Monday, February 26, 2007

Belarc Tool for Checking Your Desktop

A useful tool for checking the security of your desktop is Belarc. Unlike Shields Up, another fine product from Gibson Research, Belarc is a download that must be installed on the desktop.

Other scanning tools, like Shields Up, remotely scan your machine without having to download anything.

Some of these tools are Firewall Leak Tester and DShield. For checking browser security, go to Scanit, which also remotely tests your browser's security. Be prepared for lots of pop-ups, since that's one of the things it tests for.

Zaba on ZabaSearch and Privacy

I was looking for ZabaSearch the other day and accidentally typed in, instead of

What I found was an interesting site by Stefak Zaba, who works for Hewlett-Packard in the UK in privacy and security, of all things. He has some comments about the people search site that shares his name.

A similar site, PublicRecordsNow, also displays basic information about people, but getting more requires a fee. What's unsettling about ZabaSearch is that it displays people's addresses even if they're unlisted in the telephone directory. And, according to Stefak, there's no way to opt out.

Saturday, February 17, 2007

Free Encryption Tools

There was an interesting article this week in Information Week about encryption tools. The article was about protecting PC data, in general, both physical and otherwise. But a good chunk of it was about encryption of hard drives and files.

There was a link in the article with a list of free encryption tools and about PGPdisk, another free tool.

I have another list of other free encryption tools -- mostly for full disk or file encryption -- on my web site. Click on Tools, then click on Tools II at the bottom of the page that appears.

They're also listed here:

Wednesday, February 14, 2007

LaptopLock: An Online Lock for Laptops

Among Chris Pirillo's picks yesterday was a post about LaptopLock, an online service for protecting against laptop theft. The pick was called Recovery help for lost or stolen laptops.

A laptop owner can create an account on the site for their laptop. They then install a client, which follows the user's instructions. If the laptop is lost or stolen and a malicious user tries to access the Internet, they'll be asked to authenticate. Without the valid user ID and password, a malicious user is locked out.

I added an entry on my web site for LaptopLock. Click on Hardware in the left hand navigation and the page with the link will appear.

Tuesday, February 13, 2007

Correction to Enigform Post

In a recent post about Enigform, I mistakenly said that it digitally signed e-mails.

In fact, it's about HTTP POST signing with OpenPGP, which is something different.

The project is being developed by Arturo "Buanzo" Busleiman. See his comments in the post for details and on Buanzo's Blog for even more details.

Sunday, February 11, 2007

IT Audit Checklist

I recently came across this checklist from the IT Compliance Institute about IT audits; it's an extensive list for those going through an internal information security audit.

I also added a link to the checklist on my web site. Click on Awareness then More Awareness at the bottom of the page. Click on IT Audit Checklist on the page that appears.

There's also a new book, IT Auditing, from McGraw-Hill along a similar theme. The book is an exhaustive list of the controls sought by auditors. It's available on Amazon.

Saturday, February 10, 2007

Microsoft Threat Modeling Tool Updated to v2.1.1

Microsoft released this week an updated version of its Threat Modeling and Analysis Tool. The updated version has some bug fixes.

More details are also on the Microsoft Application Threat Modeling Blog:
Here's a list of some of the specific fixes:
  1. Updates to the Import/Export functionality
  2. Fixes to the reports issues
  3. Added a new custom report
  4. Couple of other UI fixes

December ATE Questions Posted on SearchSecurity

Wednesday, February 07, 2007

Enigform for Authenticating E-Mail

There was a post today on Buanzo's blog about a Firefox extension he's developed for authenticating e-mail.

This is really interesting. What the extension does is provide OpenPGP digital signing of e-mails.

More details and documentation about Enigform are on his web site.

IT Security From a Canadian Perspective

I came across two interesting sites recently that cover the IT security scene in our northern neighbor, Canada.

One is a blog, IT Security - Canada, which had a recent post about a Canadian bank losing data on 470,000 customers. That's a big data breach by any standard, but considering that Canada is one tenth the size of the US in population, it magnifies that number even more.

The blog has a feed to another Canadian security site, ITWorld Canada, which also reports IT security news from a Canadian perspective.

Tuesday, February 06, 2007

Podcast of My SearchSecurity VPN Piece

SearchWinComputing, part of the TechTarget group of web sites I write for, ran a podcast recently of one of my pieces about VPN security.

NYT Article on Weak Security of Bank Web Sites

The New York Times ran an article yesterday critical of security on some banking web sites.

The focus of the article was on SiteKey, developed by PassMark Security about two years ago specifically for Bank of America. This technology really only authenticates the user's machine rather than the user.

But BoA, as well as other banks, bought into it as a psychological cushion. Unfortunately, the cushion has deflated.

With automated MITM attacks now possible against One-Time Password (OTP) tokens, it's only a matter of time before new authentication methods for web sites will have to be dreamed up. Obviously, two-factor authentication didn't do the trick.

My SearchSMB Article on E-mail Security

I had an article come out yesterday on SearchSMB about e-mail security.

It was called Email security buying decisions.

Sunday, February 04, 2007

StolenID Search Web Site

This site was mentioned in an article in Computer World this week. It's called StolenID Search, and a user can enter their credit card number or Social Security Number (SSN) to check it against their database of credentials reported stolen.

It's an interesting concept but after having it drummed into me not to enter my SSN on a web site -- unless absolutely necessary -- this is one I have to think about.

The site has some background information about TrustedID and is worth a visit, at least.

CAN-SPAM Article for Threat Monitor

My article about the third anniversary of the CAN-SPAM Act came out this week in SearchSecurity's Threat Monitor newsletter.

The article was titled Is the CAN-SPAM Act a help or a hindrance?

RFID Guardian

A group called the RFID Guardian Project won the Best Paper Award at USENIX LISA 2006 for a paper about an RFID personal firewall.

Details are on their web site.

I wrote an article in November about RFID security for SearchSecurity.

US DOJ Forensics Guide

The US Department of Justice came out last week with a 137-page guide to forensics and computer investigations.

The guide is titled Investigations Involving the Internet and Computer Networks and is in PDF format.

Saturday, February 03, 2007

InfoWorld Article about Security Convergence

InfoWorld ran a thought-provoking article this week, IT security gets physical, about the convergence of IT and physical security.

This is one of those great philosophical questions of the information security universe. While a lot has been said about this subject -- and I agree it's a good thing -- it's still a pipe dream at many companies. The bureaucratic barriers at most companies are too great.

But all hope may not be lost. The US government HSPD-12 initiative, which requires all federal facilities to have uniform access by Smart Card, could lead the way for the same in private industry. So, what's the big deal with physical access? The big deal is that the same systems can be integrated, eventually, into an access management system.

That means both physical and logical access to computer systems would be linked as part of the same multi-factor authentication system. This would provide seamless auditing, logging and tracking of users, both through facilities and in their access to computer systems.

Yes, yes, I know. Just like Single Sign-On (SSO), it's a single key to the whole store. That means that, if compromised, a malicious user would have access to both the facilities and their system. More on that later. Let's see step one implemented first.

Thursday, February 01, 2007

An Unspammable E-mail Link

Mitch Keeler, who writes for Lockergnome, had an interesting link to a site with JavaScript code for creating an unspammable e-mail link.

The article was in Lockergnome's Web Developer newsletter.
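As an added example (not the code from the linked site or from Lockergnome), here is one way such a link works: the page ships the address only as an array of character codes and rebuilds it when the script runs, so a scraper that greps the raw HTML for addresses finds nothing. The address contact@example.com and the helper names are constructed for this illustration; a scraper that executes JavaScript still sees the finished link, so this deters harvesting rather than preventing it.

```javascript
// Build-time step: turn a plain address into character codes. This runs
// once, offline; only its output is placed in the served page.
function encodeAddress(address) {
  return Array.from(address, (ch) => ch.charCodeAt(0));
}

// Run-time step: rebuild the address from the codes in the browser.
function decodeAddress(codes) {
  return String.fromCharCode(...codes);
}

// Escape the characters that matter inside an HTML attribute or text node,
// so the decoded value cannot break out of the anchor markup.
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Produce the anchor markup from the encoded form only.
function mailtoFromCodes(codes, label) {
  const addr = decodeAddress(codes);
  return `<a href="mailto:${escapeHtml(addr)}">${escapeHtml(label || addr)}</a>`;
}

// What the author ships: the codes for the constructed sample address
// "contact@example.com", never the address itself.
const CONTACT_CODES = [99, 111, 110, 116, 97, 99, 116, 64, 101, 120, 97,
                       109, 112, 108, 101, 46, 99, 111, 109];

// The inline script a page would embed; the literal address is absent.
function pageSnippet(codes) {
  return `<script>document.write(mailtoFromCodes([${codes.join(',')}]));</script>`;
}

// A scraper-style check: does a simple e-mail regex match the served text?
const EMAIL_RE = /[\w.+-]+@[\w-]+\.[\w.-]+/;
function looksLikeEmail(text) {
  return EMAIL_RE.test(text);
}

// Browser path: write the link into the DOM when one exists (hypothetical
// usage); in Node this just returns the markup.
function render(codes) {
  const html = mailtoFromCodes(codes);
  if (typeof document !== 'undefined') {
    document.body.insertAdjacentHTML('beforeend', html);
  }
  return html;
}
```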

Bootable Linux from USB Pen Drive

There was an interesting item on Chris Pirillo's web site about a live Linux distro that can boot from a USB drive. The distro is available for free from Sourceforge.

Chris runs the outstanding Lockergnome web site, which features newsletters dedicated to various fields of IT: Windows and Linux, and web development, to name a few.

Bootable Linux isn't new. Knoppix has been around for a while, and I have a list on my web site. Click on Linux in the left hand navigation pane.