Cybersecurity : Infrastructure Protection and Cybersecurity News, Information, and Analysis
Updated: 1/7/2005; 11:04:34 AM.




Friday, January 07, 2005

Karen Evans, the federal egov czar, recently released this report on Expanding E-Government.

An article in FCW discusses the Utah CIO position which currently remains vacant.

NIST has published this draft standard for Personal Identity Verification for federal employees.

This bulletin on securing VoIP networks (from NIST) is also interesting.  We are preparing to meet with several customers regarding their interest in VoIP.  If you're involved with security, also be sure to check out the NIST security checklist program at 

11:04:16 AM

Thursday, December 16, 2004

Earlier this week the House of Representatives Homeland Security Committee’s Cybersecurity Subcommittee released a comprehensive report, "Cybersecurity for the Homeland."

The press release can be found at

8:07:53 AM

Friday, September 24, 2004

We need no reminder to emphasize the importance of information security, but here are a few headlines from this week:

Hackers and viruses are not the only threat.  We must all get more serious about business continuity.  And here's an interesting article on spyware in the LA Times with this quote:

"Spyware is generally legal (in every state except Utah) as long as its original intent is to monitor browsing and shopping habits. Unfortunately, unscrupulous marketers and criminals have hidden their software under the spyware cloak to avoid being called viruses. Some spyware authors get paid about 15 cents a hit, while virus writers seem to be more motivated by the thrill of hacking into computer networks or disrupting corporations and government."

2:13:33 PM

Thursday, July 29, 2004

I spent yesterday morning at the State information security conference.  Governor Walker (video stream coming) announced an increased focus on cybersecurity and asked for each department to appoint a Chief Security Officer that will be part of the State Information Security Council.  She was followed by Rob Clyde, CTO of Symantec, who gave an excellent presentation.  While hunting around, I found these video / audio streams of several recent conferences that have some interesting information on current trends. Simple registration is required.

Yesterday afternoon, we signed off on the Omnilink installation at UCAN.  I learned that Indiana and Ohio are using the same technology to support their statewide wireless initiatives.  Indiana's Project Hoosier SAFE-T is at a similar stage and is being coordinated between all levels of government.  Here's a map of their current and planned implementation.  The terrain makes the task very different from Utah where we have the mountains to deal with.

7:12:47 AM

Wednesday, April 21, 2004

Jeff says that "web services are really cool."  Yes they are and we have only begun to tap their potential.

Kinja is being discussed in Cre8asite.  Here's my initial Kinja site.

NASCIO is naming a new executive director on the eve of its midyear conference.

The National Cyber Security Partnership Task Force on Technical Standards and Common Criteria released its recommendations this week.  Meanwhile reports are circulating on a new Cisco vulnerability.

John Gotze points out that Denmark garners the #1 spot in this year's eReadiness Report.  The U.S. has fallen to number 6 in the report.  The report, which is supported by IBM and the Economist, points out that the differences between the top eight were relatively minor.  Why is the U.S. falling behind?  One major reason is the relatively slow rollout of broadband services.  Four of the top five are in Scandinavia.

7:52:49 AM

Tuesday, April 20, 2004

Spyware is at the center of a growing debate.  Earlier this month, following the passage of the Utah Spyware Control Act, Andis Kaulins of LawPundit wrote,

Utah has thus begun what will surely be a necessary and welcome surge in legislation prohibiting or restricting spyware and/or similarly intrusive unwanted software programs.

The FTC just held a workshop to explore the spyware issue and, while "calling spyware the next great internet scourge," has also urged restraint in adopting new laws to control it.  The Center for Democracy & Technology presented what they are calling a "consensus list" of deceptive spyware scenarios at the conference.  I expect that we will need both technological and legal solutions to the growth of these practices including hijacking, surreptitious surveillance, and "inhibiting termination".  I've already seen a lot of this when you install something and then can't completely get rid of it.

Several weeks ago, Sabrina Pacifici asked if the Utah bill would start a trend.  But spyware legislation is not new.  Sen. John Edwards introduced legislation in October 2000.  Burns, Wyden and Boxer introduced more legislation in February of this year.  I have no idea how many spyware bills have been issued in between that time.

