virtualization

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. A few days ago I pointed out an article that discussed some issues with the default settings for UAC in Windows 7. This article shows that the criticism in the other article is well earned.
    Windows 7 vulnerable to 8 out of 10 viruses | Chester Wisniewski's Blog
    Tags: ( virus windows-7 )
  2. Interested in cross-subdomain cookie attacks? Check out the paper that mckt wrote. It is based on his presentation at Toorcon recently.
    Skeptikal.org: Cross-subdomain Cookie Attacks
    Tags: ( webappsec exploits )
  3. Thinking about virtualizing your databases? Make sure you are not doing so for any of the mythical reasons that Adriane addresses in this article.
    Securosis Blog | Myths Surrounding Databases in Virtual Environments
    Tags: ( virtualization database )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Exceptions, variances: these words are the bane of the information security professional. We all have to deal with them. Jarrod offers some thoughts on the topic. You will benefit from reading them.
    /dev/null - ramblings of an infosec professional: Security Exemptions
    Tags: ( policy )
  2. Ben shares his method for writing along with some thoughts on writing in general. It's a good read and I bet you can find some things in there that can be applied to your own writing.
    The Writing Funnel (The Falcon's View)
    Tags: ( general writing )
  3. A bit ago, a forensic contest was opened with the winner getting a free SANS course. That contest is now over. Here is the cool part: they took the finalists' answers and made a website out of them for the rest of us to learn from. Check it out.
    Network Forensics Puzzle Contest
    Tags: ( forensics contest answer )
  4. This boggles the mind. A judge has ordered that Google deactivate an account because the account holder received an email not intended for them. I seriously hope this gets challenged. Otherwise, we are in for a very rocky time.
    Judge Orders Gmail Account Deactivated After Bank Screws Up | Threat Level | Wired.com
    Tags: ( cloud privacy )
  5. Hoff has penned a post that, along with the attending comments, is something that you should read. Seriously, go read it.
    Incomplete Thought: Virtual Machines Are the Problem, Not the Solution... | Rational Survivability
    Tags: ( virtualization )
  6. Shrdlu offers some guidance on how to implement new policies. I have used this same method in the past.
    The policy bootstrapping problem.
    Tags: ( policy )
  7. Next month is Cyber Security Awareness month. The Internet Storm Center handler's diary will again be making deep dives into various security issues during the month. If you aren't a subscriber now, I suggest you rectify that lapse.
    Cyber Security Awareness Month
    Tags: ( awareness )
  8. Wade talks about the difference between Management Science methods of making decisions and engineering methods. He then asks the question "..how does your company make 'Should we do X, Y, or Z?' decisions?" (slightly paraphrased) He offers a few he has seen. Stop by and offer your input.
    Verizon Business Security Blog >> Blog Archive >> Security Decisions - How do you make them?
    Tags: ( risk-management )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Good afternoon everybody! Sorry for missing both Friday's and yesterday's bits posts. My Friday was spent working with Habitat for Humanity on a new home for a deserving family. It was a great experience and I heartily recommend it as time well spent. Yesterday was just too busy 🙂

Anyway, here are today's, and a few from this weekend, Interesting Information Security Bits from around the web.

