Dennis Fisher

About

Dennis Fisher is a journalist with more than 13 years of experience covering information security.

Microsoft: Rogue security software fastest-growing online threat

Trojan downloaders and malware that masquerades as security software are the two fastest-growing threats on the Web right now, according to an analysis by Microsoft’s Malware Protection Center. In its latest Software Intelligence Report, released on Wednesday, the MMPC found that a Trojan downloader named Renos that installs rogue security software was the most prevalent threat in the second half of 2008, increasing by 66 percent.

How to break Web software

In this Google Tech Talk, Mike Andrews, a security consultant from Foundstone, discusses common techniques for exploiting weak spots in Web applications. (Running time: 1:26)

Mobile viruses hampered by lack of dominant mobile OS

Malware that attacks mobile phones and other handheld devices has been the Next Big Threat for most of the last decade. And much like the Year of PKI, it’s never really materialized. Security experts have postulated that this is mainly because there’s not enough valuable data on these devices to attract the money-motivated attackers. But a new paper, “Understanding the Spreading Patterns of Mobile Phone Viruses,” from a group of scientists shows that the barriers are more likely market saturation and geography.


From Educated Guesswork (Eric Rescorla)

The received wisdom in the security industry is that trying to qualitatively assess the security of a given piece of software is an incredibly difficult task. Some of the sharpest minds in software security–Gary McGraw, Brian Chess and Michael Howard among them–have spent years trying to nail down a framework for this task, with varying degrees of success. Not to worry, though. As Eric Rescorla writes, the government has now joined the fray with a proposal to develop standards for software security.

From Purdue University’s CERIAS

The economic crisis has affected virtually every facet of society, and information security is no exception. In a new report titled Unsecured Economies: Protecting Vital Information, researchers from Purdue University’s CERIAS security center lay out a fairly bleak view of what the tough times have done to corporate IT security.

From The Register (Dan Goodin)

Overlooked design weaknesses in a widely used type of wireless network are seriously jeopardizing the network security of the retailers and manufacturers that rely on them, a security expert has determined.

So-called FHSS, or frequency-hopping spread spectrum, networks are an early form of the 802.11 wireless data standard. Although transmission speeds, at about 2 Mbps, lag far behind more recent 802.11 technologies, they remain widely used by many Fortune 1000 companies, particularly those with large warehouses or factory floors.

From Arbor Networks (Danny McPherson)

The DNS system is one of the key underpinnings of the Internet, but because the system isn’t owned by any one entity, no one is responsible for the security of the entire network. The owner of each DNS server secures it as he sees fit, but as the discussions at the recent Global DNS Security, Stability and Resiliency Symposium showed, there is a clear need for some leadership on DNS security.