Tech Support For Dummies

Wednesday, 23 December 2009

My latest security content (finally!)

Posted on 10:20 by Unknown
I can't believe it's been this long! I've been so busy writing and haven't made the time to post my links. No excuses. Anyway, here's my latest information security content - some good stuff on politics and careers that can help you get off to a nice start in 2010.

Networking with the bigwigs to gain support for IT

Dos and don'ts when serving on an IT committee

Five things you need to know about politics in IT

Much, much more to come...Enjoy!

In the meantime, be sure to check out www.principlelogic.com/resources.html for all of my information security articles, podcasts, webcasts, screencasts, Twitter updates, and more.
Posted in careers, Kevin's security content, networking essentials, politics | No comments

Thursday, 17 December 2009

"Top Blogs" list & some home security considerations

Posted on 05:20 by Unknown
I think I may have found the first sign that my blog is growing and gaining some traction. I've made it to the Top 20 Home Security Bloggers list. Many thanks to Adrienne Carlson for this. There are some other interesting blogs on her list so check it out.

Speaking of home security, here's something to consider while home with your family over the holidays. Many believe we have a "right" to self-defense and that the police will be there when we need them. In fact, when seconds count the police are only minutes away. I think deep down most people know this.

Our courts have ruled we have no right to police protection, and time and again 911 centers around the country prove that we are, by and large, on our own when seconds count - like what happened in this recent incident in Atlanta.

Don't get me wrong. I'm 100% behind law enforcement officers - I've worked in the field and have friends and family in it as well. But like teachers in government schools, it's not the individuals, it's the system. Our government at work. Make your own decisions and stay safe!
Posted in home security, personal responsibility, physical security, stupid security | No comments

Wednesday, 16 December 2009

How Tiger Woods' marriage is like risk management

Posted on 13:23 by Unknown
Amid the seemingly unavoidable media tirades hammering Tiger Woods and his marital situation, I realized the tie-ins that such high-profile marriages have with what we do in the information security field. It boils down to two things:
  1. It's all about the money
  2. The focus going in is on who can get the most out of it - "what's in it for me?"
We see this all the time when it comes to information security - executives, legal counsel, and CFOs flexing their muscles and pushing back on security initiatives until they're gone for good. I worked on a project where this very thing happened and it ultimately led to tens of thousands of computers being "0wned" by the bad guys. Funny how some people assume that heads buried in the sand is a good risk mitigation strategy.

Sadly, so many people go into marriage this way. It's all about the contracts, the lawyers, and the selfishness. Meanwhile the very essence of marriage is ignored. Obviously not a viable long-term strategy for marriage or information security...but people will continue on in their same old ways and thus the cycle will continue on.
Posted in business case for security, risk analysis, stupid security | No comments

Thursday, 3 December 2009

Another file/folder security option

Posted on 04:39 by Unknown
One of the biggest vulnerabilities I come across in my security assessments is sensitive information scattered about unprotected drives/shares. Solutions to this dilemma include locating/classifying different information types, locking down shares and file permissions, and encrypting information on mobile devices. If the latter option interests you there's a new company I stumbled across called New Softwares.net that sells very reasonably-priced software that can help. I haven't tried it out yet but it's worth a look-see.
Posted in cool products, drive encryption, laptop encryption, mobile security | No comments

Tuesday, 1 December 2009

Funny thing about notices of privacy practices

Posted on 10:37 by Unknown
I just received a "notice of insurance information practices" from my health insurance provider that says something to the effect of:
"ALL INFORMATION CONFIDENTIAL. We're required by law to keep your information confidential. It will be seen only by our employees and authorized business associates."

Really? Pretty gutsy statement from any business, but especially one that's already been listed on the Chronology of Data Breaches.
Posted in data breach laws, hipaa, hitech act, stupid security | No comments

Friday, 20 November 2009

I need your help *today* Friday Nov 20th

Posted on 05:33 by Unknown
You may already be aware of TechTarget's IT Knowledge Exchange. It's a great place to ask questions and/or establish yourself as an expert.

Anyway, I just realized that today's the last day to nominate another member [subliminal message]Kevin Beaver[/subliminal message] for their Panasonic 42" TV giveaway. Someone you know [subliminal message]Kevin Beaver[/subliminal message] is in the running and could really use your help.

So what's in it for you? When you nominate someone [subliminal message]Kevin Beaver[/subliminal message], you get a chance to win one of five $20 Amazon gift cards they're giving away. Hardly anyone has voted so your odds of winning are really good! And, by signing up you can become part of a good community of folks - good for networking, good for your career.

Thanks!
Posted in cool sites, message from Kevin | No comments

"Computer glitch" always to blame for someone's bad choices

Posted on 04:58 by Unknown
Here's my two cents on the people failure - I mean "computer glitch" - at Atlanta's Hartsfield airport yesterday. Gotta blame something...

Hartsfield outage: "Computer glitch" or FAA "people failure"?
Posted in business continuity, computer glitch, personal responsibility, stupid security | No comments

Thursday, 19 November 2009

I could've sworn we had this thing called HIPAA

Posted on 09:27 by Unknown
Remember way back in April of 2005 when the HIPAA Security Rule went into effect? Well apparently some healthcare providers didn't get the memo. Big blow to Health Net.

So, no reasonable security controls to meet the HIPAA requirements, much less encryption of mobile storage devices? Seriously, people: what is it going to take to encrypt mobile drives!!??

I'm not a fan of BitLocker in the enterprise and not sure how big Health Net is but, heck, they could've at least considered it!

Golly...I think I get so fired up about this stuff because it affects us all so personally. Furthermore it's, um, common knowledge that big security breaches will and do occur on a daily basis.
Posted in drive encryption, hipaa, mobile security, stupid security | No comments

Monday, 16 November 2009

So, certification is what's best for your career, huh?

Posted on 08:58 by Unknown
Per Microsoft Learning's director: "We see the trend increasing that individuals are making the decision that what is best for their careers is to be certified"...Completely disagree. Read the news column...Can you see the hidden message?

Here's what's best for your information security career...substance, not certification. Ooh, maybe I should trademark that. ;-)
Posted in careers, certifications, goal setting | No comments

BitLocker and Windows 7 – Things you need to consider

Posted on 06:36 by Unknown
I was recently asked to write a whitepaper on considerations for BitLocker in Windows 7. While doing my initial research I learned a lot about BitLocker and discovered some new ideas and approaches for managing sensitive data. In this whitepaper I cover:
  • Why data encryption matters
  • BitLocker’s new features in Windows 7
  • Operational concerns you need to think about
  • Usability issues that can create problems
  • Potential compliance and security gaps you don’t want to overlook
…and more.

We know the security threats we’re up against. We understand the value of data encryption. And odds are Windows 7 is going to be the next big operating system at the desktop. Taking these things into consideration, we’ve got a long way to go in order to get our arms around protecting sensitive data – especially on mobile devices such as laptops, netbooks, and external drives.

Knowing how the marketing beast tries to pull us in one direction and seemingly critical technical issues in the other, we often overlook which way is best for the business. After all, that’s what security decisions need to be based on. You have to look at your business operations, politics, staff expertise and so on with a critical eye and ask yourself what’s going to be the best data encryption solution overall.

I’m a big advocate of using what you’ve got before you go out and spend even more money on third-party security products to gain the control and visibility you need. I see it all the time. Managers complain that security’s too difficult or expensive all the while they’re not even using their built-in operating system controls – controls that can go a long way towards keeping things in check. But just because something is built in and “free” doesn’t mean it’s the best fit or suitable for the business.

I’ve come to the conclusion that many businesses – arguably the majority – are not anywhere close to being where they need to be with security and especially data encryption at the workstation. Microsoft isn’t necessarily coming to the rescue with BitLocker in Windows 7 either.

Some good old-fashioned research and planning is in order if you’re going to get your arms around data encryption and truly minimize your business risks in this compliance-driven world we work in. This means understanding the facts and thinking long term about how your decisions on emerging technologies will impact your business both now and down the road. My whitepaper Considerations for BitLocker in Microsoft Windows 7 will help you get the ball rolling.
Posted in bitlocker, compliance, drive encryption, laptop encryption, mobile security, Windows 7 | No comments

Wednesday, 11 November 2009

Responsibility becoming a thing of the past?

Posted on 07:44 by Unknown
Here's a great post from Neal Boortz regarding holding people responsible for their choices. It's very simple to blame something inanimate instead of fixing the real problems. Like blaming malware for security breaches...

Practically everything in life and business can be traced back to choice - that's why we have to use it wisely.
Posted in personal responsibility, security leadership | No comments

Tuesday, 10 November 2009

M-W's Word of the Day very fitting

Posted on 13:12 by Unknown
I subscribe to Merriam-Webster's "Word of the Day" and saw today's word is rectify. Here's the example sentence they used:

"The night before the Web site was to go live, the programmers worked frantically to rectify several unresolved security problems."

Too funny! ...and sadly, all too common. Hey, at least they were working to fix the security issues before it went live! ;-)
Posted in information security quotes, stupid security, web application security | No comments

Monday, 9 November 2009

Have you thought about business continuity metrics?

Posted on 06:55 by Unknown
Either way, here's a good set of business continuity metrics worth checking out. Something that's sorely missing from many plans...that is, where plans even exist.
Posted in business continuity, disaster recovery | No comments

Sunday, 8 November 2009

The real deal with the SSL/TLS flaw

Posted on 10:36 by Unknown
Over the past few days Twitter, security blogs, and news columns have been going crazy with the newly-discovered SSL/TLS flaw. Man, you'd think it's the next WEP exploit discovery. The security sky is falling...we must retreat.

Seriously, is this thing a big deal? Not in my opinion - at least not in 99.9% of situations. But what do I know? I'm just the security guy that sees network shares sharing out entire drives full of sensitive files, firewalls with default configurations and no passwords, smartphones without a trace of security enabled, laptops with supposedly "nothing of value" that end up having thousands of PII records yet no semblance of drive encryption, database servers without passwords, physical security cameras and data center control systems with default passwords that anyone on the network can mess around with, operating systems missing critical patches that are easily exploited using free tools, Web sites/apps with gobs of XSS and weak authentication controls, and on and on and on and on.

If you want to pick nits and chase the rabbit down the infinite path of limited return, sure, it's a big deal. Otherwise, chances are you've got much bigger issues on your hands.
Posted in back to basics, data at rest, encrypting data in transit, low-hanging fruit, ssl, stupid security | No comments

Tuesday, 3 November 2009

Good dictionary to use for password cracking

Posted on 07:37 by Unknown
Here's a pretty comprehensive password dictionary I recently came across that you may want to use in your security testing...there may be a "friendlier" download link but I haven't searched for it.

If time is a factor, this dictionary may be too big for its own good given the time it'd take to run through everything but at least you know you're using a good dictionary. After all, your dictionary-based password cracking results are a direct reflection of the quality of your dictionary. Happy cracking!
Posted in cool products, passwords, penetration testing, security testing tools | No comments

Friday, 30 October 2009

1 day left for 50% discount on current audio programs

Posted on 12:21 by Unknown
Final call for the 50% discount on my current Security On Wheels audio programs. Just enter OCT09 as the discount code when checking out!
Posted in audio programs, message from Kevin | No comments

You'd think Twitter would have the means to fix this

Posted on 02:51 by Unknown
Seems like I get it more often than not these days...Ahh, the growing pains of an Internet startup.
Posted in business continuity, twitter | No comments

Thursday, 29 October 2009

Disaster recovery is dead?? Not hardly!

Posted on 07:48 by Unknown
In this recent SearchCIO.com bit, the executive director of the Disaster Recovery Institute International says that disaster recovery is dead. He goes on to say that "disaster recovery (DR) and business continuity have become synonymous" and (here's the kicker) "We don't do recovery anymore, because what everybody wants is continuous operations...We have auto failover now. We have redundancy in data. We do have more continuity. And that is because recovery is almost impossible..."

Really!? Where is he seeing this? Maybe in the largest of large corporations? Perhaps government agencies with unlimited budgets, or maybe it's some Utopian society where every business can justify having every control in place necessary to keep the business running at whatever cost?

That's not what I'm seeing...That's not reality. Amazing how people see what they want to see and nothing more.
Posted in business continuity, disaster recovery, stupid security | No comments

Wednesday, 21 October 2009

Metasploit as we knew it going bye bye?

Posted on 06:09 by Unknown
The day I never thought I'd see has come. Once HD Moore announced "Metasploit is hiring" I knew something was going on. Metasploit has been acquired by Rapid7...huh!? Too bad Qualys - maker of my favorite OS/network vulnerability scanner - missed this opportunity!

According to the Rapid7 acquisition FAQ Metasploit will remain open source but with a commercial twist. I hope it only gets better...fingers crossed.

Hey at least Capitalism prevailed...it's dying slowly but surely in this country but I'm glad to see this kind of stuff is still happening. Kudos to HD Moore and company!!
Posted in cool products, metasploit, open source security, security testing tools | No comments

Friday, 16 October 2009

Email business continuity - this is funny...and ironic

Posted on 04:49 by Unknown
As I reported a couple of days ago, my email security provider stopped working. Maybe they took a hiatus...a sabbatical...an extended vacation - and didn't tell me. Seriously, I did end up calling them a few times trying to work things out. I got what seemed to be a knowledgeable tech rep trying to help me. The problem was he never could. He said he'd call me back two different times. He made several promises to get "development" involved so they could release my 2, no 3, days worth of emails stuck in their queue. Care to guess the outcome?

No emails recovered. No call back. I'm stuck on my own. The tech rep said they were sent. I never received them...That's a tough one to prove, but the fact of the matter is that I lost over 100 emails. Odds are only 10-15 were legitimate emails that matter to my business, but that's not the point. The very thing I've depended on for business continuity in the event my email server or Internet connection was down - their email queue - ended up creating a business continuity problem for me. I wanted to give them the benefit of the doubt. No such luck.

The vendor is St. Bernard. Their service is iPrism. I've had a "free" account with them since the Singlefin days back in 2003. Another case of you get what you pay for?

The funny thing is that Google is apparently having similar email delivery problems of their own. Postini had an outage and people went 20 hours without email....woooo, big deal! How about several days worth like I experienced? The ironic thing is that I'm considering moving to Postini. Who would've thought...

I'm telling you folks, you have to be careful hopping on this "cloud computing" bandwagon...as in St. Bernard's case and apparently in Google's case as well (with Postini and the recent Gmail outages), these "SaaS" providers don't always have our best interests in mind. Free service or not, customer no-service is always an option, so you'd better plan for it in advance.
Posted in customer no service, uncool products, vendors | No comments

Wednesday, 14 October 2009

The fastest vendor acquisition I've seen

Posted on 11:43 by Unknown
This has to be the fastest security startup/acquisition I've ever seen. I'm pretty sure the company - which is here in my neck of the woods - was less than a year old.

You know how I feel about SaaS and "the cloud" but kudos to Paul Judge, Chris Tilton, and those guys for growing and turning this thing around so quickly. Capitalism at its finest!!
Posted in cloud computing, saas, vendors | No comments

Cloud computing & customer no-service - match made in heaven?

Posted on 04:20 by Unknown
I never thought I could be so productive. This week I've had less pressure to deliver. I've been able to turn "things" off. All while I'm attending a conference when I usually get even more behind. Well you see, my email isn't working. My email security "application service provider", I mean "managed service", dang it, actually my "cloud computing" provider delivering "software as a service" has apparently decided to take a break from things. I haven't received but 1 or 2 emails in the past two days...I normally get 75+ per day. It's actually been a nice break - especially from all the spam. But it's not what I was looking for.

This outage is actually nothing new with my provider...It's actually an ongoing issue I've had over the years. But the problem usually corrects itself within a few hours. Not this time. So I emailed the company last night using a personal email account and actually got a quick response. Impressive. I thought we were going to be able to have a dialog but apparently their support team decided that leaving for the day was more important. I've followed up with them twice since then...nothing. No response. But I'm going to give them the benefit of the doubt and not mention any names. It's probably something simple. Likely something stupid on my part - I am the "dumb customer" after all.

Side note: I know I can set my MX record to point directly to my email server and get my email back running again...or I could choose another provider. The problem is that I have over a day's worth of emails stuck in my email security provider's queue - likely several days worth since this problem started over a week ago. So I can't give up hope on them just yet...I have to get my emails out.

I'm telling you this story because you have a big, no grand, responsibility to make good IT and information security choices for your business. Buyer beware with cloud computing. Don't assume that just because some cloud computing provider promises the moon you're actually going to get the service you need. They don't know your business. They don't understand your needs. Cloud computing providers are in business to make money, not coddle you with loving support and bend over backwards to get you up and running. I know, I know, there are lots of good cloud computing providers out there...but how do you know who they are? You usually won't until you find out the hard way...as I am now. Just because your lawyers and their lawyers agreed upon certain terms in a contract doesn't mean some yahoo in tech support is going to care when the time comes.

I'm a one-man shop...imagine if this was a problem someone was having in a large corporation. Someone's rear end would be in a sling right now. His or her job on the line. Speaking of cloud computing gone wrong, was your business affected by the Sidekick debacle? Maybe you're already looking for work because of that...

Don't lose sight of the fact that security and managing information risks is about control and visibility. If you don't have those because of some customer no-service situation, then no matter how "cool" cloud computing is at the moment, this hype over substance the marketers are pushing is probably not worth the risk.

Enough said, I've got to get back to work and fix this...
Posted in business continuity, cloud computing, customer no service, stupid security | No comments

Tuesday, 13 October 2009

In case you're trying to email me...

Posted on 14:00 by Unknown
...my lovely email security provider has chosen to work part-time apparently. If you need to reach me, email my full name (1 word) at gmail dot com.
Posted in message from Kevin | No comments

Latest version of LANguard worth considering

Posted on 07:45 by Unknown
Have you seen the new - OK, it's not that new any more - version of LANguard (formerly LANguard Network Security Scanner)? It's certainly a tool worth checking out if you do vulnerability scanning.

I've been using LANguard for years for share finding and authenticated scanning and it does both very well. The biggest change in the latest version is the user interface. I've never been a big fan and I'm still not, but I'm getting used to it. Many of the improvements in the latest version involve authenticated scans. The quick-view dashboard is a nice improvement and I really like the scan progress.

When performing untrusted/unauthenticated scans I've found that LANguard won't find nearly the number of vulnerabilities that QualysGuard does, especially with regards to missing-patch vulns that are exploitable via Metasploit. Hopefully that'll continue to evolve. But it does a very good job with this during authenticated scans (as would be expected if you have login credentials).

I'm still waiting for the ability to test your authentication credentials like what Sunbelt Network Security Inspector offers - or at least used to; I haven't used it lately. You have to plug in your credentials and hope that your login works. It'd also be nice to be able to sort through the network share finder results and filter based on the permissions found (i.e. shares where Everyone has full access).

[Screenshot of the LANguard main interface]
In the interest of getting you hooked on good tools, here's a link to GFI's free version of LANguard. Hope this helps!
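The share-permission filter wished for above (and the "sensitive files on wide-open shares" finding that comes up repeatedly on this page) is easy to script yourself. The following is an added example, not GFI's or LANguard's code: it lists local SMB shares whose share-level ACL grants Everyone (or another broad group) Full or Change access, then checks whether the NTFS ACL on the share path also grants write access, since effective access is the more restrictive of the two. It assumes Windows 8 / Server 2012 or later (for the SmbShare module) and an elevated local session.

```powershell
# Added example, not GFI's or LANguard's code. Flags local SMB shares whose
# share-level ACL grants a broad principal (Everyone by default) Full or
# Change access, then checks whether the NTFS ACL on the share path also
# grants that principal write access. Effective access is the more
# restrictive of the two, so a weak share ACL backed by tight NTFS rights is
# less urgent than a share that is writable end to end.
# Assumptions: Windows 8 / Server 2012 or later (SmbShare module present),
# run locally in an elevated PowerShell session.

function Get-WeakShareAccess {
    [CmdletBinding()]
    param(
        # Principals treated as "anyone on the network"; adjust to taste.
        [string[]]$BroadPrincipals = @(
            'Everyone',
            'NT AUTHORITY\Authenticated Users',
            'BUILTIN\Users'
        ),
        # Hidden admin shares (C$, ADMIN$, IPC$) are skipped unless requested.
        [switch]$IncludeAdminShares
    )

    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write

    foreach ($share in Get-SmbShare) {
        if ($share.Special -and -not $IncludeAdminShares) { continue }

        # Share-level ACL: Allow entries granting Full or Change to a broad
        # principal are what the share finder should be flagging.
        $weakShareGrants = Get-SmbShareAccess -Name $share.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.AccessRight -eq 'Full' -or $_.AccessRight -eq 'Change') -and
            ($BroadPrincipals -contains $_.AccountName)
        }
        if (-not $weakShareGrants) { continue }

        # NTFS ACL on the underlying folder: does a broad principal also get
        # write rights there? If not, NTFS is doing the real restricting.
        $ntfsWriteGrants = @()
        if ($share.Path -and (Test-Path -LiteralPath $share.Path)) {
            $ntfsWriteGrants = (Get-Acl -LiteralPath $share.Path).Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                ($BroadPrincipals -contains $_.IdentityReference.Value) -and
                (($_.FileSystemRights -band $writeMask) -ne 0)
            }
        }

        $severity = if ($ntfsWriteGrants) {
            'High: writable by a broad group at both share and NTFS level'
        } else {
            'Medium: share ACL is weak but NTFS permissions restrict it'
        }

        [pscustomobject]@{
            Share       = $share.Name
            Path        = $share.Path
            ShareGrants = ($weakShareGrants |
                ForEach-Object { "$($_.AccountName): $($_.AccessRight)" }) -join '; '
            NtfsWrite   = [bool]$ntfsWriteGrants
            Severity    = $severity
        }
    }
}

# Usage: list the findings, "High" sorts before "Medium".
Get-WeakShareAccess | Sort-Object Severity | Format-Table -AutoSize
```

Running it across a fleet means wrapping the call in Invoke-Command against your server list; the output objects pipe straight into Export-Csv for the evidence file.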
Posted in cool products, security scans, security testing tools, vulnerability assessments | No comments

Proper password length

Posted on 07:09 by Unknown
Probably late to the game but just had to post this:

During a recent password audit, it was found that a blonde was using the following password:

MickeyMinniePlutoHueyLouieDeweyDonaldGoofy

When asked why such a big password, she said that it had to be at least 8 characters long.
Posted in humor, information security quotes, passwords | No comments

Monday, 12 October 2009

Cool tool for cracking/resetting SQL Server passwords

Posted on 10:47 by Unknown
Elcomsoft has a neat - and relatively new - tool called Advanced SQL Password Recovery I thought you may be able to benefit from. It can be used to reset the passwords protecting any SQL Server database, including SQL Server 2000, 2005 and 2008. All you need is access to the master.mdf file. SQL Server optional.

I was going to show a screenshot but there's not that much to show...you load the program, you point it to the master.mdf file and it'll crack the passwords - simple as that. Very cool.

Yet another reason to keep your Windows systems patched and your share/file permissions in check.
Posted in cool products, database security, passwords, security testing tools, sql server | No comments

Friday, 9 October 2009

My latest security content

Posted on 04:41 by Unknown
Here are a couple of new articles of mine that were just published. Many more to come. Enjoy!

Balancing Windows security with reasonable password policies

Storage encryption essentials

Be sure to check out www.principlelogic.com/resources.html for all of my information security articles, podcasts, webcasts, screencasts, Twitter updates, and more.
Posted in active directory, drive encryption, Kevin's security content, passwords, security policies, storage security, Windows | No comments

Thursday, 8 October 2009

Asking the right questions

Posted on 09:16 by Unknown
One of the elements of being successful in security is asking the right questions - and not being afraid to do so. As information security professionals we can, and should, question the funding of security projects, management being on board with the business risks at hand, and so on.

I recently came across two great quotes regarding questioning. First, Anthony Robbins said "Quality questions create a quality life. Successful people ask better questions, and as a result, they get better answers." Second, Albert Einstein said "The important thing is to not stop questioning."

We don't have to be pests, and we certainly need to be careful not to do more harm than good when getting people on our side. But if you approach your security initiatives with enough finesse and confidence and show how you're concerned about the business, your questioning might be just what the doctor ordered.
Posted in careers, communication, great quotes, information security quotes, security leadership, security management | No comments

Tuesday, 6 October 2009

Don't give up

Posted on 09:31 by Unknown
Napoleon Hill once said "The majority of men meet with failure because (they don't create) new plans to take the place of those that fail."

I see this a lot: people with big plans meet a setback, get discouraged, and give up. If you feel strongly about doing something - writing a book, changing careers, getting a degree, whatever - don't be this person.
Posted in careers, goal setting, motivation, security leadership, thinking long term | No comments

Good info on hardening Windows XP

Posted on 09:19 by Unknown
I've written various articles on hardening Windows XP over the years and am always seeking out new nuggets since XP's going to be around a while. Eric Shultze has a neat list of 5 registry keys you can use to further harden your Windows XP systems that you may not have heard about. Enjoy!
Posted in Windows, windows security | No comments

10 Ways to Become Indispensable at Work

Posted on 05:39 by Unknown
Here's a good piece on keeping your job and growing your career:

10 Ways to Become Indispensable at Work

I'd also add: network to build your relationships, focus on your communication skills, and always, always put things in terms of the business - what's in it for them. Here are some IT and security career tips (that can apply to anyone) I've written that dive into these areas and more.
Posted in careers, communication, security leadership | No comments

Monday, 5 October 2009

National Archives does it again!

Posted on 12:24 by Unknown
You may recall my appearance on CNN television earlier this year when a hard drive went missing from the National Archives and Records Administration. Well, apparently some lessons don't sink in. This time around the National Archives folks sent an unsecured hard drive containing personal info on 70 million+ veterans to a vendor for "repair and recycling" (huh?). Apparently an employee subverted a policy then had to go on leave and one thing led to another...Interesting story - I'm not surprised at the outcome.

In the spirit of our current govern-by-reaction mentality in Washington maybe a few new laws can be passed to keep this from happening. Oh wait, it's the government failing to listen to itself in the first place. Unbelievable.
Posted in compliance, government regulations, laptop encryption, laptop security, mobile security, stupid security | No comments

My latest security content

Posted on 02:00 by Unknown
Here's my latest information security content. Enjoy!

Are you earning what you're worth in information security?

Understanding the politics of information security

Be sure to check out www.principlelogic.com/resources.html for all of my information security articles, podcasts, webcasts, screencasts, Twitter updates, and more.
Posted in careers, Kevin's security content, politics, security leadership | No comments

Friday, 2 October 2009

This is really cool and really scary

Posted on 13:29 by Unknown
Researchers at Duke University have found out how to use the basic features of cell phones to determine specific traits of the "space" you're in. Big Brother tracking at its finest. Once this goes mainstream, that's the point at which I stop using a cell phone.
Posted in content filtering, cool products, employee monitoring, scary stuff | No comments

The deal with my Security On Wheels audio programs

Posted on 08:31 by Unknown
If you've been following me for any length of time you've probably noticed that development of my Security On Wheels audio programs has slowed way down. Let me explain why.

In a nutshell, I'm practicing what I preach: "focus on your highest payoff tasks". With this economic mess we're in I've had to really buckle down and focus on billable work this year to keep my momentum up and ride out this storm. Existing sales are good but I'm striking a balance between the time/costs associated with developing and producing new content and the reality that so many people aren't buying much right now. Being self-employed I don't have a choice. That said, I will return! I'm putting together my next audio program now.

Mega thanks to those of you who've provided such positive feedback on my existing audio programs. It confirms that I indeed have a good thing going here.

If you're not currently on my Security On Wheels mailing list and wish to be notified of new audio programs and special offers you can sign up on the home page at securityonwheels.com.

If you're interested in trying out either of my existing audio programs, I'm offering a 50% discount on any purchase to get you on board...and get you hooked. Just enter OCT09 as the discount code when checking out. It's good through the end of October.

Thanks for your patience and stay tuned for great new things with Security On Wheels in the near future.

All the best,
Kevin
Posted in audio programs, Kevin's security content, message from Kevin

Great quote to help motivate you

Posted on 08:24 by Unknown
I just came across a great quote by "The Donald" (Trump) that contains a great little nugget to inspire us to do the best we can in our careers:

"As long as you're going to be thinking anyway, think big."

Practice this over and over and you'll eventually become what you think about. Sure, small and large annoyances will get in your way (like my rants here and on my Twitter page) but just get them out of your system and move on to bigger and better things. Let the joke be on someone else.
Posted in careers, great quotes, information security quotes, motivation, security leadership

Wednesday, 30 September 2009

My latest security content

Posted on 04:52 by Unknown
Here's my latest information security content...many more to come soon! Hope these prove to be of value to you.

Finding cross-site scripting (XSS) application flaws checklist

The Windows Report - Analyzing the IT Job Market (podcast)

Be sure to check out www.principlelogic.com/resources.html for all of my information security articles, podcasts, webcasts, screencasts, my Twitter updates, and more.
Posted in careers, cross-site scripting, Kevin's security content, web application security, web browser security

Tuesday, 29 September 2009

XSS in my article on XSS!?

Posted on 09:02 by Unknown
I "tweeted" about this but I had to post it here as well. I just realized that my new article for SearchSoftwareQuality.com on XSS actually executes JavaScript when loading because of some sample code I inserted into it!! It's not actual XSS but looks like it! Ahh the irony.
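What happened to that article is worth seeing in code. The following is an added example, not code from the article or from SearchSoftwareQuality.com: a constructed article fragment pastes a constructed XSS test string straight into the page's HTML, and a parser shows that the browser would create a real script element from it. HTML-encoding the sample before it goes into the page is the fix; the sample text is still readable, but nothing executes.

```python
import html
from html.parser import HTMLParser


# Constructed sample: the kind of test string an XSS checklist would tell readers to try.
SAMPLE_PAYLOAD = '<script>alert("XSS")</script>'

# Constructed article template. {snippet} is where the sample code is dropped in.
# Note that <pre> does not stop the HTML parser; only encoding does.
ARTICLE_TEMPLATE = (
    "<p>Try submitting this string in each input field:</p>"
    "<pre>{snippet}</pre>"
)


class StartTagCollector(HTMLParser):
    """Records every start tag a browser-style parser would create from the document."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def live_script_tags(html_doc):
    """Return how many <script> elements the parser sees in html_doc."""
    collector = StartTagCollector()
    collector.feed(html_doc)
    collector.close()
    return collector.tags.count("script")


def render_unsafe(snippet):
    """Paste the sample straight into the page: the snippet becomes live markup."""
    return ARTICLE_TEMPLATE.format(snippet=snippet)


def render_safe(snippet):
    """HTML-encode the sample so the browser displays it as text instead of parsing it."""
    return ARTICLE_TEMPLATE.format(snippet=html.escape(snippet, quote=True))


if __name__ == "__main__":
    unsafe = render_unsafe(SAMPLE_PAYLOAD)
    safe = render_safe(SAMPLE_PAYLOAD)
    print("unsafe:", unsafe, "-> script elements:", live_script_tags(unsafe))
    print("safe:  ", safe, "-> script elements:", live_script_tags(safe))
```

The same encoding step applies to any payload shown in an article or a bug report, including strings that only look harmless (an `onmouseover` attribute, a `javascript:` URL). Wrapping the sample in `<pre>` or `<code>` is a display choice, not a safety control.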

Finding cross-site scripting (XSS) application flaws checklist

BTW, I'm working on getting it resolved...
Posted in cross-site scripting, web 2.0, web application security

Know of anyone who is "ignorant of the facts"?

Posted on 05:26 by Unknown
British prime minister Benjamin Disraeli once said "To be conscious that you are ignorant of the facts is a great step to knowledge."

What a great quote related to information security...in the context of both users and management. There are people out there who understand the basics of information security risks. It's all the other people you need to focus on. Here's how you can build credibility and get others on your side with information security.
Posted in great quotes, information security quotes, security leadership, security management, selling security

Thursday, 24 September 2009

Do you have racy photos on Twitter too?

Posted on 09:27 by Unknown
If you're on Twitter you may want to check out your followers - at least their pictures...I'm getting a lot of people with racy photos. Maybe I'm just developing a new fan base of people who feel really comfortable around me! ;-)

And to think that I could have a few hundred more followers on Twitter if I didn't filter out the junk!
Posted in twitter

Wednesday, 23 September 2009

Quoted in today's WSJ

Posted on 10:13 by Unknown
If you can, check out today's Wall Street Journal - page A20. I talk about sensitive information being mismanaged on mobile devices. You may already know how I feel about mobile security...what's it going to take to fix this issue?
Posted in compliance, kevin's quotes, mobile security, stupid security, unstructured information

Monday, 21 September 2009

My latest security content

Posted on 14:43 by Unknown
Here are a few new pieces just published. Enjoy!

The lowdown on PCI compliance

Testing rich Internet applications: 2009's best free tools

Big Brother or lowly minion - finding your role in IT

Be sure to check out www.principlelogic.com/resources.html for all of my information security articles, podcasts, webcasts, screencasts, my Twitter updates, and more.
Posted in careers, compliance, pci 6.6, pci dss, security management, security testing tools, web 2.0

Swimming in Atlanta

Posted on 10:01 by Unknown
We're getting completely drenched here in the South. Pouring rain nonstop for four days and it's not supposed to let up for another few days. Must be all that "global warming". Seriously we've been hearing about reduced sun spot activity as of late (just not so much in the mainstream media because that would go against their religion). Some scientists (likely the ones whose jobs aren't tied to taxpayer funding) believe sunspot activity affects weather here on earth...like the really cold weather we've been having over the past couple of years...and all this rain.

I've always thought that it's quite cocky of man to believe he's powerful enough to change the climate, but this guy has beaten me to the punch. Some food for thought. That said, "man changing the climate" is not what "global warming" is about anyway. But you already knew that.

Anyway, lots of homes and buildings flooded here in my neck of the woods should remind us all that business continuity - even if you work from home - is not something to take lightly. Have a great week, stay dry, and wish us luck!
Posted in business continuity, global warming

Friday, 18 September 2009

4 things you can do right now to find out if your business is at risk

Posted on 08:24 by Unknown
Here's a link to a post I just made that you may be interested in:
4 things you can do right now to find out if your business is at risk
Posted in compliance, security assessments, small business

Reader's choice on best security products

Posted on 05:36 by Unknown
In case you're looking around, here's a good overview of security products that our peers like.
Posted in cool products, security tools

Wednesday, 16 September 2009

My latest security content

Posted on 13:09 by Unknown
Here's my latest information security content. Hope you enjoy!

Big IT Lessons Small Businesses Can Learn (an IncTechnlogy.com piece I contributed to)

How often should I change the passwords for my bank and other important online accounts? (a Women's Health magazine piece I contributed to)

Web 2.0 application security troubleshooting, testing tutorial

HIPAA-covered entities, business associates confront HITECH Act rules

Ten sure-fire ways to derail your career in IT

What you should know about cloud backup security (a podcast Q&A)

Be sure to check out www.principlelogic.com/resources.html for all of my information security articles, podcasts, webcasts, screencasts, my Twitter updates, and more.
Posted in backups, careers, cloud computing, compliance, government regulations, hipaa, hitech act, online backup, online safety, passwords, small business, web 2.0, web application security

Third-party apps still a big security issue

Posted on 09:54 by Unknown
A while back I wrote about the importance of patching third-party software on your enterprise desktops. Apparently third-party applications are still out of the security loop. It's a seemingly small problem but it can have pretty big consequences.
Posted in change management, patch management, security management, stupid security, third-party applications

Parental software, is this where we're headed!?

Posted on 09:43 by Unknown
Be careful which parental monitoring software you install on your kids' computers. Looks like some people think their content filtering software is a means to capture the text of IM chats for the purposes of marketing intelligence. Sickening.

Good reason to use a network analyzer to see what's being sent out of your computers/networks! Get an executive or IT admin on one of these computers talking about sensitive subjects and it's (unsuspected) data leakage at its finest.
Posted in content filtering, network analysis, privacy, uncool products

Have you seen this movie yet?

Posted on 08:01 by Unknown
I took a couple of days off to celebrate the completion of my freshly-updated book Hacking For Dummies, 3rd edition. More on this to come...Anyway, during this time off I went to see the movie District 9, which was most excellent. One of the best flicks I've ever seen. Extremely creative with good acting too! You have to see it while it's still in theaters!!
Posted in message from Kevin

Monday, 14 September 2009

Boston Beer a big let down

Posted on 04:13 by Unknown
I heard a Samuel Adams beer commercial on the radio this morning that reminded me of the big let down I had from them recently. I was at a speaking engagement on physical / data center security on behalf of Anixter in Boston (pronounced Bahstun for those of you here in the South with me) and wanted to see some of the sights while I was there.

Being a fan of Sam Adams I hopped (like the pun?) onto their Web site to get tour information. Wasn't there. Seriously....I called their sales # and was told they don't handle tour information there. I was transferred to the "tour guy". No answer - had to leave a message. I kindly asked that he return my call with the basics. Never heard back.

Now, remember, I just wanted basic tour information (where, when, how much). Hey Jim Koch, you're obviously proud of your beer, how hard does it have to be to get tour information??? What a let down...

Now I have a negative association every time I hear a Sam Adams commercial or see Sam Adams beer in the store. Hey at least there's a handful of microbrew alternatives like Flying Dog. And, go figure, they actually have tour information on their Web site. Took me all of 4 seconds to find it. Next time I'm in Maryland maybe I'll pay them a visit.

Anyway, just had to get that off my chest.

Hope you have an excellent week...back in touch soon.
Posted in customer no service, data centers, Kevin's seminars, physical security

Wednesday, 9 September 2009

Loving BitLocker so far...

Posted on 12:38 by Unknown
I recently wrote about Windows BitLocker's false sense of security and I've made it loud and clear that I'm a big advocate of encrypting mobile drives. Well, since I had to reload my laptop recently I decided to take the plunge into Windows 7 la la land and, at the same time, decided to try out BitLocker rather than reload PGP whole disk encryption. I don't know if I'm missing something but, golly, I sure do like it so far....It's seamless. I especially enjoy how it handles removable storage devices so conveniently. [fingers crossed]
Posted in bitlocker, laptop encryption, laptop security, mobile security

Tuesday, 8 September 2009

Why Most PowerPoint Presentations Suck

Posted on 02:02 by Unknown
That got your attention, huh? Mine too when I first came across this gem of a book by Rick Altman. It's pretty much all you need to know about what to do - and just as importantly, what not to do - with Microsoft PowerPoint. It has a no nonsense approach to making your presentations better. Mandatory reading for all college students, perhaps??

By the way, Rick Altman is bringing his show to Atlanta in October (the 11th through the 14th). For those of you here in my neck of the woods, Rick is graciously offering a two for one registration here. I'm really looking forward to it and hope to see you there!
Posted in careers, conferences, presentations, recommended books

Friday, 4 September 2009

My latest security content

Posted on 10:37 by Unknown
My goodness - it's been over a month since I've posted my latest security content...I've been so busy writing the stuff that posting the links has gotten put on the back burner. Good problem to have! Anyway, here's my latest:

Networking to enhance your IT career

Toeing the company line – is it good or bad for your IT career?

Security and compliance can go together, when done in the right order

Making sense of regulatory compliance and data storage for SMBs

Run encryption the right way to ensure wireless network security

Free Windows security tools every admin must have

Nine common password oversights to avoid

Secure your Windows systems with proper password practices

Secure Windows XP before a Windows 7 upgrade

Essentials of static source code analysis for Web applications

Secure data destruction options for old backup tapes and disk (a piece I contributed to)

Whew...I think that's it for now!

As always, be sure to check out www.principlelogic.com/resources.html for all of my information security articles, podcasts, webcasts, screencasts, my Twitter updates, and more.
Posted in careers, compliance, data retention, encrypting data in transit, Kevin's security content, networking essentials, passwords, source code analysis, storage security, Windows, wireless security

Good info on balancing life and work

Posted on 10:04 by Unknown
It's something I work on every day - trying to balance my personal priorities with my work priorities. Being an entrepreneur and a capitalist often conflicts with the responsibilities I have at home. But I've found that it can be done if you choose to do so. Here's a good bit on balancing life and work to get you rolling. Enjoy...and have a nice, long, relaxing weekend!
Posted in success

Wednesday, 2 September 2009

Interesting flaw in Sears' Web site all too common

Posted on 10:47 by Unknown
Check out this bit about a security flaw recently revealed on Sears' Web site. As the researcher alluded to, hacking and security are way more than people exploiting known software flaws. There are so many other security issues with Web applications. I see it all the time when doing my manual analyses on Web sites/applications. The sky is the limit for these business logic vulnerabilities and I suspect it'll always be that way. I love being a consultant who performs Web security assessments - there's always something new and challenging!
Posted in security testing tools, vulnerability assessments, web application security