DEC 08 Content Available on Hello Secure World

7/1/2008 2:19:00 PM

Hello Secure World is a website set up by Microsoft to promote Windows security. The Microsoft Business Marketing Organization (BMO) and Tri-Digital worked with us on DEC 08 in Chicago to record some of the more security-related sessions, and they are now available on the HSW site. Start at the main page, sit through the intro (or click the Skip link), and click the "Inside the DEC" link.

IIRC, we recorded 10 of the sessions. Currently four of the RMS-related sessions are available; I believe that the BMO rotates the 10 sessions through the site.

Is this a usable format for you? Would you like to see all of the DEC content recorded this way?


Bank loses tapes with data on 4.5M clients - Network World

6/2/2008 12:23:00 PM

ChangeAuditor Nominated as a Finalist for Best of TechEd 2008 IT Pro

5/21/2008 4:23:00 PM

I just heard today that NetPro's ChangeAuditor was nominated as a finalist for the Best of TechEd 2008 IT Pro Awards. That is great recognition for a product that has been so successful for us and for our customers over the last several years.

When we first defined ChangeAuditor (back in 2002!) it was intended to be an automated change log for Active Directory administrators. Any administrative change you could make to AD, ChangeAuditor would track and record who made the change, when and where the change was made, and what the old and new values were. If you changed an ACL on an OU, or added a site-link, or deleted a GPO setting, or changed an NTDS registry setting on a DC, ChangeAuditor would immediately record the who, what, when, and where (you had to add the why manually).

My favorite customer experience with ChangeAuditor happened during a proof-of-concept installation at A Really Large Semiconductor Manufacturer. Their AD spanned the globe and supported more than 100K users. The AD admin team managed their AD like their lives depended on it, and they had change control processes in place that would make an IT auditor weep with joy. The AD team were justifiably proud of their tightly-run ship, and needless to say, they were absolutely floored when they saw the kinds of changes being made by delegated admins that flew underneath their change control radar. It was an impressive demo.

Since then, ChangeAuditor has grown both in depth and breadth. ChangeAuditor now tracks essentially any change made to AD, administrative or otherwise, and provides a truckload of useful out-of-the-box administration and compliance reports. And ChangeAuditor tracks changes in other platform services as well, including Exchange, SQL Server, and Windows file servers. You can expect support for other core services Real Soon Now (tm).

Congratulations to the ChangeAuditor product team at NetPro for this fine recognition.

If you want to learn more about ChangeAuditor, click here.

Server Core configuration tool from Guy Teverovsky

4/2/2008 10:32:00 AM

I find configuring WS08 Server Core a bit of a pain because I have to use several different (and unfamiliar) command-line tools to perform the normal day-to-day configuration tasks that I do so easily with the graphical tools in a full WS08 install. It's not a big deal; the proper command-line syntax is documented in several places, for instance here, but it can be annoying.

Rafael Dominguez, one of NetPro's Systems Engineers, passed this nifty little tool on to me today. It's a little graphical utility by Guy Teverovsky that supports the most common configuration scenarios, including:

  • Product Activation
  • Configuration of display resolution
  • Clock and time zone configuration
  • Remote Desktop configuration
  • Management of local user accounts (creation, deletion, group membership, passwords)
  • Firewall configuration
  • WinRM configuration
  • IP configuration
  • Computer name and domain/workgroup membership
  • Installation of Server Core features/roles

I haven't used it yet, but I will. Check it out!
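For reference, here are the native command-line equivalents of the scenarios in that list, as an added example that is not part of the original post and not Guy Teverovsky's tool. They are the commands typed into cmd.exe on a Windows Server 2008 Server Core box (which has no PowerShell). The host name CORE01, the domain corp.example.com, the join account CORP\joinacct, the local account svcops, the interface name and the 10.0.0.0/24 addresses are assumed placeholders; display-resolution changes are left out because on Core they are registry edits rather than a single command.

```batch
@echo off
rem Added example: WS08 Server Core configuration from cmd.exe (not from the original post).
rem All names, addresses and the product key below are assumed placeholders.

rem --- Product activation: install the key, then activate ---
cscript //nologo %SystemRoot%\System32\slmgr.vbs -ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
cscript //nologo %SystemRoot%\System32\slmgr.vbs -ato

rem --- Clock and time zone: the classic control panel applet still works on Core ---
control timedate.cpl

rem --- Remote Desktop: /ar 0 enables it. Leave /cs at its default (1) so only
rem     Network Level Authentication clients can connect; /cs 0 weakens that.
cscript //nologo %SystemRoot%\System32\scregedit.wsf /ar 0

rem --- Local accounts: "*" prompts for the password instead of leaving it on the command line ---
net user svcops * /add
net localgroup Administrators svcops /add

rem --- Firewall: keep it on for every profile and open only the remote-management rule groups ---
netsh advfirewall set allprofiles state on
netsh advfirewall firewall set rule group="Remote Administration" new enable=yes
netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes

rem --- WinRM: creates the listener and its firewall exception ---
winrm quickconfig -quiet

rem --- IP configuration: list interfaces to get the name, then set a static address and a DNS server ---
netsh interface ipv4 show interfaces
netsh interface ipv4 set address name="Local Area Connection" source=static address=10.0.0.50 mask=255.255.255.0 gateway=10.0.0.1
netsh interface ipv4 add dnsserver name="Local Area Connection" address=10.0.0.2 index=1

rem --- Computer name: rename, then reboot for the new name to take effect ---
netdom renamecomputer %COMPUTERNAME% /NewName:CORE01 /Force
shutdown /r /t 0

rem --- Domain membership (run after the reboot above): /passwordd:* prompts for the join password ---
netdom join %COMPUTERNAME% /domain:corp.example.com /userd:CORP\joinacct /passwordd:*

rem --- Roles/features: list what is available, then install by package name (name is case-sensitive) ---
oclist
start /w ocsetup DNS-Server-Core-Role
```

The two places where the GUI tool's convenience could quietly cost you security are the Remote Desktop and firewall steps: `scregedit.wsf /cs 0` and `netsh advfirewall set allprofiles state off` both "make things work" and both should stay out of a build script.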

EU Considers IP Addresses "personal data"

10/21/2007 8:55:00 PM

I heard about this through the CyTrap labs Regustand newsletter. Basically, the Article 29 Working Party of the European Commission has carefully read the privacy regulations and issued an interpretation that, among other things, considers IP addresses to be personal data and therefore subject to privacy regulations.

I suppose from a privacy perspective this makes sense, and if you read the interpretation, it is hard to argue with the logic. On the other hand, the only organization that can reasonably identify the person on the other end of an IP address is the ISP that issued it. J Random Webmaster can capture the IP address and some other interesting information about the client, but will be hard-pressed to associate that information with an "identified or identifiable natural person". But the wording of the legislation states that any information "relating to" such a person is "personal data", and IP addresses would seem to qualify. This means that IP addresses are subject to Directive 95/46/EC, which governs the use of personal data.

So does this mean that DHCP logs are subject to the same regulations that passport numbers are? It would seem so. Even in the enterprise? Again, it would seem so.

Yet another thing to add to the compliance effort.

Trust, but verify

10/9/2007 11:52:00 AM

The Gap (a popular clothing retailer in the US) announced last week that one of the vendors they use for personnel recruiting had a laptop stolen. The stolen laptop contained the job application information (including social security numbers) of more than 800,000 people, and the data was unencrypted. (See this press release.)

The Gap had a contractual trust relationship with the vendor, and that trust included an agreed-upon policy that PII storage would be encrypted. Whoever stole the laptop is clearly to blame for the data breach, but the vendor did not ensure that PII was encrypted, and is just as clearly at fault for not adhering to the terms of their contract. But what about The Gap? What is their responsibility in this situation? Well, legally (and I'm not a lawyer, so all the usual disclaimers apply) as I understand it, The Gap is liable for the actions of its vendors. The Gap can't avoid responsibility just by outsourcing. But practically speaking, what could The Gap have done to prevent this situation? The laptop was not under their control, the employees who managed the laptop were not under their control, the employee who managed to get the laptop stolen was not under their control, and the thief himself was not under The Gap's control. What could they have done? Did The Gap practice due diligence with the PII they were entrusted with?

The Gap should have periodically and independently verified the security practices of their vendor. This sort of provision is written into contracts all the time, but usually at the customer's (i.e., The Gap's) discretion. Did they ever audit their vendor's practices? Did they test (or have tested) the vendor's controls? The press release doesn't say, but clearly whatever The Gap did do, it wasn't sufficient. I've never thought of it this way before, but when you add the audit costs to an outsourcing contract, does it still make sense to outsource? Food for thought...

This is a great example of the porous nature of corporate networks today. This compromised data moved from a secure website, through a (presumably) encrypted database, was decrypted and copied to a vendor's laptop (probably through a secure, authenticated connection). The laptop then wandered off into space.

Clearly, the firewall is not the network endpoint we'd like to think it is.

Powered by BlogEngine.NET 1.3.1.0
Theme by Mads Kristensen

Disclaimer

The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.

© Copyright 2008