Archive for the ‘LINKS’ Category.

Wireless insecurity + ARP Poisoning

Robert Fleck, Cigital: Wireless insecurity + ARP Poisoning (pdf) (FAQ)

Observations:

  • It’s true.
  • It’s shameless security-consultant self-promotion: these are not new problems.
  • ARP poisoning is still a problem on wired networks too. VPN and/or encrypted, authenticated sessions (e.g. SSL) are the practical solution: they keep redirected traffic unreadable and unmodifiable, though they do not stop the redirection itself.
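The ARP poisoning discussed above is easiest to notice on the wire, where a poisoning host has to keep sending replies that contradict what the segment already knows. The following is an added example, not code from this page, from Cigital’s paper or from the DowJones article: it parses raw Ethernet/ARP reply frames, pins the gateway to a known MAC, remembers the first IP-to-MAC binding it sees for every other host, and flags replies whose ARP sender differs from the Ethernet source, replies that claim the gateway with the wrong MAC, and bindings that flip-flop. All MAC and IP addresses and the frames themselves are constructed for the demo.

```python
"""ARP-poisoning detector over raw ARP reply frames (added example).

Not from the original page or from Cigital: the detector pins the gateway's
MAC, records the first ip->mac binding seen for every other host, and alerts
when a later reply contradicts either. All addresses below are invented and
the frames are constructed inline so the script runs offline.
"""
import struct
from dataclasses import dataclass, field

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build a 42-byte Ethernet + ARP reply frame (constructed sample input)."""
    eth = ETH_HDR.pack(mac_bytes(target_mac), mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REPLY,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame: bytes):
    """Return (op, sender_mac, sender_ip, eth_src_mac), or None for non-ARP/short frames."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, eth_src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    _ht, _pt, _hl, _pl, op, sha, spa, _tha, _tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    return op, mac_str(sha), ip_str(spa), mac_str(eth_src)


@dataclass
class ArpWatch:
    """Track first-seen ip->mac bindings plus one pinned gateway entry."""
    gateway_ip: str
    gateway_mac: str
    bindings: dict = field(default_factory=dict)

    def observe(self, frame: bytes) -> list:
        """Feed one frame; return a list of alert strings (empty if nothing is wrong)."""
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        op, sha, spa, eth_src = parsed
        if op != ARP_REPLY:
            return []
        alerts = []
        # A forged reply often carries a sender hardware address the NIC did not emit.
        if sha != eth_src:
            alerts.append(f"spoofed reply: ARP sender {sha} != Ethernet source {eth_src}")
        # The gateway is the usual target: its IP must always map to the pinned MAC.
        if spa == self.gateway_ip and sha != self.gateway_mac:
            alerts.append(f"gateway {spa} claimed by {sha}, pinned to {self.gateway_mac}")
        # Any other host changing MAC is a flip-flop worth a look (arpwatch-style).
        known = self.bindings.setdefault(spa, sha)
        if known != sha:
            alerts.append(f"flip-flop: {spa} was {known}, now {sha}")
        return alerts


def demo() -> list:
    """Run the detector over constructed frames: normal traffic, then a poisoning burst."""
    watch = ArpWatch(gateway_ip="10.0.0.1", gateway_mac="00:11:22:33:44:01")
    frames = [
        build_arp_reply("00:11:22:33:44:01", "10.0.0.1", "00:11:22:33:44:02", "10.0.0.2"),  # gateway -> host
        build_arp_reply("00:11:22:33:44:02", "10.0.0.2", "00:11:22:33:44:01", "10.0.0.1"),  # host -> gateway
        build_arp_reply("de:ad:be:ef:00:01", "10.0.0.1", "00:11:22:33:44:02", "10.0.0.2"),  # attacker claims gateway
        build_arp_reply("de:ad:be:ef:00:01", "10.0.0.2", "00:11:22:33:44:01", "10.0.0.1"),  # attacker claims host
    ]
    alerts = []
    for frame in frames:
        alerts.extend(watch.observe(frame))
    return alerts


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Run it as a script and the two attacker frames produce three alerts (one pinned-gateway violation plus a flip-flop for each side of the conversation); the legitimate frames produce none. Pinning the gateway is the part that matters in practice, since a man-in-the-middle has to claim that address to see anything useful, and first-seen bindings are only as trustworthy as the first reply the watcher happened to capture.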


Related article:

DowJones: Security Experts Are on Alert Over Wireless-Hacking Technique. Quicken.com Oct 15 2001 6:32AM ET

“Mr. Fleck of Cigital combined those wireless vulnerabilities with an attack that has been identified and addressed in most wired networks. Known as ARP poisoning, from the acronym for address resolution protocol, the attack manipulates software in the circuit boards that connect computers to corporate networks. That software contains addresses of other connected machines; a skilled hacker can fool the software to make it seem like his machine has an authorized address to receive data packets on the network. An attacker who understood both techniques, Mr. Fleck said, could use a laptop with a wireless connection to enter a company’s wireless network, and then effectively tell machines on the wired portion of the network to pass all data packets through his laptop.

“The most obvious solution to the problem is to segregate the gateway device that acts as the front door for machines making wireless connections to a network. That can be done using routing devices or filtering programs known as firewalls.”


[via Moreover Computer security news]

good ideas you’re glad someone else implemented

Here’s one of those good ideas you’re glad someone else implemented. “When you find a page on the web whose address is too long to paste into an email or other document, you can use our free service to generate a shorter, simpler address.” Let’s give it a try. Here’s a pointer to Stewart Alsop’s article on Fortune through the shorterlink service.   [Scripting News]

Tips regarding suspicious packages (USPS)

Anthrax: Emergency preparedness & response

Osama Bin Laden & Sesame Street’s Bert

Yahoo:
Demonstrators hold up a poster of terrorist suspect Osama bin Laden during a pro Bin Laden rally in Dhaka, Bangladesh Monday, Oct. 8, 2001. Within the poster, at center right, is a printed image of “Sesame Street” children’s television character “Bert.”
Azad Products, who manufactures the poster was not aware of the appearance of Bert in one of the collaged images that make up the poster. “We got the images through e-mails and off the internet. We did not give the pictures a second look or realize what they signified until you pointed it to us,” Mostafa Kamal, production manager, told The Associated Press. Sesame Street or Bert are hardly known in Bangladesh. (AP Photo/Pavel Rahman)

Previously covered in http://www.lindqvist.com/bert.php.

“I was one of the Taliban’s torturers”

Don’t eat while you read this 

  Terror isn’t only something that is done to people. It’s also what makes people do terrible, terrifying things. I was one of the Taliban’s torturers: I crucified people is the brief story of Hafiz Sadiqulla Hassani, an accountant who committed hideous atrocities as a member of the Taliban secret police and finally as a bodyguard for Mullah Omar, the Taliban’s leader. The story is apocalyptic, right out of Conrad’s Heart of Darkness, or the more familiar Apocalypse Now, with Osama bin Laden playing Col. Kurtz. Consider this narrative, which begins with a profile of Omar:
  “He’s medium height, slightly fat, with an artificial green eye which doesn’t move, and he would sit on a bed issuing instructions and giving people dollars from a tin trunk,” said Mr Hassani. “He doesn’t say much, which is just as well as he’s a very stupid man. He knows only how to write his name ‘Omar’ and sign it.
  “It is the first time in Afghanistan’s history that the lower classes are governing and by force. There are no educated people in this administration – they are all totally backward and illiterate.
  “They have no idea of the history of the country and although they call themselves mullahs they have no idea of Islam. Nowhere does it say men must have beards or women cannot be educated; in fact, the Koran says people must seek education.”
  He became convinced that the Taliban were not really in control. “We laughed when we heard the Americans asking Mullah Omar to hand over Osama bin Laden,” he said. “The Americans are crazy. It is Osama bin Laden who can hand over Mullah Omar – not the other way round.”
  While stationed in Kandahar, he often saw bin Laden in a convoy of Toyota Land Cruisers all with darkened windows and festooned with radio antennae. “They would whizz through the town, seven or eight cars at a time. His guards were all Arabs and very tall people, or Sudanese with curly hair.”
  He was also on guard once when bin Laden joined Mullah Omar for a bird shoot on his estate. “They seemed to get on well,” he said. “They would go fishing together, too – with hand grenades.”
  This time, however, we don’t seem to be sending a Willard up the river to “terminate the Colonel’s command.” But when it’s over, if it ever is, how do we save this hell from itself?
 

[Doc Searls Weblog]

USA ACT

USA ACT (PDF):

SEC. 217. INTERCEPTION OF COMPUTER TRESPASSER COMMUNICATIONS.

Chapter 119 of title 18, United States Code, is amended—

(1) in section 2510—
  (A) in paragraph (17), by striking “and” at the end;
  (B) in paragraph (18), by striking the period and inserting a semicolon; and
  (C) by inserting after paragraph (18) the following:

  “(19) ‘protected computer’ has the meaning set forth in section 1030; and
  “(20) ‘computer trespasser’—
    “(A) means a person who accesses a protected computer without authorization and thus has no reasonable expectation of privacy in any communication transmitted to, through, or from the protected computer; and
    “(B) does not include a person known by the owner or operator of the protected computer to have an existing contractual relationship with the owner or operator of the protected computer for access to all or part of the protected computer.”; and

(2) in section 2511(2), by inserting at the end the following:

  “(i) It shall not be unlawful under this chapter for a person acting under color of law to intercept the wire or electronic communications of a computer trespasser, if—
    “(i) the owner or operator of the protected computer authorizes the interception of the computer trespasser’s communications on the protected computer;
    “(ii) the person acting under color of law is lawfully engaged in an investigation;
    “(iii) the person acting under color of law has reasonable grounds to believe that the contents of the computer trespasser’s communications will be relevant to the investigation; and
    “(iv) such interception does not acquire communications other than those transmitted to or from the computer trespasser.”.

TechRepublic: Groups vie for superiority in security standards competition

TechRepublic:
Groups vie for superiority in security standards competition

Oct 8, 2001

Judith N. Mottl

  • The National Information Assurance Partnership (NIAP)
    The NIAP was created in 1997 to join the efforts of the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) to meet the security testing, evaluation, and assessment needs of both IT producers and consumers. Its long-term goal is to boost consumer confidence in their information systems and networks. Agencies such as the Federal Aviation Administration are starting to work with NIAP to better define their security requirements, and NIAP is looking for other target communities where the organization can serve as a catalyst to spur security requirements and standardization of rules.
  • Generally Accepted System Security Principles (GASSP)
    The GASSP effort began in mid-1992 in response to a 1990 recommendation from the National Research Council. The effort is sponsored by the International Information Systems Security Certification Consortium ((ISC)2), an international common criteria effort to develop IT product-related information security principles. Its objectives include promoting good practices and providing an authoritative point of reference for IT professionals and a legal reference for the rest of the world for information security principles, practices, and opinions. The GASSP Pervasive Principles have been developed, and work has begun on defining and mapping the GASSP Broad Functional Principles.
  • The Center for Internet Security
    The Center, founded in October 2000, is focused on helping organizations worldwide efficiently manage information-security risk. The group, which is vendor neutral, provides tools to measure, monitor, improve, and compare the security status of Internet-connected appliances and systems. Nearly 200 members help identify the top security threats and participate in creating practical methods to reduce those threats.
  • British Standard (BS) 7799
    This enterprise security policy standard is popular in several European countries. BS 7799 has two main parts: a code of practice for information security management and a specification for information security management systems. It prescribes a specific process to determine what policies should be in place, how to document them, and how to develop those that are not specifically identified in the model. It hasn’t been widely adopted within the U.S. IT community, as the International Organization for Standardization (ISO) community considers it incomplete and too restrictive. The ISO, established in 1947, is a non-government, worldwide federation of national standards bodies from some 140 countries.
  • Commonly Accepted Security Practices & Recommendations (CASPR)
    The CASPR project, launched in August 2001, focuses on distilling expert information through a series of free papers available via the Internet. With the open source movement as a guide, CASPR has nearly 100 certified security professionals involved and is actively recruiting subject matter experts in all areas of information security.

Dave Winer on Java strategy, Microsoft .NET strategy

Buyers guide: Network-based intrusion-detection systems

Network World Fusion:
Buyers guide: Network-based intrusion-detection systems. IDG Oct 8 2001 3:38AM ET [via Computer security news]