May 05, 2004

Bot-ting In

http://news.com.com/2100-7349-5202236.html?tag=cd.top

In a scenario eerily reminiscent of Invasion of the Body Snatchers, security experts are concerned that bots, small programs which are downloaded stealthily and reside on computers until activated, form a greater security threat than the high-profile exploits dominating the current news. The range of damage a bot can do is extensive, from the classic Denial Of Service attack to information espionage on infected systems.

The article discusses a new bot variant which represents an upgrade of an established bot, incorporating public information about a long-standing Windows security vulnerability. As this article indicates, the first indication that something is going wrong may come long after our harbour has been pearled.

More details about this bot variant, with links to diagnostic and remediation tools, as well as even more information, can be found here:

http://www.esecurityplanet.com/alerts/article.php/3347331

Posted by jho at 07:21 PM | Comments (20)

Holding The Hot Spam Potato

http://www.informit.com/articles/article.asp?p=170852

Solutions and issues relating to spam have been covered in this blog already, but here is a novel take on the subject. Starting with the premise that most of the badness we now experience on the InterNet stems from permanently connected SOHO systems [itself something demanding of proof], the author suggests that such individuals be held legally responsible. Should that happen, those who are not motivated to use protection when computing would now have some reason to do so. Whatever one thinks of the merits of this argument, it certainly could form an interesting discussion point in any class dealing with social responsibility and computing.

Posted by jho at 06:36 PM | Comments (3)

Avoiding Vulnerability

http://www.knowledgestorm.com/collateral/WTP/50209_58306_99422_QualysYankee.pdf

Static security planning simply is not adequate to today's level of threats, as the 'Sasser' worm so brutally highlights. The indexed white paper "Dynamic Best Practices of Vulnerability Management" explains that dynamic planning has become an operational necessity, and gives some hints and tips on how to proceed. This is useful practical advice, as well as serving as a good base for security teaching.

An extensive white paper on "Protecting Databases" is available here:

http://www.knowledgestorm.com/collateral/WTP/48986_84494_44122_Protecting_Databases.pdf

making the crucial point that it is not enough to protect the security perimeter -- protecting data at the source also has to be implemented, and the paper shows how to get started at this.

Posted by jho at 11:37 AM | Comments (0)

April 29, 2004

Stuffing Software Holes

http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss366_art684,00.html

A commonly accepted explanation for security problems is poorly written software, whether application or operating system. This article discusses 7 major trends in software development, many of which have security implications:

1. Disappearance of Bloated Operating Systems: Microsoft's 'kitchen sink' approach to operating systems has shown its vulnerability both legally and technically; a simple OS is a safer OS.
2. Evolution of Components and Objects: will allow security elements to be seamlessly integrated into applications, but will also increase the risks of penetration.
3. Rise of Mobile Code: will continue to cause security headaches.
4. Normalization of Distributed Computation: increases complexity, thus increasing exploit risks both logically and geographically.
5. Proliferation of Embedded Systems: PDAs have the organizational security potential of a hand grenade, though location-specific security application may help here.
6. Mass Adoption of Wireless Networks: represent the major challenge to organizational security.
7. Change in Payment Models: Giving digital content economic value makes it impossible to defend.

While many of these factors have a negative implication for security, the fact that they tend toward specialized solutions in each application environment means that future security exploits will not be as widespread as at present. But when they do happen, they will cut much deeper.

A related article discusses the problems inherent in complexity, connectivity, and extensibility as these relate to current software:

http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss366_art689,00.html

I have known for some time that operating system code has increased in complexity [I remember the DOS days well], but the chart showing that the number of code lines in Windows OS has metastasized from 3 million to 50 million lines in 15 years is a vivid and arresting image!

Posted by jho at 10:29 AM | Comments (4)

Getting What You Want?

http://news.com.com/2100-7343-5194756.html

Problems with Digital Rights Management have been touched on in this blog before, indicating the degree to which I felt it was A Bad Thing And A Bad King. The indexed article suggests that while corporations may feel attracted to DRM, in fact there are a host of practical and technical difficulties which must be overcome. In this case [just like in copy protection], the only people really affected are the honest users, who are crimped in their ability to do things, while the bad guys simply overpower the protection and move on.

One point deserving additional stress mentioned in the article: corporate interest in DRM tends to intensify when a high executive is embarrassed by leaked information. Of course, the suggestion that such embarrassment is more easily avoided, and with greater social benefit, by simply refraining from the behaviour in the first place is simply too, too silly for words.

Posted by jho at 09:02 AM | Comments (3)

April 28, 2004

A Matter Of FAQ

http://securityadmin.info/faq.asp

A searchable, filterable FAQ on Microsoft Security, with the default showing the top frequently asked questions. A sidebar lists over a dozen subsections of the FAQ base, along with management and contact tools, plus links and a way to view the entire FAQ contents.

Since the FAQs provide links to both home and business content, they can serve as a most useful source of information generally, as well as, perhaps, inspiring one or more laboratory exercises or case studies.

Posted by jho at 09:23 PM | Comments (2)

April 27, 2004

All Your Vulnerability Base Are Belong To Us

http://www.osvdb.org/

This is the Open Source Vulnerability Database, which aims to catalogue all of the security issues to which the InterNet is susceptible. The home page shows the most recent entries which have been verified [two of these, for example, were dated the same day as this post]. The database can be browsed and searched, and documentation and FAQ are available from the home page.

Posted by jho at 08:22 AM | Comments (12)

April 22, 2004

PKIng At Problems

http://www.schneier.com/paper-pki.html

Public Key Infrastructure is one of the more mind-deadening things to teach in a security curriculum -- it is just rather hard to interest students about this concept, perhaps not least because there is some disagreement in the IT field itself about how and whether to use it. Here is a white paper: "Ten Risks of PKI: What You're Not Being Told About Public Key Infrastructure", which suggests that the benefits of PKI have been oversold, which could be a useful starting point for some more interesting discussions on this subject.

Posted by jho at 09:59 PM | Comments (5)

Ubiquity's Hidden Dangers

http://www.csoonline.com/read/040104/networks.html

We tend to think of the network as a collection of computers, perhaps extending the term to certain specialized devices like printers and plotters. But as this article points out, we increasingly are supplying IP addresses to devices which are not even remotely characterizable as computers, and the significant security problems which result are addressed at length. Not least of the problem is the explosion in numbers of linked devices, which could reach into the trillions by the end of this decade.

Which suggests, as indicated in this blog before, that we will need IPv6 after all!

Posted by jho at 11:48 AM | Comments (3)

Glazing The Pores

http://www.ecommercetimes.com/perl/story/security/33344.html

Problems relating to InterNet security have become bromidic commonplaces, and have been mentioned earlier in this blog. This article addresses the threats inherent in the Net being built on foundations which were never designed with security in mind, and what must be done to remedy this situation.

Another article, looking at a current TCP flaw which could lead to connection shutdowns, concludes that the vulnerability is there, but can be easily countered, and is in fact in the process of being patched:

http://internetweek.com/security02/showArticle.jhtml?articleID=18902471

Posted by jho at 11:21 AM | Comments (9)

Holding The Potato

http://www.nwfusion.com/news/2004/0405cybersecurity.html

The standard riposte of the IT industry to security problems has been to hold the customer responsible. The weakness of this assumption [which, say, compared to any other area of product liability represents a glaring exception] is beginning to be evident to many. The National Cyber Security Partnership has issued a report, summarized by this article, suggesting that government has a role in implementing incentives for industry to develop more secure software. Sounds good to me!

A sidebar indexes the NCSP site and some of the reports they offer, and additional articles and resources are provided at the end of the article.

Posted by jho at 08:56 AM | Comments (2)

Avoiding The Main Frame

http://www.darwinmag.com/read/030104/mainframe.html

Mainframes have been mentioned occasionally in this blog, because they are still important players in the IT environment, and are also often the server centerpiece of a network. As this article indicates, mainframes have particular security problems, most of which relate to their relative age. The article also suggests solutions -- there is definitely scope for hope here, but the problem must be realized first.

Posted by jho at 08:49 AM | Comments (2)

April 20, 2004

The Password Is "Chocolate"

http://news.bbc.co.uk/1/hi/technology/3639679.stm

Link to a short article [with lots of interesting commentary appended] about a couple of surveys on passwords, which indicated that 70% of those in the survey would reveal their password for a chocolate bar. Beneath the surface humour is a serious point: that many of our security activities set themselves up for failure because they simply don't take human nature into consideration. With attacker threats becoming so severe and the value of defended assets so great, I think it comes close to professionally irresponsible for those in the IT field to keep on pushing the same tired solutions which have been repeatedly shown as inadequate.

Besides, if somebody offered me a 6-pack of LINDT Cognac-filled bars....

Posted by jho at 02:05 PM | Comments (2)

April 08, 2004

The Grail Of OS Security

http://www.technewsworld.com/perl/story/33293.html

Article reporting that in response to a security consultancy's claim that "the world's safest and most secure online server operating system is proving to be the Open Source family of BSD (Berkley Software Distribution) and the Mac OS X based on Darwin.", an industry analyst says that such judgements are scarcely meaningful. The human element contributes to half of all security breaches, and this remains constant across operating systems. The real point being pushed here is that it is not the OS, but aspects of scale relating to connectivity which cause the problems.

In other words, if OS X and Windows were to invert their market shares, OS X would be the operating system experiencing vulnerability assaults. Far from allowing us to ignore the OS as a factor in all of this, as mentioned earlier in this blog, I would say the OS has to be front and centre as part of the analysis.

Posted by jho at 07:30 PM | Comments (2)

April 07, 2004

Safe Transfer

http://whitepapers.comdex.com/data/detail?id=1080147941_867&type=RES&src=KA_RES_20040331

While the importance of file transfer in many aspects of organizational operation across the InterNet cannot be gainsaid, it is equally true that the FTP protocol represents a particular vulnerability, and one which can be difficult to remedy. Some alternative standards for secure file transfer have been proposed, and this white paper asks the question: "Evolving Standards for Enhanced File Transfer: Do Recent Secure File Transfer Standards Measure Up?".

One solution to FTP vulnerabilities is deployment of a proprietary solution, as this white paper: "Instant FTP Security Made Easy" demonstrates:

http://whitepapers.comdex.com/data/detail?id=1075911003_39&type=RES&src=KA_RES_20040331

Posted by jho at 09:03 AM | Comments (2)

April 06, 2004

Keeping The Walls Up

http://csrc.nist.gov/publications/nistpubs/800-41/sp800-41.pdf

Firewalls are devices which have such fundamental simplicity [the equivalent of a locked door against outsiders] that it is easy for the uninitiated to over-simplify their implementation, and therefore create a worse security menace than if nothing had been done. The white paper indexed here: "Guidelines on Firewalls and Firewall Policy: Recommendations of the National Institute of Standards and Technology" provides an in-depth view of what firewalls are and how they work, and what important issues need to be considered in implementing these devices.

Posted by jho at 12:00 PM | Comments (2)

April 05, 2004

Security, Cisco-Style

http://www.certmag.com/articles/templates/cmag_nl_infosec_content.asp?articleid=681&zoneid=39

This is a very short guide to a very extensive array of security information available at the Cisco site -- one which explains what can be found somewhat better, I think, than Cisco itself does. Covering security advisories for Cisco products; technologies: security including overviews, case studies, trends analysis, best practices, white papers, and more; enterprise and small-medium business security seminars, white papers, self-study courses, and more; ISPs: managed security services; a security glossary; plus the Networking Professionals Connection: Security Forum, this page indexes a wealth of Cisco information, itself more easily found due to this page.

Posted by jho at 08:53 PM | Comments (3)

April 02, 2004

The Hidden Engine Of Threats

The degree to which network administrators face multiple threats is manifest from the following selection of security articles:

A good description of countermeasures to ward off the problems inherent in social engineering [which I think is one of the most critical threats in organizations of any size] can be found here:

http://www.windowsecurity.com/pages/article.asp?id=1318

A Windows feature named Alternate Data Streams, originally designed to enhance compatibility with Apple systems, now is a subtle threat (of which many Windows sysadmins are unaware) to such operating systems if the attacker is a clever hacker:

http://www.WindowSecurity.com/pages/article.asp?id=1314

That worm and other malicious code attacks are getting worse because perpetrators appear to be able to release them without much fear of being caught, and the resources available for hacking have become more widespread, forms the core of this article:

http://www.WindowSecurity.com/pages/article.asp?id=1317

An examination of the issues relating to open source security makes the point that whether software is open- or closed-source has little validity as a determinant, since the arguments in this issue can be made so many ways:

http://www.WindowSecurity.com/pages/article.asp?id=1315

Posted by jho at 11:21 AM | Comments (3)

April 01, 2004

Lunch Meat: Sizzle Or Steak?

http://www.nwfusion.com/research/2004/0322spam.html

Spam, and the problems it causes, form a recurring topic in this blog, because it has implications for IT education both as a subject and a phenomenon. Here is a look at the proceedings of a recent anti-spam conference, with opinions and ideas from leading participants in the fight against spam, and relevant news links following the article. One interesting theme - the participants note that the solutions here may be as much economic as technical.

Another article on this conference can be found here:

http://www.infoworld.com/article/04/04/16/16FEfuturemail_1.html

On the other hand, this article:

http://www.technologyreview.com/articles/wo_johansson032604.asp

suggests that a technological solution [a method which would make spam so computationally intensive that it would be worthless, instead of quick and easy] is the route to a spamless life.

Evaluating both sides of this debate is certainly a useful classroom tool, with the only certainty being the fact that the debate will go on.

Posted by jho at 10:32 AM | Comments (8)

March 31, 2004

007 Pays A Visit

http://comment.cio.com/soundoff/032504.html

Spyware has become a sufficiently pervasive and annoying problem that it has been mentioned several times in this blog. Because applied IT students should be using the InterNet vigorously, and exploring some of its more 'dangerous' nooks and crannies, beginners particularly are extremely vulnerable to these pests. Since too many institutions still mistakenly insist on Internet Explorer as their mandated browser, the situation is even worse. How bad it is is suggested by this article [which is accompanied by vigorous and interesting commentary] -- infection rates of 90% are posited, and credible. This is a major problem which must be faced and overcome to protect continuing health of the Net.

As this article suggests, help is on its way:

http://www.technewsworld.com/perl/story/33231.html

Of course, if we get the same 'assistance' from these folks as we got with the CAN-SPAM act....

This is not the only government initiative relating to surveillance; as this article indicates, the USA's FBI wants to make nettapping faster and easier, getting a hook into broadband:

http://www.pcmag.com/article2/0,1759,1549618,00.asp

Since this amounts to rearchitecting the Net in the interest of government agency surveillance, it definitely is a hot topic.

On the other hand, when it is not them doing the spying, lawmakers can get knotted knickers in a great hurry to regulate who spies on what. RFID issues have been discussed a good deal in this blog, and now some legislators are moving to control it:

http://www.wired.com/news/privacy/0,1848,62433,00.html

Since this would seem to put lawmakers at odds with big business lobbies, it will be interesting (and perhaps instructive) to see how all this turns out.

For many years after 1984 was published, the knock against the surveillance society depicted in the book was that it was neither feasible nor desirable. Technology is solving the feasibility issue -- how the desirability issue gets handled is going to be a major test of how democratic processes can continue to develop and flourish.

Posted by jho at 08:59 AM | Comments (7)

March 23, 2004

Sawing Through Event Logs

http://networking.ittoolbox.com/documents/document.asp?i=3773

To paraphrase Mr. Twain: "Everyone talks about event logs, but nobody ever does anything with them". This is, of course, an exaggeration, but it is true that while event logs can be of signal importance in an IT production environment, teaching about their effective use can be quite difficult outside that environment.

Logs are the raw material for an audit, and the indexed white paper, "Event Log Management: A Guide to a Stress-free Audit", explains how the current USA regulatory environment makes logging even more significant as an activity, and explains how to use them in preparation for an audit. Such a focus can be of great use in providing a practical pedagogical example.

Posted by jho at 08:16 AM | Comments (7)

March 22, 2004

Security Suggestions

http://whitepapers.comdex.com/data/detail?id=1079029984_674&type=RES&src=KA_RES_20040317

The URL indexes a white paper on "Integrated Security: Defending against Evolving Threats with Self-Defending Networks", which is Cisco's initiative to produce integrated security deep within the infrastructure. Something like this does seem like the best solution to this problem, and of course, can help improve Cisco's bottom line.

Some other security white papers from Cisco are:

Cisco IP Communications Security Policy Development and Planning Guide
http://whitepapers.comdex.com/data/detail?id=1078939330_728&type=RES&src=KA_RES_20040317

Trust and Identity Management: Solutions Overview
http://whitepapers.comdex.com/data/detail?id=1079026302_550&type=RES&src=KA_RES_20040317

IP Telephony Security in Depth
http://whitepapers.comdex.com/data/detail?id=1057858103_115&type=RES&src=KA_RES_20040317

Another major white paper on identity management, "Enterprise Identity Management: It's About the Business" defines the technologies involved to produce a solutions roadmap, and can be found here:

http://whitepapers.comdex.com/data/detail?id=1079109672_743&type=RES&src=KA_RES_20040317

A white paper on "Log Management: Closing the Loop on Security Event Management" explains this crucial networking activity, and can be found at:

http://whitepapers.comdex.com/data/detail?id=1079109677_478&type=RES&src=KA_RES_20040317

Two security papers relating to the Windows world are "Best Practices for Designing a Secure Active Directory - Multi-Org Exchange Edition", available at:

http://whitepapers.comdex.com/data/detail?id=1042225768_732&type=RES&src=KA_RES_20040317

and "Architecture and Design Review for Security", which can be found here:

http://whitepapers.comdex.com/data/detail?id=1079366506_346&type=RES&src=KA_RES_20040317

Posted by jho at 09:58 PM | Comments (7)

The Coroner's Log

http://www.informit.com/guides/content.asp?g=security&seqNum=51

The informIT site at www.informit.com is a valuable tool for the working professional. They publish a number of topical guides, including a security guide. This discusses Web Application Security, Operating System Security, Network Security, Hardening Your System, Wireless Security, and the Legal and Ethical Issues of Security.

What has been added, and worth noting at the URL given, is a section on Data Forensics, providing an example, and material on Forensics Fundamentals, Forensics Tools, Forensics and Encryption, and PDA Forensics.

Posted by jho at 09:41 PM | Comments (7)

Problems And Solutions

http://www.pcworld.com/news/article/0,aid,115214,tk,dnWknd,00.asp

I have waxed pessimistic about the ability of the white hats to overcome the black in terms of the escalating dangers of cyberspace, and the indexed report suggests that we are in a handbasket moving rapidly to its destination. On the other hand, given that the source is Symantec, producer of protective products, it can hardly claim to be disinterested -- yet at the same time, this does not make the report wrong.

Having a good practical guide on what steps you can take to mitigate these threats is certainly welcome, and one such can be found here:

http://www.pcworld.com/howto/article/0,aid,114727,tk,dnWknd,00.asp

Posted by jho at 09:19 PM | Comments (8)

March 19, 2004

With Help Like This...

http://www.definitivesolutions.com/bhodemon.htm

Exploits against one's Web browsers are as exquisitely annoying as a hangover, and most are realized through Browser Helper Objects, explained in the indexed site, along with the provision of a tool called BHODemon which allows you to remove unwanted BHO's.

While anti-spyware/adware software is the usual court of first resort in these cases, they don't always work, so having some additional weapons in your arsenal is never a bad idea. Here is a discussion site featuring another BHO-removal tool:

http://wwwspywareinfo.com/~merijn/cwschronicles.html

A tool which prevents homepage hijacking [as does, incidentally, a buried setting in Spybot Search & Destroy] can be downloaded here:

http://www.wilderssecurity.com/bhblaster.html

Another more general computer security site which offers a forum on BHOs is:

http://www.computercops.biz/index.php

Posted by jho at 09:05 AM | Comments (9)

March 18, 2004

Knock, Knock! Who's There?

http://www.linuxjournal.com/article.php?sid=6811

'Port knocking' -- only allowing systems to connect if they implement a sequence of closed port access attempts -- is an idea which could help VPN security and similar implementations in Linux. This article shows how to do it -- it represents a useful addition to the whole armour of security which administrators must implement these days.

Posted by jho at 09:52 PM | Comments (7)

Sweet Seduction

http://www.securityfocus.com/infocus/1761

Creating a 'honeypot' as a means of detecting/deflecting attackers on a network has a venerable history [and the technique's virtues and limitations should be clearly recognized]. Wireless networks can deploy analogous techniques, as explained in this detailed, illustrated, and well-referenced article.

Posted by jho at 09:47 PM | Comments (7)

Incidents And Accidents

http://searchsecurity.techtarget.com/featuredTopic/0,290042,sid14_gci930122,00.html?track=NL-103

Intrusion detection systems are a cornerstone of effective network security, and an open-source tool, 'Snort', can be a valuable item in teaching how to use IDS. The indexed URL provides a range of resources explaining Snort and how to use it most effectively.

Intrusion detection or any other measure of security analysis is meaningless without effective incident response planning, and this is often neglected in organizations. Here are some resources to help with this:

http://searchsecurity.techtarget.com/featuredTopic/0,290042,sid14_gci944780,00.html?track=NL-363

Posted by jho at 06:22 PM | Comments (1)

The Secure Chattering Classes

http://www.irchelp.org/irchelp/security/

Internet Relay Chat is another of those temptations to network disaster that I resist on the grounds they Promote Rust, although there are times I have to use it. This starkly plain but fully-functional resource explains how to use IRC in the safest manner, and includes exploit news, Trojan attacks, DoS, downloading issues, a firewall FAQ, general security, parental guides to IRC, IRC backdoors, IRC for administrators, how to find and report IRC abuse, and IRC's connection with hackers.

Since in the educational environment in particular, IRC may be an important method of participant communication, this represents another security site well worth bookmarking.

Posted by jho at 06:17 PM | Comments (5)

The World Is NOT Your Oyster

http://www.csoonline.com/read/020104/perimeter.html

Something as complicated as network security, especially when the InterNet is factored in, relies on metaphors for general understanding, but models of perimeter security based on individual bastions are increasingly meaningless in an environment where 'inside' and 'outside' the firewall are terms with less and less precision. Mobile computing and wireless are two major contributors to this.

An effective defensive model for this new security environment requires a combination of the concrete and the abstract. Defense in depth cannot be founded on a static security model, but the fact that there is no fixed starting point makes finishing the journey difficult. Alternatives are discussed in this article, and sidebars index a number of related articles as well.

Posted by jho at 04:35 PM | Comments (1)

March 17, 2004

Eye On The Spy

http://www.spywareguide.com/articles/

Not only is spyware a security problem [because some variants leave your system at risk to outsiders] and a performance problem [it is indicted as the cause of many system crashes], but it is also something which impacts most users personally. This leads to a high degree of dudgeon, so sources and resources to provide information and product reviews are well worth collecting.

The main site here allows you to find out about spyware, presenting lists of categories, online tools, product reviews, a mailing list, and education on this class of malware. The indexed URL lists some two dozen papers on aspects of spyware which can support a research project or spark classroom discussion.

The nastiness of spyware [not least in the lack of trust it inculcates between InterNet software suppliers and the using public] requires responses, and this on-line guide contains sections on Lookup Spyware, List of Spyware, List of Categories, and List of Companies; Terms & Definitions and FAQs; online detection and removal tools; plus introductory information, how-tos, and an extensive set of classified product reviews.

Posted by jho at 05:49 PM | Comments (1)

Kicking The Firewall Tires

http://www.WindowSecurity.com/pages/article.asp?id=1313

For an individual machine, a software firewall can often be sufficient [although of course it should not be regarded as a security panacea], but for a server or other high-end resource, a hardware firewall [and often more than one of them] is definitely indicated.

How to tell which one is best? This white paper, "Comparing Firewall Features", presents an evaluative structure which will let you decide.

Posted by jho at 05:33 PM | Comments (1)

Straight From The Dart's Mouth

http://www.ists.dartmouth.edu/

If you want to access the resources of a major research institute on cybersecurity and cyberterrorism, you merely have to follow the above link. The institute provides an extensive description of its activities, which are certainly interesting in their own right. It also provides a heaping helping of security resources.

While the searchable site is cleanly laid-out in an elegant presentation, you must realize that its structure contains considerable depths, and you will get the best feel for what this site can do for you by poking around and reading carefully -- expect to take more than 5 minutes doing this.

The result may be a permanent reward for anyone teaching any aspect of IT security studies.

Posted by jho at 04:47 PM | Comments (3)

March 12, 2004

To The Bottom Of The Spam Can

http://www.securityfocus.com/infocus/1763

http://securityfocus.com/infocus/1766

A two-part well-referenced article [the link to the first part appears at the end of the second, but the first part has no link to the second -- hence both links] by a noted expert on spam, the battle against it, and the security issues involved [identity theft, malware propagation, and combined exploits].

Filters are seen as limited, at best. Reverse lookup will help control header forgeries, but will leave those whose domains do not host a mail server out in the cold, while also causing problems for mobile computing. Challenge systems and cryptographic systems also have their limitations.

The conclusion to this article is rather depressing: "...a good solution today is unlikely to be a good solution tomorrow".

A related white paper, discussing "E-mail spam: Is it a Security Issue?", is available here:

http://www.WindowSecurity.com/pages/article.asp?id=1311

Another article, indicating that the spammers are 'winning' this war [of course, their 'victory' will prove disgustingly barren], with indications that 80% of USA e-mail traffic is spam, can be read here:

http://www.baltimoresun.com/technology/bal-te.spam14mar14,0,3015793.story

The technology of turning intermediate machines into spam zombies exacerbates the problem -- and increases the desirability for condign punishment for the perpetrators.

Posted by jho at 11:00 AM | Comments (12)

March 11, 2004

OS Icks

http://www.eweek.com/article2/0,1759,1540556,00.asp

The Apple Filing Protocol used in the 'Panther' version of OS X was revealed to have a security weakness allowing a malefactor to steal passwords or data. I have remarked before about Mac enthusiasts chortling about their relative immunity to vulnerabilities. Once again, we see that no operating system is perfect [even though a variety of circumstances may make OS X less vulnerable, the difference is one of degree and not of kind.] The indexed article discusses the problem at some length.

Posted by jho at 09:20 PM | Comments (12)

Unsafety Net

http://www.crime-research.org/news/29.02.2004/95

Brief description of the InterNet scam called 'phishing', where a fake site location is sent to the victim through e-mail, in order to gather information that the victim would expect to enter at the valid site. This is a growing problem, and some experiences of involved institutions are discussed here.

As if this was not enough, the risk of cyberterrorism has been raised in this article:

http://www.crime-research.org/news/28.02.2004/92

This article details some analysis showing that January, 2004 established new records for Net-borne malware:

http://www.crime-research.org/news/26.02.2004/83

The costs of Net fraud are in the same ballpark as global e-commerce incomes, according to this article:

http://www.crime-research.org/news/24.02.2004/internet_fraud_1

Problems of dysfunctional behaviour on the Net have been addressed previously in this blog.

Posted by jho at 06:57 PM | Comments (10)

March 05, 2004

Trendy Security

http://www.trendmicro.com/en/security/white-papers/overview.htm

The URL indexes the Security Information white papers section of the Trend Micro site, with nearly a dozen papers directly relevant to malware and security problems. These papers are downloadable in .PDF format.

In addition to their products, the site offers a Weekly Virus Report, a Virus Map and a Virus Encyclopedia, downloadable test files, general virus information, Webmaster Tools, and a description of ongoing research/development at TrendLabs.


Posted by jho at 11:08 AM | Comments (11)

A Matter Of Policy

http://www3.ca.com/solutions/collateral.asp?CID=33504&ID=1128&CCT=

Policies represent the grey underside of networking -- in the educational context, partly because it is very difficult to create meaningful practical examples, most students summon less enthusiasm for them than they do for wet blotting paper. Yet policies are a major management tool, and effective antivirus protection is impossible without them.

The indexed URL links to the Computer Associates Virus Information Center, and discusses antivirus policies in terms of policy effectiveness, policy principles, and policy constants. Given that the site sponsor sells antivirus software, there may be a note of 'special pleading' here, but this is nevertheless a useful stimulant to the development and discussion of policy in the classroom environment.

Posted by jho at 10:49 AM | Comments (11)

March 04, 2004

I'll Take The Keys, Thanks

http://www.cs.dartmouth.edu/~carlo/research/tr2004-489.pdf

A white paper covering an aspect of networking security which, because of its complexity, can get glossed over: "Keyjacking: The Surprising Insecurity of Client-side SSL". The client-side vulnerabilities are discussed in detail -- this is a good antidote to a lot of the security 'happy talk' which tends to predominate in certification resources discussing this subject.

Posted by jho at 09:55 PM | Comments (11)

A Thicker Firewall

http://www.eweek.com/article2/0,4149,1525830,00.asp

Firewalls are a staple of the network security environment, and while they are not a panacea, they remain an important component of networking security, particularly for organizations connecting to the InterNet. The indexed article discusses the additional security available from perimeter firewalls implementing deep packet filtering technology. The power such firewalls bring to fighting malware certainly will offset their purchase costs and operational overhead in small and medium-sized networks, whereas tradeoffs need more careful evaluation in larger systems.

A number of related articles are linked in a sidebar.

Posted by jho at 09:15 PM | Comments (1)

Curing Spam, Keeping the Patient

http://news.com.com/2008-1032-5164246.html

Spam is a significant and continuing problem for network managers, particularly those involved in backbone networking; it is a constant topic in this blog. The URL indexes an interview with a major spam-fighter which makes an interesting comparison: spam is like cancer -- it is not a single object, but a whole cluster of objects. This means that there will not be any 'single cure', and we also have to create cures which will not wind up killing the 'patient'. The article makes a particular point of the ineffectiveness of the current legal restrictions against spam compared to the effectiveness of the law outlawing junk faxes, suggesting some avenues for emulation.

A relevant related article here:

http://www.ecommercetimes.com/perl/story/32931.html

agrees with the thrust of the first article -- multiple approaches are needed to stop spam, including filtering [connection, SMTP, content, HTML tag, and Bayesian], URL domain blacklisting, delivery/processing rules, end-user education, and false positive prevention. The article has a sidebar listing related articles of interest.

Posted by jho at 04:12 PM | Comments (1)

March 02, 2004

Securely Grander

http://www.csoonline.com/read/020104/shop.html

Just as the computing 'Grand Challenges' mentioned earlier in this blog stimulate the imagination and can act as a focus for research/study activity, so this article emulates such activity in the security field, presenting four grand challenges for security:

1. Eliminate epidemic-style attacks (viruses, worms, spam) within a decade.

2. Develop tools and principles allowing socially important large systems to be highly trustworthy despite being attractive targets.

3. Develop quantitative information-systems risk management to be as robust as its financial equivalent within 10 years.

4. Give end users security controls they can understand and privacy they can control and which will be adequate for future needs.

The focus of this initiative is to emphasize strategic directions over tactical elements, in a security context where there is no time to be lost in effecting a cure.

Posted by jho at 12:51 PM | Comments (1)

All Secure, Sir!

http://www.mit-kmi.com/articles.cfm?DocID=384

Article indicating the degree to which the USA's National Security Agency is leading the way on a number of security issues:
* Secure interoperability between wireless and wired systems
* Iridium satellite security
* Creation of a database of wireless vulnerabilities
* Advanced encryption with emphasis on wireless systems
* Satellite connectivity

The technical details in the article give a good idea of the complexity and importance of this undertaking, which certainly seems necessary in today's networking security environment.

Posted by jho at 11:53 AM | Comments (1)

Security, Airport And Elsewhere

http://www.securecomputing.com/pdf/remoteinsecurity.pdf

Sometimes less really is more. The URL indexes a 4-page white paper titled "Remote Insecurity: How business travelers risk exposing their companies when remotely accessing company networks". This gives a number of common scenarios where travellers put their data and systems at risk; these can be a most stimulating source of discussion and can serve as the initial foundation for some interesting practical projects.

Posted by jho at 09:04 AM | Comments (1)

February 27, 2004

Goring The Bad Guys

http://www.pcworld.com/news/article/0,aid,114982,tk,dn022604X,00.asp

'Longhorn' and its unfurling development have been the subject of much previous comment in this blog. An equal emphasis has been given to security, and mention has been made of autonomous systems which are capable of 'healing' themselves. The importance of security in its broadest sense [i.e. not merely keeping things confidential, but also keeping the system bandwidth available for productive use] has sharply escalated in the last couple of years. Complex problems require complex solutions, which is why all three above-mentioned themes are converging in 'Longhorn' development.

Thus the discussion in this article of how Microsoft's next-generation operating system will automagically take care of many important security problems is worth some attention. If Bill Gates can deliver on this promise, he well may make Microsoft's desktop position unassailable.

Posted by jho at 09:00 AM | Comments (1)

February 23, 2004

Spyware Stopper Stravaganza

http://www.pcmag.com/article2/0,4149,1523357,00.asp

With spyware [and related browser hijacking] becoming increasingly severe as a problem, the variety of tools to combat it has proliferated. This article discusses a comparative test among 14 anti-spyware programs. Treated as well are the characteristics of spyware, how to avoid it, and how to tell if you have been infected by it. This is a good one-stop-shop for determining resources and strategies for dealing with these pests.

The article should be valuable as a discussion starter for those studying basic InterNet security, as well as giving directions on how to find the best tool to actually use in a given case.

Posted by jho at 08:25 PM | Comments (2)

Prime Wireless Security

http://www.windowsecurity.com/articles/Wireless_Security_Primer_101.html

http://www.windowsecurity.com/pages/article.asp?id=1151

Since the above articles represent the first and second parts of a primer on wireless security, I thought it would be most useful to display them together. This is a very good brief overview of the subject, covering what is involved and how it all works, in a manner conducive to easy learning. As mentioned elsewhere in this blog, the attractions of wireless go hand-in-hand with the security risks involved, making this an important topic.

A discussion of the range of potential wireless attacks is presented here:

http://www.windowsecurity.com/articles/Wireless_Attacks_Primer.html

A revised version of an in-depth paper on applying the Cisco SAFE methodology to Wireless LAN security is presented here:

http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a008009c8b3.shtml

and can also be downloaded in a 75-page .PDF version.

Posted by jho at 06:17 PM | Comments (0)

February 20, 2004

Four Keys To The Kingdom

http://whitepapers.comdex.com/data/detail?id=1076950008_357&type=RES&src=KA_RES

Wireless remote access is desirable, and, as noted in this blog from time to time, poses significant security risks. Criteria for mitigating such risks are outlined in this white paper: "Four Keys to Secure Wi-Fi Remote Access", as follows:
1. User authentication must be administered at the enterprise level.
2. Virtual Private Networks must be connected end-to-end.
3. Multi-service coverage should be broad.
4. Your remote access client must be wireless-enabled.

Some methods for doing these things are discussed in the white paper.

Posted by jho at 01:33 PM | Comments (1)

ASN-ine

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci949830,00.html

The major flap about the ASN.1 vulnerability issue in Microsoft Windows of course represents a serious core issue [not least the fact that the company 'sat on' the problem for 6 months after being notified]. But it is just as important to understand how fundamental this flaw is -- ASN.1 is the specification which drives the data definition for all networked elements, and is at the heart of SNMP.

Also important is understanding the nature of the flaw -- it was a buffer overflow [and where have we heard that before?], allowing the attacker to take over and run the affected machine remotely. The fact that the flaw was located in the parser library for ASN.1 just makes this worse, since this library is used in cryptographic and authentication routines like Kerberos. The irony of this, of course, is that the exploit just affects the 32-bit and 64-bit versions of the Windows OS, which are supposed to be the most secure.

Now a patch is available at:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS04-007.asp

but this should not really help us sleep at night. Because ASN.1 is so fundamental to network operations, we have to ask ourselves: are the ASN.1 libraries used by other operating systems really safe?

Posted by jho at 08:43 AM | Comments (1)

February 19, 2004

Ears Are Everywhere

http://www.ecommercetimes.com/perl/story/32874.html

Short analytic article indicating that wireless flexibility is a great boost to productivity, but security problems still persist. Implementing organizational protection for portable devices is difficult, because the environment in which such devices are used is both various and unpredictable. IT security professional vigilance is required as much, if not more, for wireless applications, which should be implemented according to a specific policy based on cost/benefit calculations.

The article also links to others on this and related topics.

Posted by jho at 11:29 AM | Comments (1)

February 18, 2004

Dumm-Da-Dumm-Dumm!

http://www.crime-research.org/

This is an excellent site to get news and information about computer crime. The searchable site offers news, information about crime/security events, articles, books, keeps tabs on legislation, provides a wealth of links, and has an archive. Many of the articles have a Russian slant; they are supplemented by analytics and interviews from an international perspective.

There is also a weekly newsletter from the organization, to which you can subscribe.

Posted by jho at 10:49 AM | Comments (1)

February 16, 2004

Meating Spam Costs

http://whitepapers.comdex.com/data/detail?id=1074104559_384&type=RES&src=KA_RES

The volume of commentary on spam indicates how severe and continuing a problem it is -- if Bill Gates can deliver on his promise of a spam-free world by 2006, he will become a hero of the computer age to rival Linus Torvalds. In organizations, of course, spam has a cost, and measures to counter spam also have costs, and the metrics for all this are abstract and slowly emerging. This white paper: "Measuring Up: Evaluating the Return on Investment (ROI) of Spam Filtering" can provide some useful advice and statistics.

Of course, the spammers try to subvert filtering, and current trends involve the use of complex code concealed in HTML, as explained in this white paper on "Spam: A Many Rendered Thing; An in-Depth Look at Current Trends in Spamming Techniques" which is also worth considering:

http://whitepapers.comdex.com/data/detail?id=1074104558_819&type=RES&src=KA_RES

Another article, with links and references, which expresses skepticism of the methods Microsoft has proposed to control spam [and which also explains the initiative in outline] can be found here:

http://www.nwfusion.com/news/2004/0301microsoftspam.html?nl

Posted by jho at 09:35 AM | Comments (1)

Posterior Protection

http://whitepapers.comdex.com/data/detail?id=1076090569_333&type=RES&src=KA_RES

Though anyone who works in IT directly may find it somewhat amazing that line administrators are often insouciant about security threats, this nevertheless remains a brute fact about life in the corporate world. From the executive's point of view, security is simply an expense without reward [though of course insurance, in the ideal situation, is something analogous], and the risks may seem quite diffuse and hypothetical. A primer on how to educate management is therefore useful, and this white paper: "Network Security: 11 Reality Checks to Help the CEO 'CYA'" would appear to be worth a look.

In addition to educating students on the sorts of vulnerabilities which are present in today's networking environment, a paper like this can help them understand that they have to be issue champions as well. It also could serve as a useful starting point for discussions or exercises.

Another angle on this situation is presented in this white paper: "The Top Five Challenges to Achieving Outstanding Enterprise Security and How to Overcome Them", which can be found here:

http://whitepapers.comdex.com/data/detail?id=1076950016_881&type=RES&src=KA_RES

Posted by jho at 08:22 AM | Comments (1)

February 12, 2004

The E-Postman Knocks Twice

http://www.pcmag.com/article2/0,4149,1464011,00.asp

E-mail, one of the most popular and widely used InterNet services, certainly has been taking a battering, as previous entries in this blog have testified. This extensive article suggests that 2003 represented a tipping point: spam now accounts for more than 50% of e-mail messages, and e-mail is increasingly used as a hacker attack method.

This extensive discussion, with embedded links, discusses the rising tide of problems, what must be done to improve matters [and the effort that this involves], the role of clients in a variety of venues, and how spam blockers can and should work.

Meanwhile, lawmakers are saving us from ourselves, while not really doing much to improve the problem -- in fact, as this article indicates, they may be making it worse:

http://www.governing.com/articles/1spam.htm

Posted by jho at 02:22 PM | Comments (1)

February 11, 2004

Pipelining

United Business Media's CMP division has launched a set of tightly focussed searchable Web pages called 'pipelines', which index news, trends, how-to-do-its, products, white papers, webcasts, sponsored links with downloadable software, and a glossary. Those of specific interest to most applied IT teachers are:

http://www.securitypipeline.com/ covering desktop, network, and infrastructure security plus policy & privacy.

http://www.linuxpipeline.com/ covering core Linux, applications, enterprise open source, and business.

http://www.networkingpipeline.com/ covering security, infrastructure, wireless, and voice/data integration.

http://www.serverpipeline.com/ covering entry-level, mid-range, and high-end servers, plus their supporting technologies (including operating systems).

http://www.itutilitypipeline.com/ covering utility computing and services, grid computing, and enterprise systems.

http://www.desktoppipeline.com/ covering desktop operating systems, application software, and hardware as these relate to all current desktop OS.

Additional pipelines address small business, mobile computing, and storage issues. These look like excellent information sources to benchmark and revisit, for students and teachers alike.

Posted by jho at 12:21 PM | Comments (1)

February 06, 2004

An Inside Job

http://news.com.com/2100-1032_3-5153485.html

As Daffy Duck would say: "D-E-E-SPPTH-ICABLE!!" The problem of 'spyware' -- programs which download/install themselves on your computer and report back on your surfing habits -- quite predictably led to the development of spyware killers. Now, just as predictably, reports are filtering in that a number of spyware killers in fact function as spyware themselves.

Now all this is infuriating enough, and a number of people are as mad as hell and not going to take it any more, but there is an additional consideration: lots of spyware doesn't just fink on you, it also slows down your computer and makes it more likely to crash.

The article discusses the development of spyware problems, the attempt to reduce/eliminate such parasitic software, and what actions are being taken by those victimized by what are clearly unfair and deceptive practices.

Because many in the educational environment depend on computers but have little comprehension of their internal workings, effective education about spyware is a basic requirement, to which the indexed article (with links to related information) can provide substantial assistance.

Posted by jho at 11:52 AM | Comments (1)

The Best DNS Defence

http://www.networkmagazine.com/shared/article/showArticle.jhtml?articleId=17200256&classroom=

Domain Name Service is a vital cog in any InterNet service machine, and like every other part of the TCP/IP suite [DNS is considered an Application Layer protocol], it was not designed with security in mind. The range of risks will only increase as wireless technologies achieve widespread adoption in organizations.

This detailed article, with extensive embedded supporting links, explains what the problems are, and what you can do to guard against them. Such articles underscore the fact that security is a multifaceted activity, not simply slapping a firewall in front of your LAN and using passwords. In addition to being a valuable reference for a course dealing with Net security, for the more creative amongst us it could serve as a source of ideas for attack testing under laboratory conditions.

The article includes references to DNS concepts and operations, and detailed methods of implementing DNS security.

Posted by jho at 08:37 AM | Comments (1)

February 05, 2004

Block That Threat!

http://whitepapers.comdex.com/data/detail?id=1075747187_769&type=RES&src=KA_RES

The tussle between the black and white hats continues unabated -- the one secure claim we can make is that this problem will continue to escalate in complexity and impact. How threat management is responding to such challenges is outlined in this white paper: "The Next Generation of Threat Management".

It rather sounds like we need this bad.

Posted by jho at 08:58 AM | Comments (1)

February 04, 2004

Bad Guys Rule

http://www.eweek.com/article2/0,4149,1484760,00.asp

I have, for more than several years, been pessimistic about the ability of network administrators to prevail in the contest against malware. The attacker not only has surprise on his side, he also has the advantage of human inertia and complacency in the face of a threat which is probabilistic and diffuse. This article suggests that antivirus researchers are coming to the same conclusion.

If there is any dawn to this dark night, it is still a long way away.

Posted by jho at 09:50 PM | Comments (1)

February 03, 2004

Simple Security

http://www.certmag.com/articles/templates/cmag_feature.asp?articleid=580&zoneid=1

The URL indexes a short, simply-written article on the basics of network security, looking at the architecture, its vulnerabilities, security practices in response to these, the technologies of their implementation, and the certifications currently available for security.

Posted by jho at 11:44 AM | Comments (1)

February 02, 2004

Insecurity Insomnia

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci945775,00.html

A survey of information security professionals indicated that the whopping majority (97%) feared employee negligence/abuse of data resources as their most worrisome concern. Right next to this was lack of resources, cited by 90%. In comparison, only 70% worried about a catastrophic external threat.

Despite the small size of the survey [n=34], this sounds about right, in terms of the conventional wisdom that the majority of all security issues originate from inside an organization, rather than coming from outside.

Posted by jho at 11:26 AM | Comments (1)

January 28, 2004

Trust Me, I'm Your Computer!

http://www.againsttcpa.com/tcpa-faq-en.html

I have commented on the "trusted computing" issue several times in this blog -- the indexed article discusses the ins and outs of this technology, and overall holds it to be a Bad Thing And A Bad King. As do I.

But we have to realize that some of the things which trusted computing is intended to implement are not in the least objectionable [I have, for example, no problem at all with Microsoft being able to enforce payment on all who use its products], and will, in fact be highly desirable to a small minority, who just happen to have access to the levers controlling the legislative system. It is equally true that some of the things which trusted computing could do are highly objectionable.

Then the question must be re-focussed: are the costs worth the benefits? In particular, would it be possible to control some of the objectionable aspects through the operation of standard commercial law? The problem with a positive answer here is that the technology of enforcement is sufficiently stealthy that it might be extremely difficult to detect and remedy non-compliance with such law.

Like many other things in IT and life in general, when examined closely, this does not turn out to be a simple topic at all, and we may get answers less by prescription in advance than by muddling through and working out what prove to be the inevitable consequences.

Posted by jho at 10:22 AM | Comments (1)

January 21, 2004

Lunch Meat Prestidigitation

http://whitepapers.comdex.com/data/detail?id=1074104558_819&type=RES&src=KA_RES

The evolutionary contest between spam and spam control techniques parallels that between virus and antivirus software, with convincing echoes of the biological eponym. This white paper, with a title after my heart: "Spam: A Many Rendered Thing; An in-Depth Look at Current Trends in Spamming Techniques" looks at the variety of new techniques spammers use to outfox filters.

There is, of course, an odd and melancholy irony to all of this -- if the spammers succeed, they will remove all reason to use e-mail, whereupon they will be broadcasting to thin air.

Posted by jho at 08:49 PM | Comments (0)

On Not Getting Chomped

http://www.pcpitstop.com/gator/

A major online annoyance is material from Gator [adba Claria] popping up when you surf, with potentially unpleasant effects on your system. The indexed URL explains all about this disservice, as well as what you can do about it.

My thought on the matter -- the Gator staff should be introduced to hungry examples of their eponym, on a one-to-one basis -- that would be fun to watch!

Posted by jho at 03:52 PM | Comments (0)

Secure From The Start

http://www.securecoding.org/

While the primary emphasis of this blog is definitely not on programming, since I could not code my way out of a wet antistatic bag, the fact remains that effective coding has to be one of the major building blocks to improved security. While this site is devoted to a specific book on the topic [with the highly arcane title of Secure Coding: Principles & Practices], it also contains a mailing list, and a book companion with Additional Case Studies, Checklists, Software Tools, Code Snippets, Bibliography and Links, Contributions, and Analysis of Topical Vulnerabilities.

All in all, this looks like a useful site to bookmark for those who can benefit from it.

Posted by jho at 03:36 PM | Comments (0)

January 20, 2004

Dark Crystal Ball

http://www.computerworld.com/printthis/2003/0,4814,88646,00.html

In a worst-case scenario for the InterNet by 2010, the result is complete chaos. Cheer up! We likely will not reach that state, because long before then we will have suffered a 'Digital Pearl Harbor' that will show how severely we need to change. Exactly what the nature of this will be is a matter of some debate -- but we won't like it, whatever it is. One of the major casualties of the disaster will be innovation, and another will be privacy.

I really can't argue much against these predictions -- they sound all too plausible.

Posted by jho at 05:25 PM | Comments (0)

January 16, 2004

My Buffer Floweth Over, Not

http://www.pcworld.com/news/article/0,aid,114328,00.asp

A major and continuing source of security exploits is buffer overflows. AMD's 64-bit processors now add a feature called "Execution Protection", which prevents execution takeover after an overflow event. Intel is also looking at adding this technique. This looks like a major hardware solution to a persistent software problem.

Posted by jho at 10:40 AM | Comments (0)

January 15, 2004

Soothing That Hack

http://itmanagement.earthweb.com/secu/article.php/3298191

I tend to be a gloomy gus about security issues, and probably the balance of security-related posts on this blog reflects that. However, there is a small pile of evidence accumulating suggesting that hacking attacks are having less effect and are shifting to service denial and similar exploits rather than actual theft. Improved security measures are seen as the reason behind this improvement, but this also masks the fact that the attacks are more sophisticated and coming faster on the heels of vulnerability discovery.

Something in the epidemiology models would have suggested this was the case -- so there is some cloud surrounding that silver lining after all.

Posted by jho at 09:41 AM | Comments (0)

January 14, 2004

A Clutch Of Security Resources

http://cl.com.com/Click?q=2c-DaaOIc0OqhKF1bqRXlAUBvCWr9RR

The indexed article discusses the important concept of secure identity management. The following materials offer other information about security:

A set of "Best Web Links" on security basics, "for those just entering the world of security", covering a wide range of topics, from biometrics to viruses, can be found here:

http://searchsecurity.techtarget.com/bestWebLinks/0,289521,sid14_tax281891,00.html

Another set of "Best Web Links" on common vulnerabilities is here:

http://searchsecurity.techtarget.com/bestWebLinks/0,289521,sid14_tax281934,00.html

Given the prevalence of Microsoft OFFICE in the workplace, some advice on locking it down for security is not amiss, and this comes from an expert, Roberta Bragg:

http://mcpmag.com/columns/article.asp?editorialsid=555

A white paper "The Secret to Simplified Firewall and VPN Security" covers a popular and significant topic:

http://searchSecurity.com/r/0,,16172,00.htm?stonesoft

Some straightforward security advice can be found here:

Knowing How Much Security You Need on a Windows 2000 Network
http://www.dummies.com/WileyCDA/DummiesArticle/id-1512.html

Breaking into the Basics of Network Security
http://www.dummies.com/WileyCDA/DummiesArticle/id-1808.html

Firewalls: Defending Your Network from Internet Attacks
http://www.dummies.com/WileyCDA/DummiesArticle/id-1518.html

Posted by jho at 01:23 PM | Comments (3)

A Model Defense

http://whitepapers.comdex.com/data/detail?id=1036681158_105&type=RES&src=KA_RES

Security threats to e-business, both established and pending, are sufficiently high-profile to make a white paper called "Internet Security - A Defense Model for E-Business" attractive without saying a word more.

Posted by jho at 11:49 AM | Comments (3)

Sifting Through The Layers

http://whitepapers.comdex.com/data/detail?id=1052750276_21&type=RES&src=KA_RES

Wireless is different, wireless is coming on strong, and wireless poses [as has been mentioned in this blog before] major security problems. Getting a grip on where to start may be assisted by this white paper: "Understanding the Layers of Wireless LAN Security & Management", which obviously goes beyond security issues.

Posted by jho at 11:38 AM | Comments (3)

January 12, 2004

Go Phish - Not!

http://whitepapers.comdex.com/data/detail?id=1073402060_588&type=RES&src=KA_RES

E-mail spoofing is a serious problem, particularly with the development of 'phishing' scams, which use e-mail to direct victims to realistic-looking but bogus Web sites. A range of "Proposed Solutions to Address the Threat of Email Spoofing Scams" is discussed in the white paper of the same name indexed by this URL. Both prevention and cure are discussed; understanding the pros and cons of various approaches can be useful for teaching many aspects of networking as well as security.

Additionally, here is a Web site devoted to the phishing problem and what can be done to prevent it, with archives and news:

http://www.antiphishing.org

Posted by jho at 01:04 PM | Comments (3)

January 10, 2004

Corvus, One Steaming Helping Of

http://www.straightdope.com/mailbag/mplurals.html

OK, I admit it, I was worng, rawng, REAUGHNG! For years I have resisted the locution 'viruses' in favour of the more euphonic 'viri'. However, I have about enough Latin to be able to say coma canensis on the day after...so this detailed, erudite, and ultimately devastating analysis of the hows and whys of proper pluralization has convinced me to the point that I make a public confession in humiliation and remorse.

From now on, the plural of 'virus' is 'viruses'. Case closed!

Posted by jho at 11:31 AM | Comments (3)

There's A Hole In Your Kernel, Dear Linus, Dear Linus...

http://open.itworld.com/4917/040105holekernel/page_1.html

The chortling by Linux fans whenever a Windows security exploit is reported was rather muffled by publication of a serious security hole in the Linux kernel. A kernel hole is exceptionally serious as a vulnerability class, since it can allow attackers to destabilize the OS or take control of the system.

Patches to fix the hole have been made available. The point worth study here is: was there any difference between the genesis, gestation, revelation, and resolution of this security issue in Linux and a similar case in Windows? The outcome of this could be a stronger recommendation for one OS type over another, or a realization that the Linux community has been overstating the case, perhaps "more than somewhat".

Posted by jho at 11:24 AM | Comments (3)

January 08, 2004

Sanitary Computing

http://www.computerworld.com/securitytopics/security/story/0,10801,88359,00.html

From my worm's-eye view, in the security battle, it looks like the bad guys are winning -- the level of disruption I have experienced this year on the InterNet is much greater than any year previous. However, this article suggests the light at the end of the tunnel is not an oncoming e-mail virus -- that tools which will mimic an immune system will be available as the result of ongoing research, reducing the threat accordingly.

We badly need something like this -- we cannot ask all computer users to become security experts to do their daily jobs, after all.

Posted by jho at 10:36 PM | Comments (3)

January 05, 2004

Banking On Wireless Security

http://www.bankinfosecurity.com/?q=node/view/334

Well-written article on assessing the risks of a wireless network, along with an enumeration of risk management considerations. Other portions of the site discuss many aspects of security, with articles on topics ranging from Sarbanes-Oxley to Security & Privacy. I have touched on wireless security in previous postings to this blog, and this is a useful addition to such material.

Posted by jho at 03:26 PM | Comments (0)

Things Going Bump

http://www.computerworld.com.au/index.php?id=2057465071&fp=16&fpid=0

According to this author, we have a bushel basket of new security challenges awaiting us in 2004, which will have to be met in organizations by improved and stricter [and unpopular] controls. Resisting the compulsion to connect, understanding that new technology developers don't put security first, and remembering that the bad guys are endlessly creative are three keys to understanding how security issues are going to play out in the future.

Posted by jho at 02:17 PM | Comments (0)

December 23, 2003

Three Worms In The Network

http://www.securityfocus.com/infocus/1752

An in-depth comparison of how three different worms (Blaster, Slammer, and Code Red I/II) impacted networks once the external security was breached. This is a useful examination not only of the effects such malware has, but also on how to create a remedial plan.

Posted by jho at 10:04 AM | Comments (0)

A Key To Understanding

http://www.youdzone.com/signature.html

The concept of asymmetric key encryption is a security issue upon which many students' [and faculty's] understanding founders. Here is a simple explanation of public key cryptography, digital certificates, and certificate authority which makes the outlines of the process somewhat easier to grasp.

Posted by jho at 09:30 AM | Comments (0)

December 17, 2003

Being A Ware

http://whitepapers.comdex.com/data/detail?id=1069861581_120&type=RES&src=KA_RES

A short white paper: "Beware Spyware" which gives a quick overview of this type of malware, useful for informing teachers and students alike. If people read something simple and basic about this, which looks digestible, they may be more motivated to do something about this. I would be prepared to bet a small chocolate bar that home users in the thousands still do not appreciate the spyware threat, even though they are suffering the consequences.

Posted by jho at 11:24 AM | Comments (0)

Holy MAC-rel - A Security Hole

http://www.pcmag.com/article2/0,4149,1408953,00.asp

An article taking a gleeful chortle over the revelation of a serious security vulnerability [which would allow a Mac system to be taken over remotely] in the Macintosh OS/X Jaguar/Panther release. Mac enthusiasts have been echoed by remote observers like yours truly in the assumption that the reduced vulnerability of Macintosh systems could justify their higher purchase price.

Say it ain't so, Steve! Well, in fact, there is somewhat less to this, I think, than flashes on the screen. It may well be that protection through minority status has resulted in this flaw not being exploited as yet, but I consider it a completely valid assumption that OS/X, with its UNIX roots, is inherently less susceptible to security flaws, and the degree of OS implementation has little to do with this. This is not the same as saying the OS has no flaws, just fewer flaws, and a better way of reducing such exploits when and as they happen.

But never let it be said I was hostile to exposing opinions which differ from mine, no matter how wrong they might be....

Posted by jho at 11:09 AM | Comments (0)

December 16, 2003

You Can't Hide

http://www.esecurityplanet.com/trends/article.php/3288271

Everyone agrees that e-mail is broken, and now some fixes are being proposed. The latest concept is a technical specification enabling e-mail recipients to verify sender identity, which then could be extended into a reputation report. Experts agree that e-mail identity is the requisite first step to reform. The pros and cons of this have been highlighted in this blog, because I feel this is no small issue in the way in which the IT environment is evolving.

Despite the eloquence and the genuine case that anonymity proponents have mustered in this debate, I still find myself, somewhat uncomfortably, under the tent of the identity brigade. In some sense, this demonstrates how central e-mail has become to the computing experience of most of us.

Posted by jho at 02:55 PM | Comments (0)

Tammany Hall Software

http://techupdate.zdnet.com/techupdate/stories/main/Massive_software_engineering_reform_is_a_must.html

Article summarizing the USA National Cyber Security Summit, which came up with a recommendation for more secure code and coding practices. This will involve a massive effort, requiring inter alia extensive retraining for those software developers who are already in the production stream. Similarly, current curricula must be revamped to give additional emphasis to responsible development with security in the main focus.

There is a lot more disagreement on the 'how' of this, and what the most effective model should be, but the output from this conference would not go amiss as the input to future curriculum development in software engineering [where, I must hasten to point out, I cannot claim even the thin veneer of expertise I profess in terms of networking].

Posted by jho at 02:32 PM | Comments (0)

Choosing Your Weapon

http://www.computerworld.com/securitytopics/security/story/0,10801,87554,00.html

Article with two salient points of interest. One revolves around the ever-increasing capability of malware, which will only increase as hardware and software powers increase. That the bad guys appear to be winning the war suggests this pessimistic take has a lot of merit.

But hidden away on the second page of this article is an arresting little chart, which shows the date at which a computer implemented the processing power of some living organism. For example, the processing power equivalent of a bacterium was available in 1975. I was under the vague impression that we were at the insect level today, but according to this, we passed lizard equivalency in 2000, and are making strides towards the capacity of the average mouse.

While human capacities are nearly two decades away, according to this [and I suspect 'the devil is in the details', and the timespan may be longer than that], just imagine something considerably lesser -- a computer system with the responsiveness and processing power of a dog. Such a level of achievement would itself be a massive upgrade in the ability to use computers as a tool, and would be made even more impressive if we could teach such computers not to make a mess indoors....

Posted by jho at 02:12 PM | Comments (0)

December 15, 2003

Owning The InterNet

http://www.usenix.org/events/sec02/full_papers/staniford/staniford.pdf

An analysis of the risks and prospects for worms on the InterNet, using Code Red as a model. This paper: "How to own the Internet in your Spare Time" suggests some preventative measures which can and should be deployed.

Posted by jho at 04:08 PM | Comments (0)

December 13, 2003

Pragmatical Practice

http://whitepapers.comdex.com/data/detail?id=1070473161_825&type=RES&src=KA_RES

If wireless security is not a concern, it should be; the basic WEP standard has demonstrated weaknesses, and undetected interception is so much easier with wireless that additional measures must be undertaken. This white paper: "Practical Solutions for Securing Your Wireless Network" can give you some pointers on how to reap wireless roses without security exploit thorns.

Another security paper from Cisco Systems focusses on: "Technology Best Practices for Endpoint Security":

http://whitepapers.comdex.com/data/detail?id=1070907383_68&type=RES&src=KA_RES

which introduces another layer into the security cake.

Posted by jho at 10:14 AM | Comments (0)

December 10, 2003

All The Stuff That's Not Fit

http://www.intranetjournal.com/spyware/

With the increasing prevalence of malware [computer programs foisted on you to your detriment] a good clear guide on what it is and how to deal with it certainly will not go amiss, and here is one such. In addition to being used for maintenance purposes, this is a good way to make students aware of many potential problems in computing practices they may take for granted.

Once you have worked in networking or security for a while, you take all this for granted, but for those without a technical background, this is a useful wake-up call.

Posted by jho at 06:00 PM | Comments (0)

December 03, 2003

Watching Your Back

http://whitepapers.comdex.com/data/detail?id=1070381782_523&type=RES&src=KA_RES

There is certainly enough going on in the security world these days that having a set of useful tips on hand for vulnerability reduction can come in quite handy for practitioners and educators [the latter sometimes wearing both hats] alike. This white paper: "Best Practices for Vulnerability Management" provides some guidance on how to go about reducing your risks.

More assistance can come from the following white paper:

http://whitepapers.comdex.com/data/detail?id=1069950009_199&type=RES&src=KA_RES

which covers this topic "From Project to Process - Policy-Based Vulnerability Management".

A look at crucial issues relating to the IT core comes from a white paper titled "Core Security", found at:

http://whitepapers.comdex.com/data/detail?id=1069861581_139&type=RES&src=KA_RES

Posted by jho at 08:30 AM | Comments (1)

December 02, 2003

Diebold Arrestless

http://news.com.com/2100-1028_3-5112430.html

The egregious attempt by Diebold to use the DMCA to throttle criticisms of its defective electronic voting system has resulted in the company's ignominious capitulation in court. In fact, the appellants are still seeking a court order proscribing like acts in the future.

It is pleasant to see the good guys win one for a change.

Posted by jho at 01:36 PM | Comments (0)

December 01, 2003

Hackermentalism

http://www.informationweek.com/story/showArticle.jhtml?articleID=16000606

Extensive article looking into the motivation of the hacker community, pointing out that it has its educational virtues as well as its criminal tinges. Knowing the motivation and activity of hackers should interest educators, especially as many hackers either get their start or remain comfortably ensconced in university computer systems.

Posted by jho at 09:15 PM | Comments (0)

Opening A Can Of WMD

http://www.economist.co.uk/science/displayStory.cfm?story_id=2246018

An Economist article covering much of the same ground as a number of specific past posts to this blog relating to networking security problems. Provides a good review of the major issues, and suggests methods of countering this disruption. Interestingly enough, in view of the position I have taken on this matter in previous posts, is one suggestion that outright anonymity cannot be supported on the InterNet of the future.

Posted by jho at 01:40 PM | Comments (0)

The Doctor Takes His Own Medicine

http://www.microsoft.com/technet/itsolutions/MSIT/Security/mssecbp.asp

Given that Microsoft's own network is a number-one target for attacks, some explanation of the principles used in that corporation to safeguard themselves is certainly worth inspection, and that is what this white paper: "Security at Microsoft", provides.

Most of the suggestions relate to using Windows 2003, but could be retrofitted to W2K systems.

Posted by jho at 01:28 PM | Comments (1)

November 26, 2003

It's A Steal!

http://www.eweek.com/article2/0,4149,1384450,00.asp

Article on how it is still easy to hijack someone else's domain name, made most interesting by the wall of secrecy which the principals throw up, which is not exactly comforting in regards to their accountability. Also indicates how aged some parts of the InterNet structure are, and a useful account of some of the real problems with DNS.

Posted by jho at 11:47 AM | Comments (0)

November 19, 2003

Wall Of Frazier

http://www.frazierwall.com/

URL indexes a single floppy distribution Linux firewall designed for Ethernet connections to the Internet (cable or xDSL), allowing connection sharing. This would be a good example of a class project which students could use for home purposes as well, providing extra motivation.

Posted by jho at 11:46 AM | Comments (119)

November 18, 2003

The Tools To Start The Job

http://www.foundstone.com/resources/freetools.htm

While security tools are useful adjuncts to classroom teaching, their cost can be prohibitive. Here is a link indexing a page of useful security tools for assessment, forensics, intrusion detection, scanning, and stress testing. When the menu sections are accessed, a page with a short description of each of these utilities displays.

The cost is hard to beat, since they are free.

Posted by jho at 06:07 PM | Comments (2)

Who Ya Gonna Call? TrustBusters!!

http://www.masternewmedia.org/2003/10/12/microsoft_ready_to_achieve_lockin.htm

There are some issues which are sufficiently complex and yet so pregnant with import that even if one cannot understand them in detail and scale, some sort of reaction is called for, mostly along the lines of "do no harm". I have recorded my unease about the concepts behind Microsoft's "Trusted Computing" in previous articles, and I still have grave doubts about this initiative.

This article links to an online report on the risks involved in this development, with a wealth of internal links and additional references to other articles on this subject. This is one of these forks in the road which, taken blithely, can come back to stab us in some tender parts indeed.

Posted by jho at 09:50 AM | Comments (0)

November 17, 2003

Hear Ye! Hear Ye!

http://www.auditmypc.com/

Indexes an online service providing firewall tests, allowing vulnerabilities to be probed safely, and also offering explanations and links for specific vulnerabilities. This would be an effective tool to deploy as a 'before and after' test instrument for a security class.

Posted by jho at 10:25 PM | Comments (0)

Crash Test Smarties

http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2003/11/03/BUGD42O8E41.DTL

The problems with attacks on the InterNet are becoming sufficiently severe to justify a multi-million research grant to a California team of universities to create an accurate model of the Net. By using a sufficiently complex test bed, the consequences of hostile action can be determined so policymakers can react successfully and network designers can improve infrastructure security, locking up the barn door before the horse is stolen.

Posted by jho at 04:25 PM | Comments (0)

Warding Off Woe

http://eletters.wnn.ziffdavis.com/zd1/cts?d=75-87-1-1-618817-3574-1

Security is not quite like the weather: not everybody talks about it, and somebody does something about it. Identifying problems is all well and good, but this article goes further and reviews remedies which operate at the personal security level.

Posted by jho at 04:08 PM | Comments (0)

November 11, 2003

A Place For Igor

http://security.itworld.com/nl/security_strat/11112003/

Even a relatively small network (one with, say, 20 hosts) which is connected to the InterNet can benefit from the security staff (or person) having a security laboratory. This need not be elaborate -- some obsolete hosts and connecting gear -- but can be an invaluable tool for testing solutions, as this article makes clear.

More on security testing labs [including cost issues] from:

http://www.geekspeed.net/~beetle/download/attacklab.html

http://www.giac.org/practical/GSEC/Greene_Paul_GSEC.pdf

This information has obvious application in just about any educational environment where information technology security is being taught.

Posted by jho at 05:54 PM | Comments (0)

November 05, 2003

Finger-Pointing At The Invisible

http://entmag.com/news/article.asp?EditorialsID=6017

Scapegoating is a common organizational practice, and comes out in full form when a major virus incident happens. This article suggests that attempts to place blame are ultimately counterproductive, so this human impulse should be resisted.

Posted by jho at 11:54 AM | Comments (0)

Layering Layers

http://entmag.com/news/article.asp?EditorialsID=6018

As viruses continue to escalate in complexity and destructiveness through using InterNet propagation methods, the protection model is evolving to fit. The concept of layered defense, which provides protection at the server and gateway level as well as at the desktop, has become prominent. In networking terms, this means more devices will have to be configured and monitored, which becomes an issue for both design and maintenance.

