Tuesday, February 21, 2006
Bypass Windows Activation?
Technology Updates
1) How to bypass WPA (Windows Activation) on Windows XP. - by FittMunken
Tested on Windows XP Professional SP2 and Windows Server 2003 R2.
First, click "Run..." on your start menu, type "regedit" and press enter.
The Registry Editor opens up, and you are presented with a long list of keys on the left.
Browse through the list to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents.
(If you can't find this key, you're screwed!)
On the right, you should see a stringz value named OOBETimer.
This is the activation stuff. If you change it, Windows will change it back within a few seconds.
Whatever its value is, change it to FF D5 71 D6 8B 6A 8D 6F D5 33 93 FD.
(At first I thought this was different for each machine/serial number, but it's always the same if windows is activated...LOL)
After you've changed it, right-click WPAEvents and choose "Permissions..."
A little window opens up with a list of user names. Click SYSTEM, and in the list below ("Permissions for SYSTEM") check every box under "Deny". Click OK to own windows. You don't even have to reboot lol.
If you're too slow windows might change it back, so just hit F5 to refresh and make sure it got saved.
If not, just try again. Microsoft owns for making it so easy to hack their software.
So, just keep on enjoying an activated version of windows. FittMunken over and out!
And if you need to download windows, here are a few places to get it:
You obviously need a bittorrent client, and you might as well make sure to download the best one!
www.utorrent.com owns all other bittorrennt clients. in fact, all other clients suck.
www.mininova.org
www.piratebay.org
www.2torrents.com
www.torrentleech.org
www.torrentbytes.net
www.powerbits.org
www.filelist.org
A good release is Microsoft.Windows.XP.Professional.SP2.Final.Integrated-PMM.English
It doesn't even require any activation. It's pre-release, but it's build 2600 so it's the same as final.
2)ONLY WORKS WITH SP1
- Go on regedit
- Find HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents
- go on OOBETimer and Change the last Value from 00 to 97.
- The activation screen shld appear.
- Then go on phone activation and type in 401111 for every box.
It should work (Until you install SP2, which resets it.)
To check if it is activated
C:\WINDOWS\system32\oobe\msoobe.exe /a
3)Open note pad copy and paste the following text:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents]
"OOBETimer"=hex:ca,82,b8,55,d4,04,b5,cf,cc,5b,24,00
save the text as de.reg onto your desktop so you can find it.
- Double click on the de.reg on your desktop and say yes and add it to the registry.
- Click "Start" and go to "Run..."
Type in %systemroot%\system32\oobe\msoobe.exe /a and click "OK"
This will bring up the "Activate Windows" window.
- Check the option for "Yes, I want to telephone a customer service representative to activate Windows" and click "Next"
Then click "Change Product Key" (don't enter any information on that screen)
Type in a product key, I mean your product key.
and click "Update"
- The activate Windows by phone window will reappear at this point, just JUST CLOSE THE WHOLE THING DOWN BY CLICKING "X" in the upper right hand corner
- Activate Windows by copying the following text into a new notepad and save it as up.reg on you desktop, once again so its easy to find.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents]
"OOBETimer"=hex:ca,82,b8,55,d4,04,b5,cf,cc,5b,24,97
- Double click on up.reg on your desktop and say yes and add it to the registry.
- Ready to see if it worked
Click "Start"and go to "Run..."
Type in %systemroot%\system32\oobe\msoobe.exe /a and click "OK"
4) For those of you stuck in "limbo" there's a cheap way to run programs while windows is prompting you to activate (usually right after login)
Push Win+U to bring up utilities (and the narrator)
On either the narrator or the utilities control, click Help
Click Options | Internet Options...
Click the Privacy tab
Click Import
this will pull up a file browser from which you can run any program
locate the program you want to run (it often helps to select All Files under Files of type) then right-click on the .exe you want to run and select Open. NOTE: double-clicking will cause an error, you must right-click | Open.
1) How to bypass WPA (Windows Activation) on Windows XP. - by FittMunken
Tested on Windows XP Professional SP2 and Windows Server 2003 R2.
First, click "Run..." on your start menu, type "regedit" and press enter.
The Registry Editor opens up, and you are presented with a long list of keys on the left.
Browse through the list to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents.
(If you can't find this key, you're screwed!)
On the right, you should see a stringz value named OOBETimer.
This is the activation stuff. If you change it, Windows will change it back within a few seconds.
Whatever its value is, change it to FF D5 71 D6 8B 6A 8D 6F D5 33 93 FD.
(At first I thought this was different for each machine/serial number, but it's always the same if windows is activated...LOL)
After you've changed it, right-click WPAEvents and choose "Permissions..."
A little window opens up with a list of user names. Click SYSTEM, and in the list below ("Permissions for SYSTEM") check every box under "Deny". Click OK to own windows. You don't even have to reboot lol.
If you're too slow windows might change it back, so just hit F5 to refresh and make sure it got saved.
If not, just try again. Microsoft owns for making it so easy to hack their software.
So, just keep on enjoying an activated version of windows. FittMunken over and out!
And if you need to download windows, here are a few places to get it:
You obviously need a bittorrent client, and you might as well make sure to download the best one!
www.utorrent.com owns all other bittorrennt clients. in fact, all other clients suck.
www.mininova.org
www.piratebay.org
www.2torrents.com
www.torrentleech.org
www.torrentbytes.net
www.powerbits.org
www.filelist.org
A good release is Microsoft.Windows.XP.Professional.SP2.Final.Integrated-PMM.English
It doesn't even require any activation. It's pre-release, but it's build 2600 so it's the same as final.
2)ONLY WORKS WITH SP1
- Go on regedit
- Find HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents
- go on OOBETimer and Change the last Value from 00 to 97.
- The activation screen shld appear.
- Then go on phone activation and type in 401111 for every box.
It should work (Until you install SP2, which resets it.)
To check if it is activated
C:\WINDOWS\system32\oobe\msoobe.exe /a
3)Open note pad copy and paste the following text:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents]
"OOBETimer"=hex:ca,82,b8,55,d4,04,b5,cf,cc,5b,24,00
save the text as de.reg onto your desktop so you can find it.
- Double click on the de.reg on your desktop and say yes and add it to the registry.
- Click "Start" and go to "Run..."
Type in %systemroot%\system32\oobe\msoobe.exe /a and click "OK"
This will bring up the "Activate Windows" window.
- Check the option for "Yes, I want to telephone a customer service representative to activate Windows" and click "Next"
Then click "Change Product Key" (don't enter any information on that screen)
Type in a product key, I mean your product key.
and click "Update"
- The activate Windows by phone window will reappear at this point, just JUST CLOSE THE WHOLE THING DOWN BY CLICKING "X" in the upper right hand corner
- Activate Windows by copying the following text into a new notepad and save it as up.reg on you desktop, once again so its easy to find.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents]
"OOBETimer"=hex:ca,82,b8,55,d4,04,b5,cf,cc,5b,24,97
- Double click on up.reg on your desktop and say yes and add it to the registry.
- Ready to see if it worked
Click "Start"and go to "Run..."
Type in %systemroot%\system32\oobe\msoobe.exe /a and click "OK"
4) For those of you stuck in "limbo" there's a cheap way to run programs while windows is prompting you to activate (usually right after login)
Push Win+U to bring up utilities (and the narrator)
On either the narrator or the utilities control, click Help
Click Options | Internet Options...
Click the Privacy tab
Click Import
this will pull up a file browser from which you can run any program
locate the program you want to run (it often helps to select All Files under Files of type) then right-click on the .exe you want to run and select Open. NOTE: double-clicking will cause an error, you must right-click | Open.
Friday, February 17, 2006
World 1st Mac Virus
Technology Updates
Experts at Sophos have announced the discovery of the first virus for the Apple Mac OS X platform.
The virus, named OSX/Leap-A (also known as OSX/Oompa-A) spreads via instant messaging systems.
The OSX/Leap-A worm spreads via the iChat instant messaging system, forwarding itself as a file called "latestpics.tgz" to contacts on the infected users' buddy list. When the "latestpics.tgz" archive file is opened on a computer it disguises its contents with a JPEG graphic icon in an attempt to fool people into thinking it is harmless.
The worm uses the text "oompa" as an infection marker in the resource forks of infected programs to prevent it from reinfecting the same files.
Graham Cluley, senior technology consultant for Sophos, said,
"Some owners of Mac computers have held the belief that Mac OS X is incapable of harboring computer viruses, but Leap-A will leave them shellshocked, as it shows that the malware threat on Mac OS X is real. Mac users shouldn't think it's okay to lie back and not worry about viruses."
Experts at Sophos are continuing to examine OSX/Leap-A and will issue further information shortly.
"This is the first real virus for the Mac OS X platform," continued Cluley. "Apple Mac users need to be just as careful running unknown or unsolicited code on their computers as their friends and colleagues running Windows."
Sophos advises all computer users, whether running PCs or Macs, to practise safe computing and keep their anti-virus software updated.
One question currently being asked, "Is Leap-A a virus or a Trojan?"
Some members of the Apple Macintosh community have claimed that OSX/Leap-A is a Trojan horse, and not a virus or worm, because it requires user interaction (the user has to receive a file via iChat, and manually choose to open and run the file contained inside). However, this is not the definition of a Trojan horse.
A Trojan horse is a seemingly legitimate computer program that has been intentionally designed to disrupt and damage computer activity. Importantly, Trojan horses do not replicate or have any mechanism of spreading themselves. They have to be deliberately planted on a web site, or accidentally shared with another user, or spammed out to email addresses. There is nothing inside a Trojan's code to distribute themselves further to other victims.
Trojan horses do not contain any code to distribute or spread themselves, viruses and worms do. OSX/Leap-A is programmed to use the iChat instant messaging system to spread itself to other users. As such, it is comparable to an email or instant messaging worm on the Windows platform.
Worms are a sub category of the group of malware known as viruses. Therefore, it is correct to call OSX/Leap-A a virus or a worm, not a Trojan horse.
Source taken from: http://itvibe.com/news/3941/
Experts at Sophos have announced the discovery of the first virus for the Apple Mac OS X platform.
The virus, named OSX/Leap-A (also known as OSX/Oompa-A) spreads via instant messaging systems.
The OSX/Leap-A worm spreads via the iChat instant messaging system, forwarding itself as a file called "latestpics.tgz" to contacts on the infected users' buddy list. When the "latestpics.tgz" archive file is opened on a computer it disguises its contents with a JPEG graphic icon in an attempt to fool people into thinking it is harmless.
The worm uses the text "oompa" as an infection marker in the resource forks of infected programs to prevent it from reinfecting the same files.
Graham Cluley, senior technology consultant for Sophos, said,
"Some owners of Mac computers have held the belief that Mac OS X is incapable of harboring computer viruses, but Leap-A will leave them shellshocked, as it shows that the malware threat on Mac OS X is real. Mac users shouldn't think it's okay to lie back and not worry about viruses."
Experts at Sophos are continuing to examine OSX/Leap-A and will issue further information shortly.
"This is the first real virus for the Mac OS X platform," continued Cluley. "Apple Mac users need to be just as careful running unknown or unsolicited code on their computers as their friends and colleagues running Windows."
Sophos advises all computer users, whether running PCs or Macs, to practise safe computing and keep their anti-virus software updated.
One question currently being asked, "Is Leap-A a virus or a Trojan?"
Some members of the Apple Macintosh community have claimed that OSX/Leap-A is a Trojan horse, and not a virus or worm, because it requires user interaction (the user has to receive a file via iChat, and manually choose to open and run the file contained inside). However, this is not the definition of a Trojan horse.
A Trojan horse is a seemingly legitimate computer program that has been intentionally designed to disrupt and damage computer activity. Importantly, Trojan horses do not replicate or have any mechanism of spreading themselves. They have to be deliberately planted on a web site, or accidentally shared with another user, or spammed out to email addresses. There is nothing inside a Trojan's code to distribute themselves further to other victims.
Trojan horses do not contain any code to distribute or spread themselves, viruses and worms do. OSX/Leap-A is programmed to use the iChat instant messaging system to spread itself to other users. As such, it is comparable to an email or instant messaging worm on the Windows platform.
Worms are a sub category of the group of malware known as viruses. Therefore, it is correct to call OSX/Leap-A a virus or a worm, not a Trojan horse.
Source taken from: http://itvibe.com/news/3941/
Thursday, February 16, 2006
Technology Updates
Technology Updates
10 MYTHs about IT Security
MYTH #1: Organizations are more secure now than they were a year ago. Although limited resources have forced some organizations to neglect security issues, most companies have initiated the necessary steps to safeguard their company assets. Information security has moved from a business cost to a business enabler--allowing for better business decisions that help organizations grow and see firsthand how strategic decisions may unfold. However, any complacent attitudes should be checked at the door. New threats and technologies are constantly and rapidly changing the network landscape. System administrators must scan the network continually for known security weaknesses, keep their skills current and, most important, re-examine corporate security policies periodically. Letting this last step slide is a recipe for disaster. Business processes defined a year ago may not match the organization's current needs.
MYTH #2: The presence or absence of regulations greatly matters when it comes to protecting both personal and customer data. Governmental regulations, such as HIPAA (Health Insurance Portability and Accountability Act) and Sarbanes-Oxley, contain information security components in their guidelines. But with or without a legal requirement, organizations should still safeguard their sensitive information. Failure to protect customers' personal data means a loss in consumer confidence, which results in lost revenue and government fines. Regulations and laws are getting the attention of C-level executives and forcing them to invest in information security initiatives, but don't be misled into thinking governmental regulations mean data is protected and that companies themselves won't violate a regulation.
Case in point: When BJ's Wholesale Club's network was compromised and thousands of their customers' credit card numbers were stolen from a BJ's database, many believed the retailer had violated MasterCard's and Visa's regulations by storing account and customer information. The same held true for CardSystems, which may have violated MasterCard's regulations by not only retaining credit card information but failing to encrypt the data. Organizations must proactively fashion a philosophy that combines network security with an acceptable level of compliance.
MYTH #3: External consultants know more about information security than in-house personnel do. People believe consultants--whether they work for a consulting firm or independently--have tools and advanced training that's lacking internally. But that's not always true. Before hiring an outside consultant, be sure you haven't overlooked your staff. Network and system administrators often make good full-time security personnel because they handle security problems as part of their daily duties. You might find you already have the required skills in-house--all that's needed is some training classes. Training in-house personnel demonstrates your commitment to providing employees growth and career opportunities.
Consider using an outside consultant on an as-needed basis to provide additional support to existing staff--in other words, to supplement the skills of your staff. If you decide to bring in outside services, thoroughly validate the consultant's qualifications and experience. Be sure to check references. Memberships in professional organizations and certifications are helpful, although some certifications are more useful than others. Outside consultants can provide a good business partnership even beyond the services outlined in a contract. Having an internal contact person well-placed within the organization can help foster a better working partnership and help the staff view the consultant as a valuable team member.
MYTH #4: Information security must be managed as a separate business unit to be effective. At first glance, you may think keeping information security people together in one department is a good idea. After all, infosec professionals all speak the same language and deal with similar concerns. However, a single security group would have to deal with all the business units that have some level of security as part of their charters--most notably physical security, IT security and disaster security preparedness. If you keep your infosec professionals in one group, you risk alienating the business groups they'll need to work with to conduct security awareness and training programs.
Top-level management must realize that information security and infosec policies must fit into all facets of the organization. Information security is not solely the responsibility of IT but rather an enterprise function that must mandate input from all business units so each unit can ensure its needs, concerns and mission statements are met. Smart organizations are starting to realize that security has evolved into an enterprisewide support division, rather than an isolated group dedicated solely to protecting servers. Security professionals can offer cost management, build a stronger focus on customer relations and help identify and communicate growth opportunities throughout the organization.
MYTH #5: Complex, frequently changed passwords will make my enterprise secure. No one would argue that a password of 12 to 16 characters, with mixed upper- and lowercase letters, numbers and special characters, is hard to guess. But it's also hard to remember. If you require users to change passwords every 60 days, they'll be writing down their passwords, which is exactly what you don't want. Instead, create a flexible password policy that lets users create simple yet inconspicuous passwords. Consider having users create easy-to-remember passphrases, such as "HotDogWithMustard," "8YearsOldToday" or "Please,Hold theMayo." Written password security policies should be governed by the organization, not the end user. However, each end user must be held accountable for managing and safeguarding his or her own password. Remember that passwords written on Post-It notes or stored in Excel spreadsheets are far bigger threats to security than password cracking.
MYTH #6: The padlock icon present during an SSL session means my data is safe. This is untrue. That tiny padlock icon found at the bottom of a Web site is a sign that data sent between your device and the site is encrypted. It doesn't mean the Web site itself is safe. Web site certificates are text files of information--such as to whom the certificate belongs, who issued it, a unique identifier and valid dates of use--that's used by SSL protocols to establish secure connections. Five conditions must be met for a browser to accept a certificate. If any condition isn't met, the browser should display a warning to the user, who then decides whether to start a connection. The first condition is that the certificate is issued by a trusted certificate authority, which creates and manages security credentials and public keys for messaging encryption. Certificates and keys are regularly stored on the hard drive of the local computer being used. Second, the certificate must be within the validity period. Third, if a user is connecting to www.etrust-bank.com, then the certificate common name must be for www.etrust-bank.com. Fourth, the certificate must validate that it hasn't been altered, and finally, it must not be revoked. Unfortunately, most users don't bother to check site certificates when there is a problem. To check the Web site's certificate, double click the padlock icon in your browser window while you're active on the site. A pop-up window will show the name of the site and its certification information. Smart users will validate that the information matches that of the site and the organization with which they're conducting a transaction.
In addition, keep in mind that data sent isn't stored on the Web site but on a server, and you have no way of knowing if the data you sent is encrypted on that server. How well an organization safeguards its server is a bigger security risk than the communication transmission itself (see "Keeping Online Transactions Safe," page 32). Nothing is 100 percent secure, and even sites using 128-bit encryption can be compromised.
MYTH #7: Migrating from Internet Explorer to Firefox will make my enterprise secure. Although Internet Explorer commands the majority of the browser market, Firefox is steadily gaining ground. But if a vulnerability is discovered in your browser, your computers are susceptible to compromise, no matter which browser you're running. The real risk lies in users continuing to click on virus-infected attachments, which are browser-agnostic. The December 2005 Microsoft WMF vulnerability should re-emphasize the fact that users must still be trained not to accept or execute files or links from untrusted or unknown sources. As the download popularity of Firefox increases, so does the number of exposed flaws. Small shops and individual users shouldn't find switching to Mozilla's Firefox a problem--after all, it's targeted at that user base. However, mid- to large-size enterprises may find that Firefox isn't quite ready for the enterprise, despite its better security. First, Firefox lacks a management system, making it difficult for admins to control how the browser is used. Second, if your company has several Web-based applications built around IE, migrating to Firefox will incur development costs in addition to deploying Firefox to your users. In the long term, switching back and forth between browser vendors isn't cost-effective or efficient. Instead, restrict Internet browsing activity to "what access is needed" and "who needs it." It's a time-consuming administrative task, but teaching proper browsing behavior will keep your organization much safer than worrying about which browser you use.
