12/14/04

History Lost

I’ve lamented the loss of historical memory a few places this year. I grouched about it on the firewall-wizards mailing list yesterday, wherein I corrected a perfectly nice guy who said “This is the classic “eggshell” weakness of network security, hard and crunchy on outside, soft and chewy on the inside.”

I said that this was an example of the loss of historical data we experience in network security. I pointed out that the “classic” is Bill Cheswick’s, “crunchy shell around a soft, chewy center.” (This is from “The Design of a Secure Internet Gateway,” whose date is not stated in the version I have.)

At this point, you’re perhaps thinking that I sound like a grouch, I grouched about it because I am a grouch. Well, maybe.

In my defense, please see some previous blog entries. I referred to this as a problem in this blog entry from 20 Sep 2004. That entry references an earlier blog entry Security Redux and a column I wrote.

In response to my firewall-wizards posting, Dr. Tina Bird e-mailed the following:
2004 compromises look very similar to 1989 compromises: bad passwords, insecure configurations, unpatched software. For example:
“Recently, the CERT/CC has been working with several Unix sites that have experienced breakins. Running tftpd, accounts with guessable passwords or no passwords, and known security holes not being patched have been the bulk of the problems.” – October 17, 1989

So let’s see:
  • the Agobot family of Windows exploits — bad passwords
  • Blaster/Sasser/SQL Slammer — unpatched software
  • hordes of exploits propagating over peer-to-peer apps with insecure configurations…
It’s not an OS insecurity issue, it’s the bloody humans!

References for compromised machines from CERT:
Thanks, Tina. I wish it weren’t so.

Low-tech, High-quality Biometrics

Infoworld reports “EU moves closer to biometric passports.” But, they already use them. It’s biometrics in use when a passport must have a photograph of the user to compare with the observed face of the user by a passport control official.

Even more amazing than we might have thought. slashdot.org points to a news article saying facial recognition “targets 3 areas of the human brain.”

Scary Security Stories

A few years ago on the firewalls mailing list, someone disclosed management’s lack of security clue in the following plea (dated Mon, 20 Nov 2000 06:22:10 -0600):
Is there anybody out there that can help me get some configurations right on our new Gauntlet firewall? I have never configured a firewall before and have not had training and this is very important to our company so I am feeling the pressure here. Any help would be appreciated!
(You can read my reply by searching for this on the Internet — you will find it, or by reading NetSec Letter #15, which refers to it.) I read something scarier yesterday. I’ve anonymized it… a bit.
We are a small software business … located in [a country providing lots of software development outsourcing for government and industry all over the world, but especially in the US]. We have a machine running Linux/Redhat to which all our computers connect for internet access through a DSL/Modem …

For the last 6 months our DSL bills are extremely high. We examined our logs and there is someone using the bandwidth from our host every night. We can turnoff the machine but not sure if this is the right solution.

We have [taken some specific countermeasures]… But we still continue to see the nightly breaks into our host machine. We have no Linux expertise except as developers. We checked out firewall software price and it’s expensive, and there is no expert support available. Can someone suggest a fix for this. Even a policy fix/advice would be helpful.
So far, no one on the list has expressed horror about this situation. Will software developed by this company end up in missile guidance systems? What about other companies — in that country or anywhere in the world? How often are companies that develop critical systems audited for security practices and events? Shouldn’t they be?

12/7/04

Spyware/Adware Removal Disables Windows98 Machine

I am writing this brief “incident report” because when I was trying to find information about this problem, searching on the Internet turned up nothing useful. I am hoping to help someone else with this same problem when he or she searches for “Win98” and “TCP/IP problem” or “No TCP/IP” or even “loss of network.” And to the “Why Windows 98 in 2004?” question, the obvious answer is: an old but adequate computer.

The symptoms. IP networking stopped. I mean just stopped. The system was using a wireless NIC for access to our home network and the Internet. When that happened I figured that that was the problem. I pulled out my notebook PC and the wireless worked fine. The wireless software on the W98 machine said it was connecting, but I could not get to the WAP (via web page for administration). This should have been a hint to me. Lower level networking worked, but I could not make a TCP/IP connection.

I moved the computer to where I could use twisted pair Ethernet. I found that I could see systems in the “Network Neighborhood.” I could get to shares on my Linux box. I could print from my XP machine to the printer on the troubled W98 computer. (This met the need of the moment for my wife who needed to use an XP application but print to her printer, a printer that could not be used on my system.) I could PING and TRACERT in an MSDOS window, but could not TELNET or RSH to the system I could PING. The problem persisted. I talked to my friend, Rick, who could lay hands on a computer and heal it (no, really… ask Marcus) but he wasn’t close enough to touch it. He did, of course, put me onto the right path.

What worked. With my Windows 98 SE CD at the ready just in case, I went to the Control Panel, Network, and removed all adapters and all network bindings. (Actually, I removed all adapters except one I wasn’t using anyway. This proved to be a mistake. Remove all of them!) Then I went to the Device Manager in System and made sure the network adapters were removed. You want the system to remove all IP networking from the kernel. Then I rebooted.

It found the first network adapter. I walked through the installation of the newly (re)found hardware. I was able to just say “ignore file” each time it looked for a software module it needed for the network hardware because those files were all still on the computer, but if you are uncertain keep pointing the system to the CD to find the files. It will tell you if the file it already has is newer than the one on the CD. Use the newer one. Reminder: You may have to configure network properties for these devices and reboot.

Success. After rebooting for the first adapter, then the second, the system came all the way up, and the first thing displayed was a notification that there were critical updates to install. BINGO! TCP/IP was working — the system had contacted the Internet.

What made this mess? I think it was “malware” of some sort. Rick said a few times, “It almost sounds like it is a firewall issue.” But, I had disabled the PC-firewall for testing, and the network firewall was not coming into play. TCP/IP failed to work from this machine to others on my own network using IP addresses instead of hostnames. But, Rick was right as always. I think — and this is conjecture on my part — some spyware program had shimmed itself in the IP stream to be able to “help” the system’s user. At some point I killed off the process and stopped it from starting up. Since it had modified the IP stack, without it TCP/IP did not work. When I removed all network components and reinstalled them, all of that was rebuilt. After installing all critical updates I installed a malware cleaning program and got rid of a whole bunch of adware and spyware. It is working well now.

12/2/04

Disconnect

In his latest “Web Informant,” my friend and colleague, David Strom wrote:
I have an idea for a new reality TV show: take a dozen families and cut off their Internet access for two weeks. See how long it takes them before they have to use the telephone to talk to their friends, check the local movie listings in the newspaper, and have to go to the mall to do their shopping. … (check it out.)
I can relate.

Years ago AT&T rolled out those public phones with keyboards you see at many airports. When they first came out in the mid 90s, you could use them as ASCII terminals and I would dial-in to a modem and get a command line prompt. I don’t think this works today, but in the pre-notebook PC days it was a great way to redeem the time at the Denver Airport.

I worked at TIS back then and Steve Crocker was my supervisor. I pointed these out to him and we talked about the desire to be as connected as possible. He looked at me and said, in all honesty, “I can hardly stand to get on an airplane.” (When jets get Internet connection in the air, I am sure that he will be flying in the business or first class cabin and be connected for the duration of the flight.)

Reading David’s article reminded me of how I react today when our ADSL connection goes down. (I’ll not go into it, but it’s not pretty.) I can also relate to the phenomenon of relying on the Internet (and e-mail) to the exclusion of other, sometimes more reliable, communications. Have you ever:
  • Repeatedly e-mailed someone waiting for an important response, but forgot about using the telephone?
  • Forgotten that you can get flight information or make an airline reservation or access your bank via the telephone?
  • Gotten lost because you couldn’t get directions from the Internet and didn’t make a phone call?
Yes, the Internet — maybe more specifically, broadband/always-connected Internet — “has definitely crossed over from oddity to necessity…” But, let’s try not to forget about the obvious alternatives.