You can't secure what you don't acknowledge.SM

Thursday, August 12, 2010

Apple's iPad - a forensic investigation in the making?

Here's a new piece I wrote for SearchCompliance.com on regarding the realities and risks of iPads in the enterprise.
Enterprise iPads: Compliance risk or productivity tool?

Simply put, they're not all that different that other mobile computing devices but they do bring something unique to the table...

Speaking of "i" devices in the enterprise, here's a great read I saw recently in Information Week that outlines a scenario that's at the root of this problem:
Secret CIO: Deliver Strategic IT ... And My iPhone On Monday

Metasploit enters the Web arena

OK, Metasploit has had several Web-related exploits for years but HD and company are now getting serious about taking Web application scanning and exploitation to the next level.

As with Metasploit and Metasploit Express, there's only so much you can do with scanner and exploit tools so the verdict is still out. I love this innovation nonetheless.

Wednesday, August 11, 2010

Is car hacking the next big thing?

For years I've been telling close friends who share my motorsports passion that we're going to start seeing cars getting hacked. I believe this to be especially true once cars are online and communicating with the "smart highway" system we're slowly approaching.

Well, we're now starting to see the beginning of such hacks. Some research was uncovered earlier this year on how a car's ECU (electronic control unit) can be manipulated in ways ranging from merely annoying the driver all the way to making them crash. The latest car hack uncovered involves the wireless tire pressure sensors in 2008+ automobiles (something the government mandated because of irresponsible drivers ignoring the maintenance required of their vehicles).

As with any computer system, if there's a hardware port, a wireless signal, or an IP address, then it's going to be exploitable/exploited. I just hope it doesn't start happening to me and my colleagues and on the racetrack! Wouldn't that be a fine how do you do?...

Can't wait to see the evolution of this. Sure, car hacking doesn't involve sensitive information...instead it involves something of much greater value: people's lives. I think this is going to be big, really big. Stayed tuned for more.

Great information security quote (don't believe the hype)

There's a Japanese proverb that fits nicely into infosec:

"If you believe everything you read, perhaps it's better not to read."

Be it F.U.D., vendor hype, or "experts" who claim the sky is falling with every new exploit they uncover - you ultimately need to focus on doing what's best in your environment under your terms.

Avoid the temptation to go nowhere

The cancellation of Tony Robbins show after just two episodes underscores how many people aren't interested in learning more about getting ahead in life. Instead, mindless drivel is the "norm" of today.

If you want to make things happen, dare to be different.

Monday, August 9, 2010

How you can get developers on board with security starting today

Some people - including a brilliant colleague of mine - think security is not the job of software developers. In the grand scheme of things I think such an approach is shortsighted and bad for business. It's kind of like an auto assembly line worker not being responsible for the quality of his work or citizens not being responsible for their own healthcare (oh wait!) or why the bottom 50% of income earners in the U.S. shouldn't be responsible for paying their fair share. It's always someone else's problem. Sadly, "responsibilities" without ramifications is the way things are in most societies today.

Getting back to the point, getting developers on board with security - as we've seen over the past decade - is most certainly NOT one of those things that's going to magically happen. So is it even possible to get developers on board with security? I think so. But you have to be smart about it. You can't just say "You! Write secure code!" Ha, if it were only that easy. There are many gotchas along the way so you have to come up with a solid game plan. I wrote about the problem and some solutions in a new piece you may want to check out:

Getting developers on board with security – once and for all

Speaking of developers and security flaws, here are some more articles I've written recently for TechTarget's SearchSoftwareQuality.com that you may be interested in:

Application security checklist: Finding, eliminating SQL injection flaws

Finding cross-site scripting (XSS) application flaws checklist

Happy reading and most of all, good luck!

A bit of inspiration

I'm back from my last break of the summer and thought I'd share this quote I came across for a bit of inspiration:

"A successful life is one that is lived through understanding and pursuing one's own path, not chasing after the dreams of others." -- Chin-Ning Chu

This reminds me of another great quote which says "If you don't have goals for yourself you're doomed forever to achieve the goals of someone else."

Whether you're in need of some focus for your career or for your internal information security initiatives, here are some other pieces I've written on goal setting that may help...studying this subject has certainly helped me.

Eight steps to accomplishing your IT career goals (can be applied to all types of goal setting)
My blog posts on goal setting and IT and information security careers
Related articles I've written on IT and information security careers
My Security On Wheels audio programs providing security learning for IT professionals on the go