Lowyat.NET: Latest topics by trifecta

[WTS] Amazon Fire TV 4K Ultra HD, FireTV 2nd Gen,

trifecta — Tue, 08 Mar 2016 17:19:09 +0800

Item(s):1 x Amazon Fire TV 4K Ultra HD, FireTV 2nd Gen Gaming Edition

Package includes:Amazon Fire TV, game controller, 32 GB microSD card plus 2 included games

Price: $640.00

Warranty: 1 yr

Dealing method: COD

Location: Cyberjaya, Wangsa Maju

Contact method/details: Whatsapp me at 019 229 5422
---

Item(s) conditions: Brand new from US, unopened

Picture:

Reason for sale: bought 2 by accident

Neo Geo X

trifecta — Mon, 25 Nov 2013 10:27:51 +0800

Anyone buying this or own this?
I still remember the original version, back in 1992, but it was damn expensive back then.
The cartridge was huge compared to SEGA or Nintendo but the graphics were way better than SEGA Megadrive or Nintendo.
It died back in 2004, now it's back.

Saw it on Groupons, and now the package also includes a handheld.

Which Fighting Stick is the best?

trifecta — Thu, 25 Aug 2011 12:23:44 +0800

Among all the 3 fighting stick, which would you choose for SF4 or Marvel vs Capcom....

State of the Internet 2010: A Report on the Ever-C

trifecta — Fri, 29 Oct 2010 10:11:31 +0800

“State of the Internet 2010: A Report on the Ever-Changing Threat Landscape” ... is a compilation of findings offering an overall perspective of the status of the threat landscape in the first half of 2010 (H1 2010).

It delivers insights and analysis based on data gathered from notable threats, trends, and statistics from January to June 2010. This report also includes tips and reminders on routine PC security and safe online behavior.

CA 2010

download, read , understand as to avoid being suckered into zero-knowledge

Hack in the Box 2010 Conference slide

trifecta — Sun, 24 Oct 2010 23:37:39 +0800

For you guys who unable to attend the conference (end yesterday in KL), here is the presentation slide from all speakers (speakers include from google security team, ISC, F-secure, Pandalabs, Sophos, ESEC, etc):

http://conference.hackinthebox.org/hitbsec...0kul/materials/

Conference website:

http://conference.hackinthebox.org

Good presentation to read:

1. Iphone Security Model
2. Smartphone Application and Security
3. Attacking GSM Base station

How to surf the Net without getting PWND!

trifecta — Wed, 08 Sep 2010 01:48:19 +0800

Sharing the presentation I attended at SysCan Singapore. Myth vs. Realities...some stuff you guys need to know.

The presenter was Bryce Galbraith:

QUOTE

A perpetually curious kid who at 10, got a Commodore 64 and a modem (before the Internet!) Now I’m just a bigger kid with a mortgage…
-I’ve held security positions at global ISPs and Fortune 500 companies.
-I was a senior member of Foundstone'sworld-renowned attack and penetration team as well as a senior instructor and co-author of Foundstone's"Ultimate Hacking: Hands-On" course series.
-I am a contributing author of the internationally bestselling book,Hacking Exposed: Network Security Secrets & Solutions.
-I’m currently one of the SANS Institute’s top rated Certified Instructors and a lead penetration tester at Layered Security.
-I’ve taught the art of ethical hacking and countermeasures to thousands of IT professionals from a who's who of top companies, financial institutions, and government agencies around the globe.
-I’m an active member of several security-related professional organizations, I speak at a variety of conferences, and hold a number of certifications: CISSP, GCIH, GSEC, CEH, CHFI, Security+, and CCNA.

CODE

Common Security Myth:

[B]Hackers loveour ignorance, arrogance and apathy.[/B]
Whether conscious or subconscious –doesn’t really matter
They have no mercy whatsoever…
The more you learn about technology, the more amazed you become that it works at all.
Exponential growth & infinitely complex
The more you learn about, “information security” the more you realize that the term is really an oxymoron.
Virtually impossible to defend against all threats.
Unplug? Not gonnahappen…
There is no “silver bullet” –despite what vendors say!
Myths abound…let’s explore a few favorites.

CODE

MYTH
[B]“I don’t have anything anyone would want.”[/B]
FACT
You have an IP address, MAC address, hard drive, CPU, memory and a nice pipe to the Internet that isn’t theirs.
Stealth, anonymity and misdirection are veryvaluable to attackers who do notwant to get caught.
Fraud-related activities, purveying illegal pornography, extortion, spam, Distributed Denial of Service (DDoS), etc.
They would love to add your machine to their botnet!
Guess who the Feds (or rival criminals) come looking for?
“It wasn’t me!” –Isn’t that what they all say?
Don’t forget about your identity and your money too

…

ah, this is my favorite...and yes, the audience did laugh it out loud
MYTH

CODE

“[B]I use a Mac. They’re waymore secure than Windows.”[/B]
FACT
[B]Macs are more obscure, not more secure -very important![/B]
Don’t be naïve. Hackers go for mass effect –historically Windows.
This is changing and hackers are all over it. There is blood in the water.
Remember hackers love ignorance, arrogance and apathy.
[B]Exploit writers actually prefer Macs and their users.[/B]
They are turning their attentions towards Macs with a vengeance.
Macs are in some ways easier to hack. Hackers hate Vista/7/2008 right now and as always, are choosing the path of least resistance.
Macs have no AV, Apple provides updates insecurely, less attention, lack of GPOs as a rule, no ASLR or stack canaries, misinformed users, and Macs haven’t been subjected to the full-force of the hacking underworld...yet.
Apple perpetuates the myth instead of warning their customers.
Users tend to believe the myth in mass and may even be arrogant about it.
“Pride goethbefore the fall”, as they say…

CODE

[B]MYTH[/B]
“[I]I don’t use Internet Explorer. I use ___________.”[/I]
[B]FACT[/B]
Remember obscurity is not the same as security.
No browser is secure –only varying degrees of insecurity
Hacker’s routinely release exploits for all of them.
Month-of-browser bugs proved the point convincingly
http://browserfun.blogspot.com/
Recent study:
Firefox flaws account for 44% of all browser bugs. Apple's Safari takes second, with 35%, IE in third with 15%.
Much of the security, or lack there of, still rests on the individual user awareness, actions and discretion as well as the level of attention the hacking world directs at it.

and this is what most anti-virus FANBOYS like to claim without thinking:

CODE

[B]MYTH[/B]
[I]“I have Product XYZ on my computer to protect me.”[/I]
[B]FACT[/B]
There is no product that will protect against all the threats. It simply doesn’t exist. I wish it did…
AV can be bypassed with polymorphic code generators.
Encoders, encryption, code-obfuscators, etc.
Firewalls/proxies can be bypassed in numerous ways
“The truth about personal firewalls”
http://www.rootkit.com/newsread.php?newsid=849
SSL encapsulation
Covert channels
Riding over trusted connections
Invisible IE windows

download the material to read it full.

tons of other presentation at syscan.org. Usually held in June every year.

read here!

