Monday, December 17, 2007
I'm alive!
Thursday, December 13, 2007
Another bot prediction that comes true
Botnet-controlled Trojan robbing online bank customers
Well, take a look at my presentation in BH Europe this year (March). This was there, as well as the method being used by the malware from that article:"The Trojan has the ability to use a man-in-the-middle attack, a kind of shoulder-surfing when someone logs into a bank account. It can inject a request for a Social Security number or other information, and it's very dynamic. It’s targeted for each specific bank." (Don Jackson, SecureWorks)So, another prediction from that presentation has just been confirmed.Thursday, November 22, 2007
New trends, new threats
Wednesday, November 7, 2007
Honeytokens on databases
Thursday, November 1, 2007
Right on the bullseye about the insider threat
- "Once an external attacker penetrates perimeter security and/or compromises a trusted user account, they become the insider threat.
- Thus, from a security controls perspective it often makes little sense to distinguish between the insider threat and external attackers- there are those with access to your network, and those without. Some are authorized, some aren’t.
- The best defenses against malicious employees are often business process controls, not security technologies.
- The technology cost to reduce the risks of the insider threat to levels comparable to the external threat are materially greater without business process controls.
- The number of potential external attackers is the population of the Earth with access to a computer. The number of potential malicious employees is no greater than the total number of employees.
- If you allow contractors and partners the same access to your network and resources as your employees, but fail to apply security controls to their systems, you must assume they are compromised.
- Detective controls with real-time alerting and an efficient incident response process are usually more effective for protecting internal systems than preventative technology controls, which more materially increase the overall business cost by interfering with business processes.
- Preventative controls built into the business process are more efficient than external technological preventative controls."
Pete Lindstrom and Linda Stutsman about "best practices"
Tuesday, October 30, 2007
Finally something good about NAC
Wednesday, October 17, 2007
Spafford and magical solutions
Tuesday, October 16, 2007
Another post on the wall
Application Security and MS
Thursday, October 11, 2007
Log mining
Wednesday, October 10, 2007
Good analogy
Friday, October 5, 2007
Gunnar Peterson and security budget
Thursday, October 4, 2007
Killer encryption application
Wednesday, September 26, 2007
Brazilian Bank Trojans
Monday, September 24, 2007
About SIEMs and insider threats
Monday, August 27, 2007
DLP and honeytokens
Monday, August 20, 2007
Security Bingo
Friday, August 3, 2007
PSI, from Secunia

Monday, June 25, 2007
How to kick ass
Wednesday, June 13, 2007
XML being used by malware - We said it!!!
Monday, June 4, 2007
Grossman on Web App Vuln Scanners
Tuesday, May 29, 2007
Bejtlich - versions
Phrack
Friday, May 25, 2007
Stration worm
CC numbers are everywhere
Thursday, May 24, 2007
Risk Management - measuring all components of the equation
Wednesday, May 16, 2007
HotBot papers
Thursday, May 10, 2007
Power
Wednesday, May 9, 2007
Security Architecture Blueprint
SSL FTP on Longhorn
Friday, May 4, 2007
Enabling business
Stop Disabling and Start Enabling
If information security is to ever have an ounce of credibility in a corporate world it has to stop disabling and start enabling. The days of hiding behind thick piles of self-scribed doctrine and exercising personal dogma laced with stupid egotistical power trips based on technology religion must end. If you talk to most (yes most) folks outside of information security in an environment where this culture is allowed to exist they will usually raise an eyebrow, get their heckles up or even laugh in your face. The locker-room conversation discuss the “thought police†and ways to not tell or involve security about what’s really happening: and quite frankly I don’t blame them. Why?
Because sadly some so called security folks are nothing short of dinosaurs and I suspect exhibit many of the traits above. This article in CSOOnline prove it.
Can you blame people? I often read things and laugh, sometimes I read them and get angry and occasionally I read things and don’t know what to say apart from “what “wibbly wobbly†planet do you live on?â€
Maybe you would like to kill all cell phones as well? Lets face it they are really annoying. All those people talking and doing business while you try and read your newspaper with your drip coffee and Krispy Kreme.
Maybe that new fangled Internet thing should be shut off period? After all what’s wrong with paper and carrier pigeons?
I hope the author doesn’t work for a publicly traded company. If he does I am calling Kramer for a sell recommendation and I am serious.
As Dilbert once said †I am not anti-business, I am anti-idiotâ€.
Yes, he is quite right about it! Another funny thing about blocking IM is that the request usually comes from managers that don't want their team spending time chatting. So they try to make Security block it, avoiding the direct conflict with the team. When I say that I'll do it only if the reasons are clearly stated to the users, they usually give up.
Mark Curphey raises a very important issue on the post above. When you start to be a problem and overreact on some threats people will start to avoid putting Security together in their projects, as they expect the same behavior (disabling). Try to show to the company that your role is not disabling things. Even when writing reports or providing feedback, try to replace the "can't be used" with a "can be used with security improvements". I know that sometimes even that is impossible, but don't discard it until you really sees that there is no other option.Wednesday, May 2, 2007
Joanna and Mr. Chuvakin
Monday, April 9, 2007
Two-factor authentication and Banks
Thursday, April 5, 2007
WEP? No chance
Tuesday, April 3, 2007
Botnets trends
White PaperI would like to receive feedback from the security community. Please feel free to send me any comments.
Tuesday, March 27, 2007
PCI problems
Is the personal firewall necessary?
Path of least resistance
Thursday, March 22, 2007
The Kid is growing!
