METRO Opens Doors, So Employees can take home all the equipment

Recently, a Washington DC prosecutor declined to prosecute a former Washington METRO employee accused of theft. He was found to have taken home nine laptop computers, a power generator, a DVD player, a BlackBerry wireless device, a color printer, a digital camera, lots of tools and a computer monitor. The prosecutor wrote that the absence of enforcement of …

Auditors and Company Policy, Part 2

Back in 2007 I posted a blog entry about catching our auditors violating company policy by putting their company’s computer on our network. Today, a new group of FISMA auditors, same issue. If the auditors were a bit slicker, I’d believe them when they said they were testing our controls for unauthorized computers. (Trust me, this …

Jailbreaking – Unsafe at any speed

Look at me, making Ralph Nader references whether they work or not. Back in July, the US Copyright Office ruled it is legal to jailbreak your iPhone in order to install non-App Store apps or even to unlock the phone to use with another carrier. What does this mean for iPhones used in the enterprise? Just because …

Corporate Fantasyland

Twice today I read “enterprises do this” statements that made me laugh. Over at SANS the handler wrote “Corporates typically block outbound FTP” while describing a Yahoo phishing campaign whose malware was downloaded over FTP. Later I was reading the latest AV-Comparatives report. In the discussion of numerous Sophos false positives, the author says Sophos is used in …

Auditors and Company Policy

It’s always nice when your own auditors follow company policy. We have an external auditor in for the next 6 weeks in order to obtain FISMA certification. At the kickoff meeting, we told the auditors that they were not allowed to put their computers on our internal network, but they were more than welcome to use …

The Paris Hilton DoS

I think the lesson to be learned here is that it’s a good idea to have a maximum message size and to enforce it at all levels. Even a very large limit like 100 MB would have prevented this message from being processed by Exchange, scanned by Trend Micro, and processed by sendmail before being stopped. This could have been really bad for the infrastructure.

Developing an Employee Usage Policy Part 2

My professor posted the following guidelines for creating/evaluating an employee use policy.

Email and Internet Usage Policy

Implementation of sound, well-written policies helps manage risk by defining acceptable and unacceptable forms of behavior and educating employees as to the organization’s expectations concerning their behavior. Organizations can and should expect their employees to act ethically and …

U.S. vs Councilman opens door for admin snoops

The Electronic Frontier Foundation charges that this week’s appeals court decision in U.S. vs Councilman gives your ISP the right to monitor your email. The court opinion is at http://www.ca1.uscourts.gov/pdf.opinions/03-1383-01A.pdf . The defendant used procmail and sendmail to monitor email from Amazon to the booksellers and other email clients that used his mail server. He used a form …