October 1st, 2008
The Internet security community is abuzz with rumors of an attack against the TCP protocol that can DoS almost all (if not all) machines. The attack is against the TCP state machine. Details are very sketchy, but the rumors suggest that an extremely low-bandwidth attack could effectively kill a machine to the point that it must be rebooted to once again be able to communicate on the network.
Adding to the hype is the claim that almost all machines running TCP can be attacked, regardless of the vendor. Windows, Linux, Mac, Solaris, all manner of embedded devices, etc., are all supposedly vulnerable.
It seems like a “vulnerability” like this (that is, one that will completely cripple the Internet) is announced once a year. A few details[t2.fi] are released to the media that make the vulnerability sound really scary in an effort to hype the conference where the full details are going to be discussed (which, in this case, is “T2 ’08” in Helsinki, Finland).
Call me a skeptic, but these usually turn out to be false. The salacious details released to the media are mere propaganda items to increase interest. This particular vulnerability will probably turn out to be a non-issue except on your local network, which should be a (relatively) trustworthy area, anyway.
To sum it up: don’t go jumping out of a window yet.
Posted in Give me more Internets!, Security | No Comments »
September 22nd, 2008
The Office of Management and Budget (OMB) has issued a memo directing all federal agencies to implement the DNSSEC (see, among others, RFC 4035) extension by January 2009. Assuming all agencies follow this memo and implement it on all of their public-facing DNS servers, this could finally be the long awaited start to securing the last major flaw in the Internet infrastructure–name resolution.
Unfortunately, the benefits of DNSSEC are still many years in the future, even if the above change happens quickly. Why? Because the name resolution chain starts and ends with your operating system, and the next link in the chain from either end is your ISP’s DNS servers. Neither of these likely supports DNSSEC now. The user can’t verify the authenticity of a DNS responder if the entire resolver chain doesn’t support DNSSEC.
ISPs are unlikely to implement DNSSEC on their servers until end-user OSes support it, and end-user OSes are unlikely to support DNSSEC until ISP DNS servers do. Chicken, meet Egg. It might be reasonable to expect the default Linux resolvers to support DNSSEC soon, but Linux is a small part of the end-user market. Don’t expect Windows to support it very soon, either.
And so the Internet techies yawn…
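The practical way to find out which link in that chain actually validates is to ask for DNSSEC and look at what comes back: a query carries the EDNS0 “DNSSEC OK” (DO) bit, and a validating recursive resolver sets the AD (“Authenticated Data”) flag on answers it has verified, or returns SERVFAIL when a signature fails. The following is an added example, not code from the post, that builds such a query and classifies a response from its header alone; the responses it checks are constructed in the script rather than fetched from any real resolver, and the name www.example.com and the 192.0.2.1 answer are documentation placeholders.

```python
"""Build a DNS query with the EDNS0 DO bit and read the AD flag from a reply.
Added example; the responses below are constructed, not captured."""
import struct

TYPE_A = 1
TYPE_OPT = 41          # EDNS0 pseudo-RR (RFC 6891)
CLASS_IN = 1
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020       # "Authenticated Data", RFC 4035 section 3.2.3
RCODE_MASK = 0x000F
RCODE_SERVFAIL = 2
EDNS_DO = 0x8000       # DO bit is the top bit of the OPT RR's TTL field


def encode_name(name):
    """Encode 'www.example.com' as length-prefixed labels ending in the root label."""
    wire = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").split(".") if label)
    return wire + b"\x00"


def build_query(name, qtype=TYPE_A, txid=0x1234, dnssec_ok=True):
    """Wire-format query; with dnssec_ok an OPT RR carrying DO goes in the additional section."""
    arcount = 1 if dnssec_ok else 0
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b""
    if dnssec_ok:
        # NAME = root, TYPE = OPT, CLASS = UDP payload size, TTL = DO flag, RDLEN = 0
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + opt


def parse_header(message):
    """Split the fixed 12-byte DNS header into its fields."""
    if len(message) < 12:
        raise ValueError("DNS message shorter than a header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", message[:12])
    return {"id": txid, "flags": flags, "rcode": flags & RCODE_MASK,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def classify_response(message, expected_id):
    """What the reply says about the resolver: validated, unvalidated, servfail, or junk."""
    h = parse_header(message)
    if h["id"] != expected_id or not h["flags"] & FLAG_QR:
        return "not-a-response"
    if h["rcode"] == RCODE_SERVFAIL:
        # A validating resolver answers SERVFAIL when the signatures do not verify.
        return "servfail"
    if h["flags"] & FLAG_AD:
        return "validated"
    return "unvalidated"


def constructed_response(txid, validated, rcode=0):
    """Hand-built reply to build_query('www.example.com'); constructed sample data."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if validated else 0) | rcode
    ancount = 0 if rcode else 1
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 1)
    question = encode_name("www.example.com") + struct.pack("!HH", TYPE_A, CLASS_IN)
    answer = b""
    if ancount:
        # Owner name is a compression pointer (0xC00C) back to the question at offset 12.
        answer = (b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
                  + bytes([192, 0, 2, 1]))
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + answer + opt


if __name__ == "__main__":
    print(build_query("www.example.com").hex())
    for validated in (True, False):
        print(classify_response(constructed_response(0x1234, validated), 0x1234))
    print(classify_response(constructed_response(0x1234, False, RCODE_SERVFAIL), 0x1234))
```

To use it against a live resolver, send `build_query(...)` over UDP to port 53 and hand the datagram to `classify_response`. The important caveat is that an AD flag is only worth something if the path between you and that resolver is trusted; a stub that merely believes the flag from an unauthenticated upstream is exactly the broken link the post describes, which is why the stub either has to validate itself or talk to its validating resolver over a protected channel.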
Tags: Security
Posted in Security | No Comments »
July 7th, 2008
Here is a hilarious article[timesonline.co.uk] from The (London) Times. Foxnews.com’s title is even more hilarious: “Report: The End of the Internet Is Near”. OMG!!! Gather up the Ponies!!
Messr. Harris at The Times either has no idea what he’s writing about or owns a ton of stock in Cisco or Juniper. Or perhaps both. The following line from the article is particularly ridiculous:
If, for example, Google wants to support IPv6, it will need to build a whole new IPv6 web service, complete with new domain names, servers and bandwidth.
Hogwash, my good chap! The only bloody thing good ol’ Google will need to do is get IPv6 addresses from its ISPs. Its servers undoubtedly already support IPv6 as do almost all recent Un*x and Windows OSes (Linux and Mac OSX included). All Google will have to do is tell its servers what each one’s IPv6 address is and everything will work just the same as it has. No need for a new domain name, new servers, or new bandwidth. And certainly not any new code for their web services.
In fact, what I said above isn’t even necessarily true: Google doesn’t need to get an IPv6 address from its ISPs because there is an IPv6 prefix[wikipedia.com] already reserved for all the old IPv4 addresses. In essence, if you have an IPv4 address, you already have an IPv6 address that will route to all other IPv6 addresses–if only your upstream ISPs supported IPv6.
I tend to believe that Google has already prepared for this. I’m betting that their servers are already configured for IPv6. Their routers are probably configured for IPv6. Google might even have pure IPv6 connections to the Internet already. It’s hard for me to confirm my suspicions, though, because I don’t have a pure IPv6 connection to the Internet, although I could set up something like 6to4[wikipedia.com].
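The two prefixes the last two paragraphs lean on are concrete enough to show. RFC 4291 reserves ::ffff:0:0/96 for IPv4-mapped addresses (an IPv4 address embedded in the low 32 bits), and RFC 3056 reserves 2002::/16 for 6to4, where a site’s public IPv4 address becomes bits 16 to 47 of its /48 prefix. The following is an added example, not the post’s code, using Python’s standard ipaddress module to go from an IPv4 address to both forms and back; 192.0.2.1 is a documentation address chosen here as sample input.

```python
"""IPv4 addresses embedded in IPv6: ::ffff:0:0/96 (RFC 4291) and 2002::/16 (RFC 3056).
Added example using only the standard library."""
import ipaddress

IPV4_MAPPED = ipaddress.IPv6Network("::ffff:0:0/96")
SIXTOFOUR = ipaddress.IPv6Network("2002::/16")


def ipv4_mapped(v4):
    """IPv4-mapped form, e.g. 192.0.2.1 -> ::ffff:c000:201."""
    v4 = ipaddress.IPv4Address(v4)
    return ipaddress.IPv6Address("::ffff:" + str(v4))


def sixtofour_prefix(v4):
    """6to4 /48 for a site whose public IPv4 address is v4, e.g. 2002:c000:201::/48."""
    v4 = int(ipaddress.IPv4Address(v4))
    return ipaddress.IPv6Network("2002:%04x:%04x::/48" % (v4 >> 16, v4 & 0xFFFF))


def embedded_ipv4(v6):
    """Recover the IPv4 address from either form; None if v6 is a native IPv6 address."""
    v6 = ipaddress.IPv6Address(v6)
    if v6 in IPV4_MAPPED:
        return v6.ipv4_mapped          # stdlib attribute: IPv4Address or None
    if v6 in SIXTOFOUR:
        return v6.sixtofour            # stdlib attribute: IPv4Address or None
    return None


if __name__ == "__main__":
    sample = "192.0.2.1"               # constructed sample input (RFC 5737 range)
    mapped = ipv4_mapped(sample)
    prefix = sixtofour_prefix(sample)
    print(sample, "->", mapped, "and", prefix)
    print("back from mapped:", embedded_ipv4(mapped))
    print("back from 6to4 host:", embedded_ipv4(prefix[1]))
    print("native IPv6:", embedded_ipv4("2001:db8::1"))
```

The two forms serve different purposes. The ::ffff: form is what a dual-stack listening socket shows you as the peer address when an IPv4 client connects, so it is what your logs and access controls will see; the 2002: form is the one that actually carries packets across an IPv4-only network, through 6to4 relays, which is the setup the post mentions.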
Messr. Harris pumps the same old doom-and-gloom line that has been going around since the mid-1990s. Yes, friends, back when IPv6 was started the “experts” were predicting we would run out of IPv4 addresses within a few years. Over a decade later, the new “experts” are predicting another three years.
Here’s a prediction: NASA will land men on Mars before IPv6 makes its way down to the home user, and I’m talking about his Cable/DSL router, not his actual PC.
Tags: google, ipv6, networks
Posted in Give me more Internets! | No Comments »
June 23rd, 2008
According to PC Pro[pcpro.co.uk], Facebook is now larger than MySpace. Thank goodness. MySpace was the worst assault on the eyes since the short striped shorts of the early 80s. Facebook at least has a somewhat consistent interface from profile to profile, and none of those god-awful tiled backgrounds of kitty cats or what have you.
Still, Facebook is beginning to get cluttered and annoying thanks to the proliferation of extensions with their constant annoying questions. For the last time, I do NOT WANT TO PLAY RISK VIA FACEBOOK!!! Get a life, buy the board game, gather up some friends, and freaking talk to another person tête-à-tête!!
Tags: facebook
Posted in Give me more Internets!, Social networks | No Comments »
June 23rd, 2008
The Verizon Business RISK Team released a very interesting study early in June with detailed results and analysis from more than 500 forensic investigations it conducted over a four-year period (2004 to 2007). It claims that this study represents one-fourth of all publicly disclosed data breaches in that time frame. The report is chock full of statistics and percentages. The study examines the age-old question of IT risk-management: who is the largest threat source, insiders or outsiders?
The study weighs the impact of breaches (number of data records compromised) along with the frequency with which each threat source caused a breach. It also adds a third threat source to the mix: business partners, a sort of blended insider/outsider. One of the interesting results is that, using the classic risk equation (risk = likelihood * impact), business partners represent the greatest threat, followed closely by insiders.
The paper presents statistics but makes no blanket conclusions on what to do about the problems, instead leaving that up to the individual organization (as it should). Everyone knows that monitoring the insider threat is difficult and time-consuming. It is somewhat easier to monitor business partners since they (should) have limited access via well-defined conduits. Given the results of this study, monitoring business partner interaction with the corporate network data sources may become the new fad in IT risk-management.
Tags: risk management
Posted in Logs, Monitoring, Security | No Comments »
May 23rd, 2008
With yesterday’s introduction[reuters.com] of Google Health, we can now add personal health records and related information to the types of data Google is storing. This service includes connections to pharmacies, like Walgreen Co. and CVS Caremark, and other health groups. It will “allow patients to schedule appointments, refill prescriptions, receive diagnostic results online, and instantly add their doctors’ email addresses to a list of contacts.”
This service sounds very useful and is likely to be used by many people. My concern is that as the diversity and sensitivity of data Google is storing increases, so does its attractiveness as a target for those with malicious intent. According to Marissa Mayer, Google’s vice president for search services and user experience, the service involves an additional layer of security and the data is stored separately from Google’s other data. Mayer stated that, “We certainly have put in place the foremost privacy policy[google.com] that we could construct.” We all hope so!
Tags: confidential, google, policy, privacy
Posted in Give me more Internets!, Security, privacy | No Comments »
March 18th, 2008
Slashdot has posted an item[slashdot.org] about the upcoming results of a survey by Symantec and Applied Research-West describing the threat to IT from the so-called ‘Millennials’ generation–those born after 1980. The IT threat apparently comes from the willingness of this young crowd to connect almost any device or social networking software to the corporate network. There is a positive in the report: Millennials are more likely to be aware of the security implications of what they are installing or connecting.
Whew…for a second there I thought my generation was going to be banned from working! It’s not like that would make that many of us angry…just don’t take away our Internets!!! You don’t want us to get angry!
Tags: Millenials, Security
Posted in Give me more Internets!, Security, Social networks | No Comments »
March 5th, 2008
Reuters is reporting[reuters.com] that Canadian soldiers have been ordered not to post personal information to social networking sites like MySpace[myspace.com] and Facebook[facebook.com]. The apparent motive is safety - “Al Qaeda operatives are monitoring Facebook and other social networking sites.”
Many have heard of the potential effects that sharing the wrong information online can have on our careers and social lives, but few would view death as one of those potential effects. “This may seem over dramatic … (but) the information can be used to target members for further exploitation. It also opens the door for your families and friends to become potential targets as well.”
Are these soldiers and their families really in danger or is this an exaggeration or a command with a hidden motive?
Tags: al qaeda, facebook, myspace, soldiers
Posted in Social networks, Terrorism, privacy | 1 Comment »
March 1st, 2008
Brian Granier with the Internet Storm Center[sans.org] compiled some interesting security findings[sans.org] from feedback sent by people working for and with Small to Medium Businesses. I have combined his analysis with some of my own in the pros and cons to each finding.
1. All-in-one security products increasingly available at SMB prices
Pros: security needs being addressed
Cons: over-emphasis on perimeter security, false sense of security provided by a device that is turned on and “left to do its job”
2. Commonly no full-time IT staff
Pros: IT and security needs can be outsourced to specialized companies (this can also be a ‘con’, if not managed well)
Cons: IT and security needs addressed in a reactionary manner
3. Some cases of successful security integration, mostly motivated by external business pressures (e.g., regulations, customer demands)
Pros: security needs are being addressed, increasing understanding and support from management for security
Cons: implementing security strictly to meet regulatory demands can often lead to tunnel vision - addressing only what is regulated while potentially ignoring higher security risks
4. SMBs often ignore the insider threat
Pros: employee privacy, sense of trust
Cons: insiders are more likely to cause security incidents, and outsiders are often just one step away[truedigitalsecurity.com] from being an insider
Tags: all-in-one, insider threat, outsourcing, smb
Posted in Security | No Comments »
February 27th, 2008
Last week, in a surprise move, Microsoft announced Open Access to Protocol Documentation[microsoft.com]. Microsoft is releasing their protocol technical specifications for interoperability with Windows Vista, Windows Server 2008, Exchange, and others. This means third-party and open source software will be able to “talk” directly with Windows components that had previously been closed to them. This is quite a change for Microsoft, who until now kept their protocols proprietary, forcing vendors to reverse-engineer the protocols. This should result in greater support between open source products and Windows. I hope other companies follow Microsoft’s lead.
Tags: Microsoft, protocols
Posted in Microsoft, Windows | No Comments »