March 2009
25 posts
Is Comcast Pulling Wool →
Reports of data breaches aren’t uncommon. And explanations are typically slow in coming, but most large organizations fall on the proverbial sword and admit their security controls played a role in…
PCI DSS Compliance Made Easier, but Upside Down →
Most companies required to jump on the PCI DSS wagon are SMBs. So implementing security controls to protect cardholder information is not an easy task. And the difficulties begin when business owners…
Maybe we should use the threat of space aliens... →
Now security researchers and vendors are using the threat of cyber-warfare to push vulnerability mitigation. Maybe we should try space aliens next.
Risk Mitigation Drives Breach Prevention Costs →
Remember the objective of breach risk mitigation is to increase the effort necessary to successfully breach a network, system, etc. beyond the value gained by a successful attack. Most…
New Centralized Storage for SMBs →
Keeping all your sensitive information in a centralized location helps with security. However, SMBs with large storage needs (or home users with way too much audio-video gear) may find the new D-Link…
The DoD Still Does Not Get It →
The DoD not only doesn’t protect national defense secrets like they’re, well, national defense secrets. It simply doesn’t follow basic security practices.
Penetration tools continue to improve, how about... →
Developers of tools used to penetrate networks seem to have unlimited resources to draw upon as they continue to improve ways to crack through your network and device defenses. Your defense should…
Juniper is set to launch software to allow security products from competing...
– Juniper offers multi-vendor threat management, Tim Greene, Network World, 9 March 2009
Cyber profiling benefits and pitfalls →
Cyber profiling provides deeper insights into a prospective candidate's character. It can also send the wrong message.
Vet employees, vet employees, vet employees →
Placing new employees in positions of trust requires establishing how far new people can actually be trusted. This seems like common sense, but a recent incident demonstrates just how little some…
Windows Mobile Protection on a Smart Card →
Smartcard protection on an SD card, easy and pain-free.
A senior Democratic lawmaker said on Thursday he would push to pass legislation...
– Online Gambling Ban May Get Nixed, Reuters
Cyber-terrorism: Private organizations have... →
Reports of corporate and government database breaches aren’t new. Neither are reports of Chinese and Russian efforts to find ways of compromising the national infrastructure, and therefore the…
AV software doesn't protect against bots... duh!
I’ve written several times about the need for extrusion detection systems to track bots on networks. At home, personal firewalls configured to block unwanted outgoing traffic are usually sufficient. And the large number of articles, blog posts, tweets, etc. about the global botnet problem should make any security manager anxious. However, a security company claims 3 to 5 percent of company...
For the first time, scientists have successfully teleported information between...
– Long-distance Teleportation Between Atoms
Windows 7: Mobile Data Protection with Bitlocker... →
Still looking for an easy, affordable solution for encrypting USB storage? Working on a limited budget while trying to figure out how to force encryption of mobile data? Your problems may be over if…
Forensics: Reassembling fragmented digital images
A new, inexpensive product can piece together deleted or fragmented digital images.
Unleash Retriever to track down and protect... →
Retriever is an easy-to-use, inexpensive solution to locate, lock, and report lost or stolen personal or SMB laptops. However, it may not be for everyone.
New release of free HIDS
Need a host intrusion detection system? OSSEC might be for you, especially if budget is a problem.
OSSEC is a scalable, multi-platform, open source Host-based Intrusion Detection System (HIDS). It has a powerful correlation and analysis engine, integrating log analysis, file integrity checking, Windows registry monitoring, centralized policy enforcement, rootkit detection, real-time alerting...
Computer Ethics
Interesting computer ethics site with a free online computer ethics manual.
February 2009
65 posts
Can you demonstrate business continuity readiness? →
If a customer, auditor, or regulator asks for your business continuity plan, what will you hand them? Will it be enough?
Companies looking to reduce their IT costs and complexity by tapping into cloud...
– Beware Privacy Gotchas in Cloud Computing, Group Warns, Jaikumar Vijayan, Computerworld
Contradicting previous reports, a US Army electronic-warfare colonel has...
– The Register, Lewis Page, 12 Feb 2009
Application Security: Is being 'AGILE' enough?
Analysis of the strengths and weaknesses of the Agile approach to secure application development.
Enough to stop whining about carrying a token?
Most of the reasons I get for businesses not wanting to implement multi-factor authentication, other than cost, come down to employee resistance to carrying a token of some kind with them. Also high on the list is organization resistance to imposing sanctions on employees who frequently forget their tokens. Maybe using the iPhone or iPod Touch as a second factor will help eliminate some of the...
Find your laptop and yell at the thief
Retriever is an inexpensive solution for individuals or organizations to track or recover stolen/lost laptops. You can also embarrass someone who obtains and uses your laptop without your permission…
I put it on my list of products to test. Stay tuned.
Bitlocker easy to use in Windows 7
Windows 7 may contain the answer to the problem of sensitive information escaping on lost USB devices. Bitlocker is apparently easy to turn on for mobile storage connected to the new OS.
A gentleman I know, science fiction author, EMT/first responder, and former...
– Comment by Ian Osmond to Maine Man Tries to Build Dirty Bomb, No One Cares.
Yubikey Potential and Possibilities →
The Yubikey provides the opportunity for an inexpensive and easy-to-use OTP solution. It also allows entry of long static passwords without typing them character by character.
TinyURL, phishing, and TNO →
Vet shortened URLs before following them to target sites, and do not impose opaque short-links on your friends or customers.
Use TinyURL wisely
I use TinyURL all the time. However, I am also set up to force a review of the underlying URL before proceeding to a site represented by an abbreviated URL I receive from others. This can be done via the TinyURL site, which requires placing a “review cookie” on your computer.
Don’t want to preview the link first? Then you might end up a victim.
In order to implement a robust set of superuser privilege management processes...
– Superuser Privilege Management: It’s Not About Trust, Tom Kemp, TechNewsWorld, 25 Feb 2009
Microsoft's Gazelle: The world's most secure...
Microsoft researchers are working on a new browser constructed on a secure kernel. The browser, currently named Gazelle, will be more secure than any browser currently in use, according to Microsoft.
For Gazelle design specifications, see The Multi-Principal OS Construction of the Gazelle Web Browser (PDF).
The customer again in the middle
You have to love what appears to be legal-speak from the most recent credit card firm to be breached. On one hand, financial institutions claim they can see evidence of the breach as the bad guys use stolen information. On the other is the payment company (thus far unidentified), which is saying there is no “forensic evidence” that information was stolen. The customers are caught...
Fired workers are not your friends...
The results of a new Ponemon Institute survey show that fired employees steal data on the way out the door… big surprise.
A survey of 945 individuals who were laid off, fired or quit their jobs in the past 12 months shows that 59% admitted to stealing company data and 67% used their former company’s confidential information to leverage a new job.
That’s according to the...
Coffee photos
I apologize for the repetitive postings of my wife drinking her morning coffee. I was testing the Tumblr mobile capabilities and had some technical difficulties with my phone.
Restless data: Diffusion via virtualization →
Left on its own, data will find its way to the farthest recesses of your data center. But when helped along by implementation teams, there’s no limit to data diffusion.
FBI cyber division fraud video
http://www.fbi.gov/multimedia/internet022009/internet022009.htm