Blog

More SCADA News- Water Plant Hacked

By Rich
I’m linking to Jim at DCS Security - he has the best SCADA background in the blog community and hopefully he’ll dig into this particular hack a little more:

http://dcssec.blogspot.com/2006/11/more-on-water-system-hack.html

The more we transition process control networks to the same tech we run the Internet on, and the same Windows and *nix systems we run our homes and businesses on, the more incidents like this we’ll see… (my original post on SCADA)

Month of Kernel Bugs Starts With Apple: November Should be Fun

By Rich
The first flaw isn’t all that interesting (affecting older PowerBooks, and only under certain conditions) but methinks November will be pretty darn interesting:

http://blogs.zdnet.com/Ou/?p=359
http://kernelfun.blogspot.com/
http://www.securityfocus.com/brief/344
http://blog.washingtonpost.com/securityfix/2006/11/exploit_released_for_unpatched_1.html
http://www.mckeay.net/secure/2006/11/a_month_of_kernel_bugs.html

More later, but the nasty ones to watch out for will, I expect, generally be either for wireless drivers (like this one), or file systems (and make nasty USB keys with). Remember, these all run in ring 0 and can do

Top Five Steps to Prevent Data Loss and Information Leaks

By Rich
One of the great things about the Internet is that it allows isolated assholes to connect and communicate like never before. Thus Rothman and I, mere professional acquaintances and friendly faces at a few industry events, can engage in deeper dialog, dragging any of our loyal readers down with us. (Mike and I are the assholes, not you guys. Except maybe for Will). I like it when smart guys like Mike push me, it makes for better analysis. I published a little on data security a few weeks ago, and Mike calls for a simpler approach. I thought about it

Evilsquirrel Enterprises Announces North American Expansion

By Rich
Evilsquirrel Enterprises Announces North American Expansion

Leaders in world domination to expand geographic services.

Undisclosed HQ, USA, Oct. 31, 2006 – Evilsquirrel Enterprises, the leading provider of world domination services, announced today that they are leveraging their best-in-class international infrastructure to expand into the North American market. As the preeminent world domination specialists, enterprises now have a truly global provider offering unmatched services and support. “Our success at Evilsquirrel is that we listen to our customers,” said Squirrelzilla, CEO of Evilsquirrel Enterprises. “Their screams of agony feed our

If You Think Boarding Passes and IDs Improve Security, You Shouldn’t Be In Security

By Rich
There’s been a lot of hubbub the past couple of days over Christopher Soghoian posting a tool to let anyone print their own boarding pass. While I’m all for publicizing security silliness, I personally try and avoid things that might invite 2 a.m. non-social visits from the FBI. The thing is, anyone who thinks ID checks and boarding passes provide any security at all to planes (or any public area) shouldn’t be working in security. I spent a lot of time providing security for large crowds and public spaces. IDs and boarding passes are a weak

Security = Compliance, Compliance Rarely = Security

By Rich
Good security will almost always make you compliant (or pretty darn close, not counting all the documentation). Compliance alone will pretty much never make you secure. ‘Nuff said. (Inspired by this from Rothman, who I swear isn’t giving me kickbacks)

Risk Management: Set Your Domain Experts Free

By Rich
The blogosphere is kind of funny sometimes as we all run around referencing each other constantly, so you’ll have to excuse the “my sister’s best friend’s 2nd cousin twice removed’s boyfriend’s bookie” path for this post. (Actually, I really dig all our cross referencing, I think it creates a cool community of experts). Everything started with Alex Hutton’s What Risk Management Isn’t post, to which Mike Rothman replied, to which Arthur at Emergent Chaos replied. Follow that? Me neither, so here’s most of Arthur’s post (hopefully he doesn’t mind I lifted

The Three Types of Best Practices

By Rich
Jim over at DCS Security (a great new blog) just finished his last in a series of good posts on security layers. He brings up a favorite subject of mine, best practices:

“Essentially best practices is a bunch of smart (hopefully) guys sitting around in Gartner, Forrester, D&T, PWC, E&Y, SANS, and other groups coming to a consensus on which controls cover the closest to 100% for a given threat they are looking at and which are the best controls to put in place.”

I hate to dash his hopes, but it turns out that’s not really how

How I Know There Are Very Few

By Rich
Anton Chuvakin eviscerates me here for claiming there are very few 0days (what Shimel is starting to call Less than Zero Days). Come on, Rich? How do YOU know? Given that we know (and you yourself state) that there are very few ways to prevent, block or even detect it … What might be more true is that an average security-sloppy enterprise has more to fear and more to lose from “stale” attacks; however, it is NOT the same as to say that there are few 0days out there. I am stunned when folks make those claims. BTW, check out this list