http://www.secuobs.com Observatoire de la securite Internet fr webmaster@secuobs.com 2015-10-05 03:26:06 - Zen One : TL DR ----- Last week I wrote about Markov Chains in a post titled, Using Python to Sound Like a Wine Snob Yesterday morning, while laying in bed, I thought it would be a fun exercise to take this idea further How about creating a Python script that automatically generates, and posts, humorous tweets in the voice of Yoda, combined with the wisdom of Zen masters I created and tested the code, and thus the creation of the Yoda parody twitter handle, YodaUncut A day later I felt it would be valuable to write a blog post sharing what I coded This code is like Burger King, have it your way, but don't go crazy Please, don't abuse this with Twitter see Twitter's Terms of Service I'm sharing this as educational material that hopefully inspires some people to pursue, or continue learning, coding or at least provide some answers for anyone who's stuck with their existing code, searching the web for some answers else, for your amusement Be original ----------- In my example I blend quotes from Yoda and various Zen masters If you go through this exercise, pick something different For example, how about combining quotes from Warren Buffett and Darth Vader, or 50 Shades of Grey and Mother Teresa Criteria -------- Here's the initial criteria I came up with 1 Purpose Generate amusing Yoda'esque tweets using Markcov Chains 2 The tweets would blend the wisdom of Yoda with the koans of various Zen masters 3 The generated tweets would need to be 140 characters, or less, in length 4 Create a random latitude and longitude in North America for Yoda's geolocation 5 Post the tweet on Twitter with Yoda's geolocation Requirements ------------ In order for the Python script to work, I used the following third party libraries oauthlib 103 requests 270 requests-oauthlib 050 The above libraries were installed with ----- easy_install pip Searching for pip Best match pip 608 Adding pip 608 to easy-installpth file Installing pip script to tmp test bin Installing pip34 script to tmp test bin Installing pip3 script to tmp test bin Using tmp test lib python27 site-packages Processing dependencies for pip Finished processing dependencies for pip pip install requests oauthlib requests-oauthlib Collecting requests Using cached requests-270-py2py3-none-anywhl Collecting oauthlib Using cached oauthlib-103targz Collecting requests-oauthlib Using cached requests_oauthlib-050-py2py3-none-anywhl Installing collected packages requests-oauthlib, oauthlib, requests Running setuppy install for oauthlib Successfully installed oauthlib-103 requests-270 requests-oauthlib-050 ----- The code was written for, and tested with, Python version 279 It hasn't been tested in with Python 3 ----- python --version Python 279 ----- Generate Twitter API and token keys secrets ------------------------------------------- You will need to get your Twitter API and token keys secrets If you haven't already 1 Go to https appstwittercom 2 Create a new app 3 Once created, scroll down to Application Settings and click on manage keys and access tokens 4 Copy you Consumer Key API Key and Consumer Secret API Secret 5 Scroll down to Token Actions and click on Create my access token 6 Copy your Access Token and Access Token Secret Save your keys secrets Don't share them Don't upload them to your git repository For the sake of this example, put them in a file called keystxt The syntax of keystxt will look like the following ----- cat keystxt client_key client_secret token token_secret ----- Imports ------- Starting our Python code with the imports We want urllib for proper encoding of our tweets We import choice from random so that we can randomly choose text as part of the Markcov Chain We also want to import randint from random for generating some random numbers for geolocation latitude and longitude The two remaining imports require third party libraries to first be installed To post our tweet over HTTPS to Twitter's API, we'll need requests We also need OAuth1 from requests_oauthlib for authentication with Twitter Let's start with the Python code Local libraries import urllib from random import choice , randint Third party libraries import requests from requests_oauthlib import OAuth1 Taking about geolocation --------------------------- In order for the latitude and longitude geolocation to show up in the tweets, geolocation needs to be enabled for the Twitter account To enable geolocation sharing 1 Go to your Twitter account settings 2 On the left side, click on Security and privacy 3 Scroll down to Privacy Tweet location and check Add a location to my Tweets 4 Click on Save changes Preparing the environment ------------------------- Adjust the following filenames to whatever you're using In my example, I have a file that has Yoda quotes, and a second file that has various Zen master quotes Quotes filenames quote_filename1 'yoda_quotestxt' quote_filename2 'zen_quotestxt' The format of both quote files looks something like the following Each quote is on a new line For example ----- tail -n 25 yoda_quotestxt head -n 5 size matters not look at me judge me by my size do you so certain are you always with you it cannot be done hear you nothing that I say strong am I with the Force, but not that strong twilight is upon me, and soon night must fall that is the way of things the way of the Force that is why you fail the boy you trained, gone he is, consumed by Darth Vader tail -n 25 zen_quotestxt head -n 5 no yesterday, no tomorrow, and no today nothing is exactly as it seems, nor is it otherwise one falling leaf is not just one leaf it means the whole autumn the Force is not some kind of excitement, but merely concentration on our usual everyday routine the Force is selling water by the river ----- Twiter's API base URL --------------------- Here we define the base URL for Twitter's API endpoints Base URL for Twitter calls base_twitter_url https apitwittercom 11 Create a function to get your Twitter API and token keys secrets from keystxt --------------------------------------------------------------------- def get_twitter_credentials This function reads in the Twitter credentials and organizes them in a dictionary return Return the twitter credentials as a dict f open 'keystxt' , 'rb' raw_credentials f readlines f close credentials for credential in raw_credentials key credential split ' ' 0 value credential split ' ' 1 strip ' n ' credentials key value return credentials Reading in the quotes --------------------- We also need a function that will read in the quotes from our quotes files def get_quotes filename This function read the quotes in from a file param filename The filename of the file that contains the quotes return A string with the quotes concatenated together Newlines are removed f open filename , 'rb' quotes f readlines f close quotes_list for quote in quotes quotes_list append quote strip ' n ' return join quotes_list Create a dictionary for use with the Markcov Chain -------------------------------------------------- This is the function used last week in Using Python to Sound Like a Wine Snob def create_markcov_dict original_text This function takes the quotes and creates a dictionary with the words in Markcov chunks param original_text The plaintext to chunck up return Return the dictionary with Markcov chunks original_text original_text split_text original_text split markcov_dict for i in xrange len split_text - 2 key_name split_text i , split_text i 1 key_value split_text i 2 if key_name in markcov_dict markcov_dict key_name append key_value else markcov_dict key_name key_value return markcov_dict Generating the tweet, 140 characters, or less, using the Markov Chain --------------------------------------------------------------------- This is a modified version of the function used from last week's wine snob example def create_markcov_tweet markcov_dict This function creates the Tweet using the Markov Chain param markcov_dict The dictionary with the text in Markcov chunks return Return the tweet Pick a random starting point selected_words_tuple choice markcov_dict keys markcov_tweet selected_words_tuple 0 capitalize , selected_words_tuple 1 Generate the Markcov text, ending the Markcov text when we create a key that doesn't exist while selected_words_tuple in markcov_dict next_word choice markcov_dict selected_words_tuple if len join markcov_tweet next_word 140 if markcov_tweet - 1 endswith '' markcov_tweet append next_word capitalize else markcov_tweet append next_word selected_words_tuple selected_words_tuple 1 , next_word else tweet join markcov_tweet strip if tweet endswith , tweet tweet rstrip ',' '' elif not tweet endswith or tweet endswith or tweet endswith or tweet endswith or tweet endswith tweet tweet '' return tweet Create a random latitude and longitude in North America ------------------------------------------------------- This is dirty, but works fine our purpose def get_geolocation This function generates a random latitude and longitude, somwhere in Northern America return Returns a dict with the lat and long latitude 07d format randint 28 , 69 , randint 0 , 999999 longitude 07d format randint - 128 , - 64 , randint 0 , 999999 return 'lat' latitude , 'long' longitude Create function to post our tweet via HTTPS using Twitter's API --------------------------------------------------------------- This is how we'll upload our tweet to Twitter def post_tweet markcov_tweet This function posts the tweet to Twitter param markcov_tweet The text to tweet return Return the response from requestspost Setup authentication credentials get_twitter_credentials client_key credentials 'client_key' client_secret credentials 'client_secret' token credentials 'token' token_secret credentials 'token_secret' oauth OAuth1 client_key , client_secret , token , token_secret Get latitude and longitude for the tweet coordinates get_geolocation Make the URL api_url statuses updatejson format base_twitter_url api_url status format urllib quote markcov_tweet api_url lat long format coordinates 'lat' , coordinates 'long' api_url display_coordinates true tweet response requests post api_url , auth oauth return response Tying it all together --------------------- Now that we have everything in place, let's take this out for a test drive We're going to generate a tweet and post it to Twitter We begin by reading in, and concatenating, all of the quotes from both quote files quotes get_quotes quote_filename1 get_quotes quote_filename2 For the sake of this example, let's do a quick test to see the first 1000 characters loaded print quotes 0 1000 I cannot teach him the boy has no patience I hear a new apprentice you have, Emperor or should I call you Darth Sidious Master Obi-Wan, not victory the shroud of the dark side has fallen begun, the Clone War has Qui-Gon's defiance I sense in you need that you do not agree with you, the Council does your apprentice young Skywalker will be Yoda I am, fight I will a labyrinth of evil, this war has become a trial of being old is this remembering which thing one has said into which young ears and well you should not for my ally is the Force and a powerful ally it is life creates it, makes it grow its energy surrounds us and binds us luminous beings are we, not this crude matter you must feel the Force around you here, between you, me, the tree, the rock everywhere even between the land and the ship around the survivors, a perimeter create at an end your rule is and not short enough it was awww, cannot get your ship outeh-heheheh careful you must be We'll feed text into our Markcov dictionary creation function ------------------------------------------------------------- markcov_dict create_markcov_dict quotes Let's also see how many chunks of text we have in our newly created dictionary as a quick test print len markcov_dict 1595 Generate the tweet ------------------ We'll generate the tweet with our Markcov function and quotes markcov_tweet create_markcov_tweet markcov_dict Let's see what we'll be tweeting and the number of characters of the tweet print Tweet format len markcov_tweet , markcov_tweet Tweet 140 Of evil, this war has become A trial of being old is this remembering which thing one has said into which young ears And well you should Ready aim FIRE ----------------------- Finally, let's post the tweet and get a status of whether or not the tweet was posted successfully response post_tweet markcov_tweet if response status_code 200 print Tweet posted successfully else print - Tweet post failed Tweet posted successfully Back to this world --------------------- The tweet has now been posted on Twitter You can also schedule your script to run via cron at random times throughout the day For example, let's say we want to post three tweets a day at random times You can setup a cron entry like the following ----- SHELL bin bash m h d m w -- minute - hour - day of the month - month - day of the week 0-6, Sun-Sat 0 8 bin sleep usr bin expr RANDOM pourcents 28800 python myscriptpy ----- I hope you found this useful Please share suggestions, improvements, and any additional features you've created to enhance the code IMAGE IMAGE IMAGE IMAGE IMAGE http://www.secuobs.com/revue/news/585635.shtmlhttp://www.secuobs.com/revue/news/585635.shtml Secuobs.com : 2015-10-02 06:27:57 - Zen One - Web Scraping with Beautiful Soup Using Markov Chain to Create --------------------------------------------------------------- Wine Snob Gibberish Written by Steve Zenone on 2015-10-01 Inspired by Tony Fischetti's blog post, How to fake a sophisticated knowledge of wine with Markov Chains Some Background --------------- The term, Markov chain, is named after Russian mathematician, Andrey Markov 1871 - 1897 In mathematics, a Markov Chain is a discrete random process with the Markov property According to Wikipedia, A stochastic process has the Markov property if the conditional probability distribution of future states of the process conditional on both past and present states depends only upon the present state, not on the sequence of events that preceded it This process changes randomly throughout each iteration in discrete steps Saaaay what Jason Young has a video on YouTube that better explains what a Markov Chain is Markon, Markov, Markon, Markov - Mr Miyagi not really ---------------------------------------------------------- Our lives have all graced by Markov Chains Think about those websites websites you've come across with nonsensical text These pages are often generated by the use of the Markov Chain Why do these pages exist They're used to optimize search engine rankings the darker side of SEO Bummer Fun with the Markov Chain ------------------------- While researching Markov Chains, I came across Tony's tonyfischetti blog post It inspired me to create a Python script that emulates essentially what his example does, but with using the BeautifulSoup library to scrape the initial website content Requirements ------------ beautifulsoup4 This is for extracting the data we want from the downloaded web content requests This is for downloading the web content Steps ----- Download initial webpage from winespectatorcom and determine last page number The idea behind web scraping is to get raw content from a wbsite and extract from it usable data This is where the python library, BeautifulSoup, comes in handy Let's Begin ----------- We'll start by importing the modules we'll need to download a website and extract the data we want import requests from bs4 import BeautifulSoup from random import choice We want to pick a random webpage from the website for to feed into our Markov Chain First, let's find out how many pages this site has at http wwwwinespectatorcom dailypicks category catid 1 page Now we'll download the HTML source from a wine website and generate a Beautiful Soup object using the BeautifulSoup function base_url http wwwwinespectatorcom dailypicks category catid 1 page r requests get base_url soup BeautifulSoup r text Next, we'll take a look at a section of the website's HTML to figure out what element we want to extract in order to get the last page number print soup prettify 44750 45750 items -- 1 2 3 4 5 6 7 Last 814 86 points, 12 Light, firm tannins support a pleasingly plump texture in this fresh red, which offers black cherry, leaf and tobacco notes, with a smoky finish Drink now through 2013 50,000 cases imported â Thomas Matthews Jan 11, 2011 STANDING STONE Chardonnay Finger Lakes 2009 85 points, 11 Up front, with green apple, melon and butter hints Just tangy enough on the finish to keep it all honest Drink now 1,184 cases made â James Molesworth We can now begin looking at the text that Beautiful Soup Extracted Each element section can be called by its index verbiage 0 4070 Daily Wine Picks found in this category We'll probably want to ignore verbiage 0 later verbiage 1 Light, firm tannins support a pleasingly plump texture in this fresh red, which offers black cherry, leaf and tobacco notes, with a smoky finish Drink now through 2013 50,000 cases imported â Thomas Matthews Nice - this looks like some content we want to extract Ok, we know we don't want verbiage 0 , so we'll start iterating through the entries starting at index 1 ie, 1 We'll also encode the text to UTF-8 Next, we'll want to remove any newlines and tabs that are in the text then remove any leading trailing spaces and then split the line so that we ignore the em element we don't care about who wrote the comment on the website We'll combine all of the sanitized text into a string called scraped_text scraped_text for entry in verbiage 1 entry entry get_text encode 'utf-8' entry entry replace ' t ' , '' entry entry replace ' n ' , '' entry entry strip entry entry split 'â ' 0 scraped_text format entry replace 'Back to Top' , '' scraped_text str scraped_text split 'Featured ' 0 Let's see what we got by printing scrapted_text print scraped_text Light, firm tannins support a pleasingly plump texture in this fresh red, which offers black cherry, leaf and tobacco notes, with a smoky finish Drink now through 2013 50,000 cases imported Up front, with green apple, melon and butter hints Just tangy enough on the finish to keep it all honest Drink now 1,184 cases made Tasty, showing citrus, pear and apple flavors that have a pleasant ripeness and a floral quality Balanced and juicy Drink now 40,000 cases made Vibrant and mouthwatering, with a laser beam of lemon, lime, grapefruit and apricot flavors Hints of fresh herbs and flowers add to the complexity Drink now 250,000 cases imported Syrah-like, with layers of plum, spice and violet flavors framed by a fine layer of tannins, followed by a focused, tar-tinged finish Drink now 60,000 cases made Browse our exclusive lists of the world's top wine values, top value producers and easy-to-find wines Yawn I like wine Well, I like to drink wine At this point, we have the text we want to work with Let's create the Markcov Chain and generate some new text We'll define a function that splits text passed on to it into a dictionary of Markcov Chain chunks, returning the new dict once it's done For example, take the sentance, I love walking cats in New York City The sentance is first chunked into bi-grams I love love walking walking cats cats in in New New York York City With Python, we'll make these immutable keys in a dictionary dict 'I', 'love' '', 'love', 'walking' '', We'll then need to add values to each of the keys The values will consist of the word that comes after each instance of the