Today's Bits has really big phone bills, blocking wi-fi signals, a new NIST publication about protecting PII, more storytelling by Synjunkie, generational differences and their impact on business's security, the winners of the latest Ethical Hacker challenge, HITB videos, and the Top 10 Hacking videos on YouTube. Read on for details.
- Just like any networked device/system, make sure your phone systems are appropriately resistant to attack. Otherwise, you might be faced with some serious phone bills.
Police investigate phone hacker spree : thewest.com.au
Tags: ( pbx )
- This is interesting, but be careful. There may be laws that affect whether you can use this type of product.
Techworld.com - New paint promises high-speed Wi-Fi shielding
Tags: ( wireless blocking )
- Rebecca lets us know that NIST has a new publication ready for us, "Guide to Protecting the Confidentiality of Personally Identifiable Information." This should be a good read.
New Guidelines for Safeguarding Personal Data - Realtime IT Compliance
Tags: ( pii protection )
- Synjunkie has part 3 of his Newbie Hax0r storyline up.
Syn: The Story of a Newbie Hax0r - Part 3. Lets Get Physical
Tags: ( stories )
- This has been a topic I have been thinking about quite a bit as I get more involved in social networking. As indicated below, the generation just now entering the work force and the one right behind them communicate in a way that is completely different than any generation before them. We are going to have to learn how to accommodate this while maintaining security.
IT Security's Next Big Threat: Young People - security trends/Vulnerabilities - DarkReading
Tags: ( risk )
- The winners of the latest challenge at the Ethical Hacker Network are posted.
The Ethical Hacker Network - Santa Claus is Hacking to Town - Answers and Winners
Tags: ( challenge )
- Martin points out that the HITB Malaysia videos are available now.
Network Security Blog >> HITB Videos available
Tags: ( videos conferences hitb )
- Here ya go. Some hacking videos for your pleasure.
Hat tip: http://www.stevegoodbarn.com
Top 10 YouTube hacking videos | NetworkWorld.com Community
Tags: ( videos hacking )
That's it for today. Have fun!
Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.
Kevin
Today's Bits has malware infections, data breach at a card processor, the need for requirements, deperimeterization and endpoint control, awareness campaign metrics, an update to an F-Secure malware removal tool, and a list of InfoSec bloggers in Australia. More details below. Have a great day.
- First they allowed computers used in surgery to be rebooted automatically upon being patched by Windows Update. Then they disabled Windows update, but didn't put any further controls in place to protect these systems. Remember, if you disable one control, you need to introduce a compensating control where elevated risk exists.
Conficker seizes city's hospital network * The Register
Tags: ( malware )
- This has the potential to be huge.
Payment processor warns of network breach
Tags: ( breach creditcard )
- "Tell me what you got and I'll pick what I think I need" never ends well. The need for requirements extends well beyond security controls. If you can't effectively articulate your needs, you are never going to be able to fulfill them.
Requirements are required >> Andy ITGuy
Tags: ( general )
- Yup, if you don't control the endpoint, you have some really big problems.
Deperimeterization without endpoint control? | Security Balance
Tags: ( endpoint control infosec deperimeterization )
- Julie has a good post up on Security Catalyst with some suggestions on how to measure the effectiveness of your security awareness program.
Three Ways to Make Awareness Measurable : The Security Catalyst
Tags: ( awareness metrics )
- F-Secure has an update available for their F-Downadup Removal Tool. With the number of machines being reported that are infected with this malware, we should probably all have this in our toolbox.
ISTP and F-Downadup Removal Tool - F-Secure Weblog : News from the Lab
Tags: ( malware tools removal )
- Drazen has started a list of Australian InfoSec bloggers. Check it out and make sure you are on it if you are an InfoSec blogger in Australia.
Beast Or Buddha >> Australian IT Security Blog Directory
Tags: ( general blogs )
Kevin
Sorry for the late post folks. Been a busy, busy day. Below you will find a post by RSnake begging for discussion, EFF pushing for modification to DMCA, a method to secure BGP, why how we communicate to our users is important, the final part of a risk assessment using FAIR, SQL firewalls, and the fact that BeanSec is next week. Have a great weekend.
- Crime and Punishment ha.ckers.org web application security lab
Tags: ( general opinion )
- This would benefit everybody.
EFF pushes for legal handset jail-breaks - vnunet.com
Tags: ( cellphone drm )
- This will be a definite improvement. There have been several cases of BGP errors causing significant problems in the past year or so.
U.S. plots major upgrade to Internet router security - Network World
Tags: ( bgp bgpsec )
- David reminds us that how a message is delivered is just as important as why the message is delivered.
The Power of Positive Rethinking : The Security Catalyst
Tags: ( communication )
- Part 4 of Chris's latest FAIR assessment is posted.
Risk Scenario - Hidden Field / Sensitive Information (Part 4 of 4) << Risktical Ramblings
Tags: ( risk assessment fair )
- It was only a matter of time before we started seeing SQL firewalls. Not saying it's a bad thing.
/dev/random >> Blog Archive >> Databases Protection with GreenSQL
Tags: ( firewall sql )
- Beansec next week.
Rational Survivability: BeanSec! Wednesday, January 21st, 2009 - 6PM to ?
Tags: ( beansec meetings )
- Yes, indeed. I and others have said it more than once, compliance does not equal security.
Network Security Blog >> "Security first" please!
Tags: ( security pci )
Kevin
Hi folks. Yesterday, I included this story in my Bits post. It is about new procurement language that says software vendors must "certify" that their software does not have any of the Top 25 Errors released by SANS/CWE earlier this week.
I have read several blog posts on the topic since, and today the topic came up on The Security Catalyst Forums. (You should check those out if you haven't already. Great conversations and community.)
One of the questions posed was this: does this approach seem like something that should be encouraged?
Below is the response I posted.
Two main things pop out at me with this type of thing.
The first is this phrase: "must certify that they have rid their code of the Top 25 Errors." What about the next 25, or the next one? I read a blog post over the last couple of days that talked about this very well. Blanking on where I saw it. If I find it I will update the thread. The essential bit was that "certifying" that you have addressed the top 25 errors doesn't mean your software is secure. That "26th" error can be a show stopper too. Say it with me: compliant does not equal secure. Before people yell at me, I am not implying that we shouldn't address the errors listed in the top 25. (Side note: Kees and some others have been pointing out that the 25 may not really be 25.)
My second concern is this: sayin' it doesn't make it so. Creating contract language like this can lead an organization to a false sense of security. I can see where orgs might go the route of "the contract says the software is secure, so we don't need to test it or perform a risk assessment." Again, that 26th error can hurt a whole lot.
Just my 2 cents' worth. It's super cold in Iowa, so flame away.
Like it says above, these are my thoughts. What are yours?
-Kevin

The first Des Moines ISSA Chapter meeting of the year will take place on January 26th at 11:30 a.m.
The topic is "Selling Security - Showing a Value Proposition and the Role of Metrics." Dave Nelson, the chapter President, will be presenting.
Additional details can be found on the website at http://desmoines.issa.org.
Kevin
Today's Bits consists of more risk assessment talk, biometrics and passports, secure code by demand, compliance vs. security, builders and breakers in software security, DEFCON CTF, how SSL works, PCI and security, a good way to quantify risk, and an argument that a one-pass data wipe is enough. Details below.
- Part 3 of Chris's assessment is up.
Risk Scenario - Hidden Field / Sensitive Information (Part 3 of 4) << Risktical Ramblings
Tags: ( risk assessment fair )
- Get ready to get your fingers inked when you apply for a passport in the E.U. (Okay, there are inkless methods now. Not nearly as much fun to write "scanned" though.)
Biometric passports agreed to in EU - Network World
Tags: ( privacy )
- Folks, it just isn't this easy. Unlike Picard, we can't just "make it so."
New York drafts language demanding secure code
Tags: ( general )
- Compliance does not equal security. Never has and never will. Good thoughts in here.
Using The Compliance Stick Actually Weakens You | RiskAnalys.is
Tags: ( risk compliance )
- An interesting argument, which I happen to agree with, by Jeremiah about the need for both builders and breakers when it comes to software security.
Jeremiah Grossman: Builders, Breakers, and Malicious Hackers
Tags: ( general opinion )
- Ever wanted to run a CTF? Defcon needs to talk to you. Be warned, we are talking about a granddaddy of a CTF.
DEFCON 17 CTF Call for new Organizers! - Defcon Forums
Tags: ( defcon ctf )
- A really nice basic introduction to how SSL works.
Security Workshop: How HTTPS/SSL works Part 1 - Basics
Tags: ( ssl )
- A nice post by Anton that I found via Alex over at riskanal.is. Repeat "Security First."
Anton Chuvakin Blog - "Security Warrior": Tales From the "Compliance First!" World
Tags: ( pci compliance )
- Adam has a great post up on the Security Catalyst blog. The KISS principle in action.
The Breach-Stamp Metric : The Security Catalyst
Tags: ( risk communication )
- A nice article with some hard data on the effectiveness of data retrieval from a drive that has been effectively wiped. Effectively here meaning with only one pass.
Overwriting Hard Drive Data << SANS Computer Forensics, Investigation, and Response
Tags: ( data disposal )
Kevin