Sunday, November 30, 2008

The two-headed serpent of SLAs

We all know we should read EULAs (End User License Agreements) more carefully than we usually do, and we feel a little guilty every time we blindly click through one without reading it carefully.  Even with patience and tools like the EULAlyzer on our side, we don't always realize what we are getting ourselves into (or what rights we are giving up) when we break the seal, click, or do whatever signifies our acceptance of the EULA.  But we know we should worry about them, and that's a start.


But SLAs (Service Level Agreements) are different, right?  We use SLAs to hold our vendors and service providers accountable to us, so what could possibly be lurking in them to bite us?  Some things are obvious, like the phone company needs access to the premises to fix some problems- and if we don't give them access we can't hold them to their SLA.  But what if the phone company (or anyone else) needs access to an area where confidential data is stored? That could be a problem, but you have a policy for that.  Well, at least you have thought about it.  OK, you should think about it.  What about support for hardware, network systems, operating systems, and application software?  There are potential problems in the SLAs associated with these, too.  Need service on a bit of hardware?  What information is exposed when you send it out or a tech comes in?  Some network gear acting up and the vendor needs traffic captures to diagnose the problem- what will they see in that traffic?  Problems in software and the vendor requires access to the systems for troubleshooting- there's another exposure problem.  Don't want to give the vendor access or information?  Or you can't give access due to policy or compliance issues?  You may be violating your responsibility as defined in the SLA, relieving the vendor of their responsibilities you thought the SLA guaranteed.  And really, the requirements usually make sense- how good are you at diagnosing and repairing systems you can't access?

Sounds like we need to read the fine print, identify potential problems, and come up with a plan for resolving conflicts before we get bitten by the other end of the SLA serpent.



Friday, November 21, 2008

Julie Amero case finally over, justice is not served

The infamous Julie Amero case is finally over.  She deserves better, but she didn't get it.  The school district, police, prosecutors and many others deserve another round of public humiliation for gross incompetence.

You remember, the poor substitute teacher who allegedly exposed her students to pornography- on a school PC which did not have up to date anti-virus software on a network without web filtering- and has spent years battling a felony conviction over the incident.

The story is here, and more from Rick Green on Julie Amero's case here.  Alex Eckelberry at Sunbelt has been involved, here is his take on it.  Amrit Williams summed it up well in this post.

It is simply not right.  If you don't know about this case, please take some time to learn about it.  As Alex Eckelberry said, "We can’t have another Julie."



NAISG Presentation online

Slides and video of my presentation to the Boston Chapter of NAISG on 201CMR17.00, the new Massachusetts data protection law, are now online at the NAISG presentation archive page.



Career tips from the Massachusetts State Police

I have noticed something interesting on my ridiculously long commute lately- there are Massachusetts State Police on the roadsides performing traffic enforcement regularly, especially in high-traffic (and thus high-visibility) areas.  In case you aren't familiar with Massachusetts roadways, State Police on traffic duty are not a common sight except on certain roads and at certain times.  Why now?  You don't have to be a cynic to think the looming state budget cuts might be forcing the State Police into more visible duties to justify their positions- it is just a logical conclusion.

I am not suggesting that the State Police have been sitting around doing nothing.  Given the condition of state and local budgets, the State Police have plenty to do- it just isn't all as visible as traffic enforcement tasks.  Nor am I suggesting the officers in the cars make the deployment decisions- those are management decisions, and management must feel it is time to make a display.  [Of course, the bizarre Massachusetts practice of requiring police to secure construction sites is sadly the highest-profile work police agencies in Massachusetts have- but that is a no-win rant and not directly relevant to this post.]

If you think about it one way, the better job law enforcement does, the less visible they are.  Sure, you see them around, but there isn't much drama- and if something bad does happen, they swoop in and get things under control quickly.  Hey, wait, that sounds a lot like a well-run IT or security department.  Does that mean IT and security could be targeted for cutbacks because of our frequent low profile?  Yes, it does.

If you have to "look busy" when cutbacks are looming, it is too late.  You need to regularly make your contributions known to management, not just at crunch time.  Don't overdo it or play the martyr, but make sure people know the contributions you make, especially when you step up to added work or accomplish something noteworthy.



Tuesday, November 18, 2008

References for Mass 201 CMR 17.00

Here is a list of references for my discussion of the new data protection law (and for insomniacs everywhere):



Monday, November 17, 2008

Finding an audience

Do you have some knowledge you want to share? Maybe you just discovered a tool which makes your life easier, or maybe you just discovered something ugly and want to warn others before they face the same thing.  Possibly you want to share a success story, or maybe a failure story.  Someone wants to hear it.

But where do you find an audience? There are plenty of venues in search of content; it is a matter of matching your information to the audience.

Technology and security groups are everywhere and most are frequently seeking presenters.  For security issues, local NAISG chapters around the world are a good option.  Depending on the specifics, Linux user groups are a good audience for talks on Linux and other Open Source projects, including integrating them into production environments.  You may also be able to find a group through Culminis.  Join the mail lists of prospective groups and contact the leaders; many will work with you to help you get your message heard.

Is it something that would work well in print?  Think about the print and online resources you read.  If there is one where you would expect to see an article like yours, ask them about submissions.

Want a bigger audience?  Everyone knows about the big conferences like BlackHat and DefCon- and most are intimidated by the thought of presenting at them.  There are plenty of smaller events which are more likely to work with you in tuning your presentation and proposal- Shmoocon and SOURCE Boston to name two.



Discussion of new Mass. data protection law at Boston NAISG meeting

I will deliver a presentation and then lead a discussion on the new Massachusetts data protection law, 201 CMR 17.00, at this month's meeting of NAISG's Boston chapter.  The presentation and discussion will explore the new law, its impact on businesses, and approaches to compliance.  Details of the meeting are at the NAISG Boston website.

Massachusetts "201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth" is one of the most far-reaching and specific state laws governing the protection of personal information.  It is important to note that the law applies to

"persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts"

So- you do not have to be in Massachusetts for this law to apply to you.

NAISG Boston meets at Microsoft's offices in Waltham, MA, directions here.  Please join us if you are in the area.  Meetings are free and open to the public, but we would appreciate an RSVP so that we have enough pizza for everyone.

Some of us will be heading over to the local Uno's for "refreshments" after the meeting to continue the conversation. Or something...


Sunday, November 16, 2008

Not so private "private browsing"

The "Incognito" mode of Google's Chrome browser and Microsoft Internet Explorer 8 beta's "InPrivate" mode can leave significant footprints in the system. It has always been the case that disk forensics (or even simple undelete tools) could dig up information on these private-mode browsing sessions, but in some circumstances it is a lot easier than that.

Under the right (or more likely wrong) circumstances, entering "http" in the Start > Run dialog box will offer a list of visited web media URLs.  The key is that when the browser launches Windows Media Player, it pushes the URL into Windows history (even if the Media Player is set to not store history).  Interestingly, to clear this you need to clear history in Internet Explorer, even if the Media Player session was initiated by Chrome.

Remember, "do it yourself" forensics are almost always a bad idea for any situation where there is a chance of ending up in court- but if you are just looking for information, don't overlook the easy stuff.


Friday, November 14, 2008

Security Bloggers Network

Missing your Security Bloggers Network feed this morning?  Blame Google's assimilation of FeedBurner and abandonment of blog networks.

Alan Shimel has the story here. Don't worry, it will reappear.

Here's a copy of the full SBN OPML file in case you need a fix or are looking for a specific blog.


Wednesday, November 12, 2008

SC World Congress

I'll be attending the SC World Congress in NYC on December 9-10.  I know it is fairly late notice, but if you are interested in attending- they are offering a discount to readers of the Security Blogger Network and affiliated blogs. (Yes, I know- I should move my feed over to Feedburner and be all "official" and stuff).

If you are interested in a 35% discount, just register at and use the discount code BLOG1 for a one day pass or BLOG2, for, well, you know- two days.



Tuesday, November 4, 2008

A Short Reflection on Voting Security

I am pleased to present the following guest post, authored by a friend and coworker:

We all know about the darker side of voting: voter fraud, vulnerable electronic voting systems, social engineering among others.  There is one topic that is very often overlooked in the United States - Personal Security.

My wife and I left for the polling station mid-morning toting my one year old son.  The biggest things that we were thinking about were "where is the carton of Fishies[tm]" and "we need a copy of the lease to register, where is it?"  We left the polling station after 15 minutes, successfully registering and voting.  I dropped my small family off and headed for work.  On the way to work, while listening to a history lesson on NPR, I began to reflect on what I had just done. 

In less secure and stable parts of the world, people have to vote in makeshift bunkers for fear of bombings.  People are shot, maimed or worse for voicing their opinion.  This is not even a second thought in the US.  The worst thing that I was looking forward to was finding a parking space. 

My reflection: Among all of the normal topics of discussion, I would like to add a congratulations to the people that make the process safe for US voters.  I would also like to reflect on the fact that as a security buff, I know that this has not been, nor will it always be the case - Vote with pride and care.

Please take a moment to reflect on this and other issues for a moment if you are frustrated with the banter on the major networks.

-Voter 1749, Ward 8 Nashua, NH.

Your civic duty...

For those in the US, there are bake sales being held in schools, churches and town halls throughout the land today.  Please do the right thing, step up and buy something from the bake sale table, the money goes directly into making a difference in a lot of little ways.

And, while you are there you should vote.  Rumor has it that can make a difference, too.



Monday, November 3, 2008

The dangers of short URLs

It is a minor thing, but it vexes me so...

It isn't news to anyone that clicking random links in email or on web pages can lead to Bad Things™- malware infestation, launching various scripting attacks, or even the dreaded Rick Roll.  But what about things you want to click, but can't see where they lead due to the ubiquitous URL shortening utilities?  The tools are great, especially in platforms like Twitter where you are limited to 140 characters- but you don't know where you are going until you get there, and by then Rick Astley is already singing.  There is a simple answer, enable previews- but not every utility offers the option.  TinyURL offers the options to both create preview URLs and set your preferences to always show a preview of the full URL.  Their approach isn't perfect, the preview URLs are considerably longer than their regular URLs because they add "preview." to the beginning of the URL, but it is something.  There are some other utilities ( and among others) which allow you to request previews, but you have to do it for every utility and on each computer you use.

There is an experimental add-on for Firefox, PreviewLink, which will allow you to preview links from most shortening utilities, but it is still experimental and therefore requires registering for an AddOn account before you can install it.  I just started using PreviewLink, and it seems promising.

I guess the best bet is to only click obfuscated links on someone else's computer (with the speakers off) until we come up with a better way to solve the problem.
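An added example (not part of the original post, and not code from TinyURL or PreviewLink): one way to see where a short link leads without opening it is to ask only the shortener for its redirect and report the destination without ever contacting it.  The function names, the SHORTENERS list, and the short.example / destination.example hosts are assumptions made up for this sketch; the "preview." rewrite is the TinyURL behavior described above.

```python
import http.client
from urllib.parse import urljoin, urlsplit

SHORTENERS = {"tinyurl.com"}  # hosts we are willing to query (assumed list)
REDIRECTS = {301, 302, 303, 307, 308}

def tinyurl_preview(url):
    """Rewrite a TinyURL link to its preview form ('preview.' added to the host)."""
    parts = urlsplit(url)
    return parts._replace(netloc="preview.tinyurl.com").geturl() if parts.hostname == "tinyurl.com" else url

def head_location(url, timeout=5):
    """Send one HEAD request, follow nothing; return (status, Location header)."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=timeout)
    try:
        conn.request("HEAD", (parts.path or "/") + ("?" + parts.query if parts.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def expand(url, fetch=head_location, shorteners=SHORTENERS, max_hops=5):
    """Return the URL chain behind a short link; only shortener hosts are queried."""
    chain = [url]
    while urlsplit(chain[-1]).hostname in shorteners:
        if len(chain) > max_hops:
            raise ValueError("too many redirects: " + " -> ".join(chain))
        status, location = fetch(chain[-1])
        if status not in REDIRECTS or not location:
            break  # the shortener answered with a page, not a redirect
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain:
            raise ValueError("redirect loop at " + nxt)
        chain.append(nxt)
    return chain  # the last entry is reported, never requested

# Constructed sample data standing in for the network, so this runs offline.
SAMPLE = {
    "http://tinyurl.com/abc123": (301, "http://short.example/x"),
    "http://short.example/x": (302, "//destination.example/landing?id=7"),
}

def sample_fetch(url):
    return SAMPLE.get(url, (200, None))

if __name__ == "__main__":
    hosts = SHORTENERS | {"short.example"}
    print(expand("http://tinyurl.com/abc123", sample_fetch, hosts), tinyurl_preview("http://tinyurl.com/abc123"))
```

Called without the fetch argument, expand() uses real HEAD requests, so the shortener still logs the lookup even though the destination does not.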



Sunday, November 2, 2008

Hackers for Charity and The Academy

Want an easy way to give a buck to Hackers for Charity without taking it out of your own pocket?  The Academy is donating a dollar to HfC for every registration (registration is free).  This post has the details.

[Yes, the nice folks who regularly give me a paycheck have a relationship with The Academy.  No, this has nothing to do with that.]