Many marketers insist that it is a critical part of their marketing efforts and fully supportable.  But opposition is growing.  Bambi Francisco of CBS Marketwatch rebuts the arguments that it's simply a marketer's right:

"'s not just being a smart consumer.  We're moving beyond the wild west of the World Wide Web. There should be some protection and controls, like those established in Utah recently."

An America Online exec (quoted in PC World) who opposes excessive legislation argues that the industry will be somewhat self-regulating, "We'll learn what the consumer thinks based on how they respond; it's not tied to any legal definition."   I'm not quite convinced of that.

6:10:00 PM

Friday, April 16, 2004

The Whitehouse website has become much more interactive.  Recently, they have added features such as Whitehouse radio and Whitehouse interactive (direct response to email), along with themed sites like Presidents and Baseball and the Easter Egg Roll.

It should be time for the March 31st scorecard to come out for federal agencies.  According to the last scorecard, only two federal agencies have met the standards for eGov - the Office of Personnel Management and the National Science Foundation.  I am not quite sure what sets these agencies apart from the rest.

I did initiate a customized profile with NSF that provides you with a personalized page along with options for email notifications.  In doing so, I noticed an item on data mining for pinpointing network intrusions.  The Minnesota Intrusion Detection System (MINDS), funded by an NSF grant, looks at the challenging issue of drilling through massive amounts of data to distinguish real attacks from false alarms.

New Mexico provides an additional incentive for tax filers who file online - they have until April 30th to do it.

7:58:09 AM

Thursday, March 18, 2004

A UPI article examines the cyberwar that is taking place on the internet.  We are impacted by it every day.  We installed MT blacklist yesterday to ward off the comment spam that had infiltrated the MT stuff that we are using to generate RSS feeds for production services.

"A global assault for control of millions of computers is occurring," Steven Sundermeier said. "This appears to be a war for power and seniority among these authors."

According to another article in the Detroit News, the annual cost in software and lost productivity related to spam is between 10 and 87 billion dollars.

Bruce Schneier provides his monthly Crypto-Gram newsletter as an RSS feed.

Public Technology also recently published an analysis of global digital warfare.

12:38:04 PM

Monday, March 01, 2004

Senator Ron Wyden (OR) is sponsoring the Citizens' Protection in Federal Databases Act that prohibits the use of databases to mine for hypothetical scenarios and prevents government agencies from browsing bank records, online purchases or travel plans without regard to actual intelligence or law-enforcement information.  That bill was assigned to the Senate Judicial Committee last summer and has not been seen since.  Last week, Wyden teamed with Barbara Boxer to sponsor a new anti-spyware bill.

The Judicial Committee held a hearing on cyberterrorism last week.  Speaking of cyberterrorism, Bill Gratsch's eGovLinks site was hacked over the weekend by the "EmpEror SeCUriTy Team". 

The Department of Homeland Security is working with the National Association of Attorneys General (“NAAG”) to compile the Computer Crime Point-of-Contact List, a 50-state list of state and local prosecutors and investigators who are responsible for computer-related crimes within their respective jurisdictions. This list allows agents and prosecutors from one jurisdiction to call upon their colleagues in another jurisdiction for rapid response in cybercrime matters.

Here's a good powerpoint on legal frameworks for combatting cybercrime.

F-Secure reports that "a new variant of Netsky worm - Netsky.D was found on March 1st, 2004 and is spreading fast in the wild. This worm variant lacks many text strings that were present in NetSky.C variant and it does not copy itself to shared folders."  We saw a lot of NetSky last week so I guess we'll be continuing to screen thousands of attempted intrusions.

8:49:02 AM

Monday, December 29, 2003

Virginia's auditor, during an audit of surplus computers, found the following information on old computers being auctioned to the public:

  • Vaccination information;
  • Women Infant and Children (WIC) personal information;
  • Personnel evaluations of individuals;
  • Personnel records of grievances of individuals;
  • Scholastic evaluations of individually identifiable students; and
  • Personal credit card number of a Dean of a college.

With all the effort spent to comply with HIPAA, other privacy laws, and standard information security, this is one hole that needs to be plugged everywhere, not just in Virginia.

8:27:31 AM

Monday, December 08, 2003

The Infragard meeting on 12/17/03 will be at the Salt Lake City Public Library, 210 East 400 South, Salt Lake City, UT in Conference Room B, Level 1.  The speakers for this month's meeting have changed slightly.  The speakers and their topics will be as follows:
  • Ken Crook - "Terrorism - The Threat"
  • Karl Schmae - "Securing the Homeland and Terrorism Indicators"

8:07:37 AM

Thursday, September 18, 2003

Blogalization has picked up my news feed.

NetWorld Fusion includes two Utah bloggers on its Top Ten list.

Mitch Ratcliffe presents an interesting application for VoIP.  VoIP has been slow taking off here and we need to identify a critical mass of business-oriented applications to drive the conversion.  Meanwhile, we need to get serious about how we install technology in new facilities, including the new state archives building.

At yesterday's Infragard meeting Brian Grayek suggested that education (colleges, universities, and K-12) presents some of the greatest challenges for cybersecurity.  This month's issue of The Journal looks at many of those issues and presents some suggestions.

Update on electronic voting in Utah.

The House just passed an internet tax ban.  It does not ban taxes levied on goods sold via the internet.

Here's an interesting site that is tracking the growth of weblog activity in Portugal, a country which supports weblogs for all of its legislators.  Jose Luis Orihuela references an article in Jornal de Noticias on the growth of blogging in Portugal.

DARPA is exploring Brain Machine Interfaces.  A Carnegie-Mellon scientist has been charged by NSF with designing a new national communications infrastructure. is down today.  Probably overwhelmed by Isabel.

In Washington, some are calling the departure of three people a "brain drain" on the nation's eGov efforts and Intel is claiming it can't find enough good IT workers in this country of 292,107,007 people.

8:17:44 AM

Monday, September 15, 2003

The next InfraGard (of the Wasatch) meeting will be on 9/17/03 at 12 pm.  The meeting will be held at the Parks Department, 2nd Floor, 1965 West 500 South, Salt Lake City, UT instead of at the usual location at the City & County Building. If you will be attending the meeting and have not yet rsvp'd, please e-mail Cheney to let him know that you will be attending.

The speaker will be Brian Grayek, Technology Strategist to the Office of the CTO, Computer Associates.  Brian has over 20 years' experience in security and is highly regarded for his security expertise in the industry.  The topic of his presentation will be Total Security Management.

5:36:20 PM

Wednesday, August 27, 2003

The third quarter meeting of the InfraGard of the Wasatch has been scheduled for 9/17/03 at 12 pm. This meeting is being sponsored by Computer Associates.  The speaker will be Brian Grayek, Technology Strategist to the Office of the CTO, Computer Associates.  Those planning to attend should RSVP to Cheney Eng-Tow via e-mail as soon as possible. The meeting will be held at the Parks Department Building located at 1965 West 500 South, Salt Lake City, UT.   If there are any questions, please contact me.

1:42:07 PM

Friday, May 23, 2003

The first national Infragard conference is being held today in Washington, DC.  I just came across the local ISACA website.  Many ISACA members are also involved with Infragard.  The fifth annual Network Security Conference sponsored by ISACA will be held in Las Vegas in September.  The agenda looks useful.

2:39:55 PM

Dave McNamee said something VERY important the other day regarding security.  He referred to a Gartner study that says that the average employee has access to 15 to 17 applications during employment and that the same employee may still have access to about 10 of those applications after termination.  Obviously, this supports the position of implementing security at the enterprise level where access can be linked to human resource information.  We have many critical pieces of that model in place with the Utah Master Directory.

A recent series in the Washington Post points out how hackers in Russia are affecting businesses throughout the U.S.

9:16:26 AM

© Copyright 2005 David Fletcher.
