Security

Overheard: The Great Firewall of China

Depending on how you look at it, the Chinese government’s attempt to rein in the Internet is crude and slapdash or ingenious and well crafted. John Ritter, The Connection Has Been Reset

When American technologists write about the control system, they tend to emphasize its limits. When Chinese citizens discuss it—at least with me—they tend to emphasize its strength. All of them are right, which makes the government’s approach to the Internet a nice proxy for its larger attempt to control people’s daily lives.

Overheard: There’s no killer app for GRC software

Most people assume that so-called GRC software–governance, risk and compliance–will continue to gather steam, as big boys like Oracle and SAP continue their marketing. It makes sense to automate compliance and risk issues, but the reality of this nascent field is that there really isn’t a single point solution. John Hagerty, CFOs face complex GRC software decisions

Overheard: AML software and the law of unintended consequences

Poor Eliot Spitzer. The former governor of New York resigned in disgrace last month amid allegations he hired a high-priced call girl. In a matter of days, Mr. Spitzer went from potential presidential candidate to — in the tech world, at least — the poster boy for software usually used to snare fraudsters, money launderers and terrorists. Ian Harvey, Anti-laundering software casts wide net to catch big fish

A little more info about how AML software accidently caught a big fish.

By law in Canada and the U.S., banks are obligated to report cash transactions of more than $10,000. According to U.S. federal officials, Mr. Spitzer’s transactions were flagged because it appeared as though he was trying to evade notice by moving several smaller amounts, which is known as “structuring.” In Mr. Spitzer’s case, three cash transactions amounting to more than $10,000 within a relatively short time frame set off alarms.

Video: Robot demonstrates face recognition

Kind of cool!

Overheard: Change the default password for crying out loud!

OpenDNS released a free tool today called fixmylinksys.com that lets Linksys users easily change their default password to protect themselves from the [DNS rebinding] hack Kaminsky will demo. Kelly Jackson Higgins RSA Session Features Live Linksys Router Hack

I bet you still know people who use admin or 123456 as a router password. Let them know about DNS binding attacks.

Overheard: Is Kraken buzz just Damballa’s attempt to make a name for itself?

“Many folks in the anti-virus and broader Internet security space say Damballa is trying to make a name for itself by hyping this threat, and that Kraken is nothing more than a renamed and repackaged “Bobax,” a worm of similar lineage and methods that was discovered several years ago.” Brian Krebs, Kraken Spawns a Clash of the Titans

Overheard: Mandatory EINSTEIN

“What is different is that we’re going to have comprehensive coverage across federal networks, and that all the information about potential intrusions or malicious code would flow to a central point, the U.S. Computer Emergency Readiness Team at the Department of Homeland Security.” Scott Charbo, as quoted in Analysis: Einstein and U.S. cybersecurity

Mr. Charbo is the Chief Information Officer at the Department of Homeland Security.  He’s talking about EINSTEIN, a federal government’s intrusion detection software application. It’s been available since 2004, but now the DHS is going to make it mandatory. 

What took them so long, you ask? Well, apparently there wasn’t a single ”business owner” with enough power to mandate EINSTEIN’s global use until February, when President Bush signed that multi-billion-dollar cybersecurity initiative.  EINSTEIN has received its share of criticism. Some detractors point out that it’s not robust enough. Some worry that if everyone’s using the same software, everyone shares the same vulnerabilities. Some people just seem content to make Bush/Einstein jokes.

I’m not sure what I think about this yet.

See also: Einstein keeps an eye on agency networks 

Overheard: Finger vein ID

Both finger prints and iris patterns can be more prone to copying by a third person. But finger veins are not directly visible to a third person, which makes them more suitable for security use. Hitachi spokesman Atsushi Konno, as quoted in Vein recognition touted for ID systems

I wonder if the finger has to be attached to a live person for this technology to work? That makes it even MORE suitable.

Overheard: Forget hiding your SSID — pay attention to what you name it

Many people (including myself) have tried to “hide” SSID as a security measure. Unfortunately, efforts to hide SSID ultimately fail and degrade overall WLAN performance. Lisa Phifer, Configuring service set identifiers

SSIDs are analogous to Windows workgroup names. PCs use those names to browse a network neighborhood and discover others in the same workgroup. When a PC actually tries to access a fileshare, permission is determined by computer name, user name and password. Similarly, stations use SSID to discover APs in the same ESS, but access depends upon other parameters like the station’s address, WEP keys and 802.1X credentials. Access requests must carry the right name, but the workgroup or ESS name is not a password – it identifies the resource to be accessed.

Overheard: Role mining driven by compliance

We are headed into a phase in Identity Management that is heavily driven by compliance and security, corresponding to a strong demand for intelligent role management and compliance reporting to automate and simplify these processes for enterprises. Jutta Cymanek as quoted in Omada Appoints RBAC Specialist to Identity Management Team