Wow, this has been a crazy busy week.

My apologies for not taking the time to get the daily bits posts out the door. However, don't despair. I have a bumper crop for you today because I have been keeping my eye on things.

Unfortunately you will have to do without my pithy (or so I'd like to believe) comments today. 🙂

Also, RSA Europe 2009, where I'll be speaking, is right around the corner along with some vacation time, so you will see fewer bits posts over the next couple weeks and they will probably be like this one. I will be back in full gear after the conference. I will blog when I can on what I see at RSA though.

Anywho, here are today's (this week's) Interesting Information Security Bits from around the web.

  1. Immutable Security >> Low and Slow SSH Brute Force Attacks
    Tags: ( ssh )
  2. Real World Stories: How Pen Tests Complement Vulnerability Scans << Core Security Technologies
    Tags: ( webappsec pentest )
  3. Visa Announces New Data Encryption Practices
    Tags: ( pci )
  4. 'What's wrong with Smelly Widgets?' - Packet Challenge << I Smell Packets
    Tags: ( challenge packet )
  5. The Professional Security Testers Warehouse for the CEH GPEN QISP Q/ISP OPST CPTS - FRHACK01 copy of presentations
    Tags: ( conference presentations )
  6. Avert Labs Paper: Inside the Password Stealing Business: the Who and How of Identity Theft | Hackers Center Blogs
    Tags: ( passwords )
  7. AVG Stepping Up Consumer Anti-Virus Offerings | Darknet - The Darkside
    Tags: ( anti-virus avg )
  8. Man banished from PayPal for showing how to hack PayPal * The Register
    Tags: ( paypal )
  9. Book Review: The Rootkit Arsenal << McGrew Security Blog
    Tags: ( books reviews )
  10. Jeremiah Grossman: All about Website Password Policies
    Tags: ( infosec passwords )
  11. Digital Soapbox - Preaching Security to the Digital Masses: Things I Learned at SecTor 2009
    Tags: ( conference toorcon recap )
  12. TaoSecurity: Technical Visibility Levels
    Tags: ( availability monitoring )
  13. SSL Still Mostly Misunderstood - DarkReading
    Tags: ( ssl )
  14. Anton Chuvakin Blog - "Security Warrior": Compliance != Security, Does Security = Compliance?
    Tags: ( compliance security )
  15. A Page from Singapore's Cybersecurity Playbook | Optimal Security: The Lumension Blog
    Tags: ( general )
  16. You Can't Always Be Proactive - Hacked Off - Dark Reading
    Tags: ( general )
  17. Security Uncorked >> Good, Bad and Ugly: On SecTor's Wall of Shame
    Tags: ( passwords wireless )
  18. CSS History Hack Used To Ban Torrent Users - web application security lab
    Tags: ( css )
  19. Yahoo Best Jobs in America ranks infosec professional #8
    Tags: ( career )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.



Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Ax0n has started a series on setting up an evil wifi attack type thing 🙂
    HiR Information Report: Evil WiFi Part 1: Jasager/Fonera Setup
    Tags: ( wifi hacking )
  2. Jennifer is pimping the Security B-Sides unconference that is occurring in Las Vegas around the same time as Blackhat. Cool stuff.
    Security Uncorked >> Security B-Sides Conference in Vegas
    Tags: ( conference security-b-sides )
  3. Zach "Quine" Lanier, the @securitytwits herder, is the next up in Raf's interview series.
    Digital Soapbox - Preaching Security to the Digital Masses: 31337 Spotlight: "Quine"
    Tags: ( interview )
  4. Here is the solution to the latest I Smell Packets challenge.
    Solution to Where in The World is Chris? << I Smell Packets
    Tags: ( challenge )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.



Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Dark Reading is hosting a free all-day virtual conference titled "Dealing with Insider Threats" next week.
    Dark Reading To Hold Virtual Conference On Insider Threats Next Week - security events/Security - DarkReading
    Tags: ( conference )
  2. You can download the cfp document and instructions for RSA USA 2010 already. The website will be live for submission soon. The deadline is August 15th since the conference is a month earlier next year.
    RSA Conference 365
    Tags: ( cfp rsa-usa-2010 )
  3. Mubix gave an impromptu talk about Metasploit last night and this happened. Just hilarious.
    YouTube - Anon's raid Mubix
    Tags: ( humor )
  4. Here's a place to read about information security FUD or offer your own stories about it.
    Welcome To -
    Tags: ( fud )
  5. Jeremiah offers some thoughts on why vulnerable code should still be fixed after a web application firewall has been installed. Good comments too.
    Jeremiah Grossman: Why vulnerable code should be fixed even after WAF mitigation
    Tags: ( waf )
  6. Looks like all the hoopla about OpenSSH yesterday was just that, hoopla.
    OpenSSH 0day FUD
    Tags: ( openssh )
  7. A nifty reference card for 802.11.
    Will Hack For SUSHI >> 802.11 Pocket Reference Guide
    Tags: ( 802.11 )
  8. Lee Kushner and Mike Murray will be on PaulDotCom tonight at 7:00PM EDT. Cool stuff. Post tells what they will be talking about.
    InfoSec Leaders on PaulDotCom Tonight | Information Security Leaders
    Tags: ( career )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.



