Security Balancetrying to bring balance to the Force |
 |
This is from DailyDave:
“Sinan Eren wrote a working version of GREENAPPLE, a remote kerneloverflow in SMB for Windows 2000. It’s available now to ImmunityPartners, but it will be in the June Immunity CANVAS release, whichwill be interesting. Essentially it’s the first remote kernel overflowI’ve ever seen – maybe someone knows of one I don’t?”
It’s related [...]
It’s not surprising to see a new exploit for MS Word that is being used to run malicious code. It only confirms my belief that workstations/users are the prefered entry point for attacks. Interner facing servers are usually well protected and monitored. Workstations are usually bad configured, not patched and placed in flat and not [...]
Do you really have to change your password at short periods?
The increase in Rainbow Tables tools, and tables for sale, is showing that changing password would be efficient only if performed daily (or hourly!). Let’s make people learn a very good password to avoid dictionary and guessing attacks, them let them use it for more [...]
I’ve recently heard about changes in two security compliance drivers that I deal with, SOX and PCI. There are discussions about changes in SOX to avoid the confusion of which controls are needed (and how they should be implemented), as well as how the audit firms should assess risk in their clients.
PCI Data Standard Requirements [...]
One post at cisspforum caught my eye. The author, Scott Pinzon, authorized me to quote him:
“I don’t think Information Security is “failing,” for the simple reason that today more online commerce is occurring than ever in history, and for the most part, it works.
Info Sec is far from perfect; we all know that. But you [...]
This is the matter of the moment in UK. More problems, this time with Lloyds. This article gives more details about what is really happening.
I love when someone attacks infosec absolute truths! Roger Grimes did that in this article at Info World. I lke the part where he comments security through obscurity:
“The myth would have you believe that security by obscurity has no value and any scheme using it should be immediately discounted. But the fact of the matter [...]
I haven’t heard about it yet, a blog from Cambridge security researchers. It seems to have very good content, in a first glimpse. I’ll look closer later.
Noam Eppel wrote an article called “Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security.” that generated a lot of noise in the security community. I decided to comment it in my blog too.
Yes, it’s really too-FUD. But it also has great points about things that are real. Some of them are not [...]
Thre is a lot of noise in the security feeds about this fraud in UK. Most articles from the press gives the impression that the chip on the cards were victim of the fraud. The problem, however, seems to be on the old magnetic stripe fall-back feature. This is another situation that shows why supporting [...]
