I really enjoyed reading this post from Richard Bejtlich. There is one piece that makes it almost perfect:
“Web 2.0: this is what is here, with more on the way — essentially indefensible applications all running over port 80 TCP (or at least HTTP) that no developer really understands and for which no one takes responsibility”
I [...]
Like the phoenix, it’s back again from the ashes. Cool.
There is news about the Stration Worm, which spreads itself using Skype and can migrate to other networks, like MSN and ICQ. That’s very interesting, especially because it’s quite aligned with what I presented at Black Hat Europe this year. Although I was talking about botnets, some of the trends apply to all kinds of [...]
This article from Slashdot is very good. It’s funny to see how easy it is to obtain credit card numbers. PCI still has a long way to go on securing this information, if it can be done at all. From the article:
“Some “script kiddie” tricks still work after all: Take the first 8 digits of a standard [...]
OK, just like when you start talking about the Relativity Theory and mention E=mc^2, we always mention RISK = Impact x Probability when talking about Risk management. And it’s interesting to see how the Probability is measured. A good thread on this subject is here.
People usually calculate the probability by looking at what can be [...]
I’ve just read two papers from the HotBots conference from Usenix. One, from Grizzard, Sharma, Nunnery, Kang and Dagon, gives an overview of p2p botnets. It’s interesting to see that the authors identified exactly the same issues that we tried to solve in our Black Hat presentation, especially the hard-coded information needed by [...]
While reading the well-written “Intro to hackernomics” from Herbert Thompson on Network World, I noticed something quite interesting about threat motivation.
Thompson’s first law states that “most attackers aren’t evil or insane; they just want something.” Money is the natural choice for that something.
However, we can list several incidents that didn’t generate any profit [...]
Gunnar Peterson published a few days ago what he called “Security Architecture Blueprint”. It is a blueprint of the security services needed to deploy a security architecture, from processes to technologies. Together with the P-CSO from Mike Rothman, I believe it’s one of the best support materials for a CSO to use when developing a Security [...]
Fernando Cima posted on his blog about new features in Windows Longhorn: the client and server for FTP over SSL.
That’s a very important feature for those fighting to improve the security of file transfers on their networks (especially those dealing with PCI-DSS). The fact that these are native resources will make it easier to [...]
Sometimes I catch myself defending “less secure” solutions for specific situations. It feels a little strange, but it usually happens when someone with “canned” knowledge about security tries to discuss the risks of some kind of technology, usually trying to use it as an excuse to avoid having to work to make that thing happen. [...]