Thursday, July 31, 2008

Information Security Attitude - Jekyll & Hyde

Normally, I'm a laid back, easy going, trusting, fun-loving guy. At least, I like to think I am. However, when it comes to computer/information security I'm sort of a Jekyll and Hyde. I turn into someone who is cynical, paranoid, and sometimes delusional. I almost never plug into an untrusted network for fear that my information is being sniffed. And I don't trust anyone or their networks. While I like the internet and like reading all kinds of blogs/stories/sports scores/etc, there's probably zero chance that I'm going to read those stories in an airport or coffee shop. I just don't know who else is watching/listening.

Andy has a great post on what he's overheard on his commute to work. And it got me thinking about the little pieces of information you can pick up, without trying. Cell phones are probably the greatest enabler.

Sure, I could not trust my home or office internet connection, or EVERY other server that my information traverses, but you have to start trusting somewhere.

Wednesday, July 30, 2008

How many BIG vulnerabilities will there be?

So far in 2008, there has been the Debian vulnerability with SSL keys and the just recently publicized DNS flaw. There are two major conferences coming up (Black Hat and DefCon). What's the next major flaw to be released/found? Or, how many flaws/vulnerabilities will pop up before 2008 is through?

In today's news, I see that HD Moore's site became a victim of the attack. I wonder where the responsibility lies? Is it AT&T and their server, or an internal issue?

Also, I see that Oracle has released a mitigation for a zero-day buffer overflow exploit. For a company to release a mitigation outside of its regular patch schedule means the vulnerability is pretty serious.

We're half way through the year. How many more "big ones" are coming? How swamped, as information security warriors, will we be?

Monday, July 28, 2008

New position in Information Assurance

It's been a while since I posted, and there has been at least one major security announcement (the DNS patch). I've been pretty busy, but I found the time to patch the systems I administer so that they are not susceptible to the DNS vulnerability. I can't do anything about the upstream providers though.

Part of the reason I've been busy is that I've just accepted a position in information assurance. This kind of popped up out of nowhere. I saw the posting for the job on a Friday, I sent my resume, and was called on Monday. I interviewed later in the week, and was made an offer the next day.

Yeah, I'm a little nervous. My specialty has been in incident response and vulnerabilities. Now, I'm going to have to switch focus a bit and learn about certifying systems to meet a specific standard. Sure, I'll be putting a lot of my knowledge to use, just not from the same point of view. The benefits are great. And, I'll most likely be getting a security clearance for the position, which to me is a big intangible benefit.

I'm going to try to keep my company. There certainly isn't any conflict of interest as there is ZERO chance that any of the clients would overlap.

I don't start until the middle of August, so I'm off to really start learning about the governmental information assurance field.

Wednesday, July 16, 2008

Firefox 3 installed

I waited to read about Firefox 3 before installing it, and I never read of any problems. So, today I installed the new version. Firefox appears to run much faster than the 2.x versions I ran in the past. Also, the task manager does not show Firefox using as much memory.

So far, so good.

Monday, July 14, 2008

203-797-3222 What's up Scholastic?

203-797-3222 calls our phone a couple of times a day. From the research I've done, I gather this is Scholastic Inc. Now, I realize that companies that you have done business with are exempt from the Do Not Call list. And I know we had to call them once regarding one of our kid's book orders.

However, this number calls us at least twice a day. They never leave a message. And, if you pick up before the third ring, there is no answer and the line goes dead. It never seems to ring more than twice.

I've come to the conclusion that I'll just file a complaint with Do Not Call, and note the circumstances.

Who manages a system that way anyway? You would think that they want to talk to someone.

Zone Alarm fix for internet connectivity

This should have gone up yesterday. I took a look at the announcement on Zone Alarm's page. I followed the link for the Zone Alarm Basic firewall, and noticed that the version for download was 7.0.483.0, which was greater than what was installed on my machine. If you have performed one of the other suggestions (lowered the slider to Medium, or uninstalled the MS patch) you can follow these steps to put everything back to normal.
1. Download the new version from Zone Alarm's site.
2. Once downloaded, install it.
3. Click on Upgrade.
4. Let it finish, then reboot.

