There have been some interesting discussions taking place in the security community on issues associated with smart phones. In security nirvana, smart phones would just be seen as another network device that is on the network and would be treated accordingly; that is, it would follow the same security guidelines as other network aware devices. Unfortunately, this is not the case.
Security
Heartburn and smart phones
Thu, 2009-12-10 11:17 in Michael Mackrill's blog
Getting the most from your e-discovery professional.
Tue, 2009-10-20 08:31 in Michael Mackrill's blog
Some e-discovery firms are making tons of money since the new Federal Rules of Evidence came into effect last year. With a little due diligence prior to bringing in your consultant, you or your client can save some cash.
Hire the right person:
Quit dragging your feet and encrypt your data.
Mon, 2009-09-14 10:10 in Michael Mackrill's blog
Encryption has gotten a bum rap for years in the industry. It is too hard. It is too slow. I will lose all my data. I have nothing to hide. I can’t see what my employees are doing. Bunk.
It is time to start encrypting, and not just in the business world: it is time to encrypt your home machine too. Sure, encryption can cause issues, but as anyone familiar with computers can attest, turning on a computer can cause issues. Planning is the key to minimizing the impact of introducing encryption into your corporate network.
Home computers on the Internet
Fri, 2009-09-11 09:49 in Michael Mackrill's blog
The typical home user gets their new computer home and has the cable guy come out and hook them up to the internet. They are amazed at how fast their new machine can get stuff from the web. What they don’t know is that the bad guys are looking for them. Automated scripts are constantly searching the internet for new machines coming online in order to exploit them. I did an experiment once where I took a new Windows XP machine right out of the box and plugged it directly into the internet.
Researchers at Newcastle University in the UK are working on a project they call 'Draw a Secret'. Instead of using traditional textual passwords, 'Draw a Secret' allows users to draw a picture as their password. Originally this project was focused on providing a password alternative for users of handheld/mobile devices, for which pen input is easier than text input.
I recently read a white paper put out by Sybase that tries to answer the age-old question (or at least help define the question) of how to ensure that the people you trust the most with your corporate data are NOT the ones who are ripping you off. The target audience is the commercial IT manager or CIO. The paper talks a lot about Sarbanes-Oxley, as you might imagine.
Blocking brute force login attempts
Mon, 2006-05-08 08:50 in Robert Settle's blog
Most system and network administrators are very familiar with brute force attacks against their devices. Every day, thousands of script kiddies and worms scan the Internet attempting to guess passwords for SSH, FTP, telnet, and other services. A typical signature of these attacks is hundreds of failed attempts but only a few attempts per account. In this case, the account is simply being tested for the simplest of passwords, such as a blank password, the username as the password, or 'password' for the password. Although typically futile on a properly administered network, these attacks are annoyances and create noise which may conceal real suspicious activity or, even worse, successful intrusions.
Disable Cert Validation for LDAP and HTTP over SSL
Mon, 2006-05-08 08:49 in Mike McKinney's blog
Have you ever been developing something requiring a connection to a development server over SSL? Was the server not under your control? And you had either an invalid, corrupt or possibly no cert at all to add to your trustStore?
We won't go into why this scenario may occur... but I know there are quite a few people out there asking how to bypass the cert validation for HTTPS and LDAP over SSL (LDAPS) connections.
The place to start is the SSLSocketFactory and more specifically the TrustManager you use.
First J2ME Trojan Emerges
Thu, 2006-03-09 10:51 in Sean Slovney's blog
Anyone in information security will tell you that no operating system is completely invulnerable to security attacks and viruses, only that some operating systems are more secure than others. For the last 5 years, applications running on J2ME on mobile devices have done so without any problems, until now.
First introduced to the Java community by Sun Microsystems in June 1999, the Java 2 Micro Edition (J2ME) was part of a broad initiative to better meet the diverse needs of Java developers. Designed for machines with limited hardware resources such as PDAs (Personal Data Assistants) and cell phones, it can run on machines with as little as 128KB of RAM and with processors a lot less powerful than those used on typical desktop and server machines. At its core is a set of profiles which are defined for particular devices: cell phones, PDAs, microwave ovens, etc. Each profile consists of a minimum set of class libraries which are required for the particular type of device and a specification of a Java virtual machine required to support the device.
Security websites worth bookmarking
Tue, 2006-01-24 23:54 in Robert Settle's blog
With dozens of vulnerabilities and hacking tools released every week, it is difficult for a security professional to keep up with the latest, greatest news and tools. One of the most popular security websites is SecurityFocus, which provides great news and tech articles relating to security and the ever-popular Bugtraq vulnerability mailing list. It also has great primers on security technologies.
While SecurityFocus also has newsletters, mailing lists, and Bugtraq (read: information overload), I use SecuriTeam's mailing list to feed me important security updates without flooding my inbox. SecuriTeam's website provides an excellent searchable database of security articles, tools, exploits, and vulnerability notices collected from a variety of sources. You can sign up for these notifications via email or use the RSS feed.