Friday, September 4, 2009

Monday, December 22, 2008

Free Information Security Training (and it is good!)

FEMA, the people we think of when disaster strikes in the US, has a lot of good emergency preparedness training resources- which you would expect.  Check out their Emergency Management Institute for the course catalog of on-site and self-study courses for disaster prep; you can find general purpose training for individuals here.

What you might not expect is that FEMA would offer Cyber Security training- but they do, and it is good.  Information is at the Act Online site, including schedules for on-site training and the list of self-study courses.  From the site:

"ACT Online is an evolution of the Information Assurance program offered by the University of Memphis Center for Information Assurance. A partnership with Vanderbilt University and SPARTA, Inc. expands the proven classroom instruction into a fully capable web based method of instruction.

ACT Online provides a unique combination of expertise and capabilities and we leverage the background of a successful academic program in information assurance uniquely recognized by US Department of Homeland Security.  Our nationwide program uses a comprehensive approach to prepare professionals in identifying assets, recognizing vulnerabilities, prioritizing assets and implementing protection measures in cyber infrastructure."

They currently have four courses up and five more are in various stages of development.  The course catalog lists courses for General/non-technical, IT technical/professional and business professionals- from basics to ethics and forensics.

Note: You must be a US citizen to take advantage of this training.

Monday, November 24, 2008

NAISG Presentation online

Slides and video of my presentation to the Boston Chapter of NAISG on 201CMR17.00, the new Massachusetts data protection law, are now online at the NAISG presentation archive page.

 

Jack

Julie Amero Case is finally over.

The infamous Julie Amero case is finally over. You remember, the poor substitute teacher who allegedly exposed her students to pornography- on a school PC which did not have up to date anti-virus software on a network without web filtering- and has spent years battling a felony conviction over the incident.

In this case, the unforeseen consequences of failing to secure the network and systems have been dramatic.  There really is a lot more to web content control than just keeping people from visiting inappropriate sites, and this case proves how wrong things can go if you ignore the basics.

The story is here, and more from Rick Green on Julie Amero's case here.  Alex Eckelberry at Sunbelt has been involved, here is his take on it.

Monday, November 17, 2008

Discussion of new Mass. data protection law at Boston NAISG meeting

I will deliver a presentation and then lead a discussion on the new Massachusetts data protection law, 201 CMR 17.00, at this month's meeting of NAISG's Boston chapter.  The presentation and discussion will explore the new law, its impact on businesses, and approaches to compliance.  Details of the meeting are at the NAISG Boston website.

Massachusetts "201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth" is one of the most far-reaching and specific state laws governing the protection of personal information.  It is important to note that the law applies to

"persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts"

So you do not have to be in Massachusetts for this law to apply to you.

NAISG Boston meets at Microsoft's offices in Waltham, MA, directions here.  Please join us if you are in the area.  Meetings are free and open to the public, but we would appreciate an RSVP so that we have enough pizza for everyone.

Jack Daniel

Friday, November 14, 2008

Security Bloggers Network

Missing your Security Bloggers Network feed this morning?  Blame Google's assimilation of FeedBurner and abandonment of blog networks.

Alan Shimel has the story here. Don't worry, it will reappear.

Tuesday, November 4, 2008

A Short Reflection on Voting Security

As Americans head to the polls today, here is another perspective on voting and security in America:

We all know about the darker side of voting: voter fraud, vulnerable electronic voting systems, social engineering among others.  There is one topic that is very often overlooked in the United States - Personal Security.

My wife and I left for the polling station mid-morning toting my one year old son.  The biggest things that we were thinking about were "where is the carton of Fishies[tm]" and "we need a copy of the lease to register, where is it?"  We left the polling station after 15 minutes, successfully registering and voting.  I dropped my small family off and headed for work.  On the way to work, while listening to a history lesson on NPR, I began to reflect on what I had just done. 

In less secure and stable parts of the world, people have to vote in makeshift bunkers for fear of bombings.  People are shot, maimed or worse for voicing their opinion.  This is not even a second thought in the US.  The worst thing that I was looking forward to was finding a parking space. 

My reflection: Among all of the normal topics of discussion, I would like to add a congratulations to the people that make the process safe for US voters.  I would also like to reflect on the fact that as a security buff, I know that this has not been, nor will it always be the case - Vote with pride and care.

Please take a moment to reflect on this and other issues for a moment if you are frustrated with the banter on the major networks.

-Voter 1749, Ward 8 Nashua, NH.

Sunday, November 2, 2008

Hackers for Charity and The Academy

Want an easy way to give a buck to Hackers for Charity without taking it out of your own pocket?  The Academy is donating a dollar to HfC for every registration (registration is free).  This post has the details.

Not sure about supporting something called Hackers for Charity? It is a great group, here's a synopsis:

"Hackers for Charity helps non-malicious hackers gain valuable job experience by putting them to work on projects for charity. They also build computer classrooms to help children and adults break the cycle of poverty through empowerment training, and feed children with funds raised by sales of Johnny Long’s books."

[Note: Astaro is a sponsor of The Academy.]

Friday, October 24, 2008

More states requiring data protection

Two more states, Nevada and Massachusetts, have recently passed laws requiring the protection of personal information, joining several others with similar laws.  We can argue the validity of legislating common sense, but whether you protect confidential data because you should, or because you have to, there are now more states with laws that require it.  Obviously Astaro's email encryption can help with secure transmission, but in some cases there is a lot more to these laws than email encryption.  The detail and specificity of the laws vary widely: Nevada's is basically one sentence, Massachusetts' is three-plus pages, so you need to review the applicable laws and consult with your legal counsel to make sure you are covering yourself.

Web Filtering for the Pizza Guy?

In an article titled "Car shows porn on dashboard display"...

Never mind, I can't add to that.  A new market for content filtering, the pizza delivery fleet.

Thursday, October 16, 2008

Road Trip to Day-Con II

The Astaro-sponsored road trip to Day-Con II is history; we saw a lot of great presentations and the whole thing was great fun.  Members of the Security Twits group and the Boston chapter of NAISG made the trip from Boston to Washington, DC, to Dayton, Ohio, and back- for a very good event.  There are lots of photos here, and more info on my personal blog.

There may be more such trips in the future, keep an eye out here for details.

Friday, October 3, 2008

Ohio Linux Fest and Road Trip update

Astaro is a proud sponsor of the Ohio Linux Fest, an outstanding event now in its sixth year.  The OLF will be held at the Convention Center in downtown Columbus, Ohio on October 10-11.

Since we will be passing through Columbus on the 10th and 12th, we will be able to include people headed for the Ohio Linux Fest in the Astaro Road Trip to Day-Con II.  If you would like to join us or for more information on the trip, please let me know- jdaniel [at] astaro.com

Thursday, October 2, 2008

Viscosity OpenVPN Client for Mac

I found an interesting blog post on using the Viscosity OpenVPN client on Mac computers for connecting to Astaro Gateways.  We often recommend Tunnelblick for Mac users who want a nice OpenVPN GUI client to use with their Astaro systems, but this looks like a good alternative for some users.

Note that Viscosity is a "public beta" project, so consider that when deploying it.  It is not Open Source, and it will probably cost about $9.00 when it is in general release, but it is free at this time.

Tunnelblick is both free and Open Source, it is now a Google Code project.

Tuesday, September 30, 2008

Aussie exposes online poker rip-off

Yet another reason to block gambling sites at work- an article in The Sydney Morning Herald reports "Aussie exposes online poker rip-off".

So, besides preventing a waste of time and bandwidth, you may be protecting your employees' finances by blocking access to gambling websites.

Astaro Road Trip to Day-Con II

Astaro is renting an RV and taking some of the "Security Twits" and others on a road trip from Boston to Dayton for the Day-Con II hacker/security convention http://www.day-con.org/127.0.0.1.html. We have had a couple of people back out, so we have space for a couple more to join us. Interested in joining us for the trip?

We'll be leaving the Boston area Thursday 10/9 in the afternoon or evening and headed to the DC area, we'll leave the DC area on Friday morning for Dayton. Day-Con starts Friday evening and runs all day Saturday. The return trip kicks off Sunday morning 10/12, reversing the route back to DC and Boston. Astaro is covering the travel expense, you will need to cover your convention ticket (currently $150), hotel and incidentals. Tickets are still available for the conference, I think the conference hotel may be sold out, but I believe there are reasonable alternatives in the area.

Background and additional information:
http://blog.uncommonsensesecurity.com/2008/08/security-twits-road-trip.html
and http://blogs.zdnet.com/feeds/?p=255

If you would like to join us or for more information, please let me know- jdaniel [at] astaro.com