Tech on Tech

25 More Tech Tips and Tricks by David Pogue

noreply@blogger.com (rdauman) — Sat, 04 Jun 2011 22:23:00 +0000

David Pogue is at it again and we would be remiss not to listen.

Enjoy!

Easy Steps to Improve Your PC's Performance

noreply@blogger.com (rdauman) — Sat, 13 Mar 2010 20:14:00 +0000

This article is from AOL and does recommend some AOL products; however, the majority of the content is informative - and easily overlooked!

Easy Steps to Improve Your PC's Performance

OWASP Top 10 - #1 - Cross Site Scripting (XSS)

noreply@blogger.com (rdauman) — Sun, 18 Oct 2009 23:00:00 +0000

In another post, I said I would talk about the OWASP Top 10, which is a list of the 10 most dangerous current Web application security flaws. This list, interestingly, is built into both the PCI DSS standard as well as Shared Assessments.

#1 on the OWASP Top 10 is Cross Site Scripting (XSS), which, per OWASP is:

whenever an application takes user supplied data and sends it to a web
browser without first validating or encoding that content. XSS allows
attackers to execute script in the victim's browser which can hijack
user sessions, deface web sites, possibly introduce worms, etc.

For more information on XSS, check out this nice FAQ.

In the next post we will cover #2 on the Top 10.

DID YOU KNOW? Shared Assessments' Application Vulnerability Assessment actually contains 11 attributes. Can you name #11?

Cisco Tip: ip default-gateway

noreply@blogger.com (rdauman) — Sat, 17 Oct 2009 23:17:00 +0000

The ip default-gateway command is used when you need to configure a default router and IP routing is either disabled or not available (on the 2960, for example).

Aside from looking through the configuration (show run | inc default-gateway), how can you check to see that your default router has indeed been configured?

Use the show ip redirects command to see your just configured default router. Give it a try!

What is the best method for baselining your control environment?

noreply@blogger.com (rdauman) — Sat, 17 Oct 2009 19:27:00 +0000

CobiT combined with ITIL and ISO27001/2? CobiT in combination with another standard?

What are your thoughts?

Using 1Password & RoboForm can keep you safe.....cont'd

noreply@blogger.com (rdauman) — Sat, 17 Oct 2009 13:38:00 +0000

If you need further convincing about the importance of good password management, check out this recent article.

After reading this article and the Newsweek article mentioned here, it is no small wonder that 1Password is the solution to this over 30-year-old problem.

Securing your password.....and your wallet! (Using 1Password & RoboForm can keep you safe)

noreply@blogger.com (rdauman) — Fri, 16 Oct 2009 13:13:00 +0000

What do you think of when you think of security? Still thinking, right? Exactly. No surprise, then, that functionality and utility have taken the front seat when it comes to application development. Today, however, with the rampant spread of cross site scripting and sql injection attacks, not to mention the already inescapable viruses and malware that live and breathe on anything running Windows, things are starting to change.

One of the most important facets of security is your password - the key to the castle. Newsweek just came out with a great article on building a better password. But, for my money - and that's what we are really trying to protect a lot of the time when we are online - there is no better solution than 1Password. For those of you still in the unfortunate position of having to use a PC (and that is how I look at it), you can turn to a good solution like RoboForm. But, for those in the know, we use a RoboForm for the Mac, if you will.

I have written about 1Password before, so will let you read my other posts to find out about it. My point in this post is that if you want to be secure online you need to have good (at a minimum) password management. By this, I am talking about a password that is not easily going to be hacked by a brute-force attack - something not easily guessed. With 1Password, you get all of this. And, further, 1Password automatically fills all of your forms for you.

I will be writing more about security soon, but you can find out more about how to secure your Mac now with 1Password here.

Locking Down Your Switch.....Cont'd

noreply@blogger.com (rdauman) — Fri, 18 Sep 2009 04:36:00 +0000

I have been talking here and here of the importance of locking down your switch (indeed your network in general) and why this is so important. It seems to me that the most basic controls are often the most overlooked. It is not surprising that most best practices call for basic network physical security and, on the same note, it is not surprising that basic security is often overlooked.

