Art of Information Security

Random Insights on Protecting Data, Privacy, and Digital Infrastructure

Get Rich Quick at FakeChecks.Org - N O T

While I was checking the weather via the internet last night, I saw a banner ad for FakeChecks.org (click here), which turns out to be an anti-check-fraud website sponsored by the National Consumers League. Check fraud has been around almost as long as checks themselves (I am sure it took a week or two for someone to try to steal cash using the newly invented check… ;-) ), but the anonymity and long-distance communications capabilities provided by the Internet are reviving old scams and creating new ones.

A key component in a lot of fraud and scams is Social Engineering of one kind or another. Social Engineering is also a huge threat to Information Security controls of all kinds. The tool to combat it is user awareness. I applaud FakeChecks.org for their efforts.

Cheers, Erik

Categories
News and Info
Tags
419, Check Fraud, FakeChecks.org, Social Engineering

Episode 2 and Beyond - A Few Teasers…

It has been one month since the release of Episode 1, and it has been downloaded over 215 times and FeedBurner is reporting over 80 subscribers to the feed (RSS and Podcast combined). This is much more attention than I expected Episode 1 to generate. Thanks!

But don’t think I am going to ‘rest on my laurels’…

The last month has been incredibly busy, and I have a ton of content that I want to work on but I keep getting pulled in different directions. Episode 2 is going to be an audio only podcast which I hope to have released over the weekend…

I have a number of topics that I am mulling over for Episodes 3 and beyond, which include:

- Basics of Information Security and Risk Management series

- Quick intro to some of the open source host protection tools I have been working with

- Discussion of my favorite open source security tool… (openSSL)

- and I am dying to start discussing some real world cryptography topics…

(Just to name a few…)

What I would really like to do is find out what topics you are interested in, so that Art of Information Security can have relevant and compelling content. To address this need I have created a feedback section on the site, located in the main menu bar (or click here). Also, your comments, posted either on Art of Information Security or via email, are always welcome.

BTW: Last week I participated in a webinar entitled Getting More Encryption for Less with Paul Stamp (Forrester Research), Jim Porell (Chief Architect IBM System z), and Paul Turner (VP, Product and Customer Solutions, Venafi). (Click here to listen to a replay.) Also, I will recap the Q & A portion of the webinar in Episode 2.

Best regards, Erik

Categories
News and Info, Site Info
Tags
Encryption, Jim Porell, openSSL, Paul Stamp, Paul Turner, z/OS

RSA Has Posted Podcasts From The Conference…

While I was in London, the folks who run the RSA Conference did a quick interview with me on the Quick Business Case and Information Security in general.
Here is a link to the RSA Europe 2007 podcasts…

There are 16 conference participants with whom RSA did podcasts.

Check them out…

Categories
News and Info
Tags
RSA Europe 2007

Someone Was Taking Notes…

First, my apologies that the Quick Business Case Slidecast hasn’t been completed and posted yet. As soon as I get rid of my cold, I will be recording and posting it. I hope that will be within a few days.

It appears that someone was taking notes at my presentation on Oct 22nd. My presentation was featured in the RSA Conference Daily (article link) summary.

Cheers, Erik

Categories
News and Info
Tags
Quick Business Case, RSA Europe 2007

RSA Europe 2007 Trip Summary

RSA Europe 2007 was held the week of October 22nd. The conference was a three-day event, held at the Excel Convention Center, where it will also be held the next two years.

Some conference highlights follow…

Bruce Schneier Keynote

The second day of the conference opened with a Keynote from Bruce Schneier. If you ever have a chance to hear a presentation by Bruce - Do Not Pass It Up! In addition to being a really good presenter, Bruce invests a lot of time into really thinking about and researching the mechanics of security. His keynote was entitled “Reconceptualizing Security”. I have four pages of notes from his presentation. Here are a few of the topics he touched on:

  • Great discussion of “feelings” vs “reality” of security
  • Examination of the language and cognitive challenges regarding risk
  • Discussion and some revision of Bruce’s ideas regarding “Security Theater”
  • Explanation of Lemons Markets
  • Are many security products sold in a Lemons Market?

DEF-105: 12 Common Java Security Traps

Brian Chess gave two presentations at the conference. Unfortunately, I was only able to attend one. This presentation focused on common, and significant, security problems that must be addressed during development.

Brian referenced two resources in his presentation, both of which I plan on researching:

Fortify Taxonomy: Software Security Errors

  • This is an attempt to partition the entire space of software security flaws…

Open Source Software Vulnerability Project

  • Application of the vulnerability scanning tools developed by Brian’s company to Open Source projects, to aid in the discovery and remedy of software security errors.

HT-108: Revenge of the Rodent: Did Your Mouse Turn Evil?

Ronald Heil’s presentation about malicious things that can be done with trusted devices, such as the mouse, was brilliant. Ronald re-engineers a common computer mouse, using off-the-shelf components, and turns it into one that can be used to:

  • Load malicious code onto a target computer
  • Store data stolen from the user (for later retrieval)
  • Provide an attacker with remote control and data access (via Bluetooth)

DEV-109: Is Web 2.0 a Hackers Dream?

This was the third Caleb Sima presentation I have attended. Each one has been fantastic and better than the previous one.

This presentation focused on some of the application security pitfalls that Web 2.0 technologies, such as AJAX, are vulnerable to. Caleb’s presentations always mix static information with live demonstrations of the concepts. During this presentation he demonstrated a number of JavaScript application security faux pas.

A key thesis in the presentation was that Web 2.0 programming techniques, like AJAX, are dramatically increasing the attack surface of applications through the movement of code to the client, where it can be easily examined and manipulated. Several examples of ‘bad logic’, or code that should not be moved to the client, were given, and included:

  • Security code (coupon code validation logic, admin status flagging, etc.)
  • Input validation
  • Range control and boundary checking logic
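To make the point concrete, here is an added example (not from the original post, nor from Caleb Sima’s talk) showing the three items above living only in browser JavaScript, next to the server-side version that treats everything the client sends as untrusted input. It is plain Node.js with no dependencies; the coupon codes, prices and quantity limit are constructed sample data, and the function names are my own.

```javascript
// Added example, not code from the original post or from the talk it describes.
// "Before": coupon validation, the discount table and the quantity range check all
// ship to the browser. Anyone running the browser can read the full coupon list and
// change the values the client reports back, so none of these checks are security.
// All codes, prices and limits below are constructed sample data.
const CLIENT_COUPONS = { SAVE10: 0.10, HALFOFF: 0.50 }; // exposed to every visitor

function clientSideCheckout(unitPrice, couponCode, quantity) {
  // Range control lives only here, in client code.
  if (!Number.isInteger(quantity) || quantity < 1 || quantity > 5) {
    return { ok: false, reason: 'quantity out of range' };
  }
  // Coupon validation lives only here too.
  const discount = CLIENT_COUPONS[couponCode] || 0;
  const amountDue = unitPrice * quantity * (1 - discount);
  // The client then tells the server what it should charge.
  return { ok: true, request: { couponCode, quantity, discount, amountDue } };
}

// The naive server trusts the client's arithmetic and charges whatever it is told.
function naiveServerCharge(request) {
  return { ok: true, charged: request.amountDue };
}

// "After": the browser is only a user interface. The server owns prices, the coupon
// table and the limits, accepts only the fields a customer may legitimately choose
// (sku, coupon code, quantity) and recomputes the amount itself.
const SERVER_PRICES = { 'sku-1': 20.00 };              // constructed sample data
const SERVER_COUPONS = { SAVE10: 0.10, HALFOFF: 0.50 }; // never sent to the client
const MAX_QTY = 5;

function hardenedServerCharge(request) {
  const { sku, couponCode, quantity } = request; // discount/amountDue are ignored

  // Range control and boundary checking, re-done server side.
  if (!Number.isInteger(quantity) || quantity < 1 || quantity > MAX_QTY) {
    return { ok: false, reason: 'quantity out of range' };
  }
  // Input validation: the sku must be one we actually sell.
  const unitPrice = SERVER_PRICES[sku];
  if (unitPrice === undefined) {
    return { ok: false, reason: 'unknown sku' };
  }
  // Coupon validation against the server's own table. hasOwnProperty guards against
  // codes like "constructor" resolving to Object.prototype members; an unknown code
  // simply earns no discount, whatever the client claimed.
  const discount = Object.prototype.hasOwnProperty.call(SERVER_COUPONS, couponCode)
    ? SERVER_COUPONS[couponCode]
    : 0;
  const amountDue = Math.round(unitPrice * quantity * (1 - discount) * 100) / 100;
  return { ok: true, charged: amountDue, discountApplied: discount };
}

module.exports = { clientSideCheckout, naiveServerCharge, hardenedServerCharge };
```

The client-side function is still useful for giving the user an instant price preview; the defect the talk describes is letting it be the only place the decision is made. In the hardened version the request may carry any `discount` or `amountDue` the client likes and it changes nothing, which is the property to test for in a code review of AJAX checkout flows.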

Summary

The above summaries are highlights. I attended all of the sessions on days two and three, and found them all to be very valuable and high quality. I was particularly impressed by the great English language skills of the presenters from non-English speaking countries. I do not know if I will have the opportunity to attend the European event in the future, but I would certainly recommend it.

Cheers,

Erik

Categories
News and Info
Tags
Brian Chess, Bruce Schneier, Caleb Sima, Java Security, Lemons Market, Open Source Software Vulnerability Project, RSA Europe 2007, Security Theater, Web 2.0 Security