Monthly Archive September, 2008

Which compliance pill to take?

Anton Chuvakin wrote a very good piece about PCI and how regulations like that are usually written and interpreted. He is completely right on defining the problem as: Mandate the tools (e.g. “must use a firewall”) – and risk “checklist mentality”, resulting in BOTH insecurity and “false sense” of security. Mandate the results (e.g. “must [...]

It is so obvious that it hurts

Just found it: People a big security threat to virtualization, Interop speaker says – Network World. People a big threat to virtualization?? Woo!!! If you replace “virtualization” with any other hot technology, you will see it is also true. Security is always designed and deployed in a way that relies on people’s decisions. [...]

WordPress security

I wrote in a rush about testing the blog “desktop clients” last week, and I think I didn’t make it clear why I was doing all that testing and what the results were. OK, I’ll try to summarize it. My blogs are running on WordPress on a regular hosting service. I have my own [...]

Good tip to fight laptop theft

Today I was in the office of a company where almost all the employees work on laptops. Everybody receives a security cable to secure the laptop to their desk to prevent theft. There is that old problem, “how to educate the users on using the security cable?”. They found an interesting way to educate the [...]

And now, ScribeFire!

I’ve tried ScribeFire before and I was not impressed by the idea of blogging from Firefox. If I had to use the browser, why not connect to wp-admin directly? Well, with my new quest for “blogging clients” that can use my SSL-protected XML-RPC URL, I ended up trying it again. Here I am, trying ScribeFire. [...]

Zoundry Raven test

I’m testing Zoundry Raven calling the XML-RPC interface of WordPress on an SSL URL. It may be an alternative for secure posting, as I can use the “shared certificate” URL for this, which can’t be done with the regular wp-admin WordPress interface. I just need to check that this thing doesn’t “escape” from the specified URL [...]

Security by economic obfuscation

This is what Chris Hoff calls the fact that vulnerability researchers don’t spend time looking for holes in commercial (and expensive) software products, like virtualization platforms. I think we have been living with this for a long time. I can mention mainframe software (even without buying hardware, researchers could run it on emulators like Hercules), [...]

Simple but dreadful, part 2 – Network shares

It would be impossible to write about low-hanging fruit without mentioning network shares. I say that because they are usually my favorite path to elevate privileges when I’m performing a penetration test. Among the things I’ve already found on unprotected (I mean, Everyone – Full Control) shares are: – Source code for critical applications [...]

NAC and DLP

I was reading a comment from Shimel mentioning that NAC technology is becoming more mature every day, as we see more 3rd-party product integrations. He mentions the integration of an IPS system, which promptly made me wonder about another kind of security product: DLP. Has anybody tried to integrate DLP and/or e-Discovery products [...]

Best Practices – Even Dilbert knows what they mean

You can see it here. So what are the quick wins you can achieve in security that go beyond best practices? Feedback would be nice.