Wednesday, October 28, 2009

Wireless Security

Security over wireless networks continues to be an issue and yet is an increasingly important part of overall network security. Over the past few years, wireless security has made some great strides and companies need to be aware of the best techniques for securing their wireless networks. Generally that boils down to using WPA2, rather than its forebears, WEP and WPA. For some reason a lot of people are not aware of the significant improvements brought about by WPA2. Here's a great overview of the issue.

Monday, October 26, 2009

Hardware Authentication

There has been some interest lately in the idea of hardware authentication. This involves the use of software that identifies a particular computer by such means as the serial number of its hard drive or other components, the bad sectors on the drive and even the major applications installed. The idea is to reduce the need for passwords for authentication.

The fundamental problem with hardware based authentication is that it is based on identification of a particular computer and not a particular user. There are situations when users are separated from the computers they normally use, and this would mean that someone else who has access to their computer could log into their services. It would also mean if they are on another computer, they could not log into their own services. This would apply whether or not the computer has been stolen.

The idea is fundamentally flawed; however, it might have some usefulness as a supplement to passwords, particularly where extra tight security is warranted. The banks use some of this now, thus the occasional question when logging into online banking asking whether this is the computer you normally use. There are situations where hardware authentication could actually strengthen security, but not where it substitutes for passwords. Technology Review has a write up on this issue.
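A sketch of hardware identification used as a supplement to a password, as the post argues it should be. This is an added example, not code from the post or from any product it mentions; the attribute names, the sample device, the key and the three decision labels are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data: a server-side key, one enrolled user, and the
# hardware attributes the post mentions (drive serial, bad sectors, apps).
SERVER_KEY = b"constructed-demo-key"
SALT = b"constructed-salt"
ENROLLED_DEVICE = {"disk_serial": "WD-CONSTRUCTED-0001",
                   "bad_sectors": "1024,88211",
                   "apps": "browser;mail;office"}


def device_fingerprint(attrs: dict) -> str:
    """Keyed hash over sorted attributes, so raw serials are never stored."""
    canonical = "\n".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hmac.new(SERVER_KEY, canonical.encode(), hashlib.sha256).hexdigest()


def password_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


USER = {"pw_hash": password_hash("correct horse"),
        "known_devices": {device_fingerprint(ENROLLED_DEVICE)}}


def login_decision(password, attrs: dict) -> str:
    """Device match only supplements the password; it never replaces it."""
    pw_ok = password is not None and hmac.compare_digest(
        password_hash(password), USER["pw_hash"])
    if not pw_ok:
        return "deny"       # someone else sitting at the user's own computer
    if device_fingerprint(attrs) in USER["known_devices"]:
        return "allow"      # right user, usual computer
    return "challenge"      # right user, other computer: ask an extra question


if __name__ == "__main__":
    other_pc = dict(ENROLLED_DEVICE, disk_serial="ST-CONSTRUCTED-9999")
    print(login_decision(None, ENROLLED_DEVICE))        # device alone
    print(login_decision("correct horse", ENROLLED_DEVICE))
    print(login_decision("correct horse", other_pc))
```

The two failure cases from the post map to the first and last calls: the device alone is never sufficient, and the legitimate user on a different computer is challenged rather than locked out.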

Thursday, October 22, 2009

Keeping up in a Wireless World
by Gerald Trites

The number of wireless devices continues to grow almost daily, the latest being a plethora of e-readers, like the Kindle, which can connect to WiFi or 3G networks. Of course smart phones continue to grow smarter and more complex, with concomitant growth in functionality. Maintaining security and control in this environment is challenging.

Richard Schaeffer, Director, Information Assurance Directorate (IAD), National Security Agency (NSA), recently gave an interview in which he acknowledged this complexity and difficulty. He points out that the challenge is multifaceted. One important point he makes is that there is a pressing need to keep up with new technologies and quickly develop policies to deal with them. This requires vigilance and a fluid organization that can quickly move with the times. It's not so much understanding the technologies that is the issue, although this is important, but understanding the vulnerabilities they carry with them, and learning how to address these vulnerabilities.

Also, the new technologies work across a variety of platforms, so there is an unprecedented need for policies that reach across these platforms as well.

The interview presents an intriguing look at high end security policy and how it is being shaped by modern technology. There is a write-up on it here.

Thursday, October 15, 2009

More Secure Cloud Computing

Amazon is releasing a beta version of its cloud computing system that addresses a long-standing issue with the cloud: security. The new system enables the integration of virtual servers in the cloud with real servers within an organization's system on earth. This makes it possible to decide where particular information is going to be stored and therefore enables the organization to store its sensitive information within its more secure real servers, rather than in the cloud. This could have been done in previous systems, but was much more awkward to achieve, and therefore not a practical solution. The new system is a useful advance in the security of cloud computing. For more, see this article.

Thursday, October 8, 2009

Largest Phishing Case Ever

The FBI has announced that 52 people have been charged in a major phishing case that spanned several continents and took over two years to complete. Investigators say that "Operation Phish Phry" demonstrates the growing complexity and sophistication of international crime rings in planning and executing cyberfraud.

Phishing has been a major means of defrauding innocent people for several years now. It causes major difficulties for system administrators, who have some responsibility to try to protect their users from falling victim to phishing scams. However, there is only so much they can do, not only because the volume of phishing messages is large and the sophistication is growing, but also because in the end the success of a phishing expedition depends to some extent on the gullibility of the phishing message recipients. More on Operation Phish Phry at this site.

Thursday, October 1, 2009

Symposium on Information Integrity & Information Systems Assurance

The tremendously successful UWCISA Bi-Annual Symposium is under way from October 1 - 3 in Toronto. For information on the program, the papers to be presented and the presenters, see the UWCISA website. This year is better than ever, with a wide range of topics being covered by top international scholars.