Interesting Information Security Bits for 10/31/2008

October 31, 2008

Good afternoon everybody! I hope your day is going well.

Here are today’s Interesting Information Security Bits from around the web.

  1. Facebook Privacy & Security Guide Released
    Tom has released his Facebook Security & Privacy Guide. You really should take a look if you have a Facebook account.
  2. Tips for getting started in information security – Kees Leune
    Kees gives those interested in entering the information security profession some really good things to think about and offers up some practical guidance that will really help new entrants focus on getting where they want to go.
  3. Freeform Comment: View from the defence: seven reasons for security as a service
    An article by Jon Collins summarizing the panel he hosted on SaaS at RSA Europe. Some good points are made in its favor.

That’s it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.



RSA Europe 2008 – Day 3

October 29, 2008

Today is the last day of RSA Europe 2008.  I have really enjoyed being here and have attended some very interesting sessions which I will be posting about in the near future.

Today’s agenda is shortened since the last keynote ends at 13:30.  For those who are interested, here are the sessions I will be attending.

Lessons Learned from Société Générale – Preventing Future Fraud Losses Through Better Risk Management
Joseph Magee, Chief Technology Officer, Vigilant, LLC.
This session explores how information security technology could have detected the fraud in this case and how it can be used to prevent it in the future.

Virtual HIPS are Growing – Whether You Like It or Not
Brian O’Higgins, CTO, Third Brigade
This session analyzes three approaches to virtualized intrusion prevention, including host intrusion prevention systems.  It discusses the advantages and disadvantages in the management and architecture of each approach and includes attack demonstrations on virtual machines.

Crash Course: How to become a Successful Online Fraudster
Uri Rivner, Head of New Technology, RSA, The Security Division of EMC

Learn how to defraud your favorite financial service! Uncover the latest tools, methods and best practices! Scalable Phishing techniques; Crimeware you can afford; Defeating 2-factor authentication. Or – if you happen to be on the other side – use these insights to develop a better strategy for protecting your consumers against fraud.

Don’t Bother about IPV6? Beware: It is Already in Your Networks
Andrew Herlands, Application Security Inc.
IPv6 is the next generation of IP addressing and is already enabled by default in several OSs: Microsoft Vista, Linux, etc.  Transition mechanisms are also in place and allow IPv6 to run in tunnels over your existing IPv4 network. This session explains the transition mechanisms and the threats, and proposes mitigation techniques.

ICO – Higher Profile? Stronger Powers? More Effective?
Richard Thomas, Information Commissioner, Information Commissioner’s Office, U.K.
The landscape of information security is ever-evolving.  How can organisations learn from the mistakes of the past?  How do we manage the risks?  What does the future hold?  How is the role of the Information Commissioner’s Office (ICO) being strengthened?  What will be the ICO’s approach?  Richard Thomas will be discussing the latest developments and topical issues to answer these questions and more.

Security Cultures and Information Security
Baroness Pauline Neville-Jones, Shadow Security Minister, U.K.
Baroness Neville-Jones will assess the cultural problems in the Government’s handling of data.  She will make clear the pressing need to improve leadership, governance and accountability structures for data handling.  She will also assess the threats to the information networks on which Government Departments and critical sectors depend and will call for the Government to give concerted attention to the security of these networks and systems – as part of which it must develop partnerships with the private sector.

Have a great day!


RSA Europe – Day 2

October 28, 2008

Hello again people.

In a bit of a time pinch, so here is the agenda for the day for those who care 🙂

  • ‘The New Face of CyberCrime’ film screening and panel
  • Blinded by Flash: Widespread Security Risks Flash Developers Don’t See
  • Why Security Programs Fail
  • The Future of Privacy
  • Security in the Era of Identity 2.0
  • Hackernomics
  • DLP: What will be
  • The Many Faces of Social Engineering

Should be an interesting and busy day.


RSA Europe 2008 starts today…

October 27, 2008

Good morning everybody or at least those who are in a time zone similar to GMT 🙂  RSA Europe starts today and I am sitting in the press room scheduling out my day.  For those interested, my itinerary follows:

10:00 – Keynote – Arthur W. Coviello, Jr. – Executive Vice President EMC
Information Security: From Ineffective to Innovative

While security spending continues to rise, companies are not feeling particularly more secure today than they did five years ago.  Art Coviello will explore this paradox and share with us how focusing on the key variables of vulnerability, probability and materiality can enable us to effectively balance the risk/reward equation.

10:40 – Keynote – Panel – Moderator Christopher Kuner – Partner and Head, Hunton & Williams
Online Privacy and the World of Behavioural Targeting: Challenges and Options

A moderated panel discussion about the move towards behavioural targeting in advertising and what impact this may have on online privacy and security.

11:30 – Chris Batten – Managing Director, Acumin
Managing your own Security Career

Careers in information security are difficult to navigate as the industry changes at an ever increasing pace.  This session addresses the important skills, traits and knowledge one needs to find and keep the kind of position that challenges you and helps you grow while being well compensated.

13:15 – Amichai Shulman – Co-Founder & CTO, Imperva
Google-Hacking and Google-Shielding

Data leakage via search engines is an ever increasing problem.

14:30 – Dennis McCallam – Chief Security Architect – Northrop Grumman
Out with Traditional Authentication and Protection – In with New Data-Centric Security and Aggregated Authentication

Dennis will demonstrate a cost-effective data-centric enterprise approach using use cases that show the operational flexibility and significant advantages of this type of approach.

16:00 – Neil Costigan – Technical Advisor, BehavioSec – Peder Nordstrom – CTO, BehavioSec
Why Settle with Conventional Authentication when Behaviormetrics Go Beyond it?

Behaviormetrics monitors a user’s session continuously to determine if that user is in fact the one associated with the credentials used for authentication.

There is a reception this evening and of course the exhibition hall is open all day. Should be a busy day.

Have a great morning, afternoon or evening as the case may be.


Interesting Information Security Bits for 10/21/2008

October 21, 2008

Good afternoon everybody! I hope your day is going well.

Here are today’s Interesting Information Security Bits from around the web.

  1. Your Simple Guide To Endpoint Encryption Options
    Rich gives us a great resource for discussing and determining how and to what extent we should implement endpoint encryption.
  2. Risktical Ramblings: PCI, Risk Management & “The Blackberry Arsenal”
    A good story with some good take aways for both those answering to RFPs and those reviewing the answers to RFPs.
  3. BrokenHalo LABORATORIES: Midnight Research Labs releases Depant
    This looks like a really neat tool. Scans your target for services with default passwords. Yummy.
  4. Computer Defense: NoScript Force SSL
    Using NoScript, you can force sites to SSL that don’t do a good job of it themselves. Hat tip: Michael Farnum and Security4All
  5. IT security guide: Understanding cyber-risks means knowing what questions to ask
    Something free from ANSI. You should go get your copy if for no other reason than that 🙂 Seriously, good stuff in here.
  6. Zero Day: Researchers hack wired keyboards, hijack keystrokes
    Tempest for the 2000s. Looks like avoiding those wireless keyboards may not actually provide the security you may have felt that it did.

That’s it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.


Where’s my data? Um…it was here a minute ago….

October 21, 2008

In the article “Study: Global information security improves, but still imperfect”, Angela Moscaritolo points us at a report recently released by PriceWaterhouseCoopers, “Safeguarding the new currency of business.”  The report presents the findings of the 2008 Global State of Information Security Study®. Her article points out some salient issues found in the report, but I would like to focus on one particular issue.

On page 12 of the report, we find the following:

Finding #5
Many companies, however – if not most – do not know exactly where important data is located.

Other findings in the report indicate that we are doing better at implementing technical controls and that our compliance efforts also appear to be improving. But here is the rub: what value are better technical controls and a clean compliance report if you don’t know where your sensitive data is?

Okay, we don’t know where our data is. We need to find it. How do we do that?

Ask 10 information security professionals that question and you will get 12 answers, all of them starting with “it depends.” If we can’t get a definitive answer from these folks, who can we get one from? How about the people who use that data each and every day?

Again, there are plenty of ways you could go about gathering that information from your user populace, many of which would be adequate.  But if we want better than adequate, I think Michael Santarcangelo gives us a great model for producing excellent results in his book Into the Breach.

You should get his book and read it as I have said before, but in short, engage your users in small groups and ask them how they do their jobs, in detail.  This will drive out where your data is. You may think your data is that big honking database, but what if a lot of it is in spreadsheets stored on a file server that you know nothing about?

This is a very simplified treatment of a great process that Michael details in his book. So, again, go get it. Read it. Twice. You will not regret it.


Interesting Information Security Bits for 10/20/2008

October 20, 2008

Good afternoon everybody! I hope your day is going well.

Here are today’s Interesting Information Security Bits from around the web.

  1. pdgmail: new tool for gmail memory forensics << SANS Computer Forensics, Investigation, and Response
    If you use GMail, you should really read this article. Sandboxing in some fashion sounds like a really good idea.
  2. TaoSecurity: Trying Firefox with CMU Perspectives
    Much like the web of trust used in GPG signatures, Perspectives for Firefox uses a group of “notaries” to verify the authenticity of a self-signed SSL certificate. Interesting stuff.
  3. extern blog SensePost
    The OWASP NYC talks have been posted.
  4. Information Gathering with Maltego
    Tom has posted his slide deck for the presentation he gave at the Northeast Ohio Information Security Forum last week.
  5. Carnal0wnage Blog: Webapp Assessments Rule, or ‘why running as dbo is bad!’
    Another fun, as in oh my goodness, read about a pentest. This time an appsec test.
  6. Carnal0wnage Blog: A Successful Pentest with some Failures.
    A nice description of a pen test.
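The notary idea behind item 2 (Perspectives) is easy to see in code: several independent observers report which certificate fingerprint a host has been presenting, and the client accepts a self-signed certificate only when enough of them agree, for long enough, with what the client itself was shown. The following is an added example written for this post, not code from the Perspectives project or from Firefox; the notary names, fingerprints and observation windows are constructed, and the quorum and minimum-duration thresholds are illustrative assumptions.

```python
"""Simplified notary-consistency check in the spirit of Perspectives.

Added example, not Perspectives project code. Notary records below are
constructed; real notaries are network services that periodically record
the certificate each server presents and how long that key has been seen.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Observation:
    notary: str        # hypothetical notary name (constructed)
    fingerprint: str   # certificate fingerprint the notary currently sees
    days_seen: int     # how long that notary has seen this key unchanged


def notary_consensus(presented: str, observations: List[Observation],
                     quorum: float = 0.75, min_days: int = 7) -> bool:
    """Accept the fingerprint the client was shown only if at least
    `quorum` of the notaries see the same key AND each of those notaries
    has seen it for at least `min_days`.

    The duration check matters: an attacker sitting between the client
    and the server can present a fresh self-signed key, but cannot make
    notaries on other network paths report having seen it for weeks.
    """
    if not observations:
        return False            # no independent view: do not trust
    agreeing = [o for o in observations
                if o.fingerprint.lower() == presented.lower()
                and o.days_seen >= min_days]
    return len(agreeing) / len(observations) >= quorum


# Constructed sample: four notaries, three of which have long seen KEY_A.
KEY_A = "ab:12:cd:34:ef:56:ab:12:cd:34:ef:56:ab:12:cd:34:ef:56:ab:12"
KEY_B = "99:99:99:99:99:99:99:99:99:99:99:99:99:99:99:99:99:99:99:99"
SAMPLE = [
    Observation("notary-1", KEY_A, 120),
    Observation("notary-2", KEY_A, 90),
    Observation("notary-3", KEY_A, 45),
    Observation("notary-4", KEY_B, 1),   # sees a brand-new, different key
]

if __name__ == "__main__":
    print("client shown KEY_A:", notary_consensus(KEY_A, SAMPLE))  # True
    print("client shown KEY_B:", notary_consensus(KEY_B, SAMPLE))  # False
```

With three of four notaries agreeing on a long-lived key the check passes, while a key only one notary has seen for a day fails regardless of how it is presented to the client.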

That’s it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.