<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://msmvps.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Deb Shinder's MVP Blog</title><link>http://msmvps.com/blogs/debshinder/default.aspx</link><description>Department of Home LAN Security</description><dc:language>en</dc:language><generator>CommunityServer 2008 SP1 (Build: 30619.63)</generator><item><title>New Perspective on Airline Security</title><link>http://msmvps.com/blogs/debshinder/archive/2004/08/09/11534.aspx</link><pubDate>Tue, 10 Aug 2004 04:34:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:11534</guid><dc:creator>debshinder</dc:creator><slash:comments>5</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/debshinder/rsscomments.aspx?PostID=11534</wfw:commentRss><comments>http://msmvps.com/blogs/debshinder/archive/2004/08/09/11534.aspx#comments</comments><description>&lt;P&gt;In these post-September 11 days, when we think of airline security, we tend to think about screening passengers for weapons and using technologies such as CAPPS (the Computer Assisted Passenger Pre-screening System) to determine a threat assessment for each passenger. However, on a recent flight to Chicago, as I watched the people around me break out their laptops and plug into their MP3 and DVD players as soon as we reached cruising altitude, it occurred to me that there are many types of security with which the airlines (and those of us who fly on them) should be concerned.&lt;/P&gt;
&lt;P&gt;I considered the fact that in the case under my seat, I had a Tablet PC, an iPAQ 4155 and a mobile phone. All duly turned off and stowed away during takeoff and landing, per the flight attendant's instructions. But then, I tend to be pretty compliant regarding laws and regulations. What about all those other electronic devices on the plane? &lt;/P&gt;
&lt;P&gt;We're told that the reason we can't use our gadgets and toys until we reach cruising altitude is because they might interfere with the airplane's navigation controls. Now there's a scary thought, if you take a moment to actually think about it. If my laptop can interfere with flight controls during takeoff and landing, isn't there a possibility that it could do the same during level flight? I was told by an Australian acquaintance recently that their airlines prohibit use of computers at any time during a flight. If it's not safe for them to turn on the laptop after the seatbelt light goes off, why is it safe for us?&lt;/P&gt;
&lt;P&gt;And do you &lt;EM&gt;really &lt;/EM&gt;believe that &lt;EM&gt;everybody &lt;/EM&gt;on the plane remembers to turn off their cell phones and the wireless transmitters on their handhelds (if they even know how) every time during takeoff and landing?&amp;nbsp;Is the fourteen year old listening to the radio through her earphones and not paying any attention to the flight attendant going to cause my plane to crash on approach to the runway?&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Makes you wonder if those devices really pose the threat we're told they do. If so, should they even be allowed in the cabin at all? &lt;/P&gt;
&lt;P&gt;But things may get even more complicated soon. Some airlines have already begun offering high speed Internet access during flight. Lufthansa was one of the first, at $19.99 to $29.99 per flight, or $9.99 for half an hour. The service will undoubtedly become more common over the next few years (unless, of course, 'Net-connected airplanes start falling out of the sky for no reason). I'm just as excited as the next guy about the prospect of surfing the Web or VPNing back to the home network from 30,000 feet, but I can't help but wonder what new challenges and problems this will bring. Now, in addition to worrying about our seat-mates reading our computer screens from the side, will we need to worry about being hacked by the guy over in 17A?&lt;/P&gt;
&lt;P&gt;Technology is advancing quickly - perhaps more quickly than we can keep up with it. It certainly gives you something to think about as you stare out the window at the tops of the clouds.&lt;/P&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=11534" width="1" height="1"&gt;</description></item><item><title>Security and the Pocket PC</title><link>http://msmvps.com/blogs/debshinder/archive/2004/07/15/10191.aspx</link><pubDate>Thu, 15 Jul 2004 19:38:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:10191</guid><dc:creator>debshinder</dc:creator><slash:comments>4</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/debshinder/rsscomments.aspx?PostID=10191</wfw:commentRss><comments>http://msmvps.com/blogs/debshinder/archive/2004/07/15/10191.aspx#comments</comments><description>&lt;P&gt;I love my Pocket PC. That wasn't always the case. I've always WANTED to love them, always loved the concept of the handheld computer, but for the longest time I just couldn't. I bought a couple, always with high hopes -- but found myself abandoning them after a month or so. I liked the functionality: calendar, contacts, copies of my e-mail, ability to read and work on Word or Excel documents. But the old PPCs reminded me of the problem that police officers&amp;nbsp;had with the sophisticated PR-24 sidehandle baton back when I was a cop. It was a great gadget, but it never seemed to be with me when I really needed it.&lt;/P&gt;