Recap: RSA Europe 2008 Day 2

by kriggins on November 2, 2008

in Conferences

Hello again. Day 2 of RSA Europe 2008 was a busy one.  I attended several sessions during the day and then the Security Catalyst, Security Bloggers, Security Twits get together happened that evening. This post will only talk about the day.  The meet-up post will be later. Without further ado, let's get to it.

'The New Face of Cybercrime' Film Screening and Executive Panel Discussion

Fortify commissioned the creation of a short film that explores what cybercrime looks like in today's world. The film was well done and does a good job of showing that cybercrime is no longer about how many defacements malicious individuals can rack up. It isn't about bragging rights on which systems were hacked.  Cybercrime is big business these days.

Those perpetrating it are doing it for money. As such, they don't want to get kicked out of your systems and don't want anybody to know they are there. It is a different world and we need to be vigilant and focused if we are going to be successful in protecting our enterprises.

Blinded by Flash: Widespread Security Flash Developers Don't See
Prajakta Jagdale, Security Researcher, Hewlett-Packard

Prajakta's session was an interesting one. She showed us how most current problems we find in web apps also exist in Flash based applications. This includes things like XSS, cross-domain privilege escalation, data injection and others. She also showed some interesting things that can be done with some ActionScript functions like onMetaData, a video related function, setClipboard, which does exactly what it says, and runtime instantiation.

Of more concern is her finding of client side authentication and other client side issues in a disturbing percentage of applications.

The Future of Privacy
Bruce Schneier, Security Technologist and CTO, BT Counterpane

Bruce always has interesting things to say.  I will share that most of what he talked about is stuff that he has been talking about in his essays and on his blog. That being said, here are a few nuggets that resonated with me.

  1. Data is a byproduct of the information age - systems are not generating scads and scads of data on you because they are malicious. It just happens as more and more facets of our lives are moderated by computers. Think about email, telephone calls, credit card purchases, books bought via Amazon.  All of these generate data.
  2. Ephemeral data is now stored - In the past the conversation you had in the hall with your co-worker disappeared as soon as it was over. Now, with email, instant messaging, skype and other methods of electronic transport becoming more and more the primary method of communication, those conversations are sticking around.
  3. We aren't in control of that data - We don't have the ability to delete all the data that is being built up about us because we don't control it. Again, this isn't malicious, it's just the way things are in the information age.

The rest of the keynote was quite interesting as he delved into many facets of what will be happening moving forward.

Herbert H. Thompson, Ph. D., Chief Security Strategist, People Security

Dr. Thompson gave a great talk that drove home even more that we are in an era where the motives of today's attackers are no longer about the 'cool' factor. It is a business and we are being faced with well-financed and motivated attackers who are interested in what we have as opposed to just wanting to take us down. He posits Five Laws of Hacker Economics which is worth a read. Good stuff.

Another good day at the conference.


Recap: RSA Europe 2008 Day 1

by kriggins on November 1, 2008

in Conferences

Hi there folks. I am home and somewhat rested from my trip to London for the RSA Europe 2008 conference. It was a great trip and I enjoyed the conference. Below is a recap of my first day. This is going to be long, so hang in there 🙂

Information Security: From Ineffective to Innovative
Arthur W. Coviello, Jr. - Executive Vice President EMC

If I had to compress Mr. Coviello's talk into a few concise points, they would be the following:

  1. Concentrating all our information security efforts at the perimeter is an ineffective model in today's world.
  2. The data we are tasked with protecting must become central to our thought processes when determining how to protect our enterprises.
  3. Information security must be business aligned.

Point number 1: Our perimeters have become quite porous.  This is by design.  As such, customers, partners and others have much more access to internal systems than ever before.  This means that perimeter defenses are inadequate in dealing with attacks that are targeted at the data contained in the applications which are published to the world.  It's the old crunchy shell vs. chewy center problem.

Point number 2: As alluded to above, in many cases the data and applications most important to the enterprise are being published to the internet or to trusted third parties in such a manner that perimeter controls are next to useless in protecting them.  We must start thinking of ways to protect the data where it sits and ensuring that the applications we publish are developed as securely as possible.

Point number 3: Finally, Mr. Coviello said that information security must become business aligned.  We used to be fear driven, i.e. we must protect ourselves from the evil out "there". That has morphed into our current situation where we are often compliance driven, i.e. regulation x must be complied with therefore we must do y. The next step is to be business driven.  We need to understand what the business needs to accomplish, what the keys to the kingdom are, and how to protect them in a manner that is risk appropriate and as unobtrusive to the user as possible.

I agree with all the points he made. It will be a challenge, but we will benefit greatly if we can become an integral part of the business process and start protecting the crown jewels instead of the walls that contain them.

Managing your own Security Career
Chris Batten - Managing Director, Acumin

Mr. Batten offered some insight into how to manage your information security career. His prescription for managing your career is summed up in three statements:

  1. Know yourself
  2. Know others
  3. Do a gap analysis

Know yourself: If you don't know yourself, i.e. strengths, weaknesses, goals, how can you plot a course to get you to where you want to go?

Know others: If you don't know what others expect or how they perceive you, how can you navigate the course you have plotted to get to where you want to go?

Do a gap analysis: Once you know yourself, know others and have determined where you want to go, do a gap analysis of where you are now and what the next step is in your chosen course. Notice the next step part.

He mentioned that planning for ten years down the road is probably not the best use of your time. Things change. Another statement he made is that the career path should be your career path, not the company's career path for you. Determine what you want to do and make that happen.

A Dialogue with ENISA
European Network and Information Security Agency

In this press only event, ENISA presented two white papers, one which has already been published, "Security and Privacy in Massively Multiplayer Online Games", and "Web 2.0 Security and Privacy" which will be released in the near future.  The summaries were both interesting.

I never realized that there was so much real money at stake in the virtual worlds that have been developed in the last few years. Time became short, so we did not have a chance to talk much about the Web 2.0 paper, but a couple points that were raised are that users are going to be faced with more and more behavioural marketing and that the browser is the new OS. Not surprising, but interesting nonetheless. I will be reading up on it when it is published and will report back then.

While I went to several other talks, these three were the most interesting to me and this is long enough already 🙂 Updates for Days 2 and 3 will be along in the next couple days.



RSA Europe 2008 – Day 3

by kriggins on October 29, 2008

in Awareness, Conferences

Today is the last day of RSA Europe 2008.  I have really enjoyed being here and have attended some very interesting sessions which I will be posting about in the near future.

Today's agenda is shortened since the last keynote ends at 13:30.  For those who are interested, here are the sessions I will be attending.

Lessons Learned from Société Générale - Preventing Future Fraud Losses Through Better Risk Management
Joseph Magee, Chief Technology Officer, Vigilant, LLC.
This session explores how information security technology could have detected the fraud in this case and how it can be used to prevent it in the future.

Virtual HIPS are Growing - Whether You Like It or Not
Brian O'Higgins, CTO, Third Brigade
This session analyzes three approaches to virtualized intrusion prevention, including host intrusion prevention systems. It discusses the advantages and disadvantages in the management and architecture of each approach and includes attack demonstrations on virtual machines.

Crash Course: How to become a Successful Online Fraudster
Uri Rivner, Head of New Technology, RSA, The Security Division of EMC

Learn how to defraud your favorite financial service! Uncover the latest tools, methods and best practices! Scalable Phishing techniques; Crimeware you can afford; Defeating 2-factor authentication. Or - if you happen to be on the other side - use these insights to develop a better strategy for protecting your consumers against fraud.

Don't Bother about IPV6? Beware: It is Already in Your Networks
Andrew Herlands, Application Security Inc.
IPv6 is the next generation of IP addressing and is already enabled by default in several OSs: Microsoft Vista, Linux, etc. Transition mechanisms are also in place and allow IPv6 to run in tunnels over your existing IPv4 network. This session explains the transition mechanisms, the threats and proposes mitigation techniques.

