Spliced feed for Security Bloggers Network |
| Sending in the big boys [Vitalsecurity.org - A Revolution is the Solution] Posted: 10 May 2008 06:49 AM CDT  7) However: I am a moron and will provide you with these tools anyway. The above is from the website of the guy distributing a whole bunch of fake IM applications. Question: What happens when you send the companies being imitated the name, address and phone number of the boob pushing these fake programs? Answer:  Hahaha etc | |||||||||||||||||||||||||||||||||||||||||||||||
| Proprietá transitiva. [varie // eventuali // sicurezza informatica] Posted: 10 May 2008 04:11 AM CDT Leggevo questi due articoli, evidentemente basati sullo stesso studio di PC Tools. Information Week titola: Windows Vista More Vulnerable To Malware Than Windows 2000 ComputerWorld invece: Windows Vista more secure than XP, says security company Quindi potremmo dire che Windows 2000 é più sicuro di Windows XP. Poi consideriamo che in una recente competizione un Mac é stato "bucato" prima di Vista ed Ubuntu, quindi sempre generalizzando grossolanamente, Windows 2000 é più sicuro di Mac OS X. E sicuramente potrei trovare evidenza anche per mettere in classifica Ubuntu. Però siccome di generalizzazione si tratta mi si potrebbe dire che Ubuntu é più/meno sicuro di Debian e che com'era bello Windows NT 4, o che eccetera eccetera. Io credo che il Sistema Operativo più sicuro sia quello che si conosce meglio. In mano a me per esempio un Mac sarebbe uno scolapasta, un Linux un po meno che uno scolapasta, mentre con Windows che mi vanto di conoscere bene non ho mai accusato problemi. Più in generale meglio si conosce qualcosa e più sicura questa diventa. | |||||||||||||||||||||||||||||||||||||||||||||||
| San Francisco Bay Area Security Community [Infosec Events] Posted: 09 May 2008 09:27 PM CDT Because I maintain the information security events calendar, I often get asked about local information security events. If I were to add all the local events that I know about, it would fill the calendar with a ton of entries, many of them not applicable to the users. I might start another calendar only for San Francisco / Bay Area events, but for now, identifying the resources available is good enough. So for those information security professionals in (or visiting) the San Francisco Bay Area, here is a list of security groups:
If formal organizations aren’t your thing, there are a few informal groups as well.
While not exactly a community resource, there are a few major information security conferences that get held in the San Francisco Bay Area as well. Conferences are another great way to network with fellow information security professionals, so here they are.
As you can see, the San Francisco Bay Area security community is quite strong. Also, we are trying to identify all the local bloggers, so for those in the area that blog, please contact us. | |||||||||||||||||||||||||||||||||||||||||||||||
| Reflections on the 2008 RSA Conference [The Falcon's View] Posted: 09 May 2008 03:50 PM CDT Now that it's May and I've had a few weeks to recover, I've decided that it's time to finally post a thorough retrospective piece on my first attendance of the RSA Conference in San Francisco. Overall, I had a wonderful... | |||||||||||||||||||||||||||||||||||||||||||||||
| Vote for my Black Hat USA 2008 Presentation! [Andrew Hay] Posted: 09 May 2008 02:34 PM CDT
I’ve submitted a presentation/paper for Black Hat USA 2008 and if you are attending I’d really appreciate it if you voted for me. The title of the paper: The Bot Came Back, The Very Next Day. Vote it up and join me in discussing the past, present, and future of botnet activity in fabulous Las Vegas! | |||||||||||||||||||||||||||||||||||||||||||||||
| Still around [Vitalsecurity.org - A Revolution is the Solution] Posted: 09 May 2008 01:44 PM CDT | |||||||||||||||||||||||||||||||||||||||||||||||
| domainnames that last month were many times found in malware [belsec] [Belgian Security Blognetwork] Posted: 09 May 2008 11:45 AM CDT dns2go.com | |||||||||||||||||||||||||||||||||||||||||||||||
| Interesting Bits - May 9th, 2008 [Infosec Ramblings] Posted: 09 May 2008 10:42 AM CDT Hoff posted yesterday about the hard security costs associated with virtualization. He points out that while there may be cost savings in other areas, there will likely not be any from a security perspective and likely will be additional costs introduced by using virtualization. Christopher has an entry up that talks about breaking our of Windows remoteapps. Very interesting. Have a great day. Kevin         | |||||||||||||||||||||||||||||||||||||||||||||||
| HSBC branch server goes missing [spylogic.net] Posted: 09 May 2008 09:49 AM CDT  This is one of those security breaches that underlines the need for physical security if you are doing remodeling or construction where there is potentially sensitive customer data being held...like a bank! From the official bank disclosure: "The Hongkong and Shanghai Banking Corporation Limited confirms one of its computer servers went missing on 26 April 2008 at its Kwun Tong Branch, which has been undergoing renovation. The data held on the server includes account number, customer name, transaction amount and transaction type." Nice! This just adds to the list of breaches that HSBC has announced recently...not a good time to be an HSBC customer. Seriously though, all banks should look at the physical security around these renovations..most construction sites I have seen have no security at all. I hardly ever see even a security fence around these locations. Take a look next time you drive by a store or building that is under a remodel or construction. You might be surprised at the lack of physical security of these locations. | |||||||||||||||||||||||||||||||||||||||||||||||
| If You Can’t Protect Your Website, How Can You Protect The Country? [BlogInfoSec.com] Posted: 09 May 2008 06:00 AM CDT If politics is a contact sport, why do I expect that we will not hear the political argument, “If You Can’t Protect Your Website, How Can You Protect The Country?” Why do I think that is it unlikely to be used as a valid political attack in the public discourse within our current US election? It seems to me that the main reason politicians stay away from using hacking as a political weapon is the ease at which it may be used against them at some point in the future. Politicians can’t change their public voting record, their former associations or last night’s speech (i.e., the past), but their website could be hacked in the future. Imagine this scenario: candidate A gets hacked. Candidate B makes a big production about how this hack represents a deficiency in candidate A. Candidate B gets hacked. Candidate B is now in a weaker position than candidate A. If candidate B is not hacked over the course of the election, then they win this spin. Otherwise, the one who is hacked second becomes a weaker candidate. It’s a game of hypocrisy: “Candidate accuses me, but they can’t do it themselves…” We can reframe our information security questions from candidate’s perspective:
In both cases, I think the answer is “No.” In the first case, it’s because there are more central issues regarding the health of our country. In the second case, website security is not a direct responsibility of the candidate, as such it is unlikely to reflect poorly on them should something go astray. (In short, there’s someone else to blame.) So, there really isn’t the incentive to risk using a hack as a political weapon. In the analysis above, I only considered a website hack because this just happened to Obama and because it is clearly a public incident. There are other incident types to consider (which I’ll leave to the reader’s imagination). I’ll also go on record and say that if the incident is large enough in scope — for example, a candidates entire campaign headquarters is compromised — that may have a significant political effect that could sway voter’s opinions. When first starting out in computer security, I downloaded SATAN by Dan Farmer and Wietse Venema. Bundled in Farmer and Venema’s download was their classic paper, “Improving the Security of Your Site by Breaking Into it.” In it they write:
Those words are as true today as in 1995. Consequently, I certainly wouldn’t stake my political career on a hack. Copyright © 2008 BlogInfoSec.com. This feed is copyrighted by bloginfosec.com. The feed may be syndicated only with our permission. If you feel that this feed is being syndicated by a website other than through us or one of our partners, please contact bloginfosec.com immediately at copyright()bloginfosec.com. Thank you! Again, please contact copyright@bloginfosec.com so we can take legal action immediately. | |||||||||||||||||||||||||||||||||||||||||||||||
