
    Offtopic again, but I’m going to keep running with the NoSQL stuff.
(Image credit: http://www.browsertoolkit.com/fault-tolerance.png)

    Nicely following on from my last post, The Register reports from the BSides security conference.

    Lessons from the Google hack for Universities, part I

    More details are coming out about the Google/China hacking incident. There’s even talk of how resistance is futile.

    Dave Aitel from Immunity, who is one of the top guys out there on the offensive side, has been making this point for a while. Given a modern penetration toolkit (Canvas for the flush, Metasploit for the cheap), breaking into nearly any organisation is possible. Given more resource, pretty much anything softer than GCHQ/NSA is a target. It’s just a matter of time, effort and economics. How many person-days is it worth the attacker spending on breaking in?

    For the defender, things are muddied even further by the issue of unpatched bugs, or zero-days. How do you defend against an attack for which no patch, anti-virus signature or IPS rule exists? To quote Dave again:

    Everyone says an attack is “sophisticated” whenever any 0day is involved. But that should be the baseline. Or rather, it IS the baseline and everyone seems to just be finding out.

    Universities maybe can be less worried by this than most, but not for good reasons. Attackers use their resources wisely: there’s no need to use an expensively developed zero-day Internet Explorer exploit when there’s an unpatched copy of WordPress running on the user webserver and no DMZ.

    For most people and organisations this is somewhere between unpalatable and unacceptable. It’s saying that even if we keep all our systems patched and make sure every PHP app anywhere on the network is secure we’ll still be 0wn3d. And the reality is that most Universities (especially the older ones) are so devolved that even getting everything patched is a Sisyphean task.

    So if a senior manager asks “What is the point of employing these InfoSec staff if we are going to be broken into anyway?” it’d be best to have a good response ready. That’s something we’ll return to in a future post (along with a post on the mechanics of how targeted attacks work).

    The important question isn’t whether cameras solve past crime or deter future crime; it’s whether they’re a good use of resources. They’re expensive, both in money and in their Orwellian effects on privacy and civil liberties. Their inevitable misuse is another cost; police have spied on naked women in their own homes, shared nude images, sold best-of videos and even spied on national politicians. Though we might be willing to accept these downsides for a real increase in security, cameras don’t provide that.
    — Bruce Schneier on CCTV. An excellent article on CNN that explains more eloquently than I can why we should worry about CCTV.
    It’s another Downfall remix, and it’s even on-topic for this blog (via Pangloss).

    NoSQL, MySQL and memcached. Post from HighScalability.com

    Not security related particularly, but I’ve just read two interesting articles over at High Scalability.

    First up there’s an article entitled MySQL and Memcached, the end of an era (for those of us who work in more “enterprise” shops this raises a wry smile because in this world MySQL is still regarded as daring technology, never mind memcached). Secondly there’s the classic How I learned to stop worrying and love using lots of disk space to scale, which is the best introduction I’ve read so far to the NoSQL model.

    Most writing online is devolving toward SMS and tweets that involve quick, throwaway notes with abbreviations and threaded references. This is not a form of lasting communication. In 2020 there is unlikely to be a list of classic tweets and blog posts that every student and educated citizen should have read.
    — Gene Spafford, via ArsTechnica
    Pangloss has an excellent description of the implications of the European E-Commerce Directive on the convictions of Google employees on privacy charges in Italy.

    “Microsoft has won a court-issued take-down order against scores of domains associated with controlling the spam-spewing Waledac botnet….[the] order allows the temporary cut-off of traffic to 277 Internet domains that form command and control nodes”

    It’s good to see the legal route being used in such a productive way. It may not be a permanent solution, but it’s still a good amount of disruption. Thanks Microsoft.

    On the News of the World phone hacking

    Following on from yesterday’s discussion of password stealing, we have the recent report by the House of Commons Culture, Media and Sport select committee on hacking at the News of the World.

    The general aspects of the case are covered elsewhere (and may well be dug up again by a judicial review, it seems), but I thought I’d add two comments.

    Firstly it shows, again, the uselessness of passwords as a means of protecting sensitive information. Exactly how this “hack” occurred isn’t public, but I’ll put up hard cash that it was a social attack and not a technical one. Over on At The Sauce there’s a description of how one journalist believes his voicemail was accessed, and it seems very plausible. As ever, the simplest way of obtaining a password is to just ring up the provider and ask for it.

    Secondly, the MPs are quoted as being “surprised” that this action wasn’t illegal. It’s always seemed strange that accessing an already read email, or already listened to voicemail, isn’t interception. Hopefully that will change as a result of this. Gaining access by technical means (like the Prince Philip Prestel hackers, or the Paris Hilton case) leads to a charge under the Computer Misuse Act, but that doesn’t apply to these attacks.

    Yates told the committee it was hard to get convictions for accessing others’ voicemails under the Regulation of Investigatory Powers Act. The committee recommended that the law be amended to cover all hacking of messages. (Source)
