April, 2009

Google has published a browser security handbook for developers

If you develop websites or manage webservices, then you should check out the Browser Security Handbook that Google publishes on their code.google.com website. The Browser Security Handbook currently has three sections:

Part 1: Basic concepts behind web browsers

• Uniform Resource Locators
  • Unicode in URLs
• True URL schemes
• Pseudo URL schemes
• Hypertext Transfer Protocol
• Hypertext Markup Language
  • HTML entity encoding
• Document Object Model
• Browser-side Javascript
  • Javascript character encoding
• Other document scripting languages
• Cascading stylesheets
  • CSS character encoding
• Other built-in document formats
• Plugin-supported content

Part 2: Standard browser security features

• Same-origin policy
  • Same-origin policy for DOM access
  • Same-origin policy for XMLHttpRequest
  • Same-origin policy for cookies
  • Same-origin policy for Flash
  • Same-origin policy for Java
  • Same-origin policy for Silverlight
  • Same-origin policy for Gears
  • Origin inheritance rules
  • Cross-site scripting and same-origin policies
• Life outside same-origin rules
  • Navigation and content inclusion across domains
  • Arbitrary page mashups (UI redressing)
  • Gaps in DOM access control
  • Privacy-related side channels
• Various network-related restrictions
  • Local network / remote network divide
  • Port access restrictions
  • URL scheme access rules
  • Redirection restrictions
  • International Domain Name checks
  • Simultaneous connection limits
• Third-party cookie rules
• Content handling mechanisms
  • Survey of content sniffing behaviors
  • Downloads and Content-Disposition
  • Character set handling and detection
  • Document caching
• Defenses against disruptive scripts
  • Popup and dialog filtering logic
  • Window appearance restrictions
  • Execution timeouts and memory limits
  • Page transition logic
• Protocol-level encryption facilities

Part 3: Experimental and legacy security mechanisms

• HTTP authentication
• Name look-ahead and content prefetching
• Password managers
• Microsoft Internet Explorer zone model
• Microsoft Internet Explorer frame restrictions
• Mozilla and Safari HTML5 storage experiments
• Microsoft Internet Explorer XSS filtering
• Script restriction frameworks
• Origin headers
• Mozilla content security policies

This is a good resource for developers and administrators to understand browser & web security considerations.

Thanks for reading and let’s continue to be good network citizens.

Training users? Do they still do what you tell them NOT to do?

Here’s a story that might help you think of a creative method to train users to NOT do what they continue to do even after you have instructed them in proper use of computer systems.

Lipstick in School (You’ve got to love this Principal)

According to a news report, a certain private school in Washington
was recently faced with a unique problem. A number of 12-yr-old girls
were beginning to use lipstick and would put it on in the bathroom.
That was fine, but after they put on their lipstick they would press
their lips to the mirror, leaving dozens of little lip prints. Every
night the maintenance man would remove them and the next day the
girls would put them back. Finally, the principal decided that
something had to be done.

She called all the girls to the bathroom and met them there with the
maintenance man. She explained that all these lip prints were causing
a major problem for the custodian who had to clean the mirrors every
night (you can just imagine the yawns from the little princesses.)

To demonstrate how difficult it had been to clean the mirrors, she
asked the maintenance man to show the girls how much effort was
required. He took out a long-handled squeegee, dipped it in the
toilet, and cleaned the mirror with it.

Since then, there have been no lip prints on the mirror.
There are teachers…and then there are educators.

Thanks for reading and let’s continue to be good network citizens!

Did you see this? - Free Wireless LAN planning, deployment and management tools

Xirrus is a WLAN equipment manufacturer. They have some very cool products and if you have not checked them out and are looking for installing, adding or replacing any WLAN network gear, then I suggest you take a look at their offerings before making a decision.

Xirrus has a page on their website where they offer some cool free tools for planning, deploying and managing wireless networks. The tools will work on any 802.11 wireless network as well as on wired networks. Some of the tools available include:

Xirrus Wi-Fi Inspector
The Xirrus Wi-Fi Inspector is a powerful tool for managing and troubleshooting the Wi-Fi on a Windows XP or Vista laptop. Built in tests enable you to characterize the integrity and performance of your Wi-Fi connection.

Xirrus Wi-Fi Monitor Gadgets/Widgets
The Xirrus Wi-Fi Monitor allows you to monitor your Wi-Fi environment and connection in real time from your desktop in an easy-to-use mini-application. Nine different color skins allow you customize the Wi-Fi Monitor to your desktop

Iperf
Iperf is an easy to use and very popular tool that every IT professional should have that measures maximum throughput. Iperf provides you the data to tune TCP and UDP characteristics. Iperf reports throughput, delay jitter, and datagram loss in easy to understand tables and graphs. You can run Iperf from and command line or a GUI interface.

Qcheck
Qcheck is a must have and handy tool for any IT professional. It does much more than the traditional “ping” command

Other tools are available on this excellent website. I recommend that you take a few minutes, review the offerings and add to your toolbox those tools of value to you.

Thanks for reading and let’s continue to be good network citizens.

