Security Blog 


7.19.2002

Here we go
Privacy concerns continue. The issue today? E911. It's a technology which allows 911 dispatchers to pinpoint your location when you're in trouble and calling via cell phone. Privacy is addressed in the article:
What about privacy? A cellphone that continually divulges the user's location makes some people queasy. Most of the new G.P.S. phones will let owners disable the location feature, except when calling 911 — and there is a way around that, too.

"If you don't want 911 to find you," said Raymond LaBelle, emergency communications manager for the state of Rhode Island, "just don't call us."

Simple enough, right? No. Just a few paragraphs earlier, this:
The new technology is also believed to have helped track down Lucas J. Helder, a suspect in pipe bombings in five states. As soon as Mr. Helder activated his cellphone on May 7, F.B.I. agents figured out that he was between two small towns in Nevada and, after a high-speed chase on Interstate 80, arrested him. "The F.B.I. won't get into how they did it," said Gary Berks, communications officer for the state's Emergency Management Division, but as for whether E911 data was used, "it sure seems likely."

Now, there are other ways to track a cellphone user's location (triangulation, tower usage), especially when the phone company cooperates. But the comment seems to imply that other means were used. Is there a backdoor of some sort? A switch that can suddenly turn your passive phone active? We don't know. But this is a technology to keep an eye on. It's a shame that something so good can so easily be abused as well.



ROI
For the beancounters out there, a nice piece outlining the return on investment for implementing IDS. If you can swing it, Intrusion Detection Systems are a security tool second only to firewalls. But they are only worth the money with an operator who understands the concepts and actually reviews the alerts; a sensor nobody reads returns nothing.
A positive return on investment (ROI) of intrusion detection systems (IDS) is dependent upon an organization's deployment strategy and how well the successful implementation and management of the technology helps the organization achieve the tactical and strategic objectives it has established. For organizations interested in quantifying the IDS's value prior to deploying it, their investment decision will hinge on their ability to demonstrate a positive ROI. ROI has traditionally been difficult to quantify for network security devices, in part because it is difficult to calculate risk accurately due to the subjectivity involved with its quantification. Also, business-relevant statistics regarding security incidents are not always available for consideration in analyzing risk.
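The article's point that ROI hinges on how you quantify risk is easy to see with numbers. Here is an added worked example (mine, not from the article or its authors) using the usual annualized-loss model: ALE = SLE x ARO, and the IDS "returns" the fraction of that loss it lets you catch early. Every figure is a constructed illustration, not measured data, and the analyst's time is deliberately counted in the annual cost, since that operator is part of the price.

```python
"""Annualized-loss ROI for an IDS deployment (added example, constructed figures)."""


def ale(sle, aro):
    """Annualized Loss Expectancy: single-loss cost times expected incidents per year."""
    return sle * aro


def ids_roi(sle, aro, mitigation, annual_cost):
    """ROI = (loss avoided - cost) / cost.

    mitigation is the fraction of annual loss the IDS lets you avoid by catching
    incidents early; it is as subjective an estimate as the ARO itself.
    """
    if annual_cost <= 0:
        raise ValueError("annual_cost must be positive")
    avoided = ale(sle, aro) * mitigation
    return (avoided - annual_cost) / annual_cost


def breakeven_aro(sle, mitigation, annual_cost):
    """How many incidents per year you must expect before the IDS pays for itself."""
    return annual_cost / (sle * mitigation)


def sensitivity(sle, aro_range, mitigation_range, annual_cost):
    """ROI at every corner of the estimate ranges.

    Returns (lowest, highest). If the two have different signs, the investment
    decision is being made by whoever picked the estimates, not by the data.
    """
    rois = [ids_roi(sle, aro, m, annual_cost)
            for aro in aro_range for m in mitigation_range]
    return min(rois), max(rois)


# Constructed inputs (assumptions for the demo, not figures from the article)
SLE = 50_000                      # cost of one handled intrusion: cleanup, downtime
SENSOR_COST = 25_000              # hardware/licence amortized per year
ANALYST_COST = 35_000             # half of one analyst's time to tune and read it
ANNUAL_COST = SENSOR_COST + ANALYST_COST

if __name__ == "__main__":
    print("ROI at 2 incidents/yr, 50% mitigation:",
          round(ids_roi(SLE, 2.0, 0.5, ANNUAL_COST), 3))
    print("break-even incidents/yr at 50% mitigation:",
          breakeven_aro(SLE, 0.5, ANNUAL_COST))
    lo, hi = sensitivity(SLE, (0.5, 4.0), (0.3, 0.7), ANNUAL_COST)
    print("ROI range across plausible estimates:", round(lo, 3), "to", round(hi, 3))
```

With these inputs the IDS needs 2.4 incidents a year to break even, and sliding the ARO between 0.5 and 4 swings the ROI from clearly negative to clearly positive. That is the subjectivity the article is talking about: the arithmetic is trivial, the inputs are the argument.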



7.18.2002

Geeky
Posting from my zaurus!



Palladium woes
Jon Lasser of Security Focus comes through with another good Palladium article. I've got the feeling this whole thing will taper off. As long as there is a demand for non-Palladium hardware, some vendor will sell it. Could MS have another Bob on their hands?
To top it all off, Palladium is unlikely to protect users from most exploits. There are a great number of attacks that can be executed within applications, as those applications have such power and reach. Microsoft Outlook viruses can continue to spread, as can other macro viruses. The cmd.exe execution vulnerability on IIS Web servers executes only trusted code -- but it does so in response to a Web request from an attacker.




Hacker gossip
There's some SERIOUS mudslinging going on at the Register. The article asks several questions of the famous L0pht hacker group, now the corporate security firm @Stake. Is it all just rumor? I don't know. I do know those guys are very smart, but the piece has an interesting take on how they got into the spotlight.
And that is strictly correct, though not entirely true. NIPC is not where L0pht's Fed relationship was developed. But according to documents I've received, L0pht did have a relationship with FBI Special Agent Dan Romando, or 'dann0' as they called him, a Boston agent with a cybercrime-enforcement background. Our dann0 was an old friend of Mudge's from high school; and our dann0 had also been an intern in Senator Thompson's office before joining the FBI.

If you want to know how L0pht got an invitation to testify "at the request of Senator Thompson," you'll find Agent Romando's hand all over that one. Ditto for Mudge's famous meeting with then-President Bill Clinton.




Who are you calling?
From Reuters:
Telephone companies will be allowed to share, without consent, private customer data with affiliates that offer communications-related services, under rules adopted by the Federal Communications Commission on Tuesday.



7.17.2002

Techno lust
My new Zaurus arrived. Sweet little machine - a tiny linux box! I've got it up on the network already using a Linksys 802.11b CF card. Amazing toy, but it's more for work than play. Honest.






1984
MIT's Tech Review claims George Orwell made a fatal assumption when writing 1984, and we have nothing to worry about. I disagree. The point made is interesting, but the author overlooks the fact that monitoring power doesn't require a camera in every room: it lies in regulation and in control of a few strategic chokepoints.



Windows security standards
The NYTimes reports on new, government mandated security standards for computers running Win2k.
The government will announce the standards on Wednesday to show federal computer engineers how to alter Microsoft's Windows 2000 operating system to make it more secure.

Not a bad idea - a checklist of things which MUST BE DONE before a machine can go online.



Very cool
Quantum crypto key exchange demoed over a real telecom network. Keys whose interception is detectable by the laws of physics rather than by trusting a hard math problem, delivered over ordinary fiber - you've gotta like that.
Until recently, the idea of quantum key distribution has been tested only in the physics laboratory. Now, a team from the University of Geneva and Swiss electronics company id Quantique have demonstrated what is described as the "first fully integrated quantum cryptography prototype machine" across a telecommunications network.
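What makes this interesting is not that the key is "unbreakable" but that an eavesdropper on the fiber leaves a measurable trace. Here is an added example (my own, not the Geneva/id Quantique prototype's code) that simulates the BB84 protocol at the bit-and-basis level: Alice sends bits in random bases, Bob measures in random bases, they publicly compare bases and sacrifice part of the matching bits to estimate the error rate. The only quantum behaviour modelled is that measuring in the wrong basis yields a random bit, which is exactly why an intercept-and-resend attacker pushes the error rate to about 25%. The 11% abort threshold is the standard BB84 bound for one-way post-processing; the rest of the constants are assumptions for the demo.

```python
"""BB84 key distribution simulated classically (added example, not production or vendor code).

Caveat a practitioner should keep in mind: QKD still needs an authenticated classical
channel for the sifting step, or the eavesdropper simply runs two honest BB84 sessions.
"""
import random

RECTILINEAR, DIAGONAL = 0, 1          # the two BB84 measurement bases
QBER_ABORT_THRESHOLD = 0.11           # above this, no secure key can be distilled


def prepare(bits, bases):
    """Alice encodes each bit in a basis. A 'photon' here is the pair (basis, bit)."""
    return list(zip(bases, bits))


def measure(photons, bases, rng):
    """Measure each photon in the given basis.

    Matching basis -> the encoded bit comes back exactly.
    Wrong basis    -> a uniformly random bit (the state collapses into the new basis).
    """
    results = []
    for (prep_basis, bit), meas_basis in zip(photons, bases):
        results.append(bit if prep_basis == meas_basis else rng.randrange(2))
    return results


def intercept_resend(photons, rng):
    """Eve measures every photon in a random basis and re-sends what she observed.

    Half the time her basis is wrong, and the photon she forwards is now in *her*
    basis; Bob, measuring in Alice's basis, then sees a random bit. That is the trace.
    """
    eve_bases = [rng.randrange(2) for _ in photons]
    eve_bits = measure(photons, eve_bases, rng)
    return list(zip(eve_bases, eve_bits))


def bb84(n, eavesdrop, rng, sample_fraction=0.5):
    """Run one BB84 session over n photons.

    Returns (qber, alice_key, bob_key). The two keys are the unsampled sifted bits;
    they only agree when nobody measured the photons in between.
    """
    alice_bits = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.randrange(2) for _ in range(n)]
    photons = prepare(alice_bits, alice_bases)
    if eavesdrop:
        photons = intercept_resend(photons, rng)
    bob_bases = [rng.randrange(2) for _ in range(n)]
    bob_bits = measure(photons, bob_bases, rng)

    # Sifting: bases (not bits) are compared in public; only matching positions survive.
    sifted = [i for i in range(n) if alice_bases[i] == bob_bases[i]]
    # Error estimation: a random sample of sifted bits is revealed and compared publicly.
    sample = set(rng.sample(sifted, k=int(len(sifted) * sample_fraction)))
    if not sample:
        raise ValueError("too few sifted bits to estimate the error rate")
    errors = sum(alice_bits[i] != bob_bits[i] for i in sample)
    qber = errors / len(sample)

    alice_key = [alice_bits[i] for i in sifted if i not in sample]
    bob_key = [bob_bits[i] for i in sifted if i not in sample]
    return qber, alice_key, bob_key


def accept(qber, threshold=QBER_ABORT_THRESHOLD):
    """Decide whether to keep the key or abort the session."""
    return qber <= threshold


def run(n, eavesdrop, seed):
    """Seeded convenience wrapper so a session is reproducible."""
    return bb84(n, eavesdrop, random.Random(seed))


if __name__ == "__main__":
    for eve in (False, True):
        qber, a_key, b_key = run(4000, eve, seed=7)
        print(f"eavesdropper={eve}: QBER={qber:.3f}, keys match={a_key == b_key}, "
              f"key bits={len(a_key)}, accept={accept(qber)}")
```

Without an eavesdropper the error rate is exactly zero and the two halves of the key agree bit for bit; with intercept-and-resend it lands near 0.25, far above the abort threshold, so the session is thrown away before any key is used. Real systems must also tolerate detector noise, which is why the threshold is 11% rather than zero, and the attacks that matter in practice target the hardware (detector blinding, timing side channels), not the protocol.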




Morning paper
The Wall Street Journal had a nice piece this morning on network security, with a good portion discussing Security Focus, a company I write for. Unfortunately, I can't post the article because it's a premium service. But if you see a copy lying around, make sure you check it out.


7.16.2002

1984 continued
I've got the feeling it's going to be a depressing day for privacy advocates. MSNBC reports on the CSEA which, among other things, makes life imprisonment a possible sentence for some hacking offenses.
By rewriting wiretap laws, CSEA would allow limited surveillance without a court order when there is an “ongoing attack” on an Internet-connected computer or “an immediate threat to a national security interest.” That kind of surveillance would, however, be limited to obtaining a suspect’s telephone number, IP address, URLs or e-mail header information—not the contents of online communications or telephone calls.




Neighborhood watch, 1984 style
From the Washington Times:
As part of the country's war against terrorism, the Bush administration by next month wants to recruit a million letter carriers, utility workers and others whose jobs allow them access to private homes into a contingent of organized government informants.

[later] Check out the project's site. The idea is well intentioned, but when you read the propaganda, it's just flat-out scary.


7.15.2002

Two things
Security Focus column on the crypto battle. We're losing.
We expected a golden era of privacy and security, with encryption allowing us to protect our computers and communications from attacks, make purchases with digital cash, and anonymously browse the net. Once crypto was out in the world it would become ubiquitous and could never be restricted again. We even got complacent. We moved onto new battles.


And the Register reports on the security sell-out, hackers following the money trail and big business. It's been amazing to watch an underground topic become a billion dollar industry. [later] Follow up piece in response to a deluge of comments.



Update
Remember the social engineering story from yesterday? Some more digging revealed that I might have been correct. The stuff really happens, believe me.



Operation Dark Screen
Multiple groups will be working together to simulate a cyber attack. At least they're talking; it's hard to get such massive organizations on the same page.


7.14.2002

Oops
Funny story. I was recently onsite with a client company that has fallen prey to social engineering in the past. A call comes in and gets passed to me because it "sounds funny". So I start talking to the guy, who gives his name and callback number. But he's dropping technical terms which don't make any sense and has a bizarre accent. On top of that, I check his callback number and it doesn't match what's listed in the company directory. So I'm thinking I've blocked this little attempt and pretty much cut him off. A job well done - right?

A few minutes later, I do some investigating and determine that the number he gave was actually his home phone number, confirmed that he did, indeed, have a heavy accent and learned that his group was having some major technical difficulties. Whoops. Sometimes we security guys can be a little overzealous.



Serious threats?
A very interesting piece from ZDNet on the threat of a utility hack. They look at why these systems are at risk and what's being done to address the problem. I disagree with the quote regarding the difficulty - it would take a lot of detailed information and some major security holes to pull off. Definitely not a trivial exploit.
Ultimately, McClure and other security experts would like to see the government, as well as the gas and electrical industries, ferret out the underlying SCADA problems--not just patch them. McClure thinks the SCADA problem is as serious as Y2K.




A closer look
What happens when you dig into those surveys popping up in the news? You find out they might be a tad skewed.
Why should we accept the conclusions within studies such as this and the BSA report, when the studies themselves are so contrived? Sponsored by organizations which want to obtain more of our money, and eagerly devoured by reporters who would rather titillate than educate, flawed 'research' doesn't help decision makers better understand what needs to be spent to provide an appropriate level of protection.




Pirates
I read the NYTimes article on warez earlier this week, but forgot to post it. It's a well written look at the inside of the cycle, with multiple viewpoints from both the pirates and the software makers.
Interviews with Mr. Sankus and others involved in the case, including customs and law enforcement officials, offer an unusual glimpse into the world of Internet piracy. It is a community of sorts, with perhaps 30 major groups that issue pirated products by cracking the copy-protection codes of software or making illicit duplicates of movies.