Hack-proofing a website is hard enough. But the task becomes
gargantuan when you accidentally publish the administrator’s password
on one of your site’s most heavily trafficked pages.

Such a security gaffe may have enabled unauthorized visitors to log in
and access files undetected for more than six months on a server
operated by Carmichael Lynch, a public relations and advertising firm
with several big-name clients. The admin password was inadvertently
published on a page that contained online job postings.

Among the files potentially exposed to outsiders: internal documents,
including customer databases owned by two of the company’s biggest
clients, Porsche and American Standard.

Experts said the incident is the latest example of how shoddy security
can undermine companies’ privacy promises.

Carmichael Lynch removed the posting that contained the admin password
from its site last week. Contained in the help wanted ad, cached here,
were hyperlinks that included a user name and password that human
resources employees used to upload job listings.

Before the problem was corrected, any Internet user could have
accessed files on Carmichael Lynch’s server simply by modifying the
address in the link.

Carmichael Lynch spokeswoman Sara Mulder said the company has no
evidence that unauthorized visitors took advantage of the security
lapse.

Mulder said the firm’s HR team was using Microsoft’s FrontPage Web
publishing software to post job listings, and the program embedded
“unwanted code, creating that loophole.”

An Internet user who asked not to be identified said he discovered the
problem last June and notified Carmichael Lynch. The user said he
decided to go public with the information after the PR company failed
to plug the hole.

Mulder confirmed that Carmichael Lynch learned last June that its
job-posting process contained a security flaw, but she said the
company thought at the time that it had resolved the problem.

Among the files accessible on the server last week was a 13.5-MB
database containing names, addresses, vehicle information and other
data on nearly 75,000 luxury car and SUV owners.

According to Mulder, Porsche owned the database, which was dated Oct.
20, 2002. But the file’s Properties tab indicated the database was
created by Acxiom, a provider of customer-information tools and
services.

Officials from Porsche Cars North America and Acxiom had no immediate
comment on the incident.

Carmichael Lynch’s security flub also exposed a 7-MB spreadsheet that
contained contact information, including e-mail addresses and
registration passwords, for nearly 12,000 people who had registered
with the American Standard website between April 30 and Sept. 10,
2002.

A pop-up window greets first-time visitors to the plumbing supply site
and encourages them to register for access to “site extras” such as a
“wish list” and a preferred dealer locator.

It was not immediately clear why Carmichael Lynch was storing clients’
customer info databases on its public Web server. Such a practice is
dangerous but common among site administrators who are not “security
savvy,” said Harlan Carvey, a security engineer for a financial
services company.

Privacy policies posted on the websites of Porsche, American Standard
and Acxiom state that the companies take “reasonable precautions” to
protect customers’ personal information in their possession. Mulder
said she does not believe Carmichael Lynch has a privacy policy.

Mark Litchfield, co-founder of NGSConsulting, said privacy policies
are often not backed up by strong security practices. Instead, such
statements are merely “jargon” aimed at giving customers “a warm
feeling in parting with their credit card and other associated
sensitive material.”

Privacy expert Richard Smith agreed, and said Carmichael Lynch’s
security practices “don’t live up to the promises being made in their
clients’ privacy policies.”

To prevent such lapses in the future, Mulder said Carmichael Lynch has
“isolated all such data to ensure its security on limited-access
servers.”

Such data spills can be costly to corporations that fail to follow
standard practices for protecting customer data. Last August,
Ziff-Davis Publishing agreed to pay affected customers $500 each after
lax security exposed the personal data of thousands of subscribers.

–
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoattrition.org with ‘unsubscribe isn’
in the BODY of the mail.

 …

THE curious thing about the new film “Catch Me if You Can” is how
contemporary it seems. Curious because this tale of Frank W. Abagnale
Jr. – in real life a teenage con artist who cashed millions in fake
checks while impersonating an airline pilot, a doctor and a prosecutor
– is set in the swinging 60’s.

