Posts in Kudos, Opinions and Rants
Irony and DHS
[tags]DHS,MS Word,threats[/tags]
Earlier, I wrote about the security risks of using Microsoft Word documents as a presentation and encoding format for sending files via email (see posts here and here). Files in “.doc” format can contain embedded macros, among other things, and macros are executable code. They also carry metadata fields that can give away sensitive information (author names and revision history, for instance), and a lot of undocumented binary cruft that an attacker can lean on in the course of an exploit. It is no wonder that exotic exploits keep showing up for Word documents. And only today it was revealed that the just-released Office 2007 may not have even received the most recent patch set.
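The practical check that follows from the paragraph above is to look inside a .doc before anyone opens it. A legacy .doc is an OLE2 compound file, a small filesystem of “storages” and “streams”; a VBA project lives under a Macros/VBA storage, embedded OLE objects under ObjectPool, and the document properties in the \x05SummaryInformation and \x05DocumentSummaryInformation streams. The script below is an added example written for this page, not code from the original post or from any named tool; it parses the container with the standard library only, walks the directory tree, and flags those stream names (the same first step tools such as oledump.py perform). It reads only the header DIFAT array, so files larger than roughly 7 MB that use DIFAT sectors are not fully handled, and it does not decompress the VBA source itself. The sample document it builds when run without arguments is constructed in memory for the demonstration and is not a real Word file; its streams are empty, only the directory is realistic.

```python
"""List the streams of an OLE2 / Compound File Binary (.doc) container and flag
macros, embedded objects and metadata without opening the file in Word."""
import struct
import sys

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN, FREESECT, NOSTREAM, FATSECT = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFD
TYPE_STORAGE, TYPE_STREAM, TYPE_ROOT = 1, 2, 5


def _read_fat(data, sector_size):
    """Assemble the FAT from the sectors listed in the header DIFAT array
    (109 entries; DIFAT sectors used by large files are not followed)."""
    n_fat = struct.unpack_from("<I", data, 44)[0]
    difat = struct.unpack_from("<109I", data, 76)
    fat = []
    for sec in difat[:n_fat]:
        chunk = data[(sec + 1) * sector_size:(sec + 2) * sector_size]
        if len(chunk) < sector_size:
            raise ValueError("truncated FAT sector")
        fat.extend(struct.unpack("<%dI" % (sector_size // 4), chunk))
    return fat


def _chain(fat, start):
    """Follow a FAT chain; stop at ENDOFCHAIN and on loops in malformed files."""
    seen, sec = set(), start
    while sec < len(fat) and sec < 0xFFFFFFFA and sec not in seen:
        seen.add(sec)
        yield sec
        sec = fat[sec]


def _directory(data):
    """Parse every 128-byte directory entry as (name, type, left, right, child, size)."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE2 compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    first_dir = struct.unpack_from("<I", data, 48)[0]
    entries = []
    for sec in _chain(_read_fat(data, sector_size), first_dir):
        base = (sec + 1) * sector_size
        for i in range(sector_size // 128):
            raw = data[base + i * 128:base + (i + 1) * 128]
            if len(raw) < 128:
                break
            name_len = min(struct.unpack_from("<H", raw, 64)[0], 64)  # bytes incl. NUL
            name = raw[:max(name_len - 2, 0)].decode("utf-16-le", "replace")
            left, right, child = struct.unpack_from("<III", raw, 68)
            size = struct.unpack_from("<Q", raw, 120)[0]
            entries.append((name, raw[66], left, right, child, size))
    return entries


def list_streams(data):
    """Walk the tree from the root entry; return (path, type, size) per storage/stream."""
    entries, found = _directory(data), []

    def walk(idx, prefix, seen):
        if idx == NOSTREAM or idx >= len(entries) or idx in seen:
            return
        seen.add(idx)
        name, otype, left, right, child, size = entries[idx]
        walk(left, prefix, seen)
        if otype in (TYPE_STORAGE, TYPE_STREAM):
            path = prefix + [name]
            found.append(("/".join(path), otype, size))
            walk(child, path, seen)
        walk(right, prefix, seen)

    if entries and entries[0][1] == TYPE_ROOT:
        walk(entries[0][4], [], set())
    return found


def assess(data):
    """Summarise what the container carries before anyone double-clicks it."""
    names = [p for p, _, _ in list_streams(data)]
    parts = {c for p in names for c in p.split("/")}
    return {
        "is_word": "WordDocument" in parts,
        "has_macros": bool(parts & {"Macros", "VBA", "_VBA_PROJECT"}),
        "has_embedded_objects": "ObjectPool" in parts,
        "has_metadata": bool(parts & {"\x05SummaryInformation",
                                     "\x05DocumentSummaryInformation"}),
        "streams": sorted(names),
    }


def build_sample_doc():
    """CONSTRUCTED sample, not a real document: a 2 KB compound file whose
    directory looks like a macro-bearing .doc (all streams empty)."""
    def entry(name, otype, left=NOSTREAM, right=NOSTREAM, child=NOSTREAM):
        raw_name = name.encode("utf-16-le") + b"\x00\x00"
        return (raw_name.ljust(64, b"\x00")
                + struct.pack("<HBB", len(raw_name), otype, 1)   # name length, type, colour
                + struct.pack("<III", left, right, child)
                + b"\x00" * 36                                   # CLSID, state bits, timestamps
                + struct.pack("<IQ", ENDOFCHAIN, 0))             # start sector, stream size

    entries = [
        entry("Root Entry", TYPE_ROOT, child=1),
        entry("WordDocument", TYPE_STREAM, left=2, right=3),
        entry("Macros", TYPE_STORAGE, child=4),
        entry("\x05SummaryInformation", TYPE_STREAM, right=5),
        entry("VBA", TYPE_STORAGE, child=6),
        entry("\x05DocumentSummaryInformation", TYPE_STREAM),
        entry("ThisDocument", TYPE_STREAM),
    ]
    directory = b"".join(entries).ljust(1024, b"\x00")                        # sectors 1, 2
    fat = struct.pack("<128I", FATSECT, 2, ENDOFCHAIN, *([FREESECT] * 125))  # sector 0
    header = (OLE_MAGIC + b"\x00" * 16
              + struct.pack("<HHHHH", 0x3E, 3, 0xFFFE, 9, 6) + b"\x00" * 6
              + struct.pack("<9I", 0, 1, 1, 0, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
              + struct.pack("<109I", 0, *([FREESECT] * 108)))
    return header + fat + directory


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_doc()
    for key, value in assess(blob).items():
        print("%-22s %s" % (key, value))
```

Run it with a .doc path to see the stream list and the flags; with no argument it inspects the constructed sample, for which has_macros, is_word and has_metadata come back True and has_embedded_objects False. Anything that is not an OLE2 container (a .docx is a ZIP, for example) is rejected by the signature check rather than parsed.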
Want to find some vulnerabilities in Word? Then take a look at the list of US-CERT alerts on that software; my search returns almost 400 hits. Some of these are not yet patched, and there are likely many as-yet unpatched flaws still in there.
Clearly, the use of Word as a document exchange medium is Bad (that's with a definite capital B). People who understand good security practices do not exchange Word files unless they are doing collaborative editing, and even then it is better to use RTF (if one continues to be beholden to Microsoft formats). Good security hygiene means warning others, and setting a good example.
Now, consider that DHS has released BAA07-09 to solicit research and prototypes to get fixes for current cyber infrastructure vulnerabilities. I could rant about how they claim it is for R&D but is really a BAA for further product development for fundamentally flawed software that cannot be fixed. But that isn't the worst part. No, the BAA is only available as Word documents!
Can you say “irony”? This is the agency charged with helping guide us to a more secure infrastructure? If so, electronically KYAG.
Update: A response from Dr. Douglas Maughn at DHS points out that the site I indicated for the BAA is actually FedBizOps rather than DHS. The DHS posting site actually has it in PDF...although the FedBizOps link is the one I've seen in several articles (and in a posting in SANS NewsBites).
Of course, it would be great if DHS could get the folks at FedBizOps to clean up their act, but at least in this case, DHS -- or rather, DHSARPA -- got it right. I stand corrected.
Google 419, Part II
[tags]Google, spam, 419[/tags]
I recently blogged about some unsolicited email I received from a recruiter at Google. Much to my surprise, I was shortly thereafter contacted by two senior executives at Google (both of whom I know). Each apologized for the contact I had received; one assured me he would put in a positive recommendation if I wanted that sys admin position. :-)
I have been assured that there will be some re-examination made of how these contacts are made. So, score one for my blog changing the world! Or something like it.
[posted with ecto]
Google learning from the Nigerians?
[tags]Google, spam[/tags]
Today I received email from a google.com address. The sender said he had found me by doing a search on the WWW. He indicated he hoped I wasn't offended by his sending unsolicited email. However, he had a great offer for me, one that I was uniquely qualified for, and then offered a couple of URLs.
Does that sound familiar?
My first thought was that it was a 419 scam (the usual “I am the son of the crown prince of Nigeria...” letters). However, after checking out the mail headers and the enclosed URLs, it appears to be a (semi) legit letter from a Google recruiter. He was asking if I was open to considering a new, exciting position with Google.
And what exciting new position does the Google recruiter think I'm ideally suited for? Starting system administrator.....
And by the way, sending email to “abuse@google.com” gets an automated response that states, in no uncertain terms, that Google never sends spam and that I should take my complaints elsewhere.
Gee, think this is a new career possibility for me?
[posted with ecto]
The gutting of cybersecurity
I strongly urge you to read Jim Horning's blog entry about a recent Congressional hearing on cyber security research -- his blog is “Nothing is as simple as we hope it will be.” (Jim posts lots of interesting items -- you should add his blog to your list.)
I have been visiting Federal offices and speaking before Congress for almost 20 years trying to raise some awareness of the importance of addressing information security research. More recently, I was a member of the President's Information Technology Advisory Committee (PITAC). We studied the current funding of cybersecurity research and the magnitude of the problem. Not only was our report largely ignored by both Congress and the President, the PITAC was disbanded. For whatever reason, the current Administration is markedly unsupportive of cyber security research, and might even be classed as hostile to those who draw attention to this lack of support.
Of course, there are many other such reports from other august groups that state basically the same as the PITAC report. No matter who has issued the reports, Congress and the Executive Branch have largely failed to address the issues.
Thus, it is heartening to read of Chairman Langevin's comments. However, I'm not going to get my hopes up.
Be sure to also read Dan Geer's written testimony. It touches on many of the same themes he has spoken about in recent years, including his closing keynote at our annual CERIAS Security Symposium (save the dates -- March 19 & 20, 2008 -- for the next symposium).
Copyright © 2007 by E. H. Spafford
[posted with ecto]