The Current State of Cyberwar

March 9, 2011

An excellent article in the CS Monitor, discussing the current state of cyberwar and how it differs from conventional warfare and its doctrines. Not a lot of new material for those of us who work in the field, but an excellent summation for the layman.

Center for Password Sanity

February 24, 2011

The web page of Dr. Rick Smith features, among other things, The Center for Password Sanity. This is a set of essays, written while he was working on his book Authentication, all about passwords, their strengths, and their weaknesses. Definitely worth a read, and might even be worth passing along to managers who are still thinking that passwords should be handled the same way they were in 1988.

“Silent Fixes”

February 23, 2011

Every so often, Microsoft will issue security fixes that are not tied to a known vulnerability, and which are not intended as a response to a particular CVE bulletin. Many people refer to these as “silent updates”, since their purpose has not been publicly announced. Last week, an explanation of this phenomenon was posted on Technet.

Sanitizing SSDs

February 23, 2011

This paper (warning: PDF) from the Usenix FAST conference looks at an interesting question: with hard drives quickly giving way to solid-state drives (SSDs), how do we securely wipe data from workstations using the new technology?

From the paper:

Reliably erasing data from storage media (sanitizing the media) is a critical component of secure data management. While sanitizing entire disks and individual files is well-understood for hard drives, flash-based solid state disks have a very different internal architecture, so it is unclear whether hard drive techniques will work for SSDs as well.

We empirically evaluate the effectiveness of hard drive-oriented techniques and of the SSDs’ built-in sanitization commands by extracting raw data from the SSD’s flash chips after applying these techniques and commands. Our results lead to three conclusions: First, built-in commands are effective, but manufacturers sometimes implement them incorrectly. Second, overwriting the entire visible address space of an SSD twice is usually, but not always, sufficient to sanitize the drive. Third, none of the existing hard drive-oriented techniques for individual file sanitization are effective on
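The reason the paper's three conclusions come out the way they do is the flash translation layer: flash pages cannot be rewritten in place, so a host write lands on a fresh erased page and the old copy lingers until garbage collection erases its block. The toy model below is an added illustration, not the paper's code or any vendor's firmware; the drive geometry (8 logical pages on 12 physical, 3 blocks of 4), the greedy garbage collector, the "chip-off" raw dump and the deliberately faulty sanitize routine are all constructed assumptions. It reproduces the paper's pattern: a file-level overwrite leaves every secret page in raw flash, one whole-device pass still leaves remnants, a second pass clears them, and a sanitize command is only as good as its implementation.

```python
"""Toy flash translation layer (FTL) showing why overwrite-based sanitization
behaves differently on an SSD than on a hard drive.

Simplified, hypothetical model written for illustration only: it is not the
FAST paper's code nor any real SSD firmware.
"""
from collections import deque

PAGE_SIZE = 16  # bytes per flash page (constructed, deliberately tiny)


class ToyFTL:
    def __init__(self, logical_pages, blocks, pages_per_block):
        self.logical_pages = logical_pages
        self.ppb = pages_per_block
        self.phys = [None] * (blocks * pages_per_block)  # None = erased page
        self.live = [False] * len(self.phys)             # True = currently mapped
        self.l2p = {}                                    # logical page -> physical page
        self.free = deque(range(len(self.phys)))         # erased pages ready for writes

    def _erase_block(self, block):
        for ppn in range(block * self.ppb, (block + 1) * self.ppb):
            self.phys[ppn], self.live[ppn] = None, False
            self.free.append(ppn)

    def _gc(self):
        """Erase the block with the fewest live pages, relocating those pages first."""
        nblocks = len(self.phys) // self.ppb
        victim = min(range(nblocks), key=lambda b: sum(self.live[b * self.ppb:(b + 1) * self.ppb]))
        saved = [(lpn, self.phys[ppn]) for lpn, ppn in self.l2p.items() if ppn // self.ppb == victim]
        for lpn, _ in saved:
            del self.l2p[lpn]
        self._erase_block(victim)
        for lpn, data in saved:
            self._place(lpn, data)

    def _place(self, lpn, data):
        ppn = self.free.popleft()
        self.phys[ppn], self.live[ppn], self.l2p[lpn] = data, True, ppn

    def write(self, lpn, data):
        """Out-of-place write: the old physical page goes stale but keeps its bytes."""
        assert 0 <= lpn < self.logical_pages and len(data) == PAGE_SIZE
        old = self.l2p.pop(lpn, None)
        if old is not None:
            self.live[old] = False
        if not self.free:
            self._gc()
        self._place(lpn, data)

    def read(self, lpn):
        """Host-visible read: an unmapped page reads back as erased flash (0xFF)."""
        ppn = self.l2p.get(lpn)
        return self.phys[ppn] if ppn is not None else b"\xff" * PAGE_SIZE

    def raw_dump(self):
        """What reading the flash chips directly sees: live and stale pages alike."""
        return [p for p in self.phys if p is not None]

    def secure_erase(self):
        """Correct built-in sanitize: every block erased, mapping dropped."""
        self.l2p.clear()
        self.free.clear()
        for block in range(len(self.phys) // self.ppb):
            self._erase_block(block)

    def broken_secure_erase(self):
        """Hypothetical faulty sanitize: drops the mapping but never erases flash."""
        for ppn in self.l2p.values():
            self.live[ppn] = False
        self.l2p.clear()


SECRET, OTHER = b"SECRET", b"OTHER"  # constructed page markers


def page(tag, n):
    return (tag + bytes([n])).ljust(PAGE_SIZE, b".")


def fresh_drive(secret_lpns):
    """8 logical pages on 12 physical (3 blocks of 4): 50% over-provisioning."""
    ftl = ToyFTL(logical_pages=8, blocks=3, pages_per_block=4)
    for lpn in range(8):
        ftl.write(lpn, page(SECRET if lpn in secret_lpns else OTHER, lpn))
    return ftl


def visible_hits(ftl, marker):
    return sum(marker in ftl.read(lpn) for lpn in range(ftl.logical_pages))


def raw_hits(ftl, marker):
    return sum(marker in p for p in ftl.raw_dump())


def full_overwrite(ftl, fill):
    for lpn in range(ftl.logical_pages):
        ftl.write(lpn, bytes([fill]) * PAGE_SIZE)


def run_scenarios():
    out = {}
    # 1. Hard-drive style file wipe: overwrite only the file's own pages (lpn 0..3).
    ftl = fresh_drive(range(4))
    for lpn in range(4):
        ftl.write(lpn, b"\x00" * PAGE_SIZE)
    out["file_wipe"] = (visible_hits(ftl, SECRET), raw_hits(ftl, SECRET))
    # 2. Whole-device overwrite: remnants after one pass, then after a second.
    ftl = fresh_drive(range(8))
    full_overwrite(ftl, 0xAA)
    after_one = raw_hits(ftl, SECRET)
    full_overwrite(ftl, 0x55)
    out["full_overwrite"] = (after_one, raw_hits(ftl, SECRET))
    # 3. Built-in sanitize, correct versus faulty implementation.
    good, bad = fresh_drive(range(8)), fresh_drive(range(8))
    good.secure_erase()
    bad.broken_secure_erase()
    out["secure_erase"] = raw_hits(good, SECRET)
    out["broken_erase"] = (visible_hits(bad, SECRET), raw_hits(bad, SECRET))
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

Each tuple pairs what the host can still read (visible) with what a chip-level read finds (raw). The file wipe reads back clean yet leaves all four secret pages in flash; the faulty sanitize looks identical to a correct one from the host side, which is exactly why the paper verified by reading the chips rather than trusting the command's return status.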

Old Accounts

February 17, 2011

A recent survey conducted by Harris Interactive reveals that roughly 1 in 10 IT professionals still has access to accounts from a previous employer. And, considering that this was a survey of IT people, it’s pretty likely that these accounts are privileged in some way.

Are your employment termination procedures up to date?

(The survey has some other interesting conclusions as well, though I would take them with a grain of salt. Most of them concern account and identity management, and the survey was sponsored by a software company that just happens to have products in that space.)
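One concrete way to answer that question is to reconcile HR separation records against the directory on a schedule and flag any still-enabled account whose owner's last day has passed, privileged ones first. The script below is an added illustration, not part of the original post or the survey; the HR export, the account list, the column names and the set of privileged groups are all constructed sample data.

```python
"""Offboarding audit: accounts still enabled after their owner's last day.

Added example with constructed sample records; column names and group names
are assumptions, not taken from any real HR system or directory.
"""
import csv
from datetime import date
from io import StringIO

# Constructed HR separation export.
HR_SEPARATIONS = """employee_id,name,last_day
1001,Alice Adams,2011-01-14
1002,Bob Brown,2010-11-30
1003,Carol Clark,2011-02-28
"""

# Constructed directory export; groups are ';'-separated.
DIRECTORY_ACCOUNTS = """username,employee_id,enabled,groups
aadams,1001,true,Domain Admins;VPN Users
bbrown,1002,true,Staff
cclark,1003,true,Staff
dsvc,,true,Backup Operators
eevans,1004,true,Staff
"""

# Assumed list of groups that confer elevated rights.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Backup Operators"}


def load(text):
    return list(csv.DictReader(StringIO(text)))


def orphaned_accounts(hr_text, dir_text, today):
    """Enabled accounts whose owner has left; privileged and longest-overdue first."""
    last_day = {r["employee_id"]: date.fromisoformat(r["last_day"]) for r in load(hr_text)}
    findings = []
    for acct in load(dir_text):
        emp = acct["employee_id"]
        if acct["enabled"].lower() != "true" or emp not in last_day:
            continue
        if today <= last_day[emp]:
            continue  # owner is still employed through their last day
        groups = set(filter(None, acct["groups"].split(";")))
        findings.append({
            "username": acct["username"],
            "days_overdue": (today - last_day[emp]).days,
            "privileged": bool(groups & PRIVILEGED_GROUPS),
        })
    findings.sort(key=lambda f: (not f["privileged"], -f["days_overdue"]))
    return findings


def unowned_accounts(dir_text):
    """Enabled accounts with no employee on record: offboarding can never catch these."""
    return [a["username"] for a in load(dir_text)
            if a["enabled"].lower() == "true" and not a["employee_id"]]


def run_audit(today_iso):
    today = date.fromisoformat(today_iso)
    return {
        "orphaned": orphaned_accounts(HR_SEPARATIONS, DIRECTORY_ACCOUNTS, today),
        "unowned": unowned_accounts(DIRECTORY_ACCOUNTS),
    }


if __name__ == "__main__":
    report = run_audit("2011-02-17")
    for f in report["orphaned"]:
        flag = "PRIVILEGED" if f["privileged"] else "standard"
        print(f"{f['username']}: {f['days_overdue']} days past last day ({flag})")
    print("accounts with no owner on record:", report["unowned"])
```

The unowned list matters as much as the orphaned one: a service account nobody is recorded as owning will never be caught by a termination checklist, so it needs its own owner and review cycle.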

AOL Profits On Ignorance

January 24, 2011

Apparently, something like 60% of AOL’s profits are coming from customer ignorance. About 80% of their income is from subscription fees, and 75% of those subscribers have cable or other broadband connections – meaning, essentially, they’re paying AOL for nothing but an email address and a backup dialup account, presuming their computer has a modem.

That’s an interesting business model. But I don’t think it’s all that unusual – I can’t tell you how many times I’ve heard of things like maintenance or support contracts being paid for years after the specified hardware or software was taken out of service. If you’re in charge of that sort of thing at your business, it might be smart to take an audit of everything that’s still being billed and make sure that it’s still relevant.

Cisco’s 2010 Report

January 21, 2011

Cisco’s report on security trends from last calendar year [Warning: PDF File] has been released, and it’s an interesting read. Among the highlights:

  • An increase in attacks targeting iOS and other mobile platforms. In the past, desktop and server Windows operating systems were the main target of attackers; it appears that they are now after the sensitive information on mobile devices as well.
  • An uptick in the use of Java as a mechanism for exploits, both as a language for writing attack tools and, through the JRE, as a target.
  • For the first time in memory, global spam volumes were actually down this year (though the volume did increase in Europe).

If you’re interested in the current global landscape in information security, this report is definitely worth a quick read.