What we're reading, week of 8/25

From Endpoint-Security.Info… Insider Compromises 2 million Private Records. Agent Smith examines the tale of Countrywide Financial Corp., and an insider who sold customer information to competitors over the course of three years. Could Countrywide have prevented this by updating their security practices to include monitoring data transfers to portable devices?

From Network Security Blog… Force Gmail to use HTTPS. Martin McKeay explains how users can protect themselves from having Gmail login data stolen when using a public network. “Gmail has been capable of running on SSL for quite some time, but it’s not something that’s enabled by default.” It will be interesting to see how Google responds to this discussion – whether they’ll change the default settings or offer some justification for not automatically running on SSL.

From Amrit William’s Blog… The 11 Worst Ideas in Security. Amrit calls out the top 11 banes of the security world, which include analysts, passwords, and yes – security...

NAC: the good, the bad, the unnecessary?

We’re interested in getting readers’ opinions on NAC. For those who have taken it on in their organizations, what have you found to be the real advantages? Has NAC had a positive influence on your organization beyond what could be expected from adopting any other set of standards? Have you implemented associated tools, technologies, or consulting to augment your NAC initiatives? Overall, how has your experience been (especially as compared to the processes you previously had in place)? Please share your thoughts in the comments section. We’ll be posting some responses and discussion on this topic next...

More thoughts on LogMeIn

Last week we posted in response to this Download.com article about LogMeIn – a remote access utility that the author claims could replace his VPN. We decided to pose the question to industry peers using LinkedIn’s Q&A feature. We asked: Anyone using LogMeIn for Windows and Mac? CNET writer, Seth, posted something on his experience with it, and it sounds intriguing.

Marcin Antkiewicz wrote:

Using LogMeIn, or any other remote access relay service, creates a few issues for us, the security folks. Such services extend the network perimeter to unknown locations, and sneak unknown and untested software into the service portfolio. The important change is not just a minor administrative nuisance, but arbitrary changes to the risk profile. From a user’s perspective, LogMeIn is just an easy way to log in to their email; to me it means corporate secrets accessible in airports and coffee shops. In addition to exposing a screen in strange places, such software might not conform to various security best practices with regard to privacy, implementation, and vendor security. Risk management issue again. While those standards might be restrictive and arbitrary, circumventing controls is a bad idea. You should request an easy remote control access instead, and IT Sec folks should be able to accommodate your request as it’s in their best interest. Quite a few nasty break-ins happened due to bridged security domains (desktop compromised while running admin/root sessions in screen/vmware console/rdp). You do not want such an event to be traced to your machine while running rogue software… Caveat – my experience is from the Security side of IT, and my answer assumes a user working for...

What we're reading, week of 8/18

From 360 Degree Security… Competitors Can Be Civil. Tyler Reguly reflects on recent experiences at Blackhat and DEFCON, and discusses how competitive vendors in the security space find common ground.

From Emergent Chaos… Certifiably Silly. Adam Shostack discusses the failings of SSL in a response to a post by Michael Barrett about Firefox 3.0 and self-signed certificates. In a later followup (I’m Certifiably Wrong), Adam responds to readers’ comments.

From Zero Day… Security vs. convenience: Apple chooses poorly. Guest-blogger Oliver Day writes about Apple’s absurd practice of asking users to divulge their administrator passwords when bringing machines in for repair. Readers debate in the comments section over whether this practice is a) necessary, or b) a problem at...