Addressing the Canny Investor

It is a well-known fact that in the Internet-connected world network perimeter vulnerabilities do exist that allow unauthorized individuals access to networks and provide the ability to disrupt business continuance. Well-prepared companies do know about many of these vulnerabilities and they correct them whenever appropriate. However, there are a large number of new, as well as older vulnerabilities that the average company is just not aware of. If these vulnerabilities are known, companies usually, and I emphasize usually, allocate resources to them. Unfortunately, too many companies either do not have the resources to track such security-related matters or do not have the trained internal personnel to allocate towards identifying and remediating the vulnerabilities. Obviously knowing about or being able to detect the vulnerabilities is half the battle, but not acting on the known issues for any reason is almost a guarantee to lose the battle.

An alarming fact is that many companies do not prioritize information security because it does not generate revenue for the company. However, as we have seen in the headlines and trade journals, the lack of a proper security program can and does affect the bottom line. Some organizations are now investing larger budget dollars and resources into information security, and they’re starting by assessing their present level of risk with an audit. If your company relies on the Internet and was one of vast number that missed the vulnerability used by the Code Red virus, you know how the lack of an active security program can affect the bottom line. In addition to unknown vulnerabilities, there are many stories of technicians performing routine network maintenance and unintentionally leaving credit card database or other proprietary information open for would be hackers. Finding the vulnerabilities in your environment is vital to the success of your security program, but knowing how to prioritize and perform proper remediation is often impossible without properly trained personnel. Lets concentrate on the value of the audit process and deliverables for a moment.

Whenever we think of audits, the first thing that comes to mind is the financially related IRS visit. They are looking for holes in the integrity of income and expense reporting for individuals and companies. These audits are required because if the system, in this case the tax system, has enough vulnerabilities, then the whole system fails. The audit acts as the police to either deter the vulnerabilities or find them so they can be eventually removed. Removing vulnerabilities in your information network is just as key, but can you find them, which are important, and how do you remove them efficiently. Much like the IRS audits, finding information network security vulnerabilities requires a trained professional. Most commonly, the security professionals trained in auditing are full time in-house employees of only the largest companies. For the majority of companies who want thorough periodic audits, this requires the use of outside security experts as the most cost-effective choice. Outsourcing to security professionals offers many advantages over in-house testing, such as having a team of experts dedicated to current security matters, armed with proven best practices or entire methodologies, and equipped with a suite of security auditing products instead of a single commercial tool.

Companies must also consider the value of the audits deliverables/results. Deliverables must not only detail all of the current vulnerabilities, but also prioritize what issues are important, document proven methodologies for remediating the vulnerabilities, and provide cost-effective methods to mitigate the risk. The majority of companies cannot afford to maintain the staff and application software necessary to conduct an audit at this level. Even those companies that do have such a significant security budget often use an outsourced firm to validate their own efforts.

Some additional benefits of a professional outsourced audit are: recording an objective baseline and changes on a periodic basis, having a trusted security partner to turn to as issues arise, and the ability to meet industry requirements for objective third-party auditing. For those companies outsourcing audits as a secondary check, it also assists in justifying security budgets, by validating the current security-related expenditures.

Although it was mentioned that companies are sometimes challenged with prioritizing security matters, based on our own experience there is a trend with technology executives, to place a higher priority on network security. The newfound emphasis applies to both internal and external audits and really comes into play with those companies that have a great reliance on the Internet and business continuance.

Finding all of your vulnerabilities is increasingly difficult without a full suite of auditing tools, but remember, finding the vulnerabilities is only half the battle. In order for audit deliverables to be truly effective they have to include professional feedback on what issues are important, remediation efforts detailed and prioritized, as well as describe how all of the effort and expense will affect the level of risk.

If you feel your systems environment could pass a security audit, but haven ‘t had one, our experience shows you might be surprised by a failing grade. If you have had an audit and the vulnerabilities were exposed, hopefully you have an action plan you are utilizing to eliminate the vulnerabilities. Once the action plans are complete, you might consider outsourcing your next audit to validate your efforts.

Comments Off

If you’ve been on the internet for any length of time, you’ve collected about a zillion accounts and their associated passwords. Personally, I have over 500 different active accounts all over the web and probably a thousand more inactive or unused accounts.

