<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Steve Riley on Security : things that make me laugh</title><link>http://blogs.technet.com/steriley/archive/tags/things+that+make+me+laugh/default.aspx</link><description>Tags: things that make me laugh</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>Who is "dodacrazy" and what is a "montize buddy"?</title><link>http://blogs.technet.com/steriley/archive/2008/09/11/who-is-dodacrazy-and-what-is-a-montize-buddy.aspx</link><pubDate>Thu, 11 Sep 2008 22:53:55 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3122715</guid><dc:creator>Steve Riley</dc:creator><slash:comments>4</slash:comments><comments>http://blogs.technet.com/steriley/comments/3122715.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=3122715</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=3122715</wfw:comment><description>&lt;p&gt;Check this out:&lt;/p&gt;  &lt;p&gt;&lt;a title="http://blogs.technet.com/steriley/archive/2008/06/25/directly-connect-to-your-corpnet-with-ipsec-and-ipv6.aspx#3122377" href="http://blogs.technet.com/steriley/archive/2008/06/25/directly-connect-to-your-corpnet-with-ipsec-and-ipv6.aspx#3122377" target="_blank"&gt;http://blogs.technet.com/steriley/archive/2008/06/25/directly-connect-to-your-corpnet-with-ipsec-and-ipv6.aspx#3122377&lt;/a&gt;&lt;/p&gt;  &lt;blockquote&gt;   &lt;p&gt;Hey Steve you and your montize buddy Scott will soon have your hands full after the federal officers come down on your data scams and as for your educational acts i'm not buying it and if others are willing to trade your data for their profits 
guess there are fools born everyday tunnels oh I see drug dealers right Stevo&lt;/p&gt; &lt;/blockquote&gt;  &lt;p&gt;Normally I delete spam from my comments, and have occasionally deleted mindless ranting criticism (I encourage vigorous discussion of ideas, but won't allow personal attacks). However, this guy's comment is just...weird.&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;What's a &amp;quot;montize buddy Scott&amp;quot;? I know lots of Scotts, and once even admired a particular &amp;quot;Montgomery Scot.&amp;quot; But &amp;quot;montize&amp;quot;? Maybe it's a new kind of malt.&lt;/li&gt;    &lt;li&gt;I don't believe I'm perpetuating any data scams, none that I know of, anyway. If any of you, my readers, feel that I'm scamming your data, I guess I haven't concealed that fact well enough. Oops, sorry! We'll have to add another item to the constantly-growing list of &lt;a href="http://www.privacyrights.org/ar/ChronDataBreaches.htm" target="_blank"&gt;data breaches&lt;/a&gt;.&lt;/li&gt;    &lt;li&gt;While it's true that some of my conference appearances aren't free, no one is certainly forced to buy any of my &amp;quot;educational acts.&amp;quot; A lot of my presentations you can &lt;a href="http://www.microsoft.com/emea/spotlight/result_search.aspx?speaker=20&amp;amp;product=0&amp;amp;rating=0&amp;amp;x=72&amp;amp;y=13" target="_blank"&gt;download for free&lt;/a&gt;!&lt;/li&gt;    &lt;li&gt;I never look in tunnels for my supplies, they're too dark and you can never be totally certain of what you're getting.&lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;Thanks, dodacrazy, for a good Thursday morning laugh!&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3122715" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/blogging/default.aspx">blogging</category><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+laugh/default.aspx">things that make me 
laugh</category></item><item><title>Throw away your digital picture frames</title><link>http://blogs.technet.com/steriley/archive/2008/02/18/throw-away-your-digital-picture-frames.aspx</link><pubDate>Tue, 19 Feb 2008 03:36:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:2909038</guid><dc:creator>Steve Riley</dc:creator><slash:comments>4</slash:comments><comments>http://blogs.technet.com/steriley/comments/2909038.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=2909038</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=2909038</wfw:comment><description>&lt;P&gt;Surely time itself has warped and it's suddenly April 1st. Come on, if you read the following, wouldn't you first think it was a hoax, as did I?&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;A href="http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/02/15/BU47V0VOH.DTL" target=_blank mce_href="http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/02/15/BU47V0VOH.DTL"&gt;Virus from China, the gift that keeps on giving&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;An insidious computer virus recently discovered on digital photo frames has been identified as a powerful new Trojan Horse from China that collects passwords for online games -- and its designers might have larger targets in mind. 
