Do you have a firewall? Maybe it's not as useful as you think it is. I was surprised to discover that IPv6 was enabled on several hosts with default firewall policies of ACCEPT and no rules. This allowed IPv6 traffic to completely bypass the numerous IPv4 rules!

IPv6 makes me queasy security-wise due to features such as making all IPv6 hosts into routers that obey source routing, as well as the excessively eager and accepting autoconfiguration. More recent doesn't imply more secure, especially if it's unmanaged because you don't realize it's ON. The issue is IPv6 being enabled by default in a fully open mode. Not everyone realizes this is happening, as we're very much still thinking in terms of IPv4. Even auditing tools such as Lynis (for Linux/UNIX systems) don't report this; it only checks if the IPv4 ruleset is empty. There are going to be a lot of security problems because of this. I know it's been so for some time, but awareness lags. I'm not the only one who thinks it's going to be a bumpy ride, as pointed out elsewhere.

You can mitigate this issue in several ways, besides learning how to secure IPv6 (which you'll have to do sometime) and using your plentiful spare time to do so enterprise-wide. Changing all the default IPv6 policies to DROP without adding any ACCEPT rules breaks things. For example, Java applications try IPv6 first by default and take several minutes to finally switch over to IPv4; this can be perceived as broken. If you have Ubuntu on your desktop, you can use ufw, the Uncomplicated FireWall, to configure your firewall with a click of the mouse. When "turned on", it changes the default policy to DROP but also adds rules accepting local traffic on the INPUT and OUTPUT chains (well done and thanks, Canonical and Gufw developers). This allows Java applications to contact local services, for example. You can also disable IPv6 in sysctl.conf (and have Java still work) if you have a recent kernel (e.g., Ubuntu 10):

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

followed by a reboot. You can also do this immediately, which will be good only until you reboot (note: sudo alone doesn't work, you need to do "sudo su -"):

echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6
echo 1 > /proc/sys/net/ipv6/conf/lo/disable_ipv6

This removes the IPv6 addresses assigned to your network interfaces, and then Java ignores IPv6. If you have an "old" kernel (e.g., the most recent Debian) and need to support Java applications, the above kernel configurations are not available at this time. However, there are other ways to disable IPv6 for Debian, well documented elsewhere. You can also manually add firewall rules like those done by ufw, as described above.

Almost two years ago I wrote in this blog about how CERIAS (and Purdue) was not going to resubmit for the NSA/DHS Centers of Academic Excellence program.

Some of you may notice that Purdue is listed among this year's (2010) group of educational institutions receiving designation as one of the CAEs in that program. Specifically, we have received designation as a CAE-R (Center of Academic Excellence in Research).

"What changed?" you may ask, and "Why did you submit?"

The simple answers are "Not that much," and "Because it was the least-effort solution to a problem." A little more elaborate answers follow. (It would help if you read the previous post on this topic to put what follows in context.)

Basically, the first three reasons I listed in the previous post still hold:

1. The CAE program is still not a good indicator of real excellence. The program now has 125 designated institutions, ranging from top research universities in IA (e.g., Purdue, CMU, Georgia Tech) to 2-year community colleges. To call all of those programs "excellent" and to suggest they are equivalent in a meaningful way is unfair to students who wish to enter the field, and unfair to the people who work at all of those institutions. I have no objection to labeling the evaluation as a high-level evaluation of competence, but "excellence" is still not appropriate.   
2. The CNSS standards are still used for the CAE and are not really appropriate for the field as it currently stands. Furthermore, the IACE program used to certify CNSS compliance explicitly notes "The certification process does not address the quality of the presentation of the material within the courseware; it simply ensures that all the elements of a specific standard are included.." How the heck can a program be certified as "excellent" when the quality is not addressed? By that measure, a glass of water is insufficient, but drowning someone under 30ft of water is "excellent."
3. There still are no dedicated resources for CAE schools. There are several grant programs and scholarships via NSF, DHS, and DOD for which CAE programs are eligible, but most of those don't actually require CAE status, nor does CAE status provide special consideration.

What has changed is the level of effort to apply or renew at least the CAE-R stamp. The designation is now good for 5 academic years, and that is progress. Also, the requirements for the CAE-R designation were easily satisfied by a few people in a matter of several hours mining existing literature and research reports. Both of those were huge pluses for us in submitting the application and reducing the overhead to a more acceptable level given the return on investment.

