The InfoSec Blog

Last month, this question came up in a discussion forum I’m involved with:

Another challenge to which i want to get an answer to is, do developers
always need Admin rights to perform their testing? Is there not a way to
give them privilege access and yet have them get their work done. I am
afraid that if Admin rights are given, they would download software’s at
the free will and introduce malicious code in the organization.

The short answer is “no”.
The long answer leads to “no” in a roundabout manner.

Unless your developers are developing admin software they should not need admin rights to test it. Read the rest of this entry »

Someone asked:

If you have a good information security awareness amongst
the employees then it should not a problem what kind of attempts
are made by the social engineers and to glean information from
your employees.

Yes but as RSA demonstrated, it is a moving target.

You need to have it as a continuous process, educate new hires and educate on new techniques and variations that may be employed by the ‘social engineers’. Fight psychology with psychology! Read the rest of this entry »

http://www.forbes.com/sites/insertcoin/2012/02/03/you-will-never-kill-piracy-and-piracy-will-never-kill-you/

NEW YORK, NY - JANUARY 18: Protesters demonstrate against the proposed Stop Online Piracy Act (SOPA) and Protect IP Act (PIPA) on January 18, 2012 in New York City. The controversial legislation is aimed at preventing piracy of media but those opposed believe it will support censorship. (Image credit: Getty Images via @daylife)

The full article is a bit wordy, and manages to avoid lecturing about how the media industry failed at “service” when it came to view tapes and DVDs, how they objected even those turned out to be immensely profitable. We all know that and we all know that despite the opportunity for profits that just about everyone else in the world seems able to cash in on, the RIAA etc seem to want to shut it down.

Well if they did there would be outcries not from all the people who had minor copyright infringements from quoting one another, but from all the businesses that were loosing customers, not just from direct action but from the word-of-mouth style propagation, reviews, snippets that had nothing to do with them but caused shut-downs and lockouts. A ripple effect. The Laws of Unintended Consequences doing what it always does, biting in the ass.

Yes, if the media industry provided the service that customers want piracy wouldn’t be an issue. As the article says, look at the economics.

It’s not a physical product that’s being taken. There’s nothing going missing, which is generally the hallmark of any good theft.

There’s a corollary to that: if the media companies were selling on the net their cost of reproduction is zero. They can sell the same movie hundreds of times over and it doesn’t cost them any more.

With VHS and DVD there is the cost of production, shipping and retail mark-up. There’s that for every sale. And those are costs that are going up year by year. And if there’s a mistake in estimates about volume then either there are lost sales for lack of product, or waste as it gets remaindered.

But with a ‘Net based distribution scheme there is only the cost of storage and bandwidth, and those are going down.

Its as if the RIAA have it exactly backwards.

So it costs, what, lets say $20 to buy a movie as a DVD.
That’s my budget. If I got to the store and found the movie I wanted was $5, then I’d be inclined to buy some more. Maybe at $5 a shot I’d spend more than $20 as I found other movies that I marginally considered. Now suppose that I didn’t have to drive to the store? Many people I know buy more books at Amazon than they ever did in a bricks-and-mortar store. many bricks-and-mortar bookstores are shutting down. Lower the cost of a movie to $1 and make it available on the ‘Net, mail buyers about new releases and packages the way Amazon does and there will be more impulse buying. See low-res, high-res and super-high res/HD, alternate endings, have consumers write reviews … you know how it goes, Amazon does it well.

Amazon have shifted from selling books to selling e-books. No more packaging, inventory or shipping. Instant gratification.

The RIAA are not just stupid, they are extremely stupid.

A stereotypical caricature of a pirate. (Photo credit: Wikipedia)

Related articles

• A Peek at a Few Trends (laf.ee)
• Software piracy in Canada exceeded $1.1B in 2011 (ctv.ca)
• What’s the true cost of piracy? (infographic) (venturebeat.com)
• US mistakenly seizes a music domain – and holds it for 18 months (art2science.org)
• Study: BitTorrent music piracy increases album sales (electronista.com)

http://www.infosecisland.com/blogview/19386-The-Death-of-Antivirus-Software.html

The real issue here isn’t Ubuntu, or any other form of Linux.
Its that AV software doesn’t work.
PERIOD.

There are over 50,000 new piece of malware developed and released daily. The very nature of the AV software models that John McAfee foisted on the industry simply can’t cope.

This isn’t news. Signature-based (and hence subscription based and hence that whole business model) AV is a wrong headed approach. As Rob Rosenberger points out at Vmyths.Com, we are addicted to the update cycle model and its business premise is very like that of drug pushers.

What’s that you say? Other types of AV? Like what?

Well, you could have a front-end engine that checks all downloads and all email and all email attachments and all URL responses by emulating what would happen when they run on any PC or in any browser or any other piece of software such as any of the PDF readers you use, or any of the graphical display software you use or any of the word processors you use
or any of the spreadsheet programs you use or any music players you use … and so on.

Many people in the industry – myself included – have proposed an alternative whereby each machine has a unique cryptographic ID and the legally and properly installed libraries are all signed with that ID, and the program loader/kernel will only load and execute correctly signed code.

Yes, Microsoft tried something similar with ActiveX, but that was signed by the vendor – which can be a good thing, and used PKI, which can also be a good thing. But both can be a problem as well: go google for details. A local signature had advantages and its own problems.

The local signature makes things unique to each machine so there is no “master key” out there. If your private key is compromised then do what you’d do with PGP – cancel the old one, generate a new one and sign all your software with the new one.

The real problem, though, is not in having the key compromised but is the problem that has always existed – its the user. Right now, we have many remote code execution blockers. Your browser might be able to block the execution of Java or JavaScript, but does it? Most people either don’t bother setting their defaults to “no execution” or just say “yes” to the pop-up asking them to permit execution.

No technical measure can overcome human frailty in this regard.

Related articles

• Avira antivirus upgrade wreaks ‘catastrophic’ havoc on Windows PCs (techworld.com.au)
• How can We Detect Viruses Without Antivirus Software? Built In Antivirus in your Browser (shanicomputers.wordpress.com)
• Intel and McAfee unveil plans for unified security future (go.theregister.com)
• John McAfee, antivirus pioneer, arrested by Belize police (networkworld.com)
• GlobalSign Develops Free Tool to Simplify Code Signing Process (prweb.com)
• A Modest Proposal: Please Don’t Learn to Code Because It Will Damage Your Tiny Brain (inventwithpython.com)
• Why Authenticity Is Not Security (leviathansecurity.com)
• Certs 4 Less Announces Support For Individual Code Signing Certificates (prweb.com)
• ‘Catastrophic’ Avira antivirus update bricks Windows PCs (go.theregister.com)
• Avira fixes antivirus update that crippled many PCs (neowin.net)
• Free Anti-Virus Software Fails To Charm Enterprises (informationweek.com)
• Backpack Algorithms And Public-Key Cryptography Made Easy (coding.smashingmagazine.com)
• Cryptography pioneer: We need good code (infoworld.com)
• Contrary to Popular Opinion, Encryption IS the Hard Part (blogs.gartner.com)
• Public Key Cryptography Explained (q-ontech.blogspot.com)

http://www.zdnet.com/blog/identity/darpa-authentication-project-focuses-on-humans-as-secrets/157

So do my cats. But so what?

Does this mean that DARPA/USGov will finance the supply of advanced biometrics with every PC from Microsoft or Apples and every Tablet and smartphone? Perhaps eyeball recognition like in “Minority Report“.

And I’m sure there are _other_ ways to hack that than the one mentioned in the movie.

Related articles

• SSL governance and implementation across the Internet (net-security.org)
• Why change VMware default self-signed SSL certs? (longwhiteclouds.com)
• Biometric apps for Kinect: Microsoft wants to avoid creeping everybody out (geekwire.com)

 So to have great (subjective) protection your layered protection and controls have to be “bubbled” as opposed to linear (to slow down or impede a  direct attack).

I have doubts about “defence in depth” analogies with the military that many people in InfoSec use.

Read what they are really talking about in those military examples: its “ablation”: that means burning up resources, like land (the traditional defence the Russian Empire used) or manpower (the northern states used in the US civil war) and resources (the USA in WW2).  They try to slow down a direct and linear attack, hopefully to a standstill.

As the Blitzkrieg showed in dealing with the Maginot Line, if you “go around it” the defence isn’t a lot of use.

Through the ages of war and politics and empire-hood and nation-hood and tribalism we’ve seen many threats and attacks and subversions used.

The reality is that many InfoSec defences are more like umbrellas, the assume that the attack in coming from a particular direction in a particular form.  What’s needed is more like an all-enclosing “bubble” rather than something linear with the ‘defence in depth’ model.  But that gets back to the problem of the perimeter.

Many wifi enabled devices are really “spies inside the defensive perimeter”.

There was a scare a while ago that various networking equipment was made by companies or fabricators in places that were or might be inimical or economic competitors and as such have subversive code hidden in them.  No doubt this will come around again when journalists have nothing better to write about or the State Department need to wave a big stick and scare the public — its form of showing that “its doing something”.

But how can we tell? The reality is that “security specialists” are finding errors – never mind deliberately malicious code – in all manner of devices: pacemakers, insulin pumps, automobile throttle controllers. Will they find “errors” that allow subversion in mainstream IT deceives like home wifi routers (aka the next generation of spambots), home PC software (that’s a no-brainer isn’t it!) never mind commercial databases.

I dedicate this to the memory of Ken Thompson
http://cm.bell-labs.com/who/ken/trust.html

Like many forms of presenting facts, not least of all about risk, reducing complex and multifaceted information to a single figure does a dis-service to those affected. The classical risk equation is another example of this;  summing, summing many hundreds of fluctuating variables to one figure.

Perhaps the saddest expression of this kind of approach to numerology is the stock market. We accept that the bulk of the economy is based on small companies but the stock exchanges have their “Top 100″ or “Top 50″ which are all large companies. Perhaps they do have an effect on the economy the same way that herd of elephants might, but the biomass of this planet is mostly made up, like our economy, of small things.

Treating big things like small things leads to another flaw in the ALE model.  (which is in turn  part of the fallacy of quantitative risk assessment)

The financial loss of internet fraud is non-trivial but not exactly bleeding us to death. Life goes on anyway and we work around it. But it adds up. Extrapolated over a couple of hundred years it would have the same financial value as a World Killer Asteroid Impact that wiped out all of human civilization. (And most of human life.)

A ridiculously dramatic example, yes, but this kind of reduction to a one-dimensional scale such as “dollar value” leads to such absurdities. Judges in court cases often put dollar values on human life. What value would you put on your child’s ?

We know, based on past statistics, the probability that a US president will be assassinated. (Four in 200+ years; more if you allow for failed attempts). With that probability we can calculate the ALE and hence what the presidential guard cost should be capped at.

Right? NO! Read the rest of this entry »

Image via Wikipedia

I was at a presentation yesterday.
One of the vendor’s speakers, I’m sorry to say, was a CISSP.

OK, he wasn’t Ian Paisley or any other radical religious zealot.

BUT his was hectoring us and telling us that the Devil is out there gathering sinners (aka botnets) and tempting us (with web sites and spam) and just watch what he says: we must open our hearts to Christ (aka his company’s products) and be SAVED by following the One True Faith (only buying his company’s products) and repenting for our sins (having is company come in and do all the scans, consulting and so forth).

I was inoculated against the religious hectoring meme at a young age, but its still fascinating to watch. But like with religion, there are always people who are susceptible, and sadly, always groups willing to give such people a platform.