  1. A new version of OffVis is available along with a training video.
    Security Research & Defense : OffVis updated, Office file format training video created
    Tags: ( tools microsoft office )
  2. Here is an interesting adaptation of "The Joel Test."
    Matasano Security LLC - Chargen - The Joel Test: 12 Steps To Better IT Management
    Tags: ( general )
  3. A great article from Russel. This one contains some tips for building an Information Security Risk Scorecard.
    12 Tips for Designing an InfoSec Risk Scorecard (its harder than it looks) << The New School of Information Security
    Tags: ( scorecard risk )
  4. This is a very interesting article about backups and virtualization strategies. A very important part of your strategy needs to be: how are you going to deal with backups?
    The Side Effects of Backup on Server Virtualization - Backup & Beyond
    Tags: ( virtualization backup )
  5. The latest version of the SANS Top Cyber Security Risks report is out.
    SANS: The Top Cyber Security Risks
    Tags: ( risks )
  6. Here is a nice article with some questions to ask when considering the implementation of an identity management solution. (Hat Tip: http://securityblog.typepad.com)
    12 questions to ask before implementing an identity management system -- Government Computer News
    Tags: ( identity-management )
  7. The Security Twits bus is off on another adventure as it gathers up a bunch of twits and heads to SecTor. Let Jack know if you want to be picked up 🙂
    Uncommon Sense Security: Security Twits Road Trip III, the SecTorBus
    Tags: ( conferences security-twits )
  8. Rsnake has a whole pile of HTTP headers for you to play with should you want to. I bet some interesting things can be found out.
    Half a Million HTTP Headers ha.ckers.org web application security lab
    Tags: ( data )
  9. An entirely virtual security conference is taking place on November 6th-8th. Very cool. What's even better is that all CFPs are being accepted.
    SecurityTubeCon - Democratizing Hacker Cons
    Tags: ( conference cfp securitytube )
  10. Want to set up some motion sensors to tweet activity? Ax0n shows us how.
    HiR Information Report: Gustav, the hackerspace twitter-bot
    Tags: ( hardware-hacking )
  11. SynJunkie took a short break from his CCNA studies (good posts in that series too) to give a post about using Fgdump, John the Ripper and Powershell together to do some nifty scripted password auditing.
    Syn: Password Auditing with Fgdump, John the Ripper & PowerShell
    Tags: ( passwords cracking )
  12. Russel has an interesting challenge for us. I know a few in academia that might enjoy this conversation.
    This Friday is "Take an Academic Friend to Work Day" << The New School of Information Security
    Tags: ( general )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. There were a couple of incidents with ATMs at the recent Defcon conference. See Chris's post about a warning from ENISA with some guidance on what to look for to keep safe.
    Dr. InfoSec: ENISA Warns of Alarming Increase in ATM Crime
    Tags: ( atm )
  2. This is very cool. An open source virtual switch. (Hat tip: @aneel)
    Open vSwitch
    Tags: ( virtualization switch )
  3. There is some good information about DirectAccess in this article.
    Understand the pros and cons of Microsoft Windows 7 DirectAccess
    Tags: ( directaccess windows-7 )
  4. Looks like there are still some issues with firewire and access to memory. Check out this post for more information.
    Windows 7 Firewire Attacks << Ramblings of the anal security guy
    Tags: ( firewire windows-7 )
  5. Chris has posted a nice list of podcasts that you should check out if you are looking for some new information security listening pleasure.
    Filling your ipod... << Ramblings of the anal security guy
    Tags: ( podcasts )
  6. The packet captures from Defcon 17 are now available via bittorrent.
    Diutinus Defense Techonologies Corp. / Home
    Tags: ( defcon ctf )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. You can download the raw anonymized survey results from the Project Quant survey.
    Raw Project Quant Survey Results
    Tags: ( patching )
  2. Want to hear about writing a security book? Andrew will be at SANS Network Security 2009 talking about that very thing.
    Andrew Hay >> Blog Archive >> Presenting at SANS Network Security 2009 - "So You Want to Write a Security Book, Eh?"
    Tags: ( writing books )
  3. Some thoughts on compliance in a virtualized environment.
    Five Ways To Meet Compliance In A Virtualized Environment - DarkReading
    Tags: ( virtualization )
  4. A couple things to check and do after you upgrade to Snow Leopard.
    Snow Leopard downgrades security and misses opportunity to improve | Chester Wisniewski's Blog
    Tags: ( apple macosx )
  5. In case you didn't know, there is going to be a blogger meetup at RSA Europe in October. 🙂
    RSA Conference - Security Bloggers Meet up 2009 - London | Security Active Blog
    Tags: ( meetup )
  6. This post strikes a particular chord with me as I have been thinking about this quite a bit lately. Most of us are operating under some pretty crushing workloads, but if we don't take time to manage our people, those workloads will just get even heavier.
    Security Ripcord >> Blog Archive >> Take Time To Manage
    Tags: ( management )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Good afternoon everybody! I hope your day is going well. Sorry for missing yesterday. I had a brutally busy day and then we had a power outage at home to boot.

Here are today's Interesting Information Security Bits from around the web.

