Tech Support For Dummies


Monday, 28 June 2010

Secure your home Wi-Fi or forever hold your peace

Posted on 09:40 by Unknown
Google has provided us with yet another reason to keep our home wireless networks secure. Speaking of that, in case you're wondering where things stand, here's a great tool for finding out just how vulnerable your wireless network utilizing WEP and WPA-PSK can be.

Our society's continued privacy invasion never ceases to amaze me. And we, by and large (especially with Google), just blow it off and move on.
Posted in privacy, scary stuff, stupid security, wireless security

Mobile security problems & solutions: our podcast from Gartner

Posted on 07:23 by Unknown
Eric Green has put together a very-well produced podcast from last week's Gartner conference where Larry Ponemon, Stan Gatewood, and I discussed mobile security risks and metrics on the show floor.

Also, check out Eric's other podcasts on his site...very sharp guy.
Posted in laptop security, metrics, mobile security, podcasts, risk analysis

Thursday, 24 June 2010

Responsibility & action come from individuals not government

Posted on 05:08 by Unknown
Being in DC and Chicago this week watching local news and observing all the bumper sticker slogans reminds me of the saddening enormity of how all this change we can believe in is impacting our country and the future of our families. The thing that stands out the most is the lack of personal responsibility and the dependence on government to handle all our woes - both in our personal lives and as it relates to information security. It's always someone else's problem....and the government can come to everyone's "rescue" such as Joe Lieberman's ridiculous "Cybersecurity (Government Growth) Bill". [I haven't even gotten started on this...more to come].

Well, I was reading in USA Today today about how locals in Orange Beach, AL are NOT waiting on Obama or BP to protect their coastline. Instead, the local government hired engineers themselves to fix the problem. And it's working! You've got to read the story. It's very inspiring and it shows that there is hope in mankind - like these people who take the initiative to fix what's happening in their area. No big government needed to do that.
Posted in cybersecurity bill, government regulations, PCNAA, personal responsibility

Wednesday, 23 June 2010

Dario Franchitti and I

Posted on 14:11 by Unknown
As many of you know I'm a motorsports nut - both as a driver and a fan. This provided the influence for my Security On Wheels logo. Well, after my speaking session at Gartner yesterday I headed out of DC early this morning. Unfortunately, we had a long flight delay heading over to Chicago where I'm taking a class, but the wait and the hassle were worthwhile. I got to meet and briefly chat with Indy Car driver Dario Franchitti (this year's Indy 500 winner and super nice guy) at O'Hare:
I've had the pleasure of meeting Bob Varsha, now Dario. Who will I run into next? I'm kinda hoping for Scott Pruett or Michael Schumacher. :-)
Posted in message from Kevin

Sunday, 20 June 2010

Like Metasploit? You've gotta check out Metasploit Express.

Posted on 05:01 by Unknown
Here's a piece I just wrote for SearchEnterpriseDesktop.com where I talk about Rapid7's new Metasploit Express. It has its kinks and was a bit finicky to use but Metasploit Express will no doubt provide a breath of fresh air for pen testers - and now, less technical auditors - all around.
Posted in cool products, ethical hacking, penetration testing, security testing tools

Thursday, 17 June 2010

Ethical hacking and Windows

Posted on 07:40 by Unknown
I recently recorded a podcast with my esteemed editor at SearchWindowsServer.com, Brendan Cournoyer, where we talked about ethical hacking, finding the things that matter in your environment, testing tools and my new book Hacking For Dummies, 3rd edition. Check it out:

How ethical hacking fits into Windows security tests
Posted in ethical hacking, Kevin's security content, penetration testing, Windows Vista

Looking under the hood of the new OWASP Top 10 for 2010

Posted on 05:55 by Unknown
While I'm on a roll posting some recent content I thought I'd list this one as well:

The new OWASP Top 10 for 2010 – Risk and Realities

In this piece I wrote for Acunetix's blog I talk about what the new OWASP Top 10 for 2010 is about, what it's not, and some considerations for leveraging it to help you minimize your business risks.
Posted in Kevin's security content, owasp, risk analysis, web application security

Using Windows 7's virtual machine for security testing

Posted on 05:48 by Unknown
Outside of those executives who have their heads in the sand over security, there's hardly anything that can keep you from getting your work done more than a Windows system junked up with a bunch of security testing tools.

