Thursday, December 13, 2007
Botnet-controlled Trojan robbing online bank customers

Well, take a look at my presentation at BH Europe this year (March). This was there, as was the method used by the malware from that article: "The Trojan has the ability to use a man-in-the-middle attack, a kind of shoulder-surfing when someone logs into a bank account. It can inject a request for a Social Security number or other information, and it's very dynamic. It's targeted for each specific bank." (Don Jackson, SecureWorks)

So, another prediction from that presentation has just been confirmed.
Thursday, November 1, 2007
- "Once an external attacker penetrates perimeter security and/or compromises a trusted user account, they become the insider threat.
- Thus, from a security controls perspective it often makes little sense to distinguish between the insider threat and external attackers: there are those with access to your network, and those without. Some are authorized, some aren't.
- The best defenses against malicious employees are often business process controls, not security technologies.
- The technology cost to reduce the risks of the insider threat to levels comparable to the external threat is materially greater without business process controls.
- The number of potential external attackers is the population of the Earth with access to a computer. The number of potential malicious employees is no greater than the total number of employees.
- If you allow contractors and partners the same access to your network and resources as your employees, but fail to apply security controls to their systems, you must assume they are compromised.
- Detective controls with real-time alerting and an efficient incident response process are usually more effective for protecting internal systems than preventative technology controls, which more materially increase the overall business cost by interfering with business processes.
- Preventative controls built into the business process are more efficient than external technological preventative controls."
Friday, May 4, 2007
If information security is to ever have an ounce of credibility in the corporate world it has to stop disabling and start enabling. The days of hiding behind thick piles of self-scribed doctrine and exercising personal dogma laced with stupid egotistical power trips based on technology religion must end. If you talk to most (yes, most) folks outside of information security in an environment where this culture is allowed to exist they will usually raise an eyebrow, get their hackles up or even laugh in your face. The locker-room conversations discuss the "thought police" and ways to not tell or involve security about what's really happening: and quite frankly I don't blame them. Why?
Because sadly some so-called security folks are nothing short of dinosaurs and I suspect exhibit many of the traits above. This article in CSOOnline proves it.
Kill instant messaging. Stop it at the desktop via security and group policies. Stop it at the gateway. Stop it at the firewall. Death to IM. My opinion: This is the best way to go if you can get away with it. If you're running e-mail and a working phone system in a general office environment, IM is a geek-toy luxury. Simple as that.
Can you blame people? I often read things and laugh, sometimes I read them and get angry and occasionally I read things and don't know what to say apart from "what "wibbly wobbly" planet do you live on?"
Maybe you would like to kill all cell phones as well? Let's face it, they are really annoying. All those people talking and doing business while you try and read your newspaper with your drip coffee and Krispy Kreme.
Maybe that new-fangled Internet thing should be shut off, period? After all, what's wrong with paper and carrier pigeons?
I hope the author doesn't work for a publicly traded company. If he does I am calling Cramer for a sell recommendation and I am serious.
As Dilbert once said, "I am not anti-business, I am anti-idiot".
Yes, he is quite right about it! Another funny thing about blocking IM is that the request usually comes from managers who don't want their team spending time chatting. So they try to make Security block it, avoiding direct conflict with the team. When I say that I'll do it only if the reasons are clearly stated to the users, they usually give up.

Mark Curphey raises a very important issue in the post above. When you start to be a problem and overreact to some threats, people will start to avoid bringing Security into their projects, as they expect the same behavior (disabling). Try to show the company that your role is not disabling things. Even when writing reports or providing feedback, try to replace "can't be used" with "can be used with security improvements". I know that sometimes even that is impossible, but don't discard it until you really see that there is no other option.
Tuesday, April 3, 2007
White Paper

I would like to receive feedback from the security community. Please feel free to send me any comments.
Thursday, March 22, 2007
accomplished is setting the bar very low, and encouraging companies to look only at meeting that standard. I've had senior IT managers tell me "We are going to do the exact minimum, wherever possible."

In log analysis terms, that means that the logs go to a big bucket which is periodically dumped into the compost heap. Nobody'll look in the bucket until someone passes legislation requiring people to LOOK at it. And, of course, when that happens, they'll do the exact minimum, &c..."

