Owner: Information Security Short Takes
URL: http://www.shortinfosec.net
Join Date: Sat, 03 May 2008 01:47:09 -0500
Site Description: Information Security Short Takes - Exploring and sharing experience on Information Security and IT Governance aspects of Business
5 rules to Protecting Information on your Laptop (2008-05-01 14:27:00)
Business laptops are a treasure for every hacker or corporate spy. The average corporate laptop is full of business email and confidential documents, and more often than not the user of the laptop has the same passwords on the laptop as on his corporate applications and e-mail. Here is a truly bizarre example of what could happen: Lifetime of FREE BEER for Laptop.
Private laptops are also very interesting (especially those of celebrities). And yet, the security awareness of laptop owners is somewhat lacking. So here are 4 simple rules that can help you keep your laptop safe:
Do not leave a laptop unattended in areas accessible by the general public - Leaving a laptop anywhere where it can be seen and picked up by another person is a very bad idea. This includes the table in your favorite caf
Information Security and Strategy Carnival - Issue #1 (2008-05-01 01:59:00)
For the first issue of the Information Security and Strategy Carnival, I am happy to present the following texts:
Paul Wilcox at Security Manor has published three great articles on information security and data protection: The Three Things You Need To Protect Against Internet Security Risks; Keeping Children Safe On The Internet; A Brief Look At The Critical Types Of Internet Security Software.
Nathan McFeters at ZDNet revisits a very well known but still not sufficiently prevented vulnerability, SQL Injection: Developers at fault? SQL Injection attacks lead to wide-spread compromise of IIS servers.
Phil B. at Phil for Humanity writes about interface consistency in products: Google's Problem.
Jimson Lee at CRM HELP DESK SOFTWARE makes an excellent analysis of Data Breaches Set Record in 2007, Identity Theft
Hardware Security Module for Dummies (2008-04-30 08:02:00)
Following my publication of the design for Personal Data Protection in a database, I have received emails asking me to elaborate on the proper protection of Secure Keys in the infrastructure. I'll describe it through the following example:
You want to secure some information, therefore you encrypt it. The encrypted data is stored on some computer readable/writable medium. For the entire exercise to be usably fast, the actual encryption and decryption is done by a computer program residing on a general purpose computer. This program needs a decryption key in order to recover the data into a usable form.
If you need the encrypted data only for archival purposes, and access it only very infrequently, you can set up a situation where you have an isolated (non-networked) computer system in a
Application security - too much function brings problems (2008-04-29 08:45:00)
In the past 5 days I came across 3 examples which proved that too much functional complexity can backfire in terms of business competitiveness and security:
The car example - I read an AutoBild 100,000 km test of the BMW series 7. Their biggest complaint was the iDrive system (no relation to Apple). BMW's idea was that a single computer interface would replace the arrays of buttons and dials on the central console of the dashboard (from radio to suspension settings). The initial version of the iDrive system was so complex that it became a nightmare for the driver to use. The end result: a very expensive car that is difficult to use, and sometimes even dangerous, since the driver is focusing on the iDrive instead of the road.
The phone example - My 2.5-year-old son loves to play with my cell
Corporate Skype Wishlist (2008-04-24 09:56:00)
I already blogged about the things that make Skype a poor choice for a corporate environment. But, facing reality, the penetration of Skype among home users is excellent, and a whole lot of people are quite familiar with the interface and the usage. So, if there is a way to make Skype more corporation friendly, it becomes a very easy tool for employees to adopt. Now there is talk that Skype may be sold. Without knowing what the business model of the possible new owner will be, here is a wish list that would make Skype the killer of all corporate IM applications:
Enable autonomous functionality - Effectively, the organization should be able to run Skype in an autonomous mode, without contact to outside Skype servers. This would probably require integration with Active Directory or some
Rebranding a free E-mail domain - strategic blunder (2008-04-22 06:04:00)
I am using several free e-mail services, mainly for reasons of insufficient quotas. But for more than 7 years, my primary e-mail address hasn't changed. It is a free service hosted by a local telco provider, with only 100 MB quota and relatively poor spam protection. I have maintained it simply because a huge number of my contacts and registrations on different sites on the Internet are bound to this address. It is like maintaining a mobile phone number with an expensive mobile telephony provider simply because it is the number that everyone knows. Yesterday I received a memo from the telco provider that it will go through a rebranding process. This rebranding process will include the change of the domain name of the free e-mail service. All incoming emails to the original domain will still be
DHCP Security - The most overlooked service on the network (2008-04-21 04:59:00)
DHCP is a service which a lot of you use, whether you are aware of it or not. It is the service that assigns an IP address to hosts on the network when they are set up for auto configuration. This service is extremely common on large corporate networks, but with the advent of Wi-Fi in SoHo networks the DHCP service is becoming more and more present in these environments as well.
Short description of DHCP: The Dynamic Host Configuration Protocol (DHCP) automates the assignment of IP addresses, subnet masks, default gateway, and other IP parameters. The DHCP protocol operates at the MAC sublayer of the Data-Link layer of the TCP/IP protocol stack. The only distinguishable identifier of the client computers at this level is the network interface MAC address. When a DHCP client connects to
Reminder - Information Security and Strategy Carnival (2008-04-21 01:38:00)
Reminder - only 4 more days to submit your blog post to the Information Security and Strategy Carnival. Please submit posts on the following topics: information strategy, information security, network security, database security, data security, vulnerability analysis, penetration testing. The carnival will be published on the 1st day of every month. We will accept only original texts which present a strategic opinion, a review of an event or product, or a HowTo on a relevant topic. Please send submissions by the 25th of each month to e-mail: shortinfosec _at_ gmail dot com, or submit them through the Blog Carnival Web Portal.
The Cost of Datacenter Physical Security Blueprint (2008-04-20 15:47:00)
I have received a couple of e-mails about the Datacenter Physical Security Blueprint with comments that my blueprint is too movie-like, and that it is way too costly to implement. So I did a little shopping around, and requested budget prices for every element of my Blueprint (budget prices are usually higher than purchase prices, since they are non-obligating quotes for budget estimation). Here is the math. All prices are in US dollars.
Security equipment:
9 CCTV cameras with infrared sensors - 130$ a piece = 1,170$
8 Glass break sensors - 45$ a piece = 360$
8 Motion Sensors - 30$ a piece = 240$
4 KeyCard readers (with combined electronic/mechanical lock and open/closed status sensor) - 150$ a piece = 600$
2 KeyCard readers with Keypad (with combined electronic/mechanical lock and open/closed s
Datacenter Physical Security Blueprint (2008-04-18 09:11:00)
A very important aspect of Information Security is physical security. A significant number of security incidents are found to have been performed by exploiting some vulnerability of the physical security. So, here is a set of rules to create a blueprint of physical security for the IT department and data center of a company.
The system room must not have windows. Ideally, it should be in the center of the building.
All equipment that is not in use must be stored in dedicated storage space, away from the production environment.
All high security spaces should be monitored by CCTV cameras.
Access control zones must be implemented, to create a security barrier as well as provide a log of access activities. These are created by doors opened by electronic key cards or multiple-factor authentication.
All windows should
Secure data transfer - HOWTO for a poor man (2008-04-16 10:04:00)
Today I had an interesting requirement for security of data transfer between organizations. The manager giving the request boiled his specs down to one essential requirement: maximum security at minimal cost. The solution that we came up with may help a few out there, so here goes.
The criteria of the request are as follows:
All communication will be established through cheap internet links
Maximum possible security in transit must be achieved
Guaranteed security, non-repudiation and integrity of individual information must be achieved
Minimal cost (licenses, equipment, training)
Minimal modification to operational infrastructure
A network designer's first choice is to go with the proven concept:
IPSEC VPN for the end-to-end encryption
Digital Certificates issued by an authorized PKI Infrastructure for signing and e
Tutorial: Making a Web Server (2008-04-11 08:54:00)
I was contacted by several readers of my previous post, Creating Your Own Web Server, with comments that it's lacking an actual tutorial on how to create the web server. Again, I am very wary of creating a tutorial that will favor only one web server or platform, so I am including a generic checklist that covers the creation of any web server, regardless of platform.
STEP 0 - Find a computer that will become the web server. For exercise purposes, an older PC lying around or a Virtual Machine is more than sufficient.
STEP 1 - Install an operating system on the designated Web Server computer. Operating System Elements - Minimize the number of other services. If possible, avoid a GUI installation, and leave only the Web server service and the secure remote management service of your choice (NOT
5 Rules to Home Wi-Fi Security (2008-04-10 04:57:00)
The philosophy of security is to strike the delicate balance between cost of protection and usability. Making something very secure is very expensive, but making something very usable means that the bad guys can use it too. The same philosophy goes for a hacker attack - the cost of the attack should always be less than the value of the prize. Here are 5 rules that maintain a very reasonable level of usefulness of a home Wi-Fi network, while increasing the cost of an attack to the hacker beyond the value of the prize.
Always choose a non-default, non-broadcasting SSID - this will not stop a more capable attacker, but it will avoid a good number of script-kiddies. A good name is one which contains both letters and numbers, and cannot be deduced from the personal info of the owner of the network.
Alwa
Creating Your Own Web Server (2008-04-07 09:00:00)
I got a question: What do I need to create my own web server? At first it seemed like a very curious and redundant question, since web hosting is already quite mature, and there is a wealth of both free and commercial web hosting services to choose from. But I am compelled to follow through on this topic, since my beginnings are in an ISP, and there are still a number of good reasons to have your own web server. First, a short definition: In the simplest form, a web server is nothing more than a program running on a computer, which accepts requests via the HTTP protocol and returns the requested web content (HTML, javascript, flash, video, audio...) to the requesting browser for rendering. More often than not, part of this content is kept in a database. So in essence, all you need to run a
Information Security and Strategy Carnival (2008-04-07 02:01:00)
I am proud to announce that the ShortInfoSec Blog will be hosting a regular carnival on the following topics: information strategy, information security, network security, database security, data security, vulnerability analysis, penetration testing. The carnival will be published on the 1st day of every month. We will accept only original texts which present a strategic opinion, a review of an event or product, or a HowTo on a relevant topic. Please send submissions by the 25th of each month to e-mail: shortinfosec _at_ gmail dot com, or submit them through the Blog Carnival Web Portal.
Security risks and measures in software development (2008-04-05 15:32:00)
Following up on my post about security challenges in software development, I would like to present the risks that arise from these challenges, as well as a short introduction to the preventive measures that mitigate such risks.
Product related risks
Security flaws of the deliverable product – the most feared of risks, and usually the one with the most dire consequences. The product is THE principal source of reputation and income for the company. At the same time, the product is the tool that a customer uses to manage his information and data. A security flaw in the delivered product can result in loss of integrity, confidentiality or availability of the customer’s information. Any one of these results would mean loss of the client, loss of reputation and even legal action against the development company. Sec
Security challenges in software development (2008-04-04 10:28:00)
The time I spent at Medic ACME gave me an insight into the workings of a rising software development company. All the items I am presenting here have already been presented to the Medic ACME management, as Pro Bono work on my other engagement. So, with their consent, I would like to present my conclusions. In the rush to achieve a good brand and reach the heights of profitability, any typical software development company has the following characteristics:
Get things done mentality – “This will be the largest contract in the history of our company. We must be prepared to deliver in 2 weeks/2 months. So get it working ASAP.” A variant of this monologue is very frequent in most software development companies. Anyone telling you different is either lying, or not working as a developer for a li
Personal Data Protection - Anonymizing John Doe (2008-04-04 05:27:00)
I got invited to attend a strategic meeting at a company specializing in medical software (for the sake of confidentiality, let's call them Medic ACME). Medic ACME needed a strategic position on the requirements presented by a customer for very stringent data protection. According to the presented requirements, the customer wants all patients' history in a common database, but insists on minimizing the possibility of a leak of confidential medical histories. The requirements are as follows:
Their general staff (non-MD) must track all procedures and all diagnoses for logistical purposes, but should not see the names, SSNs and addresses of the patients corresponding to the diagnoses.
