Current Topic: Computer Security

The National Strategy for Trusted Identities in Cyberspace

Topic: Computer Security
1:14 pm EDT, Jun 26, 2010
Howard Schmidt: Today, I am pleased to announce the latest step in moving our Nation forward in securing our cyberspace with the release of the draft National Strategy for Trusted Identities in Cyberspace (NSTIC). This first draft of NSTIC was developed in collaboration with key government agencies, business leaders and privacy advocates. What has emerged is a blueprint to reduce cybersecurity vulnerabilities and improve online privacy protections through the use of trusted digital identities. No longer should individuals have to remember an ever-expanding and potentially insecure list of usernames and passwords to log in to various online services. We seek to enable a future where individuals can voluntarily choose to obtain a secure, interoperable, and privacy-enhancing credential (e.g., a smart identity card, a digital certificate on their cell phone, etc.) from a variety of service providers -- both public and private -- to authenticate themselves online ...

Security Data Visualization: Graphical Techniques for Network Analysis

Topic: Computer Security
3:40 pm EST, Jan 25, 2008
Greg Conti published a book last October!

Information overload. If you're responsible for maintaining your network's security, you're living with it every day. Logs, alerts, packet captures, and even binary files take time and effort to analyze using text-based tools - and once your analysis is complete, the picture isn't always clear, or timely. And time is of the essence.

Information visualization is a branch of computer science concerned with modeling complex data using interactive images. When applied to network data, these interactive graphics allow administrators to quickly analyze, understand, and respond to emerging threats and vulnerabilities.

Security Data Visualization is a well-researched and richly illustrated introduction to the field. Greg Conti, creator of the network and security visualization tool RUMINT, shows you how to graph and display network data using a variety of tools so that you can understand complex datasets at a glance. And once you've seen what a network attack looks like, you'll have a better understanding of its low-level behavior - like how vulnerabilities are exploited and how worms and viruses propagate.

You'll learn how to use visualization techniques to:

- Audit your network for vulnerabilities using free visualization tools, such as AfterGlow and RUMINT
- See the underlying structure of a text file and explore the faulty security behavior of a Microsoft Word document
- Gain insight into large amounts of low-level packet data
- Identify and dissect port scans, Nessus vulnerability assessments, and Metasploit attacks
- View the global spread of the Sony rootkit, analyze antivirus effectiveness, and monitor widespread network attacks
- View and analyze firewall and intrusion detection system (IDS) logs

Security visualization systems display data in ways that are illuminating to both professionals and amateurs. Once you've finished reading this book, you'll understand how visualization can make your response to security threats faster and more effective.
You can download Chapter 5, "One Night on my ISP", from the publisher.

Why Information Security is Hard

Topic: Computer Security
10:32 am EDT, Mar 26, 2007
This Ross Anderson paper from 2001 is worth (re-)reading. I'd be interested in any pointers to further reading along these lines. I particularly liked this quote, from the French economist Jules Dupuit in 1849: It is not because of the few thousand francs which would have to be spent to put a roof over the third-class carriage or to upholster the third-class seats that some company or other has open carriages with wooden benches ... What the company is trying to do is prevent the passengers who can pay the second-class fare from traveling third class; it hits the poor, not because it wants to hurt them, but to frighten the rich ... And it is again for the same reason that the companies, having proved almost cruel to the third-class passengers and mean to the second-class ones, become lavish in dealing with first-class customers. Having refused the poor what is necessary, they give the rich what is superfluous.
Here's the abstract of the paper: According to one common view, information security comes down to technical measures. Given better access control policy models, formal proofs of cryptographic protocols, approved firewalls, better ways of detecting intrusions and malicious code, and better tools for system evaluation and assurance, the problems can be solved. In this note, I put forward a contrary view: information insecurity is at least as much due to perverse incentives. Many of the problems can be explained more clearly and convincingly using the language of microeconomics: network externalities, asymmetric information, moral hazard, adverse selection, liability dumping and the tragedy of the commons.
Anderson has been working this theme over the past several years; his latest paper is The Economics of Information Security - A Survey and Open Questions.

Security Engineering - A Guide to Building Dependable Distributed Systems

Topic: Computer Security
2:08 pm EDT, Aug 31, 2006
While you're waiting for Acidus to finish his book, read this one. "If you're even thinking of doing any security engineering, you need to read this book" -- Bruce Schneier. "Even after two years on the shelf, Security Engineering remains the most important security text published in the last several years" -- Information Security Magazine
Ross Anderson is my favorite security researcher.

Invasion of the Computer Snatchers

Topic: Computer Security
10:08 am EST, Feb 18, 2006
Hackers are hijacking thousands of PCs to spy on users, shake down online businesses, steal identities and send millions of pieces of spam. If you think your computer is safe, think again.
This is a really good article on the botnet/spyware industry. Interestingly enough the botnet operator who agreed to be interviewed for this article did so on the condition of anonymity. According to Slashdot the Washington Post published his hometown as the "location" caption for an odd image in the article. He lives in a very small town. Chances are he is going to prison.

Blue Boxing Wiretapping Systems

Topic: Computer Security
11:00 am EST, Nov 30, 2005
In a research paper appearing in the November/December 2005 issue of IEEE Security and Privacy, we analyzed publicly available information and materials to evaluate the reliability of the telephone wiretapping technologies used by US law enforcement agencies. The analysis found vulnerabilities in widely fielded interception technologies that are used for both "pen register" and "full audio" (Title III / FISA) taps. The vulnerabilities allow a party to a wiretapped call to disable content recording and call monitoring and to manipulate the logs of dialed digits and call activity. In the most serious countermeasures we discovered, a wiretap subject superimposes a continuous low-amplitude "C-tone" audio signal over normal call audio on the monitored line. The tone is misinterpreted by the wiretap system as an "on-hook" signal, which mutes monitored call audio and suspends audio recording. Most loop extender systems, as well as at least some CALEA systems, appear to be vulnerable to this countermeasure.
John Markoff has a story on this today. Ha... They were using old-school DTMF techniques to detect call status! That's a bizarre approach. You'd think they'd have some device that spoke SS7 and the network would simply send the digital call traffic to them.

U: I just read the paper. Apparently there IS no good reason they are using inband signals. It's a good paper. Read it. Of course, this kind of vulnerability isn't what I'm really interested in with respect to CALEA equipment. The big question is how does Law Enforcement get access to the CALEA system and is the security/authentication of that access method sufficient to prevent other parties from using the system. I've heard unsubstantiated whisperings that it isn't...

U: The paper seems to allude to this suspicion as well...