For Windows Vista Security, Microsoft Called in Pros


Microsoft was apparently so concerned about Windows Vista passing the test of IT security, and being useful in as many applications as possible, that it called in probably the most proficient group of professionals it could find: the National Security Agency (NSA). Microsoft wanted Vista to meet Department of Defense (DoD) and federal standards for IT security, so it enlisted the NSA’s help to make sure that Vista would be up to the challenge. Whether or not Vista really is significantly more secure, or secure enough to meet DoD standards, is a different issue entirely, but it’s likely as secure as it’s going to get, considering that the bulk of security-related issues come from lapses in network security, patching, user education, or security policy.

Regardless, it’s rather impressive that Microsoft went to the effort of getting the help of America’s codewriters and codebreakers to help fortify its technology:

“Our intention is to help everyone with security,” Tony W. Sager, the NSA’s chief of vulnerability analysis and operations group, said yesterday.

The NSA’s impact may be felt widely. Windows commands more than 90 percent of the worldwide market share in desktop operating systems, and Vista, which is set to be released to consumers Jan. 30, is expected to be used by more than 600 million computer users by 2010, according to Al Gillen, an analyst at market research firm International Data.

Microsoft has not promoted the NSA’s contributions, mentioning on its Web site the agency’s role only at the end of its “Windows Vista Security Guide,” which states that the “guide is not intended for home users” but for information and security specialists.

The Redmond, Wash., software maker declined to be specific about the contributions the NSA made to secure the Windows operating system.

The NSA also declined to be specific but said it used two groups — a “red team” and a “blue team” — to test Vista’s security. The red team, for instance, posed as “the determined, technically competent adversary” to disrupt, corrupt or steal information. “They pretend to be bad guys,” Sager said. The blue team helped Defense Department system administrators with Vista’s configuration.

Red teams and blue teams are nothing new to anyone who knows much about penetration testing, white-hat hacking, and security auditing and testing. The red team is the “adversary” or the “enemy,” the black-hat hacker or team of crackers looking to intrude on your network and collect information from your systems and networks. The blue team can be the responding team, the team that does the analysis once the red team has done its work, or something as innocuous as the tech support folks who help set up and configure the network for the penetration test. The red team is where the action is.

It’s rather amusing that both parties are eager to discuss the fact that they helped the other, but neither is willing to discuss exactly how. Ah well, secrets will be secrets, I suppose.

[ For Windows Vista Security, Microsoft Called in Pros ]


2006: The Year in Security


PC World’s security report for the year highlights some of the biggest threats to personal and network security we saw online this year, including new kinds of spam engineered to evade common filters, more phishing attacks, and crackers extorting site owners and companies by holding their data or websites for ransom. Among the most worrying issues this year were the increasingly professional nature and complexity of the attacks against corporate and business targets, more and more phishing and the beginnings of business attempts to combat it, and more new spam, an issue that many technology analysts were already calling a fixed problem.

In the analysis, PC World looks at five of those top threats in more detail, from profitable cybercrime all the way to the perils of Windows Vista.

[ PC World :: 2006: The Year in Security ]


Humans Called Weak Link in Tech Security


There’s nothing new about this, but in the end, human beings really are the weak link when it comes to keeping sensitive information safe online. When it comes to protecting critical information, most people are both horribly naive and admirably trusting of the source of a phishing expedition. For example:

That’s what the U.S. Military Academy at West Point did in 2004 to a group of 512 cadets, selected at random for a test called the Carronade. The cadets were sent a bogus e-mail that looked like it came from a fictional colonel named Robert Melville, who claimed to be with the academy’s Office of the Commandant (the real Robert Melville helped invent a short-range naval cannon called the Carronade nearly 250 years ago).

“There was a problem with your last grade report,” Melville wrote, before telling the cadets to click on a Web page and “follow the instructions to make sure your information is correct.”

More than 80 percent of the cadets clicked on the link, according to a report on the experiment.

Worse still, even after hours of computer security instruction, 90 percent of freshmen cadets still clicked on the link.

Ouch. That’s pretty bad. Still, phishing attacks are hard to prevent, and can be carried out easily with even the slightest bit of information about the target. The article discusses several attempts to protect people from themselves, and where application developers like Microsoft and others have to catch up in making their products safer and giving users the kind of information they can use to tell whether someone is out to trick them.

[ Humans Called Weak Link in Tech Security ]


Symantec’s OS X Spyware Prediction in Flames


Over at ZDNet Australia, blogger Munir Kotadia points out that Symantec predicted 18 months ago, in its last Internet Threat Report, that by this time Mac OS X would be riddled with spyware, viruses, and security threats. Symantec quietly released its most recent report this week; it made absolutely no mention of Mac OS X or any security threats to the operating system, and Symantec later quietly admitted that the prediction was wrong and that in the past 18 months there have been no viable, serious security threats to Mac OS X. Mac users can breathe a sigh of relief, but should still and always be on guard for new security threats, and for the kind to which no operating system is immune: the kind that target the user through social engineering like phishing and password stealing.

Kotadia points out that his query to Symantec to get them to own up to their botched prediction was misconstrued by Apple fanatics at MacDailyNews [ http://macdailynews.com/ ] as disappointment that Symantec didn’t include Mac OS X in their threat report, which is a sad, sad thing. It’s good news for Mac users, but the fanboy reaction isn’t warranted, and I think Kotadia settles the matter rightly. Still, it’s big news that even as many security analysts predicted that OS X would be the next big target on the horizon, it just hasn’t happened yet.

[ ZDNet Australia :: Symantec's OS X Spyware Prediction in Flames ]


HP Chairman to Step Down Amid Scandal


HP announced that its chairwoman, Patricia Dunn, will resign her position as chair of HP’s board to smooth over the scandal that has embroiled the company for the past several weeks. The scandal started when someone at HP, presumably someone on the board, leaked sensitive company information to the press. In order to find out exactly what was said and to whom, a technique called “pretexting” was used to obtain the phone records of the reporters who published the information, and the phone records of several people on HP’s board.

“Pretexting” is a technique that uses some easily obtainable personal information, let’s say the last four digits of a social security number and a spouse’s last name (both of which were allegedly used in this situation), to obtain a great deal of personal information by pretending you’re the person the information is about. Here’s how it works: I have the last four digits of your social security number, and I have your address, which is easily available from the phone book, say. I call your phone company and pretend to be you. For security purposes, they ask me to verify your address, which I got from the phone book, and the last four digits of your social security number, which I happen to have. With this information, I’ve opened the floodgates of personal and private information, including calling records, billing information, and more: I can find out who you called and who called you as far back as the phone company cares to tell me. This is the process that privately hired investigators used to obtain the calling information of board members at HP and the reporters involved.

The problem with this process is that it’s illegal: it counts as “deceptive trade practices,” which is explicitly illegal, and it reeks of identity theft. When identity thieves do it, they do it to pretend they’re you and take your money, and this situation, although it involved no financial theft, is no better. Additionally, federal authorities are poking their noses around this story to see if any additional laws have been broken. The investigation and subsequent press storm have been much, much worse for HP than the actual scandal was; as a result, the chairwoman on whose watch this all took place, Patricia Dunn, has been forced to step down, although she’ll retain a seat on the board; she just won’t be chair any longer. HP CEO and President Mark Hurd will take her place, but the investigations go on.

[ PC World :: HP Chairman to Step Down Amid Scandal ]


The Plot to Hijack Your Computer


BusinessWeek, of all places, has an excellent exposé of spam and spyware king Direct Revenue, one of the pioneering companies to design software that would monitor what you do on your computer and where you go on the internet and call home to report your behavior to advertisers and other companies, and one of the first companies to start collecting and processing personal data on internet users in order to send them spam and unsolicited email. Direct Revenue claims no wrongdoing in any case, but has suffered significantly in the wake of both complaints from spyware victims and a lawsuit filed in April by New York Attorney General Eliot Spitzer.

The story goes behind the scenes of Direct Revenue’s plan to hijack, monitor, and use the computers of people like you and me; the rise of the company and the clamoring of many companies and clients to obtain and use the kinds of information that Direct Revenue promised them; the successes of the company; and its eventual downfall as the company and its behavior came into public light and the company and its employees were summarily eviscerated, verbally and legally, by bloggers, pundits, reporters, victims, and anyone else who had something to say about their behavior. From pop-up ads to spam to spyware, the article uncovers the plot to hijack YOUR computer, obtain YOUR personal and nonpersonal information, and sell it for profit.

[ BusinessWeek Online :: The Plot to Hijack Your Computer ]


Insecure.org’s 2006 Top 100 Network Security Tools


Insecure.org [ http://www.insecure.org/ ] has published its 2006 list of the top 100 network security tools, its first since 2003. Among the winners are expected high-profile (and high-powered) tools like Nessus, Snort, tcpdump, and Ettercap, to name a very small few. Considered by many security fans and community members to be the definitive list of tools for anything and everything network-security related, the Insecure.org list includes tools both commercial and free, open-source and proprietary, running on Windows, Mac OS, Linux, BSD and other variants. Each tool is labeled with where it runs natively, whether it has a point-and-click GUI or runs entirely at the command line, and whether it costs money or is free to download and use.

By the by, the Nmap Security Scanner itself wasn’t counted because, according to Insecure.org, the poll was taken on an Nmap mailing list, so no fair there. Anyway, if you’re looking for tools to help secure your network, whether it’s your home network with only a few computers, or a corporate network with 10, 50, or 1000 users that you help keep locked down, this list is a valuable resource.

[ Sectools.org :: Insecure.org's 2006 Top 100 Network Security Tools ]


AT&T Rewrites Rules: Your Data Isn’t Yours

(image courtesy of the Electronic Frontier Foundation)

Wow. Not only did AT&T (now the megacompany that includes SBC and Bell South and what was AT&T) collaborate freely and without court order with the NSA’s spying program of eavesdropping on both the phone calls and possibly the internet traffic and activity of American citizens, but now they’ve changed their own privacy rules to get around that whole “confidential information” and “personal privacy” thing. I know, I know, it’s pretty pesky from AT&T’s standpoint, so why not just get around it entirely by saying that AT&T owns your personal and confidential data, not you, and they can use it for whatever they choose?

No, I’m not kidding. From today’s SFGate:

AT&T has issued an updated privacy policy that takes effect Friday. The changes are significant because they appear to give the telecom giant more latitude when it comes to sharing customers’ personal data with government officials.

The new policy says that AT&T — not customers — owns customers’ confidential info and can use it “to protect its legitimate business interests, safeguard others, or respond to legal process.”

The policy also indicates that AT&T will track the viewing habits of customers of its new video service — something that cable and satellite providers are prohibited from doing.

Moreover, AT&T (formerly known as SBC) is requiring customers to agree to its updated privacy policy as a condition for service — a new move that legal experts say will reduce customers’ recourse for any future data sharing with government authorities or others.

Amazing. I’m sure the lawsuits will flow over this one, but in the time it takes for them to run their course, AT&T is essentially being allowed to do whatever it chooses with whatever data it can get from its customers, without any promise of privacy, security, or confidentiality: a new low for any American company, much less a company as large and massive as AT&T.

[ SFGate :: AT&T Rewrites Rules: Your Data Isn't Yours ]


14-Year-Old Sues MySpace Over Sexual Assault

(image courtesy of CNN)

A 14-year-old girl, who was allegedly sexually assaulted by a 19-year-old who lied in his MySpace profile to gain her trust, has filed a lawsuit against MySpace for failing to take sufficient steps to protect its underage members from sexual predators and those who browse MySpace profiles looking for someone to con, kidnap, or assault. The article itself is pretty short, essentially a statement from the girl’s lawyer and the subsequent response from MySpace, but this is one of those situations where both of them are absolutely right.

MySpace doesn’t do nearly enough to protect its members, especially its underage members who likely don’t know any better, but at the same time, MySpace is right that safety online is a shared responsibility. MySpace can’t be expected to police the profiles of its members in the stead of parents, who should talk to their children about the people they speak to on the internet and about being safe online, and take steps to be a part of and monitor their child’s internet usage and habits: putting the family or kids’ computer in an open area like a living room, den, or office where the parent can supervise them, teaching kids limits on internet usage and access, and, for crying out loud, not buying them a webcam.

MySpace claims that no one under 13 is allowed to join the site, something easily falsified with a click of a drop-down menu (I mean honestly, people can just lie about their age), but beyond that, I’ve seen very few protections and warnings to children and teens and, well, anyone else for that matter, about the dangers of mingling with questionable folks on the internet, how to be responsible when talking to someone you don’t know, or even how to be responsible if you’d like to meet them.

At the same time, while I think that in most cases safety on the net is the responsibility of the user to stay informed and develop and practice safe online habits, I think this lawsuit has legs; it’s about time MySpace took this seriously, before someone else is killed or sexually assaulted by someone they met on MySpace. MySpace is obviously the shopping ground of choice for all manner of deranged and sick criminals and sexual predators, and it’s about time MySpace did something about it. If it takes a lawsuit to help MySpace urge its users into getting better informed and practicing safe habits, then so be it; AOL had to go through the same growing pains.

[ CNN :: Teen Sues MySpace Alleging Sexual Assault ]

In better news however, the New York Times reports that MySpace is planning such security enhancements, and will be adding them soon.

[ New York Times :: MySpace to Add Restrictions to Protect Younger Teenagers ]


How to Encrypt Your Email


Looking to make sure your emails are protected from prying eyes, whether those eyes be government “data miners” or just anyone who might be spoofing your identity and looking for juicy information with which to open a credit card in your name? Or maybe you’re just one of those folks who doesn’t want strange eyes (like your boss) reading the tasty messages you and your significant other send back and forth to each other? Well then, this Lifehacker [ http://www.lifehacker.com/ ] special is for you! Okay, okay, I haven’t really sold you on it, but try this scenario, put forth in the article, on for size:

Sam wants to send Jane a secret email love letter that he doesn’t want Joe, Jane’s jealous downstairs neighbor who piggybacks her wifi, to see. Jane uses PGP, which means she has a PUBLIC key (which is basically a bunch of letters and numbers) which she’s published on her web site for anyone who wants to send her encrypted email messages to use. Jane’s also got a PRIVATE key which no one else – including Joe the Jealous Wifi Piggybacker – has.

So Sam looks up Jane’s public key. He composes his ardent profession of love, encrypts it with that public key, and sends Jane his message. In sending, copies of that message are made on Sam’s email server and Jane’s email server – but that message looks like a bunch of garbled nonsense. Joe the Jealous Wifi Piggybacker shakes his fist in frustration when he sniffs Jane’s email for any hint of a chance between them. He can’t read Sam’s missive.

However, when Jane receives the message in Thunderbird, her private key decrypts it. When it does, she can read all about Sam’s true feelings in (pretty good) privacy.

You too can get PGP set up in a few simple steps.

And they’re right, too! The special takes you through the process of obtaining PGP, which stands for Pretty Good Privacy [ http://en.wikipedia.org/wiki/PGP ], and setting it up in Mozilla Thunderbird [ http://www.mozilla.com/thunderbird/ ], one of the hottest mail clients on the block. I, for one, had always wanted to configure my email to be as secure at home as we keep it at the office, but never really knew a great way to do it, and then this how-to comes along. Thanks, Lifehacker!

[ Lifehacker :: How to Encrypt Your Email ]
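To make the Sam, Jane and Joe scenario concrete, here is an added example (not from the Lifehacker how-to, and not PGP or GnuPG code) that models the public/private key step in plain Python: anyone holding Jane’s public key can encrypt, the copies on both mail servers are ciphertext to Joe, and only Jane’s private key recovers the text. It uses textbook RSA with small, constructed keys and no padding as a teaching model; real PGP wraps a random session key and a symmetric cipher around padded asymmetric encryption.

```python
"""Toy model of the Sam/Jane/Joe scenario: anyone can encrypt to Jane's PUBLIC key,
only her PRIVATE key decrypts. Textbook RSA, no padding: a constructed teaching model."""
import random
import secrets

def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test; `rounds` random bases, probabilistic."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a witness of compositeness was found
    return True

def _random_prime(bits: int) -> int:
    """Random odd prime with exactly `bits` bits (top bit and low bit set)."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits: int = 256):
    """Return (public, private) as ((e, n), (d, n)) for a `bits`-bit modulus."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e must be invertible mod phi
            return (e, p * q), (pow(e, -1, phi), p * q)

def encrypt(public_key, message: bytes) -> int:
    """Anyone holding the PUBLIC key can do this (Sam, Joe, the mail servers)."""
    e, n = public_key
    m = int.from_bytes(message, "big")
    if not 0 < m < n or message[:1] == b"\x00":
        raise ValueError("message must fit below the modulus, no leading NUL")
    return pow(m, e, n)

def decrypt(private_key, ciphertext: int) -> bytes:
    """Only the matching PRIVATE key turns the ciphertext back into text."""
    d, n = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def deliver(sam_message: bytes) -> dict:
    """Replay the scenario and return what each party ends up holding."""
    jane_public, jane_private = generate_keypair()
    server_copy = encrypt(jane_public, sam_message)  # stored by both mail servers
    _, joe_private = generate_keypair()              # Joe's own key, not Jane's
    return {"server_copy": server_copy,              # garbled to any wifi sniffer
            "joe_attempt": decrypt(joe_private, server_copy),
            "jane_reads": decrypt(jane_private, server_copy)}
```

Calling `deliver(b"Sam: I love you, Jane")` shows Jane reading the original text while Joe’s attempt with his own key yields bytes that bear no relation to it.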

