pci

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Hoff points to an interesting project that addresses the distributed authentication issue in web based systems.
    MashSSL - An Excellent Idea You've Probably Never Heard Of... | Rational Survivability
    Tags: ( authentication ssl web )
  2. Get your Security Threat Report 2010 while it's hot!
    Sophos Security Threat Report 2010 | Graham Cluley's blog
    Tags: ( threats reports )
  3. Jennifer is involved in a few talks at Security BSides San Fran. Vote for her!
    Security Uncorked >> The Skinny on Security BSides San Francisco
    Tags: ( conferences bsides )
  4. The finalists for the Social Security Blogger Awards 2010 have been selected.
    The Ashimmy Blog: Envelope please, and the winners are . . .
    Tags: ( awards )
  5. Very cool. Encrypt your logs before sending them across the wire.
    Immutable Security >> Using OSSEC for Encrypted Log Transport
    Tags: ( logging encryption ossec )
  6. Similar to the Amazon EC2 experiment last year, this time it is done with Microsoft's Azure.
    Breaking Password Based Encryption with Azure - Gotham Digital Science
    Tags: ( passwords cracking cloud )
  7. Looks like status quo for the PCI DSS this year.
    Security.exe - Powered by The CISO Group >> Blog Archive >> No major changes to PCI DSS in 2010, but watch for chip and pin in the future
    Tags: ( pci )
  8. Graham points out something those who use twitter should be aware of. Lists as spamming tools.
    Twitter list spam
    Tags: ( lists )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. SynJunkie reminds us that it is best to not run as admin all the time and then offers some tips on how to elevate our privileges when we need to.
    Syn: Part-time Superman
    Tags: ( windows least-privilege )
  2. Mike Rothman has penned an article for fudsec that you owe it to yourself to go read. He calls out some fud and then gives us some actionable advice. Good stuff and, yes, I said "actionable." I'm sorry, it's the manager in me sneaking out 🙂
    Guerilla Security Leadership - fudsec.com
    Tags: ( general )
  3. The A6 (Automated Audit, Assertion, Assessment, and Assurance API) Working Group held their kick-off call recently. The recording is available.
    Recording & Playback of WebEx A6 Working Group Kick-Off Call from 1/8/2010 Available | Rational Survivability
    Tags: ( cloud a6 )
  4. Mark points out that bad things can happen if somebody who shouldn't be able to has the ability to delete computers in an Active Directory domain. Good thing he shows us how to fix it too.
    Gone in 60 Seconds
    Tags: ( active-directory )
  5. Didier gives a video tutorial on using the Adobe Reader JavaScript Blacklist Framework. Pretty nifty stuff.
    Adobe Reader JavaScript Blacklist Framework << Didier Stevens
    Tags: ( )
  6. Anton points out that PCI has components that are not just point-in-time issues, i.e. there are ongoing compliance checks and requirements.
    Anton Chuvakin Blog - "Security Warrior": How to Stay Compliant? or Ongoing Tasks in PCI DSS
    Tags: ( pci )
  7. Securosis has started a new feature called FireStarter. They will be tossing ideas out for the community to chew on. First up - Risk Management. Go check it out and offer up some FIRE!
    Securosis Blog | FireStarter: The Grand Unified Theory of Risk Management
    Tags: ( risk-management )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


To those in the U.S., welcome back to work unless, of course, you are reading this when it was posted 🙂

Here are some Interesting Information Security Bits from around the web.

  1. Sounds like Paul and I have the same pet peeve. If you are accepting credentials on a page, serve the whole page over SSL, not just the form submission part.
    Not just plain old http | Paul Ducklin's blog
    Tags: ( https integrity )
  2. Are you wondering what is a public network and what is not from a PCI perspective? If so, check out Branden's post.
    Branden Williams's Security Convergence Blog >> The Gobble-Gobble of Public Networks
    Tags: ( pci public )
  3. The call for papers for HITB 2010 Dubai is now open.
    The Professional Security Testers Warehouse for the CEH GPEN QISP Q/ISP OPST CPTS - Hack In The Box (HITB) Security Conference 2010 Dubai
    Tags: ( conferences cfp hack-in-the-box )
  4. Some interesting data about usernames and passwords used during brute force attacks. It was collected by Microsoft.
    Microsoft Malware Protection Center : Do and don'ts for p@$$w0rd$
    Tags: ( passwords )
  5. The Notacon videos are available now.
    The Professional Security Testers Warehouse for the CEH GPEN QISP Q/ISP OPST CPTS - Notacon 2009 video files are now online
    Tags: ( conferences notacon videos )
  6. Ever beat your head against the wall because you can't figure out why that stupid program keeps running every time you restart your computer? This fine list will help track down that pesky critter.
    Immutable Security >> Windows Startup Locations
    Tags: ( windows startup )
  7. This is very very cool. How about being able to ssh to your host on port 80, even when it has a fully functional Apache server running on the same port? Like I said, that is seriously cool.
    Creating Ghost Services with Single Packet Authorization
    Tags: ( access-control tools )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


It is Thanksgiving Day week in the U.S. and that means a couple of days off. I decided to tack on an extra day and won't be working tomorrow either. Yay! Five days off in a row.

Anywho, I will also be taking those days off from the Interesting Bits posts so this one will have to tide you over until Monday 🙂

Here are today's Interesting Information Security Bits from around the web.

  1. 10 things to think about not doing when on Facebook. This list will keep you safer.
    Errata Security: 10 Facebook Don'ts
    Tags: ( facebook )
  2. Is your iPhone infected with the Duh worm? Paul tells us how to clean it up.
    How to clean up the Duh iPhone worm | Paul Ducklin's blog
    Tags: ( iphone worm )
  3. Russel is looking for some collaborators on a research project he is working on. It looks to be very interesting. From his post: "The topic is the arms race between attackers and defenders from the perspective of innovation rates and "evolutionary success" - the Red Queen problem (running just to stand still). Here's a sample research question: "can bureaucracies (defenders) keep up with a decentralized black market (attackers)?", and similar." Read the rest of the post and drop him a line if you are interested.
    Information Security as an Evolutionary Arms Race - Research Collaborators Wanted << The New School of Information Security
    Tags: ( research )
  4. Shrdlu once again has penned an article that you should go read. Metrics are great, but they have to mean something.
    The meaning of metrics
    Tags: ( metrics risk )
  5. There is a 0-day out there for IE 6 and IE 7. Microsoft's recommendation in some cases is to upgrade to IE 8. Um, oops.
    Major IE8 flaw makes 'safe' sites unsafe
    Tags: ( ie vulnerabilities )
  6. An interesting post that explores a conundrum that some organizations face when trying to comply with PCI. What happens when some of what I do requires me to be out of compliance with PCI-DSS?
    Branden Williams's Security Convergence Blog >> Multi-Function Service Providers, What To Do?
    Tags: ( pci )
  7. From the post: "We have uploaded the audio recording of select talks from the Ohio Information Security Summit that took place October 29-30, 2009 in Cleveland, Ohio." Looks like some good stuff is available. Check out the post for the details.
    Security Justice >> Blog Archive >> Select Talks from ISS2009 Now Available for Download
    Tags: ( audio conferences talks )
  8. A new tool is available that shows some interesting things about the internet.
    Room362.com - Blog - SHODAN The Computer Search
    Tags: ( tools )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Here is a nice post talking about fuzzing with Burp.
    ClearNet Security : need to do a GET before POST, fuzzing with BURP and WebScarab
    Tags: ( webappsec fuzzing burp )
  2. I know it seems like I point out every FudSec.org post that happens and, actually, I do. It's because they are all great posts that have good thought generating material. Jayson attacks Cyberwar in this week's edition.
    Beware of Falling Turtles (Plus other things that shouldn't really frighten us) - fudsec.com
    Tags: ( fudsec cyberwar )
  3. This is a must read in my opinion. I have only read the executive summary and skimmed the assurance framework part so far, but they alone are worth the price of admission. I look forward to digging into the assessment portion soon.
    Cloud Computing Risk Assessment -- ENISA
    Tags: ( cloud risk-assessment )
  4. Craig has an interview with Giles Hogben up with some insight into the new Cloud Security Risk Assessment mentioned above.
    ENISA Cloud Security Risk Assessment: An Interview with Giles Hogben | Cloud Security
    Tags: ( cloud risk-assessment )
  5. Anton takes an interesting approach to why PCI is good.
    Anton Chuvakin Blog - "Security Warrior": Smart vs Stupid: But Not Why You Think So!
    Tags: ( pci )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


