Archive for May, 2008

A Requiem for CIAC

Those of you who know me probably remember that my real start in the information security profession was my having founded and managed the Department of Energy’s Computer Incident Advisory Capability (CIAC)* while I worked at Lawrence Livermore National Laboratory (LLNL) back in the late 1980s. This was a real “trial by fire” job, with incredibly horrific politics both within the DOE and LLNL, new and increasingly complex incidents emerging all the time, and a shortage of resources. The team started with four full-time people, Dr. Tom Longstaff, Ana Marie de Alvare, David S. Brown, and myself (the program manager), and one part timer, Russell Brand. We worked ourselves to the bone, trying as hard as we possibly could to be of service to the entire, often quirky DOE community (which at the time included 78 DOE sites and laboratories as well as DOE headquarters). One of the best outcomes of our efforts was that we provided timely security alerts about new, significant vulnerabilities as well as ongoing incidents that could potentially adversely affect the sites we served. We crafted the bulletins such that the first part provided a higher-level perspective and analysis, something that managers could understand, while the rest of the content described procedures that system administrators could follow to patch systems or to apply workarounds until a patch was available. Read more…

Mobile Computing Risks: Part 3

I have already discussed risks due to lost or stolen mobile computing devices as well as the implications of these devices not being connected directly to an organization’s network. Another serious risk to consider is related to the fact that vendors usually do not address security issues in mobile computing products as well as they do in conventional products. Configuration settings that tighten security in conventional systems are often not available in mobile devices. Additionally, vendors too frequently turn their backs on vulnerabilities in their products. A good example is Research in Motion (RIM), the vendor of BlackBerry devices. Until fairly recently, RIM virtually ignored vulnerabilities in its products. BlackBerry vulnerabilities were posted at various Web sites, but RIM did not produce patches or workarounds (or even post information about these vulnerabilities on its own Web site), even though some of the vulnerabilities were critical. For example, a buffer overflow condition during meeting synchronization with Microsoft Exchange was discovered in BlackBerry 7230. Read more…

Mobile Computing Risks: Part 2

I discussed the problem of lost or stolen mobile computing devices at some length in my last blog entry. But as we all know, this problem is only part of the myriad of security-related problems that these devices introduce. Another part of the risk equation for these devices is the fact that in most cases, obtaining mobile access means that users must connect to networks other than an organization’s own network. It is thus generally much more difficult to control devices that are connected in this manner. Consider, for example, the issue of performing security maintenance (let alone IT maintenance in general). Suppose that a new worm that targets one or more mobile computing devices starts to spread and that installing a new patch prevents the worm from infecting these devices. System administrators can normally connect remotely to devices that are on their organization’s network without difficulty and then push the patch to these devices through remote administration tools. The same is not true of users who are traveling or who are working from home, a hotel room, or an airport Read more…

Mobile Computing Risks: Part 1

I am in an airport as I write this blog entry and am using a laptop to do so. All around me are people using laptops, BlackBerries, BlueBerries, Personal Digital Assistants (PDAs), smart phones, and more. I seriously wonder how many of them understand the level of security risk associated with their use of these devices. The risk of theft or of devices being lost is one of the greatest. According to recent statistics I have seen, approximately 40 percent of mobile devices are lost or stolen within two years of their purchase. Once when I was in a hurry to catch a flight, I somehow left my laptop at an airport security screening counter. I blissfully gathered my things (except, of course, for my laptop) and went running for the departure gate. It was not until early the next day—when I was supposed to start teaching a course—that I noticed that my laptop was missing. Believe it or not, I was able to get the computer back. I asked my wife to go to the airport to retrieve it. She showed identification that indicated she had the same last name and address as I did, but giving her the computer was against the rules. Instead, the airport security guards had to mail the computer to our home address. I was lucky, but a large percentage of people who did what I did are not. Read more…

The Prioritizing Resources and Organization for Intellectual Property (Pro-IP) Act

The U.S. House of Representatives recently passed a bill designed to protect intellectual property. The bill, called the Prioritizing Resources and Organization for Intellectual Property (Pro-IP) Act, provides federal officials with the necessary authority to confiscate any equipment being used in reproducing and distributing illegally copied materials as well as any materials obtained as the result of intellectual property theft. It would also establish a new post within the Executive Office, the U.S. Intellectual Property Enforcement Representative, who would serve as intellectual property czar. This person would be appointed to this position by the president. Read more…

Ethical and Other Issues Concerning the Kraken Botnet

Something very significant from an information security point of view happened recently. Two TippingPoint employees, Pedram Amini and Cody Pierce, reverse engineered the zombie code used in the prolific Kraken botnet. They then created what appeared to be a genuine Kraken server and waited for zombies to respond to it. Any zombies that responded could thus be identified and presumably removed from the computers in which they resided. Approximately 25,000 zombies responded, but then Amini and Pierce suddenly faced an ethical dilemma. They reasoned that the systems were already compromised; by removing the zombie code from each, they were, according to this point of view, actually doing the owners (as well as the Internet as a whole) a favor. Others, Amini and Pierce’s boss included, took an opposing point of view, reasoning that because the owner of each infected machine had not given access permission, deleting the zombie code from each compromised machine might constitute unauthorized access to a computing system, something that is forbidden by several U.S. statutes. They also worried that they might accidentally cause damage to the compromised systems. Others countered by saying that failure to remove the zombie code constituted the worst ethical failure of all. Read more…

Audit-related Issues

I often go to conferences in which auditing is the central theme, or if not, is at least a major theme. I also know many professional auditors. From a very high-level perspective, an audit function within an organization must determine whether that organization’s management is providing suitable oversight and direction, whether resources are being used responsibly and in accordance with major business and/or operational needs, whether other functions such as business units and risk management are fulfilling their purposes and, if so, whether they are doing it efficiently, and whether or not fraud, waste and misuse are occurring. Read more…

Another Blow to Privacy Rights in the U.S.

A ruling by the Ninth Circuit Court of Appeals dealt yet another blow to privacy rights in the U.S. The ruling upheld giving the U.S. Customs and Border Protection Service the right to search portable computers and other types of electronic devices at U.S. borders without sufficient grounds or reasonable suspicion. The appeal concerned a court ruling in which a person was arrested and charged with child pornography following a search without a warrant of his laptop by Los Angeles International Airport customs staff. The decision in the original trial was that the evidence was gained through unreasonable search and was thus inadmissible. This decision was subsequently overturned. Read more…

Network Access Control Technology: Will it Succeed?

I recently attended the Interop Conference in Las Vegas. As I strolled around the exhibition area, I could not help noticing all the booths at which Network Access Control (NAC) products were being promoted. NAC technology is used to prevent potentially dangerous systems from being able to connect to networks. NAC tools examine various aspects of each system that tries to connect to a network, and then, on the basis of the results, either allow or deny network access to that system. So, for example, if the user of a Windows XP system tries to connect to a network, but that system is infected by a worm, NAC technology is supposed to detect the infection, sever the existing network connection, and apply a defensive measure such as denying any IP address to that system until it is healthy again. Some NAC implementations perform tests such as determining whether a system connecting to the network has unpatched vulnerabilities, whether it has the ability to connect using IPv6, whether certain security-related settings are enabled, and more. Read more…
