Security Blog
8.16.2002
A few quick ones
The Washington Post reports on some government penetration tests which were rather successful. That's bad because they were testing their own networks.

The consultants, inexperienced but armed with free, widely available software, identified unprotected PCs and then roamed at will through sensitive files containing military procedures, personnel records and financial data.

Next up is a long paper discussing the rapidly approaching security concerns of voice over IP and IP telephony in general. There isn't a lot of research on this topic, so definitely take a look at this one.

The telephony landscape and its relation to society is rapidly changing. When the phenomenon of 'convergence' between telephony and Internet started, it also brought closer the world of the phreaker and the hacker. VoIP brings all this to the next level. Unfortunately, the security inherent in VoIP solutions is equivalent to that of the early Internet: Non-existent.

And finally, a strange story from MSNBC. Evidently Russia has charged an FBI agent with hacking. The strange part? It was done over the course of an investigation. Nothing will likely come of it, but it has some fascinating ramifications for international computer law.

In a first in the rapidly evolving field of cyberspace law, Russia's counterintelligence service on Thursday filed criminal charges against an FBI agent it says lured two Russian hackers to the United States, then illegally seized evidence against them by downloading data from their computers in Chelyabinsk, Russia.

8.15.2002
Busy
Ultra busy at the moment. I have a mound of work to wade through and I'll be out of town for a few days. Posting will likely be scarce, but I'll be checking email and working via 802.11. One other thing - I have an article going up early next week. As soon as I get the link, I'll post it here.

Security - a myth?
Ray Ozzie, of Lotus Notes fame, has a good article entitled The Myth of Cybersecurity. He hits on several important points: how insecure our networks are, liability and secure engineering.

Enterprises need, and must demand, more cellular approaches to trust and secure information-sharing, such as peer trust, webs of trust and fine-grained federated trust. The "Great Wall" approach is outdated, with the distinction between inside and outside becoming blurred. We need alternatives to the firewall and VPN models of protection. We need more layers to truly enhance security. And a new mindset.

Slow
Not much new stuff out there today. The 6th installment of SecurityFocus' No Stone Unturned series is up - a fun (and informative) read.

8.14.2002
FBI Tech
Good article outlining some of the tech upgrades the FBI is looking to implement in the near future.

Yikes

Oooo - multimedia
A first for the security blog - audio. Rob Rosenberger, editor of Vmyths, has uploaded his keynote from CERT 2002. I haven't had a chance to listen yet, but the description sounds intriguing.

In part 1, I bashed a speaker in the audience who "verbally confirmed" the mafia now does hits over the Internet. I also talked about how Al Qaeda might exploit the computer security industry (at least twice!) as idiotic pawns in future physical terrorism events. "Fool me once, shame on you. Fool me twice, shame on me..." In part 3, I described the co-dependent relationship between CERT & NIPC, plus I laid heavily into CERT director Richard Pethia. (Listen for my "hey Richard, as one woman to another..." quip.)

He's confident, no doubt. If I get a chance to listen this week, I'll post my impressions.

Phew
A long day. Not much time to post, but I wanted to reiterate the security engineering topic. If you haven't done so, skim the article below; it's full of examples, good thoughts and some historical tidbits. Hopefully more tomorrow.

8.13.2002
Security Engineering
A LONG article from the Atlantic on Bruce Schneier (courtesy of Slashdot). If you've got the time, it's worth reading. I like it because the crux of the article, and Schneier's message, revolves around security engineering - a crucial concept for the future of this business.

Project Mayhem
Interesting story at Wired on a string of cracks against high profile security names. The bulk of the story revolves around Project Mayhem, a group promoting hacker reform by targeting white-hats.

The break-in at Russell's Thieveco.com site, which is hosted by a Canadian ISP, appears to be the latest in a series of attacks against white hats and prominent figures in the information security profession.

And later, some insight into the group itself:

"The only real difference is that the el8 guys are not script kiddies. Nothing has changed, other than the bar has been raised," Manzuik said.

Interesting stuff. Check it out.

A lack of viruses?
Here's a piece wondering why there hasn't been a major virus this year. First - knock on wood. Secondly - I still see dozens of Nimda and Code Red variants in my logs every day. They're still out there.

A number of explanations could help explain the downward trend. Corporations are taking extra steps to shore up their computer networks, a development the anti-virus community points to as a big victory, and they have limited employees' email freedoms.

I think businesses and people have gotten smarter about protecting themselves. It's not too hard if you follow a few, basic steps.

8.12.2002
Hey kids, don't hack!
Jason sent this odd link to some anti-hacking propaganda from the government. Pretty amusing.

If you like computers, don't use your brains to hack systems, invade other people's privacy, and take away their networks. Hacking can get you in a whole lot more trouble than you think and is a completely creepy thing to do. If you're so smart, use that computer to do great things!

Hacker speech
The Register is running an interesting report of a speech given at DNSCON, a UK hacker conference. It contains some interesting insight into the hacker community and motives.

Hacking is an intellectually challenging, obsessive activity for solitary geeks - and one thing it should never be is about bonding with other hackers, he told us.

And a little later:

Point and click tools are dumbing down hacking, so many script kiddies are now attacking sites running code they don't understand. Gus deplores this trend, which he believes is getting worse, but controversially said the s'kiddies have more right to call themselves hackers than people who post code on BugTraq or take part in discussion forums because "they're actually out there hacking".

I just finished an article about this topic. Funny, both hackers and professionals loathe the script kiddy.