I am telling you, click fraud is worse than we know, because of the structural problems with checks and balances. Story here.

Jim.Reavis
This article about ICANN.com and IANA.com getting redirected was a favorite story of my friend Kurt Seifried, for the irony and the fact that “pwned” is becoming a legitimate verb.
Jim.Reavis
Fast-changing email addresses and questionable online payment/money laundering services characterize the well-organized black market for malware, or in this case, extortionware.
Jim.Reavis
I recorded this webcast, Securing your Network - the Constant Battle, to talk about current issues and emerging best practices.
Jim.Reavis
July 20, 2008

According to this article in the Times Online, an aide to UK Prime Minister Gordon Brown had his BlackBerry stolen in Shanghai. While partying at a disco in a trendy local hotel, the aide danced the night away with an attractive young lady who only had eyes for him, apparently. Come the next morning, the BlackBerry and the lady, in actuality a Chinese agent, were nowhere to be seen. Alas, it was the smartphone that was the object of her desire, not Mr Brown’s dancing assistant. No matter, one night of action might be more than many bureaucrats experience in quite a while. I suggest RIM somehow work this into a marketing campaign: the latest BlackBerry works better than expensive cologne on the ladies; they just need to make sure that encryption comes standard in models designed to be stolen.

By Jim.Reavis • Articles
July 17, 2008

Sponsored by Neupart, the ERP of Security Governance, Risk Management and Compliance (GRC) could arguably be nominated as the buzzphrase of the year. Analysts, vendors and the media are touting GRC as a key overarching strategy to transform the modern corporation. What is GRC, and is it useful to your business? As popular as GRC seems to be, it defies an easy and universal definition. The conventional wisdom is that the organizational overhead from onerous governance requirements and a checklist approach to compliance hurts the organization, making it less secure and less competitive. We recommend that you think of GRC as aligning and integrating each of the three components to improve the quality of results each component provides. OCEG, a non-profit association championing GRC, uses the term “Principled Performance” to describe this concept. PwC, who first coined the term, uses “Integrity-Driven Performance”. There clearly is some logic and common sense embedded in the definition. Take the example of a vulnerability assessment of IT assets that must be conducted for compliance purposes. A vulnerability assessment of a large enterprise will typically create a huge report of compliance tasks that will be difficult to accomplish. Using risk management can help cut the tasks down to those that really matter, streamlining compliance. (more…)

Bill Brenner posted an entry at CSOOnline, Black Hat and the Hype Machine. Bill is a good guy, and I think he generally came to the conclusion that the event is worth the hype. The devil’s advocates say that the event is overly hyped, and point to several front-page vulnerabilities that came out of the event but haven’t amounted to anything. I look at it from a different perspective: I have a hard time thinking of significant security breaches of a technical nature whose groundwork I didn’t first see at Black Hat.
It is not as simple as crystal-ball sessions called Attacks 2012, but if you connect the dots, the zero-day vulnerabilities, web hacking and virtually everything else have been pretty well laid out. There are several other good events, like CanSecWest, so I don’t want to single out BH for kudos, but a security event can’t control the type of hype created by the mainstream media, which is still very one-dimensional about information security. Although I do very much like Vegas and might not go if it were held in Outer Mongolia (are the Pussycat Dolls there?), I actually plan on attending sessions. How about you?

By Jim.Reavis • Articles
July 15, 2008

This is a fairly insane situation. According to the San Francisco Chronicle, a disgruntled city systems Insider threats have always been an issue. Generally insiders try to evade system controls, but given how reluctant corporations are to report and prosecute computer crime, what is to prevent more mafia-style shakedowns by narcissistic systems administrators and Dr Strangeloves of the IT department? Maybe we should think about renaming the “superuser” account so prevalent in many systems to the “systemwideaccessbutdontletitgotoyourhead” user.

By Jim.Reavis • Articles
July 14, 2008

Last week’s big news was the DNS vulnerability announcement by Dan Kaminsky. The sage of IOActive has been taken very seriously by the industry: several vendors have already released patches, and we can expect several more in the coming week. The robustness of the Internet’s DNS infrastructure merits serious analysis. Despite the fact that the Internet itself cannot work without DNS, over half of the DNS servers allow recursion for any client that asks, a weakness that can lead to cache poisoning, sending your traffic to a criminal’s website. Many other vulnerabilities exist, and some readers might be amazed at the poor shape of many cobbled-together DNS servers in production today. DNS vulnerabilities were cited as a key concern for 2008 at the eBay internal conference earlier this year; it looks like this prediction is coming true. Let’s hope Kaminsky’s DNS warning creates momentum to raise the bar for DNS security.
By Jim.Reavis • Articles
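The condition the post above flags is a resolver that recurses for anyone who asks, and the 16-bit transaction id in the DNS header is what a cache poisoner has to match to get a forged answer accepted. The Python below is an added example, not code from the original post or from any vendor: it builds an RD=1 query, fabricates sample replies (constructed here, not captured from any server) and classifies them by the RA flag, RCODE and transaction id; `probe_resolver` is the one helper that sends a real query, to a resolver address you supply.

```python
"""Added example, not code from the original post.

Builds a DNS query with RD (recursion desired) set and reads the reply header
to decide whether a resolver offers recursion to the client that asked. The
replies below are constructed for the example; probe_resolver is the only
function that talks to the network and is not exercised here.
"""
import random
import socket
import struct

RCODE_NOERROR, RCODE_NXDOMAIN, RCODE_REFUSED = 0, 3, 5


def encode_name(qname: str) -> bytes:
    """Encode a dotted name as DNS labels (RFC 1035 section 3.1)."""
    labels = [p for p in qname.rstrip(".").split(".") if p]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"


def build_query(qname: str, txid: int, qtype: int = 1) -> bytes:
    """Minimal A query (qtype 1) for qname with RD=1 and a caller-chosen transaction id."""
    flags = 0x0100  # QR=0, opcode QUERY, RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN


def build_response(query: bytes, ra: int, rcode: int, answer_ip: str = "") -> bytes:
    """Construct a reply to `query`; used here only to fabricate sample traffic."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | 0x0100 | (ra << 7) | rcode  # QR=1, RD copied, RA bit, RCODE
    ancount = 1 if answer_ip else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    body = query[12:]  # echo the question section
    if answer_ip:
        # name pointer to offset 12, type A, class IN, TTL 60, rdlength 4, address
        body += struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(answer_ip)
    return header + body


def parse_header(packet: bytes) -> dict:
    """Split the 12-byte DNS header into its fields."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid, "qr": (flags >> 15) & 1, "rd": (flags >> 8) & 1,
            "ra": (flags >> 7) & 1, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def classify_response(query: bytes, response: bytes) -> str:
    """Judge a reply to an RD=1 query for a name the server is not authoritative for.

    mismatched-id      reply does not carry our transaction id: ignore it (a
                       stray packet or a poisoning attempt looks exactly like this)
    recursion-refused  RA clear or REFUSED: the server will not recurse for us
    open-recursion     RA set and an answer came back: the server recursed for us
    no-answer          RA set but no data (NXDOMAIN, SERVFAIL, ...)
    """
    q, r = parse_header(query), parse_header(response)
    if r["id"] != q["id"] or r["qr"] != 1:
        return "mismatched-id"
    if r["ra"] == 0 or r["rcode"] == RCODE_REFUSED:
        return "recursion-refused"
    if r["rcode"] == RCODE_NOERROR and r["ancount"] > 0:
        return "open-recursion"
    return "no-answer"


def probe_resolver(server: str, qname: str = "example.com.", timeout: float = 2.0) -> str:
    """Send one RD=1 query over UDP to a resolver you administer and classify the reply."""
    txid = random.randrange(0, 0x10000)  # the random id is what a poisoner must guess
    query = build_query(qname, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no-response"
    return classify_response(query, reply)


# Constructed sample traffic (not captured from any real server).
SAMPLE_QUERY = build_query("example.com.", txid=0x1A2B)
SAMPLE_OPEN = build_response(SAMPLE_QUERY, ra=1, rcode=RCODE_NOERROR, answer_ip="192.0.2.10")
SAMPLE_CLOSED = build_response(SAMPLE_QUERY, ra=0, rcode=RCODE_REFUSED)
SAMPLE_SPOOFED = build_response(build_query("example.com.", txid=0x1A2C), ra=1,
                                rcode=RCODE_NOERROR, answer_ip="198.51.100.7")

if __name__ == "__main__":
    for label, pkt in (("open", SAMPLE_OPEN), ("closed", SAMPLE_CLOSED), ("spoofed", SAMPLE_SPOOFED)):
        print(label, classify_response(SAMPLE_QUERY, pkt))
```

The id check comes first on purpose: a reply that does not match the outstanding query is the signature of a poisoning attempt against a resolver, and a monitoring resolver that counts such replies per source gets an early warning that the post's "cache poisoning" concern is being tested against it.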
July 7, 2008

(Note: posting this item again as the ISSA elections previously had a problem and re-voting starts today.)

By Jim Reavis

It is my great pleasure and honor to provide my personal endorsement of Dave Cullinane for the position of It is my hope that the many discussions about the candidates that will occur at chapter meetings and online will be high-minded and will focus on the positive merits of each candidate. I also hope that each individual ISSA member will take the initiative to vote their own conscience, and that chapters that vote as a bloc will be a thing of the past. While I think we have three excellent candidates for President this year, my reason for making a public endorsement is that I feel that Dave Cullinane is the clear choice as the person to lead the ISSA for the next two years. Before I explain my opinion, I would like to briefly mention the other two presidential candidates:
This brings me back to Dave Cullinane. Dave is not only a professional with a wide range of experiences on his resume, but he has truly excelled in his various roles. Dave received SC Magazine’s Global Award as Chief Security Officer of the Year for 2005, and also received CSO Magazine’s 2006 Compass Award as a Visionary Leader of the Security Profession. Dave is the Chief Information Security Officer for eBay, which to me looks like the most challenging CISO job in the world. Not only must Dave keep up with the scaling issues of an Amazon or a Google, he must instill trust in the billions of peer-to-peer transactions in this enormous marketplace. Dave is excelling in this position in many ways, and to top it off was able to bring the infamous hacker Vladuz to justice with the help of Romanian authorities.
The ISSA has been around for 24 years, and in some respects is at risk of having the industry pass it by. It must grow more evenly on a global basis. It must attract younger security professionals. It must adapt to technological change and stay relevant within the industry convergence we are now seeing. I feel that Dave’s strategic vision combined with his ability to execute are vital assets to the ISSA for the tough decisions that are ahead. Again, this is my opinion alone, based on my honest assessment of the challenges ahead and on the insight gained as a past ISSA board member and former association executive director. Please make sure that you participate in the process and cast your ballot.

By Jim.Reavis • Articles
July 1, 2008

Google announced today that they are releasing their internal web assessment tool, ratproxy, as open source. It looks like an interesting tool: not the full developer’s approach of something like HP WebInspect, but it likely has some interesting analytics to complement commercial tools. It is a passive tool, which has the disadvantage of less thoroughness than a tool that actively tries to break web sites, but the advantage of not being disruptive to web sites, since it doesn’t really touch them; that was of course essential to Google, because they didn’t actually have permission to test those web sites. The big deal is that it is free, which may cause some chaos in a market that charges quite a bit for these tools. Google in and of itself is a sizeable security company; it has other proprietary internal security tools, and one wonders when and what else it could give away.

By Jim.Reavis • Articles
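To make the passive/active distinction in the ratproxy post concrete, here is an added example of the passive style of analysis. It is not ratproxy's code and not from the original post: the analyzer only reads request/response pairs that have already gone past (constructed samples here, with the hypothetical host `app.example`) and never sends a request of its own. The two checks are modelled on the kind of thing a passive observer can notice: a query parameter value echoed verbatim into an HTML body, and a body that looks like HTML but is not labelled as HTML.

```python
"""Added example, not ratproxy's code and not from the original post.

Passive web assessment: inspect observed request/response pairs and report
things worth a developer's attention, without generating any traffic.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit


@dataclass
class Exchange:
    """One observed HTTP request/response pair (headers are lower-cased keys)."""
    method: str
    url: str
    status: int
    headers: dict
    body: str


def reflected_params(ex: Exchange, min_len: int = 4) -> list:
    """Names of query parameters whose value reappears unchanged in the body.

    Short values are skipped because a bare "2" will match almost any page.
    """
    params = parse_qsl(urlsplit(ex.url).query, keep_blank_values=True)
    return [name for name, value in params if len(value) >= min_len and value in ex.body]


def content_type_mismatch(ex: Exchange) -> bool:
    """True when the body looks like HTML but the declared type says otherwise."""
    ctype = ex.headers.get("content-type", "").split(";")[0].strip().lower()
    looks_html = re.search(r"<(html|body|script)\b", ex.body, re.IGNORECASE) is not None
    return looks_html and ctype not in ("text/html", "application/xhtml+xml")


def analyze(exchanges: list) -> list:
    """Run every passive check over the captured exchanges; returns (url, finding) tuples."""
    findings = []
    for ex in exchanges:
        if not 200 <= ex.status < 300:
            continue
        for name in reflected_params(ex):
            findings.append((ex.url, f"parameter '{name}' reflected verbatim in response body"))
        if content_type_mismatch(ex):
            findings.append((ex.url, "HTML-looking body served with non-HTML content-type"))
    return findings


# Constructed sample traffic (not captured from any real site; app.example is hypothetical).
SAMPLE_EXCHANGES = [
    Exchange("GET", "http://app.example/search?q=blue+widgets&page=2", 200,
             {"content-type": "text/html; charset=utf-8"},
             "<html><body>Results for blue widgets (page 2)</body></html>"),
    Exchange("GET", "http://app.example/api/profile?name=alice", 200,
             {"content-type": "text/plain"},
             "<html><body>Hello alice</body></html>"),
    Exchange("GET", "http://app.example/static/logo.png", 200,
             {"content-type": "image/png"}, "\x89PNG..."),
]

if __name__ == "__main__":
    for url, finding in analyze(SAMPLE_EXCHANGES):
        print(url, "->", finding)
```

A reflected value is only a lead, not a confirmed issue: the passive trade-off the post describes is exactly that the tool sees what the site chose to send back and cannot ask a follow-up question, so findings like these go to a developer for review rather than straight into a report.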