In those days few mortals had used a computer, and Internet wasn’t
even a word. But the young Frank Abagnale seems an eery prefiguration
of a very modern character: the hacker.

Like them, he discovered a vast and arcane system held together with
technology – in his case, the nation’s network of banks. He worked
tirelessly to understand its every facet, from the codes used by the
Federal Reserve system, to the special paper and ink and machines used
to make checks. And he exploited the system with a teenager’s
limitless energy – and limited morality.

Like many of today’s hackers, Mr. Abagnale – who is currently
unavailable for interviews, said a spokesman, having just completed a
publicity tour for the film – finally went legit. He crossed over from
committing crimes to solving them – first for the F.B.I., and these
days as a consultant to the industry he once defrauded. In this, too,
he was ahead of his time. In January 2000, the computer security firm
known as stake hired the seven members of L0pht Heavy Industries, a
hacking collective in Boston. Two years before, a member of L0pht
(pronounced loft) had bragged about the group’s skills to a Senate
committee, saying that any member could take down the Internet within
30 minutes.

Chris Wysopal, who attended that hearing as a L0pht member and is now
the director of research and development for stake, says that while
his firm doesn’t go out of its way to hire hackers, it values
“learning how the systems work through exploration.”

Kevin D. Mitnick, perhaps the nation’s best-known hacker, served five
years in prison on charges of computer and wire fraud and is currently
trying to reinvent himself as a business consultant. He has started a
company, Defensive Thinking Inc., and has written a book on computer
security, “The Art of Deception: Controlling the Human Element of
Security,” with William L. Simon.

Hackers have always been with us, said David J. Farber, who helped to
develop electronic telephone switching when he worked at Bell
Laboratories in the 1950’s and 60’s, and went on to pioneer many of
the technologies underlying today’s networked computers.

“There’s been a big history of – let’s call it hacking,” said Mr.
Farber, citing tricks like using magnets to guide slugs through Coke
machines, and getting free phone calls by turning the telephone
company’s own technologies against it. “I don’t remember doing
anything particularly onerous,” he said, and joked that his memory
might be clouded by the fact that “I don’t know what the statute of
limitations is.”

Broadly defined, he said, it is a fundamental urge to game the system.
“If you could find the records and dug back far enough, it was
probably going on in ancient Rome,” he said.

In that sense, the hacker really is a species of trickster. And as the
“cyberpunk” novelist Neal Stephenson wrote in “The Diamond Age,” the
trickster is universal, but varies in guise from culture to culture.

“The Indians of the American Southwest called him Coyote, those of the
Pacific Coast called him Raven,” Mr. Stephenson writes. “Europeans
called him Reynard the Fox. African-Americans called him Br’er Rabbit.
In 20-century literature he appears first as Bugs Bunny and then as
the Hacker.”

OF course, hackers may have another, less mythological reason for
embracing Mr. Abagnale as one of their own. In the movie, at least, he
is an infallibly successful seducer of women – a particular sort of
con at which the stereotypically male hacker is proverbially inept.

–
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoattrition.org with ‘unsubscribe isn’
in the BODY of the mail.

 …

It is a great pleasure for us to introduce the Third World Conference
on Information Security Education, organized by IFIP Working Group
11.8 (IT Security Education) together with the Center for INFOSEC
Studies and Research (CISR) at the Naval Postgraduate School.

The conference will be held in Monterey, California 26-28 June 2003.

Take a few minutes to look around this web site – it contains all the
information you will need if you plan to attend the conference, or if
you want to submit a paper.

Register online!

http://cisr.nps.navy.mil/wise3/

We look forward to meet you at the conference!

