Network Computing, powered by InformationWeek Business Technology Network
February 27, 2006

Hello!

Hi there, I just thought I'd drop in and let you know that Network Computing has a security editor again... Me.

You may have read some of my stuff when I was testing Storage and Servers, you may have even emailed back and forth with me about my quirky storage blogging. Or you may remember me as "That guy we fired for..." Oh, no, never mind. You wouldn't remember me as that.

Quick stuff about the guy that will be offering you security advice - I worked in IT in various roles (app dev, admin, architecture, management) and for various size companies (six person startup to fortune 1Ks) from 1991 to 2004, when I came on NWC staff full-time.

Security is both a hobby and a passion for me, and I've done it professionally too. I think that probably showed through when I took on the Storage Security topics last year; expect some more of that. I think Storage Insecurity is a better name for it, and I'd like to find viable ways for us to make it better.

I'm into things that allow us to remove the hardcoded usernames and passwords from our internally developed code, and things that control database access as much as I'm into IPS/IDS/NAC/etc. It should be interesting covering the gamut, because like most of you, when I was doing it I concentrated on the things we needed to get the job done, not the broad spectrum.

I won't ramble any more, I'll save that for after the next couple of weeks while I get my feet under me and get set up in my new role. I've got some storage articles to finish out, then you'll hear from me more.

Until then,
Don.

Posted by dmcvitti at 02:28 PM

February 06, 2006

It's a Mal, Mal World

Life used to be so simple. The golden days when a simple virus was all you had to worry about seem almost idyllic compared to the mean electronic streets that we walk today. I recently spoke with Shane Coursen, a senior technology consultant at Kaspersky Labs, about the once and future world of malware. You can hear the podcast here.

Thanks to everyone who sent in ideas for an end-of-year show. As you can tell, I missed the deadline for that, but I'll wrap the ideas into a review and prediction show in the near future. Don't let my somewhat overloaded schedule keep you from sending in ideas, though--there have been some great conversations resulting from notes listeners have sent in.

If you haven't already subscribed to the podcast, look over to the left, you'll find the link to subscribe to the Security Channel podcast. In addition, I'd like to ask a favor. Take a minute to drop me a note at cfranklin@cmp.com, and let me know what you'd like to hear in future podcasts. A podcast can be short or long, serious or amusing, hands-on or quite strategic. Let me know what you'd like to listen to, and we'll do our best to make it happen.

The music in this podcast is "Anubis Claws" from the album Aeonblue by subatomicglue. They release their music under a Creative Commons license--if you like the sound, head over to their web site and check out the rest of their music.

Posted by cfrankli at 11:03 AM

January 25, 2006

A Simple Message

I don't know about you, but I don't think I could work successfully without instant messaging. In an average day, I instant message with colleagues, contractors, vendors, and contacts throughout the industry. I'm not alone--survey after survey shows that employees are hooked on instant messaging as a way to keep in touch. From a security standpoint, of course, instant messaging comes with a pile of caveats. The open feeling that makes instant messaging so useful also makes it a huge security risk. The free and open dialogue it promotes can be antithetical to complying with regulatory separation between departments. Network Computing technology editor Mike DeMaria got together with me to talk about the possibilities and problems of using instant messaging in the enterprise. You can hear the podcast here.

It's the new year, and I have a huge backlog of interviews to get into podcasts, as well as a look back at 2005. Get ready for some rapid-fire podcasts as I work through the stack and get some solid information coming your way.

If you haven't already subscribed to the podcast, look around this page, you'll find the link to subscribe to the Security Channel podcast. In addition, I'd like to ask a favor. Take a minute to drop me a note at cfranklin@cmp.com, and let me know what you'd like to hear in future podcasts. A podcast can be short or long, serious or amusing, hands-on or quite strategic. Let me know what you'd like to listen to, and we'll do our best to make it happen.

Posted by cfrankli at 10:27 PM

January 04, 2006

WMF Woes? Patch Things Up (Unofficially)!

Worried about the WMF vulnerability? Secure Enterprise Magazine's Editor Mike Fratto has found two 'off the record' fixes that will do a good job of holding down the fort until Microsoft comes up with something more official. Mike explains:

While I am not in the habit of recommending unofficial patches, it seems like the WMF vulnerability is pretty nasty, so you probably want to spend some time testing and deploying the work-arounds. Simply blocking files ending in .wmf won't be enough because Windows handles WMF files based on file structure, not extension. Files ending in .jpg and .gif are just as likely to be WMF files as not.

Ilfak Guilfanov has put together a patch that SANS is endorsing as a viable short term solution until Microsoft comes up with something. F-Secure also has a workaround as well as a wealth of information from their own research and from others like SANS and Ilfak Guilfanov.

I have been using the SANS work-around for days with no ill effects and I, like others, have successfully tested the workarounds against working exploits as well as Metasploit's version.

Just remember to remove this patch -- if you use it -- prior to installing Microsoft's.

Posted by tlasusa at 11:56 AM
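Mike's point that Windows identifies WMF data by structure rather than by extension means a filter keyed on ".wmf" names is the wrong control; the check has to look at the bytes. The following is an added example, not code from the post or from SANS, F-Secure or Ilfak Guilfanov: a small content sniffer that recognises a Windows Metafile by its header layout (the placeable-header key and checksum, and the METAHEADER's type, HeaderSize, version and declared size fields), then compares what the bytes say with what the file name claims. The sample files, the names given to them and the `classify` helper are constructed for the demonstration.

```python
"""Content-based WMF sniffer: identify Windows Metafile data by header structure,
not by file extension (added example; not code from the original post)."""
import struct
from dataclasses import dataclass

PLACEABLE_KEY = 0x9AC6CDD7     # magic at offset 0 of an Aldus "placeable" metafile
PLACEABLE_HEADER_LEN = 22      # bytes; the standard METAHEADER follows it
METAHEADER_LEN = 18            # bytes; the HeaderSize field counts 9 16-bit words
META_EOF = 0x0000              # record function code that terminates a metafile


@dataclass
class WmfCheck:
    is_wmf: bool
    placeable: bool
    reason: str


def placeable_checksum(first20: bytes) -> int:
    """XOR of the ten 16-bit words that precede the Checksum field of a placeable header."""
    cs = 0
    for word in struct.unpack("<10H", first20[:20]):
        cs ^= word
    return cs


def _check_metaheader(buf: bytes, off: int) -> str:
    """Return '' if a plausible METAHEADER starts at off, otherwise the reason it does not."""
    if len(buf) < off + METAHEADER_LEN:
        return "too short for a METAHEADER"
    mtype, hsize, version, size_lo, size_hi = struct.unpack_from("<HHHHH", buf, off)
    if mtype not in (1, 2):            # 1 = in-memory metafile, 2 = disk metafile
        return f"metafile type {mtype} is not 1 or 2"
    if hsize != 9:
        return f"HeaderSize {hsize} words, expected 9"
    if version not in (0x0100, 0x0300):
        return f"version 0x{version:04x} is not 0x0100/0x0300"
    declared_bytes = ((size_hi << 16) | size_lo) * 2   # Size field is in 16-bit words
    if declared_bytes > len(buf) - off:
        return f"declared size {declared_bytes} bytes exceeds available data"
    return ""


def sniff_wmf(buf: bytes) -> WmfCheck:
    """Decide from the bytes alone whether buf looks like a WMF, placeable or plain."""
    if len(buf) >= PLACEABLE_HEADER_LEN and struct.unpack_from("<I", buf, 0)[0] == PLACEABLE_KEY:
        expected = placeable_checksum(buf[:20])
        actual = struct.unpack_from("<H", buf, 20)[0]
        if actual != expected:
            return WmfCheck(False, True, f"placeable key but checksum 0x{actual:04x} != 0x{expected:04x}")
        err = _check_metaheader(buf, PLACEABLE_HEADER_LEN)
        return WmfCheck(err == "", True, err or "placeable header + valid METAHEADER")
    err = _check_metaheader(buf, 0)
    return WmfCheck(err == "", False, err or "valid METAHEADER at offset 0")


def classify(name: str, data: bytes) -> str:
    """Compare what the extension claims with what the bytes say (constructed helper)."""
    ext_claims_wmf = name.lower().endswith(".wmf")
    result = sniff_wmf(data)
    if result.is_wmf and not ext_claims_wmf:
        return f"{name}: WMF content disguised by extension ({result.reason})"
    if result.is_wmf:
        return f"{name}: WMF by both extension and content"
    return f"{name}: not WMF ({result.reason})"


def sample_standard_wmf() -> bytes:
    """Constructed minimal disk metafile: a METAHEADER plus a single META_EOF record."""
    eof_record = struct.pack("<IH", 3, META_EOF)             # RecordSize = 3 words, function = EOF
    total_words = (METAHEADER_LEN + len(eof_record)) // 2   # 12 words
    header = struct.pack("<HHHHHHIH", 2, 9, 0x0300,
                         total_words & 0xFFFF, total_words >> 16, 0, 3, 0)
    return header + eof_record


def sample_placeable_wmf() -> bytes:
    """Constructed placeable WMF: 22-byte Aldus header (with checksum) wrapping the sample above."""
    body = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)   # 20 bytes
    return body + struct.pack("<H", placeable_checksum(body)) + sample_standard_wmf()


# Constructed: the opening bytes of a JPEG/JFIF file, i.e. what a ".jpg" name promises.
SAMPLE_JPEG_HEAD = bytes.fromhex("ffd8ffe000104a46494600010100000100010000") + b"\x00" * 8


if __name__ == "__main__":
    samples = {
        "holiday.jpg": sample_standard_wmf(),    # constructed: WMF bytes under a .jpg name
        "diagram.wmf": sample_placeable_wmf(),   # constructed: honestly named placeable WMF
        "photo.jpg": SAMPLE_JPEG_HEAD,           # constructed: genuine JPEG header
    }
    for fname, data in samples.items():
        print(classify(fname, data))
```

A gateway or mail filter that applies `sniff_wmf` to every attachment, whatever its name, flags the disguised file that an extension rule lets through; the checksum and declared-size checks keep random data that happens to start with plausible words from being reported as a metafile.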

December 28, 2005

I Hear You Knockin', But You Can't Come In

Who gets in? Who's kept out? Those are the twin questions that frame network security. In this podcast I talk with Brett Helsell of Lockdown Networks about network access control--not the program put forward by Cisco (though we touch on that), but the very idea of controlling who comes into your network. You can hear the podcast here.

We're coming up on the end of the year, and I'd like to do a "Most Important Events in Security for 2005" podcast to wrap things up, and the time grows very short. Of course, it will be a lot more interesting if the items on the list come from you, rather than from me, so please take a moment to send an e-mail to cfranklin@cmp.com telling me about your nominee for the event or events that have had the greatest impact on security during this year. If you include your contact information, I might just call and include you in that year-ending podcast. I'll look forward to your comments.

If you haven't already subscribed to the podcast, look around this page, you'll find the link to subscribe to the Security Channel podcast. In addition, I'd like to ask a favor. Take a minute to drop me a note at cfranklin@cmp.com, and let me know what you'd like to hear in future podcasts. A podcast can be short or long, serious or amusing, hands-on or quite strategic. Let me know what you'd like to listen to, and we'll do our best to make it happen.

The music in this podcast is "Fresh Snow", courtesy of Derek K. Miller, whose work can be found at Penmachine. He releases much of his music under a Creative Commons license--if you like the sound, head over to the web site and check out the rest of his music.

Posted by cfrankli at 10:59 PM

December 01, 2005

From the Inside Looking Out--and In

The glamour in security is all about keeping the bad guys out. Statistically, though, more damage is wrought by supposed "good guys" whittling away at your network and data from the inside. In this Security Channel Podcast, David Lynch of Apani Networks talks with me about security from the inside. As things calm down (for those of us not in retail) towards the end of the year, it's time to think about our approach to security and ask whether we should be taking longer, harder looks at just how porous our defenses are from those whom we think we should be trusting. The answers, arrived at honestly, might have far-reaching effects on the way that our networks--and our security implementations--look. You can hear the podcast here.

We're coming up on the end of the year, and I'd like to do a "Most Important Events in Security for 2005" podcast to wrap things up. Of course, it will be a lot more interesting if the items on the list come from you, rather than from me, so please take a moment to send an e-mail to cfranklin@cmp.com telling me about your nominee for the event or events that have had the greatest impact on security during this year. If you include your contact information, I might just call and include you in that year-ending podcast. I'll look forward to your comments.

If you haven't already subscribed to the podcast, look over to the left, you'll find the link to subscribe to the Security Channel podcast. In addition, I'd like to ask a favor. Take a minute to drop me a note at cfranklin@cmp.com, and let me know what you'd like to hear in future podcasts. A podcast can be short or long, serious or amusing, hands-on or quite strategic. Let me know what you'd like to listen to, and we'll do our best to make it happen.

The music in this podcast is "Acid Trumpet" by Kevin MacLeod. He releases much of his music under a Creative Commons license--if you like the sound, head over to the web site and check out the rest of his music.

Posted by cfrankli at 11:12 PM

November 24, 2005

Certifiable Security

It's not like we don't have enough acronyms floating around our industry--acronyms for standards, technologies, product designations, and professional certifications. Add to that list the group of acronyms and names for product certifications administered by various groups and the alphabet soup gets truly thick and meaty. After getting Yet Another Press Release (YAPR) touting a product that had received FIPS and Common Criteria certification, I decided to ask just why someone not in government service should care about these pieces of paper. I ended up talking with Tom Gilbert of Blue Ridge Networks about his experience with the certifications and the process to get them. Now, his company makes products that come complete with press releases announcing government-related certification, so he can't be called an entirely neutral source, but I thought that the interview brought out a number of interesting points concerning certifications and whether (or why) you should care about them in private industry. You can listen to the podcast here. After you do, drop me a note (cfranklin@cmp.com) to let me know whether product certifications are part of the criteria you use when choosing which products to purchase and deploy.

If you haven't already subscribed to the podcast, look over to the left, you'll find the link to subscribe to the Security Channel podcast. In addition, I'd like to ask a favor. Take a minute to drop me a note at cfranklin@cmp.com, and let me know what you'd like to hear in future podcasts. A podcast can be short or long, serious or amusing, hands-on or quite strategic. Let me know what you'd like to listen to, and we'll do our best to make it happen.

The music in this podcast is "Anubis Claws" from the album Aeonblue by subatomicglue. They release their music under a Creative Commons license--if you like the sound, head over to their web site and check out the rest of their music.

Posted by cfrankli at 09:31 PM

November 17, 2005

A Look at OATH

I've heard it said that you can tell our industry loves standards because there are so many of them. I recently had a chance to sit down and talk with several representatives of OATH, the Initiative for Open Authentication. These folks are clear that they're not trying to become a standards body, but they are active in promoting standards that will allow authentication components from many different vendors to work together. I think it's an interesting idea, and an example of companies coming together due to economic necessity--their customers are demanding it--rather than from any sense of duty to an ideal. Regardless of the motivation, though, there are some great possibilities here for benefit to the customer, so I think it should be of more than a little interest. You can listen to the podcast here. After you do, drop me a note (cfranklin@cmp.com) to let me know whether you think we need more open standards in security, or if you think that standards are, themselves, security vulnerabilities.

If you haven't already subscribed to the podcast, look over to the left, you'll find the link to subscribe to the Security Channel podcast. In addition, I'd like to ask a favor. Take a minute to drop me a note at cfranklin@cmp.com, and let me know what you'd like to hear in future podcasts. A podcast can be short or long, serious or amusing, hands-on or quite strategic. Let me know what you'd like to listen to, and we'll do our best to make it happen.

The music in this podcast is "Rust" from the album Aeonblue by subatomicglue. They release their music under a Creative Commons license--if you like the sound, head over to their web site and check out the rest of their music.

Posted by cfrankli at 03:40 PM

November 03, 2005

What's the True Cost of Security?

There's something about economics that tends to act like the anti-coffee to most folks. Their eyes glaze over, the head starts to kinda bob back and forth, and before you know it they're snoring on the conference-room table. When it comes to security, we want to focus on the exciting, glamorous parts--the pen tests and intrusion prevention--while we ignore some of the things (like HR policies) that can have a huge overall impact. In this podcast, I talk with John Pironti of Unisys, who has spent a lot of time thinking about the economics of security. I was impressed because he's gone beyond the questions of cost (always the key to security business analysis) to talk about the issues of tangible economic benefit.

If you're still bruised from your last encounter with the budget committee, you'll want to spend some time listening to this podcast. This one goes a few minutes longer than our normal podcast, but I think the five extra minutes are well worth it. You can listen to the podcast here. After you do, drop me a note (cfranklin@cmp.com) to let me know whether you agree with the kind of analysis that John is applying to security.

If you haven't already subscribed to the podcast, look over to the left, you'll find the link to subscribe to the Security Channel podcast. In addition, I'd like to ask a favor. Take a minute to drop me a note at cfranklin@cmp.com, and let me know what you'd like to hear in future podcasts. A podcast can be short or long, serious or amusing, hands-on or quite strategic. Let me know what you'd like to listen to, and we'll do our best to make it happen.

The music in this podcast is "Bugeater" from the album Aeonblue by subatomicglue. They release their music under a Creative Commons license--if you like the sound, head over to their web site and check out the rest of their music.

Posted by cfrankli at 10:19 PM

October 27, 2005

What's in Your iPod?

I don't know about you, but I'm hooked on my iPod. I carry it with me when I mow the lawn, it's my soundtrack when the drive is more than about 10 minutes, and it keeps the outside world at bay when I'm working. I knew that, like most computing devices, the friendly little media players (and their associated software on your PC) carry a security risk, but I hadn't given a lot of thought to just what that penalty might be until I talked with Josh Daymont, director of security research at Secureworks, a managed security provider. Our conversation makes for an interesting interview (after a bit of a technical glitch on the first question). You can listen to the podcast here. After you do, let me know what kind of MP3 player you carry, and which piece of desktop media software is your favorite--it will be interesting to see what you're listening to.

If you haven't already subscribed to the podcast, look over to the left, you'll find the link to subscribe to the Security Channel podcast. In addition, I'd like to ask a favor. Take a minute to drop me a note at cfranklin@cmp.com, and let me know what you'd like to hear in future podcasts. A podcast can be short or long, serious or amusing, hands-on or quite strategic. Let me know what you'd like to listen to, and we'll do our best to make it happen.

The music in this podcast is "Bugeater" from the album Aeonblue by subatomicglue. They release their music under a Creative Commons license--if you like the sound, head over to their web site and check out the rest of their music.

Posted by cfrankli at 10:57 PM

September 30, 2005

Thinking About the Worst

Boy, let an unplanned series come to an end and things just go haywire. After a most interesting September we're back with another Security Channel podcast, this time on disaster preparations and business continuity. It seems to me that the most significant (and, by far, the most common) failure in responding to disasters is the basic failure of imagination; we just can't allow ourselves to imagine that the very worst could happen to our businesses and our families. This in spite of ample evidence that the very worst can, and will, happen to at least some of us in any given year. It's tough to think about, and can seem a true pain to actually plan for, but making preparations for the worst-case scenario can be a literal life-saver when that most horrible of times does come. You can listen to the podcast here. After you do, let me know what your worst-case preparations are like; if I can get enough, we'll do a series of podcasts on what responsible companies and individuals are doing to make sure that their lives and work continue when things get bad.

If you haven't already subscribed to the podcast, look over to the left, you'll find the link to subscribe to the Security Channel podcast. In addition, I'd like to ask a favor. Take a minute to drop me a note at cfranklin@cmp.com, and let me know what you'd like to hear in future podcasts. A podcast can be short or long, serious or amusing, hands-on or quite strategic. Let me know what you'd like to listen to, and we'll do our best to make it happen.

Posted by cfrankli at 12:02 AM

September 02, 2005

The Privacy Series Pauses

Our unplanned series of podcasts on identity theft and personal information safety wraps up this week. This has been a fascinating topic for me to explore, and I hope that you've gotten some useful information, but we're going to be looking at some other topics for the next few weeks. We wrap up with a good interview, though, with Mike Gibbons, who's vice president and general manager of Federal Security Solutions at Unisys. Mike had a long career at the FBI, and five years with one of the Big Five consulting companies heading up their security practice, so he's been chasing bad guys for a long time. His views on how companies should work with law enforcement, and what the future might hold for personal-information protection are interesting, and can be heard here, in this week's podcast.

If you haven't already subscribed to the podcast, look over to the left, you'll find the link to subscribe to the Security Channel podcast. In addition, I'd like to ask a favor. Take a minute to drop me a note at cfranklin@nwc.com, and let me know what you'd like to hear in future podcasts. A podcast can be short or long, serious or amusing, hands-on or quite strategic. Let me know what you'd like to listen to, and we'll do our best to make it happen.

Posted by cfrankli at 01:48 PM

August 19, 2005

I Gotta Be Me (and not You)

Our unplanned series of podcasts on identity theft and personal information safety continues this week. I wish I could say that I had carefully thought out a theme for the late summer, but serendipity gets the credit--I'm just pleased to take advantage of the situation. I'm pleased because I think (occasional worm outbreak notwithstanding) that keeping customer information safe is the most significant issue in network security today. Frankly, the only other issue that comes close is infrastructure (switch and router) security, and you'll be hearing more about that from us in weeks to come. This week, I had a chance to interview David Zumwalt, the president and CEO of Privacy, Inc. David has some fascinating things to say about the topic, along with some solid tips for security professionals, and you can hear him talk about them here, in this week's podcast.

If you haven't already subscribed to the podcast, look over to the left, you'll find the link to subscribe to the Security Channel podcast. In addition, I'd like to ask a favor. Take a minute to drop me a note at cfranklin@cmp.com, and let me know what you'd like to hear in future podcasts. A podcast can be short or long, serious or amusing, hands-on or quite strategic. Let me know what you'd like to listen to, and we'll do our best to make it happen.

The music in this podcast is "Tito on Timbales" from Musica Unidos de Latino America. If you enjoy Latin music, there's some great stuff on their web site, along with links to order DVDs and CDs.

Posted by cfrankli at 04:11 PM

August 11, 2005

A Subtle Pattern Begins to Emerge...


You know, sometimes a theme is carefully thought out and planned, and sometimes it just happens. It looks like we've got one of the second sort of themes going on here, as we have the latest in an on-going series of interviews focused on privacy and data security issues. Of course, most of the security stories that have made headlines lately have been privacy and data security stories, so I suppose it's not a real stretch to see them here, but it's been fascinating to hear the different takes on the subject. This week's interview is with Dan Verton, author of The Insider: A True Story. He did research on a number of companies and reached some interesting conclusions; I think my favorite is that most companies have no idea where much of their data is stored at any given time. You can hear this and other observations here, in this week's podcast.

If you haven't already subscribed to the podcast, look over to the left, you'll find the link to subscribe to the Security Channel podcast. The folks who work behind the scenes here at nwc.com have done a super job making it possible for me to podcast, and I hope that you can take advantage of all their hard work. In addition, we're now listed in most of the major directories (including iTunes), so you should be able to catch the RSS feed in your favorite podcasting client.


The music in this podcast is "Polymorphic Journey" from the album Secret Journey by NumberSix. They're an Internet-savvy group, and you can find their album here. Give them a listen.

Posted by cfrankli at 12:17 AM

August 04, 2005

Keeping Identities Safe

Sorry for the delay in getting this week's podcast up, but I think it will be worth the wait, since we have a great interview on identity theft and what companies should be doing to keep their customers from becoming victims. Everything we're seeing in research terms shows that identity theft is a huge issue for customers, and that they're in the process of making it a huge issue for companies that do business on the Internet. Neal Creighton, CEO of GeoTrust, is the subject of this week's interview--take a listen here.

If you haven't already subscribed to the podcast, look over to the left, you'll find the link to subscribe to the Security Channel podcast. The folks who work behind the scenes here at nwc.com have done a super job making it possible for me to podcast, and I hope that you can take advantage of all their hard work.

The music in this podcast is "Polymorphic Journey" from the album Secret Journey by NumberSix. They're an Internet-savvy group, and you can find their album here. Give them a listen.

Posted by cfrankli at 12:59 PM

July 26, 2005

Security Through The Cycle

Let's see, we've had travel (to Chicago), testing (of fixed-point wireless systems), an industry name change (Longhorn becomes Vista), and continuing news of vulnerabilities and attacks. In the midst of all this, I had a very good conversation with Dr. Hugh Thompson, chief security strategist at Security Innovation. We spent some time talking about the state of security in general, with some special attention given to the things that application developers can do to build security into the software they're building. It was a good talk, and you can listen to it here.

I realize that I've been asking for comments when our comments section has been broken. Sorry about that--the web team is working to get things working again as soon as possible. In the meantime, feel free to send comments via e-mail to the address you'll find in my bio. Oh, one other thing; if you look over to the left, you'll find the link to subscribe to the Security Channel podcast. The folks who work behind the scenes here at nwc.com have done a super job making it possible for me to podcast, and I hope that you can take advantage of all their hard work.

The music in this podcast is "We Live as We Dream" from the album Secret Journey by NumberSix. They're an Internet-savvy group, and you can find their album here. Give them a listen.

Posted by cfrankli at 12:22 AM

July 13, 2005

A bit of Application Security

Well, we've managed to avoid being blown away by a hurricane or burnt to a crisp in the sun while on a roof, so I guess it's been a pretty good week. To top it all off, I had a very good conversation with Paul Henry, senior vice president of Cyberguard. We talked about a number of things, starting with the attitudes he's seeing from companies who are looking at application-layer security.

I've built a podcast on the interview. You can find it here and, as always, let me know what you think. Oh, one other thing; if you look over to the left, you'll find the link to subscribe to the Security Channel podcast. The folks who work behind the scenes here at nwc.com have done a super job making it possible for me to podcast, and I hope that you can take advantage of all their hard work.

The music in this podcast is "We Live as We Dream" from the album Secret Journey by NumberSix. They're an Internet-savvy group, and you can find their album here. Give them a listen.

Posted by cfrankli at 09:35 PM

July 06, 2005

Security Built In

OK, it's been a week since the last podcast, with a holiday and many hours crawling around on office-building roofs thrown into the middle. Fortunately, this is a solid podcast, featuring an interview with Kevin Kernan, CEO of Secure Software. The interview covers a lot of territory about information and network security, and should be interesting regardless of the type of products or approach you use for your organization's security.

You'll find the podcast here. Leave a comment, or drop an e-mail to let me know what you think of the podcast.

Posted by cfrankli at 09:02 PM

June 29, 2005

...and the Survey Says:

There's nothing like spending a couple of days crawling around on roofs and in attics (in June, and in Florida) to make you appreciate the concept of "inside". Add the "excessive rainfall" (a genuine National Weather Service term) that we've been getting for several days, and it's a good time to stay inside and get some work done. You'll see the reason for the outside work in a few weeks--it's for a review of fixed-point wireless networking that will be coming up in Network Computing. It involves testing out in the real world, and down here the real world includes high humidity, warm temperatures, and a fair number of insects, reptiles, and very swampy walking tours. We've just deployed the first of the free-space optical systems, and I get to spend a little time inside, at my desk, while waiting for some more stuff to arrive.

While I've been at my desk, I've seen all sorts of press releases, including two that caught my interest because they talk about surveys conducted on security-related topics. One came from The Conference Board, a business group that's usually in the news with their survey of consumer or purchasing agent confidence, and one came out of a gathering of CSOs in Chicago. Both point to the same conclusion from different angles: Our technology fixes for security are working pretty well, but the problems for which we don't have a good technology solution are cause for ever greater concern.

I've built a podcast on the two surveys. You can find it here and, as always, let me know what you think. There are some more great interview-based podcasts coming up, and some infrastructure changes that should let you subscribe to the podcast and have it arrive automatically. Cool stuff--just what we need as we enter the hot days.

Posted by cfrankli at 09:49 PM

June 21, 2005

Back from the Desert

Boy, it's been a busy couple of weeks, with travel (NetSec in Scottsdale was a killer conference at a great resort), getting ready for a huge test (fixed wireless networking), and several smaller tests in progress. Oh, yeah, we (CMP, that is) also started a daily video project that I'm contributing to. If you haven't seen The News Show, you should really check it out.

Now on to this edition of the blog and podcast. I had a chance to sit down with Rich Baich, CISO of ChoicePoint, and talk about what it takes to succeed as a CISO in today's environment. He's obviously put a lot of thought into the question, and his answers are a good starting point for anyone on the verge of adding a "C" level title to their security portfolio. You can grab the podcast here and, as always, let me know what you think.

Posted by cfrankli at 12:52 AM

May 26, 2005

The Threat from Inside

Sorry it's been a week since the last podcast, but it's been a full week, with plans for upcoming tests, new products to look at, and plenty of news on the security front to think about. I've got a couple of longer podcasts coming up--podcasts with interviews and other folks talking so you don't have to just listen to me--but until I get them finished I had some thoughts on one of the big news items of the last couple of weeks; the customer data theft that hit Bank of America and other financial institutions. The big thing about these thefts was that they were instigated by insiders--employees who should have known better. Take a listen to the podcast and let me know what you think. Is there a sure technology fix to the question of insider theft? Let me know your thoughts.

Posted by cfrankli at 08:21 PM

May 17, 2005

The Federation (Identity)

Tonight's podcast is about identity federation, and especially about IBM's latest announcements on the topic. Last week I had a chance to talk via phone with Joe Anthony of IBM, and he shared some of the things that he sees in the developing identity federation market. Now, I've seen enough people struggling with multiple computer-based identities to know that identity federation is coming, and ultimately coming in a big way. But I've also covered enough exploits and thefts to be more than a little apprehensive about pulling more and more identity value into data stores that we haven't learned how to--or been willing to--make truly secure from unauthorized access. If all the laws, regulations, and industry rules aren't enough to convince us to get serious about all forms of identity security, the knowledge that a single break-in could affect multiple corporations and a cascading universe of users should be the spur we need. Take a listen to the podcast and let me know what you think. Is your organization already implementing identity federation? I'd be very interested in hearing a real success story or two.

Posted by cfrankli at 10:06 PM

May 11, 2005

An N+I Interview

I promised more podcasting about the things I saw and heard at Networld + Interop, and I've finally shaken off the need to sleep (and catch up on work that was waiting when I got back) enough to get started. The podcast this time contains a confession and a look inside the sophisticated world of recording a podcast, but the focus is on a conversation I had with Jayshree Ullal, Senior Vice President of Cisco's Security and Technology Group. She had some interesting things to say--take a listen to the podcast and let me know what you think.

Posted by cfrankli at 10:11 PM

May 05, 2005

Winners from Interop

You know, this business of running on three hours sleep a night has considerably less charm now than it did when I was 25...anyway, I'm going to be doing more podcasts based on things I've done here at Interop, but I wanted to give a link to the winners of the awards I mentioned in the last podcast. You can find the full list of winners here. Take a look, and come back soon...some good stuff is coming in the blog and the podcasts.

Posted by cfrankli at 02:59 PM

May 03, 2005

From the Halls of Interop

This week, I'm out in Las Vegas at the Interop trade show, and the fun is just beginning. I plan to have some interesting news from the show floor, but first, I have to get there. Yesterday and this morning I've been listening to companies talk about their products as part of the Best of Interop awards program. I realize that most folks never get to enjoy a process like this, so I put together a podcast that lets you hear some of the process, and meet some of the people involved. Let me know what you think, and if there are any products or technologies you particularly want me to be on the lookout for here at the show.

At the very least, I'll be back tomorrow evening with news of who won--I'd be interested in hearing who you think should have won based on the pitches you hear in the podcast...

Posted by cfrankli at 01:11 PM

April 25, 2005

Taking Action against Attacks

How far should we go in defending our networks? Is it enough to stiffen our defenses and patch vulnerabilities, or should we actively pursue (through legal means, of course) those who work to usurp network resources and steal information? For a growing number of organizations, strengthening the bulwarks is no longer enough--it's time to treat network attackers like criminals.

In the course of the last week, I've had three separate conversations on this topic. One was with the executive director of a new organization called CIDDAC. They're trying to gather the data that law enforcement will require to go after phishing, re-direction, and other attacks. The other two conversations were with executives at Microsoft. The two, coming from different aspects of the security whole, had different takes on what their customers and partners were doing towards actively pursuing the attackers.

I think that we're going to hear more and more about companies and organizations teaming with law enforcement to pursue those who attack networks and customers. Take a listen to the podcast and let me know what you think.

Posted by cfrankli at 10:34 PM

April 23, 2005

It's Been Quite a Week

Sorry that I haven't blogged since Tuesday, but it's been quite a week. I flew up to Seattle, then drove out to spend the day with Microsoft on Wednesday. There are a number of things we discussed that you'll be seeing in future blog posts and Network Computing articles, and a pretty cool podcast that I'm putting together on the topic of aggressive responses to attacks--how (and whether) we enlist the help of law enforcement to try putting thieves and vandals in jail, rather than simply beefing up our defenses to keep them out.

The thing that I keep coming back to in discussions with companies (both vendors and users) is a profound change in the way we work with the "people" aspect of security. To this point we've heard more about the technology because, in many respects, technology is the easier problem to solve. Changing products is (relatively) easy; changing people's ingrained behavior is hard. Unfortunately, if we're going to make significant improvements in security, we're going to have to tackle the hard issues.

Posted by cfrankli at 03:21 PM

April 19, 2005

Old Enemies Come Back

Sunday night we were having dinner with some friends, a gathering that included someone who rides herd on the IDS at a Major University. Just as he got to the house, his phone started ringing--something was knocking a couple of key segments off the network. It turned out that a host on the network had been given a new dose of Sasser--and the result was an IDS log file large enough to choke servers, which cascaded down to sensors, which then caused problems in dealing with the issue. He took care of the problem in a few minutes, but there were more phone calls, and a renewed acquaintance with a problem we thought had been handled.

Now comes word from F-Secure that a new Sober variant, Sober.N, is seeding itself, and spreading through infected .ZIP files. As I mentioned in the last podcast, attention to user training (Don't Open Unexpected ZIP Files) will be as important as AV signatures in stopping this one early. Beyond that, the renewal of old threats is a solid reminder that the early versions of these worms tended to be more proof of concept than serious damage attempts--the real payoff in terms of network damage is yet to come. We've been warned--let's get busy protecting our networks through technology and training.

Posted by Curt Franklin at 11:58 PM

April 15, 2005

Let's Get Serious

April has, so far, been a month of bad news in the computer security field as Lexis/Nexis and Mastercard revealed that individual data had been released in system breaches. They're not alone, as we've found listening to the steady drumbeat of news stories announcing that data from various organizations has been released without authorization.

The fact is, after all the talk and all the legislation, we're still not taking security seriously. You can hear more about what we're not doing--and what we should be doing--at the podcast found here. Have a good weekend and, as always, drop me a line to let me know what you think.

Posted by Curt Franklin at 11:14 PM

April 12, 2005

Introduced to ISA Server

With ISA Server 2004 Enterprise Edition, Microsoft is trying to bring a number of performance and security functions together under a single management interface in a single product. They seem to have done a pretty good job at key portions of the task, if the demonstration we had in the Gainesville, Florida Real World Lab is any indication. We will, of course, reserve judgement until we've had a chance to put the product through its paces on our own, but the management interface, at least, looks quite good.

That management interface was, in fact, the only thing I saw today that gave me any pause. Is it possible to make a product too easy to use? The only worry I have is that, if the folks in the central network management group aren't careful about how they define privileges for admins at branch offices, a remote admin could wander over his head into security policies very quickly.

In addition to the demo, we were able to talk for a while, and part of the conversation makes up today's podcast, which you can find here. Enjoy and, as always, let me know what you think.

Posted by Curt Franklin at 10:05 PM

April 07, 2005

Mile-High Entry

Who would have thought that you could build a podcast and blog entry set at 35,000 feet over western Tennessee? Me, neither, but here it is. This time, I'm talking about a couple of tools, from Dymo, and Levenger that help us keep things straight in the lab. In all honesty, the tools' use isn't confined to the lab--I've used the tool from Levenger almost every day for over a decade.

After the tool talk, it's time to talk about fiber-optic cabling. I hear more and more companies using security as the primary justification for a fiber installation, so I feel comfortable putting it in the security channel. If you are looking at going the fiber route, then you really ought to consider all the different ways of pulling the fiber, including nifty methods like the one I've seen from Sumitomo Electric. They use compressed gas to blow the fiber through a special conduit, and the organizations I've talked with that have decided to use the Futureflex system seem pleased with the results. You can find the podcast with both of these sections here. I hope you enjoy it, and find a little bit of useful information inside.

Posted by Curt Franklin at 07:06 PM

April 05, 2005

There's Something About an Airport

I don't know exactly what it is, but something about spending time in a line of strangers, holding my boots and my belt in my hands leads me to thoughts about how to improve security. I think the time has come for companies to take the plunge into two-factor authentication and leave the abomination of "strong passwords" behind. You can hear me discuss my reasons for thinking this in today's podcast, which you can download here.

There's something new in this podcast--I'm spreading my audio wings a bit--so let me know what you think. Let me know, too, what you think about us setting up the RSS feed for the security podcasts so you can have them delivered fresh to your desktop when they happen. As I wrote a couple of entries ago, this is new to me, so let me know how I'm doing.

Posted by Curt Franklin at 05:26 PM

March 30, 2005

Security From Two Directions

Once more into the podcast, dear friends, as we consider a couple of products that have been the subject of recent conversations. The first is from Tizor. The TZX 1000 is an appliance that builds logs of database and application access across the network--an important issue if you're in an industry laboring under any of the many regulations requiring you to document who sees what in the corporate information realm.

The other product, from Permeo, is designed to enforce host-configuration policies on remote-access systems--even when the remote hosts don't belong to your organization. I've still got a few questions about this system, but it certainly looks like a promising entry in the remote-access market.

You can get today's podcast here, so take a listen. As always, let me know what you think--this is an evolving thing, so your opinions are very important to me.

Posted by Curt Franklin at 01:41 PM

March 28, 2005

Something Completely Different

Hey, everyone, let's try something new. I've become fascinated by the world of podcasting, so I thought it might be interesting to podcast some of my daily observations, and even some of the interviews that are part of my week. The experiment begins with my very first podcast--found here.

Now, the first few podcasts are going to be awfully simple--me and a microphone, as I try to screen out the noise of the switch that sits behind my head in the office. As I get a bit more comfortable with all this, they'll get more adventurous.

Let me know what you think about the podcast as a way to get information from my desk to your head. Let me know what you'd like to hear in future podcasts--right now, I'm especially excited about taking my PocketStudio to conferences and trade shows, to try to get some of our interviews and meetings in front of you.

This particular podcast? A look at two new options for dealing with SPAM. The two products come from two major industry players--the first from IBM and the other from Symantec. I'm all for anything that cuts down on spam--let me know if you want to know more about these products.

Posted by Curt Franklin at 08:57 PM

March 14, 2005

Web Application Threats for March

Application security vendor Teros has released a security threat bulletin for March 2005, available here.

The bulletin outlines a list of security vulnerabilities specific to web applications, such as cross-site scripting attacks as well as a list of security advisories for a plethora of applications including IE, PHP4 and Verity UltraSeek.

Posted by Lori MacVittie at 12:57 PM

March 07, 2005

Crypto-Panic Time or Not?

The recent release of a paper detailing the way that a Shandong University team found a significant flaw in the SHA-1 hash algorithm has caused major ripples in the cryptanalysis world, and it's time to ask whether the ripples will turn into major waves for folks implementing computer and network security. The answer depends on a couple of major factors--how far into the future you look when making implementation decisions, and how much security is enough for you and your situation.

First, understand what the paper said. One of the ways a hash function is judged is how much work it takes to find two different inputs that hash to the same result--a collision. For a 160-bit hash such as SHA-1, a generic "birthday" search is expected to turn up a collision after about 2^80 hash operations, and SHA-1 was designed, and had been assumed, to offer no shortcut below that bound. The team at Shandong University found a method by which they could reach a collision in only 2^69 hash operations.

Now, in realistic terms, 2^69 is still a lot of operations, and it's more than the average hacker is going to be willing to brute force their way through in order to compromise a piece of communication. For the short term, then, there's no need to panic. Over the longer term, though, there is more room for concern.

The real problem is that the Shandong team's results show that there is a problem with SHA-1, and now the likelihood grows that more issues can be found. Since more people are likely to be looking for problems that could very well exist, the result is a lack of confidence in SHA-1. It's time to start looking for a replacement.

Where are the replacements going to come from? NIST already has four larger hashes in the SHA-2 family specified in its standards: SHA-224, SHA-256, SHA-384, and SHA-512. Their longer outputs push the generic collision bound to 2^112 and beyond, and they are the most likely replacements in the near term. The good news is that the science and art of cryptography keeps moving forward through research like that engaged in at Shandong University. The bad news is that, like all advances, there's going to be just a hint of a growing pain as we move the state of security forward. Get ready.
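To make the numbers above concrete, here is an added example in Python; it is not from the original post and not the Shandong team's method. It runs a generic birthday collision search against a truncated SHA-1 digest, where the 2^(n/2) bound is small enough to reach in a few seconds, and computes the same bound for the full SHA-1 and SHA-2 output sizes. The "nwc-" message prefix and the counter-based messages are constructed inputs chosen for this example. Nothing here exploits any weakness in SHA-1, which is exactly the point: this is the baseline work factor that a structural attack such as the 2^69 result has to beat.

```python
from __future__ import annotations

import hashlib
from itertools import count

# Added example, not code from the original post. Shows the generic
# ("birthday") collision bound that any n-bit hash is expected to resist
# for about 2**(n/2) operations, by running that search on a truncation
# of the real digest where the bound is reachable on a laptop.


def truncated_digest(data: bytes, algo: str, bits: int) -> int:
    """Return the leading `bits` bits of hashlib.new(algo, data) as an integer."""
    digest = hashlib.new(algo, data).digest()
    return int.from_bytes(digest, "big") >> (len(digest) * 8 - bits)


def birthday_bound(bits: int) -> int:
    """Expected hash evaluations for a generic collision on a `bits`-bit hash.

    Any hash, however well designed, falls to a birthday search in roughly
    2**(bits/2) operations: 2**80 for SHA-1 (160 bits), 2**112 for SHA-224,
    2**128 for SHA-256. A cryptanalytic result only matters if it beats this.
    """
    return 2 ** (bits // 2)


def find_collision(algo: str, bits: int, prefix: bytes = b"nwc-") -> tuple[bytes, bytes, int]:
    """Generic birthday collision search on the first `bits` bits of `algo`.

    Messages are the constructed sequence prefix || 8-byte counter, so the
    run is reproducible. Returns (m1, m2, evaluations) where m1 != m2 have
    the same truncated digest. Expected evaluations: about birthday_bound(bits).
    """
    seen = {}  # truncated digest -> message that produced it
    for i in count():
        msg = prefix + i.to_bytes(8, "big")
        d = truncated_digest(msg, algo, bits)
        if d in seen:
            return seen[d], msg, i + 1
        seen[d] = msg


if __name__ == "__main__":
    for name, size in (("SHA-1", 160), ("SHA-224", 224), ("SHA-256", 256)):
        exponent = birthday_bound(size).bit_length() - 1
        print(f"{name}: generic collision expected after about 2**{exponent} operations")
    m1, m2, n = find_collision("sha1", 32)
    print(f"32-bit truncated SHA-1 collision after {n} evaluations "
          f"(bound 2**16 = {birthday_bound(32)}): {m1.hex()} / {m2.hex()}")
```

Run it as a script to watch a 32-bit truncation of SHA-1 collide after tens of thousands of evaluations, right around the 2^16 bound; the same code against the full 160-bit output would need on the order of 2^80, which is why a 2^69 shortcut is a real result even though it is still out of reach for a casual attacker.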

Thanks to Bruce Schneier for following cryptography more closely than I do, and for explaining the intricacies without dipping more deeply into the math than is absolutely required. His free monthly newsletter is a must for anyone who wants to keep up with what's happening in cryptography and encryption.

Posted by Curt Franklin at 12:00 PM

March 01, 2005

XML Firewall Testing

Testing thus far is on schedule and going as usual. There are always guaranteed to be some problems along the way and this review is no exception to that rule. Luckily none of the issues have caused major problems and we've been able to work through them and continue testing.

Testing of DataPower and Sarvega is complete, with Reactivity being tested right now. Well, as soon as I stop writing this update and get on with it.

We've been able to add some additional scenarios to test for performance because of the limited number of participants, which has made things even more interesting. We're doing some single function testing against multiple features - encryption, signature verification, LDAP based authentication, etc... - that ought to provide some interesting comparisons.

That's on top of our wider spectrum of tests that include a full configuration to stop all the malicious traffic we're blasting at these devices.

Now it's back to the lab for more testing.

Posted by Lori MacVittie at 10:16 AM

February 23, 2005

The Baddies Stay Current

Give the virus baddies one thing: They keep up with current events. Two viruses making the rounds play off recent news events as part of the ploy to convince users to open the payload.

First, on February 22 the FBI took the unusual step of warning users that the agency does not send unsolicited e-mail to the public, in response to a virus that comes in a message claiming to be from the FBI with a request to answer a survey attached to the e-mail. This one works on making you feel that you've inadvertently visited an illegal site that's brought you under federal scrutiny--if you don't want to end up in the hoosegow, open the attachment. Needless to say, you shouldn't open the attachment.

Next in our current events report is the ever-popular "See Paris Hilton Nude" ploy, this time working from the recent hacking attack on Ms. Hilton's Blackberry. There are actually two viruses working this angle, a Sober.K variant, and an Ahker.C variety. Both are nasty, and each tempts you to either visit a site or open a file to fill your otherwise drab day with bodacious ta-tas. Needless to say, you shouldn't.

All of these viruses have moved to social engineering (Be Afraid! Be Excited!) to deliver their payload as a way around the generally improving state of virus protection. As always, a solid policy of not opening files if you didn't ask for them is a critical piece of virus protection.

Posted by Curt Franklin at 02:08 PM

February 16, 2005

Notes from the Lab

We've all heard about "security through obscurity", but working in labs has taught me that absolute clarity is much more secure than confusion when it comes to knowing which devices and segments are connected to the network. With that in mind, I've got nothing but great things to say about the Dymo RhinoPro 5000, a professional labeler that helps keep cables, ports, and devices straight when we're moving too many boxes around in the racks.

The RhinoPro 5000 fits into your hand (OK, it fits into MY hand), so it's easy to carry behind the racks when you need to label a cable that's already in place, or put an identifier next to a device port to help keep things in order. If you're doing things the way they should be done (labeling before installation), the 5000 has hot-keys for pre-formatted labels for wires and cables of various sizes, terminal blocks, patch panels, bar codes, and more. You can print the labels on a variety of different label stocks designed for flat surfaces, pebbled surfaces, and curved surfaces (like cables) of different sizes.

Now you have to understand that I'm a big fan of labeling things anyway, since I've seen far too many problems caused by the rather simple mechanism of plugging dead-end cables into active ports, or vice-versa. I've used other labelers (a Brother p-Touch sits on my desk), but I find that I really like the RhinoPro--it's the sort of thing that will end up in my tool bag next to the hand-held cable analyzer, multi-meter, and other layer-1 goodies.

This isn't to say that the RhinoPro 5000 is absolutely perfect. The rubber bumper that's supposed to protect against dings and scratches is a bit awkward for my fumbling fingers to move on and off, and I wish that the tape cartridges held more linear feet of mylar (or plastic, or nylon) than they do. These are small quibbles, though, and don't take away from the fact that this is a rugged-feeling device that is a major tool in achieving greater security through clarity.

Posted by Curt Franklin at 10:40 AM

February 15, 2005

Bill Gates Keynote at RSA

During his keynote today at the RSA Conference, Bill Gates quoted a Gartner report claiming that 75% of all vulnerabilities are application related. Mr. Gates then promptly blamed Microsoft's development tool customers for those vulnerabilities. Well, judging by the rate of patches coming out of Redmond, I'd have to disagree. Perhaps the problem is a bit closer to home.

On a related note, Gates briefly described steps Microsoft is taking to provide more secure software such as code reviews, R&D security efforts and better processes. Perhaps XP SP2 is the fruit of that labor, but more needs to be done. Much has been said about how Microsoft is going to be a security company, and how the acquisitions of Giant (spyware) and Sybari (antivirus) are supposed to be positive indicators. But acquisitions, no matter how well placed, won't change Microsoft, the company. It will take a long time to convince anyone, especially me, that Microsoft is a security company.

Posted by Mike Fratto at 06:39 PM

Free Software at RSA

Recalling the days of big box software, Shavlik's marketing schtick is bound to be a hit, especially with the color blind.

Posted by Mike Fratto at 05:38 PM

RSA Protesters?

The crowd was unruly, chanting and waving placards. While there was no violence, this motley crowd -- from Bluecoat -- made me just a bit nervous.

Posted by Mike Fratto at 01:02 PM

The Tags are Coming

I've been spending some time thinking about the whole topic of RFID and privacy, trying to sort out some of the conflicting claims about privacy versus security and institutional convenience. Now, I'm a reasonably serious privacy advocate--I think that we do, in general, have the right to be "left alone to be our potty little selves," as G.K. Chesterton put it. With that said, I had a recent conversation that left me more certain than ever that RFID is here to stay. What makes me say that? A billion dollars a year worth of cordless drills and miter saws.

I was at the annual meeting of the National Association of Homebuilders (NAHB) in Orlando when I ran across the Bosch Tool booth. In the middle of demonstrations of their latest compound miter saws (very nice tools) and electronic protractors (very cool if you're installing crown moulding), they were showing ToolWatch, third-party software that works with RFID tags implanted in power tools to keep track of when they enter and leave warehouses and job sites. According to the folks at Bosch, something like a billion dollars a year in tools walk away from jobs sites, never to be seen (by the contractors) again. That number is augmented by the tools that are purchased unnecessarily because no one knows to which job site a rotary hammer or nail gun has been sent.

Contractors have legitimate business concerns regarding stolen tools, and RFID seems to offer a reasonable attempt to slow the loss. Bosch recognizes that these concerns are sufficiently significant to drive tool purchases, so they are placing the tags inside tools at a price ranging from free to $5, depending on the tools and circumstances. Perhaps because the NAHB is made up of contractors, rather than framing carpenters, I didn't hear anyone decrying the loss of privacy that these RFID tags will carry along with the tool's serial number.

There are legitimate concerns about privacy and security attached to many on-going and proposed RFID deployments. We need to work hard to address the concerns, and should be more aggressive at encrypting sensitive information contained in the tags. The important issue, though, is that we do have to come up with solutions, because the economics of deployment are just too great to ignore. There are RFID tags in our future--let's just make sure that their deployment is intelligent and secure.

Now, let me tell you about this great 3.5 HP plunge router...

Posted by Curt Franklin at 10:39 AM

XML Firewall Testing

Part of our "Firewall Blowout" plan includes a thorough test of XML Firewalls. We tested XML/Web Services Security Gateways almost two years ago and the space has changed dramatically in that time. Not only did we see a lot of mergers and acquisitions (Actional and Westbridge merged, Digital Evolution acquired Flamenco Networks, Oblix acquired Confluent, and HP and CA acquired minor players), but we've watched the convergence of management and security, the deconstruction of pure firewall functionality into separate product lines and the birth of the XML VPN.

So we're going to test again, this time with a focus on functionality and the accuracy of these products to effectively stop XML based attacks from reaching the Web Services they are designed to protect.

We've got our test gear configured and we're ready to blast myriad attacks at the devices in our Green Bay lab. Products are scheduled for testing starting next week, and we're excited to get our hands on them and start poking at them.

Posted by Lori MacVittie at 09:07 AM

Web Service Vulnerability Alert Service

Forum Systems has launched the first-of-its-kind Web services security alert service. Forum VulCon is an alert service focused on the growing category of XML/Web services threats. This is a FREE subscription that can be accessed via Web Services, of course, as well as an RSS feed.

Forum VulCon (for Web Service Vulnerability Containment) delivers up-to-date notification of XML- and Web services-related threats and includes suggestions for effective countermeasures. VulCon has already aggregated over 100 of these potential exposures to popular systems and applications.

As deployment of Web Services continues to expand from limited internal enterprise use to external services providing B2B integration and as fully functional on-demand composite applications, the risk associated with such services will continue to grow. VulCon is one method of keeping security and web services development personnel up to date and providing them with the information necessary to mitigate risk in a timely fashion.

Posted by Lori MacVittie at 08:24 AM

February 14, 2005

RSA Conference Survivor Kit

The RSA Conference has yet to kick off and already the attendee swag is pouring in.

Good PR is not dead at Vernier Networks. Just in time for the show, we received our Survivor kit.

The box contained everything an intrepid attendee needs: meds for our head after a day full of meetings (more to come), a water bottle to keep us hydrated that also serves as a full-bladder endurance test, and, because what is Survivor without disgusting food, a power bar at least as disgusting as a Madagascar hissing cockroach.

Posted by Tom LaSusa at 08:49 PM

January 13, 2005

Active Defense

A couple of days ago I attended one day of the Department of Defense Cyber Crime Conference 2005. I was only there one day because that was the only day they had sessions that weren't classified. That I was there at all, though, was a novelty, since this was the first time (in the four years of the conference) that they've invited anyone from the press. There were some interesting presentations (including one you'll hear more about by the general who's now in charge of all DoD computing), but like any conference, some of the most interesting information came when we were away from the conference sessions.

While eating lunch, I got into an interesting conversation with someone who works at a government computer forensics lab. I asked him how the forensics tools available to business compared, in features and function, to the tools he had at his disposal. He said that three years ago there was a huge gulf between the two, but that civilian forensics programs were catching up fast--and he gave the credit to Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA, and the other regulations that make IT executives crazy. The engineer said that the need to discover, with certainty, not just that corporate information had been taken, but who did the taking, and where they sent the information, was pushing business forensics to develop quickly, and in good directions.

When I talk about unintended consequences, most of the time I've seen something truly bad, but if SOX, GLB, HIPAA, and the rest can drive better tools into the hands of corporate information security professionals, maybe they weren't such bad ideas after all.

Posted by Curt Franklin at 11:36 PM

January 12, 2005

I Was Wrong

OK, so they got me. Only a couple of days ago I called up Airespace, then wrote here that any merger was a way off. Little did I know that the "way" was about 48 hours long.

Now that the merger has been announced, what is it likely to mean for customers (and potential customers) of the Airespace wireless networking system? The answer is going to depend on exactly what Cisco sees as valuable in the Airespace acquisition. Cisco has proven, in the way it handled the Linksys merger, that it's capable of allowing a company to continue to do business and trade on its own name while gradually becoming more thoroughly tied to the Cisco way of networking. Of course, they've also proven through purchases like Procket that a company can be swallowed by the big green networking company with nary a burp to mark its passing. So which is Airespace likely to be?

I suspect that the final result will be the Airespace line of Cisco wireless switches and access points. As I wrote in my earlier post, Airespace has wireless security technology that should be a super fit for Cisco's Network Admission Control (NAC) vision of network security. Depending on exactly how they play it, Airespace can add tools ranging from sharply improved wireless monitoring to robust user authentication and authorization to Cisco's device-oriented view of the network.

Of course, the merger marks a real opportunity for companies like Aruba and Trapeze, who can try to fill the OEM void that will be left by Airespace's marriage to Cisco. It will be interesting to see which of the remaining wireless switch companies will be the most aggressive in going after Airespace partners. As for me, I think I'll head back to the lab, and leave the rumor-wrangling to others...

Posted by Curt Franklin at 11:31 PM

January 07, 2005

Wireless Rumors

The security consolidation rumor-mill is at it again, this time renewing the notion that Airespace is about to be purchased by Cisco. I made some calls, and it seems like this is a rumor that's at the very least ahead of the facts--while they wrapped everything in standard "We can't confirm anything" language, I didn't get the impression that a purchase is happening in the next couple of weeks.

Don't get me wrong--an Airespace buyout makes some sense from Cisco's perspective. They've certainly shown no reluctance to buy good technology (Procket, anyone?) and some of the things Airespace has done would mesh nicely into Cisco's Network Admission Control (NAC) framework for network security. From the Airespace point of view, a purchase would make sense in terms of rewarding investors and employees, though they would certainly pay for the rewards in reduced independence and increased organizational overhead.

Airespace has a number of reseller deals with major networking vendors, and the rumored deal for Airespace to play a major role in Microsoft's new internal network has certainly increased the chatter factor about the company. I think it would be a shame to see Airespace sell out this early; they--along with Aruba and Trapeze--have helped push wireless networking security and performance much faster and farther than it would have gone had everything been left to the companies whose major stakes are in the wired network world. The time for consolidation and payoff is coming, but I hope it's later, rather than sooner.

Posted by Curt Franklin at 01:14 PM

December 15, 2004

They Just Keep Getting Bigger--Maybe

According to The New York Times, Symantec and Veritas are in discussions aimed at having Symantec purchase the company best known for its data backup packages. Like so many of these stories, there are obvious story lines, and those that are a little more subtle.

The obvious story line is that the number of players in the security market continues to decline as mergers and acquisitions continue at a goodly clip. There are, of course, aspects both good and bad to consolidation, but financial and market forces seem to be moving in the "fewer/larger" direction, so there's little constructive that I can say about it. The less obvious story line actually has more meat, in my opinion; security is gradually moving from asset protection to business continuity assurance.

Think about it: Most security is focused on keeping "the bad guys" from succeeding in their dastardly deeds. Business continuity doesn't really care so much where the threat comes from, it just wants to keep software, hardware, and data assets available and useful to the proper users. Assurance includes security, but doesn't stop there, extending to backup and restoration, disaster recovery, maintenance, regulatory compliance, and a host of other issues. At a recent conference I noticed more people handing out business cards that read "Data Assurance" or something similar, and it's a trend that can work for the security professional on a number of levels.

First, the change in scope can mean that you have meaningful control over more aspects of the network infrastructure, so that security stands a chance of being built into, rather than bolted onto, the network. Next, the greater responsibility can translate into larger budgets--seldom a bad thing in the corporate world. Finally, taking a broader view of assurance can make you much more effective in designing security--the extra work and responsibility can carry some solid professional benefits in horizon-broadening.

Posted by Curt Franklin at 08:28 AM

December 13, 2004

More Security Consolidation

The push to consolidation in security continued today as 3Com purchased IPS vendor TippingPoint ** for somewhere in the neighborhood of 430 million dollars. According to the announcement, TippingPoint will continue to operate as a separate division of 3Com, with its headquarters remaining in Austin, Texas.

So what does this mean to the world of security? In one sense, it's just the latest step in the march of security to the network infrastructure. Cisco is the loudest voice talking about the virtues of tying security to the switches and routers at the core of the network, but it's far from the only voice. With this acquisition, 3Com has put some serious money behind this kind of talk, and it's reasonable to expect that they will ultimately tie the products together more closely. There's no surprise in this, but I do think there's good news for security-conscious folks in the small- to medium-business category.

While most of the companies talking about security and the infrastructure have been focusing on products in the enterprise space, 3Com has built a reputation in the SMB market over the last few years. 3Com has also been introducing more products aimed at security, so the company has obviously seen an opportunity to make a market within security-conscious SMB I.T. folks. This is great news for those who have significant concerns about security within smaller companies. TippingPoint is a very solid IPS product (as I found when performing tests for an IPS review that will appear in Network Computing in January), and linking the thinking with 3Com's presence in the SMB world should mean nothing but good things for migrating security capabilities down-market.

I'm looking forward to seeing how 3Com works with TippingPoint as part of the corporate fold. If today's purchase means that a 200-seat business can get serious intrusion analysis, detection, and prevention, then this is good news for the networking community. I'm going to remain optimistic at this point, but I still have some phone calls to make--I'll let you know more after I have a chance to talk with the folks at 3Com and TippingPoint.

** In the original version of this post, CheckPoint was erroneously identified as the company purchased by 3Com. Thanks to alert readers who pointed out the error.

Posted by Curt Franklin at 02:09 PM

November 16, 2004

From mergers and acquisition to convergence

Less than a month ago Actional and Westbridge Technologies merged into a single entity doing business as Actional. Less than 6 months ago Digital Evolution acquired Flamenco networks. Yesterday the converging technologies of Web Services management and security showed itself with the announcement of Actional's SOA Command and Control Platform and Digital Evolution's XML VPN.

While the products from Actional and Westbridge remain separate entities, the Command Control platform provides a unified management console enabling control over the tight integration between the two products as well as centralized operational and policy control.

Following closely on the heels of the Digital Evolution acquisition of Flamenco and its subsequent new product announcement, the Actional announcement follows the trend within the SOAP and XML security space to converge with the management space - in one way or another. While the two entities have taken different approaches, both are heeding the call of enterprise network and security needs by providing better integration and definition of responsibility of the two complementary but sometimes competing technologies.

Digital Evolution has introduced its XML VPN, the first product to bear the moniker of what will likely be a common term in the coming year. The concept is hardly new, but Digital Evolution is the first to use the terminology to clearly describe what its new product is designed to do. The XML VPN Controller provides central policy and rights management and transaction auditing services for an XML VPN Environment. It is available as software for deployment by a VPN provider.

Posted by Lori MacVittie at 09:32 AM

November 09, 2004

CSI Show BlogReport

Like any self-respecting New Yorker, I'm still recovering from the Massacre of Nov. 2. My Manhattan neighbors chose regime change nearly 9 to 1, so at least I've had plenty of shoulders to cry on--that is, until my employer sent me to the epicenter of presidential politics, Washington, D.C., for the Computer Security Institute conference this week. Sure, the District of Columbia is mourning the loss on the same scale that the Big Apple is, but I would have preferred to experience all the stages of loss before confronting live images of the White House and the Capitol dome.

Ah, well. I'll have to distract myself with discussions of vulnerability assessment, policy management, configuration management, anomaly detection and, perhaps most important, regulatory compliance.

The day started with a keynote address by Frank Abagnale, the onetime con artist and check forger immortalized by Steven Spielberg and Leonardo DiCaprio in the 2002 film, "Catch Me If You Can." His stories elaborated on many incidents depicted in the movie--how he learned all that aviation and medical jargon so he could pass for a pilot and a doctor, how he filled out a stack of blank deposit slips with his account number and placed them back on the pile so that unsuspecting account holders would mistakenly deposit their hard-earned money into his account, and how he dropped 90 pounds during a grueling four-year stay in federal prison.

Abagnale was paroled in the early 1970s on the condition that he serve out the rest of his sentence in service to the FBI. Some 30 years later, he still teaches at the FBI academy and doesn't get paid. "I'm paying back a debt that I owe," he says. He has also done paid consulting work for all of the 50 largest banks as well as for Novell, Computer Associates, Unisys and other tech companies.

The movie glamorized his juvenile delinquency, Abagnale says. This time in his life was far from glamorous. He says he ran away because he didn't know how to deal with his parents' divorce, and he spent those years hanging out with strangers 20 years his senior and crying his lonely self to sleep at night. He works voluntarily for the FBI all these years later because, he says, he's grateful for the second chance the bureau gave him. Without that chance he wouldn't have met his wife of three decades, and he wouldn't have three boys, one of whom recently became a lawyer while the other two are attending college.

What all this has to do with enterprise security, I'm not sure, but it was a touching and entertaining keynote just the same.

A short time later I met with Gerhard Eschelbeck, the chief technology officer for Qualys Inc., a provider of vulnerability assessment services. The vendor took its first step toward integrated reporting with a new trouble-ticketing module for the vendor's flagship QualysGuard product that funnels vulnerability information into Remedy's help-desk software. A set of XML APIs will make it possible to integrate that same vulnerability data into a variety of intrusion prevention and security information management products after the release of QualysGuard 3.4 this winter, Eschelbeck says. Version 3.4 will also include "trusted scanning" for Unix systems, allowing for scanning down to the PC level without having to run agents on every desktop and server, he says.

Next I sat down with Dmitry Shapiro, chief technology officer for Akonix Systems Inc., a developer of security, logging and auditing software for enterprise instant messaging systems. The company's L7 (Layer 7) Enterprise product provides IM management and a secure proxy server for IM, and it integrates with all the major public and private IM services. It includes policy enforcement, content filtering, logging, archiving and auditing. The company's Enforcer product prevents technical users from circumventing the controls at Layer 7 by policing other ports for traffic that looks like instant messaging. Such software could help an IT organization stop employees from using the Web versions of AOL Instant Messenger and other IM products. Enforcer can also be used to shut down peer-to-peer traffic. Version 4.0 adds support for eDonkey, which has surpassed Morpheus and Kazaa to become the biggest swapper of songs and movies.

Perhaps the most interesting part of our discussion was Shapiro's contention that IM traffic will soon subsume email traffic. To his mind, IM is to the telephone what email is to voicemail. That is, when IM grows up our first inclination will be to try to track down colleagues or friends on IM before leaving them a message to read later. All IM needs is integration among all the major network providers along with better presence awareness, and email will, like voicemail, become a secondary medium for communication, he says, citing various analyst reports agreeing with him.

I heard next from the folks at BigFix Inc., a maker of security configuration management software. Gregory Toto, the company's VP for product management, emphasized the real-time nature of the company's flagship BigFix Enterprise Suite, which is now on its fifth rev. The product can perform a real-time inventory of systems and software and provide instant reporting, a necessity in this age of increasing regulation, Toto says. "Knowing what you have is the first step toward compliance," he says. The package also includes modules for mobile and remote system configuration, patch management, antivirus and personal firewall management, and vulnerability management. Along with Qualys, BigFix is emphasizing its ability to serve up relevant reports to business-line managers and executives, who increasingly are accountable to customers and government regulators for the security of their systems.

Lancope Inc., maker of network behavior anomaly detection (NBAD) software, used the CSI show to introduce StealthWatch XE (eXtended Enterprise), a component of the vendor's StealthWatch System 4.2 NBAD product. The module collects NetFlow data found in Cisco, Juniper and other routers and sends the information to the StealthWatch System software for analysis. Among other things, StealthWatch XE makes it possible to perform such inspections without having to deploy a StealthWatch System appliance inline between every switch and router.

The finale was Breach Security Inc., a little San Diego startup that specializes in application security. Its BreachGate appliances include Sitegrity, for serving up authenticated content; BreachView SSL, a plug-in decryption module that makes it possible to inspect SSL traffic; and Detect, which protects dynamic content originating in databases.

Products like BreachGate represent the next generation of application protection, says company CEO John Payne. "We look not only at what goes into the application but also what comes out of the application," he says. Such an approach limits the risk and exposure for companies that must comply with strict disclosure regulations, he says.
Posted by Dave Joachim at 08:50 AM

November 02, 2004

Live Show Report: Anti-Spam

Brad Shimmin here, reporting to you live (literally via a handy Wi-Fi connection) from the Next Generation Networks Conference in Boston, Mass. I plan on attending a number of sessions over the next two days, taking notes as I go and sharing those here. I hope you find them useful.

First up is "Anti-Spam: Analyzing the Alternatives," which sounded like it would yield a good mix of approaches to squashing spam, pairing the CEO of anti-spam vendor Barracuda (which won our recent review) with a scientist from VeriSign and the Cyphertrust CTO. Dave Piscitello moderated this panel. He's the technology evangelist with MediaLive International, although the materials from the show have him down as a telecommunications evangelist.

Dean Drako, president of Barracuda Networks, gave a very, very short presentation that focused on the Rate Limit Approach to spam, naming the following pros and cons:

Pros:
  • Defends against DOS/DHA attacks, zombies/open proxies
  • Makes high-volume spamming a lot more difficult
Cons:
  • Primarily effective against "attacks"

He then went on to discuss spam statistics, which were pretty self-evident. Next...

Dr. Paul Judge, CTO of CypherTrust, talked about spam epidemiology, which certainly sounded highbrow if nothing else.

According to Dr. Judge, there are a number of motivations for spamming: Fun, Challenge, Prestige, Profit. The guys going for profit focused upon very specific attacks and techniques, while the "script kiddies" out there tried their hands at a broad spectrum, including port scans, DoS attacks, viruses, phishing, etc.

Primarily, though, most people send spam to make money. What makes e-mail attractive to us also makes it attractive to spammers. Both have products and potential customers. To send an e-mail message, it costs 0.0005 cents per. So they can live with one person in 1,000 as a response rate and still make money. This is supposedly the business model in mathematical formula used by spammers.
=(Ns[(ASd)(1-ASe)+(1-ASd)](R-Pi)-(NS)(Cl+Cs)-(I-Cp)
Mmmmm.Yummy.

Anyway, for Dr. Judge, the solution is easy. How do you make it go away? You make it no longer profitable. And you create deterrents strong enough to make this business model no longer viable.

I found the following stat very interesting (OK, terrifying).

Spam attacks have a response rate of way less than one percent. But phishing attacks have a response rate that's about 3.5 percent. That's what happens when you gain someone's trust.

Lastly, here's Dr. Judge's 30,000-foot view of how anti-spam techniques have evolved:

1. First we simply dropped suspect messages
2. Then we realized that false positives were bad, so we quarantined messages
3. Now we're recognizing that we can and perhaps should actively respond to suspect messages, working against the spammers where possible.

-------

Dr. Phillip Hallam-Baker, principal scientist at VeriSign, talked about authentication and accreditation--not surprising as an employee of VeriSign.

For Phillip, the problem stems from a lack of accountability, which we'd lost when the Net was a small, academic network. So instead of focusing on the bad guys, let's focus on the good guys. "How can I prove that you should read my e-mail?"

He's created the Aspen Framework. Today, we are mistakenly demanding accountability through blacklists, but they're not exercising accountability themselves. The first thing to do is to authenticate the sender, to prove you are who you say you are. This is pretty easy for individuals, but where large organizations are concerned (as in phishing attacks), the problem is more complex. For that we need a much more robust authentication system.

There are two approaches at VeriSign.

For users: Sender-ID (which will soon be renamed), also known as SPF. This uses DNS records to publish IP addresses of legitimate e-mail originators.

For anti-phishing: Cryptography and digital signatures. So you want to directly authenticate the e-mail source. But then we need accreditation on top of this, so that we can be sure there's an actual business on the other end of the line; it's knowing something about the sender that makes you trust the sender.

VeriSign's approach to identity today stems from its Verified Domain List (VDL), which is a list of legitimate SSL certificate holders that the company makes available for free to anti-spam vendors. VeriSign will let private individuals hook up with this in the future.
Posted by bshimmin at 01:46 PM

October 29, 2004

Keep the Spies Away

If you're like me, your life is punctuated by conversations in which folks gripe about the latest problem with their computer. Lately, the biggest single gripe has been spyware--the software that looks at your keystrokes and Internet habits, and may "helpfully" redirect browsers to various entertaining web sites.

I was surprised, then, by this article that says fewer than ten percent of companies have installed any sort of anti-spyware software on their desktop computers. Now, it's true that most anti-spyware software is something of a pain in the rear, but it can make a huge difference in keeping people productive. If you're looking to experiment, Ad-Aware is a good place to start. I've been using ZeroSpyware for a while now, and it's caught several helper objects trying to attach themselves to my browser.

With virus and worm traffic continuing to grow, spyware may seem just an inconvenience, but I have seen heavily-infected systems taken down because of the burden placed on the CPU, and no one wants strangers watching your keystrokes. Anti-spyware software is easy enough to find and install--make it your Awesome Autumn gift to your employees and their bosses.

Posted by Curt Franklin at 04:41 PM

Boo!

If it's Friday, it must be time for another Bagle/W32 variant. This time, it seems that the coders are playing games that make it easier for the virus to get past AV scanners. It is a good reminder to keep signature files up to date, and post notices that employees really shouldn't go around opening strange attachments they weren't expecting.

I suppose it's appropriate to get a little scare just before Halloween. Just remember to keep the little goblins in check, and have a scary, safe weekend.

Posted by Curt Franklin at 04:29 PM

October 27, 2004

Mozilla vs. Microsoft

Alyce Lomax of Motley Fool fame has posted an article (sorry, registration required) highlighting the continued migration away from Microsoft Internet Explorer and toward the more OSS-friendly Mozilla, citing security as one of the major reasons for this slow defection.

What Alyce doesn't examine, however, is the feature set differentiation between the browsers. To blame security entirely for the defection is too easy. It isn't just about security, that's the straw that's breaking the camel's back. It's about features and functionality.

Yes, yes. IE 6 has pop-up blockers too. But the feature is hidden in the menuing system and isn't easily accessible like the ones available for Mozilla/Firefox. Sometimes you *need* to allow pop-ups. WebEx/MeetingPlace are prime examples of sites that require the ability to randomly pop up windows at will. It's easier to just click a checkbox on the toolbar before loading the site than it is to navigate through the menu system to find the option and turn it off, then hope you remember to turn it back on again. The lack of tabbed browsing has been cited numerous times by convertees. "Once you experience browsing in a tabbed environment you'll wonder how you lived without it." And with no upgrade to IE in sight in terms of features/functions, it's difficult to advocate staying with a 1999 browser in a 2004 world.

Standards compliance - not support - has become a big issue as well. Most of the blog sites, which have grown very popular of late, are based on CSS. IE supports CSS, but then only implements a subset of level 1. Mozilla, on the other hand, supports CSS to the letter, making it more compliant than IE in this respect. When you're trying to support a wide variety of browsers OUTSIDE the corporate environment, where you have no control over the user's decisions on browsers, it is generally best to fall back on standards. When IE doesn't truly support those standards, what is a developer to do?

You can put a big sign on your site "You must use IE to access this site", but the more savvy of us will simply use the masquerading feature of Mozilla/Netscape to change our user-agent to fool you or, worse, we'll simply write you a nasty letter and take our business elsewhere. In a world of shrinking profit margins, every customer counts - and that means those customers who won't use IE for whatever reason.

Alyce makes some interesting points, but she's stuck on the security hype and that may be a motivator to move from IE to ABM (anything but Microsoft) but that isn't the reason people stay with an alternative browser or push at corporations to provide support for both IE and gecko-based browsers.
Posted by Lori MacVittie at 11:55 AM

October 01, 2004

Looking Inside

The latest high-visibility security exploit is trouble in the way that some Microsoft products deal with JPG files. The problem revolves around the comment field in a JPG file--Microsoft programmers assumed that the field would always have a length greater than one. If the field is defined in the file as zero- or one-length, the system may crash, but if the right information is included in the proper place, the info can be passed to the system and interpreted as computer instructions.
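As an added illustration (not code from the original post), here is a small Python checker that walks a JPEG's marker segments and flags any length field below 2, which is the zero- or one-length comment case described above; the sample files are constructed inline.

```python
import struct

# JPEG marker codes used below
EOI, SOS, COM = 0xD9, 0xDA, 0xFE
# Markers that carry no length field: TEM, SOI, EOI and RST0..RST7
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))


def scan_jpeg_segments(data: bytes):
    """Walk the header segments of a JPEG and return a list of findings.

    Each finding is an (offset, marker, message) tuple describing a
    malformed or suspicious segment. An empty list means every length
    field in the header was sane. Scanning stops at SOS because the
    entropy-coded image data that follows has no segment lengths.
    """
    findings = []
    if len(data) < 2 or data[0:2] != b"\xff\xd8":
        return [(0, None, "missing SOI marker; not a JPEG")]
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            findings.append((pos, None, "expected 0xFF marker prefix"))
            break
        marker = data[pos + 1]
        if marker == 0xFF:          # fill bytes may precede a marker
            pos += 1
            continue
        if marker in STANDALONE:
            if marker == EOI:
                break
            pos += 2
            continue
        if pos + 4 > len(data):
            findings.append((pos, marker, "truncated length field"))
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        # The length field counts its own two bytes, so any valid value
        # is at least 2. A value of 0 or 1 is exactly the comment-field
        # case the post describes: a decoder that subtracts 2 in unsigned
        # arithmetic wraps around to a huge copy size. Reject it outright.
        if length < 2:
            findings.append((pos, marker,
                             f"segment length {length} < 2 (underflow trigger)"))
            break
        if pos + 2 + length > len(data):
            findings.append((pos, marker,
                             f"segment length {length} runs past end of file"))
            break
        if marker == SOS:
            break
        pos += 2 + length
    return findings


def is_safe_jpeg(data: bytes) -> bool:
    """True when no malformed segment lengths were found in the header."""
    return not scan_jpeg_segments(data)


# Constructed sample files (not real images): SOI, one COM segment, EOI.
GOOD_JPEG = b"\xff\xd8" + b"\xff\xfe\x00\x04ok" + b"\xff\xd9"       # COM length 4
ZERO_LEN_COMMENT = b"\xff\xd8" + b"\xff\xfe\x00\x00" + b"\xff\xd9"  # COM length 0
ONE_LEN_COMMENT = b"\xff\xd8" + b"\xff\xfe\x00\x01" + b"\xff\xd9"   # COM length 1
TRUNCATED_COMMENT = b"\xff\xd8" + b"\xff\xfe\x00\x10ab"             # claims 16 bytes

if __name__ == "__main__":
    for name, sample in [("good", GOOD_JPEG), ("zero", ZERO_LEN_COMMENT),
                         ("one", ONE_LEN_COMMENT), ("truncated", TRUNCATED_COMMENT)]:
        print(name, "safe" if is_safe_jpeg(sample) else scan_jpeg_segments(sample))
```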

The bad news is that Microsoft was aware of this exploit for a long time before they fixed it in SP2. The good news is that they did, in fact, fix it in SP2, and the risk should decrease as more people update their systems.

If you want to see exactly what the exploit will do, let me refer you to an excellent security site, K-otik Security. Look at the Exploits tab, and you'll find out precisely how someone can take advantage of this (and many other) weaknesses in software. Reading about the nasties is one thing, but there's no real substitute for looking at code that can harm your system. It's not the most comforting reading on a Friday afternoon, but if it helps prevent problems over the weekend, you can relax just a little bit more.

Posted by Curt Franklin at 01:36 PM

September 22, 2004

Off the Hook?

Phishing has been one of those technology topics that keeps popping up in the popular press as consumers are conned into providing all their personal details to fake banking or government sites. This social-engineering exploit (and it is social engineering since most people willingly provide their information) is becoming better known among consumers, and a lack of trust is the last thing e-commerce needs right now.

I'm beginning to see products designed to increase customer trust in the sites they visit. Last week I spent some time on the phone with folks from GeoTrust talking about their TrustWatch product, a free IE add-in toolbar that provides green, yellow, or red indicators based on the relative trustworthiness of the site. Now, theirs is a fairly simple process of determining the color of the light; if there is a valid security certificate, then the light is green, no certificate with no other negative points is yellow (www.nwc.com shows up as a yellow site), and known bad sites or those whose behavior violates certain rules turn up as red sites.

I'm not a huge fan of IE toolbar plug-ins, but this one is fairly unobtrusive, and it does its stated job pretty well. Until we figure out how to shut down phishing sites entirely, products like this one may be a solid step towards making consumers breathe a little easier when they spend their money on-line.

Posted by Curt Franklin at 04:04 PM

September 20, 2004

Clash of the Titans

All the fun we've had with single-vendor computing platforms seems likely to spill over into the security world as Microsoft and Cisco get cranking with the idea of end-to-end security. This story gives a pretty good overview of the initial issues, but everything is going to continue to boil down to how well products designed to work within a unified environment can integrate with one another.

Preston Gralla provides great perspective on this issue, and it's important to remember that we're seeing the early skirmishes in a battle that promises to be huge as enterprises focus more effort and money on protecting information. It's been a long time since I've seen so many different approaches to solve the same broadly-defined problem (MS-DOS versus CP/M-86, anyone?), and the plethora of options is tough on anyone looking to make an iron-clad decision. The good news is that this surfeit of products, technologies, and architectures can be the fastest path to innovative security that fully solves the very real security threats facing companies. It's messy, but it can be a very good mess.

Posted by Curt Franklin at 11:47 PM

Security Threat Watch Update

Compliments of today's Security Threat Watch newsletter:
There have been a number of interesting vulnerabilities this week. Microsoft released a patch for a vulnerability in JPEG graphic parsing in various GDI libraries. Part of the problem with this bug is that various applications are supposed to ship their own versions of the GDI libraries, which means you literally have to search your file system for vulnerable files to update. Then there is the issue of whether the third-party application will even function correctly with the newer GDI library.
Multiple vulnerabilities have been found in the Mozilla application suite (Mozilla, Firefox and Thunderbird). Some of these bugs have been reported before, but we thought we'd re-report the collected advisory.

Lastly, Corsaire released a large number of advisories relating to the improper parsing of MIME documents by various products. The exact impact is product-specific, but improper MIME parsing can be exploited directly (buffer overflows, etc.) or indirectly (bypassing virus scanning gateways, creating malicious attachments, etc.). The slew of advisories are collected in this issue under a single entry with the title "Multiple vendors: various MIME interpretation problems."
Shameless plug: This is just the introduction to a complete listing of vulnerabilities and patches organized by platform. You can get the whole kit and caboodle by signing up for this free, weekly newsletter, created by a great bunch of security wonks at Neohapsis.
Posted by bshimmin at 12:28 PM

Transaction Minder 6.0

Netegrity has announced the release of Transaction Minder 6.0. The big news for this release is its Web Services security play. TM 6.0 includes full support for WSSE 1.0, which means the product can consume and produce WS Security headers for all three approved profiles (Username/Token, X.509 and SAML token).

Transaction Minder 6.0 also provides limited WS Encryption support; either the full document or header can be encrypted. Individual elements within a SOAP document cannot be encrypted/decrypted. That means point-to-point exchanges can easily be secured but that exchanges requiring an intermediary may be problematic unless keys are shared. Most XML exchanges today are point-to-point, but intermediaries - such as XML Security Gateways - will become more prevalent and will require the ability to dig down and encrypt individual elements within an XML document. Netegrity says it's watching this need closely across its customer base.

TM 6.0 is not a replacement for perimeter solutions such as those offerings from DataPower, ForumSystems, Westbridge and Reactivity. Rather it is designed to be a complementary system that extends comprehensive triple-A and SSO support to Web Services. TM 6.0 does not provide traditional network perimeter based security in the form of schema validation, data scrubbing or attack scanning; rather it is designed to provide a mechanism for enterprises to integrate Web Services into their existing security infrastructure.

That's a good move for Netegrity considering that it is one of the major partners XML Security Gateway vendors turn to for identity management integration. Competing with partners is never a good idea and Netegrity appears to have done a fine job of walking that line, providing value for both the enterprise and partners while annoying neither.

TM 6.0 will be generally available the end of this month and is priced at $40,000/CPU.

Posted by Lori MacVittie at 11:57 AM

September 16, 2004

The World Ends (Take MCMCXXIII)

So everyone knows that anything labeled "Critical" must be, like, really important, right? And if Microsoft labels something "Critical" then it must be just totally double-plus ungood, right? So when Microsoft comes out with a critical alert regarding a vulnerability in the software that lets you look at .JPG files, then we should all run outside and dash around in mad, tight little circles while screaming because, you know, the world is about to come to an end. Right?

If you've read this far and aren't yet laughing then you, my friend, need to walk away from the computer and breathe deeply for a little while. The folks over at Vmyths.com have done their usual good job of figuring out what's important in this one--and the only thing that's really important is downloading the patch Microsoft has already released--and separating the heat from the smoke.

Breathe. Having survived a couple of tropical storms in recent weeks, I recommend it without reservation. I might even call it critical...

Posted by Curt Franklin at 02:34 PM

September 10, 2004

This week in Vulnerabilities

Courtesy of Security Threat Watch, comes this quick overview of last week's most important vulnerabilities and patches.

Many critical vulnerabilities have been found in Oracle and IBM DB2 database servers. The vulnerabilities allow the remote compromise of the databases and the systems they run on. Shops running either database server product will want to grab the recently released vendor security updates.

http://archives.neohapsis.com/archives/cc/2004-q3/0005.html

http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0038.html

http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0041.html

Kerberos shops using the MIT flavor of Kerberos also will want to look for security updates from their particular platform/vendor because of some remotely exploitable vulnerabilities that could allow an attacker to take over the KDC.

http://archives.neohapsis.com/archives/cc/2004-q3/0006.html

http://archives.neohapsis.com/archives/cisco/2004-q3/0005.html

http://archives.neohapsis.com/archives/bugtraq/2004-08/0418.html

http://archives.neohapsis.com/archives/bugtraq/2004-09/0038.html
Posted by bshimmin at 08:56 AM

August 31, 2004

SP2 Keeps Moving

Since my last post most of the news in the industry has swirled around Microsoft's Windows XP SP2 and the effect it's likely to have on your computing environment. I've got it sandboxed on one machine in my lab--I'm looking forward to seeing what still works, what works better, and what doesn't work at all.

Others haven't waited as long as I did, and they've been diving into the SP2 maelstrom since slightly before its release. There have been a ton of news stories on SP2, its problems and its benefits (and, yes, there seem to be several important benefits to SP2). If you have a couple of hours to kill and want to read a lot of high-volume declaiming on the subject, the folks at Slashdot have been doing their usual thorough job of wringing something out (both technically and linguistically).

Be sure to check out the Buzzcuts in the next issue of Network Computing--there's more information coming. For that matter, check out the Buzzcuts in every issue. They're quick to read, they're pithy, and they tend to give us all new things to think and argue about.

Posted by Curt Franklin at 05:42 PM

August 23, 2004

When Hashes Collide

Compliments of this week's Security Threat Watch newsletter.
The security industry was abuzz last week with news that collisions--when two different messages result in the same hash--have been discovered in the SHA and MD5 cryptographic functions. When a cryptographic hashing function is found to produce collisions, it is generally accepted that the overall security of the function will continue to degrade as more optimized methods for producing collisions are discovered.

In other words, once you can cause the function to collide, it's only a matter of time until you can find quicker, easier ways for it to collide. Does this mean that the SHA and MD5 functions should be immediately tossed into the waste bin? Not necessarily. Using a stronger SHA version (like SHA-256) is still a viable option at the moment.

Posted by bshimmin at 01:47 PM

August 16, 2004

The Hacking, Attacking Youth of Today

Is it just me, or does it seem like the average age of 'Net attackers is getting younger and younger?

Last week, High School Senior Jeffrey Parson pleaded guilty to unleashing a variant of the "Blaster" internet worm that hosed thousands of computers last summer.

This isn't the first time something like this has happened. Young kids are exploring the wonderful world of virus deployment as well as hacking for reasons such as impressing their friends, getting free stuff, etc.

Used to be kids would steal a chocolate bar or comic book from the corner store to gain attention.

Are we not doing something right by them? Are we not teaching kids the rights and wrongs of hacking and attacking? How old will the next attacker be -- 16? 14? Younger?

It's probably way too early on a Monday to be waxing on about this stuff, isn't it?

Posted by tlasusa at 10:12 AM

August 04, 2004

They couldn't just play Yahtzee?

OK, so is this really such a good idea? Singapore has decided to have a contest to find and reward the city's best hackers. As if the chance to use stolen credit card accounts and spam millions of e-mail in-boxes weren't enough, now computer criminals can compete for exciting prizes. I'm sure this will work out really well. Really.

Posted by Curt Franklin at 08:50 PM

July 30, 2004

I'm so Blue

Sorry about the break in blogging. Blame it on travel, on some surgery, or on the fact that we get a blue moon tomorrow night. Whatever it was, I'm back.

Good thing, too, because I had an interesting conversation yesterday with Mikko Hypponen, who's in charge of the anti-virus team at F-Secure. I'll probably have several posts based on the conversation, but the issue that has me most interested this morning is the first Bluetooth virus, a wonderful little beast that can infect your cell phone just because you walked within Bluetooth distance of an infected phone.

This first virus, known as Cabir, isn't terribly harmful in and of itself, but Mikko calls it a solid "proof of concept" for other, more damaging, programs. There are already programs out to disinfect your cell phone, and I'm sure the cell-phone anti-virus packages are on their way, but until you have one there are two choices; turn Bluetooth off when you're not actively using it, or start skulking around the perimeter of rooms, suspiciously eyeing each person's cell phone and wondering when the next infection will strike. Call me silly, but the "off" parameter seems the better option for the short run.

Posted by Curt Franklin at 10:05 AM

July 26, 2004

From the home office in Santa Clara, Ca.

Borrowing from David Letterman (after all who hasn't?), security firm McAfee has announced their top ten threats of the year so far. Can we get a Drum Roll?

  1. Exploit-MhtRedir.gen (also known as Download.Ject or Scob)
  2. VBS/Psyme
  3. Adware-Gator
  4. Adware-180Solutions
  5. Adware-Cydoor
  6. Adware-BetterInet
  7. W32/Netsky.d@MM
  8. W32/Netsky.p@MM
  9. W32/Netsky.q@MM
  10. W32/Mydoom.a@MM
Posted by tlasusa at 02:48 PM

July 22, 2004

From the Inside

We spend a lot of time preventing people outside our organization from cracking into the system. Sometimes, though, we need to put more effort into keeping people on the inside from being naughty. Over at Linux.com, Joe Bolin has written up some basics on preventing local intrusions--the article is a good reminder to look at both sides of the firewall when we're putting together security plans.
Posted by Curt Franklin at 05:53 PM

...and that's why we need security

What happens when there are vulnerabilities in your network and database? Sometimes, a thief gets in and steals 8 gigs of customer data. Think any of the people who had their e-mail accounts turned into spam-pots are unhappy with the database company? Yeah, me too.
Posted by Curt Franklin at 05:43 PM

July 21, 2004

Bagle times Three

The Bagle virus just gets more and more entertaining, with three variations launching since the weekend.

The variations seem to be getting worse as time passes. It's hard to know whether it's the natural evolution of programmers working on a theme or people doing systematic probes to see which attacks are successful quickly and on a large scale.

I don't think the two are mutually exclusive, and the paranoid part of me keeps looking for an attack that takes advantage of things that worm and virus writers have learned through the efforts of the last couple of years. One thing's for sure--if you haven't put a serious anti-virus, firewall, and IDS combination in place, it's time to get started.

Posted by Curt Franklin at 11:14 PM

July 19, 2004

The Game is Over

It's nice to know that the end of spam is at hand. Now that the good folks at the International Telecommunications Union (ITU) have decided that spam is a bad thing, I'm sure that the spammers will see the error of their ways and go back to less obtrusive ways of getting their message across--telemarketing, say, or trying to put the 937th blow-in card in your favorite magazine.

I suppose I should give the bureaucrats credit for trying to address the problem, but I'm not convinced that incredibly broad statements are the answer. "...there was widely held view that along with legislation, there was a need to deploy effective technical measures at the level of ISPs, carriers, mobile operators and end-users." Really?!? As my sixteen-year-old son would say, "No duh."

What we don't need is regulation on a global scale that tells us how to use e-mail. Spam is a PITA, and it takes some effort to knock it down, but that doesn't mean I need a trans-global sledgehammer protecting me from people who think my love life would improve if I just "gained confidence" by taking their little pills. The various levels of spam filters already make sure that I don't see nearly as many SPAM messages as I do ads for personal unguents on television, and I'm confident that SPAM will diminish as its effectiveness decreases. In the meantime, I think I'll just be grateful that happy, vague press releases are as much action as the ITU is likely to generate on this particular topic.

Posted by Curt Franklin at 10:19 PM

Another Little Phishy

OK, so maybe it's time to shelve the "my browser is more secure than your browser" arguments once and for all. Sam Greenhalgh has discovered a new phishing technique that uses cross-site scripting to successfully spoof either IE or Mozilla browsers. There are plenty of reasonable arguments to be made for one or another browser's superiority on performance, feature-richness, or functional bases, but the growing legions of script kiddies are going to do their best to make sure that no browser is immune from attack.

I think we're heading into a time when more and more folks are going to start looking for scapegoats for security problems like this one. Here's my nominee for the top of the list: Web site designers so eager to insulate users from the fact that they're using computers (rather than televisions with keyboards) that they sought out ways to keep information on which server was providing information to the user. Microsoft (and, frankly, every web-side technical committee) was more than happy to help since the result seemed to be more, and happier, web users. Now, though, the "happy user experience" chickens are coming home to roost with phish in their beaks.

Thanks to Larry Seltzer for the pointer to this one.

Posted by Curt Franklin at 09:51 PM

July 16, 2004

A Code with a Schmear

Doncha just love variations on a theme? There's a new variation on the Bagle virus floating around--time to make sure that your virus signatures are up to date. I can't help but think that there are a ton of script kiddies who could use a nice summer camp right now...

Posted by Curt Franklin at 03:50 PM

Wemoweh Code

Since many network security components work by identifying either suspicious behavior or known code signatures, how worried should we be about worms that sleep on our systems?

Part of me says that the possibility of malicious code, digital Manchurian Candidates that wait until a specific trigger is provided, is a good argument for checksumming every file on your system and doing a regular scan. The other part of me says to get real, and lose the paranoia. For now, keeping tabs on behavior is as good as it gets, but I've now got a new reason to pop awake at 0330 and stare at the ceiling. It's just what I needed.

Oh, yeah, if you're wondering about the title--go listen to "The Weavers at Carnegie Hall." All will be explained.

Posted by Curt Franklin at 03:07 PM
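The "checksum every file and rescan regularly" idea in the post above, combined with the earlier "When Hashes Collide" advice to prefer SHA-256 over MD5 once collisions are known, as an added example that is not part of the original blog: a minimal file-integrity baseline-and-rescan tool in Python. The directory layout, file contents and the tampering scenario inside demo() are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# SHA-256 rather than MD5/SHA-1: once collisions are practical, an attacker who can
# substitute a colliding file would pass an integrity check built on the weaker digest.
HASH_ALGO = "sha256"


def hash_file(path, algo=HASH_ALGO, chunk_size=65536):
    """Stream the file through the digest so large files need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record size and digest of every regular file under root, keyed by relative path.
    Symlinks are skipped so a link pointing outside the tree cannot be 'verified'."""
    root = Path(root)
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order gives stable manifests
        for name in sorted(filenames):
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"algo": HASH_ALGO, "size": p.stat().st_size,
                             "digest": hash_file(p)}
    return baseline


def save_baseline(baseline, manifest_path):
    """Write the manifest as JSON. Store it where the monitored host cannot alter it
    (read-only media, another machine); otherwise a tamperer just rewrites the baseline."""
    with open(manifest_path, "w", encoding="utf-8") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(manifest_path):
    with open(manifest_path, "r", encoding="utf-8") as f:
        return json.load(f)


def compare(baseline, current):
    """Classify paths as added, removed or modified (digest or algorithm changed)."""
    old, new = set(baseline), set(current)
    modified = sorted(k for k in old & new
                      if baseline[k]["digest"] != current[k]["digest"]
                      or baseline[k]["algo"] != current[k]["algo"])
    return {"added": sorted(new - old), "removed": sorted(old - new),
            "modified": modified}


def demo():
    """Constructed scenario: baseline a small tree, change it, rescan and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "init.d").mkdir(parents=True)
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "init.d" / "sshd").write_text("#!/bin/sh\nexec /usr/sbin/sshd\n")
        (root / "motd").write_text("welcome\n")
        manifest = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), manifest)

        # Simulated changes: one file appears, one is edited, one disappears.
        (root / "init.d" / "sleeper").write_text("#!/bin/sh\n:\n")
        (root / "init.d" / "sshd").write_text("#!/bin/sh\nexec /tmp/sshd\n")
        (root / "motd").unlink()

        return compare(load_baseline(manifest), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A real deployment would schedule the rescan and alert on any non-empty "added", "removed" or "modified" list; the baseline must be refreshed deliberately after legitimate patching, not silently.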

July 15, 2004

Set 'em up again...

Have you updated yet? If not, your computer, your family, and Western Civilization As We Know It may have only hours to live!! Yeah, it's time for the latest in the on-going series of Windows updates.

I know I shouldn't be flip about this--as far as I can tell, it really is important to put these patches in place if you're running a current-generation Windows system with current-generation IE. The problem is that I've got a couple dozen Windows machines here in my mini-swamp, and it takes a real chunk of time to update all of them. Oh, I know, I could just have everything auto-update, but the idea of letting someone else tell my computers when they're going to make changes to the operating system--well, it just makes me uncomfortable.

I've been looking at low-cost patch management solutions lately, but I keep feeling like there ought to be something better. So, help me out here--what are you using? I'd love to find a good open-source solution, but I'm not willing to take the "throw out all the Windows code and go to Linux" leap just yet. Until then, I guess I'll just keep complaining--and asking you for suggestions.

Posted by Curt Franklin at 11:26 AM

July 14, 2004

Thanks for being our guest, now strip...

I've just about decided that the perfect outfit for travel while flying is a hospital gown and shower slides. The question is whether that flattering and oh, so practical garb will become a requirement for corporate on-site visits, as well. It seems that the British Ministry of Defence has decided that Apple's iPod is a significant hazard to national security and will no longer be allowed into critical areas. It seems that people are beginning to notice that many modern products are able to connect to a computer's USB port and transfer data, often without requiring any notification of or permission from system administrators.

So why stop at iPods? We've already seen companies banning certain models of cell phone because of industrial espionage concerns. Why should running shoes, watches, or Swiss Army knives with USB dongles be exempted from the ban? As we build more and more intelligence into common items, the days of the gaping gown and flip-flops may not be far off.

The answer, of course, is for firms interested in security to do things like turning off plug and play functionality. Until they come to their senses, though, Lester Haines at The Register has come up with a list of sensible precautions.

Posted by Curt Franklin at 01:24 PM

July 13, 2004

One Piece at a Time

Sometimes, it's enough to solve one piece of the problem rather than waiting for the magic bullet that will make the problem disappear. Protecting your users against phishing attempts can be tough, since the design of pages (and facilities of browsers) can make it difficult to know which page you're actually viewing. I like a little IE add-in called SpoofStick that the folks at CoreStreet have developed and released for free download. It adds a small bar that shows where the web page is coming from--an interesting bit of information to compare with where you think you're browsing. Their page gives an example of how it works, it carries no spyware, and the price is right.

Posted by Curt Franklin at 10:03 AM

Security Threat Watch: Update

A note from this week's Neohapsis Security Threat Watch newsletter:
A lot of discussion this past week concerned the appropriateness of the Organization for Internet Safety (OIS), a vendor-formed organization meant to create a guideline for security vulnerability disclosure. OIS released a public invitation to review its latest guideline revisions, which raised various concerns by numerous security researchers. The largest concern seems to be the bias of the guidelines in favor of vendors and not security researchers or end users. For those interested in following some of the thread, the initial post is located in our archives.

Also, there was additional discussion on various Internet Explorer exploit derivatives that still seem to be functional, despite the application of the latest patches and hardening techniques. We feel that, as time progresses, the security liability of Internet Explorer will continue to increase.
Posted by bshimmin at 10:01 AM

July 02, 2004

Unsafe at any site?

Do you remember muscle cars? I know I had a serious case of the hots for a '71 Hemi 'Cuda when I was, oh, 12 years old or so. Detroit kept pushing large-displacement cars as far as they could go, and teen-aged boys loved them. Of course, the day came when the insurance companies (and the reality of gas prices) made them too expensive to own, and the genre died overnight. Now, of course, we have cars with better performance in nearly every aspect, plus enhanced safety and better fuel economy. Let's call it product maturity.

It's just possible that Microsoft's Internet Explorer will someday be seen as the Hemi 'Cuda of web browsers. The folks in Redmond have done an admirable job of building performance features into the world's favorite browser, but we keep being reminded that it can be expensive to operate. The latest reminder came in the guise of a CERT Security Alert that warned of ways in which hackers could cause malicious code to execute on a system in spite of existing security software. Wonderful.

Now, Microsoft has responded (after only three weeks), but it's a sure bet that thousands upon thousands of systems will remain unprotected for months to come. The question is whether it's time for IT managers to bite the bullet and switch to another browser.

I'm one of the strange folks who runs around with several browsers on my system. I've long been a fan of Mozilla (Firebird is my current favorite) and Opera has a lot to recommend it. Unfortunately, a lot of otherwise reasonable developers have decided to tie critical web application functions to IE features, so it's going to require a firm stand on the part of large organizations before things change in any meaningful way.

So what do you think? This blog is going to be a back-and-forth kinda thing, and I'm eager to hear you tell me why I'm entirely wrong. It's a holiday weekend, so blogging will be light until next week. Enjoy the fourth, and let me know what you want to see from me.

Posted by Curt Franklin at 01:16 PM

June 14, 2004

Hello from the NetSec show in San Fran

Dave Joachim here from Network Computing and Secure Enterprise magazines, coming to you from sunny San Francisco, where our NetSec conference kicked off today. As I write I'm enjoying a glorious landscape view of the Bay Bridge from my hotel room window. Yes, it pays to check in early.

I've had one of those marathon trade show days, evidenced by the layer of sweat covering my forehead. Back to back vendor meetings all day. I only had to fight back yawns during the last meeting. Not bad.

Anyone with even an ounce of claustrophobia will have a hard time of it here at the Hyatt Regency Embarcadero. The show floor is in the basement. The ceiling is low and the booths are all crammed together. It's manageable as long as you take frequent breaks outside into the crisp bay air.

The cross-country trip is proving worth it, though. Day 1 served me up some interesting characters from a range of security providers. I kicked off the day at Starbucks with Steve Schall of Nokia, sponsor of the first day's luncheon (thanks for the grub, Steve). He tells me there are more mobile devices than PCs attached to the Internet now, which certainly is fortunate for a company that makes cell phones and mobile security products. Steve got pretty jazzed talking about Nokia's SSL VPN product, which Nokia got working on a while ago when it realized that there would be a swarm of mobile devices coming into the enterprise, sanctioned and unsanctioned, and they would all require secure access to corporate data.

Nokia is using our show to tell the world that version 2.0 of its Secure Access System is available. It adds features called Single Sign-On and Configuration Replication. The first feature is pretty self-explanatory, but the second one gives IT guys and gals a way to set access configurations on one gateway and replicate those settings to other gateways.

I had some cell phone envy when Steve broke out his Nokia phone, which flips open to reveal a handy thumb keyboard. I've got one of those old Nokia brick phones, scarred by all the times I dropped it on New York City pavement.

I also met with Jesse Casman and Janet Hendrickson, marketing folks from a little startup called Tablus. It's one of a handful of new security vendors that focus on outbound content. Tablus's software, delivered inside an appliance, uses linguistics analysis to identify content that should not be leaving the enterprise, either for competitive or regulatory reasons. It's a passive system, in that it doesn't block the content; it only flags it for review. They told me of one customer who had an employee who forwarded his email to his AOL account during an outage of his email servers. Until his employer installed the Tablus Content Alarm (alarming name, no?) they didn't know that he had left the forwarding feature active for 18 months. Bad boy.

I got a kick out of the names of Tablus's competitors, including Vontu, Vericept, Vidius and Verdasys. It sure was smart of Tablus to pick a T name for differentiation.

Clearly the venture capitalists know something we don't about this outbound security stuff. They've apparently poured some $60 million into this category in the last year or so. It's not all that surprising when you consider all the regulations (Sarbanes-Oxley, HIPAA) that require greater accountability of information that goes out the enterprise door.

In other news, Cyber-Ark's Richard April showed me a new product called the Inter-business Vault. It's a way to set up an "instant WAN" to connect you with your partners. It's billed as an alternative to setting up a *real* WAN (expensive) or SSL VPN connections, which tend to be good for ad hoc, now-and-then file transfers rather than consistently large transfers of big files like CAD/CAM manufacturing drawings. In fact, Cyber-Ark makes special modules of the software for finance, manufacturing and source-code sharing. The last one is especially intriguing if you want to provide controlled access to offshore developers.

(We wrote about the Mohegan Sun casino's use of Cyber-Ark's Password Vault in April: http://nwc.securitypipeline.com/showArticle.jhtml?articleID=18901632 .)

That's about it for today. See you tomorrow. I'm gonna go wash the trade-show gunk off my face.
Posted by Dave Joachim at 07:42 PM

May 28, 2004

Secure World Expo, Lighter On Airlines, Same Tasty Content

This week’s Secure World Expo in Atlanta was an interesting show – the whole Secure World show model is to be a local show with national players. Companies and speakers were drawn from the local Atlanta area (for instance, local up-and-coming Lancope), but this didn’t prevent the show from having some pretty heavy content and relevant vendor booths. It definitely wasn’t huge, but it was nicely focused.


The presenters were also pretty good...

While I must make fun of any book entitled “Hacking for Dummies,” (what’s next? “Brain Surgery for Dummies?”) Kevin Beaver, the author, was at the show and did a very credible job of discussing WiFi security, recommending ways to avoid drive-bys, and talking about what you can do NOW to protect your WiFi network versus what’s going to be available soon.

The panels that I saw were kept honest by what Phil Agcaoili of Scientific Atlanta (both an independent speaker and a moderator) called “the Gong effect”. Market-speak was kept to a minimum, mostly, when moderators like Phil (a non-vendor) reeled ‘em in. Even one of the vendor panelists said reality-check stuff like “none of this stuff is going to do 100% of what you want.” (Of course, this was a guy with the most unlikely last name for engineer that I’ve ever heard, the Pivot Group’s Ed Sale.)

Infragard, the alliance between the FBI and private sector businesses, was there in force, as were other user groups such as the ISSA (the Information Systems Security Association), the NPA (Network Professional Association), and the IISFA (International Information Systems Forensics Association). Despite the overwhelming number of TLAs, business at these booths seemed to be brisk, with newcomers and battle-scarred veterans opining on various security topics.

Other stuff, overheard:

  • “If we came up with a product that went beyond 80% of your needs in patch mgmt, would you pay for it?” --Panelist replying to a feature request of an audience member. (Uh, try me, man.)

  • “I’m not so sure that IT should be acting like it’s HR.” --Joe Culpano from SolSoft. (Well said! I myself have seen the burn marks from IT managers veering into HR turf!)

  • “The underground isn’t releasing exploit code … they're holding on to it ... it’s worth money... Any [legal] restrictions on security research is not a good thing.” --Preston Futrell, ISS. (Scary, yet right on, man.)

Catch you all next time!

--Jonathan Feldman

Posted by Jonathan Feldman at 04:27 PM

May 21, 2004

Spam Chat Transcripts Online

Thanks to everyone who attended and contributed to our Spam Chats this week with Ron Anderson regarding his recent review of Anti-Spam hardware and software solutions. We've posted the complete chat transcripts from both sessions here. Enjoy.
Posted by bshimmin at 11:06 AM

May 20, 2004

Spam Chat Today

Hi folks. Today at 12:30pm eastern, please join Ron Anderson for a fireside chat on Spam prevention. You can ask him about his recent review, or you can ask him anything you like on the topic of squashing spam. The floor is yours.
Posted by bshimmin at 10:16 AM
