May 05, 2004

Bot-ting In

http://news.com.com/2100-7349-5202236.html?tag=cd.top

In a scenario eerily reminiscent of Invasion of the Body Snatchers, security experts are concerned that bots, small programs which are downloaded stealthily and reside on computers until activated, form a greater security threat than the high-profile exploits dominating the current news. The range of damage a bot can do is extensive, from the classic Denial Of Service attack to information espionage on infected systems.

The article discusses a new bot variant which represents an upgrade of an established bot, incorporating public information about a long-standing Windows security vulnerability. As the article makes plain, the first sign that something is going wrong may come long after our harbour has been pearled.

More details about this bot variant, with links to diagnostic and remediation tools and further background, can be found here:

http://www.esecurityplanet.com/alerts/article.php/3347331

Posted by jho at 07:21 PM | Comments (20)

Holding The Hot Spam Potato

http://www.informit.com/articles/article.asp?p=170852

Solutions and issues relating to spam have been covered in this blog already, but here is a novel take on the subject. Starting with the premise that most of the badness we now experience on the InterNet stems from permanently connected SOHO systems [itself something demanding of proof], the author suggests that the owners of such systems be held legally responsible. Should that happen, those who are not motivated to use protection when computing would have some reason to do so. Whatever one thinks of the merits of this argument, it certainly could form an interesting discussion point in any class dealing with social responsibility and computing.

Posted by jho at 06:36 PM | Comments (3)

Avoiding Vulnerability

http://www.knowledgestorm.com/collateral/WTP/50209_58306_99422_QualysYankee.pdf

Static security planning simply is not adequate to today's level of threats, as the 'Sasser' worm so brutally highlights. The indexed white paper "Dynamic Best Practices of Vulnerability Management" explains that continuous vulnerability management has become an operational necessity, and gives some hints and tips on how to proceed. This is useful practical advice, as well as serving as a good base for security teaching.

An extensive white paper on "Protecting Databases" is available here:

http://www.knowledgestorm.com/collateral/WTP/48986_84494_44122_Protecting_Databases.pdf

making the crucial point that it is not enough to protect the security perimeter -- protecting data at the source also has to be implemented, and the paper shows how to get started at this.

Posted by jho at 11:37 AM | Comments (0)

April 29, 2004

Stuffing Software Holes

http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss366_art684,00.html

A commonly accepted explanation for security problems is poorly written software, whether application or operating system. This article discusses 7 major trends in software development, many of which have security implications:

1. Disappearance of Bloated Operating Systems: Microsoft's 'kitchen sink' approach to operating systems has shown its vulnerability both legally and technically; a simple OS is a safer OS.
2. Evolution of Components and Objects: will allow security elements to be seamlessly integrated into applications, but will also increase the risks of penetration.
3. Rise of Mobile Code: will continue to cause security headaches.
4. Normalization of Distributed Computation: increases complexity, thus increasing exploit risks both logically and geographically.
5. Proliferation of Embedded Systems: PDAs have the organizational security potential of a hand grenade, though location-specific security applications may help here.
6. Mass Adoption of Wireless Networks: represent the major challenge to organizational security.
7. Change in Payment Models: Giving digital content economic value makes it impossible to defend.

While many of these factors have negative implications for security, the fact that they tend toward specialized solutions in each application environment means that future security exploits will not be as widespread as at present. But when they do happen, they will cut much deeper.

A related article discusses the problems inherent in complexity, connectivity, and extensibility as these relate to current software:

http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss366_art689,00.html

I have known for some time that operating system code has increased in complexity [I remember the DOS days well], but the chart showing that the number of code lines in Windows OS has metastasized from 3 million to 50 million lines in 15 years is a vivid and arresting image!

Posted by jho at 10:29 AM | Comments (4)

Getting What You Want?

http://news.com.com/2100-7343-5194756.html

Problems with Digital Rights Management have been touched on in this blog before, indicating the degree to which I felt it was A Bad Thing And A Bad King. The indexed article suggests that while corporations may feel attracted to DRM, in fact there are a host of practical and technical difficulties which must be overcome. In this case [just like in copy protection], the only people really affected are the honest users, who are crimped in their ability to do things, while the bad guys simply overpower the protection and move on.

One point deserving additional stress mentioned in the article: corporate interest in DRM tends to intensify when a high executive is embarrassed by leaked information. Of course, the suggestion that such embarrassment is more easily avoided, and with greater social benefit, by simply refraining from the behaviour in the first place is simply too, too silly for words.

Posted by jho at 09:02 AM | Comments (3)

April 28, 2004

A Matter Of FAQ

http://securityadmin.info/faq.asp

A searchable, filterable FAQ on Microsoft Security, with the default showing the top frequently asked questions. A sidebar lists over a dozen subsections of the FAQ base, along with management and contact tools, plus links and a way to view the entire FAQ contents.

Since the FAQs provide links to both home and business content, they can serve as a most useful source of information generally, as well as, perhaps, inspiring one or more laboratory exercises or case studies.

Posted by jho at 09:23 PM | Comments (2)

April 27, 2004

All Your Vulnerability Base Are Belong To Us

http://www.osvdb.org/

This is the Open Source Vulnerability Database, which aims to catalogue publicly known security vulnerabilities. The home page shows the most recent entries which have been verified [two of these, for example, were dated the same day as this post]. The database can be browsed and searched, and documentation and FAQ are available from the home page.

Posted by jho at 08:22 AM | Comments (12)

April 22, 2004

PKIng At Problems

http://www.schneier.com/paper-pki.html

Public Key Infrastructure is one of the more mind-deadening things to teach in a security curriculum -- it is just rather hard to interest students about this concept, perhaps not least because there is some disagreement in the IT field itself about how and whether to use it. Here is a white paper: "Ten Risks of PKI: What You're Not Being Told About Public Key Infrastructure", which suggests that the benefits of PKI have been oversold, which could be a useful starting point for some more interesting discussions on this subject.

Posted by jho at 09:59 PM | Comments (5)

Ubiquity's Hidden Dangers

http://www.csoonline.com/read/040104/networks.html

We tend to think of the network as a collection of computers, perhaps extending the term to certain specialized devices like printers and plotters. But as this article points out, we increasingly are supplying IP addresses to devices which are not even remotely characterizable as computers, and the significant security problems which result are addressed at length. Not least of the problem is the explosion in numbers of linked devices, which could reach into the trillions by the end of this decade.

Which suggests, as indicated in this blog before, that we will need IPv6 after all!

Posted by jho at 11:48 AM | Comments (3)

Glazing The Pores

http://www.ecommercetimes.com/perl/story/security/33344.html

Problems relating to InterNet security have become bromidic commonplaces, and have been mentioned earlier in this blog. This article addresses the threats inherent in the Net being built on foundations which were never designed with security in mind, and what must be done to remedy this situation.

Another article, looking at a current TCP flaw which could lead to connection shutdowns, concludes that the vulnerability is real but can be easily countered, and is in fact in the process of being patched:

http://internetweek.com/security02/showArticle.jhtml?articleID=18902471

Posted by jho at 11:21 AM | Comments (9)

Holding The Potato

http://www.nwfusion.com/news/2004/0405cybersecurity.html

The standard riposte of the IT industry to security problems has been to hold the customer responsible. The weakness of this position [which, compared with any other area of product liability, is a glaring exception] is beginning to be evident to many. The National Cyber Security Partnership has issued a report, summarized by this article, suggesting that government has a role in implementing incentives for industry to develop more secure software. Sounds good to me!

A sidebar indexes the NCSP site and some of the reports they offer, and additional articles and resources are provided at the end of the article.

Posted by jho at 08:56 AM | Comments (2)

Avoiding The Main Frame

http://www.darwinmag.com/read/030104/mainframe.html

Mainframes have been mentioned occasionally in this blog, because they are still important players in the IT environment, and are also often the server centerpiece of a network. As this article indicates, mainframes have particular security problems, most of which relate to their relative age. The article also suggests solutions -- there is definitely scope for hope here, but the problem must be realized first.

Posted by jho at 08:49 AM | Comments (2)

April 20, 2004

The Password Is "Chocolate"

http://news.bbc.co.uk/1/hi/technology/3639679.stm

Link to a short article [with lots of interesting commentary appended] about a couple of surveys on passwords, which indicated that 70% of those in the survey would reveal their password for a chocolate bar. Beneath the surface humour is a serious point: that many of our security activities set themselves up for failure because they simply don't take human nature into consideration. With attacker threats becoming so severe and the value of defended assets so great, I think it comes close to professionally irresponsible for those in the IT field to keep on pushing the same tired solutions which have been repeatedly shown as inadequate.

Besides, if somebody offered me a 6-pack of LINDT Cognac-filled bars....

Posted by jho at 02:05 PM | Comments (2)

April 08, 2004

The Grail Of OS Security

http://www.technewsworld.com/perl/story/33293.html

Article reporting that in response to a security consultancy's claim that "the world's safest and most secure online server operating system is proving to be the Open Source family of BSD (Berkeley Software Distribution) and the Mac OS X based on Darwin.", an industry analyst says that such judgements are scarcely meaningful. The human element contributes to half of all security breaches, and this remains constant across operating systems. The real point being pushed here is that it is not the OS, but aspects of scale relating to connectivity which cause the problems.

In other words, if OS X and Windows were to invert their market shares, OS X would be the operating system experiencing vulnerability assaults. Far from allowing us to ignore the OS as a factor in all of this, as mentioned earlier in this blog, I would say the OS has to be front and centre as part of the analysis.

Posted by jho at 07:30 PM | Comments (2)

April 07, 2004

Safe Transfer

http://whitepapers.comdex.com/data/detail?id=1080147941_867&type=RES&src=KA_RES_20040331

While the importance of file transfer in many aspects of organizational operation across the InterNet cannot be gainsaid, it is equally true that the FTP protocol represents a particular vulnerability [it carries user names, passwords and data in the clear, and its separate data connection is awkward to firewall], and one which can be difficult to remedy. Some alternative standards for secure file transfer have been proposed, and this white paper asks the question: "Evolving Standards for Enhanced File Transfer: Do Recent Secure File Transfer Standards Measure Up?".

One solution to FTP vulnerabilities is deployment of a proprietary solution, as this white paper: "Instant FTP Security Made Easy" demonstrates:

http://whitepapers.comdex.com/data/detail?id=1075911003_39&type=RES&src=KA_RES_20040331

Posted by jho at 09:03 AM | Comments (2)

April 06, 2004

Keeping The Walls Up

http://csrc.nist.gov/publications/nistpubs/800-41/sp800-41.pdf

Firewalls are devices which have such fundamental simplicity [the equivalent of a locked door against outsiders] that it is easy for the uninitiated to over-simplify their implementation, and therefore create a worse security menace than if nothing had been done. The white paper indexed here: "Guidelines on Firewalls and Firewall Policy: Recommendations of the National Institute of Standards and Technology" provides an in-depth view of what firewalls are and how they work, and what important issues need to be considered in implementing these devices.

Posted by jho at 12:00 PM | Comments (2)

April 05, 2004

Security, Cisco-Style

http://www.certmag.com/articles/templates/cmag_nl_infosec_content.asp?articleid=681&zoneid=39

This is a very short guide to a very extensive array of security information available at the Cisco site -- one which explains what can be found somewhat better, I think, than Cisco itself does. It covers security advisories for Cisco products; security technologies, including overviews, case studies, trend analyses, best practices and white papers; enterprise and small-to-medium business security seminars, white papers and self-study courses; managed security services for ISPs; a security glossary; and the Networking Professionals Connection Security Forum. In short, the page indexes a wealth of Cisco information which becomes much easier to find as a result.

Posted by jho at 08:53 PM | Comments (3)

April 02, 2004

The Hidden Engine Of Threats

The degree to which network administrators face multiple threats is manifest from the following selection of security articles:

A good description of countermeasures to ward off the problems inherent in social engineering [which I think is one of the most critical threats in organizations of any size] can be found here:

http://www.windowsecurity.com/pages/article.asp?id=1318

A Windows feature named Alternate Data Streams, an NTFS capability originally added for compatibility with Apple file systems, is now a subtle threat of which many Windows sysadmins are unaware: a knowledgeable attacker can hide files in streams that ordinary directory listings and file-size figures do not show:

http://www.WindowSecurity.com/pages/article.asp?id=1314

That worm and other malicious code attacks are getting worse because perpetrators appear to be able to release them without much fear of being caught, and the resources available for hacking have become more widespread, forms the core of this article:

http://www.WindowSecurity.com/pages/article.asp?id=1317

An examination of the issues relating to open source security makes the point that whether software is open- or closed-source has little validity as a determinant, since the arguments in this issue can be made so many ways:

http://www.WindowSecurity.com/pages/article.asp?id=1315

Posted by jho at 11:21 AM | Comments (3)

April 01, 2004

Lunch Meat: Sizzle Or Steak?

http://www.nwfusion.com/research/2004/0322spam.html

Spam, and the problems it causes, form a recurring topic in this blog, because it has implications for IT education both as a subject and a phenomenon. Here is a look at the proceedings of a recent anti-spam conference, with opinions and ideas from leading participants in the fight against spam, and relevant news links following the article. One interesting theme - the participants note that the solutions here may be as much economic as technical.

Another article on this conference can be found here:

http://www.infoworld.com/article/04/04/16/16FEfuturemail_1.html

On the other hand, this article:

http://www.technologyreview.com/articles/wo_johansson032604.asp

suggests that a technological solution [a method which would make spam so computationally intensive that it would be worthless, instead of quick and easy] is the route to a spamless life.
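The computational approach the article describes is usually realised as a proof-of-work "stamp": the sender burns CPU once per message, the receiver checks the result with a single hash. The example below is added here (my code, not the article's or any project's) and follows the hashcash v1 stamp layout. The recipient address, the 12-bit difficulty used for the demo, the fixed random field and the in-memory `seen` store are assumptions for illustration; a real receiver needs a shared spent-stamp database and a difficulty high enough to cost a bulk sender real time.

```python
"""Hashcash-style proof-of-work stamp for e-mail (added example, not the article's code).

Stamp layout follows hashcash v1:  ver:bits:date:resource:ext:rand:counter
The sender searches for a counter whose SHA-1 has `bits` leading zero bits;
the receiver verifies with one hash, so the cost is deliberately asymmetric.
"""
import hashlib
import secrets
from datetime import date, datetime, timezone


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    n = 0
    for byte in digest:
        if byte == 0:
            n += 8
            continue
        n += 8 - byte.bit_length()
        break
    return n


def mint(recipient, bits=16, stamp_date=None, rand=None):
    """Search counters until the stamp's SHA-1 has at least `bits` leading zero bits."""
    stamp_date = stamp_date or datetime.now(timezone.utc).strftime("%y%m%d")
    rand = rand or secrets.token_urlsafe(8)   # keeps stamps unique across senders
    counter = 0
    while True:
        stamp = f"1:{bits}:{stamp_date}:{recipient}::{rand}:{counter}"
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


def _as_date(value):
    """Accept either a date or a 'yymmdd' string (assumed convenience for tests)."""
    return value if isinstance(value, date) else datetime.strptime(value, "%y%m%d").date()


def verify(stamp, recipient, min_bits=16, seen=None, max_age_days=2, today=None):
    """Accept a stamp only if version, difficulty, recipient, age, hash and
    single use all check out. `seen` is the receiver's spent-stamp store."""
    try:
        ver, bits, stamp_date, rcpt, _ext, _rand, _counter = stamp.split(":")
        bits = int(bits)
        when = _as_date(stamp_date)
    except ValueError:
        return False                      # malformed stamp
    if ver != "1" or bits < min_bits or rcpt != recipient:
        return False                      # wrong version, too cheap, or minted for someone else
    today = _as_date(today) if today else datetime.now(timezone.utc).date()
    if abs((today - when).days) > max_age_days:
        return False                      # stale (or absurdly future-dated) stamp
    if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < bits:
        return False                      # the claimed work was not done
    if seen is not None:
        if stamp in seen:
            return False                  # replayed stamp
        seen.add(stamp)
    return True


if __name__ == "__main__":
    s = mint("alice@example.org", bits=12, stamp_date="040401", rand="abc123")
    print(s, verify(s, "alice@example.org", min_bits=12, seen=set(), today="040402"))
```

The receiver-side checks matter as much as the hash: without the date window and the spent-stamp store, a spammer computes one stamp per recipient and reuses it forever, which is exactly the economics the scheme is meant to break.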

Evaluating both sides of this debate is certainly a useful classroom tool, with the only certainty being the fact that the debate will go on.

Posted by jho at 10:32 AM | Comments (8)

March 31, 2004

007 Pays A Visit

http://comment.cio.com/soundoff/032504.html

Spyware has become a sufficiently pervasive and annoying problem that it has been mentioned several times in this blog. Because applied IT students should be using the InterNet vigorously, and exploring some of its more 'dangerous' nooks and crannies, beginners particularly are extremely vulnerable to these pests. Since too many institutions still mistakenly insist on Internet Explorer as their mandated browser, the situation is even worse. How bad it is can be gauged from this article [which is accompanied by vigorous and interesting commentary] -- infection rates of 90% are posited, and credible. This is a major problem which must be faced and overcome to protect the continuing health of the Net.

As this article suggests, help is on its way:

http://www.technewsworld.com/perl/story/33231.html

Of course, if we get the same 'assistance' from these folks as we got with the CAN-SPAM act....

This is not the only government initiative relating to surveillance; as this article indicates, the USA's FBI wants to make nettapping faster and easier, getting a hook into broadband:

http://www.pcmag.com/article2/0,1759,1549618,00.asp

Since this amounts to rearchitecting the Net in the interest of government agency surveillance, it definitely is a hot topic.

On the other hand, when it is not them doing the spying, lawmakers can get knotted knickers in a great hurry to regulate who spies on what. RFID issues have been discussed a good deal in this blog, and now some legislators are moving to control it:

http://www.wired.com/news/privacy/0,1848,62433,00.html

Since this would seem to put lawmakers at odds with big business lobbies, it will be interesting (and perhaps instructive) to see how all this turns out.

For many years after 1984 was published, the knock against the surveillance society depicted in the book was that it was neither feasible nor desirable. Technology is solving the feasibility issue -- how the desirability issue gets handled is going to be a major test of how democratic processes can continue to develop and flourish.

Posted by jho at 08:59 AM | Comments (7)

March 23, 2004

Sawing Through Event Logs

http://networking.ittoolbox.com/documents/document.asp?i=3773

To paraphrase Mr. Twain: "Everyone talks about event logs, but nobody ever does anything with them". This is, of course, an exaggeration, but it is true that while event logs can be of signal importance in an IT production environment, teaching about their effective use can be quite difficult outside that environment.

Logs are the raw material for an audit, and the indexed white paper, "Event Log Management: A Guide to a Stress-free Audit", explains how the current USA regulatory environment makes logging even more significant as an activity, and shows how to use logs in preparation for an audit. Such a focus can be of great use in providing a practical pedagogical example.
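As an added example (my code, not the white paper's), here is the kind of correlation an audit-oriented log review actually performs: a handful of constructed security-log rows in a simple CSV export, using event IDs 528 (successful logon) and 529 (logon failure) from the Windows 2000/2003-era security log, scanned for a burst of failures from one workstation and for a success that follows such a burst. The column layout, the thresholds and the sample rows are assumptions made for the illustration.

```python
"""Audit-style review of security-log rows (added example, not the white paper's).

Constructed rows in a simple CSV export; event IDs are those of the Windows
2000/2003-era security log (528 = successful logon, 529 = logon failure).
"""
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

LOGON_SUCCESS = 528
LOGON_FAILURE = 529

# Constructed sample: a guessing burst that succeeds on WS17, ordinary typos
# on WS22, and slow, spaced-out failures from a service account on WS31.
SAMPLE_LOG = """time,event_id,user,workstation
2004-03-23 08:01:12,529,jsmith,WS17
2004-03-23 08:01:30,529,jsmith,WS17
2004-03-23 08:01:55,529,administrator,WS17
2004-03-23 08:02:10,529,administrator,WS17
2004-03-23 08:02:31,529,administrator,WS17
2004-03-23 08:02:58,529,administrator,WS17
2004-03-23 08:03:40,528,administrator,WS17
2004-03-23 09:00:05,529,mlee,WS22
2004-03-23 09:00:20,529,mlee,WS22
2004-03-23 09:00:41,528,mlee,WS22
2004-03-23 10:00:00,529,svc_backup,WS31
2004-03-23 10:15:00,529,svc_backup,WS31
2004-03-23 10:30:00,529,svc_backup,WS31
2004-03-23 10:45:00,529,svc_backup,WS31
2004-03-23 11:00:00,529,svc_backup,WS31
"""


def parse_log(text):
    """Parse the CSV export into dicts sorted by time."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        rows.append({
            "time": datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S"),
            "event_id": int(r["event_id"]),
            "user": r["user"],
            "workstation": r["workstation"],
        })
    rows.sort(key=lambda r: r["time"])
    return rows


def find_password_guessing(rows, threshold=5, window=timedelta(minutes=5)):
    """Flag `threshold` logon failures from one workstation inside `window`,
    and any success from that workstation while such a burst is still live."""
    recent = defaultdict(deque)     # workstation -> failures still inside the window
    findings = []
    for r in rows:
        q = recent[r["workstation"]]
        while q and r["time"] - q[0]["time"] > window:
            q.popleft()             # slide the window forward
        if r["event_id"] == LOGON_FAILURE:
            q.append(r)
            if len(q) == threshold:     # report once, when the burst first forms
                findings.append({
                    "type": "burst",
                    "workstation": r["workstation"],
                    "users": sorted({x["user"] for x in q}),
                    "first": q[0]["time"],
                    "last": r["time"],
                })
        elif r["event_id"] == LOGON_SUCCESS and len(q) >= threshold:
            findings.append({
                "type": "success_after_burst",
                "workstation": r["workstation"],
                "user": r["user"],
                "failures": len(q),
                "time": r["time"],
            })
            q.clear()               # a successful guess closes the burst
    return findings


if __name__ == "__main__":
    for finding in find_password_guessing(parse_log(SAMPLE_LOG)):
        print(finding)
```

Keying the window on the workstation rather than the account is deliberate: an attacker cycling through user names from one machine never trips a per-account lockout, but is obvious per source. The slow WS31 failures stay below the threshold, which is the reminder that a single window size will not catch a patient attacker; an audit review also wants the long-term per-account view.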

Posted by jho at 08:16 AM | Comments (7)

March 22, 2004

Security Suggestions

http://whitepapers.comdex.com/data/detail?id=1079029984_674&type=RES&src=KA_RES_20040317

The URL indexes a white paper on "Integrated Security: Defending against Evolving Threats with Self-Defending Networks", which is Cisco's initiative to build integrated security deep within the infrastructure. Something like this does seem like the best solution to this problem, and of course, can help improve Cisco's bottom line.

Some other security white papers from Cisco are:

Cisco IP Communications Security Policy Development and Planning Guide
http://whitepapers.comdex.com/data/detail?id=1078939330_728&type=RES&src=KA_RES_20040317

Trust and Identity Management: Solutions Overview
http://whitepapers.comdex.com/data/detail?id=1079026302_550&type=RES&src=KA_RES_20040317

IP Telephony Security in Depth
http://whitepapers.comdex.com/data/detail?id=1057858103_115&type=RES&src=KA_RES_20040317

Another major white paper on identity management, "Enterprise Identity Management: It's About the Business" defines the technologies involved to produce a solutions roadmap, and can be found here:

http://whitepapers.comdex.com/data/detail?id=1079109672_743&type=RES&src=KA_RES_20040317

A white paper on "Log Management: Closing the Loop on Security Event Management" explains this crucial networking activity, and can be found at:

http://whitepapers.comdex.com/data/detail?id=1079109677_478&type=RES&src=KA_RES_20040317

Two security papers relating to the Windows world are "Best Practices for Designing a Secure Active Directory - Multi-Org Exchange Edition", available at:

http://whitepapers.comdex.com/data/detail?id=1042225768_732&type=RES&src=KA_RES_20040317

and "Architecture and Design Review for Security", which can be found here:

http://whitepapers.comdex.com/data/detail?id=1079366506_346&type=RES&src=KA_RES_20040317

Posted by jho at 09:58 PM | Comments (7)

The Coroner's Log

http://www.informit.com/guides/content.asp?g=security&seqNum=51

The informIT site at www.informit.com is a valuable tool for the working professional. They publish a number of topical guides, including a security guide. This discusses Web Application Security, Operating System Security, Network Security, Hardening Your System, Wireless Security, and the Legal and Ethical Issues of Security.

What has been added, and worth noting at the URL given, is a section on Data Forensics, providing an example, and material on Forensics Fundamentals, Forensics Tools, Forensics and Encryption, and PDA Forensics.

Posted by jho at 09:41 PM | Comments (7)

Problems And Solutions

http://www.pcworld.com/news/article/0,aid,115214,tk,dnWknd,00.asp

I have waxed pessimistic about the ability of the white hats to overcome the black in terms of the escalating dangers of cyberspace, and the indexed report suggests that we are in a handbasket moving rapidly to its destination. On the other hand, given that the source is Symantec, producer of protective products, it can hardly claim to be disinterested -- yet at the same time, this does not make the report wrong.

Having a good practical guide on what steps you can take to mitigate these threats is certainly welcome, and one such can be found here:

http://www.pcworld.com/howto/article/0,aid,114727,tk,dnWknd,00.asp

Posted by jho at 09:19 PM | Comments (8)

March 19, 2004

With Help Like This...

http://www.definitivesolutions.com/bhodemon.htm

Exploits against one's Web browser are as exquisitely annoying as a hangover, and many are realized through Browser Helper Objects, explained at the indexed site, along with a tool called BHODemon which allows you to remove unwanted BHOs.

While anti-spyware/adware software is the usual court of first resort in these cases, they don't always work, so having some additional weapons in your arsenal is never a bad idea. Here is a discussion site featuring another BHO-removal tool:

http://www.spywareinfo.com/~merijn/cwschronicles.html

A tool which prevents homepage hijacking [as does, incidentally, a buried setting in Spybot Search & Destroy] can be downloaded here:

http://www.wilderssecurity.com/bhblaster.html

Another more general computer security site which offers a forum on BHOs is:

http://www.computercops.biz/index.php

Posted by jho at 09:05 AM | Comments (9)

March 18, 2004

Knock, Knock! Who's There?

http://www.linuxjournal.com/article.php?sid=6811

'Port knocking' -- keeping a service port closed until a client has sent a pre-arranged sequence of connection attempts to other, closed ports -- is an idea which could help VPN security and similar implementations on Linux. This article shows how to do it; it represents a useful addition to the whole armour of security which administrators must implement these days. One caveat belongs alongside it: a fixed knock sequence is a shared secret sent in the clear, so anyone who can observe the knocks can replay them, and knocking should supplement, not replace, the authentication of the service it hides.
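The sequencing logic a knock daemon has to get right is small but easy to get wrong (stale partial sequences, out-of-order knocks, a per-source rather than global state). The example below is added here (my code, not the article's or any knock daemon's): a real daemon would read the firewall's drop log or sniff SYNs and then insert an allow rule, whereas this one is fed (source, port, time) events directly so it can be exercised offline. The knock sequence, timing window and open duration are assumed values.

```python
"""Port-knocking sequence tracker (added example, not the article's code).

A real knock daemon watches the firewall's drop log or sniffs SYNs and then
inserts an allow rule; here each knock is fed in as (source, port, time) so
the sequencing logic can be exercised offline.
"""
from dataclasses import dataclass, field

# Assumed knock sequence and timing; pick your own for a real deployment.
KNOCK_SEQUENCE = (7000, 8000, 9000)
KNOCK_WINDOW = 10.0      # max seconds between consecutive knocks
OPEN_DURATION = 30.0     # seconds the protected port stays open afterwards


@dataclass
class KnockTracker:
    sequence: tuple = KNOCK_SEQUENCE
    window: float = KNOCK_WINDOW
    open_for: float = OPEN_DURATION
    # source -> (index of next expected port, time of last accepted knock)
    progress: dict = field(default_factory=dict)
    # source -> time until which the protected port is open for it
    opened: dict = field(default_factory=dict)

    def knock(self, src, port, now):
        """Record one connection attempt by src to closed port `port` at time `now`.

        Returns True when this knock completes the sequence for src.
        """
        idx, last = self.progress.get(src, (0, now))
        if idx > 0 and now - last > self.window:
            idx = 0                      # partial sequence went stale: start over
        if port == self.sequence[idx]:
            idx += 1                     # expected port: advance
        elif port == self.sequence[0]:
            idx = 1                      # out of order, but a valid first knock
        else:
            idx = 0                      # any other port resets progress
        if idx == len(self.sequence):
            self.progress.pop(src, None)
            self.opened[src] = now + self.open_for
            return True
        self.progress[src] = (idx, now)
        return False

    def is_open(self, src, now):
        """Whether src may currently connect to the protected port."""
        return self.opened.get(src, 0.0) > now


def replay(events, tracker=None):
    """Feed (src, port, time) events in order; return the sources that completed the sequence."""
    tracker = tracker or KnockTracker()
    return [src for src, port, t in events if tracker.knock(src, port, t)]


if __name__ == "__main__":
    # Constructed event stream: a correct knock, a wrong-port knock, and a too-slow knock.
    events = [
        ("10.0.0.1", 7000, 0.0), ("10.0.0.1", 8000, 1.0), ("10.0.0.1", 9000, 2.0),
        ("10.0.0.2", 7000, 0.0), ("10.0.0.2", 22, 1.0), ("10.0.0.2", 8000, 2.0), ("10.0.0.2", 9000, 3.0),
        ("10.0.0.3", 7000, 0.0), ("10.0.0.3", 8000, 1.0), ("10.0.0.3", 9000, 20.0),
    ]
    print(replay(events))   # only 10.0.0.1 completes the sequence
```

Resetting on any unexpected port is what stops a port scan from stumbling through the sequence, and the time-limited open state is what keeps a successful knock from turning into a permanent hole; both are details that a hand-rolled iptables-and-log-tail script tends to omit.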

Posted by jho at 09:52 PM | Comments (7)

Sweet Seduction

http://www.securityfocus.com/infocus/1761

Creating a 'honeypot' as a means of detecting/deflecting attackers on a network has a venerable history [and the technique's virtues and limitations should be clearly recognized]. Wireless networks can deploy analogous techniques, as explained in this detailed, illustrated, and well-referenced article.

Posted by jho at 09:47 PM | Comments (7)

Incidents And Accidents

http://searchsecurity.techtarget.com/featuredTopic/0,290042,sid14_gci930122,00.html?track=NL-103

Intrusion detection systems are a cornerstone of effective network security, and an open-source tool, 'Snort', can be a valuable item in teaching how to use IDS. The indexed URL provides a range of resources explaining Snort and how to use it most effectively.

Intrusion detection or any other measure of security analysis is meaningless without effective incident response planning, and this is often neglected in organizations. Here are some resources to help with this:

http://searchsecurity.techtarget.com/featuredTopic/0,290042,sid14_gci944780,00.html?track=NL-363

Posted by jho at 06:22 PM | Comments (1)

The Secure Chattering Classes

http://www.irchelp.org/irchelp/security/

Internet Relay Chat is another of those temptations to network disaster that I resist on the grounds they Promote Rust, although there are times I have to use it. This starkly plain but fully-functional resource explains how to use IRC in the safest manner, and includes exploit news, Trojan attacks, DoS, downloading issues, a firewall FAQ, general security, parental guides to IRC, IRC backdoors, IRC for administrators, how to find and report IRC abuse, and IRC's connection with hackers.

Since in the educational environment in particular, IRC may be an important method of participant communication, this represents another security site well worth bookmarking.

Posted by jho at 06:17 PM | Comments (5)

The World Is NOT Your Oyster

http://www.csoonline.com/read/020104/perimeter.html

Something as complicated as network security, especially when the InterNet is factored in, relies on metaphors for general understanding, but models of perimeter security based on individual bastions are increasingly meaningless in an environment where 'inside' and 'outside' the firewall are terms with less and less precision. Mobile computing and wireless are two major contributors to this.

An effective defensive model for this new security environment requires a combination of the concrete and the abstract. Defense in depth cannot be founded on a static security model, but the fact that there is no fixed starting point makes finishing the journey difficult. Alternatives are discussed in this article, and sidebars index a number of related articles as well.

Posted by jho at 04:35 PM | Comments (1)

March 17, 2004

Eye On The Spy

http://www.spywareguide.com/articles/

Not only is spyware a security problem [because some variants leave your system at risk to outsiders] and a performance problem [it is indicted as the cause of many system crashes], but it is also something which impacts most users personally. This leads to a high degree of dudgeon, so sources and resources to provide information and product reviews are well worth collecting.

The main site here allows you to find out about spyware, presenting lists of categories, online tools, product reviews, a mailing list, and education on this class of malware. The indexed URL lists some two dozen papers on aspects of spyware which can support a research project or spark classroom discussion.

The nastiness of spyware [not least in the lack of trust it inculcates between InterNet software suppliers and the using public] requires responses, and this on-line guide contains sections on Lookup Spyware, List of Spyware, List of Categories, and List of Companies; Terms & Definitions and FAQs; online detection and removal tools; plus introductory information, how-tos, and an extensive set of classified product reviews.

Posted by jho at 05:49 PM | Comments (1)

Kicking The Firewall Tires

http://www.WindowSecurity.com/pages/article.asp?id=1313

For an individual machine, a software firewall can often be sufficient [although of course it should not be regarded as a security panacea], but for a server or other high-end resource, a hardware firewall [and often more than one of them] is definitely indicated.

How to tell which one is best? This white paper, "Comparing Firewall Features", presents an evaluative structure which will let you decide.

Posted by jho at 05:33 PM | Comments (1)

Straight From The Dart's Mouth

http://www.ists.dartmouth.edu/

If you want to access the resources of a major research institute on cybersecurity and cyberterrorism, you merely have to follow the above link. The institute provides an extensive description of its activities, which are certainly interesting in their own right. It also provides a heaping helping of security resources.

While the searchable site is cleanly laid-out in an elegant presentation, you must realize that its structure contains considerable depths, and you will get the best feel for what this site can do for you by poking around and reading carefully -- expect to take more than 5 minutes doing this.

The result may be a permanent reward for anyone teaching any aspect of IT security studies.

Posted by jho at 04:47 PM | Comments (3)

March 12, 2004

To The Bottom Of The Spam Can

http://www.securityfocus.com/infocus/1763

http://securityfocus.com/infocus/1766

A two-part well-referenced article [the link to the first part appears at the end of the second, but the first part has no link to the second -- hence both links] by a noted expert on spam, the battle against it, and the security issues involved [identity theft, malware propagation, and combined exploits].

Filters are seen as limited, at best. Reverse lookup will help control header forgeries, but will leave those whose domains do not host a mail server out in the cold, while also causing problems for mobile computing. Challenge systems and cryptographic systems also have their limitations.

The conclusion to this article is rather depressing: "...a good solution today is unlikely to be a good solution tomorrow".

A related white paper, discussing "E-mail spam: Is it a Security Issue?", is available here:

http://www.WindowSecurity.com/pages/article.asp?id=1311

Another article, indicating that the spammers are 'winning' this war [of course, their 'victory' will prove disgustingly barren], with indications that 80% of USA e-mail traffic is spam, can be read here:

http://www.baltimoresun.com/technology/bal-te.spam14mar14,0,3015793.story

The technology of turning intermediate machines into spam zombies exacerbates the problem -- and increases the desirability for condign punishment for the perpetrators.

Posted by jho at 11:00 AM | Comments (12)

March 11, 2004

OS Icks

http://www.eweek.com/article2/0,1759,1540556,00.asp

The Apple Filing Protocol used in the 'Panther' version of OS X was revealed to have a security weakness allowing a malefactor to steal passwords or data. I have remarked before about Mac enthusiasts chortling about their relative immunity to vulnerabilities. Once again, we see that no operating system is perfect [even though a variety of circumstances may make OS X less vulnerable, the difference is one of degree and not of kind.] The indexed article discusses the problem at some length.

Posted by jho at 09:20 PM | Comments (12)

Unsafety Net

http://www.crime-research.org/news/29.02.2004/95

Brief description of the InterNet scam called 'phishing', where a fake site location is sent to the victim through e-mail, in order to gather information that the victim would expect to enter at the valid site. This is a growing problem, and some experiences of involved institutions are discussed here.

As if this was not enough, the risk of cyberterrorism has been raised in this article:

http://www.crime-research.org/news/28.02.2004/92

This article details some analysis showing that January, 2004 established new records for Net-borne malware:

http://www.crime-research.org/news/26.02.2004/83

The costs of Net fraud are in the same ballpark as global e-commerce incomes, according to this article:

http://www.crime-research.org/news/24.02.2004/internet_fraud_1

Problems of dysfunctional behaviour on the Net have been addressed previously in this blog.

Posted by jho at 06:57 PM | Comments (10)

March 05, 2004

Trendy Security

http://www.trendmicro.com/en/security/white-papers/overview.htm

The URL indexes the Security Information white papers section of the Trend Micro site, with nearly a dozen papers directly relevant to malware and security problems. These papers are downloadable in .PDF format.

In addition to their products, the site offers a Weekly Virus Report, a Virus Map and a Virus Encyclopedia, downloadable test files, general virus information, Webmaster Tools, and a description of ongoing research/development at TrendLabs.

Posted by jho at 11:08 AM | Comments (11)

A Matter Of Policy

http://www3.ca.com/solutions/collateral.asp?CID=33504&ID=1128&CCT=

Policies represent the grey underside of networking -- in the educational context, partly because it is very difficult to create meaningful practical examples, most students summon less enthusiasm for them than they do for wet blotting paper. Yet policies are a major management tool, and effective antivirus protection is impossible without them.

The indexed URL links to the Computer Associates Virus Information Center, and discusses antivirus policies in terms of policy effectiveness, policy principles, and policy constants. Given that the site sponsor sells antivirus software, there may be a note of 'special pleading' here, but this is nevertheless a useful stimulant to the development and discussion of policy in the classroom environment.

Posted by jho at 10:49 AM | Comments (11)

March 04, 2004

I'll Take The Keys, Thanks

http://www.cs.dartmouth.edu/~carlo/research/tr2004-489.pdf

A white paper covering an aspect of networking security which, because of its complexity, can get glossed over: "Keyjacking: The Surprising Insecurity of Client-side SSL". The client-side vulnerabilities are discussed in detail -- this is a good antidote to a lot of the security 'happy talk' which tends to predominate in certification resources discussing this subject.

Posted by jho at 09:55 PM | Comments (11)

A Thicker Firewall

http://www.eweek.com/article2/0,4149,1525830,00.asp

Firewalls are a staple of the network security environment, and while they are not a panacea, they remain an important component of networking security, particularly for organizations connecting to the InterNet. The indexed article discusses the additional security available from perimeter firewalls implementing deep packet filtering technology. The power such firewalls bring to fighting malware certainly will offset their purchase costs and operational overhead in small and medium-sized networks, whereas tradeoffs need more careful evaluation in larger systems.

A number of related articles are linked in a sidebar.

Posted by jho at 09:15 PM | Comments (1)

Curing Spam, Keeping the Patient

http://news.com.com/2008-1032-5164246.html

Spam is a significant and continuing problem for network managers, particularly those involved in backbone networking; it is a constant topic in this blog. The URL indexes an interview with a major spam-fighter which makes an interesting comparison: spam is like cancer -- it is not a single object, but a whole cluster of objects. This means that there will not be any 'single cure', and we also have to create cures which will not wind up killing the 'patient'. The article makes a particular point of the ineffectiveness of the current legal restrictions against spam compared to the effectiveness of the law outlawing junk faxes, suggesting some avenues for emulation.

A relevant related article here:

http://www.ecommercetimes.com/perl/story/32931.html

agrees with the thrust of the first article -- multiple approaches are needed to stop spam, including filtering [connection, SMTP, content, HTML tag, and Bayesian], URL domain blacklisting, delivery/processing rules, end-user education, and false positive prevention. The article has a sidebar listing related articles of interest.

Posted by jho at 04:12 PM | Comments (1)

March 02, 2004

Securely Grander

http://www.csoonline.com/read/020104/shop.html

Just as the computing 'Grand Challenges' mentioned earlier in this blog stimulate the imagination and can act as a focus for research/study activity, so this article emulates such activity in the security field, presenting four grand challenges for security:

1. Eliminate epidemic-style attacks (viruses, worms, spam) within a decade.

2. Develop tools and principles allowing socially important large systems to be highly trustworthy despite being attractive targets.

3. Develop quantitative information-systems risk management to be as robust as its financial equivalent within 10 years.

4. Give end users security controls they can understand and privacy they can control and which will be adequate for future needs.

The focus of this initiative is to emphasize strategic directions over tactical elements, in a security context where there is no time to be lost in effecting a cure.

Posted by jho at 12:51 PM | Comments (1)

All Secure, Sir!

http://www.mit-kmi.com/articles.cfm?DocID=384

Article indicating the degree to which the USA's National Security Agency is leading the way on a number of security issues:
* Secure interoperability between wireless and wired systems
* Iridium satellite security
* Creation of a database of wireless vulnerabilities
* Advanced encryption with emphasis on wireless systems
* Satellite connectivity

The technical details in the article give a good idea of the complexity and importance of this undertaking, which certainly seems necessary in today's networking security environment.

Posted by jho at 11:53 AM | Comments (1)

Security, Airport And Elsewhere

http://www.securecomputing.com/pdf/remoteinsecurity.pdf

Sometimes less really is more. The URL indexes a 4-page white paper titled "Remote Insecurity: How business travelers risk exposing their companies when remotely accessing company networks". This gives a number of common scenarios where travellers put their data and systems at risk; these can be a most stimulating source of discussion and can serve as the initial foundation for some interesting practical projects.

Posted by jho at 09:04 AM | Comments (1)

February 27, 2004

Goring The Bad Guys

http://www.pcworld.com/news/article/0,aid,114982,tk,dn022604X,00.asp

'Longhorn' and its unfurling development have been the subject of much previous comment in this blog. An equal emphasis has been given to security, and mention has been made of autonomous systems which are capable of 'healing' themselves. The importance of security in its broadest sense [i.e. not merely keeping things confidential, but also keeping the system bandwidth available for productive use] has sharply escalated in the last couple of years. Complex problems require complex solutions, which is why all three above-mentioned themes are converging in 'Longhorn' development.

Thus the discussion in this article of how Microsoft's next-generation operating system will automagically take care of many important security problems is worth some attention. If Bill Gates can deliver on this promise, he well may make Microsoft's desktop position unassailable.

Posted by jho at 09:00 AM | Comments (1)

February 23, 2004

Spyware Stopper Stravaganza

http://www.pcmag.com/article2/0,4149,1523357,00.asp

With spyware [and related browser hijacking] becoming an increasingly severe problem, the variety of tools to combat it has proliferated. This article discusses a comparative test among 14 anti-spyware programs. Treated as well are the characteristics of spyware, how to avoid it, and how to tell if you have been infected by it. This is a good one-stop-shop for determining resources and strategies for dealing with these pests.

The article should be valuable as a discussion starter for those studying basic InterNet security, as well as giving directions on how to find the best tool to actually use in a given case.

Posted by jho at 08:25 PM | Comments (2)

Prime Wireless Security

http://www.windowsecurity.com/articles/Wireless_Security_Primer_101.html

http://www.windowsecurity.com/pages/article.asp?id=1151

Since the above articles represent the first and second parts of a primer on wireless security, I thought it would be most useful to display them together. This is a very good brief overview of the subject, covering what is involved and how it all works, in a manner conducive to easy learning. As mentioned elsewhere in this blog, the attractions of wireless go hand-in-hand with the security risks involved, making this an important topic.

A discussion of the range of potential wireless attacks is presented here:

http://www.windowsecurity.com/articles/Wireless_Attacks_Primer.html

A revised version of an in-depth paper on applying the Cisco SAFE methodology to Wireless LAN security is presented here:

http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a008009c8b3.shtml

and can also be downloaded in a 75-page .PDF version.

Posted by jho at 06:17 PM | Comments (0)

February 20, 2004

Four Keys To The Kingdom

http://whitepapers.comdex.com/data/detail?id=1076950008_357&type=RES&src=KA_RES

Wireless remote access is desirable, and, as noted in this blog from time to time, poses significant security risks. Criteria for mitigating such risks are outlined in this white paper: "Four Keys to Secure Wi-Fi Remote Access", as follows:
1. User authentication must be administered at the enterprise level.
2. Virtual Private Networks must be connected end-to-end.
3. Multi-service coverage should be broad.
4. Your remote access client must be wireless-enabled.

Some methods for doing these things are discussed in the white paper.

Posted by jho at 01:33 PM | Comments (1)

ASN-ine

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci949830,00.html

The major flap about the ASN.1 vulnerability issue in Microsoft Windows of course represents a serious core issue [not least the fact that the company 'sat on' the problem for 6 months after being notified]. But it is just as important to understand how fundamental this flaw is -- ASN.1 is the specification which drives the data definition for all networked elements, and is at the heart of SNMP.

Also important is understanding the nature of the flaw -- it was a buffer overflow [and where have we heard that before?], allowing the attacker to take over and run the affected machine remotely. The fact that the flaw was located in the parser library for ASN.1 just makes this worse, since this library is used in cryptographic and authentication routines like Kerberos. The irony of this, of course, is that the exploit just affects the 32-bit and 64-bit versions of the Windows OS, which are supposed to be the most secure.
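The defect class described above is a parser that trusts the length field embedded in an ASN.1 encoding. As an added illustration (example code written for this entry, not the code from the affected Windows library or from any project), here is a DER tag/length reader that refuses input whose declared length does not match what the buffer actually holds, alongside a copy routine that checks the destination as well; the sample encodings are constructed for the demonstration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical example: bounds-checked DER tag/length header parsing.
 * Every rejection below guards against a parser acting on a length that
 * the input does not actually back with bytes. */

/* Parse one DER tag and length from buf[0..buf_len).
 * Returns the declared content length, or -1 if the header is malformed,
 * truncated, non-minimal, or declares more content than the buffer holds.
 * On success *header_len (if non-NULL) receives the octets consumed. */
long der_declared_length(const uint8_t *buf, size_t buf_len, size_t *header_len)
{
    size_t pos = 0;
    if (buf == NULL || buf_len < 2)
        return -1;                      /* need at least tag + one length octet */

    uint8_t tag = buf[pos++];
    if ((tag & 0x1f) == 0x1f)
        return -1;                      /* multi-octet tag numbers: out of scope here */

    uint8_t first = buf[pos++];
    size_t length;
    if (first < 0x80) {
        length = first;                 /* short form: 0..127 */
    } else {
        size_t n = first & 0x7f;        /* number of length octets that follow */
        if (n == 0)
            return -1;                  /* 0x80 = indefinite length: BER, not DER */
        if (n > sizeof(size_t) || n > buf_len - pos)
            return -1;                  /* unrepresentable, or length octets truncated */
        if (buf[pos] == 0x00)
            return -1;                  /* leading zero octet: not the shortest encoding */
        length = 0;
        for (size_t i = 0; i < n; i++)
            length = (length << 8) | buf[pos++];
        if (length < 0x80)
            return -1;                  /* long form where short form was required */
    }

    /* The check that matters for memory safety: the declared length must
     * fit inside the input that is actually present. */
    if (length > buf_len - pos || length > (size_t)LONG_MAX)
        return -1;
    if (header_len != NULL)
        *header_len = pos;
    return (long)length;
}

/* Copy the contents of a DER element into dst, checking both the source
 * bound (via der_declared_length) and the destination capacity.
 * Returns the number of octets copied, or -1 on any refusal. */
long der_copy_contents(const uint8_t *buf, size_t buf_len,
                       uint8_t *dst, size_t dst_len)
{
    size_t hdr = 0;
    long len = der_declared_length(buf, buf_len, &hdr);
    if (len < 0 || (size_t)len > dst_len)
        return -1;                      /* refuse rather than overrun dst */
    memcpy(dst, buf + hdr, (size_t)len);
    return len;
}

/* Constructed sample encodings (not captured from any real traffic). */
static const uint8_t SAMPLE_OK[]      = {0x04, 0x03, 'A', 'B', 'C'};        /* OCTET STRING "ABC" */
static const uint8_t SAMPLE_TRUNC[]   = {0x04, 0x10, 'A', 'B'};             /* claims 16, holds 2 */
static const uint8_t SAMPLE_INDEF[]   = {0x04, 0x80, 0x00, 0x00};           /* indefinite form */
static const uint8_t SAMPLE_NONMIN[]  = {0x04, 0x81, 0x05, 1, 2, 3, 4, 5};  /* 5 in long form */
static const uint8_t SAMPLE_LONG[131] = {0x04, 0x81, 0x80};                 /* 128 zero octets */
static uint8_t scratch[16];             /* small destination used by the copy check */

int main(void)
{
    const char *names[] = {"ok", "truncated", "indefinite", "non-minimal", "long-form"};
    const uint8_t *bufs[] = {SAMPLE_OK, SAMPLE_TRUNC, SAMPLE_INDEF, SAMPLE_NONMIN, SAMPLE_LONG};
    size_t sizes[] = {sizeof SAMPLE_OK, sizeof SAMPLE_TRUNC, sizeof SAMPLE_INDEF,
                      sizeof SAMPLE_NONMIN, sizeof SAMPLE_LONG};
    for (size_t i = 0; i < 5; i++) {
        size_t hdr = 0;
        long len = der_declared_length(bufs[i], sizes[i], &hdr);
        printf("%-12s -> %s (length %ld, header %zu)\n", names[i],
               len < 0 ? "rejected" : "accepted", len, hdr);
    }
    printf("copy of long-form element into 16-byte buffer: %ld\n",
           der_copy_contents(SAMPLE_LONG, sizeof SAMPLE_LONG, scratch, sizeof scratch));
    return 0;
}
```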

Now a patch is available at:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS04-007.asp

but this should not really help us sleep at night. Because ASN.1 is so fundamental to network operations, we have to ask ourselves: are the ASN.1 libraries used by other operating systems really safe?

Posted by jho at 08:43 AM | Comments (1)

February 19, 2004

Ears Are Everywhere

http://www.ecommercetimes.com/perl/story/32874.html

Short analytic article indicating that wireless flexibility is a great boost to productivity, but security problems still persist. Implementing organizational protection for portable devices is difficult, because the environment in which such devices are used is both varied and unpredictable. Vigilance by IT security professionals is required as much, if not more, for wireless applications, which should be implemented according to a specific policy based on cost/benefit calculations.

The article also links to others on this and related topics.

Posted by jho at 11:29 AM | Comments (1)

February 18, 2004

Dumm-Da-Dumm-Dumm!

http://www.crime-research.org/

This is an excellent site to get news and information about computer crime. The searchable site offers news, information about crime/security events, articles, books, keeps tabs on legislation, provides a wealth of links, and has an archive. Many of the articles have a Russian slant; they are supplemented by analytics and interviews from an international perspective.

There is also a weekly newsletter from the organization, to which you can subscribe.

Posted by jho at 10:49 AM | Comments (1)

February 16, 2004

Meating Spam Costs

http://whitepapers.comdex.com/data/detail?id=1074104559_384&type=RES&src=KA_RES

The volume of commentary on spam indicates how severe and continuing a problem it is -- if Bill Gates can deliver on his promise of a spam-free world by 2006, he will become a hero of the computer age to rival Linus Torvalds. In organizations, of course, spam has a cost, and measures to counter spam also have costs, and the metrics for all this are abstract and slowly emerging. This white paper: "Measuring Up: Evaluating the Return on Investment (ROI) of Spam Filtering" can provide some useful advice and statistics.

Of course, the spammers try to subvert filtering, and current trends involve the use of complex code concealed in HTML, as explained in this white paper on "Spam: A Many Rendered Thing; An in-Depth Look at Current Trends in Spamming Techniques" which is also worth considering:

http://whitepapers.comdex.com/data/detail?id=1074104558_819&type=RES&src=KA_RES

Another article, with links and references, which expresses skepticism of the methods Microsoft has proposed to control spam [and which also explains the initiative in outline] can be found here:

http://www.nwfusion.com/news/2004/0301microsoftspam.html?nl

Posted by jho at 09:35 AM | Comments (1)

Posterior Protection

http://whitepapers.comdex.com/data/detail?id=1076090569_333&type=RES&src=KA_RES

Though anyone who works in IT directly may find it somewhat amazing that line administrators are often insouciant about security threats, this nevertheless remains a brute fact about life in the corporate world. From the executive's point of view, security is simply an expense without reward [though of course insurance, in the ideal situation, is something analogous], and the risks may seem quite diffuse and hypothetical. A primer on how to educate management is therefore useful, and this white paper: "Network Security: 11 Reality Checks to Help the CEO 'CYA'" would appear to be worth a look.

In addition to educating students on the sorts of vulnerabilities which are present in today's networking environment, a paper like this can help them understand that they have to be issue champions as well. It also could serve as a useful starting point for discussions or exercises.

Another angle on this situation is presented in this white paper: "The Top Five Challenges to Achieving Outstanding Enterprise Security and How to Overcome Them", which can be found here:

http://whitepapers.comdex.com/data/detail?id=1076950016_881&type=RES&src=KA_RES

Posted by jho at 08:22 AM | Comments (1)

February 12, 2004

The E-Postman Knocks Twice

http://www.pcmag.com/article2/0,4149,1464011,00.asp

E-mail, one of the most popular and widely used InterNet services, certainly has been taking a battering, as previous entries in this blog have testified. This extensive article suggests that 2003 represented a tipping point: spam now accounts for more than 50% of e-mail messages, and e-mail is increasingly used as a hacker attack method.

This extensive discussion, with embedded links, discusses the rising tide of problems, what must be done to improve matters [and the effort that this involves], the role of clients in a variety of venues, and how spam blockers can and should work.

Meanwhile, lawmakers are saving us from ourselves, while not really doing much to improve the problem -- in fact, as this article indicates, they may be making it worse:

http://www.governing.com/articles/1spam.htm

Posted by jho at 02:22 PM | Comments (1)

February 11, 2004

Pipelining

United Business Media's CMP division has launched a set of tightly focussed searchable Web pages called 'pipelines', which index news, trends, how-to-do-its, products, white papers, webcasts, sponsored links with downloadable software, and a glossary. Those of specific interest to most applied IT teachers are:

http://www.securitypipeline.com/ covering desktop, network, and infrastructure security plus policy & privacy.

http://www.linuxpipeline.com/ covering core Linux, applications, enterprise open source, and business.

http://www.networkingpipeline.com/ covering security, infrastructure, wireless, and voice/data integration.

http://www.serverpipeline.com/ covering entry-level, mid-range, and high-end servers, plus their supporting technologies (including operating systems).

http://www.itutilitypipeline.com/ covering utility computing and services, grid computing, and enterprise systems.

http://www.desktoppipeline.com/ covering desktop operating systems, application software, and hardware as these relate to all current desktop OS.

Additional pipelines address small business, mobile computing, and storage issues. These look like excellent information sources to benchmark and revisit, for students and teachers alike.

Posted by jho at 12:21 PM | Comments (1)

February 06, 2004

An Inside Job

http://news.com.com/2100-1032_3-5153485.html

As Daffy Duck would say: "D-E-E-SPPTH-ICABLE!!" The problem of 'spyware' -- programs which download/install themselves on your computer and report back on your surfing habits -- quite predictably led to the development of spyware killers. Now, just as predictably, reports are filtering in that a number of spyware killers in fact function as spyware themselves.

Now all this is infuriating enough, and a number of people are as mad as hell and not going to take it any more, but there is an additional consideration: lots of spyware doesn't just fink on you, it also slows down your computer and makes it more likely to crash.

The article discusses the development of spyware problems, the attempt to reduce/eliminate such parasitic software, and what actions are being taken by those victimized by what are clearly unfair and deceptive practices.

Because many in the educational environment depend on computers but have little comprehension of their internal workings, effective education about spyware is a basic requirement, to which the indexed article (with links to related information) can provide substantial assistance.

Posted by jho at 11:52 AM | Comments (1)

The Best DNS Defence

http://www.networkmagazine.com/shared/article/showArticle.jhtml?articleId=17200256&classroom=

Domain Name Service is a vital cog in any InterNet service machine, and like every other part of the TCP/IP suite [DNS is considered an Application Layer protocol], it was not designed with security in mind. The range of risks will only increase as wireless technologies achieve widespread adoption in organizations.

This detailed article, with extensive embedded supporting links, explains what the problems are, and what you can do to guard against them. Such articles underscore the fact that security is a multifaceted activity, not simply slapping a firewall in front of your LAN and using passwords. In addition to being a valuable reference for a course dealing with Net security, for the more creative amongst us it could serve as a source of ideas for attack testing under laboratory conditions.

The article includes references to DNS concepts and operations, and detailed methods of implementing DNS security.

Posted by jho at 08:37 AM | Comments (1)

February 05, 2004

Block That Threat!

http://whitepapers.comdex.com/data/detail?id=1075747187_769&type=RES&src=KA_RES

The tussle between the black and white hats continues unabated -- the one secure claim we can make is that this problem will continue to escalate in complexity and impact. How threat management is responding to such challenges is outlined in this white paper: "The Next Generation of Threat Management".

It rather sounds like we need this badly.

Posted by jho at 08:58 AM | Comments (1)

February 04, 2004

Bad Guys Rule

http://www.eweek.com/article2/0,4149,1484760,00.asp

I have, for more than several years, been pessimistic about the ability of network administrators to prevail in the contest against malware. The attacker not only has surprise on his side, he also has the advantage of human inertia and complacency in the face of a threat which is probabilistic and diffuse. This article suggests that antivirus researchers are coming to the same conclusion.

If there is any dawn to this dark night, it is still a long way away.

Posted by jho at 09:50 PM | Comments (1)

February 03, 2004

Simple Security

http://www.certmag.com/articles/templates/cmag_feature.asp?articleid=580&zoneid=1

The URL indexes a short, simply-written article on the basics of network security, looking at the architecture, its vulnerabilities, security practices in response to these, the technologies of their implementation, and the certifications currently available for security.

Posted by jho at 11:44 AM | Comments (1)

February 02, 2004

Insecurity Insomnia

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci945775,00.html

A survey of information security professionals indicated that the whopping majority (97%) feared employee negligence/abuse of data resources as their most worrisome concern. Right next to this was lack of resources, cited by 90%. In comparison, only 70% worried about a catastrophic external threat.

Despite the small size of the survey [n=34], this sounds about right, in terms of the conventional wisdom that the majority of all security issues originate from inside an organization, rather than coming from outside.

Posted by jho at 11:26 AM | Comments (1)

January 28, 2004

Trust Me, I'm Your Computer!

http://www.againsttcpa.com/tcpa-faq-en.html

I have commented on the "trusted computing" issue several times in this blog -- the indexed article discusses the ins and outs of this technology, and overall holds it to be a Bad Thing And A Bad King. As do I.

But we have to realize that some of the things which trusted computing is intended to implement are not in the least objectionable [I have, for example, no problem at all with Microsoft being able to enforce payment on all who use its products], and will, in fact be highly desirable to a small minority, who just happen to have access to the levers controlling the legislative system. It is equally true that some of the things which trusted computing could do are highly objectionable.

Then the question must be re-focussed: are the costs worth the benefits? In particular, would it be possible to control some of the objectionable aspects through the operation of standard commercial law? The problem with a positive answer here is that the technology of enforcement is sufficiently stealthy that it might be extremely difficult to detect and remedy non-compliance with such law.

Like many other things in IT and life in general, when examined closely, this does not turn out to be a simple topic at all, and we may get answers less by prescription in advance than by muddling through and working out what prove to be the inevitable consequences.

Posted by jho at 10:22 AM | Comments (1)

January 21, 2004

Lunch Meat Prestidigitation

http://whitepapers.comdex.com/data/detail?id=1074104558_819&type=RES&src=KA_RES

The evolutionary contest between spam and spam control techniques parallels that between virus and antivirus software, with convincing echoes of the biological eponym. This white paper, with a title after my heart: "Spam: A Many Rendered Thing; An in-Depth Look at Current Trends in Spamming Techniques" looks at the variety of new techniques spammers use to outfox filters.

There is, of course, an odd and melancholy irony to all of this -- if the spammers succeed, they will remove all reason to use e-mail, whereupon they will be broadcasting to thin air.

Posted by jho at 08:49 PM | Comments (0)

On Not Getting Chomped

http://www.pcpitstop.com/gator/

A major online annoyance is material from Gator [d.b.a. Claria] popping up when you surf, with potentially unpleasant effects on your system. The indexed URL explains all about this disservice, as well as what you can do about it.

My thought on the matter -- the Gator staff should be introduced to hungry examples of their eponym, on a one-to-one basis -- that would be fun to watch!

Posted by jho at 03:52 PM | Comments (0)

Secure From The Start

http://www.securecoding.org/

While the primary emphasis of this blog is definitely not on programming, since I could not code my way out of a wet antistatic bag, the fact remains that effective coding has to be one of the major building blocks to improved security. While this site is devoted to a specific book on the topic [with the highly arcane title of Secure Coding: Principles & Practices], it also contains a mailing list, and a book companion with Additional Case Studies, Checklists, Software Tools, Code Snippets, Bibliography and Links, Contributions, and Analysis of Topical Vulnerabilities.

All in all, this looks like a useful site to bookmark for those who can benefit from it.

Posted by jho at 03:36 PM | Comments (0)

January 20, 2004

Dark Crystal Ball

http://www.computerworld.com/printthis/2003/0,4814,88646,00.html

In a worst-case scenario for the InterNet by 2010, the result is complete chaos. Cheer up! We likely will not reach that state, because long before then we will have suffered a 'Digital Pearl Harbor' that will show how severely we need to change. Exactly what the nature of this will be is a matter of some debate -- but we won't like it, whatever it is. One of the major casualties of the disaster will be innovation, and another will be privacy.

I really can't argue much against these predictions -- they sound all too plausible.

Posted by jho at 05:25 PM | Comments (0)

January 16, 2004

My Buffer Floweth Over, Not

http://www.pcworld.com/news/article/0,aid,114328,00.asp

A major and continuing source of security exploits is buffer overflows. AMD's 64-bit processors now add a feature called "Execution Protection", which prevents execution takeover after an overflow event. Intel is also looking at adding this technique. This looks like a major hardware solution to a persistent software problem.

Posted by jho at 10:40 AM | Comments (0)

January 15, 2004

Soothing That Hack

http://itmanagement.earthweb.com/secu/article.php/3298191

I tend to be a gloomy gus about security issues, and probably the balance of security-related posts on this blog reflect that. However, there is a small pile of evidence accumulating suggesting that hacking attacks are having less effect and are shifting to service denial and similar exploits rather than actual theft. Improved security measures are seen as the reason behind this improvement, but this also masks the fact that the attacks are more sophisticated and coming faster on the heels of vulnerability discovery.

Something in the epidemiology models would have suggested this was the case -- so there is some cloud surrounding that silver lining after all.

Posted by jho at 09:41 AM | Comments (0)

January 14, 2004

A Clutch Of Security Resources

http://cl.com.com/Click?q=2c-DaaOIc0OqhKF1bqRXlAUBvCWr9RR

The indexed article discusses the important concept of secure identity management. The following materials offer other information about security:

A set of "Best Web Links" on security basics, "for those just entering the world of security", covering a wide range of topics, from biometrics to viruses, can be found here:

http://searchsecurity.techtarget.com/bestWebLinks/0,289521,sid14_tax281891,00.html

Another set of "Best Web Links" on common vulnerabilities is here:

http://searchsecurity.techtarget.com/bestWebLinks/0,289521,sid14_tax281934,00.html

Given the prevalence of Microsoft OFFICE in the workplace, some advice on locking it down for security is not amiss, and this comes from an expert, Roberta Bragg:

http://mcpmag.com/columns/article.asp?editorialsid=555

A white paper "The Secret to Simplified Firewall and VPN Security" covers a popular and significant topic:

http://searchSecurity.com/r/0,,16172,00.htm?stonesoft

Some straightforward security advice can be found here:

Knowing How Much Security You Need on a Windows 2000 Network
http://www.dummies.com/WileyCDA/DummiesArticle/id-1512.html

Breaking into the Basics of Network Security
http://www.dummies.com/WileyCDA/DummiesArticle/id-1808.html

Firewalls: Defending Your Network from Internet Attacks
http://www.dummies.com/WileyCDA/DummiesArticle/id-1518.html

Posted by jho at 01:23 PM | Comments (3)

A Model Defense

http://whitepapers.comdex.com/data/detail?id=1036681158_105&type=RES&src=KA_RES

Security threats to e-business, both established and pending, are sufficiently high-profile to make a white paper called "Internet Security - A Defense Model for E-Business" attractive without saying a word more.

Posted by jho at 11:49 AM | Comments (3)

Sifting Through The Layers

http://whitepapers.comdex.com/data/detail?id=1052750276_21&type=RES&src=KA_RES

Wireless is different, wireless is coming on strong, and wireless poses [as has been mentioned in this blog before] major security problems. Getting a grip on where to start may be assisted by this white paper: "Understanding the Layers of Wireless LAN Security & Management", which obviously goes beyond security issues.

Posted by jho at 11:38 AM | Comments (3)

January 12, 2004

Go Phish - Not!

http://whitepapers.comdex.com/data/detail?id=1073402060_588&type=RES&src=KA_RES

E-mail spoofing is a serious problem, particularly with the development of 'phishing' scams, which use e-mail to direct victims to realistic-looking but bogus Web sites. A range of "Proposed Solutions to Address the Threat of Email Spoofing Scams" is discussed in the white paper of the same name indexed by this URL. Both prevention and cure are discussed; understanding the pros and cons of various approaches can be useful for teaching many aspects of networking as well as security.

Additionally, here is a Web site devoted to the phishing problem and what can be done to prevent it, with archives and news:

http://www.antiphishing.org

Posted by jho at 01:04 PM | Comments (3)

January 10, 2004

Corvus, One Steaming Helping Of

http://www.straightdope.com/mailbag/mplurals.html

OK, I admit it, I was worng, rawng, REAUGHNG! For years I have resisted the locution 'viruses' in favour of the more euphonic 'viri'. However, I have about enough Latin to be able to say coma canensis on the day after...so this detailed, erudite, and ultimately devastating analysis of the hows and whys of proper pluralization has convinced me to the point that I make a public confession in humiliation and remorse.

From now on, the plural of 'virus' is 'viruses'. Case closed!

Posted by jho at 11:31 AM | Comments (3)

There's A Hole In Your Kernel, Dear Linus, Dear Linus...

http://open.itworld.com/4917/040105holekernel/page_1.html

The chortling by Linux fans whenever a Windows security exploit is reported was rather muffled by publication of a serious security hole in the Linux kernel. A kernel hole is exceptionally serious as a vulnerability class, since it can allow attackers to destabilize the OS or take control of the system.

Patches to fix the hole have been made available. The point worth study here is: was there any difference between the genesis, gestation, revelation, and resolution of this security issue in Linux and a similar case in Windows? The outcome of this could be a stronger recommendation for one OS type over another, or a realization that the Linux community has been overstating the case, perhaps "more than somewhat".

Posted by jho at 11:24 AM | Comments (3)

January 08, 2004

Sanitary Computing

http://www.computerworld.com/securitytopics/security/story/0,10801,88359,00.html

From my worm's-eye view, in the security battle, it looks like the bad guys are winning -- the level of disruption I have experienced this year on the InterNet is much greater than any year previous. However, this article suggests the light at the end of the tunnel is not an oncoming e-mail virus -- that tools which will mimic an immune system will be available as the result of ongoing research, reducing the threat accordingly.

We badly need something like this -- we cannot ask all computer users to become security experts to do their daily jobs, after all.

Posted by jho at 10:36 PM | Comments (3)

January 05, 2004

Banking On Wireless Security

http://www.bankinfosecurity.com/?q=node/view/334

Well-written article on assessing the risks of a wireless network, along with an enumeration of risk management considerations. Other portions of the site discuss many aspects of security, with articles on topics ranging from Sarbanes-Oxley to Security & Privacy. I have touched on wireless security in previous postings to this blog, and this is a useful addition to such material.

Posted by jho at 03:26 PM | Comments (0)

Things Going Bump

http://www.computerworld.com.au/index.php?id=2057465071&fp=16&fpid=0

According to this author, we have a bushel basket of new security challenges awaiting us in 2004, which will have to be met in organizations by improved and stricter [and unpopular] controls. Resisting the compulsion to connect, understanding that new technology developers don't put security first, and remembering that the bad guys are endlessly creative are three keys to understanding how security issues are going to play out in the future.

Posted by jho at 02:17 PM | Comments (0)

December 23, 2003

Three Worms In The Network

http://www.securityfocus.com/infocus/1752

An in-depth comparison of how three different worms (Blaster, Slammer, and Code Red I/II) impacted networks once the external security was breached. This is a useful examination not only of the effects such malware has, but also of how to create a remedial plan.

Posted by jho at 10:04 AM | Comments (0)

A Key To Understanding

http://www.youdzone.com/signature.html

The concept of asymmetric key encryption is a security issue upon which many students' [and faculty's] understanding founders. Here is a simple explanation of public key cryptography, digital certificates, and certificate authority which makes the outlines of the process somewhat easier to grasp.

Posted by jho at 09:30 AM | Comments (0)

December 17, 2003

Being A Ware

http://whitepapers.comdex.com/data/detail?id=1069861581_120&type=RES&src=KA_RES

A short white paper: "Beware Spyware" which gives a quick overview of this type of malware, useful for informing teachers and students alike. If people read something simple and basic about this, which looks digestible, they may be more motivated to do something about this. I would be prepared to bet a small chocolate bar that home users in the thousands still do not appreciate the spyware threat, even though they are suffering the consequences.

Posted by jho at 11:24 AM | Comments (0)

Holy MAC-rel - A Security Hole

http://www.pcmag.com/article2/0,4149,1408953,00.asp

An article taking a gleeful chortle over the revelation of a serious security vulnerability [which would allow a Mac system to be taken over remotely] in the Macintosh OS/X Jaguar/Panther release. Mac enthusiasts have been echoed by remote observers like yours truly in the assumption that the reduced vulnerability of Macintosh systems could justify their higher purchase price.

Say it ain't so, Steve! Well, in fact, there is somewhat less to this, I think, than flashes on the screen. It may well be that protection through minority status has resulted in this flaw not being exploited as yet, but I consider it a completely valid assumption that OS/X, with its UNIX roots, is inherently less susceptible to security flaws, and the degree of OS implementation has little to do with this. This is not the same as saying the OS has no flaws, just fewer flaws, and a better way of reducing such exploits when and as they happen.

But never let it be said I was hostile to exposing opinions which differ from mine, no matter how wrong they might be....

Posted by jho at 11:09 AM | Comments (0)

December 16, 2003

You Can't Hide

http://www.esecurityplanet.com/trends/article.php/3288271

Everyone agrees that e-mail is broken, and now some fixes are being proposed. The latest concept is a technical specification enabling e-mail recipients to verify sender identity, which then could be extended into a reputation report. Experts agree that e-mail identity is the requisite first step to reform. The pros and cons of this have been highlighted in this blog, because I feel this is no small issue in the way in which the IT environment is evolving.

Despite the eloquence and the genuine case that anonymity proponents have mustered in this debate, I still find myself, somewhat uncomfortably, under the tent of the identity brigade. In some sense, this demonstrates how central e-mail has become to the computing experience of most of us.

Posted by jho at 02:55 PM | Comments (0)

Tammany Hall Software

http://techupdate.zdnet.com/techupdate/stories/main/Massive_software_engineering_reform_is_a_must.html

Article summarizing the USA National Cyber Security Summit, which came up with a recommendation for more secure code and coding practices. This will involve a massive effort, requiring inter alia extensive retraining for those software developers who are already in the production stream. Similarly, current curricula must be revamped to give additional emphasis to responsible development with security in the main focus.

There is a lot more disagreement on the 'how' of this, and what the most effective model should be, but the output from this conference would not go amiss as the input to future curriculum development in software engineering [where, I must hasten to point out, I cannot claim even the thin veneer of expertise I profess in terms of networking].

Posted by jho at 02:32 PM | Comments (0)

Choosing Your Weapon

http://www.computerworld.com/securitytopics/security/story/0,10801,87554,00.html

Article with two salient points of interest. One revolves around the ever-increasing capability of malware, which will only increase as hardware and software powers increase. That the bad guys appear to be winning the war suggests this pessimistic take has a lot of merit.

But hidden away on the second page of this article is an arresting little chart, which shows the date at which a computer implemented the processing power of some living organism. For example, the processing power equivalent of a bacterium was available in 1975. I was under the vague impression that we were at the insect level today, but according to this, we passed lizard equivalency in 2000, and are making strides towards the capacity of the average mouse.

While human capacities are nearly two decades away, according to this [and I suspect 'the devil is in the details', and the timespan may be longer than that], just imagine something considerably lesser -- a computer system with the responsiveness and processing power of a dog. Such a level of achievement would itself be a massive upgrade in the ability to use computers as a tool, and would be made even more impressive if we could teach such computers not to make a mess indoors....

Posted by jho at 02:12 PM | Comments (0)

December 15, 2003

Owning The InterNet

http://www.usenix.org/events/sec02/full_papers/staniford/staniford.pdf

An analysis of the risks and prospects for worms on the InterNet, using Code Red as a model. This paper: "How to own the Internet in your Spare Time" suggests some preventative measures which can and should be deployed.

Posted by jho at 04:08 PM | Comments (0)

December 13, 2003

Pragmatical Practice

http://whitepapers.comdex.com/data/detail?id=1070473161_825&type=RES&src=KA_RES

If wireless security is not a concern, it should be; the basic WEP standard has demonstrated weaknesses, and undetected interception is so much easier with wireless that additional measures must be undertaken. This white paper: "Practical Solutions for Securing Your Wireless Network" can give you some pointers on how to reap wireless roses without security exploit thorns.

Another security paper from Cisco Systems focusses on: "Technology Best Practices for Endpoint Security":

http://whitepapers.comdex.com/data/detail?id=1070907383_68&type=RES&src=KA_RES

which introduces another layer into the security cake.

Posted by jho at 10:14 AM | Comments (0)

December 10, 2003

All The Stuff That's Not Fit

http://www.intranetjournal.com/spyware/

With the increasing prevalence of malware [computer programs foisted on you to your detriment] a good clear guide on what it is and how to deal with it certainly will not go amiss, and here is one such. In addition to being used for maintenance purposes, this is a good way to make students aware of many potential problems in computing practices they may take for granted.

Once you have worked in networking or security for a while, you take all this for granted, but for those without a technical background, this is a useful wake-up call.

Posted by jho at 06:00 PM | Comments (0)

December 03, 2003

Watching Your Back

http://whitepapers.comdex.com/data/detail?id=1070381782_523&type=RES&src=KA_RES

There is certainly enough going on in the security world these days that having a set of useful tips on hand for vulnerability reduction can come in quite handy for practitioners and educators [the latter sometimes wearing both hats] alike. This white paper: "Best Practices for Vulnerability Management" provides some guidance on how to go about reducing your risks.

More assistance can come from the following white paper:

http://whitepapers.comdex.com/data/detail?id=1069950009_199&type=RES&src=KA_RES

which covers this topic "From Project to Process - Policy-Based Vulnerability Management".

A look at crucial issues relating to the IT core comes from a white paper titled "Core Security", found at:

http://whitepapers.comdex.com/data/detail?id=1069861581_139&type=RES&src=KA_RES

Posted by jho at 08:30 AM | Comments (1)

December 02, 2003

Diebold Arrestless

http://news.com.com/2100-1028_3-5112430.html

The egregious attempt by Diebold to use the DMCA to throttle criticisms of its defective electronic voting system has resulted in the company's ignominious capitulation in court. In fact, the appellants are still seeking a court order proscribing like acts in the future.

It is pleasant to see the good guys win one for a change.

Posted by jho at 01:36 PM | Comments (0)

December 01, 2003

Hackermentalism

http://www.informationweek.com/story/showArticle.jhtml?articleID=16000606

Extensive article looking into the motivation of the hacker community, pointing out that it has its educational virtues as well as its criminal tinges. Knowing the motivation and activity of hackers should interest educators, especially as many hackers either get their start or remain comfortably ensconced in university computer systems.

Posted by jho at 09:15 PM | Comments (0)

Opening A Can Of WMD

http://www.economist.co.uk/science/displayStory.cfm?story_id=2246018

An Economist article covering much of the same ground as a number of specific past posts to this blog relating to networking security problems. Provides a good review of the major issues, and suggests methods of countering this disruption. Interestingly enough, in view of the position I have taken on this matter in previous posts, is one suggestion that outright anonymity cannot be supported on the InterNet of the future.

Posted by jho at 01:40 PM | Comments (0)

The Doctor Takes His Own Medicine

http://www.microsoft.com/technet/itsolutions/MSIT/Security/mssecbp.asp

Given that Microsoft's own network is a number-one target for attacks, some explanation of the principles used in that corporation to safeguard themselves is certainly worth inspection, and that is what this white paper: "Security at Microsoft", provides.

Most of the suggestions relate to using Windows 2003, but could be retrofitted to W2K systems.

Posted by jho at 01:28 PM | Comments (1)

November 26, 2003

It's A Steal!

http://www.eweek.com/article2/0,4149,1384450,00.asp

Article on how it is still easy to hijack someone else's domain name, made most interesting by the wall of secrecy which the principals throw up, which is not exactly comforting in regards to their accountability. Also indicates how aged some parts of the InterNet structure are, and a useful account of some of the real problems with DNS.

Posted by jho at 11:47 AM | Comments (0)

November 19, 2003

Wall Of Frazier

http://www.frazierwall.com/

URL indexes a single floppy distribution Linux firewall designed for Ethernet connections to the Internet (cable or xDSL), allowing connection sharing. This would be a good example of a class project which students could use for home purposes as well, providing extra motivation.

Posted by jho at 11:46 AM | Comments (119)

November 18, 2003

The Tools To Start The Job

http://www.foundstone.com/resources/freetools.htm

While security tools are useful adjuncts to classroom teaching, their cost can be prohibitive. Here is a link indexing a page of useful security tools for assessment, forensics, intrusion detection, scanning, and stress testing. When the menu sections are accessed, a page with a short description of each of these utilities displays.

The cost is hard to beat, since they are free.

Posted by jho at 06:07 PM | Comments (2)