So, SOPA is the news of the day, in terms of the Internet and security; it has been for well over a month now. In case you’re not familiar, SOPA is the Stop Online Piracy Act. It will “authorize the U.S. Department of Justice to seek court orders against websites outside U.S. jurisdiction accused of infringing on copyrights, or of enabling or facilitating copyright infringement.” I won’t bore you with the typical arguments about how it’ll infringe on free speech, or weakens safe harbor, etc. These arguments have been made, and they may have some validity, but let’s talk technology. SOPA is the most recent in a long line of legislation intended to regulate the internet. Such legislation is doomed[…]

Sometimes it can be a daunting task to keep up with computer security best practices, especially when it comes to prevention. There is an almost unlimited amount of things to take into account, not to mention significant decisions on which risks you need to address and which aren’t worth the effort. In addition, many different people have many different ideas about what’s important when it comes to baseline mitigation. This may explain why there are so many sources on the topic, often with different core focuses in mind. For example, Cisco’s Network Security Baseline is geared towards networking configuration, while the PCI-DSS regulations are focused on the technology surrounding credit /debit cards. The truth is that no one set of[…]

“I shall be telling this with a sigh Somewhere ages and ages hence: Two roads diverged in a wood, and I I took the one less traveled by, And that has made all the difference.” (excerpt from “The Road Not Taken” by Robert Frost) DHS and MITRE had a big announcement yesterday. MITRE has developed a new system for scoring weaknesses in applications, as well as for combining that score with “business value context” to produce a risk estimate. Overall, the work is interesting, though perhaps more from an academic perspective than anything else. What I find interesting is that we’re going back down this road again (“trust” evaluation), which seems like it will inevitably lead to another game-able system.

It was recently announced that Electronic Health Records (EHR) are in use in all military hospitals. Granted the article is mostly marketing screed for one company, but it still represents a big step. Outside of the Department of Defense (DoD), this probably doesn’t seem like a very big deal. Inside the DoD, it’s HUGE. This is the culmination of years of work and millions, possibly billions, of dollars spent. It’s an important step in improving the health care for Wounded Warriors. It also sets the stage for wider adoption of EHR in the private sector. But there are reasons to be concerned about this, of course. There are few, if any, pieces of information more intrinsically private and personal than[…]

As you’ve doubtless heard, Sony’s PlayStation Network has been down for several days now. The exact cause of this outage, being apparently affected by hackers of some stripe, is doubtless worth investigating. However, since those details haven’t been fully divulged yet, it’s best to wait on that front. But this brings to light an increasing problem: the erosion of standalone functionality. PSN customers have not been able to access online content since April 20th. This is, of course, to be expected – if you shut off the network, the network is not available. Unfortunately, this extends to content which isn’t actually hosted on Sony’s network, since PlayStations use the PSN to connect to outside servers. Still, though, not surprising. Vexingly,[…]

While the software industry continues to make strides in the area of security and data protection, the hardware industry shouldn’t be underestimated. With the announcement of storage devices like Toshiba’s MK-61GSYG hard disk drives, it may only be a matter of time before we see even more creative security features for hardware (due, in part, to industry-wide adoption of standards). Toshiba’s harddrive comes with some interesting security tricks, including the ability to configure the disk to erase itself when connected to an unauthorized host, and the ability for the drive to self-encrypt without relying on the host computer’s operating system for cryptographic operations. Most of the features are drawn from the standards found in the Opal Security Subsystem Class (SSC)[…]