MailWall - Mail protection, security and redundancy service
 

 Some quick links to Testing your system's security - CLICK HERE

Spyware Dissected: The Worst Spyware Programs on the Internet
Rather SCARY -- but a must-watch e-seminar!

Home PC Firewall Guide Personal firewall guide)
Firewall Leak Tester
Matousec's Comprehensive List and Analysis of Personal Windows Firewalls

File Research Center -- Free File and Process Information
Provides a free scanning service to identify what is running on your computer, plus free information about safe and unsafe files, processes, services, spyware, adware, malware, trojans, and other programs that may be on your computer.

10 things you should do to a new PC before surfing the Web

The top 10 security land mines

• Inside the Windows Vista Disk Encryption Algorithm - Windows Vista Enterprise and Ultimate editions use Bitlocker Drive Encryption, which encrypts all data on the system volume. At the heart of Bitlocker is the AES-CBC + Elephant diffuser encryption algorithm.
• The Long-Term Impact of User Account Control (in Windows Vista) - What UAC appears to be, what it is, and what it is not.
   
• The top 10 reasons Web sites get hacked
• The short life and hard times of a Linux virus - "Why aren't the existing Linux viruses anything more than a topic for conversation? Why don't they affect you in your daily computing in the way that MS viruses affect Windows users?"
• 5 ways to win the PC security battle
• BD-BrandProtect - Protect your precious marketing brand online
   
• Protecting Australian Families Online
  NetAlert is part of the Australian Government's ongoing commitment to providing a safe online environment for all families, especially children.
  • Advice about protecting children online - Internet content filters are only one part of online safety. NetAlert provides practical information and advice on how to keep children, and your family, safe online
  • Information about free internet content filters - how to choose the best internet content filter for you and your family.
• Safe online havens for kids - At a time when cyber stalking is daily news, it's no wonder parents are often confused about which websites they should let their children visit. But if you want to stay on top of what kids are doing online without being too intrusive, and be able to make occasional cool suggestions, read this article.
   
• 10 Things Everyone Should Know About Bank Errors - Whether money is accidentally put in your account or taken out, this article can help you know what to do so your finances and those of others remain secure.
   
• OpenID ...
• Beginner's guide to OpenID phishing - OpenID is a web-based, distributed authentication protocol set to become a standard way of signing in to websites. OpenID enables you to keep control over your own identity by separating identity 'providers' and 'consumers'. You register your 'identity' or 'account' at a single OpenID provider and then you have instant access to a vast array of service providers that are OpenID consumers. However, OpenID is also highly susceptible to phishing attacks in the way it is currently used.
• The Identity Corner >> The problem(s) with OpenID - "OpenID is pretty much useless. The reasons for this are many: OpenID is highly vulnerable to phishing and other attacks, creates insurmountable privacy problems, is not a trust system, suffers from usability problems, and makes it unappealing to become an OpenID consumer."
  
• Security or Compliance? - The current regulatory environment is strongly impacting their organizations, the majority of departments are not conducting annual security-related compliance activities. An overly heavy focus on compliance can weaken the overall security posture.
• Most Damaging Attacks Rely On Stolen Log-ins - Attacks based on logging in with stolen or hijacked credentials cost businesses far more, than the typical worm or virus assault. More than 8 out of every 10 computer attacks against businesses could be stopped if enterprises checked the identity of not only the user, but also the machine logging onto its network.
• Security and Privacy: Twins of Different Mothers - This article discusses how security and privacy professionals can get beneficial results by closely aligning their work.
   
• How to Save the Internet
• ICT Security Standards Roadmap
  
  
• Escaping email hell - "Outside of the sex trade, Viagra is probably not considered an essential daily ingredient for promoting workplace productivity. But that doesn't stop most of us having to sift through countless emails each day, offering us the virility miracle-drug at a low price or enticing us to receive large deposits in our bank accounts from former African despots. Email promised to make business faster, cheaper and more efficient. Yet increasingly Australian businesses and their employees are frustrated by the amount of time email and other "time-saving" technology is taking."
   
• Rootkits ...
  • The Doomsday Machines of Malicious Software (about rootkits)
  • Rootkits: Invasion of the Windows Snatchers - "A rootkit is a malicious program that uses system hooks to conceal its presence on the system. For instance, it monitors if the user opens the Windows Task Manager in order to keep itself out of the list of processes. It filters directory listings to remove its own files from them. The rootkits could be everywhere, living among us, and we wouldn't know!"
  • Sophos Anti-Rootkit (Version 1.0, August 2006) - a FREE tool to eliminate "rootkits" (potentially malicious hidden applications and processes) >> Sophos Anti-Rootkit user manual
     
• Fundamental Computer Investigation Guide for Windows - discusses processes and tools for use in internal computer investigations. It also presents an applied scenario example of an internal investigation that uses Windows Sysinternals
• Sysinternals - provides advanced utilities, technical information, and source code related to Windows NT/2000/XP/2003 and Windows 9x/Windows Me internals "that you won't find anywhere else." (Mark Russinovich and Bryce Cogswell alone write and update everything on this site.) ... [Webmaster: SysInternals was purchased by Microsoft in August 2006]
  • RootkitRevealer - an advanced Rootkit detection utility. (The term rootkit is used to describe the mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempt to hide their presence from spyware blockers, antivirus, and system management utilities.)
     
• Nessus - "the world's most popular vulnerability scanner used in over 75,000 organizations world-wide. Many of the world's largest organizations are realizing significant cost savings by using Nessus to audit business-critical enterprise devices and applications. The Nessus Project was started in 1998 to provide to the internet community a free, powerful, up-to-date and easy to use remote security scanner."
   
• The 10 Most Common Internal Security Threats - While external threats are as virulent as ever and need to be guarded against with firewalls and other defences, it is very important to pay attention to internal weaknesses.
   
• InternetPerils. - offers products for Internet business risk management ... "to quantify and visualize heretofore invisible perils and anomalies in the Internet, giving risk managers in IT and finance departments the ability to identify, track and analyze adverse performance episodes and service interruptions beyond the firewall and thus beyond their direct control."
   
• Security expert recommends 'Net diversity - the latest security threats and what network executives can do to mitigate them. "The whole enterprise is no longer an island; it's an archipelago of islands that need to be protected individually, even down to the single-machine level. This means that you have to treat all of those machines as outside your perimeter for purposes not only of protecting them but of protecting your other machines from them. So when somebody comes back in with a laptop after they've been off-site, you can't trust it simply because it's a company-issued laptop unless you have applied specific control measures. This mode of thinking has to go down to the individuals who are using the systems.... With network diversity, they won't have to reboot the entire enterprise. In fact, if they have diversity and appropriate alarms in place, they may detect the attack sooner."
   
• Microsoft Security Corner, for Various Types of Organization ...
  • Six Easy Pieces for Computer Security - This article from Microsoft presents six easy steps that every company should take to enhance computer security in terms of getting the proverbial biggest bang for the security buck. Each suggestion is described in some detail with links to more in-depth treatments, templates, and tools.
  • Security Guidelines for Professional Services Firms - When it comes to security, professional services companies are hampered by tight IT budgets, an ever-increasing amount of content, and a lack of dedicated security personnel. Protecting data at services firms may require a melding of technology and services to get the job done. This article offers some guidelines to help midsize professional service firms.
  • Key Steps to Protecting a Financial Services Company - Few organizations face more or greater security threats than financial services companies. Here are the first and most important steps every financial services business should take to safeguard its customers, protect its assets, and comply with regulations.
  • How to Evaluate Your Supply Chain's Security - Is your IT network's security at risk from outside partners and suppliers? Learn how you can help protect your business.
  • Government Security Computer Checklist - This checklist outlines the seven security matters that every government organization should address in attempting to protect its computer systems.
  • Government's Big Security Challenge: Keeping Data Private - The realm of government IT security is expanding into the realm of secure and reliable communications in times of citizen crisis. IT teams must guard against security failures that will erode public trust. This article outlines the key components that comprise the ever-growing task list of government IT teams and provides three areas those teams should focus on when it comes to security -- both now and in the future.
  • Security Guidance Center for Education - Get the prescriptive technical guidance, tools, training, and updates you need to plan and manage a security strategy that's right for your school or university.
     
