All News (140 Posts)

<< Next - First ... 10 11 12 13 14 . Last - Previous >>

The scary world of Social Media and geo tagging

As the saying goes, “it is never too late”, and it is only recently that I created a twitter account.
I was convinced to do so after attending a SANS training course (more on that soon) where the instructor told us twitter was the best way to keep up to date and in touch with a great online security community.

I am not new to social media, but after “playing” with twitter for a few days I am both impressed and concerned!

Impressed because it is slick and indeed a great way to follow up some topics and keep in touch.
Concerned because it is a mine gold for wanna be thief!

It has been well publicized that people share far too much information on Facebook, information that can sometimes be used against them (by employers, people who dislike you, ex lovers, etc).
I feel however the micro blogging format of twitter invites more its users at describing and sharing mundane information such as what you eat, what you think, what you ...
>>[READ MORE]


PS3 Hacked and Cryptography

The recent hack on PS3 where the private key used by Sony to sign their games has been recovered is of course a very bad news for Sony. It finishes to open the door to piracy which started in January 2010. In theory, anyone could now sign (pirated) software to run natively on the PS3.

It is a case of badly implemented cryptography algorithm, in that case, the use a proprietary signing algorithm with a faulty random generator.
Crypto 101 says to NEVER use proprietary/secret algorithms. Now Sony’s will pay the price for not listening :)
The PS3 hack story is a great example of badly implemented cryptography which is as important as the choice of the security controls used to protect an asset.

BBC NEWS ARTICLE

The start of an answer from Sony, which seems to indicate they did not grasp the severity of the issue when first announced about a week ago
>>[READ MORE]


Interesting acquisitions

2011 seems to cary on with the trend of security companies acquisitions by big IT names. This is now the turn of DELL to buy SecureWorks, planning to offer managed security services in a near future.

Another interesting acquisition is that of Immunet by Sourcefire, which should help the later company to grow its business “in the cloud”.

SaaS and “in the cloud” are two 2010 themes which are likely to grow even more this year.

...
>>[READ MORE]

“Freemium” user procurement Strategy

Although this post is not directly related to IT Security, some of its implications are.

Looking at the recent craze around iOS devices which is pushing many companies to react to its users bringing such devices in the corporate environment, I wonder if some kind of new and ever so slightly twisted corporate “Freemium” user procurement strategy could be extracted from this…

– Wait for a new “sexy” gadget to come along that everyone wants
– Offer a free and equivalent “boring”/cheaper gadget, which does the job and just that.
– Resist your users to provide that new gadget…
– …but do not resist that much so it does not work in your corporate environment
– Accept and work to mitigate the risks associated with those uncontrolled devices
– Wait for the number of those users to grow and pass a tipping point
– Officially accept the use of those new gadg...
>>[READ MORE]


Stuxnet, a Digital Worm with physical consequences (not to say political!)

To follow-up on the theme of my last post, this worm has recently received a lot of media attention:
– It targeted Iran nuclear Plants (among other things)
– It is so sophisticated that it has likely been done with some country/national support
– It had a payload with physical consequences

One thing which did catch my attention was that in order for this worm to be so successful against a Process Network, the group of “hackers” must have had access to a testing environment… not everyone has a refinery in their back garden…

Below is a good explanation of what it actually does and how it does it.
If you are in a hurry:
http://www.symantec.com/connect/blogs/exploring-stuxnet-s-plc-infection-process
If your TV is broken:
>>[READ MORE]


Are you taking ZeuS wrath seriously?

ZeuS seems to be a popular and quite successful Trojan at the moment, at least in the UK.
It has been around for a while and has been updated several times (at least 3).
There is an excellent white paper written by M86 Security describing its use in what looks like an ongoing and sustain attack against British Banks.
The latest arrests were announced today where hackers had managed to steal about 20m pounds!
If you search the Internet you can see a trend where British bank customers have been successfully defrauded from their money over the last year, all by hackers using the ZeuS Trojan and for what seems an increasing amount of money!

What I find interesting is the fact money is being stolen at large and increasing scale. Actual mone...
>>[READ MORE]


IDC’s IT Security Conference 2010 – My take on it.

Yesterday I attended the IDC Security Conference in London.

I was not too sure what to think of it as I never attended that event before and only accepted a “spam/unsolicited invite” because for once I took the time to read the agenda and list of speakers who were to attend.

I can now say I do not regret it and it was a great conference with lot of interesting content on the future security context related to cloud and mobile computing with a pinch of data privacy.

One of the reason I decided to attend was also because the keynote speaker was Bruce Schneier, a person I never had the privilege to see at a conference before and whom I appreciate his offbeat approach to IT Security.

Although I have attached a mindmap of my conference notes at the end of the post, if you do not want to see a “Death by MindMap” or have a 50inch screen then I invite you to read the many highlights and industry insights which were discussed at that conferenc...
>>[READ MORE]


A funny case for not reusing passwords

By the way, you are free to create an account on my website! ;)

As seen on XKCD.COM!

...
>>[READ MORE]

Arcsight, another expensive acquisition… sorry, merger!

Following on the $7 billion and a bit acquisition of mcAfee by Intel last month, it is now the turn of Arcsight, a data correlation engine, to get acquired by HP for $1.5 billion, a bargain then! This follows a trend for large non IT Security companies to step into the security field.

What I found interesting though is the difference in vocabulary used by the two companies, actually, by the Arcsight current CEO Tom Reilly. HP speaks about “acquisition”, which really it’s what it is; whereas Tom’s email to Arcsight clients speaks about a “merger”. I guess this is standard practise when the smaller party get “swallowed” by a bigger company.

I’d be interested to see what changes this “merger” will bring to Arcsight and if any of the HP Operation Manager technology (aka OpenView) will find its way in a future Arcsight ESM release… or vice versa!

>>[READ MORE]


DoD Windows OS Security guides

I have recently came across that Department of Defence website where they provide free and unclassified Windows Security Guides. From Windows 2000 to windows 7, they provide a set of checklist and “STIG” which stands for Security Technical Implementation Guides.

Having only checked the Windows 7 “STIG”, I found it a useful resource when one can get some ideas on how to secure/validate a windows 7 server configuration.

http://iase.disa.mil/stigs/content_pages/windows_os_security.html

...
>>[READ MORE]