Suggested Blog Reading – Tuesday May 8th, 2007

ReadOnly Tuesday and it feels like it should be Wednesday or Thursday (not sure why…it just does). I’m hoping to get back to setting up my home security lab this week and next but we’ll see how the weather is (nice == outside stuff, rain == inside stuff).

Here’s the list for today:

Dueling updates – is Apple quicker? – Only time will truly tell.

So, is Apple just inherently faster at patching security vulnerabilities? Did Apple rush out a fix faster than normal because of the media exposure about this particular vulnerability? Or maybe Microsoft is either just slower at the process or too busy with their own backlog of security patches – or both? Not many would argue against claims that Microsoft Windows has many more vulnerability found compared to Mac OS X.

Review – InfoSec Institute Advanced Ethical Hacking: Expert Penetration Testing – Good to see other people review training and courses.

I just returned from attending InfoSec Institute’s AEH course. Given the relevance of penetration testing to PCI, I thought that it would be worthwhile to post a review for anyone who’s considering attending.

France Fines Tyco Healthcare: U.S. Companies, You MUST Know and Follow International Data Protection Laws – I like this idea and I hope it catches on in North America.

In April the French Data Protection Authority (CNIL) reported they had issued a $40,972 fine against a subsidiary of U.S.-based Tyco Healthcare in March for inadequate storage safeguards and cross-border transfer of employee personally identifiable information (PII).

TSA: We’re not saying our hard drive is gone but… – My dog ate my hard drive.

On May 3, the TSA discovered the drive was missing from a controlled area at the Headquarters Office of Human Capital. The agency immediately reported the incident to law enforcement officials, the Department of Homeland Security and launched into an investigation.

Did it fall behind the desk? No.

Did Jim take it home to transfer his Phil Collins music collection to his desktop? No.

Maybe check behind the desk again?

The investigation hit a brick wall. By Friday night, it was time to fess up with a statement. The TSA doesn’t know whether the device is still within headquarters or was stolen. It has found no evidence an unauthorized individual is using the personal information.

Web Application Security Professionals Survey (May 2007) – Please take a minute to go through the survey when you get a chance.

Several people have asked where the surveys have gone to in the past several months. The answer is that I’ve been amazingly busy the last couple of months and simply haven’t had the time. The survey helps us learn more about the web application security industry and the community participants. We attempt to expose various aspects of web application security we previously didn’t know, understand, or fully appreciate. From time to time I’ll repeat some questions to to develop trends. And as always, the more people who submit data, the more representative the will be. Please feel free to forward this email along to anyone that might not have seen it.

Glitch attacks revealed – “First in a series of articles on attacking hardware and software by inducing faults”

One of the common assumptions software authors make is that the underlying hardware works reliably. Very few operating systems add their own parity bits or CRC to memory accesses. Even fewer applications check the results of a computation. Yet when it comes to cryptography and software protection, the attacker controls the platform in some manner and thus faulty operation has to be considered.

Fault induction is often used to test hardware during production or simulation runs. It was probably first observed when mildly radioactive material that is a natural part of chip packaging led to random memory bit flips.

ESI Searches: Getting to the Drive – Good overview on how the legal system leverages hard drives for forensic purposes.

Traditionally, we’ve relied on producing parties to, well, produce. Requesting parties weren’t entitled to rifle file cabinets or search briefcases. When evidence meant paper documents, relying on the other side’s diligence and good faith made sense. Anyone could read paper records, and when paper was “deleted,” it was gone.

Scroll to top