February 2004 Entries

Left to my own devices

Beau convinces himself Fry's is the best place to find a SCSI card. Hilarity ensues.

The Farewell Dossier

There is an interesting book coming out next month from Ballantine Books called "At the Abyss: An Insider's History of the Cold War".  It's written by Thomas Reed, who worked at varying levels of government, including a stint as Ronald Reagan's Secretary of the Air Force. What does a book about the Cold War offer to interest my readers?  I'm so glad you asked! Indulge me for a moment, while I give you a little history lesson: In 1981 the CIA discovered that the Soviet Union was pillaging American (and other Western) technology at an alarming rate, starting way back in 1970.  They were...

Big News

I've been holding this in for a couple weeks, but now it's official:  I'm leaving AT&T Wireless after 2 years with the company.  My last day is March 5th.  I have accepted a position managing the security and network infrastructure of a medium-sized company in Bellevue.  While I have always been responsible for managing the security of the networks under my immediate control, this marks the first time the word “Security” actually appears in my title. I'm excited as hell :)

Courage...?

I'm a frequent reader of Wil Wheaton's blog.  You know Wil Wheaton, he played Wesley Crusher on Star Trek: The Next Generation.  Now he's an author, having largely given up on his acting career. I read his blog because it's generally entertaining.  He's got a writing style that I enjoy, and his stories of fatherhood are touching and inspiring (even though my wife and I have no kids). But he posted something yesterday which made me fume.  It wasn't what he posted really, since he and I actually agree on the core issue at hand, but the way he posted it. If you...

New Snort is Out Too

A new version of Snort IDS is also now available.

New NMap Version Released

Fyodor announced today, on the BugTraq mailing list, the immediate availability of NMap v3.50. As most of you know, NMap is the de facto standard in the security realm for vulnerability scanning and host fingerprinting.  It also would have ranked #1 on Fyodor's 75 Top Security Tools had he not disqualified his own utility from being voted on and appearing on the list. The changelog for NMap can be viewed here. Thanks Fyodor, and everyone who contributes to the NMap project, for such a fantastic piece of software. Edit:  NMap was the utility used in the movie Matrix Reloaded to scan the power station network...

Bizex Virus/Worm Ups The Ante

A new virus broke on Tuesday, and quickly infected between 50,000 and 100,000 systems in the 4 hours prior to its source being quenched.  The virus has been dubbed Bizex. Bizex was well-crafted.  In fact, so well-crafted that some think it's the product of a professional virus writer.  It exploits a myriad of vulnerabilities, including a combination of ICQ and Internet Explorer attacks that remains exploitable.  It uses various attack vectors, including email and ICQ messages with embedded links.  It uses some techniques that had only been made public a few days prior, proving once again that the black hats are...

Pepsi Exploit in the Wild

A new exploit has been found that will circumvent Pepsi's process for giving away free iTunes music downloads. The advisory for the exploit includes Snort rules to detect this attack. No word from Pepsi on a patch. Heh.

Funny Observation

I think it's funny that I find out more about Microsoft vulnerabilities on sites proclaiming to be focused on UNIX and LINUX.  And the reverse is true with Linux vulnerabilities.  I generally find out about Linux vulnerabilities sooner on web sites focused on Microsoft problems. That's why a good portion of my links are Unix/Linux security sites, though the focus of this blog is on Microsoft security.  That's where the news I care most about seems to hit first. Just an observation.

Windows Update CD Now Available

Microsoft has finally released a Windows Security Update CD in consideration of all the modem users who find their systems have been hacked before they can download and install the necessary updates over the Internet.  (Have I mentioned that most new systems are probed for weaknesses within 15 minutes of being attached to the Internet?). It's free.  Go get one.

