Monday, December 22, 2008

Free Information Security Training (and it is good!)

FEMA, the people we think of when disaster strikes in the US, has a lot of good emergency preparedness training resources- which you would expect.  Check out their Emergency Management Institute for the course catalog of on-site and self-study courses for disaster prep; you can find general purpose training for individuals here.

What you might not expect is that FEMA would offer Cyber Security training- but they do, and it is good.  Information is at the Act Online site, including schedules for on-site training and the list of self-study courses.  From the site:

"ACT Online is an evolution of the Information Assurance program offered by the University of Memphis Center for Information Assurance. A partnership with Vanderbilt University and SPARTA, Inc. expands the proven classroom instruction into a fully capable web based method of instruction.

ACT Online provides a unique combination of expertise and capabilities and we leverage the background of a successful academic program in information assurance uniquely recognized by US Department of Homeland Security.  Our nationwide program uses a comprehensive approach to prepare professionals in identifying assets, recognizing vulnerabilities, prioritizing assets and implementing protection measures in cyber infrastructure."

They currently have four courses up and five more are in various stages of development.  The course catalog lists courses for General/non-technical, IT technical/professional and business professionals- from basics to ethics and forensics.

Note: You must be a US citizen to take advantage of this training.

Monday, November 24, 2008

NAISG Presentation online

Slides and video of my presentation to the Boston Chapter of NAISG on 201CMR17.00, the new Massachusetts data protection law, are now online at the NAISG presentation archive page.


Jack

Julie Amero Case is finally over.

The infamous Julie Amero case is finally over. You remember, the poor substitute teacher who allegedly exposed her students to pornography- on a school PC which did not have up-to-date anti-virus software, on a network without web filtering- and who has spent years battling a felony conviction over the incident.

In this case, the unforeseen consequences of failing to secure the network and systems have been dramatic.  There really is a lot more to web content control than just keeping people from visiting inappropriate sites, and this case proves how wrong things can go if you ignore the basics.

The story is here, and more from Rick Green on Julie Amero's case here.  Alex Eckelberry at Sunbelt has been involved, here is his take on it.

Monday, November 17, 2008

Discussion of new Mass. data protection law at Boston NAISG meeting

I will deliver a presentation and then lead a discussion on the new Massachusetts data protection law, 201 CMR 17.00, at this month's meeting of NAISG's Boston chapter.  The presentation and discussion will explore the new law, its impact on businesses, and approaches to compliance.  Details of the meeting are at the NAISG Boston website.

Massachusetts "201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth" is one of the most far-reaching and specific state laws governing the protection of personal information.  It is important to note that the law applies to

"persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts"

So you do not have to be in Massachusetts for this law to apply to you.

NAISG Boston meets at Microsoft's offices in Waltham, MA, directions here.  Please join us if you are in the area.  Meetings are free and open to the public, but we would appreciate an RSVP so that we have enough pizza for everyone.

Jack Daniel

Friday, November 14, 2008

Security Bloggers Network

Missing your Security Bloggers Network feed this morning?  Blame Google's assimilation of FeedBurner and abandonment of blog networks.

Alan Shimel has the story here. Don't worry, it will reappear.

Tuesday, November 4, 2008

A Short Reflection on Voting Security

As Americans head to the polls today, here is another perspective on voting and security in America:

We all know about the darker side of voting: voter fraud, vulnerable electronic voting systems, social engineering among others.  There is one topic that is very often overlooked in the United States - Personal Security.

My wife and I left for the polling station mid-morning toting my one year old son.  The biggest things that we were thinking about were "where is the carton of Fishies[tm]" and "we need a copy of the lease to register, where is it?"  We left the polling station after 15 minutes, successfully registering and voting.  I dropped my small family off and headed for work.  On the way to work, while listening to a history lesson on NPR, I began to reflect on what I had just done. 

In less secure and stable parts of the world, people have to vote in makeshift bunkers for fear of bombings.  People are shot, maimed or worse for voicing their opinion.  This is not even a second thought in the US.  The worst thing that I was looking forward to was finding a parking space. 

My reflection: Among all of the normal topics of discussion, I would like to add a congratulations to the people that make the process safe for US voters.  I would Also like to reflect on the fact that as a security buff, I know that this has not been, nor will it always be the case - Vote with pride and care.

Please take a moment to reflect on this and other issues if you are frustrated with the banter on the major networks.

-Voter 1749, Ward 8 Nashua, NH.

Sunday, November 2, 2008

Hackers for Charity and The Academy

Want an easy way to give a buck to Hackers for Charity without taking it out of your own pocket?  The Academy is donating a dollar to HfC for every registration (registration is free).  This post has the details.

Not sure about supporting something called Hackers for Charity? It is a great group, here's a synopsis:

"Hackers for Charity helps non-malicious hackers gain valuable job experience by putting them to work on projects for charity. They also build computer classrooms to help children and adults break the cycle of poverty through empowerment training, and feed children with funds raised by sales of Johnny Long’s books."

[Note: Astaro is a sponsor of The Academy.]

Friday, October 24, 2008

More states requiring data protection

Two more states, Nevada and Massachusetts, have recently passed laws requiring the protection of personal information, joining several others with similar laws.  We can argue the validity of legislating common sense, but whether you protect confidential data because you should, or because you have to, there are now more states with laws that require it.  Obviously Astaro's email encryption can help with secure transmission, but in some cases there is a lot more to these laws than email encryption.  The detail and specificity of the laws varies widely- Nevada's is basically one sentence, Massachusetts' is three-plus pages- so you need to review the applicable laws and consult with your legal counsel to make sure you are covering yourself.

Web Filtering for the Pizza Guy?

In an article titled "Car shows porn on dashboard display"...

Nevermind, I can't add to that.  A new market for content filtering, the pizza delivery fleet.

Thursday, October 16, 2008

Road Trip to Day-Con II

The Astaro-sponsored road trip to Day-Con II is history; we saw a lot of great presentations and the whole thing was great fun.  Members of the Security Twits group and the Boston chapter of NAISG made the trip from Boston to Washington, DC, to Dayton, Ohio, and back- for a very good event.  There are lots of photos here, and more info on my personal blog.

There may be more such trips in the future, keep an eye out here for details.

Friday, October 3, 2008

Ohio Linux Fest and Road Trip update

Astaro is a proud sponsor of the Ohio Linux Fest, an outstanding event now in its sixth year.  The OLF will be held at the Convention Center in downtown Columbus, Ohio on October 10-11.

Since we will be passing through Columbus on the 10th and 12th, we will be able to include people headed for the Ohio Linux Fest in the Astaro Road Trip to Day-Con II.  If you would like to join us, or for more information on the trip, please let me know- jdaniel [at] astaro.com

Thursday, October 2, 2008

Viscosity OpenVPN Client for Mac

I found an interesting blog post on using the Viscosity OpenVPN client on Mac computers for connecting to Astaro Gateways.  We often recommend Tunnelblick for Mac users who want a nice OpenVPN GUI client to use with their Astaro systems, but this looks like a good alternative for some users.

Note that Viscosity is a "public beta" project, so consider that when deploying it.  It is not Open Source, and it will probably cost about $9.00 when it is in general release, but it is free at this time.

Tunnelblick is both free and Open Source; it is now a Google Code project.

Tuesday, September 30, 2008

Aussie exposes online poker rip-off

Yet another reason to block gambling sites at work- an article in The Sydney Morning Herald reports "Aussie exposes online poker rip-off".

So, besides preventing a waste of time and bandwidth, you may be protecting your employees' finances by blocking access to gambling websites.

Astaro Road Trip to Day-Con II

Astaro is renting an RV and taking some of the "Security Twits" and others on a road trip from Boston to Dayton for the Day-Con II hacker/security convention http://www.day-con.org/127.0.0.1.html. We have had a couple of people back out, so we have space for a couple more to join us. Interested in joining us for the trip?

We'll be leaving the Boston area Thursday 10/9 in the afternoon or evening and heading to the DC area; we'll leave the DC area on Friday morning for Dayton. Day-Con starts Friday evening and runs all day Saturday. The return trip kicks off Sunday morning 10/12, reversing the route back to DC and Boston. Astaro is covering the travel expense; you will need to cover your convention ticket (currently $150), hotel and incidentals. Tickets are still available for the conference. I think the conference hotel may be sold out, but I believe there are reasonable alternatives in the area.

Background and additional information:
http://blog.uncommonsensesecurity.com/2008/08/security-twits-road-trip.html
and http://blogs.zdnet.com/feeds/?p=255

If you would like to join us or for more information, please let me know- jdaniel [at] astaro.com

Tuesday, September 23, 2008

Keeping current

If you are a network administrator you probably have a couple of must-have tools installed on your systems.  Personally, I can't imagine working without Wireshark and Nmap on every computer I use.

For these and many other programs, the core functionality may not seem very different than it did a few years ago- so there's no need to update regularly, right?

Wrong.  I was reminded of this by last week's Pauldotcom Security Weekly podcast, in which they interviewed Fyodor (creator and lead developer of Nmap).  He observed that he gets a lot of feature requests and bug reports...for things which were added or fixed years ago- but people are still using "vintage" versions of Nmap.  If you aren't using Nmap 4.76 you may have missed the fact that the Zenmap GUI now includes a topology mapping utility.  That's right, Zenmap can now literally draw you a picture of your network.  There are also multiple performance enhancements in the latest version, many based on developments made during Fyodor's "Scan the Internet" project.

The same happens with Wireshark; I see it frequently on the mailing list.  Besides the obvious bugfixes and security patches, you are often missing new features- if you are not using Wireshark 1.0.3 you don't have access to the thousands of per-protocol fields now supported (including hundreds of MIBs), nor do you have all of the 935 protocols and packet types now supported.  You may not even have the "firewall ACL rules" function, which can write a variety of packet filter/ACL rules for many different systems for you, based on the selected packet.  (Of course, with an Astaro you don't need those kinds of arcane rules).

What tools do you need to update now?
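A quick way to act on that question is to compare what your copies of Nmap and Wireshark report with the releases named in this post. The Python helper below is an added example written for this post, not code from Nmap, Wireshark or Astaro; the version thresholds (4.76 and 1.0.3) come from the post, the sample banners are constructed, and `check_installed` is a hypothetical convenience that only queries tools found on PATH.

```python
"""Flag 'vintage' copies of Nmap and Wireshark against the releases the post names.

Hypothetical helper written for this post; not part of Nmap, Wireshark or Astaro.
"""
import re
import shutil
import subprocess

# Minimum versions the post treats as current (Nmap 4.76, Wireshark 1.0.3).
MIN_VERSIONS = {"nmap": (4, 76), "wireshark": (1, 0, 3)}

# Where the version number sits in each tool's --version banner.  Older
# Wireshark builds print a lowercase program name, and tshark prints
# "TShark (Wireshark) x.y.z", so the match is case-insensitive and skips
# any non-digit text between the name and the number.
_BANNER = {
    "nmap": re.compile(r"Nmap version (\d+(?:\.\d+)+)"),
    "wireshark": re.compile(r"(?:wireshark|tshark)\b[^\d]*(\d+(?:\.\d+)+)", re.IGNORECASE),
}


def parse_version(tool, banner):
    """Return the version tuple found in a tool's --version banner, or None."""
    m = _BANNER[tool].search(banner)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_outdated(tool, version):
    """True when version is older than the minimum for the tool.

    Tuples of unequal length compare positionally, so (1, 0) < (1, 0, 3) and
    (4, 76, 1) > (4, 76): a shorter tuple counts as the earlier release when
    every shared component matches.
    """
    return version < MIN_VERSIONS[tool]


def check_banner(tool, banner):
    """Classify a banner as 'current', 'outdated' or 'unknown' (unparseable)."""
    version = parse_version(tool, banner)
    if version is None:
        return "unknown"
    return "outdated" if is_outdated(tool, version) else "current"


def check_installed():
    """Run --version for tools present on PATH and classify each; absent tools are skipped."""
    results = {}
    for tool, command in (("nmap", "nmap"), ("wireshark", "tshark")):
        path = shutil.which(command)
        if path is None:
            continue
        try:
            output = subprocess.run([path, "--version"], capture_output=True,
                                    text=True, timeout=10).stdout
        except (OSError, subprocess.SubprocessError):
            results[tool] = "unknown"
            continue
        results[tool] = check_banner(tool, output)
    return results


# Constructed sample banners (not captured from real systems).
SAMPLE_BANNERS = {
    "nmap": "Nmap version 4.20 ( http://insecure.org )",
    "wireshark": "wireshark 1.0.3\n\nCopyright 1998-2008 Gerald Combs and contributors.",
}

if __name__ == "__main__":
    for tool, banner in SAMPLE_BANNERS.items():
        print(f"sample {tool}: {check_banner(tool, banner)}")
    for tool, status in check_installed().items():
        print(f"installed {tool}: {status}")
```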

Monday, September 22, 2008

McAfee to acquire Secure Computing

McAfee announced today that it is acquiring Secure Computing Corporation.  Interesting timing- just last week Astaro moved from the SurfControl content filter database to Secure Computing's database.

Is that bad for Astaro?  No, actually it is good in a couple of ways-

First, Astaro has used three different content filter catalogues since first offering content filtering, all selected because they were industry leaders at the time they were selected.  Everyone claims to work with "industry leaders", but how do you prove who has real value?  One approach is to ask the market: valuable companies often get acquired by the big players in the security market- and all three of the content filter providers used by Astaro have been acquired by larger players in the security field:

Cobion was used in ASG Version 6; they were acquired by ISS, which was later acquired by IBM.

SurfControl was used in ASG version 7 systems prior to last week's 7.302 update.  Their value was obvious to WebSense, which purchased SurfControl.

McAfee has now seen the value in Secure Computing, and we wish our new partners the best.

Second, McAfee isn't buying SC just for bragging rights- they want to continue to develop the product line (with the added resources a giant like McAfee offers), which is good for Astaro and our customers.

Thursday, September 18, 2008

Up2Date 7.302 Released

Astaro Up2Date 7.302 is now available for download and installation. This Up2Date introduces a new Web Content Filter engine for faster and more accurate classifications. The new system offers 97 categories that have been fully integrated into WebAdmin and the previous categories have been imported.

To take full advantage of the new abilities of this Up2Date, administrators should review their Web Security categories after installation is complete.

Remarks:
Web Security Categories will be updated
System will be restarted

News:
- HTTP Content filter subcategories will be extended, please check your configuration
- Improved URL Filter for HTTP Proxy
- Increased Web Security Classification Categories to 97 (Up from 60)
- Improved device agent for ACC 1.9
- Added option to flush authentication cache
- Fixed clamav vulnerabilities CVE-2008-3912, CVE-2008-3913, CVE-2008-3914

Full update information is available at http://up2date.astaro.com/2008/09/up2date_7302_released.html#more

NAISG, the National Information Security Group


The National Information Security Group is a great resource for anyone with an interest in security, regardless of experience level.  Founded in 2002 as a Boston-area user group, NAISG has grown into an international organization with 18 chapters and more coming.  Unlike some security groups, NAISG is a very open and approachable group: meetings are free to attend and there are no prerequisites for membership.

Wednesday, September 17, 2008

Porn nightmare at 37,000 feet?

That headline from this Network World article may be a little melodramatic, but it does raise a valid question: what should be done about controlling Internet access to potentially objectionable content, now that American Airlines is offering Wi-Fi Internet access on some of its flights?  The Network World article and a preceding one at Bloomberg discuss a problem with inappropriate content being viewed in flight.  Some express opinions like:

"It's a tricky door to open," said Marc Rotenberg, executive director of the Electronic Privacy and Information Center in Washington. "Where do you draw the line once you start policing the information your customers can access?"

Even if the customers are paying for access, I think this one is a no-brainer- the airplane is a workplace, the airlines are required by law to prevent a hostile workplace, and the display of obscene content has been found to create a hostile work environment- so it needs to be filtered.

The airlines are already filtering to block VoIP, so they have proven that they are willing and able to filter some traffic.  Sure, it can be taken too far, but I think the airlines should filter traffic- and they should clearly define what is and is not allowed when you sign up for in-flight Internet access.

Astaro is now sponsoring Pauldotcom Security Weekly


Most people know that Astaro sponsors Security Now with Steve Gibson and Leo Laporte, and many know that ours is the longest-running sponsorship in the podcast industry.  Security Now's target audience is the security conscious "power user", but it is a great podcast for anyone interested in security regardless of experience or skill level.

Some may remember that Astaro also sponsored Martin McKeay's Network Security podcast and the Pauldotcom Security Weekly podcast for a while.

I am happy to report that Astaro and Pauldotcom have renewed their ties, we are once again sponsoring Pauldotcom Security Weekly.  PSW is a podcast "by security professionals, for security professionals"; hosted by Paul Asadoorian and Larry Pesce- with a mix of technical topics, the latest security news, interviews, and topical discussions.  And beer.  At http://www.pauldotcom.com/.

I want one!

I want one of these (okay, need one), the first-generation Android phone from T-Mobile and HTC.  I want one to play with (okay, to test), because I'm a geek and like toys (okay, because I need to develop guidelines and tutorials for connecting to Astaro VPNs with the new device).

Now, to craft my request to corporate IT.

Tuesday, September 16, 2008

SPAM may be protected by the First Amendment, but not by Astaro.

A spammer's conviction was recently overturned by the Virginia Supreme Court on First Amendment grounds.  Details from this PC Magazine article include this:

Friday's ruling found that the Virginia law is "unconstitutionally overbroad because it prohibits the anonymous transmission of all unsolicited bulk e-mails including those containing political, religious, or other speech protected by the First Amendment."

Given the details of the ruling, I understand the justification- but I still don't want spam in my inbox.  Regardless of whatever happens with laws and regulations, I expect the spam filters on my Astaro will do more to keep my inbox clean than anything coming from government.

Happy Birthday Snort!

Happy Birthday to everyone's favorite Intrusion Detection and Intrusion Prevention system, Snort!  Snort is ten years old, and Astaro has been supporting the Open Source project for many years- and integrating Snort into the Astaro Security Gateway with an easy to use and intuitive web interface.


Here's to ten more years of protecting our networks, thanks Snort.

Better late than...

So, Black Hat and DefCon were great.  But you probably know that by now.  Kaminsky, DNS, BGP, and so on.

What you don't know is that I got to meet some customers face-to-face.  I know, a lot of folks think DefCon is full of evil hackers- but in truth, the vast majority of attendees are hard-working IT and security pros like these two Astaro customers.

As far as future conferences, I'm headed to Day-Con next month, then we'll be at Shmoocon and SOURCE Boston next year.

NFL season kicks off, employees slack off

Over at CIO, the article 20 amazing, amusing and alarming IT "facts" has a few interesting tidbits in it.  This quote caught my eye:

"A new report warns that the cost from lost productivity at work related to the new NFL season could add up to $10.5 billion."

(the article is originally from Network World, but they have that annoying "page turn" ad on their version).

Not sure I buy their math:

"The average fantasy sports player earns about $38 per hour and based on an average of nearly 1.19 hours per week dealing with their team during work hours, companies lose about $45.22 in wages per worker each week"

In my experience, folks who earn ~$80k a year and can get away with spending unsupervised time on the Internet put in a lot more than 40 hours a week- so the number is questionable- but it still points out a lack of control of employee web surfing.

iPhone iMania iContinues

Apple's iPhone and iPod continue their media and marketplace juggernaut.  Hot on the heels of last week's new iPod Nano ("the funnest iPod ever"), this week brings news that Kleiner Perkins has started an iPhone blog called iFundVC.  Not sure what to think about it yet, but the iPhone continues to gain market share and buzz.

As far as Astaro and the iPhone and iPod, remember that we offer easy to configure VPN solutions for all Internet-connected iPhones and iPods.

Check Point Marries Virtual, Physical Security -or- why PR annoys us.

In the article "Check Point Marries Virtual, Physical Security" over at CSO Online, there are some truths:

"Running virtual machines is easy. It's managing and securing them that's the problem, according to both users and analysts."

No arguments there.  It is when we get down to:

"Check Point claims that it's the 'first company to provide unified security management for both physical networks and virtual applications'."

That seems like a stretch.  And then there's this:

"The VPN-1 VE is a VMware-certified virtual application, which is designed to secure VMware virtual servers and applications by making them act as if they were on separate physical servers."

Act as if they were on separate physical servers?  Isn't that what the virtualization platform already does (or at least is supposed to do)?

In fairness, the author, Steven J. Vaughan-Nichols, seems a bit skeptical, too.  What do you think?


Jack

Sunday, August 17, 2008

Podcasters Meetup at DefCon 16

The Podcasters Meetup at DefCon 16 was a lot of fun, and we're glad Astaro had the opportunity to sponsor the event. The all-star panel included podcasters from Sploitcast, Securabit, PaulDotCom, Network Security Podcast and Security Justice.

Astaro's sponsorship of Security Now with Steve Gibson and Leo LaPorte is now in its third year (the longest running sponsorship in podcasting), and we have also sponsored other podcasts- this event was one more way for Astaro to support the Security Podcast community.

Special thanks to Rob Fuller (aka Mubix) for organizing the event.

Sunday, August 3, 2008

LinuxWorld, BlackHat and DefCon

Several members of the Astaro team will be attending LinuxWorld at the Moscone Center in San Francisco.  Please stop by and say hello if you are going to LinuxWorld.

I'll be attending BlackHat and DefCon16 in Las Vegas this week; if you see me, please stop me and say hi.  The good folks at i-Hacked.com are providing Skybox 208 for the Podcasters Meetup on Saturday at DefCon, and Astaro is providing sponsorship for the event.  I'll be there for the live event and probably the after party.

Jack

Monday, July 28, 2008

Astaro Sponsoring the Podcasters Meetup at DefCon 16

Astaro is sponsoring the Podcaster's Meetup at DefCon 16 on Saturday, August 9.  If you're going to DefCon, swing by Skybox 208 in the evening for the live show and more, full details and schedule here.

Jack

Friday, July 11, 2008

The Astaro Linkedin Group

If you are a Linkedin user and would like to connect with other Astaro users, customers, partners and employees of Astaro- please join us in our new Linkedin group.

Don't worry, we aren't going to spam you or share your information with anyone, we just want to help connect members of the Astaro community.


Jack

Thursday, July 10, 2008

DC401, Providence, RI

This is the first in a series of posts about security communities and groups; there are many more to come, and I encourage you to let me know about others.

DC401 had their July meeting last night.  On a nice summer evening almost 30 people turned out to hear a great presentation on SCADA security.  Don't be fooled by the size of the state, there are a lot of very sharp security pros and hackers in Rhode Island.

About DC401:

DC401 is the local Defcon Group for Rhode Island. DC401 is a gathering for folks interested in the alternate applications of modern technology, referred to properly as 'hacking'. DC401 is not intended to compete with any other computer group, such as Providence Geeks, 2600 or Linux User Groups, but rather to provide yet another gathering place for the discussion of technology and security topics. DC401 meetings are open to anyone, regardless of their skill, age, job, gender, etc. DC401 is here to help you learn new things, meet new people, mentor others in areas you may be strong in, and provide some cohesion within the hacker culture and its members.


Jack

iPhone 2

The hype around the second-generation iPhone is spiraling out of control- maybe not as much as the first time, but it is still impressive for a refresh of an existing device.

Next week we should have some useful information on the new iPhone, but for now you will have to be satisfied with this look back at a classic:


Jack

Thursday, July 3, 2008

Hi! Thanks for stopping by.

This is a blog primarily about three topics:
  • Astaro
  • Information and Internet Security
  • Communities interested in the above

So, what's here?

  • Photos from our Flickr stream (mostly security events and people in the community).
  • A calendar of security events and meetings
    • There will often be someone from Astaro at these, probably me*
  • A calendar of IT and Security events where Astaro is participating and/or has a booth
    • At least one person from Astaro will be at these events
  • Our YouTube Videos

There will be some product and "marketing" materials posted here, but this is not a sales site.

*I am Jack Daniel, one of the Support Engineers from Astaro's US headquarters.

So, thanks for stopping by,

Jack