Cyber-Security and security

Recent blog entries tagged with Cyber-Security and security.

Winners of Student Computer Security Video Contest Announced

Created by Colleen Luckett (EDUCAUSE) on May 10, 2007
The EDUCAUSE/Internet2 Computer and Network Security Task Force, the National Cyber Security Alliance, and ResearchChannel are pleased to announce the winning entries for the 2007 Computer Security Awareness Video Contest conducted by the Security Task Force to raise awareness of and increase computer security at colleges and universities.

The contest sought videos that explain computer security problems and specific actions that college and university students can take to safeguard their computers or personal information, and had two categories of videos: two-minute-or-less training or instructional videos, and 30-second public service announcements. The videos can be used in campus security awareness campaigns during student orientation and throughout the year.

September/October EDUCAUSE Review Now Available

Created by Colleen Luckett (EDUCAUSE) on October 04, 2006
The September/October EDUCAUSE Review is now available, with a focus section on Privacy & Security featuring articles by Fred H. Cate on the privacy and security policy vacuum in higher education, John Voloudakis on the evolution of effective IT security practices, M. Peter Adler on a unified approach to information security compliance, Lauren Steinfeld and Kathleen Sutherland Archuleta on the role of the CPO, and Rodney Petersen on the role of the CSO. This issue also includes articles on “Making Knowledge Services Work” and on higher ed IT in Brazil and Latin America, along with a report by the 2006 EDUCAUSE Evolving Technologies Committee. EDUCAUSE Review is also available via RSS feed. Click the RSS icon on the EDUCAUSE Review home page to

Airline passenger's details insecure

Created by Stuart Yeates (University of Oxford) on May 04, 2006

The Guardian is carrying an article by Steve Boggan on how insecure airline passenger's details are. He paints the US government as the principal underminer of the privacy and security of the individual's information, but I imagine that a number of organisations on this side of the Atlantic find access to the information very useful too.

Bug discovered in X11 code

Created by Stuart Yeates (University of Oxford) on May 03, 2006

A project funded by the US Department of Homeland Security has discovered a bug in X11, the display system used across a wide range of POSIX systems (Linux, BSD, and Unix) as well as used for platform independence on Microsoft Windows and Apple Macs.

The bug is very serious, but remote activation appears to be blocked by most firewalls, which block remote access to X11. Fixes have already been rolled out for most platforms.

The X11 system separates the display (or windowing) system from other parts of the operating system. It enforces security separations and allows remote access, by exposing physical screens as servers (literally, the service they provide is that of displaying data to the user). The X11 protocol is widely supported by a number of operating systems (who provide the servers), applications (who use the service) and utilities. The widely used GTK and Qt windowing toolkits typically sit on top of X11 and allow applications to manipulate it in terms of high-level objects.

Apache now the leading provider of secure web servers

Created by Stuart Yeates (University of Oxford) on April 27, 2006

According to a recent Netcraft survey, the Apache Software Foundation is now the leading provider of secure web servers. Their stable includes the Apache and Apache 2 workhorses and the Tomcat Java web server and servlet engine. Netcraft sees the lowering of legal barriers to the export of cryptographic software from the USA and the decision to ship mod_ssl as standard in Apache 2 as leading contributors to the rise of Apache.

UCISA Information Security Toolkit

Created by Stuart Yeates (University of Oxford) on March 15, 2006


UCISA were at the 2006 JISC Conference, touting their Information Security Toolkit:



The UCISA Information Security Toolkit is intended to support UK Higher and Further Education Institutions in producing Information Security policies to address (and to demonstrate that they are addressing) threats to the confidentiality, integrity and availability of information systems for which they are responsible, and to help meet audit requirements. The sections draw heavily on British Standard BS 7799, not least by adopting its structure for control objectives and controls.


Unfortunately it's very much embedded in the UK legislative framework, so only the technical bits will be of much use to those outside the UK. Strangely enough, I spent three days in Blackpool last week at their big annual event and didn't catch up with the toolkit at all; presumably they were all too busy running the event to promote their own documents.

Bruce Schneier's Sony Rootkit review

Created by Stuart Yeates (University of Oxford) on January 11, 2006

Bruce Schneier, arguably the most respected computer security expert internationally, has published a review of the Sony Rootkit incident. He casts the story not in fine-grained technical detail, but in terms of the actions and motivations of the various players, particularly the corporate players.

Bad security happens. It always has and it always will. And companies do stupid things; always have and always will. But the reason we buy security products from Symantec, McAfee and others is to protect us from bad security.

...

What happens when the creators of malware collude with the very companies we hire to protect us from that malware?