Category: Uncategorized

Gathered at the Millennium Hilton across the street from the site, attendees of the Fall 2004 Biometrics Summit heard about the challenges and benefits seen by those who would implement biometrics, both before and after the 9/11 attacks that put a greater focus on security needs.

Acknowledging that most of the 9/11 attackers used driver’s licenses to board the airplanes they would use as weapons, one presenter said biometrics should be a key tool, in conjunction with better verification of identity-proving documents, in the process of obtaining driver’s licenses.

Illinois was the first to use facial recognition technology in its DMVs, four years before 9/11, and the state is currently preparing an upgrade to its systems, said Beth Langen, administrator of the policy and programs division of the Driver Services Department in the Illinois Office of the Secretary of State. The measures have helped combat fraud, catching those who try to get multiple licenses for different identities. In all, 1,700 cases of fraud have been discovered using the facial recognition software, with 173 people claiming three or more identities.

Originally, the department had considered using fingerprint readers, but went with facial recognition for several reasons. It now contains 16 million pictures, and it is growing by 8,000 to 12,000 every day. The department had used a sign-up sheet before that, but employees who didn’t want anyone to know they came in late started ripping out pages, said Malachy Higgins, chief of administration. The office tried using card readers, but found that administering the cards was a big headache, and if they were going to be late, employees could give cards to others who went in earlier to make it appear that they were on time.

Scott Sykes, group managers of strategic technology at Capital One, encountered a lot of resistance to his ideas for bringing biometrics technology into the financial services firm. The fundamental point of resistance was whether the reduced risk, cost savings and increased efficiency outweigh the expense required, Sykes said. Biometrics readers aren’t built into laptop or desktop computers, making the readers a hassle to add into a network.

Until these hurdles are overcome, biometrics will have a hard time getting a foothold in most enterprise companies, Sykes said.

http://www.nwfusion.com/news/2004/1028biometrics.html

In a blog post titled “Why you shouldn’t be using passwords of any kind on your Windows networks”, Robert Hensing argues that the inclusion of password-cracking tools in recent worms and trojans illustrates the need for sturdier authentication schemes.

Hensing notes that Windows 2000 and Windows Server 2003 support passphrases of up to 127 characters, including spaces and unicode characters.

Some older Unix versions using the Data Encryption Standard (DES) only support passwords up to eight characters, or ignore any characters after the first eight.

Epps suggests an alternative method: select a passphrase, type out the first letter of each word, and any numbers and punctuation that come out of it.

Even longer passphrases are not immune to crackers who are persistent with dictionary attacks, powerful processors and social engineering, as noted in the passphrase FAQ, which emphasizes that good passphrases should be obscure. “The short version on common phrases is don’t use them ever,” it advises.

Microsoft will have more to say on passphrases, according to Hensing, whose blog post has been widely discussed on mailing lists in recent days.

http://news.netcraft.com/archives/2004/10/21/microsoft_blogger_replace_windows_passwords_with_passphrases.html

“Regulations recognize you can’t protect yourself from everything,” Proctor told delegates at Thursday’s Information Security Decisions conference.

But, he acknowledged, their built-in flexibility also can work against an organization if controls aren’t mapped to a proactive, process-oriented security program based on an ongoing risk assessment.

Corporate governance-oriented SOX, which holds public companies’ top executives accountable for internal data controls, is especially vague on security.

The real deal with Sarbanes-Oxley: Perspectives for the security manager Delve below the surface and examine how SOX applies to the work done by the security manager.

Companies that must meet multiple regulatory laws should find common denominators and then roll out a security program based on the general legal requirements, such as record-keeping, incident reporting and following best practices.

Build a defensible case for anyone likely to challenge those controls, such as data owners and both internal and external auditors who ultimately decide who is and isn’t meeting security and privacy guidelines.

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1013875,00.html

PLCs are microprocessor-based systems programmed to make the timing and control decisions in machine automation that once required arrays of electromechanical relays.

On older systems, PLCs communicated over RS-232 serial lines — slow going, but relatively secure. But modern PLCs can plug right into a plant’s Ethernet, exposing them to whatever threats lurk therein.

Coming from an IT environment, Cupps hoped to find that the control systems at his company’s plants were protected by at least as much security as a Windows desktop. The controls systems at Cupps’ company are made by Rockwell Automation, but Cupps hastens to point out that the absence of authentication on PLCs is an industrywide problem, and not at all limited to one particular vendor.

Other experts agree, and say the root cause is historical: the control systems rely on protocols and industry standards that were built for dedicated serial lines – not shared TCP/IP networks.

“It’s script kiddy material to control PLCs,” says Eric Byres, a researcher and critical infrastructure security specialist at the British Columbia Institute of Technology (BCIT).

The implications are disturbing to Byres and Cupps; in factories across the globe PLCs control pumps, conveyer belts, paint sprayer booths, welding machines, motors and other equipment. “We found numerous ways to perform single-packet denial of service attacks against PLCs,” says Byres.

The 13 cyber security incidents logged between the years 1982 and 2000 were almost all attributable to accidents, inappropriate employee behaviour, or sabotage by disgruntled employees.

Processer Power Issues In a lot of those external attacks, control systems were merely collateral damage from IT issues like worms, “because we have Windows running all over the plant floor,” says Byres. Michael Bush, security program manager at Rockwell Automation, acknowledges that Ethernet-enabled control systems “change the rules significantly” from the days of dedicated serial lines.

For his part, Cupps says he took emergency measure to shore up the control systems at his company, then committed to a massive reorganization of its networks, putting the factory floors on their own subnets, adding firewalls between them, and installing intrusion prevention systems, among other things.

http://www.securityfocus.com/news/9671

Rather than thinking about the value of their mobile or laptop, employees need to be trained about the value of information to their company,” said Perry.

Esther George, policy advisor for the Criminal Prosecution Service (CPS), said that the authorities are limited in what they can do when it comes to prosecuting criminals by a general reluctance on the part of companies to admit to hack attacks.

During the debate, some criticism was made of the lack of new legislation to tackle hacking but George argued that despite the lack of new laws, older ones were wide enough in scope to be applied to modern Internet crimes.

Martin Jordan, a senior manager from KPMG, said that despite the best efforts of the security community, end users would always be playing catch-up to hackers and criminals — what companies need to decide is how far they are want to lag behind.

During the debate, some criticism was made of the lack of new legislation to tackle hacking but George argued that despite the lack of new laws, older ones were wide enough in scope to be applied to modern Internet crimes.

Computer Associates’ Perry said that another key factor in combating hacking is for home users to take security as seriously as business users, because many new viruses and spyware are propagated on personal machines.

http://news.zdnet.co.uk/internet/security/0,39020375,39168216,00.htm

An emerging class of security compliance gateways can scan networks to ensure that any new machines being hooked onto the network comply with an organization?s security policies and are configured properly, said Alan Paller, research director at the SANS Institute, a security training and education organization.

The four essential items are:
1. Vulnerability Management
2. Automated Patch Management
3. Enterprise firewalls and intrusion prevention
4. Token Based Identity Management

http://www.fcw.com/fcw/articles/2004/0920/tec-4sec-09-20-04.asp