AO Security Discussion Roundup
April 20, 2007
Catch up on the latest AntiOnline security and tech discussions. This week: using TOR; the regulatory compliance implications of attaching a personal PC to a corporate network; and a handy list of informative security podcasts.
Using TOR and other proxy servers
Just a little FYI, Tor uses SSL to encrypt all data, and doesn't even leak DNS requests, unlike some proxy servers. As long as it's configured properly and using an appropriate proxy (such as Privoxy, which comes in the bundle).
TOR cannot offer 100% total anonymity so if the connection to the website is not secure (e.g. https) then the last gateway will be able to see (and potentially sniff) all traffic.
Personal PC Attached to Work Network
This is a nightmare for an admin as well. "Joe Employee" brings his home computer in and connects to the corporate network and who knows what wonderful "goodies' he can spread on the corporate LAN.
Not to mention the corporate espionage he can do. Not that a 4 gig thumbdrive wouldn't be sufficient.
Attempted hack through wireless?
Enable auditing on your workstations and keep an eye out for unauthorized login attempts. Be sure to password protect your user accounts. I also recommend that you change your passwords to passphrases. Use different passphrases for your computer login than your online accounts. Its also wise to use different passphrases for each online account. I know this can be a bit of a pain to remember all those passphrases, but I've managed to come up with a scheme that relates to the specific service or site.
Recovering overwritten data - can software alone do it?
There have been rumors of more exotic methods of data recovery post-overwriting (they involve imaging the platters with scanning microscopes and/or analyzing the raw signal output from the read heads), but actual attempts to do this by researchers have usually only succeeded under some pretty strict assumptions, such as already knowing the data to be recovered, knowing the overwrite pattern and only one overwrite pass.
The Silver Bullet Security Podcast is a nice interview style show (updates irregularly) by Craig McGraw of Cigital. He interviews different InfoSec pundits, curmudgeons, and gods. Good stuff.
Cyber Speak is an AWESOME digital/computer forensic focused show, I'm new to it but the few I've heard are VERY good.
Share your Test-Hack strategies in this thread. Can you get to the end?
More AntiOnline Spotlight Discussions
Also, be sure catch up on today's posts
. Not a member? Join today!