Video and other interactive multi-media applications require more powerful CPUs (processors) and more and more RAM (memory). These days, anything less than 4GB of memory slows things down, except for the smaller and limited capabilities of Net Books.

The question becomes then, “what do I do with my old computer?”

Many people choose to use it for appli-ance applications. Perhaps you would like to add Netflix, Hulu or other legal on-line movie streaming to one of your TVs. An older computer is just fine for that. Even ‘G’ level wireless will work for all but the highest High Definition streaming. The best way to do this is to completely start from scratch. Reinstall your operating sys-tem with the original discs, update the ser-vice packs (Mac, PC, Linux) and add anti-virus, anti-malware and the other basic security software you need to protect your computer.

But what if it’s so old it’s not even worth keeping…

Here are some options:

• Sell it on eBay or craigslist and get a few dollars.
• Give it to a school or charity organization.
• Put it at the curb and let someone pick it up.

And then just forget about it.

Until… perhaps…SURPRISE! You find your bank account has been accessed or your credit cards maxed out, or other personal or business data has been compromised; all without your knowledge.

What went wrong?

You may have forgotten that while the box is no longer of any value to you, the real val-ue is the information on the hard drive.

But you deleted everything from the hard drive. Right?

Sorry. Delete is not the same as erase.

Data recovery programs and experts know exactly how to get that deleted data because it is actually still there on the drive.

Some operating systems, such as Mac OS X and Vista will perform a secure erasure, but the security aware person will take an extra step… just to be sure.

Just as it’s recommended to completely cleanse and reformat an older machine be-fore putting it to use elsewhere, as discussed above, it’s a modern-day necessity to reformat the drive and perform a complete data wipe or erasure - if you want to sell or give it away. If you are just throwing it away, you should physically destroy the drive.

The U.S. Department of Justice (to name only one of thousands of victims) discovered this problem the hard way. They disposed of older machines only to find that confiden-tial information from the Witness Protection Program was discovered by an honest (fortu-nately) buyer at a flea market. Countless law enforcement agencies, corporations and indi-viduals from around the world have all been victimized by their own carelessness or lack of awareness.

Simple Lesson: If you’re going to donate it, use a free secure erasure program from a safe site like www.download.com. Otherwise destroy the hard drive. It’s actually an interest-ing project to take a hard drive apart and see what makes it tick. Very few bad guys have the time, money, skill or desire to put a drive back together.

Just do a search on Google for destroying a hard drive. You will find many creative, effec-tive and surprising methods. Or, you could just use a sledge hammer. It’s quite effective!

For more information on Simple Security Awareness, check out my company site or one of my books.

SS: Cyberwar. We knew. from The Security Awareness Company on Vimeo.

Simply Security: Once Is Never Enough from The Security Awareness Company on Vimeo.

Check out this first episode of Simply Security.

Simply Security: Flying in the name of Awareness from The Security Awareness Company on Vimeo.

Let me know what you think!

www.thesecurityawarenesscompany.com

The DHS announced it wants to hire 1,000 security experts to defend the critical infrastructure of the U.S.  Then a number of criticisms appeared saying, “there aren’t 1,000 security experts in the whole wide world!”

Oops!

Security is a Wide Area and there are all sorts of experts – not one master set of skills that you can find on any single resume.

A few years ago ~1994 I was at dinner with Mr. Ex. (Don’t want to embarrass him cause he still claims he is the smartest of us all.)  I had only been in the field about 10 years and was learning… as we all still are every day. He told me, “I know everything there is about security….” ad nauseum.  NONE OF US DO! (I choked on my Ratatouille but kept PC-ish and moved my plate to another table.)

The error here is with DHS PR. Some wonk used the media term “security expert” (sans definition) and off we go in the wrong perception-description; just as we have allowed the media to blame every security incident on ‘hackers’ – clearly a massive nom-de-guerre error by any standard.

Once we allow them to lock in the term “security expert” as a catch all for anyone who can find the ‘on’ button or push Defrag or even do slick coding hacks, we are in trouble. No more than a company (or kinetic force projection outfit) can run on one set of expert skill sets, security itself (like any vertical technical discipline) is a highly granulated suite of skills that must be integrated.

A CND/CNA (Computer Network Defense/Attack) suite of expertise includes (at a broad stroke) many skills needed to deploy and Information Army

- Mapping People

- Cracking People

- Coding (CNA & CND)

- Reverse Engineering

- Social Engineering

- C3I

- Sniffers

- Readers

- Research

- Moles (yeah, C****, I****, P****** has none of those in our CIs)  (Note: the way the national letters come out…

- Analysts/Synthesizers

- Manufacturing (CNA)

- Distribution (CND/CNA)

- PR (!! Techy and accurate, not PC)

- Education

- Awareness

- Perception Management & PsyOps

- Failure Modeling

- Process Control

- Reconstitution

- DR

- Layered Technical Management.

