sureITy an Infosec blog

Few links i found worth sharing from the week (Wk.20/2010):

ramkish — Sun, 23 May 2010 15:56:21 +0000

Lot of talk about Metasploit now, after the Metasploit Framework 3.4.0 Release

An exploitable VM for testing Metasploitable

For the Pentester > Quickly gathering logins/emails with theHarvester and Metasploit

BTW this Advanced Penetration Testing (APT) – Pentesting High Security Environments content looks impressive

You can have a Open Secure Wireless

Well @securosis & @ashimmy are calling out to Infosec bloggers

Is Twitter Making Us Dumb? Bloggers, Please Come Back

Calling all security bloggers, come out, come out where ever you are

Advice: If you dont want to share dont post it > Why I'm not leaving Facebook

Yes, SIEM technologies have improved > Implementing SIEM

Off-topic:

Dell views net-books as a complement, and not a replacement, for laptops & they are right >

I found this Credit Card Concierge Experiment quite amusing

Advice to Govt. of India after the decision to develop their own version of OS & Software

ramkish — Fri, 14 May 2010 13:38:05 +0000

Note: This advice is offered free with no obligations

The Indian government has set in motion an ambitious plan to develop its own software & operating systems after the spurt in cyber attacks on Indian establishments. I think this is a bad idea and being an Indian i thought of contributing.

The Problem is not with the OS or software, it is with the way IT is managed.

Indian government should look at addressing the management of IT; developing a OS (or software) is not the solution. I am sure existing players can do a better job because they have matured their processes over time and it is really a mammoth task.

If i were to address this problem, i would start with this to-do list:

Do a risk assessment and then develop a risk management system
Develop an security management system or adopt some existing system like ISMS
Create a security plan & include specific plans for departments/units
Develop security evangelists in government departments
Implement technical systems like standard hardening like US Fed's or have special a government build

Hacking “Time”

ramkish — Thu, 13 May 2010 15:29:20 +0000

Who is not fascinated by traveling over time to future or past? this may be possible.

Reason: Time runs at different rates in different places in universe you just have to travel fast almost 186k miles/sec to endup in future

Good article from Stephen Hawking

Current high focus area for CISOs should be APT

ramkish — Sun, 24 Jan 2010 16:54:58 +0000

These APTs has been getting lot of attention recently and reasons why CISOs should focus on this threat now are:

a) These are essentially a type of targeted attack

b) And if they miss they reload and fire again till they hit the target

c) These are “Advanced” meaning they use publicly available exploits as well as develop custom ones

Draw up action items like; more focus on log analysis and checking out the reason behind the traffic to that xyz country IP(s) where your company has no business, more aggressive SPAM filtering, etc… And it helps to do things like network pruning and review of your IT policies & procedures

Odds of losing confidential personal data is increasing

ramkish — Sun, 20 Dec 2009 16:50:37 +0000

This article Electronic Medical Records: The Good, Bad, And Ugly was a trigger to this post.

If you lose your medical record along with 10 or 1000 others will it make any difference to you? I think it will be more traumatic if you are amongst few as the redress modes will be different.

What about losing credit card details?

Imagine now even malware can have QA and botnet is an industry they even run help desk. Added to this (probably) unethical practices like this and sophisticated attacks like this the chances of losing confidential information is increasing.

What are the odds does an average citizen have against these? Maybe high in places like USA & Europe but in a developing country they are pretty low.