&lt;P&gt;"It is a nasty worm that has a great deal of intelligence," said Brian Grayek, who heads product development at Computer Associates, a security vendor that analyzed the Trojan Horse... The authors of the new Trojan Horse are well-funded professionals whose malware has "specific designs to capture something and not leave traces," Grayek said. "This would be a nuclear bomb" of malware.&lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;Mocmex is its name. Reportedly, it can evade hundreds of anti-malware and firewall products, including the Windows Firewall. I suspect that this succeeds only when users are logged in as administrators, so here's yet another reason to stop doing this altogether, as the US Government is doing with its new &lt;A href="http://fdcc.nist.gov/" target=_blank mce_href="http://fdcc.nist.gov/"&gt;Federal Desktop Core Configuration&lt;/A&gt; for Windows XP and Windows Vista.&lt;/P&gt;
&lt;P&gt;The virus actually propagates to just about any kind of removable USB storage device, jumping from various well-concealed hiding places on your PC whenever such a device is inserted. Picture frames are implicated because the virus apparently originated in the factory where the frames were built (in turn sold by Best Buy, Sam's Club, Target, and Costco, but now discontinued). Amazingly, according to the UK security firm Prevx, over 67,500 variants of this thing exist!&lt;/P&gt;
&lt;P&gt;Even more amazing:&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;[Mocmex] isn't the only piece of malware involved. Deborah Hale of Sans said the researchers also found four other, older Trojans on each frame, which may serve as markers for botnets -- networks of infected PCs that are remotely controlled by hackers. 
&lt;P&gt;There is W32.Rajump, which deposits the same piece of malware that infected some of Apple's video iPods during manufacturing in October 2006. It gathers IP addresses and port numbers from infected PCs and ships them out, according to Symantec. One destination is registered to a service in China that allows people to conceal their own IP addresses. 
&lt;P&gt;Then there is a generic Trojan; a Trojan that opens a back door on PCs and displays pop-up ads; and a Trojan that spreads itself through portable devices like Mocmex does.&lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;More reasons to &lt;A href="http://blogs.technet.com/steriley/archive/2007/10/30/more-on-autorun.aspx" target=_blank mce_href="http://blogs.technet.com/steriley/archive/2007/10/30/more-on-autorun.aspx"&gt;disable Autorun&lt;/A&gt;, I suppose. Yet this isn't a cure-all: if you're logged in as administrator, the virus helpfully re-enables Autorun. Sheesh! If you own one of these frames, SANS suggests that you take it to a friend who has a Mac or Linux box and plug it in there. Yeah, that's good advice; there exist no viruses for these operating systems, correct? It's irrelevant which operating system you're using -- if you run with full privileges, you'll get 0wn3d soon enough.&lt;/P&gt;
&lt;P&gt;It's fascinating that the thing targets online games, although it could certainly harvest just about any private information stored on your PC. Mining online game accounts might be pretty profitable, you know. Consider the number of people who pay real money for virtual (=fake) stuff in World of Warcraft, Runescape, and whatever else. I suppose losing their passwords to picture frames might help such people regain a tenuous foothold on reality.&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=2909038" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/threats/default.aspx">threats</category><category domain="http://blogs.technet.com/steriley/archive/tags/protection/default.aspx">protection</category><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+laugh/default.aspx">things that make me laugh</category><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+worried/default.aspx">things that make me worried</category><category domain="http://blogs.technet.com/steriley/archive/tags/malware/default.aspx">malware</category><category domain="http://blogs.technet.com/steriley/archive/tags/home+and+family+security/default.aspx">home and family security</category></item><item><title>Bugged Canadian coin story is...wait for it...BOGUS!</title><link>http://blogs.technet.com/steriley/archive/2007/01/16/bugged-canadian-coin-story-is-wait-for-it-bogus.aspx</link><pubDate>Tue, 16 Jan 2007 23:39:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:599346</guid><dc:creator>Steve Riley</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.technet.com/steriley/comments/599346.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=599346</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=599346</wfw:comment><description>&lt;P&gt;Surely 
