2004-12-14

Newsflash

Not much in the security industry has been afoot that a million people haven't already commented on, such as the Lycos debacle, which is nicely summarized, including repercussions & fallout, on SecurityFocus by Mark Rasch. As a brief aside, I'd just like to comment that while civil suits might be a deterrent for future acts of "vigilante-ism", there really should be criminal repercussions as well.

I have a long article planned concerning the impending release of the 2004 OIG FISMA report (the 2003 report is available here). For those of you fortunate enough to not be bogged down with US Government bureaucracy, this is the report that assigns grades to, and evaluates the posture of, information security at all major US Government Agencies. My comments could apply to last year's report, but will be more timely with the release of 2004's report and have more meaning using updated statistics in examples. Free preview without spoilers: FISMA is good, but could easily be better.

One perennial story that's never gotten a whole lot of attention is the ongoing drama between a Las Vegas adult service operator and Sprint, the local phone company. The issue, in its most basic form, is a lawsuit by the adult service operator accusing Sprint of negligence and seeking damages from supposed lost business. He claims business was lost when hackers compromised Sprint's equipment and redirected calls to his competitors. When I first read about this story a few years ago, it was so sensational that I was hesitant to believe it. The accuser has strong "anecdotal evidence," and after following the story I don't believe it's that far-fetched. Virtually no one's equipment was secure in 1994. What's disturbing is the reason that it was dismissed in 2002: "Sprint's security is no better nor no worse than that of other telephone companies." Excuse me, come again? Just because everyone else had poor security doesn't make Sprint less liable. IANAL, so this may hold in a legal sense, but it's horrible logic. At the very least this case deserves some close technical scrutiny.

On a much more technical (and lighter) front, ISC handler Cory Altheide gets my InfoSec gold star for using the phrase "packet-fu" in a summary of the strange UDP packets some of us InfoSec folk have been seeing on the Internet the past week.

And, on a final note, Penn State is now recommending its users switch from Microsoft Internet Explorer to an alternate web browser that is more secure. I've been recommending this for months.

=======

As a postscript, my apologies for getting this out so late. I had this article completed a number of days ago but technical difficulties prevented me from posting it until now.
