April 2008 Archives

For those of us in higher education: do not forget that the EDUCAUSE/Internet2 Security Professionals Conference starts this Sunday (May 3). If anyone is going and would like to meet up, please drop me a note! I'll be getting in Saturday evening around 8pm or so.

Trust, but verify

Someone asked me today if I had contacts in Law Enforcement in The Netherlands. As a matter of fact, I do. The guy (who I only know by his online alias, and "met" only once) wanted me to contact them so I could inform them of a warez site that he knew about, and of a web site that was defaced by the person who operates that site.

However, when I asked him for some evidence to back up his claims, he went quiet. All he told me was that he "knew about, but was not connected to" the site that was defaced. Obviously, it ended right there for me.

It does make you wonder: why would anyone think that I would go to anyone (let alone a law enforcement officer) with a message like: hey, this guy I have never met, and have no idea who he really is, would like you to crack down on a site that he claims hosts illegal material, but for which he cannot provide any corroborating evidence?

Uhuh.

Information security framework

A 0day with an automatic discovery and dissemination tool shouldn't be a surprise to anyone. The fact that it's hit hundreds of thousands of sites in less than a couple of weeks is slightly surprising, though it mainly means that the bad guys are moving fast. Is this just the next step in Internet security, where we have new 0day vulnerabilities sweeping through web servers on a regular basis?
Source: Network Security Blog
Observations like this confirm once more that the bad guys are increasingly focusing on OSI layer 7 and above. A firewall to keep unwanted traffic out, and an IDS (or an IPS, if you prefer) to make sure the firewall is doing its job, should not be ignored, but they are no longer sufficient on their own.

Embedded intelligence


xkcd has an excellent comic up today. The title is Zealous Autoconfig. Here it is:

[image: xkcd comic "Zealous Autoconfig"]

Please respect their license.

I ran into a problem yesterday with my Windows installation. This laptop is not part of an Active Directory domain, has the Administrator account disabled, and has only one other local account with local Administrator privileges, so it was a real problem when Windows informed me that my account had expired.

Be careful with what you leave behind

One of my responsibilities is security awareness training, and I am currently in the process of establishing a baseline. This will allow me to evaluate the effectiveness of any future efforts that I am going to develop. Whenever you embark on something like implementing a new program, make sure that you establish baselines. Without them, you will have no way to evaluate the effectiveness of your efforts. But, I digress.

Today I re-confirmed that most attacks against IT infrastructure are just too easy to pull off when the attacker targets the users rather than the technology. I did an experiment using low-tech methods.

Vulnerability notifications?

Interesting.

ESI is running an article about a potential information disclosure at Southern Connecticut State University.

Southern Connecticut State University has alerted current and former students after a review of a university web site discovered a vulnerability that could have allowed an unauthorized individual access to personal information. During a recent review of a web server, the university discovered that unauthorized individuals could have had access to applications for graduation dating back to 2002.
Source: ESI press release

What I find interesting in this is that the university chose to notify students, while there does not seem to be proof of a disclosure, just a vulnerability that could potentially have been abused. All affected students (past and current) are offered two years of credit watch.

Gunnar Peterson has a brief post up on the two most important rules in information security:

1) Protect your assets
2) See rule 1

I would like to add a rule 0 to that:

0) Do not store what you do not use

I know this is just about as perpendicular to the data warehousing approach that many organizations are taking, but face it: if you don't have it, you don't have to secure it.

Having said this, it is ignorant to assume that protection equals prevention; any organization should also plan for failure, in addition to protecting its essential assets.

PS: I am not accusing Gunnar Peterson of being ignorant :-) Unlike many others, he seems to include prevention in protection.

Some students get it...

Wesley McGrew has been posting recently about a capture-the-flag event he is organizing for his students. I am currently gathering my notes to teach an introductory computer security class in Fall, and I am also considering a similar event at the end of the semester. Not only is capture the flag fun to play, it is also a very eye-opening experience when you are able to truly hack into your first box.

One of the most important lessons an information security professional must learn is that users are the weakest link in the defense of your organization's information assets. No matter how good your technical controls are, if your users are uninformed (or outright malicious), your protection will fail.

Planning for failure

Martin and Rich did a bunch of micro podcasts at the RSA conference last week. The latest episode features David Mortman of Echelon One. The point that they are making is that organizations need to accept that security measures will fail.

I am from The Netherlands, which would be 65% below sea level if it were not for some fancy engineering. After a catastrophic flood in 1953, we embarked on a large-scale water-management project called The Delta Works. As a nation, we are fairly good at water management; most of the large-scale water projects world-wide are done by Dutch engineers.

A new type of nomads...

The Economist has a special topic on Mobile Telecoms this week. In the article Our nomadic future (Economist, April 12th--18th 2008, page 16) the author makes an interesting point. He postulates that by providing knowledge workers with mobile connectivity wherever they are, whenever they want, our society is reverting back to nomadism. "The emerging class of digital nomads also wander, but they take virtually nothing with them; wherever they go, they can easily reach people and information."

While mobile connectivity might seem like just an additional channel, nobody would have believed that "Traffic patterns are beginning to change again: the rush hours at 9am and 5pm are giving way to more varied "daisy-chain" patterns, with people going backwards and forwards between the office, home, and all sorts of other places throughout the day".

Code review can only do so much...

I am involved in the development of the Application for Incident Response Teams (AIRT). AIRT is GNU GPL-licensed Free and Open Source Software that is designed to do one very specific task very well: to support computer security incident response teams (CSIRTs) in the bureaucratic aspects of incident response.

AIRT allows CSIRTs to receive incident reports, extract the relevant information from them, create incident tickets, follow the process flow of handling the tickets, and communicate with the teams that are handling the incidents, or track incident handlers. A lot of AIRT's development is directly influenced by SURFcert, the Dutch National Research and Education Network's CSIRT.

Taking notes


I broke down today.

No, I did not go out and buy an iPhone, or something like that. Triggered by Steve's positive comments, I got in the car and drove to the nearest Barnes & Noble book store to buy a Moleskine notebook.

Two, as a matter of fact.

Incident Management

Sometimes the stars are aligned so poorly that the only thing that might work is sacrificing a chicken. Since most of us are not in the habit of doing that, we will be confronted with situations where things take a turn for the worse. When the proverbial excrement hits the fan, it is important to know what your role is. Do we need to play an active role, or do we need to step back and let the professionals handle the situation? The answer is probably somewhere in the middle.

Capture the flag is fun!

I just played the "Capture the flag" game as part of the SANS Security 504 class. Finding the solution was a lot of fun, and I did not think I would enjoy it as much as I did. The question remains: how close is capture the flag to real (white hat) penetration testing? This particular exercise was not that hard to solve, and I find it hard to believe that the "real world" has as many coincidences as the Virtual Lab does.

Ethics

IT departments often are the largest professional service department of an organization. They provide very valuable services, and users often have a lot of confidence in our abilities to deliver. They trust us to look after their systems and data to the best of our abilities.

IT departments should be constantly growing in their role as responsible service providers. As part of this growth, we want to share with the rest of the community that we are proud of what we do. We do a lot, and what we do, we do well.

For an IT group to look after one hundred systems or more is not unusual. Some of those systems are of critical importance to at least some part of the organization. Most of them impact the company as a whole. We provide a service at a high level of professionalism.