<<  The hearing aid is great, now what about my cell phone 7   >>
Consider PDF Attacks Last Year
Consider PDF Attacks Last Year
Or Consider Java Today
Or Consider Java Today
Sample Secunia PSI Run Output
Sample Secunia PSI Run Output
Drilling Down on One of Those Programs
Drilling Down on One of Those Programs
Interested in Using PSI/CSI At Your Site
Interested in Using PSI/CSI At Your Site
Part of a Recent DRG ssh Password Auth Report
Part of a Recent DRG ssh Password Auth Report
DRG ssh Username/Password Tag Clouds
DRG ssh Username/Password Tag Clouds
30
30
Nonetheless, Deployment IS Beginning To Happen
Nonetheless, Deployment IS Beginning To Happen
For Example
For Example
For Example
For Example
Internet2 Securiy Update: Some Excerpts From the 2nd Data Driven Collaborative Security Workshop and Some Timely Strategic Security Area You Should Be Thinking About

: joe st sauver. , . , Internet2 Securiy Update: Some Excerpts From the 2nd Data Driven Collaborative Security Workshop and Some Timely Strategic Security Area You Should Be Thinking About.ppt zip- 880 .

Internet2 Securiy Update: Some Excerpts From the 2nd Data Driven Collaborative Security Workshop and Some Timely Strategic Security Area You Should Be Thinking About

Internet2 Securiy Update: Some Excerpts From the 2nd Data Driven Collaborative Security Workshop and Some Timely Strategic Security Area You Should Be Thinking About.ppt
1Internet2 Security Update: Some 33of the problematic host, the
Excerpts From the 2nd Data Driven timestamp/time zone when the incident was
Collaborative Security Workshop and Some observed, AND the source port number.
Timely Strategic Security Area You Should Unfortunately, many abuse records do not
Be Thinking About. Joe St Sauver, Ph.D. currently include source port info. For
Internet2 Nationwide Security Programs example, if you look at Received: headers
Manager (joe@uoregon.edu or in mail messages, you will NOT see source
joe@internet2.edu) Internet2 Fall Members port information listed. Many other
Meeting, Atlanta GA Thursday, November sources of backtracking information are
4th, 2010 10:30-11:45AM Grand Ballroom similarly bereft. 33.
III/IV 34Loss of Transparency (and Loss of
http://pages.uoregon.edu/joe/sec-update-fa Innovation, and Loss of Throughput, and).
l2010-mm/. 1. Large scale NAT may work adequately well
2Introduction: Were All Busy, But for users with simple mainstream needs
Many of us may all be preoccupied with (such as browsing the web, or sending
major broadband stimulus-related email via a third party web email
infrastructure projects, but security service), but those sort of applications
issues continue to demand the communitys should NOT be the epitome of advanced
attention: -- Unpatched or incompletely applications or high performance
patched systems and applications continue applications in our community! Innovative
to get cracked, potentially resulting in advanced applications and high performance
breaches of personally identifiable data transfers almost always work better
information (PII), -- Malware continues to when Internet connected hosts have
outpace signature-based antivirus globally routed unique IP addresses. For
software, resulting in a steady supply of that matter, even some pretty basic
botted hosts -- Satisfying increasingly applications, such as video conferencing,
demanding compliance-related security often ONLY work if you have a public
requirements can also be daunting and time address. 34.
consuming. Given those pressures, it is 35There Are A Million Different Really
pretty easy to fall into reactive mode, Good Reasons Why We Just Cant Deploy
spending all our security related cycles IPv6!. There may be. Unfortunately, you
just fighting fires and trying to really dont have any good alternative (as
satisfy the auditors.. 2. Iljitsch van Beijnum wrote in Ars Technica
3We Need To Look For Leverage a month or so ago, There is No Plan B:
Opportunities. The only way we can scale Why The IPv4-to-IPv6 Transition Will Be
up to those day-to-day challenges is by Ugly, see
looking for leverage opportunities. arstechnica.com/business/news/2010/09/
Think of leverage opportunities as times there-is-no-plan-b-why-the-ipv4-to-ipv6-tr
when we might be able to use technology to nsition-will-be-ugly.ars ) The time has
simultaneously fight the fires that break come to get IPv6 deployed on your campus,
out (because we must continue to do that), and on your servers, and on your regional
while ALSO making substantive progress networks. 35.
