Stories by Roger A. Grimes

Unauthorised apps are still bad

As expected, I caught a lot of flak for last week's column suggesting that one of the better, real security solutions an administrator could implement is to prevent unauthorised programs from executing on business-owned computers.

Effective security isn't easy

Last week, the curmudgeon in me had a bad day. After reading about new exploit after new exploit while people keep recommending the same old security solutions, I lost it.

The real security solution

I had yet another computer journalist call me to ask if Vendor X's security solution was THE security product to solve all our security problems. I get a call or e-mail like this about once every two weeks. Usually they've read the vendor's own PR, another newspaper article, or even my own column touting a particular product.

How SSL-evading trojans work

SSL-evading trojans bypass the secure and authenticated tunnel mechanisms that are the safety backbone of today's Internet banking and financial institutions. As with any trojan, this type can do anything allowed by the user's security permissions.

Security Adviser: Schneier sensible

Have you ever had one of those moments where something you knew to be certain was turned upside down and you learned you had been wrong ... for years? A lot of Bruce Schneier's writing gives me moments like that.

Blasting away security myths

During my nearly two-decade computer security career, I've always been amazed by how many security myths are propagated as fact by readers, instructors, leaders, and writers.

Debunking computer monoculture

Ever since Dan Geer was fired in 2003 from @stake.com for being an author of a paper on the negatives of a computing monoculture, I've seen article after article recommending that administrators do away with their computer monocultures as a way of minimizing or defeating malware and hackers.
A computer monoculture is a paradigm that says if all your computers are of one type or OS platform, you are more at risk of malicious attack because of all the commonalities an attacker can exploit.

Port knocking's time has come

Many, many innovations come from the Linux and Unix world. Few are more intriguing to me than port knocking. As a global security plug-in to protect services, it has a lot going for it and few downsides. However, for one reason or another, it suffers from lack of use and understanding. A lot of administrators may have heard of it, but few know how to implement it. Even fewer have used it.

Controlling the uncontrollable user

A large percentage of computer security problems have origins in a common issue: end-users installing or running programs without administrative approval and control.

IT security got better in 2005

An interesting thing happened last year: It appears that 2005 wasn't worse, security-wise, than the previous years. Sure, malware and hackers were as crazy as ever, but when I asked many of my computer security friends if 2005 was better or worse than previous years, every one of them said it was better. Granted, our survey is far from a scientific poll, but the collective responses were surprising nonetheless.

Microsoft security is nothing to sneeze at

I frequently have people write to me to discuss how much Windows sucks and how great open source is. They say it as if Windows is my only security problem and Linux, Apache, and Firefox are our saviors.

The buzz about fuzzers

Writing perfect secure code is hard. Daniel J. Bernstein has probably come the closest to it in practical, publicly released software. With his almost maniacal drive for security perfection, he has written multitudes of software that remain unbroken.

Time for a stand-down review

I'm frequently called to implement advanced computer security infrastructures, things like PKI, network-access management, intrusion protection systems, honeypots, and intrusion detection systems. Although I'm glad to offer my assistance and experience in planning and deploying these types of systems, I'm often surprised about a given organization's disregard of the basics.