&lt;P&gt;That's because, like the sidehandle baton, my old Casio PPC was portable but not portable ENOUGH to be comfortable. It measured 5 x 3 1/4 by 3/4 inches. Tiny for a functional computer, but too big and weighty to really, comfortably carry in a pocket. The other problem was lack of connectivity. It was neat that I could go to a Web site with Pocket IE -- but I had to have the PPC in its cradle to do so. That meant it was sitting right next to my desktop computer. So I might as well use my desktop's Web browser rather than try to surf on the tiny screen. Sure, I could buy an add-on card to give me wi-fi capabilities, but that would add even more to the size and weight of the device. If I wasn't sure I was going to need a computer, I mostly didn't bother to take it with me. And if I WAS sure I was going to need a computer, it was almost as easy to take the laptop and get much more functionality. I admired the little computer, but I wasn't in love.&lt;/P&gt;
&lt;P&gt;Then I found the iPAQ 4155 and here I am, head over heels. It's truly tiny -- I can put it in a pocket or on my belt and barely notice it's there. And it has built-in 802.11b wireless that works like a dream and still keeps the SD card slot open for an additional 512MB of memory. I don't leave home without it.&lt;/P&gt;
&lt;P&gt;But wireless connectivity -- along with the fact that I take it with me more -- means I have to think about something that was less of a concern with the old Casio: security. That includes physical security (all portable devices are vulnerable to loss or theft), data security and network security. Luckily, there are a number of good software packages that can add multiple layers of security to the PPC. I discuss some of the methods for securing a Pocket PC in my article at &lt;A href="http://www.windowsecurity.com/articles/Securing-Pocket-PC.html"&gt;http://www.windowsecurity.com/articles/Securing-Pocket-PC.html&lt;/A&gt;. Don't leave home without them.&lt;/P&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=10191" width="1" height="1"&gt;</description></item><item><title>Blaming the Victims of Security Breaches</title><link>http://msmvps.com/blogs/debshinder/archive/2004/06/23/8835.aspx</link><pubDate>Thu, 24 Jun 2004 04:45:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:8835</guid><dc:creator>debshinder</dc:creator><slash:comments>5</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/debshinder/rsscomments.aspx?PostID=8835</wfw:commentRss><comments>http://msmvps.com/blogs/debshinder/archive/2004/06/23/8835.aspx#comments</comments><description>&lt;P&gt;The &amp;#8220;blame the victim&amp;#8221; mentality is prevalent in many facets of society today. Cities pass ordinances that make it an offense to leave things of value in view inside your vehicle, lest some just-in-time thief be tempted and break in to take it. Victims of motor vehicle burglaries are astonished, when they report the crime, to find themselves receiving a ticket.&lt;/P&gt;
&lt;P&gt;Blaming the victim is an attitude that's seeping into the computer security arena, as well, in several different forms. I recently read an article by a fellow security expert stating that &amp;#8220;if you leave something unlocked, you &lt;EM&gt;invite &lt;/EM&gt;crime.&amp;#8221; [my emphasis]. That sounds a little like the old (and thankfully, pretty much abandoned) idea that a rape victim whose dress was a little short was &amp;#8220;asking for it.&amp;#8221; I've heard and read similar statements on numerous occasions, with some going so far as to say that computer users who don't have all the OS patches, AV updates and properly configured firewalls installed &amp;#8220;deserve what they get.&amp;#8221; Ouch!&lt;/P&gt;
&lt;P&gt;Sure, we all need to take responsibility for protecting ourselves and doing our parts to protect our networks and The Network. But let's get real about who bears the BLAME for DoS and other attacks, viruses and worms, etc. -- that's the person(s) who launched them.&lt;/P&gt;
&lt;P&gt;Another popular variant on the &amp;#8220;blame anybody except the person who did it&amp;#8221; theme is to bash the software vendor for not creating a perfectly secure OS or application. Well, guess what? There's no such animal, and never will be. &lt;/P&gt;
&lt;P&gt;Back in my &amp;#8220;previous life,&amp;#8221; when I was teaching defense tactics to embryonic cops at the police academy, one important block of instruction was weapon retention. A disturbingly high number of police officers are killed each year with their own guns, and it's essential to know how to defend against an attempt to take yours away from you. However, there were always a couple of kids in each class who knew it all, and discounted weapon retention training because &lt;EM&gt;they &lt;/EM&gt;were going to use so-called &amp;#8220;security holsters.&amp;#8221; These are holsters designed to make it more difficult to get the gun out, to help thwart just such an incident. The problem was that, when many of these folks got to the range for firearms training, they couldn't draw and fire their weapons in an acceptable amount of time. Oops! &lt;/P&gt;
