Tuesday, December 22, 2009

President Obama Introduces the Nation's New Cyber Security Czar: Howard Schmidt

Today President Obama introduced the nation's new Cyber Czar, Howard Schmidt. This appointment is in line with President Obama's commitment to protect the nation's critical cyber infrastructure as well as national security objectives.

Howard Schmidt is a leading authority on Information Security with over 40 years of experience in government, business and law enforcement.

[Photo: President Obama & White House Cyber Security Chief Howard Schmidt. Caption: Howard Schmidt appointed White House cybersecurity coordinator]

His Qualifications:
  • Chief Security Officer for eBay
  • Chief Security Officer for Microsoft
  • Chief Security Strategist for CERT.org
  • U.S. Military
  • Police Officer
  • FBI
  • Appointed by President Bush in 2001 as Vice Chair of the Critical Infrastructure Board and as special advisor for Cyberspace Security for the White House.
  • Howard Schmidt is also a CISSP and CISM.
  • Professor at Georgia Tech
  • Adjunct Distinguished Fellow at Carnegie Mellon
  • Distinguished Fellow at Ponemon Institute
  • Professor of Research Idaho State
  • President of the Information Security Forum.
His New Responsibilities:

Howard will be responsible for coordinating the cyber security initiatives set forth by the White House. Additionally, he will have regular access to President Obama and will be a key member of the President's National Security Staff.

In His Own Words:

President Obama's 10 Point Cyber Security Plan
For more see: http://www.bankinfosecurity.com/articles.php?art_id=1503
In May 2009, President Obama laid out the following 10-point cyber security plan. The appointment of Howard Schmidt lets him check off another initiative of the plan (the first item below).

In his White House speech, Obama said he plans to:

  1. Appoint a cybersecurity policy official responsible for coordinating the nation's cybersecurity policies and activities; establish a strong National Security Council directorate, under the direction of the cybersecurity policy official dual-hatted to the NSC and the National Economic Council, to coordinate interagency development of cybersecurity-related strategy and policy.
  2. Sign off on an updated national strategy to secure the information and communications infrastructure. This strategy should include continued evaluation of Comprehensive National Cybersecurity Initiative activities and, where appropriate, build on its successes.
  3. Designate cybersecurity as one of his key management priorities and establish performance metrics.
  4. Designate a privacy and civil liberties official to the NSC cybersecurity directorate.
  5. Convene appropriate interagency mechanisms to conduct interagency-cleared legal analyses of priority cybersecurity-related issues identified during the policy-development process and formulate coherent unified policy guidance that clarifies roles, responsibilities, and the application of agency authorities for cybersecurity-related activities across the federal government.
  6. Initiate a national public awareness and education campaign to promote cybersecurity.
  7. Develop U.S. Government positions for an international cybersecurity policy framework and strengthen our international partnerships to create initiatives that address the full range of activities, policies, and opportunities associated with cybersecurity.
  8. Prepare a cybersecurity incident response plan; initiate a dialog to enhance public-private partnerships with an eye toward streamlining, aligning, and providing resources to optimize their contribution and engagement.
  9. In collaboration with other Executive Office of the President entities, develop a framework for research and development strategies that focus on game-changing technologies that have the potential to enhance the security, reliability, resilience, and trustworthiness of digital infrastructure; provide the research community access to event data to facilitate developing tools, testing theories, and identifying workable solutions.
  10. Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the nation.

"The task I have described will not be easy," Obama said. "Some 1.5 billion people around the world are already online, and more are logging on every day. Groups and governments are sharpening their cyber capabilities. Protecting our prosperity and security in this globalized world is going to be a long, difficult struggle demanding patience and persistence over many years.

"But we need to remember: We're only at the beginning. The epochs of history are long - the Agricultural Revolution; the Industrial Revolution. By comparison, our Information Age is still in its infancy. We're only at Web 2.0. Now our virtual world is going viral. And we've only just begun to explore the next generation of technologies that will transform our lives in ways we can't even begin to imagine."

My Thoughts:

I am glad to see someone with the extensive 40-year background that Howard Schmidt has; just maybe more people will start to take IT security issues a bit more seriously. I wish him the best of luck.



Thursday, December 17, 2009

BDPA Supports S.T.E.M Initiatives

I think these commercials are so cool! Kudos to Time Warner for their Connect a Million Minds education campaign. The BDPA focuses on STEM education.

Support STEM Initiatives:

  • Science
  • Technology
  • Engineering
  • Mathematics

Tuesday, December 15, 2009

My Take5! Interview with BETF Education Foundation

I would like to share with my blog followers my recent Take5! interview with BETF Education Foundation Executive Director, Wayne Hicks. Please consider giving to the BETF to support our causes to narrow the "Digital Divide", and consider becoming a member of the BDPA - Information Technology Thought Leaders!



I must admit that I'm excited to see the future evolution of the BDPA chapter in Charlotte, NC. The chapter is about to be energized by the youthful intensity and integrity of the incoming president --
Julius Clark

...Julius is part of the new generation of African American leadership that is beginning to take control of our BDPA chapters around the nation.

Julius participated in our Take Five interview series:

  1. How did you get involved in working with BDPA? - I am a native of Boston and first heard of BDPA while living there, but I never had the opportunity to attend a meeting. I built a good IT employment network in Boston and after moving to Charlotte in 1999 it was very important for me to establish my employment network in this city. In 2000 I discovered that BDPA had a Charlotte chapter. I attended my first BDPA Charlotte meeting and was delighted to be in the company of African American brothers and sisters who all shared a passion for Information Technology like I did. Being new to Charlotte I made sure I attended every monthly meeting. At that time Archie Lucy was president. He followed up with me each month after I had attended a few meetings, which made me feel very connected with the local BDPA organization. The board asked if I would like to talk to Johnson C. Smith College students about the Information Technology profession, and soon after that they asked me to become Coordinator for our High School Computer Competition program.
  2. What is the most rewarding aspect of working with BDPA? - Being able to help introduce high school students to the Information Technology field and mentoring adults in the field is the most rewarding. Since I graduated from high school, I always wanted to give back to the African American community in a huge way. The BDPA allows me to give back to my community with something I love; technology!
  3. Tell us about a defining moment in your life? - One defining life moment was when I received my BS in Electronic Engineering, with both of my parents in the audience; I was the first person in my family to earn a college degree.
  4. Who is your hero and why? - Besides my parents, Malcolm X became my hero. After reading The Autobiography of Malcolm X by Alex Haley at the age of 21, my perspective on my life and community changed. It's like a light switch got turned on in my thinking and I instantly knew how to be a strong Black leader for my community.
  5. Any advice for people considering donation to BETF? - My advice is to give what you can afford, and just don’t allow it to only be monetary-- get involved with your local BDPA Chapter or the BETF and donate Thought Leadership to make it more personal and share your experience and excitement about our cause with others.

Julius is taking over a chapter that is the 15th largest in the nation. I suspect his leadership team will have BDPA Charlotte chapter in the Top 10 before long! What say u?

Wayne Hicks
BETF, Executive Director

Friday, December 4, 2009

Mac Security: How to Harden the Mac Operating System

Mac Security Recommendations

After my previous two blog postings, about Macs having the most security vulnerabilities and Windows 7 being more secure than Apple's Snow Leopard, I received requests for advice on how to secure the operating system. I compiled the recommended security information below to help individuals harden their Mac OS to the level of security their needs call for.

First, you must understand why we safeguard the operating system and where to find information on the most severe and common computer risks. Once you are aware of the risks associated with your information technology, you harden the system to fit your needs.

SANS Top 20 Internet Security Problems, Threats and Risks
The SANS Top 20 Internet Security Problems, Threats and Risks lists the top 20 classes of security vulnerabilities across a wide array of information technology platforms.

Make yourself familiar with the vulnerabilities in the SANS Top 20. It describes each class of vulnerability and the mitigating controls for the most widely used information technology.
For more go to: http://www.sans.org/top20/

Vulnerability Categories:

Server-side Vulnerabilities in:
  • S1. Web Applications
  • S2. Windows Services
  • S3. Unix and Mac OS Services
  • S4. Backup Software
  • S5. Anti-virus Software
  • S6. Management Servers
  • S7. Database Software

Security Policy and Personnel:
  • H1. Excessive User Rights and Unauthorized Devices
  • H2. Phishing/Spear Phishing

Application Abuse:
  • A1. Instant Messaging
  • A2. Peer-to-Peer Programs

Network Devices:
  • N1. VoIP Servers and Phones

Zero Day Attacks:
  • Z1. Zero Day Attacks

Client-side Vulnerabilities in:
  • C1. Web Browsers
  • C2. Office Software
  • C3. Email Clients
  • C4. Media Players
The S3 section, "Unix and Mac OS Services", addresses the countermeasures that safeguard the Mac OS.

S3. Section - UNIX/Mac OS Services

S3.1 Description

Most Unix/Linux systems include multiple standard services in their default installation. Mac OS X often suffers from the same vulnerabilities as Unix systems, since it is based on Unix. Unnecessary services should be disabled, and all servers facing open networks should be protected by a firewall.

For services which provide remote login and/or remote service, traffic cannot be simply blocked by firewalls. Buffer overflow vulnerabilities and flaws in authentication functions can often allow a vector for arbitrary code execution, sometimes with administrative privileges, so gathering vulnerability information and patching rapidly are very important. Every year, buffer overflow vulnerabilities in Unix/Linux services are found.

These services, even if fully patched, can be the cause of unintended compromises. Brute-force attacks against remote services such as SSH, FTP, and telnet are still the most common form of attack used to compromise servers facing the Internet. Over the last couple of years a concerted effort has been made by attackers to recover passwords used by these applications via brute-force attacks. Increasingly, worms and bots have brute-force password engines built into them. Systems with weak passwords for user accounts are actively and routinely compromised; often privilege escalations are used to gain further privileges, and rootkits are installed to hide the compromise. It is important to remember that brute forcing passwords can be used as a technique to compromise even a fully patched system.
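The brute-force pattern the SANS text describes is visible in the sshd log before anything else is. The script below is an added example, not from the SANS document or the original post: it reads the authentication messages OpenSSH's sshd sends to syslog (secure.log on Mac OS X 10.5/10.6, auth.log on most Linux hosts), flags every source address that fails `threshold` logins inside `window_seconds`, and lists any login that source later succeeded at, which is the line that turns a noisy scan into an incident. The log lines are constructed for the example; the year is assumed because syslog timestamps do not carry one.

```python
"""Flag SSH password-guessing sources in sshd log lines.

Added example, not from the SANS text or the original post. The sample
log lines are constructed; the message formats are the ones OpenSSH's
sshd writes via syslog.
"""
import re
from collections import defaultdict
from datetime import datetime

_PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
_FAILED = re.compile(
    _PREFIX + r"Failed (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)
_ACCEPTED = re.compile(
    _PREFIX + r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample: one source guesses six passwords in eight seconds and
# then gets in; a second source fails twice; a third logs in with a key.
SAMPLE_LOG = """\
Dec  4 10:15:01 macbook sshd[501]: Failed password for root from 203.0.113.5 port 51234 ssh2
Dec  4 10:15:02 macbook sshd[502]: Failed password for root from 203.0.113.5 port 51235 ssh2
Dec  4 10:15:04 macbook sshd[503]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Dec  4 10:15:05 macbook sshd[504]: Failed password for invalid user test from 203.0.113.5 port 51237 ssh2
Dec  4 10:15:07 macbook sshd[505]: Failed password for invalid user admin from 203.0.113.5 port 51238 ssh2
Dec  4 10:15:09 macbook sshd[506]: Failed password for root from 203.0.113.5 port 51239 ssh2
Dec  4 10:15:12 macbook sshd[507]: Accepted password for root from 203.0.113.5 port 51240 ssh2
Dec  4 10:20:30 macbook sshd[508]: Failed password for bob from 198.51.100.7 port 40001 ssh2
Dec  4 10:20:45 macbook sshd[509]: Accepted publickey for alice from 192.0.2.10 port 40002 ssh2
Dec  4 10:21:00 macbook sshd[510]: Failed password for bob from 198.51.100.7 port 40003 ssh2
"""


def _parse_ts(ts, year=2009):
    # syslog timestamps carry no year; one is assumed so the window arithmetic works
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_brute_force(lines, threshold=5, window_seconds=600):
    """Return {ip: {"failures", "users", "later_success"}} for bursty sources.

    A source is flagged when any `window_seconds` span holds at least
    `threshold` failures. "users" shows whether one account is being
    hammered or many are being sprayed; "later_success" lists (user, method)
    for logins accepted from that source after the burst ended.
    """
    failures = defaultdict(list)   # ip -> [(time, user)]
    successes = defaultdict(list)  # ip -> [(time, user, method)]
    for line in lines:
        m = _FAILED.match(line)
        if m:
            failures[m["ip"]].append((_parse_ts(m["ts"]), m["user"]))
            continue
        m = _ACCEPTED.match(line)
        if m:
            successes[m["ip"]].append((_parse_ts(m["ts"]), m["user"], m["method"]))

    report = {}
    for ip, events in failures.items():
        events.sort()
        times = [t for t, _ in events]
        burst_end = None
        for i, start in enumerate(times):           # sliding window over sorted failures
            j = i
            while j < len(times) and (times[j] - start).total_seconds() <= window_seconds:
                j += 1
            if j - i >= threshold:
                burst_end = times[j - 1]
                break
        if burst_end is None:
            continue
        report[ip] = {
            "failures": len(events),
            "users": sorted({user for _, user in events}),
            "later_success": [(user, method) for t, user, method in successes[ip]
                              if t >= burst_end],
        }
    return report


if __name__ == "__main__":
    for ip, info in find_brute_force(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

On the sample, only 203.0.113.5 is reported: six failures across three usernames followed by an accepted password login for root, which is the combination that should page someone. The two failures from 198.51.100.7 stay below the threshold, and the key-based login from 192.0.2.10 is what the hardening advice that follows aims for.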

Security-conscious administrators should use SSH or another encrypted protocol as their method of interactive remote access. If the version of SSH is current and it is fully patched, the service is generally assumed to be safe. However, regardless of whether it is up to date and patched, SSH can still be compromised via brute-force password-guessing attacks. Use the public key authentication mechanism for SSH to thwart such attacks. For the other interactive services, audit passwords to ensure they are of sufficient complexity to resist a brute-force attack.
Minimizing the number of running services on a host will also make it more secure. Many services have been used to further exploits.
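The SSH advice above (key-based authentication, no guessable passwords) lives in a handful of sshd_config keywords, and sshd resolves that file in a way that trips people up: the first value it sees for a keyword wins, so a "fix" appended at the bottom of the file does nothing. The audit below is an added example, not from the SANS document or the original post. It parses the file the way sshd does and reports every global setting that deviates from a hardened baseline. The defaults it falls back on when a keyword is absent are the OpenSSH 5.x-era ones and are stated as an assumption (check `man sshd_config` for your version); the file lives at /etc/sshd_config on Mac OS X of this era and /etc/ssh/sshd_config on Linux. Both sample configurations are constructed.

```python
"""Audit an sshd_config for settings that leave a host open to password guessing.

Added example, not from the SANS text or the original post. DEFAULTS are the
assumed OpenSSH 5.x-era values; both sample configurations are constructed.
"""

# Value sshd uses when the keyword is absent (assumed OpenSSH 5.x defaults).
DEFAULTS = {
    "protocol": "2,1",
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
}

# Hardened value and the reason it matters against brute-force attacks.
EXPECTED = {
    "protocol": ("2", "SSH-1 has known cryptographic weaknesses"),
    "permitrootlogin": ("no", "root is the first account every guessing tool tries"),
    "passwordauthentication": ("no", "a key pair cannot be guessed the way a password can"),
    "challengeresponseauthentication": ("no", "keyboard-interactive still lets PAM accept a password"),
    "pubkeyauthentication": ("yes", "the replacement for passwords must actually be enabled"),
}

WEAK_CONFIG = """\
# constructed: shipped defaults plus a "just make it work" edit
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no    # has no effect: sshd keeps the first value it sees
MaxAuthTries 20
"""

HARDENED_CONFIG = """\
# constructed: what the advice above looks like in the file
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
MaxAuthTries 3
"""


def effective_settings(text):
    """Resolve the global settings the way sshd does.

    Keywords are case-insensitive, the FIRST value seen for a keyword wins
    (a later "fix" lower in the file is silently ignored), and everything
    after a Match line is conditional, so the global scan stops there.
    """
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in seen:
            seen[key] = parts[1].strip()
    settings = dict(DEFAULTS)
    settings.update(seen)
    return settings


def audit_sshd_config(text):
    """Return (keyword, effective, wanted, reason) for every deviation from EXPECTED."""
    settings = effective_settings(text)
    findings = []
    for key, (want, why) in EXPECTED.items():
        have = settings.get(key, "")
        if have.lower() != want:
            findings.append((key, have, want, why))
    # MaxAuthTries is numeric: raising it hands the attacker more guesses per TCP connection.
    try:
        tries = int(settings["maxauthtries"])
    except ValueError:
        tries = None
    if tries is None or tries > 6:
        findings.append(("maxauthtries", settings["maxauthtries"], "6 or lower",
                         "caps guesses per connection before sshd disconnects"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_sshd_config(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for key, have, want, why in findings:
            print(f"  {key}: is {have!r}, want {want!r} ({why})")
```

Run it against the real file with `audit_sshd_config(open("/etc/sshd_config").read())`. The weak sample produces five findings, including PasswordAuthentication still being "yes" despite the line that tries to turn it off; the hardened sample produces none. Match blocks are deliberately out of scope: anything after a Match line applies only to the clients it names and has to be reviewed by hand, because it can re-enable passwords for a subset of users.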

The Most Exploited Mac Vulnerabilities of the Last 6 Months
For more information, see the SANS Top Cyber Security Risks report.

[Graphic: SANS Top Cyber Security Risks - Attacks on Critical Apple Vulnerabilities (last 6 months), showing the Apple vulnerabilities being exploited on Macs now.]

How to Harden the Mac Operating System

Now that you understand the threats, risks and countermeasures needed to safeguard your Mac system, we go on to implement control changes based on the level of security you want. Read through the following Mac OS X Security Configuration Guides to determine the level of security rigor your needs call for. Additionally, I included some links to other sites that offer further hardening tips and recommendations.

Mac OS X Security Configuration Guides - Taken from apple.com

The Security Configuration Guides provide an overview of features in Mac OS X that can be used to enhance security, known as hardening your computer.
The guides are designed to give instructions and recommendations for securing Mac OS X and for maintaining a secure computer.
To use these guides, you should be an experienced Mac OS X user, be familiar with the Mac OS X user interface, and have at least some experience using the Terminal application’s command-line interface. You should also be familiar with basic networking concepts.
Certain instructions in the guides are complex, and deviation could result in serious adverse effects on the computer and its security. The guides should only be used by experienced Mac OS X users, and any changes made to your settings should be thoroughly tested.

Mac OS X v10.5 (Leopard)

Mac OS X v10.4 (Tiger)

Mac OS X v10.3 (Panther)

Other Mac Hardening Reference Sites

National Security Agency (NSA) Mac Hardening Tips
University of Texas at Austin - Mac OS X Server Hardening Checklist
Corsaire Research provides the latest security intelligence
Macshadows - Advice on Mac System Hardening
Sign Up For Mac Security notifications - Taken from apple.com

For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. Apple usually distributes information about security issues in its products through this site and the mailing list below.

Mailing list

The Security-Announce mailing list is provided to obtain product security information from Apple.
You can subscribe via http://lists.apple.com/mailman/listinfo/security-announce, also available via RSS.
Notifications developed by Apple are signed with the Apple Product Security PGP key. We encourage you to check the signature to ensure that the document was indeed written by our staff and has not been changed.


Check the Apple Security Updates page for released updates.


Hopefully you will find the security recommendations presented here helpful. My desire is to help ensure that you have pleasant computer and Internet experiences.



Thursday, December 3, 2009

Windows 7 Has Better Security Than Apple's Mac Snow Leopard

Windows 7 Bests Snow Leopard Says Mac Hacker

A well-known white-hat hacker, after his penetration testing, found that Microsoft's Windows 7 has better overall operating system security than Apple's Mac OS X Snow Leopard.


The Windows 7 security advantage comes from a defense called:

Address Space Layout Randomization (ASLR)

According to Wikipedia
ASLR has the following effect and benefits on security:


Address space randomization hinders some types of security attacks by making it more difficult for an attacker to predict target addresses. For example, attackers trying to execute return-to-libc attacks must locate the code to be executed; while other attackers trying to execute shellcode injected on the stack have to first find the stack. In both cases, the related memory addresses are obscured from the attackers; these values have to be guessed, and a mistaken guess is not usually recoverable due to the application crashing.


Address space layout randomization relies on the low chance of an attacker guessing where randomly-placed areas are located; security is increased by increasing the search space. Thus, address space randomization is more effective when more entropy is present in the random offsets. Entropy is increased by either raising the amount of virtual memory area space the randomization occurs over, or reducing the period the randomization occurs over; the period is typically implemented as small as possible, so most systems must increase VMA space randomization.

The property being described is entropy: the number of random bits in the offsets, which sets how many possible layouts the attacker has to consider. It is a good security measure because the memory layout is reshuffled every time a program starts. Exploits that rely on code or data sitting at a known, fixed address, as return-to-libc and stack shellcode do, are reduced to guessing, and a wrong guess usually crashes the program instead of giving the attacker a second try.
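The practical question behind the Windows 7 versus Snow Leopard comparison is not whether an OS "has ASLR" but which regions it randomizes and by how many bits; Leopard and Snow Leopard shuffled where system libraries load but left the heap, stack and main executable at fixed addresses. The script below is an added example, not from the original post or from Wikipedia. It launches a fresh interpreter several times, records where the C library (the `strlen` symbol) and a 64-byte malloc'd block land in each run, and counts the bit positions that differ; those are the bits an attacker must guess. It assumes `python3` with ctypes and a libc reachable through dlopen(NULL), which holds on Mac OS X and Linux.

```python
"""Measure how many address bits ASLR actually randomizes on this machine.

Added example, not from the original post. Assumes python3 with ctypes and a
libc that dlopen(NULL) can reach (true on Mac OS X and Linux).
"""
import subprocess
import sys

# Runs inside each fresh process: report a shared-library address and a heap address.
_PROBE = r"""
import ctypes
libc = ctypes.CDLL(None)                 # the running process's own libc
libc.malloc.restype = ctypes.c_void_p
lib_addr = ctypes.cast(libc.strlen, ctypes.c_void_p).value
heap_addr = libc.malloc(64)
print(lib_addr, heap_addr)
"""


def sample_addresses(runs=16):
    """Return [(library_addr, heap_addr), ...], one pair per fresh process."""
    samples = []
    for _ in range(runs):
        out = subprocess.run([sys.executable, "-c", _PROBE],
                             capture_output=True, text=True, check=True).stdout
        lib, heap = (int(x) for x in out.split())
        samples.append((lib, heap))
    return samples


def randomized_bits(values):
    """Count bit positions that differ across the samples.

    XOR against the first sample leaves a 1 wherever any run disagreed, so the
    popcount is a lower bound on the randomized bits (a bit that happened to
    agree in every run is not counted; more runs tighten the bound). Zero
    means the region sits at the same address every time: no ASLR there.
    """
    if not values:
        return 0
    varying = 0
    for v in values:
        varying |= v ^ values[0]
    return bin(varying).count("1")


def expected_guesses(bits):
    """Average blind guesses needed to hit a region with `bits` of entropy.

    Each wrong guess normally crashes the target, so this is also the number
    of crash reports a defender can expect to see before the attack lands.
    """
    return max(1, (1 << bits) // 2)


def aslr_report(runs=16):
    """Summarise randomized bits and the resulting guess cost for both regions."""
    samples = sample_addresses(runs)
    lib_bits = randomized_bits([lib for lib, _ in samples])
    heap_bits = randomized_bits([heap for _, heap in samples])
    return {
        "library_bits": lib_bits,
        "library_guesses": expected_guesses(lib_bits),
        "heap_bits": heap_bits,
        "heap_guesses": expected_guesses(heap_bits),
    }


if __name__ == "__main__":
    for region, value in aslr_report().items():
        print(f"{region}: {value}")
```

Run it on two machines and compare: a heap that reports 0 randomized bits is a heap an exploit can target with a hard-coded address, while a library that reports a dozen or more bits costs the attacker thousands of crashing attempts per successful guess. The measurement is a lower bound, so use enough runs for the bit count to stop growing.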

This is sure to shake up many Mac owners who confuse better Mac performance with better Mac security. It's apples and oranges: performance does not mean security!



Fact Check: Apple's Mac Operating System has the Most Security Vulnerabilities

"Hey, I'm a Mac...and I have the Most Vulnerability Risks!"

You see Apple's brilliant marketing of Mac computers, but most people are surprised and shocked to learn that Apple's Mac operating system has had the most disclosed security vulnerabilities of any operating system for the last three years. The commercials tout the Mac as the worry-free computer, yet it has more disclosed vulnerabilities than Windows, any one of which an attacker could use to take control of your computer.

According to IBM's 2008 X-Force Trend & Risk report, Apple's Mac OS X Server and Mac OS X products top the list as the most vulnerable operating systems. Microsoft's operating systems don't appear until 5th place, after Linux and Sun's OS.

TOP 10 Most Vulnerable Operating Systems

Now it's true that more people target Microsoft's Windows operating systems to do bad things, because Windows runs on over 80% of the world's computers; it's like having more robbers determined to rob you than your friend, while your friend has more weaknesses. Apple's Mac operating systems have about 3X more disclosed weaknesses than all the variations of currently supported Microsoft Windows products. Keep in mind that a disclosure count measures what was found and reported, not how often those flaws are exploited, so read it alongside the attack data in the hardening post above.

Keeping them honest!

Complete 2008 IBM XForce Security report


Julius Clark
