Saturday, July 23, 2011

In Passing: Amy Winehouse

Amy Winehouse
14 September 1983 – 23 July 2011

Thursday, July 21, 2011

DoD Cyber Defense Plan Draws Fire (Yet Again)

Michael Hardy and John Zyskowski write on

In announcing its latest plan to improve the security of military and related mission-critical networks in the public and private sectors, the Defense Department dutifully acknowledged once again that cyberspace is a new domain in which it must defend the United States and its vital interests.

But cyberspace is unlike any other battlefield the Pentagon has encountered before, and the military is clearly struggling to develop operational ground rules for this complicated new domain where the lines are often fuzzy between DOD and civilian activities, war and peace, and the good guys and the bad guys.

The difficulty of the task for DOD officials is evident in just how messy and prone to criticism the process of creating a cybersecurity policy has become. However, there is little doubt that a strategy is crucial. At the July 14 press conference for the plan’s unveiling, Deputy Secretary of Defense William Lynn also disclosed that in March, a “foreign intruder” was able to steal 24,000 files pertaining to cutting-edge weapons systems from the network of a defense contractor.

As an illustration of the messiness, the vice chairman of the Joint Chiefs of Staff, Marine Gen. James Cartwright, made the unusual move of publicly criticizing the plan’s defensive orientation hours before Lynn officially released it.
More here.

Embedded Web Servers Exposing Organizations To Attack

Kelly Jackson Higgins writes on Dark Reading:

A researcher who has been scanning the Internet for months looking for unsecured, embedded Web servers has found a bounty of digital scanners, office printers, VoIP systems, storage devices, and other equipment fully exposed and ripe for attack.

Michael Sutton, vice president of security research for Zscaler Labs, at Black Hat USA 2011 next month will demonstrate his findings: Ricoh and Sharp copiers, HP scanners, and Snom voice-over-IP (VoIP) phones were the most commonly discovered devices, all accessible via the Internet. "It was pretty shocking to me: Virtually none of these should be exposed to the Internet. There's not a good reason that an HP scanner should be exposed to the Net," Sutton says.

It's a recipe for disaster: Embedded Web servers with little or no security get misconfigured when they're installed. Most likely, the potential victims are small to midsize businesses or consumers with less technical expertise who misconfigure their devices and have no idea they're showing up online. "They're taking this device, plugging it into the wall, and making a mistake on a router or access point ... and suddenly things are exposed to the Web," he says.
 More here.

Wednesday, July 20, 2011

U.S. House Panel Approves Data Breach Notification Bill

Grant Gross writes on ComputerWorld:

A U.S. House of Representatives subcommittee has voted to approve a bill that would require companies to notify affected customers about data breaches, and would require businesses holding personal information to establish data security programs.

The House Energy and Commerce Committee's trade subcommittee approved the Secure and Fortify Electronic Data Act [.pdf] (SAFE Data Act) by a voice vote Wednesday, after hours of debate on the legislation. Democrats on the subcommittee offered several amendments in an effort to broaden the types of personal data the bill would cover, but the majority Republicans rejected the amendments.

The bill is filled with "loopholes that sacrifice data security and privacy," said Representative Henry Waxman, a California Democrat. "A bill that is supposed to be enhancing data security and consumer privacy would actually seriously undermine it."

Representative Mary Bono Mack, the subcommittee chairwoman and a California Republican, urged lawmakers to move forward with the legislation [.pdf], which she sponsored.

More here.