Yesterday, I testified before a hearing of Colorado's Election Reform Commission. I made a small plug, at the end of my testimony, for a future generation of electronic voting machines that would use crypto machinery for end-to-end / software independent verification. Normally, the politicos tend to ignore this and focus on the immediately actionable stuff (e.g., current-generation DREs are unacceptably insecure; optical-scan is the best thing presently on the market). Not this time. I got a bunch of questions asking me to explain how a crypto voting system can be verifiable, how you can prove that the machine is behaving properly, and so forth. Pretty amazing. What I realized, however, is that it's really hard to explain crypto machinery to non-CS people. I did my best, but it was clear from conversations afterward that a few minutes of Q&A did little to give them any confidence that crypto voting machinery really works.

Another of the speakers, Neil McBurnett, was talking about doing variable sampling-rate audits (as a function of how close the tally is). Afterward, he lamented to me, privately, how hard it is to explain basic concepts like what it means for something to be "statistically significant."

There's a clear common theme here. How do we explain to the public the basic scientific theories that underly the problems that voting systems face? My written testimony (reused from an earlier hearing in Texas) includes links to papers, and some people will follow up. Others won't. My big question is whether we have a research challenge to invent progressively simpler systems that still have the right security properties, or whether we have an education challenge to explain that a certain amount of complexity is worthwhile for the good properties that can be achieved. (Uglier question: is it a desirable goal to weaken the security properties in return for greater simplicity? What security properties would you sacrifice?)

Certainly, with our own VoteBox system, which uses a variation on Benaloh's voter-initiated ballot challenge mechanism, one of the big open questions is whether real voters, who just want to cast their votes and don't care about the security mechanisms, will be tripped up by the extra question at the end that's fundamental to the mechanism. We're going to need to run human subject tests against these aspects of the machine design, and if they fail in practice, it's going to be a trip back to the drawing board.

[Sidebar: I'm co-teaching a class on elections with Bob Stein (a political scientist) and Mike Byrne (a psychologist). The students are a mix of Rice undergrads, most of whom aren't computer scientists. I experimentally built a lecture that began by teaching just enough number theory to explain how El Gamal cryptography works and how it allows for homomorphic vote tallying. Then I described how VoteBox uses this mechanism, and wrapped up with an explanation of how to do Benaloh-style challenges. I left out a lot of details, like how you generate large prime numbers, or how you construct NIZK proofs, but I seemed to have the class along with me for the lecture. If I can sell the idea of end-to-end cryptographic mechanisms to undergraduate non-science students, then there may yet be some hope.]

Funny.

Reset to FAIL
SonicWALL has apologised for a license server outage that left some customers without firewall or email filtering protection for hours yesterday.…

Read more…

BT in trouble over Phorm 'spyware' test: Via Techworld.com

Uk prosecutors are investigating whether BT illegally tested online advertising system Phorm without users' consent.

The inquiry focuses on Webwise, a system from the company Phorm, which monitors a person's web browsing and search terms in order to serve up related advertisements.

An internal BT document leaked in June showed BT conducted a two-week test involving 18,000 subscribers in September and October 2006 but did not inform those users.

Privacy activists have suggested the trials violated wiretapping laws as well as posing data security and privacy concerns. BT maintains no laws were broken.  read more »

Reset to FAIL

SonicWALL has apologised for a license server outage that left some customers without firewall or email filtering protection for hours yesterday.…

Behavioral screening -- the future of airport security?: Via CNN.com

TEL AVIV, Israel (CNN) -- Keep your shoes and belts on: Waiting in long airport security lines to pass through metal detectors may soon be a thing of the past.

Security experts say focus is shifting from analyzing the content of carry-ons to analyzing the content of passengers' intentions and emotions.

"We are seeing a needed paradigm shift when it comes to security," says Omer Laviv, CEO of ATHENA GS3, an Israeli-based security company.

"This 'brain-fingerprinting,' or technology which checks for behavioral intent, is much more developed than we think."

Nowhere is the need for cutting-edge security more acute than Israel, which faces constant security threats. For this reason, Israel has become a leader in developing security technology.  read more »

TSA boosts 'behavior detection,' mulls other changes: Via CNN.com

This holiday season, it's still shoes off and liquids out at airport security, but changes may be on the way to part of this routine, and agents will be watching much more than the contents of your carry-on.

In the coming months, the government expects to revisit its rule for the amount of liquids that may be brought aboard planes, while boosting the number of behavior detection officers deployed at checkpoints across the country.

More than 2,000 are already on the job, and the program is growing every day, said Christopher White, a spokesman for the Transportation Security Administration.  read more »

Alright people, here’s the deal.

I just published my take on the whole “Apple he said/she said you do/don’t need antivirus” thing over at TidBITS. Here’s my interpretation of what happened:

1. Back in 2007 some support guy posts a list of major AV supported on the Mac.
2. On November 21st, it’s updated to reflect the latest version numbers of the tools.
3. Whoever wrote it is a shitty writer, and didn’t realize how people would interpret it.
4. The press finds it and blasts it to the world.
5. Apple management goes, “WTF?!? We don’t tell people they should install three different AV programs all at once. Hell, we never tell them they need AV at all. Not that we’re going to tell them *not* to use it.”
6. The support article is pulled and statements issued.
7. Some people call it a conspiracy, because they like that sort of thing.
8. Somewhere deep in the bowels of 1 Infinite Loop there is a pike speared through a bloody head on prominent display.

So no, most of you don’t need antivirus. You can read my article on this from back in March if you want more help deciding if you should take a look at AV on your Mac.

Alan Shimel is one of a group of people who think it’s about time Mac users payed attention to security and installed AV. I like to break that argument into two sections. First, as I’ve learned since writing for TidBITS and Macworld, the average Mac user is definitely worried about security. But (second) this doesn’t mean desktop AV is the right answer. Right now, the risk of malware infection on the Mac is so low for the average user that AV really doesn’t make sense. That can change, heck, it probably will change, but that’s the situation today. Thus I recommend most people use mail filtering and browse safely rather than installing desktop AV.

Not recommending AV isn’t Apple’s ego (and I don’t deny they have an ego), it’s a reflection of the risk to users in the current environment. Now the odds are us Mac security types will recommend AV long before Apple does, but that day definitely isn’t here yet.

Apple didn’t reverse their policies- something slipped out from the lower levels by accident, and all the hubbub is much ado about nothing.

The day will likely come when Mac users need additional malware protection, but today isn’t that day, and even then, AV may not be the answer. Read my older article on this, and keep up with the news so you’ll know when the time comes.

LogLogic has been advocating comprehensive logging for all IT components (or configuration items if you are in the ITIL camp) including applications for a long time now. We have worked with many of our customers to ensure that there's 100% collection and analysis of their IT log data. In the last several months there's been a huge uptick in the area of application logging, specifically for the application developers. This is partially due to the general interest in cloud computing and SaaS applications.

To quote a few blogs, Amrit Williams said in his blog "Amazon AWS, Google App Engine, Microsoft Azure, and More - Part 1: Can We Secure The Cloud?" (emphasis mine):

The one suggestion that elicited the greatest interest and most questions was a simple one; develop your applications so that they can be easily audited by the security and IT teams once they are in production, enable auditing that can capture access attempts (successful or not), date/time, source IP address, etc…the folks I talked to afterwards told me it was probably the single most important concept for them during the summit - enable visibility.

Todd Hoff said in "Log Everything All the Time":

you need to log everything all the time so you can solve problems that have already happened across a potentially huge range of servers.

What you need to be able to do is trace though all relevant logs, pull together a time line of all relevant operations, and see what happened. And this is where trace/info etc is useless. You don't need function/method traces. You need a log of all the interesting things that happened in the system.

Todd also gave a fairly extensive list of suggestions to application developers on how they should be logging in his article.

By logging, capturing and analyzing everything, IT organizations can enable visibility and transparency into their applications. This not only helps with troubleshooting and forensics as Todd suggested, but it will help IT organizations achieve and enhance accountability. It will help IT do more with less.

Bottom line:

• Log everything all the time
• Capture and centralize archive all logs
• Analyze (search, report, correlate, alert, trend) all logs to understand what's happening in your IT infrastructure
• Continuously monitor the trend (automatically or manually) to ensure no anomalies will occur without notice

Care of Mike Owens and Dustin Kirkland, bogosec has been uploaded to Jaunty (in the NEW queue at the moment). It is a source-code analyzer framework with plugins for lintian, rats, and flawfinder. Out of curiousity, I ran it on all of Intrepid main. Highest 5 scores were:

1. 0.717338929043293 lsscsi
2. 0.612729234088457 nevow
3. 0.561151781356762 powertop
4. 0.431034482758621 language-pack-tk-base
5. 0.431034482758621 language-pack-se-base

As Dustin reminded me, bogosec seems biased against smaller code bases. In the case of the lang packs, the score is entirely from lintian. Both lsscsi and powertop deal mostly with input from kernel strings, so while they scored highly, I doubt either is actually vulnerable to very much. I haven’t looked at nevow yet. Also, both rats and flawfinder yell about things that are mitigated by compiler flags (e.g. -D_FORTIFY_SOURCE=2) so those warnings are less interesting too.

Really, this all boils down to “we need better code analyzers”. The best tool will be one that predicts CVE counts (I would expect the Linux kernel to be at the top, since it has the all-time highest number of CVEs filed against it).

To get closer to reality, I think just doing a normal package build and scanning for stderr output would be meaningful (gcc has plenty of built-in checks already). Steve Beattie suggested writing a plugin for sparse, too.

Copyright Office Should Right DMCA Wrongs in Rulemaking: Via EFF.org Updates

San Francisco - The Electronic Frontier Foundation (EFF) filed three exemption requests with the U.S. Copyright Office today aimed at protecting the important work of video remix artists, iPhone owners, and cell phone recyclers from legal threats under the Digital Millennium Copyright Act (DMCA).

The DMCA prohibits "circumventing" digital rights management (DRM) and "other technical protection measures" used to protect copyrighted works. While this ban was meant to deter copyright infringement, many have misused the law to chill competition, free speech, and fair use. Every three years, the Copyright Office convenes a rulemaking to consider granting exemptions to the DMCA's ban on circumvention to mitigate the harms the law has caused to legitimate, non-infringing uses of copyrighted materials.

One proposal filed by EFF is aimed at protecting the video remix culture currently thriving on Internet sites like YouTube. The filing asks for a DMCA exemption for amateur creators who use excerpts from DVDs in order to create new, noncommercial works. Hollywood takes the view that "ripping" DVDs is always a violation of the DMCA, no matter the purpose.

"Remix is what free speech looks like in the 21st century, which is why thousands of noncommercial remix videos are posted to YouTube every day," said EFF Senior Intellectual Property Attorney Fred von Lohmann. "The DMCA wasn't intended to drive fair use underground."  read more »

The recent attacks in Mumbai were carried out by assailants using high tech methods. It’s just another way in which technology can be used not only for good, but for evil, as well.

read more

Spied-On Lawyers Get Second Chance in NSA Lawsuit?: Via Threat Level

SAN FRANCISCO -- Two American lawyers accidentally given a Top Secret document showing they were eavesdropped on by the government when working for an Islamic charity in 2004 may yet get a court to rule on the government's secret surveillance program, despite being blocked from using that document to prove they were spied on.

Piecing together snippets from public statements from government investigations into Al Haramain, the Islamic charity they were working for, and a speech about their case by an FBI official, the duo's lawyers seemed to have convinced the judge in the case that they likely were spied on.

"There's a lot more meat on this bone than in the initial complaint, isn't there?" U.S. District Court Judge Vaughn Walker asked the government's lawyer Anthony Coppolino at the opening of the hearing in a San Francisco courthouse on Tuesday afternoon.

Being able to prove they were likely spied on is enough to restart the case for attorneys Wendell Belew and Asim Ghafoor, who once looked to have the most likely case to lead to a ruling on the legality of Bush's warrantless wiretapping program. That program started after the September 11, 2001 terror attacks, and involved various initiatives that peered into Americans phone and internet usage without court approval.