Career Path in Information Security

Thu, 01 Jan 1970 07:30:00 +0800

Leading Security Related Resources

trifecta — Wed, 06 Jan 2010 20:42:24 +0800

here's a long list of Infosec reading places, which also inter-wind with Business Continuity Processes.
Not all standards are being practices in Malaysia, among the reason is the maturity level of this country Infosec.
For BCP, only certain banks and O&G have Disaster Recovery Sites. Imagine if tsunami hit KL and Putrajaya, there's no DRP, all our records, from tax to IC gone.

Enjoy!

____________ _________ _________ _________ ___

Information Security

The ISF Standard of Good Practice for Information Security
The ISF standard is designed to help any organization, irrespective of market sector, size or structure, keep the business risks associated with its information systems within acceptable limits. It is a major tool in improving the quality and efficiency of security controls applied by an organization. http://www.isfsecur itystandard. com/index_ ie.htm

CERT® Coordination Center (CERT/CC)
The CERT Coordination Center (CERT/CC), arguably the most widely known group within the CERT Program, addresses risks at the software and system level. Although it was established as an incident response team, the CERT/CC has evolved beyond that, focusing instead on identifying and addressing existing and potential threats, notifying system administrators and other technical personnel of these threats, and coordinating with vendors and incident response teams world wide to address the threats. http://www.cert. org/certcc. html

Information Security Handbook: A Guide for Managers.
NIST has published a new information security handbook which should be “required reading” for pretty well most everyone involved with IT and/or IT Security although some people can certainly skim many of the sections in this 176 page document.
http://csrc. nist.gov/ publications/ nistpubs/ 800-100/sp800- 100.pdf

Assessing your legal vulnerabilities
Businesses face legal risks related to disruptions and disasters: how can these be addressed? By Jay N. Rosenblatt, a business lawyer at the law firm Simpson Wigle LLP.
http://www.continui tycentral. com/feature0443. htm

CERT® Insider Threat Research
The CERT insider threat research focuses on both technical and behavioral aspects of actual compromises. They produce models, reports, training, and tools to raise awareness of the risks of insider threat and to help identify the factors influencing an insider's decision to act, the indicators and precursors of malicious acts, and the countermeasures that will improve the survivability and resiliency of the organization. http://www.cert. org/insider_ threat/

Secure Coding: Principles & Practices
Welcome to the on-line home of Secure Coding: Principles and Practices (O'Reilly, 2003). They provide information about the book and its authors; updated versions of links and tables that appear in the book; and also original supplemental material like op/ed pieces and vulnerability analyses. It's all offered in the spirit of helping us build strong and light "virtual bridges" in the years to come. http://www.secureco ding.org/

The Information Systems Security Association (ISSA)
ISSA is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications and peer interaction opportunities that enhance the knowledge, skill and professional growth of its members. With active participation from individuals and chapters all over the world, the ISSA is the largest international, not-for-profit association specifically for security professionals.
http://www.issa. org/
FREE Trade Magazine Subscriptions and Technical Document Downloads
Browse through this extensive list of trade publications and technical documents by industry and geographic eligibility to find the titles that best match your skills and interests. Simply complete the application form and submit it. Publications are absolutely free to professionals who qualify (this service is provided by ISSA).
http://issa. tradepub. com/

The Open Web Application Security Project (OWASP)
OWASP is dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. Their open source projects and local chapters produce free, unbiased, open-source documentation, tools, and standards. The OWASP community also facilitates papers, conferences, local chapters, presentations, and mailing lists. If you're new to application security, try their “getting started guide”.
http://www.owasp. org/index. php/Main_ Page

How to become an information security professional
Many years ago, while directing IT operations for a small company on the West Coast, I became aware that our network security was particularly weak. The company was growing at a rapid pace, IT was understaffed, the network was at capacity in a number of ways, and the demands were brutal both in terms of time and technology needs. While I didn't mind the long hours, I did mind that I didn't feel "up to snuff" in terms of selecting technologies that would enable us to expand the network and secure it. I had responsibility for IT and security, but I felt that there were holes in my knowledge. I wanted to fix that. So began my quest to become an information security professional.
http://www.itmanage rsjournal. com/article. pl?sid=05/ 11/15/2027247

Cyberwar - A Threat to Business By Gideon T. Rasmussen, CISSP, CISA, CISM, IAM
The threat of cyberwarfare is different from common Internet threats and most organizations are not adequately prepared for it. Corporate defenses typically concentrate on protecting data from theft or alteration. Cyberwarfare also seeks to disrupt critical infrastructure and services. That brings availability, resiliency and incident response into the mix. Expect malicious attacks by determined hackers. They will be well trained and have ample resources.
http://www.gideonra smussen.com/ article-14. html

The Information Warfare Site (IWS)
IWS is an online resource that aims to stimulate debate about a range of subjects from information security to information operations and e-commerce. It is the aim of the site to develop a special emphasis on offensive and defensive information operations. IWS first went online in December 1999. Since its launch it has undergone a complete redesign and many key texts have been added. In adherence to its founding principles IWS has developed several mailing lists to enable a more interactive debate. http://www.iwar. org.uk/index. htm

The Defense-in-Depth Foundational Curriculum handbook discusses information assurance issues and how to address these at both organizational and technical levels. The handbook is written for students ranging from system administrators to CIOs who have some technical understanding of information systems.
http://www.cert. org/archive/ pdf/Defense_ in_Depth092106. pdf

Practices for Securing Critical Information Assets.
A landmark security report – truly a classic. While written before September 11th it remains valid.
http://www.ncinfrag ard.org/pdf/ Practices_ For_Securing_ Critical_ Information_ Assets.pdf

IT Control Objectives for Basel II
The exposure draft (ED) of IT Control Objectives for Basel II was released 16 May 2007 on the ISACA and ITGI websites http://www.isaca. org and http://www.itgi. org. It provides a framework for managing information risk in the context of Basel II. In applying this framework, financial services organizations are able to apply recognized processes and controls to the information technology space. The IT control objectives and management processes outlined in it address the role of information technology in operational risk, and the resulting tasks for IT practitioners, internal IT auditors, IT risk managers and information security officers.
http://www.itgi. org/

The Information Security Management Maturity Model (ISM3)
The Information Security Management Maturity Model (ISM3, or ISM-cubed) extends ISO9001 quality management principles to information security management (ISM) systems. Rather than focusing on controls, it focuses on the common processes of information security, which are shared to some extent by all organizations. Under ISM3, the common processes of information security are formally described, given performance targets and metrics, and used to build a quality assured process framework. Performance targets are unique to each implementation and depend upon business requirements and resources available.
http://www.ism3. com/

