October 2011 Archives

I've just learned that a quiet pillar in the security community has suffered a massive stroke while attending Hacker Halted and remains in a coma. I first met Brad at Black Hat in 2009, where we immediately got to talking about Montana, his beloved home state, and a place I was proudly able to call "home" for a while. He immediately invited me to participate in his own conference, CIScon, up in Helena, which I immediately agreed to do. He's a good dude who "got it" and was doing everything he could to help others, too. Much of his efforts were employed on a shoestring budget, whether it be providing first aid support to hacker cons, working with various orgs in the Northern Rockies to better secure their environments, or providing top-notch training opportunities and speakers to his local security community.

Please join me in sending positive thoughts, energy, prayers, or whatever your belief system may condone toward his full and speedy recovery. I also encourage you to join me in donating to the fund that Social-Engineer.org has setup to help defray out-of-pocket expenses.

Donate here: http://www.social-engineer.org/bradsmithdonation/

Interested in working for a strong up-n-comer in the GRC space? LockPath officially launched 1.0 of it's product on 10/10/10 and is now up to 2.0. We're growing quickly, and we need some top-notch folks to help us on our journey. Specifically, we're looking for:

• Support (2 people - based in KC)


• .net Devs (3 people - based in KC)


• Infrastructure/Data Center (1 person - flex location, KC might be helpful)


• Sales (1 regional sales, 1 international sales, 1 federal sales, 1 sales engineer - remote is possible)


• LPS (2 consultant/training people - remote is possible)

If you're interested, then please feel free to email me, leave a comment to follow-up, hit me up on Twitter, or hit the LockPath Careers page.

Thanks!

If you haven't heard already: Barnes & Noble is buying the Borders database. However, you have the option to opt-out of the data transfer. It's a 2-step process, and I was frustrated recently that I wasn't getting the second-step email. But, I figured it out, and I thought you might find the information to be useful - especially since you only have until November 2nd to opt-out.

Step 1: Go to http://www.bn.com/borders and enter the email address that Borders has/had on file for you. In theory you should have received an email with this info, but if not, there ya go.

Step 2: When you receive the confirmation email, click on the link contained within to confirm your opt-out selection. Failing to do this will almost certainly negate your effort in Step 1. You should get the confirmation email within a few minutes. If you don't, then it's time to do some sleuthing, which is what led me to write this post.

Are you a Google gMail user? If so, then login to the web interface and go to "All Mail" and see if the message is there. For some reason, gMail seems to be filtering out the confirmation message, preventing it from showing up in the main Inbox.

If it's not there, or you're not a gMail user, then the other likely culprit could be your spam filters. The emails appear to be coming from "borders@e.borders.com" with a uniq'd reply-to address that goes to "support-[some-random-string]@e.borders.com." You might need to add "borders@e.borders.com" to your allowed list or some such thing, depending on how your spam filter behaves.

Still stuck? That sucks, and I'm out of ideas. Maybe try submitting the request again to make sure you didn't typo your email address.

My attention was drawn this morning to an ISC Diary "guest post" by Dr. Eric Cole ("What are the 20 Critical Controls?"). In it, he points to the SANS "20 Critical Security Controls - Version 3.0," which was released in August. In the ISC Diary post, Cole talks about using these controls for "quick wins" and in the controls list itself SANS says "These controls allow those responsible for compliance and those responsible for security to agree, for the first time, on what needs to be done to make systems safer."

Unfortunately, while the list isn't technically inaccurate in terms of capabilities available, there are a few problems. And, contrary to their assertion that compliance and security people can finally agree on something, I don't think these controls are actually controls, let alone a source of true consensus.