How to avoid online holiday shopping risks

Written by Dan Blacharski on November 20, 2008

The Christmas shopping season is upon us, and despite the poor economy, people will still be shopping. And a lot of them will be doing so online. Even as retailers are crashing and burning around us, online shopping is still increasing. IT managers, CIOs and security officers must realize too, that much of this shopping is going to take place in the office, whether they like it or not. The urge to shop will invariably transcend company policy, and too often, common sense as well.

There are risks. According to a survey from ISACA, a non-profit association of IT professionals, employers are at risk because too many employees do not understand the risks involved, and the workplace is more vulnerable to spam and viruses as a result.

According to a recent ISACA survey, forty percent of Americans between the ages of 18 and 24 will spend up to five hours shopping online using a work computer this holiday season. Unfortunately, this same age group is the least worried about the vulnerability of the work computer. Overall, 63 percent of people of all ages plan to shop online from work this holiday season. The younger audience tends to pay more attention to the security of their home computers and is less concerned with workplace security. Clearly, it’s time to take some of these youngsters to school on the matter of security.


Why You Need a DMZ

Written by Mike Rede on November 19, 2008

Besides protecting your incoming email, authenticating your users and authorizing access, you will also have to worry about how to secure your servers. One way of securing your servers is to build a moat around them, making entry difficult or otherwise hindering access to them.

To do this you can build a Demilitarized Zone (DMZ) within your network. The first Demilitarized Zone created was the strip of land between North Korea and South Korea after the ceasefire of July 17, 1953.

In a computer environment, a DMZ is an area of your network that sits between your protected internal LAN and the unprotected Internet.


Why email archiving can solve PST Problems & How you can win Amazon vouchers

Written by Giselle Borg Olivier on November 19, 2008

Living in a world that’s ruled by laws and regulations, it’s not surprising that our technology and data also fall under the jurisdiction of the legal system. Email archiving is rapidly being implemented in all organizations because of eDiscovery regulations and compliance legislation. All data must be traceable and recoverable; that’s the bottom line. However, there are other reasons why email archiving, and email management in general, is an important investment for an organization, even in a country where legislation does not yet require that emails be stored.

Email archiving is used by administrators to maintain an archive of all corporate correspondence, thus reducing the dependency on PST files, which are used to store Microsoft Outlook data on a local computer. These files are known to be unreliable and problematic from a compliance and usability perspective, yet they are still widely used. The setbacks with PST files stem from both hardware and software issues, so the chances of Outlook PST files becoming corrupted, and therefore unusable, are rather high.


Obama May Have to Say Goodbye to Email

Written by Sue Walsh on November 18, 2008

President-Elect Obama has made little secret of how much he loves his Blackberry. Staffers say that, like many owners of the popular email device, Obama makes sure it’s at his side at all times. He receives emails from a large network of friends and supporters. However, due to the Presidential Records Act, which mandates that all presidential correspondence be entered into the official record and, if requested, be made available for public review, he may be forced to give it up. In fact, presidents are advised not to use email for communicating at all, due to the risk of hackers accessing it.

“They could come up with some bulletproof way of protecting his e-mail and digital correspondence, but anything can be hacked,” said Diana Owen, head of the American Studies program at Georgetown University, who has studied how presidents communicate in the Internet era. “The nature of the president’s job is that others can use e-mail for him.”


What be the three-headed dog, Kerberos?

Written by Mike Rede on November 17, 2008

How many of you remember your Greek mythology?

Remember the three-headed dog with the serpent tail and the heads of snakes along its back? Its name was Cerberus, and its purpose was to guard the gates of Hades.

That is where the authentication and authorization system known as Kerberos gets its name: Cerberus.

Kerberos was developed for MIT’s Project Athena and has been around since the 1980s. Kerberos works by exchanging secret keys between servers, users, applications and services. Kerberos currently ships with all major operating systems and relies on a service known as the Key Distribution Center (KDC). This KDC could be a domain controller in Windows or a server set up on the network. Once a KDC server is set up, it is then up to the clients to authenticate to the KDC server.

I don’t know if it is still the case, but when you set up a Kerberos server on Red Hat Linux you had to ensure that the Kerberos server and its clients were time synchronized. If there was a discrepancy of greater than five minutes, then the Kerberos clients would be unable to authenticate to the Kerberos server.


Wireless security revisited; crack found in WPA

Written by Dan Blacharski on November 17, 2008

My old wired router has seen its better days, and periodically stops working for no reason and I have to reset it. And besides that, once in a while our dog, who likes to sit at my feet under my desk, gets tangled up in the mess of wires back there. My wife and I decided it’s time to install a wireless network at home, which would give us more flexibility, the ability to work in different rooms easily, or even sit in the back yard and surf the Net. It sounded like a good idea until I read about the crack in WPA, which was recently reported by security researchers.