Well, if VMware or VirtualBox haven't been a good fit, perhaps Windows XP Mode in Windows 7 will be. It's a cheap and seamless way to run your security testing tools in an isolated environment while maintaining the integrity of your host computer. Check out this piece I wrote for SearchEnterpriseDesktop.com:

Using Windows XP Mode for security testing in Windows 7
Posted in Kevin's security content, penetration testing, security testing tools, virtual machine security, Windows 7

Got Domino? Don't forget about security.

Posted on 05:30 by Unknown
Like Novell NetWare, there's plenty of Domino still running out there so we certainly can't be lax on security for that platform. Here are a couple of pieces I wrote regarding Domino security that you may be interested in:

Domino security vulnerabilities to watch for

Getting started with hardening Domino
Posted in domino, Kevin's security content, web application security

Wednesday, 16 June 2010

Data Protection and Compliance in Complex Environments

Posted on 06:15 by Unknown
Here's a new guide I just completed aimed at C-level information protection professionals:
The three CREDANT-sponsored pieces cover:
  1. Primary Concerns of Regulatory Compliance and Data Classification
  2. Finding, Classifying and Assessing Data in the Enterprise
  3. Data Protection Reporting and Follow up
Simply click the image above or browse to Realtime Publisher's landing page for this CSO Executive Series and download from there.

By the way, Realtime has a ton of free content practically anyone in our field can benefit from. Check out the other stuff they have while you're on the site.
Posted in compliance, data protection, Kevin's security content, metrics, security management

Should Windows users have full admin rights?

Posted on 06:02 by Unknown
Here's a piece I wrote recently for SearchWinIT.com where I cover the never-ending debate about whether or not users should have administrative rights on their computers:

Should Windows users have full administrative rights?

If you have additional insight, please let me/us know. It's something every business can benefit from.
Posted in malware, policy enforcement, Windows, windows security

Tuesday, 15 June 2010

Oil rigs now, Internet later?

Posted on 14:25 by Unknown
Obama shuts down oil rigs - $330 million in lost wages per month. What's going to happen when he shuts down the Internet?

Who gave this guy such power!?

...elections have consequences.
Posted in government regulations, stupid security

Monday, 14 June 2010

Survival of the weakest?

Posted on 08:21 by Unknown
I just heard Neal Boortz discussing this Wall Street Journal piece about how people with the least amount of economic knowledge are making all the rules in America right now. Very interesting insight.

Totally reminds me of management and other non-technical people making all the rules for information security and privacy.

Something's backwards here folks. Why is it the tail wags the dog in so many critical situations such as these affecting so many people long term? Is there some sort of reverse Darwinism at work?
Posted in government regulations, stupid security

Thursday, 10 June 2010

iPad "breach" - another sensationalistic Web flaw

Posted on 11:48 by Unknown
NewsFactor has a nice piece on the recent AT&T iPad "breach" that tells the story of how a code on AT&T's site was cracked exposing email addresses of iPad users. So, some criminals gleaned some email addresses from a telecom provider...In the grand scheme of things: big deal.

I agree with Sophos' Paul Ducklin - I think this is being overblown...just like the sensationalism brought forth by my recent bit on CSRF.

Sure, it's an exploit and shame on AT&T for not finding it before someone else did. But, in the end, it's about priorities and level of exposure - you know, all that boring behind the scenes stuff that no one bothers to mention.
Posted in csrf, stupid security, web application security

Monday, 7 June 2010

Oil and infosec, a marriage made in heaven?

Posted on 13:20 by Unknown
Here's a funny - and ironic - pic a friend of mine just forwarded me.
Need I say more?

Also, I have on my desk the March 8, 2010 edition of InformationWeek (great mag by the way) that has BP as its cover story. A call out quote says:

"Two years ago, BP CEO Tony Hayward laid some very tough love on his 500 top managers. Despite revenue of about $300 billion, the energy company had become "a serial underperformer" that had "promised a lot but not delivered very much." Here's how CIO Dana Deasy responded."

Promise a lot and not deliver very much - the security mantra of all too many businesses!

I'm sure Obama and his government minions will be able to fix it all. Seriously, I hope someone does. This oil mess is a pretty big blow to Newt Gingrich's Drill Here Drill Now Pay Less that I was so pumped up about. Really a cruddy situation all around.
Posted in government regulations, information security quotes, security management, stupid security