Alex Scoble's IT Notes - An Information Technology Blog

A lot of people go through their daily lives with the misconception that you can't packet sniff (eavesdrop) in a switched network or encrypted wireless (wifi) environment. Sadly, this is hardly the case.

They think this because a switch is a point to point device, which is to say that your computer only talks to the specific endpoint on the switch that it needs to and doesn't ordinarily have access to all traffic on the switch.

Unfortunately, in the real world, there are hacking/penetration tools such as Cain that allow someone running the tools to do what is called ARP (address resolution protocol) poisoning. Basically, it works by fooling the network switch in to thinking that all traffic going through the switch needs to go through the hacker's computer almost as if that computer were the gateway router for the switched segment.

This allows anyone running these tools to sniff all traffic going through a switch or to even change traffic that they are seeing (perform a man-in-the-middle attack).

Pretty scary stuff, eh?

But there are ways to mitigate this sort of risk. Many modern managed switch makers such as Cisco, Extreme, Dlink and others include a feature called DHCP snooping with their switches that allows switches to monitor MAC addresses and sense if DHCP enabled clients change their MAC addresses. Of course, since it can only monitor DHCP enabled systems, there may be workarounds to this solution by simply giving an attacking system a static IP address.

There are other solutions out there, but they can be costly (ArpDefender) or allow for monitoring only (ArpWatch).

At the end of the day, people put too much trust in the security of their systems by default when most of the systems and protocols that we use on a daily basis on the internet were designed not for security, but rather for ease of use and interoperability.

This isn't just important for those of us who might be managing IT security for corporations, but also for individuals who use public wifi hotspots on a regular basis.

I believe that THE linchpin to a corporation's IT security posture is monitoring. If you can't verify that ALL systems are appropriately hardened and working as they are supposed to on a regular basis, it's not a question of if you will be breached, but how much a breach is going to cost you when it happens.

I can't believe it! I just got the results for the Certified Information Systems Security Professional (CISSP) exam that I took on Oct 27th and I freakin' passed!

I passed! I passed! That test is such a meat grinder that I had no idea how well I did until just now!

Woooooo!

Woooooooo!

Yeah! Baby! YEAH!

OK, I'm a little more calm now. Now back to your regularly scheduled web browsing activities.

If you do one thing with your time in the near future, start a blog. And don't just start it and do nothing with it, start it and keep blogging.

I know from personal and observed experience that it really does pay off.

For example, my brother got his job largely based on his blogging work. He has met many interesting people because of his blogging.

I now know what my nephew is doing in school because he blogs about it where you can't get him to say more than two or three words about how he's doing in school when you ask him in person.

Based on my blogging, I now get paid to blog by Computerworld and that extra money comes in handy. I've gotten back in touch with friends that I hadn't spoken to in a long time because of my blog.

But more recently, and more importantly, I got a job because of my blogging, or depending on how you look at it, because of cat litter.

Way back in May of 2005, Greg Hughes wrote this piece on Fresh Step Crystals cat litter.

We had a bit of a conversation because of that and also from his post the next day which had a picture of the back of his RIM Blackberry 7290. That started a conversation about reception and cell phones and ways to overcome poor reception in buildings and residences.

Those conversations blossomed into still more conversations on our blogs and through MSN Instant Messenger which eventually led to me interviewing for a Security Operations Engineer position at Corillian, the company where he works. Well, I landed the job and start on December 5th. Already have a rental house lined up and everything.

I can't think of many reasons for blogging more rewarding than friendship, but a more advanced position at higher pay in a lower cost area sure comes close.

So the next time you think you are too busy to give up an hour or two a week to blog, think of all the opportunities, both financial and social, that you are missing because you didn't find the time.

People play the lottery with zero chance of winning for those moments of hope at having a better life.

You can start a blog with the same investment in time and money and be guaranteed to get back returns many times that of what you put in.

See also this post on why you should blog.

Another example of the power of blogs. Based on conversations Greg Hughes and I have had on issues from each other's blogs, we have been talking on IM as well.

Yesterday, we started talking about VPN solutions. Problems we have had with Netscreen Remote, what Greg's company uses and why, etc.

The big thing that I learned was that Cisco's VPN client allows you to reroute IPSEC traffic over multiple ports as you see fit. This is important as a lot of places now block the methods that IPSEC usually uses to create a tunnel. However, these same places don't block port 80 (HTTP - how systems connect to web sites & web apps) and port 443 (HTTPS - used to communicate with secure web sites & apps). So a VPN client that can reroute IPSEC traffic over port 80 or 443 has a great advantage over those that can't.

You can read more on Greg's blog here or on my Computerworld blog here.

My boss handed me this article on "Safeguarding Corporate Information". It talks about how new laws require companies that store data about individuals to have adequate security procedures and practices in place to not only protect the data but to also allow for prompt alerting when attacks and intrusions take place.

She asked me to look at it and see if our network meets the standards set forth in the article. After reading it, I'd have to say that it does not.

While we take reasonable measures to protect private data, we do not have systems in place that alert us if an intrusion takes place.

Which means that now I should probably start looking at Intrusion Detection Systems and other means to prevent intrusions and to collect the data necessary to meet the requirements of these laws.

Anyone know of any good IDS systems that are relatively easy to set up, that work well and don't cost an arm and a leg? I'd say anything above $5000 is right out, with $2500-$3000 being a good goal for a business this size.

Also, I was talking to some colleagues today about their plans for security of their network and they were told that Microsoft's ISA is a rock solid security solution. I don't particularly like application firewalls like that or Checkpoint because they are expensive and run ontop of a multipurpose OS (Windows). These tend to crash more often than the OS on a Netscreen for instance, are more complicated to set up and keep patched and are just plain harder to manage because if you have a problem, you have 3 vendors you need to call: the firewall vendor, the OS vendor and the hardware vendor. Whereas, with a firewall like a Cisco Pix, Netscreen or SonicWall, you have a single point of contact.

Anyhow, if anyone knows of any good IDS solutions that meet the requirements that I outlined above, please let me know.

The following is an excerpt of a recent email that I sent to users at my firm regarding phishing. I'm posting it here mainly because of the pertinent links at the bottom and also in case I need to use it again:

I'm sure most of you have gotten at least one email like the following:   

Below is the result of your feedback form.  It was submitted by
    ([email protected]) on Wednesday, March 9, 2005 at 07:12:59
    ---------------------------------------------------------------------------

    : Dear eBay Member,
    We at eBay are sorry to inform you that we are having problems with the
    billing information of your account. We would appreciate it if you would
    visit our website *Link removed* and fill out the proper information that we are needing to keep you       as an eBay member.
    If you think you have received this email as an error, please visit our
    website  *Link removed* and fill out the neccesary information. That way we can make
    sure that everything is up to date! Again here is the link to
    our website. *Link removed* Joe Watson
    eBay Billing Center
    Rep ID. 32A
    X9F8QA

This type of email is sent out by individuals attempting to get you to divulge your personal information. This type of scam is called "Phishing".

Phishing is the newest wave in identity theft. This method uses various online techniques to fool you into providing financial and personal information to people waiting to take advantage of you.
Phishing uses spam, email or pop-up messages to deceive Internet users into disclosing credit card numbers, bank account information, Social Security numbers, passwords, and other sensitive information.

These e-mails appear to come from a legitimate company, usually a financial institution or credit card issuer, urging you to immediately reply with personal information so your account is not deactivated.

To increase the chances of people falling for this type of scam, they'll even use the company's logo, colors, and standard disclosure text. The e-mail usually will contain a link that takes you to a fake site made to look like the company's legitimate Web site.

Here are some clues that an email is part of a phishing scam:

    * Look for misspellings and poor grammar;
    * The Web site often does not have ''http://'' in the address bar at the top.
    * There generally is an urgent tone or call to action. Phishing e-mails will allude to dire consequences, such as ''your account will be deactivated if you do not respond within 24 hours...''

The following websites have more good information on what phishing is and how to avoid these scams:

http://www.antiphishing.org/consumer_recs.html

https://www.plantersbank.net/onlineFraud.asp

Your personal banking institution's website will most likely also have information for you on how to avoid these sorts of scams as well as their policies/procedures of how they contact you in the event of problems.

Well, it looks like Symantec added protection for the strain that I reported here on Friday. The Dat file that protection was added appears to be the 18 Feb 2005 Dat file. Actual name of the strain found was W32.Mydoom.AZ@mm (Symantec's naming) or W32/Mydoom.bd@mm!zip (McAfee's naming). Protection must have been added after I went home. I notice that Postini (which uses McAfee's AV) started catching emails with the virus around 5:21 PM PST.

So this is just another reminder how even the best antivirus protection is not absolute. This virus made it through 2 zones of protection by 2 different AV vendors on Friday. And to boot, because the message looked like an email failure, it got me to open and activate the payload. Not the smartest thing I've ever done, but luckily the damage that this particular virus does is minimal.

Next time I don't expect to be so lucky and will have to be a bit more vigilant.