you've heard, too many times by now, about the radio transmitters "discovered" in some Canadian coins. From the moment I first read about it, the&amp;nbsp;steamy stench&amp;nbsp;of pasture patties loomed large in the air. I watched in amazement as the story grew, along with the apparent credibility so many "journalists" ascribed to it! Well, the United States Defense Security Service &lt;A class="" href="http://www.dss.mil/dss_coin_announce.htm" target=_blank mce_href="http://www.dss.mil/dss_coin_announce.htm"&gt;now admits that the statement&lt;/A&gt; is "unsubstantiated following an investigation into the matter."&lt;/P&gt;
&lt;P&gt;My variation on the rule is this: &lt;STRONG&gt;if something is too &lt;EM&gt;stupid&lt;/EM&gt; to be true, it absolutely is.&lt;/STRONG&gt; And, of course, there's a corollary: &lt;STRONG&gt;media attention to silliness is inversely proportional to factuality.&lt;/STRONG&gt;&lt;/P&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/false+claims/default.aspx">false claims</category><category domain="http://blogs.technet.com/steriley/archive/tags/security+myths/default.aspx">security myths</category><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+laugh/default.aspx">things that make me laugh</category></item><item><title>iPods spread disease?</title><link>http://blogs.technet.com/steriley/archive/2006/10/17/ipods-spread-disease.aspx</link><pubDate>Tue, 17 Oct 2006 21:57:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:471189</guid><dc:creator>Steve Riley</dc:creator><slash:comments>9</slash:comments><comments>http://blogs.technet.com/steriley/comments/471189.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=471189</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=471189</wfw:comment><description>&lt;P&gt;Well well. Looks like a few new iPod owners are &lt;A class="" href="http://www.apple.com/support/windowsvirus/" target=_blank mce_href="http://www.apple.com/support/windowsvirus/"&gt;getting infected when they attach their players&lt;/A&gt; to their computers. I'll quote the first paragraph from Apple's web site:&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;We recently discovered that a small number - less than 1% - of the Video iPods available for purchase after September 12, 2006, left our contract manufacturer carrying the Windows RavMonE.exe virus. This known virus affects only Windows computers, and up to date anti-virus software which is included with most Windows computers should detect and remove it. So far we have seen less than 25 reports concerning this problem. The iPod nano, iPod shuffle and Mac OS X are not affected, and all Video iPods now shipping are virus free. As you might imagine, we are upset at Windows for not being more hardy against such viruses, and even more upset with ourselves for not catching it.&lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;So Apple has a quality-control problem, and they blame it on Windows? They mention that decent AV software would catch the virus, but then they become oblivious to the irony that they themselves apparently don't run any?&lt;/P&gt;
&lt;P&gt;What's even&amp;nbsp;more&amp;nbsp;inaccurate in Apple's claim&amp;nbsp;is that the malware isn't an actual virus.&amp;nbsp;Rather than exploiting a&amp;nbsp;code vulnerability to spread, it relies instead on a common configuration vulnerability -- the gullibility of humans.&amp;nbsp;To encourage spreading, it creates an autorun.inf file, entices the user to execute the worm, and then looks for any mapped drives and drops itself on whatever it finds. I continue to maintain that autorun has no purpose on business computers and you should &lt;A class="" href="http://search.microsoft.com/results.aspx?mkt=en-US&amp;amp;setlang=en-US&amp;amp;q=disable+autorun" target=_blank mce_href="http://search.microsoft.com/results.aspx?mkt=en-US&amp;amp;setlang=en-US&amp;amp;q=disable+autorun"&gt;disable it at the domain level&lt;/A&gt;.&lt;/P&gt;
