09 Jul 09

what we’re reading, week of 7/6

Around the Blogosphere…
This past week, researchers at Carnegie Mellon showed that it is possible to predict people's Social Security numbers. Using statistical techniques, they predicted SSNs solely from an individual's date and place of birth. They identified all nine digits for 8.5 percent of people born after 1988 in fewer than 1,000 attempts, and for people born recently in smaller states they needed 10 or fewer attempts to predict all nine digits. This should be a wake-up call for anyone still treating an SSN as a secret. Here are three opinions on the research.
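To see why a number that is handed out roughly in order of issue date can be narrowed down from a birth date, here is an added illustration on synthetic data. It is not the CMU study's code or data: the numbering scheme (region prefix plus running counter), the daily issue rates, the anchor records and the birth dates are all constructed, and the real SSN assignment rules are deliberately not modelled. What it does show is the mechanism: a few public records pairing a birth date with a known number bracket the target, and the smaller the region's issue rate, the narrower the bracket.

```python
"""Added illustration (not the CMU study's code or data): why an identifier
issued roughly in order of date can be narrowed down from a birth date once
a few public "anchor" records are known. Numbering scheme, issue rates and
anchor records are constructed; they are not the real SSN assignment rules."""
from bisect import bisect_left
from datetime import date, timedelta

# Constructed issuance model: each region issues nine-digit numbers as a fixed
# three-digit prefix followed by a running six-digit counter. A small region
# issues far fewer numbers per day, so fewer candidates fall between any two
# anchor dates.
REGION_PREFIX = {"small": 120, "large": 580}   # constructed prefixes
ISSUED_PER_DAY = {"small": 3, "large": 400}    # constructed daily rates
EPOCH = date(1989, 1, 1)                        # start of the constructed series


def issued_number(region: str, born: date) -> int:
    """Synthetic assignment: the number a person born on `born` received."""
    counter = (born - EPOCH).days * ISSUED_PER_DAY[region] + 1
    return REGION_PREFIX[region] * 10**6 + counter


def public_anchors(region: str, every_n_days: int) -> list:
    """Constructed stand-in for public records that pair a birth date with an
    already-known number, sorted by date (the study used real public records
    in this role)."""
    anchors = []
    for d in range(0, 365 * 3, every_n_days):
        day = EPOCH + timedelta(days=d)
        anchors.append((day, issued_number(region, day)))
    return anchors


def candidate_range(anchors: list, born: date) -> tuple:
    """Numbers issued between the nearest anchor before `born` and the nearest
    anchor on or after it; the target must lie inside this window."""
    dates = [d for d, _ in anchors]
    i = bisect_left(dates, born)
    lo = anchors[i - 1][1] if i > 0 else anchors[0][1]
    hi = anchors[i][1] if i < len(anchors) else anchors[-1][1]
    return lo, hi


def guesses_needed(region: str, born, every_n_days: int = 30) -> dict:
    """Size of the search space left to someone who knows only birth date and
    region, plus a check that the true number lies inside that window."""
    if isinstance(born, str):
        born = date.fromisoformat(born)
    lo, hi = candidate_range(public_anchors(region, every_n_days), born)
    target = issued_number(region, born)
    return {"candidates": hi - lo + 1, "target_in_window": lo <= target <= hi}


if __name__ == "__main__":
    for region in ("small", "large"):
        # small: 91 candidates, large: 12001 (against 10**9 for blind guessing)
        print(region, guesses_needed(region, "1990-06-15"))
```

Anchors every 30 days are a generous assumption for the attacker; the point is that even a sparse set of public records collapses a nine-digit space to a few hundred or a few thousand candidates, which is why Adam's "godawful authenticator" verdict below stands regardless of how carefully people guard the number.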

Emergent Chaos
Social Security Numbers are Worthless as Authenticators
Told you so: Adam Shostack calls SSNs "a godawful authenticator". For years, Adam has sided with the security and privacy professionals who argue against using SSNs for identification, and only now are people paying attention.

Digital Soapbox – Preaching Security to the Digital Masses
[RANT] Forget SSNs
Rafal Los does not see the point in having SSNs at all and believes we should ditch them altogether. Everyone goes to great lengths to protect their SSN, but what is the point, he asks, when someone can now simply guess it from your date and place of birth? Rafal suggests using other identification numbers instead, such as a patient ID.

Security Fix | Washington Post
Predicting Social Security Numbers
Brian Krebs covered the study in the Washington Post, and in his blog post he homes in on additional resources and information, including FAQs about the study and the full report.

IT Security…
VPN: The Pros and Cons
John Edwards lists the pros and cons of VPNs. The drawbacks in particular deserve highlighting, since they are the considerations that matter when choosing a VPN. Pick a universal, flexible solution; it will make your life easier.

07 Jul 09

Forcing IPSec or SSL on a Market is Wrong

We read an interesting post on Cisco's lack of a 64-bit IPSec VPN client. More interesting to us, though, was a reader's comment below the post: Robert, comment no. 7.

Robert disagrees with the blogger, Greg Ferro, and believes Cisco is going in the right direction with its support of SSL. "IPSec was never designed to be a user VPN solution," says Robert. "Anyone [who] has to deal with multiple VPN clients [knows] it's a pain because of where IPSec is inserted into the stack."

We disagree! IPSec's historic downside has been the complexity that comes with so much flexibility (Robert's point), but that has since been addressed. The bigger issue, though, is that supporting only SSL or only IPSec is not good enough. The SSL-versus-IPSec debate has been going on for some time, and there is a clear case for using each under different circumstances; it is not one or the other.

Whatever a user's access needs, an enterprise solution should support both SSL and IPSec. VPN systems should be built around mobility, productivity and policy needs rather than limited by a biased technology choice.

02 Jul 09

what we’re reading, week of 6/29

The VAR Guy…
Are you really A VAR?
Distinguishing between resellers, VARs and partners, blogger Heather Margolis argues that in today's industry the roles of partner and VAR have blended, to the point that the term reseller has become an insult. Recently, many partners have been promoting themselves as VARs when in reality they are resellers. Heather asks vendors whether they see different opportunities for each, and whether partners are differentiating themselves. Let us know your thoughts on this issue.

Ha.ckers…
Detecting MITM/Hacking Proxies Via SSL
Robert lists several ways to detect man-in-the-middle attacks and hacking proxies on an SSL connection. Focusing on the website side, he looks at the scenario of a user coming in through a hacking proxy. If the client claims to be one of the common standard browsers, the techniques Robert describes should work, although he suggests testing them before deploying.
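The general shape of such a check, as an added example that is not code from the ha.ckers post: the HTTP layer tells the site which browser the client claims to be, while the SSL handshake shows what the client actually negotiated. A hacking proxy terminates the user's SSL session and opens its own connection to the site, so the handshake the site sees belongs to the proxy's SSL stack, not to the browser named in the User-Agent. The expected profiles, the User-Agent matching and the sample connections below are constructed for illustration and are not real browser fingerprints; a deployment would measure them from the browsers it cares about and refresh them as those browsers update.

```python
"""Added example, not code from the ha.ckers post: a server-side consistency
check between the browser a client claims to be (HTTP User-Agent) and the
SSL/TLS handshake it actually produced. Profiles and samples are constructed
and are not real browser fingerprints."""

# Constructed expected handshake profiles per claimed browser family.
EXPECTED_PROFILE = {
    "Firefox": {"versions": {"TLSv1.0", "TLSv1.1", "TLSv1.2"}, "sni": True,
                "top_cipher": "ECDHE-RSA-AES128-SHA"},
    "Chrome":  {"versions": {"TLSv1.0", "TLSv1.1", "TLSv1.2"}, "sni": True,
                "top_cipher": "ECDHE-ECDSA-AES128-SHA"},
}

# User-Agent substrings that identify each family (constructed, minimal).
UA_FAMILY = (("Firefox/", "Firefox"), ("Chrome/", "Chrome"))


def claimed_family(user_agent: str):
    """Browser family the HTTP layer claims, or None if we have no profile."""
    for needle, family in UA_FAMILY:
        if needle in user_agent:
            return family
    return None


def assess(conn: dict) -> tuple:
    """Compare the claimed browser with the observed handshake.

    conn keys: user_agent (str), tls_version (str), sni (bool, did the client
    send server_name?), ciphers (list of offered suites in the client's order).
    Returns (verdict, reasons), verdict in {"consistent", "suspect", "unknown"}.
    """
    family = claimed_family(conn["user_agent"])
    if family is None:
        # Not a browser we profile: say so rather than guess either way.
        return "unknown", ["no handshake profile for the claimed User-Agent"]
    exp = EXPECTED_PROFILE[family]
    reasons = []
    if conn["tls_version"] not in exp["versions"]:
        reasons.append(f"{family} does not negotiate {conn['tls_version']}")
    if exp["sni"] and not conn["sni"]:
        reasons.append(f"{family} always sends SNI; this client did not")
    if not conn["ciphers"] or conn["ciphers"][0] != exp["top_cipher"]:
        reasons.append("cipher preference order does not match the claimed browser")
    return ("suspect" if reasons else "consistent"), reasons


# Constructed sample connections, as a web server might record them.
SAMPLE_CONNECTIONS = {
    "real_browser": {
        "user_agent": "Mozilla/5.0 (Windows; U; Windows NT 6.0; rv:1.9.1) Gecko/20090624 Firefox/3.5",
        "tls_version": "TLSv1.0", "sni": True,
        "ciphers": ["ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA", "AES128-SHA"],
    },
    # Same User-Agent, but the handshake comes from the proxy's own SSL stack.
    "hacking_proxy": {
        "user_agent": "Mozilla/5.0 (Windows; U; Windows NT 6.0; rv:1.9.1) Gecko/20090624 Firefox/3.5",
        "tls_version": "SSLv3", "sni": False,
        "ciphers": ["AES128-SHA", "DES-CBC3-SHA"],
    },
    # Not a browser at all: no profile, so no verdict either way.
    "script": {
        "user_agent": "curl/7.19.5", "tls_version": "TLSv1.0", "sni": True,
        "ciphers": ["ECDHE-RSA-AES128-SHA"],
    },
}


def scan(connections: dict) -> dict:
    """Verdict per connection; a site could log or challenge the suspect ones."""
    return {name: assess(conn)[0] for name, conn in connections.items()}


if __name__ == "__main__":
    for name, conn in SAMPLE_CONNECTIONS.items():
        print(name, *assess(conn))
```

The "unknown" verdict is deliberate: a check like this only has teeth when the client claims to be a browser you have profiled, which is exactly the caveat in the summary above, and it is the reason to test the profiles against your real user base before acting on a "suspect" result.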

Branden Williams’ Security Convergence Blog…
Guest Post: The IT forecast – Cloud-y with a 10% Chance of Effective Security
Guest blogger Fred Langston, Sr. Product Manager for VeriSign's Global Security Consulting group, discusses the security drawbacks of the cloud. Reminding us of the risks that come with cloud adoption, Fred holds the cloud services vendor (who is running the security infrastructure) to the same standards as an MSSP (managed security service provider).

25 Jun 09

What We’re Reading, Week of 6/22

SearchSecurity…
Cloud computing security: Choosing a VPN type to connect to the cloud
Friend of NCP Diana Kelley, analyst at SecurityCurve, is writing a series on cloud computing security. In this first part of the series, Diana drills down into the specifics of the devices that connect to the cloud and how VPNs affect cloud security. The article looks at the question from a point-to-point perspective rather than asking whether SSL or IPSec is better suited; there are valid uses for each in Kelley's article. Well worth a read, and it begs the bigger question: is the VPN really the factor for applications living in a cloud, or is securing the applications themselves the real issue? For example,

“VPN types include network-to-network, multiple service host-server, to single-service host-server. Each of these implementations can be used in a cloud computing environment, and each has security strengths and weaknesses. The oldest VPN technology is the network-to-network VPN. This architecture has the greatest risk associated with it, due in part to the number of hosts involved. While this architecture would not likely be used in the client-to-cloud connection, it could be used within the cloud, especially with server farms or mashups.”

What are your thoughts on cloud computing security?

19 Jun 09

what we’re reading, week of 6/15

End-Point Security.Info…
Employees Couldn’t Care Less about Data Security
Drawing on data from the Ponemon Institute, Agent Smith provides shocking statistics about employees and their security practices. So how does this relate to VPNs? Glad you asked. Users will bypass cumbersome VPN policies if they can get away with it, so network admins need to look at their policies and at how the technology they use supports them. Does it hinder the user? Can the user change settings? Will you be able to tell that something has been changed? User education and centrally managed policy enforcement are key for VPNs.

Datamation…
Fixes for Wi-Fi Hotspot Annoyances
Always on the go? Frustrated with Wi-Fi? Eric Geier offers travelers tips for connecting wirelessly. Going one step further, VPN Haus recommends staying mindful of man-in-the-middle attacks, which are all too common at hotspots. With a run-of-the-mill VPN client, chances are high that data packets are allowed in and out of your device while the client is still authenticating you to the network. A better option is a VPN client that forces the network, meaning the VPN gateway, to authenticate itself to your device before any data flows: no data transfer, and no opening for a man-in-the-middle.
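To make the two client behaviours concrete, here is an added sketch that is not code from the Datamation article or from any VPN product. A client talks to whatever answers at the gateway address, which at a hotspot may be a rogue access point. The "lax" client hands over its login and then traffic as soon as it connects; the "strict" client sends nothing until the peer proves it holds the gateway secret. The secret, nonce and HMAC proof are constructed stand-ins for what a real client does with the gateway's certificate or IKE authentication, and the credential and traffic strings are made up.

```python
"""Added example, not code from the article or any VPN product: a lax client
that sends before it knows who is on the other end, next to a strict client
that requires the gateway to prove itself first. Keys, nonces and the proof
format are constructed; a real client verifies a gateway certificate or IKE
authentication instead of this toy HMAC exchange."""
import hashlib
import hmac
import os

# Constructed: a secret provisioned to the client out of band and known only
# to the genuine gateway (an assumption made for the illustration).
GATEWAY_SECRET = b"constructed-gateway-secret"


class Gateway:
    """The genuine VPN gateway: can prove knowledge of the shared secret."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.received = []          # everything the peer ever got from the client

    def prove_identity(self, client_nonce: bytes) -> bytes:
        return hmac.new(self.secret, b"gateway|" + client_nonce, hashlib.sha256).digest()

    def accept(self, packet: bytes):
        self.received.append(packet)


class RogueHotspot(Gateway):
    """Man-in-the-middle at the hotspot: sits at the gateway's address but has
    no secret, so the best it can do is return something that looks like a proof."""
    def __init__(self):
        super().__init__(secret=b"")

    def prove_identity(self, client_nonce: bytes) -> bytes:
        return hashlib.sha256(client_nonce).digest()   # cannot compute the real proof


class VpnClient:
    """gateway_must_authenticate=False models the run-of-the-mill client that
    starts talking, login included, before it knows who is listening."""
    def __init__(self, secret: bytes, gateway_must_authenticate: bool):
        self.secret = secret
        self.gateway_must_authenticate = gateway_must_authenticate
        self.tunnel_open = False

    def connect(self, peer: Gateway, credentials: bytes) -> bool:
        if self.gateway_must_authenticate:
            nonce = os.urandom(16)
            expected = hmac.new(self.secret, b"gateway|" + nonce, hashlib.sha256).digest()
            if not hmac.compare_digest(peer.prove_identity(nonce), expected):
                return False        # peer failed to prove itself: send nothing at all
        # Only now is anything handed over, including the user's own login.
        peer.accept(b"LOGIN " + credentials)
        self.tunnel_open = True
        return True

    def send(self, peer: Gateway, payload: bytes) -> bool:
        if not self.tunnel_open:
            return False            # tunnel not up: drop rather than leak
        peer.accept(payload)
        return True


def run(peer: Gateway, gateway_must_authenticate: bool) -> list:
    """What the peer ends up receiving from a client of the given kind."""
    client = VpnClient(GATEWAY_SECRET, gateway_must_authenticate)
    client.connect(peer, b"alice:hunter2")          # constructed credential
    client.send(peer, b"GET /payroll HTTP/1.1")     # constructed traffic
    return peer.received


if __name__ == "__main__":
    print("lax client, rogue hotspot:   ", run(RogueHotspot(), False))
    print("strict client, rogue hotspot:", run(RogueHotspot(), True))
    print("strict client, real gateway: ", run(Gateway(GATEWAY_SECRET), True))
```

The strict client needs a second property that this sketch only hints at: while the tunnel is down, the client (or its built-in firewall) must also refuse inbound packets from the hotspot, not just hold back its own. Both halves together are what "no data transfer" means in practice.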

WindowsSecurity.com…
What’s in the Windows 7 Firewall?
Deb Shinder previews Redmond's newest firewall and offers configuration tips. We have to ask: with Windows 7 pushing IPSec VPN on the masses, what good is a built-in firewall without central policy control? Exhibit A: Agent Smith's post. On an unmanaged machine the Windows 7 firewall is, in effect, a personal firewall that the user, well, uses! Domain-joined machines can have their firewall rules pushed through Group Policy, which helps, but that does not reach the home or hotspot laptop connecting in over VPN. We're sure it's a good firewall, but we have to question the lack of central management for exactly those machines.