Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Time to patch Firefox.
    Firefox 3.0.6 targets security issues | Security - CNET News
    Tags: ( vulnerability firefox patch )
  2. You might want to be careful what sites you go to when you are logged into the Twitter web interface. Also remember that if you clicked on 'remember me', you are logged in even if you don't have it open in a tab.
    Twitter Clickjacking Hack Released - DarkReading
    Tags: ( vulnerability clickjacking twitter )
  3. An interesting article with good points regarding the ability to disable UAC in Windows 7 and the fact that somebody has made a user-space program that does it automatically. Worth a gander.
    Both Sides on the Win7 UAC Problem
    Tags: ( windows-7 uac )
  4. If you're looking for an infosec job, the U.K. may be a good place to check. No idea on immigration and such, but it couldn't hurt to take a peek.
    Many computer security jobs are still available in UK >> Computer internet security
    Tags: ( jobs )
  5. The CFP of Black Hat is open. Get your pencils ready and your ideas flowing.
    Black Hat : Black Hat USA 2009 Call For Papers
    Tags: ( blackhat conferences cfp )
  6. Black Fist warns us to be careful of the numbers we see in reports on the cost of breached data. He doesn't say to dismiss them out of hand, but we are better off if we can come up with some figures specific to our own organizations.
    Black Fist Security: Risk analysis: Cost of breaches and rolling your own numbers
    Tags: ( risk management )
  7. A nice post by Kees. Don't forget that you need to plan on more than one level and to do so you need to keep informed.
    On Situational Awareness - Kees Leune Information Security Blog
    Tags: ( general )
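
On item 2, the Twitter clickjacking point depends on two things the post only hints at: the site can be loaded in a third-party frame, and the victim's login cookie is still sent with that frame load (which is why a persistent 'remember me' cookie matters even with no tab open). The following is an added check for those two conditions; it is not code from the original post, from Twitter or from the DarkReading article, and the header and cookie values in it are constructed. It evaluates today's protections (Content-Security-Policy frame-ancestors, X-Frame-Options, SameSite cookies), none of which the 2009 article could have assumed.

```python
"""Framing and cookie checks behind the Twitter clickjacking item.

Added example for this post; it is not code from the original post, from
Twitter or from the DarkReading article. Header and cookie values are
constructed to exercise the decision logic.
"""
from typing import Dict, Tuple


def framing_policy(headers: Dict[str, str], page_origin: str) -> Tuple[bool, str]:
    """Return (frameable_by_third_party, reason) for one HTTP response.

    Content-Security-Policy frame-ancestors is evaluated first because
    browsers that understand it ignore X-Frame-Options when both are present.
    Header names are matched case-insensitively.
    """
    lower = {k.lower(): v for k, v in headers.items()}

    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if not parts or parts[0].lower() != "frame-ancestors":
            continue
        sources = parts[1:]
        # An empty source list or 'none' blocks every ancestor.
        if not sources or sources == ["'none'"]:
            return False, "CSP frame-ancestors 'none'"
        own = {"'self'", page_origin.rstrip("/")}
        if all(s.rstrip("/") in own for s in sources):
            return False, "CSP frame-ancestors limited to own origin"
        return True, "CSP frame-ancestors allows other origins: " + " ".join(sources)

    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return False, "X-Frame-Options " + xfo
    if xfo:
        # ALLOW-FROM was never universally supported and other values are
        # not recognised; treat both as unprotected until verified in browsers.
        return True, "unreliable X-Frame-Options value: " + xfo
    return True, "no framing restriction; page can be embedded cross-origin"


def cookie_exposure(set_cookie: str) -> Tuple[bool, bool]:
    """Return (persistent, sent_cross_site) for one Set-Cookie header value.

    persistent: Max-Age or Expires present, so the login survives closing the
    browser (the 'remember me' case from the post).
    sent_cross_site: no SameSite=Lax/Strict, so the cookie still rides along
    when a third-party page embeds the site in an iframe. Missing SameSite is
    treated as the worst case because browser defaults differ.
    """
    attrs = {}
    for part in set_cookie.split(";")[1:]:
        name, _, value = part.strip().partition("=")
        attrs[name.lower()] = value.lower()
    persistent = "max-age" in attrs or "expires" in attrs
    sent_cross_site = attrs.get("samesite", "") not in ("lax", "strict")
    return persistent, sent_cross_site


def clickjackable(headers: Dict[str, str], set_cookie: str, page_origin: str) -> bool:
    """A UI-redress attack needs both: the page can be framed, and the
    victim's session cookie is sent with that cross-site frame load."""
    frameable, _ = framing_policy(headers, page_origin)
    _, cross_site = cookie_exposure(set_cookie)
    return frameable and cross_site


if __name__ == "__main__":
    # Constructed responses: a 2009-style unprotected session and a hardened one.
    weak_headers = {"Content-Type": "text/html"}
    weak_cookie = "auth_token=abc123; Path=/; Expires=Wed, 09 Jun 2021 10:18:14 GMT"
    hard_headers = {"X-Frame-Options": "DENY",
                    "Content-Security-Policy": "frame-ancestors 'none'"}
    hard_cookie = "auth_token=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"
    origin = "https://twitter.com"
    print("weak :", clickjackable(weak_headers, weak_cookie, origin), framing_policy(weak_headers, origin))
    print("hard :", clickjackable(hard_headers, hard_cookie, origin), framing_policy(hard_headers, origin))
```

Either half closes the hole on its own: a framing restriction stops the overlay, and a SameSite=Lax/Strict session cookie means the framed page loads logged out, which is the same protection the post gets by not ticking 'remember me'.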

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Via Bruce Schneier. Another one to add to the reading pile.
    Probing the Improbable: Methodological Challenges for Risks with Low Probabilities and High Stakes
    Tags: ( risk measuring )
  2. Part three of Rich and Alane's model for justifying data security to the business. Interesting reading.
    The Business Justification for Data Security: Risk Estimation | securosis.com
    Tags: ( risk management )
  3. Time to buy that shielded wallet or purse.
    Drive-By 'War Cloning' Attack Hacks Electronic Passports, Driver's Licenses - DarkReading
    Tags: ( rfid cloning )
  4. Playing with XSL injection. Looks like some interesting things can be done there.
    Acunetix Web Application Security Blog >> The hidden dangers of XSLTProcessor - Remote XSL injection
    Tags: ( injection xsl )
  5. I pointed out an article yesterday that talked about a common encryption standard being adopted by hard drive manufacturers. The flip side of that is mentioned in this article: data recovery and forensics could get much harder.
    New disk encryption standards could complicate data recovery
    Tags: ( forensics encryption data recovery harddrive )

That's it for today. Have fun!

Kevin

What have we got today? Well, super secret spy writing, justification for implementing security measures, being careful with publicly talking about your infrastructure, some PCI discussion, ENISA looking for some writers, and a nice article about making the web more secure.

  1. Super secret spy writing technique brought to us by Ax0n. Pretty nifty.
    HiR Information Report: "Secret" messages with Pilot Frixion
    Tags: ( general )
  2. Another way or framework for justifying implementation of security measures. They will be talking about it over the course of several blog posts and releasing the paper soon.
    The Business Justification For Data Security | securosis.com
    Tags: ( risk business justification )
  3. Tom makes a really good point. Be careful how much information you share about your infrastructure publicly. Particularly if you have some challenges to overcome.
    spylogic.net - Who's managing information security in your city?
    Tags: ( data gathering general )
  4. Michael puts forth his perspective on what PCI compliance really means. Then there is some interesting discussion in the comments. You should read it.
    Society of Payment Security Professionals - Compliance Demystified >> Blog Archive >> What PCI compliance really means
    Tags: ( pci )
  5. ENISA is looking for articles for the ENISA Quarterly Review. Topic preference: "Resilience and Security of Communication Networks"
    ENISA Call For Articles
    Tags: ( cfp enisa )
  6. Very nice article with some good ideas on how to better accomplish making the web more secure.
    Blog :: by Wade Woolwine >> Blog Archive >> RE: Alignment of Interests in Web Security
    Tags: ( general )

That's it for today. Have fun!

Kevin

Today's Bits has really big phone bills, blocking wi-fi signals, a new NIST publication about protecting PII, more storytelling by Synjunkie, generational differences and their impact on business's security, the winners of the latest Ethical Hacker challenge, HITB videos, and the Top 10 Hacking videos on YouTube.  Read on for details.

  1. Just like any networked device/system, make sure your phone systems are appropriately resistant to attack. Otherwise, you might be faced with some serious phone bills.
    Police investigate phone hacker spree : thewest.com.au
    Tags: ( pbx )
  2. This is interesting, but be careful. There may be laws that affect whether you can use this type of product.
    Techworld.com - New paint promises high-speed Wi-Fi shielding
    Tags: ( wireless blocking )
  3. Rebecca lets us know that NIST has a new publication ready for us, "Guide to Protecting the Confidentiality of Personally Identifiable Information." This should be a good read.
    New Guidelines for Safeguarding Personal Data - Realtime IT Compliance
    Tags: ( pii protection )
  4. Synjunkie has part 3 of his Newbie Hax0r storyline up.
    Syn: The Story of a Newbie Hax0r - Part 3. Lets Get Physical
    Tags: ( stories )
  5. This has been a topic I have been thinking about quite a bit as I get more involved in social networking. As indicated below, the generation just now entering the work force and the one right behind them communicate in a way that is completely different than any generation before them. We are going to have to learn how to accommodate this while maintaining security.
    IT Security's Next Big Threat: Young People - security trends/Vulnerabilities - DarkReading
    Tags: ( risk )
  6. The winners of the latest challenge at the Ethical Hacker Network are posted.
    The Ethical Hacker Network - Santa Claus is Hacking to Town - Answers and Winners
    Tags: ( challenge )
  7. Martin points out that the HITB Malaysia videos are available now.
    Network Security Blog >> HITB Videos available
    Tags: ( videos conferences hitb )
  8. Here ya go. Some hacking videos for your pleasure.
    Hat tip: http://www.stevegoodbarn.com
    Top 10 YouTube hacking videos | NetworkWorld.com Community
    Tags: ( videos hacking )

That's it for today. Have fun!

Kevin

Sorry for the late post folks. Been a busy, busy day. Below you'll find a post by RSnake begging for discussion, the EFF pushing for modification to the DMCA, a method to secure BGP, why how we communicate to our users is important, the final part of a risk assessment using FAIR, SQL firewalls, and the fact that BeanSec is next week. Have a great weekend.

  1. Crime and Punishment ha.ckers.org web application security lab
    Tags: ( general opinion )
  2. This would benefit everybody.
    EFF pushes for legal handset jail-breaks - vnunet.com
    Tags: ( cellphone drm )
  3. This will be a definite improvement. There have been several cases of BGP errors causing significant problems in the last year or so.
    U.S. plots major upgrade to Internet router security - Network World
    Tags: ( bgp bgpsec )
  4. David reminds us that how a message is delivered is just as important as why the message is delivered.
    The Power of Positive Rethinking : The Security Catalyst
    Tags: ( communication )
  5. Part 4 of Chris's latest FAIR assessment is posted.
    Risk Scenario - Hidden Field / Sensitive Information (Part 4 of 4) << Risktical Ramblings
    Tags: ( risk assessment fair )
  6. It was only a matter of time before we started seeing SQL firewalls. Not saying it's a bad thing.
    /dev/random >> Blog Archive >> Databases Protection with GreenSQL
    Tags: ( firewall sql )
  7. Beansec next week.
    Rational Survivability: BeanSec! Wednesday, January 21st, 2009 - 6PM to ?
    Tags: ( beansec meetings )
  8. Yes, indeed. I and others have said it more than once, compliance does not equal security.
    Network Security Blog >> "Security first" please!
    Tags: ( security pci )

That's it for today. Have fun!

Kevin

Today's Bits consists of more risk assessment talk, biometrics and passports, secure code by demand, compliance vs security, builders and breakers in software security, DEFCON CTF, how SSL works, PCI and security, a good way to quantify risk, and an argument that a one-pass data wipe is enough. Details below.

  1. Part 3 is up of Chris's assessment.
    Risk Scenario - Hidden Field / Sensitive Information (Part 3 of 4) << Risktical Ramblings
    Tags: ( risk assessment fair )
  2. Get ready to get your fingers inked when you apply for a passport in the E.U. (Okay, there are inkless methods now. Not nearly as much fun to write "scanned" though.)
    Biometric passports agreed to in EU - Network World
    Tags: ( privacy )
  3. Folks, it just isn't this easy. Unlike Picard, we can't just "make it so."
    New York drafts language demanding secure code
    Tags: ( general )
  4. Compliance does not equal security. Never has and never will. Good thoughts in here.
    Using The Compliance Stick Actually Weakens You | RiskAnalys.is
    Tags: ( risk compliance )
  5. An interesting argument, which I happen to agree with, by Jeremiah about the need for both builders and breakers when it comes to software security.
    Jeremiah Grossman: Builders, Breakers, and Malicious Hackers
    Tags: ( general opinion )
  6. Ever wanted to run a CTF? Defcon needs to talk to you. Be warned, we are talking about a granddaddy of a CTF.
    DEFCON 17 CTF Call for new Organizers! - Defcon Forums
    Tags: ( defcon ctf )
  7. A really nice basic introduction to how SSL works.
    Security Workshop: How HTTPS/SSL works Part 1 - Basics
    Tags: ( ssl )
  8. A nice post by Anton that I found via Alex over at riskanal.is. Repeat "Security First."
    Anton Chuvakin Blog - "Security Warrior": Tales From the "Compliance First!" World
    Tags: ( pci compliance )
  9. Adam has a great post up on the Security Catalyst blog. The KISS principle in action.
    The Breach-Stamp Metric : The Security Catalyst
    Tags: ( risk communication )
  10. A nice article with some hard data on the effectiveness of data retrieval off of a drive which has been effectively wiped. Effectively here meaning with only one pass.
    Overwriting Hard Drive Data << SANS Computer Forensics, Investigation, and Response
    Tags: ( data disposal )

That's it for today. Have fun!

Kevin

In today's crop of Bits we have more FAIR analysis, a couple articles about surveillance in the US, a patch for Win 7 Beta and other Microsoft products, a great visualization of application security relationships, virtualization security info and some helpful data recovery advice.

  1. Part 2 is up. The more I read about and see FAIR (Factor Analysis of Information Risk) in action, the more I like it.
    Risk Scenario - Hidden Field / Sensitive Information (Part 2 of 4) << Risktical Ramblings
    Tags: ( risk assessment fair )
  2. A new project over at the Electronic Frontier Foundation. Very interesting information.
    The SSD Project | EFF Surveillance Self-Defense Project
    Tags: ( privacy surveillance eff )
  3. This article contains links to some really interesting information. If you are concerned or curious about surveillance in the U.S., you should give it a gander.
    Report: U.S. Surveillance Society Running Rampant | Threat Level from Wired.com
    Tags: ( surveillance )
  4. The first patch is out for Windows 7 Beta. Be warned that it does not address the SMB issue, which does exist for Windows 7 Beta. Read the article for the details.
    Microsoft issues first Windows 7 beta patch
    Tags: ( vulnerability microsoft patches )
  5. Some good information about Microsoft's January patches.
    Inside the MSRC: Microsoft describes Server Message Block update
    Tags: ( vulnerability microsoft patches )
  6. I'm going to print this out and hang it on my wall. Great visualization of application security and how the different pieces relate and interact.
    Jeremiah Grossman: The World of Web Security
    Tags: ( appsec webappsec taxonomy )
  7. Continuing a series on virtualization security, Ryan points out some of the risks inherent in server virtualization.
    Virtualization Security Part 2 - PandaLabs
    Tags: ( virtualization )
  8. A nice post with some really good advice on being prepared for hard drives which are having problems.
    Data Recovery from Dead Drives | Forensics, Security, Auditing | Enclave Forensics
    Tags: ( data recovery )
  9. Another tool that builds a focused word list for brute force password attacks.
    The Associative Word List Generator (AWLG) - Create Related Wordlists for Password Cracking | Darknet - The Darkside
    Tags: ( password wordlists )

That's it for today. Have fun!

Kevin

Well, the start of a new week is here, along with a batch of interesting things to take a look at. Only blogs again this time.

360 Security, along with many other folks, points out that the Apple DNS Patch Fails To Randomize.
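
The 360 Security item is about whether the patched resolver actually randomizes its UDP source ports, which is the whole point of the post-Kaminsky fixes. What follows is an added example of how to judge that from a capture; it is not code from the original post, from 360 Security or from Apple. The port samples are constructed, and the thresholds (distinct ratio above 0.9, no sequential run longer than 3, span of at least 20000 ports) are assumptions chosen for illustration rather than published values.

```python
"""Offline check of DNS resolver source-port randomization.

Added example for this post; it is not code from the original post, from
360 Security or from Apple. The port samples are constructed. In practice the
ports come from a capture of the resolver's outbound queries (for example
tcpdump on 'udp and dst port 53') and the thresholds below are assumptions
chosen for illustration, not published values.
"""
import math
from collections import Counter
from typing import Dict, Iterable, Sequence


def port_stats(ports: Iterable[int]) -> Dict[str, float]:
    """Summarise a sequence of observed UDP source ports (capture order)."""
    seq = list(ports)
    n = len(seq)
    if n < 2:
        raise ValueError("need at least two samples")
    # Longest run in which each port is exactly the previous one plus one,
    # the signature of a resolver that hands out ports sequentially.
    run = best = 1
    for a, b in zip(seq, seq[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    counts = Counter(seq)
    # Shannon entropy of the sampled values in bits; at most log2(n) for n
    # distinct samples, and 0 when every query reuses one port.
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    return {
        "samples": n,
        "distinct_ratio": len(counts) / n,
        "longest_sequential_run": best,
        "span": max(seq) - min(seq) + 1,
        "entropy_bits": entropy,
    }


def looks_randomized(ports: Sequence[int], min_span: int = 20000, max_run: int = 3) -> bool:
    """Heuristic verdict: ports are mostly distinct, not handed out in
    sequence, and spread over a large part of the port range."""
    s = port_stats(ports)
    return (s["distinct_ratio"] > 0.9
            and s["longest_sequential_run"] <= max_run
            and s["span"] >= min_span)


# Constructed samples of 20 outbound queries each.
FIXED_SAMPLE = [32768] * 20                    # one port for every query (pre-patch behaviour)
SEQUENTIAL_SAMPLE = list(range(49152, 49172))  # incrementing ports; predictable to an attacker
RANDOM_SAMPLE = [5231, 61200, 17433, 42010, 2999, 33102, 58891, 12345, 50003, 21876,
                 64000, 8080, 39999, 27512, 45678, 1500, 60111, 19200, 36210, 53333]

if __name__ == "__main__":
    for name, sample in (("fixed", FIXED_SAMPLE), ("sequential", SEQUENTIAL_SAMPLE), ("random", RANDOM_SAMPLE)):
        print(name, looks_randomized(sample), port_stats(sample))
```

Twenty samples is enough to catch the two failure modes the article is about (a fixed port, or ports that simply increment) but not to certify a good generator; for that, collect a few thousand queries and look at the entropy figure, which should approach log2 of the sample count.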

Kurt Dobbins over at Arbor Networks has an interesting post up about the Myths and Realities of the Net Neutrality Debate. Good stuff in there.

Bruce Schneier brings to our attention that the U.S. government has published its policy regarding Seizing Laptops at Borders. Basically, we take it when we want to and you don't have any say in the matter.

Nifty post up at Neohapsis talking about exploiting hardware vulnerabilities in the Intel CPU. Neat stuff. Kris Kaspersky's talk "Remote Code Execution Through Intel CPU Bugs" to be given at Hack in the Box was the impetus.

Wesley has created his first Metasploit module. It is a nifty tool. You should go take a look if you are interested in pen testing.

CG points to a paper and demo for DHCP script injection. Lots of fun to be had there.

Ha.ckers.org has a nice little bookmarklet that makes it easy to use MSN IP Search to find domains on the same IP address as the web page you are reading.

Chris Hayes continues his discussion of risk in response to Shrdlu's comments on a previous post. Good stuff.

Finally, Gary Warner points us to another story about an insider selling PII.

I will be leaving for Vegas on Thursday so there will be light posting here until next week.

Kevin
