Risk Management & Corporate Internet Efforts

Thomas A. Powell
tpowell@pint.com
www.pint.com
Our Plan Today
• Show some existing and emerging problems
• Present some possible solutions
• Illustrate all with examples and stories
• Have a little fun so it is memorable, because if you don’t remember much today you won’t act so … let’s get memorable
Risk Management
“Risk management is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.”
Translation – Avoid This

Instead – openly acknowledge what could happen and actively decide to address it (or not)
A Root Cause for Missing Many Risks?
• Who exactly owns the Web initiatives
• …and in turn the problems and risks they may face or create?
Everybody Does!
Mind the gaps!
Diverse ownership often creates:
• Duplicate (or unnecessary) expenditures
• Diversity problems
• Lots of gaps!
The Web Team Does!
BTW…The Web is the Real World
• Everything is different online don’t you know?
• Psst…don’t tell anyone
Things We Do To Ourselves
Sometimes we make poor decisions about:
• Development
• Design
• Hosting
• Security
• Social
• Analytics
Add To This Things Others Do To Us
• Impose rules on us
• Try to hack us
• Try to trick us
• Try to crash us
• Say bad things about us
As well as any black swans of life we can’t account for
There Be Web Orcs!
I can SQL injectz you!
And They Cause Troubles
Why – Ego
Defacement
(Relax – Faked) This type of “tagging” for cred
Why – Hacktivism
All fun and games until LOIC is aimed at your site
We’re Not Targets!
Why – 4 Lulz
Ok so it isn’t funny to you but it is to them
Nope, Never Happens
After hacking PBS.com they added this article for the “Lulz”
Why – Spread Malware “Germs”
Put malware on your home page to infect others
Why – ID Theft
You (or your users) are a commodity (at least your id, IP or cc# is)
Come on not us!
• If you get compromised, under California SB 1386 you are legally supposed to disclose
• 40 other states have similar laws
• That could be a lot of trouble and $!
Why – Zombie Recruiting
Grow an army and then…
“Awake my Zombie army and attack!”
Really for sure not us!
Why – For The $£¥€!
Yes - Bad people are real
credit: From Russia With Love - Fyodor Yarochkin and The Grugq - http://tinyurl.com/frmrussiawlove
And they’re in your country too…
Reaction - Build Walls
Man the defenses!
“No worry, IT put a firewall in place”
We’re awake!
and what exactly do you see?
Just another day on the Internetz
The Toolbox is Overflowing
Attacker Type #1
Stupid Bot Brigade - “Charge!”
../cmd.exe &1=1;droptable
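The "bot brigade" leaves exactly the kind of trail the speaker notes mention (piles of 404s, crude traversal and injection strings). As an added example that is not part of the original deck, this script scans constructed combined-format access log lines for those probe markers and for 404 bursts from one client; the IPs, paths and thresholds are assumptions.

```python
"""Flag "stupid bot brigade" probes in web server access logs.

Added example, not from the original slide deck. It parses constructed
combined-format log lines, looks for the crude probe markers the deck shows
(path traversal, cmd.exe, 1=1, drop table) and for a burst of 404s from one
client. All IPs, paths and thresholds below are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined log format: ip - - [time] "METHOD path HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Crude probe signatures matching the deck's "../cmd.exe &1=1;droptable" slide,
# checked against the URL-decoded, lower-cased path so %2e%2e%2f is caught too.
PROBE_PATTERNS = {
    "path-traversal": re.compile(r"\.\./|\.\.\\"),
    "cmd-exec": re.compile(r"cmd\.exe|/bin/sh"),
    "sqli-tautology": re.compile(r"(\b|')1\s*=\s*1\b"),
    "sqli-drop": re.compile(r"drop\s*table"),
}
NOT_FOUND_BURST = 5  # 404s from one IP before we call it a scan


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Decode twice: scanners often percent-encode the payload once or twice.
    rec["decoded"] = unquote(unquote(rec["path"])).lower()
    return rec


def classify_probes(decoded_path):
    """Names of every probe signature that matches a decoded request path."""
    return [name for name, rx in PROBE_PATTERNS.items() if rx.search(decoded_path)]


def scan_log(lines):
    """Return (signature_hits, scanning_ips).

    signature_hits: (ip, raw_path, [signature names]) for each request carrying
    a probe marker, whatever the status code (a 200 is the one to worry about).
    scanning_ips: IPs whose 404 count reached NOT_FOUND_BURST.
    """
    hits = []
    not_found = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        sigs = classify_probes(rec["decoded"])
        if sigs:
            hits.append((rec["ip"], rec["path"], sigs))
        if rec["status"] == 404:
            not_found[rec["ip"]] += 1
    scanners = sorted(ip for ip, n in not_found.items() if n >= NOT_FOUND_BURST)
    return hits, scanners


# Constructed sample log: one scanner hammering 404s with an encoded probe,
# one ordinary visitor, and one injection attempt that actually returned 200.
SAMPLE_LOG = [
    '203.0.113.9 - - [10/May/2011:10:00:01 -0700] "GET /scripts/..%2f..%2fwinnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 221 "-" "-"',
    '203.0.113.9 - - [10/May/2011:10:00:02 -0700] "GET /phpmyadmin/ HTTP/1.0" 404 221 "-" "-"',
    '203.0.113.9 - - [10/May/2011:10:00:02 -0700] "GET /admin/ HTTP/1.0" 404 221 "-" "-"',
    '203.0.113.9 - - [10/May/2011:10:00:03 -0700] "GET /wp-login.php HTTP/1.0" 404 221 "-" "-"',
    '203.0.113.9 - - [10/May/2011:10:00:03 -0700] "GET /setup.php HTTP/1.0" 404 221 "-" "-"',
    '198.51.100.7 - - [10/May/2011:10:01:00 -0700] "GET /about.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/May/2011:10:01:05 -0700] "GET /missing.html HTTP/1.1" 404 221 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/May/2011:10:02:00 -0700] "GET /products.php?id=1%20or%201=1;drop%20table%20users HTTP/1.1" 200 8840 "-" "curl/7.21"',
]

if __name__ == "__main__":
    hits, scanners = scan_log(SAMPLE_LOG)
    for ip, path, sigs in hits:
        print(f"probe from {ip}: {path} -> {', '.join(sigs)}")
    print("404-burst scanners:", scanners)
```

The hit that returned 200 is the one worth waking someone up for; the 404 burst is the noise floor that still tells you who is knocking.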
Attacker Type #2
“I’m just a lowly peasant HTTP request. May I pass?”
Hope Your Site Owner Thinks Like a Bouncer?
“Yer not on the list. Come on in?!”
The weak minded are easily tricked
“These are not the requests you are looking for”
0-day to the Face!
“To get our new signature files you need a valid support plan”
The Appearance of Security
The Intent Thief: “How quaint a club!”
Real Security Tradeoffs
This...
Security Tradeoffs
...or this?
We want it all!
Don’t Worry We Use Open Source!
It’s open code to “hackers” too and if widely used becomes a big target
Zoinks!
But everyone uses that…
Indeed that may be true
I also evaluate my hamburger quality the same way
Evaluating By Looks
Custom Troubles
• Reality: Site owners are often their own worst enemy
• Excessive customization by non-security minded devs
• Now add in some third party components with their own troubles for good fun – It’s a 3rd Party Security Party!
Instead It’s A Target Rich Environment
You Must Trust No Inputs
Psst…your pants are down
Really…they’re down
Psst…This isn’t hidden
What’s The Password?
Keys to your Web Kingdom
No Try Limit = No Security Eventually*
No retry limits
+ No Easy Alerting
Let a bot work on it
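What "no retry limits + no easy alerting" looks like when fixed, as an added example that is not part of the original deck (it also covers speaker note #52 on sites that never lock out after dozens of retries): a per-account failure window, a lockout, and an alert raised once per lockout. The account names, passwords, timestamps and thresholds are constructed.

```python
"""Per-account retry limiting with lockout and alerting for a login form.

Added example, not from the original slide deck. It supplies the two things
the "No Try Limit" slide and speaker note #52 say are missing: a cap on failed
attempts per account within a window, and an alert when the cap is hit.
Accounts, passwords and timestamps below are constructed.
"""
import hashlib
import hmac
import os
from collections import defaultdict, deque

MAX_FAILURES = 5        # failed attempts allowed per account per window
WINDOW_SECONDS = 600    # sliding window for counting failures
LOCKOUT_SECONDS = 900   # how long the account stays locked after the cap
PBKDF2_ROUNDS = 50_000  # kept low for the demo; raise in production


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class LoginGuard:
    def __init__(self, alert_sink):
        self.alert_sink = alert_sink        # callable(message) that raises the alert
        self.failures = defaultdict(deque)  # account -> timestamps of recent failures
        self.locked_until = {}              # account -> unix time the lock expires
        self.users = {}                     # account -> (salt, pbkdf2 hash)

    def register(self, account, password):
        salt = os.urandom(16)
        self.users[account] = (salt, _hash(password, salt))

    def is_locked(self, account, now):
        return self.locked_until.get(account, 0) > now

    def attempt(self, account, password, now, client_ip="unknown"):
        """Return "ok", "locked" or "failed" for one login attempt at time `now`.

        A locked account rejects even the correct password so the guessing bot
        gets no signal, and hitting the cap raises exactly one alert per lock.
        """
        if self.is_locked(account, now):
            return "locked"
        recent = self.failures[account]
        while recent and now - recent[0] > WINDOW_SECONDS:   # drop stale failures
            recent.popleft()
        stored = self.users.get(account)
        # Hash against a dummy salt for unknown accounts so response time does
        # not reveal which usernames exist.
        salt, good = stored if stored else (b"\0" * 16, b"")
        candidate = _hash(password, salt)
        if stored and hmac.compare_digest(candidate, good):
            recent.clear()
            return "ok"
        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            recent.clear()
            self.alert_sink(f"lockout: {MAX_FAILURES} failed logins for {account!r} "
                            f"within {WINDOW_SECONDS}s, last from {client_ip}")
        return "failed"


def simulate_bot(guard, account, start=1_000_000):
    """Drive a constructed 20-guess dictionary run, one guess per second.

    Returns (outcomes, alerts): per-attempt results and the alert messages raised.
    """
    alerts = []
    guard.alert_sink = alerts.append
    guesses = ["password", "123456", "letmein", "qwerty", "welcome"] * 4
    outcomes = [guard.attempt(account, g, start + i, "203.0.113.9")
                for i, g in enumerate(guesses)]
    return outcomes, alerts
```

Wire `alert_sink` to whatever already pages your on-call (mail, chat, SIEM); the point of the slide is that nobody gets told, not that the counter is hard.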
Password Policy Time!
• Make your users have some strong password with letters, numbers, really long, etc.
• So…they write it down then
• Or they come up with one and use it everywhere…yes absolutely everywhere
They Hack There To Hack You Here
A user’s security posture may be weaker on your other sites and...
Password Reuse + No Second Form = Fail
“Take this key and believe you are secure”*
Who’s Watching?
• Enjoy your double cap, venti, packet captured browser session!
Better SSL All Your Public WiFi Sessions
No SSL out in open = grab and go access
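The server-side half of "SSL all your sessions" is making sure the session cookie can never travel over plain HTTP, which is what the Firesheep-style capture in the speaker notes relies on. As an added example that is not part of the original deck, this audits a response header block (constructed below) for session cookies lacking Secure/HttpOnly and for a missing or short-lived Strict-Transport-Security header; the cookie-name hints and minimum HSTS age are assumptions.

```python
"""Audit an HTTP response for the session-hijack exposures behind Firesheep.

Added example, not from the original deck. Given the raw header block of a
response (constructed below), it reports session cookies that lack the Secure
or HttpOnly flags and whether Strict-Transport-Security is set. A cookie
without Secure is sent in the clear on the next http:// link, however well
the login page itself was served over TLS.
"""
import re

SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")  # assumption
MIN_HSTS_AGE = 60 * 60 * 24 * 180   # six months, a common minimum


def parse_headers(raw):
    """Return (status_line, [(name_lower, value), ...]) for a header block."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def cookie_attrs(set_cookie):
    """Split a Set-Cookie value into (name, {attr_lower: value})."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name, attrs


def audit_response(raw):
    """Return a list of finding strings; an empty list means nothing to fix."""
    _, headers = parse_headers(raw)
    findings = []
    hsts = None
    for name, value in headers:
        if name == "strict-transport-security":
            hsts = value
        elif name == "set-cookie":
            cname, attrs = cookie_attrs(value)
            if not any(h in cname.lower() for h in SESSION_NAME_HINTS):
                continue  # only session-bearing cookies matter for hijacking
            if "secure" not in attrs:
                findings.append(f"cookie {cname}: missing Secure (sent over plain http)")
            if "httponly" not in attrs:
                findings.append(f"cookie {cname}: missing HttpOnly (readable by script)")
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        age = int(m.group(1)) if m else 0
        if age < MIN_HSTS_AGE:
            findings.append(f"HSTS max-age {age} is below {MIN_HSTS_AGE}")
    return findings


# Constructed responses: one weak, one hardened.
WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
)
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_response(raw) or ["ok"])
```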
Always Easiest to Attack People!
Name: Jim LaFleur
Occupation: Chief of Security
Organization: Dharma Initiative
Find Jim’s name/email in your site comments, Linkedin, Facebook, etc.
Spear Phishing
• Executives are good targets
• Often C-Level executives are not that “cyber savvy”
• Be quite concerned about any systems with electronic fund transfer access
Rise of DoSing & Electronic Sit Ins
This is Your Site on DoS
Just Throw Money At IT
Sure it helps but there is no “silver bullet” box especially without a posture change
Tech Just Can’t Solve All
And tech issues may lead to real corporate trouble…
Accessibility Risks
Privacy Risks
IP Risks
• Your content, site design, source, etc. is easily copied
• It can be quite hard to find all occurrences of it
• Recourse is tough particularly if international
BTW Ever Look What You Agreed To?
Delivery Really Matters
Speed Fail
Misinformation Risks
Vetting is for Losers!
Speed over Substance
“Most of what is written about in the tech world – both in blog form and old school media form – is bullshit.”
“Most are stories written with little or no research done. They’re written as quickly as possible. The faster the better.”
Right from the “horse’s mouth”
Advertising Risks
Click Fraud
GIGO™ Analytics
• Are your analytics accurate?
• Are you watching them real time or not?
• Are you trying to find answers from reports or making reports to answer questions?
Did you know?
• When it comes to Web analytics*
  • JavaScript Off = Invisible
    • Bad people, bots, etc. do this
  • Cookies off = Big Mess
  • Others can easily forge results
Trust But Verify
Social Media Risks
Watch Out Engaging the Thoughts of Crowds / Mobs
Yeah That’s Not a Good Use of Social
What do you call this again?
GeoSocial Risks
Emergency Web Broadcast System
Just in case all that wasn’t scary enough
Summary
• Have you had a security audit of your Web properties?
  • How hackable is your site?
  • What disclosure issues may you have?
• How aware are you of your site performance and uptime?
• How aware are you of what Google’s index says about you and your site?
Summary
• What information are you or your vendors collecting?
  • Is your privacy policy addressing it?
  • Are you aware of privacy regulations in the markets you serve?
• Are you aware of accessibility concerns?
  • Could you be a target?
Summary
• Do you have a social media policy?
  • Do you have a crisis communication plan?
• Are you actively watching your analytics?
• How actively are you monitoring social for
  • Stock issues, HR issues, Customer Issues
Summary
• If you spend ad dollars online
  • How do you track effectiveness?
  • How do you track fraud?
• Do you have an inventory of 3rd Party Scripts / Services you use?
  • What are the QoS, Security and Legal terms of these 3rd parties?
Summary
• Are you disclosing information both technical and not that you should not?
  • Error pages, source code, social media profiles, etc.
• What is the fail point of your site or Web application?
• Are you ready for a DoS attack?
Questions?
Thomas A. Powell
tpowell@pint.com
http://www.pint.com
Twitter: PINTSD
Corp Web Risks and Concerns

Editor's Notes

  • #3: And we promise – there will be no cat pictures today. A single example of one of our products and a few candidates for world’s worst pie charts
  • #4: Buying a box, list or service isn’t really going to secure that much if you aren’t aware and involved
  • #8: In particular we often run into an accountability gap
  • #10: Don’t You Understand!? We’re doing T-Business!!!
  • #14: This is the runner up in the world’s worst pie chart contest. The most common outcomes: 1) Information Leakage, 2) Downtime, 3) Defacement. Web Application Security Consortium (WebAppSec.org) Web Hacking Incident Database: http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database
  • #15: Relax, I faked this … http://www.cornify.com/ - not real in this case, but if you had an XSS hole don’t be surprised if the famous Konami code reveals this
  • #20: Common scheme; seen it on sites where they hack WordPress to hack the database of a shared site to hack the home page to spread malware. You find out once Google starts blocking you
  • #22: http://www.focus.com/fyi/15-most-massive-data-breaches-history/
  • #30: All those 404s might be some nice poorly done hack attempts
  • #31: Here it is, the world’s worst pie chart…. The Big Three attack methods, according to WebAppSec.org: SQL Injection, XSS, and DoS.
  • #42: Secunia advisories for Drupal 6.x: http://secunia.com/advisories/product/17839/?task=advisories
  • #44: This is a well built house!
  • #45: A customer who shall not be named here. Uses Sitecore as their base CMS. External facing portal uses only a "published view". Sitecore admin and content generation performed from a separate system located behind the DMZ. Publishes pages to the outside portal
  • #46: The top weaknesses according to WebAppSec.org include: Improper Input Handling, Improper Output Handling, Insufficient Anti-Automation, Insufficient Authentication. See also the OWASP Top Ten: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
    1: Injection
    2: Cross-Site Scripting (XSS)
    3: Broken Authentication and Session Management
    4: Insecure Direct Object References
    5: Cross-Site Request Forgery (CSRF)
    6: Security Misconfiguration
    7: Insecure Cryptographic Storage
    8: Failure to Restrict URL Access
    9: Insufficient Transport Layer Protection
    10: Unvalidated Redirects and Forwards
  • #52: Many of the sites we found with exposed login pages also failed to lock out a user after dozens of retries, opening the door to dictionary attacks and brute forcing.
  • #53: For published Web sites that use authentication, you can also set password policies directly in ASP.NET (web.config), whether the membership provider is AD or SQL Server. See Sitecore CMS 6 Security API Cookbook (section 2.3): http://sdn.sitecore.net/upload/sitecore6/sc61keywords/security_api_cookbook_usletter.pdf and the Microsoft documentation here: http://msdn.microsoft.com/en-us/library/whae3t94.aspx
  • #55: Sadly these guys got hacked even … But even if you have a second form…. Be careful where you go
  • #56: The mean streets of Starbucks might be a bit meaner than you think…. public WiFi is the hacker’s best friend these days
  • #57: Meet Firesheep - http://en.wikipedia.org/wiki/Firesheep Easy to do this without it, but we keep lowering the bar for people. Why don’t people do SSL? Cert cost? Server scale?
  • #59: Let’s assume we are going to avoid the impersonation move
  • #64: http://www.lunarpages.com/company/newsletter/your-business-website-and-ada-compliance/
  • #71: “process journalism is the posting of a story before it is fully baked, something the NY Times officially despises, but they do it too” – Mike Arrington of Techcrunch / AOL
  • #72: http://parislemon.com/post/17527312140/content-everywhere-but-not-a-drop-to-drink
  • #74: Google says it is 2%, others say that it is > 20% http://www.forbes.com/sites/andygreenberg/2010/10/21/record-click-fraud-boosted-by-fake-video-cell-phone-traffic/
  • #77: Just cuz I sell you ads doesn’t mean I can’t run your analytics
  • #78: Southwest airlines darling of social media stumbles with Kevin Smith
  • #83: http://bloggingmebloggingyou.wordpress.com/2009/02/11/crisis-communications-dark-sites-101/ http://collegewebeditor.com/blog/index.php/archives/2007/04/17/virginia-tech-tragedy-lessons-learned-in-crisis-communication-a-day-after-the-unthinkable/