National and State Trends in Internet Fraud and Identity Theft

In late January, the FTC released a report entitled “National And State Trends in Internet Fraud and Identity Theft” (73 pages, PDF format). I was reading through this report today and some of the numbers are sobering: In 2003, Identity Theft was by a long shot the favorite crime of Internet hucksters, accounting for 42% of reported incidents.  The next most popular type of Internet Crime was Auction Fraud, at 15%.  Internet fraud now accounts for 55% of all fraud reporting in the United States, up from 45% in 2002. Seattle is 2nd only to Washington DC in incidents of fraud, per capita. A whopping 81%...

Phishing Incidents up 50% in January

According to a recent press release by antiphishing.org and Tumbleweed Communications Group, phishing incidents increased by nearly 50% in January compared to the previous month. I made a quick graph of the number of phishing incidents reported to antiphishing.org over the past 3 months, and the trend is disturbing: As you can see, scammers are really taking a liking to phishing as a means to bilk money from unsuspecting victims. It's interesting to note that 32% of the phishing attacks monitored during this period relied upon the recently-addressed IE feature that allowed web addresses to include user credentials in the URL.  Recent patches to Internet Explorer...

That tax story was pretty half-assed

I struggled with that tax return offshoring story.  It's crap.  You don't have to tell me, I know it's crap.  I totally left out everything about how SurePrep puts the tax information up on a web site in a California data center, so that the tax folks in India can access them to fill out the forms.  And I didn't even bother to put the teaser quote from the night before into the story, to give it context.  I was so fired up about it last night after my initial research, but when I sat down to write it the next...

Anatomy of an HTTP Request

Cyberguard recently published an article by Gideon Rasmussen detailing the network traffic that is generated by a normal HTTP request. It's a great example of common traffic if you are just getting your feet wet with network analysis. (Thanks JOAT)

Who is *really* doing your taxes?

As tax time approaches, one of the issues that has come up recently is the effect offshoring is having on financial sectors, like the tax preparation business. According to a recent report on 60 Minutes, roughly 200,000 U.S. tax returns will be prepared by Indian tax preparers, nearly a 10-fold increase over last year, in many cases without the client even realizing it. In fact, entire businesses are springing up to handle the offshore tax return preparation business.  Take, for instance, SurePrep, a company based in Bombay and soliciting US accounting firms to send them their tax return business.  “What if...

New Offshoring article in the morning

I'm heading to bed because the new offshoring article I have in mind will take me an hour to write, and I promised my wife I'd be in bed an hour ago.  But it will blow your socks off, I promise! Here's a teaser quote for you: "The type of security you see in this facility is generally much more so than you would see in any U.S. accounting firm. Everything is paperless.  You'll notice in the facility there's no pens or papers on the desk. There's no printers in the work room. Everything's done on screen." That's a quote from a...

Log Analysis and IDS Tools

This Canadian site has a bunch of useful log analysis and IDS-related tools that are open source.  The website is horrid and slow, but the tools seem to be worth the trip.

International Crypto Laws

If you need to find out the regulations for exporting an encrypting VPN device to Lithuania, this is where you can get a brief overview of the cryptography laws in about 70 different countries. A guy I know once told a German customs agent that a small VPN device was a “hub” because he wasn't sure if he was breaking the law or not by carrying it into the country.  Don't be that guy.

Note to self:

Hey Beau, you should check out this Microsoft whitepaper on NAT-T when you get home.  Maybe get off your butt and implement it so “working from home” isn't restricted to sending email from your Blackberry?

Here come the exploits

As most of my readers probably know, because it's been all over the news, the source code for Windows NT4 and Windows 2000 was leaked to the Internet late last week. The first of probably many bugs resulting from this exposure has been identified and published. The bug involves a buffer overflow in the way Internet Explorer v5 (subsequently fixed in v6) handles GIF images.  IE5 is the browser version that ships with Win2k. This bug is a non-issue if the machine is properly patched (which will likely be the case for 99% of the bugs that are found in this obsolete source...

eEye Publishes "Upcoming Advisories" List

You can see a little bit about some advisories eEye is sitting on by going here.  A couple of these are over 5 months old.  I wonder what would prompt a company like eEye to sit on an advisory for so long?  They must be doozies, if the last bug they concealed for so long is any indication.