Looking through PCI DSS, for example, you will see a requirement both for WAFs (Web Application Firewalls), which operate at Layer 7, and for restricting physcial access at OSI Layer 1. Indeed, it doesn't make sense to put 3 deadbolts on the front door if the back door or a window is still open.

Shared Assessments is a member-driven industry standard used to "inject standardization, consistency, speed, efficiency and cost savings into the service provider assessment process." This standard also requires that physical ports be locked down (disabled) as referenced in:

I.3 Secure System Hardening Standards: Unnecessary physical access ports disabled or removed.

On another note (and I will discuss in another post), it is interesting to note that both PCI DSS and Shared Assessments include OWASP Top 10 as requirements.

Cybersecurity Act of 2009

noreply@blogger.com (rdauman) — Sun, 13 Sep 2009 22:20:00 +0000

The Cybersecurity Act of 2009 is something to keep your eye on.

Here 's what you need to know.

MasterCard's Security Changes and its impact on PCI Compliance

noreply@blogger.com (rdauman) — Sun, 13 Sep 2009 19:58:00 +0000

Over the past few months, MasterCard has made some major security changes that, seemingly, will impact PCI compliance now and in the future for quite a number of businesses.

First, MasterCard advised all Level 2 merchants (those processing between 1 - 6 million payments cards annually) that Self-Assessment questionnaires would no longer be sufficient for compliance; thus, Level 2 merchants would now be required to have a third-party perform an on-site assessment. This new change "can cost $10,000 - $30,000 per year for a merchant already PCI-compliant and more for a retailer meeting the standard for the first time."

Not too surprisingly, merchants are looking for alternative payment methods (i.e. PayPal) in order to reduce the number of card transactions.

MasterCard, with their second big security change, has decided to disallow merchants' use of RKI (remote key injection) services to install new encryption keys on POS systems. This new rule by MasterCard jeopardizes the on-going Triple DES compliance efforts for all POS terminals: merchants have until July 2010 to upgrade their POS terminals from DES to Triple DES. If this upgrade now has to be done manually, as opposed to automatically with RKI, it could make meeting the July 2010 deadline quite difficult for businesses with a large number of POS terminals.

More on Locking Down Your Switch.....

noreply@blogger.com (rdauman) — Sun, 13 Sep 2009 19:10:00 +0000

In my last post I talked about the importance of locking down (disabling) physical access on your network switches to only those with authorized access. I discussed how, along with being a best practice, it is also a requirement of such standards as PCI DSS and ISACA.

Let's add another standard to that list today and that's NERC. Indeed, NERC CIP 007-1: R2 states that "The Responsible Entity shall establish and document a process to ensure that only those ports and services required for normal and emergency operations are enabled."

More to come.....

Lock Down Your Switch, or Else!

noreply@blogger.com (rdauman) — Sat, 12 Sep 2009 18:33:00 +0000

Locking down your switch is one of the most important steps to do (for the network engineer) or verify (for the IT auditor). Indeed, restricting physical access to your network to only those authorized is paramount. Further, it is a requirement of PCI DSS (9.1.2. Restrict physical access to publicly accessible network jacks) and ISACA (P8 Security Assessment—Penetration Testing and Vulnerability Analysis - 6.1 Rogue Access Jacks)

Looking at this from both an operational and assurance mindset, it is equally important to ensure physical access control. But, as I am sure you are aware, importance is relative. How often is PCI DSS 9.1.2 given a checkmark for compliance on either your Self-Assessment Questionnaire or on-site assessment?

From an audit, and even an engineering perspective, it is really a best practice to lock down your switches and disable any ports not in use, especially those going to areas where people may have easy, unattended access to the network.

Of course, for those in site support who may have to set up new user connections, it is quite cumbersome if the ports they need to plug their patch cables into are disabled. Indeed, instead of patching their cable and being on their merry way they now need to create that dreaded change request!

When you are on the operational side - and are feeling the pain - it is hard to see the merit of going through these processes. But, when you realize that there is a reason why the change request asks for business impact and, in many cases, will need business approval you start to see a pattern. The work we do is not in a vacuum - it supports the business. To that end, we need to be cognizant of what we are doing and what the risks are to the business.

