.: general archive


.: using Google for easy Web hacking
I've known this for some time, but finally have a good post to link. Tom's Hardware has a review of a Black Hat talk about the dangers and uses of Google in hacking.

I firmly believe that famed Adrian Lamo, the "drifter" hacker who performed his hacks using only a web browser and open cybercafe computers, utilized search engines in smart ways to find vulnerable sites.

You can easily do a search for the title of a web admin interface page and come up with potentially unprotected hits. For instance, I once found an open Linksys WRT54G web interface by typing in some combination of text that is found on the admin web interface. Limit a search for "admin" to a particular domain or company, and you might just find pages that some admin thought were hidden because no pages linked to them and they weren't known, i.e. they thought obscurity was enough security.

Just think, using Google to look up default and running VNC installs open to the public...just connect and 0wn.
.: microsoft port list
I did not know this, but it turns out Microsoft keeps a list of all the ports that various MS services use. This list is available for download as an Excel spreadsheet from the Microsoft site.
.: windows startup locations list
The list is kinda long, so I'll just link to it at PacketStorm.
.: turn off ssdp and upnp
Universal Plug-n-Play has been a nightmare of a vulnerable and useless service running by default on Windows XP systems. Patches have come and gone, but still, this service, coupled with SSDP, is simply useless and volunteers far too much information for prying eyes, as it readily displays the OS of a target machine to a hostile probe. Turning off the SSDP service in Windows XP also turns off the UPnP service, and this should be part of a base install configuration set. NIST standards include disabling SSDP as part of their XP procedures.
.: the art of war
A translation for The Art of War online. Another book that I should get, but I just don't know which version to pick up... I may just read this one, formulate my own conclusions and gain my own insight from it before picking up a book that expounds on the principles for me.
.: insider threat papers from the .gov
Two papers popped up as mentioned on another site I visit. First a paper discussing a number of insider security incidents over the past 8 years involving about 26 insiders at financial institutions. Second, a 4 year old paper from the DoD outlining means of mitigating insider threats.

Snippets shamelessly snagged from the other site in regards to the first paper:

"- Most of the incidents in the banking and finance sector were not technically sophisticated or complex. They typically involved the exploitation of non-technical vulnerabilities such as business rules or organization policies (rather than vulnerabilities in an information system or network) by individuals who had little or no technical expertise. In 87% of the cases the insiders employed simple, legitimate user commands to carry out the incidents, and in 78% of the incidents, the insiders were authorized users with active computer accounts.

- The majority of the incidents (81%) were devised and planned in advance. Furthermore, in most cases, others had knowledge of the insider's intentions, plans, and/or activities. Those who knew were often directly involved in the planning or stood to benefit from the activity.

- Most insiders (81%) were motivated by financial gain, rather than a desire to harm the company or information system.

- Insiders in this report fit no common profile. Only 23% held a technical position, 13% had a demonstrated interest in hacking and 27% had come to the attention of a supervisor or co-worker prior to the incident.

- Most of the incidents (83%) were executed physically from within the insider's organization and took place during normal business hours."
.: tcp/ip illustrated vol. 1
The book TCP/IP Illustrated Vol. 1 is available online. Note that this is an older book, dating from 1994, and it is also not for the faint of heart: it skips past the high-level view of TCP/IP and digs right down into the nuts and bolts that make it work, in conjunction with real-world illustrative examples (hence the book name!). I should read this volume at some point, but maybe not quite yet, until I get some more sniffing experience under my belt.
.: quick networking rundown
This article is a very quick-shot laundry list of many network terms and items. The whole presentation makes my head spin because the author goes through each one in bambambambam rhythm, but still a nice little bit to read through in pieces.
.: 180solutions spyware/malware
Stole a bunch of links from another site describing some new spyware that adds some network traffic and unwanted ads on users' desktops and networks. 180Solutions might just hit someone I know at work someday soon.

180Solutions Analysis
Full disclosure at Seclists
Securiteam analysis of 180Solutions trojan
180Solutions : nCase
.: tech books for free - networking and security and more
TechBooksForFree has a small list of free e-books online.
.: cissp quiz and video tutorials
This site hosts a large program containing a small CISSP quiz set and some really cool entry/intermediate-level video tutorials on using some popular and not-as-popular scanning and penetration tools. The videos are free; some tools are linked off the site. The videos use the "tscc" TechSmith Camtasia codec, so that might need to be downloaded.
.: cissp training webcasts
Shon Harris is featured in a full series of CISSP training webcasts on SearchSecurity.com. These are free; although you have to supply information to start the link, there is no requirement to supply legit information. Seems to work better on IE than Firefox. Webcasts are about 60 minutes each.
.: Maturing of the Internet: Of Spam and Spyware
Now the 50-year-old Seemayer is once again on the cutting edge: Sick of spam clogging his in-box and spyware and viruses crashing his system, Seemayer yanked out his high-speed connection.

"I'm not going to pay for something that I can't use," he said.

A small but growing number of frustrated computer owners are coming to the same conclusion. They're giving up or cutting back their use of the Internet, especially at home, where no corporate tech support team will ride to their rescue.

Article is here

About 4 years ago the IT community hit a glut of new IT folk, many of whom didn't know what they were doing, as exponentially proliferating computers and broadband made a "computer expert" out of thousands and thousands of casual computer users every month. Now, the point of this article rings a very true note as I know people personally who are online less and their taste for things Internet related has soured, all due to Spam and Spyware. As people have hit the net in droves, so too have the vultures and the advertisers followed. Unfortunately, Microsoft's products (namely IE) were not engineered for such scales of economy...the holes were too big, and it only took time and a large enough marketplace for those holes to become so big and pervasively exploited that it is starting to backlash and drive people out of the niche.

I guess on the one hand it is good to see this trend, because it just means people like me are that much more practical today. Where once there was a geek that could help out now and then, people like me will soon become as necessary as white blood cells protecting a biological body. Fallout like this also scrapes off the chaff of the IT sector, leaving a hardier and overall better-skilled workforce to forge ahead into this maturing medium.

This backlash can only be temporary. The Internet is far too powerful a tool and even an integral component of life, especially for younger people. This won't last, but is just part of the growing phases... The Internet as a means of communicating, expression, information gathering and sharing, expanding marketplaces... There are times when people take a step back from consumerism and all the gadgets and toys of life, and some of them get back to being simpler, being happy in simplifying. But sometimes, some tools are just too life-changing, world-altering, that they can't just be dropped in the name of simplification...much like the steam engine, cars, airplanes, telephones.

...
There is a group at Best Buy called the Geek Squad who are available to help consumers with their computer questions and problems. However, I think there is still a very strong market for someone much more specialized: security persons. I think people can work their way into putting together printers and home networks by utilizing corporate support through vendors. However, there are few ways to "learn" how to deal with spam, spyware, adware, viruses, and malicious users/worms bouncing digital flak at their always-on broadband connections. There are few ways for people to pull themselves up out of the clutches of all this garbage and still be productive and efficient with their time and investments online. Getting a printer online is one thing, but confidently securing a home network and family is another.

.: analysis of an intrusion
This article details the tools used and the conclusions drawn from an intrusion into a system the author administers. Just nice to see tools and analysis in action.
.: Sed quis custodiet ipsos custodes?

.: Prolexic, zombienets, resources
Read an amazing article about defeating DDoS attacks. The main subject of the story went on to found Prolexic, a DDoS protection company which hosts a nice page of information about zombies and DDoS found here.
.: myths about security and passwords
This post is an interesting viewpoint on myths about security and passwords. Most "out-there" is the opinion that changing passwords regularly is now dead and does not enhance security at all.
.: how to bypass bios passwords
I've long kind of had an idea that makers would put backdoor passwords into BIOS implementations, but never really looked into it. Then I happened upon this posting one day which lists a lot of backdoor passwords for various BIOS platforms and versions. Pay particular attention to the mention that some BIOSes lock themselves after a few incorrect attempts, so be cautious. I've not tested any of these, but it would be very fun to play with.
.: managing the prefetcher
Not many people realize there is a component to Windows XP called the Prefetcher. Even fewer desktop/system support people realize the significance of it. This prefetcher for Windows keeps a cache of a lot of programs downloaded by Windows, and acts independently of IE. So if you clear your cache in IE, your downloaded files might still be found in the prefetcher. Most people are tipped off to this location only after a piece of malware has been downloaded (automatically or by accident) and a copy was saved in the prefetch area of Windows, generating an AV alert pointing to this location. This short link is a start to managing the prefetcher cache.
.: create own services in windows
Creating services in Windows is one of those frustratingly annoying things that many people would love to do, but is typically difficult to find information on how to do it. In fact, you can't really do it unless you're a programmer or you have some extra tools from Microsoft. I guess this prevents every John Doe Idiot from completely screwing up their computers with crappy service lists. I am happy to have found this quick post on how to create your own services.
.: external attacks - overview
This is a monster article on external attacks, largely from the point of view of Linux since it appeared in a Linux magazine. Many books cover this entire spectrum in hundreds of pages, but this article condenses it down nicely, although it is really packed with info.
.: malware analysis: attacking the attackers
Malware is an amazing little hobby to have, and these two papers cover malware analysis brilliantly.

part one
part two
.: netbios null sessions
NetBIOS Null Sessions are elementary and a first stop for anyone performing system recon. They should always be turned off, and this link is a nice reminder of the issues, the dangers, and the fixes.
.: insertion, evasion, and denial of service
The paper, Insertion, Evasion, and Denial of Service: Eluding Intrusion Detection, is the definitive guide to beating IDS and has been the foundation of IDS attacks ever since. I must read this sometime, for historical reasons and more.
.: dns cache snooping
Having just watched Dan Kaminsky's Black Ops of TCP/IP 2005 presentation that he gave at the 22nd Chaos Communication Congress, I have a couple links on DNS snooping, which he (in typical Kaminsky fashion) utilized in creative ways. First, a paper on DNS cache snooping. And second, a site on how DNS snooping actually works.
.: logparser site and book
I should get the Log Parser book sometime, as it goes over the material on this site about the Microsoft logparser tool. This should be useful for performing ad hoc and maybe some scripted queries against single logs or groups of logs.
.: defeating a dos attack
SANS has a bit on defeating a DoS attack. They also have a webcast I'd like to check out on the same topic.
.: checkmate forensics blog and links
There is a fairly new blog out called Checkmate that deals with forensics and other things security. Here are some choice pieces to check out so I can catch up:

rainbow tables
timestomp
xp's built-in spyware
userassist
apache and squid logs
.: sql injection examples
A thorough examination of sql injection attacks using examples.
.: anatomy of an attack
A SANS Tool Talk Webcast: Anatomy of an Attack.
.: illustrated guide to crypto hashes
Illustrated Guide to Cryptographic Hashes
.: information overload

Information Overload. Kind of hard to admit that I am nearing that point, since I completely love learning things and absorbing knowledge. But the IT, techie, world has been doing that to me lately...really kicking my ass. I want to learn so much, catch up on things over the years that I missed because I wasn't a packet geek or into coding as a child (yeah, right!). I have an entire different part of this site dedicated to postings and news and links and tidbits of knowledge that I have happened across in the past few years (I keep these separate because, well, it's just for me). I have a huge list of bookmarks in my web browser that are "pending" things to check out, usually tools, large sites, or long papers that I didn't have time to fully deal with back when I was made aware of them. I have dozens upon dozens of books that are half-started or not yet read...as if just owning them means I can somehow claim the knowledge locked away.

I don't have enough hours in my day, enough days in my life, to learn all this stuff like I want to learn it. That's frustrating beyond belief.

Couple this with my recent soul-searching about my career. I love my career to date and where it is going, but I've had some thoughts that maybe specializing a bit more would be beneficial.

While working on "that other" part of my site that will remain mysteriously locked away, I have realized that my categorizing of information is almost manic at this point. It is still a mess and I'm not happy with having all this knowledge in front of me and just not having the time to get to it. Maybe I should specialize that too?

It kinda makes sense, but while I am happier to do this with my young career, I'll likely not adopt that quite too soon with my thirst for knowledge...but I certainly need to slow down and instead of blitzing this realm, to sit back, clear off the desk, and focus on a few things at a time and truly enjoy and experience them.

.: pictures from cdc2005
Link to pictures of the CDC 2005 event at Iowa State University. The CDC is the CyberDefense Competition held at ISU where teams of students attempt to defend their networks against a team of attackers (usually area professionals) over the course of an entire weekend. The event is reminiscent of Defcon's Capture the Flag, but with a much more instructive mentality. I wish we had this much stuff in this field at ISU back when I was a student! A version of this is also being held annually where high school teams are the defenders and college students are the attackers.
.: cissp study guides
This link I have not tried recently, but I believe these are still free study guides for the CISSP and should still be pretty informative. I read one or two about a year or more ago, and filed away the link for a time when I could more fully pursue the CISSP. I believe these are from Shon Harris and hosted by this site as a sponsor.

Of note, Shon Harris also has CISSP training that you can pay for and attend.
.: chief espionage officer
Want to become a Chief Espionage Officer?
.: cnn on laptop security
Wow, I never thought I would see an article on CNN.com that had some technical merit! CNN questions laptop security and why exactly is sensitive data finding its way to mobile devices in the first place? Excellent question!
.: the invisible things blog - blue pill / red pill
Blue Pill and Red Pill are part of some new research into hardware abstraction and virtualization where a system can be fully controlled by an attacker if he/she can get an abstraction layer between the OS and the hardware...well, then it's game over. Thankfully, this is not easy and does require physical access. Nonetheless, cutting-edge creativity is quite interesting.
.: email header discussion
Email headers are a simple thing, but when you're in a bind and needing to read one or more, they can sometimes be such an annoyance. This paper is a full-blown discussion on email headers and what they mean. Quite a nice read, to be honest.
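As an added example (my own code, not from the linked paper), here is the part of header reading that is most annoying by hand: walking the Received: lines in delivery order, pulling out the observed IP of each hop, and flagging hops where the HELO name does not match what the receiving MTA saw. The message is constructed sample data using documentation address ranges; the "suspicious" heuristic is an assumption, not a rule from the paper.

```python
"""Walk the Received: headers of an email message in delivery order.

Each MTA prepends its own Received: line, so the topmost header is the
last hop and the bottommost is the origin. Constructed sample message below.
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: three hops, origin claims "winbox" but the relay saw
# an unresolvable host at 203.0.113.42 (a documentation address).
SAMPLE_MESSAGE = """\
Received: from mx1.example.org (mx1.example.org [192.0.2.10])
\tby mailstore.example.org with ESMTP id abc123
\tfor <alice@example.org>; Mon, 1 May 2006 10:02:13 -0500
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx1.example.org with ESMTP id def456;
\tMon, 1 May 2006 10:02:10 -0500
Received: from winbox (unknown [203.0.113.42])
\tby relay.example.net with SMTP id ghi789;
\tMon, 1 May 2006 10:01:55 -0500
From: "Friend" <friend@example.com>
To: alice@example.org
Subject: hi

body
"""

HOP_RE = re.compile(
    r"from\s+(?P<claimed>\S+)"          # name the sender gave in HELO/EHLO
    r"(?:\s+\((?P<observed>[^)]*)\))?"  # what the receiving MTA actually saw
    r"\s+by\s+(?P<by>\S+)",            # the MTA that wrote this line
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Parse one Received: value into a dict, or None if it is not a from/by hop."""
    flat = " ".join(value.split())  # unfold continuation lines
    m = HOP_RE.search(flat)
    if not m:
        return None
    claimed = m.group("claimed")
    observed = m.group("observed") or ""
    ip = IP_RE.search(observed)
    timestamp = None
    if ";" in flat:  # the date always follows the last semicolon
        try:
            timestamp = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            timestamp = None
    # Heuristic (assumption): a hop is worth a second look when the receiving
    # MTA could not resolve the sender or the HELO name is absent from what it saw.
    suspicious = bool(observed) and (
        "unknown" in observed.lower() or claimed.lower() not in observed.lower()
    )
    return {
        "claimed": claimed,
        "observed": observed,
        "by": m.group("by"),
        "ip": ip.group(1) if ip else None,
        "timestamp": timestamp,
        "suspicious": suspicious,
    }


def trace_hops(raw_message):
    """Return the parsed hops in delivery order: origin first, final MTA last."""
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops = [h for h in hops if h]
    hops.reverse()
    return hops


def originating_ip(raw_message):
    """IP observed by the first MTA in the chain, i.e. where the mail entered the relays."""
    hops = trace_hops(raw_message)
    return hops[0]["ip"] if hops else None


def timestamps_in_order(hops):
    """True when every hop's timestamp is at or after the previous hop's."""
    stamps = [h["timestamp"] for h in hops if h["timestamp"] is not None]
    return all(a <= b for a, b in zip(stamps, stamps[1:]))


if __name__ == "__main__":
    for i, hop in enumerate(trace_hops(SAMPLE_MESSAGE)):
        flag = " <-- check" if hop["suspicious"] else ""
        print(f"hop {i}: {hop['claimed']} ({hop['ip']}) -> {hop['by']} @ {hop['timestamp']}{flag}")
    print("origin:", originating_ip(SAMPLE_MESSAGE))
```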
.: blue security and prolexic knocked off by upstream attack
I have a ton of respect for Prolexic and what they offer to our world. But the spammers and botnets have waged a mini-war against Blue Security and anyone who seems to assist them. But instead of directly attacking Prolexic, a botnet was leveraged against upstream DNS servers for UltraDNS. Wow, just wow. This is the sort of cyberwarfare that is coming or already here where masses of zombied computers are wielded. So far much of this has been individual hackers or groups with personal beefs, but much like phishing and virus attacks, I expect things like this to take a much more organized and sinister turn in the next 4 years.
.: security awareness posters
Sometimes you just need to inject some "security awareness" points into your training program. "Protect Your Workplace" posters from the federal government are an inexpensive and easy way to start.

And search this page for the security calendar.
.: the noc water cooler topics
It is interesting to see the trend of what is hot in security and networking and sysadminness. The turn of the millennium brought in virtualization, and a few years ago Metasploit broke onto the scene in a big way. Wireless and mobility have been amazingly hot in the last 6 years as well. And now that web apps are being developed by everyone, web app testing and security is catching up. In all of this, I thought it would be nice to keep track, for my own purposes, of the hot topics at periodic times of the year just to see where things are moving and shaking.

1. web application / layer 7 security / fuzzing - driven by a huge focus in the past 8 months on MS Office vulnerabilities and browser exploits.

2. mobility - driven by laptops being used and lost in the field, prompting a huge number of disclosures of lost information that questionably should not have been outside the corporate/gov't environments anyway.

3. disclosure and identity theft - Just about everyone has been joining the disclosure bandwagon whether they like it or not, from the VA, Deloitte and Touche, and many universities (poor edu's will always have a tough open vs secure battle). This will only get worse and hopefully soon the media stops waving each one that happens.

4. botnets and ddos - Blue Security wanted to beat spammers by spamming them. Instead, Blue Security got DDoSed so hard, they are now out of business and have thrown in the towel. Botnets have been widely reported in the past couple years, but they still seem to grow and remain huge and potent.

5. wireless - wireless is just waiting to blow up, with hotspots getting more common and big companies with secret plans on widespread wireless for the masses. Since wireless is still hugely exploitable and fun to mess with, this is just waiting for a huge backlash and a huge outbreak in personal systems being exploited over wireless. Home users haven't been this vulnerable to being rooted since NAT was hardly used on broadband connections. This is an area that is also just waiting to explode with use and companies and widespread access.

Mentions and tools: Metasploit is still hot and HD Moore is one of the biggest names in security right now; virtualization is still hot; Office and IE are getting hammered with exploits which is keeping Microsoft very busy; LiveCDs are all over the place now, joining the awesome Knoppix (BackTrack owns).
.: metasploit malware search
You can search for malware using Google, right down to infected sites inadvertently sharing out malware code (executables). Damn cool stuff, and damn cool site. Search for "Bagle" for a good example.
.: sans packet challenge
I need to check this out sometime. The packet challenge at SANS is not a regular thing, I think, but could still make for an interesting exercise for me. Bejtlich posted a couple links to answers here and here.
.: reverse engineering khallenge
The folks at F-Secure put up this series of exercises in reverse engineering and called it a khallenge. Sounds like a fun way to get into reverse engineering a bit, someday. If I get stumped, might be able to find some hints around this blog.
.: office metadata and forensics
A post over at SecurityFocus went over Microsoft Office forensics and some things to do to enhance security, most notably privacy. Because Office is so universally used, I've found that many people, techie and non-techie both, want to put their heads in the sand about issues with Office. They just don't want to hear about the issues, even as malicious persons have begun poking at the apps and more and more data is disclosed on the web and search engines.

I've long wanted a concise and listed set of items to check on and change when dealing with metadata in MS Office Word documents. Now I have it!

Update: Here is another link dealing with pesky lingering Office data that shouldn't be there.
.: ntfs alternate data streams
Quite an ingenious, simple little method to hide files on an NTFS disk: alternate data streams. This article on Security Focus makes it look a little more difficult than it is, due to the author going through the effort of describing breaking into a machine to set an ADS on a few hidden files. LNS and LADS are two tools to scan a disk for ADS...although they are certainly not swift in their scans.

Update: An ADS tutorial from STC
.: secure usb drives
Just a quick listing of some secure USB drives that use hardware encryption and are recommended:

mtrust mdrive 500
kingston data traveler elite - privacy edition
verbatim store'n go corporate - secure
.: mocbot analysis
This is an analysis of Mocbot from LURHQ. Especially interesting is the follow-up on the Spammer that this new variant downloads, as well as the graphic showing which antivirus companies properly detected the malware. I wonder if the only ones detecting are the heuristic scanners and not the signature-based scanners...?
.: sandnet for malware
Not sure what to make of this yet, but sounds like an awesome little tool. Lurhq pimps this as a "sandnet" where you can run malware and it will even get its own little "internet" to play with if it chooses to connect out. Sweet action!
.: unwanted remote control sites and apps
It really sucks when users think they're being cute by utilizing remote control services to connect from home to work or work to home PCs. These just are not cool, especially when used without permission. I always forget the sites, though, so this will start my list of sites to blacklist on firewalls/web filters whenever I set any up. These are not wanted in the corporate sphere.

GoToMyPC
LogMeIn (and secure.logmein.com)
Hamachi - p2p?

Hamachi is a particularly scary thing, but like Skype, it should require a common mediation server to get the two endpoints together, and therein lies a single point of denial on firewalls. Either way, novel idea, and something I'd like to check out on my own. If even the mediation is peer-to-peer, we should be marking the app as a highly bad app, kinda like an irc client...

Foxy Proxy has some excellent tutorials as well as the proxy stuff.
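As an added example (my own code, not from any of the services above), here is a small check that turns the blacklist idea into detection: match destination hosts in a web filter log against blocked domains by suffix, so that secure.logmein.com is caught by a single logmein.com entry. The log format and the log lines are constructed samples, and the gotomypc.com and hamachi.cc domains are assumptions; only secure.logmein.com appears in the post.

```python
"""Flag web-filter log lines whose destination host falls under a blocked domain.

Matching is by DNS label suffix: an entry for logmein.com covers
secure.logmein.com but not notlogmein.com. Constructed sample log below.
"""
import re

# Domains for the services named in the post. gotomypc.com and hamachi.cc are
# assumed here; secure.logmein.com is the one hostname the post actually gives.
BLOCKLIST = {"gotomypc.com", "logmein.com", "hamachi.cc"}

# Assumed log layout: "<epoch> <client> <method> <url-or-connect-target> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"
)

# Constructed sample lines (not real traffic).
SAMPLE_LOG = """\
1155000001.123 10.1.2.3 GET http://www.example.com/index.html 200
1155000002.456 10.1.2.3 CONNECT secure.logmein.com:443 200
1155000003.789 10.1.2.9 GET http://www.gotomypc.com/ 200
1155000004.012 10.1.2.9 GET http://notlogmein.com/ 200
1155000005.345 10.1.2.7 CONNECT updates.hamachi.cc:443 200
this line is garbage and must be skipped
"""


def host_matches(host, blocklist):
    """True when host equals a blocked domain or sits under one."""
    labels = host.lower().rstrip(".").split(".")
    # Walk suffixes: a.b.c -> a.b.c, b.c, c; label boundaries prevent
    # notlogmein.com from matching logmein.com.
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def host_from_url(url):
    """Pull the host out of a URL or a CONNECT target of the form host:port."""
    if "://" in url:
        url = url.split("://", 1)[1]
    host = url.split("/", 1)[0]
    if "@" in host:  # strip userinfo if present
        host = host.rsplit("@", 1)[1]
    return host.rsplit(":", 1)[0] if ":" in host else host


def find_remote_control_hits(log_lines, blocklist=BLOCKLIST):
    """Return (client, host) pairs for every parsable line that hits the blocklist."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than crash the sweep
        host = host_from_url(m.group("url"))
        if host_matches(host, blocklist):
            hits.append((m.group("client"), host))
    return hits


def clients_by_service(hits, blocklist=BLOCKLIST):
    """Group offending clients under the blocklist entry they matched."""
    grouped = {}
    for client, host in hits:
        labels = host.lower().split(".")
        entry = next(".".join(labels[i:]) for i in range(len(labels))
                     if ".".join(labels[i:]) in blocklist)
        grouped.setdefault(entry, set()).add(client)
    return grouped


if __name__ == "__main__":
    hits = find_remote_control_hits(SAMPLE_LOG.splitlines())
    for entry, clients in sorted(clients_by_service(hits).items()):
        print(f"{entry}: {', '.join(sorted(clients))}")
```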
.: windows countermeasures and threats
This link goes to a Microsoft doc about Windows XP Countermeasures and Threats. Of particular interest, Chapter 7 makes an excellent reference on the services that Windows XP has, and whether they are necessary or not. Disable them if they are not necessary.
.: defcon 14 and black hat 2006 papers
I've already gotten them, but this will just be a placeholder position for links to this years defcon 14 and black hat 2006 papers.
.: guerilla interviewing
This was a nice read about job interviews. I believe Google also did this sort of interview tactic, especially the "impossible question" part. The biggest takeaway from this for me is the Smart and Gets Things Done. I think this is something I, and many people I know in IT, lose sight of sometimes. Get things done.
.: security pet peeve #1

May as well get this one off my chest early, and try to keep it short and simple. I really dislike when people spit out that "security through obscurity is worthless." I've read this a lot and heard it in person a lot too, but it is often misused. What is really meant is "security through obscurity alone is worthless." Defense in depth benefits from security through obscurity. In a way, one could argue that passwords and theoretically reversible encryption are just harder-to-guess security through obscurity. The biggest benefits of security through obscurity would be twofold:

1) Eliminate a lot of the casual kiddies and scripted attacks. Running a vulnerable web server on port 1800 does not make the web server less vulnerable, but does limit all the scripts and kiddies who only look for web servers on port 80. You can at least limit your threat exposure.

2) Force determined threats into expending at least a little bit more energy and time to find the obscurities and work through or around them.

Alone, though, security through obscurity is more of a false sense of security than anything. Even though the above two benefits are still there, no one should ever sit back and breathe easy by having security only through obscurity.

(Points for me to think about: Does this mean brute-forceable passwords and encryption is, in the end, worthless? Where easy passwords and DES were years ago "unbreakable" they are now accepted as flawed...as processors continue to speed up, will today's standards eventually be scoffed at the same way? What can stand the test of time, biometrics? Or are passwords or at least encryption the standards we will always have to live with? As long as we have networks that have to communicate and trust, will there always be hashes or an exchange of keys that at some point is vulnerable?)

.: prove it

I just received email from a vendor I have dealt with in the past, ScriptLogic, whose simple tagline got me thinking: "Can you prove your IT environment is safe?"

I think I need to post that in my workspace at home and use that question as a basis for what I do in security as I move forward.

.: security pet peeve #2

"Well, you know, it's a toolbox, I don't care. You put the tools in and do the job, that's all." - Sam, Ronin, when asked what kind of gun he favors.

This is not so much a security pet peeve as it is a general geek pet peeve. I really do not mind discussions about operating systems and the benefits and drawbacks of each, but the eventual bashing and impassioned arguments that can result from talking about Windows vs Mac vs Linux vs Debian vs OpenBSD are amazingly unnecessary and unwanted.

When it comes down to it, the biggest factor in the security of each OS lies in the operator. I think they each have their own place. And I dislike seeing a Windows user completely refuse to learn Linux just as much as I hate seeing a Unix/Linux user be completely useless in Windows.

And let's face it. All of these are going to be part of a security or IT person's life at some point and we'll have to at least be exposed to Macs, Windows versions, Linux boxes, etc. So basically live with it, and move on. My current job is 99% Windows, but my last job had a couple Macs, many Windows boxes, and some of our critical infrastructure systems were Linux (firewalls, DNS servers, monitoring servers, syslog...).

On a more personal note, I have used Windows versions since 95 (all but ME) and still run Windows XP today for the most part, pretty much just for easy wireless and World of Warcraft. However, I love tinkering and learning Linux versions (especially security live cds) and my next computer purchase will be a Macbook Pro. Someday after I get my Mac, I will convert a third oft-used laptop or desktop to be a permanent and oft-used Linux box so that I can really learn that as I also learn Mac. Eventually, I want to use Linux or Mac full-time, and only move to Windows for my work machine (most likely anyplace I work will provide only Windows XP, I bet), for gaming, and just to keep current on Windows (such as when Vista releases). Of course, my lab will always have a number of Windows boxes performing various roles.

I applaud how far Apple and especially Linux have come over the years to bridge the gap so that the only things I will not be able to carry over to Linux from my Windows world will be games. Even wireless is getting to be easy enough...

.: security catching up to hot technology

DefCon and Black Hat have become the premiere security events of the year. Not only are they amazingly fun and informative, but some of the biggest security and insecurity news of the year is now coming out of the minds of those in the culture.

In the last couple years, the dotcom bust gave way to the slow maturation of web-based application delivery, and it is now shooting off quite rapidly. Web-enabled apps have been the buzzword in development for the past two years. In addition, the browser wars with phishers, spammers, and scammers have heightened, and browsers are more and more under the guns and fuzzers.

And now, it's happened. Javascript has been demonstrated to be able to not just screw with a local system, but also penetrate the local network that system is on.

Wow.

Ha.ckers.org made an excellent post that beats anything I could say. But I will add that if someone has presented it to us now, there is little doubt that these techniques have already been in use by the underground.

.: a checklist of windows tools

It is a statement about the security of Windows that I have a series of apps I install on any personal Windows XP build that I perform, just to secure it more. I won't leave home naked, and a Windows box by default being naked exemplifies what is wrong. I was going to post them for my own edification, but have decided to expand this to a listing of some of my favorite tools that I pretty much have on any XP system I build.

First, the initial security, after patches. I use ClamWin Antivirus because it is free. I use a cracked version of Sygate Personal Firewall instead of the XP firewall. I have also recently started trying out an app called WinPooch for digital integrity, ala Tripwire only free (I expect this to be bought up). I also install Mozilla Firefox and Thunderbird (with Enigma for PGP), not so much for esoteric purposes as for security purposes anymore. While investigating a friend's hijacked AIM account two years ago, I discovered a version of the HTA exploit in IE (still unpatched, I think), and thusly conversed with the hijacker directly about it before getting my friend's AIM account back. Since then, I've never trusted IE at all. That was the breaking point. The only way to notice or stop that web-based attack against IE was to be running a personal firewall, at the time Zone-Alarm. Otherwise IE was rootable with no user intervention or notification.

In other apps, I have moved from my purchased version of Trillian over to Gaim, due mostly to having used Jabber in my last job, which Trillian was slow to adopt. I use a pirated copy of Microsoft Office 2003 (includes everything: Visio, Word, etc.). I always move over a bunch of Sysinternals tools as well (PsTools, Process Explorer, TCPView, Regmon, and Filemon). A cracked version of WinZip 9 gets slapped in pretty quick, as does a free copy of Winamp (classic mode, please). WinDump, WinPcap 3.1, and Wireshark also get installed.

If it is a wireless laptop, I always throw in NetStumbler and Cain. If I am at a wireless hotspot, you can bet I am running Cain in the background (and for this reason I am very aware of what I myself do at hotspots, because I'm not some special hacker, I'm a regular guy, and if regular guys play with gleaned MySpace and email accounts...).

After that, my toolbox gets a bit more murky depending on the uses for the particular box, but pretty much all of the above are part of the 'settling in' process for a new system. As for my few cracked products, someday, once I am out of the 'cash-strapped college boy' phase and into a solid, fair-paying job that keeps me happy, they may all be replaced with legit copies.

.: trying to hold sand

I've been pretty conscious lately of where my personal information goes. I've been interested in staying anonymous for a blog and mailing lists, so my mind is kinda turning that problem over. In addition, with this year's heightened problems with identity theft and disclosure of personal information from places like the VA, every time I fill out a web form my mind flitters over the thought that here is yet another place my personal information resides, ready to be indexed, stored, stolen, and used.

Just yesterday I submitted a job application to a company in the Seattle area, and at the bottom was a credit report disclosure form complete with social security number field. I immediately glanced up and noticed that the site had no SSL functionality on this particular form. I was a bit annoyed, but at least I was completing this form from my home network. If it had been somewhere else, I would have fully aborted that half hour of effort.

I order books online and provide credit card numbers. I renew my World of Warcraft account online, and there is more information. I submit less information to many sites that require logins, including job sites and corporate sites that want me to log in just to store my resume (so they say). All of this is like trying to hold so much sand in one hand...just think, all it takes is the least secure online store to be broken into and the data siphoned away...such as that site I ordered incense from recently. I wonder if that non-chain, local store has a security guru making sure their site and data are secure?

In the end, I just become more sympathetic to removing the "convenience" of sites "remembering" my account information so I don't have to put it in again for subsequent purchases I may or may not make. I think data retention of that nature should be disallowed, and transaction logs in databases expunged on a regular basis or just stored on offline, secured media. If I only had to worry about the actual transfer of the information from my system over my network, my ISP, and the Internet to the vendor, I would feel a lot better than I do having account, login, and payment information stored by said vendor... How often do I let a restaurant keep a copy of my credit card and signature so that I can realize the convenience of not having to reach into my pocket to get it out, wait for the return of the waitstaff, and sign the slip?