Doing Microsoft packet analysis? - Microsoft releases Network Monitor 3.3

If you do packet capture or analysis in a Microsoft environment, then you are probably already familiar with Microsoft Network Monitor. If not, please read my real-world use of it for PROTOCOL analysis vs protocol analysis (with a small p). Microsoft has updated Network Monitor to v3.3. The announcement of its release can be found on the Technet blog. Some of the new features listed are:

· Ability to capture WWAN (mobile broadband) and Tunnel traffic on Windows 7.

· Full Hyper-V support on Windows Server 2008

· Right-click-add-to-alias: Right-click a frame in the Frame Summary window with an IPv4, IPv6 or MAC address to add that address as a new alias. This is one of those little things that simplifies your work-flow.

· Right-click-go-to-definition: Have you ever wondered where and how the protocols fields you see in the Frame Details are defined in our in-built parsers? Wonder no more. Introducing right-click-go-to-definition: right-click a field in the Frame Details window and select Go To Data Field Definition or Go To Data Type Definition to see where the field is defined in the NPL parsers.

· Autoscroll: Another one of those little, but priceless things … auto-scroll. See the most recent traffic as it comes in. In a live capture, click the AutoScroll button on the main toolbar to have the Frame Summary window automatically scroll down to display the most recent frames as they come in. Click Autoscroll again to freeze the view in its present location.

Several other new features are described in the Technet blog. If you capture packets on a Microsoft network, then you should get this upgraded version to add to your toolbox.

Thanks for reading and let’s continue to be good network citizens.

Doing less with less - the glass is the wrong size!

I am an optimist by nature. I always look for the positive in everything. However, that is sometimes a challenge in today’s economic environment. There is a time when you have to be a realist and see the situation for what it is. Continued »

Pandemic preparation, risk and business continuity

I’m not the kind to run around thinking the sky is falling or that the swine or bird flu risk is non-existent. I take a lot of these warnings with a grain of salt. However, the pandemic watches of the past few years should obviously have organizations thinking about their risks and business continuity plans. In fact, my organization has a few sites in Mexico and along the border with Mexico. So, this situation has the potential to directly affect our employees.

I wanted to bring your attention to a recent posting on the excellent SANS organization website about the pandemic watch of 2009. This posting is titled Pandemic Watch April 2009. This has very good explanations of the current situation and the potential health risks.

The section that I think is most appropriate to IT folks (actually to everyone) describes a skeleton plan for companies to help deal with the situation. The following is an excerpt from the SANS website.

Don’t Panic!

Initial monitoring stage (where we are right now)

* If you’re sick, stay home
* Family is sick, stay home
* Close contact with someone showing symptoms, stay home
* Wash your hands, cover your cough

Then, if multiple cases in your area,

* Think about telling non-essential workers to stay home
* Recommend workers take kids out of daycare

Pandemic stage

* Everyone will be staying home, how will you handle it?
* Do you have enough laptops?
* Can your VPN concentrators handle the load

I would recommend taking some time to read the summary about the health risks of the various flu strains. Let’s continue to keep our thoughts and best wishes for those who have already been affected by this most recent health issue.

Thanks for reading and let’s continue to be good network citizens - stay healthy too and if you are not healthy, then please contact a health care organization as soon as you can. Get well soon!

Simple is not always easy - SNMP for network management

SNMP - Simple Network Management Protocol has been around since the late 1980’s (RFC 1065, 1066, 1067). It has moved from SNMPv1 to the current SNMPv3 (RFC 3411 - 3418). Older versions are considered obsolete or historical.

SNMP is available on almost every network device such as switches, routers, servers, desktops and laptops. It is a feature provided by the operating system on these devices. Since it is so prevalent and across so many platforms, it is a significant risk to an environment if the SNMP configuration is enabled and the defaults are not changed, a malicious hacker could gain a lot of information and possibly control an organization’s infrastructure with little or no notice by the affected organization.

It is critical that each sysadmin and netadmin understand this service/protocol. It is not something to be taken lightly. Device configurations can be changed using SNMP. Data can be sniffed, redirected and decoded using SNMP. The upside of SNMP is it can be used effectively as a warning system of system/network issues. Thresholds can be monitored and notifications sent before the users detect any issues. Trend analysis can be performed based on historical data.

Here’s a sampling of some SNMP resources to help you gain a better understanding of this protocol/service that is likely already running on your network but not being monitored.

SNMP Link Org - a portal to all things SNMP; has news, software, appliance information and other SNMP related resources.

SNMP Wikipedia article - a great page with links to many SNMP resources

GetIF - a nice free SNMP tool that I use occasionally to quickly watch some SNMP MIBs on devices

What SNMP tools do you like that are easy to use and available for other administrators to use?

Thanks for reading & let’s continue to be good network citizens.

5 Things we learned from the Conficker non-event

1. The media can take a story about Information Technology and say nothing of substance. What did the 60 Minutes story do for the IT industry? It made Symantec look like they could not effectively address security risks and might even create a sense of false security. I wonder how the CBS IT staff felt when it was revealed that some computers had been compromised. Who was this April Fools joke for? Working in IT at times makes you feel like Rodney Dangerfield - “I don’t get no respect”

Continued »