Enabling Secure Business Operations

SSL and Intermediate CA Certificates

May 25th, 2006

Here’s an example of why security adoption can be so slow and fraught with difficulty.


My brother, an IIS and Exchange administrator for a large corporation, ran into an interesting problem. He was moving their Outlook Web Access installation from a single web server to a load-balanced cluster of three servers. He changed the DNS entry to point to the new cluster, and began to see unexplained errors in client web browsers. Internet Explorer (on some machines) was complaining of an expired certificate, but the whole certificate path displayed by IE was current and valid. Firefox was complaining with a “Website Certified by an Unknown Authority” error. All very confusing.


The problem was solved with some clever googling. Because the server certificate had been exported from the old server and imported on the new ones, the new intermediate CA certificate never came along with it. (The intermediate certificate installed with Windows Server 2003 expired in 2004.) That expired certificate was being passed to the browsers as described in this posting, and clients were failing to build the path sent by IIS (unless they already had the valid intermediate certificate in their own cache). A description of how to solve this problem is provided by Verisign, but it is a little daunting.
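As an added illustration (not code from this post, from Microsoft or from VeriSign), the Go program below rebuilds the situation in miniature with a constructed PKI: one intermediate CA key certified twice (a copy that expired in 2004 and its renewal), a server certificate signed with that key, and a check of whether a browser can build a path given only what the server sent versus what it already has cached. The names, dates, the use of Ed25519 keys and the renewed intermediate reusing the old key are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a cert for cn, valid 1 Jan `from` to 1 Jan `to`, signed by signer (nil: self-signed root).
func issue(cn string, from, to int, isCA bool, signer *x509.Certificate, key, signerKey ed25519.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{Subject: pkix.Name{CommonName: cn}, SerialNumber: big.NewInt(time.Now().UnixNano()),
		NotBefore: time.Date(from, 1, 1, 0, 0, 0, 0, time.UTC), NotAfter: time.Date(to, 1, 1, 0, 0, 0, 0, time.UTC),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	if !isCA { // only the server certificate needs a SAN, the serverAuth EKU and a signing-only key usage
		t.DNSNames, t.ExtKeyUsage, t.KeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, x509.KeyUsageDigitalSignature
	}
	if signer == nil {
		signer, signerKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, signer, key.Public(), signerKey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// BuildChain is the constructed PKI: one intermediate CA key certified twice (expired 2004 copy and renewal), plus the OWA leaf.
func BuildChain() (root, oldInter, newInter, leaf *x509.Certificate) {
	gen := func() ed25519.PrivateKey { _, k, _ := ed25519.GenerateKey(rand.Reader); return k }
	rootKey, interKey, leafKey := gen(), gen(), gen()
	root = issue("Constructed Root CA", 1996, 2040, true, nil, rootKey, nil)
	oldInter = issue("Constructed Intermediate CA", 1997, 2004, true, root, interKey, rootKey)
	newInter = issue("Constructed Intermediate CA", 2004, 2040, true, root, interKey, rootKey)
	return root, oldInter, newInter, issue("owa.example.com", 2006, 2040, false, newInter, leafKey, interKey)
}

// PathBuilds reports whether a browser holding `have` (what IIS sent plus its own cache) can build a valid path to the root.
func PathBuilds(leaf, root *x509.Certificate, have ...*x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range have {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: "owa.example.com", Roots: roots, Intermediates: inters})
	return err == nil
}
```

A server that sends only the expired copy fails for every client that does not already hold the renewed intermediate, which is exactly why some machines worked and others did not.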


What’s broken here? Should IIS be sending expired certificates as part of its chain? Should IIS alert the administrator that some of the certificates it uses are expired? Should Microsoft Update push the newest intermediate certificates to clients as part of regular patch management? Should clients be able to give you information on exactly which certificate had the problem? Obviously this is just one example of why security adoption can be so difficult.

Who’s Googling You?

May 22nd, 2006

There seems to be nothing that we can’t Google. It is probably one of the greatest and most useful tools that anyone online has for finding information, and Google has really transformed the digital landscape.


Google’s search engine is good. Really good. And it might be better than most companies think, as this interesting article points out…



Google Hacking (loosely defined)

What it is: Using search engines to find intellectual property. It’s Google intel: The researcher uses targeted Web searches to find bits and pieces of information that, when put together, form a picture of an organization’s strategy. Unlike, say, launching a SQL injection attack, doing competitive intelligence using public sources is quite legal.

For instance, the top hit on a search for “GENERAL MOTORS” “NOT FOR DISTRIBUTION” was a PDF from a credit-rating company with poorly redacted information that could be easily viewed by pasting the text into another document. (Oops!)



The most important quote from the article, and the one everyone should be aware of, is this: “If it’s on Google, it’s all legal.”


Here’s a link to the full article.

Microsoft Word Zero-Day Exploit

May 19th, 2006

You may want to hold back that itchy double-click finger when it comes to opening Word attachments in emails, at least until Microsoft gets a new patch out.



A zero-day flaw in the ubiquitous Microsoft Word software program is being used in an active exploit by sophisticated hackers in China and Taiwan, according to warnings from anti-virus researchers.
...

The exploit arrives as an ordinary Microsoft Word document attachment to an e-mail. However, when the document is launched by the user the vulnerability is triggered to drop a backdoor with rootkit features to mask itself from anti-virus scanners.



Full article from eWeek via /.

Changing credit card security rules

May 16th, 2006

According to news.com.com, an update to the Payment Card Industry (PCI) standard will be out this summer.



The proposed update includes a requirement to, by mid-2008, scan payment software for vulnerabilities
...

Today, the requirement is to make all information unreadable wherever it is stored…But this encryption requirement is causing so much trouble for merchants that credit card companies are having trouble dealing with requests for alternative measures.
...

In response, changes to PCI will let companies replace encryption with other types of security technology, such as additional firewalls and access controls.



OK, so how many system break-ins, thefts of customer data, and exposures of personally identifying information must there be before the industry can get serious about data protection measures? Who could possibly think this was a good idea?

Google Notebook

May 16th, 2006

Being a student at an online university (UMUC), Google Notebook sounded great to me – I could save snippets of research on one subject all in one location. There was one catch – could I save/note the library database pages that I have access to through the university – things like ACM, IEEE, ABI/INFORM, etc.? Notebook wouldn’t be very useful to me if I couldn’t access these important sources.


So, I just tested it out. You have to use Firefox or IE, which is OK, as I have to use FF to access the pages anyway, but you can view your Notebook in any browser by going to http://www.google.com/notebook/fullpage and logging in. I browsed to this month’s issue of Communications of the ACM, copied a chunk of text from an article, and “Noted” it. I closed out Firefox to have it drop my library session, then opened my notebook – the text is there. I also tried it in Safari, where there has never been a session to the library proxy, and I could read it there as well.


Notebook also allows you to make your notebooks public – I’m not making mine public, but it presents an interesting question: Whose responsibility is it to protect the copyrighted material? Google’s or mine?

Funny Story

May 15th, 2006

Forwarded to me in an email, and worth sharing. Full story is on ComputerWorld’s Shark Tank but here’s a synopsis:



Setting up 150 user accounts seemed like a simple enough job to keep a non-technical intern busy. Intern is instructed to create passwords that consist of a word from the dictionary, followed by two or three digits.

Rather than creating passwords like ‘book345’ or ‘house57,’ he instead found a list of the 200 most commonly misspelled words to generate the passwords… As expected, we fielded numerous support calls from users trying to enter passwords such as ‘accommodate85’ and ‘asphyxiate33.’


A Great Revenue Builder

May 15th, 2006

This is what one of the Microsoft salespeople at the AMD – Microsoft Server Build Event told the people in attendance—mostly system builders and value-added resellers—about the Microsoft Security Solutions competency. I’m paraphrasing here because I didn’t have a pen and paper handy…



Folks are real concerned with security these days, and with training in Internet Security and Acceleration Server 2004, you can build additional services revenue by creating firewalling rules for your customers. The Microsoft Security Solutions competency can be a great revenue builder.



This is why information security—and Microsoft—gets a bad name: it gives people whose job is putting together computer components the idea that they should be making money off security. Meanwhile, those of us who focus 100% of our effort on security can’t help, because their system builder “took care of” the security. Yikes.

The Power of Admins

May 10th, 2006

Imagine you’ve got a bank, and your job is to secure that bank.


Secure from whom? Well, bad guys for one. Then there are the people who work at the bank – can’t have them stealing other people’s money either. There are Bob, Ted, Tina, and Jenny who work at the bank – and, oh yes, God. God works at your bank. Let’s call God “Administrator” at our bank. Now you can see a problem information security folks face all the time.


As is often the case, there are many administrators in a given system. Sometimes work can’t be done if an employee is not an admin. Ever had to store information in a database that the DBA is not supposed to read or have access to?


I’ve heard many opinions and perspectives – and this is really a broad question to a problem that often requires a specific answer. It’s a very common issue, but the question remains, how much do you trust administrators?

Failure of Information Security

May 10th, 2006

Linked on /. this morning is an editorial entitled Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security. It is an interesting read and is meant to serve as a wakeup call to the industry. I’d love to see people’s comments on this article. Below are some of mine.



Too many of our security layers of defense are broken. Security professionals are enjoying a surge in business and growing salaries and that is why we tolerate the dismal situation we are facing. Yet it is our mandate, first and foremost, to protect.



Not every information security business is based around protection or defense. Many of us focus on long-term strategy and planning, best practices, and policies in addition to technological solutions.



One only has to open a newspaper and view current headlines documenting the almost constant loss of personal and financial data due to carelessness and hacking. It isn’t just careless individuals that are leaking confidential information – it is large, multinational corporations with smart, capable I.T. departments with dedicated security professionals and huge security budgets.



If all the advice given by those dedicated information security professionals was heeded, would we really be where we are today? For every information leak and hack attack you show me, I can probably show you a situation where the recommendations were not followed because of:


  • cost

  • interference with long-standing practices

  • ease of use


It is easy to put the blame on the information security professionals, but not when they are offering solutions that are not implemented.



Through increased awareness can there be new dialogs and discussions on solutions. Because what is clearly missing is more dialog to come up with solutions to today’s security challenges.



Is more dialog really needed? Is all we need to do to solve this problem get together and talk about it? Not on your life! It is time for action; time to stop talking about solutions and start implementing them. When solutions such as web content filters, intelligent managed PKI, encryption of disks and databases, virtual private networks with strong authentication, and patch management systems are installed everywhere, I suspect we will find the situation to be less dire than the author of this article supposes.

Congress I Need Your Help

May 9th, 2006

You see, I and almost every other American have put a lot of trust in many companies. Some company or another has our credit card numbers, social security numbers, health records, etc. We’ve all seen those late-night news magazines showing how devastating ID theft can be.


What’s worse is that most of these companies (outside of California and 22 other states) are not required to notify anyone if there is a data breach.


Congress is currently attempting to pass a bill (at the moment there are 10 proposed bills) that would make notification a federal law. One of the things being debated is:


What is the threshold for notification and who decides that?
(Some of the bills actually let the companies decide!!)


Congress needs to take a cue from California and New York, both of which have competent notification laws (that don’t let the companies decide what a data breach is, for one), and get something passed this year. Those of us in the security field can work to provide encryption and all sorts of other neat things to protect data, but as long as companies are allowed to sell our personal information and not disclose when it is stolen, a major problem exists for everyone. It’s kind of like getting an alarm system for your house and then giving the key to someone who can make copies and sell them to anyone, and who doesn’t have to tell you if one of the house keys is stolen or missing.


How secure is your house really then?