MYTH #8: Increased security spending results in greater security. This is false. Organizations often use some sort of metric (or measurement tool) to justify their security spending within an IT budget. This can result in spending more money for security products but not actually building a more secure enterprise. Every company has a unique risk profile that will determine its required security investment. You can't generalize security needs. Instead, establish a risk management profile, manage those risks within a given budget and purchase wisely to meet the needed security level. But don't spend your entire infosec budget on hardware and software technologies. Security is as much a matter of awareness as technology, so be sure to spend appropriately on training and educating your users and customers in how their actions can result in a major network security breach. It's also vital to make security a visible and important part of your organizational culture.
MYTH #9: Wireless networks aren't secure. Wireless is one of the hottest technologies around, but, like other new technologies, it has suffered from a bad reputation. Wireless networks, in their early incarnation, were considered less secure than wired networks because the WEP (Wired Equivalent Privacy) protocol had numerous security holes. Today, there are security methodologies and technologies that can be used in place of WEP, such as secure forms of key exchanges and encryption, VPNs and authentication servers. Having a good understanding of the 802.11i wireless standard and the 802.1x authentication standard will assist you in properly designing and configuring your wireless network. The IEEE 802.11i wireless security specification has been finalized and products are shipping with this support built in. Although wireless is more susceptible to security problems than wired networking, smart IT professionals can make secure and effective use of wireless technology by building in additional security, properly managing the rich features found in Wi-Fi products and planning to take advantage of future Wi-Fi security enhancements.
MYTH #10: Dumping Windows for Linux will make increase security. The media portrays Linux as a secure alternative to Windows, but will Linux make your enterprise that much more secure? Not really. With proper planning, you can securely deploy both Windows and Linux. Although there are more viruses written for the Windows platform, Linux isn't in the clear. Linux tends to have an advantage over Windows in that it's an open-source platform with a worldwide programming and security community supporting it. The CERT database lists the most recent flaws and fixes issued for Linux. But in fact, all operating systems have flaws. An improperly configured Linux server is just as vulnerable as any Windows server.
So, should you dump Windows and migrate to Linux? For the majority of enterprises, the answer is no. While the Linux interface continues to improve, Windows is still better. And while more software is becoming available for the Linux platform, organizations will have a hard time finding Linux versions of everything they need to run their businesses. The work associated with migrating to Unix--testing applications to see if they function properly on the platform and retraining users--makes the switch cost-prohibitive and not a viable long-term solution. The better alternative is to use Linux where it performs best--as the underlying OS on appliances and powering high-end workstations and file servers.
Source taken from: http://securitypipeline.com/showArticle.jhtml?articleId=177102317&pgno=5
10 MYTHs about IT Security
MYTH #1: Organizations are more secure now than they were a year ago. Although limited resources have forced some organizations to neglect security issues, most companies have initiated the necessary steps to safeguard their company assets. Information security has moved from a business cost to a business enabler--allowing for better business decisions that help organizations grow and see firsthand how strategic decisions may unfold. However, any complacent attitudes should be checked at the door. New threats and technologies are constantly and rapidly changing the network landscape. System administrators must scan the network continually for known security weaknesses, keep their skills current and, most important, re-examine corporate security policies periodically. Letting this last step slide is a recipe for disaster. Business processes defined a year ago may not match the organization's current needs.
MYTH #2: The presence or absence of regulations greatly matters when it comes to protecting both personal and customer data. Governmental regulations, such as HIPAA (Health Insurance Portability and Accountability Act) and Sarbanes-Oxley, contain information security components in their guidelines. But with or without a legal requirement, organizations should still safeguard their sensitive information. Failure to protect customers' personal data means a loss in consumer confidence, which results in lost revenue and government fines. Regulations and laws are getting the attention of C-level executives and forcing them to invest in information security initiatives, but don't be misled into thinking governmental regulations mean data is protected and that companies themselves won't violate a regulation.
Case in point: When BJ's Wholesale Club's network was compromised and thousands of their customers' credit card numbers were stolen from a BJ's database, many believed the retailer had violated MasterCard's and Visa's regulations by storing account and customer information. The same held true for CardSystems, which may have violated MasterCard's regulations by not only retaining credit card information but failing to encrypt the data. Organizations must proactively fashion a philosophy that combines network security with an acceptable level of compliance.
