Tech Support For Dummies


Friday, 29 April 2011

Nikon Image Authentication vulnerability

Posted on 13:57 by Unknown
The fine folks at @Elcomsoft have discovered yet another security flaw in digital cameras. First it was Canon. This time it's Nikon - specifically Nikon's Image Authentication Software.

Elcomsoft researchers found that the way the secure image signing key is being handled in the camera is flawed. This allowed them to extract the original signing key and then produce manipulated images that appear to be legit. I could see this being a huge deal in computer forensics and expert witness work.
Posted in encryption, expert witness, forensics, passwords, stupid security | No comments

Thursday, 28 April 2011

The mobile device free-for-all dilemma

Posted on 11:16 by Unknown
From @ECIOForum, can you envision enterprises giving workers any desktop or mobile device they want to do their jobs?

I think an important follow-up question is: does it really matter?

People are going to do what they're going to do. Those of us in IT and infosec can scream No, No, No to this or that mobile device on the network at the top of our lungs, until eternity...But you know what? People are going to use them anyway. It's all a matter of how you set your network, your users and your business up for success and deal with it on the back end.
Posted in mobile security, policy enforcement, politics, security policies | No comments

Wednesday, 27 April 2011

Novell, Utah and the Libertarian Party

Posted on 12:36 by Unknown
Some new news out today was about Novell completing its sale to Attachmate. Wow, the end of an era...

Novell really does have a special place in my heart - NetWare was the first network operating system I learned, way back in the version 2.15c days. Anyone remember those? Then I moved on to v2.2, 3.12, 4.0 and then 4.1. I obtained my first IT certification - the CNE - that was all about NetWare. I even wrote/sold my own patch management application for NetWare before patch management was cool.

Another great thing about Novell was their BrainShare conference. I see that they've moved it from March to October; glad I got my skiing in when I did! Going to BrainShare every year I not only got to know NetWare like the back of my hand but I also discovered the beauty of Utah - in particular its microbreweries and its snow skiing. Absolutely lovely.

To my final point, I was having lunch with a close friend recently who shared my Novell bigotry back in the day and shares my love for limited government right now. We were talking politics and about how the Tea Party mindset consists of regular guys like him and me who are fed up with Republican and Democrat politicians alike so keenly focused on government expansion and intrusion into our lives. I told him the Tea Party mantra used to be called the Libertarian Party. The Tea Party, like Microsoft, rose out of nowhere and grabbed all the attention. I told my friend how sad it is that the Libertarian Party, like Novell, has consistently failed to market itself as a viable option and, thus, we are where we are today. Just damn.

Novell, Libertarian Party or whatever - lots of excellent products and great ideas are/were out there for the taking. Logic sales but who's buying...?
Posted in government intrusion, marketing hype, Novell, politics, scary stuff, stupid security, thinking long term | No comments

Tuesday, 26 April 2011

What's this "firewall" you speak of??

Posted on 11:56 by Unknown
It seems that #firewalls are making a comeback. Of course, I felt compelled to throw in my two cents worth so here are some new pieces I wrote for the fine folks at SearchNetworking.com on firewalls and firewall management:

Firewall change management and automation can curb human error

Do Web application firewalls complicate enterprise security strategy?

Planning a virtualization firewall strategy

Enjoy!

As always, be sure to check out www.principlelogic.com/resources.html for links to all of my information security books, articles, whitepapers, podcasts, webcasts and more.
Posted in application firewalls, compliance, firewalls, Kevin's security content, network security, pci dss | No comments

Monday, 25 April 2011

The positive side of infosec

Posted on 05:17 by Unknown
"Have you ever, even once, stopped to marvel at just how often things go right? It's amazing." -Richard Carlson

With all of the smack talk and negative approaches so many of us (myself included) take regarding IT and information security, this'll make you realize that it's not all bad. I think we could all benefit from stopping to smell the roses and seeing the bright side of our field every now and then.
Posted in great quotes, information security quotes, security leadership, thinking long term | No comments

Sunday, 24 April 2011

Tidbits on enterprise mobile security

Posted on 17:06 by Unknown
Here are some recent pieces I wrote for SearchEnterpriseDesktop.com on the subject of mobile security that you may be interested in:

Securing the new desktop: enterprise mobile devices

Security tools that can boost Windows Mobile and Windows Phone 7 security

Whole disk encryption gotchas to look out for

Enjoy!

