Security Blog 


6.28.2002

Backlog
Security Focus has 2 articles from earlier this week which I just finished reading. There's the final installment of the No Stone Unturned series - a fictional, but fact-filled, story about a security incident. And Jon Lasser gives his thoughts on disclosure in his regular column. On Monday, I have an article going up, so be sure to check back in for the link.



It's still a good thing
With all the posts here about the risks associated with technology, I thought this would be a nice change of pace.
The fictional British spy used technology to his advantage when tracking down criminal masterminds. But in the real-world fight against terrorism, the situation shouldn't be different, Gilman Louie, chief executive of In-Q-Tel, said during a keynote speech at the TechXNY trade show here.

"I am asking all of you in this room to do one thing: to think about how we can employ these technologies to give ourselves a competitive edge," Louie said. His speech, called "James Bond Saves the USA," stressed that the government's ability to analyze and distribute information quickly is the greatest weapon it has in diffusing terrorist threats.



6.27.2002

Slashdot thoughts
I just noticed that 3 of the 10 or so stories on Slashdot also appeared here. When did they turn into such a security-focused site? I've got to work hard to beat them to the punch!



Unbelievable
Got this from Slashdot, but it's so over the top I had to pass it along. The FBI and local authorities raided multiple homes in Toledo for - (drumroll) excessive bandwidth! I am floored. Was the FBI needed for this? Why didn't the provider just cancel their service? One of the strangest stories I've read in quite some time.



Cyberterrorism
The Washington Post has a good article on a topic often blown out of proportion - cyberterrorism. Definitely worth a read. Pieces like this normally contain nonsense and far-fetched warnings, but this is an exception. Well written and researched. Great quote from Richard Clarke:
"Who does the damage to you is far less important than the fact that damage can be done. You've got to focus on your vulnerability . . ."




It Does Happen
We'll have to keep an eye on this case - industrial espionage in the content delivery world.
Boston-based Akamai Technologies sued rival Speedera Networks on Tuesday, accusing Speedera's chief technology officer of breaking into a partner's database and stealing proprietary Akamai information.



6.26.2002

Great point
Glenn Reynolds talks about privacy going out the door as security rolls in:
So keep your eyes open. I predict that within the next year we'll see major and intrusive efforts to protect Big Entertainment and Big Software, disguised as efforts to protect us against hostile hackers. Those efforts will be the more dangerous because there will be a grain of truth at their core: there really are hostile hackers out there trying to spread damage, and their numbers are growing. But don't let legitimate concerns about security blind you to opportunist grabs by people who have shown their opportunism in the past.




Russian mobs at college?
More Russian mob stories! The government has issued an alert - the same elaborate (joke!) scam could be happening all over the country. It's good to see someone got it right:
"It's basically like rifling through one person's mailbox and hoping a credit card is being sent at that time,'' said Ross Stapleton-Gray of University of California technical services.




Open source Palladium?
I feel as if this has been the only topic all week. It's important, but everywhere you go there's Palladium talk. News.com is reporting that MS plans to release the source for review. I'll believe it when I see it.
Microsoft, long a proponent of keeping source code secret, plans to publish the source code to a critical part of its Palladium project to enhance security, a representative of the software giant said Monday.



6.25.2002

Linux and Palladium
The Register has a scary take on what Palladium could do to Linux. Without a doubt, it's an attempt by MS to lock ALL competitors out.
It's the very fact that this appears insoluble to me that helps me realize that MS has put tremendous, careful thought into it. To make the commons Linux-hostile, MS is taking dramatic steps to make it GPL-hostile. Very clever and admirably diabolical.




That's what I said
The ads in Minority Report were one of the creepiest elements in the whole movie. All over the place, all the time. And they know who you are too.
Most viewers will probably shudder at the thought of enduring a world even more ad-soaked than the one we live in already, one where the pitches on every available service shout not just figuratively but literally, with a personalized precision that quietly brushes away the last shreds of our privacy. At first glance, there's something almost cautionary in director Steven Spielberg's riffs of the future of marketing.




Popular Privacy
PopSci has an in-depth look at modern day privacy. An excellent piece. They demonstrate just how often we are watched, logged, scanned, calculated, computed and recorded during a normal day.



Going to court
From the Chicago Tribune:
A former employee of Near North Insurance Brokerage Inc. was sued by the firm Monday in federal court, accused of illegally accessing tens of thousands of the firm's private e-mails and providing their contents to competitors.

And why are they mad?
In September he began a new job and repeatedly accessed Near North's computer system over several months. The lawsuit contends that from March 12 to April 17 Cheley accessed 20,000 Near North e-mail messages marked "important" or "confidential" or "urgent," the lawsuit said.

The content of the e-mails was given to Near North's competitors, potential business partners and organizations involved in litigation against the company, according to the complaint.




Strange Days in Vegas
You might remember this story from a few months ago - Las Vegas phreaking. One guy is complaining that the Sprint network is run by crackers, who work with "adult entertainers" to divert incoming calls to the highest bidder. Well now Kevin Mitnick, of all people, is serving as an expert witness. Witness to what you ask? To the fact that he owned the Las Vegas switching network several years ago. I say it every time this story makes the news - bizarre.
"I had access to most, if not all, of the switches in Las Vegas," testified Mitnick, at a hearing of Nevada's Public Utilities Commission (PUC). "I had the same privileges as a Northern Telecom technician."




The Language of WiFi
Cool idea. You're out and about, looking for some 802.11. And then you see the symbol. Warchalking.
Collaboratively creating a hobo-language for free wireless networking.




No winners
Harsh. Network World just wrapped up a 30-day IDS shootout. The results? They all stink!
Because no product distinguished itself, we are not naming a winner. The eight products we tested - from Cisco, Intrusion, Lancope, Network Flight Recorder (NFR), Nokia (running on OEM version of Internet Security Systems RealSecure 6.5), OneSecure, Recourse Technologies and the open-source Snort package - all ask too much of their users in terms of time and expertise to be described as security must-haves.

It's good to see such evaluations, but keep in mind that an IDS is still an essential tool for any network. It's not a simple tool; you need security expertise to extract value from it.


6.24.2002

Depressing
Posting some of these stories makes me sad. Orwell's world creeps closer every day. From San Francisco - watch what books you're reading.
Section 215 gave the FBI authority to obtain library and bookstore records and a wide range of other documents during investigations of international terrorism or secret intelligence activities.

And this is lovely:
Nearly everything about the procedure is secret. The court that authorizes the searches meets in secret; the search warrants carried by the agents cannot mention the underlying investigation; and librarians and booksellers are prohibited, under threat of prosecution, from revealing an FBI visit to anyone, including the patron whose records were seized.




Privacy
Mark Rasch of SecurityFocus discusses the ramifications of some recent changes to FBI monitoring and surveillance guidelines.
Privacy is the right to be left alone. Political freedom is the right to engage in vigorous discourse and exploration of ideas -- even unpopular and potentially subversive ideas. We have and should expect a right to privacy even in those things that occur and are reported on in the public. The mere act of the FBI collecting newspaper clippings mentioning our name -- something clearly public -- has a chilling effect on our free discussion. The requirement that they do so only where there is some reason to believe that we are engaged in criminal activity is not unreasonable.


And David Wong has a great piece up on the fundamentals of secure programming.
By now, you must be wondering, with all these potential problems, how do I find out if my software has these problems? More importantly, how do I fix them? The answer to the first question is easy. Perform security audits, security tests, and security code reviews to identify security bugs in the application. The answer to the second question is much more difficult. Building secure software has been a problem many people have been trying to solve for a long time. We don't pretend to have the answers here, but below is a list of guidelines that can help you avoid 90% of the commonly exploited security vulnerabilities.




Fear MS
Eric Norlin does. He knows they're up to something big.
2 words to describe Mister Softee: Brill-iant. Either I read too much into things, or these guys are the Masters of Distraction and the Kings of Strategy. God I'd love to drink scotch with Gates. Bill -- call me.




Wow
A fantastic response to Palladium. Richard Forno chimes in with why it's nothing but bad news. Definitely worth a read.
In short, under the feel-good guise of 'enhanced security' and 'new features for customers' and despite its being found guilty of being a monopoly, Microsoft still wants to rule all it surveys. "Palladium" can be interpreted as Microsoft's attempt to play God. Again.



6.23.2002

More
Here's the link to the Newsweek story - more meat. Reading this, I see some good things, and some bad things. MS is still eyeing DRM in this, so they're in bed with Hollywood and the music industry for sure. And while it doesn't explicitly say so, I'd be willing to bet that the standards/protocol for Palladium will be closed, meaning use MS or you're SOL.

Overall, it's an aggregation of several security ideas which have been floating around for many years, nothing revolutionary. I'll wait and see if they can pull it off.



Palladium?
First I've heard of this - Palladium, from Microsoft. It's supposed to be some new, ultra-secure, privacy-protecting OS/program. Not a lot of details, but it got me thinking. MS could reverse their downward spiral by helping people protect their privacy rights. Interesting thought.
Though Microsoft does not claim a panacea to security and privacy concerns, the system is designed to dramatically improve the ability to control and protect personal and corporate information. Even more important, Levy reports, it's intended to become a new platform for a host of yet-unimagined services to enable privacy, commerce and entertainment in the coming decades. "This isn't just about solving problems, but expanding new realms of possibilities in the way people live and work with computers," says product manager Mario Juarez.

Could Microsoft become a consumer privacy advocate? They're big enough. They could bully other companies into respecting it. I'm certain they could make money off it. Keep an eye on this. Bill Gates turned the company on a dime in the mid nineties. They missed the Internet boat, but came roaring back. Maybe he sees privacy as the next big thing. And keep in mind, MS is PO'd at the US government for the antitrust stuff. This could be their revenge.



Cracker extortion
MSNBC is reporting on Zilterio - a cracking group which extorts money from its victims. I have to wonder, as the authors do, why these guys haven't been caught. They are flagrant in terms of communication and are full of bravado. Seems like law enforcement doesn't have much of an interest.
“What was interesting through all this was the lack of effort on the FBI’s part. They did very little investigation themselves,” Burnett said. “Most of the investigation work was done by myself. I tracked him down to a prepaid dialup ISP account in Ukraine. I had very strong evidence backing this all up, but I never heard anything more from the FBI about it,” he said. “It’s quite amazing that with all the e-mail accounts, break-ins, domain registrations, web hosting, etc. there must be a ton of evidence to track this guy down. .... I’d say the FBI is seriously dropping the ball on this case.”