[SecurityRatty] tag: to-do

Metadata: An Invisible CAPTCHA

Mon, 01 Dec 2008 21:30:02 +0000

Soon you may not need to squint at distorted letters to prove your humanity.

Sun Gives Advance Notice of Java Update

Mon, 01 Dec 2008 14:52:01 +0000

Tomorrow, Dec. 2, 2008, Sun will release updates for various versions of Java. This is the first example, to my knowledge, of an advance notification of an update by Sun Microsystems. In fact, it's the first advance notification I know of except for those from Microsoft, which started the practice to accommodate planning by IT departments. Microsoft's advance notifications come four days in advance of the actual update release. Sun's is one day in advance, and contains only minimal information. It says the following updates will be released:

JDK and JRE 6 Update 11
JDK and JRE 5.0 Update 17
SDK and JRE 1.4.2_19
SDK and JRE 1.3.1_24

It also lists Sun alert numbers for the updates, but there are no links or indications of what the alerts mean. I tried to search for the numbers but had no luck. Still, advance notification is a good thing and this is a step in the right direction. I hope it's a trend.

BlueHat SDL Sessions Wrap-up

Mon, 01 Dec 2008 14:51:00 +0000

Hi everyone, Bryan here. The debut BlueHat SDL Sessions are over, and they were a resounding success: 96% of attendees completing evaluation surveys reported that they will be able to apply knowledge that they learned in the SDL sessions to make their products more secure. This is a great score and I’d like to thank all of our speakers and the BlueHat planning team for their hard work. As for the other 4% of attendees, we’ll just have to work that much harder next year to bring them actionable guidance for dealing with new vulnerabilities.

As promised, we recorded all of the day’s presentations and we’ve published them on TechNet:

Keynote Address by Scott Charney, Corporate VP, Microsoft Trustworthy Computing

Threat Modeling at EMC and Microsoft by Danny Dhillon of EMC and Adam Shostack of the Microsoft SDL team (of course)

Mitigations Unplugged by Matt Miller, Microsoft Security Science team

Concurrency Attacks on Web Applications by Scott Stender and Alex Vidergar of iSEC Partners

Fuzzed Enough? When it’s OK to Put the Shears Down by Jason Shirk, Dave Weinstein and Lars Opstad, Microsoft Security Science team

Real World Code Review – Using the Right Tools in the Right Place at the Right Time by Vinnie Liu of Stach & Liu

In addition to the presentations, we also recorded some short interviews (about 10 minutes long) with each of the speakers. If you’re just looking for a quick summary of a particular talk, these interviews are the place to start:

Threat Modeling at EMC, Danny Dhillon

Threat Modeling at Microsoft, Adam Shostack

Mitigations Unplugged, Matt Miller

Concurrency Attacks on Web Applications, Scott Stender and Alex Vidergar

Fuzzed Enough? Jason Shirk and Dave Weinstein

Real World Code Review, Vinnie Liu

I hope at least 96% of online readers will be able to directly apply this material to their products, just like the show attendees. Please post back and let us know, either way. And let us know what you’d like to see for next year. We have big plans to build on our success and make SDL Sessions 2.0 even bigger and better than the first.

Gadgets of the Mumbai Attacks

Mon, 01 Dec 2008 11:39:00 +0000

The Mumbai terrorists used an array of commercial technologies -- from Blackberries to GPS navigators to anonymous e-mail accounts -- to pull off their heinous attacks.

Hard to find AntiVirus Uninstall program links

Mon, 01 Dec 2008 11:25:35 +0000

Well done article on where to find those uninstall programs to completely remove certain AntiVirus programs.

clipped from whatsonmypc.wordpress.com

Uninstalling and Installing AntiVirus?Software…

The points of this article is to educate you to the fact that there are FREE antivirus software options available and that follow-up research may be required to “completely” uninstall (remove) antivirus software from your system in the event you desire to install another antivirus program.

The Good Get Conned-When Trust is Biological

Mon, 01 Dec 2008 11:00:35 +0000

Bruce Schnier linked to an interesting article a while back, discussing how brain chemistry causes you to trust people when demonstrate that they trust you, especially when they’re relying on you and may be vulnerable…interesting stuff:

THOMAS is a powerful brain circuit that releases the neurochemical oxytocin when we are trusted and induces a desire to reciprocate the trust we have been shown–even with strangers. The key to a con is not that you trust the conman, but that he shows he trusts you. Conmen ply their trade by appearing fragile or needing help, by seeming vulnerable. Because of THOMAS, the human brain makes us feel good when we help others–this is the basis for attachment to family and friends and cooperation with strangers

So my question: if real-life cons can easily scam people by appearing to depend on them, how does this affect the scams we see on the Net? Clearly some online cons rely on this method — the Nigerian bank scam being a prime example. It seems like social engineering scams particularly rely on this method — but not all scams. And of course many other vulnerabilities just seem to rely on people’s habits to just click links willy-nilly online, which is an impersonal event. If the net were a more personal place, we might see many more of those kinds of scams.

Manage and test firewall changes

Mon, 01 Dec 2008 10:10:00 +0000

Regardless of how you approach firewall management, manage. Configuration changes which appear to work properly can easily produce unwanted results. Only a formalized change and testing process based on clear strategic objectives can prevent growing cracks in the wall.

Global Dispatches: U.K. to bolster data security

Mon, 01 Dec 2008 02:00:00 +0000

A bill to bolster data security has been filed in the U.K. Parliament; Indian outsourcer Tata has opened a fourth services delivery center in China.

Challenges await Obama in bid to build up federal IT security

Mon, 01 Dec 2008 02:00:00 +0000

As Barack Obama prepares to become president in January, the task of upgrading the security of federal computer systems is still a work in progress despite several initiatives begun by the Bush administration.

The McColo takedown: Online neighborhood watch, or Internet frontier justice?

Mon, 01 Dec 2008 02:00:00 +0000

Security researchers are banding together to police the Net and neutralize allegedly nefarious hosting firms. That may not be the best approach, but it may be the only viable one for now.