Network Computing | Security Channel
http://www.networkcomputing.com/blog/dailyblog/
Copyright 2008
Mon, 09 Jun 2008 21:47:10 -0500

Europe: For All Your Spam Needs
Europe has been taking the lead in several areas of technology lately. The European Space Agency (ESA) will be the first to send an unmanned cargo ship to the International Space Station. London will be Europe's first city to get A380 Airbus service. Now Europe claims another "accolade" -- Symantec says it's responsible for most of the spam sent worldwide. I guess two outta three ain't bad.

http://www.networkcomputing.com/blog/dailyblog/archives/2008/02/europe_for_all.html | Security | Wed, 06 Feb 2008 20:04:02 -0500
Leaky Nuke Lab Is Poor Endorsement For A Security Product
A new startup has licensed technology from Los Alamos National Laboratory to help enterprises respond to security incidents. But does the company really want to be associated with a lab that routinely mishandles nuclear weapons secrets?

http://www.networkcomputing.com/blog/dailyblog/archives/2008/01/leaky_nuke_lab.html | Security | Wed, 23 Jan 2008 12:45:19 -0500
Keeping IT Awake All Night
The SANS Institute’s Top 10 Menaces of 2008, developed by a panel of security experts, predicts key threats in 2008. While some threats, like Web-based attacks, spyware, botnets, and insider problems, have been with us for some time, the difference is in the sophistication of the attacks.

http://www.networkcomputing.com/blog/dailyblog/archives/2008/01/keeping_it_awak.html | Data Privacy Immersion Center | Mon, 14 Jan 2008 15:51:51 -0500
CA Gets A Gateway To SOA
CA has launched a SOA Security Gateway, part of its IAM (Identity and Access Management) r12. The announcement brings CA into head-on competition with vendors including IBM and Cisco, though it doesn't really represent another player in the market, as much of the technology comes from an OEM deal with Web services security vendor Vordel.

http://www.networkcomputing.com/blog/dailyblog/archives/2007/11/vordel_gives_ca.html | SOA/Web Services Immersion Center | Tue, 20 Nov 2007 05:32:20 -0500
Leveraging Your Infrastructure
NAC deployments often require more integration than seen at first blush, especially when the NAC products don't meet expectations. Take user login/log-offs, which were a problem I mentioned in my review of ConSentry's product. There are ways to mitigate problems or bolster your NAC deployments using features you already have.

http://www.networkcomputing.com/blog/dailyblog/archives/2007/10/leveraging_your.html | NAC Immersion Center | Fri, 19 Oct 2007 17:28:54 -0500
The Insider Threat Is Greater Than You Might Think
Dr. Eric Shaw's Tuesday keynote at the MIS Training Institute's IT Security World Conference 2007 is a sobering presentation about the underlying causes of and dangers in mishandling the rogue or disgruntled employee.

http://www.networkcomputing.com/blog/dailyblog/archives/2007/09/the_insider_thr.html | Security | Wed, 19 Sep 2007 13:47:12 -0500
Breach Notification Service is a Bad Sign
You know data security breaches are way too common when a company builds a business around customer notification of stolen information.

http://www.networkcomputing.com/blog/dailyblog/archives/2007/08/breach_notifica.html | Security | Thu, 16 Aug 2007 16:26:12 -0500
Pointing fingers
Momma always said every time you point a finger, three more are pointing back at you. Well, there was a lot of finger pointing going on the last few weeks between IE and Firefox over a vulnerability in URL handlers, and a recent twist continues to stir things up.

http://www.networkcomputing.com/blog/dailyblog/archives/2007/07/pointing_finger.html | Security | Wed, 25 Jul 2007 22:01:06 -0500
$28 Million for an Old Idea—Part 1
You have to admire the chutzpah of startup Palo Alto Networks. The company has raised $28 million to sell a "next-generation" firewall based on ideas that are 20 years old.

http://www.networkcomputing.com/blog/dailyblog/archives/2007/07/28_million_for.html | Security | Fri, 20 Jul 2007 13:04:17 -0500
Would You Get Hooked By A Phisher? Test Your Smarts
Think you're too smart to get duped by a phishing scam? Are you absolutely certain you'd be able to recognize an authentic site from a scam? The anti-virus experts at McAfee aren't as convinced and so they've set up an extremely interesting interactive quiz. The test consists of ten questions, eight of which include screenshots of both a real version of a website and a phisher's dupe. All you have to do is click on which one you believe is the valid site. At the end of the test you'll get your score.

