There was a lack of news on the blogosphere the past few days due to the July 4th holiday in the U.S. so I’ve decided to hold off until today to post my suggested blog reading.

Here’s the list:

Don’t think about it, just get on the plane – Wow, this made my morning. Kind of goes hand in hand with my earlier post on lack of due diligence at the airport. Thanks Mike!

I came across this unbelievably funny YouTube video and had to share it. If you ever travel, especially if you travel frequently, you’ll ROFL (roll on the floor lauging) watching this. I still laugh each time I watch it. As the saying goes, you just can’t make this stuff up. Truth is funnier (as well as stranger) than fiction most of the time.

Video: Geeksquad caught copying personal files from PC – I had a feeling that deploying under trained, fresh out of school kids with their CompTIA A+ certification was a bad idea. Now I know that feeling was justified.

Do you expect privacy when you’re computer is repaired? Trust your technicians?

You shouldn’t. In this case it’s porn. This video is a great argument for keeping your data on a high capacity external hard drive.

Security Views Case Study #3 – The long-time employee threat – Another good case study from Scott.

The individual, a senior database administrator who had worked at the company for seven years, saw the opportunity, didn’t think he’d get caught, and took the chance.

1) Either there were no confidentiality safeguards on the client’s information, or the safeguards that existed were weak enough for a single person to exploit.

2) Access logging and/or audits of access logs were not being done. (If they were, the thief would have known he would get caught, unless he was the only one responsible for the audits. But then the theft might never have been detected.)

7 Deadly Sins of Website Vulnerability Disclosure – Good post…only Jeremiah forgot to post a “7th Deadly Sin”

Someone you don’t know, never met, and didn’t give permission to informs you of a vulnerability in your website. What should you do? Or often just as important, what should you NOT do? Having security issues pointed out, “for free,” happens to everyone eventually (some more than others). People unfamiliar with the process often make poor judgment calls causing themselves more harm than good. We witness these missteps regularly, even amongst security vendors who should know better. I figured that if we document some of these mistakes, maybe we’d start learning from them. Then again, the original seven deadly sins certainly haven’t vanished. 🙂

Email encryption with GPG and Mail.app – I’m still new to my Mac but I’ve been searching for a way to leverage the power of GPG. Now I can 🙂

Email is sent across the Internet as plain text, which means that almost anyone can read your private emails and sensitive information. We’ve already covered before how to send encrypted emails with Mozilla Thunderbird, and while Thunderbird is a cross-platform email client that will work on Mac OS X, it just might not be your favorite email application.

If you’re concerned about your email’s security, this hack shows four easy steps to configure Apple’s Mail.app email client to send and receive encrypted emails.

Top 11 Reasons to Look at Your Logs – Another great post by Anton. The excuse I typically hear is “I don’t have time to look at ALL my logs”. Unfortunately this just isn’t going to cut it anymore with so many powerful tools out there to assist you in collection and analysis.

As promised, I am following my Top 11 Reasons to Collect and Preserve Computer Logs with just as humorous and hopefully no less insightful “Top 11 Reasons to Look at Your Logs.”

Malicious insider sells Fidelity

National customer data

– Still don’t think the insider threat is something to worry about in your organization?
Fidelity National Information Services Inc. admitted this week that Certegy Check Services Inc., a Fidelity subsidiary that provides check processing services, was “victimized” by a database administrator who stole and sold bank and credit card data on up to 2.3 million customers.

Fidelity said in a statement that the St. Petersburg, Fla.-based administrator misappropriated and sold consumer information to a data broker who in turn sold a subset of that data to a limited number of direct marketing organizations. The incident does not involve any outside intrusion into or compromise of Certegy’s IT systems, the company added.

The “Insider Statistic”, Good Data, & Risk – Pursuant to my previous entry above 🙂

One of the most hallowed statistics quoted by consultants and analysts alike is what I like to call the “Insider Statistic”. You know the one – a few years back somebody, somewhere, released a study that said 60% (I’ve seen quoted as high as 80%) of all attacks come from the inside. I’m not even going to bother going into the history here, as I don’t feel like spending the 20 min. Googling for the source.

Now every.freakin’.time I’m in some meeting room somewhere and somebody brings that one up, it’s used to justify controls to reduce the probability of a technically sophisticated attacker within the perimeter who intends to harm. I always wonder if it matches reality. There are so many variables to consider that I always wondered what the “catch” was. Now I think I know.

New INFOSEC workbook now online – You may want to download this for research or bed time reading.

Regular readers of this column know that I give a graduate seminar to my MSIA students every year in June called “INFOSEC Year in Review” or “IYIR” for short. This year the 135 graduating students and about 50 more students who will graduate in December received a 453-page book with 1,240 abstracts (including introductory material such as the list of categories) dating from Jan. 1, 2006, through May 30, 2007, classified using 280 possible categories.

