Thursday, November 27

Passive Information Gathering Tools for Firefox

There are all kinds of great tools popping up these days to help the security professional with their job. Here are a couple of the ones that I've found useful:

PassiveRecon in particular automates, to some degree, the mining of social and public information which is available about a target without actually connecting in any way to the host or web service.

AdvancedDork provides an easy way to use the advanced Google options (googledorking) to find additional or more refined public information regarding what's highlighted.

Any time a utility can cut down the time it takes to collect information, and so leaves more time for analyzing what's found, it gets put into the toolbox.

Monday, November 17

Distributed SQL Injection Analysis - Excellent Description!

The guys over at Bloombit (a British Columbia based firm) have provided an excellent analysis of an automated, encoded SQL injection attack, which describes many of the techniques that malware distributors are using these days and also gives some good pointers on how to prevent them. A few of the key points I got from the article:
  • Enforcement of parameterized SQL statements is important where possible.
  • Google and other web-based search tools are used to find starting points to conduct their probes (find your sites before they do!).
  • Profit-motivated criminals drive this issue - not script-kiddies.
If you are involved in coding any database-driven Internet sites or applications, give this a read.
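To show what the first point buys you, here is an added example (not from the Bloombit article or this blog) using Python's sqlite3 module against a constructed in-memory table: the same hostile input dumps every row when spliced into the SQL text, but matches nothing when passed as a bound parameter.

```python
import sqlite3

# Constructed demo database; the table and rows are made up for this example.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO posts (body) VALUES (?)",
                     [("first post",), ("second post",), ("third post",)])
    return conn

def lookup_concatenated(conn, post_id):
    # Vulnerable: untrusted input becomes part of the SQL statement itself.
    sql = "SELECT id, body FROM posts WHERE id = " + str(post_id)
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, post_id):
    # Hardened: the value travels separately from the statement, so the
    # database engine never parses it as SQL, only compares it as data.
    return conn.execute("SELECT id, body FROM posts WHERE id = ?",
                        (post_id,)).fetchall()

# Constructed hostile input: a tautology that widens a one-row lookup.
HOSTILE_ID = "1 OR 1=1"

def demo():
    conn = make_db()
    return {
        "normal": len(lookup_parameterized(conn, 1)),          # 1 row
        "concatenated": len(lookup_concatenated(conn, HOSTILE_ID)),  # 3 rows: whole table
        "parameterized": len(lookup_parameterized(conn, HOSTILE_ID)),  # 0 rows: no id equals that string
    }

if __name__ == "__main__":
    print(demo())
```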

Tuesday, November 11

Google and AARP Security and Privacy Videos

Google and the former Association of American Retired Persons (AARP.org - via wikipedia) have co-produced a set of six videos geared to help educate the masses on the types of things people should be doing to protect themselves better on-line. The messages here are great for the average Internet user, and cover Safe starts, Practicing password safety, Sharing your content safely online, Knowing what's posted about you online, Shopping safely online, and Avoiding phishing scams.

Free Downloadable Log Management Tool - Q1 Labs

Q1 Labs has released a free version of their QRadar product - albeit a limited version (50 events / second). For any small or medium sized business that's looking to get a handle on their security logs from hosts, firewalls and IDS/IPSs, this seems like the right price point. Be aware that they are collecting contact information so that a sales guy will call and hopefully upsell you to the paid-for enterprise version.

Thursday, November 6

CIPS - ICE Conference Presentation

I was lucky enough to be invited to speak at the recent Computer Information Processing Society's ICE Conference with one of the senior auditors from the Office of the Auditor General of Alberta. Our talk on the Myths of IT Risk and Control was well received and drew a lot of questions and interest from the crowd.

I've posted a copy of the presentation in both PDF and PPTX format for anyone who would like a copy. And if anyone would like me to present on this topic to their organization, please just let me know.

Inaugural Blog Post

This is the first blog post to the TripleCheck Consulting Blog. I hope to be adding interesting and engaging stories and reports from the Information Security and Risk Management world.

Please stay tuned...