The InfoSec Blog

Read this ….

Posted by Anton Aylward

.... and think about it the next time you take your laptop through
customs ....

http://securosis.com/2008/06/17/pink-slip-virus-2008/

Scary, eh?

Filed under: Risk

Is Windows or is IT the problem with security?

Posted by Anton Aylward

http://news.cnet.com/8301-13505_3-9970323-16.html

Michael Fiola, formerly an investigator with the Massachusetts Department of Industrial Accidents, was charged with possession of child pornography. He lost his community's respect, many of his friends, and his family. His crime? He was given a Windows-based laptop that was riddled with vulnerabilities that were or became prey to malware.

An investigation showed he hadn't downloaded the pornography. His computer did:

When the DIA issued Fiola his Dell Latitude laptop in November 2006, it
was so badly configured that it may well have already been hacked, said
Tami Loehrs, a forensics investigator hired by Fiola's defense team. The
Microsoft Systems Management Server software on the laptop was
misconfigured and was not receiving critical software updates, and the
laptop's Symantec antivirus software was either misconfigured or not
working properly, she said.

"He was handed a ticking time bomb," she said.

In this case, it's called Windows. Or, more accurately, an IT department that inflicted a poorly implemented Windows environment on Mr. Fiola.
Could this have happened with Linux or the Mac? Yes and maybe.

Yes, because weak IT yields weak security.

But maybe, because both of these Unix-like systems handle security much better than Windows traditionally has. But that's not really the point.

No, what's really the point is things like this and the case where a teacher was accused of exposing her class to pornography.

The article ends with

Did Microsoft create this problem for Mr. Fiola? No. If anything, it
sounds like his IT department is to blame. But if it were me, I'd be
asking for a Mac when joining a new company. With the Mac, my odds of
having a Fiola-esque experience go down dramatically.

Which makes me think of another article I saw that indicates

MacOS experienced 50% growth as a primary development platform and 380% growth as a targeted platform during the period.


Smartphones ‘bigger security risk’ than laptops

Posted by Anton Aylward

http://www.networkworld.com/news/2008/060208-smartphones-bigger-security-risk-than.html

I've just been looking at the Sony-Ericsson X1 as a replacement for my Newton.

I admit that many PDAs aren't really that comprehensive, don't really store much above names and numbers, but there is an awful lot of information on my Newton. The X1 looks like it will be a small laptop.

But then, depending on your job and working tools, there is a lot of 'portable electronics' that can easily go missing. My voice recorder is about the size of a pen and has many interviews and notes. Their value to someone else (aka espionage) is small, but their loss would impact me.

However, let's be realistic. I've never lost or misplaced the recorder or my laptop or my Newton. I have lost my house and car keys on a number of occasions.

Filed under: Risk

RIM Questions India’s BlackBerry Encryption Worries

Posted by Anton Aylward

http://www.informationweek.com/news/security/encryption/showArticle.jhtml?articleID=208401643

BlackBerry maker Research In Motion (NSDQ: RIMM) told the Indian
government Monday that lowering the encryption level of its smartphones'
services will not solve the country's security concerns because there
are other companies offering similar systems.

Indeed.
And in addition there are all the other encrypted services like PGP, S/MIME and any form of encryption tool you choose to download, never mind things like Skype.

I won't even go into matters such as sending telegrams or conventional phone calls with code phrases, and other techniques that proved efficacious in the first half of the 20th century and prior to that.

Officials in New Delhi said they were concerned that because these
e-mails couldn't be intercepted, militants could be using BlackBerry
services to coordinate terrorist attacks.

It seems odd to my mind that the highly terrorist-sensitive security forces of the USA are not also demanding RIM hand over a master key.
Is it because the NSA have cracked AES-256?

I doubt it. It's more likely that the value of business communications to the economy outweighs the risk of terrorists remaining undetected and using modern technology to communicate.

As the article goes on to say ...

But during a presentation to India's Department of Telecommunications,
RIM pointed to four other mobile e-mail systems in the country --
Windows Mobile ActiveSync, Nokia Intellisync, Motorola's Good, and Seven
Networks -- that utilize similar encryption. Because these other services
are widely available, RIM contends that the government would have to also
take actions against those companies instead of singling out RIM.

Quite so. And it would have to ban and take enforcing action to deal with other forms of secure communication. And let's face it, the cold war showed that wasn't feasible.

Do we have another example of governments emphasising ELINT when they should be developing HUMINT?

Filed under: Risk

Strong passwords or nothing at all

Posted by Anton Aylward

http://blogs.zdnet.com/hardware/?p=1998&tag=nl.e539

Adrian Kingsley-Hughes tries out the latest Live CD for Ophcrack.

Of course your idea of "strong" may differ from his.

Filed under: Security