against vulnerabilities that are being 365. Security of the Domain Name System
actively targeted for exploitation. Doing (DNS) and DNSSEC. Pretty much everything
this requires Data, Analysis, on the Internet relies on the ability of
Collaboration and Action, the touchstones users to safely refer to sites by symbolic
of the Data Driven Collaborative names (such as www.internet2.edu) rather
Security approach that weve been than IP addresses (such as
highlighting in the last couple Internet2 207.75.165.151), trusting DNS to do that
Data Driven Collaborative Security translation for them. If that translation
Workshops for High Performance Networks process is untrustworthy, instead of going
(DDCSW and DDCSW2). 3. where you wanted to go, you might end up
4The 2nd Internet2 Data Driven being taken to a site that will drop
Collaborative Security Workshop. Speaking malware on your system, or you might be
of DDCSW2, we held the 2nd invitational diverted from your bank or brokerage to a
Internet2 Data Driven Collaborative fake financial site run by some offshore
Security Workshop (DDCSW2) this summer cracker/hacker. It is absolutely critical
from August 17th-18th, 2010 at the Knight that DNS be trustworthy. DNSSEC, a system
Executive Education and Conference Center of cryptographic signatures that can help
on the Washington University in St Louis insure that DNS results havent been
campus. Thank you for sharing that tampered with, can help secure DNS results
facility with us! As was the case for the -- IF it gets used. 36.
first DDCSW held at the University of 37Two DNSSEC Tasks: Signing and
Maryland Baltimore County, DDCSW2 included Checking. For DNSSEC to work, two things
a mix of academic, corporate, non-profit need to happen: -- sites need to
and law-enforcement / government folks. cryptographically sign their own DNS
Even if you did attend DDCSW2, unlike many records -- other sites need to check, or
closed cyber security meetings, you can verify, that the DNSSEC-signed results
check out some excellent presentations they receive are valid Many sites have
from that meeting online at held off signing their sites DNS records
security.internet2.edu/ddcsw2/. 4. because for a long time the DNS root
5Three Topics From DDCSW2. As a bit of (dot) and the EDU top level domain
a teaser to get you interested in werent signed. Thats no longer a
learning more about DDCSW2, I wanted to problem: both have now been signed. At the
highlight three immediately relevant same time, many recursive resolvers
tactical cyber security issues which were havent bothered to check DNSSEC
raised during that meeting, before signatures because no one has bothered
covering some strategic cyber security to sign their zones. DNSSEC thus formerly
issues. Three tactical cyber security epitomized the classic Internet chicken
issues from DDCSW2 included: 1) Updates and egg deployment problem. 37.
for PC Software OTHER THAN MS Windows, MS 38Nonetheless, Deployment IS Beginning
Office, Internet Explorer, etc. 2) RPZ: To Happen! 38.
DNS Response Policy Zones, and 3) Dragon 392nd Level .edus Which ARE Signed
Research Group and DRG Pods (including (10/12/10). merit.edu monmouth.edu
the DRG ssh project). 5. penn.edu psc.edu suu.edu ucaid.edu
61. Updates for PC Software OTHER THAN upenn.edu weber.edu What about YOUR
Windows Itself, Office, Internet Explorer, school??? Data from:
etc. Microsoft has done a great job of http://secspider.cs.ucla.edu/.
improving their softwares code quality berkeley.edu cmu.edu desales.edu
and helping users to keep Microsofts own example.edu fhsu.edu indiana.edu
software (MS Windows, MS Office, Internet internet2.edu iu.edu iub.edu iupui.edu
Explorer, etc) up-to-date. However, thats k-state.edu ksu.edu lsu.edu. 39.
not the only software youve got on your 40Some Universities Are Now Validating
PC. Most people also have third party DNSSEC Signatures, Too. For example, the
applications installed such as: -- Acrobat University of Oregon is now verifying
or Acrobat Reader -- Flash Player -- Third DNSSEC signatures on its production
party browsers such as Firefox or Opera -- recursive resolvers, and this has
Media helper applications such as generally been going just fine. If you
QuickTime -- Music players such as iTunes need a simple test to see whether your
-- Java -- etc. Unfortunately you and your current recursive resolvers are verifying
users may not be keeping up when it comes DNSSEC signatures, try the (somewhat
to keeping all those other applications irreverent but quite straightforward)
patched up-to-date. 6. thumbs up/eyes down DNSSEC validation
7The Proof Of The Pudding Is In The tester thats available at:
Eating. If you have a personally-owned http://test.dnssec-or-not.org/. 40.