Posts you hang on the wall
accomplished is setting the bar very low, and encouraging
companies to look only at meeting that standard. I've had
senior IT managers tell me "We are going to do the exact
minimum, wherever possible."In log analysis terms, that means that the logs to to a big
bucket which is periodically dumped into the compost
heap. Nobody'll look in the bucket until someone passes
legislation requiring people to LOOK at it. And, of course,
when that happens, they'll do the exact minimum, &c..."Congrats Marcus, always sharp!
Tuesday, March 20, 2007
Virtualization and Security
Saturday, March 17, 2007
Cobit 4.0 and other standards
Audit Quality and Freakonomics
Saturday, March 3, 2007
Those five mistakes over encryption
"Using a known secure method called RSA" (are they really encrypting passwords with RSA???)
"I can't tell you, it's so secure it's secret" (men, it's so funny to hear that!)Now, where are the security guys from these companies? Are they working only on their corporate policies? Even if some of these cases are just a salesman trying to lure you with a bad answer, there are some of those that are really bad encryption implementations. Some software houses still don't have nobody responsible for including security in their products and development processes. This makes the work of the security departments of companies that are buying their software much more harder, as sometimes they are struggling with business people to avoid that crappy software from entering into their business. And sometimes that crappy software is the best (or even the only) solution in terms of business functionality.Another aspect that really annoys me when I hear those answers. If those guys are saying those things to me without thinking twice, it's because someone else asked that and BOUGHT that answer. How can a CSO or something similar be satisfied with an answer like that? Encryption tends to be seen as a too technical subject for CSOs to learn about. No, they (we) need to know at least the basics about it. It's not that hard to identify those five mistakes. If you believe that a vendor already throwed something like those answers into you and you bought it, go look for a basic encryption introduction. Even by reading some pages from wikipedia you'll be able to identify most of those cases.The CISSP body of knowledge contains all the information needed by a CSO to know the encryption basics. If you already obtained your certification or are planning to get it, take your books and read that part again with a different look. Now you know when you'll need that information.
Friday, March 2, 2007
Encryption Mistakes, masterpiece by Chuvakin
- Creating your own encryption
- "Hard-coding" secrets
- Storing keys with the encrypted data
- not handling data recovery (or "where are those f* keys????")I think that every professional responsible for PCI compliance projects needs to read it. Encryption is not that silver bullet you're looking for (in fact, I hope you're not looking for one!)
Thursday, March 1, 2007
Storm Worm and some old predictions
Wednesday, February 28, 2007
I wanna be a Security Evangelist
Monday, February 26, 2007
Features and the security point of view
Thoughts on MS Security Intelligence Report
Log Injection
Fix Users
Friday, February 23, 2007
Black Hat Europe - Here we go!
Monday, February 12, 2007
Modern malware
Tuesday, February 6, 2007
Other view about anomaly-based detection
ROI
Security monitoring - NSM and Logs
Silver Bullet Podcast
- Bill Pugh, Professor at University of Maryland, static analysis for finding bugs
- Li Gong, GM at Microsoft, MSN in China
- Marcus Ranum, CSO of Tenable Network Security, security products trainer
- Avi Rubin, Professor at Johns Hopkins, electronic voting security
- Fred Schneider, Professor at Cornell, trustworthy computing
- Greg Morrisett, Professor at Harvard, dependant type theory
- Matt Bishop, Professor at UC Davis, computer security
- Dave Wagner, Professor at Berkeley, software security and electronic voting
Thursday, February 1, 2007
EV SSL - Was it really necessary?
- More information about the site being visited presented by the browserHey, did somebody noticed that there wasn't a need to create (and to make companies pay more) a new kind of certificate to do that??? Why didn't the CAs just start following more strict verification processes for the regular SSL certificates? I bet that if Microsoft start threatening those CAs to remove their certificates from the Trusted Root CAs from IE if they don't improve their processes it would have the same effect. That green bar and more identity information presented could be done for any SSL certificate too.But the CAs wouldn't be earning a few hundred bucks from every company with a SSL website with this approach...
Friday, January 26, 2007
PCI, PCI, PCI! OK, but are they focusing at the right things?
Tuesday, January 23, 2007
Best Practices?
Symantec and SONAR
They are watching us!
Sunday, January 21, 2007
New MS VPN Protocol - or new backdoor covert channel?
Friday, January 19, 2007
Compliance solution in-a-box
Maybe I'm just grumpy, but the anonymous CJ Kelly is annoying me. Yesterday it was her jumping on the printing security risk bandwagon and today it's making some silly statements about compliance. Let's get one thing straight. There is no compliance SOLUTION. It's not something you can buy, not for any price. You need a strong security program as the foundation, and a way to document what you do and why. That's Step 12 of the P-CSO process. She points to Ogren's post (which is right) about the fact that much of the regulation has had little impact on the base level of security of an organization. And it's because a lot of organizations feel no pain because enforcement is a joke. But to say that the issue with compliance is the vendors not bringing forward complete solutions makes my blood boil. Just another example of someone wanting to solve a problem by open up the checkbook. Sorry CJ, it doesn't work like that.
http://www.computerworld.com/blogs/node/4392"One thing that's quite funny is to watch security boxes vendors saying that their product is 100% SOX Ready. WTF does that mean??? That or something like "with my product being SOX compliance is easy". Whow, I didn't knoew they are selling silver bullet boxes.PCI is another standard that is suffering from the same evil. PCI has 12 requirements, from access control to data encryption. You can see companies offering vulnerability scanners as the final solution to PCI compliance. My biggest worry is that if they keep pushing these lies is that probably someone is buying it. What kind of CSO do we have out there?