December 2009
1 post
2 tags
Death to SOX IT Sec Compliance?
Very interesting lawsuit developing which challenges the very existence of Sarbanes-Oxley in the US. A summary is available here, courtesy of Secure Channel.
No question the potential outcome here would be a coup de grace for this misplaced and ill-designed security/compliance requirement for scads of US companies. Security vendors will be paying very close attention to this - and I suspect those...
November 2009
6 posts
2 tags
HFAIT - Shodan →
HFAIT?
Click the title link, play around. No longer do you need to spend resources to scan target networks, simply query them through a search engine. Google hacking’s been around for a while, but this is beyond web content.
Want to find vulnerable FTP servers running version xxxx globally? Drop it in, and away you go.
Awesome. It’s one of those lovely double-edged swords. Immensely...
4 tags
HFAIT - NY Yankees Parade Confetti = Your PII!
HFAIT? Well, after cleaning up after the NY Yankees World Series parade - people started finding all sorts of lovely personal information scattered about.
The article is a bit scant on details, but enough that I regret reading this first thing in the morning. No coffee, no breakfast, and now I just feel nauseous.
We see examples of PII and other sensitive information being breached every single...
4 tags
HFAIT - SSL/TLS Protocol Borked
Fun times hitting the news feeds today.
The IETF has apparently been working on a fix to the SSL protocol for the last 2-3 months in secret, due to a privately disclosed vulnerability which can allow SSL sessions to be intercepted and the data within these streams manipulated. I can has your sensitive data now plz?
Since this is a protocol level flaw, it’s going to affect nearly ever...
5 tags
HFAIT - Canadian Bill C-47 →
How Fucked Am I Today - Bill C-47
A useful analysis of each section of the proposed bill, which is designed to allow the RCMP, CSIS and likely lower-level law enforcement agencies to require ISPs and other telecommunication service providers to provide access to data transmissions.
Some of the wonderful highlights include:
If it’s encrypted, you have to provide access to the decryption key
If it...
3 tags
HFAIT - FBI DCSNet →
HFAIT? Ok, well it’s not just today and it’s been around (and will continue to exist) for some time. Anyway, the US FBI’s wiretapping system is effective, comprehensive and can be used without warrants. Trust No One!
2 tags
HFAIT? - Browser Bookmarks →
How Fucked Am I Today - Web browser bookmarks.
Theoretical vulnerability at this point, but so dirt simple and cheap to exploit that I imagine we’ll be seeing some of this in the next few months, bundled in with other malware distributions.
October 2009
6 posts
4 tags
new sections - "security pirate's guide" and "how...
two bits of news for tonight!
FIRST!
alright so instead of posting work that other people are doing and commenting/summarizing and otherwise butchering the quality. i’m actually gonna start to write my own stuff! well, i’ll probably also continue to repost that stuff too.
i’ll be naming the series as follows.
the security pirate’s guide to: live incident response,...
2 tags
CRTC 'rules' on internet neutrality in Canada →
Well, it’s not great, and it’s still vague, but it’s a start. ISPs which employ ‘traffic management’ (see: quotas, caps, shaping and throttling) must now notify clients and use a fair and reasonable process when deploying this technology.
5 tags
Report: Web Application Security Statistics... →
The always insightful WASC security statistics report for all of 2008 has just been released.
The data collected represents the combined results of webapp vulnerability assessments from such market leaders as Whitehat, Cenzic, HP and Veracode. In total, 12,186 individual sites were sampled.
One thing to consider: the results are gathered from organizations who have already purchased services from...
5 tags
Report: Telus/University of Toronto - Canadian IT...
Telus and the University of Toronto have teamed up to deliver their second annual ‘Joint Study on Canadian IT Security Practices’. A few weeks ago, I was invited to the ISACA presentation in Toronto where the authors of this report reviewed the executive summary. I’m still getting through the full report, but so far it’s an incredible wealth of information. I’m really...
1 tag
Obligatory introduction
They always start this way. It’s a rule or something. As some of you may have guessed, this is a blog. Welcome! I’m Erik. I work at a Canadian IT services/hosting company managing everything security. This includes incident response, sales, engineering, compliance, audit, risk management, training and privacy matters. In my spare time I try to change the culture to accept security as...