Kevin Beaver's Security On Wheels Blog

$25 billion for information security gaffes?

2008-07-23T15:21:00.005-04:00

What if the government could come running to protect us every time we or one of our colleagues made a bad security decision - intentional or not? Imagine:

setting an Allow All rule in your firewall
making all of your databases accessible via the Internet
revoking any and all password policies
never testing your systems for vulnerabilities

....or,

avoiding data backups because, well, you just can...

Everything we do in life - every choice we make has consequences (well, almost)...Make a dumb mistake with information security and really bad things can happen: people have their identities stolen, employees get fired, businesses get fined - even entire companies go away. But make a dumb mistake by buying more house than you can afford or lending money to people who aren't qualified and you get rewarded. Wow...

Well, I guess I was right in my other post about the housing bailout. This time it's "only" $25 billion that the U.S. Taxpayers are having to fork over to bail out Fannie Mae and Freddie Mac - two agencies the government itself created...but what the heck. That's what this country's all about anyway: punish achievement and reward failure.

Funny how the politicians want to impose all these information security laws and regulations all the while they ignore the basic Rule of Law themselves. Shame on our so-called leaders.

Got a kick out of this "Worry-Free Online Ordering" policy

2008-07-23T15:12:00.003-04:00

I just stumbled across this "worry-free" policy located on an e-commerce site. Very cute...yet sad that a lot of people think SSL and "trust seals" are all that's needed to secure sensitive information in Web apps.

***
Your information is safe with us.
SOME~ONLINE~STORE ensures your safety and security by employing the highest level internet security system available. All information you provide us via this web site is encrypted using an SSL (Secured Sockets Layer) connection making it inaccessible to unauthorized persons. For more details, simply click the "Entrust® Secured" internet trust seal located in the bottom left corner of every page.
***

So, is my information safe with you or just on it's way to you? ;-)

Video resume?

2008-07-21T16:10:00.001-04:00

I actually think this is a pretty good idea. We have the technology...why not use it to stand out?

Video resume nice, but probably won't land you CIO job

What's wrong with this picture...Circuit City?

2008-07-21T10:55:00.005-04:00

I just stumbled across this "file sharing" site featuring my book Hacking For Dummies...for free download of course. I know, I know, they're not doing anything illegal - they're just providing a way for people to share files. Yeah right. The interesting thing I noted was the "legitimate" companies advertising on the site. WOW...I'm sure the executives at Circuit City would be so proud to know that they're helping sponsor criminal - I mean legitimate file sharing - activity.

I wonder if someone in marketing at Circuit City was doing some illicit (I mean legitimate) surfing at work, came across this site, and clicked the "Advertise Here" link. I'm sure their IT folks had a security policy against this type of computer usage.

Just damn. I think I'll write Circuit City a letter.

You can't control this "file sharing"...It's the "free" market after all, right? Capitalism at its worst? In the end these people doing this stuff have to live with themselves and their actions.

Do you provide 'decent' customer service?

2008-07-21T05:55:00.001-04:00

I've experienced two things in the past week that have reminded me that it doesn't take much to really tick off your customers with bad customer (no) service.

1) I ordered some automotive parts 2 weeks ago. Needed them by this past weekend. Never received them. The vendor claimed that UPS lost the package...come to find out the package was apparently addressed to someone else. [don't know for sure since I still haven't received it!]. Lots of finger pointing and nothing that could be done. Not even the willingness to overnight me what I needed. I didn't ask for any of these problems yet I'm the one that had to deal with someone else's issues.

2) Took my new vehicle in for warranty service at CarMax - you know the people with the motto "The way car buying should be." Told them the exact issues and the exact solutions. The first issue they didn't trust what I was telling them. Said that the dealer would have to diagnose it. Got a call later that day from the service advisor telling me the dealer said I should come work for them...I knew exactly what the problem was. Uh, yeah, that's why I told them in the first place. It only took me 3 minutes to find the problem/solution on the Web. With the second problem, they said they fixed it. They didn't. I now have to take it back and waste at least 2 hours of my time dropping it off and picking it up.

Moral of the story:
If you want to really stand out in your business, it's simple: do what's expected. You don't even have to go above and beyond these days...just do the basics. Sad but true.

My security content from this week

2008-07-18T15:44:00.005-04:00

OK, we're back into the swing of things. Here are two information security articles of mine that were published this week:

AJAX Security - Is anyone listening?

Cross-site Scripting 102 - How it actually works

And here's a recent podcast as well:
The latest on convergence and network standards

As always, for my past information security content be sure to check out www.principlelogic.com/resources.html.

Enjoy!

Crack the darn password!

2008-07-18T12:10:00.004-04:00

Here's an interesting story about a network admin working for the city of San Francisco who's refusing to give up a password. He won't give it up, then why not just crack it? It's probably a shared password anyway quite possibly stored/used somewhere else on his computer. There are TONS of password cracking tools out there by Elcomsoft and others. This could be an easy task.

Our government at work...

Great quote to think about over the weekend

2008-07-18T10:57:00.004-04:00

Remember the Law of Attraction that says we become and achieve what we think about the most? Here's a bit about the one thing - tenacity - that will help you keep driving for what you want in your information security career:

"Let me tell you the secret that has led me to my goal. My strength lies solely in my tenacity." - Louis Pasteur

Do your users do online banking at work?

2008-07-16T15:55:00.000-04:00

Here's a good reason to not do online banking at work or an untrusted computer. When there's a will there's a way...this is why we'll always have work to do in this field.

The key to moving up and career success

2008-07-16T12:29:00.003-04:00

Here's a little snippet I thought of when developing my latest audio program - Certifications, Degrees, or Experience - What's Best for Your Security Career?. I thought it'd make for a good blog post.

Working in the field of information security, never ever forget that you get paid for what you do and contribute to your employer - not for the letters and acronyms that come after your name in your email signature or on your business card. I think security certifications and college degrees CAN benefit you IF you really make the best of it. But there's more to the story...

Click here and here to get some more insight.

Good news and bad news about Webroot

2008-07-15T08:19:00.003-04:00

The good news:
I finally gotten so fed up with my previous bloatware anti-virus product (I was a 15+ year loyal customer) that I had to move on to something leaner and meaner. I chose Webroot's Spy Sweeper with Anti-Virus. It has received good ratings over the years from PC Magazine and seems to work pretty well. PLUS, I can actually use my computer now without tons of hang-ups and delays. What a concept...

The bad news:
The founder of Webroot, Steven Thomas, (who subsequently sold the business) was found dead two days ago in Hawaii. Awful situation.

Can you imagine a 4-day work week?

2008-07-14T13:47:00.005-04:00

The state of Utah is calling for businesses to adopt a 4-day work week. Not a bad idea. *IF* something like this were put in place, employers would save on operational costs and employees can save on gas. And morale goes up too. A win-win. But can you imagine those controlling and ignorant managers!?....Woooweee. What would THEY DO if their employees were allowed to work from home...

Control - it's a good thing and a bad thing - it all depends on the intent.

My security content from this week

2008-07-12T09:35:00.002-04:00

...well, there is none. Two weeks in a row! I have written several articles recently, though, that will be published soon.

BTW, sorry for being out of touch recently. Vacation and playing catch-up has set me back a bit!

Until later...

Interesting stats from Information Security Breaches Survey 2008

2008-07-08T09:03:00.004-04:00

First of all, for those of you reading this in the U.S., welcome back from the 4th of July holiday!

I just came across some statistics in the U.K.-based Information Security Breaches Survey 2008 that provides some insight and clarity into why we still (and always will) have security breaches:

98% of respondents scan for spyware...55% have a documented security policy.
97% filter for spam...40% provide security awareness training.
Only 6% have suffered a confidentiality breach...as far as they know.
52% do NOT carry out formal risk assessments...while 81% believe their board believes security a high or very high priority. Ha!
78% had computers stolen that didn't have encrypted drives. I still don't get this one!!
84% do not scan outgoing email for confidential data...this is where (and why) the bad guys focus their efforts.

Oh, and 84% are heavily dependent on their IT systems...The other 16% just don't realize their dependence. Yet.

Funny view of ridicously unsecure Web apps

2008-07-02T07:05:00.000-04:00

My colleague Mike Rothman has a great post at SecurityIncite about Web application security and the "beta" mindset. I couldn't agree more....Just slap a beta tag on everything like Google does and you're off the hook!

Getting the IT blues because of gas prices...watch this.

2008-07-01T14:09:00.001-04:00

So many of us here in the U.S. are being affected - both personally and professionally - but these outrageous gas prices we have....I'm seeing stories about IT job losses and IT budget cuts in the name of ridiculous fuel costs. This is especially true when you have ignorant and controlling managers who won't let you telecommute. Heck, I'm cutting back on the number of networking events and lunch meetings I attend because of it...they're often not worth the money.

I figured this would be a good time to help spread the word that we CAN do something. Watch this video:

Just another public service of mine.... ;)

Happy (Energy) Independence Day!

My new Security On Wheels audio program is out

2008-06-30T21:00:00.001-04:00

I wanted to let you know that my new Security On Wheels mini audio program is now produced and ready to go. It's called Certifications, Degrees, or Experience - What's Best for Your Security Career? This audio program (which comes packaged in a 24 minute MP3 file) addresses what you need to focus on in order to properly educate yourself and stay sharp so you can work more effectively, earn more, and become a security leader.

In Certifications, Degrees, or Experience - What's Best for Your Security Career? you'll learn:

* The various types of security certifications
* How hiring managers view certifications
* What to expect with certifications
* Whether college degrees are worth the time, money, and effort
* Ways that college degrees have helped me in my work
* Great ways to get good hands-on experience
* The negative aspects of hands-on experience and how to avoid them
* The answer to the question regarding what's really best for your information security career

You can even listen to a 55 second sample clip from this audio program here.

Before you spend years of your time and potentially tens of thousands of dollars, learn just what you need to know to get ahead in this field...And it's only $9.95.

Check it out at http://securityonwheels.com/cde.html if you're interested...and tell others about it too.

More good stuff to come...

All the best!

What does "qualified third party" mean in PCI 6.6?

2008-06-27T07:01:00.001-04:00

There's been a lot of hoopla surrounding the PCI DSS requirement 6.6 compliance next week. Even with all the noise, there is some good news for both covered entities and independent security professionals such as yours truly. In the PCI DSS requirement 6.6 Information Supplement document, the first sentence at the top of page 3 states "Manual reviews/assessments may be performed by a qualified internal resource or a qualified third party."

But nowhere - anywhere - have I been able to find out what "qualified third party" means....until today. Yep, straight from the horse's mouth (PCI Security Standards Council) told me:

"Req 6.6 it is any independent, qualified security organization with expertise in application security."

Excellent....so don't dealing with all those high-end "QSAs and ASVs" (the whole process of which I think is a ridiculous sham) who may have questionable quality is not necessary! Any little old security peon like me could do these types of assessments. I feel honored.

Wow, a free market concept where everyone wins...There are some good snippets coming out of the regulatory world every now and then after all I suppose.

BTW, in case you haven't seen the links I posted in the past couple of weeks, here are two reality-check articles I wrote regarding the PCI requirement 6.6 code reviews and web application firewalls that you'll enjoy:

The realities of PCI DSS 6.6 application code reviews
The realities of using WAFs for PCI DSS 6.6 compliance

Does FACTA really exist? Send up a Red Flag!

2008-06-26T21:18:00.004-04:00

I spoke recently for a group of technically-savvy accountants. Out of the 120 or so people in the audience, 2 raised their hands when I asked if anyone was aware of the impending FACTA requirements for identity theft protection measures for financial institutions. Two people folks! OUCH.

Sign of the times in information security I suppose...

Good management yet bad results? No way!

2008-06-26T08:27:00.004-04:00

I was watching my favorite TV channel yesterday (SPEED) and heard well-known racer Tommy Kendall say something that struck a cord. He was actually quoting Carlos Ghosn, head of Renault, who said:

"There's no such thing as good management with bad results."

I immediately thought, hey, this ties into what I do for a living.

Many, many people believe they have information security under control yet time and time again they come up short in their security assessments - or worse - they have a breach. This stuff happens and they're up in arms. They don't understand what happened. They claim to have firewalls, a good network admin, and formal security policies...what gives, they ponder.

Folks, good security is not merely the presence of firewalls, a good network admin, and formal security policies. It's about making these things and others all work together in the right way day in and day out. This means management pulling their heads out of the sand and realizing that security is a business issue that needs their attention. This thing called information security takes leadership and hands-on management thoroughly and consistently every day of the week.

Ignorance is bliss when it comes to patching database servers

2008-06-25T16:44:00.003-04:00

I just saw this bit today on SearchSecurity.com about admins not patching database servers. So, it's not just me that sees ignorance in action when it comes to admins not wanting to patch their database servers. I can't tell you how many times I've found database flaws directly-exploitable from the inside all because an admin didn't want to patch the system. I'm talking about full command prompt access to database servers in a matter of minutes using nothing but free tools. You can't tell me everyone on the network can be trusted!

I wrote an article about this VERY thing for SearchSQLServer.com...Like to hear it, here it go:
SQL Server patch pros and cons

Wow...it doesn't much more bury-your-head-in-the-sand ridiculous than this. Oh wait, why am I complaining! This is the kind of stuff that keeps me employed. :)

Good security resource worthing checking out

2008-06-24T05:46:00.001-04:00

If you haven't been over to NIST's National Vulnerability Database site lately, it's worth checking out. There's tons of good info on system hardening, vulnerability research, and more. If you're here in the U.S., you helped fund it so you might as well use it, right?

You don't say...A new Mac Trojan?

2008-06-23T15:43:00.000-04:00

They haven't had one in a while....so it's about time again.

New Mac Trojan Disables Security, Steals Passwords

My security content from last week

2008-06-23T14:39:00.002-04:00

I was out the latter part of last week so I missed my 'deadline'. Here's an article hot off the press that you may be interested in:

The realities of using WAFs for PCI DSS 6.6 compliance

Enjoy!

As always, check out www.principlelogic.com/resources.html for all of my past articles, webcasts, podcasts, and more.Publish Post

One more thing Representative Wolf...

2008-06-17T15:48:00.003-04:00

In regards to my post yesterday about your calling out for better computer security at the Federal level, you may want to consider hardening your systems with the OMB Federal Desktop Core Configuration Checklists found at the following link:

http://nvd.nist.gov/ncp.cfm?fdcc_chklst

Us taxpayers have funded this and other great security documents for people just like you.