Friday, June 27, 2008

XSS: it's a feature, not a bug?

 Thomas H. Ptacek pointed out this thread over at 37signals, begging the question "which of the 37 signals it the one for FAIL?".

Leaving your products open to abuse and exposing your users to attack is not being a good net citizen.  I am not one of those people who detests the Web 2.0 world- I actively embrace it, I just think fundamental security awareness and responsiveness need to be a part of the system.  And maybe have some concern and respect for your customers.

These posts at the Matasano blog dig deeper into the underlying issues:



Wednesday, June 25, 2008

Monday, June 23, 2008

New Fortinet Patents

Chris Hoff has an interesting post on several new patents Fortinet has been granted.  The original article is at, but Hoff's "New Fortinet Patents May Spell Nasty Trouble For UTM Vendors, Virtualization Vendors, App. Deliver Vendors, Routing/Switching Vendors... " adds some insight to the topic.

These patents cover things like:

Systems and Methods for Passing Network Traffic Data

System and Method for Controlling Routing in a Virtual Router System

Distributed Virtual System to Support Managed, Network-based Services

I think much of this is probably covered by prior art or obvious technology exemptions, but the US Patent office is not noted for doing a great job lately, especially in the IP and software patent arena.  Maybe they feel bad for IP and patent attorneys and feel that bogus patents destined for litigation will help the starving lawyers find their next meal- or maybe this stuff can be tricky and they just can't handle it (I prefer the snarky answer, facts be damned).

I have a hunch some of the big guys may have something to say about patents which appear to encroach on their territory- Microsoft, EMC/VMWare, and Cisco to name a few that I would hate to challenge to a patent fight.

Oh, yeah, the disclosure bit again: I work for Astaro, one of Fortinet's competitors- but you knew that.



Welcome, we're glad you could join us.

Welcome, we're glad you could join us. Thanks for coming, let us know if you have any questions.

This is the way we should greet people joining us in almost any activity; but sadly it is not the greeting many get from some in the security community. If you don't have the same scrap of paper on the wall that they do, or don't have the same level or area of expertise, or dare to challenge their sacred truths, you don't belong with them- at least according to some "security professionals". That attitude is stupid, egotistical and counterproductive. In case you hadn't noticed, the other team found out that there is money to be made in attacking our systems and we need all the help we can get.

I am not saying every group or gathering is the ideal venue for everyone, but that usually becomes obvious quickly and doesn't need to be pointed out to new folks- let them decide what is right for themselves. Nor am I suggesting that groups can't have prerequisites or expect some level of expertise, but that should be clear up front and the requirements should be logical. (For example, InfraGard's background checks make sense, the private CISSP forum should be able to limit membership to CISSPs, etc.)

What should not happen is for someone to show up for a publicly advertised meeting or event and be ignored or dismissed for being curious enough to show up and see what is happening.

Rather than name the offenders, I will say that the groups and events I frequently discuss appeal to me in part because of their openness- NAISG, BeanSec!, SNENUG, SOURCE Boston, and Shmoocon to name a few.

By the way, if I ever to forget this myself, please call me on it.


Sunday, June 22, 2008

Thursday, June 19, 2008

Backscatter (or bounce) Spam, didn't we already solve this?

Today I heard yet another email administrator complaining about waves of backscatter spam frustrating him and his users- and his complaint was that users were complaining about it instead of just deleting it.

I have two problems with the situation-

First, as IT personnel, it is our job to deliver results so the business or organization can do its job.  Complaining about users complaining about something which annoys and distracts them (and is potentially malicious) is a sign of forgetting why IT exists.

Second, this is yet another issue which was largely solved years ago, and yet still exists.  Those users are complaining about about something annoying, distracting, potentially malicious and preventable.

A little background for those unfamiliar with backscatter:

Suppose "Bob" (it is always Bob, isn't it?) wants to spam Dave and improve his chances of successfully getting his message delivered- if he could make his message both appear legitimate and appear to be coming from a known, trusted mail server, Bob would have a good chance at getting the spam delivered.  If Bob sends his spam message to an invalid email address at a known and reliable email domain and spoofs the sender address to be Dave's email address:

  • the message is sent to the legitimate mail server
  • the email is rejected by the mail server
  • a bounce message is sent to the address in the "sender" field
  • Dave gets the email, which appears valid because
    • it is an real bounce message
    • it is coming from a valid mail server

How to stop it? The first mail server can reject mail (without a bounce message) from mail that fails SPF, reverse DNS, and blacklist checks.  And the real answer- the receiving mail server (or mail gateway) can implement Bounce Address Tag Validation (BATV).  Mail servers and gateways which have implemented BATV "tag" all outbound email with a timestamp and token identifying the message as coming from that server.  When bounce messages are received, they are checked for the appropriate tag, if there is no tag the message is dropped.

BATV works very well and rarely causes problems when exchanging email with properly configured, RFC-compliant mail servers.  Problem solved (at least mostly solved).

Full disclosure: my employer's products implement BATV.  But, many Open Source and some competing commercial systems also implement BATV- click here for here a list.

So now can focus on solving problems not already solved?



Monday, June 16, 2008

Lessons Learned, and those to thank (or blame)

Many things have changed for me in the past couple of years, much of it because of lessons I have learned from others. Below are a few folks I have learned from and want to thank for their enlightenment. Note that I won't mention what I learned from each, or even when (a few lessons may not have been intentional) because that doesn't really matter, I just want to say "Thank You" to them. In no particular order:

Chris Brogan- people will tell you that Chris is intelligent, articulate, friendly, helpful, insightful, sharing, and on and on. All the gushing over this guy might be a bit much- if it weren't all true.

Jennifer Leggio, aka Mediaphyter- I've only known Jennifer for about six months, and watching her work is amazing. Her ability to "connect the dots" on a dizzying array of levels is amazing and eye-opening.

Critt Jarvis- I have never "clicked" with someone at work the way I did while working with Critt. We often handed each other pieces of a puzzle before the other knew they needed it. Amazing, actually. Thanks, and get out of my head.

Martin McKeay- Content, Community, Identity. I could say a lot more about Martin, but I'll leave it at: he creates content and builds community, and he's Martin. Which is pretty cool.

Chris Hoff- Is really smart. "Stop it now, Hoff, my head's gonna explode" kind of smart. You can't help but learn from him, and he's a great guy to be around- but I can't imagine trying to keep up with him for any length of time.

The list is far from comprehensive, there are certainly others I have learned from and should thank- and many more I should have learned from, but didn't.

Maybe you can learn something from these folks, too. Or you can find your own people to learn from. Maybe you could even learn from my mistakes, there's plenty of material there.


Saturday, June 14, 2008

NAISG expansion, and a question answered


I have gotten a lot out of my involvement with the National Information Security Group- as a member, presenter, chapter chair and board member. Since making the decision to move from a single regional group to a chapter-based organization, NAISG has grown to five chapters and is continuing to expand. Brad Dinerman, (the founder, President and all-around great guy) has recently launched an effort to continue the expansion, asking the members of the NAISG mail lists and Linkedin group to consider starting a chapter in their area. It is a great idea, if you are interested please visit the Start a Chapter page of the NAISG site and feel free to contact me with any questions you may have.

I think NAISG a great organization which fills a unique space in the IT security world, and that leads to a question which occasionally comes up: do we really need more NAISG chapters when there are already a proliferation of other security groups and associations- ISACA, ISSA, InfraGard, and many more?

Yes, we do. The other security groups are outstanding organizations, but they are not NAISG- they tend to cater to security professionals and focus on the enterprise. NAISG is an open and approachable group, with no membership fees or pre-requisites except for an interest in security. NAISG encourages anyone with an interest in security to join, regardless of their experience. We present a variety of topics of varying technical levels throughout the year so that members at all skill and experience levels will be rewarded for their involvement. And, we focus on the technology and ideas, not the products- there are plenty of places to hear a vendor's sales pitch, but NAISG is not one of them. (We do offer vendors the opportunity to gain exposure through technology and concept-centric presentations and, of course, through sponsorships).

So, yes, we do need more NAISG chapters...


Tuesday, June 10, 2008

Playing with Fire

One of the things I've done lately (instead of blogging) was attend the New England Blacksmith's 30th annual Spring Meet.  It was a little over a week ago, and it was a great event with a great bunch of folks.

What happens when you get about 100 Blacksmiths of all skill levels together for the weekend?  Check out this Flickr photo set. Be sure to take a look at the short videos at the end of the set (I'll be adding more video to this set later).


There will be a large regional blacksmith event in early September, the Atlantic Coast Blacksmiths Conference in Olivebridge, NY.  I can't wait.



Thursday, June 5, 2008

I'm not lazy, just busy- and things are changing

Yep, the blog is feeling a bit neglected. I am working on a solution to that, and sometime in the next few weeks my content output should jump. I don't know exactly where or when it will jump, but it will jump. It may involve moving this feed to FeedBurner and possibly a new URL. Details to follow, film at eleven, etc.

For now, a couple of stray thoughts.

When I was a one-man IT shop and I was this busy I cut corners. Not small-time, but chainsaw-style corner cutting. It happens to everyone on some level, and that is a bigger problem for security than any zero-day, virus, bot, trojan or cracker. Manage everything from anywhere, with telnet? Sure, if it saves time. Buy a sub-standard "solution" from a vendor when you know you can build better yourself? Of course- because as hard as it is to get money, time is even harder to find. Note: When I hear people advocate spending the time to learn a program and deploy a "do it yourself" solution, I hear people who haven't battled the 70 to 100-hour workweek (these are real, and I can assure you that you are tired at the end of them, and I'm glad I am not that busy anymore). One of the many great things about my current position with Astaro is that I can usually turn off the BlackBerry when I'm not at work (OK, only one of the BlackBerries gets turned off- but it is a start).

Sometimes you need to unwind, and I really enjoy putting things in the fire and then hitting them with a hammer. Last weekend was the 30th annual New England Blacksmith's Spring Meet, and it was a great time. Over 100 blacksmiths of all experience and skill levels attended and worked together on a set of community service projects for the recreational area of Brentwood, NH. This fall we are working with several other groups to present the first Atlantic Coast Blacksmiths Conference in Olivebridge, NY. If you are interested in the craft and will be anywhere in the area, stop by, check out the demonstrations, and say hello.