
ZDNet UK



Tom Espiner


Security Bullet In

Communiques from the security front, sir

Tuesday 6 May 2008, 4:17 PM

Google sponsors open source security project

Posted by Tom Espiner

Google has announced it is to sponsor oCERT, an open source computer emergency response team.

In a blog post on Monday, Google security engineer Will Drewry said that one of the problems with open source security was getting fixes out quickly to everybody using a particular piece of open source software.

"It has been unclear how to best resolve this issue. There is no centralized security authority for open source projects, and operating system distribution publishers are the best bet for getting updates to the highest number of users," wrote Drewry. "Even if users can get updates in this manner, how should a security researcher contact a particular project's author? If there's a potential, security-related issue, who can help evaluate the risk for a project? What resources are there for projects that have been compromised, but have no operational security background?"

So, Google will donate some sponsorship to the oCERT project, to try to address some of these issues.

It's a shame Drewry declined to wade into the long-running debate about which is more secure, open source, or proprietary software.


Tuesday 6 May 2008, 12:38 PM

Indian officials accuse China of cyber attacks

Posted by Tom Espiner

China is actively engaged in mapping India's computer networks, according to the Times of India.

China is mounting "almost daily" attacks against Indian Government computer systems, including scanning networks for possible vulnerabilities to exploit in the event of conflict, said the TOI. According to the article, over the last two months China has attacked the Indian National Informatics Centre and the Ministry of External Affairs.

The Chinese are also compromising Indian computers to create botnets for possible future DDoS attacks, and installing keyloggers for espionage purposes, the article claimed.

While this wouldn't surprise me, it also wouldn't surprise me if all major countries with sophisticated IT infrastructures were doing the same thing. I've talked to UK politicians before who have told me, in a head scratching way, that a scan of their computers (it was by guys from Trend Micro) revealed that there were over 30 pieces of malware installed, including keyloggers, on their computers in the Houses of Parliament.

Who has subverted those systems? Why, probably everybody who could.

The Times of India claim echoed comments made to me at the recent Infosecurity Europe 2008 by Alan Paller, the director of research for the SANS Institute, who said that 25 countries were all engaged in some form of cyber intelligence gathering, while countries including China and France also gather commercial intelligence on private sector organisations.

"My guess is there are 25 countries being involved in this at some level or another," said Paller. "The commercial side of it seems to be more China and France."


Tuesday 29 April 2008, 5:10 PM

XP SP3 out on general release

Posted by Tom Espiner

The third service pack for Windows XP has been released to Windows Update for voluntary download.

The service pack, which has been available to manufacturers and volume licence customers since 21 April, mostly seems to be a round-up of previous updates to XP. However, according to the XP Professional SP3 summary document, it also turns on "Black Hole" router detection by default, adds a network access policy enforcement platform, and has a "more descriptive" Security Options control panel.


Friday 18 April 2008, 5:44 PM

ISO may change its processes following OOXML debacle

Posted by Tom Espiner

The normally august International Organisation for Standardization (ISO) has said that it may change its fast track processes following the controversy around Microsoft's Office Open XML.

I've been involved in a long and very interesting round of emails between myself, a spokesperson for ISO, and Dr James D. Mason, who until the autumn chaired SC34, the ISO committee in charge of document specifications.

I did also ask Microsoft for its opinion this morning, but most correspondence from me gets forwarded to Redmond for a response, and Redmond is in a different time zone.

I asked the ISO spokesperson whether Microsoft's actions, which included encouraging partners to join the national standards bodies and vote in favour of OOXML, had damaged ISO's reputation, and whether it will prompt ISO to change its processes. According to earlier Microsoft statements, other companies including IBM have also tried the same tactics.

The spokesperson wrote:

"The issue of revising the fast-track procedure, or any other ISO or IEC procedure, is an ongoing process, and the experience with ISO/IEC 29500, along with the results of other standards-development activities, will indeed assist to determine whether further continued improvements should be made."

So it seems that ISO may be scrutinising its processes. You can read more in the story I wrote about Tim Bray (XML author) and Dr. Mason's comments about OOXML and ISO.

James D. Mason's comments were very interesting. There wasn't enough space to print them in full in the story, so I'll reproduce one of my questions, and Mason's answer here:

Q. As OOXML has now been ratified, would it be fair to say that ISO had its hands tied by its own processes, in that SC34 had to accept the votes of the National Bodies?

A. "JTC1 has been concerned about the perceived long time needed to approve standards for a very long time. More than a decade ago, they were worried that they were slower than the IETF. Then they worried about the W3C. The Fast Track process is an outgrowth of those worries, but it is a process that's rarely been used and so wound up getting its first serious test in the ISO 29500 case. It's fairly clear that the process is broken; even some people at Microsoft think that.

But the fundamental problem is with the overall ISO business model and process.

It's supposed to be a democratic process, driven by national standards bodies, each of which can set its own procedures. The recent experience shows that is full of pitfalls: Small National Bodies simply don't have the resources to do an adequate job of participating in lots of committees. They're generally volunteer organizations, and they take all the help they can get. So if Microsoft sends a volunteer, they take him. On the other hand, large national bodies, such as INCITS, which does the JTC1 work for ANSI, are heavily politicized, and that often prevents decisive action. V1, which does SC34 work in INCITS, was at a stalemate, and INCITS cast a U.S. vote that represented political decisions by the board rather than technical consideration of the issues. Something similar happened in Norway.

ISO, and JTC1 in particular, respond to the presence of other standards-making bodies not by looking at their overall business but by knee-jerk reactions, like creating the Fast Track process. I've been saying for more than a decade that JTC1 simply doesn't understand standards making in the Internet age. The IETF and then the W3C were created for the Internet age. One of the keystones of their operations is that they are online, and all texts are freely available. ISO still has a model that (1) requires face-to-face meetings and (2) expects to pay for operations from the sale of paper documents. I can't begin to tell you how many small NBs wrote me, expecting me to send them paper copies of DIS 29500, all 7000 pages of it! We have to remember that many national bodies have built large paper publishing organizations. Indeed, DIN, in Germany, seems to have started as a publishing house in the 19th century and only gradually evolved into a standards-making body in the 20th.

I don't know that the W3C's operating model is more fair or that it produces better standards than JTC1's, but it has different fundamental assumptions. For me, working in a service organization in a government agency, it was much easier to participate in ISO because getting voting membership in the W3C requires joining the consortium, which is very expensive. I also know that there is a whole bunch of people who left SC34 and went to the W3C when XML was getting started and then came back to SC34 because they got fed up with the particular politics of the W3C."

ISO denied that its processes were broken - the ISO spokesman wrote (in part):

"The JTC 1 fast track process is not a new development, it was introduced about 20 years ago. The total number of JTC 1 standards that have been fast tracked is 267, of which 212 are current today.

The ISO process continues to work well, producing about 100 new and revised standards every month. The ISO process continues to deliver voluntary international standards that are broadly accepted in the marketplace and by regulators, consumers, governments and other interests.

ISO/IEC 29500 has attracted a great deal of publicity and pointing out that ISO has a current portfolio of more than 17 000 standards which benefit business, government and society puts this publicity into context. The amount of publicity related to ISO/IEC 29500 on the Internet and in the press is itself an indication of ISO's success in developing standards. Its work for the IT sector has facilitated the growth of important applications, e-business and the overall exchange of information."


Friday 18 April 2008, 5:01 PM

Chinese attack on CNN predicted

Posted by Tom Espiner

A contributor to the 'Dark Visitor' blog has predicted an attack on news company CNN.

The blog, which claims to track Chinese hack attacks, has said that the attack will occur on April 19 at 8.00 pm, Beijing time. I can't read Chinese, but according to the Dark Visitor contributor 'Heike', calls for a distributed denial of service attack against CNN's website have appeared on various Chinese language websites.

The call for a DDoS attack is apparently in retaliation for coverage of the recent violence against Tibetan liberation protesters, those vicious Buddhist monks.

Meanwhile, on Tuesday security vendor McAfee found an interesting piece of malware. According to McAfee, the file that was being distributed appeared to be a cartoon of a Chinese gymnast doing a vault at the upcoming Olympic games, for which she was given nul points by the judges. There are then images supporting a free Tibet.

However, while the film ran, a keylogger with a rootkit was installed onto the user's PC. The cartoon was being distributed as an email attachment called "RaceForTibet.exe", while captured information was transmitted to a computer that appeared to be located in China.

Perhaps a way for pro-Chinese supporters to keep an eye on pro-Tibetan supporters?



Tom Espiner
  • Tom Espiner
  • London, UK
  • Member since: October 2006
ZDNet Staff