Wow, this has been a crazy busy week.

My apologies for not taking the time to get the daily bits posts out the door. However, don't despair. I have a bumper crop for you today because I have been keeping my eye on things.

Unfortunately you will have to do without my pithy (or so I'd like to believe) comments today. 🙂

Also, RSA Europe 2009, where I'll be speaking, is right around the corner along with some vacation time, so you will see fewer bits posts over the next couple weeks and they will probably be like this one. I will be back in full gear after the conference. I will blog when I can on what I see at RSA though.

Anywho, here are today's (this week's) Interesting Information Security Bits from around the web.

  1. Immutable Security >> Low and Slow SSH Brute Force Attacks
    Tags: ( ssh )
  2. Real World Stories: How Pen Tests Complement Vulnerability Scans << Core Security Technologies
    Tags: ( webappsec pentest )
  3. Visa Announces New Data Encryption Practices
    Tags: ( pci )
  4. 'What's wrong with Smelly Widgets?' - Packet Challenge << I Smell Packets
    Tags: ( challenge packet )
  5. The Professional Security Testers Warehouse for the CEH GPEN QISP Q/ISP OPST CPTS - FRHACK01 copy of presentations
    Tags: ( conference presentations )
  6. Avert Labs Paper: Inside the Password Stealing Business:the Who and How of Identity Theft | Hackers Center Blogs
    Tags: ( passwords )
  7. AVG Stepping Up Consumer Anti-Virus Offerings | Darknet - The Darkside
    Tags: ( anti-virus avg )
  8. Man banished from PayPal for showing how to hack PayPal * The Register
    Tags: ( paypal )
  9. Book Review: The Rootkit Arsenal << McGrew Security Blog
    Tags: ( books reviews )
  10. Jeremiah Grossman: All about Website Password Policies
    Tags: ( infosec passwords )
  11. Digital Soapbox - Preaching Security to the Digital Masses: Things I Learned at SecTor 2009
    Tags: ( conference toorcon recap )
  12. TaoSecurity: Technical Visibility Levels
    Tags: ( availability monitoring )
  13. SSL Still Mostly Misunderstood - DarkReading
    Tags: ( ssl )
  14. Anton Chuvakin Blog - "Security Warrior": Compliance != Security, Does Security = Compliance?
    Tags: ( compliance security )
  15. A Page from Singapore's Cybersecurity Playbook | Optimal Security: The Lumension Blog
    Tags: ( general )
  16. You Can't Always Be Proactive - Hacked Off - Dark Reading
    Tags: ( general )
  17. Security Uncorked >> Good, Bad and Ugly: On SecTor's Wall of Shame
    Tags: ( passwords wireless )
  18. CSS History Hack Used To Ban Torrent Users ha.ckers.org web application security lab
    Tags: ( css )
  19. Yahoo Best Jobs in America ranks infosec professional #8
    Tags: ( career )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


Hi everybody! I hope your day is going well. Sorry about missing the Bits post yesterday. I was presenting at the Nebraska CERT Conference and the day just got away from me.

Here are today's Interesting Information Security Bits from around the web.

  1. Rich shares some interesting information about the heartland breach.
    Securosis Blog | New Details, and Lessons, on Heartland Breach
    Tags: ( heartland )
  2. Graham has a survey up that asks some questions about encryption on smart devices and whether you are using it or not.
    Is your smartphone encrypted? | Graham Cluley's blog
    Tags: ( survey smartphone )
  3. Here is a nice calendar that is being set up to track security events. Not incidents, events like RSA, DefCon, BruCon, etc.
    /dev/random >> Security Events Calendar
    Tags: ( calendar )
  4. I haven't listened yet, but with Martin McKeay, Mike Rothman, Alex Hutton, Nick Selby and Josh Corman together about PCI, there has got to be some good stuff in there.
    Network Security Blog >> Ranting Roundtable on PCI
    Tags: ( pci )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. NSS Labs has published their third quarter Browser Security Test.
    Comparative Browser Security Testing - Phishing & Socially Engineered Malware - nsslabs.com
    Tags: ( browser )
  2. The Call for Speakers for RSA USA 2010 has been extended a week. Deadline is now August 21st.
    Call for Speakers
    Tags: ( rsa cfp )
  3. Brian talks about hype in the information security market.
    Hyper Security - fudsec.com
    Tags: ( fud )
  4. It has been talked about quite a bit over the last year or more. Can a cloud based solution be PCI compliant? Looks like the answer to that question has been given and by one of the larger cloud providers.
    Network Security Blog >> Cannot achieve PCI compliance with Amazon EC2/S3
    Tags: ( pci cloud )
  5. This is interesting. A botnet being controlled via Twitter.
    >> Twitter-based Botnet Command Channel * Security to the Core | Arbor Networks Security
    Tags: ( twitter botnet )
  6. Is your cell phone telling tales on you? Looks like the Palm Pre might be.
    Is Your Palm Pre Watching You? : Liquidmatrix Security Digest
    Tags: ( surveillance )
  7. Dave offers up a tutorial on encrypting your data backups on the cheap.
    IT Security Expert: Secure Encrypted Data Backup on a Budget Tutorial
    Tags: ( backup encryption )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. A very nice analysis of the current WordPress admin password reset issue. BTW - Go fix your installs.
    Digital Soapbox - Preaching Security to the Digital Masses: WordPress Bugs... A Disturbing Vulnerability
    Tags: ( wordpress )
  2. PCI v1.2.1 is official now. See inside for the details.
    Branden Williams' Security Convergence Blog: PCI DSS Goes v1.2.1
    Tags: ( pci )
  3. Looking for some pcap data sets to play with? Richard points to some recent ones published by West Point.
    TaoSecurity: 2009 CDX Data Sets Posted
    Tags: ( pcap )
  4. You really owe it to yourself to check out this post and attendant white paper. CSRF is some scary stuff.
    Neohaxor.org >> Blog Archive >> Dynamic Cross-Site Request Forgery (CSRF)
    Tags: ( csrf )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. MasterCard has published their fine schedule.
    MasterCard Becomes The First Card Brand To Publish PCI Fines | SecTechno
    Tags: ( pci fines )
  2. Nick's rant/opining that is worth a read.
    Showing The Oblomovs The Door - fudsec.com
    Tags: ( general )
  3. Check out Jack's "rantbuttal." His word, not mine, but I really like it 🙂
    Uncommon Sense Security: Smart people saying dumb stuff, again.
    Tags: ( testing )
  4. An interesting discussion of multi-tenancy.
    Rational Survivability >> There's A Difference Between Application/OS Multitenancy and Data(base) Multitenancy
    Tags: ( cloud )
  5. I saw Trey give a version of "Making Money the Blackhat Way" at Secure360 this year. This blog post talks about some interesting issues related to that.
    Jeremiah Grossman: Security Religions and Risk Windows
    Tags: ( general )
  6. Mike's response to Nick's post on Fudsec.
    Chaordic Mind >> Personal Responsibility in Information Security
    Tags: ( general )
  7. Details for the August Atlanta NAISG meeting are inside.
    NAISG - August Atlanta Meeting >> Andy ITGuy
    Tags: ( naisg atlanta )
  8. Here is a tutorial on lock picking for the beginner.
    Lock Picking 101 * View topic - Beginner's Lockpicking Exercise - by digital_blue
    Tags: ( lockpicking )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin
