15 April 2009

Don't Force me to Hack You

We all know that weak passwords are bad, and that's why most web sites add some code to their registration or sign-up page to check whether your password is strong enough before allowing you to create a new account.

But for God's sake, why can't they just warn me if my password is weak and then give me the choice to change my password or keep it if I really insist on using a weak one?

The good news here is that most of the time they do such checks in the front end, i.e. in JavaScript.

Today one of my friends was creating a new account on StumbleUpon as he wanted to try it, but they refused to let him use his favorite password. So I used the Firebug console to create a new function that always returns true:

function alwaysTrue() { return true; }

Then I replaced their password strength checking function with my new function:

pwCheck = alwaysTrue;

And voila! They accepted my friend's password and stopped bugging us.

The point is, password policies are supposed to be there just for our reference, and people are supposed to be free to use whatever password they want. Otherwise they will not be able to remember their passwords and will either choose not to use that annoying service at all, or, even worse, write those funky passwords down on a piece of paper or use a single password for all the sites and services they use.
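The check above ran in the browser, which is the only reason one Firebug edit could skip it. As an added example (not StumbleUpon's code and not from the original post), here is a registration handler that enforces the policy on the server, where the browser cannot redefine it, while still doing what the post asks for: warn about a weak password and let the user override. Function and field names (checkPasswordStrength, registerAccount, acknowledgeWeakPassword) are assumptions.

```javascript
// Added example, not the original post's code: the strength check runs on
// the server, where a browser-side edit such as "pwCheck = alwaysTrue"
// cannot reach it, and a weak password is warned about rather than refused.
// Function and field names (checkPasswordStrength, registerAccount,
// acknowledgeWeakPassword) are assumptions for this example.

function checkPasswordStrength(password) {
  const reasons = [];
  if (password.length < 8) reasons.push("shorter than 8 characters");
  if (!/[a-z]/.test(password)) reasons.push("no lowercase letter");
  if (!/[A-Z]/.test(password)) reasons.push("no uppercase letter");
  if (!/[0-9]/.test(password)) reasons.push("no digit");
  if (/^(.)\1+$/.test(password)) reasons.push("one repeated character");
  return { strong: reasons.length === 0, reasons };
}

// Registration handler. `request` is the parsed body the browser sent;
// nothing the client says about strength is trusted, only the password itself.
function registerAccount(request, accounts) {
  const { username, password, acknowledgeWeakPassword } = request;
  if (typeof username !== "string" || typeof password !== "string" || !username) {
    return { status: 400, error: "username and password are required" };
  }
  if (accounts.has(username)) return { status: 409, error: "username taken" };
  const result = checkPasswordStrength(password);
  if (!result.strong && acknowledgeWeakPassword !== true) {
    // First attempt with a weak password: warn, explain why, and let the
    // user resubmit with the acknowledgement flag if they insist.
    return {
      status: 400,
      warning: `weak password: ${result.reasons.join(", ")}`,
      retryWithAcknowledgement: true,
    };
  }
  // A real handler would store a salted hash of the password here; this
  // model only records that the account exists and whether a weak password
  // was knowingly accepted, which is useful for later audit.
  accounts.set(username, { weakPasswordAccepted: !result.strong });
  return { status: 201, accepted: true, warnedWeak: !result.strong };
}
```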


03 March 2009

The Pirate Bay is DDoS'ed

It seems that my favorite torrent search website has been brought down by copyright crackers.

"A few hours ago The Pirate Bay website started to slow down, and eventually it became completely unresponsive. With the trial going on at the moment, the downtime instantly led to all kinds of rumors. However, there is nothing to worry about, the downtime is not related to the trial and people are on their way to bring the site back up", Torrent Freak.

"I just got word that "someone" is currently DDoS'ing the "thepiratebay.org". Even more interesting it may be a hijacked botnet causing the problem. More details as they come in", Cloud Computing Journal.

It's really shameful that those who claim to be fighting illegal materials are in fact fighting them using illegal methods.


18 November 2008

NAC - IF-MAP

So, what's IF-MAP!?
As you can see, your NAC is at a certain point in time aware of your credentials, the version of the antivirus installed on your PC, the patching level of your OS, etc. Now we need such data to be available to the other devices in the network, so that they can deal with you not only based on your IP address but also based on your username and machine health. We need some database, a MAP or Metadata Access Point, where all the previous info is available for our firewalls, IPS's, DHCP servers and any other network element to base their policies on. Any IPS that supports such a protocol will be able to deal with end-points and have dynamic policies for them based on various parameters, and not just their IP address.

"Trusted network connect - part of the Trusted Computing Group - published its Interface for Metadata Access Point protocol on April 28 to provide a common framework for sharing event metadata. This means there's finally a way for security and network devices from a variety of vendors to communicate, and thus make better assessments on whether to grant or deny access to everything from PCs to switches", InformationWeek

So now, even if someone changes his IP address, the firewall will not be fooled by the new address; it will be able to deal with him based on his role in the organization regardless of his address. The IPS will be able to treat different users differently based on their machine health, role in the organization, etc.
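To make the idea concrete, here is an added example (not from the post and not the TCG specification): a deliberately simplified in-memory model of a MAP in which a firewall decides on identity and device health rather than on the address, and the decision survives the user changing IP. The identifier names (ip:, ar:, identity:, device:) and the role/health metadata are assumptions; the real IF-MAP wire format is not reproduced.

```javascript
// Added example (not from the post or the TCG specification): a simplified
// in-memory model of a Metadata Access Point. Identifier and metadata names
// (ip:, ar:, identity:, device:, role, health) are assumptions; the real
// IF-MAP wire format (SOAP over HTTPS) is not reproduced.

class MetadataAccessPoint {
  constructor() { this.links = []; }          // each link: { a, b, metadata }
  publish(a, b, metadata = {}) { this.links.push({ a, b, metadata }); }
  remove(a, b) {                               // drop every link between a and b
    this.links = this.links.filter(l => !((l.a === a && l.b === b) || (l.a === b && l.b === a)));
  }
  neighbours(id) {                             // one-hop search from an identifier
    return this.links.filter(l => l.a === id || l.b === id)
      .map(l => ({ id: l.a === id ? l.b : l.a, metadata: l.metadata }));
  }
}

// Published by the NAC once it has authenticated the user and assessed the
// endpoint: an access-request ("ar:") ties the address to identity and device.
function publishEndpoint(map, ip, user, role, health) {
  const ar = `ar:${user}`;
  map.publish(ar, `ip:${ip}`);
  map.publish(ar, `identity:${user}`, { role });
  map.publish(ar, `device:${user}-pc`, { health });
}

// When the endpoint gets a new address only the ip link changes; role and
// health stay attached to the access-request.
function changeAddress(map, user, oldIp, newIp) {
  map.remove(`ar:${user}`, `ip:${oldIp}`);
  map.publish(`ar:${user}`, `ip:${newIp}`);
}

// A firewall's decision walks ip -> access-request -> identity and device,
// so nothing in the policy is keyed on the address itself.
function firewallDecision(map, srcIp, resource) {
  const ar = map.neighbours(`ip:${srcIp}`).find(n => n.id.startsWith("ar:"));
  if (!ar) return { allow: false, reason: "no authenticated session for this address" };
  let role = null, health = null;
  for (const n of map.neighbours(ar.id)) {
    if (n.id.startsWith("identity:")) role = n.metadata.role;
    if (n.id.startsWith("device:")) health = n.metadata.health;
  }
  if (health !== "compliant") return { allow: false, reason: `device health is ${health}` };
  if (resource === "finance-db" && role !== "finance") return { allow: false, reason: `role ${role} not allowed` };
  return { allow: true, reason: `role ${role}, device compliant` };
}
```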

Related Links:
InteropLabs, Making NAC Security-Aware with IF-MAP.
Got the NAC Blog, IF-MAP: Integrating All Network Security.
Got the NAC Blog, The Adoption Curve for IF-MAP.
StillSecure, After All These Years, Is IF-MAP the spark that will ignite the TCG/TNC and the security industry?
Rational Survivability, I Can Haz TCG IF-MAP Support In Your Security Product, Please.


12 November 2008

NAC - TNC

I wrote a post here about Network Access/Admission Control as a way to make sure that only authorized and healthy machines have access to your network.

It's a solution that can check the various hosts before giving them access to the network, and it can also control the switches and access points and create dynamic rules on your firewalls and IPS's in order to granularly control the access given to each host to the various resources in the network, based on its identity and security posture.
As you can see, to have a successful NAC solution, we need to make sure of the following:

1- You need your NAC device (Policy Decision Point) to be able to communicate with the different devices in your network (switches, access points, firewalls, IPS's, etc.), in order to push to them the policies needed to control who has access to which resources.
2- You can never guarantee that all the devices installed in your network are from the same vendor.

So, the best way to solve this is to have a standard NAC solution that facilitates the communication between your PDP and PEP's.
And as far as I know, the Trusted Computing Group's "Trusted Network Connect" is the only standard available out there.

As for the switches and access points part, TNC decided to make use of the existing 802.1x standard, and added some extensions to it in order to transfer the machine's health along with the authentication parameters.

But when it comes to security devices such as firewalls and IPS's, unfortunately there was no existing standard to depend on. And that's why they decided to introduce a new standard called "IF-MAP" a few months ago.


30 October 2008

No More Blog Rushing

As you may have noticed, I removed the BlogRush widget a few days ago. In fact I was not satisfied with the quality ... ehm ... the quantity of traffic it brought to my blog. And now it came to my knowledge that the BlogRush team has decided to shut their service down. It seems that they were listening to me :)

"After careful consideration, we have decided to shutdown the BlogRush service. If you have the widget code on your blog you will need to remove it", BlogRush.


28 October 2008

FPS - Facebook Prevention System

I received a message in my Facebook account today from one of my contacts, with a malicious URL in it. The message's title is "Youu're the wwhole shhow! i'm admirred wiith you", by the way. So take care.

I am not quite sure how those Facebook worms normally work. One possible scenario is that there are some bots which try to guess people's Facebook passwords, then hack into their accounts and send malicious messages on their behalf. Another scenario is that attackers were able to guess Facebook users' temporary session keys, and make use of the Facebook platform and APIs to send malicious messages on behalf of the users. In fact, the second scenario is really scary, as users cannot protect themselves by choosing stronger passwords or by making sure they have no malicious applications installed on their PCs that can steal their passwords. But the good news here is that Facebook hasn't announced any vulnerabilities in their system yet, so most probably it's the first scenario rather than the second one.

Anyway, I am writing this article to ask: since Facebook has gained such huge momentum and almost everyone is using it, why don't security companies start inventing new security applications on top of it?

We've got anti-spam and mail gateway security solutions for email. So maybe some day we will see Facebook applications that are able to check the content of your Inbox and decide whether the messages you receive are spam or not. We may see applications monitoring your status updates, sent messages and friend requests, informing you when they notice any anomalies in such activities, and warning you or even stopping those anomalies.

But the point is, email is now essential to business, so the business model for building security applications for email is justified. When it comes to Facebook, it's just users like you and me, who refuse to pay money for their desktop antivirus and either get cracked versions of it or wait for their companies to purchase one and deploy it on their company-owned laptops. Also, securing Facebook accounts is mainly the responsibility of Facebook Inc., and those guys are forced to protect people's accounts, or else people will find an alternative social network application and start using it instead.

Anyway, all those dreams and business model theories depend on the following:
How essential is Facebook in people's daily life, and maybe to business as well (some may claim that they use it for networking and maintaining relations with their customers and business partners)? Are people really willing to pay money in order to protect their accounts? Will the Facebook team deploy some extra security measures and charge people for those solutions (Security as a Service)? Will they just deploy those measures for free in order to make sure they do not lose customers? Is there someone who is really willing to build such an FPS - or let's better call it a Facebook Intrusion Prevention System (FIPS) - and sell it to people?

But finally, away from all that crap I've just written above: please, please, please, I do not want to see more torturing and annoying CAPTCHAs, as some people believe they are the only way to fight spam and bots. For me, CAPTCHAs are an anti-user solution more than an anti-spam one.


25 October 2008

Arista Networks

Every now and then, some companies grab bloggers' attention. Sometimes it is because they are offering new technologies or setting new standards, but other times it's because the people behind them are buzz magnets.

A former head of Cisco's switch business and a Sun co-founder started a new switching startup called Arista Networks. Their motto is "Extensible Operating System for Cloud Networking".

As you can see, "Sun", "Cisco" and "Cloud Networking" are buzz words enough to grab people's attention and get them writing about the new company.

So, I decided to pay their site a visit in order to see what new technology these guys are offering to the market.

First of all, they have a very limited portfolio: 24 and 48 edge switches with 10 GbE interfaces. They do not have any modular chassis-based switches yet, but maybe this is because they are just starting up.

They are focusing on their modular OS, but once again, Juniper's JunOS for example is modular too, so what is really new in Arista's switches compared to Juniper's EX-Series?!

They also offer ISSU (In-Service Software Upgrade), which is new for an edge switch. But many modular switches with redundant management modules (Foundry switches, for example) can already be upgraded without interruption, and I don't think this is the killer feature people are really looking for in an edge switch.

To tell you the truth, I think the main competitive value of Arista Networks is their prices. I do not know their actual pricing, but it's said that their prices are much lower than those of the equivalent switches from Cisco, for example. But what about HP ProCurve, for example: are they cheaper too?

Anyway, it's still good to have more companies competing in the switch market, which has been dominated by one vendor so far. Analysts usually like to call it the "Cisco and the Seven Dwarfs" market.


22 September 2008

McAfee to buy Secure Computing

I used to make fun of McAfee when they presented themselves as a network security vendor, especially since they didn't even have their own firewall product. So, now it seems that the people at McAfee have decided to spend about $465M to stop me from making fun of them.

Ok, let's get serious now. I think this is a good move from McAfee anyway. Secure Computing's security portfolio will surely fill some missing gaps in McAfee's product line: they have their own firewalls (Sidewinder) and content security (Webwasher). On the other hand, people may argue that Secure Computing's products are not highly ranked compared to other vendors in the market. And to tell you the truth, I always believed that McAfee was going to acquire a firewall vendor someday, and I thought that Fortinet was their best option. Not only would it have been the best buy for McAfee, but if I were in the shoes of Fortinet's guys I'd have asked McAfee to acquire us too. Fortinet has good products that surely would have filled the missing gaps in McAfee's network security portfolio, and McAfee's guys would have been prouder to put their logo on Fortinet's products than on Secure Computing's. On the other hand, Fortinet is the kind of vendor that is there to be acquired. Come on, they may have good products, but they are a small company, and it is really hard nowadays for companies of similar size with a narrow line of products to last for long before getting acquired or quitting the market.

Anyway, congratulations to the McAfee guys, and I believe the network security market will benefit from one strong vendor getting even stronger.


21 September 2008

Google Believes I'm a Virus

I received the following error message today when I tried to access the Google homepage.

But what makes Google believe that my request is coming from a virus or spyware application? Has any of you received a similar message too?

Ok, according to Google Help Center, "This message appears when Google detects automated querying coming from your IP Address, thus causing a quick spike in traffic on http://www.google.com".

But wait a minute: this can also happen if you are behind a NAT device and another device in your network is sending automated queries to Google.

It's likely that a user or a computer in your network is running automated querying. Sending automated queries of any sort to Google is against our Terms of Service. This includes, among other things, the following activities:
* Using any software that sends queries to Google to determine how a website or webpage ranks on Google for various queries
* 'Meta-searching' Google
* Performing 'offline' searches on Google

Now, what's the next step? If you have suitable privileges on that network, I think you have to deploy, or gather the logs from, existing IDS/IPS sensors and traffic anomaly detection systems. Such software can detect traffic peaks and other traffic patterns that violate the normal behavior of your network, and can then identify the offending host(s). Another solution for those who do not own an IPS is to gather the traffic logs from their gateway firewall or router and analyze those logs manually.

The problem here is that there is no IPS installed, or maybe there is one but I have no access to it. So I am forced to do it the hard way and analyze the firewall logs. As far as I can see, the number of sessions from the internal network to Google's IP addresses is not that huge, or even big enough to be suspected by their system. So it seems that it's as they said in their Help Center. Maybe it's something in the content of the traffic and not its volume. Maybe they get alerted when they see someone using their search engine, for example, and the User-Agent header in his/her GET request does not match any web browser they are aware of.

Anyway, it seems that with the tools available to me now, it is really hard to know the real reason for Google's error message, and how to detect the violating host and stop it if possible. So you may consider this post some kind of rant or chit-chat.

Error Message URL: http://sorry.google.com/sorry/Captcha?continue=http://www.google.com
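The manual firewall-log analysis the post falls back on, as an added example (not the post's own work): it parses session log lines, counts sessions per internal source towards a destination range, and flags any source that opens a burst of sessions within a short window, which is the "traffic peak" pattern an IPS would look for. The log format, the 203.0.113.0/24 range standing in for the search engine, and the sample lines are all constructed for this example.

```javascript
// Added example (not from the post): a first pass over gateway firewall
// session logs to find which internal host is hammering a destination
// range. Log format, the 203.0.113.0/24 "search engine" range and the
// sample lines below are constructed for this example, not real data.

const SAMPLE_LOG = `
2008-09-21 10:00:01 ALLOW src=192.168.1.10 dst=203.0.113.20 dport=80
2008-09-21 10:00:05 ALLOW src=192.168.1.23 dst=203.0.113.21 dport=80
2008-09-21 10:00:06 ALLOW src=192.168.1.23 dst=203.0.113.21 dport=80
2008-09-21 10:00:06 ALLOW src=192.168.1.23 dst=203.0.113.22 dport=80
2008-09-21 10:00:07 ALLOW src=192.168.1.23 dst=203.0.113.21 dport=80
2008-09-21 10:00:08 ALLOW src=192.168.1.23 dst=198.51.100.9 dport=443
2008-09-21 10:00:09 ALLOW src=192.168.1.23 dst=203.0.113.21 dport=80
2008-09-21 10:30:00 ALLOW src=192.168.1.10 dst=203.0.113.20 dport=80
`;

const LINE = /^(\d{4}-\d\d-\d\d) (\d\d:\d\d:\d\d) (\w+) src=(\S+) dst=(\S+) dport=(\d+)$/;

// Parse the log into entries; blank or unparseable lines are skipped.
function parseLog(text) {
  return text.split("\n").map(l => LINE.exec(l.trim())).filter(Boolean)
    .map(m => ({ t: Date.parse(`${m[1]}T${m[2]}Z`) / 1000, action: m[3], src: m[4], dst: m[5], dport: Number(m[6]) }));
}

// Total sessions per internal source towards the destination range (volume view).
function sessionsPerSource(entries, dstPrefix) {
  const counts = new Map();
  for (const e of entries) {
    if (!e.dst.startsWith(dstPrefix)) continue;
    counts.set(e.src, (counts.get(e.src) || 0) + 1);
  }
  return counts;
}

// Sources that open at least `threshold` sessions to the range within
// `windowSeconds` (rate view): a sliding window over sorted timestamps.
function flagBursts(entries, dstPrefix, windowSeconds, threshold) {
  const bySrc = new Map();
  for (const e of entries) {
    if (!e.dst.startsWith(dstPrefix)) continue;
    if (!bySrc.has(e.src)) bySrc.set(e.src, []);
    bySrc.get(e.src).push(e.t);
  }
  const flagged = [];
  for (const [src, times] of bySrc) {
    times.sort((a, b) => a - b);
    let start = 0;
    for (let i = 0; i < times.length; i++) {
      while (times[i] - times[start] > windowSeconds) start++;
      if (i - start + 1 >= threshold) {
        flagged.push({ src, sessions: i - start + 1, windowStart: times[start] });
        break;
      }
    }
  }
  return flagged;
}
```

Run it as `flagBursts(parseLog(SAMPLE_LOG), "203.0.113.", 60, 5)`; on the sample only 192.168.1.23 is reported, and the same two functions applied to a real export would show whether the volume is in fact as small as the post found.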


01 July 2008

Handling Rogue Access Points

Michael Gregg of Search Networking wrote an article there about the best methods for handling rogue access points.

He first wrote about the potential problems of allowing end users to add wireless devices to the company network without approval:

There are several potential problems with allowing end users to add wireless or other devices to the company network without approval. One big one is they may not employ the proper security measures. There is also the issue of maintaining control of the organization's infrastructure.
Then he gave some suggestions for handling those rogue access points:
All employees should know the rules regarding wireless and what can and cannot be plugged into the network. Policy enforcement will be easier if you have managed switches. You can disable unused ports and start restricting down active ones by MAC address filtering.
Ok! Warning your employees and having some written policies is fine, but it's not enough at all. How are you going to be sure that your employees will adhere to such a policy!?

Now, with respect to disabling and enabling ports on demand and writing MAC filters: come on, we are in the twenty-first century now. Manual controls such as enabling and disabling ports on demand are something from the past, and they are not effective either. An employee can simply connect the access point to his already activated port. And maintaining those MAC filters on the switches will be a real pain in the butt for the IT administrators, especially in a dynamic environment where users move a lot.

I believe an appropriate solution, instead of those prehistoric ones, is doing some authentication on your switch ports. IEEE 802.1x is a decent solution that will ensure that only devices with valid credentials are given access to your network. And if you've got a NAC solution, then most probably you can use it to apply some network access control as well.

He finally suggested using tools such as AirMagnet and AirDefense to detect rogue access points:
Next, find some tools that will let you scan for rogue access points. There are commercial tools that will do this such as AirMagnet and AirDefense, and if your budget is tight you might want to try an open source tool such as RogueScanner.
Fine, monitoring your network is a good practice, but you have to apply your controls first. Such scanning tools can hardly take action against those rogue access points; they will just warn you, and the intruders will have enough time to traverse your network before you receive such an event and take action.
