Finally the iPhone is coming to Canada! Yes, I know I could have a cracked one. I’m just glad to see it officially released here. A question that remains. What kind of data rates are Ted Rogers and company going to charge?

Click here to subscribe to Liquidmatrix Security Digest!. Welcome to all of our new subscribers yesterday! Thanks for joining!

And now, the news…

1. Bug exposed in web security standard | vnunet
2. How safe is instant messaging? A security and privacy survey | CNET
3. Bush widens immigration checks | LA Times
4. Apple QuickTime Multiple Vulnerabilities | Secunia
5. FBI Charges Blind Phone Phreak With Intimidating a Verizon Security Official | Wired
6. Exploiting VoIP vulnerabilities to steal confidential data | SC Magazine
7. Security holes in Linux kernel closed | Heise
8. Overview of the Windows Server 2008 Firewall with Advanced Security Part 2: Inbound and Outbound Firewall Rules | Windows Security
9. VA promotes teamwork on cybersecurity (-10 points) | FCW
10. Another bug your tools won’t find and your WAF won’t prevent | ZDNet

Tags: News, Daily Links, Security Blog, Information Security, Security News

From Tech Herald:

So who reads your email at the office? Apparently more people than you think. Forty-four percent of the companies responding to the study said that they investigated an email leak of confidential information in the past year. Forty-one percent reported that they employ staff to read or otherwise analyze the contents of outbound email. In addition, twenty-two percent said they employ staff primarily or exclusively for this purpose.

There are several cases where someone has been terminated over the contents of email. Most are fired under a clause in the company’s Internet Usage Policy. The debate is a huge one, with people expecting privacy when they send email, often personal, from a work account or access personal accounts at the office. Simply put, you have no privacy at the office, and if you get any at all, you should expect very little. Some companies will offer some “personal time” and allow internet usage, but mostly everything you send is logged and monitored, and yes even read by someone else.

Mostly? Try damn near everything for most firms. Email was read only at the behest of legal or HR. Thankfully, those requests seldom arrived.

When people start a new job more often than not they are handed a copy of the acceptable use policy for their respective firm. It is staggering how often people glance over it while pondering dinner plans Then sign off that they read and accept. It’s like people that click on EULA’s mindlessly.

Later, they potentially pay the price for that lack of attention to detail.

Article Link

Why? Well, the problem with layered security is that we tend to assume if Layer X isn’t providing a particular protection, Layer Y must be… and we all know what assuming does.

In the good ol’ days, we relied on firewalls- perhaps nested firewalls, or ones positioned strategically on the LAN as well as the WAN. Because of our network architecture at the time, that was the primary (and probably only required) protection. After years of de-perimeterization and the increase of threats from both remote-access and insiders, we have a much different landscape.

The addition of resources and availability in the network has lead to the addition of vulnerabilities and threats.

Now… our schools need to protect children from material online. Now… we need to stop Trojans from sneaking in with VoIP apps. We need to access our corporate network securely from Starbucks. Our corporations need to protect their network from users accessing or publishing illegal content on the Internet. We need to protect our email, make sure its virus-free and not allowing employees to send sensitive information to the outside world.

All these increased risks and threats lend to the need for more protection in the environment. There’s just no single silver bullet or cure-all for the problems we’re facing.

What does this mean? It means we’re adding security products to the network to address these issues. We need content filtering. We need layer-7 visibility on the WAN for inbound/outbound application control. We need data leakage prevention. We need email security. We SSL-VPNs for secure remote access… the list goes on.

So, what’s the problem? We’re living in a world of security buzzwords and ‘hot topic’ solutions. But the problem is 2-fold.

Problem 1- We forget to KISS IT. In the frenzy to understand and implement these hot new products, we’re losing sight of some basic security functions and overlooking some really important security fundamentals. Remember to KISS IT and keep your basic security solutions simple- then layer on top of that. Your hot new NAC or DLP solution won’t seem so impressive if your basic firewall rules haven’t been properly configured.

Problem 2- We forget thy layers. After you KISS IT, you need to start layering responsibly. That means having a CLEAR understanding of what each solution does- or does not- do. You wouldn’t believe how many customers call and want to hear about Widget A for a certain solution that Widget A is not designed to fix. I deal with it daily and I blame (for the most part) vendors for mis-advertising their product as a fix-all. Whether its hardware or software- know what each piece of your security solution is designed to do, what it’s actually doing, and keep that information documented. Documented- I’m going to say it again. Your firewall/UTM may offer content filtering and gateway AV, but are you using it? Are you using a WAN optimization product to stop prohibited applications, or is your web filter doing that? Do you even know?

Solving the Cube. Layered security is like solving a Rubik’s Cube. You may think you’re on the right track after you get one side solved… but the other 5 are just a huge mess. There are patterns and algorithms you must follow to solve all sides together. Your layered security solution is no different. Understand what each piece is doing, how it fits in, and when to twist one layer here to implement a solution as part of a different layer over there.

# # #

I have been manning the NOC help desk for the past week and it has been a complete blast working with a world class team of engineers to set-up the “largest Temporary network in the world!”

First you start with the problem.

The problem was how to collect and real-time graph the aggregate inbound and outbound bandwidth from 4 Enterasys core network routers (Enterasys XSR 3250 Routers) on 42” & 52” flat screens used in the NOC at Interop Las Vegas.

(more…)

ShareThis

What are the telltale signs that your company is already Computing in the Cloud?

Is it when the CIO makes a big announcement at the monthly IT meeting?

Is it when the IT newsletter drops a reference to pilot testing of some ‘web based’ software?

Or, is it when the secretary whips out the boss’s Corporate Credit Card and signs up to a Cloud Service?

Here are 12 indicators that your company is *already* part of the Cloud:

1. Your internal helpdesk reports fewer password resets.
2. Finance contacts you to confirm all the DVD readers are disabled - they are puzzled by the number of recurring credit card charges for Amazon (are the secretaries spreading out their orders for “Lost” DVDs again?).
3. You are asked to authorise a network change ticket to send all outbound network traffic via the perimeter firewall, before being routed back to the internal server room (for performance reasons). 
4. You walk into the Data Center and it feels cooler than usual.
5. When the builders next door accidentally saw through the company Internet connection, people complain there must be a DoS attack going on as they can’t get to their files.
6. During physical inspections, you notice unexplained gaps in server cabinets.
7. Login failures go down, in fact login “attempts” in general go down but the company car park is full.
8. As you walk through the office, you notice all the “Security Awareness” posters have been replaced with pictures of Jeff Bezos (!)
9. You are asked to authorise a visit from the local environment group.  Fearing protesters, you are surprised to learn that your company has won a prize for reducing its Carbon Footprint
10. Your Intrusion Prevention System is preventing the call center from uploading contracts stored as GIF files.
11. You detect the presence of ‘malware’ in the form of unexplained ‘Machine Images’ on IT’s desktops.
12. You stop finding Windows passwords under keyboards, instead you find random hex digits next to the words ‘Access Key’ and ‘Secret Key’.  You sigh, but at least they are setting difficult to guess passwords now!

If you are charged with IT security in your company, you may want to start checking your web proxy logs for telltale signs that people are talking to the Cloud…or just talk to finance.