The workbook is a selection I made from a total of 3,532 abstracts in that period. The full database and a complete PDF listing of the contents will be posted on my Web site later after some volunteers and I finish adding keywords to the abstracts.

At least I know one thing I don’t want to do with my life – I was quite surprised when I saw that Martin was leaving his “dream” job. This is kind of a wake up call to me as I have often thought that I would like to be a product evangelist too. Maybe I need to put some more thought into it 🙂

Mitchell Ashley, Alan Shimel and the whole crew at StillSecure did everything they could to help me, but it turns out I’m just not built right to be in marketing. Obviously, I love spouting off my own opinions, but when it comes to representing a company and speaking on their behalf, my own instincts are my own worst enemy. I like to tell the whole, direct truth, and that’s not what marketing is about; it’s about shading the truth to put your company and your product in the most positive light possible. Not that marketing is a bad thing, it’s just not how my thought processes work.

I apologize for not updating the blog over the past few days but I took some vacation to visit with my in-laws. But now I’m back!

Here’s the list:

Paper On Log Management – Thanks to Dr. A I’ve got some more reading material.

Unusually good trade rag paper on log management.

Why There Is No Syslog in Windows – I was following this thread as well but Anton beat me to the blog post. I don’t agree with the reasoning behind not adding native syslog support AND I don’t care what you say….I like syslog 😛

Ever wondered why after all this years Windows still doesn’t support syslog? This is why; read a very comprehensive answer by Eric Fitzgerald, who “owns” Windows logging. There is also a very lively discussion that ensued, which includes things like “my blood boils and a halo of pink steam forms around my head, throbbing the the gnashing of my teeth and the kodo drum-like thudding of my overworked heart. ” 🙂 /guess who said this/

Configuring Granular Password Settings in Windows Server 2008, Part 1 – Looks like the Win2k8 (wow that feels strange to type) security articles are starting to come out.

In previous versions of Active Directory (AD) we had only one password and account lockout policy for the entire domain. Some companies had to use multiple domains to place different password policies on different users; others had to develop their own password filters or buy third party solutions. With Windows Server 2008 we have the option to specify different password policies for different users and groups “out-of-the-box”.

This first of two articles is a “walkthrough” on creating a password policy in addition to the usual one we have in the “Default Domain Policy” Group Policy placed on the domain level.

Homeland Security to host security forum in August – Will it be called “Don’t do what Donny Don’t Does? – Your guide to succeeding where we failed!”

The U.S. Department of Homeland security will host a invite-only conference two months from now that will bring together security experts from law enforcement, Internet service providers, and the technology industry.

The Internet Security Operations and Intelligence (ISOI) workshop will be held on August 27 and 28 at the Academy for Educational Development in Washington D.C. It is expected to draw about 240 participants who will engage in a frank discussion of the latest trends in cybercrime, said Gadi Evron, a security evangelist with Beyond Security who is one of the event’s planners.

Selenium – JavaScript Web Application Security Testing Tool – Not only does selenium protect you from aliens and dandruff….it also acts as a Web Application Security Tool 🙂 — bonus points to the one who guesses what movie that’s from 😉

Selenium is a test tool for web applications. Selenium tests run directly in a browser, just as real users do. And they run in Internet Explorer, Mozilla and Firefox on Windows, Linux, and Macintosh. No other test tool covers such a wide array of platforms.

Browser compatibility testing. Test your application to see if it works correctly on different browsers and operating systems. The same script can run on any Selenium platform.
System functional testing. Create regression tests to verify application functionality and user acceptance.

Snort and the IT Appliance Fixation – Having worked as a consultant I completely agree with Bill on this one. The unfortunate reality is that people want the shiny, slick looking car by the company with the huge marketing machine behind it that convince them to buy it in the first place…not the one with the best gas milage and helps protect unladen African or European swallows — Another bonus point to the person who guesses that movie 😉

Assume that a Vendor supplied IDS will cost $50,000 just to purchase. Factor in the time spent finding the right product. Now consider that an organization could easily spend that time configuring a Snort sensor baseline image, and roll that out on computers that are past the end of their life cycle – see where I’m going? Now factor in the open source nature of Snort’s rule sets, and you could easily save money in implementation, and use the money to hire a decently paid IDS analyst.

The bottom line here is that the best solution is not always the newest one, or one that comes with vendor support. If you are in a position to do something useful on a network, it does not always have to cost money.

