Archive for March, 2009

Information Security at Universities

I was sitting comfortably at a conference that I recently attended when someone on a panel announced to the audience that he had talked to someone from a nearby university concerning how well the computers and networks there were secured. This person told him that there was virtually no security. This led the panelist to proclaim that although there is a lot of rhetoric about information security going on at universities, this rhetoric is in essence idle chatter.

Although I concede that I have not exactly always been tactiturn in previous decades of my life, hopefully I have gradually (and painfully) changed into someone who “keeps his cool” far better now. I must admit, however, that this panelist’s minimalization of the state of the practice of information security in universities “lit my fuse.” Read more…

Categories: Uncategorized Tags:

Terms that Information Security Professionals Need to Purge from their Vocabularies

I’ll be the first to admit that I lean towards being a contrarian. That aside, I need to get something off of my chest—some of the terms that we information security professionals use are truly pathetic to the point that hearing them yet another time will invariably make me sick. Here are a few of them: Read more…

Categories: Uncategorized Tags:

The Conficker Worm: The Worm that Refuses to Die

Over the last decade numerous worms have infected a very large number of systems. In many people’s minds, no worm was more prolific than the MSBlaster worm and its numerous variants, which according to some estimates infected over one million Windows systems. Afterwards several worms such as the Beagle and Sober worms and their variants surfaced and spread widely for a substantial period of time, but then to the relief of the information security community, they died, and then fewer and less prolific worms started to emerge. Just as this community started to take the worm threat less seriously and began instead to turn its attention to other threats, the Conficker worm, also called the Downadup worm, struck. This worm is by far the most widely spread computer worm ever. Since surfacing in November 2008, Conficker and its variants have according to numerous estimates compromised more than 11 million Windows systems, including a remarkable 1.1 million of these systems in just a 24-hour period last January. Read more…

Categories: Uncategorized Tags:

Tracing the Origin of Malicious Activity

At a conference last week I heard a speaker talk about a network security methodology in which IP addresses known to be associated with attacks are used to set up special protections for critical assets. The speaker said that in this methodology sources such as and CERT are used to identify malicious IP addresses. After the end of the presentation I expressed doubt concerning the validity of such IP addresses. Surprisingly, he countered that he had a high degree of confidence in them.

Over the years I have learned a few principles regarding IP tracebacks that are nearly always true. One is that unless network traffic consists of IPsec packets, the source IP address of this traffic must be viewed with considerable suspicion. Why? The main reason is the prevalence of IP spoofing in Internet attacks. Another is the emergence of mobile bots, bots that inhabit hosts for a while, then leave and take over other hosts. As such, determining which particular IP address is malicious at any time is nearly impossible. Well-intentioned but mistaken reporting of malicious IP addresses on sites such as is still another reason. Too often users of intrusion detection tools such as Snort take output at face value instead of further investigating exactly what has occurred by collecting and analyzing additional information such as packet dump data. I remember many times when I worked at Berkeley Lab how someone posted a Berkeley Lab host IP address on Many times investigations of supposedly malicious hosts there showed that no malicious activity whatsoever had originated from them; their IP addresses had simply been used in spoofing attacks. Read more…

Categories: Uncategorized Tags:

Information Security Can Support Human Ecosystems

The Knights of Columbus and Marist organizations recently completed a survey of consumers and managers about ethics in today’s business world.  One of the striking things about the outcome of the survey is how much agreement there is between consumers and business managers about the lack of ethical standards behind today’s financial mess. This raises a fascinating topic of the ecology of human values within organizations and information security’s role in preserving and promoting that ecology.

Years ago I worked for an organization that pioneered aspects of modern information technology and also in the research of information security.  One of the things that information security consultants were expected to do back then was to routinely mount “social engineering” attacks on client organizations in order to expose the likelihood that information might be shared inappropriately by members of that organization. Generally speaking, social engineering requires misrepresentation of the social engineer’s identity and role in order to trick the victim — in this case an unsuspecting employee of the organization — into revealing secrets. At our company however we defined a hard and fast rule that no consultant should ever be required to tell a lie as a normal or routine part of their day-to-day job.  Lying is unethical.  Even if done as a means to a worthy end.  Many people observe religious values that prohibit them from telling a lie.  Honesty is the underpinning of much of today’s common law and contract law. Although counterbalanced by the principle of “caveat emptor,” honesty still holds a centrally important role in virtually all we do within business today. But in the Knights of Columbus and Marist poll, consumers and business managers alike saw honesty and ethical behavior as lacking or at least declining  in business organizations today. Read more…

Categories: Uncategorized Tags:

What Is the Most Secure Web Browser?

Which Web browser is the most secure? The answer to this question could easily trigger a “religious war,” something that I have no intention of doing. Yet because so many of today’s attacks target browsers, there is value in looking deeper into this issue, provided, of course, that facts, not presuppositions, are used to address this issue.

Because the most used products and tools generally tend to be the biggest targets of attacks, it is important to know how frequently each type of browsers is being used today. According to, in January 2009, IE7 had 25.7 percent, IE6 had 18.5 percent, and IE8 had 0.6 percent of the browser market. The total among all three versions of IE is 44.8 percent, nearly identical to Firefox’s 45.5 percent. Chrome was a distant third with 3.9 percent, and Safari had 3.0 percent. What is perhaps most striking about these data is that only a few years ago, IE was completely dominant in the Web browser arena with well of 80 percent of all browsers used at that time being IE. To say that the use of Firefox has grown substantially over the past few years is thus a gross understatement. But the bottom line is that based on usage statistics, IE and Firefox should be about equal in their attractiveness to would-be attackers, whereas Chrome and Safari should not be so attractive in this respect. Read more…

Categories: Uncategorized Tags:

The System Shall Be Secure

20+ years after starting my career focused on information security and issues of risk acceptance, assurance, and implementation of appropriate controls within organizations, I’m still seeing the statement “the system shall be secure” as the single indication of security requirements for a given system being proposed for development. I recently had occasion to ask the senior development executive for a leading provider of software to pharmaceuticals firms to define the aspects or elements of his system that supported information security. What I got back in return was a hastily drafted statement complete with typographical errors that contained several hand waving mentions of information security jargon but amounted to essentially nothing in the way of a substantial statement of information security. I got the distinct impression that this company had never been asked for a definitive statement on information security before. Read more…

Categories: Uncategorized Tags:

Security Service Interruptions

If you have read my previous blog entry concerning the demise of High Tower Software, you probably detected some degree of sadness and remorse in my tone. The main reason is that all things considered, High Tower had a very good product. I honestly do not believe that any competitor’s product performed event correlation as well as High Tower’s product did. What also saddens me is that fact that so many customers who relied on High Tower’s product for threat detection and remediation as well as for proof of compliance are now to various degrees out of luck. Read more…

Categories: Uncategorized Tags:

What Is Information Security? Really??

In the current issue of IEEE Security and Privacy, Silver Bullet Editor Gary McGraw, CTO of Cigital, asks an interesting question: “What is security?” His interviewee, Gunnar Peterson, Founder of Artec Group, mentions Dan Geer’s statement that security is “risk management.” Later in the interview, McGraw asks whether security is “a thing”. Peterson says it’s a “set of services”. Also, security is defined by Butler Lampson as authentication, authorization, and auditing (“A-u — the Gold Standard” – ha ha). All of this mumbling about security illustrates an essential problem with the profession and the intellectual domain of information security: there is no good definition of information security that is generally accepted. For years, I have proposed that a better definition of information security than “CIA” is

a well-informed sense of assurance that
information risks and controls are in balance.

Read more…

Categories: Uncategorized Tags: