Friday, September 3, 2010

Accelerate video search with Vitamin D

This is a simple solution that turns a computer into a tool that significantly accelerates your physical surveillance video search, from hours to minutes. Free to try, and $200 for a 16-video solution (either via USB or IP camera).

http://www.vitamindinc.com/

Sunday, August 22, 2010

Monday, August 16, 2010

Data Sanitization: DOD 5220.22-M vs NIST SP 800-88



If you compare the spec of DOD 5220.22-M (a three-pass overwrite) with NIST SP 800-88 (which accepts a single overwrite pass or the drive's built-in Secure Erase command), you will notice that NIST offers the same level of security and provides a significant speed advantage.

http://cmrr.ucsd.edu/people/Hughes/DataSanitizationTutorial.pdf

Time: from days to hours (could be days to minutes in the case of cryptographic erasure, if your drive is a self-encrypting drive that supports it).


The catch, of course, is that the drive has to have been made in 2001 or later, and the Secure Erase command is only mandatory for ATA drives; for SCSI, implementation may be optional. I think a hybrid approach may work...

Use the NIST method (Secure Erase) first, and when it fails (due to lack of command support), apply the DOD 5220.22-M overwrite as a backup.

http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml
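Here is the hybrid approach as a script. This is an added example, not code from the post or from the CMRR page; it assumes Linux with hdparm and GNU coreutils, a whole-disk device such as /dev/sdb, and it decides the method by matching strings in hdparm's human-readable output, which is a heuristic rather than a documented interface. The hdparm sample text below is constructed for the check at the end, not captured from a real drive.

```shell
#!/bin/sh
# Hybrid drive sanitization: try the ATA Secure Erase command (the method
# NIST SP 800-88 accepts) and fall back to a multi-pass overwrite when the
# drive does not support it. Added example; assumes Linux with hdparm and
# GNU coreutils, and a whole-disk device path such as /dev/sdb.

# Decide which method a drive supports from the text of `hdparm -I`
# (read on stdin). String matching on hdparm's human-readable output
# is a heuristic, not a documented interface.
# Prints one of: enhanced, secure, frozen, overwrite
choose_method() {
    info="$(cat)"
    # The "SECURITY ERASE UNIT" timing line only appears when the drive
    # implements the ATA security feature set (ATA drives from 2001 on).
    if ! printf '%s\n' "$info" | grep -q 'SECURITY ERASE UNIT'; then
        echo overwrite
        return 0
    fi
    # Many BIOSes freeze the security state at boot, and Secure Erase then
    # fails. hdparm prints "not frozen" when the command can be issued;
    # a suspend/resume cycle or hot-plug usually unfreezes the drive.
    if printf '%s\n' "$info" | grep -v 'not' | grep -q 'frozen'; then
        echo frozen
        return 0
    fi
    if printf '%s\n' "$info" | grep -q 'supported: enhanced erase'; then
        echo enhanced        # enhanced mode also covers reallocated sectors
    else
        echo secure
    fi
}

# Fallback: three-pass overwrite in the DOD 5220.22-M style. shred picks
# its own patterns; use dd with 0x00, 0xFF and /dev/urandom passes if the
# auditor requires the exact DOD sequence (pattern, complement, random).
overwrite_3pass() {
    shred -v -n 3 "$1"
}

# DESTROYS ALL DATA on "$1". Requires root. Nothing below runs by itself.
erase_disk() {
    dev="$1"
    method="$(hdparm -I "$dev" | choose_method)"
    case "$method" in
        enhanced|secure)
            # Secure Erase needs a user password set first; the drive
            # clears it again when the erase completes.
            hdparm --user-master u --security-set-pass wipe "$dev" || return 1
            if [ "$method" = enhanced ]; then
                hdparm --user-master u --security-erase-enhanced wipe "$dev"
            else
                hdparm --user-master u --security-erase wipe "$dev"
            fi
            ;;
        frozen)
            echo "$dev: security state is frozen; suspend/resume and retry" >&2
            return 2
            ;;
        overwrite)
            overwrite_3pass "$dev"
            ;;
    esac
}

# Constructed samples of the Security section of `hdparm -I`, used for
# the dry run below (not captured from real drives).
SAMPLE_ENHANCED='Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
        not     frozen
        not     expired: security count
                supported: enhanced erase
        2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.'
SAMPLE_FROZEN='Security:
                supported
        not     enabled
                frozen
        2min for SECURITY ERASE UNIT.'
SAMPLE_NONE='Security:
        Master password revision code = 65534
        not     supported'

# Dry run against the constructed sample (prints "enhanced"):
printf '%s\n' "$SAMPLE_ENHANCED" | choose_method
```

Run `hdparm -I /dev/sdX | choose_method` before scheduling a wipe so the "frozen" case surfaces early; a frozen drive is the most common reason Secure Erase "does not work". For SAS/SCSI drives the equivalent commands are `sg_sanitize` or `sg_format` from sg3_utils, and as the post notes, support there is optional, so the overwrite fallback matters more.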

Tuesday, August 10, 2010

Free Training: State of California Privacy Training course (PowerPoint)

http://www.cio.ca.gov/OIS/Government/privacy/default.asp

PodCast: Cloud Computing: The Case for Security Certification

Jim Reavis from the Cloud Security Alliance is interviewed in this Bank Info Security podcast.

Key takeaways:

The common public cloud scenario: a CPU-intensive farm that needs to scale up quickly.

The common private cloud scenario: a traditional setup of physical machines, typical of the financial industry.

CCSK Certification for Security Professional:  http://www.cloudsecurityalliance.org/certifyme.html

Beyond Identity Fraud.... Business Identity Fraud via ACH

http://www.bankinfosecurity.com/articles.php?art_id=2829&rf=2010-08-09-eb

It is time to make sure your finance department takes steps to protect the ACH account numbers.
Several banks have deployed extra client-side software to further protect the browser and its connection to the server.

Monday, August 9, 2010

Free Training: OWASP

In my search to train my developers to be aware of OWASP standards, I have located some good and free resources:



The Google training should have 3 parts (3 hours total).



A newer one, 2 hours total.


Now the only part you need is a good system to document that your end users have viewed the video and taken a quick quiz, for your compliance / audit purposes :)


Netcraft News: Firefox security test add-on was backdoored

If you are using Mozilla Sniffer, you had better uninstall it! This is insane: attacking the pen-tester's tool!

2010 Application VTA Tool Comparison

The report came out in February 2010, a must-read if you are in the market for a VTA tool:

It seems that, after reading the Burp Pro post, Cenzic's Hailstorm is the top automated tool and beats out IBM's AppScan and HP's WebInspect.




Sunday, August 8, 2010

2010 Data Breach Investigations Report Released by Verizon

I am very happy that we chose to use Verizon / CyberTrust this year for my company's third-party VTA.

Interesting stats (change from the previous report in parentheses):

48% involved privilege misuse (+26%)
40% resulted from hacking (-24%)
38% utilized malware (no change)
28% employed social tactics (+16%)
15% comprised physical attacks (+6%)


blog post here: http://securityblog.verizonbusiness.com/2010/07/28/2010-dbir-released/



Out-of-band patch for .LNK vulnerability | SecuraBit

Is it just me, or how come Symantec does not have a definition for Sality.AT or Sality-AT?


Securing password resets in web apps | SecuraBit

A must-read on how to properly design a secure password reset for your web application:


A high-level summary is:

Never send the password by email; instead send a reset link to the account's email address, with a CAPTCHA check on the request, and include the IP address of the requestor in the message.

Make sure the password reset link is cryptographically random (not derived from a predictable seed such as the time or user ID), and give it a short expiration time.

On clicking the reset link, make the user answer a challenge-response secret question.

Make the user sign on again after the password reset (instead of auto-login), and send an email to notify the account owner that the password has been successfully reset.
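The checklist above as working code, so the pieces can be seen together: a reset service that mails a link rather than a password, stores only a hash of a CSPRNG token with a short expiry, records the requester IP, makes the token single-use, drops existing sessions so the user must sign on again, and sends the completion notice. This is an added example, not SecuraBit's code; the in-memory dictionaries, the `https://example.invalid` link, the fixed password salt and the constructed addresses are placeholders for a real application, and the CAPTCHA and secret-question steps are marked where they would go rather than implemented.

```python
"""Password-reset flow following the SecuraBit checklist. Added example,
not SecuraBit's code; stores and URLs are placeholders for a real app."""
import hashlib
import re
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL = 15 * 60          # seconds; keep reset links short-lived
RESET_URL = "https://example.invalid/reset?token="   # placeholder link
NEUTRAL_REPLY = "If that address is registered, a reset link has been sent."


@dataclass
class ResetRecord:
    token_hash: str          # only the SHA-256 of the token is stored
    user_id: str
    requester_ip: str
    expires_at: float
    used: bool = False


def _hash_token(token: str) -> str:
    # A leaked reset table must not yield usable links, so store a hash.
    return hashlib.sha256(token.encode()).hexdigest()


def _hash_password(password: str) -> bytes:
    # Toy storage: real code keeps a per-user random salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"static-salt", 100_000)


class PasswordResetService:
    def __init__(self, users, now=time.time):
        self.users = dict(users)                  # email -> user_id
        self.emails = {u: e for e, u in self.users.items()}
        self.passwords = {}                       # user_id -> password hash
        self.sessions = {}                        # user_id -> set of session ids
        self.records = {}                         # token_hash -> ResetRecord
        self.outbox = []                          # (to, subject, body) "sent" mail
        self.now = now                            # injectable clock for tests

    def request_reset(self, email: str, requester_ip: str) -> str:
        """Step 1: mail a reset link (never the password) to the account
        address. The CAPTCHA check would sit in front of this call. The
        reply is identical for unknown addresses so the form cannot be
        used to enumerate accounts."""
        user_id = self.users.get(email)
        if user_id is not None:
            token = secrets.token_urlsafe(32)     # CSPRNG, not a predictable seed
            self.records[_hash_token(token)] = ResetRecord(
                _hash_token(token), user_id, requester_ip, self.now() + TOKEN_TTL)
            self.outbox.append((email, "Password reset request",
                f"Reset link (valid {TOKEN_TTL // 60} minutes): {RESET_URL}{token}\n"
                f"Requested from IP {requester_ip}. If this was not you, ignore this mail."))
        return NEUTRAL_REPLY

    def consume(self, token: str, new_password: str) -> bool:
        """Step 2: the link is clicked. The secret-question challenge would
        be verified here before the password changes. Returns False for
        unknown, expired or already-used tokens."""
        rec = self.records.get(_hash_token(token))
        if rec is None or rec.used or self.now() > rec.expires_at:
            return False
        rec.used = True                           # single use
        self.passwords[rec.user_id] = _hash_password(new_password)
        self.sessions.pop(rec.user_id, None)      # no auto-login: force a fresh sign-on
        self.outbox.append((self.emails[rec.user_id], "Your password was reset",
            "Your password was changed just now. If this was not you, contact support."))
        return True


def link_token(email_body: str) -> str:
    """Pull the token back out of a reset mail (for the check below)."""
    return re.search(r"token=(\S+)", email_body).group(1)


if __name__ == "__main__":
    svc = PasswordResetService({"alice@example.invalid": "u1"})   # constructed user
    svc.request_reset("alice@example.invalid", "198.51.100.7")
    tok = link_token(svc.outbox[0][2])
    print(svc.consume(tok, "correct horse battery staple"), svc.consume(tok, "again"))  # True False
```

Two details worth keeping when adapting this: the neutral reply from `request_reset` is what stops the reset form from doubling as a username oracle, and invalidating sessions on a successful reset is what makes the "sign on again" rule actually evict an attacker who already holds a session.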


Brand audit for yourself and your Security Department

One of my takeaways from the Cornerstones of Trust 2010 Conference is a session by JJ Thompson of Rook Security called "Renaissance Security Pro Techniques for Today's Privacy and Security Challenges".

Mr. Thompson recommends doing a periodic brand audit on yourself and your own Security department, as there is often a difference between what you strive to be and what you are perceived to be. Since the world judges you based on the collective perception, it makes sense to make sure we are always on target. He recommends Rypple, a web app designed for product brand audits. Give it a try and post back here.


Career Advice for Information Security Professional

I had a great session at Black Hat 2010 in Las Vegas with a recruiting firm based on the East Coast that offered some interesting insight into the career path of the InfoSec professional.

http://www.infosecleaders.com/

One of the best pieces of advice is to start writing a blog or articles in the industry you want to grow in.

W3AF will be available on Rapid 7 soon

This could be a very interesting combination:

http://www.rapid7.com/news-events/press-releases/2010/2010-w3af.jsp