Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos

Information Security News: Hackers to concentrate on moving targets

Hackers to concentrate on moving targets

From: InfoSec News <alerts_at_infosecnews.org>
Date: Tue, 20 May 2008 03:30:51 -0500 (CDT)

http://www.itweek.co.uk/itweek/features/2216974/hackers-concentrate-moving-4001798

By David Neal
IT Week
19 May 2008

In a long and illustrious career in both the public and private sectors,
Howard Schmidt has earned a reputation for being one of the world’s
foremost authorities on computer security.

Schmidt first made a name for himself as an expert in computer crime
while working for the FBI. As head of the Bureau’s Computer Exploitation
Team, he gained recognition as a pioneer in computer forensics and
computer evidence collection. Next he headed up the US Air Force’s
Computer Forensic Lab and Computer Crime and Information Warfare
Division.

His involvement with national security continued with his appointment in
December 2001 as the vice chair of the President’s Critical
Infrastructure Protection Board and as the Special Adviser for
Cyberspace Security for the White House.

Schmidt has also worked in the private sector. He served as chief
information security officer at online auction giant eBay, and as chief
security officer for Microsoft, where his duties included forming and
directing the Trustworthy Computing Security Strategies Group.

Today, Schmidt divides his time between his role as chief executive of
R&H Security Consulting, delivering keynotes and writing. One of his
main messages is that the IT industry has to take more responsibility
for security. “We have a huge dependency on applications these days, and
our expectation is that the suppliers will do more to secure them,” he
said. “Or, you can look at the infrastructure that we use, and ask, ‘Why
don’t the ISPs just block infections, or bad networks?’.”

But while vendors and service providers have a responsibility to provide
security, this does not get users off the hook. “As consumers we have to
do things to be better protected. We have to follow through on the work
being done by the vendors, and the applications,” he said.

Schmidt said he has been impressed by the steps the industry has taken
to combat online threats. “Look at phishing, for example. I have
multiple email accounts, but phishing mails only ever end up in my spam
folder, not my inbox. Should one get through and I click on the link, I
am presented by a warning, and then, should I ignore that, it is likely
that my browser will block my access anyway,” he said.

But the threat landscape is constantly changing, Schmidt warned, with
mobile applications likely to be the next prime target for hackers. “I
don’t carry a laptop around much anymore, but I do carry two mobile
devices. Companies are releasing SDKs for developers to use so there are
lots of mobile applications out there, but this also means that there
are lots of applications for the bad guys to exploit. I don’t know if
the industry has put much focus on protecting them,” Schmidt said.

Another problem he has with mobile devices relates to the increasing
amount of storage they offer. As business users have come to rely on
these devices more and more, so the amount of potentially sensitive data
stored on them has increased. “What do you do about encrypting that?” he
asked. “Very few manufacturers make software protection for mobiles.”

Schmidt believes organisations are far too reliant on patching to secure
their systems ­ a situation that he feels simply cannot be allowed to
continue for much longer. “Patching is frustrating, but as we get better
at secure coding the need to do this will become less. But now, we have
to work in a much more reactive way, applying fixes as and when they are
released. Often it can cost more to run a software solution than it does
to buy it. We need to be looking forward. Looking for ways to prevent
things from happening in the first place, not after they become an
issue,” he said.

Asked whether new regulations such as a breach notification law would
help to improve standards of system security, Schmidt agreed ­ up to a
point. “Breach notifications would be of benefit, but the requirement
must be consistent. In the US, individual states make their own [rules]
and there is a lot of complexity, which makes things difficult to
manage,” he said.

But for Schmidt, the one sure-fire way tominimise online threats is the
adoption of two-factor authentication ­ a form of logging on that
requires both a password and some form of physical token.

“I said two years ago that passwords and logins should have been
declared dead already. People use the same password with their bank and
their email accounts, despite the fact that these may not be as secure
as each other. [If bad guys get hold of a password] they will try them
against all of your accounts,” he said. “If we move away from the
log-in/password method a lot of the low-hanging attacks would be
reduced.”

_______________________________________________
Attend Black Hat USA, August 2-7 in Las Vegas,
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in
a relaxed setting. http://www.blackhat.com
Received on May 20 2008

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]