February 06, 2008
Europe: For All Your Spam Needs
Posted By
Tom LaSusa
at 08:04 PM
Europe has been taking the lead in several areas of technology lately. The European Space Agency (ESA) will be the first to send an unmanned cargo ship to the international space station. London will be Europe's first city to get A380 Airbus service. Now Europe claims another "accolade" -- Symantec says it's responsible for most of the spam sent worldwide. I guess two outta three ain't bad.
January 23, 2008
Leaky Nuke Lab Is Poor Endorsement For A Security Product
Posted By
Andrew Conry-Murray
at 12:45 PM
A new startup has licensed technology from Los Alamos National Laboratory to help enterprises respond to security incidents. But does the company really want to be associated with a lab that routinely mishandles nuclear weapons secrets?
January 14, 2008
Keeping IT Awake All Night
Posted By
Mike Fratto
at 03:51 PM
The SANS Institute’s Top 10 Menaces of 2008, developed by a panel of security experts, predicts key threats in 2008. While some threats have been with us for some time, like Web-based attacks, spyware, bot nets, and insider problems, the difference is in the sophistication of the attacks.
November 20, 2007
CA Gets A Gateway To SOA
Posted By
Andy Dornan
at 05:32 AM
CA has launched a SOA Security Gateway, part of its IAM (Identity and Access Management) r12. The announcement brings CA into head-on competition with vendors including IBM and Cisco, though it doesn't really represent another player in the market, as much of the technology comes from an OEM deal with Web services security vendor Vordel.
October 19, 2007
Leveraging Your Infrastructure
Posted By
Mike Fratto
at 05:28 PM
NAC deployments often require more integration than seen at first blush. Especially when the NAC products don't meet with expectations. Take user login/log-offs that were a problem I mentioned in my review of ConSentry's product. There are ways to mitigate problems or bolster your NAC deployments using features you already have.
September 19, 2007
The Insider Threat Is Greater Than You Might Think
Posted By
Mike Fratto
at 01:47 PM
Dr. Eric Shaw's Tuesday keynote at the MIS Training Institute's IT Security World Conference 2007 is a sobering presentation about the underlying causes of and dangers in mishandling the rogue or disgruntled employee.
August 16, 2007
Breach Notification Service is a Bad Sign
Posted By
Andrew Conry-Murray
at 04:26 PM
You know data security breaches are way too common when a company builds a business around customer notification of stolen information.
July 25, 2007
Pointing fingers
Posted By
Jordan Wiens
at 10:01 PM
Momma always said every time you point a finger, three more are pointing back at you. Well, there was a lot of finger pointing going on the last few weeks between IE and Firefox over a vulnerability in URL handlers, and a recent twist continues to stir things up.
July 20, 2007
$28 Million for an Old Idea—Part 1
Posted By
Andrew Conry-Murray
at 01:04 PM
You have to admire the chutzpah of startup Palo Alto Networks. The company has raised $28 million to sell a "next-generation" firewall based on ideas that are 20 years old.
July 19, 2007
Would You Get Hooked By A Phisher? Test Your Smarts
Posted By
Tom LaSusa
at 04:47 PM
Think you're too smart to get duped by a phishing scam? Are you absolutely certain you'd be able to recognize an authentic site from a scam? The anti-virus experts at McAfee aren't as convinced, and so they've set up an extremely interesting interactive quiz. The test consists of ten questions, eight of which include screenshots of both a real version of a website and a phisher's dupe. All you have to do is click on which one you believe is the valid site. At the end of the test you'll get your score.
June 05, 2007
Podcast: IronPort's Scott Weiss
Posted By
Tom LaSusa
at 01:30 PM
The CEO of IronPort Systems talks about his company's acquisition by Cisco and why he sees no end in sight to the problem of spam.
May 29, 2007
Google Hacked... by Google?
Posted By
Jordan Wiens
at 02:17 PM
Google Hacking is the popular sport of using Google's giant cache and index to discover files or applications that the administrators might not have realized were public. There are whole databases (Johnny Long maintains the most well known) that track fun search phrases to use, but it looks like Google themselves may have been bitten.
May 23, 2007
Microsoft TCG/TNC Announcement
Posted By
Mike Fratto
at 09:02 PM
While at Interop, I had the chance to talk to Stephen Hanna, Distinguished Engineer at Juniper and Co-chair of the Trusted Computing Group Trusted Network Connect working group and Paul Mayfield, Group Product Manager for Enterprise Networking.
(now you see why I do print)
May 22, 2007
It's all about the policy
Posted By
Mike Fratto
at 05:28 PM
The Trusted Computing Group Trusted Network Connect published Microsoft’s Statement of Health protocol (SoH) which lets NAP clients send health information to a Policy Decision Point (PDP)—the server that makes a decision based in whole or in part on the host health.
May 15, 2007
He-Said/He-Said: Open Source 802.1X
Posted By
Rich Karpinski
at 12:34 PM
Over in NWC News Analysis, we covered the formation of a new group to build an open source 802.1X supplicant. The group, called the OpenSEA Alliance, is working to develop an open-source 802.1X supplicant (a client implementation) to ensure a standards-based implementation and speed industry adoption, they said.
Our editors have varying opinions on the move:
May 02, 2007
See no vulnerabilities, hear no vulnerabilities
Posted By
Jordan Wiens
at 09:34 PM
Yesterday, Computerworld reported on a Gartner tidbit that "QuickTime Vulnerability Exposed by Contest Poses Wide Risk". I'm in complete agreement with the title. The QuickTime vulnerability is indeed a pretty nasty one. It impacts both Mac and Windows (including Vista!) machines with any web browser as long as Java and QuickTime are enabled and installed. Pretty bad combination.
April 27, 2007
Skip a security check, do not pass go, go directly to suspension
Posted By
Jordan Wiens
at 01:44 PM
A University of Portland student was suspended for writing a program to bypass the Cisco Clean Access NAC system on campus. Apparently this incredibly dangerous activity is a Patriot Act violation. Or, at least, it is if you believe the letters being sent out by the administration at UP, who seem to be confusing "skipping security checks" and "hack into a licensed product".
April 21, 2007
Mac Attack
Posted By
Jordan Wiens
at 02:27 AM
Security in OS X is a pretty interesting topic to watch on the web. For every stereotypical Mac user, perfectly smug in the invulnerability of their operating system of choice, there is a detractor who claims Macs only seem secure because nobody uses them and thus nobody tries to break their security. The truth, as is usually the case in such things, surely lies somewhere in between.
April 03, 2007
Is Cobia Open Source?
Posted By
Jordan Wiens
at 11:57 AM
Thomas Ptacek challenged Alan Shimel recently on whether StillSecure's Cobia™ Unified Network Platform™ is really Open Source. Alan's response is that essentially most folks only care that open source means free, and the source code comes with it. After all, that is the obvious definition of the term without knowing the back history. It's not, however, the actual, accepted definition of the term. See the FSF's discussion of the two terms for a bit more background on "Free Software" and "Open Source".
April 02, 2007
Web 2.0 Inherently Insecure?
Posted By
Jordan Wiens
at 12:57 AM
When I first heard a number of claims that AJAX applications were inherently more insecure than standard web applications, I thought that was ridiculous. After all, as long as you don't do anything stupid like do validation of user input only on the client, what would you have to worry about?
While on one level that may be true, it looks like in the general case I was wrong. Splitting web applications into two distinct programmatic components, one that runs in the browser and one that runs in the server, is more complicated (at the very least you've got to be proficient now in two different languages), and there are definitely new types of vulnerabilities that are specific just to AJAX applications.
March 23, 2007
Hacking Intranets
Posted By
Jordan Wiens
at 05:45 PM
If anyone is interested in the Hacking Intranets presentation I gave this week, video (with very poor audio quality, unfortunately), slides, and the demo code are available online. I'm not super-pleased with the results as I think I tried to cram too much information into too short of a time-frame (especially when 15 minutes were subtracted from the length I had to present in!), but the takeaway of how easy it is to use web browsers to hack intranets is worth reiterating.
March 18, 2007
No cookie for you!
Posted By
Jordan Wiens
at 08:13 PM
In preparation for my upcoming presentation on web security and abusing browsers, I was going over the long list of protection measures that either aren't in place, or don't work against the potential threats, when I stumbled across one bright spot in an otherwise bleak landscape.
March 15, 2007
Infosec World 2007
Posted By
Jordan Wiens
at 04:21 PM
I'll be making a very brief appearance at Infosec World next week. If anyone's planning on being there and would like to stop by and say "hello", I'm unfortunately presenting at 8:30 on Tuesday, and leaving just after my talk. Still, if for some odd reason you've got a burning desire to see how young I really look in person (Answer: I'm 27 and walking around campus where I work, I'm regularly mistaken for a freshman), here's your chance to find out.
I realize that might be an early talk for those west-coasters still not used to our EST sunrise, but I can promise you the demo for the talk will be entertaining. I won't be presenting any earth-shattering attacks, mostly things that those on the cutting edge of web security are familiar with, but the hands-on examples should be a lot of fun.
March 14, 2007
OpenBSD Remote Exploit
Posted By
Jordan Wiens
at 02:40 PM
OpenBSD is usually touted as one of the most secure networked operating systems. Of course, part of that reputation was gained because for years it's disabled unnecessary services (or even sometimes mostly necessary ones -- like SSH) by default. Still, defaults aside, OpenBSD.org has for many years now had the tag-line, "Only one remote hole in the default install, in more than 10 years!" Just in the last few days, however, that tag-line has changed. The count's now jumped to two remote holes in the default install.
March 08, 2007
Spam/Not Spam
Posted By
Sean Ginevan
at 10:32 AM
Verizon recently won a lawsuit against SMS spammers.
As e-mail providers, ISPs and enterprises have cracked down on e-mail spam, spammers have looked toward other mediums including instant messaging (discussed in Mike DeMaria's article this month on IM security appliances) and SMS.
Carriers have been cracking down on SMS spam as of late, with some unintended consequences.
In our preliminary testing of Mobile Device Management software for the April 30th issue of Network Computing, two vendors found that SMS messages, sent via e-mail and used to reach mobile endpoints, were being rejected by some carriers (presumably as spam). The same messages sent to other carriers, however, worked fine.
Organizations that use SMS, especially via e-mail gateways, for enterprise applications may look to conduct monthly tests with all possible messages to ensure that messages aren't rejected in the fight to prevent SMS spam.
February 22, 2007
Default passwords and how not to do it
Posted By
Jordan Wiens
at 02:18 PM
A recent discussion about a Cisco speakerphone vulnerability reminded me this is far from the first time Cisco's had password problems. You'd think a company that has spent so much on security branding and indeed is recognized as the first company that "comes to mind as a Networking Security leader" in six of their eight target locales (7th in Japan, 5th in China, first in US/CAN, UK, Germany, France, Italy and India -- data courtesy Cisco Systems), they'd be a bit more careful about getting the basics right.
February 13, 2007
For Hackers, By a Hacker
Posted By
Jordan Wiens
at 10:32 AM
It can sometimes be challenging to convince folks that Network Computing is serious about the motto, "For IT, By IT" (see banner, two inches to the right). It's not just a nice sounding phrase, but a major cornerstone of the philosophy of the magazine.
When I started covering the security beat, the most important challenge was learning the ins and outs of the magazine, working on my writing and other skills, not so much learning the technology. Security isn't just something I write about, it's what I do on a day-to-day basis.
February 12, 2007
Extrusion Protection Heads for the Desktop
Posted By
Andrew Conry-Murray
at 01:24 PM
Extrusion protection is heading for the desktop. Once defined by gateway appliances that monitored Web, e-mail and IM traffic for sensitive information that might be slipping out of the enterprise, a new crop of products puts an agent directly on the desktop to plug potential leaks.
February 09, 2007
Cisco Trust Agent not going open source
Posted By
Mike Fratto
at 02:21 PM
According to Neil Wu Becker, PR Manager, Security, for Cisco, "Cisco is NOT open-sourcing CTA, nor do we have any plan to do so. We're not even considering it -- it's not something on our radar and it's not a pressing issue on our agenda."
February 05, 2007
"Real World" Security
Posted By
Jordan Wiens
at 10:35 PM
As I traveled out to San Francisco for RSA 2007 I was again struck by how, in many ways, the "real world" could use a security refresher. There are a number of examples where security researchers have exposed flaws in physical systems simply because they applied the same critical eye that they're used to using in their electronic analysis. Matt Blaze's research on master keyed locks is one example, along with the Princeton group who found both physical and software security flaws in Diebold voting machinery.
To that end, I'd like to propose my list of obvious real world security flaws:
February 04, 2007
Fixing DHCP NAC Enforcement
Posted By
Mike Fratto
at 05:16 PM
Extreme's ExtremeXOS 11.6, available on the X450 and BlackDiamond switches, is getting an uplift that starts to make DHCP NAC enforcement comparable to 802.1X for enforcement. The feature enhancement tracks DHCP leases as they are handed out and applies ACLs on access ports. Extreme has a solid foundation that enhances NAC DHCP enforcement, but needs to work on a few niggling but critical details with handling mobile computers before it is truly enterprise ready. DHCP lease awareness is not new. Cisco has a feature in IOS 12 called DHCP Snooping and IP Source Guard that offers similar functionality. Switching software from other infrastructure vendors, like Foundry Networks and Nortel, also has DHCP snooping features.
January 27, 2007
Extended Validation Certs don't help
Posted By
Mike Fratto
at 01:20 PM
There has been a lot out about the upcoming CA/Browser Forum’s Extended Validation Certificates. The certificates are supposed to increase users' confidence that a web site is legitimate and are also supposed to stop phishing.
January 04, 2007
Cisco Gets 2 for 1 with IronPort Acquisition
Posted By
Andrew Conry-Murray
at 03:54 PM
Cisco Systems tapped into two robust markets—anti-spam and messaging compliance—with today's $830 million acquisition of IronPort.
December 12, 2006
Info Leak Prevention for the Mid Market
Posted By
Andrew Conry-Murray
at 09:07 AM
Code Green Networks is launching an information leak prevention appliance for the mid market. The appliance sits at the boundary of the internal network and monitors e-mail, Web mail, HTTP and FTP traffic for sensitive corporate information.
December 06, 2006
Security Podcast -- Week of 12/06/06
Posted By
Tom LaSusa
at 04:10 PM
Join Curt Franklin in this Radware sponsored Security Podcast. This week's podcast includes security news; The Worldwide growth of Spyware and Adware; Detecting and Defeating Rootkits.
November 20, 2006
Security Podcast -- Week of 11/09/06
Posted By
Tom LaSusa
at 05:14 PM
Join Curt Franklin in this Radware sponsored Security Podcast. This week's podcast includes security news, a security feature: CSI Trendspotting (part one of a two part series), and a security product review: Reflex Disknet Pro.
Interview With Blue Lane President & CEO Jeff Palmer
Posted By
Tom LaSusa
at 05:11 PM
Andrew Conry-Murray interviews Blue Lane's President & CEO Jeff Palmer. Palmer explains the company's appliances, which sit inline on the network and emulate security patches on real-time traffic to protect servers until the patch is installed.
November 17, 2006
What NAC Doesn't Solve
Posted By
Mike Fratto
at 03:34 PM
Is it too early in the NAC space to start talking about revolution or evolution? Maybe. But there are some interesting changes going on. The whole of NAC has really been centered around assessing an endpoint's health and making an access decision like granting access or enforcing quarantine. That's all well and good, but really, you're protecting the network from an infected or malicious host. It's not really access control.
October 31, 2006
Security Podcast - October 31, 2006
Posted By
Tom LaSusa
at 02:35 PM
This Week's Network Computing Security Podcast is brought to you by Radware.
Join Curt Franklin as he reviews the Kingston Data Traveler Secure and discusses Strategic E-Mail security.
October 26, 2006
Bye-Bye Independent Managed Security Providers
Posted By
Andrew Conry-Murray
at 09:03 PM
BT bought Managed Security Services Provider (MSSP) Counterpane this week for "tens of millions of dollars," according to Chuck Pol, president of BT Americas.
October 18, 2006
Teaming up for Leak Prevention
Posted By
Andrew Conry-Murray
at 02:30 PM
Major vendors are partnering with start-ups in the emerging Information Leak Prevention (ILP) market to spice up their products and tap into compliance dollars.
October 03, 2006
Barracuda Networks Responds
Posted By
Andrew Conry-Murray
at 11:22 AM
The following post contains the correspondence between Barracuda Networks and Frank Bulk in response to Frank’s blog on Barracuda’s representation of its Spam Firewall e-mail capacity.
October 02, 2006
Truth vs. 'Truthiness' in Vendor Claims
Posted By
Andrew Conry-Murray
at 04:33 PM
Veteran IT buyers know that vendor promises about performance or capacity tend to be aspirational rather than factual. But Barracuda, maker of the Network Spam Firewall, has stooped to a new low: eight times lower, that is.
September 06, 2006
NAC/NAP: A House of Cards?
Posted By
Mike Fratto
at 10:38 AM
Is the new Cisco NAC/Microsoft NAP Interoperability Architecture partnership a harbinger of things to come? Is this the situation that NAC vendors have feared (or welcomed, depending on your point of view)? It certainly is an ambitious partnership and if successful, will change the shape of the NAC market and, more importantly, your deployment options.
August 23, 2006
IBM Acquires ISS for MSSP Biz
Posted By
Andrew Conry-Murray
at 02:07 PM
IBM today announced it will acquire security vendor ISS for approximately $1.3 billion. ISS made its name selling intrusion detection and prevention products, but Big Blue snapped up the company for its managed security services portfolio.
August 17, 2006
But Will It Match My Tinfoil Hat?
Posted By
Andrew Conry-Murray
at 11:44 AM
A new line of wallets has metal-infused RF shielding built in to prevent thieves from remotely scanning RFID-embedded credit cards. This is just silly.
August 03, 2006
Wireless Device Driver Flaws Allow Takeover of PCs, Macs
Posted By
Andrew Conry-Murray
at 12:14 PM
This week Intel and SANS announced three vulnerabilities for Centrino device drivers on Windows, the worst of which could let the attacker execute code with kernel-level privileges.
July 28, 2006
NWC Interview: Arthur W. Coviello, Jr., CEO, RSA Security Inc.
Posted By
Tom LaSusa
at 03:16 PM
Listen as RSA Security's Chief Executive Officer Art Coviello talks with NWC contributor Robert Hertzberg about Internet crime, privacy protection, terrorism—and storage behemoth EMC's impending $2.1 billion acquisition of RSA.
July 20, 2006
Here's to the IETF
Posted By
Mike Fratto
at 10:51 AM
I always find it interesting to see how standards bodies work. A group is attempting to form within the IETF, though it’s probably more accurate to say that people are talking about forming a working group, called Network Endpoint Assessment (NEA), which from its proposed charter aims to standardize protocols, either existing elsewhere or developing new ones, for exchanging posture information between a client, a broker, and a server.
The problems this group is addressing are fundamental, and while it seems from the meeting notes at a recent Birds of a Feather meeting that a large number of participants are vendors, a few participants were from companies that will ultimately consume the products the vendors will put forth. That’s a huge advantage of a truly open standards process. This group, if it gets started, may have a significant impact on core network access control interoperability and tangentially the feature sets. Without input from stakeholders, critical features may be left out, weakening the usefulness of the resulting work. I remember watching the activity in the IPSec working group, and the decision to not work on NAPT and user authentication resulted in years of non-standardized solutions to remote access VPN which, let’s face it, was the driver in that market.
I would like to see this group form and bring some sanity to the network access control space. I think it would benefit everyone involved.
July 13, 2006
Can the IETF sort out the NAC standardization process?
Posted By
Mike Fratto
at 01:39 PM
With competing network access control (NAC) initiatives like the Trusted Computing Group's Trusted Network Connect (TCG TNC), Microsoft's Network Access Protection (NAP), and Cisco's Network Admission Control (CNAC), as well as all the vendor-specific NAC products and solutions, one thing is painfully clear. Standardization and conformance are critical. The matrix of security and network infrastructure products that should be included in a NAC solution for either end-point validation, profile authorization, or enforcement is mind boggling.
June 09, 2006
Friday Freebie
Posted By
Lori MacVittie
at 09:49 AM
Happy Friday!
Today's almost-freebie combines security and FTP servers. It's only free for 30 days, but the company suggests that the initial license should give you ample time to analyze network traffic and determine how secure (or insecure) your FTP servers might be.
And today's real freebie is MonoStack from BitRock.
June 06, 2006
UTM - Universal Transverse Mercator? Or Unified Threat Management?
Posted By
Don MacVittie
at 01:11 PM
I was reading Christopher Hoff's blog yesterday and got to pondering the use and usefulness of UTM and UTM architectures to the mid-to-large enterprise.
There's a lot to say on this topic, so I will confine myself to a couple of points. First, why would you even consider a UTM solution; second, who would own a UTM solution; and third, what is with the different architectures.
June 02, 2006
Windows Live OneCare - Caring or Careless?
Posted By
Don MacVittie
at 11:56 AM
This week, Microsoft began offering Windows Live OneCare. For $49.95 per year, you can get your PC (up to three of them) protected, maintained, and backed up.
I can see how this plan came about...
May 26, 2006
Is it Safe in the Clear?
Posted By
at 03:51 PM
Ahh, encryption. There are few security-related topics that manage to combine complexity, minutiae, and critical needs quite as thoroughly as does encryption. Government agencies simultaneously require and fear encryption, an attitude that is also common among business leaders. Ultimately, there are plenty of reasons to encrypt data (does stolen personal data ring a bell?) and very few reasons to fear it. While relatively few of us might ultimately be the ones implementing encryption, it's important to understand the major issues so we can discuss its implementation and the policies governing its use intelligently. I recently had a phone call with a team of folks from WinMagic, and we discussed encryption as part of a full security program. You can listen to the podcast here.
Newbury Responds
Posted By
Tom LaSusa
at 01:28 PM
(Originally posted by Mike Fratto on SecureEnterprise Magazine's Website on 02/06/06)
Newbury Networks wants a chance to respond to a blog entry where I opined about their over the top marketing and fear mongering in a white paper they published. I also pointed out what I thought, and still think, are technical inaccuracies. Their unedited response is below.
