This is a simple solution that turns a computer into a tool that significantly accelerates your physical surveillance video search, from hours to minutes. Free to try, and $200 for a 16-video solution (either via USB or IP camera).
http://www.vitamindinc.com/
A blog about how to improve Enterprise Security via best practice in Policy / Compliance / Control
Friday, September 3, 2010
Sunday, August 29, 2010
Possible update to California Data Privacy law
http://www.bankinfosecurity.com/articles.php?art_id=2866&rf=2010-08-28-eb
One may need to update their notification policy.
Thursday, August 26, 2010
Sunday, August 22, 2010
Salesforce offers AppExchange members Burp Suite Pro and a training video
not bad :)
Training video:
http://vimeo.com/11553558
How to get the Burp Pro license:
http://security.force.com/webappscanner
Save $200 a year if you are already an AppExchange member.
Saturday, August 21, 2010
Comment from Burp Pro on the latest shoot-out of application scanners
http://blog.portswigger.net/2010/06/comparing-web-application-scanners-part.html
The UCSD report has a very interesting dominance graph. It seems the winners are Burp Pro and WebInspect, which score pretty well (among the top 4 out of 13).
Black Hat 2010 Webcast Wrap-up - Free
https://www2.gotomeeting.com/register/383863867
Python attack tool docs:
http://hexsec.com/docs/
GDS Burp API:
http://mwielgoszewski.github.com/burpee/
Webinar / Training - Free - Stanford Strategic Decision & Risk Management
http://strategicdecisions.stanford.edu/onDemandWebinars.htm
Reviewing it now.
Thursday, August 19, 2010
Intel acquires McAfee
Looks like more consolidation in the security world...
http://newsroom.intel.com/community/intel_newsroom/blog/2010/08/19/intel-to-acquire-mcafee
RIM and Encryption
So what side are you on?
http://www.reuters.com/article/idUSTRE67151F20100812?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+reuters%2FbusinessNews+%28News+%2F+US+%2F+Business+News%29
This goes on to say: run your own BES server :) or one day the government will have your email.
Tuesday, August 17, 2010
Monday, August 16, 2010
Data Sanitization: DOD 5220.22-M vs NIST 800-88
If you compare the spec of DOD 5220.22-M with NIST 800-88, you will notice NIST offers the same level of security and provides a significant speed advantage.
http://cmrr.ucsd.edu/people/Hughes/DataSanitizationTutorial.pdf
Time: from days to hours (could be days to minutes in the case of encrypted secure erase, if your drive has the encryption option).
The trick, of course, is that the drive has to be made in 2001 or after, and the command is only officially mandated for ATA drives; SCSI implementation may be optional. I think a hybrid approach may work...
Use NIST first; when it fails (due to lack of command support), apply DOD 5220.22-M as a backup.
http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml
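The hybrid approach above as an added example (not from the post or the CMRR page): a decision routine that reads the security section of `hdparm -I` output and picks ATA Enhanced Secure Erase, plain Secure Erase, or the overwrite fallback, also handling the frozen-drive case where the command is refused. The sample output is constructed with spaces instead of hdparm's tabs, and the pass count and write throughput used to estimate the fallback time are assumptions.

```python
import re

# Constructed sample of `hdparm -I /dev/sdX` output (layout follows the real tool;
# values are made up): a 2 TB drive that supports enhanced erase and is not frozen.
SAMPLE_MODERN = """\
        device size with M = 1000*1000:     2000398 MBytes (2000 GB)
Security:
        Master password revision code = 65534
                supported
        not enabled
        not locked
        not frozen
        not expired: security count
                supported: enhanced erase
        more than 508min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
"""

OVERWRITE_PASSES = 3      # assumed pass count for the DOD 5220.22-M style fallback
OVERWRITE_MB_PER_S = 100  # assumed sustained write throughput of the drive

def choose_erase_method(hdparm_output: str) -> dict:
    """Decide the sanitization path from a drive's reported ATA security feature set.

    Preference: ENHANCED SECURITY ERASE UNIT, then SECURITY ERASE UNIT, then a
    multi-pass overwrite when the drive lacks the command or is frozen (a frozen
    drive rejects security commands until the next power cycle)."""
    size = re.search(r"device size with M = 1000\*1000:\s+(\d+) MBytes", hdparm_output)
    size_mb = int(size.group(1)) if size else 0
    overwrite_min = OVERWRITE_PASSES * size_mb / OVERWRITE_MB_PER_S / 60
    fallback = {"method": "overwrite", "est_minutes": round(overwrite_min, 1)}
    _, sep, sec = hdparm_output.partition("Security:")
    if not sep:
        return {**fallback, "reason": "no ATA security section reported"}
    # normalise each flag line so tab- and space-separated output compare equal
    flags = {re.sub(r"\s+", " ", line.strip()) for line in sec.splitlines()}
    if "supported" not in flags:                 # bare "supported", not "not supported"
        return {**fallback, "reason": "ATA security feature set not supported"}
    if "frozen" in flags:
        return {**fallback, "reason": "drive is frozen; unfreeze or fall back to overwrite"}
    if "supported: enhanced erase" in flags:
        method, label = "enhanced_secure_erase", "ENHANCED SECURITY ERASE UNIT"
    else:
        method, label = "secure_erase", "SECURITY ERASE UNIT"
    timing = re.search(r"(?:more than )?(\d+)min for " + label, sec)
    return {"method": method, "est_minutes": int(timing.group(1)) if timing else None,
            "reason": f"drive reports {label}"}
```

For the sample drive the routine reports a 2-minute enhanced erase against an estimated 1000 minutes for the three-pass overwrite, which is the speed difference the post describes.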
Saturday, August 14, 2010
Security Tube
no lube!
http://www.securitytube.net/Default.aspx
Now how do I get CPE credit for spending time on this site?
Black Hat 2010 ATM video
http://it.toolbox.com/blogs/securitymonkey/blackhat-2010-video-the-atm-hack-and-jackpot-40245
In case you didn't make it this year...
Tuesday, August 10, 2010
Free Training: State of California Privacy Training course via PPT
http://www.cio.ca.gov/OIS/Government/privacy/default.asp
Podcast: Cloud Computing: The Case for Security Certification
Jim Reavis from the Cloud Security Alliance is interviewed in this podcast at Bank Info Security.
Key takeaways:
The common public cloud scenario: a CPU-intensive farm that needs to scale up quickly.
The common private cloud scenario: a traditional setup of physical machines, as in the financial industry.
CCSK Certification for Security Professionals: http://www.cloudsecurityalliance.org/certifyme.html
Beyond Identity Fraud.... Business Identity Fraud via ACH
http://www.bankinfosecurity.com/articles.php?art_id=2829&rf=2010-08-09-eb
It is time to take steps to make sure your finance department protects the ACH number.
Several banks have deployed extra clients to further protect browser and server connectivity.
Monday, August 9, 2010
Free Training: OWASP
In my search to train up my developers to be aware of OWASP standards, I have located some good and free resources:
The Google training should have 3 parts (3 hours total).
Now the only part you need is a good system to document that your end users have viewed the video and taken a quick quiz for your compliance / audit purposes :)
Netcraft News: Firefox security test add-on was backdoored
If you are using Mozilla Sniffer you had better uninstall it! This is insane, attacking the pen-tester's tool!
2010 Application VTA Tool Comparison
The report came out in Feb 2010, a must read if you are in the market for a VTA tool:
It seems, after reading the Burp Pro post, that Cenzic's Hailstorm is the top automated tool and beat out IBM's AppScan and HP's WebInspect.
Sunday, August 8, 2010
2010 Data Breach Investigations Report Released by Verizon
I am very happy that we chose to use Verizon / CyberTrust this year for my company's third-party VTA.
Interesting stats:
48% involved privilege misuse (+26%)
40% resulted from hacking (-24%)
38% utilized malware (<>)
28% employed social tactics (+16%)
15% comprised physical attacks (+6%)
blog post here: http://securityblog.verizonbusiness.com/2010/07/28/2010-dbir-released/
Out-of-band patch for .LNK vulnerability | SecuraBit
Is it just me, or does Symantec really not have a definition for Sality.AT or Sality-AT?
Securing password resets in web apps | SecuraBit
A must read on how to properly design a secure password reset for your web application:
A high-level summary is:
Never send the password by email; instead send a reset link to the account email address, with a CAPTCHA check, and include the IP address of the requestor.
Make sure the password reset link is random and not derived from a standard seed, and give it a short expiration time.
On clicking the reset link, make the user answer a challenge response to their secret question.
Make the user sign on again after the password reset (instead of auto login), and send an email to notify the account owner that the password has been successfully reset.
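The summary above as an added example (not code from the SecuraBit article): a minimal reset flow that mails a link rather than a password, stores only the hash of a random token with a short expiry, requires the secret-question answer, burns the token after one use, drops every live session so the user must sign on again, and records the requester's IP in the notice. The 15-minute lifetime, the in-memory stores, the `app.example` URL and the user record fields are assumptions.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass, field

RESET_TTL = 15 * 60  # seconds; the short link lifetime is an assumed value

def hash_secret(secret: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever password hash the application already uses
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

@dataclass
class ResetRequest:
    user: str
    expires_at: float
    requester_ip: str        # recorded so the mail can say who asked
    used: bool = False

@dataclass
class ResetService:
    # constructed in-memory stores standing in for the database and mail queue
    users: dict = field(default_factory=dict)     # name -> {"email", "salt", "pw", "answer"}
    pending: dict = field(default_factory=dict)   # sha256(token) -> ResetRequest
    sessions: dict = field(default_factory=dict)  # name -> set of live session ids
    outbox: list = field(default_factory=list)    # (recipient, message) pairs

    def add_user(self, name, email, password, answer):
        salt = secrets.token_bytes(16)
        self.users[name] = {"email": email, "salt": salt, "pw": hash_secret(password, salt),
                            "answer": hash_secret(answer.strip().lower(), salt)}

    def request_reset(self, name, requester_ip, captcha_ok, now):
        if not captcha_ok or name not in self.users:
            return None                            # CAPTCHA failed or unknown user: nothing is mailed
        token = secrets.token_urlsafe(32)          # unpredictable; only its hash is kept server-side
        self.pending[hashlib.sha256(token.encode()).digest()] = ResetRequest(name, now + RESET_TTL, requester_ip)
        self.outbox.append((self.users[name]["email"],            # a link, never the password
                            f"Reset link: https://app.example/reset?t={token} (requested from {requester_ip})"))
        return token

    def complete_reset(self, token, answer, new_password, now):
        req = self.pending.get(hashlib.sha256(token.encode()).digest())
        if req is None or req.used or now > req.expires_at:
            return False                           # unknown, already used, or expired link
        u = self.users[req.user]
        if not hmac.compare_digest(hash_secret(answer.strip().lower(), u["salt"]), u["answer"]):
            return False                           # secret-question challenge failed
        req.used = True                            # single use
        u["pw"] = hash_secret(new_password, u["salt"])
        self.sessions.pop(req.user, None)          # no auto-login: drop every session, user signs on again
        self.outbox.append((u["email"], "Your password was reset"))
        return True
```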
Brand audit for yourself and your Security Department
One of the takeaways from my Corner Stones of Trust 2010 Conference is a session by JJ Thompson at Rook Security called "Renaissance Security Pro Techniques for Today's Privacy and Security Challenges".
Mr. Thompson recommends taking a periodic brand audit of yourself and your own Security department, as there is often a difference between what you strive to be and what you are perceived to be. Since the world judges you based on the collective perception, it makes sense to make sure we are always on target. He recommends Rypple, a web app that is designed for product brand audits. Give it a try and post back here.
Career Advice for Information Security Professionals
I had a great session at Black Hat 2010 @ Las Vegas; they are a recruiting firm based on the east coast that offers some interesting insight on the career path of the InfoSec professional.
http://www.infosecleaders.com/
One of the best pieces of advice is to start writing a blog / articles in the industry that you want to grow in.
W3AF will be available on Rapid7 soon
This could be a very interesting combo:
http://www.rapid7.com/news-events/press-releases/2010/2010-w3af.jsp