Infosecurity.US

Information Security & Occasional Forays Into Adjacent Realms

NIST Releases Revision 2, Guide to Industrial Control Systems (ICS) Security

June 09, 2015 by Marc Handelman in All is Information, Governance, Hardware Security, ICS, ICS/SCADA, Information Security

The National Institute of Standards and Technology (NIST) has announced the release of Special Publication 800-82, Revision 2, Guide to Industrial Control Systems (ICS) Security. Outstanding.

Litchfield Unleashes Database Security Scorecard →

June 08, 2015 by Marc Handelman in Application Security, All is Information, Data Driven Security, Database Security, Information Security

via El Reg's Darren Pauli comes good news from David Litchfield, this time in the form of a newly authored security product targeting the built-in security issues within Oracle Corporation's (NYSE: ORCL) DBMS. Outstanding.

DevSecOps Edition, 10+ Hours of Information Security + DevOps Video →

June 04, 2015 by Marc Handelman in All is Information, Application Security, Automation, Code, DevOps, Information Security, Education, DevSecOps

The kind folks at DevOps have made their video collection of HD quality Security DevOps content from RSAC 2015 available (with the only catch of a registration form). Highly recommended.

'DevOps Connect was co-produced by DevOps.com and Sonatype, through the Nexus Community Project. The day started with a keynote delivered by Gene Kim and Joshua Corman, setting the stage for 13 more presentations.' - via DevOps' Alan Shimel

House of Drafts →

June 04, 2015 by Marc Handelman in All is Information, Blatant Stupidity, Information Security, Security Failure

via AlienVault's Russ Spitler comes a tale of problematic security hygiene within customer instances at Amazon Web Services. This time, evidenced and bolstered by empirical research, the AlienVault researchers discovered "there is a good chunk of the EC2 users who left their front door open".

I am fascinated with AlienVault's findings (consider for a moment that the issues are customer-based, within their respective virtual environs); the scenario boggles.

Then, there are the recently published Amazon Web Services SOC 1, 2 and 3 Reports (acronym definition: SOC - Service Organization Control). SOC 1 is one of the component reports that comprise the awkwardly monikered SSAE 16/ISAE 3402 artifact. Of these, the SOC 1 and SOC 2 Reports are available to Amazon Web Services customers upon request, whilst the SOC 3 report is available to the public on demand. In this case, the SOC 3 report targets the WebTrust and SysTrust reviews. SysTrust is germane to the AlienVault research, as it encompasses the standard information security tenets of Integrity, Availability, Security and Confidentiality; of which, apparently, many customers of the AWS EC2 product are blissfully unaware (at least those that are running the offending listeners).

Charlie Miller Keynote - OWASP 2015 →

June 03, 2015 by Marc Handelman in All is Information, Education, Information Security

Tallinn 2.0 and the PRC →

June 03, 2015 by Marc Handelman in Electronic Warfare, National Security, All is Information, NATO CCDCoE, Cyberwar

If you read anything today focusing on warfare in the electronic realm, read the Lawfare blog's Ashley Deeks posting on this year's Tallinn-based NATO CCDCoE CyCon 2015 confab. In particular, a Chinese academic's take on cyber jus ad bellum and jus ad bellum criteria to wage war, as targeted by Tallinn 2.0. Fascinating.

Neil's Spiel →

May 29, 2015 by Marc Handelman in All is Information, Data Security, Infosec Policy, Information Security, Government, Social Engineering

Microsoft, SIR

May 28, 2015 by Marc Handelman in All is Information, Information Security, Intelligence

Just getting around to examining the Microsoft Corporation (NasdaqGS: MSFT) Security Intelligence Report (SIR)... Now in its eighteenth volume, the SIR is typically well-wrought, and might be considered pithy.

It Ain't Big, It's Large... Security Analytics →

May 27, 2015 by Marc Handelman in All is Information, Alternate Attack Analysis, Information Security, SEIM

PenTesters Framework Released →

May 27, 2015 by Marc Handelman in All is Information, Information Security, Penetration Testing, GitHub

News, via TrustedSec, of the release of the latest version of the eponymous PenTesters Framework (written by David Kennedy, CEO of TrustedSec). Download the PTF at GitHub or clone the project (git clone https://github.com/trustedsec/ptf). Enjoy.

Iudicium Securitatem, Quod McAfee →

May 26, 2015 by Marc Handelman in All is Information, Security Opinion

Behold, John McAfee's take on the greatest security challenge of our time...

Ah... The Nineties! →

May 26, 2015 by Marc Handelman in All is Information, Security Flaws, Network Security, Networks

Gotta love the '90s... Regardless of that affection, avoid, if you will, blasts from the past such as this newly reported flaw via Peter Bright (writing at Ars Technica), with tinges of that bygone decade... Read it and weep.

Information Security, Georgian →

May 22, 2015 by Marc Handelman in All is Information, Government, Information Security

Combo Breaker →

May 22, 2015 by Marc Handelman in All is Information, Lock Picking, Locks, Information Security

via TechnoBob's Lambert Varias comes news of the astounding Arduino-based automated combination-lock breaker hand-crafted by Samy Kamkar.

"The Combo Breaker can guess all three numbers on its own within a few minutes, but if you manually find the first number that makes the dial get stuck when you pull on the shackle, then Samy’s device can open the Master combination lock within 30 seconds, using a maximum of only eight attempts. To be more precise, Samy’s technique will give you the exact first and third numbers of the combination, plus eight possible second numbers." - via TechnoBob's Lambert Varias

Wetware Outnumbered →

May 21, 2015 by Marc Handelman in All is Information, Automation, Information Security, Robots, Software Entities, Wetware, Software

Maria Korolov, writing at CSO, tells the tale of software robotic entities, which now, apparently, outnumber wetware entities on the interwebs.

Devil in the Haystack →

May 20, 2015 by Marc Handelman in All is Information, Application Security, Data Security, Information Security

For Gizmodo, The Information Age Is Over →

May 20, 2015 by Marc Handelman in All is Information, Information Sciences, Information Security

Yes, the Information Age is supposedly kaput... Bid a Hearty Welcome to the Infrastructure Age; if Gizmodo is to be trusted with the proverbial crystal ball, that is.

Evidently, they are unaware that everything is, of course, information...

BSides Knoxville, I've Met the Enemy and It Is Us →

May 19, 2015 by Marc Handelman in All is Information, Defending Networks, Information Security, BSides
Image courtesy of 401(K) 2012 @ flickr.com

Rules of Irari →

May 19, 2015 by Marc Handelman in All is Information, Information Security

Ira Winkler and Araceli Treu Gomes' rebuttal of the critics of the Irari Rules. Today's Must Read.

The Eight Irari Rules:

  • The malware used should have been detected.
  • The attack exploited vulnerabilities where a patch was available.
  • Multifactor authentication was not in use on critical servers.
  • Static passwords were used in attacks on critical servers.
  • If phishing was involved, there was no awareness program in place that went beyond phishing simulations and computer-based training.
  • Detection mechanisms that could have stopped the attack in progress were not in place or were ignored.
  • There was poor network segmentation that allowed the attackers to jump from low-value networks to critical systems.
  • User accounts that were compromised had excessive privileges.

via Ira Winkler and Araceli Treu Gomes, 'The Irari Rules for Declaring a Cyberattack "Sophisticated"', Computerworld, Apr 22, 2015 8:10 AM PT

Top Ten List of Most Exposed Software →

May 18, 2015 by Marc Handelman in All is Information, Blatant Stupidity, Cruft, Information Security, Infosec Competence

via Anthony M. Freed, writing at InfosecIsland, comes this unfortunate and unsurprising story of the top ten exposed applications currently on a majority of computational devices hereabouts, and the ramifications thereof.
