Changing the SSL cipher order in Internet Explorer 7 on Windows Vista

Recently, the question of using AES for SSL has come up in the newsgroups and at some conferences. When IE makes an HTTPS connection to a web server, it offers a list of the cipher suites it supports, in its order of preference. A server that honors the client's preference then selects the first suite in that list that it also supports (a server can instead be configured to apply its own preference order). The default order that…
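To make the negotiation rule concrete, here is an added example (not code from the original post) that simulates the selection step. The suite lists are constructed for illustration and are not IE7's real default order; the point it shows is that, against a server which honors client preference, moving the AES suites to the front of the client's list is what changes the outcome, whereas a server that imposes its own order ignores the client's ordering entirely.

```python
"""Simulate TLS cipher-suite selection: client preference vs server preference.

Added example; the suite lists are constructed and hypothetical, not IE7's
real defaults.
"""

# Constructed client offer (hypothetical): RC4 and 3DES ahead of AES.
CLIENT_OFFER = [
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]

# Constructed server support list (hypothetical), in the server's own preference order.
SERVER_SUPPORTED = [
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
]


def select_suite(client_offer, server_supported, honor_client_order=True):
    """Return the suite the server picks, or None if the two lists do not overlap.

    honor_client_order=True  : walk the client's list in order and take the first
                               suite the server also supports (the behaviour the
                               post describes).
    honor_client_order=False : walk the server's own preference list instead, which
                               is what a server configured to enforce its own cipher
                               order does; the client's ordering then has no effect.
    """
    if honor_client_order:
        ordered, available = client_offer, set(server_supported)
    else:
        ordered, available = server_supported, set(client_offer)
    for suite in ordered:
        if suite in available:
            return suite
    return None


def reorder_to_prefer(offer, keyword):
    """Move every suite whose name contains `keyword` (e.g. "AES") to the front,
    keeping the relative order within each group. This mimics the effect of
    changing the client's cipher order so that AES suites are offered first."""
    preferred = [s for s in offer if keyword in s]
    rest = [s for s in offer if keyword not in s]
    return preferred + rest


def demo():
    """Run the three scenarios and return the chosen suites as a dict."""
    return {
        "default order, server honors client": select_suite(CLIENT_OFFER, SERVER_SUPPORTED),
        "AES first, server honors client": select_suite(
            reorder_to_prefer(CLIENT_OFFER, "AES"), SERVER_SUPPORTED
        ),
        "default order, server enforces own order": select_suite(
            CLIENT_OFFER, SERVER_SUPPORTED, honor_client_order=False
        ),
    }


if __name__ == "__main__":
    for scenario, suite in demo().items():
        print(f"{scenario:45s} -> {suite}")
```

The first scenario ends up on RC4 purely because the client listed it first; the second gets AES-128 only because the client's order was changed; the third gets AES-256 regardless of what the client asked for. When checking whether a given client really ends up on AES, therefore, it is the server's configuration (does it honor client order or not) that decides whether reordering the client list makes any difference.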


More on Autorun

Last month, in my post “Autorun: good for you?” I described why I believe you should disable Autorun on all computers in your organization. I also explained how you can do this for XP and Vista computers. Well, it turns out that Windows will override this setting if you insert a USB drive that your…


What’s your data worth? More importantly, to whom?

This week I’m attending, and have spoken at, a cybercrime conference in Singapore. One of the presenters made a very good point, and I want to share it with you. When considering how to protect your data, don’t consider how valuable it might be to an attacker. Always, instead, consider how valuable it is to you….


Myth vs. reality: Wireless SSIDs

Do you ever wonder sometimes how it is that some ideas just won’t die? Like the thought that not broadcasting your wireless network’s SSID will somehow make you more secure? This is a myth that needs to be forcibly dragged out behind the woodshed, strangled until it wheezes its last labored breath, then shot several…


Playing around with my blog

In the right-hand column I’ve added a new section with four interesting bits of info for you: A ClustrMap, that shows the locations around the world where people read my blog from. I registered the thing back in December 2006, but just figured out how to add it to the blog software a few days…


More on the necessity of antivirus software

A few days ago, I wrote a brief post about my non-use of antivirus software on my own computers. A number of people have asked me privately if I am recommending such a stance to other individuals or to organizations. Let me be perfectly clear: absolutely not. For the vast majority of folks, the four…


Autorun: good for you?

Yes, if you’re a five-year-old and you’re tired of always asking mom or dad how to start the game on the CD. No need to know how! Just pick up the disc (a little peanut butter on your fingers helps with the grip), slide it in the drive, and wait for the game to start….


Antivirus software — who needs it?

In the newsgroups a few weeks ago, someone asked about which anti-virus software is best for experts. This is a really curious question. I’ve been involved in computer security — as a practitioner, a consultant, and an instructor/speaker — for several years. I feel fairly confident in calling myself an expert. I don’t run anti-malware…


Password policies. Once again.

Recently in the newsgroups (, to be specific) the question of password policies and the out-of-box defaults came up. The poster lamented a number of things: that Microsoft doesn’t enable account lockout by default, that we don’t have a built-in mechanism for automatically disabling unused accounts, and that the 42-day default expiration is troublesome. Here’s my…


Innovative spam subject lines

Speaking of spam (previous post about Microsoft sweepstakes scams), while trolling through my junk email folder I noticed these today: “You have exactly repeated the views of the immortal Emmanuel on that subject.” “The river of time itself consisted for the most part of bright-coloured foreign cars with water spurting up in fountains from under…