Friday, December 5, 2008

Home Content Filtering

If your family is like many others these days, you may have a home network instead of just a home computer. And if you do, it's probable that your kids have a computer to use or even their own, and you're concerned about all the dark places they might venture into, whether intentionally or accidentally.

I'm going to address home content filtering from a network security professional's standpoint. In network security, a foundational concept is defense in depth. That simply means you protect your network assets in layers, so if a malicious attack is launched at you, it has to defeat multiple technologies to succeed. This might be access lists on your edge router, then a firewall, an IDS/IPS, an application firewall, host-based intrusion detection, and all the hardening and limiting of access you did on your server. You still might get popped if the attacker is good, but you should at least be alerted that it's happening so you can shut it down, even if only after the attack has occurred.

Applying this concept to home content filtering (blocking access to objectionable material), we can stop the traffic at multiple places, in multiple ways. This isn't a silver bullet that can ensure your kids (especially older ones) will never circumvent your controls, but it's a strong deterrent for all but the most determined teenage hacker, and will certainly stop most accidental and unintentional misclicking.

By the way, if you have a teen who's rigidly set on surfing porn or visiting anarchist or hate sites, you have to know he/she will just go elsewhere to do their surfing (like the local library, a friend’s house or an Internet cafe). You have bigger problems than can be addressed here and need a different kind of help. Consult your pastor or rabbi or a counselor you trust.

On to the steps...
1) Internet filtering software. This is the one most folks know about, the typical "Net Nanny" software you install directly on the computer that looks at URLs and keywords and blocks access to sites. Be aware that even though it's a layer of security, it's a pretty weak one, especially if you don't block access to anonymizer sites (Web sites you log onto that proxy your surfing and actually pull down the Web pages for you and send them back to your machine). Kids as young as third and fourth graders trade tips on the playground on how to evade net filtering. It's still a layer, though, and will keep very young children from accidentally clicking on the wrong link.

2) Your home cable/DSL router. Most modern home routers have some sort of filtering technology built into them that allows you to block sites by keyword, or add your own URLs or IPs to block. You can get some false positives with this, like anything, but newer ones will allow you to override the block with a password. (By the way, DON'T have Internet Explorer remember your password to your router. Make it a good password, and if you must write it down, store it in a place you know no one else should ever find, or you defeat the purpose of using the filters.)

3) OpenDNS. Instead of using your ISP's DNS servers to resolve names to IP addresses (the whole Internet depends on this function to surf by human-friendly names instead of having to know the IP address of every site you want to visit), you can use OpenDNS. This is a (free) DNS service you can point your PC or router at to provide this service. There are several advantages to this. One, OpenDNS can block phishing sites you may be enticed to go to that have been set up to steal your login info or credit card information. Secondly, OpenDNS can keep track of stats and logs of your surfing, if you have need of or are interested in that type of data. And finally the third reason, and the one that applies to content filtering, is that OpenDNS allows you to choose levels of filtering (and customize those levels) by categories of sites you don't want to allow through. If for example you have chosen to block Playboy and someone tries to go to that site, they will get a nice block page instead. If the person believes they should be able to access a page, they can flag the site for review or send an email to the administrator (you) asking to be allowed.
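To make the layering concrete, here is an added example (not from the original post) that models the three layers above as a small Python filter and runs some constructed URLs through it. The hostnames, the keyword list and the category map are all made up for the example; the interesting case is a URL routed through an anonymizer, which the keyword filter and the router's host blocklist both miss and only the DNS category filter catches.

```python
from urllib.parse import urlparse

# Layer 1: keyword filter on the URL string, like desktop "Net Nanny" software.
KEYWORDS = ("porn", "hate")
# Layer 2: router-style host blocklist (matches the host and its subdomains).
ROUTER_BLOCKLIST = {"example-adult.test"}
# Layer 3: DNS-level category filter (OpenDNS-style). The .test hostnames
# and their categories are constructed for this example.
DNS_CATEGORIES = {
    "example-adult.test": "adult",
    "webproxy.test": "proxy/anonymizer",
    "bank.test": "finance",
}


def host_matches(host, blocked_hosts):
    """True if host equals, or is a subdomain of, any entry in blocked_hosts."""
    return any(host == b or host.endswith("." + b) for b in blocked_hosts)


def check_url(url, block_anonymizers=True):
    """Return the name of the first layer that blocks url, or None if allowed."""
    host = (urlparse(url).hostname or "").lower()
    # Layer 1 only sees strings: crude, and prone to false positives.
    if any(k in url.lower() for k in KEYWORDS):
        return "software keyword filter"
    # Layer 2 sees only the host the browser connects to, so a page fetched
    # through an anonymizer shows the proxy's host, not the real target.
    if host_matches(host, ROUTER_BLOCKLIST):
        return "router blocklist"
    # Layer 3 blocks whole categories; blocking the anonymizer category is
    # what closes the hole the proxy opened in layer 2.
    blocked = {"adult"} | ({"proxy/anonymizer"} if block_anonymizers else set())
    for blocked_host, category in DNS_CATEGORIES.items():
        if host_matches(host, {blocked_host}) and category in blocked:
            return "DNS category filter (%s)" % category
    return None


if __name__ == "__main__":
    for u in ("http://www.example-adult.test/gallery",
              "http://webproxy.test/browse.php?u=http://example-adult.test/",
              "http://news.test/hate-crime-report",
              "http://bank.test/login"):
        print(u, "->", check_url(u) or "allowed")
```

The news URL shows the keyword layer's false-positive problem mentioned in step 2; run `check_url` with `block_anonymizers=False` on the proxy URL to see the evasion from step 1 succeed.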

All of these are layers, and are mostly effective to keep the accidental access from happening, or to keep a younger but increasingly curious child from making bad decisions.

Who knows, though, if you have a problem teen and he sees all the trouble you’ve gone to to try and protect him from himself, it just might make a difference.

Wednesday, November 26, 2008

ISC Redux

Got some feedback on the SANS Alumni list that the Storm Center has been up and down all morning, mostly down. Hope it's nothing more than a technical issue.


The Internet Storm Center appears to be down. The SANS main site is up and running; may be just maintenance. Hopefully it will be back up soon. I haven't had my daily browse to see what's going on in NetSec this morning. Off to Security Focus or my news reader, I guess. Talisker is a good place to get an overall view too, a dashboard found at
It has sections on news, latest vulns, tools, signatures and some snappy maps. =-)
Looks especially good to have up when clients are walking through and you get introduced as "the security guy". Does this mean I get a gun and a badge too?

Thursday, November 13, 2008


This will be old news to many, I presume, but I came across a very nifty tool called Malzilla on a security list today. Turns out it's just what I've been looking for. Doing IDS analysis, you come across a lot of obfuscated code in various formats: JScript, hex encoded, Base64, shellcode and the like. I'd never found one tool to help me quickly work through this until I found Malzilla. Primarily a malware analysis tool, it deobfuscates all of the above as well as having a hex viewer, a PScript tool, and a URL deobfuscator. Very nice, free, and open source. If interested, you can grab the W32 binaries package at . Sweet! Many thanks to the author, Boban Spasic, as well as the other contributors to the project, found in the About tab of the tool.

Tuesday, November 11, 2008

WPA Cracked

As reported now everywhere, WPA has been cracked. 12-15 minutes according to one article. Rather than rehash all the info there, just go to the Storm Center articles and get all the links and the latest info. They really do a great job staying on top of this stuff.

Oh, and move to WPA2 if you haven't already. It's not affected, and unless your AP/wireless router is older, it's probably already supported.

Friday, October 24, 2008


Microsoft released an out-of-cycle patch for a vulnerability in the Microsoft Windows RPC service. XP and 2003 are vulnerable to anonymous attack, while it's reported that attacks against Vista, 2008 and the pre-beta release of Windows 7 would require authentication. The bug has to do with how Windows RPC handles specially crafted requests. Attacks are already being detected in the wild, and AV coverage so far is low. Simply being behind a hardware firewall doesn't mitigate the risk, as the vuln is being leveraged in drive-by, client-side browser attacks. Even a personal firewall is not a mitigation if file and print sharing is turned on, as those are the ports (139 and 445) used in the attack. Patching as quickly as possible is your best option. Disabling the Server and Computer Browser services would also help; if you don't share files or printers on a home network, this is a possibility as well.

More info here:

Tuesday, September 30, 2008

In Limbo

RSA Consumer Solutions released information on a banking Trojan called Limbo. Evidently the Trojan is not new, but has become increasingly affordable on the underground malware market (US $350.00, down from US $5,000.00 two years ago). What makes this piece of malware so insidious is that it uses HTML injection to add fields to your legitimately established on-line banking session. Criminals use this to ask for information such as your PIN, bank card number or other sensitive data. Because the actual connection is to your bank's Web site, you would have no idea you were being phished except that the session is now asking you for information it didn't previously.
If you have family members and friends who do on-line banking (and who doesn't), I'd relay this information to them. Simply tell them there is a new "hack" circulating that could affect their online banking, even if they manually type in the address of the bank and get no SSL warnings. Tell them that if their bank's form asks them for information it didn't in the past, especially if it's their card number or PIN, to close their browser and get technical help.

Details are here:

Tuesday, August 19, 2008

Hype or Preparedness?

We're now past all the hype and reams of speculation about the DNS cache poisoning vulnerability released by Dan Kaminsky. First, we had the massive coordinated patch release by vendors across the board. Then other researchers made intuitive guesses and released, then in one case retracted, their findings. Then we had webcasts by Dan with more hints, and then finally the BlackHat presentation. To date, as far as I know, there's only been one public finding of a poisoned server (AT&T's DNS server in Austin, Texas), even though a module for the exploit was written for Metasploit. The poisoned server was noticed by folks working at H.D. Moore's company, who, ironically, co-wrote the module for his Metasploit project.
Was this all a case of massive hype? Or did the fact that the details were kept under wraps for so long and patches made available across the board avert disaster? If so, it would be reminiscent of Y2K, where predictions of global doom were rampant, movies were made, and folks stocked up on water and food in basement shelters. And IT departments world-wide rolled up their sleeves, worked huge volumes of overtime, got the job done and fixed the issue.
Did we have a national day of appreciation or celebration for those fine folks and their incredible achievement? For the most part all we heard was how over-hyped the problem had been, and a bunch of late-to-the-party pundits came out saying how they had told us all along everything would be fine.
Hype or IT getting it right again? Jury's still out, but I vote for the latter.

Wednesday, June 25, 2008

Bad Networks... really baaaaad. released a new study showing almost 50% of the Web sites pushing malware are registered to 10 domains, 6 of them in China.

Think how much less identity theft, credit card theft, and cleaning up after infections we'd have if we could globally block these networks. Not as easy as it sounds, but blacklisting even part of these networks at your ingress points would have to be bonus round material any way you look at it...

Friday, June 6, 2008

SSL Thoughts

How will we ever effectively educate users not to click through SSL warning boxes while our own systems have expired or invalid certificates? I've come across SSL certificate warnings on a federal agency site that liaises with the private sector on security. I've seen them on vendors' sites selling security products and services. And of course I come across them regularly on retail sites on the Internet. When they become pervasive and common, coupled with the fact that we do a really poor job educating users on what those warning boxes really mean, we've in essence trained them to click through and ignore them.
Misinformation from well-meaning sources is another issue. I've seen articles that said to look for the golden padlock at the bottom of your web browser, and if you see it, you're safe.
We know that's not the case, but the average end user reads that and takes it as accurate information and makes their on-line experience less secure through false assurance.
I appreciate the effort to try and educate; I just wish they had consulted someone knowledgeable in security before writing the article.
Put that one right next to the tip about how hiding the SSID on your access point makes your wireless more secure.

Thursday, May 15, 2008


Anyone planning or already registered to attend SANSFIRE this year? I'm hopefully working out a hurdle that would have prevented me from attending. This will be my fourth year in a row for D.C. I've attended conferences at other venues (New York City, San Francisco) but definitely prefer this one. There is an eclectic group of attendees from business, academia, government and military, like all SANS conferences, but with more than the usual share of defense folks and three-letter agencies represented. And of course D.C. is the major network security hub with all the government and military contracts, so there's always a huge vendor expo and lots of NetSec notables walking around. I can't imagine doing SANS in Orlando, or Virginia Beach or Vegas. There's so much extra to take advantage of with SANS At Night, Birds of a Feather sessions, special presentations by groups like the ISC Handlers... I try to schedule something every night to get more knowledge while I'm there.

Thursday, April 24, 2008

Too Common

The recent mass exploitation of web sites via a blind SQL injection attack ( , ) is disturbing in that it's nothing remarkable any more. The number of sites presenting themselves as targets due to vulnerabilities that we've known about for years is astounding. Buffer overflows, format string attacks, cross-site scripting and SQL injection attacks are all things that could be prevented with secure coding practices. Makes one wonder how much of the multiplied billions spent on network security each year could be redistributed back to the business or at least spent taking the security posture to the next level. That is, if businesses were ever to aggressively enforce secure coding practices and make it not a priority but a mandate, it might happen. Far too much of network security is spent trying to detect, prevent or clean up after attacks that shouldn't be a major issue anymore, if security were applied consistently at the application development level.

Friday, February 15, 2008

2008 Sophos Threat Report

The 2008 Sophos Threat Report is out, found here:

A few highlights...

  1. One new malicious Web page discovered every 14 seconds, or 6,000 a day
  2. 4 out of 5 of these pages are hacked, legitimate sites
  3. 51.4% of malware-hosting sites are found in China, the new top country
  4. More infected web sites are running Apache (48.7%) than IIS 6 (40.6%)
  5. 1 in 909 emails contain malicious attachments, down from 1 in 44 in 2005
  6. 50,000 variants of Storm Worm were recorded in 2007
  7. 21% of malware is written in China
  8. Symantec detected just 66% of new malware in independent testing, a poor 5th best
  9. The U.S. is still the top spam relaying country, with 22.5%
  10. 95% of all email is spam
Lots more to digest, and the outlook is darker with each new report. But take heart, if you work in NetSec, it all adds up to: job security!

Friday, January 25, 2008

The China Syndrome

SC Magazine is reporting that according to experts like Alan Paller of SANS, there is empirical evidence that China has already succeeded in penetrating key government and industry databases. The issue now is no longer keeping them out, but getting them out. U.S. Director of National Intelligence Mike McConnell reported in the New Yorker that the Defense Department is seeing about three MILLION unauthorized probes per day against its networks. And Ed Giorgio, a security consultant who worked for McConnell, says China has 40,000 hackers collecting info off of U.S. systems and those of its allies.

More info here

China, predictably, continues to deny these allegations, calling them "preposterous". The question now is what to do. China is a major trading partner (we import 5 to 1 more than we export) and a bankroller of huge amounts of Federal debt (about a trillion dollars, or about 20% of the total). Yet from what we are seeing, their actions in cyberwarfare are about the equivalent of what we should expect from a nation openly hostile to us, like Iran or North Korea.

Finding a workable solution for this situation is going to be sticky, and the longer we wait the more at risk we become.

Friday, January 11, 2008

SANS Management 512 Course in the Windy City

Stephen Northcutt is bringing the Management 512 course, Security Leadership Essentials for Managers with Knowledge Compression, to Chicago this March. Course dates for the 5 day course are March 3rd through the 7th.

If you're interested, full info available here:

Friday, January 4, 2008

GIAC Hits Twenty Thousand Mark

GIAC, the certifying body of SANS, recently hit the 20,000 mark for certified security practitioners. Congratulations, SANS! GIAC also recently completed their requirements and received ISO/ANSI 17024 accreditation.

Please visit the GIAC or SANS site for more information. SANS not only provides what I believe to be the industry's best training you can obtain, it's also a fantastic resource for network/information security information.

GIAC stands for Global Information Assurance Certification.
SANS stands for SysAdmin, Audit, Network, Security.
