I was reading Shimel’s blog today and followed a pointer from him to another security blog, “JJ’s Security Uncorked”. It was a very nice surprise to find this post about three things that are often forgotten in network inventories, assessments and other processes: Cameras, Controllers and Card Readers. It was particularly interesting for me because [...]
Axur is a Brazilian company with deep knowledge of ISO 27001/27002. Their product, ISMS, is a great solution for those looking for a platform on which to build their ISMS. They are blogging in English now, and it’s a very good source of information about the standards.
I may be a little late on this, but only today was I introduced to NORMAN Sandbox, an automated sandbox that analyses malware you submit to it online (update: credits to Sp0oKeR, who pointed me to the site). The system has very nice features. It can identify what the malware does when executed, [...]
Then read this. The French bank Société Générale lost more than $7 billion (yes, billion!) because of an internal fraud committed by a single trader. That’s an interesting insider threat case! I found this piece particularly interesting: “Axel Pierron, senior analyst at Celent, an international financial research and consulting firm, was stunned that a trader [...]
I was reading this post from Gunnar Peterson about how to improve application security levels in an organization. He mentions a curious strategy to induce competition between different development teams. In a certain way his method works with a motivation that is very curious for us: the right to “remain insecure”. But in a nice [...]
I’ve just received a link pointing to a risk management methodology used by the French government called “EBIOS”: Expression of Needs and Identification of Security Objectives. There isn’t anything revolutionary in it; it is a good job of putting together things like ISO 27002 and the Common Criteria / ISO 15408. However, the site also has an open [...]
OK, so Oracle DBAs are not patching their databases. Why does that happen? I can see a number of factors here: – Bad security professionals who believe that “Oracle is very secure” and worry only about patching Microsoft, the source of all evil things on earth. – Terrorist DBAs who are always saying that “patching [...]
I’m having a good conversation about OTP/2FA for online banking on the cisspforum mailing list. Tim Bass and Martin Wehlou are incredibly good professionals and are adding valuable points to the subject. Martin posted (01/2007) in his blog a very good explanation of the problem that banks are trying to solve with OTP solutions. He [...]
I’ve just read on the Symantec Security Response Weblog that they detected a trojan that behaves exactly as I predicted a few years ago: it dynamically changes the content of wire-transfer transactions, defeating two-factor authentication mechanisms. It was also part of my Black Hat presentation last year. What will happen to the two-factor [...]
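The OTP/2FA discussion above and the transaction-altering trojan describe the same weakness from two sides: a one-time password proves that the user holds the token, but it says nothing about the transfer the bank finally receives, so a trojan that rewrites the transaction after the user confirms it walks straight through. The Python script below is an added illustration, not code from this blog, from Symantec or from any bank. The shared secret, the clock value, the account identifiers and the trojan's rewrite are all constructed for the example. It also goes one step beyond the excerpt by contrasting the plain OTP with a transaction-bound code (the token computes the code over the amount and beneficiary the user sees), which is one countermeasure the excerpt itself does not describe.

```python
import hashlib
import hmac
import struct

# Constructed values for the example; not a real token seed or bank setting.
SECRET = b"example-token-seed-not-real"
STEP = 30  # seconds per time step, as in a time-based OTP token


def _truncate(mac: bytes, digits: int = 6) -> str:
    """RFC 4226 style dynamic truncation of an HMAC into a short decimal code."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


def session_otp(secret: bytes, now: int) -> str:
    """Plain time-based OTP: proves possession of the token, nothing about the transfer."""
    counter = struct.pack(">Q", now // STEP)
    return _truncate(hmac.new(secret, counter, hashlib.sha1).digest())


def transaction_otp(secret: bytes, now: int, amount: int, beneficiary: str) -> str:
    """Transaction-bound code: the token keys the MAC over the amount and beneficiary
    shown on its own display, so any change to the transfer yields a different code."""
    msg = struct.pack(">Q", now // STEP) + f"{amount}|{beneficiary}".encode()
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest())


def bank_verify_session_otp(secret: bytes, now: int, transfer: dict, code: str) -> bool:
    """Bank that only checks the OTP: whatever transfer arrives with a valid code is executed.
    Note that `transfer` is never looked at."""
    return hmac.compare_digest(code, session_otp(secret, now))


def bank_verify_transaction_otp(secret: bytes, now: int, transfer: dict, code: str) -> bool:
    """Bank that recomputes the code over the transfer it actually received."""
    expected = transaction_otp(secret, now, transfer["amount"], transfer["beneficiary"])
    return hmac.compare_digest(code, expected)


def trojan_rewrite(transfer: dict) -> dict:
    """Man-in-the-browser step: the page the user sees is unchanged, the request is not.
    (Constructed mule account; the real trojan's details are not on this page.)"""
    altered = dict(transfer)
    altered["amount"] = 9500
    altered["beneficiary"] = "MULE-ACCOUNT-0000"
    return altered


def run_scenario(now: int = 1_200_000_000) -> dict:
    user_view = {"amount": 100, "beneficiary": "UTILITY-CO-1234"}
    on_the_wire = trojan_rewrite(user_view)

    # 1) Session OTP: the user types a valid code, the trojan forwards it with the altered transfer.
    code = session_otp(SECRET, now)
    plain_otp_accepts_fraud = bank_verify_session_otp(SECRET, now, on_the_wire, code)

    # 2) Transaction-bound code: computed from what the user confirmed on the token display.
    code = transaction_otp(SECRET, now, user_view["amount"], user_view["beneficiary"])
    signed_accepts_fraud = bank_verify_transaction_otp(SECRET, now, on_the_wire, code)
    signed_accepts_legit = bank_verify_transaction_otp(SECRET, now, user_view, code)

    return {
        "plain_otp_accepts_fraud": plain_otp_accepts_fraud,
        "signed_accepts_fraud": signed_accepts_fraud,
        "signed_accepts_legit": signed_accepts_legit,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point of the contrast is that the second factor has to cover the data being authorised, not just the session; a code that is valid for any transfer in the current time window is exactly what a content-rewriting trojan needs.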
I was reading the SANS ISC diary about mass compromises by SQL injection. It seems to be something automated, maybe a botnet or even a worm. What kind of automated threat it is isn’t really what matters here. The most important fact is that we are now seeing SQL injection attacks being used by [...]
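The "automated" part is what shows up in web server logs: a scanner or worm sprays one payload shape across many pages of many hosts within seconds, which looks nothing like a person probing one form by hand. The Python script below is an added example, not code from the ISC diary or from this blog. The Apache combined-format lines, IP addresses, paths and hex blob are constructed for the example, and both the indicator patterns and the "three or more distinct paths hit with one payload shape" heuristic are assumptions chosen for illustration, not a published signature.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Constructed sample: Apache combined-format lines with made-up IPs, paths and a
# made-up hex blob. None of this is taken from a real compromise.
HEX_BLOB = "0x" + "4445434c41524520" * 6
SAMPLE_LOG = "\n".join([
    f'203.0.113.7 - - [15/Jan/2008:10:01:02 +0000] "GET /news.asp?id=12;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST({HEX_BLOB}%20AS%20VARCHAR(4000));EXEC(@S);-- HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    f'203.0.113.7 - - [15/Jan/2008:10:01:03 +0000] "GET /products.asp?cat=3;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST({HEX_BLOB}%20AS%20VARCHAR(4000));EXEC(@S);-- HTTP/1.1" 200 4410 "-" "Mozilla/4.0"',
    f'203.0.113.7 - - [15/Jan/2008:10:01:03 +0000] "GET /about.asp?page=1;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST({HEX_BLOB}%20AS%20VARCHAR(4000));EXEC(@S);-- HTTP/1.1" 500 320 "-" "Mozilla/4.0"',
    '198.51.100.4 - - [15/Jan/2008:10:02:11 +0000] "GET /news.asp?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [15/Jan/2008:10:03:40 +0000] "GET /login.asp?user=admin%27%20OR%20%271%27=%271 HTTP/1.1" 200 800 "-" "curl/7.18.0"',
])

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) (?P<proto>\S+)" (?P<status>\d{3})'
)

# Indicator patterns (assumed for the example), applied to the URL-decoded query string.
SQLI_PATTERNS = {
    "mssql_declare_exec": re.compile(r"declare\s+@\w+.*exec\s*\(", re.I | re.S),
    "hex_cast": re.compile(r"cast\s*\(\s*0x[0-9a-f]{16,}", re.I),
    "union_select": re.compile(r"union\s+(all\s+)?select", re.I),
    "tautology": re.compile(r"'\s*or\s+'[^']*'\s*=\s*'[^']*", re.I),
}


def scan_log(text: str) -> list:
    """Return one finding per request whose decoded query string matches an indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["url"])
        # Decode first: the payload arrives percent-encoded, the server sees it decoded.
        decoded = unquote_plus(parts.query)
        hits = sorted(name for name, rx in SQLI_PATTERNS.items() if rx.search(decoded))
        if hits:
            findings.append({
                "ip": m["ip"],
                "path": parts.path,
                "status": int(m["status"]),
                "indicators": hits,
            })
    return findings


def summarize_sources(findings: list, min_distinct_paths: int = 3) -> dict:
    """Per source IP: hit count, distinct pages hit, and whether it looks automated.
    Heuristic (assumed): one payload shape sprayed over several distinct pages."""
    per_ip = defaultdict(lambda: {"hits": 0, "paths": set(), "shapes": set()})
    for f in findings:
        s = per_ip[f["ip"]]
        s["hits"] += 1
        s["paths"].add(f["path"])
        s["shapes"].add(tuple(f["indicators"]))
    return {
        ip: {
            "hits": s["hits"],
            "distinct_paths": len(s["paths"]),
            "automated": len(s["paths"]) >= min_distinct_paths and len(s["shapes"]) == 1,
        }
        for ip, s in per_ip.items()
    }


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f)
    print(summarize_sources(found))
```

Decoding before matching matters: the obvious keywords are usually percent-encoded or hidden inside a hex CAST precisely so that naive string filters on the raw request line miss them. The per-source grouping is what separates the mass-injection bot (same shape, many pages, one IP) from a single curious user trying a tautology on one login form.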