Last Build Date: Thu, 23 Jun 2005 03:19:59 GMT
Copyright: Copyright 2005 FredOnSomething
Thu, 23 Jun 2005 03:19:55 GMT
The blog has moved
The present version of this blog will not be updated in the future.
I hope that you will enjoy the new format and the future things I will write on it,
Mon, 17 Jan 2005 16:13:23 GMT
Police Technology by Robert E. Foster
Buying a book on the internet can sometimes be painful. You don't know what it looks like, you just have one or two summaries, and there is no more information on the publisher's website. If you are lucky, there are some comments on Amazon. However, personally, I only buy books on the internet now. Why? Because websites like Amazon have an astronomical selection of books. You search for a book, you'll find it. Out of print for 20 years? Try Alibris or Abebooks. More and more books are searchable online and good summaries are written. Soon, it will probably be the primary place to buy books.
I have been contacted by Mr. Robert E. Foster. He sent me a really good summary and a lot of information about his new book. I post it on the blog because it is directly related to it: the union of security and technology; an introduction for students of colleges and universities. These 3 words (security, technology and education) are enough for me to post this information on the blog. Below I put the fact sheet written by Mr. Foster. You can also check the table of contents and four reviews of his book. I didn't personally read it (if anyone wants to send me a copy of it, leave me a message in my email box and I'll review it with pleasure) but I think it is worth its low $33.33 USD.
----------------------
Subject: The use of the text book Police Technology (Prentice Hall, July 2004) in colleges and universities.
Background: An often asked question is "How does Police Technology fit into current course curriculum?" A cursory examination of university and college catalogs will reveal few that include courses that directly explore police technology such as computers in law enforcement or the management of public information systems. However, nearly every criminal justice program includes a course similar to current issues, critical issues or contemporary issues in policing.
Analysis (Issue: Police Technology's Advantages):
Terrorism and Homeland Security: Explains and discusses fragmentation and interoperability. Chapter Seventeen is devoted to using the Unified Command Concept as a technology. The development of the National Incident Management System (a January 2005 requirement for federal funding at the state and local level) is explored and thoroughly explained as the Standard Emergency Management System. The PATRIOT Act and technologies used in conjunction with tracking and surveillance such as traditional wire taps, Carnivore and Magic Lantern are explained and explored. Privacy, legal and practical issues related to surveillance are discussed throughout.
DNA: The science of DNA is explained, along with the development of DNA databases and the ethical and legal considerations. Several states have had recent legislative changes (including a California referendum) relative to DNA. DNA figures prominently in many recent and ongoing criminal prosecutions.
Community Based Policing: The text defines and traces the history. The text looks at technologies that may enhance the model. The text compares and contrasts how technology may actually reinforce the previous model of policing (professional) and not Community-based.
Crime Analysis: The theory and science of crime analysis are explained and explored. Advanced methods of analysis such as geographic profiling are explored.
Technology Basics: The text is designed for the computer novice and expert. All students will become better end-users.
The Internet: The History and technology is explained. The use of the internet by law enforcement is explored. Numerous examples are used to show how the Internet may enhance community policing.
Hi-[...]
Fri, 07 Jan 2005 00:13:41 GMT
What to be aware of before signing the contract
In some of my past posts I worried about some security threats with software development outsourcing. Today as I read my feeds I found a fascinating article on the subject. It was pointed out by a blog dedicated to the subject: The Outsourcing Times. You can read the article here: Outsourcing Contracts: Protecting Project Information.