MYTH #3: External consultants know more about information security than in-house personnel do. People believe consultants--whether they work for a consulting firm or independently--have tools and advanced training that's lacking internally. But that's not always true. Before hiring an outside consultant, be sure you haven't overlooked your staff. Network and system administrators often make good full-time security personnel because they handle security problems as part of their daily duties. You might find you already have the required skills in-house--all that's needed is some training classes. Training in-house personnel demonstrates your commitment to providing employees growth and career opportunities.
Consider using an outside consultant on an as-needed basis to provide additional support to existing staff--in other words, to supplement the skills of your staff. If you decide to bring in outside services, thoroughly validate the consultant's qualifications and experience. Be sure to check references. Memberships in professional organizations and certifications are helpful, although some certifications are more useful than others. Outside consultants can provide a good business partnership even beyond the services outlined in a contract. Having an internal contact person well-placed within the organization can help foster a better working partnership and help the staff view the consultant as a valuable team member.
MYTH #4: Information security must be managed as a separate business unit to be effective. At first glance, you may think keeping information security people together in one department is a good idea. After all, infosec professionals all speak the same language and deal with similar concerns. However, a single security group would have to deal with all the business units that have some level of security as part of their charters--most notably physical security, IT security and disaster security preparedness. If you keep your infosec professionals in one group, you risk alienating the business groups they'll need to work with to conduct security awareness and training programs.
Top-level management must realize that information security and infosec policies must fit into all facets of the organization. Information security is not solely the responsibility of IT but rather an enterprise function that must mandate input from all business units so each unit can ensure its needs, concerns and mission statements are met. Smart organizations are starting to realize that security has evolved into an enterprisewide support division, rather than an isolated group dedicated solely to protecting servers. Security professionals can offer cost management, build a stronger focus on customer relations and help identify and communicate growth opportunities throughout the organization.
MYTH #5: Complex, frequently changed passwords will make my enterprise secure. No one would argue that a password of 12 to 16 characters, with mixed upper- and lowercase letters, numbers and special characters, is hard to guess. But it's also hard to remember. If you require users to change passwords every 60 days, they'll be writing down their passwords, which is exactly what you don't want. Instead, create a flexible password policy that lets users create simple yet inconspicuous passwords. Consider having users create easy-to-remember passphrases, such as "HotDogWithMustard," "8YearsOldToday" or "Please,Hold theMayo." Written password security policies should be governed by the organization, not the end user. However, each end user must be held accountable for managing and safeguarding his or her own password. Remember that passwords written on Post-It notes or stored in Excel spreadsheets are far bigger threats to security than password cracking.
MYTH #6: The padlock icon present during an SSL session means my data is safe. This is untrue. That tiny padlock icon found at the bottom of a Web site is a sign that data sent between your device and the site is encrypted. It doesn't mean the Web site itself is safe. Web site certificates are text files of information--such as to whom the certificate belongs, who issued it, a unique identifier and valid dates of use--that's used by SSL protocols to establish secure connections. Five conditions must be met for a browser to accept a certificate. If any condition isn't met, the browser should display a warning to the user, who then decides whether to start a connection. The first condition is that the certificate is issued by a trusted certificate authority, which creates and manages security credentials and public keys for messaging encryption. Certificates and keys are regularly stored on the hard drive of the local computer being used. Second, the certificate must be within the validity period. Third, if a user is connecting to www.etrust-bank.com, then the certificate common name must be for www.etrust-bank.com. Fourth, the certificate must validate that it hasn't been altered, and finally, it must not be revoked. Unfortunately, most users don't bother to check site certificates when there is a problem. To check the Web site's certificate, double click the padlock icon in your browser window while you're active on the site. A pop-up window will show the name of the site and its certification information. Smart users will validate that the information matches that of the site and the organization with which they're conducting a transaction.
In addition, keep in mind that data sent isn't stored on the Web site but on a server, and you have no way of knowing if the data you sent is encrypted on that server. How well an organization safeguards its server is a bigger security risk than the communication transmission itself (see "Keeping Online Transactions Safe," page 32). Nothing is 100 percent secure, and even sites using 128-bit encryption can be compromised.
