Kyle Northcutt posted this question on LinkedIn:

Who and what should the web filter block?

Obvious malicious, lewd and illegal content aside.... should mental diversions be limited or blocked from users? Social networking, youtube, gaming, news, etc can be very distracting and hamper production, but when used sparingly can boost morale, enhance creativity and act as an employee perk in the organization.

My question is, which(if any) of these activities should be blocked? Should everyone be affected by this policy or should engineering and executives be excluded? As a bonus, how does your company handle web filtering?

There are many interesting answers to his question - ranging from "Block them all, and only open those you need", to answers like Angelos Karageorgiou, who says:


I like Angelos answer because it points to where the challenge really is - the humans. With the technology, we can do everything we can imagine. But humans. Now, that is a totally different manner. It takes a very non-technical manner to deal with those people.

In all my humbleness (right), I post my own answer below (as it is found on LinkedIn).


My LinkedIn answer:

In my experience, blocking access to internet resources soon turn your employers into a negative, less-productive bunch of unhappy sheep (lots of negativity in there, huh?)

Nothing is obvious when it comes to humans, and just blocking whatever one person finds obvious may very well upset someone else. As long as we are using technology to deal with human behaviors, we need to teach the same humans the reasons we choose to use technology instead of juts enlightening them.

There are only a few occasions I suggest using these kinds of controls:

* in controlled / secure environments where you must ensure 100% control of what is entering and leaving the area (then I always advice to set up a set of computers with access - as Internet now is a vital part of our communications)
* in restricted areas like jail and schools where motivation to follow policies are not that evident. But - this is also a very narrow path, as many kids today outsmarts the local IT-resource.
* in short time frames in departments dealing with sensitive information like annual results. Then we may close down all communication within a particular time - but never forget that there are phones, facsimiles and other techs you cannot control (that easy)

I am not a fan of closing down access. I believe that most employees are going to do their job as expected - as long as they get their perceived value in return. And face it - in today's workspace, most people will expect access to the Internet at their discretion.

Now, I am an advocate for employer controlled work environment - ie. the company set's the rules, and when you sign your contract, you agree to follow those very rules. But. As long as we are dealing with humans, we will reach much better results by understanding how psychology and organizations work and function. By using a mixture of positive incentives and negative incentives, and doing this in a clever manner, you will see much better results over time.

Face it, if you force a block, someone will be unhappy. You will start see people trying to work around those barriers. Your management will scream and expect totally different rules. Your day will become a nightmare. And what do you achieve? Less motivated, less productive employees.

I suggest the following approach that has worked a dream in the past:

* set up a QoS on your network, and on your outbound link. Tune down everything you do not like entering (streams, P2P, Skype etc). Set it so low that it is still possible to use it, but not practical anymore.
* Inform your employees regularly about how computers is a time thief (I mean, even for me now - I spend time writing this on the Internet instead of doing any productive work...), and give them tips on how to deal with it. Consider them humans and grown up, and it is amazing what you can get them to accept.
* Set up a network monitoring device, analyzing and capturing data traffic. These devices are able to tune in on, and capture only relevant data - triggered by rules and patterns you can define. Use this to figure out what is really going on, and to find that one or two rouge employees that you know are out there. Now you have evidence you can use to force this person to either follow the rules, or to kick him/her out of the organization.

In the end, you have a very efficient setup that does not intervene with day to day business, that does not make you vulnerable to updates and new "things to block", and that as a bonus makes you the hero of everyone in the organization (except the rouge ones, though...)

I have very good experience with this type of setup. Just keep in mind that you are dealing with humans - so treat them like humans to get the to do what you want!

----

What are your thoughts on webfiltering?

LinkedIn, web filtering, security

I have a strong interest in entrepreneurship. As my followers know, I am a long-time member of JCI, and I am a serial entrepreneur myself. I developed companies in both Norway, and in France, and I have had my share of success and failures.

I have decided that this blog - the Roer.com Information Security blog will change and narrow it's focus a bit, and focus on information security for entrepreneurs and start-ups. I hope that this small change in focus will not drive away my current readers, while continue to grow my readership.

By doing this change, I hope to fill what I think is a gap in the Security blogging arena - to help start-ups and SME's to adequate security. As far as I see it, most security bloggers out there are in one or more of these three groups:

• vendor or service provider, focusing on promoting their own products/services
• (enterprise) risk management, focusing on what many SMEs will consider theory and not very relevant to their everyday focus
• IT-security, focusing on technology, hacking, and "geek" stuff

I think they all have an important role to play, and that they are needed. But for myself, I do not belong directly in any of the categories, plus I am very interested in entrepreneurship. Thus, I will try to fill this gap :)

But worry not, my readers! I will continue to dish out my opinions on global security, TSA, other bloggers and whatever else even remotely securtiy related that I feel an urge to comment upon!

On a side note, I have also established a new blog, focusing on another area I love - trainings!

Do you think this is a good move? Or am I walking into a dead end? Your thoughts are highly valued!

entrepreneurship, jci, security

Russia is moving in to Georgia. Is the Big Bear securing it's oil reserves? Are they trying to close the West's access to the Caspian sea? Where will Putin head after Georgia? Is Putin the new Stalin?

These and many other questions have surfaced around the world for a while now. To many of us, Georgia is far away, thus the news are easily downgraded on our scale of importance. And this might very well be Putin's exact calculations - that Russia can go out and grab Georgia with little or no reactions from the international communities.

I hope that reactions will come. That the international community will raise it's voice and tell Russia and Putin that theft is not acceptable. That Georgia will receive support and help on their path to independence and democracy.

In our globalized market, we are all interdependent. That should also mean that we are equally responsible for each other, that we should care and that we need to voice our concerns.

Larko opened my eyes - by pointing my radar to the incident. Thus, I changed the filter mode in my brain, and interesting bits of information started to appear. Some of them are listed below.

I encourage you to spend a few seconds (as a minimum) to consider the questions I pose above. By spending that little investment of your time, you may find that you need to do something more. If you do, please go ahead! Thanks!

• Russian Business Network blog (follows the RBN, also on the cyber warfare on Georgia)
• Huffington Post - interesting considerations from the US Security Advisor for President Carter
• Swedish Foreign minister Carl Bildt on the case
• EU consider reactions

Please feel free to air your voice - and submit other interesting stories on this potentially global security threat! (Yes, I may exaggerate on a short term - but what are the long term damage that may occur?)

The TJX case, one of the largest ID- and CC-theft cases so far, has finally gone to court.

The Feds rolled up a large, international circle of criminals who are charged for hacking their way to access a wide array of personal data. According to Attorney General Michael Mukasey, this is the single largest and most complex identity theft case that's ever been charged in the US.

Companies that got hacked include major brands like the OfficeMax, Barnes & Noble, Boston Market, Sports Authority, Forever 21, DSW, BJ's Wholesale Club and TJX Companies.

"They used sophisticated computer hacking techniques that would allow them to breach security systems and then install computer programs that gathered enormous quantities of personal financial data, which they then allegedly either sold to others or used themselves," Mukasey said. "They caused widespread losses by banks, retailers and customers."

The TJX Senior Vice President Sherry Lang ensures that TJX has gone a long way in order to assist the investigation:

"With our customers always being our primary focus, TJX has gone to great lengths to secure its customers' data," Lang said. "However, broader action beyond retailers alone is required to protect consumer data. Banks and the U.S. payment card industry must join retailers and work together, including installing the proven card security measures in the U.S. that are already in use throughout much of the rest of the world."

I like Lang's request - there is no doubt in my mind that the more we integrate and consolidate technology, solutions and tools - into what we consider efficient communication - the easier it is to exploit those tools. Remember - a few years back, you had to hack into each shop. A little later, you could reach the HQ, as the shops started to interconnect. Today, you can reach almost anything, anywhere - just using your brains and a computer.

Compliance is one thing that may help, better understanding of the technology and it's potential is equally important. From a business point of view, I think it is very important to consider the upside of adopting new (young) technology against the potential damage the new technology may inflict.

I am looking forward to following this case!

Other TJX related information

• TJX – you have done a great job!

• TJX gives CC advice to their customers!!!

• TJX update and "How it was done"
  

• TJX economics - the price it is easy to calculate
  

• TJX - the Wall Street Journal article
  

• All posts tagged: TJX

According to Simon Dumenco over at Wired, Facebook is too creepy to offer business value. I certainly agree that there are aspects of Facebook that might be creepy, but I do not think that alone is the main reason to not use Facebook in a business environment.

A couple of his comments are good, though:

"The ease with which Facebook can be used to broadcast your whereabouts adds a particularly disturbing dimension for executives who would surround themselves with security in real life but are lulled into complacency by Facebook's tidy veneer. Last year, the British military sent a directive to its army units to avoid revealing their service connections online—"Be particularly careful if you are on Facebook, MySpace, or Friends Reunited"—fearing that, yes, Al Qaeda could use them to track prey. Your business competitors might not be terrorists per se, but Facebook can be useful for anyone trying to poach your M.V.P.’s."

I think this point is valuable to Twitter, Plaxo and LinkedIn too - they all love the Status update these days.

Another point, made by David Weinberger is particularly interesting:

"Younger people violate older people's idea of proper behavior when it comes to privacy,"

Now, is this a challenge for the younger people, or for the older ones? Who needs to adopt? The Young? The Old? The Wise? Or heaven forbid - me?

----

More on Facebook:

• Facebook open to ID-theft
• Howto use Facebook to gather Intelligence, Part 1
• Howto use Facebook to gather intelligence, part 2
• Facebook exploited

 

If you are in need of root password to the LiveCD *nix distro you just downloaded, this resource may be of help for you.

