News 

03-11-2010 9:07
New IE Zero-Day Exploit (CVE-2010-0806)

Hot on the heels of this month’s security bulletin, a new vulnerability exploit surfaces with a malware in tow. The new zero-day vulnerability, as described in a previous post, prompted Microsoft to release Security Advisory (981374) while investigations are still underway. This Internet Explorer (IE) vulnerability exists due to an invalid pointer reference bug within IE, which, under certain conditions, c >>

trendmicro

03-09-2010 16:43
On the Risk of Overfocusing on Seductive Details

Learning about security means understanding types of risk, and investors, specifically value investors, have a long demonstrated track record of framing ways to think about asset protection and making it actionable. Recently I've been reading James Montier, very impressed with his approach which is based on a pretty rigid process and objective checklists, here is an excerpt from a recent interview:

Miguel: Let’s talk about the concept of seductive details…can y >>

1raindrop

03-10-2010 15:51
Bejtlich OWASP Podcast Posted
My appearance on OWASP Podcast 61 is available.

The .mp3 is 36 MB. Thanks to Jim Manico for inviting me to participate.

We recorded the podcast in late January. Jim asked me the following questions:
Would you care to tell us how did you get into IT and what led you into a career in information security? What keeps you busy these days?
What's the difference between focusing on threats vs focusing on vulnerabilities?
What is your problem with the "protect the data" mi >>



03-10-2010 11:08
Sergey Bratus on Learning from Hackers

I just saw Sergey Bratus’s talk at TROOPERS 10. He’s an interesting guy, and his talk was good. He’s a CS professor at Dartmouth, and he’s actually making an effort, on behalf of the academic community, to inject some genuine security clue into the education of CS students. He obviously has a tough topic to address, but he looks like he’s on the right track to me.

One thing he pointed out is that a lot of vulnerabilities over the years have actually resulted from the accident >>



03-10-2010 7:05
About the 'Rugged' Initiative
As most of the readers on my blog would be knowing, the Security experts in February launched a new effort to ensure software is written from the ground up with security in mind -- a philosophy and message they're aiming at people outside of the security industry.

The Rugged Software Development initiative is basically a foundation for creating resilient software that can stand up to attackers while performing its business or other functions.

"It's more of "a value system" for writ >>



03-10-2010 5:41
Are URL shorteners really dangerous?
There has been plenty of buzz about URL shorteners and security. URL shorteners have been described as a new attack vector since being popularized by social networks such as Twitter. I don't feel that URL shorteners are any more of a threat than their full length counterparts and here's why...

How URL shorteners work

The purpose of a URL shortener is to replace a long URL (e.g: http://www.zscaler.com/downloadwhitepaper_stateofweb-q4-2009.html) with a shorter one (e >>

Feedproxy Security

03-09-2010 18:27
Three Steps to a Rational Security Budget

Security budgets are often based on a combination of last year's spending, this year's threat du jour(s), and "best" practices, i.e. what everyone else is doing. None of these help to address the main goal of information security which is to protect the assets of the business. The normal security budgeting process results in overspending (as a percentage) on network security, because that's how the budget grew organically starting from the 90s.

A simple three ste >>

1raindrop

03-08-2010 22:49
Expert to Decrypt TLS/SSL Traffic

One of the most popular requests we've had is to provide a way to view encrypted traffic. The new Decryption expert aims to solve this problem for TLS/SSL traffic.

Using the Decryption Expert

The purpose of encrypting data in the first place is to hide private information from a third party who has intercepted your network traffic. At first the ability to decrypt this traffic might seem like a violation of this tenet. However, in order to decrypt the traffic you will need to acquire >>

Technet

03-10-2010 23:38
Let’s talk about the End in End-to-End Trust, or the Human Being
Let’s talk about End in End-to-End Trust, or, in other words, the Human Being. Focus on the human subject – the beneficiary of technology. We’re pretty good at dealing with everything from the digital perimeter through to the protected resources the person wants to access. But the big problem, the very old problem, that we’ve made little progress in solving, is reliably and confidently authenticating the person to the digital perimeter. Let’s keep in mind the kind of attacks on informat >>

Feedproxy Security

03-10-2010 21:55
Noted cryptographer on SSL, encryption and cloud computing
Cryptographer, Taher Elgamal of Axway Inc., the inventor and initial driving force behind SSL, explains how applications may be better adapted to defend against attacks.
 >>

Feedproxy Security




