Monday, May 5, 2008

Spliced feed for Security Bloggers Network

Frost and Sullivan agrees that NAC has begun the climb to enlightenment [StillSecure, After All These Years]

Posted: 05 May 2008 07:14 AM CDT

Frost & Sullivan is the latest analyst firm to note that NAC is coming on through to the other side. They say, "As common misperceptions are dispelled and NAC gains acceptance as a key part of network security, these technologies become the center of a highly competitive and lucrative market ..". They have released a new report according to this article in Trading Markets. The report further states, "NAC has made its mark in the market to such an extent that more participants have entered the NAC space. In the near future, this growth phase of the market will get a strong boost from the entry of major participants."  The report goes on to say, "NAC has proved its worth as an enterprise security product that can effectively enforce security policies. Now that many third-party product evaluations and customer reviews are available, customers can make well-informed decisions and purchase a superior NAC product. This also expects to help drive the market."

OK, enough quotes from the article.  My point is that despite the ramblings of the naysayers like my friend Stiennon, there is a gathering storm of evidence and commentary showing NAC is real, it works and it is valuable.

Proposed SEC Rules Broaden Scope of InfoSec Compliance Responsibilities [BlogInfoSec.com]

Posted: 05 May 2008 06:00 AM CDT

On March 11, 2008, the United States Securities and Exchange Commission (SEC) published proposed rules intended to "set forth more specific requirements for safeguarding information and responding to information security breaches, and broaden the scope of the information covered by Regulation S-P's safeguarding and disposal provisions." Interested parties are invited to send comments concerning the new rules, and the deadline for submitting suggestions is May 12, 2008.

I do not promise you that this document is an easy read. The text is a veritable thicket of legalese, despite the SEC's well publicized espousal of "plain English." (Apparently, the agency's advocacy of "plain English" extends mainly to the companies regulated by the SEC, rather than to documents published by the agency itself.). However, the proposed rules represent an important development in the ever-expanding literature comprising federal regulations that invoke the services of information security in the cause of preserving and strengthening customer privacy within the financial services industry. In fact, the SEC's proposed rules may represent the most systematic effort of a federal agency to provide guidance to Infosec professionals concerning privacy controls. The provisions of virtually all previous governmental privacy initiatives—including Gramm-Leach-Bliley, the FACT Act, and state data breach regulations—are here combined into one comprehensive set of rules. Interestingly, the new rules do not simply collect these separate initiatives into a single document, but incorporate diverse regulations into a new and broadly expanded concept of "privacy." In addition, the proposed SEC rules enlarge the scope of InfoSec compliance responsibilities. If these rules are adopted as originally proposed, it is likely that other agencies responsible for the regulation of financial and medical services industries will adopt a similar approach to privacy. Therefore, Information Security professionals are well advised to read these rules and consider their implications.

This article will discuss some of the most significant of these implications.

A New Kind of Protected Data: "Personal Information"

The authors of the SEC rules are aware that prior federal regulations have identified several different types of financial information that must be safeguarded by security measures. The Gramm-Leach-Bliley Act (GLBA), for example, maintained that "nonpublic personal information" (NPI) must be protected by appropriate access and other technical controls. NPI was never precisely defined, although GLBA classified two general types of data as nonpublic personal information: (1) nonpublic personally identifiable financial information pertaining to a "natural person" (i.e., a human being, as opposed to a corporation) and (2) any list, description, or other grouping of consumers derived using any personally identifiable financial information that is not publicly available. Thus, the fact that an individual is the customer of a particular financial institution is, in itself, NPI. A consumer's name, address, social security number, and account number are also NPI, unless the information can be obtained from a publicly available source. For instance, a customer's telephone number, if listed in a phone book, is not NPI.

The FACT Act introduced a second type of protected data, "consumer report information." This refers to any record about a "natural person," whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report. The term "consumer report" generally means a report bearing on a consumer's creditworthiness, credit standing, reputation or other factors used in connection with establishing the consumer's eligibility for credit, insurance, or employment.

Authors of the new SEC rules accept the view that "nonpublic personal information" and "consumer report information" must be safeguarded. However, they establish a new kind of protected data, "Personal Information," that includes these two types plus a new category of confidential information. This new category includes "information identified with any customer, or with any employee, investor, or securityholder who is a natural person, in paper, electronic or other form, that is handled by the institution or maintained on the institution's behalf." Thus, for example, records of employee user names and passwords are now considered protected. In addition, the nonpublic personal information belonging to an institutional client must also be protected, even though the individuals associated with the information are not themselves clients of the company responsible for storing or processing the data. Under this broad notion of "personal information," all nonpublic personal data associated with clients, employees, and institutional clients' clients must be carefully secured.

Data Security Breach Response

Since California originally implemented its data security breach response legislation (popularly known as SB1386) in 2003, numerous states (and also New York City) have passed similar measures. Several statutes have also been discussed on Capitol Hill as a federal initiative that could supersede and bring order to the occasionally-conflicting state laws. However, the proposed SEC regulations have now introduced a federal rule that represents a departure from many of the existing state laws.

According to the new SEC rules, a data security breach must involve "sensitive personal information." This "information" is defined as "any personal information, or combination of components of personal information, that would allow an unauthorized person to use, log into, or access an individual's account, or to establish a new account using the individual's identifying information." The SEC proposal describes several specific types of information that are considered "sensitive": (1) any identifying information (including an individual's Social Security Number, name, telephone numbers, street address, email address, or online user name) in combination with (2) authenticating information, such as account number, credit or debit card number, driver's license number, credit card expiration date or security code, mother's maiden name, password, or PIN.

The proposed rules require any regulated institution to report to the SEC any incident involving a data breach if (1) sensitive personal information is involved and (2) the institution becomes aware of any incident of unauthorized access to or use of personal information "in which there is a significant risk that an individual identified with the information might suffer substantial harm or inconvenience, or in which an unauthorized person has intentionally obtained access to or used sensitive personal information." Previous data breach regulations have not included the condition concerning the presence of significant risk of "harm or inconvenience" to an individual; the SEC regulators are explicitly attempting to limit the scope of incidents that must be reported.

Rationale for the New Rules

President Clinton signed the Gramm-Leach-Bliley Act into law on November 12, 1999. On February 1, 2001, the major federal agencies responsible for regulating the banking industry published their "Interagency Guidelines Establishing Standards for Safeguarding Customer Information." These Guidelines were intended to implement the privacy provisions of GLBA. Interestingly, this document did not emphasize the threat of identity theft as a major rationale for the new regulations. However, written more than seven years later, the proposed SEC regulations are explicitly focused upon the prevention of identity theft and the strengthening of trust in online brokerage services. "In recent years," the authors assert, "we have become concerned with the increasing number of information security breaches that have come to light and the potential for identity theft and other misuse of personal financial information…Perhaps most disturbing is the increase in incidents involving the takeover of online brokerage accounts…." Clearly, the regulators are not motivated simply by awareness that consumer privacy is, in itself, a good thing. Rather, the authors of the new rules are concerned that maintaining the privacy of certain consumer information is necessary to prevent criminal activity and to bolster trust in online investor services.

Implications for Information Security Professionals

The proposed SEC rules have broadened the types of data that are subject to security controls pertaining to encryption, access control, and transmission and storage. All types are now grouped under the general category of "Personal Information." Frequent reference to specific types of data that comprise "Personal Information" will require information security professionals to assist with the development of a robust data classification program that can accommodate the diverse data elements comprising "Personal Information." In addition, appropriate controls must be implemented to ensure the security of these elements. For most organizations, hopefully, these additional efforts will simply build upon the work already accomplished, or in progress, to accommodate existing state and federal privacy regulations.


Pimping myself [An Information Security Place]

Posted: 04 May 2008 10:37 PM CDT

OK, I am going to do a little self-pimping here.  For those of you who have been reading my blog for a year or so, you probably know that I also blog over at Computerworld.  But if you haven’t been around a while, or you just plain missed it, please go take a look when you get the chance (and subscribe to the feed).  My writing is typically a little more subdued over there, simply because CW can’t have me calling people an ass

Also, there are a lot of blogs over at CW, and they have a bunch of different subjects.  The site is great (it has won some awards), and the editing staff is awesome as well.

OK, self-pimping is over.

Vet

Airport Security: Should This Worry Me? [Digital Soapbox - Security, Risk & Data Protection Blog]

Posted: 04 May 2008 05:28 PM CDT

Hey folks - just another airport (in)security note, as I travel and criss-cross this great land of ours. I'm always on the lookout for silly security snafus that would seek to compromise the high standards DHS has set forth for maintaining airline security. Given what I know about the state of DHS and more specifically the TSA organization - I take extra care when I go through the "security screening" process at the airports.
I was going through O'Hare's Terminal 1 this afternoon, and just happened to be wearing my Nike AirMax 180's again (these are the ones with the Apple "pod" in the mid-foot of one of the shoes). I went through security, took my shoes off, put them through the x-ray machine and watched the two very ... "conversationally engaged" girls as the shoes went through. One of them looked down for a split-second as my shoes went through, then continued her conversation about a party that she went to last night that was "off the hook".
So two things immediately hit me that were very wrong with this picture.
  1. Neither of the ladies who were supposed to be monitoring the screen looked down at it for more than maybe a half-second, as my laptop, laptop bag, shoes, cell phone and "gadgets" all went through on separate trays. That's 3 trays that went through that got barely a look. Now, maybe today's screening machines are *so* advanced that they require almost no human action... but still - is this cause for concern?
  2. The little "pod" in my shoes attracted *zero* attention. OK, maybe that's not such a big deal, but they are screening shoes now, right? I would guess that if I was sitting there, and saw an athletic shoe go through with a metal/electronic gizmo in it, tucked away in the sole of the shoe - I might just be concerned. Maybe I'm wrong - but then this all probably boils down to the system used to screen... I hope.

Something else caught my attention. When I asked Mr. Luis M. the question "Why do we need to put our shoes into the screening machine...?" his answer was (I swear, word for word he said...) "Because we need to check for some stuff". This is the sort of high-quality, educated and intelligent answer I would expect from today's TSA agents, honestly. I'm not knocking all TSA agents because some actually have a greater than High School education, but this is just appalling! I'm not asking for a national secret, so he should be able to tell me. I'm also not asking a terribly complex technical question, am I?

Anyway - I'm about to board a flight out to San Francisco... hopefully on my flight home someone notices my shoes :)

-- Fly safe!

Offtopic: Arbitrary Attacks on Videogames Annoy Me [Vitalsecurity.org - A Revolution is the Solution]

Posted: 04 May 2008 04:01 PM CDT

Peter Hitchens wheeled out a predictable attack on videogames - namely Grand Theft Auto 4 - in the print edition of the Daily Mail today. His tortured logic spilled onto his weblog, so I left him the following reply:

"Could it possibly be bad for a child or a teenager to spend long hours impersonating a violent car thief?" (Hitchens)

Could it possibly be bad for you to write a "won't somebody think of the children" missive to whip up the usual sensationalist panic about videogames while (predictably) failing to mention the product in question is clearly labeled 18 for adults?

Rather than decry the game, perhaps it might make more sense to attack gamestores that happily sell products aimed at an older market to kids. Perhaps it might be better to attack the parents that thoughtlessly hurl products aimed at an older market at their children.

Unless, of course, you're *also* going to blame the collapse of Western civilization on every single activity aimed at someone over 18 along with the horrors of GTA4?

The gaming market has grown and aged with the products. I've played games for 25 years, and I don't particularly fancy playing "super happy hooray for everything" anymore.

Thanks for trying to limit my choice of personal pursuits via the agenda you're pushing without even bothering to try the product in question.

If you *had* actually tried the game, you wouldn't be writing it off as a senseless, lawless gunfest with no consequences, morals or anything approaching depth beyond "kill everything in sight".

It's mature, it's intelligent, it's - shock horror - actually very grown up, and at least one major videogame site said of this game in its review that the more realistic and serious nature of the lead character meant that they were actually *less* inclined to go on a gun rampage, because it "didn't feel like something the character would do".

To impress upon a player that sense of depth with regards a fictional character jumping around on a screen is pretty impressive. To do such a thing when it could be argued the basic mechanic of the title is to shoot people, even more so.

But of course, you're too busy wheeling out assumptions and blanket statements.

He never published the comment. Funny, that...

Why even having health insurance is not enough anymore [StillSecure, After All These Years]

Posted: 04 May 2008 03:13 PM CDT

Forgive me for going totally off topic (hey, it's my blog, I write what I want) but it is Sunday and not much news on security.  I wanted to write about an article I saw in the NY Times today called "Even the Insured Feel the Strain of Health Costs". The article details that with the hard economic times even people who have health insurance are being bitten by the ever rising costs of health care.  Rising premiums, covering fewer procedures and care, and charging more for prescriptions and medical care combine to put the bite on everyone.  From my own experience here are 4 examples of how even with health insurance, medical care costs are taking a bite:

1. My wife had minor surgery in September.  It was ambulatory surgery where she went in the morning and went home that afternoon/evening.  Even though we have full PPO coverage and it was participating doctors, hospital, etc. my out-of-pocket costs after insurance were almost $3000! The surgeon received a whopping $472 from the insurance company for the operation and the hospital billed like 17k!  When I called the hospital they said they did not expect to get paid that much, but had to bill it so they could get as much as they could.  I then had to negotiate what I would pay out of pocket beyond that. I also had to pay the anesthesia, the prescriptions, etc.

2. Here at StillSecure we had to switch providers again this year because United Health Care wanted another 15 to 20% raise in premiums. In fact that is about normal for health insurance, way above the cost of living and inflation.  We pay a good chunk of our employees' insurance premiums, but even so the 20% or so that we have the employee pick up gets bigger and bigger.  Plus the insurance company covers less and less.  This squeeze is frankly baffling. How can you pay more and get less?

3. I had a dental implant a few months back.  Though we pay for dental coverage, our insurance would cover a bridge or cap, but they don't consider implants necessary and would not cover any of it. I had to lay 2k out of pocket. On top of this the panoramic x-ray the oral surgeon took (which again was not covered, another 100 bucks) showed I had an impacted wisdom tooth with a cyst around it.  My dental insurance covered the wisdom tooth, but the cyst removal would be considered under my regular insurance and my dentist was not participating. In fact I could not find a participating oral surgeon in the area.  So I had to pay an extra $600 out of pocket and of course my out-of-network deductible was $750, so I ate it again.

4. The orthodontist.  This one is perhaps the worst of all and really gets my goat.  My oldest son went for an orthodontic exam. The doctor told my wife that he would probably need braces when he gets older and that current best practice in orthodontics is to put braces on now in a phase 1 and then, if necessary, put other braces on later when more of his adult teeth come in. Putting braces on now would lessen the severity of what he would need later.  OK, great, let's do it, right?  Wrong!  Our insurance covers a one time payment of $1200. The dentist said if we use it now, the cost for phase 1 would be $3600.  That leaves a balance of $2400 that I have to pay.  However, if I do it without insurance he would charge me $2400 and then I could use the $1200 towards the phase 2 braces my son may need, which could be up to 10k. So if we went through insurance the cost was $3600 with $2400 out of pocket, or with no insurance $2400 out of pocket.  What is wrong with that picture? Whether I have insurance or not, it still costs me $2400!  This is fundamentally what is wrong with our health care system.  The dentist is willing to accept $2400.  He should take the $1200 from my insurance and I should pay him another $1200.  Anything else is ludicrous and in my mind borders on criminal insurance fraud.

We need to restore sanity to the whole system. It is not just the 48 million people in this country that don't have insurance, it is also the costs of the people who do have insurance. Don't tell me that giving us greater limits to put in tax deferred health savings plans is the answer either.  Fundamentally we need the insurance companies to stop sucking the blood of the premium payers. We need the health industry to bill for what they do and what it is worth, not how to maximize what the insurance company pays, and most of all we need to make sure that people can afford and receive decent health care!

BTW, if you want to read an excellent blog on this subject, Dr. Stanley Feld, Brad's dad writes a great blog on it.

2008 Goals: April Progress Report [The Falcon's View]

Posted: 04 May 2008 01:39 PM CDT

"Life is a series of natural and spontaneous changes. Don't resist them - that only creates sorrow. Let reality be reality. Let things flow naturally forward in whatever way they like." (Lao Tzu) Goodness gracious, where in the world did...

Are we Secure yet? (Part 1) [Rory.Blog]

Posted: 04 May 2008 09:14 AM CDT

One of the questions that an Information Security person dreads most is someone from the business asking "Are we secure?".

You can be torn between the urge to explain in detail why that question can't be easily answered and the details of the controls in place and residual risks (and sending them to sleep) or a flippant "yes" which may well come back to haunt you...

One of the reasons why the answer could be so long is the obvious question "Secure from what?". A set of controls which may be reasonably tight when faced with a non-targeted threat from malware may be totally inadequate against a motivated, knowledgeable insider threat.

So, perhaps one way to help is to break down the "secure" question a bit in to categories of threat.

For example:

  • Non-Targeted Threats
  • Internal Targeted Threats
  • External Targeted Threats

This way you can classify your controls as to how well they target each threat category, giving a better picture as to what level of risk your organisation is actually running.

Non-Targeted Threats

First off is probably the easiest one, "Non-Targeted Threats". This category includes a lot of the "traditional" threats to your security and is also probably the easiest one to mitigate, as the attacker isn't intelligently looking for a way to attack you; they're just randomly interested in getting access to assets.

Examples of this category of threat are

  • Malware - Most malware isn't targeted and is just looking to compromise a machine (any machine) for the purposes of using its resources or getting access to information held on it or entered into it (e.g., users' banking credentials).
  • Laptop Thefts - The majority of laptop thefts are not targeted, they're just carried out by someone who sees the laptop as a portable asset that can be easily resold.
  • Internet Attacks - A large portion of "script kiddy" style attacks again, aren't targeted at a particular company, they're just looking to compromise servers on the Internet for (mis)use.

Looking at these sample threats, we can see that it's likely that more automated controls will be effective against them. We don't need to be absolutely flawless in our execution of security to defeat them but we need to be "good enough" that the attack moves on to someone else.

So controls which are likely to be effective in this space could be:

  • A-V/Anti-Spyware - Whilst there's a diminishing return on these as attackers work harder to bypass them, signature based A-V still adds a lot of value in cutting out the "noise" of malware attacks
  • Patching - Again we're not dealing with attackers who are likely to use a zero-day exploit here, so vendor patching will likely be an effective control to mitigate some of these threats.
  • Laptop encryption - Whilst it could be argued that this isn't a perfect control (with the cold boot http://www.freedom-to-tinker.com/?p=1257 attacks that have emerged), it's likely to be an effective control for a random laptop theft.
  • Network (and Web Application) Firewalls - Until recently you could have argued that non-targeted attacks rarely use application level techniques; the recent mass SQL Injection attack (doubtless the first of many) shows that firewalling at the network and application level is necessary to keep you safe('ish) on the Internet.

So far, so good. Next up we'll look at the trickier area of Internal Targeted Threats.

Grasping Security thru Visualization [Security Uncorked]

Posted: 03 May 2008 09:02 PM CDT

Visualization is not a new concept to me- I’ve been turning data into various types of trends, charts, graphs, maps and 3D images for years. But, the concept of viewing and interpreting security and network data through visualization is relatively new- and I think you’re going to be seeing a lot more of this in the coming months and years.

One of the things I have the… pleasure… of doing, is consulting with various manufacturers to see how they can make their products and interfaces more usable. Specifically, I try to help them understand what to add or change in order to allow customers to interpret and use the data that’s being delivered to them. How can they take all this stuff, make sense of it, and correlate it to events on the network?

A lot of times that means finding ways to map data sources to known devices on the network, and parsing out what’s expected vs unexpected, or anomalous. We do this for WAN and LAN-based data, and for sources within the network, the DMZ and externally. It’s a lot of work and still not as wizard-like as we might hope.

But, I think I’ve just found my new favourite toy- and it came via Splunk. When I saw it, I just had to have it. :)

I didn’t get far with the Splunk demo at RSA, but totally made up for it at Interop, by way of an extremely knowledgeable woman - Christina Noren, the VP of Product Management there at Splunk. Talk about someone who knows her stuff. I was really amazed with what this little log search engine can do. And, add to that the overview of visualization I got from Raffy Marty, Chief Security Strategist, and I was totally blown away. With Splunk, you can quickly gain insight into the events happening on your network, and the visualization tools give you a unique and easy-to-interpret representation of the data.

The two together build a foundation for some great security tools, and ways to visualize data and trends for everything from PCI compliance to Change Management to Phishing attacks… and more.

Why is this important? I’m always looking for new ways to present data to customers. We can throw all the gadgets we want to on the network, but ultimately someone (not someTHING) needs to know what’s going on- especially in a world now where people are being held personally responsible for security- or lack thereof. There’s a lot of data and events, and we need a way to turn that information into something usable.

Go forth and play… You can download Splunk (yes, for free) at Splunk.com. Check out the blogs and SplunkBase to get more cool tools and plug-ins. In a couple of months, Raffy’s new book Applied Security Visualization will be released and includes more in-depth information on using visualization in your environment. I strongly suggest you read it. Need more reasons to check it out? They have the BEST t-shirts ever…

Expect to see more from me on this topic, and some tips and tricks for Splunk…

# # #

Layered Security: Solving the Cube [Security Uncorked]

Posted: 03 May 2008 08:06 PM CDT

We always talk about ‘layered security’ and ‘defense in depth’ as strategies for securing the network. And, usually, we’re talking about these as good strategies. However, with more and more security ‘stuff’ on the market, the layered security solutions are starting to lose some of their value.

Why? Well, the problem with layered security is that we tend to assume if Layer X isn’t providing a particular protection, Layer Y must be… and we all know what assuming does.

In the good ol’ days, we relied on firewalls- perhaps nested firewalls, or ones positioned strategically on the LAN as well as the WAN. Because of our network architecture at the time, that was the primary (and probably only required) protection. After years of de-perimeterization and the increase of threats from both remote-access and insiders, we have a much different landscape.

The addition of resources and availability in the network has led to the addition of vulnerabilities and threats.

Now… our schools need to protect children from material online. Now… we need to stop Trojans from sneaking in with VoIP apps. We need to access our corporate network securely from Starbucks. Our corporations need to protect their network from users accessing or publishing illegal content on the Internet. We need to protect our email, make sure it’s virus-free and not allowing employees to send sensitive information to the outside world.

All these increased risks and threats lend to the need for more protection in the environment. There’s just no single silver bullet or cure-all for the problems we’re facing.

What does this mean? It means we’re adding security products to the network to address these issues. We need content filtering. We need layer-7 visibility on the WAN for inbound/outbound application control. We need data leakage prevention. We need email security. We need SSL-VPNs for secure remote access… the list goes on.

So, what’s the problem? We’re living in a world of security buzzwords and ‘hot topic’ solutions. But the problem is 2-fold.

Problem 1- We forget to KISS IT. In the frenzy to understand and implement these hot new products, we’re losing sight of some basic security functions and overlooking some really important security fundamentals. Remember to KISS IT and keep your basic security solutions simple- then layer on top of that. Your hot new NAC or DLP solution won’t seem so impressive if your basic firewall rules haven’t been properly configured.

Problem 2- We forget thy layers. After you KISS IT, you need to start layering responsibly. That means having a CLEAR understanding of what each solution does- or does not- do. You wouldn’t believe how many customers call and want to hear about Widget A for a certain solution that Widget A is not designed to fix. I deal with it daily and I blame (for the most part) vendors for mis-advertising their product as a fix-all. Whether it’s hardware or software- know what each piece of your security solution is designed to do, what it’s actually doing, and keep that information documented. Documented- I’m going to say it again. Your firewall/UTM may offer content filtering and gateway AV, but are you using it? Are you using a WAN optimization product to stop prohibited applications, or is your web filter doing that? Do you even know?

Solving the Cube. Layered security is like solving a Rubik's Cube. You may think you're on the right track after you get one side solved… but the other 5 are just a huge mess. There are patterns and algorithms you must follow to solve all sides together. Your layered security solution is no different. Understand what each piece is doing, how it fits in, and when to twist one layer here to implement a solution as part of a different layer over there.

# # #

802.1X Terminology- Port 'Closed' [Security Uncorked]

Posted: 03 May 2008 06:20 PM CDT

Recently, I’ve been asked to explain my choice of terminology when describing 802.1X during various talks and presentations. One piece of verbiage I tend to use is that an 802.1X-enabled port is ‘shut off’ or ‘closed’ prior to endpoint authentication.

My choice of words seems to raise a few eyebrows with my audience. You, like several others, may ask- "That seems like an 'untechnical' term, shouldn't you say it 'disables' the port?"

Well, no, we shouldn’t say that. When we talk about ‘enable’ and ‘disable’ for ports, that’s actually a port property designation within the switch. When we disable a port in the switch, we’re turning it off and preventing it from passing any traffic.

When we have an 802.1X-enabled port that’s unauthenticated, it still has to pass SOME traffic types, such as EAP (and possibly discovery protocols, such as Cisco’s CDP). Otherwise, we’d never be able to authenticate, right?

So, I, like many others in the NAC world, usually refer to an unauthenticated 1X port as being ‘shut off’ or ‘closed’ just as a means to distinguish it from ‘disabled’ which does have its own meaning.
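To make the distinction concrete, here is an added example (not code from the Security Uncorked post or from any switch vendor) that models the three port states described above as a small frame filter. A 'disabled' port passes nothing; a 'closed' (unauthenticated 802.1X) port passes only EAPOL frames (EtherType 0x888E) and, optionally, discovery frames such as CDP (an LLC/SNAP frame to the 01:00:0c:cc:cc:cc multicast address); an 'authorized' port passes everything. The sample frames are constructed inline and the state names are this example's own; real switches have further states (guest VLAN, MAC bypass and so on) that this model leaves out.

```python
"""Model of what an 802.1X port passes in each state (added example, not switch code)."""
from dataclasses import dataclass
from enum import Enum

EAPOL_ETHERTYPE = 0x888E   # IEEE 802.1X EAP over LAN
MAX_8023_LENGTH = 0x05DC   # type/length values at or below this are an 802.3 length field
CDP_DST = bytes.fromhex("01000ccccccc")          # Cisco CDP multicast destination
SNAP_CDP = bytes.fromhex("aaaa03" "00000c" "2000")  # LLC SNAP, Cisco OUI, CDP protocol id


class PortState(Enum):
    DISABLED = "disabled"        # administratively down: passes nothing at all
    CLOSED = "closed"            # 802.1X enabled, supplicant not yet authenticated
    AUTHORIZED = "authorized"    # supplicant authenticated: passes everything


@dataclass(frozen=True)
class Frame:
    dst: bytes
    src: bytes
    type_or_len: int   # EtherType (>= 0x0600) or 802.3 length (<= 0x05DC)
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Split a raw Ethernet frame into its 14-byte header and payload."""
    if len(raw) < 14:
        raise ValueError("short Ethernet frame")
    return Frame(raw[0:6], raw[6:12], int.from_bytes(raw[12:14], "big"), raw[14:])


def build_frame(dst: bytes, src: bytes, type_or_len: int, payload: bytes) -> bytes:
    return dst + src + type_or_len.to_bytes(2, "big") + payload


def is_eapol(frame: Frame) -> bool:
    return frame.type_or_len == EAPOL_ETHERTYPE


def is_cdp(frame: Frame) -> bool:
    # CDP rides in an 802.3 frame with an LLC/SNAP header, not a plain EtherType.
    return (frame.type_or_len <= MAX_8023_LENGTH
            and frame.dst == CDP_DST
            and frame.payload.startswith(SNAP_CDP))


def port_passes(state: PortState, frame: Frame, allow_discovery: bool = True) -> bool:
    """Decide whether a port in `state` forwards `frame` toward the switch fabric."""
    if state is PortState.DISABLED:
        return False                     # port is off: not even EAP gets through
    if state is PortState.AUTHORIZED:
        return True                      # authenticated: normal forwarding
    # CLOSED: the port is 'shut off' to data traffic but must still let the
    # supplicant authenticate, so EAPOL (and optionally discovery) is accepted.
    if is_eapol(frame):
        return True
    if allow_discovery and is_cdp(frame):
        return True
    return False


# Constructed sample frames (placeholder MACs and payloads, not captured traffic).
SUPPLICANT_MAC = bytes.fromhex("001122334455")
EAPOL_START = build_frame(bytes.fromhex("0180c2000003"), SUPPLICANT_MAC,
                          EAPOL_ETHERTYPE, bytes([0x01, 0x01, 0x00, 0x00]))  # v1, EAPOL-Start, len 0
ARP_REQUEST = build_frame(b"\xff" * 6, SUPPLICANT_MAC, 0x0806,
                          bytes.fromhex("0001080006040001") + SUPPLICANT_MAC + b"\x00" * 14)
CDP_BODY = SNAP_CDP + bytes.fromhex("02b40000")      # CDP v2, TTL 180, placeholder checksum
CDP_HELLO = build_frame(CDP_DST, SUPPLICANT_MAC, len(CDP_BODY), CDP_BODY)


def state_matrix(raw_frames: dict) -> dict:
    """Return {state name: {frame name: passes?}} for every state and sample frame."""
    return {state.value: {name: port_passes(state, parse_frame(raw))
                          for name, raw in raw_frames.items()}
            for state in PortState}


if __name__ == "__main__":
    samples = {"eapol_start": EAPOL_START, "arp": ARP_REQUEST, "cdp": CDP_HELLO}
    for state, results in state_matrix(samples).items():
        print(f"{state:>10}: {results}")
```

Running the block prints one row per state; the 'closed' row is the one that shows why 'closed' is not 'disabled': EAPOL and CDP pass, the ARP request does not.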

# # #

Unintended Consequences [Digital Soapbox - Security, Risk & Data Protection Blog]

Posted: 02 May 2008 05:14 PM CDT

This past week I spoke at the Systems and Software Technology Conference on the topic of Understanding Web Application Security in a "Web 2.0" world, and hung around to hear a few other people speak on topics that I thought were interesting.

Of note is Paul Anderson's talk on his group's advances in the technology of binary code tracing and code obfuscation tools which his company GrammaTech sells. The first part on disassembly and analysis of binary code for vulnerabilities was fascinating - but I think the second portion of his talk was what piqued my attention. Essentially - his company has a suite of tools that will "transform" your code and make it nearly impossible to disassemble (he demonstrated screen shots using IDA Pro). His example was taking cat.exe, a tool we are all familiar with, and taking two IDA Pro screen-shots of the binary executable. The first was just the .exe file on its own, showing all the innards and components of the binary. The second was of the same file after Paul's tools had "obfuscated" the code. IDA Pro had no idea what to do with this new binary... it found one function (the main one) and mis-labeled where it was stored (it "found" it in :data)... so this leads me to an interesting concern - so I asked the question ...


If you're now building a toolkit (or rather, perfecting it, since I'm fairly confident stuff like this exists in large quantities anyway already) and it gets into the hands of the people writing the malware (and it will) are we looking at another major set-back for signature based malware detection?

You can see this two ways, or so I think. You can look at it and say "well, this technology will change how we detect viruses and such; when it gets into the 'wrong hands' it will set the good guys back pretty bad." The second way to really look at this is two-pronged, though. We're already finding code that's polymorphic and self-changing to evade detection; these tools will only further the cause and give that process enterprise-level assistance. Next - signature-based malware detection is a fairly dying and outdated method anyway... right?

So now I guess the ante has been raised in the perpetual arms race between the white-hats and black-hats. With more and more tools coming out to assist in DRM, PI security (through binary code obfuscation) are we really wasting efforts? Naturally you can guess I have my own opinion - but I'd like you to think about it for yourself.

Off to EDUCAUSE/Internet Security Professionals [Kees Leune]

Posted: 02 May 2008 02:58 PM CDT

I am heading off to the EDUCAUSE/Internet2 security professionals conference this weekend. The event starts Sunday and completes Tuesday around noon. While getting my packing list checked off (business cards, itinerary, confirmations, reservations, schedule, etc) I was getting ready to pack my laptop, power supply, cable lock, external drive, etc.

Then I stopped.

Why would I carry all this stuff?

I consider myself an experienced traveler and I have visited a fair number of conferences all over the world. Traveling is annoying enough; I do not need anything that is non-essential.

After all; what I do not carry, I cannot lose. True, having access to email would be nice (I'm not on Crackberries), and web browsing would be convenient too, but face it: I am in session Sunday from 8.30am-late (hopefully there will be some good BoF sessions), Monday starts even earlier (7am) and might end even later, and Tuesday I'll be checking out of the hotel and traveling back home. When would I even have time to get my e-fix?

Traveling in general, and navigating public transportation (incl. clearing airports) is much easier without carrying a lot of stuff.

So; what will I be taking in addition to some fresh clothes? A stack of business cards, my cell phone (with charger), my notepad and one pen.

Defcon 15 videos - VoIP related talks [SIPVicious]

Posted: 02 May 2008 12:21 PM CDT

Just in case anyone missed Defcon 15 (like I did), here are two talks of interest in relation to VoIP:
For the rest of the videos check out this list.

Thanks to Anthony of Iron::Guard for the pointer.


Success story of the OWASP Day II in Italy [Writing Secure Software]

Posted: 02 May 2008 06:53 AM CDT

I participated in OWASP Italy back in March. OWASP Italy was a success story: more than 200 attendees, 9 great speakers, 5 sponsors, 1 round table and an article (in Italian) here:
http://punto-informatico.it/2266944/PI/Commenti/La-Web-Application-Security-parla--anche--italiano/p.aspx

Here is the OWASP page of the event in English with the presentations:
http://www.owasp.org/index.php/Italy_OWASP_Day_2

It was very nice to meet Matteo Meucci, Stefano Di Paola, Giorgio Fedon and Jacob West in Rome. The organization of the conference was fantastic and a good lesson for me. I wish that one day I will be able to organize a similar event with my OWASP chapter here in the USA. My kudos to Matteo: beautiful work, well done!! Go OWASP!

OSSEC v1.5 now has builtin Asterisk rules [SIPVicious]

Posted: 02 May 2008 03:10 AM CDT

A new OSSEC version has been released. Along with a number of updates, OSSEC now includes the Asterisk rules that were first published in my hakin9 article and then here. The rest of the updates are described in the Changelog.

Grab it now.
