Intrusion Prevention Summit (Online)

A free online summit on intrusion prevention takes place on July 8, 2010. Leading experts will look at the emerging threat landscape and offer tips on how a security management program can best meet the new challenges in intrusion prevention. The summit will also cover key aspects of detecting, patching and immunizing your network so that repeated attacks do not occur. Industry experts from TechTarget, Vodafone, SecureWorks, ISACA, Fortinet and others will discuss the latest innovations, best practices, barriers to implementation and measurable benefits of intrusion prevention.

Register here: http://www.brighttalk.com/r/svf.

Intrusion Prevention Summit presentations include:


Threatsaurus from Sophos

This is not brand new, but it is very useful information. Sophos, one of the world leaders in IT security and data protection, has published "Threatsaurus, the A-Z of computer and data security threats". The PDF is available free of charge.

Whether you're an IT professional, use a computer at work, or just browse the Internet, this book is for you. It tells you the facts about the threats to your computers and to your data in simple, easy-to-understand language. I recently got a free paper copy at the Infosecurity event in London.


What’s Wrong With Secure Software Development?

The short answer is: “Resources”. Marisa Fagan, an analyst at Errata Security, notes that formal secure software development programs are often too much for development teams to handle. “These programs have the [not entirely unwarranted] reputation of consuming large amounts of time, people, and money. We need programs that cut out all the fat. The secure coding program needs to fit the size and capabilities of the organization. If we ask too much from the average developer, we’re going to get nothing at all.”

Despite a wealth of security knowledge and developers' access to advanced tools, many software security risks remain. Analysts say that vulnerabilities arise because many software developers do not understand how to build security into their code. "There's a lot more acceptance of security as part of the process now, but historically developers have never been responsible for security," says Fortify chief scientist Brian Chess. Although there have been several initiatives aimed at educating developers about secure software development practices, "the talent coming out of schools right now doesn't have the security knowledge it needs," says SAFECode executive director Paul Kurtz. Some organizations are adopting secure development frameworks, such as the Building Security In Maturity Model (BSIMM), which apply secure-development best practices across the entire development team. "BSIMM is a good strategy if you have a formalized software development process," Chess says. The goal of such frameworks is to help developers identify and remediate the most common coding errors during development, rather than after the code is complete.

Read more in the article "Why Can't Johnny Develop Secure Software?" at Dark Reading.


Security Impact of Cloud Computing

An interesting paper titled "Understanding Cloud-Computing Vulnerabilities" appears in IEEE Security & Privacy magazine (June 2010 issue). Its authors are Bernd Grobauer, Tobias Walloschek and Elmar Stöcker of Siemens (Munich, Germany).

The abstract of the article reads:

The current discourse about cloud computing security issues makes a well-founded assessment of the security impact of cloud computing difficult. Firstly, as seems to be the case for many discussions about risk, basic vocabulary such as "risk", "threat", and "vulnerability" is often used as if the terms were interchangeable, without regard to their respective definitions. Secondly, not every issue that is raised is really specific to cloud computing. A well-founded understanding of the "delta" that cloud computing really adds with respect to security issues can be achieved by carrying out an analysis of how each factor that contributes to risk is influenced by cloud computing. We argue that the most significant impact concerns "vulnerabilities": cloud computing makes certain well-understood vulnerabilities more significant and adds new vulnerabilities. The article provides a precise definition of what makes a vulnerability cloud-specific and provides many examples of such vulnerabilities.

You'll need a subscription to read the full article at the IEEE Computer Society Web site. The DOI bookmark is http://doi.ieeecomputersociety.org/10.1109/MSP.2010.115.

The citation information is:

  • Bernd Grobauer, Tobias Walloschek, Elmar Stöcker, "Understanding Cloud-Computing Vulnerabilities," IEEE Security & Privacy, 10 Jun. 2010. IEEE Computer Society Digital Library. IEEE Computer Society, <http://doi.ieeecomputersociety.org/10.1109/MSP.2010.115>.

The paper addresses a topic that is very much in focus now, because of the growing importance of cloud computing and the many differing views on its security advantages and drawbacks. Its main contribution is the distinction it draws between vulnerabilities that are genuinely cloud-specific and issues that merely get restated in cloud terms.


New WordPress Version and Theme

This blog has a new look now. With the change to the newest version of WordPress, 3.0, I decided to change the theme as well. The old Simple Blue theme served well for many years (I don't have the exact date when I installed it). The new theme is quite new for WordPress as well: it is the Twenty Ten 1.0 theme by the WordPress team, with some of my customizations and adaptations. It should be a better fit with the new version of the blogging platform. As with every new thing, it will need some time to fine-tune all the small bits, plug-ins and other details.

I hope you'll like this theme even more than the previous one and continue to read my blog as before.


Citation at Fourth Balkan Conference in Informatics

Our earlier book, published in 2007, was cited in IEEE conference proceedings. The cited passage is interesting and still relevant for many organizations at the moment:

"Security is a process of keeping the necessary level of risk within acceptable boundaries. That means security is a continual process and not a final state. An organization or institution can't consider itself "secured" after the last security check. The process needs to be continual."
(Book in Serbian: "Sigurnost računarskih sistema i mreža", Dragan Pleskonjić, Nemanja Maček, Borislav Đorđević, Marko Carić, Mikro knjiga, 2007, ISBN 978-86-7555-305-2)

The citation appeared in the proceedings of the IEEE conference "2009 Fourth Balkan Conference in Informatics". Link: http://www.computer.org/portal/web/csdl/doi?doc=doi%2F10.1109%2FBCI.2009.20. It is reference [3]; DOI link: http://doi.ieeecomputersociety.org/10.1109/BCI.2009.20.


Citation and Quotes

I was cited and quoted a couple of times in the IEEE Computer magazine (vol. 43, no. 5, May 2010) article "Fighting Intrusions into Wireless Networks". You will need an IEEE Digital Library subscription to access the article, or you can buy the PDF there. The author of the article is George Lawton. It is on pages 12-15.

Also, I got information that my earlier scientific paper titled "Wireless Intrusion Detection Systems (WIDS)", presented at the 19th Annual Computer Security Applications Conference, December 8-12, 2003, Las Vegas, Nevada, USA, was cited in the Springer Link book "Novel Algorithms and Techniques in Telecommunications and Networking", in the chapter "An Architecture for Wireless Intrusion Detection Systems Using Artificial Neural Networks". If you don't have a Springer Link subscription, you can see a preview on Google Books. It is reference [19] on pages 356 and 360.

The same paper was cited in the Telektronikk journal 1.2005, Information Society and Security, in the paper "Vulnerabilities in wireless networks and intrusion detection", reference [14].

In the scientific world, citations are very important and respected.


Poll: Do You Store Your Credit Card PIN Into Mobile Phone?

I invite you to answer the poll question "Do you store your credit card PIN in your mobile phone?" (in the column on the right of this blog). The possible answers are:

  • Yes, in plain text
  • Yes, but secured/encrypted
  • No
  • I don’t have a credit card

Thank you for voting.


Interception of GSM Calls

There is a serious vulnerability in the A5/1 encryption scheme used in GSM networks, and it can lead to the interception of GSM calls. The vulnerability was presented by Karsten Nohl and Chris Paget at the 26th Chaos Communication Congress (26C3), the annual four-day conference organized by the Chaos Computer Club (CCC). It took place from December 27th to December 30th, 2009 at the bcc Berliner Congress Center in Berlin, Germany.

Quoting from the CCC Web site:

The world’s most popular radio system has over 3 billion handsets in 212 countries and not even strong encryption. Perhaps due to cold-war era laws, GSM’s security hasn’t received the scrutiny it deserves given its popularity. This bothered us enough to take a look; the results were surprising.

From the total lack of network to handset authentication, to the “Of course I’ll give you my IMSI” message, to the iPhone that really wanted to talk to us. It all came as a surprise – stunning to see what $1500 of USRP can do. Add a weak cipher trivially breakable after a few months of distributed table generation and you get the most widely deployed privacy threat on the planet.

Cloning, spoofing, man-in-the-middle, decrypting, sniffing, crashing, DoS’ing, or just plain having fun. If you can work a BitTorrent client and a standard GNU build process then you can do it all, too. Prepare to change the way you look at your cell phone, forever.

Slides from the talk are available online.

The attack code repository is public as well; it implements the attack on the A5/1 cipher.

Torrents are also available.

Note 1: This is not advocating exploiting weaknesses; the intent is to inform about the fact that GSM calls are already being intercepted and decrypted using commercial tools.

Note 2: The links above were active at the moment of writing this blog post. It is possible that some of them will be withdrawn or become inactive for various reasons.
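To make concrete how small the cipher behind the talk is, here is an added example (not code from the original post or from the 26C3 talk materials): a plain implementation of the GSM A5/1 keystream generator. Register sizes, feedback taps, clocking-control bits, output bits and the key/frame loading order follow the public description of A5/1 as found in the Briceno/Goldberg/Wagner pedagogical implementation; the session key, frame number and known-plaintext burst used in `demo()` are constructed for illustration only. The last function shows the stream-cipher property that the precomputed-table attack quoted above relies on: ciphertext XOR known plaintext gives keystream, and that keystream depends on nothing but the 64-bit Kc and the 22-bit frame number.

```python
# Added example: A5/1 keystream generator (constants per the public A5/1 description).
# (mask, feedback taps, clocking-control bit, output bit) for the three LFSRs
R1 = (0x07FFFF, 0x072000, 0x000100, 0x040000)  # 19 bits, taps 13,16,17,18, clock bit 8
R2 = (0x3FFFFF, 0x300000, 0x000400, 0x200000)  # 22 bits, taps 20,21,       clock bit 10
R3 = (0x7FFFFF, 0x700080, 0x000400, 0x400000)  # 23 bits, taps 7,20,21,22,  clock bit 10
REGS = (R1, R2, R3)


def parity(x):
    """XOR of all bits of x."""
    return bin(x).count("1") & 1


def step(reg, spec):
    """Shift one LFSR left by a bit, feeding back the XOR of its tap bits."""
    mask, taps, _, _ = spec
    return ((reg << 1) & mask) | parity(reg & taps)


class A51:
    """A5/1 keystream for one GSM frame, keyed by an 8-byte Kc and a 22-bit frame number."""

    def __init__(self, key, frame):
        if len(key) != 8 or not 0 <= frame < (1 << 22):
            raise ValueError("A5/1 takes an 8-byte key and a 22-bit frame number")
        self.r = [0, 0, 0]
        # Key setup: regular clocking, key bits then frame bits XORed into bit 0 of
        # every register. Bits are taken LSB-first from each key byte, bytes in order.
        for i in range(64):
            self._clock_all((key[i >> 3] >> (i & 7)) & 1)
        for i in range(22):
            self._clock_all((frame >> i) & 1)
        # 100 majority-clocked warm-up steps whose output is discarded
        for _ in range(100):
            self._clock_majority()

    def _clock_all(self, feed):
        self.r = [step(reg, spec) ^ feed for reg, spec in zip(self.r, REGS)]

    def _clock_majority(self):
        """Irregular clocking: a register steps only if its control bit matches the majority."""
        ctrl = [(reg & spec[2]) != 0 for reg, spec in zip(self.r, REGS)]
        maj = sum(ctrl) >= 2
        self.r = [step(reg, spec) if c == maj else reg
                  for reg, spec, c in zip(self.r, REGS, ctrl)]

    def _output_bit(self):
        return (parity(self.r[0] & R1[3]) ^ parity(self.r[1] & R2[3])
                ^ parity(self.r[2] & R3[3]))

    def keystream(self):
        """Return (downlink, uplink): two 114-bit blocks, each packed MSB-first into 15 bytes."""
        bits = []
        for _ in range(228):
            self._clock_majority()
            bits.append(self._output_bit())
        return pack_bits(bits[:114]), pack_bits(bits[114:])


def pack_bits(bits):
    out = bytearray((len(bits) + 7) // 8)
    for i, b in enumerate(bits):
        out[i >> 3] |= b << (7 - (i & 7))
    return bytes(out)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def recover_keystream(ciphertext, known_plaintext):
    """With a burst whose plaintext is predictable (much GSM signalling is), ciphertext XOR
    plaintext yields the keystream; a precomputed table maps keystream back to Kc."""
    return xor_bytes(ciphertext, known_plaintext)


def demo():
    kc = bytes.fromhex("0123456789abcdef")  # constructed sample session key (assumption)
    frame = 0x134                           # constructed sample frame number (assumption)
    downlink, _uplink = A51(kc, frame).keystream()
    plaintext = bytes(15)                   # constructed all-zero burst as known plaintext
    ciphertext = xor_bytes(plaintext, downlink)
    return recover_keystream(ciphertext, plaintext) == downlink


if __name__ == "__main__":
    print("keystream recovered from known plaintext:", demo())
```

Before relying on an implementation like this, validate it against the test vector shipped with the reference implementation; the point here is that the whole secret state is 64 bits spread over three registers clocked by a majority rule, which is what makes tables built "after a few months of distributed table generation" practical.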


Poll: Have You Used Penetration Testing Services?

I invite you to answer the poll question "Have you used penetration testing services?" (in the column on the right of this blog). The possible answers are:

  1. Yes
  2. No
  3. Have I used… what?
  4. I provide those services

Thank you for voting.

The Wikipedia article defines a penetration test this way:

A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source, known as a Black Hat Hacker, or Cracker. The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known and/or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker, and can involve active exploitation of security vulnerabilities. Any security issues that are found will be presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution. The intent of a penetration test is to determine feasibility of an attack and the amount of business impact of a successful exploit, if discovered. It is a component of a full security audit.

See the full Wikipedia article on penetration testing for more.
