TSA Opens Blog Site

The TSA have been the butt of jokes and the bane of airline passengers’ existence since the infamous Al Qaeda attack on 9/11 of 2001. I will admit that I don’t hold them in high regard. Actually, I am sure they think they’re doing a good thing, and I don’t have any hard feelings toward the individual TSA agents per se. I just tend to side with Bruce Schneier about the logic of the TSA rules. I understand that the terrorists used airplanes in the 9/11 attack. However, their success in commandeering the aircraft was more a function of a flaw in the standard operating procedures for dealing with hijack attempts than it was related to screening passengers.

So, now we all shuffle like cattle through airport checkpoints, barefoot and carrying a ziplock bag with cute little travel-sized versions of all of our personal hygiene products, and we’re supposed to feel more secure? First of all, Al Qaeda already ran this play. There are a million other methods of attack and potential targets. I don’t think we’re giving them proper credit for creativity or initiative if we think they’re going to use the same plan again. Second, how do the TSA rules and security screening make us more secure? I can’t take a box cutter (works for me- I wasn’t planning on breaking down any packing materials on board the plane), but I can take a pen or pencil and stab someone with that. Nail clippers are a no-no, but I could file down or sharpen a credit card that could potentially cut someone and not raise any suspicions at the checkpoint. The items being banned and allowed seem arbitrary and capricious and do nothing to make me feel safer.

Add to that all of the stories of fake bombs or bomb materials making it through screening points when they are being tested and it doesn’t make me any happier about wasting an extra hour getting screened. For what? Coming through LAX on a trip, I was actually detained as a part of the random searches. They checked my passport, and went through my bags. I made it through just in time to catch my plane. Once on board, I realized that they had actually *missed* the dangerous ziplock of mini-toothpaste and trial-size shampoo. I had it in the ziplock, but forgot to take it out and “claim” it. Well, I sure am glad they stopped and took the extra 15 minutes to go through my stuff only to miss what they were looking for and let me through. Thankfully for them, and everyone on board my flight, my toothpaste really was toothpaste and my shampoo really was shampoo and I did not sneak through illicit chemicals that could be combined to blow a hole in the plane. Actually- I’m not a chemist and my name is not MacGyver. For all I know, you *can* blow up a plane by mixing toothpaste and shampoo- as long as it is whitening toothpaste and dandruff-control shampoo. But the point is, I didn’t. And thankfully the fact that the TSA couldn’t even enforce their own screening rules did not result in an attack. I am sure my experience is not all that isolated. On any given day, how many banned items do you guess make it through a checkpoint?

Well, the TSA doesn’t like the negative feelings or bad reputation, so they have started a new blog site. They want our feedback and they want to work *with* us as partners in safe air travel. They had the audacity to name the blog Evolution of Security, somehow implying that what they do is evolving security in some way. The blog allows comments on the posts, and they are getting plenty of them. To be fair, they are asking for the good, the bad, and the ugly. They want to hear your gripes and complaints. The problem for me is the idea that they are going to address the gripes and complaints and fix things. For me, the whole thing is smoke and mirrors with no real security substance- “Security Theater” as coined by Bruce Schneier. The “solution” is to give up the illusion of security instilled by a lengthy and tedious screening process and devote our DHS and TSA resources to more legitimate security concerns.

_________________________________________

Tony Bradley
www.tonybradley.com
Essential. Computer. Security.


Metasploit 3.1 Released

Metasploit 3.1 was unleashed on the world today. According to the press release posted on the metasploit.com site, this “latest version features a graphical user interface, full support for the Windows platform, and over 450 modules, including 265 remote exploits.”

The legitimate value of the Metasploit Framework has been debated. Some security experts feel it is little more than a tool for script-kiddies and wannabe hackers to use to wreak havoc on unsuspecting targets. On the other hand, tools such as Canvas, or Core Impact, do essentially the same thing and are considered valuable tools for security researchers. The main difference between the products is that Canvas and Core Impact cost a lot of money, and Metasploit is free.

I was originally of the opinion that it was simply an attack tool cleverly disguised as a security tool, but I have since jumped the fence and consider Metasploit to be one of the best tools available. Security administrators can use it to test the strength of their computer and network security. Security researchers can use it to try and poke holes in software applications and services. In the most recent Top 100 Security Tools survey, Metasploit came in at #5 behind such well-known category-dominating products as Nessus, Wireshark, and Snort.

You can download the latest version for free from the Metasploit.com site.


Vista Declared Most Secure OS

Microsoft’s Director of Security, Jeff Jones, published the One Year Vulnerability Report for Windows Vista, in which he demonstrates that Vista is the most secure OS ever measured (based on the criteria used to calculate the first year vulnerability report).

Granted, the declaration came from Microsoft, so many will take it with the proverbial ‘grain of salt’, or discredit it entirely. For example, Eric Schultze, the CTO of patch management company Shavlik Technologies, was quoted in an InfoWeek article stating “When you start counting vulnerabilities, it’s a matter of defining vulnerabilities. For example, if a bulletin is released for Internet Explorer, that’s one patch for IE. Microsoft may have broken it out to say there are five distinct issues fixed in this patch. Is that five vulnerabilities or is that one vulnerability because it’s one patch?”

