Thursday, June 28, 2007

Web 2.0: The Machine is Us/ing Us

This video illustrates the power of Web 2.0 and its many features available to developers and non-developers alike. According to Wikipedia, "Web 2.0, a phrase coined by O'Reilly Media in 2003...refers to a perceived second generation of web-based communities and hosted services — such as social-networking sites, wikis and folksonomies..." In short, Web 2.0 is a term that describes a framework of various technologies that facilitate collaboration and the sharing of applications, reusable components, and data between users. Enjoy!

Wednesday, June 27, 2007

InfoWorld Video on Web 2.0: Mashups in the Enterprise

Eric Knorr of InfoWorld interviews the CEOs of Kapow, StrikeIron, and Teqlo. They discuss their use of mashup technology and its value to their respective enterprises. (April 18, 2007)

Friday, June 22, 2007

Layer 2 Encryption

From Tech Republic (June 20, 2007): "OSI Layer-2 Encryption: Security goes one layer deeper"

Take away: "Encryption over Ethernet is emerging as a new solution for powering secure networks. Increasingly being adopted for military and critical networking infrastructures, Layer-2 encryption helps offload complexity and reduce maintenance charges...Now, networking companies are offering solutions that encrypt data right down at the packet level. 256-bit Advanced Encryption Standards and other cryptographic algorithms are being used to secure data packets traversing across sites (i.e. Metropolitan Ethernet and Wide Area Networks)."
Short post with more information: http://blogs.techrepublic.com.com/tech-news/?p=687

From Tech News World (June 19, 2007): "Ethernet's New Security Layer"

Take away: "The ability to apply the Advanced Encryption Standard (AES) across every data packet traversing a network is a powerful attraction of Layer 2 data encryption, particularly as stringent information security standards have now been mandated by a variety of legislative actions...In addition to 256-bit data encryption, one of the biggest benefits of the latest generation of Layer 2 encryption standards is the low impact they have on network performance."
Full story here: http://www.technewsworld.com/rsstory/57910.html

Thursday, June 21, 2007

Wireless Security

Many of the wireless security problems we hear about have to do with the use of weak encryption standards such as WEP. Although the newer WPA2 standard has significantly improved wireless security, other weaknesses in wireless devices, such as the vulnerability in Wi-Fi device drivers, still exist and remain a security issue if not patched. Aruba Networks has released a free Wi-Fi driver vulnerability assessment tool that helps you determine how secure your wireless devices are and which Wi-Fi clients need to be patched. The tool searches your PC or the entire network using the WMI (Windows Management Instrumentation) API and identifies every PC with a vulnerable wireless LAN device driver. For more information: http://labs.arubanetworks.com/projects/wifidenum/
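The same kind of WMI driver inventory can be sketched in PowerShell. This is an added example, not the Aruba tool's code: the `$MinFixed` baseline table and the `Test-DriverVulnerable` helper are hypothetical, and the vendor names and versions in the table are constructed placeholders to be replaced with values from your vendors' advisories.

```powershell
# Inventory wireless LAN drivers over WMI/CIM and flag versions below a baseline.
param([string[]]$ComputerName = @($env:COMPUTERNAME))

# CONSTRUCTED placeholder baseline: manufacturer substring -> first fixed driver version.
$MinFixed = @{
    'ExampleVendorA' = [version]'1.2.3.4'
    'ExampleVendorB' = [version]'10.0.0.50'
}

function Test-DriverVulnerable {
    param([string]$Manufacturer, [string]$DriverVersion, [hashtable]$Baseline)
    foreach ($vendor in $Baseline.Keys) {
        if ($Manufacturer -like "*$vendor*") {
            $parsed = $null
            # An unparseable version string is reported, never silently treated as safe.
            if (-not [version]::TryParse($DriverVersion, [ref]$parsed)) { return 'Unknown' }
            if ($parsed -lt $Baseline[$vendor]) { return 'Vulnerable' }
            return 'OK'
        }
    }
    return 'NoBaseline'   # no advisory data for this manufacturer
}

$results = foreach ($computer in $ComputerName) {
    $cimArgs = @{
        ClassName   = 'Win32_PnPSignedDriver'
        Filter      = "DeviceClass = 'NET'"   # network adapters only
        ErrorAction = 'Stop'
    }
    # Query the local machine directly; remote machines go through WinRM.
    if ($computer -ne $env:COMPUTERNAME) { $cimArgs.ComputerName = $computer }
    try {
        Get-CimInstance @cimArgs |
            Where-Object { $_.DeviceName -match 'wireless|wi-?fi|802\.11|wlan' } |
            ForEach-Object {
                [pscustomobject]@{
                    Computer      = $computer
                    Device        = $_.DeviceName
                    Manufacturer  = $_.Manufacturer
                    DriverVersion = $_.DriverVersion
                    Status        = Test-DriverVulnerable $_.Manufacturer $_.DriverVersion $MinFixed
                }
            }
    } catch {
        # Unreachable hosts stay visible in the report instead of dropping out.
        [pscustomobject]@{ Computer = $computer; Device = $null; Manufacturer = $null
                           DriverVersion = $null; Status = "QueryFailed: $($_.Exception.Message)" }
    }
}
$results | Sort-Object Status, Computer | Format-Table -AutoSize
```

Hosts that report `NoBaseline`, `Unknown`, or `QueryFailed` need manual follow-up; only `OK` means the driver was compared against a known fixed version.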

Additional free tools and information for assessing wireless vulnerabilities:

To check for SSID broadcasts and open or rogue access points, use NetStumbler: http://www.netstumbler.com/

A more powerful tool is Kismet, a wireless network detector, sniffer, and intrusion detection system all in one: http://www.kismetwireless.net/

Ethereal (now called Wireshark: http://www.wireshark.org/) can also be used for testing wireless traffic, but it must be used in conjunction with AirPcap (http://www.cacetech.com/products/index.htm).

Bluetooth devices (mobile phones, PDAs, wireless keyboards, etc.) are susceptible to eavesdropping and attacks. To test the security of your devices, consider using BlueScanner for Windows (http://www.bluescanner.org/) or BlueSniff for Linux (http://bluetooth.shmoo.com/).

For penetration testing, auditing, and patch management, security managers should be aware of the Metasploit Framework, which is a collection of tools, libraries, modules, and user interfaces that automates testing or exploitation (depending on which hat you wear): http://metasploit.com/

For more information on security, check out the SANS Institute (http://www.sans.org/). They have an extensive collection of free resources (white papers, video/podcasts, RSS feeds) and they offer a variety of security training classes. For example, their GSEC class discusses most of these tools.

One final note: this article, "Practice 'safe surfing' with public Wi-Fi signals," will help you assess the risks of using public Wi-Fi and, more importantly, provides a step-by-step guide for configuring your laptop and limiting your risks when connecting to a wireless hotspot: http://WindowsSecrets.com/comp/070614

Stay safe!