• Blasting away security myths - Roger A. Grimes is always amazed by security myths -- like "security by obscurity" not working -- that are propagated as fact by readers, instructors, leaders, and writers. He says: "Too many computer defenses and books concentrate on the wrong problem -- the hackers instead of the malware. How can anyone give you the correct defense if you don't understand the correct problem?" and he points out the biggest security threat to any environment, plus the single best thing you can do to prevent malicious e-mail attacks.
  • 100+ Potentially Malicious Windows File Extensions
    
    
• Deconstructing Common Security Myths - Security is everyone's responsibility, and there are things that we all can do to create a safer computing environment. This article from Microsoft discusses common security myths, major new security technologies, and best practices for improving security in your infrastructure.
   
• Security is Easier — And Crooks Are Dumber — Than You Think - "Most people just don't make use of the technology they have available. They could prevent 95 percent of their problems by making a few simple changes in the way they do things with what they have already. ... You will still have problems, but with the basics in place you can start to deal with defense-in-depth measures, ... We have so much sitting in front of us that we ignore. Tools like access controls, which limit user and remote access to networks, are available but don't get used."
   
• Is encryption really crackable? - For a secure E-Commerce transaction, the data being transmitted is moot after a few decades which is why 128-bit encryption is perfectly suitable since it's considered unbreakable for the next few decades.  For top secret classified data that needs to remain secret for the next 100 years.
• TrueCrypt - FREE open-source disk encryption software for Windows XP/2000/2003 and Linux.
• Kruptos 2 - a FREE, powerful 128-bit file encryption utility for Windows XP/2000/200 that allows you to secure any sensitive files stored on your PC or portable storage device, including a file shredding utility and the ability to generate self decrypting files.
• Encrypt your files to keep them safe - When using a computer, privacy is paramount. And even more so if you run your own business. Discover how you can help protect private customer and financial information by using its Encrypting File System (EFS) with Windows XP Professional.
   
• A  Day in the Life of an Information Security Investigator - Follow an Information Security Investigator as he recounts his unique experiences working with federal, corporate, and military institutions and provides his perspective on the security issues impacting the IT industry today.
   
• NITRD - U.S. National Coordination Office for Information Technology Research and Development
  • PITAC - President’s Information Technology Advisory Committee
    • Cyber Security - A Crisis of Prioritization (28 February 2005)
       
• Top tips for security staff - every worker should be aware of these security practices
  
  
• A Taxonomy of Privacy - "Privacy is a concept in disarray. Nobody can articulate what it means. As one commentator has observed, privacy suffers from "an embarrassment of meanings." Privacy is far too vague a concept to guide adjudication and lawmaking, as abstract incantations of the importance of "privacy" do not fare well when pitted against more concretely-stated countervailing interests. ... Privacy seems to be about everything, and therefore it appears to be nothing."
• The Right to Privacy (by Warren and Brandeis) - "The intensity and complexity of life, attendant upon advancing civilization, have rendered necessary some retreat from the world, and man, under the refining influence of culture, has become more sensitive to publicity, so that solitude and privacy have become more essential to the individual; but modern enterprise and invention have, through invasions upon his privacy, subjected him to mental pain and distress, far greater than could be inflicted by mere bodily injury."
   
• Eight Ways to Defend Against Pretexting (acquiring of personal information under false pretences)
• Pretexting (from Wikipedia, the free encyclopedia) - "Pretexting is the act of pretending to be someone who you are not, by telling an untruth, or creating deception. The practice of pretexting typically involves tricking a business into disclosing personal information of a customer, with the scammer pretending to be the customer."
   
  
• Patterns: IT Systems Management and Security (an IBM Redbook) - reviews the basic concepts of security component design, following the Method for Architecting Secure Solutions (MASS), and introduces the security system management service view together with Patterns for IT security management.
   
