Enabling Secure Business Operations

Evolving Changes, Challenges for FISMA

June 4th, 2010

A couple of weeks ago, NASA announced it was all but done with certification and accreditation (C&A), calling it “cumbersome and expensive.” Many were intrigued by such a statement – not because it was wrong, but because it represented a potentially interesting shift in the status quo, done in a somewhat rebellious manner. NASA instead favors a “risk-based approach” that relies more heavily on continuous monitoring. NASA also cited significant cost savings from cutting back C&A activities.

Seemingly in direct response to this outburst, NIST has now released an update to their continuous monitoring FAQ, specifically pointing out that C&A activities are a necessary component of risk-based management of systems, and highlighting that continuous monitoring alone is insufficient.

One of the true oddities of the NASA statement is that continuous monitoring is only one component of the overall NIST Risk Management Framework (RMF). It’s unclear how they concluded that they could just pick one box out of the overall process and claim it covers everything – especially considering their claim to be seeking a risk-based approach.

Of course, in the end it may not matter at all. The House passed FISMA reform this past week in its national security spending bill (also see this Information Week article; didn’t we used to call it “Defense appropriations”? anyway…). The bill also calls for the establishment of a “National Office of Cyberspace” with greater authority than Howard Schmidt currently has in his White House cabinet position. Similarly, the Senate is also pushing through reform, including yet another hare-brained attempt to give the federal government broad, sweeping powers over private critical infrastructure in “emergency” situations. This time around, the bill seeks to grant DHS such powers, whereas previous attempts focused on authorizing the President directly. We’ll see what becomes of this, but suffice it to say that the move has not gone unnoticed in the security community.


CAPICOM is dead! Long live…um…not being able to sign in the browser!

June 3rd, 2010

For a while now, CAPICOM has been declared deprecated by Microsoft, as it is only implemented in 32-bit, with no plans to roll out a 64-bit version. Microsoft’s official recommendation for replacing CAPICOM is to “use the .NET Framework to implement security features”. This is a fine solution for desktop applications, server-side code, web services, and a whole host of other applications. However, there doesn’t seem to be any equivalent support for the functionality the CAPICOM ActiveX control enables within a browser.

The client platform Microsoft wants you to use to run client code in the browser is Silverlight, a browser add-on similar to Flash or ActiveX. Silverlight uses many of the .NET APIs; however, its support for the System.Security.Cryptography.X509Certificates namespace does not include the X509Store class (i.e., how you would enumerate the user’s digital certificates). Nor is there any support for the System.Security.Cryptography.Pkcs namespace, which would allow PKCS7 signatures and encryption to be performed within the browser. Both of these functions are available in the full .NET libraries, just not within Silverlight.

ActiveX as a technology is still alive and kicking, so it seems like the only way around this deprecation (and the corresponding corporate aversion to using CAPICOM) is to roll your own ActiveX control that replicates the functionality you need, using CryptoAPI calls. While not particularly difficult to do, home-grown code is far more likely to introduce bugs and security holes into your application than something as tried and tested as CAPICOM.

Now, there’s a possibility that I’ve missed something here, and there is still a way to enumerate certificate stores and perform signatures within the browser while not using CAPICOM. If so, please tell me what it is.
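To make concrete what the post says the full .NET Framework offers and Silverlight does not, here is an added example (not code from the original post) that enumerates the current user’s personal certificate store with X509Store and produces and verifies a detached PKCS#7/CMS signature with SignedCms. It assumes a .NET Framework desktop build referencing System.Security.dll and a time-valid certificate with a private key in CurrentUser\My; the signed data is a constructed sample string.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example for the full .NET Framework (System.Security.dll), not Silverlight:
// X509Store enumeration plus PKCS#7 (CMS) signing, the two things the post notes
// Silverlight lacks. Assumes a certificate with a private key in CurrentUser\My.
static class Pkcs7Demo
{
    // Enumerate the user's personal store and return the first time-valid
    // certificate that carries a private key (null if none is found).
    static X509Certificate2 FindSigningCertificate()
    {
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            var valid = store.Certificates.Find(X509FindType.FindByTimeValid, DateTime.Now, false);
            foreach (X509Certificate2 cert in valid)
                if (cert.HasPrivateKey) return cert;
            return null;
        }
        finally { store.Close(); }
    }

    // Detached CMS signature: the signed blob does not embed the content itself.
    static byte[] SignDetached(byte[] data, X509Certificate2 signer)
    {
        var cms = new SignedCms(new ContentInfo(data), true);
        var cmsSigner = new CmsSigner(SubjectIdentifierType.IssuerAndSerialNumber, signer);
        cms.ComputeSignature(cmsSigner, false); // silent=false: may prompt for a smart-card PIN
        return cms.Encode();
    }

    // Verify the signature and build/validate the signer's certificate chain.
    static bool VerifyDetached(byte[] data, byte[] signature)
    {
        var cms = new SignedCms(new ContentInfo(data), true);
        cms.Decode(signature);
        try { cms.CheckSignature(false); return true; }
        catch (CryptographicException) { return false; }
    }

    static void Main()
    {
        var cert = FindSigningCertificate();
        if (cert == null) { Console.WriteLine("No certificate with a private key in CurrentUser\\My."); return; }
        byte[] data = Encoding.UTF8.GetBytes("constructed sample document"); // constructed input
        byte[] sig = SignDetached(data, cert);
        Console.WriteLine("Signer: {0}; signature: {1} bytes; valid: {2}", cert.Subject, sig.Length, VerifyDetached(data, sig));
    }
}
```

Pass true to CheckSignature to check only the cryptographic signature without chain validation, which is useful when diagnosing trust-store problems separately from signing problems.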


Macs are more secure, right?

June 2nd, 2010

For starters, let me just say that I personally have three Mac systems and three Windows systems I interact with on a regular basis. I’m writing this blog post from a MacBook Pro. However, there is a wide and growing misconception about the security of Mac systems vs. the security of Windows systems. I just came across the following post in PC Magazine’s Security Watch blog, and there is a lot of good information in there; specifically the following quote, which I want to share:

In the abstract, Macs are every bit as vulnerable as Windows systems, perhaps more so. But in the real world Mac malware is so rare that it actually makes news. Hundreds of Windows trojans like OpinionSpy come out every day. Mac users are generally “irresponsible” about such things, but for now they can afford to be.

My neighbor mentioned the other day that she got a Mac and loved it because (a) it was easier to use, and (b) it was more secure. Point (a) can be argued both ways; some things are easier to do on Windows and some are easier on Mac… but point (b) is something that troubles me. The lack of publicized vulnerabilities and attacks does not mean more security. Joe User wasn’t concerned about the advanced persistent threat before Google released information about the Aurora attacks.

The bottom line I keep telling people: there is more malware written for Windows because that is where the market share is; the attackers are going after the largest market out there. As that market dries up they will focus their efforts on OS X, and when that happens, beware. Mac users, don’t be too comfortable. Get an anti-malware product. Turn on your firewall. Turn on FileVault. Disable automatic logon. Don’t make yourself the easy target when the bad guys turn their attention to Macs.


FTC Delays FACTA Red Flag Rules Enforcement Again

June 2nd, 2010

The FTC released a statement last Friday indicating that it would push back enforcement of the FACTA Red Flags Rules to the end of the year. This is just the latest delay in enforcement, with the previous enforcement deadline having been June 1st. The delay comes as professional organizations continue to chafe at their inclusion in the rules’ scope. Courts have already ruled that the American Bar Association (ABA) and its membership are excluded from enforcement. The American Institute of Certified Public Accountants (AICPA) and the American Medical Association (AMA) have also filed cases protesting their inclusion.

From the FTC press release:

“Congress needs to fix the unintended consequences of the legislation establishing the Red Flags Rule – and to fix this problem quickly. We appreciate the efforts of Congressmen Barney Frank and John Adler for getting a clarifying measure passed in the House, and hope action in the Senate will be swift,” FTC Chairman Jon Leibowitz said. “As an agency we’re charged with enforcing the law, and endless extensions delay enforcement.”

For more information, please check out the following links:


Maximize Facebook Privacy

June 1st, 2010

In celebration of Facebook’s recent privacy control revamp, I present a very informative tutorial video from the Electronic Frontier Foundation that gives a brief rundown of the changes, the highs, and the lows. This might also be worth sharing with friends or relatives on Facebook who may not be in the know about the increased focus on privacy control in social networking and social media.

Enjoy:
