By Declan Ingram

Kiwicon 2008 has come to a close and the crowds have left with a trail of coffee cups and empty beer kegs. The line up this year for the second annual New Zealand IT Security / Hacker Conference included a mixture of the usual suspects and first time presenters, which is always good to see.

Highlights this year included “The Paul Craig Omnibus”, Brett Moore’s “Hacking Citrix in 2008” and Longpipes’ “Sekret Lightning Talk”.




By Amit Deshmukh

The DNS vulnerability recently discovered by Dan Kaminsky allowed researchers and vendors from across the world to collaborate on fixing the issue (details available here: http://news.cnet.com/8301-1009_3-9998906-83.html). Old news, but…

Since then a number of security solution vendors have jumped onto the bandwagon of the week (there seem to be so many of them of late!) and have provided their own versions of how best to identify and solve the problem.

Many vulnerability detection solutions have now begun detecting the DNS issue and have updated their signatures to verify the existence of the problem. However, it is critical that a company assessing its infrastructure for this vulnerability understands its DNS environment before it begins to audit its systems for this flaw, as this article very rightly points out: http://blog.tenablesecurity.com/2008/07/but-i-patched-o.html



David Rice is an internationally recognised information security professional and author of the critically acclaimed book “Geekonomics: The Real Cost of Insecure Software.” For a decade he has advised, counseled, and defended global IT networks for government and private industry. David has been recognised by the U.S. Department of Defense for “significant contributions” advancing the security of critical national infrastructure and global networks. He is a frequent speaker at information security conferences and is currently Director of The Monterey Group.

I had a chance to talk with David recently and I hope you enjoy the read.

——————————————————————————————

BorB: Thank you for taking the time for a chat David. I thoroughly enjoyed the book and would recommend it to everyone. What’s the feedback been like from the industry and non-industry (consumers) in general?

DR: Thank you for the opportunity to join the discussion on your blog. Feedback from the information security industry has been overwhelmingly positive. Defending against an unrelenting stream of software vulnerabilities is simply unsustainable. It also happens to be ridiculously expensive. I think people get that point. Software manufacturers and security vendors have led us into a cul-de-sac that we have been wandering around in for a few years, and the frustration is palpable. I think approaching insecure software from an economic perspective has started opening doors that lead out of the cul-de-sac and there is a feeling of hope in that.

The response from outside the information security industry, particularly consumers, has been a mixture of enlightenment, shock, and dismay. For example, a U.S. government representative stated to me, “I can’t put [the book] down. It’s incredible because I’ve never really thought about things this way before.” On a recent radio interview the host asked (rather desperately I might add), “Why isn’t this stuff [cyber attacks] being reported? What do we do?” By the tone of his voice, I could tell he was truly disturbed as well as surprised. It was as if someone told him cigarettes cause lung cancer, manufacturing creates pollution, or fatty foods cause heart disease. Yes, indeed, software can have significant private and social costs also.

On the whole, I think these reactions are healthy and normal. Some people are getting concerned, and some angry. These reactions, and those like them, are understandable and I take such reactions as a good sign. It means that listeners are re-adjusting their viewpoints based on the information presented to them. In the end, I don’t think that we inside the security profession really comprehend just how far behind the rest of the populace is in understanding the issues of cyber security.




I’ve posted before about the Australian Information Security Association. AISA is a volunteer-run organisation of information security professionals with branches in almost every capital city in Australia and in excess of 800 members. The number of members has grown significantly in recent times, and AISA as an “organisation”, as opposed to the “interest group” it started as, is growing also. In this chat with Stephan Overbeek (the current Australian Chair of AISA), we talk about the organisation, focus on valid questions and concerns raised by many in the industry here (including myself) about AISA, and look at what AISA’s plans for the future are. (Note: I am an AISA member and a volunteer on the Executive committee, as I have mentioned in the past.)




By straxd

Nobody expects an Australian inquisition…

Most of you have probably heard by now that new regulations have been enacted for World Youth Day in Sydney which allow police to fine up to $5500 and possibly imprison people who “annoy and inconvenience” World Youth Day participants. From the SMH, coincidentally written by Julian of Chaser fame. One could put forward the argument that this has been set up for the Chaser team, and that other organised mobs are being discriminated against unfairly. Why should the Chaser team spoil the fun for everyone! :-)




By YanaBanana and Drazen Drazic

Not talking about a new theory here, but maybe some points worth discussing. Starting ramble:

As technology becomes more accessible and affordable to the masses, we face a good deal of unseen or unintended consequences for security in general.

E.g., insurgencies in countries such as Iraq, where homemade rockets are used, are getting more sophisticated. If you have ever tried to build a rocket (not the WMD type), as I have, you will find that it is surprisingly hard to get it to fly straight. With processors/microcontrollers getting cheaper and more accessible, it’s relatively easy to make extremely good guidance systems now to attach to your homemade rocket – ready to fire at any target you wish.

Now apply this kind of thinking to something less bodily-harm-inducing, such as GSM cracking. Not long ago, it was extremely expensive to get any sort of decent RF equipment to sniff GSM traffic, and then to get the computing power to actually break the poorly designed encryption (A5/1 and A5/2).




By Big Galoot

Here we go again. Yet another example of highly questionable reporting in our local IT media. Ladies & gents, these types of ‘stories’ need to be highlighted for what they really are – paid advertising.

This time, it’s our old friend at Symantec – schmoozing big time, one expects, in the hope of favourable commentary & cheap brand exposure in the Australian IT newspaper.

What’s the ‘story’, you ask?




By Donal O Duibhir

Donal looks at “The Common Configuration Scoring System” draft from NIST:

http://csrc.nist.gov/publications/drafts/nistir-7502/Draft-NISTIR-7502.pdf

Initial thoughts: It would be nice to see CCSS as an output metric generated by the tools here: http://www.cisecurity.org/index.html, but further investigation leads me to believe the initiative perhaps hasn’t been as well thought through as CVSSv2 or the OSSTMM Risk Assessment Values here: http://www.isecom.org/research/ravs.shtml




By Declan Ingram

Upon speculation that Microsoft had built backdoors into Vista, Niels Ferguson, a developer and cryptographer at Microsoft, wrote:

“The suggestion is that we are working with governments to create a back door so that they can always access BitLocker-encrypted data… Over my dead body.”

That’s very reassuring… until this was released: “Microsoft device helps police pluck evidence from cyberscene of crime”.




By Declan Ingram

PCI clearly states in requirement 10: “Track and monitor all access to network resources and cardholder data.” And rightly so. It goes on to say, “Determining the cause of a compromise is very difficult without system activity logs.”

It certainly is. In fact, for nearly all attacks where card data is at stake, it can border on impossible. Enterprise log management is hard. It is expensive, and there are few organisations that do it well. Not only that, but the organisations that do it well are also much more likely to have a much higher general state of security – meaning that (all things being equal) they are less likely to suffer a breach in the first place.


