State of the industry – June 2009

As the month comes to an end, there were a few interesting happenings of late that I wanted to comment on. First is the state of the spam blacklist SORBS. Apparently the University of Queensland wants to stop hosting SORBS, so SORBS is looking for a new home to immediately host their full 42RU rack of servers and enough bandwidth to cover their 30 billion DNS queries each day. Apparently SORBS has a checkered past, with many feeling that a closure of SORBS would be a good thing since the service apparently incorporates political and other questionable motivation that compromises its technical value. My thought? Spammers should be clamoring to host/buy it (discretely, of course). Think about it: make sure all of your competition is listed, and don't list yourself. Your spam gets a free ticket through the first line of spam defense. If spam is really that lucrative, then buying/hosting SORBS would make financial sense.

Next is the state of Microsoft's anti-virus efforts. Many AV industry experts claim that Microsoft's entry into the AV market would be laughable and minimal. Indeed, Microsoft's previous OneCare suite left a lot to be desired. But according to AV-Test, Microsoft's new Security Essentials (codename "Morro") actually holds its own (well, the beta version at least). There was also speculation that Microsoft's AV scanner would be cloud-based, but it's confirmed to be a traditional local client application. The Security Essentials site indicates that no more beta downloads are being offered at this time, so we'll probably need to just wait for a full release later this year. In the meantime, Microsoft's AV efforts are readily apparent on their Malware Protection Center page. Also interesting is the quote by the CEO of AVG, another anti-virus company, in the previously linked ComputerWorld article. He basically says that viruses are so yesterday, and incoming web nasties and malware such as browser exploits are the big threats now. True.

Lastly is the state of man-in-the-middle attacks on public networks. Have you ever noticed that things like wireless hotpots and hotel networks are a huge catch-22 for trust and network security? You connect to a network and get assigned IP, DNS, and routing information from a DHCP server that may or may not be the legitimate DHCP server. Then you could come to a captive portal page that may or may not be the legitimate captive portal. The captive portal page says you must enter in various information (Room number? Credit card? T-mobile login? Daily access code?) before you can use the network, but the information it requests may or may not be the legitimate information that is necessary. And that's assuming you even connected to the legitimate wireless AP in the first place (see more than one AP broadcasting the same SSID? Yeah...) Even SSL doesn't help here, because different places use different hostnames for their captive portal service...so you have no idea whether https://secure.FooBarHotelNetworkServices.com/captiveportal/sheraton/ is the right place or not when asked for your credit card number to get Internet access. An attacker can register any legitimate-looking domain name, get an SSL cert for it, and run their attack, and you would never know. ("Hello? Front desk? Can you please tell me the exact hostname for your captive portal, and whether or not I will need to enter in a credit card number to get Internet access?") In a world of laptop cellular aircards and mobile phone tethering, they are a much safer bet these days.

Until next time,
- Jeff