  • Information Security Short Takes: July 2012
    problems if not done correctly. We will not delve into what SLA and service conditions are agreed on with your service provider; we will focus on the migration process. Assuming you have selected a service to migrate to a cloud provider and have selected the cloud provider, even after contract signing things may still be far from complete. The migration process is the thing that can be very painful and can break the entire service for an extended amount of time. And sadly, the service provider may not be too interested in properly supporting you in the migration process, for whatever reason. To ensure a successful migration, or at least to be able to pull the handbrake before disaster strikes, make sure that you check the following elements before driving into the migration process. Clearly understand what data from the current service will be migrated into the cloud service: this is crucial from several points of view. If there is migration, you must understand the amount of data that can and will be migrated, whether the service provider has sufficient space to accept all data or you'll need to prioritize, and whether the format of the data remains the same. For instance, you may be using a MySQL database but are migrating all data into an Oracle cloud service. Also, if data is not migrated, you'll need to keep it available to the users as legacy data. Clearly understand the migration process of the data from local into the cloud service: if existent, the migration of data can vary wildly. It can depend on very complex factors like change of format, structure, proxying etc., or very simple ones like the bandwidth to transfer the files over. Understand the authentication source of the cloud provider: all your services were authenticated to a data set within your company, usually an LDAP server or a database. You must understand which data set the cloud provider can support for authentication, because you may need to recreate your users' accounts and generate and distribute new passwords to them. Gather all usage scenarios of the service as it is currently delivered in house: there may be multiple usage scenarios for a service that have been introduced through the years, either officially or unofficially. For instance, a mail server can be accessed via POP3, IMAP, or MAPI on Exchange servers, and different users may be using different protocols. Confirm which usage scenarios are supported by the service provider: your users may need to be reconfigured in advance or at the moment of migration. You need to understand which steps you'll need to take to maintain minimum outage for the users. This is usually tightly connected to the authentication source and setup. Ensure you have bandwidth: going into the cloud means remote access. Whatever your in-house service was, you never cared about bandwidth usage and latency over your gigabit LAN, but that bandwidth usage may be very significant. Observe your current network using network analysis tools

    Original URL path: http://www.shortinfosec.net/2012_07_01_archive.html (2016-04-27)


  • Information Security Short Takes: June 2012

    Original URL path: http://www.shortinfosec.net/2012_06_01_archive.html (2016-04-27)

  • Information Security Short Takes: March 2012
    in way of electronic trail; e-mail can leave a much larger electronic trail if not approached properly. In the past months Shortinfosec had the fortune to review a social engineering attack performed by a pen test team on a company. While the pen test was considered a failure by the client, significant elements of the attack point to open issues with the client. Publication of this information is based on the provision that all information regarding the pen test client and provider (location, business and identity) is to be unidentifiable. The attack: The social engineering attack was performed over a phone line, not even being in the same city as the client, with the pen testers using publicly accessible lines. The targets of the attack were chosen from social networks. The attack was three-stage: collect information about the order delivery process (delays, timing etc.); collect information about a current order in the pipeline (order prepared but not delivered to the customer); divert the order to a different address. The attack was performed by multiple phone calls which created contact with multiple targets. Each call was a probing attempt to collect as much information as possible. The first and second stage of the attack were targeted at the same targets, but with several days' delay between stages. Two persons performed all attacks. In the first stage of the attack, the attackers simulated a disgruntled customer who insisted on getting details on the process as his delivery was not proper. Approximately half of the targets responded: they were either compliant to explain the process, or were unable to reach the account manager and proceeded to divulge information to the attackers. In the second stage of the attack, the attackers approached targets that were deemed soft, i.e. that were most compliant and divulged the most information. They misrepresented themselves as persons from multiple client companies until they received information on a current order in the pipeline. A minor number of targets responded with the required details, simply because most targets did not have access to order information. In the third stage of the attack, the attackers again approached the soft targets, attempting to divert the order from the pipeline to a different delivery address. Most targets did not have the authority to change the delivery address. The attackers reached a target with appropriate authority, but that target contacted the real client while on the phone to verify. The client denied any change, which caused all kinds of alarms to go off. In the end the police were notified immediately and the pen testers nearly ended up in custody. The review: When investigating the approach used by the social engineering attack, we found missteps in the following areas. The process research: the failure of the attack had one primary reason. The requested redirection address was outside of the free delivery area, and the targeted person actually sent out an electronic invoice to the real client for the redirection. This invoice was rushed by the client's accounting department since it was for an outstanding order, and immediately disputed by the

    Original URL path: http://www.shortinfosec.net/2012_03_01_archive.html (2016-04-27)