&lt;P&gt;Apparently, someone at Apple fell for the &lt;A class="" href="http://en.wikipedia.org/wiki/Dancing_pigs" target=_blank mce_href="http://en.wikipedia.org/wiki/Dancing_pigs"&gt;dancing pigs&lt;/A&gt; and subsequently infected&amp;nbsp;the equipment used in the manufacture of&amp;nbsp;certain iPods.&amp;nbsp;Ignoring their own problems, Apple finds it easier to blame Microsoft. That's right, blame is always preferable over responsibility.&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=471189" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/false+claims/default.aspx">false claims</category><category domain="http://blogs.technet.com/steriley/archive/tags/protection/default.aspx">protection</category><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+angry/default.aspx">things that make me angry</category><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+laugh/default.aspx">things that make me laugh</category><category domain="http://blogs.technet.com/steriley/archive/tags/malware/default.aspx">malware</category></item><item><title>Must be a slow news day: reporter writes 100% crap</title><link>http://blogs.technet.com/steriley/archive/2006/10/03/Must-be-a-slow-news-day_3A00_-reporter-writes-100_2500_-crap.aspx</link><pubDate>Tue, 03 Oct 2006 18:12:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:461362</guid><dc:creator>Steve Riley</dc:creator><slash:comments>6</slash:comments><comments>http://blogs.technet.com/steriley/comments/461362.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=461362</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=461362</wfw:comment><description>&lt;P&gt;&lt;FONT face="book antiqua,palatino" size=3&gt;Imagine my surprise to read that &lt;/FONT&gt;&lt;A class="" 
href="http://www.itweek.co.uk/itweek/news/2165364/nap-kicked-vista" target=_blank mce_href="http://www.itweek.co.uk/itweek/news/2165364/nap-kicked-vista"&gt;&lt;FONT face="book antiqua,palatino" size=3&gt;Microsoft is removing NAP from Windows Vista&lt;/FONT&gt;&lt;/A&gt;&lt;FONT face="book antiqua,palatino" size=3&gt;! Does this&amp;nbsp;guy actually get paid money to write this drivel? The particular folks quoted in the article all have their own agendas, of course.&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;&lt;FONT face="book antiqua,palatino" size=3&gt;News flash: we aren't dropping NAP. It's in the product now, we're actually running it on part of our own corporate network. And soon you'll get to enjoy the benefits of NAP in your own environments, too.&lt;/FONT&gt;&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=461362" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/Windows+Vista/default.aspx">Windows Vista</category><category domain="http://blogs.technet.com/steriley/archive/tags/NAP/default.aspx">NAP</category><category domain="http://blogs.technet.com/steriley/archive/tags/false+claims/default.aspx">false claims</category><category domain="http://blogs.technet.com/steriley/archive/tags/the+trade+press/default.aspx">the trade press</category><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+angry/default.aspx">things that make me angry</category><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+laugh/default.aspx">things that make me laugh</category></item><item><title>Mythbusters beat "unbreakable" fingerprint door lock</title><link>http://blogs.technet.com/steriley/archive/2006/09/20/Mythbusters-beat-_2200_unbreakable_2200_-fingerprint-door-lock.aspx</link><pubDate>Thu, 21 Sep 2006 05:15:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:457845</guid><dc:creator>Steve Riley</dc:creator><slash:comments>13</slash:comments><comments>http://blogs.technet.com/steriley/comments/457845.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=457845</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=457845</wfw:comment><description>&lt;P&gt;My good friend Jamie Sharp sent me this link today. 
