IDG reports: "Microsoft Corp. has pulled an update to security software from its Web site after some users who downloaded the code saw their Internet connections go down.
. . .
The problems caused the update to think it was under attack, so it responded by blocking all traffic."
Sweet! There's one way to secure your connection. One more data point indicating that MS' mulling of external testing for patches and updates should be upgraded to a "Do".
ComputerWorld reports "the California State Senate passed a bill Thursday that would transform spam from a misdemeanor to a felony offense and cost spammers an estimated $500 per unsolicited e-mail sent."
The Bill is called SB12 and works on an opt-in model. Just think about the repercussions: lawyers can chase 'spammers' instead of ambulances now. More seriously, though, if this can be acted on and enforced, the $500 per email fee could be a strong deterrent that may make many spammers think twice before hitting the send button.
That's John Callas, CTO of PGP Corp, on the multiple password issue. The whole article is a good read, quoting a poll by searchsecurity.com that found "77% of respondents had six or more passwords to remember for their jobs."
The password issue's a tricky one. The proliferation of password-based access to data, networks, and applications has left almost all users with the problem of password juggling. SSO and other attempts to reduce passwords have their own problems, single point of failure being one of the nastiest.
If I had a solution to the problem, I'd be a wealthy woman. In the meanwhile, companies will do well to train their users on how to select secure passwords and, something that's often overlooked, instruct users not to use these passwords for external access. While cracking a password for an internal corporate system may be fairly difficult, cracking a password for a hotmail account, depending on the vulnerability du jour in the hotmail system, often isn't. If an employee is re-using internal passwords for access to external information, there's a potential vulnerability.
So train users to guard their internal passwords carefully.
Short and sweet run down on what to think about before selecting a VPN solution for your company's remote access.
One of the biggest considerations with IPSec is that client software is required. SSL VPNs traditionally use the browser as a client. While this increases mobility (any terminal with a browser will work), it requires data and applications to come through the browser presentation layer. The referenced NWFusion article states that file sharing isn't native to most SSL VPNs, which is true, but there are products, such as Citrix Metaframe, that enable file and disk sharing support, as well as access to legacy applications through a browser portal, which can make the SSL option more useful for enterprises.
This Searchsecurity.com article presents the pros and cons of Clarke's patch clearinghouse proposal.
What's Chris so shocked about? That the University of Calgary is offering a course that "will focus on developing malicious software such as computer viruses, worms and Trojan horses."
The professor offering the course argues that to be able to combat malicious code students need to understand how it works. This isn't a new concept; any good security professional needs to know how attacks work in order to know how to defend against them. But the wording of the release has got some security professionals alarmed since it could be construed as a way to train virus writers rather than preventers.
What I find most bizarre is that the University feels the need to market themselves like a product and issue press releases about course offerings. Is their enrollment that low?
Mark Ishman, a North Carolina lawyer, started a group called Triangle Law Center in February of this year. This month Ishman's Triangle filed a class action lawsuit against the major credit card firms for violating "Section 1962(c) and 1962(d) of the Racketeering Influence and Corrupt Organizations Act, Section 16 of the Clayton Act, Section 2(a) of the Robinson-Patman Act" among other things.
I believe this is in direct response to something that small web merchants have been dealing with, unhappily, for a long time: the liability for chargebacks. If a consumer claims non-delivery of an item ordered over the web, because it is considered a CNP (cardholder not present) transaction, the merchant is responsible not only for the cost of goods but must also pay the card issuing banks a chargeback fee of, generally, $25. The ensuing revenue loss can add up for a small merchant pretty quickly.
I did a webcast for ITWorld that talks about this issue and some mitigation techniques. It can be accessed here: http://smallbusiness.itworld.com/Webcasts/.
FCW quotes an Input report that predicts a 43% increase in the US Government's security spending.
As Sky Masterson would say, that's a lotta lettuce.
Vendors hoping to get some of it should look at FIPS compliance, especially 140 and the emerging 199 since most gov't agencies do require adherence to these standards.
Citibank and their customers are the latest victims of a spam/redirection attack.
In the past the email subject, misspellings in the email, and link URLs have been dead giveaways that the email is fraudulent. But recent spams have become more sophisticated in an ongoing effort to trick users into parting with their account and password information.
It's becoming harder for users to discern what communications are legitimate. Best rule is to *never* click a link that doesn't look valid and don't give out any account information unless you've typed in a site's URL yourself and are sure it's a site you trust. It's not a 100% guarantee, but it's a start.
Bob Brown's article, Scare Tactics, implies vendors are only FUD-ding to make sales. And it's true, a lot of vendors fear monger to boost revenue. But not all.
The risks are real. I started out my tech career as a sys admin and spent close to 10 years inside companies trying to help them keep their business running efficiently with technology. I didn't set out to become a security professional, but I quickly learned that to be the best sys admin, and then systems architect, I could, I had to know security inside and out and then some.
For a business to run, risks have to be managed. There's no need to spend millions to protect thousands; that's basic cost/benefit analysis. But pooh-poohing threats as nothing but vendor FUD is a big mistake.
MS has teamed up with NAI and TrendMicro to provide up to the minute virus information on their site. This is an interesting move because it leaves out the other big player in the AV triumvirate, Symantec. It makes a lot of sense for MSFT to partner with AV companies; it gives them the AV information they need while helping to boost awareness of the other companies. I do wonder how nicely Trend and NAI will play together in this alliance in the long run though. And how, or if, this will affect SYMC AV sales.
Hot on the heels of the recent Qualys announcement, Ecora, the change and configuration management company, is offering NetExplorer, a tool that they claim will allow users to "Discover just about every type of device running within a specified IP range, giving you a complete, up-to-date inventory of your network. NetExplorer can also scan all TCP and UDP ports to close potential security holes before someone else finds them."
This points towards a convergence in the market that's been a long time coming: change, network, and configuration management solutions getting more tightly coupled with vulnerability scanning and remediation.
Nokia has announced they'll start shipping Wi-Fi capability on their phones.
eWeek reports -"The Pentagon's research arm, in a report released Tuesday, changed the name of its mammoth electronic surveillance project following public outcry, but concerns that the project will unnecessarily invade privacy without necessarily improving national security remain strong."
TIA used to stand for Total Information Awareness and now is Terrorism Information Awareness. Oh yeesh. Does the government think that by swapping in the term terrorism the public will embrace being surveilled? "It's okay, Ma! They're not invading our privacy, just looking for terrorists!"
Qualys announced an online network mapping and vulnerability scanner called FreeMap yesterday. Called by some a 'souped up' version of Nmap, the Qualys tool allows registered users to map their networks via a web browser, for free. Qualys also offers online vulnerability scanning.
While it can be argued that these tools make it easier and easier for attackers to perform reconnaissance on networks, that's nothing new. Skilled hackers have had recon tools like these for years and 'ankle-biter' hackers have benefitted from advances in network discovery.
As usual, the old adage applies for security admins: use these tools yourselves. Education is the best protection.
NB: I was unable to test out FreeMap because it would not run with my OS and browser.
Avivah Litan and the Gartner team have recommended that "financial institutions, credit companies, online retailers, and anyone else using Passport for any 'meaningful' business purpose immediately either 'break all Passport connections' until November, or invest in 'an additional, more secure form of authentication for all Passport identities.'"
Strong words! Reminiscent of Gartner's recommendation that companies seek alternatives to IIS back in September '01.
Yes the MS Passport breach (see May 8th's blog entry for more info) is major, but Litan's warning seems a little out of place considering very few banks and FIs were using Passport for business transactions. If any readers know of ones that were, I'd be interested to hear about them.
Ellen Messmer provides an update on Cisco's current state of integration and future plans for the recently purchased Okena technology.
"Cisco Systems Inc. on Monday will launch a series of new and enhanced security management and virtual private network offerings.
Among the new offerings is the Cisco IP Solutions Center V 3.0, which allows users to set up common configurations for multiple VPN devices from a central location and push those out to remote sites. The tool also allows the VPN tunnels to be pushed out from a central location to remote locations, according to early user Carol Henson, director of IT for the U.S. Department of Agriculture, Rural Development, in St. Louis."
It's about time Cisco started offering this kind of remote control for VPN deployment.
InfoWeek reports on The451's assessment of SAN security. They cite, in part, the complexity of the SANs as a cause of the problem.
This underscores a refrain that most people who've heard me speak on security have heard before: "There's no business without security." No matter what the business need, be it storage, collaboration, knowledge management, etc., it has to be secure to be reliable and run properly for the business. Security on the edge isn't enough. Companies that say, "we're secure, we've got a firewall and use SSL on our web site" don't get it.
Security is the foundation of business, or, more correctly, risk management is. SAN needs to be secured and so does every other facet of the organization. From the way people are trained, to the way data is managed, to every line of code in the applications used. Until businesses accept this fact, and act on it, stories like this "Ooops, SAN isn't secure" article are going to continue to appear and unexpected vulnerabilities will plague enterprises in a costly way.
Reports are that Trinity runs NMAP in "Matrix Reloaded" to discover vulnerable SSH. But since the Matrix is run by machines does that mean that even the machines in AD 2800 haven't figured out how to manage patching?
Though it makes for geeky fun to see NMAP find an SSH vulnerability in a big Hollywood movie, this is a reminder that patch management is a very real problem today. Failure to patch leaves systems vulnerable, and while it's a stretch to say this leaves the human race at risk, as it does in the "Matrix" trilogy, it definitely leaves corporate servers and data vulnerable.
Secure phones no obstacle to wiretapping - US Govt.
The Register quotes from the recent US gov't report on wiretapping and provides comments and analysis from crypto-pundit Bruce Schneier.
In a recent email, Lisa Phifer writes:
"Sometime last week my neighbor installed a new AP, so when AirDefense spotted it, it was news to me. That prompted me to take a little drive around the neighborhood, AirMagnet in hand. Would you believe that the highest concentration of WLANs is on my little street (6 homes out of 32 in the neighborhood) - and that's not counting my own APs? The encouraging news is that several are using WEP and/or MAC ACLs. In the past, I've seen mostly wide-open APs in residential neighborhoods. Perhaps there IS hope for security after all!"
Hopefully this indicates a general trend and home users (and corporations!) are getting the message about taking some basic security measures to protect their WLANs.
"Internet users want to keep their personal information private, but they want privacy tools to be cheap, easy to use and nearly invisible."
Well, yes, don't we all. But there's the old catch-22 that's been dogging security and privacy for years: if customers won't pay for the technology, where's the incentive for vendors to provide it? Easy to use and invisible tools have a much better chance of coming to market if end-users are willing to pay.
These folks have a SOHO/SMB line of VPN/Firewall appliances and NAPT (Network Address & Port Translation) technology designed to get around some of the problems with NATting on VPNs.
Interesting that Symantec has acquired a smaller player aimed at the mid-tier, since they've been very concentrated on gaining traction in the large enterprise space. On the other hand, the companies have had a licensing deal for a while, with SYMC using some of the Nexland technology in their VPN/Firewall line.
An IDG News Article at NW fusion reports: Fake bank Web site scam reaches U.S. This one targeting Bank of America customers. Though it could have been any bank.
Take a look at the URL of a site before entering personal information. It's not a foolproof protection, but it's a great place to start.
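The Citibank spam/redirection post above and this Bank of America one both come down to the same advice: look at the link before you trust it. As an added example (not from the original post or any vendor), here is a small Python checker that pulls the links out of a constructed HTML message and flags the tricks those mails rely on: a bank name stuffed into the userinfo part before an IP address, a bank domain used as a subdomain of an unrelated host, and link text that names one domain while the href points to another. The trusted-domain list and the "last two labels" notion of a registrable domain are assumptions for the example.

```python
"""Flag suspicious links in an HTML e-mail body (added example, offline)."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message: two phishing-style links and one legitimate one.
SAMPLE_HTML = """
<p>Dear customer, please
<a href="http://www.citibank.com@203.0.113.7/login">verify your account</a>.</p>
<p>Or visit <a href="http://citibank.com.security-check.example/">citibank.com</a>.</p>
<p>Statements: <a href="https://www.citibank.com/">https://www.citibank.com/</a></p>
"""

# Assumption for the example: the domains the recipient actually banks with.
TRUSTED = {"citibank.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    # Simplification (assumption): treat the last two labels as the owner's domain.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_link(href, text, trusted_domains):
    """Return a list of reasons a link looks deceptive; empty means nothing found."""
    parts = urlsplit(href)
    host = parts.hostname or ""
    owner = registrable_domain(host)
    reasons = []
    # http://www.bank.com@203.0.113.7/ : the bank name is the username, not the host.
    if parts.username is not None:
        reasons.append("userinfo before host")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address host")
    except ValueError:
        pass
    if parts.scheme != "https":
        reasons.append("not https")
    # citibank.com.security-check.example : trusted name is only a subdomain label.
    for trusted in trusted_domains:
        if trusted in host and owner != trusted:
            reasons.append("trusted domain name embedded in other host")
    # Visible text shows a domain that differs from the real destination.
    shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", text.lower())
    if shown and registrable_domain(shown.group(0)) != owner:
        reasons.append("displayed domain differs from link host")
    if owner not in trusted_domains:
        reasons.append("host not in trusted list")
    return reasons


def scan_message(html, trusted_domains):
    """Return [(href, reasons)] for every link in the message that raised a flag."""
    extractor = LinkExtractor()
    extractor.feed(html)
    flagged = []
    for href, text in extractor.links:
        reasons = assess_link(href, text, trusted_domains)
        if reasons:
            flagged.append((href, reasons))
    return flagged


if __name__ == "__main__":
    for href, reasons in scan_message(SAMPLE_HTML, TRUSTED):
        print(href, "->", "; ".join(reasons))
```

A mail gateway could run the same check on inbound HTML and quarantine messages whose links trip the userinfo or embedded-domain rules, which catch the two constructed phishing links while leaving the genuine https://www.citibank.com/ link alone.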
"Verisign now has the ability to shut down any registrar that conducts and displays the results of multiple TLD availability queries for a domain name. And, of course, any registrar who reads this article is now on notice of that fact."
It's a pretty good bet that the patent office didn't understand the potential repercussions of this. As one of the commenters quipped: "The USPTO has been granting patents to the most mind-numbingly obvious concepts, as long as they involve computers or the Internet."
Check out the discussion at ICANNWatch.
I'd go a little farther on this one: it's not just unlicensed wireless that's vulnerable, it's any WLAN that isn't using strong authentication, ACLs, and encryption to protect the data in transit.
Some sensible insights from Barbara Simons of the ACM in this article. The problem with this kind of legal protection is that it prohibits researchers and security professionals from being able to explore and publish/raise awareness about weaknesses. The cryptographic community has benefitted for a long time from independent researchers who try to crack published algorithms and expose ones which are flawed.
The people who are trying to crack copy protection software illegally are generally in stealth mode and rarely caught. There should be a strong definition of what constitutes acceptable use and research while still allowing for prosecution in cases of truly illegal activity.
Big news surrounding the Fizzer worm and the Cisco VPN 3000 vulnerabilities. Fizzer was on the front page of one of the local Boston papers this morning.
There's no doubt both of these are nasty, but there are mitigation techniques and updates available. The links above lead to Symantec and Cisco fixes for Fizzer and the VPN problems respectively.
For other Fizzer-concerned AV users, check out the following, or whichever vendor solution you use, for updates.
Some analysts attributed part of the downturn in IBM's mainframe hardware business this year to IT departments that were waiting for T-Rex's (a/k/a z990) release.
There's no question that mainframe capabilities are not going to go away, nor are mainframes themselves, for a good long while. Just step into most large corporate data centers for proof. The legacy is there and re-writing all those applications isn't going to happen overnight. And the humorously named T-Rex (IBM=Dinosaur) has a lot going for it that existing mainframe users will appreciate, 32 processors and 15 partitions for a start.
However, there's the question of whether the new T-Rex will be where companies put their upgrade and forward-looking, web-services oriented money. Or will they move towards solutions like high-end Unix and the MS Windows 2003 Server running on the UniSys ES7000/500 series? z/OS is by no means extinct, but it remains to be seen if T-Rex will save it from becoming so over the next few years.
"Sendmail Inc. joined forces with Hewlett-Packard Co. and Intel Corp. to announce Monday a joint offering to bring e-mail to deskless workers, mostly in the health care and manufacturing sectors."
Whether using this recently announced Sendmail/HP solution, or another mail solution for deskless and wireless workers: a friendly security reminder. Wireless and other mobile workers usually access email over an insecure and unprotected link. For companies that don't want to, or can't, protect the traffic using a VPN w/encryption, at least encrypt the mail from the server to the client. This is especially important for sectors like healthcare where private data is often exchanged via email.
Sendmail supports TLS (transport layer security) via its Mailstream manager, and most mail clients and servers support some kind of SSL (secure sockets layer) encryption as well.
The always tart "Register" calls out the problems with T-Mobile's wi-fi from Starbucks business model. It didn't work for the now defunct MobileStar either...
More Checkpoint, this time embedded on a blade for installation directly into servers. Coupled with the 'application layer' input validation announced below, it drives security into a corporation's networks and directly to servers.
Cisco announced firewalling on blades last year, but the blades go inside switches rather than the servers themselves. Putting the firewalling/VPN blades in the switch rather than the individual servers reduces the need for hardware, but depending on the corporate requirements and switch availability, a PCI card like the IBM/14 South solution could be a better fit.
As this article points out, this is a direct response to market demand as well as Cisco's Okena and NAI's Entercept purchases. Also, checking for expected and valid http input starts to put the firewall's functionality into the space covered, in part, by 'application firewall' vendors like Sanctum and KaVaDo.
Entercept is an OS level intrusion prevention technology that sits on the host, not on a gateway firewall. So it does serve a similar business purpose but approaches the solution in a different manner.
Checkpoint's approach is something that firewalls really should have been doing a long time ago. One question, though, is going to be how and if this affects the firewall's performance. Checkpoint has built a reputation on speed and ease of use, and doing additional data inspection can affect throughput if it's not architected properly.
"That Apple's store sold a million tracks in the week following its April 28 launch apparently shocked record executives, who said they would have been satisfied with a million in a month."
. . .
"Singer-songwriter Janis Ian, a Grammy Hall of Fame inductee and vocal critic of her industry's anti-piracy tactics, is thrilled by Apple's offering.
'You can't call it visionary because they should have come up with this five years ago,' she said. 'It's ironic that a computer manufacturer is teaching the record industry the next step, and so far, that's what's happening.'"
Yup.
"Spam is already plaguing some wireless devices in the U.S., despite claims at a spam forum in Washington, D.C., last week that the nation was behind others at least in that one type of unwanted commercial e-mail.
PDAs that allow users to download their e-mail, such as BlackBerry devices, have the same problems with spam as "wired" computers, but have the added problems of cellular-phone spam, because PDA users may be paying per-minute charges to download the junk e-mail."
This article discusses ways to use Spam filters to eliminate corporate email spam which will reduce replicated Spam to BlackBerries and phones, but there's not much discussion about what to do with direct SMS spam. Partly, that's because the US hasn't been hard hit with SMS spam attacks. Yet.
Japan and the EU have. The EU considered SMS spam-bans but settled on a simple "opt-out" solution. At this point, there simply aren't a lot of controls to prevent direct SMS spam in the US. But as the problem grows, which it will, wireless providers, if not the FTC, will need to put in place ways to keep it in check.
Watch for one of the drivers to be economic: since many people pay per text message or have only a limited number of free ones, most will request chargebacks for SMS spam from providers. This will increase customer support calls and likely drive wireless providers to stem the tide of SMS spam when it hits the States.
While watching my dogs play in the park this morning I was thinking about Napoleon in "Animal Farm" and the way the phrase "All animals are equal" morphed into the scary and ominous, "All animals are equal, but some are more equal than others." (One of my dogs is quite clever and very strong and she invariably gets all the best toys to chew and chase.)
Unlike the hierarchical canine world and most political constructs, the 'net is a place where equality does seem to work. Proprietary networks such as the original AOL and MSN gave way to open standards and HTML. And the rise of blogging and RSS feeds into news readers is becoming a way of 'net life. Push technology comes to mind. It was supposed to be the future and desktops were lousy with PointCast and other 'push' clients. After millions of downloads, PointCast sent their final 'push' in February 2000.
Was that the end of targeted and focused delivery of information to desktops? Not at all, it was only the beginning. Next generation news readers and RSS feeds deliver exactly what people want to see when they ask for it. And anyone with access to the 'net can set up a blog and an RSS feed for little or no money. Everyone can join in and consumers have the final say over what information they see.
And the normalization makes every headline feed look the same. My friend's posts come into my reader in the same format as CNet's and The New York Times'. Readers choose what to click on for more details based on the quality of the information, not the flashiness of the delivery. In some ways, with push some were more equal than others; with RSS, all 'bloggers' are equal.
"Sooner or later it had to happen. Microsoft is putting a lot of money into Digital Rights Management, and expects to get a lot more money back out so long as it can persuade consumers that DRM is their fluffy friend, and most certainly not a fiendish plot to allow the music companies to squeeze even more money out of them. This time, the knife was pointing at Steve Ballmer when it stopped spinning, so the prez's name went onto a DRM apologia sent out as Microsoft's regular customer information email."
Yup, the public is starting to twig to the fact that some of the Trusted Computing and NGSCB work over at MS could well mean loss of control over data on their computers. While most people are against out-and-out piracy (granted there are plenty that are all for it, but let's leave them out of the discussion for the nonce), that doesn't mean they want to lose control of the data they've paid for. Most consumers want to be able to reproduce legally paid for music files for different form factors (a legal CD purchase that's loaded on an MP3 player for gym time listening, for example). To take that freedom away won't sit well at all.
I think MS should concentrate on DRM for IP inside enterprises and leave the RIAA and personal data issue out of it. This article isn't the first to indicate that a big storm is brewing with the public. MSFT should pay careful attention. When the buyers speak loudly enough, vendors must listen.
"A serious security flaw in Microsoft's Passport service put customers' accounts, including their personal information and credit card numbers, at risk of being hijacked.
The flaw, in Passport's password recovery mechanism, could have allowed an attacker to change the password on any account to which the user name is known. The flaw was disclosed late Wednesday night on the security mailing list Full Disclosure."
According to the article, the first thing MS did to control damage was to shut off valid users' ability to reset their passwords! Fairly disturbing. MS takes a lot of heat on the security front. And while their recent efforts to increase OS and application security are laudable, application logic flaws like these aren't acceptable in widely distributed security solutions, especially ones that hold high value data such as credit card information.
MS has come a long way with their security, but as this flaw highlights, they still have a way to go.
"Enterprise IT departments prefer best-of-breed security technologies. That's been a statement of fact for as long as it has taken information technology to evolve from the mainframe to the network.
That statement of fact may not be holding water for much longer, however. Rumblings of all-in-one security appliances are getting louder as companies, vendors and analysts wonder how much they can integrate into a single box."
This article exposes a confusion that is persisting in the security space. Does the term appliance have to mean integrated? The answer is no, but it's a little hard to discern from a lot of writing. An appliance, such as a 1U or 2U unit or a blade can house just a 'best of breed' solution. There are two issues here, but both fall under appliance and the market needs to separate them.
One: integrated appliance. This is a 'swiss army knife' solution that houses multiple security products on a single unit.
Two: single use appliance. A 1U, 2U, or even a blade that comes pre-loaded from the vendor with a 'best of breed' solution.
There are pros and cons to both solutions, and even to software only solutions, but the market needs to make a strong distinction between integrated v. single use appliances. In the future more companies will be looking for software that ships on hardware, whether that hardware holds integrated or single use security applications is another matter.
"It's highly unlikely that the United States will experience a crippling "digital Pearl Harbor," the CIO of homeland security says. "While this is a possibility, the probability is relatively low," Steven Cooper said in an online chat sponsored by The Washington Post. "We have done a lot in the federal arena to provide multilayered security for our digital environments and continually 'red team' our networks and applications to find vulnerabilities."
. . .
• The government is moving to a single identity credential and smart card for physical and logical access to facilities and computers and their data."
The probability of someone crashing two passenger jets into the World Trade Center was probably fairly low as well, but if the risk is great enough even when the probability is low it's still a risk. It's good to know the US government is trying not to scare people, but I do hope that Cooper himself doesn't have a false sense of security.
About the Smart Cards, I suspect he's referencing the SSP/Litronic CAC. Though there's much in support of simplifying access, if too many systems are accessible through a single card, there's a vulnerability. Cards can be left in readers and lost, and if the associated password/phrase is crackable or written down where an attacker can get it, that CAC could be the 'keys to the kingdom' in the wrong hands.
"Some of the world's largest record labels are quietly financing the creation of programs by small software firms that, if deployed, would sabotage the computers and Internet connections of people who download pirated music, according to a published report.
Citing industry executives, The New York Times reported in an article that appeared on its Web site on Saturday, that the efforts bear varying degrees of legality including attacking a computer's Internet connection to slow or halt downloads and overwhelming distribution networks with programs that masquerade as music files."
The chaff server idea's been around for a while and used with varying degrees of success. I'd consider it more annoying than illegal. But sabotaging a user's Internet connection? Vigilante justice at its worst. Are the music companies spending any money on trying to actually profit from an alternate (digital not CD) distribution model? Or are they spinning all their wheels on quasi-illegal plans for strike back? See previous post for more on where digital distribution is going.
"RealNetworks Inc. launched Monday a new service that delivers music, sports, news and entertainment audio and video to mobile phones and handheld computers running its software, the digital media software maker said."
Nothing specific about security in the article, but it begs the question of how to protect the information (music) in transit from theft. In the future, having an MP3 player, whether it's a combo with a phone, PDA, handheld computer or just a standalone, that's wi-fi ready to download music wherever and whenever makes a lot of sense and will be used by consumers. Yet as these products come into the market, the RIAA and others will have a challenge if they want to keep tight control on the data.
"The panelists at an ongoing Federal Trade Commission (FTC) spam conference here couldn't even agree on the definition of spam, with some antispam advocates saying spam is all unsolicited bulk e-mail and some e-mail marketers arguing that spam should be defined more narrowly as unsolicited commercial e-mail that includes false subject lines or misleading e-mail headers."
The DMA (Direct Marketing Association) members balked at spam being defined as any unsolicited commercial e-mail. Spam really is in the eye of the beholder. Some people like getting unsolicited adverts. (Note to all the spammers out there, I'm NOT one of them.)
While some legislation for recourse is a good thing for consumers, the FTC can't entirely stop the problem. Anti-spam software and filtering in email clients and gateways will continue to be a requirement for keeping the inbox clean.
"Microsoft is considering an external testing programme to improve the quality of its security patches.
Difficulty in applying patches and instances where fixes fail to work properly - or cause unfortunate side effects - have long been an issue in Microsoft shops."
Having been in the front line trenches with NT/WinOS admins during a number of alarming security patch installs, this comes as welcome news. Seeing a line of production servers go paws up after applying a patch, even though it was tested on staging servers, is an awful sight to behold. (Especially the look on the admin's face.) Here's hoping Mike Nash sees this through and produces more stable patches in the future.