Aug 30
Security

Interesting report and an increasingly mentioned trend:

The convergence of physical and information security might be likened to the early days of flight. While there have been some ambitious attempts at convergence by daredevil visionaries, as described in the case studies, progress, for the most part, has been slow and difficult. The truth remains that convergence, which is typically based on the vision of specific individuals rather than on a structured, well thought-out, repeatable model guided by a clear vision and road map, is still in its early stages.

For the visionaries of our case studies, there are some easy convergence wins in terms of efficiencies of scale gained by integrating information and physical security monitoring and video surveillance systems on a common organization network. But these advantages cater to technical people and are promoted by the security technology and communications companies of the world. The hard convergence wins, the ones that will provide the largest benefit, require buy-in from senior executives. As it stands today, senior management typically sees security more as a tactical function than a necessary component of business processes or decision making.

When the authors talk about converged security in this publication, particularly as it relates to enterprise risk, they are talking about not only physical and information security, but also the wider areas of protection, including security responsibility found within human resources and crisis management as well as within businesses or operational lines of responsibility.

Posted by Dominic White

Last modified on 2007-09-05 13:05
Aug 30
Security

When you first start pentesting (sorry, auditing ;) ), one of the questions that never seem to be adequately answered for the senior people is "So what?".

Continue reading "Test the right Controls"

Posted by Dominic White

Last modified on 2007-08-30 23:13
Aug 30
Security

After wondering why I have not received any updates from whitedust.net over the last few days, I went to check on the site. Upon arrival, I found this:

14 August 2007 - 23:58 GMT

With the industry and those in it so seemingly hostile to Whitedust, and
pure apathy from anyone who thinks otherwise, why bother. This site is
now closed permanently. Its staff have abandoned the scene and the industry
for real world projects - for good, you won't be seeing us again. You "Won".

Good luck out there. You'll need it.

-The Staff

Continue reading "Bring Back Whitedust.net"

Posted by Dominic White

Aug 27
Security

For a cool R32mil (approx $4.5 million), what a bargain. I give them 6 months before they all start wearing suits and using terms like "governance maturity model" ;)

But seriously, congratulations to the SensePost team. They have done spectacularly well in a short time and with a small team (this works out to over a million or two per employee, I think).

Posted by Dominic White

Last modified on 2007-08-28 09:10
Aug 26
Security

A few weeks ago a post on our internal list pointed me at a tool called Evolution put together by a company named Paterva. I've been playing with it quite a bit, and have even used it to demo some stuff to journalists.

Then today I saw that there will be a 27dinner in Pretoria tomorrow. To my surprise Roelof Temmingh (previously of SensePost) will be speaking, and what's more, he is the founder of Paterva and one of the authors of Evolution!

I have high hopes this may be one of the best 27dinners yet (no offense to the marketing types) and if you will be in the Pta region tomorrow, come check it out.

If you won't be in the Pta region, then go check out Evolution anyway. The second beta of the standalone GUI was released last week and I am about to start playing with it. If it's anything like the last one, the web version is more functional (unless you decompile the Java classes and modify the static search terms, but I would *never* do that), but the GUI gives you a good idea of its functionality. A company and a tool to keep your eye on.

(P.S. Is it just me, or is South Africa rocking the information security party?)

Posted by Dominic White

Aug 24
Geek

For a couple of months, I've had my Mac's weather widget reporting on Cape Town, because for some reason "Johannesburg, South Africa" doesn't work, and "Johannesburg" gives me the weather for some other Johannesburg. After some fiddling with AccuWeather's site, I worked out that if you use the following location string, it will report on Johannesburg, SA:

AFR|ZA|SF004|JOHANNESBURG

Posted by Dominic White

Aug 23
Security

Kris Budnik, my director, and I recently gave a presentation in Durban as part of a breakfast hosted by Tip-offs Anonymous. In the presentation I provided three demonstrations: the first on privacy attacks and concerns with Web 2.0; the second on Web 2.0 attacks, in particular an XSS Proxy demo; the third and last on Bluetooth attacks against mobile phones. It got great press coverage:

Continue reading "Security and the Media"

Posted by Dominic White

Aug 10
Security

All sorts of hype has been made about the big talks at Blackhat, but for those of us that weren't there, check out the side-channel coolness from the SensePost guys (straight out of SA). They have released a tool called Squeeza which provides a nice functional shell-like overlay for your SQL injections. Additionally, they demoed some very cool DXSRT, which takes the JavaScript 'logged on' timing attacks to a new level.

However, what I thought was awesome were the side channel data leaks via DNS. Basically, by getting a machine behind a firewall to do a DNS lookup for <encoded data>.attackersdomain.com, you can leak data out from behind the firewall, because the recursive resolver carries the query name to the attacker's authoritative server for you. Simple and very cool.
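The flip side of that trick is that the leak shows up in resolver logs. As an added example, not code from the post or from SensePost, here is a small detector that flags the pattern described above: long, high-entropy subdomain labels, repeated as many distinct names under one parent domain from one client. The log format, the sample lines and the encoded-looking labels are constructed for the example, and the "last two labels are the registrable domain" split is an assumption a real deployment would replace with the Public Suffix List.

```python
"""Spot DNS side-channel exfiltration candidates in resolver query logs.

Added example; the log format and sample lines are constructed, not real
resolver output, and attackersdomain.com is the placeholder name from the post.
"""
import math
from collections import Counter, defaultdict

# Constructed sample resolver log: "<timestamp> <client> <qname> <qtype>".
# The attackersdomain.com names carry made-up, encoded-looking labels; the
# example.net name is a deliberately long but legitimate-looking hostname.
SAMPLE_LOG = """\
2007-08-10T10:00:01 10.0.0.12 www.example.com A
2007-08-10T10:00:02 10.0.0.12 mail.example.com MX
2007-08-10T10:00:03 10.0.0.12 static-content-delivery.example.net A
2007-08-10T10:00:04 10.0.0.12 q7x2m9pz4kt8vb3nwd6r.attackersdomain.com A
2007-08-10T10:00:05 10.0.0.12 h5jy0caf1ule2gsi3obr.attackersdomain.com A
2007-08-10T10:00:06 10.0.0.12 zk9tw4pq7mx2nv8rb3dg.attackersdomain.com A
2007-08-10T10:00:07 10.0.0.40 www.example.com A
"""


def shannon_entropy(text):
    """Bits per character: 0.0 for a one-symbol string, up to log2(alphabet size)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    return {"ts": ts, "client": client, "qname": qname.lower().rstrip("."), "qtype": qtype}


def split_name(qname):
    """Return (subdomain payload, parent domain).

    Assumption: the registrable domain is the last two labels. Real logs need
    the Public Suffix List so that foo.example.co.uk splits correctly.
    Subdomain labels are joined because exfil can be spread across several.
    """
    labels = qname.split(".")
    return "".join(labels[:-2]), ".".join(labels[-2:])


def is_suspicious(qname, min_len=16, min_entropy=3.0):
    """Per-query heuristic: a long, high-entropy subdomain payload."""
    payload, _ = split_name(qname)
    return len(payload) >= min_len and shannon_entropy(payload) >= min_entropy


def find_exfil_candidates(log_text, min_distinct=3):
    """Group suspicious queries by (client, parent domain); alert when one client
    resolves at least min_distinct different encoded-looking names under a parent.
    Returns {(client, parent): [sorted distinct qnames]} for the alerting groups."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        q = parse_line(line)
        if q is None or not is_suspicious(q["qname"]):
            continue
        _, parent = split_name(q["qname"])
        seen[(q["client"], parent)].add(q["qname"])
    return {key: sorted(names) for key, names in seen.items() if len(names) >= min_distinct}


if __name__ == "__main__":
    for (client, parent), names in find_exfil_candidates(SAMPLE_LOG).items():
        print(f"{client} -> {parent}: {len(names)} distinct encoded-looking names")
        for name in names:
            print("   ", name)
```

Note that the per-query heuristic alone is noisy: the constructed `static-content-delivery.example.net` name is long enough and has enough distinct characters to trip it, and ordinary English hostnames often do. The aggregation step is what makes the signal usable, since an exfiltration channel has to keep generating fresh names under one parent to move data, while a legitimate long hostname is looked up repeatedly under the same name. In practice you would also allow-list parent domains that legitimately look like this (CDNs, anti-spam DNS blocklists, some telemetry services) and tune the thresholds against a week of your own resolver logs.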

While I'm at it, check out their blog, it's shaping up to be a great regular read.

Continue reading "Side Channel Coolness"

Posted by Dominic White