First day of May, and I’m feeling OK! The sickness has passed through me and I’m feeling 99% better with the exception of still being a little tired.
Here’s the list for today:
MITMing an SSLized Java App – Good article
I was recently working on a Java-based application that communicated exclusively over SSL. This is a good thing for the application, but a bad thing for someone trying to test it. I naively thought that I could edit a couple of files and boom, be on my way.
Encryption for PCI Compliance – Good discussion on key lengths, algorithms, backups, etc. to meet PCI compliance.
Although we have discussed encryption and the PCI requirements before, many people still do not understand how to properly implement secure encryption systems. So, this post is aimed to make this as simple to understand as possible by answering the common questions that people ask.
Nokia eyes scalability with new security appliance – You can keep throwing hardware at the problem but ultimately Check Point has to work on the performance of their software.
The IP690 is based on a multicore, multithreaded Intel Corp. processing platform to accommodate future software, including applications from other vendors, Taylor said. It’s Nokia’s first appliance based on this kind of architecture.
Power of Negotiation – Insightful post.
Spinning up a new security program is no easy feat. Neither is changing the direction of one that is already in place. One of the first things that everybody identifies as necessary is policy. Whenever the auditors come through an organization or department, documented policies are one of the first things they ask to review. But policies are one of the hardest things in security, or business for that matter, to generate and update. Heck, in comparison, ethics is easier than policies. In ethics, usually, when a person has to think about something then they are probably crossing the line. But with policies, how much is enough and where does it start crossing the line? By line I am talking about things such as cost efficiency, individual privacy, and any number of other questionable subjects.
Think *ACCIDENTAL* Leak Prevention – It’s really like rubber sheets for your bed…just in case
Here is a useful bit of insight that emerged from this discussion: if you think of such products as ACCIDENTAL leak prevention defenses, you will likely get over the intense desire to claim that “they are all hopelessly broken by design.” This idea was inspired by this post, which said: “There is no doubt that these systems are evadable […] Inadvertent data leakage is a different story [and can be managed effectively].”
Open Source Training – I’m not sure how valid Wireshark certification would be but the BSD one looks interesting.
I’d like to mention a few notes on training for open source software that appeared on my radar recently. The first is Wireshark University, the result of collaboration among Laura Chappell and her Protocol Analysis Institute, Gerald Combs (Wireshark author), and CACE Technologies, maintainers/developers of WinPcap and AirPcap. WiresharkU is offering a certification and four DVD-based courses, along with live training delivered through another vendor.
Wireless NAC != Wireless IPS: AirTight…Leaks… – Good assessment.
Rob Graham and I came in contact with some Airtight boxes. In case you don’t know, they are a maker of wireless IDS technology. Since we know a thing or two about wireless we wanted to look and see how these boxes work and if they perform as advertised. If you don’t want to read the entire blog post, the short answer is: not completely. In our quick peek we found 3 problems. If we were doing a real assessment we would have pulled out the screwdrivers, ICE gear, and disassembler, but instead we looked at this from a blackbox remote perspective.
Should the Network Security Industry Exist? – Am I obsolete already?
Last week, I read that well known security expert and writer Bruce Schneier recently opined that there should be no network security industry, because software vendors should make their products so secure that there would be no need for third party security products. He apparently said this at the Infosecurity conference in London (which, interestingly enough, is sponsored by security vendors). You can read about his comments here (incidentally, all of us here hold Bruce in very high regard, so this blog post is not intended to be criticism of him).
Hiding Inside a Rainbow – Very clear post about rainbow tables. Didier’s been motivated since returning from Black Hat Europe.
Steganography is the art of hiding messages so that the uninitiated wouldn’t suspect the presence of a message. A rainbow table is a huge binary file used for password cracking. This is the first in a series of posts on research I’ve done on how to hide data in rainbow tables, and how to detect its presence.
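Since the excerpt only says a rainbow table is “a huge binary file used for password cracking,” here is an added example (mine, not code from Didier’s post, and not his hiding technique) that builds a toy rainbow table in Python, shows why only start and end points need to be stored, then stuffs a message into the stored end points in the most naive way possible and shows the consistency check that catches it: every genuine end point is fully determined by its start point, so recomputing the chains exposes records that were not produced by the table generator. The charset, MD5, chain length, file layout and the hiding scheme are all assumptions chosen to keep the example small.

```python
import hashlib
import itertools

# Toy parameters (assumption): 4-letter lowercase passwords, MD5, 50-step chains.
CHARSET = b"abcdefghijklmnopqrstuvwxyz"
PW_LEN = 4
CHAIN_LEN = 50
REC_LEN = 2 * PW_LEN  # toy on-disk record: start point followed by end point

def h(pw: bytes) -> bytes:
    return hashlib.md5(pw).digest()

def reduce_(digest: bytes, col: int) -> bytes:
    """Reduction function: map a digest back into the password space.
    Mixing in the column index is what makes this a rainbow table rather than
    a plain Hellman table (it keeps merged chains from staying merged)."""
    n = int.from_bytes(digest[:8], "big") + col
    out = bytearray()
    for _ in range(PW_LEN):
        n, r = divmod(n, len(CHARSET))
        out.append(CHARSET[r])
    return bytes(out)

def build_chain(start: bytes) -> bytes:
    """Walk one chain (start -> hash -> reduce -> ...) and return its end point."""
    pw = start
    for col in range(CHAIN_LEN):
        pw = reduce_(h(pw), col)
    return pw

def build_table(starts):
    """Only end -> start is stored; the intermediate values are recomputed on demand."""
    return {build_chain(s): s for s in starts}

def lookup(table, target: bytes):
    """Recover a preimage of `target` if it lies in some stored chain, else None."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_(target, col)           # assume target is the hash at column `col`
        for c in range(col + 1, CHAIN_LEN):
            pw = reduce_(h(pw), c)          # walk the rest of the way to the chain end
        start = table.get(pw)
        if start is None:
            continue
        cand = start                         # regenerate the chain to find the real preimage
        for c in range(CHAIN_LEN):
            if h(cand) == target:
                return cand
            cand = reduce_(h(cand), c)
        # end point matched but target was not in this chain: a merge, keep searching
    return None

def serialize(table) -> bytes:
    """Toy file format (assumption): fixed-size records sorted by end point."""
    return b"".join(start + end for end, start in sorted(table.items()))

def embed(blob: bytes, secret: bytes) -> bytes:
    """Hypothetical hiding scheme: overwrite the end-point field of the first
    records with the secret, PW_LEN bytes per record."""
    recs = bytearray(blob)
    chunks = [secret[i:i + PW_LEN].ljust(PW_LEN, b"\x00")
              for i in range(0, len(secret), PW_LEN)]
    if len(chunks) * REC_LEN > len(blob):
        raise ValueError("table too small for secret")
    for i, chunk in enumerate(chunks):
        off = i * REC_LEN + PW_LEN
        recs[off:off + PW_LEN] = chunk
    return bytes(recs)

def extract(blob: bytes, nbytes: int) -> bytes:
    """Read the hidden bytes back out of the end-point fields."""
    out = b""
    for i in range(0, len(blob), REC_LEN):
        if len(out) >= nbytes:
            break
        out += blob[i + PW_LEN:i + REC_LEN]
    return out[:nbytes]

def verify(blob: bytes):
    """Detection: recompute every chain from its start point and report the
    record indices whose stored end point does not match."""
    bad = []
    for i in range(0, len(blob), REC_LEN):
        start, end = blob[i:i + PW_LEN], blob[i + PW_LEN:i + REC_LEN]
        if build_chain(start) != end:
            bad.append(i // REC_LEN)
    return bad

def sample_starts(n: int):
    """Constructed sample: the first n words of the keyspace as start points."""
    return [bytes(t) for t in itertools.islice(itertools.product(CHARSET, repeat=PW_LEN), n)]

if __name__ == "__main__":
    table = build_table(sample_starts(200))
    clean = serialize(table)
    print("records:", len(clean) // REC_LEN, "bad:", verify(clean))
    stego = embed(clean, b"meet at noon")
    print("hidden:", extract(stego, 12), "bad:", verify(stego))
```

The check in `verify` is the general point: because a table generator derives each end point deterministically from its start point, any scheme that rewrites stored bytes (start or end) is detectable by anyone willing to spend the same CPU time the generator did. A hiding scheme that instead encodes data in the choice of start points would survive this check, which is why the real detection question is subtler than this toy shows.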
XML Firewall Architecture and Best Practices for Configuration and Auditing – GSEC Gold Certification honors paper from Don Patterson (PDF format)
Stealth for Survival: Threat of the Unknown – GCIH Gold Certification paper from Ken Dunham (PDF format)