John Pescatore

A member of the Gartner Blog Network

VP Distinguished Analyst
11 years at Gartner
32 years IT industry

John Pescatore is a vice president and research fellow in Gartner Research. Mr. Pescatore has 32 years of experience in computer, network and information security. Prior to joining Gartner, Mr. Pescatore was senior consultant for Entrust Technologies and Trusted Information Systems…


Another Security Dot Dot Dot Friday

by John Pescatore  |  February 12, 2010  |  1 Comment

Three feet of snow from two blizzards within one week gave me plenty of time to monitor how the squirrel Intrusion Prevention System (SIPS) works on our bird feeder. Cost about as much as squirrel intrusion detection, but actually keeps the seeds safe – and can be used for detection, too…

Valentine's Day is on Sunday this year. Maybe the phishing/malware attacks from flirtbots will only hit home PCs this year…  Google is all about selling ads around other people's data – so the privacy flap over the privacy issues around their Buzz social networking add-on to Gmail was predictable. When Gmail first came out it didn't have a delete function, since if you deleted emails Google couldn't see them anymore…

Some signs that government security approaches are moving in the right direction: AT&T announced one of the first Managed Trusted Internet Protocol Services (MTIPS) offerings, building security services directly into Internet service for the FTC. Verizon and Qwest have similar offerings – good to see the federal Government starting to realize that the best way it can actually increase the overall level of Internet security is to (1) make Government use of the Internet more secure; and (2) use the Government's buying power to increase demand for secure products and services. Much better than trying to lecture private industry, collect statistics to hype up the danger of attacks from China, or fund yet another five years of research on trusted enclaves…

They are trucking snow into the Olympics in Vancouver. This is like FTPing software vulnerabilities to San Jose, CA  and Redmond, WA…   There will be updates to the PCI security standards in 2010. Much the way the RSA Conference leads to security vendor press announcement email DoS floods, look for some guidance coming out around the time of the Electronic Transactions Association conference in April. Major areas of change will likely be around chip&pin, end to end encryption, use of virtualization…

Speaking of encryption (and who doesn't?), there are reports of more vulnerabilities being found in SSL/TLS renegotiation. If your websites really don't need that capability, look into the workarounds. If you can't turn it off, look for more patching to be required and update those IPS/WAF filters…  More attack paths are being made public against chip&pin cards, and there is much pooh-poohing about the lack of feasibility of the attacks. But, especially in crypto, when you see one termite there are usually a whole lot more happily munching away at your foundation…
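A quick way to see where a given server stands on the renegotiation issue, added here as an example and not part of the original post: the RFC 5746 fix (shipped in OpenSSL 0.9.8m) makes `openssl s_client` print whether the server advertises secure renegotiation. The script below classifies that output. The `probe_host` function needs network access and a local `openssl`; the two sample outputs are constructed to mimic only the relevant lines of a real session so the classifier can be exercised offline. All function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Classify a server's TLS renegotiation posture from `openssl s_client` output.
# Assumption: OpenSSL 0.9.8m or later, which prints either
#   "Secure Renegotiation IS supported"      (RFC 5746 extension present)
#   "Secure Renegotiation IS NOT supported"  (legacy renegotiation only)
# after the handshake summary.

# Prints "secure", "insecure" or "unknown" for the s_client text in $1.
classify_renegotiation() {
    out="$1"
    case "$out" in
        *"Secure Renegotiation IS supported"*)     echo "secure" ;;
        *"Secure Renegotiation IS NOT supported"*) echo "insecure" ;;
        *)                                         echo "unknown" ;;
    esac
}

# Live probe (needs network): probe_host www.example.com [port]
# Empty stdin makes s_client exit right after the handshake instead of
# waiting for interactive input.
probe_host() {
    host="$1"; port="${2:-443}"
    out=$(printf '' | openssl s_client -connect "$host:$port" -servername "$host" 2>&1)
    classify_renegotiation "$out"
}

# Constructed sample outputs (not captured from any real host) that mimic
# the lines s_client prints, so the classifier can be run offline.
SAMPLE_SECURE='CONNECTED(00000003)
---
SSL handshake has read 3456 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS supported
Compression: NONE
'

SAMPLE_INSECURE='CONNECTED(00000003)
---
SSL handshake has read 3456 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS NOT supported
Compression: NONE
'

# Offline demonstration:
#   classify_renegotiation "$SAMPLE_SECURE"     -> secure
#   classify_renegotiation "$SAMPLE_INSECURE"   -> insecure
```

A result of `secure` only means the server implements the RFC 5746 extension; it does not tell you whether the server still accepts client-initiated renegotiation at all, which you can test by typing `R` in an interactive `openssl s_client` session. On Apache, mod_ssl 2.2.15 and later refuse the legacy, unpatched form of renegotiation by default (`SSLInsecureRenegotiation off`), so `insecure` on a server you control usually points at an older OpenSSL or web server build that still needs patching.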

More Government news: the State of California may have been reduced to having bake sales to pay its bills, but the Governator did issue an executive order aiming (in part) to "…ensure the security and reliability of the state's information systems, protect the privacy of information and data…" which has some good things like requiring and formalizing CISO roles at agencies and departments. However, a lot of the security specifics are pretty much the same old do-si-do aiming at collecting data about intrusions and the like – not a word in the IT or security sections about reducing vulnerabilities…

Chinese authorities shut down a “hacker academy,” which is sort of like me shaking the Japanese beetles off the rose bushes and telling my wife “problem solved”…  In Green news, hackers have already compromised the European Union carbon emission cap and trade system using a spoofed web site to harvest user passwords for the legitimate site. Perhaps we need “reusable password” cap and trade legislation to spur movement away from phishable authentication approach pollution…
