Someone on LinkedIn asked: Is Information Security driven by compliance? To which I say yes, and this is a problem!
My long answer goes like this:
This is certainly not the best answer. Follow the discussion over here. You are not going to learn anything technical but at least you will get a good idea how the majority of security professionals on LinkedIn think.
I asked on LinkedIn what security professionals think about Cloud Security. The answer was as expected. Nobody really knew what I was talking about. How is cloud security any different from web security?
Cloud security is different because the rules of the game are totally different. The resources involved are totally different. Money is not an issue. I believe that anyone can afford $0.15 per month for 1TB of storage. Networking capabilities are not an issue. [...]
This will be a quick post just to share some POCs and more information regarding the recent Clickjacking technique, i.e. UI Redress Attack, a name suggested by Michael Zalewski.
Clickjacking is an oldie but a goodie. You can track the origin of the attack back to the beginning of this decade. Clickjacking is essentially the anti-CSRF killer. It is also the killer of Flash, AJAX (because AJAX apps are sometimes easier to clickjack, look at Google) and some other technologies. [...]
Here is a common problem. You have to write a web-based email, IM, SSH, XMPP, SMB, etc. client which must connect to a server other than the originating one. What do you do then? Hint: You cannot use Java!
Well, due to the fact that the browser has no idea how to spawn a TCP socket, you are stuck in proxy-land. Typically you will write an application that will do a lot of transcoding and state management. [...]
Security Certifications - should you get some? Well, this is what I think.
IMHO if you go for a certificate then you pretty much put a box around yourself and your abilities. I am sorry, this is my personal opinion. People will perceive you as such and such because of your certifications. While having a cert might be a good idea for your career and in particular your CV, showing off with it could be a bit harmful. I am not saying that you shouldn’t get certified. [...]
I heard of clickjacking a couple of weeks back when the media blast started. At that time I had a very vague idea what it was, and just recently I saw some POCs coming out to show how it works in practice.
Clickjacking, if I may categorize it, falls into the category of GUI attacks. I associate the clickjacking attack with the focus stealing attack which allows attackers to steal any file from the disk as long as they trick the victim to type enough characters. [...]
Why are we so obsessed with the newest exploit and attack developments while forgetting that the world hasn’t changed much since the last time we looked at it and laughed?
I think it is because very few of us, if anyone, are capable of looking at the entire security landscape with open eyes and a clear mind. [...]
A couple of months ago we started sorting through all our work. In the process we realized that we have to find a new home for several of our projects. It was a tough decision because we had a lot of projects on our hands and there were even more pending to be completed in some fashion. Nevertheless, we decided to go with the plan. So, the idea of Secapps was born.
So what is Secapps? Secapps is the new home of our GHDB tool. [...]
A couple of months back GNUCITIZEN started House of Hackers, a social network for hackers and other like-minded people. Keep in mind that we use the word hacker in a much broader context, i.e. someone who is intellectually challenged by the limitations of a system. Certainly, we do not promote criminal activities.
Today the network has expanded to 5500 members. I believe that it will reach 6000 members by the end of the year. It has been a huge success so far. [...]
This idea is perhaps stupid. Nevertheless, I would rather document it here for good than not document it at all.
Here is the story. I had to reset the credentials of an online account I have. As usual, I went to the vendor’s site, clicked the forgotten-password feature, typed my email address and clicked submit. A moment later an email arrived in my inbox with instructions on how to reset the password. [...]