Archive for October, 2007
Using Firefox for web security audits
This is a great little article on the various tools/add-ons you can get for Firefox to do web security assessments. In the past I’ve had to hunt for stuff like this myself, so having it all in one list is handy. Here are the tools mentioned in the article:
And the two most popular web security tools, not limited to Firefox: Paros and Burp. If anyone has any comments, or knows of some good add-ons that this list is missing, please post them!
Update: A new Firefox add-on is on the way: ExploitMe.
Cisco disbands security research group
Apparently, Cisco has decided it doesn’t need to invest that much into security research. It has closed the doors on its Critical Infrastructure Assurance Group. CIAG was focused on research in some really critical areas, such as the security of SCADA systems, DNS attacks, VOIP threats, and the Common Vulnerability Scoring System.
Considering how important protecting the nation’s critical infrastructure is, I think shutting down CIAG was the wrong decision. We need all the help we can get to keep our networks secure, and Cisco is a huge part of that process, simply because their products are so widely deployed.
Also, I doubt this move will help reduce the number of vulnerabilities discovered in Cisco hardware.
The Man Who Saved the World by Doing … Nothing
This short article in Wired recalls a story from 1983, when a Soviet military officer helped avert a war with the United States. He was monitoring the ICBM early warning satellite system when it alerted him that the US had launched ballistic missiles at Moscow. Following his gut feeling, he nervously decided that it was just a false alarm, and did not start the retaliation process.
The warning system was by now showing five missile launches in the U.S., headed toward the Soviet Union. The “START” command Petrov was expected to give would have started an irreversible chain reaction in a system geared to launch a counter-strike without human interference.
“The main computer wouldn’t ask me [what to do] - it was made so that it wouldn’t even ask. It was specially constructed in such a way that no one could affect the system’s operations.” All that was up to Petrov was analyzing the available information and either saying the alarm was false or giving the computer the go-ahead, as per the directive he himself wrote.
Since it was, in fact, a false alarm, Petrov can be called a hero. But on the other hand, what good is a system like this if the operator just goes on his gut reaction? The real problem seems to be that he knew how unreliable the early warning system really was, and this lack of trust is what prevented him from acting on the alert.
I can’t help but be reminded of modern-day network intrusion detection systems, except that they can spew out thousands of false alarms a day, especially when they’re not properly configured and tuned. What network security operator would react to an incident based solely on an IDS alert? I doubt any would, not without first manually validating that something actually happened. These systems would be a lot more valuable and efficient if we could trust them.
Big Brother
There is an insightful article in the Economist titled “Learning to live with Big Brother”. It makes some interesting points about the state of government (and commercial) surveillance as it stands today, and how it might evolve over the next several years. Here are some choice quotes that I liked:
Britain used to pride itself on respecting privacy more than most other democracies do. But there is not much objection among Britons as “talking” surveillance cameras, fitted with loudspeakers, are installed, enabling human monitors to shout rebukes at anyone spotted dropping litter, relieving themselves against a wall or engaging in other “anti-social” behaviour.
Ross Anderson, a professor at Cambridge University in Britain, has compared the present situation to a “boiled frog”—which fails to jump out of the saucepan as the water gradually heats. If liberty is eroded slowly, people will get used to it. He added a caveat: it was possible the invasion of privacy would reach a critical mass and prompt a revolt.