  • Information Security Short Takes: February 2012
    7 Problems with Cell Phone Forensics. Cell phones don't feel newfangled, but in truth they are. With innovation comes swift change, sometimes so swift that it is difficult for forensic scientists to keep up. Criminals use cell phones in a variety of crimes, and it is up to the forensic scientists to uncover their transgressions. But where do they start? What are some complications that scientists encounter? Innovation: Change is the number one issue for forensic scientists to overcome. Even the cell phone manufacturers don't always know how to retrieve information stored in new phones, so how can scientists retrieve the information? Staying up to date on new cell phones is challenging but not impossible. As fast as they are created, criminals come up with ways to abuse them. Strangely enough, this can be beneficial for forensic scientists: using online tips can allow scientists to simply access information that would otherwise remain unreachable. Charge: Unlike computers, much of what is stored in a phone's memory is reliant upon the battery. When the electricity goes, so does the information. Depending on what information you are looking for and how it is stored, battery or charger power is an essential thing to think about. SIM cards and removable media: SIM cards are the soul of a cell phone. They carry vital user information. Likewise

    Original URL path: http://www.shortinfosec.net/2012_02_01_archive.html (2016-04-27)

  • Information Security Short Takes: January 2012
    in word processor at 65% screen brightness. Portability: not really comparable since all other laptops are 15", but the Mac is very easy on the shoulders and an excellent companion at meetings. Speed of functions: all implemented functions within the OS are implemented VERY WELL. For example, the Cisco IPSec VPN connection using the native Lion client authenticates at least 10 seconds faster than the Cisco VPN Client for 64-bit Windows 7 (we actually measured). The gripes: Naturally, not everything is that great, and here are the frustrations that we faced with our Mac. The keyboard shortcuts: putting an IT pro who worked on a PC and Unix for 20 years in front of a Mac running OSX is a special kind of hell. NONE of the keyboard shortcuts are the same, and it is a significant effort to shift to OSX shortcuts. They are not illogical, only completely different, which hampers productivity for anyone used to doing much of their work on a keyboard. Interoperability with other platforms: There are interoperability gripes with a lot of stuff. The Mac can join an AD domain, sort of, but we had a lot of stress getting the Mac to use cached credentials. Mostly the same happened with a Linux-based LDAP service. Software is missing: A lot of productivity software that we are used to is missing for Mac; we stumbled on Visio, then on MS Project, then on Notepad, then on 7zip. We didn't go into developing Java in Eclipse because of the following point. Mind, there are replacements for most of the software we were missing, but productivity was hampered since we needed to find the appropriate software, buy it and learn how to use it. VMware Player is nonexistent for Mac; we are limited to VirtualBox. Lacking native support for obvious items: first disaster, no support for NTFS write. We had to revert to the dreaded FAT32, which was a deal breaker for development. As if that wasn't enough, iSCSI is not natively supported, which further killed any attempt at accessing the large Java codebase on our iSCSI fileserver. Remote access: So far we haven't discovered an efficient native tool to access and work on our Mac remotely. The Apple Remote Desktop is shameless highway robbery: why should any company or user need to pay any money to access and manage a single Mac remotely? We are at the moment trying out VNC, which is not a very preferred platform. No Native or Free Disk Encryption: Updated thanks to comments on reddit.com. Up to OSX 10.6, only Sophos SafeGuard provided full disk encryption for a Mac. For OSX 10.7 there is FileVault full disk encryption, but we haven't tried it. Conclusions and thoughts: We are not abandoning the Mac; it is a great tool and an asset in our little lab. But in the current state of things it takes a lot of effort and compromise to fully migrate to a Mac platform, especially since multi-environment knowledge is required. If today someone asks us whether a Mac is a good idea for company use, we would not be very supportive, for the following reasons: Business software lack of compatibility. Updated per the comment of Ryan Black: incompatibility with writing to the NTFS filesystem, which is everywhere (previously stated as NTFS fileservers; fileservers are accessed through SMB, which is supported). Learning curve for efficient use. Talkback and comments are most welcome. Choosing Data Storage: A difficult dance. IT has come a long way in the past 15 years and has definitely advanced into the realm of commodity service. But there are still complexities under the hood of this commodity service. One of the most underestimated in complexity is data storage; it is taken for granted by everyone. For example, I frequently talk to a high-ranking manager in a software company, and he constantly states that all that is needed is another disk. At the end of the day, data storage is very far from simple. Every organization needs to provide a storage service for its requirements. But storage is not only capacity, and one must be careful when choosing the appropriate solution for storage. There are three basic options at the moment: cloud storage services, open source based storage systems, and commercial enterprise storage systems. We will evaluate each service from the following key parameters of a storage system. Capacity: The first and usually only thing we think about when we talk about storage, and the easiest to achieve. Regardless of the option for data storage, capacity is upgradeable. In open source storage systems, which are based on commodity hardware, upgrades are limited to the abilities of the host server box. The enterprise systems are much more upgradeable, but at high costs. For a cloud storage provider, capacity upgrade is nearly infinite, at least on paper. It is wise to plan ahead and consider whether future ability will support your requirements. Input/Output Operations per Second (IOPS): The usually forgotten and very difficult to assess parameter, but nonetheless very important. The IOPS should present the amount of operations that the system can perform on a storage within a time frame of 1 second. But read and write operations on a storage can vary (sequential or random, read or write), and there are even front-end and back-end IOPS when using RAID configurations. Cloud storage services do not publish IOPS. Enterprise manufacturers always publish the IOPS number that is most beneficial to them, and the open source solution mostly leaves the IOPS to the builder of the system. In any case, the end result is: DO NOT TRUST THE NUMBERS. There are some nice estimation calculators online, like wmarow's IOPS calculator, but use them only for reference. The smart solution is to test the storage

