From the online mail bag
In response to a June 18 news story, Security expert wants feds to recruit volunteer pen testers:
Private enterprises have been doing this for years (as the article mentions). Some countries even encourage “hackers” to help find vulnerabilities by offering programs and majors in hacking in colleges. With recent reports of breaches in critical infrastructure by hackers in Russia and China, I think it would be wise for the government and private infrastructure organizations to take this suggestion seriously.
[Jeremiah Grossman, CTO, WhiteHat Security] is an IT security consultant and must want his profession to continue and career opportunities to grow. The idea of volunteer pen testers is way corny. Not that the government doesn't need the help, but this kind of effort is worth money. Volunteerism is great for cleaning up the neighborhood park, but I wouldn't trust any volunteer with my IT infrastructure. Why not call for equipping government IT systems managers with simple tools and processes so they can do the testing and monitoring themselves? Heck, there are lots of goodies out there for anybody with some time to download and try them out. And why not make the .gov IT manager responsible for their operations? Though it seems to be in vogue for representatives in Congress to claim immunity/no responsibility for failed bank oversight, it shouldn't stop the IT folk from stepping up and setting a good example.
In response to a June 15 news story, New security standards for mobile payments coming:
If you want to be truly secure, don't buy anything on a mobile device. Period.
In response to a June 5 news story, Chrome for Mac, Linux is out, but Google warns of its dangers:
You are misusing the term “released.” These are pre-release builds for testing purposes only. When they are ready for release, I'm certain there will be a great deal more fanfare than one posting on a developer blog!
In response to a June 2 news story, Twitter hit with rogue anti-virus scams:
Knowing who you are following sounds like a good idea, but in reality even that can be difficult on Twitter. Given the nature of Twitter and the way people use it, I think it's going to be impossible to stop this kind of thing from happening. I know there will always be a bunch of people that will take absolutely no precautions whatsoever, and things will continue to spread.
I think that Twitter has just seen the beginning of this type of spyware/malware/viruses. I believe that Twitter users are going to be a fat, juicy target for scam artists via malicious software for a long time.
If you are an avid Twitter user or even just a user of the internet period, you are crazy if you don't have anti-spyware software installed on your computer. You should also have anti-virus and firewall software installed, but at least get anti-spyware installed considering you can get many of them for FREE!
In response to a May 29 news story, Nonprofit releases security configuration standards for iPhone:
I wish other administrators good luck with implementing security/policy requirements on the iPhone. One of the biggest challenges I have ever faced as either a consultant or contract employee for any firm was implementing policies for cellular phone users. I used to hear: “We have an iPhone, your policy won't work on our phones.” And many times when a security policy was rolled out, they would tell people who didn't like it: “Go buy an iPhone. They can't put policy restrictions on it.”
Of course, this is for companies which require an employee to have a phone, but don't supply one for them. I for one understand the importance of phone security, but many find it a real pain entering a password, or not having the ability to save certain documents, or only being able to communicate with their company's server. These people constantly complain about it.
Save a tree
In response to our new Digital Edition:
When on the move, I need a way to transport your and other security magazines. It is with great satisfaction that I can now download this magazine for times when I am sitting at an airport – or in any other mind-numbing situation – and get caught up on the latest news that truly helps to keep people like myself knowledgeable.
I like the format that simulates the magazine pages. It is also wonderful to know that we can cut down on the amount of paper required to get this information out to the people that need it. Many, many thanks.
Ken Muir, LCM Security
In addition to feature articles and columns from the print magazine being posted each month to the SC Magazine website, a Digital Edition of the magazine is now also available. A link to this interactive version of the magazine is blasted out each month to a subscriber list. To subscribe, go to SCMagazineUS.com, click on Subscribe in the top tab, and then click on "Sign Up for a Free Subscription to SC." You can then choose to receive either the Print Edition or the Digital Edition of SC Magazine.
The opinions expressed in these letters are not necessarily those of SC Magazine.