Ah, that old chestnut. Apparently there is concern that Microsoft has built in a backdoor for the NSA into each copy of Windows 7.

From Computer World:

“The key problem is that NSA has a dual mission, COMPUSEC, computer security, now called cyber security, and SIGINT, signals intelligence, in other words surveillance,” Rotenberg said in an e-mail.

Yesterday, he raised the issue, which isn’t new, of whether the NSA pressures companies like Microsoft to craft so-called “backdoors” into their code that would let the agency track users and intercept users’ communications. Rotenberg called it an “obvious concern,” and added that it might be difficult for major software makers to turn down NSA “suggestions” because the U.S. federal government is an important customer.

I find it interesting that this comes up every time Microsoft releases a new OS. Never gets old. Let’s just all stipulate that, yes, the folks in the puzzle palace can get into your computer any time they want.

For the full article read on.

Article Link

Um, whoops.

It turns out that there are flaws in the clearance process. Hell, I could have told them that. My ex-girlfriend had a Top Secret clearance and lied that she was dating a Canadian…yes, that qualifies as a foreign influence. Eh.

And no, I won’t name names. She was a pain in the arse and will remain in the past.

From Washington Times:

Flaws in the system for granting clearances to Defense Department staff and contractors pose a risk to national security, and the right tools to measure how well the process works are essential, said Rep. Anna G. Eshoo, California Democrat and chairman of a House intelligence subcommittee that oversees personnel and management issues.

“At present, we’re basically operating on faith. This shouldn’t be a faith-based process,” Ms. Eshoo told The Washington Times.

Gee, ya think?

The audit also found that nearly nine in 10 new top-secret clearances last year were granted even though background investigation files on the applicant “were missing at least one type of documentation,” most often employment verification.

Faith? For Top Secret clearances?

Article Link

Security researchers have apparently devised a way to take over a Windows 7 system.

Well, sort of…

From Network World:

Researchers Vipin Kumar and Nitin Kumar used proof-of-concept code they developed, called VBootkit 2.0, to take control of a Windows 7 virtual machine while it was booting up. They demonstrated how the software works at the conference.

“There’s no fix for this. It cannot be fixed. It’s a design problem,” Vipin Kumar said, explaining the software exploits the Windows 7 assumption that the boot process is safe from attack.

When I first read this I was smiling thinking wow, that’s cool. Until I read a little further on and noticed that in order for the attack to work there has to be physical access to the machine. This attack does not work remotely.

Not nearly as sexy as I first thought. Still it makes for some interesting reading.

Article Link

In today’s edition of, “how not to get a recommendation from a former employer”…

From The Chronicle of Higher Education:

University of Florida officials now say that the message was sent by a former employee of Mobile Campus, the vendor that the university uses to operate the text-message alert service. The employee was trying to show off to a friend that he still had access to the university’s system when he accidentally sent the message, according to a statement from the university.

“It raises a concern for us that a former employee was able to still access the system,” said Stephen F. Orlando, a spokesman for the university, in an interview today. “Clearly that’s an issue that needs to be addressed and fixed.”

Ya think? The absence of a staff exit procedure (or use thereof) is self evident. It’s bad enough that the former employee still had access to the aforementioned system. This is a system that is in place as an emergency alert mechanism. It’s a sad reflection on the vendor that this person could still get in.

But, then the requisite stupidity rears its ugly head. The “spin”.

But Mr. Orlando stressed that no one had hacked into the system, and he said the university was working with Mobile Campus to keep any further unauthorized messages from going out.

“No one had hacked”. An exercise in semantics. He didn’t write some buffer overflow. He got in because his access to the system was never removed. Call it a hack, breach or a bag of potato chips. It still happened. I would be less concerned if he accessed the system via a zero day hack than a piss poor procedural failure.

Just saying.

For the full article read on.

Article Link

Verizon steps in it.

From CNN:

“This week we learned that a number of Verizon Wireless employees have, without authorization, accessed and viewed President-Elect Barack Obama’s personal cell phone account,” Lowell McAdam, Verizon Wireless president and CEO, said in a statement.

“All employees who have accessed the account — whether authorized or not — have been put on immediate leave, with pay.”

The Obama transition team was notified Wednesday by Verizon of the breach, said team spokesman Robert Gibbs. He said the president-elect no longer uses the phone.

Whether or not he still uses the phone is immaterial to be honest. This shows a breakdown in the privacy for the Verizon customer base. I’m cringing as I read the spin doctors at work. The degree to which Obama’s information was compromised isn’t the point. The fact that it was violated at all is.

I’m pleased to see that the employees in question were put on leave until this matter gets sorted out.

Article Link

From MSNBC:

One in three information technology professionals abuses administrative passwords to access confidential data such as colleagues’ salary details, personal e-mails or board-meeting minutes, according to a survey.

U.S. information security company Cyber-Ark surveyed 300 senior IT professionals, and found that one-third admitted to secretly snooping, while 47 percent said they had accessed information that was not relevant to their role.

Ah, there it is. One-third admitted to it. OK, that is more what I would expect. Now for the other two thirds get the electric cattle prod and some thumb screws and I’m sure they’ll start singing.

hyuk.