    Original URL path: http://www.shortinfosec.net/2012_01_01_archive.html (2016-04-27)

  • Information Security Short Takes: December 2011
    The STRATFOR Conundrum. It has been a while since the last published article, and we are not going to try to make excuses. But we are enticed to do a quick note on the developing story of STRATFOR. In summary, Strategic Forecasting (STRATFOR) servers got hacked by a group apparently affiliated with Anonymous. Anonymous have since denied any involvement in

    Original URL path: http://www.shortinfosec.net/2011_12_01_archive.html (2016-04-27)

  • Information Security Short Takes: September 2011
    Five Information Security Issues We All Face Today. Technology has done a great deal for changing the way we live and do business today. While the benefits are numerous, however, there have been challenges that come with that development. Here's a look at some of the information security issues we all face. Awareness: A blog post by Rik Ferguson for Trend Micro says awareness and education are key issues surrounding information security today. People must understand and accept the risks that come with using technology, and the Internet in particular. By knowing threats are present, they can learn to use these luxuries carefully and not blindly accept that someone will have the solutions for any problems they may face. Complacent Businesses: We place considerable faith in businesses to safeguard our personal information. However, some companies are not always as proactive about defending files as they could be, Ferguson suggested. In fact, some don't strengthen protective measures already in place until information breaches or near breaches occur. Customers want to know their information is protected, and businesses often have a legal obligation to plan ahead and monitor their client files as much as possible. A Wealth of Online Possibilities: Online banking, smart phones, credit cards, bill pay and countless other Internet options open individuals to numerous hacking risks and opportunities for

    Original URL path: http://www.shortinfosec.net/2011_09_01_archive.html (2016-04-27)

  • Information Security Short Takes: August 2011
    Space and Performance: Here is the conflict between storage vendors and clients. Storage vendors do not sell space and rarely sell performance; they sell hard drives. And everything in their portfolio (cache, slots, licenses) is based on physical drives. So they will always push the client into a "number of drives" mentality. This is wrong: the client needs to think in terms of useable space and Input/Output Operations per Second (IOPS), because at the end of the day the servers do not care that you have 20 drives when they see only 100GB of partition and only 200 IOPS when they need 1000. And here we hit the problem of balance: as you are well aware, a storage can provide different levels of data protection through redundancy or parity, at the cost of physical capacity and performance. When declaring your useable space, you need to either declare the number of IOPS that it needs to support (which is very difficult) or declare a RAID level. Since estimating the actual IOPS requirement is difficult, you can always approach it with an "I need better functionality than I have at the moment" attitude. This is very easy to achieve with Wmarow's IOPS calculator. Input the parameters for the number of drives and RAID level that is currently servicing your server. Then input the estimated number of drives and organization (RAID) that you are thinking of buying. Compare the IOPS results. If you are migrating more servers to one RAID group, add up all initial IOPS and compare to the one resulting IOPS. You need to achieve a better IOPS result for the target than currently by at least 50%. The results will vary wildly based on the number and type of drives as well as the RAID level. We have calculated a sample of IOPS results for a 2 TB capacity drive using different RAID levels and disk drives, with the assumption of using a small storage with only 16 slots for disks. Please note that the actual IOPS result of a certain storage system may be different in absolute value because of processor power, advanced algorithms and cache memory. But regardless of these attributes, the relative ratio between the produced IOPS will remain the same: RAID0 will always be 3 times faster than RAID5 on the same drives. Also please note that, no matter what the abilities of the storage system that you are looking at, there are physical limitations to each disk, and these cannot be overcome by any amount of cache, intelligent algorithms or processing power of the storage system. In conclusion, since the absolute value of different storage systems may be different, what is the best way for a client to be certain that he/she will receive the balance of protection and performance that is needed? There are two options. Test the configuration: if someone wants to sell a storage, he/she should be able to create a same configuration storage

    Original URL path: http://www.shortinfosec.net/2011_08_01_archive.html (2016-04-27)