When the machine is rebooted and everything is back to running fine, connect to the internet to make sure there are no lingering issues. Then, either move the sensitivity slider back to high, or wait for Automatic Updates to tell you to install the patch (if it's not done in the background.)

Thursday, July 10, 2008

Loss of internet access using XP Pro and Zone Alarm

I woke up this morning and groggily turned on the computer. When I couldn't access the internet I started to really wake up and wonder what was going on. I checked all of the settings in Zone Alarm, and nothing really stood out at me. I hadn't changed anything, so I was puzzled what was amiss.

Then I remembered, I had downloaded and installed two updates from Microsoft's auto-update last night. And I remember reading about a potential conflict with Zone Alarm products on computers running XP. Thankfully, I had a Linux machine available so that I could surf to the solution.

Here is Zone Alarm's notice on the issue.

The only thing that (really) bothers me about the problem this morning is that I'm a registered customer of Zone Alarm. I really like and heavily endorse their products. When I am at a client's site, and they have no firewall protection, I immediately recommend Zone Alarm because of the things it does. After making the changes and thinking about the situation, I'm surprised that Zone Alarm didn't send a quick email to registered customers who checked off that they want to receive these kinds of notifications. I know I receive these notes.

Anyway, I was able to recover quickly. There are a couple of solutions:
1. Download and run the latest version of the firewall you're using.
2. Move the internet zone slider to Medium.
3. Uninstall the hotfix from Microsoft.

I performed option three, but I'm going to upgrade the firewall, then re-install the hotfix.

Monday, July 7, 2008

Incident Response & Forensics & Intrusion Detection

I've been way under the weather the last couple of days. The only good thing is I've had the opportunity to finish reading "Network Intrusion Detection", third edition, by Stephen Northcutt and Judy Novak. I'll post a review soon, probably when the meds are done. The book was great, and it has prompted me to start working with NIDS in order to understand them better; while gaining some insight as to what is traversing the network.

However, as I was resting, I got to thinking. I really enjoy the incident response work. However, when I read various security books (or take classes) I notice that there is much crossover between the incident response, intrusion detection and forensics disciplines. I think you can definitely make a career in just one of the disciplines. But, in my opinion, a good incident handler is made better if there is a packet capture available (and it can be read and understood by the handler). Also, forensic analysis may need to be performed once an incident has been declared. Similarly, an intrusion analyst is aided by being familiar with attack signatures and patterns. Finally, forensic analysts may have to capture the data, which draws on the IR discipline.

This is nothing earth-shattering, and is probably a common sentiment. However, after reading the book, and working in the field, the revelation sort of hit me.

Tuesday, July 1, 2008

Who's using my lab?

Fortunately, I don't have anything of value in my lab.

I've mentioned before that the building my office is in is up for sale. My landlord calls me at least a day in advance when he needs to show the office. However, I've gone into my office a couple of times and found my monitor and DSL router powered on.

Understand this. I'm pretty anal about my office. Even when I go down to check mail/pay bills/check messages, I check the lab to make sure everything is off. Even if I didn't turn anything on.

I have no idea who would be turning it on, and supposedly, only the landlord has a key to the office.

Today, when I got down there, everything was ok. But, I adjusted the router's setting to turn off wireless as I don't use it. And, I hardened Vista by ensuring that logging was working properly. It doesn't appear that the Vista machine has been accessed, but now I want to know.

I guess the next step is to get a little camera.

Maybe this is (yet) another sign to get out of the office.

Credit Card scam telephone call

After getting a bunch of calls from The CI Institute, or whatever they go by, I stopped picking up the phone when the number did not display. Usually, these calls are identified by "Unknown Caller." However, for some reason, I picked one up today. Here was the conversation (one-sided, a recording....)

voice: Hello. This is your credit card company calling to let you know you can reduce your interest rate. Press 1 to speak with an operator....
me:

Maybe if I had more guts (or nothing better to do) I would have hit 1, and tried to deduce who it was. I mean, really. If they couldn't tell me my company's name or my account number, then you'd know, right? And if they did, then I would have had a problem. Anyway, I didn't want to go through with it. But, I wonder how many people do?