You can't secure what you don't acknowledge.SM

Friday, April 4, 2008

Got VoIP? Better get patched...

Well, in standard fashion, VoIP security issues are emerging again. Apparently most of the major players are vulnerable. Again. This is really nothing new. I've always said that as long as something is addressable over a network, people are going to find a way to hack it. Speaking of that, are you aware that the free Cain tool can capture voice traffic and convert it to a nifty .wav file for playback? By anyone on your network....Pretty scary stuff.

I'm outta here for Spring Break. Woohoo. No RSA for me this year. Bad timing.

Until later...

My security content from this week

Here's my one article from this week....shifting gears to Windows Mobile smart phones/handhelds:

Windows Mobile OS security: Get it locked down

For all of my past information security content be sure to check out www.principlelogic.com/resources.html.

Enjoy!

Thursday, April 3, 2008

Upcoming keynote I'm giving for IDC

If you find yourself in Milan, Italy on April 16, come by and join me! Here's the press release:

Kevin Beaver, independent information security expert with Atlanta-based Principle Logic, LLC, will be keynoting the IDC Security Conference 2008 in Milan, Italy. Kevin will apply his practical and no-nonsense approach to security in his discussion titled Real World Security Problems You Can't Afford to Overlook. He will outline information security risks that many professionals haven’t considered or are viewing from the wrong perspective, and Kevin will make his case for information security issues that he believes need attention now.

“I’m very honored to have been invited to speak at a conference with such high visibility,” says Beaver. “The general message of the IDC show is indicative of what’s going on worldwide. There are serious business problems associated with the lack of information security that need more direct attention than they’re getting now.”

“IDC believes that information protection and control will be a major area of investment over the next five years,” says Alessia Massari of IDC Southern Europe. “Reasons at the bottom line are that IPC is needed to protect sensitive information. We expect to see more examples of high-profile incidents in which customer records, confidential information and intellectual property are leaked. The Conference in Milano will give an updated overview on what is going on in one of the key markets in EMEA.”

For more information visit the IDC Security Conference site at www.idc.com/italy/events/security08/security08_keynote.jsp and Principle Logic’s Web site at www.principlelogic.com.

About Principle Logic, LLC and Kevin Beaver
As the sole proprietor of Principle Logic, LLC, Kevin Beaver performs security-related keynote speaking engagements, expert witness services, independent security assessments of networks and Web applications, and information security pre-audits and gap analyses. Kevin has authored/co-authored seven books on information security including Hacking For Dummies, Hacking Wireless Networks For Dummies, Laptop Encryption For Dummies, Securing the Mobile Enterprise For Dummies, and The Practical Guide to HIPAA Privacy and Security Compliance. He is a regular contributor to SearchWindowsSecurity.com, SearchSoftwareQuality.com, SearchSQLServer.com, and Security Technology & Design magazine. Kevin is also the creator and producer of the Security On Wheels audio programs and blog providing security learning for IT professionals on the go (securityonwheels.com).

Wednesday, April 2, 2008

FTP bad for sensitive information...and lives?

When I first saw this headline, I thought to myself: Who's the detective that figured this out!? [tongue in cheek]
FTP Sites Vulnerable to Data Breaches

FTP poses risks?? Uh, yeah! It's just like any other technology or host on the network. If it's software, addressable via IP, and has a user login prompt, then it's undoubtedly going to have holes that are exploited eventually. Especially when network admins and security managers ignore it for the most part. And, in the case of this article, when employees are managing it on their own. [side note: I'm not sure how employees are able to set up their own FTP servers unless the firewall is wide open. I can't even get legitimate FTP to work through my firewall most of the time!]

So, Tumbleweed now has a new freeware tool that will monitor the network for FTP traffic (didn't they used to make an email filtering product?) and show what's going on. Wooo.... A new tool that looks for FTP traffic, analyzes the data and then creates a pretty report outlining who did what. Um...there's been a tool to do this that's been around for a loooong time - a couple of decades. It's called a network analyzer. Oh, and there's the free Cain tool that'll do this as well. It even has a handy password capture tool so you don't have to go to the trouble of setting up a filter in a network analyzer. Tamosoft has had their tool NetResident out for a long time. It does this same stuff.

I've been telling people to monitor their network traffic just inside or outside the firewall to see what's going on for a long long time. It provides unbelievable insight into protocols in use, top talkers, policies being violated - you name it! Now, a product vendor is using the RSA conference to debut their new technology/solution to this problem. Nothing new here except for the marketing types trying to reposition old technologies and old vulnerabilities. I could kick myself...I guess I've missed the boat - again.
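As an added example (not code from this post, nor from Tumbleweed, Cain, NetResident or any other product named above), here is the kind of triage the post recommends done in a few lines of Python over flow records exported from a network analyzer: protocols in use, top talkers, and the policy violation the article is about, internal hosts answering on the FTP control port that nobody approved. The record layout, the 10.0.0.0/8 internal range, the approved FTP server 10.1.1.10 and every flow line are constructed for illustration and are not taken from any real capture.

```python
"""Summarise flow records captured just inside the firewall: protocols in use,
top talkers, and internal FTP servers that are not on the approved list."""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in a simple CSV layout (not any real tool's export format):
# timestamp,src_ip,src_port,dst_ip,dst_port,proto,bytes
SAMPLE_FLOWS = """\
2008-04-02T09:01:12,10.1.1.25,51022,10.1.1.10,21,tcp,1840
2008-04-02T09:01:13,10.1.1.25,51023,10.1.1.10,20,tcp,5242880
2008-04-02T09:02:40,10.1.1.77,49211,10.1.1.42,21,tcp,960
2008-04-02T09:02:41,10.1.1.77,49212,10.1.1.42,20,tcp,18874368
2008-04-02T09:03:05,10.1.1.30,50110,203.0.113.9,443,tcp,40960
2008-04-02T09:03:06,10.1.1.30,50111,203.0.113.9,80,tcp,122880
2008-04-02T09:04:00,198.51.100.7,40111,10.1.1.42,21,tcp,700
2008-04-02T09:04:30,10.1.1.25,50300,10.1.1.5,53,udp,512
"""

WELL_KNOWN = {20: "ftp-data", 21: "ftp", 22: "ssh", 53: "dns", 80: "http", 443: "https"}
INTERNAL = ip_network("10.0.0.0/8")                 # assumption: the site's address space
APPROVED_FTP_SERVERS = {ip_address("10.1.1.10")}    # assumption: the one sanctioned FTP host


def parse_flows(text):
    """Turn the CSV text into a list of dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto, nbytes = line.split(",")
        flows.append({"ts": ts, "src": ip_address(src), "sport": int(sport),
                      "dst": ip_address(dst), "dport": int(dport),
                      "proto": proto, "bytes": int(nbytes)})
    return flows


def protocols_in_use(flows):
    """Flow count per service, naming the destination port when it is well known."""
    counts = Counter()
    for f in flows:
        counts[WELL_KNOWN.get(f["dport"], f"{f['proto']}/{f['dport']}")] += 1
    return counts


def top_talkers(flows, n=3):
    """Hosts ranked by total bytes sent plus received."""
    totals = Counter()
    for f in flows:
        totals[f["src"]] += f["bytes"]
        totals[f["dst"]] += f["bytes"]
    return totals.most_common(n)


def unapproved_ftp_servers(flows):
    """Internal hosts accepting FTP control connections (tcp/21) that are not on
    the approved list, with the clients that reached them and a flag showing
    whether any client came from outside the internal range (i.e. the firewall
    let FTP in)."""
    seen = defaultdict(lambda: {"clients": set(), "external_client": False})
    for f in flows:
        if f["proto"] != "tcp" or f["dport"] != 21:
            continue
        if f["dst"] not in INTERNAL or f["dst"] in APPROVED_FTP_SERVERS:
            continue
        entry = seen[f["dst"]]
        entry["clients"].add(f["src"])
        if f["src"] not in INTERNAL:
            entry["external_client"] = True
    return {str(host): {"clients": sorted(str(c) for c in v["clients"]),
                        "external_client": v["external_client"]}
            for host, v in seen.items()}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("Protocols in use:", dict(protocols_in_use(flows)))
    print("Top talkers:", [(str(h), b) for h, b in top_talkers(flows)])
    for host, info in unapproved_ftp_servers(flows).items():
        print(f"Unapproved FTP server {host}: clients={info['clients']}, "
              f"reached from outside={info['external_client']}")
```

On the constructed sample the report names 10.1.1.42 as an FTP server that is not on the approved list, shows it as the top talker by bytes, and flags that one of its clients (198.51.100.7) came from outside the internal range, which is exactly the "how did that get through the firewall" question raised in the side note above. Against real data you would feed it a flow export from your analyzer and extend the approved list and the well-known port table to match your environment.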

Monday, March 31, 2008

Great networking, security, and forensics resource

Speaking of Laura Chappell, if you're not familiar with her work, I recommend you check it out. As far as I'm concerned, she's the original networking guru/goddess/queen. She knows a lot about a lot when it comes to networking protocols, security, and forensics....If you've never been to one of her sessions or classes, you haven't lived (or learned) all you can about this field. Laura's got some great material - some free stuff too. Check it out at packet-level.com. She also contributed to my book Hacking For Dummies. Check it out too!

Defining "Power Users"

I was cleaning my office recently and found something that made me laugh. I don't remember exactly where I got it from for credit purposes, but it *may* be from one of Laura Chappell's BrainShare sessions way back when NetWare was cool. It defines those users that we've all had to deal with at some point in our careers:

Power Users: PC Operators Who Eventually Ruin, Unload, Screw up, Erase, and Remove Software

I love it!!!

BTW, sorry my posts have been light as of late....been out sick.