As always, be sure to check out www.principlelogic.com/resources.html for all of my information security articles, whitepapers, podcasts, webcasts and more.
Posted in desktop management, drive encryption, Kevin's security content, laptop encryption, mobile security, smartphone security, Windows Mobile | No comments

Thursday, 21 April 2011

Amazon's cloud outage - does it change your perception of the cloud?

Posted on 14:12 by Unknown
Everyone (okay, many; especially the vendor marketing types) keeps swearing by the "cloud"...and then Amazon's EC2 goes down today. How does that affect how you view the cloud?

I've been a skeptic and I'm still a skeptic...beware the cloud bandwagon.
Posted in cloud computing, disaster recovery, incident response, stupid security, thinking long term | No comments

Wednesday, 20 April 2011

Holy Cow: Police seizing info from phones during traffic stops

Posted on 08:11 by Unknown
Here's some big time scary stuff personally and something that'll no doubt lead to big time security problems for the enterprise. Michigan State Police are copying data off of smartphones during minor traffic stops using the Cellebrite Universal Forensics Extraction Device. Images, address books, files, whatever...it's now fair game for the police (Gestapo?) in Michigan to take whatever whenever.

Is this government out of control or what!?

I know we've all but forgotten about the Constitution in this country but if this happens to me, I guarantee you they'd get nothing - I mean nothing - without probable cause and a warrant.

Yet another reason to force users to put passwords on their smartphones....Oh, and a control that wipes the phone after X number of failed password attempts.

Wow, crazy stuff...what's going to be next?
Posted in government intrusion, government regulations, scary stuff, smartphone security, stupid security | No comments

Legalese in email footers is useless

Posted on 05:23 by Unknown
Ever get annoyed by those email footers telling you what you can or cannot do with the email you just received? Yeah, me too. Here's an interesting bit from Consumer Reports that talks about how those legal disclaimers in email footers may be legally useless.

It's funny, every time I see them (they're in about 60-70% of the non-spam emails I receive) I think it's yet another representation of the American way to disclaim any personal responsibility. If anything goes awry when sending an email, it's someone else's fault.

Furthermore, as Consumer Reports mentions at the end of the article, the run-on sentences end up using more ink and paper when emails are printed...wonder what the "global warming" crowd thinks of that? Now there's an opportunity for the anti-capitalism movement that I might consider buying in to.

Anyway, however you see this issue, be sure to speak with your legal counsel first before making any rash decisions (like reconfiguring Exchange to drop these email footers once and for all). ;-)
Posted in compliance, global warming, legal, personal responsibility, stupid security | No comments

Tuesday, 19 April 2011

Learning is a choice

Posted on 13:24 by Unknown
"If your intent is to learn, you almost always do learn." - Richard Carlson

Like when we see what we want to see, we learn what we want to learn. This is important for our careers in IT and infosec but also provides a great way for us to become better people.
Posted in careers, great quotes, information security quotes, personal responsibility, security leadership, thinking long term | No comments

Coffee shop laptop thefts in Atlanta a good reminder

Posted on 04:23 by Unknown
Here's a good reason why you need to remind your employees of the risks of using laptops in coffee shops and other public places. Once the thief has it, it's all over...unless of course a brave (stupid?) coffee shop employee comes to your rescue.

A good rule of thumb is if you're setting up shop for a while then use a laptop lock to secure the system to the table. Most importantly, never, ever leave laptops unattended. I know, it does look a little goofy carrying your laptop into the john but, as in other aspects of life, substance (common sense) trumps style.
Posted in laptop encryption, laptop security, mobile security, scary stuff, stupid security, telecommuting | No comments

Monday, 18 April 2011

From each according to his ability to each according to his need

Posted on 06:42 by Unknown
I thought this Marxist/Obama philosophy was very fitting for our symbolic day today here in the U.S. The general belief that the government should decide what the people need is what's driving our country...and the world. And we wonder why we can't get out of this economic mess! The reality is that the economy cannot be taxed into prosperity but that's what the politicians want to make us believe...especially if they can play on the emotions of the non-achievers - the other 50% of income earners who pay no taxes.