Gary Hinson's web site has a variety of excellent resources
a. For ISO 27000, he maintains a comprehensive page of links at
- http://www.iso27001 .security. com/html/ links.html and
b. For IT governance, check out http://www.noticebo red.com/html/ governance. html

The National Strategy to Secure Cyberspace
The National Strategy to Secure Cyberspace is part of our overall effort to protect the Nation. It is an implementing component of the National Strategy for Homeland Security and is complemented by a National Strategy for the Physical Protection of Critical Infrastructures and Key Assets. The purpose of this document is to engage and empower Americans to secure the portions of cyberspace that they own, operate, control, or with which they interact. Securing cyberspace is a difficult strategic challenge that requires coordinated and focused effort from our entire society, the federal government, state and local governments, the private sector, and the American people.
http://www.whitehou se.gov/pcipb/

Risk Assessment and BS7799-3
It's been a busy time for information security professionals, & it's not over yet. ISO 17799 (http://www.itgovern ance.co.uk/ products/ 31) has been comprehensively updated, ISO 27001 (http://www.itgovern ance.co.uk/ products/ 33) has replaced BS 7799-2:2002 (save £40, buy the two standards together - http://www.itgovern ance.co.uk/ products/ 32), and BS7799-3
(http://www.itgovern ance.co.uk/ products/ 162) will be published in December.

The risk assessment is at the heart of any information security management system, and the new BS7799-3:2005 expands on the risk assessment guidance given in ISO 27001. This is a standard you can't afford to be without - pre-order your copy
(http://www.itgovern ance.co.uk/ products/ 162) today for immediate delivery

The Computer Security Division (CSD) of the National Institute of Standards and Technology (NIST), including the Federal Information Security Management Act (FISMA) library.
The mission of NIST's Computer Security Division is to improve information systems security by:

Raising awareness of IT risks, vulnerabilities and protection requirements, particularly for new and emerging technologies;
Researching, studying, and advising agencies of IT vulnerabilities and devising techniques for the cost-effective security and privacy of sensitive Federal systems;
Developing standards, metrics, tests and validation programs:

to promote, measure, and validate security in systems and services
to educate consumers and
to establish minimum security requirements for Federal systems
Developing guidance to increase secure IT planning, implementation, management and operation.
http://csrc. nist.gov/
http://csrc. nist.gov/ sec-cert/ ca-library. html

Information technology governance - From Wikipedia, (the free encyclopedia)
Information technology governance, IT governance or ICT Governance, is a subset discipline of Corporate governance focused on information technology systems and their performance and risk management. The rising interest in IT governance is partly due to compliance initiatives (e.g. Sarbanes-Oxley ( USA ) and Basel II ( Europe )), as well as the acknowledgement that IT projects can easily get out of control and profoundly affect the performance of an organization.
http://en.wikipedia .org/wiki/ Information_ technology_ governance

CSO and CSOonline.com are published by CXO Media Inc., which is an IDG (International Data Group) company.
http://www.csoonlin e.com/

Customer Privacy
Microsoft releases guidelines for customer privacyA 49-page document previously kept internally by Microsoft was released at an international privacy professionals' conference in Toronto . The company hopes its Privacy Guidelines for Developing Software Products and Services will spur further industry discussion on the subject.http: //cwflyris. computerworld. com/t/935278/ 21700429/ 37981/2/

"Secure, Defend and Transform: The Complete E-Business Legal Strategy" by PriceWaterhouseCoop ers.
http://www.pwcgloba l.com/lu/ eng/ins-sol/ publ/pwc_ legal.pdf

The SANS (SysAdmin, Audit, Network, Security) Institute
SANS is one of the most trusted and by far the largest source for information security training and certification in the world. It also develops, maintains, and makes available at no cost, the largest collection of research documents about various aspects of information security, and it operates the Internet's early warning system – (Internet Storm Center). http://www.sans. org/

Welcome to U.S. Security Awareness!
This site is dedicated to increasing security awareness among the general population and the technology community. The Basic Security section is focused to the average person. The Advanced Security section will be of interest to technologists, senior management and legislators.
http://www.ussecuri tyawareness. org/

A web site devoted to Technology Law . http://www.ecompute rlaw.com/ articles/ listing.php

An EComputerLaw newsletter. www.EComputerLaw. com

Auditor Answers: Maintaining Compliance in Home Offices.
Out of sight can’t mean out of mind, when it comes to upholding policies and procedures in the home offices of your workers. What should companies do to maintain compliance standards across a distributed workforce? http://www.itcinsti tute.com/ display.aspx? ID=2253

Insider Threat Group - Yahoo Groups
The insider threat group provides a forum to discuss resources and techniques to mitigate the threat posed by authorized personnel. Those interested in learning more about insider threat will benefit from the exchange of tips and the opportunity to ask questions. The group is moderated to keep on topic. http://groups. yahoo.com/ group/insider- threat

Australian Government Information and Communications Technology Security Manual
The Australian Government Information and Communications Technology Security Manual (also known as ACSI 33) has been developed by the Defense Signals Directorate (DSD) to provide policies and guidance to Australian Government agencies on how to protect their ICT systems.
http://www.dsd. gov.au/library/ infosec/acsi33. html

More Information Security Practices

Build Security In (BSI)
As part of the Software Assurance program, Build Security In (BSI) is a project of the Strategic Initiatives Branch of the National Cyber Security Division (NCSD) of the Department of Homeland Security (DHS). The Software Engineering Institute (SEI) was engaged by the NCSD to provide support in the Process and Technology focus areas of this initiative. The SEI team and other contributors develop and collect software assurance and software security information that helps software developers, architects, and security practitioners to create secure systems.
https://buildsecuri tyin.us-cert. gov/daisy/ bsi/home. html

CERT®'s Resiliency Engineering Research
The cornerstone of their research is the development of the CERT® Resiliency Engineering Framework. The framework is the foundation for a process improvement approach to security and business continuity. It establishes an organization’s resiliency engineering process: a collection of essential capabilities that an organization performs to ensure that its important assets—people, information, technology, and facilities—stay productive in supporting business processes and services. The framework serves as a foundation from which an organization can measure its current competency, set improvement targets, and establish plans and actions to close any identified gaps. As a result, the organization repositions and repurposes its security and business continuity activities and takes on a process improvement mindset that helps to keep these activities productive in the long run.
http://www.cert. org/resiliency_ engineering/

The Center for Internet Security (CIS) is a non-profit enterprise whose mission is to help Organizations reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls. CIS members develop and encourage the widespread use of security configuration benchmarks through a global consensus process involving participants from the public and private sectors. The practical CIS Benchmarks support available high level standards that deal with the "Why, Who, When, and Where" aspects of IT security by detailing "How" to secure an ever widening array of workstations, servers, network devices, and software applications in terms of technology specific controls. CIS Scoring Tools analyze and report system compliance with the technical control settings in the Benchmarks. The CIS Benchmarks and Scoring Tools are available for download free of charge.
http://www.cisecuri ty.org/index. html

Process Agnostic Navigational View
The process agnostic approach incorporates security into each basic phase of software development. The best practices and methods described are applicable to any and all development approaches as long as they result in the creation of software artifacts.
https://buildsecuri tyin.us-cert. gov/daisy/ bsi/438.html

Governing for Enterprise Security Implementation Guide
This guidance is designed to help business leaders implement an effective program to govern information technology (IT) and information security.
http://www.cert. org/governance/ ges.html
· Article 1: Characteristics of Effective Security Governance (pdf)
· Article 2: Defining an Effective Enterprise Security Program (ESP) (pdf)
· Article 3: Enterprise Security Governance Activities (pdf)

GAO Executive Guide: Information Security Management: Learning From Leading Organizations. A high priority of the CIO Council is to ensure the implementation of security practices within the Federal government that gain public confidence and protect government services, privacy, and sensitive and national security information. This Executive Guide, "Information Security Management, Learning From Leading Organizations, " clearly illustrates how leading organizations are successfully addressing the challenges of fulfilling that goal. These organizations establish a central management focal point, promote awareness, link policies to business risks, and develop practical risk assessment procedures that link security to business needs. This latter point--the need to link security to business requirements- -is particularly important, and is illustrated in a statement of a security manager quoted in the guide: "Because every control has some cost associated with
it, every control needs a business reason to be put in place." http://www.gao. gov/special. pubs/cit. html (Its the 3rd item in the GAO list of papers)

A Few Good Metrics Information security metrics don't have to rely on heavy-duty math to be effective, but they also don't have to be dumbed down to red, yellow, green. Here are five smart measurements—and effective ways to present them. http://www.csoonlin e.com/read/ 070105/metrics. html

The Center for Education and Research in Information Assurance and Security The Center for Education and Research in Information Assurance and Security (CERIAS) is currently viewed as one of the world's leading centers for research and education in areas of information security that are crucial to the protection of critical computing and communication infrastructure. http://www.cerias. purdue.edu/

ISO27001 in North America
ISO27001 is the new, international standard of information security best practice. With its origins in ISO17799 and BS7799, ISO27001 is providing comprehensive best-practice advice and guidance to private and public sector organizations around the world on how to design and implement an effective information security management system ('ISMS'). On this site, you can find out how an ISO27001 ISMS can help organizations meet their commercial and business needs for cost-effective information security while at the same meeting their information- related regulatory compliance objectives and positioning them for new and emerging regulations.
http://www.27001. com/default. aspx

The Defense-in-Depth Foundational Curriculum handbook discusses information assurance issues and how to address these at both organizational and technical levels. The handbook is written for students ranging from system administrators to CIOs who have some technical understanding of information systems.
http://www.cert. org/archive/ pdf/Defense_ in_Depth092106. pdf

Guide 6: Managing and Auditing IT Vulnerabilities
The IIA has released its sixth guide in its Global Technology Audit Guide (GTAG®) series, Managing and Auditing IT Vulnerabilities. The 24-page guide was developed to help CAEs and internal auditors ask the right questions of IT security staff when assessing the effectiveness of their vulnerability management processes. The guide recommends specific management practices to help an organization achieve and sustain higher levels of effectiveness and efficiency and illustrates the differences between high- and low-performing vulnerability management efforts. http://www.theiia. org/guidance/ technology/ gtag/gtag6/

Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i
By Sheila Frankel, Bernard Eydt, Les Owens, and Karen Scarfone,
NIST Special Publication 800-97
http://csrc. nist.gov/ publications/ nistpubs/ 800-97/SP800- 97.pdf

Security Awareness Program Development Guidance
This guidance material includes a white paper Key Considerations for Developing Effective Information and Training Programs that outlines how to successfully and effectively address an information security awareness and training program. Included is an accompanying information security awareness presentation titled The Role of Information Security in Everyday Business. This presentation provides content that can be leveraged for effective security awareness presentations to organizations’ entire workforces, and also can be used to serve as an official launch of the information security awareness and training program in your organization. Also included is an End User Security Awareness presentation template and video, providing material to help articulate what is involved with building an information security awareness and training program to your management and peers within your company.
http://www.microsof t.com/technet/ security/ understanding/ awareness. mspx

Auditing security using the PCI standard and related guidance - (Because personal information must be protected)
We need to protect personal information much more than ever before and extensive help from the PCI Security Standards Council and numerous other organizations does exist.
http://www.auditnet .org/articles/ DSIA200704. htm

SANS Top-20 Internet Security Attack Targets (2006 Annual Update)
http://www.sans. org/top20/

The (ISC)² 2007 Resource Guide for Today's Information Security Professional - Global Edition - provides the latest resources in educational references, year-long events listings and leading industry sponsors all in one handy downloadable reference guide.
https://www. isc2.org/ /cgi-bin/ content.cgi? page=920

SANS Software Security Institute (SSI)
The new SANS project has six goals: 1) Allow employers to rate their programmers on security skills so they can be confident that every project has at least one "security master" and all of their programmers understand the common errors and how to avoid them; 2) Provide a means for buyers of software and systems vendors to measure the secure programming skills of the people who work for the supplier; 3) Allow programmers to identify their gaps in secure programming knowledge in the language they use and target education to fill those gaps; 4) Allow employers to evaluate job candidates and potential consultants on their secure programming skills and knowledge; 5) Provide incentive for universities to include secure coding in required computer science, engineering, and programming courses and 6) Provide reporting to allow individuals and organizations to compare their skills against others in their industry, with similar education or experience or in
similar regions around the world.
http://www.sans- ssi.org/

The Center for Internet Security: Global Security Benchmarks for Computers Connected to the Internet - In today's world of e-business and increased networking among companies, standards that define detailed, technical security specifications for computers connected to the Internet are vital to the security of every organization' s mission-critical information.
http://www.isaca. org/template. cfm?template= /ContentManageme nt/ContentDispla y.cfm&ContentID= 3515

Security Configuration Checklists Program for IT Products
A security configuration checklist (sometimes referred to as a lockdown guide, hardening guide, or benchmark configuration) is essentially a document that contains instructions or procedures for configuring an IT product to a baseline level of security.
http://checklists. nist.gov/ index.html

PCI compliance after the TJX data breach
The recent TJX Companies Inc. data breach refocused attention on credit card security, retailers and the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is to the credit card industry what Sarbanes-Oxley (SOX) has been to publicly held companies. It's pushing them to comply with the PCI Security Standards Council guidelines, the most recent of which was drafted in September 2006. It forces card issuers and processors to invest in the necessary compliance technology and training or face crippling consequences. Those who don't can be heavily fined or barred from issuing or accepting cards from any council members. And, because the council consists of a consortium of five powerful card companies -- Visa, MasterCard, American Express, Discover and JCB -- not complying can effectively ban a bank from issuing cards or a merchant from accepting them.
http://searchsecuri ty.techtarget. com/tip/0, 289483,sid14_ gci1245717, 00.html?track= NL-430&ad= 581054&asrc= EM_NLT_1088715

