Technofile


July 4, 2009

In this issue:
Cell Networks Evolve Into Data Networks
Growing Threat to Online Applications
In for Nasty Weather
Quick Bytes
Getting Ahead in IT
NUMBERS
New in Plaintext
A Site to See


Cell Networks Evolve Into Data Networks

Setting up a Wi-Fi connection when you’re on the road can be a trying experience. There are security and accessibility concerns to contend with. For example, is that really the airport’s access point, or are you connecting to a dangerous look-alike? And if you’re in a taxi between the airport and your hotel, you won’t be able to get any signal at all.

An increasingly popular wireless standard known as EV-DO (Evolution-Data Optimized) may be the answer to these problems. It allows a computer with the right kind of wireless card to connect to a cell-phone network. This solution addresses both the availability and security issues while making it possible for road warriors to get download speeds that are becoming competitive with wired broadband speeds.

John Polivka, product marketing manager for Sprint’s mobile broadband service, says that the company’s data network already covers more than 152 million people in North America across all major metropolitan markets (it’s shooting to add almost 70 million people by the end of next year), with other major providers such as Verizon and T-Mobile offering the same service to 150 million or so people as well. That means that strong connections are available almost everywhere on the continent.

“That’s really one of the benefits versus Wi-Fi,” Polivka says. “You get a connection you can use across an entire metropolitan market. You can drive from tower to tower without losing your signal.”

EV-DO doesn’t come cheap, however; unlimited-data plans begin in the neighborhood of $80 a month. It’s also not yet standard equipment. But that’s starting to change. Many computer makers are beginning to embed EV-DO functionality into new laptops.

One reason that the EV-DO standard is catching on is that it is naturally more secure, says Joshua Wright, senior security researcher for Aruba Networks and a member of the Trifinite Group, technology experts who conduct research on wireless security issues.

EV-DO “does not suffer from many of the security vulnerabilities that plague IEEE 802.11 or Bluetooth networks,” Wright says, so concerns over rogue access points may become a thing of the past. EV-DO uses Code Division Multiple Access (CDMA), a technology used for cell networks that provides six levels of protection by coding and encrypting data between the laptop and the tower, Polivka says.

As always, however, security concerns will eventually arise. Wright explains that the major security concern he’s seen so far is the way that built-in EV-DO cards might be used on computers running Windows XP where a user has administrator rights.

You can expose the corporate network to the entire Internet by bridging your EV-DO and LAN interfaces, says Wright. Bridging joins two network interfaces on one machine so that traffic passes freely between them; it is what lets a computer with a wired connection share that connection over its wireless card with a nearby laptop, for example.

“When this happens, it makes it possible for an attacker on the Internet to contact the XP system over EV-DO, and possibly exploit a weakness in the system. A successful compromise allows attackers to escalate their privileges, giving them unrestricted access to the internal LAN,” Wright says.

There is a way to close that vulnerability. Wright recommends disabling the bridging feature on XP systems that use EV-DO for wireless Internet access. This may be little more than a safe-computing practice, but those practices are essential in the long and difficult struggle for computer security.
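The exposure Wright describes needs three things on one laptop: a cellular adapter with a public address, a LAN adapter on the corporate network, and a path between them (a Network Bridge or IP forwarding). The following audit script is an added example, not code from the article, from Aruba Networks or from Sprint; it reports whether those conditions coincide on a Windows host. It assumes that the Windows Network Bridge appears in WMI as an adapter named "MAC Bridge Miniport" (service name "BridgeMP"), that IP forwarding is controlled by the `IPEnableRouter` value under `Tcpip\Parameters`, and that cellular cards can be recognised by the keyword pattern in `$cellularPattern`, which you would adjust to match the cards your fleet actually carries.

```powershell
# Added audit script (not from the article): flags a Windows host on which a
# cellular (EV-DO/WWAN) adapter and a LAN adapter are joined by a Network Bridge
# or by IP forwarding. Run from an elevated PowerShell prompt.
#
# Assumptions not stated in the article:
#  - the Network Bridge shows up as an adapter named "MAC Bridge Miniport"
#    with service name "BridgeMP";
#  - IP forwarding is governed by Tcpip\Parameters\IPEnableRouter;
#  - cellular adapters match the keywords below (edit for your hardware).

$cellularPattern = 'EV-DO|EVDO|Mobile Broadband|WWAN|Sprint|Verizon|Novatel|Sierra'

function Get-AdapterInventory {
    # Win32_NetworkAdapter lists every adapter, physical or virtual, on the host.
    Get-WmiObject -Class Win32_NetworkAdapter |
        Select-Object Name, ServiceName, NetConnectionID
}

function Test-NetworkBridgePresent {
    param([object[]]$Adapters)
    # A configured bridge materialises as its own miniport adapter.
    $bridge = $Adapters | Where-Object {
        $_.Name -match 'MAC Bridge Miniport' -or $_.ServiceName -eq 'BridgeMP'
    }
    return [bool]$bridge
}

function Test-IPForwardingEnabled {
    # IPEnableRouter = 1 makes the host route packets between its interfaces.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $item = Get-ItemProperty -Path $key -Name IPEnableRouter -ErrorAction SilentlyContinue
    return ($item -ne $null -and $item.IPEnableRouter -eq 1)
}

function Get-BridgeExposureReport {
    $adapters = Get-AdapterInventory
    $cellular = @($adapters | Where-Object {
        $_.Name -match $cellularPattern -or $_.NetConnectionID -match $cellularPattern
    })
    $lan = @($adapters | Where-Object {
        $_.NetConnectionID -match 'Local Area Connection|Ethernet'
    })
    $bridged    = Test-NetworkBridgePresent -Adapters $adapters
    $forwarding = Test-IPForwardingEnabled

    # The risk needs both sides of the bridge plus a path between them.
    $exposed = ($cellular.Count -gt 0) -and ($lan.Count -gt 0) -and ($bridged -or $forwarding)

    return New-Object PSObject -Property @{
        CellularAdapters = $cellular.Count
        LanAdapters      = $lan.Count
        NetworkBridge    = $bridged
        IPForwarding     = $forwarding
        Exposed          = $exposed
    }
}

$result = Get-BridgeExposureReport
$result | Format-List CellularAdapters, LanAdapters, NetworkBridge, IPForwarding, Exposed

if ($result.Exposed) {
    Write-Warning ('Cellular and LAN interfaces are joined on this host: remove the ' +
                   'Network Bridge in Network Connections or set IPEnableRouter to 0, ' +
                   'then reboot.')
    # Cross-check bridge membership with the built-in tool.
    netsh bridge show adapter
}
```

The script only reads adapter and registry state, so it is safe to push out through a login script or management agent and collect the `Exposed` field centrally; the remediation itself (removing the bridge, clearing `IPEnableRouter`) is left to the administrator so that a misidentified adapter cannot knock a user offline.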


Growing Threat to Online Applications

This summer, an e-mail worm called Yammaner hit Yahoo Mail, a free Web-based e-mail service. The worm, written in JavaScript, tried to send itself to other Yahoo Mail contacts. A quick response from Yahoo ensured that the worm remained a low risk, but it was evidence that online software applications are likely to come under attack as they become increasingly popular.

Samir Kapuria, principal security strategist with Symantec Global Security Consulting, says that attackers “are now more interested in targets of choice rather than targets of chance,” meaning they’re more motivated by profit than bragging rights. Online applications, known variously as Web 2.0, software on demand, and software as a service (SaaS), are good targets, he says.

Web application vulnerabilities, such as the one that attackers tried to exploit with Yammaner, have serious security implications for SaaS, and these are on the rise, Kapuria says. In 2005, more than 3,700 vulnerabilities were identified (a 40 percent increase from 2004), and 69 percent of these affect Web applications.

Since SaaS relies on a Web browser for user access, vulnerabilities in browsers are also dangerous. Kapuria says that during the last half of 2005, 24 Internet Explorer and 17 Firefox vulnerabilities were documented. “The average severity rating for both the Internet Explorer and Firefox vulnerabilities was ‘high,’ meaning these vulnerabilities, if exploited, could result in the compromise of an entire system,” he says.

“A growing number of organizations are adopting on-demand applications [such] as customer relationship-management implementations, human resources capabilities, and financial management services such as payroll and accounting,” Kapuria says. “This represents a wealth of information that malicious users might leverage for financial gain.”

He points out that the common limited-time-free offers are a boon for criminals. “This provides potential attackers an opportunity to work with the service and try to determine where it is vulnerable,” he says. In other words, attackers are allowed inside a normally protected perimeter to do reconnaissance.

Kapuria reminds users that the security of their information depends in large part on the security of the service provider and urges them to shun providers “that offer little in the way of authentication or validation. They can also keep their Web browsers, operating systems, and other software patched.”


In for Nasty Weather

Everyone complains about the weather, but nobody does anything about it, goes the old saw. Jason Jackson, director of emergency management for Wal-Mart, is trying to prove the cliché wrong. Even if he can’t change the weather, he can help workers keep abreast of changing conditions and instantly notify them if trouble is looming.

Jackson is using the Smart Notification Weather Service to do this. It was created by WeatherBug, a part of Germantown, Maryland-based AWS Convergence Technologies, Inc., along with Send Word Now, a New York City company that provides on-demand notification services. The service ties weather alerts to telephone or cell phone numbers, e-mail addresses, or pagers.

WeatherBug operates some 8,000 weather stations around the country, providing live local weather data to end users. “We’ve married this with detailed weather intelligence from the National Weather Service, radar information, [and] lightning information, and we can get down to a five-kilometer-grid resolution providing truly neighborhood-level weather information,” Jim Anderson, WeatherBug’s director of business development, explained in a recent Webinar.

The service is just what some emergency managers have been looking for, said Jackson. Before they had this option, his emergency operations center was notifying store managers of potentially dangerous weather conditions by telephone.

“What we realized is, when you have things like a ‘super Tuesday’ of tornados that rolls across the Midwest, and you have tens or even over a hundred tornados spawned, it’s really hard to keep up with that level of activity,” he said, especially with 50 facilities to contact for each update.

“What we wanted, and this is what Send Word Now and WeatherBug have built, is a product or application that would automatically push out that information to our facilities based on location,” Jackson said. “So instead of waiting for someone to call manually we would have an automated call go out and everyone would have the most timely notification of a potential weather situation that’s coming their way.”

Smart Weather Notification Service can deliver alerts in a variety of ways, including through e-mail, text messages, and cell phones, and it gives recipients the ability to bridge into conference calls whenever necessary.

@ You can sample the Send Word Now service for free. Visit SM Online to get there.


Quick Bytes

  • Manager’s IT guidebook. Anyone looking for an overview of the elements that make up an information security program can turn to a comprehensive guide released by the National Institute of Standards and Technology (NIST) titled Information Security Handbook: A Guide for Managers. The handbook covers every aspect of security, from awareness and training issues to incident response and recovery strategies. Intended for senior managers, it’s as appropriate for the private sector as it is for government readers; as the authors note, while private- and public-sector requirements may differ, “the underlying principles of information security are the same.” @ Security Management Online has the NIST handbook.
  • Unsafe workers. Seventeen percent of employees have launched a hacking tool or keystroke-logging software on their network in the past year, an increase from 12 percent from the year before. That’s no surprise given that 47 percent of the 351 IT decision-makers interviewed by Websense said employees who received phishing e-mails clicked on the link they found in the message, while a third of those interviewed admitted that they don’t block executables in e-mails. The annual Web@Work survey interviewed 351 information technology managers from U.S. companies of all sizes. @ More results of the survey are at SM Online.
  • Data breach advice. Not long after a data breach involving the Department of Veterans Affairs, David M. Walker, Comptroller General of the United States and head of the Government Accountability Office, gave testimony to a House committee on steps that can be taken to reduce the likelihood of personal data being stolen. The first is to conduct a privacy-impact assessment before deploying new systems; Walker noted that agencies do not always do this. He also recommended limiting the collection of personal information, and limiting the time that such information is retained. @ Privacy: Preventing and Responding to Improper Disclosures of Personal Information is available at SM Online.

Getting Ahead in IT

If you are an IT security professional or are interested in becoming one, you’ll find a new career guide issued by (ISC)2 to be a helpful resource. The guide describes the types of jobs available (including typical job titles) and explores the various areas of expertise within information security, as well as educational requirements, technical skills needed, salary ranges, and the certifications that can help you advance your career. The guide also includes a list of schools offering IT security curricula and relevant professional associations. @ Career Guide: Decoding the Information Security Profession is at SM Online. Go to www.securitymanagement.com and click on “Beyond Print.”


Numbers

5

Maximum percentage of IT budget spent on security by the average U.K.-based company, according to a survey of information security breaches by PricewaterhouseCoopers.


New in Plaintext

Since Wallace Wang’s new book, Steal This Computer Book 4.0: What They Won’t Tell You About the Internet, hit my desk, a strange thing happened: Almost every person who saw it immediately asked to borrow it. This wasn’t just the other office geeks, but some downright technophobes, as well. So far, no one has heeded Wang’s exhortation to steal it, but I won’t be surprised if it happens.

There are good reasons for all the interest. The book, published by No Starch Press, is a provocative look at the ways the Internet can be used, misused, and abused. It’s written for an Internet user of any ability. It’s clever (at times sarcastic) and well designed. And it includes a CD containing 23 folders of software programs that do everything from cracking passwords to writing pop-up ads (as well as software that blocks these ads).

Though Wang is not advocating illegal activities or encouraging readers to become malicious hackers, he does teach such dubious skills as virus writing. “The purpose of this book isn’t to teach you to be a hacker,” he cautions in the Introduction, “but rather to teach you to think like one.”

The book is best browsed through in front of a computer, because you’ll be eagerly visiting the Web sites he writes about and trying the software and tactics he describes. Many of the latter I had never heard of. For instance, in a chapter on how to work around censorship (government or corporate) of Web sites, he describes how to access banned Web pages by having them e-mailed to you. No special software is required; just send an e-mail containing the URL of the Web site you want to see to a certain e-mail address, and the full site will be sent back to you inside a return message.

Readers who are very tech-savvy may not find too much new here (though some who browsed my copy certainly did), but novice readers will get a jargon-free look at the dark underbelly of the Net.

The only problem with the book is that everyone who saw it wanted to walk away with it. @ You can get a copy from online retailers for about $20. But you may have trouble keeping it.


A Site To See

It’s estimated that millions of Americans each year suffer identity theft. The Federal Trade Commission (FTC) has set up a Web site to help deter, detect, and defend against identity theft. The site contains a number of educational resources, including a 10-minute educational video that provides an overview of the problem, a PowerPoint presentation, and several PDF publications. The FTC urges that these be used in workplaces, communities, and houses of worship to build a better understanding of how to defend against this growing crime. These rich resources make the FTC’s identity-theft Web site this month’s Site to See.

@ Get there via SM Online.




Copyright© 1996-2006 Security Management Magazine.
All rights reserved.
This material may not be published, broadcast, rewritten or redistributed without permission.