Digital Choke Daynotes
"Daynotes" are daily (usually) journal entries of interesting happenings and discussions. They are not 'blogs', which are just a collection of links to other information (although we do include links occasionally). These Daynotes were inspired by the collection of daily journals of the "Daynotes Gang" (http://www.daynotes.com or http://www.daynotes.org), a collection of the daily technical and personal observations from the famous and others. That group started on September 29, 1999, and has grown to an interesting collection of individuals. Readers are invited and encouraged to visit those sites for other interesting daily journals.
If you have comments, send us an email. A bit more about me is here. You might also enjoy our little story about the death of the 'net.
Sunday at the "Digital Choke" house started out normally, and ended normally. Meetings at church in the morning, the regular meeting in the afternoon. Dinner with the family (Jared/Christine/Joelle/Liam, plus "Max-to-be"). Playing with the grandkids. Bath time with much splashing. A couple of stories under a blanket to help the grandkids wind down before they leave.
A bit of geek-potato during a movie that Pam wanted to see. A nice relaxing evening.
Tomorrow is a holiday, in honor of Presidents Lincoln and Washington. Sleeping in is the first order of the day, then a few minor chores. We might take in a movie tomorrow. But mostly relaxing stuff.
I'll worry about the security of the network later. For you new kids, take a look at our story. Comments are welcome on anything around here.
Today was one of those days that you want to stay inside, at least here in California. Yeah, other areas might be snowed in; you might have been caught in traffic jams due to the weather, or you might be shoveling out from under a lot of snow.
But, here in Northern California, the day was windy and a bit rainy. The temperature never got above 60 F, and the wind was blowing up to 25 miles per hour. And it was a holiday, so school was out and many parents also got the day off.
All of this -- the wind, the rain, the temperature, the holiday -- conspired to cause the major problem of the day.
A trip to the mall.
Yes, we braved the wind and the rain and the cold to find a parking spot close to an entrance. There were shoppers everywhere, mostly teenagers trolling the stores with their friends, most of them with a cell phone attached to their ear. There were families with children. We went to various stores to purchase needed items. And yes, we even ate at the Food Court, where we had to wait for an empty table.
Well, it actually wasn't that bad.
Pam and I started out the day just as we planned: by sleeping in. Then Pam fixed some French Toast, which we had while reading the morning paper. The weather was a bit blustery, and it was raining, although not very hard. We cleaned up the breakfast dishes, then relaxed around the house. I worked on the computer a bit, while Pam read. I didn't sleep well last night, so there was also some dozing involved.
Around lunch time, we decided we should get out a bit. Pam wanted to pick up some more towels at the local Penny's store, since they were having a sale on everything, with an additional 15% off if you use their store credit card (which we pay off each month). So we wandered over to the mall, which is about five minutes away. I managed to snag a parking space that wasn't too far from the entrance. And it wasn't raining that hard.
It was a bit crowded, and the Food Court was pretty full, but we did find a table. And the turkey and cranberry sandwich on wheat bread was quite good.
Pam got her towels, and I snagged a new wallet (half-price) and a white long-sleeve dress shirt (18 1/2" x 36", if you are curious, also on sale) and we got the extra 15% off. I also got to go to Sears, where I grabbed a small torpedo level for $8.00. Then it was off to the grocery store for a few supplies for the week.
We spent the rest of the day at home. I had to work on some Church meeting reports and some email, and checked up on a few of the systems at work. It was a fairly relaxing day.
Even with a trip to the mall.
Today started out interesting. While making the rounds of various security sites, I noticed the emergence of the "Bagel.B" virus. So, I checked our mail server, and found that we were blocking quite a few of that viral message with our "rule" that blocks any message with an executable attachment. This has protected us against other "zero-day" viruses -- those viruses that are not "known", and therefore are not blocked by an anti-virus program.
So our blocking of messages with executables is a good virus defense. You might think that any message with an executable should be blocked, perhaps at the ISP level. One of Jerry Pournelle's readers posted the same thought in his letters area for today (it's towards the end of the Tuesday letters). So I sent off this reply:
Steve Setzer (in your Tuesday post) was wondering about ISPs filtering email attachments, blocking any type of executable. Although that can be done, let me tell you (and your readers) about my experiences with email filtering and executable blocking.
I am the security dude for a large local government agency. Our average daily mail load is about 45-50K messages per day (about 30-35% is spam, but that's another subject). We use the SurfControl email filter product (www.surfcontrol.com) to filter our mail.
Our defense against viruses is two-stage: all messages are scanned for known viruses (using the Network Associates/McAfee virus definitions). We also block any message with any type of executable attachment.
The advantage of this two-stage approach has been proven with the MyDoom virus outbreak (and today's "Bagel.B" virus). We started getting Bagel virus messages about 4am this morning (Tuesday). McAfee didn't update the virus dat files until about 9am this morning. By 10am (about) our mail filter got the virus dat file updates (it checks about once an hour). If we didn't have the executable blocking in place, a couple hundred viral messages would have made it inside. And, even with all the warnings we give to users, someone would have opened the attachment.
So, our two-stage virus checking is very important to our virus protection. But it does cause some problems.
It is common to get valid executables by mail. Patches for custom applications are one example. "Hiding" them inside a ZIP file won't work, since our filtering software (and most others) can look inside a ZIP for executables. (Many viruses like to hide inside ZIP files.) So, to make allowances for those situations, messages with executables are placed in a holding area. They are inspected manually (usually when a user complains about a missing message), and released if they are valid files. This process works pretty well.
If the ISP is blocking executables (even SCR or PIF files), we would have no way to get valid executables from our vendors and consultants. Although it seems like a good idea, it would put a crimp in a lot of business use of email.
A better solution for virus protection would be if all ISPs implemented a virus scanning process for their email. This would be a major expense just for the hardware (we have two pretty powerful Compaq servers running our email filtering), not to mention the software licensing and technical support. Even a single-phase protection (against known viruses) would be helpful in controlling the spread of viruses. It wouldn't protect against the "zero-day" problem, such as happened today with Bagel.B before the virus dats were released.
But anti-virus scanning at the ISP level would be a good start.
So my recommendation for anti-virus is to ensure that you have a two-stage defense: use a good anti-virus program (and keep it current -- I check for updates hourly at work, but daily is usually OK), and block (and hold) any message that has an executable. Make sure that your anti-virus program is checking all email. If you use Outlook, you can move any message with an attachment into a separate folder, although it can't block based on the type of executable. There may be an add-in that will do that; if you know of one, use the mailbox icon to let me know.
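The second stage described above (hold any message carrying an executable, including one inside a ZIP), as an added example that is not from the original page or from the SurfControl product. The extension list beyond SCR and PIF, the nesting limit, and the names `is_blocked`, `scan_zip`, `verdict` and `sample` are assumptions made for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed list: the page names only "executables", SCR and PIF files.
BLOCKED_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs")
MAX_DEPTH = 2  # assumed limit on ZIP-inside-ZIP nesting

def is_blocked(name):
    # Windows ignores trailing dots and spaces, so strip them before matching.
    return name.lower().rstrip(". ").endswith(BLOCKED_EXT)

def scan_zip(data, depth=0):
    """Return a hold reason for this archive, or None if nothing matched."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "unreadable zip"
    for info in zf.infolist():
        if is_blocked(info.filename):
            return "executable in zip: " + info.filename
        if info.filename.lower().endswith(".zip"):
            if info.flag_bits & 0x1 or depth >= MAX_DEPTH:
                return "uninspectable nested zip: " + info.filename
            if reason := scan_zip(zf.read(info), depth + 1):
                return reason
    return None

def verdict(raw_message):
    """Second stage of the filter: ('hold', reason) or ('deliver', None)."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        if is_blocked(name):
            return ("hold", "executable attachment: " + name)
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(".zip") or data[:4] == b"PK\x03\x04":
            if reason := scan_zip(data):
                return ("hold", reason)
    return ("deliver", None)

def sample(filename, data):
    """Constructed test message with one attachment (not real traffic)."""
    m = EmailMessage()
    m.set_content("see attachment")
    m.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

A "hold" verdict corresponds to the holding area in the letter: the message is kept for manual inspection and release rather than deleted.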
On another subject, you probably know about the Windows code that was released to the network last week. The first exploit based on somebody looking at the source code is making the rounds. The exploit was for Internet Explorer 5.0, though, and Microsoft had already released a patch for that problem. Another reason to keep things up to date.
I was reading over at Wired News about the "Grand Challenge". This is a 200 mile race over the desert, and the racers are unmanned vehicles. The vehicle makes all the decisions about the path to take for the race. The only outside information that the vehicle can receive on race day is GPS readings. The race course is a secret, and there are checkpoints that the vehicle must pass through during the race. It's an interesting race, and is attracting some high-powered entrants, along with some backyard amateurs. The prize is $1 million to the first finishers of the race.
One of the entrants is from Carnegie Mellon University. They have outfitted a Hummer (called "Sandstorm") with all sorts of gadgets: stereo cameras, computers, laser range-finder, 180 degree radar, and more. This is quite interesting. Here's the Wired news story, and here's the Sandstorm site. The Sandstorm site has videos of their Hummer. Here's the "Grand Challenge" site. On that site, the "Teams" link will get you to a list of all the participants and their web pages. Be prepared to spend a lot of time wandering around those sites. (As usual, all links will open new windows.)
Lots of activity on the virus front. The "NetSky" virus (the "B" version) started spreading quite rapidly. McAfee came out with an update this morning, then another update this afternoon. At work, our blocking of messages with executable files protected us from the virus getting through until McAfee released the updates. With the number of viral messages we were getting, allowing them to get through into users' mailboxes would have resulted in a user releasing the virus. This 'zero day' blocking is an important part of our viral defense at work.
I was wandering around the 'net last night (what a surprise). It seems that a possible relative of mine, Parley Hellewell, is running for the Governor of Utah. Not sure exactly how he is related, but with a last name like mine, there has to be a relation somewhere. I did some quick genealogy research last night, and couldn't find a relative of his that was also a relative of mine. So I sent out an alert to the family; perhaps one of them will find a link.
I did some more planning on the latest security project. It looks like it will get funded, which is good, because it will help with the protection of our network. I also did some scanning of the computers in one department. I found lots of unneeded services running on several systems there. I probably should run the same scan on our department. I suspect that I'll find some problems there also.
Pam and I went to the gym tonight -- that's two nights in a row. We went about an hour after dinner, so it wasn't too crowded. I did the treadmill thing for about 30 minutes, then I spent a short time on a couple of weight machines. Not too much work, since I am in a shape other than good. ("Round is a shape"). But I have lost a few pounds in the past couple of months. At least that's going in the right direction.
Entire Site Contents Copyright (c) 2000-2004 Two Bridges Group, All Rights Reserved