It's amazing: &lt;A href="http://www.youtube.com/watch?v=oXyFmieZjiE" target=_blank mce_href="http://www.youtube.com/watch?v=oXyFmieZjiE"&gt;watch how Adam and Jamie easily defeat a fingerprint lock&lt;/A&gt; the manufacturer claims has never been broken. As if to snub the claims, they break it &lt;EM&gt;three times!&lt;/EM&gt; Supposedly it monitors pulse, sweat, temperature, and other attributes. First, Adam obtains an impression of a fingerprint already present on the reader and creates a latex copy that he adheres to his own thumb. Initial attempts fail, but when Adam licks the latex, the door opens. Next, Jamie tries a ballistics gel copy of the fingerprint. Sure enough, the door opens right away. Adam remarks that some cheap computer fingerprint reader was actually more difficult to hack than the "unbreakable" door lock! Finally, Adam tries the simplest of all attacks: a photocopy of the authorized fingerprint. No warmth, no pulse, only a lick -- and again, the door opens.&lt;/P&gt;
&lt;P&gt;&lt;A href="http://www.microsoft.com/technet/community/columns/secmgmt/sm0206.mspx" target=_blank mce_href="http://www.microsoft.com/technet/community/columns/secmgmt/sm0206.mspx"&gt;Biometrics is identity, not authentication&lt;/A&gt;. Authentication requires a secret of some kind, like a PIN or password. Anything you leave behind, like the fingerprint Adam lifted from the reader, can never be used as a secret, and thus can't be considered authentication.&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=457845" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/identity/default.aspx">identity</category><category domain="http://blogs.technet.com/steriley/archive/tags/authentication/default.aspx">authentication</category><category domain="http://blogs.technet.com/steriley/archive/tags/security+theater/default.aspx">security theater</category><category domain="http://blogs.technet.com/steriley/archive/tags/biometrics/default.aspx">biometrics</category><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+laugh/default.aspx">things that make me laugh</category></item><item><title>Yes, everyone knows you're a dog</title><link>http://blogs.technet.com/steriley/archive/2006/09/07/Yes_2C00_-everyone-knows-you_2700_re-a-dog.aspx</link><pubDate>Thu, 07 Sep 2006 15:17:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:454645</guid><dc:creator>Steve Riley</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.technet.com/steriley/comments/454645.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=454645</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=454645</wfw:comment><description>&lt;P&gt;Amazing how long the legs are on the AOL search debacle. 
Of course, we in the online community often beat such stories to death, if only because they deserve it!&lt;/P&gt;
&lt;P&gt;Recently Kim Cameron &lt;A href="http://www.identityblog.com/?p=536" mce_href="http://www.identityblog.com/?p=536"&gt;posted&lt;/A&gt; the search history of user 16006693, which flits&amp;nbsp;"from politics, to retirement, to politics, to religion, to sex, quickly back to religion (repent!), to food, and finally to heartburn." Why is it interesting? Probably because each and every one of us can find a bit of ourselves in user 16006693 (well, OK, not all of us; I know I'm not anywhere close!).&lt;/P&gt;
&lt;P&gt;Check it out; don't hurt yourself too much from laughing:&lt;/P&gt;
&lt;P&gt;16006693 nak&lt;BR&gt;16006693 nack&lt;BR&gt;16006693 sharona&lt;BR&gt;16006693 knack&lt;BR&gt;16006693 knack downloads&lt;BR&gt;16006693 oakrige boys&lt;BR&gt;16006693 oakridge boys&lt;BR&gt;16006693 oakridge boys downloads free&lt;BR&gt;16006693 jokes about dick cheney&lt;BR&gt;16006693 jokes about dick cheney but not george bush&lt;BR&gt;16006693 dick cheney creep&lt;BR&gt;16006693 dick cheney dickhead&lt;BR&gt;16006693 rummy dickhead&lt;BR&gt;16006693 where is iraq&lt;BR&gt;16006693 where is lebenon&lt;BR&gt;16006693 his bullets&lt;BR&gt;16006693 his bullies&lt;BR&gt;16006693 shiits&lt;BR&gt;16006693 shee-ites&lt;BR&gt;16006693 bush appruval&lt;BR&gt;16006693 bush approvel&lt;BR&gt;16006693 bush drops below&lt;BR&gt;16006693 dead reporters&lt;BR&gt;16006693 dead reporters fotos&lt;BR&gt;16006693 dead reporters pix&lt;BR&gt;16006693 disembowled reporters pix&lt;BR&gt;16006693 disembowled new york times&lt;BR&gt;16006693 love thine enemas&lt;BR&gt;16006693 love thine enemies&lt;BR&gt;16006693 bible quote of the day&lt;BR&gt;16006693 insperation from bible&lt;BR&gt;16006693 george bush great president&lt;BR&gt;16006693 george w bush great president&lt;BR&gt;16006693 dream on&lt;BR&gt;16006693 oakridge boys lyrics dream on&lt;BR&gt;16006693 how to run country&lt;BR&gt;16006693 how to run country when not really inerested&lt;BR&gt;16006693 people to run country for you&lt;BR&gt;16006693 over work&lt;BR&gt;16006693 overwork&lt;BR&gt;16006693 stress&lt;BR&gt;16006693 best place to retire&lt;BR&gt;16006693 places like crawford but without cindy sheehan&lt;BR&gt;16006693 crawford the town not cindy crawford&lt;BR&gt;16006693 crawford tx&lt;BR&gt;16006693 like crawford tx but not so hot&lt;BR&gt;16006693 best places to retire not hot&lt;BR&gt;16006693 best places to retire global warming&lt;BR&gt;16006693 global warming mith&lt;BR&gt;16006693 global warming myth&lt;BR&gt;16006693 crawford hot&lt;BR&gt;16006693 cindy crawford hot&lt;BR&gt;16006693 rice 
