D3tm4r's Blog (26)

Threat Modeling Card Game "Elevation of Privilege (EoP)"

Many people don't know or haven't heard of threat modeling let alone know how to do it.

Hackers and crackers break assumptions we have made for how a system will be used.

But how to make the right assumptions? One way is to predict evil based on past known threats.

This might be a good start but it's not enough because hackers will also break the assumptions we make based on past attacks and change their behavior. 

The better assumption is that all input…


Added by d3tm4r on January 31, 2015 at 7:24am — 1 Comment

What differentiates a pentest from other tests?

Paul Asadoorian has summed it up quite nicely in EP 373 of the Security Weekly Podcast. 

A good pentest not only answers the question “can my controls be breached?” but also the following questions:

  • How can I be breached?
  • How much damage to my business can a breach do?
  • Where am I most likely to be breached given my current…

Added by d3tm4r on June 1, 2014 at 7:31am — No Comments

Silly Secrets(!|?)

Every now and then somebody starts an argument about whether or not it should be a secret which security products you are using.

I will tell you my opinion on that right away:

1.) Unless your risk profile is extremely high and you are one of the five or so organizations in the world who really have super awesome wicked OPSEC in place, don't even bother starting to think about keeping secret the fact that you…


Added by d3tm4r on October 13, 2012 at 2:23am — No Comments

Your argument is invalid! Cause I'll give you a hard time if you insist on it.

Today I read a blog post by Fefe in which he rants about how folks just give up on trying to develop more secure code or even fix all bugs in their software, and instead pull resources away from bugfixing teams in favour of building mitigations like sandboxing technologies.

Fefe criticizes Adobe's security chief Arkin for saying the following sentence:

“My goal isn’t to find and fix every security bug, I’d…


Added by d3tm4r on February 11, 2012 at 7:44am — No Comments

Logging, Government Enacted Data Retention & Data Privacy Protection

I am lost - lost in an area of conflict.

Not that there were no solutions to solve the conflict.

In fact the conflict isn't as bad as it seems in the first place - at least this is my opinion.

You may be asking yourself exactly what am I talking about.

I am talking about the fact that we tell politicians and those in charge of IT:

a)…


Added by d3tm4r on October 2, 2011 at 3:00pm — No Comments

Books That Last

A friend who wants to start a career in information security asked me which books are a "must read".

It goes without saying that the one and only "must-read" is of course Jayson's book.

Since you found your way to this site, you'll probably already know that. ;-)

Up front I would like to say that I really doubt there are…


Added by d3tm4r on September 11, 2011 at 12:30pm — 2 Comments

The Benefits of FUD - ORLY?

Emmet Jorgensen has written an article on Infosecisland that I'd like to discuss for a bit. It is about whether FUD only has a bad connotation or could actually do something good as well. I must say I kind of agree and at the same time strongly disagree with his stance.

…


Added by d3tm4r on July 7, 2011 at 4:01pm — 4 Comments

Local Government Blocks Anonymizing Services

Maybe you have already read the news: the local authority of the state of Niedersachsen in Germany seems to have blocked various anonymizing services such as Tor from accessing the state's websites.

The state office for statistics and communications technology stated that they have blacklisted several anonymizing services for security reasons, to better…


Added by d3tm4r on June 20, 2011 at 10:30am — 2 Comments

Infosec Sales Practices - the Good the Bad and the Ridiculous

I think I am a polite and forthcoming person. Most of the time.

So when a sales representative of a reputable and well-known security vendor calls me, I will most of the time listen to what they are offering, although I really don't appreciate cold-calling. I will first see if I can somehow verify the identity of the caller before even continuing to talk to him or her. Since the person already managed to get my phone number, I will allow him to send me an email with his contact…


Added by d3tm4r on June 18, 2011 at 12:00pm — No Comments

Logging vs. Privacy, Data Protection Laws & Codetermination Regulations

Are you keeping track of how many organizations have been breached and their data stolen this week?

I stopped counting.

But it is very interesting to see how different organizations react to data breaches. Those who obviously don't have proper incident handling & response procedures are mostly hit much harder, detect the breach much later and, in addition to that, get a very bad public reputation after the breach becomes public.

