2008 03 02
Firewall 2.0 Focus Group - Initial Dates and Locations
(Note: we have our first two event dates and locations
March 25th: Chicago
April 1st: Seattle)
By Jim Reavis
This is an open letter to the best and brightest network security architects, asking for help with a project to design the ultimate next-generation firewall: Firewall 2.0 to deal with Web 2.0. I am organizing half-day collaboration sessions in several cities and will also organize an online forum once we have completed our initial face-to-face meetings.
The problems we are trying to address are familiar. Firewalls today tend to be blind to the bulk of threats tunneled inside of port 80. Enterprise data leakage is ignored for the most part. Network security architects are required to deploy a variety of security point solutions that do not communicate and integrate well with each other. If the payload is encrypted, forget about it. Meanwhile, technical innovations are bringing new devices and applications into enterprises at a breakneck speed (iPhone anyone?), without regard for security vetting. The problem is getting worse, and we need some out-of-the-box thinking to find the solutions.
Our goal is to get some of the best minds together to collaborate for a few hours and talk about the key issues that the next-generation firewall must address. We hope to brainstorm a few innovative ideas and create a permanent “birds of a feather” group that can discuss these issues on a regular basis, in person and online.
The events are by invitation only. If you live and breathe network security, please drop me a line.
2006 12 27
Shrug as a Bug
By Larry J. Hughes, Jr. (larry.hughes@infosecintrospect.com)
What exactly is a security bug?
Virtually everyone vaguely familiar with the Internet — indeed, computers — has a vague sense of the term. After all, security bugs cause security problems, and we all know what those are.
Techies, of course, have a superior sense of the term. Yet none that I’ve asked to date — admittedly a fraction relative to the qualifying population — have given me a good definition. By that I mean one that is both (a) comprehensive enough to satisfy techies, and (b) understandable enough to satisfy laity.
This lack of a good definition bothers me, though not for the reasons you might think. I understand that security bug, like security itself, is an abstraction, and that abstractions are defined mostly by group-think.
What bothers me is that in the course of pushing security bugs, and more generally security vis-a-vis technology, to the forefront of our online consciousness, we have objectified it to its logical extreme without ever having defined it. I want to go on the record as saying this is dangerous.
Over time I’ll have a lot to say about why it’s dangerous. Meanwhile, I’ve broken ground for what I think is a good definition of security bug at http://en.wikipedia.org/wiki/Security_bug.
2006 12 14
Attack-Defender Paradox
By Emerson Tan (et@c4i.org)
Whilst doing my regular trawl through the morning’s information detritus, I stumbled upon an article in The Register on the new biometric passports that the US Dept of State is insisting that countries issue if they are to remain part of the US Visa Waiver Program. The first part of the article [1] seems to give it all away:
“But unlike the RFID passports the USA is now issuing, the Irish ones lack a security feature preventing them from being skimmed, or read surreptitiously.
Continue Reading »
2006 11 30
Port Knocking 102 - Pros, Cons and Alternatives
By Kurt Seifried (kurt@seifried.org)
There are a number of pros, cons and alternatives to port knocking.
Continue Reading »
2006 11 27
Port Knocking 101 - The Basics
By Kurt Seifried (kurt@seifried.org)
Port knocking is defined as:
In computing, port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specified port(s). [1]
Continue Reading »
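The following Python script is an added illustration of the definition above; it is not code from the original post or from any port-knocking tool. It replays constructed iptables-style LOG lines through a minimal knock daemon: a source that sends SYNs to the closed ports 7000, 8000 and 9000 in order, within the timeout, gets a temporary allow rule for port 22. The knock sequence, the protected port, the timeouts, the log format and the sample addresses are all assumptions, and the `rules` list stands in for the firewall changes a real daemon would make with iptables.

```python
import re
from dataclasses import dataclass

# Hypothetical knock sequence and protected service; a real deployment picks its own.
KNOCK_SEQUENCE = (7000, 8000, 9000)
PROTECTED_PORT = 22
KNOCK_TIMEOUT = 10      # max seconds allowed between consecutive knocks
OPEN_FOR = 30           # seconds the protected port stays open for a successful knocker

# The fields of a netfilter LOG line that the daemon needs (time, source, destination port, SYN).
LOG_RE = re.compile(
    r"(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d).*?SRC=(?P<src>[\d.]+).*?PROTO=TCP.*?DPT=(?P<dpt>\d+).*?\bSYN\b"
)


@dataclass
class KnockProgress:
    position: int = 0       # index of the next port expected from this source
    last_seen: float = 0.0  # time of the last knock seen from this source


class PortKnockDaemon:
    def __init__(self, sequence=KNOCK_SEQUENCE, protected_port=PROTECTED_PORT,
                 timeout=KNOCK_TIMEOUT, open_for=OPEN_FOR):
        self.sequence = tuple(sequence)
        self.protected_port = protected_port
        self.timeout = timeout
        self.open_for = open_for
        self.progress = {}    # src ip -> KnockProgress
        self.open_until = {}  # src ip -> time its dynamic allow rule expires
        self.rules = []       # firewall changes emitted; a real daemon would call iptables here

    def knock(self, src, dport, now):
        """Feed one SYN to a closed port. Returns True when src has completed the sequence."""
        st = self.progress.get(src, KnockProgress())
        if st.position and now - st.last_seen > self.timeout:
            st = KnockProgress()                       # too slow: the attempt starts over
        if dport == self.sequence[st.position]:
            st.position += 1
        else:
            # Any wrong port aborts the attempt; a hit on the first port begins a new one.
            st.position = 1 if dport == self.sequence[0] else 0
        st.last_seen = now
        if st.position == len(self.sequence):
            self.progress.pop(src, None)
            self.open_until[src] = now + self.open_for
            self.rules.append(("ACCEPT", src, self.protected_port, now))
            return True
        self.progress[src] = st
        return False

    def is_open(self, src, now):
        """True while the dynamically opened port is still valid for src; expires the rule otherwise."""
        expiry = self.open_until.get(src)
        if expiry is None:
            return False
        if now > expiry:
            del self.open_until[src]
            self.rules.append(("DROP", src, self.protected_port, now))
            return False
        return True


def feed_log(daemon, text):
    """Replay firewall LOG lines into the daemon; returns (src, time) for each completed sequence."""
    admitted = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        now = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])  # seconds since midnight
        if daemon.knock(m["src"], int(m["dpt"]), now):
            admitted.append((m["src"], now))
    return admitted


# Constructed sample log: one correct knock, one scan that hits a wrong port, one knock that is
# too slow, and one replay of the correct sequence from a different address.
SAMPLE_LOG = """\
Nov 27 10:00:01 gw kernel: knock: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40001 DPT=7000 SYN
Nov 27 10:00:02 gw kernel: knock: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40002 DPT=8000 SYN
Nov 27 10:00:03 gw kernel: knock: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40003 DPT=9000 SYN
Nov 27 10:00:20 gw kernel: knock: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 PROTO=TCP SPT=50001 DPT=7000 SYN
Nov 27 10:00:21 gw kernel: knock: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 PROTO=TCP SPT=50002 DPT=8080 SYN
Nov 27 10:00:22 gw kernel: knock: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 PROTO=TCP SPT=50003 DPT=8000 SYN
Nov 27 10:00:23 gw kernel: knock: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 PROTO=TCP SPT=50004 DPT=9000 SYN
Nov 27 10:01:00 gw kernel: knock: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.10 PROTO=TCP SPT=60001 DPT=7000 SYN
Nov 27 10:01:15 gw kernel: knock: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.10 PROTO=TCP SPT=60002 DPT=8000 SYN
Nov 27 10:01:16 gw kernel: knock: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.10 PROTO=TCP SPT=60003 DPT=9000 SYN
Nov 27 10:02:00 gw kernel: knock: IN=eth0 OUT= SRC=192.0.2.200 DST=198.51.100.10 PROTO=TCP SPT=61001 DPT=7000 SYN
Nov 27 10:02:01 gw kernel: knock: IN=eth0 OUT= SRC=192.0.2.200 DST=198.51.100.10 PROTO=TCP SPT=61002 DPT=8000 SYN
Nov 27 10:02:02 gw kernel: knock: IN=eth0 OUT= SRC=192.0.2.200 DST=198.51.100.10 PROTO=TCP SPT=61003 DPT=9000 SYN
"""

if __name__ == "__main__":
    daemon = PortKnockDaemon()
    for src, when in feed_log(daemon, SAMPLE_LOG):
        print(f"opened port {daemon.protected_port} for {src} at t={when}")
    print("rules:", daemon.rules)
```

Only 203.0.113.5 and 192.0.2.200 get the port opened: the wrong port from 198.51.100.77 aborts its attempt, and the 15-second gap from 192.0.2.9 exceeds the timeout. The last three lines are the caveat a practitioner should keep in mind: the knock sequence is a static shared secret sent in the clear, so anyone who can observe the first knocker's packets can replay it from another address. A monotonically increasing sequence such as 7000, 8000, 9000 is also hit in order by an ordinary sequential port scan, which is why real deployments pick non-monotonic sequences and add timeouts and per-source state as shown here.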
2006 11 16
The end of mechanical locks?
By Kurt Seifried (kurt@seifried.org)
Traditionally, physical security has been addressed primarily by mechanical locks that control access to places, be it a building or a specific room. A business would have mechanical locks on all external doors and many internal doors, and these would typically be locked when no one is around (e.g. at night). Combined with a decent alarm system, the mechanical locks would in most cases slow an intruder down long enough for them to be detected and for the police to respond. For areas without an alarm system the locks would ideally discourage the attacker outright; there is a big difference between kicking in a door and simply turning the knob to see if it’s open.
For centuries (indeed, in some areas, millennia) this balance held: mechanical locks either discouraged attackers or slowed them down enough for detection and response to work. However, a new lock-picking technique has changed the balance, potentially rendering most mechanical locks useless.
Continue Reading »
2006 11 14
Miniature Computers That Can Break Your Network Wide Open
By Kurt Seifried (kurt@seifried.org)
One aspect of information security that is often overlooked is physical security. While attention is often paid to secure areas containing servers, network equipment and telecommunication gear, not as much attention has been paid to the fringes of the network. Although security standards such as 802.1X and various network access control (NAC) products exist that can be used to address the network fringe, they all contain one major weakness.
Networks that have implemented end-to-end security in the form of 802.1X or a NAC solution all rest on one major assumption: that a man-in-the-middle attack can’t be executed once the end point has authenticated. 802.1X, for example, addresses this directly: if the network port detects that the link has dropped, it requires the end point to re-authenticate before it is allowed network access again. If the network hasn’t implemented such a scheme, then it becomes trivial to execute a man-in-the-middle attack by physically inserting another computer between the network equipment and the end machine.
But that would be pretty obvious, wouldn’t it? I mean, you’d think a user (even the dullest one) would notice a second machine plugged into their network drop, with their computer daisy-chained off it.
Maybe. Maybe not.
Continue Reading »