So, the next time you need to patch in a new user and the port is disabled. Don't get mad (and, please, don't get even!) - just be glad that someone out there is doing what he/she can to keep your business secure. Now it is your turn.

SAS 70 vs. ISAE 3402

noreply@blogger.com (rdauman) — Sat, 12 Sep 2009 03:41:00 +0000

This article from PWC touches on some of the key differences. One of note is that service organization management are now required to provide a formal assertion acknowledging responsibility for their controls.

More to come.....

More thoughts on PCI DSS

noreply@blogger.com (rdauman) — Sat, 12 Sep 2009 03:35:00 +0000

Network Solutions, whose recent security breach exposed almost 600,000 cardholders, said "We store credit card data in an encrypted manner, and we are PCI (Payment Card Industry)-compliant." Here again is another example of the mindset to which I referred in my last post: PCI compliance does not equal security.

If PCI compliance doesn't equal security, does it equal culpability? Indeed, Heartland's CEO blamed the PCI QSA for the breach. Interestingly, Nevada in June passed a law that mandated PCI compliance for businesses that accept payment cards and provides that compliance will shield such businesses from liability for damages from a security breach.

As the breaches continue, let's recall Visa's statement after Heartland:

PCI DSS remains an effective security tool when implemented properly - and remains the best defense against the loss of sensitive data. No compromised entity to date has been found to be in compliance with PCI DSS at the time of the breach. [emphasis added]

Good to know.

Thoughts on PCI DSS

noreply@blogger.com (rdauman) — Fri, 11 Sep 2009 04:36:00 +0000

Of the Ten Common Myths of PCI DSS, Myth 4 is surely the one most in need of debunking. Indeed, PCI compliance in and of itself will not make you secure. If an organization is to ensure compliance AND security, there must be a "continuous process of audit and remediation."

As one who has worked in change control, I can appreciate the fact that quite a number of PCI requirements pertain to this area.

Perhaps the most important command you can use on a router is "wri mem" - to save any changes you have made. It is nice to see the importance of this concept (saving your work) memorialized in PCI DSS:

PCI DSS Requirements
1.2.2 Secure and synchronize router configuration files.

Testing Procedures
Verify that router configuration files are secure and synchronized—for example, running configuration files (used for normal running of the routers) and start-up configuration files (used when machines are re-booted), have the same, secure configurations.

How to Audit your Network - FOR FREE!

noreply@blogger.com (rdauman) — Sat, 08 Aug 2009 19:52:00 +0000

Quality expert Philip Crosby talked of the price of nonconformance and its related expenses. Too, he talked of the price of conformance and the savings that would result from such conformance. But how do you achieve these savings and to what are you conforming?

Well, when it comes to your data network, you need to make sure it is secure and configured per corporate and any other applicable standards (e.g. HIPAA, SOX, PCI, etc.).

How do I know if my network is secure? How do I know if it is standards compliant? Good questions!

Before you can begin to correct and, subsequently, prevent problems in your network you need to detect them. One such detection tool is Nipper. Nipper is an open source tool that allows you to perform security audits of your network from the command line. Nipper works on multiple platforms (Windows, Mac) as well as reads configuration files from a variety of different vendors (Cisco, Juniper, Nokia, etc.)

Nipper's HTML reports are excellent (note: you can customize Nipper and have it output to other formats such as CSV if you prefer) and they make spotting problems in your network easy and understandable.

Anyone looking to audit their own network (or someone else's) can't go wrong with Nipper.

Through the Looking Glass: How to Brush Up on BGP

noreply@blogger.com (rdauman) — Mon, 26 Jan 2009 20:25:00 +0000

As someone who himself is looking for employment, I can't stress the importance of keeping your skill set sharp. Of course, unless you are working for a Tier-1 service provider, it may not be possible to keep skills such as BGP as sharp as they need to be for today's job market.

Fortunately, as is usually the case, there is a solution in looking-glass and route servers.

Just do a search for "looking-glass server" and you will come across sites such as traceroute.org, which will provide you with a list of servers to which you can connect.