IT Audit Checklist: Payment Card Industry (PCI)
The IT Audit Checklist for PCI offers:

54 specific checklist items to help assess your audit readiness
Recommendations for avoiding common PCI compliance failures
Pointers on audit planning, preparation, testing, and reporting
Clarification on what auditors want (and don't want) to see
http://www.itcinsti tute.com/ display.aspx? id=2499
The Systems Security Engineering Capability Maturity Model (SSE-CMM) was developed to advance security engineering as a defined, mature, and measurable discipline. It describes the characteristics essential to the success of an organization' s security engineering process, and is applicable to all security engineering organizations including government, commercial, and academic. http://www.issea. org/sse_cmm. asp
The International Systems Security Engineering Association (ISSEA)
Established in 1999, the ISSEA is a non-profit professional organization dedicated to the adoption of systems security engineering as a defined and measurable discipline.
http://www.issea. org/

CCCure.Org
The CISSP, SSCP, CISM, CISA, ISSPCS, and SANS GIAC GCFW Open Study Guides web site is dedicated to helping people in achieving their goal of becoming a CISSP, SSCP, CISM, CISA, ISSPCS, or GCFW. Over the years it has become a vast container of resources that can assist you in mastering the domains of the specific Common Body of Knowledge related to each of the above certifications.
http://www.cccure. org/

Switch security
Properly configured, switches can add another layer of security to your network. This article provides best practices configurations that should be considered for any organization. The tips within can help isolate systems from hackers, prevent the spread of zero day viruses and prevent unauthorized systems from connecting to your network.
http://isc.sans. org/diary. php?storyid= 1583
The CIAO/IIA series of board level security guidance reports
The Institute of Internal Auditors (IIA) has published a series of three board-level guidance reports focusing on information security that focuses on assigning responsibilities to the board, management, and internal audit, and providing guidance to board directors.
· Information Security Management and Assurance: A Call to Action for Corporate Governance
http://www.theiia. org/download. cfm?file= 22398

· Information Security Governance: What Directors Need to Know
http://www.theiia. org/download. cfm?file= 7382

· Building, Managing, and Auditing Information Security
http://www.theiia. org/download. cfm?file= 33288
SCORE
As we started the research for the HIPAA and 17799 projects we came across a number of references to DITSCAP and NITSCAP. The purpose of the system security plan (SSP) is to provide an overview of the security requirements of the system and describe the controls in place or planned, responsibilities and expected behavior of all individuals who access the system. It is a core component of DITSCAP. The system security plan should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system. It should reflect input from various managers with responsibilities concerning the system, including information owners, the system operator, and the system security manager. Additional information may be included in the basic plan and the structure and format organized according to agency needs, so long as the major sections described in this document are adequately covered and readily identifiable. Michael
Kirby has developed a tool to help generate an SSP. It is available here on an as is basis, SCORE takes no responsibility for your use of the tool". Try the tool which is at - http://www.sans. org/score/ ssp.php

Information Security Governance: Guidance for Boards of Directors and Executive Management 2nd Edition (ISACA)
To achieve effectiveness and sustainability in today’s complex, interconnected world, information security must be addressed at the highest levels of the organization, not regarded as a technical specialty relegated to the IT department.
http://www.isaca. org/Template. cfm?Section= Home&Template= /ContentManageme nt/ContentDispla y.cfm&ContentID= 24572

Digital Records Management — What Auditors Should Know
As companies continue to decrease their dependence on paper records, internal auditors need to stay ahead of the game by understanding the necessary ingredients to an effective digital records management program.
http://www.theiia. org/itaudit/ index.cfm? iid=496&catid= 21&aid=2388

Hammer Time: Enforcing Internal Security - by Linda L. Briggs.
Having internal rules and regulations in place regarding compliance is important, as is clearly communicating them to employees. But when infractions occur, as they inevitably will, how should you deal with them?
http://www.itcinsti tute.com/ display.aspx? id=2403

Security breach lists are an interesting read and can be useful for:
* Identifying trends in emerging security threats.
* Providing examples of why a control is necessary.
* Citing real world compromises in presentations, etc.
http://www.efortres ses.com/refdocs/ 2006-Breaches- Matrix.pdf
http://www.privacyr ights.org/ ar/ChronDataBrea ches.htm
http://www.cybercri me.gov/cccases. html

Ask the Auditor: Who is Responsible for Information Security?
The Auditor Responds: In short, the board of directors, management (of both staff and business lines), and internal audit functions all have significant roles in auditing information security. The big question for many companies is how these stakeholders should work together to ensure that everything that should be done to protect sensitive data is being done—and that the company’s key assets are protected appropriately.
http://www.itcinsti tute.com/ display.aspx? id=1823
National Institute of Standards and Technology (NIST) Computer Security Resource Center (CSRC) – (See below for their key initiatives) - http://csrc. nist.gov/
a) US Federal Information Processing Standard (FIPS) 200, “Minimum Security Requirements for Federal Information and Information Systems” (PDF): http://csrc. nist.gov/ publications/ fips/fips200/ FIPS-200- final-march. pdf
b) NIST Special Publication (SP) 800-53, “Recommended Security Controls for Federal Information Systems” (PDF): http://csrc. nist.gov/ publications/ nistpubs/ 800-53/SP800- 53.pdf
c) NIST Special Publication (SP) 800-53A, “Guide for Assessing the Security Controls in Federal Information Systems” (PDF): http://csrc. nist.gov/ publications/ drafts/SP800- 53A-spd.pdf
d) Federal Information Security Management Act (FISMA) Implementation Project: http://csrc. nist.gov/ sec-cert/

Security awareness for governance, risk, compliance and business
Information security is a vital element of corporate and IT governance and risk management. It minimizes risks to valuable information assets and maximizes compliance with laws, regulations and standards such as ISO 17799/ISO 27001, HIPAA, SOX, data protection/privacy, software copyright and intellectual property protection, banking industry regulations and many more.
Secure organizations may confidently pursue new business opportunities that would be considered too risky by their insecure peers. Simply put, good security is good business.
NoticeBored helps build a genuine security culture through security awareness
http://www.noticebo red.com/index. html

Twelve habits of successful IT professionals.
http://www.educause .edu/ir/library/ pdf/erm0613. pdf

Schaser-Vartan Books’ new release, Say What You Do, spells out in layman’s terms the often bewildering differences between policies, procedures and standards — topics that have historically been written about in industry jargon. What sets the book apart is its candidly practical approach, focusing on creating policies that really work rather than pushing theories that break down in the real world. “Armed with this book, you should be able to lead a policy development project at your company from the ground up and from the top down without losing your mind,” says co-author and attorney Marcelo Halpern.
http://home. businesswire. com/portal/ site/google/ index.jsp? ndmViewId= news_view& newsId=200704170 05246&newsLang= en