- The interdisciplinary expertise needed from psychology, neural behavior, etc. etc. (Security is not technical, solely, not is it?)

- Yeah… and more good PR people who speak geek. (Not the usual wonks)

No one can do it all. No one has all of these skills. Period.

I worry much less about DHS acquiring 1,000 people with skills than them being able to find the right management who understand security, the temperament of the geek community and can last more than a handful of months in a culture designed to fail.

There are millions of people with the varied skills a well-organized Information Army (CND/A) needs. There are decidedly fewer people who know how to, or have even ever thought about to taxonomize the skills and organize them (skills and people) like a true business.

Get a free download of ‘Information Warfare’ at:  http://www.winnschwartau.com/downloads.html and take a look at Chapter 16.

Winn

My daughter and I are in Paris and she said she went to one when she lived here and it was one hell of a party.

“Let’s go!” It begins around dark with a half dozen key ‘party zones’.

We had dinner and bought a couple of bottles of wine (awesome red at $4) and off to the chaos. The streets were riotous in a good way. Gendarmes everywhere. Machine guns, too, in a good EU sort of way.

People carousing, drinking, open liquor everywhere… partay! But Ashley and I keep our wine in her “Hackers Are People Too” tote bag. The line to get into Luxembourg Gardens (a huge gorgeous public park) is eternal. Partay! Crazy music. Noise. Shouting. Honking. Traffic like… why the hell are you even driving?

I am thoroughly prepared for a French pat-down. Uzis around. So, yeah, I expect security. Aha! We’re at the gate. And what do the police want? OUR FRICKIN’ WINE!

No drinking in the public park… vin rouge is cascading down the streets… Uzis are everywhere… what are they trying to protect against?

Security Metaphor: Make noise in the East and take their wine in the West. (Sun Tzu) The massive presence of heavily armed police makes one feel reasonably protected (in a hit the ground quickly sort of way) and indeed, Nuit Blanche was 100% calm. There were no signs to indicate “intercict du vin” (no booze allowed) but that’s the beauty of Sun Tzu. An additional layer of unannounced security (that did p*** me off)  but completely understandable in retrospect. If an alcohol fueled riot had commenced inside Luxembourg Gardens, with only a handful of entrance/exits, the effects could have been most problematic. Nip it at the bud. Lessons to be learned.

Internet scammer, Richard Neiswonger, sold “business opportunities” to unsuspecting victims through massive telemarketing efforts. Through extended court proceedings, the judge has had enough. His order: “Give us your $3.2 Million house…now… or go to jail.”

It’s about time.

But… let’s reconsider jail as the knee jerk reaction to cyber criminals.

“Send the punk to the slammer!” about a 15 year old kid who hacked the wrong company.

“She deserves 5 years in prison…” for being part of a bot net.

I have severe problems with the auto-American answer of jail for every miscreant act – especially of the cyber kind.

I firmly believe in alternative sentencing and think that the perpetrators should suffer in some way. But send them to the Group W bench with father rapers and murderers? I think not. The cost to society is like $50K+ per year to lock up the non-violent offender where he/she will fine-tune his criminal skills and contacts. Education courtesy of our Justice system.

We have the technology. Let’s use it.

GPS ankle-bracelets. Let’s use them.

Education: smart guys know their technology but got misdirected. Let’s put them back on track and utilize their expertise and truly behave like we believe in rehabilitation. How many cyber-acts are truly terrorist oriented? We fail to make much distinction from the ADD teen and Al Qaeda.

Can’t use a computer from home? Put the sensors in the ankle bracelet. If he/she really needs the Internet (who doesn’t?) let’s create a unique mandated path that all of their traffic must go through and monitor the hell out of it. How many thousands of cyber-criminals can be ‘controlled’ through one heavily restricted server farm? (Think China.)

The costs are a small percentage of what we experience now… and think of many more plea bargains will come about with reasonable sentences instead of the horrors of jail.

We have the technology. We know how to do it. But do we have the will? We can also send them back to jail if all else fails.

I’ve been traveling in Europe and didn’t have a chance to comment. Well, I really chose not to work so much.

Sure, why shouldn’t we shut down the Internet?

Of course, I am referring to the hoopla about various interpretations of whether the U.S. government should be able to turn off the Internet in case of severe cyber-attack. A few problems to consider:

• What is ‘Severe’? Who decides?
• Can the Internet – even the U.S. portion - actually be turned off?

I’ve seen various discussions on these points but for now, let’s pretend that they don’t exist. There are other issues.

1. We teach home and business users that if they think they are infected with malware to disconnect their Ethernet or wireless connection immediately to stop the propagation. No one has a problem with that. It makes sense.
2. On 9/11, we shut down all air traffic in a matter of hours. No one had a problem with that. (Being stuck in Fargo, though, might have been a hassle. Think the Steve Martin movie, ‘Planes, Trains and Automobiles.’

Unplugging from hostility is not a new concept. The fundamental question in this case is, which is worse? Disconnecting for a time and reconstituting with control, or allow an attack to continue while we try to combat it and use the Net at the same time.

This returns to the questions of ‘what is Severe?”

From my view, disconnecting is a must-have option that should be on the table at all times. It makes sound engineering sense. In complex systems, isolation, analysis, repair and reconstitution (reconnection) is the only way. How else can you figure out what’s really wrong and how much damage has been done? Power companies have done it for years. The tacos did it in 1991 when the SS7 switches collapsed. Lasted a few hours.

Should the feds decide to unplug the banks or should the collective wisdom of the Fed Reserve and leading financial institutions make that decision in a defensive step of self-preservation?

The problem I have with the majority of what I hear is the fear mongering of nationalization by technically ignorant politicos with media access and an agenda.

The question should be, “How do we properly plan” for such an eventuality instead of merely spreading unfounded fear.

“Yes, you can afford this mortgage… and we can always refinance in a couple of years…” Expert authority speaks and too damned many people listened. (Someone – a lot of someones need to go to jail for that one.)

Too many people are conditioned to react to authority by cowering to demands, even if they border on or exceed the ridiculous.

“RESPOND TO THIS EMAIL OR YOUR PAYPAL ACCOUNT WILL BE CLOSED.”
“IF YOU DON’T ANSWER THIS RIGHT AWAY YOUR BANK ACCOUNT WILL BE SEIZED.”

The sheep or lemming mentality – whatever you call it, is responsible for the astounding findings that 23% of corporate workers will fall to spear phishing attacks. So, I, as the bad guy, target “YourBank.Com” with 20,000 workers. Statistically, 4,600 of them will fall for my scam.

They might provide personal data; they might respond to the e-mail or click through to the hostile web site.

Worse, they will <Click> on some unknown “REPLY URGENTLY” link and download and install a hunk of nasty software that becomes the beachhead for a massive data breach.

The Intrepidus Group’s study showed a few things quite clearly:

• Intimidation and authority in e-mails work. 23% positive response is insanely unacceptable.
• Current corporate user training is not effective.
• Companies are not practicing penetration studies against people; just technology. Stupid, stupid, stupid.
• People are sheep, and we give them incredible access to information and technology when they are not skilled enough to use it.

What to do?
I’ve done social (human) penetration testing in many forms. I have also gotten my clients to agree to fire at least 10% of the people who fail. Extreme? Yes. Effective?

You bet.

Point is, back in 1987, Congressmen (people?) Glickman and Valentine were the point men on the CSA, Computer Security Act of 1987. (This is the committee that told me cyberwar/terrorism/etc. was a figment of my imagination. Quality folks, there.) One major goal of the Act was called “C2 by ‘92”.

In the old security parlance of the Orange Book, C2 security was good enough for “sensitive but unclassified” information. Big push. Big initiatives. Big goose egg of security tongue wagging.

So, the DHS is downplaying this sensitive but unclassified hack as, “no information can be posted on HSIN that would cause anything more than minor damage to the homeland security mission.”

I am sorry. No, they should be!

Any data leak is potentially monstrous. So, this data was C2. Fine. Then another C2-level hack here and another there… and you glue together all of the data from these hacks and suddenly the amalgamated data is MJ-12 (alien technology) secret.

OK, you get the point.

Data in isolation may seem worthless, but a cut, a snip and a paste later you’ve got yourself a database worth boatloads to the bad guys.

What is even worse, that these days, the flipping DHS can’t practice Security 101 and avoid getting hacked? It’s not that hard… if you let the geeks do their jobs.

I find it immeasurably embarrassing that the guys and gals who are supposed to protect us can’t even protect themselves to the most minimal standards.

Of course the public information doesn’t say whether the situation was caused by a poorly configured machine (of what OS, by the way), unpatched vulnerabilities or the same type of criminal stupidity that allowed the details of Obama’s Helo to get into the hands of the Iranians.

Come on people: every bit of data is valuable. Just cause you don’t see that doesn’t make it true.