I'll not comment on the article. It speaks for itself. It gives some good hints on how to outsource software development in
Wed, 05 Jan 2005 21:48:14 GMT
Invisible doesn't mean non-existent
Is it because you don't see a thing that this thing doesn't exist? This question can be one of faith or observation. We know that some things exist without being able to see them, but with experimentation we can demonstrate that the thing really exists. Now, is it because you deleted a file on your personal computer that the file is deleted? Depending on your settings, it will be in the garbage bin. So, if you empty the bin, is the file gone? Obviously not. The file will still be there; only its reference in the file system will be deleted. Okay, if you overwrite the file's old sectors and/or perform a low-level format on the hard drive, will the file finally be deleted and not recoverable? Unfortunately not. It will not be easy to recover the file, but it will still be there, entirely or partially. Am I crazy? No. It will take time and resources, but it's possible. How? It's the product of a phenomenon called residual magnetism. The subject was in the news on ComputerWorld.com some weeks ago. If my memory is right, I read in Body of Secrets by James Bamford that the NSA is able to recover data on hard drives even after 5 to 7 low-level formats. Is this freaky? Not if you don't have state secrets to hide. Remember, they need resources to recover this data. This is not easily done, but it's possible.
Some years ago you would have been able to get unformatted hard drives in government overstock outlets. "Yes, and?" you are asking. Think about it: which type of information is your government handling? Yes, mostly personal information. I remember that around 5 years ago the government of Quebec was in trouble because citizen records were found on the unformatted hard drives of old computers in such a store. This is a real problem. Is the income of a couple of dollars worth the embarrassment? I don't think so. Are they still doing it? I don't know; I haven't been in such a store since then.
The best thing to do is to destroy the hard drive, not sell it. You'll get rid of all the related possible problems. Check the price of a gig of storage space. Are the possible resulting problems worth the income? Personally I don't think so.[...]
Mon, 20 Dec 2004 23:06:57 GMT
The operating system oriented security debate is restarted, Phase 2
Examples of what I was saying.
Some days ago I was saying: "What about the configuration? The complexity of an Operating System with all its services, applications and connectivity hardware is not to be forgotten. A program or a service can be well programmed, without any programming bugs, but a bad configuration alone can lead to a security hole. You'll tell me: Yes, but the programming is perfect, without bugs, so it's impossible that such a thing happens; if it happened then the cause is the user, not me, so it's not mine. If you build a hell-to-configure system then yes, it's your problem. The interaction between a program and its plug-ins, or between a program and other programs, can lead to unexpected behaviors. Usability is probably as important as programming practices."
As you can read, it was not really a great discovery. But today, while reading my blog entries, I was amused by some of them. Let me point them out.
First, Google Desktop. As you can read in the New York Times: "The glitch, which could permit an attacker to secretly search the contents of a personal computer via the Internet, is what computer scientists call a composition flaw - a security weakness that emerges when separate components interact. "When you put them together, out jumps a security flaw," said Dan Wallach, an assistant professor of computer science at Rice in Houston, who, with two graduate students, Seth Fogarty and Seth Nielson, discovered the flaw last month. "These are subtle problems, and it takes a lot of experience to ferret out this kind of flaw," Professor Wallach said"
It's probably one of the best examples of the phenomenon I was talking about two days ago. It's certain that these problems are really hard to find and that it takes imagination to discover them. But the point I want to make is that the security of a program isn't just a function of its code quality. Two programs can be without security flaws, but together, security holes appear.
A post from Peter Torr is also worth reading. He was writing about Firefox and its appearance of security. Sure, the code is probably not too bad, but some of the features (including the download and the installation) are obscure. So, my two pennies in the conversation is just to put the emphasis on the plug-ins point. I already said it before, but please take care with small and cool plug-ins. As Peter said, you don't have any way to check their authenticity. What's cool with Firefox is that it's a potentially slim browser that you can change at will, with the features you want. The principle is great but also paradoxical when you have security in mind. Firefox probably is or will be well studied for security upgrades and patches, but will that be the case with all the plug-ins available on their website? I doubt it. The solution? Probably certifying them. The feasibility? Near null for the moment. Finally, I don't say to stop using it or to not use the cool plug-ins available, but only to be aware of the situation when you are using these types of software.[...]
Sat, 18 Dec 2004 15:22:20 GMT
The operating system oriented security debate is restarted.
Please stop your child's play.
