Access Control

The criminal market online for buying and selling stolen credit cards, pirated software and information about financial accounts is thriving, according to a report published Monday by Symantec.

The case against Julie Amero is finally closed.

A systems administrator was arrested in New Jersey Monday for allegedly trying to extort money and even good job references out of a New York-based mutual fund company that had just laid him off.

An e-mail touting the win of Democratic candidate Barack Obama directs users to a doctored election results page.

Computer systems used by the election campaigns of both President-elect Barack Obama and his Republican rival John McCain were broken into earlier this year, and a large number of files related to the evolving policy positions of the two candidates were stolen, according to a story posted online Wednesday by Newsweek magazine.

An IT manager who logged onto to his former employer's computer network five months after being fired and opened the e-mail server up to spammers has been sentenced to one year in prison.

Proscriptive adoption of information security standards like ISO27001 is bound to fail, according to Joel Weise, principal engineer and chief technologist, Sun client services security program office, Sun Microsystems.

With a faltering economy resulting in increased jobs cuts and corporate belt tightening, security analysts are warning companies to be especially vigilant about protecting their data and networks against disgruntled employees.

IBM, LexisNexis and the Secret Service are among a group of corporations, government agencies and academic institutions that has formed to study and help solve identity management challenges around cybercrime, terrorism and narcotics trafficking.

A major VMware security initiative announced more than six months ago has still not resulted in any new products, but VMware and partners this week are demonstrating several prototypes of technology that will better secure virtual machines.

Best Western International Monday acknowledged it suffered a data breach that exposed sensitive customer information at a European hotel, but strongly disputes claims that an attacker gained access to 8 million customer records with credit-card numbers. Best Western insists no more than a dozen customer records were compromised.

The Cisco hacking scene has been pretty quiet for the past three years, but at this week's Black Hat hacker conference in Las Vegas, there's going to be a little noise.

It's been nearly three weeks since Terry Childs was arrested on four counts of computer tampering and sent to jail on US$5 million bail. In those three weeks, this event has taken turns to the strange, and wound up firmly in the land of the absurd. From bombastic claims in the press to midnight visits by San Francisco Mayor Gavin Newsom to pages of functional usernames and passwords entered into the public record, this case has certainly proven engaging.

The high-profile sabotage this month of the city of San Francisco's fiber backbone network clearly shows both the extent of damage a disgruntled employee can cause and the need for controls to mitigate the risk of such actions.

San Francisco Mayor Gavin Newsom met with jailed IT administrator Terry Childs Monday, convincing him to hand over the administrative passwords to the city's multimillion dollar wide area network.

Despite some shortcomings, software-based network access control technology that enforces policies on network endpoints is often the first choice of customers who adopt the technology.

Whether they're in branch offices or home offices, workers are increasingly telecommuting instead of working in a traditional centralized office environment.

The annual report from Georgia Tech Information Security Center identifies five evolving cyber security threats, and the news is not good.

If there is truly a gray zone in the struggle between online good and evil, anonymous proxy servers live there.

Role mining and discovery: The ability to collect user access and authorization information from a variety of resources, associate this data with candidate roles and responsibilities, propose alternative roles and leverage decisions made about the data on an ongoing basis.

Role management software enables the creation and lifecycle management of enterprise job roles, according to Forrester Research. It does this by discovering and logically grouping application-level, fine-grained authorizations and entitlements into enterprise job roles, which can then be assigned to people by rule-based provisioning or request-approval workflows.

The role management software vendor community is relatively young, and as such, Burton Group says there is no clear market leader. Vendors can be categorized into two segments: general purpose solutions and embedded solutions.

The generation gap. It's a term that has been used for decades to describe the differences between people in various age groups. Corporations are constantly considering what makes different generations tick when it comes to recruiting and retaining employees. But security experts say companies also need to examine age-based perspectives and habits when it comes to risk assessment and policies.

If there is a Holy Grail in the information security industry, it surely is the answer to the question, "How secure is secure enough?"

Think your security staffers are trustworthy? Competent? Knowledgeable? Ask a security professional for horror stories and you might think again.

Remember the old M&M analogy - security is like an M&M candy, hard shell on the outside, soft on the inside. In other words, put up firewalls, built a strong perimeter and you're good to go. Of course, nobody believes that M&M-type security is sufficient in today's world of insider threats, data leakage, mobile workers, thumb drives and sophisticated malware. So, what's the new metaphor? We asked around and came up with a number of interesting and useful ways to think about enterprise security.

Malicious ATM intrusions, such as the late-winter breach that resulted in the compromise of Citibank debit card data, are not at all surprising given the vulnerable state of many of the servers and other components involved in processing such transactions, according to some industry representatives.

When risk is present it calls for treatment, and security is a never-ending process... right? Yes, but as a security professional, it's easy to become focused on the hard problems (download PDF) of security -- falling into the arms race for more, more, more security controls -- and lose sight of the impact of the controls themselves.

Security issues often seem to smolder more than burn, but these six are certainly capable of lighting a fire under IT professionals at a moment's notice. Handle with care.

Theft of laptops and other mobile devices is spiraling, and the consequences -- financial and other -- are getting increasingly dire.

Employment and training firm CVGT has installed a network management toolkit to enforce compliance and protect the financial and personal data of its 40,000-plus apprentices and trainees.

Via the RISKS mailing list comes an interesting tale of poor online account management at a major online retailer. According to Graham Bennett, accounts with Amazon display an odd behaviour that doesn't seem to have attracted much attention in the past.

Reformed hacker-turned-security-consultant Kevin Mitnick served five years in federal prison for breaking into phone and software company networks. He talks about his past hacking exploits, computer security, and how he turned an illegal hobby into a useful career.

It has been a number of years since the fantasy that hackers will be offered a job by those who they hacked was even a potential reality, but there are reports that this might still be the case in New Zealand.

The Internet Storm Center, operated by SANS, is one of the leading sources when it comes to identifying emerging attacks against networks, through their DShield collaborative network analysis effort. Traffic spikes on network ports that are well above the normal rates of traffic flow can signify a rapidly spreading exploit or it could be a misconfigured network spewing rubbish across the rest of the Internet. One of the ISC's handlers noted a significant spike of traffic on port 7 recently and was surprised by what he found.

Version 3.0 of BackTrack has been released. BackTrack is a Linux-based distribution dedicated to penetration testing or hacking (depending on how you look at it). It contains more than 300 of the world's most popular open source or freely distributable hacking tools.

When determining the risk to a system and the data stored on it, insider threats are generally regarded as lower risk. Despite the complete access (high risk) that insiders generally have, most of the time insiders are trusted agents (very low risk) on the network. When it breaks down, it can break down in a catastrophic manner, especially if there is money at stake.

A less known part of the recent ARP attack against H D Moore's MetaSploit site was an attempted Denial of Service attack that coincided with the successful ARP attack.

People don't notice change when it's gradual. Sometimes, however, small, incremental changes add up in a way that isn't noticed until a change in degree becomes a change in kind.

Question: We have contractors perform a number of critical services, such as managing our IBM blade servers. These staff have to be on the LAN, and they're long-time contractors, so trust levels run pretty high, but I know they shouldn't be able to go everywhere on the LAN. How can I limit their access while still letting them do their jobs, and most important, not making them feel like I don't trust them?

At their core, Check Point Integrity and Sygate Enterprise Protection are effectively policy-based firewalls. That's the cake. The icing is their capability to monitor other applications for compliance with configuration requirements and send errant machines to quarantine until they can be updated with the latest anti-virus definitions, Windows patches, or other necessities.