Jul 28 2006
Alan Shimel invited me on his podcast to talk about one of my favorite topics, ME. Actually, it’s kind of embarrassing to talk about myself like this, but it was interesting to understand what the people I interview feel like. If you’ve ever wondered how I got into security and what made me the person I am today, then you’ll like this interview. I also talk about blogging, podcasting and how I got into both. It went a little longer than originally intended, but I seem to have that problem a lot lately.
StillSecure, After All These Years, Podcast #8
Technorati Tags: security, interview, Alan Shimel, Martin McKeay
Jul 27 2006
Last night I went to the San Francisco Podcast Meetup, which is always a blast. Shel Holtz and Chris Heuer and I sat in a corner making snarky comments about the speaker. Hint for the future: when talking to podcasters, talk about how your company relates to them, not about how your company makes money for themselves and independent music companies. When he finally got to the stuff podcasters were interested in, there was a lot of good stuff about iodapromonet, but he’d already lost a lot of the audience.
One of the high points for me was the fact that Adam Curry showed up. If you don’t know about Daily Source Code, you haven’t listened to one of the most popular podcasts on the ‘Net. He’s also the main personality behind Podshow. Of course, if you’re in my age group, you know Adam from his days as an MTV VJ. One of the traditions at the Meetup is to pass the mic around at the start of the meeting and everyone introduces themselves and their podcast. When I introduced myself, I heard Adam say something and point to me, but at the time, I knew I couldn’t have heard what I thought I had. So after the main meeting I asked him what he’d said, and I’d heard him correctly: he’s subscribed to my podcast! Now I’m sure Adam’s subscribed to a lot of podcasts, and we’ll see if he stays subscribed, but it felt good to have a high-profile subscriber. Plus, Adam’s only the second or third person I’ve met face to face who’s actually listened to my podcast. Okay, ‘pat-yourself-on-the-back’ time is over.

Adam getting a business card from the youngest podcaster
Technorati Tags: podcast, Adam Curry, SF Podcast Meetup
Jul 25 2006
This week I talked to Ravi Ganesan, founder of TriCipher. He fills me in on some of what’s been happening with Man in the Middle attacks against two-factor authentication used by banks and financial institutions. It sounds like this is a fairly small issue right now, but it could quickly grow in the near future. Ravi is clearly an expert on authentication solutions and gives some hints about where security professionals need to be looking in the future. I also take a few minutes to talk about some changes that may be happening to the PCI standards in the near future, the concept of compensating controls. By the way, I mistakenly called Ravi the CEO in the podcast, sorry for the mistake. I’m not a CSO either, so I figure that makes us even.
Network Security Podcast, Episode 36, July 25th, 2006

Time: 45:27
Tonight’s Music: Shemekia Copeland - Breakin’ Out
Technorati Tags: security, podcast, Man in the Middle attack
Jul 25 2006
I wish this surprised me; Federal Air Marshals have been putting innocent people on watch lists to meet quotas. I especially like the quote from one of the air marshals:
“Well, it’s intelligence information, and like any system, if you put garbage in, you get garbage out,” the air marshal said.
Bruce Schneier has a lot more to say on this situation, but the very concept of law enforcement professionals having a quota they have to meet is stupid. That’s like telling a computer security professional that they have to log a certain number of IDS alerts a month. Sure, I can tweak the IDS signatures to meet that quota, but the information generated by the IDS is going to be rendered nearly useless by the process.
Technorati Tags: security, air marshalls, quota