Category Archives: Security Sites and Blogs

There are a lot of experts in security out there. What they write is often dry as a bone. But there are a few sites that stay on top of events and express themselves in ways that we mere mortals can comprehend.

Bruce Schneier – He wrote the books, he writes the newsletters, he has the blog. Top of the list for a reason. The link is to his monthly Crypto-Gram…subscribe now.

Hagai Bar-el – Information Security Specialist whose websites focus on security engineering and on managing innovation processes. Good source for definitions. There is also a blog and RSS feed.

Handbook of Applied Cryptography – All chapters are free for the download. Get them off the cloud now.

Super 3D Watermarking Article

Technicolor’s Security Newsletter Issue #20 has a superb article on watermarking stereoscopic 3D. It starts slow (first the dinosaurs died and they all turned into 3D pixels), but it ramps up fast and includes tiny Greek symbols for those who are inclined to such things.

But generally it fills in a lot of details that are not often discussed outside the hallowed halls:
Watermarking 3D Movies, Security Newsletter 20, Security Newsletters – Technicolor

It doesn’t mention it directly, but it is another wake-up call for getting a picture meta-data protocol and/or standard in the film-to-post realm.

Security Toys…Uhm, I mean, Quality Control for Networks

Quality Control for a projector is lamps and lenses and knowing how to keep the management system working.

Quality Control for a network is knowing how people will break into it, and knowing where it will break. In that regard we need to know things the same way a plumber knows what goes on in the pipes.

Wireshark does some of that. Being able to break into the system yourself does some of that, because if you can, someone who smells a perfect digital print worth millions certainly will be able to.

Good luck.

Introduction To Wireshark

Register for a complimentary Network Monitoring and Troubleshooting For Dummies

SSL Breaches & Duqu; Why It Is Interesting for DCinema

This is not something to panic about. This is just a topic to learn about. We typically attach our everyday work machines to the same network as the machines that control projectors and ticket systems. The lesson of Stuxnet is that a breach of one is a breach of all. The lesson of the US Department of Defense is that employees must learn the basics of how systems can be infected and how to stop those infections: a simple USB stick allowed an infection that later allowed people to download secure documents from other countries through the US defence department systems.

Now there is Duqu, which appears to be targeting machine control systems in much cleverer ways than Stuxnet, and is capable of many future variations. Let’s not forget that Digital Cinema Systems are machine control systems. The nature of the infection is to scatter widely, then wait for the newly infected machines to start chattering back, at which point someone checks to see what kind of fish has been caught. Then they put a list up on the ‘black hat’ web sites announcing Systems With Access Holes and trade your life for a few hundred dollars.


Here are some of the more recent articles. Make certain that there is someone in your organization who learns to stay on top of these things. Don’t pass it off to an outside group without also having employee training. This is a quality control issue: put someone in charge.

Good News:

DuquDetector released to forensically detect pest – The H Security: News and Features

Not So Good News:

How similar? Remotely Opening Prison Doors – Schneier on Security

Cyber Intrusion Blamed for Hardware Failure at Water Utility — Krebs on Security

Stolen government certificate signed malware – The H Security: News and Features

Compromised certificates: Revocations alone are insufficient – The H Security: News and Features

Malware Signed With a Governmental Signing Key – F-Secure Weblog : News from the Lab

Old but relevant news:

Autopsy of RSA Attack

More Military Systems Hacked

Social Engineering Preview

Due to the mystery surrounding social engineering many people are afraid of it, or they feel they will never be able to accomplish a successful social engineering test. However, every time you try to get someone to do something that is in your interest, you are engaging in social engineering. From children trying to get a toy from their parents to adults trying to land a job or score the big promotion, all of it is a form of social engineering.


Those are the beginning paragraphs to an interesting site:

Social Engineering and the Art of Influence.

We will use it as the launching point for exploring the best approach for organizations that realize what a tremendous responsibility they carry for the assets they store.

Step 1 – Find the right person to learn this expertise.

Step 2 – Have them wander the site for a while.

Hackers For Charity – MetaSploit Unleashed

Mastering the Framework is the chant behind this marvelous idea: put together a great set of test programs, put together the technical data that teaches how to use it, and ask for a $4 contribution to help feed people.

Offensive Security is a white-hat group that teaches people to think like black hats so that they can better protect their environment. Find someone in your organization who can take advantage of this now, and make it a part of your procedures.

Ex-Army man cracks popular security chip

Read the entire article at:
Ex-Army man cracks popular security chip
How to open Infineon’s Trusted Platform Module
By Dan Goodin – 17th February 2010 21:08 GMT

[Editor says: Constant Vigilance Alert – This is only interesting in that someone clever kept at it, breaking over 50 security chips until he found the means to break in, circumventing hardware and software self-destruct mechanisms.
Lesson: every network has the potential for a moment of excitement. Maybe not now, but at some time you will need to have a professional view of your projection/server network.]

Happens to the Best of Them – Apache Passwords Exposed

The full article is at IT Pro:
An attack on Apache’s project server has resulted in passwords being stolen from all users.
By Jennifer Scott, 14 Apr 2010 at 11:25

And continues:
“If you are a user of the Apache hosted JIRA, Bugzilla, or Confluence, a hashed copy of your password has been compromised,” said a blog post from the Apache Infrastructure team.

It has warned users of any of these programs to change their passwords, especially if they logged in between 6 and 9 April.

It has also left those who had Atlassian accounts before July 2008 in danger as an old unencrypted database containing customer passwords was left online and could have been compromised.

“We made a big error,” admitted Mike Cannon-Brookes, chief executive of Atlassian, in a blog post. “For this we are, of course, extremely sorry.”

He added: “The legacy customer database, with passwords stored in plain text, was a liability. Even though it wasn’t active, it should have been deleted. There’s no logical explanation for why it wasn’t, other than as we moved off one project, and on to the next one, we dropped the ball and screwed up.”

Apache is running JIRA on a proxy configuration for the meantime and has made a number of changes to make the server safer.

“We hope our disclosure has been as open as possible and true to the ASF spirit,” concluded the Apache blog. “Hopefully others can learn from our mistakes.”