Security musings (reflectorium)
Thursday, July 29, 2004
Just got married
It's all legal now... will marry in church on August 7th. The picture is right here at http://skeller1.blogspot.com/2004/07/just-got-married.html

Wednesday, July 21, 2004
Vulnerability announcement to exploit - time window
(from a posting by M S Hines to a mailing list)
"Information Security, July 2004, p. 23 contains an article on the time the world has to patch against the latest vulnerability (source: Foundstone). The data shows the time between the announcement of a vulnerability or release of a patch and a malware-bearing exploit being discovered in the wild (an 'interesting' term - in the wild usually means 'attacking your hosts').

1999 - 280.5 days
2000 - 104 days
2001 - 205 days
2002 - 88 days
2003 - 26 days
2004 - 10 days"

Tuesday, July 20, 2004
Tuesday, July 13, 2004
Today's MS advisories
KB839645: http://www.microsoft.com/technet/security/Bulletin/MS04-024.mspx
KB841872: http://www.microsoft.com/technet/security/Bulletin/MS04-020.mspx
KB841373: http://www.microsoft.com/technet/security/Bulletin/MS04-021.mspx
KB841873: http://www.microsoft.com/technet/security/Bulletin/MS04-022.mspx
KB842526: http://www.microsoft.com/technet/security/Bulletin/MS04-019.mspx
KB840315: http://www.microsoft.com/technet/security/Bulletin/MS04-023.mspx
The Sarbox Conspiracy
This article in CIO Magazine triggered quite some discussion on the ISACA list that I'm on. Sarbox = Sarbanes-Oxley = SOX, a US regulation that impacts a lot of companies and is now starting to trickle down to ones not listed in the US. Dave Richards, the president of The Institute of Internal Auditors (IIA), takes a stand in the comments section. Should be an interesting read.
http://www.cio.com/archive/070104/sarbox.html

Monday, July 12, 2004
Friday, July 09, 2004
PraxIS July 2004
IN THIS ISSUE
1) Risk & Security
IT Governance document available from ITGI
Business Continuity Maturity Model
...
Links: IT Governance download from http://www.itgi.org/ ; also Business Continuity Maturity Model free download
World Bank Technology Risk Checklist v6.1
http://www.opencsoproject.org/forum/about39.html
From the Introduction: "The World Bank Technology Risk Checklist is designed to provide Chief Information Security Officers (CISO), Chief Technology Officers (CTO), Chief Financial Officers (CFO), Directors, Risk Managers and Systems Administrators with a way of measuring and validating the level of security within a particular organization."
The checklist covers the following areas:
1. Risk Management
2. Policy Management
3. Cyber-Intelligence
4. Access Controls/Authentication
5. Firewalls
6. Active content filtering
7. Intrusion detection system (IDS)
8. Virus scanners
9. Encryption
10. Vulnerability testing
11. Systems administration
12. Incident response plan (IRP)
13. Wireless Security
(I found this in a post from Marc Menninger on cissp-forum [Thanks Marc!])

Thursday, July 08, 2004
US government recommends the use of an alternative browser...
Martin McKeay on where the US government actually made that recommendation, which has been mentioned quite a bit lately in light of the recent IE problems. He thinks it's this one: US-CERT Vulnerability Note VU#713878 (in Section III).

Wednesday, July 07, 2004
Hackers' playground
from a posting to "secevents":
"Hacker Playground (http://www.hackerplayground.com) is a new web site that will feature the Internet's FIRST legal private hackable network. This site has been developed in response to the problems faced by security experts in the field with no way to test if their security models and skills can stand up against other security experts in the field." [..] "The game's design is simple. Sign up for an account and gain access to a Fedora Core Linux box via ssh which has access to a private hackable network. The rules are quite simple: root a server any way possible, sniff the network for passwords using ARP poisoning attacks, run buffer overflows etc., secure the server and leave three services open for others to try and take control away from you. The winner of the game will be determined by "owned root time", basically the user who owns root the longest wins the game! Another interesting feature that the site designers have come up with is a way for the community to "Watch The Games"." [...]

Tuesday, July 06, 2004
Learning by Doing: CISCO Certified Network Administrator 3.0
This is from an article in the Register. Matthew Basham teaches courses for Cisco Certified Engineers, wrote a textbook on it and made it available free on the net at http://www.spcollege.edu/star/cisco/Matt/list_of_current_papers_and_brief.htm
Warning! It's a *big* Word document (5 MB). - or as Axel would put it, "It's a big *Word* document."

Monday, July 05, 2004
"Risk Analysis in Software Design" - and SecureUML and UMLsec
I found this on Dana Epp's blog. - Gary McGraw from Cigital wrote an article for IEEE Security & Privacy magazine called "Risk Analysis in Software Design". Very good article, good comparison, somewhat academic. Gary McGraw has some interesting links in it.
Saturday, July 03, 2004
Rainbowcrack and MD5 cracking
"md5er" has set up a quick website and system to crack MD5 hashes online using rainbow tables. According to him, the project is using RainbowCrack and currently ~47 GB of tables. At the moment it can crack hashes of lowercase letters and/or numbers up to 8 characters long. The cracking service is free. If you are interested you can check out the site here: http://passcracking.com
There have since been discussions on whether this site might fall victim to the slashdot effect. - So it might be interesting to watch it. (see [appsec-research] list)

Friday, July 02, 2004
The Jericho Forum and the CSO Interchange
The Jericho Group is up to something good and has an excellent presentation on this decade's security challenges with interesting statistics. Really good stuff. (Maybe a tiny bit elitist.. =) ) Some links:
The NetworkWorldFusion article also has the following graph: