June 2009

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. The solution to the latest packet challenge from I Smell Packets.
    Solution to the Name That Exploit Packet Challenge << I Smell Packets
    Tags: ( challenge packet )
  2. Rich is tackling costs associated with a data breach. He is approaching it from a hard vs. soft costs perspective. Those familiar with FAIR will recognize these as primary and secondary loss factors.
    Securosis Blog | Creating a Standard for Data Breach Costs
    Tags: ( breach costs )
  3. It wouldn't be Blackhat/DefCon season without at least one cease and desist order. The first one this year stops a talk about hacking ATMs.
    ATM Vendor Halts Researcher's Talk on Vulnerability | Threat Level | Wired.com
    Tags: ( atm blackhat )
  4. Thus declareth @hevnsnt. Change your Twitter password on July 1st. Actually a good idea for several reasons which he shares in this blog post.
    July 1st is #twittersec Day | The Edge of I-Hacked
    Tags: ( twitter )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Ryan has put together a very nice article about KisMAC. Now I just need to buy a Mac so I can try it out ;)
    The definitive KisMAC article.
    Tags: ( wireless hacking )
  2. I saw this when Justin tweeted it. You should take a look if you missed it.
    Developing Security: Top 10 signs you are a Security Twit
    Tags: ( humor )
  3. Richard puts pen to paper and figures out what you could do with a million dollars as a blackhat. Answer: Just about anything you want to.
    TaoSecurity: Black Hat Budgeting
    Tags: ( hacking )
  4. Christofer has lost his mind and can't remember what he was doing when he created the diagram in this post. He is looking for you to help him remember. If you give him the best answer, he will even give you enough to buy several Hoffacinos.
    Rational Survivability >> What The Hell Was I Thinking?...Help Me Remember & Win $25
    Tags: ( challenge )
  5. Part 2 of the Application Security Street Fighter blog's exploration of PHP and session attacks is up.
    AppSec Street Fighter - SANS Institute >> Session Attacks and PHP - Part 2
    Tags: ( php session )
  6. Need some log data for research? Anton is here to help you out.
    Anton Chuvakin Blog - "Security Warrior": Free Log Data For Research!
    Tags: ( logs )
  7. This is nifty. Rob has created a way to drop the Metasploit framework on a target as a payload. Very fun.
    Room362.com >> Blog Archive >> Metasploit Framework as a Payload
    Tags: ( metasploit )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. The CFP for BSides Talks in Vegas is open.
    Security B-Sides / BSidesLasVegasTalks
    Tags: ( conference )
  2. Be careful with those quizzes on social media sites. You might be giving away more than you intended to, like your identity.
    How I'm going to use social networking to steal your identity!
    Tags: ( identity )
  3. An easy way to remember how to get to the sysinternals tools no matter where you are.
    Sunbelt Blog: Using live.sysinternals.com as an ad-hoc analysis toolset
    Tags: ( sysinternals tools )
  4. You probably already know, but Clear is gone. Steve shares some thoughts about this.
    Steve Goodbarn: Clear and Present Bankruptcy
    Tags: ( iisn clear )
  5. Dave shares a few things about auditors that you should probably keep in mind when you are at their tender mercies.
    ShackF00 >> 10 Things Your Auditor Isn't Telling You
    Tags: ( audit compliance )
  6. Didier is at it again. This time injecting VBScript into running processes.
    bpmtk: Injecting VBScript << Didier Stevens
    Tags: ( injection code dll )
  7. Lori tells us five questions we should ask when looking at load balancing in the cloud and why we should ask them.
    Five questions you need to ask about load balancing and the cloud
    Tags: ( cloud )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. There is some confusion about when the bi-hourly shutdowns for Windows 7 Beta start. They start July 1st, 2009.
    Clarification on the Date for Bi-hourly Shutdowns for the Windows 7 Beta - Windows 7 Team Blog - The Windows Blog
    Tags: ( windows-7 beta )
  2. More ASP.Net and session attacks. Good stuff.
    AppSec Street Fighter - SANS Institute >> Session Attacks and ASP.NET - Part 2
    Tags: ( asp.net session )
  3. Here's an interesting exploration of the validity of the election returns of the recent presidential election in Iran.
    The Devil Is in the Digits: Evidence That Iran's Election Was Rigged - washingtonpost.com
    Tags: ( election iran )
  4. A nice article on writing information security policies.
    How to Write an Information Security Policy
    Tags: ( policy )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Good afternoon everybody! I hope your day is going well. Sorry for missing yesterday. I had a brutally busy day and then we had a power outage at home to boot.

Here are today's Interesting Information Security Bits from around the web.

  1. A new packet challenge is up at I Smell Packets.
    Packet Challenge - Name that Exploit << I Smell Packets
    Tags: ( challenge packet-capture )
  2. This is an interesting post with some thoughts that can be extended well beyond virtualization.
    View Yonder >> Free the Gladiators!
    Tags: ( virtualization )
  3. This time a peek at PHP and sessions.
    AppSec Street Fighter - SANS Institute >> Session Attacks and PHP
    Tags: ( session )
  4. Anton opines on the contents of the letter sent to the PCI council by the National Retail Federation and other retail associations.
    On "PCI Letter"
    Tags: ( pci letter )
  5. Mozilla has been at work to come up with a method of getting rid of XSS problems. They believe they have it with Content Security Policy.
    Shutting Down XSS with Content Security Policy at Mozilla Security Blog
    Tags: ( csp mozilla )
  6. Christofer has a nice couple of graphics that help describe cloud computing from a high level perspective.
    Rational Survivability >> Incomplete Thought - Cloudanatomy: Infrastructure, Metastructure & Infostructure
    Tags: ( cloud )
  7. The ISC diary points out some ways to protect your web server from being DoSed by the tool released by RSnake recently.
    Apache HTTP DoS tool mitigation
    Tags: ( apache dos )
  8. RSnake takes a look at detecting man-in-the-middle proxies.
    Detecting MITM/Hacking Proxies Via SSL ha.ckers.org web application security lab
    Tags: ( mitm )
  9. Lori offers some thoughts on IPv6 that you should also be thinking about.
    You are the new number 3ffe:1900:4545:3:200:f8ff:fe21:67cf
    Tags: ( ipv6 )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Woot. Offensive Security has released Backtrack 4 Pre-Final to the public.

I updated my Backtrack 4 USB/Persistent Changes/Nessus How-to a couple of weeks ago with instructions, but a public link was not available. The how-to has been updated with download locations and links to the md5sum and sha256sum files.

Have fun.

-Kevin

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. This really is not good from an enterprise security perspective.
    Opera Unite: A Great idea or horrible security risk? - Security
    Tags: ( browser opera )
  2. As Martin says, Level 2 merchants are now faced with a little bit higher bar to get over.
    Network Security Blog >> Level 2 merchants are going to have to get serious about PCI
    Tags: ( pci )
  3. Andrew has started a series on SIEM. Check it out for some good advice.
    Andrew Hay >> Blog Archive >> A SIEM Solution is Like a Garden
    Tags: ( siem )
  4. Rafal talks about a nifty looking tool that I'll be checking out.
    Digital Soapbox - Preaching Security to the Digital Masses: Watcher - Web Vulnerabilities Served Up Passively
    Tags: ( tools webappsec )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. ISC has a nifty services file that also includes a bunch of ports on which different trojans and malware listen.
    http://isc.sans.org/services.html
    Tags: ( ports malware )
  2. Here's a little something to play with in your reversing lab: the Kindle machine-readable source code.
    Amazon.com: Help > Digital Products Help > Amazon Kindle Wireless Reading Device > Amazon Kindle Terms, Warranties, & Notices > Source Code Notice
    Tags: ( kindle )
  3. Amusing.
    YouTube - 50 Ways to Inject Your SQL
    Tags: ( humor sql )
  4. The entire Penetration Testing and Vulnerability Analysis course at Polytechnic Institute of New York University is now available on the web for free. Very cool.
    Penetration Testing and Vulnerability Analysis - Home
    Tags: ( education )
  5. The start of what looks to be an interesting series on session attacks against ASP.NET.
    AppSec Street Fighter - SANS Institute >> Session Attacks and ASP.NET - Part 1
    Tags: ( asp.net session )
  6. Opera released version 10 of its browser yesterday, and it contains something new called Unite. It should scare you if you are responsible for protecting your enterprise's data assets. Any user can now quickly and, supposedly, easily set up a web server/service.
    Boaz Gelbord: Opera Invites You to Join the Cloud
    Tags: ( opera browser )
  7. A new version of Wireshark has been released. Wireshark is an awesome open source network sniffer that is very robust and full of functionality.
    Wireshark 1.2.0 released
    Tags: ( wireshark packet-capture sniffer tools )
  8. Interesting. Low bandwidth denial of service on a web server without affecting other services and easily started and stopped.
    Slowloris HTTP DoS ha.ckers.org web application security lab
    Tags: ( dos http apache )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Microsoft has had a threat modeling guide and some tooling for software development for a bit now. Today a guide was released for infrastructure. This could be very nice. I will be checking it out.
    HolisticInfoSec.org: IT Infrastructure Threat Modeling Guide now available
    Tags: ( threat-modeling )
  2. Andrew sat down and did something that each of us should be doing on a regular basis. He wrote a development plan. He didn't call it that, but that is what he did. Remember, folks, your career is your responsibility, not your employer's.
    Andrew Hay >> Blog Archive >> Training That I Would Like...
    Tags: ( career )
  3. Keep your eyes on this one. Could be some interesting stuff coming next month regarding third-party Twitter services.
    Coming in July: Month of Twitter Bugs | Zero Day | ZDNet.com
    Tags: ( twitter )
  4. Some interesting data collected on infosec professionals and why they move about. The full report is linked to in the post.
    Why do infosec consultants move jobs? | The Infosec Cynic
    Tags: ( career )
  5. OSSEC is a neat tool. If you want to get the low down, read Wim's post.
    OSSEC in a nutshell << The Security Kitchen
    Tags: ( hids ossec )
  6. You've probably seen plenty of warnings about URL shorteners and how they present a security problem. Here is some solid proof that you should be careful with them. I'm not saying don't use them; I use them myself. Just be careful when clicking on that URL.
    Cligs short url service hacked, millions redirected | Graham Cluley's blog
    Tags: ( url-shorteners hacked )
  7. Craig has a great post up that I need to read a couple more times. Worth taking a look at. While you are at it, why not get engaged in the conversation?
    Stop the Madness! Cloud Onboarding Audits - An Open Question... | Cloud Security
    Tags: ( cloud )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

First, I apologize for the long absence of any further posts in this series. I am sure everybody thought I had decided not to continue. Not the case. With the presentation at Secure360, a bathroom remodel and life in general getting in the way, I didn't take the time to keep on top of this series.

Anyway, let's dive back in. All the posts in this series can be found on this page if you want a refresher or are just now jumping on the bandwagon.

In the last post I said we were going to talk a little more about assets, but we are not. We are going to start in on the taxonomy and pick up those words about assets a little later. First, what in the world is a taxonomy? I asked myself this question late last year.

From wikipedia:

...In addition, the word is also used as a count noun: a taxonomy, or taxonomic scheme, is a particular classification ("the taxonomy of ..."), arranged in a hierarchical structure. Typically this is organised by subtype-supertype relationships, also called parent-child relationships...

At the top of a taxonomy is the item being represented. I guess that means we should define exactly what we are building this taxonomy for. One would think I'd have gotten to this a bit earlier. Apparently not :) Okay. Here we go. Let's define RISK.

From the introduction:

Risk - The probable frequency and probable magnitude of future loss

If risk is defined as above, then the very top of our taxonomy looks like this:

[Diagram: taxonomy head]

Starting with the next post, we will begin to build out the rest of the taxonomy. However, we are going to start from the bottom.

As always, I am interested in what you have to say. Please leave comments or email me if you like. My email address is on the about page.

-Kevin

{ 0 comments }