InfoSec Philippines

Information Security, Technology News and Opinions

Archive for the ‘Whitepapers’ Category

Mostly CA Links on Lean IT

Posted by Jaime Raphael Licauco, CISSP, GSEC on July 22, 2009

The “CA Advisor” (which is the Security Management Newsletter of CA) for April 2009, has a bunch of articles on Lean IT.

Notable articles in the Newsletter are:
CA’s RSA Keynote Explores Transformation of Identity and Access Management

Make IT Leaner with Identity-Centric Data Loss Prevention

Q&A: The Future of Role and Compliance Management

How Lean IT Can Maximize Value and Minimize Cost

White Papers
The Case for Lean IT
Lean has been successfully applied to domains beyond manufacturing, including to enterprise IT

Masters of Lean IT
Learn how 3 visionary IT executives maximized value and minimized waste

Gartner – Cost Cutting While Improving Security March 2008

Gartner – Managing IT Risks During Cost-Cutting Periods Oct 2008

Advertisements

Posted in Lean IT, Whitepapers | Tagged: | Leave a Comment »

Info Sec News, Feb 5, 2009

Posted by Jaime Raphael Licauco, CISSP, GSEC on February 5, 2009

Seminars
ECCInternational will be giving a Certified BCMS (ISO 25999:2007) course from Feb 9-11. They will also be giving an ITIL Practitioner Program – Configuration Management on Feb 10-11, you can check out their Training Schedule here. ISO 9001:2008 IRCA Certified Lead Auditor Seminar will also be given either on Feb 9-13 or Feb 16-20. For details and specific dates, please contact Rose, Faith or Ness at 7505671 to 73 or email training@ccinternational.com.


Webcasts
CSO Online has published a podcast interview of Jim Routh who is the CISO of the Depository Trust and Clearing Corporation (DTCC). He is a veteran technology and security executive, having held positions at American Express and American Express Financial Advisors before joining DTCC.

(Simply Continuous) How To Keep Your Business Running in the Event of a Disaster


Whitepapers
There’s a recent (Winter 2009) presentation published by the Standford Applied Crypto group by John Mitchell on Phishing and Malicious JavaScript. Aside from Phishing, the presentation talks about how JavaScript is used to obtain information from your browser. John Mitchell teaches CS 142, Web Programming and Security, at Stanford University.

(SonicWall) Bottom-line benefits of telecommuting & secure remote access
(Quest Software) Finding Complete Identity Lifecycle Management that Fits


Insider Threat
I either gotta love this… or get paranoid about this: Within 90 minutes of getting fired, a former contract worker for Fannie Mae allegedly added a malicious script hidden within a legitimate script that ran each morning on the network, which was designed to disable monitoring alerts and all log-ins, delete the root passwords to the 4,000 Fannie Mae servers, erase all data and backup data, power off all the servers and then disable the ability to remotely switch on the machines. This was fortunately found by another employee within days of the firing.

(Computerworld) Ex-Fannie Mae engineer pleads innocent to server bomb charge
(CSO Online) Alleged Fannie Mae data bomb author working for Bank of America now?

Another recent example of an Insider Threat is of a former employee that still has access to the system, as this article reports, “Mysterious Text-Message Alert at U. of Florida Scares and Angers Students.


Psychology/Social Engineering
There’s good insight as to the psychology involved when it comes to Information Security in this article from (CSO Online) Are You Addicted to Information Insecurity?

And speaking of psychology, CSO Online’s Anatomy of a Hack is an in-depth article on how Social Engineering can be used. Also in connection to social engineering, the FBI also warns of Money Mule Scams.

A novel way of luring people to a website with malware was found in North Dakota. How? Stick a parking violation ticket on the windshield, with the supposed details of the infraction on a website.

Readers of this blog might also want to check out What the Web knows about you. Its a 6 page article on what attackers may be able to find out about you online. If you’re in the US and is considering searching your SS number, check out this article first on Search Engine Privacy Tips from the World Privacy Forum website.


Browser Security
CSO Online also did a an unscientific poll of security experts on browser security, and it turns out that IE isn’t viewed as being as insecure as it was just a few years back. In relation to browser security, Firefox just fixed a couple of vulnerabilities in their release of version 3.06 of their browser.

Also related, Browser secrets of secure connections talks about how browsers play a key part in determining the strength of cipher used between the client and the web server. The article references the Infoworld Test Center Guide to browser security.


New DNS Attack
(CSO Online) Porn Site Feud Spawns New DNS Attack – Botnet operators are adding code to launch a new type of distributed denial of service attack, security experts warn
(NetworkWorld.com) Porn Site Feud Spawns New DNS Attack – A scrap between two pornographic Web sites turned nasty when one figured out how to take down the other by exploiting a previously unknown quirk in the Internet’s DNS.
(NetworkWorld.com Slideshow) How DNS cache poisoning works – this also has tips at the end on how to defend this kind of attack.


Other Info Sec News
(CSO Online) SMB Security: Five Bright Ideas – Small businesses have to be crafty to handle security with fewer resources. Here are bright ideas for SMBs.

(Computerworld Blog) Security businesses move ahead in this economy

(Computerworld) Removing admin rights stymies 92% of Microsoft’s bugs

(Computerworld) Microsoft denies Windows 7 security feature contains bug

(Computerworld) Banks, customers feel the fallout of the Heartland breach

(Computerworld) Study: Data breaches continue to get more costly for businesses

(Computerworld) Obama health care plan said to boost security, privacy controls – Privacy advocates say $20B e-health proposal overcomes some HIPAA concerns

Posted in Change Management, conferences, Incident Management, ISMS, Presentations, Privacy, social engineering, Webinars, Whitepapers | Tagged: , , , , , , , , , , , , , , , , , | Leave a Comment »

Now its Firefox’s and Opera’s turn (Updated)

Posted by Jaime Raphael Licauco, CISSP, GSEC on December 19, 2008

Firefox and Opera both patched their software this week after new critical vulnerabilities were found in both.

Firefox
Mozilla Foundation Security Advisory 2008-60
Security Focus BID

Opera Security Advisories
http://www.opera.com/support/kb/view/921/
http://www.opera.com/support/kb/view/924/
http://www.opera.com/support/kb/view/920/
http://www.opera.com/support/kb/view/923/

IE Bug Update
(Computerworld) Hackers exploit IE bug with ‘insidious’ Word docs – ActiveX control in Word file downloads malware to unpatched PCs, says McAfee

MS08-078 and the SDL – The MSDN blog has released an analysis of the recent zero day bug of IE. In the end, the author states, “I think this bug is a great example of ‘you will never get the code 100% right, so multiple defenses are critical.'”


⌘+⇧+L and other useful OS X hidden features – Not Security related but I thought that some Mac heads might find this useful.


(Security Park) 44 per cent of EU SMBs have been attacked by cyber criminals
Adobe Flash Player for Linux Security Bulletin and Update
(Heise Security) Keyloggers under the microscope – A team assembled by honeynet specialist Thorsten Holz from the University of Mannheim has published a case study of banking trojans, keyloggers and their dropzones. “Learning More About the Underground Economy: A Case-Study of Keyloggers and Dropzones” is available for download here.
(Security Park) Mobile Phone Security Tips

Posted in ISMS, vulnerability, Whitepapers | Tagged: , , , , | Leave a Comment »

Microsoft Issues Patch to Close Zero Day Hole

Posted by Jaime Raphael Licauco, CISSP, GSEC on December 18, 2008

Microsoft has issued an unscheduled patch to close the security hole in IE in its MS08-078 Security Bulletin.


A Security Park report states that according to Panda Security, there has been as much malware in the first months of ’08 as the last 17 years combined.

Related links:
SANS published a 61 page whitepaper by Mark Baggett, GCIH, on the Effectiveness of Anti-Virus vs Metasploit Payloads
Anti-Virus Rants Blog


Computerworld Security lists 3 simple ways to protect from Social Networking Malware: 1. Have a stronger password, 2. Be wary of 3rd party apps 3. Beware of user generated SPAM.

Now I’m wondering if there are tips out there regarding Friendster since they obviously have a problem with the SPAM I’ve been getting from a couple of users.


CDW has a 2 page whitepaper on Making the Case for Security Spending


UPI.com Homeland and National Security Editor Shaun Waterman wrote about the questionable effectiveness of FISMA in real world use. The article states that the US Justice Dept got a grade of A-, because FISMA is primarily concerned with “ensuring that all agencies ‘have policies and procedures to enhance the security of information in their IT systems. [however FISMA does] ‘not assess whether the Department has actually implemented these processes, nor did it assess the actual security of the Department’s IT systems.'”


The US Center for Strategic and International Studies (CSIS) recommends a Cybersecurity model based on Nuclear Nonproliferation. This is because of the seriousness and complexity of cyberthreats, which require a coordinated approach that spans agency jurisdictions, borders and sectors.

See earlier Post for the CSIS report


Update on Browser Password Management Security

In the test by Chapin Information Services (CIS) Opera and Firefox each passed seven of 21 tests, IE passed five tests, and Safari and Chrome each passed two tests.

(The Register) Browser Password Security Test
(Chapin Info Services) Google Chrome receives lowest Password Security Score


Other Security News.
(Bank Info Security) Where the Jobs Are: 5 Hot Career Tips for 2009
(Bank Info Security) Top Certifications for Industry Pros

Posted in News, Social Networking, Whitepapers | Tagged: , , , , , , | Leave a Comment »

Hack in The Box Conference 2008 Materials

Posted by Jaime Raphael Licauco, CISSP, GSEC on December 1, 2008


Amitpal Dhillon – Addressing Identity Management.pdf
3.7M


Dino Dai Zovi – Mac OS Xploitation.pdf
623K


Ero Carrera – Analysis and Visualization of Common Packers.pdf
3.7M

Hernan Ochoa – Pass-The-Hash Toolkit for Windows.pdf 535K


Jim Geovedi – Hacking a Bird in the Sky 2.0.pdf
3.1M


Julian Ho – Moocherhunter.pdf
124K


Peter Silberman – Full Process Reconstitution from Memory.pdf
144K


Alexander Tereshkin – Bluepilling the Xen Hypervisor.pdf
8.3M


Alexander Tereshkin – Bluepilling the Xen Hypervisor Demo (Large File)
142M


Eric Lawrence – IE 8 – Engineering a Trustworthy Browser.pdf
13M


Jonathan Squire – A Fox in the Hen House.pdf
3.5M


Paul Craig – Hacking Internet Kiosks.pdf
1.2M


Roberto Preatoni – Time for a Free Hardware Foundation.pdf
11M


Saumil Shah – Browser Exploits – A New Model for Browser Security.pdf
2.1M


The Grugq – How the Leopard Hides His Spots.pdf
01-Nov-2008 12:39 128K


Mel Mudin and Lee – Advanced Network Forensics Lab Demo (Large File)
29M


Charlie Miller – iPwning the iPhone.pdf
9.8M


Charl van Der Walt – Pushing the Camel Through the Eye of a Needle.pdf
23M


Ilfak Guilfanov – Decompilers and Beyond.pdf
418K


Kris Kaspersky – Remote Code Execution Through Intel CPU Bugs.pdf
1.3M


Petko D Petkov – Client Side Security.pdf
1.0M


AR Samhuri – Next Generation Reverse Shell.pdf
7.7M


Adrian Pastor – Cracking into Embedded Devices and Beyond.pdf
889K


Mary Yeoh – Security Penetration Testing at RTL Level.pdf
4.4M


Matthew Geiger – How to Build Your Own Password Cracker and Disassembler.pdf
471K


Shreeraj Shah – Top 10 Web 2.0 Attacks.pdf
1.1M


Advanced Wireless Lab (Very Large File)
1.2G


Ching Tim Meng – Detecting and Removing Malware without Antivirus Software.pdf
321K


