Friday Summary - July 17, 2009
By Adrian Lane
I apologize to those of you reading this on Saturday morning – with the stress of completing some major projects before Black Hat, I forgot that to push the Summary out Friday morning, we have to finish it off Thursday night. So much for the best laid plans and all.
The good news is that we have a lot going on at Black Hat. Adrian and I will both be there, and we’re running another Disaster Recovery Breakfast, this time with our friends over at Threatpost. I’m moderating the VC panel at Black Hat on Wednesday, and will be on the Defcon Security Jam 2: The Fails Keep on Coming panel. This is, by far, my favorite panel. Mostly because of the on-stage beverages provided.
Since I goon for the events (that means work), Adrian will be handling most of our professional meetings for those of you who are calling to set them up. To be honest, Black Hat really isn’t the best place for these unless you catch us the first day (for reasons you can probably figure out yourself). This is the one conference a year when we try and spend as much of our time as possible in talks absorbing information. There is some excellent research on this year’s agenda, and if you have the opportunity to go I highly recommend it.
I think it’s critical for any security professional to keep at least half an eye on what’s going on over on the offensive side. Without understanding where the threats are shifting, we’ll always be behind the game. I’ve been overly addicted to the Tour de France for the past two weeks, and it’s fascinating to watch the tactical responsiveness of the more experienced riders as they intuitively assess, dismiss, or respond to the threats around them. While the riders don’t always make large moves, they are the best at sensing what might happen around the next turn and positioning themselves to take full advantage of any opportunities, or head off attacks (yes, they’re called attacks) before they pose a risk. Not to over-extend another sports analogy, but by learning what’s happening on the offensive side, we can better position ourselves to head off threats before they overly impact our organizations.
And seriously, it’s a great race this year with all sorts of drama, so I highly recommend you catch it. Especially starting next Tuesday when they really hit the mountains and start splitting up the pack.
And now for the week in review:
Webcasts, Podcasts, Outside Writing, and Conferences
- Martin interviews Steve Ocepek on this week’s Network Security Podcast (plus we cover a few major news stories).
- Rich is quoted in a Dark Reading article on implementing least privilege.
- Rich is quoted alongside former Gartner co-worker Jeff Wheatman on database privileges over at Channel Insider.
- John Sawyer refers to our Database Activity Monitoring paper in another Dark Reading article.
Favorite Securosis Posts
- Rich: Adrian’s Technology vs. Practicality really hit home. I miss liking stuff.
- Adrian: Database Encryption, Part 6: Use Cases. Someone has already told us privately that one of the use cases exactly described their needs, and they are off and implementing.
Other Securosis Posts
- Oracle Critical Patch Update, July 2009
- Microsoft Patched; Firefox’s Turn
- Second Unpatched Microsoft Flaw Being Exploited
- Subscribe to the Friday Summary Mailing List
- Pure Extortion
Project Quant Posts
- We’re getting near the end of phase 1 and here’s the work in progress: Project Quant: Partial Draft Report
Favorite Outside Posts
- Adrian: Amrit Williams’ North Korea: Cyber Scapegoat of the World. The graphic is priceless!
- Rich: David and Alex over at the New School preview their Black Hat talk.
Top News and Posts
- Microsoft Windows and Internet Explorer security issues patched.
- Oracle CPU for July 2009.
- Goldman Trading Code Leaked.
- Mike Andrews has a nice analysis on Google Web “OS”.
- Twitter Hack makes headlines.
- LexisNexis breached by the mob?
- Vulnerability scanning the clouds.
- State department worker sentenced for snooping passports.
- Casino sign failure (pretty amusing).
- PayPal reports security blog to the FBI for a phishing screenshot.
- A school sues a bank over theft due to a hacked computer. This is a tough one; the school was hacked and proper credentials stolen, but according to their contract those transfers shouldn’t have been allowed even from the authenticated system/account.
- Nmap 5 released – Ed’s review.
Blog Comment of the Week
This week’s best comment comes from SmithWill in response to Technology vs. Practicality:
Be wary of the CTO/car fanatic. Over-built engines = over-instrumented, expensive networks. But they’re smoking fast!