<p><strong>Uncommon Sense Security</strong>, by Jack Daniel (http://www.blogger.com/profile/01726214044058904036). Feed generated 2008-07-01.</p>

<p><strong>You don't really think the floor mats were free, do you?</strong> (2008-07-01)</p>
<p>Have you ever purchased a car and during the negotiations the salesman offered to throw in free floor mats (or some other accessory) to "sweeten the deal"? <img src="http://images.autoanything.com/images/products/med/floor_mats/premium_plush_floor_mats.jpg" /> </p>
<p>News flash #1: If you drop tens of thousands of dollars on this sled, those floor mats are *not* free.</p>
<p>News flash #2: The "free" floor mats may not be the best ones for your needs.</p>
<p>The same applies to "free" features in your IT infrastructure, for example:</p>
<ul> <li>Built-in VPN clients and protocols are frequently not very robust or secure. <ul> <li>PPtP, anyone?</li> </ul> </li> <li>Built-in remote access mechanisms are also often not very robust or secure. <ul> <li>MS RDP?</li> </ul> </li> <li>Manufacturer- or vendor-specific tools don't always "play nice" in mixed environments.</li> <li>Free- if you have enough licenses and excess server capacity. <ul> <li>Like WSUS- Windows Software Update Services <ul> <li>Only runs on Windows Server OSes</li> <li>Only checks Microsoft products</li> </ul> </li> </ul> </li> </ul>
<p>Don't get me wrong, I like free stuff. And some things included in packages/suites make sense, work well together, and are the best choice (says the UTM engineer).</p>
<p>I just don't believe that free is always the best, or even cheapest, way to go. 
Sometimes, free is too much to pay.</p>
<p>By the way, Microsoft isn't the only company that does such things, they are just an easy target.</p>
<p>Jack</p>

<p><strong>XSS: it's a feature, not a bug?</strong> (2008-06-27)</p>
<p><a href="http://www.matasano.com/log/" target="_blank">Thomas H. Ptacek</a> <a href="http://twitter.com/tqbf/statuses/844509557" target="_blank">pointed out</a> <a href="http://forum.37signals.com/basecamp/forums/5/topics/3155" target="_blank">this thread</a> over at 37signals, begging the question "which of the 37 signals is the one for FAIL?".</p>
<p>Leaving your products open to abuse and exposing your users to attack is not being a good net citizen. I am not one of those people who detest the Web 2.0 world- I actively embrace it, I just think fundamental security awareness and responsiveness need to be a part of the system. 
And maybe have some concern and respect for your customers.</p>
<p>These posts at the Matasano blog dig deeper into the underlying issues:</p>
<p><a href="http://www.matasano.com/log/1078/how-to-hidehhhandle-security-problems-in-your-products/">http://www.matasano.com/log/1078/how-to-hidehhhandle-security-problems-in-your-products/</a></p>
<p><a href="http://www.matasano.com/log/1067/web-20-redux/">http://www.matasano.com/log/1067/web-20-redux/</a></p>
<p>Jack</p>

<p><strong>A little comic relief</strong> (2008-06-25)</p>
<p>Annoyed by <a href="http://popsicklestrip.blogspot.com/2008/06/password-validation.html" target="_blank">overzealous password validation</a> or <a href="http://dilbert.com/strips/comic/2008-06-20/" target="_blank">employee monitoring</a> systems?</p>
<p>Maybe you need some sound effects to lighten the mood in the cubicle:<br /><a href="http://www.instantrimshot.com/" target="_blank">http://www.instantrimshot.com/</a><br /><a href="http://instantcrickets.com/" target="_blank">http://instantcrickets.com/</a><br /><a href="http://www.sadtrombone.com/" target="_blank">http://www.sadtrombone.com/</a></p>
<p>Jack</p>

<p><strong>New Fortinet Patents</strong> (2008-06-23)</p>
<p>Chris Hoff has an interesting post on several new patents Fortinet has been granted. 
The original article is at <a href="http://vmblog.com/archive/2008/06/20/fortinet-granted-new-patents-for-virtualization-and-multi-threat-security.aspx" target="_blank">vmblog.com</a>, but Hoff's "<a href="http://rationalsecurity.typepad.com/blog/2008/06/new-fortinet-pa.html">New Fortinet Patents May Spell Nasty Trouble For UTM Vendors, Virtualization Vendors, App. Deliver Vendors, Routing/Switching Vendors...</a>" adds some insight to the topic.</p>
<p>These patents cover things like:</p>
<blockquote> <p><em>Systems and Methods for Passing Network Traffic Data</em></p> <p><em>System and Method for Controlling Routing in a Virtual Router System</em></p> <p><em>Distributed Virtual System to Support Managed, Network-based Services</em></p> </blockquote>
<p>I think much of this is probably covered by prior art or obvious technology exemptions, but the US Patent Office is not noted for doing a great job lately, especially in the IP and software patent arena. Maybe they feel bad for IP and patent attorneys and feel that bogus patents destined for litigation will help the starving lawyers find their next meal- or maybe this stuff can be tricky and they just can't handle it (I prefer the snarky answer, facts be damned).</p>
<p>I have a hunch some of the big guys may have something to say about patents which appear to encroach on their territory- Microsoft, EMC/VMware, and Cisco, to name a few that I would hate to challenge to a patent fight.</p>
<p>Oh, yeah, the disclosure bit again: I work for Astaro, one of Fortinet's competitors- but you knew that.</p>
<p>Jack</p>

<p><strong>Welcome, we're glad you could join us.</strong> (2008-06-23)</p>
<p>Welcome, we're glad you could join us. 
Thanks for coming, let us know if you have any questions.</p>
<p>This is the way we should greet people joining us in almost any activity, but sadly it is not the greeting many get from some in the security community. If you don't have the same scrap of paper on the wall that they do, or don't have the same level or area of expertise, or dare to challenge their sacred truths, you don't belong with them- at least according to some "security professionals". That attitude is stupid, egotistical and counterproductive. In case you hadn't noticed, the other team found out that there is money to be made in attacking our systems and we need all the help we can get.</p>
<p>I am not saying every group or gathering is the ideal venue for everyone, but that usually becomes obvious quickly and doesn't need to be pointed out to new folks- let them decide what is right for themselves. Nor am I suggesting that groups can't have prerequisites or expect some level of expertise, but that should be clear up front and the requirements should be logical. 
(For example, <a href="http://www.infragard.net/" target="_blank">InfraGard</a>'s background checks make sense, the private CISSP forum should be able to limit membership to CISSPs, etc.)</p>
<p>What should not happen is for someone to show up for a publicly advertised meeting or event and be ignored or dismissed for being curious enough to show up and see what is happening.</p>
<p>Rather than name the offenders, I will say that the groups and events I frequently discuss appeal to me in part because of their openness- <a href="http://naisg.org/" target="_blank">NAISG</a>, <a href="http://rationalsecurity.typepad.com/blog/beansec/index.html" target="_blank">BeanSec!</a>, <a href="http://www.snenug.org/" target="_blank">SNENUG</a>, <a href="http://www.sourceboston.com/" target="_blank">SOURCE Boston</a>, and <a href="http://www.shmoocon.org/" target="_blank">Shmoocon</a> to name a few.</p>
<p>By the way, if I ever forget this myself, please call me on it.</p>
<p>Jack</p>

<p><strong>Telecommuting taken too far</strong> (2008-06-22)</p>
<p><a href="http://www.savagechickens.com/images/chickendeathhome.jpg" target="_blank"><img src="http://www.savagechickens.com/images/chickendeathhome.jpg" /></a></p>
<p><a href="http://www.savagechickens.com/" target="_blank">Savage Chickens</a>, indeed.</p>
<p>Jack</p>

<p><strong>Backscatter (or bounce) Spam, didn't we already solve this?</strong> (2008-06-19)</p>
<p>Today I heard yet another email administrator complaining about waves of <a href="http://en.wikipedia.org/wiki/Backscatter_%28e-mail%29" target="_blank">backscatter spam</a> frustrating him and his users- 
and his complaint was that users were complaining about it instead of just deleting it.</p>
<p>I have two problems with the situation-</p>
<p>First, as IT personnel, it is our job to deliver results so the business or organization can do its job. Complaining about users complaining about something which annoys and distracts them (and is potentially malicious) is a sign of forgetting why IT exists.</p>
<p>Second, this is yet another issue which was largely solved years ago, and yet still exists. Those users are complaining about something annoying, distracting, potentially malicious <strong><em>and preventable.</em></strong></p>
<p>A little background for those unfamiliar with backscatter:</p>
<p>Suppose "Bob" (it is always Bob, isn't it?) wants to spam Dave and improve his chances of successfully getting his message delivered- if he could make his message both appear legitimate and appear to be coming from a known, trusted mail server, Bob would have a good chance at getting the spam delivered. If Bob sends his spam message to an invalid email address at a known and reliable email domain and spoofs the sender address to be Dave's email address:</p>
<ul> <li>the message is sent to the legitimate mail server</li> <li>the email is rejected by the mail server</li> <li>a bounce message is sent to the address in the "sender" field</li> <li>Dave gets the email, which appears valid because <ul> <li>it is a real bounce message</li> <li>it is coming from a valid mail server</li> </ul> </li> </ul>
<p>How to stop it? The first mail server can reject, without generating a bounce message, mail that fails <a href="http://en.wikipedia.org/wiki/Sender_Policy_Framework" target="_blank">SPF</a>, <a href="http://en.wikipedia.org/wiki/Reverse_DNS" target="_blank">reverse DNS</a>, and <a href="http://en.wikipedia.org/wiki/DNSBL" target="_blank">blacklist checks</a>. 
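</p>
<p>The tag-and-check cycle that the rest of this post describes, as an added example (mine, not code from the post or from any of the BATV implementations it links): the outbound gateway rewrites the envelope sender (the SMTP MAIL FROM, not the From: header the user sees) with a PRVS-style tag carrying an expiry day and a keyed hash, and the inbound gateway accepts a null-sender bounce only when the recipient address carries a tag it issued that is still valid, so Bob's forged-sender bounces to Dave are dropped without generating yet another bounce. The PRVS layout follows the BATV draft; HMAC-SHA256 as the hash, the key, the day counter and the addresses are my constructed assumptions.</p>

```python
import hashlib
import hmac
import re

# Tag layout follows the PRVS ("private signature") scheme from the BATV draft:
#     prvs=KDDDSSSSSS=localpart@domain
# K = one-digit key version, DDD = expiry day (days since the Unix epoch, mod 1000),
# SSSSSS = six hex digits of a keyed hash over K, DDD and the original address.
# Assumption (mine, not the draft's): the keyed hash is HMAC-SHA256.
PRVS_RE = re.compile(r"^prvs=(?P<k>\d)(?P<ddd>\d{3})(?P<sig>[0-9a-f]{6})=(?P<orig>.+)$")
TAG_DAYS = 7  # legitimate bounces arrive within hours; a week is generous


def _sign(key: bytes, key_version: int, ddd: int, orig: str) -> str:
    msg = f"{key_version}{ddd:03d}{orig.lower()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:6]


def tag_sender(orig: str, key: bytes, today: int, key_version: int = 0) -> str:
    """Outbound side: rewrite the envelope sender (MAIL FROM) with a PRVS tag.

    Only the envelope address changes; the From: header the user sees is untouched.
    """
    ddd = (today + TAG_DAYS) % 1000
    return f"prvs={key_version}{ddd:03d}{_sign(key, key_version, ddd, orig)}={orig}"


def untag(addr: str) -> str:
    """Strip a PRVS tag (valid or not) so the address resolves to a real mailbox."""
    m = PRVS_RE.match(addr)
    return m.group("orig") if m else addr


def validate_tag(addr: str, keys: dict, today: int) -> tuple:
    """Inbound side: return (valid, original_address).

    valid is False when the tag is missing, names an unknown key version,
    carries a signature that does not verify, or has expired.
    """
    m = PRVS_RE.match(addr)
    if not m:
        return False, addr
    k, ddd, orig = int(m.group("k")), int(m.group("ddd")), m.group("orig")
    key = keys.get(k)
    if key is None:
        return False, orig
    if not hmac.compare_digest(m.group("sig"), _sign(key, k, ddd, orig)):
        return False, orig
    # DDD is modulo 1000, so compare modulo 1000 as well: a tag is live while
    # its expiry day lies between today and today + TAG_DAYS.
    if (ddd - today) % 1000 > TAG_DAYS:
        return False, orig
    return True, orig


def inbound_decision(mail_from: str, rcpt_to: str, keys: dict, today: int) -> tuple:
    """Gateway policy for one inbound envelope: returns (action, mailbox).

    A bounce (DSN) is recognised by its null envelope sender. It is delivered only if
    our recipient address carries a tag we issued that is still valid; otherwise it is
    backscatter and is dropped silently, so no further bounce is generated.
    Ordinary mail (non-null sender) is always delivered, with any tag stripped.
    """
    if mail_from in ("", "<>"):
        ok, orig = validate_tag(rcpt_to, keys, today)
        return ("deliver" if ok else "drop", orig)
    return "deliver", untag(rcpt_to)


# Constructed demo data: a gateway key, a day counter (roughly 2008) and the Bob/Dave story.
KEYS = {0: b"constructed-demo-key-rotate-me"}
TODAY = 14000  # days since the epoch, chosen for the demo

if __name__ == "__main__":
    dave = "dave@example.com"
    tagged = tag_sender(dave, KEYS[0], TODAY)
    print("outbound MAIL FROM:", tagged)
    # Real bounce for a message Dave sent two days ago: delivered.
    print(inbound_decision("", tagged, KEYS, TODAY + 2))
    # Backscatter: Bob forged Dave's plain address, so the bounce carries no tag.
    print(inbound_decision("", dave, KEYS, TODAY + 2))
    # A replayed tag that has passed its expiry day is rejected.
    print(inbound_decision("", tagged, KEYS, TODAY + 20))
    # A tag produced with the wrong key fails the signature check.
    wrong_key = tag_sender(dave, b"not-the-gateway-key", TODAY + 2)
    print(inbound_decision("", wrong_key, KEYS, TODAY + 2))
    # A human reply to the tagged address is not a bounce: delivered, tag stripped.
    print(inbound_decision("bob@other.example", tagged, KEYS, TODAY + 2))
```

<p>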
And the real answer- the receiving mail server (or mail gateway) can implement <a href="http://en.wikipedia.org/wiki/Bounce_Address_Tag_Validation" target="_blank">Bounce Address Tag Validation (BATV)</a>. Mail servers and gateways which have implemented BATV "tag" all outbound email with a timestamp and token identifying the message as coming from that server. When bounce messages are received, they are checked for the appropriate tag; if there is no tag, the message is dropped.</p>
<p>BATV works very well and rarely causes problems when exchanging email with properly configured, RFC-compliant mail servers. Problem solved (at least mostly solved).</p>
<p>Full disclosure: my employer's products implement BATV. But many Open Source and some competing commercial systems also implement BATV- <a href="http://mipassoc.org/batv/deploy/index.html" target="_blank">click here</a> for a list.</p>
<p>So now can we focus on solving problems not already solved?</p>
<p>Jack</p>

<p><strong>Lessons Learned, and those to thank (or blame)</strong> (2008-06-16)</p>
<p>Many things have changed for me in the past couple of years, much of it because of lessons I have learned from others. Below are a few folks I have learned from and want to thank for their enlightenment. Note that I won't mention what I learned from each, or even when (a few lessons may not have been intentional) because that doesn't really matter, I just want to say "Thank You" to them. In no particular order:</p>
<blockquote> <p><a href="http://www.chrisbrogan.com/" target="_blank">Chris Brogan</a>- people will tell you that Chris is intelligent, articulate, friendly, helpful, insightful, sharing, and on and on. 
All the gushing over this guy might be a bit much- if it weren't all true.</p> <p><a href="http://mediaphyter.wordpress.com/" target="_blank">Jennifer Leggio</a>, aka Mediaphyter- I've only known Jennifer for about six months, and watching her work is amazing. Her ability to "connect the dots" on a dizzying array of levels is amazing and eye-opening.</p> <p>Critt Jarvis- I have never "clicked" with someone at work the way I did while working with Critt. We often handed each other pieces of a puzzle before the other knew they needed it. Amazing, actually. Thanks, and get out of my head.</p> <p><a href="http://www.mckeay.net/" target="_blank">Martin McKeay</a>- Content, Community, Identity. I could say a lot more about Martin, but I'll leave it at: he creates content and builds community, and he's Martin. Which is pretty cool.</p> <p><a href="http://rationalsecurity.typepad.com/" target="_blank">Chris Hoff</a>- Is really smart. "Stop it now, Hoff, my head's gonna explode" kind of smart. You can't help but learn from him, and he's a great guy to be around- but I can't imagine trying to keep up with him for any length of time.</p> </blockquote> <p>The list is far from comprehensive, there are certainly others I have learned from and should thank- and many more I should have learned from, but didn't.</p> <p>Maybe you can learn something from these folks, too. Or you can find your own people to learn from. 
Maybe you could even learn from my mistakes, there's plenty of material there.</p>
<p>Jack</p>

<p><strong>NAISG expansion, and a question answered</strong> (2008-06-14)</p>
<p><img style="border: 0px none ;" alt="LogoMasthead" src="http://lh5.ggpht.com/jackadaniel/SFPqfucTvoI/AAAAAAAAAEk/NSe6F1r-MSk/LogoMasthead%5B4%5D.gif?imgmax=800" border="0" height="39" width="244" /></p>
<p>I have gotten a lot out of my involvement with the <a href="http://naisg.org/" target="_blank">National Information Security Group</a>- as a member, presenter, chapter chair and <a href="http://naisg.org/About/Board.htm" target="_blank">board</a> member. Since making the decision to move from a single regional group to a chapter-based organization, NAISG has grown to five chapters and is continuing to expand. <a href="http://naisg.org/About/Default.htm#BDinerman" target="_blank">Brad Dinerman</a> (the founder, President and all-around great guy) has recently launched an effort to continue the expansion, asking the members of the NAISG <a href="http://naisg.org/TechTips/Default.asp" target="_blank">mail lists</a> and LinkedIn group to consider starting a chapter in their area. 
It is a great idea; if you are interested, please visit the <a href="http://naisg.org/Chapters/Start.htm" target="_blank">Start a Chapter</a> page of the NAISG site and feel free to contact me with any questions you may have.</p>
<p>I think NAISG is a great organization which fills a unique space in the IT security world, and that leads to a question which occasionally comes up: do we really need more NAISG chapters when there is already a proliferation of other security groups and associations- <a href="http://www.isaca.org/" target="_blank">ISACA</a>, <a href="https://www.issa.org/" target="_blank">ISSA</a>, <a href="http://www.infragard.net/" target="_blank">InfraGard</a>, and many more?</p>
<p>Yes, we do. The other security groups are outstanding organizations, but they are not NAISG- they tend to cater to security professionals and focus on the enterprise. NAISG is an open and approachable group, with no membership fees or prerequisites except for an interest in security. NAISG encourages anyone with an interest in security to join, regardless of their experience. We present a variety of topics of varying technical levels throughout the year so that members at all skill and experience levels will be rewarded for their involvement. And, we focus on the technology and ideas, not the products- there are plenty of places to hear a vendor's sales pitch, but NAISG is not one of them. 
(We do offer vendors the opportunity to gain exposure through <em><strong>technology and concept-centric</strong></em> presentations and, of course, through <a href="http://naisg.org/Sponsors/" target="_blank">sponsorships</a>.)</p>
<p>So, yes, we do need more NAISG chapters...</p>
<p>Jack</p>

<p><strong>Playing with Fire</strong> (2008-06-10)</p>
<p>One of the things I've done lately (instead of blogging) was attend the New England Blacksmiths' 30th annual Spring Meet. It was a little over a week ago, and it was a great event with a great bunch of folks.</p>
<p><img src="http://farm4.static.flickr.com/3125/2558739829_4fbea7b296.jpg" /></p>
<p>What happens when you get about 100 blacksmiths of all skill levels together for the weekend? Check out this <a href="http://www.flickr.com/photos/jack_daniel/sets/72157605490407363/" target="_blank">Flickr photo set</a>. Be sure to take a look at the short videos at the end of the set (I'll be adding more video to this set later).</p>
<p>There will be a large regional blacksmith event in early September, the <a href="http://acblacksmiths.org/" target="_blank">Atlantic Coast Blacksmiths Conference</a> in Olivebridge, NY. I can't wait.</p>
<p>Jack</p>

<p><strong>I'm not lazy, just busy- and things are changing</strong> (2008-06-05)</p>
<p>Yep, the blog is feeling a bit neglected. I am working on a solution to that, and sometime in the next few weeks my content output should jump. I don't know exactly where or when it will jump, but it will jump. It may involve moving this feed to FeedBurner and possibly a new URL. 
Details to follow, film at eleven, etc.</p> <p>For now, a couple of stray thoughts.</p> <p>When I was a one-man IT shop and I was this busy I cut corners. Not small-time, but chainsaw-style corner cutting. It happens to everyone on some level, and that is a bigger problem for security than any zero-day, virus, bot, trojan or cracker. Manage everything from anywhere, with telnet? Sure, if it saves time. Buy a sub-standard "solution" from a vendor when you know you can build better yourself? Of course- because as hard as it is to get money, time is even harder to find. Note: When I hear people advocate spending the time to learn a program and deploy a "do it yourself" solution, I hear people who haven't battled the 70 to 100-hour workweek (these are real, and I can assure you that you are tired at the end of them, and I'm glad I am not that busy anymore). One of the many great things about my current position with Astaro is that I can usually turn off the BlackBerry when I'm not at work (OK, only one of the BlackBerries gets turned off- but it is a start).</p> <p>Sometimes you need to unwind, and I really enjoy putting things in the fire and then hitting them with a hammer. Last weekend was the 30th annual <a href="http://www.newenglandblacksmiths.org/" target="_blank">New England Blacksmith's</a> Spring Meet, and it was a great time. Over 100 blacksmiths of all experience and skill levels attended and worked together on a set of community service projects for the recreational area of Brentwood, NH. This fall we are working with several other groups to present the first <a href="http://acblacksmiths.org/" target="_blank">Atlantic Coast Blacksmiths Conference</a> in <a href="http://maps.google.com/maps?ie=UTF-8&oe=utf-8&rls=org.mozilla:en-US:official&client=firefox-a&q=Olivebridge,+NY,+USA&um=1&sa=X&oi=geocode_result&resnum=1&ct=title" target="_blank">Olivebridge, NY</a>. 
If you are interested in the craft and will be anywhere in the area, stop by, check out the demonstrations, and say hello.</p>
<p>Jack</p>

<p><strong>Not really a defense of the CISSP, but...</strong> (2008-05-20)</p>
<p>It is pretty funny hearing the detractors of CISSP and other "management" certifications (you know, the folks who consider themselves the "real" and "technical" security pros) as they discover amazing concepts such as:</p>
<ul> <li>Business Continuity and Disaster Recovery Planning</li> <li>Risk Analysis</li> <li>Security Metrics</li> <li>Aligning security with business practices and principles</li> <li>Physical Security (beyond lockpicking at cons)</li> <li>The importance and value of Policies and Procedures</li> <li>The minefield of Corporate Ethics</li> <li>and the rest of the CBK</li> </ul>
<p>Imagine that, maybe a wide-ranging course of security topics can expose you to things outside of your area of expertise and make you a more well-rounded professional.</p>
<p>Jack</p>

<p><strong>Debian predictable PRNG fiasco</strong> (2008-05-14)</p>
<p>I am a big fan of Debian and Ubuntu- but not a big fan of gaping, ginormous security holes. The "predictable Pseudo Random Number Generator" OpenSSL vulnerability in Debian (and Ubuntu, and other Debian variants) leaves a gaping hole not only in those systems, but in systems which are using keys from vulnerable systems. Patches need to be applied and keys regenerated, and we probably only have a couple of days before exploit code is loose. 
From the Debian Security Advisory:</p>
<blockquote> <p>"It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems is recreated from scratch. Furthermore, all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised; the Digital Signature Algorithm relies on a secret random value used during signature generation."</p> </blockquote>
<p>Rather than mangle a technical discussion of the issue, here are some actually useful references:</p>
<ul> <li>Debian Security Advisory <a href="http://www.debian.org/security/2008/dsa-1571" target="_blank">DSA-1571-1</a> <ul> <li>Related OpenSSH advisory <a href="http://www.debian.org/security/2008/dsa-1576" target="_blank">DSA-1576-1</a></li> </ul> </li> <li>Ubuntu Security Notice <a href="http://www.ubuntu.com/usn/USN-612-1" target="_blank">USN-612-1</a></li> <li><a href="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0166" target="_blank">NVD summary</a> of CVE-2008-0166</li> <li><a href="http://www.zdnet.com.au/news/security/soa/Debian-and-Ubuntu-OpenSSL-generates-useless-crypto-keys/0,130061744,339289012,00.htm" target="_blank">Article</a> at ZDNet Australia</li> <li>SANS ISC <a href="http://isc.sans.org/diary.html?storyid=4414" target="_blank">Diary entry</a> <ul> <li>Note: this misidentifies the problem as being with OpenSSH- the root problem is with OpenSSL, which extends to OpenSSH.</li> </ul> </li> <li>Not directly related, but a worrisome coincidence: the SANS ISC post on <a href="http://isc.sans.org/diary.html?storyid=4408" target="_blank">SSH brute-force attacks</a>. <ul> <li>This one's very real. I may have seen a pile of systems' doorknobs rattled on port 22 in something I get paid to do.</li> </ul> </li> </ul>
<p>In review, we have stuff to do. 
And, if the word "predictable" can be used to describe your "random" process, you have a problem.</p>
<p>Jack</p>

<p><strong>Botnets as Art?</strong> (2008-05-14)</p>
<p>Tired of botnet stories yet? CSO Online has a different take, a <a href="http://www.csoonline.com/article/348317/What_a_Botnet_Looks_Like" target="_blank">visual representation</a> of bot networks with some interesting geometric results.</p>
<p>There is actually quite a bit of good data visualization information over at <a href="http://secviz.org/" target="_blank">secviz.org</a>. With the volume of data coming at us, we need to find new ways to make sense out of it without just grepping through piles of syslogs, and data visualization is really starting to mature enough to be useful.</p>
<p><a href="http://raffy.ch/myself.htm" target="_blank">Raffael Marty</a> from <a href="http://www.splunk.com/" target="_blank">Splunk</a> gave a great data visualization talk at SOURCE Boston and then gave another outstanding presentation with <a href="http://www.redseal.net/Company-Management_Team.shtml" target="_blank">Alain Mayer</a> from <a href="http://www.redseal.net/" target="_blank">Red Seal</a> at RSA this year.</p>
<p>Jack</p>

<p><strong>An OLPC post (but not-quite-dead-yet) mortem</strong> (2008-05-13)</p>
<p><a href="http://radian.org/" target="_blank">Ivan Krstic</a> has shared his feelings and a look behind the scenes at the state of the XO/OLPC project in his blog post <a href="http://radian.org/notebook/sic-transit-gloria-laptopi" target="_blank">Sic Transit Gloria Laptopi</a>. 
It is worth a read, even if you don't agree with all of his opinions.</p>
<p><img height="150" src="http://olpc.com/pics/olpc-xo-1.jpg" width="142" /></p>
<p>A tip of the hat to <a href="http://securitywatch.eweek.com/" target="_blank">Ryan Naraine</a> for bringing this to my attention.</p>
<p>Jack</p>

<p><strong>Podcast updates</strong> (2008-05-12)</p>
<p>It has been a while since I reviewed my list of security podcasts and a few new ones have made it into rotation since I last visited the topic. My regular listens and a link to the <a href="http://www.getmon.com/" target="_blank">Getmon</a> Security Podcast list are in my Podcast.com widget (over there on the right, scroll down a bit and you'll see it). Click away at any of the titles for episode details, links to Podcast.com pages, or to play episodes.</p>
<p>My <a href="http://blog.uncommonsensesecurity.com/2007/08/educational-commuting-podcasts.html" target="_blank">previous recommendations</a> still stand:</p>
<ul> <li><a href="http://www.pauldotcom.com/" target="_blank">Pauldotcom Security Weekly</a> <ul> <li>Pauldotcom has grown into an empire, with video and webcasts and an entire community involved.</li> </ul> </li> <li><a href="http://netsecpodcast.com/" target="_blank">The Network Security Podcast</a> <ul> <li>Rich Mogull is now Martin McKeay's cohost and his addition has expanded the perspective of this great show.</li> </ul> </li> <li><a href="http://cyberspeak.libsyn.com/" target="_blank">CyberSpeak</a> <ul> <li>Brett and Ovie continue to deliver informative and entertaining forensics and cyber-crime content on a quasi-weekly basis (they are busy guys).</li> </ul> </li> <li><a href="http://twit.tv/sn" target="_blank">Security Now</a>* <ul> <li>Steve Gibson and Leo Laporte talk security, and stuff. 
</li> <li>*figure out the asterisk for yourself. </li> </ul> </li> </ul> <p>And newer in the rotation: </p> <ul> <li><a href="http://www.itradio.com.au/security/" target="_blank">Risky Business</a> <ul> <li>This one is a must-listen, an outstanding weekly podcast featuring news and interviews hosted by Patrick Gray (Patrick Gray is great, and he also has a weekly networking and systems podcast, "<a href="http://www.itradio.com.au/networking/" target="_blank">A Series of Tubes</a>"). </li> </ul> </li> <li><a href="http://www.cigital.com/silverbullet/" target="_blank">The Silver Bullet Podcast</a>: <ul> <li>In-depth conversations with leading security gurus, hosted by Gary McGraw, sponsored by IEEE Security & Privacy Magazine. </li> </ul> </li> <li><a href="http://www.watchguard.com/education/radiofreesecurity.asp" target="_blank">Radio Free Security</a> <ul> <li>A good podcast aimed at the small business IT administrator produced by WatchGuard LiveSecurity Service reporters. </li> <li>NOTE- this shares a feed with their "Firebox Special", a podcast dedicated to the WatchGuard Firebox. Unless you are a customer, you may want to skip those. </li> </ul> </li> </ul> <p>And a few seem to have faded away, but I haven't completely given up on them:</p> <ul> <li><a href="http://www.securityroundtable.com/" target="_blank">The Security Roundtable</a> [UPDATE: The Round Table is back, see comments below] </li> <li>The Rear Guard </li> <li>Sploitcast* <ul> <li>*Not quite dead. 
</li> </ul> </li> </ul>
<p>Happy Listening!</p>
<p>Jack</p>

<p><strong>Matrícula de coche con inyección SQL -or- Language is no barrier.</strong> (2008-05-02)</p>
<p>My Spanish is pretty rusty, but you don't need to understand "Matrícula de coche con inyección SQL"- in <a href="http://www.areino.com/hackeando/" target="_blank">this post</a> you only need to look at the photo of the car.</p>
<p>(The Google translated page is <a href="http://translate.google.com/translate?u=http%3A%2F%2Fwww.areino.com%2Fhackeando%2F&langpair=es%7Cen&hl=en&ie=UTF-8" target="_blank">here</a>.)</p>
<p>Jack</p>

<p><strong>Defense in Depth?</strong> (2008-05-01)</p>
<p><a href="http://www.matasano.com/log/thomas-ptacek/" target="_blank">Thomas Ptacek</a> recently opined on <a href="http://twitter.com/tqbf/statuses/790778088" target="_blank">Twitter</a>:</p>
<blockquote> <p>"Defense in depth is one of the great bills of goods the security industry has sold IT."</p> </blockquote>
<p>As you can imagine, this led to a lively discussion among the <a href="http://mediaphyter.wordpress.com/2008/02/01/security-twits/" target="_blank">Security Twits</a>- a respected member of the security community (and really smart guy) attacks a fundamental tenet of security. At first I thought he had simply been working too long and hard and had lost it, but then I saw the key word in his pronouncement:</p>
<blockquote> <p>"sold"</p> </blockquote>
<p>Ah, this angle works for me. 
As an under-funded small-business IT guy (a redundant statement, I know) I have always relied on defense in depth, and <strong><em><u>built</u></em></strong> it into any system I could.  Don't get me wrong, I paid for some of the depth, but I did not <strong><em><u>buy</u></em></strong> defense in depth.  The layers have to make sense and work together.  <img style="border-top-width: 0px; border-left-width: 0px; border-bottom-width: 0px; border-right-width: 0px" height="184" alt="bandage" src="http://lh3.ggpht.com/jackadaniel/SBpvn7PJ1JI/AAAAAAAAAEM/cy3U0KbR7SE/bandage%5B4%5D.jpg?imgmax=800" width="244" align="right" border="0" /></p> <p>Another angle which works is more theoretical. If we had fundamentally secure systems to begin with we wouldn't need (or have) an entire enormous industry dedicated to selling bandages for mortally wounded systems.</p> <p><a href="http://lh6.ggpht.com/jackadaniel/SBpvorPJ1KI/AAAAAAAAAEU/3rXYmiOb67I/s1600-h/beating_a_dead_horse%5B3%5D.jpg"><img style="border-top-width: 0px; border-left-width: 0px; border-bottom-width: 0px; border-right-width: 0px" height="150" alt="beating_a_dead_horse" src="http://lh4.ggpht.com/jackadaniel/SBpvpLPJ1LI/AAAAAAAAAEc/dxdzU1eXam4/beating_a_dead_horse_thumb%5B1%5D.jpg?imgmax=800" width="244" align="left" border="0" /></a> Wouldn't that be nice?  
We could have yet another discussion about that, but that would be beating a horse which is not only dead but already processed into gelatin, dog food and glue.</p> <p>Jack</p> <hr /> <h2>Architecture astronauts take over</h2> <p>Posted 2008-05-01</p> <p>Not much to say about this <a href="http://www.joelonsoftware.com/items/2008/05/01.html" target="_blank">article</a>, except it is a refreshing alternative take on Microsoft's "new" Mesh Thingie©.<br /><br />Jack</p> <hr /> <h2>Your Moment of Zen</h2> <p>Posted 2008-04-28</p> <p>With apologies to the Daily Show, I present- your Moment of Zen:</p> <blockquote> <p>"Your systems are vulnerable and will be compromised"</p> </blockquote> <p>It may be shocking at first, but it is true and you know it.  You may argue about the definitions of "vulnerable" and "compromised", but that misses the point.  Our systems are vulnerable and will be compromised.  Now what do we do?  </p> <ul> <li>Focus on the things you can actually accomplish. </li> <li>Accept that we really do need a "Plan B" (and maybe C, D...)  <ul> <li>Work on those plans. </li> </ul> </li> <li>Prioritize work based on real exposure. </li> <li>Think about risk <ul> <li>There are many "deep thinkers" in the Risk field, but start with a little "shallow thought" and work your way up. </li> </ul> </li> </ul> <p>I have been thinking about this for a while and a panel discussion at RSA really crystallized the idea for me (and many others).  It is not a new idea, <a href="http://rationalsecurity.typepad.com/" target="_blank">Chris Hoff</a> has expressed it in his move from "Rational Security" to "Rational Survivability".  
<a href="http://securityincite.com/" target="_blank">Mike Rothman's</a> "<a href="http://www.pragmaticcso.com/" target="_blank">Pragmatic CSO</a>" includes elements of it.  My belief that moving forward, even incrementally, is better than trying to solve all of the big problems also touches the idea.</p> <p>Possibly more significant than the agreement of the esteemed panel (<a href="http://securityincite.com/" target="_blank">Mike Rothman</a>, Ron Woerner, <a href="http://securosis.com/about/" target="_blank">Rich Mogull</a>, <a href="http://www.echelonone.net/meettheteam.html" target="_blank">David Mortman</a> and <a href="http://www.mckeay.net/" target="_blank">Martin McKeay</a>) was the general agreement from the audience.  It has always been true, but now it is OK to accept it- and move on.</p> <p>Jack</p> <hr /> <h2>The Linkedin "John Smith" scam</h2> <p>Posted 2008-04-23</p> <p>I had my doubts, but I tend to be fairly open with Linkedin requests and keep a mental track of those I really know and those I don't- so when a highly-linked Mr. John Smith (including links to people I *really* know) sent a connection request, I added "him". A bunch of others did, too. No big deal for most folks who think about what info they share (and how much of it is available elsewhere). Turns out Mr. John Smith was an "awareness campaign" or "publicity stunt" depending on your point of view. I received this email today:</p> <blockquote>Dear LinkedIn user: Meet Mr. John Smith!<br /><br />You have a profile on LinkedIn.com and you have chosen to connect with "John Smith". This itself is not a problem, if it wasn't for the fact that John Smith doesn't really exist (in real life). 
The profile was invented as part of a security experiment where we try to determine and illustrate potential risks using social networks, such as LinkedIn. The presentation was just released at the Fraud Europe conference in Bruxelles today.<br /><br />We decided not to release any detailed information about who and how John Smith got connected with in his network. However, we felt obligated to inform all LinkedIn accounts hooked up with John Smith about this piece of research and the release of the final edition of "Social Networking Risk - Who Do You Want to be Today?".<br /><br />With the paper being released we will delete the "John Smith" profile!<br /><br />If you've not already guessed it, you're receiving this e-mail because you are linked with John Smith. We hope this will be a lesson learned and nothing else ...<br /><br />All data harvested during the past year will be deleted. We will also inform LinkedIn and ask them to remove the profile.<br /><br />You can download the presentation given at the Fraud Europe conference at the following URL:<br /><a href="http://www.csis.dk/dk/media/LinkedIn-Threats.pdf" target="_blank">http://www.csis.dk/dk/media/LinkedIn-Threats.pdf</a><br /><br />The technical paper, used as background for this presentation and released in January 2008, can be downloaded here:<br /><a href="http://www.csis.dk/dk/media/LinkedIn-V2.pdf" target="_blank">http://www.csis.dk/dk/media/LinkedIn-V2.pdf</a><br /><br />Best regards,<br /><br />Dennis Rand, Security- and Malware researcher<br />CSIS Security Group<br /><a href="http://www.csis.dk/" target="_blank">http://www.csis.dk</a></blockquote>Oh, well. But my next question is this- what about that "Information Security" group on Linkedin? A few friends and I questioned the legitimacy of that (after joining) at a recent event.<br /><br />Bottom line, if it is on the Internet it is out there for all to see. 
Remember that, act accordingly, and you'll be OK.<br /><br />Jack <hr /> <h2>The "Theme" of the Expo at RSA</h2> <p>Posted 2008-04-22</p> I am working on a few posts on RSA, things like "Your Moment of Zen" and "Confessions of a Booth Babe", but first...<br /><br />One of the oft-asked questions at RSA was "What's the theme?" There was an official <a href="http://en.wikipedia.org/wiki/Alan_Turing" target="_blank">Turing</a> theme, but it didn't really take. I spent quite a bit of time in the Expo with all of the vendors, so I proposed:<br /><blockquote>"Simple solutions to complex problems"</blockquote><a href="http://securosis.com/" target="_blank">Rich Mogull</a> suggested this refinement:<blockquote>"Meaningless, content-free answers to important questions"</blockquote><br />From the Expo floor there was also a strong undercurrent of:<blockquote>"Buy our product and you will be (fill in the blank) compliant<br />(and thus secure)."<br /></blockquote><br />No surprises, really, but it is depressing how few people selling stuff (any stuff, not just security stuff) are aware of their own market. Security is hard and the odds are against "winning", so the hyperbole (100% effective against SPAM!) and oversimplification just annoy and offend the educated customer.<br /><br />Don't get me wrong, overall I had a great time at RSA, but the stupid sales weasels just amaze and appall me. 
Keep in mind that I have spent the past thirty years in and supporting the car business; I know stupid sales weasels when I see them.<br /><br />Jack <hr /> <h2>Hypocrisy, Patriotism, Bullshit.</h2> <p>Posted 2008-04-19</p> <p>No security angle here, just an incendiary rant.  (Unless we're talking economic security, but we won't go there).  You've been warned.</p> <p>A few weeks ago I spent the weekend in Gettysburg, Pennsylvania.  Gettysburg is a great town, rich in history of course, but also a nice college town with a well-maintained downtown and a real sense of community.</p> <p>Sure, there are the obligatory tacky tourist traps- including sacrilegiously named stores, restaurants, and hotels (winner in this category, "Gettysburg Battlefield Resort"), but not all of the tourism is bad.  The Park Service is trying to restore many areas to period-appropriate condition and has just opened a new visitor center.</p> <p>The Rant:</p> <p>On the edge of town, out by the highway, is Battlefield Harley-Davidson (not near the battlefields, by the way).  Battlefield Harley-Davidson is housed in a large steel building, near failed and failing auto dealers and the requisite highway off-ramp hotels and shopping centers.  Like most H-D dealers, it is a large and impressive facility, nicely landscaped and well-maintained.  When you enter the building, you are greeted by dozens of shiny new Harleys, but beyond the front line is the magic- a bewildering array of clothing, accessories (both motorcycle and "lifestyle" accessories) and trinkets.  This is the stuff anyone can afford, even if you can't swing a new 'Glide.  Unfortunately, much of it is poor quality and almost all of it is made in China.  
For a company which touts quality and wraps itself in the American flag as much as Harley-Davidson does, you might expect some true patriotism and dedication to quality American-made goods- but you won't find it.  Even the more expensive goods are almost exclusively Chinese, so it isn't just the cheap stuff they outsource.</p> <p>This isn't really about Battlefield H-D (except the BS name and proximity to sites of historic patriotism), it is about Harley-Davidson's corporate greed.  Want to sell inexpensive stuff made in China?  OK, there are some issues with that, but it is a legitimate business model.  Want to milk false patriotism for a buck?  (Note, I believe John Deere gets a dishonorable mention in this arena, too- for similar reasons).  That's fine for spineless cowards and hypocrites.  I'll pass on that ride, thank you.</p> <p>Jack</p> <hr /> <h2>RSA Security Bloggers Meet-up</h2> <p>Posted 2008-04-17</p> <p>Several people have already written about this, so I'll keep it short. I really enjoyed it; I reconnected with some people, met some Internet acquaintances and Security Twits in person for the first time, and met new people, too. I had a great time and I'm already looking forward to the next one.</p> <p>Thanks again to Jennifer Leggio (Mediaphyter), Martin McKeay, Rich Mogull, Alan Shimel and everyone else who helped make it happen. <br /><br /><a href="http://mediaphyter.wordpress.com/2008/04/15/security-bloggers-meet-up-no-helmet-required/" target="_blank">Mediaphyter's blog post</a> has a pretty thorough list of attendees; scan it and you'll see why I am not trying to repeat the effort here. 
</p> <p>Jack</p> <hr /> <h2>New NAISG Chapter, Connecticut River Valley</h2> <p>Posted 2008-04-16</p> <p>NAISG recently announced our sixth chapter:</p> <blockquote>"We are pleased to announce the formation of the Connecticut River Valley chapter of NAISG. This chapter will serve the Springfield, MA and the Enfield/Hartford, CT areas. More details will be announced as they become available."</blockquote> <p>As always, information will be at the <a href="http://naisg.org/" target="_blank">NAISG website</a>.</p> <p>Jack</p>