I know I need them from time to time, and usually when I do, I miss a "one-stop-shop" like this one :)

Thank you Benny!

I have created a LinkedIn group called NorSec. The group targets security professionals in the Nordic, with particular focus on Norway.

The group is not publicly available. To be accepted you will comply with the following:

• Located in Norway (or the Nordics)
• Currently working within the security industry

The benefits of joining the group are:

• Join and meet other security professionals
• Develop a forum for discussions
• Find job opportunities
• Find candidates
• Get answers

Please note - if you are not located in the area, or not in the security industry, you will not be accepted as a member of this group. There are other groups available for you!

To apply: http://www.linkedin.com/e/gis/111057/40E1791B6B9D

You may consider letting me know about your request using the contact form or my e-mail.

In the previous part, we saw how you could use Facebook to collect e-mail addresses by offering something of perceived value to your victims. And you built a list of minimum 10 000 e-mails with only 5 minutes work.

This is part two of the How-to about collecting information of potential victims from sites like Facebook. This part is a Bonus – where I tell you how to collect more than only the e-mail and name of your victims – I tell you how you can build a full profile of your victim!

Warning: This work is tedious, and requires attention to detail and long-term persistency.

BONUS: Build a complete victims profile, not only e-mails and names!

1. Make people add themselves to your group

Now, go to your group setting page on the Facebook Group you added in Part 1 of this How-to. Make sure that you set it up to Group Type: Open group. This will ensure that everybody can join the group, and then invite their friends to do the same.

 

Why do you want this? Simply by making your victims advertising the great offer you give, so more people will show up and give you their e-mails.

2. Start investigating your group members

This is easy. Just browse the list of members. When you see something pretty (as in potentially easily exploitable), take a look at the profile. If the profile is not available, take a look at their friends. Most people think that showing off their friends cannot give away anything about themselves, so it is safe. You know better, right? You will, read on!

 

Here we have a list of friends of a potential victim. We can see that this person is either very popular (618 friends), or is playing a game like yours – collecting!

Note the location of the friends, usually you will see that they tend to gather in one or only a few geographical areas. Also note the profile pictures, pictures can tell you a lot about the person. Look at dress code, location, styling and other clues as to who this person is.

3. Invite and collect

If you decide that you like the person (or you decide that he/she is a nice victim), you may invite him/her to be your friend. Say something like “Hi, I am the group manager of…I’d like to add you as a friend…” Most will say yes. Particularly if you hint that she/he is very close to get the prize, and you only need to confirm some info…Be creative!

Now you have full access to all the stuff this person shares with friends.

4. Harvest info

With full access, start to add to your database the following data:

• interests
• books read / enjoyed
• favourite quotes
• marriage status, birthday, age
• friends, and particularly those who communicate using Wall and similar applications

If you follow your victim for some time, you will start notice that you can start to know this person very well – only by viewing the information posted on the profile.

5. Use the info

You still in there, are you?

Why would you want this kind of information about someone you do not know?

These are some of the reasons we know others use when they do this kind of exercise:

• Looking for “easy” offers for sex or violence. Just read the newspapers.
• Finding out when you leave your home (vacation, work hours), and pay you a visit when you are not there. This is not a house calling, but a house clearing.
• Selling the information (spammers, criminals)
• ID-theft – the more I know, the easier it is to learn more about you
• Intelligence – companies, criminals and countries collect information that might be useful in the future
• Research (my excuse) – see how much you can learn without warning the victim

One example, found on the Register today, is lax control in banks and financial institutions:

“Merchant Securities Group Limited also failed to verify the identities of customers that contacted the firm by telephone. Instead, the firm relied on being able to recognise customers' voices and talking with them informally about personal matters such as holidays or hobbies. Personal account numbers which could be used with a customer's name to access account information were included in routine letters.”

See where I am getting? The more I know, the more I get. Now I got your money too!

Warning: Keep in mind that in some countries, what you are doing may be considered illegal.

Note: You do know what YOU share on your profile, right?

I have made money on this blog! 

I have just reached a milestone I never expected when I started blogging. I have made money directly off my blog!

I know this is off topic - but I wanted to share it with you. It is not a hole lot of money - and I don't see myself quitting my job for the blog - but it is fun! 

Still - my biggest thrill is the feedback I get from you - my readers - when you post your comments, and send me mails! I could quit my job for that (but I'd still have to buy food...)

To all of you, from all of me - Thank you!!!  

This Friday it is time to introduce you all to one of my favorite blogs out there. The warrior who runs this blog just calls himself shrdlu. In his own words: 

"I'm an IT security manager who has worked in various places around the world and in the US. If I told you more, well ... you know."

 

He has humor. And he is able to use his everyday experiences and turn them into the funniest stories.

His blog simply rocks! 

And since it is early Friday - you have all day, plus the weekend to laugh your way through his stories.