Security rundown for week ending Aug. 19
- 20 August, 2011 04:40
Some older assumptions about security -- that firewalls are needed for perimeter defense, that we'll all make do with reusable passwords, and that browser-based SSL connections provide strong security -- were once again ripped apart this week as we heard from several individuals who say they simply don't agree.
"I don't think firewalls are necessary. They prohibit work from being accomplished," was one remark from Nathan McBride, executive director of IT at Amag Pharmaceuticals, in describing how the company has migrated off an older Microsoft-based network to one based on both application cloud services and cloud-based single sign-on for about 240 employees. His story provoked some blistering comments online from Network World readers. Here's a selection from a few:
"Firewalls. This comment can only come from an IT manager. Really? Do you know what a firewall does? ..."
"I almost LOLd! Wow. I'd like to see them pass a PCI scan with no firewalls. Cloud service providers use firewalls, too."
"How dumb does it get? ... let's hire some clueless jerk to make it someone else's responsibility ..."
"Say What? ... And what company doesn't put a firewall between the Internet and their computers, whether PCs or servers? I'm not impressed."
All of this shows that the debate over whether perimeter firewalls are still worth it remains fierce (and yes, the PCI standard for payment cards calls for a lot of firewalls). You may recall that it was the Jericho Forum, with its group of IT professionals, that about five years ago began pounding the drum on the firewall topic, saying that for perimeter defense a firewall is largely an outmoded idea and can impede e-commerce.
The Jericho Forum has now taken up the topic of identity management, saying continuing reliance on reusable passwords in this era of cloud computing is totally misguided, and a stronger trust framework needs to unfold for large-scale Internet use.
That's what the National Strategy for Trusted Identities in Cyberspace (NSTIC) initiative from the Obama administration is trying to coordinate, with the high-tech industry taking the lead. We caught up this week with NSTIC Director Jeremy Grant, who explained what the federal government has in mind so far to foster more secure alternatives to passwords in a new "identity ecosystem." Don Thibeau, chairman of the Open Identity Exchange (OIX) -- the members of which, including Google, want to participate in the NSTIC process -- also told us to watch for some innovative pilot projects coordinated among Google, Microsoft and AOL for secure email later this fall.
And finally, when it comes to doubting the usefulness of long-used technologies, this week we heard about a team of researchers pointing out that SSL, the encryption scheme that protects many online transactions, isn't really that trustworthy, because the chain of trust established through a browser can be broken when phony certificates are issued. Researchers from Carnegie Mellon University think they have a better mousetrap in the ideas proposed in Perspectives; a second idea, called Convergence, is being worked on by Moxie Marlinspike, a fellow at the Institute for Disruptive Studies, a lab devoted to privacy, anonymity and computer security.
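One way to implement the multi-vantage-point check that Perspectives and Convergence propose, as an added example rather than either project's code: the certificate fingerprint the browser received is compared with what several independent notaries saw for the same host, and a disagreement is flagged instead of being silently accepted because the chain validated. The notary names, the sample certificate bytes, and the quorum and age thresholds are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class NotaryRecord:
    notary: str        # hypothetical notary name
    fingerprint: str   # SHA-256 hex of the cert this notary saw for the host
    days_seen: int     # consecutive days this notary has seen that same cert

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(cert_der).hexdigest()

def assess(client_fp: str, records: list, quorum: int = 3, min_days: int = 7) -> dict:
    """Compare the cert the browser received with what independent notaries saw.
    Verdicts (quorum/min_days are assumed thresholds, not either project's):
      ok           - >= quorum notaries saw the same cert, stable >= min_days
      new          - notaries agree with the browser, but the cert is too young
      mismatch     - notaries agree on a different cert than the browser got
      insufficient - too few responses, or notaries disagree among themselves
    """
    counts = {}
    for r in records:
        counts[r.fingerprint] = counts.get(r.fingerprint, 0) + 1
    if not counts:
        return {"verdict": "insufficient", "agreeing": 0, "consensus": None}
    consensus_fp, consensus_n = max(counts.items(), key=lambda kv: kv[1])
    agreeing = counts.get(client_fp, 0)
    result = {"agreeing": agreeing, "consensus": consensus_fp}
    if consensus_n < quorum:
        return {"verdict": "insufficient", **result}
    if consensus_fp != client_fp:
        return {"verdict": "mismatch", **result}
    stable_days = min(r.days_seen for r in records if r.fingerprint == client_fp)
    if stable_days < min_days:
        return {"verdict": "new", **result}
    return {"verdict": "ok", **result}

# Constructed sample data: these bytes stand in for DER certificates.
GENUINE = fingerprint(b"constructed DER bytes: example.test genuine cert")
ROGUE = fingerprint(b"constructed DER bytes: example.test rogue cert")
NOTARIES = [
    NotaryRecord("notary-1", GENUINE, 120),
    NotaryRecord("notary-2", GENUINE, 118),
    NotaryRecord("notary-3", GENUINE, 121),
    NotaryRecord("notary-4", ROGUE, 1),     # one vantage point sees a different cert
]
```

A browser that received `ROGUE` for this host gets a `mismatch` verdict even if the rogue certificate chains to a trusted CA, which is the case a CA-only check cannot catch.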
And speaking of anonymity and disruption in the more sinister sense of the words, this week didn't go by without the shadowy hacker group Anonymous yet again hitting more targets for what are apparently their activist causes.
The group Anonymous released personal data belonging to more than 2,000 public transport customers in the San Francisco area in retaliation for the Bay Area Rapid Transit (BART) system's shutdown of mobile phone service on Aug. 11.
BART last week officially apologized to the public that its network was hacked and customer data publicly exposed. But it didn't end there. Another hacking break-in took place at the website of the union representing the rank-and-file BART police, an attack that may also be traced back to Anonymous.
Many thought BART went too far in cutting off communications to hundreds of thousands of BART commuters as an attempt to stall a planned protest, and, as an editorial from the San Francisco Chronicle noted, no one held the high ground in the conflict -- not Anonymous, not the BART bureaucracy, not the protesters.
In addition, the Federal Communications Commission took an interest last week, saying it was investigating what happened. "We are continuing to collect information about BART's actions and will be taking steps to hear from stakeholders about the important issues those actions raised, including protecting public safety and ensuring the availability of communications networks."
It was a pretty busy week for Anonymous, as the group also allegedly hacked yet another U.S. Department of Defense contractor, this time Vanguard Defense Industries. Anonymous says its latest haul, posted at Pastebin, includes internal meeting notes and contracts, schematics and non-disclosure agreements, among other things. Our reporter notes that a cursory look does seem to match the description provided by Anonymous, and one email shows Vanguard's chief executive responding to a U.S. DOJ contact regarding the suitability of its ShadowHawk drone for use by the U.S. Marshals. Anonymous earlier this year said it would be turning its wrath against governments and corporations around the world in retaliation for anything of which it disapproves.
Hackers have a wide variety of motivations. Last week, Jason Cornish, 37, formerly an IT staffer at the U.S. subsidiary of Japanese drug-maker Shionogi, pled guilty to computer-intrusion charges in connection with an attack on that company's network last February. He wiped out 15 VMware host systems running email, order tracking, financial and other services at the Florham Park, N.J., company. The disruption is believed to have cost Shionogi $800,000.
So why did Cornish do this? It's apparently a variant on the disgruntled employee/insider threat. He was a former IT staff employee who was still able to log in to the company's network from a public McDonald's Internet connection with a password. Hmm, maybe the NSTIC program and the Jericho Forum do have a point about reusable passwords ... and should we hope Anonymous one day weighs in on whether firewalls are keeping them out? These days, malicious emails loaded with malware are apparently a favored route into the corporate network. And Google issued a report last week detailing how it's getting harder to detect Web-based malware.