  • Information Security Short Takes: Fairwell to Ray Bradbury
    Fairwell to Ray Bradbury. For the man who illustrated our imagination and made me personally read more: rest in peace, Ray. Ray Bradbury, 1938-2012. 9:09 AM, 22 comments.
    Aparat aer conditionat said: I will definitely read too. (August 23, 2012, 8:22 AM)
    Supraveghere video said: Thanks for the recommendation. (August 27, 2012, 9:14 PM)
    Vanzari case said: I need to read this. (August 29, 2012, 1:59 PM)
    Cazare pensiune said: Good to know, I will have to give it a shot. (September 3, 2012, 12:13 PM)
    Centrale termice pe lemne said: Thanks for sharing it. (September 4, 2012, 3:31 PM)
    Invitatie nunta said: Interesting, I will read this book. (September 5, 2012, 8:05 AM)
    Cauciucuri said: I like the imagination and I will read the book when I have time. (September 5, 2012, 10:27 AM)
    Masaj anticelulitic said: It's a nice book. September

    Original URL path: http://www.shortinfosec.net/2012/06/fairwell-to-ray-bradbury.html (2016-04-27)

  • Information Security Short Takes: Observations of lack of research in social engineering
    social networks. The attack was three-stage:
    1. Collect information about the order delivery process (delays, timing, etc.).
    2. Collect information about a current order in the pipeline (an order prepared but not yet delivered to the customer).
    3. Divert the order to a different address.
    The attack was performed by multiple phone calls, which created contact with multiple targets. Each call was a probing attempt to collect as much information as possible. The first and second stages of the attack were aimed at the same targets, but with several days' delay between stages. Two persons performed all attacks.
    In the first stage of the attack the attackers simulated a disgruntled customer who insisted on getting details on the process, as his delivery was not proper. Approximately half of the targets responded: they either complied and explained the process, or were unable to reach the account manager and proceeded to divulge information to the attackers.
    In the second stage of the attack the attackers approached the targets that were deemed soft, i.e. those that were most compliant and divulged the most information. They misrepresented themselves as persons from multiple client companies until they received information about a current order in the pipeline. Only a minor number of targets responded with the required details, simply because most targets did not have access to order information.
    In the third stage of the attack the attackers again approached the soft targets, attempting to divert the order from the pipeline to a different delivery address. Most targets did not have the authority to change the delivery address. The attackers reached a target with the appropriate authority, but that target contacted the real client while on the phone to verify. The client denied any change, which caused all kinds of alarms to go off. In the end the police were notified immediately and the pen testers nearly ended up in custody.
    The review. When investigating the approach used by the social engineering attack, we found missteps in the following areas:
    The process research: the failure of the attack had one primary reason. The requested redirection address was outside of the free delivery area, and the targeted person actually sent out an electronic invoice to the real client for the redirection. This invoice was rushed by the client's accounting department, since it was for an outstanding order, and was immediately disputed by the client, thus exposing the attack. This shows insufficient research of the process.
    The selection of targets: the targets of the attack were selected purely by one criterion: anyone who has public information regarding their employment at the pen test client on social sites. This approach is easy, but there were very few criteria for how useful these targets would be in the further stages of the attack and how they tend to react. This caused multiple calls with relatively low-quality information or response in the first and second stages, thus spreading the attacker resources thin.
    The selection of the faked client: the faked client was not researched and was selected at random from the information received in the second stage of the attack. The client should

    Original URL path: http://www.shortinfosec.net/2012/03/phone-call-social-engineering-is.html (2016-04-27)

