Backblog—Vaclav Vincalek
Website: http://www.pcis.com/vaclav
Vaclav Vincalek is the founder and president of Pacific Coast Information Systems Ltd. Under his leadership, PCIS evolved into a leading technology consulting services organization with a team of quality-focused professionals representing a broad range of technical and management expertise. PCIS's client base spans virtually every industry in both the public and private sectors. In 2007, Vaclav brought to fruition PCIS's new products division, Boonbox. The division was established in response to growing demand from businesses trying to remain competitive while faced with a shrinking talent pool, decreasing budgets and an increasingly complex I.T. landscape.
So You Followed Proper IT Security Procedures and Still Got Burned? (Part 2 of 2)
Continued from Part 1 of So You Followed Proper IT Security Procedures and Still Got Burned?
My innocent laptop computer was stuck in a dreamless sleep because my password no longer worked – even though I had followed the manufacturer’s own procedures when setting up and updating security on the machine. According to the tech wizards at the manufacturer, the only thing that could awaken the computer from the dead was a $1,300 motherboard.
I didn’t believe them. I went online and instantly found a company that specialized in just this kind of problem: Datronics Custom Computers. They said they could fix it, and for a lot less than the manufacturer was asking for a new motherboard. They had hundreds of glowing testimonials from people all over the world.
It looked legit… but how could this be? The manufacturer insisted the only thing they could do for me was provide a new motherboard. But if Datronics had enough clients to justify a full-time business, that meant two things: the password protection was next to useless (since it can be removed by a third party at no significant cost), and the manufacturer was not offering this effective and much cheaper solution to the hundreds and potentially thousands of customers affected by this bug.
I gave Datronics a call. They confirmed everything on their website. I was still a little leery because of what the original manufacturer was saying, but for $75 Datronics quoted to fix the problem, I’d give it a try.
I shipped them the computer. In about a week, I had it back – working just fine. My password with the unusual characters that the patched BIOS had rejected was erased from the motherboard. Now I could set up my computer’s password again.
But I’m left feeling unsettled. The password on this laptop (and possibly on many other brands) will only protect my information from being accessed by my kids, or someone in my office who might want to snoop on my work. It does not stop a tech-savvy thief from stealing my laptop and sending it off to a legitimate company to remove the password.
Three morals to my true story:
1. Improving IT security is still a reasonable goal for all organizations and claims by vendors that their technology solution will improve security may still be trusted (after undertaking due diligence). But be wary of any business claims of having an “unbreakable” security solution. According to Datronics’ Ali Dabiri, they could read and replace my supposedly unbreakable password in minutes using their own technology solution.
2. Password security is just one part of an overall security strategy to ensure your data is protected. See my tips on laptop security and the value of website security.
3. Your IT security technology and procedures may not work the way you think it should. This is the sad truth that most IT experts won’t want you to hear.
But as my loyal readers know, I am concerned with the current state of the IT industry, which allows some vendors to get away with products that don’t work the way they should.
Vaclav Vincalek
Vaclav's Blog
So You Followed Proper IT Security Procedures and Still Got Burned? (Part 1 of 2)
I got my laptop computer shipped back to me today and it's working perfectly fine – which upsets me a great deal. You see, the computer isn’t supposed to be working.
The manufacturer’s finest customer service reps assured me repeatedly that the only fix for my password-locked machine was replacing the motherboard. For the price they quoted me for that critical piece of hardware, I could have just bought a brand-new laptop. They thought they had me over a barrel.
How did I get into this mess? Ironically, it happened because I did exactly what I was supposed to do to ensure proper security on my laptop. While setting up the computer, I created a complex password with numbers, upper and lower case letters and a punctuation mark to block unauthorized access. To use my computer for anything at all, you had to have the proper log-in password.
It was working fine. Then I downloaded updates and patches, to ensure optimum performance and security. The computer restarted and… my password didn’t work anymore.
I typed in my password. No good. I tried again. No dice. Fine, let’s try something fancy.
But my usual techie work-arounds had no effect. That’s when I called the manufacturer… and they told me that since my warranty had expired, they couldn’t help me reset the password. I had to go through their channel partners. All they could do was offer their sympathies, and a motherboard for $1,300. They told me there was no other solution. So no computer, no encrypted data.
I contacted the business partners and they exhibited absolutely no interest in helping me. F $#%# s
You guessed right. This got me mad. I had done exactly what I was supposed to do according to the manufacturer’s own procedures for setting up their computers. And now I had to pay through the nose because they hadn’t tested properly for this bug back in development.
I wasn’t going to give in to the manufacturer’s shakedown. I made a phone call…
Part 2
Vaclav Vincalek
Vaclav's Blog
How To Protect Your Information On Your Laptop From Being Stolen
Pretty much everyone and their dog has a laptop, Macbook, Blackberry or some other kind of portable computing device (all hereafter referred to as "device"). Protecting your information on that device from cyber thieves (or just plain ordinary thieves) isn't easy. But it gets easier if you take security precautions.
A recent case of government actually doing something right when it comes to security highlights one security solution. The Canadian federal government recently confessed that a laptop with the private information on 32,000 farmers was stolen a little while back. (Winnipeg Free Press).
But there is a slim ray of hope that the information might not be compromised: the laptop was reportedly password-protected and secured with biometric fingerprinting, even if the data itself was not encrypted.
As identity management blogger Dave Jevans (Thieves Steal Canadian Laptop With 32,000 Farmer’s Personal Information) has noted, the biometrics security measure doesn’t stop the thieves from simply removing the disk in the computer and inserting it in another computer to get access to all of the information. But it’s better than nothing.
There are other steps one can take for better security -- some are just common sense, while others require a technology solution:
1. Never share your device with anyone. "But we were going out! I thought I could trust her!" -- doesn't cut it when high-resolution images of your hairy butt end up in all your relatives' inboxes.
2. Don't turn your back on your device, particularly in a public place. Would you leave your wallet full of all your ID on a desk at the library, even eight steps away as you answered your cellphone? Thieves can snatch your stuff in an instant.
3. Use a remote data storage backup solution. This may not prevent thieves from looking at your information, but at least you won't have lost all of your data. You'll be able to access all your data even if your device is nowhere to be found.
4. Ensure your data is encrypted and password-protected. To the thieves, your device will be about as valuable as a lump of plastic and copper.
5. Use a laptop security tracking device. Not all portable computing devices may have this capability built in, but you can get it for laptops. The thieves are going to be awfully sad when the cops show up at their door fifteen minutes after they turn on your computer -- and you may just get it back before the goons have even had a chance to go on an on-line shopping spree with your credit card number.
If you have any other tips for protecting your info from thieves, feel free to share. People need this info.
Vaclav Vincalek
Vaclav's Blog
How to Calculate Return On Investment (ROI) for Web Security
Calculating ROI on web security doesn’t have to be tricky. Actually, it can be pretty straightforward. And it's critical for organizations to do the calculation, since we can reasonably assume that unprotected web applications will get hit eventually.
Industry analysts suggest just one in 30 websites may be secure, and security breaches get reported virtually every day. Big or small, locally-hosted or run from China, all those websites are vulnerable. So we know that the likelihood of your organization getting hacked is much higher than the probability of pretty much any other kind of business disaster, from arson to a robbery or an earthquake.
So it's safe to assume that your web app is open to abuse from hackers using cross site scripting and other tactics. Now it's time to do an ROI calculation for web security.
Now let’s imagine a medium-sized company does $1 million in sales or donations every year through its website. Every day, the website brings in about $2,740. Finally, let us assume an initial investment of about $10,000 for regular web security scanning and IT consulting over one year to fix hacker vulnerabilities.
If this security solution prevented a security breach (or several) that forced a shutdown of the website for just four days out of an entire year, the investment will have more than paid for itself (Security investment = $10,000, Retained revenue = $10,960).
This doesn't even include the money saved from not having to deal with legal costs and crisis management (potentially millions of dollars). In this calculation, ROI is similar to that for purchasing insurance.
Then there's the added-value web application security ROI calculation. Looking at the same business as before, we'll add on 15 per cent extra revenue from web traffic conversion (Ask Dave Taylor) that a security solution can add if publicized properly (which is negated in the event of a well-publicized breach).
In this case, the extra 15 per cent means an extra $150,000 in revenue per year. This means that this organization earns $410 per day extra from the web application security solution, even if there is no security breach all year long. In 24 days, the solution would pay for itself.
As we've seen, the ROI of web security can be easily demonstrated.
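A small calculator that generalizes the two scenarios above (the avoided-outage "insurance" case and the conversion-uplift case), added here as example code that is not from the original post. The function and field names and the 365-day year are my assumptions; the dollar figures in the demo are the post's own.

```python
"""Web security ROI calculator (added example, not from the original post).

It reproduces the post's two calculations in one function:
  1. 'insurance' case: revenue retained by avoiding website outage days
  2. 'added value' case: extra revenue from a publicised security posture
and also reports the break-even figures the post derives by hand.
"""

from dataclasses import dataclass
from typing import Optional

DAYS_PER_YEAR = 365  # assumption: revenue accrues evenly across the year


@dataclass(frozen=True)
class RoiResult:
    daily_revenue: float            # revenue the website takes per day
    retained_revenue: float         # revenue saved by the outage days avoided
    added_revenue: float            # extra annual revenue from conversion uplift
    net_benefit: float              # retained + added - investment
    roi_percent: float              # net benefit as a percentage of investment
    breakeven_outage_days: float    # avoided outage days that repay the spend
    payback_days_from_uplift: Optional[float]  # days for uplift alone to repay it


def web_security_roi(annual_revenue: float, investment: float,
                     avoided_outage_days: float = 0.0,
                     conversion_uplift: float = 0.0) -> RoiResult:
    """Compute ROI of a yearly web-security spend.

    annual_revenue:      sales or donations taken through the website per year
    investment:          yearly cost of security scanning plus remediation work
    avoided_outage_days: days of downtime the spend is assumed to prevent
    conversion_uplift:   fractional revenue increase credited to visible security
    """
    if annual_revenue < 0 or investment <= 0:
        raise ValueError("annual_revenue must be >= 0 and investment > 0")
    daily = annual_revenue / DAYS_PER_YEAR
    retained = daily * avoided_outage_days
    added = annual_revenue * conversion_uplift
    net = retained + added - investment
    # How many outage days must be avoided before the spend pays for itself.
    breakeven_days = investment / daily if daily else float("inf")
    # How many days of uplift revenue alone repay the spend (None if no uplift).
    added_per_day = added / DAYS_PER_YEAR
    payback = investment / added_per_day if added_per_day else None
    return RoiResult(daily, retained, added, net, 100.0 * net / investment,
                     breakeven_days, payback)


if __name__ == "__main__":
    # The post's figures: $1M/year through the site, $10,000 yearly spend.
    insurance = web_security_roi(1_000_000, 10_000, avoided_outage_days=4)
    uplift = web_security_roi(1_000_000, 10_000, conversion_uplift=0.15)
    print(f"daily revenue:        ${insurance.daily_revenue:,.0f}")
    print(f"4 outage days avoided: retained ${insurance.retained_revenue:,.0f}, "
          f"break-even at {insurance.breakeven_outage_days:.2f} days")
    print(f"15% uplift:           +${uplift.added_revenue:,.0f}/year, "
          f"pays back in {uplift.payback_days_from_uplift:.1f} days")
```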
Other resources and ROI tips that an IT manager, marketing manager, sales manager or CFO may find helpful:
Calculating security ROI is tricky business. A Computer World article about the metrics of calculating security ROI.
WSI Website Traffic Conversion Rate Calculator. Use it to calculate how much your website traffic is worth – and how much your organization will lose if a hacker takes you down.
Hopefully, this example will help you get started on some long-overdue web security ROI number-crunching.
Vaclav Vincalek
Vaclav's Blog
Would You Give Me Your Password For A Candy?
The human factor can make identity management a tough challenge. There’s a classic scene in the popular TV sitcom Seinfeld where Kramer tries to figure out George’s secret password. Through a process of deduction, Kramer starts getting very close to the secret word (“Bosco”, a chocolate sauce George likes to pour on his cereal). “Ovaltine! Hersheys! Nesquick!” Kramer shouts, as George flees from the apartment.
Kramer probably should have just offered George some candy for the password and saved himself the trouble. I was reminded recently of a survey that showed more than 70 per cent of people would reveal their computer passwords in exchange for a bar of chocolate (BBC News). Over a third of respondents didn’t require any kind of inducement and happily blurted out their password, no strings attached. And nearly four-fifths of the population would volunteer significant clues to their passwords in casual conversation.
http://www.youtube.com/watch?v=YY03ymgskNI
And even if you are the type of person who is vigilant enough not to give away your password for a Hershey bar, remembering passwords is tough. Just looking at the average computer user using passwords to access email, blogs, newswire subscriptions and social media applications like Facebook and MySpace, remembering passwords can start to get awfully frustrating. And we haven’t even gotten to the office, where you may need numerous passwords, including odd spelling, numbers and symbols, just to use all of your work applications.
So, it's too easy to give away passwords and it's too hard to remember them. But there may be a solution that can deal with both of these problems.
Humans are natural at pattern recognition. We remember pictures better than words, and much better than nonsense words containing odd punctuation marks and numbers. Instead of typing in passwords, we could just choose pictures.
Imagine a series of four screens showing pictures on different themes -- let's say, mountains, buildings, animals and fruit. On each screen, you select the picture that you like the best from fifty or so examples (e.g. the craggy mountain with the orange moon behind it and pine trees at the base). Four screens later, you've got a password that you will always remember. Not only that; it would be extremely difficult to casually give away your password, since there would be far too many variables to describe except in a very long and involved conversation.
So, are we stuck with awkward uppercase-lowercase-letter-number-punctuation based passwords? More importantly, would you want to use this type of image-based password?
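Before adopting a scheme like the one sketched above, a practitioner would want to know how large its guessing space is. The following is an added example, not from the original post: it computes the entropy of a picture password built from a given number of screens and pictures per screen, and sets it beside conventional text passwords. The function names and the comparison password lengths are my assumptions; the 4 screens of roughly 50 pictures are the post's figures.

```python
"""Keyspace of the picture-password scheme (added example, not from the post).

Assumes, as the post does, that every screen offers the same number of
pictures and the user picks exactly one per screen. Entropy figures assume
each choice is equally likely; real users favour certain pictures, so the
effective value is lower.
"""

import math
from typing import Dict


def picture_password_bits(screens: int, pictures_per_screen: int) -> float:
    """Entropy in bits of one picture chosen uniformly on each screen."""
    if screens < 1 or pictures_per_screen < 2:
        raise ValueError("need at least one screen with at least two pictures")
    keyspace = pictures_per_screen ** screens   # e.g. 50**4 = 6,250,000
    return math.log2(keyspace)


def text_password_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random text password."""
    if length < 1 or alphabet_size < 2:
        raise ValueError("need length >= 1 and an alphabet of at least two symbols")
    return length * math.log2(alphabet_size)


def screens_needed(target_bits: float, pictures_per_screen: int) -> int:
    """Smallest number of screens at which the picture scheme reaches target_bits."""
    if pictures_per_screen < 2:
        raise ValueError("need at least two pictures per screen")
    return math.ceil(target_bits / math.log2(pictures_per_screen))


def compare(screens: int = 4, pictures_per_screen: int = 50) -> Dict[str, float]:
    """The post's scheme beside text passwords of the kind the post complains about.

    Alphabet sizes (assumed): 26 lowercase letters; 94 printable ASCII symbols
    covering upper/lower case, digits and punctuation.
    """
    return {
        "picture_4x50": picture_password_bits(screens, pictures_per_screen),
        "text_8_lowercase": text_password_bits(8, 26),
        "text_8_mixed_case_digits_punct": text_password_bits(8, 94),
    }


if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name:32s} {bits:5.1f} bits")
    # Screens required for the picture scheme to match an 8-symbol mixed password.
    target = text_password_bits(8, 94)
    print(f"screens of 50 pictures to reach {target:.1f} bits: "
          f"{screens_needed(target, 50)}")
```

With the post's parameters the space is about 6.25 million choices (roughly 22.6 bits), which is only adequate where guesses are rate-limited, as at an online login prompt, not where a stolen verifier can be attacked offline.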
Vaclav Vincalek
Is Your Website Safe?
Well, is it? It seems like a simple question. But as I said in a presentation about web security last week, when it comes to this question, far too many IT professionals are reduced to shrugging their shoulders, turning to their clients or bosses and nodding their heads. “Sure, it’s safe.
“We’ve got a firewall. We’ve got virus scanners. Our spyware zaps anything that looks remotely suspicious. Oh, yeah, it’s safe. You wouldn’t believe how safe it is…”
If that’s true, then how come we see headlines like "Major Security Sites Hit By Cross-Site Scripting Bugs" (Computerworld)? Or “Hackers Target the Financial Gazette Website” (AllAfrica.com)? How about “Hacker Tries to Set Off Epileptic Seizures in Web Users” (Citynews.ca)?
We see stories like this virtually every day. So is it really safe?
As the video below demonstrates, hackers can be awfully persistent and try a range of techniques to get what they want. Only the toughest pro-active defence can keep them at bay.
http://youtube.com/watch?v=YzfTzge8Tjc
When I speak to audiences like the one last week, I like to remind them that firewalls and other well-known security measures are useless against web-based attacks at the application level. But that's where 75 per cent of the attacks occur. Hackers love this target-rich environment of insecure websites that allow them to exploit the information of every user who visits the site.
Some web developers will throw up their hands and wonder aloud why it’s their problem if their clients get hacked through their websites. After all, so long as hackers aren’t actually preventing e-commerce transactions to the company or trashing the company website, why should they care?
Aside from wanting to comply with security compliance regulations, organizations have a real incentive to protect their website users from being hacked: earning the trust of their users.
To demonstrate, let's try to look at this issue from a simpler perspective. Imagine two grocery stores right next to each other. In one, they’ve taken measures to protect your safety and security so that the place doesn’t burn down while you’re shopping. The perishables are refrigerated at the right temperature, you won’t have to deal with shady criminal types at the cash register. You definitely won’t have to worry that when you check out, your credit card information will end up in the hands of thieves.
In the other grocery store, the store manager decided to cut corners and didn’t install any measures to protect his product or customers.
Where would you go to pick up your groceries? Now imagine that there are thirty grocery stores in the city, but again, only one grocery store is known for at least trying to look out for their customers’ safety. This corresponds roughly with the fact that around one in thirty websites is protected from cross-site scripting (XSS) hacks (Data Protection).
Worldwide, there may be around 70 million websites that aren't safe. These sites could have implemented the security solutions that would check for vulnerabilities on an ongoing basis and provide suggestions for a fix.
And if website developers implemented these security solutions during development before websites even went live as a standard procedure, every organization and user on the Internet would benefit. Organizations that use web security applications to protect the clients who use their websites are ultimately protecting themselves.
Getting back to the original question – “Is it safe?” -- the clear answer is “Yes, it can be safe.”
Sticking one’s head in the sand and hoping that your website is the lucky one in 30 that is safe or that it won't get discovered by hackers is a gamble with the odds stacked against you.
So, what have you done to make your website safe?
Vaclav Vincalek
If you are over 50, we can’t let you die
As our technology changes, the challenge of storing data and later accessing original records gets more complicated. We’ve been using paper for thousands of years. But how long have we been maintaining records as PDF files?
After transferring information from a tape to 8-inch floppy, to 3-inch floppy, to a memory stick, are we really dealing with an original document? If the content has been pasted from WordPerfect to MS Word, how can we be certain the information hasn’t been modified?
What happens to the information’s status when the software goes through an upgrade from version 2.4 to version 2.5? When can electronic scanned versions of paper documents even be considered “official” records, for the purposes of legal trials, financial audits?
These questions aren’t exactly new, but given the rapid multiplication of hardware and software technology for storing information, they’ve become awfully important.
Individuals and organizations can have professional or legal obligations to store records for five, 10, 50… sometimes 100 years. It affects financial institutions, insurance agents, investment brokers, law enforcement professionals, any kind of company, homeowners… OK, pretty much everyone.
There is an awfully cumbersome solution to the problem. Save every record in its original format. Keep every version of software you’ve ever used. Keep all the hardware you need to display it.
But of course, if you’re going to keep all that stuff, you’ll need to know how to use it. Do you remember how to use WordStar, XyWrite or Sprint (if you’ve never heard of these, look them up on Wikipedia)? Will anyone know how to use them 50 years from now to access original documents?
After all, if no one knows how to use the technology to access the information, all that dusty hardware you’ve kept in your closet for the fateful day when you need the original record of your insurance contract or business partnership agreement… is worthless.
So, what’s the solution? Do we fight a losing battle to keep all the geezers (not the one from Black Sabbath) alive as long as possible so we can run Windows XP in 2058?
Data storage isn’t just about filing your documents away and forgetting them. It requires long-term planning. Right now, every upgrade and new development in software and hardware is just taking us further into uncharted territory with no record to show us the way.
If anyone thinks they've got an idea for the way ahead on this critical problem, I'd be glad to hear your thoughts.
Vaclav Vincalek
eMail is for Losers
For many years I have been saying 'email is for losers'. The way email is used and the way email systems have been designed—I felt there is something fundamentally wrong with the picture.
Some examples that highlight this are:
- people/organizations do not know how to use email—or how to manage it over the long-term (i.e. where to file it, how to store it, etc.)
- the folder structure inherent in email systems in general is inadequate for effective information management
- there is no reasonable retention mechanism—unless you consider a call from the IT department announcing 'you have too much email, please delete immediately' effective
Recall the 'good old times' when there was no email system and we relied on a simple system of ink/paper for sending mail. One cannot dispute that the correspondence/communication had a clear structure, as did the documents themselves. If this was possible for paper-based communication, then why can't it be extended to electronic communication—and to any document created today?
We already have the capability to send a document from within an application (MS Office, StarOffice, OpenOffice, etc.). What is lacking is the capability to store the communication ('email') in the same manner as we are able to store other documents. Also lacking are the ability, tools, and structure to enable the inclusion of metadata on these types of documents.
What we should have is:
- an open standard for all types of documents including email, which you can say is a document with routing properties
- a common repository for documents—a storage architecture/database rather than relying on the file system and directory structure
It would then be possible to have a (database) engine to facilitate creation, access, and retrieval of the stored documents/data—independent of the client in use.
Benefits:
- For End-users—No need to manage folders. Automated retention. Automated/assisted association between related documents
- For IT departments—Centralized storage for all documents. More efficient and complete backup and disaster recovery processes.
- For Business—More manageable retention policies, security and compliance.
Additional systems accessing the storage—data mining, search, collaboration, contextual association, workflow.
What it would mean to you:
- getting rid of systems like GroupWise, Exchange or Domino on the back end
- keeping software which allows us to manage documents.
Here you can see the diagram of email 2.0
Vaclav Vincalek