Infosecurity.US

Information Security & Occasional Forays Into Adjacent Realms

Node Package Manager, Tribulátio, In Paradiso

August 23, 2017 by Marc Handelman in Attacks, Attack Analysis, Security Development, Security Failure, Security Flaws, Information Security, Infosec Competence

Well, looks like there is a bit of bother at npm, what with the security failures of recent import. Read Adam Shostack's well-crafted piece detailing what's broken, and what to do about it (it being fairly obvious once you read his thoughtful post). Enjoy.

"In June, security researcher ChALkeR explained how he "obtained direct publish access to 14% of npm packages (including popular ones). The estimated number of packages potentially reachable through dependency chains is 54%." Then, there was a typo-squatting attack that went undetected for two weeks. And just a few days ago, Ivan Akulov reported on malicious packages in npm." - via Adam Shostack, writing at IANS

Stockpiled →

May 31, 2017 by Marc Handelman in Blatant Stupidity, Infosec Competence, Infosec Policy, All is Information

via the eponymous Iain Thomson, whilst plying his trade at El Reg, comes this astonishing tale of the profoundly stupefying incompetence at Microsoft Corporation (NasdaqGS: MSFT) in regard to the Redmond, Washington software leviathan's askew morality... This time, focused on the company's complaints targeting the National Security Agency's stockpiling of exploitation bits, while itself dancing the stockpile two-step... Simply astounding.

"Most crucially, it's more than a little grating for Microsoft, its executives, and its PR machine, to be so shrill about the NSA stockpiling zero-day exploits when the software giant is itself nesting on a pile of fixes – critical fixes it's keeping secret unless you pay it top dollar. Suddenly, it's looking more like the robber baron we all know, and less like the white knight in cyber armor" - via Iain Thomson writing at El Reg

Glenny, Hire the Hackers →

December 31, 2015 by Marc Handelman in All is Information, Information Security, Infosec Competence

Who's In Charge of What →

November 20, 2015 by Marc Handelman in All is Information, Infrastructure, Infosec Competence

Patrick Tucker, writing at DefenseOne, details the comedy of errors waiting to be unleashed.

Irari Report, Cybersecurity Guidance with Howard Schmidt

July 03, 2015 by Marc Handelman in All is Information, Cybersecurity, Information Security, Infosec Competence

Sunday Security Maxim

June 21, 2015 by Marc Handelman in Infosec Competence, Security Maxim

Rohrbach Was An Optimist Maxim: No security device, system, or program will ever be used properly. Compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory

Maturing Information Security When Compliance Can't Cut It

June 18, 2015 by Marc Handelman in All is Information, Information Security, Infosec Competence

Web Security Dojo 2.0

June 05, 2015 by Marc Handelman in Education, Information Security, Infosec Competence

Web Security Dojo 2.0, a fully self-contained web security training environment, has been released to the self-study intelligentsia. Suited to student-directed education, the program is FOSS and a product of Maven Security Consulting; the Dojo environ is available via SourceForge now.

Top Ten List of Most Exposed Software →

May 18, 2015 by Marc Handelman in All is Information, Blatant Stupidity, Cruft, Information Security, Infosec Competence

via Anthony M. Freed, writing at InfosecIsland, comes this unfortunate, and unsurprising, story of the top ten exposed applications currently on a majority of computational devices hereabouts, and the ramifications thereof.

Institutional Investors Lose Faith In Security Competence At Board Level →

April 22, 2015 by Marc Handelman in All is Information, Information Security, Cybersecurity Competence, Infosec Competence

Yes, and here's why it very well may be true:

"KPMG also found that 79 percent of investors would be discouraged from investing in a business that has been hacked. The findings revealed that investors believe less than half of the boards of the companies that they currently invest in have adequate skills to manage cyber risk. Furthermore, they believe that 43 percent of board members have unacceptable skills and knowledge to manage innovation and risk in the digital world. This sentiment was mirrored in a recent KPMG survey of FTSE 350 businesses, which found that 39 percent of boards and management agreed they were severely lacking in their understanding of the area." - via Antony Savvas, writing at Techworld