bi-grams So, in the case of I love , the third word is walking If we feed more data into our function, there may be multiple instances of I love For example, I love walking cats in New York city I love eating pizza The words walking and eating both come after I love there are two instances of I love The value we assign to the 'I', 'love' dictionary key is a list consisting of 'walking', 'eating' Our dictionary begins to look like 'I', 'love' 'walking', 'eating' , Once completed, we return the dict def create_markcov_dict original_text original_text original_text split_text original_text split markcov_dict for i in xrange len split_text - 2 key_name split_text i , split_text i 1 key_value split_text i 2 if key_name in markcov_dict markcov_dict key_name append key_value else markcov_dict key_name key_value return markcov_dict Let's send the above function our scraped text from the website markcov_dict create_markcov_dict scraped_text print markcov_dict 'top', 'wine' 'values,' , 'lime,', 'grapefruit' 'and' , 'wine', 'values,' 'top' , 'Hints', 'of' 'fresh' , 'laser', 'beam' 'of' , 'add', 'to' 'the' , 'and', 'mouthwatering,' 'with' , 'which', 'offers' 'black' , 'green', 'apple,' 'melon' , 'violet', 'flavors' 'framed' , 'notes,', 'with' 'a' , 'value', 'producers' 'and' , 'tobacco', 'notes,' 'with' , 'imported', 'Up' 'front,' , 'made', 'Vibrant' 'and' , 'and', 'easy-to-find' 'wines' , 'mouthwatering,', 'with' 'a' , 'tannins,', 'followed' 'by' , 'of', 'tannins,' 'followed' , 'Tasty,', 'showing' 'citrus,' , 'flavors', 'framed' 'by' , 'of', 'plum,' 'spice' , 'of', 'lemon,' 'lime,' , 'a', 'pleasingly' 'plump' , '40,000', 'cases' 'made' , 'and', 'apple' 'flavors' , '250,000', 'cases' 'imported' , 'values,', 'top' 'value' , '2013', '50,000' 'cases' , 'flavors', 'that' 'have' , 'butter', 'hints' 'Just' , 'ripeness', 'and' 'a' , 'lists', 'of' 'the' , 'and', 'butter' 'hints' , 'of', 'the' world's , 'finish', 'Drink' 'now', 'now' , 'now', '60,000' 'cases' , 'Drink', 'now' '1,184', '40,000', '250,000', '60,000' , 'and', 'apricot' 'flavors' , 'Syrah-like,', 'with' 'layers' , 'honest', 'Drink' 'now' , 'that', 'have' 'a' , 'front,', 'with' 'green' , 'fine', 'layer' 'of' , 'top', 'value' 'producers' , '1,184', 'cases' 'made' , 'and', 'flowers' 'add' , 'all', 'honest' 'Drink' , 'cases', 'imported' 'Up', 'Syrah-like,' , 'apple,', 'melon' 'and' , 'Up', 'front,' 'with' , 'floral', 'quality' 'Balanced' , 'texture', 'in' 'this' , 'the', 'complexity' 'Drink' , 'plum,', 'spice' 'and' , 'to', 'the' 'complexity' , 'now', '40,000' 'cases' , 'a', 'fine' 'layer' , 'flavors', 'Hints' 'of' , 'juicy', 'Drink' 'now' , 'fresh', 'herbs' 'and' , 'tar-tinged', 'finish' 'Drink' , 'hints', 'Just' 'tangy' , 'and', 'tobacco' 'notes,' , 'pleasingly', 'plump' 'texture' , 'framed', 'by' 'a' , 'Light,', 'firm' 'tannins' , 'now', '1,184' 'cases' , 'of', 'fresh' 'herbs' , 'with', 'green' 'apple,' , 'grapefruit', 'and' 'apricot' , 'melon', 'and' 'butter' , 'have', 'a' 'pleasant' , 'leaf', 'and' 'tobacco' , 'cherry,', 'leaf' 'and' , 'beam', 'of' 'lemon,' , 'smoky', 'finish' 'Drink' , 'red,', 'which' 'offers' , 'keep', 'it' 'all' , 'showing', 'citrus,' 'pear' , 'the', world's 'top' , 'offers', 'black' 'cherry,' , 'now', 'through' '2013' , 'in', 'this' 'fresh' , 'now', '250,000' 'cases' , 'complexity', 'Drink' 'now' , 'a', 'laser' 'beam' , 'made', 'Tasty,' 'showing' , 'Balanced', 'and' 'juicy' , '60,000', 'cases' 'made' , 'our', 'exclusive' 'lists' , 'this', 'fresh' 'red,' , 'firm', 'tannins' 'support' , 'Drink', 'now' 'through' , 'flowers', 'add' 'to' , 'pleasant', 'ripeness' 'and' , 'imported', 'Syrah-like,' 'with' , 'producers', 'and' 'easy-to-find' , 'Just', 'tangy' 'enough' , 'apple', 'flavors' 'that' , 'with', 'layers' 'of' , 'cases', 'made' 'Tasty,', 'Vibrant', 'Browse' , 'focused,', 'tar-tinged' 'finish' , 'enough', 'on' 'the' , 'to', 'keep' 'it' , 'followed', 'by' 'a' , 'pear', 'and' 'apple' , 'quality', 'Balanced' 'and' , 'plump', 'texture' 'in' , 'a', 'pleasant' 'ripeness' , 'black', 'cherry,' 'leaf' , 'finish', 'to' 'keep' , 'Browse', 'our' 'exclusive' , 'it', 'all' 'honest' , 'layer', 'of' 'tannins,' , 'on', 'the' 'finish' , 'exclusive', 'lists' 'of' , 'a', 'floral' 'quality' , 'the', 'finish' 'to' , 'made', 'Browse' 'our' , 'a', 'smoky' 'finish' , 'with', 'a' 'smoky', 'laser' , 'through', '2013' '50,000' , 'lemon,', 'lime,' 'grapefruit' , 'apricot', 'flavors' 'Hints' , world's , 'top' 'wine' , 'and', 'violet' 'flavors' , 'Vibrant', 'and' 'mouthwatering,' , 'and', 'a' 'floral' , 'tangy', 'enough' 'on' , 'citrus,', 'pear' 'and' , 'fresh', 'red,' 'which' , '50,000', 'cases' 'imported' , 'by', 'a' 'fine', 'focused,' , 'a', 'focused,' 'tar-tinged' , 'and', 'juicy' 'Drink' , 'tannins', 'support' 'a' , 'layers', 'of' 'plum,' , 'support', 'a' 'pleasingly' , 'spice', 'and' 'violet' , 'herbs', 'and' 'flowers' We'll create a new function that we can feed this Markov'ian dictionary to and have the newly generated test we want returned def create_markcov_text markcov_dict Pick a random starting point selected_words_tuple choice markcov_dict keys Get the first three words for our new Markcov story poem text first_word selected_words_tuple 0 title second_word selected_words_tuple 1 next_word choice markcov_dict selected_words_tuple Begin our Markcov test with the three new words from above markcov_text format first_word , second_word , str next_word Grab the next tuple of two words using second_word, next_word from above selected_words_tuple second_word , next_word Generate the remainder of the Markcov text, ending the Markcov text when we create a key that doesn't exist while True if selected_words_tuple in markcov_dict next_word choice markcov_dict selected_words_tuple markcov_text format str next_word selected_words_tuple selected_words_tuple 1 , next_word else break Return our newly generated Markcov poem story text return markcov_text We'll pass markcov_dict to the above function markcov_text create_markcov_text markcov_dict Drumroll let's finally print our newly generated wine'snobbery text print markcov_text Tobacco notes, with a laser beam of lemon, lime, grapefruit and apricot flavors Hints of fresh herbs and flowers add to the complexity Drink now 250,000 cases imported Up front, with green apple, melon and butter hints Just tangy enough on the finish to keep it all honest Drink now 1,184 cases made Tasty, showing citrus, pear and apple flavors that have a pleasant ripeness and a floral quality Balanced and juicy Drink now 40,000 cases made Vibrant and mouthwatering, with a smoky finish Drink now 250,000 cases imported Up front, with green apple, melon and butter hints Just tangy enough on the finish to keep it all honest Drink now 1,184 cases made Tasty, showing citrus, pear and apple flavors that have a pleasant ripeness and a floral quality Balanced and juicy Drink now 250,000 cases imported Up front, with green apple, melon and butter hints Just tangy enough on the finish to keep it all honest Drink now 1,184 cases made Tasty, showing citrus, pear and apple flavors that have a pleasant ripeness and a floral quality Balanced and juicy Drink now 250,000 cases imported Up front, with green apple, melon and butter hints Just tangy enough on the finish to keep it all honest Drink now 250,000 cases imported Up front, with green apple, melon and butter hints Just tangy enough on the finish to keep it all honest Drink now 1,184 cases made Browse our exclusive lists of the world's top wine values, top value producers and easy-to-find wines Cheers IMAGE IMAGE IMAGE IMAGE IMAGE http://www.secuobs.com/revue/news/585446.shtmlhttp://www.secuobs.com/revue/news/585446.shtml Secuobs.com : 2014-12-03 15:04:35 - Zen One - I've been searching for a reliable method to automate the synchronization of events from Oracle Calendar formerly CorporateTime to my Google Calendar, iCal on my Mac, and internal iPhone calendar on my iPhone Slide1png Recently I learned of a promising iPhone app available at iTunes called Todo Cal Sync that could do most of what I was looking for with synchronizing calendars However, I didn't want to fork over 1499 for an application that, instead of importing Oracle Calendar events into the native iPhone calendar, added an additional calendar application on my iPhone Synthesis AG, the developer of the Todo Cal Sync application, is required to do this because of limitations imposed by Apple's iPhone software development kit SDK In other words, Apple does not allow 3rd part applications, such as Todo Cal Sync, to access the internal iPhone calendar, nor sync with iCal This is a risk benefit that Apple needs to manage is the benefit of restricting access to the internal iPhone calendar worth the impact it has on the development of 3rd party applications and subsequent ripple effect Until Apple's iPhone SDK allow such access, I did not want two calendar applications and continued looking for something that would better match my needs After digging around and tinkering with different solutions, I worked out a method that did exactly what I wanted To make this solution even better, it cost 0 - in other words, FREE Below are the steps that I came up with to make the calendar sync work for me Steps 1-3 are also useful for those who do not necessarily have an iPhone or iTouch but want to sync their Oracle Calendar with other devices and or calendar apps that support Google Calendar's CalDAV sync 1 Begin by changing your password for your Oracle Calendar user account Make it a unique password that you are not using anywhere else In other words, your new Oracle Calendar password should not be the same password as you're using for other email accounts, online banking, eBay, PayPal, etc This new password should also comply to any password policies that may exist for users of the Oracle Calendar system 2 Create a magic URL using SyncML2iCalcom This URL will be used in step 3 You will want your magic URL to look something like the following Example - Oracle Calendar supporting https on port 443 http syncsyncml2icalcom serverurl https YOURORACLECALENDARCOM 443 ocas-bin ocasfcgi sub syncml user USERNAME pass PASSWORD eventsdb Calendar Events dr -7,30 SECURITY WARNING - There is an increased security risk with this method It's up to you to determine if this is a risk you are willing to accept and that it doesn't violate any policies or restrictions imposed by the organization running the Oracle Calendar service that you are using The risks include Unauthorized interception of your password from the URL as it's being transmitted to SyncML2iCalcom or from SyncML2iCalcom SyncML2iCalcom itself becoming compromised and allowing an attacker to intercept your password In my opinion, the likelihood of the above risks happening are medium to low You can keep this risk on the lower end by never connecting to untrusted networks or using insecure wireless, which includes wireless networks that use WEP encryption Additionally, you will need to determine if the impact of an unauthorized user obtaining your Oracle Calendar password would have a significant impact or not In most instances, I would imagine the impact would be low This is why doing step 1 above is critical in helping minimize the impact if your password was compromised Anyone using an application that syncs using the SyncML functionality of Oracle Calendar should take the same precautions irregardless if he or she are using SyncML2iCalcom as a proxy to convert SynchML to iCal format 3 Go to Google Calendar and add a new calendar by selecting Add by URL You will use the URL you created from step 2 You may also want to change the display name and color of this new calendar on Google Calendar AddCalpngDo note that Google has stated that external feeds added via the Add by URL method should be refreshed every 24 hours 4 Download and run Calaboration from Google Code This will allow you to add your Oracle calendar to your Mac's iCal application Before you can add the new calendar, click on preferences within Calaboration and enable allowing read only calendars to be added Make sure your new calendar is selected and let Calaboration do the setup work for you Your Oracle calendar will then sync with iCal Calaborationpng 5 Use iTunes to sync Oracle calendar from iCal to your iPhone iTunes-Calendarpng One minor annoying issue I came across was with how day events and day notes from Oracle Calendar were handled by the time they showed up in iCal Day events and notes from Oracle Calendar showed up in iCal as being a blocked all-day event from 0000-2359 As a quick temporary solution I simply denied day events and notes within Oracle Calendar and re-synced This temporary approach was acceptable for me since I use Google Calendar to manage my daily notes and I can look at a user's Oracle calendar if I need to know if he or she is on vacation, on-call, etc As for effectively managing tasks using your iPhone, see my previous article titled, Tools To Get Things Done Steve IMAGE IMAGE IMAGE IMAGE IMAGE http://www.secuobs.com/revue/news/548273.shtmlhttp://www.secuobs.com/revue/news/548273.shtml Secuobs.com : 2014-12-03 15:04:35 - Zen One - By Judi Lynn Lake I am a die-hard Mac user Have been for over twenty years and it only gets better The PC certainly has its place but for creative projects well the Mac is superior and the good news is is that Mac's do not get viruses My partner is a die-hard PC user If you ever viewed the recent Mac commercials then you can imagine our relationship I have recently added creative video production to my advertising agency's services and my partner began to feel a bit competitive I have always thrived on competition and believe it to be good even if it is with your partner My first video was a Creative Director's dream -- my client gave me complete creative carte blanche My partner, who is a copywriter, had recently bought PC video software and well, he was just dying to use it and prove that it would triumph over the Mac Once I completed all the storyboards, I sent a crew out to shoot on location As I passed my partners office, I peaked in his office and I could see sweat dripping from his forehead He was struggling and I silently laughed, wishing we had made a bet Two weeks later the video was completed fully edited and designed on my Mac The client approved the video and it was a 'go' My partner, on the other hand, was still trying to learn the software and his final product was 'the homegrown version' clip It is comical, but seriously our differences actually are our strengths An experienced Mac user tends to be 'cocky' at times because there really are no limits to what our little machines can do, and I am no exception -- I rarely see any limits There was, however, a disadvantage I experienced recently that unfortunately is nondiscriminating towards neither a Mac nor a PC Identity Theft This week I became victim to Identity Theft and therefore a statistic in the wonderland of technology No longer holding the 'it could never happen to me' mentality because it did and it happens to millions of people a day without some consumers ever realizing it Technology is incredible and we can do things today that were never imagined twenty years ago But as technology juices up the creative sector, it also feeds the larcenists and opens up a world of crime unheard of years ago Once considered a protection, our social security number has actually transformed into the very bait that perpetrators look for to steal identities Who is walking around with my name Who is walking around with my numbers and personal information Is it someone reading this article Is it someone I do business with Is it my neighbor This is a form of terrorism, which stalks our daily lives in the twenty-first century and ruins lives I have been 'Judi Lynn' all of my life and 'Lake' for the past eleven years and am very happy to be me How dare a stranger invade my life and steal it from me I have heard nightmare stories of people haunted for years through Identity Theft and to quote the 1970s movie Network, I am mad as hell and I am not going to take it anymore Unfortunately, in this day and age, high security precautions must be taken both personally and professionally The best defense against this heinous crime is education and guidance but 'the damned if you do' fact is that skilled identity thieves will use a variety of methods to gain access to your data There are many websites available on the Internet that educates people on steps to protect themselves before and after Identity Theft occurs One such site I recommend is The Federal Trade Commission For The Consumer Some Steps To Take Today Before You Fall Victim 1 Place passwords on all of your credit card, bank, and phone accounts Avoid using easily available information like your mother's maiden name, your birth date, the last four digits of your SSN or your phone number, or a series of consecutive numbers When opening new accounts, you may find that many businesses still have a line on their applications for your mother's maiden name Ask if you can use a password instead 2 Secure personal information in your home, especially if you have roommates, employ outside help, or are having work done in your home 3 Ask about information security procedures in your workplace or at businesses, doctor's offices or other institutions that collect your personally identifying information Find out who has access to your personal information and verify that it is handled securely Ask about the disposal procedures for those records as well Find out if your information will be shared with anyone else If so, ask how your information can be kept confidential Don't think that identity theft can not happen to you, expect that it will so that it won't -- stay informed and stay educated so you do not become a statistic Article Source Articles Engine IMAGE IMAGE IMAGE IMAGE IMAGE http://www.secuobs.com/revue/news/548272.shtmlhttp://www.secuobs.com/revue/news/548272.shtml Secuobs.com : 2012-02-07 01:36:33 - Zen One - Image representing iPhone as depicted in Crunc Image via CrunchBase Within 53 hours I was able to get a stolen iPhone safely into police custody Here's a rough timeline of the steps I went took to get the phone back to the rightful owner Saturday, 2 4 2012 8 45 AM -- iPhone was lost ie, stolen Called stolen iPhone and it rang four times before going to voicemail, suggesting that it was powered on and had reception Used the Find iPhone app to locate the phone using the Apple ID credentials of the stolen iPhone, but it was unable locate the phone Using the Find iPhone app, sent lock code to stolen iPhone to ensure that it was locked and required an unlock code to access the phone Using the Find iPhone app, sent messages with sound to the stolen iPhone stating that the phone was lost and to call - - my Google Voice number No response Shortly thereafter the iPhone was powered down by the someone who had possession of the phone I had the owner of the stolen iPhone change passwords to accounts accessed by the iPhone eg, Gmail, Dropbox, etc Opted not to report the phone as stolen with AT T yet since I wanted to be able to continue tracking the phone Also opted not to remotely wipe the iPhone via the Find iPhone app for the same reason Sunday, 2 5 2012 10 00 AM -- the iPhone was powered on by someone and the location of the phone was identified Used both the Find iPhone and Find Friends iPhone apps by Apple to track the location of the phone Another option was logging into iCloud with the Apple ID and password associated with the stolen iPhone