According to FCW, the Air Force Air Combat Command is going to implement the Anixis Password Policy Enforcer. I’m a big fan of Anixis Password Policy Enforcer and recommend its use in AD environments for more granular password security requirements.
With native password enforcement in Microsoft, you basically have one option: on or off. You can’t make the requirements granular. They must apply to all. With third-party software such as Anixis, you can apply password policy to an OU, security group or individual account. The password complexity options are greater as well. If you use client software, you can provide an accurate error message telling the user why their password was rejected. Natively, Windows can only recite the full policy, which does not help the user select a better password.
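To make the two ideas above concrete (policy assigned per account, group or OU, and a rejection message that names only the failed rules), here is an added sketch in Python. It is not Anixis code and not from the original post; the policy names, sample assignments and the account-then-group-then-OU precedence are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    min_length: int
    required_classes: int  # how many of the four character types are needed
    forbid_username: bool = True

# Constructed sample assignments (hypothetical names, not a real directory).
USER_POLICIES = {"svc-backup": Policy("service-accounts", 20, 3)}
GROUP_POLICIES = {"Domain Admins": Policy("admins", 15, 4)}
OU_POLICIES = {"OU=Staff,DC=example,DC=test": Policy("staff", 10, 3)}
DEFAULT_POLICY = Policy("domain-default", 8, 3)

def resolve_policy(user, groups, ou):
    """Assumed precedence: account, then group, then OU, then the default."""
    if user in USER_POLICIES:
        return USER_POLICIES[user]
    matches = [GROUP_POLICIES[g] for g in groups if g in GROUP_POLICIES]
    if matches:
        # Several group policies may match; apply the strictest one.
        return max(matches, key=lambda p: (p.min_length, p.required_classes))
    return OU_POLICIES.get(ou, DEFAULT_POLICY)

CLASSES = {"lowercase letter": r"[a-z]", "uppercase letter": r"[A-Z]",
           "digit": r"[0-9]", "symbol": r"[^A-Za-z0-9]"}

def rejection_reasons(password, user, policy):
    """Return only the rules this password fails, not the whole policy."""
    reasons = []
    if len(password) < policy.min_length:
        reasons.append(f"too short: {len(password)} characters, "
                       f"need {policy.min_length}")
    missing = [n for n, rx in CLASSES.items() if not re.search(rx, password)]
    have = len(CLASSES) - len(missing)
    if have < policy.required_classes:
        reasons.append(f"uses {have} character types, need "
                       f"{policy.required_classes}; add one of: "
                       f"{', '.join(missing)}")
    if policy.forbid_username and user.lower() in password.lower():
        reasons.append("contains the account name")
    return reasons
```

An empty list means the password is accepted under the resolved policy; anything else is the text a client could show the user.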
Archive for September 2006
Air Force Implements Anixis PPE
Chase Credit Card Tape Loss
Chase Circuit City has joined the lost Personally Identifying Information club.
“Chase Card Services is notifying some current and former Circuit City credit card account holders that computer tapes containing their personal information were mistakenly identified as trash and thrown out. If your personal information was included on the tapes, you will be notified by mail.
No other credit card and bank accounts were affected by this.
Working closely with federal and local law enforcement, we conducted a thorough investigation and we believe that the tapes were compacted, destroyed and are buried in a landfill.
We have not identified any misuse of personal information connected to this incident. We will continue to closely monitor affected accounts.”
Link: Security Pro Pleads Guilty to USC Breach
Security Pro Pleads Guilty to USC Breach
So this guy finds a SQL injection attack, verifies it, reports it and gets charged with computer hacking. Not the first time this has happened. But kind of a stark reminder.
I think people who find and publicize vulnerabilities in software products do much more damage.
This so-called researcher (the USC hacker, not Moore), embarrassed the university so they took him down. In the article it says he is responsible for paying back $38k worth of damage.
Wow!
Thomas Shinder’s Anti-Bluecoat Rant
Thomas Shinder attempted to rebut a Bluecoat webcast in this blog entry from February. In their webcast, Bluecoat apparently presented the results of a report from Broadband-Testing comparing ISA and Bluecoat in the area of HTTP security. Mr. Shinder clearly has a dog in the fight since he apparently makes his living writing ISA books, as an MVP in ISA, and moderating on isaserver.org. Looking at his other posts, he really has it in for Bluecoat. I’m not sure why.
I have used ISA 2000 and 2004 and am currently testing a Bluecoat appliance. I have read the Broadband-Testing document and I’ve probably seen the webinar he references.
Let’s take it by the numbers. According to Shinder, Bluecoat asserts:
1. Bluecoat is more secure because it’s built on the SGOS rather than a Windows OS that needs constant patching.
I would say the SGOS is security through obscurity. However, it’s not going to be used as a firewall, so it shouldn’t be held to the same standard as ISA. The bottom line, however, is that with ISA you could be patching the OS monthly. Not so with Bluecoat.
2. ISA can’t content inspect SSL traffic
Here, Shinder knows what they are talking about but misdirects the issue into that of content inspection of traffic that is reverse proxied (external to internal). The real issue is that if I’m behind an ISA firewall, my SSL traffic goes straight out. Bluecoat can play man in the middle and intercept SSL traffic and perform content inspection and antivirus. This becomes important as more and more traffic is sent over SSL.
From another one of Shinder’s articles it does appear that there is an add-on product for ISA that would compete with Bluecoat in this area.
3. ISA is unable to manage P2P and IM
Shinder answers as if the issue is blocking P2P. The idea is to manage it. Does Bluecoat do as good a job as Akonix, Symantec, et al? No they don’t, but they certainly do more than ISA.
4. ISA has limited access control
I’m not really qualified to compare the depth and breadth of access control options. I think ISA’s control options are geared to the firewall, not to HTTP controls.
5. Performance
Shinder attacks the external study claiming the ISA server must have been mis-configured to attain such results.
The bottom line for me is that ISA works great at protecting OWA servers and allowing remote employees to access email. However, it’s not a great HTTP security system without a bunch of add-ons. Those add-ons just ultimately create a kludge rather than a solution.
Check out the comments from Shinder’s post. It’s hard to tell who is actually the 18-year-old kid: the commenter named anti-Shinder or Shinder himself.
Spammer using Word to hide
McAfee’s AVERT blog reports that they have seen SPAM emails using Microsoft Word documents.
johnny cache speaks
The people who believe in full disclosure of Microsoft bugs continue to attack en masse Johnny Cache, presenter of the Mac and Intel wireless bug.
Johnny Cache posted a response to the Daily Dave list here.

