Thursday, March 31, 2005

PITAC report misses the point entirely

The President's Information Technology Advisory Committee has just released its report on Federal support of basic computer/network security research in this country. As you can probably guess from the title, Cyber Security: A Crisis of Prioritization, the report concludes that the government needs to invest in more support for basic security research if it wants to get the technology and the trained professionals it needs to implement a long-term strategy for securing its information assets.

The report is well worth reading, but by focusing on the research angle, it misses a much more important point for the short- and medium-term security of government systems: The US government often does not provide civilian agencies with adequate funding, personnel or training to carry out appropriate security plans. The entire system is predicated upon the assumption that if a mandate comes down, it will be implemented regardless of operational issues such as cost, suitability to the existing computing environment or available manpower.

Until the government stops trying to simply decree security and starts to really get serious about providing agencies with the ability to implement the decrees, we're not going to see much overall improvement in security posture no matter how much research we do.

Thursday, March 17, 2005

33% of IRS Workers Vulnerable to Social Engineers

The Washington Post has an AP story today stating that "more than one third" of the 100 IRS employees tested by the auditors gave up their login information in response to a simple phone call from a fake technician.

Apparently this was a big increase over the last test 4 years ago, when 71% of those called cooperated, but I think it'd take a lot of guts to try to spin this as an improvement.

Monday, March 07, 2005

NSA Recommends Suite B Encryption Algorithms

The National Security Agency employs some of the US's (and probably the world's) best cryptographers, so when they talk codes & ciphers, people listen. I didn't notice this bit of news when it first happened, but last month the NSA recommended a suite of cryptographic algorithms known as Suite B for use in encrypting sensitive but unclassified data.

The biggest news here is that the NSA is finally recommending a set of algorithms that includes public key cryptography, Elliptic Curve Cryptography (ECC) in this case. Suite B also includes several other algorithms, such as an ECC variant of the Diffie-Hellman key exchange protocol and non-public key schemes, like AES and SHA. Some of the components of Suite B are public standards, but apparently the core ECC technology itself is licensed from Ontario, CA-based Certicom. Good news for them, certainly, but I'm not entirely sure what this means for those of us in the Open Source world. You can read their official press release here.

On a final note, these articles raised a question in my mind that I haven't seen anyone else ask yet... What was in Suite A, and why wasn't it approved instead?

Friday, March 04, 2005

Global DNS Cache Poisoning?

SANS's Internet Storm Center is tracking a possible global DNS cache poisoning attempt for several high profile web sites like Google, eBay and Weather.com. Read their preliminary diary entry here, and let them know if you're seeing the same thing.

Remotely identifying computers via clock skew

ZDNet Australia is reporting that a University of California doctoral student has developed a technique for telling different computers apart over the network by detecting their clock skew. According to this article, the technique works behind NAT devices and over long periods of time, even if devices move around a lot.

I need to read the research paper in order to decide whether I believe this or not, but it sounds plausible. Unfortunately, the paper is not yet available.

UPDATE [2005-03-04 12:42]: The paper is indeed available, and can be found here.
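As an added illustration (not from the ZDNet article or the paper it reports on), the constructed Python example below shows the idea behind clock-skew fingerprinting: a peer's own clock reading, carried inside its packets, drifts against the observer's clock at a steady rate, and that rate does not change when the packets arrive from a different address, which is why a NAT does not hide it. The least-squares fit and the host names, skew values and sample data here are my own simplifications and constructions, not the paper's estimator or data.

```python
import random

PPM = 1e6  # parts per million, the usual unit for clock skew


def estimate_skew_ppm(samples):
    """Least-squares estimate of a peer's clock skew relative to the observer, in ppm.

    samples: list of (local_arrival_s, peer_clock_s). peer_clock_s is the peer's own
    clock as carried in its packets (assumed here to be a TCP timestamp already converted
    to seconds). It comes from the packet, not the IP header, so NAT address rewriting
    leaves it untouched. Least squares is a simplification of the paper's estimator.
    """
    n = len(samples)
    t0, c0 = samples[0]
    xs = [t - t0 for t, _ in samples]                      # observer time elapsed
    ys = [(c - c0) - x for (_, c), x in zip(samples, xs)]  # peer clock drift vs observer
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx * PPM


def simulate_host(true_skew_ppm, duration_s=3600, interval_s=1.0, seed=0):
    """Constructed observations of one host whose clock runs at rate (1 + skew).

    The peer stamps each packet at send time; the observer timestamps it on arrival
    after a random one-way delay of up to 20 ms (constructed network jitter).
    """
    rng = random.Random(seed)
    samples, t = [], 0.0
    while t <= duration_s:
        delay = rng.uniform(0.0, 0.020)
        samples.append((t + delay, t * (1 + true_skew_ppm / PPM)))
        t += interval_s
    return samples


def same_device(skew_a_ppm, skew_b_ppm, tolerance_ppm=1.0):
    """Crude matching rule: two skew estimates within tolerance look like one clock."""
    return abs(skew_a_ppm - skew_b_ppm) <= tolerance_ppm


if __name__ == "__main__":
    # Constructed scenario: one "laptop" seen over two different paths (a home NAT,
    # then a cafe), plus an unrelated "desktop". Only the clock matters, not the address.
    laptop_home = estimate_skew_ppm(simulate_host(50.0, seed=1))
    laptop_cafe = estimate_skew_ppm(simulate_host(50.0, seed=2))
    desktop = estimate_skew_ppm(simulate_host(-20.0, seed=3))
    print(f"laptop@home {laptop_home:.2f} ppm, laptop@cafe {laptop_cafe:.2f} ppm, "
          f"desktop {desktop:.2f} ppm")
    print("laptop matches itself:", same_device(laptop_home, laptop_cafe),
          " laptop matches desktop:", same_device(laptop_home, desktop))
```

With an hour of one-second samples and 20 ms of jitter, the estimate lands within a few tenths of a ppm of the true skew, which is what makes two hosts with skews tens of ppm apart separable.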

Thursday, March 03, 2005

Good take on RHEL's SELinux

Andy Oram has an interesting article on his blog about how his approach to Red Hat's targeted SELinux policies changed once he really thought about their intended deployment model. I won't give away the ending, but you can read it for yourself.