So what do you hate about SOPA?

Really, what is it that you hate about SOPA? Is it the blocking of trafficking in inherently dangerous goods or services or is it protecting U.S. businesses from foreign and economic espionage.

Or is it that your best friend’s sister’s boyfriend’s brother’s girlfriend heard from this guy who knows this kid who’s going with the girl who knows something about DNS that told you it will force YouTube off the internet. I guess it’s pretty serious.

The truth is that bill does have some obtuse language that if twisted around and ran through enough Outrage Enhancement Filters™ could lead you to believe that if you have a link to a Jay-Z MP3 on your blog that it will get taken off the internet and you’ll never be able to get it back.

That needs to be fixed and the House Judiciary Committee is going to have to a hearing in February to mark up the bill (read: re-write it) to clean up some of the language.

This bill is obviously about large scale pirating sites like the pirates bay. The fact companies like Wikipedia, Reddit, Tumblr, OpenDNS and Thinkgeek are standing up for these pirate websites has to have them feeling like they won a huge battle.

Hackers steal 24 million users’ information from Zappos

This weekend Zappos announced they were hacked and lost a DB that had your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number and/or your cryptographically scrambled password.  For some reason it was also important to let people know their server was in Kentucky?

Ok? So what does this mean to someone with a Zappos account?

It shouldn’t mean anything unless you reuse your online passwords. Then you NEED to change your passwords on all sites that share your Zappos password.  

It is really important to stop reusing passwords on the internet. It’s the fastest way to go from a small incident like this to someone having access to your email, banking, corporate and social media accounts.

Here is how I stop password reuse. Its simple, cheap and effective.

Crossing the Rubicon and Decision Making Skills

Today is the 2,061st  anniversary of the crossing of the Rubicon by Caesar.

It got me thinking about how it is recorded in history and what it can teach us about decision making skills. 

I know of two places it is prominently recorded:

The Life of the 12 Caesars has it recorded like this:

When he came to the river Rubicon, which parts Gaul within the Alps from the rest of Italy, his thoughts began to work, now he was just entering upon the danger, and he wavered much in his mind, when he considered the greatness of the enterprise into which he was throwing himself. He checked his course, and ordered a halt, while he revolved with himself, and often changed his opinion one way and the other, without speaking a word. This was when his purposes fluctuated most; presently he also discussed the matter with his friends who were about him, (of which number Asinius Pollio was one,) computing how many calamities his passing that river would bring upon mankind, and what a relation of it would be transmitted to posterity. At last, in a sort of passion, casting aside calculation, and abandoning himself to what might come, and using the proverb frequently in their mouths who enter upon dangerous and bold attempts, “The die is cast,” with these words he took the river. Once over, he used all expedition possible, and before it was day reached Ariminum, and took it.

Plutarch’s Life of Caesar has it recorded like this:

Then, overtaking his cohorts at the river Rubicon, which was the boundary of his province, he paused for a while, and realising what a step he was taking, he turned to those about him and said: “Even yet we may draw back; but once cross yon little bridge, and the whole issue is with the sword.”

Caesar showed his true decision making and leadership skills here (while deciding to start a civil war).

Caesar did the three things it takes to make a good decision:

  • He took time to himself to think about his choices and the consequences of his actions.
  • He inquired of his mentors and advisors.
  • He calculated the odds and decided the risk was worth the reward.

When it came down to it Caesar didn’t have a clear answer if crossing the Rubicon was 100% going to work but he had put enough thought and time into the decision making process that he knew it would gain him more than doing nothing. It ended up gaining him the world.

Your passwords should never have a birthday party.

How old is the password to your online banking?  Could you throw it a 1st birthday party and invite any of its friends over (Facebook, Email, Amazon, Etc.)?

 

The sad truth is a good password should never live to see its first birthday.  Please help me end birthday parties for passwords in 2012 by changing your online passwords today.

The Capitol looked so cool coming in this morning.

How to “FIX” BSIDES in 3 steps.

If you are in the security community you have seen this scathing criticism of the way BSides is ran and the response.

I wasn’t asked but I have an opinion on how I would like to see BSides fixed:

The forming of a national council of 10 BSides Coordinators who would be responsible for setting guidelines for how new events are brought online and how money from the BSIDES organization is distributed.

Election of an executive officer for a two year term who would be supplied with a modest travel budget to attend as many events as possible to help mentor coordinators.  (My personal vote would be for Jack Daniel to steer the boat for the first two years.) 

The deemphasizing of the two big events in LV and SF as $100,000+ events and the emphasizing of smaller events.  I think the smaller events are going to be the driving force of keeping BSides alive and companies will quickly stop wanting to support parties in Vegas.

What can security professionals learn from Santa?

Santa has a naughty list and checks it twice.
I know “blacklisting” is a naughty word in the security community but Santa does it and so should you.

 

There is no reason that if you are charged with protecting a network you shouldn’t have a list of naughty people you don’t want on your network.  A blackhole DNS server along with ip geolocation blocking can save your network by helping keep known bad people out. 

Everyone loves Santa.
Security people have a bad habit of not being the most liked person in their company and many have taken on the persona of the Grinch and love it.

“No, You cant use your new IPAD on the network”

The bad news is no one likes the Grinch and they aren’t going to check with you when they want to do something. On the other hand everyone loves Santa and will even give you cookies.

Santa does very little work and gets most of the credit.
Santa gets a lot of credit for the mayhem caused on Christmas night but actually does very little of the actual work.


 
As security professionals we spend a lot of time trying to stop “Santa” when we really need to worry about more realistic threats.

Shopping Safely Online.

Last year Cyber Monday sales topped $1 billion for the first time making it the busiest online shopping day ever.  Shopping online can be convenient and save you a bunch of money but here are some easy rules to follow to make sure that you are shopping safely.

Don’t Use Debit Cards Online.
If a website should lose your information to hackers or the website mischarges you that money is coming straight out of your checking account.  You will likely be able to get all your money back but
the time of trying to get money put back into your bank account during the holiday season is a stress that isn’t needed.

Check your credit card statements.
Log in to your credit cards website after purchases and verify that you have been charged the correct amount and check for suspicious activity.

Use Good Passwords.
Your passwords should be as long as possible. Longer than 15 characters is a great place to start.   its not that hard. “its not that hard” is an example of a good password. It is 17 characters long and isn’t easily guessable.

Use Different Passwords.
You should never use the same password on multiple websites. That way if someone hacks one website and steals your password they are not able to access all of your online accounts.  

Protect your computer.
Your computer should always have the most recent updates installed and you should be running up-to-date ant-virus.  I always suggest installing Secunia PSI on your PC and if you don’t have current anti-virus Microsoft Security Essentials is free and does a good job. Also OpenDNS is a great way to make sure your computer can’t access known bad websites.

Pass up deals too good to be true.
A website you never heard of is not selling an IPAD2 for $99. It is a scam to get your credit card information. I promise.

Shop at home.
Wireless networks at your local coffee shops are easy to “eavesdrop” on so the guy in the corner might be writing a paper or he may be waiting for you to type in your password and credit card number so he can steal it.  It is much safer to do all your online shopping at home. 

If you don’t like change, you’re going to like irrelevance even less.

General Eric Shinseki, Chief of Staff, U. S. Army

Site Footer