Newbury is spreading FUD. Here's the Deal.
Posted By
Tom LaSusa
at 01:25 PM
(Originally posted by Mike Fratto on SecureEnterprise Magazine's Website on 02/01/06)
Newbury Networks has been pushing extremely hard the idea that Wi-Fi is broken and can't be trusted unless you deploy their products. They are pushing over the top marketing in webinars and white papers. This white paper is one of the most blatant cases of fear mongering I have seen in a long time. Let's take this apart point by point.
May 23, 2006
VA Problems Might Be Yours Too.
Posted By
Don MacVittie
at 03:11 PM
The recent loss of data from the Veterans Administration highlights the need to know who has what data, and what they're doing with it. The VA has thus far handled this event wonderfully, and as a Veteran from a family of Veterans, I am pleased that they're doing what they have to in regards to the lost data.
But there is one thing that worries me, and I think now is as good a time as any to address it. Public outcry and the media frenzy created by sensationalism is going to cost this employee their job. I am pretty positive that the VA will look at the circumstances, correlate facts, and then fire the employee.
May 22, 2006
Open Source Security
Posted By
at 05:20 PM
Open Source software tends to be one of those religious topics, where people have strong opinions and feelings that are informed by more than simple facts. It's the kind of topic that is fun to cover because it often brings far more reader and listener response than other, less emotionally-charged areas. In this podcast we wade in with both feet, talking with Mike Ferris, Red Hat's Director of Solutions Strategy. He had some interesting things to say, and you can hear them here.
May 05, 2006
Things I learned at Interop 2006...
Posted By
Don MacVittie
at 06:23 PM
In keeping with my habit, here is my usual post-show post about Interop.
This time though, there will be less about vendors and more about press and analysts, because I've picked on vendors enough through the years. Though one or two did make my list for this show. As usual, most specific names have been filtered out to protect the guilty.
May 04, 2006
NAC Ideas Worth Hearing
Posted By
Andrew Conry-Murray
at 06:09 PM
So many vendors were shouting about Network Admission Control (NAC) at this year’s Interop that they nearly drowned out the ‘ding-ding’ of the slot machines. That means enterprises investigating NAC first have to tune out high levels of marketing B.S., vendor obfuscation and bandwagon-jumping before they hear of anything with actual business value.
To help save your eardrums, I’ll point you toward two interesting NAC architectures that emerged from the noise at Interop: peer-based enforcement and SSL VPNs on the LAN.
May 01, 2006
Cell Phone Malware Growing Fast
Posted By
Andrew Conry-Murray
at 08:29 PM
The number of cell phone viruses and Trojans has doubled in the past seven months, leaping from 100 to 200 since October of 2005, according to researchers at F-Secure.
April 20, 2006
Hyper-Critical?
Posted By
Don MacVittie
at 03:53 PM
I am pondering the Risk-Cost security equation a lot these days, as I'm certain you all are.
Some things just absolutely must be protected, others just aren't that important. Some days, I think we as an industry forget that little fact.
And legislation/compliance aren't helping any.
April 14, 2006
Pen Fights ID Theft?
Posted By
Andrew Conry-Murray
at 05:15 PM
You know identity theft has gone mainstream when pen manufacturer Uni-ball launches an ad campaign touting a high-security ink designed to fight ID fraud.
Click A Kitty
Posted By
Tom LaSusa
at 02:16 PM
Do your eyes go all kaflooky when the site you're on pops up with one of those scrambled text signups? You know -- the ones where a string of letters or numbers appears up against a weird background that makes it hard to read? The problem with these security measures is that some vision-impaired users cannot always make out the characters. Plus, they're not as secure as some people think -- the right batch of malicious code can slip right past them.
March 24, 2006
Sourcefire Acquisition Squelched by Politics, Ignorance
Posted By
Andrew Conry-Murray
at 02:17 AM
Check Point Software put its proposed $225 million acquisition of IDS/IPS vendor Sourcefire on indefinite hold this Thursday due to political concerns.
The acquisition, announced in October 2005, came under the scrutiny of the Committee on Foreign Investment in the United States (CFIUS) in February 2006. CFIUS, headed by the Treasury Department, investigates the acquisition of U.S. companies and assets by foreign governments. Check Point, which is headquartered in Israel, needed a green light from CFIUS before the acquisition could proceed.
THE POLITICS
Michele Perry, a Sourcefire spokesperson, cited “the current climate for international acquisition” as a key reason for the withdrawal. That’s a reference to CFIUS’s controversial approval of the transfer of operations at several U.S. ports to a company based in the United Arab Emirates. Republicans and Democrats in Congress joined together to kill the deal.
According to an Associated Press story, the Sourcefire deal may have been discouraged in part to pre-empt charges of bias. Such charges would likely arise if the Bush administration approved an Israeli takeover of a U.S. company soon after bowing to Congressional pressure to freeze out the Arabs.
THE IGNORANCE
The FBI and Defense Department also disapproved of the acquisition. These agencies were spooked because they use Snort, an open source IDS created by Sourcefire founder Marty Roesch, to protect classified computers. They were concerned that a foreign government would acquire sensitive technology.
Apparently they don’t understand that ‘open source’ means anyone with an Internet connection can acquire this sensitive technology.
March 20, 2006
The best laid plans...
Posted By
Don MacVittie
at 06:31 PM
Fall apart when implemented.
Whenever you're in a lab environment there are challenges. It takes a certain mentality to say "Let us gather a bunch of products together, try to make them all work correctly in our environment, then run them through some tests, that sounds like fun, doesn't it?"
For the most part, I have that mentality. I like to learn new things and get going through the problems. But about once a year there's a review that just seems horrendous. My WAFS review is one of those.
February 27, 2006
Hello!
Posted By
Don MacVittie
at 02:28 PM
Hi there, I just thought I'd drop in and let you know that Network Computing has a security editor again... Me.
You may have read some of my stuff when I was testing Storage and Servers, you may have even emailed back and forth with me about my quirky storage blogging. Or you may remember me as "That guy we fired for..." Oh, no, never mind. You wouldn't remember me as that.
February 06, 2006
It's a Mal, Mal World
Posted By
at 11:03 AM
Life used to be so simple. The golden days when a simple virus was all you had to worry about seem almost idyllic compared to the mean electronic streets that we walk today. I recently spoke with Shane Coursen, a senior technology consultant at Kaspersky Labs, about the once and future world of malware. You can hear the podcast here.
January 25, 2006
A Simple Message
Posted By
at 10:27 PM
I don't know about you, but I don't think I could work successfully without instant messaging. In an average day, I instant message with colleagues, contractors, vendors, and contacts throughout the industry. I'm not alone--survey after survey shows that employees are hooked on instant messaging as a way to keep in touch. From a security standpoint, of course, instant messaging comes with a pile of caveats. The open feeling that makes instant messaging so useful also makes it a huge security risk. The free and open dialogue it promotes can be antithetical to complying with regulatory separation between departments. Network Computing technology editor Mike DeMaria and I got together to talk about the possibilities and problems of using instant messaging in the enterprise. You can hear the podcast here.
January 04, 2006
WMF Woes? Patch Things Up (Unofficially)!
