+1 812 868 ROSS (7677)

National Vulnerability Database

I’ve been following this for sometime… This is an important resource of information for keeping up on information relating the vulnerabilities of a variety of technological systems.

We have a pre-disposition to believe that Windows is the only real attack vector in our information infrastructure, but the reality is that, though it is a huge target, other systems sport vulnerabilities waiting to be exploited.

To that end you’ll see on the right hand side of the page, a new list of the recently found exploits as published by the DHS and NIST on systems vulnerabilities.

This is a difficult position, because I hate fear mongering, and hate being the one to shout "the sky is falling!" But if you saw the piece from Wired Science on PBS October 3rd, you’ll see there is some merit to being concerned. "Forewarned is forearmed" as the saying goes.

World War 2.0

I sat down after dinner tonight to begin studying for a data analysis assignment I had been putting off when I noticed a story that caught my eye on the new PBS series “WIRED Science.”

The story titled “World War 2.0” talked about the recent botnet attacks by Russian loyalists on the country of Estonia. It seems that after the end of World War II the Soviets drove the Germans out of the country. Now in the 21st century, Estonia is a member of the EU and NATO. In an attempt, Josh Davis, the story’s author points out, to distance themselves from their Soviet past, many ethnic Russians were none too happy about the idea, and took to the streets.

It’s here that the story gets interesting, see some of these ethnic Russians are also consummate computer hackers, and when physical riots didn’t produce the desired effect, they took to cyberspace. Through the use of several botnets, these hackers created an astounding display of cyber-warfare or cyber-terrorism, by launching a large scale distributed denial of service attack at the several high profile targets including the largest bank in Estonia, Hansapank, and one of the leading newspapers Postimees. The affects were devastating, people were cut off from the bank for days, and the country had effectively garrisoned itself from the rest of the wire world. No news, no information, was allowed in or out.

So here’s the point, and a warning; launching an attack like the one that hit Estonia would have little effect on the resources of the United States. But proportionately sized, not out of the question by the way, would cripple the information infrastructure of this country. Now all of a sudden, who needs nukes? Distributed computing, some ingenuity, and a political agenda are all that’s needed to cripple a businesses, county, city, or state agency. And if you think these activities are being executed by pimple faced teenagers with a grudge and a notebook, think again. Several countries in the far east and pacific rim have state sponsored cyber-warfare programs with the specific agenda of disabling national and private infrastructure, it is far more profitable, decimating an economy, without all the… well, dead bodies.

Information Security, Fear Mongers, and Universal Peace

Well, that about covers it doesn’t it?

I’ve been listening to "The Power of Now" by  Ekhart Tolle, he makes some very good points. Now, while I’m not a "new age" spiritualist, I’m fairly traditional in my monotheistic beliefs, and I do believe he has something to say, primarily that we spend too much time letting our minds rule our lives (an interesting observation given my nickname is ‘Analysis Paralysis’). The aphorism "don’t borrow worry, tomorrow has enough worries of its own" is a good way of putting it; living in the now helps us combat the fears we conjure up in our mind about "worse case" scenarios.

Here’s the funny thing though; through my graduate studies, I have a graduate education in Information Security/Information Assurance and it seems to me that these studies along with the whole notion of security altogether is contradictory to the points Tolle makes in his book. Wendell Phillips oft quoted “Eternal vigilance is the price of liberty,” made in reference to the slavery movement of the 19th century prior to the American Civil War, is used as a mantra for the homeland security, and information assurance disciplines.

I’ve had this nagging voice, all during the time I was attending grad school, saying to me “Are you being a fear monger?” My struggle has been how I reconcile the lessons learned about securing our future with the connecting to peace through the “Now.” Are they mutually exclusive? As I write this, I believe they are not. One becomes a practical function of the other. As a practical matter, insuring we bring peace to our lives through connection with the infinite requires attention to that around us wishing to impose dissonance.

So where is the balance between the “Now” and vigilance? It sits with every one of us along with the recognition that there are those whose motivations for “peace” are only articulated as vigilance. “Quis custodiet ipsos custodes?” as Juvenal puts it requires that WE watch the watchmen. Separation of power insures that NO one holds all the keys to the kingdom, and WE can experience the peace we are all, me included, desperately seek.

GRC | Security Now!

I’ve been a listener of Security Now! since Steve Gibson and Leo Laporte since its beginning in August of 2005. I’ve never really been the type of person to "testify" to anyone else, but I do find myself saying frequently saying "let me tell you what my last week has been like."

Such is the case for Security Now! I find myself using it as an ongoing resource for both my graduate studies, and as a resource for my work. Steve Gibson has a way of presenting ver complicated issues in information security in very approachable ways.

It seems to me that I find myself going back repeatedly to refer and catch up on material I’ve missed. I recommend Security Now and all of the TWiT (www.twit.tv) netcasts if you’re involved in technology at any level.

Link: GRC | Security Now! | Featuring episode #104  .

Disk Drive Failure Rates

I’ve just been listening to episode 81 of Security Now, yeah I know I’m behind. Anyway the subject is about a paper published by Google on the long term reliability of disk drives.

It turns out, the single device that we depend on the most at home and in the enterprise isn’t so reliable. It’s quite enlightening, and a little bit frightening.

You can read/hear about it at: www.grc.com/securitynow.