As we all know, online shopping is nothing new but as its popularity continues to grow so does the malicious threats that can occur during your shopping experience.  That is why we want to provide you with some reminders and tips on how to make you’re online shopping a safer experience.  We also encourage you to share these tips with your family who may make online purchases too.

There are a few simple precautions you can take to further secure yourself before you make your online purchases.  First make sure you have a web filter in place that will warn you of suspicious websites. Keep your web browsers up to date too. Often times the site you are shopping on is legitimate but if your computer is infected with keyloggers and other malicious viruses you can run the risk of your credit card data being stolen.

It is always best to shop at familiar websites but if you are looking at products or services from an unfamiliar sight do a little research before you begin; find out what other consumers have to say about the store or seller.  Epinions.com and BizRate.com give customer evaluations that may help you determine the legitimacy of the company.  It is also a good idea to review the website for the BBB and or TRUSTe approval icons.  Be sure to click those icons to ensure that they take you to those accredited sites and that you can find the companies name within their listings. Often times harmful sights will display the graphic with no link so be aware.

Remember, before entering your personal data and credit card information check the connection of the website out to make sure it is encrypted. The URL will start with (http“s”) and also look for the padlock icon in the address bar or right corner of the window.  Be aware of any warnings that your computer gives you regarding the security certificate of the site, when in doubt find somewhere else to shop.

Keep in mind when choosing a payment method it is always best to use PayPal if it is an option, that way your credit card and bank account information will not be shared with the merchants and sellers. PayPal will also protect you against fraudulent charges and if there are problems with your purchases. Once your purchases are made it’s always a good idea to check your bank accounts and credit card statements to ensure the proper amount was charged; if the charges are wrong contact the website where your purchases were made immediately along with calling your  Credit Card Company to inquire about a “charge back”.

We hope that by keeping these tips in mind that you will continue to enjoy shopping online and are more secure in doing so.

Well who better to ask about tech gifts or gadgets than the tech guys themselves? Here at Savid we are always interested in finding the coolest and latest tech gadgets out there. So to help you out this holiday season we have put together our 2011 Holiday tech gift guide to help you with your shopping.

Get ready this will be a quick shopping trip and you will never have to leave your comfy office chair! Our engineers have these items on their shopping list this year and we are sure they will make someone happy on yours.

• The new Kindle Fire at a great price for just $199! There’s much to do, view movies, TV shows, magazines, songs, and books. Thousands of apps rights at your fingertips view it all on this full color 7” inch screen multi-touch display. Its ultra fast and you even get free cloud storage for your Amazon content, what a great buy. It’s sure to be on someone Holiday list.
• Trent IMP500 iFuel Spare Battery Charger This little gadget is a must have, tired of your battery always losing charge? Well this device can give you the added life your gadget needs, 38hrs of movie time on your iPhone or iPod Touch. It also works on Motorola Droid, HTC Android EVO phones, Kindle DX, Blackberry, and Samsung Galaxy. Not to mention Sony PSP, Amazon Kindle, Nintendo DS lite, DSi and Gameboy with optional adapters. Great price, around $40
• The Kinect Do you want to get someone active this holiday season, well then the Kinect is the right gift for giving. This brings gamming to a new level; no controllers needed it works by your body movement and the sound of your voice.  It’s fun for the whole family and online for $159.
• Boxee TV – This device finds your favorite TV show and movies and puts them on your TV.  But Boxee also allows you to use Apps, and get Social all while setting on your sofa watching TV. There are two ways to get a Boxee buy one or make one. You can purchase a Boxee from the store or make one with their free software using your laptop. Now they even have Boxee for iPad.  Boxee device is pricing around $180.
• Altec Lansing M812 Octiv Air Wireless Speaker System with iPod docking station. This would make a great gift for any music lover. Simply place your iPod in the docking station and kick back and listen as the system delivers 80 watts of powerful high-fidelity sound and better yet, its clutter free, portable, easy to use, and even comes with a remote.  It’s priced around $180 online.
• Sony Internet TV Blu-ray Disc Player This device allows you to play Blu-ray, DVD’s and CDs. You can also connect to the internet and download Android apps as the device has built in Wi-Fi. The player comes with a remote that has a full QWERTY keyboard.  Priced online for $200.
• KeyFolio ™ Pro Universal BT Keyboard Case for 10” Tablets This keyboard was designed for 10” Android based tablets.  The keyboard and viewing angles were designed to be ergonomic. The tablet fits securely in the elastic bands and the corners secure your tablet in place. This gift is great for those who prefer to type on an actual keyboard verse touch screen. You can pick the KeyFolio™ up for around $90.

While I normally post on twitter or our Facebook Fan Page when we have new webinars and whitepapers available for download, we have had requests from clients to post an archive of all of our past content so I spent the last couple of days working with our marketing team to encode, upload, and categorize a bunch of the webinars and whitepapers we have been building.

We are only about 25% done but the list already has some great topics such as Mobile Application Security, Virtualization Security, and Risk Assessment Best Practices so go and check out the Webinars and Whitepapers

My friend, Lance Spitzner, founder of the Honeynet Project, has launched a new blog on securing the human. Lance focuses on providing quality cutting edge security awareness programs to private companies.

Lance does fantastic work. Go read his blog!

So I was talking with a client last week and they mentioned that they haven’t seen any new blog posts from me in a while. I said that was weird because I had just posted yesterday.When i get back to the office, I go online to this site from another PC and low and behold, no blog post.

Apparently, I was logging into and using our beta site because I had my hosts file specifically pointed to a different server that hosted our beta site. So…there are a bunch of blog posts that you will see coming that were actually posted months ago!

Bruce Scheiner is talking about a great post at the Boston Review about the new age of cyber-warfare, and how cyber-warfare is greatly exaggerated. I couldn’t agree more. Granted, the US government has a cyber-warfare problem. All governments do, however, the bigger problem that is more real today is cyber-crime. I spoke at the Federal Reserve last week on this exact topic.

Small businesses are now being targeted because they have more money in their accounts and it is easier to transfer larger sums of money out of their accounts without fraud detection going off at banks.

A quote from the review sums it all up:

So why is there so much concern about “cyber-terrorism”? Answering a question with a question: who frames the debate? Much of the data are gathered by ultra-secretive government agencies—which need to justify their own existence—and cyber-security companies—which derive commercial benefits from popular anxiety. Journalists do not help. Gloomy scenarios and speculations about cyber-Armaggedon draw attention, even if they are relatively short on facts.

I try very hard not to do what they describe when I speak but it can be difficult especially to those that are not familiar with the problem.Cyber-crime is the death by a thousands cuts type of problem. $3,000 here, $5,000 there, but it all adds up pretty quickly. Cyber-warfare is much bigger and easier to point at than these small little fraud issues.

If you have 10 minutes of time, read the Boston Review article and give me some feedback. Are we in a situation where we as citizens have to be concerned about cyber-warfare like we were concerned about nukes in years past?

There is a bill, S.773, floating around the Senate that will require cybersecurity professionals in the future to be licensed, similar to how a general contractor, electrician etc is licensed. Furthermore, according to CNET News, “[the bill] appears to permit the president to seize temporary control of private-sector networks during a so-called cybersecurity emergency.”

Will this bill pass? Or even more important, is it a good idea?

I don’t think we will see a license requirement anytime soon. When I was at Blackhat I saw Booz, Northrup, and the like executing a massive recruiting effort. The government is trying to hire thousands of cybersecurity professionals. Requiring licensing will delay this by years as those in the field get licensed. With the various security certifications we have now, who will be the governing body to determine what data goes into the certification? Most of the certifications in my view are worthless and I would take a guy (or girl) that has been “on the front lines” before I take a person with 4 certifications and little experience.