Most people don’t have anywhere near that number, but I’ll bet you have at least a couple of dozen. Let’s see, you’ve probably got an account at your bank’s website, a few credit cards, egroups, perhaps a few webrings, your ISP, email, hotmail, perhaps AOL, and a few others that you don’t use as often.

If you are like most people, you cannot even come close to remembering it all. In fact, a lot of people simply create the same account name and password everywhere … and that’s extremely dangerous.

Let’s say a hacker figures out your AOL account and password. If every other account that you own has the same username and password … well, you get the idea. Now all he has to do is figure out where you have accounts … but he could just try it at a number of say, banking sites or credit card sites, and perhaps he will get lucky. You may make it even easier for him by mentioning your sites in your AOL emails or on your web site.

So how do you protect yourself? First, make sure your passwords are all different. Don’t use the same password on all of your accounts … and try and use a few different usernames if you can.

Next, be sure and choose some password that are not so easy to guess. Avoid names (husband, wife, kids, cats and so on), social security and phone numbers, addresses and anything else that someone could figure out if they knew anything about you.

Also avoid some common words. Did you know that the most common password is simply “password”. “God” is also common, especially amoung system managers. Avoid common words such as these.

All right! Now you’ve got all of your 30 or so accounts set up with different account names and different difficult-to-guess passwords. How are you going to remember them all?

Rule number one is be prepared for disaster. Write down all of your usernames and passwords in a notebook (yes, on paper). No, really. You need to do this because computers sometimes die, and when they do it’s at the worst possible time. You may not even have a backup, and if you loose all of your passwords you could lose a lot.

Keep this notebook safe, perhaps locked in a drawer. It’s probably a good idea to keep a copy in your safe deposit box - so someone can get to your accounts after you die, perhaps, or if you are in the hospital or something else happens.

Now keep a computer record also, which you will maintain more up-to-date. I like using a program called Password Tracker, although you could just as easily use Excel or even notepad. The idea is to record all of your account information as you create or change it. Password Tracker is great because it also gives you tools to enter the data for you.

A product to avoid is Gator (I use both Password Tracker). This program is handy for saving passwords and filling in forms, but it is spyware and transmits details of your surfing habits to a corporate database.

Be sure and keep backups of the Password Tracker database … believe me, you don’t want to lose this information if you can avoid it.

By the way, I’ve learned to avoid the automatic account and password features of Internet Explorer. Why? Because there is no way to save, print out or get to the information. Thus, if the computer dies I lose my passwords with no way to recover. I don’t use Netscape much, but I would guess the same thing applies.

To conclude, use different account names and passwords for your various web sites. Record them on paper and store that somewhere safe. In addition, you can use programs link Excel, Gator and Password Tracker to save all of this information for you. Finally, and very importantly, be very prepared for disaster.

Comments Off

Some time ago, I was one of the most prolific contributors to one of the most popular newsgroups on Usenet. The newsgroup’s purpose was to provide fraudulently-obtained, but valid, passwords for websites.

The process there is fairly straightforward: someone posts the web site address of a site that they want (free and illegal) access to. Several group members with colorful nicknames then “run” the site. If a valid username/password is found, it is emailed to the requestor, who in turn publicly heaps praise on the grantor, thus inflating his or her ego. My colorful nickname was “PassBandit”.

Here are some tips to ensure that your account is not the weak account that the other “PassBandit”s of the world compromise:

1. The password is more important than the username. Do not assume that because you have an unusual username (including e-mail addresses), you can choose a simple password.

2. Make your reminder question tough and unique — something such as “What was my first pet’s name?”.

3. Do not use your username as the password. Similarly, do not use a password that “fits” with the username. The may be cute, clever, and easy to remember, but username:password combinations such as intel:inside, moody:blues, hewlett:packard, or foghorn:leghorn will be compromised very quickly.

4. Make every password AT LEAST 6 characters long.

5. Use a mix of upper- and lowercase letters, and numbers — and, if allowed, include symbols, i.e., “Hammer*shreW” or “booKbuicK-720″. The more variety your password contains, the less likely that it will be guessed.

6. Do not use a single word as your entire password. At several hundred guesses per second, my software could (and often did) go through entire unabridged dictionary files, many megabytes in size, and in several languages in no time. Combine two unrelated words, such as bookbuick or hammershrew.

7. Change your password frequently if the site gives you that option.

8. Do not use the same username/password combination at multiple sites.

I’ve grown out of “PassBandit”, and it no longer holds a thrill for me. Instead, I’ve hopped the fence and teach loss prevention topics. But there are thousands of “PassBandit”s out there looking to get your into your website stash. Don’t make it easy for them.

Comments Off

As you know, this time the virus under the name Sobig.F has wreaked quite havoc! No doubt, many of us have suffered from this recent virus outbreak. According to an online poll conducted by CNN: 32% of respondents were infected with this malicious virus. At the pick, each of every 17 emails contained sobig.F! Internet service provider AOL says it scanned 40.5 million emails and found the virus in more than half of them. Sobig accounted for 98 percent of all viruses found in these emails. What is Sobig.F virus? This is a worm type of virus. Which means it is an executable program that installs enhancement to your Windows operating system. The ?F? implies that it is the sixth of the family of Sobig viruses. The first one was launched in the beginning of this year. The latest attack was started on August 19. According to some experts, Sobig.F was first posted to a porn Usenet group and spread from there. It is timed to deactivate itself on September 10. The pre-built deactivation mechanism itself is a worrisome factor. Most experts think this means there are more to come! How it works?

Sobig.F comes along with an email with subject headers like Your details, Thank you!, Re: Thank you!, Re: Details, Re: Re: My details, Re: Approved, Re: Your application, Re: Wicked screensaver or Re: That movie. The body of the message is quite short and usually contains either “See the attached file for details” or “Please see the attached file for details.” Once the file is opened, Sobig.F resends itself using a built-in mailing program to e-mail addresses from the infected computer. As a sender is address it shows one of the e-mails randomly selected from the computer’s address book. The worm was also supposed to attempt to retrieve an URL from a predetermined list of 20 master servers on a certain date and time. The content of that URL was to be downloaded and executed on the infected machines. Luckily those servers were identified right away and shut down. How to protect yourself against it? If your computer is infected or you have doubts, first thing you should do is: to check and clean up your computer from this virus. Although, it is set to deactivate on September 10, which means it will no longer multiply itself, however, left untouched, it might attempt to update itself, once the newer version of the virus comes out. Suggestion One:

1. If you do not have latest version of anti-viruses installed, go to the Symantec?s following page: http://www.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html,

2. Down load the Sobig.F removal tool for completely free of charge. 3. Install and run it by strictly following the steps described on the page.

Suggestion Two: Download the latest security patches for your version of Windows and install them.

Suggestion Three: If you are using Microsoft Outlook, follow the steps below to stop them appearing in your inbox: - Open Outlook - Click on ?Tools? from main menu - Choose Rules Wizard from the drop down menu - On the page ?Apply changes to this folder?: Click on ?New? - Select ?Start creating a rule from Templates? - Choose ?Move messages based on content? - Click on ? specific words? link from the box at the bottom - A small window will appear, add each and every phrase scrupulously from the list below: Re: Thank you! Thank you! Your details Re: Details Re: Re: My details Re: Approved Re: Your application Re: Wicked screensaver Re: That movie And your_document.pif document_all.pif thank_you.pif your_details.pif details.pif document_9446.pif application.pif wicked_scr.scr movie0045.pif - Once finished click on ?OK? to close the window. - Click on the link ?specified? at the same box - Open a new folder by clicking on the ?New? button under the name ?Virus Spam? - Click on ?OK? - Click on ?Finish? - From now on all emails with the above mentioned phrases and attachments will be moved to the ?Virus Spam? folder. - All you have to do is delete the emails, which will appear there. A few more cautions: Don?t open any executable attachment in an email, unless you are hundred percent sure that this is a legitimate file that you have been expecting. Install an anti-virus program and update it on time, at the end, this might be the best possible solution to protect ourselves from these ugly online creatures!

Comments Off

Mobile Adult Entertainment market grows. The value of mobile adult content is expected to rise by more than 50 per cent to $990m in 2005, according to a report from Juniper Research. Is it really going to happen this way? Lack of quality mobile sites (for WAP and I-Mode) is seen with naked eye.

