Observations on information security.

Passwords, Open ID, and "Information Cards"

Randall Stross/Digital Domain has posted a NYT story on passwords, Open ID, and Information Cards.

The "Information Card Foundation" is only a few weeks old, and the technique is trying to solve problems with both passwords and with Open ID. The posting roasts the old chestnuts about how bad passwords are (does anyone really need convincing?), then roasts Open ID a bit, and then introduces Information Cards, a slightly more flexible but still vulnerable technology.

Personally, I'm not convinced that Information Cards are any safer or easier to use than Open ID can be.

The Security Process

I've been working on ways of teaching information security. I think it's essential to teach some sort of systematic approach to security ("the process") and that this should include risk assessment, policy development, monitoring, and such. For educational purposes, my process contains six phases.

Penalizing Unauthenticated SSL Certificates

Mozilla, like most responsible web browsers, pops up a warning if someone visits a secure web site where the site's crypto credentials have not been countersigned by a recognized certificate authority.

On Slashdot, Chandon Seldon argues that the Mozilla SSL Policy is Bad For the Web, which links to material by Nat Tuck saying, again, that the Mozilla SSL policy is bad for the Web. The argument is that this policy violates net neutrality by forcing people into a commercial venue if they want their secure connections to be user friendly. The commentaries find this especially troublesome for nonprofit organizations.

This is nonsense. Net Neutrality is about connectivity. SSL is about security and assured identification. Web browsers pop up a complaint about authentication when they can't verify a site's identity - that's what the browser is supposed to do. SSL certificate management is the best affirmative defense in the Internet today and these suggestions will only weaken it.

Finally - fixing the updater vulnerability

One of my personal nightmares is in the automatic software updating mechanism that infests every significant modern software package. It's a huge vulnerability.

Many vendors ignored the problem because they hadn't seen a real exploit. In a recent article, Security Fix tells of a researcher in Argentina who has implemented a sample exploit, so vendors are (finally!) paying attention.

In these days of commercialized hacking, it makes sense to armor plate the whole software distribution pipeline. It's about time people started paying attention.

That's not a one-time pad!

It's amazing how subtle a one-time pad really is. On one level they're deceptively simple: you simply match up the text of your message with a collection of "random bits" you share with the recipient. To decrypt, the recipient matches up a copy of those "random bits" to retrieve the message.

The trick is in the definition of "random bits."

Six Minute History of Information Security

I have been reading the ACM's Model Curriculum on Information Technology (a prototype "IT" major) with a special eye towards the information security coverage. I've been teaching information security courses and recently developed a major in the area.

The curriculum provides minimum times to cover major topics in the field, like 3 hours to cover "Fundamental Aspects" including the "history" of information assurance and security. After factoring out the other dozen 'learning outcomes' for that topic, one is left with six minutes to cover the "history" of information security.

Bad attitudes versus malicious administrator

The San Francisco story is sounding more like a techie's personal tragedy and less like terrorism or hijacking or a ransom thing. Paul Venezia was contacted by someone in the IT department who knew Terry Childs, the "rogue admin."

Apparently Childs is a highly talented admin who is obsessed with his network. If the anonymous source is painting an accurate picture, then it's just an unfortunate combination of limited social skills on his part and hysterical overreaction on the part of his managers.

Fixing the Insider Threat: Separation of Duty

It's not an easy fix because it requires planning ahead, discipline, and effort. But it's essentially why banks can hire low-wage tellers and not worry about theft at the till (or at least not as much).

San Francisco has lost control of their FiberWAN. It's not clear how much this affects day to day operations, since the city appears to still be working. And that in itself is a tribute to separation of duty.

Mixed Bag: Lifehacker's Top 10 Computer Annoyances

There's some terrific stuff here. Unfortunately, it's packaged with Internet-based password selection.

Get it straight: you're only supposed to share your passwords with yourself and your keyboard. You aren't supposed to ask your astrologer for one, or collect one from someone on the bus, or at a cocktail party. And never, ever from an Internet web site.
