Interesting Information Security Bits for 10/16/2008

October 16, 2008

Good afternoon everybody! I hope your day is going well.

Here are today’s Interesting Information Security Bits from around the web.

  1. Firefox 3.1 Beta Available For Download – Security Watch
    Nuff said.
  2. Security vendors cry foul over exploit tests * The Register
    And the vendors fire back at Secunia after yesterday’s report.
  3. Adobe patches Flash clickjacking and clipboard-poisoning bugs
    Adobe has fixed some stuff related to the clickjacking problem.
  4. Botnet Visualizations – RFI and SQL Injections | Security to the Core | Arbor Networks Security
    This is pretty cool stuff.
  5. /dev/random >> Blog Archive >> Asset Management Using Nmap
    Nice blog post on using some new Nmap features to implement asset management in a way that does not break the bank.
  6. Detailed report on the Georgia Cyberwarfare incident | Security4all – Dedicated to digital security, enterprise 2.0 and presentation skills
    Security4All points out that a report is now available that discusses the Georgia Cyber Warfare incident.
  7. Is Twitter the newest data security threat?
    Lori has an insightful post about Twitter and applications of its ilk.

That’s it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


Interesting Information Security Bits for 10/15/2008

October 15, 2008

Good afternoon everybody! I hope your day is going well.
Here are today’s Interesting Information Security Bits from around the web.

  1. Symantec launches online PC tech support services | News – Security – CNET News
    Give Symantec remote access to your system and, for $39.99 or $69.99, they will solve your PC problems. I’ll leave you to come to your own conclusions here.
  2. Security policy being bypassed by employees, survey finds
    This article just reinforces that you have to make the security controls you put in place manageable and easy to use. You also need to make sure you are enabling your users to act securely. You, as a security professional, are doing your business a disservice if you force the users to make choices that place the business at risk because they can’t get their jobs done efficiently due to onerous or poorly designed security controls.
  3. Bush signs PRO-IP antipiracy law
    The PRO-IP Act has been signed into law. There is a bit of a difference of opinion as to if this is a good thing or not.

That’s it for today. Have fun!

Subscribe to my RSS feed here.

Kevin


Interesting Information Security Bits for 10/14/2008

October 14, 2008

Good afternoon everybody! I hope your day is going well.
Here are today’s Interesting Information Security Bits from around the web.

  1. Using Cain to do a “Man in the Middle” attack by ARP poisoning (Hacking Illustrated Series InfoSec Tutorial Videos)
    Irongeek has a video up showing how to use Cain for man-in-the-middle attacks.
  2. The Security Catalyst >> Join me at the Microsoft Small Business Summit This Wednesday
    Michael (SecurityCatalyst) will be presenting at the Microsoft Small Business Summit on Wednesday. You can watch along live if you wish. Details inside.
  3. Grumpy Hacker News Network: OWASP EU Summit 2008
    The OWASP EU Summit 2009 has been announced. It will take place in Portugal from November 3rd to the 7th.
  4. DarkMarket carder forum revealed as FBI sting * The Register
    This is great. The FBI set up a carder forum as a sting operation.
  5. Top security suites fail exploit tests
    Secunia has a report out in which 12 security suites are tested and don’t do very well at all. Read the report for the specifics, but if you throw a bunch of malware at a system that is un-patched, no amount of security software is going to protect you from getting infected.

If you like these posts, you can get them easily by subscribing to my RSS feed.

That’s it for today. Have fun!

Kevin


Interesting Information Security Bits for 10/13/2008

October 13, 2008

Good afternoon everybody! I hope your day is going well.
Here are today’s Interesting Information Security Bits from around the web.

  1. Schneier on Security: Threat Modeling at Microsoft
    Schneier points us to a white paper by Adam Shostack on Microsoft’s threat modeling methodology. I have only read the first part, but it looks interesting.
  2. McGrew Security Blog >> Blog Archive >> Slides for a forensics class lecture on ext2/3
    Wesley has put up the slides for a talk he is giving about ext2/ext3 file system forensics. You should go check them out.
  3. Apocalyptic Vulnerability Percentages – FUD 101 ha.ckers.org web application security lab
    A good read from RSnake about just how vulnerable we are.
  4. PPT_VeriSign_Webcast_Brazil_20081008.pdf (application/pdf Object)
    Slides from a threat briefing on Brazil that was given by VeriSign last week.
  5. Carnal0wnage Blog: OWASP APPSEC 2008 Conference Videos Online
    Videos are out from the OWASP AppSec 2008 conference.
  6. Matasano Chargen >> Blog Archive >> Detecting Anonymizing Proxies
    A good article on how to detect anonymizing proxies on your network.
  7. Matasano Chargen >> Blog Archive >> Owning Networks With Soldering Irons and Radio Shack Parts
    A great walk-through of Stephen’s experience with a recent pen test that required him to do some hardware hacking.
  8. Dell Launches SingleClick Remote Access – Host security News Wire – Dark Reading
    Dell is now offering a “Go to my PC” like service.
  9. Over half of U.K. firms have lost data
    Ouch. On top of the mind-boggling statistic that 55% of British companies have had a breach and that 49% have had more than one, is the finding that only 10% were considered to be the result of malicious entities. Go take a look.
  10. U.S. proposes digital signing of DNS root zone file
    The U.S. department is looking for comments on how to implement DNSSEC for records in the root zone.
  11. Error puts data on 30 million German phone users on Internet (AFP) by AFP: Yahoo! Tech
    Not once, but twice now, Deutsche Telekom has lost personal data. Lots of it.

    Hat tip: @mckeay

That’s it for today. Have fun!
Kevin


Update: RSA Europe 2008 Blogger/SCC/SecurityTwits Meetup

October 13, 2008

Hello everyone.  RSA Europe 2008 is just around the corner!  Some of us have been talking about setting up a Security Blogger/Security Catalyst/SecurityTwits meetup and have settled on a date, time and location.  We will be getting together on Tuesday the 28th at 8:00 PM.  The Novotel London Excel bar is the location.  The hotel is part of the Excel conference center, so should be easy to track down, but just in case, here’s a map:

If you would like to join us or have a suggestion for a better location, please let me or Security4All know.  I can be contacted either by comments to this post or kriggins _at_ infosecramblings.com and Security4All can be contacted here.

Hope to see you there.

Update: I realized this morning that I was remiss in specifying who was paying for any food or drink you might have during this get together. Everybody will be responsible for their own tab for this event.

Update #2: Today’s the day! As indicated above, we will be in the Upper Deck Bar in the Novotel hotel.  We are going to do our best to carve out a corner to the right of the bar near the river.  Please see the About page to see a picture of me which may help you in picking out our group :)

Kevin


Interesting Information Security Bits for 10/10/2008

October 10, 2008

Good afternoon everybody! I hope your day is going well.
Here are today’s Interesting Information Security Bits from around the web.

  1. The Ethical Hacker Network – Scooby Doo and the Crypto Caper
    Ed Skoudis has another hacker challenge up.
  2. Frame Injection Fun | GNUCITIZEN
    Interesting article about frame injection along with some toys to play with.
  3. Event Registration (EVENT: 115053)
    The next Blackhat Webinar is next week. Sign up now.
  4. Turbo-charged wireless hacks threaten networks * The Register
    It’s getting easier and cheaper to build machines that can more quickly break Wi-Fi encryption.
  5. Metasploit Hacking Tool Now Open for Licensing – Desktop Security News Analysis – Dark Reading
    Metasploit is now as open source as it can be.

That’s it for today. Have fun!
Kevin


Interesting Information Security Bits for 10/09/2008

October 9, 2008

Good afternoon everybody! I hope your day is going well.
Here are today’s Interesting Information Security Bits from around the web.

  1. Network Security Blog >> Step by step guide to the DNS vulnerability
    Martin points us to a good walk-through of the DNS vulnerability that Dan Kaminsky discovered. As he says, it is very complete.
  2. Matasano Chargen >> Blog Archive >> I broke Opera
    Looks like it’s time to patch Opera.
  3. Firefox add-on blocks ‘clickjacking’ attacks
    The latest version of Noscript protects against at least some clickjacking attacks.
  4. How botnets use ‘bullet-proof’ domains | News – Security – CNET News
    Article pointing to a new study that digs into why it is getting harder and harder to shut down botnets.

That’s it for today. Have fun!
Kevin


Interesting Information Security Bits for 10/08/2008

October 8, 2008

Good afternoon everybody! I hope your day is going well.
Here are today’s Interesting Information Security Bits from around the web.

  1. Why Risk Management Doesn’t Work (?!) | RiskAnalys.is
    Alex gives us another thoughtful post on risk management and analysis in response to some questions he received in light of a recent Dark Reading article called “Why Risk Management Doesn’t Work.” Interesting insights follow.
  2. Career Advice from the POPE | Security Incite: Analysis on Information Security
    Mike walks us through the thought process he used recently to help him make the decision to take on another career challenge. Very good stuff.
  3. 8 things you can do with a proxy
    Lori gives us a useful list of things that proxies can be deployed for. Don’t forget that she recently gave us a great primer on what proxies are and the different types that can be setup.
  4. Clickjacking Details ha.ckers.org web application security lab
    Rsnake has posted details on clickjacking.
  5. New Cyber Security Awareness Videos for Families – Desktop Security News Wire – Dark Reading
    Kudos to CyberPatrol for offering this free resource.
  6. Tenn. student indicted for hacking Palin’s e-mail
    Like the title says, the individual allegedly guilty of “hacking” Palin’s email has been indicted.
  7. Asus admits Eee Box mini PC shipped with virus | Register Hardware
    I’d love to say this is the first time this has ever happened, but, unfortunately, I can’t. Seems to happen fairly regularly from a variety of vendors.
  8. Symantec to buy MessageLabs for $695M | News – Security – CNET News
    And the consolidation dance continues.
  9. IT contractor caught stealing Shell Oil employee info * The Register
    Yup, another case of an insider stealing data. The external threat is important, but don’t forget the issue of insiders who already have access to your information.

That’s it for today. Have fun!
Kevin


Interesting Information Security Bits for 10/07/2008

October 7, 2008

Good afternoon everybody! I hope your day is going well.
Here are today’s Interesting Information Security Bits from around the web.

  1. Business of Security
    Some interesting stuff on risk management and assessment and analysis.
  2. LoJack for Laptops (the Free Version) – Freakonomics – Opinion – New York Times Blog
    Title kinda says it all.

    Hat tip: @catalyst

That’s it for today. Have fun!
Kevin


Once more unto the breach…

October 7, 2008

Once more unto the breach, dear friends, once more,
Or close the wall up with our English dead!
In peace there’s nothing so becomes a man
As modest stillness and humility;
But when the blast of war blows in our ears,
Then imitate the action of the tiger:
Stiffen the sinews, summon up the blood.

“Henry V” (5.3.44-51)

Michael J. Santarcangelo, II has written a little book titled Into the Breach. The preview copy I have has 91 pages of content, but I want to make something very clear: the ideas in this little book are big, very big.

The subtitle of the book is “Protect Your Business by Managing People, Information, and Risk.”  Seems pretty straight forward, doesn’t it? However, those of us in the information security profession are painfully aware that actually doing what that simple statement says is often far from straight forward.

Michael wants to help us with the issue and puts forth a process that can greatly increase our ability to satisfy that statement in a manner that brings engagement from all parts of the organization. At its root, Michael’s strategy makes protecting the data of our organizations everybody’s job, not just information technology’s job, but it does so in a way that re-energizes everybody by giving them a voice in what is important and what is not.

He starts out the book by introducing and addressing three common myths that crop up when we start talking about protecting our organization’s data from unauthorized access or “breach”:

  1. “Outsiders pose the biggest threat to information.”
  2. “Information protection needs a technology solution.”
  3. “Protecting information costs too much.”

Throughout the rest of the book, he walks us through a process that is simple in its execution, but profound in what it provides to those who participate in it. I’m not going to steal Michael’s thunder. I am going to suggest that you pick up a copy of his book and read it…twice…at least. If you do, and implement the strategies contained in it, you will be much better equipped to “Protect Your Business by Managing People, Information, and Risk” and reduce the chances that your data will go “Into the Breach.”

Kevin