On the other hand, adult services have proven to be a constant driver of new technologies adoption over the last decades. Mobile services are now being introduced to the mobile platform via text, voice, images and video.

Among the top visited sites on mobile adult entertainment is SEXOBILE.COM - the world famous mobile adult photo search engine. Patent pending SEXOBILE search engine allows its visitors to search millions thumbnails directly from their mobile phone. This site also demonstrates sophisticated blend of new technologies used to deliver quality services to mobile users.

With new technologies at SEXOBILE.COM mobile users are able to search and view millions image thumbnails found on the web using their mobile phone. Site automatically tailors images to appropriate phone model for best view. “Our visitors never get the same thumbnails whenever they visit us because our system is updated constantly. Price for using our mobile technology is very attractive. This is a unique offer for mobile users.” - said Richard Snook, General Manager of SEXOBILE.COM.

Today famous mobile adult entertainment site has launched affiliate partnership program for mobile phones. The program is oriented for adult webmasters and owners of mobile sites. This program allows all webmasters and wapmasters to earn money from selling mobile technology on their WAP/I-Mode or Web sites and receive commission for verified sales. “We offer commissions for purchases made by mobile visitors from more than 15 countries including UK, Finland, and USA!” - said John Gosh, Affiliate Manager of SEXOBILE.COM.

Those interested in learning more about SEXOBILE.COM, its services and affiliate program can visit http://www.sexobile.com

Comments Off

Alarm System Window Screens- Window screens are the ultimate perimeter device. The windows in your home look as if they have normal screens on them, however the actual screen mesh is an alarm circuit. The frame also has a contact point in it, so the screen can’t be cut or removed without violating the system if it is armed. The window can be opened for ventilation and protected at the same time. Now that’s a great perimeter device!

(INSIDE SCOOP!)
Have your screens put on a 24- hour zone. (always on even if the system is off) You will not be able to bypass your always on zones from your keypad. You will need to call in with your password when you remove them for cleaning.

Screens are very expensive, (often $125.00 to $200.00 each) for each opening, but you don’t have to do every window. You can do one on each side of the house or in the master bedroom only if you like the concept of ventilating the house with fresh air while your system is armed. More importantly think about putting one in your children’s rooms if you can afford it. The peace of mind you will get from having your most precious concern protected will be well worth the expense.

Some alarm companies will measure your windows and create a brand new screen. More often they will mark your existing screens as to which window they came from and bring them with them to be re-built. This assures a correct fit and saves a step so that you will save time and hopefully money. Screens come in different frame and mesh shades and colors so be sure to review this with your security consultant when you order them.

Screens take some time to have built. Alarm companies will often wait for them to be returned to them before scheduling your install. Be advised that the screens may slow your install start time down by a couple of weeks. If your alarm company is willing to install the rest of your system, and return at a later date with your screens I would do just that. Could you imagine how hard you would be on yourself if you were burglarized while you were waiting for your screens to be built and an alarm to be installed?

(INSIDE SCOOP!)
Hold back a substantial portion of your screen money until the screens are installed. No matter how noble your alarm company’s practices are, nothing seems to put a spring in a for profit company’s step, like money.

When I think of protecting your window with a screen in the same room that is protected by a glass break detector, while a motion detector looks on at the whole thing, I think of an elderly gentleman who wears a belt along with his suspenders. It is not a bad idea to overlap your security layers, but you still want to be aware of where to draw the line. A cunning salesperson can run the register up in a New York minute if you’re not on the studious prowl for redundancies.

Matthew Francis Alarms@expertsknow.com

22 year veteran of the alarm industry
Installer, salesman, licensed alarm company owner, monitoring station designer, promotions and marketing director with one of the worlds largest security dealers. He now works as a consumer advocate, teaching consumers how to buy or get systems for free (without being taken). He is committed to being unbiased.
His web site is http://www.expertsknow.com

