Legal: Privacy Lessons from the Twitter Breach

Earlier this year Twitter was hacked. Below are three recommendations from the FTC that would apply to most businesses.

Three Steps to Protect Your Business

What can you do to protect yourself from the FTC and claims by your users?

Read your privacy policy. Many website owners do not know what their privacy policy requires them to do. You must understand what your privacy policy says and what it is requiring you to do.

Develop an internal policy. You should have an internal administrative policy that all employees should follow that address storage, use, types, and periodic changes of passwords. Also, it should address use and access of personal information collected from the users and where that information is stored.

Disclose uses of data collected. Address in your privacy policy how you plan on using data collected, including the following points:

Individuals should be clearly advised of the type of personal data being collected;
The intended uses and users of personal data should be identified;
Describe the security measures intended to protect the personal data from unauthorized access;
Describe a means through which users can review their personal data and correct or contest it;
Special measures need to be included for personal information of children if it is collected. Companies that collect data from or about children should provide a means through which parental authorization will be obtained.

This is not an exhaustive list of items and you should review your privacy policy with “standard reasonable security practices” in mind. You should periodically review and audit your procedures to see what is working and what is not working. You should determine if you are continuing to consistently do what you said you would do in your privacy policy. Also, if you share any user information with other companies, you should have contracts with those companies requiring that user information be protected at a minimum under your privacy and security measures, and limit use of the information.

You can read the full article here at Practical eCommerce: http://www.practicalecommerce.com/articles/2321-Legal-Privacy-Lessons-from-the-Twitter-Breach-

SecurityTube.net - Metasploit Megaprimer- 300+ mins of video tutorials

Vivek has posted a megaprimer on Metasploit on his video blog SecurityTube.net. The info below was taken from The Ethical Hacker Network form found here: http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,6158.0/

Note that this series is still in progress and you can keep checking for the latest videos on SecurityTube http://www.securitytube.net

Below are the video links and a short description:

1. Metasploit Megaprimer (Exploitation Basics and need for Metasploit) Part 1

http://bit.ly/b2Y2pE

2. Metasploit Megaprimer (Getting Started with Metasploit) Part 2

http://bit.ly/bLgTOm

3. Metasploit Megaprimer Part 3 (Meterpreter Basics and using Stdapi)

http://bit.ly/9sjqqH

4. Metasploit Megaprimer Part 4 (Meterpreter Extensions Stdapi and Priv)

http://bit.ly/97f1U3

5. Metasploit Megaprimer Part 5 (Understanding Windows Tokens and Meterpreter Incognito)

http://bit.ly/anbODH

6. Metasploit Megaprimer Part 6 (Espia and Sniffer Extensions with Meterpreter Scripts)

http://bit.ly/c4A4Eg

7. Metasploit Megaprimer Part 7 (Metasploit Database Integration and Automating Exploitation)

http://bit.ly/bT1uD5

8. Metasploit Megaprimer Part 8 (Post Exploitation Kung Fu)

http://bit.ly/dicJzI

9. Metasploit Megaprimer Part 9 (Post Exploitation Privilege Escalation)

http://bit.ly/asr1ML

10. Metasploit Megaprimer Part 10 (Post Exploitation Log Deletion and AV Killing)

http://bit.ly/bvCudb

11. Metasploit Megaprimer (Post Exploitation and Stealing Data) Part 11

http://bit.ly/auwtBm

12. Metasploit Megaprimer Part 12 (Post Exploitation Backdoors and Rootkits)

http://bit.ly/a7n8nw

13. Metasploit Megaprimer Part 13 (Post Exploitation Pivoting and Port Forwarding)

http://bit.ly/9mOztm

14. Metasploit Megaprimer Part 14 (Backdooring Executables)

http://bit.ly/bZxwgK

15. Metasploit Megaprimer Part 15 (Auxiliary Modules)

http://bit.ly/du779R

16. Metasploit Megaprimer Part 16 (Pass the Hash Attack)

http://bit.ly/d7bdZi

Please do let me know your feedback!

Everything you wanted to know about getting and keeping security clearance.

How many times have you found an actual security related job posted on the Internet only to read in the following requirements:

"Currently hold a Secret Security Clearance or higher"

or

"Candidate must be a U.S. Citizen and have the ability to obtain a Security Clearance if one is not currently held. Current Ts/SCI Security Clearance is a plus."

If you're ex-DoD, you might meet that requirement. If you're an experienced security professional, you might have had a company pay for you to get security clearance along the way. But if your a transplant or new grad you're stuck.

This isn't just a requirement for DoD, which is one of the largest employer in my area, but also for private industry. For example we have a lot of Pharmaceuticals and High Tech companies that require security clearance as well.

The question I get from frustrated friends and students is how do I get clearance? My usual answer is find a company to sponsor you, as it isn't cheap. But this morning I found a handbook that explains how to obtain, keep and re-activate (if you had it and let it lapse) security clearance. You're still better off finding a company sponsor but this will give you an idea of the process.

This Security Clearance Handbook 2010 (pdf) was assembled by the University of Fairfax. I would go into more detail about the contents of the handbook, but then would would be the point of linking to it. This handbook should answer most of the questions you have about security clearance.

If you have experience obtaining, maintaining, or re-activiating your security clearance and you would like to share your experience, please post in the comments.

Programming Paradigms at Stanford

Ever wonder what happens when you assign a value to a variable? No, I mean like where is it in memory. What does the binary string look like? What is the difference between an int and a short that are assigned the same value? Well, I guess I'm the only one that does but if you do to check out the Programming Paradigms class lecture video's from Stanford. They're really good and cover all the details. It's a little fast paced for me so I usually play the videos over two or three times but they have lots of great information in them. Not anything language specific but they cover stuff relevant to Assembly, C/C++, Python, etc.

Yet another URL shortening services...

I've commented on other posts on this site about the security issues with URL shortening services.  My main issue is that you don't know what clicking that link could mean from a security stand point.  With all the client side attacks going on, clicking on anything should make you weary.

When I learned of ShardyURL.com on Twitter a few days ago I thought it was great.  ShadyURL is yet another URL shortening service but with a "suspicious and frightening" naming convention.  For example I created a link to this post and it came out as http://5z8.info/toosexyfortv.mov_x4a8y_stalin-will-rise-again

Now if I need to use a shortening services(which this doesn't really shorten it might actually make the new URL longer than the original one)I'll use ShadyURL.