cloud

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Hoff points to an interesting project that addresses the distributed authentication issue in web based systems.
    MashSSL - An Excellent Idea You've Probably Never Heard Of... | Rational Survivability
    Tags: ( authentication ssl web )
  2. Get your Security Threat Report 2010 while it's hot!
    Sophos Security Threat Report 2010 | Graham Cluley's blog
    Tags: ( threats reports )
  3. Jennifer is involved in a few talks at Security BSides San Fran. Vote for her!
    Security Uncorked >> The Skinny on Security BSides San Francisco
    Tags: ( conferences bsides )
  4. The finalists for the Social Security Blogger Awards 2010 have been selected.
    The Ashimmy Blog: Envelope please, and the winners are . . .
    Tags: ( awards )
  5. Very cool. Encrypt your logs before sending them across the wire.
    Immutable Security >> Using OSSEC for Encrypted Log Transport
    Tags: ( logging encryption ossec )
  6. Similar to the Amazon EC2 experiment last year, this time it is done with Microsoft's Azure.
    Breaking Password Based Encryption with Azure - Gotham Digital Science
    Tags: ( passwords cracking cloud )
  7. Looks like status quo for the PCI DSS this year.
    Security.exe - Powered by The CISO Group >> Blog Archive >> No major changes to PCI DSS in 2010, but watch for chip and pin in the future
    Tags: ( pci )
  8. Graham points out something those who use twitter should be aware of. Lists as spamming tools.
    Twitter list spam
    Tags: ( lists )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. This is a good article to look at if you are thinking about the cloud and your business. (Hat Tip: @infosecstuff)
    Cloud Security: Ten Questions to Ask Before You Jump In
    Tags: ( cloud )
  2. Another interesting tool today. Use Bing to find associated IP addresses and DNS hostnames. (Hat Tip: @lbhuston)
    Bing Web Server Probe
    Tags: ( tools webappsec )
  3. This looks like an interesting tool to add to your web app sec Firefox toolkit.
    Groundspeed 1.1 - Web Application Security Add-on For Firefox | Darknet - The Darkside
    Tags: ( webappsec tools firefox )
  4. Jarrod shares how he got into information security and offers some thoughts on making your own move.
    /dev/null - ramblings of an infosec professional: How to Get A Start in Information Security
    Tags: ( career )
  5. Ben is up next on the D-list interviews. I know Ben from Twitter and hope we can meet IRL someday.
    Andrew Hay >> Blog Archive >> Information Security D-List Interview: Ben Jackson
    Tags: ( interview )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Gunnar says what I have been thinking about the whole APT argument, only much better than I could.
    1 Raindrop: I Can See APT From Here
    Tags: ( apt )
  2. Anyone who does forensics or needs to deal with Linux machines should be aware of how the /etc/fstab file works. Sometimes you can find interesting things by peeking in there.
    How to edit and understand /etc/fstab
    Tags: ( linux filesystem fstab )
  3. This is just very cool. A very neat visualization of historical browser use statistics.
    http://www.michaelvandaniker.com/labs/browserVisualization/
    Tags: ( visualization )
  4. This is an interesting treatment of what cloud computing is.
    Elemental Cloud-o-gram : elemental cloud computing
    Tags: ( cloud )
  5. This is one of the big questions you have to answer when you consider moving your sensitive corporate and customer data to externally hosted cloud services.
    Thoughts on Secure Multi-Tenancy - Chuck's Blog
    Tags: ( cloud multi-tenancy )
  6. Hmm, doesn't look like the basis for Google claiming the Chinese are behind the Aurora attacks is quite as cut and dried as presented.
    'Aurora' code circulated for years on English sites * The Register
    Tags: ( google aurora )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


Boy, you can tell it's a Monday. We have a big batch of interesting bits to take a peek at today.

Here are today's Interesting Information Security Bits from around the web.