IT personnel should have no access to patient personal data (names, SSNs and addresses of patients) even if they dump
9 Things to watch out for in an SLA (2008-04-03 02:24:00)
I wasn't planning to touch the issue of the Service Level Agreement (SLA) for some time, but it appears that the incident report (Link to Blog Post) has stirred attention that merits a post on the subject. As I already mentioned, it is a very frequent occurrence that the SLA is just an afterthought when preparing a contract, and that the buyer is usually waiting for the supplier to produce the SLA agreement. Of course, this leads to the situation in which the SLA actually protects the supplier, not the buyer. So here are the items one must do to achieve at least a reasonable, if not good, SLA:
Remember that any SLA is open for negotiation, but only at the initial purchase - although the supplier may propose a very rigid position on the SLA (especially common in large companies), the SLA is part of the
Why don't you like my network? (2008-04-02 06:22:00)
I have a great respect for network admins. It is their job to get the traffic from A to B, as fast as possible, and to do this while new requests for connectivity are piling up. I also have great confidence in them; they do their job reliably and efficiently. However, in the past weeks I have had the opportunity to review certain relatively large networks, and found all of them lacking in one aspect or another. And always when I express my reservations, the network admin(s) asked the aforementioned question: Why don't you like my network? Of course, it is only natural to be proud of your work and not accept criticism of it very well. Here are the top reasons why the responsible network engineer should permit a friendly but unbiased outsider to have a view of the network once in a while
The SLA Lesson: software bug blues (2008-04-02 05:43:00)
I have been hugely busy in the past weeks with several projects, so the blogging got stuck... I will try to avoid this in the future. Now back to my latest experience. Part of every Information Security Management System is the incident management process. It is a process in which the company identifies a problem which is occurring or has occurred, and performs steps to contain it, minimize the impact, identify the root cause and take measures to prevent the incident from recurring. The incident in question is the dreaded application blocking - a company of 1000 employees uses a custom made, fully integrated CRM/ERP system, which exhibited complete or partial non-responsiveness of several minutes for a period of nearly two hours. This situation was identified at several departments, while the res
Web Site that is not Easy to hack - Part 2 HOWTO - the web site attacks (2008-03-04 06:07:00)
The second part of the Web server protection will focus on common Web site hacking methods. Since there are so many of them, this will be a several-post job, but one has to start somewhere.
Attack name - SQL Injection
Description - SQL Injection is a type of attack whose goal is to create a custom SQL query by inserting SQL commands into fields on the web site. It is a very common web engine design that the content of an input field directly becomes part of the backend SQL statement. For example, the input field is named UserNameField, and the SQL statement is "SELECT * FROM Customers WHERE name = '" + UserNameField + "';"
An attacker places the following string in the input field: a' or '1'='1
The resulting statement will become "SELECT * FROM Customers WHERE name = 'a' or '1'='1';"
It proba
Web Site that is not that easy to hack - Part 1 HOWTO - the bare necessities (2008-02-27 02:35:00)
What needs to be understood is that no one can achieve all the protection needed for a fully safe web site. Such a site is offline, on a powered-off web server in a closed and locked room in the basement. On the other hand, several options are available to a prospective webmaster to own a web site that is reasonably safe from hackers. Software protection measures will be discussed separately. For now, let's focus on things that do not need special knowledge on the user's side.
Use an off the shelf product for the web engine - preferably an open source one. These products are very fast to develop functionality as well as to patch vulnerabilities, simply because they are open to public scrutiny.
