July 25, 2003

Security Curve WebLog on Summer Hiatus

Hello All, and thanks for reading. Due to business travel commitments and the move of the Security Curve offices, this weblog will be silent until August 11, 2003. See you again in a couple of weeks.

Posted by Diana at 07:28 AM

July 24, 2003

MSFT: Putting their money...

InfoWorld reports that Microsoft has dropped caps on its liability for products. "Although the changes expand Microsoft's legal exposure, ... (MS) does not expect the company to actually have to start writing checks."

Hmmm, if they don't expect this move to translate into additional check writing, is it simply a way to mollify companies who felt MS wasn't accepting enough risk for faulty software? It will be interesting to see if the new approach results in additional lawsuits, or more successful ones, for customers.

Posted by Diana at 08:53 AM

Guidelines for eBanking Security

The Electronic Banking Group of the Basel Committee on Banking Supervision, a consortium of banks from the US, Europe, and Asia, has released two new/finalized documents, "Risk Management Principles for Electronic Banking" and "Management and supervision of cross-border electronic banking activities."

The documents are offered as guidance rather than 'hard and fast' requirements that all financial institutions are expected to abide by. Specifically, the documents address some of the flux that occurs when traditional risk management is applied to cross-border banking.

Both documents are well worth reading. While neither is an in-depth how-to cookbook, both provide a solid foundation for understanding many of the risk issues facing the international financial community.

Posted by Diana at 08:44 AM

AirDefense adds 802.11g Support

Wireless IDS vendor AirDefense released a version of its intrusion detection software that supports 802.11g (Airport Extreme, for Mac OS users) this week.

The company also enhanced the product with the ability to push policies to remote access points and with graphical mapping of the wireless network.

Tools that map wireless networks are welcome in the market. Not only do they offer a snapshot of the known wireless LAN, but they can also be used to compare the observed network against the expected topology to ferret out rogue access points.

Posted by Diana at 08:33 AM

"There will always be an England"

Today the English are celebrating "Internet Shopping Day". "Interactive Media and Retail Group (IMRG) is hoping to target the 18 million or so adults in the UK with access to the Net who have not yet ventured online to shop.

Although the campaign has been running all month, today is the "big one" with the chance for shoppers to win more than £4 million worth of prizes, offers and discounts."

Sounds fun, but does it count as a bank holiday?

Posted by Diana at 08:24 AM

July 22, 2003

Intel and Linksys/Cisco v. the WiFi Alliance?

The Register has an article up commenting on Intel/Linksys' (now owned by Cisco) announcement of the "Verified with Intel Centrino mobile technology" label. Whether the announcement is truly a bid from Intel and Cisco to replace the functionality of the WiFi Alliance with a more vendor specific approach remains to be seen. But the article does raise some interesting points.

Posted by Diana at 07:57 AM

More on Gartner's IDS v. IPS Report

SearchSecurity has an article, "Gartner declares IDS obsolete by 2005", online looking more closely at the recent Gartner report. In it, Gartner VP of Research, Richard Stiennon, is quoted as saying: "The underlying problem with IDS is that enterprises are investing in technology to detect intrusions on a network. This implies they are doing something wrong and letting those attacks in."

Hmmm, not sure I fully agree with Mr. Stiennon on that point. Security is about layers, yes: prevent as much as possible, but then detect as well. A new attack may not trigger an alert or block on the firewall, but could, once inside the network, show clear signs of doing harm.

It's sort of like dental care. Don't stop flossing and brushing as the first line of defense, but be prepared to have x-rays and drilling done if a cavity does develop.

Posted by Diana at 07:44 AM

Industry Poised to Forestall Net Regulation

"Sounding a united alarm against intrusive federal regulation, industry officials cautioned that over-involvement on the part of the government could impede speedy disaster recovery operations by private companies. First and foremost, they agreed, Congress should keep its hands off when it comes to monitoring or controlling privately held networks."

Posted by Diana at 07:33 AM

July 18, 2003

"Know Your Enemy"

The Honeynet Project (http://www.honeynet.org/) has released a short but informative, and moderately entertaining to boot, report on credit card fraudsters and how they operate. The report includes snippets of IRC chats between experienced and newbie fraudsters. For anyone who wants to know how the fraudsters do it, it's a terrific read. The report can be downloaded from the Honeynet site.

Posted by Diana at 07:05 AM

Looks like people are buying SecurID Cards

"RSA Security Inc. on Thursday reported earnings of $0.05 per share on revenue of $63.4 million, a 12 percent jump in revenue compared to the same period last year."

RSA's main money makers are their two-factor authentication products and Identity Management.

Posted by Diana at 07:00 AM

CERT Warning on Cisco IOS

CERT has reported a vulnerability in Cisco IOS (the OS that runs Cisco's family of routers and switches). The results of an attack are nasty: a sequence of IPv4 packets sent to any interface can force that interface to shut down, a/k/a cause a DoS (denial of service). Cisco has a patch available and a full advisory here: http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml.

Posted by Diana at 06:54 AM

July 15, 2003

NCSD Still Looking for a Head

The recently created NCSD (National Cyber Security Division) is still without a leader.

Consider Dennis Fisher's wry qualifications for the job, "The candidate must be willing to work long hours, be comfortable with getting no credit for his or her successes and take a public thrashing for the smallest failures. And do it all on a limited budget while trying to get personnel from a half-dozen agencies to work together and cooperate."

All jokes aside, though, if the division doesn't get a leader to set direction and milestones soon, it's unclear whether it will be able to accomplish much of value.

Posted by Diana at 08:58 AM

eWeek Labs does Spam

"Frontbridge Technologies Inc.'s TrueProtect Message Management Suite and SpamShark service stand out as solid anti-spamware, and after two months of real-world testing, the duo earns eWEEK Labs' Analyst's Choice honors for the enterprise market."

A full lab report is available at the link referenced above. If you're investigating Spam solutions for your enterprise, it's definitely worth a look.

Posted by Diana at 08:53 AM

Filtering Dos and Don'ts

Filtering routers don't get a lot of attention these days. But they're still a great first line of defense with the right ACLs (access control lists) configured. This recent NWFusion article is a good primer for anyone not aware of what filters on routers can do, and a great reminder to anyone who hasn't checked their router ACLs lately.

Posted by Diana at 08:50 AM

July 10, 2003

But creating the policy is still the hard part...

IBM introduces EPAL for privacy management with an XML based privacy language.

Posted by Diana at 08:02 AM

Yet another PayPal spoof

"A new Web site spoofs the PayPal online payment site and attempts to trick PayPal customers into divulging sensitive account and billing information. The fake Web site is the latest example in what security experts say is a rising trend of "brand spoofing" scams."

As with similar spoofs, PayPal customers receive an email sending them to a fake PayPal site where they are instructed to give out their sensitive information. VeriSign's NetSol has also had problems with this: fake emails send users to a spoof site where they're encouraged to 'renew' their domain registration when in fact they're being asked to move it to a new provider.

If you need to do any account maintenance, don't click through from an email. Go directly to the site through your browser.

Posted by Diana at 07:51 AM

Turnabout is Fair Play

In this article, Outsmarting Outsourcers, the author details how a former EDS outsourcer went to work for the company EDS was providing services to. Of course, having been inside EDS, he knows how to negotiate a good contract with them.

Basing payment on performance isn't a bad idea. But having worked for KPMG, I can see both sides of the argument. A lot of outsourcers make bids based on the information the client provides and then get into the company and realize the project is bigger/more complex than anticipated. Caveat Emptor all 'round.

Posted by Diana at 07:46 AM

July 07, 2003

Net survives mass-defacement contest

The Register weighs in: "The Internet is still up and running thanks to the diligence of government agencies like FedCIRC and commercial fearmongers like mi2g ... Or thanks to the fact that the defacement hackathon was a hoax from the beginning, which it almost certainly was. But the interesting question is, whose hoax was it?"

Posted by Diana at 09:41 AM

Zone Labs to Patch Zone Alarm Vuln.

Last week a vulnerability was reported on BugTraq in ZoneLabs' ZoneAlarm product that could allow an attacker to bypass some of the product's Internet blocking functionality. Originally the company told the media that it wouldn't provide a patch because "the hole was a flaw in Windows, and not in its own software." On Thursday the company, though still claiming the bug was "theoretical," announced it would provide a patch, which should be available sometime within the next two weeks.

Posted by Diana at 09:22 AM

Novell and Microsoft Embrace IDs

eWeek provides a quick comparison of the Identity Management offerings from these two firms.

Posted by Diana at 09:10 AM

July 03, 2003

The Worldwide War Drive is On! Do You Care?

The third Worldwide War Drive, organized by the WWWD, is in progress, with findings to be presented at DefCon in Las Vegas later this month.

But what exactly is a 'war drive', and do you care? "War driving" is the process of driving around with a client device, such as a laptop or PDA, that has an installed WNIC (wireless NIC), 'detection software' such as NetStumbler, and, usually, a high-gain antenna, searching for wireless Access Points. War driving goes on all the time these days, but the WWWD goes a step further by organizing the information and presenting its findings.

Wired went along with a few of the war drivers and reported, "In just 40 minutes, we logged nearly 400 access points, and many were unsecured." The unsecured part is the important one. Access Points are detectable because they need to be available to authorized users. Finding an Access Point isn't the problem; the concern is finding an unprotected AP that allows unauthorized users to 'hop on' to the internal network.

So should you care? In a word, yup. But not just about the WWWD; about war driving and the security of your Access Points in general. In fact, try war driving against your own wireless network. If you can get into your network via an unsecured AP, so can an attacker. So do your own driving, or the foot-based equivalent, 'war walking': identify your available Access Points and lock them down. There are a number of ways to prevent unwanted access, such as MAC ACLs and 802.1x/EAP authentication. Take precautionary measures so that when the war drivers come around, although they may be able to find your access point, they won't be able to get on it.
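As an added example (not part of the original post, and not any vendor's tool), here is a small audit script that applies the comparison described in the AirDefense mapping post above and in this one: it parses a constructed scan listing of the kind a war-walk of your own network produces and flags access points that are not in the authorized inventory, that advertise the corporate SSID from an unknown BSSID, or that are authorized but broadcasting with no encryption. The CSV-like scan format, the BSSIDs and the inventory are all assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str
    channel: int
    encryption: str  # "WEP", "WPA" or "None" in this constructed format

def parse_scan(text: str) -> list:
    """Parse constructed scan lines of the form 'ssid,bssid,channel,encryption'."""
    aps = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ssid, bssid, channel, enc = (f.strip() for f in line.split(","))
        aps.append(AccessPoint(ssid, bssid.lower(), int(channel), enc))
    return aps

def audit(aps, inventory):
    """Compare a scan against the authorized inventory (BSSID -> expected SSID).

    rogue: BSSID not in inventory, or an inventory BSSID whose SSID does not match
    unprotected: authorized AP broadcasting with no encryption
    """
    findings = {"rogue": [], "unprotected": []}
    for ap in aps:
        expected_ssid = inventory.get(ap.bssid)
        if expected_ssid is None or expected_ssid != ap.ssid:
            findings["rogue"].append(ap)
        elif ap.encryption == "None":
            findings["unprotected"].append(ap)
    return findings

# Constructed sample scan: two authorized APs (one with encryption off),
# an unknown consumer AP, and an unknown AP advertising the corporate SSID.
SAMPLE_SCAN = """
# ssid,bssid,channel,encryption
corp-wlan,00:11:22:33:44:01,6,WEP
corp-wlan,00:11:22:33:44:02,11,None
linksys,00:0c:41:aa:bb:cc,6,None
corp-wlan,00:0c:41:dd:ee:ff,1,WEP
"""
INVENTORY = {"00:11:22:33:44:01": "corp-wlan", "00:11:22:33:44:02": "corp-wlan"}

def run_audit():
    """Run the audit over the constructed sample; returns the findings dict."""
    return audit(parse_scan(SAMPLE_SCAN), INVENTORY)
```

Feed `parse_scan` the output of whatever scanner you actually use, after converting it to the four-field form, and keep the inventory under change control so a newly installed AP shows up as rogue until someone approves it.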

Posted by Diana at 08:17 AM

Bad Timing: MIIS and New Passport Security Woes

While Microsoft was making a major announcement about its Identity Management solution (Microsoft Identity Integration Server 2003 Released to Manufacturing), its widely deployed web-based user authentication product, Passport, was being hit with another security vulnerability (Microsoft patches Passport).

MIIS is not Passport, so the two issues aren't technically related. But it does give one pause. MSFT had a hard time getting Passport right, and companies planning to implement the MIIS solution need to complete due diligence to confirm that the product meets their security requirements. Failing to get security right the first or second time is very common. But the MS track record places some burden on the implementers of the solution to ensure that it is, indeed, ready for prime time.

Posted by Diana at 07:35 AM

The "Defacers Challenge"

Lock up your web sites, everyone: recent headlines are peppered with reports about the so-called "Defacers Challenge", a contest, purportedly set to start this Sunday, July 6th, to see who can deface/attack 6,000 web servers first.

Government Computing News, http://gcn.com/vol1_no1/daily-updates/22623-1.html
Info World, http://www.infoworld.com/article/03/07/02/HNhackattack_1.html
Mercury News, http://www.bayarea.com/mld/mercurynews/business/6225709.htm

While these kinds of media friendly contests are useful for raising awareness about security, businesses should be on the alert for defacements every day of the year, not just when a 'challenge' like this is announced.

Why? Because attackers are active every day, and any day could be your own website's "Defacer Challenge." If this recent planned attack helps to get executive awareness up and releases budget for needed security expenditures, that could be a good thing. In the meantime, continue with or strengthen existing risk management practices for your web site: hardened systems, gateway and perimeter protection, monitoring for intrusions, and of course regular backups from which to restore in case of emergency.

Every day.

Posted by Diana at 07:32 AM