ICO - Higher Profile? Stronger Powers? More Effective?
Richard Thomas, Information Commissioner, Information Commissioner's Office, U.K.
The landscape of information security is ever-evolving. How can organisations learn from the mistakes of the past? How do we manage the risks? What does the future hold? How is the role of the Information Commissioner's Office (ICO) being strengthened? What will be the ICO's approach? Richard Thomas will be discussing the latest developments and topical issues to answer these questions and more.

Security Cultures and Information Security
Baroness Pauline Neville-Jones, Shadow Security Minister, U.K.
Baroness Neville-Jones will assess the cultural problems in the Government's handling of data. She will make clear the pressing need to improve leadership, governance and accountability structures for data handling. She will also assess the threats to the information networks on which Government Departments and critical sectors depend and will call for the Government to give concerted attention to the security of these networks and systems - as part of which it must develop partnerships with the private sector.

Have a great day!


RSA Europe 2008 starts today…

by kriggins on October 27, 2008

in Conferences

Good morning everybody or at least those who are in a time zone similar to GMT 🙂  RSA Europe starts today and I am sitting in the press room scheduling out my day.  For those interested, my itinerary follows:

10:00 - Keynote - Arthur W. Coviello, Jr. - Executive Vice President EMC
Information Security: From Ineffective to Innovative

While security spending continues to rise, companies are not feeling particularly more secure today than they did five years ago.  Art Coviello will explore this paradox and share with us how focusing on the key variables of vulnerability, probability and materiality can enable us to effectively balance the risk/reward equation.

10:40 - Keynote - Panel - Moderator Christopher Kuner - Partner and Head, Hunton & Williams
Online Privacy and the World of Behavioural Targeting: Challenges and Options

A moderated panel discussion about the move towards behavioural targeting in advertising and what impact this may have on online privacy and security.

11:30 - Chris Batten - Managing Director, Acumin
Managing your own Security Career

Careers in information security are difficult to navigate as the industry changes at an ever increasing pace. This session addresses the important skills, traits and knowledge one needs to find and keep the kind of position that challenges you and helps you grow while being well compensated.

13:15 - Amichai Shulman - Co-Founder & CTO, Imperva
Google-Hacking and Google-Shielding

Data leakage via search engines is an ever increasing problem.

14:30 - Dennis McCallam - Chief Security Architect - Northrop Grumman
Out with Traditional Authentication and Protection - In with New Data-Centric Security and Aggregated Authentication

Dennis will demonstrate a cost-effective data-centric enterprise approach using use cases that show the operational flexibility and significant advantages of this type of approach.

16:00 - Neil Costigan - Technical Advisor, BehavioSec - Peder Nordstrom - CTO, BehavioSec
Why Settle with Conventional Authentication when Behaviormetrics Go Beyond it?

Behaviormetrics monitors a user's session continuously to determine if that user is in fact the one associated with the credentials used for authentication.

There is a reception this evening and of course the exhibition hall is open all day. Should be a busy day.

Have a great morning, afternoon or evening as the case may be.



Hello everyone.  RSA Europe 2008 is just around the corner!  Some of us have been talking about setting up a Security Blogger/Security Catalyst/SecurityTwits meetup and have settled on a date, time and location.  We will be getting together on Tuesday the 28th at 8:00 PM.  The Novotel London Excel bar is the location.  The hotel is part of the Excel conference center, so should be easy to track down, but just in case, here's a map:

If you would like to join us or have a suggestion for a better location, please let me or Security4All know.  I can be contacted either by comments to this post or kriggins _at_ and Security4All can be contacted here.

Hope to see you there.

Update: I realized this morning that I was remiss in specifying who was paying for any food or drink you might have during this get together. Everybody will be responsible for their own tab for this event.

Update #2: Today's the day! As indicated above, we will be in the Upper Deck Bar in the Novotel hotel.  We are going to do our best to carve out a corner to the right of the bar near the river.  Please see the About page to see a picture of me which may help you in picking out our group 🙂



Headed to RSA Europe 2008

by kriggins on September 26, 2008

in Conferences

Cool news folks.  I am now an accredited press/analyst for RSA Europe 2008.  Even better, I'm going. Hotel reservations have been made and flights booked.  I am looking forward to attending.  This will be my first RSA and looking at the agenda, it appears that there will be plenty of interesting talks to sit in on.

More importantly though, I am looking forward to meeting and talking with other information security professionals.  I already know that several of the @SecurityTwits are going to be there.  Please drop me a note or leave a comment if you are going to be there.  I'm thinking a meetup might be in order if enough are interested.  If not, lunches and hallways are always available for meeting and greeting.

I look forward to hearing from you all.