Boardroom Briefing: Business Continuity and Disaster Recovery
Support your crisis management preparations (as something will happen).
Boardroom Briefing: Business Continuity and Disaster Recovery

Second edition of Guide to Business Continuity Management.
This comprehensive resource guide reviews in detail numerous BCM areas and strategies, including an overview of the regulatory landscape, risk assessment and business impact analysis, program design, business alignment, training, testing, maintenance, and compliance monitoring and auditing. Updates to the second edition of Guide to Business Continuity Management include a special introduction that examines two significant issues in the field of BCM: the continuing difficulties caused by devastating hurricane seasons, and the potential business disruption that an avian flu pandemic could cause. Other additions include industry-specific questions for BCM programs in the manufacturing, retail, healthcare and telecommunications sectors.
http://now.eloqua. com/es.asp? s=361&e=FADCF1F8 59DE4310969DEB6D FB1726D7& elq=54F37758B1AB 48F98DD409D0C100 64D7

How to establish an effective Computer Security Incident Response Team at:
http://www.cert. org/csirts

The Canadian Centre for Emergency Preparedness (CCEP)
CCEP is a not-for-profit organization based in Canada & devoted to the promotion of emergency risk management to individuals, communities and organizations, in both government and the private sector, with the aim of reducing the risk, impact and cost of natural, human-induced and technological disasters. CCEP's objectives are to raise awareness of the increasing risks of disasters, promote the need for sound disaster management practices and disseminate information on the availability of professional expertise and resources, including technology.
http://www.ccep. ca/index. html

What Should Your Business Continuity Efforts Focus On?
A Reader Asks: Should your business continuity program (BCP) consider the impacts of emerging threats and changing business practices, and what are the key issues involved today?
The Auditor Responds: Short answer – Your BCP and disaster recovery programs should be designed to respond to a wide variety of potential incidents, covering both man-made disasters, such as power-grid or environmental control failures, and natural disasters, such as hurricanes and mass staff outages due to epidemics.
The long answer – http://www.itcinsti tute.com/ display.aspx? ID=2090

[/B]Business Continuity Planning Standards and Guidelines
Regulatory compliance requirements influence many of the information security practitioner' s roles and responsibilities, including the development of a business continuity plan. In this excerpt from Chapter 1: Contingency and Continuity Planning of "Business Continuity and Disaster Recovery for InfoSec Managers," John W. Rittinghouse and James F. Ransome outline the regulatory requirements that should be addressed when establishing and maintaining a business continuity plan.
http://go.techtarge t.com/r/458182/ 4842737

Malaysia own .my Hall of Shame

trifecta — Wed, 06 Jan 2010 19:48:42 +0800

following the notorious zone-h 'Hall of Shame', Mel and his team has put up our Malaysian finest website, especially gov.my that are prone to SQL Injection, Cross Site Scripting and tons more. www.security.org.my

I wonder, with all those millions spend, hundreds if not thousands of training hours, tens of thousand pages of Security SOP, multiple agencies security oversight from MAMPU to CSM to MCMC etc... .gov.my websites are still a playground from script kiddi0ts, I call 'em script kid idiots.

Here's the latest, Herald being whacked...Amen to that rflol!

Career Path in Information Security

trifecta — Sun, 03 Jan 2010 14:01:54 +0800

For those of your aspiring who wants to make Infosec a professional career, fresh grads, or already in IT but would like to specialize in the various discipline in Infosec, you might want to take a look at this chart. It serves only as a guide, and you not necessarily only get training from SANS, there are various other institute out there.

http://www.sans.org/security-training/roadmap.pdf

Infosec is more than AV folks.

Secure Passwords Keep You Safer

trifecta — Fri, 25 Dec 2009 12:55:01 +0800

Ever since I wrote about the 34,000 MySpace passwords I analyzed, people have been asking how to choose secure passwords.

My piece aside, there's been a lot written on this topic over the years -- both serious and humorous -- but most of it seems to be based on anecdotal suggestions rather than actual analytic evidence. What follows is some serious advice.

The attack I'm evaluating against is an offline password-guessing attack. This attack assumes that the attacker either has a copy of your encrypted document, or a server's encrypted password file, and can try passwords as fast as he can. There are instances where this attack doesn't make sense. ATM cards, for example, are secure even though they only have a four-digit PIN, because you can't do offline password guessing. And the police are more likely to get a warrant for your Hotmail account than to bother trying to crack your e-mail password. Your encryption program's key-escrow system is almost certainly more vulnerable than your password, as is any "secret question" you've set up in case you forget your password.

Offline password guessers have gotten both fast and smart. AccessData sells Password Recovery Toolkit, or PRTK. Depending on the software it's attacking, PRTK can test up to hundreds of thousands of passwords per second, and it tests more common passwords sooner than obscure ones.

So the security of your password depends on two things: any details of the software that slow down password guessing, and in what order programs like PRTK guess different passwords.

Some software includes routines deliberately designed to slow down password guessing. Good encryption software doesn't use your password as the encryption key; there's a process that converts your password into the encryption key. And the software can make this process as slow as it wants.

http://www.wired.com...8?currentPage=1

P/S: password security is independent of the OS, regardless wheter one is on Linux,Mac or Windows and is also regardless of whether one is using AV or not.

Bit locker vulnerability

trifecta — Sat, 12 Sep 2009 06:57:56 +0800

Bitlocker encryption can be implemented in one of two ways

- System partition encryption
- Full disk encryption

However, since the MBR is never encrypted, anybody having physical access to a machine can infect the boot sector using a rootkit. This allows the rootkit to intercept disk I/O and hence compromise data during read/write to disk.

Discussion time.

Is Your Organization Ready for Windows 7?

trifecta — Thu, 03 Sep 2009 00:27:21 +0800

Is Your Organization Ready for Windows 7?

October 6, 2009
12:00 PM Eastern / 9:00 a.m. Pacific (60 minutes)

Event Details
Featured Speaker: Independent Analyst Firm Forrester’s Benjamin Gray

Forrester's Benjamin Gray discusses his April 2009 report "Get Ready For Windows 7" and whether or not your organization should deploy Windows 7 now or test applications and hardware against Windows Vista for greater compatibility with Windows 7. He'll also share:

• What he believes to be the top five Windows 7 features
• Industry benchmarks on what other North American and European enterprises are planning
• His recommendations for customers running Windows XP or Windows Vista

Save the Date for the Live Webcast on October 6, 2009. Prepare for the future by learning how to optimize your desktop infrastructure with Windows 7 while maximizing your existing technology investments. Attend this webcast to see how Windows 7 can benefit your organization with powerful technologies that help you secure, officially manage, and lower the cost of your organization's desktop infrastructure.