| Is our minister of Telecommunications a Pirate [belsec] [Belgian Security Blognetwork] Posted: 09 May 2008 05:23 AM CDT The Belgian federal minister of Telecommunications van Quickenborne (Q voor friends and campaigners) has a long history of being the strange table-jumper in our political circles. He placed a webcam in his parliamentary office and as Secretary of State for Administrative Simplification he had a Kafka plan that made thousands of administrative rules and forms disappear. Now he is at it again. He is - just as several thousand other Iphone users in Belgium - using a cracked Iphone. Normally the Iphone can't be used in Belgium because there is no exclusive closed-in monopolistic blackmailing deal between big brother Apple and a victim telecom company that sees itself obliged to accept the terms and conditions of the Big Master Apple. But the Belgian Minister has asked someone (I hope he didn't do it himself) to make his Iphone usable. This can only be done by illegal software on the internet that Apple tries to hunt down or tries to outsmart (for a while). But as our minister of telecommunications does this, how can he protest against crackers that are outsmarting monopolistic firms, making games usable on more platforms, distributing films before they are in our theaters 6 months later (if they are distributed at all) and so on. It is the same logic (and I am not saying that I agree with it, I just try to explain the logic). It doesn't matter what the object of the crack is ( a film, a game, a DVDplayer, pc program or a phone). The logic is that at one side the firms and owners want to protect their business model and at the other side the crackers want to change or circumvent that model themselves. Between it is the public for which both do a battle of the minds and the pockets. The European Commission said they would investigate the Apple Iphone monopoly but there is no news yet from that front. For our Minister it wasn't going Quick enough.  answer to comment : illegal because of copyright, trademarks, patents and whatever that Apple won't sue a minister, that is right, but maybe they will take on some poor simple guy somewhere - or just upgrade their soft and block anyone out - whoever he or she is Let's hope the European Commission does something else than singling out only Microsoft while leaving all these other small but important monopolies alone. For the user a monopoly is a monopoly, small or big. | |||||||||||||||||||||||||||||||||||||||||||||||
| How Google knows what the flemish Call Center will answer [belsec] [Belgian Security Blognetwork] Posted: 09 May 2008 04:56 AM CDT Well if you use this Googledork than you will have a list of all the contactpersons and solutions that the people working in the call center of the Flemish Regional Administration will use. So why call them. You search a person and have more information than they would even give you
| |||||||||||||||||||||||||||||||||||||||||||||||
| Contract Vlaamse Gemeenschap - Telindus online Googled [belsec] [Belgian Security Blognetwork] Posted: 09 May 2008 04:47 AM CDT | |||||||||||||||||||||||||||||||||||||||||||||||
| Want Some COFEE? Microsoft Computer Online Forensic Evidence Extractor [Darknet - The Darkside] Posted: 09 May 2008 03:34 AM CDT Microsoft helping the good guys eh? I had someone ask me if I can get a hold of this so I did some checking up on.. I’d guess MS is doing this to sell additional software and services, but either way its a good thing to make a portable, easy to use and effective forensics toolkit. Would [...]SHARETHIS.addEntry({ title: "Want Some COFEE?... Read the full post at darknet.org.uk | |||||||||||||||||||||||||||||||||||||||||||||||
| Posted: 08 May 2008 11:43 PM CDT A while back, I blogged about an unfortunate event where a 14-year old girl had to change her name and move to a different location because she had undressed in front of her boyfriend - using a webcam. Since then, I have had a steady growth of visitors targeting that particular post. Some days, this post even shows up on my list of "Most visited" stories, as shown under:
Of course, me being in Norway, I am culturally obliged to be naive. And for a while, I can accept that. But after 6 months, and the same story keeps pulling visitors, even my limits are reached. I mean - what kind of sick bastards are searching for the text in this image? (No I am not concerned about the "wep hacker" search...)
