Voyeur
[27 Aug 2007|06:04pm]
(Originally posted @ un-excogitate.org)
I think it must be the voyeur in me but I'm totally fascinated by the photos people take of the stuff they carry with them. I don't really know why. Am I trying to understand just how popular Apple MacBooks and iPods are? Do I just want to reinforce my love of Moleskines? Am I trying to fill in the gaps of the stuff that I carry around with me?
It all started with the Screenshot Tour: Show Us Your Go Bag, which also had a sequel, and then today I stumbled upon the Items We Carry Flickr group!
Ah it's all too much.

Data Disclosure Laws in Australia
[07 Aug 2007|10:24pm]
(Originally posted @ un-excogitate.org)
I'm interested to see how proposed changes to the Australian Privacy Act are going to look:
The Federal Government is set to introduce data disclosure laws in Australia as early as 2008.
The push for data disclosure laws in Australia is part of a review of the Privacy Act being undertaken by the Australian Law Reform Commission (ALRC) which began early this year.
A discussion paper, recommending the introduction of these laws which would force organizations to notify customers of security breaches... (From Computerworld Australia)
I have to agree with some of the comments in the article, especially regarding it being a good thing for customers if businesses have to disclose information breaches. But whether it's "good business to notify customers", I'm not entirely sure. If your business suffered an information breach I can't imagine that disclosing it to your customers would be good for business.
Unless, of course, stricter disclosure laws force businesses to tighten up their controls, which in turn provides better services to customers. But it's hard to see how having to increase, check and audit controls would simply happen easily and for nothing. So how does this happen? Well, the businesses have to employ more security folk and spend more money on controls. And who do you think will have to pay for this? My guess is that this will either cut profits or maybe we'll see customers wear the costs.
Regardless of the "how", I think the overall "why" of this law is definitely a good thing. The article alludes to how these types of incidents may be occurring all the time without anyone knowing. This thought worries me. I'm all for transparency.

Hacking the Counter-Hackers
[26 Jul 2007|10:30pm]
(Originally posted @ un-excogitate.org)
This article over on Computerworld about the iSec guys who found vulnerabilities in EnCase and The Sleuth Kit poses a fairly interesting issue regarding the utilities used by security professionals. How much do these sorts of issues really impact your ability to present evidence to management, or even worse, to a court?
In many corporate environments, before people install and run new or unknown software, it has to go through a degree of assessment to ensure that the software doesn't contain any vulnerabilities or have a history of exploitation. Would a defence lawyer really pick apart these sorts of issues in forensic acquisition/analysis tools to discount evidence presented in court? I guess it probably depends on how expensive the lawyer is. What doesn't help, and will probably blow the situation out of proportion, is all the media coverage that will surround the news report and the associated black-hat exposé features.
How much do these software vulnerabilities impact the tools' ability to perform their intended duty? From what I read and understood, not a hell of a lot. It's like trying to argue in court that MS Windows XP, the underlying operating system used by security investigators, has a long history of exploitation and so no evidence examined on a Windows XP system holds any merit.
This article reminds me a little bit of some research I did back at University on potential issues with forensic examination of PalmOS devices, in that images acquired are constantly changing due to the nature of volatile memory.
I guess this will probably blow over. Interesting none the less.

The Real Root CA
[24 Jul 2007|10:47pm]
(Originally posted @ un-excogitate.org)
So I was walking to get a coffee the other day and passed this church which had a sign out front that stated:
"If you can't trust God, you can't trust anyone."
It got me thinking about trust and relationships, not just personal but professional and even security relationships. Trust is an interesting concept. How do we ever trust other people? Is it human instinct to want to trust people naturally, or is that a cultural instinct that differs from region to region? Obviously the family tree carries with it a certain level of trust: we implicitly trust our parents, the same as a child Certificate Authority trusts its parents.
Later on that week I was talking to a colleague about the sign and about how putting that in context of security and CAs was kind of funny. He agreed and replied (and I'll paraphrase): So that's it! Verisign must have God on the payroll.

Developing Secure Code
[22 Jul 2007|10:09pm]
(Also available over @ un-excogitate.org)
I bookmarked this article quite a while back and only now got to have a read of it. 8 Simple Rules for Developing More Secure Code by Michael Howard, over on MSDN, is a list of habits of secure developers. I know it's a little old now, but oh well.
Paraphrased to:
- Take responsibility for your code
- Never trust data
- Use threat modelling against your code
- Stay one step ahead - or keep up to date with emerging vulnerabilities and threats
- Use fuzz input testing
- Don't write insecure code (I found this point rather over-arching but his comments are good)
- Recognise the strategic asymmetry - be aware that an attacker can spend much more dedicated time finding weaknesses than you can spend making your code 100% secure
- Use the best tools you can
What I like about Michael's list is that it is applicable to any software development environment using any methodology: from PHP apps developed by a sole developer for a small company to large, multi-tier, thick-client apps developed by a team of developers. It's all good.
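Two of those habits, never trusting data and fuzzing your inputs, are easier to feel than to read about. What follows is an added example, not code from Michael Howard's article: a parser for a made-up record format ([len][payload][tag], records back to back) that trusts the length byte it just read, the same parser with the check added, and a small mutational fuzzer that tells a deliberate rejection apart from an unexpected exception. The format, the function names and the seed input are all assumptions made for illustration.

```python
"""Trusting a length field vs. checking it, with a fuzzer that finds the gap.

Added example, not from the original article. The record format is made up:
    [len: 1 byte][payload: len bytes][tag: 1 byte], repeated.
"""
import random


class MalformedInput(ValueError):
    """What a hardened parser raises for input it refuses on purpose."""


def parse_unsafe(buf):
    """Trusts every length byte. On a truncated record the slice silently
    comes up short and the tag read falls off the end with an IndexError."""
    records, i = [], 0
    while i < len(buf):
        n = buf[i]
        payload = buf[i + 1:i + 1 + n]   # slicing never complains...
        tag = buf[i + 1 + n]             # ...this index does
        records.append((tag, bytes(payload)))
        i += 2 + n
    return records


def parse_safe(buf):
    """Same format, with the claimed length checked against what arrived."""
    records, i = [], 0
    while i < len(buf):
        n = buf[i]
        end = i + 1 + n                  # offset of the tag byte
        if end >= len(buf):
            raise MalformedInput(f"record at offset {i} claims {n} bytes, "
                                 f"only {len(buf) - i - 1} available")
        records.append((buf[end], bytes(buf[i + 1:end])))
        i = end + 1
    return records


def mutate(seed, rng):
    """One random mutation of the seed: overwrite a byte, flip a bit, or truncate."""
    data = bytearray(seed)
    choice = rng.randrange(3)
    if choice == 0:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif choice == 1:
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    else:
        del data[rng.randrange(1, len(data)):]
    return bytes(data)


def fuzz(parser, seed, iterations=500, rng_seed=1):
    """Feed mutated inputs to the parser. A MalformedInput is the parser doing
    its job; any other exception is a finding. Returns (input, exception name)."""
    rng = random.Random(rng_seed)        # seeded so a run is reproducible
    crashes = []
    for _ in range(iterations):
        sample = mutate(seed, rng)
        try:
            parser(sample)
        except MalformedInput:
            pass
        except Exception as exc:
            crashes.append((sample, type(exc).__name__))
    return crashes


# Constructed seed: two well-formed records, (tag 1, b"abc") and (tag 2, b"hi").
SEED = b"\x03abc\x01\x02hi\x02"

if __name__ == "__main__":
    for parser in (parse_unsafe, parse_safe):
        found = fuzz(parser, SEED)
        print(f"{parser.__name__}: {len(found)} unexpected exceptions")
        for sample, name in found[:3]:
            print("   ", name, sample)
```

The fuzzer here is deliberately dumb; the point is that the unsafe parser fails with an internal error on a fair share of mutated inputs while the safe one either parses or refuses, which is exactly the distinction a harness needs in order to report only real defects.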

Mainframe Security
[01 Jul 2007|12:29am]
(Cross posted on un-excogitate.org)
I really enjoyed reading Andrew's article on "The Mainframe Conundrum" and would highly recommend that anyone else in IT in the financial area, or other critical infrastructure areas should also read it.
Since starting my new job this sort of issue has definitely come up on a number of occasions. It's not always directly linked to problems with trying to apply security concepts to legacy systems (or the people who support them); in fact it is probably more often about general IT people who don't understand the insider risk. In any case, similar to what Andrew discusses, these types of problems can be tackled by effective awareness, training and support.

Some Readings and Why Compliance Does Not Always Mean Security
[23 Jun 2007|02:04am]
(Originally posted at un-excogitate.org)
This week has been incredibly hectic at work. A combination of not only the other project guy being on leave, but also our direct manager too. I've been keeping track of my online reading, but only at a superficial level. Some of the things that definitely jumped out at me..
Google Safe Browsing API
The Safe Browsing API is an experimental API that allows client applications to check URLs against Google's constantly-updated blacklists of suspected phishing and malware pages. Your client application can use the API to download an encrypted table for local, client-side lookups of URLs that you would like to check.
I think this effort is related to the research and hard work that Google have been doing in this space and it's good to see them giving this sort of functionality back out to the Internet. Apart from the obvious uses that this sort of API provides to developers, it's all the stuff that you can't think of that makes it exciting, I mean have you seen how much stuff you can do with Google Maps.
Trinity Rescue Kit
Trinity Rescue Kit or TRK is a free live Linux distribution that aims specifically at recovery and repair operations on Windows machines, but is equally usable for Linux recovery issues.
Found this on a post from Darknet and what I found really interesting was the toolkit's ability to read and write to NTFS. Cool stuff.
Why do Security?
Really good post from Andy's blog on why compliance is not the reason to secure. I couldn't agree more, and it's surprising how many people still tie them together as if one implies the other. I understand that they potentially overlap quite a bit but they can also be separated completely. At work we try and offer solutions to both and often have a distinct line between our approaches: compliance control recommendations and risk-based control recommendations.
This issue relates quite closely to security awareness - another topic that we discuss almost daily - and on most project engagements some of the time is spent on educating non-security team members on the two separate approaches we use, and the difference and importance of the two approaches. The idea is to hopefully push some of this "culture" out to the IT teams to get them to start documenting controls even before we see the documentation and in some cases we are starting to see this happen. We don't expect non-security people to be experts on compliance and up-to-date vulnerabilities, which is what we're there for, but the more they start thinking about these issues the more secure the process is from end to end.

Word of the Day: Idempotence
[17 Jun 2007|01:51pm]
(Originally posted @ un-excogitate.org)
Whilst wading through some of the standards at work I stumbled upon this word and naturally I ended up at Wiki (and Answers) to figure out what it meant.
In mathematics the concept of idempotence roughly means that "some operation yields the same result whether it is done only once or several times..."
When looking at this term in computer science it refers to when a function, or RPC call, or web-service call, or any type of operation in a distributed system, "can be safely called repeatedly, since a single call or multiple calls produce the same result and the same side effects to the entire system as a whole."
Answers has a few examples which explain what this concept means, two of these are:
- C header files, which "are often designed to be idempotent, that is, if the header file is included more than once (as can easily happen with nested #included files), then nothing untoward happens - the effect is the same as if a file had been included only once."
- and HTTP GET Requests, which "are assumed to be idempotent. The web infrastructure uses this assumption to cache the result of these requests."
As you can see the computer science meaning of this term morphs the original mathematical semantics just slightly; regardless, the concept is quite interesting and does play a part in securing web applications, in particular when designing input/output and using the HTTP protocol as it was originally intended, such as submitting changed, non-idempotent data with POST instead of GET.
Where this is potentially vulnerable is where web apps are designed to use GET requests to modify databases, or make other state changes. In addition to these requests being cacheable, and therefore recalled, it can also lead to unsuspecting third parties making system changes. A number of sources highlight that the potential source of this problem is that the HTTP RFC only infers that GET calls are idempotent, while they may be implemented differently - obviously that is left up to the programmer.
A good example of this type of exploit is when digg.com allowed users to add friends just by visiting a URL, ie http://digg.com/invitefrom/{username}.
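The digg example above, written out as an added example that is not digg's code and not part of the original post: a handler that changes state on any request to /invitefrom/<user>, beside one that keeps GET free of side effects (RFC 2616 calls GET a "safe" method, on top of idempotent) and confines the change to a POST carrying a per-session form token, the usual defence against what is now called cross-site request forgery. The in-memory Store, the session cookie and form shape, and the handler names are assumptions made for the example.

```python
"""GET that mutates state vs. a POST-only, token-checked mutation.

Added example; the Store, session layout and handler signatures are assumed
for illustration and are not digg's implementation.
"""
import hmac
import secrets


class Store:
    """In-memory friend lists and sessions (constructed for this example)."""

    def __init__(self):
        self.friends = {}    # username -> set of friends
        self.sessions = {}   # session cookie value -> {"user": ..., "csrf": ...}

    def login(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_hex(16)}
        return sid


def _target(path):
    """Return <user> for a path of the form /invitefrom/<user>, else None."""
    parts = path.split("/")
    if len(parts) == 3 and parts[1] == "invitefrom" and parts[2]:
        return parts[2]
    return None


def invite_unsafe(store, method, path, cookie_sid, form=None):
    """State change on any method, GET included.

    The browser attaches the site's session cookie to every request for the
    site, so <img src="http://digg.com/invitefrom/attacker"> on an unrelated
    page makes a logged-in visitor add the attacker without clicking anything.
    """
    session = store.sessions.get(cookie_sid)
    if session is None:
        return 401
    target = _target(path)
    if target is None:
        return 404
    store.friends.setdefault(session["user"], set()).add(target)
    return 200


def invite_safe(store, method, path, cookie_sid, form=None):
    """Same feature; GET has no side effects and the mutation needs a POST
    carrying the token that only the site's own form was given."""
    session = store.sessions.get(cookie_sid)
    if session is None:
        return 401
    target = _target(path)
    if target is None:
        return 404
    if method != "POST":
        return 405                       # GET may look, not change
    supplied = (form or {}).get("csrf", "")
    if not hmac.compare_digest(supplied.encode(), session["csrf"].encode()):
        return 403                       # no valid token: not from our form
    store.friends.setdefault(session["user"], set()).add(target)
    return 200


def cross_site_image(store, handler, victim_sid, attacker):
    """What an <img> tag on a third-party page produces: a GET with the
    victim's cookie and no form body. Returns (status, attacker now a friend)."""
    status = handler(store, "GET", f"/invitefrom/{attacker}", victim_sid)
    user = store.sessions[victim_sid]["user"]
    return status, attacker in store.friends.get(user, set())


if __name__ == "__main__":
    for handler in (invite_unsafe, invite_safe):
        store = Store()
        sid = store.login("victim")
        print(handler.__name__, cross_site_image(store, handler, sid, "mallory"))
```

Note that the safe handler is still idempotent in the mathematical sense (adding the same friend twice leaves one entry), which is fine: the property the page is worried about is GET having side effects at all, not repeated POSTs.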

Web Server Malware Statistics
[09 Jun 2007|11:25am]
(This post originally @ un-excogitate.org)
The Google Security Blog has an interesting article on some research they've been performing on comparing web server software against web servers distributing malware. The statistic I liked the most of course was that while Apache accounted for approximately 66% of web servers on the internet (IIS at 23%), IIS accounted for 49% of the web servers hosting malware.
The article offers up some suggestions for why this may be the case
We suspect that the causes for IIS featuring more prominently in these countries (China and South Korea) could be due to a combination of factors: first, automatic updates have not been enabled due to software piracy, and second, some security patches are not available for pirated copies of Microsoft operating systems.
It seems like a downward spiral where pirated software in turn leads to end-user exploitation. Whether or not Microsoft, for the greater good, should allow their patches to be applied to pirated software I'm unsure. It's a balancing act I guess; until some critical mass of end-users get owned by these servers it's probably not worth them changing their policy.

Insiders and Webservers
[05 Jun 2007|07:09pm]
(Originally posted @ un-excogitate.org)
Two separate things I wanted to write about in here today.
Firstly was the article from Infoworld on a Cyber-Ark study into IT employees gaining unauthorised access to company systems. (Thanks Martin for the link to the article). Even though most security people will be open about their concerns of the insider threat, the "nice-guy" in me was still surprised to see the results of the study finding that:
one in three of the roughly 200 IT employees participating in the study admitted to somehow gaining unauthorized access to company systems for the purpose of reading sensitive materials.
And this was from an Information Security event!
Naturally you have to take these sorts of survey results with a grain of salt. So I jumped over to the news release to have more of a look and found even more findings of a "well I knew it was bad but didn't realise it was that bad" nature:
more than half of people still keep their passwords on a Post-It note, in spite of all the education and reminders to do differently.
This included Administrative level credentials.
These sorts of security problems do make me remember all the hours I spent at university working on technical solutions to this sort of problem (nothing has changed in 3+ years people), and it becomes so apparent, not that it wasn't already, that this problem has deeper roots than technology, people and policies. There might never be a perfect fix to this problem.
The second thing I wanted to mention was that NIST just released a Draft of their Guidelines on Securing Public Web Servers and after a quick skim read I was quite pleased with it. In particular the section on "Recovering from a Security Compromise". I know that so many people out there are fantastic at configuring servers and web applications, but compare that with the number of people who could successfully recover from a security compromise and gather useful forensic evidence and you would be greatly surprised.

Offline RSS is Old School
[03 Jun 2007|05:52pm]
(Originally posted @ un-excogitate.org)
And now thanks to Gears I can read my news on the laptop even after it's disconnected from the (inter)network!
This sort of functionality has been something that I've wanted for quite sometime, particular in the field of portable devices. The old adage of wanting to develop applications on PDAs and have them cache data offline whilst out on the field, then re-synchronise with the central database when they get back home.
Trust Google of course to make it all happen within your web-browser. Really good idea and I'm guessing it's going to help them really start to rope people into the concept of the GoogleOS (which people have been talking about for a while now).
And to ice that cake of theirs they've provided a simple, documented API for all your code-monkeys out there.
Of course, the security side of Gears is fairly interesting, and I'm betting right now that forensic experts out there are dissecting the manifest files and all the other funky stuff that's done in JavaScript and Gears. Especially as the API tutorial shows you that even after clearing Firefox's cache Gears still kicks in and stores that data offline.

Remind Me
[19 May 2007|06:37pm]
(Originally published at un-excogitate.org. You can comment here or there.)
This weekend has been so much slower than last and I can’t even begin to explain how good that is. I think the problem with last weekend was that it was the culmination of my sister’s birthday and mother’s day. Combine that with my family, Sara’s family, having to celebrate with my sister in silos to prevent interaction between my mum and dad.. it felt like we never stopped.
Today on the other hand had me up and about, but not rushing about, caught a coffee with my mum and wandered around the city prior to me ending up in the rehearsal room for 4 hours and then just spending some time catching up some Internet reading.
Some of the more interesting things from today’s reading include:
- The new Google Analytics. With all its revised Web2.0 web site statistic goodness. The only problem I have with the new version is the fact that it’s still so good at telling me how poor my hits are.
- Another Google statistic item, this time the Gapminder World 2006. Provides you more information on global statistics, for example life expectancy versus income per capita, than you can poke a stick at.
- Finally, the Remind Me video clip from Röyksopp. Saw this on the core77 blog and was really impressed with it. I love this style of art.

Security Priorities
[05 May 2007|09:57pm]
(Originally published at un-excogitate.org. You can comment here or there.)
I’ve been really enjoying darkreading as of the last couple of months and their recent article on Security’s Top Five Priorities is no exception. It’s also good that they mention that their recent findings are different from similar research they performed not more than five months ago. This is a clear sign of how volatile this industry is, and I guess why I find it so interesting.
In short their top 5 priorities are as follows:
- Portable Devices leading to unauthorised information disclosure OR malware introduction
- Web application security, especially as these are becoming ubiquitous and often slip through firewalls and IDS without too many problems
- Security leaks and insider attacks, good examples of how the old “egg-shell” paradigm just does not cut it these days, you can’t just install firewalls to block the Internet when you give your 100+ inside employees access to sensitive information without controls. This problem also steps outside the boundaries of technology which is quite nice.
- Endpoint security. This can mean so many different things but this article is talking directly about Network Admission/Access Control
- Botnets
Personally I’m surprised that Botnets made it into the list over something like compliance or security awareness training (read social engineering), but their sample base is probably quite varied and I guess a lot of ISP/Marketing type companies might rate Botnet threats quite high compared to other issues.
I also find it interesting how some of the items are so closely related, in particular portable devices, endpoint security and insider threats. These three threats, in many cases, would not exist without the other. A good example is software which may be used to place controls around authorised USB memory stick access, directly related to portable device security but also acting as an end-point control usually trying to minimise the likelihood of an insider taking away sensitive information. This is of course referring to end point security which is not directly network access based.
Another interesting point is how their results differ slightly from the most critical issues that were highlighted in the 2006 CSI/FBI Computer Security Survey, being:
- Data Protection, including classification, identification, protection and application software vulnerability security
- Policy and regulatory compliance
- Identity theft and leakage of private information
- Viruses and worms
- Management involvement, risk management, or supportive resources such as HR

25
[04 May 2007|06:25pm]
(Originally published at un-excogitate.org. You can comment here or there.)
It’s been a little under a week since I turned 25 and I have to say I’m doing a fantastic job of making it last. I mean there is still some cake left in the fridge 6 days after!
As far as birthday presents go I was spoilt rotten, as usual, here is a pic of some of the goodies.
For birthday cakes I was lucky enough to receive not one, not two, but four different cakes. My favourite was easily the chocolate cake made by Sara and adorned with Strawberries!
In addition to being long lasting it’s also been a fantastically interesting week, work wise. It’s been the 2nd week of my new job and every day is exposing more challenges and more things which are interesting me. The more I get to know my colleagues the happier I am at the decision I made to shift into this job.

Cookies and Hacking Web 2.0
[27 Apr 2007|10:43pm]
(Originally published at un-excogitate.org. You can comment here or there.)
Just read the short, but interesting, post from shauninman.com where he comments on the cookie disclaimer on allthingsd.com. For some reason this post jumped out at me and made me realise that “oh yeah, cookies are taken for granted”. I mean it’s not like many people stop each and every cookie and inspect their content then pass judgement on whether to allow them or not. In fact, it is probably true that in many cases cookies are taken for granted by the same people who try and advocate against widespread acceptance of cookies.
So as a security expert I like the idea of providing an open disclaimer to your web-visiting clientele explaining just what sort of cookies your website is going to create, but I can’t help but think that as a web designer wanting to make any sort of money off your traffic you want to make sure that these sorts of things continue unhindered. So which is it? Explain how to remove the cookies? Just don’t use the cookies? Remove your ads? Keep your ads?
I don’t know the answer and most likely it can only be decided on a case by case basis. Either way I like the initiative that allthingsd.com have taken in explaining what third-parties are involved in cookie placement.
On a side note I’ve been really interested in reading jungsonnstudios.com, recently renamed to 0x000000.com. A recent entry that I found REALLY informative was his link to a presentation given in Dubai on Hacking Web 2.0. Not entirely unrelated to the first half of this post, as cookies do play a minor role in user experience and web2.0 stuff.

Profile of a Fraudster
[25 Apr 2007|10:13am]
(Originally published at un-excogitate.org. You can comment here or there.)
Just finished having a skim of the KPMG Profile of a Fraudster Survey for this year, which I found from the recent Risks Digest post. I have to admit that this survey interested me not only in the professional sense but also personally given my family history. Some of the more interesting statistics do not surprise me at all:
- 70 percent of fraudsters were between the ages of 36 and 55 years old.
- 85 percent of perpetrators were male.
- In 68 percent of profiles the perpetrator acted independently.
- Members of senior management (including board members) represent 60 percent of all fraudsters. An additional 26 percent of profiles involve management level persons bringing the total to 86 percent of profiles involving management. This result highlights a risk that every company faces: executives are entrusted with sensitive company information and yet are also often in a position to override internal controls.
- 91 percent of perpetrators did not stop at one single fraudulent transaction but rather performed multiple fraudulent transactions; every third perpetrator acted more than 50 times.
- Greed and opportunity (when taken together account for 73 percent of profiles) are indicated to be the overriding motivations for fraud.
- No prior suspicion existed in more than half of the profiles…
- Perpetrators were able to commit fraud by primarily exploiting weak internal controls, in 49 percent of profiles.
I guess the only additional information I would have liked to have seen from this report is more international information, such as from Australia and the US.