Security for Google Apps with Postini
July 9, 2007
With Postini Solutions, you can secure all of your electronic communications - email, instant messaging and the web – and manage your company’s communication policies from one central location. Postini Solutions can also make it easy to meet your archiving and encryption needs.
We realized that we needed a more complete way to address these information security and compliance issues in order to better support the enterprise community. That’s why we’re excited to share the news that we’ve agreed to acquire Postini, a company that offers security and corporate compliance solutions for email, IM, and other web-based communications.
Security Now Episode #95
June 25, 2007
Steve Gibson and Leo Laporte talked about OpenID on Episode 95. OpenID would provide single sign-on verification for site logins. This would not replace something like SSL (which is mutual authentication), but it would be better for simple logins to sites like del.icio.us, digg.com and others.

BYU professor Philip J. Windley explains how OpenID works on his site.
There is no such thing as Security
October 18, 2006
I’ve noticed that there are two types of security people: anal “type A personalities” who live every moment by the rules, and those who realize that there is no real security. Please understand that these two mindsets don’t seem to have anything to do with talent. I’ve met talented people with both mindsets. A talented security professional is mindful, aware, and always pays attention to detail. The very best seem almost psychic in their ability to spot wrongdoing, security breaches and even malicious intent.
Type A security people seem to thrive on “catching bad guys”. It’s like they are kids playing cops & robbers. These people thrive on structure, order and regulations. In information security they know how important it is to have lots of centralized control and a standard configuration for all systems. In the Myers-Briggs personality test, these people are ESTJs (Extraverted Sensing Thinking Judging). The thought of anyone getting away with breaking the law (ANY LAW) is unacceptable. These guys make great Directors of Security, CSOs and other policy creators as long as they don’t micromanage their people. Their employees will either love them as a great mentor or hate them with every fiber of their being.
Those who realize that there is no such thing as security are hackers. They are many times INFPs (Introverted iNtuitive Feeling Perceptive). Unlike the ESTJs, they don’t care about structure and rules because they realize that rules are only suggestions to keep an acceptable level of order. For them the most important rules are in a person’s heart. ESTJs will usually see these people as lazy and uncaring, but these people are just trying to find an easier way to do things. If they don’t enforce certain rules or cut corners, it’s because they sincerely believe that the rule or enforcement (in that particular situation) is not needed. Employees will usually love INFPs unless they happen to be ESTJs.
I am a bit biased because I am in the second camp, INFP. I don’t believe there is such a thing as “security”. No one is ever completely safe. All a person with malicious intent needs is the element of surprise, time, and pressure, and they can get away with anything they want. Further, anyone at any time can have malicious intent: employees, kids, bosses, friends, family, not just random strangers.
Security is just an illusion. The one good thing security does is ensure you are faster than the slowest person, organization, network or whatever on the block. Those with malicious intent will typically go for the easiest target.
Since many crimes are committed by people the victims know, all we can really do is not worry about it. Life is too short to waste too much time fretting about every possible thing that can happen to you.
I guess that is what Ben Franklin meant when he said:
“Those Who Sacrifice Liberty For Security Deserve Neither”
If you worry so much about security that you can’t enjoy the fruits of your labor, then what is the point of living? And if you can’t enjoy living, what’s the point of protecting ANYTHING? - elamb
Information Security Gurus: Say Goodbye Mr. Network Geek
September 15, 2006
“Information Security workers have found themselves caught up in this wave of change. Originally, it was an important and vital job to track down the current virus threats, manage the Service Packs in [Pick your Windows flavor here], install the few hotfixes needed and call it a day. The rest of our time was spent on the important matters - defining”
The “wave of change” keeps me employed, but I must agree with Karn at Security-Guru.blogspot. There are a lot of times when I’m just playing “whack-a-mole” with security problems. The root of the problem needs to be taken care of.
There is a movement toward more proactive security instead of the old, losing reactive security:
- At Defcon, Rick Wesson of Support Intelligence, LLC introduced a method of tracking botnets and blacklisted malware servers globally and in real time.
- Microsoft is heading up a proactive security project called Strider HoneyMonkey Exploit Detector. It is a kind of active honeypot that follows the links of malicious sites to find new exploits.
What is a Hacker?
September 14, 2006
“A hacker is someone who thinks outside the box. It’s someone who discards conventional wisdom, and does something else instead. It’s someone who looks at the edge and wonders what’s beyond. It’s someone who sees a set of rules and wonders what happens if you don’t follow them. A hacker is someone who experiments with the limitations of systems for intellectual curiosity.”
The above is a quote from crypto living legend Bruce Schneier’s book, Beyond Fear. This is exactly how I feel about hacking. Hacking is a major asset to Information System Security… in fact, it is THEE only real asset. I’ve had arguments with some of my peers about this: Information Security Pro vs. Hacker. If the typical information system security pro doesn’t get smart on hacking (security/programming) techniques, security will continue to be a losing battle. Cyber criminals have no problem learning the latest exploits; they have no boundaries, and this gives them a “superpower” against security professionals. Some information security professionals, on the other hand, restrict themselves by categorizing hacking as bad. They see it as unethical and not responsible.
It is unethical and not responsible to NOT know hacking techniques that might exploit a customer’s system.
Thanks for the post Bruce. I hope you will make another appearance at the Defcon.
Security Forums Directory
July 21, 2006
Easily locate forums and newsgroups related to security. Why isn’t elamb.org on there? Oh, well.
McAfee Reveals 'OneCare' Competitor, Falcon
May 31, 2006
McAfee announced today an all-in-one security subscription service codenamed Falcon. Falcon will contain all major security suite components as well as PC backup and tune-up tools. It's essentially a competitor to Microsoft's Windows OneCare, expected soon, and Symantec's Genesis (also a codename), due out this fall.
Symantec has a lawsuit against Microsoft based on alleged “misappropriation of intellectual property.”
<sarcasm>
</sarcasm>
What blows my mind is how Microsoft continues to get away with this.
Microsoft Innovator's Copy & Conquer
18 Days of Reckless Computing
May 31, 2006
Someone over at Wired tests his new Dell to see how many viruses and how much malware it takes to get the Geek Squad to call it a total loss.
10 Security Suite Reviews : Who's Got Your Back
May 30, 2006
All-in-One Security
Suites of antivirus, antispyware, and firewall software can provide convenient, solid protection against today's worst threats. Our tests of ten contenders show who's got your back.
Computer Viruses Monitored via Dynamic Worldmap
May 30, 2006
You'll be able to view Previous Hour, Previous Day, Previous Month, This Year, and Previous Year. Color Coding has 6 Ranges (No Data, Quiet, Low, Medium, High, and Epidemic)