Congrats Marcus, always sharp!
Saturday, March 3, 2007
"Using a known secure method called RSA" (are they really encrypting passwords with RSA???)
"I can't tell you, it's so secure it's secret" (man, it's so funny to hear that!)

Now, where are the security guys from these companies? Are they working only on their corporate policies? Even if some of these cases are just a salesman trying to lure you with a bad answer, some of them are really bad encryption implementations. Some software houses still don't have anybody responsible for including security in their products and development processes. This makes the work of the security departments of companies buying their software much harder, as sometimes they are struggling with business people to keep that crappy software from entering their business. And sometimes that crappy software is the best (or even the only) solution in terms of business functionality.

Another aspect really annoys me when I hear those answers: if those guys are saying those things to me without thinking twice, it's because someone else asked and BOUGHT that answer. How can a CSO or someone in a similar position be satisfied with an answer like that? Encryption tends to be seen as too technical a subject for CSOs to learn about. No, they (we) need to know at least the basics about it. It's not that hard to identify those five mistakes. If you believe that a vendor has already thrown something like those answers at you and you bought it, go look for a basic encryption introduction. Even by reading some pages from Wikipedia you'll be able to identify most of those cases.

The CISSP body of knowledge contains all the information a CSO needs to know the encryption basics. If you already obtained your certification or are planning to get it, take your books and read that part again with a different look. Now you know when you'll need that information.
Friday, March 2, 2007
- Creating your own encryption
- "Hard-coding" secrets
- Storing keys with the encrypted data
- Not handling data recovery (or "where are those f* keys????")

I think that every professional responsible for PCI compliance projects needs to read it. Encryption is not that silver bullet you're looking for (in fact, I hope you're not looking for one!)
Tuesday, February 6, 2007
- Bill Pugh, Professor at University of Maryland, static analysis for finding bugs
- Li Gong, GM at Microsoft, MSN in China
- Marcus Ranum, CSO of Tenable Network Security, security products trainer
- Avi Rubin, Professor at Johns Hopkins, electronic voting security
- Fred Schneider, Professor at Cornell, trustworthy computing
- Greg Morrisett, Professor at Harvard, dependent type theory
- Matt Bishop, Professor at UC Davis, computer security
- Dave Wagner, Professor at Berkeley, software security and electronic voting
Thursday, February 1, 2007
- More information about the site being visited presented by the browser

Hey, did anybody notice that there was no need to create (and make companies pay more for) a new kind of certificate to do that??? Why didn't the CAs just start following stricter verification processes for regular SSL certificates? I bet that if Microsoft started threatening those CAs with removing their certificates from the Trusted Root CAs in IE unless they improved their processes, it would have the same effect. That green bar and the extra identity information could be shown for any SSL certificate too.

But then the CAs wouldn't be earning a few hundred bucks from every company with an SSL website...
Friday, January 19, 2007
Maybe I'm just grumpy, but the anonymous CJ Kelly is annoying me. Yesterday it was her jumping on the printing security risk bandwagon and today it's making some silly statements about compliance. Let's get one thing straight. There is no compliance SOLUTION. It's not something you can buy, not for any price. You need a strong security program as the foundation, and a way to document what you do and why. That's Step 12 of the P-CSO process. She points to Ogren's post (which is right) about the fact that much of the regulation has had little impact on the base level of security of an organization. And it's because a lot of organizations feel no pain because enforcement is a joke. But to say that the issue with compliance is the vendors not bringing forward complete solutions makes my blood boil. Just another example of someone wanting to solve a problem by opening up the checkbook. Sorry CJ, it doesn't work like that.
http://www.computerworld.com/blogs/node/4392

One thing that's quite funny is to watch security box vendors saying that their product is 100% SOX Ready. WTF does that mean??? That or something like "with my product being SOX compliant is easy". Wow, I didn't know they were selling silver bullet boxes.

PCI is another standard suffering from the same evil. PCI has 12 requirements, from access control to data encryption. You can see companies offering vulnerability scanners as the final solution to PCI compliance. My biggest worry is that if they keep pushing these lies, someone is probably buying it. What kind of CSO do we have out there?