  • Information Security Short Takes: 7 Problems with Cell Phone Forensics
    up to date on new cell phones is challenging but not impossible. As fast as they are created, criminals come up with ways to abuse them. Strangely enough, this can be beneficial for forensic scientists: using online tips can allow scientists to simply access information that would otherwise remain unreachable.
    Charge: Unlike computers, much of what is stored in a phone's memory is reliant upon the battery. When the electricity goes, so does the information. Depending on what information you are looking for and how it is stored, battery or charger power is an essential thing to think about.
    SIM cards and removable media: SIM cards are the soul of a cell phone; they carry vital user information. Likewise, removable media such as SD cards can have lots of stored data on them. It is important that forensic scientists have the appropriate equipment to read and evaluate the data.
    Passwords: Password protection on cell phones is challenging to overcome, though not impossible. Depending on the model, passwords can be circumvented in several ways.
    Internet connection: The smarter cell phones become, the harder they are to examine. Using an internet connection instead of SMS or voice makes a forensic scientist's job much more difficult.
    Quarantine: One thing that is often disregarded is the need to sequester the cell phone before analyzing it. New text messages can overwrite old material, and connections to the internet can invalidate old data. It is imperative to make sure the phone is isolated.
    Security augmentations: Forensic scientists must be especially alert when dealing with cell phones that have been improved in some way. Some users have the capability of putting in dead man's switches, effectively wiping the contents after an action or a period of time. Malware can also be downloaded onto the phone, placing the computer systems in danger.
    There are many more problems for forensic scientists to watch out for, but these are the seven most common. Tracing cell phone data is a laborious task, but it can be done. All it takes is a little investigation, a few tools and a lot of persistence.
    This is a guest post by Coleen Torres, blogger at Phone Internet. She writes about saving money on home phone, digital TV and high speed Internet by comparing prices from providers in your area for standalone service or phone, TV and Internet bundles. Talkback and comments are most welcome.
    6:00 PM, 22 comments.
    Home security camera said: The good folks at GotoCamera have made it a lot simpler to use a surveillance app over your phone without demanding much of your time and money. And what's more, it's FREE. This FREE app gives you 1-click access to your camera's archives and settings. You can get started by creating an account (also free) at www.gotocamera.com. Follow the simple

    Original URL path: http://www.shortinfosec.net/2012/02/7-problems-with-cell-phone-forensics.html (2016-04-27)

  • Information Security Short Takes: Is Geo Location Based DDoS Possible?
    Means of distribution of the attack software. In order for a DDoS attack to succeed you need a high volume of attacking zombie devices. In a Geo Location DDoS you attack something which is at one geographic location, so the zombie phones need to be at or around the target location. This means that you need to persuade a lot of people to install the attacking app on their phones. There would be two options for this task:
    An App that everyone will like. This is very hard to achieve, since whatever your App is, even a game, the percentage of people that will like the game can be very limited. Also, you need to develop this App for a lot of platforms, since there are a lot of phone manufacturers and each has several different OS platforms.
    A self-distributing, virus-like application poses a whole set of challenges. A virus can self-distribute either through a vulnerability of the Operating System or through user action, like sending an SMS with instructions to install an app. Phone users do not readily install new apps simply because an SMS instructed them to, and good luck finding vulnerabilities in a sufficient number of platforms and versions of phone OS.
    Sufficient concentration of Geo Location enabled zombie phones in the targeted areas. Now this is a real numbers game with a lot of interesting results. Targeted areas will be large metropolitan areas which are the focus of large businesses, which will have the highest concentration of zombie phones and where the most damage to the reputation of the mobile provider can be done. To estimate the number of zombie phones in any given area we need some starting parameters. We'll use worst-case scenarios for every parameter.
    Geo Location enabled phone percentage in the total phone population: between 24% and 95%. Gartner estimates that smart phones take up 18% of the total number of mobile phones. We'll assume that every smart phone has Geo Location ability, and we'll use percentages higher than 18% since the target area is going to have a greater population with the means and needs to have a smart phone. For the US we'll use 95%, simply because of the FCC E911 Phase 2 directive, which mandates that 95% of all subscribers of the US mobile networks have some form of Geo Location.
    Percentage of phones that will be targeted by the attack app: 51%. Since there are multiple manufacturers and platforms, the attacker needs to attack the population with the highest probability of success, the largest phone population with similar characteristics. We'll use the penetration percentage of the Symbian platform, which according to Gartner had 51% market share of all smart phone platforms.
    Successfully zombified phones: 20%. The target population of mobile phones cannot be fully controlled. The widest penetration of a virus infection was the Melissa virus, for which it is estimated that it infected between 15% and 20% of all computers worldwide. We

    Original URL path: http://www.shortinfosec.net/2010/09/is-geo-location-based-ddos-possible.html (2016-04-27)

  • Information Security Short Takes: Is the Phone Working? - Alternative Telephony SLA
    Is the Phone Working? Alternative Telephony SLA. Telephony costs are one of the main targets of cost cutting in many large companies. In this effort the companies are turning to alternative voice providers who offer much cheaper calls and more flexible services. But these new operators are using new technologies and are relatively new on the market, so the buyer should approach the alternative telephony service with care and apply a proper Service Level Agreement.
    What we are used to. In traditional telephony the voice reliability is taken for granted, and all equipment is designed to offer very high availability. Also, capacity is not an issue, since each incoming circuit to a switch is dedicated and the switching capacity of the Telco switch is calculated via well-known formulae (Erlang models) to provide switching of all initiated calls. PSTN availability was measured at 99.99% (a maximum of 4 minutes outage per month, or a total of 52 minutes outage per year) in 1993, and that number is closing on 99.994%. Compared to this, classical IP data services are struggling to pass the two-point-five nines (99.5%), which is equivalent to 3.6 hours outage per month or nearly 2 days per year. For all medium to large businesses, especially those operating a retail business, telephony is a default service, one that must ALWAYS work, one that is really taken for granted.
    The potential challenges with an alternative voice provider. When a company decides to use the services of an alternative telephony provider, several issues may appear. The alternative telephony provider may bypass the ILEC operator (Incumbent Local Exchange Carrier) to minimize costs, and quite often they may arrive at your premises via a data link to attach to the company's PBX. Once we walk into the realm of data transfer, things get much different:
    The data link is terminated on lower-reliability active equipment, usually a router or L3 switch. To minimize costs this device will not be of too high a class, and its hardware reliability will be around 98-99%.
    The data link can be prone to faults on a physical level: alternative telephony operators are not too big on infrastructure protection and want fast deployment, so it can happen that the operator's cable is strung on power lines

    Original URL path: http://www.shortinfosec.net/2008/08/is-phone-working-alternative-telephony.html (2016-04-27)

  • Information Security Short Takes: Support Free Internet - Stop SOPA and PIPA
    Support Free Internet: Stop SOPA and PIPA. We openly declare our support for the efforts to prevent the

    Original URL path: http://www.shortinfosec.net/2012/01/support-free-internet-stop-sopa-and.html (2016-04-27)

  • Information Security Short Takes: Privacy Ignorance - Was Eric Schmidt thinking?
    Privacy Ignorance: Was Eric Schmidt thinking? Eric Schmidt said in a CNBC special recently that "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place." And yet the reaction to this flagrant ignorance of basic privacy is mixed: some are criticizing, others are agreeing. Garett Rogers at ZDNet is even brown-nosing Google's CEO for some reason, with the statement "I couldn't agree with him more." It would have been easy to just start ranting about the generic ignorance of Eric Schmidt for anything private. But I wanted to see what the Google engine will do with something that I don't want anyone to know and yet couldn't prevent from happening: ILLNESS. I created a series of e-mails which I exchanged between two Gmail accounts. It took 3 e-mails for Gmail to suddenly start offering me anti-allergy bracelets and refer me to doctors in their AdSense. Now Google's engines know that I have an allergy. Here are the transcripts, word for word, of those e-mails: I apologize for not being on time but I had to visit a

    Original URL path: http://www.shortinfosec.net/2009/12/privacy-ignorance-should-eric-schmidt.html (2016-04-27)

  • Information Security Short Takes: Failed attempt at optimizing InfoSec Risk Assessment
    Failed attempt at optimizing InfoSec Risk Assessment. Last weekend I got into a discussion with an insurance supervisor on the topic of risk assessment. He explained the work process of actuaries in insurance, that there are standardized tables of probabilities for an event to occur (like sickness and death), and how they are used to calculate insurance premiums. After digesting the explanation, my reaction was that I had found the holy grail of Information Security risk analysis: all it takes is for a sufficient number of incident events to be collected into a statistical table, and all possible types of information security incidents will have a standardized table of frequency and impact. No more assessments over the entire organization! And in such a great and utopian solution, at least a quarter of the time the information security personnel will feel like they are doing actuarial jobs. But I was quickly brought back to reality by the expert in insurance with a good question: actuarial tables are compiled based on information that is mandatory to publish (illness, fires, theft, even death). How will you collect accurate information from information security when it's not mandatory to publish it? And he was

    Original URL path: http://www.shortinfosec.net/2012/01/impossible-way-to-optimize-infosec-risk.html (2016-04-27)