Announcing: The Month of No Bugs (MONB)!

Wednesday, September 1, 2010

Announcing: The Month of No Bugs (MONB)!

It is with great excitement and anticipation that I announce the Month of No Bugs (MONB)! This month, I promise NOT to look for any new bugs out there, NOT to artificially elevate my bugs above all others, NOT to complain that vendors should give me the attention I deserve, NOT to pound my chest and [...]
Continue Reading...
Disclosing the Elephant in the Room of the Disclosure Debate

Friday, July 23, 2010

Disclosing the Elephant in the Room of the Disclosure Debate

There has been a lot of discussion lately about vulnerability disclosure, with Google and Microsoft respectively weighing in with their latest opinions on the topic. There is really nothing new here, as evidenced by the Google folks referencing a 9-year-old Bruce Schneier essay on the topic. I have written extensively on the topic and the related [...]
Continue Reading...
There is no such thing as *Real* Value

Wednesday, May 26, 2010

There is no such thing as *Real* Value

Rich Mogull has started a fire on his Securosis blog addressing questions of value and loss. I would like to provide some feedback. Most importantly, I would like to address this point: “I consider that an implied or assumed value, which may bear no correlation to the real value” Rich’s reference to something called a real value [...]
Continue Reading...
Charlie Miller’s “Teach a Man to Fish” approach to disclosure: the happy medium?

Thursday, April 29, 2010

Charlie Miller’s “Teach a Man to Fish” approach to disclosure: the happy medium?

Pre-eminent bugfinder Charlie Miller mentioned an interesting approach to disclosure after he compromised another Apple system - demonstrate the attack, describe how the vulnerability was found, and let the chips fall where they may. (Actually, I think his “teach a man to fish” approach might have been ancillary to the pwn2own contest…) At this stage of [...]
Continue Reading...
Rudeness, risk and vulnerability disclosure

Monday, April 26, 2010

Rudeness, risk and vulnerability disclosure

Robert Graham at Errata Security has yet another thoughtful post - this one on the “rudeness” of vulnerability disclosure. His key point: “However, vuln disclosure isn’t friendly. It is an inherently rude act.” It is an interesting post, primarily focused on the psychological relationship between bugfinders and vendors, but the thing I find the most puzzling is [...]
Continue Reading...
Security Budget Planning in Three Easy Steps

Wednesday, March 10, 2010

Security Budget Planning in Three Easy Steps

Gunnar Peterson has a great post on security budgeting. His essential point is to apply a “flat tax” to all IT spending. The value is in its simplicity. We can get a lot more complex (and often do), but this is an excellent starting point. Don’t forget the business and don’t forget we are “optimizing” our [...]
Continue Reading...
prev next
Posted on February 1 2010 Read more...

Addressing the Advanced Persistent Threat (APT)

In the past few weeks, the Advanced Persistent Threat (APT) has been all the rage in the infosec world.  Security professionals everywhere are taking sides about whether APT is new or not, despite (or perhaps due to) the lack of a clear and consistent definition. It started with Google suggesting (but not explicitly stating) that the ...
Posted on January 14 2010 Read more...

What does “Aurora” mean in Chinese?

George Kurtz of McAfee is providing some details about the hack attack against Google et.al. purportedly originating in China. One of his comments: I am sure you are wondering about the name “Aurora.”  Based on our analysis, “Aurora” was part of the filepath on the attacker’s machine that was included in two of the malware binaries ...
Posted on December 14 2009 Read more...

Meet my friend Micromort - he’s one in a million!

No, it i's not some sort of mini-Mortman! It's micromort, or in other words, a one-in-a-million chance of death. How can you add (or is that subtract?)  a micromort to your... err.. life? Here are some options (from Wikipedia): smoking 1.4 cigarettes (cancer, heart disease) drinking 0.5 liter of wine (cirrhosis of the liver) spending 1 hours in ...
Posted on December 14 2009 Read more...

Quick and Dirty Risk Calculations - CSI Survey Edition

The Computer Security Institute recently released its 2009 survey results (must register). One of the charts in the executive summary lists the frequency of occurrence in the survey population. Without any other information more pertinent or specific to your organization, you can use this information for quick and dirty risk calculations. Let me illustrate. The frequency ...
Posted on December 14 2009 Read more...

Notes on the Heartland breach

The Heartland saga continues and it appears that things are going its way. Not only has the company been on a campaign to make lemons out of lemonade by selling the equipment ("end-to-end" encryption) to their customers (and, presumably others), but at least one shareholder lawsuit was dismissed. The class-action suit had some interesting information: First, ...
Posted on December 8 2009 Read more...

Should we change passwords every 90 days?

[I was unsuccessful trying to post this as a comment on the Securosis blog so figured I'd post it here instead.] David Mortman at Securosis recently posted with the following challenge: Show me any reasonable evidence that changing all your users' passwords every 90 days reduces your risk of being exploited. No wonder they don't always listen ...
Posted on November 20 2009 Read more...

ENISA Cloud Computing Security Project

Today, the European Network and Information Security Agency (ENISA) released its Cloud Computing Risk Assessment report. I enjoyed participating on the project and making a number of new friends. As with most workgroups, this project had its ups and downs as each member found his position within the group. One of the biggest challenges was ...
Posted on November 18 2009 Read more...

Last Night’s NCIS Backdoor

Last night's episode of NCIS revealed a secret that has been hidden for quite some time. There is a backdoor in all iris scanners - two people have had their iris minutiae programmed into every iris scanner and can unlock any protected door (which amounts to about 5 doors, but important doors they must be)! I ...
Page 3 of 102«12345»...Last »