Security rundown for week ending Aug. 19

Some long-standing security assumptions -- that firewalls are needed for perimeter defense, that we'll all make do with reusable passwords, and that browser-based SSL connections provide strong security -- were once again picked apart this week by several individuals who say they simply don't agree.

"I don't think firewalls are necessary. They prohibit work from being accomplished," was one remark from Nathan McBride, executive director of IT at Amag Pharmaceuticals, in describing how the company has migrated off an older Microsoft-based network to one based on both application cloud services and cloud-based single-sign-on for about 240 employees. His story provoked some blistering comments online from Network World readers. Here's a selection from a few:

"Firewalls. This comment can only come from an IT manager. Really? Do you know what a firewall does? ..."

"I almost LOLd! Wow. I'd like to see them pass a PCI scan with no firewalls. Cloud service providers use firewalls, too."

"How dumb does it get? ... let's hire some clueless jerk to make it someone else's responsibility ..."

"Say What? ... And what company doesn't put a firewall between the Internet and their computers, whether PCs or servers? I'm not impressed."


All of this shows that the debate over whether perimeter firewalls are still worth it remains fierce (and yes, the PCI standard for payment-card security calls for plenty of firewalls). You may recall that it was the Jericho Forum, a group of IT professionals, that about five years ago began pounding the drum on this topic, arguing that a firewall is largely an outmoded idea for perimeter defense and can impede e-commerce.

The Jericho Forum has now taken up the topic of identity management, saying continuing reliance on reusable passwords in this era of cloud computing is totally misguided, and a stronger trust framework needs to unfold for large-scale Internet use.

That's what the National Strategy for Trusted Identities in Cyberspace (NSTIC) initiative from the Obama administration is trying to coordinate, with the high-tech industry taking the lead. We caught up this week with NSTIC Director Jeremy Grant, who explained what the federal government has in mind so far to foster more secure alternatives to passwords in a new "identity ecosystem." Don Thibeau, chairman of the Open Identity Exchange (OIX) -- whose members, including Google, want to participate in the NSTIC process -- also told us to watch for some innovative pilot projects coordinated among Google, Microsoft and AOL for secure email later this fall.

And finally, on the theme of doubting long-used technologies, this week we heard about a team of researchers pointing out that SSL, the encryption scheme that protects many online transactions, isn't as trustworthy as it seems, because the chain of trust a browser establishes can be broken when phony certificates are issued. Researchers at Carnegie Mellon University think they have a better mousetrap in their proposed Perspectives system; a second approach, called Convergence, is being developed by Moxie Marlinspike, a fellow at the Institute for Disruptive Studies, a lab devoted to privacy, anonymity and computer security.

And speaking of anonymity and disruption in the more sinister sense of the words, this week didn't go by without the shadowy hacker group Anonymous yet again hitting more targets for what are apparently their activist causes.

The group Anonymous released personal data belonging to more than 2,000 public transport customers in the San Francisco area in retaliation for the Bay Area Rapid Transit (BART) transit system's shutdown of mobile phone service on Aug. 11.

That mobile phone and Wi-Fi shutdown was BART's attempt to slow a planned public protest over a police-related shooting a while back.

BART last week officially apologized to the public that its network had been hacked and customer data publicly exposed. But it didn't end there: another break-in took place at the website of the union representing rank-and-file BART police, an attack that may also be traced back to Anonymous.

Many thought BART went too far in cutting off communications to hundreds of thousands of BART commuters as an attempt to stall a planned protest, and, as an editorial from the San Francisco Chronicle noted, no one held the high ground in the conflict -- not Anonymous, not the BART bureaucracy, not the protesters.

The Federal Communications Commission also took an interest last week, saying it was investigating what happened: "We are continuing to collect information about BART's actions and will be taking steps to hear from stakeholders about the important issues those actions raised, including protecting public safety and ensuring the availability of communications networks."

It was a pretty busy week for Anonymous, as the group also allegedly hacked yet another U.S. Department of Defense contractor, this time Vanguard Defense Industries. Anonymous says its latest haul, posted at Pastebin, includes internal meeting notes and contracts, schematics and non-disclosure agreements, among other things. Our reporter notes that a cursory look does seem to match the description provided by Anonymous, and one email shows Vanguard's chief executive responding to a U.S. DOJ contact regarding the suitability of its ShadowHawk drone for use by the U.S. Marshals. Anonymous earlier this year said it would be turning its wrath against governments and corporations around the world in retaliation for anything of which it disapproves.

Hackers have a wide variety of motivations. Last week, Jason Cornish, 37, formerly an IT staffer at the U.S. subsidiary of Japanese drug-maker Shionogi, pled guilty to computer-intrusion charges in connection with an attack on that company's network last February. He wiped out 15 VMware host systems running email, order tracking, financial and other services at the Florham Park, N.J., company. The disruption is believed to have cost Shionogi $800,000.

So why did Cornish do this? It's apparently a variant on the disgruntled employee/insider threat. He was a former IT staff employee who was still able to log in to the company's network from a public McDonald's Internet connection with a password. Hmm, maybe the NSTIC program and the Jericho Forum do have a point about reusable passwords ... and should we hope Anonymous one day weighs in on whether firewalls are keeping them out? These days, malicious emails loaded up with malware are apparently a favored route to break into the corporate network. And Google issued a report last week detailing how it's getting harder to detect Web-based malware.


Stories by Ellen Messmer