What about the ability to take control of private networks in an emergency? From my experiance, there is no way in hell I want the government touching my private network. most government networks are LESS secure than their private counterparts! Furthermore, there has been a massive brain drain from government to the private sector for cyber security positions so who will have the best skilled people available in case of an emergency? Perhaps we should let the private sector take control of government networks during a crisis?

Interested in reading the 55 page excerpt?

A new lawsuit by the Free Enterprise Fund going to the Supreme Court soon challenges the constitutional validity of a certain provision in the Sarbanes-Oxley Act.

The lawsuit claims the Sarbanes-Oxley Act violates constitutional requirements since it gives the Public Company Accounting Oversight Board regulatory powers over the accounting industry, and yet its members are not appointed by the President. They argue that this is a violation of the separation of powers specified in the constitution that leaves the President with insufficient control over what could be considered an executive function.

But to me it sounds like a technicality; pointed at those clamoring for the downfall of SOX. Since SOX lacks a severability clause, if the lawsuit prevails then the entire Act would be thrown out, not just the part about PCAOB appointees. This is probably what the Free Enterprise Fund is planning on.

Opponents of Sarbanes-Oxley are many and they’d love to see SOX thrown out. Ron Paul, to name one, argues that SOX compliance gives U.S. corporations a competitive disadvantage with foreign markets. Both foreign an U.S. firms that do not wish to endure the intrusive compliance regulations of SOX are deregistering from the U.S. stock exchange. This is understandable since the costs SOX imposes have averaged at $5.1 million in compliance costs. The year after it became law, the number of companies de-registering from the stock exchange tripled.

The Act also seems to discourage the initial public offering market from growing. Startups can hardly afford the SOX compliance costs in order to quality for stock market registration. But without investors these companies don’t have much of a chance to grow.

On the other hand, many of these companies fleeing from stock exchange registration because of SOX may have something to hide. In those cases, SOX is doing its job of preventing companies that employ crooked accounting practices from swindling mom and pop investors.

It remains to be seen how the Supreme Court will rule on the lawsuit and, if the lawsuit prevails, how it will end up reforming all aspects of the Sarbanes-Oxley Act.

Sorry for the lack of posts the past two weeks, I was in Vegas for  BlackHat and Defcon, took a couple day break, and then Boston but now I am back in action! More posts to come in the next few days.

Not too long ago, I discussed speed-sourcing as a viable alternative to the traditional slow-poke method of vendor selection and approval. But I neglected to mention some of the more sordid suspicions against consulting firms that advocate speed-sourcing. This is all just speculative rumblings from those in the industry, not to be taken as fact. But I will share with you some of the suspicions about the “speed sourcing scam.”

The scam is perpetrated between the consultants and the vendors at the expense of the client. The consulting firm makes vendor or supplier recommendations to the trusting client to speed up the outsourcing process. But these vendors really have under-the-table deals going on with the consultants. These consultants lie to the client and say the vendor is qualified and offers a competitive rate. Or they offer a potential pool of vendors from their proprietary “center of expertise” – all of whom are in cahoots with the consultants. They will even provide stock RFP responses from by the supplier. The client doesn’t know any better, which is why they rely on a consulting firm in the first place.

The consultants are paid based on how fast the vendor and client are able to make a deal. Thus we have what they like to call “speed sourcing” – some nice jargon for the smoke and mirrors act.

Of course, the vendor may be wholly incapable of delivering what the client asks for, especially if they are overloaded with deceitful consultants referring work to them. But why should the consultants care if they already made the commission?

By hiding behind a make-believe trend these consultants could be greasing their palms. But this is all speculation at this point, possibly a security expert’s inherent paranoia. I couldn’t find one reported case of this happening online. But just because it hasn’t been caught and reported yet, doesn’t mean it isn’t happening. Just something to keep in mind when working with your consultants and your vendors.