Security

Jim's blog

Tuesday, November 2. 2010

Axenic Web Site





Last week my business web site for Axenic Ltd went live after a few months of gestation and a week or so of concentrated labour. Thanks to Chris Blunt for his efforts on the content and Plastic Studio for the design work.
Posted by
in Security at 22:40 | Comments (0) | Trackbacks (0)

Wednesday, August 26. 2009

A practical view of security

Crypto nerd
Posted by
in Security at 14:19 | Comments (0) | Trackbacks (0)

Thursday, March 5. 2009

The pain of security

I have just been reminded of Marcus Ranum's "The Six Dumbest Ideas in Computer Security".

The idea that we should only allow what is necessary for the function we need to deliver is usually only thought of at the level of firewalls and other network level systems. Once we get onto a workstation or server we generally have access to a wide range of services by default - even on a locked down system.
I am going to start taking a serious look at the hundreds of installed packages on my Ubuntu laptop to see what I can remove or disable without stopping me doing what I need to on a day to day basis.

One that comes instantly to mind is the Vodafone Mobile Connect Client. The Gnome Network manager now handles my Vodem 3G USB device properly and I am no longer using VMC. Of course I won't be able to send or receive text messages (unless there is something else to do that) but actually apart from an initial test to see if it works, I never did anyway.

I'll keep a record of my application and executable cleanup activity and update this from time to time.
Posted by
in Security at 14:45 | Comments (0) | Trackbacks (0)

Wednesday, October 1. 2008

Security thinking

Another excellent article by Bruce Schneier on how our thinking on security makes us take illogical steps to prevent attacks similar to previous ones rather than focussing on how to best protect ourselves in a more general way. We are more scared of events that are statistically unlikely to occur than events like plane crashes and terrorist bombs that are extremely unlikely (in most parts of the world).

It got me wondering about how the US governments response to the current financial crisis is like their response to 9/11. Is the massive cash injection that they are trying to get through Congress a knee-jerk response that will cover one of the cracks until the next crisis arrives in an unexpected form? What really needs to be done to protect the world's population from this kind of event?
Posted by
in Security at 12:41 | Comments (0) | Trackbacks (0)

Thursday, July 31. 2008

I have just re-discovered this article by Marcus Ranum - long time security guru and developer of one of the world's first network firewalls.

I see similar issues all the time in the course of my work - there is frequently not time or budget to do a thorough job of securing a system but often both are needed to fix it downstream. There is one customer of mine who pulled an application release shortly before go live day after we looked at the risks they would be exposed to. It will be deployed but in a different framework and with only strictly required network connectivity.
Posted by
in Security at 14:41 | Comments (0) | Trackbacks (0)

Friday, July 4. 2008

Another hacked biometric security system

Computerworld has this this article on how a researcher made a rubber fingerprint copy and made a retail purchase at a store trialling a new payment system. It's not a great recommendation.
Posted by
in Security at 11:37 | Comments (0) | Trackbacks (0)

Wednesday, July 2. 2008

Intrusion detection etc

Some years ago I was involved in the design of a managed security service. For a variety of reasons it was less successful than I (and the company) expected and it was a very hard sell to customers who couldn't see the point for the most part - or at least the cost-benefits.

I just found this blog quoting some really interesting research pointing out the time that most vulnerabilities exist before compromise, detection and mitigation, and showing where IDS and managed security services may still have a useful place.
Posted by
in Security at 13:55 | Comments (0) | Trackbacks (0)

Wednesday, March 5. 2008

If an attacker has physical access it's all over anyway


The guys at SecurityAssessment.com have been digging into the techniques of tapping directly into memory of a running PC using standard Direct Memory Access (DMA). External peripheral buses such as Firewire and PCMCIA use DMA for fast efficient transfer of data directly into host memory.
Adam Boileau of SecurityAssessment.com has demonstrated how he connected his Linux laptop into the Firewire port of a laptop running Windows XP and accessed its memory to bypass user authentication processes. This how DMA and Firewire are designed to work and is not a flaw in the Microsoft operating system (contrary to the article headline).
Posted by
in Security at 15:00 | Comments (0) | Trackbacks (0)

Monday, October 29. 2007

Graphics cards as a hacker tool

I am regularly trying to figure the tradeoff with clients between password lengths, lifetimes, complexity and ease of remembering for staff. A complex password takes longer for a hacker to crack so doesn't need to be changed as often. Less frequent password change makes it a bit easier for staff to manage more complex passwords. However this article points out that the tools hackers have available are growing ever more powerful. The GPU in high end graphics cards appear to be able to crack complex passwords in days rather than month so do we need to advise staff to change complex passwords on a daily basis? That would be almost impossible in most organisations.

Smart cards are looking better and better...

From Realtime Web Security referring to a New Scientist article that I'll need to look up.

It's easy to forget how computationally powerful some graphics cards are. They create near realistic renderings of objects and it turns out their good for password cracking, too. New Scientist is reporting that Elcomsoft, a Moscow based software company, has filed for a US patent on a technique to radically improve the speed of password cracking using off the shelf video cards like nVidia's GeForce 8800
... read more

Posted by
in Security at 11:49 | Comments (0) | Trackbacks (0)

Wednesday, October 17. 2007

x86 Memory system and virtualisation

The X86 Memory System And Why It's Hard To Virtualize Securely

The first in a series of articles by Thomas Ptacek about how the x86 system memory architecture makes secure virtualisation difficult.

This reinforces the message I got some time ago from a colleague working in the hacking/forensics field forensics who pointed out that encrypted disks and related technologies are useless if you can gain access directly into system memory through a DMA channel. PCMCIA slots (and probably USB) have DMA capabilities that are easily usable by a competent hacker with physical access to a computer.

from Security Focus
Posted by
in Security at 14:55 | Comments (0) | Trackbacks (0)

Tuesday, October 16. 2007

Spam is less of an issue for many people

According to this article

Most people are seeing less spam because of filters provided by either their workplace or ISP.

Posted by
in Security at 11:12 | Comments (0) | Trackbacks (0)

Tuesday, October 9. 2007

Microsoft release Windows 2008 server RC0

Just noticed that Microsoft have announced Windows Server 2008 Release Candidate 0.

You can download it.

How long before the hackers have cracked it?
Posted by
in Security at 11:39 | Comments (0) | Trackbacks (0)

Monday, October 8. 2007

NZ companies under-invest in security

Why do NZ companies invest less in security than those overseas?

http://computerworld.co.nz/news.nsf/scrt/F27620C382A5B1D3CC257363007FFE18
Posted by
in Security at 14:57 | Comments (0) | Trackbacks (0)

Phishers target Linux

Linux servers are a desirable target for phishers as they provide a more flexible framework for launching attacks. Researchers are finding more and more Linux servers being compromised by hackers.

"The vast majority of the threats we saw were rootkitted Linux boxes, which was rather startling. We expected Microsoft boxes," he said.

and

"Since Linux machines can be used to more easily create specially crafted networking packets, they can be used in highly sophisticated online attacks, said Iftach Amit, director of security research with Finjan's malicious code research centre.

Capabilities like this make Linux machines highly coveted by online attackers, and they fetch a premium in the underground marketplace for compromised machines, Amit said."

Read the article here
Posted by
in Security at 14:49 | Comments (0) | Trackbacks (0)

Monday, September 24. 2007

Hacker bears bad news about PDF

And you thought PDF was a 'safe' format to download text in... You shouldn't just download PDF files assuming that they are safe to view. A researcher has identified a major flaw in all versions of Adobe's Acrobat PDF Reader according to Computerworld.

The hacker who discovered a recently patched QuickTime flaw affecting the Firefox browser says he has found an equally serious flaw in Adobe Systems's PDF file format.

"Adobe Acrobat/Reader PDF documents can be used to compromise your Windows box. Completely!!! Invisibly and unwillingly!!!," wrote Petko Petkov, in a breathless Thursday blog posting. "All it takes is to open a PDF document or stumble across a page which embeds one."

Petkov said he had confirmed the issue on Adobe Reader 8.1 on Windows XP and that other versions may be affected.


Read the complete article.
Posted by
in Security at 12:47 | Comments (0) | Trackbacks (0)
(Page 1 of 2, totaling 24 entries) next page »

Categories



All categories

Static Pages

Frontpage
Truant Photos
Hookey
Building Hookey
Resolution Photos for Charlie
Spar turning arrangement
Links
Plimmerton Classic Boats 2008
test
Weather

Last Google Search

mollyhawk seagull welsford jim Brousseau

Random Quotes

"Everyone has a talent. What is rare is the courage to nurture it in solitude and to follow the talent to the dark places where it leads."
Erica Jong

Archives

Syndicate This Blog

Powered by

Serendipity PHP Weblog

Wellington Weather

Loading the PEAR Services/Weather module failed. Please insure that the module is installed.