fred avolio's musings

Any of us who drive the Interstate Highway System in the US have probably seen centrally-controlled highway information signs. In Maryland, these “Variable Message Signs” (VMS) are overseen by CHART, the Coordinated Highways Action Response Team. Usually, the signs report traffic conditions or warn about accidents ahead. Often, it seems, when they have nothing else to do, they say something along the lines of, “REPORT SUSPICIOUS ACTIVITY — CALL 800 492 TIPS.”


As I drove by this the other morning, I thought, “Yeah, right. What’s ‘suspicious’? If the traffic was moving a bit faster… now that would be suspicious.”

Then I realized, I was mistaken to be so derisive. Because, while we cannot define suspicious activity, I think we often know it when we see it. I mean, by definition, it is activity that arouses uncertainty or seems strangely out of place. It is directly linked to feelings. Suspicion is subjective. It is not easily measurable. And that is just fine.

This is why user education is still a viable part of a network security defense. Surely, security mechanisms such as firewalls, antivirus protection, etc. don’t forget and so are more reliable that just educating the user — whose main task usually has nothing to do with security — to avoid doing bad things. But, users are very good at recognizing when — as Miss Clavel, of the Ludwig Bemelmans’ classic Madeline children’s books, noted — “Something is not right!” So, we remind our users that they should report suspicious activity. Such as people with masks over their heads approaching the building? I suppose so. But, in our realm we’re more interested in the network seeming to run slower than usual, the desktop computer crashing (more than it usually does, perhaps), “phishing” attempts, increased disk activity when nothing seems to be happening, or computer performance degradation.

Foolproof? No. Cost-effective? It depends. (A very important security answer.) It depends on how much it costs. In user education, a small amount of money goes a long way. It’s like those highway signs. Will they hinder a terrorist attack? Maybe not. But… maybe. When securing your network, someone will probably notice when something is amiss. It doesn’t cost very much to help them remember what to do.

Fred Wamsley, CISSP and principal with Beryllium Sphere LLC, commented, “A CERT study backs up your argument. They recently released a study of insider attacks, and looked into how they were detected. Mostly it was not security personnel who spotted the fraud/sabotage/whatever. Usually a customer or another employee noticed something out of the ordinary.”

Ira Winkler, in a searchSecurity column, says more of the same old stuff. Of course, as I mentioned in my blog “Same Old Simple Things,” that’s just what we need to hear … and apply! One thing that Ira says stands out: “Therefore, in terms of traditional risk, your organization is exponentially more likely to suffer regular losses due to completely preventable computer problems than to be hit by cyberattacks.”

See his complete column at this really long and ugly URL.

We’ve heard (or made) recommendations to scrap MS products. Recently, I shared The Things I Hate About Outlook. This morning my Slashdot newsfeed served up Time to Kill Microsoft Word? I’ll just let you read it, but it pointed to an ABC News commentary by John Dvorak, Kill Microsoft Word. (If the long and ugly URL disappears, an Internet search for the author and title should turn it up.) Basically, Dvorak lists the things he hates about Word.

The Slashdot posting points to openoffice.org. I’ve gone through this exercise before. How important is compatibility? Will Openoffice allow me to create “portable” documents (word processor and presentations)? More importante for my world, will it allow me to receive and use documents from others?

I’ll find out, but I am interested in hearing from others in the same boat, who need compatibility of sorts with MS Office, and who have made the switch — successfully or not.

Maybe I am just cynical. The headline is “Revolutionary Spam Firewall.” I saw it on slashdot. It pointed to the PhysOrg.com article. My bogosity filter started right off.

“a groundbreaking firewall…” “The new technology is the only true spam firewall in existence.” Matthew Sullicvan, one of the developers explains, “Existing anti-spam software filters out spam whereas ours puts up a firewall, stopping all email traffic and only allowing real mail through.” Sort of like filtering. “It is The only anti-spam software that analyses emails as a whole picture, rather than based solely on components such as key words or phrases.”

Well, the only one … not counting Bayesian filtering, for example. Let me know if you know if this is really different. It doesn’t sound like it to me. My filter pegged this as a bogon.

These are some of the features I hate about Outlook.

• I believe it is getting better, but by default it puts features (usability and presentation) over security. I had to turn off the automatic formatting in Outlook (I want to send only plain text messages, not HTML, not RTF). Still, if I forward or reply to a message that has been formatted, I have to explicitly tell it to send it plain.
• Outlook with Exchange acts as if the whole world can access “The Address Book.”

  Your message
  To: zzzz@avolio.com
  Subject: security truisms
  Sent: Thu, 12 Aug 2004 06:24:51 -0700
  did not reach the following recipient(s):
  
  Schmidt, John Jacob Jingleheimer on Thu, 12 Aug 2004 06:50:56 -0700
  The recipient was unavailable to take delivery of the message

  Okay, quick. What’s missing? Right, Mr. Schmidt’s e-mail address. If e-mail to him is bouncing I’d like to contact him or remove him. If his e-mail address is something obvious — oh say, jjj.schmit@someplace.dom — I can deal with it. If it is an address unrelated to his name, I’m out of luck. Also missing is why he was “unavailable.” Step out for coffee, did he? Moved and left no forwarding address? Disk write error?
  
  In addition, if you forward a message, the e-mail addresses are lost — just the full names remain. In other words, potentially important information is lost.
• In fact, Outlook discards all e-mail headers it doesn’t care about, but which are required for debugging. It doesn’t just hide them, it removes them.
• It tries to be too smart. When you enter text in your address book (Contacts manager), instead of filling in fields, it tries to guess what is what. All those “smarts” would make things easier for the user, if it did not also make things slower for the user. Fast and simple beats slow and complex.
• There’s too much reliance on “point and click.” I want to set up a distribution list by 1) giving it a name and 2) typing in all the e-mail addresses separated by commas. (I could live with semi-colons — see next item.) I don’t want to have to enter them separately, one at a time.
• It insists on rewriting (breaking) nice, standard, RFC822 (okay, I am showing my age — RFC2822) addresses. What is wrong with the following?
  Joe E Smith <joe@avolio.com>, (Mary Jones) mary@avolio.com
  
  Nothing, But Outlook will insist on making it
  “Joe E Smith” [joe@avolio.com]; “(Mary Jones)” [mary@avolio.com]

Outlook. It has been said before: Lookout.

Tim Kramer, via e-mail, adds the following: even though you’ve turned off HTML in an attempt to author flat text e-mails, Outlook still feels the need to add its own encoding so that the author’s word-wraps get encoded into the email along with some really odd handling for quotation marks.

Slashdot reports that the South Pole Research Station Hacked Twice. In E-mail Postage Due, I said, “On the Internet, every call is a local call.” Of course, it is deeper than that. On the Internet, everyone is potentially your network neighbor. And it is not Mr. Rogers’ Neighborhood.

One of the most recognizable US Senators — perhaps recognizable throughout much of the world, Senator Edward Kennedy, had trouble boarding his flight from DC to Boston, and then when he tried to return. He was on the “no fly” list (“in error,” the AP report indicates).

Homeland secuity is important. But we don’t want to leave our brains at the door. True, the Senator might be a terrorist. But, if I’m a ticket agent in Washington, I think maybe I’d have read about it or seen it reported, at least on Fox News or CNN. Do you agree? Or do we toss out common sense for the sake of security?

See the report at Yahoo. (If the link is broken, search for the headline: Error Puts Kennedy on Airline No-Fly List.)

“Refusing to join the modern world [in not] implementing Microsoft Outlook”

I will have more to say in another blog entry. But, for now I wanted to share an e-mail I received and my comment.

Mr. Avolio,

I recently read an article you co-wrote that was published in Information Security Magazine. I hope you can answer a quick question for me…

I work for a local community college in Canada and our IT department is refusing to join the modern world by implementing Microsoft Outlook. Currently all users are forced to use the mail feature of Netscape Communicator 4.79. We are using the IMAP protocol.

We are told that Outlook is less ‘safe’ and not as ‘secure’ as Netscape when it comes to preventing the spread of viruses throughout the system.

Does this make any sense?

This was my reply:

It makes complete sense and they are 100% correct. You should praise whoever had the guts to say no to Outlook as an email client.