hot&lt;BR&gt;16006693 rice hot not recipes&lt;BR&gt;16006693 rice naked&lt;BR&gt;16006693 rice nude&lt;BR&gt;16006693 bible quotes resisting temptation&lt;BR&gt;16006693 oakridge boys i’ll be true to you&lt;BR&gt;16006693 oakridge boys trying to love two women&lt;BR&gt;16006693 rice and beans&lt;BR&gt;16006693 tex mex&lt;BR&gt;16006693 tex mex not music&lt;BR&gt;16006693 tex mex takeout&lt;BR&gt;16006693 tex mex takeout dc&lt;BR&gt;16006693 heart burn&lt;BR&gt;16006693 heartburn&amp;nbsp;&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=454645" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/the+trade+press/default.aspx">the trade press</category><category domain="http://blogs.technet.com/steriley/archive/tags/identity/default.aspx">identity</category><category domain="http://blogs.technet.com/steriley/archive/tags/threats/default.aspx">threats</category><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+laugh/default.aspx">things that make me laugh</category><category domain="http://blogs.technet.com/steriley/archive/tags/public+policy/default.aspx">public policy</category><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+worried/default.aspx">things that make me worried</category></item><item><title>File under: "You've got to be kidding!"</title><link>http://blogs.technet.com/steriley/archive/2006/03/11/File-under_3A00_-_2200_You_2700_ve-got-to-be-kidding_21002200_.aspx</link><pubDate>Sun, 12 Mar 2006 01:15:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:421831</guid><dc:creator>Steve 
Riley</dc:creator><slash:comments>3</slash:comments><comments>http://blogs.technet.com/steriley/comments/421831.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=421831</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=421831</wfw:comment><description>&lt;P&gt;Today I upgraded the brain on my i-mate K-JAM. Which, of course,&amp;nbsp;requires a hard reset, meaning that I get to spend a relaxing day re-installing and configuring all my applications. Usually when I do this (too frequently, it seems) I browse around for new and improved software.&lt;/P&gt;
&lt;P&gt;While perusing &lt;A href="http://www.pocketgear.com/" mce_href="http://www.pocketgear.com/"&gt;www.pocketgear.com&lt;/A&gt; for&amp;nbsp;updated travel-related software, I stumbled across something that's&amp;nbsp;incredibly funny and woefully tragic at the same time. You gotta check this out, if only for comic relief!&lt;/P&gt;
&lt;BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px"&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;A class="" href="http://www.pocketgear.com/software_detail.asp?id=10970" target=_blank mce_href="http://www.pocketgear.com/software_detail.asp?id=10970"&gt;2004 Terrorism Survival Bundle 3.0&lt;/A&gt;&lt;/STRONG&gt;&lt;BR&gt;Don't be caught unprepared in the case of another terrorism attack. The 2004 Terrorism Survival Bundle includes:&lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;UL&gt;
&lt;UL&gt;
&lt;LI&gt;Terrorism travel planner - international&lt;/LI&gt;
&lt;LI&gt;Terrorism travel planner - USA&lt;/LI&gt;
&lt;LI&gt;Terrorism survival plan database&lt;/LI&gt;
&lt;LI&gt;Terrorism survival response database&lt;/LI&gt;&lt;/UL&gt;&lt;/UL&gt;
&lt;P&gt;I especially enjoyed the list of less common international threats: children, driving, food, kidnappings, landmines, missiles, piracy, soft targets, and vehicle explosions! How are children threatening?&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=421831" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/false+claims/default.aspx">false claims</category><category domain="http://blogs.technet.com/steriley/archive/tags/security+theater/default.aspx">security theater</category><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+laugh/default.aspx">things that make me laugh</category></item><item><title>A CEO who should be fired</title><link>http://blogs.technet.com/steriley/archive/2006/03/10/A-CEO-who-should-be-fired.aspx</link><pubDate>Fri, 10 Mar 2006 20:51:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:421765</guid><dc:creator>Steve Riley</dc:creator><slash:comments>9</slash:comments><comments>http://blogs.technet.com/steriley/comments/421765.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=421765</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=421765</wfw:comment><description>&lt;P&gt;So the CEO of an important customer of ours (no, I won't tell you who it is) claims to be, um, "very technical" and therefore &lt;EM&gt;keeps his own Windows domain and refuses to be part of the corporate forest.&lt;/EM&gt; Go ahead, take a moment to express your astonishment; it took me about a full minute to recover my composure, too! Well, their IT is re-engineering part of the network and now has to, yet once again, figure out how to&amp;nbsp;incorporate&amp;nbsp;the non-standard and unmanaged "personal network" of&amp;nbsp;this particular maverick.&lt;/P&gt;
&lt;P&gt;This is a load of nonsense, as I'm sure you'll agree. No matter how I spin it mentally, I simply can't envision even a single business justification for this CEO to exempt himself from policies that everyone else is required to follow. He apparently fails to realize that his&amp;nbsp;choice sends a clear message saying, in effect, "The policies suck and I know it." His behavior probably demoralizes the entire IT staff and communicates to them that he doesn't trust them and that they have no value.&lt;/P&gt;
&lt;P&gt;Also, and probably even more important, his stance arguably increases costs to the organization. Just consider the ongoing extra (costly) work required&amp;nbsp;for building the additional design, testing, troubleshooting, and support necessary to accommodate his silly whims. No worthy CEO -- one concerned with shareholder value and organizational performance --&amp;nbsp;would willingly do this. I know one company whose products I now will never buy.&lt;/P&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+angry/default.aspx">things that make me angry</category><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+laugh/default.aspx">things that make me laugh</category><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+worried/default.aspx">things that make me worried</category></item><item><title>New site at the top of my favorites list</title><link>http://blogs.technet.com/steriley/archive/2005/11/16/New-site-at-the-top-of-my-favorites-list.aspx</link><pubDate>Wed, 16 Nov 2005 09:46:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:414616</guid><dc:creator>Steve Riley</dc:creator><slash:comments>4</slash:comments><comments>http://blogs.technet.com/steriley/comments/414616.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=414616</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=414616</wfw:comment><description>&lt;P&gt;You know, stupid security abounds. I just discovered this site today, and I plan to become a regular visitor -- and probably a contributor, too! I encourage you to explore it and enjoy. Oh, some advice: it probably would be unwise to read an offline archived version of this site on an airplane. :)&lt;/P&gt;
&lt;P&gt;Stupid Security: Exposing fake security since 2003&lt;BR&gt;&lt;A href="http://www.stupidsecurity.com/" mce_href="http://www.stupidsecurity.com"&gt;http://www.stupidsecurity.com&lt;/A&gt;&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=414616" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/false+claims/default.aspx">false claims</category><category domain="http://blogs.technet.com/steriley/archive/tags/security+theater/default.aspx">security theater</category><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+angry/default.aspx">things that make me angry</category><category domain="http://blogs.technet.com/steriley/archive/tags/security+myths/default.aspx">security myths</category><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+laugh/default.aspx">things that make me laugh</category></item><item><title>Cluelessness abounds</title><link>http://blogs.technet.com/steriley/archive/2005/09/14/Cluelessness-abounds.aspx</link><pubDate>Wed, 14 Sep 2005 16:08:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:410797</guid><dc:creator>Steve Riley</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.technet.com/steriley/comments/410797.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=410797</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=410797</wfw:comment><description>&lt;P&gt;So yesterday I received a rather interesting email. Subject: "INFOSEC Scholarships &amp;amp; Fellowships for PhD or MS + Free CISSP Exam Prep Events." Hm, I didn't know that "information security" suddenly became an all-caps acronym. How come no one asks me first about these things? Anyway, it purports to come from the University of Fairfax, who seems to be outsourcing their spam to IQMailer.net. 
