Copycat Twitter Worm?

April 15th, 2009 wifijedi

 

As most of you know, Twitter was hit with a series of worms this past weekend. They were created by 17-year-old Mikey Mooney, creator of the website StalkDaily.com (don’t visit the site). The original worm seemed fairly innocuous, with messages that were created to drive traffic to the StalkDaily website.

I wrote a Computerworld blog post, where I detailed the original attack as well as provided a list of security recommendations.  In that post, I commented that Twitter users should be on the lookout for modified worms, especially as additional details of the original attack come to light.

After Twitter patched the original cross-site scripting (XSS) flaw, which exploited the “link” field in a user profile, another variant of the worm appeared. This time, the worm exploited the “color” setting of the user profile. The modified worm highlighted that the XSS vulnerability was not limited to a single field and that Twitter would have to institute a comprehensive patch, not a band-aid solution.
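As an added illustration (not Twitter's code and not part of the original post), here is what a comprehensive fix looks like compared with patching one field: every user-editable profile field goes through an allow-list validator for its type, and every value is encoded again at output. The field names, the schema and the 160-character limit are assumptions made for the example.

```javascript
'use strict';
// Added example. Field names and the schema are assumptions, not Twitter's.

// Output encoding for HTML text and quoted-attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Allow-list validators by field type: return a canonical safe value or null.
const validators = {
  color(v) { // exactly 3 or 6 hex digits, optional leading '#'
    const m = /^#?([0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/.exec(v);
    return m ? m[1].toLowerCase() : null;
  },
  url(v) { // absolute http(s) URLs only; rejects javascript:, data:, etc.
    try {
      const u = new URL(v);
      return u.protocol === 'http:' || u.protocol === 'https:' ? u.href : null;
    } catch (err) {
      return null;
    }
  },
  text(v) { return v.length <= 160 ? v : null; }, // encoded at output time
};

// Every user-editable profile field is listed; unlisted fields are dropped.
const PROFILE_SCHEMA = {
  name: 'text', bio: 'text', link: 'url',
  linkColor: 'color', backgroundColor: 'color',
};

function sanitizeProfile(input) {
  const clean = {};
  const rejected = [];
  for (const [field, type] of Object.entries(PROFILE_SCHEMA)) {
    const raw = input[field];
    if (raw === undefined) continue;
    const value = typeof raw === 'string' ? validators[type](raw) : null;
    if (value === null) rejected.push(field); else clean[field] = value;
  }
  return { clean, rejected };
}

// Validation and encoding are both applied, so one missed check is not fatal.
function renderProfileLink(clean) {
  const color = escapeHtml(clean.linkColor || '0000ff');
  const href = escapeHtml(clean.link || '#');
  return `<a style="color:#${color}" href="${href}">${escapeHtml(clean.name || '')}</a>`;
}
```

Logging the `rejected` list per account also gives operations a signal for profile updates that carry markup in fields that should never contain it.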

The variant of the worm automatically generated tweets with the term “mikeyy”. These were sarcastic in nature and seemed to be tongue-in-cheek. Examples include:

  • Mikeyy I am done…
  • Mikeyy is done…
  • Twitter please fix this, regards Mikeyy

The general consensus today is that the “StalkDaily” and “Mikeyy” worms have been adequately addressed.   However, I am not fully convinced. Four days after the original worm, I am still seeing suspicious behavior.  A colleague of mine has a Twitter account that automatically started generating tweets saying “I am not here right now.”

Using a third-party iPhone application, TweetStack, I am conducting periodic searches on the string “I am not here right now.” I found that this is not nearly as widespread as the “StalkDaily” Twitter worm, but has affected at least a couple dozen accounts.

While this could be yet another variant of the worm created by Mikey Mooney, my suspicion is that this is a copycat worm created by another party (most likely a script kiddie).

Are YOU still seeing anomalous behavior on Twitter?  I would love to hear about it!  Please comment below as well as notify the Internet Storm Center if you see anything noteworthy.

- WiFiJedi

Douglas J. Haider is a Principal Technologist with Xirrus.  He hosts a personal blog at WiFiJedi.com, and micro-blogs on Twitter @wifijedi (which was not infected by the Twitter worm at the time of this writing…)

Can IT Vendors be Objective?

February 26th, 2009 wifijedi

Here is another guest post by WiFi Jedi

————————————————————————————

Can IT Vendors truly be objective? Or does everything they say have to be viewed through a lens of “they are trying to sell me something”?

Join me while I rant…

Personally, I think IT vendors can be objective.

Sure, we manufacture and sell things…

*Gasp* – We even profit from selling.

But that doesn’t mean we can’t be objective.

i.e. – I try to provide solid vendor-neutral information to the wireless community through my blog, http://wifijeidi.com.

(In fact, only 2 of the nearly 40 blog posts I have completed to-date have been about my employer, Xirrus.)

However, not everyone sees it that way.


Let me give you an example…

I requested press access to an industry event as a blogger.

However, I was told that I can’t get a pass of this nature because I work for a vendor.

Furthermore, I was told that bloggers of major publications (ComputerWorld, Network World, ZDNet, etc.) would qualify.

So I went out seeking a spot with one of these publications as one of their bloggers.

(I even had a solid lead directly to an editor with a reference from another well-known blogger at one of these publications.)

However, I was turned down again. Because I work for a vendor.

 

My “commentary”…

Presumably, working for a vendor means that I can’t be objective. Which I personally think is %^&$*&!

Let’s take a look at some profiles of bloggers who have been picked up by these publications. I would like to take a closer look at two common blogger profiles: Value Added Resellers (VARs) and Independent Consultants.

I have noticed that if you work for a VAR, you can blog for major publications. Correct me if I am wrong – as a VAR, don’t you sell some vendor’s equipment, but not others? It would seem to me, in that position, it is possible to have nuances or conflicting agendas. At least working for a manufacturer, you know where my “official” loyalties are.

Another common profile for bloggers on these publications is that of an “independent” consultant. I would think a large portion of their livelihood depends on their ability to provide consulting services. If that’s the case, don’t you think they would blog about things that (at least indirectly) drive their own business? After all, their financial success is directly tied to the success of a single person - themselves. Working for a manufacturer (or any large organization) mitigates this factor because my financial situation is determined by the success of the group, and not by what I do or say to drive my own consulting business.

This isn’t intended as an attack on publications or their bloggers, just an honest discussion of how they can be objective, but somehow it is perceived that I can’t. What about my credentials?!?

Besides working for a vendor (for several months), I have also worked as a consultant and auditor (for many years). I hold over a dozen IT certifications, ALL of which are vendor-neutral. On my LinkedIn profile, I have the coveted “500+ connections”, many of whom are employed by my competition – Aruba, Meru, Motorola, etc. I started my blog to serve as a thought leader and I am a frequent speaker at industry events, professional organization meetings, and universities.

If you know someone at an IT publication that is willing to have me as a wireless networking and security blogger, have them contact me at douglas.haider@xirrus.com

Wait, I had better not use my corporate email address. That might signal I can’t be objective. 

Instead, have them contact me at douglashaider@hotmail.com

The Next Great Wireless LAN Vendor

February 18th, 2009 wifijedi

Yesterday was one of the few days that I bought a hard copy of the USA Today newspaper.  I get the Arizona Republic paper delivered to the house daily. I even get six copies of the Sunday paper  (don’t ask…)  I bought it because one headline on the cover page of the USA Today caught my attention.  It was “Who Might Rise From the Wreckage” with a subtitle of “It’s happened before – Cisco and MySpace emerged in tough times.  Tech can bloom again“.

The headline and subtitle brought up a good point. In the economic crash of the late 1980s, Cisco began its rise as one of the large tech companies. The article mentions Facebook and MySpace as companies who had a similar rise after the dot-com crash. Personally, I remember two *other* (more relevant to networking) companies who accomplished a similar jump in market share in the wake of the dot-com crash – Foundry Networks and Extreme Networks.

This economic downturn presents the same opportunity for tech companies to rise out of the aftermath stronger than when they entered.  Who are likely candidates this go-around?   I would suggest that the opportunity is particularly ripe for Wireless LAN vendors.

Why?  There are several reasons WLAN manufacturers have an opportunity to grab market share in this economy, especially compared to their wired counterparts.  Most reasons point back to the fact that organizations are now forced to do more with less.

During these times companies…

  • need to get more out of their employees – WLANs enable their employees to be connected everywhere in their enterprise all the time
  • will not want to invest in permanent infrastructure - WLANs can easily be moved from location to location vs. desktop switches / cabling
  • will want even tighter security because of dismissed employees and competitive pressures – WLANs allow for easy deployment of 802.1X port based authentication and can execute rapid adds and deletes

Which WLAN vendor is poised to take advantage of such a situation? Aerohive? Bluesocket? Meru? Ruckus? Xirrus? Let me know what you think in the comments section! Be sure to state specific reasons that you think one vendor will be able to gain more market share than another. Also, if you like this post, check out my blog for related info such as 50 Questions K-12 School Districts Should Ask WLAN Vendors.

- WiFi Jedi


Factors Determining Installed WLAN Quality

February 12th, 2009 wifijedi

I had an interesting phone discussion a couple days ago with Veriwave’s CTO, Tom Alexander, and VP of Marketing, Eran Karoly. We were talking about field tools for testing the quality of installed wireless LANs. At a high level, we all agreed that much of the field testing and verification for WLANs today has centered around data related to site surveys, such as signal strength, RF interference, and the coverage “footprint”.

There are many existing tools for testing wireless coverage, ranging from embedded supplicant software & Netstumbler to more complex commercial tools such as AirMagnet Site Surveyor or Motorola’s LANPlanner. Check out my blog for more information about site surveys, including the difference between active and passive site surveys. More sophisticated wireless engineers might also gather data regarding RF interference with a spectrum analyzer, such as the WiSpy DBx or AirMagnet Spectrum Analyzer.

However, our conversation highlighted the need to expand WLAN installation and verification tools beyond the focus on complete WiFi coverage with low interference.  How do wireless vendors and/or VARs ensure that an organization’s business and technical requirements have been met?   A focus on signal strength neglects other critical areas such as roaming, quality of service, and security.  Additionally, there is often no verification of the proper configuration of the *wired* network.

We discussed how many of the testing tools available today focus on the wireless infrastructure (the APs, arrays, WLAN controllers) and lacked visibility into the client side of the equation.  Most testing seems to concentrate on laptops – but what about wireless VOIP phones, hand-held scanners, printers, and RFID?

The three of us on the phone, as well as everyone I have discussed this with since, seem to understand the inherent value of a more robust way to validate WLAN installations. However, what are the costs? Personally, I don’t see a good cost model for a product of this nature. It seems that a system that tests both the infrastructure and clients across many functional boundaries would be extremely expensive, especially for a field testing unit (where vendors or VARs might need more than one kit as they are running multiple projects).

Many wireless LAN vendors can justify the capital expenditure of Veriwave’s existing test beds, because they are involved with testing new product lines, etc. However, many vendors seem to have a bare bones professional services group and turn over that work to VARs. I also can’t see many VARs purchasing uber-expensive field testing tools – many are too small to afford tools like the AirMagnet suite, let alone something more costly. If VARs do purchase, they will inevitably have to pass along the cost to their customers. Is this viable either? Why would a customer pay a higher cost to insure themselves against a WLAN that wasn’t properly field verified? Customers should be able to do this by properly scoping their projects and enforcing the terms of their contract.

What do you think?  Do you see the value of such a tool?  Do you see an appropriate cost model?  Sound off in the comments below!

- WiFi Jedi