General: June 2005 Archives

The latest issue of SANS Newsbites has some editorial comments from Stephen Northcutt that could use some examining. Northcutt comments on MGM Studios Inc. v. Grokster by saying, "So a gun company can produce a 'Saturday Night Special' under the law but Grokster has 'unlawful intent'."

First of all, so-called Saturday Night Specials are a fiction. The term is a misnomer used by anti-gun advocates for cheap guns. Anti-gun advocates want to make cheap guns unavailable. That would make it impossible for people with lower incomes to protect themselves, and if they reduce the overall gun-owner population it will be easier to remove the right to bear arms.

Second of all, anti-gun advocates have largely been successful in that campaign. Saturday Night Specials don't exist.

Third, gun rights are protected by the Bill of Rights. Stealing other people's work is not.

Fourth, the primary purpose of a gun is legal, i.e., hunting, target shooting, and self-protection. The primary purpose of Grokster was not legal.

Fifth, look at the case law. In the Betamax case, Betamax VCRs were allowed because their primary purpose is legal.

You can't look at these cases without considering the primary purpose of the device.

The court unanimously held that peer-to-peer file sharing services will be held liable for the copyright infringement of their customers if the file sharing services affirmatively promote infringement. Since you can't make the claim that gun makers affirmatively promote murder, the comparison is not valid at all.

Telephone and Internet service to 100k New Zealand customers was knocked offline on Monday and the Kiwi stock market had to close early. All because some ditch diggers took out one service pipeline and some rats took out the other.

There is no word on whether or not Richard Clarke has called this a Digital Pearl Harbor.

I just noticed that the Google Toolbar has an Enterprise version. Google's always coming up with these new things and hiding them.

I guess the slogan should be "Google Toolbar, now with 30% less evil." With this new version, you can encrypt the local index (using EFS), restrict the file types that get indexed, disable auto-updates, and disable the anonymous reporting back. All of this can be done using a provided ADM file and tattooing the registry via Group Policy.

It sounds pretty neat. It can also integrate with the Google Enterprise appliance if you have one of those. I wonder if it could be made to submit queries to the SharePoint search as well.

Makes me want to check on what Microsoft is up to with their MSN Search tool. They bought Lookout a while back. As far as I know that tool is still geared toward end users.

I couldn't help but think of the Southwest Airlines commercial with the tagline "it is now safe to move around the country" when I saw a Cisco commercial titled "The Hypochondriac." One guy is cleaning his computer with a spray as another guy walks up and asks, "Did you get my email attachment?" The hypochondriac says that he did, but he didn't open it out of fear of viruses. The first guy says it's OK because the message was sent on our network and our network is self-defending.

I can imagine the response to this commercial. A lot of security effort is spent convincing users not to click on every random thing that comes along, and here Cisco is undoing that education with its marketing.

Part of me agrees with that, but the other part of me says it's about time someone restored usability to the network.

Bruce Schneier writes today about a Ben & Jerry's pint ice cream lock.

Brilliant. Does anyone know of a Pepsi lock? At work we have a bit of a problem with people stealing soda out of the fridge.

P.S. If anyone is going to do a fake security bulletin about how to defeat the ice cream lock, don't make it look like a mi2g release. They'll start chimping. If you're a security geek and haven't read the Wendy's drive-through order vulnerability notice, go read it now. (It is not finger related.)

The Washington Post has an article on the real threats to password security.

People stealing the password database
People writing their password down
Keystroke loggers
Phishers
Social engineers
Password reset websites

The writer argues that traditional password policy makes the problem worse instead of better.

In the face of tight budgets, we need to make sure the money is spent on what is important. I think HIPS and security education should be at the top of that list.

It is well documented that the best security dollar you can spend is on user education. Security awareness training has gone from being a good idea, to being a best practice, to being required by contracts entered into with our customers, to being required by law. By creating an informed user base, the users become our security watchdog instead of our security nemesis. I conclude that technology alone is not the solution to computer security. At root it is a human problem.

HIPS (Host-based Intrusion Prevention System) is an up-and-coming method of proactively defending endpoint computers. Rather than relying on patching and antivirus alone, software is placed on the system that disallows specific activity. For example, we could either block or prompt the user when something tries to set itself to run automatically after every reboot. It also attempts to block exploitation of vulnerabilities. By taking away the need to patch immediately on the second Tuesday of every month, the risk to our systems would be lower.
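To make the "run automatically after every reboot" check concrete, here is an added example (not code from the original post or from any HIPS product) of the detection half of that behaviour: snapshot the Windows Run keys, then flag any autorun entry that was added or changed since a known-good baseline. It assumes the two standard `HKCU`/`HKLM` `...\CurrentVersion\Run` keys as the watched locations and uses the `winreg` module for a live read on Windows; the baseline and current snapshots embedded below are constructed sample data so the module runs offline on any platform.

```python
"""Snapshot-and-diff check for Windows autorun (Run key) persistence.

Added example: the "prompt when something registers itself to start at
boot" check described above, as detection logic a HIPS-style agent runs.
Assumption: the two standard Run keys are the watched autostart locations.
"""
import sys
from typing import Dict, List, Tuple

# hive label -> registry path of the autostart key being watched.
# Assumption: standard Run keys only; a real agent would also cover RunOnce,
# services, scheduled tasks and the Startup folder.
RUN_KEYS = (
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
)

# A snapshot maps "HIVE\path" -> {value name: command line}.
Snapshot = Dict[str, Dict[str, str]]
Finding = Tuple[str, str, str, str]  # (kind, key, value name, command)


def read_run_keys() -> Snapshot:
    """Read the live Run keys. Windows only; returns {} elsewhere so the
    diff logic below stays runnable offline."""
    if sys.platform != "win32":
        return {}
    import winreg  # standard library, present only on Windows

    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    snap: Snapshot = {}
    for hive_name, path in RUN_KEYS:
        entries: Dict[str, str] = {}
        try:
            with winreg.OpenKey(hives[hive_name], path) as key:
                index = 0
                while True:
                    try:
                        name, value, _type = winreg.EnumValue(key, index)
                    except OSError:  # no more values
                        break
                    entries[name] = str(value)
                    index += 1
        except OSError:  # key missing or not readable
            pass
        snap[f"{hive_name}\\{path}"] = entries
    return snap


def diff_autoruns(baseline: Snapshot, current: Snapshot) -> List[Finding]:
    """Return every autorun entry that is new or whose command changed.

    Removed entries are ignored: the interesting event for a HIPS prompt is
    something registering itself to start at boot, not something leaving.
    """
    findings: List[Finding] = []
    for key, entries in current.items():
        old = baseline.get(key, {})
        for name, cmd in entries.items():
            if name not in old:
                findings.append(("added", key, name, cmd))
            elif old[name] != cmd:
                findings.append(("changed", key, name, cmd))
    return findings


# Constructed sample snapshots (not taken from a real machine).
HKCU_RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
HKLM_RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

BASELINE_SAMPLE: Snapshot = {
    HKCU_RUN: {"ExampleSync": r"C:\Program Files\ExampleSync\sync.exe /tray"},
    HKLM_RUN: {"ExampleAV": r"C:\Program Files\ExampleAV\avtray.exe"},
}
CURRENT_SAMPLE: Snapshot = {
    HKCU_RUN: {
        "ExampleSync": r"C:\Program Files\ExampleSync\sync.exe /tray",
        "Updater": r"C:\Users\alice\Local Settings\Temp\updater.exe",  # new entry
    },
    HKLM_RUN: {"ExampleAV": r"C:\Program Files\ExampleAV\avtray.exe /silent"},  # changed
}


def demo_findings() -> List[Finding]:
    """Run the diff over the constructed samples."""
    return diff_autoruns(BASELINE_SAMPLE, CURRENT_SAMPLE)


if __name__ == "__main__":
    live = read_run_keys()
    # On Windows this compares the live keys against the sample baseline;
    # elsewhere it falls back to the constructed samples.
    for finding in diff_autoruns(BASELINE_SAMPLE, live) if live else demo_findings():
        print("autorun %s: %s\\%s = %s" % finding)
```

On a real host the baseline would be taken right after a clean build and stored somewhere the user cannot modify; each finding is the point at which a HIPS agent would either prompt the user or block the write, which is the behaviour the paragraph above describes.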

Without HIPS and without user education, we are reduced to four main defensive mechanisms:
1. Patch like mad and update antivirus like mad.
2. Implement more antivirus. Don't just have a multi-layered email defense. Have a multi-layered IM defense, a multi-layered HTTP defense, a multi-layered ICQ defense, a multi-layered FTP defense, a multi-layered NNTP defense. Basically every major protocol would need this. Perhaps a Fortinet antivirus firewall or the Cisco IDS with Trend Micro would provide a more all-in-one solution.
3. Implement common mitigation strategies such as taking away people's local admin permissions and placing firewalls between internal network segments.
4. Pray.

Remember last fall the Kryptonite lock and the pen cap that opened it? Now they've gone through legal wrangling. There is a site http://www.kryptonitesettlement.com with the notice of settlement.

I got word on Saturday that I passed the CISSP exam that I took last week. All that is left now is getting a current CISSP to sign the form verifying my experience and also writing up a resume to turn in for this. Once this is sent in, there may be an audit. I should officially be a CISSP soon. It's nice to have passed the major hurdle of the test itself.

I went over to a co-worker's place today to take a look at a virus issue on his computer. The viruses were rather pernicious. Every time you'd run another scan it would find some more. I finally got it to a point where I didn't see any remaining viruses. Fingers crossed.

The scary thing about this computer is that it hadn't been patched since the Clinton administration and it was directly connected to a broadband connection. I went ahead and got him set up with XP SP2, upgraded his SAV and installed Microsoft AntiSpyware. That and turning on the XP firewall should hold off further infection. Oh, and auto-updating on the patches.

Last week a vulnerability was announced in the web interface for LISTSERV. If you run L-Soft LISTSERV with a publicly available web interface, you should be looking at patches.

http://www.lsoft.com/news/securityadvisory2005-05.asp
http://www.securityfocus.com/archive/1/398919/2005-05-23/2005-05-29/0

Unlike some vendors who provide customers with long support windows and support older versions, you will have to upgrade to the latest version of LISTSERV to be able to patch.

The risk from this vulnerability can be somewhat mitigated by restricting who can reach the web interface by IP address.