InfoSec Philippines

Information Security, Technology News and Opinions

Posts Tagged ‘Security’

ISO’s Glossary of IT Security Terminology

Posted by Jaime Raphael Licauco, CISSP, GSEC on August 24, 2009

Since I haven’t put up my own Glossary of IT Security Terms, and there are tons of reputable sources on the web, I’ll will be linking to them instead.

First up is the ISO/IEC Joint Technical Committee 1, Sub-Committee 27’s Standing Document 6: Glossary of IT Security Terminology. It is a freely downloadable zipped Excel file with around 1,700 rows of definitions (some of which repeat depending on the reference material and working group). It also references the source document, and it is as of April 29, 2009. A Sample of the document follows:

Term:
Biometric

Definition:
automated recognition of individuals based on their behavioural and biological characteristics NOTE Definition from [2].

Stds/TRs/Drafts:
ISO/IEC FDIS 19792: 2009-04-16

WG:
WG3

Please note that FDIS stands for Final Draft International Standard. Working group 3 works on “Security Evaluation Criteria.” Please see here for more on the different Working Groups of SC27. The recently published ISO/IEC 19792’s title is, “Information technology — Security techniques — Security evaluation of biometrics”.

Posted in Glossary | Tagged: , , , , , | Leave a Comment »

Cloud Computing Links

Posted by Jaime Raphael Licauco, CISSP, GSEC on December 2, 2008

There was a question on Cloud Computing security at the recent BarCamp at APC. This reminded me to put up my cloud computing links.

Newsweek had articles on cloud computing in Nov 2008 and June 2008.

TechTarget had a three part series of podcasts on Cloud Computing last month:
The Benefits of Cloud Computing
Cloud computing’s Impact on Agile Development practices, Software Testing, and E-Commerce
Cloud computing’s effect on application security

Bill Brenner in Computerworld writes about, The myth of Cloud Computing and the same author in CSO Online interviewed Chris Hoff on Virtualization and Cloud Computing.

One ought to also check out the Cloud Security blog, and its great news section on cloud computing security.


The IT Briefing Center also has a new 40 minute webcast, Can You Trust the Cloud?

I copied and pasted the program abstract and it’s as follows:
Join Daryl C. Plummer, Managing VP & Gartner Fellow, Featured Analyst Firm Gartner, Inc. and Chet Kapoor, CEO of Sonoa for an on-demand program available now. Our panel examines the enormous shift in economics going on with IT today and addresses key challenges and best practices with cloud computing.
Tune in and learn about cloud computing considerations when planning your capital expense budget and start changing the way your organization has traditionally used IT.

Posted in News | Tagged: , , , , | Leave a Comment »

Global InfoSec Surveys and Adobe Reader Vulnerabilities

Posted by Jaime Raphael Licauco, CISSP, GSEC on November 8, 2008

Ernst & Young’s 2008 Information Security Survey

EY released their Global Information Security Survey 2008 a few weeks ago. The survey was conducted from June 6 – August 1, 2008, in more than 50 countries and with nearly 1,400 participating organizations.

Some of the key findings were:

  • Protecting reputation and brand has become a significant driver for InfoSec
  • People remain the weakest link
  • International InfoSec standards are gaining greater acceptance
  • Growing third-party risk are not being addressed
  • Business continuity still bound to IT
  • Another notable finding is that despite of the current period of economic pressures and of slowed growth, only 5% of respondents indicated a planned reduction in InfoSec expenditures, while 50% were planning to increase their investment in InfoSec. This is supported by similar numbers from CIO Magazine, CSO Magazine and PWC’s Global state of information security survey 2008 (pdf, 2.79 MB). Key highlights are stated here, and another summary can be found in a NetworkWorld.com article.

    For more information about the survey, click here. If you want a pdf copy of Ernst & Young’s 2008 Global Information Security Survey (1.42 MB) click here. For other informative pdfs from Ernst & Young regarding InfoSec, check out their Technology and Security Risk Services page.


    Adobe Reader vulns remind us why updating ASAP matters

    What I mean by ASAP here is after the correct patch management or change management procedures have been done. Patching/updating with no concern for proper procedures can easily lead to downtime and possibly even more vulnerabilities.

    I’m saying this after the SANS Internet Storm Center came across pdf files that exploited the recently found Javascript buffer overflow vulnerability. They also took note that at the time of writing (Nov 7, 2008) NO ANTI VIRUS could detect the malicious pdf.

    However, had you updated your Adobe Reader to version 9 (Windows systems) a few weeks back, you wouldn’t even need to think of the problem.

    Posted in ISMS, News, vulnerability | Tagged: , , , , , , , , , , , , | Leave a Comment »

    Wireless Hacking part 2

    Posted by Jaime Raphael Licauco, CISSP, GSEC on November 7, 2008

    Yesterday, I had a post on Using Nmap to detect Rouge Wireless Access Points. With that post were various links to tools on hacking wireless networks that are freely available on the net. This is of course to help inform the public on the perils of wireless network computing. However, I also posted a link on the advantages on wireless and how to secure it. As is often the case, one must seek a balance or prioritize among that OTHER security triad of COST vs SECURITY vs CONVENIENCE.

    For the history buffs, there is a A Brief History of Wireless Security from SecurityUncorked.com. CSOonline, back in May 2008, also published a very informative article on Wireless Security: The Basics.

    News from SC Magazine US, SecurityFocus.com and Heise Security just came out that WPA can now be cracked in around 15 minutes.

    The SecurityFocus.com news item above talks about Recovering a WEP key in less than a minute using the aircrack-ptw tool that is used with the aircrack-ng toolsuite.

    I remember a few months ago Risky Business podcasts interviewed the maker of Metasploit framework, HD Moore, regarding his evil Eee PC. It’s about the new KARMA+Metasploit 3 framework which is a set of tools that listens to all client probe requests and can then become a fake wireless AP for any requested network. The scary thing here is that you can possibly get owned as long as your wireless is enabled and its automatically looking for a wireless access point, without the user even knowing it. The older Karma framework is available here.

    If the Risky Business podcast didn’t get you a wee bit paranoid, an interview by Network World on, Wireless security foiled by new exploits, just might do the trick. They interviewed Joshua Wright who writes the security blog WillHackforSushi.com and is also the author of the six-day SANS Institute course, Assessing and Securing Wireless Networks.

    I wonder what tools were used for the “Wall of Sheep” at the Defcon conferences, which was also at the BlackHat, this year. In case you’ve never heard of the “Wall of Sheep”, its a wall with a projection of Usernames and part of the passwords for the users foolish enough to not have enough security on their wireless connections. MySpace and Gmail accounts have also shown up (in spite of Gmail using the default https, but just for log-on) through the use of replay attacks. Apple iPhones and Window’s mobile phones have also shown up.

    Since you’ll want to save some of the information from the KARMA+Metaploit 3 framework, I’m guessing newer mini-notebooks like the Acer Aspire One which retails for around $350, and Lenovo Ideapad S10 which retails for around $400, would both be great for this.

    Since its related, there’s an On Demand Webcast sponsored by Nokia on, Corporate Mobility Policy and Device Management. In case your organization is PCI compliant or is looking forward (or dreading) compliance in the future, Network World will be having a webcast next month on PCI Wireless Compliance Demystified.

    Posted in ISMS, News, Philippines, vulnerability, Wireless | Tagged: , , , , , , , , , , , , , , , , , | 1 Comment »

    Recent Whitepapers on the Net

    Posted by Jaime Raphael Licauco, CISSP, GSEC on November 6, 2008

    Secure Mobile Computing Using Two-Factor Authentication with VPNs and Disk Encryption – sponsored by Alladin

    ABSTRACT:
    This paper highlights the risks that organizations run in allowing mobile users full access to the enterprise network, data, and applications through VPN. It takes a detailed look at how making sensitive corporate data available in this manner, creates security gaps with passwords and encryption keys stored on the hard drive. Aladdin focuses on successfully addressing these issues with strong two-factor authentication, reviewing the broad range of easy to deploy, easy to use, and low cost two-factor authentication devices available that meet the needs of organizations today.


