web-archive-net.com » NET » S » SHORTINFOSEC.NET

Total: 84

  • Information Security Short Takes: Possible Emerging Player In InfoSec Market?
    After the Rapid7 acquisition of Metasploit, things are beginning to shift in the vulnerability scanning and penetration testing market. The basic trend is one of merging the small independent players into larger organizations with a product portfolio covering a wider area. Rapid7 published the NeXpose Community edition, which pairs with Metasploit. At this moment it still has some early adoption issues, like problems with working on Windows 7, but these will be resolved. NeXpose Community may prove to be a strong adversary to Nessus in the free tools market, and by presenting the possibilities of NeXpose to a wider community it will enter the minds of more potential commercial users. But apparently the competition is not sleeping either. For around a year there has been a joint discount offer on a set of products by Tenable Network Security, Immunity Inc. and DSquare Security. This set creates a great overall product: Nessus being the vulnerability scanner, Immunity CANVAS being one of the commercial leaders in penetration testing frameworks, and DSquare enriching the set with additional exploit packs for CANVAS

    Original URL path: http://www.shortinfosec.net/2009/12/possible-emerging-player-in-infosec.html (2016-04-28)

  • Information Security Short Takes: Tutorial - Alternate Data Streams: The Forgotten Art of Information Hiding
    Alternate Data Streams (ADS) are a feature of the NTFS filesystem. In essence they were created to provide compatibility with HFS, the old Macintosh Hierarchical File System. The Macintosh file system uses both a data fork and a resource fork to store a file's contents: the data fork holds the contents of the document, while the resource fork identifies the file type and other pertinent details. How do you create an ADS? Wonderfully easy. All you need is the two files; then send the file to be hidden into an ADS of the host file with a simple type command:

        type file_to_be_hidden > host_file:name_of_file_to_be_hidden

    The most frequent malicious use of ADS is to conceal the executable of a trojan or rootkit as an alternate data stream of a perfectly safe file. For instance, once an attacker penetrates a Windows system, he can easily hide the malicious payload for further access in an executable which is fairly frequently used, like Calculator. Alternate Data Streams may also be interesting as a mechanism to hide and transport information out of an organization. Once you add an ADS to a file there is no visible change in the size of the host file; only the modified date changes. This makes the alternate streamed file quite difficult to detect (although dir /r on Windows Vista and later, or the Sysinternals streams tool, will list every stream of a file). The ADS also does not change the MD5 hash of the original file, which may prevent systems that control file modification through hashing from detecting the hidden file. Here is an example (test.txt is empty here, which is why its MD5 is the well-known hash of zero bytes):

        C:\Users\user\Desktop> md5sum test.txt
        d41d8cd98f00b204e9800998ecf8427e  test.txt
        C:\Users\user\Desktop> type image.jpg > test.txt:image.jpg
        C:\Users\user\Desktop> md5sum test.txt
        d41d8cd98f00b204e9800998ecf8427e  test.txt

    One would think that this method of information hiding is great for transferring any amount of information, with an inconspicuous carrier file being sent over a network. But there is a catch: most data carriers will ignore the Alternate Data Stream. Here is the summary list. Zip, RAR or ARJ will simply compress the host file and disregard the ADS (unless the archiver is explicitly told to store NTFS streams, as WinRAR's -os switch does). MIME and Base64 encoding (e-mail) will ignore the ADS entirely. FAT32, mostly used on USB flash drives, will lose the ADS since it is not supported. Steganography programs will read the bytes of the host file and stop at
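    The creation step, the unchanged-hash check and the detection sweep described above, as an added PowerShell example (not code from the original tutorial). It assumes an NTFS volume, PowerShell 5.0 or later on Windows (for -Stream, -NoNewline and Compress-Archive) and a writable $env:TEMP; the carrier text, the stream name image.jpg, the 4 KB payload string and the Find-AlternateStreams function name are all constructed here.

```powershell
# Added example, not from the original tutorial.
# Assumes NTFS, PowerShell 5.0+ on Windows and a writable $env:TEMP.
$work = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$carrier = Join-Path $work 'test.txt'
Set-Content -Path $carrier -Value 'innocent looking carrier content' -NoNewline   # constructed host file

$md5Before  = (Get-FileHash -Path $carrier -Algorithm MD5).Hash
$sizeBefore = (Get-Item -Path $carrier).Length

# Equivalent of  type image.jpg > test.txt:image.jpg  -- the hidden data is a constructed 4096-byte string.
Set-Content -Path $carrier -Stream 'image.jpg' -Value ('X' * 4096) -NoNewline

$md5After  = (Get-FileHash -Path $carrier -Algorithm MD5).Hash
$sizeAfter = (Get-Item -Path $carrier).Length
"MD5 $md5Before -> $md5After, size $sizeBefore -> $sizeAfter (both unchanged: the default stream was not touched)"

# What a defender sees: every stream on the file, including the default :$DATA stream.
# cmd's  dir /r  shows the same entry as  test.txt:image.jpg:$DATA
Get-Item -Path $carrier -Stream * | Select-Object Stream, Length

# Sweep a directory tree for files carrying non-default streams.
# Zone.Identifier is the Mark-of-the-Web stream added to downloads and is normally benign, so it is skipped.
function Find-AlternateStreams {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -notin @(':$DATA', 'Zone.Identifier') }
        } |
        Select-Object FileName, Stream, Length
}
Find-AlternateStreams -Root $work        # reports test.txt with stream image.jpg, 4096 bytes

# The carriers listed in the post really do drop the stream: a zip round trip keeps only the default stream.
$zip = Join-Path $work 'carrier.zip'
Compress-Archive -LiteralPath $carrier -DestinationPath $zip -Force
$unzipped = Join-Path $work 'unzipped'
Expand-Archive -LiteralPath $zip -DestinationPath $unzipped -Force
(Get-Item -Path (Join-Path $unzipped 'test.txt') -Stream *).Stream   # only :$DATA remains

# Reading the hidden data back from the original carrier:
(Get-Content -Path $carrier -Stream 'image.jpg' -Raw).Length   # 4096
```

    Find-AlternateStreams is the part worth keeping: run it over user profile and web-root directories during an investigation, and treat any stream other than :$DATA and Zone.Identifier on an executable or a system file as something to explain.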

    Original URL path: http://www.shortinfosec.net/2009/12/tutorial-alternate-data-streams.html (2016-04-28)

  • Information Security Short Takes: Interview with GenApple founder
    The buyer pulls the commodity out of the vault. The buyer receives the funds after a cool-down period for disputes.

    Mark John Hanson: Exactly, there's obviously more detail and I'll be happy to provide you with our animation intro that explains this; users can also view our "how it works" area. You are concerned with security, and this is utterly important for a business like this. Thus our website has been developed so that each information vault is protected from hackers and people with bad intent. We are certified by McAfee; we also use a SSL certificate from Verisign, so immediately when people are on our site all transactions, from a simple search, are secure. We feel that as an information brokerage we should treat our customers as if they're dealing with a bank or financial institution; information and knowledge is valuable. Moreover, when people sell information they want to keep their identity private because of the nature of the transaction; to us, privacy is a form of security. We want people to know that if they use this site their identity is kept safe and will not be disclosed to anyone, period.

    Bozidar: You use a very strong statement there, "protected from hackers". In the world in which I live, something hasn't been hacked only because a hacker still hasn't found the vulnerability to exploit, or the interest in exploiting it. So for argument's sake, let's say that a hacker manages to break in and he/she/they steal information or redirect funds. Do you accept any responsibility for the damages caused to the parties involved?

    Mark John Hanson: I do have confidence in our site's security and McAfee Secure; we will do our utmost to protect the information that people have disclosed to us. As to your question, our user agreement discloses precisely what responsibilities each party undertakes.

    Bozidar: So on this particular site it is very wise to read the agreement, not just click the "I Agree" button.

    Mark John Hanson: What we want is for every user to read the user agreement and privacy policy before they sign up; we have links to these agreements on the registration page. The reason for this is that the user knows what to expect from us and also what we expect from every user. This marketplace depends on GenApple to create a safe, easy, secure place to do a transaction.

    Bozidar: In your first target group vertical you mention US regulation. On my attempt to register I saw that the registration address can only be a US address. Does this mean that every user of GenApple needs to be under US jurisdiction?

    Mark John Hanson: For right now we're limiting it to the United States; however, probably very soon we'll open it up to many different countries. This is partly based on how we pay: we have two payment methods to pay sellers, 1) PayPal and 2) a bank check

    Original URL path: http://www.shortinfosec.net/2009/11/interview-with-genapple-founder.html (2016-04-28)

  • Information Security Short Takes: GenApple - First Glance at the First Information Brokerage
    The Internet has become a transfer medium for a lot of new business models, some of which have failed and others which are thriving. In this environment there is a new service called GenApple, which boasts to be the first information brokerage in the world. With a business model similar to eBay, GenApple facilitates the selling and buying of information. A seller of information offers some information either at a fixed price or via an auction. The difference from eBay is that GenApple will act as an escrow, a third impartial party trusted by both seller and buyer. GenApple will hold the offered information in a special vault until the trade is concluded and then let the buyer obtain it from the vault. Similarly, GenApple will hold the payment money for the seller until the dispute period has passed, in order to facilitate a refund in case of a dispute. This new service opens a whole set of questions and possible

    Original URL path: http://www.shortinfosec.net/2009/11/genapple-first-glance-at-first.html (2016-04-28)

  • Information Security Short Takes: Database Admin Hacking his Ex Firm - Is It All His Fault?
    Data Breaches has just published information about a former GEXA employee pleading guilty to computer intrusion. According to the article, here is what happened:

    "Kim remotely accessed the GEXA Energy computer network and the GEXA Energy Management System (GEMS) database. While connected to the GEXA Energy computer network, Kim recklessly caused damage by, among other things, issuing various Oracle database commands which created a new data table in the GEMS production database which, when copied to the GEMS staging database, caused the automated script to fail, thus impairing the availability of data. As a result of Kim's intrusion into their protected computer system, GEXA Energy incurred a loss of at least $100,000, the costs associated with troubleshooting, securing and repairing the GEXA Energy computer network and the GEMS database. Kim was indicted in June 2009."

    We quite agree that the access of the former employee is illegal, and he probably did cause a lot of sleepless nights for the admins and security officers and a lot of stress for the GEXA management. But GEXA blames the ex-DBA for some wrong reasons. Let us break down the stated loss amount of $100,000.

    Troubleshooting the issue: the problems were actually caused once the production system was copied into staging, so it is quite probable that production was not impaired, at least not in any significant way. So troubleshooting was a couple of man-days and by any salary standards could not cost more than $4,000.

    Securing the computer network and GEXA systems and network: the incident was caused by inadequate levels of security measures on the procedural, network and database levels (a former employee could still reach the network and the production database remotely). So any costs incurred by GEXA to beef up and revise security would have to be spent regardless of the incident. In my opinion these costs should be incurred by the GEXA Information Security Officer, the Head of Internal Audit, the HR Officer and the last external auditor of the computer systems.

    Repairing the GEXA GEMS database and computer network: this part was mostly a witch hunt for rootkits, trojans and breach of integrity, one that has to be performed after any breach. This part is really the only segment that the ex-DBA should be accountable for.

    In conclusion, GEXA did suffer a lot of grief from this incident and we commend them on the success in identifying the attacker. But in reality the incident is caused by

    Original URL path: http://www.shortinfosec.net/2009/11/database-admin-hacking-his-ex-firm-is.html (2016-04-28)

  • Information Security Short Takes: IT Risks vs. Information Risks
    As an Information Security professional, I think it is increasingly important to understand the difference between IT Risks and Information Risks. You should also understand the advantages in enabling business strategies by ensuring that you brand each one of these risks accordingly. Here are my high-level definitions. IT Risks: the probability that a vulnerability of an information technology solution or asset will be exploited, and the likely damage from the exploitation. Information Risks: the probability that information (data) can be exploited, and the likely damage from the exploitation. While these may seem similar to the layman, they should clearly be viewed and positioned differently by the Information Security professional. Here's why: IT Risks should have a focus on technology, while Information Risks should not. By clearly positioning the two as different it is easier to delineate responsibilities when partnering with the business on managing risks. Knowing who owns what always increases your chances of being successful. IT risks, given their technology orientation, will rightfully land more on the plate of IT professionals to manage, vs. the business. Information Risks should accordingly land more on the business side. When I say "land", from a

    Original URL path: http://www.shortinfosec.net/2009/11/it-risks-vs-information-risks.html (2016-04-28)

  • Information Security Short Takes: Role of Information Security Manager
    As the Information Security Manager you will take responsibility for developing, maintaining and monitoring compliance of all information security policy and procedures. The successful Information Security Manager will perform security risk analysis and risk management, perform security tests, and manage internal audits on information security processes, controls and systems. You will take responsibility for developing and maintaining the organization's project disaster recovery and business continuity plans for information systems, and monitor changes in legislation and accreditation standards that affect information security. You will provide guidance and consultation on projects for IT

    Original URL path: http://www.shortinfosec.net/2009/11/role-of-information-security-manager.html (2016-04-28)

  • Information Security Short Takes: Information Security and Strategy Carnival - issue #5
    For the fifth issue of the Information Security and Strategy Carnival I am pleased to present the following texts. Dan Cornell over at Denim Group posts a great article on 13 Things

    Original URL path: http://www.shortinfosec.net/2009/11/information-security-and-strategy.html (2016-04-28)