metrics

Interesting Information Security Bits for 11/24/2009

by kriggins on November 24, 2009

in Interesting Bits

It is Thanksgiving Day week in the U.S. and that means a couple of days off. I decided to tack on an extra day and won't be working tomorrow either. Yay! Five days off in a row.

Anywho, I will also be taking those days off from the Interesting Bits posts so this one will have to tide you over until Monday 🙂

Here are today's Interesting Information Security Bits from around the web.

  1. 10 things to think about not doing when on Facebook. This list will keep you safer.
    Errata Security: 10 Facebook Don'ts
    Tags: ( facebook )
  2. Is your iPhone infected with the Duh worm? Paul tells us how to clean it up.
    How to clean up the Duh iPhone worm | Paul Ducklin's blog
    Tags: ( iphone worm )
  3. Russel is looking for some collaborators on an research project he is working on. It looks to be very interesting. From his post: "The topic is the arms race between attackers and defenders from the perspective of innovation rates and "evolutionary success" - the Red Queen problem (running just to stand still). Here's a sample research question: "can bureaucracies (defenders) keep up with a decentralized black market (attackers)?", and similar." Read the rest of the post and drop him a line if you are interested.
    Information Security as an Evolutionary Arms Race - Research Collaborators Wanted << The New School of Information Security
    Tags: ( research )
  4. Shrdlu once again has penned an article that you should go read. Metrics are great, but they have to mean something.
    The meaning of metrics
    Tags: ( metrics risk )
  5. There is 0-day out there for IE 6 and IE 7. Microsoft's recommendation in some cases is to upgrade to IE 8. Um, oops.
    Major IE8 flaw makes 'safe' sites unsafe
    Tags: ( ie vulnerabilities )
  6. An interesting post that explores a conundrum that some organizations face when trying to comply with PCI. What happens when some of what I do requires me to be out of compliance with PCI-DSS?
    Branden Williams's Security Convergence Blog >> Multi-Function Service Providers, What To Do?
    Tags: ( pci )
  7. From the post: "We have uploaded the audio recording of select talks from the Ohio Information Security Summit that took place October 29-30, 2009 in Cleveland, Ohio." Looks like some good stuff is available. Check out the post for the details.
    Security Justice >> Blog Archive >> Select Talks from ISS2009 Now Available for Download
    Tags: ( audo conferences talks )
  8. A new tool is available that shows some interesting things about the internet.
    Room362.com - Blog - SHODAN The Computer Search
    Tags: ( tools )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

{ 0 comments }

Interesting Information Security Bits for 11/17/2009

by kriggins on November 17, 2009

in Interesting Bits

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Leave it to David to be able to use canning and mason jars as an analogy for security and secure coding. Very nice post. Go read it.
    Reusable Code: The Mason Jars of Security | threatpost
    Tags: ( programming general )
  2. Yes, we are the unsung heroes. BTW - you have to read this if for no other reason that the Y2K reference towards the end.
    Securosis Blog | Why Successful Risk Management is Still a Failure
    Tags: ( general risk-management )
  3. I love a good walk-through and Paul provides us one that shows a step-by-step how-to on reversing some Javascript shellcode. Good stuff!
    Paul Melson's Blog: Reversing JavaScript Shellcode: A Step By Step How-To
    Tags: ( reverse-engineering javascript shellcode )
  4. The Offensive Security Exploit archive is alive and kicking. It picks up where Milw0rm left off. Go check it out.
    Offensive Security Exploit Archive Goes live | Security Active Blog
    Tags: ( exploits milw0rm )
  5. This looks to be an interesting series. Adam will be exploring ways to help information security professionals build useful and productive relationships within their enterprises.
    Adam Cardinal: Building Relationships - Internal Audit Team - IANS Perspective
    Tags: ( general )
  6. Woot! Metasploit 3.3 is out. I am hearing good things about this. Go check it out.
    Metasploit: Metasploit Framework 3.3 Released!
    Tags: ( metasploit webappsec pentesting )
  7. Here is a quick how-to describing a method to decompile flash files.
    Carnal0wnage Blog: Decompiling Flash Files with SWFScan
    Tags: ( flash decompile webappsec )
  8. An interesting article that explores some real-life cross subdomain exploits.
    Real-Life Examples of Cross-Subdomain Issues | Social Hacking
    Tags: ( cross-subdomain webappsec )
  9. This is going to be a very cool project. Get involved.
    Securosis Blog | An Open Metrics Model for Database Security: Project Quant for Databases
    Tags: ( metrics databases )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

