Jul 25 2009
I’m sitting down to nurse a cup of coffee this morning. Had friends over last night, a fair amount of drinking ensued, lots of male bonding through bad jokes and some rousing games of Alhambra and Saint Petersburg. This is my idea of a good Friday night with friends, which worries me a little, since it makes me sound and feel like a middle-aged geek. Which I have to say is a pretty good description. I guess I’ll have to overcompensate at Black Hat and Defcon next week. In the meantime, here are some of the stories from this week that are clogging up my Firefox tabs.
- Adobe issues security advisory for Flash zero-day flaw – Rumor has it that Adobe has known about this flaw for over seven months.
- Help for internal auditors on PCI Compliance – Some of these points are going to help me as the assessor as well. But more of them should be part of your security processes whether you’re trying to be PCI compliant or simply secure.
- Extending the concept: A security API for Cloud Stacks – Chris Hoff posted this concept last night and caused quite a brouhaha. The basic idea is that the commonality of the various compliance structures should be built into a security control model that’s used to build Cloud infrastructure in a testable, open architecture. Very interesting concept, I want to see how Chris develops it going forward.
- Vulnerability scanning and Clouds: an attempt to move the dialog on – This is the post that kickstarted the Hoff’s thinking for the previous article. Lack of vulnerability scanning is just one of the reasons that cloud computing gives compliance officers fits.
- The growing threat to business banking online – Somewhere in the last couple of years the Internet has gone from being the Wild West to the streets of Chicago in the 1920’s. The bad guys have become incredibly well organized and you’re taking your digital health in your own hands every time you go online. Businesses and local governments are increasingly becoming targets. After all, “That’s where the money is.”
- Mind games: How social engineers win your confidence – Scams and grifting are as old as humanity, probably older if you want to consider some of the examples you can find in the animal kingdom. And they stick around because once you’ve mastered the basic principles, it’s relatively easy to get what you want out of the majority of people and situations. The best defense is to be educated and able to recognize the clues that you’re being socially engineered without having to consciously think about it.
- Network Solutions hack compromises 573,000 credit, debit accounts – Good job NS, you allowed code to be installed on a compromised system and gave up over half a million records, mainly of mom and pop stores. I hope you do a better job protecting our domain names.
Just added – Matasano site compromised. I couldn’t fault them too much for falling to a zero-day, except for the fact that they’re a research firm that should be finding these things on other people’s sites, not their own.