    Web Application Security: Too Costly to Ignore sponsored by HP

    Posted: 24 Sep 2008
    Published: 24 Sep 2008
    Format: PDF
    Length: 8 Page(s)

    ABSTRACT:
    Web application security is crucial to mitigating the risks of attack and attaining regulatory compliance. The number of web attacks is on the rise and is exponentially more cost effective to remedy those flaws early in the development process. There is an enormous chasm between where application security should be and the sad shape of application security today. Download this free whitepaper from HP Software to learn about the gaps in most application security programs and how to incorporate application security across the lifecycle.


    Oracle Advanced Security TDE (Encryption)

    Posted: 15 Jul 2008
    Published: 01 Jun 2007
    Format: PDF
    Length: 19 Page(s)

    ABSTRACT:
    Encryption is a key component of the defense-in-depth principle and Oracle continues to develop innovative solutions to help customers address increasingly stringent security requirements around the safeguarding of PII data. Retailers can use Oracle Advanced Security TDE to address PCI-DSS requirements while university and healthcare organizations can use TDE to safeguard social security numbers and other sensitive information. Encryption plays an especially important role in safeguarding data in transit. Oracle Advanced Security network encryption protects data in transit on the intranet from network sniffing and modification. Oracle Advanced Security TDE protects sensitive data on disk drives and backup media from unauthorized access, helping reduce the impact of lost or stolen media.


    Data Center TCO – A Comparison of High-density and Low-density Spaces sponsored by Intel

    Posted: 24 Jul 2008
    Published: 01 Jan 2007
    Format: PDF
    Length: 12 Page(s)

    ABSTRACT:
    One of the most common misconceptions in this period of growth is that the total cost of ownership (TCO) of a new data center is lower with a low-density design. In fact, the most efficient new data centers are those with high-density designs, which leverage virtualization to reduce TCO by millions.

    This white paper explains why and offers suggestions for successful operations in the high-density data center. Key considerations include:

    * Airflow distribution challenges
    * Server uniformity
    * Airflow velocities
    * Hot aisle temperature

    Posted in Whitepapers | Tagged: , , , , | Leave a Comment »

    Using Nmap to detect rogue Wireless Access Points

    Posted by Jaime Raphael Licauco, CISSP, GSEC on November 6, 2008

    Pauldotcom interviewed Gordon “Fyodor” Lyon (the Nmap dude) back in Sept 24. Check out the transcript of the interview here.

    Direct audio download of the show can be found here.

    If you use Nmap, Paul Asadoorian, GCIA, GCIH (who started the website), also released a script for the new version of Nmap (4.76) here.

    Other wireless tools you can use can be found in the Top 5 Wireless Tools page of the insecure.org site. The likes of Kismet, NetStumbler, Aircrack-ng, Airsnort and KisMac are all there.

    I am both amazed and appalled by the current state of wireless security in the Manila area. Although its probably better than when Van Hauser checked it out back in 2004, users still aren’t aware of how dangerous it is to pass off confidential or private information using wireless access points. Back in June 2008, Inquirer posted this on the FBI warning wi-fi users.

    Recent articles regarding cracking of Wireless Access Points using Nvidia cards can be found in SCmagazineUK and Heise Security.

    A dated (May 2007) blog on WPA cracking might be interesting to you, an even older video (2005) with a really annoying soundtrack can also be found online. You may also want to check this out.

    On the lighter side, I found two articles on hacking for smartbro. Here and here. One of which should be reserved for April fools, the other for more adventurous people.


    Speaking on wireless security and its problems, here’s a 36 minute video from the IT Briefing Center on
    The Evolution of the Wireless Enterprise: Networking in a World Without Wires sponsored by Motorola. It talks about the cost savings of going wireless, additional benefits of going wireless and there’s a case study they cite on using wireless for the healthcare industry.


    On a totally different topic, and since I can’t get enough of web app security (aside from security metrics), here’s a 25 minute podcast by Gartner, sponsored by IBM entitled, “Stay Ahead of the Hackers: Strategies to Protect your Web Applications – and Your Organization“.


    Gartner also has a 27 minute video on “Using Secure Remote Management to Drive the Convergence of IT Operations and Security Compliance” also from the IT Briefing Center.

    Posted in Philippines, Wireless | Tagged: , , , , , , , , , , , , | 2 Comments »