A Home User's Security Checklist for Windows

There is a new article on SecurityFocus that includes a handy checklist for securing your Windows computer(s) at home.  I haven't gone through the entire thing for accuracy, but I think it should prove useful to a lot of my readers.  Go get it. And actually, I have to admit to never running RegClean on any of my home systems.  You learn something new every day.

A-Rod shows his colors... again

A-Rod isn't missed here in Seattle.  Actually, he's nigh on despised, truth be told.  When The People built the Mariners a new $400M stadium that was the apple of Baseball's eye, all A-Rod could do was bitch about how his personal home run numbers would decline due to the new stadium's pitcher-friendly dimensions.  Not only did he abandon the Mariners shortly thereafter in pursuit of a World Series (and a bigger paycheck), but then he went on to woo Seattle's biggest employer to come with him.  "I moved to Dallas-Fort Worth to improve my future. So should you", said A-Rod...

Well that'll teach him... I guess

So an 18-year-old British hacker cracks his way into 17 servers at a government-run nuclear research facility outside of Chicago so he can use them to store warez and other pirated material.  The DOE had to shut down the network for 3 days as a result of the breach, costing US taxpayers nearly $30,000.  The kid was recently found guilty of Computer Misuse by the British courts, a crime which carries a maximum penalty of 5 years jail time. The punishment in this case?  Jail time?  Nope.  Fines?  Huh uh.  Surely he had to pay some restitution?  Zilch.  Did they take away his computer...

Gaping Hole in Sophos Email Virus Scanner

If you run Sophos as your virus protection, run, don't walk, to their site and get your software patched. There are 2 major holes in the product that will cause either a virus to slip past the scanner undetected, or cause the virus protection engine to keel over under an infinite loop condition.

Microsoft Exchange Team Has a Blog

Paul at E2K Security notes that the Microsoft Exchange Team is now doing a blog with a terribly clever name: “You Had Me at EHLO”. Only a few posts up so far, but it really looks great.  Let's hope they continue shining some light on the dark places within Exchange.

This just in: Beer as good as water for daily liquid intake

Bless those Canucks, they went and proved that beer is just as good as water when considering the daily intake of liquids. “The belief that beer or coffee draw fluid from the body is mostly a myth, according to University of Alberta physiology Prof. Susan Jacobs-Kaufman.” She goes on to say that the ideal intake of liquids for an average male is about 3.7 liters, and 2.7 liters for women. I think I have the final justification I need to get that Kegerator I've been wanting.  3.7 liters is a lot of bottles of beer!

IE Cumulative Patch

I forgot to mention: Microsoft also has recently released a cumulative patch for Internet Explorer, fixing a number of issues. Most interesting, at least for my readers, is the fix of a certain flaw that made phishing a bit easier.  Now, when clicking on the malicious Citibank link in my previous article, IE delivers a “Syntax Error” and does not take you to either the spoofed site or the real one. I guess that's ok.  But hovering over the link still shows the wrong information.  That needs to get fixed too, I think. I'm still not using Internet Explorer, by the way.  MyIE is...

Software Bug Contributed to Power Outage

You have all been blessed with my fantastic theories about the real reasons the power went out in the Northeast last August, so I won't repeat them again. I have always found it curious though, how the primary alarm system and its backup both failed within 14 minutes of each other at the most critical time.  This was one of the primary factors of the blackout, as operators were not alerted to a catastrophic overload condition brewing until the failed alarm systems were discovered offline nearly an hour later.  Well, it turns out there was a bug in the software that runs those alarm systems.  (That...

Interesting Discussion on CyberGate

SecurityFocus posted an interesting article about the increasingly complicated incident of Republicans stumbling over a host of unsecured Democrat memos that discussed the methods the Dems planned to use to thwart Republican judicial appointments.  The incident is being called “CyberGate”. The interesting thing though, is that there is some argument over whether or not the Republican intruders actually broke the law.  Technically, they were authorized to go where the documents were being stored, because their network access privileges allowed it.  Of course, nobody is saying what they did with the access to those documents was right (but let's also not forget that...

Anil John is Blogging Again

I completely stumbled across Anil's new site by accident and couldn't be happier.  His topics are always really interesting. Back to the Blogroll with you Anil!

Patch Day Cometh

Patch day came and went, and Santa delivered us some very critical patches this time around. First, a disastrous buffer overflow in a key security algorithm was discovered about 6 months ago by eEye, who graciously kept it to themselves while a patch was developed.  Microsoft has finally worked out a fix and has published it.  There are no words to adequately communicate how critical this patch is.  If you haven't run Windows Update since before Tuesday, stop reading this and go do it now. Also, 2 other patches were released, tagged Important: MS04-005 addresses an issue with the VirtualPC product on Macs. MS04-006...

Second Wind

I can't let go of this gay marriage issue.  It consumes me, and I'm not even gay.  Honestly, the impact of this issue, one way or the other, has no direct bearing on my life.  I have gay friends who plan on getting married, such as they can in Oregon, whether the government endorses their union or not. What bothers me is that this represents the forceful application of a religious belief onto the people by the government.  Which is basically what this boils down to.  A bunch of religious zealots aren't kosher (no pun intended) with same-sex marriages, and they are trying...

And I'm Spent

Thanks for obliging my long-overdue Politics Day here on bmonday(dot)com.  I really needed to get some things off my chest.  We'll be back to the regular programming tomorrow.  Some interesting things have happened today in the security world.

Bush AWOL in Reserves?

I think Baldilocks sums up the issue of Reservists taking extended leaves of absences quite well in her post on the matter.  Teaser quote:  “I know this, because I did it. Yes, little bald-headed black chicks can take a break from the Reserves if they want to, just like rich white guys. And I kept my money--and my virtue, such as it is--in my pocket when I did it.” I can't really add anything to that.  Wait.  Yes I can. It's great that the military has dredged up Bush's pay records to exonerate him.  I doubt I could prove where I was...

Digression: Star Wars Episodes 4-6 to be finally released on DVD

I know I promised an all-politics assault on the blog today, but I wanted to mention this briefly, because it's so very important (way more important than stinky politics). According to this article on DVDFile.com, George Lucas has finally agreed to release the original Star Wars Trilogy on DVD.  Amazingly, up until now the 3 original movies that practically launched the SciFi genre have only been available on archaic VHS.  I always thought it was ridiculous that I could get Plan 9 From Outer Space (a movie so egregiously bad it's gained a cult following) on DVD, but not Star Wars. The...

Today is politics day on bmonday(dot)com

I've decided to celebrate the stupidity that is politics today on the blog.  I just can't hold it in any longer.  If this scares you, you best come back tomorrow.  You've been warned. By the way, now is a good time to mention (again) that RSS feeds are available for each specific category of posts here at bmonday(dot)com.  So if you were interested only in my brilliant commentary on network security issues, you can subscribe to just that feed and skip all the rest.  The feeds are linked in the menu on the left if you visit the site with a...

No Shame

Just when you think mainstream media has nowhere to go but up: Nice deceptive headline, CNN.  How do you people sleep at night? (Thanks Glenn at InstaPundit for snapping this screenshot before CNN changed the headline to the more accurate "Operative Sought al-Qaida's Help in Iraq.") By the way, in case you missed the real story:  A leader of a terrorist cell (who isn't even Iraqi, he's Jordanian!) wrote a letter to Al-Qaida asking for help inciting a civil war between religious factions in Iraq. From that, CNN gives you the headline “Iraqis Want Al-Qaida to Drive US Out”.