–
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoattrition.org with ‘unsubscribe isn’
in the BODY of the mail.…

“Enterprise Security”, David Leon Clark, 2003, 0-201-71972-X,
U$39.99/C$62.99
%A David Leon Clark
%C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D 2003
%G 0-201-71972-X
%I Addison-Wesley Publishing Co.
%O U$39.99/C$62.99 416-447-5101 fax: 416-443-0948
%O http://www.amazon.com/exec/obidos/ASIN/020171972X/robsladesinterne
%P 264 p.
%T “Enterprise Security: The Manager’s Defense Guide”

The preface is heavy on buzzwords (and a few spelling errors) with
little attention paid to concepts and structure. Part one would like
us to think of the forging of a new economy. Chapter one asks “what
is e-business,” and, with a little re-interpretation of history (the
Internet had been in existence for twenty two years and had five
million users, a significant number private and commercial, before it
“became available to the public” according to this book) and ignoring
of inconvenient facts (the hyperinflation of dot com IPO stocks is
stated to prove the success of e-business just before we are told that
the dot com failure was inevitable because of stock hyperinflation)
tells us that e-business uses the net and makes money. Some security
jargon is introduced in chapter two. A confused recycling of trade
press myths about blackhats, in chapter three, seems to state that
these are the only malicious opponents of e-business: there is no
mention of insider attacks.

Part two looks at protecting information assets in an open society.
Chapter four demonstrates an amazingly consistent failure to
understand the technologies supposedly being explained: a
De-Militarized Zone (DMZ) is, by definition, not abandoned outside the
firewall, and Simple Key Management for IP (SKIP) is not a virtual
private network (VPN) product. There are more buzzwords,
miscellaneous security concerns, and more mistakes (ActiveX is *not*
multi-environment) in chapter five.

Part three talks about waging war for control of cyberspace. Chapter
six looks at attacks by syntax, and demonstrates more TCP/IP errors.
(Packet filtering is not exactly built into IP: the ability to handle
a packet based on destination is central to the idea of networking.
The ping-of-death has nothing to do with fragmentation offsets since
it is a single packet, and it is not too small, but too large.) There
is a confusion of attack scripts and script viruses (and cookies, too,
for good measure) in chapter seven. Countermeasures and attack
prevention, in chapter eight, actually looks (tersely) at incident
response. The material isn’t too bad, but has very little detail.
Having talked about DDoS (Distributed Denial of Service) in chapter
six, the attack now gets more pages, but little more detail. Chapter
ten is a grab bag of random safeguards and countermeasures, as is
eleven.

Part four deals with active defense mechanisms and risk management.
Chapter twelve, entitled vulnerability management, suggests collecting
alerts. Given what we’ve seen so far, it is strange that chapter
thirteen *does* address the nominal subject of risk management, albeit
not very well.

This confused collection of random concepts adds nothing of value to
the security literature.

copyright Robert M. Slade, 2002 BKESTMDG.RVW 20020916

-- 
======================
rsladevcn.bc.ca  rsladesprint.ca  sladevictoria.tc.ca p1canada.com
Find book info victoria.tc.ca/techrev/ or sun.soci.niu.edu/~rslade/
Upcoming (ISC)^2 CISSP CBK review seminars (+1-888-333-4458):
    February 10, 2003   February 14, 2003   St. Louis, MO
    March 31, 2003      April 4, 2003       Indianapolis, IN

– ISN is currently hosted by Attrition.org

To unsubscribe email majordomoattrition.org with ‘unsubscribe isn’ in the BODY of the mail.

 …

The end of standard mass mailing worms is nigh – maybe as soon as
before the end of 2003. But there replacements – Trojans and Spyware –
are much, much worse.

Or so Roger Thompson, technical director of TruSecure, a risk
management firm, forecasts. In particular he warns of the risk from
Remote Access Trojans (RATs) or backdoors posted on the Net or spread
via email.

“Malware code writers will continue to disguise RATs and backdoor
scripts as ‘adult’ movies and then post them to pornography new groups
targeting inexperienced users,” he writes. “Expect them to continue
through 2003 but they will be mixed with more and more grey ware (i.e.
spyware and advertising monitoring that is barely legal).”