MYTH #7: Migrating from Internet Explorer to Firefox will make my enterprise secure. Although Internet Explorer commands the majority of the browser market, Firefox is steadily gaining ground. But if a vulnerability is discovered in your browser, your computers are susceptible to compromise, no matter which browser you're running. The real risk lies in users continuing to click on virus-infected attachments, which are browser-agnostic. The December 2005 Microsoft WMF vulnerability should re-emphasize the fact that users must still be trained not to accept or execute files or links from untrusted or unknown sources. As the download popularity of Firefox increases, so does the number of exposed flaws. Small shops and individual users shouldn't find switching to Mozilla's Firefox a problem--after all, it's targeted at that user base. However, mid- to large-size enterprises may find that Firefox isn't quite ready for the enterprise, despite its better security. First, Firefox lacks a management system, making it difficult for admins to control how the browser is used. Second, if your company has several Web-based applications built around IE, migrating to Firefox will incur development costs in addition to deploying Firefox to your users. In the long term, switching back and forth between browser vendors isn't cost-effective or efficient. Instead, restrict Internet browsing activity to "what access is needed" and "who needs it." It's a time-consuming administrative task, but teaching proper browsing behavior will keep your organization much safer than worrying about which browser you use.
MYTH #8: Increased security spending results in greater security. This is false. Organizations often use some sort of metric (or measurement tool) to justify their security spending within an IT budget. This can result in spending more money for security products but not actually building a more secure enterprise. Every company has a unique risk profile that will determine its required security investment. You can't generalize security needs. Instead, establish a risk management profile, manage those risks within a given budget and purchase wisely to meet the needed security level. But don't spend your entire infosec budget on hardware and software technologies. Security is as much a matter of awareness as technology, so be sure to spend appropriately on training and educating your users and customers in how their actions can result in a major network security breach. It's also vital to make security a visible and important part of your organizational culture.
MYTH #9: Wireless networks aren't secure. Wireless is one of the hottest technologies around, but, like other new technologies, it has suffered from a bad reputation. Wireless networks, in their early incarnation, were considered less secure than wired networks because the WEP (Wired Equivalent Privacy) protocol had numerous security holes. Today, there are security methodologies and technologies that can be used in place of WEP, such as secure forms of key exchanges and encryption, VPNs and authentication servers. Having a good understanding of the 802.11i wireless standard and the 802.1x authentication standard will assist you in properly designing and configuring your wireless network. The IEEE 802.11i wireless security specification has been finalized and products are shipping with this support built in. Although wireless is more susceptible to security problems than wired networking, smart IT professionals can make secure and effective use of wireless technology by building in additional security, properly managing the rich features found in Wi-Fi products and planning to take advantage of future Wi-Fi security enhancements.
MYTH #10: Dumping Windows for Linux will make increase security. The media portrays Linux as a secure alternative to Windows, but will Linux make your enterprise that much more secure? Not really. With proper planning, you can securely deploy both Windows and Linux. Although there are more viruses written for the Windows platform, Linux isn't in the clear. Linux tends to have an advantage over Windows in that it's an open-source platform with a worldwide programming and security community supporting it. The CERT database lists the most recent flaws and fixes issued for Linux. But in fact, all operating systems have flaws. An improperly configured Linux server is just as vulnerable as any Windows server.
So, should you dump Windows and migrate to Linux? For the majority of enterprises, the answer is no. While the Linux interface continues to improve, Windows is still better. And while more software is becoming available for the Linux platform, organizations will have a hard time finding Linux versions of everything they need to run their businesses. The work associated with migrating to Unix--testing applications to see if they function properly on the platform and retraining users--makes the switch cost-prohibitive and not a viable long-term solution. The better alternative is to use Linux where it performs best--as the underlying OS on appliances and powering high-end workstations and file servers.
Source taken from: http://securitypipeline.com/showArticle.jhtml?articleId=177102317&pgno=5
