Archive for 'trends'

SCADA worm!

As everybody in the field had predicted, malware targeting SCADA systems has finally come true. The lucky thing is this one is looking for information to steal only, not actually doing anything. I wonder what outcome we could have if this nasty little thing was designed to force systems to fail. SCADA systems are one [...]

MitB attacks still haven’t reached full potential yet

I’m surprised that most of the MitB attacks are still just stealing credentials instead of changing transaction contents on the fly. I can see that credentials have an intrinsic value on the “black market”, but the attack model of stealing credentials and then using them to log into the victim's account to perform transactions seems [...]

Theory != reality in Infosec too

I was reading a nice post from Gunnar Peterson about APTs. He's making the point that everybody is excited about this “oh huge threat oh oh” stuff from the Google x China incident but in fact we should be worried about properly engineering the systems we depend on. I like his analogy of blaming the big [...]

The security decision making WAVE!

I’m starting a Wave on Google Wave to build a collaboration piece on security decision making. Please send me your contact if you want to participate. It starts like this: Security decision making Dear security friends, I’m planning for a long time to work on a paper/presentation about security decision making. I was planning to [...]

Am I being contradictory?

I was reading the post that I just published when I noted that the post right before that was complaining about attempts to standardize diversity, the curse of the “best practices”. The funny thing is that on the last post I tried to make the case for a big standard, that would probably end up [...]

Risk-less security

I was happy to find Anton Chuvakin’s post about the issues of doing security based on risk management a few days ago. As I said on my twitter, “discussions about decision making (risk based vs. others) is the only thing interesting for me today on the security field”. Anton made a very good summary about [...]

Looking at things through “cloud glasses”

I was happy to see the last posts from Alan Shimel about the incident on LxLabs and what that means to “cloud security”. Not only because I think he is right about using it as an example of why we should think about cloud security but also because I like his “anti-hype” posture. Ok, that [...]

Risk assessment science

I agree with Ben Tomhave on this particular subject. He is basically saying that we still don’t have a good solution for reliable and repeatable risk assessments. I must say that this is not true for smaller scopes, like a single application or a small network or system. However, when we start talking about a [...]

Pseudo-random algorithms use by malware

Back in 2007 I noticed (together with Fucs and Victor) that botnet creators had to solve a very important issue to keep controlling the infected computers: how to update the location of the controller? Until then they were including the controller location inside the bot code, so it was easy to find to identify it [...]

Deperimeterization without endpoint control?

Do you know what that is? That’s a complete disaster! I’ve got the tip for this very interesting Burton Group discussion from Anton Chuvakin’s post (who also has an overflowing “2blog” queue). There is a way to summarize that discussion. The key issue on deperimeterization is the control over the endpoint. If you are pushing [...]