&lt;P&gt;Does that mean security holsters are useless? No - but it does illustrate an important point that carries over to my current incarnation as a network security author, trainer and consultant: security and accessibility are &lt;EM&gt;always &lt;/EM&gt;on opposite ends of a continuum, and the more you have of one, the less you have of the other. A good security holster can provide an extra measure of protection - &lt;EM&gt;if &lt;/EM&gt;you practice faithfully to burn the moves required to draw your weapon into muscle memory (standard theory is that it takes about 3000 initial reps to do that, plus ongoing, regular practice to maintain it). However, there &lt;EM&gt;is no &lt;/EM&gt;100% secure holster (just as there is no 100% secure piece of software) and if there were, you (authorized users) wouldn't be able to get to your weapon (data) yourself.&lt;/P&gt;
&lt;P&gt;I believe we can educate users on how to make themselves safer from hackers, crackers and network attackers &lt;EM&gt;without &lt;/EM&gt;painting them as being somehow complicit in the crime if they do get victimized.&amp;nbsp;And I think we can encourage software vendors to do all they can to make their code secure without making them out to be bigger villains than the real bad guys. &lt;/P&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=8835" width="1" height="1"&gt;</description></item><item><title>Computer Security for Kids</title><link>http://msmvps.com/blogs/debshinder/archive/2004/06/11/8003.aspx</link><pubDate>Fri, 11 Jun 2004 20:03:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:8003</guid><dc:creator>debshinder</dc:creator><slash:comments>4</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/debshinder/rsscomments.aspx?PostID=8003</wfw:commentRss><comments>http://msmvps.com/blogs/debshinder/archive/2004/06/11/8003.aspx#comments</comments><description>&lt;p&gt;There seems to be an assumption, at least on the parts of less tech-savvy parents, that all kids are computer whizzes. After all, the parents often have to call on their teenagers or pre-teens to figure out how to operate their own computers. In many cases, it's true that today's youngsters, who literally grew up with computers, are able to pick up on technology faster. But that leads to another assumption: that because the kids know how to use the computers, they also know something about protecting themselves and their systems. And that is not necessarily true.&lt;/p&gt;
&lt;p&gt;I think there is a security gap here; schools are teaching computer literacy but they aren't necessarily teaching computer security to the extent and as early as they need to. That leaves a lot of kids out there on the 'Net without the knowledge they need, exposing a lot of systems to viruses, attacks, and more. It's sort of like teaching the kids how to operate a car in driver's ed, but not teaching them anything about driver safety.&lt;/p&gt;
&lt;p&gt;We computer book authors, trainers and speakers haven't been paying a lot of attention to the younger set, either. Many of our tech books are a little on the dry side, even for adults. Given the attention spans of members of the MTV generation, many of them aren't going to be interested unless we specifically target them. Recently I got a look at a book that does just that.&lt;/p&gt;
&lt;p&gt;“Always Use Protection: A Teen's Guide to Safe Computing” by Dan Appleman (published by Apress) impressed me as much by the author's writing style as anything else. All the information in the book is available elsewhere, but his presentation is such that I think kids just might read it. I don't know how old the author is, but it's obvious that he is actually involved with teenagers and knows their language and what they're doing on their computers. He neither talks down to them nor over their heads.&lt;/p&gt;
&lt;p&gt;He covers many of the most common scams, explains concepts such as computer forensics and identity theft without getting bogged down in technical jargon or legalese, and describes both the dangers (malicious code, viruses, email scams and attacks) and preventative technologies (firewalls, anti-virus, security updates, good password practices) in a straightforward manner. The book is divided into logical sections: Protecting Your Machine, Protecting Your Privacy, and Protecting Yourself. It's actually a good introduction to computer security at a very high level for new computer users of any age.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=8003" width="1" height="1"&gt;</description></item><item><title>Stormy Weather and The Cost of Security</title><link>http://msmvps.com/blogs/debshinder/archive/2004/06/04/7563.aspx</link><pubDate>Fri, 04 Jun 2004 09:50:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:7563</guid><dc:creator>debshinder</dc:creator><slash:comments>2</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/debshinder/rsscomments.aspx?PostID=7563</wfw:commentRss><comments>http://msmvps.com/blogs/debshinder/archive/2004/06/04/7563.aspx#comments</comments><description>&lt;p&gt;It's been a crazy couple of weeks, first last week with Tom off to TechEd (representing us both this time -- to all those I missed out on seeing, my regrets and hopes that next year I'll get a chance to be there too) and me holding down the fort here. Then this week we've been battling Mother Nature, with the Dallas-Ft. Worth area being pounded by storms almost every night. We spent one evening cooped up in our “safe room,” a small bathroom in the middle of the house downstairs, with tornado sirens going off around us and two very confused cats wondering what was going on. 
