An article over at Silicon.com takes a look at that old concept of requiring a license to use the Internet.
Just as corporate and university networks have taken steps to implement access control to keep out infected systems, so too should ISPs look at banning machines that don’t meet a defined security regime.
The article goes on to draw parallels to driver’s licenses, restaurants known to serve food that makes you ill, and bad neighbors. If you can call the cops to do something about those, why can’t you ban bad Internet neighbors?
In the U.S. the vast majority of Internet service providers are trying to make a buck. Why would they refuse service to these cyberslackers who quickly become spam-bots because of their inability to patch? Banks do it all the time. They refuse to open accounts for people known to bounce checks. A few bucks up front for the account isn’t worth the trouble that will come down the pipe. Unfortunately this analogy has been largely lost on ISPs.
Many ISPs have pink-list contracts: contracts where spammers pay a PREMIUM and may hang around until the anti-spammers complain too much. Historically many ISPs have not been good caretakers of their portion of the network. They are in for the fast buck. They are more than willing to let Ma and Pa Kettle onto the Internet without a personal firewall, without adequate patching and without adequate antivirus. AOL and Earthlink run commercials saying they are different. They are able to sell security to the user by selling the usability brought by security devices blocking spam and spyware. But how many of AOL’s customers actually have the AOL Security Edition?
Archive for May 2005
ISP apathy causes insecurity
Art of Deception – preface
I’m reading The Art of Deception by Kevin Mitnick. I would suspect that it will be the basis of more than a few blogs going into the future. I really don’t like Mitnick but was convinced to pick up his book. From what I’ve read so far, he defends himself with the classic lines of ‘I didn’t intend to do any harm’, ‘I didn’t know what I was doing was wrong’, and ‘I was just curious’.
Oh well. The discussion of the place of criminals as security experts is one for another day. I intended this post to be about preparation. Mitnick reports that he practiced and honed his trade. It reminded me of a Dateline episode I saw where gangs would get together and study war, psychology, law etc. The bad guy is always seeking to perfect his craft. As sysadmins and security professionals we need to be seeking to perfect our craft also. The more we get caught up in the tyranny of the now, the less we develop our own skill set and our corporate defenses.
It’s new to you
If you haven’t seen it, it’s new to you. That was an old slogan of NBC for their summer rerun season. Well, summer rerun season has started at the antivirus firms as they strive to get press coverage.
First we have Panda Software warning of a new hybrid worm. Get this: it spreads like a worm and installs a keystroke logger, plus downloading more malware. That doesn’t sound particularly new to me.
IM viruses have caused many vendors to hop on the media circuit. Yet there is really nothing new here either.
Hackers Holding Internet Files Hostage. As Kaspersky points out, nothing really new here.
I swear I saw an AV vendor breathlessly report that viruses are targeting p2p systems by dropping infected files into likely p2p shared directories.
Next they will be telling me about the “new” horror of macro viruses.
User education about current threats is one thing. But this is cooking up a press release to drive the stock price higher.
SMTP AV: Time to Regroup?
JD comments about Kaspersky Labs’ forecast that global virus outbreaks are waning. My comments here are a reply to that.
I suspect that mass mailing viruses will be seen in the leet community like denial of service attacks: a pedestrian form of attack not worthy of anyone with skillz. Does that mean they will completely disappear? No. There will always be some dope willing to do it.
The big lesson here is don’t get caught fighting last year’s war. If you’re all confident in your SMTP antivirus defenses it may be time to reexamine them.
Will attacks targeted at specific companies further reduce the role of definition-based antivirus? Actually this is nothing new. I know of a company where the CEO is known to have received two different keystroke loggers by opening a .mdb file sent to him. That kind of targeted virus was tough to stop then by definition-based antivirus and it will be a problem in the future unless more and more behavioral and heuristic tests are employed.
Write Down Your Passwords
Write down your passwords. So says Jesper Johansson, senior program manager for security policy at Microsoft.
Password policies that led to using the same bad password across all systems are foolish, Johansson said. “If I write them down and then protect the piece of paper–or whatever it is I wrote them down on–there is nothing wrong with that. That allows us to remember more passwords and better passwords.”
I think this is good advice. Passwords that are written down on post-it notes and placed under the mousepad are bad. Passwords that are stored in encrypted databases are good. But it must be real encryption, not the sketchy kind of password protection found in office documents. Passwords put in a sealed, signed envelope and stored in a safe are good.
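The point above is that a written-down password store is fine when its container is genuinely encrypted. As an added example that is not part of the original post, here is a minimal vault using only the Python standard library; the scheme (PBKDF2 key derivation with a random salt, an HMAC-SHA256 counter-mode keystream, encrypt-then-MAC) is my choice, since the post names none, and the entries are constructed sample data.

```python
import hashlib
import hmac
import json
import os

# Added example, not from the original post. Scheme chosen here:
# PBKDF2-HMAC-SHA256 derives an encryption key and a MAC key from the
# master passphrase and a random salt; the record is XORed with an
# HMAC-SHA256 counter-mode keystream and then authenticated with
# HMAC-SHA256 (encrypt-then-MAC), so a wrong passphrase or a modified
# file is rejected before anything is decrypted.
PBKDF2_ROUNDS = 200_000


def _derive_keys(master, salt):
    """Return (encryption key, MAC key), 32 bytes each, from the passphrase."""
    km = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    return km[:32], km[32:]


def _keystream_xor(key, nonce, data):
    """XOR data with HMAC-SHA256(key, nonce || counter) blocks (counter mode)."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + block_no.to_bytes(4, "big"), "sha256").digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def seal_vault(master, entries):
    """Encrypt and authenticate a {site: password} mapping under the passphrase."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(master, salt)
    ciphertext = _keystream_xor(enc_key, nonce, json.dumps(entries).encode())
    tag = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    return salt + nonce + ciphertext + tag


def open_vault(master, blob):
    """Return the entries, or None if the passphrase is wrong or the blob was altered."""
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(master, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, tag):  # constant-time check, before decrypting
        return None
    return json.loads(_keystream_xor(enc_key, nonce, ciphertext))


if __name__ == "__main__":
    blob = seal_vault("correct horse battery staple", {"mail": "Tr0ub4dor&3"})  # constructed sample
    print(open_vault("correct horse battery staple", blob))  # the entries
    print(open_vault("wrong passphrase", blob))  # None
```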
Mozilla Engineer Dismissive of Netscape
Ben Goodger, lead engineer for Mozilla Firefox, lobbed a grenade or two at Netscape 8 insecurity in his latest blog entry from May 19th.
Beware of Education Scams
I’ve been wondering about what the University of Fairfax is. Diploma mill or what? They’ve been sponsoring some CISSP study sessions locally and some CISSP webcasts that I watched. They offer a PhD in Information Systems concentrating in Information Assurance.
While the website did look like it is a real program rather than a diploma mill program, I was suspicious having not heard of them before. The next item that raised my suspicions was the statement “The University of Fairfax is certified by the State Council of Higher Education for Virginia to operate in the Commonwealth of Virginia.” When I looked at that State website it appeared more to be a registration of higher education programs rather than any endorsement or accreditation of the curriculum.
Next a quick Google search led to an AP story posted at WTOP. Apparently the guy running this school is banned from heading schools in Maryland because a school he led shut down abruptly in the 90s, leaving students and the government in the lurch. Not only that, but two men listed as faculty on the University of Fairfax web site told reporters they never taught a course there!
I found a Washington Post article that goes into some detail.
Makes me worry now about (ISC)^2. They are currently engaging in joint marketing with the University of Fairfax. Basically they are giving their name and reputation to this guy. What do they say about it? Marc Thompson, VP at (ISC)^2, says Berlin’s “heart is in the right place” in spite of his checkered past. That’s right: taking millions to offer education courses and then folding up shop is just a mistake and shouldn’t preclude you from offering more education courses in the future, according to (ISC)^2.
I can’t conclude that this is a diploma mill. But it sure seems shady. Whether looking for training or returning to school you need to verify the accreditation of the school and its instructors.
Zero to 3 Bugs in 12 hours
Netscape 8.0 was replaced by 8.0.1 hours after its release as several vulnerabilities were found. The vulnerabilities would reportedly allow an attacker to execute arbitrary code if the user went to the attacker’s malicious site. What is really sad is that these appear to be known vulnerabilities in the Gecko engine that Firefox patched on May 6th.
Netscape requires an uninstall to be able to install a non-vulnerable version.
Security Pipeline
Netscape Vulnerabilities
“Good Enough” Security
Two guys are walking in the woods and they come upon a big bear. The bear sees them as food and creeps toward them. The first guy starts to slowly tip-toe away, but the second guy takes off his hiking boots and pulls out his running shoes. The first guy says, “You can’t outrun that bear!” The second guy says, “I don’t have to outrun the bear, I just have to outrun you!”
This illustration is often used to show that you don’t have to have perfect security. True, perfect security is an illusion. But what does it matter if my security is better than my neighbor’s?
Let’s think of two common types of attacks. One is the network worm. It doesn’t care whose network it’s on. It doesn’t know whether my network is more secure or less secure than my neighbor’s. If I am vulnerable to the threat, I am hosed.
In another type of attack, I may be specifically targeted. Again, the attacker doesn’t care about my relative security. He is specifically after me.
This isn’t like home security, where a burglar will move on to the unattended home. Companies need to take steps to secure their network based on their business impact analysis. The only time being “faster than the bear” will help is when you are trying to prove due diligence.
Cisco Saves the Universe (24)
Apparently I’ve got to start watching 24.
Back in April, 24 had hilariously bad dialogue involving Blowfish.
Now they had a huge product placement for Cisco right in the middle of the show.
Chloe: How did this happen? Mr. Buchanan, the network security monitor lit up. Someone on the outside is trying to jam our satellite servers.
Buchanan: Could this just be high network load?
Chloe: No, it’s definitely a denial of service attempt. What do you want me to do?
Buchanan: Did it do any damage yet?
Chloe: No, the Cisco system is self defending.
You can go see the clip on Cisco’s site.
Personally I think product placements in shows are great when they aren’t horribly out of place. I did have to laugh, though, at the use of Cisco’s Self-Defending Network marketing line. While the concept they espouse is interesting, they may get in trouble one day for a little thing called truth in advertising.