General

250th Interesting Bits Post

by kriggins on August 6, 2009

Well how about that? The August 6th Interesting Bits post was number 250.

I never dreamed I would hit 250 when I first started doing these posts. It just seemed like a good way to post regularly

Many of you have mentioned that you appreciate these posts and I thank you for those thoughts.

The Interesting Bits posts have become a mainstay of this site and will continue for the foreseeable future.

On that note, feel free to send me links you think I might like to include. I don't promise to include every one, but I do promise to check every one out. You can email them to me (kriggins _at_ infosecramblings _dot_ com) or send them to me via twitter @kriggins.

Thanks for reading and as always drop me a line or leave a comment with your thoughts.

-Kevin

{ 0 comments }

Testing Twitter Tools Again

by kriggins on August 2, 2009

in General

This is a another test. I am testing a plugin that tweets for me as opposed to using an external service.

-Kevin

{ 0 comments }

I am Honored!

by kriggins on April 12, 2009

in Conferences,General

As I was catching up on blogs this evening, I came across this posting on the RSA Security Bloggers blog that gives the list of blogs nominated for the 2009 Social Security Awards. The awards are to be given out at the Security Blogger's Meetup.

Imagine my surprise when I found Infosec Ramblings on the list in the n0n-technical blogs category.

To the person or persons who nominated me, my sincere thanks. I am honored that you consider this little corner of the blogosphere worthy of sitting with the other fine blogs on the list.

Congratulations to all who were nominated and I am really looking forward to meeting many of you at the meet-up.

-Kevin

{ 0 comments }

Happy First Birthday Infosec Ramblings

by kriggins on March 22, 2009

in Announcement,General

On March 22nd, 2008, Infosec Ramblings was born. One year ago (as I write this), I clicked publish on my first blog post. It was titled Too Focused and was inspired by on Seth Godin's posts. Here it is if you are interested.

Since then I have published 245 posts including this one and two how-tos for Backtrack. I have really enjoyed the conversations that have occurred. I must admit that I was not sure how long I would keep this up, but find that I enjoy blogging more today than I did a year ago. I look forward to continuing to bring you daily Information Security Bits and other things that strike my, and hopefully, your fancy.

Thank you so much for reading and even more for responding! Soon we will be celebrating year two!

-Kevin

Photo courtesy of zappowbang.

{ 3 comments }

If You Want It Done Right, Do It Yourself

by kriggins on February 8, 2009

in General

Jeff Atwood has a post up titled Don't Reinvent The Wheel, Unless You Plan on Learning More About Wheels.

Go read it first. The comments too. Go on, I'll wait.
.
.
.
.
.

Welcome back! Good post, huh?

First, I agree with Jeff that there are times when it is more important to figure something out for yourself. Second, I also think there are times when re-use is the right way to go. That brings us to Information Security.

We have all these "best practices" and standards flying around that people are always pointing to and saying you should do THAT.

There are instances where this is completely true. If you are subject to PCI DSS requirements then you really ought to adhere to the requirements. Unless you want to pay fines and such.

However, if you aren't, does it really make sense to apply those requirements to your networks and systems? It might, but then again, it might not. The exact same thing can be said for ISO:27002.

This is where re-inventing the wheel comes in.

We must examine our businesses and make sure that we are not just plugging in the accepted standards and "best practices" without understanding whether they matter in our environment.

Our job as information security professionals is to maintain the Confidentiality, Availability and Integrity of the data under our care. As such, we must make sure we do so with a full understanding of what that data is and how the business uses it. Implimenting policies, processes and technologies exactly the same way everybody else is doing it, is not the way to effectively use our resources.

I fully support the use of standards and "best practices" and believe that PCI DSS, ISO:27002 and other standards and requirements are good things. We just need to be careful that we are paying attention when we use them.

What say you?

-Kevin

{ 9 comments }

Monster.com – They Just Don’t Get It!

by kriggins on January 28, 2009

in Awareness,General,Privacy

I had a Monster.com account hanging out there for a few years. I wasn't looking for a new position so all the privacy controls were turned on. Along comes the second data breach in under two years. I decided I didn't need that account anymore. I know, closing the barn door after the horse is already gone.

Anyway, I went to log into my account to have it removed and couldn't remember my password. No problem. I clicked on the 'Forgot my password' link and received a nice email with url in it to reset my password. Slight problem. The URL didn't point to an SSL encrypted page.

I decided to give them the benefit of the doubt by assuming I would be redirected to a secure page to actually reset my password. Nope. The reset page was also unencrypted. To reset my password I had to let it flit across the hostile internet in cleartext. I went ahead and did it since I was deleting the account anyway.

That made me a little curious and I decided to poke around a little more to see if anything else obvious popped up. Didn't take long.

The sign up page wich asks for your full name, email address, password, location and current employment status is also not encrypted. Once again, I decided to give them the benefit of the doubt and took a peak at the page source to see if maybe they posted the information to a secure page. Nope. At least not that I can find.

What this says to me is that there is a serious lack of understanding of information security in Monster.com's organization. If as basic a tenet as encrypting passwords when in transit and at rest is not understood and enforced, what else are they missing.

</hops off soap box>

-Kevin

{ 1 comment }

Somebody Got Some Splaining To Do

by kriggins on January 16, 2009

in General,programming

An attribution would have avoided a problem here.

Marcin has a post up comparing the SANS Application Security Procurement Language and the OWASP Secure Software Contract Annex.

Give it a read and see what you think.

Kevin

{ 0 comments }

Contracts DO NOT Equal Security – New York and Secure Code

by kriggins on January 16, 2009

in General,programming

Hi folks. Yesterday, I included this story in my Bits post. It is about new procurement language that says software vendors must "certify" that their software does not have any of the Top 25 Errors released by SANS/CWE early this week.

I have read several blog posts on the topic since and today the topic came up on The Security Catalyst Forums. (You should check those out it if you haven't already. Great conversations and community.)

One of the questions posed was this; does this approach seem like something that should be encouraged?

Below is the response I posted.

Two main things pop out at me with this type of thing.

The first is this phrase "must certify that they have rid their code of the Top 25 Errors." What about the next 25 or the next one? I read a blog post over the last couple days that talked about this very well. Blocking where I saw it. If I find it I will update the thread. The essential bit was that "certifying" that you have addressed the top 25 errors doesn't mean your software is secure. That "26th" error can be a show stopper too. Say it with me, compliant does not equal secure. Before people yell at me, I am not implying that we shouldn't address the errors listed in the top 25. (side note: Kees and some others have been pointing out that the 25 may not really be 25)

My second concern is this, sayin' it doesn't make it so. Creating contract language like this can lead an organization to a false sense of security. I can see where orgs might go the route of "the contract says the software is secure so we don't need to test it or perform a risk assessment." Again, that 26th error can hurt a whole lot.

Just my 2 cents worth. It's super cold in Iowa, so flame away

Like it says above, these are my thoughts. What are yours?

-Kevin

{ 3 comments }

Retraction: U.K. Police Can’t Hack Willy Nilly

by kriggins on January 6, 2009

in General,Privacy

In yesterday's Interesting Information Security Bits post, I pointed to an article that indicated that the U.K. had implemented policy changes that allow police officers to "hack" into a suspect's computer without a warrant.

According to this article. That is not true. While there have been discussions about expanding the police force's latitude in this arena, nothing has been enacted at this time.

From the article:

A spokesman for the Home Office told the Reg that UK police can already snoop - but these activities are governed by the Regulation of Investigatory Powers Act and the Surveillance Commissioner. He said changes had been proposed at the last Interior Ministers' meeting, but nothing has happened since.

I have pointed this out in it's own post because I dislike being responsible for spreading fud. I apologize for misleading you with my post yesterday.

Kevin

{ 1 comment }