Security Blog 


8.9.2002

Slow news day
Not a lot coming off the wires. I'm researching a new article, but will post anything interesting.


8.8.2002

Who would have thought?
A shocking report (wink wink) on the wire this evening. The FTC and Microsoft agree to make several changes to the Passport system, which collects more info than previously thought.
The settlement addresses allegations that Passport collects too much information, uses unfair or deceptive practices, and fails to adequately protect the privacy or security of personal information, particularly of children. The FTC's investigation and settlement came in response to a series of complaints made against Passport last summer, said agency chairman Timothy Muris.

I'm certain everything will be OK now. Not. When will MS realize that people are starting to place real value on privacy? Any company that respects our concerns is sure to do well in this day and age.



NASA compromised
Computerworld reports on a big NASA crack. Supposedly they've confirmed the claims of a Brazilian cracker known as Rafa by examining a series of stolen documents.
However, a hacker known only by the nickname RaFa, a former member of the now defunct World of Hell Hacker gang, uploaded to a Web site more than 43MB worth of documents, including a 15-part PowerPoint presentation that included detailed engineering drawings. The documents also included detailed mechanical design information on the COBRA space shuttle engine design program, and the risk reduction plan for the Boeing TA4 Advanced Checkout, Control & Maintenance System (ACCMS). The ACCMS is essentially the ground control system for the next generation of space shuttles.

Stories like this concern me. If this was pulled off and made public, what remains unknown? It's kind of scary - especially considering the Wired story from last week on crackers who infiltrated Akami for over a year. They were brought in on unrelated incidents, then spilled the beans. Really good crackers who hang out in chatrooms and brag aren't scary. Really good crackers who never say a word are.



Blog M.O.
I'd like to provide more commentary, opinion and editorial pieces. Help me out - send feedback. I'll still gather interesting news, but will attempt to provide more insight.



Cyberattack. Says who?
Wired reports on an NIPC cyberattack warning. The problem? It seems that although the feds successfully "predicted" and "responded" to the attack - no one else noticed it.
Since the NIPC doesn't have a sterling reputation among many security experts, more time and energy was devoted to attempts to figure out what might have induced them to issue their latest alert rather than hardening websites and systems.

Some believe that the latest NIPC warning may have been a rather desperate move made in the hopes of gaining publicity and proving the agency's value.

The article speculates that the attack was launched by a group of Italian teenagers with little skill. Sounds like grandstanding and PR moves to me.



Late posts
I'm running a little behind today due to a meeting, so I haven't had a chance to hit the news yet. SecurityFocus is running two new articles at the moment. Jon Lasser has an interesting piece on open source. He says the SSH trojan incident from last week was a wake-up call for the free software community. Paul Schmehl takes a look at malware and the future of the virus - very interesting.


8.7.2002

Crypto DB
O'Reilly's running an interesting piece on translucent databases - db's that use encryption to secure the information they contain. It's a fascinating topic, but something you don't see implemented very often, if at all. Definitely a topic to keep an eye on.
A translucent database uses cryptographic methods like hash functions and public key cryptography to mathematically protect information so that it cannot be wrongly divulged -- not even to a crooked database administrator. Translucent databases provide for unparalleled protection of sensitive information, be that information personal, corporate, or academic. Yet, with one notable exception, translucent databases are practically unknown and unused in IT today.
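To make the idea concrete, here is an added example (my own illustration, not code from the O'Reilly piece or from any translucent-database product) of the hash-function half of the technique: a clinic booking table where the database administrator can see how busy each appointment slot is, but cannot tell which patient holds which booking. Identifiers are stored only as HMAC-SHA256 digests, with the key held by the application rather than the database. The class and function names, the key-handling comment and the sample bookings are all constructed for this example.

```python
import hashlib
import hmac
import secrets
from collections import Counter
from typing import Dict, Optional

# Constructed sample data: a clinic booking list. Whoever runs the database
# server should see slot load, but not which patient holds which booking.
SAMPLE_BOOKINGS = [
    ("Alice Example", "2002-08-12 09:00"),
    ("Bob Sample", "2002-08-12 09:00"),
    ("Carol Placeholder", "2002-08-12 10:30"),
]


def _normalize(identifier: str) -> str:
    """Canonical form so 'Alice  EXAMPLE' and 'alice example' hash alike."""
    return " ".join(identifier.lower().split())


class TranslucentBookings:
    """Booking table keyed by a keyed hash (HMAC) of the patient identifier.

    The HMAC key lives in the application tier, never in the database, so a
    table dump shows only opaque digests next to slot times. Names and phone
    numbers are low-entropy, so an unkeyed hash of them could be reversed by
    guessing; the secret key is what stops that.
    """

    def __init__(self, app_key: bytes) -> None:
        if len(app_key) < 32:
            raise ValueError("application key must be at least 32 bytes")
        self._key = app_key
        self._table: Dict[str, str] = {}  # digest -> slot; this is all the DB holds

    def _digest(self, identifier: str) -> str:
        data = _normalize(identifier).encode("utf-8")
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()

    def book(self, patient: str, slot: str) -> None:
        self._table[self._digest(patient)] = slot

    def slot_for(self, patient: str) -> Optional[str]:
        """Only a caller holding both the key and the name can reach this row."""
        return self._table.get(self._digest(patient))

    def cancel(self, patient: str) -> bool:
        return self._table.pop(self._digest(patient), None) is not None

    def raw_rows(self) -> Dict[str, str]:
        """The administrator's view: a copy of exactly what is persisted."""
        return dict(self._table)


def slot_load(rows: Dict[str, str]) -> Counter:
    """An aggregate that stays answerable from the raw rows, with no key."""
    return Counter(rows.values())


def contains_plaintext(rows: Dict[str, str], names) -> bool:
    """Sanity check: does any identifier appear in what the DB stores?"""
    blob = "\n".join(f"{k} {v}" for k, v in rows.items()).lower()
    return any(_normalize(n) in blob for n in names)


def demo() -> dict:
    # In a real deployment the key comes from config or a KMS outside the DB.
    app_key = secrets.token_bytes(32)
    db = TranslucentBookings(app_key)
    for name, slot in SAMPLE_BOOKINGS:
        db.book(name, slot)
    rows = db.raw_rows()
    return {
        "alice_slot": db.slot_for("alice  EXAMPLE"),   # key + name: found
        "unknown": db.slot_for("Mallory Nobody"),      # not a patient: None
        "load_0900": slot_load(rows)["2002-08-12 09:00"],  # admin can count
        "leak": contains_plaintext(rows, [n for n, _ in SAMPLE_BOOKINGS]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The public-key half of the article's description (fields that anyone can write but only a key holder can read) is not shown here; it needs a real asymmetric library rather than the standard library. The design point that carries over is the same either way: the secret that makes the rows readable must not be stored alongside the rows.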




Encrypt, encrypt, encrypt
There are some questionable statements in this article on email security, but the overall message is good. Everything you send is much like a postcard - someone who wants to read it, can. Encryption is the only way to protect yourself.
The fact is that most e-mail -- including the most sensitive messages from doctors to patients, lawyers to clients -- is floating around in cyberspace like open postcards.

I should add that doctors and lawyers won't be able to do that much longer, thanks to sweeping security changes in their respective industries.



DEA data thief
Kevin Poulsen of SecurityFocus reports on the DEA agent who sold information to PI's.
A 14-year veteran of the U.S. Drug Enforcement Administration pleaded guilty Monday to selling sensitive data from federal law enforcement computers to a Los Angeles private investigations firm working for the insurance industry.

Quite an abuse of power. And a privacy concern we all need to be aware of.



MS security push
Since security is the only thing selling at the moment, Microsoft is looking to break into the market. The release makes it sound like they're pushing new products, not the secure initiative they've been talking up since spring. Why don't they fix their other products first?
Microsoft Corp. is poised for an onslaught into the security software market that could displace many of the sector's leading vendors, IDC analyst Chris Christiansen forecast Tuesday during a keynote address here at CIBC World Markets' Enterprise and E-Business Software Conference.



8.6.2002

Titles
Ooooo. Tasty.



Kinks
Working out the kinks in Blogger Pro - give me a little while to get everything going again.



Woohoo
After much cajoling, Scott, AHEM, Jiri, AHEM - I've updated to Blogger Pro in order to get the RSS feed. I am playing with it - check it out.



Wifi
Look for the WiFi Security Project to go live tonight. This will house the project discussed last week: guidelines for maintaining an open, secure hotspot. Share the access and protect yourself.



Defcon
I've been reading highlights from this year's DefCon. Evidently there was a wardriving contest. Las Vegas must be in shock - hundreds of hackers probing their networks for days. Eeeeek!



DMCA commentary
From Mark Rasch of SecurityFocus:
The problem with the DMCA lies in the awkward definition of a "technological measure" designed to protect a copyrighted work. Although geared at copy protections, it is broad enough to include passwords, source code or anything that either prevents access to a copyrighted work, or protects any of the rights of a copyright holder.




Busy
Very busy lately, which explains the lack of posts. I just finished an article for SecurityFocus which I hope will be published later this month. I'll let you know. Currently, I'm researching several topics for a new paper I hope to release in the next few weeks. It's on exploits of the near future. I should hit the news hard today in order to catch up, so check back soon.


8.5.2002

On HIPAA
Here's a link to the HIPAA article I'm quoted in, mentioned last week on the blog. It's a nice look at how HIPAA is affecting local companies, including my own.
As the deadline looms for compliance with a federal health insurance and patient privacy act, some local companies are seeing dramatic increases in their business.



8.4.2002

Wifi security project
Updated the project page to reflect the wifi security standards discussed last week. I'm deciding on the best way to organize it: blog, PDF, et cetera. Send me your suggestions. Remember, we're trying to outline a way you can manage a public hotspot, but still protect yourself and your network.



Life without broadband
Sorry for the lack of posts this weekend; my access has been up and down. More consistency tomorrow, I promise.