To make your life easier, here is how I did this. In my exim configuration file, under acl_check_rcpt, I had a block that originally looked like this which says to omit all verification checks for authenticated users:
accept authenticated = *
control = submission
I changed it to this:
accept authenticated = *
add_header = X-Pdx-Authenticated: Yes
control = submission
What that does is to add a new header to authenticated messages called "X-Pdx-Authenticated: Yes". The next step was to find the section of the same exim config file for "remote_smtp" - remote delivery. I changed that section as follows:
remote_smtp:
driver = smtp
headers_remove = ${if eq{$h_X-Pdx-Authenticated:}{Yes} \
{Received:X-Pdx-Authenticated:X-SA-Exim-Connect-IP:X-Spam-Report:X-Spam-Score:X-SA-Exim-Mail-From:X-SA-Exim-Scanned} \
}
Basically the idea is to add a line right underneath the driver entry that says "If we see a line called X-Pdx-Authenticated (which in our case was added for authenticated users), strip out the Received lines and a bunch of the other SpamAssassin headers." You could just as easily leave it as "Received:X-Pdx-Authenticated".
Hopefully this will save someone time in the future.
]]>Admob Mobile Metrics
Mobile Device Information
WAP Development Considerations
WAP 2.0 User Identification for Secure Services
Mitigating Cross-site Scripting with HTTP Only Cookies
HTTP Only Cookies
Morgan Stanley Technology & Internet Trends
WURFL
iPhone for the Enterprise
OWASP
Barclays Tightens Mobile Banking Security
Mobile Banking - Is it Ready for Prime Time
Cross-domain Cookie Provider
mFoundry
Firethorn
MShift
iPhone User Interface (CSS Library)
Microsoft ActiveSync Deployment Guide
For whatever reason, the last linked Microsoft document was very difficult to locate. Most ActiveSync instructions are on blogs or other sites but this is the real MS deployment guide.
]]>Before you begin, make sure you have the latest BIOS from Tyan. They don't distribute it on bootable media, so you probably have to hack around placing the BIOS files on a bootable CD image from www.bootdisk.com.
With FreeBSD 7.0, the first thing I saw was that the boot process hung and did not complete when starting from a CD on the PATA/IDE chain. It does successfully complete the bootup and launch sysinstall for FreeBSD 8.0 (200812 snapshot) but that's another story since I want to run 7.X for now.
My goal was to run the root disk as a 500GB PATA/IDE drive. I had this on the PATA interface with a DVD-ROM, both using cable select. After research and testing with 8.0 as well as Linux to get a better feel for the hardware, the first thing to know is that the PATA (IDE) controller uses an ITE 8213 chipset. This has not been supported in FreeBSD until a commit to the 7.0-STABLE branch after release (in October 2008).
Given the recent support for this I figured there was an issue with the DVDROM that was on this controller. I also have an external Plextor PX-716UF. I figured USB support would be better so I booted the 7.1-RC1 install CD from this drive instead. I launched all the way into sysinstall this time and was able to successfully start the installation from the Plextor. I am still unsure of why this did not work from the PATA DVD-ROM but I'll troubleshoot and file a bug after a bit of time getting the OS up and running. I thought I was out of the woods... but was foiled by many cd0 read errors and a failed installation. I re-burned the distribution CD in case my media had a problem but it didn't help so perhaps there is ALSO a USB problem.
I couldn't give up at this point so I figured that I would try the BOOTONLY CD and install via the network to minimize information reads from the CD. I booted successfully, configured the network, and installed without any read/write errors. I went with the minimal install just to be safe. After a reboot the OS booted properly with no other issues. This was cause for celebration.
All of this took many hours to figure out. The short of this is that if your FreeBSD install hangs somewhere, try installing from a USB DVD/CD drive instead of one on the PATA chain. If that still doesn't work, try the bootonly and an install from the network. That turned out to be the key to at least getting to a bootable multiuser system.
]]>Note that you may have to update the font paths. The /windows font directory represents a copy of the C:\windows\fonts directory from a Windows XP system. This enables all of the Windows fonts to be available to FreeBSD. The other font directories were all installed via the FreeBSD ports system.
xorg.conf]]>1. *** IMPORTANT *** If you did not previously work for PwC, PW, or C&L, you are not eligible for the group. This includes all of the recruiters who regularly request group access and are denied. Please don't click the link if you didn't work for the firm.
