Wednesday, January 31, 2007

Marcus J Ranum (MJR) and Bruce Schneier on Full Disclosure

Marcus J Ranum (MJR) says:
- “After 10 years of full disclosure, security has not gotten any better”.
Bruce says:
- “Bugs exist whether or not they are disclosed in a public forum. Vendors are more responsive when it could cause bad PR. Public disclosure forces vendors to more quickly fix flaws which makes systems more secure”.
Haha... See the full battle on the SecuriTeam blog.


Thursday, January 25, 2007

The best practices for network security in 2007

Here's my best practice list, in order of importance:
1. Roll out corporate security policies
2. Deliver corporate security awareness and training
3. Run frequent information security self-assessments
4. Perform regulatory compliance self-assessments
5. Deploy corporate-wide encryption
6. Value, protect, track and manage all corporate assets
7. Test business continuity and disaster recovery planning
Read the article (by Gary S. Miliefsky)

Wednesday, January 24, 2007

INTERNET RESOURCES FOR COMPUTER FORENSICS

It is Great!

Sunday, January 21, 2007

Chinese Prof Cracks SHA-1 Data Encryption Scheme (OR) SHA-1 added to list of "accomplishments"

The reason for this change is that 41-year-old associate professor Wang Xiaoyun of Beijing's Tsinghua University and Shandong University of Technology has already cracked SHA-1... Professor Wang Xiaoyun, a graduate of Shandong University of Technology's mathematics department, and her research team obtained results by using ordinary personal computers... Wang's method of cracking the encryptions differs from all others. Although encryption analysis usually cannot be done without the use of computers, according to Wang, the computer only assisted in cracking the algorithm. Most of the time, she calculated manually, and manually designed the methods.
Read the article and the Slashdot discussion.

Saturday, January 13, 2007

Open-Source Spying

Top-secret information is becoming less useful than it used to be. “The intelligence business was initially, if not inherently, about secrets — running risks and expending a lot of money to acquire secrets,” he said, with the idea that “if you limit how many people see it, it will be more secure, and you will be able to get more of it. But that’s now appropriate for a small and shrinking percentage of information.” The time is past for analysts to act like “monastic scholars in a cave someplace,” he added, laboring for weeks or months in isolation to produce a report...
Read the article in nytimes.

Wednesday, January 10, 2007

"Teaching an Old Dog New Tricks" or "The Problem is Complexity"

First off, it gave me a much-needed booster-shot of humility about my code. Having a piece of software instantly point out a dozen glaring holes in your code is never fun - but it's an important sensation to savour... More importantly, it showed me that tools like Fortify really do work, and that they find vulnerabilities faster and better than a human... The "many eyes" theory of software quality doesn't appear to hold true, either. FWTK was widely used for almost ten years, and only one of the problems I found with Fortify was a problem I already knew about.
Read Marcus J. Ranum's article here. (He is Chief Of Security for Tenable Security.)

Saturday, January 06, 2007

Internet Explorer Unsafe for 284 Days in 2006

In contrast, Internet Explorer's closest competitor in terms of market share -- Mozilla's Firefox browser -- experienced a single period lasting just nine days last year in which exploit code for a serious security hole was posted online before Mozilla shipped a patch to remedy the problem.
Read this article (by Brian Krebs). It is also discussed on Slashdot.

Thursday, January 04, 2007

Five Hackers Who Left a Mark on 2006

H.D. Moore has always been a household name—and a bit of a rock star—in hacker circles. As a vulnerability researcher and exploit writer, he built the Metasploit Framework into a must-use penetration testing tool...
Read about them!
+ Related discussion on Slashdot.

Wednesday, January 03, 2007

Michal Zalewski on the Wire

I show that security problems are inherent to the way we design systems, bound to just about any aspect of modern computing; and that only by understanding it can you follow and mitigate threats efficiently... When users have access to more and more bandwidth and computing power, they can more easily carry out brute-force attacks against protocols and algorithms...
Read Federico Biancuzzi's interview with Michal Zalewski about his book. (August 2006)

Tuesday, January 02, 2007

Top 10 Web Hacks of 2006

Attacks always get better, never worse. That's probably what I'll remember most about 2006. What a year it's been in web hacking! There's never been such a big leap forward in the industry and frankly it's really hard to keep up... To look back on what's been discovered, RSnake, Robert Auger, and myself collected as many of the new 2006 web hacks as we could find. We're using the term "hacks" loosely to describe some of the more creative, useful, and interesting techniques/discoveries/compromises. There were about 60 to choose from, making the selection process REALLY difficult. After much email deliberation we believe we created a solid Top 10. Below you'll find the entire list in no particular order. Enjoy!
Read this Top10 in Jeremiah Grossman's blog.

Monday, January 01, 2007

Cookie Stealing Upgrade: Ajax Style

For those of you that have been living under a good and solid rock lately, AJAX is revolutionizing the way the web works in the fact that it brings desktop-like functionality straight to the web in the form of Javascript and XML (For this tutorial, a working knowledge of XML is not needed.) In other words, AJAX (Asynchronous Javascript and XML) gets rid of pesky page refreshes and coupled with DHTML effects, can lead to quite interesting desktop-like web apps... The property that is much sought after with AJAX is its ability to send arbitrary requests to a server in the form of an XMLHttpRequest...
Read this article in milw0rm.com.