Security: Opinions

A less known part of the recent ARP attack against H D Moore's MetaSploit site was an attempted Denial of Service attack that coincided with the successful ARP attack.

Remaining platform and technology agnostic in Information Security is a progressively more difficult task as people and companies develop the skills and abilities to form professional fee-based relationships with the vendors that they previously reported about.

Following TJX's major loss of credit card data last year, the company implemented a series of internal changes that were meant to make it more difficult for theft to take place again in the future. The only problem was that the implementation was not exactly ideal and at least one TJX employee identified this and made an effort to report the situation internally. When faced with no response from the company, he chose to release the information publicly.

Recent reporting from AP and The Charleston Gazette demonstrates that selling snake oil will eventually catch up with you. LifeLock, an identity theft protection company based in Arizona, is facing a class-action lawsuit alleging that their services are 'inept' at preventing identity theft from taking place.

I've had the pleasure of speaking and attending this year's AusCERT 2008 security conference held in Gold Coast, Australia. If you've never been to Australia, you're missing some of the best that life has to offer, and I feel the same way about the conference. Although a bit smaller than most US security conferences, it's intentionally kept small (around 1,000 participants) and makes up in quality speaker presentations and vendor participation what it lacks in headcount. One of the great attributes of the typical Aussie is their aversion to marketing hype, along with their ability to "cut the fat off a chicken" (as my grandmother used to say) and pull out the salient points. If a vendor tries to push marketing fluff about their product too much, they are likely to get verbally assailed rugby-style. Here are some of my favorite notes and quotes from selected speakers:

Antivirus and antimalware developers have been in the spotlight for the last month or so and have been the focus of malware developers for much longer over the plan to run the Race to Zero contest at this year's DefCon in Las Vegas. Now, it might be the turn of companies that produce and promote 'This Site is Safe from Hackers'-style certification and coverage for their clients to share the spotlight.

If you are running a Debian-based Linux system and haven't already caught up with the announcement [1] that there was a major flaw with the generation of SSH, OpenVPN, DNSSEC, SSL/TLS session keys and X.509 certificate key material, you might want to update your system to address the problem.

Many Information Security practices have outcomes that are difficult to quantify. How do you prove that your measure is effective at preventing whatever malicious activity is out there from being effective against your system?

Unintentional exposure of sensitive data through Word files is a has caused problems for companies in the past, especially when people forget that Track Changes can easily allow document recipients to view information that has been deleted or sanitised for release.

I had to go to the bank recently for the first time in months and, although it was the day before a public holiday, I was still amazed to see how many people were queuing up to talk to a teller. It felt like I'd stepped into a time warp.

Corporate IT executives need to beware the seven dirty secrets of the security industry that can undermine the safety of business networks, a security expert told attendees at Interop Las Vegas.