Wednesday, 21 December 2011
One of the things they are removing from the emergency rooms is the paper that lays across the examination tables.
An emergency room doctor explained that the paper doesn't really contribute to the infection control program at the hospital; it's only really there for patient peace of mind. You know, so it looks clean and fresh, and through its use, convinces us that the room is clean.
Sounds a lot like security theatre.
Thursday, 24 November 2011
Friday, 18 November 2011
Usually, the performance bottleneck I run into is disk access. Today, I'm trying some new hardware to see if we can eliminate that bottleneck.
Here are my first results:
This spike was the result of starting a compact -C on a database with a size of 1.6GB and 150,000 documents. It took 2 minutes to complete.
I'll let you know how performance continues.
Thursday, 17 November 2011
Is that what happened? Was it a process issue, or a policy issue?
I wonder if we'll ever know?
Wednesday, 16 November 2011
I read that in an article from SC Magazine. He really couldn't say anything else, but I wonder if he really believes it. I also wonder what City of Toronto CIO David Wallace is thinking... After large takedowns of Sony and the like by Anonymous, he's probably not as confident.
Tuesday, 15 November 2011
I have a client who wants to use their email address to log in to a Domino web application.
My memory tells me that there is/was an issue with this and using Groups in the ACL of the Domino database.
Can anyone point me to any resources on how to do this, or that it can't be done, or anything along those lines?
Friday, 4 November 2011
THC-SSL-DOS is a tool to verify the performance of SSL.
Establishing a secure SSL connection requires 15x more processing
power on the server than on the client.
THC-SSL-DOS exploits this asymmetric property by overloading the server and knocking it off the Internet.
This problem affects all SSL implementations today. The vendors are aware
of this problem since 2003 and the topic has been widely discussed.
This attack further exploits the SSL secure Renegotiation feature
to trigger thousands of renegotiations via single TCP connection.
It's also been covered in various places on the web, like here or here.
While it doesn't look like there is much that can be done to mitigate it, you may get some relief for your Lotus Domino servers (and other software that uses Domino as a platform) by disabling SSL Renegotiation.
It's an option available in the following releases of Lotus Domino:
- Lotus Domino 8.0.2 Fix Pack 6 +
- Lotus Domino 8.5.1 Fix Pack 4 +
- Lotus Domino 8.5.2 +
- Lotus Domino 8.5.3 +
This Notes.ini parameter was originally released in response to CVE-2009-3555, which detailed a man-in-the-middle attack that would allow the attacker to insert data in HTTPS sessions, and possibly other sessions secured by SSL. (I'm looking at you, LDAP, SMTP, and POP3.)
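One way to spot the renegotiation pattern described above in captured traffic, as an added example that is not part of the original post or of any Domino tooling: every handshake on a connection, initial or renegotiated, contains exactly one client ChangeCipherSpec record, so counting those records in the client-to-server byte stream gives the number of handshakes. The function names, the threshold of 3 and the sample streams are assumptions constructed for illustration.

```python
import struct

# TLS record content types (SSL 3.0 through TLS 1.2)
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23
KNOWN_TYPES = (CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA)


def iter_records(stream):
    """Yield (content_type, payload_length) for each complete TLS record."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _version, length = struct.unpack("!BHH", stream[off:off + 5])
        if ctype not in KNOWN_TYPES or off + 5 + length > len(stream):
            break  # not TLS, or the capture was cut mid-record
        yield ctype, length
        off += 5 + length


def count_handshakes(client_stream):
    """Count handshakes: one client ChangeCipherSpec is sent per handshake."""
    return sum(1 for ctype, _ in iter_records(client_stream)
               if ctype == CHANGE_CIPHER_SPEC)


def flag_connections(conns, max_renegotiations=3):
    """conns maps a connection id to its client-to-server bytes.

    Returns {conn_id: renegotiation_count} for connections over the
    threshold. The default threshold is an assumption; tune it to your traffic.
    """
    flagged = {}
    for conn_id, stream in conns.items():
        renegotiations = max(0, count_handshakes(stream) - 1)
        if renegotiations > max_renegotiations:
            flagged[conn_id] = renegotiations
    return flagged


def rec(ctype, payload):
    """Build one SSL 3.0 record (used only to construct the sample data)."""
    return struct.pack("!BHH", ctype, 0x0300, len(payload)) + payload


# Constructed sample streams. Payload bytes are opaque filler: the detector
# reads record headers only, which stay in the clear after encryption starts.
INITIAL = (rec(HANDSHAKE, bytes(45)) + rec(HANDSHAKE, bytes(130)) +
           rec(CHANGE_CIPHER_SPEC, b"\x01") + rec(HANDSHAKE, bytes(40)))
RENEGOTIATION = (rec(HANDSHAKE, bytes(80)) + rec(HANDSHAKE, bytes(160)) +
                 rec(CHANGE_CIPHER_SPEC, bytes(24)) + rec(HANDSHAKE, bytes(64)))
NORMAL = INITIAL + rec(APPLICATION_DATA, bytes(200))
FLOOD = INITIAL + RENEGOTIATION * 50

SAMPLE = {
    "192.0.2.10:51514": NORMAL,     # ordinary browser session
    "198.51.100.23:40112": FLOOD,   # 50 renegotiations on one TCP connection
}

if __name__ == "__main__":
    for conn_id, count in flag_connections(SAMPLE).items():
        print(conn_id, "renegotiated", count, "times")
```
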
Wednesday, 2 November 2011
Tuesday, 1 November 2011
I suspect that if that occurs, there will be a rather public hack of Greece's infrastructure, taking advantage while they are down. Quite possibly, it will be an inside job, by someone disgruntled that they are broke.
Thursday, 27 October 2011
It's run by a Spanish company, and offers free, online virus checking.
The best part in my mind? It's crowd-sourcing your anti-virus.
You submit a suspect file, it's scanned by 42 different anti-virus applications, and the results get displayed to you. If the file is picked up by at least one of the 42 anti-virus programs, then they each get a copy of the file to test to improve their products.
By you testing a file, you're potentially helping keep everyone safe.
Tuesday, 25 October 2011
Tool lets low-end PC crash much more powerful webserver
Hackers have released software that they say allows a single computer to knock servers offline by targeting a well-documented flaw in secure sockets layer implementations.
Down the Rabbithole Podcast Episode 4 - Effective Small Business Security
Pocket Guide To Securing Mobile Devices
With workers bringing their own smartphones and tablets into the company, IT security needs to focus on creating a more secure environment, not on securing each device
Stay Cool, Nobody is Calling Your Baby Ugly
Conversations for developers and information security specialists.
Six Security Assessments You’ve Never Had But Should
Friday, 21 October 2011
CNet: Google, Facebook go retro in push to update 1986 privacy law
Ars Technica: The Shocking Strangeness of our 25-year-old Digital Privacy Law
Electronic Communications Privacy Act and the Cloud
ECPA allows the government to obtain, without a warrant, any content stored in the cloud — such as files in a Dropbox account, if it’s older than six months. It goes without saying that there was no such thing as cloud-storage services available for the average Joe Sixpack when Reagan was president. Now those services have become mainstream, yet the Reagan-era law applies.
Thursday, 20 October 2011
I've pointed out before that most small businesses don't have an information security program.
I spotted a great article earlier today that dealt with the concept of security below the poverty line, and it contained both a podcast, and a link to a research paper published by the 451 Group. I'm not going to link directly to the research, as the 451 group decided to make it available for free through The Ashimmy Blog, and not through my site. Credit where credit is due.
As a small business owner, what 4 steps can you take to drastically improve your security?
- Introduce an acceptable use policy. Let your employees know what is, and what isn't acceptable. Teach them what to watch for, and why, and who to advise when something looks wrong.
- Implement forensic accountability. Do away with shared passwords and shared accounts. You want to make sure that should something go wrong, you can determine who did what.
- Purchase legitimate software. Downloading pirated software can often introduce backdoors and other malware into your system that your anti-virus won't detect.
- Maintain physical security. Make sure that no one can just walk into your office, pick something up (or drop something off) and walk out.
Wednesday, 19 October 2011
Every month they publish a newsletter directed at the typical web user. Not those of us with a heightened awareness of security, but people like your office manager, mail room clerk or your parents.
This month's newsletter deals with a critical step in protecting your data. Backups.
I encourage you to take a look, and disseminate it to your staff. In fact, they even encourage you to do that.
It is available in English, French, Arabic, Italian, Korean, Malaysian, Polish, Portuguese, Spanish, and both Simple and Traditional Chinese.
You can now follow Securing the Human on Facebook and Twitter too.
Friday, 14 October 2011
Your competitors are simply dialing into insecure conference call lines and silently listening in. This happens at all levels … from the executive team making bajillion dollar decisions all the way down to those of us in the trenches talking shop on the technologies we use to build solutions. And the problem is only going to get worse as the workforce continues to migrate to more distributed environments.
It's a great article, and a really good read. I even mentioned it to an acquaintance, and he told me of a time it happened to him.
The Vulnerability We All Love to Ignore - NovaInfosecPortal
Scary. (And not in a good Halloween-type scary...)
Thursday, 13 October 2011
They bill themselves as:
Enterprise IT’s trusted source for product information in an actionable context, including expert labs analysis and practical tools for evaluating, acquiring, installing, configuring and maintaining technology products and services.
It's a trade magazine for Enterprise IT professionals. If you qualify, you can get a free print or digital subscription if you live in the US or Canada.
They have fairly timely news and opinion pieces, both of which are rather high-level overviews. Not a lot of depth to the articles. I find it rather advertiser heavy, and content lacking, but it is free, which means that the advertisers pay for it.
RSS Feeds: http://www.eweek.com/c/a/Enterprise-Applications/Ziff-Davis-Enterprise-RSS-Feeds/
To fix it, add the following line to your notes.ini file, replacing 192.168.100.50 with the IP of your server:
Thursday, 6 October 2011
Imagine being able to identify someone by taking their photo with your phone. What about combining that with cloud computing to determine someone's address, and date of birth? Or perhaps their Social Security Number?
Worse yet, who is already using facial recognition? What if the police were using it in conjunction with CCTV feeds to track you, or someone you know? What if criminals were instead?
There was a great piece on Spark, a radio show on the CBC that shows how technology affects our lives. I encourage you to have a listen.
Wednesday, 5 October 2011
Friday, 30 September 2011
Air traffic control data found on eBayed network gear
Turns out this fellow in the UK bought a Cisco switch on eBay for £20. When he saw the sticker on the back that said NATS (National Air Traffic Services), he started poking around.
He found internal VLAN estate data, information about the SNMP community strings (read and write, named after aircraft funnily enough), some ideas about password composition, VTP Trunk info and password, and details of upstream switching. Enough that it would allow you to plug it into a port connected to the NATS network and 'become' part of the network, allowing you access to all the network traffic.
My first thought after reading this article? How does the NATS in the UK not have a retirement/decommissioning plan that would have addressed this? After all, the UK was the country that developed the ITIL framework, and system decommissioning is a core part of the service lifecycle.
The changes are part of a proposed bill that died on the floor of parliament when Canada went to the polls to elect a new government this past May.
"Ensuring trust and confidence through the protection of personal information is essential to the growth of the digital economy. Our government will continue to help protect consumers and businesses from the misuse of their personal information, thereby increasing confidence in the online marketplace." - Industry Minister Christian Paradis
Organizations would be required to inform individuals if there had been a breach that might result in 'significant harm' to an individual. Significant harm could be defined as identity theft, fraud or risk to a person's reputation.
Other changes that could be made to the Personal Information Protection and Electronic Documents Act (PIPEDA) could include:
- Clarifications that organizations can disclose personal information requested by government institutions and law enforcement and security agencies without a warrant, subpoena or court order. The change would prohibit such organizations from notifying those affected by the disclosure of their personal information if the law enforcement or government institution requesting the information objects to the disclosure.
- Changes to the Act would allow for the release of personal information to help protect victims of financial abuse, locate missing persons or identify people who might be injured, ill or deceased.
- Disclosure of personal information without consent would be allowed for private sector investigations and fraud prevention.
- Consent would no longer be required for the collection, use and disclosure of information needed for managing employment relationships, information produced for work purposes, information used for due diligence in business transactions, or business contact information for day-to-day business.
Tuesday, 27 September 2011
The session at ekoparty revealed the technical details about how the exploit works and the vulnerability it exploits. The vulnerability has been known for quite a while.
The vulnerability affects SSL/TLS ciphers that use the Cipher Block Chaining (CBC) mode. These include the popular AES and Triple-DES encryption methods. The easiest way to mitigate the vulnerability is to switch to an encryption algorithm that doesn't use CBC, like those based on the RC4 stream cipher.
Interestingly enough, Google websites don't use CBC based encryption. They use the RC4 encryption cipher instead.
Domino Server BEAST Mitigation - With Internet Site Documents
- In the Domino Administrator Client, open the 'Configuration' tab and expand 'Web' and 'Internet Sites'.
- Open the Internet Site Document for the server.
- Click on the 'Security' tab.
- Under 'SSL Options' section, change the 'Protocol Version' to 'V3.0 only'.
- Under the 'SSL Security' section, modify the list of SSL ciphers so that only the following ciphers are selected:
  - RC4 encryption with 128-bit key and MD5 MAC
  - RC4 encryption with 128-bit key and SHA-1 MAC
  - RC4 encryption with 40-bit key and MD5 MAC
- Save the Internet Site Document.
- Restart the HTTP task.
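To confirm the change took effect, you can capture the server's ServerHello and check which protocol version and cipher suite it selected. The following is an added example, not code from the original post or from IBM: it parses a ServerHello record and reports whether the negotiated combination is a CBC suite on SSL 3.0 or TLS 1.0, which is the case BEAST targets. The function names are hypothetical and the sample records are constructed; the cipher-suite numbers are the IANA code points for the suites named in the steps above plus common CBC suites.

```python
import struct

# IANA cipher-suite code points: the three RC4 suites from the list above,
# plus common CBC suites a server might otherwise select.
SUITES = {
    0x0003: ("TLS_RSA_EXPORT_WITH_RC4_40_MD5", "stream"),
    0x0004: ("TLS_RSA_WITH_RC4_128_MD5", "stream"),
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", "stream"),
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "cbc"),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "cbc"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "cbc"),
}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
            0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def parse_server_hello(data):
    """Return (version, cipher_suite) from a TLS record starting with ServerHello."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, _rec_version, rec_len = struct.unpack("!BHH", data[:5])
    if ctype != 22:
        raise ValueError("not a handshake record")
    body = data[5:5 + rec_len]
    if len(body) < rec_len or rec_len < 4:
        raise ValueError("truncated record")
    if body[0] != 2:
        raise ValueError("first handshake message is not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # Fixed part: version(2) + random(32) + session_id_length(1)
    if len(hello) < hs_len or hs_len < 35:
        raise ValueError("truncated ServerHello")
    version = int.from_bytes(hello[0:2], "big")
    off = 35 + hello[34]                 # skip the variable-length session id
    if len(hello) < off + 3:             # cipher_suite(2) + compression(1)
        raise ValueError("truncated ServerHello")
    return version, int.from_bytes(hello[off:off + 2], "big")


def assess(data):
    """Summarise the negotiated parameters and the BEAST exposure."""
    version, suite = parse_server_hello(data)
    name, mode = SUITES.get(suite, ("0x%04X" % suite, "unknown"))
    return {
        "version": VERSIONS.get(version, "0x%04X" % version),
        "suite": name,
        "mode": mode,  # "unknown" means the suite is not in SUITES: check by hand
        # BEAST needs a CBC suite and the chained IVs of SSL 3.0 / TLS 1.0.
        "beast_exposed": mode == "cbc" and version <= 0x0301,
        "export_grade": "EXPORT" in name,
    }


def build_server_hello(version, suite, session_id=b""):
    """Construct a sample ServerHello record (test data, not a real capture)."""
    hello = (struct.pack("!H", version) + bytes(32) +
             bytes([len(session_id)]) + session_id +
             struct.pack("!HB", suite, 0))
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, version, len(handshake)) + handshake


if __name__ == "__main__":
    for ver, suite in [(0x0300, 0x0005), (0x0301, 0x002F), (0x0300, 0x0003)]:
        print(assess(build_server_hello(ver, suite)))
```

The `export_grade` flag is there because the 40-bit suite in the list above is weak for reasons unrelated to BEAST. RC4 itself was later prohibited for TLS by RFC 7465 (2015), so on platforms that support it, TLS 1.1 or later is the durable fix.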
As threats to cyber systems grow more and more complex, risk assessments help companies determine appropriate responses to mitigate risks to their organizations, guide investment strategies and maintain ongoing situational awareness of the state of their systems.
Overall guidance for risk assessment for information security can be found in Managing Information Security Risk: Organization, Mission, and Information System View (NIST SP 800-39).
If you're using a version of Windows prior to version 7 or Server 2008 R2, your system doesn't even support TLS 1.1. Your only hope is that server admins fix the SSL/TLS problem on their web servers.
Interestingly enough, the RC4 cipher suite is unaffected. Only encryption based on CBC (cipher block chaining) is affected. RC4 is a streaming cipher, which is not affected.
Monday, 26 September 2011
Misha Glenny: Hire the hackers! http://www.ted.com/talks/
Friday, 23 September 2011
The affected hard drives have been shipped to a Norwegian company to attempt to recover the information lost in the crash that occurred on August 22, 2011. (Almost a month ago as of the publication of this post.)
The cause of the crash is still under investigation, and the extent of the data loss is still unknown.
”We have never before lost so much information,” Mette Marklund, director of the National Board of Health and Welfare’s Southern Region, told DN. ”It can be a great risk to patient safety when we do not have access to adequate information. But, we do not know yet what to rebuild.”
Interestingly enough, Region Skåne is scheduled to launch a central medical record system for the entire nation in 2012.
Ed. Note: I'm not certain how a health organization in a first world country could have started a project so large and so far reaching and not have given any thought to data backup or disaster recovery, especially when you consider the risk to human life that the loss of medical records might entail.
Thursday, 22 September 2011
Here is the article list for issue 31:
- The changing face of hacking
- Review: [hiddn] Crypto Adapter
- A tech theory coming of age
- SecurityByte 2011: Cyber conflicts, cloud computing and printer hacking
- The need for foundational controls in cloud computing
- A new approach to data centric security
- The future of identity verification through keystroke dynamics
- Visiting Bitdefender's headquarters
- Rebuilding walls in the clouds
- Testing Domino applications
- Report: Black Hat 2011 USA
- Safeguarding user access in the cloud with identity governance
Wednesday, 21 September 2011
I wasn't ready for what I found.
As it turns out, as detailed in this IBM tech note, there is no support for TLS 1.0, TLS 1.1 or TLS 1.2 for Domino's http server. There is only support for SMTP (through STARTTLS) and SIP (for Sametime) within Domino. All other Lotus Domino Internet based protocols (HTTP, LDAP, POP3, IMAP) support SSL up to 3.0.
So... As for a plan, it looks like you can probably put your Domino servers behind a Websphere Edge Server doing reverse proxy. Much like you would have to do if you were looking to make Domino FIPS 140-2 compliant.
Although the vulnerability has been known since the early iterations of SSL, up until now, it was thought to be un-exploitable.
Thanks to the work of Juliano Rizzo and Thai Duong (who previously brought an issue to light with ASP.NET that caused Microsoft to release an 'out-of-band' patch), the vulnerability has been exploited through a web browser.
What does this mean for us, the security practitioners? It may be time to implement and enforce the use of TLS 1.1 or TLS 1.2 soon. Attacks against SSL/TLS 1.0 have yet to show up in the wild, but it is only a matter of time.
Still unsure about what SSL/TLS is? Here's a good reference.
(Note: I didn't like the spin used by the news article entitled "Online banking encryption broken" on the CBC's website about the exploit. It harkens to fear mongering to me.)
Update: The presentation to be given at the EKOParty security conference will provide all of the details on the exploit. It may be related to this paper.
Tuesday, 20 September 2011
Despite choosing one month to bring public awareness to cybersecurity, most security professionals recommend practicing cybersecurity year round, not just in October.
You'll probably want to think about things on the list below during October.
- Software Updates
Monday, 19 September 2011
Friday, 16 September 2011
Thursday, 15 September 2011
Check it out!
Every month they publish a newsletter directed at the typical web user. Not those of us with a heightened awareness of security, but people like your office manager, mail room clerk or parents.
This month's newsletter, appropriately called 'OUCH!', deals with privacy and security surrounding social networking.
I encourage you to take a look, and disseminate it to your staff. In fact, they even encourage you to do that.
It is available in English, French, Arabic, Italian, Korean, Malaysian, Polish, Portuguese, Spanish, and both Simple and Traditional Chinese.
Thursday, 11 August 2011
As a result, I always enjoy when I find a comic that I can use as part of a training I am giving, or a presentation I make. I found one of those yesterday, and I wanted to share it.
Post it in your lunchroom, post it on a bulletin board. Post it where people will read it, and hopefully learn from it.
Wednesday, 10 August 2011
There were numerous items including a Spam Sentinel t-shirt, some IBM bottle openers, IBM bottle sleeves, and the best part, a copy of the Mastering XPages book.
Gotta love it!
Update: I just got a note from one of the organizers asking if I got the mugs. Yup, I did. Two shiny IBM mugs as well. I'll snag a photo of it all tonight.
However, search as I did, I couldn't find the field in the server document.
As you know, the server document uses the server form (server) in the address book (names.nsf). I opened Domino Designer, opened the form, found the field I was looking for, checked the 'hide when' value, and discovered what I had to do to make it visible.
Could only happen in Domino, and for that I love it.
Wednesday, 27 July 2011
Here's what they found:
22% of US, 29% of Australian and almost half of British (48%) employees who have access to their employer's or client's private data, and who answered the question, indicated they would feel comfortable doing something with that data, regardless if that access was intentional or accidental
10% of American, 12% of Australian and 27% of British employees with access admitted they would forward electronic files to a non-employee
9% of Americans, 8% of Australians and 24% of Britons of these same groups admitted they would copy electronic data and files to take with them when they leave a company
While only 5% of American and 4% of Australian employees with access who answered the question selected this response, an alarming 24% of British employees with access said they would feel comfortable selling data.
15% of American, 29% of British and 18% of Australian employees use their mobile devices to access their company's private Intranet or portals
Ed. Note: At those levels in Britain, I would think twice about storing more data than absolutely required in Britain if I didn't have to.
Tuesday, 26 July 2011
The Privacy Commissioner's office is still investigating the status of 11 other reports that could jeopardise the PHI of another 5,440 individuals.
The records contain information such as names, birth dates, gender, health card numbers and cancer screening test information. The whereabouts of the documents has been unknown since their being sent to doctors during the February - March 2011 time frame.
"Medical test results rank among the most sensitive personal information about an individual," said Commissioner Cavoukian. "I am astounded that such a loss could take place. The first step is to minimize any harm by locating as many of these reports as possible. As part of our investigation, we will be looking at steps that can be taken to ensure that this type of breach doesn't happen again."
Notification to potential victims will be sent in the coming weeks.
Ed. note: It's rather scary that at the moment, we don't know if the data has actually been lost in transit or simply misplaced upon being received. What we do know is that the information lost pertains to individuals ranging in age from 50 to 75 years old. That is a prime target age range for scammers and fraud artists.
Wednesday, 20 July 2011
Packet Storm is reporting a Lotus Domino Denial of Service issue...
# Exploit Title: Lotus Domino SMTP router, EMAIL server and client DoS - all 3 may crash
# Date: July 16, 2011
# Author: None - looks like a malformed Kerio generated calendar invitation was the reason this was discovered -http://forums.kerio.com/index.php?t=msg&th=19863&start=0
# Software Link: none - cut/paste the malformed meeting invitation show below, send into some Domino shop as a mime type text/calendar with a filename.ics
# Version: 8.5.3 and very likely all 7.x and 8.x
# Tested on: W2K3, W2K8, XP running 8.5.3
# CVE : none - but IBM has patches for this and other
Particularly ugly in that the rest of the page has the cut and paste code for making the attachment that will crash the server...
This is a great tool to see if an email you send a client, colleague or even your buddy will be transmitted as open text. It's also a great tool for troubleshooting your Domino mail server.
Check it out here: http://www.checktls.com
Wednesday, 29 June 2011
Roger mentions the SANS 20 Critical Security Controls for Effective Cyber Defence, which are a great read for anyone looking at updating or auditing your policies for completeness.
The SANS top 20 controls are a must for any organization:
- Inventory of Authorized and Unauthorized Devices
- Inventory of Authorized and Unauthorized Software
- Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
- Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
- Boundary Defense
- Maintenance, Monitoring, and Analysis of Security Audit Logs
- Application Software Security
- Controlled Use of Administrative Privileges
- Controlled Access Based on the Need to Know
- Continuous Vulnerability Assessment and Remediation
- Account Monitoring and Control
- Malware Defenses
- Limitation and Control of Network Ports, Protocols, and Services
- Wireless Device Control
- Data Loss Prevention
- Secure Network Engineering
- Penetration Tests and Red Team Exercises
- Incident Response Capability
- Data Recovery Capability
- Security Skills Assessment and Appropriate Training to Fill Gaps
If you are missing policies dealing with any of these, this would be a great time to look at implementing them, especially with such a great resource now available.
Tuesday, 28 June 2011
I think DAOS is great, and why? Because of the screenshot below. A database a quarter of that size would make most admins cry, but with DAOS, it hums along beautifully.
Makes me wonder if this type of scenario is what IBM had in mind when they designed DAOS.
Oh, and the size is not an error. Logically, it actually is 140GB in size, with about 53,000 attachments.
The entire user database of Groupon’s Indian subsidiary Sosasta.com was accidentally published to the Internet and indexed by Google.
The database includes the e-mail addresses and clear-text passwords of the site’s 300,000 users. It was discovered by Australian security consultant Daniel Grzelak as he searched for publicly accessible databases containing e-mail address and password pairs.
Grzelak used Google to search for SQL database files that were web accessible and contained keywords like “password” and “gmail”.
On a side note, this is the same Daniel Grzelak who created, as a side project, shouldichangemypassword.com, a website that allows you to search a database of known-compromised e-mail address and password pairs to see if your password has been compromised.
Monday, 27 June 2011
The email looked like this:
We recently learned that hackers gained unauthorized access to the decade-old BioWare server system supporting the Neverwinter Nights forums. We immediately took appropriate steps to protect our consumers' data and launched a thorough ongoing evaluation of the breach. We have determined that no credit card data was compromised from the servers, nor did we ever have or store sensitive data like social security numbers. Our investigation shows that information such as user names, encrypted passwords, email addresses, mailing addresses, names, phone numbers, CD keys and birth dates from accounts on the system may have been compromised, as well as other information (if any) that you may have associated with this forum account. In an abundance of caution, we have disabled your legacy Account. To create a new account please visit social.bioware.com.
We take the security of your information very seriously and regret any inconvenience this may have caused you. If your username, email address and/or password on your Neverwinter Nights account are similar to those you use on other sites, we recommend changing the password at those sites as well. We advise all of our fans to always be aware of any suspicious emails or account activity and report any suspicious emails and account activity to Customer Support at 1-877-357-6007.
If you have questions, please visit our FAQ at
http://support.ea.com/app/answers/detail/a_id/5367/ or contact Customer Support at the phone number above.
Studio GM, BioWare Edmonton
VP, Electronic Arts
Now, to be honest, I didn't even realize that I had an account at the Bioware forums. I haven't actually played Neverwinter Nights in almost 7 or 8 years. As a result, I'm not even sure what my username or password would have been.
I suppose that's the first lesson for me, I should be more diligent about logging where I have accounts. I've started that recently by beginning to use LastPass, but prior to that, the odd email that arrived often reminded me that I had an account with a given service provider.
The breach was discovered on June 14th, 2011. The first place they notified customers was on the forum itself. Which is great for people who still use the resource, but doesn't do much for the rest of us.
My email came on June 23rd, 2011. It contained a link to the EA customer support site. (I wasn't even aware that EA had purchased Bioware.)
I'm not concerned about it taking a week to let me know about the breach. First of all, the accounts compromised got locked down according to EA. And they notified current users via their forum. As a past user, there isn't much that I could have done to protect myself, and I make sure that I have unique passwords on each site I use so my other accounts shouldn't be at risk. (You do that too, right?) I'd much rather a bit of a delay in warning me, than a constant back and forth about what data was actually taken.
So, in the end, the attackers have my:
- user name
- encrypted passwords
- email addresses
- mailing addresses
- phone numbers
- CD keys
- birth date
The username, email address, encrypted password and CD key I'm not as worried about. I've moved a few times since I registered the account, so my address or phone numbers don't bother me. I am concerned about my birth date and real name, but I can't easily change them...
Friday, 24 June 2011
There have been a number of high profile data breaches recently, such as Sony, Epsilon and Honda Canada. Each company took a different amount of time to notify customers, but that is because they are allowed to. There are no laws that specify how quickly they must advise you that your private information may have become public.
Sony, who has lost more than 100 million records this year, took 3 days after the detection of the Sony Playstation Network breach to advise customers.
Epsilon, who lost millions of customer account data belonging to more than 50 major companies, contacted people only a day after the breach was discovered.
Honda Canada, who suffered a breach in March, didn't notify people until May.
Reuters is reporting that a new US data breach bill would set a mandatory maximum on the amount of time a company can delay advising the public. The current version of the bill states that companies don't have to tell the public until 48 hours AFTER the investigation of the breach is complete. Hopefully that gets strengthened, as an investigation can drag on for a very long time.
Thursday, 23 June 2011
Most small businesses are more concerned with their day-to-day operations and where the next client is coming from than they are with spending the time to create policies and processes to manage security.
Although 78.6% of respondents were aware of the legal requirements of storing, keeping, and disposing confidential data, 31.1% never trained staff on the company’s information security procedures and protocols, and 35.5% of companies have no protocol in place for storing and disposing confidential data.
With any small business there is only so much time and so much to get done. Most processes exist, but are usually non-documented, and quite often verbal.
“Most things are passed around in an oral tradition, rather than a written tradition. Information is imparted verbally, and companies don’t tend to have formal policies and procedures in place until they start to grow more”
Without a training program, and documented procedures, what are the chances that something like this may happen more and more often?
Tuesday, 21 June 2011
The Staples audit included tests on data storage devices (ie. computers, laptops, USB hard drives and memory cards) that had undergone a "wipe and restore" process and were destined for resale. Of the 149 data storage devices tested, over one-third (54 devices) still contained customer data - in some cases, highly sensitive personal information such as Social Insurance Numbers, and health card and passport numbers; academic transcripts; banking information and tax records.
This brings a few questions to mind.
Who are these individuals who would return a device to a store, and blindly trust that the store will do what is in their best interest, rather than in the store's best interest?
The privacy commissioner stated that:
...although Staples generally has good privacy practices, it had not met its obligations under Canada's private-sector privacy law with regard to returned data storage devices.
How many organizations have a policy regarding data storage devices, and the safeguards around their disposal? I would imagine that most do, but that won't protect the individual consumer.
Personally, I'd like to know the policies of a store before returning data storage hardware, such as cell phones (did you wipe the address book before you returned it?), smartphones (same goes for emails), USB drives, laptops, external hard drives, internal hard drives, computers, or memory cards to them.
I'd want to know if they wipe them, a little bit about how they wipe them, and as a purchaser of previously purchased goods, I'd want to know if the device had been checked for viruses and other malware.
And the next time I return hardware to a store, or purchase a previously purchased device, I will ask.
Friday, 17 June 2011
Founded on the 'free' conference ideal, IamLUG has offered more than 25 sessions each year with the optional 'TackItOn' full day of training on specific subjects.
This year's session list looks great, and the speakers rock. It's happening on August 1st and 2nd, with the 'TackItOn' day being Aug 3rd.
You can find more detail here.
Thursday, 16 June 2011
apparently the advent of 3D projectors is severely cutting the amount of light that reaches the screen because projectionists are not changing out the 3D lenses for 2D screenings as they should
Would you believe that a poorly planned security process is to blame for our diminished enjoyment of 3D movies? With more and more thought being given to security, and protecting the intellectual property of the organization, it is possible for those controls to go too far.
Hollywood is making a trade-off here: believing that 3D and digital are the new technologies that will get people back into theaters BUT believing that anything not locked down will be copied and redistributed without payment, the studios et al have opted to secure the projectors. Understandable. But in doing so, they've made it difficult for the people running the projectors to do their jobs properly.
While it is a great idea to make sure that the business is protected, making security too much of a challenge for people to do their jobs results in poor returns for everyone.
Opening the projector alone involves security clearances and Internet passwords, 'and if you don't do it right, the machine will shut down on you.'
when the designers developed the projector's security, they failed to consider who would be using it, their level of technical capabilities, and their own internal risk model ("If I do this complicated and difficult thing and make a mistake the projector will lock up and the screening will have to be canceled and I'll probably get fired.") The upshot is poor design that defeats the purpose.
When you are designing your next security model, give lots of thought to the business and its ultimate goals. Make sure you are not a hindrance to the bottom line.
Reference: When Threat Models Collide
Wednesday, 8 June 2011
Update: @LulzRaft is not connected to @LulzSec.
I entered an article in the Wikimania contest last year, and I even won a book, and a number of other small items.
I've entered again this year, on the very day the contest opened. I suspect that I was even pointed out for it.
Sharing with the community is a great way to develop friendships and share information. (And win prizes. After all, who doesn't want to be recognized for their work.)
The Conservative Party of Canada site was the target of such an attack this week, as were many branches of the Sony empire. The Kingston Police department just got their website back online on Tuesday following a breach.
It's no surprise then that Vermont Democrat Senator Patrick Leahy has introduced a bill that would set a national standard for notifying consumers of breaches, and would make it a crime to conceal a data breach.
Is there any doubt why Canadian companies are wary of the cloud?
As a result, Canadian firms tend to experience fewer security lapses. On average, 43% of global companies reported a breach within the last year versus 38% in this country.
Tuesday, 7 June 2011
In fact, it was an attack by hackers targeting the Conservative Party website.
The CBC has more details.
Fast forward to the fall of 2010 when Communications Security Establishment Canada (Canada's electronic eavesdropping agency) started looking for signs that Canada's governmental networks had been compromised.
Fast forward to January 2011, when a hack was discovered in three Canadian government departments including the Department of Finance and an agency of the Department of National Defence.
A memo written at the end of January 2011 states:
"Indications are that data has been exfiltrated and that privileged accounts have been compromised,"
Moving on to February 2011, when Prime Minister Stephen Harper says that the government has a strategy to protect computer systems, but admits that cybersecurity is "a growing issue of importance."
And now in June 2011, we learn through a memo that the CBC received through an access to information request that hackers stole classified information.
So, what's happened in the interim?
Departments have set up workstations on each floor where employees can go to access the Internet for work purposes. And what happens when those are busy? They take their laptops down to the local coffee shop and access needed resources there.
So, now that the secure corporate environment has been breached, the next target will be the coffee shop wireless connection. My guess is that the wireless connections at coffee shops probably don't undergo the same rigorous security that goes into a typical corporate network. But in this case, whoever the hackers are that infiltrated the government networks, they have definitely flushed the game out of the woods.
Wednesday, 1 June 2011
Tuesday, 31 May 2011
Laws & Regulations
These are the compulsory rules, with sanctions, declared by the government for all citizens.
Here in Canada, the laws are passed by elected members of parliament. In the United States, laws are passed by elected members of Congress, and then ratified by the Senate. The president signs the law into being.
A policy is "a high level statement of enterprise beliefs, goals, and objectives and the general means of attainment" (Peltier). Another way to look at it is that "policy is the articulation of the intentions of management". (Fites/Kratz)
It's a course of action or a principle taken by a group of individuals used to govern themselves.
Standards could be defined as required activities that provide a support structure and direction on how to carry out policies.
"A document, established by consensus and approved by a recognized body, that provides, for common and repeated use, rules, guidelines or characteristics for activities or their results, aimed at the achievement of the optimum degree of order in a given context." (Standards Council of Canada)
A procedure is a set way to perform a task. It is a series of instructions to be completed in a particular order or manner.
Guidelines are "general statement designed to achieve policy". (Peltier)
They could also be classified as a forceful recommendation to achieve a certain goal.
Monday, 30 May 2011
Friday, 27 May 2011
This IBM Alert addresses an issue with the ~notetmp.reg file on UNIX or LINUX servers running Domino 8.5.2 FP1.
Abstract: In certain cases on a Domino 8.5.2 FP1 server, the contents of the Domino data directory can be deleted during shutdown on UNIX and Linux platforms. This does not happen frequently or on all Domino servers. However, if this does happen, a backup restore of the data will be necessary.
This is what happens:
The problem occurs if ~notetmp.reg points to the Domino data directory as the temp directory and also contains an empty string filename. In that case, Domino sees everything in the data directory as temporary and all files will be deleted at server shutdown.
More information can be found on the IBM support site. Reference is SPR# DWON8FVMYS.
Thanks to Gunawan T. Wicaksono for pointing this Alert out.
Tuesday, 24 May 2011
I'm taking on more 'security' type duties at work. This is something that falls under both my hats.
IBM Support has released a Flash Alert regarding some vulnerabilities discovered in Lotus Notes.
More information can be found on the IBM Support site.
I do like the fact that they have provided work around information all the way back to Lotus Notes 5.x.
Thursday, 19 May 2011
"Lookup of IP address for host xxxxx.xxxxx.xxx failed"
Take a look at your Internet Site Documents; chances are one of them (a non-website one) has an invalid domain name.
Wednesday, 11 May 2011
1360 René Levesque Blvd West, 13th floor, Conference Room
Local Host: Angela Caruso, email@example.com
340 Albert St, Room 100
Local Host: Connie Triassi, firstname.lastname@example.org
120 Bloor Street East Suite 104
Local Host: Rosie Seth, email@example.com
227 - 11th Avenue SW, 2nd floor, Room 2-045
Local Host: Don Gillis, firstname.lastname@example.org
4611 Canada Way, Burnaby, BC, Queen Charlotte Room
Local Host: Jayne Johnson, email@example.com
Montreal/ Ottawa/ Markham
Topic & Speaker
Meet & Greet
Welcome and Agenda
Lotus Notes 8.5.3 – How to set up Notes 8.5.3 for former Outlook users
Mary Beth Raven – IBM
Senior Technical Staff Member - Responsible for UI Design
DragonRAD – DragonRAD is a mobile enterprise application platform that empowers developers without specialized mobile development skills to create data-driven enterprise applications that run across multiple smartphones and tablets including BlackBerry®, BlackBerry PlayBook™, Android™, iPhone®, iPad®, and Windows Mobile™.
Gord Graham – Seregon Solutions
How I got started in XPages development! – My first steps into XPages were daunting because of how much I felt I didn't know, how far behind I thought I would be and how steep I was afraid the learning curve was. I am happy to report that I am glad I took those first steps and am quite excited about using XPages. I will explain my background in Notes, the resources I have used to become familiar with XPages and then demonstrate some XPages features and discuss the things that I find really powerful in XPages compared to traditional Lotus Notes development.
Graham Acres – Brytek Systems Inc
TLCC - The Leader in XPages Training
Paul Della-Nebbia will take a few minutes to tell us about TLCC’s Introduction to XPages Development 8.5 Workshop coming soon to a city near you!
8.5.x Domino Server Availability and Tuning
Do you want to keep your Domino servers available 99.999% of the time? Is part of that goal to minimize cost and take economic advantage of what's new in Domino for Release 8.5 on? There are capacity planning and administrative actions, design decisions as well as a lack of ongoing and proactive tuning practices that threaten those goals. Gleaning from the struggles, successes and failures of several enterprise deployments using the latest Domino features and configuration options, this session will yield a vital list of items that may need correction as well as procedural changes going forward.
John Curtis – IBM
Senior Technical Staff Member – Domino Development
End of Meeting