Upon installation of the web engine, remove all installation scripts contained within it - they are
Is Skype a good Corporate Tool? (2008-02-26 05:51:00)
The new age of information technology is strong in all corporations, and people understand that there are fast and easy methods of communication that haven't been available before. One of the most modern is the Instant Messaging tool, in any form possible. And the most popular form of the day is Skype. Furthermore, modern corporate employees view the ability to use Skype at work as their constitutional right, not a corporate privilege. But let's observe the pitfalls of Skype usage in corporate communication:
Skype is designed to be an Internet communication tool - This means that each Skype client MUST connect to a SuperNode somewhere on the internet.
The Skype protocol is designed to enable communication between users via possibly blocking paths. It does this by using SuperNodes and Rou
Update: Recover the PC from Vista Stuck on Configuring Updates (2008-02-15 07:01:00)
While my first priority was to recover the data from the laptop, I also looked into the actual machine recovery. I was able to boot into Vista System Recovery Options from the Vista DVD, and chose System Restore. Amazingly, Vista was responsible enough to create restore points before installing the updates that sent it crashing. So I chose the restore point before the installation of the updates, waited about 10 minutes, rebooted when System Restore asked me to, and voila, a living and breathing Vista :) Although I am an advocate of secure computing, it seems that in this case an automatic Windows update caused all the trouble. The user didn't even see the installation, which added to the panic of a failing system and lost data. In this respect, I would recommend to the users to c
TrueCrypt Full Disk Encryption Review (2008-05-02 09:33:00)
My post 5 rules to Protecting Information on your Laptop finished with a recommendation to encrypt your hard drive. Today I am following up with a review of the TrueCrypt tool for full Disk Encryption. The review is performed on a VMware Virtual Machine with the following configuration:
1.6 GHz Core2 CPU, one CPU core active in the VM
256 MB of RAM allocated, fully allocated to RAM (no swap)
8 GB of disk drive simulated in a file
USB
No FDD
Windows XP Pro SP2 operating system
As you can see, it is a relatively slow machine by today's standard of laptops, but this is on purpose, since the idea is to conclude whether this configuration is usable with an encrypted drive.
Encryption: The installation of TrueCrypt is very straightforward, and even the most inexperienced users should have no probl
Caveats of strong perimeter security (2008-05-08 09:18:00)
Having perimeter security is one of the imperatives of a well implemented information security policy. But having perimeter security that is too strong can also backfire, and create a security hole of which the organization is rarely aware. The US customs officers have the right to search and copy all electronic devices if they deem the traveller suspicious. The Washington Post did a great text on US border security. Here I would like to include my favorite quote from Leon, the scene of the Fat Man assassination: "Somebody's coming up. Somebody serious." I can guarantee that this method will yield nothing on an expert attacker. Since the US customs started the laptop searches, a lot of companies require their employees to wipe their laptops prior to travel to the US, and to use VPN to access con
CEO's View on IT Outsourcing (2008-05-09 14:40:00)
In the past weeks I heard two CEOs from different companies state the fact that having an in-house IT department is a large burden for them. I consider that to be ample reason to investigate the managerial view of outsourcing. I come from an engineering, IT focused background. In the engineering world the prevailing mentality is: "why let someone else do something, when I can do it myself". But this is
8 Tips for Securing from the Security experts (2008-05-13 07:57:00)
Most companies have stringent security procedures. And in most companies, the security experts are usually exempt from these procedures in some way, under the pretext that this is needed in order for them to do their job as easily as possible. It must be understood that these experts are not superhuman or super honest, and restrictions also need to apply to them. This post is triggered by a recent ar
8 Golden Rules of Change Management (2008-05-13 03:30:00)
Regardless of the size and complexity of the infrastructure you are running, it is always very important to have an established process of change management for your resources. If you fail to establish or enforce such a process, errors will inevitably start to creep in, but will largely go unnoticed until something bad happens.
The example: A small company I visited yesterday is running several high profile