Thompson notes mass-mailing Windows viruses were largely unsuccessful
in hitting corporations in 2002, with the notable exception of
organisations which did implement proper filters. One of the two
biggest worms of the year was Klez, which infected home PCs mostly.

Macro and script viruses emerged at a rate of 200 to 300 a month in
2002 but this will decrease to approx. 20 to 30 per month, TruSecure
believes.

According to Thompson, the impact of the mass-mailing worm is mostly
over for corporations but it will still have an impact on SOHO (small
office/home office) environments this year.

Code Red

TruSecure (and more particularly its affable “Surgeon General” Russ
Cooper) came to notice in 2001 for predicting that the Code Red virus
had the potential to “meltdown” the Internet.

This warning was, we now know overstated. Cooper told us, when we met
up with him before Christmas, that he did not regret the warning. He
was acting, he said, on early analysis of Code Red and its possible
spread through NT4 boxes. This turned out to be a lesser risk than
first believed.

Fair enough; but TruSecure is still banging on about Code Red-style
attacks to this day. Thompson warning he expects “another attack in
2003 in the class and level of Code Red”.

If he means another outbreak of hysteria from sectors of the security
community (which ought to know better) over some supposed
Internet-crushing threat, how could we disagree?

–
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoattrition.org with ‘unsubscribe isn’
in the BODY of the mail.…

WASHINGTON, Jan. 2 (UPI) — The India-Pakistan conflict has entered
the cyber realm as hackers across the subcontinent have infected
hundreds of thousands of computers in more than 100 countries on New
Year’s Day and the virus is spreading.

South Asia’s two nuclear rivals have been fighting each other since
their independence from Britain in 1947. They have fought wars in the
air, on the ground and in the sea. When the Internet arrived, it
quickly became yet another arena of conflict.

Last summer, when a terrorist attack on the Indian parliament brought
more than a million troops to the border, Pakistani hackers attacked
the official site of the Indian defense ministry. They inserted
messages proclaiming independence for the Kashmir region, a Himalayan
valley under dispute between India and Pakistan for 55 years.

This was not the first hacking bout between the two rivals, however.
Both sides had engaged in this behavior previously.

The latest virus attack has arrived with a warning for the Pakistani
hackers: “Your days are over, now it is our turn to show that ‘My
India is great’ (‘Bharat mahan hai,’ in Hindi).”

The message continues: “Want peace and prosperity in India? Then
(trash) corrupted politicians.” It also warns politicians: “Talent and
hard work should be respected. Self-styled (expletive) must be
eliminated. No more (expletive) monopoly.”

The message includes an e-mail address — qphhackmail.com — and a
mailing address in New Delhi.

Infected computers are automatically directed to an official Web site
of the Pakistan government. Its virulent spread has enabled thousands
of machines with the code to conduct a distributed denial-of-service
attack aimed at the homepage of the Islamic Republic of Pakistan at
pak.gov.pk.

On Tuesday, the virus forced one Pakistani official site,
infopak.gov.pk, to suspend service.

An earlier message also challenged G-Force, a group of Pakistani
hackers, to match the “intelligence and expertise” of the Indian
hackers.

The G-Force hackers, who reportedly operate from Lahore, Pakistan, had
claimed responsibility for attacking the official site of the Indian
defense ministry in the summer.

“Come & work with us” against “the G-Force-Pak shiites,” the message
urged Indian hackers.

Also earlier this week, e-mail management firm MessageLabs gave the
new virus, dubbed W32/Yaha.M, the No. 2 spot on the list of the most
virulent computer viruses.

The first copy of the virus was detected June 15 in an e-mail from
Kuwait. Most copies now being stopped are coming from Egypt, Saudi
Arabia and the United Kingdom.

The e-mail messages, which are about 45-47 kilobytes in length, try to
lure the receiver to download “sexy screensavers.” Some messages offer
“love partners” and chatting “opportunities” with members of the
opposite sex.

