Security symposium wrap-up; day 1

I started off the morning with YET ANOTHER fall, this time on my outside steps which were icy, but much shorter than the basement steps I fell down last month. Besides a honkin’ big bruise on my hip, I’m all right.
The conference began with a keynote which I’ve already summarized and posted about, so I won’t do that to you again – other than to note that keeping a machine that is used *only* for online banking duties is a great idea, but I’m wondering about the software we use and if a Linux machine (which we could keep safe) will work with the software. Something I need to check into when I get back home.
I also blogged about the morning’s session – centralized logging with Windows – so I won’t go into that either.
Lunch was excellent – just sandwiches and cole slaw, but I was ready for it when it came – and the conversation at my table was better. We began with discussions of the state of cartoons and the fact that cartoons today are so much worse than those of years ago (and I think someone actually said “get off my lawn” at one point, too…). Even though it may be considered violent, who can forget Elmer Fudd singing about killing a rabbit to the tune of Wagner’s operatic compositions? This segued (somehow) into the #hcod problem (the issue of HarperCollins capping ebook checkouts at 26 – do a quick search on the #hcod tag if you aren’t familiar) and then into the fact that librarians often act as the copyright police, even when we often disagree with the rules (this last bit may just be my opinion…). It was an excellent discussion that ran into the next session, so I ended up missing that one.
The geek out at the conference session has also been blogged about here, so I won’t say much other than it was an interesting idea – get everyone into a single room to discuss any issues they are having while a very knowledgeable MORENet employee (Randy Raw) introduced us to people who could help us with that issue or were going through the same thing and would commiserate with us. It was assisted networking and it was a really good idea!
The exhibit/reception was nice – I got to talking to Lee Cushing during the geek out session and we continued the conversation in the exhibit hall. We decided to sign up for a “librarian issues” roundtable tomorrow night as a way to get the few library types who come to this conference together to talk about the stuff that affects us. I’m looking forward to it. Mike showed up during the reception and we walked around the exhibits together before heading outside to talk and wait for Jason Long – the IT person for the local library system – to join us.
Jason is just starting to offer Overdrive (as in, it goes live on Monday) and he had questions. He’s been using Centurion for a while and I had questions. It was a great conversation and a nice way to catch up on what we’ve been doing since last chatting at MLA (though he reads this blog – Hi, Jason! – so he has some idea of what I’ve been doing).
Now it’s time to start hunting down dinner, as soon as Mike finishes his meeting with his co-presenters, and to wind down for the day – ready to start all over again at the 7am breakfast tomorrow!


Geek out at the conf

Geek out – short talks, comments on what’s going on at our orgs, questions to geeks who are doing the same sort of stuff.
First – thin apps on VMWare View for virtualized desktops
New MS licensing for edu, not sure about libraries
Moodle – provisioning second pipe to Morenet to keep from using all the bandwidth of main pipe for hosted stuff like Moodle
Discussion of burstable bandwidth from Morenet
Talked about what’s coming from Morenet – lots of cool stuff…
Replacements for Elluminate – Morenet is looking at BigBlueButton, an open source, Adobe Connect type of content presentation software
Moving from Novell to Windows
Question about filtering mergers and how it’s going to work
Discussion of packet shaping vendors
IPv6 issues – remember logging software (and other software) needs to be able to parse it, too, so check both hardware & software purchases.


Centralized logging with alerts for windows

With Steve Massman and Travis Reddick

KiwiSyslog and SNARE client as well as Logcheck & other open source utilities.
Could get emails every 30 mins that you have to read. Download and read OS security guides!
Log everything – everything. Success and failures both.
Use Windows Server 2003 or 2008 on an existing machine if it’s not heavily used; use a software firewall to allow only your machine to RDP, and lock down ports to only the logging servers. No antivirus software necessary.
KiwiSyslog – $300ish – separate log files by machine
SNARE – free; log the System and Security logs; on domain controllers add the Directory Service, DNS and File Replication logs; look for new events in Kiwi
Logcheck – for 2003, logcheck.ignore is the file you use to filter your logs to keep from being overwhelmed. Examples of what goes into the logcheck.ignore file: case matters, be specific.
Configuring scheduled task – in 2008, disable “network access: do not allow storage of passwords and credentials for network authentication” or the task won’t run.
Splunk? Can manage ASA files – useful for us!
Downloads – FTP://
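As an added illustration of the logcheck.ignore point above (case matters, be specific), and not code from the talk: a small Python filter that applies case-sensitive ignore patterns, logcheck-style, to a few constructed lines in the shape of Snare-forwarded Windows events. Host names, account names and the patterns are made up for the example.

```python
import re

# Constructed sample lines in the shape of Windows events forwarded by a
# Snare agent to a syslog server. Host and account names are made up.
SAMPLE_LOG = """\
Mar 10 08:00:01 DC01 MSWinEventLog 1 Security 4624 Success Audit An account was successfully logged on. Account Name: backupsvc Logon Type: 4
Mar 10 08:00:02 DC01 MSWinEventLog 1 Security 4625 Failure Audit An account failed to log on. Account Name: administrator Logon Type: 3
Mar 10 08:00:03 DC01 MSWinEventLog 1 Security 4624 Success Audit An account was successfully logged on. Account Name: jdoe Logon Type: 10
Mar 10 08:00:04 FS01 MSWinEventLog 1 System 7036 Information The Print Spooler service entered the running state.
"""

# Too broad: "log on" also swallows "failed to log on", so the 4625
# failure never reaches anyone's inbox.
BROAD_IGNORE = [r"logged on", r"log on"]

# Specific, as the talk recommends: only the known-noisy service account's
# batch logons and one known-benign service state change are silenced.
SPECIFIC_IGNORE = [
    r"4624 Success Audit .* Account Name: backupsvc Logon Type: 4$",
    r"7036 Information .* service entered the running state\.$",
]


def logcheck_filter(log_text, ignore_patterns):
    """Return the lines that match none of the ignore patterns, i.e. the
    ones that would go into the alert email. Patterns are compiled
    case-sensitively, like logcheck's egrep rules, so 'logon type' would
    not match 'Logon Type' and would silence nothing."""
    compiled = [re.compile(p) for p in ignore_patterns]
    return [
        line for line in log_text.splitlines()
        if line and not any(c.search(line) for c in compiled)
    ]


def event_ids(lines):
    """Pull the Windows event ID out of each surviving line."""
    return [re.search(r" (\d{4}) ", line).group(1) for line in lines]


if __name__ == "__main__":
    for name, rules in (("broad", BROAD_IGNORE), ("specific", SPECIFIC_IGNORE)):
        survivors = logcheck_filter(SAMPLE_LOG, rules)
        print(name, "->", event_ids(survivors))
```

Running it shows the broad rules leave only the harmless 7036 line while the specific rules still surface the failed logon and the unexpected interactive logon.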

Demo time!


Security symposium keynote

Brian Krebs talked about bank fraud and security. This generally starts with an email attachment (ZeuS) and ends with a company’s money in the Ukraine or Russia. Brian talked about both the computer issues and the human issues – with a fascinating discussion of the mules used to move the money.
Some of the common attacks (in Europe, at least, not seeing it in the US yet) include form field injection, session riding, balance manipulation, and attacks hitting consumers, rather than heavily secured commercial accounts.
Red flags for banks – 10-20 new employees added to payroll, IP address weirdness.
Advice – disallow batches that deviate from standard format (revise banking contract), request low-tech verification, access accounts only from a non-Windows machine (excellent idea – get a dedicated netbook with Mac or Linux installed), get involved and write your lawmaker, require two signoffs for wire transfers.
What’s coming? More litigation between banks & victims, lots of smaller cases coming up, guidance from FFIEC on transaction monitoring/analysis guidelines, a bill from Rep. Schumer – S3898 – to offer schools & consumers the same protections as companies.
Online banking is not secure for small organizations. Banks need to inform customers of risks and sell risk mitigation services.


Quick update to Security 2.0 post

Reading through Bill’s comment on my previous post, I was reminded that I meant to tell you all about a very cool, and very related, compendium of information that the folks at the MuniGov 2.0 organization have compiled. The Web 2.0 Security page is basically an annotated collection of reports and “thought pieces” from all over the web, put together and given to us for free! There are positive and negative pieces included – you can read through them and make up your own mind, but as Bill so nicely stated in his comment – our job as IT people is to *support* business use, not stand in the way of our internal customers as they try to do their jobs. If we can do that and maintain security, we’re golden!
Update to the update – I just found a link (via the privacyala Twitter account) to an article on Facebook & privacy. The sentence that makes it relevant to this post is:

Policymakers cannot make Facebook completely safe, but they can help people use it safely.

I’m headed off to read the article now, but thought I’d post a quick update here first, to let others know about it!


Your Web 2.0 App is a Security Threat

Read/Write/Web today has a story on the dangers of Web 2.0 behind the firewall. They are profiling a company called FaceTime that gives IT departments a way to add web application scanning to their network. Most IT departments do some scanning, at least at the firewall, for malicious applications and sites, but few do any kind of searching for web applications (think Facebook apps, Google’s Team Sites, unsupported IM capabilities, etc.). This company is offering a way to do that. RWW’s take on the matter, in the post Your Web 2.0 App is a Security Threat – ReadWriteWeb is:

Of course, when users become their own I.T. department, they’re unknowingly introducing inherent risks into the previously hardened network infrastructure. Just because a web app is easy to operate, that doesn’t make it safe and secure for enterprise use. As users upload and share sensitive files through these unapproved backchannels or have business-related conversations through web-based IM chatrooms, they might not only be putting their company’s data at risk, they could also be breaking various compliance laws as well.

And this is completely true. The problem isn’t really with the apps, though, it’s with IT departments that refuse to allow *safe* networking practices in their networks. User education, coupled with some monitoring of public sites for confidential information, along with sanctions for misuse of Web 2.0 tools (after the users are educated on proper use, of course) can make Web 2.0 apps part of the IT infrastructure and, consequently, much safer than if the users are off in the “wild west” of web applications, doing things themselves.
I’ve been working on a Tech Report for ALA discussing just how to use these Web 2.0 tools to collaborate with others – and one of the issues that I discuss is the fact that these are publicly facing tools with risks for unintentional leaks of data or confidential information. If your IT department is on the ball and willing to work with you, however, those leaks can be stopped and all of your data can be kept safe – even while you are using these tools to their best effect.
Want more about this? You’ll have to buy the Tech Report next year… until then, however, educating your IT department about the benefits of Web 2.0 applications in the organization will really help to make these things available – in a sanctioned way – for you!
