The Sys-Security Group

Tim Green over at NetworkWorld has interviewed me for an article with an interesting story. A sophomore student over at the University of Portland was recently suspended for a year since he managed to find a way to circumvent Cisco’s Clean Access NAC. The student managed to find several vulnerabilities with Cisco’s CCA circumventing it to believe its operating system and A/V adhere to the network access policy, where in truth they were not.

Some more information can be read at The Beacon, the students paper over at the University of Portland.

This story, and others, that were published recently, demonstrates how a questionable device, that is not trusted as is, may falsify information part of a posture validation check. This proves one of the points I have raised during my summer BlackHat 2006 presentation were I have raised these same issues.

The first lesson you learn with information security is that there is no such thing as client-based security.

It is not news that IDS/IPS vendors are trying to jump on the NAC bandwagon. The problem there is that usually some of these vendors tie between a specific functionality they might have with their product (like abnormality detection or intrusion detection) with enforcement to declare they are now doing NAC.

To me this seems as a non-complete product.

According to my definition, at its basis, a network access control solution must ensure that only authorized and compliant devices are allowed to access and operate on the enterprise network.

I do not think that just by providing the linkage with certain functionality (which may or may not be important to NAC) makes these vendors NAC players…

The folks over at Shmoocon have uploaded the video of my Shmoocon 2007 talk to their web site. You can find it here. I have much enjoyed the conference and I highly recommend it.

Apple announced on Thursday they will be delaying the release of Leopard (the next version of Mac OS X) until October. The original release date for Leopard was June.

Apparently this delay relates to the iPhone release:

“We can’t wait until customers get their hands (and fingers) on it and experience what a revolutionary and magical product it is… However, iPhone contains the most sophisticated software ever shipped on a mobile device, and finishing it on time has not come without a price — we had to borrow some key software engineering and QA resources from our Mac OS X team, and as a result we will not be able to release Leopard at our Worldwide Developers Conference in early June as planned.”

I still do not get this. Why announcing the iPhone so early without having the product release tied with it? and now saying that it is “the most sophisticated software ever shipped on a mobile device”? Does that hints the iPhone will be delayed as well?

Insightix was featured by Red Herring magazine as one of the 15 security startups to watch in their latest security special report.