Let me state that again because it is regularly ignored.
If you did not previously work for PwC, PW, or C&L, you are not eligible for membership in the group. This includes recruiters, HR managers, people who try to join every possible LinkedIn group, etc.
Assuming you worked at one of the firms, and ONLY if you worked at the firm, click on this link. You will now be listed in the system as having a pending membership to the group.
2. Make sure your PwC work experience is on your LinkedIn profile and is visible. Some people have elected to keep it private which is fine, but you definitely need to send me an email if I can't see PwC somwhere on your profile.
3. If you do not have PwC listed on your public profile, send me an e-mail to rjb .a.t. robertjbrown .d0t. com. You will have to manually insert the @ and the . in my address - otherwise spammers will find me. Mention that you wish to join the group and also provide the name of the partner you worked with most frequently.
It will take a minimum of a few weeks to approve membership to the group. The volume of requests has grown from a few per week to close to 20 per day. There are over 3000 group members as of this post and it is becoming a very valuable resource for reaching out to former colleagues. The time it takes for approval is increased when non-PwC alums request membership in the group which is why the wording above has been highlighted.
It will not increase the speed of your approval by sending additional e-mails. All approvals are tracked in the system, so if you see it in your profile as 'pending' your request for membership has been added to the pending queue.
]]>I'd like to outline why I think what Consumer Reports did was a good thing and why I am in support of their efforts.
The major virus software developers, including McAfee and Symantec, have an enormously profitable business selling software and virus definition updates. It's a great business idea - people keep paying for the software over and over because it is licensed and not sold outright. The challenge from a security perspective is that antivirus software is more reactive than proactive - it has similarities to the traditional issues with a pattern-based intrusion detection system. They are both great for stopping specific known threats, but do not work as well against unknown threats.
To understand why this is an issue, let's think about how an attacker works. Look no further than 9/11, Richard Reid, or the recent case in London of the liquid bomb plot. The attackers analyzed the security controls in place at the airports and attempted to exploit vulnerabilities in those defenses. They did not try to pack a suitcase with a bomb and check it in because they knew that this was not as likely to work and may be caught in the security scanners. In the same manner, an attacker wishing to distribute a virus can test their new code against the top products in the market just by downloading them. The bad guys are analyzing the defenses to find a hole. It's an endless arms race and the only way to get better is by improving the products to better defend against new attacks.
Focusing on this specific class of product - antivirus - how do you defend from a situation where the bad guys can see your controls and create tactics to evade them? One way is to improve the products in such a way that they are self-defending. McAfee even claims to have done this on their web site: "<VirusScan's> advanced heuristics and generic detection even finds new, unknown viruses."
I'm glad the product is able to do that. As an informed consumer, I'd like to know how well the product stacks up to those claims. As a CISO, it's my business to identify and mitigate risks to my company. I want to know what product can best protect me from both known and unknown threats.
Moving back to Consumer Reports, they figured (rightly so) that the only way to validate the product claims was to modify existing viruses and test them against the software. So they created new variants of known viruses and reported the results. Did their new viruses "escape" and infect anything other than their testbed? To date, nothing has been reported. No damage was done because they appear to have employed care in how they conducted the test. I would expect this from an industry leading product evaluation company that brought in competent security consultants such as Dr. Avi Rubin.
What's the bottom line? Consumer Reports obtained an independent test result that I am very interested in - which products were best able to cope with new and evolving threats. This information is valuable to me because it was created by a credible not-for-profit institution and provides details to help me choose the best product for defending against both existing and new threats.
How does it find the server? It uses a DHCP configuration setting or DNS to search for the entry "wpad.yourdomain.com" where yourdomain.com is your local domain as served up by your DHCP server. If that host resolves, it looks on that server for a wpad.dat file - a small bit of javascript that tells the browser what the proxies are. If that file is there, the browser blindly trusts it and executes the javascript to obtain the proxy settings right from that file - even if you have completely disabled Javascript in the browser. The next logical question for me was "where is the authentication for this?" and the answer is: there is no authentication.
This is scary for a number of reasons. If you can set a proxy for someone, that means you can force them to connect to a proxy YOU control. This is a man-in-the-middle attack and you can now obtain login credentials or anything else - including for SSL sites. Now, this gets even better if you combine it with a DNS cache poisoning attack or a second/fake DHCP server. How about you go to the local wireless hotspot and redirect WPAD to a server you control (even prior to asking for the credit card input)? You can now intercept their browsing sessions. How about you check into a local hotel? Do you suspect that a number of executives will be staying there with browsers preconfigured to look for a local proxy? I do. Oh, and the best part of this is that this is 100% transparent to the user - no pop-up box or other warnings are provided.
Allowing an unauthenticated network device/file to modify your behavior without your knowledge or consent is bad security. Although there have been published exploits for this in the past (and Microsoft fixes such as MS99-054), this remains as a vulnerability - especially combined with DNS cache poisoning or a second DHCP server controlled by an attacker. In today's world, the assumption must be made that computers are not stationary. They move around, and hence their security environment changes with them. Long-standing "features" like WPAD should be either secured or eliminated based on risk. The world has changed since this was introduced and our products should also change based on the updated risk profile.
You can subscribe to the Podcast via the orange icon at the right side of the page. Drag that icon to your iTunes Podcast menu and it should automatically subscribe you.
]]>I will be posting an enhanced podcast of my 2006 WesCorp CFO Forum presentation on information security. Here's how to use it in iTunes.
1. Open iTunes and click on the "Podcast" link on the left side.
2. Drag-and-drop the enhanced podcast link to iTunes. It should properly download and import the file.
3. Click the "Edit" menu at the top and "Show Artwork" to view the slides. A small window should open up on the left side of iTunes.
4. Start playing the podcast. If you wish to jump between chapters, there is a small icon that appears at the top of iTunes just to the right of the presentation window and left of the search box. You can select the drop-down menu to navigate the presentation.
5. If you copy the file to the iPod, the controls to jump back and forth should just work. The slides will be shown if you have a video iPod.
Hopefully this will be of help to others that wish to view enhanced podcasts. I will upload future presentations in this format as well.
Ask yourself this question: do you like to receive unsolicited calls at home during dinner time? I don't either because I have that time set aside for family. There is a reason that a national do-not-call list exists. Daytime product/service sales calls tend to fall in the same category. A typical cold call conversation with me goes like this:
Caller: "Hi, is this Robert?" <I also get a lot of calls asking for the previous person in my job - that's another big no-no. I'm not new to my position - update your phone list before calling.>
Me: "Yes. What is this in regards to?"
Caller: "I'm so-and-so with such-and-such company. We have x y z and here's why it is great." OR "How are you addressing X Y Z law that you must comply with?"
Me: "Thank you for your interest in our company, but we are not looking for additional vendors."
Caller: "Can I follow up with you with more information?"
Me: "No thank you."
That's it. Every conversation is the same and they happen all the time. The first thing to realize when calling someone out of the blue is that they receive many other calls from vendors offering similar services. If you employ the tactics described above, you are using the same conversation that every other rep or inside salesperson uses when calling. It's not that I don't want/need your product but I don't appreciate the distraction from the work I am focusing on for the same reasons you don't like to be called during dinnertime. Leaving a cold voicemail is even worse - you will not receive a reply.
How about a different approach?
Take a longer-term view focused on development of a relationship rather than trying to interest me in your product. Here are a few tips to start with:
1. Know who you are calling. People will generally tell you who is responsible for a certain area - start with the admin assistants and ask questions. Make sure you have the name and general area of responsibility correct.
2. Know the company you are calling. I have many people that call me asking for a different credit union that has a similar-sounding name.
3. Know the industry and regulations. I am not subject to Sarbanes-Oxley; a quick review of the law and my company will tell you that. Don't try to sell me a product that answers that regulation because it's not applicable. You will lose credibility with that approach and that is a killer when you are contacting someone that you do not know.
4. Find someone that knows me or something about me. You have other clients and vendor contacts - find a mutual relationship. This would be a much better way to introduce yourself. Either ask your contact for an introduction or mention that person directly. I'm also involved in ISACA and ISSA - perhaps you belong to the same chapter. I have a web site and blog - perhaps you have read it. I am an active member of LinkedIn - send an invitation to join your network. Find something that gives you a connection to the person you are calling beyond the product/service you are selling. Give it some thought and put Google to work and you will quickly find the right information.
