web-archive-net.com » NET » S » SHORTINFOSEC.NET

  • Information Security Short Takes: Safari Carpet Bombing - A Bug in Different Context
    In the past weeks the issue with Apple's Safari browser has received very high media coverage. For a short recap: the "carpet bombing" vulnerability lets a malicious web site dump a large number of files onto the user's desktop without any action from the user. The issue that I would like to stress is that Apple has classified this problem as a nuisance and has scheduled its fix for sometime this fall. It is a perfect example of the different views that customers and software companies take on the same issue. In the previous analysis on the subject we presented the most frequent reasons for this behaviour of the software companies: there are insufficient human resources to address the issue; there are profitable change requests or projects to address

    Original URL path: http://www.shortinfosec.net/2008/06/safari-carpet-bombing-bug-in-different.html (2016-04-28)


  • Information Security Short Takes: Another Bad D.M.C.A. - Canadian Bill C-61
    Last week Bill C-61 was introduced in the Canadian parliament. Supposedly it protects digital media from copyright infringement. The danger is that the law will not serve only to protect the copyright of music and video files, but will possibly hamper the usage of legally purchased material. Here is a flagrant example: Bill C-61 grants copyright holders the right to demand damages from anyone who bypassed any sort of encryption, with a few exceptions regarding interoperability, encryption research and security. 3v3n v3ry l4m3 3ncrypt1on. If this bill is passed into law and you managed to read the above sentence, the author can claim that you breached an encryption algorithm and sue you for $500 per infringement. While the Dmitry Sklyarov incident should not be repeated, we can expect

    Original URL path: http://www.shortinfosec.net/2008/06/bill-c-61-canadian-dmca.html (2016-04-28)

  • Information Security Short Takes: Preventing Online Credit Card Theft - Revisited
    Online credit card theft is a very old and frequently discussed topic, and yet a lot of people in the world are still victims of it. So, in a brief morning post, here are several simple pointers to minimize the risk of online theft:
    - NEVER respond to e-mails claiming to be from your bank and requesting ANY account or personal information. Also NEVER click on links contained in such mails.
    - NEVER give out information when receiving a telephone call from someone claiming to be from your bank and asking for account or personal information.
    - Alert your bank of all attempts described above. When reporting, don't press reply on a received e-mail; call the bank's official phone number printed on your credit card.
    - Buy from reputable sources, although there

    Original URL path: http://www.shortinfosec.net/2008/06/preventing-online-credit-card-theft.html (2016-04-28)

  • Information Security Short Takes: Example - Setting targets for Information Security
    Targets and metrics for information security are not easy to prepare. Most IT and security operations are based on maintenance and depend on a large number of outside factors. Here is an example of how to approach the problem.
    Last week shortinfosec.net reached its 1000th visitor. Although it is a ridiculously small number for a serious site, I ask all readers to be patient, since this site has been alive for only a couple of months and it's more of a hobby. What is important is to measure performance and set targets, and the only way to do that is to establish metrics and keep them updated. The current shortinfosec.net target is to increase the total monthly visits by 100 each month. Here are our monthly statistics, courtesy of sitemeter.com.
    Targets are very difficult to set if metrics are not measured to establish a baseline. So what to measure? Here is a simple rule set for choosing information security metrics:
    - Measuring must be a continuous process. If there are gaps in your measurements they are useless for analysis and for setting targets.
    - Identify what to measure. This can be done via two approaches:
      - Define a list of objectives which you want to reach and identify which metrics are needed to measure the achievement of these objectives. This approach focuses on the relevant objectives that need to be observed, but usually it is more difficult to measure all necessary metrics.
      - Define a list of metrics that can be measured and define which objectives can be concluded from them. This approach focuses on measurable metrics, but the observable objectives may not be entirely relevant to the entire process.
    - Delegate responsibility for measurement, or set up a system that will automatically measure and log all relevant data.
    Here is an example of a very simple measurement process for an Information Security Management System. The Information Security Manager identified that the following metrics can be collected: Number
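    The two rules above (measure continuously, and only set targets against a gap-free baseline) can be enforced mechanically. The following is an added example, not code from the original post or from shortinfosec.net: it takes a monthly series of measurements, reports any missing months, and refuses to evaluate the "+100 per month" target until the gaps are filled. The visit counts are constructed sample data, not the site's real sitemeter.com statistics; the function and variable names are the example's own.

```python
# Constructed sample data (not the original post's statistics): monthly visit counts.
SAMPLE_VISITS = {
    "2008-02": 150,
    "2008-03": 260,
    "2008-04": 380,
    "2008-05": 470,
}

# The same series with one month missing, to show how a gap is detected.
SAMPLE_WITH_GAP = {
    "2008-02": 150,
    "2008-03": 260,
    "2008-05": 470,
}


def _next_month(ym: str) -> str:
    """Return the month following a 'YYYY-MM' label, rolling over the year."""
    year, month = (int(part) for part in ym.split("-"))
    if month == 12:
        return f"{year + 1}-01"
    return f"{year}-{month + 1:02d}"


def find_gaps(series: dict) -> list:
    """Return the month labels missing between the first and last measured month."""
    months = sorted(series)
    gaps = []
    current = months[0]
    while current != months[-1]:
        current = _next_month(current)
        if current not in series:
            gaps.append(current)
    return gaps


def evaluate_target(series: dict, target_increase: int) -> dict:
    """Compute the month-over-month increase and whether each month met the target.

    A series with gaps is rejected outright: a delta computed across a missing
    month is not comparable with the others, so no target should be set on it.
    """
    gaps = find_gaps(series)
    if gaps:
        raise ValueError(f"measurement gaps at {gaps}; fill them before setting targets")
    months = sorted(series)
    results = {}
    for previous, current in zip(months, months[1:]):
        delta = series[current] - series[previous]
        results[current] = {"delta": delta, "met": delta >= target_increase}
    return results


if __name__ == "__main__":
    # Evaluate the site's stated target of +100 visits per month on the sample series.
    for month, outcome in evaluate_target(SAMPLE_VISITS, 100).items():
        status = "met" if outcome["met"] else "missed"
        print(f"{month}: +{outcome['delta']} ({status})")
    print("gaps in second series:", find_gaps(SAMPLE_WITH_GAP))
```

    The same shape works for any ISMS metric sampled on a fixed interval (incidents per month, patch lag per week): replace the visit counts with the measured values and the target with the agreed threshold, and the gap check stays the same.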

    Original URL path: http://www.shortinfosec.net/2008/05/example-setting-targets-for-information.html (2016-04-28)

  • Information Security Short Takes: DemoCorp Subdomain Created
    I have received comments via e-mail that my posts are not supported

    Original URL path: http://www.shortinfosec.net/2008/05/democorp-subdomain-created.html (2016-04-28)

  • Information Security Short Takes: Information Security and Strategy Carnival - second issue
    A reminder: the second issue of the Information Security and Strategy Carnival at ShortInfoSec is coming on the 1st of June. Please submit

    Original URL path: http://www.shortinfosec.net/2008/05/information-security-and-strategy_16.html (2016-04-28)

  • Information Security Short Takes: CEO's View on IT Outsourcing
    In the past weeks I heard two CEOs from different companies state that having an in-house IT department is a large burden for them. I consider that to be ample reason to investigate the managerial view of outsourcing.
    I come from an engineering, IT-focused background. In the engineering world the prevailing mentality is "why let someone else do something when I can do it myself". But this is becoming increasingly expensive, especially in a world of reducing margins, where managers are fighting to maintain or increase profits. I've had the opportunity to do an informal interview with the CEO of an ICT consultancy company and delve deeper into the topic of outsourcing IT from a manager's point of view.
    From the manager's point of view there are four reasons for outsourcing:
    - Costs are too large: the internal IT infrastructure or personnel costs are affecting the bottom line, and there are available alternatives that guarantee better cost management and cost projection.
    - Resources are insufficient: the internal IT personnel is not sufficient to properly operate the infrastructure, and increasing this personnel is not possible due to unplanned costs.
    - Too much complexity: the company is not focusing on its primary business, since it spends too much time managing its parts.
    - Resources are much more valuable if used on another task: the internal IT personnel will probably do the job better than the service provider, but the company will benefit much more if they are focused on other activities.
    As expected, all four reasons boil down to the same goals: profit and manageability. And yet CEOs admit that there are benefits to having an internal IT:
    - Excellent understanding of the business technology: an outsourced service provider will certainly have an excellent general understanding of IT operations, but will rarely have an understanding of the inner technology operations of a company. This is especially true for a company in regulated industries (banking, pharmaceuticals, pension funds, etc.).
    - An "our service" mentality, a benefit of the engineer mentality: the internal personnel will go to extra lengths to maintain or optimize the service and will quite often

    Original URL path: http://www.shortinfosec.net/2008/05/ceos-view-on-it-outsourcing.html (2016-04-28)

  • Information Security Short Takes: Corporate Skype Wishlist
    I already blogged about the things that make Skype a poor choice for a corporate environment. But facing reality, the penetration of Skype among home users is excellent, and a whole lot of people are quite familiar with the interface and the usage. So if there is a way to make Skype more corporation-friendly, it becomes a very easy tool to be adopted by the employees. Now there is talk that Skype may be sold. Without knowing what the business model of the possible new owner will be, here is a wish list that would make Skype the killer of all corporate IM applications:
    - Enable autonomous functionality: effectively, the organization should be able to run Skype in an autonomous mode without contact to outside Skype servers. This would probably require integration with Active Directory or some other directory service for user authentication.
    - Enable administrator-controlled assignment of SuperNodes and RoutingNodes: each Skype program can become, upon its own decision,

    Original URL path: http://www.shortinfosec.net/2008/04/corporate-skype-wishlist.html (2016-04-28)