Now, I immediately picture some crazy predator like the ones over here. But - giving it a little more thought, perhaps not all the hits are from wankers - but from young, frustrated guys looking for same-age girls? If there are predators only, I'd love to do something with it. You know, some ball-crushing or similar exercise. But - if even only one of the visitors are a young person looking for others in the same situation, or someone who plans to do something similar - then I hope that the post actually may do some good. Either by helping out someone in a difficult situation, or by avoiding such a mistake to repeat itself. --- If you are still looking for 14-year old girls stripping - you might want to try this YouTube clip! Just be warned - you have to be 18 years or older! Bookmark/Search this post with:  |  |  |  |  |  |  |  This posting includes an audio/video/photo media file: Download Now | |||||||||||||||||||||||||||||||||||||||||||||||
| OWASP Toronto Presentation - Building A Web Spider [360 Security] Posted: 08 May 2008 03:21 PM CDT A couple of weeks ago I spoke at OWASP Toronto. My goal was to lead a discussion on building a web application spider... what you had to consider, pitfalls to avoid and so forth. I felt like it went fairly well, the discussion lasted about an hour and there was quite a bit of group interaction. I picked up some interesting things from the attendees and I'm hoping that they picked up some interesting ideas from me. At the end of the discussion, I was asked if I could make the slides and the sample source (for a very basic spider) available. So here they are. PowerPoint Presentation | |||||||||||||||||||||||||||||||||||||||||||||||
| Posted: 08 May 2008 02:47 PM CDT I'm not sponsored by any vendor (as this ebook is) but I wanted to mention this since it's a freebie. Consider it the A of CIA. Today's IT infrastructures are complex, inflexible and growing fast.... | |||||||||||||||||||||||||||||||||||||||||||||||
| Interesting Bits - May 8th, 2008 [Infosec Ramblings] Posted: 08 May 2008 02:12 PM CDT Hello there. Here are today’s interesting bits from the security blogosphere. Rebecca Herold has post up that talks about how the decisions people make about what they post on public sites can affect their ability to get a job. Paul’s late-breaking computer attack vectors recording and slides is now available. I recently pointed to 0×000000’s .htaccess that acts as a web app firewall. Well, it has been revised again and a walk through has been provided to explain what is going on. Good stuff. Kees has a great post up about understanding what you protect. As he says: putting information security controls in place is not a goal, but a means to achieve a business goal. That’s all I’ve got right now. Been a busy day. Have great rest of yours. Kevin         | |||||||||||||||||||||||||||||||||||||||||||||||
| Notacon 5 conference videos [Security4all] [Belgian Security Blognetwork] Posted: 08 May 2008 02:09 PM CDT A reader commented that not just the presentation videos of Notacon 4 were online, but also the ones of the more recent Notacon 5. The reason why I mentioned the older ones (first), because they... | |||||||||||||||||||||||||||||||||||||||||||||||
| Why you should't be on a vendor's client list [Security4all] [Belgian Security Blognetwork] Posted: 08 May 2008 12:15 PM CDT When you buy a product, sometimes a vendor can offer you a discount in return for being able to mention you as a client. It might sound like a sweet deal without any risk. Or is it? Let's take an... | |||||||||||||||||||||||||||||||||||||||||||||||
| Sun Engineers - I Know Where The Rock Star Jobs In SaaS Are! [The Converging Network] Posted: 08 May 2008 11:52 AM CDT
Send your information to jobs@absolute-performance.com. Tell 'em you read about it on The Converging Network blog. Rock On! | |||||||||||||||||||||||||||||||||||||||||||||||
| Get Ready For XaaS Everywhere [The Converging Network] Posted: 08 May 2008 09:54 AM CDT
If imitation (being copied) is the most sincere form of flattery, then I'd say SaaS is gaining enough traction that others are coping the XaaS term for their use. But we shouldn't forget, what this all really means to us is that software, infrastructure, data, etc., etc,. are all moving into the cloud, being offered as a service. So if anyone needs any Blogging-as-a-Service, you know where to contact me. :) | |||||||||||||||||||||||||||||||||||||||||||||||
| Jeez - State department laptops missing.. [Data Protection, Management and Leakage] Posted: 08 May 2008 08:33 AM CDT This is bad news - folks with some of the most sensitive information seem to be willy-nilly with their laptops. How can we expect plain old corporate folks to take protection seriously? And this snippet takes the cake "...about 400 missing laptops belonging to the Anti-Terrorism Assistance Program ..." I wonder how many of these were targeted and stolen... If so, is a cold boot attack more likely against these types of assets? | |||||||||||||||||||||||||||||||||||||||||||||||
| Invaluable Advice from a Renowned CISO [BlogInfoSec.com] Posted: 08 May 2008 06:00 AM CDT As you know, this column focuses on some of the most fundamental components of an effective Security Program, namely the skills and competencies required by the security leader to implement a successful program. These traits, sometimes called the 'soft skills’ of security management, are increasingly important as security risk management becomes a predominant Board room conversation. Chapter 8 of the newly published anthology, CISO Leadership: Essential Principles for Success [Auerbach Publications, New York, 2008] offers invaluable advice from one of our renowned 'been there, done that’ security professionals, Howard Schmidt. Howard has an impressive resume: In addition to Schmidt’s service at the White House he has served as Vice President and Chief Information Security Officer and Chief Security Strategist at eBay, Chief Security Officer for Microsoft Corp, Supervisory Special Agent and Director of the Air Force Office of Special Investigations Computer Forensics Lab and Computer Crime and Information Warfare Division.” This column will highlight some of the wisdom from that chapter. In his introspection, Howard relates an epiphany he had early in his career. Although he was working with very intelligent, successful non-security people, he recognized that they had difficulty comprehending the 'what’ and 'why’ of information security. Now, don’t we all experience that at some time in our careers? We, who know and understand the risks and frailties of computer systems and networks; we, who eat, live and breathe security risk management; we, who devour the horror stories online and in hard copy of daily security breaches and identity thefts. Why would we not expect others to appreciate security? This is a critical point in achieving success in our profession: we must recognize that our business constituents have a myriad of decisions to make each day, and that information security is but one of many issues that may or may not even appear on their radar range. Regardless of whether we name it security and business alignment, business risk management, asset protection - semantics aside, we have to have the patience and the ability to articulate the importance and more importantly, the appropriate prioritization of information security. In his remarkable career, Howard leveraged his skills and competencies in his approach to providing visibility and influencing the organizations that he has been a part of. In his chapter, Howard offers excellent advice on the following: What Skills Should a CISO Have:
How a CISO Acquires Business Acumen:
Remember in the old days how we used to turn blue trying to convince our organizations that security was important. Howard makes a legitimate point that the thought process has evolved from “Why do we need security?” to “Help me make my business secure.” Businesses are becoming quite aware of security risks. How can they not be more aware when daily headlines decry lost laptops and identity theft? Our challenge as security professionals is to figure out how to assist the business in meeting their risk management needs in a manner that won’t be negatively impacted. Howard also validated what I’ve always believed is an important facet of information security - and a point that I highlighted in my first column on this blog - that is, consideration of the culture of the organization is pivotal for the success of a security program. The level of assurance is dependent on what needs to be safeguarded and the environment in which it resides. Remember, security must be realized as a benefit to the organization, both in cost savings as well as risk mitigation. Lastly, Howard offers his advice on the toughest challenges facing our profession today. Here’s a partial list:
Copyright © 2008 BlogInfoSec.com. This feed is copyrighted by bloginfosec.com. The feed may be syndicated only with our permission. If you feel that this feed is being syndicated by a website other than through us or one of our partners, please contact bloginfosec.com immediately at copyright()bloginfosec.com. Thank you! Again, please contact copyright@bloginfosec.com so we can take legal action immediately. | |||||||||||||||||||||||||||||||||||||||||||||||
| April Commenter of the Month Competition Winner! [Darknet - The Darkside] Posted: 08 May 2008 05:26 AM CDT Competition time again! As you know we started the Darknet Commenter of the Month Competition on June 1st 2007 and it’s been running since then! We have just finished the tenth month of the competition in April and are now in the twelfth, starting a few days ago on May 1st - Sponsored by GFI. We are [...]SHARETHIS.addEntry({ title: "April... Read the full post at darknet.org.uk |
Hey All,
With the eminent round of additional 
With the soaring interest in Software-as-a-Service (SaaS), we are already seeing the same metaphor used for other service offerings. Platform-as-a-Service, or PaaS, is becoming a common place term. Now I've also seen IaaS, or Infrastructure-as-a-Service. As I like to say, no good idea goes un-copied. What that means is we should all expect to be overrun by the use of XaaS terms, where X equals whatever word or phrase any vendor, analyst or marketer chooses to promote their product or service. If Sausage-as-a-Service will help sell more processed meats, you can bet someone will jump on the bandwagon and leverage XaaS to their benefit. | You are subscribed to email updates from Security Bloggers Network To stop receiving these emails, you may unsubscribe now. | Email Delivery powered by FeedBurner |
Inbox too full?  Subscribe to the feed version of Security Bloggers Network in a feed reader. | |
| If you prefer to unsubscribe via postal mail, write to: Security Bloggers Network, c/o FeedBurner, 20 W Kinzie, 9th Floor, Chicago IL USA 60610 | |
No comments:
Post a Comment