“Enjoy this friendship Screen Saver and Check your friends circle,”
the message says. “Send this screensaver to everyone you consider a
FRIEND, even if it means sending it back to the person who sent it to
you. If it comes back to you, then you’ll know you have a circle of
friends,” it advises.

Most of the senders have South Asian names. The early senders had
female names such as Savera, Madhuri and Rekha that seem to have been
borrowed from India’s Bollywood movies.

South Asian names still dominate but now the senders have both Muslim
and Hindu names and some IP addresses can be traced to both sides of
the India, Pakistan border.

When a receiver opens an infected file, the virus quickly spreads
through the system. A distributed denial-of-service attack floods a
Web site with user requests, overwhelming the server and locking out
site visitors.

It enters Internet explorer and installs itself as the default
homepage with addresses that lead to either hirosh.tk or hackers.com
but it does not seem affect Netscape.

Every time users click Internet Explorer, they are automatically led
to one of the two sites. The default action can be suspended
temporarily by going to the security setting and placing the two
addresses in the restricted sites.

Because a hacked system does not allow access to Internet options, a
user can go there through pop-up ads that still appear in the Internet
Explorer window.

Although the two addresses reappear as the default home page every
time a computer restarts, this temporary relief allows a user to
download antivirus software.

Yaha virus, which is also spelled Yahaa, is a mass mailer that sends
itself to all e-mail addresses in the computer’s Microsoft Windows
Address Book, MSN Messenger List, Yahoo! Pager list, and ICQ list. It
disables some anti-virus and firewall programs. All anti-virus
programs currently have up-to-date definitions to protect against Yaha
or Yahaa.

Those who use Norton Anti-Virus tools can download removal
instructions from sarc.com.

If the worm has run already, the user first must reverse the change it
effected. If the worm has not run:

— Configure Windows to show all files.

— Copy Regedit.exe to Regedit.com (in most cases).

— Edit the registry and reverse the change that the worm made.

— Update the virus definitions, run a full system scan, and delete
all files that NAV detects as W32.Yahaa.E.

Computer users without antivirus protection can go to bitdefender.com
for a free removal tool.

*==============================================================*
“Communications without intelligence is noise; Intelligence
without communications is irrelevant.” Gen Alfred. M. Gray, USMC
================================================================
C4I.org – Computer Security, & Intelligence – http://www.c4i.org
*==============================================================*

–
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoattrition.org with ‘unsubscribe isn’
in the BODY of the mail.…

> Forwarded from: Russell Coker <russellcoker.com.au>
…
> Interesting that they claim their software-only solution can survive
> fdisk and format. I wonder if they will claim that it can survive the
> installation of a different OS?
>
> Something like TCPA MIGHT be able to do this, but nothing less will.

I thought about this too, and I came up with one option: the BIOS.
We’ve seen viruses which can erase a Flash BIOS, so wouldn’t it be
possible to write a small virus (just a few kilobytes) living in the
unused areas in the top of that Flash ROM, which knows how to hook in
to various common BIOSes (AMI, Award and Phoenix cover over 99% of the
market), scan for supported operating systems at boot and install
itself into their partitions?

Admittedly, I’m not aware of a case where this has been done, and it
would certainly be tricky, but it cannot be dismissed as impossible
just yet. Look at what worm writers can do with less than a kilobytes
of shellcode.

The virus might not “support” any operating system other than Windows,
but it could perhaps survive the installation of such an OS, lying
dormant in the BIOS until such a time as a supported operating system
is reinstalled, and then quietly reinject itself again.

Once the virus code was running under Windows it would of course have
access to the victim’s, ahem, user’s internet connection to detect
whether the machine had been reported stolen.

If it hasn’t been done yet, perhaps it is a business idea for someone?
I don’t have time to implement it myself.

> > Data Delete
>
> Hasn’t anyone ever heard of cryptography?

Not really, many people think it’s “a deadly cyber-weapon used by
terrorists” or some such nonsense, and most people can’t deal with the
risk of losing their passphrase. Of course they sacrifice their own
security for safety as a result, but such is life.

> Surely if you want to steal someone’s data then the first thing you
> do is power the machine down and remove the hard drive to prevent
> such erasure!

Yeah, but how many machines (apart from MI5’s laptops) are stolen
_because_ of the data contained? I would venture that casual thieves
often do not realise the value of the information they’ve stolen until
they take a good look at the machine. By that time, such trivial
defenses as Data Delete would have had time to operate. Let’s also
remember that luckily, most thieves did not come from the deep end of
the gene pool or receive cyber-espionage training. =)

> Conclusion, after you steal someone’s laptop to get their data don’t
> immediately connect it to the Internet, copy the data off first!
> Don’t boot from the same OS they used, put the hard drive in your
> own machine (for best results mount the hard drive on a non-Windows
> OS).

True, and these solutions could never, ever protect against a
determined thief. They have some value in the war against casual theft
which is the biggest risk (in terms of frequency and publicity) for
most users.

> My observation is that “rm -rf /” is fast enough that even
> experienced administrators often don’t catch it while there’s still
> something left. mkfs is even faster.

Ever tried that under Windows? =)

> As for “disguiseing your location with a false IP address”, that’s
> an amusing claim.

I certianly agree with this, since it’s almost impossible to get a
reply to a genuinely spoofed packet, so it would not do the thieves
much good to surf with one.

> Firstly IP addresses on their own aren’t THAT useful for locating
> people (think about NAT, think about ISPs in other countries that
> won’t accept court orders).

Again, casual theft is the main target of these programs, whatever
their creators may claim. I don’t think many thieves would take their
freshly-stolen laptop all the way to Morocco just to download their
pr0n in peace.

> Secondly if you want your program to trace it’s location based on IP
> addresses then you could give it “traceroute” functionality and
> have it send the complete trace log to the server.

Yes, that would actually be a rather good way of tracing. But you
don’t need the complete trace. The next hop upstream (your ISP’s
dialup router) is definitely not spoofing its packets, and if you can
get its IP address by a one-hop traceroute and send it to someone,
then that someone can run the rest of the trace themselves.

> Of course it’s undetectable. It’s so undetectable that even fdisk
> can’t find it… :-#

Undetectable != unremovable of course, and neither applies to the
product, but fdisk isn’t looking for “agents”, especially not in the
BIOS.

> A much better option is to encrypt all the disks and have the
> encryption keys stored in a central office.

Absolutely.

> NB If using an encrypted file system on your laptop be sure to
> permanently disable the “Hibernation” facility in the BIOS. If a
> thief can get a dump of all kernel memory to disk then the
> encryption key will be available in there.

OS vendors should probably wipe this area immediately after resuming
from it, to prevent the accidental retention of sensitive information.

Cheers, Chris.

-- 
_ ___ __     _
 / __/ / ,__(_)_  | Chris Wilson <0000 at qwirx.com> - Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Perl/SQL/HTML Developer |
\ _/_/_/_//_/___/ | We are GNU-free your mind-and your software |

– ISN is currently hosted by Attrition.org

To unsubscribe email majordomoattrition.org with ‘unsubscribe isn’ in the BODY of the mail.…

The challenges to info-tech security will surely be daunting, and
companies’ efforts to stay safe will have to keep increasing

With holiday cookies and sweets still being shared around offices
everywhere, security is the least of concerns these days as most
businesses are thinking merry, not wary. So what better time to
examine the year ahead for what to expect in terms of computer
security? First, 2003 will surely pose some pretty daunting challenges
to chief security officers and the organizations they protect. At the
same time, improvements in software and technology will elevate
computer security to another level. Here’s a quick rundown of what to
expect:

Spam becomes an even bigger headache

According to e-mail security-service provider Message Labs, spam’s
growth rate will continue be faster than that of legitimate e-mail —
and in terms of sheer volume, spam will eclipse the legit stuff. That
will make the spam torrent more burdensome and harder to control.
Companies that haven’t invested in antispam software will need to do
so, pronto, or have their employees waste more and more time simply
hitting the delete key.

Part of the bargain will be businesses accepting the fact that some
messages will get tossed out with the trash, as antispam programs are
hardly perfect. Still, it’s better than being up to your eyeballs in
smutty missives and come-ons for investment scams from randomly
generated e-mail addresses.

Instant messaging succumbs to spam, too

Once a relative haven, instant messaging has recently become a target
for spammers seeking new outlets. According to e-mail consultancy
Ferris Research, IM spammers works off lists of addresses freely
traded on the Internet. They usually send a message to someone on live
IM asking them to visit a Web site that sells smut, bogus software, or
often legitimate products being marketed in unfortunate ways.

Since no IM spam-screening software is yet available, an IM user on
the wrong list could spend a good chunk of time refusing invitations
from IM spammers. That coverage hole will force many corporations to
consider moving their IM users onto private messaging systems not
accesssible to the public Internet.

Hardware, hardware, hardware

Security isn’t shrink-wrapped anymore. Eighty percent of the licenses
for expensive, high-grade firewall programs come on specially
configured pieces of hardware designed to run this software. That’s
way up from a few years ago. And its only the start.

From virtual-private-network servers to intrusion-detection systems to
newer pieces of software designed to spot behaviorial aberations that
point to a security breach, more and more products are moving from a
piece of self-contained software that an IT consultant or your own
systems administrator installs to a specialized piece of equipment
built with security in mind. The upside? These systems are generally
easier and cheaper to install and launch in a network. The downside?
Less flexibility for companies with special software needs.

Safe computing outside the corporate perimeter Employees logging into
corporate networks from home PCs over public broadband connections are
now commonplace. As a result, security software and hardware that once
did a fine job of guarding sensitive systems looks increasingly
vulnerable. That’s because all these remote networkers, be they
employees or partners, are no longer snuggly inside the “official”
data-security perimeter.

Also, persistant worm-virus outbreaks, such as Nimda, explain why more
and more corporations are going through the considerable hassle of
putting security software — firewall, intrusion detection systems,
antivirus software — on every desktop machine. Companies with
end-to-end protection remain in the minority, but they won’t be for
long as it becomes easier to link up fleets of desktops with central
control consoles that not only talk to the big, heavy-duty security
appliances but also to the thousands of small programs guarding the
road warriors’ machines.

Identity theft goes berserk online

Call in the copycats. When well-organized ID thieves convinced a clerk
at a Long Island (N.Y.) software company to give them access to tens
of thousands of credit reports using his company’s password, they
illustrated how the Net makes the part of ID theft that was hard until
now — accumulating the information — much easier. With widely
available credit reports such an integral part of American business,
it’s hard to imagine how the credit agencies can quickly and simply
limit access to the reports without impeding the flow of commerce.

With easy access to credit reports available to thousands of people
throughout the U.S., expect blockbuster ID thefts in 2003 and beyond.
Whereas credit-card numbers were traded freely on the Internet in the
past, now the bad guys will trade entire personal dossiers. And fixing
the problem will be much harder because it’s pretty easy to screen out
someone who has picked up one of your credit-card numbers but much
harder when it comes to a rogue who has that, your bank-account
number, you social security number, and the last five addresses you
have called home.

Of course, this little list is just the beginning. I haven’t even
touched on still-early trends such as merging physical and online
security: Companies are starting to look at guarding these assets in
coordination because often computer-security breaches start with
physical breaches.

Likewise, more and more businesses are installing software that tracks
theft of sensitive, high-end intellectual property. Once hamfisted,
the second generation of these systems works much better, according to
Gartner security analyst John Pescatore. Both of these are topics I’ll
explore in depth during the next few months as their markets and uses
develop.

All told, computer security remains one of the more dynamic areas of
the moribund IT sector. And it’ll get only more interesting in the
coming year.

–
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoattrition.org with ‘unsubscribe isn’
in the BODY of the mail.…