Monday, October 30, 2006

Second Podcast and SearchCIO Article

My second podcast came out on SearchCIO last week. It's about justifying the cost of an ID and access management system. It's meant to accompany an article coming out in the November issue of their magazine, CIO Decisions. But the article is already online on the magazine's website.

I also had another Ask The Expert question posted on SearchSecurity:

Can a security administrator be granted exclusive access to a Windows 2000 security log?

Stay tuned. I have more coming in the next few weeks!

Friday, October 27, 2006

Aladdin -- A Company to Watch

Every time I go to a trade show with information security products, I'm overwhelmed by the number of companies all selling the same thing. Everybody claims to be a firewall -- application or otherwise -- an authentication product, an IDS, an encryption tool. Everybody wants to be a one-stop shop, but few achieve it. Most are good at one or two things. Few are outstanding in everything.

With the wave of consolidation continuing this year, I'm sure half the companies at these shows will disappear, swallowed up by larger companies.

One company that's interesting is Aladdin. They were at Information Security Decisions this month in Chicago and at RSA 2006 in San Jose earlier this year.

At RSA, they debuted an interesting biometric product scheduled for release in 2007 that builds an electrophysiological profile of someone. There are details in an article I wrote after RSA for SearchSecurity.

Two of their products of note include eSafe, which is a suite of tools for protection against web attacks, including content security, web browsing security, anti-spyware and spam and e-mail management.

The other product, eToken, is their two-factor authentication suite. It includes token and Smart Card products that interface with PKI, VPNs and Windows network logons.

Saturday, October 21, 2006

My SearchSMB Article on MSSPs

I had an article come out this week about managed security service providers (MSSP) on SearchSMB: Managed security services: What's right for you?

TechTarget's annual Information Security Decisions conference was in Chicago this week. As usual, it was well attended and informative. They hold the conference twice a year, once in Chicago and once in New York.

A lot of companies there called themselves MSSPs. It seems like everybody's in the game now. Shop carefully!

Thursday, October 19, 2006

Security and Your Offshore Operations

I wrote an article about security and offshore operations for the Compliance Counselor newsletter on TechTarget's SearchSecurity web site.

The article, Privacy and your offshore operations, went up on their site yesterday too.

Wednesday, October 18, 2006

Microsoft Privacy Guidelines for Developers

Microsoft came out last week with Privacy Guidelines for Developing Software Products and Services.

Interesting stuff. The 49-page document reads like a non-technical guide to secure software coding. There isn't a single line of code in the whole thing, but the recommendations could apply to any software developer.

Computer World had some interesting commentary today on the subject too.

Microsoft has come a long way in its approach to security, particularly in the area of software development. They've integrated secure coding practices into their development lifecycle. The privacy guidelines just mentioned are part of Microsoft's Security Development Lifecycle (SDL). Microsoft also has a book on the subject, The Security Development Lifecycle, by Mike Howard and Steve Lipner.

And I'm not just saying that because I'm a Microsoft MVP in developer security.

Tuesday, October 17, 2006

Interesting Identity Theft Sites

Here's an interesting blog post on Your Credit Advisor about protecting your identity. The post is titled The Ultimate Guide to Preventing Identity Theft. It's a nice summary of all the moving parts and details of someone's identity and how to protect them.

Another site I like, also a concise summary of the highlights of identity theft, is Get Safe Online. The site covers protecting your PC, yourself and your business. The presentation is well organized with links to lots of other identity theft resources. There's also a nice blog, which is a little hard to find since it isn't linked directly to the site. The blog had a post recently on, of all things, blogging safely.

Along the same theme, MySpace has a guide on safely using their site -- always an issue with the unwary.

Monday, October 16, 2006

Here's an interesting article in Computer World about storage security.

I wrote something in September on the same subject for SearchSMB.

Sunday, October 15, 2006

TechTarget Recent Ask The Expert Posts

Autumn 2600 Hits Newsstands

I picked up the Fall issue today of the hacker quarterly, 2600, at a local Barnes and Noble. I always look forward to picking it up on the newsstand, and it was two weeks early this time.

Anyways, as always, there was some interesting stuff in there. This issue included interesting articles about hacking two popular web sites, MySpace and Flickr.

There was a piece about hacking Pep Boys terminals. They've had several articles in past issues about similar vulnerabilities at other retailers, which shows how security at public terminals and kiosks in these places could be upgraded a bit.

There was also the usual story about getting free wireless, and then something really thought-provoking about identity theft. They provided some suggestions about altering your address information slightly to throw off identity thieves, and some other ideas on how to avoid giving your social security number out. The article offered what could be offered in lieu of providing an SSN to a service provider requesting it.

2600 is always a good read, and this issue was no different. I highly recommend picking it up.

Sunday, October 08, 2006

Proxies, Hacking and Privacy

I've always been fascinated by proxies because of their versatility for both good and bad. They're an integral part of bastion host firewalls, but can also be used for Man-In-The-Middle attacks and web hacking and testing with tools like Paros Proxy.

But lately, there's been a lot of discussion about proxies because they can be used to protect a web surfer's privacy. Again, the dual nature of their use for good or evil. They can protect both innocent web surfers just wanting to be left alone and criminals, who also want to be left alone, but obviously for different reasons.

I was thinking about proxies again this week after a tip from Kim Komando about two software proxy tools for home users. Her tips -- on hiding your IP address and online privacy -- mentioned two products: PHProxy and Privoxy.

I've added this to a list of proxies, and related tools, on my web site. Click on Tools in the left-hand navigation bar and then on Proxy Servers, on the Tools I page that appears.

I also did an article on SearchSecurity about protecting enterprises from the malicious use of anonymizers, a type of proxy, by employees.

Thursday, October 05, 2006

Interesting New Anti-Phishing Site

An interesting new anti-phishing site, PhishTank, was launched this week. Its approach is a little different than the Anti-Phishing Working Group, another well-known site battling phishing.

Viewers can submit phishing sites directly to PhishTank for exposure to the world. A great idea. I still like the Anti-Phishing Working Group site, though, and would recommend bookmarking both in your anti-phishing library.

The PhishRegistry is similar to PhishTank -- and another site I recommend -- but isn't as exhaustive. Users of the PhishRegistry can also track down recent phishes.

Details were in an article on SearchSecurity today.

Sunday, October 01, 2006

All My TechTarget Stuff to Date

Here’s a collection of links to all my articles to date for TechTarget on their SearchSecurity, Ask The Expert and SearchSMB web sites.

I’ve been at this for a little over a year and will add new articles going forward as they’re published. I wanted to post what I’ve done so far.

The articles on SearchSMB may require registration to TechTarget. Go ahead. It’s a great site with loads of fantastic information about not just SMBs but every aspect of enterprise IT, large and small, and up-to-the-minute hot news.

My first podcast from SearchSecurity came out recently. It was a lot of fun to make. I just recorded a second one, this time for SearchCIO, on Friday but have no date when it’ll be up on their site. I’ll post it here, when it’s ready. I have a piece in their magazine, CIO Decisions, coming out in November.

And now for the articles: