Spliced feed for Security Bloggers Network |
[Chinese] New PCI-DSS requirements [Telecom,Security & P2P] Posted: 04 May 2008 01:39 AM CDT Not long ago the PCI Council published two new clarifications of its security requirements: one on penetration testing (requirement 11.3) and one on web application security (requirement 6.6). McAfee's official blog discusses both in more detail. On penetration testing, PCI does not require that any particular staff or vendor perform the scanning or testing; internal staff or any other qualified resource may do it, at least once a year. In scope, every information system with network connectivity to cardholder data falls within the test boundary. On web application security, effective 30 June, two options are offered. The first is web application code review, which is further divided into four approaches; they are: * Manual review of application source code. This requirement ties in with the enterprise's own software development life cycle (SDLC) management. The second is an application-layer firewall. The requirement makes clear that this is not only about selecting and installing a product; the architecture, policy configuration, and ongoing management and maintenance matter more. The individual requirement documents can be downloaded here. |
Spam is now 30. [NP-Incomplete] Posted: 04 May 2008 01:17 AM CDT |
Posted: 03 May 2008 11:24 PM CDT As you probably know, Microsoft has officially withdrawn its offer for Yahoo. I had a look at the letter Steve Ballmer sent to Jerry Yang officially withdrawing the offer and giving his reasons why. Must say that it is rare that a document like this is made public. I must also say that if I were a Yahoo shareholder, it would be a key piece of evidence when I sued Jerry Yang and the rest of the Yahoo board and management for not accepting Microsoft's generous offer. What I found particularly disturbing (as did Ballmer and Microsoft, evidently) was Yahoo's threat to basically outsource its search advertising to Google if Microsoft pursued a proxy-fight takeover. Talk about cutting off your nose to spite your face! That would be suicidal for Yahoo, but it just goes to show you that Yang and gang had a no-Microsoft-at-any-cost strategy. With the passage of time I think this will be looked on as a terrible mistake by Yahoo, and at some point in the next 24 to 36 months they are going to be acquired for a lot less money. They cannot compete with Google alone; they have not executed well for years, and this will force Microsoft to do something else to become more competitive in search. |
Iron Man was just not very magnetic to me [StillSecure, After All These Years] Posted: 03 May 2008 10:48 PM CDT Took the kids to see Iron Man tonight with our cousins Jeri and Danny. I generally like Robert Downey, Jr. and he acted very hard in this movie. However, I just didn't get the story. I remember watching Iron Man cartoons when I was little and reading the comic books; there was some special thing about Iron Man's blood, the way I remember it, that gave him super hero powers. In the movie incarnation, Tony Stark is the son of a weapons designer and a brilliant weapons designer himself. However, he has some serious character flaws. He is kidnapped by some sort of Middle Eastern terrorists and takes some shrapnel in his chest. A doctor attaches an electromagnet powered by a car battery to his chest to keep the shrapnel from going into his heart. Downey then designs some sort of mini power source to power the electromagnet. He uses the power source to power a metal suit he builds (long story) and escapes from the terrorists. From there the movie is fairly predictable and frankly, in my opinion, not very good. I didn't understand how he got the superpower; it was just a powered suit, and how it worked was pretty silly. The ultimate thumbs up or down for me was that both of my sons fell asleep in the movie theater. The good news is that this is the start of the summer movie season. I am really looking forward to Indiana Jones, and the kids want to see Speed Racer! |
[Chinese] Lenovo may acquire Fujitsu to regain third place in the global PC market (repost) [Telecom,Security & P2P] Posted: 03 May 2008 09:52 PM CDT Recently I have seen the news about Lenovo acquiring Fujitsu Siemens come up again. In news from around 2004 Lenovo denied the rumour and concentrated on digesting IBM PCD. Three years on, Lenovo has successfully integrated and absorbed the IBM PCD business, and its global business shows a gratifying pattern of healthy, rapid growth. I wonder what Chairman Yang's remarks this time mean, and how this will develop. The CCW news article below is reposted; this does not mean I agree or disagree with any view in it. Lenovo may acquire Fujitsu to regain third place in the global PC market. Yang Yuanqing said today in a television interview with Bloomberg: "We are not satisfied with our current market share and global ranking. I think the industry will see further consolidation, and we hope to seize the opportunity to make acquisitions." Lenovo acquired IBM's personal computer division in 2005. Because Acer acquired Packard Bell BV, Lenovo's European expansion plan suffered a setback last year. Joseph Ho, an analyst at Daiwa Institute of Research, said PC makers such as Fujitsu Siemens Computers could become acquisition targets for Lenovo. Joseph Ho said: "Given Lenovo's strong financial position, wanting to make an acquisition makes a lot of sense. The question is the target and the price." The analyst rates Lenovo's shares "outperform". According to Lenovo's latest figures, as of 31 December last year Lenovo held cash and equivalents totalling US$2.2 billion. More than half of Lenovo's sales come from Asian markets. Three years ago Lenovo became the world's third-largest PC maker at a stroke by acquiring IBM's PC division for US$1.25 billion. After that acquisition Lenovo moved its headquarters to Raleigh, North Carolina, USA. But because its Taiwanese rival Acer acquired Packard Bell, Lenovo lost its position as the world's third-largest PC vendor in the second half of 2007. Yang Yuanqing ruled out acquiring Acer and declined to disclose details of acquisition targets. The media were unable to obtain comment on the matter from Ralf Lanzrath, spokesman for Fujitsu Siemens, which is headquartered in Maarssen, the Netherlands. Market capitalisation: according to Bloomberg figures, at the 30 April closing price Lenovo's market value was HK$55.3 billion (about US$7.1 billion), roughly 6% of that of Hewlett-Packard, the largest PC vendor. Acer's market value is NT$158.8 billion (about US$5.2 billion). Lenovo's share price has doubled since it acquired IBM's PC division, ahead of the 38% gain in the MSCI AC Asia Pacific Information Technology index. According to data from a market research firm dated 16 April, thanks to strong demand in Asia Lenovo's first-quarter PC shipments grew 21% year on year. But that was lower than its rival Acer, whose first-quarter shipment growth of 66% was the highest among the top four PC vendors. Lenovo is also fighting in the Chinese market to stop losing share to rivals such as HP and Dell, which are expanding their sales channels there. Low prices: US PC vendors such as HP and Dell are launching low-priced PCs in China, which pushed Lenovo's Chinese market share down last year to 29% from 36% the year before. In an interview in Beijing on 25 April, Yang Yuanqing said Lenovo would not adopt such a strategy to expand into markets outside China. Yang said: "Because of our Chinese background it is easy to be seen as a maker of low-priced, low-quality products. We want to be recognised as a company with innovative, high-quality products; if we pushed hard into the low-end PC market now, it would damage our image." Charles Guo, a JPMorgan analyst in Hong Kong, believes that for companies such as HP and Dell that are seeking a larger share of the Chinese market, local Chinese PC makers such as Founder and Tsinghua Tongfang could become acquisition targets. Charles Guo said: "Acquiring Chinese competitors such as Founder and Tsinghua Tongfang would give the acquirer a decent share of the Chinese market; Lenovo is certainly worried about that." The media were unable to obtain a response from Founder or Tsinghua Tongfang. Greater China market: Charles Guo said Lenovo's revenue from the Greater China region, including Taiwan and Hong Kong, will rise this year even as its revenue growth in Europe and the US slows. In the first quarter China's economy grew 10.6%, urban residents' incomes grew 11.5%, and rural residents' incomes grew 18.5%. In January this year Lenovo gained the right to begin offering its own IdeaPad PC products in 14 markets including the US, Australia and Russia. Yang Yuanqing said: "The most important thing is raising our market share; that is more important than making money." (NetEase Tech) |
Website Security Strategies that work [Security4all] [Belgian Security Blognetwork] Posted: 03 May 2008 08:49 PM CDT |
The Dirty Secrets Of The Security Industry [Security4all] [Belgian Security Blognetwork] Posted: 03 May 2008 08:19 PM CDT |
Shimel's in Der Himmel & Stiennon's A Mean-Un...NAC Dust-Up Part Deux. [Rational Survivability] Posted: 03 May 2008 06:26 PM CDT Nothing to see here folks. Move along... This is like a bad episode of "Groundhog Day" meets "Back To the Future." You know, when you wake every day to the same daymare where one person's touting that features like NAC are the next flux capacitor while another compares its utility to that of sandpaper in the toilet roll dispensers in a truck stop restroom? I know Internet blog debates like this get me more excited than having my nipples connected to jumper cables and being waterboarded whilst simultaneously shocked with 1.21 Jigawatts... Alan Shimel's post ("Stiennon says NAC is dead - I must be in heaven!") in response to Stiennon's entry ("Don't even bother investing in Network Admission Control") is hysterical. Why? Because it's the exact arguments (here and here) they had back in August 2007 when I refereed (see below) the squabble the first time around and demonstrated convincingly how they were both right and both wrong. The silly little squabble -- like most things -- is all a matter of perspective. I'd suggest that if you want a quick summary of the arguments without having to play blog pong, you can just read my summary from last year, as none of their arguments have changed. /Hoff P.S. The German word "himmel" translates to "heaven" (and sky) in English...funny given Shimmy's post title, methinks... |
Asset Focused, Not Auditor Focused [Rational Survivability] Posted: 03 May 2008 06:25 PM CDT Gunnar Peterson wrote a great piece the other day on the latest productization craze in InfoSec - GRC (Governance, Risk Management and Compliance) wherein he asks "GRC - To Be or To Do?" I don't really recall when or from whence GRC sprung up as an allegedly legitimate offering, but to me it seems like a fashionably over-sized rug under which the existing failures of companies to effectively execute on the individual G, R, and C initiatives are conveniently being swept. I suppose the logic goes something like this: "If you cant effectively govern, manage risk or measure compliance it must be because what you're doing is fragmented and siloed. What you need is a product/framework/methodology that takes potentially digestible deliverables and perspectives and "evolves" them into a behemoth suite instead?" I do not dispute that throughout most enterprises, the definitions, approaches and processes in managing each function are largely siloed and fragmented and I see the attractiveness of integrating and standardizing them, but I am unconvinced that re-badging a control and policy framework collection constitutes a radical new approach. GRC appears to be a way to sell more products and services under a fancy new name to address problems rather than evaluate and potentially change the way in which we solve them. Look at who's pushing this: large software companies and consultants as well as analysts looking to pin their research to something more meaningful. From a first blush, GRC isn't really about governance or managing risk. It's audit-driven compliance all tarted up. Gunnar said:
Instead of Risk Management helping to deliver transparent Governance and as a natural by-product demonstrate compliance as a function of the former, the model's up-ended with compliance driving the inputs and being mislabeled. As I think about it, I'm not sure GRC would be something a typical InfoSec function would purchase or use unless forced which is part of the problem. I see internal audit driving the adoption which given today's pressures (especially in public companies) would first start in establishing gaps against regulatory compliance. If the InfoSec function is considering an approach that drives protecting the things that matter most and managing risk to an acceptable level and one that is not compliance-driven but rather built upon a business and asset-driven approach, rather than make a left turn Gunnar suggested:
For obvious reasons, I am compelled to say "me, too." I would really like to talk to someone in a large enterprise who is using one of these GRC suites -- I don't really care which department you're from. I just want to examine my assertions and compare them against my efforts and understanding. /Hoff |
The Five Laws Of Virtualization - Not Immutable Any More? [Rational Survivability] Posted: 03 May 2008 06:24 PM CDT I've commented a couple of times about the confusingly contradictory nature of
I'm not sure I really ever got an answer to what those "...standard risk principles" are and as such, there seems to exist a variability based upon interpretation that again makes me scratch my head when staring at the word "immutable." So I try and overlook the word (as did the author/editor in the title of the Baseline magazine article below -- it was omitted) and I find myself back where I started which sort of makes sense given the somewhat reflexive and corollary nature of these "laws." This is where I get stuck. I don't know whether to interpret each law as though it can stand on its own or the group as a whole. Basically, I have a hard time seeing how they enable making more effective risk management decisions any easier. I will admit, it could just be me... Further, I've noticed the very careful choice of words used in these laws, and interestingly they don't appear to be consistently referenced which would defeat the purpose of calling them "immutable," no? Take for example the original wording of the five laws from Burton's original minting and compare it against an article appearing in Baseline magazine from the same author(s) -- Lindstrom in this case:
Baseline Magazine Article Example:
This example may seem subtle and unimportant, but I maintain it is not. I suggest that they mean very different things indeed. I mean, if these are "laws," they're not something you get to reword at a whim. I trust I don't have to explain why. One could have lots of fun with the Constitution if that were the case. ;) There are additional differences scattered throughout the two articles. See if they appeal differently to you as they did to me. Now, I'm sure Pete's going to suggest I'm picking nits and that I'm missing the spirit and intent of these "laws," but before he does, I'm going to remind him that I didn't come up with the title, he did. I'm merely stuck on trying to assess whether these are actually "immutable" or "refutable" but I am admittedly still having trouble getting past step #1. Help a brother out. Explain these to me to where they make sense. Pete tried and it didn't stick. Maybe you can help? /Hoff |
Posted: 03 May 2008 04:30 PM CDT May is a bit slower with only 7 different events going. Here is a list of information security events in May:
Out of the seven events, I will be attending IEEE W2SP and Hacker Halted. This will be my first time in Myrtle Beach; does anyone have suggestions on things to do out there? Other than golf. For more upcoming information security events, check out our calendar page. |
What a Dud: Dani's Duds [The Falcon's View] Posted: 03 May 2008 04:10 PM CDT |
Posted: 03 May 2008 12:04 PM CDT Forget "Security Theater." The "Security Circus" is in town... I wrote this some time ago and decided that I didn't like the tone, as it just came out as another whiny complaint against the "man." I'm in a funny mood, as I hit a threshold yesterday with all the so-called experts coming out of the woodwork lately, so I figured I'd post it because it made me chortle. They Shoot Horses, Don't They? To answer what seems to be a question increasing in frequency due to the surge in my blog's readership lately, as well as being cycled through the gossip mill, I did not change the name of my blog from "Rational Security" to "Rational Survivability" due to IBM's Val Rahmani's charming One might suggest that Val's use of the mythological reference to Sisyphus wasn't as entertaining as Noonan's "security as the width of two horses' asses" keynote from a couple of years ago, but her punchline served to illustrate the sad state of Information Security, even if it also made me want to shoot myself. Val's shocking admission was that IBM was "...exiting the security business," that "...information security was dead," and that we should all celebrate by chanting "...long live [information] sustainability!" This caused those of us here at Rational Survivability HQ to bow our heads in a moment of silence for the passing of yet another topical meme and catchphrase that has now been "legitimized" by industry and thus must be put out of its misery and never used again. Yeah, you might argue that "sustainability" is more business-focused and less military-sounding than "survivability," but it's really about the same concepts. I'm not going to dissect her speech because that's been done. I have said most of what I have to say on this concept in my posts on Information Survivability and honestly, I think they are as relevant as ever. You can read the first one here and follow on with some more, here.
For those of you who weren't around when it happened, I changed the name of my blog over six months ago to illustrate what is akin to the security industry's equivalent of an introduction at an AA meeting and was so perfectly illustrated by Val's fireside chat. You know the scene. It's where an alcoholic stands up and admits his or her weaknesses for a vice amongst an audience of current and "former" addicts. Hoping for a collective understanding of one's failure and declaring the observed days of committed sobriety to date, the goal is to convince oneself and those around you that the counter's been reset and you've really changed. Despite the possibility of relapse at any moment, the declaration of intent -- the will to live sober -- is all one needs. That and a damned good sponsor. And now for something completely different! That was a bloody depressing analogy, wasn't it? Since this was supposed to be a happy occasion, I found myself challenged to divine an even worse analogy for your viewing pleasure. Here goes. That's right. I'm going to violate the Prime Directive and go right with the patented Analog Of Barnum & Bailey's Circus:
See, I told you it was awful. But you know what's much worse than my shitty little clown analogy? Reality. Come one, come all. Let Me Guess Your Weight! So in today's time of crappy economics when money is hard to come by, it's now as consumers that we start to pay attention to these practices -- this circus. It's now that we start to demand that these alleged predatory vendors actually solve our business problems and attend to our issues rather than simply recycle the packaging. So when life hands vendors a lemon, they make marketingade, charge us $4.50 a pop and we still drink it. Along those lines, many mainstream players have now begun to work their marketing sideshows by pitching the supposedly novel themes of sustainability, survivability, or information centricity. It's a surreptitiously repentant admission that all the peanuts and popcorn they've been selling us while all along we ooh and ahh at the product equivalents of the bearded lady, werewolf children and the world's tallest man still climax at the realization that it's all just an act. At the end of the night, they count their money, tear down the tents and move on. When the bearded lady gets a better gig, she bails and they bring in the dude with the longest mustache. Hey, hair is hair; it's just packaged differently, and we go to ogle at the newest attraction. There's no real punchline here folks, just the jaded, bitter and annoyed comments of someone who's becoming more and more like the grumpy folks he always made fun of at bingo night and a stark realization of just how much I hate the circus. /Hoff |
Credit Card Thieves Hitting Smaller Prey [The IT Security Guy] Posted: 03 May 2008 09:59 AM CDT This was a great piece on SearchSecurity.com this week about how credit card thieves are targeting small merchants and their point-of-sale (POS) systems. The article cited a study by Trustwave, a major PCI consultant based in Chicago. This shouldn't come as any great surprise. Unlike larger companies, small businesses often don't have the resources, let alone a dedicated IT security staff, to pay attention to every detail of the PCI requirements. Attackers know this, targeting more vulnerable small fries rather than big guys with stronger IT security defenses. But what was interesting was that Trustwave found that many small businesses use third-party vendors to set up their POS systems. These systems aren't configured securely, often with default passwords -- commonly known by hackers -- still in place. To add insult to injury, it isn't difficult for attackers to find exposed POS systems with simple port scans. |
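The post says attackers locate exposed POS systems with simple port scans. The flip side is that such a sweep is easy to spot in the firewall's own drop log, which is the one telemetry source even a small merchant usually has. The following is an added example, not code from the original post or from Trustwave: it parses netfilter/iptables-style kernel log lines (the `SRC=`/`DST=`/`DPT=` key-value fields) and flags any source that hits several distinct ports on one host inside a short window. The log lines, hosts, thresholds and the `IPT-DROP` prefix are constructed for this example.

```python
"""Flag port-scan-like behaviour in firewall drop logs.

Added example, not code from the post or from Trustwave. The log format
assumed is the netfilter/iptables kernel-log style (SRC=, DST=, DPT= fields);
every line below is constructed, as are the addresses and the log prefix.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: 203.0.113.9 sweeps six ports on a POS host in a few
# seconds (22, 23, RDP, VNC 5900, pcAnywhere 5631, 8080), then returns minutes
# later; 198.51.100.7 only retries one service and should not be flagged.
SAMPLE_LOG = """\
May  3 09:59:01 fw kernel: IPT-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=44212 DPT=22
May  3 09:59:01 fw kernel: IPT-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=44213 DPT=23
May  3 09:59:02 fw kernel: IPT-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=44214 DPT=3389
May  3 09:59:02 fw kernel: IPT-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=44215 DPT=5900
May  3 09:59:03 fw kernel: IPT-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=44216 DPT=5631
May  3 09:59:05 fw kernel: IPT-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=44217 DPT=8080
May  3 09:59:10 fw kernel: IPT-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=50001 DPT=5900
May  3 09:59:40 fw kernel: IPT-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=50002 DPT=5900
May  3 10:05:00 fw kernel: IPT-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=44300 DPT=443
"""

# syslog timestamp, then the netfilter key=value fields we care about
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line, year=2008):
    """Return (timestamp, src, dst, dport) for a drop line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # syslog omits the year; the caller supplies it (assumption: all lines are from one year)
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["dst"], int(m["dpt"])


def detect_scans(log_text, window_seconds=60, min_ports=5):
    """Map (src, dst) -> sorted distinct ports for every source that touched at
    least `min_ports` distinct destination ports on one host within `window_seconds`."""
    events = defaultdict(list)  # (src, dst) -> [(timestamp, dport), ...]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, src, dst, dpt = parsed
            events[(src, dst)].append((ts, dpt))

    findings = {}
    for key, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the left edge until the window spans at most window_seconds
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            ports = {dpt for _, dpt in evs[start : end + 1]}
            if len(ports) >= min_ports:
                findings[key] = sorted(ports | set(findings.get(key, [])))
    return findings


if __name__ == "__main__":
    for (src, dst), ports in detect_scans(SAMPLE_LOG).items():
        print(f"possible scan: {src} -> {dst} ports {ports}")
```

The window is per (source, destination) pair, so a slow scan spread over hours slips through at these defaults; lowering `min_ports` or widening `window_seconds` trades that against noise from legitimate clients that reconnect on several ports. Whatever the thresholds, the check that matters next is the one the post implies: whether any of the flagged ports answer with a vendor default credential.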
"Illegal" is still illegal [An Information Security Place] Posted: 03 May 2008 08:24 AM CDT First, let me be very clear that I have, in the past, downloaded music illegally. I have also used pirated software in the past. And while I can’t say that every song I have on my iPod is legal (simply because I can’t remember where I got some of them), I can say that I discontinued the use of pirated software a while ago. So, moving on… Don Tennant is an editor over at Computerworld, and he is also a blogger. He recently posted a story that his son wrote while attending Worcester Polytechnic Institute in Massachusetts. The story was about a group of pirates (software, music, and movie pirates - not the kind who says "ARGH") at his school who were very prolific in their pursuits and ended up getting caught and quite busted. It is a great read, and it goes into a lot of good detail (Don, looks like your son got your writing talents). But as good as the story is, my point for this post is the comment that was made on the post. Someone that didn’t post their name (people like this usually don’t) wrote a fairly lengthy comment. Here’s the main excerpt that makes me cringe:
Here’s my reply:
That is really what this is about. As long as people can justify in downloading music, movies, and software illegally, it is going to continue to happen. This is not a problem that technology is going to solve. The different industries have tried again and again, but to no avail. It really comes down to people’s hearts. And having made that disclaimer above, I also want to say that I am not writing a "holier-than-thou" post. I am simply writing this post to say that when you are breaking the law, no amount of quotes around the word "illegal" makes it OK. Vet |
What is Black PR? A tour of the black arts. [Security4all] [Belgian Security Blognetwork] Posted: 02 May 2008 05:36 PM CDT |
How VIP Helps George [Online Identity and Trust] Posted: 02 May 2008 05:01 PM CDT |
Spywareguide Roundup [Vitalsecurity.org - A Revolution is the Solution] Posted: 02 May 2008 11:35 AM CDT Shall we get down to business? * Credit Card up for Renewal? Then Beware This Phish: A funky little diversion through a phishing scam that caught my eye simply because my credit card was due to expire. * The Spectre of Rogue Facebook Applications, Back Once More: Ooh, it's all kicking off with Facebook applications again! * Pinont.com - No Need to Panic: Aargh, it's an apocalyptic wave of.....viagra spam. * Beware - New MSN Messenger Password Stealing Program in the Wild: This is a pretty slick application for scumbags everywhere - click a few buttons, and hey presto, a ready-rolled executable that can be used to steal your MSN Messenger login credentials. Here's the client: And here's what the attacker will see with the click of a button, assuming the victim let the infection file execute on their PC beforehand: .....ouch. |
Secunia NSI 2.0 Final Release [/dev/random] [Belgian Security Blognetwork] Posted: 02 May 2008 09:37 AM CDT Secunia announced today the final release of NSI ("Network Software Inspector") 2.0! This application scans the devices on your network and reports vulnerabilities to a centralized dashboard. This is a must for maintaining a good level of security inside your network. You can test it for free for 7 days / 3 hosts. For personal computers, on the other hand, I recommend the PSI ("Personal Software Inspector"), already reviewed here. |
Nessus vulnerability scanner pigized [Security Data Visualization] Posted: 02 May 2008 09:32 AM CDT Graph of a Saint scan as seen by Snort and Prelude LML using pig |
Saint vulnerability scanner pigized [Security Data Visualization] Posted: 02 May 2008 09:30 AM CDT Graph of a Saint scan as seen by Snort and Prelude LML using pig |
Retina vulnerability scanner pigized [Security Data Visualization] Posted: 02 May 2008 09:29 AM CDT Prelude IDMEF Grapher (PIG) shows IDMEF data on a multi-axes view for graphical alerts analysis. This graph shows what was displayed performing a scan using the Retina software. Snort and Prelude LML (log analysis) send their alerts to the prelude manager that we connect to using pig. |
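PIG draws its axes from IDMEF, the XML alert format (RFC 4765) that Snort via its Prelude plugin and Prelude LML both hand to the Prelude manager. The following added example, which is not code from the original posts or from the Prelude or PIG projects, parses a handful of IDMEF alerts and tallies them per axis (analyzer, source, target, classification, severity) plus the source-to-target-to-classification paths that a multi-axis view draws as lines. The IDMEF messages, analyzer names, addresses and classification strings are constructed for this example; the element structure follows the RFC 4765 schema in the `http://iana.org/idmef` namespace.

```python
"""Parse IDMEF alerts (RFC 4765) and tally them per axis, the way a
multi-axis grapher such as PIG would lay them out.

Added example, not part of the original posts nor of Prelude or PIG. The
messages below are constructed by hand; their ids, addresses and
classification texts are made up.
"""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"idmef": "http://iana.org/idmef"}  # IDMEF namespace from RFC 4765

# Constructed sample: three Snort alerts, one Prelude LML alert from a failed
# login in the auth log, and one Heartbeat that the parser must ignore.
SAMPLE_IDMEF = """<?xml version="1.0" encoding="UTF-8"?>
<IDMEF-Message version="1.0" xmlns="http://iana.org/idmef">
  <Alert messageid="a1">
    <Analyzer analyzerid="snort-1" name="Snort"/>
    <CreateTime ntpstamp="0xcbaa2501.0x00000000">2008-05-02T09:29:01Z</CreateTime>
    <Source><Node><Address category="ipv4-addr"><address>198.51.100.44</address></Address></Node></Source>
    <Target><Node><Address category="ipv4-addr"><address>192.0.2.20</address></Address></Node><Service><port>80</port></Service></Target>
    <Classification text="WEB-MISC scanner probe"/>
    <Assessment><Impact severity="medium"/></Assessment>
  </Alert>
  <Alert messageid="a2">
    <Analyzer analyzerid="snort-1" name="Snort"/>
    <CreateTime ntpstamp="0xcbaa2502.0x00000000">2008-05-02T09:29:02Z</CreateTime>
    <Source><Node><Address category="ipv4-addr"><address>198.51.100.44</address></Address></Node></Source>
    <Target><Node><Address category="ipv4-addr"><address>192.0.2.20</address></Address></Node><Service><port>22</port></Service></Target>
    <Classification text="SCAN nmap TCP"/>
    <Assessment><Impact severity="low"/></Assessment>
  </Alert>
  <Heartbeat messageid="h1">
    <Analyzer analyzerid="lml-1" name="Prelude LML"/>
    <CreateTime ntpstamp="0xcbaa2503.0x00000000">2008-05-02T09:29:03Z</CreateTime>
  </Heartbeat>
  <Alert messageid="a3">
    <Analyzer analyzerid="lml-1" name="Prelude LML"/>
    <CreateTime ntpstamp="0xcbaa2504.0x00000000">2008-05-02T09:29:04Z</CreateTime>
    <Source><Node><Address category="ipv4-addr"><address>198.51.100.44</address></Address></Node></Source>
    <Target><Node><Address category="ipv4-addr"><address>192.0.2.20</address></Address></Node><Service><port>22</port></Service></Target>
    <Classification text="Remote Login Failed"/>
    <Assessment><Impact severity="medium"/></Assessment>
  </Alert>
  <Alert messageid="a4">
    <Analyzer analyzerid="snort-1" name="Snort"/>
    <CreateTime ntpstamp="0xcbaa2505.0x00000000">2008-05-02T09:29:05Z</CreateTime>
    <Source><Node><Address category="ipv4-addr"><address>203.0.113.5</address></Address></Node></Source>
    <Target><Node><Address category="ipv4-addr"><address>192.0.2.21</address></Address></Node><Service><port>443</port></Service></Target>
    <Classification text="WEB-MISC scanner probe"/>
    <Assessment><Impact severity="medium"/></Assessment>
  </Alert>
</IDMEF-Message>
"""


def _addr(parent):
    """First IP address under a Source or Target element, or None if absent."""
    if parent is None:
        return None
    return parent.findtext("idmef:Node/idmef:Address/idmef:address", default=None, namespaces=NS)


def parse_idmef(xml_text):
    """Flatten every Alert in an IDMEF-Message into a dict; Heartbeats are skipped."""
    root = ET.fromstring(xml_text)
    alerts = []
    for alert in root.findall("idmef:Alert", NS):
        analyzer = alert.find("idmef:Analyzer", NS)
        cls = alert.find("idmef:Classification", NS)
        impact = alert.find("idmef:Assessment/idmef:Impact", NS)
        target = alert.find("idmef:Target", NS)
        port = target.findtext("idmef:Service/idmef:port", default=None, namespaces=NS) if target is not None else None
        alerts.append({
            "id": alert.get("messageid"),
            "analyzer": analyzer.get("name") if analyzer is not None else None,
            "time": alert.findtext("idmef:CreateTime", namespaces=NS),
            "source": _addr(alert.find("idmef:Source", NS)),
            "target": _addr(target),
            "port": int(port) if port else None,
            "classification": cls.get("text") if cls is not None else None,
            "severity": impact.get("severity") if impact is not None else None,
        })
    return alerts


def axis_counts(alerts):
    """Per-axis tallies: how many alerts fall on each value of each axis."""
    axes = {k: Counter() for k in ("analyzer", "source", "target", "classification", "severity")}
    for a in alerts:
        for k in axes:
            axes[k][a[k]] += 1
    return axes


def source_target_paths(alerts):
    """Count (source, target, classification) triples: one line across the axes per triple."""
    return Counter((a["source"], a["target"], a["classification"]) for a in alerts)


if __name__ == "__main__":
    parsed = parse_idmef(SAMPLE_IDMEF)
    for axis, counts in axis_counts(parsed).items():
        print(axis, dict(counts))
    for path, n in source_target_paths(parsed).most_common():
        print(n, "x", " -> ".join(path))
```

Seeing a scanner probe, an nmap signature and a failed remote login converge on one source and one target is exactly what the multi-axis layout makes visible at a glance, and why correlating Snort with a log analyzer such as Prelude LML is worth the effort.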
Chinese hacking in Belgian media (updated) [Security4all] [Belgian Security Blognetwork] Posted: 02 May 2008 07:11 AM CDT |
You are subscribed to email updates from Security Bloggers Network To stop receiving these emails, you may unsubscribe now. | Email Delivery powered by FeedBurner |