which I did Location of the phone tracked to a residential address Used Google maps and street view to look at the house Identified the owner of the house using PropertyShark Gathered information about the owner using Intelius Again, sent messages with sound to the stolen iPhone stating that the phone was lost and to call - - my Google Voice number No response The phone was powered down by the someone who had possession of the phone roughly five minutes after it was powered on Checked AT T for any unauthorized calls There were no unauthorized calls A police report was submitted online to the police department where the phone was stolen The police department where the phone was currently located different city than where the phone was stolen would not accept a report directly since the theft occurred in a different city Monday, 2 6 2012 10 46 AM -- the iPhone was powered on and left on Using both the Find iPhone and Find Friends apps, the GPS location of the stolen iPhone was the same address as the address that was identified on Sunday A police report was submitted online to the police department The location of theft was intentionally left vague, implying that the theft occurred in the city where the phone was currently being tracked to The police department was willing to accept the incident report Monday, 2 6 2012 1 04 PM -- Called the records and dispatch departments of the PD from the city where the stolen iPhone was currently located Gave the incident report tracking number to dispatch After a lengthy conversation, dispatch agreed to send an officer to the house and that the officer would call me back if I needed to cause the stolen iPhone to make a sound Monday, 2 6 2012 1 36 PM -- Received a call from the responding officer The police officer stated that he went to the residential address The officer stated that the owners of the house were at the residence The police officer gained possession of the phone The police officer asked me for the unlock code and some contact data that was on the phone to verify ownership The officer relayed the convoluted story that the individual who had stolen the iPhone told him We agreed to check the phone into the police department's chain-of-custody and the stolen iPhone will be picked up by the rightful owner soon Called the police department from where the phone was stolen, stated that the iPhone was retrieved by another police department, and the case was closed and that's a happy ending Apple has more information about locating a lost or stolen iPhone here Related articles NYPD meets FMI Cop nabs iPhone thief in NYC tuawcom Home invasion suspects caught with iPhone's help tuawcom Find my iPhone iPad2 in iCloud phobe2philewordpresscom IMAGE IMAGE IMAGE IMAGE IMAGE IMAGE http://www.secuobs.com/revue/news/356295.shtmlhttp://www.secuobs.com/revue/news/356295.shtml Secuobs.com : 2012-01-17 21:58:09 - Zen One - Today Facebook announced that it will share the data it has collected about the group of people behind the Koobface virus Facebook didn't provide any details about the Koobface gang However, in a separate blog post independent researchers Jan Drömer and Dirk Kollberg of SophosLabs did provide details of their analysis I found the SophosLabs article a very interesting read in that it details the painstakingly slow process investigators must endure to piece security incidents together and that given enough time and resources cybercrimes can be solved Up until now, Drömer and Kollberg's research has been a closely-guarded secret, known only to a select few in the computer security community and shared with various law enforcement agencies around the globe At the police's request we have kept the information confidential, but last week news began to leak onto the internet about Anton 'Krotreal' Korotchenko - meaning the cat was well and truly out of the bag -- Graham Cluley, Sophos analyst Link to Analysis http nakedsecuritysophoscom koobface Related articles Twitter worms ggl Web Gang Operating in the Open - New York Times nytimescom IMAGE IMAGE IMAGE IMAGE IMAGE IMAGE http://www.secuobs.com/revue/news/352554.shtmlhttp://www.secuobs.com/revue/news/352554.shtml Secuobs.com : 2011-12-20 00:53:53 - Zen One - WASHINGTON - JANUARY 08 The Department of Ho Image by Getty Images via daylife A couple of interesting items within the information security world I The Department of Homeland Security has released a new cybersecurity strategy document with a two-pronged approach 1 Protecting critical infrastructure today 2 Building a more secure cybersecurity ecosystem for the future Link to Blueprint for a Secure Cyber Future document PDF II California Attorney General Kamala D Harris has announced the creation of a new eCrime Unit to investigate and prosecute technology crime The primary mission of the eCrime Unit is to investigate and prosecute multi-jurisdictional criminal organizations, networks, and groups that perpetrate identity theft crimes, use an electronic device or network to facilitate a crime, or commit a crime targeting an electronic device, network or intellectual property READ MORE Related articles Blueprint for a Secure Cyber Future The Cybersecurity Strategy for the Homeland Security Enterprise bespacificcom DHS Releases Blueprint for Cybersecurity govsellingsolutionscom California targets cybercrime, identity theft sfgatecom State attorney general launches eCrime Unit sfgatecom California unveils new unit to fight cybercrime newscnetcom California Creates Special Unit to Fight Computer Crimes bitsblogsnytimescom California Forms Cyber Crime Unit informationweekcom IMAGE IMAGE IMAGE IMAGE IMAGE IMAGE http://www.secuobs.com/revue/news/348104.shtmlhttp://www.secuobs.com/revue/news/348104.shtml Secuobs.com : 2011-12-15 02:56:56 - Zen One - Interesting approach to computer security Image by formalfallacy Dublin Victor via Flickr During my commute to and from work I recently began listening to the audiobook, America the Vulnerable New Technology and the Next Threat to National Security by Joel Brenner, narrated by Lloyd James The audiobook was downloaded from Audiblecom I m currently half-way through the unabridged audio and am enjoying it The book is an eye-opening reminder of what many of us within the InfoSec industry are already aware of as we analyze security events on a daily basis American national security, our economy, physical and energy infrastructure, financial system and our own privacy are at risk and that if security isn't built into our systems, our systems won't be secure From what I ve listened to so far, Brenner does a good job of laying out the cyber-threat facing the United States I hope to finish the audiobook by the end of this week as I m interested in hearing what Brenner has to prescribe as a solution to the problem Though I have yet to finish the audiobook, I recommend it as a must read for anyone interested or with career in cybersecurity Related articles Normative Cyber Security bloginfoseccom America the Vulnerable csmonitorcom IMAGE IMAGE IMAGE IMAGE IMAGE IMAGE http://www.secuobs.com/revue/news/347271.shtmlhttp://www.secuobs.com/revue/news/347271.shtml Secuobs.com : 2011-12-13 02:47:55 - Zen One - CISSP Logo Image via Wikipedia I just posted a reader poll that's now viewable on the right-hand column of this blog I want to get opinions from those of you that have your CISSP certification There are two questions in the poll 1 If you are a CISSP, did your employer at the time encourage you to take the CISSP exam Yes No 2 If you are a CISSP, did your employer pay for you to take the CISSP exam, or did you Employer paid you paid The poll can also be accessed directly from here As for the value of a CISSP vs other certifications that's for yet another posting IMAGE IMAGE IMAGE IMAGE IMAGE IMAGE http://www.secuobs.com/revue/news/346769.shtmlhttp://www.secuobs.com/revue/news/346769.shtml Secuobs.com : 2011-12-12 09:34:51 - Zen One - Is the glass half empty or half full The pess Image via Wikipedia I recently came across a humorous, yet insightful, joke You may have heard it before It's the pony in the dung heap Last week I read it for the first time within, How Ronald Reagan Changed My Life , by Peter Robinson Here's an exert from the book containing the joke -----BEGIN EXERT------ Chapter One The Pony In the Dung Heap When Life Buries You, Dig Journal Entry, June 2002 Over lunch today I asked Ed Meese about one of Reagan's favorite jokes The pony joke Meese replied Sure I remember it If I heard him tell it once, I heard him tell it a thousand times The joke concerns twin boys of five or six Worried that the boys had developed extreme personalities -- one was a total pessimist, the other a total optimist -- their parents took them to a psychiatrist First the psychiatrist treated the pessimist Trying to brighten his outlook, the psychiatrist took him to a room piled to the ceiling with brand-new toys But instead of yelping with delight, the little boy burst into tears What's the matter the psychiatrist asked, baffled Don't you want to play with any of the toys Yes, the little boy bawled, but if I did I'd only break them Next the psychiatrist treated the optimist Trying to dampen his out look, the psychiatrist took him to a room piled to the ceiling with horse manure But instead of wrinkling his nose in disgust, the optimist emitted just the yelp of delight the psychiatrist had been hoping to hear from his brother, the pessimist Then he clambered to the top of the pile, dropped to his knees, and began gleefully digging out scoop after scoop with his bare hands What do you think you're doing the psychiatrist asked, just as baffled by the optimist as he had been by the pessimist With all this manure, the little boy replied, beaming, there must be a pony in here somewhere Reagan told the joke so often, Meese said, chuckling, that it got to be kind of a joke with the rest of us Whenever something would go wrong, somebody on the staff would be sure to say, There must be a pony in here somewhere' -----END EXERT------ It's a great joke to tell ourselves when we're feeling buried under heaps of work and life responsibilities as a reminder to persevere and make the best out of any given moment For me, it'll take a lifetime to fully grasp, and even then, I might not have made it an automatic process and I'll still see the glass half empty at times IMAGE IMAGE IMAGE IMAGE IMAGE IMAGE http://www.secuobs.com/revue/news/346595.shtmlhttp://www.secuobs.com/revue/news/346595.shtml Secuobs.com : 2011-12-09 15:28:57 - Zen One - Class 1 Explosives Image via Wikipedia Today's post concludes the series of five posts whereby I wanted to give you links to 25 security awareness courses and videos that are publicly available I strongly believe that security awareness training is an essential component to good security Throwing money and technology at the security problem might be worthwhile in the early stages of maturity of an originzatzion's information security program However, the problem with this approach is that there are diminishing returns more technology becomes less and less effective at improving security Something needs to improve beyond installing and patching technology on a daily basis, forever running around attempting to deal with security incidents and emerging threats and doing work simply for work's sake The human dimension is a critical part of this, and security awareness training helps sharpen this human component the HumanOS 1 Analytical Investigative Tools Multijurisdictional Counterdrug Task Force Training 2 What Every Law Enforcement Officer Should Know About DNA Evidence Investigators and Evidence Technicians DNA Initiative 3 Food Security Training US Food and Drug Administration 4 Explosives, Booby Traps and Bomb Threat Management Multijurisdictional Counterdrug Task Force Training 5 HAZMAT Transportation Security Awareness Training Dangerous Goods International Related articles Free Security Awareness Training - Part 1 of 5 zenoneorg Free Security Awareness Training - Part 2 of 5 zenoneorg Free Security Awareness Training - Part 3 of 5 zenoneorg Free Security Awareness Training - Part 4 of 5 zenoneorg IMAGE IMAGE IMAGE IMAGE IMAGE IMAGE http://www.secuobs.com/revue/news/346320.shtmlhttp://www.secuobs.com/revue/news/346320.shtml Secuobs.com : 2011-12-08 15:12:58 - Zen One - A US Coast Guardsman searches for survivors Image via Wikipedia This week I'm sharing with you links to 25 security awareness training sites The training links are being broken up into groups of five, published within five separate postings Today we reach the forth set of training links for an accumulative total of 20 The 2008 information security survey by Pricewaterhouse Coopers revealed that investment in security technologies had increased but the acute focus on technology over the last year has not been matched by an equally robust commitment to other critical drivers of security s value, such as 1 many of the critical business and security processes that support technology, and 2 the people who administer them Security awareness training helps address the second item The security discipline has so far been skewed toward technology - firewalls, ID management, intrusion detection - instead of a risk analysis and proactive intelligence gathering Security investment must shift from the technology-heavy, tactical operation it has been to date to an intelligence-centric, risk analysis and mitigation philosophy We have to start addressing the human element of information security, not just the technological one it i only then that companies will stop being punching bags - PricewaterhouseCoopers Below is the next set of security awareness training links 1 The History of Bio-Terrorism Center for Disease Control and Prevention 2 Detecting Bio-Terror Center for Public Health Preparedness 3 Radiological Terrorism Just in Time Training for Hospital Clinicians Center for Disease Control and Prevention 4 Nuclear Terrorism Pathways Prevention Center for Public Health Preparedness 5 Preparedness Community Response to Pandemics Center for Public Health Preparedness Related articles Free Security Awareness Training - Part 1 of 5 Zenoneorg Free Security Awareness Training - Part 2 of 5 Zenoneorg Free Security Awareness Training - Part 3 of 5 Zenoneorg IMAGE IMAGE IMAGE IMAGE IMAGE IMAGE http://www.secuobs.com/revue/news/346101.shtmlhttp://www.secuobs.com/revue/news/346101.shtml Secuobs.com : 2011-12-07 15:38:27 - Zen One - The flood in Pirna Image via Wikipedia This week I'm passing on to you links to 25 free security awareness training sites Why is security awareness training important Fundamentally, security is about people Having worked within the information security world for the past 15 years, it's become very clear that the best defense to internal and external threats is not technology by itself Rather, people need to have the mindset that helps them to automatically take actions that support security, not circumvent or undermine it Security awareness training helps raise awareness so as to begin making this a natural mindset that influences behavior No one wants security they want the benefits of security A homeowner does not want the finest deadbolt on the front door because of the excellence of its engineering they want a comfortable, happy place in which to live - Steve Hunt Below are the next five training links This now brings us to a total of 15 trainings out of the 25 I promised to give you by the end of this week 1 OPPSEC United States Marine Corps 2 Intelligence Analysis Web-based Training Anacapa Sciences 3 SAEDA 553G-NG0001-A Espionage Awareness United States Army 4 Are You Ready An In-depth Guide to Citizen Preparedness FEMA EMI Course IS-22 FEMA 5 Personal Preparedness Center for Public Health Preparedness Related articles Free Security Awareness Training - Part 1 of 5 Zenoneorg Free Security Awareness Training - Part 2 of 5 Zenoneorg IMAGE IMAGE IMAGE IMAGE IMAGE IMAGE http://www.secuobs.com/revue/news/345844.shtmlhttp://www.secuobs.com/revue/news/345844.shtml Secuobs.com : 2011-12-06 22:57:28 - Zen One - United States House Permanent Select Committee Image via Wikipedia The House Intelligence Committee held a closed-door markup of a bill HR 3523 with the intention to improve cybersecurity through enabling the federal government to share classified cyber threat information with businesses To quote two of the primary proponents There is an economic cyber war going on today against US companies There are two types of companies in this country, those who know they've been hacked, and those who don't know they've been hacked Economic predators, including nation-states, are blatantly stealing business secrets and innovation from private companies This cybersecurity bill goes a long way in helping American businesses better protect their networks and their intellectual property -- Chairman of The Permanent Select Committee on Intelligence, Congressman Mike Rogers R-MI We simply can't stand by if we have the ability to help American companies protect themselves Sharing information about cyber threats is a critical step to preventing them This bill is a good start toward helping the private sector safeguard its intellectual property and critical cyber networks, including those that power our electrical, water and banking systems The bill maintains vital protections for privacy and civil liberties without any new federal spending, regulations or unfunded mandates -- The committee's ranking member, Congressman Dutch Ruppersberger D-MD Related articles Article Homeland Security Today Text of the Bill Library of Congress Track status of the Bill GovTrackus Press Release, Repr Mike Rogers House of Representatives Press Release, Repr Dutch Ruppersberger House of Representatives IMAGE IMAGE IMAGE IMAGE IMAGE IMAGE http://www.secuobs.com/revue/news/345715.shtmlhttp://www.secuobs.com/revue/news/345715.shtml Secuobs.com : 2011-12-06 20:24:37 - Zen One - Poster produced in the US warning the public a Image via Wikipedia As a security profesional I believe it's essential that we maintain security awareness and an understanding of the threats we face Education often isn't cheap and the reality is that for many employers funding for training and education is very limited Fortunately, we're entering into the holiday season, which is a time of giving, and what I'm giving you are 25 security awareness courses and videos that are publicly available Okay - maybe not the most exciting gift, but it fits the budget I will publish a series of five posts and each post will have links to five training resources The security awareness courses may be completed online or on CD-ROM and are provided without cost to you This study program is designed to provide you with a broad security awareness There will be overlap in training that will help you to build depth of knowledge and to emphasize important areas I emphasize broad The material covers many of the domains within security, some of it IT Security, and some of the material may seem a bit Rambo'esque or even doom-and-gloom There are several separate agencies and organizations that are offering the courses Certificates of training can be printed following completion of the courses You can enroll in any individual course, or if you're more highly motivated, aim for completing all of them Personally, I believe that anyone who completes all of the courses will become a much more valuable security asset to their employer as well as their community Bring out the leftover turkey, stuffing and cranberry sauce it's time to cram in some free security awareness classes 1 Phishing Awareness -- http iasedisamil eta phishing Phishing launchPagehtm 2 Personally Identifiable Information PII -- http iasedisamil eta pii pii_module pii_module indexhtml 3 National Institute of Health Information Security Privacy Awareness Training -- http irtsectrainingnihgov 4 DoD Information Assurance Awareness -- http iasedisamil eta iaav10 indexhtm 5 Information Assurance Awareness -- http iasedisamil eta ia-awareness-shortsv2 INFOSEC_Shorts launchPagehtm IMAGE IMAGE IMAGE IMAGE IMAGE IMAGE http://www.secuobs.com/revue/news/345677.shtmlhttp://www.secuobs.com/revue/news/345677.shtml Secuobs.com : 2011-12-06 20:24:37 - Zen One - A graphic representation of the four phases in Image via Wikipedia This week my goal is to pass along to you links to 25 free security awareness trainings The trainings are being divided up into groups of five and published in a series of five separate postings The first set of training links was published yesterday As promised, below is the second set of five trainings 1 Anti-Terrorism Awareness Level-1 -- https atlevel1dticmil at 2 The Seven Signs of Terrorism -- http wwwyoutubecom watch v R8atNS7U5Qg 3 AWR-187 Terrorism and WMD Awareness in the Workplace -- http wwwruraltrainingorg training online awr-187-w 4 Kentucky Terrorism Response Preparedness -- http wwwkiprcukyedu flash2 indexhtml 5 Prevention and Deterrence of Terrorist Acts -- http wwwncbrtlsuedu elearn Related articles Free Security Awareness Training - Part 1 of 5 zenoneorg IMAGE IMAGE IMAGE IMAGE IMAGE IMAGE http://www.secuobs.com/revue/news/345676.shtmlhttp://www.secuobs.com/revue/news/345676.shtml Secuobs.com : 2011-11-29 19:52:36 - Zen One - English A candidate icon for Portal Computer Image via Wikipedia The FCC has launched a Small Biz Cyber Planner, an online resource to help small businesses create customized cybersecurity plans in conjunction with DHS, NCSA, NIST, The US Chamber of Commerce, The Chertoff Group, Symantec, Sophos, Visa, Microsoft, HP, McAfee, The Identity Theft Council, ADP and others The online tool is available at FCCgov cyberplanner The Small Biz Cyber Planner will be of particular value for businesses that lack the resources to hire a dedicated staff member to protect themselves from cyber-threats Even a business with one computer or one credit card terminal can benefit from this important guidance The tool will walk users through a series of questions to determine what cybersecurity strategies should be included in the planning guide Then a customized PDF is created that will serve as a cybersecurity strategy template for a small business This effort is part of an ongoing program to raise awareness about the cybersecurity risks to small businesses and to help these businesses become cyber-secure Earlier this year, the FCC and a coalition of public and private-sector partners developed a cybersecurity tip sheet, which includes tips to educate business owners about basic steps they can take immediately to protect their companies The tip sheet is available at FCCgov cyberforsmallbiz Related articles FCC Launches the Small Biz Cyber Planner bespacificcom Enhanced by Zemanta IMAGE IMAGE IMAGE IMAGE IMAGE IMAGE http://www.secuobs.com/revue/news/344400.shtmlhttp://www.secuobs.com/revue/news/344400.shtml Secuobs.com : 2011-11-25 15:55:14 - Zen One - Texting on a keyboard phoneImage via Wikipedia One of the issues I ve been struggling with over the past ten or so years is how to protect kids online The Internet offers a world of opportunities People of all ages share photos and videos, build online profiles, text each other and create alter egos in the form of online avatars These ways of socializing and communicating can be fulfilling, and yet, they come with risks Inappropriate Conduct The online world can convey a false sense of anonymity and kids sometimes forget that their online actions have real-world consequences Inappropriate Contact There are people out there that have bad intentions predators, bullies and scammers Inappropriate Content Kids can easily come across pornography, violence or hate speech online Some questions to ask yourself as an adult 1 Do you think your child knows more about the Internet and technology than you do 2 Do you think you know more about communicating respectfully off-line than your child does parents don t have to be tech-savvy to know a lot that s relevant to this topic 3 How much time do you think your kid spends online each day Each week That includes time on their phones 4 What are your kids favorite websites or online games 5 Do your kids have their own computers Do they have cell phones 6 Do you supervise what your kids do while online and offer guidance, or are they allowed free rein 7 What are your main concerns about online safety 8 Do you text Do you text with your children It s also a good idea to talk with your kids about online safety To kick things off, here are some questions you can ask your kids 1 How much time do you spend online 2 What do you like to do online 3 Do you sleep with your cell phone in reach 4 Do you post pictures online 5 Have you every posted or sent anything you later regretted 6 Have you or one of your friends ever received a text message that was hurtful or mean-spirited 7 Have you ever talked to your parents about something that bothered you online 8 Have you ever talked to another adult bout something that bothered you online Make your conversation interactive Ask your kids how they might have handled an incident that involved sharing too much information, cyberbullying, posting embarrassing photos or sexting For more information, the US Government has created OnGuardOnlinegov, a site that provides practical tips from the federal government and the technology community to help you guard against internet fraud, secure your computers and protect your privacy The project is managed by the Federal Trade Commission, the nation s consumer protection agency, and includes more than a dozen federal agencies Additional Resources OnGuardOnlinegov - Practical tips from the federal government and the technology community to help people be on guard against Internet fraud, secure their computers and protect their privacy FTCgov idtheft - The Federal Trade Commission's website has information to help people deter, detect and defend against identity theft StaySafeOnlineorg - The National Cyber Security Alliance seeks to create a culture of cyber security and safety awareness by providing knowledge and tools to prevent cyber crime and attacks CommonSenseMediaorg - Common Sense Media is dedicated to improving the lives of kids and families by providing trustworthy information, education and voice they need to thrive in a world of media and technology GetNetWiseorg - A project of the Internet Education Foundation, the GetNetWise coalition provides Internet users the resources to make informed decisions about their and their family's use of the Internet CyberBully411org - CyberBully411 is an effort to provide resources for youth who have questions about or have been targeted by online harassment ConnectSafelyorg - ConnectSafely is for parents, teens, educators and advocates for learning about safe, civil use of Web 20 together iKeepSafeorg - iKeepSafe educational resources teach children of all ages, in a fun, age-appropriate way, the basic rules of Internet safety, ethics and the healthy use of connected technologies NetFamilyNewsorg - A nonprofit news service for parents, educators, and policymakers who want to keep up on the latest technology news and commentary about online youth, in the form of a daily blog or weekly email newsletter NetSmartzorg - The NetSmartz Workshop is an interactive, educational safety resource from the National Center for Missing Exploited Children WiredSafetyorg - WiredSafety provides help, information and education to Internet and mobile device users of all ages Enhanced by Zemanta IMAGE IMAGE IMAGE IMAGE IMAGE IMAGE http://www.secuobs.com/revue/news/343828.shtmlhttp://www.secuobs.com/revue/news/343828.shtml Secuobs.com : 2011-11-25 09:07:23 - Zen One - IMAGE Image via Boomerang for Gmail I have happily been a Gmail and Google Apps account holder for several years A feature that I felt had been lacking was the ability to schedule emails to be sent at a later date I've searched for various solutions all of them disappointing until recently when I came across Boomerang for Gmail which does just that it lets you write an email now and schedule it to be sent automatically at a scheduled time There are both Google Chrome and Firefox plugins for Boomerang The plugin adds a Send Later button in Gmail It doesn t get much easier than that to schedule emails for sending at a later date If you're interested in using Boomerang for free, here's the link Boomerang for Gmail Enhanced by Zemanta IMAGE IMAGE IMAGE IMAGE IMAGE IMAGE http://www.secuobs.com/revue/news/343779.shtmlhttp://www.secuobs.com/revue/news/343779.shtml Secuobs.com : 2011-11-21 18:37:22 - Zen One - Clean drinking waternot self-evident for evImage via Wikipedia Last week a disclosure was made about a public water district SCADA system hack There have been several reports in the press concerning the attack on control system of the city water utility in Springfield, Illinois and the resulting burn-out of a pump Law enforcement is investigating Related articles Feds Investigating Water Utility Pump Failure As Possible Cyberattack yroslashdotorg Feds investigating Illinois 'pump failure' as possible cyber attack cnncom Hackers Attacked US Water Utility Destroy Pump wiredcom Enhanced by Zemanta IMAGE IMAGE IMAGE IMAGE IMAGE IMAGE http://www.secuobs.com/revue/news/341802.shtmlhttp://www.secuobs.com/revue/news/341802.shtml Secuobs.com : 2011-11-18 22:25:50 - Zen One - InfraGardImage via Wikipedia The FBI is seeking victims in a DNS Malware Investigation for the case of UNITED STATES v VLADIMIR TSASTSIN, ET AL Specifically, the FBI is seeking information from individuals, corporate entities and Internet Services Providers who believe that they have been victimized by malicious software related to the defendants As you know form the news blurbs that I've been sending out, this malware modifies a computer s Domain Name Service settings, and thereby directs the computers to receive potentially improper results from rogue DNS servers hosted by the defendants On your own systems, and the systems you manage, I recommend you check the DNS settings and register as a victim of the DNSChanger malware if the DNS entries have been modified to point to he defendants' DNS servers Complaints can be filed here https formsfbigov dnsmalware For more information, including steps on how to check your DNS settings, go to http wwwfbigov news stories 2011 november malware_110911 DNS-changer-malwarepdf Related articles FBI's Operation Ghost Click takes out operators of DNS Changer malware network nakedsecuritysophoscom Operation Ghost Click DNSChanger Malware Ring Dismantled garwarnerblogspotcom FBI's Operation Ghost Click Busts Operators of DNSChanger Malware techie-buzzcom Enhanced by Zemanta IMAGE IMAGE IMAGE IMAGE IMAGE IMAGE http://www.secuobs.com/revue/news/341514.shtmlhttp://www.secuobs.com/revue/news/341514.shtml Secuobs.com : 2011-11-16 23:07:27 - Zen One - The Pentagon, looking northeast with the PotomImage via Wikipedia The Pentagon published their most explicit cyberwarfare policy to date The report states that, if directed by the president, the DoD will launch offensive cyber operations in response to hostile acts Hostile acts may include significant cyber attacks directed against the US economy, government or military, Here's a link to the report http wwwdefensegov home features 2011 0411_cyberstrategy docs NDAApourcents20Sectionpourcents20934pourcents20Report_Forpourcents20webpagepdf Enhanced by Zemanta IMAGE IMAGE IMAGE IMAGE IMAGE IMAGE http://www.secuobs.com/revue/news/341095.shtmlhttp://www.secuobs.com/revue/news/341095.shtml Secuobs.com : 2009-07-11 23:03:45 - Zen One - While working on a forensic investigation that involved a Blackberry 8310 I ran into an issue that just didn't settle right with me I wanted to ensure that, beyond a reasonable doubt, the EXIF time stamp embedded within a photo taken by the Blackberry device was written accurately by the device Before signing off on the validity of the EXIF time stamp, something just didn't seem right After digging around and doing countless tests, I was surprised that I was able to consistently recreate a failure whereby the incorrect time stamp was written to the original date time EXIF field Here are additional details DEVICE Blackberry Curve 8310 smartphone EDGE VERSIONS v45055 Platform 27068 v450110 Platform 27090 PROVIDER AT T DATE TIME SOURCES Blackberry Network ADDITIONAL ENABLED SETTINGS WORTH NOTING PASSWORD options security options general settings password BACKLIGHT TIMEOUT value of 30 seconds options screen keyboard backlight timeout SECURITY TIMEOUT value of 1 minute options security options general settings security timeout OBSERVED BEHAVIOR The EXIF original date time embedded within a photo taken by the Blackberry 8310 had the incorrect time stamp Consistently and repeatedly I was able to have the Blackberry device write the incorrect time stamp to the EXIF field The EXIF original date time was inconsistent with the actual date time that the photo was taken in addition to the Last Modified time displayed by the Blackberry device SCENARIO REPRODUCING THE PROBLEM 1 I take a photo with the Blackberry at 0600 on 1 22 2009 The image name is IMG00001 Using the Blackberry and looking at the properties of photo IMG00001 I see the correct Last Modified date and time of Jan 22, 2009 6 00AM Emailing the photo to my email address I then view the EXIF data of the photo on a separate forensics system and see the correct original date time of 2009 01 22 06 00 00 2 An hour passes I delete IMG00001 from the Blackberry and then take a photo at 0700 on 1 22 2009 The image name is IMG00002 Using the Blackberry and looking at the properties of photo IMG00002 I see the correct Last Modified date and time of Jan 22, 2009 7 00AM Again, I email myself the photo and view the EXIF data of the photo on a separate forensics system However, this time I see the incorrect original date time The EXIF field shows 2009 01 22 07 02 00 3 update 1 23 2009 I can also reproduce this EXIF incorrect time stamp issue without deleting photos This issue presents itself only with the first photo taken after the phone has automatically locked, requiring a password to unlock before the said photo with the incorrect EXIF time stamp can be taken by the device Subsequent photos taken before the security timeout locks the device have the correct EXIF time stamps IMPLICATIONS An assumption is made that the Blackberry device is writing the correct date time within the EXIF data when a photo is taken with the device EXIF data within photos could potentially be used as evidence to support what an individuals recorded statement eg, whereabouts at a given time From my tests there s reasonable doubt that the EXIF time stamp of a photo taken by a Blackberry 8310 device and perhaps others may be incorrect Therefore, EXIF time stamps from photos used as evidence becomes highly questionable and ultimately, and likely, could be rendered irrelevant ADDITIONAL NOTES QUESTIONS Blackberry and RIM have been contacted to investigate and confirm the issue I was able to reproduce this issue on a single Blackberry Curve 8310 which was initially running v45055 Platform 27068 I was also able to reproduce the failure after upgrading the same Blackberry Curve 8310 to v450110 Platform 27090 I viewed the EXIF data on a Mac using both EXIF Viewer and Preview I viewed the EXIF data on a Windows XP system using InfranView with the EXIF plugin installed Can others reproduce the same issue on 8310 s running similar and or different firmwares Can others reproduce the same issue on non 8310 Blackberry devices update 1 23 2009 Could this be a residual artifact of the security lockout feature will need to test after disabling the security timeout Blackberry8310_300x343shkljpg Steve IMAGE IMAGE IMAGE IMAGE IMAGE IMAGE IMAGE http://www.secuobs.com/revue/news/119554.shtmlhttp://www.secuobs.com/revue/news/119554.shtml Secuobs.com : 2009-06-01 02:29:56 - Zen One - On Friday May 29, 2009 President Obama announced the nation’s planto defend against attacks on the nation's computer networks; a“strategic national asset” This plan includes appointing aCyber-Security Chief, whom he has not yet chosen, in the White HouseObama will sign a classified order within the coming weeks that willcreate the military cybercommandHe stated that cyber-criminals have cost US citizens over $8 billionworth of stolen data and that the figure worldwide was up to $1trillionThe announcement came with the release of the Cyberspace SecurityReview, a 76 page document that had 60-days to be completed from thedate of the initial request The Cyberspace Security Review explainshow the US intends to secure its critical network infrastructure Itwas stated that the review was necessary because, “America's failureto protect cyberspace is one of the most urgent national securityproblems facing the new administration”, and that, “our digitalinfrastructure has already suffered intrusions that have allowedcriminals to steal hundreds of millions of dollars and nation-statesand other entities to steal intellectual property and sensitivemilitary information”The Cyberspace Security Review made the following 10 recommendationsfor near-term action:1 Appoint a cybersecurity policy official responsible forcoordinating the Nation’s cybersecurity policies and activities;establish a strong NSC directorate, under the direction of thecybersecurity policy official dual-hatted to the NSC and the NEC,to coordinate interagency development of cybersecurity-relatedstrategy and policy2 Prepare for the President’s approval an updated national strategyto secure the information and communications infrastructure Thisstrategy should include continued evaluation of CNCI activitiesand, where appropriate, build on its successes3 Designate cybersecurity as one of the President’s key managementpriorities and establish performance metrics4 Designate a privacy and civil liberties official to the NSCcybersecurity directorate5 Convene appropriate interagency mechanisms to conductinteragency-cleared legal analyses of prioritycybersecurity-related issues identified during thepolicy-development process and formulate coherent unified policyguidance that clarifies roles, responsibilities, and theapplication of agency authorities for cybersecurity-relatedactivities across the Federal government6 Initiate a national public awareness and education campaign topromote cybersecurity7 Develop US Government positions for an internationalcybersecurity policy framework and strengthen our internationalpartnerships to create initiatives that address the full range ofactivities, policies, and opportunities associated withcybersecurity8 Prepare a cybersecurity incident response plan; initiate a dialogto enhance public-private partnerships with an eye towardstreamlining, aligning, and providing resources to optimize theircontribution and engagement9 In collaboration with other EOP entities, develop a framework forresearch and development strategies that focus on game-changingtechnologies that have the potential to enhance the security,reliability, resilience, and trustworthiness of digitalinfrastructure; provide the research community access to eventdata to facilitate developing tools, testing theories, andidentifying workable solutions10 Build a cybersecurity-based identity management vision andstrategy that addresses privacy and civil liberties interests,leveraging privacy-enhancing technologies for the NationWhat is promising about the Review is that there's repeated focus onoutcomes as opposed to the inputs Too often forward progress ishindered by the inefficient efforts of trying to define process beforegoals and objectives are clearly defined and understood Rather, theReview consistently attempts to make it clear what the strategicoutcomes are, and from those objectives, the development of processwill be guidedThe Review also states, “Other structures will be needed to helpensure that civil liberties and privacy rights are protected” Theinclusion to help protect our privacy and civil liberties is anindication of the balanced intention of the planMoney will also be set aside for research and development of securitytechnologies, from which there will be significant opportunityWhat I'm not certain about is the overall effectiveness theCyber-Security Chief will have Specifically, the position will nothave direct access to the president As a result, this position maynot be high-level enough to prevent the almost certain bureaucraticnonsense, internal bickering and games that could wastemillions/billions of dollarsThough the Review solely focusses on defensive measures, I'm alsocurious what efforts are underway, if any, towards the development andpotential use of cyberweaponsOverall, the document doesn't suggest that there will be any majorchanges that will affect the private sector within the near term TheReview recommends specific changes to the direction of future USpolicies Within the mid-term I imagine that lawmakers will developregulations that will require the sharing of security incident datafrom the private sector with the government, presumably tempered withthe commitment to ensure civil liberties I anticipate that we willalso see more emphasis put towards penetration testing and incidentresponseSteve###IMAGEIMAGE IMAGE IMAGE IMAGE IMAGEIMAGEhttp://www.secuobs.com/revue/news/104295.shtmlhttp://www.secuobs.com/revue/news/104295.shtml Secuobs.com : 2009-05-28 21:34:38 - Zen One - Maintaining a healthy balance between work and our personal livesrequires ongoing attention and dedication Think back over the pastweek, or month, and you'll see that there were probably days wherethings seemed to have been in perfect harmony, and then there werealso days where it felt as if everything was happening a bitchaotically and out of control We then end up labeling theseexperiences as either good or badThis week's Sunday Post is a quote from Alan Weiss, author of "GettingStarted in Consulting" The quote below continues to remind me aboutmy goal of fulfilling my ambitions and dreams, and that the path tothe realization of this goal requires balanceand awarenessPhoto: Steve Zenone, Creative Commons License"As you become more successful, you'll have the opportunity totransfer some of the intensity, passion, focus, time, andperseverance that you've invested in your business -- andnecessarily so, to launch and sustain it successfully -- to yourprivate interests, family, community, and friends Ironically,that transfer to a greater balance of life and work will actuallyaccelerate your business growth still more"-- Alan Weiss, PhD: "Getting Started in Consulting", page 4IMAGEIMAGE IMAGE IMAGE IMAGE IMAGEIMAGEhttp://www.secuobs.com/revue/news/102839.shtmlhttp://www.secuobs.com/revue/news/102839.shtml Secuobs.com : 2009-05-28 21:34:38 - Zen One - Recently I learned about the entertaining subculture of manualism Ithappened by complete chance, I swear You believe me, don't youWhile searching YouTube for "Cantina Band", there was a video that Icouldn't resist watching Without skipping a beat I moved my mouseover the video and clicked play As I began watching the video of amanualist playing the Star Wars “Cantina Band” song with his hands,distant memories from my past started to emerge It had nothing to dowith rice and beans PleaseAs I was saying, we were just about to take a stroll down memorylanedream sequenceI remembered my sophomore year in high school; I was sitting in mydesk during Spanish class I should have been conjugating verbs, butinstead I was attempting to squeeze air through my hands whilepressing them together, firmly Minutes passed and I kept trying tomake sound with my hands Suddenly, and quite unexpectedly, there wasa hush in class, and it was during that silence that my hands made“the sound” If I recall correctly, the moment my hands made the soundof bodily relief, my face grew bright red I had no idea if myclassmates thought I had uncontrolled flatulence or if my hands madethe sound/dream sequenceFast forward twenty years, and there I was watching a guy play “TheCantina Band” using his hands I wondered how much the musician musthave practiced to be able to play the song as well as he didInterestingly, according to Wikipedia, “Some manualists practice foras much as 30 years before finally reaching a presentable level ofproficiency” Apparently the first individual that was documented tohave made musical parody with his hands was Cecil Dill He claims tohave learned how to play “Yankee Doodle” using his hands back in 1914Now, isn't that a gasVideo of manualist playing "The Cantina Band" linkVideo of Cecil Dill and his Musical Hands linkWikipedia article on Manualism linkUPDATE 6/13/2008: My piece aired this afternoon If you missed it,you can download the two minute segment here link to mp3IMAGEIMAGE IMAGE IMAGE IMAGE IMAGEIMAGEhttp://www.secuobs.com/revue/news/102838.shtmlhttp://www.secuobs.com/revue/news/102838.shtml Secuobs.com : 2009-05-28 21:34:38 - Zen One - I've recently upgraded several of my systems to Ubuntu 804 HardyHeron While poking around, figuring out what has changed since 710Gutsy Gibbon, I came across the 'ufw' command, which is an acronymfor Uncomplicated FirewallPersonally, on my linux systems I've preferred working with iptablesdirectly Several years ago I started using 'fwbuilder' to manage myiptables Nonetheless, I'm still interested in playing around with ufwto see what value it hasHere's an ifw example using OpenBSD's PF syntax:* Let's assume I want to allow all ssh traffic 22/tcp from the101010/24 subnet to my host at IP 1010210:sudo ufw allow from 101010/24 to 1010210 port 22* Is there a single host that's bothering you and you want to blockitsudo ufw deny from {IP address}If you're interested in testing ufw, the Ubuntu Unleashed Blog linkhas a useful guide on using the tool Of course, you can always usethe man pages as well `man ufw` IMAGEIMAGE IMAGE IMAGEIMAGE IMAGEIMAGEhttp://www.secuobs.com/revue/news/102837.shtmlhttp://www.secuobs.com/revue/news/102837.shtml Secuobs.com : 2009-05-28 21:34:38 - Zen One - I won't go into all the details since majority of the security mailinglists and blogs are covering the issue -- however, I'm blogging thisas a reminder The recent Debian/Ubuntu OpenSSL random numbergenerator vulnerability is very serious, especially if you hadgenerated any keys on Debian or Ubuntu systems running vulnerableversions of OpenSSL eg, ssh keys, OpenVPN keys, etcThere's an excellent detailed summary regarding this issue on HDMoore's web site hosted on Metasploit link below To quote from thewebsite:"All SSL and SSH keys generated on Debian-based systems Ubuntu,Kubuntu, etc between September 2006 and May 13th, 2008 may beaffected In the case of SSL keys, all generated certificates willbe need to recreated and sent off to the Certificate Authority tosign Any Certificate Authority keys generated on a Debian-basedsystem will need be regenerated and revoked All systemadministrators that allow users to access their servers with SSHand public key authentication need to audit those keys to see ifany of them were created on a vulnerabile system Any tools thatrelied on OpenSSL's PRNG to secure the data they transferred maybe vulnerable to an offline attack Any SSH server that uses ahost key generated by a flawed system is subject to trafficdecryption and a man-in-the-middle attack would be invisible tothe users This flaw is ugly because even systems that do not usethe Debian software need to be audited in case any key is beingused that was created on a Debian system"Per the standard recommendation, patch all vulnerable systems as soonas possible In addition you will need to generate any keys that werecreated previously using vulnerable versions of OpenSSLHD Moore's Website linkOfficial CERT Advisory link IMAGEIMAGE IMAGE IMAGE IMAGEIMAGEIMAGEhttp://www.secuobs.com/revue/news/102836.shtmlhttp://www.secuobs.com/revue/news/102836.shtml Secuobs.com : 2009-05-28 21:34:38 - Zen One - As those of you in the IT Security world know, last week there was aserious vulnerability in Debian's/Ubuntu's OpenSSL random numbergenerator linkThe vulnerability in OpenSSL was announced by the Debian Project onThursday, May 13th, 2008 link That same day updated OpenSSLpackages were released for Debian, Ubuntu and Debian-baseddistributions eg, link Shortly thereafter code was being postedto Full Disclosure and other lists to exploit this vulnerability onunpatched systemsI was very surprised by people's reaction regarding thisvulnerability In particular, there was a noticeable amount of OSbashing; discrediting the affected operating systems That irony isthat majority of this negative publicity came from from other *NIXcentric individuals who simply stood back while proudly saying, "look,my superior OS wasn't affected" It's funny that the elitist OS warsof past still continue continue today It's also entertaining - butthat's besides the point Unfortunately, this type of negativepublicity doesn't contribute to building and strengthening thecommunities that are working so hard to build incredible flavors oftheir OS of choice In one way or another, some requiring morecreativity than others, the family of *NIX operating systems share acommon ancestry see UNIX family tree image belowClick on above image to enlarge image: ZwahlenDesignFor a more complete timeline, see Eric Levenez's UNIX History linkI can imagine Rodney King, while waiving a black flag with a the Linuxpenguin mascot, now saying, "People, I just want to say, you know, canwe all get along Can we get along"I agree, it's too bad that the code that made the latest OpenSSLvulnerability a reality existed It also highlights the blind trustpeople generally place into the operating systems that they useHowever, what I also clearly see is how the community quickly workedtogether and released fixes prior to exploit code being widelydisseminated Now, that's awesome There was no Patch Tuesday to waitfor Rather, the fixes were created, tested, and distributed as soonas possibleWithout a doubt I'm very glad to have moved my desktop OS of choice toUbuntu two years ago Sure, I'd be happy with SUSE, Fedora, RedHat,FreeBSD, OpenBSD I've used them all However, for reasons that workfor me I've settled on Ubuntu for now IMAGEIMAGE IMAGEIMAGE IMAGE IMAGEIMAGEhttp://www.secuobs.com/revue/news/102835.shtmlhttp://www.secuobs.com/revue/news/102835.shtml Secuobs.com : 2009-05-28 21:34:38 - Zen One - Where does one begin saying "Thank You" to all those who have giveneverything so that we may have our freedomPhoto: Steve Zenone Golden Gate National Cemetery"That from these honored dead we take increased devotion to thatcause for which they gave the last full measure of devotion that we here highly resolve that these dead shall not have died invain"-- Abraham Lincoln, spoken at Gettysburg in 1863Walking through the cemetery, contemplating, I was in awe Eachtombstone not only represents a single serviceman/servicewomanRather, every tombstone also represents the family and friends whoselives were interwoven so intimatelyin addition to the lives thefamily and friends touched Clearly, we're all affected and connectedIMAGEIMAGE IMAGE IMAGE IMAGE IMAGEIMAGEhttp://www.secuobs.com/revue/news/102834.shtmlhttp://www.secuobs.com/revue/news/102834.shtml Secuobs.com : 2009-05-28 21:34:38 - Zen One - I recently learned that all Approved Scanning Vendors ASVs arerequired to use version 2 of the Common Vulnerability Scoring SystemCVSS Starting July 1, 2008, version 2 will be the new industrystandard and all scans will be scored using this systemMany of the ASVs that I have experience with continue to fail scansbased upon false positives Although PCI DSS requirement 1131necessitates a network-layer penetration test to be performed at leastonce a year and after any significant infrastructure upgrade ormodification, the automated quarterly vulnerability scans will stillshow a compliance failure even if the flagged vulnerability is a falsepositiveIt'll be interesting to see how many merchants will move fromcompliance status of compliant to non-compliant after July 1IMAGEIMAGE IMAGE IMAGE IMAGE IMAGEIMAGEhttp://www.secuobs.com/revue/news/102833.shtmlhttp://www.secuobs.com/revue/news/102833.shtml Secuobs.com : 2009-05-28 21:34:38 - Zen One - Several weeks back, on May 12, I posted a blog entry about Manualism;the art of making music with one's hands as the instrument I'veedited the piece down to half its original size and then edited itsome more This past Sunday I went down to the radio station to recordthe piece and had the producers do their magic It will air on KUSPthis Friday 6/13 at 7:33am and 5:33pm in the First Person SingularsegmentUPDATE #1 6/13/2008: I believe my piece on KUSP is being delayed aweek I listened to the station this morning and someone else's FirstPerson Singular was airedand I would imagine the same piece will beaired this afternoon I will update this post once I learn of the newair dateUPDATE #2 6/13/2008: I received confirmation from the radio stationthat the piece will air this afternoon at 5:33pmUPDATE #3 6/13/2008: My piece aired this afternoon If you missedit, you can download the two minute segment here link to mp3IMAGEIMAGE IMAGE IMAGE IMAGE IMAGEIMAGEhttp://www.secuobs.com/revue/news/102832.shtmlhttp://www.secuobs.com/revue/news/102832.shtml Secuobs.com : 2009-05-28 21:34:38 - Zen One - I came across an article in USA Today titled, Some employees buy ownlaptops, phones for work The article reports that more and moreprofessionals are buying their own electronic equipment to get theirwork done This includes equipment like cell phones and even laptopsNearly 40% of professionals recently surveyed by researcherIn-Stat paid for a laptop that they regularly carried Cellphoneusers often picked up their bill And company-provided personaldigital assistants PDAs, cameras and Global Positioning SystemsGPS are relatively rare, says the survey, released MondayAs many organizations start to withdraw spending on materials andequipment, professionals are having to take matters into their ownhands and purchase their own equipment This reminds me of researchdone by Buckingham and Coffman Their research paper summarized thetwelve key factors in retaining star employees there's a connectionhere - question #2 relates to employees having to purchase their ownequipmentIn a nutshell, if employees can answer the below questions in theaffirmative, then the work environment is probably very strong andproductive:1 Do I know what is expected of me at work2 Do I have the materials and equipment I need to do my work right3 At work, do I have the opportunity to do what I do best everyday4 In the last seven days, have I received recognition or praise forgood work5 Does my supervisor, or someone at work, seem to care about me asa person6 Is there someone at work who encourages my development7 At work, do my opinions seem to count8 Does the mission/purpose of my company make me feel like my workis important9 Are my co-workers committed to doing quality work10 Do I have a best friend at work11 In the last six months, have I talked with someone about myprogress12 At work, have I had the opportunities to learn and growAs a manager, the above points are worth reflecting uponUSA Today Article link### IMAGEIMAGE IMAGE IMAGE IMAGE IMAGEIMAGEhttp://www.secuobs.com/revue/news/102831.shtmlhttp://www.secuobs.com/revue/news/102831.shtml Secuobs.com : 2009-05-28 21:34:38 - Zen One - Steve Zenone looking at Tondelayo - girls were always coolApparently,geek is becoming sexy We've all known that geek was chic pronouncedsheek for those who think I'm saying chickbut sexy, that's justhot I think I've been waiting for this since the late seventies:"The Nerd Girls may not look like your stereotypicalpocket-protector-loving misfits—their adviser, Karen Panetta, hasa thing for pink heels-but they're part of a growing breed ofyoung women who are claiming the nerd label for themselves Indoing so, they're challenging the notion of what a geek shouldlook like, either by intentionally sexing up their tech personas,or by simply finding no disconnect between their geeky pursuitsand more traditionally girly interests such as fashion, makeup andhigh heels"Newsweek, "Revenge of the Nerdette", 6/9/2008As I sit here I get mini flashbacks of typing away on my TRS-80 inelementary school, writing my first snippets of code in BASIC, knowingthat in the eyes of the masses I wasn't being cool Then, in juniorhigh, I graduated to the the Apple II, on which platform I launched myfirst BBS Soon after I added multiple phone lines and had sistersystems throughout the US Ahh, the good 'ol days of the lawless wildwest, shortly before William Gibson coined the term cyber in his 1982book, Burning ChromeNewsweek Article link-Steve Zenone### IMAGEIMAGE IMAGE IMAGE IMAGE IMAGEIMAGEhttp://www.secuobs.com/revue/news/102830.shtmlhttp://www.secuobs.com/revue/news/102830.shtml Secuobs.com : 2009-05-28 21:34:38 - Zen One - The good folks from Google have released a freely availableopen-source web application security assessment tool called RatProxyThe tool, which is still in beta, is designed to identify securityvulnerabilities within web based applicationsQuoting from the RatProxy project documentation page:"Ratproxy is a semi-automated, largely passive web applicationsecurity audit tool It is meant to complement active crawlers andmanual proxies more commonly used for this task, and is optimizedspecifically for an accurate and sensitive detection, andautomatic annotation, of potential problems and security-relevantdesign patterns based on the observation of existing,user-initiated traffic in complex web 20 environments"Earlier this afternoon I downloaded the source code and compiled it torun on Ubuntu 804 After posting this blog entry I'll beginexperimenting with RatProxyRatProxy Documentation Page linkSteve Zenone### IMAGEIMAGE IMAGE IMAGE IMAGE IMAGEIMAGEhttp://www.secuobs.com/revue/news/102829.shtmlhttp://www.secuobs.com/revue/news/102829.shtml Secuobs.com : 2009-05-28 21:34:38 - Zen One - I recently had a colleague ask me about the inherent risks in usingInstant Messaging IM for business Certainly, IM is an extremelyeffective way to communicate with team members and customers who maynot be in close physical proximity However, if used incorrectly,negative impact to the business can be massiveThere's consumer grade and business grade IM solutions Services suchas Yahoo IM are considered consumer grade All text based IMs caneither be routed through a core set of central servers and then on tothe recipient, or through peer-to-peer connections When you combineconsumer grade IM services with traffic flowing in the clear ie,unencrypted through central servers outside of the organization'scontrol, you end up with a significantly elevated set of risks Arethese risks worth acceptingHere are some of the more obvious risks that I see with using consumergrade IM for business:* Vulnerable Clients -- advisories for vulnerabilities in chatclients are announced fairly often Many of these vulnerabilitiesallow for the remote execution of code on the vulnerable clientsystem* Traffic can be viewed "sniffed" -- by default, consumer grade IMclients send all of their traffic in the clear There are pluginsto provide encryption for some clients, however, all partiesinvolved in the chat will need the crypto plugin enabled andconfigured correctly* Data theft -- a nefarious employee could potentially movecritical/restricted data to a location offsite* Identity Theft -- The mechanism for consumer grade IM userauthentication is weak Grab the weak authentication traffic andan attacker now has valid login credentials The stolencredentials can then be used to impersonate the victim and be usedas a launch pad to further identify theft* Provides IP info to attackers -- if an employee decides to go toan external chatroom with their IM client, their IP is now knownto anyone else in the chatroom who may be interestedincluding apotential attacker With the IP the attacker can focus theirattack to a specific system* Privacyor lack thereof -- see all points above* Social Engineering -- more likely to happen if an employee engagesin conversations in non-business specific chatroomsAnother risk is in employees using IM for business on their homecomputers Imagine, for just a moment, that an employee commits acrime against the business from their home and used IM to enable themto commit the crime Your business won't have the authority or rightto confiscate their home computer for investigation - your hands aretied behind your back I'm sure you can start seeing where the dangersand risks start to go upAdditionally, many chat clients will log all conversations to diskWhat if confidential or restricted data is logged and stored on anindividuals home computer Other family members, or friends, may haveaccess to that system, or perhaps the home computer is alreadycompromised and under someone else's control think botnet Now theattacker can pull the chat logs and have unauthorized access toconfidential or restricted data The impact could be titanic to thebusiness Of course, confidential or restricted data should never besent over IM in the first placeIn addition to having policies, procedures, and perhaps evenguidelines on the proper use of IM for business, I believe the returnon investment by providing an internal and redundant IM service toenable business is compelling and certainly worth consideringstrategicallySteve Zenone### IMAGEIMAGE IMAGE IMAGE IMAGE IMAGEIMAGEhttp://www.secuobs.com/revue/news/102828.shtmlhttp://www.secuobs.com/revue/news/102828.shtml Secuobs.com : 2009-05-28 21:34:38 - Zen One - While on a quick trail run before work this morning, I was thinkingabout yesterday's announcement of a serious vulnerability in the DNSprotocol For those that don't know, yesterday Dan Kaminsky announcedthat there's a fundamental flaw in the DNS protocol Shortlythereafter the United States Computer Emergency Readiness Team US-CERTissued a security advisory titled, "Multiple DNS implementationsvulnerable to cache poisoning"Since we're talking about a fundamental flaw within the DNS protocolitself, many implementations of DNS are considered to be vulnerableDNS, in a nutshell, is what translates human readable and memorizablenames, such as wwwblackhatcom, to IP addresses that can get routedthrough the Net, such as 6624020690BlackHat has made available a recording of the press conference atwhich Karminsky made the public announcement Karminsky has also madeavailable an online tool to check whether or not the primary DNSserver you're using is vulnerable A recent post on NANOG has a linkto a perl script that allows one to run Karminsky's DNS checkeragainst any nameserverI've heard a few individuals state that this latest vulnerabilityisn't critical in nature We do know that Karminsky will be releasingfull details of the vulnerability at next month's BlackHat in LasVegas It is also possible that exploit code could emerge prior sinceKarminsky did narrow down the area in which the DNS design flawexists Though Karminsky has stated, "This is not enough informationto reverse engineer the flaw," I believe it's an extremely riskyassumption for businesses to base delaying the patching of theirvulnerable name servers uponLooking at a risk matrix, I see the this DNS vulnerability as a highrisk:Likelihood of exploitation: LOW/MEDIUM within 30 daysImpact of exploitation: HIGH-----------------Risk Rating: HIGHOne individual I know had stated, "In terms of DNS, the world isn'tany more dangerous today than it was yesterday" However, we're notjust dealing with randomization of source ports which had been knownpublicly for several years back in 2005 We're also dealing with theweak entropy in the DNS transfer id DNS XID I believe that therisk, or danger, has increasedIn some uncomfortable way, this latest issue with DNS reminds me ofthe levees in New Orleans that were known to have severevulnerabilities Eventually the threat heavy rain exploited brokethe vulnerability failing levees resulting in negative impactflooding, financial loss and loss of life Ignoring thevulnerability with the levees didn't remove the risk or make thingsany "safer"I'm interested to see what Karminsky produces at the upcomingBlackHatSteve Zenone###UPDATE - 7/10/2008: Yet another option to test your nameserver is touse the dig hack from Duane Wessels; from a unix shell type 'dig+short @nameserver-to-be-tested porttestdns-oarcnet TXT'A vulnerable nameserver will display the following output:zyxwvutsrqponmlkjihgfedcbaptdns-oarcnet"nameserver-you-tested is POOR: 22 queries in 06 seconds from 1 portswith std dev 000"In turn, a better maintained nameserver will return the following:zyxwvutsrqponmlkjihgfedcbaptdns-oarcnet"nameserver-you-tested is GOOD: 22 queries in 06 seconds from 1 portswith std dev 000"IMAGEIMAGE IMAGE IMAGE IMAGE IMAGEIMAGEhttp://www.secuobs.com/revue/news/102827.shtmlhttp://www.secuobs.com/revue/news/102827.shtml Secuobs.com : 2009-05-28 21:34:38 - Zen One - Aaron, of the Dumb Little Man blog, just posted a helpful reminderthat includes eight tips we all should intuitively know in order tokeep meetings focussed and useful I think we've all experienced"those" types of work meetings; whereby hours pass and very littleprogress, if any, has been made The result is wasted time, wastedmoney, and often frustration and confusionAaron writes:The phenomenon of chronic, pointless meetings is also known as theDilbert Meeting in some circles Dilbert Meetings happen everyday, wasting people's time and patienceMeetings can be quite productive, but most organizers simply don’ttake the steps to guarantee that a meeting will be usefulAaron then lists and expands upon the following eight points:* Have a clear agenda* Make sure that only attendees are people who need to be present* Establish objectives for the meeting* Have the attendees prepare in advance if necessary* Keep it short* Record key points and decisions* Create action items and assign them* Report progress and follow-upI believe it's important for all of us who propose meetings toincorporate the above points into how we organize and run ourmeetings The result will be better for the business, and better forthe development and morale of those attendingSteve Zenone### IMAGEIMAGE IMAGE IMAGE IMAGE IMAGEIMAGEhttp://www.secuobs.com/revue/news/102826.shtmlhttp://www.secuobs.com/revue/news/102826.shtml Secuobs.com : 2009-05-28 21:34:38 - Zen One - The Blackhat Trainings just wrapped up and now everybody here isgetting ready for the Blackhat BriefingsAfter today's training I picked up my official annual Blackhat swagbag While picking up my bag there were slews of people wanderingaround the Caesar's Palace Convention Center for the briefings Thenumber of people seems to have doubled since the trainings, which istypicalLast week I had looked online at the list of presentations and hadwritten down what I wanted to attend This afternoon I reviewed mylist against what was shown within the printed brochure Assumingthere's room, my plan is to attend the following presentations at theBlackhat Briefings for the next two days:Day 1 - August 6* 0900-0950 - Keynote: Complexity in Computer Security - Ian Angell* 1000-1100 - Nmap: Scanning the Internet - Fyodor Vaskovich* 1115-1230 - DNS Goodness - Dan Kaminsky* 1345-1500 - Client-Side Security - Petko D Petkov* 1515-1630 - Xploiting Google Gadgets: Gmalware and Beyond - TomStracener* 1645-1800 - MetaPost Exploitation - Val SmithDay 2 - August 7* 0900-0950 - Keynote: Natural Security - Rod Beckstrom* 1000-1100 - Satan is on My Friends List - Shawn Moyer et NathanHamiel* 1115-1230 - Visual Forensic Analysis and Reverse Engineering -Greg Conti et Erik Dean* 1345-1500 - Hacking and Injecting Federal Trojans - Lukas Grunwald* 1515-1630 - The Internet is Broken - Nathan McFeters, Rob Carter etJohn Heasman* 1645-1800 - Pushing the Camel Through the Eye of a Needle - HaroonMeer et Marco SlavieroFor those of you in Twitterland - tweet me if you're going to any ofthe same presentations and want to say "hi" twitterSteve Zenone### IMAGEIMAGE IMAGE IMAGE IMAGE IMAGEIMAGEhttp://www.secuobs.com/revue/news/102825.shtmlhttp://www.secuobs.com/revue/news/102825.shtml Secuobs.com : 2009-05-28 21:34:38 - Zen One - Years back I made the switch from Windows to RedHat as my desktop OSof choice I wasn't too impressed with it as a Desktop OS andeventually migrated over to Ubuntu, which I immediately fell in lovewith Last week I finally made the move to using a Mac as my preferred"desktop" operating system After traveling from Singapore, to Alaska,and then to St Louis, I finally have my PowerBook Pro I didn't dothe traveling - rather, my Mac was shipped from Singapore and made thejourney halfway around the worldEvery time I'm on my MacBook I find myself very impressed with howsmooth and fully integrated the system is Simply put, the system isawesome I've also installed VMware Fusion so that I can virtually runWindows from my BootCamp partition, allowing me to still run theWindows dependent programs necessary for me to get my work done asefficiently as possibleThis morning I installed a blogging client called "ecto", which I'mtrying out for the first time with this postingSteve###IMAGEIMAGE IMAGE IMAGE IMAGE IMAGEIMAGEhttp://www.secuobs.com/revue/news/102824.shtmlhttp://www.secuobs.com/revue/news/102824.shtml Secuobs.com : 2009-05-28 21:34:38 - Zen One - Microsoft recently issued an out-of-band security advisory for avulnerability in the server service that could allow remote codeexecution MS08-067 Due to the criticality of the vulnerability,Microsoft has released a fix out-of-band ie, not on the regularPatch TuesdayIt is strongly recommended that patches be tested and applied to allvulnerable systems you administrate as soon as possible According toone source, targeted attacks using this vulnerability to compromisefully-patched Windows XP and Windows Server 2003 systems have beenseenAdvisoriesMS08-67SecurityFocusAdditional InformationTechnet BlogSteve###IMAGEIMAGE IMAGE IMAGE IMAGE IMAGEIMAGEhttp://www.secuobs.com/revue/news/102823.shtmlhttp://www.secuobs.com/revue/news/102823.shtml Secuobs.com : 2009-05-28 21:34:38 - Zen One - “Give us the tools and we will finish the job” ~ WinstonChurchillManaging tasks and keeping notes readily accessible and easilysearchable has been an ongoing challenge for me In 1997 I took aFranklin Time Management class and clearly understood the necessity toeffectively manage my tasks and time However, carrying an awkwardorganizer with me wherever I went wasn't convenient, and I often foundit annoying to pull my organizer out when I needed review my scheduleand often difficult to quickly locate notes that I had takenpreviouslyFortunatelythrough need, advances in technology and the synergy ofcreative minds, many electronic productivity tools have surfaced inthe market over the years to help with staying organized and gettingthings doneTask ManagementOver the past several years I've used tools such as Jott and RememberThe Milk RTM to help me with managing my tasks Over a period oftime I found myself growing more and more frustrated with the twoproductivity tools Jott started charging money for a service that dida mediocre job with converting speech-to-text I tethered RTM withJott for adding tasks through speechin other words, I was using twoproductivity tools to do what one should have been able to doindependentlyI can't expect to meet the challenges of today with yesterday's toolsand expect to be in business tomorrow Fortunately, I found a verypowerful yet easy to use productivity tool that has been workingextremely well for me Several months ago I started using ReQall as areplacement for both Jott and RTM What exactly is ReQall Accordingto the marketing blurb on the ReQall website:"ReQall is the best memory tool you may ever have, connecting allthe ways you communicate in one easy-to-use reminder system Useit on the web no software to install or download it into youriPhone or BlackBerry smartphone By integrating voice input,speech-to-text transcription, automatic organization andmulti-platform reminders, ReQall goes beyond typical to-do andreminder applications"I've been using ReQall to manage my tasks and shopping lists From myexperience ReQall does a much better job with speech-to-textconversions than with Jott ReQall's web interface to manage tasks issimpler to use I'm able to add tasks via the following; web text,iphone app text and voice, firefox plugin text, phone voice, andinstant messaging text Plus, I appreciate now having a singlesolution ReQall to do what I had been doing with two Jott and RTMReQall also allows me to add meetings and schedule tasks for specificdates and times For example, on my iPhone I can launch the ReQall appand say the following note:"Meet with Mike on Friday at 3pm"The above voice note gets converted to text by ReQall Adding myReQall meeting feed to my Google Calendar I then see a meeting onFriday at 3pm with Mike I also synch my iCal with Google Calendar sothat my schedule stays current and easily accessible no matter whereI'm accessing itIf I want to add an item to my shopping list, all I have to do is say"buy" and whatever it is I need to pick up at the market Whoala, theitem gets converted to text and shows up in my shopping list Myshopping list can be accessed and individual items checked off from myiPhone while at the storeThough ReQall is currently a very useful productivity tool, there'sroom for improvement that will increase ReQall's value Features Iwould like to see include:* A ReQall desktop widget for Mac RTM already has a desktop widgetfor Mac OS X* Ability to view all To-Do's and shopping list items via theFirefox extension* Ability to check items off as completed via Firefox extension* Ability to check items off as completed via the IM interface* iPhone app: Have shared shopping list entries show up in myshopping list AS WELL as my recipient's shopping list* iPhone app: Auto refresh when starting app, making changes toitems, and at specified time intervals eg, every 15 mins* iPhone app: Ability to change user/pass from the ReQall appinstead of having to go through the standard iPhone settings appI look forward to seeing what ReQall will rollout throughout 2009“Computers are magnificent tools for the realization of ourdreams, but no machine can replace the human spark of spirit,compassion, love, and understanding” ~ Louis GerstnerNote Taking, Journaling and RetrievalOver the past six months I've been using Journler to record and searchthrough my notes Journler was great so long as I had my laptop nextto me when I needed to retrieve notes Ultimately, what I needed was asolution that would allow me to securely access my notes from myiPhone as well as from the web I also wanted a productivity tool thatwould let me take photos with my iPhone, or other camera, ofwhiteboards at the conclusion of a work meeting and would place thephoto into my notes and preferably convert the words on the whiteboardfrom the photo into searchable text OCRLast month a co-worker of mine asked about Evernote Simply put,Evernote is incredibly useful According to the Evernote website:"Evernote allows you to easily capture information in anyenvironment using whatever device or platform you find mostconvenient, and makes this information accessible and searchableat any time, from anywhere"I've now migrated all of my Journler entries into Evernote It goeswithout saying, I don't store anything sensitive in Evernote unlessPGP'd I can access my notes from the web browser on my laptop, theEvernote application, and from my iPhone Imagine I was in a meetingthis morning and I took a picture of the whiteboard where the word"Monkey" was written Evernote will convert the writing into text andmake it searchable Therefore, I can search my Evernotes for the word"Monkey" and the picture of the whiteboard will be a returned resultThat's awesomeIMG_0001_200x300shklPNGScreenshot: Evernote iPhone AppAdditional features I would like to see in Evernote include:* Strong crypto that can be applied to specific notes requiring aseparate password to encrypt/decrypt for enhanced security andprivacy - see next bullet point regarding two-factorauthentication;* Two-factor authentication with support for one-time-passwords seePayPal Security KeyOverall, I see productivity tools finally getting to a point wherethere's a noticeable benefit in my productivity in using them ReQalland Evernote are two such productivity tools“When you write down your ideas you automatically focus your fullattention on them Few if any of us can write one thought andthink another at the same time Thus a pencil and paper makeexcellent concentration tools” ~ Michael LeboeufSteve###IMAGEIMAGE IMAGE IMAGE IMAGE IMAGEIMAGEhttp://www.secuobs.com/revue/news/102822.shtmlhttp://www.secuobs.com/revue/news/102822.shtml Secuobs.com : 2009-05-28 21:34:38 - Zen One - I've recently been asking myself how to most effectively structureInformation Security InfoSec within an organization Here are somethoughts I've had while trying to answer thisAs with any "structure" there needs to be some form of integralsupport, whether it's a frame for a house or honeycomb for a beehiveThis is also true with organizational structures - there needs to besupport In order for InfoSec to be successful it must have the fullsupport of senior or executive management This support would beactualized as a sincere commitment by senior management to achieve thefollowing:* Develop high standards of corporate governance* Treat InfoSec as a critical function that enables an organizationto do business* Create an environment that understands the importance of, andembraces, InfoSec* Consistently show 3rd parties that InfoSec is vital and willalways be handled in a professional manner* Ensure that controls being implemented by InfoSec are appropriateand proportionate to risk being addressed* Stay informed and accept ultimate responsibility andaccountabilityThe first bulleted point in the above list, "Develop high standards ofcorporate governance", is where the necessary framework is built