http://www.networkcomputing.com/blog/dailyblog/archives/2007/07/would_you_get_h.html | Security | Thu, 19 Jul 2007 16:47:28 -0500
Podcast: IronPort's Scott Weiss
The CEO of IronPort Systems talks about his company's acquisition by Cisco and why he sees no end in sight to the problem of spam.

http://www.networkcomputing.com/blog/dailyblog/archives/2007/06/interview_ironp.html | Podcasts | Tue, 05 Jun 2007 13:30:08 -0500
Google Hacked... by Google?
Google Hacking is the popular sport of using Google's giant cache and index to discover files or applications that the administrators might not have realized were public. There are whole databases (Johnny Long maintains the most well known) that track fun search phrases to use, but it looks like Google themselves may have been bitten.

http://www.networkcomputing.com/blog/dailyblog/archives/2007/05/google_hacked_b.html | Security | Tue, 29 May 2007 14:17:00 -0500
Microsoft TCG/TNC Announcement
While at Interop, I had the chance to talk to Stephen Hanna, Distinguished Engineer at Juniper and Co-chair of the Trusted Computing Group Trusted Network Connect working group, and Paul Mayfield, Group Product Manager for Enterprise Networking.

(now you see why I do print)

http://www.networkcomputing.com/blog/dailyblog/archives/2007/05/microsoft_tcgtn.html | Network Infrastructure | Wed, 23 May 2007 21:02:45 -0500
It's all about the policy
The Trusted Computing Group Trusted Network Connect published Microsoft’s Statement of Health protocol (SoH), which lets NAP clients send health information to a Policy Decision Point (PDP)—the server that makes a decision based in whole or in part on the host health.

http://www.networkcomputing.com/blog/dailyblog/archives/2007/05/its_all_about_t.html | Network Infrastructure | Tue, 22 May 2007 17:28:51 -0500
He-Said/He-Said: Open Source 802.1X
Over in NWC News Analysis, we covered the formation of a new group to build an open source 802.1X supplicant. The group, called the OpenSEA Alliance, is working to develop an open-source 802.1X supplicant (a client implementation) to ensure a standards-based implementation and speed industry adoption, they said.

Our editors have varying opinions on the move:

http://www.networkcomputing.com/blog/dailyblog/archives/2007/05/hesaidhesaid_op.html | Security | Tue, 15 May 2007 12:34:49 -0500
See no vulnerabilities, hear no vulnerabilities
Yesterday, Computerworld reported on a Gartner tidbit that "QuickTime Vulnerability Exposed by Contest Poses Wide Risk". I'm in complete agreement with the title. The QuickTime vulnerability is indeed a pretty nasty one. It impacts both Mac and Windows (including Vista!) machines with any web browser as long as Java and QuickTime are enabled and installed. Pretty bad combination.

http://www.networkcomputing.com/blog/dailyblog/archives/2007/05/see_no_vulnerab.html | Security | Wed, 02 May 2007 21:34:50 -0500
Skip a security check, do not pass go, go directly to suspension
A University of Portland student was suspended for writing a program to bypass the Cisco Clean Access NAC system on campus. Apparently this incredibly dangerous activity is a Patriot Act violation. Or, at least, it is if you believe the letters being sent out by the administration at UP, who seem to be confusing "skipping security checks" and "hack into a licensed product".

http://www.networkcomputing.com/blog/dailyblog/archives/2007/04/skip_a_security.html | Security | Fri, 27 Apr 2007 13:44:27 -0500
Mac Attack
Security in OS X is a pretty interesting topic to watch on the web. For every stereotypical Mac user, perfectly smug in the invulnerability of their operating system of choice, there is a detractor who claims Macs only seem secure because nobody uses them and thus nobody tries to break their security. The truth, as is usually the case in such things, surely lies somewhere in between.

http://www.networkcomputing.com/blog/dailyblog/archives/2007/04/mac_attack.html | Security | Sat, 21 Apr 2007 02:27:02 -0500
Is Cobia Open Source?
Thomas Ptacek challenged Alan Shimel recently on whether StillSecure's Cobia™ Unified Network Platform™ is really Open Source. Alan's response is that essentially most folks only care that open source means free, and the source code comes with it. After all, that is the obvious definition of the term without knowing the back history. It's not, however, the actual, accepted definition of the term. See the FSF's discussion of the two terms for a bit more background on "Free Software" and "Open Source".

http://www.networkcomputing.com/blog/dailyblog/archives/2007/04/is_cobia_open_s.html | Security | Tue, 03 Apr 2007 11:57:56 -0500
Web 2.0 Inherently Insecure?
When I first heard a number of claims that AJAX applications were inherently more insecure than standard web applications, I thought that was ridiculous. After all, as long as you don't do anything stupid like do validation of user input only on the client, what would you have to worry about?

While on one level that may be true, it looks like in the general case I was wrong. Splitting web applications into two distinct programmatic components, one that runs in the browser, and one that runs in the server is more complicated (at the very least you've got to be proficient now in two different languages), and there are definitely new types of vulnerabilities that are specific just to AJAX applications.

http://www.networkcomputing.com/blog/dailyblog/archives/2007/04/web_20_inherent.html | Security | Mon, 02 Apr 2007 00:57:17 -0500
Hacking Intranets
If anyone is interested in the Hacking Intranets presentation I gave this week, video (with very poor audio quality, unfortunately), slides, and the demo code are available online. I'm not super-pleased with the results as I think I tried to cram too much information into too short of a time-frame (especially when 15 minutes were subtracted from the length I had to present in!), but the takeaway of how easy it is to use web browsers to hack intranets is worth reiterating.

http://www.networkcomputing.com/blog/dailyblog/archives/2007/03/hacking_intrane.html | Security | Fri, 23 Mar 2007 17:45:00 -0500
No cookie for you!
In preparation for my upcoming presentation on web security and abusing browsers, I was going over the long list of protection measures that either aren't in place, or don't work against the potential threats, when I stumbled across one bright spot in an otherwise bleak landscape.

http://www.networkcomputing.com/blog/dailyblog/archives/2007/03/no_cookie_for_y.html | Security | Sun, 18 Mar 2007 20:13:21 -0500
Infosec World 2007
I'll be making a very brief appearance at Infosec World next week. If anyone's planning on being there and would like to stop by and say "hello", I'm unfortunately presenting at 8:30 on Tuesday, and leaving just after my talk. Still, if for some odd reason you've got a burning desire to see how young I really look in person (Answer: I'm 27 and walking around campus where I work, I'm regularly mistaken for a freshman), here's your chance to find out.

I realize that might be an early talk for those west-coasters still not used to our EST sunrise, but I can promise you the demo for the talk will be entertaining. I won't be presenting any earth-shattering attacks, mostly things that those on the cutting edge of web security are familiar with, but the hands-on examples should be a lot of fun.

http://www.networkcomputing.com/blog/dailyblog/archives/2007/03/infosec_world_2.html | Security | Thu, 15 Mar 2007 16:21:15 -0500
OpenBSD Remote Exploit
OpenBSD is usually touted as one of the most secure networked operating systems. Of course, part of that reputation was gained because for years it's disabled unnecessary services (or even sometimes mostly necessary ones -- like SSH) by default. Still, defaults aside, OpenBSD.org has for many years now had the tag-line, "Only one remote hole in the default install, in more than 10 years!" Just in the last few days, however, that tag-line has changed. The count's now jumped to two remote holes in the default install.

http://www.networkcomputing.com/blog/dailyblog/archives/2007/03/openbsd_remote.html | Security | Wed, 14 Mar 2007 14:40:14 -0500
Spam/Not Spam
Verizon recently won a lawsuit against SMS spammers.

As e-mail providers, ISPs and enterprises have cracked down on e-mail spam, spammers have looked toward other mediums including instant messaging (discussed in Mike DeMaria's article this month on IM security appliances) and SMS.

Carriers have been cracking down on SMS spam as of late, with some unintended consequences.

In our preliminary testing of Mobile Device Management software for the April 30th issue of Network Computing, two vendors found that SMS messages, sent via e-mail and used to reach mobile endpoints, were being rejected by some carriers (presumably as spam). The same messages sent to other carriers, however, worked fine.

Organizations that use SMS, especially via e-mail gateways, for enterprise applications may look to conduct monthly tests with all possible messages to ensure that messages aren't rejected in the fight to prevent SMS spam.

http://www.networkcomputing.com/blog/dailyblog/archives/2007/03/spamnot_spam.html | Security | Thu, 08 Mar 2007 10:32:50 -0500