Archive for August 2004
Get Tough Network Policies Now the Norm
http://tinyurl.com/3uam3
An article from searchwindowssecurity.techtarget.com reports on companies making the effort and taking the PR hits to become more secure. This includes banning users' personal equipment, including home computers, and providing web portals for users to access mail rather than giving them a full VPN connection. The article also talks about endpoint compliance such as that provided by InfoExpress.
The RIAA comes a-knocking
http://www.cybercrime.gov/sarnaPlea.htm
Fox Cable Networks discovered an FTP server on its computer network containing pirated materials. They contacted the Secret Service Electronic Crimes Task Force, which, together with the FBI, investigated the case.
The FTP site was found to contain movies and pirated software. Four system administrators/network admins and a help desk manager pleaded guilty to charges that could lead to a prison sentence of up to one year.
This reminds me of a case posted on the Business Software Alliance website. In that case, it was proven that the company knew about an MP3 server made available to employees. They faced a hefty fine.
A Master In SANS
I got an email last week from SANS stating that they are gauging interest in an MS in Information Security Management or an MS in Information Security Technology Leadership. They don't state any specifics, but it seems clear from the context that they are looking at creating a master's program based around (or completely based on) their SANS conferences and the accompanying certification.
Think about it. You spend one week in the conference. This is equal to the 40 hours of classroom time you might spend in a degree program. You are evaluated in a practical / term paper as well as an exam (in some cases two).
I thought Mary Washington College already offered this sort of degree program. Or at least, I can find a Google mention of it from a few years ago.
I would have probably jumped at this a few years ago. I'm not really a math and programming guy, and I don't always see how that relates to my quasi-role as computer security guru. So a degree based on SANS courses would have sounded too good to be true.
But now my opinion has changed somewhat. I see people getting degrees in networking that consist largely of a Cisco certification. Two to four years to learn to configure a router? To me it's just colleges looking to cash in on the computer boom.
What about the quality of the degree? Sure, it's a fancy-sounding degree title that will likely fool HR, but will it be respected by the guys actually doing the hiring? While I have chosen a tougher road in getting a master's in Computer Science majoring in Information Security, I think it is one that will pay off more in the long run.
Doomed by the Copier
If you're running a networked copier, you've probably already figured out that they can be security nightmares if the manufacturer is clueless. Network copiers are basically appliances designed to allow you to print via the network, run copies, or scan something at the copier and pick it up from your desktop computer. To provide this functionality they often have a full-featured operating system sitting underneath them.
In the first generation of copiers at my company, security wasn't even considered. As a result, we were running a Canon copier which was running Windows NT 4. Its administrator password was blank, and since it was an appliance we weren't supposed to patch it lest the warranty be voided. Needless to say, when Blaster came out, we yelled at the copier tech, who got a patch Canon had released months earlier.
The other copiers, from Toshiba, were running Linux. More secure, right? Not hardly. It's like connecting Red Hat 7.2 to a network: all the services are available and none of them are patched.
We recently upgraded to some new copiers, and it was gratifying to see that the vendor had more of a clue. No longer are all the services network-available by default. One thing I didn't like is that disk wiping was a security add-on. To wipe the drive prior to return you needed to pay more money to the vendor. Who knows how much data is retained on those hard drives that have spooled everything you've printed.
If it can be hooked up to the network, it can be a network security problem.
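The checks the post describes (stock OS underneath the appliance, every service on by default, blank admin password, no patching, no disk wipe before return) can be written down as a fleet baseline and applied to an inventory. The script below is an added example, not code from the original post or any copier vendor; the inventory entries, device names, patch dates and the "expected ports" set are all constructed for illustration.

```python
"""Baseline audit for networked appliances such as copiers and printers.

Added example, not code from the original post. Every device record below is
constructed: names, ports, patch dates and flags are made up to mirror the
situations the post describes.
"""
from __future__ import annotations

from dataclasses import dataclass

# Ports a print/scan appliance plausibly needs on the LAN (assumption for this
# example): 9100 raw printing, 515 LPD, 631 IPP. Anything else is a finding.
EXPECTED_PORTS = {9100, 515, 631}

SEVERITY_RANK = {"info": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass
class Appliance:
    name: str
    embedded_os: str          # general-purpose OS the vendor built the appliance on
    open_ports: frozenset     # TCP services reachable from the office LAN
    admin_password_set: bool  # False: factory blank password still in place
    patch_level: str          # patch date the device is at (YYYY-MM)
    vendor_latest: str        # newest patch the vendor has published (YYYY-MM)
    wipe_available: bool      # drive can be wiped before the unit is returned


def audit(dev: Appliance) -> list[tuple[str, str]]:
    """Return (severity, message) findings for one appliance."""
    findings = []
    extra = sorted(dev.open_ports - EXPECTED_PORTS)
    if extra:
        findings.append(("high", f"services beyond print/scan baseline: {extra}"))
    if not dev.admin_password_set:
        findings.append(("critical", "administrator password is blank"))
    if dev.patch_level < dev.vendor_latest:  # YYYY-MM strings compare chronologically
        findings.append(("high", f"unpatched: at {dev.patch_level}, vendor has {dev.vendor_latest}"))
    if not dev.wipe_available:
        findings.append(("medium", "no disk wipe offered; spooled documents stay on the drive"))
    return findings


def worst_severity(findings: list[tuple[str, str]]) -> str:
    """Highest severity among the findings, or 'info' for a clean device."""
    if not findings:
        return "info"
    return max((sev for sev, _ in findings), key=SEVERITY_RANK.__getitem__)


def audit_fleet(fleet: list[Appliance]) -> dict[str, str]:
    """Map each device name to its worst severity, for a quick fleet view."""
    return {dev.name: worst_severity(audit(dev)) for dev in fleet}


# Constructed fleet: a first-generation copier, an older Linux-based one, a newer unit.
FLEET = [
    Appliance("copier-nt4", "Windows NT 4.0", frozenset({9100, 80, 139, 445}),
              admin_password_set=False, patch_level="2003-04",
              vendor_latest="2003-07", wipe_available=False),
    Appliance("copier-linux", "Linux 2.4 based", frozenset({9100, 515, 21, 23, 111}),
              admin_password_set=True, patch_level="2002-01",
              vendor_latest="2004-06", wipe_available=False),
    Appliance("copier-new", "vendor hardened build", frozenset({9100, 631}),
              admin_password_set=True, patch_level="2004-07",
              vendor_latest="2004-07", wipe_available=True),
]

if __name__ == "__main__":
    for dev in FLEET:
        print(dev.name, "/", dev.embedded_os)
        for sev, msg in audit(dev) or [("info", "no findings")]:
            print(f"  [{sev}] {msg}")
```

The point of keeping `EXPECTED_PORTS` as an explicit allow-list is that an appliance is judged against what it needs to do its job, not against what the vendor happened to leave running; a device that passes every check still gets reviewed when the vendor publishes a newer patch date.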
There are no Secrets
We're installing Microsoft SharePoint as the new company portal. Part of its functionality is to index file shares and allow people to search across them. This had some unintended consequences.
Shoe is On the Other Foot
Normally, I get to be the one scanning for vulnerabilities and asking the sysadmins to fix their problems. Today the shoe was on the other foot. A government customer who has been running Foundstone scans (without asking permission first) approached us with a scan report from July. Each of the items listed was minor at best. They listed two of the items as "critical." What a joke. It's so hard to respond nicely to their demand that we fix our insecurity without telling them exactly why it's not a problem.
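Answering a report like that goes better when the re-rating is written down finding by finding, with the local context the scanner could not see. The script below is an added example, not code from the original post or from Foundstone; the CSV layout, the hosts, the finding titles, the context table and the mitigation notes are all constructed placeholders.

```python
"""Triage a third-party vulnerability scan report before answering it.

Added example, not code from the original post. Everything here is constructed:
the CSV rows mimic a scanner's export (the column layout is an assumption, not a
real tool's format), the hosts are placeholders, and the context and mitigation
tables stand in for what the system owner knows that the scanner does not.
"""
import csv
import io

SEVERITIES = ["info", "low", "medium", "high", "critical"]


def rank(sev: str) -> int:
    return SEVERITIES.index(sev)


def cap(sev: str, ceiling: str) -> str:
    """Never rate above `ceiling`."""
    return sev if rank(sev) <= rank(ceiling) else ceiling


def step_down(sev: str) -> str:
    return SEVERITIES[max(rank(sev) - 1, 0)]


# Constructed scanner export.
REPORT_CSV = """host,port,title,scanner_severity,detection
web1.example.internal,80,HTTP server version disclosed in banner,critical,banner
web1.example.internal,80,Directory listing enabled on /uploads,medium,probe
mail1.example.internal,25,SMTP server supports VRFY,critical,probe
mail1.example.internal,25,SMTP banner reveals software name,low,banner
fw1.example.internal,443,TLS 1.0 offered,medium,probe
"""

# What the system owner knows about each service (constructed).
CONTEXT = {
    ("web1.example.internal", 80): {"internet_exposed": True, "patched_current": True},
    ("mail1.example.internal", 25): {"internet_exposed": True, "patched_current": True},
    ("fw1.example.internal", 443): {"internet_exposed": False, "patched_current": True},
}

# Finding-specific compensating controls already in place (constructed).
MITIGATIONS = {
    ("mail1.example.internal", 25, "SMTP server supports VRFY"):
        "MTA is configured to answer VRFY with a fixed non-committal reply",
}

# Title fragments that mark pure information-disclosure findings.
INFO_ONLY_WORDS = ("banner", "disclos", "reveal")


def triage(row: dict) -> dict:
    """Re-rate one scanner row using local context and record the justification."""
    sev = row["scanner_severity"]
    reasons = []
    key = (row["host"], int(row["port"]))
    ctx = CONTEXT.get(key, {})
    if any(w in row["title"].lower() for w in INFO_ONLY_WORDS):
        sev = cap(sev, "low")
        reasons.append("information disclosure only, not directly exploitable")
    if row["detection"] == "banner" and ctx.get("patched_current"):
        sev = cap(sev, "low")
        reasons.append("banner-based detection; host is at the vendor's current patch level")
    note = MITIGATIONS.get(key + (row["title"],))
    if note:
        sev = cap(sev, "low")
        reasons.append("mitigated: " + note)
    if not ctx.get("internet_exposed", True):
        sev = step_down(sev)
        reasons.append("service not reachable from the Internet")
    if rank(sev) >= rank("medium"):
        disposition = "fix"
    elif sev == "low":
        disposition = "accept and document"
    else:
        disposition = "no action"
    return {**row, "our_severity": sev, "disposition": disposition,
            "justification": "; ".join(reasons) or "scanner rating stands"}


def triage_report(text: str) -> list:
    return [triage(r) for r in csv.DictReader(io.StringIO(text))]


def dispositions(text: str) -> dict:
    """Title -> disposition, for a quick reply summary."""
    return {r["title"]: r["disposition"] for r in triage_report(text)}


if __name__ == "__main__":
    for r in triage_report(REPORT_CSV):
        print(f"{r['host']}:{r['port']} {r['title']}: scanner={r['scanner_severity']} "
              f"ours={r['our_severity']} -> {r['disposition']} ({r['justification']})")
```

Two of the constructed "critical" rows end up at "low" with a written reason, while the directory-listing row stays at "fix" because no rule applies to it; a reply built from the `justification` column says why each item is or is not a problem instead of just disputing the scanner's label.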
Friends Don’t Let Friends use MS VM
I'm taking an online class in an Information Security master's program. One of the classes this fall is using a program called Tegrity to broadcast recordings of course lectures. The problem is that the program requires the use of the Microsoft Virtual Machine. The Microsoft VM is rather buggy, and not a lot of development goes into it. The only reason it is supported at all right now is because MS paid Sun a billion dollars. The current version of the Tegrity program doesn't have this problem. It uses the Sun JVM, which incidentally makes it available with more operating systems and browsers.
I went ahead and bit the bullet and installed the MS VM. They didn’t bother telling me they were installing a vulnerable version. It installed build 3805. I let SMS update me to build 3810 when I got to the office the next day.
You'd think an information security program of study wouldn't require me to install insecure software.
We’re Doomed I tell ya
Andrew Briney writes on the last page of this month's Information Security Mag about flipping coins. In flipping a coin, he writes, "history has no impact on the future". (Side note: when something has an impact, I generally think of a violent collision. I think he means effect. Or is that affect?) Because of that, he concludes that just because there hasn't been a global Internet catastrophe yet, that doesn't mean one isn't right around the corner.
Andrew then runs through the Internet destruction idea of the day and how it would ruin all of our lives and plunge America into a third world country, soon to be followed by invading Chinese tanks. You see, the Chinese economy is not as dependent on the Internet, so they will be ready... Oh wait, I've gotten off track. That was the Y2K fear mongering. I'm getting that confused with the coming global Internet super-storm, soon to be portrayed in a book by Whitley Strieber, Art Bell and Richard Clarke.
His writing would be nice if the security industry was populated with a bunch of head-in-the-sanders. But it's not. We can't go five minutes without hearing predictions of doom. Doom is big business. It's what sells IT security. It's what a Winntmag columnist called the booga-booga factor. So before you try to sell me on the end of the world as we know it, come up with more than the "inevitable doom" doctrine and a fanciful theory on how it will happen. You've got to argue against all the fakes and charlatans on your side who tell me the economy will melt down and we will all die if we can't dial into AOL or if the ATM is down for half an hour.
CA purchases Pestpatrol
http://www3.ca.com/Press/pressrelease.asp?CID=61871
Computer Associates, the collector of software companies, has purchased PestPatrol. PestPatrol was most recently in the news for providing a spyware plugin for the Yahoo toolbar, but conveniently turning off the detection for Claria (Gator), which provides a large portion of Yahoo's income.
PestPatrol has also released a first-generation corporate anti-spyware scanner that has an interface resembling a high schooler's C++ final project.