My personal computer has a lot of stuff on it, but nothing I’d be worried about someone else seeing, but my work laptop is a different beast all together. I have a lot of sensitive information about clients on it, including screen shots of their software configuration, firewall configurations, policies, not to mention all the contact information and correspondence with said clients. I doubt there’s anything I have that would shut down a business, but in the wrong hands the information I have could cause more than a few companies some late night sessions resetting passwords and changing configurations. That’s why the drive is encrypted and I have a passphrase that’s more than 30 characters long.

So what happens if I’m stopped at the border and asked to type in my password? If it’s my personal computer, I’ll probably say go for it and give type in the password. But if it’s my work computer, where do I draw the line? I’ll be coming back later in the week, I’ll be tired and want to get back to my family. Do I say no, call my corporate council and prepare to be detained for however long it takes things to get worked out? Do I bend my own morals and let them have what they want? Or is there another alternative?

Seriously, I have absolutely no expectation of something like this happening. On the other hand, it won’t hurt to have the company lawyer’s card handy as well as contact information for the Electronic Freedom Frontier. You never know what’ll happen if I’m sleep deprived enough to get really beligerant on my way home. Can I tell the border agent I’ve met their supreme leader, Secretary Chertoff?

Sunday morning Reading:

• FBI: Criminals auto-dialing with hacked VoIP Systems: This doesn’t sound like a huge problem if folks are properly protecting their Asterisk installations, but how many un-protected installations are there out there?
• OpenWRT on an Asus WL-500g Premieum: I had to give up on this for now due to time and energy constraints, but I’m going to circle around with the WRT54G I freed up in the process.
• Cloud computing and PCI compliance: I’m not sure if I want to listen to this podcast to learn from Michael Dahn or so I can argue with him next time we talk. Nor am I sure there’s much of a difference between the two.
• Gmail Backup: Nearly 2 gigs of email is going to take me a long time to download at 10 KB/s. But I haven’t backed up my email in … well, ever.
• Online shops stave off cybercrooks: We’re more secure thanks to PCI, a Gartner analyst says so. And we know exactly what the opinions of Gartner analysts are worth, don’t we?
• Google’s Chrome team mulls local file restrictions: I still haven’t played with Chrome much but it appears they’re taking some serious steps to secure our surfing experience

On a more personal note, Chris Hoff is trying to get me to invest some time and money in checking out the P90X system. This is not a chip with a floating point error from a couple of decades ago, it’s a exercise and diet system that’s pretty hot at the moment. There are almost a dozen other security professionals that are using this system and I’m giving serious consideration to joining that number. I need something like this that can be done with weights while I’m at home and using exercise bands while I’m on the road. Add ripping the DVD’s to my iPod or Macbook and there’s a lot to recommend it. I’m trying to maintain through the holiday season the lose 20 lbs between January 1st and April 20th, the first day of the RSA Conference. I want to look good for all the photo ops and whatever Chris has cooked up. Something to do with sumo suits, and I’ve been told there’s a special ’surprise’ for me.

I apologize to everyone who’s getting multiple copies of certain posts, I have no idea how to stop it. I’m sticking with Feedburner for a little while longer in the hopes they can get their stuff together, but I draw the line at the point where they start driving people away from the blog.

Update: I have ‘unpublished’ the WRT54G post, it was causing too many people problems due to the continuous republishing in the RSS feeds. I will try reposting it this weekend and see if the problem returns.

We have a number of rules concerning this event and Jennifer Leggio lays them out pretty clearly on the RSA Conference blog for the event. Blogging types only, no marketing, no one gets the list and the details of when and where are confidential. If you want to get on the list or know what it takes to get on the list, contact Jennifer and ask. Don’t contact me or any of the other people involved, Jennifer is the official mistress of the list and the only one who really knows who’s on it.

I originally thought we were starting too early in the planning of this event, but it became obvious quickly that there’s no such thing as ‘too early’ when you’re talking about an event as big as the RSA Conference. The great thing is that this has given us a chance to put in place many of the things we wish we could have done last year and were only a vague dream the year before. We have big plans for this year’s event and it promises to make the first two look like they were put on by amateurs. Which they were, but that’s beside the point.

Subscribe to the RSA Security Blogger Meetup RSS feed or follow it in Twitter, @RSABloggers2009. There’s almost nothing that would keep me from the event next year and I know a lot of other people who feel the same way.

Network Security Podcast, Episode 130, December 2, 2008

Show Notes:

• PCI Compliance Services FAQ
• The End of Online Anonymity - It’s not the end, it’s a change in how we look at it.
• EFF to fight against telecom immunity in Tuesday hearing - I hope everything went well for Jennifer Granick and friends
• Cybercrime servers selling billions of dollars worth of stolen information, illicit services
• Canadian IT exec accused of stealing customer database
• There is always a back story … - Richard dig’s into the Canadian IT story

The Maxtor drive is very nice, sleek and small. It comes with a fairly short USB cable, pretty standard for these drives, and has a bright blue LED on the front to indicate activity. And when I say bright, I mean it; the drive light’s up my office late at night and I really wish it had a way to dim or turn off the light, but that’s a minor quible. When I plugged in the drive and started the software installation, it asked for the Security ID code from the back of the drive and a password, then acted just like any other drive on my computer. Except none of my other drives are encrypted using AES-128 and require their own password before they’ll allow access.

I’ve been running an older Maxtor Shared Storage drive on my network for several years now and love it. It sits on the shelf and every night my files and my wife’s files get backed up over the network and I feel a bit more secure. About every 3-4 months I take the whole backup and copy it to a second external drive hooked to the MSS drive via UPS, and once a year I copy those backups to a second external drive. I’ve had drives fail on me before and I’m not willing to take a chance that my data would be lost in case of a drive failure. Yes, I’m paranoid, but I’m a security professional and I’m supposed to be paranoid. The MSS runs a small program called Maxtor Quick Start that ran at startup and backed up everything, or at least it did until I installed the latest version of Maxtor’s software, Maxtor Manager.

I like the new Maxtor Manager, it works seamlessly, it backs up everything I want it to at Midnight every day, and my test restores have worked well so far. The one issue I have with it is that it disabled Maxtor Quick Start from starting automatically upon bootup and doesn’t recognize my Maxtor Shared Storage Drive. I can still start Quick Start manually and do backups to the networked drive by hand, but it doesn’t give me quite the same feeling of security I had before. It is slightly redundant, I admit, since the BlackArmor drive is backing up the same drives nightly, but I’ve already stated that I’m a paranoid who only feels safe when I’ve got multiple copies of my data on backup.

Other than the minor issues around my network and the bright blue LED, I love the Maxtor Black Armor drive. I’m seriously considering purchasing one for a family member who’s in need of an external drive, especially since they aren’t any more expensive than your average external drive ($108 on Amazon for a 320Gb version). The added security of having the encryption on the drive might not matter to many home users, but for folks like me who regularly work on sensitive documents, it’s a huge blessing and let’s me sleep a little better at night. My issues with the software won’t affect most users and the backup software is easy enough to use that my luddite of a brother could install it and run it without any help from me. Which is good, since I don’t do tech support, even for family.

1. Only use one credit card for your online shopping
2. Only use your credit card at major retailers online, otherwise use Paypal or a temporary credit card
3. Don’t click on any link you receive in an email. Ever!
4. Update your browser. And your OS while you’re at it.
5. Use NoScript.
6. Keep your AV, firewall and other security tools up to date.

Even that might not be enough, but it’ll give you a decent chance of staying safe. I think we forgot step 0: Use your common sense. If it feels fishy, there’s a good chance it is.

In last night’s podcast, Rich and I mentioned a Cross Site Request Forgery(XSRF or CSRF) reported against Google by the Geek Condition blog (down as of this writing, presumably due to traffic from Google). Neither Rich nor I were very concerned about the issue, since it was stated to be an issue that had been closed. The important part to us was the fact that it shows a weakness in the common practice of sending password reset information to a ‘trusted’ email account. But as this Proof of Concept pointed out, if you can somehow create a filter on someone’s email account, you can create a filter that forwards select emails and removes them from the users in box. Once that filter is in place, it’s childs play to reset a password account and steal a domain or any other account with a similar reset method.

Right after the podcast I ran across a Google Security post stating that the CSRF bug had been fixed long ago and that the domain theft had nothing to do with the vulnerability. I’m willing to give the Google Security team the benefit of the doubt and believe them, however I’m left with a nagging question as to whether they can really make such a statement with certainty. The referenced CSRF did in fact exist, though it was patched very quickly, and I know from clicking on a PoC for the vulnerability that it works (I won’t be doing that again). I don’t see any reason to think that someone couldn’t have gotten any number of domain owners to fall for a link exploiting the CSRF and then waiting 2-3 months to make use of the compromised Gmail accounts.

The fact is, I don’t see enough evidence for or against the exploitation of this vulnerability to prove either side of the story. No amount of fact checking in the blogosphere is going to prove the point, there’s simply not enough known, it’s almost all speculation. The Google Security team has to deny the report, it’s part of what they do. But they have done a good thing in strongly suggesting everyone force their Gmail account only use SSL when logging in. It’s not a perfect solution, but it is a step up from what most people are currently doing.

Have a great Thanksgiving!

Network Security Podcast, Episode 129, November 25 2008

Show notes: