NIST published their Critical Infrastructure Protection guidelines and I also noted the National Information Assurance Program (NIAP) Process Control Security Requirements Forum (PCSRF). Wish I had these references about four years ago. This is an especially interesting paper, which I think was done for the PCSRF and ISO/IEC 15408:
The Gas Technology Institute/American Gas Association Encryption page also has some good pointers and here’s the Department of Energy (DoE) guide to CyberSecurity.
Once upon a time, Georgi Guninski wrote AIX buffer overflows. Aleph One provided shellcodes. Now everyone hammers on Microsoft vulnerabilities and Bill Gates is retraining his employees for security awareness. That seems like a good idea as UNIX gopher servers could suddenly gain popularity again. Think your “internal” network is safe? Think again as one of your users might connect to a gopher site…oh, and all versions of IE are vulnerable. Go Minnesota!
So let’s get one thing straight: the “web services” (WS) revolution is a new term for standards-based communication between networked applications. Does this change anything for anyone? Not really, not yet. An executive at a small software company asked me to help them decide what to do about WS, so it’s been on my mind lately. The rather sharp-witted Register points out a clear case where not even Microsoft or Sun can figure out how to turn the WS hype into real value for customers.
There’s something really nice about a good pasta sauce. There are so many recipes on the web, it’s hard to know where to begin. My favorite, of course, is the easiest: a bit of your favorite oil, add some basil, pine nuts, and garlic in the blender. Just press a button and…pesto!
There’s something really suspicious about a product called the White Glove, but there’s no doubt that Fred Cohen has a unique view. In light of this, I think when I build a DMZ for a client tomorrow I will try to convince them to call it a “Packet Trap.”
Had an interesting talk with some folks from Nortel and IBM this morning about managing VPNs. I was told that an insurance company in Northern CA recently spent $1.1 million, more than double their investment in hardware and software, installing remote VPN clients and pushing out updates.
The IBM rep also told a funny story. He said someone had to drive all the way to a branch office to receive the new VPN software. The person became very annoyed, however, when they found out they were expected to bring their PC with them for the update. Apparently they said “Someone should have told me I needed to bring my computer here to have the software installed!”
Push software was tried, but it was inconvenient to end users. Since many of them relied on V.90 dial-up connections, they did not appreciate a 3MB push to their computer, especially when they were trying to upload files to meet critical deadlines. They also complained about having to leave their computers running overnight. Clearly any push solution that claims to be efficient, easy, and nonintrusive has to take into account the behavior of recipients, and not just the needs of IT management.
Also discovered that the W3C lets me easily validate my cascading style sheets.
I have set up my webcam to be able to prove that Euclid sits in the window all day watching the ocean and the birds.
It is hard not to notice bloggers are taking over the web. They are easy and fun, but I do not think I could put it in perspective any better than This Old Weblog. Speaking of links, SecurityFocus has a radio interview with Jennifer Granick regarding digital forensics and the law. She explains why investigating computer crime is different from regular forensics and gives some basic legal advice for companies. Digital evidence is more “fragile” she says. This is definitely not rocket science.
Salon ran a story called “The price of milk (and sex) in Cuba” and I had to write a somewhat prosaic letter to the editor in response. This letter, as well as the constant urging of friends and family, has led me to create a writing section where I will put my own travel stories.
Attended an interesting talk with an engineer from the self-proclaimed leader in Denial of Service protection. I will not mention the company name, but for $50,000 they claim they can solve DoS problems, except single-packet attacks. Not exactly a bargain, even at $10,000, if you still have to worry about the next redbutton.
Appelez-moi fou, but I could not resist the urge to post a translation link. Want to read this page in French?
TS/SCI information work this morning led me to a handy guide to the US government document classification system. I also started testing the ICSA Certified Tiny Personal Firewall from Tiny Software. It is free and is extremely easy to set up and manage. This sort of tool should be bundled in the next OS release from Microsoft.
While researching news on the Comoros (the elections are almost here), I read an interesting site that describes Offshore Anjouan as an excellent tax haven for banks and casinos. The same site also advocates buying a second passport and nationality to escape taxes. Ugh.
Afan mentioned the Open H323 Project, which clearly aims to free the H.323 teleconferencing (VoIP) protocol stack and has some excellent backgrounder information on related standards. I also came across this handy PocketGuide to VoIP.
Working with NetMeeting, an H.323 application that runs over IP, I noticed TCP port 1720 is the trigger but it needs all incoming UDP ports 1024 to 65534. Obviously not a well-thought-out network application. In any case, here is an incomplete reference to ports for popular applications.
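To put a number on how much of the port space a rule like the NetMeeting one opens, here is an added example (my own code, not anything from Microsoft or from the port reference linked above) that parses a constructed, simplified "allow proto port[-port]" rule list, merges overlapping ranges per protocol, and flags any single rule wider than a chosen threshold. The rule syntax and the 1024-port threshold are assumptions for the example.

```python
"""Audit a simple firewall allow-list for overly broad port exposure."""
from dataclasses import dataclass

MAX_PORT = 65535          # highest TCP/UDP port number
WIDE_RULE_THRESHOLD = 1024  # assumed: flag any single rule opening more ports than this


@dataclass(frozen=True)
class Rule:
    proto: str   # "tcp" or "udp"
    lo: int      # first port in the range (inclusive)
    hi: int      # last port in the range (inclusive)

    def port_count(self) -> int:
        return self.hi - self.lo + 1


def parse_rule(line: str) -> Rule:
    """Parse one constructed-format rule: 'allow <tcp|udp> <port>' or 'allow <tcp|udp> <lo>-<hi>'."""
    parts = line.split()
    if len(parts) != 3 or parts[0].lower() != "allow":
        raise ValueError(f"unrecognised rule: {line!r}")
    proto = parts[1].lower()
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol in rule: {line!r}")
    lo_text, _, hi_text = parts[2].partition("-")
    lo = int(lo_text)
    hi = int(hi_text) if hi_text else lo
    if not 0 <= lo <= hi <= MAX_PORT:
        raise ValueError(f"port range out of order or out of bounds: {line!r}")
    return Rule(proto, lo, hi)


def exposure(lines: list[str]) -> dict[str, int]:
    """Number of distinct ports allowed per protocol, with overlapping ranges merged."""
    rules = [parse_rule(line) for line in lines]
    result: dict[str, int] = {}
    for proto in ("tcp", "udp"):
        spans = sorted((r.lo, r.hi) for r in rules if r.proto == proto)
        merged: list[list[int]] = []
        for lo, hi in spans:
            if merged and lo <= merged[-1][1] + 1:     # overlaps or touches previous span
                merged[-1][1] = max(merged[-1][1], hi)
            else:
                merged.append([lo, hi])
        result[proto] = sum(hi - lo + 1 for lo, hi in merged)
    return result


def wide_rules(lines: list[str], threshold: int = WIDE_RULE_THRESHOLD) -> list[Rule]:
    """Rules that each open more than `threshold` ports; these deserve a stateful alternative."""
    return [r for r in (parse_rule(line) for line in lines) if r.port_count() > threshold]


# Constructed sample: the NetMeeting requirement described above, in the example's rule syntax.
NETMEETING_RULES = [
    "allow tcp 1720",         # H.323 call-setup trigger port
    "allow udp 1024-65534",   # the inbound UDP range NetMeeting wants open
]

if __name__ == "__main__":
    counts = exposure(NETMEETING_RULES)
    for proto, n in counts.items():
        print(f"{proto}: {n} ports allowed ({n / (MAX_PORT + 1):.1%} of the port space)")
    for r in wide_rules(NETMEETING_RULES):
        print(f"WIDE: {r.proto} {r.lo}-{r.hi} opens {r.port_count()} ports")
```

For the sample rules the audit reports one TCP port and 64511 UDP ports, about 98% of the UDP port space, which is the point the paragraph above makes in numbers. On a Linux firewall the usual way out of a rule like that is the netfilter H.323 connection-tracking helper, which opens only the media ports negotiated in the call rather than a static range.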
There are many serious and well documented security concerns for a NetMeeting call, although you can read Microsoft’s firewall configuration guide and judge for yourself…and I quote: “There are few available products that an organization can implement to securely transport inbound and outbound NetMeeting calls.”
The IP voice communications market can only get hotter as telecom giants come under pressure to maintain revenue growth. Here are some interesting marketing blurbs by Gartner and The Tolly Group regarding Shoreline’s enterprise solution. Shoreline boasts high availability and ease of integration with enterprise directory and messaging services. Is it goodbye PBXs or hello open-PBX — like running Linux on the mainframe?