I've commented on other posts on this site about the security issues with URL shortening services. My main issue is that you don't know what clicking that link could mean from a security standpoint. With all the client-side attacks going on, clicking on anything should make you wary.
When I learned of ShadyURL.com on Twitter a few days ago I thought it was great. ShadyURL is yet another URL shortening service but with a "suspicious and frightening" naming convention. For example, I created a link to this post and it came out as http://5z8.info/toosexyfortv.mov_x4a8y_stalin-will-rise-again
Now if I need to use a shortening service (which this doesn't really do; it might actually make the new URL longer than the original one), I'll use ShadyURL.
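An added example, not part of the original post, of the check a practitioner would want before clicking any shortened link: walk the redirect chain with requests that do not auto-follow redirects, so the real destination is known without rendering anything. The `fetch` callable and the `short.example` hosts are constructed stand-ins so the code runs offline; with a live fetch, `requests.head(url, allow_redirects=False)` would fill that role.

```python
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin, urlparse

# A fetch callable returns (status_code, headers) for one URL WITHOUT following
# redirects. Kept pluggable so this example runs offline; a real one would be an
# HTTP HEAD with redirects disabled.
Fetch = Callable[[str], Tuple[int, Dict[str, str]]]

REDIRECT_CODES = {301, 302, 303, 307, 308}


def expand_short_url(url: str, fetch: Fetch, max_hops: int = 10) -> List[str]:
    """Return the list of URLs visited, from the short link to the final
    non-redirect destination. Loops and overly long chains raise ValueError;
    both are themselves worth treating as suspicious."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, headers = fetch(chain[-1])
        if status not in REDIRECT_CODES:
            return chain
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if not location:
            raise ValueError(f"redirect {status} without Location at {chain[-1]}")
        # Location may be relative; resolve it against the current URL.
        location = urljoin(chain[-1], location)
        if location in seen:
            raise ValueError(f"redirect loop at {location}")
        seen.add(location)
        chain.append(location)
    raise ValueError(f"more than {max_hops} redirects starting from {url}")


def destination_host(chain: List[str]) -> str:
    """Host of the final URL, the part a user actually needs to judge."""
    return urlparse(chain[-1]).hostname or ""


# Constructed offline stand-in for HTTP responses (hypothetical hosts):
# a short link that bounces through a second shortener, and a redirect loop.
CONSTRUCTED_RESPONSES = {
    "http://short.example/abc": (301, {"Location": "http://other-short.example/xyz"}),
    "http://other-short.example/xyz": (302, {"Location": "/landing"}),
    "http://other-short.example/landing": (200, {"Content-Type": "text/html"}),
    "http://loop.example/a": (302, {"Location": "http://loop.example/b"}),
    "http://loop.example/b": (302, {"Location": "http://loop.example/a"}),
}


def offline_fetch(url: str) -> Tuple[int, Dict[str, str]]:
    return CONSTRUCTED_RESPONSES.get(url, (404, {}))
```

Printing `expand_short_url("http://short.example/abc", offline_fetch)` shows every hop, which is the information a shortened link hides from the person deciding whether to click.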
Friday, February 19, 2010
Thursday, February 18, 2010
Buzz Killer (Disable Google Buzz)
Google has now added a way to disable Buzz from the settings area in your Gmail account. Once in the settings area select the last tab Buzz and click on the red "Disable Google Buzz" link.
A confirmation window opens asking if you would like to "unfollow" on Buzz, Reader and other Google services. This option is enabled by default so be careful.
I didn't notice that and now I've lost all the folks I was following in Reader. Maybe it's time I find another RSS reader. :/
Labels:
Buzz Killer Google
Tuesday, February 16, 2010
Moved my blog to a new host.
If you noticed a change on the site or had some DNS issues in the last 24 hours, it was due to me moving my site. Everything should be working now, although some posts were hurt in the migration of this blog. If you find something broken please let me know.
It's been a while since I made the time to write. But I'm starting to cut back on all the extra stuff that has been eating up my time the last several months. I plan to start writing more frequently and also post some more video tutorials.
If you have any tips on how I can make this site better please feel free to email Thomas at Nicholson Security and thanks for stopping by...
Wednesday, September 23, 2009
What does being a "security professional" have to do with security?
Yesterday I read this article on CSO Online entitled "7 Ways Security Pros DON'T Practice What They Preach." I knew by the title that I was going to have issues. Information security is about the confidentiality, integrity and availability of data, NOT job titles. This is like pointing out oncologists who smoke or law enforcement officers who get speeding tickets. People are people, not job titles. When I read through the "7 ways" I didn't see anything that didn't apply to everyone else. The article read as if someone who is a security professional is different from another employee with security awareness training.
Also, when discussing security you need to remember that nothing is 100%, and so we have to pick our battles. My favorite was the hit on URL shortening services. These services are very popular with the Twitter crowd due to the limited number of characters allowed. They seem to think that clicking on a hyperlink that says "tinyurl.com/83jd9" is less safe than clicking on a hyperlink that says <a href="evilurl.example.com">Free Windows 7</a>.
The issue that I've written about several times has to do with educating everyone, "Security Pros" and "Joe/Jane User" alike, and knowing what data we need to protect and how to protect it. Maybe the person clicking on the TinyURL link is running a browser in a sandbox on a hardened host. Odds are even a malicious link won't cause any harm.
Complicated fads and false promises are not the solution. I think we have all learned that security professionals are human and creatures of convenience like the rest of us. As it's been said time and time again, security that is anything but simple and transparent isn't going to work. If you want us to encrypt our storage devices, then you'll need to make it work like the unencrypted storage devices we have today. If you want us to use strong authentication, it will need to be easier than the passwords we use today.
Bottom line is that, like everything else, security should make our lives easier, not harder. We shouldn't need two sets of standards, one for security professionals and one for non-security professionals. Security should be "built in" and an effect, not a cause.
Labels:
Rant
Wednesday, August 5, 2009
It's about the data not the technology.
I was asked about the best way to secure a computer yesterday and caught myself going into a list of security software, hardware and best practices, when my answer should have been a follow-up question: What kind of data do you want to protect? We so often get caught up in all the cool security technology that we forget the reason for the technology is to support the goal of protecting our information.
When I started in computers in the 90’s I built a few custom systems for various people and businesses. My first question was always the same to both groups. What do you plan to use the computer for? After I got that question answered, I could ask the right questions about software and hardware to give them the “solution” they needed.
I think we need to make more of an effort to get back to that. I think the first question that should be asked of anyone, individual or business, is what kind of data do you plan to store, process and transmit? Only after knowing the answer to that question can we start to ask the right questions about software and hardware and recommend the right "solution" to customers.
I know that sometimes the right questions are asked. I know that many businesses and individuals are doing the right things when it comes to security. My question is how do we get everyone else on board? Vendors sell solutions. The problem as I see it is nobody bothers asking the right questions, thus nobody knows the right "solution" for the customer.
Let me know what you think in the comments.
Labels:
News