Interesting Information Security Bits for 10/31/2008

October 31, 2008

Good afternoon everybody! I hope your day is going well.

Here are today’s Interesting Information Security Bits from around the web.

  1. spylogic.net – Facebook Privacy & Security Guide Released
    Tom has released his Facebook Security & Privacy Guide. You really should take a look if you have a Facebook account.
  2. Tips for getting started in information security – Kees Leune
    Kees gives those interested in entering the information security profession some really good things to think about and offers up some practical guidance that will really help new entrants focus on getting where they want to go.
  3. Freeform Comment: View from the defence: seven reasons for security as a service
    An article by Jon Collins summarizing the panel he hosted on SaaS at RSA Europe. Some good points are made in its favor.

That’s it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


RSA Europe 2008 – Day 3

October 29, 2008

Today is the last day of RSA Europe 2008.  I have really enjoyed being here and have attended some very interesting sessions which I will be posting about in the near future.

Today’s agenda is shortened since the last keynote ends at 13:30.  For those who are interested, here are the sessions I will be attending.

Lessons Learned from Société Générale – Preventing Future Fraud Losses Through Better Risk Management
Joseph Magee, Chief Technology Officer, Vigilant, LLC.
This session explores how information security technology could have detected the fraud in this case and how it can be used to prevent it in the future.

Virtual HIPS are Growing – Whether You Like It or Not
Brian O’Higgins, CTO, Third Brigade
This session analyzes three approaches to virtualized intrusion prevention, including host intrusion prevention systems.  It discusses the advantages and disadvantages in the management and architecture of each approach and includes attack demonstrations on virtual machines.

Crash Course: How to become a Successful Online Fraudster
Uri Rivner, Head of New Technology, RSA, The Security Division of EMC

Learn how to defraud your favorite financial service! Uncover the latest tools, methods and best practices! Scalable Phishing techniques; Crimeware you can afford; Defeating 2-factor authentication. Or – if you happen to be on the other side – use these insights to develop a better strategy for protecting your consumers against fraud.

Don’t Bother about IPV6? Beware: It is Already in Your Networks
Andrew Herlands, Application Security Inc.
IPv6 is the next generation of IP addressing and is already enabled by default in several OSs: Microsoft Vista, Linux, etc.  Transition mechanisms are also in place and allow IPv6 to run in tunnels over your existing IPv4 network. This session explains the transition mechanisms, the threats and proposes mitigation techniques.

ICO – Higher Profile? Stronger Powers? More Effective?
Richard Thomas, Information Commissioner, Information Commissioner’s Office, U.K.
The landscape of information security is ever-evolving.  How can organisations learn from the mistakes of the past?  How do we manage the risks?  What does the future hold?  How is the role of the Information Commissioner’s Office (ICO) being strengthened?  What will be the ICO’s approach?  Richard Thomas will be discussing the latest developments and topical issues to answer these questions and more.

Security Cultures and Information Security
Baroness Pauline Neville-Jones, Shadow Security Minister, U.K.
Baroness Neville-Jones will assess the cultural problems in the Government’s handling of data.  She will make clear the pressing need to improve leadership, governance and accountability structures for data handling.  She will also assess the threats to the information networks on which Government Departments and critical sectors depend and will call for the Government to give concerted attention to the security of these networks and systems – as part of which it must develop partnerships with the private sector.

Have a great day!

Kevin



RSA Europe – Day 2

October 28, 2008

Hello again people.

In a bit of a time pinch, so here is the agenda for the day for those who care :)

  • ‘The New Face of CyberCrime’ film screening and panel
  • Blinded by Flash: Widespread Security Risks Flash Developers Don’t See
  • Why Security Programs Fail
  • The Future of Privacy
  • Security in the Era of Identity 2.0
  • Hackernomics
  • DLP: What will be
  • The Many Faces of Social Engineering

Should be an interesting and busy day.

Kevin


RSA Europe 2008 starts today…

October 27, 2008

Good morning everybody or at least those who are in a time zone similar to GMT :)   RSA Europe starts today and I am sitting in the press room scheduling out my day.  For those interested, my itinerary follows:

10:00 – Keynote – Arthur W. Coviello, Jr. – Executive Vice President EMC
Information Security: From Ineffective to Innovative

While security spending continues to rise, companies are not feeling particularly more secure today than they did five years ago.  Art Coviello will explore this paradox and share with us how focusing on the key variables of vulnerability, probability and materiality can enable us to effectively balance the risk/reward equation.

10:40 – Keynote – Panel – Moderator Christopher Kuner – Partner and Head, Hunton & Williams
Online Privacy and the World of Behavioural Targeting: Challenges and Options

A moderated panel discussion about the move towards behavioural targeting in advertising and what impact this may have on online privacy and security.

11:30 – Chris Batten – Managing Director, Acumin
Managing your own Security Career

Careers in information security are difficult to navigate as the industry changes at an ever increasing pace.  This session addresses the important skills, traits and knowledge one needs to find and keep the kind of position that challenges you and helps you grow while being well compensated.

13:15 – Amichai Shulman – Co-Founder & CTO, Imperva
Google-Hacking and Google-Shielding

Data leakage via search engines is an ever increasing problem.

14:30 – Dennis McCallam – Chief Security Architect – Northrop Grumman
Out with Traditional Authentication and Protection – In with New Data-Centric Security and Aggregated Authentication

Dennis will demonstrate a cost-effective data-centric enterprise approach using use cases that show the operational flexibility and significant advantages of this type of approach.

16:00 – Neil Costigan – Technical Advisor, BehavioSec – Peder Nordstrom – CTO, BehavioSec
Why Settle with Conventional Authentication when Behaviormetrics Go Beyond it?

Behaviormetrics monitors a user’s session continuously to determine if that user is in fact the one associated with the credentials used for authentication.

There is a reception this evening and of course the exhibition hall is open all day. Should be a busy day.

Have a great morning, afternoon or evening as the case may be.

Kevin


Interesting Information Security Bits for 10/21/2008

October 21, 2008

Good afternoon everybody! I hope your day is going well.

Here are today’s Interesting Information Security Bits from around the web.

  1. Your Simple Guide To Endpoint Encryption Options | securosis.com
    Rich gives us a great resource for discussing and determining how and to what extent we should implement endpoint encryption.
  2. PCI, Risk Management & “The Blackberry Arsenal” << Risktical Ramblings
    A good story with some good take aways for both those answering to RFPs and those reviewing the answers to RFPs.
  3. BrokenHalo LABORATORIES >> Midnight Research Labs releases Depant
    This looks like a really neat tool. Scans your target for services with default passwords. Yummy.
  4. .:Computer Defense:. >> NoScript Force SSL
    Using NoScript, you can force sites to SSL that don’t do a good job of it themselves. Hat tip: Michael Farnum and Security4All
  5. IT security guide: Understanding cyber-risks means knowing what questions to ask
    Something free from ANSI. You should go get your copy if for no other reason than that :) Seriously, good stuff in here.
  6. Researchers hack wired keyboards, hijack keystrokes | Zero Day | ZDNet.com
    Tempest for the 2000s. Looks like avoiding those wireless keyboards may not actually provide the security you may have felt that it did.

That’s it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


Where’s my data? Um…it was here a minute ago….

October 21, 2008

In the article “Study: Global information security improves, but still imperfect“, Angela Moscaritolo points us at a report recently released by PriceWaterhouseCoopers, “Safeguarding the new currency of business.”  The report is the findings of the 2008 Global State of Information Security Study®. Her article points out some salient issues found in the report, but I would like to focus on one particular issue.

On page 12 of the report, we find the following:

Finding #5
Many companies, however – if not most – do not know exactly where important data is located.

Other findings in the report indicate that we are doing better in implementing technical controls and our compliance efforts also appear to be improving. But here is the rub: what value are better technical controls and a clean compliance report if you don’t know where your sensitive data is?

Okay, we don’t know where our data is. We need to find it. How do we do that?

Ask 10 information security professionals that question and you will get 12 answers, all of them starting with “it depends.” If we can’t get a definitive answer from these folks, who can we get one from? How about the people who use that data each and every day?

Again, there are plenty of ways you could go about gathering that information from your user populace, many of which would be adequate.  But if we want better than adequate, I think Michael Santarcangelo gives us a great model for producing excellent results in his book Into the Breach.

You should get his book and read it as I have said before, but in short, engage your users in small groups and ask them how they do their jobs, in detail.  This will drive out where your data is. You may think your data is that big honking database, but what if a lot of it is in spreadsheets stored on a file server that you know nothing about?

This is a very simplified treatment of a great process that Michael details in his book. So, again, go get it. Read it. Twice. You will not regret it.

Kevin


Interesting Information Security Bits for 10/20/2008

October 20, 2008

Good afternoon everybody! I hope your day is going well.

Here are today’s Interesting Information Security Bits from around the web.

  1. pdgmail: new tool for gmail memory forensics << SANS Computer Forensics, Investigation, and Response
    If you use GMail, you should really read this article. Sandboxing in some fashion sounds like a really good idea.
  2. TaoSecurity: Trying Firefox with CMU Perspectives
    Much like the web of trust used in GPG signatures, Perspectives for Firefox uses a group of “notaries” to verify the authenticity of a self-signed SSL certificate. Interesting stuff.
  3. extern blog SensePost;
    The OWASP NYC talks have been posted.
  4. spylogic.net – Information Gathering with Maltego
    Tom has posted his slide deck for the presentation he gave at the Northeast Ohio Information Security Forum last week.
  5. Carnal0wnage Blog: Webapp Assessments Rule or ‘why running as ‘dbo’ is bad!
    Another fun, as in oh my goodness, read about a pentest. This time an appsec test.
  6. Carnal0wnage Blog: A Successful Pentest with some Failures.
    A nice description of a pen test.

That’s it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


Interesting Information Security Bits for 10/18/2008

October 18, 2008

Good afternoon everybody! I hope your day is going well.

Here are today’s Interesting Information Security Bits from around the web.

  1. The Art of Software Security Assessment >> Bugs vs. Flaws
    A really interesting post about definitions and approaches to application security issues and testing. Read the comments too. Really good stuff.
  2. HiR Information Report: Response: “Is Twitter the newest data security threat?”
    Ax0n answers the question that Lori presented the other day.
  3. Telecom Immunity Law Challenged In Court — Telecom Amendments Act — InformationWeek
    The Electronic Frontier Foundation is challenging the Telecom Amendments Act that gave telecom providers retroactive immunity from prosecution for domestic wiretapping they did at the behest of the government. This is a very good thing.
  4. Two new IRS systems have major security weaknesses, federal report says
    Wow. The apparent delinquency in the systems discussed here is atrocious, particularly for the type of system being discussed, i.e. the one that keeps and manages our tax returns.
  5. Altor Networks Introduces Virtual Firewall – Application and Perimeter Security News Wire – Dark Reading
    I can’t comment on the effectiveness of the product, but it is nice to see this type of product starting to appear.
  6. BeCrypt Cryptographic Library Gets Cert – Host security News Wire – Dark Reading
    I’ve used BeCrypt products for quite some time and have found them to be excellent. They now have a library that is FIPS 140-2 certified.

That’s it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


Interesting Information Security Bits for 10/17/2008

October 18, 2008

Good afternoon everybody! I hope your day is going well.

Here are today’s Interesting Information Security Bits from around the web.

  1. The IT Security Guy: Autumn 2008 Edition of 2600 on Newsstands
    Looks like the Autumn 2008 edition of 2600 is out already. Go get yours.
  2. StillSecure, After All These Years: StillSecure, After all these years, Podcast 59 – Mike Murray
    Alan and Mitchell have a new podcast up. Mike Murray visits with them about the impact current economic conditions might have on the security market.
  3. C S R C – Systems Administration
    NIST has released their Guide to Securing Microsoft Windows XP. Always good stuff.

    Hat tip: @danphilpott

  4. USB Goodies 2008 – Room362.com
    This is an awesome list of goodies for infosec and information technology peoples. Ah, who am I kidding, it’s a great list of goodies for any geek :) The tools will soon be available as a downloadable package on BitTorrent.
  5. NIST.gov – Computer Security Division – Computer Security Resource Center
    From the webpage:
    The intent of the assessment case is to provide helpful information and purposefully not to limit the flexibility of an assessor in applying his or her own judgment as to the ‘right’ set of assessor actions to assess a control in a specific information system or organization. Rather, the assessment cases provide worked examples for organizations to use in developing their assessment plans.
  6. Uncommon Sense Security: Security Twits Road Trip Photos
    A group of Security Twits recently hopped in an RV together and made the trip to DayCon. Here are the pictures from the trip.
  7. Survey: 88% of Mumbai’s wireless networks easy to compromise | Zero Day | ZDNet.com
    Not good, not good at all.

That’s it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


But, that was fiction, wasn’t it?

October 17, 2008

In this post, I talked about Cory Doctorow’s fiction book Little Brother.  I briefly mentioned the excessive surveillance implemented by the government as a result of an event that occurred in the book. However, the focus of that post wasn’t the surveillance, but that any system can be designed in such a way that the designer cannot break it.

I think that is still a valid point, but let’s look at the issue of excessive surveillance today.  In the book, everybody in the San Francisco area is essentially watched all the time: from tracking how people move around via public transit ID cards, to the laptops provided to students at school which monitor and report on the students’ online activities, to spending patterns based on credit and debit card usage, and through the populace itself.

The government has convinced a large portion of the populace that this level of daily scrutiny is for their own good.  It is necessary so that the terrorists can be caught. Furthermore, it is the people’s responsibility to report suspicious activity.  We are talking about a situation in which essentially all rights to privacy have been suspended. Now, in Little Brother, this is only occurring in the San Francisco area because of a terrorist attack.

In this post, I talk about a mini-series being aired in the United States right now by PBS called “The Last Enemy.”  In this fictional program, we have moved beyond a locality being under constant watch.  The entire United Kingdom is being watched by a program called T.I.A. or Total Information Awareness.  T.I.A. is fed data from every system the government has and many public sector systems too.  It gives the government the ability to see every move of every person within its database.  It is even able to infer the existence of someone who has not gotten their national identity card by the interactions of people who do have their card.  Again a situation where all rights to privacy have been suspended, whether the people know it or not.

By now, I am sure you are saying to yourself, “What is the point you are trying to make?” Well, apparently, there is a possibility that fiction could quickly become truth. This article on the BBC news website talks about a bill that will be introduced in November in the United Kingdom.  From the article:

Details of the times, dates, duration and locations of mobile phone calls, numbers called, websites visited and addresses e-mailed are already stored by telecoms companies for 12 months under a voluntary agreement.

The data can be accessed by the police and security services on request – but the government plans to take control of the process in order to comply with an EU directive and make it easier for investigators to do their job.

Information will be kept for two years by law and may be held centrally on a searchable database.

So, it seems that we are moving beyond fictional representations of this type of behavior.  And lest we forget, the United States has been dealing with issues along these same lines for some time now. We hear about wiretaps being put in place without warrants and Internet Service Providers allowing governmental agencies to install equipment that monitors all data moving over their backbones.

Let’s look at one final fictional rendition of a totalitarian state which controls its populace ruthlessly, George Orwell’s 1984. I leave you with two quotes from this book and let you draw your own conclusions as to where we are headed if we are not careful.

“The thought police would get him just the same. He had committed—would have committed, even if he had never set pen to paper—the essential crime that contained all others in itself. Thoughtcrime, they called it. Thoughtcrime was not a thing that could be concealed forever. You might dodge successfully for a while, even for years, but sooner or later they were bound to get you.”

“It was terribly dangerous to let your thoughts wander when you were in any public place or within range of a telescreen. The smallest thing could give you away. A nervous tic, an unconscious look of anxiety, a habit of muttering to yourself—anything that carried with it the suggestion of abnormality, of having something to hide. In any case, to wear an improper expression on your face… was itself a punishable offense. There was even a word for it in Newspeak: facecrime…”

Kevin