Comments Off

For the average homeowner it may not seem necessary to
worry about having spy gadgets. However, there are three spy
gadgets that can serve to help you better protect your family
and your home. These gadgets are indispensable, and they allow
you to know what is going on inside your home, as well as what
your family is up to. You can monitor the safety of your
children and protect your property when you make use three
pieces of spy electronics. Surveillance cameras. Protect your
home inside and out with surveillance cameras. They may not seem
like spy gadgets per se, but they really are. Innocuous objects
in your home, such as clocks or pictures, can hide cameras that
can watch to make sure sitters are treating the kids well, help
you be aware of whether your kids are having parties while you
are away, and keep an eye on valuables so that you can protect
them from people with access to your home. Outdoor cameras allow
you to capture people who come near your home, allowing you to
identify vandals and thieves. GPS tracking system. Spy gadgets
in the form of GPS trackers are immensely useful. You can keep
them in cars so that if you know where your kids are driving.
They are also helpful in the event of your car being stolen. You
are much more likely to recover the vehicle if you can track
where it is. And today there are GPS tracking systems that are
small enough to be carried on a person. They even come in cell
phones. Know that your kids are where they should be (and safe)
with trackers. Listening devices. These are especially necessary
if you are afraid that someone may try to take advantage of a
conversation you have had. Recording your own conversations with
the help of covert listening devices can help you protect
yourself. Additionally, if you have these devices in the form of
phone taps and cell phone bugs, you can keep tabs on teenager
conversations that might tip you off to unsafe behavior. Devices
planted around the house can provide useful audio to go with the
visual images from your hidden cameras. These spy gadgets are
quite useful for any home owner. (c) 2005 Copyright
www.spyassociates.com. This article is about: Spy Gadgets.

Comments Off

Hurricane Katrina, one of the most powerful hurricanes in our nations history, Hurricane Wilma and Hurricane Rita’s left behind catastrophic damage. Families were displaced, homes destroyed, and now comes the task of trying to put the puzzle together. This task remains difficult even today. For those who aren’t in the effected areas, you have no idea how hard the day-to-day struggles are. You long for life to return to normal, but everyday brings new challenges of the devastation caused by these disasters. And it’s not just hurricanes that can cause this damage. The mideast recently got hit with record number of tornados, over 100 in one day. The nation has experienced floods, mudslides, wildfires, and then the constant threat of a pending terrorist attack. Are you ready?

Diana Ennen, co-author of Home Office Recovery Plan: The Disaster Preparedness Guide for Your Home Business, was hit by 8 hurricanes since last August. Hurricane Wilma left catastrophic damage in her city of Margate and her home suffered tremendous damage. Without power for two weeks and facing the stress of trying to run a family and business, she advises, “Being prepared for a hurricane or any natural disaster takes away the stress and anxiety. When timing is critical, I want to focus on the safety of my family, not on taking an inventory of my business, or deciding where I need to go. I also need to know that my family members will know how to find me after the disaster.”

Dr. Paulo J. Reyes, a First Responder in California and author of the fiction thriller Sledgehammer has firsthand disaster recovery experience and participated in various disaster relief efforts in California including the Air Mexicana crash in 1986, the last major earthquake in L.A. in 1994, and the influenza epidemic 1997-1998. He advised, “Loss of lives can be greatly reduced if everyone has a complete plan of action prior to the event. Not only with the reduction of heart attacks and stress related illnesses, but people tend to get to safety quicker if they have already planned ahead and know what they are going to do.”

Here are some steps you can take to prepare:

Step One — If you do not already have flood and windstorm insurance, you should consider getting it. Keep in mind that windstorm insurance policies are not sold when a storm threatens, so you need to think far enough ahead. You can find out about the National Flood Insurance Program through your local insurance agent or emergency management office. Homeowners polices do not cover damage from the flooding that accompanies a hurricane. Find out everything you can about your coverage now. Ask questions. You need to know this information now, before it’s too late and you discover you aren’t covered when you thought you were.

Step Two - Identify a safe place for everyone to meet. This pre-determined place should be discussed with family members prior to an emergency. Depending on the type of emergency you are planning, you might want to consider establishing a second location in case the first is inaccessible. Tell out-of-state family members where this meeting place is.

Step Three - Have a safe place in the home that you can go. During Hurricane Wilma we found firsthand how critical this was. One room of our house was badly damaged and winds of 110 mps were blowing through. Under the extreme stress we faced at that time, our pre-planning allowed us to be safe and secure in a room with no windows and all the essentials we needed. With the kids screaming, I knew at the time that I had done everything I could to ensure the safety of my family. That advance planning is priceless.