For example, choosing the route server CerfNet Route Server (AS1838) will open a Terminal session on a Mac (on a PC, however, it will open whatever telnet program you are using). Once you click on the link to open the route server, Terminal (or your telnet program) will open with the following prompt:

route-server>

From this prompt, you can now begin to look at the BGP configuration of this device:

route-server>sho ip bgp summ
BGP router identifier 12.129.193.235, local AS number 1838
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer InQ OutQ Up/Down State/PfxRcd
12.129.192.1    4 17233       0       0        0    0    0 never    Active
12.129.192.2    4 17233       0       0        0    0    0 never    Active
134.24.13.2     4 64512 1287988 1287776        1    0    0 11w1d           0
134.24.13.3     4 64512 1287990 1287784        1    0    0 16w4d           0
route-server>

You can try different commands, either from the route servers or the looking glass servers and KEEP YOUR BGP SKILLS SHARP!

How to Backup and Restore your Mac

noreply@blogger.com (rdauman) — Sun, 11 Jan 2009 05:40:00 +0000

For many people, having a hard disk failure on their Mac is tantamount to Armageddon; indeed, should such a tragedy occur without the protection of backup it would truly be the End of Days!

I have spoken in the past about routine backups and you should, at minimum, back up your data monthly regardless of whether your own a Mac or PC.

If you are looking for a good backup solution for your Mac, I strongly recommend the LaCie Rugged drives. The LaCie drives are small, portable, external drives, which, as their name implies, can withstand some wear and tear and moving around. The LaCie drives are Time Machine compatible and support multiple interfaces (USB 2.0, FireWire) as well as speeds up to 500GB.

While I would recommend using Time Machine for your backups, I will make mention that the software that comes with the LaCie drives, SilverKeeper, works pretty well. Of course, for those looking for alternatives to Time Machine and who may want a more robust backup solution than SilverKeeper, you can't go wrong with SuperDuper!

I know Time Capsule is a popular option for many; however, it would not easily fit into my current environment so I have not had the opportunity to test it out and provide any feedback. Of course, I would like to do so at some point. (Apple, are you listening?)

My best recommendation to you is to do your monthly (at least) backups with an external drive (such as the LaCie) using Time Machine (again, since I have not used Time Capsule I can't comment one way or the other about it). But, before you even do your first backup, the FIRST thing you need to do is make your external drive BOOTABLE by installing the Mac OS X installation DVD onto the drive.

When you are setting up the drive in Disk Utility, you need to make sure that you format the drive as "Mac OS Extended (Journaled)" Make sure you choose the option with "Journaled." Also, you need to make sure you go into "Options" and choose GUID Partition scheme.

Once the drive is formatted and partitioned, you can verify the drive is bootable by restarting your Mac and then holding down the Option key as it boots. What this will do is present you with two (2) boot options, one being your current hard disk and the other being your external disk. Choose the external disk for your test.

You should now be prompted to choose a language, as this is the Mac OS X installation DVD. From here, you can now restore from a previous backup, such as a Time Machine backup stored on your external drive.

Depending on how often you do your backups, the amount of data you lose will be minimized proportionally. Of course, you may be that lucky person who does monthly backups and has their Mac crash the day after having done a backup, thus losing not even a day's worth of data. Or, you could be the one who does weekly backups and has their Mac crash the day before their next backup, thus losing 6 days of data! From what I have read about Time Capsule it does appear to be the "perfect" solution - after one really long, monstrous backup, your Mac is incrementally backed up every time it is on, wirelessly, seamlessly - without thinking about it! In practice, however, Time Capsule is not just a backup device it is a full-fledged wireless router and needs to be the PRIMARY wireless device in your environment for backups to work effectively. Further, while it does have 10/100/1000 ports to connect your LAN devices, it only has 3. You need to have 4 ports. If I get the chance to try Time Capsule I will write more.

Good luck with your backups!

Apple pulls antivirus advice from its Web site

noreply@blogger.com (rdauman) — Fri, 05 Dec 2008 14:40:00 +0000

After much brouhaha, Apple has pulled the 2007 81-word document which advised:

"Apple encourages the widespread use of multiple antivirus utilities so that virus programmers have more than one application to circumvent, thus making the whole virus-writing process more difficult,"

Apple, in the same document, recommended antivirus programs from McAfee, Symantec and Intego.

