Admin | InfoSec Perception

In 2008 I wrote a glowing commentary about Charles Stross’s 2007 novel Halting State.

I’ve just finished reading an earlier work by Stross, Glasshouse, originally published in hardback by Ace and also available in paperback, Kindle and audiobook. I think readers with an interest in computing, information assurance, and nanotechnology will find it immense fun.


Recently I got an e-mail message from a naïve young person who was excited about the riches available through part-time work at home posting links to products on the Web. I hope that the approach to spotting fraud will be useful to other potential victims; please feel free to circulate it among your colleagues at work as part of any security-awareness program.

From: –––
Date: Wednesday, May 23, 2012 15:11
To: – a bunch of people who don’t necessarily know each other –

Subject: I am my own boss try it out for yourself

How to Get Rich using your PC


In late May, I received the following e-mail message from someone in Guangdong, China using an English name:

Hi, we are a manufacturer specialized in producing & designing OEM portable speakers for mp3/mp4/notebook/iPod and other mobile devices.

It also has an MP3 player function, but more than that. Play mp3 format music from a TF card or U-disk. Also there’s an FM radio function; you can share the news even on your trip or travel.

I found your company name & email address in an E-market place.

I know you are selling brands in this field, but if you can put our products on your shelves, it will enlarge your products’ range, and it will attract more new clients and give your old clients more services.

With its reasonable price and multi-function features, it will be a very good choice for a gift or accessories for iPod/iPhone; it’s portable, with an external rechargeable battery, so you can take it anywhere, anytime.

And I’m sure that it will be fashion soon in your local market.

Your each enquiry will be appreciated very much and will be taken care of very seriously. We believe the customers are our only lifeblood.

For more details of us, please visit our website. And we are a gold supplier on Alibaba; please check the page.

Looking forward to hearing from you soon.


My wife, Dr Deborah N. Black, MD, is an expert in neural feedback (NF) for improving the attention of patients with attention-deficit / hyperactivity disorder (ADHD). There’s an interesting news story about the technique on National Public Radio (NPR). This approach to retraining disorderly brains monitors electroencephalographic (EEG) data as the subjects learn to focus better by playing video games or controlling the visibility of a favourite movie being played on a special DVD player or computer. There are many sites in the United Kingdom which advertise NF treatments; try search string “neural feedback adhd uk” in a search engine. For example, “Learning with neural feedback” has useful information about the technique.


Today I increased my virtue coefficient by getting to the swimming pool up the road from where I live (well, 7 km from where I live in farming country) early in the morning. On my way out after a vigorous set of laps (I normally swim a “mile,” which is an ancient measure of distance still used in backwaters such as the USA), I stopped at the desk to tell the attendant that I would like to switch my automatic payments from my credit card to a direct withdrawal from my bank account (VISA charges are rough on the profits of this small business in the wilds of Vermont and I’d like to do my part to help these folks out).


Francis Cianfrocca, a leading expert on Advanced Persistent Threats, continues his overview of the issues following his first article on the topic in the InfoSec Perception blog. What follows is Mr Cianfrocca’s work with minor edits from M. E. Kabay.

Advanced persistent threats (APTs) attack with privilege escalation and operate through application accesses that, to network monitors, appear to be fully normal in terms of network source addresses, protocol syntax-correctness, and user authentication / authorization levels. Both detection and remediation of these attacks are critical business objectives; whether driven by regulatory or operational sensitivities, data privacy and application security must be maintained and the flow of data must continue without interruption.


Former student, good friend and brilliant colleague Jan Buitron, MSIA, CISSP, MCSE tells us a whimsical tale with lessons for us in the security field. Everything that follows is Jan’s work with minor edits by Mich.

It was a big project for a homeowner. My friend set out to design, dig and decorate a fish pond out in her back yard. She dug the pond by hand, with her mother directing her in how to construct up from the bottom depth and sculpt the sides of the pond. She went to local rock and building supply stores to find just the right rocks to decorate the pond’s margins. Careful planning went into designing the plant-scaping of the pond. Shorter plants were set around the pond’s edges and, since they wanted the pond to attract birds, they made especially sure that there was at least one shallow area where the local birds could bathe easily.


In business continuity planning (BCP) and disaster recovery planning (DRP), it’s commonplace to urge planners to create initial plans and then test them for ways to improve. This approach parallels the current standards of software development and risk management. In the 1960s and 1970s, the standard software development methodology was the system development life cycle (SDLC), in which analysis, design, and approvals of the complete design were so onerous that delivery of finished software could be delayed by years. Since the 1980s, a much more common methodology has been spiral development, which was originally called rapid application development (RAD), joint application development (JAD), or iterative, agile and incremental development.


A local reporter spent eight hours interviewing students and faculty in the computer science and information assurance (IA) programs at Norwich University a couple of days before I began writing this article. At one point, he asked half a dozen of our students what they felt was special about their education in the School of Business and Management. One young man responded immediately that the focus in our programs is service to organizations in furtherance of their mission-critical objectives; in contrast, he said, he had the impression that some of the students he had met from well-established programs at other institutions participating in various computing and security competitions were focused primarily on details of technology. “People use technology to achieve business goals,” he said, “not just because technology is interesting and fun.” Another student laughed and pointed at me: “Prof Kabay has drilled us in every course with his motto, ‘Reality trumps theory.’” Students nodded and explained that they had learned never to solve problems by applying rote learning as if recipes and checklists could be applied without careful consideration of the specific requirements of any situation.


Vulnerability management is the embodiment of continuous process improvement in system security.

In a recent discussion in the Norwich University IS342 (Management of Information Assurance) course in the Bachelor of Science in Computer Security and Information Assurance, the class reviewed Rebecca Gurley Bace’s chapter 46, “Vulnerability Assessment” from the Computer Security Handbook, 5th Edition.

Bace explains that vulnerability management includes several phases:

  • Assessing deployed information systems to determine their security status;
  • Determining corrective measures;
  • Managing the appropriate application of the corrections.
