[SecurityRatty] tag: stalls

Can Azulstar Make WiMax Work without Buying Spectrum?

Fri, 09 May 2008 06:58:59 +0000

Azulstar once pinned its fortunes on city-wide Wi-Fi, but now looks to a special licensed spectrum band to make WiMax work where Wi-Fi failed: Azulstar has been the also-ran in Wi-Fi for some years, I'll just state bluntly and upfront. They built a network in Grand Haven, Mich., in 2003 that's one of--if not the--longest running metro-scale Wi-Fi networks in the world designed for public access. The mayor of Grand Haven since 2003, Roger Bergman, told me, "I got on board personally right away, and I am still on."

Azulstar soon answered several RFPs and partnered up with major firms to bring Wi-Fi to Rio Rancho, N.M., Winston-Salem, N.C., Sacramento, Calif., and most notably Silicon Valley--a set of dozens of cities along with county government and private enterprise all wanting some kind of tiered Wi-Fi across 1,500 sq mi.

While EarthLink, MetroFi, and even Kite Networks (with their extensive Arizona buildout in Tempe launched a bit before any other large competiting network) seized the headlines, and later made news about their stalls, failures, and exits, Azulstar seemed quietly to sink into the sand. The Wireless Silicon Valley deal fell apart, as did Sacramento after efforts to get stakeholder and outside investment seemed to fail to materialize, and the marquee partners--Cisco, IBM, and Intel--just wouldn't step up to the plate to make the project move forward. Azulstar was the lead techology firm, but the money just didn't come. (Both California projects are moving forward with a different set of partners and expectations now.)

Rio Rancho was perhaps one of the biggest letdowns. City manager Jim Payne explained in an interview a few weeks ago, "They had a number of things that were going against them from the start, and they did make an attempt to meet the requirements of the contract." But Rio Rancho voted to not just terminate the contract after years of attempts to make the network work, but rejected a proposal from Azulstar a few weeks ago to switch over equipment on the poles. Azulstar now has to remove all its devices.

All of this might make the typical company head a bit depressed about his firm's future, and less than sanguine about the potential for wireless broadband to work at all. Not so for Tyler van Houwelingen, Azulstar's chief, and I have to admit that he convinced me that the wireless provider has a fighting chance, due to a good combination of timing, spectrum policy, and a large dollop of can-do spirit.

Software error stalls validation of winning lottery tickets

Wed, 07 May 2008 20:00:00 +0000

A mysterious software bug in 17 lottery machines used by the D.C. Lottery and Charitable Games Control Board in Washington left several dozen winning instant ticket holders unable to immediately cash their prize tickets last week.

What's holding back NAC?

Fri, 21 Mar 2008 22:39:00 +0000

We’ve all been watching some of the pioneering NAC vendors domino down over the past several months. The Lockdown tumble has some questioning the industry again, and as Alan notes, these happenings fuel the fires of NAC’s nay-sayers. (In my opinion, it’s like throwing metal onto open flame… may affect the metal, won’t feed the flame, makes for great steaks).

Chris, an ex-Lockdowner, gives his take on the NAC industry in his recent post-Lockdown blog and I’m in general agreement, but perhaps for different reasons.

I don’t see NAC going away. It definitely has some growing to do, but it will grow and it will be successful. The truth is, NAC has the potential to solve several customer problems and ease a variety of pain points, both for IT and management. If done right (and for the right reasons), it’s both a great technological tool and a business asset.

So, what’s holding back NAC?

Vendors, in a large part, are to blame. Sorry guys, but it’s true. Vendors are causing NAC to be lost in translation, most often because the vendor… a) doesn’t understand the technology themselves (sales reps), b) is erroneously pushing their product as a solution to today’s top issue, c) has overestimated the solution and underestimated the project and d) is ultimately trying to make a sale, and so is willing to squish their round peg into your square hole. (okay, no comments on that one).

Vendors will have to start showing they understand when and where their product fits (and when it doesn’t). Until then, I don’t think they’re going to garner enough trust to walk in the door with a solution and close the deal without the customer first exploring (at length) other options and getting other opinions.

Misinformation. Whether it’s due to vendor misinformation or lack of self-education, what I’ve learned is that most organizations have heard of NAC and have a partial understanding of what it does, and really no idea of how. They’ve heard vendor pitches of the wonder-drug cure-all that will solve guest access, or remote access security, endpoint protection, user accounting, etc but they really don’t understand where the technologies came from, what their purposes are, and which pieces of solutions are standard, and which are proprietary.

When I talk about NAC, I find myself constantly apologizing for the industry. We’ve done a great job telling people why they need NAC, but so far we’ve failed horrendously at educating them as to how it’s all supposed to work. Personally, I revamped all my presentations, tabling the technical dives and replacing them with technology primers.

Terminology Twists. The other hardship I see for organizations is the lack of standard terminology. A lot of vendors out there are touting a NAC product- but what does that really mean? It could mean anything- it could mean endpoint integrity or posture checking, it could mean quarantine automation, it could mean a solution for guest provisioning,or remote access checking. This makes it hard for organizations to parse out the various vendors’ features. Depending on whose Kool-Aid you’re drinking, an ‘enforcer’ could be a software agent, a switch, firewall, or even a computer.

In order for NAC to grow and find wide adoption, I think we’ll have to see some consistency and consensus in wording and terminology. NAC is a big undertaking, and when entering a commitment like that, organizations need to know exactly what they’re getting to have that warm and fuzzy feeling.

Standard Stalls. The ABC users are, for the most part, seeking standards-based solutions. I think we have a great answer to that, and we’re heading down all the right paths with the IEEE and IETF standards, as well as groups like TNC. But, the truth is, the 802.1X and NAC standards are in constant flux… in a good way… but still in flux. Although we have a great framework in place, some folks are waiting for the dust to settle on Planet NAC before committing.

Once the standards (ie new RADIUS attributes) start to solidify and the changes slow down a bit, I think that will add to the feeling of stability that customers are looking for in a NAC solution.

Migration Migraines. Last, but not least… most organizations that want to migrate to NAC just don’t know where to start, or how to proceed. They need help, either from their vendor, or from an integrator. (That’s where my company fits into the NAC picture). I’m actually working on a detailed migration white paper that will be delivered at a conference later this year.

If we (the industry) want to win the business, it’s up to us to hold our customers’ hands and provide a clear strategic and technical migration plan for them.

# # #

Mike R on "DLP"

Wed, 27 Feb 2008 14:04:00 +0000

Mike R makes a good point here when he says that "data leak prevention (DLP) stalls in 2008, continuing to be a solution looking for a problem. " He also predicts that DLP will suffer in the marketplace from "poor man's DLP" or "good enough DLP using other technologies."

I plan to outline just such a plan: poor man's DLP using logs. Yes, it will suck :-), but it will be free, not "$500,000". What can I say, 'Welcome to the world of "good enough technology!"'

Unauthorized access to University of Georgia server affects 4,250

Wed, 09 Jan 2008 12:32:57 +0000

Technorati Tag: Security Breach

Date Reported:
1/9/07

Organization:
University of Georgia

Contractor/Consultant/Branch:
None

Victims:
Current graduate students living in family housing AND former students and applicants.

Number Affected:
4,250

Types of Data:
Names, addresses and Social Security numbers

Breach Description:
Sometime between December 29th and December 31st, 2007 a "hacker" using a computer "with an overseas IP address" was able to access a University of Georgia server used to store confidential personal information belonging to certain current and former university students. 4,250 individuals are affected by this breach.

Reference URL:
Associated Press report on ajc.com
WNEG Channel 32 News

Report Credit:
The Associated Press

Response:
From the online sources cited above:

University of Georgia officials are trying to contact more than 4,000 current, former and perspective residents of a university housing complex after a hacker was able to access a server containing personal information, including Social Security numbers.

The security breach happened sometime between Dec. 29 and Dec. 31

a computer with an overseas IP address was able to access the personal information including Social Security numbers, names and addresses of 540 current graduate students living in graduate family housing and 3,710 former students and applicants
[Evan] These investigations are typically difficult to track to a specific source. We have seen "hackers" use insecure computers overseas as proxies. If a proxy is used in a country that does not cooperate with law enforcement in the United States, then the investigation typically stalls due to the fact that logs and other forensic evidence is not available.

University officials know what country the hacker was operating in, but would not comment on it, UGA spokesman Tom Jackson said.

Workers took the server off-line as soon they discovered the problem.

There was no evidence the hacker used or recorded the information, said Stan Gatewood, UGA's chief information security officer.

"It seemed to be one of those things where the door was opened, but no one walked in," Jackson said. "But still everyone needs to be notified."
[Evan] If "no one walked in", then why is there mention of a "hacker" using "a computer with an overseas IP address"? The two statements don't jive.

But notifying all the affected people could be difficult because many are former students from outside the country, Jackson said.
[Evan] Probably more difficult than it would have been to secure the information in the first place.

Commentary:
If we can't be reasonably certain that the attacker did not access the information, then we are left with the assumption that the attacker did. There is little chance that the university will find out who the attacker is with any certainty. It is easy to be anonymous with the use of proxy servers (bots, open proxies, etc.), especially going through foreign countries.

What was the purpose of storing this information on a server that was accessible through the internet? I also wonder what other controls were placed around access to this server.

This isn't the first time that an "overseas hacker gained access" to University of Georgia confidential information resources (see below). Same "hacker"? Food for thought.

Past Breaches:
February, 2007 - Overseas hacker accesses University of Georgia database