About Benjamin Gray:
Benjamin serves IT Infrastructure & Operations professionals. He is a leading expert on business-class PCs and desktop operating systems and also researches business-class mobile devices, mobile operating systems, and mobile device management solutions. Benjamin helps
Forrester clients develop and improve their strategy around client hardware and client operating systems. Benjamin's research and analysis have been widely cited in the press, including business media outlets such as The Associated Press, Bloomberg, The New York Times, USA Today, and The Wall Street Journal and industry media outlets such as Computerworld, eWeek, InformationWeek, InfoWorld, and NetworkWorld.

Check out more upcoming webcasts.
http://www.microsoft.com/windows/enterpris...7/webcasts.aspx

WinXP to Win7 Upgrade Matrix

trifecta — Tue, 04 Aug 2009 19:55:50 +0800

Questions on upgrading your WinXP clients to Win7, refer to the matrix below.
Thanks to Win Client team for this!

http://technet.microsoft.com/en-us/windows/ee150430.aspx

Alert - Critical Product Vulnerability - July 28,

trifecta — Wed, 29 Jul 2009 10:08:42 +0800

What is the purpose of this alert?

This alert is to provide you with an overview of two new security bulletins and one security advisory being released (out-of-band) on July 28, 2009.

=================================
NEW SECURITY BULLETIN SUMMARY
=================================

Bulletin ID: MS09-034

Bulletin Title: Cumulative Security Update for Internet Explorer (972260)

Maximum Severity Rating: Critical

Vulnerability Impact: Remote Code Execution

Restart Requirement: Requires restart

Affected Software: All supported versions of Internet Explorer on Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008

---------------------------------

Bulletin ID: MS09-035

Bulletin Title: Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution (969706)

Maximum Severity Rating: Moderate

Vulnerability Impact: Remote Code Execution

Restart Requirement: Requires restart

Affected Software: Microsoft Visual Studio .NET 2003, Visual Studio 2005, Visual Studio 2008, Visual C++ 2005, and Visual C++ 2008

=================================
SECURITY ADVISORY 973882 - OVERVIEW
=================================

Microsoft is releasing Security Advisory 973882 to provide information about our ongoing investigation into vulnerabilities in the public and private versions of Microsoft's Active Template Library (ATL). This advisory also provides guidance as to what developers can do to help ensure that the controls and components they have built are not vulnerable to the ATL issues; what IT Professionals and consumers can do to mitigate potential attacks that use the vulnerabilities; and what Microsoft is doing as part of its ongoing investigation into the issue described in this advisory. This security advisory will also provide a comprehensive listing of all Microsoft Security Bulletins and Security Updates related to the vulnerabilities in ATL. Microsoft's investigation into the private and public versions of ATL is ongoing, and we will release security updates and guidance as appropriate as part of the investigation process.

Microsoft is aware of security vulnerabilities in the public and private versions of ATL. The Microsoft ATL is used by software developers to create controls or components for the Windows platform. The vulnerabilities described in this Security Advisory and Microsoft Security Bulletin MS09-035 could result in information disclosure or remote code execution attacks for controls and components built using vulnerable versions of the ATL. Components and controls created with the vulnerable version of ATL may be exposed to a vulnerable condition due to how ATL is used or due to issues in the ATL code itself.

=================================
RECOMMENDATIONS
=================================

Review security advisory 973882, security bulletin MS09-034, and security bulletin MS09-035 at the links provided below for an overview of the issue, details on affected components, mitigating factors, suggested actions, frequently asked questions (FAQs), and links to additional resources.

Customers who believe they are affected can contact Customer Service and Support (CSS) in North America for help with security update issues or viruses at no charge using the PC Safety line (866) PCSAFETY. International customers can contact Customer Service and Support by using any method found at http://www.microsoft.com/protect/worldwide/default.mspx.

=================================
ADDITIONAL RESOURCES
=================================

• Microsoft Security Advisory 973882 – Vulnerability Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution: http://www.microsoft.com/technet/security/...ory/973882.mspx

• Microsoft Security Bulletin MS09-034 – Cumulative Security Update for Internet Explorer (972260): http://www.microsoft.com/technet/security/...n/MS09-034.mspx

• Microsoft Security Bulletin MS09-035 – Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution (969706): http://www.microsoft.com/technet/security/...n/MS09-035.mspx

• Landing Page for ATL Guidance (for consumers, IT Professionals and Developers): http://www.microsoft.com/atl/

• Microsoft Security Response Center (MSRC) Blog: http://blogs.technet.com/msrc/

• Microsoft Malware Protection Center (MMPC) Blog: http://blogs.technet.com/mmpc/

• Security Research & Defense (SRD) Blog: http://blogs.technet.com/srd/

=================================
PUBLIC BULLETIN RELEASE WEBCASTS
=================================

Microsoft will host two Webcasts to address customer questions on this Out-of-Band bulletin release.

Title: Information About Microsoft July 2009 Out-of-Band Security Bulletin Release
Date: Tuesday, July 28, 2009, 1:00 P.M. Pacific Time (U.S. & Canada)
URL: http://msevents.microsoft.com/CUI/WebCastE...ntID=1032422339

Title: Information About Microsoft July 2009 Out-of-Band Security Bulletin Release
Date: Tuesday, July 28, 2009, 4:00 P.M. Pacific Time (U.S. & Canada)
URL: http://msevents.microsoft.com/CUI/WebCastE...ntID=1032422341

Hacker Says iPhone 3GS Encryption Is ‘Useless’ for

trifecta — Sun, 26 Jul 2009 10:17:43 +0800

QUOTE

Apple claims that hundreds of thousands of iPhones are being used by corporations and government agencies. What it won’t tell you is that the supposedly enterprise-friendly encryption included with the iPhone 3GS is so weak it can be cracked in two minutes with a few pieces of readily available freeware.

“It is kind of like storing all your secret messages right next to the secret decoder ring,” said Jonathan Zdziarski, an iPhone developer and a hacker who teaches forensics courses on recovering data from iPhones. “I don’t think any of us [developers] have ever seen encryption implemented so poorly before, which is why it’s hard to describe why it’s such a big threat to security.”

With its easy-to-use interface and wealth of applications available for download, the iPhone may be the most attractive smartphone yet for business use. Many companies seem to agree: In Apple’s quarterly earnings conference call Tuesday, Apple chief operating officer Tim Cook said almost 20 percent of Fortune 100 companies have purchased 10,000 or more iPhones apiece; multiple corporations and government organizations have purchased 25,000 iPhones each; and the iPhone has been approved in more than 300 higher education institutions.

But contrary to Apple’s claim that the new iPhone 3GS is more enterprise friendly (for reference, see Apple’s security overview for iPhone in business [pdf]), the new iPhone 3GS’ encryption feature is “broken” when it comes to protecting sensitive information such as credit card numbers and social-security digits, Zdziarski said.

Zdziarski said it’s just as easy to access a user’s private information on an iPhone 3GS as it was on the previous generation iPhone 3G or first generation iPhone, both of which didn’t feature encryption. If a thief got his hands on an iPhone, a little bit of free software is all that’s needed to tap into all of the user’s content. Live data can be extracted in as little as two minutes, and an entire raw disk image can be made in about 45 minutes, Zdziarski said.

Wondering where the encryption comes into play? It doesn’t. Strangely, once one begins extracting data from an iPhone 3GS, the iPhone begins to decrypt the data on its own, he said.

To steal an iPhone’s disk image, hackers can use popular jailbreaking tools such as Red Sn0w and Purple Ra1n to install a custom kernel on the phone. Then, the thief can install a Secure Shell (SSH) client to port the iPhone’s raw disk image across SSH onto a computer

more.

[YOUTUBE]
<object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/kHdNoKIZUCw&color1=0xb1b1b1&color2=0xcfcfcf&hl=en&feature=player_embedded&fs=1"></param><param name="allowFullScreen" value="true"></param><param name="allowScriptAccess" value="always"></param><embed src="http://www.youtube.com/v/kHdNoKIZUCw&color1=0xb1b1b1&color2=0xcfcfcf&hl=en&feature=player_embedded&fs=1" type="application/x-shockwave-flash" allowfullscreen="true" allowScriptAccess="always" width="425" height="344"></embed></object>[/YOUTUBE]

[YOUTUBE]<object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/5wS3AMbXRLs&color1=0xb1b1b1&color2=0xcfcfcf&hl=en&feature=player_embedded&fs=1"></param><param name="allowFullScreen" value="true"></param><param name="allowScriptAccess" value="always"></param><embed src="http://www.youtube.com/v/5wS3AMbXRLs&color1=0xb1b1b1&color2=0xcfcfcf&hl=en&feature=player_embedded&fs=1" type="application/x-shockwave-flash" allowfullscreen="true" allowScriptAccess="always" width="425" height="344"></embed></object>[/YOUTUBE]

Free Win7 Training

trifecta — Sun, 31 May 2009 17:26:14 +0800

Hi everyone,

Microsoft Learning has just launched three free eLearning Clinics that you may be interested in test out. These Clinics are geared towards three different audiences, and focus on introducing new features and functionality to those interested in simply learning more about the OS or those that are already considering deploying in the near future.

What's New in Windows 7 for Consumers (1 Hour)
What’s New in Windows 7 for IT Professionals (2 Hours)
What’s New in Windows 7 for Information Workers (2 Hours)

Also, in case you are interested in more Windows 7 training and skills development information, Windows 7 Learning Portal is now live as well! This site is currently showcasing great readiness content, including 7 Silverlight Learning Snacks, free sample chapters from upcoming MS Press Books, Learning Plans, links to clinics/HOLs and more. This page can be found here - http://www.microsoft.com/learning/windows-7/default.mspx

If you have any questions or concerns, don’t hesitate to ask.

Anti-Virus doesn't work, what do you think?

trifecta — Sat, 23 May 2009 19:58:23 +0800

This topic was discuss in my CISSP mailing list.

Do you think Anti-Virus works?

I went through this debate with one of my colleagues. But, I really want to know your thoughts.

Please check the following links before comment.

http://www.jahne.com/information-and-remov...us-doesnt-work/

http://anti-virus-rants.blogspot.com/2009/...oesnt-work.html

Researchers show how to take control of Windows 7

trifecta — Fri, 24 Apr 2009 12:40:01 +0800

http://www.networkworld.com/news/2009/0423...ow-to-take.html

" Researchers Vipin Kumar and Nitin Kumar used proof-of-concept code they developed, called VBootkit 2.0, to take control of a Windows 7 virtual machine while it was booting up. They demonstrated how the software works at the conference.

"There's no fix for this. It cannot be fixed. It's a design problem," Vipin Kumar said, explaining the software exploits the Windows 7 assumption that the boot process is safe from attack."

===========================================================================================================

Agreed the only thing ‘new’ here is that they seem to have modified their rootkit code to have it not patch any bytes on the hard disk of the victim if they want and they’ve possibly improved their backdoor code a bit . . . from reading the article my guess is that the 3KB vbootkit 2.0 code was mounted as an ISO image using VMWare or VPC’s ability to boot from an ISO file mapped to a DVDROM device after power on . . . so they booted the VM off of the “DVD” (ISO) which contained a malicious MBR which uses the eEye bootroot technique to persist from the time the MBR is read to the transition to protected mode and the kernel loading. There’s nothing new here – this is the same technique Derek Soeder demonstrated at BH 2005 . . .

Bitlocker with Secure Startup definitely mitigates these attacks by design.

Someone get these kids a freaking notebook with a TPM 1.2 chip already. 

F-Secure says stop using Adobe Acrobat Reader

trifecta — Wed, 22 Apr 2009 07:48:17 +0800

http://news.cnet.com/8301-1009_3-10224449-83.html

With all the Internet attacks that exploit Adobe Acrobat Reader people should switch to using an alternative PDF reader, a security expert said at the RSA security conference on Tuesday.
...
Adobe should make security a priority, he said.
Adobe "has a lot to learn from, of all places, Microsoft," which offers regular security patches on a monthly basis as part of Patch Tuesday, Hypponen said.

oouchhh!!!!

[addedon]April 23, 2009, 8:49 am[/addedon]
Some security expert recommend using Foxit.
However, here's Crispin Cowan - once a Linux Security Guru, now with MS.

QUOTE

That depends on your threat model. All other things being equal (i.e. I am not saying anything specifically about Adobe Reader, Foxit, or any other specific product):
• Minority products are more secure against the everyday attacks out there on the Internet, because the attackers don’t bother to attack minority products very much. So if you use a minority product, you will be annoyed less by both attackers, and annoyed less by security updates, because there will be fewer of them.
• Minority products are less secure against determined attackers. If someone is specifically after you (e.g. you are a CFO at a big company and thus a juicy target) and they know you use some minority product, then the attackers can go dig up a private 0day for that product and then spearphish you with it. The private 0day will be easier to come by, because the Minority product has received far less attack attempts by hackers scrutiny from the security community, and thus the 0days are much easier to find being closer to the surface.

Of course, all things are rarely equal. Some products have more security effort than others. Qmail and Postfix have much higher security built in than Sendmail (to use some OSS examples).

Microsoft products have the SDL, and so have a relatively high degree of security built into the product. 0days in Microsoft products are hard to find because we have teams of people and fuzzing machines mining them out of the product. Kind of like trying to pan for gold up by Sutter’s Mill in 1870, because the ‘49ers mined most of the gold out of there 20 years before.

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

I use Foxit, just because its much faster and doesn’t prompt me to install 5 other products. However, I wonder if it’s any more secure.