The turn of events for the duo came in front of the same judge who six months earlier ruled that he could look at the document in secret to see if the surveillance was illegal, but only if they could first find independent evidence they were spied on.

Judge Walker himself said at the time that hurdle was likely "insurmountable."  read more »

European Network & Information Security Agency Releases Paper on Security of Mobile Devices: Via Privacy Lives

The European Network and Information Security Agency (ENISA) has published a new paper (pdf), “Security Issues in the Context of Authentication Using Mobile Devices (Mobile eID).” ENISA is an independent agency issues advice on technology and security issues to European Union governments and private industry. From the executive summary:  read more »

It’s déjà vu again when Internet scamsters take advantage of the approaching Christmas holidays to entice computer users into opening malicious emails in the guise of holiday promotions or postcards. In the run up to Christmas, every year we see malware authors use varying themes to infect users. And this December is turning out to be no different.

Already into the first week of December, McAfee Avert Labs has observed two active spam campaigns using  malware-laced Christmas themes. The first is a spammed e-greeting that links to an ip address hosting an old school IRC/Bot SFX package. The animated image in the email is taken from a legitimate site while the bait ip address [202.82.11.4] belonging to a compromised web server based in Hong Kong.

The second threat is a new worm christened W32/Xirtem@MM. This worm has a built-in SMTP engine that mass mails copies of itself to email addresses harvested from an infected machine. It uses subjects ranging from Hallmark E-Cards to McDonalds and Coca Cola Christmas promotions. And to lend authenticity to the email, the images displayed in the spammed email are directly borrowed from the parent websites of Hallmark, McDonalds and Coca Cola.

The worm also has the capabilities of spreading via removable storage devices and Peep-to-peer networks. Upon execution, it displays the above picture to trick users into believing that it was a harmless image file.

The upcoming 5453 DATs to be released today contains detection for the W32/Xirtem@MM worm while users of McAfee Artemis Technology are already protected in real-time against these type of threats

In the coming weeks, these tactics will tend to evolve rapidly, from crude to sophisticated, as spammers increasingly use Christmas based themes to lure victims. With the level of sophistication seen in today’s threats, the malicious payload could easily be hidden within layers of obfuscation or clever social engineering, and could fool even the savviest of users who try to inspect an email before opening. It is therefore imperative that users are educated on how to avoid becoming a victim. Visit the McAfee Security Advice Center to learn all about online and computer safety tips to help you stay protected.

-

Make your website safer. Use external penetration testing service. First report ready in one hour!

A low intensity, distributed bruteforce attempt: Via That grumpy BSD guy

We have seen the future of botnets, and it is a distributed, low-key affair. Are sites running free software finally becoming malware targets?

Phase 1: “That's odd …”

During the last few weeks, I noticed an anomaly in the authentication logs on one of my listening posts. There were a larger than usual number of ssh login attempts overall, a higher than usual number of attempts for non-existent user names as well as some failures for a few that actually exist as well.

Looking at the log directly a typical progression would look like this:  read more »

So yesterday I asked readers to comment on thoughts I had that came from a question asked on the ISO 27001 Google Group:

“How I can communicate the value of an ISO implementation to non-security management?”

This question came to me after one of the posters on the ISO Google Group asked about KPIs for ISO implementation.  Got great responses in email, blog comments, and on Twitter from current/former CISO folks and consultants and analysts.  Some really great thought and effort, by the way - thank you.  It’s really great to be able to have these sorts of conversations online.

First, I have to point out some resources Brian Honan linked to from Gary Hinson, just because they’re so cool.  Gary has invested gobs of time and effort to become one of the defacto resources on the ISO (you might also want to read or re-read Gary’s web post on the 7 myths of metrics).   Brian links to an implementation guidance document(pdf) and a metrics example(pdf) document.

As full of awesomeness as they are, though, these are simply metrics “mapped” to the ISO (i.e. the ISO isn’t a pre-requisite for generating this information).  They are not KPI’s that express the value of ISO implementation.  Problem is the metrics created here still require some level of “translation” in order to create some value statement that data owners can understand.  As Myrcurial twittered me “27001 is orthoganal to process” meaning (I hope) that metrics have their foundation in events that are generated by processes.  27001 by itself was never meant to create metrics (see above), and so we’re asking a question the ISO can’t answer.  But the desire, the need to measure still exists.  To that extent we can google “ISO compliance” (whatever that means) and if something can be certifiable or deemed “compliant” we can and are “measuring”.  But does that have value? Rybolov (my favorite Guerilla CISO) wrote:

“Whatever you do, don’t start measuring percentage of compliance. Eventually, that’s what all metrics efforts around a framework devolve into.”

I have to agree.  Being ISO “compliant/certified” has little expressive business value prima facia. I find that one KPI that absolutely asserts value when expressed properly is risk - and similarly  Shrdlu wrote:

“I really have no idea. I personally wouldn’t try to justify an ISO implementation by itself. If I could show traceability on how it affected our overall security risk, then that’s what I’d do.”

And that’s a delightful answer.  That “traceability” (geeze-louise Shrdlu - what a word!) is absolutely what I’m after here.  How do I get that?  

If you’re going to do something with corporate budget (time, money - and goodness knows an ISO implementation is time & money) you better be able to communicate the value.  And while the zealotry for ISO implementation differs from person to person, I have yet to come across someone who says that ISO adoption is totally without value.  It’s just not apparent what that value of adoption is and how we can measure (metrics) and express it (KPIs).

Jenean Paschalidis wrote what he thought that value was in a very nice email in which he puts a qualitative name on the value of adoption:

“Transparency and accountability-this is what all executive/senior management (the company) is on the hook for. ISO provides that. If you want to understand and have confidence in your operations as supported by security (because you will know the who, what, where, when, why and how of a system (human, technical etc.) and you want to be able to trace back why a decision (risk-vetted) had been made - then adoption of this best international practice will assist in providing these answers.”

So working with our above thoughts a little here - if we agree with Shrdlu that the only value of an ISO implementation can only be expressed if we can say how said implementation affected our overall security risk - and we agree with Jenean that the primary benefit is an ability to have confidence in operations as supported by security, then….

The value of the ISO should be expressed as a KPI or set of KPIs that cleary explain how the confidence it generates helps us understand (and then reduce) our risk.

If risk is a probability issue,  ISO adoption helps generate confidence in our predictive analytics.  The dollar value the ISO generates (the ultimate KPI) is part of the cost of being able to make wise risk decisions.

So what is that (making wise risk decisions) worth to you?

SOME CONCLUDING THOUGHTS

First, it occurs to me that this is a real shame.  In a sense, an inability to generate a quantitative value statement for ISO use is simply more witch-doctory (“use it because we, the wise men of the tribe say you should”).  In some future version, the ISO should include some mechanism for measuring and expressing the worth of adoption to the organization (a better reason to use the ISO than “because we said so”).

Second, It should be noted that of Jack Jones’ 3 true value statements from which all metrics/KPIs should point to - we’re only talking about one of those value statements - the ability to reduce risk.  Using the ISO in an organization most certainly could create operational efficiencies (help us do more with less) - but the ISO isn’t a standard that creates operational efficiencies as a primary goal, nor does it give implicit direction on how to create operational efficincies.    The ISO folks do, however, play fast and loose with the idea of “risk” and “risk management” so it’s within this context that I interpreted our conversation.

Finally if you’re going to hire someone to help you with ISO adoption in your organization, the deliverables you ask for in your RFP/SOW/what-have-you should include quantitative (probability) statments about risk reduction and the creation of operational efficiencies.  If the firms answering can’t tell you what value their work will be to your company, then drop me a note and I’ll gladly point you to some friends of RMI’s that know FAIR & all our Risk Management frameworks and also do great ISO work.

On 03/12/08 At 03:45 PM

I am one of the few people to have gotten a pretty good view of the invisible election, and the reality does not match the reports of a smooth, problem-free election that have dominated the national media. As part of Obama's election protection team, I spent 18 hours working in the "boiler room," the spare office where 96 people ran national election day operations. Obama's election protection efforts, organized by Bob Bauer, were more generously funded, more precisely planned, and better organized than any in recent memory. Over the course of the day, thousands of lawyers, field staff, and volunteers reported the problems they were seeing in polling places across the country. A sophisticated computer program allowed the lawyers and staffers in the boiler room to review these reports in real time.

[...list of problems elided...]

I draw three lessons from the time I spent watching the invisible election unfold, all of which point to the need to make the invisible election visible to the public, to policymakers, and to election administrators themselves.

First, it is essential that the public see the invisible election. We are never going to get traction on reforming our election system until we have a means of making these problems visible to voters. Virtually every media outlet has reported that the election ran smoothly.

See, a working democracy is a tremendously valuable asset. It takes years to start up, and (when working) gives us a way to transition between legitimate governments. The thousand years of European wars of succession didn't allow for much liberty or wealth creation. Democracy has huge value, and it's under threat. In 2000, we had a real risk of a crisis. If Al Gore had contested the 5-4 vote in Washington, we had no real way to address it and choose a legitimate next leader. Gore understood this, which is why he was clear that we all had to respect the decision, "for the strength of our democracy." Despite the damage of the Bush years, it was the right call. Because a working democracy is a fragile thing. Trust that the election machinery has gotten the right result and will get the right result next time is an absolutely vital part of the legitimacy of government. Risking it should not be undertaken lightly.

I've been at occasional meetings between voting officials and computer scientists for about eight years now. There's a tremendous gap. The two groups don't understand each other well, although folks like Avi Rubin are working really hard to bridge that gap. Until there's a rough political and technological consensus that's inline with the 'Help America Vote act' or its replacement, we should be cautious about undercutting the system we have now.

I also wanted to juxtapose a little with Ryan Singel's story, "Chertoff: We're Closing that Boarding-Pass Loophole." There are now scanners which read a bar code off your boarding pass to make sure you haven't altered it, and the TSA folks can match your ID to the boarding pass. This was known for years, but driven heavily by Chris Soghoin's make your own boarding pass toy.

Between the airline software, the scanners and the training, we've probably spent tens of millions of dollars to fix the loophole. (Oddly, I haven't been able to find a statement of the costs.) But the truth is, it's a silly thing to fix. Good fake ID is easy to get, and will remain easy to get unless we choose a different balance between terrorism prevention, immigration and kids drinking.

Chris has some other entertaining discoveries, which I'm hoping he keeps to himself. I think they're worth not fixing. That is, the cost of the fix is too high. There are better things to spend money on.

The next few years are going to be rough for the United States. The costs of the Iraq war, our broken health care system, the financial melt-down, the bursting of the housing bubble, infrastructure that's starting to fail, and global climate change are all going to be competing for a slice of budgets while revenues are falling.

We need to ask ourselves which problems we need to fix, and what the costs of fixing it are really going to be. Not every problem needs a fix, and not every problem that needs fixing needs fixing now.

Anti Internet filtering rebels hit the streets: Via Computerworld Australia

Opponents to the government's Internet content filtering scheme will take to the streets in a series of protests planned in Australia's capital cities.

The protests, organised by members from activist groups including the Electronic Freedom Project and
Digital Liberty Coalition, will be held at Sydney's Town Hall, Brisbane Square, Melbourne's State Library, Adelaide Parliament House, Perth's Stirling Gardens and at Tasmania's Parliament Lawns.

Participants have created Facebook groups and a YouTube video to rally support and direct activists to the events. Opposition and Greens senators have expressed interest in attending the protests.  read more »

Report ticks filtered Internet: Via Computerworld Australia

The government's clean feed Internet scheme has been buoyed by glowing results from tests into the effectiveness of Internet Service Provider (ISP) content filters.

The Australian Communications and Media Authority's (ACMA) Internet content filtering report, the latest of a series that was first commissioned in 1993, claims the technology has undergone massive improvements since 2005 when that year's trial returned abysmal results.

ISP content filtering is part of the government's $125.8 million Plan for Cyber Safety which will split funds between law enforcement, technology and education to reduce the proliferation of child porn and inappropriate content.

Communications Minister Stephen Conroy said the government will soon trial blocking prohibited and "additional" material in a live pilot with ISPs using the filters.  read more »

Click here to subscribe to Liquidmatrix Security Digest!.

Good Morning!

I’m back after many days away, it’s good to be here.
Didya miss me?
I think Dave might have.

Thanks for joining us!

The Intern

And now, the news…

1. What’s wrong with tape backup? - The Register
2. Apple Removes Antivirus Support Note, Reiterates OS Xs Built-In Protections - Gizmodo
3. Gunmen Used Technology as A Tactical Tool - The Washington Post
4. Online payment site hijacked by notorious crime gang - The Register
5. U.S. FCC to mull free internet plan - The Globe and Mail
6. Browser Head to head: Chrome vs. Firefox vs Flock - Mashable I’ll put $10 on Flock, thanks.
7. Behavioral screening — the future of airport security? - CNN
8. Secret Geek A-Team Hacks Back, Defends Worldwide Web - Wired I am keenly interested in the thought processes of geeks, this article speaks to that a bit.

Tags: News, Daily Links, Security Blog, Information Security, Security News

Today Napera released the results of our online survey of 200 small and medium-sized enterprises that revealed a high level of security risk and an overall lack of confidence among IT managers. Seventy percent of those surveyed received scores on the Napera Network Test indicating medium to high risk of a network security breach, and more than half of the respondents stated they do not have confidence in the security of devices and users on their networks.

The comment we heard most from folks who took the test was that the questions made them think about network security in a new way and they had never thought about the security risks the test revealed.

For example, making sure users keep their computers up to date and patched is a huge security challenge for many IT managers. Research consistently shows that more than half of all computer users do not update their systems with anti-virus signatures, operating system patches or other application updates.  A recent report from Panda Security showed that 62% of computers tested had either outdated or disabled anti-virus.

As Todd pointed out in his recent blog on the Agent.btz malware infection, much of this risk can be minimized if systems are assessed prior to network access and forced into quarantine if the latest anti-virus signatures have not been downloaded.

In spite of this huge risk, only 29 percent of the companies surveyed perform a compliance check of computers prior to access to make sure they are updated and healthy.  The majority allow users to plug into the network, never knowing whether their systems are updated or not, even if they have security policies requiring users to do so.

Wi-Fi security was another area that showed a high risk scenario among respondents.  Specifically, many smaller enterprises are still using weak or no encryption with wireless access points, most frequently relying on WEP or WPA-PSK for wireless encryption and using shared passwords to control wireless access. Both WEP and WPA-PSK present a range of wireless security risks for business users.

We encourage customers to use WPA Enterprise with wireless access points, and we make deployment of WPA Enterprise easy for companies with our Napera N24 appliance, making it as simple as four steps to deploy robust WPA Enterprise authentication with their existing Active Directory installation.

In general, the survey results add further impetus to our goal of helping small and mid-sized companies control network access and improve their network security, thereby increasing productivity, network uptime and their return on overall security investment.  Network access control solutions address many of the issues facing these companies around keeping computers up to date, allowing safe guest access, securing wireless networks, and enforcing identity. Hopefully, it won’t take an expensive malware outbreak to validate this research.

U.S. supports voting rights law’s extension: Via SCOTUSblog

The Justice Department on Wednesday urged the Supreme Court to uphold Congress’ 25-year extension of the key part of federal voting rights law that requires many states and local governments to get clearance in Washington before they change their election laws or methods.  That is Section 5 of the Voting Rights Act.

In a reply brief filed in Northwest Austin Municipal Utility District Number One v. Mukasey (08-322), U.S. Solicitor General Gregory G. Garre asked the Justices to rule without even ordering written briefs and argument, summarily upholding a three-judge District Court ruling in favor of the extension.  The motion to affirm is here.

The challenge to Section 5’s validity has been a major cause for some conservative activists, who argue strenuously that the law has outlived the problem it was intended to solve, and thus exceeds Congress’ power under either the Fourteenth or Fifteenth Amendments.

The Solicitor General argued on Wednesday that “the constitutionality and scope of Section 5 of the VRA is undeniably important, but the three-judge district court’s unanimous, correct and careful disposition of the questions presented does not warrant plenary review here.”  read more »

This is the story of a woman who sent the scammers $400K:

She wiped out her husband's retirement account, mortgaged the house and took a lien out on the family car. Both were already paid for.

For more than two years, Spears sent tens and hundreds of thousands of dollars. Everyone she knew, including law enforcement officials, her family and bank officials, told her to stop, that it was all a scam. She persisted.

Spears said she kept sending money because the scammers kept telling her that the next payment would be the last one, that the big money was inbound. Spears said she became obsessed with getting paid.

An undercover investigator who worked on the case said greed helped blind Spears to the reality of the situation, which he called the worst example of the scam he's ever seen.

Mac malware meme put in its place
One of the more famous Get a Mac ads boasted that Apple systems, unlike Windows boxes, didn’t need anti-virus software. So when an article on an Apple support site encouraged the use of anti-virus software on Macs it seemed like news. In truth the article reiterated long-standing, though little publicised, advice from Apple.…

Read more…

Mac malware meme put in its place

One of the more famous Get a Mac ads boasted that Apple systems, unlike Windows boxes, didn't need anti-virus software. So when an article on an Apple support site encouraged the use of anti-virus software on Macs it seemed like news. In truth the article reiterated long-standing, though little publicised, advice from Apple.…

Yes, it can happen to you. It happened to me over the weekend. I got a bit suspicious as I was taking my family back to the airport and some strange emails started showing up in my inbox. Questions from some folks in Hong Kong about shipping an “unlocked” iPhone to Russia. Huh?

The transition of PABP to PA-DSS looks more complete every day. In the last 24 hours, the PCI Council has posted their validated application list. Many of these applications were grandfathered under various versions of PABP and will have to be reviewed under PA-DSS in the next one to two years.

As of today, 85 payment applications are listed from 55 vendors.

The European Voice - a weekly for Eurocrats in Brussels - publishes on its first page an alert from an important European banker that if the banks in Western Europe continue to refuse to lend to banks in Eastern Europe that more countries in Eastern Europe will have to turn to the IMF or go broke.

"EU banks with substantial operations in eastern Europe include Unicredit Group and Intesa of Italy, Erste Bank Austria and Raiffeisen Bank Austria, Alpha Bank and Piraeus Bank of Greece, and Swedbank and SEB of Sweden"

I remember that KBC was proud of its investments in the East......

as was Dexia with its US operation and Fortis with its takeover.....

They call it viral marketing and it is the basis of their success and their downfall. What is a site that is being blocked by networks all over the world (now maybe in small numbers but wait...) because they are eating too much traffic.

Facebook is eating enormously much traffic. But wait. It is not facebook it are more or less the facebook profiles that are eating so much traffic. And even if you visit facebook there are high traffic services like photo's that you could be able to block also.

It is not up for the network admins to try to keep uw with all these changes. Facebook - if it wants to survive in business networks - should make a light edition and a full edition. This way you can block the access to the profiles from other sites and limit access to facebook itself to the the parts of the websites that are text intensive.

Otherwise, your free service is too expensive for our bandwith.....

This counts also for ebay embeds for example....

source

The problem with some sites in the facebook infrastructure is that they don't have the same domainname. If this isn't known beforehand and hardencoded in antiphishing and anti-xss defense systems and tools, those other sites will be seen as phishing or fraud. For them you can transferring login information to another sites or between sites and in theory that is phishing or XSS.

This can also be the case for subdomains.

It means that you should stay as much as possible within your own domain.

An important Belgian site that has the same problem - and that we have written about already several times is .... the ever so popular taxonweb.be

Een boodschap van Al Blogger from Maarten Schenk on Vimeo.

Eén van de beste jokes around

De Nederlandse superblog geenstijl.nl heeft reeds een stalking campagne aangekondigd. Decrem zal nu overal en altijd op zijn woorden en daden moeten letten want een hele categorie mensen blijken nogal erg op hun tenen geprikt. Wel er is iemand in de bak gevlogen en vervolgd omdat een eerste minister hem in het parlement een gevaarlijk iemand noemde. Hij werd pas veel later door het gerecht gezuiverd van alle blaam.

Misschien kan DeCrem tevens enkele oude militairen als bodyguards meenemen.