One of the things you should know is that it's pretty common around the end of October to get pitches from vendors on security topics with a Halloween theme. You can imagine the titles: 'The 10 Scariest Security Flaws,' and so forth. We're not going to do that here today for several reasons. First, I find Halloween terribly boring. Second, I don't like candy, especially chocolate candy, so I'm not tempted by the treats that flow in via FedEx. Third, and most important, no one seems to have decided that a nice Chateau Margaux is an appropriate Halloween treat.
With that in mind, I'm immediately suspicious of press releases that reach me and talk about scary IT topics in a Halloween context. But I sometimes read them because when I cut through all of the bogus spookiness, there might be a kernel of truth. I found one of those in a blog written by Marc Maiffret, CTO of eEye Digital Security. eEye makes products that look for and remediate vulnerabilities on enterprise networks and attached devices, including things like Windows computers which, as we have learned, sometimes have problems with vulnerabilities.
The most frightening thing about Maiffret's blog entry is a photo of eEye employees dressed in Richard Simmons-esque outfits and drinking Jäger. I may have nightmares after that part of his blog. But in reality, the most unsettling part, once you get past the employee photos, is a list of five things that you should stop worrying about and simply address. The list includes security vulnerabilities that eEye told everyone about years ago, and has kept telling everyone about many times since.
The part that makes it most unsettling is the fact that Maiffret isn't the only person who has been saying these things. And the five things he mentions aren't the only security holes we see perpetrated by network administrators who should know better. Steven J. Vaughan-Nichols writes in his blog about the panic caused by a Firefox add-on called 'Firesheep,' which makes it easy for people to sniff passwords and other information from Wi-Fi connections.
As Vaughan-Nichols correctly points out, the only thing that Firesheep does is make the sniffing activity easier to accomplish. It doesn't bring anything new to the table in terms of security. By now virtually everyone who reads this has heard, more than once, the advice that you must secure your wireless network. Open Wi-Fi is an invitation to those who would steal everything visible on your network. If you have an open access point, and your name isn't Starbucks or Panera, then whoever you work for should be giving serious thought to this year's performance review. There is simply no excuse.
There are few excuses for any of these many vulnerabilities to sneak up on a security administrator who is even marginally alert. Yet these vulnerabilities continue to persist. Perhaps it's time to start thinking of hiring a security auditor for your company to see if the person in charge of your security is doing their job. Clearly, education isn't working. Maybe accountability will have a greater effect.