I suppose if you're gonna set up an outsourcing business, spam is as good as anything. There's no paperclip icon next to the message, so I open it. Sure enough, it's an ad enticing me to "advance my INFOSEC career to the next level" (the next time I hear "to the next level" I'm gonna throttle whoever says it) because "the federal information security budget will grow to $20B+ by 2008, will your INFOSEC career grow as fast?" I'm so happy that the University of Fairfax and Aladdin Knowledge Systems care so much about me! I'm honored! Yeah right.&lt;/P&gt;
&lt;P&gt;Here's the clueless, somewhat frightening, and hugely ironic&amp;nbsp;part. This message -- sent to me because I'm a subscriber at SearchSecurity.com, advertising a way to learn more about security through courses and exam prep, &lt;EM&gt;had an ActiveX control attached!&lt;/EM&gt; You'd think that people teaching security would know better, and you'd also think that SearchSecurity.com would know better too and at least make sure the email abides by standard security practices. I guess not. Shame on you SearchSecurity.com, and shame on you University of Fairfax. You're doing exactly the wrong things to appeal to your intended audience.&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=410797" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/advertising/default.aspx">advertising</category><category domain="http://blogs.technet.com/steriley/archive/tags/spam/default.aspx">spam</category><category domain="http://blogs.technet.com/steriley/archive/tags/security+theater/default.aspx">security theater</category><category domain="http://blogs.technet.com/steriley/archive/tags/email/default.aspx">email</category><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+laugh/default.aspx">things that make me laugh</category></item><item><title>New column - debunking security myths</title><link>http://blogs.technet.com/steriley/archive/2005/04/12/New-column-_2D00_-debunking-security-myths.aspx</link><pubDate>Tue, 12 Apr 2005 19:58:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:403644</guid><dc:creator>Steve 
Riley</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/steriley/comments/403644.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=403644</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=403644</wfw:comment><description>&lt;P&gt;There is a lot at stake in security configuration guidance. First, it is easy to understand why people are clamoring for it. Everyone can see the benefit in turning on some setting and blocking an attack. In some environments, doing so is not even an option. A system must be configured in accordance with some security configuration or hardening guide to be compliant with security policy. In other environments security configuration guidance is strongly encouraged. Before you start making security tweaks, however, we feel that it is very important that you understand some of the fundamental problems with them. These are what we call the myths.&lt;/P&gt;
&lt;P&gt;Part 1: &lt;A href="http://www.microsoft.com/technet/community/columns/secmgmt/sm0305_2.mspx" mce_href="http://www.microsoft.com/technet/community/columns/secmgmt/sm0305_2.mspx"&gt;http://www.microsoft.com/technet/community/columns/secmgmt/sm0305_2.mspx&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;Part 2: &lt;A href="http://www.microsoft.com/technet/community/columns/secmgmt/sm0405.mspx" mce_href="http://www.microsoft.com/technet/community/columns/secmgmt/sm0405.mspx"&gt;http://www.microsoft.com/technet/community/columns/secmgmt/sm0405.mspx&lt;/A&gt;&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=403644" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/false+claims/default.aspx">false claims</category><category domain="http://blogs.technet.com/steriley/archive/tags/security+theater/default.aspx">security theater</category><category domain="http://blogs.technet.com/steriley/archive/tags/risk+mitigation/default.aspx">risk mitigation</category><category domain="http://blogs.technet.com/steriley/archive/tags/security+myths/default.aspx">security myths</category><category domain="http://blogs.technet.com/steriley/archive/tags/security+science/default.aspx">security science</category><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+laugh/default.aspx">things that make me laugh</category></item></channel></rss>