December 2008

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Time to patch, Apple owners.
    21 OS X Vulnerabilities Patched By Apple - Security Watch
    Tags: ( patches apple vulnerabilities )
  2. Even Google can get taken in by ad-based malware.
    Google sponsored links caught punting malware * The Register
    Tags: ( malware google ads )
  3. Be careful on Facebook. Well, you should always be careful on Facebook, but there are a few specific reasons you should be until they get them fixed.
    Four XSS flaws hit Facebook | Zero Day | ZDNet.com
    Tags: ( exploit vulnerability xss facebook )
  4. Andy points to an article by Rebecca Herold about the importance of vetting your third-party service providers' information security stance. He then offers his opinion, which agrees with Becky's and mine, for that matter.
    3rd Party Security
    Tags: ( security vendor review )
  5. Look out, folks. It appears that India is being targeted by Chinese hackers. With significant outsourcing going to India, we need to be very aware of this situation.
    The Dark Visitor >> Chinese hackers stealing Indian InfoTech data
    Tags: ( breach india )
  6. The invitations for the RSA Security Blogger's Meet-up. Better get your RSVP in soon. Only 200 will get to attend.
    Network Security Blog >> Look for your invite
    Tags: ( rsa meetup )
  7. This is just nifty.
    ITSec Non-Hypocritical Oath
    Tags: ( creed )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Lavasoft has jumped into the anti-virus market. We'll have to keep an eye on this one.
    Ad-Aware gets an antivirus cousin | The Download Blog - Download.com
    Tags: ( free anti-virus )
  2. Some interesting situations that led to a need for data recovery. Hat tip to Xavier at /dev/random (blog.rotshell.be).
    Kroll Ontrack Top Ten Data Mishaps and Recoveries - Press Release
    Tags: ( amusing general )
  3. The workarounds section for the recent 0-day for IE has been updated. This blog post goes into some further detail about the workarounds.
    Security Vulnerability Research & Defense : Clarification on the various workarounds from the recent IE advisory
    Tags: ( exploit vulnerability microsoft ie workarounds )
  4. Part 2 of SynJunky's fictional story about detection of and incident response to an insider attack.
    Syn: The Story of an Insider - Part 2. The Sys Admins Story
    Tags: ( insider )
  5. This is a nifty way to get the job done.
    Writing a web services fuzzer in 5 minutes to SQL injection | tssci security
    Tags: ( webappsec injection sql )
  6. Woot! Version 1.2 of Burp Suite has been released.
    PortSwigger.net - web application security: Burp Suite v1.2 released
    Tags: ( webappsec burp )
  7. Just go read it. You won't regret it.
    Rational Survivability: GigaOm's Alistair Croll on Cloud Security: The Sky Is Falling!...and So Is My Tolerance For Absurdity
    Tags: ( cloud )
  8. Rory is writing a series of posts on penetration testing. The first is up.
    Rory.Blog: What is Penetration Testing?
    Tags: ( pentest )
  9. Here is a very cool idea for a low/no cost way to implement DLP.
    /dev/random >> Blog Archive >> Simple DLP with Ngrep
    Tags: ( dlp ngrep )
  10. Looks like a nifty tool to add to the arsenal.
    Jeremy's Computer Security Blog: JPEG Fuzzer has ARRIVED
    Tags: ( fuzzer jpeg )
  11. Watch out, folks, SkyNet is just around the corner.
    Schneier on Security: Killing Robot Being Tested by Lockheed Martin
    Tags: ( skynet )

That's it for today. Have fun!


Kevin


Good evening everybody! I hope your day/weekend went well. Here are just a few things I found on my news feeds today.

  1. Looks like Chrome and Safari need a little work on their password managers.
    Researcher: Chrome, Safari password managers need work
    Tags: ( browser chrome password safari manager )
  2. Another reminder that you have no control over what is installed on computers made available for public use. Furthermore, neither do those who are responsible for those computers.
    PCs at wire transfer shops loaded with viruses
    Tags: ( virus keyloggers kiosks )
  3. An interesting article about the old fashioned kind of piracy. The kind where they steal boats, not CDs.
    Somali Pirates Operate Their Own World Wide Network
    Tags: ( general piracy )
  4. Looks like it's not just IE7 that is vulnerable to the latest 0-day exploit. Better switch to something else. Firefox is my favorite.
    Microsoft: IE5, IE6 also affected by browser vulnerability - Network World
    Tags: ( vulnerability ie exploit microsoft )
  5. An option is now available to allow your Tor hosted content a little farther reach.
    New Service Makes Tor Anonymized Content Available to All | Threat Level from Wired.com
    Tags: ( privacy )

That's it for today. Have fun!


Kevin


Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. I mentioned this white paper when I did my RSA Europe recap back in October. It is worth a read. (The link goes directly to the PDF.)
    Web 2.0 Security and Privacy
    Tags: ( privacy enisa )
  2. Here are some things you can do to protect yourself against the 0-day exploit that works against IE7.
    Microsoft talks up countermeasures to fend off new IE attacks
    Tags: ( vulnerability microsoft ie7 )
  3. Adding to the growing pile of recent 0-day exploits for Microsoft products, there appears to be one for SQL Server.
    Security pros groan as zero-day hits Microsoft's SQL Server * The Register
    Tags: ( exploit vulnerability 0day sqlserver microsoft )
  4. Some good general guidance for how to react in the event you have a data breach. I would offer that it is good advice for everybody involved and not just the CIO.
    How a CIO should deal with aftermath of a data breach
    Tags: ( data breach )
  5. Looks like Cisco is in for a legal fight.
    Cisco sued by Free Software Foundation for copyright infringement - Network World
    Tags: ( general )
  6. Innismir weighs in on the recent meme of penetration testing being dead. He, like most of us involved in the discussion, doesn't think it's dead either.
    innismir.net -- Pentration Testing - Not Quite Dead Yet
    Tags: ( pentest )
  7. Rich brings up some good points. Worth reading and thinking about.
    How The Cloud Destroys Everything I Love (About Web App Security) | securosis.com
    Tags: ( cloud webappsec )
  8. WhiteHat Security's quarterly report on website security statistics is available for download. This is the sixth one they have put out. Good stuff in there.
    Jeremiah Grossman: Sixth Quarterly Website Security Statistics Report
    Tags: ( general reports )
  9. Jeremiah offers some really good guidance for justifying your budget for web application security spending.
    Jeremiah Grossman: Budgeting for Web Application Security
    Tags: ( webappsec )
  10. Here's a framework for SAP pen testing.
    sapyto v0.98 Released - SAP Penetration Testing Framework Tool | Darknet - The Darkside
    Tags: ( pentest sap )
  11. You can't make this stuff up. Remember, folks, you have to make sure that all data is removed from devices before you get rid of them.
    Liquidmatrix Security Digest >> McCain Campaign Sells Off... Data?
    Tags: ( data leakage )

That's it for today. Have fun!


Kevin


Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. If any of these apply to your organization you have some work to do.
    http://www.networkworld.com/news/2008/121008-the-seven-deadly-sins-of.html
    Tags: ( program )
  2. Looks like there is another 0-day out.
    Microsoft looking into WordPad zero-day flaw | Security - CNET News
    Tags: ( vulnerability microsoft wordpad )
  3. Shrdlu offers some good suggestions on preparing for next year.
    Layer 8: Out with the old, in with the new.
    Tags: ( general )
  4. Nifty. Five security related distributions in one.
    Ask and you shall receive - SumoLinux - Room362.com
    Tags: ( tools linux distro )
  5. Rich puts to paper (work with me) the same thoughts I had when I read about the direction China is thinking of taking with regard to technical information on products entering China.
    A Good (Potential) Risk Management IQ Test For Management | securosis.com
    Tags: ( general )
  6. Google gives us a nifty resource.
    Google's Browser Security Handbook | Security4all - Dedicated to digital security, enterprise 2.0 and presentation skills
    Tags: ( security browser google books )
  7. Part 5 of this great series is now available. If you haven't read the previous parts, they are linked in the first paragraph.
    Building a Web Application Security Program, Part 5: Secure Development | securosis.com
    Tags: ( webappsec program )

That's it for today. Have fun!


Kevin


Interviewing Tips

by kriggins on December 10, 2008

in Career, Tips

A couple of things have brought this particular topic to my mind recently. First is the number of layoffs that we are seeing in just about every sector of the economy. Second is last week's MentorNet topic.

Most of us are familiar with the first issue, some on a more personal level than others. The second may be a little more obscure. MentorNet is a great organization that I started participating in last year. From the website:

MentorNet is the award-winning nonprofit e-mentoring network that positively affects the retention and success of those in engineering, science and mathematics, particularly but not exclusively women and others underrepresented in these fields.

Anyway, last week's topic asked mentors to share with their mentees any tips they might have for interviewing.

Here is what I shared.

One of the best resources I know of that deals with interviewing skills is "Knock 'em Dead" by Martin Yate.

That being said, here are a few tips that you might find helpful:

  1. Regardless of what is said about dress for the interview, always show up in business attire. You only have a few seconds to make that first impression. How you are dressed is one of the first weapons you have to make that first good impression.
  2. Make sure you do your research on the company that you are interviewing with. Solid knowledge of what the company does is always a good indicator of an applicant's seriousness. Ask questions that show this knowledge throughout the interview so they know you spent the time to become familiar with the company.
  3. Write out answers to common interviewing questions before you start interviewing. The book above and many websites have lists of commonly asked interview questions. You will be much better prepared for them if you have already thought about those questions and written answers to them. Just to be clear, don't read these answers to the interviewer :)
  4. Have somebody do mock interviews with you. Have them ask the questions you have prepared answers for. Also have them ask some questions that you don't have answers for.
  5. Write down some questions you have about the company and the person you will be reporting to. Good questions include what the corporate culture is like, management styles, career path, etc. Again, the book above has some great ones. Take the list with you and bring it out when they ask if you have any questions. I did this for my last two interviews and it was viewed positively by both.
  6. Ask about next steps when the interview is shutting down if they haven't already shared them.
  7. Finally, never say 'yes' immediately. If the company pressures you to do so, you might want to think about whether that is a good company to work for or not.

What are your tips for preparing for and excelling in an interview?

-Kevin


Hello everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. A nice write-up for those who need a primer on building a patch management program. Those already responsible for one would probably benefit from a quick read too.
    http://www.networkworld.com/news/2008/120908-how-to-handle-security-patches.html
    Tags: ( patching program )
  2. Looks like DNSSEC might be getting some traction.
    VeriSign, NeuStar and others team on DNS security
    Tags: ( dns dnssec )
  3. Here is part 2 of a nice description of User Account Control (UAC) virtualization. Part 1 is here: http://www.windowsecurity.com/articles/Protecting-System-Files-UAC-Virtualization-Part1.html
    Protecting System Files with UAC Virtualization (Part 2)
    Tags: ( vista uac )
  4. Time to update the IDS/IPS signatures. There is a new nasty out that takes advantage of IE7.
    New Web attack exploits unpatched IE flaw
    Tags: ( microsoft ie vulnerability )
  5. Mr. Dahn has a few words to say about PCI and virtualization. You should go read them.
    PCI Blog - Compliance Demystified >> Blog Archive >> PCI already addresses Virtualization
    Tags: ( pci virtualization )
  6. Part 4 is up of this great series.
    Building a Web Application Security Program: Part 4, The Web Application Security Lifecycle | securosis.com
    Tags: ( webappsec program )
  7. The Black Hat Japan 2008 audio and presentations are now available.
    Black Hat Japan 2008:buratukuhatutoziyapan2008
    Tags: ( presentations conference audio )

That's it for today. Have fun!


Kevin


Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. RemoteSpy is back for sale after being shut down for a bit. The article explains why.
    RemoteSpy Back On Sale - Security Watch
  2. Time to update your Blackberry Desktop software. A bit of a problem with ActiveX.
    RIM updates BlackBerry Desktop Software to fix ActiveX flaw
  3. If you have already installed PHP 5.2.7, you should probably back rev.
    PHP 5.2.7 removed from distribution over security bug | Zero Day | ZDNet.com
  4. Firefox has released a new beta of version 3.1. It contains a privacy mode. Check it out if you like living on the edge :)
    Techworld.com - Firefox finally gets privacy mode
  5. Mike Rothman is giving a series of webcasts about being a pragmatic CSO. The first is tomorrow. The registration link is in the blog post. As a bonus, those attending will get a 50% discount on his book, but you do have to attend.
    Pragmatic CSO Newsletter #69 - Management Training | Security Incite: Analysis on Information Security
  6. Fyodor wrote a book about using Nmap. You might want to read it.
    Nmap Network Scanning--The Official Nmap Project Guide to Network Discovery and Security Scanning
  7. The fellas over at Napera have some good tips on securing your wireless networks.
    5 steps to securing your corporate wireless network in 2009 >> Napera Networks

That's it for today. Have fun!


Kevin


Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. A nice treatment of the CheckFree exploit.
    Digging Deeper Into the CheckFree Attack - Security Fix
  2. This is an interesting article with several suggestions that apply whether you are worried about Jasager or not. For those not aware, Jasager is an implementation of Karma on a FON access point. Karma is a penetration and exploit framework for wireless networks.
    Jasager: On the Defensive - Room362.com
  3. Tyler offers us a nifty little script that uses Nmap, perl, grep, cut, and sed to provide you with a list of live IP addresses that resolved to host names. Great fun to be had.
    .:Computer Defense:. >> IP Resolution with nmap
  4. Mr. Hoff has a post up that I need to read a couple more times. It is packed full of thought provoking information.
    Rational Survivability: Infrastructure 2.0 and Virtualized/Cloud Networking: Wait, Where's My DNS/DHCP Server Again?
  5. Alex has a nice response up to Bill Brenner's CSO Online article that discusses whether penetration testing has a limited future. Good stuff.
    Penetration Testing Not Dead, Probably Just Pining for the Fjord

That's it for today. Have fun!


Kevin


Good evening everybody. I hope you are having a great day.

Here are today's Interesting Information Security Bits from around the web.

  1. In the U.K., if you were picked up as a person of interest, your DNA would be kept regardless of the outcome of the investigation. This means that innocent people would be in the system. Looks like that is about to change.
    U.K.'s DNA database violates rights, court rules | Security - CNET News
  2. A new variant of the DNSChanger trojan is making the rounds.
    New trojan in mass DNS hijack * The Register
  3. An apparent vulnerability in an undisclosed version of Asterisk is apparently being used by scam artists.
    FBI: Criminals auto-dialing with hacked VoIP systems - Network World
  4. Ed's latest challenge is up.
    The Ethical Hacker Network - Santa Claus is Hacking to Town
  5. I was watching a conversation on Twitter that was the genesis of this post. Great fun.
    A Friday Afternoon Conversation About PCI DSS | RiskAnalys.is
  6. There is a nifty new feature available over at the DataLossDB. Read cwalsh's post to find out what new information you have access to.
    Emergent Chaos: DataLossDB announces awesome new feature

That's it for today. Have fun!


Kevin
