Hacking the Counter-Hackers
This article over on Computerworld about the iSec guys who have found vulnerabilities within EnCase and the Sleuth Kit poses a fairly interesting question about the utilities used by security professionals. How much do these sorts of issues really impact upon your ability to present evidence to management, or even worse, in court?
Many corporate environments require new or unknown software to go through a degree of assessment before people install and run it, to ensure that the software doesn’t contain any known vulnerabilities or have a history of exploitation. Would a defense lawyer really pick apart these sorts of issues in forensic acquisition/analysis tools to discount evidence presented in court? I guess it probably depends on how expensive the lawyer is. What doesn’t help is that the situation will probably be blown out of proportion by all the media that will surround the news report and the associated black-hat exposé features.
How much do these software vulnerabilities impact upon the tool’s ability to perform its intended duty? From what I read and understood, not a hell of a lot. It’s like arguing in court that because MS Windows XP, the underlying operating system used by security investigators, has a long history of exploitation, no evidence examined on a Windows XP system holds any merit.
This article reminds me a little of some research I did back at university on potential issues with forensic examination of PalmOS devices, where the images acquired are constantly changing due to the nature of volatile memory.
I guess this will probably blow over. Interesting nonetheless.
Posted by Christian
Posted in: Profession, Security
1 Comment »
26 July 2007
The Real Root CA
So I was walking to get a coffee the other day and passed this church which had a sign out front that stated:
If you can’t trust God
You can’t trust anyone.
It got me thinking about trust and relationships, not just personal but professional and even security relationships. Trust is an interesting concept. How do we ever trust other people? Is it human instinct to want to trust people naturally, or is it a cultural instinct that differs from region to region? Obviously the family tree carries with it a certain level of trust: we implicitly trust our parents, the same way a child Certificate Authority trusts its parent.
Later on that week I was talking to a colleague about the sign and about how putting that in context of security and CAs was kind of funny. He agreed and replied (and I’ll paraphrase): So that’s it! Verisign must have God on the payroll.
Posted by Christian
Posted in: Security
No Comments »
24 July 2007
Developing Secure Code
I bookmarked this article quite a while back and only now got around to reading it. The 8 Simple Rules for Developing More Secure Code by Michael Howard over on MSDN is a list of habits of secure developers. I know it’s a little old now, but oh well.
Paraphrased to:
- Take responsibility for your code
- Never trust data
- Use threat modelling against your code
- Stay one step ahead - i.e. keep up to date with emerging vulnerabilities and threats
- Use fuzz input testing
- Don’t write insecure code (I found this point rather over-arching but his comments are good)
- Recognise the strategic asymmetry - an attacker can spend far more dedicated time looking for weaknesses than you can spend making your code 100% secure
- Use the best tools you can
What I like about Michael’s list is that it is applicable to any software development environment using any methodology, from PHP apps developed by a sole developer for a small company to large, multi-tier, thick-client apps developed by a team of developers. It’s all good.
Posted by Christian
Posted in: Computers, Profession, Security, Web Development
2 Comments »
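Two of the habits in the list above, never trusting data and fuzz testing your own input handling, are easier to see in code than in a bullet point. The following is an added example written for this post; it is not Michael Howard’s or MSDN’s code. It assumes a hypothetical record format of `key=value` pairs separated by semicolons, parses it strictly (length limit, ASCII only, identifier-style keys, no control characters, no duplicate keys), and then throws mutated inputs at the parser to check that it only ever fails with the documented `ValueError`. Any other exception escaping the parser is counted as a bug.

```python
"""Added example (not Michael Howard's or MSDN's code): a strict parser for an
untrusted "key=value;key=value" record, plus a tiny mutation fuzzer that checks
the parser only ever rejects input with the documented ValueError."""
import random
import re

# Hypothetical record grammar: ASCII only, keys are identifiers, values printable.
_KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,31}$")
MAX_RECORD_LEN = 1024


def parse_record(raw: bytes) -> dict:
    """Parse untrusted bytes; reject anything outside the grammar with ValueError."""
    if len(raw) > MAX_RECORD_LEN:
        raise ValueError("record too long")
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("non-ASCII byte in record") from None
    result = {}
    for field in text.split(";"):
        if not field:                      # tolerate an empty field / trailing ';'
            continue
        key, sep, value = field.partition("=")
        if not sep or not _KEY_RE.match(key):
            raise ValueError(f"malformed field: {field!r}")
        if any(ch < " " or ch == "\x7f" for ch in value):
            raise ValueError("control character in value")
        if key in result:
            raise ValueError(f"duplicate key: {key}")
        result[key] = value
    return result


def fuzz(iterations: int = 2000, seed: int = 1) -> int:
    """Mutate constructed seed inputs; return the number of unexpected exceptions."""
    rng = random.Random(seed)
    seeds = [b"user=alice;role=admin", b"a=1;", b""]   # constructed sample inputs
    unexpected = 0
    for _ in range(iterations):
        buf = bytearray(rng.choice(seeds))
        for _ in range(rng.randint(0, 8)):
            op = rng.randint(0, 2)
            if op == 0 and buf:                          # overwrite one byte
                buf[rng.randrange(len(buf))] = rng.randrange(256)
            elif op == 1:                                # insert a byte
                buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
            elif op == 2 and buf:                        # delete a byte
                del buf[rng.randrange(len(buf))]
        try:
            parse_record(bytes(buf))
        except ValueError:
            pass                                         # documented rejection
        except Exception:                                # anything else is a bug
            unexpected += 1
    return unexpected


if __name__ == "__main__":
    print(parse_record(b"user=alice;role=admin"))
    print("unexpected exceptions:", fuzz())
```

The point of the harness is the last `except`: a parser that is allowed to raise anything on bad input has no contract a caller can rely on, and the fuzz loop is what tells you whether the contract holds for inputs you did not think of.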
22 July 2007
More than you want to know about DNS Pinning
Another Christian just posted this article on DNS pinning. Really interesting read. I can’t help but find these sorts of vectors really worrying: vulnerabilities that allow external parties to access internal material (i.e. the intranet) from the vantage point of an internal user.
Combine this with some of the nifty functionality available in the AttackAPI from GNUCitizen and you have some pretty powerful tools.
How many web developers in your organisation know about this stuff?
Posted by Christian
Posted in: Security
No Comments »
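One thing an intranet developer can do about the rebinding problem described in the post above is to make the server refuse requests that do not name it: a request that reaches the intranet service through a rebound hostname still carries the attacker’s domain in its `Host` header. The following is an added example written for this post, not code from the linked article, GNUCitizen or AttackAPI. It assumes hypothetical internal hostnames and packages the check as WSGI middleware so it can sit in front of any Python web app.

```python
"""Added example (not from the DNS pinning article, GNUCitizen or AttackAPI):
a server-side Host header allow-list for an intranet service, as WSGI middleware.
The hostnames below are assumptions made for the example."""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"intranet.example.internal", "wiki.example.internal"}  # assumed names


def host_is_trusted(host_header, allowed=ALLOWED_HOSTS):
    """True only if Host (optionally with :port) names one of our own hostnames."""
    if not host_header:
        return False
    value = host_header.strip()
    if any(ch in value for ch in "/?#@\\ "):      # not a bare host[:port]
        return False
    try:
        parts = urlsplit("//" + value)           # handles [v6]:port, lower-cases name
        hostname, port = parts.hostname, parts.port
    except ValueError:                           # non-numeric or out-of-range port
        return False
    if hostname is None:
        return False
    return hostname in {h.lower() for h in allowed}


def require_trusted_host(app, allowed=ALLOWED_HOSTS):
    """WSGI middleware: answer 421 to any request whose Host header is not ours."""
    def wrapped(environ, start_response):
        if not host_is_trusted(environ.get("HTTP_HOST"), allowed):
            start_response("421 Misdirected Request",
                           [("Content-Type", "text/plain; charset=utf-8")])
            return [b"unrecognised Host header\n"]
        return app(environ, start_response)
    return wrapped


def _intranet_app(environ, start_response):
    """Stand-in for the protected intranet application."""
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8")])
    return [b"internal wiki front page\n"]


def status_for(host_header):
    """Drive the protected app with a constructed request; return the HTTP status."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "SERVER_NAME": "localhost"}
    if host_header is not None:
        environ["HTTP_HOST"] = host_header
    list(require_trusted_host(_intranet_app)(environ, start_response))
    return captured["status"]


if __name__ == "__main__":
    for h in ("intranet.example.internal", "WIKI.example.internal:8080",
              "attacker.example", "10.0.0.5", None):
        print(f"{h!r:34} -> {status_for(h)}")
```

The allow-list is compared against the parsed hostname, so case and an explicit port do not matter, while raw IP literals and anything that is not a bare `host[:port]` are refused. Over HTTPS a certificate issued only for the internal name gives the same guarantee at the TLS layer; this check is the equivalent layer for plain HTTP and for apps that cannot rely on the front-end proxy doing it.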
3 July 2007
Mainframe Security
I really enjoyed reading Andrew’s article on “The Mainframe Conundrum” and would highly recommend that anyone else in IT in the financial sector, or other critical infrastructure areas, read it too.
Since starting my new job this sort of issue has definitely come up on a number of occasions. It is not always directly linked to problems with applying security concepts to legacy systems (or the people who support them); in fact it more often involves general IT people who don’t understand the insider risk. In any case, similar to what Andrew discusses, these types of problems can be tackled by effective awareness, training and support.
Posted by Christian
Posted in: Profession, Security
No Comments »
1 July 2007