  1. A new packet challenge is up at I Smell Packets.
    Packet Challenge - Name that Exploit << I Smell Packets
    Tags: ( challenge packet-capture )
  2. This is an interesting post with some thoughts that can be extended well beyond virtualization.
    View Yonder >> Free the Gladiators!
    Tags: ( virtualization )
  3. This time a peek at PHP and sessions.
    AppSec Street Fighter - SANS Institute >> Session Attacks and PHP
    Tags: ( session )
  4. Anton opines on the contents of the letter sent to the PCI council by the National Retail Federation and other retail associations.
    On "PCI Letter"
    Tags: ( pci letter )
  5. Mozilla has been at work to come up with a method of getting rid of XSS problems. They believe they have it with Content Security Policy.
    Shutting Down XSS with Content Security Policy at Mozilla Security Blog
    Tags: ( csp mozilla )
  6. Christofer has a nice couple of graphics that help describe cloud computing from a high level perspective.
    Rational Survivability >> Incomplete Thought - Cloudanatomy: Infrastructure, Metastructure & Infostructure
    Tags: ( cloud )
  7. The ISC diary points out some ways to protect your webserver from being DoSed by the tool released by Rsnake recently.
    Apache HTTP DoS tool mitigation
    Tags: ( apache dos )
  8. RSnake takes a look at detecting man-in-the-middle proxies.
    Detecting MITM/Hacking Proxies Via SSL ha.ckers.org web application security lab
    Tags: ( mitm )
  9. Lori offers some thoughts on IPv6 that you should also be thinking about.
    You are the new number 3ffe:1900:4545:3:200:f8ff:fe21:67cf
    Tags: ( ipv6 )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Mike Murray and Lee Kushner have a podcast series that each of us should be listening to.
    When Your Security Career Gets Hacked - Dark Dominion Blog - Dark Reading
    Tags: ( career )
  2. Both amusing and helpful.
    Job Interview: How To Nail An Interview (20 Tips)
    Tags: ( career interviewing )
  3. Go ahead, write those passwords down. Just not all of them. I like this idea as long as we are careful in picking the "pin" part, i.e. don't use your birthday 🙂
    Put Your Passwords on a Post-it - F-Secure Weblog : News from the Lab
    Tags: ( passwords )
  4. The annual FBI cryptography challenge is up. Go crack 'em up.
    FBI Annouces Annual Can-You-Crack-the-Code Challenge
    Tags: ( cryptography challenge )
  5. Christofer is talking about something he touched on at RSA and before, who manages the network in the virtually cloudy world, the server admins or the network admins or both?
    Rational Survivability >> Quick Bit: Virtual & Cloud Networking - Where It ISN'T Going...
    Tags: ( virtualization networking )
  6. Another PDF parsing vulnerability in BES. I believe a patch is now available.
    How to control a Blackberry Enterprise Server with just a PDF | Graham Cluley's blog
    Tags: ( pdf rim blackberry vulnerability )
  7. McAfee did a study to determine what the riskiest search terms are. This report is the result of that study. Note: Link goes to PDF (via: eWeek)
    The Web's Most Dangerous Search Terms
    Tags: ( malware search )
  8. This is a nice article on using ITIL to improve and strengthen your information security program.
    How ITIL Can Improve Information Security
    Tags: ( itil )
  9. An interesting exploration of an insider attack on California Water Service Company that occurred recently.
    Ascension Blog >> He did WHAT?!?!
    Tags: ( breach )
  10. L0phtcrack is back and raring to go.
    L0phtcrack 6 Site Is Live : Liquidmatrix Security Digest
    Tags: ( passwords tools l0phtcrack )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Looks like we may have some work to do to secure our IE installations.
    IE 7 and 8 Default Security Leaves Intranets At Risk - DarkReading
    Tags: ( ie )
  2. Congratulations to the guys at Liquidmatrix! 3000 posts and counting.
    Milestone Post 3000 For Liquidmatrix : Liquidmatrix Security Digest
    Tags: ( general )
  3. This is not good. Not good as in, very bad. If you allow virtual guests with different security characteristics to live on the same host, you might want to rethink that decision.
    VMware exploits - just how bad is it ? - isc
    Tags: ( exploits virtualization )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Christian walks us through how he sandboxed a Windows VM on an Ubuntu server. Good stuff if you ever want to test some bit of evilness.
    un-excogitate.org >> Blog Archiv >> Sandboxing a Windows VM on Ubuntu
    Tags: ( virtualization sandboxing )
  2. Test it yourself, but it looks like Nessus 4 is quite a bit faster than version 3.
    Tenable Network Security: Nessus 4 Performance Benchmarks
    Tags: ( nessus )
  3. Adam writes about outcomes vs. process or technology. I completely agree with him.
    Security is about outcomes, not about process << The New School of Information Security
    Tags: ( general )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Folks, please be careful what you put on your Facebook pages. Don't let something like this happen to you.
    Police: Facebook hacker gets student's nude photos
    Tags: ( privacy facebook )
  2. Some video of Dino Dai Zovi, Rich Mogull, Christofer Hoff being interviewed by Dennis Fisher on virtualization.
    Rational Survivability: Virtualization & Security: Disruptive Technologies - A Four Part Video Miniseries...
    Tags: ( virtualization )
  3. When to use the carrot and when to use the stick? Both good questions. Shrdlu has some advice for us.
    Carrot-sticks and security.
    Tags: ( enforcement )
  4. What happens when you need endpoint DLP on Windows, Mac and Linux all at once? The answer, nothing easy 😉
    Is There Any DLP or Data Security On Mac/Linux? | securosis.com
    Tags: ( dlp )
  5. This looks to be like a whole lot of fun. If you are close, it should go on your list of things to do.
    HiR Information Report: Cowtown Computer Congress Grand Opening [Kansas City]
    Tags: ( hackerspace )
  6. Erik has part 3 of his securing Linux series up.
    Art of Information Security >> Secure Your Linux Host - Part 3: Why A Host Firewall ?
    Tags: ( linux )
  7. A nice beginning to what looks to be an interesting series.
    ShackF00 >> BS Filtering for CISOs: An Introduction
    Tags: ( ciso )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin