Security musings (reflectorium)
Friday, February 27, 2004
  Password-protection of Lotus Notes IDs
Technical reference and a tool for cracking/brute-forcing/testing.
 
(0) comments
Thursday, February 26, 2004
  Infosurance
Dedicated search engine and infolandscape maintained by the ETH Zürich.
(incl. Critical Infrastructures, etc.)
http://www.isn.ethz.ch/infosurance/ 
(0) comments
  Open Source Methodologies for Security Testing
I went to a FIST conference the other day in Frankfurt (at the university there). It ran from 18:00 to 21:00, with a bit more than a dozen people in attendance (incl. Alberto from CISSP-FFM!).
From the invitation: "FIST Conferences are free and open events where to present and talk different aspects of Penetration Testing and Information Security. Presentation of recent conferences in Madrid, Bombay, Delhi, Bangalore, Pune are available here...."
The final agenda was
  • Introduction - by Frank Sadowski, Coordinator OISSG Frankfurt and Balwant Rathore from OISSG
  • Information System Security Testing Framework (ISSTF) draft - by Balwant Rathore, CISSP from OISSG
  • ISSTF Web Application Security Testing Approach by Frank Sadowski

We had good discussions, especially on the risks in penetration testing and the overall need for a good methodology for Web Services testing. - I went away with the feeling that while penetration testing is at times "appealing" to management, from my point of view it has its shortcomings:
  • Penetration test findings are often wiped away by the IT dept., with a simple "ok, we'll patch the servers then"
  • You really test the skills/abilities of the pen testers, not the environment.
  • No one can tell whether spending 100,000 USD instead of 20,000 USD has an added benefit.

Interestingly enough, there are other (rival?) groups pondering open methodologies for security testing, e.g.
---
http://www.ncjrs.org/
http://virlib.ncjrs.org/lawe.asp?category=48&subcategory=193
Electronic Crime Scene Investigations - Guide for first responders
http://www.ncjrs.org/pdffiles1/nij/187736.pdf
---
WS-I releases Web Services Security Scenarios
http://www.ws-i.org/
http://www.techweb.com/wire/story/TWB20040225S0014
http://www.ws-i.org/Profiles/BasicSecurity/2004-02/SecurityScenarios-0.15-WGD.pdf
 
(0) comments
Tuesday, February 24, 2004
  Comparison Cobit vs. ITIL vs. ISO17799
.. strengths and weaknesses of each and which one to look at if in need of XYZ..
http://www.itsmf.org.za/Presentations/CobiT%20ITIL%20and%20BS7799.pdf 
(0) comments
Monday, February 16, 2004
  Misinformation in Security Advisories (ASN.1)
Bugtraq carried a very good posting by John Compton, that aims to clarify some misunderstandings.
http://www.securityfocus.com/archive/1/354034 
(0) comments
Saturday, February 07, 2004
  Just a really nice day at home
I just had a really nice day at home playing with my nephews-to-be..  
(0) comments
Friday, February 06, 2004
  I'm a CISM.. =)
The letter from ISACA with the certificate just arrived. I'm now a Certified Information Security Manager (CISM), which goes nicely with my Certified Information System Security Professional (CISSP) from (ISC)2.
- This makes me feel a bit strange and reminds me of the time I spent in the USA. It also makes me feel old and awkwardly aware that my CISSP three year anniversary is in March. "Stefan Keller, CISM, CISSP" or "Stefan Keller, CISSP, CISM"? - It's still an uncommon thing to boast certifications in Germany..
I hope it shows that I really enjoy working in the security field. (I think it will be the last cert. for some time..) 
(0) comments
Wednesday, February 04, 2004
  Another good security blog: Randy Bias  
(0) comments
  [CISSP-FFM] Notes from the CISSP-FFM Meeting, 15.01.2004
Just to whet the appetite of anyone in the greater Frankfurt (Germany) area.

The next meeting is planned to be Friday, 20.02.04 with Ernst&Young in Eschborn (Thank you Marcus!).
The next Bird-of-Feather event is the GI security management workshop this Friday, 06.02.04, in Frankfurt.

This one was a long meeting in Wiesbaden. We started at 19:30 and kept talking until 00:30 - which raised some concern for the safety of the Daimler folks that had to drive home all the way to Stuttgart. We quickly discussed whether we wanted any membership fees (no), and then moved on to a review of the Chaos Communication Conference in Berlin (Dec 27-29). We went through several presentation slides from the conference and the CISSP-FFMers that went there presented the key findings there (see separate mail to the list). Marcus Rubenschuh gave a presentation on the German results of E&Y's Information Security Survey. We then discussed the impact of Spam, the current situation and possible future scenarios. We then went through the slides to a NIST workshop on security metrics. There was criticism on the overall lack of good examples. We also did a brainstorm on future Birds-of-a-feather sessions around upcoming events, possible locations/calendar for the next events and a wish-list for field trips...

So please do join the fun: CISSP-FFM mailing list CISSP-FFM@Balrog.DE
Public Webinterface to subscribe and unsubscribe: http://AEble.DynDNS.ORG/cgi-bin/mailman/listinfo/cissp-ffm

 
(2) comments
Sunday, February 01, 2004
  Netcraft's humorous DNS education on MyDoom, DDOS..
..quotes five solutions and is titled "www.sco.com is a weapon of mass destruction".
http://news.netcraft.com/archives/2004/01/30/wwwscocom_is_a_weapon_of_mass_destruction.html 
(0) comments
  Freeware sites: snapfiles
 
(0) comments
  The nuclear boy scout
This is an older story, but I do like it a lot. From Harper's Magazine, Nov 1998: "The radioactive boy scout: when a teenager attempts to build a breeder reactor. (case of David Hahn who managed to secure materials and equipment from businesses and information from government officials to develop an atomic energy radiation project for his Boy Scout merit-badge)"  
(0) comments
  Cccure.org (The CISSP Open Study Guides Web Site)
Cccure.org (The CISSP Open Study Guides Web Site) has an online copy of the Handbook of Information Security Management as well as a variety of other good resources.
 
(0) comments