Article Link

In the world of bad ideas we have seen a remarkable array. There was hair in a can, the car-b-q and the pocket fisherman to name a few. Sure they have camp value but, you wouldn’t rely on any of them as a matter of practice. So, why then do people hand over their passwords for chocolate? Or, as in this case, for convenience of an online service.

Maybe that’s just it.

People have so many passwords that they are falling out of their ears in a lot of cases. Passwords are frequently viewed by the average user as little more than an irritant. They’re not given the importance that people might assign to the banking PIN number. This type of thinking inevitably leads to sticky notes on computers and inane passwords such as “password”, “letmein” and “secret”.

Today (Monday) I read about a service called Clipperz on the Web Worker Daily. This is an online service that will store your passwords for you. Maybe my professional paranoia of the last decade+ as a security operator has rotted my brain but, how is this realistically a good idea?

No ill will intended to the folks at Clipperz. I’m sure they have all the right intentions and have taken proper steps to ensure security.

From Web Worker:

Obviously, security and privacy are a consideration when using such a service. I liked that no personally identifying information is required for registration, not even an email address. On the security side, Clipperz says that all data is encrypted or decrypted locally at the browser level and that even your secure passphrase is never saved or sent to the server. They make the source code available for security review and I found no indication from anyone who questioned their methods.

That isn’t the part that gets me. It’s the message that this conveys to the user. Sure, you don’t know me but, trust me.

I’ll store your password for you.

Want some chocolate?

Article Link

Apple’s 160GB iPod Classic, introduced last September, is a music and movie lover’s dream machine. But for IT departments, it’s a security nightmare.

That’s because any employee can plug this pocket-sized USB storage device into their computer and use it to steal vast amounts of corporate information, including mailing lists, databases, financial records and confidential customer data.

Of course you don’t need an iPod to steal data: 4GB USB memory sticks are cheap and ubiquitous, or, for employees intent on stealing really large amounts of data, devices like Buffalo’s recently announced LinkStation Mini offer a terabyte of storage in a case that fits in the palm of the hand.

Nothing all that new in this article. But, it does give me an opportunity to point to this piece on the Windows registry for locking out USB storage devices.

Article Link

Ah, good ole Cisco. The company that security folks love to hate. I, on the other hand, am indifferent. I have worked with Cisco gear over the last decade+ and for routing and switching it does the trick nicely. Then that fateful day came when they found their shiny new jack boots in the front hall closet and descended on Las Vegas. They managed to leave a seriously negative aftertaste in the mouths of security researchers and hackers alike. Months later I had occasion to speak with an architect from Cisco and he offered, “We fucked up. I wish we as a company hadn’t done that.” But, the genie was out of the bottle.

The dust has settled and Cisco has learned from their mistakes. Well, at least from my perspective.

Michael Lynn was skewered by Cisco’s lawyers for his attempted presentation.

The presentation went on in a edited format. The crux of the conversation was the reverse engineering of Cisco’s IOS code which has historically been a closely guarded secret. Now, in an attempt to play in the virtual space they are opening up access to their code. Hmmm.

From Network World:

“It’s a significant step forward for us,” said Don Proctor, senior vice president of Cisco’s newly formed Software Group, at last week’s C-Scape 2007 analyst conference. “Software turns out to be a key way that we can do what [we've] been talking about for some time, which is link business architecture to technology architecture in a meaningful way.”

Cisco plans to “componentize” IOS – developing only one implementation of a specific function instead of several, depending on the image – dynamically link IOS services and move the software onto a Unix-based kernel. Cisco then plans to open up interfaces on IOS to allow third-party and customer-developed applications to access IOS services.

So, they have effectively made a turnabout in a manner of speaking. Now with this access to IOS I wonder how long until nefarious types gain a greater insight into the code? Oh right. With the writers on strike in Hollywood this is a rerun.

Article Link

Tags: Cisco IOS, Cisoc IOS Access, IOS Code, Code

With the ever growing number of NAC providers it is easy to go damn near insane trying to filter through them all. The company StillSecure has an interesting take on this technology. They are offering a client…for free. Their offering “Safe Access Lite” is available for download.

From StillSecure:

NAC has become notorious for being complex and time consuming to implement, yet the risk of not knowing who and what is on your network is too great to ignore. Safe Access Lite is a free version of the industry’s #1 award-winning network access control (NAC) solution. It enables network and security administrators to realize immediate benefits from NAC without requiring time-consuming and complex network changes or posing risk to end users.

Currently available in beta, Safe Access Lite is a non-disruptive, easy-to-install, monitor-only NAC product that tests up to 250 devices/computers/endpoints to determine if they are compliant with an organization’s security policies and best practices. For quick installation and ease-of-use, Safe Access Lite is offered as a pre-built, pre-configured and ready-to-run VMware download.

Here is a screen shot.

Has anyone tried this yet? I haven’t had the time to st down and test this one. It’s in the queue.

Article Link

Tags: NAC, NAC Solutions, Safe Access Lite, StillSecure