To be fair, that day’s event also had some good speakers. It had some straight forward and ‘humble’ people who explained matters clearly and without drama, stated the issues and the scopes of threats and
vulnerabilities and how and why their product id what it did.  All without the drama, all without the hectoring or intimidation.

Related articles

• Ian Paisley jnr: My views on gays have matured (politics.ie)
• A Paisley Affair (modedimitri.wordpress.com)
• The City: Belfast (newsweek.com)

Image via Wikipedia

Sometimes I wonder why we bother …

The Securities and Exchange Commission doesn’t just enforce the rules
that govern Wall Street. When asked, it often grants individual
companies exemptions from the rules.

Related articles

• Recently Updated “Securities Law Deskbook” – A Resource to Help Achieve Compliance and Avoid Regulatory Problems, From Bradford Publishing Co. (prweb.com)
• SEC: Bigger potential payouts for whistleblowers (marketwatch.com)
• LATEST FEATURE: Compliance: A hybrid marital troika? (ecmplus.wordpress.com)

Image via Wikipedia

http://www.vancouversun.com/news/Sony+backs+cybersecurity+legislation/5030033/story.html

“If nothing else, perhaps the frequency, audacity and harmfulness of
these attacks will help encourage Congress to enact new legislation to
make the Internet a safer place for everyone,” the Sony executive said.

“By working together to enact meaningful cybersecurity legislation we
can limit the threat posed to U.S. all,” he said.

To people like us, IT Audit and InfoSec types, ‘control‘ come in 3 forms

• preventative
• detective
• compensatory

It seems that this legislation focuses on the 3rd and not the first.
It might even be seen to discourage the second.

Related articles

• Sony backs U.S. cybersecurity legislation (canada.com)
• DOD Website Sells Public On Cybersecurity Strategy (informationweek.com)
• Companies To Spend $130 Billion On Cybersecurity In 2011 (teamshatter.com)
• Obama to Introduce Cybersecurity Proposal (circleid.com)
• White House to unveil cybersecurity proposal (theglobeandmail.com)
• What do we need to do to reach “cybersecurity awareness”? (nakedsecurity.sophos.com)
• White House Cybersecurity Plan: What You Need To Know (huffingtonpost.com)
• Microsoft Endorses White House Cybersecurity Plan (blogs.wsj.com)

http://www.informationweek.com/news/security/attacks/231000472

Does LulzSec’s nonstop hacking campaign, and apparent success at taking
down everyone from Sony to the U.S. Senate, point to fundamental flaws
in website security? “One of the assertions made by the recent run of
high profile attacks was that all networks are vulnerable, and the
groups behind these attacks either had or could have access to many more
systems if they wish,” said the SANS Technology Institute’s Johannes B.
Ullrich in a blog post. “I would like to question the conclusion that
recent attacks prove that all networks are vulnerable, as well as the
successful attacks [prove] a large scale failure of information security.”

I think this so misses the point.
Everybody, every site, very business, every government *is* vulnerable to something, somewhere, sometime.

I’m reminded of the IRA’s statement to Margaret Thatcher:

We only need to be lucky once.
You need to be lucky every time.

Times change. New exploits are uncovered. Every patch and upgrade may – will? – introduce a new vulnerability. Changes in staff; changes in configuration and facilities. Changes, changes, changes.

If you think you can secure your system once and be done then you are, at best, fooling yourself, and more realistically acting in a socially irresponsible manner. We are forever lagging behind, and the evidence is that we are lagging further and further behind.

The fact that so many sites are vulnerable, that even PCI:DSS “certified” sites get hacked, and more, *DOES* at least _demonstrate_ “a large scale failure of information security“.

Soe people ae under the mistaken impression that a Pen Test simulates a hacker’s action.  We get ridiculous statements in RFPs such as:

The tests shall be conducted in a broader way like a hacker will do.

LOL! If a real hacker is doing it then its not a test

Seriously: what a hacker does might involve a lot more, a lot more background research, some social engineering and other things. It might involve “borrowing” the laptop or smartphone from one of your salesmen or executives.

Further, a real hacker is not going to be polite, is not going to care about what collateral damage he does while penetrating your system, what lives he may harm in any number of ways.

And a real hacker is not going to record the results and present them in a nicely formatted Powerpoint presentation to management along with recommendations for remediation. Read the rest of this entry »

On one of the lists I subscribe to I saw someone make this alarming comment:

There may be better and cheaper ways, but I suspect that an outsider
walking in and gaining root on your core database is much more
convincing than an auditor pointing out the same vulns.

That is a very sad situation to be in, since it

1. shows how little faith your management have in the professional capabilities of their own staff, who are the people who should know the system best, and of the auditors who are trained not only in assessing the system but assessing the business impact of the risks associated with a vulnerability
2. has no guarantees about what collateral damage the outsider had to do to gain root.
3. says nothing about things that are of more importance than any vulnerability, such as your Incident Response procedures
4. indicates that your management doesn’t understand or make use of a proper development-test-deployment life-cycle

Yes, it is more dramatic, in the same way that Hollywood movies are more dramatic. Read the rest of this entry »

We were discussing which should be done first and someone said:

The first has to be risk assessment as it is foundation of information
security. You first need to know where is the risk before putting up
any controls to mitigate that risk. Putting up adhoc controls will not
make the controls effective nor will it protect the organizations
against the risk.

While I understand the intent, I think that is very prejudicial language.

Donn Parker makes a very good case that we have the cultural context – read that sophistication and awareness of the baseline risks – to see that there should be a set of baseline controls. IAM, firewall, AV, backups and so forth. We don’t need to leave the assets exposed to threats while we we wait around for a Risk Analysis to tell us that these baseline protective controls are needed.

You don’t need to know the specific risks any more than you need to know the specific risks to have a lock on the front door of your house and close your windows.

I certainly wouldn’t call this approach “ad-hoc”. Read the rest of this entry »

We were discussing which should be done first and someone commented:

Many times, we find that the Control Objectives and controls become
prominent before an ISMS is properly established. Where can a SOA stand
if the assets are not identified and risk is not assessed and approved
by the ISMS Management.

As I’ve said, I think this is a fallacious argument.

If you buy a house or a car there are locks already installed.
They are installed regardless of any specific threats or any knowledge of the assets contained. Many (new) houses come equipped with additional security features such as alarm systems, steel-cased doors
and frames and such like. These are BASELINE features that are implemented without any identification of assets or any formal Risk Analysis or approval process.

Please note: I am not saying that a house owner might not institute additional controls such as an insurance policy that identifies specific assets or a guard dog that is taught the boundaries (aka ‘scope’) it has to protect.

Someone on a forum I subscribe to suggested that there is a major risk of network administrators misusing their privileges. Why admins rather than CFOs, CEO or other staff, I don’t know.

“Major”?
As in often?
As in large impact that stops the business operating?

If its that bad why not just get rid of them?
Its probably easier to automate their job than that of the CFO.

I’ve written here and elsewhere that many people from a technical background don’t understand ‘risk’. Not only do businessmen view risk differently, but risk only occurs when you have something that may offer an advantage – else why would you be doing it?

The limiting case is gambling at a casino or playing . You be against odds because because you might win. Business take business risks because they can make a profit.

But in gambling and business you can only loose as much as you bet, and you have a pretty good idea of the odds – in a casino you know them for sure. In InfoSec we don’t know the odds (except when they are a certainty, like SPAM or Viruses).

So think in business terms.
Companies employ system and network administrators.
Big deal.
They also employ accountants and CFOs.
Who do you think could cause more harm to the business?
A network admin reading other people’s mail or a CFO that defrauds the company by writing phony cheques?

So if a network admin is a “major” threat because of what he _might_ do, *if* you employ a scum-bag and *fail* to do a background check or get him pizzed off, then what grade of threat do you think a similar CFO rates?

Context, I keep telling you, is Everything.

A business might possibly choose not to have a BCP but they might be interested in doing a BIA
After all, the “impact” might be something positive resulting from some change.

Oh, the Irony!
Expeditious and cost effective.

I’ve audited BCPs and always found them lacking. They are difficult to build and often make assumptions that are necessary to get the plan done but are unreasonable in reality. Read the rest of this entry »

Image via Wikipedia

A friend and colleague who is also a security guru and much better qualified than me and who admits that he is not a huge fan of enterprise architecture frameworks doesn’t think that “enterprise architecture” is on a completely solid footing; he points out that it’s a major business for Gartner, following their takeover of Meta Group.

He asks “Anton, you’re a systems engineer and hence familiar with large-scale modelling and design: what’s your take on the widespread use of ‘architecture’? Is it over-egging the pudding?”

Probably.
Its certainly is a heavily abused term.  One that has been hijacked by marketing and owes more to articles in glossy magazines than engineering substance. Read the rest of this entry »

I’m allergic to absolutes.
In particular absolute statements.

So when someone says

NAT is *NOT* a security solution.

I bristle.

Many of the anti-NAT brigade are actually decrying it since they think IPv6 should be used instead.
Personally I thing many home users can get their heads around NAT but not IPv6.
Those cheap Wifi Routers with built-in NAT they buy from Best Buy are really “plug and play” things; they require no setup. To convert to IPv6 will require a lot more knowledge.

For IPv6 you will need to set up a proper firewall since one of the “good things” about IPv6 is that the massive address space means every device is individually addressable. THis may be a bit beyond Joe Sixpack.

NAT is just a coping mechanism for IPv4′s constrained address space

Well yes, but that’s not the point.
The IPv4 address space has been suffering from the ‘the sky is falling‘ doomsayers since I set up Ontario’s first commercial ISP back in 1989. Every tie there is a quiet spot in the news the technical journalist drag out this issue and kill a few more acres of trees about it.

NAT does not “hide” computers. Capture a NAT’d stream of traffic and it
isn’t very hard to separate the conversations of multiple computers
behind the NAT.

Actually it dies hide things.
The out-of-the-box setting on a NAT Wifi router mean that it rejects all incoming REQs. It proxies outgoing connections, so any traffic has to be initiated fro the inside. Yes, you can over-ride this.

NAT does nothing at all, except break things.

NAT doesn’t ‘break things’. What it does is use unrouteable addresses.
The original model of the ‘Net had no provision for security and the idea was that every node (aka address) should be routable and hence addressable by every other address. That is what you mean by “the way IP is supposed to work”.

Which is a bit like saying “two’s compliment arithmetic is the way computers are supposed to work”. Or “linear address spaces are the way computers are supposed to work”.

And it makes no sense.

In olden days before the IP protocols were ubiquitous, LANs had their own protocols: Novel, Microsoft and others. all had their own protocols that ran on Ethernet or TokenRing. To talk to the world they needed an ‘protocol translator’ that encapsulated or translated (depending on the remote endpoint) the local packets for transmission over the Internet. The ‘local’ IP address was that of the NAT and it hid the internal addresses. That the internal addresses were not IP addresses was the whole point.

So now e have an updated version, Its still a NAT and it still hides addresses.

The thing is that NAT renders a subnet inaccessible to the ‘Net at large because the addresses on it are unroutable anyway. That’s not ‘breaking’, that’s a lazy way of filtering. Unless you have tunnels or exceptions (which most NAT’ing devices allow for) that is equivalent to a firewall with a “DENY ALL INCOMING REQUESTS” policy. Yes its not a firewall in that it it doesn’t do a lot of other things a firewall could and should, but that doesn’t mean its not a security barrier. A lazy one, and incomplete one, one that can’t be trusted, but then the same can be said about locking your front door when a good kick can break the frame or a burglar can break a window.

The unroutable subnets were not *intended* as an address exhaustion deerment mechanism. That was unintended side effect that has taken over – the tail that is wagging the dog – and yes, has impeded the acceptance of IPV6. Vendors saw how they could “add features” and as far as Joe Sixpack goes

Please do not attribute intent where there is not one.

As for security and filtering of IPV6 addresses … Don’t make me laugh.
The malware of today does not rely on machines ‘raw’ on the net unfiltered anyway . The ones behind NAT, the ones behind filters, can still download malware and one running that malware can still ‘tunnel’ out to ‘Net, report keylogging and form Botnets. IPV6 and filtering won’t stop that any more than NAT or IPV4 and firewalls and filters ever did. Its not a packet or address level problem.

A completely different set of tools is needed for that security.

I also object to the absolute implied in saying “NAT is not security solution”. That’s trite and unhelpful. AV is not a security solution; deep packet inspection filtering is no a security solution; proxies are not a security solution; user awareness is not a security solution; whitelisting is not
a security solution. All these and more are just components that can be used to improve your security stance.

A simple NAT’ing router has value to Joe Sixpack for many reasons.
For him it means he doesn’t have to argue with his ISP to get a (ever scarcer) subnet, doesn’t have to acquire the technical expertise to manage it and does’ have to pay the ISP or all those extra addresses. From his POV it simply lets him connect his, his wife’s and his kid’s computers to the ‘Net. He doesn’t know about IPV4 or IPV6. He doesn’t care either. He paid his – somewhere between $10 and $60 – for the router and as far as he’s concerned its ‘plug and play’[1].

A ‘solution’ of making him use IPV6 means he’s going to have to get and manage a subnet. That there’s plenty to go round is beside the point. Joe Sixpack bought that NAT router to avoid needing the technical knowledge that you and I take for granted. What he’s going to do is wait until a vendor comes up with another ‘box’ that does it all invisibly for him. And the vendors are used to selling based on features, like NAT, like DHCP. Like making it easy for Joe.

And do you imagine they will let go of NAT? Joe is used to certain keywords. The stuff he’s bought in the past with those ‘features’ works fine so he’s going to seek them out again. What do you want to bet the next generation of IPV6 ‘routers’ targeted at the home market (where there are an enormous number of potential customers) will see “more of the same”?

[1] Well, OK, maybe he was foolish enough to get a wireless router for
less than $10 on eBay perhaps, and then he’s got a whole pile of
other security problems, but tat has nothing to do with IPV4, IPV6
or NAT.

Related articles

• IPv6 and IPv4 Co-existence (itexpertvoice.com)
• The Case for IPv6 in an IPv4 World: The Manager’s View (itexpertvoice.com)
• Ready or Not: Your Network is Moving to IPv6 (itexpertvoice.com)
• 100 days of IPv4 left (infoq.com)
• Can Large Scale NAT Save IPv4? (tech.slashdot.org)
• What the IP Address Meltdown Means For You (pcworld.com)
• Are We Running Out of IPv4 Addresses? (q-ontech.blogspot.com)
• NAT won’t save you from the need to switch to IPv6 (zdnet.com)

If there’s one thing that upsets me when I see articles and posting to forums about policy, its mention of a “Password Policy”. I have to step away from the keyboard, go outside and take some deep breaths to calm down.

I get upset because policy is important and developing — and more importantly communicating — policy has been an important part of my career and the professional service I offer. Policies need to be easy to understand and follow and need to be based on business needs.

If you begin with a list of policies, you end up adapting the the reality of your business – the operations – to the list. You are creating a false sense of security. You need to address what you need to control, and that is Identity and Access.

Lets face it, passwords, as Rick Smith points out in his book “Authentication“, are not only awkward, they are passée – even Microsoft thinks so. More to the point, using passwords can be bad for your financial health.

They should be used with care and not as a default.

And they should most certainly NOT be entombed in a corporate policy statement. Read the rest of this entry »