The next night, high winds had a live power line on our street dancing and sparking, and we lost our electricity. We were lucky, though -- there were over 200,000 people in the area who were without power for days instead of hours.&lt;/p&gt;
&lt;p&gt;All of this started me thinking about how most of us, even we “security experts,” tend to take chances in at least some areas of our lives. I have my service packs installed on my computer, anti-virus running, an ISA server on the perimeter of the network -- but we haven't ever gotten around to having that underground tornado shelter put in or installing that generator. Why not? Well, we've had some close calls (like Tuesday night) but we've never been devastated by a twister. It's not so much the cost in money as the cost in time that's the problem -- we have work to do, and storm shelters and generators aren't our field of expertise.&lt;/p&gt;
&lt;p&gt;The experience made me stop and think with a bit more sympathy toward all those net admins and individual computer users out there who just haven't gotten around to taking the steps that they need to take to protect their networks or systems. After all, they have jobs to do too, without adding security to the mix.&lt;/p&gt;
&lt;p&gt;And that's why we need to work to build security into the operating systems and applications -- even if it causes some access problems, even if some people get upset about the inconvenience those built-in security measures can cause. If our house had come with a tornado shelter, we certainly would have used it this week. If a generator had been included when we bought the house, we might have grumbled about the inconvenience of buying fuel for it and having to learn how to use it, but we certainly would have appreciated it yesterday when our air conditioning, refrigerator, even [shudder] our computers were all rendered temporarily useless by the power outage.&lt;/p&gt;
&lt;p&gt;Security comes with a price tag that's measured in more than dollars, and it just doesn't seem like a very high priority when you have “more important” things to do -- until you need it, that is. In that moment, the cost seems pretty minimal.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=7563" width="1" height="1"&gt;</description></item><item><title>Securing the Vote</title><link>http://msmvps.com/blogs/debshinder/archive/2004/05/13/6365.aspx</link><pubDate>Thu, 13 May 2004 16:55:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:6365</guid><dc:creator>debshinder</dc:creator><slash:comments>4</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/debshinder/rsscomments.aspx?PostID=6365</wfw:commentRss><comments>http://msmvps.com/blogs/debshinder/archive/2004/05/13/6365.aspx#comments</comments><description>&lt;p&gt;The push has been on in the U.S. since the 2000 elections to replace old paper and punchcard ballots with electronic voting systems, but as the 2004 elections draw closer, serious questions are being raised about the security of the new systems, many of which include no paper trail and no way for voters to verify that their votes were recorded correctly.&lt;/p&gt;
&lt;p&gt;It's interesting that, in many cases, it's those who make their livings working with computers who are most worried about the idea of voting by computer. On the other hand, maybe that's not strange at all. We've seen, time after time, just how easily electronic systems of all types can be compromised and how easily things can go wrong and results can be skewed even when there is no intentional breach of security.&lt;/p&gt;
&lt;p&gt;&lt;a href="http://www.computerworld.com/governmenttopics/government/story/0,10801,92995,00.html"&gt;http://www.computerworld.com/governmenttopics/government/story/0,10801,92995,00.html&lt;/a&gt;&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=6365" width="1" height="1"&gt;</description></item><item><title>Somebody Missing in the Builders and Titans Report?</title><link>http://msmvps.com/blogs/debshinder/archive/2004/05/12/6319.aspx</link><pubDate>Wed, 12 May 2004 18:36:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:6319</guid><dc:creator>debshinder</dc:creator><slash:comments>1</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/debshinder/rsscomments.aspx?PostID=6319</wfw:commentRss><comments>http://msmvps.com/blogs/debshinder/archive/2004/05/12/6319.aspx#comments</comments><description>&lt;p&gt;Today on CNN.com, I clicked the link to read Time Magazine's “Builders and Titans” report, which purports to be a list of those business people who have created successful businesses and/or championed established ones and have had a significant influence on shaping society.&lt;/p&gt;
&lt;p&gt;In going down the list of 20, I saw a number of names that are familiar to those in our field: Michael Dell, Steve Jobs, Carly Fiorina. What I didn't see was any mention of Bill Gates. Oh, well, I guess the World's Largest Software Company doesn't qualify as “successful,” having only made him a multi-billionaire. &lt;/p&gt;