Windows PC, try an experiment. Download 41For Example 41.
Secunia PSI (free for personal use) from 42Verifying DNSSEC Signatures Is Not
http://secunia.com/products/ and run it on Completely Without Risk. In many ways, the
your personally owned system. (Secunia CSI most serious risk you face when validating
is the institutional analogue of Secunia DNSSEC signatures is that DNSSEC will
PSI) When you run PSI I would be extremely work as advertised. That is, a domain
surprised if that tool doesnt find at may accidentally end up with invalid
least one third party application that is DNSSEC signatures for a variety of
either end-of-life or less than fully reasons, and once theyve done that, their
patched on any given system you may happen site will then (correctly) become
to check. The problem of unpatched third inaccessible to those of us who are
party applications is endemic, and it IS verifying DNSSEC signatures.
getting noticed (and targeted!) by cyber Paradoxically, when that happens, the site
attackers. 7. will continue to work just fine for
8Consider PDF Attacks Last Year 8. everyone who is NOT doing DNSSEC, and the
9Or Consider Java Today 9. DNSSEC problem may thus go unnoticed by
10Stefan Frei from Secunia at DDCSW2. the site. This may be an irritating
Given the timeliness of this issue, we experience for your users if a critical
were delighted when Stefan Frei, Research site ends up being inaccessible.
Analyst Director at Secunia, was able to http://dnsviz.net is a great resource for
come to DDCSW2 to talk about their visualizing and debugging these sort of
experience with Secunia PSI on 2.6 million issues when they arise. If you want an
PCs. See intentionally broker domain to try
security.internet2.edu/ddcsw2/docs/sfrei.p testing, try using dnssec-failed.org. 42.
f Some highlights: -- half of all users 43Not Ready to Jump In? Try Taking Baby
have >66 programs from >22 vendors Steps. Maybe you can at least either: --
(dang!) -- The top-50 most common programs sign your own domain or at least -- begin
include 26 from Microsoft, plus 24 3rd to validate the signatures that others
party programs from 14 different vendors have added? You dont need to immediately
(with 14 different update mechanisms!) -- do both simultaneously! Maybe you can sign
Eight programs from three vendors all have just part of your domain (such as your cs
a > 80% user share -- All programs in or engineering subdomains), or you can
the top-50 portfolio have a ? 24% user just try signing a couple of
share -- In the 1st half of 2010, 3rd less-important institutional test
party programs in the top-50 portfolio had domains Maybe you can create additional
275 vulnerabilities, 4.4X more than MS opt-in validating resolvers, even if you
programs -- One exploitable vulnerability dont enable DNSSEC by default on your
is all you need to 0wn a PC 10. production recursive resolvers? 43.
11Sample Secunia PSI Run Output. 11. 446. Security of Mobile Internet
12Drilling Down on One of Those Devices. Theres a huge temptation to just
Programs. IMPORTANT: Dont forget to check focus on traditional networks, servers,
and fix ALL RED TABS! 12. desktop workstations and laptops, but
13Interested in Using PSI/CSI At Your theres been a real revolution quietly
Site? 13. going on: were entering an age where
14BTW, Change Is Coming for Some 3rd mobile Internet devices are becoming
Party Apps. I think were at something of virtually ubiquitous. For example, the
a cusp when it comes to some third party 2009 ECAR Study of Undergraduate Students
software, at least when it comes to some and Information Technology
vendors. For example, as of Mac OS X 10.6 (http://www.educause.edu/ers0906 )
update 3, the version of Java that is reported that 51.2% of respondents owned
ported by Apple and ships with OS X will an Internet capable handheld device, and
be deprecated. (see another 11.8% indicated that they planned
http://tinyurl.com/java-deprecated ). to purchase one in the next 12 months
While it may be possible for a fully open What about faculty/staff? While mobile
source version of Java to be developed for Internet devices and cell phones have
OS X, it may be tricky to get the same formerly been treated as listed property
seamless integration that the vendor by the IRS, Section 2043 of H.R. 5297 (the
supported version of Java currently Small Business Jobs Act of 2010) was
provides. Apps using Java are also signed into law Sept 27, 2010, fixing
reportedly going to be rejected by the that. Because of that recent change,
Apple iPhone App Store. Finally, it also expect to see a lot more institutionally
appears that Apple will no longer be owned faculty/staff mobile Internet
pre-installing Adobe Flash Player on Macs devices soon 44.
