Comments on: Bring in the CPP

By: angel

angel — Thu, 23 Oct 2008 06:21:52 +0000

By: Rigma

Rigma — Thu, 02 Oct 2008 00:05:43 +0000

Military pages that have forums/specops discussions should be kicked of WAN/VOIP etc…
They always hack people!

By: gsak

gsak — Wed, 01 Oct 2008 21:28:44 +0000

Solid advice, all around.

By: Ptsfp

Ptsfp — Tue, 30 Sep 2008 20:20:02 +0000

Kevin,
On the firewall side, I know a lot of companies use Checkpoint.
The founder and CEO, Gil Shwed, is a former member of Israeli intelligence, Unit 8200. I always figured once an intelligence officer, always an intelligence officer. Could this possibly be a national security issue?
Don’t get me wrong, I love Israel, but spooks making security devices always makes me nervous.

By: Kevin

Kevin — Mon, 29 Sep 2008 21:02:54 +0000

OPEN SOURCE
Open source is a very small part of the overall market. I was focusing on the 80% in the Posting. That being said we do need to address the Open Source issue. My Idea on open source consists of two parts.
Part 1
The author must certify they have tested to whatever they post to a certain standard.
Part 2
The organization that chooses to use open source must certify they have tested the software to a certain standard.
So both the authors and the users share in the responsibility for Open Source

By: George

George — Mon, 29 Sep 2008 19:53:59 +0000

Part one sections a — d could be solved with a different OS (Solaris, Linux, BSD, OS X, etc…) Security is a weakest link, why does “evil”-ware still exist when we know what the weak link is…
Part three, Legislation that mandates software testing and vulnerability. What about open source software… Who is the vendor. Who gets the lawsuit?
Part five, cyber weapon. Uhhh what’s that? Give me a 486 with an internet connection is that a “cyber weapon”. Are nmap, nc, dig, ping, nessus, all cyber weapons? Careful with laws and definitions our we will outlaw the “series of tubes”.
LOVE part 10. Where do I put in the job application that would be a fun team to work for “IF” properly funded.

By: Ptsfp

Ptsfp — Mon, 29 Sep 2008 16:30:15 +0000

How about a rule for wireless connections? Wireless is the most unsecure connection type available. And not just for the office, what about home?
I read once that these guys would get the home addresses of executive users and “war drive” their homes. They would sit outside their homes with wifi laptops and see if they could access the exec’s home network. Many times the home networks had no security enabled at all…
Training the employees to look out for social engineering attacks would also be a huge priority. In 18 years of computer support I have only been challenged twice when asking for a user’s password. Also many employees assume that if you are inside the facility, you belong there. I was unescorted 98% of the time on a clients site and have only been challenged when walking through a facility 3 times in 18 years. Two of the challenges were at a single location.
During these times when every company is making cut backs, many lobbies are not even manned anymore. Turn off live network connections in ungaurded lobbies. One penetration testing company bypassed a very high end firewall by simply connecting a wifi router to a live jack in an unprotected lobby. Then they taped “IT department do not remove” on the router. They then could sit in the parking lot and have access to the network.
Just some thoughts.

By: gsak

gsak — Mon, 29 Sep 2008 16:17:39 +0000

Officers & Directors of most companies aren’t familiar enough with stuff like this to authorize it in their budgets; IT Managers are sometimes gutless, and aren’t willing to press for it. I’ve seen this, first-hand. Unless you come-down on a company with the fire of Sarbanes-Oxley, you will get minimal results, despite your best intentions.
Maybe you’d get a few high-schoolers arrested for having directional antennas, WiFi adapters that support Promiscuous Mode, and BackTrack-equipped USB keys.
This level of regulation, however excellent on paper, would be counter-productive if written and enforced by the wrong minds.

By: Dr. Curiosity

Dr. Curiosity — Mon, 29 Sep 2008 15:11:07 +0000

A good, comprehensive list. Okay, immediate thoughts that spring to mind: 1/2: Centralised repositories for uploading attack data. If I were attempting to compromise a device or a network, that would be the first place I would look to take out of the loop, much like the priority of removing malware's "phone home" capabilities to prevent any further potential data leaks while cleaning it up on a system. Any thoughts you'd care to share on hardening such a reporting mechanism? 5: Given that a number of "cyber weapons" are essentially weaponised security tools, I'd be rather concerned about throwing out the baby with the bathwater in terms of such legislation. I'm uncomfortable with the thought that merely possessing a useful tool will be criminalised. We definitely need legislators who have security expertise or good access to it, as I'm sure you will agree. As a comment on your "big brother" point, I feel it's important than any standards and provisions for software in such a system are formed as part of an open standard (albeit federally tested, verified and certified - no proprietary "black box" developments). Otherwise there's too much of a chance that some lobbyist on the hill could attempt to turn a useful trusted computing paradigm into a vendor lock-in monopoly which would not serve anyone's best interests.