Posted By
Tom LaSusa
at 11:56 AM
Worried about the WMF vulnerability? Secure Enterprise Magazine's Editor Mike Fratto has found two 'off the record' fixes that will do a good job of holding down the fort until Microsoft comes up with something more official. Mike explains:
While I am not in the habit of recommending unofficial patches, it seems like the WMF vulnerability is pretty nasty, so you probably want to spend some time testing and deploying the work-arounds. Simply blocking files ending in .wmf won't be enough because Windows handles WMF files based on file structure, not extension. Files ending in .jpg and .gif are just as likely to be WMF files as not.
Ilfak Guilfanov has put together a patch that SANS is endorsing as a viable short term solution until Microsoft comes up with something. F-Secure also has a workaround as well as a wealth of information from their own research and from others like SANS and Ilfak Guilfanov.
I have been using the SANS work-around for days with no ill effects and I, like others, have successfully tested the workarounds against working exploits as well as Metasploit's version.
Just remember to remove this patch -- if you use it -- prior to installing Microsoft's.
December 28, 2005
I Hear You Knockin', But You Can't Come In
Posted By
at 10:59 PM
Who gets in? Who's kept out? Those are the twin questions that frame network security. In this podcast I talk with Brett Helsell of Lockdown Networks about network access control--not the program put forward by Cisco (though we touch on that), but the very idea of controlling who comes into your network. You can hear the podcast here.
We're coming up on the end of the year, and I'd like to do a "Most Important Events in Security for 2005" podcast to wrap things up, and the time grows very short. Of course, it will be a lot more interesting if the items on the list come from you, rather than from me, so please take a moment to send an e-mail to cfranklin@cmp.com telling me about your nominee for the event or events that have had the greatest impact on security during this year. If you include your contact information, I might just call and include you in that year-ending podcast. I'll look forward to your comments.
If you haven't already subscribed to the podcast, look around this page, you'll find the link to subscribe to the Security Channel podcast. In addition, I'd like to ask a favor. Take a minute to drop me a note at cfranklin@cmp.com, and let me know what you'd like to hear in future podcasts. A podcast can be short or long, serious or amusing, hands-on or quite strategic. Let me know what you'd like to listen to, and we'll do our best to make it happen.
The music in this podcast is "Fresh Snow", courtesy of Derek K. Miller, whose work can be found at Penmachine. He releases much of his music under a Creative Commons license--if you like the sound, head over to the web site and check out the rest of his music.
December 01, 2005
From the Inside Looking Out--and In
Posted By
at 11:12 PM
The glamour in security is all about keeping the bad guys out. Statistically, though, more damage is wrought by supposed "good guys" whittling away at your network and data from the inside. In this Security Channel Podcast, David Lynch of Apani Networks talks with me about security from the inside. As things calm down (for those of us not in retail) towards the end of the year, it's time to think about our approach to security and ask whether we should be taking longer, harder looks at just how porous our defenses are from those whom we think we should be trusting. The answers, arrived at honestly, might have far-reaching effects on the way that our networks--and our security implementations--look. You can hear the podcast here.
We're coming up on the end of the year, and I'd like to do a "Most Important Events in Security for 2005" podcast to wrap things up. Of course, it will be a lot more interesting if the items on the list come from you, rather than from me, so please take a moment to send an e-mail to cfranklin@cmp.com telling me about your nominee for the event or events that have had the greatest impact on security during this year. If you include your contact information, I might just call and include you in that year-ending podcast. I'll look forward to your comments.
If you haven't already subscribed to the podcast, look over to the left, you'll find the link to subscribe to the Security Channel podcast. In addition, I'd like to ask a favor. Take a minute to drop me a note at cfranklin@cmp.com, and let me know what you'd like to hear in future podcasts. A podcast can be short or long, serious or amusing, hands-on or quite strategic. Let me know what you'd like to listen to, and we'll do our best to make it happen.
The music in this podcast is "Acid Trumpet" by Kevin MacLeod. He releases much of his music under a Creative Commons license--if you like the sound, head over to the web site and check out the rest of his music.
November 24, 2005
Certifiable Security
Posted By
at 09:31 PM
It's not like we don't have enough acronyms floating around our industry--acronyms for standards, technologies, product designations, and professional certifications. Add to that list the group of acronyms and names for product certifications administered by various groups and the alphabet soup gets truly thick and meaty. After getting Yet Another Press Release (YAPR) touting a product that had received FIPS and Common Criteria certification, I decided to ask just why someone not in government service should care about these pieces of paper. I ended up talking with Tom Gilbert of Blue Ridge Networks about his experience with the certifications and the process to get them. Now, his company makes products that come complete with press releases announcing government-related certification, so he can't be called an entirely neutral source, but I thought that the interview brought out a number of interesting points concerning certifications and whether (or why) you should care about them in private industry. You can listen to the podcast here. After you do, drop me a note (cfranklin@cmp.com) to let me know whether product certifications are part of the criteria you use when choosing which products to purchase and deploy.
If you haven't already subscribed to the podcast, look over to the left, you'll find the link to subscribe to the Security Channel podcast. In addition, I'd like to ask a favor. Take a minute to drop me a note at cfranklin@cmp.com, and let me know what you'd like to hear in future podcasts. A podcast can be short or long, serious or amusing, hands-on or quite strategic. Let me know what you'd like to listen to, and we'll do our best to make it happen.
The music in this podcast is "Anubis Claws" from the album Aeonblue by subatomicglue. They release their music under a Creative Commons license--if you like the sound, head over to their web site and check out the rest of their music.
November 17, 2005
A Look at OATH
Posted By
at 03:40 PM
I've heard it said that you can tell our industry loves standards because there are so many of them. I recently had a chance to sit down and talk with several representatives to OATH, the Initiative for Open Authentication. These folks are clear that they're not trying to become a standards body, but they are active in promoting standards that will allow authentication components from many different vendors to work together. I think it's an interesting idea, and an example of companies coming together due to economic necessity--their customers are demanding it--rather than from any sense of duty to an ideal. Regardless of the motivation, though, there are some great possibilities here for benefit to the customer, so I think it should be of more than a little interest. You can listen to the podcast here. After you do, drop me a note (cfranklin@cmp.com) to let me know whether you think we need more open standards in security, or if you think that standards are, themselves, security vulnerabilities.
If you haven't already subscribed to the podcast, look over to the left, you'll find the link to subscribe to the Security Channel podcast. In addition, I'd like to ask a favor. Take a minute to drop me a note at cfranklin@cmp.com, and let me know what you'd like to hear in future podcasts. A podcast can be short or long, serious or amusing, hands-on or quite strategic. Let me know what you'd like to listen to, and we'll do our best to make it happen.
The music in this podcast is "Rust" from the album Aeonblue by subatomicglue. They release their music under a Creative Commons license--if you like the sound, head over to their web site and check out the rest of their music.
November 03, 2005
What's the True Cost of Security?
Posted By
at 10:19 PM
There's something about economics that tends to act like the anti-coffee to most folks. Their eyes glaze over, the head starts to kinda bob back and forth, and before you know it they're snoring on the conference-room table. When it comes to security, we want to focus on the exciting, glamorous parts--the pen tests and intrusion prevention--while we ignore some of the things (like HR policies) that can have a huge overall impact. In this podcast, I talk with John Pironti of Unisys, who has spent a lot of time thinking about the economics of security. I was impressed because he's gone beyond the questions of cost (always the key to security business analysis) to talk about the issues of tangible economic benefit.
If you're still bruised from your last encounter with the budget committee, you'll want to spend some time listening to this podcast. This one goes a few minutes longer than our normal podcast, but I think the five extra minutes are well worth it. You can listen to the podcast here. After you do, drop me a note (cfranklin@cmp.com) to let me know whether you agree with the kind of analysis that John is applying to security.
If you haven't already subscribed to the podcast, look over to the left, you'll find the link to subscribe to the Security Channel podcast. In addition, I'd like to ask a favor. Take a minute to drop me a note at cfranklin@cmp.com, and let me know what you'd like to hear in future podcasts. A podcast can be short or long, serious or amusing, hands-on or quite strategic. Let me know what you'd like to listen to, and we'll do our best to make it happen.
The music in this podcast is "Bugeater" from the album Aeonblue by subatomicglue. They release their music under a Creative Commons license--if you like the sound, head over to their web site and check out the rest of their music.
October 27, 2005
What's in Your iPod?
Posted By
at 10:57 PM
I don't know about you, but I'm hooked on my iPod. I carry it with me when I mow the lawn, it's my soundtrack when the drive is more than about 10 minutes, and it keeps the outside world at bay when I'm working. I knew that, like most computing devices, the friendly little media players (and their associated software on your PC) carry a security risk, but I hadn't given a lot of thought to just what that penalty might be until I talked with Josh Daymont, director of security of research at Secureworks, a managed security provider. Our conversation makes for an interesting interview (after a bit of a technical glitch on the first question). You can listen to the podcast here. After you do, let me know what kind of MP3 player you carry, and which piece of desktop media software is your favorite--it will be interesting to see what you're listening to.
If you haven't already subscribed to the podcast, look over to the left, you'll find the link to subscribe to the Security Channel podcast. In addition, I'd like to ask a favor. Take a minute to drop me a note at cfranklin@cmp.com, and let me know what you'd like to hear in future podcasts. A podcast can be short or long, serious or amusing, hands-on or quite strategic. Let me know what you'd like to listen to, and we'll do our best to make it happen.
The music in this podcast is "Bugeater" from the album Aeonblue by subatomicglue. They release their music under a Creative Commons license--if you like the sound, head over to their web site and check out the rest of their music.
September 30, 2005
Thinking About the Worst
Posted By
at 12:02 AM
Boy, let an unplanned series come to an end and things just go haywire. After a most interesting September we're back with another Security Channel podcast, this time on disaster preparations and business continuity. It seems to me that the most significant (and, by far, the most common) failure in responding to disasters is the basic failure of imagination; we just can't allow ourselves to imagine that the very worst could happen to our businesses and our families. This in spite of ample evidence that the very worst can, and will, happen to at least some of us in any given year. It's tough to think about, and can seem a true pain to actually plan for, but making preparations for the worst-case scenario can be a literal life-saver when that most horrible of times does come. You can listen to the podcast here. After you do, let me know what your worst-case preparations are like; if I can get enough, we'll do a series of podcasts on what responsible companies and individuals are doing to make sure that their lives and work continue when things get bad.
If you haven't already subscribed to the podcast, look over to the left, you'll find the link to subscribe to the Security Channel podcast. In addition, I'd like to ask a favor. Take a minute to drop me a note at cfranklin@cmp.com, and let me know what you'd like to hear in future podcasts. A podcast can be short or long, serious or amusing, hands-on or quite strategic. Let me know what you'd like to listen to, and we'll do our best to make it happen.
September 02, 2005
The Privacy Series Pauses
Posted By
at 01:48 PM
Our unplanned series of podcasts on identity theft and personal information safety wraps up this week. This has been a fascinating topic for me to explore, and I hope that you've gotten some useful information, but we're going to be looking at some other topics for the next few weeks. We wrap up with a good interview, though, with Mike Gibbons, who's vice president and general manager of Federal Security Solutions at Unisys. Mike had a long career at the FBI, and five years with one of the Big Five consulting companies heading up their security practice, so he's been chasing bad guys for a long time. His views on how companies should work with law enforcement, and what the future might hold for personal-information protection are interesting, and can be heard here, in this week's podcast.
If you haven't already subscribed to the podcast, look over to the left, you'll find the link to subscribe to the Security Channel podcast. In addition, I'd like to ask a favor. Take a minute to drop me a note at cfranklin@nwc.com, and let me know what you'd like to hear in future podcasts. A podcast can be short or long, serious or amusing, hands-on or quite strategic. Let me know what you'd like to listen to, and we'll do our best to make it happen.
August 19, 2005
I Gotta Be Me (and not You)
Posted By
at 04:11 PM
Our unplanned series of podcasts on identity theft and personal information safety continues this week. I wish I could say that I had carefully thought out a theme for the late Summer, but serendipity gets the credit--I'm just pleased to take advantage of the situation. I'm pleased because I think (occasional worm outbreak notwithstanding) that keeping customer information safe is the most significant issue in network security today. Frankly, the only other issue that comes close is infrastructure (switch and router) security, and you'll be hearing more about that from us in weeks to come. This week, I had a chance to interview David Zumwalt, the president and CEO of Privacy, Inc. David has some fascinating things to say about the topic, along with some solid tips for security professionals, and you can hear him talk about them here, in this week's podcast.
If you haven't already subscribed to the podcast, look over to the left, you'll find the link to subscribe to the Security Channel podcast. In addition, I'd like to ask a favor. Take a minute to drop me a note at cfranklin@cmp.com, and let me know what you'd like to hear in future podcasts. A podcast can be short or long, serious or amusing, hands-on or quite strategic. Let me know what you'd like to listen to, and we'll do our best to make it happen.
The music in this podcast is "Tito on Timbales" from Musica Unidos de Latino America. If you enjoy Latin music, there's some great stuff on their web site, along with links to order DVDs and CDs.
August 11, 2005
A Subtle Pattern Begins to Emerge...
Posted By
at 12:17 AM
You know, sometimes a theme is carefully thought out and planned, and sometimes it just happens. It looks like we've got one of the second sort of themes going on here, as we have the latest in an on-going series of interviews focused on privacy and data security issues. Of course, most of the security stories that have made headlines lately have been privacy and data security stories, so I suppose it's not a real stretch to see them here, but it's been fascinating to hear the different takes on the subject. This week's interview is with Dan Verton, author of The Insider: A True Story. He did research on a number of companies and reached some interesting conclusions; I think my favorite is that most companies have no idea where much of their data is stored at any given time. You can hear this and other observations here, in this week's podcast.
If you haven't already subscribed to the podcast, look over to the left, you'll find the link to subscribe to the Security Channel podcast. The folks who work behind the scenes here at nwc.com have done a super job making it possible for me to podcast, and I hope that you can take advantage of all their hard work. In addition, we're now listed in most of the major directories (including iTunes), so you should be able to catch the RSS feed in your favorite podcasting client.
The music in this podcast is "Polymorphic Journey" from the album Secret Journey by NumberSix. They're an Internet-savvy group, and you can find their album here. Give them a listen.
August 04, 2005
Keeping Identities Safe
Posted By
at 12:59 PM
Sorry for the delay in getting this week's podcast up, but I think it will be worth the wait, since we have a great interview on identity theft and what companies should be doing to keep their customers from becoming victims. Everything we're seeing in research terms shows that identity theft is a huge issue for customers, and that they're in the process of making it a huge issue for companies that do business on the Internet. Neal Creighton, CEO of GeoTrust, is the subject of this week's interview--take a listen here.
If you haven't already subscribed to the podcast, look over to the left, you'll find the link to subscribe to the Security Channel podcast. The folks who work behind the scenes here at nwc.com have done a super job making it possible for me to podcast, and I hope that you can take advantage of all their hard work.
The music in this podcast is "Polymorphic Journey" from the album Secret Journey by NumberSix. They're an Internet-savvy group, and you can find their album here. Give them a listen.
July 26, 2005
Security Through The Cycle
Posted By
at 12:22 AM
Let's see, we've had travel (to Chicago), testing (of fixed-point wireless systems), an industry name change (Longhorn becomes Vista), and continuing news of vulnerabilities and attacks. In the midst of all this, I had a very good conversation with Dr. Hugh Thompson, chief security strategist at Security Innovation. We spent some time talking about the state of security in general, with some special attention given to the things that application developers can do to build security into the software they're building. It was a good talk, and you can listen to it here.
I realize that I've been asking for comments when our comments section has been broken. Sorry about that--the web team is working to get things working again as soon as possible. In the meantime, feel free to send comments via e-mail to the address you'll find in my bio. Oh, one other thing; if you look over to the left, you'll find the link to subscribe to the Security Channel podcast. The folks who work behind the scenes here at nwc.com have done a super job making it possible for me to podcast, and I hope that you can take advantage of all their hard work.
The music in this podcast is "We Live as We Dream" from the album Secret Journey by NumberSix. They're an Internet-savvy group, and you can find their album here. Give them a listen.
July 13, 2005
A bit of Application Security
Posted By
at 09:35 PM
Well, we've managed to avoid being blown away by a hurricane or burnt to a crisp in the sun while on a roof, so I guess it's been a pretty good week. To top it all off, I had a very good conversation with Paul Henry, senior vice president of Cyberguard. We talked about a number of things, starting with the attitudes he's seeing from companies who are looking at application-layer security.
I've built a podcast on the interview. You can find it here and, as always, let me know what you think. Oh, one other thing; if you look over to the left, you'll find the link to subscribe to the Security Channel podcast. The folks who work behind the scenes here at nwc.com have done a super job making it possible for me to podcast, and I hope that you can take advantage of all their hard work.
The music in this podcast is "We Live as We Dream" from the album Secret Journey by NumberSix. They're an Internet-savvy group, and you can find their album here. Give them a listen.
July 06, 2005
Security Built In
Posted By
at 09:02 PM
OK, it's been a week since the last podcast, with a holiday and many hours crawling around on office-building roofs thrown into the middle. Fortunately, this is a solid podcast, featuring an interview with Kevin Kernan, CEO of Secure Software. The interview covers a lot of territory about information and network security, and should be interesting regardless of the type of products or approach you use for your organization's security.
You'll find the podcast here. Leave a comment, or drop an e-mail to let me know what you think of the podcast.
June 29, 2005
...and the Survey Says:
Posted By
at 09:49 PM
There's nothing like spending a couple of days crawling around on roofs and in attics (in June, and in Florida) to make you appreciate the concept of "inside". Add the "excessive rainfall" (a genuine National Weather Service term) that we've been getting for several days, and it's a good time to stay inside and get some work done. You'll see the reason for the outside work in a few weeks--it's for a review of fixed-point wireless networking that will be coming up in Network Computing. It involves testing out in the real world, and down here the real world includes high humidity, warm temperatures, and a fair number of insects, reptiles, and very swampy walking tours. We've just deployed the first of the free-space optical systems, and I get to spend a little time inside, at my desk, while waiting for some more stuff to arrive.
While I've been at my desk, I've seen all sorts of press releases, including two that caught my interest because they talk about surveys conducted on security-related topics. One came from The Conference Board, a business group that's usually in the news with their survey of consumer or purchasing agent confidence, and one came out of a gathering of CSOs in Chicago. Both point to the same conclusion from different angles: Our technology fixes for security are working pretty well, but the problems for which we don't have a good technology solution are cause for ever greater concern.
I've built a podcast on the two surveys. You can find it here and, as always, let me know what you think. There are some more great interview-based podcasts coming up, and some infrastructure changes that should let you subscribe to the podcast and have it arrive automatically. Cool stuff--just what we need as we enter the hot days.
June 21, 2005
Back from the Desert
Posted By
at 12:52 AM
Boy, it's been a busy couple of weeks, with travel (NetSec in Scottsdale was a killer conference at a great resort), getting ready for a huge test (fixed wireless networking), and several smaller tests in progress. Oh, yeah, we (CMP, that is) also started a daily video project that I'm contributing to. If you haven't seen The News Show, you should really check it out.
Now on to this edition of the blog and podcast. I had a chance to sit down with Rich Baich, CISO of ChoicePoint, and talk about what it takes to succeed as a CISO in today's environment. He's obviously put a lot of thought into the question, and his answers are a good starting point for anyone on the verge of adding a "C" level title to their security portfolio. You can grab the podcast here and, as always, let me know what you think.
May 26, 2005
The Threat from Inside
Posted By
at 08:21 PM
Sorry it's been a week since the last podcast, but it's been a full week, with plans for upcoming tests, new products to look at, and plenty of news on the security front to think about. I've got a couple of longer podcasts coming up--podcasts with interviews and other folks talking so you don't have to just listen to me--but until I get them finished I had some thoughts on one of the big news items of the last couple of weeks: the customer data theft that hit Bank of America and other financial institutions. The big thing about these thefts was that they were instigated by insiders--employees who should have known better. Take a listen to the podcast and let me know what you think. Is there a sure technology fix to the question of insider theft? Let me know your thoughts.
May 17, 2005
The Federation (Identity)
Posted By
at 10:06 PM
Tonight's podcast is about identity federation, and especially about IBM's latest announcements on the topic. Last week I had a chance to talk via phone with Joe Anthony of IBM, and he shared some of the things that he sees in the developing identity federation market. Now, I've seen enough people struggling with multiple computer-based identities to know that identity federation is coming, and ultimately coming in a big way. But I've also covered enough exploits and thefts to be more than a little apprehensive about pulling more and more identity value into data stores that we haven't learned how to--or been willing to--make truly secure from unauthorized access. If all the laws, regulations, and industry rules aren't enough to convince us to get serious about all forms of identity security, the knowledge that a single break-in could affect multiple corporations and a cascading universe of users should be the spur we need. Take a listen to the podcast and let me know what you think. Is your organization already implementing identity federation? I'd be very interested in hearing a real success story or two.
May 11, 2005
An N+I Interview
Posted By
at 10:11 PM
I promised more podcasting about the things I saw and heard at Networld + Interop, and I've finally shaken off the need to sleep (and catch up on work that was waiting when I got back) enough to get started. The podcast this time contains a confession and a look inside the sophisticated world of recording a podcast, but the focus is on a conversation I had with Jayshree Ullal, Senior Vice President of Cisco's Security and Technology Group. She had some interesting things to say--take a listen to the podcast and let me know what you think.
May 05, 2005
Winners from Interop
Posted By
at 02:59 PM
You know, this business of running on three hours sleep a night has considerably less charm now than it did when I was 25...anyway, I'm going to be doing more podcasts based on things I've done here at Interop, but I wanted to give a link to the winners of the awards I mentioned in the last podcast. You can find the full list of winners here. Take a look, and come back soon...some good stuff is coming in the blog and the podcasts.
May 03, 2005
From the Halls of Interop
Posted By
at 01:11 PM
This week, I'm out in Las Vegas at the Interop trade show, and the fun is just beginning. I plan to have some interesting news from the show floor, but first, I have to get there. Yesterday and this morning I've been listening to companies talk about their products as part of the Best of Interop awards program. I realize that most folks never get to enjoy a process like this, so I put together a podcast that lets you hear some of the process, and meet some of the people involved. Let me know what you think, and if there are any products or technologies you particularly want me to be on the lookout for here at the show.
