Blog

  • Apr 03 / 2009
Web Security

How to remove Conficker?

I don’t normally talk about this type of security, but a number of people have asked me about the Conficker worm in the last week, and you haven’t been able to escape the talk of it in the press. There are reports that anywhere from 1 million to 10 million computers are infected. If you keep your Windows and antivirus up to date, or use a Mac, I wouldn’t freak out. Find out all the details from the Conficker Working Group here. I thought I’d provide you a helpful list of tools (depending on what virus scanner you currently use) that can remove it from your computer if you are infected:

Remember to keep doing your Windows and Antivirus updates! 🙂

  • Mar 23 / 2009
Web 2.0, Web Security

HP SWFScan – FREE Flash Security Tool


Today we have released a free Flash security tool, SWFScan (pronounced “Swiff Scan”), that will help developers find, fix and prevent security vulnerabilities in applications developed on the Adobe Flash platform. In the last few years, especially since the release of Adobe Flex (ActionScript 3), we have seen an explosion of web sites built on or containing Adobe Flash components (an Opera Developer Center study in October 2008 found that 30-40% of web sites contained Flash). However, as with the explosion of any technology, there has also been an explosion in the discovery of ways to exploit it, and too often developers building on the Adobe Flash platform leave unintended security vulnerabilities in their code (e.g. hard-coding passwords and encryption keys into their applications, where anyone can recover them by decompiling the SWF).

Here’s a quick video of Billy Hoffman talking about a specific example called Billy ‘Wins’ a Cheeseburger:

During the research and development of HP SWFScan, the HP Web Security Research Group tested about 4,000 SWF files and found the following issues to be the most alarming:

  • 16% of Flash applications using Flash 8 and below have XSS vulnerabilities
  • 77% of Flash 9 and 10 applications contain developer debugging information and source code file references
  • 35% of all Flash applications violate Adobe’s security best practices

So…How does it work?

HP SWFScan takes an application developed on the Adobe Flash Platform and decompiles it, revealing the ActionScript source code. The tool then performs static analysis on that ActionScript to understand the application’s behaviour, and identifies the vulnerabilities that lie beneath the surface of the application, which traditional dynamic (black-box) methods that only exercise the running application cannot detect. (It is also the first security tool to address both ActionScript 2 and 3.)

It not only identifies the vulnerability within the code, but also describes how it can be exploited and suggests ways of remediating it (including Adobe’s best practices).

HP SWFScan can analyze any SWF file regardless of the version of Flash or ActionScript, and no matter whether it is located on your local computer or available via a URL.
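To make the three classes of finding concrete, here is a small pattern-based check over decompiled ActionScript, written for this post as an added example. It is not SWFScan’s own code or output (SWFScan performs a real static analysis of the decompiled program, not line-by-line regexes); the sample ActionScript, the rule names and the `scan_actionscript` function are all constructed for illustration.

```python
import re
from typing import List, Tuple

# Constructed ActionScript 2 snippet (not from a real application) showing the
# defect classes discussed above: a hard-coded credential, debug output and a
# source-file reference left in the build, and a FlashVar reaching getURL()
# unvalidated (the classic Flash 8 clickTAG XSS: a javascript: URL supplied in
# the FlashVar runs in the origin of the page embedding the movie).
SAMPLE_AS2 = """\
var apiKey:String = "0123456789abcdef";         // hard-coded credential
var password = "hunter2";
trace("debug: loading " + _root.clickTAG);      // debug output left in release
// #source C:\\build\\banner\\Main.as
getURL(_root.clickTAG, "_blank");               // unvalidated FlashVar -> getURL
getURL("http://example.com/", "_self");         // literal URL: fine
"""

# Constructed ActionScript 3 spelling of the same sink.
SAMPLE_AS3 = 'navigateToURL(new URLRequest(loaderInfo.parameters.clickTAG));'

# Hypothetical rule set: (finding name, pattern, remediation hint).
RULES = [
    ("hard-coded-secret",
     re.compile(r'\b(pass(word)?|secret|api[_-]?key|token)\b\s*(:\s*\w+)?\s*=\s*"[^"]+"', re.I),
     "Keep secrets server-side; anything inside the SWF can be read by decompiling it."),
    ("debug-trace",
     re.compile(r'\btrace\s*\('),
     "Remove trace() calls or build a release (non-debug) SWF."),
    ("source-path-reference",
     re.compile(r'(?:[A-Za-z]:\\|/)[^\s"\']+\.as\b'),
     "Build without debug info; source paths reveal internal structure."),
    ("unvalidated-url-sink",
     re.compile(r'\b(getURL|navigateToURL)\s*\((?:\s*new\s+URLRequest\s*\()?\s*(?:this\.)?'
                r'(?:_root|_level0|_global|loaderInfo\.parameters|root\.loaderInfo\.parameters)\.\w+'),
     "Allow-list the scheme (http/https) and host before passing a FlashVar to a URL sink."),
]


def scan_actionscript(source: str) -> List[Tuple[int, str, str]]:
    """Return (line number, finding name, remediation) for every rule that fires.

    One finding per rule per line; a single line can trigger several rules.
    """
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern, fix in RULES:
            if pattern.search(line):
                findings.append((lineno, name, fix))
    return findings


def summarize(findings: List[Tuple[int, str, str]]) -> dict:
    """Count findings per class, the way the statistics above are reported."""
    counts: dict = {}
    for _, name, _ in findings:
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for lineno, name, fix in scan_actionscript(SAMPLE_AS2):
        print(f"line {lineno}: {name} -> {fix}")
    print(summarize(scan_actionscript(SAMPLE_AS2 + SAMPLE_AS3)))
```

The point of the fourth rule is the one from the video: the developer sees a harmless banner click-through, but the SWF is client code, so whoever embeds or links the movie controls the FlashVar that `getURL()` receives.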

The HP Web Security Research Group has developed HP SWFScan to help our customers and developers around the world make the web a safer place.

Download a FREE copy here: www.hp.com/go/swfscan

FAQs


  • Mar 03 / 2009
Random Thoughts

Death by PowerPoint

As many of you know I spend a lot of my time creating PowerPoint presentations either for sales presentations, conferences or sales enablement. (Just look at my App Tracker to see!)  One of my fellow product marketing managers brought this presentation to my attention today (via Twitter) and I couldn’t have agreed more. (Not that I am saying that my presentations are currently boring 🙂 )

It’s 61 slides long but don’t worry, it takes only a few minutes to watch.

Now, remember, bullets don’t kill people, people kill people and now go break all those rules!!

For those Sydney Kings (yes, he has moved on) and Boomers fans, Brian Goorjian is on slide 18 as an example of passion.

Happy PowerPoint creating!

  • Feb 12 / 2009
Web 2.0, Web Security

Twitter Security Tip – ‘Hot Stove’ Theory

Following on from my most successful blog post last month, here is another internet security tip for all you Twitter users.  My buddy Jack Bauer was kind enough to share this with me:


The Twitter folk are also onto it:

WARNING: If you see a link prefaced by “don’t click,” it is a trick
and you *really* should not click (we’re on it)

but I would back Jack Bauer any day over anyone else.

If you do click these links (even though they say “don’t”; a bit of the hot stove theory: ‘don’t touch the stove, it’s hot’, but you always touch it just to check for yourself and then get burnt as a result) you will probably end up with some form of malware on your computer.

Stay Safe

  • Jan 24 / 2009
Web Security

Top 10 Ways to Protect Yourself on the Internet

Constantly in the media we are hearing of people’s personal information being stolen and exploited from the web. This week InformationWeek reported that 70 of the top 100 web sites either hosted malicious content or contained hidden links designed to redirect users to malicious sites.

Whoa! Is the Internet still safe to use? My number 1 tip for staying safe on the Internet used to be ‘only use trusted websites’… this isn’t quite accurate anymore!

Working in web application security I am privileged to work with some of the greatest minds in this field, who really make you look at the Internet in a whole new way. I decided to ask them, “What do you recommend to protect yourself and your activities on the Internet?” Here’s what they said:

  1. Get yourself a credit card with a low limit that you only use for Internet transactions; it is easy to track unauthorised use, and if it is exploited the risk is minimised. Also look for one with fraud protection and zero liability.
  2. Never click on a link you receive in an email; you don’t really want that cheap viagra! If you really want to visit the website, retype the URL into the browser.
  3. Keep your OS, browser and virus scanner patched and up to date; don’t ignore the warning messages from Microsoft and others in your system tray.
  4. Use a ‘throwaway’ e-mail address if you have to fill out a form on a site to download something; create an extra account at Gmail, Hotmail or Yahoo.
  5. Keep individual passwords for the sites that really matter (i.e. your banking sites, e-mail, etc.); you don’t want all your accounts to be compromised if one is exploited. It’s probably not a good idea to make your Facebook password the same as your internet banking one!
  6. Never enter any personal information over an unencrypted connection; no-brainer!! Look for that padlock (although still proceed with caution: the padlock only tells you the connection is encrypted, not that the site at the other end is trustworthy).
  7. Never accept unsigned or unknown certificates for sites that need your personal info; a certificate warning means you cannot be sure who is at the other end, and you want to be careful who has your personal info!
  8. Turn off the wireless and Bluetooth on your laptop when you are not using them; leaving them on is a great way to invite unwanted visitors!
  9. Don’t leave your computer connected to a hotel network or public wifi for longer than you need to; people can find you and your personal info very easily!!
  10. Block browser popups; not only are they annoying, but they are a great way of transporting malware.

To be totally safe and secure:

  1. Don’t turn your computer on
  2. When you must break (1), do not connect to the internet
  3. When you must break (2), telnet to port 80

Please leave your personal tips in the comments!

Thanks Erik, Pat & Joe

Stay Safe & Secure

  • Jan 14 / 2009
Web 2.0

Wakoopa – Social Networking Your Applications

As you already know, I love discovering and trying out new cool applications. Last week I came across an application that literally feeds me new applications to try out.

How cool?!!  This application is called Wakoopa (http://wakoopa.com).

Wakoopa tracks the software (both web and desktop) you are using and for how long. You can measure your productivity?!? (I spend way too much time answering email.) This information is also shared within the Wakoopa community. You can see what cool applications others are using, and it gives everyone a place to review them. It also gives you a list of people who use similar applications, and you can ‘stalk’ out other apps you may like to try. It even recommends applications you may like!

It’s really simple to use:


  1. Sign Up
  2. Download and install the small (about 300 KB) tracker that runs silently in the background.
  3. Configure settings (username, password, proxy etc.)
  4. Every 15 minutes your software usage information is uploaded to your online Wakoopa account and tabulated into dashboards and tables for your use and viewing by the community.

Another note, if you use more than one pc, it can handle your results from multiple sources. 

I fully understand this kind of application may freak some people out (particularly those who spend too much time on Facebook!!), but it has definitely opened me up to some other cool applications which I will share in the future. For me this application is harmless fun!

See what I am using by clicking “App Tracker” above.


  • Dec 23 / 2008
Web 2.0

Digsby – My Favourite Application of 2008

If you could only install one application on your computer in 2009, install Digsby! Have you also been caught up in the Web 2.0 world where IM and Social Networking have taken over your life, like me? Previously I had about 4 IM programs running, not to mention the browser constantly open with Facebook, Twitter and my webmail. Digsby consolidates all your Instant Messaging, Social Networking and Email under one roof. I had tried this previously with iGoogle, but nothing has matched the success and ease of use of Digsby. It has support for the following:

Instant Messaging clients:

Email Accounts:

Social Networking:

It works, it is light on your system and life just got easier!  Download Now!

Unfortunately it isn’t available for Mac OS yet, but I’m sure it is not far off.

Installation tips: When the installation wizard comes up, click ‘Accept’ for Digsby itself and then, for the following 8 or so pages, click “Decline”, otherwise you will end up with a whole lot more ‘advertising’ apps than you bargained for. Once installed you never get any advertising!

Happy Digsbying!

  • Dec 11 / 2008
Web Security

Hacking 101….It’s not that hard

Recently Caleb Sima, CTO of HP Application Security Center (and founder of SPI Dynamics), presented at HP Software Universe in Vienna, Austria.

This video is very entertaining and in language anyone can understand.  You’ll see how easy hacking really is with a live demonstration.  He busts some of the Web Application Security Myths out there.  You will never look at a Web page in the same way.  It becomes clear that there is a lot that needs to be done by many to secure their web apps.


Source: HP Videos
©2008 Hewlett-Packard Development Company, L.P.

  • Dec 08 / 2008
New Toys

My Ears Love Me (And so does my wife)

One of the many great things about this move to the US for me was that I ‘had’ to buy a new home theatre system. Damn!!

I always approached most things with the ‘bigger the better’ attitude, but when it came to speakers this didn’t sit well with the wife. She made it known quite clearly and set the number 1 criterion for the speakers: ‘they must not take over the living room’! Mmmmm… I had to do some research.

After many hours researching and reading reviews: if you are after compact, high performance and good value speakers, I can fully recommend Aperion Audio’s Intimus 4B Harmony speaker set. I never thought such compact speakers could produce such a quality sound. The build quality is amazing. Each speaker box is made out of 3/4″ MDF!

Aperion Audio as a company to deal with were amazing.  They are the kind of company that goes the extra mile.  They are based out of Portland, Oregon.  3 days after ordering my speakers they arrived, packed securely in 1 inch foam, all in their own individual tailor made blue velvet, draw string bags.  Aperion also included an accessory pack which included a sound meter, cleaning cloth and to top it off White Gloves for handling your speakers.

Here is an extract from the delivery confirmation that topped it off:

“Your shipment is now on its way to you via FedEx Home Delivery. While Kelli was carefully hand-packing your shipment, we all sang a song of farewell and blew confetti about the warehouse. Then we packed your speakers on the truck, snapped to a smart salute and sent them on their way.

If any confetti remains on your box, please dispose of it carefully. One can never fully trust confetti.”

My ears love me and so does the wife!

  • Dec 01 / 2008
Web Security

Web Application Security…..Why should we care?

As you can see, I spend most of my time thinking about Web Application Security and what is going on in the world to do with it. (It’s my job!) Even if it isn’t your job, just a little research into web security and you will look at the WWW in a whole new way. Every day we read about new attacks on prominent websites; just yesterday we heard of the CBS website being attacked by Russian hackers. In this case they were able to distribute malware to visitors to the CBS website. (Read Article)

So why is it we have to do more about web application security?

Security risks are getting greater every day, and they will continue to grow as we go into 2009 and beyond. 7-10 years ago, hackers were out for a little individual fame. They might hack into a site, change some text or maybe an image, and then go boast to their underground friends. The cost to the victim was minimal, more of an inconvenience. As we all know, over the last few years what we can do on the web has become a whole lot more sophisticated, and with this we entrust a whole lot more personal, confidential information to the web. We bank online, apply for credit, shop online, and the organisations we entrust all this information to transfer it internally across the web. As we end users have changed our patterns and increased our use of the web, cyber criminals have increased their exploitation of the web at an even greater rate. Hacking is now an industry, and it is growing. The cost to an organisation is not only financial but also a huge loss of face. Yes, there is an increase in regulations out there that require organisations to meet higher security standards, but there is a whole lot more we can do as organisations and as individuals.

For the last 15 years organizations have spent millions of dollars securing their perimeter with firewalls and their servers with things like Intrusion Prevention Systems (IPS). Everyone has done a pretty good job of this, and we could almost go as far as saying that the network and servers have been locked down. Millions of dollars well spent! However, the inherent architecture of the web opens holes in these systems. For example, you need to open port 80 (HTTP) or 443 (HTTPS/SSL) to let web traffic into your organization. By allowing your trusted users in through these ports, you are also allowing hackers in: an attack on the application is just another HTTP request, and the firewall waves it through. (In fact hackers love SSL. The traffic is encrypted end to end, so a network IPS that cannot decrypt it never sees the attack, and they can hack undetected!) Organizations need to shift their focus and invest in securing their applications to combat this. With many shifting to Web 2.0, the perimeter has just shifted again, putting more control in the hackers’ hands. (I think a future blog post is required here.)

So, how do you secure your applications?

Almost all web application security vulnerabilities lie within the code itself. Yes, you guessed it (well, at least I hope you did): security vulnerabilities are code defects. You need to write secure code! Simple! Not really… we have a problem here. We have a gap. Security specialists know security but they don’t know the code, and developers know the code but they don’t know security. This is where organizations need to mandate secure coding practices and build them into the security program. Educating developers about and eliminating the OWASP Top Ten (injection, cross-site scripting and friends) is a good start. To aid developers there are a number of solutions out there that they can use to scan and validate their code and, at the same time, learn secure coding. (HP DevInspect is an example.)
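As an added illustration of “a vulnerability is a code defect”, here is the OWASP Top Ten’s injection flaw as one lookup written twice: with the defect and with the fix. This example was written for this post; it is not HP’s code or DevInspect output, and the table, the data and the payload are constructed.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a site's customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "4242"), ("bob", "1881"), ("carol", "0005")])
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """The defect: user input is pasted into the SQL text, so it is parsed as SQL."""
    sql = "SELECT username, card_last4 FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """The fix: a parameterized query binds the input as data, never as SQL."""
    sql = "SELECT username, card_last4 FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed attack value. In the concatenated query it closes the quote and
# appends a condition that is always true, so every customer's row comes back.
PAYLOAD = "' OR '1'='1"


def demo() -> dict:
    """Row counts for a normal user and for the payload against both versions."""
    conn = make_db()
    return {
        "normal_vulnerable": len(lookup_vulnerable(conn, "alice")),
        "payload_vulnerable": len(lookup_vulnerable(conn, PAYLOAD)),
        "normal_fixed": len(lookup_fixed(conn, "alice")),
        "payload_fixed": len(lookup_fixed(conn, PAYLOAD)),
    }


if __name__ == "__main__":
    print(demo())  # the vulnerable lookup hands all three rows to the payload
```

Nothing on the network would stop the vulnerable version: the payload arrives as an ordinary request parameter on port 80 or 443 and the firewall lets it through. A code scanner or a reviewer flags the string concatenation, and the fix is a one-line change at the source.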

Addressing web application security at the development level is a good approach, but to ensure your organization is best protected, and to complement secure coding, you should also check your applications for vulnerabilities during QA as well as in production (new vulnerabilities are discovered every day). An organization serious about web application security should implement a combination of manual penetration testing and web vulnerability scanners (HP has one of these also :)) at these points.

Last year the Web Application Security Consortium did a study of almost 32,000 websites. Over 85% of these websites had a vulnerability that could give hackers the ability to read, modify and transmit sensitive data.

Are you secure?  Do you actually know?
