Category: News

In a document titled “Foreign Travel Threat Assessment: Electronic Communications Vulnerabilities,” published June 10 by the DHS’s critical infrastructure threat analysis division and recently posted to Wikileaks, DHS urges business leaders and U.S. officials to “leave [electronic devices] at home” when traveling.

Recognizing that for some it may be impossible to travel without a laptop and phone, DHS recommends buying a single-use cell phone locally, carrying a designated “travel” laptop with a minimum of information on it, and using temporary Internet e-mail accounts that are not associated with a corporate or government entity.

“Even with these strategies, however, travelers should assume that all communications are monitored,” the DHS Threat Assessment says. “All visitors should be aware that they have no reasonable expectation of privacy in public or private locations,” the bureau warned.

Peter P. Swire, a law professor at Ohio State University’s Moritz College of Law and a senior fellow at the Center for American Progress, says travelers ought to take such warnings seriously and practice good computer hygiene.

Nonroutine searches, such as a strip search, are distinguished by their invasiveness and require a “reasonable suspicion” that the person searched is involved in an illegal activity. It’s not clear from a legal perspective whether laptop searches are routine or nonroutine, and it probably won’t be until the Supreme Court rules on the issue or Congress passes a law requiring reasonable suspicion for searches of electronic devices, which could happen next year.

http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=210601724

If the software detects that your phone’s SIM card has been altered, it will notify your reporting contact phone, sending them a log of calls and messaging activity made on the phone.

By sending a “Hang” command to your stolen phone, a loud alarm goes off repeatedly. The only way to make it stop — short of smashing the phone — is to remove the battery.

But that is only short-term relief, as Jain happily explained, since the alarm will resume blaring the moment the battery is replaced. “We’ll have support for Blackberry and Windows Mobile devices in the next four to six weeks,” Jain later told InternetNews.com.

Jain said the company is negotiating with carriers and other potential partners and expects to have information on rates and availability in the U.S. shortly.

According to Maverick’s Web site, another feature of the software, called “Spy Call”, will let the owner call the stolen device from the reporting phone.

http://www.internetnews.com/mobility/article.php/3770266/An+Alarming+Development+at+Tech+Conference.htm

To measure a company’s ability to deal with security incidents, the group suggested that companies measure the mean time between security incidents and the mean time to recover from security incidents.

As an indicator of a company’s network security readiness, companies should measure the fraction of systems configured to approved standards, the fraction of systems patched as per corporate policy, and the fraction of systems with antivirus software, CIS stated.

Finally, companies should review their software applications for potential security issues by measuring the fraction of business applications that have had a risk assessment, the fraction with a penetration or vulnerability assessment and the fraction of application code that had a threat-model analysis or security code review prior to deployment.

http://www.securityfocus.com/brief/814?ref=rss

Some major hosts have no TTLs or very low TTLs and, for those servers, you gain very little, he said.

“If we can’t override them — can’t override high TTLs — those sites go down for a very long time,” Kaminsky said.

“I never claimed my one-character patch would fix all bugs in bind (sic) — I don’t have that kind of power,” Somlo joked on the mailing list.

http://www.securityfocus.com/brief/808

The technology, known as DNSSEC, promises to secure the domain name system (DNS) against attempts to subvert the infrastructure, such as the cache poisoning attack found by researcher Dan Kaminsky earlier this year.

Because of the technical hurdles — and the political problems in designating companies or governments to hold the keys to the domain-name system — both governments and private sector companies have held off deploying DNSSEC for more than a decade.

The OMB has set a deadline for initial implementation plans of September 5, with mutually agreed on final plans completed by October 24, 2008.

http://www.securityfocus.com/brief/807

“If you look at log files or system events to understand what is going on in your machines or in your network, a lot of people look at their textual logs.” The goal is to take network traffic, intrusion defense system and firewall data and begin visualizing pieces of it to create an overall picture of the company’s security posture. When you start developing the appropriate chart or graph to better flesh out the data, you can begin to see patterns and sometimes certain pieces of information stand out, Marty said.

Firewall log files would be useless with little domain expertise on staff to help generate graphs.

Marty has released a Linux CD called Data Analysis and Visualization Linux (DAVIX).

“With firewall log files, you don’t need to know what specific IP address is connecting to me from the outside,” Marty said. “You can cluster it to get a general idea of what happened and then if you want to drill down you can open up that cluster.” For example, a chart or graph could help visualize violations per Payment Card Industry Data Security Standard (PCI DSS) requirement, helping companies determine where they fall short of the standard. It can be used to audit large database management systems, such as Oracle and Microsoft’s SQL-Server to figure out who accessed a particular table, and whether the database table was altered.

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1327341,00.html