I have to use Outlook in a new day job. I’ll talk about what I hate about it. Some has to do with basic e-mail functionality. Others have to do with security. More anon.

Business has been a little slow, so the mailer caught my eye. “Certification, Training, and Continuing Education in HOMELAND SECURITY” was emblazed across the “Stars and stripes.” Cool. Maybe that’s just the ticket to increase the knocks on my electronic door.

The first thing I would have to do, of course, is become a member in good standing of the American College of Forensic Examiners Institute. CHA-CHING. That’s $130 for the first year or $1,750 membership for life. I don’t know. “member for life” is attractive if I live another 45 years, I’m saving over $100 a year! But, will I want to be doing this into my 90s? Oh, an additional $350 for the “Homeland Security Program” add-on to this. Total, $480. I’ll have to think about this. But, would I even qualify?

The questionnaire is next. “Application for Immediate Granted Certification in Homeland Security,” presumably with all the rights, honors, and groupies associated with same. Under experience, I start to get nervous. Military experience? Nope. Law enforcement? No, unless you count being a parent. Private security experience. Ah, good. I was CSO at TIS for a year. (Maybe less than a year, but I’ll round up.) That’s good for 15 points. You get an additional 5 points for each year of “overall private security service.” This sounds like double-counting, but I’ll grab that additional 5. I have 20 points, so far.

I was not a firefighter. Nor was I ever in the medical or health fields. But, oh boy! Under “Other Homeland Security Related Experience,” we have “cyber security.” Right there out in the open like that’s a real field. Well, I suppose in 18 or so years in computer and network security, I’ve secured some cybers. The kicker is I get to pick the number of points that should be worth. Being a modest guy, I’m saying 25 points.

I get 35 points for my masters degree, 15 points for my TICSA certification, Under training, I get nothing because I am not a “Diplomat” in the “America College of Forensic Examiners Institute. (And does it bother you that both “College” and “Institute” are used in that?) Nor have I taken or taught any “Homeland Security-related courses. But under “Knowledge” they have that phrase “or related.” I get 10 points for each presentation on “Homeland Security or related topics.” Heck, I don’t know, I bet it’s around 40 over the past 4 years. 400 points. 15 points for professional article (related topics), so let’s call it 20, for 300 points. Finally, 5 points for every conference I’ve attended on Homeland Security (none) or related topics (10-20) — 50 points. My grand total is 845 points! Wow. An “Immediate Granted Certification in Homeland Security” Level 1 only needs 100 points. For 200 or more I could get a Level 2. And 300 or more is a Level 3. Heck, I’m clearly a Level 3 then. But with 845 points I think I want another level added.

Oh, but wait. I still have to pay $480. Never mind.

The headline caught my eye: “Spammers Can Be Beaten in Two Years.”

I cannot wait!

I was re-reading one of Marcus Ranum’s posts to the firewall wizards mailing list. (Tue, 20 Jul 2004 23:49:40 -0400). It was terrific. Jump to it and read it.

Plain and simple stuff that — if people do them — will reduce risk.

I had a similar list in an Advanced Firewalls class I taught for N+I and a “Tools and Techniques” class for CSI. I got bad reviews in the Advanced Firewalls class. Maybe I am a crummy teacher, but of course I don’t believe that. I think the students really want some really neat-o, cool devices to run, hand-held thingies to try, and something that was wireless as well. But few of those things help as much as sticking to the basics. And they don’t like to hear it.

I just saw an article via Security Wire perspective. If this ugly URL isn’t broken, you’ll again find a whole bunch of brilliant stuff that a very few of us keep pounding on. See this ugly URL. So, I wondered how do we ever get people to listen when they really, really do want magic or priest-craft?

Marcus pointed out that “‘my words, like silent raindrops fell…’ – nobody wants to hear it.”

A few days later, I was looking for somethings to help an IT manager to start looking at security policies. I found a number of old articles on my site, for example:

• Security on the Internet.
• Best Practices in Network Security.

What is the matter with the industry? Those old papers are still accurate. They are still useful. They are 5 years old. Should I be concerned that we’re not growing up and moving on? The old, simple, basic things still work and are still needed and are still ignored.