{ 0 comments }

Interesting Information Security Bits for 10/26/2009

by kriggins on October 26, 2009

in Interesting Bits

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Here is some interesting data. I haven't run through it completely yet, but it takes the results of a bunch of scans and then does some mapping against PCI DSS. Fun with numbers 🙂
    Web Application Security Consortium (WASC) 2008 Statistics Published | Darknet - The Darkside
    Tags: ( metrics webappsec )
  2. This article discusses the decision to ship Windows 7 with a default UAC setting of medium-high.
    Windows 7's security 'time bomb' | The Last Watchdog
    Tags: ( windows-7 uac )
  3. An interesting post by Chris on risk/threat vs risk issue. When does a risk or threat become a risk issue for your organization?
    Risk / Threat vs. Risk Issue << Risktical Ramblings
    Tags: ( risk )
  4. Paul offers a couple thoughts on social networking and data leakage.
    Social networking in the antipodean spotlight | Paul Ducklin's blog
    Tags: ( social-engineering data-leakage )
  5. SynJunkie has another story based post up. This time about the dangers of dual-homing, specifically with a wired connection and a wireless one.
    Syn: Bobs Double Penetration Adventure - Part 1
    Tags: ( pentest )
  6. The Whitehouse has moved their website from an internally developed CMS to Drupal. Rsnake offers up some thoughts on why this might be both good and bad.
    Whitehouse Drupal and The Open Source Security Model ha.ckers.org web application security lab
    Tags: ( drupal cms whitehouse )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

{ 0 comments }

Interesting Information Security Bits for 05/22/2009

by kriggins on May 22, 2009

in Interesting Bits

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Some interesting documents have been published recently. This article points out a couple of them. Both have been added to my reading pile.
    Techworld.com - Risk assessment guides launched
    Tags: ( risk-management metrics )
  2. Jack offers some alternatives to saying "No." Very good ideas and we (not the royal we) should use them.
    Uncommon Sense Security: Don't say "No"
    Tags: ( communication )
  3. Want to know more about Johnny Long. Here you go.
    Sunbelt Blog: Johnny Long's story
    Tags: ( hackersforcharity )
  4. Chris works through an interesting exercise in quantifying loss. He then offers some thoughts on communicating loss. I need to read it again, but it strikes me as very useful. For those FAIR fans out there, it is very applicable to using FAIR.
    The Risk Is Right. << Risktical Ramblings
    Tags: ( risk-management )
  5. Lori has once again nailed it.
    The IT Security Flowchart
    Tags: ( general )
  6. This breaks things down very succinctly. As Rich says, that doesn't mean it's easy.
    Securosis Blog | The Pragmatic Data (Information-Centric) Security Cycle
    Tags: ( security-lifecycle )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

{ 0 comments }

Interesting Information Security Bits for 05/13/2009

by kriggins on May 13, 2009

in Interesting Bits

Good evening again. I just returned from Secure360 where I had a great deal of fun meeting and talking with people. I also gave my first conference talk today and that was also a lot of fun.

Here are today's Interesting Information Security Bits from around the web.

  1. Michael points out some more pre-configured targets for you to practice your pen testing skills on.
    lampsecurity hosting vulnerable vm images to attack (terminal23)
    Tags: ( education pentesting )
  2. I love this. Very simple, but very profound.
    Securosis Blog | The Data Breach Triangle
    Tags: ( data-leakage )
  3. Rich is looking for a little help in reviewing some survey questions related to Project Quant.
    Securosis Blog | Project Quant: Draft Survey Questions
    Tags: ( quantitative metrics )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

{ 0 comments }

Interesting Information Security Bits for 03/09/2009

by kriggins on March 9, 2009

in Interesting Bits

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. A nifty series on dumping passwords from the memory of a system.
    Dumping Memory to extract Password Hashes Part 1 | Attack Research
    Tags: ( passwords )
  2. Part 2.
    Dumping Memory to extract Password Hashes Part 2 | Attack Research
    Tags: ( passwords )
  3. An interesting article with some interesting conversation in the comments. I tend to agree that IDS outside the firewall isn't really buying us much except for in very specific cases like one presented in the comments.
    Why is your IDS outside your Firewall?
    Tags: ( ids )
  4. More good reading on implementing a change management program.
    Black Fist Security: Change Management part 2
    Tags: ( change-management )
  5. Like the old adage says, "Lie, D*mn lies, and statistics." 🙂 Not really. Just make sure the statistics/metrics you are presenting make sense and the comparisons you are making are accurate.
    Beware the Security Metric
    Tags: ( metrics )
  6. Some good thoughts on things to consider when outsourcing.
    Security Manager's Journal: Geography is a small detail in security world
    Tags: ( outsourcing )
  7. A nifty walk-through on reverse engineering an iPhone app.
    Reverse Engineering iPhone AppStore Binaries
    Tags: ( iphone reverse-engineering )
  8. Looks like Conficker is upping the ante.
    Conficker gets upgraded with defenses * The Register
    Tags: ( malware )
  9. Oh boy, new toys. HD Moore has released a new toy that let's you perform war dialing using VOIP. Shiny!
    Metasploit's HD Moore releases 'war dialing' tools | Zero Day | ZDNet.com
    Tags: ( tools pentest wardialing )
  10. This is the second of two articles on the perils of metadata. This part offers some tips on reducing data leakage due to metadata.
    Tech Insight: How To Prevent Dangerous Leaks From Your Metadata - DarkReading
    Tags: ( metadata )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

{ 0 comments }