Stories by Stuart McClure and Joel Scambray

Etrade Makes the 'Hit' Parade

One of the classic security attacks is called the "salami technique." The phrase derives from an attack that takes down its target -- one thin, imperceptible slice at a time. One example is the theft of all of those leftover fractions of pennies that result from standard bank interest calculations (a computer program that redirects these into a personal account would probably go unnoticed for a long period of time).

What Does It Take to Secure Your Systems?

On the heels of the dismal security report card of numerous government agencies and the incessant attacks on high-profile Web sites, we wonder what it will take to secure the digital landscape in the new millennium. The U.S. General Accounting Office and the Inspector General released their report of 24 government agencies: Almost all received an F in security. In most of their attempts, the attack teams gained unauthorized access to data.

Quick! Uninstall All of That Popular Software

One of our more popular columns of late discussed the idea that authors of software should be found liable for actions performed by those who use it. We're still waiting for the formation of a new government body to combat this menace (call it the SFT -- Bureau of Software, Firearms, and Tobacco); but until that glorious day, we have another bone for the tort bar to gnaw on: Let's sue all the vendors of popular software packages simply because they're popular.

Carnivore Highlights Need for Public-Source Review

The U.S. Federal Bureau of Investigation announced the existence of an Internet wiretapping system called Carnivore. According to the FBI, the purpose of the system is to listen in on the Internet traffic of a suspected criminal in an effort to collect evidence, similar to what a wiretap of a phone system would provide.

Security Watch

The headline of this article includes a quote from the SANS Institute, regarding yet another Internet Explorer (IE) vulnerability discovered by Georgi Guninski. (See www.nat.bg/~joro/access-desc.html for Georgi's original advisory and www.sans.org/newlook/resources/win_flaw.htm for the quote.)

Security Watch: An Arsenal of Attacks

Anticipating this year's always titillating Def-Con capture the flag contest, we thought it appropriate to open our security toolbox and reveal the latest in the security implements trade. Of course we maintain that commercial security products have their place, but few replace the work we perform as security consultants.

Security Watch

Last week's column on the Life-Changes virus and Microsoft Corp. Windows scrap files got us thinking: Perhaps the quickest avenue to a mother lode of corporate data isn't through the front door. We've preached in this column more than a few times that Web (server) hacking is the bane of e-commerce, but recent events have made us take a serious look at the other end: Internet client software.

Guard Your Garbage from 'Dumpster Driving' Hackers

After years of information system security analysis, we have come to realize that the most damaging data is rarely trumpeted from the front page of the newspaper. True enough, The Wall Street Journal of June 16 ran only a small headline on the front page linked to an article on page A3 describing an attempt by shady individuals to purchase garbage from the Washington offices of a company associated with Microsoft.

Security Watch

One denial of service and virus attack after another has snapped the federal government out of its complacency to realize that there is, in fact, a computer security problem.

Security Watch

The security community often likes to think in terms of black and white. When someone posts an advisory recounting a security vulnerability, everybody goes out and fixes it, and then goes back to business. Of course, reality is rather grayer. Take, for example, the recent announcement of a handful of semirelated vulnerabilities in Microsoft Corp.'s Internet Information Server (IIS) that looked fairly straightforward. Peering between the lines, however, makes for more interesting reading.

Privacy, Microsoft and the Feds

Has anyone considered that Microsoft Corp. and the federal government might deserve each other? With the recent arrival of the Children's Online Privacy Protection Racket, er ... Act (COPPA), the current administration has delivered on its vision that "it takes a village" to raise a youngster in today's Internet-corrupted culture. With the assistance of overeager beavers such as Microsoft's Hotmail service, we have sunk to a new low in this "free" society.

Your Best Defense Against Hack Attacks

If you spend too much time bantering in security circles, you're bound to hear the dogma: Technology won't solve your security problems anytime soon, so stick to the basics, such as policy, risk mitigation, vigilant monitoring, disaster preparedness, and -- most important -- keeping informed on the latest attack information. As disheartening as it may be, it is true.

Security Watch

The Internet Security Conference (TISC), held in San Jose, California, each year, always brings out the top names in the security industry to rant and rave about its highlights and lowlights.

Security Watch

Well, it turns out that Microsoft Corp. is a lot more competitive and contentious than even the mainstream media claims. The "secret password" that was hyped as a backdoor to hundreds of thousands of Web sites by The Wall Street Journal April 14 turned out to be the text string "!seineew era sreenigne epacsteN" (read it backward). Now that's what we call monopolist behavior -- name calling!

Vulnerabilities in E-Comm Apps Challenge Security

We've been touting for some time the critical nature of Web and e-commerce security. Unlike traditional security risks, attacks on e-commerce are moving up the protocol stack to the application layer, effectively blinding many security detection and prevention products. The Web onslaught has only begun.

[]