
Archive for August, 2008

Security Catalyst Community Discussion Forum Update - August 20, 2008

Here are some of the recent — and thought provoking — conversations of the Security Catalyst Community (SCC):

Opportunities to meet, network and join together

Join in the Discussion!

The Security Catalyst Community

Your participation is your currency (meaning there is no charge to join): the more you contribute, the more you learn and the more valuable the community becomes to everyone, so dive in and share. If you have not yet registered, please remember to use firstname.lastname as the standard.

If you enjoyed this post, make sure you subscribe to my RSS feed!

Posted in Security Catalyst Community | Comments (1)

onTour Updates - where is Michael Santarcangelo?

Greetings from Sierra Vista, Arizona with a long overdue update. While I may have been quiet (rare, I know), I have not been idle.

A few months ago I was focused on tracking down security fundamentals - and how they need to be applied; last week I was able to craft an intense training session that brought a group of professionals through a unique training class designed around that very concept. It was a great week and really has me energized (despite the need for sleep).

I also shared some insights from Into the Breach with a group at Fort Huachuca yesterday. The best part - for everyone, myself included - was the hour-long conversation that ensued after the keynote. We talked about current challenges and how we can face them by addressing the true problems (not the symptoms), and how to engage people to take responsibility while increasing our ability to hold them accountable.

We are going to take some time today to visit Bisbee, AZ before heading up to Tempe, AZ tomorrow. This is our final “pre-tour” trip as we work out the kinks of driving cross-country in the RV multiple times a year, running the business and spending time as a family. This trip was much smoother than the spring “expedition” and we are already looking forward to the onTour launch in September!

As we make our way back to NY, here is our schedule for the next two weeks:

Phoenix, AZ

I love Phoenix and look forward to catching up with a lot of good clients, friends and even some new faces.

Arrive: Wednesday, August 20, 2008

Depart: Friday, August 22, 2008

Staying here: http://www.apachepalmsrvpark.com/


Dallas, Texas

We have a lot of friends that we hope to see while we stop in Dallas. The best part of traveling by RV is the complete flexibility to see clients, potential clients and friends (most of whom were once clients or will be clients). We really enjoy life as a family and seeing the country in a way that allows us to work with people we would choose to spend time with!

Arrive: Saturday, August 23

Depart: Monday, August 25

* we have not yet picked a park, but these are the top three options - have experience or insight? Drop me a line *

http://www.treetopsrvvillage.com/

http://tradersvillage.com/en/grandprairie/rv

http://www.cowtownrvpark.com/


Atlanta, Georgia

** Will be meeting some friends and potential clients to discuss how Into the Breach influences “Awareness that Works”; I love the opportunity to discuss my passions and share research. I’m really pumped about this!

Arrive: Tuesday, August 26

Depart: Thursday, August 28

Staying here: http://atlantasouthrvresort.com/


Potential other stops on the way “home”

  • Considering a brief stop in Charlotte, NC
  • May take one more trip to Hershey Park (need to find a connection at the Hershey Chocolate company - we're there so much!)

Are you along our path?

If you are along our path or in one of the cities where we are touching down, I would love to meet, say hello and offer you a preview copy of Into the Breach! I am currently tweaking the onTour website in time for our September launch and will be announcing the 6-week onTour Fall leg in about a week or so.


Other Quick Updates

  • Four podcasts are lined up, including the Pop Culture Security, Breach Breakdown and Security Roundtable!
  • Despite my compressed schedule, my brain has not stopped; I have been working on a series of articles to share
  • I have a special report on "freeware" that I will be releasing next week; this was a real change in thinking for me and I look forward to sharing what I learned with you.


Book Updates

  • The Kindle book should be available this month
  • The eBook should be available this month
  • The hardcover book will be available September 16, 2008 (we'll be picking up 500 copies on our way to Nashville, TN)
  • The book can be pre-ordered here: http://atlasbooks.com/marktplc/02353.htm


Posted in Catalyst onTour, Into the Breach

Congress Targets Online Advertising

Patrick Romero, CIPP

It appears that Congress is finally going to get involved in the regulation of behavioral targeting by internet companies. Representative Edward Markey (D-Mass.), who chairs the telecommunications and internet subcommittee of the House Energy & Commerce Committee, says he and others plan to introduce comprehensive online privacy legislation in the coming congressional session. The law would allow companies to collect and share the surfing habits of consumers only if individuals opt in to the monitoring.

The issue of behavioral tracking by online search engines, such as Google and Yahoo, for advertising purposes has gained significant attention. Earlier this year, the FTC held an open forum on how to develop industry best practices in order to ensure the privacy of online consumers. While there was hope that the industry would police itself, it appears that there will eventually be some Congressional oversight of what information can be collected from users online.

The lack of transparency in the current model used by online advertisers has proven to be problematic. Consumer and privacy organizations have stated that individuals should always have to opt in whenever their personal information is being gathered, and that they should always be aware of any monitoring of their online activity. Recent incidents have shown why: Facebook faced a public backlash when it launched its Beacon program on an opt-out basis. The company was forced to issue a public apology and is currently being sued by its members for violating their privacy.

Industry leaders have been hoping that federal legislation will not be needed. However, companies continue to expand their ability to collect and monitor the information of internet users without clear policies protecting consumer privacy. It now appears that Congress will finally step in and clarify the rules of online surveillance.


Posted in Information Protection

Preview Copies of Into the Breach - Available Now

As I wrap up my week in Las Vegas and prepare to head to Sierra Vista, AZ, I will be offering preview copies of Into the Breach. I'm going to wander down to the Vegas strip this afternoon/evening - if you'd like to get your hands on a copy, please send me an email (michael at this domain) or direct message me on twitter: http://twitter.com/catalyst

We are heading out from Vegas Saturday morning and will stop briefly in Phoenix around noon. We’re hoping to meet some friends for a quick bite to eat and then head on down. We’ll be coming back through Phoenix on the 18th and tentatively sticking around for a day or two.

I have a “Protect Your Business by Managing People, Information and Risk” keynote on the morning of the 18th - and would be happy to explore working with your team as we work our way back across the country. I have an intense 10 days in front of me - but continue to develop content for the blog, have some special reports I look forward to sharing and more awareness and breach podcasts coming up.

I am also working to publish the updated fall speaking schedule - which will see us criss-cross the country, providing many opportunities to meet, work with companies and families around the country and have some fun!


Posted in Catalyst onTour, Into the Breach

Don’t Ignore the Facebook Virus

By David E. Stern, CISSP

Every day, dozens of new vulnerability or virus alerts are released to warn and inform the public. The IT community, including those in IT security, has become fairly numb to these alerts. For the most part, as long as patches are pushed out and antivirus signatures are kept up to date, these releases make little impact. The occasional worm or botnet will grab headlines, but the accompanying vigilance soon fades. It's an unfortunate consequence of the virulent Internet environment.

I have never had much interest in using my Facebook account, so when I saw the advisory relating to Facebook and Myspace virus activity, I let it fade into the background noise. In fact, my inbox was filling up with “silly” Facebook notifications to the point of annoyance, so I logged in with the intention of clearing out my connections. Taking stock of the large number of friend associations that I had led me to an AHA moment; EVERYONE uses Facebook.

Facebook isn't just a toy for fiending teens. It is used by people of all ages on all of their computers, whether at work or at home. It is a fertile breeding ground and conduit for Web 2.0 content. In this case, it is the perfect launch pad for a worm: huge market penetration and a very large and mainly clueless wetware population.

The same can certainly be said about most other virus outbreaks. But in the case of Facebook, there are simply too many good reasons to make that fateful click. Users may think twice about falling for a phishing scam or even clicking on the dancing pig, but Facebook is the forbidden apple. I am not advocating taking any actions against Facebook use. The resulting effort would be a waste of time.

Consider the following example: a toy manufacturer announces a recall of a popular toy because of a dangerous chemical it contains. Your child doesn't have the toy, but you will probably want to make sure that his school and friends don't have it either.

Take the time to send an internal email blast warning all employees to be extra careful about what they click on in Facebook. Spend a little more time looking at security logs. Finally, take a walk over to the help desk manager and ask him to keep an eye out for increased ticket volume.

Don’t ignore this one.


Posted in Information Protection | Comments (1)