
Archive for 'security research'

The security decision making WAVE!

I’m starting a Wave on Google Wave to build a collaboration piece on security decision making. Please send me your contact if you want to participate.
It starts like this: 

Security decision making
Dear security friends,
I have been planning for a long time to work on a paper/presentation about security decision [...]

Dunbar’s number and security

I’ve just finished Malcolm Gladwell’s book The Tipping Point. As usual, Gladwell’s books bring me food for thought on security. Security is deeply related to human behaviour, the main subject of his books. The most interesting thing in TP for security is Dunbar’s number. Honestly, when I read about it I thought [...]

Risk assessment science

I agree with Ben Tomhave on this particular subject. He is basically saying that we still don’t have a good solution for reliable and repeatable risk assessments. I must say that this is not true for smaller scopes, like a single application or a small network or system. However, when we start talking about a [...]

Cognitive Dissonance? I must disagree

I like the spin that Pete Lindstrom gives to some classical security discussions, but I think he is completely missing the point here:
“If finding vulnerabilities makes software more secure, why do we assert that software with the highest vulnerability count is less secure (than, e.g., a competitor)?”
If we agree with him we could also say [...]

Pseudo-random algorithms used by malware

Back in 2007 I noticed (together with Fucs and Victor) that botnet creators had to solve a very important issue to keep controlling the infected computers: how to update the location of the controller?
Until then they were including the controller location inside the bot code, so it was easy to find and identify it and [...]
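The approach the post alludes to, a pseudo-random rendezvous scheme (what is now usually called a domain-generation algorithm), can be shown on both sides of the fence. The following is an added example, not code from the original post nor from any real malware family: the seed secret, the LCG constants, the label-length rule and the TLD are all assumed for illustration. The bot derives the day's candidate controller names from the date alone, so nothing in the binary points at a fixed controller; the defender, once the algorithm has been recovered from a sample, runs the same code ahead of time to build a blocklist or sinkhole list.

```python
"""Toy domain-generation algorithm (DGA) and the defender-side mirror of it.

Constructed for illustration: the seed secret, the LCG constants, the
label-length rule and the TLD are assumptions, not a real family's values.
"""
import hashlib
from datetime import date, timedelta

# Assumed bot-side constants: a secret compiled into the bot (and kept by the
# botmaster, who must produce the same list) plus ordinary LCG parameters.
BOT_SECRET = b"example-botnet-secret"   # assumption
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
TLD = ".example"                       # assumption; reserved TLD, never resolves


def daily_seed(day: date, secret: bytes = BOT_SECRET) -> int:
    """Derive the day's 32-bit seed from the calendar date and the built-in secret.

    Every bot computes the same value for the same day, so all of them agree
    on the day's candidate domains without any message from the controller.
    """
    digest = hashlib.sha256(secret + day.isoformat().encode()).digest()
    return int.from_bytes(digest[:4], "big")


def generate_domains(day: date, count: int = 20, secret: bytes = BOT_SECRET) -> list[str]:
    """Return the ordered list of candidate controller domains for `day`.

    A bot walks this list and talks to the first one that resolves; the
    botmaster only has to register one of them, on the day it is needed.
    """
    state = daily_seed(day, secret)
    domains = []
    for _ in range(count):
        length = 8 + state % 5                      # 8..12 characters
        label = []
        for _ in range(length):
            # 32-bit LCG step; the high bits are the better-distributed ones
            state = (1103515245 * state + 12345) & 0xFFFFFFFF
            label.append(ALPHABET[(state >> 16) % len(ALPHABET)])
        domains.append("".join(label) + TLD)
    return domains


# ---- defender side: the same algorithm, run ahead of time -----------------

def precompute_blocklist(start: date, days: int, count: int = 20) -> dict[str, date]:
    """Map every domain the bots will try over `days` days to the day it is used.

    Once the algorithm has been reverse-engineered from a sample, this is all
    a defender needs to sinkhole or block the rendezvous points in advance.
    """
    blocklist: dict[str, date] = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        for dom in generate_domains(day, count):
            blocklist[dom] = day
    return blocklist


def flag_dga_queries(dns_log: list[str], blocklist: dict[str, date]) -> list[str]:
    """Return the queried names in a simple DNS log that hit the precomputed set."""
    hits = []
    for line in dns_log:
        # constructed log format: "<client-ip> <qname>" (qname may carry a trailing dot)
        parts = line.split()
        if len(parts) != 2:
            continue
        qname = parts[1].lower().rstrip(".")
        if qname in blocklist:
            hits.append(qname)
    return hits


if __name__ == "__main__":
    today = date(2009, 3, 1)
    todays = generate_domains(today)
    blocklist = precompute_blocklist(today, 7)
    # constructed sample log: one benign query and one for today's third candidate
    sample_log = ["10.0.0.5 www.example.org", f"10.0.0.9 {todays[2]}."]
    print("today's candidates:", todays[:3], "...")
    print("hits:", flag_dga_queries(sample_log, blocklist))
```

The asymmetry is the point: the scheme costs the botmaster one registration per day, while a defender who has the algorithm can enumerate every rendezvous name for any window and block or sinkhole it before the bots ever query it. Real families add a secret or a changing seed (as `BOT_SECRET` stands in for here) precisely to make that enumeration depend on something that has to be extracted from a sample.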

Unsecured economies report

I was glad to be one of the contributors to the “unsecured economies report”, sponsored by McAfee. It’s certainly a very good report and it’s nice to see my name on the same list as Ross Anderson and Gene Spafford.
However, McAfee has been saying since the Economic Forum in Davos that the losses due to loss [...]

Distributed malware identification

The info about Senthil Cheetancheri’s proposal on fighting zero-day attacks with peer-to-peer software that shares information about anomalous behaviour has spread across a lot of security blogs and portals today. It is not that innovative, but it’s certainly something nice to think about.
I would go a little further and propose something a little different. [...]

New Kids on the Block Cipher

Seriously, their research is awesome…but the picture…OMG!

Windows pen testing – access tokens

I’m a bit late on this subject, but I think it’s worth a post. For those who do pentesting and usually get some access to Windows boxes, but are looking for a specific credential (like a domain admin), impersonating the access tokens available on the box can be a very useful approach. The details about how to do [...]

Mogull on adaptive Auth and AuthZ

Richard Mogull mentions on his blog today the concepts of adaptive Authentication and Authorization. In short, from his post:

“User: This is an area I intend to talk about in much greater depth later on. Basically, right now we rely on static authentication (a single set of credentials to provide access) and I think we need [...]