fromwhich InfoSec can flourish At a minimum, an effective governanceframework includes:* An all-inclusive security strategy that links to clearly definedand documented business objectives* Security policies that address the multiple facets of securitystrategy, regulatory compliance and controls* Standards for each of the policies to make sure that proceduresand guidelines comply with policy* An organizational structure void of conflicts of interest withsufficient resources and authority* Metrics and monitoring processes to ensure compliance and providefeedbackAgain, I want to emphasize that It is imperative that anorganization's top management sees InfoSec as a critical businessfunction and is fully committed to stand behind InfoSec Without thecomplete assurance from top management we will continue to seesecurity functions getting moved around the organization whileadequate resources are never obtained and conflicts of interest areprogressively createdTo limit conflicts of interest and actualize the benefits frominvesting within InfoSec, the Chief Information Security OfficerCISO/ISO or Information Security Manager ISM must report directlyto the top of the organizational structure, or an independent branchsuch as Audit The trend in the past was to embed central InfoSecwithin Information Technology IT, that is, until organizations beganrealizing that this structure kept InfoSec's hands tied behind theirback, significantly reducing InfoSec's overall effectiveness In otherwords, organizations were self-limiting their return on investmentROI from InfoSec To resolve this issue and improve the ROI fromInfoSec, CISO's/ISO's/ISM's began reporting to the CEO's, CFO's, CTO'sand CIO'sSlide11pngOk, great, so the ISO should report to the CFO then whatWhat we want to avoid is a structure with the fragmentation that iscommonly seen today Rather, create a tighter integration of theduties and activities performed by IT Security, Operations, Policy etCompliance, Risk Management and Audit To anticipate the trends of thefuture, it’s very likely that individuals and departments taking oncentral InfoSec duties will also have various risk managementresponsibilities that extend beyond IT This can include anything fromphysical security, business continuity and disaster recoverySlide1pngFact is, too often in industry the security discipline ismisdirected by technology instead of using a risk analysis andproactive ‘intelligence’ approach To add to the vicious cycle, whenmajority of the investment is being put into technology then most ofthe return comes from there too This reinforcement perpetuates thedestructive spiralSo, how does a business avoid this technodazed shortsightedness Itcomes down to strategy, making the conscious shift to be morestrategic This means moving away from the predictabletechnology-centric and tactical security operation seen in theindustry since the golden days of the dot-gone era At a high level,for InfoSec to more closely align with and help business achieve itsobjectives, InfoSec will need to become more focussed on 'intelligence';gathering information, ability to comprehend, ability to developpolicy and plans at a high level, using a methodology of risk analysisand risk mitigation, having the knowledge about an organization'sbusiness environment that has implications for its long-term viabilityand success, thinking long-term, and being both pragmatic andvisionaryThinking strategically while taking into account anticipation offuture trends and using proactive 'intelligence', I believe the wiseCISO, or equivalent, who's in a healthy organizational environmentneeds to start planning for incorporating some of the non-IT specificrisk management responsibilities before it's thrust upon them withinthe next three to five years There will need to be coordinationbetween IT Security, Operations, Policy et Compliance, Risk Management,Audit and Physical SecurityWhat this boils down to is that a very effective way to structureInfoSec within an organization involves having the CISO, orequivalent, reporting directly to the senior/executive level of theorganization while having their full support, commitment andinvolvement This top level commitment includes the development ofhigh standards of corporate governance and actively limiting conflictsof interest so that InfoSec will be effective and provide a high ROIby enabling the organization to do businessSlide2png Steve ### IMAGEIMAGE IMAGE IMAGE IMAGE IMAGEIMAGEhttp://www.secuobs.com/revue/news/102821.shtmlhttp://www.secuobs.com/revue/news/102821.shtml Secuobs.com : 2009-05-28 21:34:38 - Zen One - I've been searching for a reliable method to automate thesynchronization of events from Oracle Calendar formerlyCorporateTime to my Google Calendar, iCal on my Mac, and internaliPhone calendar on my iPhoneSlide1pngRecently I learned of a promising iPhone app available at iTunescalled Todo+Cal+Sync that could do most of what I was looking for withsynchronizing calendars However, I didn't want to fork over $1499for an application that, instead of importing Oracle Calendar eventsinto the native iPhone calendar, added an additional calendarapplication on my iPhone Synthesis AG, the developer of theTodo+Cal+Sync application, is required to do this because oflimitations imposed by Apple's iPhone software development kit SDKIn other words, Apple does not allow 3rd part applications, such asTodo+Cal+Sync, to access the internal iPhone calendar, nor sync withiCal This is a risk/benefit that Apple needs to manage; is thebenefit of restricting access to the internal iPhone calendar worththe impact it has on the development of 3rd party applications andsubsequent ripple effect Until Apple's iPhone SDK allow such access,I did not want two calendar applications and continued looking forsomething that would better match my needsAfter digging around and tinkering with different solutions, I workedout a method that did exactly what I wanted To make this solutioneven better, it cost $0 - in other words, FREEBelow are the steps that I came up with to make the calendar sync workfor me Steps 1-3 are also useful for those who do not necessarilyhave an iPhone or iTouch but want to sync their Oracle Calendar withother devices and/or calendar apps that support Google Calendar'sCalDAV sync1 Begin by changing your password for your Oracle Calendar useraccount Make it a unique password that you are not using anywhereelse In other words, your new Oracle Calendar password should notbe the same password as you're using for other email accounts,online banking, eBay, PayPal, etc This new password should alsocomply to any password policies that may exist for users of theOracle Calendar system2 Create a "magic" URL using SyncML2iCalcom This URL will be usedin step #3 You will want your magic URL to look something likethe following:Example - Oracle Calendar supporting https on port 443http://syncsyncml2icalcom/serverurl=https://YOURORACLECALENDARCOM:443/ocas-bin/ocasfcgisub=syncmletuser=USERNAMEetpass=PASSWORDeteventsdb=/Calendar/Events/dr-7,30SECURITY WARNING - There is an increased security risk with thismethod It's up to you to determine if this is a risk you arewilling to accept and that it doesn't violate any policies orrestrictions imposed by the organization running the OracleCalendar service that you are using The risks include:* Unauthorized interception of your password from the URL asit's being transmitted to SyncML2iCalcom or fromSyncML2iCalcom* SyncML2iCalcom itself becoming compromised and allowing anattacker to intercept your passwordIn my opinion, the likelihood of the above risks happening aremedium to low You can keep this risk on the lower end by neverconnecting to untrusted networks or using insecure wireless, whichincludes wireless networks that use WEP encryptionAdditionally, you will need to determine if the impact of anunauthorized user obtaining your Oracle Calendar password wouldhave a significant impact or not In most instances, I wouldimagine the impact would be lowThis is why doing step #1 above is critical in helping minimizethe impact if your password was compromisedAnyone using an application that syncs using the SyncMLfunctionality of Oracle Calendar should take the same precautionsirregardless if he or she are using SyncML2iCalcom as a proxy toconvert SynchML to iCal format3 Go to Google Calendar and add a new calendar by selecting Add byURL You will use the URL you created from step #2 You may alsowant to change the display name and color of this new calendar onGoogle CalendarAddCalpngDo note that Google has stated that external feeds addedvia the "Add by URL" method should be refreshed every 24 hours4 Download and run Calaboration from Google Code This will allowyou to add your Oracle calendar to your Mac's iCal applicationBefore you can add the new calendar, click on preferences withinCalaboration and enable allowing read only calendars to be addedMake sure your new calendar is selected and let Calaboration dothe setup work for you Your Oracle calendar will then sync withiCalCalaborationpng5 Use iTunes to sync Oracle calendar from iCal to your iPhoneiTunes-CalendarpngOne minor annoying issue I came across was with how day events and daynotes from Oracle Calendar were handled by the time they showed up iniCal Day events and notes from Oracle Calendar showed up in iCal asbeing a blocked all-day event from 0000-2359 As a quick temporarysolution I simply denied day events and notes within Oracle Calendarand re-synced This temporary approach was acceptable for me since Iuse Google Calendar to manage my daily notes and I can look at auser's Oracle calendar if I need to know if he or she is on vacation,on-call, etcAs for effectively managing tasks using your iPhone, see my previousarticle titled, Tools To Get Things DoneSteve###IMAGEIMAGE IMAGE IMAGE IMAGE IMAGEIMAGEhttp://www.secuobs.com/revue/news/102820.shtmlhttp://www.secuobs.com/revue/news/102820.shtml Secuobs.com : 2009-05-28 21:34:38 - Zen One - According to section 41 of the the Payment Card Industry DataSecurity Standard PCI-DSS v12, merchants handling credit card dataare required to “use strong cryptography and security protocols suchas SSL/TLS or IPSEC to safeguard sensitive cardholder data duringtransmission over open, public networks”What does this mean In order to validate your PCI DSS compliance inthis area you will need to ensure that your relevant servers withinyour PCI environment are configured to disallow Secure Sockets Layer SSLversion 2 as well as "weak" cryptography You are also required tohave quarterly PCI security vulnerability scans conducted against yourexternally facing PCI systems Without disabling SSLv2 and weakciphers you are almost guaranteed to fail the scans In turn this willlead to falling out of compliance along with the associated risks andconsequencesThe SSLv2 ConundrumDoes your server support SSLv2How to test:You will need to have OpenSSL installed on the system that you willperform the tests from Once installed, use the following command totest your web server, assuming port 443 is where you're providing httpsconnections:# openssl s_client -ssl2 -connect SERVERNAME:443If the server does not support SSLv2 you should receive an errorsimilar to the following:# openssl s_client -ssl2 -connect SERVERNAME:443CONNECTED00000003458:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshakefailure:s2_pktc:428:How to configure Apache v2 to not accept SSLv2 connections:You will need to modify the SSLCipherSuite directive in the httpdconfor sslconf fileAn example would be editing the following lines to look similar to:SSLProtocol -ALL +SSLv3 +TLSv1Restart the Apache process and ensure that the server is functionalAlso retest using OpenSSL to confirm that SSLv2 is no longer acceptedHow to configure Microsoft IIS to not accept SSLv2 connections:You will need to modify the system’s registryMerge the following keys to the Windows registry:HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsPCT10Server"Enabled"=dword:00000000HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL20Server"Enabled"=dword:00000000Restart the system and ensure that the server is functional Alsoretest using OpenSSL to confirm that SSLv2 is no longer acceptedThose Pesky Weak SSL CiphersDoes your server support weak SSL ciphersHow to test:You will need to have OpenSSL installed on the system that you willperform the tests from Once installed, use the following command totest your web server, assuming port 443 is where you're providing httpsconnections:# openssl s_client -connect SERVERNAME:443 -cipher LOW:EXPIf the server does not support weak ciphers you should receive anerror similar to the following:# openssl s_client -connect SERVERNAME:443 -cipher LOW:EXPCONNECTED00000003461:error:140790E5:SSL routines:SSL23_WRITE:ssl handshakefailure:s23_libc:226:How to configure Apache v2 to not accept weak SSL ciphers:You will need to modify the SSLCipherSuite directive in the httpdconfor sslconf fileAn example would be editing the following lines to look similar to:SSLCipherSuiteALL:aNULL:ADH:eNULL:LOW:EXP:RC4+RSA:+HIGH:+MEDIUMRestart the Apache process and ensure that the server is functionalAlso retest using OpenSSL to confirm that weak SSL ciphers are nolonger acceptedHow to configure Microsoft IIS to not accept weak SSL ciphers:You will need to modify the system’s registryMerge the following keys to the Windows registry:HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphersDES56/56"Enabled"=dword:00000000HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphersNULL"Enabled"=dword:00000000HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphersRC240/128"Enabled"=dword:00000000HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphersRC256/128"Enabled"=dword:00000000HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphersRC440/128"Enabled"=dword:00000000HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphersRC456/128"Enabled"=dword:00000000HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphersRC464/128"Enabled"=dword:0000000Restart the system and ensure that the server is functional Alsoretest using OpenSSL to confirm that weak SSL ciphers are no longeracceptedAt this point have your Approved Scanning Vendor ASV scan yourexternal facing PCI environment to validate Making the above changesshould cause the ASV scans to not tag and fail you on the followingvulnerabilities:* SSL Server Supports Weak Encryption* SSL Server Allows Cleartext Encryption* SSL Server May Be Forced to Use Weak Encryption* SSL Server Allows Anonymous AuthenticationSteve###IMAGEIMAGE IMAGE IMAGE IMAGE IMAGEIMAGEhttp://www.secuobs.com/revue/news/102819.shtmlhttp://www.secuobs.com/revue/news/102819.shtml Secuobs.com : 2009-05-28 21:34:38 - Zen One - By Judi Lynn LakeI am a die-hard Mac user Have been for over twenty years and it onlygets better The PC certainly has its place but for creative projectswell the Mac is superior and the good news is is that Mac's do notget virusesMy partner is a die-hard PC user If you ever viewed the recent Maccommercials then you can imagine our relationship I have recentlyadded creative video production to my advertising agency's servicesand my partner began to feel a bit competitive I have always thrivedon competition and believe it to be good even if it is with yourpartnerMy first video was a Creative Director's dream -- my client gave mecomplete creative carte blanche My partner, who is a copywriter, hadrecently bought PC video software and well, he was just dying touse it and prove that it would triumph over the MacOnce I completed all the storyboards, I sent a crew out to shoot onlocation As I passed my partners office, I peaked in his office and Icould see sweat dripping from his forehead He was struggling and Isilently laughed, wishing we had made a bet Two weeks later the videowas completed; fully edited and designed on my Mac The clientapproved the video and it was a 'go' My partner, on the other hand,was still trying to learn the software and his final product was 'thehomegrown version' clip It is comical, but seriously our differencesactually are our strengthsAn experienced Mac user tends to be 'cocky' at times because therereally are no limits to what our little machines can do, and I am noexception -- I rarely see any limits There was, however, adisadvantage I experienced recently that unfortunately isnondiscriminating towards neither a Mac nor a PC: Identity Theft Thisweek I became victim to Identity Theft and therefore a statistic inthe wonderland of technologyNo longer holding the 'it could never happen to me' mentality becauseit did and it happens to millions of people a day without someconsumers ever realizing it Technology is incredible and we can dothings today that were never imagined twenty years ago But astechnology juices up the creative sector, it also feeds the larcenistsand opens up a world of crime unheard of years agoOnce considered a protection, our social security number has actuallytransformed into the very bait that perpetrators look for to stealidentities Who is walking around with my name Who is walking aroundwith my numbers and personal information Is it someone reading thisarticle Is it someone I do business with Is it my neighbor This isa form of terrorism, which stalks our daily lives in the twenty-firstcentury and ruins livesI have been 'Judi Lynn' all of my life and 'Lake' for the past elevenyears and am very happy to be me How dare a stranger invade my lifeand steal it from me I have heard nightmare stories of people hauntedfor years through Identity Theft and to quote the 1970s movie Network,"I am mad as hell and I am not going to take it anymore"Unfortunately, in this day and age, high security precautions must betaken both personally and professionally The best defense againstthis heinous crime is education and guidance but 'the damned if youdo' fact is that skilled identity thieves will use a variety ofmethods to gain access to your data There are many websites availableon the Internet that educates people on steps to protect themselvesbefore and after Identity Theft occurs One such site I recommend isThe Federal Trade Commission For The ConsumerSome Steps To Take Today Before You Fall Victim1 Place passwords on all of your credit card, bank, and phoneaccounts Avoid using easily available information like yourmother's maiden name, your birth date, the last four digits ofyour SSN or your phone number, or a series of consecutive numbersWhen opening new accounts, you may find that many businesses stillhave a line on their applications for your mother's maiden nameAsk if you can use a password instead2 Secure personal information in your home, especially if you haveroommates, employ outside help, or are having work done in yourhome3 Ask about information security procedures in your workplace or atbusinesses, doctor's offices or other institutions that collectyour personally identifying information Find out who has accessto your personal information and verify that it is handledsecurely Ask about the disposal procedures for those records aswell Find out if your information will be shared with anyoneelse If so, ask how your information can be kept confidentialDon't think that identity theft can not happen to you, expect that itwill so that it won't -- stay informed and stay educated so you do notbecome a statisticArticle Source: Articles EngineIMAGEIMAGE IMAGE IMAGE IMAGEIMAGEIMAGEhttp://www.secuobs.com/revue/news/102818.shtmlhttp://www.secuobs.com/revue/news/102818.shtml Secuobs.com : 2009-05-28 21:34:38 - Zen One - By: Nick PegleyHave you ever thought about the best ways to be negatively affected bya disaster, get hacked, or otherwise part with data stored on yourcomputers Here are some of the best ways to lose system security, inno particular order:1 Security GuardWhen an employee quits or is let go, leave hisnetwork log ins and e mail accounts enabled You never know whenhe might want to check in on things2 Rely solely on technology Firewalls, encryption and antivirussoftware are all you need to protect your information3 Completely outsource your information security initiativesThere's no need for anyone inside your organization to worry aboutsuch matters4 Leave your operating systems and software applications with thedefault settings System hardening is for the birds5 Don't train your users on your security policies and what to lookout for, such as unsolicited e mail attachments and common hackeractivities Your users can't be burdened with more training6 If you do happen to have a security policy, never refer to it,enforce it, update it or do what it says7 By all means, don't take an inventory of your information systemsor document your network8 Don't pay attention to or even bother to understand what you'retrying to protect9 Don't patch your software or update your virus signatures, andnever, ever, run vulnerability assessments to detect newlydiscovered software flaws and system misconfigurations It s justtoo time consuming10 Respond to hacker attacks, viruses and other intrusions as theyhappen don't be proactive in dealing with them11 Ignore all known best practices and international informationsecurity standards from the International Standards Organization,Internet Engineering Task Force, SANS Institute, and your localinformation security consultant, to name a few12 Leave your databases, especially those containing credit card orother confidential information, unencrypted And be sure to storethem on publicly accessible servers13 Run your business without disaster recovery and businesscontinuity plans After all, you can think clearly and makecritical decisions under pressure, right14 Don't monitor your systems They'll be fine running bythemselves, and if anything major happens with the integrity oravailability of your information, you'll be notifiedautomatically, won't you15 Don't back up your data, but if you must, don't test yourbackups Also, leave your backup media on site preferably sittingon top of an uninterruptible power supply16 Don't create any security policies that document how you resafeguarding your information to protect your organization andclients from information disasters and legal liabilities17 Apply the principle of greatest privilege Give all users thegreatest amount of access to your information systems Everyoneshould have access to everything it's only fair, right18 Don't subscribe to security bulletins and mailing lists, anddon't ever read information security trade magazines19 Don't, under any circumstances, get upper management involved ininformation security initiatives They're business focused andshouldn't be bothered or even care about technology or theliabilities associated with their information, right20 Use passwords that consist of your pet's name, your name, yourmom's maiden name, or your birthday That way, you won t forgetthem Better yet, just use "password" for your passwords Also,don t forget to write them down and post them on your monitor orkeyboardAnd, last but not least:21 Leave your servers and network equipment in a room to whicheveryone, including outsiders off the street, has accessBy following these practices you can be sure that your computers willbe an easy target for viruses, disgruntled employees, hackers, andothers You can show up to work each day with the pride of knowingthat there's an excellent chance that your business data will bemissing when you arrive It's just a matter of time, and it s alleasily achievedAuthor Resource:- Nick Pegley is VP Marketing for All Covered:Technology Services Partner for Small Business, providinghttp://wwwallcoveredcom/locations/denver/ disaster recoverysolutions and technology services in 20 major US metro areasArticle From Zing Articles - Best Free Articles on all topicsIMAGEIMAGE IMAGE IMAGE IMAGE IMAGEIMAGEhttp://www.secuobs.com/revue/news/102817.shtmlhttp://www.secuobs.com/revue/news/102817.shtml Secuobs.com : 2009-05-28 21:34:38 - Zen One - By: Steven WeilIntroduction------------ITIL - the Information Technology Infrastructure Library - is a set ofbest practices and guidelines that define an integrated, process-basedapproach for managing information technology services ITIL can beapplied across almost every type of IT environmentInterest in and adoption of ITIL has been steadily increasingthroughout the world; the numerous public and private organizationsthat have adopted it include Proctor et Gamble, Washington Mutual,Southwest Airlines, Hershey Foods, and the Internal Revenue ServiceIn addition to the often touted benefits of ITIL - aligning IT withthe needs of the business, improving service quality, decreasing thecosts of IT service delivery and support - the framework can aid theinformation security professional both directly there is a specificSecurity Management process and indirectlyThis article will provide a general overview of ITIL and discuss howITIL can improve how organizations implement and manage informationsecurityITIL overview-------------ITIL began in the 1980s as an attempt by the British government todevelop an approach for efficient and cost-effective use of its manyIT resources Using the experiences and expertise of successful ITprofessionals, a British government agency developed and released aseries of best-practice books, each focusing on a different ITprocess Since then, ITIL has become an entire industry oforganizations, tools, consulting services, related frameworks, andpublications Currently in the public domain and still evolving, the44-volume set of ITIL guidelines has been consolidated into 8 corebooksWhen most people discuss ITIL, they refer to the ITIL Service Supportand Service Delivery books These contain a set of structured bestpractices and standard methodologies for core IT operational processessuch as Change, Release, and Configuration Management, as well asIncident, Problem, Capacity, and Availability ManagementITIL stresses service quality and focuses on how IT services can beefficiently and cost-effectively provided and supported In the ITILframework, the business units within an organization who commissionand pay for IT services eg Human Resources, Accounting, areconsidered to be "customers" of IT services The IT organization isconsidered to be a service provider for the customersITIL defines the objectives, activities, inputs, and outputs of manyof the processes found in an IT organization It primarily focuses onwhat processes are needed to ensure high quality IT services; however,ITIL does not provide specific, detailed descriptions about how theprocesses should be implemented, as they will be different in eachorganization In other words, ITIL tells an organization what to do,not how to do itThe ITIL framework is typically implemented in stages, with additionalprocesses added in a continuous service improvement programOrganizations can benefit in several important ways from ITIL:* IT services become more customer-focused* The quality and cost of IT services are better managed* The IT organization develops a clearer structure and becomes moreefficient* IT changes are easier to manage* There is a uniform frame of reference for internal communicationabout IT* IT procedures are standardized and integrated* Demonstrable and auditable performance measurements are definedITIL details------------ITIL takes a process-based approach to managing and providing ITservices; IT activities are divided into processes, each of which hasthree levels:* Strategic: An organization's objectives are determined, along withan outline of methods to achieve the objectives* Tactical: The strategy is translated into an appropriateorganizational structure and specific plans that describe whichprocesses have to be executed, what assets have to be deployed,and what the outcomes of the processes should be* Operational: The tactical plans are executed Strategic objectivesare achieved within a specified timeA description of each of the numerous IT processes covered by ITIL isbeyond the scope of this article What follows are brief, generaldescriptions of the ITIL processes that, along with the SecurityManagement process, have a significant relationship with informationsecurity Each of these areas is a set of best practices:* Configuration Management: Best practices for controllingproduction configurations for example, standardization, statusmonitoring, asset identification By identifying, controlling,maintaining and verifying the items that make up an organization'sIT infrastructure, these practices ensure that there is a logicalmodel of the infrastructure* Incident Management: Best practices for resolving incidents anyevent that causes an interruption to, or a reduction in, thequality of an IT service and quickly restoring IT services Thesepractices ensure that normal service is restored as quickly aspossible after an incident occurs* Problem Management: Best practices for identifying the underlyingcauses of IT incidents in order to prevent future recurrencesThese practices seek to proactively prevent incidents andproblems* Change Management: Best practices for standardizing andauthorizing the controlled implementation of IT changes Thesepractices ensure that changes are implemented with minimum adverseimpact on IT services, and that they are traceable* Release Management: Best practices for the release of hardware andsoftware These practices ensure that only tested and correctversions of authorized software and hardware are provided to ITcustomers* Availability Management: Best practices for maintaining theavailability of IT services guaranteed to a customer for example,optimizing maintenance and design measures to minimize the numberof incidents These practices ensure that an IT infrastructure isreliable, resilient, and recoverable* Financial Management: Best practices for understanding andmanaging the cost of providing IT services for example,budgeting, IT accounting, charging These practices ensure thatIT services are provided efficiently, economically, andcost-effectively* Service Level Management: Best practices for ensuring thatagreements between IT and IT customers are specified andfulfilled These practices ensure that IT services are maintainedand improved through a cycle of agreeing, monitoring, reporting,and reviewing IT servicesThere is also a Service Desk function that describes best practicesfor establishing and managing a central point of contact for users ofIT services Two of the Service Desk's most important responsibilitiesare monitoring incidents and communicating with usersFigure 1 depicts the above processes, showing how the Service Deskfunction serves as the single point of contact for the various servicemanagement processesFigure 1Figure 1 ITIL Service Management ProcessesMore detailed information about the above processes and Service Deskfunction can be found in the references listed at the end of thisarticleITIL and information security-----------------------------ITIL seeks to ensure that effective information security measures aretaken at strategic, tactical, and operational levels Informationsecurity is considered an iterative process that must be controlled,planned, implemented, evaluated, and maintainedITIL breaks information security down into:* Policies - overall objectives an organization is attempting toachieve* Processes - what has to happen to achieve the objectives* Procedures - who does what and when to achieve the objectives* Work instructions - instructions for taking specific actionsIt defines information security as a complete cyclical process withcontinuous review and improvement, as illustrated in Figure 2:Figure 2Figure 2 Information Security ProcessAs some organizations look at Implementation and Monitoring as asingle step, ITIL's Information Security Process can be described as aseven step process:1 Using risk analysis, IT customers identify their securityrequirements2 The IT department determines the feasibility of the requirementsand compares them to the organization's minimum informationsecurity baseline3 The customer and IT organization negotiate and define a servicelevel agreement SLA that includes definition of the informationsecurity requirements in measurable terms and specifies how theywill be verifiably achieved4 Operational level agreements OLAs, which provide detaileddescriptions of how information security services will beprovided, are negotiated and defined within the IT organization5 The SLA and OLAs are implemented and monitored6 Customers receive regular reports about the effectiveness andstatus of provided information security services7 The SLA and OLAs are modified as necessaryService level agreements------------------------The SLA is a key part of the ITIL information security process It isa formal, written agreement that documents the levels of service,including information security, that IT is responsible for providingThe SLA should include key performance indicators and performancecriteria Typical SLA information security statements should include:* Permitted methods of access* Agreements about auditing and logging* Physical security measures* Information security training and awareness for users* Authorization procedure for user access rights* Agreements on reporting and investigating security incidents* Expected reports and auditsIn addition to SLAs and OLAs, ITIL defines three other types ofinformation security documentation:* Information security policies: ITIL states that security policiesshould come from senior management and contain:* 1 Objectives and scope of information security for anorganization2 Goals and management principles for how information securityis to be managed3 Definition of roles and responsibilities for informationsecurity* Information security plans: describes how a policy is implementedfor a specific information system and/or business unit* Information security handbooks: operational documents forday-to-day usage; they provide specific, detailed workinginstructionsTen ways ITIL can improve information security----------------------------------------------There are a number of important ways that ITIL can improve howorganizations implement and manage information security1 ITIL keeps information security business and service focused Toooften, information security is perceived as a "cost center" or"hindrance" to business functions With ITIL, business processowners and IT negotiate information security services; thisensures that the services are aligned with the business' needs2 ITIL can enable organizations to develop and implementinformation security in a structured, clear way based on bestpractices Information security staff can move from "firefighting" mode to a more structured and planned approach3 With its requirement for continuous review, ITIL can help ensurethat information security measures maintain their effectiveness asrequirements, environments, and threats change4 ITIL establishes documented processes and standards such as SLAsand OLAs that can be audited and monitored This can help anorganization understand the effectiveness of its informationsecurity program and comply with regulatory requirements forexample, HIPAA or Sarbanes Oxley5 ITIL provides a foundation upon which information security canbuild It requires a number of best practices - such as ChangeManagement, Configuration Management, and Incident Management -that can significantly improve information security For example,a considerable number of information security issues are caused byinadequate change management, such as misconfigured servers6 ITIL enables information security staff to discuss informationsecurity in terms other groups can understand and appreciate Manymanagers can't "relate" to low-level details about encryption orfirewall rules, but they are likely to understand and appreciateITIL concepts such as incorporating information security intodefined processes for handling problems, improving service, andmaintaining SLAs ITIL can help managers understand thatinformation security is a key part of having a successful,well-run organization7 The organized ITIL framework prevents the rushed, disorganizedimplementation of information security measures ITIL requiresdesigning and building consistent, measurable information securitymeasures into IT services rather than after-the-fact or after anincident This ultimately saves time, money, and effort8 The reporting required by ITIL keeps an organization's managementwell informed about the effectiveness of their organization'sinformation security measures The reporting also allowsmanagement to make informed decisions about the risks theirorganization has9 ITIL defines roles and responsibilities for information securityDuring an incident, it's clear who will respond and how they willdo so10 ITIL establishes a common language for discussing informationsecurity This can allow information security staff to communicatemore effectively with internal and external business partners,such as an organization's outsourced security servicesImplementing ITIL-----------------ITIL does not typically start with IT - it is usually initiated bysenior management such as the CEO or CIO As an information securityprofessional, however, you can add value by bringing ITIL to theattention of senior management With the framework's rapidlyincreasing adoption, your organization might already be talking aboutITIL; letting your management know specifically about ITIL'sinformation security benefits can help spur its adoptionImplementing ITIL does take time and effort Depending on the size andcomplexity of an organization, implementing it can take significant upfront time and effort For many organizations, successfulimplementation of ITIL will require changes in their organizationalculture and the involvement and commitment of employees throughout theorganizationCritical factors for successful ITIL implementation include:* Full management commitment and involvement with the ITILimplementation* A phased approach* Consistent and thorough training of staff and management* Making ITIL improvements in service provision and cost reductionsufficiently visible* Sufficient investment in ITIL support toolsConclusion----------Information security measures are steadily increasing in scope,complexity, and importance It is risky, expensive, and inefficientfor organizations to have their information security depend oncobbled-together, homegrown processes ITIL can enable these processesto be replaced with standardized, integrated processes based on bestpractices Though some time and effort are required, ITIL can improvehow organizations implement and manage information securityAuthor Resource: Steven Weil, CISSP, CISA, CBCP is senior securityconsultant with Seitel Leeds et Associates, a full service consultingfirm based in Seattle, WA Mr Weil specializes in the areas ofsecurity policy development, HIPAA compliance, disaster recoveryplanning, security assessments, and information security managementHe can be reached at sweil@slacomArticle From: SecurityFocusIMAGEIMAGE IMAGE IMAGE IMAGE IMAGEIMAGEhttp://www.secuobs.com/revue/news/102816.shtmlhttp://www.secuobs.com/revue/news/102816.shtml