An Information Security Community
Many people don't know or haven't heard of threat modeling let alone know how to do it.
Hackers and crackers break assumptions we have made for how a system will be used.
But how to make the right assumptions? One way is to predict evil based on past known threats.
This might be a good start but it's not enough because hackers will also break the assumptions we make based on past attacks and change their behavior.
The better assumption is that all input…Continue
Paul Asadoorian has summed it up quite nicely in EP 373 of the Security Weekly Podcast.
A good pentest not only answers the question “can my controls be breached?” but also the following questions:
Added by d3tm4r on June 1, 2014 at 7:31am — No Comments
Every now and then somebody starts an argument about whether or not it should be a secret which security products you are using.
I will tell you my opinion on that right away:
1.) Unless your risk profile is extremely high and you are one of the five or so organizations in the world who really have super awesome wicked OPSEC in place, don't even bother starting to think about keeping secret the fact that you…Continue
Added by d3tm4r on October 13, 2012 at 2:23am — No Comments
Today I read a blogpost by Fefe in which he rants about how folks just give up on trying to develop more secure code or even fix all bugs in their software but instead draw resources from bugfixing teams in benefit of building mitigations like sandboxing technologies.
Fefe criticizes Adobe's security chief Arkin for saying the following sentence:
“My goal isn’t to find and fix every security bug, I’d…Continue
Added by d3tm4r on February 11, 2012 at 7:44am — No Comments
I am lost - lost in an area of conflict.
Not that there were no solutions to solve the conflict.
In fact the conflict isn't as bad as it seems in the first place - at least this is my opinion.
You may be asking yourself exactly what am I talking about.
I am talking about the fact that we tell politicians and those in charge of IT:
Added by d3tm4r on October 2, 2011 at 3:00pm — No Comments
A friend who wants to start a career in information security asked me which books are a "must read".
It goes without saying that the one and only "must-read" is of course Jayson's book.
Since you found your way to this site, you'll probably already know that. ;-)
Up front I would like to say that I really doubt there are…Continue
Emmet Jorgensen has written an article on Infosecisland that I'd like discuss for a bit. It is about wether or not FUD only has a bad connotation or could actually do something good as well. I must say I kind of agree and at the same time strongly disagree with his stance.
Maybe you already have read the news: the local authority of the state of Niedersachsen in Germany seems to have blocked various anonymizing services such as Tor from accessing the state's websites.
The state office for statistics and communications technology stated that they have blacklisted several anonymizing services for security reasons, to better…Continue
I think I am a polite and forthcoming person. Most of the time.
So when a sales representative of a reputable and well-known security vendor calls me, I will most of the time listen to what they are offering, although I really don't appreciate cold-calling. I will first see if I can somehow verify the identity of the caller before even continue talking to him or her. Since the person already managed to get my phone number, I will allow him to send me an email with his contact…
Added by d3tm4r on June 18, 2011 at 12:00pm — No Comments
Are you keeping track of how many organizations have been breached and their data stolen this week?
I stopped counting.
But it is very interesting to see how different organizations react to data breaches. Those who obviously don't have proper incident handling & response procedures mostly are hit much harder, detect the breach much later and in addition to that get very bad public reputation for it after the breach becomes public.
Those organizations who detect…Continue
Added by d3tm4r on June 16, 2011 at 4:38pm — No Comments
Here's my take on Dancho Danchev's great article 5 reasons why the proposed ID scheme for internet users is a bad idea on ZDNet. Politicians all over the world have finally realized that internet crime is a serious business and they want to do something to counter it. They overreact because they realize that they slept through that development and now…Continue
Added by d3tm4r on May 25, 2011 at 7:00am — No Comments
Humans are great at detecting patterns and abstracting knowledge and in successfully applying these patterns and principles to very disparate fields. This can happen for all kinds of small tasks that we have to fulfill on a daily basis.
It can also lead to some of mankind's greatest philosophical models like Taoism, Confucianism and Buddhism.
I could also mention some other religions and philosophies but I want to stick with…Continue
I am not sure if this is worth a blog post but it's definitely too long for a tweet.
Today I was totally blown away by the precision of Apple's location service - on the iPod Touch!
It is well known for a long time that all iOS devices use Apple's location database which is comprised of cell-tower locations as well as the locations of Wifi hotspots and access points. Of course there is also a knowledge base…Continue
Added by d3tm4r on May 5, 2011 at 3:00pm — No Comments
Just dumping some shell output and comments today. :)
If you haven't read the first issue of this series of articles on IPv6, I'd recommend you read it first.
IPv6 Attack Toolkit by THC (The Hacker's Choice)
You can download the tools here: http://www.thc.org/thc-ipv6/
Right now there is no…Continue
Here is my list of infosec podcasts I listen to or have listened to now and then.
Podcasts that I listen to regularly
(ordered by preference)
1.) Risky Business @riskybusiness
2.) Pauldotcom Security Weekly @pauldotcom
3.) Social-Engineer Podcast by @humanhacker @dave_rel1k…Continue
If you are into network security, now is the time to acquaint yourself with IPv6.
If you're planning to buy or perform a penetration test on your site, make sure that IPv6 is incorporated in the test.
If the pentest firm that you hired does not incorporate it or reacts kind of hesitant or surprised, get another vendor!
Why? Because IPv6 is and has been enabled in all kinds of operating systems and networking devices for some…Continue
Added by d3tm4r on April 16, 2011 at 8:30am — No Comments
It's quite amazing to watch people's reactions when things that you told them could or would happen actually do happen.
This throws up the question if we ever can proactively prevent bad things from happening as long as we are depending on a broader community to actually help and enable society to prevent them from happening.
Those are not only my own personal thoughts - this is an observation which is quite old and now being discussed again very widely.
It has also been…Continue
Added by d3tm4r on April 2, 2011 at 5:30am — No Comments
I am getting the impression that the end user is not supposed to ever mistrust any of those CAs that all browser and OS vendors are shipping with their products for our convenience.
The Comodo hack was only one incident in a row of incidents that show us that the trust model of PKI for SSL certificates is broken in many ways.
First off there are far too many CAs that your browser or operating system trusts per default.
Your browser or operating system trusts them so…Continue
Added by d3tm4r on March 5, 2011 at 1:30pm — No Comments
Whether it's good or not that a government is…Continue