• Microsoft Expert Lays Down 7 Laws of ID Management - "The public is suspicious of most computerized identity verification systems because they are based on a jumble of policies and technologies that in many cases leave them vulnerable to identity theft. ... The computer industry shouldn't be surprised that the public has a fundamental distrust of computer passwords and log-on procedures because they provide so many opportunities to expose personal information and assets. ... Part of the problem is that companies ask people over and over again to provide personal information to gain access to essential services."
• Microsoft Identity and Access Management - a series of papers provides numerous identity and access management concepts, techniques, and solutions for use in heterogeneous IT environments.
• It’s Me, and Here’s My Proof -- Why Identity and Authentication Must Remain Distinct - this Microsoft article explores the concepts of identity, authentication, and authorization, helps you understand their important distinctions the increasingly common tendency to combine the first two.
• Kim Cameron's Identity weblog - "about identity in a virtualizing world" >> The 7 Laws of Identity
  
  
• Do you trust your administrators? - It’s a serious question, and it deserves serious thought. Can you trust the very people you hire to build, manage and keep intact the mission-critical networks upon which your business successes -- and even its very survival -- depend?
• Viruses: The New Weapon of Choice for Workplace Violence Offenders - in today's era of increased outsourcing, corporate downsizing, salary reductions and failed pension-plan promises, company networks are increasingly being attacked by disgruntled employees. In this hostile environment, searching for the source of sabotage should start inside. This article offers about workplace violence-prevention skills

• The Ponemon Institute (privacy specialists)
  • Ethical Information Managmement - "a process for ensuring trust and confidence in how a company’s leaders conduct business. Specifically, it has to do with the alignment of the privacy preferences of key stakeholders -- such as consumers, employees, the general public -- with business, data and technology management practices within the organization.
   
• Follow the dollars to IT security jobs - While some headlines might scream about a drop in job ads they don't reflect what's happening in the IT security sector. In the next five years guardians of IT security will almost double.
  
  
• The Australian Spam Act in Profile (Part 1) - looks at the Australian Spam Act, which came into force in April of 2004 ... how the Act is structured and how it is's already making significant progress in the ongoing battle against spam.
  
  
• Internet Telephony / VoIP ...
  • Can 9 Million Skype Users Be Wrong? - Corporate benefits, and security concerns. (The positives for, and negatives against, using Skype for VoIP, instant messaging and file transfer.)
  • SPIT Into This, Please ... SPAM over Internet Telephony - "Picture the world of voice traffic on the Internet as a dark and forbidding place, rife with mobsters, con artists and shadowy sellers of dubious products. ... Low costs brought on by outsourcing and offshoring, coupled with VoIP communications that are essentially free, can bring hundreds of calls from these people every day."
  • 'Severe' Vulnerabilities Are Possible in VOIP, Official Warns - The growth of VOIP technology brings with it some significant risks that users need to be prepared to address: open source eavesdropping tools, digital phone calls could be edited by digital voice editors (to add, remove or change words without any possibility of detection), bugging a room using on-hook audio (a technique in which hackers or spies can turn on the microphone in a VOIP handset while it remains on its cradle -- the phone would appear to be operating properly while actually transmitting every sound within its range to a remote site), vulnerabilities related to soft phones (software that works like a phone, running on a PC and therefore vulnerable to worms, viruses and Trojan horses, and that could spread these problems throughout the voice network(, and SPIT (spam over Internet telephony).
  • Privacy Guru Locks Down VOIP - Phil Zimmermann, creator of the wildly popular Pretty Good Privacy (PGP) e-mail encryption program, is debuting his new project, which he hopes will do for internet phone calls what PGP did for e-mail. ... The Public Switched Telephone Network (PSTN) is like a well-manicured neighborhood, (while) the internet is like a crime-ridden slum," Zimmermann said. "To move all of our phone calls from the PSTN to the internet seems foolish without protecting it."
  • Skype Security Evaluation - by Tom Berson of Anagram Laboratories ... "This paper contains the first authorized description of the Skype cryptosystem. Skype P2P sessions are encrypted end-to-end at the session layer. Session keys are created using a key-agreement protocol which provides each peer with proofs of freshness and authenticity, and which allows each peer to contribute bits toward the session key. Authenticity and identity are rooted in the Skype Certificate Authority. We analyze the cryptosystem as of Skype Version 1.3. We conclude that is is generally well-designed and correctly implemented."
  
  
• Ten Not-So-Simple Rules For Using The Internet - "Even technically sophisticated users lose perspective on security at times. We all want breaches of security to be someone else's fault and we don't want to have to deal with the inconveniences of running a secure system."
• Reduce Your Risk: 10 Security Rules To Live By
• 10 Immutable Laws of Security
   
• The dangers of reactive security - Reactive security fails to protect, fails to respond in time, doesn't meet compliance regulations and is an example of overspending while under-protecting assets. ... "It's a malware world and we need to protect our systems from it. ... 24x7 data centers, VoIP, next generation PDAs, "smart" phones and P2P's expanding reach. ... Such technology creates increasingly complex systems that need a more proactive approach to security." The article offers six steps for organizations wanting to move toward a more strategic, proactive security model.
   
• Evolutionary Systems Design: Recognizing Changes in Security and Survivability Risks - "In the absence of countermeasures, a system’s security and survivability will degrade over time. Changes in the environment or usage of a system, or changes to the elements that compose the system, often introduce new or elevated threats that the system was not designed to handle and is ill-prepared to defend itself against. ... It is essential that significant risk management resources be devoted to the ongoing evolution of any mission-critical system. The successful evolutionary design of a secure and survivable system is dependent on the continual monitoring of the system and its environment to detect changes that may affect the risk management assumptions on which the system’s security and survivability are founded."
   
• Dealing with worst-case scenarios - "Imagine a natural disaster the likes of Hurricane Katrina or a terrorist attack on a major city wipes out business operations. In the mad dash to get back online as quickly as possible, security protocols and procedures take a back seat to regaining business continuity. And that's when a second catastrophe occurs: Information systems are vulnerable to attackers, who see an opportunity in the chaos as companies are forced to rely on backup operations (or even pen and paper). ..."
   
• Corporate focus on compliance could hurt security - "Companies that make regulatory compliance the sole driver of their information security efforts could be weakening their long-term security posture instead of improving it. ... Therefore, it's better to make compliance a by-product of a broader corporate security strategy -- not its sole end objective."
  
  
• To Convergence (and Back) ... Security convergence -- that is, the true meshing of physical and cybersecurity along with business continuity management -- is one of the most logical concepts that's been introduced to the security world in a very long time.
• Using Threat Analysis to Design More Secure Systems - See how to design and build more secure systems by evaluating threats and selecting technologies to counter those threats.
   
• CIOs Learn Very Little From Security Audits - Security experts agree that audits are only as strong as the instructions the auditors are given. Many are executed under such tight restrictions that they reveal little that the CIO didn't already know. ... A vulnerability assessment is in no way an audit. Vulnerability tests are generally about 13 to 15 percent as effective as an audit. ... "A lot of companies are spending money to pass the audit because they have to. They don't want to be secure. They don't care about being secure. You can be incredibly vulnerable and still pass an audit or assessment."
   
• ISACA - Information Systems Audit and Control Association - "a pace-setting global organization for information governance, control, security and audit professionals." ... ISACA has more than 47,000 members in 170 local chapters worldwide.
  • COBIT - "a generally applicable and accepted standard" for good IT security and control practices that provides a reference framework for management, users, and IS audit, control and security practitioners.
• COSO - The Committee of Sponsoring Organizations (of the Treadway Commission, USA) - "a voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance."
   
• Net visionary urges e-mail ID standard - Making mass e-mailers identifiable is the first step toward curing the epidemic of spam, said Vint Cerf, one of the architects of the Internet.
• How to Stop Spam - how AOL stops spam, and how they recommend that other ISPs should do it.
   
• Will Passphrases Foretell the Death of Pa55.W0rd5?  (Passwords) - How long and complex should a password be? At what point is it effectively uncrackable?
• Bill Gates predicts death of the password and Password imperfect
• Finding a replacement for passwords - As online scams get more sophisticated, passwords are becoming hopelessly outmoded ... Yet many businesses and nearly all consumers still rely on passwords as the primary means of verifying who they say they are.
   
• What Two-Factor Authentication will do and won't do - Bruce Scheier explains: "Passwords just don't work anymore. As computers have gotten faster, password guessing has gotten easier. Ever-more-complicated passwords are required to evade password-guessing software. At the same time, there's an upper limit to how complex a password users can be expected to remember. About five years ago, these two lines crossed: It is no longer reasonable to expect users to have passwords that can't be guessed. For anything that requires reasonable security, the era of passwords is over. ... Two-factor authentication solves this problem. It works against passive attacks: eavesdropping and password guessing. ... What two-factor authentication won't do is prevent identity theft and fraud. It'll prevent certain tactics of identity theft and fraud, but criminals simply will switch tactics. ..."

