Midway through 2010 the recovery in the corporate governance recruitment market that was evident at the start of the year is now firmly established. As recruitment consultants we have been genuinely surprised at the strength of the recovery. The recovery is focused on the financial sector and is a result of both renewed growth in the sector and greater regulatory oversight. Investment in corporate governance has clearly become a priority.Technology
Playing with old computers
And as many of my colleagues and peers, I am still getting my hands dirty from time to time. I guess it is the masochist in me.
Last night I was playing around with battered, old computers. Except. They where not that old. One where only 6 months old. And it should not be experiencing hick-ups, halts and driver problems. Usually.
This particular computer was residing in the reception. Many different users - non with any special computer related abilities - would use it over the week. And it had one major, business critical application inside - the booking system.
They had experienced hick-ups over some time now, and although I usually prefer not to get my hands dirty anymore, I decided to step back in time and sniff the dust. And I did the good'ol trick of removing everything (including the mainboard), and blow it all clean. Well, at least I would have if I had had some pressurized air at hand. After giving the components and the box itself a nice clean, the bits and pieces was put back in.
And to no surprise, there where a few things left over. I am a minimalist, and do not believe in using the computer cases as storagerooms, so I removed unused cards and other bits that no longer was of any use.
As I suspected, the computer came back to life, and works a dream. At least for now. Because this very computer was bought by people with no clue when it comes to computers. They had a need, went to the nearest superstore, and just bought a computer. Now, they did decide that this was a business critical computer, and thus made sure not to buy the cheapest one in the store...
But. They had no clue what-so-ever when it came to what makes a good business computer. And as you may have guessed allready, they came back with an overpriced piece of hardware, in combination with Microsoft XP Home edition. I repeat that. Microsoft XP Home edition. For a business critical computer.
I have made them all write one houndred times on a board: "I will never, ever again buy MS XP Home Edition."
And why is that? Why should you not use the home edition for business? It is all in the name. Home is not Business. Not even if you run a home-based business. The Home edition is a cheaper, less reliable and less sturdy OS than its brother XP Pro. Pro == Professional. Business == Professional.
Let me put this into monetary terms for you.
By choosing a cheaper OS like Home Edition, you may save a few bucks. In Norway, you save say 70$. But you buy yourself a large amount of it-related troubles, and will have to rely on an IT-consultant to help sort out all the troubles (face it, if you had the knowledge reqiured in the first place, you would never buy Home Edition. Period). And that IT-consultant does not come cheaply (if he does, he is not worth the money. Another period.). So the calculation I use in Norway is that you save $70, and that will be spent on the first half-hour of your IT-consultant.
By investing in a more sturdy OS, you may have to pay more to get going, but you will save money in the long run as you will not be required to dish out cash to IT-consultants every week.
Particularly when it comes to environments where there are a number of people involved would you do wisely to ensure that you get advises from people who understand the technology, and that can help you make the right decisions. It may cost a bit more to get going, but doing it right the first time is a huge cost and time saver in the long run.
Lets get back to the computer for a second. This computer was bought in February 2008 - so it is what I would call new. But during these months, it has already cost way more to operate and to keep it operating than the cost to buy it. And I have not even considered the cost of lost business when it was not operating, the stress on the not-so knowledgeable users and so on and so forth.
My advice to you if you are considering buying computers for your business are as follows:
- get someone who KNOWS for real to help you choose the right solution (ie. do not just pop down to the nearest superstore - pay a bit more and use a specialized IT-supplier)
- Saving up front usually only serves to increase the costs in the long run. See the first bullet...
- It is not enough to not buy the cheapest thing in the store - you need to understand what you are getting. See bullet 1.
- Give the users propper training. People who unpluggs the power to get the computer to shut down is a clear indication of the need for training. See bullet 1.
- Have a backup solution at hand. That means that you need a second computer available so you can use that if the main one decides to die in your hands. See the first bullet. Yes, again.
- Restrict the computer. That means someone who knows how to deal with computer (see the very first bullet) should enforce system policies (if you do not know what that means, see bullet one. If the people in bullet one have no clue, then you did not read bullet one, and just picked someone you know/from the top of Yellow pages.). The policies should enable the users to do what they need, and nothing more.
- Before you do this, you need not to worry about virus, spam and other security threats, as you already have your hands full. It will not help to buy a firewall, a nice antivirus solution or a security scanner. You need the basics first. See bullet 1.
- See bullet one.
What do you think about entrepreneurs?
I have decided that this blog - the Roer.com Information Security blog will change and narrow it's focus a bit, and focus on information security for entrepreneurs and start-ups. I hope that this small change in focus will not drive away my current readers, while continue to grow my readership.
By doing this change, I hope to fill what I think is a gap in the Security blogging arena - to help start-ups and SME's to adequate security. As far as I see it, most security bloggers out there are in one or more of these three groups:
- vendor or service provider, focusing on promoting their own products/services
- (enterprise) risk management, focusing on what many SMEs will consider theory and not very relevant to their everyday focus
- IT-security, focusing on technology, hacking, and "geek" stuff
I think they all have an important role to play, and that they are needed. But for myself, I do not belong directly in any of the categories, plus I am very interested in entrepreneurship. Thus, I will try to fill this gap :)
But worry not, my readers! I will continue to dish out my opinions on global security, TSA, other bloggers and whatever else even remotely securtiy related that I feel an urge to comment upon!
On a side note, I have also established a new blog, focusing on another area I love - trainings!
Do you think this is a good move? Or am I walking into a dead end? Your thoughts are highly valued!
Windows 3.1 is dead - so what?
One should think that using a software that was designed only 15 - 20 years ago should be quite possible today. After all, a PC is still a PC, right?
Not so. A PC of today (2008) is based upon the same principles as back in the early 1990's, but the technology has reach a maturity point where backwards compatibility hardly exists.
Yes, you may get WfW to actually work, if you like many others keep an old 486, or even a P1/P2 in a closet nearby. The challenge will be to render it useful, as John realises:
And IE 5 is not 15 years ago - it is more like 5.
Now, why should you, a security minded reader, care about the fact that John failed this project?
Several reasons comes to mind:
- From a continuency point of view - if you rely on some old hard-/software, make sure you have the tools and systems available in case of a failure.
- From a data storage point of view - if a software can become totally obsolete in less than 5 years, you need to make very sure that your backup systems; long-time storage; and other data you may require access to in the future; uses technology you are able to access.
- From a compliance point of view - if you are obligued to store information for a periode of time - 3, 5, 7 or 10 years - you are also obligued to be able to access the same data in the future. It is your responsibility, and it is usually a good idea to plan the technology at the same time you plan what and where to store your data.
Yes, XP, 2000 and many others will be out of date. 2000 actually did this summer, when MS pulled the support for it. Anyone remember OS/2? DOS I guess most still remember, but only hardcore, old-guys still uses it to some extent. The world (and the technology with it) moves on.
To keep up with changes, you need to keep track on what is going on, as well as on your own requirements. You are required to update once in a while, but you do not need to jump on the latest versions of everything - unless you have special requirements. It is simply a matter of balancing your needs.
Live skin fingerprint scanner
This new thumbdrive/memory stick/flash pin (choose or add your prefered name) offers a finger print scanner. A scanner that looks for the live skin, something that is claimed to increase accuracy, and allows you to use dirty fingers and still get access.
The only downside is that now I can no longer cut of your fingers to gain access to your data. I need you alive and kicking at my side...
Andy is in trouble!
My blogging buddy Andy IT-Guy is in trouble! Please pop on over to help him!
Facebook open to ID-theft
Facebook (and a number of other platforms in the Social Networking revolution) enables great minds to do great things. Many of us uses these services on a regular basis (daily, hourly, or even every moment of the waking hours).
I for one is a huge fan of networking, and using networking sites enables me to communicate and stay in touch with old and new contacts easily. On the other hand, I recognize the security challenges - namely the ID-theft and the social engineering (SE) possibilities that is enabled through such services.
One of the messages I try to convey in speeches and trainings is the threat that Facebook Apps may be. Granting an application access to your profile, automatically enables that application to harvest a huge amount of data about you and your friends. Now, most applications are "for real" - thus doing only the thing it claims to do. Still, imagine a business manager sitting on 10s of thousands of users and their data, in need for money. It would be extremely easy to use the data already harvested, as well as rewrite the application to be more aggressive in it's harvesting.
The other scenario is malicious apps appearing cool and fun and a "must have". These apps would offer you a service (chocolate) as a killer app - something you just have to have. And you would invite all your friends to use it too. By offering the coolest, it will become popular, and thus the road is open to harvest and use information. Information that you normally only would share with friends only.
---
In enters the Social Engineer. Uses the information about you, collates it with other info shared on other sites, creating a complete profile of you, your interests, your family, friends, co-workers, neighbors and so forth.
Perhaps one day he bumps in to you at the local mall. Or calls you because "someone said that you could be interested in ..."
Having a complete profile of you, he (she) would know all the answers, and thrill you into doing anything. Given enough time, and a valuable target, there are no limits to what can be achieved.
---
Given this outlook - perhaps it is best to continue as before - in ignorance. Hoping that "it will never happen to me".
---
I gotta run.
Just got this incredible, almost unbelievable, opportunity! This complete stranger called me out of nowhere!
See you in a bit!
---
Ka-zing.
---
(Thanks to Liquidmatrix / Dave Lewis. And man, do I love that cartoon!)
House of hackers - a new community
Gnucitizen established a new community project called House of Hackers. The purpose is to create an area where
"...support the hacker culture, mindset, way of life, ideologies, political views, vision, etc."
If you are into hacking, and interested in keeping with the community, I suggest you pop over and take a look.
Airport evacuated!! Found handgrenade in luggage!
Just a few hours ago, the Tromsø airport in Norway was evacuated due to a hand grenade found in the luggage (Norwegian link).
The hand grenade was found in the hand luggage of a passenger moving through security. I can only imagine the eyes of the security clerk who discovered it.
Eyes Wide Open comes to mind. Certainly, the Big Red Button was very close indeed.
ALARM!
The hole airport was evacuated, secured and shut down.
Only to be reopened 25 minutes later, when the Grenade was discovered to be a belt buckle!
I got a feeling that the security clerk would wish to move forward and dismiss this event as an error. I for one will go on and order a couple of belts. Imagine the disorder to be created if these buckles keeps trying to enter the airports around the world!
Obviously, when it becomes customary to wear and carry grenade look-a-likes as belt buckles, it will be much easier to bring actual grenades hidden as a buckle. So, sometimes soon, I predict the politicians to enforce a
"No Grenade look-a-like Belt Buckles allowed on Airports!"
---
Edit: Just read about the complete opposite experience at the Digital Soapbox! Thanks, Rafal!
ID theft – Facebook and MSN exploited
Except – this particular post was written in English, by a Norwegian. Further, the message pointed to a service I had a very hard time imagining that my contact would be promoting.
Yes, yes, I know, I am a bit too paranoid!
Anyway, I contacted my friend, and as I suspected, she had not posted this – or the 150 other messages posted to her contacts. I started to poke around a bit, and pretty soon she admitted that she had experienced other strange episodes lately.
One of the other signs where that when on MSN, MSN would disconnect her, stating that she where being loged on using a different computer. Unlike some of us, she only had one computer she used for this.
I started to suspect that a key logger or other spyware had infected her computer, and made sure that she changed her log on details (username and passwords) on all the services she uses – and that she did so from a different computer.
The next step now is to reformat and reinstall the OS and applications – just to make sure that any software that may have been hidden is gone for good. Did I mention I am paranoid?
I also told her to go to the police – not because I think they can do anything about this event – but to make sure the event ends up in the statistics.
She may have picked up the key logger while browsing the net. She might have got it through a download – or by an email from a friend. Or by a large number of other means available to hackers. She might also have left her credentials while using her friends computer.
It does not really matter in this case. What does matter is her statement when I started to ask about the spam message on Facebook:
“I received reactions from my other contacts too – and I told them I had not done it. I thought it was just a system error, and wasted no more time considering it”.
(Emphasized by me)
And here we have the base of the challenge – normal users are not able to tell a threat from an error. Heck, sometimes us pro’s have problems with the very same challenge! And as threats evolve, and gets better at hiding, the harder it gets to know for sure.
I remember reading about this a while back – how all the errors in IT-systems have taught users that when unexpected things happen, it is just an error. Just restart and get on with it. (Please provide link if you know the story – I am unable to find it…).
And the result today is that when you do not understand what is going on with the computer, you just write it off as a “system error”, and get’s back on to what you where doing.
We spend a large amount of time to teach users how to deal with security. But if we are not able to teach them the difference between a system error and a plain security threat – how can we ever expect to succeed?
SQL-injection attack walk-through
Have you ever wondered how to learn how to do SQL-injection attacks? Rescue is here!
You are now able not only to read about attacks and try to understand their logics, you can now set up your own lab and start doing injections directly. Thanks to Gerasimos Kassaras (I had a hard time spelling that, and will not even try to pronounce it), who have written this excellent walk-through on the topic!
He will even walk you through setting up IIS and the other tools required!
Still not into SQL-injections?
Well, you should be. Security now and in the future will be about two things - information management on one hand, and application security on the other hand.
Recent comments
1 day 18 hours ago
3 days 1 hour ago
3 days 1 hour ago
3 days 1 hour ago
3 days 1 hour ago
3 days 1 hour ago
3 days 1 hour ago
3 days 2 hours ago
1 week 2 days ago
1 week 2 days ago