Showing posts from January, 2009

Aligning Online Security Interests

There was an interesting discussion regarding the larger societal problems associated with the use of insecure online services over at Wade Woolwine's blog. This is a follow-on to the discussion by Jeremiah Grossman regarding the alignment of interests in web security. This discussion centered around the topic of how to align interests related to protecting online information. I have separated this problem into what I think are three important parts: definition of common goals, evaluation of online services against these definitions, and education of consumers/clients/users about the product standards and evaluations. As a security professional, I often use the metaphor that information security controls mirror the brakes on a car, in the sense that they are used as risk mitigation. The faster you want to get from A to B, the more robust the brakes you need. In addition, for the purposes of this discussion, for vehicles in Canada there is also a minimum standard o

Completely Automated Brief History - Completely Automated Public Turing Test to Tell Computers and Humans Apart

Computer World has published an interesting and informative article regarding the Completely Automated Public Turing Test to Tell Computers and Humans Apart, or CAPTCHA as they are affectionately known. While they discuss the value of bot-busting techniques, they also note one of my favorite stories about the spammers using human-based cracking, and my personal favorite of all of these for its effectiveness: getting people to do the heavy lifting for free!

OS X Forensics Resources

With the recent and growing rise of Apple's market share and Microsoft's graceful decline, forensic investigations will increasingly encounter Macs as part of the case. But do your existing toolset and methodologies take the unique characteristics of HFS+ into consideration? What about FileVault and Time Machine related structures? Check out the Mac OSX Forensics site as a good place to start with the learning.

ISACA Publication - Defining Information Security Manager Position Requirements

For those Security Managers that have subscriptions to the ISACA publications, there are a couple of interesting articles/publications that have been released. The first one, Defining Information Security Manager Position Requirements, provides a good description of the information security management role within organizations and what it takes and will take to succeed. The JOnline publication also includes an article written by Kim Fath and John Ott that provides a basic description of the risks associated with application vulnerabilities. Although not a very original article, it provides a good basic description of the issues.

Responsibility for Public Information Security Training

There have been a number of articles posted recently which point out statistics related to corporate responsibility for security practices, data breach disclosure laws which make it a requirement for customers to be notified of such breaches, etc. Are Canadian Breach Disclosure laws adequate? Canadian legislation not coming? In my observation, there may be a greater risk to our online society from general data abuses and breaches to ordinary citizens; many of these risks appear to stem from our behavior and online habits as a whole. Although many of us educated in the methods used to exploit sensitive information can protect ourselves through checking website SSL certs, knowing what a phishing (spam) email looks like, or running a few Google queries to check into the past of a person we're going to transact with, I would argue that the large (and growing) majority of Internet users are not even this savvy. Do we really think that this population of users will learn these skills

3rd Largest Data Breach Reported

Another wonderful example of how "massive" data breaches can occur. It will be interesting to see how the fallout from this incident differs from the TJX event. From the Washington Post: Heartland called the U.S. Secret Service and hired two breach forensics teams to investigate. But Baldwin said it wasn't until last week that investigators uncovered the source of the breach: a piece of malicious software planted on the company's payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company's retail clients. Baldwin said Heartland does not know how long the malicious software was in place, or how many accounts may have been compromised. The stolen data includes names, credit and debit card numbers and expiration dates. "The transactional data crossing our platform, in terms of magnitude... is about 100 million transactions a month," Baldwin said. "At this point, though, we don't know the magnitude of what was

Security Strengths of Cloud Services

As the debate rages on the direction of 'cloud' computing, which is really just a 2.0 word for 'software-as-a-service' or SaaS, there are in my opinion a few security benefits which make cloud based services a more secure option for some.

1. Common platform. Using a single service platform has the advantage that if a vulnerability exists in the service, it only takes one remedial fix. This is unlike unique implementations of similar products at each customer, where vulnerabilities can go unnoticed, unpatched, and exploited for long periods of time. This glass can also be half-empty though, and a single problem or weakness can affect all of the service's customers. But if my own experiences with using common platform products (like my MacBook) are any indication, I would rather have a problem that all of the product's customers have and that will attract the required attention from a vendor at risk of losing them.

2. Service agreements. Mature formal service a

SANS Top 25 Programming Errors

Looks like appsec product vendors now have another angle to sell their gear, as SANS has announced the release of their top 25 programming errors. This is a fantastic list of issues that don't get enough airplay, and instead of focusing on the symptoms of the mistakes (aka the OWASP top 10 web-app vulns) this list provides a sample of the root cause issues, although it could be argued that all of these common problems stem from a lack of security policy definition and enforcement regarding development. At least for those organizations that like to use these types of lists as a form of policy tool, it will significantly reduce the number of issues that arise from development.

Forensics Links

Sorry about the gap in posts; it's been an excellent holiday season and therefore not much time to read or write. Here are a couple of links to some excellent forensics papers which are almost required reading for security professionals these days. The Information Assurance Advisory Council has published a 2nd edition of their guide for collecting and presenting digital evidence. An excellent reference for forensics work related to virtual machines has also been published by Brett Shavers here. A must-read for anyone doing forensic work related to VMs. Finally, here is a link to a list of papers related to digital forensics along with a great forum for investigators to discuss related topics: Forensic Focus. I know that it is easy for security professionals not working daily with forensics to miss out on some of the excellent material out there; I hope this helps catch people up. Mark