Category Archives: IT Security

IT Seat Belts

Over on the ongoing comment thread about IT Security: Unnatural Industry (which started on Schneier on Security and is also on Spire Security Viewpoint and 1 Raindrop), Pete Lindstrom asked a question I hadn’t yet answered:

Why didn’t people sue their banks for fraud? Why did congress need to write a law about behaviour that is already covered by contract law and fraud?

Well, I think that’s mostly a question about personalities, customs, and precedents.

Continue reading

IT Security: Unnatural Industry

Bruce Schneier says the obvious:
Last week I attended the Infosecurity Europe conference in London. Like at the RSA Conference in February, the show floor was chockablock full of network, computer and information security companies. As I often do, I mused about what it means for the IT industry that there are thousands of dedicated security products on the market: some good, more lousy, many difficult even to describe. Why aren’t IT products and services naturally secure, and what would it mean for the industry if they were?

Do We Really Need a Security Industry? Bruce Schneier, Schneier on Security, 3 May 2007

Obvious in an emperor’s new clothes sort of way. Continue reading

Metricon 2.0

It’s that time again:
Do you cringe at the subjectivity applied to security in every manner? If so, MetriCon 2.0 may be your antidote to change security from an artistic “matter of opinion” into an objective, quantifiable science. The time for adjectives and adverbs has gone; the time for hard facts and data has come.

Second Workshop on Security Metrics (MetriCon 2.0) — Call for Papers, MetriCon 2.0 CFP, August 7, 2007 Boston, MA

Want to quantify a pesky subjective security topic? You’ve got until 11 May 2007 to submit a request to participate.

-jsq

Do or Don’t

Well, you go away for the weekend, and Vista fans have a party on your blog….

While one of the commenters seems to mostly know people who like Vista, so far I haven’t found anybody I know who does; could be it’s who you know. Apparently Dell knows quite a few people who don’t want Vista, and the Houston Chronicle talked to some of them.

The people I talk to think Ubuntu Linux is just as good as Vista, and requires fewer resources. Sort of like this opinion: except for perhaps some Windows-specific applications, why not switch to Ubuntu? Dell is also moving to supply Ubuntu as a native operating system within weeks.

Continue reading

CAPTCHA Gotcha?

Casey Chesnut claims to have used AI to reliably crack CAPTCHA. I don’t know whether he really did; he doesn’t provide his code to try, nor any other evidence except websites where he’s posted comments, which of course he could have done by eyeballing their CAPTCHAs. But if he didn’t, somebody probably will soon. What then?

Seems to me like yet another example of how technological security will fail eventually, and then risk management is needed. In this case, part of the risk management may be reworking how comments work yet again.

-jsq

Validation: Semantic or Syntactic

Gunnar posts:

James Clark proposes another way to look at this:

Validity should be treated not as a property of a document but as a relationship between a document and a schema.

From a security perspective the validation relationship is between document and the allowed characters (white list – strongest) or disallowed characters (black list – weaker).

So which should it be, semantic or syntactic?
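To make the two kinds of validation concrete, here is an added Python example; it is not code from Gunnar's post or from James Clark. The same string is checked syntactically against a white list and against a black list, and the same document is checked semantically against two different schemas, so that validity is visibly a relationship between document and schema rather than a property of the document. The character sets, field names and schemas are assumptions made for the example.

```python
import re

# Syntactic validation: the relationship is between the document and a
# character set.  Both patterns are assumptions for this example.
ALLOWED = re.compile(r"\A[A-Za-z0-9 _.\-]{1,64}\Z")   # white list: everything else is rejected
DISALLOWED = re.compile(r"[<>\"'&;]")                  # black list: only these are rejected


def whitelist_ok(text: str) -> bool:
    """Accept only if every character is on the allowed list."""
    return ALLOWED.match(text) is not None


def blacklist_ok(text: str) -> bool:
    """Accept unless a listed bad character appears."""
    return DISALLOWED.search(text) is None


# Semantic validation: the relationship is between the document and a schema.
# A schema here maps each required field to (exact type, predicate).
def schema_valid(doc: dict, schema: dict) -> bool:
    if set(doc) != set(schema):            # no missing and no extra fields
        return False
    for field, (typ, pred) in schema.items():
        value = doc[field]
        # exact type check: bool is a subclass of int, so isinstance() would let True pass as a rating
        if type(value) is not typ or not pred(value):
            return False
    return True


# Two schemas for the same kind of document (assumed for the example).
COMMENT_SCHEMA = {
    "author": (str, whitelist_ok),
    "body":   (str, lambda s: 1 <= len(s) <= 2000),
    "rating": (int, lambda n: 1 <= n <= 5),
}
MODERATED_SCHEMA = dict(COMMENT_SCHEMA, rating=(int, lambda n: 1 <= n <= 3))


if __name__ == "__main__":
    # Constructed sample document and input.
    doc = {"author": "jsq", "body": "Nice post.", "rating": 5}
    print(schema_valid(doc, COMMENT_SCHEMA), schema_valid(doc, MODERATED_SCHEMA))
    fullwidth = "\uff1cscript\uff1e"   # fullwidth angle brackets: on neither list
    print(blacklist_ok(fullwidth), whitelist_ok(fullwidth))
```

The black list passes the fullwidth angle brackets because nobody thought to list them; the white list rejects them because they were never allowed, which is why the white list is the stronger of the two syntactic checks. The schema check is where meaning comes in: the identical document is valid under one schema and invalid under the other. Note also `\Z` rather than `$` in the white-list pattern, since `$` would accept a trailing newline.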

Continue reading

SCADA Has Holes!

In addition to foreign manufacturers, very long (decade or more) upgrade times, deployments in odd locations that pretty much require network access by non-net-savvy technicians, etc., SCADA also has another bug:
Neutralbit identified the vulnerability in NETxAutomation NETxEIB OPC (OLE for Process Control) Server. OPC is a Microsoft Windows standard for easily writing GUI applications for SCADA. It’s used for interconnecting process control applications running on Microsoft platforms. OPC servers are often used in control systems to consolidate field and network device information.

Neutralbit reports that the flaw is caused by improper validation of server handles, which could be exploited by an attacker with physical or remote access to the OPC interface to crash an affected application or potentially compromise a vulnerable server. Neutralbit has also recently published five vulnerabilities having to do with OPC.

Hole Found in Protocol Handling Vital National Infrastructure, physorg.com, 25 March 2007
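As an added illustration of the vulnerability class the report names, a server that dereferences a client-supplied handle without validating it, here is a hypothetical Python handle table with the unchecked lookup beside the checked one. This is not the NETxEIB server's code and not Neutralbit's finding; the table layout, client names and error reasons are assumptions made for the example.

```python
from typing import Optional


class HandleError(Exception):
    """Raised by the checked lookup for any handle the caller may not use."""


class HandleTable:
    """Hypothetical server-side handle table (assumed layout, not any vendor's code).

    Clients name server objects by small integers.  lookup_unchecked trusts
    that integer the way an improperly validating server would; lookup_checked
    verifies range, liveness and ownership before dereferencing it.
    """

    def __init__(self):
        self._slots = []  # handle -> [owner, obj], or None once released

    def allocate(self, owner: str, obj) -> int:
        self._slots.append([owner, obj])
        return len(self._slots) - 1  # the handle is the slot index

    def release(self, handle: int) -> None:
        # Kept trivially simple; a real server would validate here as well.
        self._slots[handle] = None

    def lookup_unchecked(self, handle):
        # Weak: a negative handle wraps round to another client's slot (the
        # caller reads an object it does not own); an out-of-range one raises
        # IndexError; a released one raises TypeError on the None slot.  In a
        # native server those last two are the crash the report describes.
        return self._slots[handle][1]

    def validate(self, caller: str, handle) -> Optional[str]:
        """Return None if caller may use handle, else the reason it may not."""
        if type(handle) is not int or not 0 <= handle < len(self._slots):
            return "out of range"
        slot = self._slots[handle]
        if slot is None:
            return "released"
        if slot[0] != caller:
            return "owned by another client"
        return None

    def lookup_checked(self, caller: str, handle):
        reason = self.validate(caller, handle)
        if reason is not None:
            raise HandleError(reason)
        return self._slots[handle][1]


def unchecked_outcome(table: HandleTable, handle) -> str:
    """Describe what the weak lookup does with a client-supplied handle."""
    try:
        return f"returned {table.lookup_unchecked(handle)!r}"
    except (IndexError, TypeError) as exc:
        return f"crashed: {type(exc).__name__}"


if __name__ == "__main__":
    # Constructed scenario: two clients, each holding one server object.
    table = HandleTable()
    h_a = table.allocate("clientA", "tagA")
    h_b = table.allocate("clientB", "tagB")
    for bad in (-1, 99, h_b):
        print(bad, unchecked_outcome(table, bad), "|", table.validate("clientA", bad))
```

The three checks in `validate` are the ones missing from a server that merely indexes with whatever integer the client sent: the handle must be an integer in range, must refer to a live object, and must belong to the caller. The first two prevent the crash; the third prevents one client from reaching another's objects through a guessed or negative handle.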

Neutralbit also claims this is the first remotely accessible SCADA vulnerability, which the smallest amount of googling shows is not true (I leave that as an exercise for the reader). However, they probably have found a real vulnerability. Continue reading

30% of Bank Firewalls Misconfigured

This is from Sourcemedia’s Financial IT Security Intelligencer:

During a year’s worth of bank and credit union security audits, audit firm Redspin found that 30 percent of firewall configurations evaluated violated the institution’s own security policy. Not surprisingly, Redspin offers a tool that can detect and remedy these inadvertent holes. The company pins the industry-wide problem on the fact that most IT administrators have wide-ranging responsibilities rather than network engineering focus. To highlight the issue, the vendor is offering free use of an online version of its analysis tool for the next 90 days, available at www.redspin.com/tools.

Here’s Redspin’s PR. I don’t have any way to verify this report, but it’s also about what I would expect. Administrators are too busy cleaning the CEO’s laptop of its latest viruses to be ensuring their firewalls work.

-jsq

Who’s Liable for Botnets?

Pushpa Sathish thinks end users are responsible for botnets. Referring to a recent root DNS DDoS attack, he says:

If you thought the news above was bad, brace yourself, you’re about to hear worse. YOU may have been responsible in part for the attack! Before you go all indignant on me, let me put it across differently. Your computer may have been one in the millions used by hackers to launch the disruption of service, without your knowledge, of course.

Heard of botnets? They’re the armies of zombie computers that have been taken over and are controlled by hackers to perpetrate other heinous crimes on the Internet. If you do not protect your system with adequate measures such as anti-virus software and sensible Internet usage, you leave your doors (Windows?) wide open to hackers. Your computer then becomes the next link in the chain of systems that form a botnet!

Root Cause for the Root Attack – YOU! Pushpa Sathish, Staff Writer, Network Security Journal, 7 Feb 2007

While no doubt end users should be somewhat careful about what they do, suppose we make an analogy to automobiles. If a car manufacturer sold cars that were easy for joyriders to remotely hijack out of your garage at night and drive around without you ever knowing it, who do you think would be liable? You, or the manufacturer?

Seems to me the most relevant part of the above post is the parenthetical remark:

(Windows?)

When will we see software vendor liability like we already see automobile manufacturer liability? That would be some good risk management.

-jsq

Security Clerks

Bruce Schneier reports on a report:
Most C-level executives view security as an operational issue — kind of like facilities management — and not as a strategic review. As such, they don’t have direct responsibility for security.

Why Management Doesn’t Get IT Security, Bruce Schneier, 8 Nov 2006

Such attitudes about security have caused many organizations to distance their security teams from other parts of the business as well. “Security directors appear to be politically isolated within their companies,” Cavanagh says. Security pros often do not talk to business managers or other departments, he notes, so they don’t have many allies in getting their message across to upper management.

Kicking Some Brass, Tim Wilson, DarkReading, 2 November 2006

Why should executives get involved with directly managing a bunch of clerks over a bunch of stuff? Continue reading