February 29th, 2008
Patrick Dempsey (former FBI agent) recently wrote on his blog that one of the ways to make the Internet safer for users might be to create a second Internet.
The solution might be to establish two Internets — the current Internet and a new, more secure Internet where users would be required to register prior to gaining access.
Technical and practical considerations aside, it’s an idea that wouldn’t enhance security for anyone. A second Internet might in fact make things even worse.
- What Do We Mean By Security? – We often hear politicians, people on the news, and the military saying we’re going to make something “secure”...crime online is too general for a single solution.
- The Solutions Are The Same – Dempsey proposes that people would have to authenticate to Internet #2 with a username/password. Even if people were required to use a hardware token it wouldn’t matter – we already have these technologies and cyber crimes still happen. Moving existing technologies to a new Internet would solve nothing.
- I’m In, Now What? – Is every transaction encrypted? Are there cyber police checking every transaction? None of it matters; all of your online accounts are still stored in a database (Amazon, Citibank, etc.) somewhere. Any attacker who can get access to those databases’ contents makes Internet 2 useless.
- Give People A Choice And They Could Care Less – Even if all people had to do was snap their fingers each time they got online to make everything “secure”, hardly anyone would do it. Internet 1 vs. Internet 2 is the same thing as clicking “Ok” or “Cancel”.
- Nobody Will Agree How To Secure Or Regulate It – Imagine how many people, companies, nations, and jurisdictions would be involved.
In terms of security, the Internet is flexible and not just a series of connected nodes. There are various applications, databases, and users who get online in a million different ways. A second Internet is not only infeasible, but “sec-useless”.
Finally, what if your magic all-access Internet 2 credentials get stolen?
Posted in rants by Anil Polat | No Comments »
February 28th, 2008
ISO 17090:2008 Parts 1-3 were released on February 14. But is this a new standard or just a rehash of existing standards? ISO 17090 is not new (previously released in 2002), but there’s no clear indication on how it has changed.
ISO 17090 sets out PKI standards and interoperability requirements for the healthcare industry – including certificate profiles, CPs, etc. I’d love to be able to read those standards (they’re about $125 each) to see how they compare to already existing standards such as SAFE and the Federal Bridge PKI. SAFE’s bridge is explicitly for the healthcare industry, but complies with the Federal Bridge certificate policies, which span multiple industries.
Has the new updated version taken these existing standards into account? Does the ISO standard include encryption certificates? Neither SAFE nor the Federal Bridge focuses on encryption (it’s allowed in certificate profiles, but not for identity).
Either way, published standards for PKI interoperability (and not just technical standards) are good for the industry because they allow more PKIs to interoperate and “trust” each other. This gets more certificates into the hands of healthcare professionals and providers and allows them to protect electronic health records – whether that’s a doctor sending a signed e-mail to a pharmacist containing a scrip for a patient, or pharmaceutical companies submitting electronic information to the FDA for approval.
No offense to the post office, but bits on a wire move a heck of a lot faster than they do.
Posted in standards by Laura Raderman | No Comments »
February 27th, 2008
One of the irritating problems I have to deal with as a developer is the fact that I don’t really get to make any decisions. Sure I can make design decisions regarding the implementation of code modules, but when it comes to post-deployment issues, especially regarding security, all I can do is make some suggestions to managers and hope for the best. For example, in the extremely unlikely event that I find a security hole in one of my impeccably designed modules, I can write up a summary of the bug, mitigating factors, risks, and level of effort it would take to fix it. But, it’s not really up to me whether it winds up getting fixed or not.
A large factor in this is that the people who make decisions about patching security vulnerabilities, at least in custom applications, have very little at stake if a breach occurs. If a mechanic puts bad lug nuts on a tire and then the tire falls off, clearly it’s the mechanic’s fault. If management decides that a security hole would cost too much to be patched and a breach occurs, it’s never management’s fault: it’s the intruder’s fault, or the developer’s fault, or it was just a calculated risk that turned out poorly. Also, managers are just as human as developers; decisions about application maintenance can also be affected by fear of changing a “functioning” application, laziness, or just being too busy with other things to fix something that isn’t broken.
Wouldn’t it be great if there were some accountability to everyone involved in the maintenance of an application in the case of a security breach? Unfortunately, because the outcome of an intrusion usually doesn’t directly affect the people who could have prevented it, there’s not much incentive for vigilance or threat of punishment for inattention. There are far too many ways to pass blame around, and not nearly enough ways to encourage people to consider security as essential as functionality.
Posted in rants by Walt Turnes | 1 Comment »
February 26th, 2008
CDC has announced a software tool allowing people to leverage Google’s massive store of information to identify possible flaws in websites. The software, termed “Goolag Scanner,” is open source and available for free. It might be an interesting addition to the toolkits of security researchers.
According to the article:
The tool lets people with fundamental programming skills check websites or Internet domains for weaknesses that could be exploited by hackers…
The group said it uncovered “some pretty scary holes” through random tests of the tool in North America, Europe, and the Middle East.
Worth checking out: the source and specifications are available on the Goolag Scanner homepage.
Posted in cool by Nick Staples | No Comments »
February 22nd, 2008
I saw this a while back, and found it quite interesting.
Having just recently joined the world of “smart phone users”, I recognize that their numbers seem to grow more and more each day, especially as carriers begin to focus more on smart phones. These types of attacks may begin to become more common, and the risk of revealing personal information like account numbers, addresses, contact information, or even private documents (if using Mobile Office) increases as well.
So what is one to do? It’s a smart idea to set definitive rules for your phone usage, and cut back on what needs to be done via mobile device versus what can and should be left to the computer (in a secure environment). Online banking is one of those tasks: if you find yourself in a situation where you must log in to access bank information on the go, do yourself a big favor and simply call instead.
source: link
Posted in data protection by Tim Donaworth | No Comments »
February 21st, 2008
Organized crime is setting up botnets under their control to attack websites, then offering protection from ‘malicious hackers’.
The RBNExploit blog — which is authored by one or more anonymous researchers — spelled out the racket run by the group, which is thought to be headquartered in St. Petersburg, Russia, and has been pegged by security professionals as a major source of malware and cybercriminal activity.
The price for protection is $2,000 per month. This is the same thing that happens on the streets and is very difficult to protect against. The average website owner should brush up on security best practices, and the big companies had better ask the experts.
Posted in general by Anil Polat | No Comments »
February 21st, 2008
According to a DHS Analyst, foreign hackers are after your health care records.
Mark Walker, who works in DHS’ Critical Infrastructure Protection Division, told a workshop audience at the National Institute of Standards and Technology that the hackers’ primary motive seems to be espionage.
“They’ve been focused on the [Department of Defense] – the military – but now are spreading out into the health care private sector,” Walker said.
Bruce Schneier thinks it has to be a joke.
I’m not so sure. The expenses related to clearing a company’s good name, after privacy breaches and violations of HIPAA have degraded public trust, would be huge. It could be true economic warfare, 21st century style. All the more reason to create and follow strong security policies, perform risk analysis and mitigation, and put technologies in place such as identity management and strong encryption.
Or, you can instead believe it’s just a joke.
Posted in data theft by Peter Hesse | 2 Comments »
February 21st, 2008
Recent trouble at the Sky News message board shows that a little common sense goes a long way in security development.
It seems Sky’s system had a simple defense mechanism against spam or DOS attacks: if it received a handful of invalid login attempts on an account within a short space of time, it suspended the account. That was fine until someone discovered this and started using it to disable the accounts of active posters on the board. After someone posted how to do it on the board, others seem to have joined in the ‘fun’, and the social fabric of the board collapsed.
Sky News failed to inform their users as to why their accounts were suspended, and users began to wonder about the security of their account information. When a statement was finally released, Sky attempted to wash their hands of the mess.
But let’s be clear: it’s the troublemakers who are actually responsible for messing things up.
Sure, if there were no “troublemakers,” there would be no need for passwords, but there is a sort of Murphy’s Law of security. If you allow something to be misused, someone will misuse it.
Posted in users by Mike Markiewicz | No Comments »
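To make the Murphy’s Law point concrete, here is an added example (my code, not Sky’s system) that models the account-suspension policy the Sky News post describes beside a per-source throttling alternative; the threshold, window and addresses are constructed, and the hardened policy is my suggestion rather than anything the post reports.

```python
from collections import defaultdict, deque

WINDOW = 60.0   # seconds in which failed attempts are counted (constructed value)
THRESHOLD = 5   # "a handful" of invalid attempts (constructed value)

def _prune(q, now):  # forget failures older than the window
    while q and now - q[0] > WINDOW:
        q.popleft()

class LockoutByAccount:
    """The policy the post describes: a handful of bad passwords against an
    account, sent from anywhere, suspends that account for everyone."""
    def __init__(self):
        self.failures = defaultdict(deque)
        self.suspended = set()
    def attempt(self, account, source, password_ok, now):
        if account in self.suspended:
            return "suspended"
        if password_ok:
            return "ok"
        q = self.failures[account]
        q.append(now)
        _prune(q, now)
        if len(q) >= THRESHOLD:
            self.suspended.add(account)  # any stranger can trigger this for any account
        return "denied"

class ThrottleBySource:
    """Hardened alternative (my suggestion, not from the post): failures are
    counted per (source, account) pair and only slow that source down, so
    unauthenticated traffic from a stranger never switches the account off."""
    def __init__(self):
        self.failures = defaultdict(deque)
    def attempt(self, account, source, password_ok, now):
        q = self.failures[(source, account)]
        _prune(q, now)
        if len(q) >= THRESHOLD:
            return "throttled"  # this source waits out the window or solves a challenge
        if password_ok:
            q.clear()
            return "ok"
        q.append(now)
        return "denied"

def simulate(policy):
    """Constructed scenario: five bad guesses for 'alice' from one address (RFC 5737
    documentation IPs), then alice herself from home with the right password."""
    for i in range(THRESHOLD):
        policy.attempt("alice", "203.0.113.9", False, now=float(i))
    return policy.attempt("alice", "198.51.100.7", True, now=10.0)
```

Per-source throttling on its own does not stop password guessing spread across many addresses; it only removes the self-inflicted denial of service, so it belongs alongside a challenge or owner notification rather than replacing them.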
February 19th, 2008
Heise Security has a good story called Enclosed, but not encrypted which is essentially about false advertising. They were testing a hard drive which advertises that it provides AES encryption of the drive, decrypting when your RFID tag gets close enough to be read. Unfortunately, things were not as they seemed.
the almost identical columns of numbers suggest that the 512-byte sectors of your drive are not in fact encrypted with AES, but merely with a constant 512-byte cipher block applied as an XOR (exclusive OR) ... an XOR with an unchanging cipher block does represent a major cryptographic flaw – in fact, the open kind of flaw that, used in this way, is susceptible to what are known as “known plain-text attacks”.
Rather than performing 128-bit AES encryption of the whole drive, the device just AES-encrypted the RFID tag value in memory and XORed a constant 512-byte block across the whole drive.
This underscores the need for a policy that either requires FIPS 140 certification of all cryptographic devices or enlists the help of a security expert to dig deeper.
Posted in data protection by Peter Hesse | No Comments »
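To show what Heise’s column comparison is actually detecting, here is an added illustration (my code, written for this post, not the vendor’s firmware or Heise’s test setup) that models the constant-XOR scheme beside a position-dependent keystream, with the zero-sector check a buyer can run and the known-plaintext recovery the article warns about. The SHA-256 keystream is an assumed stand-in for proper per-sector AES.

```python
import hashlib

SECTOR = 512  # sector size the Heise test worked with

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def constant_pad_drive(sectors, pad):
    """Model of the flaw Heise found: one fixed 512-byte block XORed onto every
    sector, wherever it lives on the disk.  Constructed model, not the vendor's firmware."""
    return [xor_bytes(s, pad) for s in sectors]

def per_sector_keystream_drive(sectors, key):
    """Stand-in for genuine full-disk encryption: the keystream depends on the sector
    number, so identical plaintext sectors never give identical ciphertext.  SHA-256 is
    an assumption made for this example; a real drive would use an AES mode keyed per sector."""
    out = []
    for n, s in enumerate(sectors):
        blocks = [hashlib.sha256(key + n.to_bytes(8, "big") + i.to_bytes(2, "big")).digest()
                  for i in range(SECTOR // 32)]
        out.append(xor_bytes(s, b"".join(blocks)))
    return out

def zero_sector_probe(encrypt):
    """Buyer's check that reproduces Heise's 'almost identical columns' observation:
    write all-zero sectors at two positions and compare what lands on the platter.
    Identical ciphertext means the keystream ignores the sector position."""
    plain = [bytes(SECTOR), bytes(SECTOR)]
    ct = encrypt(plain)
    return ct[0] == ct[1]

def known_plaintext_recovery(ciphertext_sectors, known_index, known_plain):
    """Why the flaw matters: one sector of known plaintext (an unused, zero-filled
    sector will do) gives the pad as ct XOR pt, and that pad undoes every other sector."""
    pad = xor_bytes(ciphertext_sectors[known_index], known_plain)
    return [xor_bytes(c, pad) for c in ciphertext_sectors]
```

The probe needs only two zero-filled sectors written to different positions and read back raw, so it is a cheap acceptance test for any product claiming full-disk encryption.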