According to an Apple spokesman, "The Mac is designed with built-in technologies that provide protection against malicious software and security threats right out of the box,"

What is the best Smartphone?

noreply@blogger.com (rdauman) — Wed, 03 Dec 2008 15:38:00 +0000

What is the best smartphone? I am probably one of the only people, if not the only one, in NYC who doesn't own a smartphone. Still, when conformity finally sinks in I want to ensure I make the best decision. To wit, what is the best smartphone?

Is it any of these major players?

iPhone (do I even need to say 3G?)
BlackBerry Storm (or, perhaps, the Pearl, Curve or Bold?)
Treo (yes, they are still around!)
HTC G1 (AKA, the Google phone)
Nokia E71
AT&T Tilt
Samsung Omnia

What is the best smartphone?
Did I miss any?
Should I even bother with a smartphone?

What do you think?

RoboForm for Mac and iPhone

noreply@blogger.com (rdauman) — Tue, 25 Nov 2008 20:32:00 +0000

Along with the quite popular 3G iPhones, Apple's newly designed Macbooks are making quick exits off store shelves. As many of these purchases will be by "first-timers," it is a good time to re-visit 1Password.

1Password is a "RoboForm for the Mac and the iPhone." Indeed, it is a password-manager (and lots more!), which can be used on both the Mac and the iPhone (and iTouch, even). If you are familiar with RoboForm on the PC, you will know that it is a program you really can't live without once you have started to use it. Similarly, once you have used 1Password for the Mac or the iPhone you will see that 1Password is really more than just a "RoboForm for the Mac" or a "RoboForm for the iPhone." Instead, it is truly a unique program that has no peer either in Mac OS or Windows.

You can download 1Password for FREE to see if this is something you might like - what have you got to lose?

Still not sure? Check out the short 3-minute movie to see 1Password in action!

Microsoft drops bid for Yahoo

noreply@blogger.com (rdauman) — Sun, 04 May 2008 05:20:00 +0000

Microsoft dropped its bid for Yahoo just after increasing its offer to $33 per share.

Don't count out Microsoft. Indeed, third time may be the charm for Microsoft if Yahoo's stock tanks.

Top 5 Gadgets You Shouldn't Buy

noreply@blogger.com (rdauman) — Sat, 12 Apr 2008 13:40:00 +0000

Check out this article; I can't argue with #5.

Walt Mossberg: Laptop Buyer's Guide

noreply@blogger.com (rdauman) — Fri, 11 Apr 2008 12:19:00 +0000

Fresh off the presses, Walt Mossberg's Laptop Buyer's Guide.

Best CCNP Study Guide: Hop On Board This Train!

noreply@blogger.com (rdauman) — Fri, 04 Apr 2008 14:59:00 +0000

My last post on this subject was almost a year and a half ago. And, in that time, I have not found a better choice for Cisco instruction than Chris Bryant. In fact, things have only gotten better for those with aspirations of becoming certified networking professionals. Indeed, Chris Bryant has partnered with Train Signal to produce, in my opinion, the best Cisco training available today. Period.

The CCNP training, for example, consists of 3 separate courses: BSCI, BCMSN & ONT. Each course contains 2 DVDs, which provide you with both the theory and application of that theory. From the moment you play that first DVD, you are instantly engaged by Chris Bryant's warmth and "Southern Hospitality." The whiteboard lessons are clear, concise and to-the-point; printing them out makes for an excellent guide.

Perhaps the most enjoyable aspect of the training is the feeling that Chris Bryant is actually in the room with you at that very moment. During the lab sections of the video, where Chris Bryant connects into real switches to demonstrate the concepts he has just discussed, you can actually hear him typing away at the keyboard in the background. And, further emphasizing my point above that you feel as though Chris Bryant is there with you, he occasionally "fat fingers" a command and has to backspace - this is what happens in the real world and you are watching it live!

Whether you need to brush up your Cisco skills to study for certifications, or to help you get a better understanding of what you are doing at work day-to-day, Train Signal will get you to your destination.