
{ Category Archives } Information Security

Related to information security, risk management, compliance, etc

Could PRISM Improve Enterprise Security Response?

While we’re all up in arms about the unwarranted data collection that the NSA has been performing, and the potential issues around privacy and legality of the PRISM program, one intrepid reporter stopped to ask the question of how much this is costing US taxpayers. “The program was expected to cost $278 million in […]

The Malware Problem

I like the term ‘malware.’ If you step out of the marketing for a minute, it’s a very simple, clear term to describe software that does something bad in your execution environment. A virus is a kind of malware, and so are rootkits, malicious shell code, and just about anything else you don’t like […]

Information Security Logos


The Interconnected Web and Shifting Target Surfaces

Take a look at what’s in your browser right now. I’ll go ahead and assume you’ve got multiple tabs open. They each display a different site, which is probably pulling in code and content from at least 3 or 4 distinct sources, maybe more, not to mention the 3rd party libraries and tools that are […]

The Blurry Line of Marketing Funded Research

Microsoft’s Security Engineering Center recently published a document called Software Vulnerability Exploit Trends. In reading it, I was confronted with a familiar feeling, a mix of interest and frustration that I’ll just call frustinterest. I was totally frustrinterested in this document. It had charts like this one. I really want to love this chart. It’s […]

New Fox Series: When Clouds Go Bad!

Here’s the scenario: you’re a nefarious attacker and you want to compromise some boxes, install your malware and run a little (or huge) botnet. There are plenty of malware and botnet options for you to choose from, but you still need a few things. You need some internet connected storage on which to host the […]

Understanding Intent and Control – When Defaults Attack

Article “A Japanese ministry is conducting an internal investigation after a Google Groups account used for international treaty negotiations was left on its default, publicly viewable settings.” It’s tempting to say that Google should change the defaults to be more secure. Security professionals understand the default-deny stance really well, but there are other perspectives to […]

Hackers and Auditors: A Common Threat

And here’s the link to the webcast. 253 people attended live, which I think was pretty darn good.

Web App Vuln Stats

Some stats about Web Application vulnerabilities from White Hat Security. Around 30 percent of websites are likely to contain content spoofing bugs; 18 percent, insufficient authorization; 17 percent, SQL injection; 14 percent, predictable resource location; 11 percent, session fixation; 11 percent, cross-site request forgery (CSRF); 10 percent, insufficient authentication; 9 percent, HTTP response-splitting flaws. To […]

There Is No Perimeter

Ok, so ATMs are computing devices and ergo they’re vulnerable to attack. Why is this attack interesting? Why is it worth a post? Well, let’s start here: “This is not something the average hacker on the street would have access to,” he adds. “They need physical access to the ATM — they need to have […]
