Industry News

Can Germany really ban hacking tools?
This week’s Security Blog Log roundup starts with Germany’s stunning move to ban hacking tools. I use the word stunning because I don’t see how any government could possibly enforce such a thing.

According to The Register, Germany is updating its criminal code to define denial-of-service attacks and attempts to spy on third-party wireless networks as criminal actions. Punishment would include a fine and up to 10 years in jail. The regulations also make it a crime to bypass computer security defenses to access sensitive data. As part of all this, it becomes illegal to make, use or distribute hacking tools.

Before the changes, only direct attacks against companies and government organizations were considered indictable offenses, the report noted.

As security professional Dave Lewis puts it in his Liquidmatrix blog, this sounds like a bad idea on so many levels.

“Think of the countless sysadmins that use ‘hacking’ tools to make sure their systems are secure,” he wrote. “I must admit this seems absurd. This will not preclude attackers from using them, of course, which would put the ‘defenders’ on very unstable footing. Now, I’m curious if this would encompass tools like EnCase and Forensic Toolkit?”

Lewis isn’t the only one who thinks the move is crazy. Chaos Computer Club spokesman Andy Mueller Maguhn has been quoted in several publications, including the Chaos Computer Club site, saying that “safety research can [now] take place only in an unacceptable legal gray area.” The group also worries the new legislation will make it easier for police to obtain information by hacking—something that was outlawed by the courts a few months back.

These are good points. And whether the good guys or bad guys decide to break the law and use their hacking tools, one has to wonder how any government could enforce such a ban. I’m interested in any thoughts readers may have on this.

Reaction to Google security moves

There’s plenty of blogosphere buzz about Google’s recent security activities. Last week, I wrote about how Google has started its own security blog, and Wednesday I wrote of Google’s acquisition of GreenBorder Technologies.

In general, bloggers think Google is moving in the right direction, though they are still trying to get a clearer idea of the search giant’s larger motives.

The Darknet blog said it seems as though Google is moving heavily into Web applications and application security with a specific focus on malware defense.

“It’ll be interesting to see what happens to [GreenBorder] after the acquisition and if they get merged into Google’s existing product folio (Google Toolbar?) or [if] Google will develop it further,” the blog said.

In SearchSecurity.com’s own Security Bytes blog, my colleague Dennis Fisher wrote that Google seems to be on the right track, though it’s still unclear to him what the company’s intentions are regarding security.

“Will they be releasing Web security tools for users and webmasters to implement? Or will the security folks just be working behind the scenes on in-house projects?” he asked. “It’s probably too early to tell, but if the recent past has taught us anything about Google, it’s that the company doesn’t do anything halfway or without a lot of forethought. That might portend more sleepless nights for security vendors who already have to worry about Microsoft encroaching on their turf and now have the considerable shadow of the Googleplex hanging over them.”

Was too much made of Estonia attacks?

The blistering cyberattacks against the Baltic nation of Estonia in recent weeks have gotten plenty of media attention, and

You might remember that the Russian government was initially thought to be the instigator of the attacks, but that researchers eventually determined that ragtag groups in command of botnets were the culprits.

Graham vented his disgust over the media’s rush to judgment in the Errata Security blog.

“Journalists love the story and have been blindly repeating it,” he wrote. “This story reflects the general paranoia of the Internet. Whenever anything happens, people seek to uncover the ‘plan’ behind it. In reality, most bad things that happen on the Internet occur by happenstance, without any plan or conspiracy behind them.”

Unfortunately, he added, “happenstance” is not a legitimate story angle that reporters can report on.

How vendors should handle flaw findings (or not)

I end with this amusing item from Dave Goldsmith in the Matasano Chargen blog on reporting a flaw in the Web 2.0 world.

Here’s his account of what happened when he reported a vulnerability on a Web site developed by a popular Web 2.0 company:

“Step #1: I send in a vulnerability report. I explain the vulnerability in a concise email and include repro steps.

They reply:

Thanks for the tip, David. It’s been noted.

I reply:

Can you give me some guidance on your response guidelines to security vulnerabilities? Is there a timeframe that you try and have vulnerabilities fixed by?

They reply:

Hi David, We’re always looking for new ideas and fixes to roll out in future updates but as a rule we don’t comment on possibilities or timeframes.

I reply:

How will I know when this vulnerability is fixed?

They reply:

Actually, they don’t reply at all.”

Maybe the company in question will have a starring role in the next “month-of” disclosure project.

Technorati Tags: Google+security, German+security


Source: feeds.feedburner.com

Mobility forces Sun to open Windows
Had an interesting conversation with new Sun Microsystems CISO Leslie Lambert this week. Lambert is a Sun veteran having held a litany of IT roles including several line-of-business CIO titles. Lambert shared a little bit about her short- and long-term goals and they include different aspects of identity management such as role-based access controls, and change management. The most interesting, however, reflects concerns any enterprise with intellectual property would have: data protection and mobility.

Sun is a global enterprise and its development and sales forces operate on campuses around the world. Sun Ray virtual desktop Java thin clients will remain standard issue, she says, but the need for mobility means a prevalence of Macintosh and Windows-based notebooks and devices. This is unavoidable and necessitates some flexibility and admittedly some security tradeoffs, says Lambert, who carries a Sony P910 mobile phone.

“Sun is an environment where we have not permitted a lot of Windows desktops. We’re shifting there,” Lambert says. “With our [employees] working from home or various campuses, the need to put more mobile devices for productivity is a reality. We’ll have to now focus on higher levels of data protection.”

Lambert says Sun employees can expect a ramp-up of awareness programs and of security tools on those devices, including antivirus, a firewall and network access control that authenticates and audits a mobile device before it is allowed onto the Sun network. In addition, depending on how the data on a device is classified and on the employee’s job responsibilities, laptops may soon ship with hardware encryption as standard; all of them will have encryption software installed.

“Sun has been in a position to be able to create so much unique intellectual property to offer to the industry,” Lambert says. “Our collection of IP is who we are; protecting that is important.”

Technorati Tags: Sun, Java, identity+management, access+controls, intellectual+property, Leslie+Lambert


Source: feeds.feedburner.com
