News


Social Networking Site Lockdown Suggestions for Professionals

Tuesday, August 19th, 2008 Career Development, News, Securing Mom Posted by grecs

A few weeks back I noticed a great little CSI newsletter being passed around the office that provided links to three great guides on how to lock down your profiles on MySpace, FaceBook, and LinkedIn. As a paranoid security person I’ve severely restricted my activities on these sites but have always yearned after the possible networking opportunities. Using these guides you can somewhat minimize the risks associated with putting your personal information online. I haven’t tried any of the suggestions yet but I’m guessing that if you implement them all, it probably makes the service a lot less usable. Such is the tradeoff between security and usability… When skimming the guides I was shocked to discover the one site I thought was most secure, LinkedIn, actually had the least amount of security controls in place. I’m still treading lightly but maybe you’ll see me more active on these sites some day. Here are links to the guides: MySpace, FaceBook, and LinkedIn.

You may want to pass these nice little guides around to any family and friends so they can tighten down their profiles as well. Also for anyone out there that uses these services more than I do, what do you think of these guidelines? Will they severely limit their usability?

Welcome OpenVAS - The New GPLed Version of Nessus

Monday, August 18th, 2008 News Posted by grecs

The folks over at Darknet just threw up a blog post entitled “OpenVAS - Open Vulnerability Assessment System (Nessus is Back!).” Finally! I won’t go into too much detail but was just excited to see this posted. Too bad BackTrack 3 just recently came out. It would have been nice to have this version of Nessus, I mean OpenVAS, on the CD. There’s always the next version…

Bye-Bye Passwords - Maybe?

Thursday, August 14th, 2008 News Posted by grecs

I came across an interesting New York Times story by Randall Stross over the weekend that discusses how we should be replacing passwords with information cards and how so-called single sign-on (SSO) services (e.g., OpenID and I’m sure any commercial product SSO efforts as well) just don’t add the security we need. Here are the relevant snippets from the article:

“The solution urged by the experts is to abandon passwords - and to move to a fundamentally different model, one in which humans play little or no part in logging on. Instead, machines have a cryptographically encoded conversation to establish both parties’ authenticity, using digital keys that we, as users, have no need to see. In short, we need a log-on system that relies on cryptography, not mnemonics. As users, we would replace passwords with so-called information cards, icons on our screen that we select with a click to log on to a Web site. The click starts a handshake between machines that relies on hard-to-crack cryptographic code.”

“We won’t make much progress on information cards in the near future, however, because of wasted energy and attention devoted to a large distraction, the OpenID initiative. OpenID promotes “Single Sign-On”: with it, logging on to one OpenID Web site with one password will grant entrance during that session to all Web sites that accept OpenID credentials. OpenID offers, at best, a little convenience, and ignores the security vulnerability inherent in the process of typing a password into someone else’s Web site.”

Strangely enough, Microsoft seems to be involved in this new information card technology. It sounds a lot like Microsoft’s well-known CardSpace technology. As a matter of fact, Microsoft is part of a new Information Card Foundation (ICF) along with other heavyweights such as Equifax, Google, Novell, Oracle and PayPal. But then Microsoft is also a supporter of OpenID. How ironic…

The only issue I see with these information cards is that they are desktop icons you click to log in, as described in the New York Times story. When I’m logging into Windows at the beginning of the day, what do I do then? I won’t have access to these information card icons yet. Passwords anyone? Plus this doesn’t alleviate the problem of computers being infected with malware. If I can click it, a Trojan or virus can too. I agree with all the points about OpenID and other SSO efforts… but they’re just so darn convenient! There are a lot of questions that need to be addressed here and I’m sure we’ll all be learning a lot more about this technology as it evolves.

What do you think about this new authentication technology? Does your organization have plans to replace passwords with information cards? Here’s a link to the New York Times article.

The Way Not to Change NIST SP 800-30

Monday, June 16th, 2008 News Posted by grecs

Rybolov from The Guerilla CISO, a local NoVA-based infosec blog, has put together a great blog post about NIST’s latest effort to modernize SP 800-30: Risk Management Guide for Information Systems. In his post he stresses how NIST should not change this document into a “catalog of controls gap analysis” process that favors compliance management over risk management.

Overall, Rybolov is right on point! We really need to stop stressing being compliant and start focusing on risk management. Compliance should be a by-product of risk management, not the other way around.

Updated Draft DoD 8570.1M

Wednesday, June 11th, 2008 News Posted by grecs

Over at the Carnal0wnage Blog, CG made a nice post about the updated draft version of DoD 8570.1M that is probably relevant to many of us in NoVA. This is the directive that requires many of us to have some kind of IA certification if we want to do work for the government. CG focused on the requirement to hold the CISA or GSNA to perform any auditing activities; however, this draft document is well worth reading as its implementation becomes more of a reality. You can review the latest draft version of DoD 8570.1M here.

Federal Agencies Miss Deadline on Security Configurations

Friday, March 14th, 2008 News Posted by grecs

Since most of us deal with the federal government in Northern Virginia (NoVA), we thought you might find this article interesting. It’s an older but interesting SecurityFocus.com article by Robert Lemos about how most government agencies are failing to meet the OMB-mandated Federal Desktop Core Configuration (FDCC).

Infosec’s Dubious Future - Good or Bad for Our Careers

Tuesday, February 26th, 2008 News Posted by grecs

We came across an interesting InfoWorld article by Roger Grimes in which Bruce Schneier thinks computer security isn’t going to get any better in the next 10 years. Basically, security and complexity are interrelated. Security is getting better, but these advances are far outpaced by systems becoming more and more complex. Read the full article here. The interesting thing to contemplate is how this prediction could affect our careers as security professionals. Is this a good or bad thing for our careers? Good - probably because it offers career stability… Bad - because our jobs could become a lot more difficult… What do you think?