I read today an article on Wired News that restarts the debate on Linux versus other operating systems' security issues. The conclusion is:
· 0.17 bugs per 1,000 lines of code in the Linux kernel
· 20 to 30 bugs per 1,000 lines of code for commercial software
These statistics have been collected by the Carnegie Mellon University's CyLab Sustainable Computing Consortium. The problem with these numbers is that they tell nothing. Fine, theoretically there is less chance that my Linux kernel has bugs that cause security threats. It's certainly likely that the (open source) core of an OS has been studied more than the software it runs. That's exactly the present situation. What about all the other things that come with all Linux distributions? Are they as studied as the kernel? I doubt it.
What about the configuration? The complexity of an Operating System with all its services, applications and connectivity hardware is not to be forgotten. A program or a service can be well programmed, without any programming bugs, but a bad configuration alone can lead to a security hole. You'll tell me: Yes, but the programming is perfect, without bugs, so it's impossible that such a thing happens; if it happened then the cause is the user, not me, so it's not mine. If you build a hell-to-configure system then yes, it's your problem. The interaction between a program and its plug-ins, or between a program and other programs, can lead to unexpected behaviors. Usability is probably as important as programming practices.
How can they sum up computer security risks with lines of code? Can anyone tell me this?[...]
Wed, 10 Nov 2004 02:12:49 GMT
Sun, 24 Oct 2004 19:35:36 GMT
Do not give power to your foes
The principle of information pipeline
Many say that information is power. Then why do you give power to your foes? Is that your wish? Here is the idea behind this article: cut the information pipeline to your enemy to prevent greater harm to yourself.
Do not help your attackers gather information about your network. The first step of an attack is the reconnaissance of the playground. It's done by social engineering, physical site reconnaissance, internet search, network mapping and DNS reconnaissance. Afterwards, they map their target by war dialling, network mapping (ICMP), port scanning and vulnerability scanning.
Fri, 22 Oct 2004 02:10:06 GMT
Articles published by Microsoft this week
All on computer security
This week many interesting articles about security have been published by Microsoft. I am just writing this little post to let you know about them. The most important publication was the November 2004 issue of MSDN Magazine. All its articles are about computer security. The articles cover a wide range of subjects, from cryptography to .NET technology. After this, there was another really interesting article called The Security Risk Management Guide. It was written to help Microsoft's clients to type, build and maintain a security risk management program.
Finally, there is the Security Application section of the .NET framework on MSDN, which is always good reading. It includes Role-Based Security, Secure Coding Guidelines, Code Access Security, Security Policy Management, Security Policy Best Practices and Security Tools.
This is all I have to say on this today. So, happy reading on Microsoft!
Wed, 13 Oct 2004 01:58:42 GMT
Keep an eye on your techies
Are you an IT department administrator? Do you have people to supervise (techies, developers, etc.)? Keep an eye on them. The problem is that they need information to do their work. Sometimes they don't find it and ask for it. Sometimes they ask their peers for opinions, reviews and tips. There are several ways to ask for this information. Occasionally they use Usenet or web forums. The problem with these technologies is that all their content is logged. For example, Google has an archive of most of the Usenet groups since ~1997. Most of the time they need to detail their problem to get a valuable answer from other users. If one of them has a problem with the topology of your enterprise's network, he'll probably write things about the hardware used, the subnets used and the technologies in place inside your enterprise. Lastly, most of the time, he'll ask these questions during his working hours. There isn't any problem with this fact, but working hours also mean the company's computer and the company's computer settings, like the company's email address and identification. So they will use their enterprise email to get answers to their questions.
If you understand the problem, you'll see that you have a post on a Usenet group, sent by one of your techies or developers, where sensitive information about your enterprise's network infrastructure is tagged with the email of the so helpful employee.
What can you do? Educate them. The only thing that they want is to do their job. But sometimes they don't see that they can harm the enterprise by doing this type of thing. They only need to be educated about the problem. They only need to be aware of the problem. It's your job, not necessarily theirs.
If you don't believe what I say in this post, try it. You'll be astonished by the results.
Mon, 11 Oct 2004 15:37:50 GMT
Know your Enemy
Does he really know them?
First, I want to apologize for the lack of posts in the last 4 days; I had other things to do and was short on time. So, the article that I'll comment on is 5 days old, but I want to comment on it anyway. The problem with it is that he doesn't focus on his subject, goes everywhere and tries to cover a wide question in a little article. The title is "Know your enemy" -- cliché. He writes on 3 main subjects: companies' resources (new network technologies), third world hackers (money as motivation) and other obscure ones (custom software and social engineering). Here is what he said about the second subject, which I want to comment on:
"Should US companies worry about hackers in Russia and other countries?
Hackers from countries where the economy is less developed than the US are more motivated by money than by pride when they start trespassing on US companies - as opposed to US hackers, who are motivated more by pride than money. (There are many other ways that you can make money in the US.) Also, money is a stronger motivator than pride. That's why people motivated by money are more dangerous. Hackers are businesspeople [if they are motivated by money]. In most cases, they are probably just having difficulties in their countries finding and exploring opportunities to work. If a company that is hacked into can explore with a hacker his or her talents in a more peaceful way, the victim can only benefit. If these hackers are businesspeople, they can be redirected by being offered a better deal than the one they might get by creating pressure through hacking. I deeply believe in this point. It is hard, however, to generalise too much because every case involves different kinds of people and different circumstances.
What security measures offer the best protection against hackers?
Keep the hackers occupied if you recognise them as a threat. This might be similar to what some countries have done with their nuclear scientists - Russia, for example, keeps them under close supervision and treats them well, but above all keeps them busy professionally."
The problem is that he puts too much emphasis on the typical Hollywood hacker. Really, he is not a threat. The real threats are the criminal groups. They are beginning to see benefits in cyber crime and they exploit it. They exploit the internationalisation of the Internet and the lack of law applicability in many countries. This is the real problem. It's true that the motivator is money in this case too, but good luck employing them afterwards. I think that he talks about a minority of cases, and by doing so, he'll not get rid of the real problem, the real danger: the involvement of criminal groups in cyberspace. That's my two pennies in the discussion.
[In addition to the post: 12 October 2004]
I just read Bruce Schneier's October blog posts. He talked about this subject on 4 October with Bill Brenner from SearchSecurity.com. It's interesting to see that I'm not alone in holding this view. I know that many other people do too. Here is the excerpt from his post:
"What's the biggest threat to information security at the moment?
Schneier: Crime. Criminals have discovered IT in a big way. We're seeing a huge increase in identity theft and associated financial theft. We're seeing a rise in credit card fraud. We're seeing a rise in blackmail. Years ago, the people breaking into computers were mostly kids participating in the information-age equivalent of spray painting. Today there's a profit motive, as those same hacked computers become launching pads for spam, phishing attacks and Trojans that steal passwords. Right n[...]
Mon, 27 Sep 2004 01:13:30 GMT
Fri, 24 Sep 2004 23:52:34 GMT
What's best: block a port or let Windows Automatic Updates go on?
This is another thing that I heard from the company mentioned in this story. This time, they block all ports, except 80 and a few others. Blocking all ports means the Windows Automatic Updates program's port too. What do you think is best: blocking a random port, or downloading and automatically installing Windows patches on your fleet of about 100 computers? It seems that not everybody learns from experience. After being infected by MyDoom and some other viruses, the holes are still open. They will not if they don't change their mentality and review their security policies (if they have any).
The purpose of this post is just to give you another example of what companies can do. This is not an isolated case. I'll come back with some stats for you this weekend.
Thu, 23 Sep 2004 02:40:14 GMT
A day in the life of some computer security workers.
I just finished reading an interesting article about a day in the life of Johannes Ullrich of the Internet Storm Center. It was entertaining because this type of article is quite interesting and relatively rare. It's always interesting to see how other people work in their environment. That's why I'm posting this today: to show you another point of view of how some people work in the field of computer security (in this case: a virus infection response team).
Another blog, called A Day in the Life of an Information Security Investigator, is interesting to read for the same reason. Chief mainly writes about anecdotes that he encounters during a day of work.
Wed, 22 Sep 2004 01:23:53 GMT
You need a foundation before raising your house.
Avoid complexity when you talk of security, back to basics
I just came across a really interesting piece of news about the last IT Security Summit conference of the Gartner research center. Normally people who talk at these shows talk about what you need in your enterprise to upgrade your security. Normally they talk about the latest technology that you need to be up to date and a step ahead of hackers. Victor Wheatman, vice president and research area director at Gartner, said the opposite. His speech was about what enterprises don't need in the field of computer security technology. He says that they need to go back to basics if they really care about their security infrastructure.
" Wheatman also singled out "500-page security policies" and security awareness posters as things an IT manager would be better off not spending company resources on. "You do need security policies, but not ones so large that no one reads them. It is also important to have a business continuity plan. We got a lot of calls when the hurricanes came through Florida, but for the most part, that was a little too late. "
It's the same as for physical security. If you are not the president of the United States, you don't need 10 bodyguards, aerial surveillance and 15 hidden snipers when you walk on the street. You only need some basic awareness principles. A basic procedure like the color code of Jeff Cooper. The more complex the procedure is, the fewer people will follow it. These are the same principles as in self-defence. You'll not use your kung-fu style if you are assaulted in a bar. You'll use your gross skills that don't need any thought to use. You'll not look at every person and think about all possible scenarios when you walk on the street. You unconsciously check for hints that can lead to a possible threat.
It's the same thing with a computer security policy; you need it to be as simple as possible for all of your employees. If your protocol is not simple and straight to the goal, your employees will not follow it. You can write a more elaborate one for your system administrators, but not for your normal employees; this is not their job and they are a big part of your security infrastructure, so take care of them! This fact is a question of human nature.
Another interesting thing that I noted in this article is this discussion:
" Perhaps most importantly, an IT manager needs to demonstrate to the executives within the company how to take better advantage of the systems it already has through the use of security. "
" We have an appalling absence of basic management metrics for our trade. If you can measure a problem accurately, you have the Holy Grail," Smith said. "But what you also must have is a champion at the board level. Without senior-level support, nothing will ever happen and you are doomed. "
I already discussed this in this article some weeks ago. It just connects my thoughts with this fact.[...]
Sun, 19 Sep 2004 21:12:22 GMT
Where to start in computer security
When someone is interested in a new subject, he tries to find an introductory work that will tell him what the subject is about, the fields that compose it, the terminology and references for further reading. You need a starting point that will be the root node of your search tree on this subject. Computer security is no exception and fits this pattern. I read a post on joatBlog that pointed me to this article: First Things First - An Introduction to Learning About Network Security. I didn't take the time to read it earlier this week. I just finished reading it, and that's why I'm writing this post now. It reminded me of the methodology of searching on a new subject, and of the importance of introductory works in a field. That's why I am taking the time to share this article with you. If you don't have any experience in this field and you want to learn more about it, I recommend that you read it and the references pointed out in it. Moreover, I suggest that you read most of the articles on the SecurityFocus website. This is another great source of information for any person interested in computer security. I recommend that you read these sources of information before buying any book on computer security. That way, you'll know whether the book is worth its price and which specific field you want to go deeper into.
Happy reading. Remember, if you have any questions, don't hesitate to ask me.
Sun, 12 Sep 2004 21:26:05 GMT
Fri, 10 Sep 2004 23:55:21 GMT
I was stupefied when I learned that every employee of the enterprise shared the same email password. There was only one password, known by some key people like administrators and network technicians. The password is saved by the email client software for future email retrieval. If you have some problems with your email client and need the password to get your emails, you only need to ask a technician to come to your workstation and let him enter the global email password...