Security Blog
4.6.2002
I am still trying to shake this cold, plus I've been out most of the day, so not much to report. I have been looking into a new toy. What do you think?
4.5.2002
Sorry for the lack of posts, I'm a bit under the weather today and have been away from the computer. I did come across this article which discusses secure programming and college CS courses. It's an issue which should be as relevant as any other taught in class: efficiency, design, OOP, software engineering.
Here is a piece discussing some recent criticism of NASA's operational security regarding shuttle launches - it doesn't sound like they did a very good job.
Atlantis' 5:12 p.m. launch time -- one of NASA's worst-kept secrets -- officially remained confidential until Wednesday despite being known for weeks by thousands in the shuttle program and being readily available on the Internet. Under NASA's new policy, the space agency will release only a four-hour launch window until the day before liftoff. Then, all of the times for the mission's milestones, including the shuttle's landing, will be made public.
That's probably it for today, I've got to shake this cold - too much to do!
4.4.2002
Microsoft is releasing a line of security products. What can I say? Stop laughing, it's not a joke. Perhaps this is a late April Fools headline?
Security in schools is difficult, especially in collegiate environments. It's hard because so many people need to do different things. And unlike a corporation, you cannot deem something unnecessary - it might be required for research. Moreover, large university networks have a history of being relatively loose on policy. Definitely one of the more challenging places I've ever addressed security.
Nothing like trash talking tech giants. In this case, Checkpoint, makers of the commercial juggernaut Firewall-1 software, come out firing against Cisco - one of the largest companies in the world. I love it! "Cisco keeps on re-inventing their security strategy every few years because they keep on failing to get it right," he said. "They should leave it to those who know. Cisco does not co-operate in the security industry either which could be one of the reasons for their products' shortcomings." Read the rest of the insults here.
For the frequent fliers - some advice on getting your technical gear through security. Laptops and other electronics are now scrutinized heavily, rightly so. This can be a hassle, especially if you're in a rush. Sadly, the article recommends not bringing them onboard altogether.
There's a piece on social engineering at ZDNet. The message is good, but I don't think removing instant messaging will solve any problems - as the author suggests. Training, awareness and communication are the only things that can protect an organization from such threats. You can't stop con artists from trying to take advantage of your employees and your business. But you can educate your workforce so they're prepared to deal with them.
Anytime I see a football metaphor in a security article, I'll pass it along.
Finally, agencies should provide continual training in and enforcement of security policies and procedures, even if they seem obvious. Wright likened this to the hundreds of hours that football players spend doing basic drills at training camp.
4.3.2002
This Kazaa nonsense is mind boggling. Evidently they were planning on using their software to control the PCs of people who used the service. They could do all sorts of things - marketing, distributed processing and plenty of snooping. If you downloaded this - get rid of it! Switch over to Gnutella. Plenty of content and clients for several platforms. And Gnutella won't use your computer for their own gain.
According to this study, laziness is still a major element in security flaws.
There is a correlation between the increase in concern about securing the enterprise and the rise in vulnerabilities. While companies invest in protecting their business processes they are not allocating enough resources to address the true problems. Companies could eliminate 95% of potential threats by implementing elementary security features on new devices. Every piece of equipment should be secured before deployment.
The FBI is improving its audit trails in light of an internal security review.
It will closely limit access to sensitive electronic documents to only those agents approved to look at them, and it will track who prints copies, said Chiaradio, the FBI's executive assistant director for administration. He said the FBI's current technology can't keep track of who is looking at what online.
4.2.2002
Newsforge has some examples which demonstrate the need to constantly update security.
The reason I wrote this article is for purely selfish reasons. Those people, such as ISPs, who expose themselves to attack expose us as well! I still do random checks on my subnets, and I still find weaknesses. People are not perfect and not all of them are network professionals, but we could limit attacks if people would at least do some system hardening.
A quote from a story on "white collar" hacking:
Professor Piper said, "The biggest obstacle to greater Internet security is corporate complacency. Many businesses fail to protect themselves, believing that hackers are only interested in consumer crime, such as online credit card fraud..."
What's funny is that home users believe the exact opposite - hackers only care about business machines. I pointed this out in a recent article for SecurityFocus:
People often assume they possess nothing of interest to crackers. Some believe that, with millions of potential targets on the Net, they can safely slip under the security radar. Such assumptions are false. Crackers are not necessarily after secret files or valuable corporate data, many just want a machine - fast.
So there you have it, everyone on the Internet thinks crackers are after somebody else. We're all targets, big and small, corporate and broadband, every machine is a potential victim.
Tales of war-driving from O'Reilly.
It wasn’t long into my trip to Charlotte before access points started popping up on my screen quicker than I could count. I found access points coming from industrial centers along the interstate's service road, along with convenience stores and other shops. Even while crossing high overpasses a few new ones would pop up.
The Washington Post has an informative piece on what it takes to get a security clearance. This is something a lot of people ask me about. Unfortunately, September 11 has added to the glut of existing applicants - the average processing time is 6-18 months.
A Carnivore story to start the day off. It's actually a rehash of something I posted a week ago, but this bit jumped out at me.
Regardless of whether people approved of its decision, the FBI deployed Carnivore on ISPs across the country after September 11th, according to numerous reports.
4.1.2002
There's a good look at the state of antivirus technology on SecurityFocus. The author speculates on the direction of the industry and how the virus scanner, as we know it, needs to evolve.
To keep up with constantly emerging viral attacks, vendors must devise new definition files and sometimes new scan engines. In order to design a new virus definition file, a virus researcher has to obtain a “live” copy of a new virus (sometimes not the easiest thing to do), determine its behaviors through testing, decipher its algorithms to determine precisely what it does, decompile it if its code is compiled and determine how best to detect its presence. In some cases a virus will use encryption (Hybris is a good example), and the researcher cannot decrypt the virus. This leaves behavioral verification as the only method of determining how best to detect the virus.
Dorothy Denning is working on an interesting idea - an encryption scheme which uses geographic location as part of the key. Loads of commercial and military applications could make use of this.
Working with a Hollywood movie executive and an Internet entrepreneur, Denning has invented a way to keep information scrambled until it reaches a precise location, as determined by GPS satellites. Armed with Denning's geo-encryption system, which she co-patented in 1998, only people in specified locations, such as movie theaters, living rooms or corporate conference rooms, would be able to unscramble the data.
This is classic - probably the funniest thing we'll read all month. I wonder if it's an April Fools Joke? It can't be true!
A Web site sponsored by Microsoft and Unisys as a way to steer big companies away from the Unix operating system is itself powered by Unix software.
How has Microsoft gotten away with downplaying security for so many years? And now it's the focus of every article you see coming out of Redmond. Amazing.
In a meeting with eWEEK last week, several Microsoft executives responsible for security software development said the company is also changing the way it ships some products to make them safer and will begin developing its own line of security software.
3.31.2002
The St. Louis Post Dispatch has an article on blogs in the Sunday A&E section, check it out. They give a good introduction to this strange, new world.