Hacktivists and Havij | Dark Reading
By Daniel Miessler on March 31st, 2012: Tagged as Information Security
Nmap 5.61TEST5 : Major Update
By Daniel Miessler on March 22nd, 2012: Tagged as Information Security
DARPA seeks to free the world from passwords | ExtremeTech
By Daniel Miessler on March 19th, 2012: Tagged as Information Security
Android.Bmaster Exploits root access to connect to Botnet | The Hacker News (THN)
By Daniel Miessler on February 15th, 2012: Tagged as Information Security | Mobile Security
Applying Fundamentals to Health and Information Security
By Daniel Miessler on February 13th, 2012: Tagged as Health | Information Security
Image by pshan427
In both health and information security it’s easy to become conceptually constrained by external advice, recommendations, and standards. The numbers of entities available to tell you what you should–or must-do is legion, and such wisdom is often coupled with dire warnings if you don’t listen.
In infosec we’re told by credit card companies that we must use x, y, and z types of controls to protect a, b, and c types of data. The government tells us we must do a whole set of things to protect health information, and that you must ensure nobody in your company is committing fraud. Examples of repercussions include anything from fines to criminal prosecution.
With health advice it’s much the same. We’re consistently hosed down with what to avoid and what to embrace. So and so leads to diabetes, which leads to heart disease, which leads to death, etc. Overeating leads to x, which leads to y, which is associated with z. Watch the carbs. Don’t eat too much fat. Control your portions. Get your vegetables, but don’t skimp on the protein. And whatever your path, don’t forget to get enough vitamin E, and fish oil, and garlic, and vitamin D, ad infinitum.
While health and information security are obviously different worlds, they’re similar in one key way:
If you adhere to solid fundamentals you don’t have to worry much about checklists for “healthy” or “secure” behavior. Fundamentals largely remove the need to obsess about external validation.
If you’re worried about heart disease and diabetes and vitamin deficiency and high blood pressure and…(you get the idea), try eating small amounts of healthy food–mostly raw vegetables with some fish and other meats thrown in sometimes. Take a simple, high-quality multivitamin. Get 30 minutes of exercise every day.
If you do those things you soon won’t have to worry much about your next physical.
And it’s the same for information security. Open a book on security fundamentals and you’ll find the analogs to living a health lifestyle. Unique identification., proper authentication, authorization, and accounting. Conduct security monitoring. Ask yourself if you’re secure, and keep asking yourself.
Do these basics and notice that all of your PCI, SOX, HIPPA, and other requirements simply become non-issues. It’s not that they go away per say, it’s just that by behaving properly in the first place you will have satisfied them automatically.
Mastering fundamentals the effortless method for achieving high standards. Focus on excelling at the basics and leave the need for checklists and endless advice for those who refuse to do so.
::
Building the Ideal 100-word Password List
By Daniel Miessler on February 12th, 2012: Tagged as Information Security
There’s some phenomenal password research here from clarkson.edu that talks about common passwords found during Internet attacks.
I’ve taken those entries and put them into a single list here on Github, and I will soon be adding the abridged rockyou list (once I get their permission). Thanks to @jhaddix for pointing me toward that list.
The idea is to maintain a tight, ever-evolving password list that I can use for busting accounts, and people can fork as desired. So as new research comes out on more up-to-date passwords, I’ll update the list.
Let me know if you’re interested in participating.
::