Q: Network Monitoring

Dear Expert,

I am a Network Engineer at the University of Anonymous. I’m not sure if this is an irrelevant question, but here it is anyway.

I want to have a Network Monitoring Software with the following characteristics

1 - I want to be able to monitor all the active workstations in each of the Labs.
2 - I want to have a list of trusted MAC addresses. I need this because I want to block any non-trusted device from accessing network resources. Exceptions might be given when the device is verified to be secure.
3 - I want to be able to detect any suspicious activities (pinging, high traffic) and block the associated IP address.

So please, tell me if there is any software or combination of software that enables me to do what I want.

I hope I will hear from you soon

Yours

M.M.

Our readers were very helpful to the person who wrote the previous post; in fact, their combined answer was far better than anything we could have provided. I believe our readers have the answer in this case as well.

So I am going to let our readers answer this interesting question. Readers - what do you say?
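As an added illustration of the second and third requirements in the letter (this is example code written for this page, not a tool the reader or the blog recommends), the script below reads constructed ARP, ICMP and flow log lines in a simple key=value format of my own, flags devices whose MAC is not on a trusted list, flags sources that exceed an echo-request rate over a sliding window, and flags sources whose byte totals exceed a threshold. The log format, thresholds and addresses are all assumptions for the example. One caveat worth keeping in mind when acting on requirement 2: a MAC address is set by the host and is trivially changed, so an allow-list is a weak identity check and should be one layer among others, not the only gate.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed trusted MAC allow-list for the example (compare case-insensitively).
TRUSTED_MACS = {"00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5f"}

# "<timestamp> <kind> key=value ..." is an assumed format, not any real tool's output.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>\w+)\s+(?P<rest>.*)$")


def build_sample_log():
    """Constructed sample: two trusted hosts, one unknown host that ping-floods,
    and one trusted host that moves a lot of data."""
    lines = [
        "2024-05-01T10:00:00 arp ip=10.0.1.15 mac=00:1a:2b:3c:4d:5e",
        "2024-05-01T10:00:01 arp ip=10.0.1.16 mac=00:1A:2B:3C:4D:5F",
        "2024-05-01T10:00:02 arp ip=10.0.1.99 mac=de:ad:be:ef:00:01",
        "2024-05-01T10:00:05 icmp src=10.0.1.15 dst=10.0.1.1 type=echo-request",
        "2024-05-01T10:00:06 flow src=10.0.1.15 dst=10.0.1.1 bytes=1200",
        "2024-05-01T10:00:07 flow src=10.0.1.16 dst=10.0.1.1 bytes=6000000",
        "2024-05-01T10:00:08 flow src=10.0.1.16 dst=10.0.1.1 bytes=6000000",
    ]
    # 12 echo requests in 12 seconds from the unknown host.
    for sec in range(3, 15):
        lines.append(f"2024-05-01T10:00:{sec:02d} icmp src=10.0.1.99 dst=10.0.1.1 type=echo-request")
    return "\n".join(lines)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    return {"ts": datetime.fromisoformat(m.group("ts")), "kind": m.group("kind"), **fields}


def parse_log(text):
    """Parse all lines and sort by timestamp so sliding windows see events in order."""
    events = [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]
    return sorted(events, key=lambda e: e["ts"])


def untrusted_devices(events, trusted):
    """Map IP -> MAC for every ARP observation whose MAC is not on the allow-list."""
    return {ev["ip"]: ev["mac"].lower()
            for ev in events
            if ev["kind"] == "arp" and ev["mac"].lower() not in trusted}


def ping_flood_sources(events, threshold, window_seconds):
    """Sources that send more than `threshold` echo requests within any
    `window_seconds`-wide sliding window."""
    flagged, windows = set(), defaultdict(deque)
    for ev in events:
        if ev["kind"] != "icmp" or ev.get("type") != "echo-request":
            continue
        q = windows[ev["src"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()          # drop timestamps that fell out of the window
        if len(q) > threshold:
            flagged.add(ev["src"])
    return flagged


def high_traffic_sources(events, byte_threshold):
    """Sources whose summed flow bytes exceed `byte_threshold`."""
    totals = defaultdict(int)
    for ev in events:
        if ev["kind"] == "flow":
            totals[ev["src"]] += int(ev["bytes"])
    return {ip for ip, total in totals.items() if total > byte_threshold}


def block_candidates(events, trusted, ping_threshold=10, window_seconds=10, byte_threshold=8_000_000):
    """Combine the three checks into IP -> sorted list of reasons, ready for review
    before any block is applied (a trusted host can still trip the traffic rules)."""
    reasons = defaultdict(set)
    for ip in untrusted_devices(events, trusted):
        reasons[ip].add("untrusted-mac")
    for ip in ping_flood_sources(events, ping_threshold, window_seconds):
        reasons[ip].add("ping-flood")
    for ip in high_traffic_sources(events, byte_threshold):
        reasons[ip].add("high-traffic")
    return {ip: sorted(r) for ip, r in reasons.items()}


if __name__ == "__main__":
    for ip, why in block_candidates(parse_log(build_sample_log()), TRUSTED_MACS).items():
        print(ip, ", ".join(why))
```

The output is a list of candidates with reasons rather than an automatic block, because the thresholds here are illustrative and a lab monitoring host or a backup job will look like "high traffic" unless the baseline is tuned per network.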


IPv6 and location based tracking

I remember hearing a lecture circa 1995-6 about IPv6 and how the Internet world will come to an end if we don’t adopt it soon. The crisis was a dwindling allocation of IPs (the early Internet version of a carbon footprint). The fear was that “In 10 years, every man on the planet will have between 10 and 20 IP addresses on him”. But when I heard that, I didn’t really think about the poor IP forests that are taken down every year to accommodate the greedy globalization economy, I thought of privacy.

The end of that discussion is now clear: shortly after I heard the lecture Network Address Translation (NAT) became popular, and IP allocation was no longer a problem. Not only that, but IPv6 went from a “must have” to “we’ll get around to it some day” and is still in the process of being rolled out (slowly) to this day. But the privacy issue still remains.

If every person has an IP (or more than one IP, although that seems less likely nowadays) then we know everything about him. Unlike the virtual world, where we no longer can connect a person with an IP address without correlating half a dozen logs, in the physical world an IP will likely be more like a phone number – something unique and personal.

I thought about this when I read about a Nokia experiment where people transmitted their location to a Nokia center to enable traffic monitoring. Nokia says data is sent anonymously, and I believe them; but even if not, every Nokia device has a private (NAT’ed) address changed almost randomly by DHCP. So tracking again requires long and tedious log correlation and privacy is difficult to compromise.

What, then, will happen with IPv6? If DHCP and NAT increase privacy, is IPv6 a threat? Not an imminent threat, of course, but it is definitely ‘creeping’ in, and some day if there are enough addresses and NAT is not necessary, perhaps every BlackBerry in the world will have a unique IP address that will be with it forever. That’s a scary thought – if you comment in this blog post using your real name, I can take this information with me and give it to a friend of mine that works in Nokia who will tell me where you are right now. Think about the scene in “Jay and Silent Bob” where they go and beat up the people who posted bad comments about their movie; it suddenly becomes a whole lot easier to do…
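The concrete mechanism behind the "unique address that will be with it forever" worry is stateless address autoconfiguration with a modified EUI-64 interface identifier: the lower 64 bits of the address are derived from the interface's MAC address, so the same device shows the same identifier on every network it joins. The example below is added for this page (not code from the post) and shows the derivation and, from the defender's side, how to spot an address that leaks a hardware identity versus one generated with privacy extensions (RFC 4941 temporary addresses). The MAC and prefixes are constructed values.

```python
import ipaddress


def mac_to_eui64_iid(mac):
    """Modified EUI-64 interface identifier (RFC 4291): insert ff:fe in the middle
    of the 48-bit MAC and flip the universal/local bit of the first byte."""
    b = bytearray(int(x, 16) for x in mac.split(":"))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC like 00:11:22:33:44:55")
    b[0] ^= 0x02
    return bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])


def slaac_address(prefix, mac):
    """The address a host would autoconfigure on a /64 prefix using EUI-64."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    iid = int.from_bytes(mac_to_eui64_iid(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) + iid))


def mac_from_eui64_address(addr):
    """Recover the MAC from an EUI-64 address, or None if the interface identifier
    does not carry the ff:fe marker (e.g. a privacy-extension address)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    b = bytearray(iid[:3] + iid[5:])
    b[0] ^= 0x02
    return ":".join(f"{x:02x}" for x in b)


def same_interface(addr_a, addr_b):
    """True when two addresses, possibly on different prefixes, embed the same MAC."""
    mac_a, mac_b = mac_from_eui64_address(addr_a), mac_from_eui64_address(addr_b)
    return mac_a is not None and mac_a == mac_b


def leaks_hardware_identity(addr):
    """Audit helper: flag addresses that should be replaced by privacy addresses."""
    return mac_from_eui64_address(addr) is not None


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"          # constructed MAC
    home = slaac_address("2001:db8:1::/64", mac)
    cafe = slaac_address("2001:db8:cafe::/64", mac)
    print(home, cafe, same_interface(home, cafe))
    print(leaks_hardware_identity("2001:db8:1:0:8a2e:370:7334:1f2b"))  # random IID
```

The audit check is the useful part for an operator: if the addresses your hosts present on the wire pass `leaks_hardware_identity`, privacy extensions are not in effect and every network the device visits can correlate it by interface identifier, which is exactly the scenario the post describes.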


Q: Restricted user rights and vulnerabilities

Dear Expert,

I know that a restricted user is less vulnerable to most exploits, but is knowing that your users have restricted access enough of a reason NOT to patch? I am advocating that my IT support team update/patch the following software for our end users: QuickTime, Java, Adobe Reader and Acrobat. Currently all of our installed versions have multiple known vulnerabilities. I am being told patching is unnecessary because 95% of our users have restricted user rights and therefore cannot be exploited.

Will you please clarify? I understand how restricted user rights increase security, but is that enough of a layer to justify not patching? When I inquired about scanning thumb drives, this same answer was given: “It is not necessary because the users have restricted rights.” Many of our users have access to confidential and sensitive data and I remain concerned. I really appreciate any assistance that you can provide on this issue. Thank you for your help.

Regards,
L.P.
Anonymous University

A: I am going to let our readers answer this interesting question. Readers - what do you say?


Password: Impossible

My bank forced me to change the login password again; they claim it’s an automated procedure that happens every 90 days, but I know that it actually waits for me to remember the password and then immediately forces me to change it.

When I went in to change it, I was reminded of the draconian rules: it has to be at least 6 characters, with at least 2 numbers and at least 2 uppercase and 2 lowercase. These guys went to the security by obstruction school, no doubt.

I decided to fight back. As I finally got around to remembering this awkward, strange password I had to pick 90 days ago, I decided I’m staying with it. So I changed it to something else, which I had to write on a piece of paper for fear of forgetting within 30 seconds (if you saw Memento, that movie is about me. And I try to always order beers in bottles since seeing it), and I then went to the ‘change password’ section to change it back to my awkward-but-conditioned-to-memory password.

Naturally, the bank was trying to set me straight. “You can’t change back to any of your last 5 passwords” it told me with a grinning smile, giving me the solution right there. As you can undoubtedly guess, I returned the favor by changing the password 5 times to different things and then changed it back to my old one. I win. Next round in 3 months.

People will always outsmart security systems that try to force them into making the ‘right’ decision. What I’ve done today (and I’m quite proud of it, thank you) is being done every day by people who use their CD-ROMs as coffee trays and have never used any program that didn’t automatically run when double clicking an icon.

But here’s what is really bothering me: What exactly is the attack scenario here? I would like to see the statistics that show how many attackers actually manage to capture a username and password and only fail because they try to use it after 90 days. While these huge numbers are crunched, please put on the Y-axis how many attackers found the password on a post-it stuck to the monitor because the password is so complicated to remember.

Or maybe so many attackers brute force the password, obviously hundreds of millions of times every day for a single account, since there is a clear and immediate need for a long and complicated password (BTW, if this attack is possible, someone should tell me how to do it. I’ve been locked out a few times for failing to type the password correctly within a few guesses. I need a few guesses because I didn’t remember which was the current password, which, as you remember, changes every 90 days).

Being the cynic that I am, and having read enough security policy documents, I can guess why the password policy is the way it is: it’s easy to explain and justify, and it makes sense when shown in a PowerPoint slideshow. I once heard from a high-profile organization that due to a successful break-in to their network they decided to tighten up security: all passwords now had to be 9 characters instead of 8. I’m guessing someone was promoted for this genius action, and there’s still enough room to increase it further when the next break-in comes (now that’s thinking ahead).

How is a complex password policy bad? Let me count the ways: It makes your user your enemy instead of your ally. It distracts the security people from the real threat. It gives a false sense of security. It encourages your users to find flaws in your security system and use them. What else? I had more, but somebody just came in the door and I forgot.


How much does it cost to break into SmugMug.com?

Ophir put together a nice analysis on how much it would cost to break the security system of SmugMug.com, in response to a bounty that is advertised on their web site.

I think he’s being generous. The really bad guys (people who make money from cybercrime) have access to countless “free” machines; the crackers can easily break into a few boxes to use them for the attack Ophir describes. But mainly he’s being generous because he is giving them free security consulting, which is what they really need. Hey, SmugMug guys: a security contest is not a cheap replacement for an actual security audit (or consulting with an expert), just like bug bounties are not replacements for QA.

And only god knows why in 2007 the notion of my-url-is-so-long-nobody-will-guess-it is still alive. What do they teach in CS anyway?


Vulnerability Scanner