Enabling Secure Business Operations

Obama Pledges (more) Internet Monitoring

January 23rd, 2009

Ok, so the actual article headline is “Obama pledges better cybersecurity, top advisor”. The article goes on to detail the plan as such:

In the homeland security document, published on Thursday, the administration pledged to create a top cybersecurity position, harden the nation’s infrastructure, fund research and development of secure computing technologies, and work with the private sector to set standards for cybersecurity. The document also promised that the administration will work with industry to develop better defenses against cyber espionage, shut down the mechanisms through which online criminals profit from their crimes, and mandate better privacy and breach disclosures. (Emphasis Added)

I’m not opposed to the government taking a more active role in securing the communications infrastructure, and I’m especially not opposed to mandating better breach disclosure. However, the part about “developing better defenses against cyber espionage” has me concerned, as this would seem to indicate an increased level of monitoring the internet. Regardless of what comes of this effort, I hope that the administration at least takes an open approach to letting us all know what exact steps are being taken as opposed to vague platitudes about keeping everyone safe. That statement bears striking resemblance to the justifications for the PATRIOT act, and we all know how well that turned out.

Baseline Security Analyzer

January 22nd, 2009

Although people are starting to become more willing to keep their computers secure with frequent security updates, it’s easy to forget about all the other vulnerabilities a computer may have. Fortunately, some programs help keep things in check. Microsoft’s Baseline Security Analyzer (MBSA) is a free program that goes through a user’s computer making a note of all the potential security misconfigurations it finds (checking Windows settings, registry keys, installed Microsoft products, etc.). MBSA checks everything from IE web content “zones” to the permissions of user accounts allowed to use the CmdExec role in SQL Server. It even checks the strength of passwords and the status of software security updates.

Looks like I'm missing a few security updates myself...

Although it was designed for scanning multiple computers on a network, it does just fine scanning a single machine. Even if not used by security professionals, MBSA is still quite a useful tool for the average Windows user to have.

Each Thursday, Security Musings features a security-related technology or tool. Featured items do not imply a recommendation by Gemini Security Solutions. For more information about how Gemini Security Solutions can help you solve your security issues, contact us!

Windows 7 – [New?] Security Features

January 16th, 2009

I’ve been playing with Windows 7 Beta since its official release. As most have expected, it really is much like the current Vista. But I’ve noticed enough tweaks to be inspired. It can really be looked at as like the jump from Win98 to Win98 2nd Ed. It definitely improves over Vista, and so far, every way is better (at least to me). There are quite a few GUI and UI changes, but I’m not going to get into those. What I’ve focused on so far is tracking down any and all security related items that seemed to irk me in Vista.

One of the first things I checked out was UAC. They changed it slightly but mostly just to ease the pains of some people’s annoyances with it (I was one of them). The underlying intentions are still there. They even go so far as to claim that even if you disable all notifications, it is still working in the background. So for this, I can see many support calls on why something didn’t happen when a user tried something (because you were never notified of the pending actions needed). My actual experience with the UAC is pretty much still unchanged, I went with the setting just below default, and still got numerous prompts and displays when trying to install something.

User Account Control (UAC)

Another area I wanted to explore was the default settings on the firewall. One thing I always assumed should be on by default is blocking outbound connections. This was a feature added in Vista, but it was not enabled by default. I’m guessing 75% of people never even knew it was a feature. I was hoping MS would get their act together and enable this by default. But I guess, as with UAC, this would have caused too many nagging issues for the user. One more thing I’ve read about but haven’t had a chance to look into more deeply is that MS has opened the doors to the built-in firewall and is going to allow 3rd-party vendors to integrate with it. But with this also comes the ability to enable/disable parts of the firewall as needed. I’m not entirely sure how I feel about this. The first thing that comes to my paranoid mind is malicious software exploiting this to simply turn off your firewall, or open a port for its own use. I’m not exactly sure how this “feature” is going to work, but I think this will be my next deep dive.

Gone are the ways of the “Security Center” – in its place we get the “Action Center.” I really wasn’t impressed by what it had to offer. It is an improvement, but basically it just combines a handful of otherwise tedious-to-manage items into a single one-stop shop for management (items included: Security Center; Problem Reports and Solutions; Windows Defender; Windows Update; Diagnostics; Network Access Protection; Backup and Restore; Recovery; and User Account Control).

Action Center

Another area that was extended is BitLocker Drive Encryption, which now supports external media. I’m still a fan of TrueCrypt, but I like that MS is trying.

BitLocker Management

So, overall, I think MS is definitely going in the right direction. This is still beta software, so I’m sure some things will change before final release. Who knows? Maybe we’ll even find some of these enhancements in a Vista SP2.

Mac OS X (Leopard) Firewall

January 15th, 2009

OS X (both Leopard and Tiger) comes with a built-in firewall that’s disabled by default. The Leopard firewall is a little bit different from Tiger’s, so I’m focusing on that. The underlying firewall is ipfw – the same as on FreeBSD – so if you know what you’re doing, you can edit it to your heart’s content. More details on controlling the firewall from the command line are available in this O’Reilly article. This article is going to talk about dealing with the firewall through the available GUI.

First, you have to access the firewall: System Preferences -> Security, then the Firewall tab. By default, it’ll be set to “Allow all incoming connections”. If you’re not quite sure what you’re doing, “Only allow essential services” is a good option, and OS X will control it via your “Sharing” system preference. For example, if you turn on Remote Login, OS X will add SSH (port 22) as an allowed incoming port.

The other option is “Set access for specific services and applications”, which gives you finer control over incoming connections. For example, I can allow Adium and Skype to accept incoming connections (so that people can send me messages or call me), but deny incoming connections to Microsoft Word (why does Word need incoming connections again???). While you’re using the system, if an application asks to accept connections, you will be asked whether you want to allow or deny it. Your choices are recorded in this system preference in case you want to change them later.

One thing OS X’s firewall supports, but only through the command line and not the GUI, is outbound filtering. If you aren’t familiar with ipfw and want outbound filtering, I highly recommend Little Snitch. It’s not free, but it’s $30 and worth it to not have to hassle with ipfw rules :)
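As an added example, not from the original post, here is what the command-line outbound filtering mentioned above looks like as an ipfw ruleset: a short allow list of services this host may initiate (DNS, HTTP, HTTPS, SSH), stateful handling of the replies, and a logged default deny for everything else leaving the machine. The rule numbers, the service list and the `DRY_RUN` switch are my own choices, and the script must be run as root to actually load the rules; ipfw syntax is as documented for FreeBSD and Leopard.

```shell
#!/bin/sh
# Added example (not from the original post): an ipfw ruleset that allows
# a few outbound services and denies everything else this host initiates.
# Rule numbers, the service list and DRY_RUN are assumptions of this example.
# Run with DRY_RUN=1 to print the rules instead of loading them.

# Services this host may initiate; everything else outbound is denied.
# Each line is "proto port" (constructed list, edit to taste).
ALLOWED_OUT="udp 53
tcp 80
tcp 443
tcp 22"

# Emit the ipfw commands in evaluation order. Each line is a complete
# `ipfw add` invocation; lower rule numbers are checked first.
ipfw_outbound_rules() {
    # Loopback must stay open or local services break.
    echo "ipfw add 100 allow ip from any to any via lo0"
    # Let packets belonging to connections we already allowed through
    # (dynamic rules created by keep-state below).
    echo "ipfw add 200 check-state"
    n=300
    echo "$ALLOWED_OUT" | while read -r proto port; do
        [ -z "$proto" ] && continue
        if [ "$proto" = "tcp" ]; then
            # `setup` matches only the initial SYN; keep-state tracks the rest.
            echo "ipfw add $n allow tcp from me to any dst-port $port out setup keep-state"
        else
            echo "ipfw add $n allow $proto from me to any dst-port $port out keep-state"
        fi
        n=$((n + 100))
    done
    # Default deny for anything else this host initiates. `log` records the
    # blocked attempts so unexpected outbound traffic can be reviewed later.
    echo "ipfw add 65000 deny log ip from me to any out"
}

# Load the rules (needs root); with DRY_RUN=1 just print them.
apply_outbound_rules() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        ipfw_outbound_rules
        return 0
    fi
    # Intentional word splitting: each emitted line is one ipfw command.
    ipfw_outbound_rules | while read -r cmd; do
        sudo $cmd
    done
}
```

Always review the output with `DRY_RUN=1` first: the final rule denies every outbound packet not matched earlier, so a service missing from the allow list (DNS is the classic one) simply stops working, and the `log` keyword is what lets you see that happening.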

New IRS e-file Security and Privacy Standards

January 9th, 2009

According to the IRS:

The IRS has developed six new security and privacy standards to better protect taxpayer information collected, processed, and stored by Authorized IRS e-file Providers participating in Online Filing of individual income tax returns.

These new standards are based on industry best practices and are intended to supplement the Gramm-Leach-Bliley Act and the implementing rules and regulations promulgated by the Federal Trade Commission.

So, what does this mean for the average online tax-filer? It means that the company you e-file through (TurboTax, efile, TaxACT, etc.) will have to adhere to stricter policies and standards regarding the handling of customer information.

Most of these policies seem to be standard precautions from a security perspective. However, I can certainly understand how a provider may be unfamiliar with the risk involved in handling such sensitive information. The six standards are mostly focused on tightening the security around the provider’s web presence: they call for strong EV SSL certificates (SSL 3, 1024-bit RSA), weekly third-party vulnerability scans, a written privacy policy, CAPTCHA-like capability, an ICANN domain name from a registrar located in the USA, and the prompt reporting of security incidents.

These are all good policies and are definitely a step in the right direction. The only issue I see is that these “standards” are currently optional. Although the IRS suggests that providers follow them, they aren’t required yet. In a way, this defeats the purpose of having them in the first place.

PKI Part III: Standards and Algorithms

January 8th, 2009

In the first two parts of this series, I explained public-key cryptography and the role of trusted third parties in a PKI. In this post, I will briefly discuss some standards that have been developed and are used to implement the various pieces of a public key infrastructure.