Spire Security News and Views

Sun, 08 Feb 2004 02:22:04 GMT

Email Notices

I consider myself fairly well-versed when it comes to security, but I must confess that I am completely baffled by the notices at the end of email messages. Here's one I saw recently:

"Important Notice: This email is confidential, may be legally privileged, and is for the intended recipient only. Access, disclosure, copying, distribution, or reliance on any of it by anyone else is prohibited and may be a criminal offense. Please delete if obtained in error and email confirmation to the sender."

Does anyone actually read these things? A couple of interesting points:

1) This particular notice was at the end of a message sent to a mailing list. A mailing list. So apparently the mailing list was prohibited from distributing the email to the rest of the mailing list. Although perhaps since the list was the intended recipient, that is okay. But is it confidential? This particular list has an archive on the web. Hmmm, they got past the first hurdle on the technicality, but this next one is a bit tougher.

2) How on earth would I know if I obtained it in error - it was addressed to me. They sent it. Ok, I'll admit that sometimes I know things are sent by mistake, but still... just doesn't seem right.

3) I like the whole "reliance" angle - so if Bill Gates had this notice at the end of his emails, he could have told the courts they were committing a criminal offense by relying on all of those emails.

4) Doesn't the whole deletion thing mean something like "I made a mistake, now you have to fix it for me, or you may be criminally liable"?

Who can tell me with a straight face that any of this would hold up in court?

Sat, 07 Feb 2004 01:23:33 GMT

Bandwidth-based Web DDOS Attacks

This article: Mydoom lesson: Take proactive steps to prevent DDoS attacks discusses the problem of bandwidth DDOS attacks that are difficult to defend against. Distributing the servers is the key - a la Akamai.

Sat, 07 Feb 2004 00:46:09 GMT

VMyths current target: Mi2G and MyDoom Estimates

An interesting attack from VMyths' Rob Rosenberger:

I am interested because I, too, would like to estimate damage done and am currently investigating ways to do this. Of course, if you subscribe to VMyths' philosophy, this virus didn't cost anyone anything... I tend to differ slightly - comments inline below.

Vmyths.com Virus Hysteria Alert
{2 February 2004, 22:05 CT}

In our previous Hysteria Alert, we predicted "someone will soon
declare a 'guesstimate' damage value for the MyDoom virus/worm,
strictly for its PR value." Vmyths named mi2g as one of the more
dubious candidates.

It is always fun when somebody "predicts" something so obvious that it is hard to be wrong. Some folks do it with caveats and percentages, while still others just state the obvious. Virus damage estimation has been going on for at least three years now. (Full disclosure: I may very well do this sometime in the future as well.) So here is my prediction: sometime in the future, VMyths will blast someone for "fearmongering" strictly for its PR value. (Gosh, I feel like John Edward must when he is speaking with the dead).

mi2g played its PR card with a wag of $38.5 billion in global damages.
We dismiss it as completely absurd. mi2g's guesstimate is:
   * 1.6% of the U.S. federal budget proposed for the next fiscal year;
   * 40% of the damage to New York City on 9/11/01; and
   * more than double the cost of Hurricane Andrew in 1992.

These numbers he is using is the first indication of error. Each of these examples deal with real dollars, not economic dollars - certainly for the first one, though there is a chance that it is not true for the other two, but I can only assume that if VMyths doesn't like the mi2g estimates, they won't like estimates used anywhere.

There is something else going on here as well. I call it the "world wide rash" syndrome. It is the difference in the way we feel about one person losing a million dollars (must really be awful) versus two million people each losing a dollar (at least each person only lost a dollar). Of course, the net result is "double the cost of the guy who lost a million dollars..."

Btw, this report estimates the losses due to Hurricane Andrew at $63.9 billion. Not to worry, we don't pay much attention to the U.S. Bureau of Economic Analysis anyway. They were probably just in it for the PR.

mi2g has pulled PR stunts since 1999 on an almost regular basis.
See http://Vmyths.com/resource.cfm?id=64&;page=1 for a critical look at
the firm's shenanigans.

Unfortunately, gullible reporters have already started to latch onto
this latest PR stunt. The Web Host Industry Review, for example,
published it in breathless tones. Vmyths believes major media outlets
will fall like dominoes -- mi2g's declaration is simply too large for
them to ignore.

It sounds incredible to say it, but mi2g now demands money if you want
to read press releases associated with their PR stunts. You'll pay
"£29.38 (including taxes)" just to read their "$38.5 billion" press
release, for example.

Visit http://www.mi2g.com/cgi/mi2g/press/010204.php if you don't
believe us.

This is actually pretty funny.

We asked it before and we'll ask it again. Why do British fearmongers
so often give guesstimates in U.S. dollars?

A cute distraction, intended to "warm" you up to the wit of VMyths. And since I am an American, I would look too proud if I answered this honestly.

mi2g has threatened to sue Vmyths for libel
(see http://Vmyths.com/rant.cfm?id=497&;page=4 for details) and this
Hysteria Alert may lead to a renewed effort to crush us. For the
record: we stand by our criticisms of mi2g. However, Vmyths prides
itself for an industry-leading "corrections & clarifications" page.
Anyone may write to VeaCulpa_at_Vmyths.com to contest our claims &
accusations.

One can only hope that someone will care enough to pursue legal action. It is even better PR than estimating the damage done by viruses and worms.

Anyone may visit http://Vmyths.com/rant.cfm?id=470&;page=4 to rebut our
opinions & criticisms.

Do the math. Stay calm. Stay reasoned. And stay tuned to Vmyths.

So here is the place I have the biggest problem. "Do the math"..."do the math"..."do the math"... has there been anything but the laziest of "math" done here? Come on - comparing random whole numbers.... it is absolutely silly. What would be interesting is if somebody actually did "do the math." I happen to think the number is pretty big as well, but in economic terms, productivity costs money. I like to think that an hour of my time is worth something. Big 5/Final 4 terms think an hour of their time is worth a bit more than something. So comparing the real dollars in a budget to economic dollars that are measuring productivity, among other things, is ridiculous. Of course, these numbers can always be challenged with alternative methods (VMyths chose not to, I suppose).

Rob Rosenberger, editor
http://Vmyths.com
(319) 646-2800

Acknowledgements:
Mary Landesman, http://antivirus.about.com

Fri, 06 Feb 2004 17:33:33 GMT

Expert's Guide to Effective Patch Management

I will be giving a webcast on patch management for searchsecurity.com. This coincides with the article I've written on patch management for Information Security Magazine (in February's issue, which should eventually show up at www.infosecuritymag.com).

Note: check out www.patchmanagement.org for a great mailing list on patch management.

Fri, 06 Feb 2004 06:09:42 GMT

People seem to like this MadLib I wrote poking fun at whatever the latest and greatest virus or worm is... try it out, it actually still works fairly well:

Spire ViewPoint

last updated: February 3, 2003
File under Spire Discipline: Threat Management

Author: Pete Lindstrom

[Adjective] Computer Worm [verb] Internet

In the wee hours of [date], a [adjective] computer worm spread [adverb] throughout the Internet. Dubbed [silly name] because [ridiculous reason that doesn't explain anything about how it works], and also known as [another random name] and [another random name], the worm has infected an estimated [number] systems within [length of time]. Experts are calling this worm the most [adjective] since [date in the past].

The worm exploits a hole in [Microsoft product name] that was first identified [number] months ago by [security company name]. In an attempt to secure the planet, and for our own good, [same company, or name of parents] released detailed information about the vulnerability and how to exploit it. They also mentioned how to fix it, but apparently [noun] listened. Coincidentally, the worm that exploited this hole was also first identified by [same company]. Not coincidentally, they make a product to protect against [noun].

"Actually, it's not really a [noun], it's a [noun]," said [Pete Lindstrom, or some other person seeking publicity]. " A true [noun] works by [random filler that nobody will read]."

The worm's payload [verb] every system by [verb ending in -ing] the [noun]. Comparatively speaking, this is much worse than [another worm] but not as bad as [another worm]. The computers of [place] were hit the hardest. Current damage is estimated at [dollar figure more than the GNP of two-thirds of the world's nations]. " This worm has the potential to [something or other]," said [Pete Lindstrom, or some other person trying hard to come up with something interesting to say ;-)]. " It just goes to show you that [another something or other]."

Though there is no way to protect against this particular bug, experts recommend trying [longshot one] or [longshot two], neither of which matter, since nobody will do it anyway.

Fri, 06 Feb 2004 05:50:50 GMT

Paying for e-mail: An idea whose time has come?. CNET News.com's Charles Cooper writes that charging for e-mail may not be so crazy an idea, after all.

Another approach to stop spam. Interesting that it, too, is a story about efforts from Microsoft. Paying for email is interesting, though we'd have to be pretty careful about ensuring against spoofed addresses (as the article points out).

Fri, 06 Feb 2004 05:38:11 GMT

ISS warns of holes in Check Point firewall, VPN server

"Internet Security System Inc. warned of critical vulnerabilities in Check Point Software Technologies Ltd.'s Check Point Firewall-1, Check Point VPN-1 Server, and SecuRemote and SecureClient VPN clients."

Is it just me or does ISS tend to find a lot of security holes with its competitors?

Fri, 06 Feb 2004 05:10:17 GMT

Microsoft project aims to make spammers pay for spam

This is a pretty interesting problem. Email scales so incredibly well that it costs the same to send 1 message as it does a million (sort of). So they are going to make email work harder to send one message. So the goal is to consciously cripple our systems. I am not sure this is a great direction to head. I would rather continue down the path of more trust in those we exchange email with... Sure, there are weaknesses with that, but I'd rather have a system based on trust than one that purposely reduces capabilities.

Thu, 05 Feb 2004 01:33:20 GMT

Spire Security Website

I am considering modifying my current homepage at www.spiresecurity.com to become a blog. I think it will be easier to update and syndicate, or should I say upd8 and syndic8?