Those organizations who detect…


Added by d3tm4r on June 16, 2011 at 4:38pm — No Comments

Accountability for Internet Users

Here's my take on Dancho Danchev's great ZDNet article "5 reasons why the proposed ID scheme for internet users is a bad idea". Politicians all over the world have finally realized that internet crime is a serious business and they want to do something to counter it. They overreact because they realize that they slept through that development and now…


Added by d3tm4r on May 25, 2011 at 7:00am — No Comments

Martial Arts and IT defense

Humans are great at detecting patterns and abstracting knowledge and in successfully applying these patterns and principles to very disparate fields. This can happen for all kinds of small tasks that we have to fulfill on a daily basis.

It can also lead to some of mankind's greatest philosophical models like Taoism, Confucianism and Buddhism.

I could also mention some other religions and philosophies but I want to stick with…


Added by d3tm4r on May 23, 2011 at 5:00am — 3 Comments

Apple's Location Service

I am not sure if this is worth a blog post but it's definitely too long for a tweet.

Today I was totally blown away by the precision of Apple's location service - on the iPod Touch!

It has been well known for a long time that all iOS devices use Apple's location database, which is comprised of cell-tower locations as well as the locations of Wi-Fi hotspots and access points. Of course there is also a knowledge base…


Added by d3tm4r on May 5, 2011 at 3:00pm — No Comments

Engage yourself in IPv6! Issue #2 - THC tools

Just dumping some shell output and comments today. :)

If you haven't read the first issue of this series of articles on IPv6, I'd recommend you read it first. 

IPv6 Attack Toolkit by THC (The Hacker's Choice)

You can download the tools here: http://www.thc.org/thc-ipv6/

Right now there is no…


Added by d3tm4r on April 17, 2011 at 4:53am — 2 Comments

Information Security Podcast List

Here is my list of infosec podcasts I listen to or have listened to now and then.

Podcasts that I listen to regularly

(ordered by preference)

1.) Risky Business @riskybusiness

2.) Pauldotcom Security Weekly @pauldotcom

3.) Social-Engineer Podcast by @humanhacker @dave_rel1k…


Added by d3tm4r on April 16, 2011 at 11:04am — 1 Comment

Engage yourself in IPv6! Issue #1 - Link Local

If you are into network security, now is the time to acquaint yourself with IPv6.

If you're planning to buy or perform a penetration test on your site, make sure that IPv6 is incorporated in the test. 

If the pentest firm that you hired does not incorporate it, or reacts somewhat hesitantly or surprised, get another vendor!

Why

Why? Because IPv6 is and has been enabled in all kinds of operating systems and networking devices for some…


Added by d3tm4r on April 16, 2011 at 8:30am — No Comments

Seeing Is Believing

It's quite amazing to watch people's reactions when things that you told them could or would happen actually do happen.

This raises the question of whether we can ever proactively prevent bad things from happening, as long as we depend on a broader community to actually help and enable society to prevent them.

Those are not only my own personal thoughts - this is an observation which is quite old and now being discussed again very widely.

It has also been…


Added by d3tm4r on April 2, 2011 at 5:30am — No Comments

Thou shalt not mistrust the PKI

I am getting the impression that the end user is not supposed to ever mistrust any of those CAs that all browser and OS vendors are shipping with their products for our convenience. 

The Comodo hack was only one incident in a row of incidents that show us that the trust model of PKI for SSL certificates is broken in many ways. 

First off, there are far too many CAs that your browser or operating system trusts by default.

Your browser or operating system trusts them so…


Added by d3tm4r on March 29, 2011 at 12:30pm — 3 Comments

Promises And Reality Of Modern Commercial IDS

Another lengthy repost from my tumblr blog with some editing.

It's still a topic I am concerned with and which I'd like to discuss.

And where could be a better place for that than DTH? :)

Well now here it…

Added by d3tm4r on March 5, 2011 at 1:30pm — No Comments

The new Cyber Security Strategy for Germany

The German Department of the Interior has recently published its new Cyber Security Strategy for Germany (German version here).

Whether it's good or not that a government is…


Added by d3tm4r on February 26, 2011 at 2:30pm — 1 Comment

© 2017   Created by Marcus J. Carey.   Powered by