3 open InfoSec positions at MIT Lincoln Laboratory

Mon, Nov 10, 2008

We currently have 3 Information Security positions open at MIT Lincoln Laboratory. The first position is Information Technology Security Team Lead. It is position #914 on the Employment page. Rather than re-hash all the details, you can read about them there. The other 2 positions do not have job postings up yet. We need 2 IDS / IPS analysts full time. Details of the positions should be posted soon.

All 3 positions are in Lexington, MA and will require the candidates to be able to obtain at least a SECRET level security clearance. If you or anybody you know may be interested please contact me at: chris.harrington AT ll.mit.edu

Thanks!

–Chris

NAC Panel Discussion: What is the state of NAC?

Wed, Oct 29, 2008

This morning at work I moderated a panel discussion on Network Access Control. The audience was made up of IT Security staff from several research and development organizations. There were representatives from 3 vendors in attendance as well. The audience represented a good cross section of NAC adopters. Some have had it for 2 years, some are deploying this year, while others had future or no plans to deploy NAC.

There was good audience participation so I only had to pull out 1 or 2 “canned” questions in the time allotted. I’ve tried to summarize the points and information that we learned from this exercise below. These are in no particular order.

1. No clear definition of NAC
One of the first questions from the audience was about barriers to NAC adoption. One of the vendors replied with the question “what does NAC mean to you?” This person wanted NAC to do machine based authentication with no posture assessment. The next speaker wanted user authentication and posture assessment. A third was looking for post-connect NAC, *cough* IPS *cough*. Yet another wanted machine based authentication followed by user authentication. There was also discussion of machine provisioning on the network based on an HR event. As we have heard before, the definition of NAC is a moving target.

2. Lack of executive buy-in kills
No big revelation here. Without proper senior management participation, understanding and approval, almost any initiative will fail. What is interesting is the fact that within this group the challenge of selling NAC to upper management seemed to be more of a barrier to deployment than cost or complexity, the ones usually cited. My guess is that NAC may be an organizational or cultural challenge that is more common in “academic” environments where people may be used to doing what they want with less oversight. That is just a guess on my part. Cost was not mentioned once as an issue.

3. 802.1x is still a long way out for wired deployments
Most security professionals will agree that 802.1x authentication is the preferred enforcement mechanism for NAC. IPs can be changed, MACs can be spoofed, but digital certificates pose a formidable challenge to forge. All 3 vendors said that in their experience 90% of wireless NAC deployments use 802.1x. The reason cited was ease of configuration on the client side and general wider acceptance of the protocol. On the wired side that equation was reversed, with only 10% deploying 802.1x. Supplicant issues and the prevalence of devices that may not be able to have a supplicant (printers, VoIP phones, etc.) were said to be big issues.

4. Support for non-Windows clients still developing
The majority of the audience organizations have significant numbers of non-Windows clients, specifically Macs. We get it. Windows is on 90-something percent of the enterprise desktops. That number is changing. More and more companies are offering choices on the desktop / laptop. The NAC vendors present had different levels of support for non-Windows. Some could do authentication only and some could do posture checking if the NAC device was in-line. Note to NAC vendors: Mac support is not a nice-to-have any more. Mac will have an ever increasing presence on the desktop. The NAC options should be the same for Windows and non-Windows. I do recognize that Linux is a little more of a challenge due to the variants and is much further behind Mac in the desktop OS race.

Some of the other take-aways were:

  • Make sure you have an accurate inventory of network connected devices.
  • Do not underestimate the increased help desk utilization.
  • Automated remediation is not as common as self-remediation in deployments.

Those were the ones worth mentioning. Let me know if any of these jump out at you.

–Chris

Record IM video on the network?

Tue, Jul 1, 2008

A friend of mine works in the financial services market. His company has a need to record Instant Messenger video sessions (think AOL and MSN webcam) and archive them. They need to do this on the network as opposed to having client software do it locally on the desktop. This is due to the varied desktop systems; only half are Windows based.

Anyone know of a commercial solution or open source libraries that could do this? I know many IPSs can detect IM video, but he needs to record. Is IM video even encrypted? Before you start with the privacy concerns, this is done with full knowledge of both parties, who are also employees of the same company. It is a pilot program at this point.

–Chris

WoW adds 2 factor authentication

Tue, Jul 1, 2008

World of Warcraft creator Blizzard Entertainment is selling hardware security devices. These small devices can fit on a key ring and provide a second form factor for authentication using something similar to a one time pad. The cost... 6 EUR. Robert over at Errata Security has a pretty good write up on it.

Now if only my bank could figure this out. Wait a minute... don’t they have to under PCI?? :)

–Chris

New blog theme

Thu, Jun 26, 2008

I’ve been working on a new theme for the blog. Please let me know what you think of the new theme!

Thanks!

–Chris

Twitter + Security = Security Twits

Thu, Jun 26, 2008

When I first read about Twitter I didn’t see much value in it for me. It wasn’t until I started using it last year that I saw the usefulness for me. Twitter is an interesting communication tool. I call it a cross between an IM client and a Bulletin Board. There are a lot of informal groups that use Twitter. One of them is the Security Twits.

Security Twits are people in security-related jobs, companies, etc. that use Twitter. We can thank Jennifer, aka Mediaphyter, for the name and the original blog post on the Twits. It’s actually a pretty impressive list of security folks using it.

If you have not tried Twitter you should. You may just find it useful if not downright addictive.

–Chris

Security for Web Meetings?

Wed, Jun 25, 2008

I am seeing an increased need for and proliferation of web based collaboration tools: WebEx, GoToMeeting, MS LiveMeeting, etc. While these tools are necessary as we see people and organizations looking for collaboration, how secure are they? A couple of concerns come to mind. NOTE: I have not done any research into this nor read much of the product literature.

What can these services see?
In a hosted model these companies act as the middleman between the person giving a PowerPoint presentation and the ones viewing it, as an example. Can WebEx or GoToMeeting see the presentation? If so, is it done overtly or covertly? Any audit trail? Is the presentation stored on their servers?

Sharing of desktops?
I know some of these services have the ability to share their desktops or applications. Some can even give control of their entire PC over to another person in the meeting. That could have some significant security implications in certain environments.

How do you handle these technologies? Do you block them? Have an approved one and block the rest?

I would love to hear what you do.

–Chris

ICANN shutting down a Chinese registrar?

Mon, Jun 23, 2008

I saw this today on Slashdot. There is an ICANN registrar in China who is apparently not living up to its obligations to verify proper contact information for people registering domain names. The registrar is Xinnet Bei Gong Da Software. How bad is it you ask?

  • Of 11,000 suspected spam domains registered through them, NONE were taken down in a 6 month period.
  • Approximately 100 new spam sites per day being registered.
  • A “significant” number of those domain registrations have apparently bogus contact information.

What makes matters worse is that there appears to be some interesting language in the ICANN agreement that registrars are supposed to comply with:

“Registrar shall, upon notification by any person of an inaccuracy in the contact information associated with a Registered Name sponsored by Registrar, take reasonable steps to investigate that claimed inaccuracy. In the event Registrar learns of inaccurate contact information associated with a Registered Name it sponsors, it shall take reasonable steps to correct that inaccuracy.”

Reasonable steps? A little vague, don’t you think? It will be interesting to see if ICANN does something here. Why does the phrase “Stop or I’ll yell Stop again!!!” come to my mind here?

–Chris
