Second Show on WIIT

I was back on WIIT tonight as The IT Security Guy. I spoke about identity theft, how it affects students, how to protect yourself and where to get more information.

I'll be back on the air on January 18 to talk about spam.

We're looking at making it a regular show.

Security Outlook for SMBs for 2007

My thoughts on the security outlook for SMBs for 2007 came out in TechTarget's SearchSMB newsletter today.

The article is entitled IT security: The 2007 outlook.

New Anti-Censorship Tool

A new tool to allow web surfers to evade web censorship is expected to come out this Friday. The product, Psiphon, is an open source tool for use in countries that censor web sites.

Are RFID Credit Cards Safe?

The debates goes on about the security of RFID credit cards. I had an article come out today on TechTarget's SearchSecurity web site about the issue.

The article, RFID security issues endanger companies and consumers, ran in today's issue of their Network Security newsletter.

Bruce Schneier had a great entry recently on RFID credit cards in his blog on November 7.

Microsoft Secure Messaging Software

I got this disc in the mail with my monthly issue of TechNet magazine from Microsoft. It had a sample of their secure messaging software with some white papers thrown in.

Microsoft has an entire web site devoted to its secure messaging products and how to integrate them with Exchange Server.

There's a lot of information on the site about Microsoft's approach, in general, to e-mail security.

Article on Purdue Security Awareness Program

There was an interesting article this month in CSO magazine about security awareness programs, and how to make them successful. I had another post on November 20 from the article, Create a Winning Strategy for Your Awareness Program, about the MS-ISAC web site.

This piece was about a real interesting cybersecurity awareness program set up by Cherry Delaney at Purdue University in West Lafayette, Indiana. The program is called SecurePurdue and has an interesting web site with lots of cybersecurity and identity protection tips.

I added the link to my web site in the Awareness section.

SearchSecurity Data Leakage Article

My article on data leakage came out today in SearchSecurity's Network Security Tactics newsletter.

The article is entitled Data leakage detection and prevention.

V1.5 of Microsoft Anti-XSS Library Now Available

Microsoft has just released for download the latest version of its Anti-XSS Library on their MSDN web site.

Cross Site Scripting (XSS) continues to plague many web sites and is used by malicious users to get into web sites and application servers. User credentials can be stolen and then used to gain unauthorized access to a user's online bank account, for example, to drain funds, transfer accounts or create other financial havoc on the unsuspecting victim.

The approach to fighting XSS is equally as simple: validate and sanitize. A web developer should never trust ANY input from a user or a web site, even from hidden fields and less-obvious places like radio buttons and check boxes. Even these seemingly inocuous fields can contain application security land mines.

XSS is cross platform, meaning it's not just a Microsoft problem. But Microsoft's approach expands on the validate-and-sanitize approach with what it calls the "principle of inclusions." The application accepts valid input, meaning acceptable characters, but everything else is encrypted, blocking it from causing damage or malicious access.

Here are some other comments on the new library:

ACE Team blog

Channel 9 Forums

Kevin Lam's blog

The XSS-Proxy is a great web site devoted entirely to XSS, and I have links to other sites with XSS information on my web site. Click on Programming. There's sites listed in both the Programming and More Code sections.

SearchSMB VoIP Security Article

My article on VoIP security came out in SearchSMB today. Secure VoIP in simple steps reviews the strengths and weaknesses of VoIP in an SMB and some tips for handling security.


VoIP is nice in that it uses a company's existing Internet connection for phone calls. This can save a lot of money both in the cost of calls themselves and infrastructure costs. But, at the same time, VoIP can be another entryway into a company's network for malicious users from the Internet.

Buyer beware! This article explains it all.

Multi-State Information Security Web Site

Now that it's the holiday, and I have some time to relax, I'm getting caught up on some of my back reading.

I came across this interesting web site in a CSO magazine article about setting up a successful security awareness program.

It's the Multi-State Information Sharing and Awareness Center (MS-ISAC) web site. It's a nice portal with tons of links to useful information on state government initiatives to secure cyberspace.

I added a link on my personal web site under Awareness.

Review of Bradley's Essential Computer Security

I had mentioned in prior post that I would review Tony Bradley's new book, Essential Computer Security.

I just posted a review on Amazon. Here's an excerpt:

There's real meat in here that goes into surprising detail that's easy to follow that I've haven't seen in other recent books.Tony does a good job of covering setting up Local Security policies on Windows machines, for example. This is something I've only seen in hardcore techie manuals that probably wouldn't normally be seen by most home users.

There's a great chapter on disaster recovery, how to follow security bulletins from Microsoft and apply patches regularly. And, for the daring home use, even a chapter on setting up Linux.

WIIT Radio Appearance Tonight

I was interviewed tonight on WIIT about computer security. Introduced as The IT Security Guy, I spoke during a 15-minute segment about general computer security issues affecting universities and students.

Considering that WIIT is the official station of the Illinois Institute of Technology, here in Chicago, I thought the topic would be of interest.

A recording was made, which I'll post both here and on my web site, when it's available.

I'll be back on the air in two weeks, on November 30, to discuss how students can protect themselves from identity theft.

The plan is to host a regular show in the Spring.

New NIST Guide for Information Security Managers

The National Institute of Standards and Technology (NIST) has a new publication that came out in October. The Information Security Handbook: A Guide for Managers is another outstanding publication from NIST.

Typical of government publications, it's heavy reading and a bit obtuse, but it has a lot of gems and references to other NIST publications.

NIST is a good first place to stop when looking for information security reference materials. I have a link on my web site. Click on Awareness on the left, and it's at the top of the list of sites that appear.

Top Ten Ranking

I was pleasantly surprised this morning during my morning Google for my book to find that it was ranked by the Top Ten Reviews web site.

They had a page listing their top picks for Internet security books.

New WVE Sponsor

The Wireless Vulnerabilities and Exploits (WVE) web site has a new sponsor, Aruba Networks.

The WVE web site is a clearinghouse for wireless exploits. It's a joint effort headed by Network Chemistry, a leading wireless security consulting firm, and other groups listed on the WVE site.

The site is modeled after CVE and OSVDB, two leading clearinghouses for more general Internet and open source vulnerabilities. WVE focuses strictly on wireless issues. The US-CERT web site also has links to CVE and other online repositories about Internet security.

PCI and Credit Card Security

The Payment Card Industry (PCI) Data Security Standard was developed jointly by Visa and MasterCard to set standards for card issuing companies.

All merchants wanting to do business with the two cards must meet the PCI standards. Before PCI, it was up to merchants and issuers to implement security. What resulted was a hodgepodge of different requirements without a unified or standardized approach. PCI is meant to be that single standard.

There's a great web site, PCIStandard.com, that summarizes the standard and has a lot of links to resources about credit card security, overall.

I like the standard and find that it's pretty complete. But, on the other hand, it's heavily geared toward standard bread-and-butter network security practices that any company should already be implementing.

Fraud still continues to be the biggest threat to credit card security, and PCI doesn't really address that. Fraud can only be partially stopped by technical measures. Network security is only one part of that, because fraud is a people -- not a technical -- problem. But, hey, I'm not complaining. It's still the bare minimum that companies should be doing to protect their card customers.

Tony Bradley's New Book

Tony Bradley, a noted and prolific computer security writer, has just come out with a new book, Essential Computer Security: Everyman's Guide to Email, Internet and Wireless Security. I saw it at a local Border's over the weekend, but it's also available from Amazon and Bookpool.

Tony is very energetic. He runs the Internet/Network Security site on About.com and has written numerous books and articles, including for TechTarget, and recently became a Microsoft MVP in Windows security.

When I finish reading the book, I'll do a complete review on Amazon. What I've read so far is well written, entertaining and hits the key points of computer security for ordinary Joe and Jane home computer users.

Tor Cracked And Global Sites About Privacy

There was an interesting paper from FortConsult about breaching Tor to find out user IP addresses. That sort of defeats the whole purpose of Tor. The paper, Practical Onion Hacking, came out on Packet Storm in October.

I added two more sites to my web site about Internet privacy, censorship and filtering. The two sites, Privacy International and OpenNet Initiative, monitor privacy, censorship and Internet filtering issues around the world. They caught my attention because of their global focus.

Links to the two sites can be accessed from my home page by clicking on Privacy in the left-hand navigation on the home page and then clicking on the link in the page that appears.

November Issue of CIO Decisions Arrived

I just got the November issue of CIO Decisions in the mail yesterday. There's a blurb on page 63 about my recent article and podcast on their web site about figuring out ROI for identity and access management systems.

The theme of much of this month's issue is ID and access management. There's an interesting article starting on page 40 and a list of Do's and Don'ts on page 45. Good reading and worthwhile to pick up.

New Anti-Spam Web Site

The new StopSpamAlliance web site looks like an interesting addition to sites providing information about spam and combating it.

Identity Theft Survey by Capital One

Capital One, a credit card and financial services company, released a survey this week on identity theft. The statistics about the ignorance of these crimes, and how to protect against them, was quite astonishing.

The survey referenced MoneyWise, another interesting web site, one of many now, about how people can protect themselves from identity theft.

Article on Outsourcing Security Awareness Training

I had an article come out today in the Compliance Counselor newsletter of SearchSecurity about the pros and cons of outsourcing security awareness training:

Security awareness training: Stay in, or go out?

Information Security Decisions Presentations Now Online

The presentations from Information Security Decisions, SearchSecurity's premier event, is now online on their web site.

Information Security Decisions was in Chicago October 18-20. It's held twice a year, once in New York and once in Chicago.