patchtuesday.com - an Information Security... ish blog
zann 10/15/2006 - 13:28
Do you remember the days when someone was on the phone chatting away and not paying attention to driving? Those days will soon be missed. Twice last week I noticed near wrecks by drivers, but instead of talking on the phone, they were texting. Evidently, I am not the only one noticing this... here is an article from Mercury News on the topic as well.
zann 10/15/2006 - 13:25
I apologize for the lack of content over the past month. My wife was finishing out the last stages of pregnancy and I am getting adjusted to my new life as a father. I am starting to get back into the groove, so you can expect to see this blog pick up a bit more here in the coming weeks. Thank you for your patience.
zann 09/17/2006 - 21:42
I am catching up on my reading for the week... so I just ran across this article. The article touches on the evolution of the anti-virus market... how it was an annoyance before and is a tool of crime now. Here is a clip from the article that illustrates the point:
Over the last two years, malware has become professional crimeware. No longer coded by kids hoping to impress their friends, crimeware is big business. It's more sophisticated, hides better, and contains more tricks; instead of one attack vector, it contains 10. The professionals intentionally code their malware programs to escape detection. Often, the latest crimeware bug is nothing but the same old Spybot or Sobig variant malformed just enough to escape anti-virus scan detection.
zann 09/10/2006 - 16:43
I was turned on to bitty browser earlier this week. This is an interesting concept... it is like a picture-in-picture for a browser. It would be interesting if this concept could be used to route traffic through the host website instead of the local proxy settings. It would seem that something like this (using the host site's connection) could be used for quick searches that you want to remain anonymous or if you are behind a proxy server in a corporate environment that has some sites blocked. I like having my search history logged for later reference so I would probably not use this a ton; however, I can think of a couple of times that this would have really worked in a pinch.
zann 09/05/2006 - 13:06
This is one of the lighter hacking stories I have seen in a while. Evidently, there is sport in hacking your way into a casino pool in Las Vegas. Why? Well it appears that the pools are the place to be during the day in Vegas. According to the article, going to the pool seems to be like going to a popular night club... to wait in line, sometimes for as long as three hours, or to pay the cover, $30 for men, $20 for women, $3,000 for a cabana.
zann 08/25/2006 - 22:15
Now here is something that you do not see every day... at least not publicly. Paris Hilton accused of hacking! It is official, anyone can be a hacker. No longer are we limited to the ranks of zit-faced teenagers and social misfits that lurk in the corners of the internet to hold the title 'hacker'... it is also open to socialites that act like grade school girls. I think that this is pretty ridiculous:
zann 08/23/2006 - 20:15
As some of you know, this site was started as a project to find a way to bring some sanity to the world of security patching. For those of you that are interested: the original mantra of patchtuesday.com. I run across articles from time to time that outline the problem of patching from a vendor perspective. Here is an example of how the chaos continues from SecurityFocus.com. While the example here is a Microsoft patch, in theory, it could happen to any vendor. Basically, Patch Tuesday rolled around, Microsoft issued their set of patches, and people started applying them.
zann 08/14/2006 - 12:06
As a result of the alleged foiled terrorist plot last week in London, a wave of new security restrictions has come into play. Based on what I have read on the topic thus far, I think that most of the controls seem acceptable. The question I normally have in the wake of new procedures like this is: How long will they be in play? I have done a fair amount of traveling in my career - from the time before 9/11 when 15 min was almost overkill to get through security, to the weeks after 9/11 where you seemed to bump into guards w/ M-16s every time you turned around, to having to remove my shoes at every checkpoint.
zann 08/12/2006 - 00:28
Today on NPR, there was a story titled "Time to reconsider terrorism futures". It seems a bit morbid on the surface; however, it brings up some pretty good points. In thinking about the use of futures for terrorism, I think that it would be just as worthwhile to think about using futures for IT Security. Virtually the same logic applied by Susan Lee in the article above could be used to predict IT Security issues.
zann 08/09/2006 - 14:54
There was a story on www.smh.com.au yesterday titled "High bidders with low motives". In short, the story is about the sale of vulnerabilities to the highest bidder... regardless of whether the bidder is a legitimate company or a bad guy looking to profit off of the purchase. I have been thinking about this for a while, and I have mixed emotions on the topic. Here are the questions that I have been asking myself:
zann 08/05/2006 - 00:48
According to a ComputerWorld article published today, two executives from the publicized Ohio University data breach were fired. This is in addition to the CIO that resigned three weeks ago. I have only read the press releases on this story, so I do not have the total picture of everything that transpired behind the scenes. As I start to read between the lines, I cannot help but wonder if these executives were actually an example of a quote I once saw that was made by Gene Spafford.
zann 08/02/2006 - 12:29
Interesting article from the Register on how steganography was being used in prison to order murders. I doubt that any of the inmates that created these cryptographic messages will be nominated for the Fields Medal; however, I did raise an eyebrow when I read the original article and learned that the Baconian cipher, a 400-year-old cryptographic technique, was used.
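For readers who have not met the Baconian cipher, here is an added worked example (my own illustration, not code from the post or from the Register article). It uses the 26-letter variant of Bacon's table, which is an assumption on my part (Bacon's original 24-letter table merged I/J and U/V), and it adds an end-of-message marker that Bacon did not use. Each letter becomes a five-symbol A/B group, and the groups are then hidden in the letter case of an innocent-looking cover text, which is what makes this a steganographic scheme rather than a confidentiality one: anyone who knows to look at the case pattern can read it. The sample message and cover text are constructed for the example.

```python
"""Baconian cipher plus a case-based carrier: encode a message as 5-symbol
A/B groups, then hide the groups in the letter case of a cover text."""
import string

# 26-letter variant (assumption: Bacon's original 24-letter table merged I/J and U/V).
ALPHABET = string.ascii_uppercase
# Value 31 maps to no letter, so it makes a safe end-of-message marker.
# This marker is an addition for the example, not part of Bacon's scheme.
END_MARK = "BBBBB"


def bacon_encode(message: str) -> str:
    """Turn each letter into a 5-symbol A/B group (A=AAAAA, B=AAAAB, ..., Z=BBAAB)."""
    groups = []
    for ch in message.upper():
        if ch in ALPHABET:  # spaces and punctuation carry no letters and are dropped
            bits = format(ALPHABET.index(ch), "05b")
            groups.append(bits.replace("0", "A").replace("1", "B"))
    return "".join(groups) + END_MARK


def bacon_decode(code: str) -> str:
    """Reverse bacon_encode; stops at the end marker or at any non-letter group."""
    symbols = [c for c in code.upper() if c in "AB"]
    letters = []
    for i in range(0, len(symbols) - 4, 5):  # only complete 5-symbol groups
        value = int("".join("0" if s == "A" else "1" for s in symbols[i:i + 5]), 2)
        if value >= len(ALPHABET):
            break  # END_MARK (31) or any other unused group value
        letters.append(ALPHABET[value])
    return "".join(letters)


def hide_in_case(code: str, cover: str) -> str:
    """Steganographic carrier: each cover letter's case carries one symbol
    (lowercase = A, uppercase = B). Non-letters pass through untouched.
    Cover letters left over after the code is spent are lowercased; the end
    marker stops the decoder from reading them as a run of 'A's."""
    capacity = sum(ch.isalpha() for ch in cover)
    if capacity < len(code):
        raise ValueError(f"cover has {capacity} letters, need {len(code)}")
    out, i = [], 0
    for ch in cover:
        if ch.isalpha():
            symbol = code[i] if i < len(code) else "A"
            ch = ch.upper() if symbol == "B" else ch.lower()
            i += 1
        out.append(ch)
    return "".join(out)


def extract_from_case(stego: str) -> str:
    """Read the hidden message back out of a case-carrying cover text."""
    code = "".join("B" if ch.isupper() else "A" for ch in stego if ch.isalpha())
    return bacon_decode(code)


if __name__ == "__main__":
    # Constructed sample, not taken from the article.
    secret = "MEET AT NOON"
    cover = ("Please send more socks and the book about birds; "
             "mom says the garden is doing fine and the dog misses you a lot.")
    stego = hide_in_case(bacon_encode(secret), cover)
    print(stego)
    print(extract_from_case(stego))  # MEETATNOON
```

The oddly capitalised letters in the output are the whole "ciphertext"; a mail screener who expects the trick only has to read case as bits, which is why this counts as hiding a message rather than protecting one.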
zann 08/02/2006 - 00:59
Over the past month or so, I have been digging into Portable Apps from a consumer perspective. The concept of portable apps is pretty simple... and instead of trying to come up with my own definition, I will just copy the definition from the Portable Apps site: A portable app is a computer program that you can carry around with you on a portable device and use on any Windows computer. When your USB flash drive, portable hard drive, iPod or other portable device is plugged in, you have access to your software and personal data just as you would on your own PC. And when you unplug, none of your personal data is left behind.
zann 07/24/2006 - 17:20
BootStrap Security is a term that I give to clever, inexpensive, and relatively effective methods to solve real security problems. I have come up w/ a ton of these over the years... and have forgotten a number of them. So from now on, any time that I think of, see, or come across a BootStrap security idea, I will post it.
Home Alarms
Depending on where you live in America, home alarms are largely useless. I know that does not make the ADT or Brinks sales guy feel too good, but it is the truth.
zann 07/24/2006 - 03:53
Three strategy issues that Info Sec departments will have to deal with in the near future: Part I
Over the years, there have been concepts and strategies that have popped up and gone away with the times. The concepts that I try to pay attention to are ones that I hear time and again from different sources and presented in different manners. For example, until I see a concept/strategy covered by mainstream media sources, papers written by industry analysts, blogs, vendor support, etc... I have a hard time reconciling a concept/strategy in my mind with its potential viability in the market.
zann 07/17/2006 - 14:19
There is absolutely no Info Sec value to this... but posting this calculation seemed like a good idea at the time. $10 to the first person that can recite this orally in less than 2 min. ;)
pi = 3.14159 26535 89793 23846 26433 83279 50288 41971 69399 37510 58209 74944 59230 78164 06286 20899 86280 34825 34211 70679 82148 08651 32823 06647 09384 46095 50582 23172 53594 08128 48111 74502 841
zann 07/09/2006 - 02:21
About three months ago, I was turned on to Clipmarks, about one month ago I became a Clipmarks user, and about a day ago I started wondering how I lived without it. Clipmarks is really pretty slick in how it works. You set up an account, download the browser plug-in, and start 'clipping'. Basically, 'clipping' is nothing more than using the Clipmarks tool to highlight something that you see on a web page and save it. Think of it as bookmarking with an attitude. Clipmarks has a Web 2.0-ish look and feel... tagging, comments, and tie-ins to services like del.icio.us and digg really make it useful. Additionally, you can make comments about your clip, and others can also comment and/or 'pop' your clip. Popping is a concept similar to 'digging', essentially a real-time poll or agreement with an article, story, or clip.
zann 07/06/2006 - 00:00
In Corporate America, everybody's gotta watch everybody else. Since the users are looking to beat the company, the administrators are watching the employees. The managers are watching the administrators. The directors are watching the managers. The VPs are watching the directors. The CEO is watching the VPs. The board is watching the CEO. The stockholders are watching the board. And the eye-in-the-sky Vericept is watching us all.
zann 07/03/2006 - 15:28
The term 'Information Security Portfolio Management Services' is a mash up of Information Security Management and Financial Portfolio Management Services. If you have a financial advisor, you probably go to them once or twice a year and present them with a wish list. You mention things like you want to retire at 60 and have an income of $x per year until 90, you want to finance $y of your kids college education, maybe you want to go on an extravagant trip to the South Pacific for your 25th wedding anniversary that will cost $z, buy a lake house, annually support a charity, and so on. Based on this wish list, the financial advisor applies their knowledge of the financial management space, like the Rule of 72 , tax laws, their own personal experiences, etc. and tells you how much you have to sock away and where to best sock your money to have the best chance to accomplish your wish list.
zann 07/01/2006 - 20:27
As an Information Security practitioner, most of my day seems to be about risk... addressing risk, quantifying risk, analyzing risk, building countermeasures to support risks, etc. So when I hear somebody in the media talk about risk, my ears normally tune in. That was the case here. I was listening to the news at the gym yesterday and heard one of the more convincing risk acceptance arguments that I have heard in a while. The argument was made by Mike Griffin of NASA. Click here for the CBS page that has the whole story.

patch tuesday 2005 - 2006