You can't secure what you don't acknowledge.℠

Thursday, December 18, 2008

My latest security content

Here's a webcast on IM/VoIP/P2P I just recorded for
The Challenges and Solutions of Realtime Communications

Here are two articles I wrote for the latest issue of Security Technology & Design magazine:
Mobile Security - Is anyone listening?

Wireless Security: Does it still matter?

Be sure to check out for all of my information security articles, podcast interviews, webcasts, screencasts and more.

Wednesday, December 17, 2008

What, employees exploiting the new Windows flaw???

I've been talking about (and exploiting in my internal security assessments) this very thing for a long time, and it's finally reaching the "mainstream media". Never, ever underestimate the intentions of rogue insiders to exploit a Windows flaw like this.

It's not just this Windows exploit... It's a whole slew of them. And Metasploit's cheap and very easy to use.

Monday, December 15, 2008

Think of this guy as your corporate lawyer

Here's an enlightening interview with a tech-savvy lawyer, Chris Wolf, regarding data breach laws. The question posed to Chris is: what would you advise companies when it comes to data breach?

In a nutshell, his response is: Get ready in advance.

The $64,000 question: Would you tell your corporate lawyer no to this?

A new channel for data leakage/breaches?

I just had a flashforward moment a minute ago. I was dragging and dropping a file on my Windows desktop and it "landed" on the Skype window I had open. It didn't do anything because I caught it in time but I thought: Oh no! What if I accidentally transmitted a file to someone in my phonebook? Perhaps someone that didn't need to see that file.

But then I thought - nah, you couldn't do something like that. Maybe in applications down the road. Well, sure enough you can - today! I tested it again and it works. It's like dropping a piece of jewelry down a well that ends up on the other side of the earth... but it could be much worse. You send a file to someone over Skype (or whatever) that they shouldn't see - and you can't get it back.

Keep this in mind when training your users about the security issues associated with P2P/IM/Social Network/whatever applications. I know, you don't allow those apps. But they're using them anyway! Seriously, this could be an exposure waiting to happen and would be a tough one to explain.