Archive for the 'Uncategorized' Category

Jun 26 2008

The Internet is a public place

Published by under Uncategorized

Some time in the distant past, or maybe just a couple of years ago, I signed up for the US-CERT Cyber Security Tips mailing list. Every week they send out an email concerning online security, targeting the average home user with a simple concept they should be able to digest fairly easily. It’s not something that’s going to educate most of the professional paranoids who hang out and read a blog like this one, but it is usually a subject your parents or non-technical friends can learn from.

This week’s mailing is “Guidelines for Publishing Information Online”. To quote their own synopsis,

Remember that the internet is a public resource. Avoid putting anything online that you don’t want the public to see or that you may want to retract.

If you’ve been reading the blog or listening to the podcast, you’ll probably have seen me use words very similar to that a number of times. Especially when Uncle Mike Rothman tries to get me going on a subject like privacy. Privacy isn’t dead, but the vultures are gathering and it’s up to each and every one of us to safeguard our own privacy by being aware of what we put on the Internet. ‘Cause once it’s out there and Google’s indexed it, you’ll never get that piece of information back in the bottle.

Isn’t it funny when someone who blogs as much as I do says be careful what you put on the Internet?


No responses yet

May 15 2008

xkcd: Security Holes

Published by under Uncategorized

Not to be outdone by Dilbert, xkcd has its own Debian-related humor today. Whoever thought that the words “encryption” and “humor” would apply to the same blog post?



3 responses so far

May 14 2008

WP Security Scan

Published by under Uncategorized

I don’t care if you’re a security blogger or just a plain vanilla blogger, you owe it to yourself to check out WP Security Scan. This plugin will scan your WordPress installation and give you suggestions on how to make it more secure. It found a number of permissions on my blog that had been set incorrectly (now fixed) and gave me other suggestions such as changing the names of the directories from the easily guessed defaults. I know that a lot of people have a hard enough time just keeping their blogs up to date, but given the rash of WordPress compromises I’ve heard of recently, this is something everyone running a WP installation needs to do.
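The permissions check is the part of that scan you can reproduce by hand, so here is an added example of doing it from a shell. This is not WP Security Scan’s code, and the baseline it assumes (directories 755, files 644, nothing world-writable or setuid under the web root, and wp-config.php, which holds the database credentials, readable only by its owner) is a common conservative choice, not something the plugin or the post specifies. Pass the WordPress root directory as the only argument.

```shell
#!/bin/sh
# Added example, not from WP Security Scan or the original post.
# Audits a WordPress tree for the permission problems a scanner would flag.
# Assumed baseline: no world-writable files or directories, no setuid or
# setgid files under the web root, and wp-config.php not readable by group
# or others. Prints one finding per line; returns 0 when clean, 1 when
# there are findings, 2 when the directory does not exist.
# Uses only POSIX find/sed so it runs on shared hosting without GNU tools.

wp_perm_audit() {
    root="$1"
    if [ ! -d "$root" ]; then
        echo "no such directory: $root" >&2
        return 2
    fi

    out=$(
        # World-writable entries: any local account (including another
        # customer's compromised site on shared hosting) can modify them.
        find "$root" ! -type l -perm -0002 | sed 's/^/WORLD-WRITABLE /'

        # setuid/setgid files have no business under a web root.
        find "$root" ! -type l \( -perm -4000 -o -perm -2000 \) \
            | sed 's|^|SETUID-OR-SETGID |'

        # wp-config.php carries the DB password; nobody but the owner
        # (and the web server, if that is a different user via group)
        # should be able to read it. Here anything beyond owner is flagged.
        cfg="$root/wp-config.php"
        if [ -f "$cfg" ]; then
            find "$cfg" \( -perm -0004 -o -perm -0040 \) \
                | sed 's/^/CONFIG-READABLE-BY-OTHERS /'
        fi
    )

    if [ -z "$out" ]; then
        return 0
    fi
    printf '%s\n' "$out"
    return 1
}

# Stand-alone usage: sh wp_perm_audit.sh /var/www/html
if [ -n "$1" ]; then
    wp_perm_audit "$1"
fi
```

Run it from cron after every upgrade or plugin install, because installers and FTP clients are the usual source of the 777 directories the scanner complains about. Typical fixes on the findings it prints are `chmod 755` for directories, `chmod 644` for files and `chmod 600 wp-config.php`.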

Another plugin in the same vein worth checking out is WordPress Automatic Upgrade. No more waiting for your service provider to get around to the upgrade or mess with all the funky files yourself. The only problem I have with it is re-enabling the plugins after an upgrade, which is a relatively minor issue. I run the plugin occasionally just to get a backup of the blog. See, I do learn from my mistakes occasionally.


One response so far

Apr 25 2008

Bill Brenner leaving SearchSecurity.com

Published by under Uncategorized

Just got an email update from SearchSecurity.com: Bill Brenner has announced that he’s leaving the company to ‘pursue a new challenge’. That usually means he got a better offer somewhere else, which bodes well for Bill. I’ve talked to Bill a few times for different articles he was writing and he seems like a pretty nice guy, so I wish him the best of luck in his new adventure. Hopefully he tells us all what it is sooner rather than later. For some odd reason I couldn’t find the update on the SearchSecurity site yet.


No responses yet

Apr 15 2008

Network Security Podcast, Episode 101

Published by under Uncategorized

Rich and I review some of the events that went on at RSA, including Rich’s analyst panel and Thursday morning’s ‘Avoiding the Security Groundhog Day’ panel. Neither of us was all that impressed with the showroom floor or the keynote speeches given at RSA, but we both enjoyed getting reacquainted with the security professionals we tend to only catch up with at events like this. Finally we talked about what events we’d go to in pursuit of furthering a burgeoning security career. And just in case you’re wondering where Episode 100 is, it was the live video we took last week at the Security Bloggers Meetup. Not that anyone could have missed it, given the amount we’ve been talking about it lately.


Tonight’s Music: Pride by Paula Toledo

Network Security Podcast, Episode 101, April 15th, 2008

Time: 42:26


No responses yet

Jan 15 2008

Network Security Podcast, Episode 90

Published by under Uncategorized

Martin is flying solo on the podcast tonight, sort of. Rich is at Macworld this week and phoned in two segments, one on Steve Jobs’ keynote address and one on security vendors at the show. Add to that one Mac-related security item and we’ve got a pretty Apple-heavy show this week. Everyone else in anything related to tech is covering Macworld, so why not us?


Show notes:

Network Security Podcast, Episode 90

Time:  27:41


No responses yet

Jan 04 2008

Web server fall down, go boom!

Published by under Uncategorized

I woke up this morning with a long list of things to do, but the Gods of Computing had other ideas. One of the first things I noticed when I logged into email was a lack of new emails, which is odd considering I usually get several hundred spams a night if nothing else. My brain was still fuzzy from lack of caffeine, but this set off some alarm bells in my head. A quick surf to the web site showed that my server was down, a few pings got no response, and SSH wasn’t responding either. After a few words I was glad my children weren’t awake to hear, I got a cup of coffee and started troubleshooting.

Turns out that somewhere in the middle of the night, the PCI bus on the server’s motherboard decided to bite the dust. It shows memory errors where there were none before. The system comes up, and even though the NIC responds, it’s not allowing connectivity in any way, shape or form. I can get on the server locally, but no network connections are being established.

Taking this as a sign from above that maybe it’s time to switch from hosting the site and my email at my house, I’ve switched all of my DNS, email and web services over to BlueHost. And since I have to rebuild everything anyway, I’ve switched from Movable Type to WordPress, something I’ve been thinking about doing for over a year now. And despite an earlier resolution to back up the entire database on a regular basis, the latest backup I have is from the end of August, so I’ll be losing a number of posts and comments until I take the time to recover them from the now defunct server. Luckily I’ve hardly been posting the last few months, so it’s probably no more than a couple of dozen posts lost.

I am not a happy camper, especially since I already had a full day’s worth of work ahead of me. I’ll probably take some more time this morning to at least get a better looking page up, but most of the real work is going to have to wait until another time. And since I have a report due Monday, it looks like I’ll be working all weekend. And to top it all off, I managed to spill coffee on my sound board while trying to reach around to the back of the dying server. It seems to be okay so far, but I said more words the kids shouldn’t hear when that happened.

At least mail is working and the site is back up, even though it’ll take a day or two for the DNS changes to propagate throughout the Internet. If you haven’t already changed over to the Feedburner feed, now would be a good time. As soon as I get that pointed to the new RSS feed, that is. Speaking of which, I’ll be back once I’ve fixed that too.

Edit: The FeedBurner feed is http://feeds.feedburner.com/MartinMcKeaysNetworkSecurityBlog


3 responses so far

May 29 2007

PCI (and compliance) are just tools

Published by under Uncategorized

Michael Dahn started an interesting conversation with his post, “Putting an end to compliance via continuous security”. He wonders why he and other auditors come back to companies and find the same problems year after year. Why can’t a company stay compliant over the course of a year? The reason, or at least a reason, is that the technologies might be changing, but the mentality that created the problem in the first place is still there.

I don’t claim this as an original idea; it’s something I picked up from my teacher when I trained for my GSNA. She stated that until you can change the way people are thinking about security, similar problems are going to keep showing up again and again. Policy might change the perception of security measures, education works better, and sometimes people have to be replaced. But until you can instill a proper security mindset in your users, problems will continue.

I always thought of PCI and compliance in general as a lever to promote change in the corporation. People don’t like change, and management really doesn’t like security managers who ask for large increases in their budgets. But when you can use the compliance issue as a justification, you’ve taken that item from a ‘nice to have’ to a ‘must have’. There are other ways to justify your work and your technology, but an itemized list of requirements helps a lot.

I also view becoming compliant as a secondary goal to becoming secure. If you keep your priorities in that order, it should make doing both much easier in the long run. I can’t say I’ve been completely successful at this in the past, but I found it made my life much easier when I did. Focusing on a security solution that also happens to be a compliance solution is much more important than finding a compliance solution that’s secure.

There are a lot of good comments on this thread. I like the idea of a continuous approach to security, but it will be a change to the way people think. If PCI or some other compliance framework is the tool you need to effect that change, use it. But don’t lose sight of the real goal, which is the security of your company, not the compliance itself.


One response so far

Apr 17 2007

I only wish Greg Dean was right

Published by under Uncategorized

Unluckily, given what’s been happening in Florida the last couple of months, I think Greg Dean of the Real Life cartoon is wrong and the premise of “Man of the Year” is closer to reality than he thinks.


No responses yet

Apr 11 2007

Hacking the Cisco NAC

Published by under Uncategorized

Mirko from (In)Secure Magazine and Help Net Security sent me a link to a video they recently published from Black Hat Europe. Two researchers presented a paper there on how to hack Cisco NAC. I think many people already realized that client-side controls for NAC are circumventable, but this is the first time I’ve heard of someone actually creating an exploit. The two researchers had just given a talk, and while they haven’t posted the exploit code yet, it probably won’t be too long before it becomes available.



One response so far