At the very least, I'll be back tomorrow evening with news of who won--I'd be interested in hearing who you think should have won based on the pitches you hear in the podcast...
April 25, 2005
Taking Action against Attacks
Posted By
at 10:34 PM
How far should we go in defending our networks? Is it enough to stiffen our defenses and patch vulnerabilities, or should we actively pursue (through legal means, of course) those who work to usurp network resources and steal information? For a growing number of organizations, strengthening the bulwarks is no longer enough--it's time to treat network attackers like criminals.
In the course of the last week, I've had three separate conversations on this topic. One was with the executive director of a new organization called CIDDAC. They're trying to gather the data that law enforcement will require to go after phishing, re-direction, and other attacks. The other two conversations were with executives at Microsoft. The two, coming from different aspects of the security whole, had different takes on what their customers and partners were doing towards actively pursuing the attackers.
I think that we're going to hear more and more about companies and organizations teaming with law enforcement to pursue those who attack networks and customers. Take a listen to the podcast and let me know what you think.
April 23, 2005
It's Been Quite a Week
Posted By
at 03:21 PM
Sorry that I haven't blogged since Tuesday, but it's been quite a week. I flew up to Seattle, then drove out to spend the day with Microsoft on Wednesday. There are a number of things we discussed that you'll be seeing in future blog posts and Network Computing articles, and a pretty cool podcast that I'm putting together on the topic of aggressive responses to attacks--how (and whether) we enlist the help of law enforcement to try putting thieves and vandals in jail, rather than simply beefing up our defenses to keep them out.
The thing that I keep coming back to in discussions with companies (both vendors and users) is a profound change in the way we work with the "people" aspect of security. To this point we've heard more about the technology because, in many respects, technology is the easier problem to solve. Changing products is (relatively) easy; changing people's ingrained behavior is hard. Unfortunately, if we're going to make significant improvements in security, we're going to have to tackle the hard issues.
April 19, 2005
Old Enemies Come Back
Posted By
at 11:58 PM
Sunday night we were having dinner with some friends, a gathering that included someone who rides herd on the IDS at a Major University. Just as he got to the house, his phone started ringing--something was knocking a couple of key segments off the network. It turned out that a host on the network had been given a new dose of Sasser--and the result was an IDS log file large enough to choke servers, which cascaded down to sensors, which then caused problems in dealing with the issue. He took care of the problem in a few minutes, but there were more phone calls, and a renewed acquaintance with a problem we thought had been handled.
Now comes word from F-Secure that a new Sober variant, Sober.N, is seeding itself, and spreading through infected .ZIP files. As I mentioned in the last podcast, attention to user training (Don't Open Unexpected ZIP Files) will be as important as AV signatures in stopping this one early. Beyond that, the renewal of old threats is a solid reminder that the early versions of these worms tended to be more proof of concept than serious damage attempts--the real payoff in terms of network damage is yet to come. We've been warned--let's get busy protecting our networks through technology and training.
April 15, 2005
Let's Get Serious
Posted By
at 11:14 PM
April has, so far, been a month of bad news in the computer security field as Lexis/Nexis and Mastercard revealed that individual data had been released in system breaches. They're not alone, as we've found listening to the steady drumbeat of news stories announcing that data from various organizations has been released without authorization.
The fact is, after all the talk and all the legislation, we're still not taking security seriously. You can hear more about what we're not doing--and what we should be doing--at the podcast found here. Have a good weekend and, as always, drop me a line to let me know what you think.
April 12, 2005
Introduced to ISA Server
Posted By
at 10:05 PM
With ISA Server 2004 Enterprise Edition, Microsoft is trying to bring a number of performance and security functions together under a single management interface in a single product. They seem to have done a pretty good job on key portions of the task, if the demonstration we had in the Gainesville, Florida Real World Lab is any indication. We will, of course, reserve judgement until we've had a chance to put the product through its paces on our own, but the management interface, at least, looks quite good.
That management interface was, in fact, the only thing I saw today that gave me any pause. Is it possible to make a product too easy to use? The only worry I have is that, if the folks in the central network management group aren't careful about how they define privileges for admins at branch offices, a remote admin could wander over his head into security policies very quickly.
In addition to the demo, we were able to talk for a while, and part of the conversation makes up today's podcast, which you can find here. Enjoy and, as always, let me know what you think.
April 07, 2005
Mile-High Entry
Posted By
at 07:06 PM
Who would have thought that you could build a podcast and blog entry set at 35,000 feet over western Tennessee? Me, neither, but here it is. This time, I'm talking about a couple of tools, from Dymo and Levenger, that help us keep things straight in the lab. In all honesty, the tools' use isn't confined to the lab--I've used the tool from Levenger almost every day for over a decade.
After the tool talk, it's time to talk about fiber-optic cabling. I hear more and more companies using security as the primary justification for a fiber installation, so I feel comfortable putting it in the security channel. If you are looking at going the fiber route, then you really ought to consider all the different ways of pulling the fiber, including nifty methods like the one I've seen from Sumitomo Electric. They use compressed gas to blow the fiber through a special conduit, and the organizations I've talked with that have decided to use the Futureflex system seem pleased with the results. You can find the podcast with both of these sections here. I hope you enjoy it, and find a little bit of useful information inside.
April 05, 2005
There's Something About an Airport
Posted By
at 05:26 PM
I don't know exactly what it is, but something about spending time in a line of strangers, holding my boots and my belt in my hands leads me to thoughts about how to improve security. I think the time has come for companies to take the plunge into two-factor authentication and leave the abomination of "strong passwords" behind. You can hear me discuss my reasons for thinking this in today's podcast, which you can download here.
There's something new in this podcast--I'm spreading my audio wings a bit--so let me know what you think. Let me know, too, what you think about us setting up the RSS feed for the security podcasts so you can have them delivered fresh to your desktop when they happen. As I wrote a couple of entries ago, this is new to me, so let me know how I'm doing.
March 30, 2005
Security From Two Directions
Posted By
at 01:41 PM
Once more into the podcast, dear friends, as we consider a couple of products that have been the subject of recent conversations. The first is from Tizor. The TZX 1000 is an appliance that builds logs of database and application access across the network--an important issue if you're in an industry laboring under any of the many regulations requiring you to document who sees what in the corporate information realm.
The other product, from Permeo, is designed to enforce host-configuration policies on remote-access systems--even when the remote hosts don't belong to your organization. I've still got a few questions about this system, but it certainly looks like a promising entry in the remote-access market.
You can get today's podcast here, so take a listen. As always, let me know what you think--this is an evolving thing, so your opinions are very important to me.
March 28, 2005
Something Completely Different
Posted By
at 08:57 PM
Hey, everyone, let's try something new. I've become fascinated by the world of podcasting, so I thought it might be interesting to podcast some of my daily observations, and even some of the interviews that are part of my week. The experiment begins with my very first podcast--found here.
Now, the first few podcasts are going to be awfully simple--me and a microphone, as I try to screen out the noise of the switch that sits behind my head in the office. As I get a bit more comfortable with all this, they'll get more adventurous.
Let me know what you think about the podcast as a way to get information from my desk to your head. Let me know what you'd like to hear in future podcasts--right now, I'm especially excited about taking my PocketStudio to conferences and trade shows, to try to get some of our interviews and meetings in front of you.
This particular podcast? A look at two new options for dealing with SPAM. The two products come from two major industry players--the first from IBM and the other from Symantec. I'm all for anything that cuts down on spam--let me know if you want to know more about these products.