Sometimes I don’t know whether or not to worry about these. I know it can be a problem, but it very rarely seems to turn into much.
Vet
When will people ever learn? I find the following statement dubious at best:
“The application was running on a temporary license,” the Fidelity spokeswoman said. “The license has expired. Since the expiration of the license, the scrambled data would be difficult to interpret, and generally unusable.”
Sounds like a lie written up for the media’s benefit. More than likely the laptop has been wiped and sold to buy some crack, but you never know. That laptop should have been totally encrypted, at the very least. At the most, figure out a way NOT to carry sensitive employee data on a portable, easily stolen laptop! With Internet availability today, when would you need to pack that much info on a laptop? I am assuming that this was a demo or benefits type of event for HP, but I really don’t know when or where HP would not have an Internet connection available. I would think Fidelity has a secure site to connect to for the needed information.
Oh well. They didn’t ask me.
Vet
OK, I haven’t posted in a while, and I am writing this to say that I won’t be posting much (if at all) for the next month. I am working on a DR test for April, and it is with a brand new environment, so it is killing me. Plus I have to have the Risk Assessment report reviewed this week, and I have to meet with one of the assessors to go over some other stuff, then I have to finish creating a security awareness powerpoint and video. Crazy. Anyway, I’ll post when I can, but I don’t have a lot of time right now to look at mags, newsletters, blogs, etc.
I’ll be back when I can.
Vet
Thought this was pretty good.
Vet
Go see this if you haven’t already.
The gist is that Symantec has dropped its lawsuit against Hotbar and has changed the recommended action when Hotbar is detected on your computer.
Excerpt: “Symantec acknowledged that although its security software will continue to detect Hotbar’s products as adware, it has changed the recommendation it gives to customers. Previously, Symantec recommended that users delete Hotbar; now, says Symantec, it’s reclassified Hotbar’s toolbars as “low-risk” and recommends that users ignore the software and let it be.”
No big surprise. This is one flaw with these large companies offering these types of security products. They are just too political. It is why I continue to use Spybot at work and at home, even though I am also using products from CA (home) and Symantec (work).
I don’t know much about Ben Edelman, but read this excerpt:
“They just don’t get it. Whether software gets consent from users to install isn’t the only thing they should be looking at.” He questioned whether users of Hotbar understood they would get pop-up, pop-under, and auto-opening ads when they consented to the installation, and criticized the company for targeting kids with come-ons to download and install their toolbars.
“Children may be less able to assess the merits of an Hotbar offer,” Edelman wrote on his Web site in an analysis of Hotbar done last May. “[They're] less able to determine whether Hotbar software is a good value, less likely to realize the privacy and other consequences of installing such software, less inclined to examine a lengthy license agreement.”
Thank you, Mr. Edelman. In fact, children cannot enter into binding contracts. Correct me if I am wrong, but it is illegal even if they click a link that says they are 18.
Vet
RIM settles. Wow. $612.5 million. Still think NTP are a bunch of crooks, but it’s legal. Shouldn’t be, but it is.
Vet

http://www.us-cert.gov/cas/techalerts/TA06-062A.html
You want to be mainstream? This is what you get. This just cracks me up…
Vet
I ran across this article, and I thought it really pointed out what I talked about in my last post. I am up to my eyeballs in work this week, so I don’t have time to really go into this now, but I wanted to post it.
Vet
I ran across an online article at SC Magazine this morning. This is one trend I forgot to mention in my RSA post. There is a definite trend of hackers being hired by organized crime and targeting specific institutions for monetary gain. This has been a trend for at least the last year. It looks like, at least for now, the days of major outbreaks from new email worms are slowing way down. They are hitting very specific targets, and they are hitting them hard.
I am not a doomsayer or a fearmonger who preys on people’s anxiety to sell anything. So I am speaking truth when I say I believe this is more threatening to the very fabric of our economy than anything I have seen thus far, and it has me worried.
I was at this particular session at RSA, and I enjoyed it tremendously. David Perry, global director of education for Trend Micro, was very entertaining, and he was very well versed in malware history.
I heard the following statement that the reporter quoted: “Now organized crime is making more money from internet crime than they are from drugs.” There is something the author of this article did not point out, but I’m not sure if we should take hope from it or not. During the question phase, someone from the audience (if I recall correctly, he seemed to have some rapport with Mr. Perry) challenged his assertion in the quote by pointing out some fairly specific numbers of drug trade dollars. Mr. Perry backed away from the statement when faced with this, but it did not seem like a direct challenge or hostile exchange, so I never fully grasped the effect of the episode. It has been a couple of weeks since the conference, so I am sorry that I can’t recall the exchange more vividly. But it sparked my interest, and it seemed to be a glaring hole in the article.
Vet
I want to give some insight on what I plan on doing with this blog. First, I plan on writing about current events in security, like the AOL / Goodmail issue that my last entry discussed. Second, I plan on giving some practical advice about security. I will probably be learning as much from you and your comments as you do from my posts. That is what I want - a place of learning and mutual respect.
Having said that, I will lay down some ground rules:
OK, that’s my soap-box rant. I look forward to people coming in and smacking my opinions around.
Vet
Many of you have probably heard about the Goodmail scandal at AOL. Basically, they are trying to implement a system where people / organizations can pay to get better email service. Some people may not sum it up that way, but that is essentially what it comes down to.
Now, I am a security person, so I am paid to be paranoid. That means I am essentially skeptical of anything I hear and read (I know, it is sad, but it is something life has taught me, and it makes for good security as well). In other words, I should have been born in Missouri (leave a comment if you don’t know what that means). That also means that when I see sites popping up like http://www.dearaol.com/, which is slamming AOL for this whole thing, I don’t take their word as truth (believe me, my inclination is to jump on the “stomp on AOL” bandwagon - the initial proposal by AOL made my hackles rise REAL high).
But, in the interest of fairness, justice, the American Way, etc., etc., etc., I have decided to do some more digging. I went to AOL’s site, but there was nothing immediately apparent that was discussing this. So, I went to Goodmail’s site. They have a “Get the Facts” page at http://www.goodmailsystems.com/certifiedmail/index.php. Again, I am cynical, so I can’t take this page at face value either. But I have to say that much of their argument is sound. From what I can see on the page, they have stringent criteria for getting certified. Those are located at http://www.goodmailsystems.com/senders/qualifications.php.
Even with these two sites, their FAQ pages, and many arguments from many people, I have not completely made up my mind on this. As an argument against AOL, I can see phishers duplicating this certified insignia and putting it in their emails, so it might actually make phishing more effective. And with the advent of spear phishing, this could really get dangerous. However, I am not as concerned that AOL might make a business decision to not keep anti-spam, etc. up to date for your general user. I can see the fallout if they at all slack on this, especially since this uproar has risen. Also, there is an argument that this will make some people have a “non-guaranteed” email system. OK. Since when has email been guaranteed? Just because a provider says it doesn’t mean it is so. Anyone with half a technical brain knows the Internet itself is not guaranteed, much less email to your grandma. Sheesh.
Anyway, I can’t just sit back and start arguing, fuming, and screaming like so many are doing. I am not saying http://www.dearaol.com/ is doing this. What I am saying is don’t make a knee-jerk reaction. Take a look and make an informed decision. Don’t read troll comments. If you still come down against AOL, then so be it. If not, so be it. Just don’t be ignorant.
Vet