The real value in this, and the reason we entered into the process is that a few funding opportunities have indicated that applicants' institutions must be certified as a CAE member or else the applicant must document a long list of items to show "equivalence." As our faculty and staff compete for some of these grants, the cost-benefit tradeoff suggested that a small group to go through the process once, for the CAE-R. Of course, this raises the question of why the funding agencies suggest that XX Community College is automatically qualified to submit a grant, while a major university that is not CAE certified (MIT is an example) has to prove that it is qualified!

So, for us, it came down to a matter of deciding whether to stay out of the program as a matter of principle or submit an application to make life a little simpler for all of our faculty and staff when submitting proposals. In the end, several of our faculty & the staff decided to do it over an afternoon because they wanted to make their own proposals simpler to produce. And, our attempt to galvanize some movement away from the CAE program produced huge waves of ...apathy... by other schools; they appear to have no qualms about standing in line for government cheese. Thus, with somewhat mixed feelings by some of us, we got our own block of curd, with an expiration date of 2015.

Let me make very clear -- we are very supportive of any faculty willing to put in the time to develop a program and working to educate students to enter this field. We are also very glad that there are people in government who are committed to supporting that academic effort. We are in no way trying to denigrate any institution or individual involved in the CAE program. But the concept of giving a gold star to make everyone feel good about doing what should be the minimum isn't how we should be teaching, or about how we should be promoting good cybersecurity education.

(And I should also add that not every faculty member here holds the opinions expressed above.)

I have been friends with Linda McCarthy for many years. As a security strategist she has occupied a number of roles -- running research groups, managing corporate security, writing professional books, serving as a senior consultant, conducting professional training....and more. That she isn't widely known is more a function of her not seeking it by having a blog or gaining publicity by publishing derivative hacks to software than it is anything else; There are many in the field who are highly competent and who practice out of the spotlight most of the time.

One of Linda's passions over the last few years has been in reaching out to kids -- especially teens -- to make them aware of how to be safe when online. Her most recent effort is an update to her book for the youngest computer users. The book is now published under the Creative Commons license. The terms allow free use of the book for personal use. That's a great deal for a valuable resource!

I'm enclosing the recent press release on the book to provide all the information on how to get the book (or selected chapters).

If you're an experienced computer user, this will all seem fairly basic. But that's the point -- the basics require special care to present to new users, and in terms they understand. (And yes, this is targeted mostly to residents of the U.S.A. and maybe Canada, but the material should be useful for everyone, including parents.)

Industry-Leading Internet Security Book for Kids, Teens, Adults Available Now as Free Download

Own Your Space® teams with Teens, Experts, Corporate Sponsors for Kids' Online Safety

SAN FRANCISCO, June 17 -- As unstructured summertime looms, kids and teens across the nation are likely to be spending more time on the Internet and texting.

Now, a free download is available to help them keep themselves safer both online and while using a cell phone.

Own Your Space®, the industry-leading Internet security book for youth, parents, and adults, was first written by Linda McCarthy, a 20-year network and Internet-security expert.

This all-new free edition -- by McCarthy, security pros, and dedicated teenagers -- teaches youths and even their parents how to keep themselves "and their stuff" safer online.

A collaboration between network-security experts, teenagers, and artists, the flexible licensing of Creative Commons, and industry-leading corporate sponsors, together have made it possible for everyone on the Internet to access Own Your Space for free via myspace.com/ownyourspace, facebook.com/ownyourspace.net, and www.ownyourspace.net.

"With the rise of high-technology communications within the teen population, this is the obvious solution to an increasingly ubiquitous problem: how to deliver solid, easy-to-understand Internet security information into their hands? By putting it on the Internet and their hard drives, for free," said Linda McCarthy, former Senior Director of Internet Safety at Symantec.

Besides the contributors' own industry experience, Own Your Space also boasts the "street cred" important to the book's target audience; this new edition has been overseen by a cadre of teens who range in age from 13 to 17.

"In this age of unsafe-Internet and risky-texting practices that have led to the deaths and the jailing of minors, I'm thankful for everyone who works toward and sponsors our advocacy to keep more youth safe while online and on cell phones," McCarthy said.

Everyone interested in downloading Own Your Space® for free can visit myspace.com/ownyourspace, facebook.com/ownyourspace.net, and www.ownyourspace.net. Corporations who would like to increase the availability of the book and promote child safety online through their hardware and Web properties can contact Linda McCarthy atlmccarthy@ownyourspace.net.

McCarthy is releasing the book in June to celebrate Internet Safety Month.

I am posting the following at the request of someone associated with this effort at NITRD:

On May 19 the White House announced a new effort to enlist public involvement in defining new areas to "change the game" for cybersecurity. Three areas for research were proposed:

1. Moving Target – Systems that move in multiple dimensions to disadvantage the attacker and increase resiliency.
2. Tailored Trustworthy Spaces – Security tailored to the needs of a particular transaction rather than the other way around.
3. Cyber Economic Incentives – A landscape of incentives that reward good cybersecurity and ensure crime doesn’t pay.

For the next few weeks (until June 18), the public is being invited to make comments. As readers of this blog tend to be well-informed about security issues and research needs, I'd like to encourage you to review the details of the research areas and add your thoughts to the discussion at http://cybersecurity.nitrd.gov As this effort will impact the Federal funding of research for FY2012 and beyond, adding your thoughts is not only beneficial to the government, but also beneficial to those of us in the research community to ensure that research topics are both useful and feasible.

As I've noted before I believe that referring to this as "game change" has the potential to create the wrong attitudes towards the problems. However, at least this isn't an attempt to solve everything in 60-90 days!

Wednesday, March 31, 2010 Panel Members: * David Bell, Retired, Co-author Bell-La Padula Security Model * Joe Pekny, Purdue University * Kenneth Brancik, Northrop Grumman * Petros Mouchtaris, Telcordia Summary by Utsav Mittal The panel was started by Petros Mouchtaris. He said that applying for funding is not that bad although the researcher gets a lot of rejections, but then also once the funding comes through it gives the researcher a lot of control about the areas he wants to work in. He said in the last 10 years most of their funding came from DARPA, initially the funding was for long-term small projects. He said that a smaller, long-term project gives more time to foster basic research about abstract ideas. Joe Pekny, who has worked in Discovery park for about 10 years, said that the fundamental principle about generating funding is about that "Research follows impact." He said that difference between getting and not getting funding is between the ability of the researcher to relate his potential and ability to provide impact. He also talked about the research opportunities in electronic medical records and about privacy issues in videos surveillance that is widely used. He mentioned some tactics that help in order to monetize the research impact: 1. Leverage: He mentioned that everyone wants a big grant which runs long, but that is not always possible, so the researcher should leverage whatever opportunities that he has to have the biggest advantage. 2. Interdisciplinary: He said that this is important, as many problems that we face today are of a complex nature and no single idea can crack the problem, so different smart minds from different areas should work on it. 3. Minimalistic: Joe said that a minimalistic team should be assembled in order to crack the problem, there should not be too many people working on the project. 4. Relationships: Joe stressed the importance of fostering long standing relationships for generating funding. 5. Entrepreneurship: Joe mentioned that money never comes in the form that a person wants it to, so a researcher should have the spirit of entrepreneurship. 6. Operations v. Philanthropy: He meant that if a organization thinks that the researcher has the potential to solve an operations problem then it would shell out billions and fund it. On the other hand if they do not believe in the potential then they may give money as philanthropy. 7. Vision: Joe said that an enduring, fundamental over arching vision is needed for a researcher to be successful. A researcher should have creativity and innovation is every situation. Kenneth Brancik shared his experiences about research funding in the last 30 years. He related his life experience and its help in increasing his "situational awareness."" He said that technology is an enabler for business. He said we should think out of the box and be aware about the "situational awareness" related to cyber security. He said that a researcher, in order to understand the complex cyber security problems, should: 1. Think out of the box 2. Understand the business impact related to it. 3. Use a wide angle lens to look at the picture. David Bell started his talk by quoting Mark Twain and about people being lost in "Power Point Age" which cracked the audience up. David shared his experiences that he had working with ARPA and other federal agencies. He also mentioned about various projects like "Blacker." He mentioned that in the earlier research was "Tethered research." People were not very sure what they were working on, all they knew was that they are working on some advanced technology. His current take on federal funding was that it has dropped from 1.3% to 1%, and a lot needs to be done in the area of cyber security.