KEYNOTE 1 – Jeremiah Grossman – The Art of Click-Jacking.pdf
2.5M


KEYNOTE 2 – Marcus Ranum – Cyberwar is Bullshit.pdf
54K


KEYNOTE 3 + 4 – The Pirate Bay Dissolving a Billion Dollar Industry as a Hobby.zip
38M

Posted in conferences, News, Whitepapers | Tagged: , , , , , , , , , , , , , | Leave a Comment »

SPAM drops, DDoS Attacks, Whitepapers

Posted by Jaime Raphael Licauco, CISSP, GSEC on November 15, 2008

There’s apparently been a huge drop in SPAM after two ISPs were cut off.
Stories from Washington Post, and BBC. Brian Krebs of the Wash Post also talks about this in his Security Fix Blog.


More ISPs are allocating resources for DDoS attacks according to Arbor Network’s 2008 Worldwide Infrastructure Security Report. A related article is on ZDNet and an article on Vunet talks about ISP’s fear on IPv6 threats.

A study by Google, presented at the RIPE Meeting in Dubai reports that France and Russia are ahead in IPv6 .


Security Focus reports that, “Anti-malware testing group releases standards“, and they can be downloaded here.


SANS will also have a Webcast on Understanding the WPA/WPA2 Break.

Since we’re on the topic of webcasts, SourceBoston’s 2008 Conference from March of this year have been up on Blip.tv for a while now. They have great presentations on Incident response, Secure Coding, etc.


And since I enjoyed Schneier’s essay on, “The Psychology of Security“, I just thought that InfoSec professionals would find it funny that the Washington Times reports that Paranoia is on the rise :).


SC Magazine Whitepaper Roundup

Top five strategies for combating modern threats – is anti-virus dead?
By: Sophos Plc.
Today’s fast, targeted, silent threats take advantage of the open network and new technologies that support an increasingly mobile workforce. Organizations need innovative approaches to protect the web, email servers and endpoint. This paper discusses the security implications of modern…

Complying with the Payment Card Industry’s Data Security Standard
By: DeviceLock, Inc.
The Payment Card Industry Data Security Standard (PCI DSS) was drawn up in order to reduce leakage and inappropriate use of credit card information. It contains over 100 clear information security requirements for all companies who process, store or transfer data about cardholders: banks, processing…

Addressing the Operational Challenges of Administrative Passwords
By: ManageEngine
Enterprises making use of various IT systems (servers, devices, applications etc.) face numerous challenges due to the proliferation of administrative passwords (also called as privileged passwords). This white paper discusses the problems associated with administrative password proliferation with…

Tripwire PCI DSS Solutions- Automated, Continuous Compliance
By: Tripwire, Inc.
Find out step-by-step what it takes to become compliant with the Payment Card Industry (PCI) Data Security Standard (DSS), and how Tripwire can help your company achieve and maintain PCI compliance.

Malware Security: Taking the Botnet Threat Seriously
By: FireEye, Inc.
How does malware continue to infiltrate networks? Primarily because traditional defenses only address the threat in pieces and parts, which leaves gaps in the enterprise security infrastructure. Meanwhile, malware has become organized to form massive ‘botnets’ (networks of compromised…

ComputerWorld Technical Briefing: Mission-Critical Security – The Threat from Within
By: PacketMotion
We all know blind spots are bad for drivers but are you aware of how potentially disastrous they can be for IT security professionals? Take a few minutes to review this Computerworld report and you’ll get a clear picture of both the problem and the solution!.

Automating Code Reviews: How to Manage Application Risk on a Shrinking Budget
By: Veracode
In a tightening economy many organizations are faced with a “do more with less” mandate on their budgets and their security strategies. On-demand application security testing offered as an outsourced service – based on binary analysis and multiple scanning technologies…

Database Auditing Tools and Strategies
By: Sensage
Learn about a new set of software tools that provide low overhead audit collection with storage, alerting and reporting capabilities. This paper details the trade-offs and strategy of each option.

Posted in News, Whitepapers, Wireless | Tagged: , , , , , , , , , , , , | Leave a Comment »