Spliced feed for Security Bloggers Network |
You need a PI license to repair computers? [Network Security Blog] Posted: 02 Jul 2008 07:33 AM CDT This is just silly! I wonder if some Texas lawmaker isn’t proactively protecting his pr0n collection from the computer repair guys? If a computer repair technician needs a private investigator’s license, what do real forensics specialists need? I’d hate to be the test case, but this really needs to see a courtroom. |
clothes off or I hack your computer [belsec] [Belgian Security Blognetwork] Posted: 02 Jul 2008 03:57 AM CDT Danny K. from Holland has been given a conditional sentence of 8 months in prison and a 500 euro fine by a Belgian judge because he blackmailed a 15-year-old girl from Antwerp into masturbating in front of her webcam. If she didn't do it, he would hack her computer. Because the girl's computer had only recently been repaired, she agreed: what would she tell her mother? That her computer was broken again? She would start asking questions and taking an interest in what she was doing all day and night on that computer. Probably she did discover something, because otherwise she wouldn't have taken the steps. It seems he was so sick in his mind that he had been trying to do this for years, but that poor girl was his first victim to fall for that stupid trick. Loser. I find no other word for it. But to make of this a national alert that everybody with a webcam is vulnerable and will be hacked, attacked, cyberbullied into masturbating before it..... is another matter. If you don't need it, don't turn it on. This is the same for webcams as for wireless, Bluetooth and computers in general. |
XSS Vulnerability in Commtouch Gateway? Not anymore! [Commtouch Café] Posted: 02 Jul 2008 02:53 AM CDT Commtouch Enterprise Anti-Spam Gateway is a nice and very effective product [hey, I am objective:)] that helps enterprises to block spam and virus outbreaks. It’s been out there for a long time and it has a solid base of loyal and happy customers all over the world. I know, because I’ve been supporting this product [...] |
ENISA cybersecurity policy study recommendations [belsec] [Belgian Security Blognetwork] Posted: 02 Jul 2008 02:49 AM CDT
* We recommend that the EU introduce a comprehensive security-breach notification law.
* We recommend that the Commission (or the European Central Bank) regulate to ensure the publication of robust loss statistics for electronic crime.
* We recommend that ENISA collect and publish data about the quantity of spam and other bad traffic emitted by European ISPs.
* We recommend that the European Union introduce a statutory scale of damages against ISPs that do not respond promptly to requests for the removal of compromised machines, coupled with a right for users to have disconnected machines reconnected if they assume full liability.
* We recommend that the EU develop and enforce standards for network-connected equipment to be secure by default.
* We recommend that the EU adopt a combination of early responsible vulnerability disclosure and vendor liability for unpatched software to speed the patch-development cycle.
* We recommend that security patches be offered for free, and that patches be kept separate from feature updates.
* The European Union should harmonise procedures for the resolution of disputes between customers and payment service providers over electronic transactions.
* We recommend that the European Commission prepare a proposal for a Directive establishing a coherent regime of proportionate and effective sanctions against abusive online marketers.
* ENISA should conduct research, coordinated with other affected stakeholders and the European Commission, to study what changes are needed to consumer-protection law as commerce moves online.
* We recommend that ENISA should advise the competition authorities whenever diversity has security implications.
* We recommend that ENISA sponsor research to better understand the effects of Internet exchange point (IXP) failures.
* We also recommend that they work with telecoms regulators to insist on best practice in IXP peering resilience.
* We recommend that the European Commission put immediate pressure on the 15 EU Member States that have yet to ratify the Council of Europe Convention on Cybercrime.
* We recommend the establishment of an EU-wide body charged with facilitating international co-operation on cyber crime, using NATO as a model.
* We recommend that ENISA champion the interests of the information security sector within the European Commission to ensure that regulations introduced for other purposes do not inadvertently harm security researchers and firms. |
Can I have a moment of your precious time ? [remes-it] [Belgian Security Blognetwork] Posted: 02 Jul 2008 02:45 AM CDT |
What’s My Motivation? [securosis.com] Posted: 02 Jul 2008 01:11 AM CDT Or more appropriately, “Why are we talking about ADMP?” In his first post on the future of application and database security, Rich talked about Forces and Assumptions heading us down an evolutionary path towards ADMP. I want to offer a slightly different take on my motivation, or belief, in this strategy. One of the beautiful things about modern application development is our ability to cobble together small, simple pieces of code into a larger whole in order to accomplish some task. Not only do I get to leverage existing code, but I get to bundle it together in such a way that I alter the behavior depending upon my needs. With simple additions, extensions and interfaces, I can make a body of code behave very differently depending upon how I organize and deploy the pieces. Further, I can bundle different application platforms together in a seamless manner to offer extraordinary services without a great deal of re-engineering. A loose confederation of applications cooperating to solve business problems is the typical implementation strategy today, and I think that the security challenge needs to account for the model rather than the specific components within the model. Today, we secure components. We need to be able to ‘link up’ security in the same way that we do the application platforms (I would normally go off on an Information Centric Security rant here, but that is pure evangelism, and a topic for another day). I have spent the last four years with a security vendor that provided assessment, monitoring, and auditing of databases, and of databases specifically. Do enough research into security problems, customer needs, and general market trends, and you start to understand the limitations of securing just a single application in the chain of events. 
For example, I found that database security issues detected as part of an assessment scan may have specific relevance to the effectiveness of database monitoring. I believe Web Application security providers witness the same phenomenon with SQL Injection, as they may lack some context for the attack, or at least for the more subtle subversions of the system or exploitation of logic flaws in the database or database application. A specific configuration might be necessary for business continuity and processing, but could open an acknowledged security weakness that I would like to address with another tool, such as database monitoring. That said, where I am going with this line of thought is not just the need for detective and preventive controls on a single application like a web server or database server, but rather the inter-application benefit of a more unified security model. There were many cases where I wanted to share some aspect of the database setup with the application or access control system that could make for a more compelling security offering (or vice versa, for that matter). It is hard to understand context when looking at security from a single point outside an application, or from the perspective of a single application component. I have said many times that the information we have at any single processing node is limited. Yes, my bias towards application-level data collection vs. network-level data collection is well documented, but I am advocating collection of data from multiple sources. A combination of monitoring of multiple information sources, coupled with a broad security and compliance policy set, would be very advantageous. I do not believe this is simply a case of more (monitoring) being better, but of solving specific problems where it is most efficient to do so. 
There are certain attacks that are easier to address at the web application level, and others best dealt with in the database, while others should be intercepted at the network level. But the sharing of policies, policy enforcement, and suspect behaviors, can be both more effective and more efficient. Application and Database Monitoring and Protection is a concept that I have been considering/researching/working towards for several years now. With my previous employer, this was a direction I wanted to take the product line, as well as some of the partner relationships to make this happen across multiple security products. When Rich branded the concept with the “ADMP” moniker it just clicked with me for the reasons stated above, and I am glad he posted more on the subject last week. But I wanted to put a little more focus on the motivation for what he is describing and why it is important. This is one of the topics we will both be writing about more often in the weeks and months ahead. |
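An added example, not code from the Securosis post, of what the inter-application context it argues for looks like in practice: a small Python detector that joins a constructed web access log to a constructed database statement log and checks each request against one policy shared by both layers. The assumption doing the work is that the application tags every SQL statement with the web session id in a leading comment so the two logs can be joined; the log formats, endpoints, table names, session ids and the policy itself are all constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample web log (not from the original post): timestamp, session id, method, path.
WEB_LOG = """\
2008-07-02T01:11:03 sid=a1 GET /search?q=laptop
2008-07-02T01:11:05 sid=b2 GET /search?q=laptop
2008-07-02T01:11:09 sid=c3 POST /login
"""

# Constructed database statement log. Assumption: the application prefixes every statement
# with a comment carrying the web session id, which is what lets the two layers be joined.
DB_LOG = """\
2008-07-02T01:11:03 /* sid=a1 */ SELECT id, name FROM products WHERE name LIKE ?
2008-07-02T01:11:05 /* sid=b2 */ SELECT id, name FROM products WHERE name LIKE 'x' UNION SELECT login, password FROM users
2008-07-02T01:11:09 /* sid=c3 */ SELECT id FROM users WHERE login = ? AND pw_hash = ?
2008-07-02T01:11:09 /* sid=c3 */ SELECT pan FROM credit_cards WHERE user_id = ?
"""

# Shared policy: which tables an endpoint may touch and how many statements one request may issue.
# Neither layer can enforce this alone: the web layer never sees SQL, the database never sees the URL.
POLICY = {
    "/search": {"tables": {"products"}, "max_statements": 1},
    "/login": {"tables": {"users"}, "max_statements": 1},
}
WINDOW = timedelta(seconds=2)  # how far apart a request and the statements it caused may be

WEB_RE = re.compile(r"^(\S+) sid=(\w+) (\w+) (/[^?\s]*)")
DB_RE = re.compile(r"^(\S+) /\* sid=(\w+) \*/ (.*)$")
TABLE_RE = re.compile(r"\b(?:from|join|into|update)\s+([a-z_]+)", re.I)


def parse(log, regex):
    """Return (timestamp, field, ...) tuples for every line the regex matches."""
    rows = []
    for line in log.splitlines():
        m = regex.match(line)
        if m:
            rows.append((datetime.fromisoformat(m.group(1)),) + m.groups()[1:])
    return rows


def tables_in(sql):
    """Crude table extraction: good enough for this check, not a SQL parser."""
    return {t.lower() for t in TABLE_RE.findall(sql)}


def correlate(web_log=WEB_LOG, db_log=DB_LOG):
    """Join each web request to the statements it caused and check them against POLICY.
    Returns (session, endpoint, reason) findings in log order."""
    web = parse(web_log, WEB_RE)
    db = parse(db_log, DB_RE)
    findings = []
    for ts, sid, _method, path in web:
        rule = POLICY.get(path)
        if rule is None:
            continue
        stmts = [sql for dts, dsid, sql in db if dsid == sid and abs(dts - ts) <= WINDOW]
        touched = set().union(*(tables_in(s) for s in stmts)) if stmts else set()
        if len(stmts) > rule["max_statements"]:
            findings.append((sid, path, f"{len(stmts)} statements, policy allows {rule['max_statements']}"))
        outside = touched - rule["tables"]
        if outside:
            findings.append((sid, path, f"touched tables outside policy: {sorted(outside)}"))
    return findings


if __name__ == "__main__":
    for sid, path, why in correlate():
        print(f"ALERT session={sid} endpoint={path}: {why}")
```

The second `/search` request carries an injected UNION that the database side shows reaching `users`, a table the policy never lets that endpoint touch, regardless of whether a WAF liked the URL. The `/login` request looks ordinary at each layer on its own and is flagged only because one request produced two statements, one of which read `credit_cards`. Neither layer could raise either alert by itself, which is the point the post is making.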
10,000 laptops lost *Each Week* in the 30 largest US airports. [IceLock Blog] Posted: 02 Jul 2008 01:08 AM CDT According to a recent Ponemon Institute study done for Dell, highlighted here in PC World, over 10,000 laptops are lost each week in airports alone! But here’s the crazy part: “About 53 percent said that laptops contain confidential company information, with 65 percent taking no steps to protect the information.” It’s really hard to understand why this is not a giant red flag, for government, for liability insurers, for business owners everywhere, given how readily confidential information is bought and sold at this point. Maybe it’s still just too hard to use most encryption solutions? This is what we believe, and the problem IceLock is intended to solve. |
ATM PIN Thefts [securosis.com] Posted: 02 Jul 2008 12:59 AM CDT The theft of Citibank ATM PINs is in the news again, as it appears that indictments have been handed down on the three suspects. This case will be interesting to watch, to see what the fallout will be. It is still not really clear whether the PINs were leaked in transit or the clearing-house servers were breached. There are a couple of things about this story that I still find amusing. The first is that Fiserv, the company that operates the majority of the network, is pointing fingers at Cardtronics Inc. The quote by the Fiserv representative, “Fiserv is confident in the integrity and security of our system,” is great. They both manage elements of the ‘system’. When it comes down to it, this is like two parties standing in a puddle of gasoline accusing each other of lighting a match. It won’t matter who is at fault when they both go up in flames. In the public mind no one is going to care; they will be blamed equally and quite possibly both go out of business if their security is shown to be grossly lacking. My second thought on this subject was that once you breach the ‘system’, you have to get the money out. In this case, it has been reported that over $2M was ‘illegally gained’. If the average account is hacked for $200.00, we are talking about at least 10,000 separate ATM withdrawals. That is a lot of time spent at the 7-11! But seriously, that is a lot of time to spend making ATM withdrawals. I figure that the way they got caught is that the thief’s picture kept turning up on security cameras … otherwise this is a difficult crime to detect and catch. I also got to thinking about ATMs: the entire authentication process is not much more than basic two-factor authentication combined with some simple behavioral checks at the back end. The security of these networks is really not all that advanced. 
Typically PIN codes are four digits in length, and it really does not make a lot of sense to use hash algorithms given the size of the PIN and the nature of the communications protocol. And while it requires some degree of technical skill, the card itself can be duplicated, making for a fairly weak two-factor system. Up until a couple of years ago DES was still the typical encryption algorithm in use, and only parts of the overall transaction-processing system keep the data encrypted. Many of the ATMs are not on private networks but use the public Internet and airwaves. Given the amount of money and the number of transactions processed around the world, it is really quite astonishing how well the system as a whole holds up. Finally, while I have been known to bash Microsoft for various security miscues over the years, it seems somewhat specious to state “Hackers are targeting the ATM system’s infrastructure, which is increasingly built on Microsoft Corp.’s Windows operating system.” Of course they are targeting the infrastructure; that is the whole point of electronic fraud. They probably meant the back-end processing infrastructure. And why mention Windows? Windows may make familiarity with the software easier; this case does not show that any MS product was at fault for the breach. Throwing that into the story seems like an attempt to cast blame on MS software without any real evidence. |
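An added illustration, not part of the Securosis post, of why hashing a four-digit PIN buys nothing while a secret key the eavesdropper lacks does. The Python below hashes a PIN together with the PAN (the card number, which is printed on the card and so is no secret), recovers it by exhausting the 10,000 possibilities, and then repeats the same search against an HMAC under a key shared by ATM and host, standing in for the PIN-block encryption under a zone key that ATM networks actually use. The PAN, PIN and keys are constructed values.

```python
import hashlib
import hmac

PAN = "4111111111111111"  # constructed card number; a PAN is printed on the card, so it is no secret
PIN_LENGTH = 4


def hashed_pin(pan, pin):
    """The tempting 'just hash it' scheme: SHA-256 over PAN and PIN, no key involved."""
    return hashlib.sha256(f"{pan}:{pin}".encode()).hexdigest()


def recover_pin_from_hash(pan, digest, length=PIN_LENGTH):
    """An eavesdropper holding the digest needs at most 10**length hashes to get the PIN back.
    Returns (pin, guesses_used) or (None, 10**length)."""
    for guess in range(10 ** length):
        pin = f"{guess:0{length}d}"
        if hashed_pin(pan, pin) == digest:
            return pin, guess + 1
    return None, 10 ** length


def keyed_pin_tag(pan, pin, key):
    """Keyed alternative: HMAC-SHA256 under a key shared by the ATM and the host. It stands in
    for encrypting the PIN block under a zone key (DES/3DES in the post's era); the point is
    the secret key, not the primitive."""
    return hmac.new(key, f"{pan}:{pin}".encode(), hashlib.sha256).hexdigest()


def recover_pin_from_tag(pan, tag, candidate_key, length=PIN_LENGTH):
    """The same 10,000-guess search against the keyed tag. It only succeeds when candidate_key
    is the real key, so an eavesdropper cannot verify guesses offline."""
    for guess in range(10 ** length):
        pin = f"{guess:0{length}d}"
        if hmac.compare_digest(keyed_pin_tag(pan, pin, candidate_key), tag):
            return pin, guess + 1
    return None, 10 ** length


if __name__ == "__main__":
    real_pin, real_key = "7391", b"host-and-atm-shared-key"  # constructed values
    pin, tries = recover_pin_from_hash(PAN, hashed_pin(PAN, real_pin))
    print(f"unkeyed hash: recovered PIN {pin} after {tries} guesses")
    pin, tries = recover_pin_from_tag(PAN, keyed_pin_tag(PAN, real_pin, real_key), b"attacker-guess")
    print(f"keyed tag, wrong key: recovered {pin} after {tries} guesses")
```

Salting with the PAN does not help, because the salt is exactly what the attacker reads off the captured transaction or the card itself; only a key that never travels with the message turns the 10,000-entry search into a problem for the attacker instead of for the bank.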
Network Security Podcast, Episode 110 [Network Security Blog] Posted: 01 Jul 2008 10:26 PM CDT Ever have one of those days where just about nothing seems to go right? That just about describes today. Rich had to bail tonight due to family obligations, though it sounds like it’s the fun type of obligation, not like having dinner with Aunt Ethel or something. We had a guest lined up, but due to poor planning on our (read: my) part, we didn’t communicate the recording time well enough and that didn’t work out. Luckily Michael Santarcangelo was available to join me tonight as co-host, so you aren’t stuck listening to me drone on by myself for half an hour or so. I know that’s what I used to do every week, but it just seems so much harder than it used to. Network Security Podcast, Episode 110 Time: 1:03:17 |
Metadirectories Aren't Dead (They're Just Aging) [Matt Flynn's Identity Management Blog] Posted: 01 Jul 2008 10:04 PM CDT Nishant Kaushik updated his blog and one of his old posts showed up on PlanetIdentity reminding me of the recent discussions on metadirectories and virtual directories between him and others (Dave, Jackson, Kim). Not that I want to pick a fight with any of these guys, but for anyone who thinks the metadirectory is dead, I have a simple (albeit a bit late) scenario for you. There are three identity stores:
I love virtual directory technology as much as the next guy (Hi Mark), but claiming that any technology is superior to another without a discussion of the specific requirements being met just doesn't seem to make sense. Companies, departments, and projects within departments have different needs. I've said it before. They're just tools. So, when James McGovern asks what the role of virtual directory should be, I don't have an answer. There is no should in this discussion. Ian Yip had a similar pragmatic answer. And Nishant echoed with "the mantra should always be to choose the right tool that solves your problems". Exactly. If the idea is simply to talk about what the future should look like, I think James hit on something. There has been a ground swell of apps that directly support Active Directory as the user store. So, maybe the next versions of the HR and LOB apps in the above scenario would attach directly to AD eliminating the need for any solution here. As prevalent as AD has become, that seems more likely than mass-consumption of virtual directory technologies. And it's probably what Jackson was alluding to (Quest enables *nix systems to leverage AD). Another possibility is that apps will support SOA-based authentication and authorization, though that hasn't quite spread like wild fire quite yet. Don't get me wrong – I don't think the need for virtual directory technologies will go away anytime soon, but I wouldn't be surprised if it never becomes a standard in the mid-market. And I don't think it'll ever completely replace metadirectory technologies. Metadirectory may be aging, but hey, 50 is the new 30. It's not dead yet. |
PRC Cyber Space Capabilities [The Dark Visitor] Posted: 01 Jul 2008 06:08 PM CDT
Very interesting testimony before the US-China Economic and Security Review Commission on PRC cyber space capabilities. The commission broke the talks down into three major sections, with some congressional perspective and admin thrown in for good measure. The primary topics were space capabilities, cyber capabilities and proliferation. Only panel three spoke on cyber issues, but a typo in the contents section says panel two also spoke on it. Panel two actually talked about space capabilities. The three people called to testify before the panel were Colonel McAlum, Mr. Thomas and Dr. Mulvenon. All three gave very good presentations. If you don’t want to search through the whole document, the cyber section begins on page 45.
Really glad to finally hear someone clarify the difference between cyber attack and intrusion. Words really do make a difference. The rest of the report on PRC cyber space capabilities can be found here…. |
The next big storm: outdated browsers and plugins [Security4all] [Belgian Security Blognetwork] Posted: 01 Jul 2008 06:02 PM CDT |
Netgear provides alternative opensource router [Security4all] [Belgian Security Blognetwork] Posted: 01 Jul 2008 05:40 PM CDT |
hacked untouchable entertainment u-e.be [belsec] [Belgian Security Blognetwork] Posted: 01 Jul 2008 05:37 PM CDT |
Posted: 01 Jul 2008 05:09 PM CDT * The discussion of the Maatschappelijke beleidsnota digitaal Vlaanderen of 28 May 2008 (196-page PDF) gave rise to a 61-page PDF of policy recommendations. Some striking statements. It is nonetheless interesting to read the following about the municipalities: municipalities make minimal efforts on behalf of the disabled (blind surfer or any other technology). The citizen also usually has to log in first, with a user ID and a password, before he can see which services are available for consultation (e-loket): the security of this is far lower than that of the system used by Certipost, for example. Professor Paul Lagasse states the following in the full document * We have ended up in the remarkable situation where our physical safety is protected by legislation and the police, but where the user has to look after his own digital security. I call on the operators to take their responsibility and provide this service: they have the technical means to protect the consumer adequately. I am in favour of regulation that pushes operators to protect the user if he so wishes * Operators that do not stop spam themselves before it leaves for others will be boycotted by the other operators. In other words, they are excluded as outlaws. * Modern mobile phones are also bombarded with spam and viruses. We do not really realise that yet, because mobile technology in Europe is still fairly limited. But in the East, where mobiles also offer mail and multimedia, the problem certainly exists. Mr Stijn Bijnens * In my view the medical sector is the most vulnerable. In the US the HIPAA regulation makes security enforceable. We have even stricter legislation, but it is not enforced. The budgets to carry it out are low, except at the largest hospitals. 
* People find it normal that not every house has its own water treatment plant, yet they do not expect the same from their telecom operator as from their drinking-water company. The consumer does not have to accept that. Security must become a basic service of the network, and the market will probably evolve that way. Clean internet is the same as clean water and a constant mains voltage. Both speakers forget, however, that under the new Telecom Act the operators must offer this for free, without any extra cost to the user. |
what is awaiting other tax services : tax phishing [belsec] [Belgian Security Blognetwork] Posted: 01 Jul 2008 04:35 PM CDT This is one that is becoming common in the US. From: "IRS"<tax-refund-online@irs.info> After the last annual calculation of your fiscal activity we have determined that you are eligible to receive a tax refund of $949.30. If you don't receive your refund within 9 business days from the original IRS mailing date shown on Where's My Refund?, you can start a refund trace online. To get to your personal refund information, be ready to enter your: To access the form for your tax refund, please click here : Tax Refund Online Form Note: there are people that actually believe this |
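An added check, not from the belsec post, for the kind of lure quoted above: Python that parses a constructed copy of the message and flags a display name claiming a brand whose real domain the sender does not use, links pointing outside that brand's domains, and the refund-lure phrasing. The original post quotes only the sender and body text, so the Subject and the link target are assumptions; irs.gov is the real US tax authority domain, everything else is constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed message modelled on the lure quoted in the post. The Subject header and the
# href are assumptions; the sender address and body wording follow the quoted text.
SAMPLE = """\
From: "IRS" <tax-refund-online@irs.info>
Subject: Tax refund notification
Content-Type: text/html

<p>After the last annual calculation of your fiscal activity we have determined that
you are eligible to receive a tax refund of $949.30.</p>
<p><a href="http://irs.info/refund">Tax Refund Online Form</a></p>
"""

# Brand keyword -> domains that may legitimately send as that brand. Extend per organisation;
# irs.gov is the real one, the table itself is the analyst's assumption.
BRAND_DOMAINS = {"irs": {"irs.gov"}}
LURE_PHRASES = ("tax refund", "eligible to receive", "click here")
HREF_RE = re.compile(r'href="([^"]+)"', re.I)


def belongs_to(host, domains):
    """True if host is one of the domains or a subdomain of one (www.irs.gov belongs to irs.gov)."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def check_message(raw):
    """Return the reasons a message looks like brand impersonation; an empty list means nothing found."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    body = msg.get_payload()
    findings = []
    for brand, domains in BRAND_DOMAINS.items():
        claims_brand = brand in name.lower() or brand in msg.get("Subject", "").lower()
        if not claims_brand:
            continue
        if not belongs_to(sender_host, domains):
            findings.append(f"display name/subject claims {brand.upper()} but sender domain is {sender_host}")
        for url in HREF_RE.findall(body):
            host = urlparse(url).hostname
            if not belongs_to(host, domains):
                findings.append(f"link to {host} is outside {brand.upper()} domains")
    lures = [p for p in LURE_PHRASES if p in body.lower()]
    if lures:
        findings.append(f"lure phrases: {lures}")
    return findings


if __name__ == "__main__":
    for reason in check_message(SAMPLE):
        print("SUSPICIOUS:", reason)
```

The display-name check is the one that generalises: the same "trusted name, unrelated domain" pattern covers a Belgian tax office as well as the IRS once its real domains are in the table. The header the attacker cannot forge cheaply is the envelope sender's domain, which is why the check keys on that rather than on the wording.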
PktAnon : Packet Trace Anonymization Tool [/dev/random] [Belgian Security Blognetwork] Posted: 01 Jul 2008 01:41 PM CDT A few weeks ago, I wrote a post about packet capture anonymization. When you have to share traces with other parties, anonymization can be a requirement. A new tool is available: PktAnon. |
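An added example, not PktAnon's code, of the core operation such tools perform: rewriting the IPv4 addresses in a pcap so the trace can be shared without the real addresses, while keeping the subnet structure that makes the trace useful for analysis. The Python below implements a keyed prefix-preserving mapping (the Crypto-PAn construction in simplified form), recomputes the IP header checksum, and runs over a two-packet capture constructed inside the script; the key, MAC addresses and IP addresses are all constructed.

```python
import hashlib
import hmac
import socket
import struct

PCAP_MAGIC_LE, PCAP_MAGIC_BE = b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4"


class PrefixPreservingAnonymizer:
    """Keyed, prefix-preserving IPv4 mapping: output bit i = input bit i XOR PRF(key, first i
    input bits). Addresses sharing an n-bit prefix before anonymization still share an n-bit
    prefix afterwards, and only the key determines which prefix that is."""

    def __init__(self, key):
        self.key = key
        self.cache = {}

    def map_addr(self, addr):
        if addr in self.cache:
            return self.cache[addr]
        x = int.from_bytes(addr, "big")
        out = 0
        for i in range(32):
            prefix = x >> (32 - i)  # the i most significant input bits
            prf = hmac.new(self.key, struct.pack(">BI", i, prefix), hashlib.sha256).digest()
            out = (out << 1) | (((x >> (31 - i)) & 1) ^ (prf[0] & 1))
        self.cache[addr] = out.to_bytes(4, "big")
        return self.cache[addr]


def ipv4_checksum(header):
    """RFC 1071 checksum over an IPv4 header; yields 0 for a header whose checksum field is already right."""
    total = sum(struct.unpack(f">{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def anonymize_frame(frame, anon):
    """Rewrite src/dst of an Ethernet/IPv4 frame and fix the IP header checksum; other frames pass through."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return frame
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or len(frame) < 14 + ihl:
        return frame
    ip = bytearray(frame[14:14 + ihl])
    ip[12:16] = anon.map_addr(bytes(ip[12:16]))
    ip[16:20] = anon.map_addr(bytes(ip[16:20]))
    ip[10:12] = b"\0\0"
    ip[10:12] = struct.pack(">H", ipv4_checksum(bytes(ip)))
    return frame[:14] + bytes(ip) + frame[14 + ihl:]


def pcap_records(pcap):
    """Yield (record_header, frame) for each packet of a classic (non-pcapng) Ethernet capture."""
    endian = {PCAP_MAGIC_LE: "<", PCAP_MAGIC_BE: ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        rec = pcap[off:off + 16]
        incl_len = struct.unpack(endian + "I", rec[8:12])[0]
        yield rec, pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len


def anonymize_pcap(pcap, key):
    """Return a new pcap with every IPv4 address replaced under the keyed mapping; timestamps and lengths untouched."""
    anon = PrefixPreservingAnonymizer(key)
    out = bytearray(pcap[:24])
    for rec, frame in pcap_records(pcap):
        out += rec + anonymize_frame(frame, anon)
    return bytes(out)


def addresses(pcap):
    """(src, dst) dotted-quad pairs of the IPv4 frames in a capture, for inspecting the result."""
    return [(socket.inet_ntoa(f[26:30]), socket.inet_ntoa(f[30:34]))
            for _rec, f in pcap_records(pcap) if len(f) >= 34 and f[12:14] == b"\x08\x00"]


def build_sample_pcap():
    """Constructed two-packet capture: two hosts in 10.1.2.0/24 send a bare IPv4 header to 192.0.2.10."""
    def frame(src, dst):
        ip = bytearray(20)
        ip[0], ip[8], ip[9] = 0x45, 64, 17  # IPv4 with IHL 5, TTL 64, protocol UDP (no payload follows)
        ip[2:4] = struct.pack(">H", 20)
        ip[12:16], ip[16:20] = socket.inet_aton(src), socket.inet_aton(dst)
        ip[10:12] = struct.pack(">H", ipv4_checksum(bytes(ip)))
        return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + bytes(ip)
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n, (src, dst) in enumerate([("10.1.2.3", "192.0.2.10"), ("10.1.2.77", "192.0.2.10")]):
        f = frame(src, dst)
        pcap += struct.pack("<IIII", 1215000000 + n, 0, len(f), len(f)) + f
    return pcap


if __name__ == "__main__":
    original = build_sample_pcap()
    print("before:", addresses(original))
    print("after: ", addresses(anonymize_pcap(original, b"constructed-key")))
```

Two caveats a practitioner would want: TCP and UDP checksums cover a pseudo-header containing the addresses, so they become wrong after rewriting and need recomputing (a tool like PktAnon has transformation profiles for this; the example leaves them alone), and prefix preservation is also what makes these schemes attackable, since an adversary who can get traffic with known addresses into the capture learns how the shared prefixes were mapped. Payload, MAC addresses and timestamps are also left untouched here and frequently need their own treatment before a trace leaves the organisation.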
The Website is Down! [/dev/random] [Belgian Security Blognetwork] Posted: 01 Jul 2008 01:34 PM CDT |
The NHS just doesn't "do" Information Security [IT Security Expert] Posted: 01 Jul 2008 01:16 PM CDT I said this before, and I'll probably say it again a few more times: "The NHS just doesn't "do" Information Security". The latest in a catalogue of NHS breaches involved a senior manager who had his laptop stolen; the laptop held over 21,000 records of Essex patients. The same old problems with a laptop breach... 1. No hard-disk encryption. Password protection is almost no protection; it's very easy to bypass Windows passwords, and pretty much anyone who can type into Google can manage it. 2. Poor information management. We have a vast amount of sensitive data which has been allowed to be "copied" from a central IT system to a laptop. Should the manager have access to that much information? Should he be allowed to export that much information from the host system? Probably not. Who else can access and take a copy of this data? What's to stop someone putting it onto a £6 flash drive? I have friends who work in the NHS; they tell me the NHS has no culture or awareness towards protecting the vast amount of personal and, let's face it, highly sensitive information which the NHS holds and processes. I'm not saying keeping people alive is less important than investing in information security, but that's the problem: a lack of investment (money), and that's why there will continue to be serious data breaches involving the NHS. But consider this: soon the NHS will be storing our DNA profiles on their systems as well... I'll finish on a positive note with this data breach, as I'm being far too negative lately: good for the NHS for disclosing and letting the people who are affected know in a decent time frame. Well, they've had plenty of practice, right? |
Why Teams Reinvent the Wheel [The Security Catalyst] Posted: 01 Jul 2008 01:01 PM CDT After a decade of participating in certification workshops (and similar events like program and solution development), I have witnessed an interesting trend emerge: ask ten professionals to define a term or concept and get twelve answers.
While this may not happen to all groups, it certainly happens to a lot of them. Why else do we have so many frameworks to assess risk? When you really dig into them, they all advocate essentially the same thing, but with a variety of tools and ways to do it. Most "security" professionals feel that none of them is complete and continue to search for the holy grail (which means they decide to build it better). This is an inherent challenge –- and benefit –- to working with a team of experienced, dedicated and passionate professionals: each has tremendous value to contribute based on their experience. The problem lies in distilling the various experiences into a useful solution instead of muddling them together into something that looks like the wheel we already have, only slightly different (and not necessarily better). In order to prevent the unnecessary reinvention of what already exists — and use time and resources to get better results — it is important to first understand the three main reasons this happens (tomorrow, we explore what to do about it): 1 - "Truthiness" Strikes Again!
There is too much "truthiness" in security today — inherent in the myriad of certifications, frameworks and solutions — and in the industry overall. I suspect it is a result of exerting professional opinions combined with a [perceived] lack of time to back them up with references. This is, quite possibly, the single biggest challenge the industry faces right now: put enough experts in the room and everyone has an opinion that is a shade different from the others. The paradox is that these different opinions are precisely what is needed to distill the core essence necessary for an effective solution. These opinions need to be captured, tied back to references and distilled for important elements. However, in a group setting of experts, each person has an innate desire to share valuable information and insights; everyone wants to be "right." Just because someone "claims it so" doesn't make it true (even if it is written on the Internet). Truthiness brings an unintended consequence: personal emotional involvement. It is easy to make a statement of "fact", but more difficult (albeit necessary) to back it up with references and data that support the point. Call it ego, passion or whatever you want. Whether relying on a priori or a posteriori knowledge (I had to look it up, too: http://en.wikipedia.org/wiki/A_priori_and_a_posteriori_%28philosophy%29 - hat tip: Lori Mac Vittie), individual emotion and reputation become entangled in the result; this introduces unnecessary complication that muddies the end result. (Pick the Brain recently ran a great post about this: Is Truthiness Holding Back Your Blog? — if you're not reading this regularly, you should consider it) 2 - Failure to Focus on Fundamentals Over time, a tight grasp on fundamental concepts is loosened. As experience colors fundamental understanding, individuals accept "close enough" and rely on truthiness (after all, it works in their professional lives). 
Failing to focus on fundamentals (or at least reference sources) leads to confusion of language, resulting in wasted time and effort. This extends beyond the current session to future sessions where the specifics of the discussion have long since been forgotten. By failing to establish anchors to accepted standards, definitions, resources or other fundamentals, the essence is lost. As a result, it is difficult, if not impossible, to make meaningful progress. Using language to reach a truly common understanding requires constant and skillful negotiation. Success comes when those involved work together to build a common set of anchors. Without a similar frame or grounding in the same perspective, it becomes increasingly difficult to reach the same conclusion. 3 - Groupthink Prevails
Here is where this applies: most of these groups have few arguments. The few challenges that exist tend to be heated and passionate discussions centered on two different positions, both relying on truthiness. The sad reality is that most people have forgotten (or never learned) how to challenge and argue effectively. This lack of practice in argument is also hampered by personal emotion. When the argument is centered on the idea of a person instead of a fundamental concept and how it is applied, it feels like a personal attack to the person who suggested it. And sometimes, it probably _is_ a personal attack. Regardless, it does not represent a constructive approach toward real results. Realizing the conflicts are unproductive (and sometimes uncomfortable), groupthink kicks in. It is further compounded by those who are less certain of the facts and decide to remain quiet lest they be branded as unworthy of participation. The natural instinct is to presume the other person knows more and avoid the embarrassment of being wrong. So instead of vigorous and productive conversation, the group is met with tacit approval (and sometimes whispers in the corners). Passion expressed as truthiness that is not anchored to references gives way to groupthink. The resulting product often resembles a reinvented wheel, instead of a solution that takes advantage of the good wheels already developed. Your New Wheel (wait, did you want a new wheel?) While "ownership" is believed to lead to better results (the whole concept of responsibility addressed in Into the Breach), few people want to own the efforts of someone else. Personal investment clashes with the fashionable approach of rejecting solutions "not made here" (which would take another series to explore). Basically, everyone wants to build their own, better solution (for various reasons). 
Unfortunately, as the process unfolds, the three elements outlined above combine to create an end result that the very professionals involved often distance themselves from. Personal pride turns to hurt emotions and bitter feelings. And the search for a new solution kicks back in. How to overcome these challenges and build a successful framework/solution will be tackled in the next segment.
Technorati Tags: catalyst, comptia, fundamentals, groupthink, into the breach, trustmark, truthiness |
Sipera looking to hire a few good VoIP security researchers… [Voice of VOIPSA] Posted: 01 Jul 2008 12:37 PM CDT
Job descriptions and information about applying can be found over on Sipera’s “Careers in VoIP Security” page. (i.e. please do not leave comments here about these jobs or contact us as we have nothing to do with the jobs). |
Don’t lose your laptop at the airport! [Network Security Blog] Posted: 01 Jul 2008 12:17 PM CDT I don’t know about other travelers, but losing my laptop while flying to or from a client site is one of my bigger fears. I have so much sensitive information on my drive that I’d panic if it was out of my sight for more than the thirty seconds it takes to X-ray my laptop. And according to a new study released yesterday by the Ponemon Institute, I have reason to be worried. I like the line in this article, “close to 10,278 laptops are reported lost every week”. That sounds like a pretty exact number to just be close to. I agree completely with the advice given by the FTC: treat your laptop just like you would a wad of cash. It’s fairly easy for a thief to turn around and sell your laptop for a couple of hundred dollars. You wouldn’t leave a bundle of twenties sitting on the X-ray machine’s conveyor belt, so why do people leave laptops lying around? What’s possibly more important than the laptop itself is the data on its hard drive. If it’s your computer, not work’s, you might be in real danger of having to deal with identity theft if it is stolen. If it is your work computer, you’ve lost whatever you’ve done since you last backed up. And if you’ve got any sensitive business documents on the drive, you will probably have some explaining to do to your boss, not to mention any client data that went with it. Disk encryption, whether whole-disk or just a partition, is one solution just about every traveler should be looking at. At least that way all you’ll be suffering is the lost work, not having to report a compromise because you lost sensitive information. Not that anyone in their right mind would be carrying large amounts of credit card or personally identifiable information around on their laptop, right? |
Save your passwords with Mozilla’s Weave [GNUCITIZEN Media Portfolio] Posted: 01 Jul 2008 10:07 AM CDT Save all your passwords and session identifiers in the cloud with Mozilla’s Weave. What do you think about that? Now this is not a feature entirely unique to Mozilla. We’ve seen the same trend with Microsoft’s Live Mesh and I suspect that Adobe and Yahoo are currently working on their own clones. These types of technologies totally change the rules of the game. Now picture this: what if your corporate employee uses the same password for their Flickr account as their VPN/Email logon? Hack the cloud, get the goodies! |
Inside NSA Red Team Secret Ops With Government’s Top Hackers [Vincent Arnold] Posted: 01 Jul 2008 08:58 AM CDT
When it comes to the U.S. government's computer security, we in the tech press have a habit of reporting only the bad news—for instance, last year's hacks into Oak Ridge and Los Alamos National Labs, a break-in to an e-mail server used by Defense Secretary Robert Gates … the list goes on and on. Frankly that's because the good news is usually a bunch of nonevents: "Hackers deterred by diligent software patching at the Army Corps of Engineers." Not too exciting. So, in the world of IT security, it must seem that the villains outnumber the heroes—but there are some good-guy celebrities in the world of cyber security. In my years of reporting on the subject, I've often heard the National Security Agency's red team referred to with a sense of breathless awe by security pros. These guys are purported to be just about the stealthiest, most skilled firewall-crackers in the game. Recently, I called up the secretive government agency and asked if it could offer up a top red teamer for an interview, and, surprisingly, the answer came back, "Yes." Source: Popular Mechanics |
The Challenges for Trustmark (or any Framework/Solution) [The Security Catalyst] Posted: 01 Jul 2008 07:31 AM CDT I am going to continue my examination of the CompTIA Security Trustmark by sharing some challenges inherent in groups — and then revealing some simple steps to overcome those challenges. Read Part One or engage in the conversation. As noted earlier in the series, Trustmark initially eases the path for "channel vendors" to gain confidence in their VARs. Regardless of whether each vendor is conducting some level of "due diligence" today (or not), by working together on a common framework and audit standard, churn is reduced while assurance and confidence are increased. Trustmark may be currently focused on the 20,000+ members of the reseller community, but I see a short path to benefiting the Fortune 500 companies seeking to complete their due diligence on smaller partners. I even see a path for doctors, lawyers and other professionals. Much like BITS is becoming an accepted standard for large organizations [download the framework here: BITS Framework for Managing Technology Risk for IT Service Provider Relationships], Trustmark can do the same. Three Challenges to Success 1. building the framework/solution The balance of this series will explore each of these challenges to reveal what happens and how they can be successfully met. It seems that each time I sit down to work on them, I learn (and the article expands). To make it more readable, I'll be breaking these down into a series of readable columns. However, if there is enough interest, I'll pull them together in the end for a cohesive paper and make it available for download. I know that I'll be referring back to this research to avoid mistakes in future efforts.
Technorati Tags: catalyst, comptia, BITS, trustmark This posting includes an audio/video/photo media file. |
NDR (aka Backscatter) - The whole story [Amir Harel] Posted: 01 Jul 2008 06:25 AM CDT I've just posted a comprehensive post in Commtouch's blog about everything you need to know about NDRs. This is just a summary of that post: What is an NDR? An NDR is a bounce message notifying the sender that a message did not reach the intended recipient. Since there is no industry standard for these bounce messages, there are several names for this type of scenario. Here are a few that I know of:
For the purpose of this post I will use the term "Legitimate-NDR" for NDR messages that were sent to the real sender of the message (e.g. because they had a typo in an email address), and "Spam-NDR" for an NDR that was triggered by a spam message: spammers send spam "on behalf of" a forged sender address, and the unsuspecting owner of that address receives the NDR. Types of NDR Unfortunately, there is no industry standard for how NDR messages should look nor for how they should be treated. When an MTA issues an NDR, it usually sends it in one of the following forms:
Although there is no definitive evidence, from what we see in our detection centers, most MTAs return Partial NDRs. Although Empty NDRs are not the most common form, they really complicate the problem, since it is very difficult to distinguish a "Legitimate NDR" from a "Spam NDR" when nothing of the original message is returned. It is important to understand that Full NDRs pose a real security threat rather than just being annoying spam messages, since they may contain malware attachments intended to infect the machine with malicious code. Background Spam NDR has been around for years but has only recently gained recognition as a major spam issue. Most of it can be attributed to the massive trend of using zombie armies to propagate spam, and to the never-ending endeavors of spammers to come up with new techniques to evade anti-spam solutions. For more information about the subject and how Commtouch addresses this problem, you can go to the full post here. |
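To make the Full/Partial/Empty distinction and the Legitimate-vs-Spam NDR question concrete, here is an added example (not code from the original post or from Commtouch) that classifies a bounce by what it carries of the original message and checks the returned Message-ID against the IDs of mail we actually sent. It assumes a Full NDR embeds the original as a message/rfc822 part, a Partial NDR returns only its headers (text/rfc822-headers) and an Empty NDR returns neither; the sample bounces are constructed.

```python
"""Classify bounce messages (NDRs) and tell legitimate NDRs from backscatter.

Added example, not from the original post or Commtouch. Assumes a Full NDR embeds
the original as message/rfc822, a Partial NDR only its headers (text/rfc822-headers),
an Empty NDR neither. Sample bounces from make_ndr() are constructed.
"""
import email
from email import policy
from email.message import EmailMessage

def make_ndr(kind: str, mid: str = "<abc@example.org>") -> bytes:
    """Constructed sample bounce of the given kind: full, partial or empty."""
    ndr = EmailMessage()
    ndr["From"] = "mailer-daemon@example.net"
    ndr["To"] = "alice@example.org"
    ndr["Subject"] = "Undelivered Mail Returned to Sender"
    ndr.set_content("The message could not be delivered.")
    if kind == "full":  # whole original attached, including any attachments
        orig = EmailMessage()
        orig["From"] = "alice@example.org"
        orig["Message-ID"] = mid
        orig.set_content("hello")
        ndr.add_attachment(orig)
    elif kind == "partial":  # only the original's headers come back
        ndr.add_attachment(f"From: alice@example.org\nMessage-ID: {mid}\n",
                           subtype="rfc822-headers")
    return ndr.as_bytes()

def original_headers(raw: bytes):
    """Headers of the bounced original, or None for an Empty NDR."""
    for part in email.message_from_bytes(raw, policy=policy.default).walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":  # Full NDR: treat the payload as untrusted
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":  # Partial NDR
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None

def classify_ndr(raw: bytes) -> str:
    """'full', 'partial' or 'empty', following the taxonomy in the post."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    kinds = {p.get_content_type() for p in msg.walk()}
    if "message/rfc822" in kinds:
        return "full"
    return "partial" if "text/rfc822-headers" in kinds else "empty"

def assess_ndr(raw: bytes, sent_ids: set) -> str:
    """'legitimate' if we sent the bounced message, 'spam' if we did not,
    'unknown' for an Empty NDR, which carries nothing to check against."""
    hdrs = original_headers(raw)
    if hdrs is None or hdrs["Message-ID"] is None:
        return "unknown"
    return "legitimate" if str(hdrs["Message-ID"]).strip() in sent_ids else "spam"
```

The Message-ID check only works if the outbound gateway records the IDs it emits; an Empty NDR gives the receiver nothing to match, which is exactly why the post singles it out.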
You are subscribed to email updates from Black Hat Security Bloggers Network To stop receiving these emails, you may unsubscribe now. | Email Delivery powered by FeedBurner |