(although users can still download and 45Mobile Internet Devices Raise LOTS of
install it themselves). Quoting Bob Dylan, Questions. Ive got a full 110 slide
You better start swimmin / Or youll presentation discussing the security of
sink like a stone / For the times, they mobile Internet devices that I recently
are a-changin.. 14. gave as the closing session for the
152. Another Excerpt From DDCSW2: RPZ. Northwest Academic Computing Consortium
RPZ stands for DNS Response Policy Zones (NWACC) 2010 Network Security Workshop in
and Eric Ziegast of ISC was good enough to Portland (see
come to DDCSW2 and do two talk for us, http://pages.uoregon.edu/joe/nwacc-mobile-
with one of them covering RPZ. See ecurity/ (PDF or PPT formats)). Given our
http://security.internet2.edu/ddcsw2/docs/ limited time together today, Im obviously
iegast-rpz.pdf RPZ stems from a seminal not going to be able to cover all that
July 30th, 2010 article by Paul Vixie of material. Recognizing how common mobile
ISC in CircleID entitled, Taking Back the Internet devices have become, however, I
DNS, see do want to at least alert you to some of
http://www.circleid.com/posts/20100728_tak the security issues that you face from
ng_back_the_dns/ In a nutshell, Vixies mobile devices, leaving you to see the
insight was that its crazy for sites like full presentation for details and
ours to help the bad guys to commit their additional issues. To keep this simple,
cyber crimes by providing trustworthy and well largely focus on the Apple iPhone
reliable DNS service for evil purposes. for the rest of this quick discussion. 45.
For example, our name servers should NOT 46A Few Mobile Internet Device Security
be docilely and dutifully resolving domain Questions. What type(s) of mobile Internet
names known to lead to malware, thereby devices should we support? Blackberries?
helping the bad guys to efficiently infect iPhones? Android devices? Does it matter?
our systems. Think of RPZ as new real time Is cellular wireless connectivity secure
block listing for DNS. 15. enough to protect PCI-DSS or HIPAA or
16Some RPZ Pragmatic Details. RPZ is FERPA data that may be transmitted? Should
currently available as a patch for BIND we centrally manage our mobile devices? If
(see the links from Vixies CircleID so, how? Is there PII on our users mobile
article). ISC is NOT providing a data feed Internet devices? Do those devices have
for RPZ, just the protocol spec and a hardware whole device encryption to
reference implementation (patch) for BIND. protect that data? What if one of these
You could build your own RPZ zone, or mobile devices get lost or stolen? Can we
select one supplied by a third party. If send the device a remote wipe or kill
you do implement RPZ for typical users, code? Do we need antivirus protection for
you may want to also make sure you offer mobile devices? What if users want to
an unfiltered recursive resolver for any jailbreak their device? Is that okay?
campus malware researchers or security And there are many more security
researchers (or at least do not block questions, but few people are talking
their ability to run their own unfiltered about these issues in our community. Why?
recursive resolver, or their ability to 46.
reach Googles intentionally open 47Are We Seeing a Recapitulation Of the
recursive resolvers at 8.8.8.8 and Old Managed vs. Unmanaged PC Wars? For
8.8.4.4). Because of the dismal status of a long time, way back in the bad old
malware protection right now, I think that days, traditional IT management simply
well be hearing a lot about RPZ in the pretended that PCs didnt exist. While
future. 16. they were in denial, people bought
173. The Dragon Research Group and DRG whatever PCs they wanted and
Pods (Including the DRG ssh Project). Many administered them themselves. Sometimes
of you will already be familiar with Team that worked well, other times chaos
Cymru (see http://www.team-cymru.org/ ) reigned. Today's more closely managed
and the excellent work that Rob Thomas and enterprise model was the result of that
his team do in furthering Internet anarchy. At some sites, standardized PC
security. You may not be as familiar with configurations are purchased and tightly
Dragon Research Group, the international locked down and are then centrally
all-volunteer research group offshoot of administered. While Im not a fan of this
Team Cymru (even though they are available paradigm, I recognize that it is
as a link from the top bar on the primary increasingly common. Are we
Team Cymru web site). We were fortunate to re-experiencing that same evolutionary
have Paul Tatarsky, Seth Hall and John process for mobile Internet devices? What
Kristoff provide a briefing on the DRG for might we be able to do if we did use a
DDCSW2, see managed model? 47.