Reports say that two researchers discovered a flaw in WPA encryption and were able to crack it in about 15 minutes. WPA is still seen as the more secure alternative to WEP. The undisclosed mathematical crack breaks the TKIP key, which is used to encrypt data that runs between the wireless router and the wireless clients. The only other way to attack a WPA connection is through a brute force attack, but for the most part, the latter can be prevented with good passwords that are long, use random characters, and are not easily guessed. Those who have wireless networks are now encouraged to upgrade to WPA2.


Cough up those emails, Dubya!

Written by Dan Blacharski on November 14, 2008

This week, a federal judge ruled against the Bush administration over the dispute about the White House email system. The Citizens for Responsibility and Ethics, and the National Security Archive, will now be allowed to pursue their case in court to force the administration to recover missing email messages. The administration had argued that the court didn’t have the authority to force the issue, and petitioned to throw out the lawsuits by the two groups, a typical response for this administration, which has consistently held that it is above both domestic and international law.

The missing emails deal with White House business during Bush’s first term, when the Republican National Committee had a policy of purging emails, including emails to and from White House officials, after 30 days. Earlier this year, the RNC announced that it “had no intention of trying to restore the missing White House e-mails.” During that time, it was common for former presidential advisor Karl Rove, as well as other officials, to use RNC email accounts for government business, contrary to rules that business should be conducted through official government channels. Sarah Palin caught flak for doing the same thing, conducting state business through her personal Yahoo account. Besides using the RNC system, there are also allegations that other Bush administration emails have gone missing. The administration scrapped an archiving system that had been put in place by former president Clinton.


Microsoft Plans a More Trusted Internet

Written by Carl E. Reid on November 13, 2008

According to Scott Charney, Corporate Vice President, Trustworthy Computing, Microsoft Corp., the Internet has had a positive impact on many, many aspects of our society, but greater global connectivity combined with the increasingly valuable information stored online has resulted in a new array of threats and an increase in cybercrime. Prior to the 2008 RSA conference, Scott’s lead-up article “Creating a More Trusted Internet” highlighted that it has become increasingly clear that if cyber criminals remain anonymous and untraceable, there will be no meaningful accountability for online crime and little by way of deterrence. In the physical world, we have effective proactive measures (locks and keys, community watch, law enforcement patrols) and effective reactive measures (arrests and prosecutions). Many crimes are prevented, and many crimes are solved. But the Internet is different. Despite improvements in effective proactive.

If we want the Internet to reach its full potential, we need a safer, more trusted online environment. To that end, Microsoft and other companies continue to make progress on security and privacy issues. For six years, and as a result of our focus on Trustworthy Computing, Microsoft has made significant progress toward improving the security and privacy of our products and services. We embraced the Security Development Lifecycle, as well as defense in depth and threat mitigation technologies. Along with our industry partners, we continue to build a more secure, private and reliable computing experience. But Microsoft and the technology industry alone cannot create a trusted online experience. For that to happen, industry must not only band together but must work with customers, partners, governments and other important constituencies on a road map for taking Trustworthy Computing to the Internet.


The flipside of spam protection: Keeping your business out of blacklists

Written by Dan Blacharski on November 12, 2008

We do pay a lot of attention to filtering out spam, and rightly so. The vast majority of all email traffic is spam, and while some of it is merely annoying, some also contains dangerous malware in the form of attachments or links to malicious web sites. It drains bandwidth and saps productivity. Constant vigilance and strong protection are called for.

At the same time though, email has become a vital part of business, and a vital part of marketing and customer relations. Where does spam stop and valid email-based marketing begin? It’s not as clear as one might think. Some take the position that anything whatsoever related to a commercial product is spam, which is actually a bit shortsighted. Companies whose products you use, for example, may create a periodic email newsletter, to keep you and other customers informed of changes, updates, and industry information.


How to Protect Your Private Key

Written by Mike Rede on November 12, 2008

In the world of Certificate Authorities and digital signatures, there still exist questions about who gave CAs the authority to issue certificates. And although a certificate has been granted, how should we treat a private key that is suspected of not having come from the authorized owner?

In order for the digital signature trust relationships to work you have to be able to protect your private key. You could keep your private key in a digital safe or build a digital fortress around it. But how do you protect those passwords which allow entry past your digital sentries into your digital safe or digital fortress?

What if you keep your private key on a thumb drive or a smart card with memory? Then you have to protect against loss or theft of those devices. And if they are stolen, and someone is then able to locate and use your private key to send out malicious messages or even to promote illegal activities, how can you be protected?
