Block Javascript in Adobe Acrobat

January 22, 2012

Simple how-to instructions for blocking Javascript in Adobe Acrobat Reader in Windows, Linux, and Mac systems.

Reducing the attack surface in Adobe Reader is an important step in reducing malware attacks. The vast majority of PDFs do not contain Javascript, but JavaScript-embedded PDF files are a well-known method used to attempt to compromise end-user systems. This can occur in phishing scams where e-mail messages contain infected PDF files, or where links point to infected PDF files hosted on web sites.
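The risk described above comes from scripts carried inside the file itself, so it helps to be able to tell which PDFs contain them before they ever reach a reader. The following Python check is an added example, not part of the original post: it flags the PDF name objects that attach JavaScript (/JS, /JavaScript) and the automatic triggers that run it (/OpenAction, /AA), resolving #xx hex-escaped names and inflating FlateDecode streams where such dictionaries can hide; the sample PDFs are constructed, not real files.

```python
"""Flag PDFs that carry JavaScript actions (added example, not from the post).

Scans the raw bytes of a PDF, plus the plaintext of any stream zlib can
inflate (FlateDecode), for the PDF name objects that attach JavaScript
(/JS, /JavaScript) and the triggers that run it automatically
(/OpenAction, /AA). Names may be written with #xx hex escapes, e.g.
/J#53 for /JS, so they are normalised before matching.
"""
import re
import zlib

JS_NAMES = {b"/JS", b"/JavaScript"}          # carry the script itself
TRIGGER_NAMES = {b"/OpenAction", b"/AA"}     # run actions without a click

# A name runs from '/' to the next whitespace or delimiter character.
_NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# Stream data sits between the 'stream' keyword (+EOL) and 'endstream'.
_STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def normalise_name(raw: bytes) -> bytes:
    """Resolve #xx escapes so that /J#53 compares equal to /JS."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def inflate_streams(data: bytes) -> bytes:
    """Return the joined plaintext of every stream body that inflates."""
    out = []
    for m in _STREAM_RE.finditer(data):
        try:
            # decompressobj tolerates the EOL bytes left before 'endstream'.
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-encoded (or damaged); raw bytes are scanned anyway
    return b"\n".join(out)


def find_js_names(data: bytes) -> dict:
    """Count JavaScript and trigger names across raw bytes and inflated streams."""
    searchable = data + b"\n" + inflate_streams(data)
    hits = {}
    for m in _NAME_RE.finditer(searchable):
        name = normalise_name(m.group(0))
        if name in JS_NAMES or name in TRIGGER_NAMES:
            key = name.decode("ascii")
            hits[key] = hits.get(key, 0) + 1
    return hits


def has_javascript(data: bytes) -> bool:
    """True if a script-bearing name is present; a trigger alone is not enough."""
    hits = find_js_names(data)
    return "/JS" in hits or "/JavaScript" in hits


# Constructed sample: a one-page PDF whose catalog fires a script on open,
# with the /JS key hex-escaped as /J#53 to exercise the normalisation step.
SAMPLE_JS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /S /JavaScript /J#53 (app.alert('hello')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed sample: the same page tree with no actions at all.
SAMPLE_CLEAN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def make_compressed_sample() -> bytes:
    """Constructed sample: the action dictionary hidden inside a Flate stream.

    A real object stream also carries an offset table; it is omitted here
    because only the inflation path is being demonstrated.
    """
    body = zlib.compress(b"4 0 obj << /S /JavaScript /JS (app.alert('hello')) >> endobj")
    return (b"%PDF-1.5\n5 0 obj << /Filter /FlateDecode /Length "
            + str(len(body)).encode() + b" >>\nstream\n" + body
            + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    for label, pdf in (("open-action", SAMPLE_JS_PDF), ("clean", SAMPLE_CLEAN_PDF),
                       ("compressed", make_compressed_sample())):
        print(label, has_javascript(pdf), find_js_names(pdf))
```

Encrypted PDFs and streams using filters other than Flate are not inflated here, so a clean result from this check is a triage signal, not proof of absence; disabling JavaScript in the reader remains the control that actually removes the risk.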

[Screenshot: Adobe Reader on Mac]

Here is how to block Javascript in Adobe Acrobat 10 for Mac. Go to Acrobat > Preferences > Javascript and uncheck Enable Acrobat Javascript. Then click OK.

Similarly, in Adobe Reader X on Windows, go to Edit > Preferences > Javascript and uncheck Enable Acrobat Javascript, then click OK.

Likewise, for Adobe Reader 9 on Linux, go to File > Properties > Javascript and uncheck Enable Acrobat Javascript, then click OK.

[Screenshot: Adobe Reader on Windows]

[Screenshot: Adobe Reader on Linux]

Why Disaster Recovery Requires a Plan

January 7, 2012

Guest post from Casper Manes on behalf of IT Channel Insight

Whether you are a commercial pilot, an astronaut, a submarine weapons officer, or a Cylon, you know the importance of having a plan. There are certain tasks that, no matter how repetitious they may seem, are so important to get right the first time, and every time, that they have been boiled down to a checklist which any reasonably skilled and trained individual can walk through, step by step, in order, to accomplish the task. They are designed to be easy to follow, to spell out exactly what needs to be done, and the order in which it must be done, to get things going, and to require a minimum of creative thinking. Tasks are performed by rote, and verified each step of the way. That’s the perfect way to approach disaster recovery, and in this article we’ll discuss why you need a disaster recovery plan that is a little more detailed than “don’t panic!”

What is a disaster?

Let’s consider what, in business terms, can constitute a disaster. Sure, things like hurricanes and blizzards come to mind, perhaps even fires in the datacenter, but a disaster is more than just a weather phenomenon or catastrophic loss; it’s anything that significantly disrupts the normal operations of your business. If we limit ourselves to an IT perspective, that can include prolonged Internet outages, a severe flu epidemic that takes out half the staff, a virus that shuts down key servers, or a SAN failure. It can also include HVAC failures, power outages, or hardware failures on critical, but not redundant, systems. Anything that causes a significant and protracted impact to normal operations may be enough to declare a disaster situation, and require that you implement your recovery plan.

Disaster declared, now what?

In the best-case disaster, you have experienced a hardware failure that will eventually be corrected by the vendor. But while systems are down, your phone is ringing off the hook, you’re getting pinged on email and IM, and someone is probably sticking their head in your cube every 30 seconds asking if it’s fixed yet. In the worst types of disasters, you and your colleagues are probably more worried about your family and your own property than about the company’s, and that’s assuming all your team even made it into the office. Hurricanes, blizzards, and other region-impacting events can leave you with only a skeleton crew, and most of them are going to be worried about more than just how to get the website back online and email working. That’s why you want to work the plan.

By the numbers

Think back to how this article opened. When failure is not an option and there are countless distractions going on, you want people to have something to anchor themselves with, and to keep the need for creative thinking to a minimum. You also need to make sure that things are done in a certain order, and that nothing is missed, because most things have dependencies. A plan is the guide that your team will use to enable them to focus on specific and discrete tasks, without having to make it up as they go along. Make use of checklists; I mean actual paper documents on clipboards with check marks showing that each step is complete, so that:

a) If something distracts you, it is easy to pick up where you left off without missing anything;

b) You can hand off to someone else and they know exactly where to start;

c) Someone can audit that each step was done.

Paper checklists also have the distinct advantage of not relying on technology. I once saw an organization that kept all their DR procedures online, which looked great until they couldn’t get to them while the datacenter was down!

It’s a journey, not a destination

Disaster recovery planning is an ongoing process. Plans must be tested and revised as the company grows, new systems are brought into the environment, and old systems are deprecated. Real disasters don’t happen on schedule, so training must be thorough and testing must be performed to ensure that whoever is on the clock can handle the early steps of the process until more people can get online. Staffing changes will mean that this must happen frequently, and repeatedly. It’s just a part of the overall process, so accept it. And make sure that at least two people know how to perform any part of the disaster recovery plan, since you have no way to know in advance whether everyone will be able to make it into the office when a disaster strikes. Redundancy of equipment is no more important than redundancy of skillsets, and a single point of failure could be the one guy who can’t get into the office because the roads are closed.

This article was written by Casper Manes on behalf of IT Channel Insight, a site for MSPs and Channel partners where you can find other related articles on how to setup a disaster recovery plan.

What does a network scanner bring to the company?

September 30, 2011

Guest post from Emmanuel Carabott of GFI Software Ltd.

Whenever someone does research on the best methods to secure a company’s network, they are sure to come across articles recommending network scanners. But what value do network scanners really provide any organization?

Network scanners generally provide two distinct important functionalities – information gathering on the network they’re scanning and information on any security issues found on that network.

Information on the network

Administrators need to keep up with the constant changes made to the network. Some might see change management as unnecessary, but it is an essential part of keeping a network in excellent shape. There are various reasons why administrators would want to know what software and hardware is running on their network, but the main reasons are security and the need to make sure that the changes administrators make will not cause conflicts within the existing network infrastructure. When new software is installed, or updates are made to the existing installation through patching, certain configurations can make the system unusable (blue screens, for example) or unstable. To prevent this from happening, the administrator should keep a test environment which mirrors the network where these changes will be made, before they’re pushed onto the live server. If users install new software on their systems without notifying the administrator, the test environment will not match the current network, and therefore any pre-deployment tests will be inconclusive and not a true reflection of the current status.

Some hardware can pose a security risk to the network. It is imperative that administrators are immediately notified when a new device is connected to the network so that they can determine if there is a real risk to the company. The company’s security policy might specify that the administrator must be notified before any new hardware is connected to the network but that alone does not guarantee employee compliance. A network scanner, however, can periodically monitor the network for changes and notify the administrator as these happen.

Security issues on the network

A network scanner will also look for a number of security issues on the network it is scanning.

These generally include:

  • Vulnerabilities
  • Missing patches
  • Unwanted open ports

New vulnerabilities affecting the network can arise on a daily basis, often due to changes in configurations, new exploits being discovered, and because of new software being installed on the network. For these reasons alone, an administrator needs a network scanner that can monitor the network for any vulnerability on a regular basis.

Next on the list is patch management. Vendors continuously fix security issues in their software and then release patches for the end user to install. Keeping track manually of all patches released can be a daunting task, but a network scanner helps the administrator stay on top of the problem and apply any patches that are required.

Finally, there are applications that communicate over the internet, such as web servers, which keep ports open for others to connect to. Every open port is a potential security risk, because malicious persons will try to find exploits in these services. It is highly recommended that ports not in use be closed immediately. An administrator should be informed as soon as a new port is opened on a network machine. This usually happens when an employee has installed a new application or because of a malware infection. Since the network administrator cannot be everywhere or see everything happening on the network all the time, a network scanner is an essential tool.
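The point above is that the administrator should learn about a newly opened port as soon as it appears, which means comparing the current state against a known baseline rather than re-reading the whole port list by hand. The following Python script is an added example (not GFI’s code or the post’s): it parses the listening sockets reported by `ss -ltnp` on Linux into (address, port, process) tuples, diffs them against a baseline captured earlier, and singles out new listeners bound to non-loopback addresses; the ss output shown is constructed.

```python
"""Report newly opened listening ports against a saved baseline.

Added example, not from the post. Parses `ss -ltnp` output (Linux) into
Listener tuples and diffs a current snapshot against an earlier one, so
the administrator sees what opened, what closed, and which process owns
each new socket. The two snapshots below are constructed sample output.
"""
import re
from typing import NamedTuple


class Listener(NamedTuple):
    addr: str
    port: int
    proc: str   # process name from users:(("name",pid=..,fd=..)), or "?"


# 4th column is Local Address:Port; IPv6 addresses are bracketed, e.g. [::]:22.
_ADDR_PORT = re.compile(r"^(?P<addr>\*|\[[^\]]*\]|[^:]+):(?P<port>\d+|\*)$")
_PROC = re.compile(r'users:\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')
_LOOPBACK = {"127.0.0.1", "[::1]"}


def parse_ss(output: str) -> set:
    """Turn `ss -ltnp` text into a set of Listener tuples (header skipped)."""
    listeners = set()
    for line in output.splitlines():
        if not line.startswith("LISTEN"):
            continue                      # header or a non-listening socket
        cols = line.split()
        m = _ADDR_PORT.match(cols[3])
        if not m or m.group("port") == "*":
            continue
        pm = _PROC.search(line)
        proc = pm.group("name") if pm else "?"   # "?" when ss lacked -p rights
        listeners.add(Listener(m.group("addr"), int(m.group("port")), proc))
    return listeners


def diff_listeners(baseline: set, current: set) -> dict:
    """Split the change into ports that appeared and ports that vanished."""
    return {"opened": sorted(current - baseline),
            "closed": sorted(baseline - current)}


def needs_attention(opened: list) -> list:
    """New listeners reachable from the network, i.e. not bound to loopback."""
    return [l for l in opened if l.addr not in _LOOPBACK]


# Constructed baseline: what the host looked like when last reviewed.
BASELINE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=1040,fd=6))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
LISTEN 0      4096   127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=655,fd=7))
"""

# Constructed current snapshot: printing was removed and someone started a
# Python development server bound to every interface.
CURRENT_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=1040,fd=6))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
LISTEN 0      128    0.0.0.0:5000        0.0.0.0:*         users:(("python3",pid=2231,fd=5))
"""


if __name__ == "__main__":
    change = diff_listeners(parse_ss(BASELINE_SS), parse_ss(CURRENT_SS))
    for l in change["opened"]:
        print(f"OPENED  {l.addr}:{l.port} ({l.proc})")
    for l in change["closed"]:
        print(f"CLOSED  {l.addr}:{l.port} ({l.proc})")
    for l in needs_attention(change["opened"]):
        print(f"ALERT   network-reachable new listener {l.addr}:{l.port} ({l.proc})")
```

Run from cron with the previous snapshot saved to disk, this gives the periodic change notification the post describes for a single host; a network scanner does the same from the outside, without needing an agent on each machine.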

A network scanner is a very useful tool for administrators, making their lives a lot easier. Having a ‘virtual consultant’ is a much better option than having to check each and every machine manually.

Companies that use network scanners will save time and money, while administrators can focus on more important issues that require manual intervention. Why add more work when tasks can be automated using a network scanner?

This guest post was provided by Emmanuel Carabott on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Read more on the importance of using a network scanner.

All product and company names herein may be trademarks of their respective owners.

Demystifying UTM and NGF

July 15, 2011

You may be here to understand the difference between Unified Threat Management (UTM) and Next-Generation Firewalls (NGF).

Here’s the punch line: there really isn’t a difference. UTM and NGF are two marketing terms that have been developed to put a label on the advance of products designed to provide various protective capabilities. The two terms do represent a somewhat different point of view; let me explain.

UTM is the representation of products that began to combine previously-separate capabilities like anti-virus, anti-spam, web filtering, and so on. This was an answer to the fragmentation of different discrete products, each with its own small task.

NGF is the representation of firewall manufacturers who began to realize that they needed to incorporate many other types of threat-prevention capabilities into their firewalls, such as (you guessed it), anti-virus, anti-spam, web filtering, and so on.

UTM and NGF were different a few years ago, but as product makers from both ends filled in functionality, they met in a common middle where there’s no longer any practical difference.

  • sidebar from an upcoming book. Copyright (C) 2012 someone.

Threats

July 15, 2011

Threats.

Not just hypothetical ideas, but real: spam, malware, botnets, hackers, and organized crime. They want to own your systems, steal your data, and use your systems to attack tomorrow’s victims.

A generation ago, firewalls were enough for this. Today, alone, they hardly make a difference. Instead, a plethora of defenses is needed to repel the variety of attacks that bombard every corporate network more rapidly than the frenzied spattering of a Geiger counter next to a Chernobyl souvenir.

  • excerpt from an upcoming book (someone owns the copyright, but I can’t tell you who)

Healthy Skepticism Required When Using Online Storage

July 13, 2011

When online backup solutions such as box.net, idrive, and dropbox came on the scene, I was skeptical. Store my data on some service provider’s system? Only with caution.

When news of the dropbox scandal was made public, I was not surprised. The promise, “only a customer has access to their own data”, evaporated. Not that it was a promise that could ever be kept.

Recommendation: if you insist on storing your data on someone else’s system, encrypt it locally and store the encrypted data on the other system. That is the only way to truly guarantee that no one else can see your data.

Reference:

http://techcrunch.com/2011/06/20/dropbox-security-bug-made-passwords-optional-for-four-hours/

Classification of data center reliability

May 21, 2011

The Telecommunications Industry Association (TIA) released the TIA-942 Telecommunications Infrastructure Standards for Data Centers standard in 2005. The standard describes various aspects of data center design, including reliability. The standard describes four levels of reliability:

  • Tier I – Basic Reliability. Power and cooling distribution are in a single path. There may or may not be a raised floor, UPS, or generator. All maintenance requires downtime.
  • Tier II – Redundant Components. Power is in a single path; there may be redundant components for cooling. Includes raised floor, UPS, and generator. Most maintenance requires downtime.
  • Tier III – Concurrently Maintainable. Includes multiple power and cooling paths, but with only one path active. Includes sufficient capacity to carry the power and cooling load on one path while performing maintenance on the other path. Includes raised floor, UPS, and generator.
  • Tier IV – Fault Tolerant. Includes multiple active power and cooling distribution paths. Includes redundant components, including UPS and generator. Includes raised floor.
Excerpt from CISA All-In-One Study Guide, 2nd edition

Amidst the Growing Web, We Are Rushing Back to Client-Server Computing

May 13, 2011

In the early 1990s, client-server computing was all the rage. But it sucked, because networks were too slow and because updating client software was unreliable. Then the web happened, and soon applications were written for web browsers. It was a great time, for a while.

Client server is back, and it’s now – arguably – the dominant computing model today.

I’m talking about smartphones (iPhone/iPad, Android, Blackberry, etc) with their app stores.

Smartphones are outselling laptops. And while web surfing is popular among smartphone users, app stores are where it’s at.

Smartphone apps are the new client-server model. The protocols are better (POX – plain old XML) and more efficient, HTTPS for security, and bandwidth is better. The entire mechanism for updating smartphone apps is reliable, semi-automatic, bandwidth friendly, and easy to use.

I’m not knocking web browsers, really. They are great and getting better. But the differences between them are making the development of web applications that work across all of the web platforms and versions increasingly difficult. The web is great for lightweight application interaction, but it’s difficult to get it right in complex applications. Making web apps work across the popular browsers, versions, and OSs is not unlike the unenviable job Microsoft has of making Windows work on everyone’s Intel-based system. In the early days of the web, you wrote HTML and it worked everywhere. Not so any more. The bloom is off the rose.

So, what about app stores for laptops / desktops? Since app stores are accepted by smartphone users, it makes sense that we’ll see them on laptop and desktop operating systems (Windows, Mac, Linux). If you use OSX (Mac), it’s already here. Microsoft is late to the party. Again.

I believe we will see a resurgence of client-server computing in the form of app stores for all major computing platforms, and that serious business applications that were previously web based will be app-based. Just like in the old days, only better.

Taking a Wider View of Application Security

April 2, 2011

As a software developer, you have a lot to worry about when writing and testing your code. But if you faithfully use secure coding guidelines from the Open Web Application Security Project (OWASP), test your code with security tools, and conduct peer code reviews, then your application will be secure, giving you worry-free sleep at night.

Wrong.

OK, sorry about that. I put that trap there for you, but I didn’t really expect you to step into it. I want to help you expand your thinking about application security.

Read the rest of the article here (redirects to softwaremag.com).

Compliance risk, the risk management trump card

March 12, 2011

Organizations that perform risk management are generally aware of the laws, regulations, and standards they are required to follow. For instance, U.S. based banks, brokerages, and insurance companies are required to comply with GLBA (the Gramm Leach Bliley Act), and organizations that store, process, or transmit credit card numbers are required to comply with PCI-DSS (Payment Card Industry Data Security Standard).

GLBA, PCI-DSS, and other regulations often state in specific terms what controls are required in an organization’s IT systems. This brings to light the matter of compliance risk. Sometimes, the risk associated with a specific control (or lack of a control) may be rated as a low risk, either because the probability of a risk event is low, or because the impact of the event is low. However, if a given law, regulation, or standard requires that the control be enacted anyway, then the organization must consider the compliance risk. The risk of non-compliance may result in fines or other sanctions against the organization, which may (or may not) have consequences greater than the actual risk.

The end result of this is that organizations often implement specific security controls because they are required by laws, regulations, or standards – not because their risk analysis would otherwise compel them to.

Excerpt from CISA All-In-One Study Guide, second edition

Car hacking, the crime of the future

December 5, 2010

Several years ago, when Microsoft announced its intention to have its software installed in automobiles, my immediate gut reaction was: oh great, now we will have bug fixes, patches, crashes, reboots, updates, blue screens of death, and car hacking. Such has been the experience of millions of users of Windows software for decades – why would the user experience in cars be any better – or different? (And if it would be better, why are those improvements not yet present in desktop / laptop computers?)

Fast-forward to May 2010, when the New York Times ran an article that described the extent to which computer systems are at the heart of a modern automobile’s control systems. I am not talking about the navigation system here, but engine, brakes, lights, and other basic functions. A team of computer scientists from UCSD and UW demonstrated the ability to hack into a car and remotely control its basic functions, including starting, stopping, engine control, instruments, and steering.

Why hack a car

[Image: Hacked Instrument Display]

Your next question might be, why would someone wish to hack into someone’s car?  Some reasons include:

  • Theft. An intruder may wish to steal the car by hacking into its systems to disable the alarm, start the car, and maybe even remotely drive it for a short distance.
  • Fun. Immature but technically talented individuals may derive enjoyment from their ability to take over the controls of a running automobile in order to alarm its driver.
  • Harm. An individual or team may be intent on causing harm to the driver and/or passengers of a car by wrestling control of the car from the driver and causing the car and its occupants to crash.

The development of the Toyota loss-of-control matter has demonstrated to the public that automobile computer control systems are prone to malfunctions that can cause safety issues. Whether Toyota’s specific problems were proven to be related to onboard computer systems is irrelevant; the point is, that the crisis demonstrated that it is plausible that computer malfunctions can indeed result in potentially lethal safety issues.

Unsecure by design

The car hacking experiment conducted by UW and UCSD researchers was a proof-of-concept that was very time consuming to perform. The experiment proved that security controls installed in automobiles to prevent hacking are weak at best. Consistent with many other new technologies, computer systems in automobiles were designed with functionality in mind, and security given little or no consideration.

Easy to hack

Will car hacking always be difficult? Certainly not, and the Firesheep tool is proof of this. Soon (perhaps already a fact for some readers of this article) there will be tools available for novice computer users who will be able to select from an array of nearby vulnerable cars, and be able to easily take over control of the car’s instruments, engine, brakes, climate control, navigation system and, indeed, practically everything in the car. There will probably even be an iPad version of this tool for hip hackers.

Improvements needed

Toyota [allegedly] has proven that automobile electronics can fail all by themselves. UW and UCSD have also proven that automobile electronics have weak defenses. Firesheep has proven that easy-to-use hacking tools will quickly be developed and used. Automobile manufacturers need to adopt a secure-by-design principle in the development of all on-board electronic systems in order to minimize the threat of car hacking.

Hack-proof Miata

I think that I’ll stick with my 1991 Miata for the time being.

Social media safety during the holidays

November 23, 2010

The late-year holidays (Thanksgiving, Hanukkah, Christmas) are known for travel, visiting with friends and family, and gift giving and receiving. Any time of year is a time for sharing some details of our lives with others through social media outlets such as FaceBook, Twitter, MySpace, and personal blogs.

During this time of year, it is especially important that you protect yourself from online threats, some of which are caused by others, and some of which are caused by you! Follow these steps to keep your property and your online presence safe during the holidays:

Don’t announce your travel in advance. If you post something like, “leaving home for Philadelphia for five days”, you are announcing to the world that your home may be vacant for extended periods of time, inviting burglaries.  Make your posts more vague, such as “spending Christmas with brothers and parents”, which might be where you live, or not.

Don’t gloat about your gifts. Similarly, if you talk about your new Kinect, Wii, or iPad online, you may be sharing news of your loot with too many outsiders. Instead, be more discreet and share news about your new things more privately.

Limit FaceBook exposure. Check your privacy settings in FaceBook. Consider setting up one or more groups of family and friends, to limit how wide your announcements are sent. My wife and I have “immediate family”, “family”, and other groups of highly-trusted individuals with whom we may share things about travel, gifts, and other personal matters, so that the entire world doesn’t know that we might not be home at the moment.  Similarly, limit the FaceBook applications that you allow to access your personal data. Some FaceBook applications are malevolent and are designed to steal your information and use it against you.

Get a security tune-up. Follow easy steps to ensure that your anti-virus and firewall are working, and that your patches and browser are up to date. Do this before you shop online, to limit the chances that your credit cards will be compromised.

Secure your home Wi-Fi. Find the instructions to improve the security of your home router or Wi-Fi access point. Change from no security to WEP, or better yet, WPA. While WEP is not as secure these days, it’s better than nothing. WPA or WPA2 are far better, and most PCs (and even gaming consoles) support WPA and WPA2 these days.

Limit use of public Wi-Fi hotspots. From road warriors to housewives, we roam with our laptops from hotspot to hotspot at our favorite coffee shops and other public venues.  While it’s okay to check the news and get shopping information, it is not okay to check e-mail, log on to FaceBook or Twitter, or perform high-value activities such as online shopping from an open WiFi hotspot. Easy to use tools are widely available that permit even the unskilled to hijack your session and compromise your personal information.

Check your credit. U.S. consumers can check their credit three times per year for free (once per year for each of the three credit bureaus). Check your credit report carefully, looking for any accounts that you may not have opened, or for changes in accounts you may not have authorized.

Use a separate online shopping credit card. Rather than using your primary credit/debit card for online shopping, open a second account and use only that one. Keep a low balance to minimize your exposures.

Choose “credit” when using debit/credit cards. Whenever you are making purchases with your debit/credit card, choose “Credit”. Then, if your credit card number is later compromised, you may enjoy additional protection (such as the $50 liability limit) on your account. Many banks do not offer the same protection for compromised debit card numbers.

Preventing browser hijacking

October 16, 2010

Browser hijacking occurs when an intruder is able to successfully exploit a vulnerability in a user’s browser program.  When a browser is hijacked, the intruder is able to control how the browser operates. Examples include changing the default home page, as well as other settings.

Why is this a problem?

Some browser settings can cause all of the traffic between your browser and Internet web sites to be routed through the intruder’s system. This allows the intruder to follow your every move, and it may also allow the intruder to capture passwords you enter at sites such as online banking and e-mail.

Are you concerned yet?  You should be! If your browser has been hijacked, you could become a victim of fraud or identity theft.

Quick Fixes
(assumes you have a Windows computer)

  1. Turn on Automatic Updates. This will cause your system to automatically download and install all the latest security patches for Windows and Internet Explorer.
  2. Install Microsoft Security Essentials or other anti-virus program.  AVG has a very good free anti-virus program.
  3. Scan your computer for malware using your on-board anti-virus program.
  4. Scan your computer for malware using one of several good web-based anti-virus programs, such as: Panda, Symantec, Trend Micro.
  5. Turn on Windows Firewall.
  6. Update to the latest version of Internet Explorer, which has a better design and better security controls.
  7. If you don’t want to update Internet Explorer (or if you already have the latest), reset your IE settings.
  8. Manage and disable add-ons. A lot of browser hijacking is the result of add-ons.

Even after you do these things, you’ll still be running a combination of software that is vulnerable by design and requires constant vigilance. Read on.

Long-Term Fixes

If you are running Windows, I highly recommend you stop running Internet Explorer altogether. Use it ONLY for running Microsoft Update, online virus scans (from step 4 above – most require IE), and those occasional websites that do not render well in other browsers.

For greatest security when browsing on Windows, use Firefox with the NoScript and FlashBlock add-ons. This combination is the safest possible browsing when using Windows. You’ll still have to run anti-virus and automatic updates, though.

Paradigm Shift

Most people use Windows, but few people HAVE to. There are two excellent alternatives:

  • Linux. The “ubuntu” release of Linux is highly reliable, easy to use, and secure. If you have a good PC, you can download ubuntu, burn it onto a CD, and try it out on your own computer. If you really, really like it, you can install ubuntu Linux onto your computer and say goodbye to Windows forever. We have done this on two systems here. Linux runs so much faster on a PC than Windows that you will think you got a hardware upgrade!
  • Linux in a virtual machine. If you *have* to run Windows (because of that expensive software that runs only on Windows), then I recommend you download VirtualBox and install Linux as a guest. Then, do all of your Internet browsing from the Linux machine (running Firefox, NoScript, and FlashBlock as described earlier). You can run it in full screen mode, which is the next best thing to running Linux on your hardware. Another nice thing about this method is that if you do get malware on your Linux system, you can reset your Linux system back to an earlier state (I have never had this happen, but if I did mess something up in the Linux system, reverting to a recent snapshot is still a nice feature).
  • Mac OS. If your PC is not that great and you want to upgrade to new hardware, this is a great time to buy a Mac. While they may initially seem more expensive, you get excellent value and performance. On Mac OS, you can download Open Office, which is free and compatible with Microsoft Office. We have three Macs at home (a Mac Mini, a MacBook, and a MacBook Pro) and are totally satisfied with them. They are great computers.

Note regarding purchasing a Mac computer: do not get caught up in feature comparisons (e.g. a Windows system with a larger screen for less money than a Mac). A Windows system is still just a Windows system, vulnerable by design and more expensive in the long run when you consider all the time you have to spend to keep it secure / make it secure. These videos say it better than I can:

Showcase your cloud security knowledge with a CCSK cert

October 5, 2010

There are risks associated with the use of any new technology. Moving applications and data to the cloud has its economic benefits, but there are potential risks that organizations need to be aware of. Security professionals need to do their part and identify any risks associated with an organization’s desired move to the cloud, and manage those risks through the usual risk treatment.

To be effective, security professionals need to be acutely aware of the technologies involved, so that they may effectively identify and manage risk. Like so many specialties, there is now a certification available, Certified in Cloud Security Knowledge, or CCSK.  This certification is offered by the Cloud Security Alliance, the same organization that published its seminal Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 (PDF download).

Candidates who wish to earn the CCSK must take a 50 question, one hour exam as a test of their knowledge about cloud security. More information on earning the certificate is available here.

I’m back, after a year off

October 3, 2010

After teaching the UW Information Systems Security certification course for two years, completing CISSP For Dummies (3rd edition), CISA All-In-One Exam Guide and CISSP Guide to Security Essentials, I was burned out and needed a year off. I didn’t do any public speaking either, which means interrupting an eight year run speaking for SecureWorld Expo in Seattle and other cities. But, I needed time for my family and for me.

Earlier this year we purchased an RV and spent about 40 nights in it all over Washington State, including American River, Whidbey Island, Vasa Resort, Ames Lake, Alder Lake, Riffe Lake, and Kitsap Memorial State Park. We spent much of this time with good friends whose company we enjoy very much.

My wife and I went on several motorcycle rides, although none were overnight trips as I had hoped. Still, we were blessed with great weather and safe riding.

On one particularly nice weekend day, I took a very early morning ride up Mt. Rainier, arriving at Paradise Lodge at around 8am. There was practically no traffic on the way up the mountain – the entire two lane highway was mine.

After writing twenty-two books in ten years, my list of honey-do’s around the house was growing, and I got a lot of things done in this department.

We have also become parents – of four lovely society finches that are the offspring of a mating pair we purchased last year. We also have zebra finches, parakeets, quail, and an african weaver. None of these others have had chicks yet, but we’re still hopeful.

We also had an exchange student from the Czech Republic stay in our home for a year. She arrived in mid August 2009 and returned home in July 2010. This was a great experience for everyone. She was a member of our family and she participated in everything we all do together.

Today I completed the draft manuscript for a book on security technology that will be published in December or January. This was a short project that took just a few weeks.  Today I met with my literary agent to plan the next five years of my writing. My business manager and I are both quite excited about the next few years.

While I took the year off of bookwriting, I was still involved in some other things. I’m a member of the Cloud Security Alliance and contributed to its Security Guidance for Critical Areas of Focus in Cloud Computing V2.1, and am a member of the Cloud Security Alliance Certification Board. I also earned the CRISC (Certified in Risk, Information Security, and Control), a new certification offered by ISACA (Information Systems Audit and Control Association), which I’ve been a member of since 2002.

Certification and Experience: Putting the Cart Before the Horse

February 2, 2010

When I earned my CISSP in 2000, and my CISA in 2002, I desired to earn these certifications as a way of demonstrating the knowledge and experience that I had already accumulated. To me, these certifications are a visible symbol of my professional qualifications in the professional community.

In recent years, I have seen many people who do not have the knowledge or the experience, and they desire to earn these certifications so that they may be better qualified for positions where they can earn the knowledge and experience that these certifications require.

These people have it backwards. They are showing impatience: they want the positions that require experience, but they do not yet have it. They ask, now that I have my CISSP (or CISA or CISM), how can I now get security specialist, security manager, security auditor, or other positions? And they wonder why they have difficulty finding these jobs that require CISSP, CISA, or CISM certification.

What I believe they fail to understand is that they do not have the required experience.

The correct path for professional certification and experience is this: acquire the knowledge and the experience, and then earn the certification. This is the method expected by employers, professionals, and the organizations that develop and manage these certifications.

Would you go to a doctor who had his license to practice but did not yet have the required experience? Of course not, and likewise employers do not hire candidates based only on their certifications. Instead, employers hire based upon knowledge, experience, and particular skills.

I believe that many of these aspiring certification candidates are being led astray by training organizations who are implicitly (if not explicitly) fostering the expectation that one can earn a certification based on a short training course alone, as though it is a “shortcut” to positions with greater responsibility, expectations, and compensation.

To IT professionals who want to get ahead and earn certifications: good for you! I wish you well! However, do know that you need to accumulate years of work experience first – then earning those certifications will be relatively easy, and you will have greater satisfaction through knowing that you have rightfully earned your certification, not only because you were able to pass a certification exam, but also because you have the experience that goes with it.

CISA study group

CISM study group

CISSP study group

CRISC study group

How to opt out from advertising tracking cookies

January 16, 2010

The truth is, I’ve been irritated about tracking cookies for over ten years. Ever since I was an advisor on a corporate privacy project, I learned just how extensively our Internet browsing habits and patterns are being recorded. I don’t appreciate that kind of “over your shoulder” scrutiny and personally consider it an invasion of my privacy. The ad agencies defend their position of tracking cookies as their way of enriching my browsing experience. Whatever. I turn a blind eye to most ads anyway, but the idea of tracking where I go puts us on a slippery slope of Internet usage tracking that is not unlike what I believe occurs in communist China today.

Don’t misunderstand me. I don’t surf to sites I don’t want anyone to know about. While I am at work I am implicitly accountable to my employer for all of my usage of corporate owned assets – Internet access and personal computer included. And when I’m at home or on the road with my MacBook, I use OpenDNS that records where I go and blocks access to unwanted sites. My accountability partner is free to see those records on request.

Anyway, back to my main point – those tracking cookies. There is a way to opt out from nearly all of them. Before you spring into action, however, you will want to read this article all the way through, as there are several notes at the end.

If you have time to visit a lot of sites to opt out, go here to the World Privacy Forum and click on each link to opt out of each of the sites (there are, at last count, 46 of these):

http://www.worldprivacyforum.org/cookieoptout.html

I went through each link and opted out of each site. It took me about 15 minutes (I’m a fast typer and clicker). You’ll also want to go to Google to opt out from their advertising cookies as well (I don’t know why they are not listed on the World Privacy Forum opt out page):

http://www.google.com/privacy_ads.html

If you want to do this the quick way, go here to the Network Advertising Initiative to opt out from many ad agencies in one single action:

http://www.networkadvertising.org/managing/opt_out.asp

Notes

Whichever option above you choose, know this: you will need to perform this on each browser (that is, Internet Explorer, Firefox, Safari, and so on) on your computer. Your computer’s cookies are managed separately by each browser, so you’ll have to go through the above procedures for each one you use. I use primarily Firefox on my Mac systems, and I’ve opted out of all of the sites I could find. I’ll have to do this later with Safari (which I use only occasionally).

You will need to do this on each computer you use.

Turning off cookies?

You may be thinking, why not just turn off all cookies (or at least all tracking cookies) on your browser. Certainly that would block all tracking cookies, present and future. Sure. But you would also certainly hamper the functionality of many of the websites you visit, particularly those you log in to in order to use the site’s services. But if you are into extreme measures and a little experimentation, I invite you to turn off cookies and see how things go. I will bet, however, that you will soon be turning them back on so that the important sites you use will keep working the way you want.

References

World Privacy Forum (http://www.worldprivacyforum.org/)

Electronic Privacy Information Center (http://www.epic.org)

Connection? TSA Breach + airliner bomb attempt

December 25, 2009

This writer suspects a link between the 2009 breach of TSA airport security procedures and the Christmas Day 2009 bombing attack on a U.S. airliner.

Image Courtesy CNN

CNN and the other news agencies (New York Times, Washington Post) are covering the developing story of the Christmas Day airline bombing attempt by suspect Umar Farouk Abdulmutallab who is allegedly acting on behalf of Al Qaeda.

There has been no mention whatsoever of the recent breach of airport security procedures by TSA and the possible connection between that event and this airline bombing attempt.

The potential for a connection is obvious to me: could this suspect have boarded the plane, confident that the amounts of materials he was bringing on would be undetected? The TSA airport procedures breach provided details on screening procedures and screening capabilities, including the amounts of liquids and other agents that could be brought through airport security undetected.

It is thought that TSA is in the process of modifying and improving airport screening procedures and capabilities as a result of the procedures breach, but I believe that those changes will take time to implement. The only short term change in procedures that can be implemented right away is increased pat-downs and body scanning in order to try and detect unwanted substances that will evade detection by magnetometers.

If the suspect’s device had a minimal amount of metal, it would not have been detected by the airport magnetometers. Short of a random pat-down (possible anywhere) or an image scan (not likely in Africa in my opinion, where the suspect reportedly entered the airline security perimeter) to detect liquids or powders, security procedures are not terribly effective at detecting liquids carried by a person.

Time Magazine – Google Earth mystery solved

December 24, 2009

Time Magazine Google Earth mystery photo

Time Magazine recently ran a “Top Ten Everything” series of articles. One of the series is entitled “Top Ten Finds on Google Earth”.

Finding number three is an interesting array of geometric shapes within a rectangular area on the ground, shown here.

Time Magazine reports that this was found on a military base in England. Military officials called it a motorcycle range and are apparently not saying any more about it.

I immediately recognized the pattern.

It is the standard template used by the Motorcycle Safety Foundation for its rider training drills.  Various parts of the painted patterns are used to guide riders through different maneuvers that simulate different situations while riding on roads and highways.

The course shown in the Time Magazine article is the same layout as the course I took at Cheney Stadium’s parking lot a year ago, and also the same as the course used at the Church of the Nations in Tacoma. “On the ground” photos of an MSF training course with the same layout can be seen below.


E-mail security problems and the Canadian ISPs that are ignoring them

December 15, 2009

Over one year ago, days apart, I began to receive e-mail messages addressed to others. For weeks I worked diligently to try and put a stop to it. My requests fell on deaf ears. I receive regular reminders that it is happening still.

I began to receive many (or all) e-mail messages addressed to someone named Sandy, who lives in Ontario Province, Canada. The domain name is Eastlink.ca, a broadband access provider.  It didn’t take long to figure out that I was receiving all of Sandy’s e-mail. I wrote to Sandy, suggesting she complain to her ISP. And of course I also received a copy of the message in my own inbox. I wrote to Sandy a couple of times and never heard from her. I guess she doesn’t care – or maybe she did not receive them.  I also complained to Eastlink.ca, and heard nothing from them.

I also receive all of Brian’s e-mail, and his ISP is ica.net, another broadband access provider in eastern Canada. I complained to ica.net, several times, and never received a response. I wrote to Brian also, and he responded and suggested I change my e-mail address. As if!

I also receive messages to someone at charter.net, but this user’s e-mail address does not indicate their name. I wrote to them and to Charter.net – you guessed it: no response.

Soon after this began, I wrote inbox rules to immediately delete all e-mail messages addressed *to* these user accounts that ended up in my inbox.  Now and then I look in my Trash Bin (where deleted e-mails go), and sure enough, there are still scores of e-mail messages: thank you’s for online merchant orders, FaceBook invites, e-cards, and personal correspondence.  I don’t read these messages.

Some of these messages still come to my inbox – this includes messages where the recipient is in the BCC (blind carbon copy) list. My inbox rules don’t know how to respond to these.
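As an added example (not the post’s own inbox rules), here is a small header-based classifier in Python that shows why a rule matching on To/Cc never sees a BCC’d recipient, and what a best-effort fallback on the envelope headers (Delivered-To and the “for <addr>” clause of Received) looks like. All addresses and sample messages are constructed placeholders, not the real ones from the post.

```python
import email
import re
from email import policy
from email.utils import getaddresses

# Constructed placeholders: the author's mailbox and the three misdirected accounts.
MY_ADDRESSES = {"me@example.com"}
MISDIRECTED = {"sandy@eastlink.ca", "brian@ica.net", "someone@charter.net"}

def visible_recipients(msg):
    """Addresses in To/Cc, the only ones a simple inbox rule can match on."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.lower() for _, addr in pairs if addr}

def envelope_recipient_hints(msg):
    """Envelope recipients hinted by Delivered-To and the 'for <addr>' clause of
    Received headers; these are added by MTAs and can name a BCC'd recipient."""
    hints = {v.strip().lower() for v in msg.get_all("Delivered-To", [])}
    for v in msg.get_all("Received", []):
        m = re.search(r"\bfor\s+<?([^>\s;]+)>?", v)
        if m:
            hints.add(m.group(1).lower())
    return hints

def classify(raw):
    """Say how a message reached this inbox, judging from its headers alone."""
    msg = email.message_from_string(raw, policy=policy.default)
    vis = visible_recipients(msg)
    if vis & MISDIRECTED:
        return "misdirected (visible To/Cc)"
    if vis & MY_ADDRESSES:
        return "mine"
    if envelope_recipient_hints(msg) & MISDIRECTED:
        return "misdirected (BCC, found via envelope headers)"
    return "unknown recipient"

# Constructed sample messages, not real mail from the post.
MSG_VISIBLE = """Delivered-To: me@example.com
From: orders@shop.example
To: Sandy <sandy@eastlink.ca>
Subject: Thank you for your order

Your order has shipped.
"""
MSG_BCC = """Delivered-To: me@example.com
Received: from webmail.ecard.example ([192.0.2.20]) by smtp.ica.net
 with ESMTP id abc123 for <brian@ica.net>; Tue, 15 Dec 2009 09:00:00 -0500
From: cards@ecard.example
To: cards@ecard.example
Subject: You have an e-card

Someone sent you an e-card.
"""
```

Call classify() on a raw message; MSG_BCC is only recognised through the Received clause, which is exactly the case a To/Cc rule misses.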

I wish this would stop. I’m going to write to ica.net, Charter.net, and eastlink.ca again, but I’m not expecting any response, not to mention action.

I cannot imagine that this is happening only to me. If some malevolent (or even accidental) action is behind this, then chances are that hundreds or thousands of other users’ e-mail messages are also being forwarded without their permission.

This also makes me wonder if this is happening to MY incoming e-mail: could some other user out there be receiving messages sent to me?  I sure don’t relish that idea: sometimes I receive “reset your password by clicking on this URL” messages. What if someone else receives these and decides to click the one-time link before I do? Some online account of mine could be compromised as a result.

I’m also worried about my own liability in this matter.  I’m receiving e-mail messages that are supposed to be sent to others. I don’t want them, I don’t read them, and I delete them when I see them. But what if I receive messages containing personal medical information, for instance?

There are several possible causes for this inadvertent e-mail forwarding:

  • Malware, tampering, or compromise of an ISP e-mail server.
  • Compromise of individual users’ e-mail accounts, where an attacker inserts rules to forward mail to me (and maybe others).
  • Malware or compromise on individual users’ computers; this may be true if users use workstation-based e-mail software such as Outlook, Outlook Express, or Thunderbird.

There may be other potential causes, but I cannot think of any more.

If malware or a human intruder were behind this, what is their gain? What is the benefit for an intruder if someone’s e-mail is forwarded to someone who lives 3,000 miles away?  If the intent is to harm someone, who does it harm? If the intent is to harm the individuals whose e-mail messages are being forwarded to me, then I can think of several more malicious ways to harm them.  If the intent is to harm me, I don’t see how this harms me.
