Wozz: Info Security From Wozz

Lost in cyberspace

Tue, 04 Mar 2003 17:56:08 GMT

"Nothing so bold is forthcoming in the Strategy. Which is yet another indicator that the czars of national computer security are perfectly content to tease out the hyperbole in perpetuity. The bigger the perceived threat, the greater their importance inside the Beltway."

I've been neglecting my Info Security category, for no real good reason other than nothing interesting has popped out at me, until now. Bush's "National Strategy to Secure Cyberspace" - which I've mentioned here a few times before - was released last month, to resounding silence. Most of the Info Security punditry had already dismissed it as an industry scary-story with few good practical suggestions and a complete lack of serious consequences. In this Slate opinion piece, New American Brendan Koerner joins the chorus, blaming the security industry, government policy makers and law enforcement agencies for using a serious problem for political and financial gain. OpenBSD also gets a good mention at the expense of Microsoft, always a crowd pleaser around these parts.

TIA trinkets

Thu, 06 Feb 2003 04:31:32 GMT

The Total Information Awareness program may have removed its ominous logo from its Web site -- but you can still get your TIA-insignia T-shirts, teddy bears, mugs and thongs! Hurry, though, they're going fast (into detention)!

I want the greeting cards in hat form.

[via Scott Rosenberg's Links & Comment]

--
Composed with Newz Crawler 1.3 http://www.newzcrawler.com/

DMCRA re-introduced. Ask your representatives to support it

Mon, 03 Feb 2003 18:27:03 GMT

"The Digital Millennium Copyright Act of 1998 (DMCA) tilted the balance in our copyright laws too heavily in favor of the interests of copyright owners and undermined the longstanding fair use rights of information consumers, including research scientists, library patrons, and students at all education levels. With the DMCRA, we intend to restore the historical balance in our copyright law that has served our nation well in past years. "

As mentioned here before, the DMCRA is an important piece of legislation that will be considered this year. It aims to knock the DMCA down a peg and restore our fair use rights. The EFF is starting a campaign to get the word out to your representatives. Drop them a letter and let them know you want your rights back.

[via Slashdot]

Oops, here it is

Fri, 24 Jan 2003 03:05:46 GMT

CDT has the text of both the Wyden and Grassley amendments mentioned below and Grassley's comments before the Senate. The potential toothlessness lies here:

"Notwithstanding any other provision of law, commencing 60 days after the date of the enactment of this Act, no funds appropriated or otherwise made available to the Department of Defense, whether to an element of the Defense Advanced Research Projects Agency or any other element, or to any other department, agency, or element of the Federal Government, may be obligated or expended on research and development on the Total Information Awareness program unless--

[...]

(2) the President certifies to Congress in writing, that--

(A) the submittal of the report to Congress within 60 days after the date of the enactment of this Act is not practicable; and

(B) the cessation of research and development on the Total Information Awareness program would endanger the national security of the United States."

I think the potential of abuse is mitigated by having to notify Congress in writing, so lets hope this doesn't get cut somewhere along the way.

Senate Blocks Funding for Pentagon Database (washingtonpost.com)

Fri, 24 Jan 2003 02:08:30 GMT

...or do they?

"Saying they feared government snooping against ordinary Americans, U.S. senators voted on Thursday to block funding for a Pentagon computer project that would scour databases for terrorist threats.

By a voice vote, the Senate voted to ban funding for the Total Information Awareness program, under former national security adviser John Poindexter, until the Pentagon explains the program and assesses its impact on civil liberties."

The provision has been tacked onto the Omnibus Appropriations Bill currently being considered by the Senate. If it makes it through the House and Senate, TIA wouldn't be able to be operationally deployed, and here's the key, EXCEPT IN CASES OF NATIONAL SECURITY. Given this Administrations penchant for using their executive powers, this provision would seem a little more toothless than the article is making it out to be. The text isn't up yet, but I'll keep an eye out for it to see if I'm missing something from the Post's summary.

"viadrudge"

Sen. Edwards introduces information security bill

Wed, 22 Jan 2003 03:31:58 GMT

"Sen. John Edwards has introduced a bill that would require agencies to identify vulnerabilities in their systems and set up timetables for eliminating them.

The North Carolina Democrat’s National Cyber Security Leadership Act of 2003 would also mandate the use of IT security standards and guidelines established by the National Institute of Standards and Technology. "

A candidate that has good ideas on infosec? I'll keep be keeping an eye out for more info on this.

[via NewsNow: Encryption/Security]

--
Composed with Newz Crawler 1.3 http://www.newzcrawler.com/

Exploit Code At Security Focus Removed

Thu, 09 Jan 2003 23:25:52 GMT

"Observant Derek Vadala noted that it ' Looks like the exploit code from the Security Focus (i.e. Bugtraq) vulnerability database has been removed. There used to be an _exploit_ tab between _discussion_ and _solution_ on the individual vulnerabilty pages. It provided exploit code, if available. This was extremely useful for doing vulnerability testing so it's too bad. Seems to me that this is just one less resource for white hats and one more advantage for the blacks hats. I wonder if the recent acquisition by Symantec had something to do with the change."'

Of course, there's a flip side to Symantec aquiring all those companies. Securityfocus takes one more step towards irrelevence.

The View From Symantec's Security Central (TechNews.com)

Thu, 09 Jan 2003 23:18:47 GMT

"Inside a cavernous room on the first floor there, security analysts for Symantec sit in long, curved rows 24 hours a day, working on computers and facing a wall of theater-size screens. Information displayed on the screens helps them keep tabs on whether any attacks are underway at any of the company's more than 600 corporate clients. "

A good short article on Symantec's managed security business and what they've been doing with their recent aquisition of Riptech and Securityfocus. While this type of operation isn't really new - Security Operation Center's (SOC's) have been around for a couple of years now - it does give a good layman's picture of the usefulness of data collection and mining for insight into security problems, something on many people's minds with the emergence of TIA. They even have a video tour!

[via SecurityNewsPortal]

Happy New Year!

Wed, 01 Jan 2003 07:02:51 GMT

Let's hope this year is better than the last, and that there's many more to come!

Happy Holidays!

Mon, 23 Dec 2002 05:41:38 GMT

For those that care, I'm off for the Holidays this week, so I'm not likely to be posting much of anything.

Wired News: Jury Finds ElcomSoft Not Guilty

Wed, 18 Dec 2002 03:21:34 GMT

"Russian software developer ElcomSoft has been cleared of charges that it illegally created a program to disable encryption on Adobe e-books.

The jury verdict, announced Tuesday in U.S. District Court in San Jose, California, concludes the first criminal trial of a company accused of violating the Digital Millennium Copyright Act, a 1998 federal statute that protects copyrights on electronic content."

The first criminal trial test of the DMCA is over, and the Act took a beating.

KnownGoods Database

Wed, 11 Dec 2002 02:40:31 GMT

"Unless you've built your OS from source (more than likely you have not),the executable applications from the original distribution should never change in content, and/or size. The checksums in this database can quickly tell you if a file has been modified since it was first installed from the distrubution. "

This is a useful tool for helping determine if a system compromise has occured. Sun has provided similar information for a few years through its Fingerprint Database and its proved helpful to me in many situations, and this database extends these benefits to several other operating systems, including FreeBSD, Linux and OS X.

"viaslashdot"

Salon.com Technology | Is Big Brother our only hope against bin Laden?

Thu, 05 Dec 2002 04:27:58 GMT

"In the end, the debate over TIA, if it comes, may hang on this point: Are the rules good enough? For some people, no number of safeguards may be OK. Lee Tien, of the Electronic Frontier Foundation, for example, says that "I can't possibly say yes based on what I know now. I'd have to be convinced there would be a commitment to privacy from the get-go, and we just don't see that now. This administration is known for its secrecy. They are as bad as Nixon, maybe worse. We certainly cannot trust them with this system."

He added that "one of my biggest fears is that they are working on this stuff and they have some breakthroughs, and then something happens -- an attack -- and all of a sudden TIA's riding the white horse to the rescue. And then it's, 'Gee we haven't worked out the privacy,' and 'We haven't had new legal protections, but the exigencies are such that we need it now.'"

That's probably a valid fear. But so is the fear of terrorism, says Ramakrishnan. "You know, not to make its sound grandiose, but I think there is a battle here, and we're facing the kinds of things the people who invented the atom bomb were thinking. It's probably not whether we should -- I don't think we have a choice. I would rather that we understood this and took the time to enforce reasonable safeguards. To the extent that we do this in the open and have in place an array of legal legislative guidelines, I'd be much happier with that." "

A very good article on Salon about the pro's and con's of Total Information Awareness. As a info security nerd, I understand the usefulness of mining databases to protect infrastructure and predict events, but the leftish libertarian in me doesn't trust the government, let alone the cops, to use such capabilities ethically. I'm honestly very conflicted on this matter. People let supermarkets track everything they buy to save a few cents on a can of soup. Amazon keeps track of everything you buy and in return we get very occasionally useful recommendations (what ever became of the Firefly Agent stuff from MIT, it was great!). Is giving up some privacy for a potentially safer world tantamount to Ben Franklin's admonition against giving up liberty for security? Does TIA really collect any information that isn't already collected by corporations, an entity that I tend to distrust as much as the government? If the TIA data were held by the judicial branch, and only released after proper consideration, would this be satisfactory?

Don't get me wrong, the whole thing makes me queasy. But why is it that folks have no problems letting corporations track their information but not the government - when in the same breath they'll claim the government is being run by corporations?

Secure Interaction Design

Wed, 04 Dec 2002 23:47:15 GMT

"The security of any computer system that is configured or operated by human beings critically depends on the information conveyed by the user interface, the decisions of the users, and the interpretation of their actions. This paper establishes some starting points for reasoning about security from a user-centred point of view: it proposes to model systems in terms of actors and actions, and introduces the concept of the subjective actor-ability state. Ten key principles for secure interaction design are identified; case studies illustrate and justify the principles, describing real-world problems and possible solutions. It is hoped that this work will help guide the design and evaluation of secure systems."

Its good to see someone thinking about these issues. How many times have you been presented with a dialog-box telling you an SSL certificate is invalid? How many times did you click yes on that dialog box, thereby acknowledging that you don't care if who you're talking to is who they say they are? How many of you realize that was what you were acknowledging?

The ten principles for secure interaction presented are:

"Path of Least Resistance. The most natural way to do any task should also be the most secure way.
Appropriate Boundaries. The interface should expose, and the system should enforce, distinctions between objects and between actions along boundaries that matter to the user.
Explicit Authorization. A user's authorities must only be provided to other actors as a result of an explicit user action that is understood to imply granting.
Visibility. The interface should allow the user to easily review any active actors and authority relationships that would affect security-relevant decisions.
Revocability. The interface should allow the user to easily revoke authorities that the user has granted, wherever revocation is possible.
Expected Ability. The interface must not give the user the impression that it is possible to do something that cannot actually be done.
Trusted Path. The interface must provide an unspoofable and faithful communication channel between the user and any entity trusted to manipulate authorities on the user's behalf.
Identifiability. The interface should enforce that distinct objects and distinct actions have unspoofably identifiable and distinguishable representations.
Expressiveness. The interface should provide enough expressive power (a) to describe a safe security policy without undue difficulty; and (b) to allow users to express security policies in terms that fit their goals.
Clarity. The effect of any security-relevant action must be clearly apparent to the user before the action is taken. "

Salon.com | Test-drive Salon Premium

Tue, 12 Nov 2002 23:01:52 GMT

"Dear Salon Reader,

A year and a half ago we launched our subscription service, Salon Premium. In that time we've been heartened that more than 52,000 of you have stepped up to subscribe. Our subscribers have had exclusive access to all of Salon's award-winning content -- our investigative scoops, our in-the-trenches coverage from Afghanistan, everything.

But some of you continue to tell us that you're still on the fence. You've considered subscribing but you want to sample the merchandise first. Well, you're in luck. For a limited time, the folks at Mercedes-Benz will essentially pick up the tab for you. Consider it a Salon Premium test drive of sorts. You can access Salon Premium for the day and all you'll be asked to do in return is interact with a few screens featuring the new Mercedes E-Class luxury sedan. To take advantage of this offer just go to a Premium article and select the Mercedes-Benz link at the bottom. "

Obviously, I find a lot of value in supporting Salon, whether through my premium membership, or through this weblog. Now here's a chance to get a taste of what Salon's premium content is all about. Try it, you might like it. And with a few different plans available, it may be cheaper than you think. I don't mean to sound like a Salon pimp, but I think they provide very valuable, reasoned content for a fair price. And if you don't support that, it will no longer exist. Oh yeah, and if you missed out on the fund-raising drive over the last month or so, go support your local NPR station too!</PledgeBreak>

Economist.com - Securing the cloud

Fri, 01 Nov 2002 18:06:33 GMT

"Until recently, most people were either unaware of computer security or regarded it as unimportant. That used to be broadly true, except in a few specialised areas—such as banking, aerospace and military applications—that rely on computers and networks being hard to break into and not going wrong. But now consumers, companies and governments around the world are sitting up and taking notice. Why?"

A very good article on the increasing importance, and the public awareness of the problems of information security. It cites the emerging view of computer and network as utilities - along the lines of phone and water - and the hightened awareness of security in general after 9/11 as reasons for the burgeoning public awareness of the problem, and industries reaction to this awareness.

TCPA and Palladium Technical Analysis

Tue, 29 Oct 2002 05:02:43 GMT

This article presents a technical analysis of the TCPA hardware system and the Palladium operating system. Palladium and TCPA have been covered in some depth on slashdot and various FAQA. Unfortunately, much of the information available from these sources is highly subjective and confusing (for example, TCPA and Palladium are presented as if they were the same thing). Reliable and objective technical information on Palladium and TCPA has been hard to come by-and the actions of Microsoft has not made obtaining such information any easier.

An interesting technical overview of how the TCPA/Palladium platform will work. There are some interesting comments on this paper in a thread on Kuro5hin.

[via Kuro5hin]

SecurityFocus HOME Columnists: Certifiably Certified

Thu, 24 Oct 2002 23:20:59 GMT

"That having been said, I'm happy to announce that I'm going into the certification business. If anyone cares to send me $500 and copies of their alphanumeric passwords, I'll return to them a diploma conferring on them the title "Certified Strong Password-Using Professional" (CSPUP) that's good for four years from the date on their check or money order."

Richard Forno on the paradox of rising marketplace values of increasingly useless Info Security certifications.

[via ISN]

TISC Insight: Federal Cybersecurity: Get a Backbone

Thu, 17 Oct 2002 17:48:11 GMT

So here's a Cyber Security strategy that would work. It's as anti- competitive as you can get and has a snowball's chance in hell of being adopted. It's downright Machiavellian. Or, perhaps, Napoleonic:

Make it illegal to sell a PC that doesn't come with a fully-licensed Antivirus product and personal firewall pre-installed on it.

Standardize government Infosec products in use on a best-of-breed basis like any FORTUNE 500 company would - across all federal computers.

Terminate federal employees and their supervisors if they are proven responsible for security breaches due to their negligence.

Spend a few million dollars (or use some internal resources) to code a government-issue personal firewall and anti-virus product. Give it away. Standardize on it. Make it available to ISPs. Writing firewalls isn't hard. I've written two single-handedly.

Establish a standard firewall configuration policy (e.g.: a site security policy) for all internet-connected federal agencies and adhere to it rigorously. 99% of the government's security problems result from incompatible policies and lax enforcement. FORTUNE 500 firms get this right; the taxpayers' employees should do no less.

So it's anti-competitive and Machiavellian. National defense always is.

Don't sweat consensus. Lead.

Marcus Ranum, the man behind SEAL - the first commercial firewall, Gauntlet - another early commercial firewall, and NFR - the first commercial intrusion detection platform, comments on the lack of teeth in Bush's Cybersecurity Plan, and offers a plan of his own.

Counterpane: Crypto-Gram: National Strategy to Secure Cyberspace

Wed, 16 Oct 2002 02:54:29 GMT

"For some reason, Richard Clarke continues to believe that he can increase cybersecurity in this country by asking nicely. This government has tried this sort of thing again and again, and it never works. This National Strategy document isn't law, and it doesn't contain any mandates to government agencies. It has lots of recommendations. It has all sorts of processes. It has yet another list of suggested best practices. It's simply another document in my increasingly tall pile of recommendations to make everything better. (The Clinton Administration had theirs, the "National Plan for Information Systems Protection." And both the GAO and the OMB have published cyber-strategy documents.) But plans, no matter how detailed and how accurate they are, don't secure anything; action does.

And consensus doesn't secure anything. Preliminary drafts of the plan included strong words about wireless insecurity, which were removed because the wireless industry didn't want to look bad for not doing anything about it. Preliminary drafts included a suggestion that ISPs provide all their users with personal firewalls; that was taken out because ISPs didn't want to look bad for not already doing something like that.
And so on. This is what you get with a PR document. You get lots of varying input from all sorts of special interests, and you end up with a document that offends no one because it demands nothing.
The worst part of it is that some of the people involved in writing the document were high-powered, sincere security practitioners. It must have been a hard wake-up call for them to learn how things work in Washington. You can tell that a lot of thought and effort went into this document, and the fact that it was gutted at the behest of special interests is shameful...but typical. "

From today's Crypto-Gram. Bruce Schneier wasn't too impressed with Bush's Cybersecurity Plan.

Anti-hacking copyright law to get review - Tech News - CNET.com

Sun, 13 Oct 2002 08:23:06 GMT

"The United States Copyright Office is launching a rare round of public comment on rules that bar people from breaking through digital copy-protection technology on works such as music, movies, software or electronic books. Regulators aren't looking to change the law, but they are looking for public suggestions on what kinds of activity should be legalized in spite of the rules."

The public gets another chance to provide comment on the types of material that should be immune from the DMCA's effects.

"This time around, the office is again asking for specific examples of cases where the law's restrictions cause "actual instances of verifiable problems occurring in the marketplace." Inconvenience or "theoretical critiques" are not enough, the office warned."

NIST Computer Security DRAFT Publications

Fri, 11 Oct 2002 19:00:47 GMT

The Computer Security Division (CSD) of NIST has been quite busy lately producing a lot of surprisingly useful (for government work) papers. You can keep tabs on their new publications through their mailing list. Just email listproc@nist.gov with "subscribe compsecpubs FirstName LastName" in the body. If you work in info security, you should definately familiarize yourself with their publications.

Some of their more recent draft publications:

[Edited: I mispelled compsecpubs as comsecpubs, my bad]

TechNews.com - Bills Would Bolster the Right to Copy

Sun, 06 Oct 2002 18:25:52 GMT

"Two bills introduced this week in the House sought to redefine consumer rights in the digital era, a departure in a congressional session during which more attention has been paid to protecting copyrighted works from computer-aided piracy. "

A short review of the two "anti" DMCA bills (here's the text of one, the other hasn't been published online yet) introduced this week. It also presents some comments from Jack Valenti who, surprisingly to me, admitted "[...] that 100 percent protection is not possible."

ps. I had to edit this because thomas.loc.gov sucks. It generates all sorts of temporary links which stop working over time.

World's greatest computer hacker raises alarm | csmonitor.com

Sat, 05 Oct 2002 22:02:09 GMT

"Although some will accuse Mitnick of creating a handbook that teaches crooks how to break into organizations, the truth is that we all need to understand these con games to protect against them. To stress this point, his last two chapters contain policies, procedures, and training that companies can implement to further protect themselves. In keeping with his premise that the most damaging security penetrations are the result of deceit - not technical penetration - almost none of Mitnick's suggestions is technical in nature."

A good review by Simson Garfinkel of Kevin Mitnick's new book, "The Art of Deception". Now I'm not big on the whole "Free Mitnick" schtick and hoo-ha - the kind of thing that leads to this sort of silliness. Sure, his case was handled badly, but he is a crook. However, his insights into social engineering are probably more useful than 90% of the computer security books on the market today, as he is an acknowledged master of the art. I haven't seen the book yet, but its on my wish list.

Bill: Copyright Power to People

Sat, 05 Oct 2002 21:23:32 GMT

On Thursday Rep. Rick Boucher (D-Va.) and Rep. John Doolittle (D-Calif.) introduced the Digital Media Consumers Rights Act to preserve specific fair-use rights to copy digital works as well as "circumvention" rights to bypass copy protections. With no chance of passage this year, the bill's introduction prepares the ground for battle in the next session of Congress.

Another bill introduced to give us digital consumers some rights and roll back a bit of the DMCA.