&lt;p&gt;Sure, we know how popular it is to hate B.G. and bash Microsoft, but regardless of whether or not you like him and/or the company, how can you deny that it's a successful business or that its software has not had a significant influence on society? After all, Time is the magazine that once named Adolf Hitler as Man of the Year. Personal popularity is obviously not (supposed to be) an issue.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=6319" width="1" height="1"&gt;</description></item><item><title>Biometrics Conference</title><link>http://msmvps.com/blogs/debshinder/archive/2004/05/12/6317.aspx</link><pubDate>Wed, 12 May 2004 18:25:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:6317</guid><dc:creator>debshinder</dc:creator><slash:comments>5</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/debshinder/rsscomments.aspx?PostID=6317</wfw:commentRss><comments>http://msmvps.com/blogs/debshinder/archive/2004/05/12/6317.aspx#comments</comments><description>&lt;p&gt;Biometric security has been a source of contention on many levels. On the surface, it sounds like the perfect solution to the problem of identity theft. After all, there are a number of physiological traits that are more or less unique to individual human beings. And those prone to forgetting passwords or leaving their smart cards at home aren't apt to leave the house without their fingerprints or forget their retinal patterns.&lt;/p&gt;
&lt;p&gt;However (there's always a “however”), nothing is perfect and biometrics is no exception. Privacy advocates object to the somewhat invasive nature of some biometric scanning technology and, even more troubling, some security experts warn that biometric identification is not nearly as fool-proof as it's hyped to be (especially by the makers of biometric security devices). &lt;/p&gt;
&lt;p&gt;It has been demonstrated (most popularly by Japanese engineering professor Matsumoto a couple of years ago at the University of Yokohama) that most fingerprint scanners can be fooled by fake fingers made of gelatin. Facial recognition software has a high rate of false negatives and false positives. Iris scanners' results can be skewed by tears or even long eyelashes.&lt;/p&gt;
&lt;p&gt;Nonetheless, the push for biometric identification moves forward. In many states in the U.S., fingerprints are required for driver's licensing, and the U.K. is developing new standards for passports and other identification documents that will include biometrics. The question no longer seems to be whether biometrics will be used for confirming our identities, but how biometric technology can be made more accurate. &lt;/p&gt;
&lt;p&gt;If you're interested in the field of biometrics and what's being done to perfect this imperfect technology, you might want to attend the Biometric Consortium's September conference in Arlington, VA. It's open to the public, and likely to include some eye-opening information about the future of biometrics. See &lt;a href="http://www.biometrics.org/bc2004/index.htm"&gt;http://www.biometrics.org/bc2004/index.htm&lt;/a&gt; for more info.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=6317" width="1" height="1"&gt;</description></item><item><title>802.11i: Its time is coming</title><link>http://msmvps.com/blogs/debshinder/archive/2004/05/08/6083.aspx</link><pubDate>Sat, 08 May 2004 16:36:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:6083</guid><dc:creator>debshinder</dc:creator><slash:comments>4</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/debshinder/rsscomments.aspx?PostID=6083</wfw:commentRss><comments>http://msmvps.com/blogs/debshinder/archive/2004/05/08/6083.aspx#comments</comments><description>&lt;p&gt;It looks as if this summer the IEEE will finally approve the standards for 802.11i. That's the wireless security standard that is based on RSN, which uses AES (the protocol formerly known as Rijndael) and a 128-bit encryption key to provide better security. WPA, another new wireless security standard adopted by the Wi-Fi Alliance, can be implemented by upgrading the client software for many current wireless devices. Deploying RSN is a bit more complicated, since it will require hardware devices with significantly more processing power.&lt;/p&gt;
&lt;p&gt;It's been a long time coming, but we look forward to the demise of WEP - with its well-documented security flaws - and new, more secure technologies to replace it. Wireless security has to be a number one priority as wireless networking becomes more and more popular, and thus, securing wireless transmissions becomes more and more of a problem.&lt;/p&gt;
&lt;p&gt;Next month, I'll have an article on Windowsecurity.com about 802.11i, how WPA2 and RSN work, and what it all means for existing wi-fi networks. &lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=6083" width="1" height="1"&gt;</description></item><item><title>ALF article</title><link>http://msmvps.com/blogs/debshinder/archive/2004/05/06/5985.aspx</link><pubDate>Thu, 06 May 2004 15:02:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:5985</guid><dc:creator>debshinder</dc:creator><slash:comments>6</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/debshinder/rsscomments.aspx?PostID=5985</wfw:commentRss><comments>http://msmvps.com/blogs/debshinder/archive/2004/05/06/5985.aspx#comments</comments><description>The article on Application Layer Filtering (ALF) that I wrote for Windowsecurity.com has just been reprinted by SecurityProNews over at &lt;a href="http://securitypronews.com/2004/0505.html"&gt;http://securitypronews.com/2004/0505.html&lt;/a&gt;. There is a lot of interest in ALF these days, and no wonder -- the ability to filter at the application layer not only helps prevent attacks that exploit application layer protocols, but is also a key element in filtering for spam at the firewall, which takes some of the load off your mail server or spam filtering server (of course, you have to be very careful about how you configure content filtering for spam at the firewall, to reduce the possibility of false positives. 
The most effective spam filtering methods use a multi-layered approach).&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=5985" width="1" height="1"&gt;</description></item><item><title>Securing Server 2003 Domain Controllers</title><link>http://msmvps.com/blogs/debshinder/archive/2004/05/05/5920.aspx</link><pubDate>Wed, 05 May 2004 18:26:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:5920</guid><dc:creator>debshinder</dc:creator><slash:comments>4</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/debshinder/rsscomments.aspx?PostID=5920</wfw:commentRss><comments>http://msmvps.com/blogs/debshinder/archive/2004/05/05/5920.aspx#comments</comments><description>&lt;p&gt;I have a new article up on the Windowsecurity.com Web site that contains some tips on how to make your Windows Server 2003 domain controllers more secure. As home networks become more and more sophisticated, I run into a lot of people who are “doing Windows domains” at home, often hosting their own Web sites and Exchange servers.&lt;/p&gt;
&lt;p&gt;DCs present some special security problems, because they contain information that is not only security sensitive (such as user account passwords) but also critical to the operation of your network. It's important to give special attention to protecting them from intrusion or attack. Luckily, Server 2003 comes out of the box with many built-in security features, expanding on the security initiative that Microsoft began in earnest with Windows 2000.&lt;/p&gt;
&lt;p&gt;The article addresses just a few of the important issues related to DC security, starting with (often overlooked) physical security measures. It also details how to move the Active Directory database and how to protect password information with the Syskey utility.&lt;/p&gt;
&lt;p&gt;To read the full article, see &lt;a href="http://www.windowsecurity.com/articles/Securing_Server_2003_Domain_Controllers.html"&gt;http://www.windowsecurity.com/articles/Securing_Server_2003_Domain_Controllers.html&lt;/a&gt;. &lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=5920" width="1" height="1"&gt;</description></item><item><title>Service Pack 2 Blues</title><link>http://msmvps.com/blogs/debshinder/archive/2004/05/05/5919.aspx</link><pubDate>Wed, 05 May 2004 18:04:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:5919</guid><dc:creator>debshinder</dc:creator><slash:comments>2</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/debshinder/rsscomments.aspx?PostID=5919</wfw:commentRss><comments>http://msmvps.com/blogs/debshinder/archive/2004/05/05/5919.aspx#comments</comments><description>&lt;p&gt;In the April 27 issue of WinXPNews, I wrote a short piece on some of the experiences that our readers have reported with the installation of the technical preview release of Service Pack 2 for Windows XP. As noted in the article, those ranged from “smooth sailing, no problems at all” to complete system crashes with an inability to restart even in Safe Mode. I detailed the problems my husband had with wireless network connectivity after installing SP2. I also emphasized that readers should remember that as with any pre-release version of software, the service pack should only be installed on test machines, and I went on to point out that many readers were delighted with one of the new features, the pop-up blocker added to Internet Explorer.&lt;/p&gt;
&lt;p&gt;The article brought a huge number of reader responses, most of them contributing their own “sometimes it's heaven and sometimes it's hell” stories about SP2. What surprised me, though, was that I received several messages accusing me of being part of the Microsoft-bashing media cabal because of the article. Actually, it was a bit of a refreshing change, since I'm more often accused of being a “shill” for MS (presumably because I don't sing the praises of Linux in the -- note this name, now -- WinXPNews). &lt;/p&gt;
&lt;p&gt;In truth, I'm neither. I get very tired of the &lt;em&gt;real &lt;/em&gt;Microsoft bashing that occurs on some of the IT and computer book mailing lists to which I belong. Some days it seems everywhere I turn, some open source advocate is slamming MSFT for having the audacity to make a profit for their shareholders instead of giving everything away for free (of course, if they did that, those same people would then slam them for “unfairly undercutting the competition” or some such). The constant refrain of “Microsoft products don't work, Microsoft products aren't secure, and Bill Gates is just too damn rich” seems ubiquitous at times. So I suppose I can understand a little oversensitivity. &lt;/p&gt;
&lt;p&gt;But really, people -- reporting on some problems that have been encountered with a pre-release piece of software is in no way meant to cast a bad light on the company that made it. The whole point of making betas and release candidates available to the public is to broaden the base of people to discover any &lt;em&gt;problems &lt;/em&gt;in the software, so those problems can be fixed in the final release version. It's part of the process of making software better. Microsoft is to be commended for taking this extra step and (contrary to the opinions of those who bash the company for missed release dates) for delaying finalization of their products so as many bugs as possible can be worked out.&lt;/p&gt;
</description></item><item><title>Secure Computing for the Younger Set</title><link>http://msmvps.com/blogs/debshinder/archive/2004/04/30/5724.aspx</link><pubDate>Fri, 30 Apr 2004 15:50:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:5724</guid><dc:creator>debshinder</dc:creator><slash:comments>5</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/debshinder/rsscomments.aspx?PostID=5724</wfw:commentRss><comments>http://msmvps.com/blogs/debshinder/archive/2004/04/30/5724.aspx#comments</comments><description>&lt;p&gt;Today's teenagers and preteens grew up with computers around them, and consequently many of them are far more skilled than their parents in making the machines do their bidding. The teen hacker is legend, and we often take it for granted that the kids are masters of the Internet. &lt;/p&gt;
&lt;p&gt;When it comes to security, though, youthful illusions of invulnerability, impatience and recklessness frequently take over. Just as many members of their parents' generation put themselves at risk in the 60s and 70s with their “if it feels good, do it” attitude, many of today's young people put their computers (and the LANs to which they're attached) at risk with their “if it looks good, download it” philosophy.&lt;/p&gt;
&lt;p&gt;Now someone has come along and written a book on computer security directed specifically at teens. My own children were teenagers not so long ago (my youngest turns 21 this summer), so I was glad to see that Dan Appleman and Apress Publishing were addressing this relatively neglected topic. The name of the book, &lt;em&gt;Always Use Protection: A Teen's Guide to Safe Computing, &lt;/em&gt;might make us fortysomethings cringe a little, but it's just the sort of double meaning that will get the attention of those in the target audience. I haven't had a chance to read the book yet, but the easy, conversational tone of the Introduction (online at &lt;a href="http://www.alwaysuseprotection.com/book/intro/Intro.htm"&gt;http://www.alwaysuseprotection.com/book/intro/Intro.htm&lt;/a&gt;) shows promise. I have a copy on the way, and hope to review it here soon.&lt;/p&gt;</description></item><item><title>Followup on Internet Taxes</title><link>http://msmvps.com/blogs/debshinder/archive/2004/04/30/5721.aspx</link><pubDate>Fri, 30 Apr 2004 15:24:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:5721</guid><dc:creator>debshinder</dc:creator><slash:comments>5</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/debshinder/rsscomments.aspx?PostID=5721</wfw:commentRss><comments>http://msmvps.com/blogs/debshinder/archive/2004/04/30/5721.aspx#comments</comments><description>&lt;p&gt;The Senate has spoken, voting by a huge majority for the McCain bill that only extends the Internet tax moratorium for 4 years, rather than permanently as proposed by Senators Allen and Wyden. Another difference between the two is that the McCain bill allows states that were already taxing Internet access to continue to do so, while Allen/Wyden's would have changed that.&lt;/p&gt;
&lt;p&gt;The bill passed by the House of Representatives last September imposed a permanent ban on such taxes and ended the grandfather clause. Now we'll see what happens as the two branches of Congress attempt to come to a compromise.&lt;/p&gt;</description></item><item><title>Taxing the Internet</title><link>http://msmvps.com/blogs/debshinder/archive/2004/04/26/5524.aspx</link><pubDate>Mon, 26 Apr 2004 20:40:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:5524</guid><dc:creator>debshinder</dc:creator><slash:comments>8</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/debshinder/rsscomments.aspx?PostID=5524</wfw:commentRss><comments>http://msmvps.com/blogs/debshinder/archive/2004/04/26/5524.aspx#comments</comments><description>&lt;p&gt;The U.S. tax moratorium on Internet access services that expired last November is back in the news again, as Congress prepares to vote this week on whether and how to reinstate the moratorium. What does that mean to the average Internet user? The original moratorium prohibited states and localities from taxing ISP fees - well, at least some states were prohibited.&lt;/p&gt;
&lt;p&gt;What? You say you've been paying taxes on your ISP bills all along? Maybe you live in a state that was “grandfathered in.” Those states that were already taxing Internet access before the moratorium was passed were exempt from the law; the exempt states include Texas, Colorado, South Dakota, Ohio, Washington and Wisconsin.&lt;/p&gt;
&lt;p&gt;The purpose of that original Internet Tax Freedom Act, which was enacted in 1998, was to encourage the growth of the Internet. Apparently it did its job! :) Of course, that law only applied to dialup services, since broadband was only a glint in the telcos' and cable companies' eyes back then. &lt;/p&gt;
&lt;p&gt;One of the new bills that Congress is considering, sponsored by Senator George Allen (R-VA) and Senator Ron Wyden (D-OR), makes the moratorium permanent. It prohibits taxation on DSL and “future telecommunications” services, and requires that states with Internet taxes already in place phase them out. &lt;/p&gt;
&lt;p&gt;As you can imagine, state governments are not in favor of the moratorium, as they see a nice chunk of potential revenue slipping out of their grasp. A “compromise” bill is also under consideration, which only extends the moratorium for two years and allows states that are already taxing Internet access to continue doing so. The new bill also allows taxes that would be paid by the ISP rather than the consumer -- although of course the consumer will indirectly pay when the ISPs raise their rates in order to pay the taxes.&lt;/p&gt;
&lt;p&gt;What does all this have to do with security? Not a lot, at least directly. On the other hand, the security of the “Home LAN” - as well as the business LAN - becomes a bit of a moot point if we can't afford to connect our networks to the Internet in the first place. Granted, we would see far fewer intrusions, attacks and viruses that way.&lt;/p&gt;
&lt;p&gt;As always when lawmakers decide to try to take the Internet into their own hands, we'll be watching this one with interest, from deep in the heart of Taxes - er, Texas.&lt;/p&gt;</description></item><item><title>Introduction</title><link>http://msmvps.com/blogs/debshinder/archive/2004/04/25/5478.aspx</link><pubDate>Sun, 25 Apr 2004 19:39:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:5478</guid><dc:creator>debshinder</dc:creator><slash:comments>12</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/debshinder/rsscomments.aspx?PostID=5478</wfw:commentRss><comments>http://msmvps.com/blogs/debshinder/archive/2004/04/25/5478.aspx#comments</comments><description>&lt;p&gt;Although I've been involved with computers since the 70s and have been “living online” (where I met my husband, Tom Shinder, in 1994) for well over a decade, until recently I resisted the blogging trend. Too much to do, too little time. I wasn't convinced it was the best format for disseminating professional information, and the last thing I needed was another addictive time-waster, a la Internet chat and some mailing lists with which I've carried on love-hate relationships over the years.&lt;/p&gt;
&lt;p&gt;Obviously (based on the fact that you're reading this), I've changed - or at least opened - my mind. In part, that's because of the many professional blogs on the msmvps.com site. &lt;/p&gt;
&lt;p&gt;I intend to post here at least weekly. Although I'll address all sorts of issues related to Microsoft networking, networking in general, and technology as a whole, I expect to focus on Windows security issues and especially the growing subcategory of “home LAN security.” More and more users are setting up sophisticated home networks that rival those of many businesses, going way beyond the typical two or three computer peer-to-peer network to implement Windows domains, edge (rather than host-based) firewalls, their own Web and FTP servers, and server products such as SQL, SPS and the like usually thought of only in connection with business networks. Many of those users are not sure what they need in terms of security.&lt;/p&gt;
&lt;p&gt;The blog will consist of personal experiences, links to articles, reviews of security-related books, articles and events and random thoughts about the evolution of network security.&lt;/p&gt;
&lt;p&gt;Who am I? Setting the philosophical implications of the question aside, it's always good to know a little bit about the person who's writing what you're reading. I'm a former police officer and college criminal justice instructor/computer hobbyist turned professional IT consultant, author and speaker. I'm married to a former neurologist/computer hobbyist turned (you guessed it) professional IT consultant, author and speaker. We did the mid-life career change shuffle together in the mid-90s, earned our MCSEs, started our business, and created a new, technology-centric life. I've written two books on my own, &lt;em&gt;Scene of the Cybercrime &lt;/em&gt;(published by Syngress Publishing) and &lt;em&gt;Computer Networking Essentials &lt;/em&gt;(published by Cisco Press). I've co-authored, contributed to and/or edited over twenty more books, published hundreds of articles and whitepapers, done contract product documentation and marketing material for Microsoft and other software companies, spoken at conferences such as BlackHat U.S.A., and edited several technology newsletters. I currently edit WinXPNews at &lt;a href="http://www.winxpnews.com"&gt;www.winxpnews.com&lt;/a&gt;. If you want to know even more about me, see my Web sites at &lt;a href="http://www.shinder.net"&gt;www.shinder.net&lt;/a&gt; and &lt;a href="http://www.debshinder.com"&gt;www.debshinder.com&lt;/a&gt;. &lt;/p&gt;
&lt;p&gt;I look forward to sharing a few insights and, I hope, helping a few readers make their networks more secure in these high-risk times. Thanks for reading!&lt;/p&gt;</description></item></channel></rss>