  1. This is a long post, but a great recap of the 2009 CSAW-CTF competition. Good stuff in there. You can even try some of the challenges yourself.
    Matasano Security LLC - Chargen - Exercises for a burgeoning Army of Ninjas
    Tags: ( challenge )
  2. I don't usually point to recap posts, but Rich has a very good thought in the introduction to last week's Friday summary. Something I am dealing with myself.
    Securosis Blog | Friday Summary: January 22, 2010
    Tags: ( general )
  3. It isn't only credit card, SSNs and bank account details that are being traded by the fraudsters anymore.
    Zscaler Research: Watch out Bill Gates...
    Tags: ( social-media fraudsters )
  4. If you use any of these passwords anywhere, I strongly suggest you go change it right now.
    Top 20 website passwords you shouldn't be using | Graham Cluley's blog
    Tags: ( passwords )
  5. The latest pass at the old 'is certification worth a pickle?' question. Actually, a good article with some good advice. The comments are of value too.
    Securosis Blog | The Certification Myth
    Tags: ( certification )
  6. Dave peels back a couple layers of the security mind and peeks at what's inside.
    ShackF00 >> A Glimpse Into the Security Mindset
    Tags: ( security mindset )
  7. Ax0n digs into a new lock. Nifty stuff.
    HiR Information Report: Review: Master 1500iD "Speed Dial" lock
    Tags: ( locks )
  8. Hoff offers some sage advice on compliance and cloud computing.
    Cloud: Security Doesn't Matter (Or, In Cloud, Nobody Can Hear You Scream) | Rational Survivability
    Tags: ( cloud compliance )
  9. Brian has a neat little exploration of a browser exploit kit.
    A Peek Inside the 'Eleonore' Browser Exploit Kit -- Krebs on Security
    Tags: ( exploit browser )
  10. This time we learn a little more about Wim, a very good on-line friend of mine. We haven't met in person yet, but I know that will happen some day.
    Andrew Hay >> Blog Archive >> Information Security D-List Interview: Wim Remes
    Tags: ( interview d-list )
  11. Oops. Looks like Google forgot their 'Do no evil' motto again.
    Sunbelt Blog: Google Toolbar tracks searches after it's disabled.
    Tags: ( google-toolbar data-leakage )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. SynJunkie reminds us that it is best not to run as admin all the time and then offers some tips on how to elevate our privileges when we need to.
    Syn: Part-time Superman
    Tags: ( windows least-privilege )
  2. Mike Rothman has penned an article for fudsec that you owe it to yourself to go read. He calls out some fud and then gives us some actionable advice. Good stuff and, yes, I said "actionable." I'm sorry, it's the manager in me sneaking out 🙂
    Guerilla Security Leadership - fudsec.com
    Tags: ( general )
  3. The A6 (Automated Audit, Assertion, Assessment, and Assurance API) Working Group held their kick-off call recently. The recording is available.
    Recording & Playback of WebEx A6 Working Group Kick-Off Call from 1/8/2010 Available | Rational Survivability
    Tags: ( cloud a6 )
  4. Mark points out that bad things can happen if somebody who shouldn't be able to has the ability to delete computers in an Active Directory domain. Good thing he shows us how to fix it too.
    Gone in 60 Seconds
    Tags: ( active-directory )
  5. Didier gives a video tutorial on using the Adobe Reader JavaScript Blacklist Framework. Pretty nifty stuff.
    Adobe Reader JavaScript Blacklist Framework << Didier Stevens
    Tags: ( )
  6. Anton points out that PCI has components that are not just point-in-time issues, i.e. there are ongoing compliance checks and requirements.
    Anton Chuvakin Blog - "Security Warrior": How to Stay Compliant? or Ongoing Tasks in PCI DSS
    Tags: ( pci )
  7. Securosis has started a new feature called FireStarter. They will be tossing ideas out for the community to chew on. First up - Risk Management. Go check it out and offer up some FIRE!
    Securosis Blog | FireStarter: The Grand Unified Theory of Risk Management
    Tags: ( risk-management )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. William is building a taxonomy of cloud computing benefits. Go check it out and contribute.
    William Vambenepe -- Taxonomy of Cloud Computing Benefits
    Tags: ( cloud )
  2. Brian is interested in finding out what kind of internet users his readers think they are.
    What Kind of Internet User Are You? -- Krebs on Security
    Tags: ( general )
  3. Burp Suite v1.3 has been released.
    PortSwigger.net - web application security: Burp Suite v1.3 released
    Tags: ( webappsec tools burp )
  4. Port knocking is a pretty nifty technique for providing remote access to your system while it appears to be unreachable via the network. It involves sending a specific set of packets or a specifically crafted packet to nominally "closed" ports on your system. The firewall or add-on tooling listens for these packets and then opens the appropriate ports when it sees them. This page has a list of tools that you can use to set up port knocking.
    PORTKNOCKING - A system for stealthy authentication across closed ports. : IMPLEMENTATIONS : implementations
    Tags: ( remote-access port-knocking )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


Good afternoon everybody! It has been a crazy day and it isn't done yet by a long shot. Therefore, just a quick post with a few links. Sorry for the lack of my pithy/inane comments. 🙂

Here are today's Interesting Information Security Bits from around the web.

  1. Better Than Nothing Security: Part I - Secure Computing: Sec-C
    Tags: ( general )
  2. Schneier on Security: The Security Implications of Windows Volume Shadow Copy
    Tags: ( data-wiping )
  3. William Vambenepe -- Cloud + proprietary software =
    Tags: ( cloud )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Here is a nice post talking about fuzzing with Burp.
    ClearNet Security : need to do a GET before POST, fuzzing with BURP and WebScarab
    Tags: ( webappsec fuzzing burp )
  2. I know it seems like I point out every FudSec.org post that happens and, actually, I do. It's because they are all great posts that have good thought generating material. Jayson attacks Cyberwar in this week's edition.
    Beware of Falling Turtles (Plus other things that shouldn't really frighten us) - fudsec.com
    Tags: ( fudsec cyberwar )
  3. This is a must read in my opinion. I have only read the executive summary and skimmed the assurance framework part so far, but they alone are worth the price of admission. I look forward to digging into the assessment portion soon.
    Cloud Computing Risk Assessment -- ENISA
    Tags: ( cloud risk-assessment )
  4. Craig has an interview with Giles Hogben up with some insight into the new Cloud Security Risk Assessment mentioned above.
    ENISA Cloud Security Risk Assessment: An Interview with Giles Hogben | Cloud Security
    Tags: ( cloud risk-assessment )
  5. Anton takes an interesting approach to why PCI is good.
    Anton Chuvakin Blog - "Security Warrior": Smart vs Stupid: But Not Why You Think So!
    Tags: ( pci )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. There is some truth in this post. A corollary is the mommy/daddy principle. I'll ask mommy and if I don't get the answer I want I'll ask daddy.
    Network Security Blog >> I'll do anything! Absolutely anything!
    Tags: ( general )
  2. The CFP for Metricon is open.
    Mini Metricon 4.5 Call For Participation << The New School of Information Security
    Tags: ( conferences cfp metricon )
  3. This is a must see.
    YouTube - Marcus J. Ranum on Cloud Computing Security
    Tags: ( cloud humor )
  4. Here is the mother lode of cheat sheets. Focused on developers, but there are a few that are security related.
    Cheat Sheet and Quick Reference Card Directory | devcheatsheet.com - Cheat Sheets for Developers.
    Tags: ( cheatsheet )
  5. This is the author's page regarding the SSL/TLS vulnerability just announced. It was a bit more reader-friendly and promises to be so again, but the information is still there.
    extendedsubset.com
    Tags: ( tls ssl vulnerability )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. A very good article on an issue that we need to think about as those who are very social media focused are working in our organizations.
    Lifestyle Hackers - CSO Online - Security and Risk
    Tags: ( social-media )
  2. You know you've been wanting to try it.
    Electric Alchemy: Cracking Passwords in the Cloud: Breaking PGP on EC2 with EDPR
    Tags: ( passwords cloud cracking )
  3. Wonder what the latest changes to MA 201 CMR 17.00 are? Jack does us all a wonderful service by showing us the differences.
    Uncommon Sense Security: diff MA 201 CMR 17.00
    Tags: ( ma-201-cmr-17 )
  4. Part two of SynJunkie's latest story is up.
    Syn: Bobs Double Penetration Adventure - Part 2
    Tags: ( story wifi pentest )
  5. The latest version of Microsoft's Security Intelligence Report is available.
    Download details: Microsoft Security Intelligence Report volume 7 (January - June 2009)
    Tags: ( intelligence report microsoft )
  6. This post points out that we really need to be able to communicate with non-technical audiences. It then points to a new SANS short course that helps us learn how to do that more effectively. Looks very interesting.
    Keys to Professional Communication | Courses, Training | Enclave Forensics
    Tags: ( presenting speaking writing )
  7. This page contains links to a wealth of information on psychology and information security. Fascinating stuff that will keep you busy for quite some time.
    Hat tip: Adam @ The New School of Information Security Blog
    Psychology and Security Resource Page
    Tags: ( psychology )
  8. Here is the third and final part of SpyLogic's Enterprise Open Source Intelligence Gathering series. It focuses on monitoring and social media policies.
    Enterprise Open Source Intelligence Gathering - Part 3 Monitoring and Social Media Policies -- spylogic.net
    Tags: ( gathering intelligence )
  9. This is a nicely detailed post on using OWASP ESAPI for output validation. You are validating your output, right? It is actually the second in a series. The first part on input validation is linked to at the beginning and is also worthy of a gander.
    Output Validation using the OWASP ESAPI << Security Ninja
    Tags: ( output-validation owasp esapi )
  10. Anton posits that FUD is good sometimes. Interesting perspective. The New School Security blog has an interesting response too: http://newschoolsecurity.com/2009/10/just-say-no-to-fud/
    A Treatise on FUD - fudsec.com
    Tags: ( iis fud )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin
