You can't secure what you don't acknowledge.SM

Saturday, March 27, 2010

Windows DirectAccess - VPN killer or not?

Here's a new piece I wrote for on Windows 7's/2008's new DirectAccess app:

Using Windows 7's DirectAccess to enhance the mobile user experience - it's actually pretty cool and worth checking out.

Friday, March 26, 2010

Why the rich keep getting richer and the poor keep getting poorer

Contrary to what Senator Max Baucus (Democrat) recently said about the forthcoming healthcare deform that's being forced upon us:
“Too often, much of late, the last couple three years the mal-distribution of income in America is gone up way too much, the wealthy are getting way, way too wealthy, and the middle income class is left behind. Wages have not kept up with increased income of the highest income in America. This legislation will have the effect of addressing that mal-distribution of income in America.”

The rich keep getting richer because they keep doing the things that make them rich. The poor keep getting poorer because they keep doing the things that make them poor. It's basic logic just like the "secret" to losing weight: eat less, exercise more. People just don't get these basics of life. It's why so many people buy into the nonsense the diet companies and politicians "feed" us. This mindset explains why this book and its philosophy make so much sense.

Everything in life is a personal choice. Where we are in life today is the exact sum of all the choices we've made up to this point.

Interestingly, information security is no different - you choose the behavior (i.e. ignoring the problem) you choose the consequence (i.e. security breach).

I do not like it Uncle Sam

Here's a good one going around the Internet that I just love:

I do not like it Uncle Sam, I do not like it Sam I am. I do not like these dirty crooks, I do not like how they cook books. I do not like when Congress steals, I do not like their secret deals. I do not like this Speaker Nan, I do not like this 'YES WE CAN'! I do not like this kind of hope, I do not like it, nope! Nope! Nope!

Great tool to check for weak Web passwords

I've always been a fan of Acunetix Web Vulnerability Scanner. It's a lesser-known tool that packs a big punch. One of its most redeeming qualities is its password checking. As I mentioned in this post, Acunetix Web Vulnerability Scanner took what was going to be a basic assessment of an Outlook Web Access system with very few findings up many notches into a true penetration of the system...all thanks to the built-in password checks it does by default.

I've since had other scenarios where it has done the same thing and left me wondering why other scanners aren't finding these holes!?

The following screenshot shows some of the Acunetix Web Vulnerability Scanner password check policy settings.

The scanner not only checks for weak Web passwords but also for weak FTP, POP3, SMTP, telnet and other passwords as well.

I'm still waiting for some good brute-force checks built into these tools (a la Brutus) and - especially - better handling of login forms. If/when this occurs I honestly think we could eliminate a huge chunk of the directly-exploitable Web flaws out there. In fact, I'm really surprised that other scanners aren't doing more in this area.

I'm confident that many - if not most - Web sites/apps that are deemed "secure" are just one weak password away from getting hacked...the weak passwords are there, they're just being overlooked. Unless and until we start seeing better password-cracking capabilities built into all mainstream Web vulnerability scanners this flaw will remain and surface its ugly head in any given system. It's just a matter of time.
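To make the point concrete from the defender's side, here is an added example (not from the original post and not Acunetix code) of the kind of password policy check a scanner or an application's own account-creation code would apply: a blocklist lookup that also catches common substitutions and trailing digits, a check for passwords derived from the username, a minimum length, and a character-class requirement. The blocklist and the sample username/password pairs are constructed for illustration; a real deployment would load a large published list of breached or default passwords instead.

```python
"""Weak-password policy check (added example; constructed blocklist and samples)."""
import re
from dataclasses import dataclass, field

MIN_LENGTH = 12

# Constructed sample blocklist (hypothetical). Production code would load a
# large published list of breached or default passwords instead.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty", "letmein",
    "welcome", "admin", "changeme", "summer2010", "iloveyou", "monkey",
}

# Undo the usual substitutions so "P@ssw0rd" collapses to "password".
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "i", "!": "i",
                          "$": "s", "3": "e", "4": "a", "5": "s", "7": "t"})


@dataclass
class PolicyResult:
    ok: bool
    reasons: list = field(default_factory=list)


def candidate_forms(password: str) -> set:
    """Variants of the password that are as guessable as the base word:
    lowercased, with substitutions undone, and with trailing digits or
    symbols removed ("summer2010!!" -> "summer2010", "p@ssw0rd1" -> "password")."""
    lowered = password.lower()
    forms = {lowered, lowered.translate(LEET_MAP)}
    no_symbols = re.sub(r"[^a-z0-9]+$", "", lowered)
    no_suffix = re.sub(r"[^a-z]+$", "", lowered)
    for form in (no_symbols, no_suffix):
        forms.add(form)
        forms.add(form.translate(LEET_MAP))
    return forms


def character_classes(password: str) -> int:
    """Count of lower, upper, digit and symbol classes present (0-4)."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def check_password(password: str, username: str = "") -> PolicyResult:
    """Return every policy violation rather than stopping at the first one,
    so the user (or the auditor) sees the whole picture."""
    reasons = []
    forms = candidate_forms(password)
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if forms & COMMON_PASSWORDS:
        reasons.append("appears in common-password blocklist")
    uname = username.lower()
    if uname and any(uname in form for form in forms):
        reasons.append("derived from username")
    if character_classes(password) < 3:
        reasons.append("fewer than three character classes")
    if len(set(password)) <= 2:
        reasons.append("uses only one or two distinct characters")
    return PolicyResult(ok=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Constructed sample accounts; none of these are real users.
    samples = [
        ("P@ssw0rd1", "jsmith"),
        ("jsmith2010!", "jsmith"),
        ("Summer2010!!", "alice"),
        ("correct-horse-battery-staple-42", "alice"),
    ]
    for pw, user in samples:
        result = check_password(pw, user)
        verdict = "OK" if result.ok else "REJECT: " + "; ".join(result.reasons)
        print(f"{pw!r:36} {verdict}")
```

The normalization step is what makes the difference: a plain blocklist lookup passes "P@ssw0rd1" and "Summer2010!!", which are exactly the passwords that get overlooked, while the three form variants catch both.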

What's the biggest Web vulnerability?

Here's a new piece I wrote called The Top Web Vulnerability We Face. It's something I suspect will be around for a long, long time. I'm curious if you agree?

Tuesday, March 23, 2010

Users *have* to start locking their screens when working remotely

To continue on with the message in this previous post about users locking their screens while away from their computers, I'm amazed at how naive people are with their computer usage in public places.

I see it practically every time I'm at a coffee shop - someone leaves his/her laptop sitting at the table while he/she goes out to take a phone call, use the restroom, smoke a cigarette or talk with an employee across the store, and that gives someone with ill intent enough time to snatch the computer or, in some cases, sit there and monkey around with it.

All it takes is about 60 seconds for someone to hop onto an unsecured computer, access sensitive files stored locally or via the corporate VPN and then delete them or email them out.

Combine this vulnerability with unencrypted hard drives and Microsoft's new always-on mobile intranet connection called DirectAccess and you've got yourself a big problem on your hands.

Check out my new Web application security ebook

Hot off the press...OK, hot off the computer - I've written an ebook on Web application security threats published by - a great application development/QA site that's part of the TechTarget family.

Download it and learn more about:

  • New Web application security challenges
  • Assessing your Web application security
  • Beating common Web security attacks
  • Hacking your own applications
  • Web application security best practices
It's free - just sign up for it at

Great quote on business and career success

Harold Geneen once said "In business, words are words, explanations are explanations, promises are promises, but only performance is reality."

Reminds me just how cheap talk can be when the marketing machine gets its way - especially with "cloud computing". Look more at the actions of businesses and people and less at the words. There you'll find what they're made of.

Monday, March 22, 2010

Our power of choice has been stripped

No need for us to think any more. Here's a great excerpt from a WSJ piece that underscores the issue:

"In our world of infinite wants but finite resources, there are only two ways to allocate any good or service: either through prices and the choices of millions of individuals, or through central government planning and political discretion."

You hear me say a lot that those in control of information security have a choice in the matter...and, as Dr. Phil McGraw says, you choose the behavior you choose the consequences. So be it.

But we individuals in our own personal lives here in America are losing our ability to choose. It's our new reality with Obamacare and, I suspect, many many other things to come. The politicians know better than the people...and it's all our fault.

I'm going to miss the days when we were in control of ourselves...when we were free.

You probably think I'm crazy. I really don't believe I am...I just see what has happened since the beginning and understand what all of this government control will lead us to. The decisions made this weekend will change our country deeply forever. Everyone will understand sooner or later.

Are you destroying your backup media the right way?

Here's a recent podcast I recorded on backup media data destruction...better be sure you're doing it the right way:

Ensuring proper data deletion or destruction of backup media

A sincere "Thanks!"

Frederic Bastiat once said "When plunder becomes a way of life for a group of men living together in society, they create for themselves in the course of time a legal system that authorizes it and a moral code that justifies it."

In the same spirit, I want to send out a sincere and heartfelt Thanks! to all my fellow Americans who voted for "Hope" and "Change", putting a Marxist-loving community organizer into power, which has led to the passing of this healthcare "reform" monstrosity.

  • I want to thank all the people who cannot think long term.
  • I want to thank all the people who do not take responsibility for their own choices and actions.
  • I want to thank all the people who vote for a living.
  • I want to thank all the people who use the police power of government to mooch off of others who actually work for a living.
  • I want to thank all the people who believe that government can solve all their problems.
  • I want to thank all the people whose selfish dependence on government takes top priority above all.
  • I want to thank all the people for supporting politicians who want to force their ideals upon us for the sole reason of gaining control of us and maintaining their own political power.
  • I want to thank all the people for supporting politicians who could only pass a bill by manipulating and cheating a well-defined set of rules and procedures.
  • I want to thank all the people who believe that Socialism and Communism are "other people's problems" - things that America could never evolve into.
  • I want to thank all the people who voted for George W. Bush and all the other spineless Republicans who have played a big part in where we're at today.
And finally,
  • I want to thank all the people whose desire for "Hope" and "Change" have helped diminish the opportunities this country had to offer my kids and my future grandkids and, instead, created a scenario for everyone to work harder with less payoff.

I'm just furious at what we've let this country become. The wars that have been fought...the lives that have been lost...the toil our Founding Fathers endured....All of that to end up like this.

Shame on us.

Email security - using content filtering and incident response to round things out

Here are some recent bits I wrote for and to help you flesh out the security of your email environment:

The state of email content filtering - and what you can do

Solidify your Exchange email server incident response plan