Latest Posts


SOC 2 for Cloud Computing

October 09, 2011 Added by:Chris Schellman, CPA, CISSP, PCI QSA

SOC 2 reports allow cloud providers to communicate information about their services and the suitability of the design and operating effectiveness of their controls to prospective and existing customers in a well-known format that is nearly identical to an SSAE 16 report...

Comments  (2)


Abusing Windows Virtual Wireless NIC Feature

October 09, 2011 Added by:Kyle Young

If the victim computers are part of a Windows domain and have wireless NICs, by automating Metasploit with a pass-the-hash attack and using my script, one could essentially automate deploying a series of rogue access points throughout a domain. This would be kind of like a network worm...

Comments  (1)
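The defensive counterpart to the post above is an inventory sweep: every Windows 7 or later host with a suitable Wi-Fi driver can expose a "hosted network" (the virtual wireless NIC), and `netsh wlan show hostednetwork` reports whether it is allowed and whether it is currently broadcasting. The following is an added example, not code from Kyle Young's post or script. The command output it parses is constructed to approximate the real layout of `netsh wlan show hostednetwork`, the host names are made up, and collecting that output from each domain member (WinRM, a logon script, an EDR query) is assumed rather than shown.

```python
"""Flag domain hosts whose Windows hosted network (virtual wireless NIC) is
enabled or already running, by parsing `netsh wlan show hostednetwork`.

Added example. SAMPLE_OUTPUT is constructed to resemble the real command's
layout; hostnames are fictitious. Collection from each host is assumed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample output, keyed by hostname.
SAMPLE_OUTPUT: Dict[str, str] = {
    # Rogue AP actually on the air: mode allowed AND status started.
    "WS-FINANCE-01": """\
Hosted network settings
-----------------------
    Mode                   : Allowed
    SSID name              : "Corp-Guest"
    Max number of clients  : 100
    Authentication         : WPA2-Personal
    Cipher                 : CCMP

Hosted network status
---------------------
    Status                 : Started
    BSSID                  : 00:11:22:33:44:55
    Radio type             : 802.11n
    Channel                : 6
    Number of clients      : 2
""",
    # Clean host: feature disallowed, nothing running.
    "WS-HR-07": """\
Hosted network settings
-----------------------
    Mode                   : Disallowed
    SSID name              : "Not configured"

Hosted network status
---------------------
    Status                 : Not started
""",
    # Staged but idle: allowed and configured, not yet started.
    "WS-IT-03": """\
Hosted network settings
-----------------------
    Mode                   : Allowed
    SSID name              : "Free-Wifi"
    Max number of clients  : 100

Hosted network status
---------------------
    Status                 : Not started
""",
}

# "    Key   : value" lines; key is everything before the first colon, so a
# BSSID value containing colons is kept whole.
FIELD_RE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")


def parse_hostednetwork(text: str) -> Dict[str, str]:
    """Turn the netsh output into a flat key/value dict; headers and rules are skipped."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key")] = m.group("value")
    return fields


@dataclass
class Finding:
    host: str
    mode: str
    status: str
    ssid: Optional[str]
    clients: int
    severity: str  # "high" = broadcasting now, "medium" = allowed but idle


SEVERITY_RANK = {"high": 0, "medium": 1}


def assess(host: str, text: str) -> Optional[Finding]:
    """Return a Finding if the hosted network is started or merely allowed, else None."""
    f = parse_hostednetwork(text)
    mode = f.get("Mode", "unknown")
    status = f.get("Status", "unknown")
    if status.lower() == "started":
        severity = "high"
    elif mode.lower() == "allowed":
        severity = "medium"
    else:
        return None
    ssid = f.get("SSID name")
    clients = int(f.get("Number of clients", "0") or 0)
    return Finding(host, mode, status, ssid.strip('"') if ssid else None, clients, severity)


def sweep(outputs: Dict[str, str]) -> List[Finding]:
    """Assess every host and order results worst-first, then by hostname."""
    found = [fi for fi in (assess(h, t) for h, t in outputs.items()) if fi]
    return sorted(found, key=lambda fi: (SEVERITY_RANK[fi.severity], fi.host))


# Remediation on a flagged host (real netsh syntax, run locally or via WinRM):
#   netsh wlan stop hostednetwork
#   netsh wlan set hostednetwork mode=disallow

if __name__ == "__main__":
    for fi in sweep(SAMPLE_OUTPUT):
        print(f"{fi.severity:6} {fi.host:15} mode={fi.mode} status={fi.status} "
              f"ssid={fi.ssid!r} clients={fi.clients}")
```

A "medium" host is worth chasing as well as a "high" one: with the mode left at Allowed, the post's pass-the-hash automation only needs to run `netsh wlan start hostednetwork` to bring the rogue AP up, so the fix is to disallow the feature by policy, not just to stop the network that is currently running.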


The Lexicon Wars and Impediments to Cybersecurity

October 08, 2011 Added by:Joel Harding

What is cyberwar? Someone claimed that denying, degrading or destroying data on a network would be cyberwar. I admit, that would be bad, but by no stretch of the imagination would one single incident be considered a cyberwar. Of course, it honestly would depend on the targeted network...

Comments  (7)


Security Risk Management

October 07, 2011 Added by:Tony Campbell

The author explores the risk management lifecycle, describes methodologies for qualifying and quantifying risk and levels of risk, and provides examples of how these can best be described and/or presented at a senior management level...

Comments  (0)


Study Shows Banks Blocking More Fraud

October 07, 2011 Added by:Robert Siciliano

The FS-ISAC consists of a group of banks that shares threat information and interacts with the federal government on critical infrastructure issues. Its members include Citi, Prudential, Bank of America, JPMorgan Chase, Goldman Sachs and Wells Fargo, among others...

Comments  (0)


Don't Miss the Security BSides Kansas City Event

October 07, 2011 Added by:Security BSides

Each BSides is a community-driven framework for building events for and by information security community members. It is an intense event with discussions, demos, and interaction from participants. It is where conversations for the next-big-thing are happening. You don’t want to miss it...

Comments  (0)


OS X Lion Captive Portal Hijacking Attack

October 07, 2011 Added by:Tom Eston

OS X Lion's new feature poses a security risk. When an OS X laptop joins a network which contains a captive portal, a window is automatically opened to prompt the user to interact with it. This presents a major security risk if an attacker can control this functionality...

Comments  (1)


ISA Embraces House Recommendations on Cybersecurity

October 07, 2011 Added by:Headlines

"The system they have recommended provides a pathway to a sustainable system of cyber security that will result in securing our nation's critical infrastructure while stimulating the IT engine that has provided most of the good news our economy has experienced over the last 20 years..."

Comments  (0)


Notes on the 2011 Verizon Breach Report

October 07, 2011 Added by:PCI Guru

Breaches occur because organizations get sloppy and, even with defense in depth in their security, there are too many controls where execution consistency has dropped leaving gaping holes in the various levels of security. However, once addressed, attackers will find other ways in...

Comments  (1)


Where Will 2012’s Online Threats Come From?

October 07, 2011 Added by:Infosec Island Admin

A recent survey released by PWC cites that over 75% of organizations are in the dark when it comes to online threats to their businesses. Given this rather alarming statistic, we wanted to point you towards two relevant SC magazine webcasts on finding and pre-empting hidden threats...

Comments  (0)


Trusted Computing from Portable Devices

October 06, 2011 Added by:Emmett Jorgensen

There are many different ways that secure devices are being used as platforms for collaborative technologies to address growing market requirements. The ability to secure activities anywhere, at any time, from any machine is something that will gain traction over the next few years...

Comments  (0)


The Dark Side of Collaboration

October 06, 2011 Added by:Steven Fox, CISSP, QSA

Realizing the value of security investments requires teamwork. However, corporate teams play in a competitive arena that demands flexibility and responsiveness. Managers must be ready to recognize when to use tactical collaborations for the benefit of team strategy...

Comments  (0)


SpyEye Trumps Mobile Banking SMS Security Systems

October 06, 2011 Added by:Headlines

"This latest SpyEye configuration demonstrates that out-of-band authentication systems, including SMS-based solutions, are not fool-proof... Using a combination of MITB technology and social engineering, fraudsters... fly under the radar of fraud detection systems..."

Comments  (0)


Risk Management: Context is the Key

October 06, 2011 Added by:Gabriel Bassett

There is a core problem in risk management. Technical people tend towards the “every security risk is important enough to fix” mantra, focusing on technical details and over-rating risks. Management is used to much more tolerant definitions of likelihood and impact quantifiable in dollars...

Comments  (0)


AmEx Secures Website Admin Debugging Panel Error

October 06, 2011 Added by:Headlines

“An attacker could inject a cookie stealer combined with jQuery’s .hide() and harvest cookies which can, ironically enough, be exploited by using the admin panel provided by sloppy American Express developers," Femerstrand explained in a blog post...

Comments  (0)


Anonymous, Wall Street and Disinformation

October 06, 2011 Added by:Infosec Island Admin

FUD is a great motivator, and an attack on the NYSE or NYNEX, or any of the players here could have ripples later on. Those ripples would come in the form of people selling off their stocks, companies and corporations as well, and the net effect could potentially be large losses in the market...

Comments  (0)


Researchers Develop Enhanced Security for Cloud Computing

October 06, 2011 Added by:Headlines

SICE - A Hardware-Level Strongly Isolated Computing Environment for x86 Multi-core Platforms: "We have significantly reduced the 'surface' that can be attacked by malicious software. Previous techniques have exposed thousands of lines of code to potential attacks..."

Comments  (0)


Happy Birthday MS08-067

October 06, 2011 Added by:f8lerror

As a penetration tester, this vulnerability is sought out because it is highly reliable and very low risk. As an attacker, the simple fact is the attack still works. The vulnerability was widely used in conjunction with the Conficker worm, which affected more than seven million systems...

Comments  (3)


Why Less Log Data is Better

October 05, 2011 Added by:Danny Lieberman

One of the crucial phases in estimating operational risk is data collection: understanding what threats and vulnerabilities you have, and understanding not only what assets you have (digital, human, physical, reputational) but also how much they're worth in dollars...

Comments  (1)


Optimization: What's a Steiner Tree?

October 05, 2011 Added by:Stefan Fouant

Steiner Tree optimizations are very useful where an ingress PE must send large amounts of data to multiple PEs and it is preferable to ensure that overall bandwidth utilization is reduced, perhaps because of usage-based billing scenarios which require that overall circuit utilization be reduced...

Comments  (0)
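To make the Steiner tree idea above concrete: given an ingress PE, a set of egress PEs, and a core of P routers that carry traffic but do not receive it, the goal is the cheapest set of links that connects all the PEs. Finding that tree exactly is NP-hard, so what follows is the classic 2-approximation by Kou, Markowsky and Berman (shortest paths between terminals, a spanning tree over those, expansion back into real links, a second spanning tree, pruning). This is an added example, not code from Stefan Fouant's post; the topology, link costs and router names are constructed, and cost is modelled as one unit per link so that "cost" stands in for consumed circuit bandwidth.

```python
"""Steiner-tree (Kou-Markowsky-Berman 2-approximation) for point-to-multipoint
delivery from an ingress PE to a set of egress PEs across P routers.

Added example; topology and costs below are constructed.
"""
import heapq
from collections import defaultdict
from itertools import combinations
from typing import Dict, Iterable, List, Set, Tuple

Edge = Tuple[str, str, int]  # (u, v, cost), undirected

# Constructed core: cheap P-router backbone plus expensive direct PE-PE links.
LINKS: List[Edge] = [
    ("PE1", "P1", 1), ("P1", "P2", 1), ("P2", "PE2", 1), ("P2", "PE3", 1),
    ("P1", "P3", 1), ("P3", "PE4", 1),
    ("PE1", "PE2", 5), ("PE1", "PE3", 5), ("PE1", "PE4", 5),
]
INGRESS = "PE1"
EGRESS: Set[str] = {"PE2", "PE3", "PE4"}


def adjacency(edges: Iterable[Edge]) -> Dict[str, List[Tuple[str, int]]]:
    adj: Dict[str, List[Tuple[str, int]]] = defaultdict(list)
    for u, v, w in edges:
        adj[u].append((v, w))
        adj[v].append((u, w))
    return adj


def dijkstra(adj, src):
    """Shortest-path distances and predecessors from src."""
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, w in adj[u]:
            if d + w < dist.get(v, float("inf")):
                dist[v], prev[v] = d + w, u
                heapq.heappush(heap, (d + w, v))
    return dist, prev


def walk_back(prev, src, dst):
    """Rebuild the src..dst path from Dijkstra predecessors."""
    node, path = dst, [dst]
    while node != src:
        node = prev[node]
        path.append(node)
    return path[::-1]


def kruskal(nodes, weighted):
    """Minimum spanning tree; `weighted` holds (w, u, v) so sorting is by cost."""
    parent = {n: n for n in nodes}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    tree = []
    for w, u, v in sorted(weighted):
        ru, rv = find(u), find(v)
        if ru != rv:
            parent[ru] = rv
            tree.append((u, v, w))
    return tree


def prune(tree, terminals):
    """Repeatedly drop leaves that are not terminals (dead-end P-router stubs)."""
    edges = list(tree)
    while True:
        degree = defaultdict(int)
        for u, v, _ in edges:
            degree[u] += 1
            degree[v] += 1
        stubs = {n for n, d in degree.items() if d == 1 and n not in terminals}
        if not stubs:
            return edges
        edges = [e for e in edges if e[0] not in stubs and e[1] not in stubs]


def steiner_tree(edges: Iterable[Edge], terminals: Iterable[str]):
    """Return (total_cost, tree_edges) connecting all terminals."""
    edges = list(edges)
    adj = adjacency(edges)
    cost = {frozenset((u, v)): w for u, v, w in edges}
    terms = sorted(terminals)
    sp = {t: dijkstra(adj, t) for t in terms}
    # 1. metric closure over the terminals, 2. MST of that complete graph
    closure = [(sp[a][0][b], a, b) for a, b in combinations(terms, 2)]
    # 3. expand each closure edge into its real shortest path; union the links
    sub = {}
    for a, b, _ in kruskal(terms, closure):
        p = walk_back(sp[a][1], a, b)
        for x, y in zip(p, p[1:]):
            sub[frozenset((x, y))] = cost[frozenset((x, y))]
    # 4. MST of the expanded subgraph, 5. prune non-terminal leaves
    nodes = {n for e in sub for n in e}
    mst = kruskal(nodes, [(w, *sorted(e)) for e, w in sub.items()])
    tree = prune(mst, set(terms))
    return sum(w for _, _, w in tree), tree


def replicated_unicast_cost(edges, src, receivers):
    """Baseline: ingress sends one unicast copy per receiver along each shortest path."""
    dist, _ = dijkstra(adjacency(edges), src)
    return sum(dist[r] for r in receivers)


if __name__ == "__main__":
    total, tree = steiner_tree(LINKS, {INGRESS} | EGRESS)
    print("steiner cost", total, "links", tree)
    print("ingress replication cost", replicated_unicast_cost(LINKS, INGRESS, EGRESS))
```

On the constructed core the tree uses six backbone links (cost 6), while having PE1 replicate the stream down three separate shortest paths consumes nine link-units, because the PE1-P1 and P1-P2 hops are paid for more than once. That duplicated hop is exactly the bandwidth the post says usage-based billing makes expensive.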