Posted by jho at 11:50 AM | Comments (0)

November 03, 2003

The Long Horn Of Security

http://www.newsfactor.com/perl/story/22542.html

One of the many questions about Microsoft's next desktop version of Windows [the Longhorn project] is whether security will be enhanced to the degree the IT community feels appropriate. While Microsoft has had major problems with this issue, it has continued to make improvements. Yet to the extent that Longhorn adds new features, it also adds new risks. With a due date at least two years in the future, there will be, at least, some time to assess this carefully.

In addition to this article, links to some related articles on Longhorn and on security are provided.

More information on Longhorn can be found at:
http://news.com.com/2100-7345-5097537.html
http://entmag.com/news/article.asp?EditorialsID=6012
http://eletters.wnn.ziffdavis.com/zd1/cts?d=75-82-1-1-618817-3367-1
http://eletters.wnn.ziffdavis.com/zd1/cts?d=75-82-1-1-618817-3373-1
http://eletters.wnn.ziffdavis.com/zd1/cts?d=75-82-1-1-618817-3376-1

Posted by jho at 10:48 AM | Comments (0)

October 28, 2003

Bridging Troubled Waters Transparently

http://www.securityfocus.com/infocus/1737

The 'classic' firewall solution is enabled in a router. This works, but there are administrative and performance costs to such a solution. This article explains how a transparent bridge can be set up to be a firewall also, and what some of the drawbacks and benefits of such an approach can be. Intelligently applied, using a transparent bridge can boost security without penalizing performance.

The article provides links to Linux resources for implementing bridging firewalls, although there is no particular reason why this technique should be confined to Linux.

Posted by jho at 08:05 AM | Comments (0)

October 27, 2003

Spam Clam Claim

http://seattletimes.nwsource.com/html/businesstechnology/2001772631_spam23.html

Article reporting a survey indicating that the most serious effect of spam has been less technological [though this is serious enough] and more on the degree of faith people have in the InterNet and e-mail. When spam reached a critical point, it ceased to be an annoyance and became a problem, which took much of the bloom off the non-technological rose of global communication.

The fact that many people do not employ any filter, but just delete spam as it arrives, is good indication of what spam costs. I do not use a filter myself, or any other form of rejection process, simply because I dread a false negative [a real message deleted as spam]. I would estimate, since I use a previewer, that spam only adds about 5% extra time onto my e-mail experience, but I spend a lot of time with e-mail, so that still amounts to a significant time loss.

Posted by jho at 11:59 AM | Comments (2)

October 22, 2003

...A Hellavan Engineer

http://security.itworld.com/nl/security_strat/10212003/

"Social Engineering" is widely acknowledged as a major security problem, but convincing examples of this attack technique in practice can be difficult to construct. A poorly-constructed example may fail completely in getting the point across. This article presents a real-world example which could be most useful as a starting point for in-class discussion.

Posted by jho at 11:58 AM | Comments (0)

Why Spam Is It Spam Always Spam Me?

http://www.cdt.org/speech/spam/030319spamreport.shtml

An interesting, albeit somewhat dated, report on what sorts of online behaviour result in spam, and providing a list of simple, common-sense tips for avoiding it. The numerous charts and graphs provide an enlightening display of a number of facts and trends.

Posted by jho at 11:46 AM | Comments (0)

October 21, 2003

Neither Rueful Nor Sueful

http://www.eff.org/IP/P2P/howto-notgetsued.php

Whatever one thinks about the latest inane antics by the RIAA [and what I say could only be recorded on phosphors made of asbestos], the bottom line is that they can cause a System Administrator a world of hurt. This is so, even if nobody in the organization is deliberately sharing files. This site provides a process checklist to make sure you cannot be easily sued, and is worth implementing in any network for which someone has administrative responsibility.

It is worth implementing on your home system, as well.

Posted by jho at 06:03 PM | Comments (0)

Starting Up Is Hard To Do

http://www.pacs-portal.co.uk/startup_pages/startup_full.htm

With the increasing proliferation of scumware and other pestiliferous software, knowing what is going on in a Windows system when it starts up is crucial. However, knowing what is going on requires additional information, which this site provides: an alphabetic index of startup entries [not processes], including which ones are actually caused by a virus.

Another take on this, using the same information base classified in a different way, which may be just the way students will most easily understand it, is this site:

http://www.lafn.org/webconnect/mentor/startup/PENINDEX.HTM

This lists startups and executable programs with a direct link to each item mentioned.

Here is a startup application database which classifies starting programs into categories ranging from essential to dangerous:

http://www.greatis.com/regrun3appdatabase.htm

Posted by jho at 05:43 PM | Comments (0)

Toeing The Mark

http://www.nwfusion.com/newsletters/nsm/2003/0818nsm1.html

The regulatory environment around IT has become increasingly strewn with minefields, making compliance as important an issue for IT as it is for human resources or finance. This article suggests what IT professionals should know about compliance activities, and provides links to other sources of related information.

The wise IT worker will not be caught napping by this issue -- it can have fatal effects on career prospects!

Posted by jho at 09:14 AM | Comments (0)

Do You Feel Lucky?

http://whitepapers.comdex.com/data/detail?id=1066151815_96&type=RES&src=KA_RES

Effective security is not a matter of absolute prevention -- that's impossible -- but of managing risks. This white paper: "Security Risk Management - Strategies for Managing Vulnerabilities and Threats to Critical Digital Assets" outlines how to create requirements for such strategies.

Posted by jho at 08:08 AM | Comments (0)

October 20, 2003

Planet Of Security

http://www.esecurityplanet.com/

A cleanly laid-out site devoted to security issues, including white papers, news, ongoing research, training and certification, resources, trends, and opinions, plus premium services available for a fee.

Posted by jho at 12:03 PM | Comments (0)

The Moist Feel Of The Watching Eyeball

http://www.tscm.com/warningsigns.html

In today's organizational climate, being concerned about covert observation is not paranoia, it is just common sense. The URL referenced provides a plain and easily understood list of signs indicating someone may be listening to more than you would like. Some valuable steps to follow in effecting a remedy are also outlined.

Posted by jho at 11:58 AM | Comments (0)

Inside Job

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci863439,00.html

Many security experts consider that a majority of security threats come from inside the firewall, and this article discusses this in some detail, making the point that fatal damage is much more likely to come from the inside. In addition to the article referenced, a sidebar offers links to additional articles, references, webcasts, and tips.

Posted by jho at 11:55 AM | Comments (0)

The Name Is Chip, James Chip

http://abcnews.go.com/sections/business/SiliconInsider/SiliconInsider_030114.html

Much of the discussion about security focusses on crackers, who are the equivalent of a random natural disaster from any specific organization's point of view [in other words, I was not running around waving my golf club in the air, but I got struck by lightning anyway], or on insiders who have an "inside" motivation. This article indicates that industrial espionage is becoming a more prevalent problem, with obvious security implications as well.

Posted by jho at 11:51 AM | Comments (0)

October 15, 2003

New Muzzles For Old

http://www.fourmilab.ch/documents/digital-imprimatur/

Certainly one of the most attractive aspects of the InterNet was its reputation as a technology providing liberated freedom of speech, since it turned the old saw about a free press ["a press is only free to whomever has the gold to own one"] on its head. Increasingly, however, a variety of developments have called this bright promise [which at its most anarcho-libertarian probably was fool's gold] into question.

This on-line publication by an experienced and concerned observer: "The Digital Imprimatur" gives its plot away in its subtitle: "How big brother and big media can put the Internet genie back in the bottle". Increasingly, alas, it does look like this is going to happen, and there is SFA we can do about it.

A more generalized view of this, which essentially concludes that we will sell our souls for a mess of pottage, can be found here:

http://msnbc.msn.com/Default.aspx?id=3606168&p1=0

Posted by jho at 02:56 PM | Comments (0)

10 Steps In The Right Direction

http://www.anonymizer.com/tensteps/index.shtml

With privacy concerns ramping rapidly upwards [although here I agree with Larry Ellison of Oracle: "There is no privacy any more. Get over it!"], having a quick reference guide to simple steps to assist with this has obvious merit for students and teachers alike, and that is exactly what this page offers.

An important perspective worth emphasizing: nobody can protect you better than yourself -- you do have a responsibility to act safely in these matters.

Posted by jho at 11:39 AM | Comments (0)

Sure Microsoft Security

http://entmag.com/news/article.asp?EditorialsID=5983

As the gorilla of indeterminate weight sitting smack-dab in the middle of major security problems, Microsoft is not sitting back and snacking on bananas. This article indicates its PR reaction, with intentions for more secure technologies Real Soon Now. Given the prominence of the Microsoft bashers, it is only reasonable to consider the alternative case.

For this article, the multitude of lengthy, technically detailed, and mostly negative comments are as interesting as the original statement, if not more so.

Posted by jho at 11:30 AM | Comments (0)

October 14, 2003

Top, Not Golden, 20

http://www.sans.org/top20/

This is a SANS report [as distinguished from an AVEC report, which is something else altogether] on the top 20 InterNet vulnerabilities, 10 from the Windows side of the house and 10 from UNIX/Linux. That IIS should continue to hold top position in the Windows listing should not come as a flabbergasting surprise to anyone.

Posted by jho at 05:14 PM | Comments (0)

Security Through Configuration

http://itw.itworld.com/GoNow/a14724a87343a89073442a1

While products and services to provide security are available in profusion, no single solution provides all the protection you need. A layered approach is definitely the most appropriate and fruitful solution process, and this white paper: "Network Configuration Management: An Additional Layer of Security" gives advice on how to implement this as part of your network configuration, which certainly should be part of anyone's defensive planning.

Posted by jho at 08:22 AM | Comments (0)

October 13, 2003

Pressing The InterNet "Off" Button

http://www.forbes.com/2003/10/10/1010grovepinnacor.html

Article discussing the degree to which the InterNet, as we have come to know it, is at risk from the garbage and malware currently flooding it. The potential for Net balkanization is considered very real [and this would simply be another example of a "Tragedy of the Commons"]. The concept of 'end-to-end' communication is ultimately at risk here.

A related viewpoint available as a downloadable .PDF file, coming essentially to the same conclusion, is "The Beginning of the End of the Internet? Discrimination, Closed Networks, and the Future of Cyberspace", available from:

http://hraunfoss.fcc.gov/edocs_public/attachmatch/DOC-239800A1.pdf

My, for some reason, the most recent set of posts have been gloomy and doomy!

Posted by jho at 03:24 PM | Comments (0)

October 09, 2003

The Bitfather

http://www.ecommercetimes.com/perl/story/31679.html

The current spate of computer malware is bad enough if it simply represents crackers working their revenge on the world of the straights. This article raises the more disturbing spectre that criminal organizations are behind the most recent proliferation of worms, to permit them to implement extortion attacks against companies. Another profitable criminal undertaking in regards to networking is credit-card number theft.

In addition to the main article, sidebars link to a variety of other resources on this and related topics.

Posted by jho at 03:58 PM | Comments (0)

The Best Defence....

http://security.itworld.com/4357/030922activedefense/index.html

Index to a collection of articles on "active defence" -- carrying a hacking attack back to the attacker. While emotionally satisfying, there are lots of pros and cons about this, making this collection valuable for working professionals as well as a useful source for a stimulating debate about one aspect of computer ethics.

Posted by jho at 10:50 AM | Comments (0)

October 08, 2003

The Cavalry Will Be Somewhat Late

http://searchwin2000.techtarget.com/originalContent/0,289142,sid1_gci928819,00.html?track=NL-118

While software security is a major problem, and one which just seems to be getting worse, it is not going to improve in the short run -- and some feel that useful tools will be a decade in coming. Given the variety of players who have to be brought together on this, the size of current and future vulnerabilities, and the current level of deployment against these, this pessimistic prognostication looks all too plausible.

What the article ignores is this: can we wait a decade? Will the outright harm and the loss of trust this breeds result in diminished or eliminated WAN opportunities? The cavalry may arrive to see nothing but the feathered ends of long-buried arrows.

Posted by jho at 12:02 PM | Comments (14)

Who ARE These Masked Men, Anyway?

http://techrepublic.com.com/5100-6313-5070697.html

While the article focusses on the motivation of malware writers, it also makes two other points worth hoisting inboard:
1) Any cure for this problem is likely to be almost as bad as the disease, at the very best; and
2) As its display of punishments meted out to those convicted of wrongdoing makes entirely clear, there is no proportion between the seriousness of the crime and the severity of the punishment.

I have made my minority opinions clear on this in previous comments, but once again, the overall theme is arresting: the degree to which the contemporary legal system is simply inadequate as a tool for dealing with information technology matters, a situation not likely to receive any rapid remedy.

Posted by jho at 10:48 AM | Comments (0)

September 26, 2003

Purging The Diet Of Worms

http://www.certmag.com/articles/templates/cmag_nl_infosec_content.asp?articleid=448&zoneid=39

We all know what prevention is worth, but sometimes we have to apply the pound of cure, and it is extremely helpful to have a set of tips for responding to something as traumatic as a worm attack, which this article summarizes. There are links to a longer version, but this requires sign up for membership, which I normally eschew in listing resources like these.

Posted by jho at 10:54 AM | Comments (0)

Getting That Warm, Secure Feeling

http://www.cioinsight.com/article2/0,3959,1213563,00.asp

Article indicating that the extent of security problems requires a management response equivalent to business process re-engineering -- in other words, security has to be designed in, not patched on. Links to additional articles provide additional perspectives on this issue.

Posted by jho at 10:49 AM | Comments (0)

Insecure Monopoly

http://www.ccianet.org/papers/cyberinsecurity.pdf

The title and subtitle of this paper pretty much sum it up: "CyberInsecurity: The Cost of Monopoly; How the Dominance of Microsoft's Products Poses a Risk to Security". Despite its alarmist title, it is written by a bevy of well-known security analysts from all sections of the IT industry, and presents an argument for a diversified software ecology clearly and concisely.

The report makes a point that is worth quoting: "The average user is not, does not want to be, and should not need to be a computer security expert any more than an airplane passenger wants to or should need to be an expert in aerodynamics or piloting." The tendency to "blame the victim" in many of these cases is totally misplaced, and in fact impedes potential solutions.

A short commentary on this paper is available here:

http://mcpmag.com/news/article.asp?editorialsid=613

and a more extended commentary with reflection on the wider issues is available here:

http://news.com.com/2009-7349_3-5140971.html

Another more recent rebuttal is here:

http://techupdate.zdnet.com/techupdate/stories/main/In_defense_of_Microsoft.html?tag=zdannounce0.list

Posted by jho at 10:26 AM | Comments (0)

September 25, 2003

Mine! Mine! All Mine!

http://www.fortune.com/fortune/techatwork/articles/1,15704,485825,00.html

The current chaos on the InterNet is generating both concerns and proposals. Here we have a cogent statement of the problem with the advice that business itself has a responsibility and an opportunity to apply better remedial measures than simply blaming Microsoft.

Among the more obvious, painful, yet perhaps unavoidable conclusions is that corporate security spending must increase, perhaps doubling. This may be the only course which can redeem this tragedy of the commons. The alternative is to abandon the InterNet altogether, which does sound like a cure being worse than the disease.

Posted by jho at 11:13 AM | Comments (0)

September 24, 2003

LaGrande Tour

http://www.extremetech.com/article2/0,3973,1274197,00.asp

The significance of Intel's "LaGrande" security initiative has been remarked upon before -- here is a good detailed review of what is going on with this initiative:
• Objectives and Components
• Policy, Target Markets, and Rollout
• Trusted Platform Architecture Review
• Inside LaGrande CPU and Chipset Modifications
• Protected Environment Setup – Initial Steps
• Launching Protected Domain
• Handling Special Cases.

Once the facts are understood, we can conduct the debate relating to this technology in a more rational and perhaps constructive manner.

Posted by jho at 03:11 PM | Comments (0)

September 22, 2003

Taking The Blanket Back From Snoopy

http://www.businessweek.com/technology/content/sep2003/tc20030916_6815_tc129.htm

Article discusses the need for reform and restructuring of the InterNet -- in a manner analogous with post 9/11, there is recognition of the cost of openness and a determination to change things. The problem in both cases is that the bathwater and the baby have to be carefully separated, and the nature of the InterNet decision-making process makes unintended consequences [because non-technical 'voices' will not be represented] more likely.

Yet, given that even I have agreed that Something Must Be Done, it is hard to cavil when you get what you wanted, pace Oscar Wilde.

Posted by jho at 04:26 PM | Comments (0)

RIAA-ly Now!

http://wired.com/news/politics/0,1283,60461,00.html

The abuses perpetrated under the Digital Millennium Copyright Act are sufficiently well known among IT folk, but now, from this article, it appears that at least one USA Senator understands what the balance between corporate and individual rights ought to be. He has introduced a bill which would significantly up the ante in difficulty for industries seeking to force data from an ISP and by extension, to violate the privacy of an individual consumer.

The absence of checks and balances in the DMCA should be a serious concern to all those outside the industry who are concerned not only with rights, but with maximizing information flows for the greatest public benefit. One has to hope that this legislation represents the first step in the rollback of rights losses.

Posted by jho at 10:58 AM | Comments (0)

September 18, 2003

Stepping Back A Bit

http://www.pcworld.com/news/article/0,aid,112519,00.asp

Intel is no stranger to social controversy stemming from technical decisions, and it has wisely seen that the "LaGrande" technology, which had all sorts of potential to make information decidedly 'unfree', is not a blanket solution. Some Intel chips will use the technology, and others will not, and people will be free to choose which variety they want. Nor will 64-bit Itanium chips have the technology.

The LaGrande technology is expected to be in production by 2006. It is pleasant to see that Big Brother will not be a necessary add-on to every Intel product purchased by then.

Posted by jho at 04:48 PM | Comments (0)

Networks Of Value

http://www.businessweek.com/technology/content/sep2003/tc20030916_9564_tc129.htm

The article indexed by this URL is interesting enough in its own right, indicating how many vital public networks remain vulnerable to destructive intrusion, what countermeasures are required, and what these will cost. This is a useful reminder of priorities and problems as they relate to high-value systems, as well as the degree to which we have developed an inextricable dependency upon them.

In addition, a wide variety of interesting special reports, reviews, and other articles relevant to IT and networking are indexed in the sidebars.

Posted by jho at 04:42 PM | Comments (0)

From All Around They Come

http://whitepapers.comdex.com/data/detail?id=1063389252_145&type=RES&src=KA_RES

The increasing scope of attacks on networks makes a white paper covering "Optimizing Security and Network Operations" particularly useful.

Posted by jho at 11:36 AM | Comments (0)

September 17, 2003

CSIarian Selection

http://www.gocsi.com/

While the Computer Security Site is a good source in itself to keep tabs on training for security in general and the CSI certifications in particular, as this entry is written, in addition there is a downloadable report available: the eighth annual Computer Crime and Security Survey, which clearly shows that computer crime and security remain significant issues.

Posted by jho at 11:13 AM | Comments (0)

Crime Busters

http://www.crime-research.org/

Web site of the Computer Crime Research Center, a non-profit subsidiary of The American University, providing many useful security resources. A cleanly laid-out page indexes news, articles, analytical essays, and interviews, with links to Legislation, Seminars, other links, and a news archive.

The site offers a free newsletter and is searchable, and provides a fast way to keep up to date with what is going on in the rapidly-changing world of network security.

Posted by jho at 10:37 AM | Comments (0)

September 16, 2003

My Antivirus Works Better Than Your Antivirus

http://www.virusbtn.com/vb100/archives/products.xml?table

A comparative display of reviews of nearly three dozen antivirus products, as tested against Windows 2000, NT, RedHat Linux, XP Professional, and Netware 6.0. The results can be displayed in a variety of ways, by vendor or by platform, with a summary overview of the pass/fail capacity of the specific product, and a link to the vendor Website. The most interesting thing that comes out of this is that there is no single product which is 100% effective across all the platforms tested, although it is unlikely any single machine in a production environment would be using all of these operating systems at once.

This suggests that more than one antivirus product may be needed in a network running a variety of operating systems.

Posted by jho at 11:56 AM | Comments (0)

September 11, 2003

Making The World Safe For Computing

http://www.informationweek.com/story/showArticle.jhtml?articleID=14200065

"East is East, and West is West/And never the twain shall meet" might have been Kipling's take on globalization, but the "small world" created by the InterNet means computers the world over face the same sort of security threats. A summary of the 2003 Global Information Security Survey from Information Week suggests both the nature of the threats which apply in this arena and some of the costs associated with their activation and cure.

Posted by jho at 11:24 AM | Comments (0)

September 10, 2003

That Kind Of Knight

http://www.baddteddy.com/tutorials/virus.htm

While the layout of this site is somewhat eye-straining, it is worth considering as a pedagogical resource, not only because of its importance, but also as an exercise in evaluating Web information. I was led to this by the "Infopackets Gazette" listserv, which is intended for computer newbies, serving me as a valuable source of tutorials and other pointers for those just beginning to find where the "On" switch is [and I will confess without a blush that once in a while I find something directly useful on the Infopackets site].

Key questions to ask: is the technical content convincing? Does it agree or disagree with other major sites dealing with the same material? Does the particular website and the anonymous authorship increase or decrease credibility?

Sometimes a gem can be flawed, and yet spark our imaginations.

Posted by jho at 04:00 PM | Comments (0)

No Getting RFID Of It

http://www.zdnet.com/anchordesk/stories/story/0,10738,2914622,00.html

Despite the concerns which have been expressed about its negative aspects, Radio Frequency ID tagging of merchandise is a beast which has not only slouched towards Bethlehem, but also is now sitting down eating soup with a long spoon. The commercial advantages of this technology are so great that we cannot realistically expect to hold it back, demonstrating once again how, when human values conflict with economic values, the former lose.

However depressing this may be as an overall prospect, it appears an aspect of this modern world which we cannot escape. Again, this is one of those "iceberg" technologies, towards which we are charging at full speed, frantically re-arranging the deck chairs as we go.

Posted by jho at 11:59 AM | Comments (0)

Crime & Punishment

http://www.zdnet.com/anchordesk/stories/story/0,10738,2914622,00.html

Article claiming that those who assist in the propagation of viruses and worms are being penalized too harshly by the criminal justice system. I have already made clear my predilections towards physical mutilation without anaesthesia as the proper remedy, so it should come as no surprise that I disagree vociferously with the author.

Virus and worm release represents a form of "one-to-many" crime, just as, for example, does a Ponzi scam. The individual loss in any case may not amount to much, but collectively the loss is enormous. It is exactly this loss which should be penalized [along with, of course, the loss of public trust which results], and harsh penalties are certainly supportable. The fact that some other people have been treated more leniently is, to my view, unfortunate, but it is no justification to treat all malware offenders that way.

Of course, given that I am a vengeful SOB, this opinion should not be all that surprising.

Posted by jho at 11:18 AM | Comments (0)

September 08, 2003

Putting On The Whole Armour

http://www.edbott.com/protect_your_pc.htm

Ed Bott is a byname in the PC world; in this article he outlines the elements of a comprehensive security policy for Windows 2000 and Windows XP machines. Another section on his site:

http://www.edbott.com/windows_tips.htm

offers a whole host [practically a plethora, though certainly not a surfeit] of articles covering Internet Explorer, Windows Tweaks, Outlook Express, Hardware Troubleshooting / Maintenance, Privacy / Security, and Windows Update.

Posted by jho at 11:17 AM | Comments (0)

Heavy Cracking

http://www.smh.com.au/articles/2003/09/04/1062548967124.html

Physical security is sometimes neglected in discussions of computer security; this article shows why it should receive some emphasis. The idea of someone stealing an entire mainframe is like something out of a movie [except that I don't think I have ever seen this particular stunt in anything I have seen].

Posted by jho at 08:46 AM | Comments (2)

September 05, 2003

Fast Security

http://whitepapers.comdex.com/data/detail?id=1062090016_670&type=RES&src=KA_RES

A white paper titled "Fast Path to Secure Systems Architectures and Network Designs", directed towards enterprise/large-scale security, again from a source which has a lot of experience with this, both good and bad.

Posted by jho at 11:28 AM | Comments (0)

September 02, 2003

What Lurks Out There

http://www.ingrian.com/resources/index.html#wp

While the initial impetus for this posting is a white paper on "Five Threats to Data Security", this site also contains other related papers, plus specifications for the company's products and solution/fact sheets of how these can be applied.

Posted by jho at 03:40 PM | Comments (2)

August 27, 2003

Ka-Choo!

http://news.bbc.co.uk/2/hi/technology/3172967.stm

While I happen to think that the punishment for writing a computer virus and releasing it on the InterNet ought to be, at a minimum for the first offence, loss of the dominant hand without benefit of anesthetic, I had not thought of the reasoning behind this article. We should look for more virus activity, it says, because the virus writers are forging a profitable relationship with spammers and hackers.

Which, of course, is another reason why we should oppose spam [the minimum first offense punishment there cannot be revealed in a blog intended for professional viewing, but the fact that it involves fire ants, honey, aardvarks, and old telephone crank generators, inter alia, should give some inkling of its awesome power].

Posted by jho at 03:32 PM | Comments (0)

August 23, 2003

From The Pipeline's Mouth

http://www.securitypipeline.com/

A CMP TechWeb resource site on computer and network security, covering news and trends; explanations; a product finder; desktop, network, and infrastructure categories; policy and privacy; a free newsletter; a security glossary; and downloadable white papers.

A detailed, useful, and professionally laid-out tool which is definitely worth bookmarking.

Posted by jho at 09:28 AM | Comments (1)

August 19, 2003

The Security Goes In...

http://www.cioinsight.com/article2/0,3959,1215795,00.asp

Well-argued paper with examples on the necessity for process re-engineering to be applied to security problems and issues. The overall state of corporate IT security is less than healthy, and this article makes clear that nothing less than a deep approach to the topic can have any hope of success.

Posted by jho at 09:51 PM | Comments (0)

DDOS All, Folks!

http://whitepapers.comdex.com/data/detail?id=978728650_214&type=RES&src=KA_RES

Countering Denial of Service attacks [particularly those of the distributed variety] represents a difficult challenge against a highly probable threat. This white paper, "Security on IP Networks - Countering Denial of Service (DoS) Attacks: An Overview of the Key Challenges and Countermeasures", looks at the issues involved, including access control, authentication, Denial of Service Attacks, Ethernet Switches, hackers, IP Networks, policy-based management software, Quality of Service, and the RADIUS Protocol.

Posted by jho at 08:54 PM | Comments (2)

Stepping On It

http://whitepapers.comdex.com/data/detail?id=1057858101_721&type=RES&src=KA_RES

The journey of 1000 miles of network security begins with a single step -- this white paper: "Action Steps for Improving Information Security" explains how to complete the journey for your infrastructure.

Posted by jho at 08:43 PM | Comments (2)

August 14, 2003

The Horse's Source

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/hardsys/tcg/tcgch07.asp

One thing you can say in regards to a "Threats and Countermeasures Guide" from Microsoft is that they have had a lot of experience with the former, at least! This easily-read and recent reference to security settings in XP and Windows 2003 can be viewed online or downloaded, and looks like a meaty, thorough discussion of its topic.

Additional resources are a downloadable Windows 2003 Security Guide and a downloadable Windows XP Security Guide.

Posted by jho at 09:59 PM | Comments (0)

Your Money Or...

http://whitepapers.comdex.com/data/detail?id=1057858077_908&type=RES&src=KA_RES

A white paper on the "Economic Impact of Network Security Threats" gives some quantifiable assessments of threats to network operation, which may serve as a useful focussing device.

Posted by jho at 08:21 PM | Comments (2)

August 12, 2003

Not So Simple

http://rss.com.com/2100-1038_3-5058610.html?type=pt&part=rss&tag=feed&subj=news&foo=End%20of%20the%20road%20for%20SMTP?%2008-01

Spam keeps getting worse; this article discusses fixes for the problem, based on replacing SMTP or fixing it. No consensus except, I opine, if we are going to solve spam and reliability, we will have to give up some of the open connectivity potential which has made the InterNet such a joyful place.

Another demonstration of the price of progress.

Posted by jho at 09:52 PM | Comments (2)

Trapping Trojans Truly

http://www.gfi.com/mailsecurity/wptrojans.htm

Company white paper demonstrating how Trojans can avoid standard antivirus solutions, while suggesting that the more extensive use of freeware and peer file sharing also increases Trojan risks. Of course, specialized anti-Trojan suites are also available [e.g. TDS-3 http://tds.diamondcs.com.au/ ].

Posted by jho at 08:51 PM | Comments (2)

August 07, 2003

View From The Top

http://whitepapers.comdex.com/data/detail?id=1057858120_962&type=RES&src=KA_RES

This free white paper on "Network Security - An Executive Overview" would be a good resource for students, since they often need the same 'high level' view as executives, so the forest emerges from the trees.

Posted by jho at 09:32 PM | Comments (0)

I'm All Right

http://news.com.com/2100-1033_3-5055803.html?tag=fd_lede2_hed

IPv6 will certainly solve any shortage of IP addresses for the foreseeable future, but because the USA was allocated a major slice of IPv4 addresses in the original address distribution, it has not pressed this issue. As a result, despite concern, concerted effort to make a change of this magnitude [which will not be trivial] has not been forthcoming.

The supplementary benefits of IPv6, like greater security, are simply not sufficient to cause such a changeover in themselves. They may, however, become more salient if networking problems which can be allocated to IPv4 increase in severity.

Posted by jho at 08:52 PM | Comments (0)

Hound of the Netville

http://www.sunbelt-software.com/product.cfm?id=925

A protocol sniffer is an essential tool for serious network administration and proactive security defence. Here is one from a well-reputed supplier at an apparently reasonable price for an enterprise product.

There are, I am sure, freeware/cheap versions of this sort of tool, but the ease with which this particular example can be used and managed may in fact offset any price differential in a short time.

Posted by jho at 08:34 PM | Comments (2)

August 06, 2003

Path To Patches

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/patch/secpatch/Default.asp

The issue of security patches is sufficiently high-visibility and -stress that a good guide to patch management is a valuable resource. Here is one from Microsoft itself, providing not only a wealth of detail about what patching is all about -- to the tune of some 100 pages -- but also a downloadable as well as a Web version.

The downloadable version provides scripts, templates, and other useful supplements.

On the other hand, you should not rely on Microsoft to handle all your patching needs, so a white paper on "How to Keep Your Microsoft Software Secure" is a useful addition to the above publication, and can be found here:

http://cl.com.com/Click?q=eb-HlLoQkD1IUBe2PnEeahpbuKd99RR

Posted by jho at 09:49 PM | Comments (2)

August 05, 2003

Securely Rooted

http://www.rootsecure.net/

Billing itself as the "security news site for systems administrators & hackers" this site provides News, archives, XML feeds, links, downloads, reports, advertisements, comment and chat rooms, and a number of online utilities. Not particularly fancy from the graphics point of view, yet there appears to be a wealth of information and applications here.

Posted by jho at 09:35 PM | Comments (2)

So You Want To Write a Security Policy!

http://www.certmag.com/articles/templates/cmag_nl_infosec_content.asp?articleid=348&zoneid=39

Technical application of security tools at the server face is next to useless (and perhaps positively dangerous) if implemented in the absence of a security policy. Creating such a policy may be hard, but greater security ease will result, making this annotated list of security policy resources, templates, and books a useful starting point to such a creation.

Posted by jho at 09:25 PM | Comments (1)

August 04, 2003

Better Buttoning Up

http://www.atruereview.com/Articles/winsecurity.php

Short and to-the-point article "Increasing Windows 2000 and XP Security", with a number of straightforward procedures simply and concisely described. Given continuing problems with W2000 and XP relating to security, it never hurts to have some more advice.

Posted by jho at 09:32 PM | Comments (0)

July 17, 2003

A More Secure OS

http://www.entmag.com/news/article.asp?EditorialsID=5877

Microsoft has alerted people to a critical flaw in Windows Server 2003, which was supposed to offer unprecedented security. The Remote Procedure Flaw could allow someone to take over another, remotely located, Windows machine. This does not enhance Microsoft's reputation for creating secure OSs.

Posted by jho at 08:59 PM | Comments (0)

It's A Wild Wild Web

https://gtoc.iss.net/documents/summaryreport.pdf

A downloadable report covering the current state of risks on the InterNet, suggesting attacks and their effects are both on the upswing, while also touting, naturally, the originating company's services.

Posted by jho at 08:54 PM | Comments (0)

Cisco Security Flaw

http://www.cert.org/advisories/CA-2003-15.html

A vulnerability in many Cisco routers could lead to the device requiring a reboot to clear a potential exploit. Full details at the CERT advisory referenced above.

Posted by jho at 02:23 PM | Comments (2)

July 09, 2003

Cryptic Critic

http://www.youdzone.com/cryptobooks.html

An annotated guide to nearly 150 books on cryptography, divided into functional areas, with 7 of the books being downloadable, and many of the rest available for online purchase, is obviously a useful security resource.

Posted by jho at 02:14 PM | Comments (1)

July 08, 2003

Doctor of Security

http://www.washingtonpost.com/wp-dyn/articles/A23689-2003Jul7.html

The tension between what can be known and what should be known is exemplified by the example of a PhD student, whose dissertation has mapped every part of the USA economy to its connecting fibre-optic network. Since all the data were gathered from public information, no direct security breach resulted from their compilation and interpretation.

Both corporations and the government, however, are eager to suppress these research results, and the university involved will only allow publication of the most general information about this topic. This is a major problem, in that suppression is antithetical to the benefits which open research generates, so we may have a bad precedent here.

It is equally understandable why those in authority should object to vulnerabilities being easily known, although ultimately the only justification for continued censorship here is to give the responsible parties the time to cure the identified defects. Previous examples in this regard do not give rise to undue confidence that those in control will "do the right thing".

To the extent that the defects are not capable of correction, a posture of public ignorance is at least questionable and at worst, objectionable.

Posted by jho at 08:50 PM | Comments (15)

July 03, 2003

Securing Security

http://www.net-security.org/index.php

You may find yourself overwhelmed by security issues, but even if not, it helps to have resources to consult. This proprietary page offers reviews, white papers, notification of exploits, and a listserv e-letter in a cleanly laid-out searchable site.

Posted by jho at 07:15 PM | Comments (0)

Shooing Hackers

http://www.infopackets.com/hacking+hackers+hack.htm

Here is some simple and basic information on how to prevent the majority of hack attacks. It is ideally suited to those who are just getting started on the subject, since it won't overwhelm them, but will give them a good sound start.

Posted by jho at 06:53 PM | Comments (0)

Look Ma, I'm Audited!

http://www.auditmypc.com/

A free online tool for testing how well your computer can stand up to external attack, and, indeed, if it is even "visible" on the Net at all.

Posted by jho at 06:29 PM | Comments (0)

June 26, 2003

Security Blanket

http://www.gocsi.com/

While the immediate attraction to the Computer Security Institute site is a free CSI/FBI survey on computer crime and security, announcements of conferences and training opportunities make it worth bookmarking. The advantages of becoming a CSI member are also explained in an attractive fashion.

Posted by jho at 04:52 PM | Comments (0)

June 24, 2003

Sizzling Lunch Meat

http://www.technologyreview.com/articles/schwartz0703.asp

One-time registration is required to view this article on the problems caused by spam, as well as the cure potentially being worse than the disease. Spam has been with us for some time in a controllable way, but in this last year it appears to have metastasized to a point producing genuine problems for users and the network alike.

There are a lot of sides to this story, which is why it promises to be never-ending.

Posted by jho at 09:48 PM | Comments (0)

June 23, 2003

Salubrious Sweat

http://whitepapers.comdex.com/data/detail?id=1055792639_449&type=RES&src=KA_RES

Those in command at Pearl Harbor, it can be argued, were not negligent -- they were just looking for the wrong things in the wrong direction -- and the rest really is history. Here is some common-sense security advice, telling you to tend to the beam in your own eye, before bothering with your sibling's mote: "Sweat the Small Stuff: Making Your Enterprise More Secure with Less Effort".

Posted by jho at 09:45 PM | Comments (0)

To The Firewall...And Beyond!

http://whitepapers.comdex.com/data/detail?id=1028048649_631&type=RES&src=KA_RES

Although the security community has been fairly vigilant in promoting the fact that just installing a firewall no more handles all your security problems than having a lock on your front door prevents your house from flooding, the general consensus is that a segment of the endangered spaces have not realized this. This white paper: "Beyond the Firewall - Using a Layered Security Strategy to Address Internal Security Threats" provides some practical suggestions about implementing a security strategy which will help repel the variety of threats the real world offers.

Posted by jho at 09:40 PM | Comments (0)

June 16, 2003

Germs Are Everywhere!

http://www.certmag.com/articles/templates/cmag_nl_infosec_content.asp?articleid=260&zoneid=39

The extent to which viruses and related malware have become serious and persistent problems is indicated by this range of sources for such information.

Posted by jho at 09:40 PM | Comments (0)

June 11, 2003

Dawn of the Living Viruses

http://eletters.wnn.ziffdavis.com/zd/cts?d=75-19-1-1-618817-592-1
http://eletters.wnn.ziffdavis.com/zd/cts?d=75-19-1-1-618817-595-1

These two articles report on Bugbear.B and W32/Sobig/c-mm, and indicate how much more sophisticated this sort of malware is becoming -- the ability to log keystrokes, the capacity to mask or mutate the virus program appearance, or even having a built-in SMTP engine. The increase in virus capability seems to be outstripping most defences. I am frankly pessimistic about the future [in a manner analogous to the failure of most antibiotics against real viruses -- we are waiting for the other shoe to drop with a thud].

Posted by jho at 07:28 PM | Comments (0)

Security For All Sizes

http://whitepapers.comdex.com/data/detail?id=1053093882_459&type=RES&src=KA_RES
http://whitepapers.comdex.com/data/detail?id=1035812992_853&type=RES&src=KA_RES

A couple of white papers offering methods of security implementation for large and medium/small organizations respectively. Reading both gives you some impression of what elements are common across all organizations, and where size matters, when security is concerned.

Posted by jho at 07:18 PM | Comments (0)

Silent Stays The Alarm

http://entmag.com/news/article.asp?EditorialsID=5844

Intrusion detection systems have been traditionally [to the extent that anything as newborn as the current computer security nexus of concerns can be said to have a "tradition"] considered as an important component of the security toolkit. Now some new Gartner analysis suggests that IDS may not be worth it, and will soon be obsolete. Resources previously directed to this sector should be directed towards improving firewalls.

Since this is a contrarian approach to a staple of practical security courses at the higher educational level, it should be worth reading.

Posted by jho at 05:47 PM | Comments (0)

Who Ya Gonna Call?

http://www.certmag.com/articles/templates/cmag_nl_infosec_content.asp?articleid=271&zoneid=39

An annotated guide to five sites worth consulting when seeking information on security issues: guidelines, news, industry associations, and additional links to other useful Web locations.

Posted by jho at 02:19 PM | Comments (0)

June 09, 2003

Making Small Guys Tough

http://whitepapers.comdex.com/data/detail?id=1035812992_853&type=RES&src=KA_RES

"Better Security - A Practical Guide - Network Security for the Small to Medium Enterprise" is available in editions for both distributed enterprises and small- to medium-sized businesses. They show how to build up the barriers to unwanted entry and how to keep an eye on what is going on.

PUBLISHER: WatchGuard Technologies, Inc.

Posted by jho at 07:45 PM | Comments (0)

June 04, 2003

Battening the Hitches

http://mcpmag.com/Features/article.asp?EditorialsID=348
http://com/columns/article.asp?EditorialsID=552
http://mcpmag.com/columns/article.asp?EditorialsID=555

Three articles on firewalls, wireless security, and implementing security in Office XP, respectively.

Posted by jho at 07:31 PM | Comments (3)

Covering Up Crime

http://www.cybercrime.gov/usamarch2001_6.htm

is an explanation from the USA DOJ as to why people fail to report computer crime.

http://www.usdoj.gov/criminal/cybercrime/searching.html#A

provides a USA DOJ manual on "Searching and Seizing Computers and Related Electronics Issues".

This is a phenomenon which is certainly relevant to the study of security, so these resources may well be worth consulting.

Posted by jho at 07:27 PM | Comments (0)