Thursday 27 October 2011

VirusTotal - Free Online Virus, Malware, and URL Scanning

I found out about VirusTotal today.

It's run by a Spanish company, and offers free, online virus checking.

The best part in my mind?  It's crowd-sourcing your anti-virus.

You submit a suspect file, it's scanned by 42 different anti-virus applications, and the results get displayed to you.  If the file is picked up by at least one of the 42 anti-virus programs, then they each get a copy of the file to test to improve their products.

By you testing a file, you're potentially helping keep everyone safe.

Tuesday 25 October 2011

Reading List for 24 Oct 2011

A few good articles I read today:

Tool lets low-end PC crash much more powerful webserver
Hackers have released software that they say allows a single computer to knock servers offline by targeting a well-documented flaw in secure sockets layer implementations.


Down the Rabbithole Podcast Episode 4 - Effective Small Business Security


Pocket Guide To Securing Mobile Devices
With workers bringing their own smartphones and tablets into the company, IT security needs to focus on creating a more secure environment, not on securing each device


Stay Cool, Nobody is Calling Your Baby Ugly
Conversations for developers and information security specialists.


Six Security Assessments You’ve Never Had But Should

Friday 21 October 2011

Electronic Communications Privacy Act targeted by Internet Rivals

Both Facebook and Google have also come out against the ECPA to protect information entrusted to them by their users.

CNet: Google, Facebook go retro in push to update 1986 privacy law

Ars Technica: The Shocking Strangeness of our 25-year-old Digital Privacy Law

Electronic Communications Privacy Act and the Cloud

Electronic Communications Privacy Act and the Cloud

Great article from Threat Level. Worth the read, and worth giving some thought to how you or your company may be affected, especially if you are a foreign company with cloud services in the United States.
ECPA allows the government to obtain, without a warrant, any content stored in the cloud — such as files in a Dropbox account, if it’s older than six months. It goes without saying that there was no such thing as cloud-storage services available for the average Joe Sixpack when Reagan was president. Now those services have become mainstream, yet the Reagan-era law applies.

Thursday 20 October 2011

Running a Security Program without a Budget

I've been thinking more and more about small businesses and security recently. Most small businesses don't have the budget to run their own security program. These organizations, which collectively employ many, many people, are often left vulnerable. Larger organizations have the budget to fund a security program, while most small businesses don't.

I've pointed out before that most small businesses don't have an information security program.

I spotted a great article earlier today that dealt with the concept of security below the poverty line, and it contained both a podcast and a link to a research paper published by the 451 Group. I'm not going to link directly to the research, as the 451 Group decided to make it available for free through The Ashimmy Blog, and not through my site. Credit where credit is due.

As a small business owner, what 4 steps can you take to drastically improve your security?

  1. Introduce an acceptable use policy.  Let your employees know what is, and what isn't, acceptable.  Teach them what to watch for, why, and who to advise when something looks wrong.

  2. Implement forensic accountability.  Do away with shared passwords and shared accounts.  You want to make sure that should something go wrong, you can determine who did what.

  3. Purchase legitimate software.  Downloading pirated software can often introduce backdoors and other malware into your system that your anti-virus won't detect.

  4. Maintain physical security.  Make sure that no one can just walk into your office, pick something up (or drop something off) and walk out.

Wednesday 19 October 2011

SANS Ouch! - October 2011

The latest edition of SANS Ouch! is out.

Every month they publish a newsletter directed at the typical web user.  Not those of us with a heightened awareness of security, but people like your office manager, mail room clerk or your parents.

This month's newsletter deals with a critical step in protecting your data.  Backups.

I encourage you to take a look, and disseminate it to your staff.   In fact, they even encourage you to do that.

It is available in English, French, Arabic, Italian, Korean, Malaysian, Polish, Portuguese, Spanish, and both Simple and Traditional Chinese.

You can now follow Securing the Human on Facebook and Twitter too.

Friday 14 October 2011

Conference Call Systems and Security

I found a very interesting article talking about the security surrounding conference call systems, and how easy some systems make it to eavesdrop on calls.
Your competitors are simply dialing into insecure conference call lines and silently listening in. This happens at all levels … from the executive team making bajillion dollar decisions all the way down to those of us in the trenches talking shop on the technologies we use to build solutions. And the problem is only going to get worse as the workforce continues to migrate to more distributed environments.

It's a great article, and a really good read.  I even mentioned it to an acquaintance, who told me of a time it happened to him.

The Vulnerability We All Love to Ignore - NovaInfosecPortal

Scary.  (And not in a good Halloween-type scary...)


Thursday 13 October 2011

Trade Magazines: eWeek

I've been reading eWeek on and off for quite a few years now.

They bill themselves as:

Enterprise IT’s trusted source for product information in an actionable context, including expert labs analysis and practical tools for evaluating, acquiring, installing, configuring and maintaining technology products and services.

It's a trade magazine for Enterprise IT professionals.  If you qualify, you can get a free print or digital subscription if you live in the US or Canada.

They have fairly timely news and opinion pieces, both of which are rather high-level overviews.  Not a lot of depth to the articles.  I find it rather advertiser-heavy and lacking in content, but it is free, which means that the advertisers pay for it.


Domino not starting on Windows 2008 R2

If you are like me and set up your Domino server on one IP address and then move it to another, under Windows 2008 R2 you may end up in a situation where the server refuses to start after you change the IP address.

To fix it, add the following line to your notes.ini file, replacing with the IP of your server:


Thursday 6 October 2011

Facial Recognition on Spark

There are many privacy concerns about facial recognition.

Imagine being able to identify someone by taking their photo with your phone.   What about combining that with cloud computing to determine someone's address, and date of birth?   Or perhaps their Social Security Number?

Worse yet, who is already using facial recognition?   What if the police were using it in conjunction with CCTV feeds to track you, or someone you know?   What if criminals were instead?

There was a great piece on Spark, a radio show on the CBC that shows how technology affects our lives.  I encourage you to have a listen.

Wednesday 5 October 2011

Published: Securing Lotus Domino For the Web - Email Relay

Due to issues I had with Scribd, I'm posting my paper entitled "Securing Lotus Domino For The Web - Email Relay" here on my site.


Securing Lotus Domino for the Web - Email Relay