The Security Awareness Company has a new poster.
I just saw this letter that Senator Harry Reid sent to the President yesterday regarding the lack of computer security in the US government. I agree with PGN that hopefully both sides will bring it up and it won't be ignored as coming from "the other side", but given the trend in that area it's probably not likely.
Jesper Johansson has written an article called Help Wanted — Need "People" People for July's TechNet. It's an interesting writeup about how technological solutions to computer security problems will never work, and it needs to be addressed through changing opinion. Even brings out the classic quote "If a bad guy can persuade you to run his program on your computer, it's not your computer anymore." The dancing pigs example is back too.
He does bring out the point that we need "people" people to do that, which I think is important. The problem from my point of view seems to be convincing the more technical people people that it's in the user's best interest to be told no for certain things and explain why, rather than saying the users aren't technical and they'll never understand it. Just saying no isn't enough, as if someone is told know but just thinks it's arbitrary or because IT doesn't have time or doesn't want to support it, they'll try to do it on their own and make it worse than if they were assisted.
His perspective is actually that the technical people have to figure out how to deal with people to get around that. I can see that in a way. There are several non-technical people at work who I've built up relationships where I give complete answers of why we want to do something in a completely different way. They've learned in the long run that it's easier for both of us, and now are pretty much willing to take my responses without explanation. I think the key is after reaching that point to still keep explaining things, so things don't revert back to an "us vs them" mentality. It makes things easier to explain in small pieces gradually and let it sink in rather than hitting a point where it no longer makes sense and the whole background has to be rebuilt.
Unfortunately there are a couple issues with this. The first being it ends up not falling under and interfering with trying to keep a single-point-of-contact Help Desk. Part of the problem here I think stems from the fact that often the front line doesn't have enough technical knowledge to see the reasoning (or doesn't care about telling the user about it), and doesn't have an interest in learning it, so passes information through that sounds like an arbitrary mandate. The problem isn't needing to change the Help Desk model, that's needed for a lot of the front line stuff. Sysadmins need uninterrupted time to concentrate and work on projects. The people I work with for example understand that they can't always come to me with stuff. Most stuff goes to the Help Desk, especially if they need response right away. If it's an explanation that will end up with jumping through hoops at the Help Desk and they're willing to wait for action, it may not go through there. They understand I can't respond to stuff instantly (although for simple stuff I know the history and can do it in 10 seconds rather than them spending 30 minutes explaining what it is to someone asking completely unrelated things because they don't know it), and in some cases may take weeks to finish a request. And and understanding or dealing with the occasional "that needs to go through the Help Desk". I think there's probably a good medium between the techs dealing with people and the Help Desk workers understanding and communicating reasonings. There's also the need to get the information out to work the way down the chain through smaller jumps in technical knowledge, somehow minimizing the telephone effect.
Of course there are always the people who won't care, and will refuse all attempts to explain anything. Those are the ones who will probably need a few rounds of getting their identity stolen or financial accounts compromised, and losing their data due to lack of any sort of data management habits before thinking there may be a reason behind why they can't do whatever they want. What are your opinions on this issue?
Aaron Margosis posted an interesting thought on Anti-Virus vs Non-Admin (LUA). Basically with what's out there and the assumptions it makes, it's currently better to just run LUA (not as an Administrator) without any anti-virus or anti-malware than to run as admin because the protection software breaks otherwise.
I didn't realize there was such broken "security" software for Windows. They didn't name names in the articles though. Does anyone know which they are so I can avoid them when others ask me?
There's a remote code execution vulnerability in Macromedia Flash client. The vulnerability also includes Shockwave due to the embedded flash support. Unfortunately this seems to be preinstalled almost everywhere and considered safe usually, so it's a rather big one. Download links to new versions are on that page. As a side note I recommend Flashblock both to minimize general annoyance and to help minimize the impact of things like this (it turns it into a click-to-exploit rather than load-page-to-exploit). You can check your version of Flash Player (should be at least 8.0.24) and Shockwave Player (should be at least 10.1.1 (10.1r(\d+) on the check is 10.1.0.x\1)) on Macromedia's site.
Copyright ©2000-2008 Jeremy Mooney (jeremy-at-qux-dot-net)