Of course, any time Microsoft claims that their software is secure, particularly if they claim it is more secure than anything else, it is going to generate a fair amount of controversy. Some of the accusations have been that Microsoft bent or invented statistics that make them look good, or that the picture they painted is only true of a narrow configuration of Windows Vista and not the operating system as a whole.

Well, my fellow Microsoft MVP, Jesper Johansson, takes an in-depth look at the various claims and backs them up with hard data on his blog. As co-author of Windows Vista Security, I think Jesper is more than qualified to analyze the issue. Check out Do Vista User’s Need Fewer Security Patches Than XP Users? for a fairly detailed breakdown of the data.



Sneak Peek at Next Generation Windows

While the debate rages on about whether Vista is worthy of being Microsoft’s flagship operating system, development marches on to replace it. It is still very early in the process. The screenshots that were leaked by ThinkNext reveal an interface that is strikingly similar to Windows Vista. The version shown in the leaked screenshots is Windows 7 Ultimate version 6.1 (Build 6519.1.x86fre.winmain.071220-1525). This is version M1. There will supposedly be an M2 by this summer, and an M3 before the end of 2008. Assuming that schedule is maintained, the product would still need to go through various stages of Beta testing, Release Candidate reviews, and then finally the RTM (released to manufacturers) version before it hits the shelves. My guess is that we won’t see this next generation Windows operating system until late 2009 at best. It is so early in the process, I am not even aware if this product has a codename beyond ‘Windows 7’. I don’t know about codename, but I think that the final release should be Microsoft Windows Horizon. It seems to flow well as a follow-up to ‘Vista’. By definition, ‘horizon’ means “range of perception or experience, or something that might be attained”. Microsoft hasn’t asked my opinion (yet), but if when they do I will recommend they go with Microsoft Windows Horizon. When it hits the streets, you will remember this post and think “hey! that is the name that Tony Bradley guy said they should use” and reminisce about how “you knew me when…”



My Secret Identity

I think I know what Superman, Batman, and all those other superheroes feel like while masquerading around as their alternate identities. Maybe not. First of all, I am not a superhero (just so we clear that right up). Secondly, they chose to have a mild-mannered alternate identity. I did not.

Here is the issue. I lead 2 lives. There is my ‘day job life’, where I am just another security consultant in a consulting firm. My managers within the company are aware of my ‘superhero life’, but it doesn’t seem to hold any actual weight with regard to anything in my ‘day job life’. I get assigned to mundane projects like everyone else. I go work for clients who don’t know about my ‘superhero life’. You wouldn’t know I even had a ‘superhero life’ by watching me in my cubicle all week.

Ironically, I sometimes find that people follow my ‘superhero life’, but don’t put 2 + 2 together to realize I am the same person. It’s sort of like Lois Lane lusting for Superman and talking about Superman all day…with Clark Kent, while having lunch with Clark Kent. They may read my blogs and articles, or may even have a book I have written or co-authored sitting on their desk, but fail to realize that I am THAT Tony Bradley.

For the most part, it works out OK. ‘Day job life’ pays the bills and provides benefits. ‘Superhero life’ is fairly lucrative. It does get a little frustrating at times though. It seems to me that my notoriety, never mind my knowledge and skills, could be put to better use in ‘day job life’ if they would embrace my role in ‘superhero life’ and leverage that. How popular do you think The Daily Planet would have been if everyone would have known that the 2nd-string reporter hanging out with Lois Lane was actually Superman? I’m guessing it would have boosted sales a tad.



The Sky Is Falling….Again

Remember the IT apocalypse commonly referred to as ‘Y2K’? That was when every computer system in the world was going to shut down or fail in some way because the internal date would not be able to comprehend that the year ‘00’ was the year 2000 rather than 1900. Of course, the troops were mobilized and the crisis was averted.

Then there was last year’s Daylight Savings Time apocalypse. This one was going to wreak havoc around the world as a result of the change in the beginning and ending of Daylight Savings Time in the United States. Computer systems and software applications would be confused about what time it really was in the United States and all kinds of chaos would ensue. This crisis did not quite live up to the hype either.

Let’s hope the latest and greatest “sky is falling” apocalypse is as anticlimactic as the first two. The new one is the Y2K38 bug. As of 2038,

Microsoft Unveils New Vulnerability Research Blog

Microsoft recently created a new blog site designed to provide insight on emerging vulnerabilities. The blog, titled Security Vulnerability Research & Defense, provides detailed information about newly discovered vulnerabilities, including screen shots, network traffic captures and other evidence to help demonstrate the flaw or a potential fix. The blog will also address workarounds for vulnerabilities. Take a look at the new blog if you would like to know the nitty-gritty details behind the flaws and fixes behind the latest vulnerabilities.
