You can't secure what you don't acknowledge.SM

Friday, July 25, 2008

My security content from this week

Well, again, there is none but I've just written several pieces that'll be out soon. Have a great weekend!

Until later...

Saved by using multiple Web scanners...again.

I'm in the middle of a project analyzing the security of an e-commerce system. I found a lot of good stuff using WebInspect including one cross-site scripting flaw. However, the cross-site scripting issue was a little lame and next to impossible to re-create. So I decided to turn Acunetix Web Vulnerability Scanner loose on it just to see what it could find. Lo and behold...four more cross-site scripting vulns! Wow.

Like I've said before, if you're going to uncover the most Web security flaws you've got to use multiple tools.

Wednesday, July 23, 2008

$25 billion for information security gaffes?

What if the government could come running to protect us every time we or one of our colleagues made a bad security decision - intentional or not? Imagine:
  • setting an Allow All rule in your firewall
  • making all of your databases accessible via the Internet
  • revoking any and all password policies
  • never testing your systems for vulnerabilities
...or,
  • avoiding data backups because, well, you just can...
Everything we do in life - every choice we make - has consequences (well, almost)...Make a dumb mistake with information security and really bad things can happen: people have their identities stolen, employees get fired, businesses get fined - even entire companies go away. But make a dumb mistake by buying more house than you can afford or lending money to people who aren't qualified and you get rewarded. Wow...

Well, I guess I was right in my other post about the housing bailout. This time it's "only" $25 billion that the U.S. Taxpayers are having to fork over to bail out Fannie Mae and Freddie Mac - two agencies the government itself created...but what the heck. That's what this country's all about anyway: punish achievement and reward failure.

Funny how the politicians want to impose all these information security laws and regulations all the while they ignore the basic Rule of Law themselves. Shame on our so-called leaders.

Got a kick out of this "Worry-Free Online Ordering" policy

I just stumbled across this "worry-free" policy located on an e-commerce site. Very cute...yet sad that a lot of people think SSL and "trust seals" are all that's needed to secure sensitive information in Web apps.

***
Your information is safe with us.

SOME~ONLINE~STORE ensures your safety and security by employing the highest level internet security system available. All information you provide us via this web site is encrypted using an SSL (Secured Sockets Layer) connection making it inaccessible to unauthorized persons. For more details, simply click the "Entrust® Secured" internet trust seal located in the bottom left corner of every page.
***

So, is my information safe with you or just on its way to you? ;-)

Monday, July 21, 2008

Video resume?

I actually think this is a pretty good idea. We have the technology...why not use it to stand out?

Video resume nice, but probably won't land you CIO job

What's wrong with this picture...Circuit City?

I just stumbled across this "file sharing" site featuring my book Hacking For Dummies...for free download of course. I know, I know, they're not doing anything illegal - they're just providing a way for people to share files. Yeah right. The interesting thing I noted was the "legitimate" companies advertising on the site. WOW...I'm sure the executives at Circuit City would be so proud to know that they're helping sponsor criminal - I mean legitimate file sharing - activity.

I wonder if someone in marketing at Circuit City was doing some illicit (I mean legitimate) surfing at work, came across this site, and clicked the "Advertise Here" link. I'm sure their IT folks had a security policy against this type of computer usage.

Just damn. I think I'll write Circuit City a letter.

You can't control this "file sharing"...It's the "free" market after all, right? Capitalism at its worst? In the end these people doing this stuff have to live with themselves and their actions.

Do you provide 'decent' customer service?

I've experienced two things in the past week that have reminded me that it doesn't take much to really tick off your customers with bad customer (no) service.

1) I ordered some automotive parts 2 weeks ago. Needed them by this past weekend. Never received them. The vendor claimed that UPS lost the package...come to find out the package was apparently addressed to someone else. [don't know for sure since I still haven't received it!]. Lots of finger pointing and nothing that could be done. Not even the willingness to overnight me what I needed. I didn't ask for any of these problems yet I'm the one that had to deal with someone else's issues.

2) Took my new vehicle in for warranty service at CarMax - you know the people with the motto "The way car buying should be." Told them the exact issues and the exact solutions. The first issue they didn't trust what I was telling them. Said that the dealer would have to diagnose it. Got a call later that day from the service advisor telling me the dealer said I should come work for them...I knew exactly what the problem was. Uh, yeah, that's why I told them in the first place. It only took me 3 minutes to find the problem/solution on the Web. With the second problem, they said they fixed it. They didn't. I now have to take it back and waste at least 2 hours of my time dropping it off and picking it up.

Moral of the story:
If you want to really stand out in your business, it's simple: do what's expected. You don't even have to go above and beyond these days...just do the basics. Sad but true.