Wednesday, February 16, 2005

HNS - The Threat Within - Why Businesses Need To Manage And Monitor Employee Email Usage

HNS - The Threat Within - Why Businesses Need To Manage And Monitor Employee Email Usage: "The Threat Within - Why Businesses Need To Manage And Monitor Employee Email Usage
by Jamie Cowper - Senior Technical Consultant, Mirapoint - Monday, 14 February 2005.

In a few short years, email has become a major part of the national psyche and a business-critical tool of communication. However, while companies have been more than willing to embrace the business benefits of email, they continue to remain oblivious to many of the responsibilities this new form of communication brings, particularly as it affects their employees."
Security starts with policies, but those policies must have sharp teeth in the form of technology and defined IT processes. And while technology can help with the monitoring and enforcement of your policies, you still need periodic user education and proof that those policies are enforced without prejudice (in law enforcement, wars, and street fighting this is called "a show of force"). Just make sure that your show of force can survive a wrongful termination suit by having properly executed policies in the first place. -Bryan

HNS - A Simple Guide to Securing USB Memory Sticks

HNS - A Simple Guide to Securing USB Memory Sticks: "A Simple Guide to Securing USB Memory Sticks
by William Lynch - Senior Consultant for CTG's Information Security Services Practice - Wednesday, 2 February 2005."

This is a great article for every end-user who uses ANY portable media: CDs, USB sticks, MicroDrives, etc. Data on the local drives would be just as well protected using this same free method.

Tuesday, February 15, 2005

Ping Identity Announces Risk-Free Trial, Pilot & Production use of PingFederate --Advanced Federation Software for Simplified Identity Federation - Pi

Ping Identity Announces Risk-Free Trial, Pilot & Production use of PingFederate --Advanced Federation Software for Simplified Identity Federation - Ping Identity Corporation: "Ping Identity Announces Risk-Free Trial, Pilot & Production use of PingFederate --Advanced Federation Software for Simplified Identity Federation"

Federated identity management across domains, sites and organizations, and the server is free up to 100,000 transactions. Plenty of time to get it running and realize its value. -Bryan

Monday, February 14, 2005

Welcome to SmartWater Technology

Welcome to SmartWater Technology

SmartWater will provide your commercial property with a unique 'forensic fingerprint', which whilst being virtually invisible to the naked eye, glows under UV light and is practically impossible to remove entirely. SmartWater will protect individual items, especially mobile items such as laptops and phones, but it also protects the whole of your business or organisation from burglary and theft. It’s a chilling thought that the majority of theft for most organisations comes in the form of pilferage. So whilst you will be letting burglars know you’re protected by forensic coding, your staff can also be taking the message on board.

Now this is cool: permanent microdot watermarking for anything that you can imagine! Stealthily applied or overtly advertised, it has many possible uses. See this link for a real-life example of it in action:

http://www.met.police.uk/pns/DisplayPN.cgi?pn_id=2005_0007

-Bryan

Artists Against 419 - Is this a legit bank or company?

Artists Against 419 - Is this a legit bank or company?: "Is this a legit bank or company?
Online search tools

Have you received an offer from a bank or a security or off-shore company, or perhaps a winning notification from a foreign lottery? Want to know if they're real? If you can't find your bank on our list of 419 fake banks and lottery websites, that doesn't mean it's legit! New fakes come online every day. The following tips and tools can help you identify and avoid fraudulent banks and other fake web sites. If you're suspicious about a site, contact the artists!"

I get so many questions about suspected fraudulent emails in this category. A danger in these sites is not only from the fraudsters themselves, but from their sites being cracked and that data getting into even more criminals' hands. I investigated a site recently and found several security flaws that could have been used to crack the site and potentially gain fraudulently gathered bank account data. The banks, Feds and the ISPs simply do not have enough personnel to properly attack this growing problem. See my full-disclosure post regarding this incident and the resulting discussion thread:

http://www.networksecurityarchive.org/html/FullDisclosure/2005-01/msg00893.html

Institute for Information Infrastructure Protection

Institute for Information Infrastructure Protection: "The I3P Knowledge Base has been developed to support the I3P's mission to protect the information infrastructure of the United States. This web-based resource provides access to events, funding opportunities, experts in the field, and I3P initiatives. As the I3P Knowledge Base matures, we will be integrating tools for online collaboration, and other services to support the work of the I3P Consortium."

A good place to find upcoming security conference events (see the event calendar) and to see what some of the security community is thinking up for the future.

-Bryan

SecurityFocus HOME Infocus: Penetration Testing IPsec VPNs

SecurityFocus HOME Infocus: Penetration Testing IPsec VPNs: "Penetration Testing IPsec VPNs
by Rohyt Belani and K.K. Mookhey
last updated February 9, 2005
1. Introduction
As companies expand their presence globally, there arises a need for secure electronic communications between geographically dispersed locations. Virtual private networks (VPNs) provide an economically viable option to address this need."

All IT managers need to understand the points made in this article. The VPN can be the single most exposed point on the corporate network. Given a list of usernames, cracking the VPN is a great way to get ownership of the whole corporate LAN, since most are configured for unfettered access to all devices in the LAN. And if there is a site-to-site VPN in aggressive mode with pre-shared keys (PSK), then it is trivial to force the VPN server to send the PSK hash, from which you can easily brute-force the PSK at leisure on your own system. This can all be done without triggering any major alerts or doing noisy/detectable scans. -Bryan
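The aggressive-mode exposure above is visible on the wire before any encryption starts, because the IKEv1 exchange type sits in the clear in the 28-byte ISAKMP header of every UDP/500 datagram. The following is an added example, not code from the SecurityFocus article or from this blog: a small parser that reads that header and flags IKEv1 aggressive-mode negotiations, so a defender can audit a packet capture (or a gateway's own logs of raw payloads) for peers still negotiating in the mode that leaks the PSK hash. The exchange-type codes are the published ones (RFC 2408/2409 for IKEv1, RFC 4306 for IKEv2); the sample packets and IP addresses are constructed for the example.

```python
"""Flag IKEv1 aggressive-mode exchanges in raw ISAKMP (UDP/500) payloads.

Added example; not from the SecurityFocus article or the blog post.
The packets below are constructed inline so the script runs offline.
"""
import struct

# ISAKMP header layout (network byte order, 28 bytes total):
#   8-byte initiator cookie/SPI, 8-byte responder cookie/SPI, next payload,
#   version (major nibble | minor nibble), exchange type, flags,
#   4-byte message ID, 4-byte total length.
HEADER = struct.Struct("!8s8sBBBBII")

# Exchange types: 1-5 and 32-33 are IKEv1 (RFC 2408/2409), 34-37 are IKEv2 (RFC 4306).
EXCHANGE_TYPES = {
    1: "Base",
    2: "Identity Protection (Main Mode)",
    3: "Authentication Only",
    4: "Aggressive",
    5: "Informational",
    32: "Quick Mode",
    33: "New Group Mode",
    34: "IKE_SA_INIT (IKEv2)",
    35: "IKE_AUTH (IKEv2)",
    36: "CREATE_CHILD_SA (IKEv2)",
    37: "INFORMATIONAL (IKEv2)",
}

AGGRESSIVE_MODE = 4


def parse_isakmp_header(payload: bytes) -> dict:
    """Decode the fixed ISAKMP header; raise ValueError on a runt payload."""
    if len(payload) < HEADER.size:
        raise ValueError("payload shorter than the 28-byte ISAKMP header")
    icookie, rcookie, next_payload, version, xchg, flags, msg_id, length = (
        HEADER.unpack_from(payload)
    )
    return {
        "initiator_spi": icookie.hex(),
        "responder_spi": rcookie.hex(),
        "next_payload": next_payload,
        "major_version": version >> 4,
        "minor_version": version & 0x0F,
        "exchange_type": xchg,
        "exchange_name": EXCHANGE_TYPES.get(xchg, f"unknown ({xchg})"),
        "flags": flags,
        "message_id": msg_id,
        "length": length,
    }


def is_aggressive_mode(payload: bytes) -> bool:
    """True only for IKEv1 (major version 1) aggressive-mode exchanges."""
    hdr = parse_isakmp_header(payload)
    return hdr["major_version"] == 1 and hdr["exchange_type"] == AGGRESSIVE_MODE


def audit(packets) -> list:
    """Return one finding string per aggressive-mode packet in (src, dst, payload) tuples."""
    findings = []
    for src, dst, payload in packets:
        hdr = parse_isakmp_header(payload)
        if is_aggressive_mode(payload):
            findings.append(
                f"{src} -> {dst}: IKEv1 {hdr['exchange_name']} "
                f"(initiator SPI {hdr['initiator_spi']})"
            )
    return findings


def make_header(exchange_type: int, version: int = 0x10,
                icookie: bytes = b"\x01" * 8, rcookie: bytes = b"\x00" * 8) -> bytes:
    """Build a constructed first-message header (next payload 1 = SA, header-only length)."""
    return HEADER.pack(icookie, rcookie, 1, version, exchange_type, 0, 0, HEADER.size)


# Constructed sample traffic (documentation-range addresses), not captured data.
SAMPLE_PACKETS = [
    ("203.0.113.10", "198.51.100.1", make_header(AGGRESSIVE_MODE)),   # IKEv1 aggressive
    ("203.0.113.11", "198.51.100.1", make_header(2)),                 # IKEv1 main mode
    ("203.0.113.12", "198.51.100.1", make_header(34, version=0x20)),  # IKEv2 IKE_SA_INIT
]

if __name__ == "__main__":
    for line in audit(SAMPLE_PACKETS):
        print("ALERT", line)
```

Only the aggressive-mode packet produces a finding; main mode and IKEv2 pass because the header check is tied to the IKEv1 major version and exchange type 4. The same check is worth turning into a gateway policy rather than just a detection: disable aggressive mode on the concentrator and move PSK-based site-to-site tunnels to main mode or to IKEv2 with certificate authentication, since main mode and IKEv2 do not transmit the identity hash before the exchange is protected.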

Tuesday, February 08, 2005

Loren Bandiera's weblog » sussen

Loren Bandiera's weblog » sussen: "Loren Bandiera's weblog"
Loren Bandiera's weblog has some interesting NASL and other network probe and vulnerability experiments going on. -Bryan

Wednesday, February 02, 2005

WASC Articles: The 80/20 Rule for Web Application Security

WASC Articles: The 80/20 Rule for Web Application Security: "...we'll look at a few techniques anyone can use to decrease the risk of their website being hacked. And to make it really easy you won't have to alter a single line of code!"

Some good points are made in this article for quickly improving security while other improvements are being made as well. Applying these rules alone does not create a healthy security implementation.

-Bryan