I’m happy to announce that my latest article, “Why Johnny Can’t Write Secure Code” has been published in the September/October issue of InfoSec Professional Magazine, a publication of (ISC)2, the International Information System Security Certification Consortium.

Intended primarily for InfoSec professionals with limited exposure to application development, the article explains modern Scrum/XP development practices and offers advice on how to work with teams that use them. You can get a copy of the article (and previous ones I’ve written) from the Resources page on my website.



Larger enterprises usually have several environments. There is obviously production, and usually a testing/QA environment. Many also have a staging or stress-testing environment, a close facsimile of production used to characterize the performance of the solution being built or maintained.

A common problem is test data. As a matter of good hygiene, environments other than production should run on synthetic or scrubbed data, and there are often strong regulatory or contractual reasons to insist on it: HIPAA and its Protected Health Information (PHI), the Payment Card Industry Data Security Standard (PCI DSS) and cardholder data, and Personally Identifiable Information (PII) generally.

Opposing this desire for scrubbed, faked or otherwise testing-only data is the fact that the best data to test with is production data, because of its volume and diversity. How then do you reconcile the desire for consistent, production-volume data in lower environments with the need to keep sensitive values away from people who have no business seeing them? Enter Format Preserving Encryption, or FPE: encryption whose ciphertext has the same shape as the plaintext (a 16-digit card number encrypts to another 16-digit number), so it drops into existing schemas, validation rules and test cases unchanged.
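To make the idea concrete, here is an added example (not from the original post and not a vetted FPE library) of a small Feistel-style FPE over decimal strings, in the spirit of NIST FF1 but with a simpler HMAC-SHA256 round function. It shows the two properties that matter for lower environments: a 16-digit PAN encrypts to a 16-digit PAN (with the BIN and last four left visible, as tokenization schemes commonly do), and the holder of the key can reverse it. The key, the PAN and the tweak scheme are constructed for illustration; a real deployment would use a reviewed FF1/FF3-1 implementation and keys from an HSM or KMS.

```python
import hashlib
import hmac

# Constructed demo key for illustration only. Production keys come from an
# HSM or key-management service and are never hard-coded.
DEMO_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
)
ROUNDS = 10  # FF1 also uses 10 rounds, but the round function below is NOT FF1's

_DIGITS = set("0123456789")


def _check(digits: str, rounds: int) -> None:
    if len(digits) < 2 or any(c not in _DIGITS for c in digits):
        raise ValueError("input must be an ASCII decimal string of at least two digits")
    if rounds % 2:
        raise ValueError("rounds must be even so the halves line up on decrypt")


def _round_function(key: bytes, tweak: bytes, round_no: int, half: str, modulus: int) -> int:
    """Keyed PRF for one Feistel round: HMAC-SHA256 over tweak, round index and
    the other half's digit string, reduced modulo 10**m so it stays 'in format'."""
    msg = tweak + bytes([round_no]) + half.encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % modulus


def fpe_encrypt(key: bytes, tweak: bytes, digits: str, rounds: int = ROUNDS) -> str:
    """Encrypt a decimal string to another decimal string of the same length."""
    _check(digits, rounds)
    n = len(digits)
    u, v = n // 2, n - n // 2          # left half may be one digit shorter
    a, b = digits[:u], digits[u:]
    for i in range(rounds):
        m = u if i % 2 == 0 else v      # length of the half being rewritten this round
        y = _round_function(key, tweak, i, b, 10 ** m)
        c = (int(a) + y) % 10 ** m      # modular addition keeps the result m digits long
        a, b = b, str(c).zfill(m)
    return a + b


def fpe_decrypt(key: bytes, tweak: bytes, digits: str, rounds: int = ROUNDS) -> str:
    """Inverse of fpe_encrypt: run the rounds backwards with modular subtraction."""
    _check(digits, rounds)
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in reversed(range(rounds)):
        m = u if i % 2 == 0 else v
        y = _round_function(key, tweak, i, a, 10 ** m)
        c = (int(b) - y) % 10 ** m
        a, b = str(c).zfill(m), a
    return a + b


def tokenize_pan(key: bytes, pan: str) -> str:
    """Keep the BIN (first 6) and last 4 in the clear and FPE-encrypt the middle.
    The visible digits are used as the tweak, binding the ciphertext to them."""
    _check(pan, ROUNDS)
    if len(pan) < 12:
        raise ValueError("PAN must have at least 12 digits to leave a 2-digit middle")
    head, middle, tail = pan[:6], pan[6:-4], pan[-4:]
    return head + fpe_encrypt(key, (head + tail).encode("ascii"), middle) + tail


def detokenize_pan(key: bytes, token: str) -> str:
    """Reverse tokenize_pan; only the key holder (not the test environment) can do this."""
    _check(token, ROUNDS)
    head, middle, tail = token[:6], token[6:-4], token[-4:]
    return head + fpe_decrypt(key, (head + tail).encode("ascii"), middle) + tail


if __name__ == "__main__":
    pan = "4111111111111111"          # constructed test PAN, not a real card
    token = tokenize_pan(DEMO_KEY, pan)
    print(pan, "->", token, "->", detokenize_pan(DEMO_KEY, token))
```

Two practical notes. First, format preservation is not checksum preservation: the tokenized PAN above will generally fail a Luhn check, which is usually what you want in a test environment (it cannot be mistaken for a live card), but it means any test that validates Luhn needs the fixture adjusted. Second, because FPE is deterministic for a given key and tweak, the same production value always maps to the same token, which is exactly what keeps joins and referential integrity intact across masked tables.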



BBC News is reporting on researchers’ announcement of a very sophisticated piece of malware, dubbed Project Sauron. Of particular note are how long the malware remained undetected (five years) and its sophistication: it can jump the so-called “air gap” to computers not connected to the internet. Highly sensitive systems are typically air-gapped to prevent or complicate attack and data exfiltration, and Project Sauron is an interesting example of the lengths to which a sophisticated (and likely state-sponsored) attacker will go to reach the systems they want to compromise.

[via BBC News]



I haven’t blogged on security topics in a while, and this one ran across my news feed. Researchers investigating a Distributed Denial of Service (DDoS) attack on a website have uncovered a botnet of some 25,000 CCTV cameras running BusyBox.

While we usually think of botnets as made up of full-blown computers, the increasing use of devices such as cell phones, and now cameras, highlights the growing need for security engineering as we roll towards a more comprehensive Internet of Things, lest it become an Internet of Bots.



I recently decided to take a secure Java coding course from SANS, partly because it’s good to brush up on the latest attacks, countermeasures and practices, but, to be honest, mostly to log some CPEs for my CISSP certification. The course is part of the SANS Application Security (AppSec) curriculum. Here’s an overview of the course, and my review of its content.

The course is four days long and is taught in three different ways: live, via vLive (virtual classroom), and On Demand. I chose the On Demand option, which included the course books, a VMware image with Linux and the lab software pre-loaded, and time-limited (90-day) access to the SANS training portal, where I could view pre-recorded sessions and take the quizzes. I ended up taking the course over the span of about five weeks, as other commitments interrupted my progress.



It’s been a while since I’ve blogged on a security topic, but this one caught my eye today: researchers in Germany have revealed an intriguing new ATM exploit. In the past I’ve written about skimmers, devices installed on ATMs to steal card data from ATM cards. Now thieves are targeting the ATMs directly, instead of users’ accounts.

…hackers have to physically cut holes into ATMs, then plug in USB drives that install code onto the cash dispenser.

Once the exploit has been installed, the attacker types in a 12-digit access code, selects the denominations to dispense, and voila! Payday! There’s even a control built in to keep the person at the machine from cutting the rest of the gang out:

…the criminal at the cash point had to call another gang member for a numerical code to input before they could grab the bank notes.

Obviously, this sort of exploit would have to be targeted specifically at a particular ATM maker, maybe at a given software release, and perhaps even at a particular bank, if the bank was to customize the ATM code at all.

Still, somehow I feel safer that it’s not my bank account that’s being attacked, it’s the ATM itself. At least I don’t have to explain why my card and code were used, when in fact they were stolen.

[ BBC via Gizmodo ]



Here’s a new method of command and control for malware:

Researchers from Trend Micro have spotted a piece of malicious software for Android that receives instructions from an encrypted blog

In the past, botnets have received their instructions primarily from IRC. This is an intriguing development!

[via ComputerWorld]



I was on a web site today, it doesn’t really matter which one, and was forced to create a profile for the (mis)use of the site’s owner. I found their password standards to be, well, “stringent” would be a good word, especially considering the information (my profile) that I was securing. Their standards for passwords were, and I quote:



Wow, months go by without my saying anything about computer security, and then there are two posts in a row. Technology Review reports today that engineers at Intel have come up with a way to put a true random number generator on the processor die. This has implications for the many cryptographic techniques that rely on unpredictable random numbers to function.

Finding randomness in computers is surprisingly difficult, and over the years people have tried everything from dedicated random number generator hardware, to a webcam with the lens cap left on, to lava lamps of all things as a source of randomness. In the past, the National Security Agency reportedly went so far as to use white noise from space, captured with radio telescopes, to generate its random numbers.

An on-die generator of this sort strengthens systems such as RSA key generation and HTTPS/SSL session setup by supplying true rather than pseudo-randomness: a key or nonce is only as unpredictable as the entropy that went into it. A separate caveat is quantum computing (not to be confused with quantum cryptography): a large enough quantum computer running Shor’s algorithm could factor RSA moduli in polynomial time, which would break RSA and the other public-key schemes underneath these protocols, however good the random numbers were.
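The point that the algorithm is only as strong as its entropy source is easy to show in code. The following is an added example, not something from the original post or from Intel: it builds a “session token” two ways, once from a Mersenne Twister seeded with a clock value (a tiny seed space) and once from the operating system’s CSPRNG, and then plays attacker by brute-forcing the clock seed within a two-hour window. The token format, the issue time and the window size are assumptions chosen for the demonstration.

```python
import random
import secrets

ALPHABET = "0123456789abcdef"
TOKEN_LEN = 32


def weak_token(seed: int) -> str:
    """Token from a PRNG seeded with a low-entropy value such as a Unix timestamp.
    The generator itself is fine as a PRNG; the problem is that the whole
    32-character output is determined by one guessable integer."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(TOKEN_LEN))


def strong_token() -> str:
    """Token from the OS CSPRNG (which on modern hardware is fed by sources such
    as an on-die RNG); there is no seed for an attacker to guess."""
    return secrets.token_hex(TOKEN_LEN // 2)


def recover_seed(token: str, window_start: int, window_end: int):
    """Attacker's view: if the seed was a timestamp near the time the token was
    issued, re-run the generator for every candidate second and compare.
    Returns the seed on success, None if nothing in the window matches."""
    for candidate in range(window_start, window_end):
        if weak_token(candidate) == token:
            return candidate
    return None


if __name__ == "__main__":
    ISSUE_TIME = 1_600_000_000            # constructed issue timestamp for the demo
    victim = weak_token(ISSUE_TIME)
    found = recover_seed(victim, ISSUE_TIME - 3600, ISSUE_TIME + 3600)
    print("weak token recovered from seed:", found == ISSUE_TIME)
    print("strong token matched any seed:",
          recover_seed(strong_token(), ISSUE_TIME - 3600, ISSUE_TIME + 3600) is not None)
```

The brute force over 7,200 candidate seconds finishes in well under a second on a laptop; widening the window to a whole year only makes it a few minutes. No amount of hex digits in the output helps, because the effective entropy is the size of the seed space, which is the same lesson behind putting a hardware entropy source on the die.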



This is cool, in a “people spying on my country” kind of way: Gizmodo reports that the recent break-up of a supposed Russian deep cover spy ring included the FBI discovering their use of Steganography.  As a security and crypto guy, this is very interesting.

Steganography is the hiding of information in plain sight, much like the lemon juice you used to write secret messages with as a kid. Digital steganography alters computer files, usually pictures or audio files, to hide information within them. This is the first case I’m aware of that uses real stego as part of real espionage. Assuming it’s really espionage, that is.

For the technically minded, one way digital steganography works is by altering the low-order bits of image pixels or audio samples. If we change the least significant bit of a pixel in a digital photo, the difference between its original value and the new value that encodes information is unnoticeable to the human eye. The same can be said of the least significant bit of an audio sample and the human ear.

Detecting steganography is difficult: you need to know the program used, or you need to perform statistical analysis of the carrier (an embedded payload disturbs the distribution of low-order bits in ways a natural image does not) to stand a chance of detecting it. It’s remarkable to me that we’ve at last seen this technology in the wild.
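To show the least-significant-bit technique from the paragraph above end to end, here is an added example written for this page; it is not the tool from the FBI case or any real stego program. It embeds a message with a 4-byte length header into the LSBs of a constructed 64×64 grayscale image held as a plain list of pixel values, extracts it again, and then measures the two things a steganalyst cares about: that no pixel moved by more than 1, and that the LSB plane’s statistics changed. The cover image is deliberately built with all-even pixel values (every LSB zero) so the statistical footprint is obvious; real photos are noisier and the analysis correspondingly harder.

```python
WIDTH = HEIGHT = 64

# Constructed grayscale cover: a smooth diagonal ramp with every LSB cleared,
# i.e. an unrealistically "clean" LSB plane so the embedding footprint is visible.
COVER = [((x * 7 + y * 3) % 128) * 2 for y in range(HEIGHT) for x in range(WIDTH)]


def embed_lsb(pixels, message: bytes):
    """Write a 4-byte big-endian length header plus the message, one bit per
    pixel, into the least significant bit of each pixel in order."""
    payload = len(message).to_bytes(4, "big") + message
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("cover image too small for payload")
    stego = list(pixels)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit     # clear the LSB, then set it
    return stego


def extract_lsb(pixels) -> bytes:
    """Read the length header, then that many bytes, back out of the LSB plane."""
    def read(bit_offset: int, nbytes: int) -> bytes:
        out = bytearray()
        for k in range(nbytes):
            value = 0
            for i in range(8):
                value = (value << 1) | (pixels[bit_offset + k * 8 + i] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read(0, 4), "big")
    if 32 + 8 * length > len(pixels):
        raise ValueError("no plausible payload (length header exceeds image)")
    return read(32, length)


def max_pixel_change(original, modified) -> int:
    """Largest per-pixel difference; LSB embedding never exceeds 1."""
    return max(abs(a - b) for a, b in zip(original, modified))


def lsb_ones_ratio(pixels) -> float:
    """Fraction of pixels whose LSB is 1: a crude steganalysis statistic.
    Embedding arbitrary data drives this towards 0.5 over the written region."""
    return sum(p & 1 for p in pixels) / len(pixels)


if __name__ == "__main__":
    secret = b"meet at the usual place, 0900"      # constructed message
    stego = embed_lsb(COVER, secret)
    print("recovered:", extract_lsb(stego))
    print("max pixel change:", max_pixel_change(COVER, stego))
    print("LSB ones ratio before/after: %.3f / %.3f"
          % (lsb_ones_ratio(COVER), lsb_ones_ratio(stego)))
```

Note what the detector does and does not need: it never knows the message, only that the low-order bits of the first few hundred pixels stopped looking like the rest of the image. Real tools scatter the payload across pixels chosen by a keyed PRNG and match the embedding to the carrier’s existing noise precisely to blunt this kind of analysis, which is why the statistical methods mentioned above have to be considerably more sophisticated than a ones-count.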


