Today Congress will ask the President for an update on the National Strategy for Pandemic Influenza. This reminded me of an article I read in the December 2006 issue (pp 36-43) of Information Security Magazine. One of the feature stories, Don't Wait for Disaster, looks at what some security managers are doing to address the risk of an avian flu pandemic. A national or even worldwide pandemic poses a risk to an organization's ability to operate, and it is one many of us overlook when creating a business continuity plan.
"You have to start planning," Klahn says. "Everything I've read from
the Centers for Disease Control (CDC) and the World Health
Organization (WHO) characterizes it as a real threat."
The warnings from experts about the possibility of an avian flu
pandemic are certainly ominous. According to WHO, the H5N1 virus--a
strain of avian influenza--has "considerable" pandemic potential. If
the virus becomes fully transmissible between humans, it will spread
throughout the world in three months, the organization believes.
Organizations are planning for such pandemics, but their solutions may introduce new problems at a larger scale. Having employees telecommute via VPN can raise support costs for IT, which may need to improve current VPN capacity, increase bandwidth, and address privacy, security and regulatory concerns. How will paper processes be handled? And what about critical functions that must be performed onsite?
...companies need to plan for how they'll take care of employees who
must come into the facility to perform critical functions...
The article also raises economic issues a pandemic may present, such as the supply of food and other critical infrastructure. It recognizes the possibility of increased demand for online shopping and home delivery; how will distributors get food to grocery stores and then to people?
If anyone has been involved in creating or maintaining a business continuity plan, what are your thoughts on this? Has your organization addressed the risk of a pandemic? Does your organization even have the resources or ability to function during an outbreak?
Posted by Marcin on Thursday, January 11, 2007 in Security.
Thank you very much, InformationWeek! I was reading an IW article, Adobe Patches Acrobat And Reader XSS Bug, 3 Other Flaws, hoping to get some useful information from it. The article contains 15 links, two of which are other IW articles and three of which go directly to Adobe's website. The rest are "techweb" definitions for words like PDF, bug, computer, OS, Linux, server, patch and download. What the hell!?! I know these might generate some advertising revenue, but seriously, defining bug? computer?
After hovering over several of the links, I almost gave up. The two most important links in the entire article are easy to miss. They are:
I have noticed this with every article InformationWeek puts out, and
it's incredibly annoying. I hope they read this. :mad:
Posted by Marcin on Wednesday, January 10, 2007 in News and Security.
I see Michael Farnum has responded to Terry Sweeney's blog post on Phishing your own users. I would just like to remind everyone that, while intentions may be good, people have tried this tactic before with viruses. How many times did we hear about someone writing a virus that removes viruses, or one that enables a security feature? Or how about testing the effectiveness of an anti-virus solution by distributing to users a file (containing a virus) named "DO_NOT_OPEN_ME"? Edit: see How not stop a virus attack.
I feel there are much better ways to measure the effectiveness of your security awareness training. In my opinion, testing users with fake phishing will only confuse them. A couple of suggestions for measuring effectiveness:
- Question and answer testing
- Spot the fake
- A "What would you do?"
Simply coming up with a test would be a much better and less risky way to measure results than seeing who clicks on your phishing scam and who doesn't. To sum it up, I edited a quote from one of the best movies ever made, Office Space:
Tom: What do you say we set up fake sites that entice our users to enter their personal information to measure the effectiveness of our security awareness training program?
Michael: That's the worst idea I've ever heard in my life, Tom.
Samir: Yes, this is horrible, this idea.
Posted by Marcin on Monday, January 8, 2007 in Security.
I came across this today, a Multiple Vendor PDF Document Catalog Handling Vulnerability over at MOAB. I was curious, so I decided to check it out and download the POC exploit code.
The document failed to open on my Windows XP workstation using Foxit Reader version 2.0 build 0922. I ran it through Visual C++ Express to see what I could get from debugging it (unfortunately not much, since I have neither the Foxit source code nor symbols) and got this:
First-chance exception at 0x0042a266 in FoxitReader.exe: 0xC00000FD: Stack overflow.
Unhandled exception at 0x0042a266 in FoxitReader.exe: 0xC00000FD: Stack overflow.
I'll post updates as they become available.
Posted by Marcin on Monday, January 8, 2007 in Security.
I'm at the airport right now, after having gone through an extensive, supposedly random TSA security screening, and came across this article at dheera.net. In summary, the article states that blurring sensitive text in photos is a bad idea. The reason is that, through trial and error (blurring candidate text the same way and comparing it with the blurred original), anybody can derive the information that was blurred. I've had that same idea in my head for a while now; it's interesting to see that the method works.
To mitigate this risk, black out the text in an image (and make sure the black box is flattened into the pixels rather than left as a removable layer) or use the "smudge" tool in Photoshop. In a document, don't just set the text background to black: black text on a black background is still text, and a simple copy/paste into vi or notepad will show it.
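To show why blur is recoverable and a black box is not, here is an added example of mine (not code from the post or from the dheera.net article). It models the trial-and-error attack on a constructed 3x5 pixel font: the "attacker" knows the font and the blur, renders every candidate string, blurs it identically, and keeps whichever is closest to the redacted image. The font, the secret string, the box blur and the function names are all assumptions made for the example; the smudge tool is not modelled.

```python
"""Added example: recovering blurred text by trial and error, versus blacking it out."""
import itertools

# Constructed 3x5 bitmap font for a handful of digits; '#' is an inked pixel.
FONT = {
    "0": ["###", "#.#", "#.#", "#.#", "###"],
    "1": [".#.", "##.", ".#.", ".#.", "###"],
    "2": ["###", "..#", "###", "#..", "###"],
    "3": ["###", "..#", "###", "..#", "###"],
    "7": ["###", "..#", ".#.", ".#.", ".#."],
}
GLYPH_H, GAP = 5, 1   # glyph height, blank columns between glyphs


def render(text):
    """Rasterise text into rows of 0/1 pixels, one blank column after each glyph."""
    rows = [[] for _ in range(GLYPH_H)]
    for ch in text:
        glyph = FONT[ch]
        for r in range(GLYPH_H):
            rows[r].extend(1 if p == "#" else 0 for p in glyph[r])
            rows[r].extend([0] * GAP)
    return rows


def box_blur(img, radius=1):
    """Mean filter over a (2r+1)^2 window with zero padding: lossy but deterministic."""
    h, w = len(img), len(img[0])
    size = (2 * radius + 1) ** 2
    out = [[0.0] * w for _ in range(h)]
    for y in range(h):
        for x in range(w):
            total = 0.0
            for dy in range(-radius, radius + 1):
                for dx in range(-radius, radius + 1):
                    yy, xx = y + dy, x + dx
                    if 0 <= yy < h and 0 <= xx < w:
                        total += img[yy][xx]
            out[y][x] = total / size
    return out


def black_out(img):
    """Solid rectangle over the text: every input maps to the same output."""
    return [[1.0] * len(row) for row in img]


def distance(a, b):
    """Sum of squared pixel differences between two equally sized images."""
    return sum((pa - pb) ** 2 for ra, rb in zip(a, b) for pa, pb in zip(ra, rb))


def recover(redacted, length, redact):
    """Trial and error: redact every candidate the same way and return all best matches.

    A single-element result means the text was recovered; many ties mean the
    redaction destroyed the information.
    """
    scored = []
    for combo in itertools.product(sorted(FONT), repeat=length):
        cand = "".join(combo)
        scored.append((distance(redact(render(cand)), redacted), cand))
    scored.sort()
    best = scored[0][0]
    return [cand for d, cand in scored if abs(d - best) < 1e-9]


if __name__ == "__main__":
    SECRET = "2037"                       # constructed secret the attacker does not know
    blurred = box_blur(render(SECRET))
    print("blur   ->", recover(blurred, len(SECRET), box_blur))
    boxed = black_out(render(SECRET))
    print("blackout -> %d equally good candidates" % len(recover(boxed, len(SECRET), black_out)))
```

The blurred case returns exactly one candidate because the blur is a deterministic function of the pixels: different glyphs still produce different blurred images, so the attacker only needs to reproduce the pipeline. The blackout case returns every one of the 625 candidates, which is the point: a redaction is only safe when all plausible inputs produce the same output.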
Posted by Marcin on Sunday, January 7, 2007 in Security.