Security

This is an article I've been wanting to post on here for quite a while. This article discusses the major fundamental security rules, based on processes and policies rather than technology. A lot of this, honestly, is common sense, but unfortunately it's the simple things like this that are so often overlooked.

Traditionally, people look at the infosec field as something to do about firewalls and antivirus. They treat technology as THE solution, instead of simply the enabler. And it’s this fallacy that weakens any security implementation. Security is a process, not a product… and should be treated as such. Through the security lifecycle, policy and procedure needs to take precedence over implementation. It’s a bigger part of the circle for a reason.

Overall, this is a concise, well thought out, and well written security article, and is definitely a must-read.

The Eight Rules of Security

SecurityFocus has a great article on transparent firewalls. It doesn't cover many technical details, but it provides a great introduction to what they are, why they're useful, etc.

Read the full article.

Anyone with experience in the IT security field should be familiar with the name Bruce Schneier. Author of Applied Cryptography, he's one of the definitive experts on cryptography, and he's recently been expanding his expertise into the wider world of security in general.

He recently granted an interview to CSO Magazine, in which he discusses various issues facing security professionals, concerns in a post-09/11 world, and several other topics. He also discusses/plugs his new book, Beyond Fear, which seems like it should be a very interesting read.

Here's the full interview.

A DoS vulnerability exists in all versions of OpenSSL prior to 0.9.6k and 0.9.7c. Upgrading as soon as possible is recommended. Read the full advisory for more information.

Also, on an unrelated note, two recent vulnerabilities in OpenSSH were discovered. This is a couple weeks old now, but definitely important enough to mention here. Short story: upgrade to OpenSSH 3.7.1p2 ASAP. For more information, read the original advisory, as well as the newer portable advisory.

For those not up to speed on this story, last week Dan Greer (CTO of security consultant @stake) and several others released a report entitled "Cyber Insecurity: The Cost of a Monopoly," in which they discussed the security issues related to Microsoft's market dominance (actual report can be found on the CCIA homepage).

Surprisingly, Greer was fired from his position as CTO of @stake one day after releasing the report. Why? Although @stake denies any involvement, Microsoft is one of their largest customers. Hmm... piss off a client in legitimate research and get fired? Wonderful.

So now, one week later, Greer himself has finally been interviewed about this. You can read the full story here. Although it's nothing earth-shattering, it does sum up the incredulity of the whole situation. Definitely worth a read.

I recently came across a couple good security-related articles that's well worth reading.

The first is an introduction to firewalls and backdoors, describing each type, listing examples, and providing tips. Also contains links to some very useful external resources. http://securityfocus.com/infocus/1701

The second article disusses real-time alerting with snort, the most popular open-source IDS (Intrusion Detection System). http://newsforge.com/article.pl?sid=03/06/09/1939256. It does not cover installation or initial configuration, however; check out the snort documentation for details on this.

LinuxSecurity.com is featuring an article on Intrusion Detection Systems.

"Intrusion Detection is the process and methodology of inspecting data for malicious, inaccurate or anomalous activity."

This is a good introduction to the process for any security-minded individuals out there.

Full story

Apparently Opera contains some fishy elements that may transmit some of your personal data to them. Great, I was actually thinking of trying out opera... but not anymore.

Here is the link on The Inquirer
http://www.theinquirer.net/?article=9056

This is a roundup of various wireless security articles, news, and product information. Worth a quick look for anyone working with wireless technology.

Full story:
http://www.techweb.com/tech/mobile/20030407_mobile

According a new security survey released by the Computing Technology Industry Association, human error, rather than technology, is the most significant cause of security breaches.

Of course, anyone that's worked in the security field can certainly tell you this. Social Engineering, anyone?

More info can be found at the PCWorld article below:

http://www.pcworld.com/news/article/0,aid,109872,00.asp