "Does blogging pose enterprise information security risks?"
I think we all know the answer is a resounding YES! As long as blogs are available to any and everyone (which they should be) then there will be someone who opens the door to the hen house either by mistake or on purpose. People know things that they shouldn't know and can't wait to tell others. Sometimes they don't realize that they are doing harm to their company, sometimes they do. I know myself that there have been times that I have written something and not posted it because after careful consideration I realized that it really wasn't anyone's business outside of my company. Not to mention the old CYA kicks in and I realize that it could get me in trouble or cause undue heartache for my company. They have entrusted me with the "keys to the kingdom" and I don't want to break that trust. I only wish that everyone else had that same frame of mind.

Wednesday, September 20, 2006

New IE Flaw

It looks like the hype has started on the new IE VML flaw. Many are predicting doom and despair for IE users. I hope they are wrong, but I'm glad that they are out there. Why? Because the louder they scream the more attention they will bring to this. Hopefully that will mean that more people will be careful with their web browsing habits. There needs to be more done though. Microsoft needs to take action long before the Oct. 10th Patch Tuesday. It is inexcusable for them to delay on patching issues that have the potential to cause so much trouble. It may be porn sites now, but soon it could be other sites, like the issue with Samsung not too long ago. There are too many web servers out there that are poorly maintained and protected for this not to be taken seriously.

My suggestion is that everyone either write, call, or email Microsoft and insist that they fix flaws that are of this magnitude immediately instead of waiting until the next patch cycle. We should also inform them that we have downloaded and installed Firefox and will continue to use it as our web browser until they start responding (of course by then you will like Firefox much better and keep using it).

The more dependent we become on the web to do business and life the more critical it is for ALL software vendors to be VERY responsive to vulnerabilities. It may be a matter of national security one day.

Sorry, Wrong Number

This is really encouraging and makes me feel so good about my privacy. Rich Mogull, of, posted an open letter to a healthcare company that keeps faxing him various medical records. They ranged from insurance records to test results. Again, another example of people just going about their daily job not paying attention (or caring) if they are doing it to the best of their ability or not. I'm sure (at least I hope) that Rich contacted them after the first time or two that this happened and let them know that they had a wrong number. Yet, if he did, they apparently continue to fax someone's PRIVATE medical records to anyone who has a fax. I'm sure that HIPAA (thanks Dr. Chuvakin) would not be very happy to hear this.

This also reminds me about an incident that happened at a former employer of mine. An upper management person was going through a nasty divorce and was having an email war with the soon-to-be ex-spouse and decided that they needed to print the emails for safe keeping. They ended up on the printer of a tech in an office over 100 miles away. OOPS!

OS/2, you could have been so much!

I was listening to PaulDotCom Security Weekly this morning (I've been out of town and am playing catch-up) and they were talking about the Apple QuickTime patch that was just released. One point they made was that the vulnerability was disclosed to Apple on May 6th of this year and wasn't patched until Sept 12. 4 months to patch a security hole while working on a new release of iTunes that is full of eye candy and fluff. I liked the older versions better myself. They also commented about how it was all about marketing and money and that is why they work hard on fluff and let other stuff slide. As I mentioned in my "about me" section, I started in the world of OS/2 when OS/2 was already dead for the most part. As I worked w/ it and also on Win 95 machines I always wondered why OS/2 died and Windows took over the market, and it occurred to me that it wasn't due to Windows being a better OS; it was all marketing. Bill Gates may be a software genius, but he is also a marketing master (or at least knew enough to get them on his team). IBM, on the other hand, failed miserably at marketing a much superior OS and thus we are stuck in a world of Windows.

Tuesday, September 19, 2006

Insecure Security

I was reading an article on about PCI issues. One of the things it brought up was that credit card readers store the data from your magnetic stripe by default. So if someone can either compromise the reader or just take it they can get your card number, PIN, address and whatever else is stored on the mag stripe.

This is where security is lacking. Companies putting simple default passwords (or no password) on devices, shipping default settings that compromise security or make an otherwise secure device insecure, and not implementing plain common sense is just outrageous! We talk about educating the user, implementing security in depth, using the proper countermeasures, etc... but the crux of the problem is vendors that will not do simple things like make their products secure (or at least partially secure) out of the box.

Would it be so hard for them to require the password to be changed on a device before it will operate? Would it be so hard to set the device NOT to keep sensitive data by default? Would it be so hard to include a tutorial for home users on how to secure the device?

This is just common sense, and we as security professionals are fighting one of our biggest fights against the vendors that are supposed to support us. We are never going to convince "Joe Home User" to secure his wireless, change the password, change the SSID, turn off unneeded services, block unnecessary ports, not put his PC on the web without a firewall and NAT router, run updates regularly, install and keep current AV software, etc, etc, etc. There are just too many things that can go wrong and the average person is scared that they will mess up something if they do anything but plug it in and push Next. This is true for setting up wireless, Internet access, Windows, as well as the small business owner that sets up his own network or credit card scanners.

There needs to be a LOUD outcry from the security profession and all of IT to the vendors. MAKE IT SECURE BEFORE YOU SHIP IT!!!!!!!!!!!!!!!

Friday, September 15, 2006

Clever Bad Guys

It took a little longer than I thought it would, but it seems that the bad guys have finally figured out the best way to take advantage of vulnerabilities in Microsoft's software. Wait until after Patch Tuesday and then release your code. I have to admit having a specific day when patches come out is convenient as an admin. Although I would rather have to patch my systems more than once a month than have to go a whole month with a vulnerable system. I wonder if MS will patch this problem as quickly as they did the WMF flaw?

Please Excuse the Mess

For those of you who check my blog via a web browser: I just made some changes to my template on Blogspot and it messed up some things. It may be a while until I get time to fix them.

Thursday, September 14, 2006

This makes sense

Mozilla's new Security Chief has announced that she would like to evaluate the code in Firefox and remove features that are no longer or rarely used. Imagine someone seeking to reduce the size and complexity of code. If more companies did this, we security professionals might be out of a job before it gets outsourced.

Excellent Interview

PaulDotCom's Paul and Larry did an interview with Chris Hurley on wireless issues. This was one of the most interesting and informative interviews that I've heard in a while. I highly recommend listening to it.

FUD vs. Truth

One of the things that I've noticed as I find new blogs to read is that there are a lot of good-natured disagreements between bloggers. One will make a comment on a topic and the other will blast him (but then it's almost as if you can see them going out to get a cup of coffee together later). Alan Shimel currently has a debate going with most everyone else, but here he is in the ring with Mike Rothman regarding FUD and vendor honesty.

Here is my two cents' worth. Most vendors that I've talked with, especially if they are with a large company, will try to sell you using FUD until they find out that you didn't just fall off the turnip truck. Then many of them will continue this route because they don't know their own product well enough to debate its merits with you. They know enough about technology to be dangerous and enough about sales and marketing to be stupid. And as long as they can find the people who will listen to their FUD and then buy based on that, they will continue down the same path. I read a quote once that went something like this: "As long as there is someone who will buy a cheaper product there will be someone to make it." The same could be said for sales. As long as people buy based on fear, the sales people will pitch their product based on fear.

As security professionals, no matter what level you are on in the company, we must continue to fight to be involved in the vendor and product selection process. I've been handed a product too many times that was purchased without IT input and told to make it work. As long as this happens then we are at the mercy of the vendor.

Wednesday, September 13, 2006

IBM Tape Drive

IBM has released a new tape drive that encrypts data as it is written to the tape. Will this breathe new life into the dying tape backup market? At a starting price of $35,000 I know it won't keep me from migrating to disk-based backups. It sounds like they may be on to something for those companies who have the budget and can justify the cost. I am curious to see how much the tapes cost and what kind of read/write speeds they have.

Future of Podcasting

I'm relatively new to podcasting. I don't have one of my own yet and I just discovered them in December of 2005. I knew that they were out there, but I didn't realize just how much really good content there is out there.

Now it appears that there are those who would like to limit or even take away our rights to make our own podcasts. Martin McKeay brought this to my attention a few days ago. He has a link to a petition on his blog that I have already signed. I encourage all of you to do the same.

Elections gone awry

Martin McKeay often talks about the insecurities that are rampant in electronic voting machines. Here is another example of just how big a problem this could become. It wouldn't take much planning on the part of those who wanted to disrupt our elections to really make a mess out of things. And this article focuses on the physical problems not the technology issues. There are those who are just sitting on the sidelines waiting for a reason to scream and complain about what went wrong and why the results of this precinct or that precinct should be thrown out. There are too many problems, both known and unknown, with electronic voting for us to turn to it at this time.

I don't claim to be an expert on the subject by any means. I have to admit that if it wasn't for listening to Martin I probably would not have been aware that there were problems until they slapped us in the face. Expert or not, I am a tax-paying citizen who is VERY concerned about the very real problems that are waiting on the horizon. These aren't problems that may send unwanted emails or cause pop-ups on your PC. They could very well change the results of elections all the way from your local school board member to who is elected President of the United States. We need to keep on top of this and do all that we can to make sure that these issues are fixed and that we don't let this get out of control any more than it already has.

What can we do? Call your Congressmen and Representatives at both the state and federal level. Read up on the issues surrounding this and what others have to say. They may spark an idea in your head that helps to resolve this.

Monday, September 11, 2006

Is it Monday already?

Where have the days gone? I haven't blogged since last Wednesday and it's 11:00 pm. I'm staying up late just to blog since it's been almost a week. The work week has been full of work stuff and the weekend full of family stuff.

Some of the highlights of the work week:
One of our guys had 3 laptops stolen from his car last weekend. They were all personal, but one of them he used at work, and I had just finished building one to replace the one he used at work. On Tuesday he brought me a new Mac w/ Parallels and wanted Windows installed. Then he was unhappy because I wouldn't give him admin rights on the Windows side of his machine. He kept saying it was his machine and that he should have admin rights. I kept telling him that it was my network and he shouldn't have them. I was finally able to explain why I wouldn't let him have admin rights.

One day on the way to the office my boss called and told me that he was running late and that I needed to get the communications meeting with our future core platform vendor started. I didn't know that we had a meeting and I was the main player from our company. Can we say "lack of communication"?

I also just finished a full and complete inventory of all 13 offices because over the last couple of years things have come and gone w/o any documentation. I can assure you that won't happen again as long as I'm there.

Such is the life of a small shop IT Pro.

Wednesday, September 06, 2006

MS and Cisco joint NAC

This should prove to be interesting. If both companies put their best foot forward and don't rush this it could be a very good thing. If either or both of them rush it then it could be a nightmare.

HIPAA Breaches

InformationWeek has an article on privacy breaches reported by health care agencies. This isn't surprising at all. HIPAA is so vague, has so many "outs", and affects so many different industries that it's almost impossible to work with. When I was consulting, HIPAA was a project of mine. The company I was with was a latecomer in the game when we decided to actively pursue clients that needed help with HIPAA compliance. I spoke with people in health care (hospitals, nursing homes, doctors' offices), insurance, law firms, and others that were affected, and without fail all of them had either an apathetic attitude toward getting compliant, were depending on a software vendor to be compliant, or had no idea that HIPAA could affect them. I know that those I dealt with were a very small sampling, but when you bat 100% it really doesn't matter how big your sample is. It still speaks volumes as to the attitudes that companies have towards HIPAA. Many will do the bare minimum to get Uncle Sam off their back.

Tuesday, September 05, 2006

Security by ignorance

I just checked Bruce Schneier's blog and he wrote on something that I heard late last week and meant to comment on and forgot.

California has just passed a law that requires manufacturers of wireless components to put a sticker on the device or have a setup warning that tells the end-user that wireless is insecure by default and also include ways to secure wireless. Here is a link to a more in-depth article on the law.

Maybe if we ask the bad guy hackers to leave our networks alone via a banner they will and we will all be happy.

Broken Windows

This can't be good for business. CA eTrust Antivirus mistook a Windows file for a virus and deleted it from the system. This caused some servers to crash and not reboot. I have 2 problems with this.
1.) Why would a file that is vital to the proper operation of the OS be so easy to delete?
2.) Why would CA release an update that would do this?

Do they not review their code and test prior to releasing updates? It seems to me that a mistake of this magnitude is not excusable. Businesses rely on their servers to be up and running in order to make money and the downtime caused by such an oversight on the part of CA could be very costly to businesses.

I've never been much of a fan of eTrust and this does nothing to endear me to them.

Friday, September 01, 2006

Gone Phishing

As I mentioned in an earlier post, don't respond to emails that try to sell you something or get you to give up personal information. The AT&T hack is a perfect example of why this is not a good idea. If the bad guys can look like the good guys their job is easier. That's why it's our job to pay attention and use common sense.

Spooky, but not surprising

I hate to say it, but the survey conducted by Ponemon Institute LLC is not surprising (see link below). It is disheartening, but not surprising. It's also a little spooky. How many hacks take place every day on corporate data that are never caught? It's hard enough for companies with large, experienced IT staffs to keep on top of things. Imagine what the small shops go through. As I mentioned in an earlier post, I work in a small shop and my resources are limited. Many shops are in similar situations or worse. They may have staff, but often the staff is inexperienced, especially when it comes to security.

I used to be a consultant and almost every client I had relied on the company I worked for to provide ALL of their IT needs. If a breach occurred we may never know about it because we were only there one day a week and in a few cases it was less than that. In the year that I worked there I can only recall one incident where a breach was caught. I discovered the breach while investigating an Active Directory problem. It turns out that the breach caused the AD problem.

As security professionals we know that we can't stop all attacks and that there may be some small ones that happen that we never find out about, but to think that so many companies are ill equipped to handle attacks is sad.

Things I don't understand

I know that being a security professional I tend to think differently, hopefully more security conscious, than the average person. I would never buy anything that was offered via spam, and I'm very careful about the websites I visit, especially if it involves buying something or filling in a form. So therefore I do not understand why spam and phishing are so popular (OK, I do, because I work with end users all day). I just read about the growing popularity of smishing. Then of course there are the 100 plus emails a day that I get that are spam (thank goodness for spam filters!). All of this happens because it is successful. People spend money on things they don't need and often they end up getting taken for a ride. I don't understand why people STILL fall for this.

I also don't understand people who sell things on w/o first making sure that it's free and clean of personal data. I know that the average person doesn't have the technology or the knowledge of how to really clean a system of their personal data. But that doesn't excuse selling a drive or other device w/o at least erasing files and cleaning cookies and other basic tracks. How hard is it to delete files, empty the recycle bin and then run defrag? I know this won't stop a determined person from finding what they are looking for, but the average person who buys something used is looking to use it, not scour it looking for data.
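To show why "delete, empty the recycle bin, run defrag" is not the same as removing data, here is an added simulation that is not code from the original post: a toy block device where deleting a file only drops its directory entry, defragmenting copies live blocks without scrubbing the originals, and only an explicit overwrite of free space clears the remnants. The block layout, file names and card-like sample string are constructed for the illustration, not a real filesystem or real data.

```python
from dataclasses import dataclass, field

BLOCK_SIZE = 16  # tiny blocks so the whole "disk" is easy to inspect


@dataclass
class ToyDisk:
    """Constructed model of a block device with a flat directory."""
    nblocks: int
    blocks: list = field(init=False)
    directory: dict = field(default_factory=dict)  # name -> (block list, size)
    free: list = field(init=False)

    def __post_init__(self):
        self.blocks = [bytearray(BLOCK_SIZE) for _ in range(self.nblocks)]
        self.free = list(range(self.nblocks))

    def write(self, name: str, data: bytes) -> None:
        needed = -(-len(data) // BLOCK_SIZE)  # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        idx = [self.free.pop(0) for _ in range(needed)]
        for i, b in enumerate(idx):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.blocks[b][:] = chunk.ljust(BLOCK_SIZE, b"\0")
        self.directory[name] = (idx, len(data))

    def read(self, name: str) -> bytes:
        idx, size = self.directory[name]
        return b"".join(self.blocks[b] for b in idx)[:size]

    def delete(self, name: str) -> None:
        # "Delete + empty the recycle bin": the entry goes, the blocks are
        # marked free, and not one byte of content is touched.
        idx, _ = self.directory.pop(name)
        self.free.extend(idx)

    def defragment(self) -> None:
        # Compacts live files toward the front by copying blocks. Like a real
        # defragmenter it does not scrub the source blocks, so it can leave
        # extra copies of live data behind and leaves deleted data alone.
        for name, (idx, size) in list(self.directory.items()):
            new_idx = []
            for b in idx:
                self.free.sort()
                if self.free and self.free[0] < b:
                    target = self.free.pop(0)
                    self.blocks[target][:] = self.blocks[b]
                    self.free.append(b)
                    new_idx.append(target)
                else:
                    new_idx.append(b)
            self.directory[name] = (new_idx, size)

    def wipe_free_space(self) -> None:
        # What a sanitizing tool must actually do: overwrite every free block.
        for b in self.free:
            self.blocks[b][:] = b"\0" * BLOCK_SIZE

    def raw_image(self) -> bytes:
        # What a buyer with an imaging tool sees: every block, no directory.
        return b"".join(self.blocks)


def demo() -> dict:
    """Runs the seller's routine against the toy disk and reports remnants."""
    disk = ToyDisk(8)
    secret = b"card=4111-CONSTRUCTED-SAMPLE;;;;pin=0000"  # constructed, 40 bytes
    notes = b"grocery list: milk, eggs"                    # constructed, 24 bytes
    disk.write("wallet.txt", secret)   # blocks 0, 1, 2
    disk.write("notes.txt", notes)     # blocks 3, 4
    disk.delete("wallet.txt")
    after_delete = secret in disk.raw_image()
    disk.defragment()                  # notes.txt now lives in blocks 0, 1
    after_defrag = b"pin=0000" in disk.raw_image()
    stale_copies = disk.raw_image().count(b"grocery list: mi")
    disk.wipe_free_space()
    after_wipe = b"pin=0000" in disk.raw_image()
    return {
        "secret_survives_delete": after_delete,   # True
        "pin_survives_defrag": after_defrag,      # True
        "copies_of_live_file": stale_copies,      # 2: one live, one stale
        "pin_survives_wipe": after_wipe,          # False
        "notes_still_readable": disk.read("notes.txt") == notes,  # True
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```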

Finally, there is the ordeal with Sun not cleaning up old vulnerabilities when they fix them.
Java updates leave vulnerabilities
That really doesn't make sense to me. Why fix something if you are going to leave the broken one behind? I read that they do this for forward compatibility issues. OK, but why not make a fix that also incorporates forward compatibility? Knowingly leaving a vulnerability behind is inexcusable for any reason. This is just another reason for full disclosure.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.