12/14/04

History Lost

I’ve lamented the loss of historical memory a few places this year. I grouched about it on the firewall-wizards mailing list yesterday, wherein I corrected a perfectly nice guy who said “This is the classic “eggshell” weakness of network security, hard and crunchy on outside, soft and chewy on the inside.”

I said that this was an example of the loss of historical data we experience in network security. I pointed out that the “classic” is Bill Cheswick’s, “crunchy shell around a soft, chewy center.” (This is from “The Design of a Secure Internet Gateway,” whose date is not stated in the version I have.)

At this point, you’re perhaps thinking that I sound like a grouch, that I grouched about it because I am a grouch. Well, maybe.

In my defense, please see some previous blog entries. I referred to this as a problem in this blog entry from 20 Sep 2004. That entry references an earlier blog entry Security Redux and a column I wrote.

In response to my firewall-wizards posting, Dr. Tina Bird, e-mailed the following:
2004 compromises look very similar to 1989 compromises: bad passwords, insecure configurations, unpatched software. For example:
“Recently, the CERT/CC has been working with several Unix sites that have experienced breakins. Running tftpd, accounts with guessable passwords or no passwords, and known security holes not being patched have been the bulk of the problems.” – October 17, 1989

So let’s see:
  • the Agobot family of Windows exploits — bad passwords
  • Blaster/Sasser/SQL Slammer — unpatched software
  • hordes of exploits propagating over peer-to-peer apps with insecure configurations…
It’s not an OS insecurity issue, it’s the bloody humans!

References for compromised machines from CERT:
Thanks, Tina. I wish it weren’t so.

Low-tech, High-quality Biometrics

Infoworld reports “EU moves closer to biometric passports.” But, they already use them. It’s biometrics in use when a passport must have a photograph of the user to compare with the observed face of the user by a passport control official.

Even more amazing than we might have thought. slashdot.org points to a news article saying facial recognition “targets 3 areas of the human brain.”

Scary Security Stories

A few years ago on the firewalls mailing list, someone disclosed management’s lack of security clue in the following plea (dated Mon, 20 Nov 2000 06:22:10 -0600):
Is there anybody out there that can help me get some configurations right on our new Gauntlet firewall? I have never configured a firewall before and have not had training and this is very important to our company so I am feeling the pressure here. Any help would be appreciated!
(You can read my reply by searching for this on the Internet — you will find it, or by reading NetSec Letter #15, which refers to it.) I read something scarier yesterday. I’ve anonymized it… a bit.
We are a small software business … located in [a country providing lots of software development outsourcing for government and industry all over the world, but especially in the US]. We have a machine running Linux/Redhat to which all our computers connect for internet access through a DSL/Modem …

For the last 6 months our DSL bills are extremely high. We examined our logs and there is someone using the bandwidth from our host every night. We can turn off the machine but not sure if this is the right solution.

We have [taken some specific countermeasures]… But we still continue to see the nightly breaks into our host machine. We have no Linux expertise except as developers. We checked out firewall software price and it’s expensive, and there is no expert support available. Can someone suggest a fix for this. Even a policy fix/advice would be helpful.
So far, no one on the list has expressed horror about this situation. Will software developed by this company end up in missile guidance systems? What about other companies, in that country or anywhere in the world? How often are companies that develop critical systems audited for security practices and events? Shouldn’t they be?

12/7/04

Spyware/Adware Removal Disables Windows98 Machine

I am writing this brief “incident report” because when I was trying to find information about this problem, searching on the Internet turned up nothing useful. I am hoping to help someone else with this same problem when he or she searches for “Win98” and “TCP/IP problem” or “No TCP/IP” or even “loss of network.” And to the “Why Windows 98 in 2004?” question, the obvious answer: an old but adequate computer.

The symptoms. IP networking stopped. I mean just stopped. The system was using a wireless NIC for access to our home network and the Internet. When that happened I figured that the wireless was the problem. I pulled out my notebook PC and the wireless worked fine. The wireless software on the W98 machine said it was connecting, but I could not get to the WAP (via its web page for administration). This should have been a hint to me. Lower-level networking worked, but I could not make a TCP/IP connection.

I moved the computer to where I could use twisted pair Ethernet. I found that I could see systems in the “Network Neighborhood.” I could get to shares on my Linux box. I could print from my XP machine to the printer on the troubled W98 computer. (This met the need of the moment for my wife who needed to use an XP application but print to her printer, a printer that could not be used on my system.) I could PING and TRACERT in an MSDOS window, but could not TELNET or RSH to the system I could PING. The problem persisted. I talked to my friend, Rick, who could lay hands on a computer and heal it (no, really… ask Marcus) but he wasn’t close enough to touch it. He did, of course, put me onto the right path.

What worked. With my Windows 98 SE CD at the ready just in case, I went to the Control Panel, Network, and removed all adapters and all network bindings. (Actually, I removed all adapters except one I wasn’t using anyway. This proved to be a mistake. Remove all of them!) Then I went to the Device Manager in System and made sure the network adapters were removed. You want the system to remove all IP networking from the kernel. Then I rebooted.

It found the first network adapter. I walked through the installation of the newly (re)found hardware. I was able to just say “ignore file” each time it looked for a software module it needed for the network hardware because those files were all still on the computer, but if you are uncertain keep pointing the system to the CD to find the files. It will tell you if the file it already has is newer than the one on the CD. Use the newer one. Reminder: You may have to configure network properties for these devices and reboot.

Success. After rebooting for the first adapter, then the second, the system came all the way up, and the first thing displayed was a notification that there were critical updates to install. BINGO! TCP/IP was working — the system had contacted the Internet.

What made this mess? I think it was “malware” of some sort. Rick said a few times, “It almost sounds like it is a firewall issue.” But, I had disabled the PC firewall for testing, and the network firewall was not coming into play. TCP/IP failed to work from this machine to others on my own network using IP addresses instead of hostnames. But, Rick was right as always. I think, and this is conjecture on my part, some spyware program had shimmed itself into the IP stream to be able to “help” the system’s user. At some point I killed off the process and stopped it from starting up. Since it had modified the IP stack, without it TCP/IP did not work. When I removed all network components and reinstalled them, all of that was rebuilt. After installing all critical updates I installed a malware cleaning program and got rid of a whole bunch of adware and spyware. It is working well now.

12/2/04

Disconnect

In his latest “Web Informant,” my friend and colleague, David Strom wrote:
I have an idea for a new reality TV show: take a dozen families and cut off their Internet access for two weeks. See how long it takes them before they have to use the telephone to talk to their friends, check the local movie listings in the newspaper, and have to go to the mall to do their shopping. … (check it out.)
I can relate.

Years ago AT&T rolled out those public phones with keyboards you see at many airports. When they first came out in the mid 90s, you could use them as ASCII terminals and I would dial-in to a modem and get a command line prompt. I don’t think this works today, but in the pre-notebook PC days it was a great way to redeem the time at the Denver Airport.

I worked at TIS back then and Steve Crocker was my supervisor. I pointed these out to him and we talked about the desire to be as connected as possible. He looked at me and said, in all honesty, “I can hardly stand to get on an airplane.” (When jets get Internet connection in the air, I am sure that he will be flying in the business or first class cabin and be connected for the duration of the flight.)

Reading David’s article reminded me of how I react today when our ADSL connection goes down. (I’ll not go into it, but it’s not pretty.) I can also relate to the phenomenon of relying on the Internet (and e-mail) to the exclusion of other, sometimes more reliable, communications. Have you ever:
  • Repeatedly e-mailed someone waiting for an important response, but forgot about using the telephone?
  • Forgotten that you can get flight information or make an airline reservation or access your bank via the telephone?
  • Gotten lost because you couldn’t get directions from the Internet and didn’t make a phone call?
Yes, the Internet — maybe more specifically, broadband/always-connected Internet — “has definitely crossed over from oddity to necessity…” But, let’s try not to forget about the obvious alternatives.

11/7/04

Tightening XP Security

I taught at NASA Ames recently. Someone in the class, Jack, asked for resources for tightening XP security. There are probably hundreds or thousands, but the ones that came to mind were written by my friend Dave Piscitello of Core Competence. These are the ones to which I referred:
  • How to Harden Your Microsoft Web Server
  • Stepping Up to Windows XP: What to Expect at Your Firewall
  • Take the “Sting” Out of XP Performance Issues
  • Securing XP Desktops: Account and Auditing Policies
  • Securing XP Desktops: Controlling Local Use and Network Access
If you like them, tell Dave he should create a “collection” page, like my Secure E-mail Collection.

11/5/04

Producing Your Network Security Policy

My editor at WatchGuard Technologies, Scott Pinzon, said in part, “‘Producing Your Corporate Security Policy’ has drawn a phenomenal response. In its first few days, it has generated a 95% click-through rate … the highest rate in the shortest number of days [the marketing rep] has ever seen.”

Here is the executive summary: Network security experts agree that well-run corporations need a written security policy. The policy sets appropriate expectations regarding the use and administration of corporate IT assets. However, the conventional wisdom holds that composing and maintaining these documents bogs down in a morass of bureaucratic inefficiency and pointless wrangling, which never ends and produces nothing useful.

This paper lays out a common-sense approach to writing corporate security policies that makes them easier to draft, maintain, and enforce. Our “question and answer” approach requires no outside consultants. Instead, you can use your in-house knowledge and resources to yield a brief, usable, and — most importantly — understandable policy document, in a reasonable amount of time. To help you generate such a policy, this paper clears away some misconceptions about the purpose of network security; details the process of writing the policy; then explains how to keep refining the drafted policy.
Find the complete 15 page paper at www.watchguard.com/docs/whitepaper/securitypolicy_wp.pdf.

It is aimed at small- to medium-sized enterprises. And I just realized, it says, “requires no outside consultants.” Steve Fallin, my collaborator, must have snuck that by me.

10/23/04

Scary words

I just got this week’s issue of “Web Informant” (http://strom.com/awards/347.html) from David Strom. Its title is “Coming to an office near you,” which reports on the Microsoft Office System 2003 launch show.

I read the whole column with interest, and found that certain phrases jumped out at me:
came on over a dozen CDs … many of the bravest souls using this software actually put it into production … the sheer complexity surrounding the number of different versions of Office a … Microsoft is extending the notion of what desktop software is, and with Office 2003 we have applications that can reach out across the Internet for online help, for data via Web services, for document repositories and collaboration via SharePoint, for project management and scheduling information via Project Server, for workflow information via BizTalk, and for automatically filling out forms via InfoPath. Office 2003 is a huge collection of stuff …
Cool. New, exciting features. Things that every one of our users will want. Seamlessly (it doesn’t say that, but what else is there with Microsoft?) connecting your desktop to all sorts of networks.

Yes, I exaggerate. But, in the security/feature wars, Microsoft is on the side of our users, not on the side of security. Newer, bigger, better. How well has it been tested? As I’ve mentioned in a blog (here) before, I use Windows software too. But I also got an e-mail from Microsoft today, starting off, “Included in this advisory are updates for five recently discovered vulnerabilities in Microsoft Windows.” So, perhaps I am in a less than hopeful mood.

Lax Security Will Catch Up With You

Sometimes we can get away with lax computer security for a time. Some might call it luck (or dumb luck), others call it divine favor (Matthew 5:44, 45; Luke 6:35, 36). Eventually, there is judgement day. Let me illustrate by pointing to a recent traffic catastrophe in my home state.

On October 18 in the late afternoon, “Dozens of vehicles crashed Saturday in separate accidents on Interstate 95 as a storm blew through a Baltimore suburb, injuring at least 49 people and forcing authorities to shut down the highway.” (See the news story here, or search for “49 Hurt As Storm Triggers Md. Accidents”.) Two people involved commented that “the road wasn’t slippery but the glare was unusually strong from sleet on the road, even while wearing sunglasses,” and “Everybody stopped because of the glare and the sleet.”

You see, on the highways in Maryland, traffic typically moves at the posted speed limit or above. In addition, the cars and trucks, moving at 60 to 75 MPH, do not maintain what the driving books all call “a safe stopping distance.” When I drive the highways during morning rush hour the speeds average 10 MPH over the limit (for example, 65 on US 29, which has a 55 MPH limit) with a car length or less between vehicles. And that works just fine … usually. But when one or more drivers have to lay on the brakes, this starts a chain reaction. Still, sometimes we get away with it. Other times we get what is depicted in the WBAL-TV11 photo, below.

What is your network going to look like?

Photo of pile-up on I95

9/30/04

Router and DMZ Best Practices

An Institute for Applied Network Security member recently e-mailed and asked me:
What are the best practices for securing your Internet router and also securing your servers on a DMZ?
These are my suggestions:
  1. Lock down administration of the router so that you can only administer it via SSH, and only from the inside network.
  2. Know what your servers do.
  3. Based on #2, limit what kinds of packets can come from the Internet to your DMZ-based servers. E.g., e-mail servers should only receive e-mail-related packets (SMTP, TLS perhaps, POP3 if you allow retrievals from the Internet, etc.), web servers, web traffic (HTTP, SSL, TLS, etc.).
  4. Limit what kinds of packets can come from the DMZ-based servers to the Internet. It’s a web server… it should not originate SMTP. It should not originate anything to the Internet. It should not have any TELNET packets coming out of it to the Internet, etc.
  5. Configure your firewall to likewise be unforgiving about what comes out of the servers on the DMZ destined for the inside network.
Also, see my January 4, 2002 column Basic IP Router Security.
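The five suggestions above amount to a per-server allow-list in each direction plus a default deny. The following is an added example (not code from the original entry) that expresses that policy in Python and evaluates it against a handful of constructed flow records, the kind of check one might run over a firewall log to find rules that are missing. The addresses, server roles, and port lists are assumptions chosen for illustration: a mail server and a web server on the DMZ, an inside network on 10.0.0.0/24, and a router administered only over SSH from inside.

```python
# Added example: policy-as-code for the router/DMZ suggestions above.
# All addresses, roles, and port lists are constructed for illustration.

ROUTER = "192.0.2.1"                      # the Internet router (constructed)
DMZ_SERVERS = {"192.0.2.10": "mail",      # DMZ hosts and their roles (constructed)
               "192.0.2.20": "web"}
INSIDE_NET = "10.0.0."                    # inside network prefix (constructed)

# Step 3: what the Internet may send TO each role, as (proto, dst port).
INGRESS_ALLOW = {
    "mail": {("tcp", 25), ("tcp", 587), ("tcp", 995)},   # SMTP, submission/TLS, POP3S
    "web":  {("tcp", 80), ("tcp", 443)},                 # HTTP, HTTPS
}
# Step 4: what each role may ORIGINATE toward the Internet.
EGRESS_INTERNET_ALLOW = {
    "mail": {("tcp", 25)},   # outbound mail delivery only
    "web":  set(),           # a web server originates nothing to the Internet
}
# Step 5: what each role may originate toward the inside network.
EGRESS_INSIDE_ALLOW = {
    "mail": set(),
    "web":  {("tcp", 5432)},  # e.g. a database behind the firewall (constructed)
}


def zone(ip: str) -> str:
    """Classify an address as router, dmz, inside, or internet."""
    if ip == ROUTER:
        return "router"
    if ip in DMZ_SERVERS:
        return "dmz"
    if ip.startswith(INSIDE_NET):
        return "inside"
    return "internet"


def evaluate(flow: dict) -> tuple:
    """Return ("allow"|"deny", reason) for one flow {src, dst, proto, dport}."""
    src_zone, dst_zone = zone(flow["src"]), zone(flow["dst"])
    key = (flow["proto"], flow["dport"])

    # Step 1: router administration only via SSH and only from inside.
    if dst_zone == "router":
        if src_zone == "inside" and key == ("tcp", 22):
            return "allow", "router admin over SSH from inside"
        return "deny", f"router admin must be SSH from inside, got {key} from {src_zone}"

    # Step 3: Internet -> DMZ limited to the server's job.
    if src_zone == "internet" and dst_zone == "dmz":
        role = DMZ_SERVERS[flow["dst"]]
        if key in INGRESS_ALLOW[role]:
            return "allow", f"{role} server accepts {key}"
        return "deny", f"{role} server does not accept {key} from the Internet"

    # Steps 4 and 5: DMZ servers originate only what their role needs.
    if src_zone == "dmz":
        role = DMZ_SERVERS[flow["src"]]
        table = EGRESS_INTERNET_ALLOW if dst_zone == "internet" else EGRESS_INSIDE_ALLOW
        if key in table[role]:
            return "allow", f"{role} server may originate {key} to {dst_zone}"
        return "deny", f"{role} server may not originate {key} to {dst_zone}"

    return "deny", "no rule matches; default deny"


def audit(flows: list) -> list:
    """Return [(flow, reason)] for every flow the policy would deny."""
    denied = []
    for flow in flows:
        verdict, reason = evaluate(flow)
        if verdict == "deny":
            denied.append((flow, reason))
    return denied


# Constructed sample flows, as a firewall log might summarise them.
SAMPLE_FLOWS = [
    {"src": "198.51.100.7", "dst": "192.0.2.20", "proto": "tcp", "dport": 443},  # allow
    {"src": "198.51.100.7", "dst": "192.0.2.20", "proto": "tcp", "dport": 22},   # deny
    {"src": "192.0.2.20",   "dst": "203.0.113.9", "proto": "tcp", "dport": 25},  # deny: web server sending mail
    {"src": "192.0.2.10",   "dst": "203.0.113.9", "proto": "tcp", "dport": 25},  # allow
    {"src": "192.0.2.20",   "dst": "10.0.0.5",   "proto": "tcp", "dport": 5432}, # allow
    {"src": "192.0.2.20",   "dst": "10.0.0.5",   "proto": "tcp", "dport": 445},  # deny
    {"src": "10.0.0.8",     "dst": "192.0.2.1",  "proto": "tcp", "dport": 22},   # allow
    {"src": "198.51.100.7", "dst": "192.0.2.1",  "proto": "tcp", "dport": 22},   # deny
    {"src": "10.0.0.8",     "dst": "192.0.2.1",  "proto": "tcp", "dport": 23},   # deny: telnet admin
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"DENY {flow['src']} -> {flow['dst']}:{flow['dport']}/{flow['proto']}: {reason}")
```

The point of the egress tables is step 4: the web server sending SMTP is denied not because SMTP is bad but because it is not that server’s job, which is exactly the signal a compromised DMZ host gives off. Anything the tables do not mention (inside-to-Internet traffic, for instance) falls through to the default deny, so the policy has to be stated completely before it is enforced.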

9/22/04

Another reason to think twice about MS Windows

I’m thinking the folks in Redmond just never want to see the words “Microsoft server crash” and “causes 800-plane pile-up” in the same sentence. The word “nearly” helps, but not much. I read this in techworld.com, which was referred by slashdot.

9/20/04

Who’s fooling whom?

We believe what we read on-line, even when we know it is false. Months ago, I blogged The Dilution of Truth on the Internet. I pointed out that people tend to trust what they read on a computer — sometimes without much thought. Today, I found that the problem goes deeper.

In reading the Slashdot RSS feed today, I read an entry entitled Human-Powered Spam Filtering. The article pointed to this brilliant web site. Read it. It is lovely. It is also a joke. No, I mean a real joke.

It is not so interesting that it is a well-done spoof. What interests me is that even after someone pointed out that it was a joke, people just ignored that and continued to ignore that fact. (I won’t spoil your fun. Read the web site.) Do we just not read? Or is the debate more important than the truth? As I write this there are 297 comments posted.

I was going to end this with the line. “I think we’re all Bozos on this bus.” It is from “The Firesign Theater.” Or is it? I decided to ask the Internet. A search for “We are all bozos on this bus” turned up someone who claims it is from a “Cheech and Chong … record.” — search for that phrase and “chong” and you will turn up that erroneous reference. Checking www.firesigntheatre.com not only shows that indeed the quote is from them, but there is a picture of the album cover and an MP3 snippet with the phrase.

Nevertheless… sometimes I think we are.

Appreciating the Importance of History in Network Security

The Institute for Applied Network Security posted a column I wrote. Find it here. I based it on my March 2004 blog entry, Security Redux, in which I discussed the danger in rehashing the same old questions without remembering the same old answers.

I am an Institute faculty member and wrote about our regional forums in a November 2003 blog entry.

9/6/04

The Connected Generation

This generation is more “connected” than any other in our history. That statement deserves a “Well, duh!” Or at least a big, “Yes, so what’s your point?” I mean, it is obvious. But, I thought about this as we sent our 3rd child off to college.

First, mobile phone plans make it so easy to stay in touch by telephone. “Long distance” rates are meaningless to those who have a bunch of “anytime minutes” and “unlimited” long distance phoning at nights and on weekends. In addition to that is text messaging and phone-to-Internet e-mail.

Next, we have live Internet chat, complete with voice and video. It doesn’t replace an “in person” visit, but when I was in college (here it comes, reminiscences from an old guy), we didn’t have e-mail, except to other users … on the same mainframe. To connect with parents and friends we used postal mail and long distance phone calls, when we could afford them.

Another example… as I was writing this, a friend came on line. She’s a missionary in Africa. Postal mail works most of the time. But, message turn-around is slow. (Another friend is a missionary in Ukraine. Postal mail works half the time. It is not very efficient.) But, Internet with voice and video work just fine, and when it doesn’t work you immediately know about it.

A small world gets smaller.

9/2/04

Arrrrrg.

“Firewall vendors such as Check Point Software Technologies and Juniper Netscreen are touting new application-layer filtering capabilities, and these are important advances.”

This was in an InfoWorld analysis by Roger A. Grimes, titled Security landscape shifts as technologies combine. The analysis may be terrific. I cannot get past this statement. The advances were new in 1992. Not today. And we continue to forget our history.

Tim Kramer commented:
“This is a facet of the recurring argument: Layer 7 vs. Layer 3/4. Now they’ve added pseudo Layer 7 inspection to Layer 3/4 devices and they’re calling it “better”. The improvement is a few milliseconds in speed, the tradeoff is security as Layer 7 proxies are still better at limiting/logging content passed thru a firewall.”
Thanks, Tim. I agree, of course.

8/29/04

Report Suspicious Activity

Any of us who drive the Interstate Highway System in the US have probably seen centrally-controlled highway information signs. In Maryland, these “Variable Message Signs” (VMS) are overseen by CHART, the Coordinated Highways Action Response Team. Usually, the signs report traffic conditions or warn about accidents ahead. Often, it seems, when they have nothing else to do, they say something along the lines of, “REPORT SUSPICIOUS ACTIVITY — CALL 800 492 TIPS.”
Picture of HW Sign


As I drove by this the other morning, I thought, “Yeah, right. What’s ‘suspicious’? If the traffic was moving a bit faster… now that would be suspicious.”

Then I realized, I was mistaken to be so derisive. Because, while we cannot define suspicious activity, I think we often know it when we see it. I mean, by definition, it is activity that arouses uncertainty or seems strangely out of place. It is directly linked to feelings. Suspicion is subjective. It is not easily measurable. And that is just fine.

This is why user education is still a viable part of a network security defense. Surely, security mechanisms such as firewalls, antivirus protection, etc. don’t forget and so are more reliable than just educating the user, whose main task usually has nothing to do with security, to avoid doing bad things. But, users are very good at recognizing when, as Miss Clavel of Ludwig Bemelmans’ classic Madeline children’s books noted, “Something is not right!” So, we remind our users that they should report suspicious activity. Such as people with masks over their heads approaching the building? I suppose so. But, in our realm we’re more interested in the network seeming to run slower than usual, the desktop computer crashing (more than it usually does, perhaps), “phishing” attempts, increased disk activity when nothing seems to be happening, or computer performance degradation.

Foolproof? No. Cost-effective? It depends. (A very important security answer.) It depends on how much it costs. In user education, a small amount of money goes a long way. It’s like those highway signs. Will they hinder a terrorist attack? Maybe not. But… maybe. When securing your network, someone will probably notice when something is amiss. It doesn’t cost very much to help them remember what to do.

Fred Wamsley, CISSP and principal with Beryllium Sphere LLC, commented, “A CERT study backs up your argument. They recently released a study of insider attacks, and looked into how they were detected. Mostly it was not security personnel who spotted the fraud/sabotage/whatever. Usually a customer or another employee noticed something out of the ordinary.”

8/26/04

More Same Old Stuff

Ira Winkler, in a searchSecurity column, says more of the same old stuff. Of course, as I mentioned in my blog “Same Old Simple Things,” that’s just what we need to hear … and apply! One thing that Ira says stands out: “Therefore, in terms of traditional risk, your organization is exponentially more likely to suffer regular losses due to completely preventable computer problems than to be hit by cyberattacks.”

See his complete column at this really long and ugly URL.

8/25/04

Scrap MS Word?

We’ve heard (or made) recommendations to scrap MS products. Recently, I shared The Things I Hate About Outlook. This morning my Slashdot newsfeed served up Time to Kill Microsoft Word? I’ll just let you read it, but it pointed to an ABC News commentary by John Dvorak, Kill Microsoft Word. (If the long and ugly URL disappears, an Internet search for the author and title should turn it up.) Basically, Dvorak lists the things he hates about Word.

The Slashdot posting points to openoffice.org. I’ve gone through this exercise before. How important is compatibility? Will OpenOffice allow me to create “portable” documents (word processor and presentations)? More important for my world, will it allow me to receive and use documents from others?

I’ll find out, but I am interested in hearing from others in the same boat, who need compatibility of sorts with MS Office, and who have made the switch — successfully or not.

8/24/04

Spam Firewall Bogon Alert

Maybe I am just cynical. The headline is “Revolutionary Spam Firewall.” I saw it on slashdot. It pointed to the PhysOrg.com article. My bogosity filter started right off.

“a groundbreaking firewall…” “The new technology is the only true spam firewall in existence.” Matthew Sullivan, one of the developers, explains, “Existing anti-spam software filters out spam whereas ours puts up a firewall, stopping all email traffic and only allowing real mail through.” Sort of like filtering. “It is the only anti-spam software that analyses emails as a whole picture, rather than based solely on components such as key words or phrases.”

Well, the only one … not counting Bayesian filtering, for example. Let me know if you know if this is really different. It doesn’t sound like it to me. My filter pegged this as a bogon.

The Things I Hate About Outlook

These are some of the features I hate about Outlook.
  • I believe it is getting better, but by default it puts features (usability and presentation) over security. I had to turn off the automatic formatting in Outlook (I want to send only plain text messages, not HTML, not RTF). Still, if I forward or reply to a message that has been formatted, I have to explicitly tell it to send it plain.
  • Outlook with Exchange acts as if the whole world can access “The Address Book.”
    Your message
    To: zzzz@avolio.com
    Subject: security truisms
    Sent: Thu, 12 Aug 2004 06:24:51 -0700
    did not reach the following recipient(s):

    Schmidt, John Jacob Jingleheimer on Thu, 12 Aug 2004 06:50:56 -0700
    The recipient was unavailable to take delivery of the message
    Okay, quick. What’s missing? Right, Mr. Schmidt’s e-mail address. If e-mail to him is bouncing I’d like to contact him or remove him. If his e-mail address is something obvious — oh say, jjj.schmit@someplace.dom — I can deal with it. If it is an address unrelated to his name, I’m out of luck. Also missing is why he was “unavailable.” Step out for coffee, did he? Moved and left no forwarding address? Disk write error?

    In addition, if you forward a message, the e-mail addresses are lost — just the full names remain. In other words, potentially important information is lost.
  • In fact, Outlook discards all e-mail headers it doesn’t care about, but which are required for debugging. It doesn’t just hide them, it removes them.
  • It tries to be too smart. When you enter text in your address book (Contacts manager), instead of filling in fields, it tries to guess what is what. All those “smarts” would make things easier for the user, if it did not also make things slower for the user. Fast and simple beats slow and complex.
  • There’s too much reliance on “point and click.” I want to set up a distribution list by 1) giving it a name and 2) typing in all the e-mail addresses separated by commas. (I could live with semi-colons — see next item.) I don’t want to have to enter them separately, one at a time.
  • It insists on rewriting (breaking) nice, standard, RFC822 (okay, I am showing my age — RFC2822) addresses. What is wrong with the following?
    Joe E Smith <joe@avolio.com>, (Mary Jones) mary@avolio.com

    Nothing. But Outlook will insist on making it
    “Joe E Smith” [joe@avolio.com]; “(Mary Jones)” [mary@avolio.com]
Outlook. It has been said before: Lookout.
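To show that the address list in the last item really is standard, here is an added example (not code from the original entry) that runs it through Python’s standard-library RFC 2822 address parser, checks that every entry yielded a usable addr-spec, and re-emits the list in canonical name-addr form. The header value is constructed from the two forms quoted above; the function names are my own.

```python
# Added example: parsing the RFC 2822 address forms quoted above with the
# Python standard library. The header value is constructed for illustration.
from email.utils import formataddr, getaddresses

# Constructed: the two forms the entry calls standard, a name-addr and a
# comment in front of a bare addr-spec.
ORIGINAL = "Joe E Smith <joe@avolio.com>, (Mary Jones) mary@avolio.com"


def parse_recipients(header: str) -> list:
    """Return [(display_name, addr_spec), ...] for one address-list header."""
    return [(name, addr) for name, addr in getaddresses([header]) if addr]


def addr_specs(header: str) -> list:
    """Just the deliverable addresses, in order."""
    return [addr for _, addr in parse_recipients(header)]


def is_well_formed(header: str) -> bool:
    """True when every parsed entry carries an addr-spec with a domain part."""
    pairs = parse_recipients(header)
    return bool(pairs) and all("@" in addr for _, addr in pairs)


def normalize(header: str) -> str:
    """Re-emit the list as comma-separated name-addr entries (RFC 2822 style)."""
    return ", ".join(formataddr(pair) for pair in parse_recipients(header))


if __name__ == "__main__":
    for name, addr in parse_recipients(ORIGINAL):
        print(f"{addr!r:24} display name: {name!r}")
    print("well-formed:", is_well_formed(ORIGINAL))
    print("canonical:  ", normalize(ORIGINAL))
```

`getaddresses` keeps the comment and the bracketed name as display names and separates the addr-specs cleanly, and `formataddr` puts each pair back in name-addr form with a comma separator, which is the form any RFC 2822 agent will accept. A client that rewrites such a list into its own bracket-and-semicolon notation is the one departing from the standard.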

Tim Kramer, via e-mail, adds the following:
even though you’ve turned off HTML in an attempt to author flat text e-mails, Outlook still feels the need to add its own encoding so that the author’s word-wraps get encoded into the email along with some really odd handling for quotation marks.

8/20/04

No place is too far removed

Slashdot reports that the South Pole Research Station Hacked Twice. In E-mail Postage Due, I said, “On the Internet, every call is a local call.” Of course, it is deeper than that. On the Internet, everyone is potentially your network neighbor. And it is not Mr. Rogers’ Neighborhood.

8/19/04

Kennedy Can’t Fly

One of the most recognizable US Senators (perhaps recognizable throughout much of the world), Senator Edward Kennedy, had trouble boarding his flight from DC to Boston, and then again when he tried to return. He was on the “no fly” list (“in error,” the AP report indicates).

Homeland security is important. But we don’t want to leave our brains at the door. True, the Senator might be a terrorist. But, if I’m a ticket agent in Washington, I think maybe I’d have read about it or seen it reported, at least on Fox News or CNN. Do you agree? Or do we toss out common sense for the sake of security?

See the report at Yahoo. (If the link is broken, search for the headline: Error Puts Kennedy on Airline No-Fly List.)

8/17/04

Outlook – Just say “no”.

“Refusing to join the modern world [in not] implementing Microsoft Outlook”

I will have more to say in another blog entry. But, for now I wanted to share an e-mail I received and my comment.
Mr. Avolio,

I recently read an article you co-wrote that was published in Information Security Magazine. I hope you can answer a quick question for me…

I work for a local community college in Canada and our IT department is refusing to join the modern world by implementing Microsoft Outlook. Currently all users are forced to use the mail feature of Netscape Communicator 4.79. We are using the IMAP protocol.

We are told that Outlook is less ‘safe’ and not as ‘secure’ as Netscape when it comes to preventing the spread of viruses throughout the system.

Does this make any sense?
This was my reply:
It makes complete sense and they are 100% correct. You should praise whoever had the guts to say no to Outlook as an email client.
I have to use Outlook in a new day job. I’ll talk about what I hate about it. Some has to do with basic e-mail functionality. Others have to do with security. More anon.

Homeland Security Certification

Business has been a little slow, so the mailer caught my eye. “Certification, Training, and Continuing Education in HOMELAND SECURITY” was emblazoned across the “Stars and Stripes.” Cool. Maybe that’s just the ticket to increase the knocks on my electronic door.

The first thing I would have to do, of course, is become a member in good standing of the American College of Forensic Examiners Institute. CHA-CHING. That’s $130 for the first year or $1,750 membership for life. I don’t know. “Member for life” is attractive: if I live another 45 years, I’m saving over $100 a year! But, will I want to be doing this into my 90s? Oh, an additional $350 for the “Homeland Security Program” add-on to this. Total, $480. I’ll have to think about this. But, would I even qualify?

The questionnaire is next. “Application for Immediate Granted Certification in Homeland Security,” presumably with all the rights, honors, and groupies associated with same. Under experience, I start to get nervous. Military experience? Nope. Law enforcement? No, unless you count being a parent. Private security experience. Ah, good. I was CSO at TIS for a year. (Maybe less than a year, but I’ll round up.) That’s good for 15 points. You get an additional 5 points for each year of “overall private security service.” This sounds like double-counting, but I’ll grab that additional 5. I have 20 points, so far.

I was not a firefighter. Nor was I ever in the medical or health fields. But, oh boy! Under “Other Homeland Security Related Experience,” we have “cyber security.” Right there out in the open like that’s a real field. Well, I suppose in 18 or so years in computer and network security, I’ve secured some cybers. The kicker is I get to pick the number of points that should be worth. Being a modest guy, I’m saying 25 points.

I get 35 points for my master’s degree and 15 points for my TICSA certification. Under training, I get nothing because I am not a “Diplomat” in the “American College of Forensic Examiners Institute.” (And does it bother you that both “College” and “Institute” are used in that?) Nor have I taken or taught any “Homeland Security-related courses.” But under “Knowledge” they have that phrase “or related.” I get 10 points for each presentation on “Homeland Security or related topics.” Heck, I don’t know, I bet it’s around 40 over the past 4 years. 400 points. 15 points per professional article (related topics), so let’s call it 20, for 300 points. Finally, 5 points for every conference I’ve attended on Homeland Security (none) or related topics (10-20) — 50 points. My grand total is 845 points! Wow. An “Immediate Granted Certification in Homeland Security” Level 1 only needs 100 points. For 200 or more I could get a Level 2. And 300 or more is a Level 3. Heck, I’m clearly a Level 3 then. But with 845 points I think I want another level added.

Oh, but wait. I still have to pay $480. Never mind.

8/12/04

8/7/04

Same Old Simple Things

I was re-reading one of Marcus Ranum’s posts to the firewall-wizards mailing list (Tue, 20 Jul 2004 23:49:40 -0400). It was terrific. Jump to it and read it.

Plain and simple stuff that — if people do them — will reduce risk.

I had a similar list in an Advanced Firewalls class I taught for N+I and a “Tools and Techniques” class for CSI. I got bad reviews in the Advanced Firewalls class. Maybe I am a crummy teacher, but of course I don’t believe that. I think the students really want some really neat-o, cool devices to run, hand-held thingies to try, and something that was wireless as well. But few of those things help as much as sticking to the basics. And they don’t like to hear it.

I just saw an article via Security Wire Perspectives. If this ugly URL isn’t broken, you’ll again find a whole bunch of brilliant stuff that a very few of us keep pounding on. See this ugly URL. So, I wondered: how do we ever get people to listen when they really, really do want magic or priest-craft?

Marcus pointed out that “‘my words, like silent raindrops fell…’ – nobody wants to hear it.”

A few days later, I was looking for something to help an IT manager start looking at security policies. I found a number of old articles on my site, for example: What is the matter with the industry? Those old papers are still accurate. They are still useful. They are 5 years old. Should I be concerned that we’re not growing up and moving on? The old, simple, basic things still work and are still needed and are still ignored.

7/24/04

Book Review: The Day the World Came to Town, 9/11 in Gander, Newfoundland

Yes, I’ve got a thing for remembering 9/11/2001 (see the picture on the bottom of my home page). And I have always been intrigued by the closing of the US airspace that day and the days following. (See this photo from Gander International Airport.)

In NetSec Letter #13 from 23 October 2001 entitled “Afterthoughts and Lessons to Learn,” I said, “How do we know the good guys from the bad? … Get the good guys out of the sky. The principle demonstrated is important. The fewer potential attack agents, the fewer avenues of attack, the easier your task of protection and detection can be.”

I got this book for my birthday from my darling wife. It is a book of wonderful stories, individuals’ stories describing the effects of that day on stranded travelers and the locals, and how a 10,000-person town doubled in size for a few days. Because of the subject matter, it cannot help but evoke tears in some (like me). Over and over again, my heart was touched with the stories of simple caring, one for another. This was a great birthday gift.

“… for I was hungry and you gave Me food; I was thirsty and you gave Me drink; I was a stranger and you took Me in; I was naked and you clothed Me … Assuredly … in as much as you did it to one of the least of these you did it to Me.”
Matthew 25:35-40


7/19/04

Push to talk — what to do?

Recently, I ranted about PTT technology on mobile phones. (Find it here.) Someone named Saso called me to task:
… it seems to me that you left a bit too much as an exercise for the reader. What am I talking about? The Push to talk service provides people with a perfect eavesdropping device. The TSCM industry will love this one. All mobiles should already be banned from meeting rooms, but since they’re not, often they get used as one party’s way to let more people in to the discussion than there are physically present parties. For that to work in the old days, you’d need an accomplice on the inside or physical access to the room. Now, all you need is the name of one of the parties attending a strictly confidential meeting and their direct call number. And you don’t even have to be anywhere near the meeting place, like in the old times. Is the handset beeping loud enough when you establish a connection? Loud enough not to be drowned in the average office noise? Street noise?
(As a funny coincidence, someone just walked by the office I am sitting in today, talking on this annoying walkie-talkie mobile phone. 🙂 Or maybe they are really ubiquitous.)

These are all good points, and yes I should have made some observations and recommendations instead of just grumping. First, the open questions to answer:
  • Is it possible to turn off this feature? Almost certainly, “yes.”
  • Can someone else connect with you without your knowledge? “Yes,” if you miss the BEEP.
  • Can someone else listen in without your (you are the owner of the phone) knowing it? “No,” you have to hold a button down when talking just like a real walkie-talkie.
  • But, can an insider broadcast a meeting to an outsider without anyone else knowing it? Sure. But, this is the case with all mobile phones. This is one reason they are prohibited in certain secure facilities. (That and the cameras that come with them. See Dave Piscitello’s comments here.)
So, probably this feature on mobile phones is more of an annoyance than a security risk. But, there is a similar feature in some office telephone systems: the intercom.

To my left is a “COMDIAL Impact” telephone set connected to the office phone system where I sit today as I type this. Anyone here can “Intercom” to my phone set. There is a beep and they are expected to speak, such as, “Fred? Call from your wife.” Or, “Fred? Would you stop by?” Now, the important part is the notification BEEP. What if someone does this when I am out getting a cup of coffee? What if a bad guy did something to my phone so that it did not beep? Would I know someone was listening? There is a visual indication that the phone is connected to someone else’s, but would I notice it? (No, I would not.) In an office environment, that would concern me more than Push to Talk. But, PTT is still more annoying.

7/17/04

How Much is Too Much?

We in computer and network security, and those who claim to be, find ourselves talking about paranoia. Now, the definition we are talking about is the second one we find on dictionary.reference.com, “Extreme, irrational distrust of others.” In computer and network security, the “extreme” part is alright, as is the “distrust of others.” Of course, it is the “irrational” part that doesn’t belong.

Rational distrust versus irrational is often what separates the grownups from the youngsters (darn, that is the second time I wrote that word on this blog today, and it is still a year before I turn 50!) — in Internet parlance, the wizards from the newbies. It does not separate those who have certifications from those who do not have them (not in the direction you might think, anyway). It takes experience, and it takes a risk assessment that takes all controls into account, to know what to be afraid of and what not to.
Yeah I might be a little bit loco
But it keeps me from losin’ my mind
Oh but half insane that’s ok
Babe a little bit crazy’s alright.
— From “Loco,” by David Lee Murphy

4/22/04

Useless Warnings

Some large corporate network has been targeted for attack by “the hacking community.” Reports show that they have been conspiring on numerous chat rooms across the Internet. The encoded discussions have not been deciphered, but the traffic analysis points to something rather big. It could be a network-based attack. It could be a physical or an inside attack against some particular, but as yet unknown, large corporation. Your company is a large corporation. What will you do?

This ran through my mind as I was listening to the “9/11 Commission” last week, and the questions posed to Dr. Rice. I also thought about it as I read Technical Cyber Security Alert TA04-111A, telling us TCP is broken, so we should run for the hills. (Okay, it doesn’t really say that, but as reported by InfoWorld it sounds like it.)

Just like when the Department of Homeland Security raises or lowers the Threat Advisory (it is “yellow” as I type this), your best bet is to stay the course and keep verifying that you are on the right course. You also need to be able to distinguish between useful and useless information. Or, in Dr. Rice’s parlance, recognize what is “actionable.”

For an interesting “alternative history,” see the April 9, 2004 Easterblog.

4/20/04

Spam — a brief historical perspective

I noticed InfoWorld’s online special report E-mail is broken. While there is nothing new in the suggested solutions, I welcomed the reminder of Jon Postel’s RFC 706, “On the Junk Mail Problem.”

4/16/04

My Current Spam Barrier

Almost a year ago, I wrote a column entitled Spam Control. I thought I would give a brief update. I am assuming you have read the previous column.

First, I am very happy with the results. Almost no spam gets through to me. By “almost” I mean 1 in 200 or better. Those that do get through are often borderline spam. For example, because I occasionally write for Information Security, my e-mail address there receives a bunch of unsolicited press releases. I also sometimes get really short e-mail messages that look to me like someone wasn’t really sure how to use his bulk e-mail software. But mostly, I get no spam.

Since that column, I’ve made the following changes:
  • I’ve trained SpamAssassin with a bunch of “spam” and “ham.” I’ve cut back dramatically on the number of regular expressions I use for spam-blocking in Postfix tables. In other words, I am depending on SpamAssassin more. (The long regular expressions caused my e-mail server to sink into an abyss of stalled processes once or twice.)
  • I’ve set Postfix to discard anything with a very high spam score, and to hold anything marked as spam but with a lower score.
  • Occasionally, I use IMAP to pull down just the headers of all the “held” e-mail. Usually, it is a less-than-a-minute process to pull down and visually scan the headers.
As you can see, you’d not need to know anything about me or my “ham” to quickly scan these, mark and delete them, and update the server. As I said, a minute or less a day.


In the example, there is one e-mail message that was from someone I knew. Was it spam? It had all the characteristics. And it was forwarded a bunch of times. So, I did notice it and I read it. But, it was one of those “pass this on to everyone you know” sort of e-mails. So, well-done, SpamAssassin.

I don’t use any (to speak of) anti-spam processing on my desktop. And my set-up will scale. I am not doing anything that you could not do in a very large organization.
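The two-tier policy described above (discard the high scorers, hold the rest of what SpamAssassin flags, then eyeball only the headers of the hold queue), written out as an added example in Python. This is not the author’s Postfix configuration; it assumes SpamAssassin has already stamped each message with its standard X-Spam-Status, X-Spam-Level and X-Spam-Flag headers, and the discard threshold of 15.0 and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string

# Illustrative threshold (an assumption for this example, not the author's
# number). SpamAssassin itself decides "flagged" at its own 'required' score
# (5.0 by default); anything at or above DISCARD_SCORE is dropped unseen.
DISCARD_SCORE = 15.0

# SpamAssassin writes "Yes, score=7.8 required=5.0 tests=..." (older 2.x
# releases wrote "hits=" instead of "score=").
_STATUS_RE = re.compile(
    r"^(Yes|No),\s+(?:score|hits)=(-?\d+(?:\.\d+)?)\s+required=(-?\d+(?:\.\d+)?)",
    re.IGNORECASE,
)


def parse_spam_status(value: str):
    """Return (flagged, score, required) from an X-Spam-Status header value."""
    m = _STATUS_RE.match(value.strip())
    if m is None:
        raise ValueError(f"unrecognised X-Spam-Status header: {value!r}")
    return m.group(1).lower() == "yes", float(m.group(2)), float(m.group(3))


def classify(raw: str) -> str:
    """Map one raw RFC 822 message to DISCARD, HOLD or DELIVER.

    Mail that carries no X-Spam-Status at all (SpamAssassin never saw it)
    is delivered rather than dropped: a missing scanner fails open to the
    mailbox instead of silently eating mail.
    """
    msg = message_from_string(raw)
    status = msg.get("X-Spam-Status")
    if status is None:
        return "DELIVER"
    flagged, score, _required = parse_spam_status(status)
    if score >= DISCARD_SCORE:
        return "DISCARD"
    if flagged:
        return "HOLD"
    return "DELIVER"


def triage(raw_messages):
    """Sort messages into the three queues; returns verdict -> list of Message."""
    queues = {"DISCARD": [], "HOLD": [], "DELIVER": []}
    for raw in raw_messages:
        queues[classify(raw)].append(message_from_string(raw))
    return queues


def review_lines(raw_messages):
    """One line per HELD message: spam level, sender, subject.

    This is all a headers-only IMAP fetch of the hold queue gives you, and all
    you need to decide release-or-delete without knowing the recipient's "ham".
    """
    lines = []
    for msg in triage(raw_messages)["HOLD"]:
        level = msg.get("X-Spam-Level", "")
        sender = msg.get("From", "?")
        subject = msg.get("Subject", "")
        lines.append(f"{level[:10]:<10} {sender[:28]:<28} {subject[:40]}")
    return lines


# Constructed sample traffic (not real mail): a clean newsletter, a chain
# letter from a real contact that scored as spam, an obvious spam, and a
# message that bypassed the scanner entirely.
SAMPLE_MESSAGES = [
    "From: notes@example.com\nSubject: Weekly notes\n"
    "X-Spam-Status: No, score=1.2 required=5.0 tests=HTML_MESSAGE\n"
    "X-Spam-Level: *\n\nNothing to see here.\n",
    "From: friend@example.net\nSubject: FW: FW: FW: pass this on to everyone you know\n"
    "X-Spam-Status: Yes, score=7.8 required=5.0 tests=HTML_MESSAGE,BAYES_80\n"
    "X-Spam-Flag: YES\nX-Spam-Level: *******\n\nYou MUST forward this...\n",
    "From: x1@example.org\nSubject: \n"
    "X-Spam-Status: Yes, score=21.3 required=5.0 tests=BAYES_99,HTML_MESSAGE\n"
    "X-Spam-Flag: YES\nX-Spam-Level: *********************\n\nbuy now\n",
    "From: colleague@example.com\nSubject: lunch?\n\nNoon?\n",
]

if __name__ == "__main__":
    for verdict, msgs in triage(SAMPLE_MESSAGES).items():
        print(f"{verdict:8} {len(msgs)}")
    print("\n".join(review_lines(SAMPLE_MESSAGES)))
```

In Postfix the same two tiers are ordinary `header_checks` rules, and order matters because the first matching pattern wins: a line such as `/^X-Spam-Level: \*{15,}/ DISCARD` has to come before `/^X-Spam-Flag: YES/ HOLD`, or nothing ever reaches the discard tier. The fail-open rule in `classify` is the part worth copying: if the scanner dies or is skipped, mail should land in the mailbox, not vanish.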

4/13/04

This about sums it up

This was on an ISP’s newsgroup. This captures the spirit that many people have when implementing security solutions. It brightened my morning in a strange sort of way.
I don’t know what kind of protection I’m getting, but at least it’s not interfering with anything I want to do.
Chicka Boom, Chicka Boom….don’tcha just love it?

4/12/04

God does not promise…

  • To never embarrass me.
  • To follow my agenda.
  • To abide by my definition of what is right and just.
  • To follow my schedule.
  • That I will triumph in this world.
He does promise…
  • To glorify the Son (through me or in spite of me).
  • To be with me always, even to the end of the age.
  • That I already stand before Him as a righteous son,
    because of someone else’s payment and someone else’s righteousness.
  • That all things work for good for those who love God
    (not that all things are good).
  • That He will triumph.

4/8/04

Terror Attack Using Livestock?

The Fox News Network headline said, “US Prepares for Possible Terror Attack Using Livestock.” Now, anything having to do with terrorism demands some attention. But, I admit that what first came to mind was the scenes from Monty Python and the Holy Grail with the French catapulting livestock—cows, chickens, etc.—down on King Arthur and his knights.

Then I got to thinking… If livestock were somehow infected, would that really be considered terrorism? Terrorism, by definition, is meant to cause terror. Infected cattle in the UK caused problems in that segment of the economy, as people who didn’t understand “mad cow disease” avoided beef. Given all of the sources of food the US has, I don’t think such an attack would cause terror. But, then people do talk about cyber-terrorism.

4/6/04

Is Security a Black Art?

In his logoff column in Information Security magazine, Andy Briney opines that “As long as it remains a black art, security will be the enterprise’s black eye.” He writes, “Twenty years after Cohen wrote these words [“Current systems offer little or no protection from viral attack — the only provably ‘safe’ policy as of this time is isolationism,” in Computer Viruses: Theory and Experiment], we still haven’t got a clue how to stop viruses …” He then goes on to state a number of other things that I also believe fairly miss the mark.

Read his column (note, SearchSecure doesn’t maintain old archives; this takes you to iranscience.net). My letter to him:
I’m having a hard time matching your observations with the real world. For example, it seems to me, AV is the one thing we can do fairly well. You say “we still haven’t got a clue how to stop viruses…” Really? No clue? I think you are overboard on the exaggeration scale.

I don’t think our profession is “struggling to gain respect, credibility and funding.” There are solutions — old solutions — for current problems. Our jobs might be frustrating because enterprises focus on what I’ve called the Primordial Security Policy (in NetSec Letter #17), namely “Allow anyone ‘in here’ to get out, for anything, but keep people ‘out there’ from getting ‘in.'” They forget that securing the business is shorthand for maximizing the business while minimizing the risks. And this is always a compromise. They want it all, or — since you were in a cliche mood — they want to have their cake and eat it, too.

Is that a problem? A huge one. Is it fixable? I don’t know. Is it because we lack technology or process? Not at all. Funding will always be an issue, because it is a business decision requiring comparing cost vs. benefit. But the security practitioner remembers that it is not about *security*. It is about securing *business*. That, too, requires compromise.

National Cyber Security Day

So, how did you observe National Cyber Security Day? Or, like me, did you not even know about it? It was April 4, 2004. I noticed this article while browsing the latest news at InfoWorld. The article quotes Alan Paller of the SANS Institute as saying, “I didn’t even know. I’m embarrassed. … It is so ineffective at anything other than having meetings. … It’s hard to even guess what’s going on.”

4/1/04

Security Across the Software Development Life Cycle

The National Cyber Security Partnership Task Force today issued a report on applying security across the software development lifecycle. They probably had a deadline to get it out, but was no one wary about issuing the report on what is—in the United States, anyway—April Fool’s Day?

It does not seem to be a prank. The report is here.

Quoting from that page, the task force met to discuss “how to achieve meaningful and measurable vulnerability reductions through collaborative standards, tools and measures for software; new tools and methods for rapid patch deployment; and best-practice adoption across the entire critical infrastructure.”

Now, granted that reads as if created by a random phrase generator. But there are some very bright folks on the task force, including my old boss, Steve Lipner of Microsoft. So, I think it is worth a read. Which I will do today.

3/22/04

Rethinking Network Security

Lisa Phifer, vice president of Core Competence, Inc., a network security consulting firm, has written an article for the February 2004 Business Communications Review entitled “Rethinking Network Security.” I am quoted in it, only one of the many reasons you should check it out (:-)) here.

3/20/04

Microsoft adding security applications

Remember when you needed a 3rd-party disk-defragmenter for … for what? I forget. Oh, yes. To improve disk performance. (Nowadays, who could tell?) And then Microsoft bundled “Disk Defragmenter” and stole all of Norton’s business. Remember when Microsoft stole all of Symantec’s business when they provided an antivirus program (back with Windows 3.1)? And there went ZoneAlarm’s business (and Symantec’s and McAfee’s) with XP’s Internet Connection Firewall! No, having those things on Windows did not make third-party products go away. Neither will the proposed duplication of 3rd party security applications in LONGHORN (their next OS due out in 2006).

In the “Security Wire Perspectives” (an e-mail newsletter of Information Security magazine) in my mailbox today, Edmund X. DeJesus discusses this news. (See here.) He writes, “These built-in features will make it tough for administrators to decide whether to buy the extra software or simply rely on Windows alone.”

I don’t think so. Not for security applications. Microsoft is not lean and fast enough to address requirements of enterprise users. Home users will probably be just fine using Microsoft software. For example, even though I run XP on my desktop, I rely on a SoHo firewall and ZoneAlarm on my system. Why? As Internet Connection Firewall’s help file says:
You should not enable Internet Connection Firewall (ICF) on any connection that does not directly connect to the Internet. If the firewall is enabled on the network adapter of an ICS client computer, it will interfere with some communications between that computer and all other computers on the network. For a similar reason, the Network Setup Wizard does not allow ICF to be enabled on the ICS host private connection, the connection that connects the ICS host computer with the ICS client computers, because enabling a firewall in this location would completely prohibit network communications.
Yes, well, ZoneAlarm — even the free version — allows me to tune the configuration so that I can control what I share on the home (trusted) net, while still protecting to and from the Internet. And even though for years (since 3.1 or before) Windows has come with a back-up and restore program, I use a 3rd party product for reasons stated in Save your sanity — Backup that PC!

Some of the features sound excellent… for the home user. I am not sure that enterprise users will want to trust Microsoft to do “dynamic system protection.” For home users, it might be a terrific addition. But, Microsoft will not be able to keep up with the demands of corporate users.

XP supports ZIP files, but I still prefer WinZip (it allows one to specify the name of the resulting file — built-in zip does not). Fax support from Microsoft? I use WinFax. Windows has MediaPlayer. RealPlayer is still around. IE does great stuff. You all use IE and Netscape and Opera and Mozilla/Firefox. The only area I can think of in which Microsoft killed off 3rd party applications is in TCP/IP integration.

So, should desktop security vendors be worried? Only if their primary business is retail.

3/19/04

E-mail Postage Due — Eweek editorial

Ed Bride, an editor with Computerworld puts forward a dreadful idea in an eweek guest editorial. I do not know why I noticed this. I get eweek through no fault of my own; I never subscribed and cannot see how to unsubscribe. I usually just recycle it at the post office. For some reason I saw this issue and this editorial.

Bride proposes, “Suppose every addressee cost the sender, say, 1 cent. Would legitimate businesses be willing to pay this fee to increase the likelihood that recipients would read their missives? I believe the answer is yes. The ISP could collect the fee, keep a small portion for its accounting service and remit the remainder to Uncle Sam.”

I have no idea why “Uncle Sam” is mentioned, but I believe the answer is “no.” I don’t suppose Mr. Bride is new to the Internet. Perhaps he doesn’t get or send much e-mail. The problem is not, of course, with legitimate e-mail. It is not even a problem with unsolicited e-mail. It is with unsolicited commercial e-mail or junk e-mail. And whether he can imagine it or not, $.01 per e-mail message will negatively affect one of its greatest strengths.

What we have, and what I pay for with my monthly fee, is essentially the same as the “Unlimited local calling” on my phone line. This is very common in the U.S., though not so common elsewhere. For my $25 a month, I can call as many local numbers as often as I want. For my ISP’s fee, I expect the same.

On the Internet, every call is a local call.

Authenticated E-mail as Anti-spam

Jon Udell caught my eye with an interesting InfoWorld article. Since I am tired of saying “We all need digital signatures, and the spam problem will lessen,” I’ll just let him say it.

3/16/04

Security Redux

Something is going on in the network security world. It seems that we keep talking about the same old stuff. Let me give you some examples.
  • Certification. Are certifications important? When and why or why not? Which ones?
  • Viruses. Email- and other-carried worms and viruses.
  • Buffer overflows and secure programming. Also, the execution of arbitrary code. (Well, not arbitrary — code that the “attacker” wants you to execute.)
  • Usability versus security.
  • Importance of security policies.
  • Strong user authentication in lieu of reusable passwords (for goodness sake).
  • Log analysis tools (and the need for common {firewall, IDS, whatever} log formats).
  • The need for vulnerability analysis scanning.
  • Proxy versus filtering firewalls.
  • And what is this Intrusion Prevention stuff?
Are all (or most) of these things important? Sure. Is there anything new to say about them? Well… not really. Okay, maybe. Let’s take a closer look.

Recently, on the firewall-wizards mailing list was a discussion with the subject “Evolution of Firewalls.” (You can find the archive here.) It was short and started innocently, but disclosed the amount of knowledge that is lost over time, and the willingness of people to press on, even without that historical knowledge. This particular thread started with comparing “Stateful Deep Inspection firewall” technology and application proxy technology, as if there were a significant difference. Marketers — and some security experts — talk about “deep packet inspection” and “application intelligence” as if they are new ideas. (See my column “Debunking the Firewall Hype” here.)

The March 2004 Information Security Magazine has a lead article called “Proxy vs. Packet Filter.” (See this url.) It is written by IP, VPN, and now firewall expert Joel Snyder. There is also a bake-off between firewall vendors in the same issue. Joel is an excellent writer and tester (and teacher). Also an all-around nice-guy. (This isn’t a problem with Joel.) But this article, and the firewall-wizards list thread, might give clues to the problem: we lack a technological memory, or the one we have is faulty.

For example, the tension was never between proxy firewalls and filtering firewalls. No one ever doubted that proxies were better than packet filters. No one doubted — after the Morris Worm — that static packet filtering was insufficient. (And this is an example of this loss of history thing — some reading this do not remember the Morris Worm.) The argument was between “Stateful Inspection” (a Check Point invention) and application proxy firewalls (a Marcus Ranum invention… and yes, yes it was). Is this “memory” important? Of course it is. No one suggests that Stateful Inspection was not a significant improvement. But it is not the same thing as “dynamic packet filtering,” the correct name for the technology that “is built into $99 SOHO devices.” Like a game of telephone (if you don’t know this game, look up “game of telephone” in a search engine), information is lost, but we continue the game unaware or unperturbed.

So, let’s settle all these burning issues now, once and for all. (That statement is tongue-in-cheek. I’m not that arrogant. Really.)
  • Certifications. They are great, especially if you do not have the opportunity to expose your knowledge at conferences and in print. But, they are no substitutes for experience. I know someone who has a CISSP but zero practical experience. It doesn’t make this individual a bad or useless person. But it certainly does show.
  • Viruses and worms. Yes, bad. Do something about it, for goodness’ sake. Run A/V software. All security gateways should screen for them. (Firewalls, e-mail gateways, on corporate and agency networks and ISPs.) Of course, on desktop systems, too.
  • Buffer overflows. They can be checked. They can be fixed. (See here.) And technology exists (and has for years) to take away their sting. (Search for “Mandatory Access Control” in your favorite search engine.)
  • Usability versus security. Yes, indeed, you do actually have to choose. Stop talking about it as if it is going to go away. Over time, details will change, but they will always be in tension, this side of Heaven.
  • Importance of security policies. No one has ever doubted this. We still talk about it. Maybe it needs some new PR. Like a name change. (Kind of like calling “application firewalling” “deep packet inspection.” But enough on that already!)
  • Log analysis and common log formats. We’ve been talking about this one for 15 years. Every time I teach a class and the question comes up I ask, “What are you using for log analysis and reduction?” Someone would say, “Webtrends.” “And do you recommend it?” “Well, it’s okay.” How about if we started demanding a common log format from vendors?
  • Vulnerability analysis scanning. Yes, you should do this. But, do recognize their limitations. (See 26-BeyondVA.html.)
  • Application level firewalls. Of course. And really, it doesn’t matter to me what you call it. Application-specific firewalls are great. (Like the “new” http firewalls.) For example, this SecurityFocus article describes “Deep packet inspection” and —watch out now—”next generation firewalls.” You can read it yourself. But, you will find similar things discussed in firewall papers from as early as 1993. (See fwtk.html and isoc.html for two examples.)
  • Intrusion Prevention. Like a firewall, this prevents intrusion (or tries to), doing more than just intrusion detection. Yes, but application gateway firewalls did this already. For that matter, all firewalls do some of this. The magic is bundling firewalling and intrusion detection. Or, as Network Associates called it in 1999, “active security.” (See this article.) If they would have called it “Intrusion Prevention…” No, it would not have made a difference. You’re right.
So, there you have it. Now, can we move on to new discussions?

[Comments from Paul Robertson, keeper of the firewall-wizards list, are at compuwar.net]

3/15/04

Significant Security Answers

There are some general answers that are very significant if asked in a security context. In no special order:
  • I don’t know.
  • I’m not sure.
  • I am absolutely sure.
  • That can never happen.
  • It depends.
Can you think of others? I am collecting submissions. See SigAns.txt

2/24/04

Martinis, #2

Order a martini in Ukraine at your own risk. I’ve not been everywhere, but the places I’ve been don’t seem to get it. This was confirmed by a friend who lives in Odessa. He said to me, “Hey, you like martinis! I had one the other day when visiting a prison. The director insisted I join her in a martini. I thought, ‘Ugh.’ But it was very good. I was surprised. She showed me the bottle. It said ‘Martini’ right on it.”

Ummm. Yeah. I had to tell my friend he still didn’t like martinis. He had a drink, in a cocktail glass, of dry vermouth. What’s strange — but not that strange — is that the prison director thought it was a martini. I suppose it was false sophistication.

2/21/04

Basis for Salvation

In his weblog cataloging his thoughts and growth in the Orthodox Faith at http://confessio.blogspot.com/ my friend Steve Fallin muses on the question, “Are we even looking at the right thing?” This is a short response to that.

Most excellent Theophilus,

Well, the question that separates the men from the boys, as they say — and in this context, I really mean denominations from each other — is the answer to the question “What is the basis for our justification.” This is shorthand, of course, for 1) how and when are we saved from hell, 2) on what basis are we saved, 3) what is our standing now before God, and a bunch of others. Whose righteousness is this anyway?

The Reformed world (ah, how I am speaking for the whole of the Reformed faith… Not) is comfortable with the apparent tension between Paul and James. Both of them are canonical and the true word of God. The tension is in our minds, I think, because we like things neat and tidy. We want to be able to say, “Oh, okay — gotcha. All I have to do is this, that, and a lot of the other.” But it is not like that. We say, “I don’t understand. How can salvation be ‘sola fide,’ ‘sola gratia,’ and still have James’s epistle in the mix?” But what is the problem? There is no contradiction. God says, through Paul, “this not of yourself, it is the work of God so that no man can boast.” And through James, “faith without works is dead.” Where’s the tension?

You bring up predestination, and write, “Some time ago, I discovered that this basic back and forth has been going on since Geneva and Wittenberg.” Brother, try since the beginning of time. The underlying statement is, “it is not my fault!” See Adam’s accusation of Eve. See Cain’s reaction to God’s challenge. Paul addresses this question, as I am sure you know, in Romans 9. People will always ask this question. (Talk about a straw man! :-)) And — I am not sure that the Lutheran and Reformed views on this are as different as you imply, but I could be mistaken, not being a Lutheran. But your view of Calvinism is certainly wrong. I think you misunderstand irresistible grace. (I taught a class wherein we examined some of these from a Reformed perspective (http://www.avolio.com/~fred/ss/ddf/index.html). I only wish we had recorded them.)

Does the view of irresistible grace mean God forces a person — “rapist to the elect” is the phrase you used? Well, no. But we have to take a step back. What is the state of man according to Scripture? Old and New Testament alike affirm what Paul says. Outside of Christ we are dead in our sins. We were spiritually dead. Not sick. Not misguided. Dead.

What can a dead person do to save himself? Nothing. Even if we think about someone who is nearly but not completely physically dead, the analogy still holds up. What can the comatose person do? Nothing. What can the unconscious person lying at the bottom of a pond do? Nothing. Someone who is able must resuscitate, if anyone is going to. Someone other than the person must do it. And that is what God does to those the Father chooses to give to the Son. Why? For His own glory. (See Ephesians 1.)

So, those God foreknew (Rom 8:29) he chose before creation to be given as a gift to the Son (Eph 1:4-5). He established that point in time when that person would be called by the gospel (Rom 8:28-30). In order to respond to that outside call, the person must be regenerated — he who is spiritually dead is made alive (Titus 3:5, Eph 2:4-5). The Holy Spirit gives that person a new nature, one that sees his true condition and sees his need of a Savior. The Spirit gives the gifts of faith and repentance (Eph 2:8-9, Acts 20:21, Heb 6:1). The believer is justified (declared just or righteous) forensically (legally) on the basis of Christ’s righteousness (Rom 3:24-26). Christ’s payment saves us from the penalty of hell. He also took God’s righteous wrath — the Father’s anger towards us — on the cross, so we need no longer fear that. God gives us a righteousness not of ourselves. So, we can stand before God without fear. But wait, as they say. There’s more.

Not satisfied with that, God adopts the believer into His family (Eph 1:5, Rom 8:15)! Not only as children, but given the full rights of the first-born Son. He doesn’t leave it at that. He puts His Holy Spirit inside of us, and the Spirit sanctifies us throughout the believer’s life (Phil 2:12-13, Heb 12:14, Thes 4:7). (That’s the process in all of this, in the Reformed view.) Our position is guaranteed by the Holy Spirit — with the Holy Spirit Himself (Phil 1:6, Heb 12:2). We will not be cast aside. We were bought with the Blood of Christ. And some day, God promises, we will be with the Lord and we will be like the Lord (Rom 8:30, 9:23).

What about those He does not save, the objects of wrath Paul speaks of? They get what they deserve. And I write that with sadness. But the Bible clearly teaches this. And those who reject Christ are doing exactly what they want to do.

So, how should we then live? In communion with each other and with Father, through the Son, in the power of the Spirit. Amen.

2/20/04

Secure Security Products?

Quick — what was the first commercial firewall product with an announced serious (as in, one could “get root”) security vulnerability? No, not Check Point. It was Gauntlet. (Disclaimer: it was after NAI took over, and after I left. I.e., someone else’s watch. :-)) That was a few years ago. This latest vulnerability is current. SearchSecurity’s write-up is here. The US-CERT Alert — sorry, the Technical Cyber Security Alert (is this stuff great, or what?) — number TA04-036A is at TA04-036A.html. The sobering and predictable overview states, “Several versions of Check Point Firewall-1 contain a vulnerability that allows remote attackers to execute arbitrary code with administrative privileges. This allows the attacker to take control of the firewall and the server it runs on.” Oh, and this vulnerability is in the new Application Intelligence component of Firewall-1. (“Application Intelligence” is a marketing term for their application gateway technology, the stuff they called old technology in the late 90s. See my column “Debunking the Firewall Hype” here.)

I am not (anymore) going to kick Check Point when they are down. This is for two reasons. First, they are not down (though their stock is not tracking the market growth… oops, sorry… really now). Second, the problem is one shared by many other vendors: the lack of an overarching and pervasive security architecture. “Security architecture,” as in how the product itself is developed and secured. “Security architecture” that is not a buzzword in a press release naming an API, but is documented and periodically checked. Just as enterprises must have a network security policy that implements a security architecture — with both periodically reviewed and validated — security products must have a security architecture used with similar regularity. It is not just Check Point. All security vendors have to be much more careful. And what about you? When was the last time you asked a security vendor to describe its security architecture?

Secure Coding? Of Course.

Andy Briney, in his February Information Security Magazine [NOTE: Searchsecurity no longer keeps old archives. This takes you to iranscience.net.] column, called “Secure Coding? Bah!”, makes the claim that while we may ask for secure software, it is “Not gonna happen.” He sees pursuing secure programming as “totally impractical.”

Of course, he’s wrong, though not completely. He correctly talks about incentives. But he then makes a jump to suggest that there is no money to research how to accomplish this. Also, he says, this is a very complex and specialized problem.

Research is not needed. Use of proper tools and programming languages is. Tools exist to tighten up code and find possible problems. Also, it is not specialized. Poorly written software crashes all the time. We are used to it. But it is not unique to security. Sometimes a buffer overflow results in a system hang. Other times it allows an exploit.
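To make that last point concrete, here is an added example (written for this page, not code from Andy’s column or from any product): a fixed-size name buffer filled by an unbounded strcpy(), the very thing the tools mentioned above flag, beside the bounded form. The record struct and its field names are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* bytes available for the name, terminator included */

/* Constructed record type, not from any real product. The field after
 * the buffer is simply what an over-long write reaches first. */
struct record {
    char name[NAME_MAX];
    int  admin;
};

/* The defect: strcpy() copies until it finds a NUL in the source and has
 * no idea how large the destination is. A name longer than 15 bytes runs
 * past name[] into admin and whatever follows. Depending on what sits
 * there, the program crashes or keeps running with corrupted state,
 * which is exactly the "hang or exploit" coin toss described above. */
void set_name_unsafe(struct record *r, const char *src)
{
    strcpy(r->name, src);
}

/* The hardened form: establish the length before copying anything, never
 * read past NAME_MAX bytes of the source, and treat an over-long name as
 * an error instead of silently truncating it. */
int set_name(struct record *r, const char *src)
{
    const char *nul = memchr(src, '\0', NAME_MAX);
    if (nul == NULL)              /* no terminator within the limit */
        return -1;
    size_t n = (size_t)(nul - src);
    memcpy(r->name, src, n + 1);  /* copy the terminator too */
    return 0;
}

int main(void)
{
    struct record r = { "", 0 };
    /* constructed inputs: short, exactly 15 bytes (fits), 16 bytes (rejected) */
    const char *inputs[] = { "fred", "0123456789abcde", "0123456789abcdef" };
    for (size_t i = 0; i < 3; i++) {
        int rc = set_name(&r, inputs[i]);
        printf("%-20s -> %s\n", inputs[i], rc == 0 ? r.name : "rejected");
    }
    return 0;
}
```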

While I disagree with his claim that “Secure coding is yet another silver bullet,” I agree that “Risk reduction is all about reducing vulnerabilities, mitigating threats and lowering event costs.” Andy doesn’t believe that secure coding is part of the solution, except theoretically. I believe it can be.

Check out his column at the above-cited URL and look for discussions elsewhere on it at seclists.org, or by using your favorite search engine and looking for the title of his column.

Getting Rid of the Last Click for Secure E-mail

Check out a paper by Jon Callas. In it, Jon talks about solutions that he has proposed for making encryption more widely used. Download the PDF file.

I’ve written on this subject before. (See my “Secure E-mail collection” here.) The technology and related software to easily use encryption has been around for 15 years. Aside from our apparent lack of belief in the need for it, the difficulty of using cryptography and the need for some level of ubiquity have been speed bumps for its use. Rather than go through the details, I suggest you listen to the webcast. Also, you can see my review of PGP Universal by clicking on Painless PGP.

You Tried to Send a Virus… Or Did You?

In recent months I, probably along with many of you, received e-mail from an MX server informing me that the e-mail message I sent to someone (someone I did not know) contained a virus. In some cases the helpful mail server bounced the infected attachment back to me. And in all cases, the errors were in response to e-mail claiming to be from me, but not from me.

Brian Martin of Attrition.org discusses this and makes the charge that these anti-virus companies are committing spam. His interesting discussion is at attrition.org. There is only one statement in this article I must protest against (see if you can guess), but I found the discussion compelling. At the very least we should carefully consider how we set up our mail gateway antivirus systems.