February 2008 Archives

Information Security Management's primary function is to ensure that the risks that may lead to unauthorized alteration or disclosure of information do not exceed an acceptable level.

Mechanisms that we use to achieve that acceptable level consist mainly of controls that can roughly be grouped in policy and technology. Setting the level at which risk is acceptable is not the responsibility of the information security manager.

Information Security Management's responsibility includes ensuring that users are aware of the policies that are in place, and that they know how to use information security technology.

To ensure that policies are followed, and that technology is used properly, information security management also includes the responsibility for preventing, detecting, and investigating breaches of policy, or threats against the technology used to manipulate information.

Anyone who reads my blog should have heard it by now from other sources: full-disk encryption can often be defeated by extracting data from DRAM chips, even after the computer in which they reside has been powered off or put to sleep.

A group of researchers at Princeton University figured out that by cooling the memory modules, their contents decay slower and can be recovered, at least to a substantial degree. If that content happens to contain an encryption key used to decrypt the contents of a hard-drive, the encryption can be defeated by compromising the key.

The Security Catalyst Community is a group of information security practitioners, designed to support those responsible for protecting information by providing a professional, supportive environment in which to ask for help, to foster a culture that welcomes ideas, to share your experiences and insights regardless of your level of experience, and to share your passion and blend your energy with others.

A recent topic (registration required) that sparked my interest is Eliminating Bad Passwords. I think that topic should have been: Eliminating Passwords.

Soldering station?

I am looking for a soldering station for use by an average guy. My primary use will be small HAM radio work, and the occasional fix of consumer electronics. The first place I went to was the website of Radioshack to see what they have for sale. To my surprise, there were only two stations there and both got just about the worst reviews imaginable.

Not having lived in the USA for very long yet, I am a little bit lost. Where do I go to find a decent soldering iron if Radioshack does not sell it? Even harder: where do I go if I want it now?

Looking forward to replies!

Polytechnic ISIS blogs

Polytechnic University students at the Information Systems and Internet Security Lab recently started a new information security blog. While it appears that they have a focus that is a little more hard-core technical than I generally have, I will keep an eye on it in the future.

From the posts at their blog, it does seem like they read a lot of the same stuff that I read.

Welcome to the community!

Knight Rider

Knight Rider.

Tonight, NBC, 9 Eastern (8 Central).

Need I say more?

I am seriously considering to start an informal forum for security people on Long Island to get together regularly and discuss issues that we encounter, and ways that we address them. The goal is to be as open as we can without compromising our companies, and build a level of trust and respect among peer practitioners.

Most of the established security groups, such as ISSA, focus strongly on New York City and its financial services industry, and I believe that having an additional Long Island-centered forum to discuss issues will be beneficial.

If anyone is interested in this, please respond to this message or send me a message. I'd love to talk to you in more detail and see if this is viable.

Educause Security08

I just booked my spot for the Educause Security Conference. I'll be in Virginia from May 4 until May 6, and I'm looking forward to hooking up with peers from around the country. If you are attending the conference, please drop me a note and we'll try to work something out.

Better is worse than good enough

A very insightful man was interviewed on DarkReading.

In a presentation here yesterday, Tippett -- who is vice president of risk intelligence for Verizon Business, chief scientist at ICSA Labs, and the inventor of the program that became Norton Antivirus -- said that about one third of today's security practices are based on outmoded or outdated concepts that don't apply to today's computing environments.

[...]

Tippett also suggested that many security pros waste time trying to buy or invent defenses that are 100 percent secure. "If a product can be cracked, it's sometimes thrown out and considered useless," he observed. "But automobile seatbelts only prevent fatalities about 50 percent of the time. Are they worthless? Security products don't have to be perfect to be helpful in your defense."
Source: Antivirus Inventor: Security Departments Are Wasting Their Time

This article supports my personal motto very strongly: better is worse than good enough. While I have not fully processed the extent of the points made in the article yet, it sits well with me after a first read.


Phishing attacks and user awareness

Like many organizations, we get our fair share of spam and phishing emails. Last week, the Internet Storm Center reported on a phishing attack that seemed to concentrate (mostly) on institutes for higher education in the United States. The same topic was discussed on mailing lists, such as the EDUCAUSE security mailing list and the SANS University Security Operations Group (UNISOG) list.

The fact that .edu's were targeted was confirmed by many schools throughout the USA that had received the phishing emails.

Yet another cable damaged...

Another cable damaged (the fourth one). Interesting write-up on the NANOG mailing list. Four cables in five days?

The Hunt for Red October, anyone?

Botnet hunting

Digital Intelligence and Security Operations Group (DISOG) has an article up on how to start investigating botnets.

The article contains a number of sections:

  • Section 1, the rules of behavior
  • Section 2, Locating binaries
  • Section 3, extracting information
  • Section 4, putting it all together
  • Section 5, moving on

Becoming a Security Expert

The current issue of IEEE Security & Privacy features an article titled Becoming a Security Expert.

In it, the author (Michael Howard, Microsoft) ponders the question: "How do you try to learn security?"

Microsoft wants to buy Yahoo!?!

REDMOND, Wash. -- Feb. 1, 2008 -- Microsoft Corp. (NASDAQ:MSFT) today announced that it has made a proposal to the Yahoo! Inc. (NASDAQ:YHOO) Board of Directors to acquire all the outstanding shares of Yahoo! common stock for per share consideration of $31 representing a total equity value of approximately $44.6 billion. Microsoft's proposal would allow the Yahoo! shareholders to elect to receive cash or a fixed number of shares of Microsoft common stock, with the total consideration payable to Yahoo! shareholders consisting of one-half cash and one-half Microsoft common stock. The offer represents a 62 percent premium above the closing price of Yahoo! common stock on Jan. 31, 2008.
Source: Microsoft Press Release

Now, I don't even know where to start forming an opinion on this.