Steganography, In the Round →
A more complete explanation, via Sophos security blog Naked Security author Paul Ducklin, of steganography in-the-round, as it were...
NIST Releases Revision 2, Guide to Industrial Control Systems (ICS) Security
The National Institute of Standards and Technology (NIST) has announced the release of Special Publication 800-82, Revision 2, Guide to Industrial Control Systems (ICS) Security. Outstanding.
New PayPal User Agreement, Demands Your Firstborn...
or Why-I-Am-Not-A-PayPal-Customer...
via The Washington Post's Brian Fung, comes the unsurprising news of blatant stupidity amongst the cubicles at PayPal. This time, taking the shape and form of the company's new user agreement. How this will play out, once the Federal Trade Commission takes a gander is anyone's guess. Read it and Weep.
Litchfield Unleashes Database Security Scorecard →
via El Reg's Darren Pauli, comes good news from David Litchfield, this time, in the form of a newly authored security product targeting the in-built security issues within Oracle Corporation's (NYSE: ORCL) DBMS. Outstanding.
Sunday Security Maxim
Shannon’s (Kerckhoffs’) Maxim: The adversaries know and understand the security hardware and strategies being employed. Comment: This is one of the reasons why open source security (e.g., cryptography) makes sense.
Corollary to Shannon’s Maxim: Thus, “Security by Obscurity”, i.e., security based on keeping long-term secrets, is not a good idea. Comment: Short-term secrets can create useful uncertainty for an adversary, such as temporary passwords and unpredictable schedules for guard rounds. But relying on long term secrets is not smart.
Compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
Saturday Security Maxim
Colsch's (Keep It Simple) Maxim: Security won't work if there are too many different security measures to manage, and/or they are too complicated or hard to use.
Compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
Operation Overlord, June 6, 1944
“… these men came here – British and our allies, and Americans – to storm these beaches for one purpose only, not to gain anything for ourselves, not to fulfill any ambitions that America had for conquest, but just to preserve freedom. . . . Many thousands of men have died for such ideals as these. . . but these young boys. . . were cut off in their prime. . . I devoutly hope that we will never again have to see such scenes as these. I think and hope, and pray, that humanity will have learned. . . we must find some way . . . to gain an eternal peace for this world.”
– Eisenhower: A Soldier’s Life, by Carlo D’Este (ISBN-10: 0805056874 Holt Paperbacks; First Edition)
Web Security Dojo 2.0
Web Security Dojo 2.0, a fully self-contained web application security training environment, has been released to the self-study intelligentsia. Suited for student-directed education, the program is FOSS and a product of Maven Security Consulting; the Dojo environment is available via SourceForge now.
DevSecOps Edition, 10+ Hours of Information Security + DevOps Video →
The kind folks at DevOps.com have made their collection of HD-quality Security + DevOps video content from RSAC 2015 available (the only catch being a registration form). Highly recommended.
'DevOps Connect was co-produced by DevOps.com and Sonatype, through the Nexus Community Project. The day started with a keynote delivered by Gene Kim and Joshua Corman, setting the stage for 13 more presentations.' - via Devops' Alan Shimel
House of Drafts →
via AlienVault's Russ Spitler, comes a tale of problematic security hygiene within customer instances at Amazon Web Services. This time, evidenced and bolstered by empirical research, the AlienVault researchers discovered "there is a good chunk of the EC2 users who left their front door open".
I am fascinated with AlienVault's findings (consider for a moment that the issues are customer-based within their respective virtual environs); the scenario boggles.
Then, there are the recently published Amazon Web Services SOC 1, 2 and 3 Reports (acronym definition: SOC - Service Organization Control). SOC 1 is one of the component reports that comprise the awkwardly monikered SSAE 16/ISAE 3402 artifact. The SOC 1 and SOC 2 Reports are available to Amazon Web Services customers upon request, whilst the SOC 3 report is available to the public on demand. In this case, the SOC 3 report targets the WebTrust and SysTrust reviews. SysTrust is germane to the AlienVault research, as it encompasses the standard information security tenets of Integrity, Availability, Security and Confidentiality; tenets of which, apparently, many customers of the AWS EC2 product are blissfully unaware (at least those that are running the offending listeners).
Tallinn 2.0 and the PRC →
If you read anything today focusing on warfare in the electronic realm, read the Lawfare blog's Ashley Deeks posting on this year's Tallinn-based NATO CCDCoE CyCon 2015 confab. In particular, a Chinese academic's take on the cyber jus ad bellum criteria for waging war, as targeted by Tallinn 2.0. Fascinating.
Hackerman Hacks Time, A Tutorial →
Credits:
- DIRECTOR & EDITOR - Jonas Ernhill
- WRITER - Leopold Nilsson
- PRODUCERS - Jonas Ernhill & Leopold Nilsson
- EXECUTIVE PRODUCERS - David Sandberg & Linus Andersson
- HACKERMAN - Leopold Nilsson
- COORDINATOR - Jonathan Gustavii
- DIRECTORS OF PHOTOGRAPHY - Jonas Ernhill, Martin Gärdemalm & Mattias Andersson
- POST PRODUCTION - Jimmy Lotare, Line Degerhammar, Boris Söderlind & Klas Trulsson
- MUSIC - Lost Years & iamMANOLIS
- SOUND DESIGNERS - Linda Iro Näsström & Erik Emanuelsson
- COLORIST - Jonas Ernhill & Martin Graderman
- PRODUCTION ASSISTANTS - Anton Hjalmarsson & Adam Forsén
- FILMED IN - The Grandma Fury’s Garage
- PRODUCTION COMPANIES - Laser Unicorns & Lampray
- THANKS TO - Film i Västerbotten, Random Bastards!, Forsure, Nils Moström & Jonas Westlund
Prævaricator →
Or, how interweb-ensconced journalists complain about user tracking, yet the companies they toil under (sometimes their own sites) utilize tracking... Written by Quinn Norton, on a Medium blog, adroitly monikered The Message.
Requiescat in Pace: John and Alicia Nash
Requiescat in Pace: John Forbes Nash, Jr., (1928 - 2015) and Alicia (nee Lopez-Harrison de Lardé) Nash (1933 - 2015).