http://security.internet2.edu/ddcsw2/docs/ 48An Example of One Simple Mobile
atarsky.pdf For todays update, well just Internet Device Policy Question: Device
highlight two things related to the that Passwords. If a mobile Internet device is
talk: volunteering to run a DRG pod, and lost or stolen, a primary technical
an example of one project enabled by DRG control preventing access to/use of the
pod data, the DRG ssh project. 17. device is the devices password. Users
18DRG Pods. Dragon Research Group hate passwords, but left to their own
makes available a customized Linux Live CD devices (so to speak), if they use one at
distribution that securely converts a all, they might just use a short (and
system (or virtual machine) into a DRG easily overcome) one such as 1234 You and
data collection endpoint (or pod). A your school might prefer that users use a
full description of the distribution and longer and more complex password,
how you can sign up to participate is at particularly if that mobile Internet
www.dragonresearchgroup.org/drg-distro.htm device has sensitive PII on it. You might
Because network activity policies vary even require the device to wipe itself if
from site to site, the DRG distribution it detects that it is the target of an
intentionally provides substantial in-person password brute force attack. If
flexibility. Thus, for example, if your the device is managed, you can require
site will only permit passive measurement these things but are your mobile
activities, the pod can be configured to Internet devices managed? Many arent. 48.
carefully support that policy, while if 49Other Potential Local iPhone
your site allows active measurements, that Policies Include. Adding or removing
more liberal framework can also be root certs Configuring WiFi including
accommodated. All DRG pod locations are trusted SSIDs, passwords, etc. Configuring
confidential. A nice example of the sort VPN settings and usage Blocking
of work that the DRG pods can enable is installation of additional apps from the
the DRG ssh project, which well describe AppStore Blocking Safari (e.g., blocking
next. 18. general web browsing) Blocking use of the
19The DRG ssh Project. ssh (secure iPhones camera Blocking screen captures
shell, e.g., an encrypted version of Blocking use of the iTunes Music Store
telnet) is the preferred way that most Blocking use of YouTube Blocking explicit
security-conscious individuals remotely content Some of these settings may be less
login to Unix boxes and other systems. On applicable or less important to higher ed
many hardened systems, sshd may be the folks than to corp/gov users. 49.
only network service thats accessible. 50Scalably Pushing Policies to the
Because sshd may be the only service iPhone. To configure policies such as
thats open, it gets a lot of attention those just mentioned on the iPhone, you
from cyber criminals who scan the Internet can use configuration profiles created via
looking for vulnerable hosts. Anyone the iPhone Configuration Utility
running sshd is all too familiar with (downloadable from
failed ssh login attempts from random http://www.apple.com/support/iphone/enterp
sources in their syslogs. Wouldnt it be ise/ ) Those configuration files can be
nice if you could see a list of all the IP downloaded directly to an iPhone which is
addresses that have recently been seen ssh physically connected to a PC or Mac
scanning? Wouldnt it be particularly nice running iTunes -- but that's not a
to know if one of those actively scanning particularly scalable approach. The
hosts is actually a (likely compromised) configuration files can also be emailed to
system on your campus? You can read more your users iPhones, or downloaded from
about the DRG ssh project at the web per chapter two of the Apple
http://www.dragonresearchgroup.org/insight Enterprise Deployment Guide. While those
. 19. configuration files need to be signed (and
20Part of a Recent DRG ssh Password Auth can be encrypted), there have been reports
Report. 20. of flaws with the security of this
21DRG ssh Username/Password Tag Clouds. process; see iPhone PKI handling flaws
21. at cryptopath.wordpress.com/2010/01/. 50.
22An Aside on Ssh Scanning Tools. At 51Whats The Big Deal About Bad Config
least some of the hosts that are engaged Files? If I can feed an iPhone user a bad
in ssh scanning/brute forcing are likely config file and convince that user to
infested with the dd_ssh brute forcing actually install it, I can: -- change
script. For more information about this their name servers (and if I can change
attack tool, see: their name servers, I can totally control
http://isc.sans.edu/diary.html?storyid=937 where they go) -- add my own root certs
Metasploit Framework 3.4.0 (released May (allowing me to MITM their supposedly
18th, 2010) also now includes strong secure connections) -- change email,
support for brute forcing network WiFi or VPN settings, thereby allowing me
protocols, including support for brute to sniff their connections and credentials
forcing ssh, see -- conduct denial of service attacks
http://blog.metasploit.com/2010_05_01_arch against the user, including blocking their
ve.html These sort of brute forcing tools access to email or the web These config
mean that brute forcing attacks are likely files also can be made non-removable
here to stay Many sites may want to (except through wiping and restoring the
consider deploying anti-brute forcing device). 51.
scripts as part of their system 52We Need to Encourage Healthy
configuration. One such tool is fail2ban, Paranoia. Because of the risks associated
see with bad config files, and because the
http://www.fail2ban.org/wiki/index.php/Mai config files be set up with attributes
_Page however there are many others you which increase the likelihood that users
might also try. 22. may accept and load a malicious
23DRG Will Be Doing More Cool Projects. configuration file, iPhone users should be
So as cool as the preceding ssh analyses told to NEVER, EVER under any
are, they are really just an example, the circumstances install a config file
tip of the proverbial iceberg, if you received by email or from a web site. Of
will. With your help, many further course, this sort of absolute prohibition
interesting projects may become possible. potentially reduces your ability to
Wed encourage you to consider scalably and securely push mobile Internet
participating in the DRGs activities by device security configurations to iPhones,
hosting a pod at your site. If nothing but This issue also underscores the
else, youll at least want to keep an eye importance of users routinely
on their ssh scanner/ssh brute forcer syncing/backing up their mobile devices
report to make sure your ASN or ASNs used so that if they have to wipe their device
by your colleagues, dont show up as a and restore it from scratch, they can do
source of abusive ssh brute force traffic! so without losing critical content. 52.
23. 53What About Hardware Encryption?
24Should We Continue Having DDCSW Another example of a common security
Meetings? So now you know a little about control designed to protect PII from
three of the great security-related unauthorized access is hardware
presentations that were shared at the last encryption. Many sites require whole
DDCSW. An open question to those of you in disk encryption on all institutional
the Internet2 community: Should we have devices containing PII. Some mobile
further DDCSW events in the future? We Internet devices (such as earlier versions
think the quality of the material of the iPhone) didnt offer hardware
presented at both DDCSWs was outstanding, encryption; 3GS and 4G iPhones now do.
but we recognize that everyone in the However, folks have demonstrated that at
security community is very busy. Some least for the 3Gs (and at least for some
might go so far as to say that the biggest versions of iOS) was less-than-completely
gift we could give the security bullet proof; see for example Mr NerveGas
community would be to REFRAIN from (aka Jonathan Zdziarskis) demo Removing
offering yet another security meeting iPhone 3G[s] Passcode and Encryption,
competing for limited time and travel www.youtube.com/watch?v=5wS3AMbXRLs This
resources. So should we consider merging may be a consideration if you are planning
DDCSW with another meeting? Which one? to use certain types of iPhones for PII or
Should we drop DDCSW entirely? Wed other sensitive data. 53.
appreciate your feedback! (please send it 54Remotely Zapping Compromised Mobile
to joe@internet2.edu) If we do decide to Devices. Strong device passwords and
hold another DDCSW, would you be hardware encryption are primary
interested in attending and presenting at protections against PII getting
it? Or maybe hosting it? 24. compromised, but another potentially
25Thats It For Our Brief Taste of important option is being able to remotely
DDCSW and Overview of A Few Tactical wipe the hardware with a magic kill
Security Topics. Now lets move on and code. Both iPhones and BlackBerry devices
talk a little about some timely big support this option. Important notes: --
picture or strategic security topics. If a device is taken off the air (e.g.,
25. the SIM card has been removed, or the
26Three Strategic Security Topics. While device has been put into a electromagnetic
there are many important strategic isolation bag), a device kill code may not
security topics we could talk about today, be able to be received and processed. --
there are three strategic security Some devices (including BlackBerries)
challenges which have largely received acknowledge receipt and execution of the
short shrift at most of our sites: 4) IPv4 kill code, others may not. -- Pre-3GS
Exhaustion and IPv6 Deployment 5) Security versions of the iPhone may take an hour
of the Doman Name System and DNSSEC, and per 8GB of storage to wipe (3GSs wipe
6) The Security of Mobile Internet Devices instantaneously). 54.
Lets briefly talk about each of those 55Terminating Mobile Device-Equipped
topics. 26. Workers. A reviewer who looked at an
274. IPv4 Runout and IPv6: IPv4 Runout earlier draft of some of these slides
Is Nigh. Only 5% of global IPv4 address pointed out an interesting corner case for
space remains unallocated. The last large remote zapping: -- Zap codes are usually
unallocated IPv4 netblocks (/8s, each transmitted via Exchange Active Sync when
1/256 of the total IPv4 address space) the mobile device connects to the sites
will be allocated by IANA on or about 4 Exchange Server, and the users device
June 2011. The regional Internet authenticates -- HR departments in many
registries (such as ARIN) will begin to high tech companies will routinely kill
exhaust their last IPv4 allocations on or network access and email accounts when an
about 27 January 2012. Neither of those employee is being discharged to prevent
dates are very far from now: 4 Nov 2010 incidents -- If HR gets network access
--> 4 Jun 2011: 212 days 4 Nov 2010 and email access killed before the zap
--> 27 Jan 2012: 1 year, 2 months, 23 code gets collected, the device may not be
days. 27. able to login (and get zapped), leaving
28Preparing for Imminent IPv4 Runout. the now ex-employee with the complete
Between now and then, you should be doing contents of the device See:
three things: 1) If you have legacy IPv4 http://tinyurl.com/zap-then-fire Of
address space, review your records course, complete user level device backups
documenting that allocation (if you have may also exist 55.
any and if you can find them) and decide 56Malware and A/V on the Non-Jailbroken
if youre going to sign the ARIN Legacy iPhone. Because earlier versions of the
Registration Services Agreement. (See iPhone disallowed applications running in
https://www.arin.net/resources/legacy/ ) the background, it was difficult for
2) If you have a legitimate need for traditional antivirus products to be
additional IPv4 address space for any successfully ported to the iPhone. To the
pending projects, request that space NOW. best of my knowledge, your options for
If you wait six months to make that antivirus software on the iPhone are still
request, it may be too late. (Note: I am quite limited, with no offering from
NOT suggesting that you request space you traditional market leaders such as
dont legitimately need PLEASE be Symantec and McAfee at that time. On the
reasonable and responsible) 3) Everyone other hand, since the iPhone used/uses a
should be proceeding with deployment of sandbox-and-cryptographically "signed
IPv6 on the networks and systems they app" model, it was hard for the
operate. 28. iPhone to get infected. Will you allow
29Most Universities Have NOT Deployed users to jail break that security model?
IPv6. Only a few universities have 56.
deployed IPv6 both throughout their 57And If Theres NOT A/V For Mobile
infrastructure AND on all their Devices Some sites may accidentally
public-facing servers. See IPv6 Status adopt an overly broad policy when it
Survey, comes to deploying antivirus, perhaps
http://www.mrp.net/IPv6_Survey.html If decreeing that If it cant run antivirus,
your site isnt listed, you can check it it cant run. As you might expect, I
using the form thats at: believe this is a mistake when there are
http://www.mrp.net/cgi-bin/ipv6-status.cgi compensating controls (such as use of a
Note: this test only checks public signed-app model in the case of the
services for IPv6-accessibility. You iPhone), or cases where the demand for A/V
should also check to see if your on a platform is so minimal theres not
institution has enabled IPv6 throughout even a commercial A/V product available.
your local area network for use by end There are ways to avoid malware besides
user workstations. 29. just running antivirus software! Remember
3030. compensating controls!. 57.
31Weve Intentionally Decided to NOT Do 58What About Jailbroken iPhones?
IPv6. Some universities may be aware of Normally only Apple-approved applications
IPv4 runout, AND may have made an run on the iPhone. However, some users
intentional decision to NOT deploy native have developed hacks (NOT blessed by
IPv6 for their users. You may even be from Apple!) that will allow users to break
one of those universities. If so, I would out of that jail and run whatever
urge you to reconsider that decision. If applications they want. Jailbreaking your
you do NOT deploy native IPv6, your users iPhone violates the license agreement and
will (intentionally or inadvertently) end voids its warranty, but it is estimated
up transparently accessing IPv6 content that 5-10% of all iPhone users have done
via a variety of non-native transition so. Q: Is jailbreaking my iPhone legal?
mechanisms such as Teredo, 6to4, ad hoc A: I am not a lawyer and this is not legal
manually configured tunnels, etc., whether advice, but see: EFF Wins New Legal
you support native IPv6 or not. This will Protections for Video Artists, Cell Phone
ultimately be a mess, and far less secure Jailbreakers, and Unlockers, July 26,
than just biting the bullet and doing 2010,
native IPv6. See IPv6 and the Security of http://www.eff.org/press/archives/2010/07/
Your Network and Systems, 6. 58.
pages.uoregon.edu/joe/i2mm-spring2009/i2mm 59Jailbroken iPhones and Upgrades. When
spring2009.pdf. 31. a jail broken iPhones gets an OS upgrade,
32Large Scale Network Address the jailbreak gets reversed and would
Translation. If you do find yourself typically need to be redone. This may
talking to those who arent planning to cause some users of jail broken iPhones to
add IPv6, and you ask them How will you be reluctant to apply upgrades (even
scale IPv4 addressing post-IPv4 runout? upgrades with critical security patches!),
the most common answer youll hear is that until the newly released version of iOS
they plan to do large scale NAT (you may also gets jailbroken. Thats obviously a
also hear this called carrier grade NAT, security issue and cause for concern. If
although most large scale NAT solutions you do successfully jailbreak your iPhone,
are not really carrier grade). Sites your exposure to malware will increase.
that try large scale NAT will be sharing a 59.
single public IPv4 address across dozens 60Your Should Be Talking About These
or sometimes even hundreds of users. Large Issues. If your user support and security
scale NAT will pose many challenges, and staff arent talking about these sort of
after you think about them a little, we issues at your site, youre likely not
hope that you will reconsider your ready to address the security issues that
decision to go down that road. For will arise in conjunction with mobile
example 32. devices. Id urge you to review the full
33Incident Handling in a Large Scale NAT talk about mobile Internet device security
World. Incident handlers and security that I mentioned on slide 45, and to
staff know that abuse complaints involving initiate local conversations about mobile
dynamic addresses need both the address of Internet device security as soon as you
the problematic host, AND the can reasonably do so. Thats all Ive got
timestamp/time zone when the incident was for you for you today for my part of the
observed in order to be actionable. As security update session. I assume well
large scale NAT becomes more widely hold questions till the end of the
deployed, actionable abuse reports will session. Thanks! 60.
now need to have THREE items: the address
Internet2 Securiy Update: Some Excerpts From the 2nd Data Driven Collaborative Security Workshop and Some Timely Strategic Security Area You Should Be Thinking About.ppt
http://900igr.net/kartinka/anglijskij-jazyk/internet2-securiy-update-some-excerpts-from-the-2nd-data-driven-collaborative-security-workshop-and-some-timely-strategic-security-area-you-should-be-thinking-about-218232.html
c

Internet2 Securiy Update: Some Excerpts From the 2nd Data Driven Collaborative Security Workshop and Some Timely Strategic Security Area You Should Be Thinking About

Internet2 Securiy Update: Some Excerpts From the 2nd Data Driven Collaborative Security Workshop and Some Timely Strategic Security Area You Should Be Thinking About

English for you - ENGLISH FOR YOU. You are welcome! . . . . . EuroTalk.

Data Mining - Data Mining. Data Mining. Data Mining. Data Mining. . Data mining. Data Mining. . ( ) .

The animals - POLAR BEAR. SCORPIO. The animals which live in the polar regions. FLAMINGO. ELEPHANT. The animals which live in the desert. FISH. BISON. LIZARD. The animals which live in the forest. TIGER. FOX. REINDEER. STARFISH. SQUIRREL. KOALA. SEAL. DOLPHIN. WOMBAT. BOBCAT. LION. ZEBRA. SNAKE. PARROT. The ANIMALS of our planet.

The english-speaking countries - Scotland. Australia. USA. Great Britain. Disneyland. The English-speaking countries.

The green movement - The main objective to achieve the decision of global environmental problems, including by attraction to them of attention of the public and the authorities. Several active workers managed to steal up on a raft to a platform and to chain themselves to it. It became the first African who has headed this organization.

About Russia - The money used is the ruble. Some Famous Russians. Where is Russia? What Russian Kids Do. Celebrating Birthdays in Russia. Russia ABCs. Tom Streissguth. Learn More About Russia. Russia: A Portrait of the Country Through Its Festivals and Traditions. The population of Russia is 149,476,000. Petersburg.

11

29
900igr.net > > > Internet2 Securiy Update: Some Excerpts From the 2nd Data Driven Collaborative Security Workshop and Some Timely Strategic Security Area You Should Be Thinking About