February 27, 2006
Hello!
Hi there, I just thought I'd drop in and let you know that Network Computing has a security editor again... Me.
You may have read some of my stuff when I was testing Storage and Servers, you may have even emailed back and forth with me about my quirky storage blogging. Or you may remember me as "That guy we fired for..." Oh, no, never mind. You wouldn't remember me as that.
Quick stuff about the guy that will be offering you security advice - I worked in IT in various roles (app dev, admin, architecture, management) and for various size companies (six-person startup to Fortune 1Ks) from 1991 to 2004, when I came on NWC staff full-time.
Security is both hobby and passion with me, and I've done it professionally too. I think that probably showed through when I took on the Storage Security topics last year - expect some more of that, I think Storage Insecurity is a better name for it, and I'd like to find viable ways for us to make it better.
I'm into things that allow us to remove the hardcoded usernames and passwords from our internally developed code, and things that control database access as much as I'm into IPS/IDS/NAC/etc. It should be interesting covering the gamut, because like most of you, when I was doing it I concentrated on the things we needed to get the job done, not the broad spectrum.
I won't ramble any more, I'll save that for after the next couple of weeks while I get my feet under me and get set up in my new role. I've got some storage articles to finish out, then you'll hear from me more.
Until then,
Don.
Posted by dmcvitti at
02:28 PM
February 06, 2006
It's a Mal, Mal World
Life used to be so simple. The golden days when a simple virus was all you had to worry about seem almost idyllic compared to the mean electronic streets that we walk today. I recently spoke with Shane Coursen, a senior technology consultant at Kaspersky Labs, about the once and future world of malware. You can hear the podcast here.
Thanks to everyone who sent in ideas for an end-of-year show. As you can tell, I missed the deadline for that, but I'll wrap the ideas into a review and prediction show in the near future. Don't let my somewhat overloaded schedule keep you from sending in ideas, though--there have been some great conversations resulting from notes listeners have sent in.
If you haven't already subscribed to the podcast, look over to the left, you'll find the link to subscribe to the Security Channel podcast. In addition, I'd like to ask a favor. Take a minute to drop me a note at cfranklin@cmp.com, and let me know what you'd like to hear in future podcasts. A podcast can be short or long, serious or amusing, hands-on or quite strategic. Let me know what you'd like to listen to, and we'll do our best to make it happen.
The music in this podcast is "Anubis Claws" from the album Aeonblue by subatomicglue. They release their music under a Creative Commons license--if you like the sound, head over to their web site and check out the rest of their music.
Posted by cfrankli at
11:03 AM
January 25, 2006
A Simple Message
I don't know about you, but I don't think I could work successfully without instant messaging. In an average day, I instant message with colleagues, contractors, vendors, and contacts throughout the industry. I'm not alone--survey after survey shows that employees are hooked on instant messaging as a way to keep in touch. From a security standpoint, of course, instant messaging comes with a pile of caveats. The open feeling that makes instant messaging so useful also makes it a huge security risk. The free and open dialogue it promotes can be antithetical to complying with regulatory separation between departments. Network Computing technology editor Mike DeMaria got together with me to talk about the possibilities and problems of using instant messaging in the enterprise. You can hear the podcast here.
It's the new year, and I have a huge backlog of interviews to get into podcasts, as well as a look back at 2005. Get ready for some rapid-fire podcasts as I work through the stack and get some solid information coming your way.
If you haven't already subscribed to the podcast, look around this page, you'll find the link to subscribe to the Security Channel podcast. In addition, I'd like to ask a favor. Take a minute to drop me a note at cfranklin@cmp.com, and let me know what you'd like to hear in future podcasts. A podcast can be short or long, serious or amusing, hands-on or quite strategic. Let me know what you'd like to listen to, and we'll do our best to make it happen.
Posted by cfrankli at
10:27 PM
January 04, 2006
WMF Woes? Patch Things Up (Unofficially)!
Worried about the WMF vulnerability? Secure Enterprise Magazine's Editor Mike Fratto has found two 'off the record' fixes that will do a good job of holding down the fort until Microsoft comes up with something more official. Mike explains:
While I am not in the habit of recommending unofficial patches, it seems like the WMF vulnerability is pretty nasty, so you probably want to spend some time testing and deploying the work-arounds. Simply blocking files ending in .wmf won't be enough because Windows handles WMF files based on file structure, not extension. Files ending in .jpg and .gif are just as likely to be WMF files as not.
Ilfak Guilfanov has put together a patch that SANS is endorsing as a viable short term solution until Microsoft comes up with something. F-Secure also has a workaround as well as a wealth of information from their own research and from others like SANS and Ilfak Guilfanov.
I have been using the SANS work-around for days with no ill effects and I, like others, have successfully tested the workarounds against working exploits as well as Metasploit's version.
Just remember to remove this patch -- if you use it -- prior to installing Microsoft's.
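The point above, that Windows decides a file is a metafile from its structure and not its extension, is the reason extension filters miss disguised WMF files. As an added example (not code from the original post, SANS or F-Secure), the Python below sniffs WMF data by its two documented header forms and flags files whose name says otherwise; all sample bytes are constructed for the demo.

```python
import os
import struct

# Documented WMF header constants: the Aldus "placeable" header starts with
# the little-endian DWORD 0x9AC6CDD7; the standard META_HEADER starts with
# Type (1 = memory, 2 = disk), HeaderSize (always 9 WORDs) and Version.
PLACEABLE_WMF_KEY = 0x9AC6CDD7
WMF_TYPES = {1, 2}
WMF_VERSIONS = {0x0100, 0x0300}
META_HEADER_LEN = 18  # Type, HeaderSize, Version, Size(4), NumObjects, MaxRecord(4), NumMembers


def is_wmf(data: bytes) -> bool:
    """True if the bytes carry a WMF header, regardless of file name."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_WMF_KEY:
        return True
    if len(data) >= META_HEADER_LEN:
        file_type, header_size, version = struct.unpack_from("<HHH", data, 0)
        return file_type in WMF_TYPES and header_size == 9 and version in WMF_VERSIONS
    return False


def sniff_type(data: bytes) -> str:
    """Classify content by magic bytes, checking WMF before the image formats
    an attacker would claim in the extension."""
    if is_wmf(data):
        return "wmf"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data.startswith(b"GIF87a") or data.startswith(b"GIF89a"):
        return "gif"
    return "unknown"


def flag_disguised(files: dict) -> list:
    """Return the names of files whose bytes are WMF but whose extension is not .wmf."""
    flagged = []
    for name, data in files.items():
        ext = os.path.splitext(name)[1].lower()
        if is_wmf(data) and ext != ".wmf":
            flagged.append(name)
    return sorted(flagged)


# Constructed samples (not real files): a placeable WMF, a standard disk WMF,
# and a minimal JPEG / GIF prefix for comparison.
PLACEABLE_SAMPLE = struct.pack("<I", PLACEABLE_WMF_KEY) + b"\x00" * 18 + struct.pack("<HHH", 2, 9, 0x0300) + b"\x00" * 12
STANDARD_SAMPLE = struct.pack("<HHH", 2, 9, 0x0300) + b"\x00" * 12
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 16
GIF_SAMPLE = b"GIF89a" + b"\x00" * 14

SAMPLE_FILES = {
    "holiday.jpg": STANDARD_SAMPLE,    # WMF content hiding behind a .jpg name
    "logo.gif": GIF_SAMPLE,            # genuine GIF
    "chart.wmf": PLACEABLE_SAMPLE,     # honestly named WMF
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(f"{name}: {sniff_type(data)}")
    print("disguised:", flag_disguised(SAMPLE_FILES))
```

A mail or proxy filter that applies this check to attachment bodies catches the renamed cases that an extension blocklist lets through.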
Posted by tlasusa at
11:56 AM
December 28, 2005
I Hear You Knockin', But You Can't Come In
Who gets in? Who's kept out? Those are the twin questions that frame network security. In this podcast I talk with Brett Helsell of Lockdown Networks about network access control--not the program put forward by Cisco (though we touch on that), but the very idea of controlling who comes into your network. You can hear the podcast here.
We're coming up on the end of the year, and I'd like to do a "Most Important Events in Security for 2005" podcast to wrap things up, and the time grows very short. Of course, it will be a lot more interesting if the items on the list come from you, rather than from me, so please take a moment to send an e-mail to cfranklin@cmp.com telling me about your nominee for the event or events that have had the greatest impact on security during this year. If you include your contact information, I might just call and include you in that year-ending podcast. I'll look forward to your comments.
If you haven't already subscribed to the podcast, look around this page, you'll find the link to subscribe to the Security Channel podcast. In addition, I'd like to ask a favor. Take a minute to drop me a note at cfranklin@cmp.com, and let me know what you'd like to hear in future podcasts. A podcast can be short or long, serious or amusing, hands-on or quite strategic. Let me know what you'd like to listen to, and we'll do our best to make it happen.
The music in this podcast is "Fresh Snow", courtesy of Derek K. Miller, whose work can be found at Penmachine. He releases much of his music under a Creative Commons license--if you like the sound, head over to the web site and check out the rest of his music.
Posted by cfrankli at
10:59 PM
December 01, 2005
From the Inside Looking Out--and In
The glamour in security is all about keeping the bad guys out. Statistically, though, more damage is wrought by supposed "good guys" whittling away at your network and data from the inside. In this Security Channel Podcast, David Lynch of Apani Networks talks with me about security from the inside. As things calm down (for those of us not in retail) towards the end of the year, it's time to think about our approach to security and ask whether we should be taking longer, harder looks at just how porous our defenses are from those whom we think we should be trusting. The answers, arrived at honestly, might have far-reaching effects on the way that our networks--and our security implementations--look. You can hear the podcast here.
We're coming up on the end of the year, and I'd like to do a "Most Important Events in Security for 2005" podcast to wrap things up. Of course, it will be a lot more interesting if the items on the list come from you, rather than from me, so please take a moment to send an e-mail to cfranklin@cmp.com telling me about your nominee for the event or events that have had the greatest impact on security during this year. If you include your contact information, I might just call and include you in that year-ending podcast. I'll look forward to your comments.
If you haven't already subscribed to the podcast, look over to the left, you'll find the link to subscribe to the Security Channel podcast. In addition, I'd like to ask a favor. Take a minute to drop me a note at cfranklin@cmp.com, and let me know what you'd like to hear in future podcasts. A podcast can be short or long, serious or amusing, hands-on or quite strategic. Let me know what you'd like to listen to, and we'll do our best to make it happen.
The music in this podcast is "Acid Trumpet" by Kevin MacLeod. He releases much of his music under a Creative Commons license--if you like the sound, head over to the web site and check out the rest of his music.
Posted by cfrankli at
11:12 PM
November 24, 2005
Certifiable Security
It's not like we don't have enough acronyms floating around our industry--acronyms for standards, technologies, product designations, and professional certifications. Add to that list the group of acronyms and names for product certifications administered by various groups and the alphabet soup gets truly thick and meaty. After getting Yet Another Press Release (YAPR) touting a product that had received FIPS and Common Criteria certification, I decided to ask just why someone not in government service should care about these pieces of paper. I ended up talking with Tom Gilbert of Blue Ridge Networks about his experience with the certifications and the process to get them. Now, his company makes products that come complete with press releases announcing government-related certification, so he can't be called an entirely neutral source, but I thought that the interview brought out a number of interesting points concerning certifications and whether (or why) you should care about them in private industry. You can listen to the podcast here. After you do, drop me a note (cfranklin@cmp.com) to let me know whether product certifications are part of the criteria you use when choosing which products to purchase and deploy.
If you haven't already subscribed to the podcast, look over to the left, you'll find the link to subscribe to the Security Channel podcast. In addition, I'd like to ask a favor. Take a minute to drop me a note at cfranklin@cmp.com, and let me know what you'd like to hear in future podcasts. A podcast can be short or long, serious or amusing, hands-on or quite strategic. Let me know what you'd like to listen to, and we'll do our best to make it happen.
The music in this podcast is "Anubis Claws" from the album Aeonblue by subatomicglue. They release their music under a Creative Commons license--if you like the sound, head over to their web site and check out the rest of their music.
Posted by cfrankli at
09:31 PM
November 17, 2005
A Look at OATH
I've heard it said that you can tell our industry loves standards because there are so many of them. I recently had a chance to sit down and talk with several representatives to OATH, the Initiative for Open Authentication. These folks are clear that they're not trying to become a standards body, but they are active in promoting standards that will allow authentication components from many different vendors to work together. I think it's an interesting idea, and an example of companies coming together due to economic necessity--their customers are demanding it--rather than from any sense of duty to an ideal. Regardless of the motivation, though, there are some great possibilities here for benefit to the customer, so I think it should be of more than a little interest. You can listen to the podcast here. After you do, drop me a note (cfranklin@cmp.com) to let me know whether you think we need more open standards in security, or if you think that standards are, themselves, security vulnerabilities.
If you haven't already subscribed to the podcast, look over to the left, you'll find the link to subscribe to the Security Channel podcast. In addition, I'd like to ask a favor. Take a minute to drop me a note at cfranklin@cmp.com, and let me know what you'd like to hear in future podcasts. A podcast can be short or long, serious or amusing, hands-on or quite strategic. Let me know what you'd like to listen to, and we'll do our best to make it happen.
The music in this podcast is "Rust" from the album Aeonblue by subatomicglue. They release their music under a Creative Commons license--if you like the sound, head over to their web site and check out the rest of their music.
Posted by cfrankli at
03:40 PM
November 03, 2005
What's the True Cost of Security?
There's something about economics that tends to act like the anti-coffee to most folks. Their eyes glaze over, the head starts to kinda bob back and forth, and before you know it they're snoring on the conference-room table. When it comes to security, we want to focus on the exciting, glamorous parts--the pen tests and intrusion prevention--while we ignore some of the things (like HR policies) that can have a huge overall impact. In this podcast, I talk with John Pironti of Unisys, who has spent a lot of time thinking about the economics of security. I was impressed because he's gone beyond the questions of cost (always the key to security business analysis) to talk about the issues of tangible economic benefit.
If you're still bruised from your last encounter with the budget committee, you'll want to spend some time listening to this podcast. This one goes a few minutes longer than our normal podcast, but I think the five extra minutes are well worth it. You can listen to the podcast here. After you do, drop me a note (cfranklin@cmp.com) to let me know whether you agree with the kind of analysis that John is applying to security.
If you haven't already subscribed to the podcast, look over to the left, you'll find the link to subscribe to the Security Channel podcast. In addition, I'd like to ask a favor. Take a minute to drop me a note at cfranklin@cmp.com, and let me know what you'd like to hear in future podcasts. A podcast can be short or long, serious or amusing, hands-on or quite strategic. Let me know what you'd like to listen to, and we'll do our best to make it happen.
The music in this podcast is "Bugeater" from the album Aeonblue by subatomicglue. They release their music under a Creative Commons license--if you like the sound, head over to their web site and check out the rest of their music.
Posted by cfrankli at
10:19 PM
October 27, 2005
What's in Your iPod?
I don't know about you, but I'm hooked on my iPod. I carry it with me when I mow the lawn, it's my soundtrack when the drive is more than about 10 minutes, and it keeps the outside world at bay when I'm working. I knew that, like most computing devices, the friendly little media players (and their associated software on your PC) carry a security risk, but I hadn't given a lot of thought to just what that penalty might be until I talked with Josh Daymont, director of security research at Secureworks, a managed security provider. Our conversation makes for an interesting interview (after a bit of a technical glitch on the first question). You can listen to the podcast here. After you do, let me know what kind of MP3 player you carry, and which piece of desktop media software is your favorite--it will be interesting to see what you're listening to.
If you haven't already subscribed to the podcast, look over to the left, you'll find the link to subscribe to the Security Channel podcast. In addition, I'd like to ask a favor. Take a minute to drop me a note at cfranklin@cmp.com, and let me know what you'd like to hear in future podcasts. A podcast can be short or long, serious or amusing, hands-on or quite strategic. Let me know what you'd like to listen to, and we'll do our best to make it happen.
The music in this podcast is "Bugeater" from the album Aeonblue by subatomicglue. They release their music under a Creative Commons license--if you like the sound, head over to their web site and check out the rest of their music.
Posted by cfrankli at
10:57 PM
September 30, 2005
Thinking About the Worst
Boy, let an unplanned series come to an end and things just go haywire. After a most interesting September we're back with another Security Channel podcast, this time on disaster preparations and business continuity. It seems to me that the most significant (and, by far, the most common) failure in responding to disasters is the basic failure of imagination; we just can't allow ourselves to imagine that the very worst could happen to our businesses and our families. This in spite of ample evidence that the very worst can, and will, happen to at least some of us in any given year. It's tough to think about, and can seem a true pain to actually plan for, but making preparations for the worst-case scenario can be a literal life-saver when that most horrible of times does come. You can listen to the podcast here. After you do, let me know what your worst-case preparations are like; if I can get enough, we'll do a series of podcasts on what responsible companies and individuals are doing to make sure that their lives and work continue when things get bad.
If you haven't already subscribed to the podcast, look over to the left, you'll find the link to subscribe to the Security Channel podcast. In addition, I'd like to ask a favor. Take a minute to drop me a note at cfranklin@cmp.com, and let me know what you'd like to hear in future podcasts. A podcast can be short or long, serious or amusing, hands-on or quite strategic. Let me know what you'd like to listen to, and we'll do our best to make it happen.
Posted by cfrankli at
12:02 AM
September 02, 2005
The Privacy Series Pauses
Our unplanned series of podcasts on identity theft and personal information safety wraps up this week. This has been a fascinating topic for me to explore, and I hope that you've gotten some useful information, but we're going to be looking at some other topics for the next few weeks. We wrap up with a good interview, though, with Mike Gibbons, who's vice president and general manager of Federal Security Solutions at Unisys. Mike had a long career at the FBI, and five years with one of the Big Five consulting companies heading up their security practice, so he's been chasing bad guys for a long time. His views on how companies should work with law enforcement, and what the future might hold for personal-information protection are interesting, and can be heard here, in this week's podcast.
If you haven't already subscribed to the podcast, look over to the left, you'll find the link to subscribe to the Security Channel podcast. In addition, I'd like to ask a favor. Take a minute to drop me a note at cfranklin@nwc.com, and let me know what you'd like to hear in future podcasts. A podcast can be short or long, serious or amusing, hands-on or quite strategic. Let me know what you'd like to listen to, and we'll do our best to make it happen.
Posted by cfrankli at
01:48 PM
August 19, 2005
I Gotta Be Me (and not You)
Our unplanned series of podcasts on identity theft and personal information safety continues this week. I wish I could say that I had carefully thought out a theme for the late Summer, but serendipity gets the credit--I'm just pleased to take advantage of the situation. I'm pleased because I think (occasional worm outbreak notwithstanding) that keeping customer information safe is the most significant issue in network security today. Frankly, the only other issue that comes close is infrastructure (switch and router) security, and you'll be hearing more about that from us in weeks to come. This week, I had a chance to interview David Zumwalt, the president and CEO of Privacy, Inc. David has some fascinating things to say about the topic, along with some solid tips for security professionals, and you can hear him talk about them here, in this week's podcast.
If you haven't already subscribed to the podcast, look over to the left, you'll find the link to subscribe to the Security Channel podcast. In addition, I'd like to ask a favor. Take a minute to drop me a note at cfranklin@cmp.com, and let me know what you'd like to hear in future podcasts. A podcast can be short or long, serious or amusing, hands-on or quite strategic. Let me know what you'd like to listen to, and we'll do our best to make it happen.
The music in this podcast is "Tito on Timbales" from Musica Unidos de Latino America. If you enjoy Latin music, there's some great stuff on their web site, along with links to order DVDs and CDs.
Posted by cfrankli at
04:11 PM
August 11, 2005
A Subtle Pattern Begins to Emerge...
You know, sometimes a theme is carefully thought out and planned, and sometimes it just happens. It looks like we've got one of the second sort of themes going on here, as we have the latest in an on-going series of interviews focused on privacy and data security issues. Of course, most of the security stories that have made headlines lately have been privacy and data security stories, so I suppose it's not a real stretch to see them here, but it's been fascinating to hear the different takes on the subject. This week's interview is with Dan Verton, author of The Insider: A True Story. He did research on a number of companies and reached some interesting conclusions; I think my favorite is that most companies have no idea where much of their data is stored at any given time. You can hear this and other observations here, in this week's podcast.
If you haven't already subscribed to the podcast, look over to the left, you'll find the link to subscribe to the Security Channel podcast. The folks who work behind the scenes here at nwc.com have done a super job making it possible for me to podcast, and I hope that you can take advantage of all their hard work. In addition, we're now listed in most of the major directories (including iTunes), so you should be able to catch the RSS feed in your favorite podcasting client.
The music in this podcast is "Polymorphic Journey" from the album Secret Journey by NumberSix. They're an Internet-savvy group, and you can find their album here. Give them a listen.
Posted by cfrankli at
12:17 AM
August 04, 2005
Keeping Identities Safe
Sorry for the delay in getting this week's podcast up, but I think it will be worth the wait, since we have a great interview on identity theft and what companies should be doing to keep their customers from becoming victims. Everything we're seeing in research terms shows that identity theft is a huge issue for customers, and that they're in the process of making it a huge issue for companies that do business on the Internet. Neal Creighton, CEO of GeoTrust, is the subject of this week's interview--take a listen here.
If you haven't already subscribed to the podcast, look over to the left, you'll find the link to subscribe to the Security Channel podcast. The folks who work behind the scenes here at nwc.com have done a super job making it possible for me to podcast, and I hope that you can take advantage of all their hard work.
The music in this podcast is "Polymorphic Journey" from the album Secret Journey by NumberSix. They're an Internet-savvy group, and you can find their album here. Give them a listen.
Posted by cfrankli at
12:59 PM
July 26, 2005
Security Through The Cycle
Let's see, we've had travel (to Chicago), testing (of fixed-point wireless systems), an industry name change (Longhorn becomes Vista), and continuing news of vulnerabilities and attacks. In the midst of all this, I had a very good conversation with Dr. Hugh Thompson, chief security strategist at Security Innovation. We spent some time talking about the state of security in general, with some special attention given to the things that application developers can do to build security into the software they're building. It was a good talk, and you can listen to it here.
I realize that I've been asking for comments when our comments section has been broken. Sorry about that--the web team is working to get things working again as soon as possible. In the meantime, feel free to send comments via e-mail to the address you'll find in my bio. Oh, one other thing; if you look over to the left, you'll find the link to subscribe to the Security Channel podcast. The folks who work behind the scenes here at nwc.com have done a super job making it possible for me to podcast, and I hope that you can take advantage of all their hard work.
The music in this podcast is "We Live as We Dream" from the album Secret Journey by NumberSix. They're an Internet-savvy group, and you can find their album here. Give them a listen.
Posted by cfrankli at
12:22 AM
July 13, 2005
A bit of Application Security
Well, we've managed to avoid being blown away by a hurricane or burnt to a crisp in the sun while on a roof, so I guess it's been a pretty good week. To top it all off, I had a very good conversation with Paul Henry, senior vice president of Cyberguard. We talked about a number of things, starting with the attitudes he's seeing from companies who are looking at application-layer security.
I've built a podcast on the interview. You can find it here and, as always, let me know what you think. Oh, one other thing; if you look over to the left, you'll find the link to subscribe to the Security Channel podcast. The folks who work behind the scenes here at nwc.com have done a super job making it possible for me to podcast, and I hope that you can take advantage of all their hard work.
The music in this podcast is "We Live as We Dream" from the album Secret Journey by NumberSix. They're an Internet-savvy group, and you can find their album here. Give them a listen.
Posted by cfrankli at
09:35 PM
July 06, 2005
Security Built In
OK, it's been a week since the last podcast, with a holiday and many hours crawling around on office-building roofs thrown into the middle. Fortunately, this is a solid podcast, featuring an interview with Kevin Kernan, CEO of Secure Software. The interview covers a lot of territory about information and network security, and should be interesting regardless of the type of products or approach you use for your organization's security.
You'll find the podcast here. Leave a comment, or drop an e-mail to let me know what you think of the podcast.
Posted by cfrankli at
09:02 PM
June 29, 2005
...and the Survey Says:
There's nothing like spending a couple of days crawling around on roofs and in attics (in June, and in Florida) to make you appreciate the concept of "inside". Add the "excessive rainfall" (a genuine National Weather Service term) that we've been getting for several days, and it's a good time to stay inside and get some work done. You'll see the reason for the outside work in a few weeks--it's for a review of fixed-point wireless networking that will be coming up in Network Computing. It involves testing out in the real world, and down here the real world includes high humidity, warm temperatures, and a fair number of insects, reptiles, and very swampy walking tours. We've just deployed the first of the free-space optical systems, and I get to spend a little time inside, at my desk, while waiting for some more stuff to arrive.
While I've been at my desk, I've seen all sorts of press releases, including two that caught my interest because they talk about surveys conducted on security-related topics. One came from The Conference Board, a business group that's usually in the news with their survey of consumer or purchasing agent confidence, and one came out of a gathering of CSOs in Chicago. Both point to the same conclusion from different angles: Our technology fixes for security are working pretty well, but the problems for which we don't have a good technology solution are cause for ever greater concern.
I've built a podcast on the two surveys. You can find it here and, as always, let me know what you think. There are some more great interview-based podcasts coming up, and some infrastructure changes that should let you subscribe to the podcast and have it arrive automatically. Cool stuff--just what we need as we enter the hot days.
Posted by cfrankli at
09:49 PM
June 21, 2005
Back from the Desert
Boy, it's been a busy couple of weeks, with travel (NetSec in Scottsdale was a killer conference at a great resort), getting ready for a huge test (fixed wireless networking), and several smaller tests in progress. Oh, yeah, we (CMP, that is) also started a daily video project that I'm contributing to. If you haven't seen The News Show, you should really check it out.
Now on to this edition of the blog and podcast. I had a chance to sit down with Rich Baich, CISO of ChoicePoint, and talk about what it takes to succeed as a CISO in today's environment. He's obviously put a lot of thought into the question, and his answers are a good starting point for anyone on the verge of adding a "C" level title to their security portfolio. You can grab the podcast here and, as always, let me know what you think.
Posted by cfrankli at
12:52 AM
May 26, 2005
The Threat from Inside
Sorry it's been a week since the last podcast, but it's been a full week, with plans for upcoming tests, new products to look at, and plenty of news on the security front to think about. I've got a couple of longer podcasts coming up--podcasts with interviews and other folks talking so you don't have to just listen to me--but until I get them finished I had some thoughts on one of the big news items of the last couple of weeks; the customer data theft that hit Bank of America and other financial institutions. The big thing about these thefts was that they were instigated by insiders--employees who should have known better. Take a listen to the podcast and let me know what you think. Is there a sure technology fix to the question of insider theft? Let me know your thoughts.
Posted by cfrankli at
08:21 PM
May 17, 2005
The Federation (Identity)
Tonight's podcast is about identity federation, and especially about IBM's latest announcements on the topic. Last week I had a chance to talk via phone with Joe Anthony of IBM, and he shared some of the things that he sees in the developing identity federation market. Now, I've seen enough people struggling with multiple computer-based identities to know that identity federation is coming, and ultimately coming in a big way. But I've also covered enough exploits and thefts to be more than a little apprehensive about pulling more and more identity value into data stores that we haven't learned how to--or been willing to--make truly secure from unauthorized access. If all the laws, regulations, and industry rules aren't enough to convince us to get serious about all forms of identity security, the knowledge that a single break-in could affect multiple corporations and a cascading universe of users should be the spur we need. Take a listen to the podcast and let me know what you think. Is your organization already implementing identity federation? I'd be very interested in hearing a real success story or two.
Posted by cfrankli at
10:06 PM
May 11, 2005
An N+I Interview
I promised more podcasting about the things I saw and heard at Networld + Interop, and I've finally shaken off the need to sleep (and catch up on work that was waiting when I got back) enough to get started. The podcast this time contains a confession and a look inside the sophisticated world of recording a podcast, but the focus is on a conversation I had with Jayshree Ullal, Senior Vice President of Cisco's Security and Technology Group. She had some interesting things to say--take a listen to the podcast and let me know what you think.
Posted by cfrankli at
10:11 PM
May 05, 2005
Winners from Interop
You know, this business of running on three hours sleep a night has considerably less charm now than it did when I was 25...anyway, I'm going to be doing more podcasts based on things I've done here at Interop, but I wanted to give a link to the winners of the awards I mentioned in the last podcast. You can find the full list of winners here. Take a look, and come back soon...some good stuff is coming in the blog and the podcasts.
Posted by cfrankli at
02:59 PM
May 03, 2005
From the Halls of Interop
This week, I'm out in Las Vegas at the Interop trade show, and the fun is just beginning. I plan to have some interesting news from the show floor, but first, I have to get there. Yesterday and this morning I've been listening to companies talk about their products as part of the Best of Interop awards program. I realize that most folks never get to enjoy a process like this, so I put together a podcast that lets you hear some of the process, and meet some of the people involved. Let me know what you think, and if there are any products or technologies you particularly want me to be on the lookout for here at the show.
At the very least, I'll be back tomorrow evening with news of who won--I'd be interested in hearing who you think should have won based on the pitches you hear in the podcast...
Posted by cfrankli at
01:11 PM
April 25, 2005
Taking Action against Attacks
How far should we go in defending our networks? Is it enough to stiffen our defenses and patch vulnerabilities, or should we actively pursue (through legal means, of course) those who work to usurp network resources and steal information? For a growing number of organizations, strengthening the bulwarks is no longer enough--it's time to treat network attackers like criminals.
In the course of the last week, I've had three separate conversations on this topic. One was with the executive director of a new organization called CIDDAC. They're trying to gather the data that law enforcement will require to go after phishing, re-direction, and other attacks. The other two conversations were with executives at Microsoft. The two, coming from different aspects of the security whole, had different takes on what their customers and partners were doing towards actively pursuing the attackers.
I think that we're going to hear more and more about companies and organizations teaming with law enforcement to pursue those who attack networks and customers. Take a listen to the podcast and let me know what you think.
Posted by cfrankli at
10:34 PM
April 23, 2005
It's Been Quite a Week
Sorry that I haven't blogged since Tuesday, but it's been quite a week. I flew up to Seattle, then drove out to spend the day with Microsoft on Wednesday. There are a number of things we discussed that you'll be seeing in future blog posts and Network Computing articles, and a pretty cool podcast that I'm putting together on the topic of aggressive responses to attacks--how (and whether) we enlist the help of law enforcement to try putting thieves and vandals in jail, rather than simply beefing up our defenses to keep them out.
The thing that I keep coming back to in discussions with companies (both vendors and users) is a profound change in the way we work with the "people" aspect of security. To this point we've heard more about the technology because, in many respects, technology is the easier problem to solve. Changing products is (relatively) easy; changing people's ingrained behavior is hard. Unfortunately, if we're going to make significant improvements in security, we're going to have to tackle the hard issues.
Posted by cfrankli at
03:21 PM
April 19, 2005
Old Enemies Come Back
Sunday night we were having dinner with some friends, a gathering that included someone who rides herd on the IDS at a Major University. Just as he got to the house, his phone started ringing--something was knocking a couple of key segments off the network. It turned out that a host on the network had been given a new dose of Sasser--and the result was an IDS log file large enough to choke servers, which cascaded down to sensors, which then caused problems in dealing with the issue. He took care of the problem in a few minutes, but there were more phone calls, and a renewed acquaintance with a problem we thought had been handled.
Now comes word from F-Secure that a new Sober variant, Sober.N, is seeding itself and spreading through infected .ZIP files. As I mentioned in the last podcast, attention to user training (Don't Open Unexpected ZIP Files) will be as important as AV signatures in stopping this one early. Beyond that, the renewal of old threats is a solid reminder that the early versions of these worms tended to be more proof of concept than serious damage attempts--the real payoff in terms of network damage is yet to come. We've been warned--let's get busy protecting our networks through technology and training.
Posted by Curt Franklin at
11:58 PM
April 15, 2005
Let's Get Serious
April has, so far, been a month of bad news in the computer security field as LexisNexis and MasterCard revealed that individual data had been released in system breaches. They're not alone, as we've found listening to the steady drumbeat of news stories announcing that data from various organizations has been released without authorization.
The fact is, after all the talk and all the legislation, we're still not taking security seriously. You can hear more about what we're not doing--and what we should be doing--at the podcast found here. Have a good weekend and, as always, drop me a line to let me know what you think.
Posted by Curt Franklin at
11:14 PM
April 12, 2005
Introduced to ISA Server
With ISA Server 2004 Enterprise Edition, Microsoft is trying to bring a number of performance and security functions together under a single management interface in a single product. They seem to have done a pretty good job on key portions of the task, if the demonstration we had in the Gainesville, Florida Real World Lab is any indication. We will, of course, reserve judgement until we've had a chance to put the product through its paces on our own, but the management interface, at least, looks quite good.
That management interface was, in fact, the only thing I saw today that gave me any pause. Is it possible to make a product too easy to use? The only worry I have is that, if the folks in the central network management group aren't careful about how they define privileges for admins at branch offices, a remote admin could wander over his head into security policies very quickly.
In addition to the demo, we were able to talk for a while, and part of the conversation makes up today's podcast, which you can find here. Enjoy and, as always, let me know what you think.
Posted by Curt Franklin at
10:05 PM
April 07, 2005
Mile-High Entry
Who would have thought that you could build a podcast and blog entry set at 35,000 feet over western Tennessee? Me, neither, but here it is. This time, I'm talking about a couple of tools, from Dymo, and Levenger that help us keep things straight in the lab. In all honesty, the tools' use isn't confined to the lab--I've used the tool from Levenger almost every day for over a decade.
After the tool talk, it's time to talk about fiber-optic cabling. I hear more and more companies using security as the primary justification for a fiber installation, so I feel comfortable putting it in the security channel. If you are looking at going the fiber route, then you really ought to consider all the different ways of pulling the fiber, including nifty methods like the one I've seen from Sumitomo Electric. They use compressed gas to blow the fiber through a special conduit, and the organizations I've talked with that have decided to use the Futureflex system seem pleased with the results. You can find the podcast with both of these sections here. I hope you enjoy it, and find a little bit of useful information inside.
Posted by Curt Franklin at
07:06 PM
April 05, 2005
There's Something About an Airport
I don't know exactly what it is, but something about spending time in a line of strangers, holding my boots and my belt in my hands leads me to thoughts about how to improve security. I think the time has come for companies to take the plunge into two-factor authentication and leave the abomination of "strong passwords" behind. You can hear me discuss my reasons for thinking this in today's podcast, which you can download here.
There's something new in this podcast--I'm spreading my audio wings a bit--so let me know what you think. Let me know, too, what you think about us setting up the RSS feed for the security podcasts so you can have them delivered fresh to your desktop when they happen. As I wrote a couple of entries ago, this is new to me, so let me know how I'm doing.
Posted by Curt Franklin at
05:26 PM
March 30, 2005
Security From Two Directions
Once more into the podcast, dear friends, as we consider a couple of products that have been the subject of recent conversations. The first is from Tizor. The TZX 1000 is an appliance that builds logs of database and application access across the network--an important issue if you're in an industry laboring under any of the many regulations requiring you to document who sees what in the corporate information realm.
The other product, from Permeo, is designed to enforce host-configuration policies on remote-access systems--even when the remote hosts don't belong to your organization. I've still got a few questions about this system, but it certainly looks like a promising entry in the remote-access market.
You can get today's podcast here, so take a listen. As always, let me know what you think--this is an evolving thing, so your opinions are very important to me.
Posted by Curt Franklin at
01:41 PM
March 28, 2005
Something Completely Different
Hey, everyone, let's try something new. I've become fascinated by the world of podcasting, so I thought it might be interesting to podcast some of my daily observations, and even some of the interviews that are part of my week. The experiment begins with my very first podcast--found here.
Now, the first few podcasts are going to be awfully simple--me and a microphone, as I try to screen out the noise of the switch that sits behind my head in the office. As I get a bit more comfortable with all this, they'll get more adventurous.
Let me know what you think about the podcast as a way to get information from my desk to your head. Let me know what you'd like to hear in future podcasts--right now, I'm especially excited about taking my PocketStudio to conferences and trade shows, to try to get some of our interviews and meetings in front of you.
This particular podcast? A look at two new options for dealing with SPAM. The two products come from two major industry players--the first from IBM and the other from Symantec. I'm all for anything that cuts down on spam--let me know if you want to know more about these products.
Posted by Curt Franklin at
08:57 PM
March 14, 2005
Web Application Threats for March
Application security vendor Teros has released a security threat bulletin for March 2005, available here.
The bulletin outlines a list of security vulnerabilities specific to web applications, such as cross-site scripting attacks as well as a list of security advisories for a plethora of applications including IE, PHP4 and Verity UltraSeek.
Posted by Lori MacVittie at
12:57 PM
March 07, 2005
Crypto-Panic Time or Not?
The recent release of a paper detailing the way that a Shandong University team found a significant flaw in the SHA-1 hash algorithm has caused major ripples in the cryptanalysis world, and it's time to ask whether the ripples will turn into major waves for folks implementing computer and network security. The answer depends on a couple of major factors--how far into the future you look when making implementation decisions, and how much security is enough for you and your situation.
First, understand what the paper said. One of the ways in which a hash function is evaluated is how much work it takes to find two different inputs that hash to the same result (a collision). For a 160-bit hash like SHA-1, the generic birthday attack finds a collision in roughly 2^80 hash operations, and SHA-1 was designed, and had been assumed, to offer no shortcut below that. The team at Shandong University found a method by which they could reach a collision in only about 2^69 hash operations.
Now, in realistic terms, that's still a lot of operations, and it's more than the average hacker is going to be willing to grind through in order to forge a piece of communication. For the short term, then, there's no need to panic. Over the longer term, though, there is more room for concern: a collision lets an attacker substitute one document for another under the same digest, which is exactly what digital signatures and integrity checks rely on SHA-1 to prevent.
The real problem is that the Shandong team's results show that there is a structural weakness in SHA-1, and now the likelihood grows that more issues can be found. Since more people are likely to be looking for problems that could very well exist, the result is a lack of confidence in SHA-1. It's time to start looking for a replacement.
Where are the replacements going to come from? NIST has four larger hash variants specified in its standards: SHA-224, SHA-256, SHA-384, and SHA-512 (the SHA-2 family). These are the most likely replacements in the near term, since their longer digests push the generic collision bound from 2^80 to 2^112 and beyond. The good news is that the science and art of cryptography keeps moving forward through research like that engaged in at Shandong University. The bad news is that, like all advances, there's going to be just a hint of a growing pain as we move the state of security forward. Get ready.
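As an added illustration (not part of the original post), the Python script below runs a generic birthday search against SHA-1 and SHA-256 with their digests truncated to 24 bits. The truncation stands in for a weak hash so the search finishes in a few thousand hash calls; the same search against the full 160-bit SHA-1 digest would take on the order of 2^80 calls, which is the bound the Shandong result lowered to about 2^69. The "msg-<n>" message format and the 24-bit truncation are choices made for this example.

```python
import hashlib
from typing import Dict, Optional, Tuple


def truncated_digest(hash_name: str, data: bytes, bits: int) -> int:
    """Return the leading `bits` bits of hash_name(data) as an integer.

    Truncating the digest stands in for a weaker hash: a birthday search
    on an n-bit value needs about 2^(n/2) hash calls, so 24 bits means a
    few thousand calls instead of the ~2^80 needed for full SHA-1.
    """
    digest = hashlib.new(hash_name, data).digest()
    return int.from_bytes(digest, "big") >> (len(digest) * 8 - bits)


def find_collision(hash_name: str, bits: int,
                   max_tries: Optional[int] = None) -> Tuple[bytes, bytes, int]:
    """Generic (algorithm-independent) birthday search for a collision.

    Hashes distinct messages until two share the same truncated digest and
    returns (first_message, second_message, hash_calls). The messages
    "msg-<n>" are a construction for this example, not real documents.
    """
    if max_tries is None:
        max_tries = (1 << bits) + 1   # pigeonhole: a collision is certain by then
    seen: Dict[int, bytes] = {}
    for i in range(max_tries):
        msg = b"msg-%d" % i
        h = truncated_digest(hash_name, msg, bits)
        if h in seen:                 # earlier distinct message with the same prefix
            return seen[h], msg, i + 1
        seen[h] = msg
    raise RuntimeError("no collision within %d tries" % max_tries)


def generic_work(bits: int) -> int:
    """Expected hash calls for a birthday collision on a `bits`-wide digest."""
    return 1 << (bits // 2)


if __name__ == "__main__":
    for name, full_bits in (("sha1", 160), ("sha256", 256)):
        m1, m2, calls = find_collision(name, 24)
        print("%s/24-bit: %r and %r collide after %d hash calls (expected ~%d)"
              % (name, m1, m2, calls, generic_work(24)))
        full_differs = (hashlib.new(name, m1).hexdigest()
                        != hashlib.new(name, m2).hexdigest())
        print("  full %d-bit digests differ: %s" % (full_bits, full_differs))
    print("generic attack on full SHA-1: ~2^%d calls; Shandong result: ~2^69"
          % (160 // 2))
```

Run it and the two messages it reports share a 24-bit prefix while their full digests differ; doubling the truncation width roughly quadruples the calls needed, which is the 2^(n/2) curve that makes the SHA-2 digest lengths a comfortable margin.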
Thanks to Bruce Schneier for following cryptography more closely than I do, and for explaining the intricacies without dipping more deeply into the math than is absolutely required. His free monthly newsletter is a must for anyone who wants to keep up with what's happening in cryptography and encryption.
Posted by Curt Franklin at
12:00 PM
March 01, 2005
XML Firewall Testing
Testing thus far is on schedule and going as usual. There are always guaranteed to be some problems along the way and this review is no exception to that rule. Luckily none of the issues have caused major problems and we've been able to work through them and continue testing.
Testing of DataPower and Sarvega is complete, with Reactivity being tested right now. Well, as soon as I stop writing this update and get on with it.
We've been able to add some additional scenarios to test for performance because of the limited number of participants, which has made things even more interesting. We're doing some single function testing against multiple features - encryption, signature verification, LDAP based authentication, etc... - that ought to provide some interesting comparisons.
That's on top of our wider spectrum of tests that include a full configuration to stop all the malicious traffic we're blasting at these devices.
Now it's back to the lab for more testing.
Posted by Lori MacVittie at
10:16 AM
February 23, 2005
The Baddies Stay Current
Give the virus baddies one thing: They keep up with current events. Two viruses making the rounds play off recent news events as part of the ploy to convince users to open the payload.
First, on February 22 the FBI took the unusual step of warning users that the agency does not send unsolicited e-mail to the public, in response to a virus that comes in a message claiming to be from the FBI with a request to answer a survey attached to the e-mail. This one works on making you feel that you've inadvertently visited an illegal site that's brought you under federal scrutiny--if you don't want to end up in the hoosegow, open the attachment. Needless to say, you shouldn't open the attachment.
Next in our current events report is the ever-popular "See Paris Hilton Nude" ploy, this time working from the recent hacking attack on Ms. Hilton's Blackberry. There are actually two viruses working this angle, a Sober.K variant, and an Ahker.C variety. Both are nasty, and each tempts you to either visit a site or open a file to fill your otherwise drab day with bodacious ta-tas. Needless to say, you shouldn't.
All of these viruses have moved to social engineering (Be Afraid! Be Excited!) to deliver their payload as a way around the generally improving state of virus protection. As always, a solid policy of not opening files if you didn't ask for them is a critical piece of virus protection.
Posted by Curt Franklin at
02:08 PM
February 16, 2005
Notes from the Lab
We've all heard about "security through obscurity", but working in labs has taught me that absolute clarity is much more secure than confusion when it comes to knowing which devices and segments are connected to the network. With that in mind, I've got nothing but great things to say about the Dymo RhinoPro 5000, a professional labeler that helps keep cables, ports, and devices straight when we're moving too many boxes around in the racks.
The RhinoPro 5000 fits into your hand (OK, it fits into MY hand), so it's easy to carry behind the racks when you need to label a cable that's already in place, or put an identifier next to a device port to help keep things in order. If you're doing things the way they should be done (labeling before installation), the 5000 has hot-keys for pre-formatted labels for wires and cables of various sizes, terminal blocks, patch panels, bar codes, and more. You can print the labels on a variety of different label stocks designed for flat surfaces, pebbled surfaces, and curved surfaces (like cables) of different sizes.
Now you have to understand that I'm a big fan of labeling things anyway, since I've seen far too many problems caused by the rather simple mechanism of plugging dead-end cables into active ports, or vice-versa. I've used other labelers (a Brother p-Touch sits on my desk), but I find that I really like the RhinoPro--it's the sort of thing that will end up in my tool bag next to the hand-held cable analyzer, multi-meter, and other layer-1 goodies.
This isn't to say that the RhinoPro 5000 is absolutely perfect. The rubber bumper that's supposed to protect against dings and scratches is a bit awkward for my fumbling fingers to move on and off, and I wish that the tape cartridges held more linear feet of mylar (or plastic, or nylon) than they do. These are small quibbles, though, and don't take away from the fact that this is a rugged-feeling device that is a major tool in achieving greater security through clarity.
Posted by Curt Franklin at
10:40 AM
February 15, 2005
Bill Gates Keynote at RSA
During his keynote today at the RSA Conference, Bill Gates quoted a Gartner report claiming that 75% of all vulnerabilities are application related. Mr. Gates then promptly blamed Microsoft's development tool customers for those vulnerabilities. Well judging by the rate of patches coming out of Redmond, I'd have to disagree. Perhaps the problem is a bit closer to home.
On a related note, Gates briefly described steps Microsoft is taking to provide more secure software such as code reviews, R&D security efforts and better processes. Perhaps XP SP2 is the fruit of that labor, but more needs to be done. Much has been said about how Microsoft is going to be a security company, and how the acquisitions of Giant (spyware) and Sybari (antivirus) are supposed to be positive indicators. But acquisitions, no matter how well placed, won't change Microsoft, the company. It will take a long time to convince anyone, especially me, that Microsoft is a security company.
Posted by Mike Fratto at
06:39 PM
Free Software at RSA
Recalling the days of big box software, Shavlik's marketing schtick is bound to be a hit, especially with the color blind.
Posted by Mike Fratto at
05:38 PM
RSA Protesters?
The crowd was unruly. Chanting and waving placards. While there was no violence, this motley crowd -- from Bluecoat -- made me just a bit nervous.
Posted by Mike Fratto at
01:02 PM
The Tags are Coming
I've been spending some time thinking about the whole topic of RFID and privacy, trying to sort out some of the conflicting claims about privacy versus security and institutional convenience. Now, I'm a reasonably serious privacy advocate--I think that we do, in general, have the right to be "left alone to be our potty little selves," as G.K. Chesterton put it. With that said, I had a recent conversation that left me more certain than ever that RFID is here to stay. What makes me say that? A billion dollars a year worth of cordless drills and miter saws.
I was at the annual meeting of the National Association of Homebuilders (NAHB) in Orlando when I ran across the Bosch Tool booth. In the middle of demonstrations of their latest compound miter saws (very nice tools) and electronic protractors (very cool if you're installing crown moulding), they were showing ToolWatch, third-party software that works with RFID tags implanted in power tools to keep track of when they enter and leave warehouses and job sites. According to the folks at Bosch, something like a billion dollars a year in tools walk away from jobs sites, never to be seen (by the contractors) again. That number is augmented by the tools that are purchased unnecessarily because no one knows to which job site a rotary hammer or nail gun has been sent.
Contractors have legitimate business concerns regarding stolen tools, and RFID seems to offer a reasonable attempt to slow the loss. Bosch recognizes that these concerns are sufficiently significant to drive tool purchases, so they are placing the tags inside tools at a price ranging from free to $5, depending on the tools and circumstances. Perhaps because the NAHB is made up of contractors, rather than framing carpenters, I didn't hear anyone decrying the loss of privacy that these RFID tags will carry along with the tool's serial number.
There are legitimate concerns about privacy and security attached to many on-going and proposed RFID deployments. We need to work hard to address the concerns, and should be more aggressive at encrypting sensitive information contained in the tags. The important issue, though, is that we do have to come up with solutions, because the economics of deployment are just too great to ignore. There are RFID tags in our future--let's just make sure that their deployment is intelligent and secure.
Now, let me tell you about this great 3.5 HP plunge router...
Posted by Curt Franklin at
10:39 AM
XML Firewall Testing
Part of our "Firewall Blowout" plan includes a thorough test of XML Firewalls. We tested XML/Web Services Security Gateways almost two years ago and the space has changed dramatically in that time. Not only did we see a lot of mergers and acquisitions (Actional and Westbridge merged, Digital Evolution acquired Flamenco Networks, Oblix acquired Confluent, and HP and CA acquired minor players), but we've watched the convergence of management and security, the deconstruction of pure firewall functionality into separate product lines, and the birth of the XML VPN.
So we're going to test again, this time with a focus on functionality and the accuracy of these products to effectively stop XML based attacks from reaching the Web Services they are designed to protect.
We've got our test gear configured and we're ready to blast myriad attacks at the devices in our Green Bay lab. Products are scheduled for testing starting next week, and we're excited to get our hands on them and start poking at them.
Posted by Lori MacVittie at
09:07 AM
Web Service Vulnerability Alert Service
Forum Systems has launched a first-of-its-kind Web services security alert service. Forum VulCon is an alert service focused on the growing category of XML/Web services threats. This is a FREE subscription that can be accessed via Web Services, of course, as well as an RSS feed.
Forum VulCon (for Web Service Vulnerability Containment) delivers up-to-date notification of XML- and Web services-related threats and includes suggestions for effective countermeasures. VulCon has already aggregated over 100 of these potential exposures to popular systems and applications.
As deployment of Web Services continues to expand from limited internal enterprise use to external services providing B2B integration and as fully functional on-demand composite applications, the risk associated with such services will continue to grow. VulCon is one method of keeping security and web services development personnel up to date and providing them with the information necessary to mitigate risk in a timely fashion.
Posted by Lori MacVittie at
08:24 AM
February 14, 2005
RSA Conference Survivor Kit
The RSA Conference has yet to kick off and already the attendee swag is pouring in.
Good PR is not dead at Vernier Networks. Just in time for the show, we received our Survivor kit.
The box contained everything an intrepid attendee needs: meds for our head after a day full of meetings (more to come), a water bottle to keep us hydrated and also a full bladder endurance test. And what is Survivor without disgusting food? That powerbar is at least as disgusting as a Madagascar hissing cockroach.
Posted by Tom LaSusa at
08:49 PM
January 13, 2005
Active Defense
A couple of days ago I attended one day of the Department of Defense Cyber Crime Conference 2005. I was only there one day because that was the only day they had sessions that weren't classified. That I was there at all, though, was a novelty, since this was the first time (in the four years of the conference) that they've invited anyone from the press. There were some interesting presentations (including one you'll hear more about by the general who's now in charge of all DoD computing), but like any conference, some of the most interesting information came when we were away from the conference sessions.
While eating lunch, I got into an interesting conversation with someone who works at a government computer forensics lab. I asked him how the forensics tools available to business compared, in features and function, to the tools he had at his disposal. He said that three years ago there was a huge gulf between the two, but that civilian forensics programs were catching up fast--and he gave the credit to Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA, and the other regulations that make IT executives crazy. The engineer said that the need to discover, with certainty, not just that corporate information had been taken, but who did the taking, and where they sent the information, was pushing business forensics to develop quickly, and in good directions.
When I talk about unintended consequences, most of the time I've seen something truly bad, but if SOX, GLB, HIPAA, and the rest can drive better tools into the hands of corporate information security professionals, maybe they weren't such bad ideas after all.
Posted by Curt Franklin at
11:36 PM
January 12, 2005
I Was Wrong
OK, so they got me. Only a couple of days ago I called up Airespace, then wrote here that any merger was a way off. Little did I know that the "way" was about 48 hours long.
Now that the merger has been announced, what is it likely to mean for customers (and potential customers) of the Airespace wireless networking system? The answer is going to depend on exactly what Cisco sees as valuable in the Airespace acquisition. Cisco has proven, in the way it handled the Linksys merger, that it's capable of allowing a company to continue to do business and trade on its own name while gradually becoming more thoroughly tied to the Cisco way of networking. Of course, they've also proven through purchases like Procket that a company can be swallowed by the big green networking company with nary a burp to mark its passing. So which is Airespace likely to be?
I suspect that the final result will be the Airespace line of Cisco wireless switches and access points. As I wrote in my earlier post, Airespace has wireless security technology that should be a super fit for Cisco's Network Admission Control (NAC) vision of network security. Depending on exactly how they play it, Airespace can add tools ranging from sharply improved wireless monitoring to robust user authentication and authorization to Cisco's device-oriented view of the network.
Of course, the merger marks a real opportunity for companies like Aruba and Trapeze, who can try to fill the OEM void that will be left by Airespace's marriage to Cisco. It will be interesting to see which of the remaining wireless switch companies will be the most aggressive in going after Airespace partners. As for me, I think I'll head back to the lab, and leave the rumor-wrangling to others...
Posted by Curt Franklin at
11:31 PM
January 07, 2005
Wireless Rumors
The security consolidation rumor-mill is at it again, this time renewing the notion that Airespace is about to be purchased by Cisco. I made some calls, and it seems like this is a rumor that's at the very least ahead of the facts--while they wrapped everything in standard "We can't confirm anything" language, I didn't get the impression that a purchase is happening in the next couple of weeks.
Don't get me wrong--an Airespace buyout makes some sense from Cisco's perspective. They've certainly shown no reluctance to buy good technology (Procket, anyone?) and some of the things Airespace has done would mesh nicely into Cisco's Network Admission Control (NAC) framework for network security. From the Airespace point of view, a purchase would make sense in terms of rewarding investors and employees, though they would certainly pay for the rewards in reduced independence and increased organizational overhead.
Airespace has a number of reseller deals with major networking vendors, and the rumored deal for Airespace to play a major role in Microsoft's new internal network has certainly increased the chatter factor about the company. I think it would be a shame to see Airespace sell out this early; they--along with Aruba and Trapeze--have helped push wireless networking security and performance much faster and farther than it would have gone had everything been left to the companies whose major stakes are in the wired network world. The time for consolidation and payoff is coming, but I hope it's later, rather than sooner.
Posted by Curt Franklin at
01:14 PM
December 15, 2004
They Just Keep Getting Bigger--Maybe
According to The New York Times, Symantec and Veritas are in discussions aimed at having Symantec purchase the company best known for its data backup packages. Like so many of these stories, there are obvious story lines, and those that are a little more subtle.
The obvious story line is that the number of players in the security market continues to decline as mergers and acquisitions continue at a goodly clip. There are, of course, aspects both good and bad to consolidation, but financial and market forces seem to be moving in the "fewer/larger" direction, so there's little constructive that I can say about it. The less obvious story line actually has more meat, in my opinion; security is gradually moving from asset protection to business continuity assurance.
Think about it: Most security is focused on keeping "the bad guys" from succeeding in their dastardly deeds. Business continuity doesn't really care so much where the threat comes from, it just wants to keep software, hardware, and data assets available and useful to the proper users. Assurance includes security, but doesn't stop there, extending to backup and restoration, disaster recovery, maintenance, regulatory compliance, and a host of other issues. At a recent conference I noticed more people handing out business cards that read "Data Assurance" or something similar, and it's a trend that can work for the security professional on a number of levels.
First, the change in scope can mean that you have meaningful control over more aspects of the network infrastructure, so that security stands a chance of being built into, rather than bolted onto, the network. Next, the greater responsibility can translate into larger budgets--seldom a bad thing in the corporate world. Finally, taking a broader view of assurance can make you much more effective in designing security--the extra work and responsibility can carry some solid professional benefits in horizon-broadening.
Posted by Curt Franklin at
08:28 AM
December 13, 2004
More Security Consolidation
The push to consolidation in security continued today as 3Com purchased IPS vendor TippingPoint ** for somewhere in the neighborhood of 430 million dollars. According to the announcement, TippingPoint will continue to operate as a separate division of 3Com, with its headquarters remaining in Austin, Texas.
So what does this mean to the world of security? In one sense, it's just the latest step in the march of security to the network infrastructure. Cisco is the loudest voice talking about the virtues of tying security to the switches and routers at the core of the network, but it's far from the only voice. With this acquisition, 3Com has put some serious money behind this kind of talk, and it's reasonable to expect that they will ultimately tie the products together more closely. There's no surprise in this, but I do think there's good news for security-conscious folks in the small- to medium-business category.
While most of the companies talking about security and the infrastructure have been focusing on products in the enterprise space, 3Com has built a reputation in the SMB market over the last few years. 3Com has also been introducing more products aimed at security, so the company has obviously seen an opportunity to make a market within security-conscious SMB I.T. folks. This is great news for those who have significant concerns about security within smaller companies. TippingPoint is a very solid IPS product (as I found when performing tests for an IPS review that will appear in Network Computing in January), and linking the thinking with 3Com's presence in the SMB world should mean nothing but good things for migrating security capabilities down-market.
I'm looking forward to seeing how 3Com works with TippingPoint as part of the corporate fold. If today's purchase means that a 200-seat business can get serious intrusion analysis, detection, and prevention, then this is good news for the networking community. I'm going to remain optimistic at this point, but I still have some phone calls to make--I'll let you know more after I have a chance to talk with the folks at 3Com and TippingPoint.
** In the original version of this post, CheckPoint was erroneously identified as the company purchased by 3Com. Thanks to alert readers who pointed out the error.
Posted by Curt Franklin at
02:09 PM
November 16, 2004
From mergers and acquisition to convergence
Less than a month ago Actional and Westbridge Technologies merged into a single entity doing business as Actional. Less than 6 months ago Digital Evolution acquired Flamenco Networks. Yesterday the convergence of Web Services management and security showed itself with the announcement of Actional's SOA Command and Control Platform and Digital Evolution's XML VPN.
While the products from Actional and Westbridge remain separate entities, the Command Control platform provides a unified management console enabling control over the tight integration between the two products as well as centralized operational and policy control.
Following closely on the heels of the Digital Evolution acquisition of Flamenco and its subsequent new product announcement, the Actional announcement follows the trend within the SOAP and XML security space to converge with the management space - in one way or another. While the two entities have taken different approaches, both are heeding the call of enterprise network and security needs by providing better integration and definition of responsibility of the two complementary but sometimes competing technologies.
Digital Evolution has introduced its XML VPN, the first product to bear the moniker of what will likely be a common term in the coming year. The concept is hardly new, but Digital Evolution is the first to use the terminology to clearly describe what its new product is designed to do. The XML VPN Controller provides central policy and rights management and transaction auditing services for an XML VPN Environment. It is available as software for deployment by a VPN provider.
Posted by Lori MacVittie at
09:32 AM
November 09, 2004
CSI Show BlogReport
Like any self-respecting New Yorker, I'm still recovering from the Massacre of Nov. 2. My Manhattan neighbors chose regime change nearly 9 to 1, so at least I've had plenty of shoulders to cry on--that is, until my employer sent me to the epicenter of presidential politics, Washington, D.C., for the Computer Security Institute conference this week. Sure, the District of Columbia is mourning the loss on the same scale that the Big Apple is, but I would have preferred to experience all the stages of loss before confronting live images of the White House and the Capitol dome.
Ah, well. I'll have to distract myself with discussions of vulnerability assessment, policy management, configuration management, anomaly detection and, perhaps most important, regulatory compliance.
The day started with a keynote address by Frank Abagnale, the onetime con artist and check forger immortalized by Steven Spielberg and Leonardo DiCaprio in the 2002 film, "Catch Me If You Can." His stories elaborated on many incidents depicted in the movie--how he learned all that aviation and medical jargo