Bluetooth leaves Nokia phones wide open to attack

CNET's News.com is reporting on a flaw in Nokia's Bluetooth implementation that was made public today by security research firm AL Digital.  They claim that certain handsets from rival Sony-Ericsson are also vulnerable to this type of attack. The vulnerability allows an attacker to attach to a victim's device via Bluetooth, and access sensitive data, including address book and calendar information.  The attacker can not only read data (we've known about that one), but also write new information and delete entries.  There is also the possibility that the attacker can actually utilize the phone's connection to send SMS messages and browse the web...

Well, never mind

So after visiting every electronics dealer on the Eastside, and not finding any that carry the JVC line of receivers, I dropped by Definitive Audio to discuss my sick Rotel and see what was the current state of the art. Big mistake. Definitive Audio, for those who haven't been there, is a very dangerous place for a geek like myself.  Lots of big plasma screens, booming sound systems, and worst of all, lots of blue flashing lights.  These guys sell hardware that wouldn't be caught dead in a Circuit City.  If you want to spend $100k on a home theater, these guys...

Receiver go boom

Well, my Rotel RSX-965 gave up the ghost this weekend, and will no longer accept digital audio input from my DVD player.  Crap.  I was really hoping it was my $80 DVD player instead of my $1200 receiver, but no such luck. However, I was pleasantly surprised that the price of receivers has gone way down since I bought my Rotel about 5 years back.  I can now find $300 units with the same or better performance specs.  I have awesome B&W speakers, and I hope a mid-range receiver will do them justice, because unless another IPO comes along I can't justify another $1200 receiver.  Perhaps a true...

Port Knocking

The concept of “port knocking” has recently been discussed in places like Slashdot and LinuxSecurity.  I think it has merit, and should not be dismissed so readily. The basic concept is that a firewall keeps the ports for a particular service closed until it receives a sequence of connection attempts on a pre-defined set of unrelated (and closed) ports.  If the sequence is correct, the firewall dynamically opens up the designated service and allows the client to connect to it normally.  One advantage of this kind of security method is that attackers have no idea what services are running on the target system because the...

Alumni Babies

Just a quick note for those of you who haven't already heard. BSQUARE alums Steve and Liz Makofsky had their first child a couple days ago.  A healthy baby boy dubbed “Steve 2.0”.  OK, not really.  Tyler Jacob is the name of the new addition.  I never pegged Steve and Liz as closet Aerosmith fans, but the evidence is starting to pile up here... Also, Sam and Katrina Decker (some knew her as Carpenter) had their first child in January.  The baby girl is named Maia Sunshine Decker.  Maia came in just shy of 7 pounds, which is amazing seeing as how Katrina...

Decompression Bombs

There is a fascinating article on Aerasec's web site about a fairly unexplored attack vector dubbed “decompression bombs”.  It's not all that new; decompression bombs were seen in the early 90s during DoS attacks on FidoNet sites. The basic concept is that malformed (not really malformed, but just really really big) files are compressed (using gzip or whatever), and then sent to the target system.  When the target system attempts to unzip the files, the application will often crash, and in some cases, render the entire system unusable. Where this really has a high impact is corporate virus gateways that scan files for viruses. ...

Super Bowl Random Ravings

Wow, that was one exciting Super Bowl, eh?  I was on the edge of my seat there at the end.  Vinatieri had missed one field goal, and had another blocked earlier in the game.  You knew he would have to keep it low in order to make the distance, so the chance of another block was high indeed.  I think the play of the game was the previous kickoff that went out of bounds after the Panthers scored that last touchdown.  That gave the Pats another 20 yards they didn't have to earn in that last minute. Everything outside of the...

A word about MyDoom virus

I can't tell you how discouraged I am that MyDoom is having the effect it is on the Internet.  This is not a virus that exploited a vulnerability in some technology.  This is a virus that exploited the seemingly uncontrollable urge that humans have to open anything received via email.  The virus author relied upon the email recipient's gullibility, folks.  No, this is not the first virus to do so.  And until we prove to virus authors that we're not all brain dead, it certainly won't be the last. Think about what had to happen here in order to become infected by...