Maybe I’m just punchy from dealing with too much real spam, but I found this hilarious.
Introducing–Penis Reduction Pills!
Shipped to you, not in the stereotypical plain brown wrapper, but in a
large box proudly labeled on all six sides. Because you wouldn’t be
ordering them if you didn’t need them, right? Just leave the bottle
around the house where the girl you are interested in can find them.
(Note: placebos may have unintended side effects. Depending on the
Thanks to Rob Slade for bringing this to my attention – http://victoria.tc.ca/techrev/rms.htm
Comprehensive? Well, pretty good.
The kind of thing that could keep a client’s IT staff occupied for weeks. If they had hard copy to annotate and work with.
It’s interesting that classical Business Continuity Planning works more along the lines of an FMEA than a Threat-Risk Analysis. BCP identifies the business processes that are most essential and hence must be brought back into operation with the most urgency – that is, which failures would most critically affect the operation of the business.
The TRA approach has many flaws: threats are just about infinite and mostly unknown, vulnerabilities are infinite and unknowable, the two interact in complex ways (which boils down to playing whack-a-mole), and there is not enough information for statistical analysis.
FMEA on the other hand identifies criticality regardless of the cause.
“Information is spilling out from the encrypted region into the unencrypted region”
Help me here. Why would you have an only partially encrypted drive? Yes, that’s easy to set up with Linux where you have many partitions. In fact failing to encrypt swap is a classical mistake.
But with Windows you have to quite explicitly set up partitions and move stuff around. The ‘out of the box’ default is a single partition with the system, data and swap all in the one partition. Yes, I’ve set up “D:” partitions and moved the user data (desktop etc) there. I’ve also set up a partition for the swap file. It helps with matters like fragmentation and backup management. But it takes thought, planning and deliberate action.
So why might you be keeping only part of your hard drive encrypted? I don’t know.
I can imagine a Windows user who has an encrypted USB drive and a clear (as in out of the box) main drive could hit this situation, but as data leakage goes I suspect this is small fry. The ‘potentially huge issue’ may not be that earth-shattering.
Since this is being presented at Usenix HotSec later this month perhaps it is a Linux issue. Damned journalists – so vague … Full-Disk Encryption Is Partial Protection, Analysts Say
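A check for the swap case mentioned above, written as an added example rather than anything from the original post: it parses `/proc/swaps` together with `lsblk -rno NAME,TYPE,PKNAME` output and walks each swap area’s block stack to see whether a dm-crypt mapping sits underneath it (so LVM-on-LUKS swap is recognised as encrypted, while a plain partition is not). The sample inputs are constructed; on a real host you would feed it the live command output and, for swap files, the source reported by `findmnt -no SOURCE -T <file>`.

```python
import re
# Constructed sample of /proc/swaps (not taken from the original post).
SAMPLE_PROC_SWAPS = (
    "Filename\tType\tSize\tUsed\tPriority\n"
    "/dev/mapper/vg-swap\tpartition\t8388604\t0\t-2\n"  # LVM volume on LUKS
    "/dev/sda3\tpartition\t4194300\t0\t-3\n"            # plain partition
    "/swapfile\tfile\t2097148\t0\t-4\n"                 # file on encrypted root
)
# Constructed sample of `lsblk -rno NAME,TYPE,PKNAME` (NAME, TYPE, parent).
SAMPLE_LSBLK = (
    "sda disk\nsda1 part sda\nsda2 part sda\nsda3 part sda\n"
    "cryptroot crypt sda2\nvg-root lvm cryptroot\nvg-swap lvm cryptroot\n"
)
# Constructed: filesystem under each swap file, as `findmnt -no SOURCE -T <file>` reports.
SAMPLE_FILE_SOURCES = {"/swapfile": "/dev/mapper/vg-root"}


def parse_lsblk(text):
    """Map device NAME -> (TYPE, PKNAME); a top-level disk has no parent."""
    info = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            info[parts[0]] = (parts[1], parts[2] if len(parts) > 2 else None)
    return info


def is_encrypted(name, info):
    """True if the device or any ancestor in its block stack is a dm-crypt mapping."""
    seen = set()
    while name and name not in seen:
        seen.add(name)
        kind, parent = info.get(name, (None, None))
        if kind == "crypt":
            return True
        name = parent
    return False


def unencrypted_swaps(proc_swaps, lsblk, file_sources):
    """Return (swap area, backing device) pairs with no dm-crypt layer underneath."""
    info = parse_lsblk(lsblk)
    findings = []
    for line in filter(None, proc_swaps.splitlines()[1:]):  # skip the header
        swap, kind = line.split()[:2]
        backing = swap if kind == "partition" else file_sources.get(swap, "")
        dev = re.sub(r"^/dev/(mapper/)?", "", backing)  # match lsblk's NAME column
        if not is_encrypted(dev, info):
            findings.append((swap, backing))
    return findings
```

Run against the constructed samples it reports only `/dev/sda3`, the swap partition sitting directly on the disk with nothing encrypting it.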
Build your security assuming that the enemy knows as much about
your security and what you are doing as you do.
The lesson of history, InfoSec, industry, literature, warfare and politics tells us this is so.
What enables the enlightened rulers and good generals to conquer
the enemy at every move and achieve extraordinary success is
Foreknowledge cannot be elicited from ghosts and spirits; it
cannot be inferred from comparison of previous events, or from
the calculations of the heavens, but must be obtained from
people who have knowledge of the enemy’s situation.
Therefore there are five kinds of spies used:
Local spies, internal spies, double spies, dead spies, and
He goes on to say
Only the wisest ruler can use spies; only the most benevolent
and upright general can use spies, and only the most alert and
observant person can get the truth using spies.
Which is of course pandering. And then:
It is subtle, subtle!
Which is pandering still, but none the less true.
There is nowhere that spies cannot be used.
Which is also true. Hence http://privateeyespyshop.com/
Generally, if you want to attack an army, besiege a walled city,
assassinate individuals, you must know the identities of the
defending generals, assistants, associates, gate guards, and
officers. You must have spies seek and learn them.
However, these days many companies and countries publish all this information on the web. The identity theft in “The Day of the Jackal” (which has been copied by many other authors since) can now be performed from the comfort of your local hot-spot-equipped café or on some local commuter train.
Charlatans don’t bother creating detailed schemes for deception. They
just have a feel for what fools people.
It’s not about technology…
Bad guys have better people skills
Criminals usually don’t bother learning all the ins and outs of the
technology they exploit — they simply learn enough to be dangerous. But
they spend endless hours understanding the people they plan to fool.
Hackers long ago learned a short cut, what they call social engineering:
Why spend years trying to hack into a bank when you can just ask an
account holder to give you their name and password?
and not only that, but adding technology won’t fix things.
The technologists, on the other hand, tend to fight this battle with one
hand tied behind their back. They generally spend most of their time
studying technology, learning all its nooks and crannies from the ground
up. They write careful research papers following the strict rules of
scientific method. They must spend endless hours defending their findings
against all comers, and they can’t hurt anyone while conducting studies.
They know the technology well, but they have little time to sit around
understanding how people work.
I’ve been saying for over a decade that InfoSec qualifications should focus on psychology and sociology and business rather than technical matters, but exams & qualifications such as CISSP, CISA, CEH, and SANS focus on technical matters.
Part of this is “the metrics problem”. We focus on what can be measured, the “if you can’t measure it, you can’t manage it” myth that started with Taylorism and has been promulgated by people who only see the numbers side of Deming’s principles. His “System of Profound Knowledge” advocated that all managers need to have a deep understanding of psychology and human nature. His famous “14 points” are about attitudes towards management of work, not about numbers; in fact he was against many ‘numbers’ such as quotas. He viewed managing by numbers to be a “deadly disease”, along with an emphasis on short term results (more number-keeping), and relying on technology to solve problems that are really based in the organization, management and psychology of the workplace and corporation.
So how do we actually manage? How do we evaluate people and their work?
How do we grant certifications and issue awards? How do we solve our business problems?
The media says that InfoSec is a growing market. I wonder sometimes if that growth isn’t in the sales of appliances – throwing technology at the problem and resisting the changes that are really needed, changes in organization, attitudes and management.
I gather that browser flaws account for a lot of attacks, arising from malware and spyware that get ‘snuck in’ by various methods such as XSS.
Let’s be realistic, though; the browser isn’t the only avenue by which a user’s workstation can be infected – I’ll leave servers out of this for the moment. Updating other key components of the operating system is important as well. But patching is more difficult in some systems than others, and some vendors & developers are more aggressive about updating their baseline than others. That could also reflect the complexity and modularity of their products. What was that about complexity being the enemy of security?
Unsurprisingly the study concluded that update features within different
browsers played a key role in determining how quickly users update their
software. Firefox users “typically updated” within three days of the
availability of a new security update. Opera users averaged around 11
days before patching their browser while some IE users are still stuck
on IE6 a year and a half after the release of IE7.
So that makes me one of the ‘good guys’, a Firefox user. Actually I update my plug-ins ‘same day’ – which might actually be a risk if they are not well tested. But that is always a risk, and it is the reason why some companies, such as Intel, are staying with XP rather than upgrading to Vista. (Ever?)
The study found that Firefox users were the most diligent in applying
security updates, with 83.3 per cent using the latest version. Less than
half (47.6 per cent) of IE users used a fully patched version.
Now let’s be fair, not everyone has control over what they use.
“I think it may be a little unfair for many IE users to be grouped in
the ‘less diligent’ bucket because they’re stuck to using IE5 or IE6 for
compatibility issues with their corporate applications but, quite
frankly, in this climate of commercial mass-defacements, ‘unfair’ isn’t
going to keep them safe,” Ollmann writes.
As it says in the article I’ve referenced …
A white paper on the study, Understanding the Web browser threat, can be