Security Blog 


8.23.2002

Cyberterrorism
If it's your thing - check out this PC World piece, which is full of scary gloom-and-doom scenarios. It stems from the SECTOR5 conference taking place this week.
WASHINGTON--At the inaugural SECTOR5 conference that opened in Washington, D.C., Wednesday, the talk of cyberterrorism is talk of an IT doomsday. In it, weapons of mass disruption replace weapons of mass destruction, and instead of a "dirty bomb" filled with radioactive material hitting a city, terrorists pack "logic bombs" in their bag of nasty tricks.

Too much fire and brimstone for my tastes.



Morning read
Two quick ones to start the day. Seven Deadly Security Sins - a good list of standard concerns we all need to address. And Richard Forno of SecurityFocus writes a letter to CIOs. If you're a CSO or security guru - forward it to your boss.
Our three guiding principles are to serve the business by ensuring the confidentiality, integrity, and availability of the systems under our responsibility. As good security practitioners, it’s our duty to think like the bad guys, and figure out how they might cause damage to our corporate information environment.



8.22.2002

SE Linux
A troubling report from one of the three-letter agencies - the NSA is dropping SE Linux. I wish there were more details - instead only a nebulous quote.
Deputy Director Schafer said that the GPL issue created so many problems for the security agency that “we won't be doing anything like that again.”

If we only knew the whole story. Was it actual security concerns? Or lobbying by MS?



Slow
I'm still reviewing old material, but not a lot of stories have caught my eye. So I'm not being lazy, just picky.


8.21.2002

Deep trouble
Remember the Washington Post story mentioned here on the 16th? The security company which found all the flaws on the government's network - they didn't have permission and were not under contract! Unbelievable. FBI, Army and NASA officials recently paid them a visit, according to this Post follow-up.
Federal law enforcement authorities searched the computers of a San Diego security firm that used the Internet to access government and military computers without authorization this summer, officials said yesterday.

Investigators from the FBI, the Army and NASA visited the offices of ForensicTec Solutions Inc. over the weekend and on Monday, seeking details about how the company gained access to computers at Fort Hood in Texas and at the Energy Department, NASA and other government facilities, officials said.

The searches began hours after The Washington Post reported that ForensicTec consultants used free software to identify vulnerable computers and then peruse hundreds of confidential files containing military procedures, e-mail, Social Security numbers and financial data, according to records maintained by the company.

You have to wonder what they were thinking. I hope a government investigation is worth whatever publicity they got.



Phreakers in Vegas
I've been following the Sprint-Vegas story for several months via Kevin Poulsen's reporting at SecurityFocus. I never thought anything would come of it - but evidently that might not be the case.
Citing the "compelling, credible testimony" of ex-hacker Kevin Mitnick, state officials urged Nevada regulators to force a series of dramatic security reforms on Las Vegas telephone company Sprint of Nevada last week, as final arguments were filed in the case of an in-room adult entertainment operator who believes he's being driven out of business by phone hackers.

And to think, it all started with an "adult entertainment manager" complaining that competitors were stealing his incoming calls.



Backlog
I'm trying to dig out from the mound which piled up while I was away. Apologies for the lack of posts, I'll be sure to pass along anything interesting I find playing catch-up today. I did have an article go up today at SecurityFocus - Introduction to Autorooters: Crackers Working Smarter, Not Harder. Please take a look and let me know what you think.
Efficiency and automation: one can argue that they are two of the most valuable by-products of any technology. There is little doubt that the electronic tools of today allow us to get more done in less time. We use software to eliminate tedious work, reduce man-hours, and sift through mounds of data in seconds. Crackers, as we know, are smart... and lazy. It should come as no surprise then that they too, have employed technology to reduce their workload. The result? A type of malicious code known as autorooters, programs designed to automatically scan and attack target computers at blistering speeds.