Paper on Identity Theft – from the SANS Information Security Reading Room

Anton Logging Tip of the Day #11: But These Are OUR Logs! – Another good post by Anton. I completely agree with his statement that “the only way to truly to resolve such control issues is to deploy log management tools across the entire organization and then provide limited access to the logs to all the stakeholders on the “as needed” basis” – this is why soldiers are put on sentry duty have been deployed this way for thousands of years!

A common and unfortunate situation that occurs when dealing with logs is not technical, but political: not being able to get the logs you need due to political, cultural, egotistic, or other “corporate” reasons. In this tip we will try to present a few situations and solutions for those trying to wrangle logs from whatever hostile (or ambivalent – sometimes worse!) entity at your organization and thus to break the siloed approach to log management.

The One Minute Security Manager – Good “quickie” to review every now and then.

Security has a bad name. Whenever I say I work in security, people get paranoid assuming that my job is to block whatever good work they are doing in the name of security. Plus, in many organizations, security is a one way street. Information goes in, but never comes out. There’s no information sharing because neither side wants to discluse their “secrets.” It’s time to change this negative connotation for security.
For my entire security career, I’ve been exploring ways to improve the image and effectiveness of security. Also throughout my professional career, I’ve been studying leadership. Recently it dawned on me (while reading Seth Godin’s The Dip) to put the two together. One of my favorite leadership books is The One Minute Manager by Ken Blanchard, Ph.D. and Spencer Johnson, MD. There is no reason why we can’t use the ideas in The One Minute Manager to improve our security practices.

tcpxtract – Extract Files from Network Traffic AKA Carving – Good way to see exactly what your [employees/colleagues/kids/friends] are downloading that is sucking up your [bandwidth/sanity/resources].

tcpxtract is a tool for extracting files from network traffic based on file signatures. Extracting files based on file type headers and footers (sometimes called “carving”) is an age old data recovery technique. Tools like Foremost employ this technique to recover files from arbitrary data streams. tcpxtract uses this technique specifically for the application of intercepting files transmitted across a network.

Building a better security events system – I’m not sure what Tate’s looking for as everything he has described is available in many vendors offerings. Or some sort of SEIM/Skynet hybrid 🙂

Capture an alert fired from an IDS, check netflow for a session, note a “first-time” event recorded in a syslog message, mix in statistical data mining and learning techniques – and do it all in near real time. This is how things get interesting.

Unfortunately it’s hard to get complete visibility (i.e. get all syslog, all netflow, all application logs, etc.). There must be a point though where I can get enough information to successfully prioritize interesting events. I’m not sure exactly where that’s at, but it’s a fun problem to work on.

Office 2007 Event Logs – I really enjoy posts that detail analysis of an incident in some way. I wish there were more out there.

A coworker walked into my office today and asked if I’d take a look at a drive to see if I thought the former owner had tried to tamper with the contents. After a little “pokin’ ’round” I exported the event logs and opened up my event viewer to look at them when I noticed another log on my box. Not the ones I’d exported, but a new event log that comes with a default installation of Office 2007. So naturally, I discarded the investigation that I was supposed to be doing and began investigating what interested me. My proclivity for doing things like this is the reason that my desk is a shambles, but that’s a tale for a different day, on to the new event log!

Antiforensics: When Tools Enable the Masses – Good article…very low ‘fluff factor’ 🙂

Once again, the bad guys are lining their arsenals with new tools to use against you. Computer forensics is an emerging field of study and anti-forensics is certainly developing right alongside. Some say anti-forensics is developing faster. Why? Because what was once only possible for the elite has now washed downstream in the form of automated tools. More or less, anyone can throw trashcans in the path of forensic investigators now that the tools are there to make it all possible…

Security Mentoring – I was lucky enough to have an understanding wife support my self study and employers that fostered my quest for knowledge.

How do you become a “Security Expert”? You can take classes in high school, college and trade school. You can attend “vendor training” or security related classes offered by many different organizations (Global Knowledge, ISC2, New Horizons, etc). You can attend seminars and conferences such as BlackHat, ShmooCon, SANS, etc. You can read books and practice with your own computer, home network or use some online labs. You can participate in forums (security catalysts community, friends in tech, etc). You can read blogs and “security” websites (Andy ITGuy, Tao Security, SearchSecurity, etc). You can join in on chats using IRC or other Instant Messaging type clients. You can join organizations such as ISSA, InfraGard, ISACA.

All of these are good and viable ways to learn about information security and how to practice it and do it. Of course the best way is OJT. On the Job Training. The school of hard knocks. Working side by side with other security professionals who have already been there and learned things by experience. It has been said that experience is the best teacher. This morning on my ride into work I was listening to Chuck Swindoll speak about learning through confrontation. He said that he thinks that the best teacher is “guided experience”. I must agree. You can learn a lot from experience but if you don’t have someone there to help you understand all that the experience has to offer then you are missing out. If you don’t have someone there who will challenge your experience and more importantly, the lessons that you think you are learning then you are missing out on a valuable resource.

Apparently I have my own “style”. Thanks for the mention Marcin 😉

Also, there looks to be a cage match in the works between Thomas “The Animal” Ptacek of Matasano Security and Joanna “The Lovely Lady of Security” Rutkowska over how hypervisor-based rootkits are not invisible and the detector always has the fundamental advantage. The problem is that Joanna claims that hypervisor rootkits are “100% undetectable”. I wish I could get ring side seats but I don’t have the funds for Blackhat this time around.

Here’s the list:

Schools Lack Cybersecurity Training As Students Grow Cybersavvy – I’m sure this comes as no surprise to anyone. The question is…how do we fix it and not look like a bunch of lame old folks trying to bestow wisdom?

The School Safety Index indicates that while 95% of districts surveyed are blocking Web sites, only 38% have a closed network that lets them control the content students can access.

HIPAA Growing Teeth? – This is good to see.

“An audit of Atlanta’s Piedmont Hospital that was initiated by the U.S. Department of Health and Human Services in March is raising concerns in the health care industry about the prospect of more enforcement actions related to the data security requirements of the federal HIPAA legislation.”

Microsoft Product Keys & XML Fun – Good check to see if any unauthorized Microsoft software was added to a system 🙂

It’s an XML file called Product_keys.XML, the root XML tag is
and it contains a list of Product Keys for
Microsoft products.

When you have an Microsoft MSDN subscription, you have access to a
website with product keys for your subscription. There is a button on
the site to export these keys as an XML file, and the file I
discovered has exeactly the same format.

Some questions to ask yourself when assessing reported security breaches in Windows Vista – Probably not all of the questions you need to be asking but definitely some good ones.

Most anyone who has been in the security industry for a while is familiar with the term ‘security theater’. It’s a term used for security that is about show, rather than substance.

Since I became the Product Manager for Windows Vista security I have noted that the same concept seems to increasingly apply to the world of vulnerability disclosure – let’s call this ‘vulnerability theater’.

Take5 (Episode #3) – Five Questions for Jeremiah Grossman, Founder/CTO of Whitehat Security – Good interview with Jeremiah Grossman.

Jeremiah Grossman is the founder and CTO of WhiteHat Security,
considered a world-renowned expert in Web security, co-founder of the
Web Application Security Consortium, and recently named to
InfoWorld’s Top 25 CTOs for 2007. Mr. Grossman is a frequent speaker
at industry events including the BlackHat Briefings, ISACA, CSI,
OWASP, Vanguard, ISSA, OWASP, Defcon, etc. He has authored of dozens
of articles and white papers, credited with the discovery of many
cutting-edge attack and defensive techniques, and co-author of XSS
Attacks. Mr. Grossman is frequently quoted in major media publications such as InfoWorld, USA Today, PCWorld, Dark Reading, SC Magazine, SecurityFocus, C-Net, SC Magazine, CSO, and InformationWeek. Prior to WhiteHat he was an information security officer at Yahoo!

If you tell a fact in forest and you haven’t written a security book, is your fact wrong? – Looks like Michael Farnum got slammed by an angry Computerworld blog follower. Good for you Michael for not backing down. You were right by the way 😉

OK, I was going to leave this one alone, but it is just bothering me so much. A couple of weeks back, I wrote a blog post about a comment I had left on a post by Douglas Schweitzer’s at his Computerworld blog. Douglas said in his post that a bot was “essentially just another term for an infected computer.” I took issue with this and wrote a comment as such, then I posted the comment on my blog. I also noted that I wasn’t slamming Douglas in any way. I just felt the error needed to be corrected. Douglas argued on his blog that it was semantics, and that is probably true to a degree, but oh well. I let that go (actually I tried to post another comment on Douglas’ blog, but I think I put too many links in to prove my point because it never popped up – probably looked like spam).

3Com will be 2 com’s – This just in from the “a blind man could have seen it coming” department…

I guess they finally had enough at 3Com. Enough of the dual, schizophrenic personality. Or maybe it’s better described as the petulant teenager who just wouldn’t stop railing against being a part of the family. Tipping Point will get it’s way and be spun out on an IPO by years end according to an announcement from Edgar Masri, 3Com’s president and CEO.

It never was a fit. TippingPoint always saw themselves as the real acquirer in the deal, or maybe as Ty Pennington leading the Extreme Makeover – Home Edition of 3Com. The next generation to take over the company. And lets face it, the integration of 3Com and TippingPoint never did happen, starting with TippingPoint being identified as a “3Com company”.