Wednesday, December 31, 2008
Some good predictions for 2009
Tuesday, December 30, 2008
Friday, December 19, 2008
War and Information Security
Phishing now installing malware...NEW?
Why people stick to IE...or why should they change?
Tuesday, December 16, 2008
2009 predictions
- Apple threats: the number of people using Macs is growing very fast. It is starting to become attractive for botnet herders, especially because almost all Mac users don't have anti-malware software installed nor have the habit of worrying about it, so it's easy to keep the bots installed. If this were the past I would expect a big worm coming, but cybercrime is a reality now and those guys know when an opportunity like this arises.
- Blended/Hybrid Threats: We are seeing this already, like the malware that exploits SQL Injection and an IE vulnerability. I believe we will see a lot of threats using multiple attack vectors, maybe even from different platforms and technologies. Vulnerabilities that can be used to redirect traffic from multiple users (like Dan Kaminsky's DNS bug) will be used to force people to access infected content, which will trigger other infection mechanisms. Worms will be able to spread to a higher number of hosts without generating suspicious spikes on charts, as the malware code will randomly choose between several infection methods to spread itself. Expect some huge botnets to be found as a result.
- At least one "cloud computing" security incident: Ok, not that hard to say that, but I'll try to be a little more specific in the details :-), there will be a discussion about what was compromised (infrastructure? application? vendor? client?) and people will start discussing how to conduct forensics on those new conditions.
- Virtualization nightmare: A vulnerability will be found in a virtualization platform or in a virtualization-aware product, enabling attacks from one guest OS to another (or even reaching a Guest OS and triggering the exploit on another). It would be extremely fun to watch those "the cat is on the roof" discussions. A new wave of miraculous products will be released to solve the issue from that specific kind of attack. Your VM infrastructure will look like a Christmas Tree and the operation cost of a virtualized environment will not be what was expected anymore.
Thursday, December 11, 2008
Keep alive
Tuesday, December 2, 2008
Can good programmers be part of a SDLC?
AV on Mac
Monday, December 1, 2008
VP has taken the red pill
Wednesday, November 26, 2008
Windows pen testing - access tokens
Tuesday, November 25, 2008
Simple but dreadful, part 3 - Workstation local administrator
- Logon scripts with clear text passwords (noooo!!!!!!!!!!)
- Scripts from SMS or other central management tools with clear text passwords (believe me, the users will find them!)
- That-same-very-secret-password-that-only-those-ten-guys-know-about-for-all-boxes mistake (yes, I mentioned that before. Just in case)
- Different passwords generated by a "security by obscurity" algorithm that uses the name of the workstation as input. Hey, if it's a bad idea in encryption, why would it be a good idea for passwords?
Friday, November 21, 2008
After all, how is infosec related to SOX?
Friday, November 14, 2008
I've never seen my previous CSO role so well explained
Mogull on adaptive Auth and AuthZ
- "User: This is an area I intend to talk about in much greater depth later on. Basically, right now we rely on static authentication (a single set of credentials to provide access) and I think we need to move more towards adaptive authentication (where we provide an authentication rating based on how strongly we trust that user at that time in that situation, and can thus then adjust the kinds of allowed transactions). This actually exists today- for example, my bank uses a username/password to let me in, but then requires an additional credential for transactions vs. basic access.
- Transaction: As with user, this is an area we’ve underexplored in traditional applications, but I think will be incredibly valuable in cloud services. We build something called adaptive authorization into our applications and enforce more controls around approving transactions. For example, if a user with a low authentication rating tries to transfer a large sum out of their bank account, a text message with a code will be sent to their cell phone. If they have a higher authentication rating, the value amount before that back channel is required goes up. We build policies on a transaction basis, linking in environmental, user, and situational measurements to approve or deny transactions. This is program logic, not something you can add on."
TCG IF-MAP
Friday, November 7, 2008
Sarbanes Oxley, good to hear people questioning
John Pescatore is right when he says that talking about less regulation at this time seems not to be aligned with the current crisis, but the article he is pointing to is very precise in saying that the costs of SOX are pretty high and, as we could see, it wasn't able to prevent cases like Bear Stearns, Lehman Bros., AIG and Merrill Lynch. Accountants are as creative as lawyers; they will always look for breaches in the controls (laws) to do their magic.
SOX brought a lot of money to Information Security, but it also brought some directed focus on some controls that are not always the most required for all organizations. It would be nice to see a review of the law, verifying its results and actual costs.
The WPA sky is not falling
A lot of noise was made this week about new research that "cracked" WPA. Well, there are more details about it today, and they clearly show that the WPA sky is not falling.
There is a very good summary of what is happening in the article linked above:
"To describe the attack succinctly, it's a method of decrypting and arbitrarily and successfully re-encrypting and re-injecting short packets on networks that have devices using TKIP. That's a very critical distinction; this is a serious attack, and the first real flaw in TKIP that's been found and exploited. But it's still a subset of a true key crack."
So, it's not the final attack against WPA-protected networks, but it is a very important building block for more elaborate attacks. I can see that in the near future we will see more serious things being done using this as a starting point. Keep your ears open.
Friday, October 31, 2008
Virtualization? Give me a better OS instead!
Tuesday, October 28, 2008
I let this one pass
Financial malware gets smarter? But we've said that many times!
Thursday, October 23, 2008
Microsoft MS08-067
Saturday, October 18, 2008
Victor is back
Wednesday, September 24, 2008
Which compliance pill to take?
- Mandate the tools (e.g. "must use a firewall") - and risk "checklist mentality", resulting in BOTH insecurity and "false sense" of security.
- Mandate the results (e.g. "must be secure") - and risk people saying "eh, but I dunno how" - and then not acting at all, again leading to insecurity.
solution to this? I personally would take the pill #1 over pill #2 (and that is why I like PCI that much), but with some pause to think, for sure."

Actually, I believe it may be possible to reach an intermediate alternative. By defining the rules and standards for risk assessment and management we could set standards for defining acceptable risk levels instead of saying "must be secure", and without the need to go as deep as "must use a firewall". Of course, this approach would raise several questions about how to achieve compliance, but it would give organizations more freedom in how to approach their risks and avoid "checklist mentality". The problem with risk-management-based compliance is that the organization can manipulate its risk assessments and downplay things that should be identified as "high risks". If the risk equation and the impact and probability levels were standardized, however, it would be easy to compare apples to apples and say things like "risks above level X must be mitigated down to level Y".

Even by taking that approach we would still have to deal with the control efficiency problem. Like the firewall that Anton mentioned, there are several controls (probably most of them) where the way they are implemented and managed matters even more than the control itself. Maybe the best way to solve that is defining appropriate ways to deploy and maintain each proposed control. Ok, we could go into a very deep (and inefficient) level of detail by doing that. Seems to be a catch-22 situation. Personally, I don't know who is worse at deciding where the bar should be placed: auditors or standard writers. I don't trust either :-)
Thursday, September 18, 2008
It is so obvious that it hurts
Tuesday, September 16, 2008
Wordpress security
Monday, September 15, 2008
Good tip to fight laptop theft
Friday, September 12, 2008
And now, ScribeFire!

Zoundry Raven test
I'm testing Zoundry Raven calling the XML-RPC interface of Wordpress on an SSL URL. It may be an alternative for secure posting, as I can use the "shared certificate" URL for this, which can't be done with the regular wp-admin Wordpress interface. I just need to check that this thing doesn't "escape" from the specified URL to do other stuff.
Thursday, September 11, 2008
Security by economic obfuscation
Simple but dreadful, part 2 - Network shares
Wednesday, September 10, 2008
NAC and DLP
Wednesday, September 3, 2008
Best Practices - Even Dilbert knows what they mean
Friday, August 29, 2008
(ISC)2 Board candidate
Tuesday, August 19, 2008
Simple but dreadful, part 1 - Logon Scripts
Friday, August 8, 2008
Portknocking, SPA and SOA
Thursday, August 7, 2008
The future of mass card theft (and PCI)
Thursday, July 31, 2008
PCI QSA
Tuesday, July 29, 2008
Black Hat, Defcon, the basics
- Can you promptly identify someone guessing passwords for administrative accounts on all your servers?
- Can you say for sure that there are no weak passwords for all administrative accounts on all your servers?
- Can you say for sure that you don't have a user/password on a test box that also exists on a production server?
- Can you say for sure that there are no shared folders on your servers with sensitive information and weak permissions settings?
- Do you know who knows the password for (and uses) the root or Administrator account?
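For the first question in the list above, here is an added example (not from the original post) of the kind of detection that answers it: a sliding-window rule over failed-logon records that fires when a privileged account sees repeated failures from one source on one host. The log format, the set of privileged accounts, the threshold and the window are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: names of the privileged accounts you care about (lower-case).
ADMIN_ACCOUNTS = {"administrator", "root"}
THRESHOLD = 5                  # failures from one source against one account
WINDOW = timedelta(minutes=2)  # ... within this time span

# Constructed sample: one burst against Administrator on srv01 (should alert),
# one non-admin failure (ignored), and slow failures against root (no alert).
SAMPLE_LOG = """\
2008-07-29 10:00:01 host=srv01 result=FAIL user=Administrator src=10.0.0.5
2008-07-29 10:00:02 host=srv01 result=FAIL user=bob src=10.0.0.9
2008-07-29 10:00:20 host=srv01 result=FAIL user=Administrator src=10.0.0.5
2008-07-29 10:00:45 host=srv01 result=FAIL user=Administrator src=10.0.0.5
2008-07-29 10:01:10 host=srv01 result=FAIL user=Administrator src=10.0.0.5
2008-07-29 10:01:30 host=srv01 result=FAIL user=Administrator src=10.0.0.5
2008-07-29 10:01:40 host=srv01 result=OK user=Administrator src=10.0.0.5
2008-07-29 10:05:00 host=srv02 result=FAIL user=root src=10.0.0.7
2008-07-29 10:09:00 host=srv02 result=FAIL user=root src=10.0.0.7
2008-07-29 10:13:00 host=srv02 result=FAIL user=root src=10.0.0.7
"""

def parse(line: str):
    """Split '<timestamp> key=value ...' into (datetime, dict of fields)."""
    ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    fields = dict(kv.split("=", 1) for kv in line[20:].split())
    return ts, fields

def detect_admin_guessing(lines, threshold=THRESHOLD, window=WINDOW):
    """Return (host, user, src, time) for each burst of failed admin logons."""
    recent = defaultdict(deque)   # (host, user, src) -> timestamps in window
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, f = parse(line)
        if f["result"] != "FAIL" or f["user"].lower() not in ADMIN_ACCOUNTS:
            continue
        key = (f["host"], f["user"].lower(), f["src"])
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:           # alert, then restart the count
            alerts.append((f["host"], f["user"], f["src"], ts))
            q.clear()
    return alerts

if __name__ == "__main__":
    for alert in detect_admin_guessing(SAMPLE_LOG.splitlines()):
        print("password guessing suspected:", alert)
```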
Friday, July 18, 2008
PVLANs and DMZs
"Hanging on the wall" posting of the week
Thursday, July 17, 2008
CISSP value
Thursday, July 10, 2008
VMWare vulnerability
Wednesday, July 9, 2008
Master dissertation test
Kaminsky and the new vulnerability patching world
Thursday, July 3, 2008
Virtualization security, some thoughts about it
Monday, June 30, 2008
Unauthorized reading confirmation on Outlook
Wednesday, June 25, 2008
SIEM dead, time for search?
- False positives in correlation rules
- Burden on the IS organization by requiring full-time monitoring
- A taxing incident-response process
- An inability to monitor events at rates greater than 10,000 events per second
- High cost of maintaining and building new adapters
- Complexity of modeling environment
Wednesday, June 18, 2008
Open Group Risk Management "taxonomy"
"With a goal of getting IT professionals to use standard terminology and eliminate ambiguity in expressing important risk-management concepts, the Open Group is finalizing a 50-page compendium of "risk-management and analysis taxonomy."
The Open Group Security Forum's risk taxonomy of about 100 expressions will not only address seemingly simple words such as threat, vulnerability and risk, but less common terms such as control strength."

I was thinking: why are these guys doing this when there are things like ISO Guide 73, ISO27005 and ISO27000 already published or on their way to being published?
This is why we asked so much for Server Core
Friday, June 13, 2008
I'm back
Thursday, June 5, 2008
I didn't quit the blogging stuff
Friday, May 16, 2008
The discussion about GRC
Debian
Thursday, May 15, 2008
Vulnerability Numbers, Q1 2008
Saturday, May 10, 2008
(ISC)2 exams
Wednesday, April 30, 2008
Virtualization - there is also a good security aspect
Thursday, April 24, 2008
Finally someone said it!
Wednesday, April 23, 2008
The new security guy
Friday, April 18, 2008
Isn't it an interesting case for business continuity studies?
Thursday, April 17, 2008
Windows Server 2008 - Server Core
Have you tried Secunia PSI?
Adobe is the next target - does anyone still doubt?
Polaris - A very interesting research piece from HP
CyberStorm II and languages
Some good quotes from RSA
Tuesday, April 15, 2008
How many companies are looking into Security as a Marketing feature?
From a RSA vendor leaflet
RSA, final post
Writing this while waiting to board my return flight to Sao Paulo. It’s good to write after a few hours far from the conference, as it gives me a better view of what really impressed me most. I agree with other bloggers that mentioned the lack of innovation this year. However, it was expected.
I think I can mention some highlights. Black Ops, Sins of Our Fathers, Avoiding the "Security Groundhog Day", the DLP Panel and Ajax Security were very good in terms of presentation and discussion, but honestly, nothing new from them.
The best sessions for me were Bruce Schneier's and Malcolm Gladwell's. Both talked about human perception and the way that we think. Schneier has already published some things about it, especially about the way that we perceive risk. Gladwell's presentation was very interesting even if it wasn't related to security at all. He talked about decision making, but not common decisions: those made unconsciously. I think there are lots of situations in security that can benefit from his theories. The way that we assemble and run security monitoring centers, for instance, can be radically changed. By reading his book ("Blink: The Power of Thinking Without Thinking

The exposition was kind of sad. Tons of "appliances" providing solutions to problems defined by the vendors themselves. Lots of vendors talking about how their products provide very nice reports, but what about detection and prevention? Can all the problems in security be solved by a nice report with some pie charts?
The networking aspect, on the other hand, was terrific. I met lots of people who write very good blogs, and people that I found out are reading mine. I hope to be able to attend the conference in the coming years to maintain all those contacts. Thumbs up for Martin McKeay, Jennifer Leggio and Alan Shimel for organizing the bloggers meetup. It was very good and an extraordinary opportunity to chat with people that I respect a lot. Thanks!