Step Four - In addition to a safe place, each person should have a list of phone numbers for your immediate neighbors and family members not living with you. We suggest using 3X5 index cards and laminating them. If my family were to be displaced, I want relatives and friends to be able to contact them immediately.

Step Five — For businesses - You should have client contact phone numbers and email addresses in a safe place so that you can notify them immediately of the situation. Also, prepare a disaster recovery plan and have someone you trust keep a copy of it. This should include vital information including medical information, family and friend’s names, your complete contact information, where valuable information such as wills and trusts and legal documents are kept, serial numbers for equipment and names of equipment and household and business supplies, and a disaster escape route in the event you need to evacuate. Make sure you have back-up all data and keep off site. This would be beneficial even if you home suffered a theft. Get a generator if possible. If you are without power, that can greatly affect the livelihood of your business.

To prepare your home and business now is the time to write a Disaster Recovery Plan. Prepare now for the peace of mind that comes with knowing you’ve done everything you can to protect your home and business.

***
Diana Ennen is the author of numerous books including Virtual Assistant -The Series: Become a Highly Successful, Sought After VA, Words From Home, Start, Run and Profit from a Home-Based Word Processing Business and the Home Office Recovery Plan (http://www.virtualwordpublishing.com). She also is the publisher of the science fiction thriller, Sledgehammer, http://www.pauloreyes.com

Free to reprint article as long as author’s bio remains intact.

Comments Off

Two Whales

“Two whales” are two basic ways of fighting against spyware/malware/adware. In this short article we will tell you about the “two whales” of mankind’s confrontation with the misfortune called “spyware”. So, from this point on, talking about spyware/malware/adware we will mean software which is installed (launched) at a user’s computer without the user’s knowledge, impedes their work and of which the user certainly wants to rid themselves to return to their normal full life.

Whale One - protecting the territory

The first thing you need is to prevent the enemy from getting to you territory. To locate it just when it crosses your border and to destroy it. To understand how to do this, it’s necessary to learn all paths that the enemy can use to cross the border and set there your traps. This method of protection is called Real-Time Protection (sometimes you can also come across the term IDS - Intrusion Detection Software). Many producers of anti-spyware build real-time protection mechanisms into their products to a greater or lesser extent. Such a mechanism tracks key settings of the operating system and informs the user of any attempt to modify them (Arovax Shield is one of such products). Then the user decides if the modification should be allowed or denied. However, there is one big drawback. Not only spyware applications change these settings but normal programs also do. If the software producer uses a signature base and blocks only what is known to them, they risk letting through a new, unknown enemy. If the software blocks all modifications (like Arovax Shield does), then the right to decide is passed to the user, but not all the users deeply understand all system settings (and besides, they do not have to). Probably, the best solution would be a combined mechanism. At the moment when the system is modified, you not only issue a notification to the user but also indicate if the corresponding spyware is found in the signatures base.

Whale Two - cleaning the territory

This is like a cold war. Both parties are constantly increasing their military potential. Producers of anti-spyware software are improving their fight methods while producers of spyware are looking for new insidious ways to get in the user’s PC and dig in deeply. And it’s not always that the formers outdo the latters. And when the first frontier is broken and the enemy crossed the border, the Weapon Number Two appears on the scene - a spyware remover. Remover (or Cleaner) is the program which will help to remove already installed spyware. First of all, it includes a reliable scanner which will scan the user’s computer, detect saboteurs (the installed spyware) and eradicate them. The most important thing at this stage is a good spyware base. The more signatures it includes, the more the possibility to detect the enemy.

Here are the mandatory components of such a product:

* Scanner which performs the PC scan and spyware detection by the known signatures.

* Remover (or Cleaner) which is responsible for eradication of the detected spyware.

* Quarantine. If a user is in doubt if the detected spyware should be removed, they can place it in quarantine before the removal and then remove. Later they will have the possibility to restore the removed information.

* Ignore List. Sometimes the scanner detects something that the user does not consider spyware/malware/adware or does not want to remove. Then such records are placed on a special list and will be ignored during the following scans.

Concerning selection of a spyware remover we recommend to pay your attention not only to the availability of the above four components but also to the quality of the signature base. A very important issue is how quickly the producer responds to the new threats appearance and updates the base.

(c) Arovax, LLC

Comments Off