Speaking of this divide, here's a good read on how if the Feds seized all of the income of the top 1% of income earners they couldn't even run the federal government for a year! How can a $980 billion tax base possibly fund a $4 trillion government budget? It can't but no one talks about that. Instead the media and its myrmidon followers just want more taxes...As with government schools, just throw more money at the problem, that'll fix it.

Folks, we don't have a taxation problem, we have a spending problem. But as Obama and the other political elite want us to believe, government is the answer to everything.

On a related note, as Art Laffer wrote today in the WSJ, there's a 30% cost markup on every dollar paid in taxes. In fact, according to his piece: "Tax compliance employs more workers than Wal-Mart, UPS, McDonald's, IBM and Citigroup combined." Amazing...Just like the data breach problem, I know without a doubt that taxation and government growth is MUCH worse - impacting so many lives in a negative way - than most people perceive it to be.

People largely want personal security over freedom. As with many information security issues people don't want to take personal responsibility for their choices and their actions. Sadly, it's the way of the world - apparently human nature...If you fall into the achiever class you've just got to figure out how to work your way through it. As for me, I can't wait to get the next two months over with so I can stop funding the government with what I earn and start keeping my own money for my own family.
Posted in data breaches, government regulations, personal responsibility, scary stuff | No comments

Friday, 15 April 2011

Be wary of the well-certified IT pro

Posted on 09:21 by Unknown
You may have read that Gartner projects IT spending to increase in 2011. It's great news that may lead to hiring new staff or at least new consultants for your IT and information security projects....Just proceed with caution and don't fall for the "I'm certified therefore I'm all you need" persona that's rampant in our industry.

There are a lot of people out there looking for work - many of whom have added one, two, perhaps five or more IT/security certifications such as CCNA and CISSP to their names over the past year. But you have to be forewarned: just because someone has passed a certification testing regimen doesn't mean he or she is going to be 1) a disciplined worker, 2) a good communicator, 3) have goals, or 4) possess that stick-to-itiveness required to succeed in IT.

Certification only goes so far. In fact, I've often found that the more certifications one has the harder he or she is "trying" to prove something to mask other deficiencies (likely the very things you're in need of). Ironically, some of the sharpest and most productive people in IT and infosec have no certifications at all.

It's a harsh reality but it is what it is. Buyer beware.
Posted in careers, certifications, personal responsibility, running a business, scary stuff | No comments

Tuesday, 12 April 2011

Have no fear and be free

Posted on 10:37 by Unknown
"The whole secret of existence is to have no fear. Never fear what will become of you, depend on no one. Only the moment you reject all help are you freed." -Buddha

This is great for personal power, personal responsibility and, of course, information security - just be careful with that "reject all help" bit. ;)
Posted in careers, great quotes, information security quotes, personal responsibility, thinking long term | No comments

Friday, 1 April 2011

Web security tidbits on developers, leadership, weak passwords & more

Posted on 18:23 by Unknown
Here are a few pieces I've written recently on Web application security you may be interested in...things that affect each and every one of us working in IT and infosec:

I wouldn’t want to be a developer these days

Don’t overlook the importance of authenticated testing

You can’t change what you tolerate

Testing for weak passwords: a common oversight without a great solution

How often should you test your web applications?

Notable changes in the PCI DSS 2.0 affecting Web application security

Enjoy!

Also, be sure to check out www.principlelogic.com/resources.html for all of my information security articles, podcasts, webcasts, screencasts and more.
Posted in automated scanner oversights, compliance, Kevin's security content, passwords, pci dss, security leadership, software development, vulnerability assessments, web application security | No comments

Time management + getting over your job title in IT

Posted on 18:12 by Unknown
Here are some IT career bits I wrote for TechTarget's SearchWinIT.com that you may be interested in:

Time management strategies for the IT pro

Your title is worthless; your value is priceless

This is the best time ever to focus on these things.

Enjoy!

Also, be sure to check out www.principlelogic.com/resources.html for all of my information security articles, podcasts, webcasts, screencasts and more.
Posted in careers, goal setting, Kevin's security content, personal responsibility, security leadership, thinking long term, time management | No comments