Monica Belluci and Security
Trends – security and movie stars, Manuela Arcuri and Monica Bellucci, Verisign and Mcafee. Information security and risk analysis is complex stuff, with multiple dimensions of people, software, performance, management, technology, assets, threats, vulnerabilities and control relationships. This is why it’s hard to sell security to organizations. But, information security is also a lot like fashion with cyclical […]
Offensive security
I have written several times in the past here, here and here about the notion of taking cyber security on the offensive James Anderson, president of Professional Assurance LLC, says that there is no evidence that governments can protect large firms from cyber attacks. “National security authorities may not even acknowledge that their interests align […]
Cyber crime costs over $1 trillion
A pitch from Alex Whitson from SC TV for a Webinar on the LinkedIn Information Security Community piqued my attention with the following teaser: As you may have read recently, Cybercrime is now costing the UK $43.5 billion and around $1 trillion globally. Sponsored by security and compliance auditing vendor nCircle, the Webinar pitch didn’t cite any sources for the […]
What if al-Qaeda Got Stuxnet?
Speaking at this years RSA Security conference in San Francisco, Deputy Defense Secretary William Lynn was worried about al-Qaeda getting Stuxnet: al-Qaeda operates as a network comprising both a multinational, stateless army and a radical SunniMuslim movement calling for global Jihad…Characteristic techniques include suicide attacks and simultaneous bombings of different targets…beliefs include that a Christian–Jewish alliance is conspiring to destroy […]
The security of open source software
A conversation with a client this morning revolved around software development tool alternatives in an environment of Web Socket. Why not use Flash on the client and AMF on the server side?, the client asked. I hesitated for a moment and answered – because Adobe is proprietary and closed source and the only developers looking […]
Counter cyber terrorism with social networks
The topic of offensive strategies against hackers comes up frequently and I am surprised and dismayed by the US strategies on combating cyber terror. The Americans are still thinking in a conventional warfare paradigm – in defending a new domain, William Lyn writes: It must also recognize that traditional Cold War deterrence models of assured […]
Stuxnet targeting specific SCADA configurations
The debate on whether or not the Israelis wrote the Stuxnet malware rages on – but it seems pretty clear from the research from ESET and Siemens own findings – here that the virus is apparently only activated in plants with a specific configuration. To be exact – the target is not the SCADA system […]
Are we glorifying the attackers and prosecuting the victims?
With all the media noise about Stuxnet, cyber war and cyber terror, I proposed taking a closer look at how we relate to the players. Whether uber hackers or PLO terrorists; are we glorifying the attackers at the expense of prosecuting the victims? In data security I don’t subscribe to utilitarian ethics (which attempts to […]
Open Source Security Testing
Pete Herzog, Founder of ISECOM, will be discussing the revised Open Source Security Testing Methodology Manual (OSSTMM v3) and how it applies to web application security today (10-13-2010) in Raleigh, NC. I’m not sure exactly if this project really qualifies as Open Source – since the license is not specified. As a methodology and not […]
Security theater and security politics
I had some input from colleagues on my Stuxnet posts – suggesting that I was downgrading the need to be vigilant against cyber-threats. Of course we must be vigilant, but let’s not forget a couple things: 1) We have to get the basics right – Note the Siemens guideline for implementing WinCC: “system administrator password […]