5. Lead with technology - not telephone. Phone calls are very disruptive and e-mail is not. Send a personalized e-mail to introduce yourself and mention something from #4.
6. Offer value / ask opinions. Perhaps your CTO gave a recent presentation at a conference and you'd like to discuss. Perhaps you are encountered a problem at a different client that we may have solved and would like more information. These are all good ways to get a foot in the door. In my previous employment I was very successful with this - I read a CSO Magazine article about a CISO and called to talk to him about the article. I got the meeting and won the relationship because I didn't lead with an attempt to sell something.
7. Look long-term. People change jobs from time to time. Perhaps you can't help me today, but you might be at a different company tomorrow. If you have a relationship you can take that with you and have an easier time getting a return call or meeting.
These are a few simple suggestions that you can use to improve your success rate - not just with me but with your other prospects and targets. Hopefully you will find them of value.
Of course, the first thing that came to mind was the fact that this would make an excellent on-stage demonstration for a presentation. I picked up a set of keys from eBay for $10 shipped. The 5 bump keys will open most of the commercial locks on the market. That's a scary thought and is a huge vulnerability.
I see this issue as being similar in nature to that of the DVD decss issue of a few years ago. The encryption keys that are used to prevent theft of content on DVDs were cracked and made public. Instead of fixing the vulnerability (which would be next to impossible given hardware in the field), the DMCA law was used to try to make the source code illegal. In the case of bump keys, it looks like we are moving down the same path - a South Dakota attorney is pushing to make it a crime to ship bump keys via the mail.
Wouldn't a better approach be to increase awareness of the vulnerability so consumers can make intelligent decisions about the type of locks they purchase? The goal is to remediate the vulnerability and close the hole. In this case, a determined attacker will be able to acquire a bump key regardless of a law preventing their sale or distribution - all they need is a standard key cutting machine. If you draw a parallel to software vulnerabilities, it would be similar to trying to make the Metasploit Framework illegal. It won't get to the root of the issue which is risk mitigation and remediation of a known vulnerability.
There are many lessons to be learned here - not just for airport security but also for information security. The important point is to analyze the threats, categorize them appropriately, and align your defenses where they make the most sense. We all have a limited amount of resources to deploy when protecting information and lessons such as this go a long way to refining our risk assessment methodologies.
]]>
1. Join LinkedIn and establish your profile. The profile MUST include your position at PW/CL or PwC in the experience section.
2. Send me a connection request to my email address: rjb AT robertjbrown D0T com. This can be done via the big yellow button in the upper-right corner of the LinkedIn site.
3. When sending the connect request, indicate that you are a PW/CL or PwC Alumni, the years you worked at the firm, your office location during your time with the firm, and the name of the Partner you reported to. Incomplete applications will be denied.
Note: I am the only administrator for the site and it sometimes takes me a few days to get back to you. I do reply to all connection requests and group additions.
]]>Many professionals advance their business goals by counting on professional groups, alumni groups and workgroups to make vital new business contacts which will enhance their trusted connections. To support this important type of networking, LinkedIn? for Groups enables existing groups to get their members “Linked In” — bringing their members extra features for networking and strengthening interconnections between each other.
Benefits for group members:
-- Accelerate your career through referrals from group members
-- See a list of all your fellow group members
-- Search within your group for vital new contacts
-- Use special contact settings to communicate directly with fellow members
LinkedIn is an online network of more than 5 million experienced professionals from around the world, representing 130 industries. When you join, you create a profile that summarizes your professional accomplishments. Your profile helps you find and be found by former colleagues, clients, and partners. You can add more connections by inviting trusted contacts to join LinkedIn and connect to you.
Your network consists of your connections, your connections’ connections, and the people they know, linking you to thousands of qualified professionals. Through your network you can:
-- Find potential clients, service providers, subject experts, and partners who come recommended
-- Be found for business opportunities
-- Search for great jobs
-- Discover inside connections that can help you land jobs and close deals
-- Post and distribute job listings
-- Find high-quality passive candidates
-- Get introduced to other professionals through the people you know
LinkedIn is free to join. They also offer paid accounts that give you more tools for finding and reaching the right people, whether or not they are in your network.
]]>