• Which is more secure - Windows or Linux? (Microsoft scores well on security analysis) ... Which platform will save you from the nasties?
• Why Linux Is More Secure Than Ever
• Linux is insecure. Open source is insecure. Windows is insecure. All software is insecure. Deal with it.
   
• Microsoft's Security Response Center - How Little Patches Are Made - how Redmond handles the creation of software patches—and an explanation for long delays in fixing known vulnerabilities.
• Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP - This guide is intended primarily for consultants, security specialists, systems architects, and IT professionals who are responsible for the planning stages of application or infrastructure development and the deployment of computers that run Windows XP or Windows Server 2003 in enterprise environments, not for home users. (The guide is a companion to the Windows Server 2003 Security Guide and the Windows XP Security Guide )
  
  
• Security Protocols - catching security bugs in software products
• An Applications View on Security - the only completely protected machine is one that's disconnected from the network and preferably turned off. ... Two factors intensify the hazards facing enterprise development professionals. First, the growing dominance of Web-enabled applications exposes developers' finished products to a vastly larger army of attackers. Second, the rapid development cycles of customer-facing or supply-chain-partnering software mean that most new code is never really finished at all.
• SPI Dynamics - a leading provider of Web application security testing products. A suite of application security products and services that support the entire Web application lifecycle, from development and quality assurance to deployment, ongoing operations management and auditing.
  
  
• Microsoft says: Firewalls are leaking - ""We are all bloody lucky that something hasn't obliterated IT on earth. ... Firewalls are like retarded routers. They just look at the ports, sources and destinations they like. If a train comes from Gare du Nord [Paris] to Waterloo [London] via Eurostar you allow it to enter the country because you trust it. That's what firewalls currently do. They don't check to see if al-Quaeda is riding inside."
• Home PC Firewall Guide - access to basic information about and independent, third-party reviews of Internet security and privacy products for home, telecommuter, and SOHO (small office, home office) end-users.
• You Need a (properly configured) Firewall - A firewall's wizards are helpful but can't make every decision. A wrong choice can create a false sense of security.
• The Need for Internal Network Security (webcast) - Recent findings indicate that between 50 - 80% of all network attacks originate from inside the enterprise. Hear what steps can you take to address the security challenges unique to internal networks.
• Firewalls a distraction (says a security researcher) - a preoccupation with firewalls for information security is dangerous because it can divert attention and resources away from locking systems down.
  
  
• Spyware: IT's public enemy No. 1 - What's the biggest threat to business networks in 2005? Front-line IT managers and security firms increasingly peg spyware as public enemy No. 1.
• The Chaotic World of Defining Spyware - Anti-spyware vendors each use different criteria for classifying spyware applications, leading to chaos, confusion and a drastic increase in legal threats. "Today, the industry uses different approaches, definitions and types of criteria for identifying and categorizing spyware and other potentially unwanted software, which limits the industry's ability to have a broad, coordinated impact in addressing the problem."
   
• Tech companies feel the heat - Spyware problems have become especially pernicious, leaving tech companies [hardware, software and service providers] scrambling to respond to customers who don't necessarily realise they have spyware. ... The companies are concerned about the cost of dealing with such calls. But perhaps more worrisome, they fear customers will wrongly blame them. .. Forrester Research said a spyware-related support call can cost $US15 to $US45, and companies may lose business.
   
• New Scam Tactic Hits Online - In the escalating clash between online scammers and security vendors, the attackers have once again developed new tactics that give them the upper hand in bypassing filters and infiltrating corporate networks, experts say. The new techniques involve the use of a process called steganography, or embedding or hiding text in an image. In some cases, the image files include hidden code designed to exploit known vulnerabilities in e-mail clients and Web browsers.
  
  
• Enemies in Disguise - be wary of portable storage devices such as iPods and USB flash drives. ... These devices can present serious security threats: Not only could disgruntled employees use them to download massive amounts of sensitive corporate data, but they could also be used to introduce viruses into the network.
• Device Trails - How Windows Remembers Your Connections ... Modern hardware devices contain information that assists the operating system in finding appropriate drivers  — and intruders in finding out who was doing what when. This article explains how via Plug-and-Play (PnP) works for Vista and earlier versions of Windows, device forensics, and the related security exposures.