October 2009

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. The Security Baselines for Windows 7 and IE 8 are now available.
    Now Available: Security Baselines for Windows 7 and Internet Explorer 8 - Springboard Series Blog - The Windows Blog
    Tags: ( windows-7 ie8 )
  2. The call for submissions for Peer2Peer sessions at RSA 2010 has opened. Have a topic you want to explore with others in your industry/field/profession? Go ahead and suggest it.
    Peer2Peer Sessions
    Tags: ( rsa-2010 cfp )
  3. Xavier's first day recap of Hack.lu is up.
    /dev/random >> hack.lu Day #1
    Tags: ( conferences hacklu )
  4. Jeremiah offers some interesting thoughts on black box vs white box software testing.
    Jeremiah Grossman: Black Box vs White Box. You are doing it wrong.
    Tags: ( webappsec )
  5. Another good article on methods and tools to monitor/gather intelligence about your company that might be mentioned on-line. This one focuses on blogs, message boards, and metadata.
    Enterprise Open Source Intelligence Gathering - Part 2 Blogs, Message Boards and Metadata -- spylogic.net
    Tags: ( monitoring )
  6. This is scary.
    hype-free: Why network neutrality is a big deal
    Tags: ( general )
  7. Anton's notes from the day he spent at NIST's SCAP conference.
    Anton Chuvakin Blog - "Security Warrior": Notes from NIST SCAP 5th Security Automation Conference
    Tags: ( conference nist-scap )
  8. Alex has posted a nice exploration of impact vs asset valuation. This is a very FAIResque treatment of the issue if you ask me, which is a good thing in my opinion.
    Verizon Business Security Blog >> Blog Archive >> The curious case of asset Valuation.
    Tags: ( risk-analysis asses-valuation )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Andrew shows how to install log2timeline on a SANS Investigative Forensic (SIFT) workstation.
    Andrew Hay >> Blog Archive >> Installing log2timeline on SIFT - Updated Instructions for Ease of Use
    Tags: ( forensics )
  2. Before you fire up your new RDS instance with Amazon, you might want to take a gander at Adrian's post. This is not to say don't do it, just some things to think about before you do.
    Securosis Blog | Amazon RDS Announced
    Tags: ( mysql amazon rds )
  3. Some thoughts about cross-gadget security in Google Wave.
    Cross-Gadget Security in Google Wave
    Tags: ( wave )
  4. Richard pulls together a lot of the conversation about A6.
    TaoSecurity: Initial Thoughts on Cloud A6
    Tags: ( cloud a6 )
  5. As always, if an attacker has physical access, things get much easier.
    My not so evil maid - Truecrypt encryption attack | Security Active Blog
    Tags: ( truecrypt )

That's it for today. Have fun!


Kevin


Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Some good tips and resources for gathering intelligence.
    Enterprise Open Source Intelligence Gathering - Part 1 Social Networks -- spylogic.net
    Tags: ( gathering )
  2. I always enjoy pointing to posts that contain resources for education and career advancement. Here is another one.
    Room362.com - Blog - Getting your n00b fill of security
    Tags: ( career learning education )
  3. As always, tools can be used for good or for evil.
    Google Wave as a Tool for Hacking | Social Hacking
    Tags: ( )
  4. This is a fun video. Evolution of Security.
    A Video For You - F-Secure Weblog : News from the Lab
    Tags: ( general )
  5. Want to avoid complete failure from a logging perspective? Check out Anton's list of logging failures.
    Anton Chuvakin Blog - "Security Warrior": Top Log FAIL!
    Tags: ( logging )
  6. An incident response plan isn't any good if it isn't workable. Check out Martin's thoughts on the issue.
    Have a workable plan, or else... : The Security Catalyst
    Tags: ( incident-response )

That's it for today. Have fun!


Kevin


Here is part 2 of my catch-up posts.

  1. Argument For Anonymity - Secure Computing: Sec-C
    Tags: ( anonymity )
  2. RaDaJo (RAul, DAvid and JOrge) Security Blog: Samurai Web Testing Framework (WTF) Firefox Add-ons Collection
    Tags: ( firefox add-ons )
  3. Medical Records: Stored in the Cloud, Sold on the Open Market | Threat Level | Wired.com
    Tags: ( data-leakage phi cloud )
  4. Moving from a Threat Centric to Trust Centric Endpoint Management Model | Optimal Security: The Lumension Blog
    Tags: ( whitelisting malware )
  5. SharePoint and Security | Retail Information Security
    Tags: ( sharepoint )

That's it for today. Have fun!


Kevin


Name, Birthday, and Email…Why Not.

by kriggins on October 27, 2009

in Awareness

I post a lot of links in my daily bits post, but every once in a while I come across something that I think needs to be singled out. This is one of those occasions.

Graham Cluley of Sophos put up this post which I think is a must see. Not necessarily for those of us in the profession, but for our families and friends. Contained in the post is a video where they ask random strangers on the street for their full name, birthday and email address.

Check out what happens and then forward it on to those important to you to help drive home that they need to be careful with their information.

-Kevin



Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Here is some interesting data. I haven't run through it completely yet, but it takes the results of a bunch of scans and then does some mapping against PCI DSS. Fun with numbers :)
    Web Application Security Consortium (WASC) 2008 Statistics Published | Darknet - The Darkside
    Tags: ( metrics webappsec )
  2. This article discusses the decision to ship Windows 7 with a default UAC setting of medium-high.
    Windows 7's security 'time bomb' | The Last Watchdog
    Tags: ( windows-7 uac )
  3. An interesting post by Chris on risk/threat vs risk issue. When does a risk or threat become a risk issue for your organization?
    Risk / Threat vs. Risk Issue << Risktical Ramblings
    Tags: ( risk )
  4. Paul offers a couple thoughts on social networking and data leakage.
    Social networking in the antipodean spotlight | Paul Ducklin's blog
    Tags: ( social-engineering data-leakage )
  5. SynJunkie has another story based post up. This time about the dangers of dual-homing, specifically with a wired connection and a wireless one.
    Syn: Bobs Double Penetration Adventure - Part 1
    Tags: ( pentest )
  6. The Whitehouse has moved their website from an internally developed CMS to Drupal. RSnake offers up some thoughts on why this might be both good and bad.
    Whitehouse Drupal and The Open Source Security Model ha.ckers.org web application security lab
    Tags: ( drupal cms whitehouse )

That's it for today. Have fun!


Kevin


Hi there folks. I know it's been a while since we've had a bits post, but never fear. I did not just click 'mark all read' and am making my way through the backlog. For the next few days you should see a bits post for that day and a catch-up post. This is the first catch-up post. I apologize, but the catch-up posts will probably be commentless like this one.

  1. The Ethical Hacker Network - SSHliders
    Tags: ( challenge )
  2. Nikto 2.10 released << Ramblings of the anal security guy
    Tags: ( nikto tools webappsec )
  3. Twitter Risks | The Infosec Cynic
    Tags: ( twitter humor )
  4. Syn: Abusing VLANs With BackTrack
    Tags: ( vlans backtrack )
  5. Carnal0wnage Blog: Oracle Hacker's Handbook Book Review
    Tags: ( book review oracle )
  6. Securosis Blog | IDM: Reality Sets In
    Tags: ( idm )
  7. Do the Evolution... - fudsec.com
    Tags: ( profession )
  8. Are Security "Best Practices" Unethical? << The New School of Information Security
    Tags: ( best-practices risk-management )
  9. Information Escapology << wirewatcher
    Tags: ( passwords logging )

That's it for today. Have fun!


Kevin


RSA Europe 2009 – Day 3 Recap

by kriggins on October 25, 2009

in Conferences

The final day of RSA Europe 2009 was particularly special to me since it was my speaking debut at an RSA function.

About 20 minutes before I was due to go on I tweeted "6 VMs, a slide deck and me typing...easy peasy :) ." Surprisingly enough, it was easy peasy. I got through the deck, there were no technical failures and I didn't make a single typing mistake......okay, the last bit is a fib.

Things went well and I was able to demonstrate most everything I wanted to. I am now looking forward to the audience feedback.

I did manage to attend a few sessions as well. I started the day out with "The Impact of Future Regulation on Risk & Security Management." The description indicated that the presentation would take a look at how future regulation might impact information security risk management. I was hoping for some possible guidance about what might be coming down the road, but that did not really appear. What was offered was a general implementation roadmap for any new regulation that might come along. Essentially, it was: study the new regulations, review current governance, define awareness, revise policy where appropriate, revise processes and controls as needed, and review and consolidate. Nothing earth shattering, but not a bad plan either.

I next sat with James DeLuccia, who has some great recap posts too, in the "Can Virtualization Threaten Security & Compliance?" panel. This was a great discussion. One of those panels that you wish could go on well beyond the time allotted. There was a great deal of good commentary about the impact of virtualization on security and compliance. Beyond the conversation, three things really impressed me about this panel:

  1. It did not turn into discussion about cloud computing although cloud computing was covered where appropriate.
  2. The panel members were all very respectful of each other and the audience.
  3. The panel was prepared and ready to discuss the topic.

The information was flying fast and I was too busy paying attention and participating to take good notes, but a few things that stood out were:

  • Shadow IT - How are we going to enforce standards, policy and achieve compliance when anybody can fire up a virtual machine either internally or via a cloud service?
  • Server mobility is a real issue - What if the regulation you need to comply with says your machine has to stay in a particular location? How are you going to check that? How are you going to enforce that?
  • Inactivity/sprawl/licensing - Virtualization gives us the ability to rapidly provision servers and, in a lot of cases, without the active participation of an IT worker. How are we going to deal with sprawl? How are we going to manage licensing? How are we going to keep on top of active vs inactive virtual machines? How are we going to deal with inactive machines?

One of my favorite bits from the panel was from John Howie, Senior Director, Microsoft Corporation. He said, a bit paraphrased, "The greatest threat to infosec pros is the Chief Financial Officer." This was in reference to the lower cost of running virtual machines and moving the expense from capital expenditure to operating expense. These business drivers mean we will see more and more call for virtualization.

I did attend the closing keynote. The only real message was there needed to be better integrated controls and they let me get away with it.

I will be making a final RSA Europe 2009 post with my general thoughts, so I will close this one down now.

-Kevin


RSA Europe 2009 – Day 2 Recap

by kriggins on October 22, 2009

in Conferences

Day 2's recap is going to be rather short and for that I apologize. I spent a good portion of the day tweaking and twiddling with my presentation. My presentation went well. No technical failures and I got all my points across. I would have been happier with it being a little smoother, but overall, I am happy.

I did manage to take in one of the keynotes, "The Underground Economy." Andy Auld from SOCA and Keith Mularski from the FBI gave an interesting talk about how the computer crime economy works. They spoke about the different forms of malware and spam, digital currencies, exchangers and then talked about the organized criminal networks that they have come across. A very interesting talk even if a number of the slides were rather difficult to see.

The next session I attended was "Is IT Risk Management Just a Fad?". I expected a talk that would compare and contrast what I call "checklist security" and information security risk management. Unfortunately, that was not the case and I did not really take anything away from this talk.

The final talk I attended was the "Collateral Hacking" panel. It consisted of moderator Hugh Thompson and panelists Andrew Nash from PayPal, David Ostertag of Verizon Business Services and Ira Winkler of ISAG. From the description, the panel was going to talk about what happens when your co-tenant in a cloud is attacked, hence the title of Collateral Hacking. Unfortunately, it quickly lost its way and ended up being far off topic.

-Kevin


RSA Europe 2009 – Day 1 Recap

by kriggins on October 21, 2009

in Conferences

Yesterday was the first day of RSA Europe 2009 and I enjoyed it a great deal.

I ran into Brian Honan first thing in the morning and Craig Balding shortly thereafter.

I attended both opening keynotes and they were well done.

I particularly enjoyed Hugh Thompson's presentation. He spoke about gateway data. This is data that, by itself, seems innocuous. However, it can be used or combined with other data to get more data or more access. He was speaking from the perspective of the data that we often put in public spaces such as Facebook, Twitter, blogs, etc. He also mentioned how on-line behaviors can be used to infer additional information. He classified this data into three different types:

  1. Direct Use - Public data that can be transformed
  2. Amplification - Conversion of public data to private data by bouncing it off a person
  3. Collective Intelligence - Collecting and correlating information from different on-line activities to deduce private information.

The last was the most interesting. He is doing a study which shows how the activities of individuals on LinkedIn can often be correlated to significant future events in the companies the individuals work for.

The next session I attended was 'How Information Security Careers are Changing.' This was an interesting session that looked at where our profession started and where it is going. The biggest takeaway for me was that where our profession used to be primarily technical, we have started to see a shift to a more differentiated situation where we have technical specialists, generalists, consultants and leaders. This means we both have more choices and have to be cognizant of the choices we make as we navigate our careers.

Brian Honan's talk on stealing an identity using purely public information was very enjoyable. About a year ago, a journalist challenged Brian to "steal her identity" using only publicly available information, no automated tools and only completely legal means. Of course, he didn't actually steal her identity, but through the information he found online, he was able to get a copy of her birth certificate, a completely legal activity in Ireland. Pretty much game over at that point. The message here is to be very careful what you put out there because it a) never disappears and b) can be used easily by the 'evil hackers.' He then showed us a number of automated tools like pipl.com and maltego that can make this process even easier.

My final session for the day was Craig Balding's Cloud Security talk. Again, very well done. His talk was a great overview of the issues that exist. Craig is an engaging speaker and stressed that the first step to being able to effectively use cloud services in as secure a manner as possible is to classify our data. Yup, an old song, but a tune that is even more catchy when considering cloud computing. Unfortunately, I had to cut out a little early, but will definitely be catching the rest when the recordings become available.

The last event of my day was the RSA Europe 2009 Security Bloggers Meetup. I have already written my quick recap post of that one and so will not repeat it here other than to say that I really enjoyed seeing old friends, meeting on-line friends for the first time and making some new ones.

If you happen to be here and would like to say hi, send me a note at kriggins@infosecramblings.com or @ me on twitter. I am @kriggins there.

-Kevin

