January 21, 2005

Living on the Razor edge

Mark Loveless offers words to live by: 'To catch a hacker, think like a hacker'

I went to a local meeting of the Information Systems Audit and Control Association (ISACA) to hear a presentation by Mark Loveless, who heads up Razor research for BindView. It promised to be an enlightening evening.

BindView develops business policy compliance, vulnerability management, and directory administration software for large corporations; the company's Razor team develops the vulnerability checks, best practices, and compliance algorithms behind BindView's products. Basically, they keep up (or attempt to keep up) with the hackers and computer security troublemakers out there.

Loveless is a fairly well-known name in the security community. He is the founder of the Nomad Mobile Research Centre (NMRC), a large virtual lab that conducts independent -- very independent -- research on computer security issues. To say that Loveless is out on the edge in computer security would be an understatement. Browse the NMRC site long enough and you will quickly see that Loveless is a bit of a rebel. "To catch a hacker, you have to think like a hacker," is one of his mottos.

Wandering around the NMRC site or hearing Loveless speak, you quickly get the idea that this guy knows what he's talking about and seems to eat, drink, breathe, and generally live this stuff 24-7. In other words, when you're looking for a go-to guy in computer security, you could do a lot worse than Loveless, and probably have.

So what did Loveless tell this ISACA group? For the home user, he recommends running Linux and using Mozilla Firefox and OpenOffice instead of the usual Windows, Internet Explorer, and Word. No surprise there, security-wise.

But Loveless is not blind to the fact that many people must use Windows (hey, not everyone can be a big-time Linux geek). He recommends using Microsoft's SP2, which includes Microsoft's Security Center, if you are running Windows XP, but still suggests Firefox in lieu of Explorer. He also believes Microsoft's Security Center is, or at least will be, a good thing in the long run.

For people and companies using wireless technologies, he suggested using Wireless Equivalent Privacy (WEP) for at least minimal protection. He also advised against dual tunneling -- which allows users to attach to the corporate network and the Internet at the same time -- when using a VPN to connect with headquarters. This feature allowed hackers to break into Microsoft's own corporate datacenter by way of a remote worker and steal Windows source code several years back, Loveless noted.

As another security measure, Loveless also advised companies using VPNs to turn off access from some countries, such as Korea, where there are many compromised machines. "If you don't have any workers in Korea, turn off access and limit your exposure," he said.

For the corporate user, Loveless has a more complicated story. He advises corporations to enforce security policies and standards such as HIPAA, Sarbanes-Oxley, and Federal Information Security Management Act (FISMA) on all servers and workstations, not to mention covering all points of access on the network.

Loveless was also adamant about the dangers of hotels and hotel networks. "When I was at one conference, I connected up to the hotel network and found three people out looking to find a vulnerable system," he explained. Loveless said that because many mobile systems are the last to be updated, they are often the weakest link in the security chain -- but also the most vulnerable. If you do need to connect through these networks, Loveless suggests making sure your systems are updated with the latest patches and using a firewall to minimize risk.

Next week, I will give you the lowdown on what Loveless told the group about who the hackers and computer security troublemakers are. Here's a hint: Hackers are probably making more money than you. 

©1994-2009 Infoworld, Inc.